Included reference to core ID in interrupt predicates and added distinction between global and core local variables.

2025-12-12 14:45:09 -05:00 · 2022-11-07 14:21:42 -05:00 · 2022-11-07 14:21:42 -05:00 · 91eb6eefaa
commit 91eb6eefaa
parent 06d2611aa9
4 changed files with 204 additions and 138 deletions
--- a/tasks.c
+++ b/tasks.c
@ -1330,7 +1330,7 @@ static void prvYieldForTask( TCB_t * pxTCB,
                 // We assume that macro `configMAX_TASK_NAME_LEN` evaluates to 16.
                 chars(pcName, 16, _) &*&
                 *pxCreatedTask |-> _ &*&
-                 interruptState_p(_) &*&
+                 interruptState_p(?coreID, _) &*&
                 unprotectedGlobalVars();
     @*/
    //@ ensures true;
@ -1876,7 +1876,7 @@ static void prvInitialiseNewTask( TaskFunction_t pxTaskCode,
 /*-----------------------------------------------------------*/

 static void prvAddNewTaskToReadyList( TCB_t * pxNewTCB )
-/*@ requires interruptState_p(_) &*&
+/*@ requires interruptState_p(?coreID, _) &*&
             unprotectedGlobalVars(); 
  @*/
 /*@ ensures true; 
@ -5284,8 +5284,8 @@ static void prvResetNextTaskUnblockTime( void )
 #if ( ( INCLUDE_xTaskGetCurrentTaskHandle == 1 ) || ( configUSE_MUTEXES == 1 ) )

    TaskHandle_t xTaskGetCurrentTaskHandle( void )
-    //@ requires interruptState_p(?irpState);
-    //@ ensures interruptState_p(irpState) &*& false;
+    //@ requires interruptState_p(?coreID, ?irpState);
+    //@ ensures interruptState_p(coreID, irpState) &*& false;
    {
        TaskHandle_t xReturn;
        uint32_t ulState;
@ -5662,7 +5662,7 @@ void vTaskYieldWithinAPI( void )
 #if ( portCRITICAL_NESTING_IN_TCB == 1 )

    void vTaskEnterCritical( void )
-    //@ requires interruptState_p(_) &*& unprotectedGlobalVars();
+    //@ requires interruptState_p(?coreID, _) &*& unprotectedGlobalVars();
    //@ ensures false;
    {
        portDISABLE_INTERRUPTS();
--- a/verification/verifast/preprocessed_files/tasks__pp.c
+++ b/verification/verifast/preprocessed_files/tasks__pp.c
@ -10342,29 +10342,36 @@ bool assert_fct(bool b, const char*)
 /* FreeRTOS core id is always zero based.*/
 static uint VF__get_core_num(void);
 //@ requires true;
-//@ ensures result < configNUM_CORES;
-
+/*@ ensures 0 <= result &*& result < configNUM_CORES &*&
+            result == coreID_f();
+@*/

 /*@
-predicate interruptState_p(uint32_t);
+// Allow reference to core id in proofs.
+fixpoint uint coreID_f();

-fixpoint bool interruptsEnabled_f(uint32_t);
+lemma void coreID_f_range();
+requires true;
+ensures 0 <= coreID_f() &*& coreID_f() < configNUM_CORES;
@*/



+
+
+
 uint32_t VF__portDISABLE_INTERRUPTS();
-//@ requires interruptState_p(?state);
+//@ requires interruptState_p(?coreID, ?state);
 /*@ ensures result == state &*& 
-            interruptState_p(?newState) &*&
-            !interruptsEnabled_f(newState);
+            interruptState_p(coreID, ?newState) &*&
+            interruptsDisabled_f(newState) == true;
@*/



 void VF__portRESTORE_INTERRUPTS(uint32_t state);
-//@ requires interruptState_p(_);
-/*@ ensures interruptState_p(state);
+//@ requires interruptState_p(?coreID, _);
+/*@ ensures interruptState_p(coreID, state);
@*/


