Range count quantifier (#438)

* quantifier fixes

* feat: added range count quantifier

* feat: updates

* feat: added is valid

* refactor: remove dead requires_sum/requires_filter_indices, use range_based()

After the unify-quantifier-helpers work, count/sum_map/range_count are
direct scalar helpers — none wrap their result with $0_vec_$sum anymore.
The `qt.requires_sum()` gates in mono_analysis and verification_analysis
were pushing `prover_vec_sum_qid` as a dead dependency.

- Remove QuantifierType::requires_sum() and requires_filter_indices()
  (both had no remaining callers after the refactor).
- Drop the now-dead push_todo_fun / mark_inlined calls for the sum helper
  in mono_analysis.rs and verification_analysis.rs.
- Replace `matches!(info.qht, RangeMap | RangeCount)` with the existing
  `info.qht.range_based()` method in lib.rs.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: add range_sum_map quantifier helper

Mirrors range_count as the sum-over-integer-range counterpart, and
completes the range-based helper family:

| Helper          | Vector-valued | Scalar-valued |
|-----------------|---------------|---------------|
| Over a vector   | map, filter,  | count, sum_map,
|                 | find_indices  | find_index    |
| Over a range    | range_map     | range_count,
|                 |               | range_sum_map (NEW)

Move API: `range_sum_map!<U>(start, end, |i| f(i)): Integer` — sums
FN(i) for i in [start, end). Typed as Integer for overflow safety.

Boogie axioms (scalar helper parallel to sum_map, range-based like
range_count): empty, left-step, right-step, split (compound trigger),
and bounding gated on `result_is_unsigned` (FN's Move return type).
No singleton — derivable from left-step + empty and keeps matching
pressure low.

Tests: range_sum_map.ok (concrete), range_sum_map.fail, and
range_sum_map_split.ok (symbolic n/k forces the split axiom to fire).

404 tests pass.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* test: fill coverage gaps for range_count and range_sum_map

Targeted tests that exercise axiom shapes previously only covered for
the vector-based helpers:

- range_count_split.ok — symbolic n/k forcing the split axiom to fire
  (two-way and three-way partitions).
- range_count_loop.ok — loop iterating [0, n) with invariant over the
  processed prefix, exercising left-step.
- range_sum_map_bounding.ok — symbolic a/b nested in [0, n], exercises
  the unsigned-return bounding axiom gate.
- range_sum_map_loop.ok — loop with 0/1-contribution FN (odd_to_int)
  mirroring sum_map_loop, exercises left-step without overflow concerns.

408 tests pass.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Andrei Stefanescu <andrei@stefanescu.io>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: 3 people

crates/move-model/src/model.rs

@@ -1633,6 +1633,10 @@ impl GlobalEnv {
     const PROVER_BEGIN_SUM_MAP_RANGE_LAMBDA: &'static str = "begin_sum_map_range_lambda";
     const PROVER_END_SUM_MAP_LAMBDA: &'static str = "end_sum_map_lambda";
     const PROVER_BEGIN_RANGE_MAP_LAMBDA: &'static str = "begin_range_map_lambda";
+    const PROVER_BEGIN_RANGE_COUNT_LAMBDA: &'static str = "begin_range_count_lambda";
+    const PROVER_END_RANGE_COUNT_LAMBDA: &'static str = "end_range_count_lambda";
+    const PROVER_BEGIN_RANGE_SUM_MAP_LAMBDA: &'static str = "begin_range_sum_map_lambda";
+    const PROVER_END_RANGE_SUM_MAP_LAMBDA: &'static str = "end_range_sum_map_lambda";
     const PROVER_END_RANGE_MAP_LAMBDA: &'static str = "end_range_map_lambda";
     const PROVER_RANGE: &'static str = "range";
     const PROVER_VEC_SUM: &'static str = "sum";
@@ -2122,6 +2126,34 @@ impl GlobalEnv {
         )
     }
 
