Add spinlock_validate, cpu_mask, ipi modules + fix Rocq CI

Three new verified kernel modules porting foundational SMP safety logic:

- spinlock_validate: owner encoding/validation (6 properties, 15 tests)
  Replaces the silent & 3U mask with configurable MAX_CPUS check.

- cpu_mask: thread affinity mask arithmetic (4 properties, 33 tests)
  Enforces PIN_ONLY invariant at runtime (Zephyr only asserts in debug).

- ipi: inter-processor interrupt mask computation (5 properties, 22 tests)
  Pure decision function for which CPUs need scheduling interrupts.

Also updates rules_rocq_rust to 2cfb99ca (hermetic nightly download,
fixes libLLVM linker error in sandboxed CI) and removes the
LIBRARY_PATH workaround from formal-verification.yml.

Author: avrabe

.github/workflows/formal-verification.yml

@@ -87,13 +87,7 @@ jobs:
       - uses: cachix/install-nix-action@v30
 
       - name: Install Rust toolchain
-        uses: dtolnay/rust-toolchain@nightly
-
-      - name: Set LLVM library path for rocq_of_rust
-        run: |
-          SYSROOT=$(rustc +nightly --print sysroot)
-          echo "LIBRARY_PATH=${SYSROOT}/lib" >> "$GITHUB_ENV"
-          echo "LD_LIBRARY_PATH=${SYSROOT}/lib" >> "$GITHUB_ENV"
+        uses: dtolnay/rust-toolchain@stable
 
       - name: Run Rocq proof verification
         run: |

BUILD.bazel

@@ -62,6 +62,9 @@ VERUS_SRCS = [
     "src/sched.rs",
     "src/poll.rs",
     "src/zms.rs",
+    "src/spinlock_validate.rs",
+    "src/cpu_mask.rs",
+    "src/ipi.rs",
 ]
 
 PLAIN_SRCS = ["//plain:srcs"]

MODULE.bazel

@@ -23,7 +23,7 @@ bazel_dep(name = "rules_rocq_rust", version = "0.1.0")
 git_override(
     module_name = "rules_rocq_rust",
     remote = "https://github.com/pulseengine/rules_rocq_rust.git",
-    commit = "6a8da0bd30b5f80f811acefbf6ac5740a08d4a8c",
+    commit = "2cfb99ca46eb570c5dc54ed1ee2124b8add212e2",
 )
 
 # rocq-of-rust toolchain — translates Rust to Rocq

plain/src/cpu_mask.rs

@@ -0,0 +1,112 @@
+//! Verified CPU affinity mask model for Zephyr RTOS.
+//!
+//! This is a formally verified port of zephyr/kernel/cpu_mask.c.
+//! All safety-critical properties are proven with Verus (SMT/Z3).
+//!
+//! Source mapping:
+//!   cpu_mask_mod              -> cpu_mask_mod           (cpu_mask.c:19-45)
+//!   k_thread_cpu_mask_clear   -> (enable=0, disable=0xFFFFFFFF)
+//!   k_thread_cpu_mask_enable_all -> (enable=0xFFFFFFFF, disable=0)
+//!   k_thread_cpu_mask_enable  -> (enable=BIT(cpu), disable=0)
+//!   k_thread_cpu_mask_disable -> (enable=0, disable=BIT(cpu))
+//!   k_thread_cpu_pin          -> (enable=BIT(cpu), disable=!BIT(cpu))
+//!   validate_pin_mask         -> power-of-2 check (cpu_mask.c:38-41)
+//!   cpu_pin_compute           -> BIT(cpu) with bounds check
+//!
+//! Omitted (not safety-relevant):
+//!   - K_SPINLOCK(&_sched_spinlock) — locking handled in C
+//!   - z_is_thread_prevented_from_running — caller supplies `is_running`
+//!   - CONFIG_POLL, CONFIG_OBJ_CORE — debug/tracing
+//!   - CONFIG_USERSPACE (z_vrfy_*) — syscall marshaling
+//!
+//! ASIL-D verified properties:
+//!   CM1: Running threads cannot have mask modified (returns EINVAL)
+//!   CM2: PIN_ONLY mode requires exactly one bit set: (m & (m-1)) == 0
+//!   CM3: New mask = (current | enable) & !disable
+//!   CM4: Result mask is never zero (at least one CPU)
+//!   CM5: Mask arithmetic is overflow-safe (bitwise ops on u32)
+//!   CM6: cpu_pin_compute bounds-checks cpu_id < max_cpus <= 32
+use crate::error::*;
+/// Maximum supported CPUs (matches Zephyr BUILD_ASSERT: max 16).
+pub const MAX_CPUS: u32 = 16;
+/// Result of a cpu_mask_mod operation.
+///
+/// On success, holds the new mask. On failure, holds the error code.
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub struct CpuMaskResult {
+    /// The resulting CPU affinity mask (valid only when `error == OK`).
+    pub mask: u32,
+    /// Error code: OK on success, EINVAL on failure.
+    pub error: i32,
+}
+/// Check whether a mask is a valid PIN_ONLY mask (exactly one bit set).
+///
+/// This is the power-of-two check from cpu_mask.c:38-41:
+///   `(m == 0) || ((m & (m - 1)) == 0)`
+/// We strengthen to require m != 0 (a zero mask is never valid).
+///
+/// CM2: PIN_ONLY mode requires exactly one bit set.
+pub fn validate_pin_mask(mask: u32) -> bool {
+    mask != 0 && (mask & (mask - 1)) == 0
+}
+/// Core CPU mask modification function.
+///
+/// Models cpu_mask_mod (cpu_mask.c:19-45).
+///
+/// Parameters:
+/// - `current_mask`: the thread's current cpu_mask
+/// - `enable`: bits to OR into the mask
+/// - `disable`: bits to AND-complement out of the mask
+/// - `is_running`: true if the thread is currently running (not prevented)
+/// - `pin_only`: true if CONFIG_SCHED_CPU_MASK_PIN_ONLY is enabled
+///
+/// CM1: Running threads cannot have mask modified (returns EINVAL).
+/// CM2: PIN_ONLY mode requires exactly one bit set in the result.
+/// CM3: New mask = (current | enable) & !disable.
+/// CM4: Result mask is never zero.
+/// CM5: All arithmetic is overflow-safe (bitwise ops on u32).
+pub fn cpu_mask_mod(
+    current_mask: u32,
+    enable: u32,
+    disable: u32,
+    is_running: bool,
+    pin_only: bool,
+) -> CpuMaskResult {
+    if is_running {
+        return CpuMaskResult {
+            mask: current_mask,
+            error: EINVAL,
+        };
+    }
+    let new_mask: u32 = (current_mask | enable) & !disable;
+    if new_mask == 0 {
+        return CpuMaskResult {
+            mask: current_mask,
+            error: EINVAL,
+        };
+    }
+    if pin_only && (new_mask & (new_mask - 1)) != 0 {
+        return CpuMaskResult {
+            mask: current_mask,
+            error: EINVAL,
+        };
+    }
+    CpuMaskResult {
+        mask: new_mask,
+        error: OK,
+    }
+}
+/// Compute the pin mask for a specific CPU.
+///
+/// Models the BIT(cpu) computation from k_thread_cpu_pin (cpu_mask.c:69).
+/// Returns `Ok(1u32 << cpu_id)` if `cpu_id < max_cpus` and `max_cpus <= 32`,
+/// otherwise returns `Err(EINVAL)`.
+///
+/// CM6: bounds check ensures shift is within u32 range.
+pub fn cpu_pin_compute(cpu_id: u32, max_cpus: u32) -> Result<u32, i32> {
+    if max_cpus > 32 || cpu_id >= max_cpus {
+        return Err(EINVAL);
+    }
+    let mask: u32 = 1u32 << cpu_id;
+    Ok(mask)
+}