@ -10399,19 +10406,42 @@ predicate otherGlobalVars() =
    &*&
    integer_(&xPendedTicks, sizeof(TickType_t), false, _)
    &*&
-    integers_(&xYieldPendings, sizeof(BaseType_t), true, 1, _)
+    integers_(&xYieldPendings, sizeof(BaseType_t), true, configNUM_CORES, _)
    &*&
    integer_(&uxTaskNumber, sizeof(UBaseType_t), false, _)
    &*&
    integer_(&xNextTaskUnblockTime, sizeof(TickType_t), false, _)
    &*&
-    pointers(&xIdleTaskHandle, 1, _);
+    pointers(&xIdleTaskHandle, configNUM_CORES, _);
    
 predicate unprotectedGlobalVars() =
 	[_] integer_(&xSchedulerRunning, sizeof(BaseType_t), true, _);
+
+
@*/


+
+/* ----------------------------------------------------------------------
+ * Core local variables and access restrictions 
+ */
+
+/*@ 
+predicate interruptState_p(uint32_t coreID, uint32_t state);
+
+fixpoint bool interruptsDisabled_f(uint32_t);
+
+predicate coreLocalGlobalVars() =
+    pointer(&pxCurrentTCBs[coreID_f], _);
+
+predicate coreLocalLocked(uint32_t coreID);
+
+//lemma acquireCoreLocalPermissions();
+//requires interruptState_p
+@*/
+
+
+
 /*
 void vf_validate_lock_predicate()
 //@ requires module(tasks__pp, true);
@ -10420,7 +10450,9 @@ void vf_validate_lock_predicate()
 //@ open_module();
 uxCurrentNumberOfTasks = 0;
 
- //@ close tasks_global_vars();
+ //@ coreID_f_range();
+ //@ close coreLocalGlobalVars();
+ ///@ close otherGlobalVars();
 }
 */
 // # 73 "/Users/reitobia/repos2/FreeRTOS-Kernel/tasks.c" 2
@ -11546,7 +11578,7 @@ static void prvYieldForTask( TCB_t * pxTCB,
                 // We assume that macro `configMAX_TASK_NAME_LEN` evaluates to 16.
                 chars(pcName, 16, _) &*&
                 *pxCreatedTask |-> _ &*&
-                 interruptState_p(_) &*&
+                 interruptState_p(?coreID, _) &*&
                 unprotectedGlobalVars();
     @*/
    //@ ensures true;
@ -11893,7 +11925,7 @@ static void prvInitialiseNewTask( TaskFunction_t pxTaskCode,
 /*-----------------------------------------------------------*/

 static void prvAddNewTaskToReadyList( TCB_t * pxNewTCB )
-/*@ requires interruptState_p(_) &*&
+/*@ requires interruptState_p(?coreID, _) &*&
             unprotectedGlobalVars(); 
  @*/
 /*@ ensures true; 
@ -14593,14 +14625,13 @@ static void prvResetNextTaskUnblockTime( void )


    TaskHandle_t xTaskGetCurrentTaskHandle( void )
-    //@ requires interruptState_p(?irpState);
-    //@ ensures interruptState_p(irpState) &*& false;
+    //@ requires interruptState_p(?coreID, ?irpState);
+    //@ ensures interruptState_p(coreID, irpState) &*& false;
    {
        TaskHandle_t xReturn;
        uint32_t ulState;

        ulState = VF__portDISABLE_INTERRUPTS();
-        //@ assert( configNUM_CORES == 13 );
        xReturn = pxCurrentTCBs[ VF__get_core_num() ];
        VF__portRESTORE_INTERRUPTS(ulState);