+    pub fn prover_begin_range_count_lambda_qid(&self) -> QualifiedId<FunId> {
+        self.get_fun_qid(
+            Self::PROVER_VECTOR_MODULE_NAME,
+            Self::PROVER_BEGIN_RANGE_COUNT_LAMBDA,
+        )
+    }
+
+    pub fn prover_end_range_count_lambda_qid(&self) -> QualifiedId<FunId> {
+        self.get_fun_qid(
+            Self::PROVER_VECTOR_MODULE_NAME,
+            Self::PROVER_END_RANGE_COUNT_LAMBDA,
+        )
+    }
+
+    pub fn prover_begin_range_sum_map_lambda_qid(&self) -> QualifiedId<FunId> {
+        self.get_fun_qid(
+            Self::PROVER_VECTOR_MODULE_NAME,
+            Self::PROVER_BEGIN_RANGE_SUM_MAP_LAMBDA,
+        )
+    }
+
+    pub fn prover_end_range_sum_map_lambda_qid(&self) -> QualifiedId<FunId> {
+        self.get_fun_qid(
+            Self::PROVER_VECTOR_MODULE_NAME,
+            Self::PROVER_END_RANGE_SUM_MAP_LAMBDA,
+        )
+    }
+
     pub fn prover_range_qid(&self) -> QualifiedId<FunId> {
         self.get_fun_qid(Self::PROVER_VECTOR_MODULE_NAME, Self::PROVER_RANGE)
     }
@@ -3557,6 +3589,10 @@ impl GlobalEnv {
                 self.prover_end_sum_map_lambda_qid(),
                 self.prover_begin_range_map_lambda_qid(),
                 self.prover_end_range_map_lambda_qid(),
+                self.prover_begin_range_count_lambda_qid(),
+                self.prover_end_range_count_lambda_qid(),
+                self.prover_begin_range_sum_map_lambda_qid(),
+                self.prover_end_range_sum_map_lambda_qid(),
                 self.prover_range_qid(),
                 self.prover_vec_sum_qid(),
                 self.prover_vec_sum_range_qid(),
@@ -3802,6 +3838,10 @@ impl GlobalEnv {
                 self.prover_end_sum_map_lambda_qid(),
                 self.prover_begin_range_map_lambda_qid(),
                 self.prover_end_range_map_lambda_qid(),
+                self.prover_begin_range_count_lambda_qid(),
+                self.prover_end_range_count_lambda_qid(),
+                self.prover_begin_range_sum_map_lambda_qid(),
+                self.prover_end_range_sum_map_lambda_qid(),
                 self.prover_range_qid(),
                 self.prover_vec_sum_qid(),
                 self.prover_vec_sum_range_qid(),

crates/move-prover-boogie-backend/src/boogie_backend/bytecode_translator.rs

@@ -145,15 +145,18 @@ impl<'env> BoogieTranslator<'env> {
             QuantifierHelperType::RangeMap => {
                 format!("$RangeMapQuantifierHelper_{}", function_name)
             }
-
+            QuantifierHelperType::RangeCount => {
+                format!("$RangeCountQuantifierHelper_{}", function_name)
+            }
+            QuantifierHelperType::RangeSumMap => {
+                format!("$RangeSumMapQuantifierHelper_{}", function_name)
+            }
             QuantifierHelperType::FindIndex => {
                 format!("$FindIndexQuantifierHelper_{}", function_name)
             }
-
             QuantifierHelperType::FindIndices => {
                 format!("$FindIndicesQuantifierHelper_{}", function_name)
             }
-
             QuantifierHelperType::Filter => format!("$FilterQuantifierHelper_{}", function_name),
             QuantifierHelperType::Count => format!("$CountQuantifierHelper_{}", function_name),
             QuantifierHelperType::SumMap => format!("$SumMapQuantifierHelper_{}", function_name),
@@ -3483,6 +3486,30 @@ impl<'env> FunctionTranslator<'env> {
                     extra_args,
                 )
             }
+            QuantifierType::RangeCount => {
+                let count_quant_name = self
+                    .parent
+                    .get_quantifier_helper_name(QuantifierHelperType::RangeCount, fun_name);
+                format!(
+                    "{}({}, {}{})",
+                    count_quant_name,
+                    fmt_temp(srcs[0]),
+                    fmt_temp(srcs[1]),
+                    extra_args,
+                )
+            }
+            QuantifierType::RangeSumMap => {
+                let sum_map_quant_name = self
+                    .parent
+                    .get_quantifier_helper_name(QuantifierHelperType::RangeSumMap, fun_name);
+                format!(
+                    "{}({}, {}{})",
+                    sum_map_quant_name,
+                    fmt_temp(srcs[0]),
+                    fmt_temp(srcs[1]),
+                    extra_args,
+                )
+            }
             QuantifierType::Count => {
                 let count_quant_name = self
                     .parent

