2014-07-14 19:32:44 +00:00
|
|
|
(*
|
2020-03-09 06:18:30 +00:00
|
|
|
* Copyright 2020, Data61, CSIRO (ABN 41 687 119 230)
|
2014-07-14 19:32:44 +00:00
|
|
|
*
|
2020-03-09 06:18:30 +00:00
|
|
|
* SPDX-License-Identifier: GPL-2.0-only
|
2014-07-14 19:32:44 +00:00
|
|
|
*)
|
|
|
|
|
|
|
|
theory
|
|
|
|
InitVSpace_SI
|
|
|
|
imports
|
2018-06-13 07:55:36 +00:00
|
|
|
"DSpecProofs.Invocation_DP"
|
|
|
|
"DSpecProofs.Arch_DP"
|
2014-07-14 19:32:44 +00:00
|
|
|
ObjectInitialised_SI
|
|
|
|
RootTask_SI
|
|
|
|
SysInit_SI
|
2019-01-25 05:38:20 +00:00
|
|
|
DuplicateCaps_SI
|
2019-01-18 03:39:34 +00:00
|
|
|
Sep_Algebra.Sep_Fold_Cancel
|
|
|
|
Sep_Algebra.Sep_Util
|
2019-01-25 05:38:20 +00:00
|
|
|
"HOL-Library.Multiset"
|
|
|
|
Mapped_Separating_Conjunction
|
|
|
|
AInvs.Rights_AI
|
2019-01-18 03:39:34 +00:00
|
|
|
Lib.Guess_ExI
|
2014-07-14 19:32:44 +00:00
|
|
|
begin
|
|
|
|
|
2016-04-27 06:48:03 +00:00
|
|
|
context begin interpretation Arch . (*FIXME: arch_split*)
|
2016-04-25 23:27:46 +00:00
|
|
|
|
2019-01-25 05:38:20 +00:00
|
|
|
declare
|
|
|
|
object_at_predicate_lift[simp]
|
|
|
|
opt_cap_object_slot[simp]
|
|
|
|
opt_cap_object_slotE[elim]
|
|
|
|
slots_of_object_slot[simp]
|
|
|
|
slots_of_object_slotE[elim]
|
|
|
|
object_at_cdl_objects[simp]
|
|
|
|
|
|
|
|
(* Abbreviations for commonly appearing expressions involving virtual addresses and slots *)
|
|
|
|
(* TODO: use pd_size, pt_size, small_frame_size instead of magic numbers *)
|
|
|
|
abbreviation
|
|
|
|
"pd_slot_of_pt_vaddr vaddr \<equiv> vaddr >> 20 :: machine_word"
|
|
|
|
abbreviation
|
|
|
|
"pt_slot_of_vaddr vaddr \<equiv> (vaddr >> 12) && 0xFF :: machine_word"
|
|
|
|
abbreviation
|
|
|
|
"pt_vaddr_of_pd_slot pd_slot \<equiv> of_nat pd_slot << 20 :: machine_word"
|
|
|
|
abbreviation
|
|
|
|
"frame_vaddr_of_slots pd_slot pt_slot \<equiv>
|
|
|
|
pt_vaddr_of_pd_slot pd_slot + (of_nat pt_slot << small_frame_size) :: machine_word"
|
|
|
|
|
|
|
|
(* FIXME: MOVE (Lib) *)
|
|
|
|
lemma singleton_eq[simp]: "(\<lambda>v. if v = x then Some y else None) = [x \<mapsto> y]"
|
|
|
|
by (clarsimp simp: fun_upd_def)
|
|
|
|
|
|
|
|
lemma map_add_simp [simp]: "(\<lambda>p. if p = p' then Some v else f p) = f ++ [p' \<mapsto> v] "
|
|
|
|
by (intro ext iffI; clarsimp simp: map_add_def split: option.splits)
|
|
|
|
|
|
|
|
lemma list_all_spec: "list_all P xs \<Longrightarrow> x \<in> set xs \<Longrightarrow> P x"
|
|
|
|
by (simp add: list_all_iff)
|
|
|
|
(* /MOVE *)
|
2014-07-14 19:32:44 +00:00
|
|
|
|
|
|
|
lemma empty_cap_map_shiftr_NullCap:
|
2019-01-25 05:38:20 +00:00
|
|
|
"empty_cap_map 12 (unat ((vaddr :: word32) >> 20)) = Some NullCap"
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (clarsimp simp:empty_cap_map_def)
|
|
|
|
apply (rule unat_less_helper)
|
|
|
|
apply simp
|
2019-01-25 05:38:20 +00:00
|
|
|
apply (subst word32_less_sub_le[where n=12, simplified, symmetric])
|
|
|
|
apply (simp add: word_bits_def)
|
|
|
|
apply (simp add: shiftr_shiftr le_mask_iff[where n=12, unfolded mask_def, simplified])
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule shiftr_eq_0)
|
|
|
|
apply simp
|
|
|
|
done
|
|
|
|
|
|
|
|
lemma object_slot_initialised_lookup:
|
|
|
|
"\<lbrakk>t spec_ptr = Some ptr; opt_cap (spec_ptr,slot) spec = Some cap\<rbrakk>
|
2019-01-25 05:38:20 +00:00
|
|
|
\<Longrightarrow> object_slot_initialised spec t spec_ptr slot = (ptr, slot) \<mapsto>c cap_transform t cap"
|
2019-02-28 03:34:01 +00:00
|
|
|
apply (clarsimp simp: object_slot_initialised_def
|
2019-01-25 05:38:20 +00:00
|
|
|
object_initialised_general_def opt_cap_def slots_of_def
|
|
|
|
split: option.splits)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (intro ext iffI)
|
|
|
|
apply (drule sep_map_c_sep_map_s[where cap = "cap_transform t cap"])
|
2019-01-25 05:38:20 +00:00
|
|
|
apply (simp add: spec2s_def update_slots_def object_slots_def split: cdl_object.splits)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply simp
|
2014-07-22 04:37:37 +00:00
|
|
|
apply (subst (asm) sep_map_c_def2)
|
2019-01-25 05:38:20 +00:00
|
|
|
apply (clarsimp simp: spec2s_def sep_map_s_def sep_map_general_def object_to_sep_state_def)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule ext)
|
2019-01-25 05:38:20 +00:00
|
|
|
