SVA: and/or as a sequence also need to work with parentheses

kroening · kroening · commit e305f6c0eeb2 · 2025-03-24T13:00:27.000-07:00
The SVA operators 'and' and 'or' can be used to form SVA sequences or SVA
properties, depending on the types of the operands.  Furthermore, any
sequence expression is also a property expression.

This results in a conflict in the SystemVerilog grammar, as the context is
insufficient to determine whether an expression is a sequence_expr or a
property_expr.

This resolves the conflict by replicating the sequence_expr rules into
property_expr, and allowing property_expr to be used where sequence_expr
would be required.

To detect malformed input programs that use a property where a sequence is
required, a check is added to the type checker.
diff --git a/regression/verilog/SVA/sequence_and1.desc b/regression/verilog/SVA/sequence_and1.desc
@@ -5,6 +5,7 @@ sequence_and1.sv
 ^\[main\.p1\] strong\(main\.x == 0 and main\.x == 1\): REFUTED$
 ^\[main\.p2\] main\.x == 0 and \(nexttime main\.x == 1\): PROVED up to bound \d+$
 ^\[main\.p3\] \(nexttime main\.x == 1\) and main\.x == 0: PROVED up to bound \d+$
+^\[main\.p4\] \(main\.x == 0 and main\.x != 10\) |=> main\.x == 1: PROVED up to bound \d+$
 ^EXIT=10$
 ^SIGNAL=0$
 --
diff --git a/regression/verilog/SVA/sequence_and1.sv b/regression/verilog/SVA/sequence_and1.sv
@@ -15,4 +15,7 @@ module main(input clk);
   initial p2: assert property (x == 0 and nexttime x == 1);
   initial p3: assert property (nexttime x == 1 and x == 0);
 
+  // It also yields a sequence when in parentheses.
+  initial p4: assert property ((x == 0 and x != 10) |=> x == 1);
+
 endmodule
diff --git a/regression/verilog/SVA/sequence_first_match2.desc b/regression/verilog/SVA/sequence_first_match2.desc
@@ -1,9 +1,9 @@
 CORE
 sequence_first_match2.sv
 --bound 5
-^\[.*\] \(##1 1\) or \(\(##2 1\) \|-> main.x == 1\): PROVED up to bound 5$
+^\[.*\] \(\(##1 1\) or \(##2 1\)\) \|-> main.x == 1: PROVED up to bound 5$
 ^\[.*\] first_match\(\(##1 1\) or \(##2 1\)\) \|-> main\.x == 1: PROVED up to bound 5$
-^\[.*\] 1 or \(\(##1 1\) \|-> main\.x == 0\): PROVED up to bound 5$
+^\[.*\] \(1 or \(##1 1\)\) \|-> main\.x == 0: PROVED up to bound 5$
 ^\[.*\] first_match\(1 or \(##1 1\)\) \|-> main\.x == 0: PROVED up to bound 5$
 ^EXIT=0$
 ^SIGNAL=0$
diff --git a/regression/verilog/SVA/sequence_implication2.desc b/regression/verilog/SVA/sequence_implication2.desc
@@ -0,0 +1,8 @@
+CORE
+sequence_implication2.sv
+--module main
+^file .* line 4: sequence required$
+^EXIT=2$
+^SIGNAL=0$
+--
+--
diff --git a/regression/verilog/SVA/sequence_implication2.sv b/regression/verilog/SVA/sequence_implication2.sv
@@ -0,0 +1,6 @@
+module main(input clk);
+
+  // The RHS must be a sequence
+  assert property (@(posedge clk) (always 1) |-> 1);
+
+endmodule : main
diff --git a/regression/verilog/SVA/sequence_or1.desc b/regression/verilog/SVA/sequence_or1.desc
@@ -5,6 +5,7 @@ sequence_or1.sv
 ^\[main\.p1\] strong\(main\.x == 0 or main\.x == 1\): PROVED$
 ^\[main\.p2\] main\.x == 0 or \(nexttime main\.x == 1\): PROVED up to bound \d+$
 ^\[main\.p3\] \(nexttime main\.x == 1\) or main\.x == 1: PROVED up to bound \d+$
+^\[main\.p4\] \(main\.x == 0 or main\.x != 10\) |=> main\.x == 1: PROVED up to bound \d+$
 ^EXIT=0$
 ^SIGNAL=0$
 --
diff --git a/regression/verilog/SVA/sequence_or1.sv b/regression/verilog/SVA/sequence_or1.sv
@@ -15,4 +15,7 @@ module main(input clk);
   initial p2: assert property (x==0 or nexttime x == 1);
   initial p3: assert property (nexttime x==1 or x == 1);
 
