github-forks
/
FreeRTOS
mirror of https://github.com/FreeRTOS/FreeRTOS.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
main
p3_rel_wip
202411.00
202212.01
202212.00
202112.00
202111.00
202107.00
202104.00
V200717_LTS_development_snapshot
V10.3.0
PartialReleases
V10.2.1
V10.2.0
V10.1.1
V10.1.0
V10.0.1
V10.0.0
V8.0.1
V9.0.0
V9.0.0rc2
V9.0.0rc1
V8.2.3
V8.2.2
V8.2.1
V8.2.0
V8.2.0rc1
V8.1.2
V8.1.1
V8.1.0
V8.0.0
V8.0.0rc1
V7.6.0
V7.5.3
V7.5.2
V7.5.1
V7.5.0
V7.4.2
V7.4.1
V7.4.0
V7.3.0
V7.2.0
V7.1.1
BackupPoints
V7.1.0
V7.0.2
V7.0.1
V7.0.0
V6.1.1
V6.1.0
V6.0.5
V6.0.4
V6.0.3
V6.0.1
V6.0.0
V5.4.2
V5.4.1
V5.3.1
V5.3.0
V5.2.0
V5.1.2
V5.0.3
V5.0.2
V5.0.0
V4.8.0
V4.7.2
V4.7.1
V4.7.0
V4.6.1
V4.5.0
V4.4.0
V4.3.1
V4.3.0
V4.2.1
V4.2.0
V4.1.3
V4.1.2
V4.1.1
V4.1.0
V4.0.5
V4.0.3
V4.0.2
V4.0.1
202011.00
202012.00
V10.3.1
V10.4.0
V10.4.1
V200218_LTS_development_snapshot
final_LTS_development_snapshot
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'b8c758b2fe'
${ noResults }
FreeRTOS/FreeRTOS/Test/VeriFast
History
Nathan Chong bc54c6bc10
Syntactic proof changes to track 10.4.1 changes (#322) 
All changes restricted to comments/formatting.
 		4 years ago
..
docs List proofs and signoff (#194) 4 years ago
include/proof List proofs and signoff (#194) 4 years ago
list Syntactic proof changes to track 10.4.1 changes (#322) 4 years ago
queue Syntactic proof changes to track 10.4.1 changes (#322) 4 years ago
scripts List proofs and signoff (#194) 4 years ago
Makefile Syntactic proof changes to track 10.4.1 changes (#322) 4 years ago
README.md List proofs and signoff (#194) 4 years ago

README.md

FreeRTOS VeriFast proofs

This directory contains unbounded proofs of the FreeRTOS kernel queue and list data structures. Unbounded proofs mean that these results hold independent of the length of the queue or list.

Informally, the queue proofs demonstrate that the queue implementation is memory safe (does not access invalid memory), thread safe (properly synchronizes accesses) and functionally correct (behaves like a queue) under any arbitrary number of tasks or ISRs. The list proofs demonstrate that the list implementation is memory safe and functionally correct.

These properties are proven with the VeriFast verifier. See the proof signoff document for more on the proof properties, assumptions, and simplifications.

Proof directory structure

We split proofs by data structure into separate proof directories. Each file within a proof directory is a proof of one or more related API functions. A proof is the source code of the FreeRTOS implementation with VeriFast annotations (denoted by special comments /*@ ... @*/). A set of common predicates, functions and lemmas used by all proofs is maintained in the include/proof directory.

  • queue: proofs for the FreeRTOS queue data structure
  • list: proofs for the FreeRTOS list data structure

The following figure gives the callgraph of the queue proofs. Green=Proven functions, Blue=Functions modeled by lock invariants (underlying implementation assumed to provide these atomicity guarantees), Grey=Assumed stubs.

Queue proof callgraph

Prerequisites

Proof checking needs VeriFast and proof regression further needs make and perl.

We recommend installing VeriFast from the nightly builds on the VeriFast GitHub page. After unpacking the build tarball, the verifast and vfide binaries will be in the directory verifast-COMMIT/bin/ where COMMIT is the Git commit of the VeriFast build.

Note that for CI we use VeriFast 19.12.

Proof checking a single proof in the VeriFast IDE

To load a proof in the vfide VeriFast IDE:

$ /path/to/vfide -I include queue/xQueueGenericSend.c

Then click Verify and Verify Program (or press F5). Note that the following proofs require arithmetic overflow checking to be turned off (click Verify and uncheck Check arithmetic overflow).

  • queue/prvCopyDataToQueue.c
  • queue/xQueueGenericSendFromISR.c
  • queue/xQueueReceiveFromISR.c

A successful proof results in the top banner turning green with a statement similar to: 0 errors found (335 statements verified).

Proof checking a single proof at the command-line

The following is an example of checking a proof using the verifast command-line tool. Turn off arithmetic overflow checking where necessary with the flag -disable_overflow_check.

$ /path/to/verifast -I include -c queue/xQueueGenericSend.c

A successful proof results in output similar to:

queue/xQueueGenericSend.c
0 errors found (335 statements verified)

Running proof regression

The following will check all proofs in the repo along with a statement coverage regression.

$ VERIFAST=/path/to/verifast make

If you have made changes to the proofs so the statement coverage no longer matches then you can temporarily turn off coverage checking:

$ VERIFAST=/path/to/verifast NO_COVERAGE=1 make

Annotation burden

VeriFast can emit statistics about the number of source code lines and annotations. These range from .3-2x annotations per line of source code for the queue proofs and up to 7x for the list proofs.

$ VERIFAST=/path/to/verifast ./scripts/annotation_overhead.sh

Reading a VeriFast proof

VeriFast is a modular deductive verifier using separation logic. A quick introduction is given by Jacobs and Piessens. In particular, Section 1 Introduction, gives a high-level overview of the proof technique, which uses forward symbolic execution over a symbolic heap.

Learning how to use VeriFast will help you read and understand the proofs. The VeriFast tutorial is a good guide. You will need to understand:

  • Sec 4. Functions and Contracts
  • Sec 5. Patterns
  • Sec 6. Predicates
  • Sec 7. Recursive Predicates
  • Sec 8. Loops
  • Sec 9. Inductive Datatypes
  • Sec 10. Inductive Datatypes
  • Sec 11. Lemmas

Contributors

We acknowledge and thank the following contributors: