Remove or rework assumptions in queue proofs (#603)

This commit is paired with another to queue.c in the kernel.  To
accomodate changes in newer versions of CBMC, the
--pointer-overflow-check is removed.

FreeRTOS/Test/CBMC/patches/0005-Remove-volatile-qualifier-from-tasks-variables.patch

@@ -44,15 +44,6 @@ diff --git a/FreeRTOS/Source/tasks.c b/FreeRTOS/Source/tasks.c
 index c7be57cb2..9f76465d5 100644
 --- a/FreeRTOS/Source/tasks.c
 +++ b/FreeRTOS/Source/tasks.c
-@@ -296,7 +296,7 @@ typedef struct tskTaskControlBlock       /* The old naming convention is used to
- 
-     #if ( configUSE_NEWLIB_REENTRANT == 1 )
-         /* Allocate a Newlib reent structure that is specific to this task.
--         * Note Newlib support has been included by popular demand, but is not
-+          Note Newlib support has been included by popular demand, but is not
-          * used by the FreeRTOS maintainers themselves.  FreeRTOS is not
-          * responsible for resulting newlib operation.  User must be familiar with
-          * newlib and must provide system-wide implementations of the necessary
 @@ -343,8 +343,8 @@ PRIVILEGED_DATA TCB_t * volatile pxCurrentTCB = NULL;
  PRIVILEGED_DATA static List_t pxReadyTasksLists[ configMAX_PRIORITIES ]; /*< Prioritised ready tasks. */
  PRIVILEGED_DATA static List_t xDelayedTaskList1;                         /*< Delayed tasks. */

FreeRTOS/Test/CBMC/patches/0009-Remove-overflow-asserts-from-xQueueGenericCreate.patch

@@ -1,13 +0,0 @@
-diff --git a/FreeRTOS/Source/queue.c b/FreeRTOS/Source/queue.c
-index b01dfd11f..b219b599a 100644
---- a/FreeRTOS/Source/queue.c
-+++ b/FreeRTOS/Source/queue.c
-@@ -395,7 +395,7 @@ BaseType_t xQueueGenericReset( QueueHandle_t xQueue,
-         xQueueSizeInBytes = ( size_t ) ( uxQueueLength * uxItemSize ); /*lint !e961 MISRA exception as the casts are only redundant for some ports. */
- 
-         /* Check for multiplication overflow. */
--        configASSERT( ( uxItemSize == 0 ) || ( uxQueueLength == ( xQueueSizeInBytes / uxItemSize ) ) );
-+        /* configASSERT( ( uxItemSize == 0 ) || ( uxQueueLength == ( xQueueSizeInBytes / uxItemSize ) ) ); */
- 
-         /* Check for addition overflow. */
-         configASSERT( ( sizeof( Queue_t ) + xQueueSizeInBytes ) >  xQueueSizeInBytes );

FreeRTOS/Test/CBMC/proofs/Makefile.template

@@ -138,12 +138,11 @@ report: cbmc.txt property.xml coverage.xml
 	$(VIEWER) \
 	--goto $(ENTRY).goto \
 	--srcdir $(FREERTOS) \
-	--blddir $(FREERTOS) \
+	--reportdir html \
-	--htmldir html \
+	--exclude "(.@FORWARD_SLASH@Demo)" \
-	--srcexclude "(.@FORWARD_SLASH@Demo)" \
 	--result cbmc.txt \
 	--property property.xml \
-	--block coverage.xml
+	--coverage coverage.xml
 
 # This rule depends only on cbmc.txt and has no dependents, so it will
 # not block the report from being generated if it fails. This rule is

FreeRTOS/Test/CBMC/proofs/MakefileCommon.json

@@ -3,18 +3,20 @@
     "PROOFS": [ "." ],
 
     "DEF ": [
-	"_DEBUG",
+        "_DEBUG",
-	"__free_rtos__",
+        "__free_rtos__",
-	"_CONSOLE",
+        "_CONSOLE",
-	"_WIN32_WINNT=0x0500",
+        "_WIN32_WINNT=0x0500",
-	"WINVER=0x400",
+        "WINVER=0x400",
-	"_CRT_SECURE_NO_WARNINGS",
+        "_CRT_SECURE_NO_WARNINGS",
-	"__PRETTY_FUNCTION__=__FUNCTION__",
+        "__PRETTY_FUNCTION__=__FUNCTION__",
          "CBMC",
-	"'configASSERT(X)=__CPROVER_assert(X,\"Assertion Error\")'",
+        "'configASSERT(X)='",
-    	"'configPRECONDITION(X)=__CPROVER_assume(X)'",
+        "'configPRECONDITION(X)=__CPROVER_assume(X)'",
-	"'_static='",
+        "'_static='",
-	"'_volatile='"
+        "'_volatile='",
+        "QUEUE_LENGTH=15",
+        "QUEUE_ITEM_SIZE=990"
     ],
 