+  // It also yields a sequence when in parentheses.
+  initial p4: assert property ((x == 0 or x != 10) |=> x == 1);
+
 endmodule
diff --git a/src/temporal-logic/normalize_property.cpp b/src/temporal-logic/normalize_property.cpp
@@ -24,7 +24,7 @@ exprt normalize_pre_sva_non_overlapped_implication(
   sva_non_overlapped_implication_exprt expr)
 {
   // Same as a->always[1:1] b if lhs is not a sequence.
-  if(!is_SVA_sequence(expr.lhs()))
+  if(!is_SVA_sequence_operator(expr.lhs()))
   {
     auto one = natural_typet{}.one_expr();
     return or_exprt{
diff --git a/src/temporal-logic/temporal_logic.cpp b/src/temporal-logic/temporal_logic.cpp
@@ -92,7 +92,7 @@ bool is_LTL_past(const exprt &expr)
   return !has_subexpr(expr, non_LTL_past_operator);
 }
 
-bool is_SVA_sequence(const exprt &expr)
+bool is_SVA_sequence_operator(const exprt &expr)
 {
   auto id = expr.id();
   // Note that ID_sva_overlapped_followed_by and ID_sva_nonoverlapped_followed_by
@@ -114,7 +114,7 @@ bool is_SVA_sequence(const exprt &expr)
 bool is_SVA_operator(const exprt &expr)
 {
   auto id = expr.id();
-  return is_SVA_sequence(expr) || id == ID_sva_disable_iff ||
+  return is_SVA_sequence_operator(expr) || id == ID_sva_disable_iff ||
          id == ID_sva_accept_on || id == ID_sva_reject_on ||
          id == ID_sva_sync_accept_on || id == ID_sva_sync_reject_on ||
          id == ID_sva_always || id == ID_sva_s_always ||
diff --git a/src/temporal-logic/temporal_logic.h b/src/temporal-logic/temporal_logic.h
@@ -54,7 +54,7 @@ bool is_LTL_operator(const exprt &);
 bool is_LTL_past_operator(const exprt &);
 
 /// Returns true iff the given expression is an SVA sequence expression
-bool is_SVA_sequence(const exprt &);
+bool is_SVA_sequence_operator(const exprt &);
 