crates/move-prover-boogie-backend/src/boogie_backend/lib.rs

@@ -560,7 +560,7 @@ impl QuantifierHelperInfo {
         let func_env = env.get_function(info.function);
         let params_types = Type::instantiate_vec(func_env.get_parameter_types(), &info.inst);
 
-        let mut quantifier_params = if matches!(info.qht, QuantifierHelperType::RangeMap) {
+        let mut quantifier_params = if info.qht.range_based() {
             "start: int, end: int".to_string()
         } else {
             format!(
@@ -569,7 +569,7 @@ impl QuantifierHelperInfo {
             )
         };
 
-        let mut quantifier_args = if matches!(info.qht, QuantifierHelperType::RangeMap) {
+        let mut quantifier_args = if info.qht.range_based() {
             "start, end".to_string()
         } else {
             "v, start, end".to_string()
@@ -619,17 +619,16 @@ impl QuantifierHelperInfo {
             (String::new(), String::new())
         };
 
-        let (input_vec_is_equal_suffix, input_elem_type) =
-            if matches!(info.qht, QuantifierHelperType::RangeMap) {
-                (String::new(), String::new()) // no input vector
-            } else {
-                let elem_ty = params_types[info.li].skip_reference();
-                let vec_type = Type::Vector(Box::new(elem_ty.clone()));
-                (
-                    boogie_type_suffix(env, &vec_type),
-                    boogie_type(env, &elem_ty),
-                )
-            };
+        let (input_vec_is_equal_suffix, input_elem_type) = if info.qht.range_based() {
+            (String::new(), String::new()) // no input vector
+        } else {
+            let elem_ty = params_types[info.li].skip_reference();
+            let vec_type = Type::Vector(Box::new(elem_ty.clone()));
+            (
+                boogie_type_suffix(env, &vec_type),
+                boogie_type(env, &elem_ty),
+            )
+        };
 
         // True when FN's Move return type is a fixed-width unsigned int
         // (U8..U256). Used by helpers (e.g. sum_map bounding) to gate axioms

crates/move-prover-boogie-backend/src/boogie_backend/prelude/native.bpl

@@ -1428,6 +1428,69 @@ axiom (forall {{QP}}, a: int, b: int ::
 {%- endif %}
 {%- endif %}
 
