len0rd/FreeRTOS-Kernel
1
0
Fork 0
mirror of https://github.com/FreeRTOS/FreeRTOS-Kernel.git synced 2025-10-15 09:17:44 -04:00
Code Issues Projects Releases Packages Wiki Activity

Copying CBMC proofs from aws/amazon-freertos repo ./tools/cbmc to this repo ./FreeRTOS/Test/CBMC as is.

Browse source 
The commit ID in aws/amazon-freertos is 0c8e0217f2a43bdeb364b58ae01c6c259e03ef1b.
This commit is contained in:
Yuhui Zheng 2020-02-25 18:04:23 -08:00
parent 9f316c246b
commit 8156f64d1c
174 changed files with 9245 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

5
FreeRTOS/Test/CBMC/.gitignore vendored Normal file
View file

@ -0,0 +1,5 @@
cbmc.txt
property.xml
coverage.xml
*.goto
**/html/*

133
FreeRTOS/Test/CBMC/README.md Normal file
View file

@ -0,0 +1,133 @@
CBMC Proof Infrastructure
=========================
This directory contains automated proofs of the memory safety of various parts
of the amazon:FreeRTOS codebase. A continuous integration system validates every
pull request posted to the repository against these proofs, and developers can
also run the proofs on their local machines.
The proofs are checked using the
[C Bounded Model Checker](http://www.cprover.org/cbmc/), an open-source static
analysis tool
([GitHub repository](https://github.com/diffblue/cbmc)). This README describes
how to run the proofs on your local clone of a:FR.
Bulding and running proofs
--------------------------
For historical reasons, some of the proofs are built and run using CMake
and CTest. Others use a custom python-based build system. New proofs
should use CMake. This README describes how to build and run both kinds
of proof.
CMake-based build
-----------------
Follow the CBMC installation instructions below.
Suppose that the amazon-freertos source tree is located at
`~/src/amazon-freertos` and you wish to build the proofs into
`~/build/amazon-freertos`. The following three commands build and run
the proofs:
```sh
cmake -S~/src/amazon-freertos -B~/build/amazon-freertos -DCOMPILER=cbmc
-DBOARD=windows -DVENDOR=pc
cmake --build ~/build/amazon-freertos --target all-proofs
cd ~/build/amazon-freertos && ctest -L cbmc
```
Alternatively, this single command does the same thing, assuming you
have the Ninja build tool installed:
```sh
ctest --build-and-test \
~/src/amazon-freertos \
~/build/amazon-freertos \
--build-target cbmc \
--build-generator Ninja \
--build-options \
-DCOMPILER=cbmc \
-DBOARD=windows \
-DVENDOR=pc \
--test-command ctest -j4 -L cbmc --output-on-failure
```
Python-based build
------------------
### Prerequisites
You will need Python 3. On Windows, you will need Visual Studio 2015 or later
(in particular, you will need the Developer Command Prompt and NMake). On macOS
and Linux, you will need Make.
### Installing CBMC
- Clone the [CBMC repository](https://github.com/diffblue/cbmc).
- The canonical compilation and installation instructions are in the
[COMPILING.md](https://github.com/diffblue/cbmc/blob/develop/COMPILING.md)
file in the CBMC repository; we reproduce the most important steps for
Windows users here, but refer to that document if in doubt.
- Download and install CMake from the [CMake website](https://cmake.org/download).
- Download and install the "git for Windows" package, which also
provides the `patch` command, from [here](https://git-scm.com/download/win).
- Download the flex and bison for Windows package from
[this sourceforge site](https://sourceforge.net/projects/winflexbison).
"Install" it by dropping the contents of the entire unzipped
package into the top-level CBMC source directory.
- Change into the top-level CBMC source directory and run
```
cmake -H. -Bbuild -DCMAKE_BUILD_TYPE=Release -DWITH_JBMC=OFF
cmake --build build
```
- Ensure that you can run the programs `cbmc`, `goto-cc` (or `goto-cl`
on Windows), and `goto-instrument` from the command line. If you build
CBMC with CMake, the programs will have been installed under the
`build/bin/Debug` directory under the top-level `cbmc` directory; you
should add that directory to your `$PATH`. If you built CBMC using
Make, then those programs will have been installed in the `src/cbmc`,
`src/goto-cc`, and `src/goto-instrument` directories respectively.
### Setting up the proofs
Change into the `proofs` directory. On Windows, run
```
python prepare.py
```
On macOS or Linux, run
```
./prepare.py
```
If you are on a Windows machine but want to generate Linux Makefiles (or vice
versa), you can pass the `--system linux` or `--system windows` options to those
programs.
### Running the proofs
Each of the leaf directories under `proofs` is a proof of the memory
safety of a single entry point in a:FR. The scripts that you ran in the
previous step will have left a Makefile in each of those directories. To
run a proof, change into the directory for that proof and run `nmake` on
Windows or `make` on Linux or macOS. The proofs may take some time to
run; they eventually write their output to `cbmc.txt`, which should have
the text `VERIFICATION SUCCESSFUL` at the end.
### Proof directory structure
This directory contains the following subdirectories:
- `proofs` contains the proofs run against each pull request
- `patches` contains a set of patches that get applied to the codebase prior to
running the proofs
- `include` and `windows` contain header files used by the proofs.

14
FreeRTOS/Test/CBMC/cmake/compute-coverage.cmake Normal file
View file

@ -0,0 +1,14 @@
execute_process(
COMMAND
cbmc --cover location --xml-ui
${cbmc_flags} ${cbmc_verbosity} ${goto_binary}
OUTPUT_FILE ${out_file}
ERROR_FILE ${out_file}
RESULT_VARIABLE res
)
if(NOT (${res} EQUAL 0 OR ${res} EQUAL 10))
message(FATAL_ERROR
"Unexpected CBMC coverage return code '${res}' for proof ${proof_name}. Log written to ${out_file}."
)
endif()

14
FreeRTOS/Test/CBMC/cmake/compute-property.cmake Normal file
View file

@ -0,0 +1,14 @@
execute_process(
COMMAND
cbmc --show-properties --unwinding-assertions --xml-ui
${cbmc_flags} ${cbmc_verbosity} ${goto_binary}
OUTPUT_FILE ${out_file}
ERROR_FILE ${out_file}
RESULT_VARIABLE res
)
if(NOT (${res} EQUAL 0 OR ${res} EQUAL 10))
message(FATAL_ERROR
"Unexpected CBMC property return code '${res}' for proof ${proof_name}. Log written to ${out_file}."
)
endif()

14
FreeRTOS/Test/CBMC/cmake/model-check.cmake Normal file
View file

@ -0,0 +1,14 @@
execute_process(
COMMAND
cbmc --trace --unwinding-assertions
${cbmc_flags} ${cbmc_verbosity} ${goto_binary}
OUTPUT_FILE ${out_file}
ERROR_FILE ${out_file}
RESULT_VARIABLE res
)
if(NOT (${res} EQUAL 0 OR ${res} EQUAL 10))
message(FATAL_ERROR
"Unexpected CBMC return code '${res}' for proof ${proof_name}. Log written to ${out_file}."
)
endif()

2
FreeRTOS/Test/CBMC/include/README.md Normal file
View file

@ -0,0 +1,2 @@
This directory contains include files used by the CBMC proofs:
* cbmc.h defines some macros used in the proof test harnesses

3
FreeRTOS/Test/CBMC/include/aws_freertos_ip_verification_access_ip_define.h Normal file
View file

@ -0,0 +1,3 @@
eFrameProcessingResult_t publicProcessIPPacket( IPPacket_t * const pxIPPacket, NetworkBufferDescriptor_t * const pxNetworkBuffer ) {
prvProcessIPPacket(pxIPPacket, pxNetworkBuffer);
}

12
FreeRTOS/Test/CBMC/include/aws_freertos_tcp_verification_access_tcp_define.h Normal file
View file

@ -0,0 +1,12 @@
int32_t publicTCPPrepareSend( FreeRTOS_Socket_t *pxSocket, NetworkBufferDescriptor_t **ppxNetworkBuffer, UBaseType_t uxOptionsLength ) {
prvTCPPrepareSend( pxSocket, ppxNetworkBuffer, uxOptionsLength );
}
BaseType_t publicTCPHandleState( FreeRTOS_Socket_t *pxSocket, NetworkBufferDescriptor_t **ppxNetworkBuffer ) {
prvTCPHandleState(pxSocket, ppxNetworkBuffer);
}
void publicTCPReturnPacket( FreeRTOS_Socket_t *pxSocket, NetworkBufferDescriptor_t *pxNetworkBuffer,
uint32_t ulLen, BaseType_t xReleaseAfterSend ) {
prvTCPReturnPacket(pxSocket, pxNetworkBuffer, ulLen, xReleaseAfterSend );
}

67
FreeRTOS/Test/CBMC/include/cbmc.h Normal file
View file

@ -0,0 +1,67 @@
/*
* CBMC models a pointer as an object id and an offset into that
* object. The top bits of a pointer encode the object id and the
* remaining bits encode the offset. This means there is a bound on
* the maximum offset into an object in CBMC, and hence a bound on the
* size of objects in CBMC.
*/
#define CBMC_BITS 7
#define CBMC_MAX_OBJECT_SIZE (0xFFFFFFFF >> CBMC_BITS)
enum CBMC_LOOP_CONDITION { CBMC_LOOP_BREAK, CBMC_LOOP_CONTINUE, CBMC_LOOP_RETURN };
// CBMC specification: capture old value for precondition /
// postcondition checking
#define OLDVAL(var) _old_ ## var
#define SAVE_OLDVAL(var,typ) const typ OLDVAL(var) = var
// CBMC specification: capture old value for values passed by
// reference in function abstractions
#define OBJ(var) (*var)
#define OLDOBJ(var) _oldobj_ ## var
#define SAVE_OLDOBJ(var,typ) const typ OLDOBJ(var) = OBJ(var)
// CBMC debugging: printfs for expressions
#define __CPROVER_printf(var) { uint32_t ValueOf_ ## var = (uint32_t) var; }
#define __CPROVER_printf2(str,exp) { uint32_t ValueOf_ ## str = (uint32_t) (exp); }
// CBMC debugging: printfs for pointer expressions
#define __CPROVER_printf_ptr(var) { uint8_t *ValueOf_ ## var = (uint8_t *) var; }
#define __CPROVER_printf2_ptr(str,exp) { uint8_t *ValueOf_ ## str = (uint8_t *) (exp); }
/*
* An assertion that pvPortMalloc returns NULL when asked to allocate 0 bytes.
* This assertion is used in some of the Task proofs.
*/
#define __CPROVER_assert_zero_allocation() \
__CPROVER_assert( pvPortMalloc(0) == NULL, \
"pvPortMalloc allows zero-allocated memory.")
/*
* A stub for pvPortMalloc that nondeterministically chooses to return
* either NULL or an allocation of the requested space. The stub is
* guaranteed to return NULL when asked to allocate 0 bytes.
* This stub is used in some of the Task proofs.
*/
void *pvPortMalloc( size_t xWantedSize )
{
if ( xWantedSize == 0 )
{
return NULL;
}
return nondet_bool() ? malloc( xWantedSize ) : NULL;
}
void vPortFree( void *pv )
{
(void)pv;
free(pv);
}
BaseType_t nondet_basetype();
UBaseType_t nondet_ubasetype();
TickType_t nondet_ticktype();

141
FreeRTOS/Test/CBMC/include/queue_init.h Normal file
View file

@ -0,0 +1,141 @@
#include "FreeRTOS.h"
#include "queue.h"
#include "queue_datastructure.h"
#ifndef CBMC_OBJECT_BITS
#define CBMC_OBJECT_BITS 7
#endif
#ifndef CBMC_OBJECT_MAX_SIZE
#define CBMC_OBJECT_MAX_SIZE (UINT32_MAX>>(CBMC_OBJECT_BITS+1))
#endif
/* Using prvCopyDataToQueue together with prvNotifyQueueSetContainer
leads to a problem space explosion. Therefore, we use this stub
and a sepearted proof on prvCopyDataToQueue to deal with it.
As prvNotifyQueueSetContainer is disabled if configUSE_QUEUE_SETS != 1,
in other cases the original implementation should be used. */
#if( configUSE_QUEUE_SETS == 1 )
BaseType_t prvCopyDataToQueue( Queue_t * const pxQueue, const void *pvItemToQueue, const BaseType_t xPosition )
{
if(pxQueue->uxItemSize > ( UBaseType_t ) 0)
{
__CPROVER_assert(__CPROVER_r_ok(pvItemToQueue, ( size_t ) pxQueue->uxItemSize), "pvItemToQueue region must be readable");
if(xPosition == queueSEND_TO_BACK){
__CPROVER_assert(__CPROVER_w_ok(( void * ) pxQueue->pcWriteTo, ( size_t ) pxQueue->uxItemSize), "pxQueue->pcWriteTo region must be writable");
}else{
__CPROVER_assert(__CPROVER_w_ok(( void * ) pxQueue->u.xQueue.pcReadFrom, ( size_t ) pxQueue->uxItemSize), "pxQueue->u.xQueue.pcReadFrom region must be writable");
}
return pdFALSE;
}else
{
return nondet_BaseType_t();
}
}
#endif
/* xQueueCreateSet is compiled out if configUSE_QUEUE_SETS != 1.*/
#if( configUSE_QUEUE_SETS == 1 )
QueueSetHandle_t xUnconstrainedQueueSet()
{
UBaseType_t uxEventQueueLength = 2;
QueueSetHandle_t xSet = xQueueCreateSet(uxEventQueueLength);
if( xSet )
{
xSet->cTxLock = nondet_int8_t();
xSet->cRxLock = nondet_int8_t();
xSet->uxMessagesWaiting = nondet_UBaseType_t();
xSet->xTasksWaitingToReceive.uxNumberOfItems = nondet_UBaseType_t();
/* This is an invariant checked with a couple of asserts in the code base.
If it is false from the beginning, the CBMC proofs are not able to succeed*/
__CPROVER_assume(xSet->uxMessagesWaiting < xSet->uxLength);
xSet->xTasksWaitingToSend.uxNumberOfItems = nondet_UBaseType_t();
}
return xSet;
}
#endif
/* Create a mostly unconstrained Queue but bound the max item size.
This is required for performance reasons in CBMC at the moment. */
QueueHandle_t xUnconstrainedQueueBoundedItemSize( UBaseType_t uxItemSizeBound ) {
UBaseType_t uxQueueLength;
UBaseType_t uxItemSize;
uint8_t ucQueueType;
__CPROVER_assume(uxQueueLength > 0);
__CPROVER_assume(uxItemSize < uxItemSizeBound);
// QueueGenericCreate method does not check for multiplication overflow
size_t uxQueueStorageSize;
__CPROVER_assume(uxQueueStorageSize < CBMC_OBJECT_MAX_SIZE);
__CPROVER_assume(uxItemSize < uxQueueStorageSize/uxQueueLength);
QueueHandle_t xQueue =
xQueueGenericCreate(uxQueueLength, uxItemSize, ucQueueType);
if(xQueue){
xQueue->cTxLock = nondet_int8_t();
xQueue->cRxLock = nondet_int8_t();
xQueue->uxMessagesWaiting = nondet_UBaseType_t();
/* This is an invariant checked with a couple of asserts in the code base.
If it is false from the beginning, the CBMC proofs are not able to succeed*/
__CPROVER_assume(xQueue->uxMessagesWaiting < xQueue->uxLength);
xQueue->xTasksWaitingToReceive.uxNumberOfItems = nondet_UBaseType_t();
xQueue->xTasksWaitingToSend.uxNumberOfItems = nondet_UBaseType_t();
#if( configUSE_QUEUE_SETS == 1)
xQueueAddToSet(xQueue, xUnconstrainedQueueSet());
#endif
}
return xQueue;
}
/* Create a mostly unconstrained Queue */
QueueHandle_t xUnconstrainedQueue( void ) {
UBaseType_t uxQueueLength;
UBaseType_t uxItemSize;
uint8_t ucQueueType;
__CPROVER_assume(uxQueueLength > 0);
// QueueGenericCreate method does not check for multiplication overflow
size_t uxQueueStorageSize;
__CPROVER_assume(uxQueueStorageSize < CBMC_OBJECT_MAX_SIZE);
__CPROVER_assume(uxItemSize < uxQueueStorageSize/uxQueueLength);
QueueHandle_t xQueue =
xQueueGenericCreate(uxQueueLength, uxItemSize, ucQueueType);
if(xQueue){
xQueue->cTxLock = nondet_int8_t();
xQueue->cRxLock = nondet_int8_t();
xQueue->uxMessagesWaiting = nondet_UBaseType_t();
/* This is an invariant checked with a couple of asserts in the code base.
If it is false from the beginning, the CBMC proofs are not able to succeed*/
__CPROVER_assume(xQueue->uxMessagesWaiting < xQueue->uxLength);
xQueue->xTasksWaitingToReceive.uxNumberOfItems = nondet_UBaseType_t();
xQueue->xTasksWaitingToSend.uxNumberOfItems = nondet_UBaseType_t();
#if( configUSE_QUEUE_SETS == 1)
xQueueAddToSet(xQueue, xUnconstrainedQueueSet());
#endif
}
return xQueue;
}
/* Create a mostly unconstrained Mutex */
QueueHandle_t xUnconstrainedMutex( void ) {
uint8_t ucQueueType;
QueueHandle_t xQueue =
xQueueCreateMutex(ucQueueType);
if(xQueue){
xQueue->cTxLock = nondet_int8_t();
xQueue->cRxLock = nondet_int8_t();
xQueue->uxMessagesWaiting = nondet_UBaseType_t();
/* This is an invariant checked with a couple of asserts in the code base.
If it is false from the beginning, the CBMC proofs are not able to succeed*/
__CPROVER_assume(xQueue->uxMessagesWaiting < xQueue->uxLength);
xQueue->xTasksWaitingToReceive.uxNumberOfItems = nondet_UBaseType_t();
xQueue->xTasksWaitingToSend.uxNumberOfItems = nondet_UBaseType_t();
#if( configUSE_QUEUE_SETS == 1)
xQueueAddToSet(xQueue, xUnconstrainedQueueSet());
#endif
}
return xQueue;
}

10
FreeRTOS/Test/CBMC/include/tasksStubs.h Normal file
View file

@ -0,0 +1,10 @@
#ifndef INC_TASK_STUBS_H
#define INC_TASK_STUBS_H
#include "FreeRTOS.h"
#include "task.h"
BaseType_t xState;
void vInitTaskCheckForTimeOut(BaseType_t maxCounter, BaseType_t maxCounter_limit);
#endif /* INC_TASK_STUBS_H */

2
FreeRTOS/Test/CBMC/patches/.gitattributes vendored Normal file
View file

@ -0,0 +1,2 @@
# It seems git apply does not want crlf line endings on Windows
*.patch eol=lf

