Update VeriFast proofs (#836)

* Undo syntax changes preventing VeriFast parsing * Update proofs inline with source changes Outstanding: - xQueueGenericReset return code - Not using prvIncrementQueueTxLock or prvIncrementQueueRxLock macros * Remove git hash check * Document new changes between proven code and implementation * Update copyright header * VeriFast proofs: turn off uncrustify checks Uncrustify requires formatting of comments that is at odds with VeriFast's proof annotations, which are contained within comments. * Update ci.yml Co-authored-by: Joseph Julicher <jjulicher@mac.com> Co-authored-by: Aniruddha Kanhere <60444055+AniruddhaKanhere@users.noreply.github.com>
2025-10-17 02:07:48 -04:00 · 2022-10-27 17:54:38 -04:00 · 2022-10-27 17:54:38 -04:00 · 4f87f485d5
commit 4f87f485d5
parent 4e0fecaadd
32 changed files with 1877 additions and 1864 deletions
--- a/FreeRTOS/Test/VeriFast/queue/prvCopyDataFromQueue.c
+++ b/FreeRTOS/Test/VeriFast/queue/prvCopyDataFromQueue.c
@ -1,6 +1,6 @@
 /*
 * FreeRTOS V202112.00
- * Copyright (C) Amazon.com, Inc. or its affiliates.  All Rights Reserved.
+ * Copyright (C) 2020 Amazon.com, Inc. or its affiliates.  All Rights Reserved.
 *
 * Permission is hereby granted, free of charge, to any person obtaining a copy of
 * this software and associated documentation files (the "Software"), to deal in
@ -24,14 +24,15 @@
 *
 */

+/* *INDENT-OFF* */
+
 #include "proof/queue.h"

 static void prvCopyDataFromQueue( Queue_t * const pxQueue,
                                  void * const pvBuffer )
 /*@requires queue(pxQueue, ?Storage, ?N, ?M, ?W, ?R, ?K, ?is_locked, ?abs) &*& 0 < K &*& chars(pvBuffer, M, _);@*/
-
 /*@ensures queue_after_prvCopyDataFromQueue(pxQueue, Storage, N, M, W, (R+1)%N, K, is_locked, abs) &*&
- *  chars(pvBuffer, M, head(abs));@*/
+    chars(pvBuffer, M, head(abs));@*/
 {
    if( pxQueue->uxItemSize != ( UBaseType_t ) 0 )
    {
@ -47,48 +48,44 @@ static void prvCopyDataFromQueue( Queue_t * const pxQueue,
        else
        {
            /*@{
-             *  div_lt(R+1, N, M); // now we know R+1 < N
-             *  mod_lt(R+1, N);    // so, R+1 == (R+1)%N
-             *  note(pxQueue->u.xQueue.pcReadFrom == Storage + ((R + 1) * M));
-             *  note(                                Storage + ((R + 1) * M) == Storage + (((R + 1) % N) * M));
-             * }@*/
+                div_lt(R+1, N, M); // now we know R+1 < N
+                mod_lt(R+1, N);    // so, R+1 == (R+1)%N
+                note(pxQueue->u.xQueue.pcReadFrom == Storage + ((R + 1) * M));
+                note(                                Storage + ((R + 1) * M) == Storage + (((R + 1) % N) * M));
+            }@*/
            mtCOVERAGE_TEST_MARKER();
        }

        /*@mod_plus(R+1, K, N);@*/
        /*@mod_mod(R+1, N);@*/
        /*@split_element(Storage, N, M, (R+1)%N);@*/
-
        /*@assert
-         *  buffer(Storage, (R+1)%N, M, ?prefix) &*&
-         *  chars(Storage + ((R+1)%N) * M, M, ?element) &*&
-         *  buffer(Storage + ((R+1)%N + 1) * M, (N-1-(R+1)%N), M, ?suffix);@*/
-        #ifdef VERIFAST /*< void cast of unused return value */
-            memcpy( ( void * ) pvBuffer, ( void * ) pxQueue->u.xQueue.pcReadFrom, ( size_t ) pxQueue->uxItemSize );
-        #else
-            ( void ) memcpy( ( void * ) pvBuffer, ( void * ) pxQueue->u.xQueue.pcReadFrom, ( size_t ) pxQueue->uxItemSize ); /*lint !e961 !e418 !e9087 MISRA exception as the casts are only redundant for some ports.  Also previous logic ensures a null pointer can only be passed to memcpy() when the count is 0.  Cast to void required by function signature and safe as no alignment requirement and copy length specified in bytes. */
-        #endif
-
+            buffer(Storage, (R+1)%N, M, ?prefix) &*&
+            chars(Storage + ((R+1)%N) * M, M, ?element) &*&
+            buffer(Storage + ((R+1)%N + 1) * M, (N-1-(R+1)%N), M, ?suffix);@*/
+#ifdef VERIFAST /*< void cast of unused return value */
+        memcpy( ( void * ) pvBuffer, ( void * ) pxQueue->u.xQueue.pcReadFrom, ( size_t ) pxQueue->uxItemSize );
+#else
+        ( void ) memcpy( ( void * ) pvBuffer, ( void * ) pxQueue->u.xQueue.pcReadFrom, ( size_t ) pxQueue->uxItemSize ); /*lint !e961 !e418 !e9087 MISRA exception as the casts are only redundant for some ports.  Also previous logic ensures a null pointer can only be passed to memcpy() when the count is 0.  Cast to void required by function signature and safe as no alignment requirement and copy length specified in bytes. */
+#endif
        /*@{
-         *  combine_list_no_change(prefix, element, suffix, (R+1)%N, contents);
-         *  join_element(Storage, N, M, (R+1)%N);
-         *  length_take(K, contents);
-         *  take_length_eq(K, rotate_left((R+1)%N, contents), abs);
-         *  deq_value_lemma(K, (R+1)%N, contents, abs);
-         * }@*/
+            combine_list_no_change(prefix, element, suffix, (R+1)%N, contents);
+            join_element(Storage, N, M, (R+1)%N);
+            length_take(K, contents);
+            take_length_eq(K, rotate_left((R+1)%N, contents), abs);
+            deq_value_lemma(K, (R+1)%N, contents, abs);
+        }@*/
    }
 }

 void caller_reinstates_queue_predicate( Queue_t * const pxQueue,
                                        void * const pvBuffer )
-
 /*@requires queue(pxQueue, ?Storage, ?N, ?M, ?W, ?R, ?K, ?is_locked, ?abs) &*&
- *  0 < K &*&
- *  chars(pvBuffer, M, _);@*/
-
+    0 < K &*&
+    chars(pvBuffer, M, _);@*/
 /*@ensures
- *  queue(pxQueue, Storage, N, M, W, (R+1)%N, K-1, is_locked, tail(abs)) &*&
- *  chars(pvBuffer, M, head(abs));@*/
+    queue(pxQueue, Storage, N, M, W, (R+1)%N, K-1, is_locked, tail(abs)) &*&
+    chars(pvBuffer, M, head(abs));@*/
 {
    prvCopyDataFromQueue( pxQueue, pvBuffer );
    /*@open queue_after_prvCopyDataFromQueue(pxQueue, Storage, N, M, W, (R+1)%N, K, is_locked, abs);@*/
@ -96,3 +93,5 @@ void caller_reinstates_queue_predicate( Queue_t * const pxQueue,
    pxQueue->uxMessagesWaiting = pxQueue->uxMessagesWaiting - 1;
    /*@deq_lemma(K, (R+1)%N, contents, abs, head(abs));@*/
 }
+
+/* *INDENT-ON* */