[修改] 增加freeRTOS

1. 版本FreeRTOSv202212.01，命名为kernel；

kernel/FreeRTOS/Test/CBMC/include/README.md

@@ -0,0 +1,2 @@
+This directory contains include files used by the CBMC proofs:
+* cbmc.h defines some macros used in the proof test harnesses

kernel/FreeRTOS/Test/CBMC/include/aws_freertos_ip_verification_access_ip_define.h

@@ -0,0 +1,5 @@
+eFrameProcessingResult_t publicProcessIPPacket( IPPacket_t * const pxIPPacket,
+                                                NetworkBufferDescriptor_t * const pxNetworkBuffer )
+{
+    prvProcessIPPacket( pxIPPacket, pxNetworkBuffer );
+}

kernel/FreeRTOS/Test/CBMC/include/aws_freertos_tcp_verification_access_tcp_define.h

@@ -0,0 +1,20 @@
+int32_t publicTCPPrepareSend( FreeRTOS_Socket_t * pxSocket,
+                              NetworkBufferDescriptor_t ** ppxNetworkBuffer,
+                              UBaseType_t uxOptionsLength )
+{
+    prvTCPPrepareSend( pxSocket, ppxNetworkBuffer, uxOptionsLength );
+}
+
+BaseType_t publicTCPHandleState( FreeRTOS_Socket_t * pxSocket,
+                                 NetworkBufferDescriptor_t ** ppxNetworkBuffer )
+{
+    prvTCPHandleState( pxSocket, ppxNetworkBuffer );
+}
+
+void publicTCPReturnPacket( FreeRTOS_Socket_t * pxSocket,
+                            NetworkBufferDescriptor_t * pxNetworkBuffer,
+                            uint32_t ulLen,
+                            BaseType_t xReleaseAfterSend )
+{
+    prvTCPReturnPacket( pxSocket, pxNetworkBuffer, ulLen, xReleaseAfterSend );
+}

kernel/FreeRTOS/Test/CBMC/include/cbmc.h

@@ -0,0 +1,100 @@
+/* Standard includes. */
+#include <stdint.h>
+#include <stdio.h>
+
+/* FreeRTOS includes. */
+#include "FreeRTOS.h"
+#include "task.h"
+#include "semphr.h"
+
+/* FreeRTOS+TCP includes. */
+#include "FreeRTOS_IP.h"
+#include "FreeRTOS_Sockets.h"
+#include "FreeRTOS_IP_Private.h"
+#include "FreeRTOS_UDP_IP.h"
+#include "FreeRTOS_DNS.h"
+#include "FreeRTOS_DHCP.h"
+#include "NetworkBufferManagement.h"
+#include "NetworkInterface.h"
+
+/*
+ * CBMC models a pointer as an object id and an offset into that
+ * object.  The top bits of a pointer encode the object id and the
+ * remaining bits encode the offset.  This means there is a bound on
+ * the maximum offset into an object in CBMC, and hence a bound on the
+ * size of objects in CBMC.
+ */
+#define CBMC_BITS               7
+#define CBMC_MAX_OBJECT_SIZE    ( 0xFFFFFFFF >> ( CBMC_BITS + 1 ) )
+
+#define IMPLIES( a, b )    ( !( a ) || ( b ) )
+
+BaseType_t nondet_basetype();
+UBaseType_t nondet_ubasetype();
+TickType_t nondet_ticktype();
+int32_t nondet_int32();
+uint32_t nondet_uint32();
+size_t nondet_sizet();
+
+#define nondet_BaseType()    nondet_basetype()
+
+void * safeMalloc( size_t size );
+
+
+enum CBMC_LOOP_CONDITION
+{
+    CBMC_LOOP_BREAK, CBMC_LOOP_CONTINUE, CBMC_LOOP_RETURN
+};
+
+/* CBMC specification: capture old value for precondition and */
+/* postcondition checking */
+
+#define OLDVAL( var )              _old_ ## var
+#define SAVE_OLDVAL( var, typ )    const typ OLDVAL( var ) = var
+
+/* CBMC specification: capture old value for values passed by */
+/* reference in function abstractions */
+
+#define OBJ( var )                 ( * var )
+#define OLDOBJ( var )              _oldobj_ ## var
+#define SAVE_OLDOBJ( var, typ )    const typ OLDOBJ( var ) = OBJ( var )
+
+/* CBMC debugging: printfs for expressions */
+
+#define __CPROVER_printf( var )          { uint32_t ValueOf_ ## var = ( uint32_t ) var; }
+#define __CPROVER_printf2( str, exp )    { uint32_t ValueOf_ ## str = ( uint32_t ) ( exp ); }
+
+/* CBMC debugging: printfs for pointer expressions */
+
+#define __CPROVER_printf_ptr( var )          { uint8_t * ValueOf_ ## var = ( uint8_t * ) var; }
+#define __CPROVER_printf2_ptr( str, exp )    { uint8_t * ValueOf_ ## str = ( uint8_t * ) ( exp ); }
+
+/*
+ * An assertion that pvPortMalloc returns NULL when asked to allocate 0 bytes.
+ * This assertion is used in some of the TaskPool proofs.
+ */
+#define __CPROVER_assert_zero_allocation()       \
+    __CPROVER_assert( pvPortMalloc( 0 ) == NULL, \
+                      "pvPortMalloc allows zero-allocated memory." )
+
+/*
+ * A stub for pvPortMalloc that nondeterministically chooses to return
+ * either NULL or an allocation of the requested space.  The stub is
+ * guaranteed to return NULL when asked to allocate 0 bytes.
+ * This stub is used in some of the TaskPool proofs.
+ */
+void * pvPortMalloc( size_t xWantedSize )
+{
+    if( xWantedSize == 0 )
+    {
+        return NULL;
+    }
+
+    return nondet_bool() ? malloc( xWantedSize ) : NULL;
+}
+
+void vPortFree( void * pv )
+{
+    ( void ) pv;
+    free( pv );
+}

kernel/FreeRTOS/Test/CBMC/include/portmacro.h

@@ -0,0 +1,255 @@
+/*
+ * FreeRTOS V202212.01
+ * Copyright (C) 2020 Amazon.com, Inc. or its affiliates.  All Rights Reserved.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of
+ * this software and associated documentation files (the "Software"), to deal in
+ * the Software without restriction, including without limitation the rights to
+ * use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+ * the Software, and to permit persons to whom the Software is furnished to do so,
+ * subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+ * FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+ * COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+ * IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ *
+ * https://www.FreeRTOS.org
+ * https://github.com/FreeRTOS
+ *
+ */
+
+#ifndef PORTMACRO_H
+#define PORTMACRO_H
+
+/*
+ * portmacro.h is an architecture specific file defining certain
+ * constants and declaring certain functions.
+ *
+ * This portmacro file is defined in the CBMC directory and aims
+ * to be architecture-independent, with all constants defined with '#ifndef'.
+ * Hence, each proof can override the definitions they want to modify
+ * in the proof-specific makefiles and the remaining constants will take
+ * default values from the definitions in this file.
+ *
+ * The default values in this portmacro are a combination of the
+ * values from the portmacros of FreeRTOSKernel/portable/MSVC-MingW
+ * and FreeRTOSKernel/portable/IAR/ARM_CM33/non_secure.
+ * They cover almost all the constants needed in the kernel.
+ * If a specific proof needs some constant not available in this
+ * file, one can directly define the constant in that proof's makefile.
+ * To add additional constants to this file, use the '#ifndef' style
+ * from below to ensure that the constants can be overridden in
+ * specific proofs.
+ */
+
+/******************************************************************************
+*   Defines
+******************************************************************************/
+/* Type definitions. */
+#ifndef portCHAR
+    #define portCHAR                 char
+#endif
+#ifndef portFLOAT
+    #define portFLOAT                float
+#endif
+#ifndef portDOUBLE
+    #define portDOUBLE               double
+#endif
+#ifndef portLONG
+    #define portLONG                 long
+#endif
+#ifndef portSHORT
+    #define portSHORT                short
+#endif
+#ifndef portSTACK_TYPE
+    #define portSTACK_TYPE           size_t
+#endif
+#ifndef portBASE_TYPE
+    #define portBASE_TYPE            long
+#endif
+#ifndef portPOINTER_SIZE_TYPE
+    #define portPOINTER_SIZE_TYPE    size_t
+#endif
+
+typedef portSTACK_TYPE   StackType_t;
+typedef long             BaseType_t;
+typedef unsigned long    UBaseType_t;
+
+
+#if ( configUSE_16_BIT_TICKS == 1 )
+    typedef uint16_t     TickType_t;
+    #define portMAX_DELAY              ( TickType_t ) 0xffff
+#else
+    typedef uint32_t     TickType_t;
+    #define portMAX_DELAY              ( TickType_t ) 0xffffffffUL
+
+/* 32/64-bit tick type on a 32/64-bit architecture, so reads of the tick
+ * count do not need to be guarded with a critical section. */
+    #define portTICK_TYPE_IS_ATOMIC    1