2
FreeRTOS/Test/CBMC/patches/.gitignore vendored Normal file
View file

@ -0,0 +1,2 @@
auto_patch*
patched

121
FreeRTOS/Test/CBMC/patches/0001-Remove-static-storage-class-from-entry-points.patch Normal file
View file

@ -0,0 +1,121 @@
From 884e69144abac08d203bbf8257c6b4a96a2a91ea Mon Sep 17 00:00:00 2001
From: "Mark R. Tuttle" <mrtuttle@amazon.com>
Date: Mon, 21 Oct 2019 14:17:50 -0400
Subject: [PATCH] Remove static storage class from entry points
Many of the entry points we wish to test are marked as being static.
This commit removes the static keyword from all entry points that we
test.
Patch revised on October 21, 2019.
---
.../freertos_plus_tcp/source/FreeRTOS_DHCP.c | 6 +++---
.../standard/freertos_plus_tcp/source/FreeRTOS_DNS.c | 12 ++++++------
.../freertos_plus_tcp/source/FreeRTOS_TCP_WIN.c | 2 +-
3 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/libraries/freertos_plus/standard/freertos_plus_tcp/source/FreeRTOS_DHCP.c b/libraries/freertos_plus/standard/freertos_plus_tcp/source/FreeRTOS_DHCP.c
index c4f79e8e7..d8089a5e7 100644
--- a/libraries/freertos_plus/standard/freertos_plus_tcp/source/FreeRTOS_DHCP.c
+++ b/libraries/freertos_plus/standard/freertos_plus_tcp/source/FreeRTOS_DHCP.c
@@ -198,7 +198,7 @@ static void prvSendDHCPDiscover( void );
/*
* Interpret message received on the DHCP socket.
*/
-static BaseType_t prvProcessDHCPReplies( BaseType_t xExpectedMessageType );
+BaseType_t prvProcessDHCPReplies( BaseType_t xExpectedMessageType );
/*
* Generate a DHCP request packet, and send it on the DHCP socket.
@@ -234,7 +234,7 @@ static void prvCreateDHCPSocket( void );
/*-----------------------------------------------------------*/
/* The next DHCP transaction Id to be used. */
-static DHCPData_t xDHCPData;
+DHCPData_t xDHCPData;
/*-----------------------------------------------------------*/
@@ -607,7 +607,7 @@ static void prvInitialiseDHCP( void )
}
/*-----------------------------------------------------------*/
-static BaseType_t prvProcessDHCPReplies( BaseType_t xExpectedMessageType )
+BaseType_t prvProcessDHCPReplies( BaseType_t xExpectedMessageType )
{
uint8_t *pucUDPPayload, *pucLastByte;
struct freertos_sockaddr xClient;
diff --git a/libraries/freertos_plus/standard/freertos_plus_tcp/source/FreeRTOS_DNS.c b/libraries/freertos_plus/standard/freertos_plus_tcp/source/FreeRTOS_DNS.c
index e511ca324..d6f335304 100644
--- a/libraries/freertos_plus/standard/freertos_plus_tcp/source/FreeRTOS_DNS.c
+++ b/libraries/freertos_plus/standard/freertos_plus_tcp/source/FreeRTOS_DNS.c
@@ -116,7 +116,7 @@ static size_t prvCreateDNSMessage( uint8_t *pucUDPPayloadBuffer,
/*
* Simple routine that jumps over the NAME field of a resource record.
*/
-static uint8_t * prvSkipNameField( uint8_t *pucByte,
+uint8_t * prvSkipNameField( uint8_t *pucByte,
size_t uxSourceLen );
/*
@@ -124,7 +124,7 @@ static uint8_t * prvSkipNameField( uint8_t *pucByte,
* The parameter 'xExpected' indicates whether the identifier in the reply
* was expected, and thus if the DNS cache may be updated with the reply.
*/
-static uint32_t prvParseDNSReply( uint8_t *pucUDPPayloadBuffer,
+uint32_t prvParseDNSReply( uint8_t *pucUDPPayloadBuffer,
size_t uxBufferLength,
BaseType_t xExpected );
@@ -152,7 +152,7 @@ static uint32_t prvGetHostByName( const char *pcHostName,
#if( ipconfigUSE_DNS_CACHE == 1 ) || ( ipconfigDNS_USE_CALLBACKS == 1 )
- static uint8_t * prvReadNameField( uint8_t *pucByte,
+ uint8_t * prvReadNameField( uint8_t *pucByte,
size_t uxSourceLen,
char *pcName,
size_t uxLen );
@@ -765,7 +765,7 @@ static const DNSMessage_t xDefaultPartDNSHeader =
#if( ipconfigUSE_DNS_CACHE == 1 ) || ( ipconfigDNS_USE_CALLBACKS == 1 )
- static uint8_t * prvReadNameField( uint8_t *pucByte,
+ uint8_t * prvReadNameField( uint8_t *pucByte,
size_t uxSourceLen,
char *pcName,
size_t uxDestLen )
@@ -843,7 +843,7 @@ static const DNSMessage_t xDefaultPartDNSHeader =
#endif /* ipconfigUSE_DNS_CACHE || ipconfigDNS_USE_CALLBACKS */
/*-----------------------------------------------------------*/
-static uint8_t * prvSkipNameField( uint8_t *pucByte,
+uint8_t * prvSkipNameField( uint8_t *pucByte,
size_t uxSourceLen )
{
size_t uxChunkLength;
@@ -949,7 +949,7 @@ DNSMessage_t *pxDNSMessageHeader;
#endif /* ipconfigUSE_NBNS */
/*-----------------------------------------------------------*/
-static uint32_t prvParseDNSReply( uint8_t *pucUDPPayloadBuffer,
+uint32_t prvParseDNSReply( uint8_t *pucUDPPayloadBuffer,
size_t uxBufferLength,
BaseType_t xExpected )
{
diff --git a/libraries/freertos_plus/standard/freertos_plus_tcp/source/FreeRTOS_TCP_WIN.c b/libraries/freertos_plus/standard/freertos_plus_tcp/source/FreeRTOS_TCP_WIN.c
index 1f5a845fa..1a69807c0 100644
--- a/libraries/freertos_plus/standard/freertos_plus_tcp/source/FreeRTOS_TCP_WIN.c
+++ b/libraries/freertos_plus/standard/freertos_plus_tcp/source/FreeRTOS_TCP_WIN.c
@@ -206,7 +206,7 @@ extern void vListInsertGeneric( List_t * const pxList, ListItem_t * const pxNewL
/* List of free TCP segments. */
#if( ipconfigUSE_TCP_WIN == 1 )
- static List_t xSegmentList;
+ List_t xSegmentList;
#endif
/* Logging verbosity level. */
--
2.20.1 (Apple Git-117)

26
FreeRTOS/Test/CBMC/patches/0002-Change-FreeRTOS_IP_Private.h-union-to-struct.patch Normal file
View file

@ -0,0 +1,26 @@
From b7fbcc3979324838ec240b28717bfd7918bbb388 Mon Sep 17 00:00:00 2001
From: Kareem Khazem <karkhaz@amazon.com>
Date: Thu, 31 Jan 2019 15:07:52 -0800
Subject: [PATCH 2/4] Change FreeRTOS_IP_Private.h union to struct
This patch should be removed soon: It is for a CBMC issue being fixed now.
---
libraries/freertos_plus/standard/freertos_plus_tcp/include/FreeRTOS_IP_Private.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libraries/freertos_plus/standard/freertos_plus_tcp/include/FreeRTOS_IP_Private.h b/libraries/freertos_plus/standard/freertos_plus_tcp/include/FreeRTOS_IP_Private.h
index 6006f89f0..d1a0cf898 100644
--- a/libraries/freertos_plus/standard/freertos_plus_tcp/include/FreeRTOS_IP_Private.h
+++ b/libraries/freertos_plus/standard/freertos_plus_tcp/include/FreeRTOS_IP_Private.h
@@ -643,7 +643,7 @@ typedef struct XSOCKET
/* Before accessing any member of this structure, it should be confirmed */
/* that the protocol corresponds with the type of structure */
- union
+ struct
{
IPUDPSocket_t xUDP;
#if( ipconfigUSE_TCP == 1 )
--
2.21.0

79
FreeRTOS/Test/CBMC/patches/0005-Remove-volatile-qualifier-from-tasks-variables.patch Normal file
View file

@ -0,0 +1,79 @@
This patch removes the volatile qualifier from some global variable
declarations in the tasks.c file. For task pool proofs, we are running
`goto-instrument` with the `--nondet-volatile` flag on, which causes reads from
volatile variable to be nondeterministic (i.e., any possible value can be
returned). This is actually the desired behavior for volatile variables
regarding verification purposes. However, this causes a lot of trouble when
such variables are pointers, since one of the possible values we can get when
dereferencing a volatile pointer is `NULL`.
In the case of `uxPendedTicks`, a non-volatile copy of the variable is done
before the following loop in tasks.c (lines 2231-2255):
{
UBaseType_t uxPendedCounts = uxPendedTicks; /* Non-volatile copy. */
if( uxPendedCounts > ( UBaseType_t ) 0U )
{
do
{
if( xTaskIncrementTick() != pdFALSE )
{
xYieldPending = pdTRUE;
}
else
{
mtCOVERAGE_TEST_MARKER();
}
--uxPendedCounts;
} while( uxPendedCounts > ( UBaseType_t ) 0U );
uxPendedTicks = 0;
}
else
{
mtCOVERAGE_TEST_MARKER();
}
}
Here, `uxPendedTicks` could return any value, making it impossible to unwind
(or unroll) this loop in CBMC. Therefore, we require `uxPendedTicks` to behave
as a regular variable so that the loop can be unwound.
---
diff --git a/FreeRTOS/Source/tasks.c b/FreeRTOS/Source/tasks.c
index ff657733..8b57d198 100644
--- a/FreeRTOS/Source/tasks.c
+++ b/FreeRTOS/Source/tasks.c
@@ -331,7 +331,7 @@ typedef tskTCB TCB_t;
/*lint -save -e956 A manual analysis and inspection has been used to determine
which static variables must be declared volatile. */
-PRIVILEGED_DATA TCB_t * volatile pxCurrentTCB = NULL;
+PRIVILEGED_DATA TCB_t * pxCurrentTCB = NULL;
/* Lists for ready and blocked tasks. --------------------
xDelayedTaskList1 and xDelayedTaskList2 could be move to function scople but
@@ -340,8 +340,8 @@ the static qualifier. */
PRIVILEGED_DATA static List_t pxReadyTasksLists[ configMAX_PRIORITIES ];/*< Prioritised ready tasks. */
PRIVILEGED_DATA static List_t xDelayedTaskList1; /*< Delayed tasks. */
PRIVILEGED_DATA static List_t xDelayedTaskList2; /*< Delayed tasks (two lists are used - one for delays that have overflowed the current tick count. */
-PRIVILEGED_DATA static List_t * volatile pxDelayedTaskList; /*< Points to the delayed task list currently being used. */
-PRIVILEGED_DATA static List_t * volatile pxOverflowDelayedTaskList; /*< Points to the delayed task list currently being used to hold tasks that have overflowed the current tick count. */
+PRIVILEGED_DATA static List_t * pxDelayedTaskList; /*< Points to the delayed task list currently being used. */
+PRIVILEGED_DATA static List_t * pxOverflowDelayedTaskList; /*< Points to the delayed task list currently being used to hold tasks that have overflowed the current tick count. */
PRIVILEGED_DATA static List_t xPendingReadyList; /*< Tasks that have been readied while the scheduler was suspended. They will be moved to the ready list when the scheduler is resumed. */
#if( INCLUDE_vTaskDelete == 1 )
@@ -368,10 +368,10 @@ PRIVILEGED_DATA static volatile UBaseType_t uxCurrentNumberOfTasks = ( UBaseTyp
/* Other file private variables. --------------------------------*/
PRIVILEGED_DATA static volatile UBaseType_t uxCurrentNumberOfTasks = ( UBaseType_t ) 0U;
PRIVILEGED_DATA static volatile TickType_t xTickCount = ( TickType_t ) configINITIAL_TICK_COUNT;
PRIVILEGED_DATA static volatile UBaseType_t uxTopReadyPriority = tskIDLE_PRIORITY;
PRIVILEGED_DATA static volatile BaseType_t xSchedulerRunning = pdFALSE;
-PRIVILEGED_DATA static volatile TickType_t xPendedTicks = ( TickType_t ) 0U;
+PRIVILEGED_DATA static TickType_t xPendedTicks = ( TickType_t ) 0U;
PRIVILEGED_DATA static volatile BaseType_t xYieldPending = pdFALSE;
PRIVILEGED_DATA static volatile BaseType_t xNumOfOverflows = ( BaseType_t ) 0;
PRIVILEGED_DATA static UBaseType_t uxTaskNumber = ( UBaseType_t ) 0U;

22
FreeRTOS/Test/CBMC/patches/0005-remove-static-from-prvCopyDataToQueue.patch Normal file
View file

@ -0,0 +1,22 @@
diff --git a/FreeRTOS/Source/queue.c b/FreeRTOS/Source/queue.c
index df2b9c8c..c2265c26 100644
--- a/FreeRTOS/Source/queue.c
+++ b/FreeRTOS/Source/queue.c
@@ -105,7 +105,7 @@ static BaseType_t prvIsQueueFull( const Queue_t *pxQueue ) PRIVILEGED_FUNCTION;
* Copies an item into the queue, either at the front of the queue or the
* back of the queue.
*/
-static BaseType_t prvCopyDataToQueue( Queue_t * const pxQueue, const void *pvItemToQueue, const BaseType_t xPosition ) PRIVILEGED_FUNCTION;
+BaseType_t prvCopyDataToQueue( Queue_t * const pxQueue, const void *pvItemToQueue, const BaseType_t xPosition ) PRIVILEGED_FUNCTION;
/*
* Copies an item out of a queue.
@@ -1985,7 +1985,7 @@ Queue_t * const pxQueue = xQueue;
#endif /* configUSE_MUTEXES */
/*-----------------------------------------------------------*/
-static BaseType_t prvCopyDataToQueue( Queue_t * const pxQueue, const void *pvItemToQueue, const BaseType_t xPosition )
+BaseType_t prvCopyDataToQueue( Queue_t * const pxQueue, const void *pvItemToQueue, const BaseType_t xPosition )
{
BaseType_t xReturn = pdFALSE;
UBaseType_t uxMessagesWaiting;

22
FreeRTOS/Test/CBMC/patches/0006-Remove-static-from-prvNotifyQueueSetContainer.patch Normal file
View file

@ -0,0 +1,22 @@
diff --git a/FreeRTOS/Source/queue.c b/FreeRTOS/Source/queue.c
index 17a6964e..24a40c29 100644
--- a/FreeRTOS/Source/queue.c
+++ b/FreeRTOS/Source/queue.c
@@ -207,7 +207,7 @@ static void prvCopyDataFromQueue( Queue_t * const pxQueue, void * const pvBuffer
* Checks to see if a queue is a member of a queue set, and if so, notifies
* the queue set that the queue contains data.
*/
- static BaseType_t prvNotifyQueueSetContainer( const Queue_t * const pxQueue ) PRIVILEGED_FUNCTION;
+ BaseType_t prvNotifyQueueSetContainer( const Queue_t * const pxQueue ) PRIVILEGED_FUNCTION;
#endif
/*
@@ -2887,7 +2887,7 @@ Queue_t * const pxQueue = xQueue;
#if ( configUSE_QUEUE_SETS == 1 )
- static BaseType_t prvNotifyQueueSetContainer( const Queue_t * const pxQueue )
+ BaseType_t prvNotifyQueueSetContainer( const Queue_t * const pxQueue )
{
Queue_t *pxQueueSetContainer = pxQueue->pxQueueSetContainer;
BaseType_t xReturn = pdFALSE;

22
FreeRTOS/Test/CBMC/patches/0007-Remove-static-from-prvUnlockQueue.patch Normal file
View file

@ -0,0 +1,22 @@
diff --git a/FreeRTOS/Source/queue.c b/FreeRTOS/Source/queue.c
index 17a6964e..60ea3e69 100644
--- a/FreeRTOS/Source/queue.c
+++ b/FreeRTOS/Source/queue.c
@@ -175,7 +175,7 @@ typedef xQUEUE Queue_t;
* to indicate that a task may require unblocking. When the queue in unlocked
* these lock counts are inspected, and the appropriate action taken.
*/
-static void prvUnlockQueue( Queue_t * const pxQueue ) PRIVILEGED_FUNCTION;
+void prvUnlockQueue( Queue_t * const pxQueue ) PRIVILEGED_FUNCTION;
/*
* Uses a critical section to determine if there is any data in a queue.
@@ -2175,7 +2175,7 @@ static void prvCopyDataFromQueue( Queue_t * const pxQueue, void * const pvBuffer
}
/*-----------------------------------------------------------*/
-static void prvUnlockQueue( Queue_t * const pxQueue )
+void prvUnlockQueue( Queue_t * const pxQueue )
{
/* THIS FUNCTION MUST BE CALLED WITH THE SCHEDULER SUSPENDED. */