plain/src/ipi.rs

@@ -0,0 +1,79 @@
+//! Verified IPI mask creation model for Zephyr RTOS.
+//!
+//! This is a formally verified port of zephyr/kernel/ipi.c.
+//! All safety-critical properties are proven with Verus (SMT/Z3).
+//!
+//! This module models the **IPI mask creation** logic from Zephyr's SMP
+//! IPI subsystem.  The mask determines which CPUs need an inter-processor
+//! interrupt when a thread becomes ready.
+//!
+//! Source mapping:
+//!   ipi_mask_create -> compute_ipi_mask  (ipi.c:29-70)
+//!
+//! Omitted (not safety-relevant):
+//!   - CONFIG_IPI_OPTIMIZE bypass (trivially returns IPI_ALL_CPUS_MASK)
+//!   - thread_is_metairq — MetaIRQ preemption override
+//!   - thread_is_preemptible — cooperative thread guard
+//!   - signal_pending_ipi — actual IPI delivery
+//!   - CONFIG_USERSPACE (z_vrfy_*) — syscall marshaling
+//!   - SYS_PORT_TRACING_* — instrumentation
+//!
+//! ASIL-D verified properties:
+//!   IP1: current CPU is never in the result mask
+//!   IP2: only CPUs within [0, num_cpus) can be in the mask
+//!   IP3: only CPUs allowed by target_cpu_mask are considered
+//!   IP4: a CPU is included only if its priority > target (lower importance)
+//!   IP5: result fits in max_cpus bits (no stray high bits)
+/// Maximum supported CPUs (matches CONFIG_MP_MAX_NUM_CPUS).
+pub const MAX_CPUS: u32 = 16;
+/// Compute the IPI bitmask for a newly ready thread.
+///
+/// This is the verified model of `ipi_mask_create()` from ipi.c:29-70.
+///
+/// Parameters:
+/// - `current_cpu`: CPU executing the scheduling decision
+/// - `target_prio`: priority of the newly ready thread (lower = higher importance)
+/// - `target_cpu_mask`: CPU affinity mask for the thread (CONFIG_SCHED_CPU_MASK)
+/// - `cpu_prios`: per-CPU current thread priorities
+/// - `cpu_active`: per-CPU active flags
+/// - `num_cpus`: number of CPUs present (arch_num_cpus())
+/// - `max_cpus`: CONFIG_MP_MAX_NUM_CPUS (upper bound for bit width)
+///
+/// Returns a bitmask where bit `i` is set iff CPU `i` should receive an IPI.
+pub fn compute_ipi_mask(
+    current_cpu: u32,
+    target_prio: i32,
+    target_cpu_mask: u32,
+    cpu_prios: &[i32],
+    cpu_active: &[bool],
+    num_cpus: u32,
+    max_cpus: u32,
+) -> u32 {
+    let mut mask: u32 = 0u32;
+    let mut idx: u32 = 0u32;
+    while idx < num_cpus {
+        if idx != current_cpu {
+            if cpu_active[idx as usize] {
+                let bit: u32 = 1u32 << idx;
+                if (target_cpu_mask & bit) != 0u32 {
+                    if cpu_prios[idx as usize] > target_prio {
+                        mask = mask | bit;
+                    }
+                }
+            }
+        }
+        idx = idx + 1u32;
+    }
+    mask
+}
+/// Validate a previously computed IPI mask.
+///
+/// Checks structural properties that must hold for any valid mask:
+/// - current CPU bit is not set
+/// - no bits at or above max_cpus are set
+pub fn validate_ipi_mask(mask: u32, current_cpu: u32, max_cpus: u32) -> bool {
+    let current_bit: u32 = 1u32 << current_cpu;
+    let current_excluded = (mask & current_bit) == 0u32;
+    let bounded = (mask >> max_cpus) == 0u32;
+    current_excluded && bounded
+}

plain/src/lib.rs

@@ -18,6 +18,7 @@
 //! - [`sem`] — Counting semaphore (port of kernel/sem.c)
 //! - [`mutex`] — Reentrant mutex (port of kernel/mutex.c)
 //! - [`condvar`] — Condition variable (port of kernel/condvar.c)
+//! - [`cpu_mask`] — CPU affinity mask (port of kernel/cpu_mask.c)
 #![no_std]
 #![allow(unused_imports)]
 #![allow(
@@ -39,6 +40,7 @@ pub mod wait_queue;
 pub mod sem;
 pub mod mutex;
 pub mod condvar;
+pub mod cpu_mask;
 pub mod msgq;
 pub mod pipe;
 pub mod stack;
@@ -63,10 +65,12 @@ pub mod fault_decode;
 pub mod mempool;
 pub mod dynamic;
 pub mod smp_state;
+pub mod ipi;
 pub mod stack_config;
 pub mod device_init;
 pub mod mem_domain;
 pub mod spinlock;
+pub mod spinlock_validate;
 pub mod atomic;
 pub mod userspace;
 pub mod ring_buf;

plain/src/spinlock_validate.rs

@@ -0,0 +1,118 @@
+//! Verified spinlock validation helpers for Zephyr RTOS.
+//!
+//! This is a formally verified port of zephyr/kernel/spinlock_validate.c.
+//! All safety-critical properties are proven with Verus (SMT/Z3).
+//!
+//! The C code encodes lock ownership by OR-ing the CPU ID into the low
+//! bits of a thread pointer (which is guaranteed aligned).  The `& 3U`
+//! mask hard-codes support for at most 4 CPUs.  This module replaces
+//! the magic constant with a configurable `MAX_CPUS` and explicit
+//! alignment requirement, then proves the encoding is injective.
+//!
+//! Source mapping:
+//!   z_spin_lock_valid     -> spin_lock_valid        (spinlock_validate.c:10-20)
+//!   z_spin_unlock_valid   -> spin_unlock_valid      (spinlock_validate.c:23-37)
+//!   z_spin_lock_set_owner -> spin_lock_compute_owner (spinlock_validate.c:39-43)
+//!
+//! Omitted (not safety-relevant):
+//!   - CONFIG_KERNEL_COHERENCE (z_spin_lock_mem_coherent) — cache coherency check
+//!   - ISR + _THREAD_DUMMY edge case — modeled as a separate flag in the caller
+//!
+//! ASIL-D verified properties:
+//!   SV1: owner encoding is injective (distinct (cpu, thread) -> distinct owner)
+//!   SV2: lock_valid returns false iff the lock is already held by the same CPU
+//!   SV3: unlock_valid returns true iff the stored owner matches (cpu | thread)
+//!   SV4: CPU ID is recoverable from the encoded owner via masking
+//!   SV5: thread pointer is recoverable from the encoded owner via masking
+//!   SV6: MAX_CPUS bounds the CPU mask (replaces hard-coded `& 3U`)
+/// Maximum number of CPUs supported.
+///
+/// Zephyr hard-codes `& 3U` (2 bits, 4 CPUs).  We use the same default
+/// but express it as a named constant so it can be widened.
+pub const MAX_CPUS: u32 = 4;
+/// Bit mask to extract the CPU ID from an encoded owner value.
+///
+/// CPU_MASK == MAX_CPUS - 1 == 0b11 for 4 CPUs.
+/// Requires MAX_CPUS to be a power of two.
+pub const CPU_MASK: usize = 3;
+/// Minimum alignment of thread pointers (in bytes).
+///
+/// Thread pointers must be aligned to at least MAX_CPUS so that the
+/// low bits are zero and available for the CPU ID tag.
+pub const THREAD_ALIGN: usize = 4;
+/// Check whether acquiring the spinlock is valid.
+///
+/// Models z_spin_lock_valid() (spinlock_validate.c:10-20):
+///
+/// ```c
+/// bool z_spin_lock_valid(struct k_spinlock *l) {
+///     uintptr_t thread_cpu = l->thread_cpu;
+///     if (thread_cpu != 0U) {
+///         if ((thread_cpu & 3U) == _current_cpu->id)
+///             return false;
+///     }
+///     return true;
+/// }
+/// ```
+///
+/// Returns `false` when the lock is already held **by the same CPU**
+/// (i.e. the CPU bits in `thread_cpu` match `current_cpu_id`).
+/// A `thread_cpu` of 0 means the lock is free.
+///
+/// SV2: lock_valid returns false iff lock is held and CPU matches.
+pub fn spin_lock_valid(thread_cpu: usize, current_cpu_id: u32) -> bool {
+    if thread_cpu != 0 {
+        if (thread_cpu & CPU_MASK) == (current_cpu_id as usize) {
+            return false;
+        }
+    }
+    true
+}
+/// Check whether releasing the spinlock is valid.
+///
+/// Models z_spin_unlock_valid() (spinlock_validate.c:23-37):
+///
+/// ```c
+/// bool z_spin_unlock_valid(struct k_spinlock *l) {
+///     uintptr_t tcpu = l->thread_cpu;
+///     l->thread_cpu = 0;
+///     ...
+///     if (tcpu != (_current_cpu->id | (uintptr_t)_current))
+///         return false;
+///     return true;
+/// }
+/// ```
+///
+/// Returns `true` iff the stored `thread_cpu` matches the encoded
+/// identity of the current thread on the current CPU.
+///
+/// Note: the C function also zeroes `l->thread_cpu` and handles an ISR
+/// edge case.  Both are side-effects handled by the FFI layer; this
+/// function is a pure validity predicate.
+///
+/// SV3: unlock_valid returns true iff owner matches (cpu | thread).
+pub fn spin_unlock_valid(
+    thread_cpu: usize,
+    current_cpu_id: u32,
+    current_thread: usize,
+) -> bool {
+    let expected = (current_cpu_id as usize) | current_thread;
+    thread_cpu == expected
+}
+/// Compute the owner tag for a spinlock.
+///
+/// Models z_spin_lock_set_owner() (spinlock_validate.c:39-43):
+///
+/// ```c
+/// void z_spin_lock_set_owner(struct k_spinlock *l) {
+///     l->thread_cpu = _current_cpu->id | (uintptr_t)_current;
+/// }
+/// ```
+///
+/// Encodes the current CPU ID and thread pointer into a single `usize`.
+///
+/// SV4/SV5: CPU and thread are recoverable.
+/// SV6: CPU ID fits within the mask.
+pub fn spin_lock_compute_owner(current_cpu_id: u32, current_thread: usize) -> usize {
+    (current_cpu_id as usize) | current_thread
+}