apply (clarsimp simp: object_project_def object_slots_object_clean)
|
|
|
|
apply (clarsimp simp: update_slots_def object_slots_def split: cdl_object.splits)
|
2014-07-14 19:32:44 +00:00
|
|
|
done
|
|
|
|
|
2019-01-25 05:38:20 +00:00
|
|
|
lemma seL4_Page_Map_object_initialised_sep:
|
|
|
|
"\<lbrace>\<guillemotleft>object_slot_initialised spec t spec_pd_ptr (unat (vaddr >> 20)) \<and>*
|
|
|
|
object_slot_empty spec t (cap_object pt_cap) (unat (pt_slot_of_vaddr vaddr)) \<and>*
|
|
|
|
(si_cnode_id , offset sel4_page si_cnode_size) \<mapsto>c
|
|
|
|
FrameCap dev page_ptr vm_read_write n Real None \<and>*
|
|
|
|
(si_cnode_id , offset sel4_pd si_cnode_size) \<mapsto>c (PageDirectoryCap pd_ptr Real None) \<and>*
|
|
|
|
si_objects \<and>* R\<guillemotright> and
|
|
|
|
K(pd_at spec_pd_ptr spec \<and>
|
|
|
|
opt_cap (spec_pd_ptr, unat (vaddr >> 20)) spec = Some pt_cap \<and>
|
|
|
|
pt_cap = PageTableCap spec_pt_ptr Fake None \<and>
|
|
|
|
opt_cap (spec_pt_ptr, unat (pt_slot_of_vaddr vaddr)) spec
|
|
|
|
= Some (FrameCap False spec_page_ptr (validate_vm_rights rights) n Fake None) \<and>
|
|
|
|
cdl_objects spec (cap_object pt_cap) = Some cap_obj \<and>
|
|
|
|
sel4_page < 2 ^ si_cnode_size \<and>
|
|
|
|
vaddr = frame_vaddr_of_slots (unat (pd_slot_of_pt_vaddr vaddr))
|
|
|
|
(unat (pt_slot_of_vaddr vaddr)) \<and>
|
|
|
|
sel4_pd < 2 ^ si_cnode_size \<and>
|
|
|
|
object_slots (object_default_state cap_obj) (unat (pt_slot_of_vaddr vaddr)) = Some cap_slots \<and>
|
|
|
|
(n = 12 \<or> n = 16) \<and>
|
|
|
|
t (cap_object pt_cap) = Some pt_ptr \<and>
|
|
|
|
t spec_pd_ptr = Some pd_ptr \<and>
|
|
|
|
t spec_page_ptr = Some page_ptr)\<rbrace>
|
|
|
|
seL4_Page_Map sel4_page sel4_pd vaddr rights vmattribs
|
|
|
|
\<lbrace>\<lambda>rv. \<guillemotleft>object_slot_initialised spec t spec_pd_ptr (unat (vaddr >> 20)) \<and>*
|
|
|
|
object_slot_initialised spec t (cap_object pt_cap) (unat (pt_slot_of_vaddr vaddr)) \<and>*
|
|
|
|
(si_cnode_id , offset sel4_page si_cnode_size) \<mapsto>c
|
|
|
|
FrameCap dev page_ptr vm_read_write n Real None \<and>*
|
|
|
|
(si_cnode_id , offset sel4_pd si_cnode_size) \<mapsto>c (PageDirectoryCap pd_ptr Real None) \<and>*
|
|
|
|
si_objects \<and>* R\<guillemotright>\<rbrace>"
|
|
|
|
apply (rule hoare_gen_asm)
|
|
|
|
apply (wp sep_wp: seL4_Page_Map_wp[where n=n and cnode_cap= si_cspace_cap and
|
|
|
|
root_size = si_cnode_size and pt_ptr = pt_ptr])
|
|
|
|
apply fastforce+
|
|
|
|
apply (simp add: word_bits_def guard_equal_si_cspace_cap)+
|
|
|
|
apply clarsimp
|
|
|
|
apply sep_cancel+
|
|
|
|
apply (clarsimp simp: si_objects_def sep_conj_assoc sep_state_projection2_def root_tcb_def
|
|
|
|
update_slots_def)
|
|
|
|
apply sep_cancel+
|
|
|
|
apply (clarsimp simp: object_slot_empty_def object_fields_empty_def
|
|
|
|
object_initialised_general_def si_objects_def cdl_lookup_pd_slot_def
|
|
|
|
root_tcb_def update_slots_def validate_vm_rights_inter_rw)
|
|
|
|
apply (sep_drule sep_map_c_sep_map_s)
|
|
|
|
apply (clarsimp, fastforce)
|
|
|
|
apply (clarsimp simp: object_slot_initialised_lookup shiftr_less cap_object_def)
|
|
|
|
apply sep_solve
|
|
|
|
done
|
2014-07-14 19:32:44 +00:00
|
|
|
|
|
|
|
lemma seL4_PageTable_Map_object_initialised_sep:
|
|
|
|
"\<lbrace>\<guillemotleft>object_slot_empty spec t pd_id (unat (shiftr vaddr 20)) \<and>*
|
|
|
|
(si_cnode_id, offset sel4_pt si_cnode_size) \<mapsto>c (PageTableCap pt_ptr Real None) \<and>*
|
|
|
|
(si_cnode_id, offset sel4_pd si_cnode_size) \<mapsto>c (PageDirectoryCap pd_ptr Real None) \<and>*
|
|
|
|
si_objects \<and>* R\<guillemotright> and K(
|
|
|
|
well_formed spec \<and>
|
|
|
|
pd_at pd_id spec \<and>
|
|
|
|
opt_cap (pd_id, unat (shiftr vaddr 20)) spec = Some (PageTableCap pt_id Fake None) \<and>
|
|
|
|
|
|
|
|
sel4_pt < 2 ^ si_cnode_size \<and>
|
|
|
|
sel4_pd < 2 ^ si_cnode_size \<and>
|
|
|
|
|
|
|
|
t pd_id = Some pd_ptr \<and>
|
|
|
|
t pt_id = Some pt_ptr)\<rbrace>
|
|
|
|
seL4_PageTable_Map sel4_pt sel4_pd vaddr vmattribs
|
|
|
|
\<lbrace>\<lambda>rv. \<guillemotleft>object_slot_initialised spec t pd_id (unat (shiftr vaddr 20)) \<and>*
|
|
|
|
(si_cnode_id, offset sel4_pt si_cnode_size) \<mapsto>c (PageTableCap pt_ptr Real None) \<and>*
|
|
|
|
(si_cnode_id, offset sel4_pd si_cnode_size) \<mapsto>c (PageDirectoryCap pd_ptr Real None) \<and>*
