Add constraints for bounded quantification

These can only be omitted when the instantiations trivially make them true. This
surfaced further misinterpretations in the regression tests of the "==>"
operator: bounded existential quantification should generally use &&.

Author: tautschnig

regression/cbmc/Quantifiers-not-exists/main.c renamed to regression/cbmc-cover/Quantifiers-not-exists/main.c

@@ -1,6 +1,5 @@
 int main()
 {
-
   int a[2][2];
   int b[2][2];
   int c[2][2];
@@ -25,16 +24,15 @@ int main()
 
   assert(0);
 
-  assert(a[0][0]>10);
-
-  assert( (b[0][0]<1||b[0][0]>10) && (b[0][1]<1||b[0][1]>10));
-  assert( (b[1][0]<1||b[1][0]>10) && (b[1][1]<1||b[1][1]>10));
+  assert(a[0][0] > 10);
 
-  assert(c[0][0]==0 || c[0][1]==0 || c[1][0]<=10 || c[1][1]<=10);
+  assert((b[0][0] < 1 || b[0][0] > 10) && (b[0][1] < 1 || b[0][1] > 10));
+  assert((b[1][0] < 1 || b[1][0] > 10) && (b[1][1] < 1 || b[1][1] > 10));
 
-  assert( ((d[0][0]<1||d[0][0]>10) || (d[0][1]<1||d[0][1]>10)) );
-  assert( ((d[1][0]<1||d[1][0]>10) || (d[1][1]<1||d[1][1]>10)) );
+  assert(c[0][0] == 0 || c[0][1] == 0 || c[1][0] <= 10 || c[1][1] <= 10);
 
+  assert(((d[0][0] < 1 || d[0][0] > 10) || (d[0][1] < 1 || d[0][1] > 10)));
+  assert(((d[1][0] < 1 || d[1][0] > 10) || (d[1][1] < 1 || d[1][1] > 10)));
 
   return 0;
 }

regression/cbmc-cover/Quantifiers-not-exists/test.desc

@@ -0,0 +1,12 @@
+CORE
+main.c
+--cover location
+^\*\* 1 of 46 covered \(2.2%\)
+^EXIT=0$
+^SIGNAL=0$
+--
+^warning: ignoring
+--
+All assertions are unreachable as each of the __CPROVER_assume evaluate to false
+(!exists i. i>=0 && i<2 ==> ... is equivalent to forall i. i>=0 && i<2 && ...,
+where neither i>=0 nor i<2 is actually true for all values of i).

regression/cbmc/Quantifiers-assertion/test.desc

@@ -1,4 +1,4 @@
-KNOWNBUG
+CORE
 main.c
 
 ^\*\* Results:$

regression/cbmc/Quantifiers-if/main.c

@@ -9,16 +9,16 @@ int main()
   if(__CPROVER_forall { int i; (i>=0 && i<2) ==> a[i]>=1 && a[i]<=10 })
     __CPROVER_assert(0, "failure 1");
 
-  if(__CPROVER_exists { int i; (i>=0 && i<2) ==> a[i]>=1 && a[i]<=10 })
+  if(__CPROVER_exists { int i; (i>=0 && i<2) && a[i]>=1 && a[i]<=10 })
     __CPROVER_assert(0, "failure 2");
 
   if(__CPROVER_forall { int i; (i>=0 && i<2) ==> a[i]>=2 && a[i]<=10 })
     __CPROVER_assert(0, "success 1");
 
-  if(__CPROVER_exists { int i; (i>=0 && i<2) ==> a[i]>=2 && a[i]<=10 })
+  if(__CPROVER_exists { int i; (i>=0 && i<2) && a[i]>=2 && a[i]<=10 })
     __CPROVER_assert(0, "failure 3");
 
