diff --git a/doc/html-manual/cbmc-loops.shtml b/doc/html-manual/cbmc-loops.shtml index d9342d971b..51f61e05ad 100644 --- a/doc/html-manual/cbmc-loops.shtml +++ b/doc/html-manual/cbmc-loops.shtml @@ -83,10 +83,10 @@ int main() {

-One hundred iterations are obviously sufficient for the program above, -but note that the loop may abort prematurely depending on the value -that is returned by f(). CBMC is nevertheless able to automatically -unwind the loop to completion.

+The loop in the program above has an obvious upper bound on the number of +iterations, but note that the loop may abort prematurely depending on the +value that is returned by f(). CBMC is nevertheless able to +automatically unwind the loop to completion.

This automatic detection of the unwinding @@ -98,6 +98,21 @@ CBMC offers the command-line option --unwind B, where of loop unwindings CBMC performs on any loop.

+This automatic detection of the unwinding +bound may fail if the number of loop iterations is highly data-dependent. +Furthermore, the number of iterations that are executed by any given +loop may be too large or may simply be unbounded. For this case, +CBMC offers the command-line option --unwind B, where +B denotes a number that corresponds to the maximal number +of loop unwindings CBMC performs on any loop. +

+ +

+Note that the number of unwindings is measured by counting the number of +backjumps. In the example above, note that the condition +i<100 is in fact evaluated 101 times before the loop +terminates. Thus, the loop requires a limit of 101, and not 100.

+

Setting Separate Unwinding Limits

@@ -120,6 +135,10 @@ use   --unwindset L:B,L:B,... +

+where L denotes a loop ID and B denotes +the bound for that loop.

+

As an example, consider a program with two loops in the function main: