RTOS/SDK_STM32F302x
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

[修改] 增加freeRTOS

Browse Source 
1. 版本FreeRTOSv202212.01,命名为kernel;
This commit is contained in:
gaoyang3513
2023-05-06 16:43:01 +00:00
commit a345df017b
20944 changed files with 11094377 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
kernel/FreeRTOS/Test/CBMC/.gitignore vendored Normal file
View File

@ -0,0 +1,5 @@
cbmc.txt
property.xml
coverage.xml
*.goto
**/html/*

89
kernel/FreeRTOS/Test/CBMC/README.md Normal file
View File

@ -0,0 +1,89 @@
CBMC Proof Infrastructure
=========================
This directory contains automated proofs of the memory safety of various parts
of the FreeRTOS codebase. A continuous integration system validates every
pull request posted to the repository against these proofs, and developers can
also run the proofs on their local machines.
The proofs are checked using the
[C Bounded Model Checker](http://www.cprover.org/cbmc/), an open-source static
analysis tool
([GitHub repository](https://github.com/diffblue/cbmc)). This README describes
how to run the proofs on your local clone of FreeRTOS.
Building and running proofs
--------------------------
Currently, only python based builds are supported for the CBMC proofs. The proofs
can be run on Linux and MacOS. Windows users can use [WSL](https://docs.microsoft.com/en-us/windows/wsl).
The below section outlines the instructions for the Python based build.
### Prerequisites
On Windows, you can install WSL using these simple [instructions](https://docs.microsoft.com/en-us/windows/wsl/install).
You will need Python version >= 3.7.
And you will need Make to build and run the proofs.
If you are running on a 64-bit machine, please install the 32-bit version of gcc
libraires. For example, on linux, one would run the following command to install
the libraries: `sudo apt-get install gcc-multilib`
### Installing CBMC
- The latest installation instructions can be found on the
[releases](https://github.com/diffblue/cbmc/releases) page of the CBMC repository.
- Please follow all the installation instructions given for your platform.
- Ensure that you can run the programs `cbmc`, `goto-cc` (or `goto-cl`
on Windows), and `goto-instrument` from the command line. If you cannot run these
commands, please refer to the above instructions to install CBMC.
### Installing CBMC-viewer (to generate the report)
- The latest installation instructions can be found on the
[releases](https://github.com/awslabs/aws-viewer-for-cbmc/releases) page of the CBMC-viewer repository.
- Please follow all the installation instructions given for your platform.
- Ensure that you can run the programs `cbmc-viewer`. If not, please verify
that all instructions above have been followed.
### Setting up the proofs
Make sure that all the submodules of the FreeRTOS repository have been cloned. To
clone all the submodules, go to the root of the FreeRTOS repository and run this
command: `git submodule update --init --recursive --checkout`.
Change into the `proofs` directory and run
```
python3 prepare.py
```
If you are on a Windows machine but want to generate Linux Makefiles (or vice
versa), you can pass the `--system linux` or `--system windows` options to those
programs.
### Running the proofs
Each of the leaf directories under `proofs` is a proof of the memory
safety of a single entry point in FreeRTOS. The scripts that you ran in the
previous step will have left a Makefile in each of those directories. To
run a proof, change into the directory for that proof and run `make`.
The proofs may take some time to run; they eventually write their output to
`cbmc.txt`, which should have the text `VERIFICATION SUCCESSFUL` at the end.
The make command will also generate a report in html and json format which makes
understanding the failures easier.
### Proof directory structure
This directory contains the following subdirectories:
- `proofs` contains the proofs run against each pull request
- `patches` contains a set of patches that get applied to the codebase prior to
running the proofs. The patches are used to remove static and volatile qulaifiers
from the source.
- `include` and `windows` contain header files used by the proofs.

14
kernel/FreeRTOS/Test/CBMC/cmake/compute-coverage.cmake Normal file
View File

@ -0,0 +1,14 @@
execute_process(
COMMAND
cbmc --cover location --xml-ui
${cbmc_flags} ${cbmc_verbosity} ${goto_binary}
OUTPUT_FILE ${out_file}
ERROR_FILE ${out_file}
RESULT_VARIABLE res
)
if(NOT (${res} EQUAL 0 OR ${res} EQUAL 10))
message(FATAL_ERROR
"Unexpected CBMC coverage return code '${res}' for proof ${proof_name}. Log written to ${out_file}."
)
endif()

14
kernel/FreeRTOS/Test/CBMC/cmake/compute-property.cmake Normal file
View File

@ -0,0 +1,14 @@
execute_process(
COMMAND
cbmc --show-properties --unwinding-assertions --xml-ui
${cbmc_flags} ${cbmc_verbosity} ${goto_binary}
OUTPUT_FILE ${out_file}
ERROR_FILE ${out_file}
RESULT_VARIABLE res
)
if(NOT (${res} EQUAL 0 OR ${res} EQUAL 10))
message(FATAL_ERROR
"Unexpected CBMC property return code '${res}' for proof ${proof_name}. Log written to ${out_file}."
)
endif()

14
kernel/FreeRTOS/Test/CBMC/cmake/model-check.cmake Normal file
View File

@ -0,0 +1,14 @@
execute_process(
COMMAND
cbmc --trace --unwinding-assertions
${cbmc_flags} ${cbmc_verbosity} ${goto_binary}
OUTPUT_FILE ${out_file}
ERROR_FILE ${out_file}
RESULT_VARIABLE res
)
if(NOT (${res} EQUAL 0 OR ${res} EQUAL 10))
message(FATAL_ERROR
"Unexpected CBMC return code '${res}' for proof ${proof_name}. Log written to ${out_file}."
)
endif()

2
kernel/FreeRTOS/Test/CBMC/include/README.md Normal file
View File

@ -0,0 +1,2 @@
This directory contains include files used by the CBMC proofs:
* cbmc.h defines some macros used in the proof test harnesses

5
kernel/FreeRTOS/Test/CBMC/include/aws_freertos_ip_verification_access_ip_define.h Normal file
View File

@ -0,0 +1,5 @@
eFrameProcessingResult_t publicProcessIPPacket( IPPacket_t * const pxIPPacket,
NetworkBufferDescriptor_t * const pxNetworkBuffer )
{
prvProcessIPPacket( pxIPPacket, pxNetworkBuffer );
}

20
kernel/FreeRTOS/Test/CBMC/include/aws_freertos_tcp_verification_access_tcp_define.h Normal file
View File

@ -0,0 +1,20 @@
int32_t publicTCPPrepareSend( FreeRTOS_Socket_t * pxSocket,
NetworkBufferDescriptor_t ** ppxNetworkBuffer,
UBaseType_t uxOptionsLength )
{
prvTCPPrepareSend( pxSocket, ppxNetworkBuffer, uxOptionsLength );
}
BaseType_t publicTCPHandleState( FreeRTOS_Socket_t * pxSocket,
NetworkBufferDescriptor_t ** ppxNetworkBuffer )
{
prvTCPHandleState( pxSocket, ppxNetworkBuffer );
}
void publicTCPReturnPacket( FreeRTOS_Socket_t * pxSocket,
NetworkBufferDescriptor_t * pxNetworkBuffer,
uint32_t ulLen,
BaseType_t xReleaseAfterSend )
{
prvTCPReturnPacket( pxSocket, pxNetworkBuffer, ulLen, xReleaseAfterSend );
}

100
kernel/FreeRTOS/Test/CBMC/include/cbmc.h Normal file
View File

@ -0,0 +1,100 @@
/* Standard includes. */
#include <stdint.h>
#include <stdio.h>
/* FreeRTOS includes. */
#include "FreeRTOS.h"
#include "task.h"
#include "semphr.h"
/* FreeRTOS+TCP includes. */
#include "FreeRTOS_IP.h"
#include "FreeRTOS_Sockets.h"
#include "FreeRTOS_IP_Private.h"
#include "FreeRTOS_UDP_IP.h"
#include "FreeRTOS_DNS.h"
#include "FreeRTOS_DHCP.h"
#include "NetworkBufferManagement.h"
#include "NetworkInterface.h"
/*
* CBMC models a pointer as an object id and an offset into that
* object. The top bits of a pointer encode the object id and the
* remaining bits encode the offset. This means there is a bound on
* the maximum offset into an object in CBMC, and hence a bound on the
* size of objects in CBMC.
*/
#define CBMC_BITS 7
#define CBMC_MAX_OBJECT_SIZE ( 0xFFFFFFFF >> ( CBMC_BITS + 1 ) )
#define IMPLIES( a, b ) ( !( a ) || ( b ) )
BaseType_t nondet_basetype();
UBaseType_t nondet_ubasetype();
TickType_t nondet_ticktype();
int32_t nondet_int32();
uint32_t nondet_uint32();
size_t nondet_sizet();
#define nondet_BaseType() nondet_basetype()
void * safeMalloc( size_t size );
enum CBMC_LOOP_CONDITION
{
CBMC_LOOP_BREAK, CBMC_LOOP_CONTINUE, CBMC_LOOP_RETURN
};
/* CBMC specification: capture old value for precondition and */
/* postcondition checking */
#define OLDVAL( var ) _old_ ## var
#define SAVE_OLDVAL( var, typ ) const typ OLDVAL( var ) = var
/* CBMC specification: capture old value for values passed by */
/* reference in function abstractions */
#define OBJ( var ) ( * var )
#define OLDOBJ( var ) _oldobj_ ## var
#define SAVE_OLDOBJ( var, typ ) const typ OLDOBJ( var ) = OBJ( var )
/* CBMC debugging: printfs for expressions */
#define __CPROVER_printf( var ) { uint32_t ValueOf_ ## var = ( uint32_t ) var; }
#define __CPROVER_printf2( str, exp ) { uint32_t ValueOf_ ## str = ( uint32_t ) ( exp ); }
/* CBMC debugging: printfs for pointer expressions */
#define __CPROVER_printf_ptr( var ) { uint8_t * ValueOf_ ## var = ( uint8_t * ) var; }
#define __CPROVER_printf2_ptr( str, exp ) { uint8_t * ValueOf_ ## str = ( uint8_t * ) ( exp ); }
/*
* An assertion that pvPortMalloc returns NULL when asked to allocate 0 bytes.
* This assertion is used in some of the TaskPool proofs.
*/
#define __CPROVER_assert_zero_allocation() \
__CPROVER_assert( pvPortMalloc( 0 ) == NULL, \
"pvPortMalloc allows zero-allocated memory." )
/*
* A stub for pvPortMalloc that nondeterministically chooses to return
* either NULL or an allocation of the requested space. The stub is
* guaranteed to return NULL when asked to allocate 0 bytes.
* This stub is used in some of the TaskPool proofs.
*/
void * pvPortMalloc( size_t xWantedSize )
{
if( xWantedSize == 0 )
{
return NULL;
}
return nondet_bool() ? malloc( xWantedSize ) : NULL;
}
void vPortFree( void * pv )
{
( void ) pv;
free( pv );
}

255
kernel/FreeRTOS/Test/CBMC/include/portmacro.h Normal file
View File

@ -0,0 +1,255 @@
/*
* FreeRTOS V202212.01
* Copyright (C) 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Permission is hereby granted, free of charge, to any person obtaining a copy of
* this software and associated documentation files (the "Software"), to deal in
* the Software without restriction, including without limitation the rights to
* use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
* the Software, and to permit persons to whom the Software is furnished to do so,
* subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
* FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
* COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
* IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*
* https://www.FreeRTOS.org
* https://github.com/FreeRTOS
*
*/
#ifndef PORTMACRO_H
#define PORTMACRO_H
/*
* portmacro.h is an architecture specific file defining certain
* constants and declaring certain functions.
*
* This portmacro file is defined in the CBMC directory and aims
* to be architecture-independent, with all constants defined with '#ifndef'.
* Hence, each proof can override the definitions they want to modify
* in the proof-specific makefiles and the remaining constants will take
* default values from the definitions in this file.
*
* The default values in this portmacro are a combination of the
* values from the portmacros of FreeRTOSKernel/portable/MSVC-MingW
* and FreeRTOSKernel/portable/IAR/ARM_CM33/non_secure.
* They cover almost all the constants needed in the kernel.
* If a specific proof needs some constant not available in this
* file, one can directly define the constant in that proof's makefile.
* To add additional constants to this file, use the '#ifndef' style
* from below to ensure that the constants can be overridden in
* specific proofs.
*/
/******************************************************************************
* Defines
******************************************************************************/
/* Type definitions. */
#ifndef portCHAR
#define portCHAR char
#endif
#ifndef portFLOAT
#define portFLOAT float
#endif
#ifndef portDOUBLE
#define portDOUBLE double
#endif
#ifndef portLONG
#define portLONG long
#endif
#ifndef portSHORT
#define portSHORT short
#endif
#ifndef portSTACK_TYPE
#define portSTACK_TYPE size_t
#endif
#ifndef portBASE_TYPE
#define portBASE_TYPE long
#endif
#ifndef portPOINTER_SIZE_TYPE
#define portPOINTER_SIZE_TYPE size_t
#endif
typedef portSTACK_TYPE StackType_t;
typedef long BaseType_t;
typedef unsigned long UBaseType_t;
#if ( configUSE_16_BIT_TICKS == 1 )
typedef uint16_t TickType_t;
#define portMAX_DELAY ( TickType_t ) 0xffff
#else
typedef uint32_t TickType_t;
#define portMAX_DELAY ( TickType_t ) 0xffffffffUL
/* 32/64-bit tick type on a 32/64-bit architecture, so reads of the tick
* count do not need to be guarded with a critical section. */
#define portTICK_TYPE_IS_ATOMIC 1
#endif
/* Hardware specifics. */
#ifndef portSTACK_GROWTH
#define portSTACK_GROWTH ( -1 )
#endif
#ifndef portTICK_PERIOD_MS
#define portTICK_PERIOD_MS ( ( TickType_t ) 1000 / configTICK_RATE_HZ )
#endif
#ifndef portINLINE
#define portINLINE __inline
#endif
#if defined( __x86_64__ ) || defined( _M_X64 )
#define portBYTE_ALIGNMENT 8
#else
#define portBYTE_ALIGNMENT 4
#endif
#define portYIELD() vPortGenerateSimulatedInterrupt( portINTERRUPT_YIELD )
extern volatile BaseType_t xInsideInterrupt;
/*#define portSOFTWARE_BARRIER() while( xInsideInterrupt != pdFALSE ) */
/* Simulated interrupts return pdFALSE if no context switch should be performed,
* or a non-zero number if a context switch should be performed. */
#define portYIELD_FROM_ISR( x ) ( void ) x
#define portEND_SWITCHING_ISR( x ) portYIELD_FROM_ISR( ( x ) )
void vPortCloseRunningThread( void * pvTaskToDelete,
volatile BaseType_t * pxPendYield );
void vPortDeleteThread( void * pvThreadToDelete );
#define portCLEAN_UP_TCB( pxTCB ) vPortDeleteThread( pxTCB )
#define portPRE_TASK_DELETE_HOOK( pvTaskToDelete, pxPendYield ) vPortCloseRunningThread( ( pvTaskToDelete ), ( pxPendYield ) )
#define portDISABLE_INTERRUPTS() vPortEnterCritical()
#define portENABLE_INTERRUPTS() vPortExitCritical()
/* Critical section handling. */
void vPortEnterCritical( void );
void vPortExitCritical( void );
#define portENTER_CRITICAL() vPortEnterCritical()
#define portEXIT_CRITICAL() vPortExitCritical()
#ifndef configUSE_PORT_OPTIMISED_TASK_SELECTION
#define configUSE_PORT_OPTIMISED_TASK_SELECTION 1
#endif
#if configUSE_PORT_OPTIMISED_TASK_SELECTION == 1
/* Check the configuration. */
#if ( configMAX_PRIORITIES > 32 )
#error configUSE_PORT_OPTIMISED_TASK_SELECTION can only be set to 1 when configMAX_PRIORITIES is less than or equal to 32. It is very rare that a system requires more than 10 to 15 difference priorities as tasks that share a priority will time slice.
#endif
/* Store/clear the ready priorities in a bit map. */
#define portRECORD_READY_PRIORITY( uxPriority, uxReadyPriorities ) ( uxReadyPriorities ) |= ( 1UL << ( uxPriority ) )
#define portRESET_READY_PRIORITY( uxPriority, uxReadyPriorities ) ( uxReadyPriorities ) &= ~( 1UL << ( uxPriority ) )
/*-----------------------------------------------------------*/
#ifdef __GNUC__
#define portGET_HIGHEST_PRIORITY( uxTopPriority, uxReadyPriorities ) \
__asm volatile ( "bsr %1, %0\n\t" \
: "=r" ( uxTopPriority ) : "rm" ( uxReadyPriorities ) : "cc" )
#else
/* BitScanReverse returns the bit position of the most significant '1'
* in the word. */
#define portGET_HIGHEST_PRIORITY( uxTopPriority, uxReadyPriorities ) _BitScanReverse( ( DWORD * ) &( uxTopPriority ), ( uxReadyPriorities ) )
#endif /* __GNUC__ */
#endif /* taskRECORD_READY_PRIORITY */
#ifndef __GNUC__
__pragma( warning( disable:4211 ) ) /* Nonstandard extension used, as extern is only nonstandard to MSVC. */
#endif
/* Task function macros as described on the FreeRTOS.org WEB site. */
#define portTASK_FUNCTION_PROTO( vFunction, pvParameters ) void vFunction( void * pvParameters )
#define portTASK_FUNCTION( vFunction, pvParameters ) void vFunction( void * pvParameters )
#ifndef portINTERRUPT_YIELD
#define portINTERRUPT_YIELD ( 0UL )
#endif
#ifndef portINTERRUPT_TICK
#define portINTERRUPT_TICK ( 1UL )
#endif
/*
* Raise a simulated interrupt represented by the bit mask in ulInterruptMask.
* Each bit can be used to represent an individual interrupt - with the first
* two bits being used for the Yield and Tick interrupts respectively.
*/
void vPortGenerateSimulatedInterrupt( uint32_t ulInterruptNumber );
/*
* Install an interrupt handler to be called by the simulated interrupt handler
* thread. The interrupt number must be above any used by the kernel itself
* (at the time of writing the kernel was using interrupt numbers 0, 1, and 2
* as defined above). The number must also be lower than 32.
*
* Interrupt handler functions must return a non-zero value if executing the
* handler resulted in a task switch being required.
*/
void vPortSetInterruptHandler( uint32_t ulInterruptNumber,
uint32_t ( * pvHandler )( void ) );
/*
* MPU regions Macros
*/
#ifndef configTOTAL_MPU_REGIONS
#define configTOTAL_MPU_REGIONS ( 10UL )
#endif
#ifndef portPRIVILEGED_FLASH_REGION
#define portPRIVILEGED_FLASH_REGION ( 0UL )
#endif
#ifndef portUNPRIVILEGED_FLASH_REGION
#define portUNPRIVILEGED_FLASH_REGION ( 1UL )
#endif
#ifndef portUNPRIVILEGED_SYSCALLS_REGION
#define portUNPRIVILEGED_SYSCALLS_REGION ( 2UL )
#endif
#ifndef portPRIVILEGED_RAM_REGION
#define portPRIVILEGED_RAM_REGION ( 3UL )
#endif
#ifndef portSTACK_REGION
#define portSTACK_REGION ( 4UL )
#endif
#ifndef portFIRST_CONFIGURABLE_REGION
#define portFIRST_CONFIGURABLE_REGION ( 5UL )
#endif
#ifndef portLAST_CONFIGURABLE_REGION
#define portLAST_CONFIGURABLE_REGION ( configTOTAL_MPU_REGIONS - 1UL )
#endif
#ifndef portNUM_CONFIGURABLE_REGIONS
#define portNUM_CONFIGURABLE_REGIONS ( ( portLAST_CONFIGURABLE_REGION - portFIRST_CONFIGURABLE_REGION ) + 1 )
#endif
#ifndef portTOTAL_NUM_REGIONS
#define portTOTAL_NUM_REGIONS ( portNUM_CONFIGURABLE_REGIONS + 1 ) /* Plus one to make space for the stack region. */
#endif
#ifndef portUSING_MPU_WRAPPERS
#define portUSING_MPU_WRAPPERS 0
#endif
typedef struct MPURegionSettings
{
uint32_t ulRBAR; /**< RBAR for the region. */
uint32_t ulRLAR; /**< RLAR for the region. */
} MPURegionSettings_t;
typedef struct MPU_SETTINGS
{
uint32_t ulMAIR0; /**< MAIR0 for the task containing attributes for all the 4 per task regions. */
MPURegionSettings_t xRegionsSettings[ portTOTAL_NUM_REGIONS ]; /**< Settings for 4 per task regions. */
} xMPU_SETTINGS;
#endif /* closes #ifndef PORTMACRO_H */