|
|
|
|
si_objects \<and>* R\<guillemotright>\<rbrace>"
|
|
|
|
apply (rule hoare_gen_asm)
|
2019-01-25 05:38:20 +00:00
|
|
|
apply (clarsimp simp: object_slot_initialised_lookup cap_transform_def
|
|
|
|
update_cap_object_def object_at_def is_pd_def)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (clarsimp split:cdl_object.split_asm)
|
2019-01-25 05:38:20 +00:00
|
|
|
apply (wp add: seL4_Page_Table_Map[where cnode_cap = si_cspace_cap
|
|
|
|
and root_size = si_cnode_size
|
|
|
|
and ptr = pt_ptr
|
|
|
|
and pd_ptr = pd_ptr,
|
|
|
|
sep_wandise])
|
|
|
|
apply (simp add: word_bits_def guard_equal_si_cspace_cap)+
|
|
|
|
apply (clarsimp simp: si_objects_def sep_state_projection2_def object_slot_empty_def
|
|
|
|
object_fields_empty_def object_initialised_general_def cdl_lookup_pd_slot_def
|
2014-07-14 19:32:44 +00:00
|
|
|
root_tcb_def update_slots_def)
|
|
|
|
apply sep_cancel+
|
2019-01-25 05:38:20 +00:00
|
|
|
apply (sep_drule sep_map_c_sep_map_s)
|
|
|
|
apply (fastforce simp: object_default_state_def object_type_def default_object_def
|
|
|
|
object_slots_def empty_cap_map_shiftr_NullCap)
|
|
|
|
by sep_solve
|
2014-07-14 19:32:44 +00:00
|
|
|
|
|
|
|
lemma assert_opt_validI:
|
|
|
|
assumes w: "\<And>a. r = Some a \<Longrightarrow> \<lbrace>P\<rbrace> f a \<lbrace>Q\<rbrace>"
|
|
|
|
shows "\<lbrace>P\<rbrace> (assert_opt r) >>= f \<lbrace>Q\<rbrace>"
|
|
|
|
using w
|
|
|
|
by (clarsimp simp:assert_opt_def split:option.split)
|
|
|
|
|
|
|
|
lemma sep_caps_at_split: "a \<in> A \<Longrightarrow>
|
2016-09-22 09:23:19 +00:00
|
|
|
si_caps_at t orig_caps spec dev A = (
|
|
|
|
si_cap_at t orig_caps spec dev a \<and>* si_caps_at t orig_caps spec dev (A - {a}))"
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (simp add:si_caps_at_def)
|
2016-10-25 06:01:30 +00:00
|
|
|
apply (subst sep.prod.union_disjoint [where A = "{a}", simplified, symmetric])
|
2014-07-14 19:32:44 +00:00
|
|
|
apply simp
|
|
|
|
apply (simp add:insert_absorb)
|
|
|
|
done
|
|
|
|
|
2019-01-25 05:38:20 +00:00
|
|
|
lemma duplicate_frame_cap_sep:
|
|
|
|
"\<lbrace>\<guillemotleft>(si_cnode_id, unat free_cptr) \<mapsto>c NullCap \<and>*
|
|
|
|
si_caps_at t orig_caps spec dev {obj_id. real_object_at obj_id spec} \<and>* si_objects \<and>* R\<guillemotright> and K (
|
|
|
|
well_formed spec \<and>
|
|
|
|
unat free_cptr < 2 ^ si_cnode_size \<and>
|
|
|
|
frame_at obj_id spec)\<rbrace>
|
|
|
|
duplicate_cap spec orig_caps (obj_id, free_cptr)
|
|
|
|
\<lbrace>\<lambda>_.
|
|
|
|
\<guillemotleft>si_cap_at t (map_of [(obj_id, free_cptr)]) spec dev obj_id
|
|
|
|
\<and>* si_caps_at t orig_caps spec dev {obj_id. real_object_at obj_id spec}
|
|
|
|
\<and>* si_objects
|
|
|
|
\<and>* R\<guillemotright>\<rbrace>"
|
|
|
|
apply (wp sep_wp: duplicate_cap_sep_general[
|
|
|
|
where free_cptr=free_cptr and
|
|
|
|
free_cptrs="[free_cptr]" and
|
|
|
|
obj_ids="obj_id # (sorted_list_of_set (dom (cdl_objects spec) - {obj_id}))" and
|
|
|
|
spec=spec and
|
|
|
|
obj_id=obj_id and
|
|
|
|
obj_filter=frame_at])
|
|
|
|
apply (clarsimp simp: object_at_def wf_obj_filter_frame_at, intro conjI)
|
|
|
|
apply sep_solve
|
|
|
|
apply fastforce
|
2014-07-14 19:32:44 +00:00
|
|
|
done
|
|
|
|
|
2019-01-25 05:38:20 +00:00
|
|
|
lemma si_caps_at_take_2:
|
|
|
|
"\<lbrakk>well_formed spec;
|
|
|
|
pd_at spec_pd_ptr spec;
|
|
|
|
frame_at spec_pt_section_ptr spec\<rbrakk>
|
|
|
|
\<Longrightarrow> si_caps_at t orig_caps spec dev {obj_id. real_object_at obj_id spec} =
|
|
|
|
(si_cap_at t orig_caps spec dev spec_pd_ptr \<and>*
|
|
|
|
si_cap_at t orig_caps spec dev spec_pt_section_ptr \<and>*
|
|
|
|
si_caps_at t orig_caps spec dev ({obj_id. real_object_at obj_id spec} -
|
|
|
|
{spec_pd_ptr} - {spec_pt_section_ptr}))"
|
|
|
|
apply (frule (1) object_at_real_object_at)
|
|
|
|
apply (frule (1) object_at_real_object_at[where obj_id=spec_pt_section_ptr])
|
|
|
|
apply (clarsimp simp: object_at_def is_pd_def is_frame_def is_pt_def split: cdl_object.split_asm)
|
|
|
|
by (metis sep_caps_at_split[where a="spec_pd_ptr"]
|
|
|
|
sep_caps_at_split[where a="spec_pt_section_ptr"]
|
|
|
|
cdl_object.exhaust mem_Collect_eq member_remove option.inject remove_def)
|
2014-07-14 19:32:44 +00:00
|
|
|
|