68
FreeRTOS/Test/CBMC/patches/0008-Remove-static-attributes-from-functions-implementing.patch Normal file
View file

@ -0,0 +1,68 @@
From 18ca738652bd0ce0a1345cb3dcd7ffacbc196bfa Mon Sep 17 00:00:00 2001
From: "Mark R. Tuttle" <mrtuttle@amazon.com>
Date: Wed, 30 Oct 2019 09:38:56 -0400
Subject: [PATCH] Remove static attributes from functions implementing
prvCheckOptions for CBMC proofs.
---
.../freertos_plus_tcp/source/FreeRTOS_TCP_IP.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/libraries/freertos_plus/standard/freertos_plus_tcp/source/FreeRTOS_TCP_IP.c b/libraries/freertos_plus/standard/freertos_plus_tcp/source/FreeRTOS_TCP_IP.c
index 4378e28de..2cd072d24 100644
--- a/libraries/freertos_plus/standard/freertos_plus_tcp/source/FreeRTOS_TCP_IP.c
+++ b/libraries/freertos_plus/standard/freertos_plus_tcp/source/FreeRTOS_TCP_IP.c
@@ -225,20 +225,20 @@ static BaseType_t prvTCPPrepareConnect( FreeRTOS_Socket_t *pxSocket );
/*
* Parse the TCP option(s) received, if present.
*/
-static void prvCheckOptions( FreeRTOS_Socket_t *pxSocket, NetworkBufferDescriptor_t *pxNetworkBuffer );
+void prvCheckOptions( FreeRTOS_Socket_t *pxSocket, NetworkBufferDescriptor_t *pxNetworkBuffer );
/*
* Identify and deal with a single TCP header option, advancing the pointer to
* the header. This function returns pdTRUE or pdFALSE depending on whether the
* caller should continue to parse more header options or break the loop.
*/
-static BaseType_t prvSingleStepTCPHeaderOptions( const unsigned char ** const ppucPtr, const unsigned char ** const ppucLast, FreeRTOS_Socket_t ** const ppxSocket, TCPWindow_t ** const ppxTCPWindow);
+BaseType_t prvSingleStepTCPHeaderOptions( const unsigned char ** const ppucPtr, const unsigned char ** const ppucLast, FreeRTOS_Socket_t ** const ppxSocket, TCPWindow_t ** const ppxTCPWindow);
/*
* Skip past TCP header options when doing Selective ACK, until there are no
* more options left.
*/
-static void prvSkipPastRemainingOptions( const unsigned char ** const ppucPtr, FreeRTOS_Socket_t ** const ppxSocket, unsigned char * const ppucLen );
+void prvSkipPastRemainingOptions( const unsigned char ** const ppucPtr, FreeRTOS_Socket_t ** const ppxSocket, unsigned char * const ppucLen );
/*
* Set the initial properties in the options fields, like the preferred
@@ -1157,7 +1157,7 @@ uint32_t ulInitialSequenceNumber = 0;
* that: ((pxTCPHeader->ucTCPOffset & 0xf0) > 0x50), meaning that the TP header
* is longer than the usual 20 (5 x 4) bytes.
*/
-static void prvCheckOptions( FreeRTOS_Socket_t *pxSocket, NetworkBufferDescriptor_t *pxNetworkBuffer )
+void prvCheckOptions( FreeRTOS_Socket_t *pxSocket, NetworkBufferDescriptor_t *pxNetworkBuffer )
{
TCPPacket_t * pxTCPPacket;
TCPHeader_t * pxTCPHeader;
@@ -1191,7 +1191,7 @@ BaseType_t xShouldContinueLoop;
/*-----------------------------------------------------------*/
-static BaseType_t prvSingleStepTCPHeaderOptions( const unsigned char ** const ppucPtr, const unsigned char ** const ppucLast, FreeRTOS_Socket_t ** const ppxSocket, TCPWindow_t ** const ppxTCPWindow)
+BaseType_t prvSingleStepTCPHeaderOptions( const unsigned char ** const ppucPtr, const unsigned char ** const ppucLast, FreeRTOS_Socket_t ** const ppxSocket, TCPWindow_t ** const ppxTCPWindow)
{
UBaseType_t uxNewMSS;
UBaseType_t xRemainingOptionsBytes = ( *ppucLast ) - ( *ppucPtr );
@@ -1319,7 +1319,7 @@ static BaseType_t prvSingleStepTCPHeaderOptions( const unsigned char ** const pp
/*-----------------------------------------------------------*/
-static void prvSkipPastRemainingOptions( const unsigned char ** const ppucPtr, FreeRTOS_Socket_t ** const ppxSocket, unsigned char * const pucLen )
+void prvSkipPastRemainingOptions( const unsigned char ** const ppucPtr, FreeRTOS_Socket_t ** const ppxSocket, unsigned char * const pucLen )
{
uint32_t ulFirst = ulChar2u32( ( *ppucPtr ) );
uint32_t ulLast = ulChar2u32( ( *ppucPtr ) + 4 );
--
2.20.1 (Apple Git-117)

140
FreeRTOS/Test/CBMC/patches/FreeRTOSConfig.h Normal file
View file

@ -0,0 +1,140 @@
/*
* FreeRTOS Kernel V10.0.1
* Copyright (C) 2017 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Permission is hereby granted, free of charge, to any person obtaining a copy of
* this software and associated documentation files (the "Software"), to deal in
* the Software without restriction, including without limitation the rights to
* use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
* the Software, and to permit persons to whom the Software is furnished to do so,
* subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
* FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
* COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
* IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*
* http://aws.amazon.com/freertos
* http://www.FreeRTOS.org
*/
#ifndef FREERTOS_CONFIG_H
#define FREERTOS_CONFIG_H
/*-----------------------------------------------------------
* Application specific definitions.
*
* These definitions should be adjusted for your particular hardware and
* application requirements.
*
* THESE PARAMETERS ARE DESCRIBED WITHIN THE 'CONFIGURATION' SECTION OF THE
* FreeRTOS API DOCUMENTATION AVAILABLE ON THE FreeRTOS.org WEB SITE.
* http://www.freertos.org/a00110.html
*
* The bottom of this file contains some constants specific to running the UDP
* stack in this demo. Constants specific to FreeRTOS+TCP itself (rather than
* the demo) are contained in FreeRTOSIPConfig.h.
*----------------------------------------------------------*/
#define configENABLE_BACKWARD_COMPATIBILITY 1
#define configUSE_PREEMPTION 1
#define configUSE_PORT_OPTIMISED_TASK_SELECTION 1
#define configMAX_PRIORITIES ( 7 )
#define configTICK_RATE_HZ ( 1000 ) /* In this non-real time simulated environment the tick frequency has to be at least a multiple of the Win32 tick frequency, and therefore very slow. */
#define configMINIMAL_STACK_SIZE ( ( unsigned short ) 60 ) /* In this simulated case, the stack only has to hold one small structure as the real stack is part of the Win32 thread. */
#define configTOTAL_HEAP_SIZE ( ( size_t ) ( 2048U * 1024U ) )
#define configMAX_TASK_NAME_LEN ( 15 )
#define configUSE_16_BIT_TICKS 0
#define configIDLE_SHOULD_YIELD 1
#define configUSE_CO_ROUTINES 0
#ifndef configUSE_MUTEXES
#define configUSE_MUTEXES 1
#endif
#ifndef configUSE_RECURSIVE_MUTEXES
#define configUSE_RECURSIVE_MUTEXES 1
#endif
#define configQUEUE_REGISTRY_SIZE 0
#define configUSE_APPLICATION_TASK_TAG 1
#define configUSE_COUNTING_SEMAPHORES 1
#define configUSE_ALTERNATIVE_API 0
#define configNUM_THREAD_LOCAL_STORAGE_POINTERS 3 /* FreeRTOS+FAT requires 2 pointers if a CWD is supported. */
#define configRECORD_STACK_HIGH_ADDRESS 1
/* Hook function related definitions. */
#ifndef configUSE_TICK_HOOK
#define configUSE_TICK_HOOK 0
#endif
#define configUSE_IDLE_HOOK 1
#define configUSE_MALLOC_FAILED_HOOK 1
#define configCHECK_FOR_STACK_OVERFLOW 0 /* Not applicable to the Win32 port. */
/* Software timer related definitions. */
#define configUSE_TIMERS 1
#define configTIMER_TASK_PRIORITY ( configMAX_PRIORITIES - 1 )
#define configTIMER_QUEUE_LENGTH 5
#define configTIMER_TASK_STACK_DEPTH ( configMINIMAL_STACK_SIZE * 2 )
/* Event group related definitions. */
#define configUSE_EVENT_GROUPS 1
/* Co-routine definitions. */
#define configUSE_CO_ROUTINES 0
#define configMAX_CO_ROUTINE_PRIORITIES ( 2 )
/* Memory allocation strategy. */
#ifndef configSUPPORT_DYNAMIC_ALLOCATION
#define configSUPPORT_DYNAMIC_ALLOCATION 1
#endif
#ifndef configSUPPORT_STATIC_ALLOCATION
#define configSUPPORT_STATIC_ALLOCATION 1
#endif
/* Set the following definitions to 1 to include the API function, or zero
* to exclude the API function. */
#define INCLUDE_vTaskPrioritySet 1
#define INCLUDE_uxTaskPriorityGet 1
#define INCLUDE_vTaskDelete 1
#define INCLUDE_vTaskCleanUpResources 0
#ifndef INCLUDE_vTaskSuspend
#define INCLUDE_vTaskSuspend 1
#endif
#define INCLUDE_vTaskDelayUntil 1
#define INCLUDE_vTaskDelay 1
#define INCLUDE_uxTaskGetStackHighWaterMark 1
#ifndef INCLUDE_xTaskGetSchedulerState
#define INCLUDE_xTaskGetSchedulerState 1
#endif
#define INCLUDE_xTimerGetTimerTaskHandle 0
#define INCLUDE_xTaskGetIdleTaskHandle 0
#define INCLUDE_xQueueGetMutexHolder 1
#define INCLUDE_eTaskGetState 1
#define INCLUDE_xEventGroupSetBitsFromISR 1
#define INCLUDE_xTimerPendFunctionCall 1
#define INCLUDE_xTaskGetCurrentTaskHandle 1
#define INCLUDE_xTaskAbortDelay 1
/* This demo makes use of one or more example stats formatting functions. These
* format the raw data provided by the uxTaskGetSystemState() function in to human
* readable ASCII form. See the notes in the implementation of vTaskList() within
* FreeRTOS/Source/tasks.c for limitations. configUSE_STATS_FORMATTING_FUNCTIONS
* is set to 2 so the formatting functions are included without the stdio.h being
* included in tasks.c. That is because this project defines its own sprintf()
* functions. */
#define configUSE_STATS_FORMATTING_FUNCTIONS 1
/* Assert call defined for debug builds. */
extern void vAssertCalled( const char * pcFile,
uint32_t ulLine );
#ifndef configASSERT
#define configASSERT( x ) if( ( x ) == 0 ) vAssertCalled( __FILE__, __LINE__ )
#endif
/* The platform that FreeRTOS is running on. */
#define configPLATFORM_NAME "WinSim"
#endif /* FREERTOS_CONFIG_H */

24
FreeRTOS/Test/CBMC/patches/Makefile Normal file
View file

@ -0,0 +1,24 @@
BRANCH=freertos
PATCHED=patched
default:
git format-patch $(BRANCH)..$(BRANCH)-cbmc-patches
patch:
if [ ! -f $(PATCHED) ]; then \
for p in *.patch; do \
(cd ../../..; patch -p1 < cbmc/patches/$${p}) \
done; \
cat > $(PATCHED) < /dev/null; \
fi
unpatch:
git checkout ../../../lib
$(RM) $(PATCHED)
#patching file lib/FreeRTOS-Plus-TCP/include/FreeRTOS_IP_Private.h
#patching file lib/include/private/list.h
#patching file lib/FreeRTOS-Plus-TCP/source/FreeRTOS_DHCP.c
#patching file lib/FreeRTOS-Plus-TCP/source/FreeRTOS_DNS.c
#patching file lib/FreeRTOS-Plus-TCP/source/FreeRTOS_TCP_WIN.c

6
FreeRTOS/Test/CBMC/patches/README.md Normal file
View file

@ -0,0 +1,6 @@
This directory includes patches to FreeRTOS required to run the CBMC proofs.
The patches fall into three classes:
* First is a refactoring of prvCheckOptions
* Second is the removal of static attributes from some functions
* Third is two patches dealing with shortcomings of CBMC that should be removed soon.

0
FreeRTOS/Test/CBMC/patches/__init__.py Normal file
View file

241
FreeRTOS/Test/CBMC/patches/compute_patch.py Normal file
View file

@ -0,0 +1,241 @@
#!/usr/bin/env python3
#
# Generation of patches for CBMC proofs.
#
# Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
import json
import os
import re
import subprocess
import textwrap
import unittest
from patches_constants import PATCHES_DIR
from patches_constants import HEADERS
DEFINE_REGEX_MAKEFILE = re.compile(r"(?:['\"])?([\w]+)")
DEFINE_REGEX_HEADER = re.compile(r"\s*#\s*define\s*([\w]+)")
class DirtyGitError(Exception):
pass
class PatchCreationError(Exception):
pass
def prolog():
return textwrap.dedent("""\
This script generates patch files for the header files used
in the cbmc proof. These patches permit setting values of preprocessor
macros as part of the proof configuration.
""")
def find_all_defines():
"""Collects all define values in Makefile.json.
Some of the Makefiles use # in the json to make comments.
As this is non standard json, we need to remove the comment
lines before parsing. Then we extract all defines from the file.
"""
defines = set()
proof_dir = os.path.abspath(os.path.join(PATCHES_DIR, "..", "proofs"))
for fldr, _, fyles in os.walk(proof_dir):
if "Makefile.json" in fyles:
file = os.path.join(fldr, "Makefile.json")
key = "DEF"
elif "MakefileCommon.json" in fyles:
file = os.path.join(fldr, "MakefileCommon.json")
key = "DEF "
else:
continue
with open(file, "r") as source:
content = "".join([line for line in source
if line and not line.strip().startswith("#")])
makefile = json.loads(content)
if key in makefile.keys():
"""This regex parses the define declaration in Makefile.json
'macro(x)=false' is an example for a declaration.
'macro' is expected to be matched.
"""
for define in makefile[key]:
matched = DEFINE_REGEX_MAKEFILE.match(define)
if matched:
defines.add(matched.group(1))
return defines
def manipulate_headerfile(defines, header_file):
"""Wraps all defines used in an ifndef."""
# This regex matches the actual define in the header file.
modified_content = ""
with open(header_file, "r") as source:
last = ""
for line in source:
match = DEFINE_REGEX_HEADER.match(line)
if (match and
match.group(1) in defines and
not last.lstrip().startswith("#ifndef")):
full_def = line
# this loop deals with multiline definitions
while line.rstrip().endswith("\\"):
line = next(source)
full_def += line
# indentation for multiline definitions can be improved
modified_content += textwrap.dedent("""\
#ifndef {target}
{original}\
#endif
""".format(target=match.group(1), original=full_def))
else:
modified_content += line
last = line
with open(header_file, "w") as output:
output.write(modified_content)
def header_dirty(header_files):
"""Check that the header_file is not previously modified."""
# Git does not update the modified file list returned by diff-files on
# apply -R (at least not on MacOS).
# Running git status updates git's internal state.
status = subprocess.run(["git", "status"], stdout=subprocess.DEVNULL,
stderr=subprocess.PIPE, universal_newlines=True)
diff_state = subprocess.run(["git", "diff-files"], stdout=subprocess.PIPE,
stderr=subprocess.PIPE, universal_newlines=True)
if status.returncode:
raise DirtyGitError(textwrap.dedent("""\
Could not run git status. Exited: {}
stderr: {}
""".format(status.returncode, status.stderr)))
if diff_state.returncode:
raise DirtyGitError(textwrap.dedent("""\
Could not run git diff-files. Exited: {}
stderr: {}
""".format(diff_state.returncode, diff_state.stderr)))
for header_file in header_files:
if os.path.basename(header_file) + "\n" in diff_state.stdout:
return True
return False
def create_patch(defines, header_file):
"""Computes a patch enclosing defines used in CBMC proofs with #ifndef."""
manipulate_headerfile(defines, header_file)
patch = subprocess.run(["git", "diff", header_file],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE, universal_newlines=True)
cleaned = subprocess.run(["git", "checkout", "--", header_file],
stdout=subprocess.DEVNULL,
stderr=subprocess.PIPE, universal_newlines=True)
if patch.returncode:
raise PatchCreationError(textwrap.dedent("""\
git diff exited with error code: {}
stderr: {}
""".format(patch.returncode, patch.stderr)))
if cleaned.returncode:
raise DirtyGitError(textwrap.dedent("""\
git checkout for cleaning files failed with error code: {}
on file {}
stderr: {}
""".format(cleaned.returncode, header_file, cleaned.stderr)))
header_path_part = header_file.replace(os.sep, "_")
path_name = "auto_patch_" + header_path_part + ".patch"
path_name = os.path.join(PATCHES_DIR, path_name)
if patch.stdout:
with open(path_name, "w") as patch_file:
patch_file.write(patch.stdout)
def create_patches(headers):
defines = find_all_defines()
if not header_dirty(headers):
for header in headers:
create_patch(defines, header)
else:
raise DirtyGitError(textwrap.dedent("""\
It seems like one of the header files is in dirty state.
This script cannot patch files in dirty state.
"""))
# Invoke 'python3 -m unittest compute_patch.py" for running tests.
class TestDefineRegexes(unittest.TestCase):
def test_makefile_regex(self):
input1 = "ipconfigETHERNET_MINIMUM_PACKET_BYTES={MINIMUM_PACKET_BYTES}"
input2 = "ipconfigETHERNET_MINIMUM_PACKET_BYTES=50"
input3 = "'configASSERT(X)=__CPROVER_assert(x, \"must hold\")'"
input4 = '"configASSERT (X)=__CPROVER_assert(x, "must hold")"'
input5 = "configASSERT(X)=__CPROVER_assert(x,\"must hold\")"
match1 = DEFINE_REGEX_MAKEFILE.match(input1)
match2 = DEFINE_REGEX_MAKEFILE.match(input2)
match3 = DEFINE_REGEX_MAKEFILE.match(input3)
match4 = DEFINE_REGEX_MAKEFILE.match(input4)
match5 = DEFINE_REGEX_MAKEFILE.match(input5)
self.assertIsNotNone(match1)
self.assertIsNotNone(match2)
self.assertIsNotNone(match3)
self.assertIsNotNone(match4)
self.assertIsNotNone(match5)
self.assertEqual(match1.group(1),
"ipconfigETHERNET_MINIMUM_PACKET_BYTES")
self.assertEqual(match2.group(1),
"ipconfigETHERNET_MINIMUM_PACKET_BYTES")
self.assertEqual(match3.group(1), "configASSERT")
self.assertEqual(match4.group(1), "configASSERT")
self.assertEqual(match5.group(1), "configASSERT")
def test_header_regex(self):
input1 = ("#define configASSERT( x ) if( ( x ) == 0 )" +
"vAssertCalled( __FILE__, __LINE__ )")
input2 = "#define ipconfigMAX_ARP_RETRANSMISSIONS ( 5 )"
input3 = "#define ipconfigINCLUDE_FULL_INET_ADDR 1"
match1 = DEFINE_REGEX_HEADER.match(input1)
match2 = DEFINE_REGEX_HEADER.match(input2)
match3 = DEFINE_REGEX_HEADER.match(input3)
self.assertIsNotNone(match1)
self.assertIsNotNone(match2)
self.assertIsNotNone(match3)
self.assertEqual(match1.group(1), "configASSERT")
self.assertEqual(match2.group(1), "ipconfigMAX_ARP_RETRANSMISSIONS")
self.assertEqual(match3.group(1), "ipconfigINCLUDE_FULL_INET_ADDR")
if __name__ == '__main__':
create_patches(HEADERS)

36
FreeRTOS/Test/CBMC/patches/patch.py Executable file
View file

@ -0,0 +1,36 @@
#!/usr/bin/env python3
import logging
import os
import subprocess
import sys
from glob import glob
from patches_constants import PATCHES_DIR
def patch():
if os.path.isfile("patched"):
sys.exit()
applied_patches = []
failed_patches = []
for tmpfile in glob(os.path.join(PATCHES_DIR, "*.patch")):
print("patch", tmpfile)
result = subprocess.run(["git", "apply", tmpfile],
cwd=os.path.join("..", "..", ".."))
if result.returncode:
failed_patches.append(tmpfile)
logging.error("patching failed: %s", tmpfile)
else:
applied_patches.append(tmpfile)
with open(os.path.join(PATCHES_DIR, "patched"), "w") as outp:
print("Success:", file=outp)
print("\n".join(map(lambda x: "\t" + x, applied_patches)), file=outp)
print("Failure:", file=outp)
print("\n".join(map(lambda x: "\t" + x, failed_patches)), file=outp)
if __name__ == "__main__":
patch()