 /// Returns true iff the given expression is an SVA temporal operator
 bool is_SVA_operator(const exprt &);
diff --git a/src/temporal-logic/trivial_sva.cpp b/src/temporal-logic/trivial_sva.cpp
@@ -20,8 +20,8 @@ exprt trivial_sva(exprt expr)
     // Same as regular implication if lhs and rhs are not sequences.
     auto &sva_implication = to_sva_overlapped_implication_expr(expr);
     if(
-      !is_SVA_sequence(sva_implication.lhs()) &&
-      !is_SVA_sequence(sva_implication.rhs()))
+      !is_SVA_sequence_operator(sva_implication.lhs()) &&
+      !is_SVA_sequence_operator(sva_implication.rhs()))
     {
       expr = implies_exprt{sva_implication.lhs(), sva_implication.rhs()};
     }
@@ -40,14 +40,18 @@ exprt trivial_sva(exprt expr)
   {
     // Same as a ∧ b if lhs and rhs are not sequences.
     auto &sva_and = to_sva_and_expr(expr);
-    if(!is_SVA_sequence(sva_and.lhs()) && !is_SVA_sequence(sva_and.rhs()))
+    if(
+      !is_SVA_sequence_operator(sva_and.lhs()) &&
+      !is_SVA_sequence_operator(sva_and.rhs()))
       expr = and_exprt{sva_and.lhs(), sva_and.rhs()};
   }
   else if(expr.id() == ID_sva_or)
   {
     // Same as a ∧ b if lhs or rhs are not sequences.
     auto &sva_or = to_sva_or_expr(expr);
-    if(!is_SVA_sequence(sva_or.lhs()) && !is_SVA_sequence(sva_or.rhs()))
+    if(
+      !is_SVA_sequence_operator(sva_or.lhs()) &&
+      !is_SVA_sequence_operator(sva_or.rhs()))
       expr = or_exprt{sva_or.lhs(), sva_or.rhs()};
   }
   else if(expr.id() == ID_sva_not)
diff --git a/src/trans-word-level/instantiate_word_level.cpp b/src/trans-word-level/instantiate_word_level.cpp
@@ -119,7 +119,7 @@ wl_instantiatet::instantiate_rec(exprt expr, const mp_integer &t) const
   {
     return {t, timeframe_symbol(t, to_symbol_expr(std::move(expr)))};
   }
-  else if(is_SVA_sequence(expr))
+  else if(is_SVA_sequence_operator(expr))
   {
     // sequence expressions -- these may have multiple potential
     // match points, and evaluate to true if any of them matches
diff --git a/src/trans-word-level/property.cpp b/src/trans-word-level/property.cpp
@@ -543,7 +543,7 @@ static obligationst property_obligations_rec(
       return property_obligations_rec(
         op_negated_opt.value(), current, no_timeframes);
     }
-    else if(is_SVA_sequence(op))
+    else if(is_SVA_sequence_operator(op))
     {
       return obligationst{
         instantiate_property(property_expr, current, no_timeframes)};
diff --git a/src/verilog/parser.y b/src/verilog/parser.y
@@ -559,10 +559,6 @@ int yyverilogerror(const char *error)
 // whereas the table gives them in decreasing order.
 // The precendence of the assertion operators is lower than
 // those in Table 11-2.
-//
-// SEQUENCE_TO_PROPERTY is an artificial token to give
-// the right precedence to the conversion of a sequence_expr
-// to a property_expr.
 %nonassoc "property_expr_abort" // accept_on, reject_on, ...
 %nonassoc "property_expr_clocking_event" // @(...) property_expr
 %nonassoc "always" "s_always" "eventually" "s_eventually"
@@ -573,7 +569,6 @@ int yyverilogerror(const char *error)
 %right "iff"
 %left "or"
 %left "and"
-%nonassoc SEQUENCE_TO_PROPERTY
 %nonassoc "not" "nexttime" "s_nexttime"
 %left "intersect"
 %left "within"
@@ -2451,10 +2446,13 @@ sequence_formal_type:
 // for property_expr into property_expr and property_expr_proper.
 
 property_expr:
-	  sequence_expr %prec SEQUENCE_TO_PROPERTY
+	  expression_or_dist
 	| property_expr_proper
 	;
 