     "INC ": [
@@ -31,10 +33,10 @@
     ],
 
     "CBMCFLAGS ": [
-	"--object-bits 7",
+        "--object-bits 7",
-	"--32",
+        "--32",
-	"--bounds-check",
+        "--bounds-check",
-	"--pointer-check"
+        "--pointer-check"
     ],
 
     "FORWARD_SLASH": ["/"],

FreeRTOS/Test/CBMC/proofs/Queue/QueueCreateCountingSemaphore/Makefile.json

@@ -31,7 +31,6 @@
   "CBMCFLAGS": [
     "--unwind 1",
     "--signed-overflow-check",
-    "--pointer-overflow-check",
     "--unsigned-overflow-check"
   ],
   "OBJS": [

FreeRTOS/Test/CBMC/proofs/Queue/QueueCreateCountingSemaphore/QueueCreateCountingSemaphore_harness.c

@@ -32,13 +32,10 @@
 #include "cbmc.h"
 
 
-void harness(){
+void harness()
+{
     UBaseType_t uxMaxCount;
     UBaseType_t uxInitialCount;
 
-    __CPROVER_assume(uxMaxCount != 0);
-    __CPROVER_assume(uxInitialCount <= uxMaxCount);
-
     xQueueCreateCountingSemaphore( uxMaxCount, uxInitialCount );
 }
-

FreeRTOS/Test/CBMC/proofs/Queue/QueueCreateCountingSemaphoreStatic/Makefile.json

@@ -31,7 +31,6 @@
   "CBMCFLAGS": [
     "--unwind 1",
     "--signed-overflow-check",
-    "--pointer-overflow-check",
     "--unsigned-overflow-check"
   ],
   "OBJS": [

FreeRTOS/Test/CBMC/proofs/Queue/QueueCreateCountingSemaphoreStatic/QueueCreateCountingSemaphoreStatic_harness.c

@@ -31,15 +31,12 @@
 #include "cbmc.h"
 
 
-void harness(){
+void harness()
+{
     UBaseType_t uxMaxCount;
     UBaseType_t uxInitialCount;
+    StaticQueue_t * pxStaticQueue = ( StaticQueue_t * ) pvPortMalloc( sizeof( StaticQueue_t ) );
 
-    //xStaticQueue is required to be not null
-    StaticQueue_t xStaticQueue;
 
-    //Checked invariant
+    xQueueCreateCountingSemaphoreStatic( uxMaxCount, uxInitialCount, pxStaticQueue );
-    __CPROVER_assume(uxMaxCount != 0);
-    __CPROVER_assume(uxInitialCount <= uxMaxCount);
-    xQueueCreateCountingSemaphoreStatic( uxMaxCount, uxInitialCount, &xStaticQueue );
 }

FreeRTOS/Test/CBMC/proofs/Queue/QueueCreateMutex/Makefile.json

@@ -31,7 +31,6 @@
   "CBMCFLAGS": [
     "--unwind 1",
     "--signed-overflow-check",
-    "--pointer-overflow-check",
     "--unsigned-overflow-check"
   ],
   "OBJS": [

FreeRTOS/Test/CBMC/proofs/Queue/QueueCreateMutexStatic/Makefile.json

@@ -31,7 +31,6 @@
   "CBMCFLAGS": [
     "--unwind 1",
     "--signed-overflow-check",
-    "--pointer-overflow-check",
     "--unsigned-overflow-check"
   ],
   "OBJS": [

FreeRTOS/Test/CBMC/proofs/Queue/QueueCreateMutexStatic/QueueCreateMutexStatic_harness.c

@@ -31,11 +31,10 @@
 #include "cbmc.h"
 
 
-void harness(){
+void harness()
+{
     uint8_t ucQueueType;
+    StaticQueue_t * pxStaticQueue = ( StaticQueue_t * ) pvPortMalloc( sizeof( StaticQueue_t ) );
 
-    //The mutex storage is assumed to be not null.
+    xQueueCreateMutexStatic( ucQueueType, pxStaticQueue );
-    StaticQueue_t xStaticQueue;
-
-    xQueueCreateMutexStatic( ucQueueType, &xStaticQueue );
 }