41
FreeRTOS/Test/CBMC/patches/patches_constants.py Normal file
View file

@ -0,0 +1,41 @@
#!/usr/bin/env python3
#
# Constants for the generation of patches for CBMC proofs.
#
# Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
import os
PATCHES_DIR = os.path.dirname(os.path.abspath(__file__))
shared_prefix = [
"."
]
shared_prefix_port = [
"..", "..", "..", "Source", "portable", "MSVC-MingW"
]
absolute_prefix = os.path.abspath(os.path.join(PATCHES_DIR, *shared_prefix))
absolute_prefix_port = os.path.abspath(os.path.join(PATCHES_DIR, *shared_prefix_port))
HEADERS = [os.path.join(absolute_prefix, "FreeRTOSConfig.h"),
os.path.join(absolute_prefix_port, "portmacro.h")]

42
FreeRTOS/Test/CBMC/patches/unpatch.py Executable file
View file

@ -0,0 +1,42 @@
#!/usr/bin/env python3
#
# unpatching changes for the CBMC proofs.
#
# Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
import subprocess
import os
import sys
from glob import glob
from patches_constants import PATCHES_DIR
try:
os.remove(os.path.join(PATCHES_DIR, "patched"))
except FileNotFoundError:
print("Nothing to do here.")
sys.exit(0)
for tmpfile in glob(os.path.join(PATCHES_DIR, "*.patch")):
print("unpatch", tmpfile)
result = subprocess.run(["git", "apply", "-R", tmpfile],
cwd=os.path.join("..", "..", ".."))
if result.returncode:
print("Unpatching failed: {}".format(tmpfile))

10
FreeRTOS/Test/CBMC/proofs/.gitignore vendored Normal file
View file

@ -0,0 +1,10 @@
# These files are generated by make_type_header_files.py
*_datastructure.h
Makefile
Makefile.common
cbmc-batch.yaml
**/*.txt
**/*.goto
!CMakeLists.txt

47
FreeRTOS/Test/CBMC/proofs/CBMCStubLibrary/tasksStubs.c Normal file
View file

@ -0,0 +1,47 @@
#include "FreeRTOS.h"
#include "task.h"
#include "tasksStubs.h"
#ifndef TASK_STUB_COUNTER
#define TASK_STUB_COUNTER 0;
#endif
/* 5 is a magic number, but we need some number here as a default value.
This value is used to bound any loop depending on xTaskCheckForTimeOut
as a loop bound. It should be overwritten in the Makefile.json adapting
to the performance requirements of the harness. */
#ifndef TASK_STUB_COUNTER_LIMIT
#define TASK_STUB_COUNTER_LIMIT 5;
#endif
static BaseType_t xCounter = TASK_STUB_COUNTER;
static BaseType_t xCounterLimit = TASK_STUB_COUNTER_LIMIT;
BaseType_t xTaskGetSchedulerState( void )
{
return xState;
}
/* This function is another method apart from overwritting the defines to init the max
loop bound. */
void vInitTaskCheckForTimeOut(BaseType_t maxCounter, BaseType_t maxCounter_limit)
{
xCounter = maxCounter;
xCounterLimit = maxCounter_limit;
}
/* This is mostly called in a loop. For CBMC, we have to bound the loop
to a max limits of calls. Therefore this Stub models a nondet timeout in
max TASK_STUB_COUNTER_LIMIT iterations.*/
BaseType_t xTaskCheckForTimeOut( TimeOut_t * const pxTimeOut, TickType_t * const pxTicksToWait ) {
++xCounter;
if(xCounter == xCounterLimit)
{
return pdTRUE;
}
else
{
return nondet_basetype();
}
}

37
FreeRTOS/Test/CBMC/proofs/CMakeLists.txt Normal file
View file

@ -0,0 +1,37 @@
list(APPEND cbmc_compile_options
-m32
)
list(APPEND cbmc_compile_definitions
CBMC
WINVER=0x400
_CONSOLE
_CRT_SECURE_NO_WARNINGS
_DEBUG
_WIN32_WINNT=0x0500
__PRETTY_FUNCTION__=__FUNCTION__
__free_rtos__
)
list(APPEND cbmc_compile_includes
${CMAKE_SOURCE_DIR}/Source/include
${CMAKE_SOURCE_DIR}/Source/portable/MSVC-MingW
${cbmc_dir}/include
${cbmc_dir}/windows
)
# Remove --flag for a specific proof with list(REMOVE_ITEM cbmc_flags --flag)
list(APPEND cbmc_flags
--32
--bounds-check
--pointer-check
--div-by-zero-check
--float-overflow-check
--nan-check
--nondet-static
--pointer-overflow-check
--signed-overflow-check
--undefined-shift-check
--unsigned-overflow-check
)

161
FreeRTOS/Test/CBMC/proofs/Makefile.template Normal file
View file

@ -0,0 +1,161 @@
default: cbmc
# ____________________________________________________________________
# CBMC binaries
#
GOTO_CC = @GOTO_CC@
GOTO_INSTRUMENT = goto-instrument
GOTO_ANALYZER = goto-analyzer
VIEWER = cbmc-viewer
# ____________________________________________________________________
# Variables
#
# Naming scheme:
# ``````````````
# FOO is the concatenation of the following:
# FOO2: Set of command line
# C_FOO: Value of $FOO common to all harnesses, set in this file
# O_FOO: Value of $FOO specific to the OS we're running on, set in the
# makefile for the operating system
# H_FOO: Value of $FOO specific to a particular harness, set in the
# makefile for that harness
ENTRY = $(H_ENTRY)
OBJS = $(H_OBJS)
INC = \
$(INC2) \
$(C_INC) $(O_INC) $(H_INC) \
# empty
CFLAGS = \
$(CFLAGS2) \
$(C_DEF) $(O_DEF) $(H_DEF) $(DEF) \
$(C_OPT) $(O_OPT) $(H_OPT) $(OPT) \
-m32 \
# empty
CBMCFLAGS = \
$(CBMCFLAGS2) \
$(C_CBMCFLAGS) $(O_CBMCFLAGS) $(H_CBMCFLAGS) \
# empty
INSTFLAGS = \
$(INSTFLAGS2) \
$(C_INSTFLAGS) $(O_INSTFLAGS) $(H_INSTFLAGS) \
# empty
# ____________________________________________________________________
# Rules
#
# Rules for building a:FR object files. These are not harness-specific,
# and several harnesses might depend on a particular a:FR object, so
# define them all once here.
@RULE_GOTO@
$(GOTO_CC) @COMPILE_ONLY@ @RULE_OUTPUT@ $(INC) $(CFLAGS) @RULE_INPUT@
# ____________________________________________________________________
# Rules
#
# Rules for patching
patch:
cd $(PROOFS)/../patches && ./patch.py
unpatch:
cd $(PROOFS)/../patches && ./unpatch.py
# ____________________________________________________________________
# Rules
#
# Rules for building the CBMC harness
queue_datastructure.h: $(H_OBJS_EXCEPT_HARNESS)
python3 @TYPE_HEADER_SCRIPT@ --binary $(FREERTOS)/Source/queue.goto --c-file $(FREERTOS)/Source/queue.c
$(ENTRY)_harness.goto: $(ENTRY)_harness.c $(H_GENERATE_HEADER)
$(GOTO_CC) @COMPILE_ONLY@ @RULE_OUTPUT@ $(INC) $(CFLAGS) @RULE_INPUT@
$(ENTRY)1.goto: $(OBJS)
$(GOTO_CC) @COMPILE_LINK@ @RULE_OUTPUT@ --function harness $(OBJS)
$(ENTRY)2.goto: $(ENTRY)1.goto
$(GOTO_INSTRUMENT) --add-library @RULE_INPUT@ @RULE_OUTPUT@ \
> $(ENTRY)2.txt 2>&1
$(ENTRY)3.goto: $(ENTRY)2.goto
$(GOTO_INSTRUMENT) --drop-unused-functions @RULE_INPUT@ @RULE_OUTPUT@ \
> $(ENTRY)3.txt 2>&1
$(ENTRY)4.goto: $(ENTRY)3.goto
$(GOTO_INSTRUMENT) $(INSTFLAGS) --slice-global-inits @RULE_INPUT@ @RULE_OUTPUT@ \
> $(ENTRY)4.txt 2>&1
# ____________________________________________________________________
# After running goto-instrument to remove function bodies the unused
# functions need to be dropped again.
$(ENTRY)5.goto: $(ENTRY)4.goto
$(GOTO_INSTRUMENT) --drop-unused-functions @RULE_INPUT@ @RULE_OUTPUT@ \
> $(ENTRY)5.txt 2>&1
$(ENTRY).goto: $(ENTRY)5.goto
@CP@ @RULE_INPUT@ @RULE_OUTPUT@
# ____________________________________________________________________
# Rules
#
# Rules for running CBMC
goto:
$(MAKE) patch
$(MAKE) $(ENTRY).goto
cbmc.txt: $(ENTRY).goto
cbmc $(CBMCFLAGS) --unwinding-assertions --trace @RULE_INPUT@ > $@ 2>&1
property.xml: $(ENTRY).goto
cbmc $(CBMCFLAGS) --unwinding-assertions --show-properties --xml-ui @RULE_INPUT@ \
2>&1 > $@
coverage.xml: $(ENTRY).goto
cbmc $(CBMCFLAGS) --cover location --xml-ui @RULE_INPUT@ 2>&1 > $@
cbmc: cbmc.txt
property: property.xml
coverage: coverage.xml
report: cbmc.txt property.xml coverage.xml
$(VIEWER) \
--goto $(ENTRY).goto \
--srcdir $(FREERTOS) \
--blddir $(FREERTOS) \
--htmldir html \
--srcexclude "(.@FORWARD_SLASH@doc|.@FORWARD_SLASH@tests|.@FORWARD_SLASH@vendors)" \
--result cbmc.txt \
--property property.xml \
--block coverage.xml
# ____________________________________________________________________
# Rules
#
# Rules for cleaning up
clean:
@RM@ $(OBJS) $(ENTRY).goto
@RM@ $(ENTRY)[0-9].goto $(ENTRY)[0-9].txt
@RM@ cbmc.txt property.xml coverage.xml TAGS
@RM@ *~ \#*
@RM@ queue_datastructure.h
veryclean: clean
@RM_RECURSIVE@ html
distclean: veryclean
cd $(PROOFS)/../patches && ./unpatch.py
cd $(PROOFS) && ./make-remove-makefiles.py

37
FreeRTOS/Test/CBMC/proofs/MakefileCommon.json Normal file
View file

@ -0,0 +1,37 @@
{
"FREERTOS": [ " ../../.." ],
"PROOFS": [ "." ],
"DEF ": [
"_DEBUG",
"__free_rtos__",
"_CONSOLE",
"_WIN32_WINNT=0x0500",
"WINVER=0x400",
"_CRT_SECURE_NO_WARNINGS",
"__PRETTY_FUNCTION__=__FUNCTION__",
"'configASSERT(X)=__CPROVER_assert(X,\"Assertion Error\")'",
"'configPRECONDITION(X)=__CPROVER_assume(X)'"
],
"INC ": [
"$(FREERTOS)/Source/include",
"$(FREERTOS)/Source/portable/MSVC-MingW",
"$(FREERTOS)/Test/CBMC/include",
"$(FREERTOS)/Test/CBMC/patches"
],
"CBMCFLAGS ": [
"--object-bits 7",
"--32",
"--bounds-check",
"--pointer-check"
],
"FORWARD_SLASH": ["/"],
"TYPE_HEADERS": [
"$(FREERTOS)/Source/queue.c"
]
}

36
FreeRTOS/Test/CBMC/proofs/MakefileLinux.json Normal file
View file

@ -0,0 +1,36 @@
{
"GOTO_CC": [
"goto-cc"
],
"COMPILE_LINK": [
"-o"
],
"COMPILE_ONLY": [
"-c",
"-o"
],
"RULE_INPUT": [
"$<"
],
"RULE_OUTPUT": [
"$@"
],
"RULE_GOTO": [
"%.goto : %.c"
],
"INC": [
"$(PROOFS)/../windows"
],
"RM": [
"$(RM)"
],
"RM_RECURSIVE": [
"$(RM) -r"
],
"CP": [
"cp"
],
"TYPE_HEADER_SCRIPT": [
"$(PROOFS)/make_type_header_files.py"
]
}

44
FreeRTOS/Test/CBMC/proofs/MakefileWindows.json Normal file
View file

@ -0,0 +1,44 @@
{
"DEF": [
"WIN32"
],
"GOTO_CC": [
"goto-cl"
],
"COMPILE_LINK": [
"/Fe"
],
"COMPILE_ONLY": [
"/c",
"/Fo"
],
"RULE_INPUT": [
"$**"
],
"RULE_OUTPUT": [
"$@"
],
"RULE_GOTO": [
".c.goto:"
],
"OPT": [
"/wd4210",
"/wd4127",
"/wd4214",
"/wd4201",
"/wd4244",
"/wd4310"
],
"RM": [
"del"
],
"RM_RECURSIVE": [
"del /s"
],
"CP": [
"copy"
],
"TYPE_HEADER_SCRIPT": [
"$(PROOFS)\\make_type_header_files.py"
]
}

47
FreeRTOS/Test/CBMC/proofs/Queue/QueueCreateCountingSemaphore/Makefile.json Normal file
View file

@ -0,0 +1,47 @@
#
# FreeRTOS memory safety proofs with CBMC.
# Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person
# obtaining a copy of this software and associated documentation
# files (the "Software"), to deal in the Software without
# restriction, including without limitation the rights to use, copy,
# modify, merge, publish, distribute, sublicense, and/or sell copies
# of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# http://aws.amazon.com/freertos
# http://www.FreeRTOS.org
#
{
"ENTRY": "QueueCreateCountingSemaphore",
"CBMCFLAGS": [
"--unwind 1",
"--signed-overflow-check",
"--pointer-overflow-check",
"--unsigned-overflow-check"
],
"OBJS": [
"$(ENTRY)_harness.goto",
"$(FREERTOS)/Source/queue.goto",
"$(FREERTOS)/Source/list.goto"
],
"DEF": [
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0"
]
}

44
FreeRTOS/Test/CBMC/proofs/Queue/QueueCreateCountingSemaphore/QueueCreateCountingSemaphore_harness.c Normal file
View file

@ -0,0 +1,44 @@
/*
* FreeRTOS memory safety proofs with CBMC.
* Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Permission is hereby granted, free of charge, to any person
* obtaining a copy of this software and associated documentation
* files (the "Software"), to deal in the Software without
* restriction, including without limitation the rights to use, copy,
* modify, merge, publish, distribute, sublicense, and/or sell copies
* of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*
* http://aws.amazon.com/freertos
* http://www.FreeRTOS.org
*/
#include "FreeRTOS.h"
#include "queue.h"
#include "cbmc.h"
void harness(){
UBaseType_t uxMaxCount;
UBaseType_t uxInitialCount;
__CPROVER_assume(uxMaxCount != 0);
__CPROVER_assume(uxInitialCount <= uxMaxCount);
xQueueCreateCountingSemaphore( uxMaxCount, uxInitialCount );
}

10
FreeRTOS/Test/CBMC/proofs/Queue/QueueCreateCountingSemaphore/README.md Normal file
View file

@ -0,0 +1,10 @@
Assuming uxMaxCount != 0 and uxInitialCount <= uxMaxCount,
this harness proves the memory safety of QueueCreateCountingSemaphore.
This proof is a work-in-progress. Proof assumptions are described in
the harness. The proof also assumes the following functions are
memory safe and have no side effects relevant to the memory safety of
this function:
* vPortEnterCritical
* vPortExitCritical

50
FreeRTOS/Test/CBMC/proofs/Queue/QueueCreateCountingSemaphoreStatic/Makefile.json Normal file
View file

@ -0,0 +1,50 @@
#
# FreeRTOS memory safety proofs with CBMC.
# Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person
# obtaining a copy of this software and associated documentation
# files (the "Software"), to deal in the Software without
# restriction, including without limitation the rights to use, copy,
# modify, merge, publish, distribute, sublicense, and/or sell copies
# of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# http://aws.amazon.com/freertos
# http://www.FreeRTOS.org
#
{
"ENTRY": "QueueCreateCountingSemaphoreStatic",
"CBMCFLAGS": [
"--unwind 1",
"--signed-overflow-check",
"--pointer-overflow-check",
"--unsigned-overflow-check"
],
"OBJS": [
"$(ENTRY)_harness.goto",
"$(FREERTOS)/Source/queue.goto",
"$(FREERTOS)/Source/list.goto"
],
"DEF": [
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0"
],
"GENERATE_HEADER": [
"queue_datastructure.h"
]
}

45
FreeRTOS/Test/CBMC/proofs/Queue/QueueCreateCountingSemaphoreStatic/QueueCreateCountingSemaphoreStatic_harness.c Normal file
View file

@ -0,0 +1,45 @@
/*
* FreeRTOS memory safety proofs with CBMC.
* Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Permission is hereby granted, free of charge, to any person
* obtaining a copy of this software and associated documentation
* files (the "Software"), to deal in the Software without
* restriction, including without limitation the rights to use, copy,
* modify, merge, publish, distribute, sublicense, and/or sell copies
* of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*
* http://aws.amazon.com/freertos
* http://www.FreeRTOS.org
*/
#include "FreeRTOS.h"
#include "queue.h"
#include "cbmc.h"
void harness(){
UBaseType_t uxMaxCount;
UBaseType_t uxInitialCount;
//xStaticQueue is required to be not null
StaticQueue_t xStaticQueue;
//Checked invariant
__CPROVER_assume(uxMaxCount != 0);
__CPROVER_assume(uxInitialCount <= uxMaxCount);
xQueueCreateCountingSemaphoreStatic( uxMaxCount, uxInitialCount, &xStaticQueue );
}

11
FreeRTOS/Test/CBMC/proofs/Queue/QueueCreateCountingSemaphoreStatic/README.md Normal file
View file

@ -0,0 +1,11 @@
Assuming uxMaxCount > 0, uxInitialCount <= uxMaxCount and the reference
to the storage area is not null,
this harness proves the memory saftey of QueueCreateCountingSemphoreStatic.
This proof is a work-in-progress. Proof assumptions are described in
the harness. The proof also assumes the following functions are
memory safe and have no side effects relevant to the memory safety of
this function:
* vPortEnterCritical
* vPortExitCritical

47
FreeRTOS/Test/CBMC/proofs/Queue/QueueCreateMutex/Makefile.json Normal file
View file

@ -0,0 +1,47 @@
#
# FreeRTOS memory safety proofs with CBMC.
# Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person
# obtaining a copy of this software and associated documentation
# files (the "Software"), to deal in the Software without
# restriction, including without limitation the rights to use, copy,
# modify, merge, publish, distribute, sublicense, and/or sell copies
# of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# http://aws.amazon.com/freertos
# http://www.FreeRTOS.org
#
{
"ENTRY": "QueueCreateMutex",
"CBMCFLAGS": [
"--unwind 1",
"--signed-overflow-check",
"--pointer-overflow-check",
"--unsigned-overflow-check"
],
"OBJS": [
"$(ENTRY)_harness.goto",
"$(FREERTOS)/Source/queue.goto",
"$(FREERTOS)/Source/list.goto"
],
"DEF": [
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0"
]
}