+#endif
+
+/* Hardware specifics. */
+#ifndef portSTACK_GROWTH
+    #define portSTACK_GROWTH      ( -1 )
+#endif
+#ifndef portTICK_PERIOD_MS
+    #define portTICK_PERIOD_MS    ( ( TickType_t ) 1000 / configTICK_RATE_HZ )
+#endif
+#ifndef portINLINE
+    #define portINLINE            __inline
+#endif
+
+#if defined( __x86_64__ ) || defined( _M_X64 )
+    #define portBYTE_ALIGNMENT    8
+#else
+    #define portBYTE_ALIGNMENT    4
+#endif
+
+#define portYIELD()    vPortGenerateSimulatedInterrupt( portINTERRUPT_YIELD )
+
+extern volatile BaseType_t xInsideInterrupt;
+/*#define portSOFTWARE_BARRIER() while( xInsideInterrupt != pdFALSE ) */
+
+
+/* Simulated interrupts return pdFALSE if no context switch should be performed,
+ * or a non-zero number if a context switch should be performed. */
+#define portYIELD_FROM_ISR( x )       ( void ) x
+#define portEND_SWITCHING_ISR( x )    portYIELD_FROM_ISR( ( x ) )
+
+void vPortCloseRunningThread( void * pvTaskToDelete,
+                              volatile BaseType_t * pxPendYield );
+void vPortDeleteThread( void * pvThreadToDelete );
+#define portCLEAN_UP_TCB( pxTCB )                                  vPortDeleteThread( pxTCB )
+#define portPRE_TASK_DELETE_HOOK( pvTaskToDelete, pxPendYield )    vPortCloseRunningThread( ( pvTaskToDelete ), ( pxPendYield ) )
+#define portDISABLE_INTERRUPTS()                                   vPortEnterCritical()
+#define portENABLE_INTERRUPTS()                                    vPortExitCritical()
+
+/* Critical section handling. */
+void vPortEnterCritical( void );
+void vPortExitCritical( void );
+
+#define portENTER_CRITICAL()    vPortEnterCritical()
+#define portEXIT_CRITICAL()     vPortExitCritical()
+
+#ifndef configUSE_PORT_OPTIMISED_TASK_SELECTION
+    #define configUSE_PORT_OPTIMISED_TASK_SELECTION    1
+#endif
+
+#if configUSE_PORT_OPTIMISED_TASK_SELECTION == 1
+
+/* Check the configuration. */
+    #if ( configMAX_PRIORITIES > 32 )
+        #error configUSE_PORT_OPTIMISED_TASK_SELECTION can only be set to 1 when configMAX_PRIORITIES is less than or equal to 32.  It is very rare that a system requires more than 10 to 15 difference priorities as tasks that share a priority will time slice.
+    #endif
+
+/* Store/clear the ready priorities in a bit map. */
+    #define portRECORD_READY_PRIORITY( uxPriority, uxReadyPriorities )    ( uxReadyPriorities ) |= ( 1UL << ( uxPriority ) )
+    #define portRESET_READY_PRIORITY( uxPriority, uxReadyPriorities )     ( uxReadyPriorities ) &= ~( 1UL << ( uxPriority ) )
+
+
+/*-----------------------------------------------------------*/
+
+    #ifdef __GNUC__
+        #define portGET_HIGHEST_PRIORITY( uxTopPriority, uxReadyPriorities ) \
+    __asm volatile ( "bsr %1, %0\n\t"                                        \
+                     : "=r" ( uxTopPriority ) : "rm" ( uxReadyPriorities ) : "cc" )
+    #else
+
+/* BitScanReverse returns the bit position of the most significant '1'
+ * in the word. */
+        #define portGET_HIGHEST_PRIORITY( uxTopPriority, uxReadyPriorities )    _BitScanReverse( ( DWORD * ) &( uxTopPriority ), ( uxReadyPriorities ) )
+    #endif /* __GNUC__ */
+
+#endif /* taskRECORD_READY_PRIORITY */
+
+#ifndef __GNUC__