FreeRTOS/Test/CBMC/proofs/Queue/QueueGenericCreate/Configurations.json

@@ -38,7 +38,6 @@
   [
       "--unwind 1",
       "--signed-overflow-check",
-      "--pointer-overflow-check",
       "--unsigned-overflow-check"
 
   ],

FreeRTOS/Test/CBMC/proofs/Queue/QueueGenericCreate/QueueGenericCreate_harness.c

@@ -32,19 +32,14 @@
 #include "cbmc.h"
 
 
-void harness(){
+void harness()
-	UBaseType_t uxQueueLength;
+{
-	UBaseType_t uxItemSize;
+    UBaseType_t uxQueueLength;
-	uint8_t ucQueueType;
+    UBaseType_t uxItemSize;
+    uint8_t ucQueueType;
 
-	size_t uxQueueStorageSize;
+    /* Allow CBMC to run in a reasonable amount of time. */
-	__CPROVER_assume(uxQueueStorageSize < (UINT32_MAX>>8));
+    __CPROVER_assume( ( uxQueueLength == QUEUE_LENGTH ) || ( uxItemSize == QUEUE_ITEM_SIZE ) );
 
-	// QueueGenericCreate does not check for multiplication overflow
+    xQueueGenericCreate( uxQueueLength, uxItemSize, ucQueueType );
-	__CPROVER_assume(uxItemSize < uxQueueStorageSize/uxQueueLength);
-
-	// QueueGenericCreate asserts positive queue length
-	__CPROVER_assume(uxQueueLength > ( UBaseType_t ) 0);
-
-	xQueueGenericCreate( uxQueueLength, uxItemSize, ucQueueType );
 }

FreeRTOS/Test/CBMC/proofs/Queue/QueueGenericCreateStatic/Configurations.json

@@ -37,7 +37,6 @@
   "CBMCFLAGS": [
     "--unwind 1",
     "--signed-overflow-check",
-    "--pointer-overflow-check",
     "--unsigned-overflow-check"
   ],
   "OBJS": [
@@ -48,8 +47,8 @@
   "DEF": [
     {
       "QeueuGenericCreateStatic_DynamicAllocation": [
-	"CBMC_OBJECT_BITS={CBMC_OBJECT_BITS}",
+        "CBMC_OBJECT_BITS={CBMC_OBJECT_BITS}",
-	"CBMC_OBJECT_MAX_SIZE={CBMC_OBJECT_MAX_SIZE}",
+        "CBMC_OBJECT_MAX_SIZE={CBMC_OBJECT_MAX_SIZE}",
         "configUSE_TRACE_FACILITY=0",
         "configGENERATE_RUN_TIME_STATS=0",
         "configSUPPORT_STATIC_ALLOCATION=1",
@@ -58,8 +57,8 @@
     },
     {
       "QeueuGenericCreateStatic_NoDynamicAllocation": [
-	"CBMC_OBJECT_BITS={CBMC_OBJECT_BITS}",
+        "CBMC_OBJECT_BITS={CBMC_OBJECT_BITS}",
-	"CBMC_OBJECT_MAX_SIZE={CBMC_OBJECT_MAX_SIZE}",
+        "CBMC_OBJECT_MAX_SIZE={CBMC_OBJECT_MAX_SIZE}",
         "configUSE_TRACE_FACILITY=0",
         "configGENERATE_RUN_TIME_STATS=0",
         "configSUPPORT_STATIC_ALLOCATION=1",

FreeRTOS/Test/CBMC/proofs/Queue/QueueGenericCreateStatic/QueueGenericCreateStatic_harness.c

@@ -31,32 +31,22 @@
 #include "queue_datastructure.h"
 #include "cbmc.h"
 
-void harness(){
+void harness()
+{
     UBaseType_t uxQueueLength;
     UBaseType_t uxItemSize;
-
-    size_t uxQueueStorageSize;
-    uint8_t *pucQueueStorage = (uint8_t *) pvPortMalloc(uxQueueStorageSize);
-
-    StaticQueue_t *pxStaticQueue =
-      (StaticQueue_t *) pvPortMalloc(sizeof(StaticQueue_t));
-
     uint8_t ucQueueType;
+    size_t storageSize;
 
-    __CPROVER_assume(uxQueueStorageSize < (UINT32_MAX>>8));
+    /* Allow CBMC to run in a reasonable amount of time. */
+    __CPROVER_assume( ( uxQueueLength == QUEUE_LENGTH ) || ( uxItemSize == QUEUE_ITEM_SIZE ) );
 
