Prove buffer lemmas (#124)

* Prove buffer lemmas * Update queue proofs to latest kernel source All changes were syntactic due to uncrustify code-formatting * Strengthen prvCopyDataToQueue proof * Add extract script for diff comparison Co-authored-by: Yuhui Zheng <10982575+yuhui-zheng@users.noreply.github.com>
2025-12-23 11:09:28 -05:00 · 2020-07-21 12:51:20 -04:00 · 2020-07-21 12:51:20 -04:00 · 8e36bee30e
commit 8e36bee30e
parent c720c18ada
26 changed files with 2021 additions and 1762 deletions
--- a/FreeRTOS/Test/VeriFast/queue/xQueuePeekFromISR.c
+++ b/FreeRTOS/Test/VeriFast/queue/xQueuePeekFromISR.c
@ -23,67 +23,68 @@
 #include "proof/queue.h"
 #include "proof/queuecontracts.h"

-BaseType_t xQueuePeekFromISR( QueueHandle_t xQueue,  void * const pvBuffer )
+BaseType_t xQueuePeekFromISR( QueueHandle_t xQueue,
+                              void * const pvBuffer )
 /*@requires [1/2]queuehandle(xQueue, ?N, ?M, ?is_isr) &*& is_isr == true &*&
-	chars(pvBuffer, M, ?x);@*/
+    chars(pvBuffer, M, ?x);@*/
 /*@ensures [1/2]queuehandle(xQueue, N, M, is_isr) &*&
-	(result == pdPASS ? chars(pvBuffer, M, _) : chars(pvBuffer, M, x));@*/
+    (result == pdPASS ? chars(pvBuffer, M, _) : chars(pvBuffer, M, x));@*/
 {
-BaseType_t xReturn;
-UBaseType_t uxSavedInterruptStatus;
-int8_t *pcOriginalReadPosition;
+    BaseType_t xReturn;
+    UBaseType_t uxSavedInterruptStatus;
+    int8_t * pcOriginalReadPosition;
 #ifdef VERIFAST /*< const pointer declaration */
-Queue_t * pxQueue = xQueue;
+    Queue_t * pxQueue = xQueue;
 #else
-Queue_t * const pxQueue = xQueue;
+    Queue_t * const pxQueue = xQueue;

-	configASSERT( pxQueue );
-	configASSERT( !( ( pvBuffer == NULL ) && ( pxQueue->uxItemSize != ( UBaseType_t ) 0U ) ) );
-	configASSERT( pxQueue->uxItemSize != 0 ); /* Can't peek a semaphore. */
+    configASSERT( pxQueue );
+    configASSERT( !( ( pvBuffer == NULL ) && ( pxQueue->uxItemSize != ( UBaseType_t ) 0U ) ) );
+    configASSERT( pxQueue->uxItemSize != 0 ); /* Can't peek a semaphore. */
 #endif

-	/* RTOS ports that support interrupt nesting have the concept of a maximum
-	system call (or maximum API call) interrupt priority.  Interrupts that are
-	above the maximum system call priority are kept permanently enabled, even
-	when the RTOS kernel is in a critical section, but cannot make any calls to
-	FreeRTOS API functions.  If configASSERT() is defined in FreeRTOSConfig.h
-	then portASSERT_IF_INTERRUPT_PRIORITY_INVALID() will result in an assertion
-	failure if a FreeRTOS API function is called from an interrupt that has been
-	assigned a priority above the configured maximum system call priority.
-	Only FreeRTOS functions that end in FromISR can be called from interrupts
-	that have been assigned a priority at or (logically) below the maximum
-	system call	interrupt priority.  FreeRTOS maintains a separate interrupt
-	safe API to ensure interrupt entry is as fast and as simple as possible.
-	More information (albeit Cortex-M specific) is provided on the following
-	link: http://www.freertos.org/RTOS-Cortex-M3-M4.html */
-	portASSERT_IF_INTERRUPT_PRIORITY_INVALID();
+    /* RTOS ports that support interrupt nesting have the concept of a maximum
+     * system call (or maximum API call) interrupt priority.  Interrupts that are
+     * above the maximum system call priority are kept permanently enabled, even
+     * when the RTOS kernel is in a critical section, but cannot make any calls to
+     * FreeRTOS API functions.  If configASSERT() is defined in FreeRTOSConfig.h
+     * then portASSERT_IF_INTERRUPT_PRIORITY_INVALID() will result in an assertion
+     * failure if a FreeRTOS API function is called from an interrupt that has been
+     * assigned a priority above the configured maximum system call priority.
+     * Only FreeRTOS functions that end in FromISR can be called from interrupts
+     * that have been assigned a priority at or (logically) below the maximum
+     * system call	interrupt priority.  FreeRTOS maintains a separate interrupt
+     * safe API to ensure interrupt entry is as fast and as simple as possible.
+     * More information (albeit Cortex-M specific) is provided on the following
+     * link: http://www.freertos.org/RTOS-Cortex-M3-M4.html */
+    portASSERT_IF_INTERRUPT_PRIORITY_INVALID();