38
FreeRTOS/Test/CBMC/proofs/Queue/QueueCreateMutex/QueueCreateMutex_harness.c Normal file
View file

@ -0,0 +1,38 @@
/*
* FreeRTOS memory safety proofs with CBMC.
* Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Permission is hereby granted, free of charge, to any person
* obtaining a copy of this software and associated documentation
* files (the "Software"), to deal in the Software without
* restriction, including without limitation the rights to use, copy,
* modify, merge, publish, distribute, sublicense, and/or sell copies
* of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*
* http://aws.amazon.com/freertos
* http://www.FreeRTOS.org
*/
#include "FreeRTOS.h"
#include "queue.h"
#include "cbmc.h"
void harness() {
uint8_t ucQueueType;
xQueueCreateMutex(ucQueueType);
}

14
FreeRTOS/Test/CBMC/proofs/Queue/QueueCreateMutex/README.md Normal file
View file

@ -0,0 +1,14 @@
This harness proves the memory safety of QueueCreateMutex
for totally unconstrained input.
This proof is a work-in-progress. Proof assumptions are described in
the harness. The proof also assumes the following functions are
memory safe and have no side effects relevant to the memory safety of
this function:
* vPortEnterCritical
* vPortExitCritical
* vPortGenerateSimulatedInterrupt
* xTaskGetSchedulerState
* xTaskPriorityDisinherit
* xTaskRemoveFromEventList

50
FreeRTOS/Test/CBMC/proofs/Queue/QueueCreateMutexStatic/Makefile.json Normal file
View file

@ -0,0 +1,50 @@
#
# FreeRTOS memory safety proofs with CBMC.
# Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person
# obtaining a copy of this software and associated documentation
# files (the "Software"), to deal in the Software without
# restriction, including without limitation the rights to use, copy,
# modify, merge, publish, distribute, sublicense, and/or sell copies
# of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# http://aws.amazon.com/freertos
# http://www.FreeRTOS.org
#
{
"ENTRY": "QueueCreateMutexStatic",
"CBMCFLAGS": [
"--unwind 1",
"--signed-overflow-check",
"--pointer-overflow-check",
"--unsigned-overflow-check"
],
"OBJS": [
"$(ENTRY)_harness.goto",
"$(FREERTOS)/Source/queue.goto",
"$(FREERTOS)/Source/list.goto"
],
"DEF": [
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0"
],
"GENERATE_HEADER": [
"queue_datastructure.h"
]
}

41
FreeRTOS/Test/CBMC/proofs/Queue/QueueCreateMutexStatic/QueueCreateMutexStatic_harness.c Normal file
View file

@ -0,0 +1,41 @@
/*
* FreeRTOS memory safety proofs with CBMC.
* Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Permission is hereby granted, free of charge, to any person
* obtaining a copy of this software and associated documentation
* files (the "Software"), to deal in the Software without
* restriction, including without limitation the rights to use, copy,
* modify, merge, publish, distribute, sublicense, and/or sell copies
* of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*
* http://aws.amazon.com/freertos
* http://www.FreeRTOS.org
*/
#include "FreeRTOS.h"
#include "queue.h"
#include "cbmc.h"
void harness(){
uint8_t ucQueueType;
//The mutex storage is assumed to be not null.
StaticQueue_t xStaticQueue;
xQueueCreateMutexStatic( ucQueueType, &xStaticQueue );
}

15
FreeRTOS/Test/CBMC/proofs/Queue/QueueCreateMutexStatic/README.md Normal file
View file

@ -0,0 +1,15 @@
Given that the passed mutex storage area is not null, the QueueCreateMutexStatic
function is memory safe.
Otherwise an assertion violation is triggered.
This proof is a work-in-progress. Proof assumptions are described in
the harness. The proof also assumes the following functions are
memory safe and have no side effects relevant to the memory safety of
this function:
* vPortEnterCritical
* vPortExitCritical
* vPortGenerateSimulatedInterrupt
* xTaskGetSchedulerState
* xTaskPriorityDisinherit

110
FreeRTOS/Test/CBMC/proofs/Queue/QueueGenericCreate/Configurations.json Normal file
View file

@ -0,0 +1,110 @@
#
# FreeRTOS memory safety proofs with CBMC.
# Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person
# obtaining a copy of this software and associated documentation
# files (the "Software"), to deal in the Software without
# restriction, including without limitation the rights to use, copy,
# modify, merge, publish, distribute, sublicense, and/or sell copies
# of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# http://aws.amazon.com/freertos
# http://www.FreeRTOS.org
#
{
"ENTRY": "QueueGenericCreate",
# A CBMC pointer is an object id followed by an offset into the object.
# The size of the offset is limited by the size of the object id.
"CBMC_OBJECT_BITS": "7",
"CBMC_OBJECT_MAX_SIZE": "\"((UINT32_MAX>>(CBMC_OBJECT_BITS+1))\"",
"CBMCFLAGS":
[
"--unwind 1",
"--signed-overflow-check",
"--pointer-overflow-check",
"--unsigned-overflow-check"
],
"OBJS":
[
"$(ENTRY)_harness.goto",
"$(FREERTOS)/Source/list.goto",
"$(FREERTOS)/Source/queue.goto"
],
"DEF":
[
{
"QueueGenericCreate_default": [
"CBMC_OBJECT_BITS={CBMC_OBJECT_BITS}",
"CBMC_OBJECT_MAX_SIZE={CBMC_OBJECT_MAX_SIZE}",
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0",
"configUSE_MUTEXES=1",
"'mtCOVERAGE_TEST_MARKER()=__CPROVER_assert(1, \"Coverage marker\")'",
"configSUPPORT_STATIC_ALLOCATION=1",
"configUSE_QUEUE_SETS=0",
"configSUPPORT_DYNAMIC_ALLOCATION=1"
]
},
{
"QueueGenericCreate_noMutex": [
"CBMC_OBJECT_BITS={CBMC_OBJECT_BITS}",
"CBMC_OBJECT_MAX_SIZE={CBMC_OBJECT_MAX_SIZE}",
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0",
"configUSE_MUTEXES=0",
"configUSE_RECURSIVE_MUTEXES=0",
"'mtCOVERAGE_TEST_MARKER()=__CPROVER_assert(1, \"Coverage marker\")'",
"configSUPPORT_STATIC_ALLOCATION=1",
"configUSE_QUEUE_SETS=0",
"configSUPPORT_DYNAMIC_ALLOCATION=1"
]
},
{
"QueueGenericCreate_noSTATIC_ALLOCATION": [
"CBMC_OBJECT_BITS={CBMC_OBJECT_BITS}",
"CBMC_OBJECT_MAX_SIZE={CBMC_OBJECT_MAX_SIZE}",
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0",
"configUSE_MUTEXES=1",
"'mtCOVERAGE_TEST_MARKER()=__CPROVER_assert(1, \"Coverage marker\")'",
"configSUPPORT_STATIC_ALLOCATION=0",
"configUSE_QUEUE_SETS=0",
"configSUPPORT_DYNAMIC_ALLOCATION=1"
]
},
{
"QueueGenericCreate_useQueueSets": [
"CBMC_OBJECT_BITS={CBMC_OBJECT_BITS}",
"CBMC_OBJECT_MAX_SIZE={CBMC_OBJECT_MAX_SIZE}",
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0",
"configUSE_MUTEXES=1",
"'mtCOVERAGE_TEST_MARKER()=__CPROVER_assert(1, \"Coverage marker\")'",
"configSUPPORT_STATIC_ALLOCATION=1",
"configUSE_QUEUE_SETS=1",
"configSUPPORT_DYNAMIC_ALLOCATION=1"
]
}
],
"GENERATE_HEADER": [
"queue_datastructure.h"
]
}

50
FreeRTOS/Test/CBMC/proofs/Queue/QueueGenericCreate/QueueGenericCreate_harness.c Normal file
View file

@ -0,0 +1,50 @@
/*
* FreeRTOS memory safety proofs with CBMC.
* Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Permission is hereby granted, free of charge, to any person
* obtaining a copy of this software and associated documentation
* files (the "Software"), to deal in the Software without
* restriction, including without limitation the rights to use, copy,
* modify, merge, publish, distribute, sublicense, and/or sell copies
* of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*
* http://aws.amazon.com/freertos
* http://www.FreeRTOS.org
*/
#include "FreeRTOS.h"
#include "queue.h"
#include "queue_datastructure.h"
#include "cbmc.h"
void harness(){
UBaseType_t uxQueueLength;
UBaseType_t uxItemSize;
uint8_t ucQueueType;
size_t uxQueueStorageSize;
__CPROVER_assume(uxQueueStorageSize < (UINT32_MAX>>8));
// QueueGenericCreate does not check for multiplication overflow
__CPROVER_assume(uxItemSize < uxQueueStorageSize/uxQueueLength);
// QueueGenericCreate asserts positive queue length
__CPROVER_assume(uxQueueLength > ( UBaseType_t ) 0);
xQueueGenericCreate( uxQueueLength, uxItemSize, ucQueueType );
}

13
FreeRTOS/Test/CBMC/proofs/Queue/QueueGenericCreate/README.md Normal file
View file

@ -0,0 +1,13 @@
The harness and configurations in this folder show memory safety of
QueueGenericCreate, given the assumption made in the harness.
The principal assumption is that (uxItemSize * uxQueueLength) + sizeof(Queue_t)
does not overflow.
This proof is a work-in-progress. Proof assumptions are described in
the harness. The proof also assumes the following functions are
memory safe and have no side effects relevant to the memory safety of
this function:
* vPortEnterCritical
* vPortExitCritical

74
FreeRTOS/Test/CBMC/proofs/Queue/QueueGenericCreateStatic/Configurations.json Normal file
View file

@ -0,0 +1,74 @@
#
# FreeRTOS memory safety proofs with CBMC.
# Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person
# obtaining a copy of this software and associated documentation
# files (the "Software"), to deal in the Software without
# restriction, including without limitation the rights to use, copy,
# modify, merge, publish, distribute, sublicense, and/or sell copies
# of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# http://aws.amazon.com/freertos
# http://www.FreeRTOS.org
#
{
"ENTRY": "QueueGenericCreateStatic",
# A CBMC pointer is an object id followed by an offset into the object.
# The size of the offset is limited by the size of the object id.
"CBMC_OBJECT_BITS": "7",
"CBMC_OBJECT_MAX_SIZE": "\"((UINT32_MAX>>(CBMC_OBJECT_BITS+1))\"",
"CBMCFLAGS": [
"--unwind 1",
"--signed-overflow-check",
"--pointer-overflow-check",
"--unsigned-overflow-check"
],
"OBJS": [
"$(ENTRY)_harness.goto",
"$(FREERTOS)/Source/queue.goto",
"$(FREERTOS)/Source/list.goto"
],
"DEF": [
{
"QeueuGenericCreateStatic_DynamicAllocation": [
"CBMC_OBJECT_BITS={CBMC_OBJECT_BITS}",
"CBMC_OBJECT_MAX_SIZE={CBMC_OBJECT_MAX_SIZE}",
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0",
"configSUPPORT_STATIC_ALLOCATION=1",
"configSUPPORT_DYNAMIC_ALLOCATION=1"
]
},
{
"QeueuGenericCreateStatic_NoDynamicAllocation": [
"CBMC_OBJECT_BITS={CBMC_OBJECT_BITS}",
"CBMC_OBJECT_MAX_SIZE={CBMC_OBJECT_MAX_SIZE}",
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0",
"configSUPPORT_STATIC_ALLOCATION=1",
"configSUPPORT_DYNAMIC_ALLOCATION=0"
]
}
],
"GENERATE_HEADER": [
"queue_datastructure.h"
]
}

62
FreeRTOS/Test/CBMC/proofs/Queue/QueueGenericCreateStatic/QueueGenericCreateStatic_harness.c Normal file
View file

@ -0,0 +1,62 @@
/*
* FreeRTOS memory safety proofs with CBMC.
* Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Permission is hereby granted, free of charge, to any person
* obtaining a copy of this software and associated documentation
* files (the "Software"), to deal in the Software without
* restriction, including without limitation the rights to use, copy,
* modify, merge, publish, distribute, sublicense, and/or sell copies
* of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*
* http://aws.amazon.com/freertos
* http://www.FreeRTOS.org
*/
#include "FreeRTOS.h"
#include "queue.h"
#include "queue_datastructure.h"
#include "cbmc.h"
void harness(){
UBaseType_t uxQueueLength;
UBaseType_t uxItemSize;
size_t uxQueueStorageSize;
uint8_t *pucQueueStorage = (uint8_t *) pvPortMalloc(uxQueueStorageSize);
StaticQueue_t *pxStaticQueue =
(StaticQueue_t *) pvPortMalloc(sizeof(StaticQueue_t));
uint8_t ucQueueType;
__CPROVER_assume(uxQueueStorageSize < (UINT32_MAX>>8));
// QueueGenericReset does not check for multiplication overflow
__CPROVER_assume(uxItemSize < uxQueueStorageSize/uxQueueLength);
// QueueGenericCreateStatic asserts positive queue length
__CPROVER_assume(uxQueueLength > ( UBaseType_t ) 0);
// QueueGenericCreateStatic asserts the following equivalence
__CPROVER_assume( ( pucQueueStorage && uxItemSize ) ||
( !pucQueueStorage && !uxItemSize ) );
// QueueGenericCreateStatic asserts nonnull pointer
__CPROVER_assume(pxStaticQueue);
xQueueGenericCreateStatic( uxQueueLength, uxItemSize, pucQueueStorage, pxStaticQueue, ucQueueType );
}

16
FreeRTOS/Test/CBMC/proofs/Queue/QueueGenericCreateStatic/README.md Normal file
View file

@ -0,0 +1,16 @@
The harness proves memory safety of
QueueGenericCreateStatic under the assumption made in the harness.
The principal assumption is that (uxItemSize * uxQueueLength) + sizeof(Queue_t)
does not overflow. Further, ucQueueStorage must only be null iff uxItemSize is null.
In addition, the passed queue storage is assumed to be allocated to the right size.
The configurations for configSUPPORT_DYNAMIC_ALLOCATION set to 0 and 1 are checked.
This proof is a work-in-progress. Proof assumptions are described in
the harness. The proof also assumes the following functions are
memory safe and have no side effects relevant to the memory safety of
this function:
* vPortEnterCritical
* vPortExitCritical

53
FreeRTOS/Test/CBMC/proofs/Queue/QueueGenericReset/Makefile.json Normal file
View file

@ -0,0 +1,53 @@
#
# FreeRTOS memory safety proofs with CBMC.
# Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person
# obtaining a copy of this software and associated documentation
# files (the "Software"), to deal in the Software without
# restriction, including without limitation the rights to use, copy,
# modify, merge, publish, distribute, sublicense, and/or sell copies
# of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# http://aws.amazon.com/freertos
# http://www.FreeRTOS.org
#
{
"ENTRY": "QueueGenericReset",
"CBMCFLAGS": [
"--unwind 1",
"--signed-overflow-check",
"--pointer-overflow-check",
"--unsigned-overflow-check"
],
"OBJS": [
"$(ENTRY)_harness.goto",
"$(FREERTOS)/Source/queue.goto",
"$(FREERTOS)/Source/list.goto"
],
"DEF": [
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0"
],
"INC": [
"."
],
"GENERATE_HEADER":[
"queue_datastructure.h"
]
}

45
FreeRTOS/Test/CBMC/proofs/Queue/QueueGenericReset/QueueGenericReset_harness.c Normal file
View file

@ -0,0 +1,45 @@
/*
* FreeRTOS memory safety proofs with CBMC.
* Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Permission is hereby granted, free of charge, to any person
* obtaining a copy of this software and associated documentation
* files (the "Software"), to deal in the Software without
* restriction, including without limitation the rights to use, copy,
* modify, merge, publish, distribute, sublicense, and/or sell copies
* of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*
* http://aws.amazon.com/freertos
* http://www.FreeRTOS.org
*/
#include "FreeRTOS.h"
#include "queue.h"
#include "queue_init.h"
#include "cbmc.h"
struct QueueDefinition;
void harness() {
BaseType_t xNewQueue;
QueueHandle_t xQueue = xUnconstrainedQueue();
if(xQueue != NULL)
{
xQueueGenericReset(xQueue, xNewQueue);
}
}

12
FreeRTOS/Test/CBMC/proofs/Queue/QueueGenericReset/README.md Normal file
View file

@ -0,0 +1,12 @@
Assuming that the QueueHandel_t is not null and the assumptions made
for QueueGenericCreate hold, this harness proves the memory safety of QueueGenericReset.
This proof is a work-in-progress. Proof assumptions are described in
the harness. The proof also assumes the following functions are
memory safe and have no side effects relevant to the memory safety of
this function:
* vPortEnterCritical
* vPortExitCritical
* vPortGenerateSimulatedInterrupt
* xTaskRemoveFromEventList

76
FreeRTOS/Test/CBMC/proofs/Queue/QueueGenericSend/Configurations.json Normal file
View file

@ -0,0 +1,76 @@
#
# FreeRTOS memory safety proofs with CBMC.
# Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person
# obtaining a copy of this software and associated documentation
# files (the "Software"), to deal in the Software without
# restriction, including without limitation the rights to use, copy,
# modify, merge, publish, distribute, sublicense, and/or sell copies
# of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# http://aws.amazon.com/freertos
# http://www.FreeRTOS.org
#
{
"ENTRY": "QueueGenericSend",
"LOCK_BOUND": 2,
"QUEUE_SEND_BOUND":3,
"CBMCFLAGS": [
"--unwind 1",
"--signed-overflow-check",
"--pointer-overflow-check",
"--unsigned-overflow-check",
"--unwindset xQueueGenericSend.0:{QUEUE_SEND_BOUND},prvUnlockQueue.0:{LOCK_BOUND},prvUnlockQueue.1:{LOCK_BOUND}",
"--nondet-static"
],
"OBJS": [
"$(ENTRY)_harness.goto",
"$(FREERTOS)/Source/queue.goto",
"$(FREERTOS)/Source/list.goto",
"$(FREERTOS)/Test/CBMC/proofs/CBMCStubLibrary/tasksStubs.goto"
],
"DEF": [
{
"QueueGenericSend_noQueueSets": [
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0",
"'mtCOVERAGE_TEST_MARKER()=__CPROVER_assert(1, \"Coverage marker\")'",
"configUSE_QUEUE_SETS=0",
"LOCK_BOUND={LOCK_BOUND}",
"QUEUE_SEND_BOUND={QUEUE_SEND_BOUND}"
]
},
{
"QueueGenericSend_QueueSets": [
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0",
"'mtCOVERAGE_TEST_MARKER()=__CPROVER_assert(1, \"Coverage marker\")'",
"configUSE_QUEUE_SETS=1",
"LOCK_BOUND={LOCK_BOUND}",
"QUEUE_SEND_BOUND={QUEUE_SEND_BOUND}"
]
}
],
"INC": [
"."
],
"GENERATE_HEADER":[
"queue_datastructure.h"
]
}