-    // QueueGenericReset does not check for multiplication overflow
+    /* Prevent overflow in this harness. */
-    __CPROVER_assume(uxItemSize < uxQueueStorageSize/uxQueueLength);
+    __CPROVER_assume( ( uxQueueLength > 0 ) && ( ( storageSize / uxQueueLength ) == uxItemSize ) );
 
-    // QueueGenericCreateStatic asserts positive queue length
+    uint8_t * pucQueueStorage = ( uint8_t * ) pvPortMalloc( storageSize );
-    __CPROVER_assume(uxQueueLength > ( UBaseType_t ) 0);
 
-    // QueueGenericCreateStatic asserts the following equivalence
+    StaticQueue_t * pxStaticQueue = ( StaticQueue_t * ) pvPortMalloc( sizeof( StaticQueue_t ) );
-    __CPROVER_assume( ( pucQueueStorage && uxItemSize ) ||
-                      ( !pucQueueStorage && !uxItemSize ) );
-
-    // QueueGenericCreateStatic asserts nonnull pointer
-    __CPROVER_assume(pxStaticQueue);
 
     xQueueGenericCreateStatic( uxQueueLength, uxItemSize, pucQueueStorage, pxStaticQueue, ucQueueType );
 }

FreeRTOS/Test/CBMC/proofs/Queue/QueueGenericReset/Makefile.json

@@ -31,7 +31,6 @@
   "CBMCFLAGS": [
     "--unwind 1",
     "--signed-overflow-check",
-    "--pointer-overflow-check",
     "--unsigned-overflow-check"
   ],
   "OBJS": [

FreeRTOS/Test/CBMC/proofs/Queue/QueueGenericReset/QueueGenericReset_harness.c

@@ -34,12 +34,11 @@
 
 struct QueueDefinition;
 
-void harness() {
+void harness()
-	BaseType_t xNewQueue;
+{
+    BaseType_t xNewQueue;
 
-	QueueHandle_t xQueue = xUnconstrainedQueue();
+    QueueHandle_t xQueue = xUnconstrainedQueue();
-	if(xQueue != NULL)
+
-	{
+    xQueueGenericReset( xQueue, xNewQueue );
-		xQueueGenericReset(xQueue, xNewQueue);
-	}
 }

FreeRTOS/Test/CBMC/proofs/Queue/QueueGenericSend/Configurations.json

@@ -33,7 +33,6 @@
   "CBMCFLAGS": [
     "--unwind 1",
     "--signed-overflow-check",
-    "--pointer-overflow-check",
     "--unsigned-overflow-check",
     "--unwindset xQueueGenericSend.0:{QUEUE_SEND_BOUND},prvUnlockQueue.0:{LOCK_BOUND},prvUnlockQueue.1:{LOCK_BOUND}",
     "--nondet-static"

FreeRTOS/Test/CBMC/proofs/Queue/QueueGenericSendFromISR/Configurations.json

@@ -31,7 +31,6 @@
   "CBMCFLAGS": [
     "--unwind 1",
     "--signed-overflow-check",
-    "--pointer-overflow-check",
     "--unsigned-overflow-check",
     "--nondet-static"
   ],

FreeRTOS/Test/CBMC/proofs/Queue/QueueGetMutexHolder/Makefile.json

@@ -31,7 +31,6 @@
   "CBMCFLAGS": [
     "--unwind 1",
     "--signed-overflow-check",
-    "--pointer-overflow-check",
     "--unsigned-overflow-check"
   ],
   "OBJS": [

FreeRTOS/Test/CBMC/proofs/Queue/QueueGetMutexHolderFromISR/Makefile.json

@@ -31,7 +31,6 @@
   "CBMCFLAGS": [
     "--unwind 1",
     "--signed-overflow-check",
-    "--pointer-overflow-check",
     "--unsigned-overflow-check"
   ],
   "OBJS": [

FreeRTOS/Test/CBMC/proofs/Queue/QueueGiveFromISR/Configurations.json

@@ -31,7 +31,6 @@
   "CBMCFLAGS": [
     "--unwind 1",
     "--signed-overflow-check",
-    "--pointer-overflow-check",
     "--unsigned-overflow-check",
     "--nondet-static"
   ],

FreeRTOS/Test/CBMC/proofs/Queue/QueueGiveMutexRecursive/Makefile.json

@@ -31,7 +31,6 @@
   "CBMCFLAGS": [
     "--unwind 1",
     "--signed-overflow-check",
-    "--pointer-overflow-check",
     "--unsigned-overflow-check"
   ],
   "OBJS": [