+    __pragma( warning( disable:4211 ) ) /* Nonstandard extension used, as extern is only nonstandard to MSVC. */
+#endif
+
+
+/* Task function macros as described on the FreeRTOS.org WEB site. */
+#define portTASK_FUNCTION_PROTO( vFunction, pvParameters )    void vFunction( void * pvParameters )
+#define portTASK_FUNCTION( vFunction, pvParameters )          void vFunction( void * pvParameters )
+
+#ifndef portINTERRUPT_YIELD
+    #define portINTERRUPT_YIELD    ( 0UL )
+#endif
+#ifndef portINTERRUPT_TICK
+    #define portINTERRUPT_TICK     ( 1UL )
+#endif
+
+/*
+ * Raise a simulated interrupt represented by the bit mask in ulInterruptMask.
+ * Each bit can be used to represent an individual interrupt - with the first
+ * two bits being used for the Yield and Tick interrupts respectively.
+ */
+void vPortGenerateSimulatedInterrupt( uint32_t ulInterruptNumber );
+
+/*
+ * Install an interrupt handler to be called by the simulated interrupt handler
+ * thread.  The interrupt number must be above any used by the kernel itself
+ * (at the time of writing the kernel was using interrupt numbers 0, 1, and 2
+ * as defined above).  The number must also be lower than 32.
+ *
+ * Interrupt handler functions must return a non-zero value if executing the
+ * handler resulted in a task switch being required.
+ */
+void vPortSetInterruptHandler( uint32_t ulInterruptNumber,
+                               uint32_t ( * pvHandler )( void ) );
+
+/*
+ * MPU regions Macros
+ */
+#ifndef configTOTAL_MPU_REGIONS
+    #define configTOTAL_MPU_REGIONS             ( 10UL )
+#endif
+#ifndef portPRIVILEGED_FLASH_REGION
+    #define portPRIVILEGED_FLASH_REGION         ( 0UL )
+#endif
+#ifndef portUNPRIVILEGED_FLASH_REGION
+    #define portUNPRIVILEGED_FLASH_REGION       ( 1UL )
+#endif
+#ifndef portUNPRIVILEGED_SYSCALLS_REGION
+    #define portUNPRIVILEGED_SYSCALLS_REGION    ( 2UL )
+#endif
+#ifndef portPRIVILEGED_RAM_REGION
+    #define portPRIVILEGED_RAM_REGION           ( 3UL )
+#endif
+#ifndef portSTACK_REGION
+    #define portSTACK_REGION                    ( 4UL )
+#endif
+#ifndef portFIRST_CONFIGURABLE_REGION
+    #define portFIRST_CONFIGURABLE_REGION       ( 5UL )
+#endif
+#ifndef portLAST_CONFIGURABLE_REGION
+    #define portLAST_CONFIGURABLE_REGION        ( configTOTAL_MPU_REGIONS - 1UL )
+#endif
+#ifndef portNUM_CONFIGURABLE_REGIONS
+    #define portNUM_CONFIGURABLE_REGIONS        ( ( portLAST_CONFIGURABLE_REGION - portFIRST_CONFIGURABLE_REGION ) + 1 )
+#endif
+#ifndef portTOTAL_NUM_REGIONS
+    #define portTOTAL_NUM_REGIONS               ( portNUM_CONFIGURABLE_REGIONS + 1 )             /* Plus one to make space for the stack region. */
+#endif
+
+#ifndef portUSING_MPU_WRAPPERS
+    #define portUSING_MPU_WRAPPERS    0
+#endif
+
+typedef struct MPURegionSettings
+{
+    uint32_t ulRBAR; /**< RBAR for the region. */
+    uint32_t ulRLAR; /**< RLAR for the region. */
+} MPURegionSettings_t;
+typedef struct MPU_SETTINGS
+{
+    uint32_t ulMAIR0;                                              /**< MAIR0 for the task containing attributes for all the 4 per task regions. */
+    MPURegionSettings_t xRegionsSettings[ portTOTAL_NUM_REGIONS ]; /**< Settings for 4 per task regions. */
+} xMPU_SETTINGS;
+
+#endif /* closes #ifndef PORTMACRO_H */