127
FreeRTOS/Test/CBMC/proofs/Queue/QueueGenericSend/QueueGenericSend_harness.c Normal file
View file

@ -0,0 +1,127 @@
/*
* FreeRTOS memory safety proofs with CBMC.
* Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Permission is hereby granted, free of charge, to any person
* obtaining a copy of this software and associated documentation
* files (the "Software"), to deal in the Software without
* restriction, including without limitation the rights to use, copy,
* modify, merge, publish, distribute, sublicense, and/or sell copies
* of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*
* http://aws.amazon.com/freertos
* http://www.FreeRTOS.org
*/
#include "FreeRTOS.h"
#include "queue.h"
#include "queue_init.h"
#include "tasksStubs.h"
#include "cbmc.h"
#ifndef LOCK_BOUND
#define LOCK_BOUND 4
#endif
#ifndef QUEUE_SEND_BOUND
#define QUEUE_SEND_BOUND 4
#endif
#if( configUSE_QUEUE_SETS == 0 )
BaseType_t prvCopyDataToQueue( Queue_t * const pxQueue, const void *pvItemToQueue, const BaseType_t xPosition )
{
if(pxQueue->uxItemSize > ( UBaseType_t ) 0)
{
__CPROVER_assert(__CPROVER_r_ok(pvItemToQueue, ( size_t ) pxQueue->uxItemSize), "pvItemToQueue region must be readable");
if(xPosition == queueSEND_TO_BACK){
__CPROVER_assert(__CPROVER_w_ok(( void * ) pxQueue->pcWriteTo, ( size_t ) pxQueue->uxItemSize), "pxQueue->pcWriteTo region must be writable");
}else{
__CPROVER_assert(__CPROVER_w_ok(( void * ) pxQueue->u.xQueue.pcReadFrom, ( size_t ) pxQueue->uxItemSize), "pxQueue->u.xQueue.pcReadFrom region must be writable");
}
return pdFALSE;
}else
{
return nondet_BaseType_t();
}
}
#else
BaseType_t prvNotifyQueueSetContainer( const Queue_t * const pxQueue )
{
Queue_t *pxQueueSetContainer = pxQueue->pxQueueSetContainer;
configASSERT( pxQueueSetContainer );
}
void prvUnlockQueue( Queue_t * const pxQueue ) {
configASSERT( pxQueue );
if( pxQueue->pxQueueSetContainer != NULL )
{
prvNotifyQueueSetContainer(pxQueue);
}
listLIST_IS_EMPTY( &( pxQueue->xTasksWaitingToReceive ) );
pxQueue->cTxLock = queueUNLOCKED;
listLIST_IS_EMPTY( &( pxQueue->xTasksWaitingToSend ) );
pxQueue->cRxLock = queueUNLOCKED;
}
#endif
void harness(){
//Initialise the tasksStubs
vInitTaskCheckForTimeOut(0, QUEUE_SEND_BOUND - 1);
xState = nondet_basetype();
QueueHandle_t xQueue =
xUnconstrainedQueueBoundedItemSize(2);
TickType_t xTicksToWait;
if(xState == taskSCHEDULER_SUSPENDED){
xTicksToWait = 0;
}
if(xQueue){
void *pvItemToQueue = pvPortMalloc(xQueue->uxItemSize);
BaseType_t xCopyPosition;
if(xCopyPosition == queueOVERWRITE){
xQueue->uxLength = 1;
}
if(xQueue->uxItemSize == 0)
{
/* uxQueue->xQueueType is a pointer to the head of the queue storage area.
If an item has a sice, this pointer must not be modified after init.
Otherwise some of the write statements will fail. */
xQueue->uxQueueType = nondet_int8_t();
pvItemToQueue = 0;
}
/* This code checks explicitly for violations of the pxQueue->uxMessagesWaiting < pxQueue->uxLength
invariant. */
xQueue->uxMessagesWaiting = nondet_UBaseType_t();
/* These values are decremented during a while loop interacting with task.c.
This interaction is currently abstracted away.*/
xQueue->cTxLock = LOCK_BOUND - 1;
xQueue->cRxLock = LOCK_BOUND - 1;
if(!pvItemToQueue){
xQueue->uxItemSize = 0;
}
xQueueGenericSend( xQueue, pvItemToQueue, xTicksToWait, xCopyPosition );
}
}

19
FreeRTOS/Test/CBMC/proofs/Queue/QueueGenericSend/README.md Normal file
View file

@ -0,0 +1,19 @@
The harness in this folder proves the memory safety of QueueGenericSend
with and without QueueSets. It is abstracting away the task pool and concurrency
related functions and assumes the parameters to be initialized to valid data structures.
Further, prvCopyDataToQueue, prvUnlockQueue and prvNotifyQueueSetContainer are abstracted away.
This proof is a work-in-progress. Proof assumptions are described in
the harness. The proof also assumes the following functions are
memory safe and have no side effects relevant to the memory safety of
this function:
* vPortEnterCritical
* vPortExitCritical
* vPortGenerateSimulatedInterrupt
* vTaskInternalSetTimeOutState
* vTaskMissedYield
* vTaskPlaceOnEventList
* vTaskSuspendAll
* xTaskRemoveFromEventList
* xTaskResumeAll

68
FreeRTOS/Test/CBMC/proofs/Queue/QueueGenericSendFromISR/Configurations.json Normal file
View file

@ -0,0 +1,68 @@
#
# FreeRTOS memory safety proofs with CBMC.
# Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person
# obtaining a copy of this software and associated documentation
# files (the "Software"), to deal in the Software without
# restriction, including without limitation the rights to use, copy,
# modify, merge, publish, distribute, sublicense, and/or sell copies
# of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# http://aws.amazon.com/freertos
# http://www.FreeRTOS.org
#
{
"ENTRY": "QueueGenericSendFromISR",
"CBMCFLAGS": [
"--unwind 1",
"--signed-overflow-check",
"--pointer-overflow-check",
"--unsigned-overflow-check",
"--nondet-static"
],
"OBJS": [
"$(ENTRY)_harness.goto",
"$(FREERTOS)/Source/queue.goto",
"$(FREERTOS)/Source/list.goto"
],
"DEF": [
{
"QueueGenericSendFromISR_noQueueSets": [
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0",
"'mtCOVERAGE_TEST_MARKER()=__CPROVER_assert(1, \"Coverage marker\")'",
"configUSE_QUEUE_SETS=0"
]
},
{
"QueueGenericSendFromISR_QueueSets": [
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0",
"'mtCOVERAGE_TEST_MARKER()=__CPROVER_assert(1, \"Coverage marker\")'",
"configUSE_QUEUE_SETS=1"
]
}
],
"INC": [
"."
],
"GENERATE_HEADER":[
"queue_datastructure.h"
]
}

85
FreeRTOS/Test/CBMC/proofs/Queue/QueueGenericSendFromISR/QueueGenericSendFromISR_harness.c Normal file
View file

@ -0,0 +1,85 @@
/*
* FreeRTOS memory safety proofs with CBMC.
* Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Permission is hereby granted, free of charge, to any person
* obtaining a copy of this software and associated documentation
* files (the "Software"), to deal in the Software without
* restriction, including without limitation the rights to use, copy,
* modify, merge, publish, distribute, sublicense, and/or sell copies
* of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*
* http://aws.amazon.com/freertos
* http://www.FreeRTOS.org
*/
#include "FreeRTOS.h"
#include "queue.h"
#include "queue_init.h"
#include "cbmc.h"
#ifndef ITEM_BOUND
#define ITEM_BOUND 10
#endif
#if( configUSE_QUEUE_SETS == 0 )
BaseType_t prvCopyDataToQueue( Queue_t * const pxQueue, const void *pvItemToQueue, const BaseType_t xPosition )
{
if(pxQueue->uxItemSize > ( UBaseType_t ) 0)
{
__CPROVER_assert(__CPROVER_r_ok(pvItemToQueue, ( size_t ) pxQueue->uxItemSize), "pvItemToQueue region must be readable");
if(xPosition == queueSEND_TO_BACK){
__CPROVER_assert(__CPROVER_w_ok(( void * ) pxQueue->pcWriteTo, ( size_t ) pxQueue->uxItemSize), "pxQueue->pcWriteTo region must be writable");
}else{
__CPROVER_assert(__CPROVER_w_ok(( void * ) pxQueue->u.xQueue.pcReadFrom, ( size_t ) pxQueue->uxItemSize), "pxQueue->u.xQueue.pcReadFrom region must be writable");
}
return pdFALSE;
}else
{
return nondet_BaseType_t();
}
}
#endif
void harness(){
QueueHandle_t xQueue = xUnconstrainedQueueBoundedItemSize(ITEM_BOUND);
if( xQueue ){
void *pvItemToQueue = pvPortMalloc(xQueue->uxItemSize);
BaseType_t *xHigherPriorityTaskWoken = pvPortMalloc(sizeof(BaseType_t));
BaseType_t xCopyPosition;
if(xQueue->uxItemSize == 0)
{
/* uxQueue->xQueueType is a pointer to the head of the queue storage area.
If an item has a size, this pointer must not be modified after init.
Otherwise some of the write statements will fail. */
xQueue->uxQueueType = nondet_int8_t();
pvItemToQueue = 0;
}
/* This code checks explicitly for violations of the pxQueue->uxMessagesWaiting < pxQueue->uxLength
invariant. */
xQueue->uxMessagesWaiting = nondet_UBaseType_t();
if(!pvItemToQueue){
xQueue->uxItemSize = 0;
}
if(xCopyPosition == 2 ){
__CPROVER_assume(xQueue->uxLength == 1);
}
xQueueGenericSendFromISR( xQueue, pvItemToQueue, xHigherPriorityTaskWoken, xCopyPosition );
}
}

12
FreeRTOS/Test/CBMC/proofs/Queue/QueueGenericSendFromISR/README.md Normal file
View file

@ -0,0 +1,12 @@
The harness in this folder proves the memory safety of QueueGenericSendFromISR
with and without QueueSets. It is abstracting away the task pool and concurrency
related functions. Further, it uses a stub for prvCopyDataToQueue.
This proof is a work-in-progress. Proof assumptions are described in
the harness. The proof also assumes the following functions are
memory safe and have no side effects relevant to the memory safety of
this function:
* vPortEnterCritical
* vPortExitCritical
* xTaskRemoveFromEventList

53
FreeRTOS/Test/CBMC/proofs/Queue/QueueGetMutexHolder/Makefile.json Normal file
View file

@ -0,0 +1,53 @@
#
# FreeRTOS memory safety proofs with CBMC.
# Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person
# obtaining a copy of this software and associated documentation
# files (the "Software"), to deal in the Software without
# restriction, including without limitation the rights to use, copy,
# modify, merge, publish, distribute, sublicense, and/or sell copies
# of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# http://aws.amazon.com/freertos
# http://www.FreeRTOS.org
#
{
"ENTRY": "QueueGetMutexHolder",
"CBMCFLAGS": [
"--unwind 1",
"--signed-overflow-check",
"--pointer-overflow-check",
"--unsigned-overflow-check"
],
"OBJS": [
"$(ENTRY)_harness.goto",
"$(FREERTOS)/Source/queue.goto",
"$(FREERTOS)/Source/list.goto"
],
"DEF": [
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0"
],
"INC": [
"."
],
"GENERATE_HEADER": [
"queue_datastructure.h"
]
}

41
FreeRTOS/Test/CBMC/proofs/Queue/QueueGetMutexHolder/QueueGetMutexHolder_harness.c Normal file
View file

@ -0,0 +1,41 @@
/*
* FreeRTOS memory safety proofs with CBMC.
* Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Permission is hereby granted, free of charge, to any person
* obtaining a copy of this software and associated documentation
* files (the "Software"), to deal in the Software without
* restriction, including without limitation the rights to use, copy,
* modify, merge, publish, distribute, sublicense, and/or sell copies
* of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*
* http://aws.amazon.com/freertos
* http://www.FreeRTOS.org
*/
#include "FreeRTOS.h"
#include "queue_init.h"
#include "queue.h"
#include "cbmc.h"
void harness() {
QueueHandle_t xSemaphore = xUnconstrainedQueue();
if (xSemaphore) {
xSemaphore->uxQueueType = nondet_uint8_t();
xQueueGetMutexHolder(xSemaphore);
}
}

10
FreeRTOS/Test/CBMC/proofs/Queue/QueueGetMutexHolder/README.md Normal file
View file

@ -0,0 +1,10 @@
This harness proves the memory safety of QueueGetMutexHolder assuming the passed
semaphore is not null.
This proof is a work-in-progress. Proof assumptions are described in
the harness. The proof also assumes the following functions are
memory safe and have no side effects relevant to the memory safety of
this function:
* vPortEnterCritical
* vPortExitCritical

53
FreeRTOS/Test/CBMC/proofs/Queue/QueueGetMutexHolderFromISR/Makefile.json Normal file
View file

@ -0,0 +1,53 @@
#
# FreeRTOS memory safety proofs with CBMC.
# Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person
# obtaining a copy of this software and associated documentation
# files (the "Software"), to deal in the Software without
# restriction, including without limitation the rights to use, copy,
# modify, merge, publish, distribute, sublicense, and/or sell copies
# of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# http://aws.amazon.com/freertos
# http://www.FreeRTOS.org
#
{
"ENTRY": "QueueGetMutexHolderFromISR",
"CBMCFLAGS": [
"--unwind 1",
"--signed-overflow-check",
"--pointer-overflow-check",
"--unsigned-overflow-check"
],
"OBJS": [
"$(ENTRY)_harness.goto",
"$(FREERTOS)/Source/queue.goto",
"$(FREERTOS)/Source/list.goto"
],
"DEF": [
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0"
],
"INC": [
"."
],
"GENERATE_HEADER": [
"queue_datastructure.h"
]
}

41
FreeRTOS/Test/CBMC/proofs/Queue/QueueGetMutexHolderFromISR/QueueGetMutexHolderFromISR_harness.c Normal file
View file

@ -0,0 +1,41 @@
/*
* FreeRTOS memory safety proofs with CBMC.
* Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Permission is hereby granted, free of charge, to any person
* obtaining a copy of this software and associated documentation
* files (the "Software"), to deal in the Software without
* restriction, including without limitation the rights to use, copy,
* modify, merge, publish, distribute, sublicense, and/or sell copies
* of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*
* http://aws.amazon.com/freertos
* http://www.FreeRTOS.org
*/
#include "FreeRTOS.h"
#include "queue.h"
#include "queue_datastructure.h"
#include "cbmc.h"
void harness(){
QueueHandle_t xSemaphore = pvPortMalloc(sizeof(Queue_t));
if (xSemaphore) {
xQueueGetMutexHolderFromISR( xSemaphore );
}
}

5
FreeRTOS/Test/CBMC/proofs/Queue/QueueGetMutexHolderFromISR/README.md Normal file
View file

@ -0,0 +1,5 @@
Assuming that xSemaphore is a pointer to an allocated Queue_t instance,
this harness proves the memory safety of QueueGetMutexHolderFromISR.
This proof is a work-in-progress. Proof assumptions are described in
the harness.

72
FreeRTOS/Test/CBMC/proofs/Queue/QueueGiveFromISR/Configurations.json Normal file
View file

@ -0,0 +1,72 @@
#
# FreeRTOS memory safety proofs with CBMC.
# Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person
# obtaining a copy of this software and associated documentation
# files (the "Software"), to deal in the Software without
# restriction, including without limitation the rights to use, copy,
# modify, merge, publish, distribute, sublicense, and/or sell copies
# of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# http://aws.amazon.com/freertos
# http://www.FreeRTOS.org
#
{
"ENTRY": "QueueGiveFromISR",
"CBMCFLAGS": [
"--unwind 1",
"--signed-overflow-check",
"--pointer-overflow-check",
"--unsigned-overflow-check",
"--nondet-static"
],
"OBJS": [
"$(ENTRY)_harness.goto",
"$(FREERTOS)/Source/queue.goto",
"$(FREERTOS)/Source/list.goto"
],
"DEF": [
{
"QueueGiveFromISR_default": [
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0",
"'mtCOVERAGE_TEST_MARKER()=__CPROVER_assert(1, \"Coverage marker\")'",
"configSUPPORT_STATIC_ALLOCATION=1",
"configSUPPORT_DYNAMIC_ALLOCATION=1",
"configUSE_QUEUE_SETS=0"
]
},
{
"QueueGiveFromISR_QueueSets": [
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0",
"'mtCOVERAGE_TEST_MARKER()=__CPROVER_assert(1, \"Coverage marker\")'",
"configSUPPORT_STATIC_ALLOCATION=1",
"configSUPPORT_DYNAMIC_ALLOCATION=1",
"configUSE_QUEUE_SETS=1"
]
}
],
"INC": [
"$(FREERTOS)/Test/CBMC/proofs/CBMCStubLibrary/",
"."
],
"GENERATE_HEADER": [
"queue_datastructure.h"
]
}

43
FreeRTOS/Test/CBMC/proofs/Queue/QueueGiveFromISR/QueueGiveFromISR_harness.c Normal file
View file

@ -0,0 +1,43 @@
/*
* FreeRTOS memory safety proofs with CBMC.
* Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Permission is hereby granted, free of charge, to any person
* obtaining a copy of this software and associated documentation
* files (the "Software"), to deal in the Software without
* restriction, including without limitation the rights to use, copy,
* modify, merge, publish, distribute, sublicense, and/or sell copies
* of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*
* http://aws.amazon.com/freertos
* http://www.FreeRTOS.org
*/
#include "FreeRTOS.h"
#include "queue.h"
#include "queue_init.h"
#include "cbmc.h"
void harness(){
QueueHandle_t xQueue = xUnconstrainedMutex();
BaseType_t *xHigherPriorityTaskWoken = pvPortMalloc(sizeof(BaseType_t));
if(xQueue){
xQueue->uxMessagesWaiting = nondet_UBaseType_t();
xQueueGiveFromISR( xQueue, xHigherPriorityTaskWoken );
}
}

15
FreeRTOS/Test/CBMC/proofs/Queue/QueueGiveFromISR/README.md Normal file
View file

@ -0,0 +1,15 @@
Assuming the xQueue is allocated to a valid memory block and abstracting
away concurrency and task pool related functions, this harness proves the memory
safety of QueueGiveFromISR.
This proof is a work-in-progress. Proof assumptions are described in
the harness. The proof also assumes the following functions are
memory safe and have no side effects relevant to the memory safety of
this function:
* vPortEnterCritical
* vPortExitCritical
* vPortGenerateSimulatedInterrupt
* xTaskGetSchedulerState
* xTaskPriorityDisinherit
* xTaskRemoveFromEventList