FreeRTOS/Test/CBMC/proofs/Queue/QueueMessagesWaiting/Makefile.json

@@ -31,7 +31,6 @@
   "CBMCFLAGS": [
     "--unwind 1",
     "--signed-overflow-check",
-    "--pointer-overflow-check",
     "--unsigned-overflow-check"
   ],
   "OBJS": [

FreeRTOS/Test/CBMC/proofs/Queue/QueuePeek/Makefile.json

@@ -33,7 +33,6 @@
   "CBMCFLAGS": [
     "--unwind 1",
     "--signed-overflow-check",
-    "--pointer-overflow-check",
     "--unsigned-overflow-check",
     "--unwindset prvUnlockQueue.0:{LOCK_BOUND},prvUnlockQueue.1:{LOCK_BOUND},xQueuePeek.0:{QUEUE_PEEK_BOUND}",
     "--nondet-static"

FreeRTOS/Test/CBMC/proofs/Queue/QueueReceive/Makefile.json

@@ -33,7 +33,6 @@
   "CBMCFLAGS": [
     "--unwind 1",
     "--signed-overflow-check",
-    "--pointer-overflow-check",
     "--unsigned-overflow-check",
     "--unwindset xQueueReceive.0:{QUEUE_RECEIVE_BOUND},prvUnlockQueue.0:{LOCK_BOUND},prvUnlockQueue.1:{LOCK_BOUND}",
     "--nondet-static"

FreeRTOS/Test/CBMC/proofs/Queue/QueueReceiveFromISR/Makefile.json

@@ -31,7 +31,6 @@
   "CBMCFLAGS": [
     "--unwind 1",
     "--signed-overflow-check",
-    "--pointer-overflow-check",
     "--unsigned-overflow-check"
   ],
   "OBJS": [

FreeRTOS/Test/CBMC/proofs/Queue/QueueSemaphoreTake/Makefile.json

@@ -35,7 +35,6 @@
   "CBMCFLAGS": [
     "--unwind 2",
     "--signed-overflow-check",
-    "--pointer-overflow-check",
     "--unsigned-overflow-check",
     "--nondet-static",
     "--unwindset prvUnlockQueue.0:{QUEUE_BOUND},prvUnlockQueue.1:{QUEUE_BOUND},xQueueSemaphoreTake.0:3"

FreeRTOS/Test/CBMC/proofs/Queue/QueueSpacesAvailable/Makefile.json

@@ -31,7 +31,6 @@
   "CBMCFLAGS": [
     "--unwind 1",
     "--signed-overflow-check",
-    "--pointer-overflow-check",
     "--unsigned-overflow-check"
   ],
   "OBJS": [

FreeRTOS/Test/CBMC/proofs/Queue/QueueTakeMutexRecursive/Makefile.json

@@ -38,7 +38,6 @@
     "--unwind {QueueSemaphoreTake_BOUND}",
     "--unwindset prvUnlockQueue.0:{PRV_UNLOCK_UNWINDING_BOUND},prvUnlockQueue.1:{PRV_UNLOCK_UNWINDING_BOUND}",
     "--signed-overflow-check",
-    "--pointer-overflow-check",
     "--unsigned-overflow-check"
   ],
   "OBJS": [

FreeRTOS/Test/CBMC/proofs/Queue/prvCopyDataToQueue/Configurations.json

@@ -31,7 +31,6 @@
   "CBMCFLAGS": [
     "--unwind 1",
     "--signed-overflow-check",
-    "--pointer-overflow-check",
     "--unsigned-overflow-check"
   ],
   "OBJS": [

FreeRTOS/Test/CBMC/proofs/Queue/prvNotifyQueueSetContainer/Configurations.json

@@ -32,7 +32,6 @@
   "CBMCFLAGS": [
     "--unwind 1",
     "--signed-overflow-check",
-    "--pointer-overflow-check",
     "--unsigned-overflow-check",
     "--unwindset prvUnlockQueue.0:{LOCK_BOUND},prvUnlockQueue.1:{LOCK_BOUND}"
   ],

FreeRTOS/Test/CBMC/proofs/Queue/prvUnlockQueue/Configurations.json

@@ -32,7 +32,6 @@
   "CBMCFLAGS": [
     "--unwind 1",
     "--signed-overflow-check",
-    "--pointer-overflow-check",
     "--unsigned-overflow-check",
     "--unwindset prvUnlockQueue.0:{LOCK_BOUND},prvUnlockQueue.1:{LOCK_BOUND}"
   ],