kernel/FreeRTOS/Test/CBMC/include/queue_init.h

@@ -0,0 +1,172 @@
+#include "FreeRTOS.h"
+#include "queue.h"
+#include "queue_datastructure.h"
+
+#ifndef CBMC_OBJECT_BITS
+    #define CBMC_OBJECT_BITS    7
+#endif
+
+#ifndef CBMC_OBJECT_MAX_SIZE
+    #define CBMC_OBJECT_MAX_SIZE    ( UINT32_MAX >> ( CBMC_OBJECT_BITS + 1 ) )
+#endif
+
+/* Using prvCopyDataToQueue together with prvNotifyQueueSetContainer
+ * leads to a problem space explosion. Therefore, we use this stub
+ * and a sepearted proof on prvCopyDataToQueue to deal with it.
+ * As prvNotifyQueueSetContainer is disabled if configUSE_QUEUE_SETS != 1,
+ * in other cases the original implementation should be used. */
+#if ( configUSE_QUEUE_SETS == 1 )
+    BaseType_t prvCopyDataToQueue( Queue_t * const pxQueue,
+                                   const void * pvItemToQueue,
+                                   const BaseType_t xPosition )
+    {
+        if( pxQueue->uxItemSize > ( UBaseType_t ) 0 )
+        {
+            __CPROVER_assert( __CPROVER_r_ok( pvItemToQueue, ( size_t ) pxQueue->uxItemSize ), "pvItemToQueue region must be readable" );
+
+            if( xPosition == queueSEND_TO_BACK )
+            {
+                __CPROVER_assert( __CPROVER_w_ok( ( void * ) pxQueue->pcWriteTo, ( size_t ) pxQueue->uxItemSize ), "pxQueue->pcWriteTo region must be writable" );
+            }
+            else
+            {
+                __CPROVER_assert( __CPROVER_w_ok( ( void * ) pxQueue->u.xQueue.pcReadFrom, ( size_t ) pxQueue->uxItemSize ), "pxQueue->u.xQueue.pcReadFrom region must be writable" );
+            }
+
+            return pdFALSE;
+        }
+        else
+        {
+            return nondet_BaseType_t();
+        }
+    }
+#endif /* if ( configUSE_QUEUE_SETS == 1 ) */
+
+/* xQueueCreateSet is compiled out if configUSE_QUEUE_SETS != 1.*/
+#if ( configUSE_QUEUE_SETS == 1 )
+    QueueSetHandle_t xUnconstrainedQueueSet()
+    {
+        UBaseType_t uxEventQueueLength = 2;
+        QueueSetHandle_t xSet = xQueueCreateSet( uxEventQueueLength );
+
+        if( xSet )
+        {
+            xSet->cTxLock = nondet_int8_t();
+            __CPROVER_assume( xSet->cTxLock != 127 );
+            xSet->cRxLock = nondet_int8_t();
+            xSet->uxMessagesWaiting = nondet_UBaseType_t();
+            xSet->xTasksWaitingToReceive.uxNumberOfItems = nondet_UBaseType_t();
+
+            /* This is an invariant checked with a couple of asserts in the code base.
+             * If it is false from the beginning, the CBMC proofs are not able to succeed*/
+            __CPROVER_assume( xSet->uxMessagesWaiting < xSet->uxLength );
+            xSet->xTasksWaitingToSend.uxNumberOfItems = nondet_UBaseType_t();
+        }
+
+        return xSet;
+    }
+#endif /* if ( configUSE_QUEUE_SETS == 1 ) */
+
+/* Create a mostly unconstrained Queue but bound the max item size.
+ * This is required for performance reasons in CBMC at the moment. */
+QueueHandle_t xUnconstrainedQueueBoundedItemSize( UBaseType_t uxItemSizeBound )
+{
+    UBaseType_t uxQueueLength;
+    UBaseType_t uxItemSize;
+    uint8_t ucQueueType;
+
+    __CPROVER_assume( uxQueueLength > 0 );
+    __CPROVER_assume( uxItemSize < uxItemSizeBound );
+
+    /* QueueGenericCreate method does not check for multiplication overflow */
+    size_t uxQueueStorageSize;
+    __CPROVER_assume( uxQueueStorageSize < CBMC_OBJECT_MAX_SIZE );
+    __CPROVER_assume( uxItemSize < uxQueueStorageSize / uxQueueLength );
+
+    QueueHandle_t xQueue =
+        xQueueGenericCreate( uxQueueLength, uxItemSize, ucQueueType );