+// To allow the operators and/or to be used as either sequence or property,
+// we use 'property_expr' where 'sequence_expr' would be required, and
+// copy the sequence_expr rules.
 property_expr_proper:
 	  "strong" '(' sequence_expr ')'
 		{ init($$, ID_sva_strong); mto ($$, $3); }
@@ -2468,19 +2466,23 @@ property_expr_proper:
 		{ init($$, ID_sva_or); mto($$, $1); mto($$, $3); }
 	| property_expr "and" property_expr
 		{ init($$, ID_sva_and); mto($$, $1); mto($$, $3); }
-	| sequence_expr "|->" property_expr
+	// requires sequence_expr on the LHS
+	| property_expr "|->" property_expr
 		{ init($$, ID_sva_overlapped_implication); mto($$, $1); mto($$, $3); }
-	| sequence_expr "|=>" property_expr
+	// requires sequence_expr on the LHS
+	| property_expr "|=>" property_expr
 		{ init($$, ID_sva_non_overlapped_implication); mto($$, $1); mto($$, $3); }
 	| "if" '(' expression_or_dist ')' property_expr %prec LT_TOK_ELSE
 		{ init($$, ID_sva_if); mto($$, $3); mto($$, $5); stack_expr($$).add_to_operands(nil_exprt()); }
 	| "if" '(' expression_or_dist ')' property_expr "else" property_expr
 		{ init($$, ID_sva_if); mto($$, $3); mto($$, $5); mto($$, $7); }
 	| "case" '(' expression_or_dist ')' property_case_item_brace "endcase"
 		{ init($$, ID_sva_case); mto($$, $3); mto($$, $5); }
-	| sequence_expr "#-#" property_expr
+	// requires sequence_expr on the LHS
+	| property_expr "#-#" property_expr
 		{ init($$, ID_sva_overlapped_followed_by); mto($$, $1); mto($$, $3); }
-	| sequence_expr "#=#" property_expr
+	// requires sequence_expr on the LHS
+	| property_expr "#=#" property_expr
 		{ init($$, ID_sva_nonoverlapped_followed_by); mto($$, $1); mto($$, $3); }
 	| "nexttime" property_expr
 		{ init($$, ID_sva_nexttime); mto($$, $2); }
@@ -2523,6 +2525,37 @@ property_expr_proper:
 	| "sync_reject_on" '(' expression_or_dist ')' property_expr %prec "property_expr_abort"
 		{ init($$, ID_sva_sync_reject_on); mto($$, $3); mto($$, $5); }
 	| clocking_event property_expr { $$=$2; } %prec "property_expr_clocking_event"
+	//
+	// copy of sequence_expr, to allow and/or to be both sequence_expr and property_expr
+	//
+	| cycle_delay_range sequence_expr %prec "##"
+		{ $$=$1; mto($$, $2); }
+	// requires sequence_expr on the LHS
+	| property_expr cycle_delay_range sequence_expr %prec "##"
+		{ init($$, ID_sva_sequence_concatenation); mto($$, $1); mto($2, $3); mto($$, $2); }
+	// requires sequence_expr on the LHS
+	| '(' property_expr_proper ')' sequence_abbrev
+		{ $$ = $4;
+		  // preserve the operand ordering as in the source code
+		  stack_expr($$).operands().insert(stack_expr($$).operands().begin(), stack_expr($2));
+		}
+	| expression_or_dist boolean_abbrev
+		{ $$ = $2;
+		  // preserve the operand ordering as in the source code
+		  stack_expr($$).operands().insert(stack_expr($$).operands().begin(), stack_expr($1));
+		}
+	// requires sequence_expr on the LHS
+	| property_expr "intersect" sequence_expr
+		{ init($$, ID_sva_sequence_intersect); mto($$, $1); mto($$, $3); }
+	| "first_match" '(' sequence_expr ')'
+		{ init($$, ID_sva_sequence_first_match); mto($$, $3); stack_expr($$).add_to_operands(nil_exprt{}); }
+	| "first_match" '(' sequence_expr ',' sequence_match_item_brace ')'
+		{ init($$, ID_sva_sequence_first_match); mto($$, $3); mto($$, $5); }
+	| expression_or_dist "throughout" sequence_expr
+		{ init($$, ID_sva_sequence_throughout); mto($$, $1); mto($$, $3); }
+	// requires sequence_expr on the LHS
+	| property_expr "within" sequence_expr
+		{ init($$, ID_sva_sequence_within); mto($$, $1); mto($$, $3); }
 	;
 
 property_case_item_brace:
diff --git a/src/verilog/verilog_typecheck_expr.h b/src/verilog/verilog_typecheck_expr.h
@@ -199,6 +199,8 @@ class verilog_typecheck_exprt:public verilog_typecheck_baset
     expr = convert_sva_rec(std::move(expr));
   }
 
