Remove or rework assumptions in queue proofs (#603)

This commit is paired with another to queue.c in the kernel. To accomodate changes in newer versions of CBMC, the --pointer-overflow-check is removed.
2025-10-17 10:17:45 -04:00 · 2021-06-04 15:42:14 -04:00 · 2021-06-04 15:42:14 -04:00 · b6624fa44d
commit b6624fa44d
parent d9ddcc0134
33 changed files with 57 additions and 124 deletions
--- a/FreeRTOS/Test/CBMC/proofs/Queue/QueueGenericCreateStatic/Configurations.json
+++ b/FreeRTOS/Test/CBMC/proofs/Queue/QueueGenericCreateStatic/Configurations.json
@ -37,7 +37,6 @@
  "CBMCFLAGS": [
    "--unwind 1",
    "--signed-overflow-check",
-    "--pointer-overflow-check",
    "--unsigned-overflow-check"
  ],
  "OBJS": [
@ -48,8 +47,8 @@
  "DEF": [
    {
      "QeueuGenericCreateStatic_DynamicAllocation": [
-	"CBMC_OBJECT_BITS={CBMC_OBJECT_BITS}",
-	"CBMC_OBJECT_MAX_SIZE={CBMC_OBJECT_MAX_SIZE}",
+        "CBMC_OBJECT_BITS={CBMC_OBJECT_BITS}",
+        "CBMC_OBJECT_MAX_SIZE={CBMC_OBJECT_MAX_SIZE}",
        "configUSE_TRACE_FACILITY=0",
        "configGENERATE_RUN_TIME_STATS=0",
        "configSUPPORT_STATIC_ALLOCATION=1",
@ -58,8 +57,8 @@
    },
    {
      "QeueuGenericCreateStatic_NoDynamicAllocation": [
-	"CBMC_OBJECT_BITS={CBMC_OBJECT_BITS}",
-	"CBMC_OBJECT_MAX_SIZE={CBMC_OBJECT_MAX_SIZE}",
+        "CBMC_OBJECT_BITS={CBMC_OBJECT_BITS}",
+        "CBMC_OBJECT_MAX_SIZE={CBMC_OBJECT_MAX_SIZE}",
        "configUSE_TRACE_FACILITY=0",
        "configGENERATE_RUN_TIME_STATS=0",
        "configSUPPORT_STATIC_ALLOCATION=1",
--- a/FreeRTOS/Test/CBMC/proofs/Queue/QueueGenericCreateStatic/QueueGenericCreateStatic_harness.c
+++ b/FreeRTOS/Test/CBMC/proofs/Queue/QueueGenericCreateStatic/QueueGenericCreateStatic_harness.c
@ -31,32 +31,22 @@
 #include "queue_datastructure.h"
 #include "cbmc.h"

-void harness(){
+void harness()
+{
    UBaseType_t uxQueueLength;
    UBaseType_t uxItemSize;
-
-    size_t uxQueueStorageSize;
-    uint8_t *pucQueueStorage = (uint8_t *) pvPortMalloc(uxQueueStorageSize);
-
-    StaticQueue_t *pxStaticQueue =
-      (StaticQueue_t *) pvPortMalloc(sizeof(StaticQueue_t));
-
    uint8_t ucQueueType;
+    size_t storageSize;

-    __CPROVER_assume(uxQueueStorageSize < (UINT32_MAX>>8));
+    /* Allow CBMC to run in a reasonable amount of time. */
+    __CPROVER_assume( ( uxQueueLength == QUEUE_LENGTH ) || ( uxItemSize == QUEUE_ITEM_SIZE ) );

-    // QueueGenericReset does not check for multiplication overflow
-    __CPROVER_assume(uxItemSize < uxQueueStorageSize/uxQueueLength);
+    /* Prevent overflow in this harness. */
+    __CPROVER_assume( ( uxQueueLength > 0 ) && ( ( storageSize / uxQueueLength ) == uxItemSize ) );

-    // QueueGenericCreateStatic asserts positive queue length
-    __CPROVER_assume(uxQueueLength > ( UBaseType_t ) 0);
+    uint8_t * pucQueueStorage = ( uint8_t * ) pvPortMalloc( storageSize );

-    // QueueGenericCreateStatic asserts the following equivalence
-    __CPROVER_assume( ( pucQueueStorage && uxItemSize ) ||
-                      ( !pucQueueStorage && !uxItemSize ) );
-
-    // QueueGenericCreateStatic asserts nonnull pointer
-    __CPROVER_assume(pxStaticQueue);
+    StaticQueue_t * pxStaticQueue = ( StaticQueue_t * ) pvPortMalloc( sizeof( StaticQueue_t ) );

    xQueueGenericCreateStatic( uxQueueLength, uxItemSize, pucQueueStorage, pxStaticQueue, ucQueueType );
 }