-	uxSavedInterruptStatus = portSET_INTERRUPT_MASK_FROM_ISR();
-	/*@assert queue(pxQueue, ?Storage, N, M, ?W, ?R, ?K, ?is_locked, ?abs);@*/
-	{
-		/* Cannot block in an ISR, so check there is data available. */
-		if( pxQueue->uxMessagesWaiting > ( UBaseType_t ) 0 )
-		{
-			traceQUEUE_PEEK_FROM_ISR( pxQueue );
+    uxSavedInterruptStatus = portSET_INTERRUPT_MASK_FROM_ISR();
+    /*@assert queue(pxQueue, ?Storage, N, M, ?W, ?R, ?K, ?is_locked, ?abs);@*/
+    {
+        /* Cannot block in an ISR, so check there is data available. */
+        if( pxQueue->uxMessagesWaiting > ( UBaseType_t ) 0 )
+        {
+            traceQUEUE_PEEK_FROM_ISR( pxQueue );

-			/* Remember the read position so it can be reset as nothing is
-			actually being removed from the queue. */
-			pcOriginalReadPosition = pxQueue->u.xQueue.pcReadFrom;
-			/*@close queue(pxQueue, Storage, N, M, W, R, K, is_locked, abs);@*/
-			prvCopyDataFromQueue( pxQueue, pvBuffer );
-			pxQueue->u.xQueue.pcReadFrom = pcOriginalReadPosition;
-			/*@close queue(pxQueue, Storage, N, M, W, R, K, is_locked, abs);@*/
+            /* Remember the read position so it can be reset as nothing is
+             * actually being removed from the queue. */
+            pcOriginalReadPosition = pxQueue->u.xQueue.pcReadFrom;
+            /*@close queue(pxQueue, Storage, N, M, W, R, K, is_locked, abs);@*/
+            prvCopyDataFromQueue( pxQueue, pvBuffer );
+            pxQueue->u.xQueue.pcReadFrom = pcOriginalReadPosition;
+            /*@close queue(pxQueue, Storage, N, M, W, R, K, is_locked, abs);@*/

-			xReturn = pdPASS;
-		}
-		else
-		{
-			xReturn = pdFAIL;
-			traceQUEUE_PEEK_FROM_ISR_FAILED( pxQueue );
-		}
-	}
-	/*@close queue(pxQueue, Storage, N, M, W, R, K, is_locked, abs);@*/
-	portCLEAR_INTERRUPT_MASK_FROM_ISR( uxSavedInterruptStatus );
+            xReturn = pdPASS;
+        }
+        else
+        {
+            xReturn = pdFAIL;
+            traceQUEUE_PEEK_FROM_ISR_FAILED( pxQueue );
+        }
+    }
+    /*@close queue(pxQueue, Storage, N, M, W, R, K, is_locked, abs);@*/
+    portCLEAR_INTERRUPT_MASK_FROM_ISR( uxSavedInterruptStatus );

-	return xReturn;
+    return xReturn;
 }