Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add VeriFast thread safety proof for context switches in SMP port #608

Draft
wants to merge 293 commits into
base: smp
Choose a base branch
from

Conversation

tobireinhard
Copy link

@tobireinhard tobireinhard commented Dec 31, 2022

Add VeriFast thread safety proof for context switches in SMP port

Description

The SMP implementation of the scheduler suffers from a buffer underflow, cf. the fix proposed in PR 607. We used VeriFast, a deductive program verifier for C, to prove that once the fix from PR 607 has been applied, context switches are memory safe (i.e. no memory error) and mutually thread safe (i.e. no race condition).

The proof is an unbounded proof. That is, it considers any possible number of tasks and any possible sizes for the involved data structures. Further, it considers any possible task interleavings and any possible interrupt schedule that may occur during runtime. Taking all this into account, it ensure that no memory error and no race condition can occur during runtime, when we run multiple concurrent context switches on different cores.

See the proof README for a more detailed explanation.

Test Steps

Run one of the scripts run-verifast.sh or run-vfide.sh as descripted in the proof README.

Related Issue

#607

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

- const pointers
- inline assembler
- statements blocks consisting of multiple elements used in expression contexts, e.g., `({e1 e2;})`
- multiple pointer declarations to user-defined types in single line, i.e., `A *p1, *p2;`
- VeriFast does not support nested union definitions. Removed those temporarily.
- VeriFast does not support duplicate function prototypes. Prevented include of unguarded system header file.
Fields: `pxNewTCB->ucNotifyState` and `pxNewTCB->ulNotifiedValue`
@tobireinhard tobireinhard requested a review from a team as a code owner December 31, 2022 22:42
@tobireinhard tobireinhard force-pushed the verifast_switch_context branch from e52ae50 to c57b62a Compare January 4, 2023 17:35
@tobireinhard tobireinhard marked this pull request as draft January 5, 2023 12:31
@Mancent Mancent linked an issue May 21, 2023 that may be closed by this pull request
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

> - [ ] ```
1 participant