+  void require_sva_sequence(const exprt &) const;
+
   [[nodiscard]] exprt convert_sva_rec(exprt);
   [[nodiscard]] exprt convert_unary_sva(unary_exprt);
   [[nodiscard]] exprt convert_binary_sva(binary_exprt);
diff --git a/src/verilog/verilog_typecheck_sva.cpp b/src/verilog/verilog_typecheck_sva.cpp
@@ -9,6 +9,8 @@ Author: Daniel Kroening, kroening@kroening.com
 #include <util/arith_tools.h>
 #include <util/mathematical_types.h>
 
+#include <temporal-logic/temporal_logic.h>
+
 #include "sva_expr.h"
 #include "verilog_typecheck_expr.h"
 
@@ -42,6 +44,14 @@ exprt verilog_typecheck_exprt::convert_unary_sva(unary_exprt expr)
   }
 }
 
+void verilog_typecheck_exprt::require_sva_sequence(const exprt &expr) const
+{
+  if(is_SVA_operator(expr) && !is_SVA_sequence_operator(expr))
+  {
+    throw errort().with_location(expr.source_location()) << "sequence required";
+  }
+}
+
 exprt verilog_typecheck_exprt::convert_binary_sva(binary_exprt expr)
 {
   if(
@@ -97,7 +107,20 @@ exprt verilog_typecheck_exprt::convert_binary_sva(binary_exprt expr)
     expr.id() == ID_sva_overlapped_implication ||
     expr.id() == ID_sva_non_overlapped_implication ||
     expr.id() == ID_sva_overlapped_followed_by ||
-    expr.id() == ID_sva_nonoverlapped_followed_by ||
+    expr.id() == ID_sva_nonoverlapped_followed_by)
+  {
+    // These all take a sequence on the LHS, and a property on the RHS.
+    // The grammar allows properties on the LHS to implement and/or over
+    // sequences. Check here that the LHS is a sequence.
+    convert_sva(expr.lhs());
+    require_sva_sequence(expr.lhs());
+    make_boolean(expr.lhs());
+    convert_sva(expr.rhs());
+    make_boolean(expr.rhs());
+    expr.type() = bool_typet();
+    return std::move(expr);
+  }
+  else if(
     expr.id() == ID_sva_until || expr.id() == ID_sva_s_until ||
     expr.id() == ID_sva_until_with || expr.id() == ID_sva_s_until_with)
   {
@@ -111,24 +134,40 @@ exprt verilog_typecheck_exprt::convert_binary_sva(binary_exprt expr)
   }
   else if(expr.id() == ID_sva_sequence_concatenation) // a ##b c
   {
-    expr.type() = bool_typet();
-    convert_sva(expr.op0());
+    // This requires a sequence on the LHS.
+    // The grammar allows properties on the LHS to implement and/or over
+    // sequences. Check here that the LHS is a sequence.
+    convert_sva(expr.lhs());
+    require_sva_sequence(expr.lhs());
     make_boolean(expr.op0());
     convert_sva(expr.op1());
     make_boolean(expr.op1());
+    expr.type() = bool_typet();
     return std::move(expr);
   }
   else if(
     expr.id() == ID_sva_sequence_intersect ||
-    expr.id() == ID_sva_sequence_throughout ||
     expr.id() == ID_sva_sequence_within)
   {
-    auto &binary_expr = to_binary_expr(expr);
+    // This requires a sequence on the LHS.
+    // The grammar allows properties on the LHS to implement and/or over
+    // sequences. Check here that the LHS is a sequence.
+    convert_sva(expr.lhs());
+    require_sva_sequence(expr.lhs());
+    make_boolean(expr.lhs());
+    convert_sva(expr.rhs());
+    make_boolean(expr.rhs());
+
+    expr.type() = bool_typet();
 