172
kernel/FreeRTOS/Test/CBMC/include/queue_init.h Normal file
View File

@ -0,0 +1,172 @@
#include "FreeRTOS.h"
#include "queue.h"
#include "queue_datastructure.h"
#ifndef CBMC_OBJECT_BITS
#define CBMC_OBJECT_BITS 7
#endif
#ifndef CBMC_OBJECT_MAX_SIZE
#define CBMC_OBJECT_MAX_SIZE ( UINT32_MAX >> ( CBMC_OBJECT_BITS + 1 ) )
#endif
/* Using prvCopyDataToQueue together with prvNotifyQueueSetContainer
* leads to a problem space explosion. Therefore, we use this stub
* and a sepearted proof on prvCopyDataToQueue to deal with it.
* As prvNotifyQueueSetContainer is disabled if configUSE_QUEUE_SETS != 1,
* in other cases the original implementation should be used. */
#if ( configUSE_QUEUE_SETS == 1 )
BaseType_t prvCopyDataToQueue( Queue_t * const pxQueue,
const void * pvItemToQueue,
const BaseType_t xPosition )
{
if( pxQueue->uxItemSize > ( UBaseType_t ) 0 )
{
__CPROVER_assert( __CPROVER_r_ok( pvItemToQueue, ( size_t ) pxQueue->uxItemSize ), "pvItemToQueue region must be readable" );
if( xPosition == queueSEND_TO_BACK )
{
__CPROVER_assert( __CPROVER_w_ok( ( void * ) pxQueue->pcWriteTo, ( size_t ) pxQueue->uxItemSize ), "pxQueue->pcWriteTo region must be writable" );
}
else
{
__CPROVER_assert( __CPROVER_w_ok( ( void * ) pxQueue->u.xQueue.pcReadFrom, ( size_t ) pxQueue->uxItemSize ), "pxQueue->u.xQueue.pcReadFrom region must be writable" );
}
return pdFALSE;
}
else
{
return nondet_BaseType_t();
}
}
#endif /* if ( configUSE_QUEUE_SETS == 1 ) */
/* xQueueCreateSet is compiled out if configUSE_QUEUE_SETS != 1.*/
#if ( configUSE_QUEUE_SETS == 1 )
QueueSetHandle_t xUnconstrainedQueueSet()
{
UBaseType_t uxEventQueueLength = 2;
QueueSetHandle_t xSet = xQueueCreateSet( uxEventQueueLength );
if( xSet )
{
xSet->cTxLock = nondet_int8_t();
__CPROVER_assume( xSet->cTxLock != 127 );
xSet->cRxLock = nondet_int8_t();
xSet->uxMessagesWaiting = nondet_UBaseType_t();
xSet->xTasksWaitingToReceive.uxNumberOfItems = nondet_UBaseType_t();
/* This is an invariant checked with a couple of asserts in the code base.
* If it is false from the beginning, the CBMC proofs are not able to succeed*/
__CPROVER_assume( xSet->uxMessagesWaiting < xSet->uxLength );
xSet->xTasksWaitingToSend.uxNumberOfItems = nondet_UBaseType_t();
}
return xSet;
}
#endif /* if ( configUSE_QUEUE_SETS == 1 ) */
/* Create a mostly unconstrained Queue but bound the max item size.
* This is required for performance reasons in CBMC at the moment. */
QueueHandle_t xUnconstrainedQueueBoundedItemSize( UBaseType_t uxItemSizeBound )
{
UBaseType_t uxQueueLength;
UBaseType_t uxItemSize;
uint8_t ucQueueType;
__CPROVER_assume( uxQueueLength > 0 );
__CPROVER_assume( uxItemSize < uxItemSizeBound );
/* QueueGenericCreate method does not check for multiplication overflow */
size_t uxQueueStorageSize;
__CPROVER_assume( uxQueueStorageSize < CBMC_OBJECT_MAX_SIZE );
__CPROVER_assume( uxItemSize < uxQueueStorageSize / uxQueueLength );
QueueHandle_t xQueue =
xQueueGenericCreate( uxQueueLength, uxItemSize, ucQueueType );
if( xQueue )
{
xQueue->cTxLock = nondet_int8_t();
__CPROVER_assume( xQueue->cTxLock != 127 );
xQueue->cRxLock = nondet_int8_t();
__CPROVER_assume( xQueue->cRxLock != 127 );
xQueue->uxMessagesWaiting = nondet_UBaseType_t();
/* This is an invariant checked with a couple of asserts in the code base.
* If it is false from the beginning, the CBMC proofs are not able to succeed*/
__CPROVER_assume( xQueue->uxMessagesWaiting < xQueue->uxLength );
xQueue->xTasksWaitingToReceive.uxNumberOfItems = nondet_UBaseType_t();
xQueue->xTasksWaitingToSend.uxNumberOfItems = nondet_UBaseType_t();
#if ( configUSE_QUEUE_SETS == 1 )
xQueueAddToSet( xQueue, xUnconstrainedQueueSet() );
#endif
}
return xQueue;
}
/* Create a mostly unconstrained Queue */
QueueHandle_t xUnconstrainedQueue( void )
{
UBaseType_t uxQueueLength;
UBaseType_t uxItemSize;
uint8_t ucQueueType;
__CPROVER_assume( uxQueueLength > 0 );
/* QueueGenericCreate method does not check for multiplication overflow */
size_t uxQueueStorageSize;
__CPROVER_assume( uxQueueStorageSize < CBMC_OBJECT_MAX_SIZE );
__CPROVER_assume( uxItemSize < uxQueueStorageSize / uxQueueLength );
QueueHandle_t xQueue =
xQueueGenericCreate( uxQueueLength, uxItemSize, ucQueueType );
if( xQueue )
{
xQueue->cTxLock = nondet_int8_t();
__CPROVER_assume( xQueue->cTxLock != 127 );
xQueue->cRxLock = nondet_int8_t();
xQueue->uxMessagesWaiting = nondet_UBaseType_t();
/* This is an invariant checked with a couple of asserts in the code base.
* If it is false from the beginning, the CBMC proofs are not able to succeed*/
__CPROVER_assume( xQueue->uxMessagesWaiting < xQueue->uxLength );
xQueue->xTasksWaitingToReceive.uxNumberOfItems = nondet_UBaseType_t();
xQueue->xTasksWaitingToSend.uxNumberOfItems = nondet_UBaseType_t();
#if ( configUSE_QUEUE_SETS == 1 )
xQueueAddToSet( xQueue, xUnconstrainedQueueSet() );
#endif
}
return xQueue;
}
/* Create a mostly unconstrained Mutex */
QueueHandle_t xUnconstrainedMutex( void )
{
uint8_t ucQueueType;
QueueHandle_t xQueue =
xQueueCreateMutex( ucQueueType );
if( xQueue )
{
xQueue->cTxLock = nondet_int8_t();
__CPROVER_assume( xQueue->cTxLock != 127 );
xQueue->cRxLock = nondet_int8_t();
xQueue->uxMessagesWaiting = nondet_UBaseType_t();
/* This is an invariant checked with a couple of asserts in the code base.
* If it is false from the beginning, the CBMC proofs are not able to succeed*/
__CPROVER_assume( xQueue->uxMessagesWaiting < xQueue->uxLength );
xQueue->xTasksWaitingToReceive.uxNumberOfItems = nondet_UBaseType_t();
xQueue->xTasksWaitingToSend.uxNumberOfItems = nondet_UBaseType_t();
#if ( configUSE_QUEUE_SETS == 1 )
xQueueAddToSet( xQueue, xUnconstrainedQueueSet() );
#endif
}
return xQueue;
}

11
kernel/FreeRTOS/Test/CBMC/include/tasksStubs.h Normal file
View File

@ -0,0 +1,11 @@
#ifndef INC_TASK_STUBS_H
#define INC_TASK_STUBS_H
#include "FreeRTOS.h"
#include "task.h"
BaseType_t xState;
void vInitTaskCheckForTimeOut( BaseType_t maxCounter,
BaseType_t maxCounter_limit );
#endif /* INC_TASK_STUBS_H */

2
kernel/FreeRTOS/Test/CBMC/patches/.gitattributes vendored Normal file
View File

@ -0,0 +1,2 @@
# It seems git apply does not want crlf line endings on Windows
*.patch eol=lf

2
kernel/FreeRTOS/Test/CBMC/patches/.gitignore vendored Normal file
View File

@ -0,0 +1,2 @@
auto_patch*
patched

66
kernel/FreeRTOS/Test/CBMC/patches/0005-Remove-volatile-qualifier-from-tasks-variables.patch Normal file
View File

@ -0,0 +1,66 @@
This patch removes the volatile qualifier from some global variable
declarations in the tasks.c file. For task pool proofs, we are running
`goto-instrument` with the `--nondet-volatile` flag on, which causes reads from
volatile variable to be nondeterministic (i.e., any possible value can be
returned). This is actually the desired behavior for volatile variables
regarding verification purposes. However, this causes a lot of trouble when
such variables are pointers, since one of the possible values we can get when
dereferencing a volatile pointer is `NULL`.
In the case of `uxPendedTicks`, a non-volatile copy of the variable is done
before the following loop in tasks.c (lines 2231-2255):
{
UBaseType_t uxPendedCounts = uxPendedTicks; /* Non-volatile copy. */
if( uxPendedCounts > ( UBaseType_t ) 0U )
{
do
{
if( xTaskIncrementTick() != pdFALSE )
{
xYieldPending = pdTRUE;
}
else
{
mtCOVERAGE_TEST_MARKER();
}
--uxPendedCounts;
} while( uxPendedCounts > ( UBaseType_t ) 0U );
uxPendedTicks = 0;
}
else
{
mtCOVERAGE_TEST_MARKER();
}
}
Here, `uxPendedTicks` could return any value, making it impossible to unwind
(or unroll) this loop in CBMC. Therefore, we require `uxPendedTicks` to behave
as a regular variable so that the loop can be unwound.
diff --git a/FreeRTOS/Source/tasks.c b/FreeRTOS/Source/tasks.c
index c7be57cb2..9f76465d5 100644
--- a/FreeRTOS/Source/tasks.c
+++ b/FreeRTOS/Source/tasks.c
@@ -343,8 +343,8 @@ PRIVILEGED_DATA TCB_t * volatile pxCurrentTCB = NULL;
PRIVILEGED_DATA static List_t pxReadyTasksLists[ configMAX_PRIORITIES ]; /*< Prioritised ready tasks. */
PRIVILEGED_DATA static List_t xDelayedTaskList1; /*< Delayed tasks. */
PRIVILEGED_DATA static List_t xDelayedTaskList2; /*< Delayed tasks (two lists are used - one for delays that have overflowed the current tick count. */
-PRIVILEGED_DATA static List_t * volatile pxDelayedTaskList; /*< Points to the delayed task list currently being used. */
-PRIVILEGED_DATA static List_t * volatile pxOverflowDelayedTaskList; /*< Points to the delayed task list currently being used to hold tasks that have overflowed the current tick count. */
+PRIVILEGED_DATA static List_t * pxDelayedTaskList; /*< Points to the delayed task list currently being used. */
+PRIVILEGED_DATA static List_t * pxOverflowDelayedTaskList; /*< Points to the delayed task list currently being used to hold tasks that have overflowed the current tick count. */
PRIVILEGED_DATA static List_t xPendingReadyList; /*< Tasks that have been readied while the scheduler was suspended. They will be moved to the ready list when the scheduler is resumed. */
#if ( INCLUDE_vTaskDelete == 1 )
@@ -371,7 +371,7 @@ PRIVILEGED_DATA static volatile UBaseType_t uxCurrentNumberOfTasks = ( UBaseType
PRIVILEGED_DATA static volatile TickType_t xTickCount = ( TickType_t ) configINITIAL_TICK_COUNT;
PRIVILEGED_DATA static volatile UBaseType_t uxTopReadyPriority = tskIDLE_PRIORITY;
PRIVILEGED_DATA static volatile BaseType_t xSchedulerRunning = pdFALSE;
-PRIVILEGED_DATA static volatile TickType_t xPendedTicks = ( TickType_t ) 0U;
+PRIVILEGED_DATA static TickType_t xPendedTicks = ( TickType_t ) 0U;
PRIVILEGED_DATA static volatile BaseType_t xYieldPending = pdFALSE;
PRIVILEGED_DATA static volatile BaseType_t xNumOfOverflows = ( BaseType_t ) 0;
PRIVILEGED_DATA static UBaseType_t uxTaskNumber = ( UBaseType_t ) 0U;

22
kernel/FreeRTOS/Test/CBMC/patches/0005-remove-static-from-prvCopyDataToQueue.patch Normal file
View File

@ -0,0 +1,22 @@
diff --git a/FreeRTOS/Source/queue.c b/FreeRTOS/Source/queue.c
index 08d3799da..6681a34f1 100644
--- a/FreeRTOS/Source/queue.c
+++ b/FreeRTOS/Source/queue.c
@@ -193,7 +193,7 @@ static BaseType_t prvIsQueueFull( const Queue_t * pxQueue ) PRIVILEGED_FUNCTION;
* Copies an item into the queue, either at the front of the queue or the
* back of the queue.
*/
-static BaseType_t prvCopyDataToQueue( Queue_t * const pxQueue,
+BaseType_t prvCopyDataToQueue( Queue_t * const pxQueue,
const void * pvItemToQueue,
const BaseType_t xPosition ) PRIVILEGED_FUNCTION;
@@ -2157,7 +2157,7 @@ void vQueueDelete( QueueHandle_t xQueue )
#endif /* configUSE_MUTEXES */
/*-----------------------------------------------------------*/
-static BaseType_t prvCopyDataToQueue( Queue_t * const pxQueue,
+BaseType_t prvCopyDataToQueue( Queue_t * const pxQueue,
const void * pvItemToQueue,
const BaseType_t xPosition )
{

22
kernel/FreeRTOS/Test/CBMC/patches/0006-Remove-static-from-prvNotifyQueueSetContainer.patch Normal file
View File

@ -0,0 +1,22 @@
diff --git a/FreeRTOS/Source/queue.c b/FreeRTOS/Source/queue.c
index 17a6964e..24a40c29 100644
--- a/FreeRTOS/Source/queue.c
+++ b/FreeRTOS/Source/queue.c
@@ -207,7 +207,7 @@ static void prvCopyDataFromQueue( Queue_t * const pxQueue, void * const pvBuffer
* Checks to see if a queue is a member of a queue set, and if so, notifies
* the queue set that the queue contains data.
*/
- static BaseType_t prvNotifyQueueSetContainer( const Queue_t * const pxQueue ) PRIVILEGED_FUNCTION;
+ BaseType_t prvNotifyQueueSetContainer( const Queue_t * const pxQueue ) PRIVILEGED_FUNCTION;
#endif
/*
@@ -2957,7 +2957,7 @@ BaseType_t xQueueIsQueueFullFromISR( const QueueHandle_t xQueue )
#if ( configUSE_QUEUE_SETS == 1 )
- static BaseType_t prvNotifyQueueSetContainer( const Queue_t * const pxQueue )
+ BaseType_t prvNotifyQueueSetContainer( const Queue_t * const pxQueue )
{
Queue_t * pxQueueSetContainer = pxQueue->pxQueueSetContainer;
BaseType_t xReturn = pdFALSE;

22
kernel/FreeRTOS/Test/CBMC/patches/0007-Remove-static-from-prvUnlockQueue.patch Normal file
View File

@ -0,0 +1,22 @@
diff --git a/FreeRTOS/Source/queue.c b/FreeRTOS/Source/queue.c
index 17a6964e..60ea3e69 100644
--- a/FreeRTOS/Source/queue.c
+++ b/FreeRTOS/Source/queue.c
@@ -175,7 +175,7 @@ typedef xQUEUE Queue_t;
* to indicate that a task may require unblocking. When the queue in unlocked
* these lock counts are inspected, and the appropriate action taken.
*/
-static void prvUnlockQueue( Queue_t * const pxQueue ) PRIVILEGED_FUNCTION;
+void prvUnlockQueue( Queue_t * const pxQueue ) PRIVILEGED_FUNCTION;
/*
* Uses a critical section to determine if there is any data in a queue.
@@ -2175,7 +2175,7 @@ static void prvCopyDataFromQueue( Queue_t * const pxQueue, void * const pvBuffer
}
/*-----------------------------------------------------------*/
-static void prvUnlockQueue( Queue_t * const pxQueue )
+void prvUnlockQueue( Queue_t * const pxQueue )
{
/* THIS FUNCTION MUST BE CALLED WITH THE SCHEDULER SUSPENDED. */