@ -14972,7 +15003,7 @@ void vTaskYieldWithinAPI( void )


    void vTaskEnterCritical( void )
-    //@ requires interruptState_p(_) &*& unprotectedGlobalVars();
+    //@ requires interruptState_p(?coreID, _) &*& unprotectedGlobalVars();
    //@ ensures false;
    {
        VF__portDISABLE_INTERRUPTS();
--- a/verification/verifast/proof/verifast_lock_predicates.h
+++ b/verification/verifast/proof/verifast_lock_predicates.h
@ -17,19 +17,42 @@ predicate otherGlobalVars() =
    &*&
    integer_(&xPendedTicks, sizeof(TickType_t), false, _)
    &*&
-    integers_(&xYieldPendings, sizeof(BaseType_t), true, 1, _)
+    integers_(&xYieldPendings, sizeof(BaseType_t), true, configNUM_CORES, _)
    &*&
    integer_(&uxTaskNumber, sizeof(UBaseType_t), false, _)
    &*&
    integer_(&xNextTaskUnblockTime, sizeof(TickType_t), false, _)
    &*&
-    pointers(&xIdleTaskHandle, 1, _);
+    pointers(&xIdleTaskHandle, configNUM_CORES, _);
    
 predicate unprotectedGlobalVars() =
 	[_] integer_(&xSchedulerRunning, sizeof(BaseType_t), true, _);
+
+
@*/


+
+/* ----------------------------------------------------------------------
+ * Core local variables and access restrictions 
+ */
+
+/*@ 
+predicate interruptState_p(uint32_t coreID, uint32_t state);
+
+fixpoint bool interruptsDisabled_f(uint32_t);
+
+predicate coreLocalGlobalVars() =
+    pointer(&pxCurrentTCBs[coreID_f], _);
+
+predicate coreLocalLocked(uint32_t coreID);
+
+//lemma acquireCoreLocalPermissions();
+//requires interruptState_p
+@*/
+
+
+
 /*
 void vf_validate_lock_predicate()
 //@ requires module(tasks__pp, true);
@ -38,8 +61,13 @@ void vf_validate_lock_predicate()
 //@ open_module();
 uxCurrentNumberOfTasks = 0;
 
- //@ close tasks_global_vars();
+ //@ coreID_f_range();
+ //@ close coreLocalGlobalVars();
+ ///@ close otherGlobalVars();
 }
 */

+
+
+
 #endif /* VERIFAST_LOCK_PREDICATES_H */
--- a/verification/verifast/proof/verifast_port_contracts.h
+++ b/verification/verifast/proof/verifast_port_contracts.h
@ -12,29 +12,36 @@
 /* FreeRTOS core id is always zero based.*/
 static uint VF__get_core_num(void);
 //@ requires true;
-//@ ensures result < configNUM_CORES;
-
+/*@ ensures 0 <= result &*& result < configNUM_CORES &*&
+            result == coreID_f();
+@*/

 /*@
-predicate interruptState_p(uint32_t);
+// Allow reference to core id in proofs.
+fixpoint uint coreID_f();

-fixpoint bool interruptsEnabled_f(uint32_t);
+lemma void coreID_f_range();
+requires true;
+ensures 0 <= coreID_f() &*& coreID_f() < configNUM_CORES;
@*/

+
+
+
 #undef portDISABLE_INTERRUPTS
 #define portDISABLE_INTERRUPTS  VF__portDISABLE_INTERRUPTS
 uint32_t VF__portDISABLE_INTERRUPTS();
-//@ requires interruptState_p(?state);
+//@ requires interruptState_p(?coreID, ?state);
 /*@ ensures result == state &*& 
-            interruptState_p(?newState) &*&
-            !interruptsEnabled_f(newState);
+            interruptState_p(coreID, ?newState) &*&
+            interruptsDisabled_f(newState) == true;
@*/

 #undef portRESTORE_INTERRUPTS
 #define portRESTORE_INTERRUPTS(ulState) VF__portRESTORE_INTERRUPTS(ulState)
 void VF__portRESTORE_INTERRUPTS(uint32_t state);
-//@ requires interruptState_p(_);
-/*@ ensures interruptState_p(state);
+//@ requires interruptState_p(?coreID, _);
+/*@ ensures interruptState_p(coreID, state);
@*/

 #undef portGET_TASK_LOCK