Fix build and proof failures for CBMC ARP proofs #709
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Prior to this commit, CBMC would emit logging information in plain text format, which does not contain information required for the CBMC VSCode debugger. This commit makes CBMC use XML instead of plain text. Co-authored-by: Mark Tuttle <[email protected]>
* Adds /source/FreeRTOS_Routing.c to ARPAgeCache proof build
* Assumes pxNetworkEndPoints and pxNetworkEndPoints->pxNetworkInterface are properly initialized before ARPAgeCache is used.
* Assumes one endpoint and interface are only present
Changes to CBMC flags/configs:
* Added:
* `--unwindset FreeRTOS_OutputARPRequest.0:3` and `--unwindset vARPAgeCache.1:3` as per number of endpoints
* Modified:
* `--object-bits 8` to address: too many addressed objects: maximum number of objects is set to 2^n=128 (with n=7);
…arARP:
* New flags:
* "--unwindset FreeRTOS_ClearARP.0:7" to support loop in cleararp function
* Added argument to FreeRTOS_ClearARP in harness to support new change in API
Changes ------- Removed --nondet-static: proof fails if that option is enabled as the endpoint gets random value even if there is NULL check before its usage
Changes: ------- ARPProcessPacket takes new arg (NetworkBufferDescriptor_t *)
| NetworkBufferDescriptor_t * const pxNetworkBuffer, | ||
| BaseType_t xReleaseAfterSend ) | ||
| { | ||
| return 0; |
Member
There was a problem hiding this comment.
I think it would be better if we check the validity of the pointers in the stub by adding something like this:
__CPROVER_assert( pxDescriptor != NULL, "The network interface cannot be NULL." );
__CPROVER_assert( pxNetworkBuffer != NULL, "The network buffer descriptor cannot be NULL." );
| __CPROVER_assume( pxNetworkEndPoints != NULL ); | ||
| pxNetworkEndPoints->pxNext = ( NetworkEndPoint_t * ) malloc( sizeof( NetworkEndPoint_t ) ); | ||
| __CPROVER_assume( pxNetworkEndPoints->pxNext != NULL ); | ||
| __CPROVER_assume( pxNetworkEndPoints->pxNext->pxNext == NULL ); |
Member
There was a problem hiding this comment.
I think that instead of __CPROVER_assume, we can just set this value to NULL.
as in pxNetworkEndPoints->pxNext->pxNext = NULL;
| */ | ||
| xNetworkBuffer2.pxEndPoint = ( NetworkEndPoint_t * ) malloc( sizeof( NetworkEndPoint_t ) ); | ||
| __CPROVER_assume( xNetworkBuffer2.pxEndPoint != NULL ); | ||
| __CPROVER_assume( xNetworkBuffer2.pxEndPoint->pxNext == NULL ); |
Member
There was a problem hiding this comment.
Same here, we can get away with just setting it to NULL.
|
|
||
| pxNetworkEndPoints = ( NetworkEndPoint_t * ) malloc( sizeof( NetworkEndPoint_t ) ); | ||
| __CPROVER_assume( pxNetworkEndPoints != NULL ); | ||
| __CPROVER_assume( pxNetworkEndPoints->pxNext == NULL ); |
| */ | ||
| uint8_t ucBUFFER_SIZE; | ||
|
|
||
| __CPROVER_assume( ucBUFFER_SIZE < CBMC_MAX_OBJECT_SIZE ); |
Member
There was a problem hiding this comment.
Isn't this true automatically? the ucBUFFER_SIZE is an unsigned 8-bit integer meaning that it will never go beyond 255. I assume that CBMC_MAX_OBJECT_SIZE will at least be 16-bit value...
| eARPProcessPacket( &xARPFrame ); | ||
| /* | ||
| * The assumption made here is that the buffer pointed by pucEthernetBuffer | ||
| * is at least allocated to sizeof(ARPPacket_t) size but eventually a even larger buffer. |
Member
There was a problem hiding this comment.
Suggested change
| * is at least allocated to sizeof(ARPPacket_t) size but eventually a even larger buffer. | |
| * is at least allocated to sizeof(ARPPacket_t) size but eventually an even larger buffer. |
| */ | ||
| xNetworkBuffer2.pxEndPoint = ( NetworkEndPoint_t * ) malloc( sizeof( NetworkEndPoint_t ) ); | ||
| __CPROVER_assume( xNetworkBuffer2.pxEndPoint != NULL ); | ||
| __CPROVER_assume( xNetworkBuffer2.pxEndPoint->pxNext == NULL ); |
Member
There was a problem hiding this comment.
Set this to NULL directly.
|
|
||
| pxNetworkEndPoints = ( NetworkEndPoint_t * ) malloc( sizeof( NetworkEndPoint_t ) ); | ||
| __CPROVER_assume( pxNetworkEndPoints != NULL ); | ||
| __CPROVER_assume( pxNetworkEndPoints->pxNext == NULL ); |
Member
There was a problem hiding this comment.
Why not try this with more than one network endpoint?
| NetworkBufferDescriptor_t * const pxNetworkBuffer, | ||
| BaseType_t xReleaseAfterSend ) | ||
| { | ||
|
|
Member
There was a problem hiding this comment.
We should add asserts on the pointers to make sure that they are not NULL when stub is called.
| { | ||
| vReleaseNetworkBufferAndDescriptor( pxDescriptor ); | ||
| vReleaseNetworkBufferAndDescriptor( pxNetworkBuffer ); | ||
| } |
Member
There was a problem hiding this comment.
Assert on pointers being non-NULL here.
tony-josi-aws
force-pushed
the
fix_cbmc_proof_arp
branch
from
4574eae to
39d8c53
Compare
AniruddhaKanhere
approved these changes
Feb 21, 2023
Member
AniruddhaKanhere
left a comment
AniruddhaKanhere
left a comment
There was a problem hiding this comment.
Approved with one minor comment.
| __CPROVER_assert( pxDescriptor != NULL, "The network interface cannot be NULL." ); | ||
| __CPROVER_assert( pxNetworkBuffer != NULL, "The network buffer descriptor cannot be NULL." ); | ||
| __CPROVER_assert( pxNetworkBuffer->pucEthernetBuffer != NULL, "The Ethernet buffer cannot be NULL." ); | ||
| return 0; |
Member
There was a problem hiding this comment.
Why are we returning 0 and not nondet_uint32?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR fixes the build issues and proof failures for the ARP CBMC proofs post the IPv6 changes.
Description
Major changes:
—nondet-staticfor ARPGetCacheEntryByMac proof: as proof fails if its there as the endpoint gets random value--object-bits 8from 7: as some of the existing proofs were having issues with more number addressed objects:too many addressed objects: maximum number of objects is set to 2^n=128 (with n=7);Test Steps
Related Issue
Failing CBMC proofs
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.