225
kernel/FreeRTOS/Test/CBMC/patches/FreeRTOSConfig.h Normal file
View File

@ -0,0 +1,225 @@
/*
* FreeRTOS V202212.01
* Copyright (C) 2020 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Permission is hereby granted, free of charge, to any person obtaining a copy of
* this software and associated documentation files (the "Software"), to deal in
* the Software without restriction, including without limitation the rights to
* use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
* the Software, and to permit persons to whom the Software is furnished to do so,
* subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
* FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
* COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
* IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*
* https://www.FreeRTOS.org
* https://github.com/FreeRTOS
*
*/
#ifndef FREERTOS_CONFIG_H
#define FREERTOS_CONFIG_H
/*-----------------------------------------------------------
* Application specific definitions.
*
* These definitions should be adjusted for your particular hardware and
* application requirements.
*
* THESE PARAMETERS ARE DESCRIBED WITHIN THE 'CONFIGURATION' SECTION OF THE
* FreeRTOS API DOCUMENTATION AVAILABLE ON THE FreeRTOS.org WEB SITE.
* https://www.FreeRTOS.org/a00110.html
*
* The bottom of this file contains some constants specific to running the UDP
* stack in this demo. Constants specific to FreeRTOS+TCP itself (rather than
* the demo) are contained in FreeRTOSIPConfig.h.
*----------------------------------------------------------*/
#define configENABLE_BACKWARD_COMPATIBILITY 1
#define configUSE_PREEMPTION 1
#define configUSE_PORT_OPTIMISED_TASK_SELECTION 0
#define configMAX_PRIORITIES ( 7 )
#define configTICK_RATE_HZ ( 1000 ) /* In this non-real time simulated environment the tick frequency has to be at least a multiple of the Win32 tick frequency, and therefore very slow. */
#define configMINIMAL_STACK_SIZE ( ( unsigned short ) 60 ) /* In this simulated case, the stack only has to hold one small structure as the real stack is part of the Win32 thread. */
#define configTOTAL_HEAP_SIZE ( ( size_t ) ( 2048U * 1024U ) )
#define configMAX_TASK_NAME_LEN ( 15 )
#define configUSE_16_BIT_TICKS 0
#define configIDLE_SHOULD_YIELD 1
#ifndef configUSE_MUTEXES
#define configUSE_MUTEXES 1
#endif
#ifndef configUSE_RECURSIVE_MUTEXES
#define configUSE_RECURSIVE_MUTEXES 1
#endif
#define configQUEUE_REGISTRY_SIZE 0
#define configUSE_APPLICATION_TASK_TAG 1
#define configUSE_COUNTING_SEMAPHORES 1
#define configUSE_ALTERNATIVE_API 0
#define configNUM_THREAD_LOCAL_STORAGE_POINTERS 3 /* FreeRTOS+FAT requires 2 pointers if a CWD is supported. */
#define configRECORD_STACK_HIGH_ADDRESS 1
/* Hook function related definitions. */
#ifndef configUSE_TICK_HOOK
#define configUSE_TICK_HOOK 0
#endif
#define configUSE_IDLE_HOOK 1
#define configUSE_MALLOC_FAILED_HOOK 1
#define configCHECK_FOR_STACK_OVERFLOW 0 /* Not applicable to the Win32 port. */
/* Software timer related definitions. */
#define configUSE_TIMERS 1
#define configTIMER_TASK_PRIORITY ( configMAX_PRIORITIES - 1 )
#define configTIMER_QUEUE_LENGTH 5
#define configTIMER_TASK_STACK_DEPTH ( configMINIMAL_STACK_SIZE * 2 )
/* Event group related definitions. */
#define configUSE_EVENT_GROUPS 1
/* Memory allocation strategy. */
#ifndef configSUPPORT_DYNAMIC_ALLOCATION
#define configSUPPORT_DYNAMIC_ALLOCATION 1
#endif
#ifndef configSUPPORT_STATIC_ALLOCATION
#define configSUPPORT_STATIC_ALLOCATION 1
#endif
/* Set the following definitions to 1 to include the API function, or zero
* to exclude the API function. */
#define INCLUDE_vTaskPrioritySet 1
#define INCLUDE_uxTaskPriorityGet 1
#define INCLUDE_vTaskDelete 1
#define INCLUDE_vTaskCleanUpResources 0
#ifndef INCLUDE_vTaskSuspend
#define INCLUDE_vTaskSuspend 1
#endif
#define INCLUDE_vTaskDelayUntil 1
#define INCLUDE_vTaskDelay 1
#define INCLUDE_uxTaskGetStackHighWaterMark 1
#ifndef INCLUDE_xTaskGetSchedulerState
#define INCLUDE_xTaskGetSchedulerState 1
#endif
#define INCLUDE_xTimerGetTimerTaskHandle 0
#define INCLUDE_xTaskGetIdleTaskHandle 0
#define INCLUDE_xQueueGetMutexHolder 1
#define INCLUDE_eTaskGetState 1
#define INCLUDE_xEventGroupSetBitsFromISR 1
#define INCLUDE_xTimerPendFunctionCall 1
#define INCLUDE_xTaskGetCurrentTaskHandle 1
#define INCLUDE_xTaskAbortDelay 1
#define configUSE_STATS_FORMATTING_FUNCTIONS 0
/* Assert call defined for debug builds. */
extern void vAssertCalled( const char * pcFile,
uint32_t ulLine );
#ifndef configASSERT
#define configASSERT( x ) if( ( x ) == 0 ) vAssertCalled( __FILE__, __LINE__ )
#endif
/* Remove logging in formal verification */
#define configPRINTF( X )
/* Non-format version thread-safe print. */
#define configPRINT_STRING( X )
/* Application specific definitions follow. **********************************/
/* If configINCLUDE_DEMO_DEBUG_STATS is set to one, then a few basic IP trace
* macros are defined to gather some UDP stack statistics that can then be viewed
* through the CLI interface. */
#define configINCLUDE_DEMO_DEBUG_STATS 1
/* The size of the global output buffer that is available for use when there
* are multiple command interpreters running at once (for example, one on a UART
* and one on TCP/IP). This is done to prevent an output buffer being defined by
* each implementation - which would waste RAM. In this case, there is only one
* command interpreter running, and it has its own local output buffer, so the
* global buffer is just set to be one byte long as it is not used and should not
* take up unnecessary RAM. */
#define configCOMMAND_INT_MAX_OUTPUT_SIZE 1
/* Only used when running in the FreeRTOS Windows simulator. Defines the
* priority of the task used to simulate Ethernet interrupts. */
#define configMAC_ISR_SIMULATOR_PRIORITY ( configMAX_PRIORITIES - 1 )
/* This demo creates a virtual network connection by accessing the raw Ethernet
* or WiFi data to and from a real network connection. Many computers have more
* than one real network port, and configNETWORK_INTERFACE_TO_USE is used to tell
* the demo which real port should be used to create the virtual port. The ports
* available are displayed on the console when the application is executed. For
* example, on my development laptop setting configNETWORK_INTERFACE_TO_USE to 4
* results in the wired network being used, while setting
* configNETWORK_INTERFACE_TO_USE to 2 results in the wireless network being
* used. */
#define configNETWORK_INTERFACE_TO_USE ( 0L )
/* The address of an echo server that will be used by the two demo echo client
* tasks:
* https://www.FreeRTOS.org/FreeRTOS-Plus/FreeRTOS_Plus_TCP/TCP_Echo_Clients.html,
* https://www.FreeRTOS.org/FreeRTOS-Plus/FreeRTOS_Plus_TCP/UDP_Echo_Clients.html. */
#define configECHO_SERVER_ADDR0 192
#define configECHO_SERVER_ADDR1 168
#define configECHO_SERVER_ADDR2 2
#define configECHO_SERVER_ADDR3 6
#define configTCP_ECHO_CLIENT_PORT 7
/* Default MAC address configuration. The demo creates a virtual network
* connection that uses this MAC address by accessing the raw Ethernet/WiFi data
* to and from a real network connection on the host PC. See the
* configNETWORK_INTERFACE_TO_USE definition above for information on how to
* configure the real network connection to use. */
#define configMAC_ADDR0 0x00
#define configMAC_ADDR1 0x11
#define configMAC_ADDR2 0x22
#define configMAC_ADDR3 0x33
#define configMAC_ADDR4 0x44
#define configMAC_ADDR5 0x21
/* Default IP address configuration. Used in ipconfigUSE_DHCP is set to 0, or
* ipconfigUSE_DHCP is set to 1 but a DNS server cannot be contacted. */
#define configIP_ADDR0 192
#define configIP_ADDR1 168
#define configIP_ADDR2 0
#define configIP_ADDR3 105
/* Default gateway IP address configuration. Used in ipconfigUSE_DHCP is set to
* 0, or ipconfigUSE_DHCP is set to 1 but a DNS server cannot be contacted. */
#define configGATEWAY_ADDR0 192
#define configGATEWAY_ADDR1 168
#define configGATEWAY_ADDR2 0
#define configGATEWAY_ADDR3 1
/* Default DNS server configuration. OpenDNS addresses are 208.67.222.222 and
* 208.67.220.220. Used in ipconfigUSE_DHCP is set to 0, or ipconfigUSE_DHCP is
* set to 1 but a DNS server cannot be contacted.*/
#define configDNS_SERVER_ADDR0 208
#define configDNS_SERVER_ADDR1 67
#define configDNS_SERVER_ADDR2 222
#define configDNS_SERVER_ADDR3 222
/* Default netmask configuration. Used in ipconfigUSE_DHCP is set to 0, or
* ipconfigUSE_DHCP is set to 1 but a DNS server cannot be contacted. */
#define configNET_MASK0 255
#define configNET_MASK1 255
#define configNET_MASK2 255
#define configNET_MASK3 0
/* The UDP port to which print messages are sent. */
#define configPRINT_PORT ( 15000 )
#define configPROFILING ( 0 )
/* Pseudo random number generator used by some demo tasks. */
extern uint32_t ulRand();
#define configRAND32() ulRand()
/* The platform that FreeRTOS is running on. */
#define configPLATFORM_NAME "WinSim"
#endif /* FREERTOS_CONFIG_H */

307
kernel/FreeRTOS/Test/CBMC/patches/FreeRTOSIPConfig.h Normal file
View File

@ -0,0 +1,307 @@
/*
* FreeRTOS V202212.01
* Copyright (C) 2017 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Permission is hereby granted, free of charge, to any person obtaining a copy of
* this software and associated documentation files (the "Software"), to deal in
* the Software without restriction, including without limitation the rights to
* use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
* the Software, and to permit persons to whom the Software is furnished to do so,
* subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
* FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
* COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
* IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*
* https://aws.amazon.com/freertos
* https://www.FreeRTOS.org
*/
/*****************************************************************************
*
* See the following URL for configuration information.
* https://www.FreeRTOS.org/FreeRTOS-Plus/FreeRTOS_Plus_TCP/TCP_IP_Configuration.html
*
*****************************************************************************/
#ifndef FREERTOS_IP_CONFIG_H
#define FREERTOS_IP_CONFIG_H
/* Set to 1 to print out debug messages. If ipconfigHAS_DEBUG_PRINTF is set to
* 1 then FreeRTOS_debug_printf should be defined to the function used to print
* out the debugging messages. */
#define ipconfigHAS_DEBUG_PRINTF 0
#if ( ipconfigHAS_DEBUG_PRINTF == 1 )
#define FreeRTOS_debug_printf( X ) configPRINTF( X )
#endif
/* Set to 1 to print out non debugging messages, for example the output of the
* FreeRTOS_netstat() command, and ping replies. If ipconfigHAS_PRINTF is set to 1
* then FreeRTOS_printf should be set to the function used to print out the
* messages. */
#define FreeRTOS_printf( X )
/* Define the byte order of the target MCU (the MCU FreeRTOS+TCP is executing
* on). Valid options are pdFREERTOS_BIG_ENDIAN and pdFREERTOS_LITTLE_ENDIAN. */
#define ipconfigBYTE_ORDER pdFREERTOS_LITTLE_ENDIAN
/* If the network card/driver includes checksum offloading (IP/TCP/UDP checksums)
* then set ipconfigDRIVER_INCLUDED_RX_IP_CHECKSUM to 1 to prevent the software
* stack repeating the checksum calculations. */
#define ipconfigDRIVER_INCLUDED_RX_IP_CHECKSUM 1
/* Several API's will block until the result is known, or the action has been
* performed, for example FreeRTOS_send() and FreeRTOS_recv(). The timeouts can be
* set per socket, using setsockopt(). If not set, the times below will be
* used as defaults. */
#define ipconfigSOCK_DEFAULT_RECEIVE_BLOCK_TIME ( 5000 )
#define ipconfigSOCK_DEFAULT_SEND_BLOCK_TIME ( 5000 )
/* Include support for DNS caching. For TCP, having a small DNS cache is very
* useful. When a cache is present, ipconfigDNS_REQUEST_ATTEMPTS can be kept low
* and also DNS may use small timeouts. If a DNS reply comes in after the DNS
* socket has been destroyed, the result will be stored into the cache. The next
* call to FreeRTOS_gethostbyname() will return immediately, without even creating
* a socket. */
#define ipconfigUSE_DNS_CACHE ( 1 )
#define ipconfigDNS_REQUEST_ATTEMPTS ( 2 )
/* The IP stack executes it its own task (although any application task can make
* use of its services through the published sockets API). ipconfigUDP_TASK_PRIORITY
* sets the priority of the task that executes the IP stack. The priority is a
* standard FreeRTOS task priority so can take any value from 0 (the lowest
* priority) to (configMAX_PRIORITIES - 1) (the highest priority).
* configMAX_PRIORITIES is a standard FreeRTOS configuration parameter defined in
* FreeRTOSConfig.h, not FreeRTOSIPConfig.h. Consideration needs to be given as to
* the priority assigned to the task executing the IP stack relative to the
* priority assigned to tasks that use the IP stack. */
#define ipconfigIP_TASK_PRIORITY ( configMAX_PRIORITIES - 2 )
/* The size, in words (not bytes), of the stack allocated to the FreeRTOS+TCP
* task. This setting is less important when the FreeRTOS Win32 simulator is used
* as the Win32 simulator only stores a fixed amount of information on the task
* stack. FreeRTOS includes optional stack overflow detection, see:
* https://www.FreeRTOS.org/Stacks-and-stack-overflow-checking.html. */
#define ipconfigIP_TASK_STACK_SIZE_WORDS ( configMINIMAL_STACK_SIZE * 5 )
/* ipconfigRAND32() is called by the IP stack to generate random numbers for
* things such as a DHCP transaction number or initial sequence number. Random
* number generation is performed via this macro to allow applications to use their
* own random number generation method. For example, it might be possible to
* generate a random number by sampling noise on an analogue input. */
extern uint32_t ulRand();
#define ipconfigRAND32() ulRand()
/* If ipconfigUSE_NETWORK_EVENT_HOOK is set to 1 then FreeRTOS+TCP will call the
* network event hook at the appropriate times. If ipconfigUSE_NETWORK_EVENT_HOOK
* is not set to 1 then the network event hook will never be called. See:
* https://www.FreeRTOS.org/FreeRTOS-Plus/FreeRTOS_Plus_UDP/API/vApplicationIPNetworkEventHook.shtml.
*/
#define ipconfigUSE_NETWORK_EVENT_HOOK 1
/* Sockets have a send block time attribute. If FreeRTOS_sendto() is called but
* a network buffer cannot be obtained then the calling task is held in the Blocked
* state (so other tasks can continue to executed) until either a network buffer
* becomes available or the send block time expires. If the send block time expires
* then the send operation is aborted. The maximum allowable send block time is
* capped to the value set by ipconfigMAX_SEND_BLOCK_TIME_TICKS. Capping the
* maximum allowable send block time prevents prevents a deadlock occurring when
* all the network buffers are in use and the tasks that process (and subsequently
* free) the network buffers are themselves blocked waiting for a network buffer.
* ipconfigMAX_SEND_BLOCK_TIME_TICKS is specified in RTOS ticks. A time in
* milliseconds can be converted to a time in ticks by dividing the time in
* milliseconds by portTICK_PERIOD_MS. */
#define ipconfigUDP_MAX_SEND_BLOCK_TIME_TICKS ( 5000U / portTICK_PERIOD_MS )
/* If ipconfigUSE_DHCP is 1 then FreeRTOS+TCP will attempt to retrieve an IP
* address, netmask, DNS server address and gateway address from a DHCP server. If
* ipconfigUSE_DHCP is 0 then FreeRTOS+TCP will use a static IP address. The
* stack will revert to using the static IP address even when ipconfigUSE_DHCP is
* set to 1 if a valid configuration cannot be obtained from a DHCP server for any
* reason. The static configuration used is that passed into the stack by the
* FreeRTOS_IPInit() function call. */
#define ipconfigUSE_DHCP 1
#define ipconfigDHCP_REGISTER_HOSTNAME 1
#define ipconfigDHCP_USES_UNICAST 1
/* If ipconfigDHCP_USES_USER_HOOK is set to 1 then the application writer must
* provide an implementation of the DHCP callback function,
* xApplicationDHCPUserHook(). */
#define ipconfigUSE_DHCP_HOOK 0
/* When ipconfigUSE_DHCP is set to 1, DHCP requests will be sent out at
* increasing time intervals until either a reply is received from a DHCP server
* and accepted, or the interval between transmissions reaches
* ipconfigMAXIMUM_DISCOVER_TX_PERIOD. The IP stack will revert to using the
* static IP address passed as a parameter to FreeRTOS_IPInit() if the
* re-transmission time interval reaches ipconfigMAXIMUM_DISCOVER_TX_PERIOD without
* a DHCP reply being received. */
#define ipconfigMAXIMUM_DISCOVER_TX_PERIOD \
( 120000U / portTICK_PERIOD_MS )
/* The ARP cache is a table that maps IP addresses to MAC addresses. The IP
* stack can only send a UDP message to a remove IP address if it knowns the MAC
* address associated with the IP address, or the MAC address of the router used to
* contact the remote IP address. When a UDP message is received from a remote IP
* address the MAC address and IP address are added to the ARP cache. When a UDP
* message is sent to a remote IP address that does not already appear in the ARP
* cache then the UDP message is replaced by a ARP message that solicits the
* required MAC address information. ipconfigARP_CACHE_ENTRIES defines the maximum
* number of entries that can exist in the ARP table at any one time. */
#define ipconfigARP_CACHE_ENTRIES 6
/* ARP requests that do not result in an ARP response will be re-transmitted a
* maximum of ipconfigMAX_ARP_RETRANSMISSIONS times before the ARP request is
* aborted. */
#define ipconfigMAX_ARP_RETRANSMISSIONS ( 5 )
/* ipconfigMAX_ARP_AGE defines the maximum time between an entry in the ARP
* table being created or refreshed and the entry being removed because it is stale.
* New ARP requests are sent for ARP cache entries that are nearing their maximum
* age. ipconfigMAX_ARP_AGE is specified in tens of seconds, so a value of 150 is
* equal to 1500 seconds (or 25 minutes). */
#define ipconfigMAX_ARP_AGE 150
/* Implementing FreeRTOS_inet_addr() necessitates the use of string handling
* routines, which are relatively large. To save code space the full
* FreeRTOS_inet_addr() implementation is made optional, and a smaller and faster
* alternative called FreeRTOS_inet_addr_quick() is provided. FreeRTOS_inet_addr()
* takes an IP in decimal dot format (for example, "192.168.0.1") as its parameter.
* FreeRTOS_inet_addr_quick() takes an IP address as four separate numerical octets
* (for example, 192, 168, 0, 1) as its parameters. If
* ipconfigINCLUDE_FULL_INET_ADDR is set to 1 then both FreeRTOS_inet_addr() and
* FreeRTOS_indet_addr_quick() are available. If ipconfigINCLUDE_FULL_INET_ADDR is
* not set to 1 then only FreeRTOS_indet_addr_quick() is available. */
#define ipconfigINCLUDE_FULL_INET_ADDR 1
/* ipconfigNUM_NETWORK_BUFFER_DESCRIPTORS defines the total number of network buffer that
* are available to the IP stack. The total number of network buffers is limited
* to ensure the total amount of RAM that can be consumed by the IP stack is capped
* to a pre-determinable value. */
#ifndef ipconfigNUM_NETWORK_BUFFER_DESCRIPTORS
#define ipconfigNUM_NETWORK_BUFFER_DESCRIPTORS 60
#endif
/* A FreeRTOS queue is used to send events from application tasks to the IP
* stack. ipconfigEVENT_QUEUE_LENGTH sets the maximum number of events that can
* be queued for processing at any one time. The event queue must be a minimum of
* 5 greater than the total number of network buffers. */
#define ipconfigEVENT_QUEUE_LENGTH \
( ipconfigNUM_NETWORK_BUFFER_DESCRIPTORS + 5 )
/* The address of a socket is the combination of its IP address and its port
* number. FreeRTOS_bind() is used to manually allocate a port number to a socket
* (to 'bind' the socket to a port), but manual binding is not normally necessary
* for client sockets (those sockets that initiate outgoing connections rather than
* wait for incoming connections on a known port number). If
* ipconfigALLOW_SOCKET_SEND_WITHOUT_BIND is set to 1 then calling
* FreeRTOS_sendto() on a socket that has not yet been bound will result in the IP
* stack automatically binding the socket to a port number from the range
* socketAUTO_PORT_ALLOCATION_START_NUMBER to 0xffff. If
* ipconfigALLOW_SOCKET_SEND_WITHOUT_BIND is set to 0 then calling FreeRTOS_sendto()
* on a socket that has not yet been bound will result in the send operation being
* aborted. */
#define ipconfigALLOW_SOCKET_SEND_WITHOUT_BIND 1
/* Defines the Time To Live (TTL) values used in outgoing UDP packets. */
#define ipconfigUDP_TIME_TO_LIVE 128
/* Also defined in FreeRTOSIPConfigDefaults.h. */
#define ipconfigTCP_TIME_TO_LIVE 128
/* USE_TCP: Use TCP and all its features. */
#define ipconfigUSE_TCP ( 1 )
/* USE_WIN: Let TCP use windowing mechanism. */
#define ipconfigUSE_TCP_WIN ( 1 )
/* The MTU is the maximum number of bytes the payload of a network frame can
* contain. For normal Ethernet V2 frames the maximum MTU is 1500. Setting a
* lower value can save RAM, depending on the buffer management scheme used. If
* ipconfigCAN_FRAGMENT_OUTGOING_PACKETS is 1 then (ipconfigNETWORK_MTU - 28) must
* be divisible by 8. */
#define ipconfigNETWORK_MTU 1200U
/* Set ipconfigUSE_DNS to 1 to include a basic DNS client/resolver. DNS is used
* through the FreeRTOS_gethostbyname() API function. */
#define ipconfigUSE_DNS 1
/* If ipconfigREPLY_TO_INCOMING_PINGS is set to 1 then the IP stack will
* generate replies to incoming ICMP echo (ping) requests. */
#define ipconfigREPLY_TO_INCOMING_PINGS 1
/* If ipconfigSUPPORT_OUTGOING_PINGS is set to 1 then the
* FreeRTOS_SendPingRequest() API function is available. */
#define ipconfigSUPPORT_OUTGOING_PINGS 0
/* If ipconfigSUPPORT_SELECT_FUNCTION is set to 1 then the FreeRTOS_select()
* (and associated) API function is available. */
#define ipconfigSUPPORT_SELECT_FUNCTION 0
/* If ipconfigFILTER_OUT_NON_ETHERNET_II_FRAMES is set to 1 then Ethernet frames
* that are not in Ethernet II format will be dropped. This option is included for
* potential future IP stack developments. */
#define ipconfigFILTER_OUT_NON_ETHERNET_II_FRAMES 1
/* If ipconfigETHERNET_DRIVER_FILTERS_FRAME_TYPES is set to 1 then it is the
* responsibility of the Ethernet interface to filter out packets that are of no
* interest. If the Ethernet interface does not implement this functionality, then
* set ipconfigETHERNET_DRIVER_FILTERS_FRAME_TYPES to 0 to have the IP stack
* perform the filtering instead (it is much less efficient for the stack to do it
* because the packet will already have been passed into the stack). If the
* Ethernet driver does all the necessary filtering in hardware then software
* filtering can be removed by using a value other than 1 or 0. */
#define ipconfigETHERNET_DRIVER_FILTERS_FRAME_TYPES 1
/* The windows simulator cannot really simulate MAC interrupts, and needs to
* block occasionally to allow other tasks to run. */
#define configWINDOWS_MAC_INTERRUPT_SIMULATOR_DELAY ( 20 / portTICK_PERIOD_MS )
/* Advanced only: in order to access 32-bit fields in the IP packets with
* 32-bit memory instructions, all packets will be stored 32-bit-aligned,
* plus 16-bits. This has to do with the contents of the IP-packets: all
* 32-bit fields are 32-bit-aligned, plus 16-bit. */
#define ipconfigPACKET_FILLER_SIZE 2U
/* Define the size of the pool of TCP window descriptors. On the average, each
* TCP socket will use up to 2 x 6 descriptors, meaning that it can have 2 x 6
* outstanding packets (for Rx and Tx). When using up to 10 TP sockets
* simultaneously, one could define TCP_WIN_SEG_COUNT as 120. */
#define ipconfigTCP_WIN_SEG_COUNT 240
/* Each TCP socket has a circular buffers for Rx and Tx, which have a fixed
* maximum size. Define the size of Rx buffer for TCP sockets. */
#define ipconfigTCP_RX_BUFFER_LENGTH ( 10000 )
/* Define the size of Tx buffer for TCP sockets. */
#define ipconfigTCP_TX_BUFFER_LENGTH ( 10000 )
/* When using call-back handlers, the driver may check if the handler points to
* real program memory (RAM or flash) or just has a random non-zero value. */
#define ipconfigIS_VALID_PROG_ADDRESS( x ) ( ( x ) != NULL )
/* Include support for TCP keep-alive messages. */
#define ipconfigTCP_KEEP_ALIVE ( 1 )
#define ipconfigTCP_KEEP_ALIVE_INTERVAL ( 20 ) /* Seconds. */
/* The socket semaphore is used to unblock the MQTT task. */
#define ipconfigSOCKET_HAS_USER_SEMAPHORE ( 0 )
#define ipconfigSOCKET_HAS_USER_WAKE_CALLBACK ( 1 )
#define ipconfigUSE_CALLBACKS ( 0 )
#define portINLINE __inline
void vApplicationMQTTGetKeys( const char ** ppcRootCA,
const char ** ppcClientCert,
const char ** ppcClientPrivateKey );
#endif /* FREERTOS_IP_CONFIG_H */