-  if(__CPROVER_exists { int i; (i>=0 && i<2) ==> a[i]>=5 && a[i]<=10 })
+  if(__CPROVER_exists { int i; (i>=0 && i<2) && a[i]>=5 && a[i]<=10 })
     __CPROVER_assert(0, "success 2");
   // clang-format on
 

regression/cbmc/Quantifiers-invalid-var-range/main.c

@@ -4,7 +4,8 @@ int main()
   int a[3][3];
   // clang-format off
   // clang-format would rewrite the "==>" as "== >"
-  __CPROVER_assume(__CPROVER_forall { int i; (i>=0 && i<5) ==>  __CPROVER_exists{int j; (j>=i && j<3) ==> a[i][j]==10} });
+  // NOLINTNEXTLINE(whitespace/line_length)
+  __CPROVER_assume(__CPROVER_forall { int i; (i>=0 && i<5) ==>  __CPROVER_exists{int j; (j>=i && j<3) && a[i][j]==10} });
   // clang-format on
 
   assert(a[0][0]==10||a[0][1]==10||a[0][2]==10);

regression/cbmc/Quantifiers-not-exists/test.desc

@@ -9,16 +9,16 @@ int main()
   if(!__CPROVER_forall { int i; (i>=0 && i<2) ==> a[i]>=1 && a[i]<=10 })
     __CPROVER_assert(0, "success 1");
 
-  if(!__CPROVER_exists { int i; (i>=0 && i<2) ==> a[i]>=1 && a[i]<=10 })
+  if(!__CPROVER_exists { int i; (i>=0 && i<2) && a[i]>=1 && a[i]<=10 })
     __CPROVER_assert(0, "success 2");
 
   if(!__CPROVER_forall { int i; (i>=0 && i<2) ==> a[i]>=2 && a[i]<=10 })
     __CPROVER_assert(0, "failure 1");
 
-  if(!__CPROVER_exists { int i; (i>=0 && i<2) ==> a[i]>=2 && a[i]<=10 })
+  if(!__CPROVER_exists { int i; (i>=0 && i<2) && a[i]>=2 && a[i]<=10 })
     __CPROVER_assert(0, "success 3");
 
-  if(!__CPROVER_exists { int i; (i>=0 && i<2) ==> a[i]>=5 && a[i]<=10 })
+  if(!__CPROVER_exists { int i; (i>=0 && i<2) && a[i]>=5 && a[i]<=10 })
     __CPROVER_assert(0, "failure 2");
   // clang-format on
 

regression/cbmc/Quantifiers-not/main.c

@@ -1,4 +1,4 @@
-KNOWNBUG
+CORE
 main.c
 
 ^\*\* Results:$

regression/cbmc/Quantifiers-two-dimension-array/test.desc

@@ -167,11 +167,31 @@ instantiate_quantifier(const quantifier_exprt &expr, const namespacet &ns)
 
   if(expr.id()==ID_forall)
   {
-    return conjunction(expr_insts);
+    // maintain the domain constraint if it isn't guaranteed by the
+    // instantiations (for a disjunction the domain constraint is implied by the
+    // instantiations)
+    if(re.id() == ID_and)
+    {
+      expr_insts.push_back(binary_predicate_exprt(
+        var_expr, ID_gt, from_integer(lb, var_expr.type())));
+      expr_insts.push_back(binary_predicate_exprt(
+        var_expr, ID_le, from_integer(ub, var_expr.type())));
+    }
+    return simplify_expr(conjunction(expr_insts), ns);
   }
   else if(expr.id() == ID_exists)
   {
-    return disjunction(expr_insts);
+    // maintain the domain constraint if it isn't trivially satisfied by the
+    // instantiations (for a conjunction the instantiations are stronger
+    // constraints)
+    if(re.id() == ID_or)
+    {
+      expr_insts.push_back(binary_predicate_exprt(
+        var_expr, ID_gt, from_integer(lb, var_expr.type())));
+      expr_insts.push_back(binary_predicate_exprt(
+        var_expr, ID_le, from_integer(ub, var_expr.type())));
+    }
+    return simplify_expr(disjunction(expr_insts), ns);
   }
 
   UNREACHABLE;