54
FreeRTOS/Test/CBMC/proofs/Queue/QueueGiveMutexRecursive/Makefile.json Normal file
View file

@ -0,0 +1,54 @@
#
# FreeRTOS memory safety proofs with CBMC.
# Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person
# obtaining a copy of this software and associated documentation
# files (the "Software"), to deal in the Software without
# restriction, including without limitation the rights to use, copy,
# modify, merge, publish, distribute, sublicense, and/or sell copies
# of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# http://aws.amazon.com/freertos
# http://www.FreeRTOS.org
#
{
"ENTRY": "QueueGiveMutexRecursive",
"CBMCFLAGS": [
"--unwind 1",
"--signed-overflow-check",
"--pointer-overflow-check",
"--unsigned-overflow-check"
],
"OBJS": [
"$(ENTRY)_harness.goto",
"$(FREERTOS)/Source/queue.goto",
"$(FREERTOS)/Source/list.goto"
],
"DEF": [
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0",
"configUSE_RECURSIVE_MUTEXES=1"
],
"INC": [
"."
],
"GENERATE_HEADER": [
"queue_datastructure.h"
]
}

48
FreeRTOS/Test/CBMC/proofs/Queue/QueueGiveMutexRecursive/QueueGiveMutexRecursive_harness.c Normal file
View file

@ -0,0 +1,48 @@
/*
* FreeRTOS memory safety proofs with CBMC.
* Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Permission is hereby granted, free of charge, to any person
* obtaining a copy of this software and associated documentation
* files (the "Software"), to deal in the Software without
* restriction, including without limitation the rights to use, copy,
* modify, merge, publish, distribute, sublicense, and/or sell copies
* of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*
* http://aws.amazon.com/freertos
* http://www.FreeRTOS.org
*/
#include "FreeRTOS.h"
#include "queue.h"
#include "queue_datastructure.h"
#include "cbmc.h"
void harness() {
uint8_t ucQueueType;
QueueHandle_t xMutex =
xQueueCreateMutex( ucQueueType);
if (xMutex) {
xMutex->uxQueueType = ucQueueType;
UBaseType_t uxCounter;
/* This assumption is explained in the queue.c file inside the method body
xQueueGiveMutexRecursive and guards against an underflow error. */
__CPROVER_assume(uxCounter > 0);
xMutex->u.xSemaphore.uxRecursiveCallCount = uxCounter;
xQueueGiveMutexRecursive(xMutex);
}
}

16
FreeRTOS/Test/CBMC/proofs/Queue/QueueGiveMutexRecursive/README.md Normal file
View file

@ -0,0 +1,16 @@
Assuming that the xMutex parameter is initialized to a valid pointer and
abstracting concurrency and task pool related functions, this harness
proves the memory safety of QueueGiveMutexRecursive.
This proof is a work-in-progress. Proof assumptions are described in
the harness. The proof also assumes the following functions are
memory safe and have no side effects relevant to the memory safety of
this function:
* vPortEnterCritical
* vPortExitCritical
* vPortGenerateSimulatedInterrupt
* xTaskGetCurrentTaskHandle
* xTaskGetSchedulerState
* xTaskPriorityDisinherit
* xTaskRemoveFromEventList

52
FreeRTOS/Test/CBMC/proofs/Queue/QueueMessagesWaiting/Makefile.json Normal file
View file

@ -0,0 +1,52 @@
#
# FreeRTOS memory safety proofs with CBMC.
# Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person
# obtaining a copy of this software and associated documentation
# files (the "Software"), to deal in the Software without
# restriction, including without limitation the rights to use, copy,
# modify, merge, publish, distribute, sublicense, and/or sell copies
# of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# http://aws.amazon.com/freertos
# http://www.FreeRTOS.org
#
{
"ENTRY": "QueueMessagesWaiting",
"CBMCFLAGS": [
"--unwind 1",
"--signed-overflow-check",
"--pointer-overflow-check",
"--unsigned-overflow-check"
],
"OBJS": [
"$(ENTRY)_harness.goto",
"$(FREERTOS)/Source/queue.goto",
"$(FREERTOS)/Source/list.goto"
],
"DEF": [
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0"
],
"INC": [
"."
],
"GENERATE_HEADER": [
"queue_datastructure.h"
]
}

41
FreeRTOS/Test/CBMC/proofs/Queue/QueueMessagesWaiting/QueueMessagesWaiting_harness.c Normal file
View file

@ -0,0 +1,41 @@
/*
* FreeRTOS memory safety proofs with CBMC.
* Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Permission is hereby granted, free of charge, to any person
* obtaining a copy of this software and associated documentation
* files (the "Software"), to deal in the Software without
* restriction, including without limitation the rights to use, copy,
* modify, merge, publish, distribute, sublicense, and/or sell copies
* of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*
* http://aws.amazon.com/freertos
* http://www.FreeRTOS.org
*/
#include "FreeRTOS.h"
#include "queue.h"
#include "queue_datastructure.h"
#include "cbmc.h"
void harness(){
QueueHandle_t xQueue = pvPortMalloc(sizeof(Queue_t));
if(xQueue){
uxQueueMessagesWaiting( xQueue );
}
}

12
FreeRTOS/Test/CBMC/proofs/Queue/QueueMessagesWaiting/README.md Normal file
View file

@ -0,0 +1,12 @@
Assuming the parameter passed to QueueMessagesWaiting is a pointer to a Queue_t
struct, this harness proves the memory safety of QueueMessagesWaiting.
The concurrency related functions vPortEnterCrititcal and vPortExitCritical
are abstracted away.
This proof is a work-in-progress. Proof assumptions are described in
the harness. The proof also assumes the following functions are
memory safe and have no side effects relevant to the memory safety of
this function:
* vPortEnterCritical
* vPortExitCritical

60
FreeRTOS/Test/CBMC/proofs/Queue/QueuePeek/Makefile.json Normal file
View file

@ -0,0 +1,60 @@
#
# FreeRTOS memory safety proofs with CBMC.
# Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person
# obtaining a copy of this software and associated documentation
# files (the "Software"), to deal in the Software without
# restriction, including without limitation the rights to use, copy,
# modify, merge, publish, distribute, sublicense, and/or sell copies
# of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# http://aws.amazon.com/freertos
# http://www.FreeRTOS.org
#
{
"ENTRY": "QueuePeek",
"LOCK_BOUND":4,
"QUEUE_PEEK_BOUND" :4,
"CBMCFLAGS": [
"--unwind 1",
"--signed-overflow-check",
"--pointer-overflow-check",
"--unsigned-overflow-check",
"--unwindset prvUnlockQueue.0:{LOCK_BOUND},prvUnlockQueue.1:{LOCK_BOUND},xQueuePeek.0:{QUEUE_PEEK_BOUND}",
"--nondet-static"
],
"OBJS": [
"$(ENTRY)_harness.goto",
"$(FREERTOS)/Source/queue.goto",
"$(FREERTOS)/Source/list.goto",
"$(FREERTOS)/Test/CBMC/proofs/CBMCStubLibrary/tasksStubs.goto"
],
"DEF": [
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0",
"LOCK_BOUND={LOCK_BOUND}",
"QUEUE_PEEK_BOUND={QUEUE_PEEK_BOUND}",
"INCLUDE_xTaskGetSchedulerState=1"
],
"INC": [
"."
],
"GENERATE_HEADER": [
"queue_datastructure.h"
]
}

79
FreeRTOS/Test/CBMC/proofs/Queue/QueuePeek/QueuePeek_harness.c Normal file
View file

@ -0,0 +1,79 @@
/*
* FreeRTOS memory safety proofs with CBMC.
* Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Permission is hereby granted, free of charge, to any person
* obtaining a copy of this software and associated documentation
* files (the "Software"), to deal in the Software without
* restriction, including without limitation the rights to use, copy,
* modify, merge, publish, distribute, sublicense, and/or sell copies
* of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*
* http://aws.amazon.com/freertos
* http://www.FreeRTOS.org
*/
#include "FreeRTOS.h"
#include "queue.h"
#include "queue_init.h"
#include "tasksStubs.h"
#include "cbmc.h"
#ifndef LOCK_BOUND
#define LOCK_BOUND 4
#endif
#ifndef QUEUE_PEEK_BOUND
#define QUEUE_PEEK_BOUND 4
#endif
QueueHandle_t xQueue;
/* This method is called to initialize pxTimeOut.
Setting up the data structure is not interesting for the proof,
but the harness uses it to model a release
on the queue after first check. */
void vTaskInternalSetTimeOutState( TimeOut_t * const pxTimeOut ){
xQueue-> uxMessagesWaiting = nondet_BaseType_t();
}
void harness(){
xQueue = xUnconstrainedQueueBoundedItemSize(10);
//Initialise the tasksStubs
vInitTaskCheckForTimeOut(0, QUEUE_PEEK_BOUND - 1);
TickType_t xTicksToWait;
if(xState == taskSCHEDULER_SUSPENDED){
xTicksToWait = 0;
}
if(xQueue){
__CPROVER_assume(xQueue->cTxLock < LOCK_BOUND - 1);
__CPROVER_assume(xQueue->cRxLock < LOCK_BOUND - 1);
void *pvItemToQueue = pvPortMalloc(xQueue->uxItemSize);
/* In case malloc fails as this is otherwise an invariant violation. */
if(!pvItemToQueue){
xQueue->uxItemSize = 0;
}
xQueuePeek( xQueue, pvItemToQueue, xTicksToWait );
}
}

18
FreeRTOS/Test/CBMC/proofs/Queue/QueuePeek/README.md Normal file
View file

@ -0,0 +1,18 @@
Assuming xQueue and pvItemToQueue are non-null pointers allocated to the right
size, this harness proves the memory safety of QueueGenericPeek. Some of the
task pool behavior is abstracted away. Nevertheless, some of the concurrent
behavior has been modeled to allow full coverage of QueuePeek.
This proof is a work-in-progress. Proof assumptions are described in
the harness. The proof also assumes the following functions are
memory safe and have no side effects relevant to the memory safety of
this function:
* vPortEnterCritical
* vPortExitCritical
* vPortGenerateSimulatedInterrupt
* vTaskMissedYield
* vTaskPlaceOnEventList
* vTaskSuspendAll
* xTaskRemoveFromEventList
* xTaskResumeAll

61
FreeRTOS/Test/CBMC/proofs/Queue/QueueReceive/Makefile.json Normal file
View file

@ -0,0 +1,61 @@
#
# FreeRTOS memory safety proofs with CBMC.
# Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person
# obtaining a copy of this software and associated documentation
# files (the "Software"), to deal in the Software without
# restriction, including without limitation the rights to use, copy,
# modify, merge, publish, distribute, sublicense, and/or sell copies
# of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# http://aws.amazon.com/freertos
# http://www.FreeRTOS.org
#
{
"ENTRY": "QueueReceive",
"LOCK_BOUND": 2,
"QUEUE_RECEIVE_BOUND": 3,
"CBMCFLAGS": [
"--unwind 1",
"--signed-overflow-check",
"--pointer-overflow-check",
"--unsigned-overflow-check",
"--unwindset xQueueReceive.0:{QUEUE_RECEIVE_BOUND},prvUnlockQueue.0:{LOCK_BOUND},prvUnlockQueue.1:{LOCK_BOUND}",
"--nondet-static"
],
"OBJS": [
"$(ENTRY)_harness.goto",
"$(FREERTOS)/Source/queue.goto",
"$(FREERTOS)/Source/list.goto",
"$(FREERTOS)/Test/CBMC/proofs/CBMCStubLibrary/tasksStubs.goto"
],
"DEF": [
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0",
"INCLUDE_xTaskGetSchedulerState=1",
"QUEUE_RECEIVE_BOUND={QUEUE_RECEIVE_BOUND}",
"LOCK_BOUND={LOCK_BOUND}"
],
"INC": [
"."
],
"GENERATE_HEADER": [
"queue_datastructure.h"
]
}

88
FreeRTOS/Test/CBMC/proofs/Queue/QueueReceive/QueueReceive_harness.c Normal file
View file

@ -0,0 +1,88 @@
/*
* FreeRTOS memory safety proofs with CBMC.
* Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Permission is hereby granted, free of charge, to any person
* obtaining a copy of this software and associated documentation
* files (the "Software"), to deal in the Software without
* restriction, including without limitation the rights to use, copy,
* modify, merge, publish, distribute, sublicense, and/or sell copies
* of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*
* http://aws.amazon.com/freertos
* http://www.FreeRTOS.org
*/
#include "FreeRTOS.h"
#include "queue.h"
#include "queue_init.h"
#include "tasksStubs.h"
#include "cbmc.h"
/* prvUnlockQueue is going to decrement this value to 0 in the loop.
We need a bound for the loop. Using 4 has a reasonable performance resulting
in 3 unwinding iterations of the loop. The loop is mostly modifying a
data structure in task.c that is not in the scope of the proof. */
#ifndef LOCK_BOUND
#define LOCK_BOUND 4
#endif
/* This code checks for time outs. This value is used to bound the time out
wait period. The stub function xTaskCheckForTimeOut used to model
this wait time will be bounded to this define. */
#ifndef QUEUE_RECEIVE_BOUND
#define QUEUE_RECEIVE_BOUND 4
#endif
/* If the item size is not bounded, the proof does not finish in a reasonable
time due to the involved memcpy commands. */
#ifndef MAX_ITEM_SIZE
#define MAX_ITEM_SIZE 20
#endif
QueueHandle_t xQueue;
/* This method is used to model side effects of concurrency.
The initialization of pxTimeOut is not relevant for this harness. */
void vTaskInternalSetTimeOutState( TimeOut_t * const pxTimeOut ){
__CPROVER_assert(__CPROVER_w_ok(&(pxTimeOut->xOverflowCount), sizeof(BaseType_t)), "pxTimeOut should be a valid pointer and xOverflowCount writable");
__CPROVER_assert(__CPROVER_w_ok(&(pxTimeOut->xTimeOnEntering), sizeof(TickType_t)), "pxTimeOut should be a valid pointer and xTimeOnEntering writable");
xQueue->uxMessagesWaiting = nondet_BaseType_t();
}
void harness(){
vInitTaskCheckForTimeOut(0, QUEUE_RECEIVE_BOUND - 1);
xQueue = xUnconstrainedQueueBoundedItemSize(MAX_ITEM_SIZE);
TickType_t xTicksToWait;
if(xState == taskSCHEDULER_SUSPENDED){
xTicksToWait = 0;
}
if(xQueue){
xQueue->cTxLock = LOCK_BOUND - 1;
xQueue->cRxLock = LOCK_BOUND - 1;
void *pvBuffer = pvPortMalloc(xQueue->uxItemSize);
if(!pvBuffer){
xQueue->uxItemSize = 0;
}
xQueueReceive( xQueue, pvBuffer, xTicksToWait );
}
}

17
FreeRTOS/Test/CBMC/proofs/Queue/QueueReceive/README.md Normal file
View file

@ -0,0 +1,17 @@
Assuming the bound described in the harness, this harness proves memory safety
for the QueueReceive function abstracting away
the task pool and concurrency functions.
This proof is a work-in-progress. Proof assumptions are described in
the harness. The proof also assumes the following functions are
memory safe and have no side effects relevant to the memory safety of
this function:
* vPortEnterCritical
* vPortExitCritical
* vPortGenerateSimulatedInterrupt
* vTaskMissedYield
* vTaskPlaceOnEventList
* vTaskSuspendAll
* xTaskRemoveFromEventList
* xTaskResumeAll

54
FreeRTOS/Test/CBMC/proofs/Queue/QueueReceiveFromISR/Makefile.json Normal file
View file

@ -0,0 +1,54 @@
#
# FreeRTOS memory safety proofs with CBMC.
# Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person
# obtaining a copy of this software and associated documentation
# files (the "Software"), to deal in the Software without
# restriction, including without limitation the rights to use, copy,
# modify, merge, publish, distribute, sublicense, and/or sell copies
# of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# http://aws.amazon.com/freertos
# http://www.FreeRTOS.org
#
{
"ENTRY": "QueueReceiveFromISR",
"CBMCFLAGS": [
"--unwind 1",
"--signed-overflow-check",
"--pointer-overflow-check",
"--unsigned-overflow-check"
],
"OBJS": [
"$(ENTRY)_harness.goto",
"$(FREERTOS)/Source/queue.goto",
"$(FREERTOS)/Source/list.goto",
"$(FREERTOS)/Test/CBMC/proofs/CBMCStubLibrary/tasksStubs.goto"
],
"DEF": [
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0",
"'mtCOVERAGE_TEST_MARKER()=__CPROVER_assert(1, \"Coverage marker\")'"
],
"INC": [
"."
],
"GENERATE_HEADER": [
"queue_datastructure.h"
]
}

53
FreeRTOS/Test/CBMC/proofs/Queue/QueueReceiveFromISR/QueueReceiveFromISR_harness.c Normal file
View file

@ -0,0 +1,53 @@
/*
* FreeRTOS memory safety proofs with CBMC.
* Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Permission is hereby granted, free of charge, to any person
* obtaining a copy of this software and associated documentation
* files (the "Software"), to deal in the Software without
* restriction, including without limitation the rights to use, copy,
* modify, merge, publish, distribute, sublicense, and/or sell copies
* of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*
* http://aws.amazon.com/freertos
* http://www.FreeRTOS.org
*/
#include "FreeRTOS.h"
#include "queue.h"
#include "queue_init.h"
#include "cbmc.h"
/* If the item size is not bounded, the proof does not finish in a reasonable
time due to the involved memcpy commands. */
#ifndef MAX_ITEM_SIZE
#define MAX_ITEM_SIZE 10
#endif
void harness(){
QueueHandle_t xQueue =
xUnconstrainedQueueBoundedItemSize(MAX_ITEM_SIZE);
BaseType_t *xHigherPriorityTaskWoken = pvPortMalloc(sizeof(BaseType_t));
if(xQueue){
void *pvBuffer = pvPortMalloc(xQueue->uxItemSize);
if(!pvBuffer){
xQueue->uxItemSize = 0;
}
xQueueReceiveFromISR( xQueue, pvBuffer, xHigherPriorityTaskWoken );
}
}

12
FreeRTOS/Test/CBMC/proofs/Queue/QueueReceiveFromISR/README.md Normal file
View file

@ -0,0 +1,12 @@
Assuming the bound declared in the harness, this harness proves the memory
safety the QueueReceiveFromISR abstracting
away the task pool and concurrency related functions.
This proof is a work-in-progress. Proof assumptions are described in
the harness. The proof also assumes the following functions are
memory safe and have no side effects relevant to the memory safety of
this function:
* vPortEnterCritical
* vPortExitCritical
* xTaskRemoveFromEventList