24
kernel/FreeRTOS/Test/CBMC/patches/Makefile Normal file
View File

@ -0,0 +1,24 @@
BRANCH=freertos
PATCHED=patched
default:
git format-patch $(BRANCH)..$(BRANCH)-cbmc-patches
patch:
if [ ! -f $(PATCHED) ]; then \
for p in *.patch; do \
(cd ../../..; patch -p1 < CBMC/patches/$${p}) \
done; \
cat > $(PATCHED) < /dev/null; \
fi
unpatch:
git checkout ../../../lib
$(RM) $(PATCHED)
#patching file lib/FreeRTOS-Plus-TCP/include/FreeRTOS_IP_Private.h
#patching file lib/include/private/list.h
#patching file lib/FreeRTOS-Plus-TCP/source/FreeRTOS_DHCP.c
#patching file lib/FreeRTOS-Plus-TCP/source/FreeRTOS_DNS.c
#patching file lib/FreeRTOS-Plus-TCP/source/FreeRTOS_TCP_WIN.c

6
kernel/FreeRTOS/Test/CBMC/patches/README.md Normal file
View File

@ -0,0 +1,6 @@
This directory includes patches to FreeRTOS required to run the CBMC proofs.
The patches fall into three classes:
* First is a refactoring of prvCheckOptions
* Second is the removal of static attributes from some functions
* Third is two patches dealing with shortcomings of CBMC that should be removed soon.

0
kernel/FreeRTOS/Test/CBMC/patches/__init__.py Executable file
View File

241
kernel/FreeRTOS/Test/CBMC/patches/compute_patch.py Executable file
View File

@ -0,0 +1,241 @@
#!/usr/bin/env python3
#
# Generation of patches for CBMC proofs.
#
# Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
import json
import os
import re
import subprocess
import textwrap
import unittest
from patches_constants import PATCHES_DIR
from patches_constants import HEADERS
DEFINE_REGEX_MAKEFILE = re.compile(r"(?:['\"])?([\w]+)")
DEFINE_REGEX_HEADER = re.compile(r"\s*#\s*define\s*([\w]+)")
class DirtyGitError(Exception):
pass
class PatchCreationError(Exception):
pass
def prolog():
return textwrap.dedent("""\
This script generates patch files for the header files used
in the cbmc proof. These patches permit setting values of preprocessor
macros as part of the proof configuration.
""")
def find_all_defines():
"""Collects all define values in Makefile.json.
Some of the Makefiles use # in the json to make comments.
As this is non standard json, we need to remove the comment
lines before parsing. Then we extract all defines from the file.
"""
defines = set()
proof_dir = os.path.abspath(os.path.join(PATCHES_DIR, "..", "proofs"))
for fldr, _, fyles in os.walk(proof_dir):
if "Makefile.json" in fyles:
file = os.path.join(fldr, "Makefile.json")
key = "DEF"
elif "MakefileCommon.json" in fyles:
file = os.path.join(fldr, "MakefileCommon.json")
key = "DEF "
else:
continue
with open(file, "r") as source:
content = "".join([line for line in source
if line and not line.strip().startswith("#")])
makefile = json.loads(content)
if key in makefile.keys():
"""This regex parses the define declaration in Makefile.json
'macro(x)=false' is an example for a declaration.
'macro' is expected to be matched.
"""
for define in makefile[key]:
matched = DEFINE_REGEX_MAKEFILE.match(define)
if matched:
defines.add(matched.group(1))
return defines
def manipulate_headerfile(defines, header_file):
"""Wraps all defines used in an ifndef."""
# This regex matches the actual define in the header file.
modified_content = ""
with open(header_file, "r") as source:
last = ""
for line in source:
match = DEFINE_REGEX_HEADER.match(line)
if (match and
match.group(1) in defines and
not last.lstrip().startswith("#ifndef")):
full_def = line
# this loop deals with multiline definitions
while line.rstrip().endswith("\\"):
line = next(source)
full_def += line
# indentation for multiline definitions can be improved
modified_content += textwrap.dedent("""\
#ifndef {target}
{original}\
#endif
""".format(target=match.group(1), original=full_def))
else:
modified_content += line
last = line
with open(header_file, "w") as output:
output.write(modified_content)
def header_dirty(header_files):
"""Check that the header_file is not previously modified."""
# Git does not update the modified file list returned by diff-files on
# apply -R (at least not on MacOS).
# Running git status updates git's internal state.
status = subprocess.run(["git", "status"], stdout=subprocess.DEVNULL,
stderr=subprocess.PIPE, universal_newlines=True)
diff_state = subprocess.run(["git", "diff-files"], stdout=subprocess.PIPE,
stderr=subprocess.PIPE, universal_newlines=True)
if status.returncode:
raise DirtyGitError(textwrap.dedent("""\
Could not run git status. Exited: {}
stderr: {}
""".format(status.returncode, status.stderr)))
if diff_state.returncode:
raise DirtyGitError(textwrap.dedent("""\
Could not run git diff-files. Exited: {}
stderr: {}
""".format(diff_state.returncode, diff_state.stderr)))
for header_file in header_files:
if os.path.basename(header_file) + "\n" in diff_state.stdout:
return True
return False
def create_patch(defines, header_file):
"""Computes a patch enclosing defines used in CBMC proofs with #ifndef."""
manipulate_headerfile(defines, header_file)
patch = subprocess.run(["git", "diff", header_file],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE, universal_newlines=True)
cleaned = subprocess.run(["git", "checkout", "--", header_file],
stdout=subprocess.DEVNULL,
stderr=subprocess.PIPE, universal_newlines=True)
if patch.returncode:
raise PatchCreationError(textwrap.dedent("""\
git diff exited with error code: {}
stderr: {}
""".format(patch.returncode, patch.stderr)))
if cleaned.returncode:
raise DirtyGitError(textwrap.dedent("""\
git checkout for cleaning files failed with error code: {}
on file {}
stderr: {}
""".format(cleaned.returncode, header_file, cleaned.stderr)))
header_path_part = header_file.replace(os.sep, "_")
path_name = "auto_patch_" + header_path_part + ".patch"
path_name = os.path.join(PATCHES_DIR, path_name)
if patch.stdout:
with open(path_name, "w") as patch_file:
patch_file.write(patch.stdout)
def create_patches(headers):
defines = find_all_defines()
if not header_dirty(headers):
for header in headers:
create_patch(defines, header)
else:
raise DirtyGitError(textwrap.dedent("""\
It seems like one of the header files is in dirty state.
This script cannot patch files in dirty state.
"""))
# Invoke 'python3 -m unittest compute_patch.py" for running tests.
class TestDefineRegexes(unittest.TestCase):
def test_makefile_regex(self):
input1 = "ipconfigETHERNET_MINIMUM_PACKET_BYTES={MINIMUM_PACKET_BYTES}"
input2 = "ipconfigETHERNET_MINIMUM_PACKET_BYTES=50"
input3 = "'configASSERT(X)=__CPROVER_assert(x, \"must hold\")'"
input4 = '"configASSERT (X)=__CPROVER_assert(x, "must hold")"'
input5 = "configASSERT(X)=__CPROVER_assert(x,\"must hold\")"
match1 = DEFINE_REGEX_MAKEFILE.match(input1)
match2 = DEFINE_REGEX_MAKEFILE.match(input2)
match3 = DEFINE_REGEX_MAKEFILE.match(input3)
match4 = DEFINE_REGEX_MAKEFILE.match(input4)
match5 = DEFINE_REGEX_MAKEFILE.match(input5)
self.assertIsNotNone(match1)
self.assertIsNotNone(match2)
self.assertIsNotNone(match3)
self.assertIsNotNone(match4)
self.assertIsNotNone(match5)
self.assertEqual(match1.group(1),
"ipconfigETHERNET_MINIMUM_PACKET_BYTES")
self.assertEqual(match2.group(1),
"ipconfigETHERNET_MINIMUM_PACKET_BYTES")
self.assertEqual(match3.group(1), "configASSERT")
self.assertEqual(match4.group(1), "configASSERT")
self.assertEqual(match5.group(1), "configASSERT")
def test_header_regex(self):
input1 = ("#define configASSERT( x ) if( ( x ) == 0 )" +
"vAssertCalled( __FILE__, __LINE__ )")
input2 = "#define ipconfigMAX_ARP_RETRANSMISSIONS ( 5 )"
input3 = "#define ipconfigINCLUDE_FULL_INET_ADDR 1"
match1 = DEFINE_REGEX_HEADER.match(input1)
match2 = DEFINE_REGEX_HEADER.match(input2)
match3 = DEFINE_REGEX_HEADER.match(input3)
self.assertIsNotNone(match1)
self.assertIsNotNone(match2)
self.assertIsNotNone(match3)
self.assertEqual(match1.group(1), "configASSERT")
self.assertEqual(match2.group(1), "ipconfigMAX_ARP_RETRANSMISSIONS")
self.assertEqual(match3.group(1), "ipconfigINCLUDE_FULL_INET_ADDR")
if __name__ == '__main__':
create_patches(HEADERS)

36
kernel/FreeRTOS/Test/CBMC/patches/patch.py Executable file
View File

@ -0,0 +1,36 @@
#!/usr/bin/env python3
import logging
import os
import subprocess
import sys
from glob import glob
from patches_constants import PATCHES_DIR
def patch():
if os.path.isfile("patched"):
sys.exit()
applied_patches = []
failed_patches = []
for tmpfile in glob(os.path.join(PATCHES_DIR, "*.patch")):
print("patch", tmpfile)
result = subprocess.run(["git", "apply", "--ignore-space-change", "--ignore-whitespace", tmpfile],
cwd=os.path.join("..", "..", "..", ".."))
if result.returncode:
failed_patches.append(tmpfile)
logging.error("patching failed: %s", tmpfile)
else:
applied_patches.append(tmpfile)
with open(os.path.join(PATCHES_DIR, "patched"), "w") as outp:
print("Success:", file=outp)
print("\n".join(map(lambda x: "\t" + x, applied_patches)), file=outp)
print("Failure:", file=outp)
print("\n".join(map(lambda x: "\t" + x, failed_patches)), file=outp)
if __name__ == "__main__":
patch()

42
kernel/FreeRTOS/Test/CBMC/patches/patches_constants.py Executable file
View File

@ -0,0 +1,42 @@
#!/usr/bin/env python3
#
# Constants for the generation of patches for CBMC proofs.
#
# Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
import os
PATCHES_DIR = os.path.dirname(os.path.abspath(__file__))
shared_prefix = [
"."
]
shared_prefix_port = [
"..", "..", "..", "Source", "portable", "MSVC-MingW"
]
absolute_prefix = os.path.abspath(os.path.join(PATCHES_DIR, *shared_prefix))
absolute_prefix_port = os.path.abspath(os.path.join(PATCHES_DIR, *shared_prefix_port))
HEADERS = [os.path.join(absolute_prefix, "FreeRTOSConfig.h"),
os.path.join(absolute_prefix, "FreeRTOSIPConfig.h"),
os.path.join(absolute_prefix_port, "portmacro.h")]

42
kernel/FreeRTOS/Test/CBMC/patches/unpatch.py Executable file
View File

@ -0,0 +1,42 @@
#!/usr/bin/env python3
#
# unpatching changes for the CBMC proofs.
#
# Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
import subprocess
import os
import sys
from glob import glob
from patches_constants import PATCHES_DIR
try:
os.remove(os.path.join(PATCHES_DIR, "patched"))
except FileNotFoundError:
print("Nothing to do here.")
sys.exit(0)
for tmpfile in glob(os.path.join(PATCHES_DIR, "*.patch")):
print("unpatch", tmpfile)
result = subprocess.run(["git", "apply", "-R", "--ignore-space-change", "--ignore-whitespace", tmpfile],
cwd=os.path.join("..", "..", "..", ".."))
if result.returncode:
print("Unpatching failed: {}".format(tmpfile))

10
kernel/FreeRTOS/Test/CBMC/proofs/.gitignore vendored Normal file
View File

@ -0,0 +1,10 @@
# These files are generated by make_type_header_files.py
*_datastructure.h
Makefile
Makefile.common
cbmc-batch.yaml
**/*.txt
**/*.goto
!CMakeLists.txt

51
kernel/FreeRTOS/Test/CBMC/proofs/CBMCStubLibrary/tasksStubs.c Normal file
View File

@ -0,0 +1,51 @@
#include "FreeRTOS.h"
#include "task.h"
#include "tasksStubs.h"
#ifndef TASK_STUB_COUNTER
#define TASK_STUB_COUNTER 0;
#endif
/* 5 is a magic number, but we need some number here as a default value.
* This value is used to bound any loop depending on xTaskCheckForTimeOut
* as a loop bound. It should be overwritten in the Makefile.json adapting
* to the performance requirements of the harness. */
#ifndef TASK_STUB_COUNTER_LIMIT
#define TASK_STUB_COUNTER_LIMIT 5;
#endif
static BaseType_t xCounter = TASK_STUB_COUNTER;
static BaseType_t xCounterLimit = TASK_STUB_COUNTER_LIMIT;
BaseType_t xTaskGetSchedulerState( void )
{
return xState;
}
/* This function is another method apart from overwritting the defines to init the max
* loop bound. */
void vInitTaskCheckForTimeOut( BaseType_t maxCounter,
BaseType_t maxCounter_limit )
{
xCounter = maxCounter;
xCounterLimit = maxCounter_limit;
}
/* This is mostly called in a loop. For CBMC, we have to bound the loop
* to a max limits of calls. Therefore this Stub models a nondet timeout in
* max TASK_STUB_COUNTER_LIMIT iterations.*/
BaseType_t xTaskCheckForTimeOut( TimeOut_t * const pxTimeOut,
TickType_t * const pxTicksToWait )
{
++xCounter;
if( xCounter == xCounterLimit )
{
return pdTRUE;
}
else
{
return nondet_basetype();
}
}

40
kernel/FreeRTOS/Test/CBMC/proofs/CMakeLists.txt Normal file
View File

@ -0,0 +1,40 @@
list(APPEND cbmc_compile_options
-m32
)
list(APPEND cbmc_compile_definitions
CBMC
WINVER=0x400
_CONSOLE
_CRT_SECURE_NO_WARNINGS
_DEBUG
_WIN32_WINNT=0x0500
__PRETTY_FUNCTION__=__FUNCTION__
__free_rtos__
)
list(APPEND cbmc_compile_includes
${CMAKE_SOURCE_DIR}/Source/include
${CMAKE_SOURCE_DIR}/Source/portable/MSVC-MingW
${CMAKE_SOURCE_DIR}/Source/../../FreeRTOS-Plus/Source/FreeRTOS-Plus-TCP/source/portable/BufferManagement
${CMAKE_SOURCE_DIR}/Source/../../FreeRTOS-Plus/Source/FreeRTOS-Plus-TCP/source/include
${CMAKE_SOURCE_DIR}/Source/../../FreeRTOS-Plus/Source/FreeRTOS-Plus-TCP/source/portable/Compiler/MSVC
${cbmc_dir}/include
${cbmc_dir}/windows
)
# Remove --flag for a specific proof with list(REMOVE_ITEM cbmc_flags --flag)
list(APPEND cbmc_flags
--32
--bounds-check
--pointer-check
--div-by-zero-check
--float-overflow-check
--nan-check
--nondet-static
--pointer-overflow-check
--signed-overflow-check
--undefined-shift-check
--unsigned-overflow-check
)