2019-01-25 05:38:20 +00:00
|
|
|
lemma si_caps_at_take_2_not_object_at:
|
|
|
|
"\<lbrakk>well_formed spec;
|
|
|
|
cdl_objects spec spec_pd_ptr = Some pd;
|
|
|
|
is_pd pd;
|
|
|
|
cdl_objects spec spec_pt_section_ptr = Some frame;
|
|
|
|
is_frame frame\<rbrakk>
|
|
|
|
\<Longrightarrow> si_caps_at t orig_caps spec dev {obj_id. real_object_at obj_id spec} =
|
|
|
|
(si_cap_at t orig_caps spec dev spec_pd_ptr \<and>*
|
|
|
|
si_cap_at t orig_caps spec dev spec_pt_section_ptr \<and>*
|
|
|
|
si_caps_at t orig_caps spec dev ({obj_id. real_object_at obj_id spec} -
|
|
|
|
{spec_pd_ptr} - {spec_pt_section_ptr}))"
|
|
|
|
by (erule si_caps_at_take_2; fastforce simp: object_at_def)
|
|
|
|
|
|
|
|
lemma si_caps_at_take_2':
|
|
|
|
"\<lbrakk>well_formed spec;
|
|
|
|
pd_at spec_pd_ptr spec;
|
|
|
|
pt_at spec_pt_section_ptr spec \<rbrakk>
|
|
|
|
\<Longrightarrow> si_caps_at t orig_caps spec dev {obj_id. real_object_at obj_id spec} =
|
|
|
|
(si_cap_at t orig_caps spec dev spec_pd_ptr \<and>*
|
|
|
|
si_cap_at t orig_caps spec dev spec_pt_section_ptr \<and>*
|
|
|
|
si_caps_at t orig_caps spec dev ({obj_id. real_object_at obj_id spec} -
|
|
|
|
{spec_pd_ptr} - {spec_pt_section_ptr}))"
|
|
|
|
apply (frule (1) object_at_real_object_at)
|
2019-02-15 05:14:04 +00:00
|
|
|
apply (frule (1) object_at_real_object_at[where obj_id=spec_pt_section_ptr])
|
|
|
|
apply (clarsimp simp: object_at_def is_pd_def is_frame_def is_pt_def split: cdl_object.split_asm)
|
|
|
|
by (metis sep_caps_at_split[where a="spec_pd_ptr"]
|
|
|
|
sep_caps_at_split[where a="spec_pt_section_ptr"]
|
|
|
|
cdl_object.exhaust mem_Collect_eq member_remove option.inject remove_def)
|
2014-07-14 19:32:44 +00:00
|
|
|
|
2019-01-25 05:38:20 +00:00
|
|
|
lemma frame_at_default_cap[simp]:
|
|
|
|
"well_formed spec \<Longrightarrow>
|
|
|
|
is_frame frame \<Longrightarrow>
|
|
|
|
cdl_objects spec (cap_object frame_cap) = Some frame \<Longrightarrow>
|
|
|
|
opt_cap (parent_id, slot) spec = Some frame_cap \<Longrightarrow>
|
|
|
|
is_fake_frame_cap frame_cap \<Longrightarrow>
|
|
|
|
t (cap_object frame_cap) = Some ptr' \<Longrightarrow>
|
|
|
|
default_cap (object_type frame) {ptr'} (object_size_bits frame) False
|
|
|
|
= conjure_real_frame_cap frame_cap t"
|
|
|
|
apply (clarsimp simp: si_caps_at_take_2 si_cap_at_def object_type_is_object object_at_def
|
|
|
|
default_cap_def object_type_def wf_frame_cap_frame_size_bits
|
|
|
|
offset_slot_si_cnode_size' vm_read_write_def si_objects_def)
|
|
|
|
apply (clarsimp simp: is_frame_def split: cdl_object.splits)
|
|
|
|
apply (clarsimp split: cdl_cap.splits cdl_frame_cap_type.splits option.splits)
|
|
|
|
apply (drule_tac frame=x8 in wf_frame_cap_frame_size_bits)
|
|
|
|
by (fastforce simp: vm_read_write_def conjure_real_frame_cap_def dev_of_def)+
|
|
|
|
|
|
|
|
lemma is_frame_default_cap[simp]:
|
|
|
|
"well_formed spec \<Longrightarrow>
|
|
|
|
frame_at (cap_object frame_cap) spec \<Longrightarrow>
|
|
|
|
cdl_objects spec (cap_object frame_cap) = Some obj \<Longrightarrow>
|
|
|
|
opt_cap (parent_id, slot) spec = Some frame_cap \<Longrightarrow>
|
|
|
|
is_fake_frame_cap frame_cap \<Longrightarrow>
|
|
|
|
t (cap_object frame_cap) = Some ptr' \<Longrightarrow>
|
|
|
|
default_cap (object_type obj) {ptr'} (object_size_bits obj) False
|
|
|
|
= conjure_real_frame_cap frame_cap t"
|
|
|
|
by (fastforce dest!: frame_at_default_cap simp: object_at_def)
|
|
|
|
|
|
|
|
lemma pt_slot_compute[simp]:
|
|
|
|
"pt_slot < 2 ^ 8 \<Longrightarrow> unat (pt_slot_of_vaddr (frame_vaddr_of_slots pd_slot pt_slot)) = pt_slot"
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (clarsimp simp:pt_size_def small_frame_size_def)
|
2019-01-25 05:38:20 +00:00
|
|
|
apply (rule of_nat_inverse)
|
|
|
|
apply (drule of_nat_mono_maybe[rotated,where 'a=32])
|
|
|
|
apply simp
|
|
|
|
apply word_bitwise
|
2014-07-14 19:32:44 +00:00
|
|
|
apply simp
|
|
|
|
apply simp
|
|
|
|
done
|
|
|
|
|
2019-01-25 05:38:20 +00:00
|
|
|
lemma pd_slot_compute_from_pt[simp]:
|
|
|
|
"pd_slot < 2 ^ 12 \<Longrightarrow>
|
|
|
|
pt_slot < 2 ^ 8 \<Longrightarrow>
|
|
|
|
unat (pd_slot_of_pt_vaddr (frame_vaddr_of_slots pd_slot pt_slot)) = pd_slot"
|
|
|
|
apply (clarsimp simp: cdl_lookup_pd_slot_def pt_size_def small_frame_size_def)