+
+    if( xQueue )
+    {
+        xQueue->cTxLock = nondet_int8_t();
+        __CPROVER_assume( xQueue->cTxLock != 127 );
+        xQueue->cRxLock = nondet_int8_t();
+        __CPROVER_assume( xQueue->cRxLock != 127 );
+        xQueue->uxMessagesWaiting = nondet_UBaseType_t();
+
+        /* This is an invariant checked with a couple of asserts in the code base.
+         * If it is false from the beginning, the CBMC proofs are not able to succeed*/
+        __CPROVER_assume( xQueue->uxMessagesWaiting < xQueue->uxLength );
+        xQueue->xTasksWaitingToReceive.uxNumberOfItems = nondet_UBaseType_t();
+        xQueue->xTasksWaitingToSend.uxNumberOfItems = nondet_UBaseType_t();
+        #if ( configUSE_QUEUE_SETS == 1 )
+            xQueueAddToSet( xQueue, xUnconstrainedQueueSet() );
+        #endif
+    }
+
+    return xQueue;
+}
+
+/* Create a mostly unconstrained Queue */
+QueueHandle_t xUnconstrainedQueue( void )
+{
+    UBaseType_t uxQueueLength;
+    UBaseType_t uxItemSize;
+    uint8_t ucQueueType;
+
+    __CPROVER_assume( uxQueueLength > 0 );
+
+    /* QueueGenericCreate method does not check for multiplication overflow */
+    size_t uxQueueStorageSize;
+    __CPROVER_assume( uxQueueStorageSize < CBMC_OBJECT_MAX_SIZE );
+    __CPROVER_assume( uxItemSize < uxQueueStorageSize / uxQueueLength );
+
+    QueueHandle_t xQueue =
+        xQueueGenericCreate( uxQueueLength, uxItemSize, ucQueueType );
+
+    if( xQueue )
+    {
+        xQueue->cTxLock = nondet_int8_t();
+        __CPROVER_assume( xQueue->cTxLock != 127 );
+        xQueue->cRxLock = nondet_int8_t();
+        xQueue->uxMessagesWaiting = nondet_UBaseType_t();
+
+        /* This is an invariant checked with a couple of asserts in the code base.
+         * If it is false from the beginning, the CBMC proofs are not able to succeed*/
+        __CPROVER_assume( xQueue->uxMessagesWaiting < xQueue->uxLength );
+        xQueue->xTasksWaitingToReceive.uxNumberOfItems = nondet_UBaseType_t();
+        xQueue->xTasksWaitingToSend.uxNumberOfItems = nondet_UBaseType_t();
+        #if ( configUSE_QUEUE_SETS == 1 )
+            xQueueAddToSet( xQueue, xUnconstrainedQueueSet() );
+        #endif
+    }
+
+    return xQueue;
+}
+
+/* Create a mostly unconstrained Mutex */
+QueueHandle_t xUnconstrainedMutex( void )
+{
+    uint8_t ucQueueType;
+    QueueHandle_t xQueue =
+        xQueueCreateMutex( ucQueueType );
+
+    if( xQueue )
+    {
+        xQueue->cTxLock = nondet_int8_t();
+        __CPROVER_assume( xQueue->cTxLock != 127 );
+        xQueue->cRxLock = nondet_int8_t();
+        xQueue->uxMessagesWaiting = nondet_UBaseType_t();
+
+        /* This is an invariant checked with a couple of asserts in the code base.
+         * If it is false from the beginning, the CBMC proofs are not able to succeed*/
+        __CPROVER_assume( xQueue->uxMessagesWaiting < xQueue->uxLength );
+        xQueue->xTasksWaitingToReceive.uxNumberOfItems = nondet_UBaseType_t();
+        xQueue->xTasksWaitingToSend.uxNumberOfItems = nondet_UBaseType_t();
+        #if ( configUSE_QUEUE_SETS == 1 )
+            xQueueAddToSet( xQueue, xUnconstrainedQueueSet() );
+        #endif
+    }
+
+    return xQueue;
+}

kernel/FreeRTOS/Test/CBMC/include/tasksStubs.h

@@ -0,0 +1,11 @@
+#ifndef INC_TASK_STUBS_H
+#define INC_TASK_STUBS_H
+
+#include "FreeRTOS.h"
+#include "task.h"
+
+BaseType_t xState;
+void vInitTaskCheckForTimeOut( BaseType_t maxCounter,
+                               BaseType_t maxCounter_limit );
+
+#endif /* INC_TASK_STUBS_H */