173
kernel/FreeRTOS/Test/CBMC/proofs/Makefile.template Normal file
View File

@ -0,0 +1,173 @@
default: report
# ____________________________________________________________________
# CBMC binaries
#
GOTO_CC = @GOTO_CC@
GOTO_INSTRUMENT = goto-instrument
GOTO_ANALYZER = goto-analyzer
VIEWER = cbmc-viewer
# ____________________________________________________________________
# Variables
#
# Naming scheme:
# ``````````````
# FOO is the concatenation of the following:
# FOO2: Set of command line
# C_FOO: Value of $FOO common to all harnesses, set in this file
# O_FOO: Value of $FOO specific to the OS we're running on, set in the
# makefile for the operating system
# H_FOO: Value of $FOO specific to a particular harness, set in the
# makefile for that harness
ENTRY = $(H_ENTRY)
OBJS = $(H_OBJS)
INC = \
$(INC2) \
$(C_INC) $(O_INC) $(H_INC) \
# empty
CFLAGS = \
$(CFLAGS2) \
$(C_DEF) $(O_DEF) $(H_DEF) $(DEF) \
$(C_OPT) $(O_OPT) $(H_OPT) $(OPT) \
-m32 \
# empty
CBMCFLAGS = \
$(CBMCFLAGS2) \
$(C_CBMCFLAGS) $(O_CBMCFLAGS) $(H_CBMCFLAGS) \
# empty
INSTFLAGS = \
$(INSTFLAGS2) \
$(C_INSTFLAGS) $(O_INSTFLAGS) $(H_INSTFLAGS) \
# empty
# ____________________________________________________________________
# Rules
#
# Rules for patching
patch:
cd $(PROOFS)/../patches && ./patch.py
unpatch:
cd $(PROOFS)/../patches && ./unpatch.py
# ____________________________________________________________________
# Rules
#
# Rules for building the CBMC harness
C_SOURCES = $(patsubst %.goto,%.c,$(H_OBJS_EXCEPT_HARNESS))
# Build each goto-binary out-of-source (i.e. in a 'gotos' directory
# underneath each proof directory, to make it safe to build all proofs
# in parallel
OOS_OBJS = $(patsubst %.c,gotos/%.goto,$(C_SOURCES))
CWD=$(abspath .)
gotos/%.goto: %.c
mkdir -p $(dir $@)
$(GOTO_CC) @COMPILE_ONLY@ @RULE_OUTPUT@ $(INC) $(CFLAGS) @RULE_INPUT@
queue_datastructure.h: gotos/$(FREERTOS)/Source/queue.goto
python3 @TYPE_HEADER_SCRIPT@ --binary $(CWD)/gotos$(FREERTOS)/Source/queue.goto --c-file $(FREERTOS)/Source/queue.c
$(ENTRY)_harness.goto: $(ENTRY)_harness.c $(H_GENERATE_HEADER)
$(GOTO_CC) @COMPILE_ONLY@ @RULE_OUTPUT@ $(INC) $(CFLAGS) $(ENTRY)_harness.c
$(ENTRY)1.goto: $(ENTRY)_harness.goto $(OOS_OBJS)
$(GOTO_CC) @COMPILE_LINK@ @RULE_OUTPUT@ --function harness @RULE_INPUT@
$(ENTRY)2.goto: $(ENTRY)1.goto
$(GOTO_INSTRUMENT) --add-library @RULE_INPUT@ @RULE_OUTPUT@ \
> $(ENTRY)2.txt 2>&1
$(ENTRY)3.goto: $(ENTRY)2.goto
$(GOTO_INSTRUMENT) --drop-unused-functions @RULE_INPUT@ @RULE_OUTPUT@ \
> $(ENTRY)3.txt 2>&1
$(ENTRY)4.goto: $(ENTRY)3.goto
$(GOTO_INSTRUMENT) $(INSTFLAGS) --slice-global-inits @RULE_INPUT@ @RULE_OUTPUT@ \
> $(ENTRY)4.txt 2>&1
# ____________________________________________________________________
# After running goto-instrument to remove function bodies the unused
# functions need to be dropped again.
$(ENTRY)5.goto: $(ENTRY)4.goto
$(GOTO_INSTRUMENT) --drop-unused-functions @RULE_INPUT@ @RULE_OUTPUT@ \
> $(ENTRY)5.txt 2>&1
$(ENTRY).goto: $(ENTRY)5.goto
@CP@ @RULE_INPUT@ @RULE_OUTPUT@
# ____________________________________________________________________
# Rules
#
# Rules for running CBMC
goto:
$(MAKE) patch
$(MAKE) -B $(ENTRY).goto
# Ignore the return code for CBMC, so that we can still generate the
# report if the proof failed. If the proof failed, we separately fail
# the entire job using the check-cbmc-result rule.
cbmc.txt: $(ENTRY).goto
-cbmc $(CBMCFLAGS) $(SOLVER) --unwinding-assertions --trace @RULE_INPUT@ > $@ 2>&1
property.xml: $(ENTRY).goto
cbmc $(CBMCFLAGS) --unwinding-assertions --show-properties --xml-ui @RULE_INPUT@ > $@ 2>&1
coverage.xml: $(ENTRY).goto
cbmc $(CBMCFLAGS) --cover location --xml-ui @RULE_INPUT@ > $@ 2>&1
cbmc: cbmc.txt
property: property.xml
coverage: coverage.xml
report: cbmc.txt property.xml coverage.xml
$(VIEWER) \
--goto $(ENTRY).goto \
--srcdir $(FREERTOS) \
--htmldir html \
--srcexclude "(.@FORWARD_SLASH@Demo)" \
--result cbmc.txt \
--property property.xml \
--block coverage.xml
# This rule depends only on cbmc.txt and has no dependents, so it will
# not block the report from being generated if it fails. This rule is
# intended to fail if and only if the CBMC safety check that emits
# cbmc.txt yielded a proof failure.
check-cbmc-result: cbmc.txt
grep -e "^VERIFICATION SUCCESSFUL" $^
# ____________________________________________________________________
# Rules
#
# Rules for cleaning up
clean:
@RM@ $(OBJS) $(ENTRY).goto
@RM@ $(ENTRY)[0-9].goto $(ENTRY)[0-9].txt
@RM@ cbmc.txt property.xml coverage.xml TAGS TAGS-*
@RM@ *~ \#*
@RM@ queue_datastructure.h
veryclean: clean
@RM_RECURSIVE@ html
@RM_RECURSIVE@ gotos
distclean: veryclean
cd $(PROOFS)/../patches && ./unpatch.py
cd $(PROOFS) && ./make-remove-makefiles.py

47
kernel/FreeRTOS/Test/CBMC/proofs/MakefileCommon.json Normal file
View File

@ -0,0 +1,47 @@
{
"FREERTOS": [ " ../../.." ],
"PROOFS": [ "." ],
"DEF ": [
"_DEBUG",
"__free_rtos__",
"_CONSOLE",
"_WIN32_WINNT=0x0500",
"WINVER=0x400",
"_CRT_SECURE_NO_WARNINGS",
"__PRETTY_FUNCTION__=__FUNCTION__",
"CBMC",
"'configASSERT(X)='",
"'configPRECONDITION(X)=__CPROVER_assume(X)'",
"'_static='",
"'_volatile='",
"QUEUE_LENGTH=15",
"QUEUE_ITEM_SIZE=990"
],
"INC ": [
"$(FREERTOS)/Source/include",
"$(FREERTOS)/../FreeRTOS-Plus/Source/FreeRTOS-Plus-TCP/source/include",
"$(FREERTOS)/../FreeRTOS-Plus/Source/FreeRTOS-Plus-TCP/source/portable/Compiler/MSVC",
"$(FREERTOS)/../FreeRTOS-Plus/Demo/FreeRTOS_Plus_TCP_Minimal_Windows_Simulator/WinPCap",
"$(FREERTOS)/Demo/Common/include",
"$(FREERTOS)/Test/CBMC/include",
"$(FREERTOS)/Test/CBMC/patches",
"$(FREERTOS)/../FreeRTOS-Plus/Test/CBMC/windows",
"$(FREERTOS)/../FreeRTOS-Plus/Test/CBMC/windows2"
],
"CBMCFLAGS ": [
"--object-bits 7",
"--32",
"--bounds-check",
"--pointer-check"
],
"FORWARD_SLASH": ["/"],
"TYPE_HEADERS": [
"$(FREERTOS)/Source/queue.c"
]
}

36
kernel/FreeRTOS/Test/CBMC/proofs/MakefileLinux.json Normal file
View File

@ -0,0 +1,36 @@
{
"GOTO_CC": [
"goto-cc"
],
"COMPILE_LINK": [
"-o"
],
"COMPILE_ONLY": [
"-c",
"-o"
],
"RULE_INPUT": [
"$^"
],
"RULE_OUTPUT": [
"$@"
],
"RULE_GOTO": [
"%.goto : %.c"
],
"INC": [
"$(PROOFS)/../windows"
],
"RM": [
"$(RM)"
],
"RM_RECURSIVE": [
"$(RM) -r"
],
"CP": [
"cp"
],
"TYPE_HEADER_SCRIPT": [
"$(PROOFS)/make_type_header_files.py"
]
}

44
kernel/FreeRTOS/Test/CBMC/proofs/MakefileWindows.json Normal file
View File

@ -0,0 +1,44 @@
{
"DEF": [
"WIN32"
],
"GOTO_CC": [
"goto-cl"
],
"COMPILE_LINK": [
"/Fe"
],
"COMPILE_ONLY": [
"/c",
"/Fo"
],
"RULE_INPUT": [
"$**"
],
"RULE_OUTPUT": [
"$@"
],
"RULE_GOTO": [
".c.goto:"
],
"OPT": [
"/wd4210",
"/wd4127",
"/wd4214",
"/wd4201",
"/wd4244",
"/wd4310"
],
"RM": [
"del"
],
"RM_RECURSIVE": [
"del /s"
],
"CP": [
"copy"
],
"TYPE_HEADER_SCRIPT": [
"$(PROOFS)\\make_type_header_files.py"
]
}

46
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueCreateCountingSemaphore/Makefile.json Normal file
View File

@ -0,0 +1,46 @@
#
# FreeRTOS memory safety proofs with CBMC.
# Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person
# obtaining a copy of this software and associated documentation
# files (the "Software"), to deal in the Software without
# restriction, including without limitation the rights to use, copy,
# modify, merge, publish, distribute, sublicense, and/or sell copies
# of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# http://aws.amazon.com/freertos
# http://www.FreeRTOS.org
#
{
"ENTRY": "QueueCreateCountingSemaphore",
"CBMCFLAGS": [
"--unwind 1",
"--signed-overflow-check",
"--unsigned-overflow-check"
],
"OBJS": [
"$(ENTRY)_harness.goto",
"$(FREERTOS)/Source/queue.goto",
"$(FREERTOS)/Source/list.goto"
],
"DEF": [
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0"
]
}

41
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueCreateCountingSemaphore/QueueCreateCountingSemaphore_harness.c Normal file
View File

@ -0,0 +1,41 @@
/*
* FreeRTOS memory safety proofs with CBMC.
* Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Permission is hereby granted, free of charge, to any person
* obtaining a copy of this software and associated documentation
* files (the "Software"), to deal in the Software without
* restriction, including without limitation the rights to use, copy,
* modify, merge, publish, distribute, sublicense, and/or sell copies
* of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*
* https://aws.amazon.com/freertos
* https://www.FreeRTOS.org
*/
#include "FreeRTOS.h"
#include "queue.h"
#include "cbmc.h"
void harness()
{
UBaseType_t uxMaxCount;
UBaseType_t uxInitialCount;
xQueueCreateCountingSemaphore( uxMaxCount, uxInitialCount );
}

10
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueCreateCountingSemaphore/README.md Normal file
View File

@ -0,0 +1,10 @@
Assuming uxMaxCount != 0 and uxInitialCount <= uxMaxCount,
this harness proves the memory safety of QueueCreateCountingSemaphore.
This proof is a work-in-progress. Proof assumptions are described in
the harness. The proof also assumes the following functions are
memory safe and have no side effects relevant to the memory safety of
this function:
* vPortEnterCritical
* vPortExitCritical

28
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueCreateCountingSemaphore/cbmc-viewer.json Normal file
View File

@ -0,0 +1,28 @@
{ "expected-missing-functions":
[
"vApplicationTickHook",
"pxPortInitialiseStack",
"vPortCloseRunningThread",
"vPortDeleteThread",
"vPortEnterCritical",
"vPortExitCritical",
"vPortGenerateSimulatedInterrupt",
"xPortStartScheduler",
"pvTaskIncrementMutexHeldCount",
"uxTaskGetTaskNumber",
"vTaskInternalSetTimeOutState",
"vTaskMissedYield",
"vTaskPlaceOnEventList",
"vTaskPriorityDisinheritAfterTimeout",
"vTaskSuspendAll",
"xTaskGetCurrentTaskHandle",
"xTaskPriorityDisinherit",
"xTaskPriorityInherit",
"xTaskRemoveFromEventList",
"xTaskResumeAll"
],
"proof-name": "QueueCreateCountingSemaphore",
"proof-root": "Test/CBMC/proofs"
}

49
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueCreateCountingSemaphoreStatic/Makefile.json Normal file
View File

@ -0,0 +1,49 @@
#
# FreeRTOS memory safety proofs with CBMC.
# Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person
# obtaining a copy of this software and associated documentation
# files (the "Software"), to deal in the Software without
# restriction, including without limitation the rights to use, copy,
# modify, merge, publish, distribute, sublicense, and/or sell copies
# of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# http://aws.amazon.com/freertos
# http://www.FreeRTOS.org
#
{
"ENTRY": "QueueCreateCountingSemaphoreStatic",
"CBMCFLAGS": [
"--unwind 1",
"--signed-overflow-check",
"--unsigned-overflow-check"
],
"OBJS": [
"$(ENTRY)_harness.goto",
"$(FREERTOS)/Source/queue.goto",
"$(FREERTOS)/Source/list.goto"
],
"DEF": [
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0"
],
"GENERATE_HEADER": [
"queue_datastructure.h"
]
}

42
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueCreateCountingSemaphoreStatic/QueueCreateCountingSemaphoreStatic_harness.c Normal file
View File

@ -0,0 +1,42 @@
/*
* FreeRTOS memory safety proofs with CBMC.
* Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Permission is hereby granted, free of charge, to any person
* obtaining a copy of this software and associated documentation
* files (the "Software"), to deal in the Software without
* restriction, including without limitation the rights to use, copy,
* modify, merge, publish, distribute, sublicense, and/or sell copies
* of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*
* https://aws.amazon.com/freertos
* https://www.FreeRTOS.org
*/
#include "FreeRTOS.h"
#include "queue.h"
#include "cbmc.h"
void harness()
{
UBaseType_t uxMaxCount;
UBaseType_t uxInitialCount;
StaticQueue_t * pxStaticQueue = ( StaticQueue_t * ) pvPortMalloc( sizeof( StaticQueue_t ) );
xQueueCreateCountingSemaphoreStatic( uxMaxCount, uxInitialCount, pxStaticQueue );
}

11
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueCreateCountingSemaphoreStatic/README.md Normal file
View File

@ -0,0 +1,11 @@
Assuming uxMaxCount > 0, uxInitialCount <= uxMaxCount and the reference
to the storage area is not null,
this harness proves the memory saftey of QueueCreateCountingSemphoreStatic.
This proof is a work-in-progress. Proof assumptions are described in
the harness. The proof also assumes the following functions are
memory safe and have no side effects relevant to the memory safety of
this function:
* vPortEnterCritical
* vPortExitCritical

28
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueCreateCountingSemaphoreStatic/cbmc-viewer.json Normal file
View File

@ -0,0 +1,28 @@
{ "expected-missing-functions":
[
"vApplicationTickHook",
"pxPortInitialiseStack",
"vPortCloseRunningThread",
"vPortDeleteThread",
"vPortEnterCritical",
"vPortExitCritical",
"vPortGenerateSimulatedInterrupt",
"xPortStartScheduler",
"pvTaskIncrementMutexHeldCount",
"uxTaskGetTaskNumber",
"vTaskInternalSetTimeOutState",
"vTaskMissedYield",
"vTaskPlaceOnEventList",
"vTaskPriorityDisinheritAfterTimeout",
"vTaskSuspendAll",
"xTaskGetCurrentTaskHandle",
"xTaskPriorityDisinherit",
"xTaskPriorityInherit",
"xTaskRemoveFromEventList",
"xTaskResumeAll"
],
"proof-name": "QueueCreateCountingSemaphoreStatic",
"proof-root": "Test/CBMC/proofs"
}

46
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueCreateMutex/Makefile.json Normal file
View File

@ -0,0 +1,46 @@
#
# FreeRTOS memory safety proofs with CBMC.
# Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person
# obtaining a copy of this software and associated documentation
# files (the "Software"), to deal in the Software without
# restriction, including without limitation the rights to use, copy,
# modify, merge, publish, distribute, sublicense, and/or sell copies
# of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# http://aws.amazon.com/freertos
# http://www.FreeRTOS.org
#
{
"ENTRY": "QueueCreateMutex",
"CBMCFLAGS": [
"--unwind 1",
"--signed-overflow-check",
"--unsigned-overflow-check"
],
"OBJS": [
"$(ENTRY)_harness.goto",
"$(FREERTOS)/Source/queue.goto",
"$(FREERTOS)/Source/list.goto"
],
"DEF": [
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0"
]
}

39
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueCreateMutex/QueueCreateMutex_harness.c Normal file
View File

@ -0,0 +1,39 @@
/*
* FreeRTOS memory safety proofs with CBMC.
* Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Permission is hereby granted, free of charge, to any person
* obtaining a copy of this software and associated documentation
* files (the "Software"), to deal in the Software without
* restriction, including without limitation the rights to use, copy,
* modify, merge, publish, distribute, sublicense, and/or sell copies
* of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*
* https://aws.amazon.com/freertos
* https://www.FreeRTOS.org
*/
#include "FreeRTOS.h"
#include "queue.h"
#include "cbmc.h"
void harness()
{
uint8_t ucQueueType;
xQueueCreateMutex( ucQueueType );
}

14
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueCreateMutex/README.md Normal file
View File

@ -0,0 +1,14 @@
This harness proves the memory safety of QueueCreateMutex
for totally unconstrained input.
This proof is a work-in-progress. Proof assumptions are described in
the harness. The proof also assumes the following functions are
memory safe and have no side effects relevant to the memory safety of
this function:
* vPortEnterCritical
* vPortExitCritical
* vPortGenerateSimulatedInterrupt
* xTaskGetSchedulerState
* xTaskPriorityDisinherit
* xTaskRemoveFromEventList

28
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueCreateMutex/cbmc-viewer.json Normal file
View File

@ -0,0 +1,28 @@
{ "expected-missing-functions":
[
"vApplicationTickHook",
"pxPortInitialiseStack",
"vPortCloseRunningThread",
"vPortDeleteThread",
"vPortEnterCritical",
"vPortExitCritical",
"vPortGenerateSimulatedInterrupt",
"xPortStartScheduler",
"pvTaskIncrementMutexHeldCount",
"uxTaskGetTaskNumber",
"vTaskInternalSetTimeOutState",
"vTaskMissedYield",
"vTaskPlaceOnEventList",
"vTaskPriorityDisinheritAfterTimeout",
"vTaskSuspendAll",
"xTaskGetCurrentTaskHandle",
"xTaskPriorityDisinherit",
"xTaskPriorityInherit",
"xTaskRemoveFromEventList",
"xTaskResumeAll"
],
"proof-name": "QueueCreateMutex",
"proof-root": "Test/CBMC/proofs"
}

49
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueCreateMutexStatic/Makefile.json Normal file
View File

@ -0,0 +1,49 @@
#
# FreeRTOS memory safety proofs with CBMC.
# Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person
# obtaining a copy of this software and associated documentation
# files (the "Software"), to deal in the Software without
# restriction, including without limitation the rights to use, copy,
# modify, merge, publish, distribute, sublicense, and/or sell copies
# of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# http://aws.amazon.com/freertos
# http://www.FreeRTOS.org
#
{
"ENTRY": "QueueCreateMutexStatic",
"CBMCFLAGS": [
"--unwind 1",
"--signed-overflow-check",
"--unsigned-overflow-check"
],
"OBJS": [
"$(ENTRY)_harness.goto",
"$(FREERTOS)/Source/queue.goto",
"$(FREERTOS)/Source/list.goto"
],
"DEF": [
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0"
],
"GENERATE_HEADER": [
"queue_datastructure.h"
]
}

40
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueCreateMutexStatic/QueueCreateMutexStatic_harness.c Normal file
View File

@ -0,0 +1,40 @@
/*
* FreeRTOS memory safety proofs with CBMC.
* Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Permission is hereby granted, free of charge, to any person
* obtaining a copy of this software and associated documentation
* files (the "Software"), to deal in the Software without
* restriction, including without limitation the rights to use, copy,
* modify, merge, publish, distribute, sublicense, and/or sell copies
* of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*
* https://aws.amazon.com/freertos
* https://www.FreeRTOS.org
*/
#include "FreeRTOS.h"
#include "queue.h"
#include "cbmc.h"
void harness()
{
uint8_t ucQueueType;
StaticQueue_t * pxStaticQueue = ( StaticQueue_t * ) pvPortMalloc( sizeof( StaticQueue_t ) );
xQueueCreateMutexStatic( ucQueueType, pxStaticQueue );
}

15
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueCreateMutexStatic/README.md Normal file
View File

@ -0,0 +1,15 @@
Given that the passed mutex storage area is not null, the QueueCreateMutexStatic
function is memory safe.
Otherwise an assertion violation is triggered.
This proof is a work-in-progress. Proof assumptions are described in
the harness. The proof also assumes the following functions are
memory safe and have no side effects relevant to the memory safety of
this function:
* vPortEnterCritical
* vPortExitCritical
* vPortGenerateSimulatedInterrupt
* xTaskGetSchedulerState
* xTaskPriorityDisinherit

28
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueCreateMutexStatic/cbmc-viewer.json Normal file
View File

@ -0,0 +1,28 @@
{ "expected-missing-functions":
[
"vApplicationTickHook",
"pxPortInitialiseStack",
"vPortCloseRunningThread",
"vPortDeleteThread",
"vPortEnterCritical",
"vPortExitCritical",
"vPortGenerateSimulatedInterrupt",
"xPortStartScheduler",
"pvTaskIncrementMutexHeldCount",
"uxTaskGetTaskNumber",
"vTaskInternalSetTimeOutState",
"vTaskMissedYield",
"vTaskPlaceOnEventList",
"vTaskPriorityDisinheritAfterTimeout",
"vTaskSuspendAll",
"xTaskGetCurrentTaskHandle",
"xTaskPriorityDisinherit",
"xTaskPriorityInherit",
"xTaskRemoveFromEventList",
"xTaskResumeAll"
],
"proof-name": "QueueCreateMutexStatic",
"proof-root": "Test/CBMC/proofs"
}