|
|
|
|
apply (rule of_nat_inverse)
|
|
|
|
apply (drule of_nat_mono_maybe[rotated,where 'a=32],simp)+
|
|
|
|
apply (subst is_aligned_add_or [where n=20])
|
|
|
|
apply (rule is_aligned_shiftl, simp)
|
|
|
|
apply (rule shiftl_less_t2n, simp+)
|
|
|
|
apply (clarsimp simp: shiftr_over_or_dist)
|
|
|
|
apply (subst shiftl_shiftr_id, simp+)
|
2021-02-17 23:55:56 +00:00
|
|
|
apply (clarsimp simp: shiftl_shiftr2)
|
2019-01-25 05:38:20 +00:00
|
|
|
apply (subst le_mask_iff [THEN iffD1])
|
|
|
|
apply (clarsimp simp: mask_def plus_one_helper)
|
|
|
|
apply clarsimp
|
|
|
|
apply (clarsimp simp: word_bits_len_of)
|
2014-07-14 19:32:44 +00:00
|
|
|
done
|
|
|
|
|
2019-01-25 05:38:20 +00:00
|
|
|
lemma pd_slot_compute_inverse[simp]:
|
|
|
|
"pd_slot < 2 ^ 12 \<Longrightarrow>
|
|
|
|
unat (pd_slot_of_pt_vaddr (pt_vaddr_of_pd_slot pd_slot)) = pd_slot"
|
|
|
|
apply (clarsimp simp: cdl_lookup_pd_slot_def pt_size_def small_frame_size_def)
|
|
|
|
apply (rule of_nat_inverse)
|
|
|
|
apply (drule of_nat_mono_maybe[rotated, where 'a=32], simp)+
|
|
|
|
apply (word_bitwise, clarsimp, clarsimp)
|
2014-07-14 19:32:44 +00:00
|
|
|
done
|
|
|
|
|
2019-01-25 05:38:20 +00:00
|
|
|
lemma object_slot_empty_translate_exists:
|
|
|
|
"(object_slot_empty spec t pt_id pt_slot) s \<Longrightarrow>
|
|
|
|
(object_slot_empty spec t pt_id pt_slot) s \<and> t pt_id \<noteq> None"
|
|
|
|
by (clarsimp simp: object_slot_empty_def object_initialised_general_def)
|
|
|
|
|
|
|
|
lemma object_slot_initialised_translate_exists:
|
|
|
|
"(object_slot_initialised spec t pt_id pt_slot) s \<Longrightarrow>
|
|
|
|
(object_slot_initialised spec t pt_id pt_slot) s \<and> t pt_id \<noteq> None"
|
|
|
|
by (clarsimp simp: object_slot_initialised_def object_initialised_general_def)
|
|
|
|
|
|
|
|
lemma si_cap_at_translate_exists:
|
|
|
|
"si_cap_at t f spec dev page_id s \<Longrightarrow>
|
|
|
|
si_cap_at t f spec dev page_id s \<and> t page_id \<noteq> None"
|
|
|
|
by (clarsimp simp: si_cap_at_def)
|
|
|
|
|
|
|
|
lemmas translate_exists = si_cap_at_translate_exists object_slot_initialised_translate_exists
|
|
|
|
object_slot_empty_translate_exists
|
|
|
|
|
|
|
|
lemma si_caps_at_less_si_cnode_size:
|
|
|
|
"(si_caps_at t orig_caps spec dev xs \<and>* R) s \<Longrightarrow>
|
|
|
|
orig_caps ptr = Some v \<Longrightarrow>
|
|
|
|
ptr \<in> xs \<Longrightarrow>
|
|
|
|
v < 2 ^ si_cnode_size"
|
|
|
|
by (clarsimp simp: sep_caps_at_split si_cap_at_def sep_conj_def)
|
|
|
|
|
|
|
|
lemma si_caps_at_less_translate_exists:
|
|
|
|
"(si_caps_at t orig_caps spec dev xs \<and>* R) s \<Longrightarrow>
|
|
|
|
ptr \<in> xs \<Longrightarrow>
|
|
|
|
t ptr \<noteq> None"
|
|
|
|
by (clarsimp simp: sep_caps_at_split si_cap_at_def sep_conj_def)
|
|
|
|
|
|
|
|
lemma map_page_wp:
|
|
|
|
"\<lbrakk>well_formed spec; pd_at spec_pd_ptr spec\<rbrakk> \<Longrightarrow>
|
|
|
|
\<lbrace>\<guillemotleft>object_slot_initialised spec t spec_pd_ptr (unat (vaddr >> 20)) \<and>*
|
|
|
|
object_slot_empty spec t pt_id pt_slot \<and>*
|
|
|
|
(si_cnode_id, unat free_cptr) \<mapsto>c NullCap \<and>*
|
|
|
|
si_caps_at t orig_caps spec False {obj_id. real_object_at obj_id spec} \<and>*
|
|
|
|
si_objects \<and>* R\<guillemotright> and
|
|
|
|
K (page_cap = fake_frame_cap False page_id (validate_vm_rights rights) n \<and>
|
|
|
|
(n = 12 \<or> n = (16 :: nat)) \<and>
|
|
|
|
opt_cap (spec_pd_ptr, pd_slot) spec = Some pt_cap \<and>
|
|
|
|
pt_cap = PageTableCap pt_id Fake None \<and>
|
|
|
|
opt_cap (pt_id, pt_slot) spec = Some page_cap \<and>
|
|
|
|
vaddr = frame_vaddr_of_slots pd_slot pt_slot \<and>
|
|
|
|
pt_slot < 2 ^ 8 \<and>
|
|
|
|
pd_slot < 2 ^ 12 \<and>
|
|
|
|
the (orig_caps spec_pd_ptr) < 2 ^ si_cnode_size \<and>
|
|
|
|
free_cptr < 2 ^ si_cnode_size)\<rbrace>
|
|
|
|
map_page spec orig_caps page_id spec_pd_ptr rights vaddr free_cptr
|
|
|
|
\<lbrace>\<lambda>_. \<guillemotleft>object_slot_initialised spec t spec_pd_ptr (unat (vaddr >> 20)) \<and>*
|
|
|
|
object_slot_initialised spec t pt_id pt_slot \<and>*
|
|
|
|
(si_cnode_id, unat free_cptr) \<mapsto>c conjure_real_frame_cap page_cap t \<and>*
|
|
|
|
si_caps_at t orig_caps spec False {obj_id. real_object_at obj_id spec} \<and>*
|
|
|
|
si_objects \<and>* R\<guillemotright>\<rbrace>"
|