-    convert_sva(binary_expr.lhs());
-    make_boolean(binary_expr.lhs());
-    convert_sva(binary_expr.rhs());
-    make_boolean(binary_expr.rhs());
+    return std::move(expr);
+  }
+  else if(expr.id() == ID_sva_sequence_throughout)
+  {
+    convert_expr(expr.lhs());
+    make_boolean(expr.lhs());
+    convert_sva(expr.rhs());
+    make_boolean(expr.rhs());
 
     expr.type() = bool_typet();
 
@@ -152,19 +191,17 @@ exprt verilog_typecheck_exprt::convert_binary_sva(binary_exprt expr)
     expr.id() == ID_sva_sequence_non_consecutive_repetition ||
     expr.id() == ID_sva_sequence_goto_repetition)
   {
-    auto &binary_expr = to_binary_expr(expr);
-
-    convert_sva(binary_expr.lhs());
-    make_boolean(binary_expr.lhs());
+    convert_sva(expr.lhs());
+    make_boolean(expr.lhs());
 
-    convert_sva(binary_expr.rhs());
+    convert_sva(expr.rhs());
 
-    mp_integer n = elaborate_constant_integer_expression(binary_expr.rhs());
+    mp_integer n = elaborate_constant_integer_expression(expr.rhs());
     if(n < 0)
-      throw errort().with_location(binary_expr.rhs().source_location())
+      throw errort().with_location(expr.rhs().source_location())
         << "number of repetitions must not be negative";
 
-    binary_expr.rhs() = from_integer(n, integer_typet{});
+    expr.rhs() = from_integer(n, integer_typet{});
 
     expr.type() = bool_typet();
 

Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,7 @@ exprt normalize_pre_sva_non_overlapped_implication(`
`24`	`24`	`sva_non_overlapped_implication_exprt expr)`
`25`	`25`	`{`
`26`	`26`	`// Same as a->always[1:1] b if lhs is not a sequence.`
`27`		`- if(!is_SVA_sequence(expr.lhs()))`
	`27`	`+ if(!is_SVA_sequence_operator(expr.lhs()))`
`28`	`28`	`{`
`29`	`29`	`auto one = natural_typet{}.one_expr();`
`30`	`30`	`return or_exprt{`
Original file line number	Diff line number	Diff line change
`@@ -92,7 +92,7 @@ bool is_LTL_past(const exprt &expr)`
`92`	`92`	`return !has_subexpr(expr, non_LTL_past_operator);`
`93`	`93`	`}`
`94`	`94`
`95`		`-bool is_SVA_sequence(const exprt &expr)`
	`95`	`+bool is_SVA_sequence_operator(const exprt &expr)`
`96`	`96`	`{`
`97`	`97`	`auto id = expr.id();`
`98`	`98`	`// Note that ID_sva_overlapped_followed_by and ID_sva_nonoverlapped_followed_by`
`@@ -114,7 +114,7 @@ bool is_SVA_sequence(const exprt &expr)`
`114`	`114`	`bool is_SVA_operator(const exprt &expr)`
`115`	`115`	`{`
`116`	`116`	`auto id = expr.id();`
`117`		`- return is_SVA_sequence(expr) \|\| id == ID_sva_disable_iff \|\|`
	`117`	`+ return is_SVA_sequence_operator(expr) \|\| id == ID_sva_disable_iff \|\|`
`118`	`118`	`id == ID_sva_accept_on \|\| id == ID_sva_reject_on \|\|`
`119`	`119`	`id == ID_sva_sync_accept_on \|\| id == ID_sva_sync_reject_on \|\|`
`120`	`120`	`id == ID_sva_always \|\| id == ID_sva_s_always \|\|`