109
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueGenericCreate/Configurations.json Normal file
View File

@ -0,0 +1,109 @@
#
# FreeRTOS memory safety proofs with CBMC.
# Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person
# obtaining a copy of this software and associated documentation
# files (the "Software"), to deal in the Software without
# restriction, including without limitation the rights to use, copy,
# modify, merge, publish, distribute, sublicense, and/or sell copies
# of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# http://aws.amazon.com/freertos
# http://www.FreeRTOS.org
#
{
"ENTRY": "QueueGenericCreate",
# A CBMC pointer is an object id followed by an offset into the object.
# The size of the offset is limited by the size of the object id.
"CBMC_OBJECT_BITS": "7",
"CBMC_OBJECT_MAX_SIZE": "\"((UINT32_MAX>>(CBMC_OBJECT_BITS+1))\"",
"CBMCFLAGS":
[
"--unwind 1",
"--signed-overflow-check",
"--unsigned-overflow-check"
],
"OBJS":
[
"$(ENTRY)_harness.goto",
"$(FREERTOS)/Source/list.goto",
"$(FREERTOS)/Source/queue.goto"
],
"DEF":
[
{
"QueueGenericCreate_default": [
"CBMC_OBJECT_BITS={CBMC_OBJECT_BITS}",
"CBMC_OBJECT_MAX_SIZE={CBMC_OBJECT_MAX_SIZE}",
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0",
"configUSE_MUTEXES=1",
"'mtCOVERAGE_TEST_MARKER()=__CPROVER_assert(1, \"Coverage marker\")'",
"configSUPPORT_STATIC_ALLOCATION=1",
"configUSE_QUEUE_SETS=0",
"configSUPPORT_DYNAMIC_ALLOCATION=1"
]
},
{
"QueueGenericCreate_noMutex": [
"CBMC_OBJECT_BITS={CBMC_OBJECT_BITS}",
"CBMC_OBJECT_MAX_SIZE={CBMC_OBJECT_MAX_SIZE}",
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0",
"configUSE_MUTEXES=0",
"configUSE_RECURSIVE_MUTEXES=0",
"'mtCOVERAGE_TEST_MARKER()=__CPROVER_assert(1, \"Coverage marker\")'",
"configSUPPORT_STATIC_ALLOCATION=1",
"configUSE_QUEUE_SETS=0",
"configSUPPORT_DYNAMIC_ALLOCATION=1"
]
},
{
"QueueGenericCreate_noSTATIC_ALLOCATION": [
"CBMC_OBJECT_BITS={CBMC_OBJECT_BITS}",
"CBMC_OBJECT_MAX_SIZE={CBMC_OBJECT_MAX_SIZE}",
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0",
"configUSE_MUTEXES=1",
"'mtCOVERAGE_TEST_MARKER()=__CPROVER_assert(1, \"Coverage marker\")'",
"configSUPPORT_STATIC_ALLOCATION=0",
"configUSE_QUEUE_SETS=0",
"configSUPPORT_DYNAMIC_ALLOCATION=1"
]
},
{
"QueueGenericCreate_useQueueSets": [
"CBMC_OBJECT_BITS={CBMC_OBJECT_BITS}",
"CBMC_OBJECT_MAX_SIZE={CBMC_OBJECT_MAX_SIZE}",
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0",
"configUSE_MUTEXES=1",
"'mtCOVERAGE_TEST_MARKER()=__CPROVER_assert(1, \"Coverage marker\")'",
"configSUPPORT_STATIC_ALLOCATION=1",
"configUSE_QUEUE_SETS=1",
"configSUPPORT_DYNAMIC_ALLOCATION=1"
]
}
],
"GENERATE_HEADER": [
"queue_datastructure.h"
]
}

45
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueGenericCreate/QueueGenericCreate_harness.c Normal file
View File

@ -0,0 +1,45 @@
/*
* FreeRTOS memory safety proofs with CBMC.
* Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Permission is hereby granted, free of charge, to any person
* obtaining a copy of this software and associated documentation
* files (the "Software"), to deal in the Software without
* restriction, including without limitation the rights to use, copy,
* modify, merge, publish, distribute, sublicense, and/or sell copies
* of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*
* https://aws.amazon.com/freertos
* https://www.FreeRTOS.org
*/
#include "FreeRTOS.h"
#include "queue.h"
#include "queue_datastructure.h"
#include "cbmc.h"
void harness()
{
UBaseType_t uxQueueLength;
UBaseType_t uxItemSize;
uint8_t ucQueueType;
/* Allow CBMC to run in a reasonable amount of time. */
__CPROVER_assume( ( uxQueueLength == QUEUE_LENGTH ) || ( uxItemSize == QUEUE_ITEM_SIZE ) );
xQueueGenericCreate( uxQueueLength, uxItemSize, ucQueueType );
}

13
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueGenericCreate/README.md Normal file
View File

@ -0,0 +1,13 @@
The harness and configurations in this folder show memory safety of
QueueGenericCreate, given the assumption made in the harness.
The principal assumption is that (uxItemSize * uxQueueLength) + sizeof(Queue_t)
does not overflow.
This proof is a work-in-progress. Proof assumptions are described in
the harness. The proof also assumes the following functions are
memory safe and have no side effects relevant to the memory safety of
this function:
* vPortEnterCritical
* vPortExitCritical

28
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueGenericCreate/cbmc-viewer.json Normal file
View File

@ -0,0 +1,28 @@
{ "expected-missing-functions":
[
"vApplicationTickHook",
"pxPortInitialiseStack",
"vPortCloseRunningThread",
"vPortDeleteThread",
"vPortEnterCritical",
"vPortExitCritical",
"vPortGenerateSimulatedInterrupt",
"xPortStartScheduler",
"pvTaskIncrementMutexHeldCount",
"uxTaskGetTaskNumber",
"vTaskInternalSetTimeOutState",
"vTaskMissedYield",
"vTaskPlaceOnEventList",
"vTaskPriorityDisinheritAfterTimeout",
"vTaskSuspendAll",
"xTaskGetCurrentTaskHandle",
"xTaskPriorityDisinherit",
"xTaskPriorityInherit",
"xTaskRemoveFromEventList",
"xTaskResumeAll"
],
"proof-name": "QueueGenericCreate",
"proof-root": "Test/CBMC/proofs"
}

73
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueGenericCreateStatic/Configurations.json Normal file
View File

@ -0,0 +1,73 @@
#
# FreeRTOS memory safety proofs with CBMC.
# Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person
# obtaining a copy of this software and associated documentation
# files (the "Software"), to deal in the Software without
# restriction, including without limitation the rights to use, copy,
# modify, merge, publish, distribute, sublicense, and/or sell copies
# of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# http://aws.amazon.com/freertos
# http://www.FreeRTOS.org
#
{
"ENTRY": "QueueGenericCreateStatic",
# A CBMC pointer is an object id followed by an offset into the object.
# The size of the offset is limited by the size of the object id.
"CBMC_OBJECT_BITS": "7",
"CBMC_OBJECT_MAX_SIZE": "\"((UINT32_MAX>>(CBMC_OBJECT_BITS+1))\"",
"CBMCFLAGS": [
"--unwind 1",
"--signed-overflow-check",
"--unsigned-overflow-check"
],
"OBJS": [
"$(ENTRY)_harness.goto",
"$(FREERTOS)/Source/queue.goto",
"$(FREERTOS)/Source/list.goto"
],
"DEF": [
{
"QeueuGenericCreateStatic_DynamicAllocation": [
"CBMC_OBJECT_BITS={CBMC_OBJECT_BITS}",
"CBMC_OBJECT_MAX_SIZE={CBMC_OBJECT_MAX_SIZE}",
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0",
"configSUPPORT_STATIC_ALLOCATION=1",
"configSUPPORT_DYNAMIC_ALLOCATION=1"
]
},
{
"QeueuGenericCreateStatic_NoDynamicAllocation": [
"CBMC_OBJECT_BITS={CBMC_OBJECT_BITS}",
"CBMC_OBJECT_MAX_SIZE={CBMC_OBJECT_MAX_SIZE}",
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0",
"configSUPPORT_STATIC_ALLOCATION=1",
"configSUPPORT_DYNAMIC_ALLOCATION=0"
]
}
],
"GENERATE_HEADER": [
"queue_datastructure.h"
]
}

52
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueGenericCreateStatic/QueueGenericCreateStatic_harness.c Normal file
View File

@ -0,0 +1,52 @@
/*
* FreeRTOS memory safety proofs with CBMC.
* Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Permission is hereby granted, free of charge, to any person
* obtaining a copy of this software and associated documentation
* files (the "Software"), to deal in the Software without
* restriction, including without limitation the rights to use, copy,
* modify, merge, publish, distribute, sublicense, and/or sell copies
* of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*
* https://aws.amazon.com/freertos
* https://www.FreeRTOS.org
*/
#include "FreeRTOS.h"
#include "queue.h"
#include "queue_datastructure.h"
#include "cbmc.h"
void harness()
{
UBaseType_t uxQueueLength;
UBaseType_t uxItemSize;
uint8_t ucQueueType;
size_t storageSize;
/* Allow CBMC to run in a reasonable amount of time. */
__CPROVER_assume( ( uxQueueLength == QUEUE_LENGTH ) || ( uxItemSize == QUEUE_ITEM_SIZE ) );
/* Prevent overflow in this harness. */
__CPROVER_assume( ( uxQueueLength > 0 ) && ( ( storageSize / uxQueueLength ) == uxItemSize ) );
uint8_t * pucQueueStorage = ( uint8_t * ) pvPortMalloc( storageSize );
StaticQueue_t * pxStaticQueue = ( StaticQueue_t * ) pvPortMalloc( sizeof( StaticQueue_t ) );
xQueueGenericCreateStatic( uxQueueLength, uxItemSize, pucQueueStorage, pxStaticQueue, ucQueueType );
}

16
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueGenericCreateStatic/README.md Normal file
View File

@ -0,0 +1,16 @@
The harness proves memory safety of
QueueGenericCreateStatic under the assumption made in the harness.
The principal assumption is that (uxItemSize * uxQueueLength) + sizeof(Queue_t)
does not overflow. Further, ucQueueStorage must only be null iff uxItemSize is null.
In addition, the passed queue storage is assumed to be allocated to the right size.
The configurations for configSUPPORT_DYNAMIC_ALLOCATION set to 0 and 1 are checked.
This proof is a work-in-progress. Proof assumptions are described in
the harness. The proof also assumes the following functions are
memory safe and have no side effects relevant to the memory safety of
this function:
* vPortEnterCritical
* vPortExitCritical

28
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueGenericCreateStatic/cbmc-viewer.json Normal file
View File

@ -0,0 +1,28 @@
{ "expected-missing-functions":
[
"vApplicationTickHook",
"pxPortInitialiseStack",
"vPortCloseRunningThread",
"vPortDeleteThread",
"vPortEnterCritical",
"vPortExitCritical",
"vPortGenerateSimulatedInterrupt",
"xPortStartScheduler",
"pvTaskIncrementMutexHeldCount",
"uxTaskGetTaskNumber",
"vTaskInternalSetTimeOutState",
"vTaskMissedYield",
"vTaskPlaceOnEventList",
"vTaskPriorityDisinheritAfterTimeout",
"vTaskSuspendAll",
"xTaskGetCurrentTaskHandle",
"xTaskPriorityDisinherit",
"xTaskPriorityInherit",
"xTaskRemoveFromEventList",
"xTaskResumeAll"
],
"proof-name": "QueueGenericCreateStatic",
"proof-root": "Test/CBMC/proofs"
}

52
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueGenericReset/Makefile.json Normal file
View File

@ -0,0 +1,52 @@
#
# FreeRTOS memory safety proofs with CBMC.
# Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person
# obtaining a copy of this software and associated documentation
# files (the "Software"), to deal in the Software without
# restriction, including without limitation the rights to use, copy,
# modify, merge, publish, distribute, sublicense, and/or sell copies
# of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# http://aws.amazon.com/freertos
# http://www.FreeRTOS.org
#
{
"ENTRY": "QueueGenericReset",
"CBMCFLAGS": [
"--unwind 1",
"--signed-overflow-check",
"--unsigned-overflow-check"
],
"OBJS": [
"$(ENTRY)_harness.goto",
"$(FREERTOS)/Source/queue.goto",
"$(FREERTOS)/Source/list.goto"
],
"DEF": [
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0"
],
"INC": [
"."
],
"GENERATE_HEADER":[
"queue_datastructure.h"
]
}

44
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueGenericReset/QueueGenericReset_harness.c Normal file
View File

@ -0,0 +1,44 @@
/*
* FreeRTOS memory safety proofs with CBMC.
* Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Permission is hereby granted, free of charge, to any person
* obtaining a copy of this software and associated documentation
* files (the "Software"), to deal in the Software without
* restriction, including without limitation the rights to use, copy,
* modify, merge, publish, distribute, sublicense, and/or sell copies
* of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*
* https://aws.amazon.com/freertos
* https://www.FreeRTOS.org
*/
#include "FreeRTOS.h"
#include "queue.h"
#include "queue_init.h"
#include "cbmc.h"
struct QueueDefinition;
void harness()
{
BaseType_t xNewQueue;
QueueHandle_t xQueue = xUnconstrainedQueue();
xQueueGenericReset( xQueue, xNewQueue );
}

12
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueGenericReset/README.md Normal file
View File

@ -0,0 +1,12 @@
Assuming that the QueueHandel_t is not null and the assumptions made
for QueueGenericCreate hold, this harness proves the memory safety of QueueGenericReset.
This proof is a work-in-progress. Proof assumptions are described in
the harness. The proof also assumes the following functions are
memory safe and have no side effects relevant to the memory safety of
this function:
* vPortEnterCritical
* vPortExitCritical
* vPortGenerateSimulatedInterrupt
* xTaskRemoveFromEventList

28
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueGenericReset/cbmc-viewer.json Normal file
View File

@ -0,0 +1,28 @@
{ "expected-missing-functions":
[
"vApplicationTickHook",
"pxPortInitialiseStack",
"vPortCloseRunningThread",
"vPortDeleteThread",
"vPortEnterCritical",
"vPortExitCritical",
"vPortGenerateSimulatedInterrupt",
"xPortStartScheduler",
"pvTaskIncrementMutexHeldCount",
"uxTaskGetTaskNumber",
"vTaskInternalSetTimeOutState",
"vTaskMissedYield",
"vTaskPlaceOnEventList",
"vTaskPriorityDisinheritAfterTimeout",
"vTaskSuspendAll",
"xTaskGetCurrentTaskHandle",
"xTaskPriorityDisinherit",
"xTaskPriorityInherit",
"xTaskRemoveFromEventList",
"xTaskResumeAll"
],
"proof-name": "QueueGenericReset",
"proof-root": "Test/CBMC/proofs"
}

75
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueGenericSend/Configurations.json Normal file
View File

@ -0,0 +1,75 @@
#
# FreeRTOS memory safety proofs with CBMC.
# Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person
# obtaining a copy of this software and associated documentation
# files (the "Software"), to deal in the Software without
# restriction, including without limitation the rights to use, copy,
# modify, merge, publish, distribute, sublicense, and/or sell copies
# of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# http://aws.amazon.com/freertos
# http://www.FreeRTOS.org
#
{
"ENTRY": "QueueGenericSend",
"LOCK_BOUND": 2,
"QUEUE_SEND_BOUND":3,
"CBMCFLAGS": [
"--unwind 1",
"--signed-overflow-check",
"--unsigned-overflow-check",
"--unwindset xQueueGenericSend.0:{QUEUE_SEND_BOUND},prvUnlockQueue.0:{LOCK_BOUND},prvUnlockQueue.1:{LOCK_BOUND}",
"--nondet-static"
],
"OBJS": [
"$(ENTRY)_harness.goto",
"$(FREERTOS)/Source/queue.goto",
"$(FREERTOS)/Source/list.goto",
"$(FREERTOS)/Test/CBMC/proofs/CBMCStubLibrary/tasksStubs.goto"
],
"DEF": [
{
"QueueGenericSend_noQueueSets": [
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0",
"'mtCOVERAGE_TEST_MARKER()=__CPROVER_assert(1, \"Coverage marker\")'",
"configUSE_QUEUE_SETS=0",
"LOCK_BOUND={LOCK_BOUND}",
"QUEUE_SEND_BOUND={QUEUE_SEND_BOUND}"
]
},
{
"QueueGenericSend_QueueSets": [
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0",
"'mtCOVERAGE_TEST_MARKER()=__CPROVER_assert(1, \"Coverage marker\")'",
"configUSE_QUEUE_SETS=1",
"LOCK_BOUND={LOCK_BOUND}",
"QUEUE_SEND_BOUND={QUEUE_SEND_BOUND}"
]
}
],
"INC": [
"."
],
"GENERATE_HEADER":[
"queue_datastructure.h"
]
}

145
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueGenericSend/QueueGenericSend_harness.c Normal file
View File

@ -0,0 +1,145 @@
/*
* FreeRTOS memory safety proofs with CBMC.
* Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Permission is hereby granted, free of charge, to any person
* obtaining a copy of this software and associated documentation
* files (the "Software"), to deal in the Software without
* restriction, including without limitation the rights to use, copy,
* modify, merge, publish, distribute, sublicense, and/or sell copies
* of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*
* https://aws.amazon.com/freertos
* https://www.FreeRTOS.org
*/
#include "FreeRTOS.h"
#include "queue.h"
#include "queue_init.h"
#include "tasksStubs.h"
#include "cbmc.h"
#ifndef LOCK_BOUND
#define LOCK_BOUND 4
#endif
#ifndef QUEUE_SEND_BOUND
#define QUEUE_SEND_BOUND 4
#endif
#if ( configUSE_QUEUE_SETS == 0 )
BaseType_t prvCopyDataToQueue( Queue_t * const pxQueue,
const void * pvItemToQueue,
const BaseType_t xPosition )
{
if( pxQueue->uxItemSize > ( UBaseType_t ) 0 )
{
__CPROVER_assert( __CPROVER_r_ok( pvItemToQueue, ( size_t ) pxQueue->uxItemSize ), "pvItemToQueue region must be readable" );
if( xPosition == queueSEND_TO_BACK )
{
__CPROVER_assert( __CPROVER_w_ok( ( void * ) pxQueue->pcWriteTo, ( size_t ) pxQueue->uxItemSize ), "pxQueue->pcWriteTo region must be writable" );
}
else
{
__CPROVER_assert( __CPROVER_w_ok( ( void * ) pxQueue->u.xQueue.pcReadFrom, ( size_t ) pxQueue->uxItemSize ), "pxQueue->u.xQueue.pcReadFrom region must be writable" );
}
return pdFALSE;
}
else
{
return nondet_BaseType_t();
}
}
#else /* if ( configUSE_QUEUE_SETS == 0 ) */
BaseType_t prvNotifyQueueSetContainer( const Queue_t * const pxQueue )
{
Queue_t * pxQueueSetContainer = pxQueue->pxQueueSetContainer;
configASSERT( pxQueueSetContainer );
}
void prvUnlockQueue( Queue_t * const pxQueue )
{
configASSERT( pxQueue );
if( pxQueue->pxQueueSetContainer != NULL )
{
prvNotifyQueueSetContainer( pxQueue );
}
listLIST_IS_EMPTY( &( pxQueue->xTasksWaitingToReceive ) );
pxQueue->cTxLock = queueUNLOCKED;
listLIST_IS_EMPTY( &( pxQueue->xTasksWaitingToSend ) );
pxQueue->cRxLock = queueUNLOCKED;
}
#endif /* if ( configUSE_QUEUE_SETS == 0 ) */
void harness()
{
/*Initialise the tasksStubs */
vInitTaskCheckForTimeOut( 0, QUEUE_SEND_BOUND - 1 );
xState = nondet_basetype();
QueueHandle_t xQueue =
xUnconstrainedQueueBoundedItemSize( 2 );
TickType_t xTicksToWait;
if( xState == taskSCHEDULER_SUSPENDED )
{
xTicksToWait = 0;
}
if( xQueue )
{
void * pvItemToQueue = pvPortMalloc( xQueue->uxItemSize );
BaseType_t xCopyPosition;
if( xCopyPosition == queueOVERWRITE )
{
xQueue->uxLength = 1;
}
if( xQueue->uxItemSize == 0 )
{
/* uxQueue->xQueueType is a pointer to the head of the queue storage area.
* If an item has a sice, this pointer must not be modified after init.
* Otherwise some of the write statements will fail. */
xQueue->uxQueueType = nondet_int8_t();
pvItemToQueue = 0;
}
/* This code checks explicitly for violations of the pxQueue->uxMessagesWaiting < pxQueue->uxLength
* invariant. */
xQueue->uxMessagesWaiting = nondet_UBaseType_t();
/* These values are decremented during a while loop interacting with task.c.
* This interaction is currently abstracted away.*/
xQueue->cTxLock = LOCK_BOUND - 1;
xQueue->cRxLock = LOCK_BOUND - 1;
if( !pvItemToQueue )
{
xQueue->uxItemSize = 0;
}
xQueueGenericSend( xQueue, pvItemToQueue, xTicksToWait, xCopyPosition );
}
}