|
|
|
apply (rule hoare_gen_asm)
|
|
|
|
apply (frule well_formed_pt_cap_pt_at[where cap=pt_cap],
|
|
|
|
fastforce, clarsimp simp: is_fake_pt_cap_def)
|
|
|
|
apply (elim conjE)
|
|
|
|
apply (clarsimp simp: map_page_def dest!: domE)
|
|
|
|
apply (wp)
|
|
|
|
apply (clarsimp simp: object_at_def)
|
|
|
|
apply (wp sep_wp: seL4_Page_Map_object_initialised_sep
|
|
|
|
[where n=n and
|
|
|
|
spec=spec and
|
|
|
|
cap_obj="the (cdl_objects spec pt_id)" and
|
|
|
|
spec_pd_ptr=spec_pd_ptr and
|
|
|
|
pt_ptr="the (t pt_id)" and
|
|
|
|
pt_cap=pt_cap and
|
|
|
|
spec_page_ptr=page_id and
|
|
|
|
page_ptr="the (t page_id)" and
|
|
|
|
t=t and
|
|
|
|
pd_ptr="the (t spec_pd_ptr)"]
|
|
|
|
duplicate_frame_cap_sep)+
|
|
|
|
apply clarsimp
|
|
|
|
apply (intro conjI, sep_cancel+, intro conjI)
|
|
|
|
apply (sep_simp si_caps_at_take_2 si_cap_at_def)
|
|
|
|
apply (clarsimp simp: offset_slot_si_cnode_size' vm_read_write_def
|
|
|
|
conjure_real_frame_cap_def dev_of_def
|
|
|
|
is_frame_default_cap[where frame_cap=page_cap])
|
|
|
|
apply sep_solve
|
|
|
|
apply (fastforce simp: object_at_def pt_size_def pt_has_slots
|
|
|
|
intro: object_slots_object_default_state_NullCap')+
|
|
|
|
by (sep_map thms: translate_exists, fastforce simp: unat_less_2_si_cnode_size')+
|
2014-07-14 19:32:44 +00:00
|
|
|
|
2019-02-15 05:14:04 +00:00
|
|
|
(***********************************************************
|
|
|
|
* Mapping a frame inside a page directory *
|
|
|
|
************************************************************)
|
2019-01-25 05:38:20 +00:00
|
|
|
lemma map_page_in_pd_wp:
|
|
|
|
"\<lbrakk>well_formed spec; pd_at pd_id spec\<rbrakk> \<Longrightarrow>
|
|
|
|
\<lbrace>\<guillemotleft>object_slot_empty spec t pd_id pd_slot \<and>*
|
|
|
|
(si_cnode_id, unat free_cptr) \<mapsto>c NullCap \<and>*
|
|
|
|
si_caps_at t orig_caps spec False {obj_id. real_object_at obj_id spec} \<and>*
|
|
|
|
si_objects \<and>* R\<guillemotright> and
|
|
|
|
K ( page_cap = fake_frame_cap False page_id (validate_vm_rights rights) n \<and>
|
|
|
|
(n = 20 \<or> n = (24 :: nat)) \<and>
|
|
|
|
pd_slot = unat (pd_slot_of_pt_vaddr vaddr) \<and>
|
|
|
|
opt_cap (pd_id, pd_slot) spec = Some page_cap \<and>
|
|
|
|
pd_slot < 2 ^ 12 \<and>
|
|
|
|
the (orig_caps pd_id) < 2 ^ si_cnode_size \<and>
|
|
|
|
free_cptr < 2 ^ si_cnode_size)\<rbrace>
|
|
|
|
map_page spec orig_caps page_id pd_id rights vaddr free_cptr
|
|
|
|
\<lbrace>\<lambda>_. \<guillemotleft>object_slot_initialised spec t pd_id pd_slot \<and>*
|
|
|
|
(si_cnode_id, unat free_cptr) \<mapsto>c conjure_real_frame_cap page_cap t \<and>*
|
|
|
|
si_caps_at t orig_caps spec False {obj_id. real_object_at obj_id spec} \<and>*
|
|
|
|
si_objects \<and>* R\<guillemotright>\<rbrace>"
|
|
|
|
apply (rule hoare_gen_asm)
|
|
|
|
apply (elim conjE)
|
|
|
|
apply (clarsimp simp: map_page_def dest!: domE)
|
|
|
|
apply (intro assert_opt_validI)
|
|
|
|
apply wp
|
|
|
|
apply (clarsimp simp: object_at_def)
|
|
|
|
apply (wp sep_wp: seL4_Section_Map_wp[where pd_ptr="the (t pd_id)" and
|
|
|
|
frame_ptr="the (t page_id)" and
|
|
|
|
cnode_cap=si_cspace_cap and
|
|
|
|
root_size=si_cnode_size and
|
|
|
|
n=n];
|
|
|
|
fastforce simp: word_bits_def intro!: guard_equal_si_cspace_cap)
|
|
|
|
apply (wp sep_wp: duplicate_frame_cap_sep)+
|
|
|
|
apply (clarsimp, intro conjI impI, clarsimp simp: si_objects_def cdl_lookup_pd_slot_def)
|
|
|
|
apply sep_cancel+
|
|
|
|
apply (sep_map thms: translate_exists)
|
|
|
|
apply (sep_simp si_cap_at_def object_at_def object_slot_empty_eq)
|
|
|
|
apply (sep_drule sep_map_c_sep_map_s)
|
|
|
|
apply (clarsimp simp: opt_cap_def object_default_state_def is_pd_def object_type_def
|
|
|
|
default_object_def
|
|
|
|
split: cdl_object.splits)
|
|
|
|
apply (clarsimp simp: object_slots_def empty_cap_map_def, fastforce)
|
|
|
|
apply sep_cancel+
|
|
|
|
apply (clarsimp simp: si_caps_at_take_2_not_object_at offset_slot_si_cnode_size' si_cap_at_def
|
|
|
|
frame_at_default_cap[where frame_cap=page_cap] cap_object_def
|
|
|
|
object_at_def conjure_real_frame_cap_def dev_of_def
|
|
|
|
root_tcb_def update_slots_def)
|
|
|
|
apply sep_cancel+
|
|
|
|
apply (fastforce simp: object_slot_initialised_lookup shiftr_less cap_object_def
|
|
|
|
validate_vm_rights_inter_rw)
|