+{%- if instance.qht == "range_count" %}
+function $RangeCountQuantifierHelper_{{FN}}({{QP}}): int;
+axiom (forall {{QP}} :: {$RangeCountQuantifierHelper_{{FN}}({{QA}})}
+    0 <= $RangeCountQuantifierHelper_{{FN}}({{QA}}) &&
+    $RangeCountQuantifierHelper_{{FN}}({{QA}}) <= (if start <= end then end - start else 0) &&
+    (start >= end ==> $RangeCountQuantifierHelper_{{FN}}({{QA}}) == 0)
+);
+// left step
+axiom (forall {{QP}} :: {$RangeCountQuantifierHelper_{{FN}}({{QA}})}
+    start < end ==>
+        $RangeCountQuantifierHelper_{{FN}}({{QA}}) ==
+            (if {{FN}}({{EAB}}start{{EAA}}) then 1 else 0)
+            + $RangeCountQuantifierHelper_{{FN}}(start + 1, end{{CAT}})
+);
+// right step
+axiom (forall {{QP}} :: {$RangeCountQuantifierHelper_{{FN}}({{QA}})}
+    start < end ==>
+        $RangeCountQuantifierHelper_{{FN}}({{QA}}) ==
+            $RangeCountQuantifierHelper_{{FN}}(start, end - 1{{CAT}})
+            + (if {{FN}}({{EAB}}end - 1{{EAA}}) then 1 else 0)
+);
+// split — compound trigger on the two sub-range counts
+axiom (forall {{QP}}, split_point: int ::
+    {$RangeCountQuantifierHelper_{{FN}}(start, split_point{{CAT}}), $RangeCountQuantifierHelper_{{FN}}(split_point, end{{CAT}})}
+    start <= split_point && split_point <= end ==>
+        $RangeCountQuantifierHelper_{{FN}}(start, split_point{{CAT}}) + $RangeCountQuantifierHelper_{{FN}}(split_point, end{{CAT}})
+            == $RangeCountQuantifierHelper_{{FN}}({{QA}}));
+{%- endif %}
+
+{%- if instance.qht == "range_sum_map" %}
+function $RangeSumMapQuantifierHelper_{{FN}}({{QP}}): int;
+axiom (forall {{QP}} :: {$RangeSumMapQuantifierHelper_{{FN}}({{QA}})}
+    start >= end ==> $RangeSumMapQuantifierHelper_{{FN}}({{QA}}) == 0
+);
+// left step
+axiom (forall {{QP}} :: {$RangeSumMapQuantifierHelper_{{FN}}({{QA}})}
+    start < end ==>
+        $RangeSumMapQuantifierHelper_{{FN}}({{QA}}) ==
+            {{FN}}({{EAB}}start{{EAA}})
+            + $RangeSumMapQuantifierHelper_{{FN}}(start + 1, end{{CAT}})
+);
+// right step
+axiom (forall {{QP}} :: {$RangeSumMapQuantifierHelper_{{FN}}({{QA}})}
+    start < end ==>
+        $RangeSumMapQuantifierHelper_{{FN}}({{QA}}) ==
+            $RangeSumMapQuantifierHelper_{{FN}}(start, end - 1{{CAT}})
+            + {{FN}}({{EAB}}end - 1{{EAA}})
+);
+// split — compound trigger on the two sub-range sums
+axiom (forall {{QP}}, split_point: int ::
+    {$RangeSumMapQuantifierHelper_{{FN}}(start, split_point{{CAT}}), $RangeSumMapQuantifierHelper_{{FN}}(split_point, end{{CAT}})}
+    start <= split_point && split_point <= end ==>
+        $RangeSumMapQuantifierHelper_{{FN}}(start, split_point{{CAT}}) + $RangeSumMapQuantifierHelper_{{FN}}(split_point, end{{CAT}})
+            == $RangeSumMapQuantifierHelper_{{FN}}({{QA}}));
+{%- if instance.result_is_unsigned %}
+// bounding — nested range sum <= outer (FN returns unsigned)
+axiom (forall {{QP}}, a: int, b: int ::
+    {$RangeSumMapQuantifierHelper_{{FN}}(a, b{{CAT}}), $RangeSumMapQuantifierHelper_{{FN}}({{QA}})}
+    start <= a && a <= b && b <= end ==>
+        $RangeSumMapQuantifierHelper_{{FN}}(a, b{{CAT}}) <= $RangeSumMapQuantifierHelper_{{FN}}({{QA}}));
+{%- endif %}
+{%- endif %}
+
 {% endmacro quantifier_helpers_module %}
 
 {% macro dynamic_field_key_module(impl, instance) %}

crates/move-stackless-bytecode/src/quantifier_iterator_analysis.rs

@@ -141,6 +141,16 @@ impl QuantifierPattern {
                 env.prover_end_range_map_lambda_qid(),
                 QuantifierType::RangeMap,
             ),
+            QuantifierPattern::new(
+                env.prover_begin_range_count_lambda_qid(),
+                env.prover_end_range_count_lambda_qid(),
+                QuantifierType::RangeCount,
+            ),
+            QuantifierPattern::new(
+                env.prover_begin_range_sum_map_lambda_qid(),
+                env.prover_end_range_sum_map_lambda_qid(),
+                QuantifierType::RangeSumMap,
+            ),
         ]
     }
 

crates/move-stackless-bytecode/src/stackless_bytecode.rs

@@ -138,12 +138,16 @@ pub enum QuantifierType {
     SumMap,
     SumMapRange,
     RangeMap,
+    RangeCount,
+    RangeSumMap,
 }
 