19
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueGenericSend/README.md Normal file
View File

@ -0,0 +1,19 @@
The harness in this folder proves the memory safety of QueueGenericSend
with and without QueueSets. It is abstracting away the task pool and concurrency
related functions and assumes the parameters to be initialized to valid data structures.
Further, prvCopyDataToQueue, prvUnlockQueue and prvNotifyQueueSetContainer are abstracted away.
This proof is a work-in-progress. Proof assumptions are described in
the harness. The proof also assumes the following functions are
memory safe and have no side effects relevant to the memory safety of
this function:
* vPortEnterCritical
* vPortExitCritical
* vPortGenerateSimulatedInterrupt
* vTaskInternalSetTimeOutState
* vTaskMissedYield
* vTaskPlaceOnEventList
* vTaskSuspendAll
* xTaskRemoveFromEventList
* xTaskResumeAll

28
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueGenericSend/cbmc-viewer.json Normal file
View File

@ -0,0 +1,28 @@
{ "expected-missing-functions":
[
"vApplicationTickHook",
"pxPortInitialiseStack",
"vPortCloseRunningThread",
"vPortDeleteThread",
"vPortEnterCritical",
"vPortExitCritical",
"vPortGenerateSimulatedInterrupt",
"xPortStartScheduler",
"pvTaskIncrementMutexHeldCount",
"uxTaskGetTaskNumber",
"vTaskInternalSetTimeOutState",
"vTaskMissedYield",
"vTaskPlaceOnEventList",
"vTaskPriorityDisinheritAfterTimeout",
"vTaskSuspendAll",
"xTaskGetCurrentTaskHandle",
"xTaskPriorityDisinherit",
"xTaskPriorityInherit",
"xTaskRemoveFromEventList",
"xTaskResumeAll"
],
"proof-name": "QueueGenericSend",
"proof-root": "Test/CBMC/proofs"
}

67
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueGenericSendFromISR/Configurations.json Normal file
View File

@ -0,0 +1,67 @@
#
# FreeRTOS memory safety proofs with CBMC.
# Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person
# obtaining a copy of this software and associated documentation
# files (the "Software"), to deal in the Software without
# restriction, including without limitation the rights to use, copy,
# modify, merge, publish, distribute, sublicense, and/or sell copies
# of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# http://aws.amazon.com/freertos
# http://www.FreeRTOS.org
#
{
"ENTRY": "QueueGenericSendFromISR",
"CBMCFLAGS": [
"--unwind 1",
"--signed-overflow-check",
"--unsigned-overflow-check",
"--nondet-static"
],
"OBJS": [
"$(ENTRY)_harness.goto",
"$(FREERTOS)/Source/queue.goto",
"$(FREERTOS)/Source/list.goto"
],
"DEF": [
{
"QueueGenericSendFromISR_noQueueSets": [
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0",
"'mtCOVERAGE_TEST_MARKER()=__CPROVER_assert(1, \"Coverage marker\")'",
"configUSE_QUEUE_SETS=0"
]
},
{
"QueueGenericSendFromISR_QueueSets": [
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0",
"'mtCOVERAGE_TEST_MARKER()=__CPROVER_assert(1, \"Coverage marker\")'",
"configUSE_QUEUE_SETS=1"
]
}
],
"INC": [
"."
],
"GENERATE_HEADER":[
"queue_datastructure.h"
]
}

102
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueGenericSendFromISR/QueueGenericSendFromISR_harness.c Normal file
View File

@ -0,0 +1,102 @@
/*
* FreeRTOS memory safety proofs with CBMC.
* Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Permission is hereby granted, free of charge, to any person
* obtaining a copy of this software and associated documentation
* files (the "Software"), to deal in the Software without
* restriction, including without limitation the rights to use, copy,
* modify, merge, publish, distribute, sublicense, and/or sell copies
* of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*
* https://aws.amazon.com/freertos
* https://www.FreeRTOS.org
*/
#include "FreeRTOS.h"
#include "queue.h"
#include "queue_init.h"
#include "cbmc.h"
#ifndef ITEM_BOUND
#define ITEM_BOUND 10
#endif
#if ( configUSE_QUEUE_SETS == 0 )
BaseType_t prvCopyDataToQueue( Queue_t * const pxQueue,
const void * pvItemToQueue,
const BaseType_t xPosition )
{
if( pxQueue->uxItemSize > ( UBaseType_t ) 0 )
{
__CPROVER_assert( __CPROVER_r_ok( pvItemToQueue, ( size_t ) pxQueue->uxItemSize ), "pvItemToQueue region must be readable" );
if( xPosition == queueSEND_TO_BACK )
{
__CPROVER_assert( __CPROVER_w_ok( ( void * ) pxQueue->pcWriteTo, ( size_t ) pxQueue->uxItemSize ), "pxQueue->pcWriteTo region must be writable" );
}
else
{
__CPROVER_assert( __CPROVER_w_ok( ( void * ) pxQueue->u.xQueue.pcReadFrom, ( size_t ) pxQueue->uxItemSize ), "pxQueue->u.xQueue.pcReadFrom region must be writable" );
}
return pdFALSE;
}
else
{
return nondet_BaseType_t();
}
}
#endif /* if ( configUSE_QUEUE_SETS == 0 ) */
void harness()
{
QueueHandle_t xQueue = xUnconstrainedQueueBoundedItemSize( ITEM_BOUND );
if( xQueue )
{
void * pvItemToQueue = pvPortMalloc( xQueue->uxItemSize );
BaseType_t * xHigherPriorityTaskWoken = pvPortMalloc( sizeof( BaseType_t ) );
BaseType_t xCopyPosition;
if( xQueue->uxItemSize == 0 )
{
/* uxQueue->xQueueType is a pointer to the head of the queue storage area.
* If an item has a size, this pointer must not be modified after init.
* Otherwise some of the write statements will fail. */
xQueue->uxQueueType = nondet_int8_t();
pvItemToQueue = 0;
}
/* This code checks explicitly for violations of the pxQueue->uxMessagesWaiting < pxQueue->uxLength
* invariant. */
xQueue->uxMessagesWaiting = nondet_UBaseType_t();
if( !pvItemToQueue )
{
xQueue->uxItemSize = 0;
}
if( xCopyPosition == 2 )
{
__CPROVER_assume( xQueue->uxLength == 1 );
}
xQueueGenericSendFromISR( xQueue, pvItemToQueue, xHigherPriorityTaskWoken, xCopyPosition );
}
}

12
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueGenericSendFromISR/README.md Normal file
View File

@ -0,0 +1,12 @@
The harness in this folder proves the memory safety of QueueGenericSendFromISR
with and without QueueSets. It is abstracting away the task pool and concurrency
related functions. Further, it uses a stub for prvCopyDataToQueue.
This proof is a work-in-progress. Proof assumptions are described in
the harness. The proof also assumes the following functions are
memory safe and have no side effects relevant to the memory safety of
this function:
* vPortEnterCritical
* vPortExitCritical
* xTaskRemoveFromEventList

28
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueGenericSendFromISR/cbmc-viewer.json Normal file
View File

@ -0,0 +1,28 @@
{ "expected-missing-functions":
[
"vApplicationTickHook",
"pxPortInitialiseStack",
"vPortCloseRunningThread",
"vPortDeleteThread",
"vPortEnterCritical",
"vPortExitCritical",
"vPortGenerateSimulatedInterrupt",
"xPortStartScheduler",
"pvTaskIncrementMutexHeldCount",
"uxTaskGetTaskNumber",
"vTaskInternalSetTimeOutState",
"vTaskMissedYield",
"vTaskPlaceOnEventList",
"vTaskPriorityDisinheritAfterTimeout",
"vTaskSuspendAll",
"xTaskGetCurrentTaskHandle",
"xTaskPriorityDisinherit",
"xTaskPriorityInherit",
"xTaskRemoveFromEventList",
"xTaskResumeAll"
],
"proof-name": "QueueGenericSendFromISR",
"proof-root": "Test/CBMC/proofs"
}

52
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueGetMutexHolder/Makefile.json Normal file
View File

@ -0,0 +1,52 @@
#
# FreeRTOS memory safety proofs with CBMC.
# Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person
# obtaining a copy of this software and associated documentation
# files (the "Software"), to deal in the Software without
# restriction, including without limitation the rights to use, copy,
# modify, merge, publish, distribute, sublicense, and/or sell copies
# of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# http://aws.amazon.com/freertos
# http://www.FreeRTOS.org
#
{
"ENTRY": "QueueGetMutexHolder",
"CBMCFLAGS": [
"--unwind 1",
"--signed-overflow-check",
"--unsigned-overflow-check"
],
"OBJS": [
"$(ENTRY)_harness.goto",
"$(FREERTOS)/Source/queue.goto",
"$(FREERTOS)/Source/list.goto"
],
"DEF": [
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0"
],
"INC": [
"."
],
"GENERATE_HEADER": [
"queue_datastructure.h"
]
}

44
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueGetMutexHolder/QueueGetMutexHolder_harness.c Normal file
View File

@ -0,0 +1,44 @@
/*
* FreeRTOS memory safety proofs with CBMC.
* Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Permission is hereby granted, free of charge, to any person
* obtaining a copy of this software and associated documentation
* files (the "Software"), to deal in the Software without
* restriction, including without limitation the rights to use, copy,
* modify, merge, publish, distribute, sublicense, and/or sell copies
* of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*
* https://aws.amazon.com/freertos
* https://www.FreeRTOS.org
*/
#include "FreeRTOS.h"
#include "queue_init.h"
#include "queue.h"
#include "cbmc.h"
void harness()
{
QueueHandle_t xSemaphore = xUnconstrainedQueue();
if( xSemaphore )
{
xSemaphore->uxQueueType = nondet_uint8_t();
xQueueGetMutexHolder( xSemaphore );
}
}

10
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueGetMutexHolder/README.md Normal file
View File

@ -0,0 +1,10 @@
This harness proves the memory safety of QueueGetMutexHolder assuming the passed
semaphore is not null.
This proof is a work-in-progress. Proof assumptions are described in
the harness. The proof also assumes the following functions are
memory safe and have no side effects relevant to the memory safety of
this function:
* vPortEnterCritical
* vPortExitCritical

28
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueGetMutexHolder/cbmc-viewer.json Normal file
View File

@ -0,0 +1,28 @@
{ "expected-missing-functions":
[
"vApplicationTickHook",
"pxPortInitialiseStack",
"vPortCloseRunningThread",
"vPortDeleteThread",
"vPortEnterCritical",
"vPortExitCritical",
"vPortGenerateSimulatedInterrupt",
"xPortStartScheduler",
"pvTaskIncrementMutexHeldCount",
"uxTaskGetTaskNumber",
"vTaskInternalSetTimeOutState",
"vTaskMissedYield",
"vTaskPlaceOnEventList",
"vTaskPriorityDisinheritAfterTimeout",
"vTaskSuspendAll",
"xTaskGetCurrentTaskHandle",
"xTaskPriorityDisinherit",
"xTaskPriorityInherit",
"xTaskRemoveFromEventList",
"xTaskResumeAll"
],
"proof-name": "QueueGetMutexHolder",
"proof-root": "Test/CBMC/proofs"
}

52
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueGetMutexHolderFromISR/Makefile.json Normal file
View File

@ -0,0 +1,52 @@
#
# FreeRTOS memory safety proofs with CBMC.
# Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person
# obtaining a copy of this software and associated documentation
# files (the "Software"), to deal in the Software without
# restriction, including without limitation the rights to use, copy,
# modify, merge, publish, distribute, sublicense, and/or sell copies
# of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# http://aws.amazon.com/freertos
# http://www.FreeRTOS.org
#
{
"ENTRY": "QueueGetMutexHolderFromISR",
"CBMCFLAGS": [
"--unwind 1",
"--signed-overflow-check",
"--unsigned-overflow-check"
],
"OBJS": [
"$(ENTRY)_harness.goto",
"$(FREERTOS)/Source/queue.goto",
"$(FREERTOS)/Source/list.goto"
],
"DEF": [
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0"
],
"INC": [
"."
],
"GENERATE_HEADER": [
"queue_datastructure.h"
]
}

43
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueGetMutexHolderFromISR/QueueGetMutexHolderFromISR_harness.c Normal file
View File

@ -0,0 +1,43 @@
/*
* FreeRTOS memory safety proofs with CBMC.
* Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Permission is hereby granted, free of charge, to any person
* obtaining a copy of this software and associated documentation
* files (the "Software"), to deal in the Software without
* restriction, including without limitation the rights to use, copy,
* modify, merge, publish, distribute, sublicense, and/or sell copies
* of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*
* https://aws.amazon.com/freertos
* https://www.FreeRTOS.org
*/
#include "FreeRTOS.h"
#include "queue.h"
#include "queue_datastructure.h"
#include "cbmc.h"
void harness()
{
QueueHandle_t xSemaphore = pvPortMalloc( sizeof( Queue_t ) );
if( xSemaphore )
{
xQueueGetMutexHolderFromISR( xSemaphore );
}
}

5
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueGetMutexHolderFromISR/README.md Normal file
View File

@ -0,0 +1,5 @@
Assuming that xSemaphore is a pointer to an allocated Queue_t instance,
this harness proves the memory safety of QueueGetMutexHolderFromISR.
This proof is a work-in-progress. Proof assumptions are described in
the harness.

28
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueGetMutexHolderFromISR/cbmc-viewer.json Normal file
View File

@ -0,0 +1,28 @@
{ "expected-missing-functions":
[
"vApplicationTickHook",
"pxPortInitialiseStack",
"vPortCloseRunningThread",
"vPortDeleteThread",
"vPortEnterCritical",
"vPortExitCritical",
"vPortGenerateSimulatedInterrupt",
"xPortStartScheduler",
"pvTaskIncrementMutexHeldCount",
"uxTaskGetTaskNumber",
"vTaskInternalSetTimeOutState",
"vTaskMissedYield",
"vTaskPlaceOnEventList",
"vTaskPriorityDisinheritAfterTimeout",
"vTaskSuspendAll",
"xTaskGetCurrentTaskHandle",
"xTaskPriorityDisinherit",
"xTaskPriorityInherit",
"xTaskRemoveFromEventList",
"xTaskResumeAll"
],
"proof-name": "QueueGetMutexHolderFromISR",
"proof-root": "Test/CBMC/proofs"
}

71
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueGiveFromISR/Configurations.json Normal file
View File

@ -0,0 +1,71 @@
#
# FreeRTOS memory safety proofs with CBMC.
# Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person
# obtaining a copy of this software and associated documentation
# files (the "Software"), to deal in the Software without
# restriction, including without limitation the rights to use, copy,
# modify, merge, publish, distribute, sublicense, and/or sell copies
# of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# http://aws.amazon.com/freertos
# http://www.FreeRTOS.org
#
{
"ENTRY": "QueueGiveFromISR",
"CBMCFLAGS": [
"--unwind 1",
"--signed-overflow-check",
"--unsigned-overflow-check",
"--nondet-static"
],
"OBJS": [
"$(ENTRY)_harness.goto",
"$(FREERTOS)/Source/queue.goto",
"$(FREERTOS)/Source/list.goto"
],
"DEF": [
{
"QueueGiveFromISR_default": [
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0",
"'mtCOVERAGE_TEST_MARKER()=__CPROVER_assert(1, \"Coverage marker\")'",
"configSUPPORT_STATIC_ALLOCATION=1",
"configSUPPORT_DYNAMIC_ALLOCATION=1",
"configUSE_QUEUE_SETS=0"
]
},
{
"QueueGiveFromISR_QueueSets": [
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0",
"'mtCOVERAGE_TEST_MARKER()=__CPROVER_assert(1, \"Coverage marker\")'",
"configSUPPORT_STATIC_ALLOCATION=1",
"configSUPPORT_DYNAMIC_ALLOCATION=1",
"configUSE_QUEUE_SETS=1"
]
}
],
"INC": [
"$(FREERTOS)/Test/CBMC/proofs/CBMCStubLibrary/",
"."
],
"GENERATE_HEADER": [
"queue_datastructure.h"
]
}

45
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueGiveFromISR/QueueGiveFromISR_harness.c Normal file
View File

@ -0,0 +1,45 @@
/*
* FreeRTOS memory safety proofs with CBMC.
* Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Permission is hereby granted, free of charge, to any person
* obtaining a copy of this software and associated documentation
* files (the "Software"), to deal in the Software without
* restriction, including without limitation the rights to use, copy,
* modify, merge, publish, distribute, sublicense, and/or sell copies
* of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*
* https://aws.amazon.com/freertos
* https://www.FreeRTOS.org
*/
#include "FreeRTOS.h"
#include "queue.h"
#include "queue_init.h"
#include "cbmc.h"
void harness()
{
QueueHandle_t xQueue = xUnconstrainedMutex();
BaseType_t * xHigherPriorityTaskWoken = pvPortMalloc( sizeof( BaseType_t ) );
if( xQueue )
{
xQueue->uxMessagesWaiting = nondet_UBaseType_t();
xQueueGiveFromISR( xQueue, xHigherPriorityTaskWoken );
}
}

15
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueGiveFromISR/README.md Normal file
View File

@ -0,0 +1,15 @@
Assuming the xQueue is allocated to a valid memory block and abstracting
away concurrency and task pool related functions, this harness proves the memory
safety of QueueGiveFromISR.
This proof is a work-in-progress. Proof assumptions are described in
the harness. The proof also assumes the following functions are
memory safe and have no side effects relevant to the memory safety of
this function:
* vPortEnterCritical
* vPortExitCritical
* vPortGenerateSimulatedInterrupt
* xTaskGetSchedulerState
* xTaskPriorityDisinherit
* xTaskRemoveFromEventList

28
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueGiveFromISR/cbmc-viewer.json Normal file
View File

@ -0,0 +1,28 @@
{ "expected-missing-functions":
[
"vApplicationTickHook",
"pxPortInitialiseStack",
"vPortCloseRunningThread",
"vPortDeleteThread",
"vPortEnterCritical",
"vPortExitCritical",
"vPortGenerateSimulatedInterrupt",
"xPortStartScheduler",
"pvTaskIncrementMutexHeldCount",
"uxTaskGetTaskNumber",
"vTaskInternalSetTimeOutState",
"vTaskMissedYield",
"vTaskPlaceOnEventList",
"vTaskPriorityDisinheritAfterTimeout",
"vTaskSuspendAll",
"xTaskGetCurrentTaskHandle",
"xTaskPriorityDisinherit",
"xTaskPriorityInherit",
"xTaskRemoveFromEventList",
"xTaskResumeAll"
],
"proof-name": "QueueGiveFromISR",
"proof-root": "Test/CBMC/proofs"
}

53
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueGiveMutexRecursive/Makefile.json Normal file
View File

@ -0,0 +1,53 @@
#
# FreeRTOS memory safety proofs with CBMC.
# Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person
# obtaining a copy of this software and associated documentation
# files (the "Software"), to deal in the Software without
# restriction, including without limitation the rights to use, copy,
# modify, merge, publish, distribute, sublicense, and/or sell copies
# of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# http://aws.amazon.com/freertos
# http://www.FreeRTOS.org
#
{
"ENTRY": "QueueGiveMutexRecursive",
"CBMCFLAGS": [
"--unwind 1",
"--signed-overflow-check",
"--unsigned-overflow-check"
],
"OBJS": [
"$(ENTRY)_harness.goto",
"$(FREERTOS)/Source/queue.goto",
"$(FREERTOS)/Source/list.goto"
],
"DEF": [
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0",
"configUSE_RECURSIVE_MUTEXES=1"
],
"INC": [
"."
],
"GENERATE_HEADER": [
"queue_datastructure.h"
]
}