|
|
|
by (fastforce simp: unat_less_2_si_cnode_size')
|
|
|
|
|
2019-02-15 05:14:04 +00:00
|
|
|
(***********************************************************
|
|
|
|
* Mapping a page table inside a page directory *
|
|
|
|
************************************************************)
|
|
|
|
|
2019-01-25 05:38:20 +00:00
|
|
|
lemma map_page_table_in_pd_wp:
|
|
|
|
"\<lbrakk>well_formed spec; pd_at pd_id spec\<rbrakk> \<Longrightarrow>
|
|
|
|
\<lbrace>\<guillemotleft>object_slot_empty spec t pd_id pd_slot \<and>*
|
|
|
|
si_caps_at t orig_caps spec dev {obj_id. real_object_at obj_id spec} \<and>*
|
|
|
|
si_objects \<and>* R\<guillemotright> and
|
|
|
|
K ((n = 20 \<or> n = 24) \<and>
|
|
|
|
opt_cap (pd_id, pd_slot) spec = Some (PageTableCap spec_pt_section_ptr Fake None) \<and>
|
|
|
|
pd_slot < 2 ^ 12 \<and>
|
|
|
|
vaddr = pt_vaddr_of_pd_slot pd_slot)\<rbrace>
|
|
|
|
map_page_table spec orig_caps spec_pt_section_ptr pd_id rights vaddr
|
|
|
|
\<lbrace>\<lambda>_. \<guillemotleft>object_slot_initialised spec t pd_id pd_slot \<and>*
|
2016-09-22 09:23:19 +00:00
|
|
|
si_caps_at t orig_caps spec dev {obj_id. real_object_at obj_id spec} \<and>*
|
2014-07-14 19:32:44 +00:00
|
|
|
si_objects \<and>* R\<guillemotright>\<rbrace>"
|
|
|
|
apply (rule hoare_gen_asm)
|
2019-01-25 05:38:20 +00:00
|
|
|
apply (clarsimp simp: map_page_table_def dest!: domE)
|
|
|
|
apply (intro assert_opt_validI)
|
|
|
|
apply wp
|
2019-02-28 03:34:01 +00:00
|
|
|
apply (clarsimp simp: object_at_def)
|
2019-01-25 05:38:20 +00:00
|
|
|
apply (wp sep_wp:
|
|
|
|
seL4_PageTable_Map_object_initialised_sep[where pt_ptr ="the (t spec_pt_section_ptr)"
|
|
|
|
and pd_ptr ="the (t pd_id)"])+
|
|
|
|
apply (clarsimp, intro conjI impI)
|
|
|
|
apply sep_cancel+
|
|
|
|
apply (sep_simp si_caps_at_take_2' si_cap_at_def offset_slot_si_cnode_size')
|
|
|
|
apply sep_solve
|
|
|
|
apply assumption+
|
|
|
|
by (sep_simp si_caps_at_less_si_cnode_size[rotated 2, OF pt_at_is_real]
|
|
|
|
si_caps_at_less_si_cnode_size[rotated 2, OF pd_at_is_real]
|
|
|
|
si_caps_at_less_translate_exists[rotated, OF pt_at_is_real]
|
|
|
|
si_caps_at_less_translate_exists[rotated, OF pd_at_is_real])+
|
|
|
|
|
2019-02-15 05:14:04 +00:00
|
|
|
(***********************************************************
|
|
|
|
* Mapping a page table slot *
|
|
|
|
************************************************************)
|
|
|
|
|
2019-01-25 05:38:20 +00:00
|
|
|
lemma map_page_table_slot_wp:
|
|
|
|
"\<lbrakk>well_formed spec; pd_at pd_id spec\<rbrakk> \<Longrightarrow>
|
|
|
|
\<lbrace>\<guillemotleft>object_slot_initialised spec t pd_id pd_slot \<and>*
|
|
|
|
object_slot_empty spec t (cap_object pt_cap) pt_slot \<and>*
|
|
|
|
(si_cnode_id, unat free_cptr) \<mapsto>c NullCap \<and>*
|
|
|
|
si_caps_at t orig_caps spec False {obj_id. real_object_at obj_id spec} \<and>*
|
|
|
|
si_objects \<and>* R\<guillemotright> and K (
|
|
|
|
opt_cap (pd_id, pd_slot) spec = Some pt_cap \<and>
|
|
|
|
pt_at (cap_object pt_cap) spec \<and>
|
|
|
|
opt_cap (pt_id, pt_slot) spec = Some page_cap \<and>
|
|
|
|
cptr_map (pt_id, pt_slot) = free_cptr \<and>
|
|
|
|
pt_cap = PageTableCap pt_id Fake None \<and>
|
|
|
|
((page_cap = fake_frame_cap False page_id (validate_vm_rights rights) n \<and> (n = 12 \<or> n = 16))
|
|
|
|
\<or> page_cap = NullCap) \<and>
|
|
|
|
free_cptr < 2 ^ si_cnode_size \<and>
|
|
|
|
pd_slot < 2 ^ 12 \<and>
|
|
|
|
pt_slot < 2 ^ 8 \<and>
|
|
|
|
vaddr = pt_vaddr_of_pd_slot pd_slot)\<rbrace>
|
|
|
|
map_page_table_slot spec orig_caps pd_id pt_id vaddr cptr_map pt_slot
|
|
|
|
\<lbrace>\<lambda>_. \<guillemotleft>object_slot_initialised spec t pd_id pd_slot \<and>*
|
|
|
|
object_slot_initialised spec t (cap_object pt_cap) pt_slot \<and>*
|
|
|
|
si_caps_at t orig_caps spec False {obj_id. real_object_at obj_id spec} \<and>*
|
|
|
|
si_objects \<and>* (si_cnode_id, unat free_cptr) \<mapsto>c conjure_real_frame_cap page_cap t \<and>* R\<guillemotright>\<rbrace>"
|
|
|
|
apply (rule hoare_gen_asm)
|
|
|
|
apply (clarsimp simp: map_page_table_slot_def is_fake_pt_cap_def dest!: domE split: cdl_cap.splits)
|
|
|
|
apply (intro conjI impI)
|
|
|
|
apply (wp sep_wp: map_page_wp[where n=n and page_cap=page_cap])
|
|
|
|
apply (clarsimp, intro conjI; clarsimp?)