 #[derive(Debug, Clone, Ord, Eq, PartialEq, PartialOrd)]
 pub enum QuantifierHelperType {
     Map,
     RangeMap,
+    RangeCount,
+    RangeSumMap,
     FindIndex,
     FindIndices,
     Filter,
@@ -156,13 +160,24 @@ impl QuantifierHelperType {
         match self {
             QuantifierHelperType::Map => "map",
             QuantifierHelperType::RangeMap => "range_map",
+            QuantifierHelperType::RangeCount => "range_count",
+            QuantifierHelperType::RangeSumMap => "range_sum_map",
             QuantifierHelperType::FindIndex => "find_index",
             QuantifierHelperType::FindIndices => "find_indices",
             QuantifierHelperType::Filter => "filter",
             QuantifierHelperType::Count => "count",
             QuantifierHelperType::SumMap => "sum_map",
         }
     }
+
+    pub fn range_based(&self) -> bool {
+        matches!(
+            self,
+            QuantifierHelperType::RangeMap
+                | QuantifierHelperType::RangeCount
+                | QuantifierHelperType::RangeSumMap
+        )
+    }
 }
 
 impl QuantifierType {
@@ -189,6 +204,8 @@ impl QuantifierType {
             QuantifierType::SumMap => "sum_map",
             QuantifierType::SumMapRange => "sum_map_range",
             QuantifierType::RangeMap => "range_map",
+            QuantifierType::RangeCount => "range_count",
+            QuantifierType::RangeSumMap => "range_sum_map",
         }
     }
 
@@ -200,6 +217,8 @@ impl QuantifierType {
         *self != QuantifierType::Forall
             && *self != QuantifierType::Exists
             && *self != QuantifierType::RangeMap
+            && *self != QuantifierType::RangeCount
+            && *self != QuantifierType::RangeSumMap
     }
 
     pub fn range_based(&self) -> bool {
@@ -215,6 +234,8 @@ impl QuantifierType {
                 | QuantifierType::AllRange
                 | QuantifierType::SumMapRange
                 | QuantifierType::RangeMap
+                | QuantifierType::RangeCount
+                | QuantifierType::RangeSumMap
         )
     }
 
@@ -228,20 +249,6 @@ impl QuantifierType {
         )
     }
 
-    pub fn requires_sum(&self) -> bool {
-        matches!(
-            self,
-            QuantifierType::SumMap
-                | QuantifierType::SumMapRange
-                | QuantifierType::Count
-                | QuantifierType::CountRange
-        )
-    }
-
-    pub fn requires_filter_indices(&self) -> bool {
-        matches!(self, QuantifierType::Filter | QuantifierType::FilterRange)
-    }
-
     pub fn into_quantifier_helper_type(&self) -> Option<QuantifierHelperType> {
         match self {
             QuantifierType::Map | QuantifierType::MapRange => Some(QuantifierHelperType::Map),
@@ -260,6 +267,8 @@ impl QuantifierType {
                 Some(QuantifierHelperType::Filter)
             }
             QuantifierType::RangeMap => Some(QuantifierHelperType::RangeMap),
+            QuantifierType::RangeCount => Some(QuantifierHelperType::RangeCount),
+            QuantifierType::RangeSumMap => Some(QuantifierHelperType::RangeSumMap),
             _ => None,
         }
     }

crates/move-stackless-bytecode/src/verification_analysis.rs

@@ -7,7 +7,6 @@
 //! each function as well as collect information on how these invariants should be handled (i.e.,
 //! checked after bytecode, checked at function exit, or deferred to caller).
 
-use crate::quantifier_iterator_analysis::QuantifierPattern;
 use crate::{
     function_target::{FunctionData, FunctionTarget},
     function_target_pipeline::{FunctionTargetProcessor, FunctionTargetsHolder, FunctionVariant},
@@ -583,14 +582,6 @@ impl VerificationAnalysisProcessor {
                 }
             }
             Self::mark_inlined(&callee_env, targets);
-            if let Some(qt) = QuantifierPattern::type_from_qid(callee, env) {
-                if qt.requires_sum() {
-                    if let Some(qid) = env.prover_vec_sum_qid_opt() {
-                        let sum_fun_env = env.get_function(qid);
-                        Self::mark_inlined(&sum_fun_env, targets);
-                    }
-                }
-            }
         }
     }