52
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueGiveMutexRecursive/QueueGiveMutexRecursive_harness.c Normal file
View File

@ -0,0 +1,52 @@
/*
* FreeRTOS memory safety proofs with CBMC.
* Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Permission is hereby granted, free of charge, to any person
* obtaining a copy of this software and associated documentation
* files (the "Software"), to deal in the Software without
* restriction, including without limitation the rights to use, copy,
* modify, merge, publish, distribute, sublicense, and/or sell copies
* of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*
* https://aws.amazon.com/freertos
* https://www.FreeRTOS.org
*/
#include "FreeRTOS.h"
#include "queue.h"
#include "queue_datastructure.h"
#include "cbmc.h"
void harness()
{
uint8_t ucQueueType;
QueueHandle_t xMutex =
xQueueCreateMutex( ucQueueType );
if( xMutex )
{
xMutex->uxQueueType = ucQueueType;
UBaseType_t uxCounter;
/* This assumption is explained in the queue.c file inside the method body
* xQueueGiveMutexRecursive and guards against an underflow error. */
__CPROVER_assume( uxCounter > 0 );
xMutex->u.xSemaphore.uxRecursiveCallCount = uxCounter;
xQueueGiveMutexRecursive( xMutex );
}
}

16
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueGiveMutexRecursive/README.md Normal file
View File

@ -0,0 +1,16 @@
Assuming that the xMutex parameter is initialized to a valid pointer and
abstracting concurrency and task pool related functions, this harness
proves the memory safety of QueueGiveMutexRecursive.
This proof is a work-in-progress. Proof assumptions are described in
the harness. The proof also assumes the following functions are
memory safe and have no side effects relevant to the memory safety of
this function:
* vPortEnterCritical
* vPortExitCritical
* vPortGenerateSimulatedInterrupt
* xTaskGetCurrentTaskHandle
* xTaskGetSchedulerState
* xTaskPriorityDisinherit
* xTaskRemoveFromEventList

28
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueGiveMutexRecursive/cbmc-viewer.json Normal file
View File

@ -0,0 +1,28 @@
{ "expected-missing-functions":
[
"vApplicationTickHook",
"pxPortInitialiseStack",
"vPortCloseRunningThread",
"vPortDeleteThread",
"vPortEnterCritical",
"vPortExitCritical",
"vPortGenerateSimulatedInterrupt",
"xPortStartScheduler",
"pvTaskIncrementMutexHeldCount",
"uxTaskGetTaskNumber",
"vTaskInternalSetTimeOutState",
"vTaskMissedYield",
"vTaskPlaceOnEventList",
"vTaskPriorityDisinheritAfterTimeout",
"vTaskSuspendAll",
"xTaskGetCurrentTaskHandle",
"xTaskPriorityDisinherit",
"xTaskPriorityInherit",
"xTaskRemoveFromEventList",
"xTaskResumeAll"
],
"proof-name": "QueueGiveMutexRecursive",
"proof-root": "Test/CBMC/proofs"
}

51
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueMessagesWaiting/Makefile.json Normal file
View File

@ -0,0 +1,51 @@
#
# FreeRTOS memory safety proofs with CBMC.
# Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person
# obtaining a copy of this software and associated documentation
# files (the "Software"), to deal in the Software without
# restriction, including without limitation the rights to use, copy,
# modify, merge, publish, distribute, sublicense, and/or sell copies
# of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# http://aws.amazon.com/freertos
# http://www.FreeRTOS.org
#
{
"ENTRY": "QueueMessagesWaiting",
"CBMCFLAGS": [
"--unwind 1",
"--signed-overflow-check",
"--unsigned-overflow-check"
],
"OBJS": [
"$(ENTRY)_harness.goto",
"$(FREERTOS)/Source/queue.goto",
"$(FREERTOS)/Source/list.goto"
],
"DEF": [
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0"
],
"INC": [
"."
],
"GENERATE_HEADER": [
"queue_datastructure.h"
]
}

43
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueMessagesWaiting/QueueMessagesWaiting_harness.c Normal file
View File

@ -0,0 +1,43 @@
/*
* FreeRTOS memory safety proofs with CBMC.
* Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Permission is hereby granted, free of charge, to any person
* obtaining a copy of this software and associated documentation
* files (the "Software"), to deal in the Software without
* restriction, including without limitation the rights to use, copy,
* modify, merge, publish, distribute, sublicense, and/or sell copies
* of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*
* https://aws.amazon.com/freertos
* https://www.FreeRTOS.org
*/
#include "FreeRTOS.h"
#include "queue.h"
#include "queue_datastructure.h"
#include "cbmc.h"
void harness()
{
QueueHandle_t xQueue = pvPortMalloc( sizeof( Queue_t ) );
if( xQueue )
{
uxQueueMessagesWaiting( xQueue );
}
}

12
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueMessagesWaiting/README.md Normal file
View File

@ -0,0 +1,12 @@
Assuming the parameter passed to QueueMessagesWaiting is a pointer to a Queue_t
struct, this harness proves the memory safety of QueueMessagesWaiting.
The concurrency related functions vPortEnterCrititcal and vPortExitCritical
are abstracted away.
This proof is a work-in-progress. Proof assumptions are described in
the harness. The proof also assumes the following functions are
memory safe and have no side effects relevant to the memory safety of
this function:
* vPortEnterCritical
* vPortExitCritical

28
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueMessagesWaiting/cbmc-viewer.json Normal file
View File

@ -0,0 +1,28 @@
{ "expected-missing-functions":
[
"vApplicationTickHook",
"pxPortInitialiseStack",
"vPortCloseRunningThread",
"vPortDeleteThread",
"vPortEnterCritical",
"vPortExitCritical",
"vPortGenerateSimulatedInterrupt",
"xPortStartScheduler",
"pvTaskIncrementMutexHeldCount",
"uxTaskGetTaskNumber",
"vTaskInternalSetTimeOutState",
"vTaskMissedYield",
"vTaskPlaceOnEventList",
"vTaskPriorityDisinheritAfterTimeout",
"vTaskSuspendAll",
"xTaskGetCurrentTaskHandle",
"xTaskPriorityDisinherit",
"xTaskPriorityInherit",
"xTaskRemoveFromEventList",
"xTaskResumeAll"
],
"proof-name": "QueueMessagesWaiting",
"proof-root": "Test/CBMC/proofs"
}

59
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueuePeek/Makefile.json Normal file
View File

@ -0,0 +1,59 @@
#
# FreeRTOS memory safety proofs with CBMC.
# Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person
# obtaining a copy of this software and associated documentation
# files (the "Software"), to deal in the Software without
# restriction, including without limitation the rights to use, copy,
# modify, merge, publish, distribute, sublicense, and/or sell copies
# of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# http://aws.amazon.com/freertos
# http://www.FreeRTOS.org
#
{
"ENTRY": "QueuePeek",
"LOCK_BOUND":4,
"QUEUE_PEEK_BOUND" :4,
"CBMCFLAGS": [
"--unwind 1",
"--signed-overflow-check",
"--unsigned-overflow-check",
"--unwindset prvUnlockQueue.0:{LOCK_BOUND},prvUnlockQueue.1:{LOCK_BOUND},xQueuePeek.0:{QUEUE_PEEK_BOUND}",
"--nondet-static"
],
"OBJS": [
"$(ENTRY)_harness.goto",
"$(FREERTOS)/Source/queue.goto",
"$(FREERTOS)/Source/list.goto",
"$(FREERTOS)/Test/CBMC/proofs/CBMCStubLibrary/tasksStubs.goto"
],
"DEF": [
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0",
"LOCK_BOUND={LOCK_BOUND}",
"QUEUE_PEEK_BOUND={QUEUE_PEEK_BOUND}",
"INCLUDE_xTaskGetSchedulerState=1"
],
"INC": [
"."
],
"GENERATE_HEADER": [
"queue_datastructure.h"
]
}

85
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueuePeek/QueuePeek_harness.c Normal file
View File

@ -0,0 +1,85 @@
/*
* FreeRTOS memory safety proofs with CBMC.
* Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Permission is hereby granted, free of charge, to any person
* obtaining a copy of this software and associated documentation
* files (the "Software"), to deal in the Software without
* restriction, including without limitation the rights to use, copy,
* modify, merge, publish, distribute, sublicense, and/or sell copies
* of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*
* https://aws.amazon.com/freertos
* https://www.FreeRTOS.org
*/
#include "FreeRTOS.h"
#include "queue.h"
#include "queue_init.h"
#include "tasksStubs.h"
#include "cbmc.h"
#ifndef LOCK_BOUND
#define LOCK_BOUND 4
#endif
#ifndef QUEUE_PEEK_BOUND
#define QUEUE_PEEK_BOUND 4
#endif
QueueHandle_t xQueue;
/* This method is called to initialize pxTimeOut.
* Setting up the data structure is not interesting for the proof,
* but the harness uses it to model a release
* on the queue after first check. */
void vTaskInternalSetTimeOutState( TimeOut_t * const pxTimeOut )
{
xQueue->uxMessagesWaiting = nondet_BaseType_t();
}
void harness()
{
xQueue = xUnconstrainedQueueBoundedItemSize( 10 );
/*Initialise the tasksStubs */
vInitTaskCheckForTimeOut( 0, QUEUE_PEEK_BOUND - 1 );
TickType_t xTicksToWait;
if( xState == taskSCHEDULER_SUSPENDED )
{
xTicksToWait = 0;
}
if( xQueue )
{
__CPROVER_assume( xQueue->cTxLock < LOCK_BOUND - 1 );
__CPROVER_assume( xQueue->cRxLock < LOCK_BOUND - 1 );
void * pvItemToQueue = pvPortMalloc( xQueue->uxItemSize );
/* In case malloc fails as this is otherwise an invariant violation. */
if( !pvItemToQueue )
{
xQueue->uxItemSize = 0;
}
xQueuePeek( xQueue, pvItemToQueue, xTicksToWait );
}
}

18
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueuePeek/README.md Normal file
View File

@ -0,0 +1,18 @@
Assuming xQueue and pvItemToQueue are non-null pointers allocated to the right
size, this harness proves the memory safety of QueueGenericPeek. Some of the
task pool behavior is abstracted away. Nevertheless, some of the concurrent
behavior has been modeled to allow full coverage of QueuePeek.
This proof is a work-in-progress. Proof assumptions are described in
the harness. The proof also assumes the following functions are
memory safe and have no side effects relevant to the memory safety of
this function:
* vPortEnterCritical
* vPortExitCritical
* vPortGenerateSimulatedInterrupt
* vTaskMissedYield
* vTaskPlaceOnEventList
* vTaskSuspendAll
* xTaskRemoveFromEventList
* xTaskResumeAll

28
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueuePeek/cbmc-viewer.json Normal file
View File

@ -0,0 +1,28 @@
{ "expected-missing-functions":
[
"vApplicationTickHook",
"pxPortInitialiseStack",
"vPortCloseRunningThread",
"vPortDeleteThread",
"vPortEnterCritical",
"vPortExitCritical",
"vPortGenerateSimulatedInterrupt",
"xPortStartScheduler",
"pvTaskIncrementMutexHeldCount",
"uxTaskGetTaskNumber",
"vTaskInternalSetTimeOutState",
"vTaskMissedYield",
"vTaskPlaceOnEventList",
"vTaskPriorityDisinheritAfterTimeout",
"vTaskSuspendAll",
"xTaskGetCurrentTaskHandle",
"xTaskPriorityDisinherit",
"xTaskPriorityInherit",
"xTaskRemoveFromEventList",
"xTaskResumeAll"
],
"proof-name": "QueuePeek",
"proof-root": "Test/CBMC/proofs"
}

60
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueReceive/Makefile.json Normal file
View File

@ -0,0 +1,60 @@
#
# FreeRTOS memory safety proofs with CBMC.
# Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person
# obtaining a copy of this software and associated documentation
# files (the "Software"), to deal in the Software without
# restriction, including without limitation the rights to use, copy,
# modify, merge, publish, distribute, sublicense, and/or sell copies
# of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# http://aws.amazon.com/freertos
# http://www.FreeRTOS.org
#
{
"ENTRY": "QueueReceive",
"LOCK_BOUND": 2,
"QUEUE_RECEIVE_BOUND": 3,
"CBMCFLAGS": [
"--unwind 1",
"--signed-overflow-check",
"--unsigned-overflow-check",
"--unwindset xQueueReceive.0:{QUEUE_RECEIVE_BOUND},prvUnlockQueue.0:{LOCK_BOUND},prvUnlockQueue.1:{LOCK_BOUND}",
"--nondet-static"
],
"OBJS": [
"$(ENTRY)_harness.goto",
"$(FREERTOS)/Source/queue.goto",
"$(FREERTOS)/Source/list.goto",
"$(FREERTOS)/Test/CBMC/proofs/CBMCStubLibrary/tasksStubs.goto"
],
"DEF": [
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0",
"INCLUDE_xTaskGetSchedulerState=1",
"QUEUE_RECEIVE_BOUND={QUEUE_RECEIVE_BOUND}",
"LOCK_BOUND={LOCK_BOUND}"
],
"INC": [
"."
],
"GENERATE_HEADER": [
"queue_datastructure.h"
]
}

95
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueReceive/QueueReceive_harness.c Normal file
View File

@ -0,0 +1,95 @@
/*
* FreeRTOS memory safety proofs with CBMC.
* Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Permission is hereby granted, free of charge, to any person
* obtaining a copy of this software and associated documentation
* files (the "Software"), to deal in the Software without
* restriction, including without limitation the rights to use, copy,
* modify, merge, publish, distribute, sublicense, and/or sell copies
* of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*
* https://aws.amazon.com/freertos
* https://www.FreeRTOS.org
*/
#include "FreeRTOS.h"
#include "queue.h"
#include "queue_init.h"
#include "tasksStubs.h"
#include "cbmc.h"
/* prvUnlockQueue is going to decrement this value to 0 in the loop.
* We need a bound for the loop. Using 4 has a reasonable performance resulting
* in 3 unwinding iterations of the loop. The loop is mostly modifying a
* data structure in task.c that is not in the scope of the proof. */
#ifndef LOCK_BOUND
#define LOCK_BOUND 4
#endif
/* This code checks for time outs. This value is used to bound the time out
* wait period. The stub function xTaskCheckForTimeOut used to model
* this wait time will be bounded to this define. */
#ifndef QUEUE_RECEIVE_BOUND
#define QUEUE_RECEIVE_BOUND 4
#endif
/* If the item size is not bounded, the proof does not finish in a reasonable
* time due to the involved memcpy commands. */
#ifndef MAX_ITEM_SIZE
#define MAX_ITEM_SIZE 20
#endif
QueueHandle_t xQueue;
/* This method is used to model side effects of concurrency.
* The initialization of pxTimeOut is not relevant for this harness. */
void vTaskInternalSetTimeOutState( TimeOut_t * const pxTimeOut )
{
__CPROVER_assert( __CPROVER_w_ok( &( pxTimeOut->xOverflowCount ), sizeof( BaseType_t ) ), "pxTimeOut should be a valid pointer and xOverflowCount writable" );
__CPROVER_assert( __CPROVER_w_ok( &( pxTimeOut->xTimeOnEntering ), sizeof( TickType_t ) ), "pxTimeOut should be a valid pointer and xTimeOnEntering writable" );
xQueue->uxMessagesWaiting = nondet_BaseType_t();
}
void harness()
{
vInitTaskCheckForTimeOut( 0, QUEUE_RECEIVE_BOUND - 1 );
xQueue = xUnconstrainedQueueBoundedItemSize( MAX_ITEM_SIZE );
TickType_t xTicksToWait;
if( xState == taskSCHEDULER_SUSPENDED )
{
xTicksToWait = 0;
}
if( xQueue )
{
xQueue->cTxLock = LOCK_BOUND - 1;
xQueue->cRxLock = LOCK_BOUND - 1;
void * pvBuffer = pvPortMalloc( xQueue->uxItemSize );
if( !pvBuffer )
{
xQueue->uxItemSize = 0;
}
xQueueReceive( xQueue, pvBuffer, xTicksToWait );
}
}

17
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueReceive/README.md Normal file
View File

@ -0,0 +1,17 @@
Assuming the bound described in the harness, this harness proves memory safety
for the QueueReceive function abstracting away
the task pool and concurrency functions.
This proof is a work-in-progress. Proof assumptions are described in
the harness. The proof also assumes the following functions are
memory safe and have no side effects relevant to the memory safety of
this function:
* vPortEnterCritical
* vPortExitCritical
* vPortGenerateSimulatedInterrupt
* vTaskMissedYield
* vTaskPlaceOnEventList
* vTaskSuspendAll
* xTaskRemoveFromEventList
* xTaskResumeAll

28
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueReceive/cbmc-viewer.json Normal file
View File

@ -0,0 +1,28 @@
{ "expected-missing-functions":
[
"vApplicationTickHook",
"pxPortInitialiseStack",
"vPortCloseRunningThread",
"vPortDeleteThread",
"vPortEnterCritical",
"vPortExitCritical",
"vPortGenerateSimulatedInterrupt",
"xPortStartScheduler",
"pvTaskIncrementMutexHeldCount",
"uxTaskGetTaskNumber",
"vTaskInternalSetTimeOutState",
"vTaskMissedYield",
"vTaskPlaceOnEventList",
"vTaskPriorityDisinheritAfterTimeout",
"vTaskSuspendAll",
"xTaskGetCurrentTaskHandle",
"xTaskPriorityDisinherit",
"xTaskPriorityInherit",
"xTaskRemoveFromEventList",
"xTaskResumeAll"
],
"proof-name": "QueueReceive",
"proof-root": "Test/CBMC/proofs"
}

53
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueReceiveFromISR/Makefile.json Normal file
View File

@ -0,0 +1,53 @@
#
# FreeRTOS memory safety proofs with CBMC.
# Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person
# obtaining a copy of this software and associated documentation
# files (the "Software"), to deal in the Software without
# restriction, including without limitation the rights to use, copy,
# modify, merge, publish, distribute, sublicense, and/or sell copies
# of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# http://aws.amazon.com/freertos
# http://www.FreeRTOS.org
#
{
"ENTRY": "QueueReceiveFromISR",
"CBMCFLAGS": [
"--unwind 1",
"--signed-overflow-check",
"--unsigned-overflow-check"
],
"OBJS": [
"$(ENTRY)_harness.goto",
"$(FREERTOS)/Source/queue.goto",
"$(FREERTOS)/Source/list.goto",
"$(FREERTOS)/Test/CBMC/proofs/CBMCStubLibrary/tasksStubs.goto"
],
"DEF": [
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0",
"'mtCOVERAGE_TEST_MARKER()=__CPROVER_assert(1, \"Coverage marker\")'"
],
"INC": [
"."
],
"GENERATE_HEADER": [
"queue_datastructure.h"
]
}

58
kernel/FreeRTOS/Test/CBMC/proofs/Queue/QueueReceiveFromISR/QueueReceiveFromISR_harness.c Normal file
View File

@ -0,0 +1,58 @@
/*
* FreeRTOS memory safety proofs with CBMC.
* Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Permission is hereby granted, free of charge, to any person
* obtaining a copy of this software and associated documentation
* files (the "Software"), to deal in the Software without
* restriction, including without limitation the rights to use, copy,
* modify, merge, publish, distribute, sublicense, and/or sell copies
* of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*
* https://aws.amazon.com/freertos
* https://www.FreeRTOS.org
*/
#include "FreeRTOS.h"
#include "queue.h"
#include "queue_init.h"
#include "cbmc.h"
/* If the item size is not bounded, the proof does not finish in a reasonable
* time due to the involved memcpy commands. */
#ifndef MAX_ITEM_SIZE
#define MAX_ITEM_SIZE 10
#endif
void harness()
{
QueueHandle_t xQueue =
xUnconstrainedQueueBoundedItemSize( MAX_ITEM_SIZE );
BaseType_t * xHigherPriorityTaskWoken = pvPortMalloc( sizeof( BaseType_t ) );
if( xQueue )
{
void * pvBuffer = pvPortMalloc( xQueue->uxItemSize );
if( !pvBuffer )
{
xQueue->uxItemSize = 0;
}
xQueueReceiveFromISR( xQueue, pvBuffer, xHigherPriorityTaskWoken );
}
}

Some files were not shown because too many files have changed in this diff Show More