60
FreeRTOS/Test/CBMC/proofs/Queue/QueueSemaphoreTake/Makefile.json Normal file
View file

@ -0,0 +1,60 @@
#
# FreeRTOS memory safety proofs with CBMC.
# Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person
# obtaining a copy of this software and associated documentation
# files (the "Software"), to deal in the Software without
# restriction, including without limitation the rights to use, copy,
# modify, merge, publish, distribute, sublicense, and/or sell copies
# of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# http://aws.amazon.com/freertos
# http://www.FreeRTOS.org
#
{
"ENTRY": "QueueSemaphoreTake",
# This bound on queue size is needed to bound a loop in prvUnlockQueue
"QUEUE_BOUND": 5,
"CBMCFLAGS": [
"--unwind 2",
"--signed-overflow-check",
"--pointer-overflow-check",
"--unsigned-overflow-check",
"--nondet-static",
"--unwindset prvUnlockQueue.0:{QUEUE_BOUND},prvUnlockQueue.1:{QUEUE_BOUND},xQueueSemaphoreTake.0:3"
],
"OBJS": [
"$(ENTRY)_harness.goto",
"$(FREERTOS)/Source/queue.goto",
"$(FREERTOS)/Source/list.goto",
"$(FREERTOS)/Test/CBMC/proofs/CBMCStubLibrary/tasksStubs.goto"
],
"DEF": [
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0",
"PRV_UNLOCK_QUEUE_BOUND={QUEUE_BOUND}"
],
"INC": [
"."
],
"GENERATE_HEADER": [
"queue_datastructure.h"
]
}

88
FreeRTOS/Test/CBMC/proofs/Queue/QueueSemaphoreTake/QueueSemaphoreTake_harness.c Normal file
View file

@ -0,0 +1,88 @@
/*
* FreeRTOS memory safety proofs with CBMC.
* Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Permission is hereby granted, free of charge, to any person
* obtaining a copy of this software and associated documentation
* files (the "Software"), to deal in the Software without
* restriction, including without limitation the rights to use, copy,
* modify, merge, publish, distribute, sublicense, and/or sell copies
* of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*
* http://aws.amazon.com/freertos
* http://www.FreeRTOS.org
*/
#include "FreeRTOS.h"
#include "queue.h"
#include "queue_init.h"
#include "tasksStubs.h"
#include "cbmc.h"
BaseType_t state;
QueueHandle_t xQueue;
BaseType_t counter;
BaseType_t xTaskGetSchedulerState(void)
{
return state;
}
void vTaskInternalSetTimeOutState( TimeOut_t * const pxTimeOut )
{
/* QueueSemaphoreTake might be blocked to wait for
another process to release a token to the semaphore.
This is currently not in the CBMC model. Anyhow,
vTaskInternalSetTimeOutState is set a timeout for
QueueSemaphoreTake operation. We use this to model a successful
release during wait time. */
UBaseType_t bound;
__CPROVER_assume((bound >= 0 && xQueue->uxLength >= bound));
xQueue->uxMessagesWaiting = bound;
}
void harness()
{
/* Init task stub to make sure that the third loop iteration
simulates a time out */
vInitTaskCheckForTimeOut(0, 3);
xQueue = xUnconstrainedMutex();
TickType_t xTicksToWait;
if(state == taskSCHEDULER_SUSPENDED){
xTicksToWait = 0;
}
if (xQueue) {
/* Bounding the loop in prvUnlockQueue to
PRV_UNLOCK_QUEUE_BOUND. As the loop is not relevant
in this proof the value might be set to any
positive 8-bit integer value. We subtract one,
because the bound must be one greater than the
amount of loop iterations. */
__CPROVER_assert(PRV_UNLOCK_QUEUE_BOUND > 0, "Make sure, a valid macro value is chosen.");
xQueue->cTxLock = PRV_UNLOCK_QUEUE_BOUND - 1;
xQueue->cRxLock = PRV_UNLOCK_QUEUE_BOUND - 1;
((&(xQueue->xTasksWaitingToReceive))->xListEnd).pxNext->xItemValue = nondet_ticktype();
/* This assumptions is required to prevent an overflow in l. 2057 of queue.c
in the prvGetDisinheritPriorityAfterTimeout() function. */
__CPROVER_assume( (
( UBaseType_t ) listGET_ITEM_VALUE_OF_HEAD_ENTRY( &( xQueue->xTasksWaitingToReceive ) )
<= ( ( UBaseType_t ) configMAX_PRIORITIES)));
xQueueSemaphoreTake(xQueue, xTicksToWait);
}
}

22
FreeRTOS/Test/CBMC/proofs/Queue/QueueSemaphoreTake/README.md Normal file
View file

@ -0,0 +1,22 @@
Assuming the bound specified in the harness and abstracting the task pool and
concurrency functions, this harness proves the memory safety of QueueSemaphoreTake.
Some of the task pool functions are used to model concurrent behavior required
to trigger all branches during the model creation.
This proof is a work-in-progress. Proof assumptions are described in
the harness. The proof also assumes the following functions are
memory safe and have no side effects relevant to the memory safety of
this function:
* pvTaskIncrementMutexHeldCount
* vPortEnterCritical
* vPortExitCritical
* vPortGenerateSimulatedInterrupt
* vTaskMissedYield
* vTaskPlaceOnEventList
* vTaskPriorityDisinheritAfterTimeout
* vTaskSuspendAll
* xTaskPriorityDisinherit
* xTaskPriorityInherit
* xTaskRemoveFromEventList
* xTaskResumeAll

52
FreeRTOS/Test/CBMC/proofs/Queue/QueueSpacesAvailable/Makefile.json Normal file
View file

@ -0,0 +1,52 @@
#
# FreeRTOS memory safety proofs with CBMC.
# Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person
# obtaining a copy of this software and associated documentation
# files (the "Software"), to deal in the Software without
# restriction, including without limitation the rights to use, copy,
# modify, merge, publish, distribute, sublicense, and/or sell copies
# of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# http://aws.amazon.com/freertos
# http://www.FreeRTOS.org
#
{
"ENTRY": "QueueSpacesAvailable",
"CBMCFLAGS": [
"--unwind 1",
"--signed-overflow-check",
"--pointer-overflow-check",
"--unsigned-overflow-check"
],
"OBJS": [
"$(ENTRY)_harness.goto",
"$(FREERTOS)/Source/queue.goto",
"$(FREERTOS)/Source/list.goto"
],
"DEF": [
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0"
],
"INC": [
"."
],
"GENERATE_HEADER": [
"queue_datastructure.h"
]
}

41
FreeRTOS/Test/CBMC/proofs/Queue/QueueSpacesAvailable/QueueSpacesAvailable_harness.c Normal file
View file

@ -0,0 +1,41 @@
/*
* FreeRTOS memory safety proofs with CBMC.
* Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Permission is hereby granted, free of charge, to any person
* obtaining a copy of this software and associated documentation
* files (the "Software"), to deal in the Software without
* restriction, including without limitation the rights to use, copy,
* modify, merge, publish, distribute, sublicense, and/or sell copies
* of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*
* http://aws.amazon.com/freertos
* http://www.FreeRTOS.org
*/
#include "FreeRTOS.h"
#include "queue.h"
#include "queue_init.h"
#include "cbmc.h"
void harness(){
QueueHandle_t xQueue = xUnconstrainedQueue();
// QueueSpacesAvailable asserts nonnull pointer
__CPROVER_assume(xQueue);
uxQueueSpacesAvailable( xQueue );
}

9
FreeRTOS/Test/CBMC/proofs/Queue/QueueSpacesAvailable/README.md Normal file
View file

@ -0,0 +1,9 @@
This harness proves that QueueSpacesAvailable is memory safe.
This proof is a work-in-progress. Proof assumptions are described in
the harness. The proof also assumes the following functions are
memory safe and have no side effects relevant to the memory safety of
this function:
* vPortEnterCritical
* vPortExitCritical

62
FreeRTOS/Test/CBMC/proofs/Queue/QueueTakeMutexRecursive/Makefile.json Normal file
View file

@ -0,0 +1,62 @@
#
# FreeRTOS memory safety proofs with CBMC.
# Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person
# obtaining a copy of this software and associated documentation
# files (the "Software"), to deal in the Software without
# restriction, including without limitation the rights to use, copy,
# modify, merge, publish, distribute, sublicense, and/or sell copies
# of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# http://aws.amazon.com/freertos
# http://www.FreeRTOS.org
#
{
# This bound on queue size is needed to bound a loop in prvUnlockQueue
"PRV_UNLOCK_UNWINDING_BOUND": 4,
# This is a bound on the timeout cycles
"QueueSemaphoreTake_BOUND": 4,
"ENTRY": "QueueTakeMutexRecursive",
"CBMCFLAGS": [
"--unwind {QueueSemaphoreTake_BOUND}",
"--unwindset prvUnlockQueue.0:{PRV_UNLOCK_UNWINDING_BOUND},prvUnlockQueue.1:{PRV_UNLOCK_UNWINDING_BOUND}",
"--signed-overflow-check",
"--pointer-overflow-check",
"--unsigned-overflow-check"
],
"OBJS": [
"$(ENTRY)_harness.goto",
"$(FREERTOS)/Source/queue.goto",
"$(FREERTOS)/Source/list.goto",
"$(FREERTOS)/Test/CBMC/proofs/CBMCStubLibrary/tasksStubs.goto"
],
"DEF": [
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0",
"PRV_UNLOCK_UNWINDING_BOUND={PRV_UNLOCK_UNWINDING_BOUND}",
"QueueSemaphoreTake_BOUND={QueueSemaphoreTake_BOUND}"
],
"INC": [
"."
],
"GENERATE_HEADER": [
"queue_datastructure.h"
]
}

71
FreeRTOS/Test/CBMC/proofs/Queue/QueueTakeMutexRecursive/QueueTakeMutexRecursive_harness.c Normal file
View file

@ -0,0 +1,71 @@
/*
* FreeRTOS memory safety proofs with CBMC.
* Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Permission is hereby granted, free of charge, to any person
* obtaining a copy of this software and associated documentation
* files (the "Software"), to deal in the Software without
* restriction, including without limitation the rights to use, copy,
* modify, merge, publish, distribute, sublicense, and/or sell copies
* of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*
* http://aws.amazon.com/freertos
* http://www.FreeRTOS.org
*/
#include "FreeRTOS.h"
#include "queue.h"
#include "tasksStubs.h"
#include "queue_datastructure.h"
#include "cbmc.h"
QueueHandle_t xMutex;
void vTaskInternalSetTimeOutState( TimeOut_t * const pxTimeOut )
{
/* QueueSemaphoreTake might be blocked to wait for
another process to release a token to the semaphore.
This is currently not in the CBMC model. Anyhow,
vTaskInternalSetTimeOutState is set a timeout for
QueueSemaphoreTake operation. We use this to model a successful
release during wait time. */
UBaseType_t bound;
__CPROVER_assume((bound >= 0 && xMutex->uxLength >= bound));
xMutex->uxMessagesWaiting = bound;
}
BaseType_t xTaskGetSchedulerState( void ) {
BaseType_t ret;
__CPROVER_assume(ret != taskSCHEDULER_SUSPENDED);
return ret;
}
void harness() {
uint8_t ucQueueType;
xMutex = xQueueCreateMutex(ucQueueType);
TickType_t xTicksToWait;
/* Init task stub to make sure that the QueueSemaphoreTake_BOUND - 1
loop iteration simulates a time out */
vInitTaskCheckForTimeOut(0, QueueSemaphoreTake_BOUND - 1);
if(xMutex){
xMutex->cTxLock = PRV_UNLOCK_UNWINDING_BOUND - 1;
xMutex->cRxLock = PRV_UNLOCK_UNWINDING_BOUND - 1;
xMutex->uxMessagesWaiting = nondet_UBaseType_t();
xQueueTakeMutexRecursive(xMutex, xTicksToWait);
}
}

23
FreeRTOS/Test/CBMC/proofs/Queue/QueueTakeMutexRecursive/README.md Normal file
View file

@ -0,0 +1,23 @@
Assuming that the parameter is valid mutex data structure and reasonable
bounded, this harness proves the memory safety of QueueTakeMutexRecursive.
Task pool and concurrency functions are abstracted away and replaced with
required stubs to drive coverage.
This proof is a work-in-progress. Proof assumptions are described in
the harness. The proof also assumes the following functions are
memory safe and have no side effects relevant to the memory safety of
this function:
* pvTaskIncrementMutexHeldCount
* vPortEnterCritical
* vPortExitCritical
* vPortGenerateSimulatedInterrupt
* vTaskMissedYield
* vTaskPlaceOnEventList
* vTaskPriorityDisinheritAfterTimeout
* vTaskSuspendAll
* xTaskGetCurrentTaskHandle
* xTaskPriorityDisinherit
* xTaskPriorityInherit
* xTaskRemoveFromEventList
* xTaskResumeAll

71
FreeRTOS/Test/CBMC/proofs/Queue/prvCopyDataToQueue/Configurations.json Normal file
View file

@ -0,0 +1,71 @@
#
# FreeRTOS memory safety proofs with CBMC.
# Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person
# obtaining a copy of this software and associated documentation
# files (the "Software"), to deal in the Software without
# restriction, including without limitation the rights to use, copy,
# modify, merge, publish, distribute, sublicense, and/or sell copies
# of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# http://aws.amazon.com/freertos
# http://www.FreeRTOS.org
#
{
"ENTRY": "prvCopyDataToQueue",
"CBMCFLAGS": [
"--unwind 1",
"--signed-overflow-check",
"--pointer-overflow-check",
"--unsigned-overflow-check"
],
"OBJS": [
"$(ENTRY)_harness.goto",
"$(FREERTOS)/Source/queue.goto",
"$(FREERTOS)/Source/list.goto"
],
"DEF": [
{
"prvCopyDataToQueue_default" : [
"'configPRECONDITION(X)=__CPROVER_assume(X)'",
"'mtCOVERAGE_TEST_MARKER()=__CPROVER_assert(1, \"Coverage marker\")'",
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0",
"configUSE_MUTEXES=1"
]
},
{
"prvCopyDataToQueue_noMutex" : [
"'configPRECONDITION(X)=__CPROVER_assume(X)'",
"'mtCOVERAGE_TEST_MARKER()=__CPROVER_assert(1, \"Coverage marker\")'",
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0",
"configUSE_MUTEXES=0",
"configUSE_RECURSIVE_MUTEXES=0"
]
}
],
"INC": [
"."
],
"GENERATE_HEADER":[
"queue_datastructure.h"
]
}

12
FreeRTOS/Test/CBMC/proofs/Queue/prvCopyDataToQueue/README.md Normal file
View file

@ -0,0 +1,12 @@
This harness proves the memory safety of the prvNotifyQueuSetContainer method.
It assumes that the queue is initalized to a valid datastructure.
The concurrency functions are abstracted away.
This proof is a work-in-progress. Proof assumptions are described in
the harness. The proof also assumes the following functions are
memory safe and have no side effects relevant to the memory safety of
this function:
* vPortEnterCritical
* vPortExitCritical
* xTaskPriorityDisinherit

54
FreeRTOS/Test/CBMC/proofs/Queue/prvCopyDataToQueue/prvCopyDataToQueue_harness.c Normal file
View file

@ -0,0 +1,54 @@
/*
* FreeRTOS memory safety proofs with CBMC.
* Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Permission is hereby granted, free of charge, to any person
* obtaining a copy of this software and associated documentation
* files (the "Software"), to deal in the Software without
* restriction, including without limitation the rights to use, copy,
* modify, merge, publish, distribute, sublicense, and/or sell copies
* of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
* BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
* ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*
* http://aws.amazon.com/freertos
* http://www.FreeRTOS.org
*/
#include "FreeRTOS.h"
#include "queue.h"
#include "queue_init.h"
#include "cbmc.h"
BaseType_t prvCopyDataToQueue( Queue_t * const pxQueue, const void *pvItemToQueue, const BaseType_t xPosition );
void harness(){
QueueHandle_t xQueue = xUnconstrainedQueueBoundedItemSize(10);
if( xQueue ){
void *pvItemToQueue = pvPortMalloc(xQueue->uxItemSize);
if( !pvItemToQueue )
{
xQueue->uxItemSize = 0;
}
if(xQueue->uxItemSize == 0)
{
xQueue->uxQueueType = nondet_int8_t();
}
BaseType_t xPosition;
prvCopyDataToQueue( xQueue, pvItemToQueue, xPosition );
}
}

73
FreeRTOS/Test/CBMC/proofs/Queue/prvNotifyQueueSetContainer/Configurations.json Normal file
View file

@ -0,0 +1,73 @@
#
# FreeRTOS memory safety proofs with CBMC.
# Copyright (C) 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Permission is hereby granted, free of charge, to any person
# obtaining a copy of this software and associated documentation
# files (the "Software"), to deal in the Software without
# restriction, including without limitation the rights to use, copy,
# modify, merge, publish, distribute, sublicense, and/or sell copies
# of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#
# http://aws.amazon.com/freertos
# http://www.FreeRTOS.org
#
{
"ENTRY": "prvNotifyQueueSetContainer",
"LOCK_BOUND": 2,
"CBMCFLAGS": [
"--unwind 1",
"--signed-overflow-check",
"--pointer-overflow-check",
"--unsigned-overflow-check",
"--unwindset prvUnlockQueue.0:{LOCK_BOUND},prvUnlockQueue.1:{LOCK_BOUND}"
],
"OBJS": [
"$(ENTRY)_harness.goto",
"$(FREERTOS)/Source/queue.goto",
"$(FREERTOS)/Source/list.goto"
],
"DEF": [
{
"prvNotifyQueueSetContainer_Mutex" : [
"'mtCOVERAGE_TEST_MARKER()=__CPROVER_assert(1, \"Coverage marker\")'",
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0",
"configUSE_MUTEXES=1",
"configUSE_RECURSIVE_MUTEXES=1",
"configUSE_QUEUE_SETS=1"
]
},
{
"prvNotifyQueueSetContainer_noMutex" : [
"'mtCOVERAGE_TEST_MARKER()=__CPROVER_assert(1, \"Coverage marker\")'",
"configUSE_TRACE_FACILITY=0",
"configGENERATE_RUN_TIME_STATS=0",
"configUSE_MUTEXES=0",
"configUSE_RECURSIVE_MUTEXES=0",
"configUSE_QUEUE_SETS=1"
]
}
],
"INC": [
"."
],
"GENERATE_HEADER":[
"queue_datastructure.h"
]
}

14
FreeRTOS/Test/CBMC/proofs/Queue/prvNotifyQueueSetContainer/README.md Normal file
View file

@ -0,0 +1,14 @@
This harness proves the memory safety of the prvNotifyQueuSetContainer method.
It assumes that the queue is initalized to a valid datastructure and added
to a QueueSet. The concurrency functions and task pool functions are abstracted
away. prvCopyDataToQueue is replaced with a stub checking the preconditions
for prvCopyDataToQueue to be sucessful.
This proof is a work-in-progress. Proof assumptions are described in
the harness. The proof also assumes the following functions are
memory safe and have no side effects relevant to the memory safety of
this function:
* vPortEnterCritical
* vPortExitCritical
* xTaskRemoveFromEventList

Some files were not shown because too many files have changed in this diff Show more