Hi Marcelo,
> Compiling the testcase with the debug information does help thanks.
> Since the counterexample is still at the IR level it's not very useful
> for long models.
>
> With respect to my testcase I'm still not sure why do I get the error.
> In attach I send you the .c file and the log file. I'm only interested
> in verifying my assertions:
>
> llbmc -only-custom-assertions -ignore-missing-function-bodies
> bist_cell.bc > bist_cell.log
I noticed that your C file does not include assert.h. Version 2012.2a
of LLBMC will then not be able to recognize the call to assert as such
and will not check whether it is true. I would suggest you include
assert.h. Alternatively, add a declaration of the form
void __llbmc_assert(int);
to the file and replace the call to assert by a call to __llbmc_assert.
> The error synopsis states: Loop iteration bound is not sufficient. The
> program analysis is thus not complete.
>
> I have 2 questions regarding this:
> 1. How do you compute this, i.e. are you performing static analysis of
> the loop condition and comparing it with the input parameter?
This is determined by the SMT solver since LLBMC adds an assertion that
checks whether the loop bound is sufficient. The SMT solver then found
out that this assertion fails.
> 2. Why do you consider this an error? To me, this seems a natural
> consequence of performing BMC. In the case of this example since you
> have a while(1), you won't achieve completeness with 'pure' BMC.
We consider it an error since we don't want the give the user the false
impression that LLBMC has verified that the program is error-free. You
can disable the checks for loop bounds by passing the option
"-no-max-loop-iterations-checks" to LLBMC. In your example, providing
this option will cause LLBMC to check the assertion only for those runs
of the program where the loop iteration bound that you provide is
sufficient.
Best regards,
Stephan