|
|
|
|
apply sep_solve
|
|
|
|
apply (clarsimp simp: cap_rights_def)
|
|
|
|
apply fastforce+
|
|
|
|
apply (subst (asm) sep_caps_at_split[where a=pd_id], clarsimp simp: object_at_real_object_at)
|
|
|
|
apply (sep_simp si_cap_at_def)
|
|
|
|
apply (wp, clarsimp simp: conjure_real_frame_cap_def)
|
|
|
|
apply sep_cancel+
|
|
|
|
by (fastforce simp: object_slot_empty_initialised_NullCap object_at_def is_tcb_def)
|
|
|
|
|
2019-02-15 05:14:04 +00:00
|
|
|
(***********************************************************
|
|
|
|
* Mapping a page directory slot that contains a frame *
|
|
|
|
************************************************************)
|
|
|
|
|
2019-01-25 05:38:20 +00:00
|
|
|
lemma map_page_directory_slot_page_wp:
|
|
|
|
"frame_at page_id spec \<Longrightarrow>
|
|
|
|
\<lbrace>\<guillemotleft>(object_slot_empty spec t pd_id pd_slot \<and>* (si_cnode_id, unat free_cptr) \<mapsto>c NullCap \<and>*
|
|
|
|
si_caps_at t orig_caps spec False {obj_id. real_object_at obj_id spec} \<and>* si_objects \<and>* R)\<guillemotright> and
|
|
|
|
K (page_cap = fake_frame_cap False page_id (validate_vm_rights rights) n \<and> well_formed spec \<and>
|
|
|
|
pd_at pd_id spec \<and> (n = 20 \<or> n = 24) \<and> cptr_map (pd_id, pd_slot) = free_cptr \<and>
|
|
|
|
pd_slot = unat (pd_slot_of_pt_vaddr vaddr) \<and> opt_cap (pd_id, pd_slot) spec = Some page_cap \<and>
|
|
|
|
pd_slot < 2 ^ 12 \<and> the (orig_caps pd_id) < 2 ^ si_cnode_size \<and>
|
|
|
|
free_cptr < 2 ^ si_cnode_size)\<rbrace>
|
|
|
|
map_page_directory_slot spec orig_caps pd_id cptr_map pd_slot
|
|
|
|
\<lbrace>\<lambda>_. \<guillemotleft>(object_slot_initialised spec t pd_id pd_slot \<and>*
|
|
|
|
(si_cnode_id, unat free_cptr) \<mapsto>c conjure_real_frame_cap page_cap t \<and>*
|
|
|
|
si_caps_at t orig_caps spec False {obj_id. real_object_at obj_id spec} \<and>* si_objects \<and>* R)\<guillemotright>\<rbrace>"
|
|
|
|
apply (rule hoare_gen_asm)
|
|
|
|
apply (clarsimp simp: map_page_directory_slot_def)
|
|
|
|
apply (intro conjI impI)
|
|
|
|
apply (fastforce simp: object_at_def dest: not_frame_and_pt)
|
|
|
|
apply (wp sep_wp: map_page_in_pd_wp[where n=n])
|
|
|
|
apply clarsimp
|
|
|
|
apply (intro conjI)
|
|
|
|
apply sep_solve
|
|
|
|
apply (fastforce simp: cap_rights_def pt_size_def small_frame_size_def)+
|
2014-07-14 19:32:44 +00:00
|
|
|
done
|
|
|
|
|
2019-01-25 05:38:20 +00:00
|
|
|
lemma object_fields_empty_initialised_pt:
|
|
|
|
"\<lbrakk>well_formed spec; pt_at obj_id spec\<rbrakk> \<Longrightarrow>
|
2014-07-14 19:32:44 +00:00
|
|
|
object_fields_empty spec t obj_id = object_fields_initialised spec t obj_id"
|
|
|
|
apply (clarsimp simp: object_at_def object_type_is_object)
|
|
|
|
apply (frule (1) well_formed_object_slots)
|
|
|
|
apply (clarsimp simp: object_fields_empty_def object_fields_initialised_def
|
|
|
|
object_initialised_general_def object_at_def object_type_is_object)
|
2019-01-25 05:38:20 +00:00
|
|
|
apply (subst sep_map_f_object_size_bits_pt, simp+)
|
2014-07-14 19:32:44 +00:00
|
|
|
done
|
|
|
|
|
2019-01-25 05:38:20 +00:00
|
|
|
lemma object_fields_empty_initialised_pd:
|
|
|
|
"\<lbrakk>well_formed spec; pd_at obj_id spec\<rbrakk> \<Longrightarrow>
|
2014-07-14 19:32:44 +00:00
|
|
|
object_fields_empty spec t obj_id = object_fields_initialised spec t obj_id"
|
|
|
|
apply (clarsimp simp: object_at_def object_type_is_object)
|
|
|
|
apply (frule (1) well_formed_object_slots)
|
|
|
|
apply (clarsimp simp: object_fields_empty_def object_fields_initialised_def
|
|
|
|
object_initialised_general_def object_at_def object_type_is_object)
|
2019-01-25 05:38:20 +00:00
|
|
|
apply (subst sep_map_f_object_size_bits_pd, simp+)
|
2014-07-14 19:32:44 +00:00
|
|
|
done
|
|
|
|
|
2019-01-25 05:38:20 +00:00
|
|
|
lemma pt_NullCap_empty_init:
|
|
|
|
"well_formed spec \<Longrightarrow>
|
|
|
|
pt_at obj_id spec \<Longrightarrow>
|
|
|
|
cap_at (\<lambda>x. x = NullCap) (obj_id, slot) spec \<Longrightarrow>
|
|
|
|
object_slot_empty spec t obj_id slot = object_slot_initialised spec t obj_id slot"
|
|
|
|
apply (rule object_slot_empty_initialised_NullCap)
|
|
|
|
apply fastforce
|
|
|
|
apply (clarsimp simp: object_at_def is_pt_def is_tcb_def split: cdl_object.splits)
|
|
|
|
apply (metis cdl_object.exhaust)
|
|
|
|
apply (clarsimp simp: cap_at_def)
|
|
|
|
done
|
2014-07-14 19:32:44 +00:00
|
|
|
|
2019-01-25 05:38:20 +00:00
|
|
|
lemma pd_NullCap_empty_init:
|
|
|
|
"well_formed spec \<Longrightarrow>
|
|
|
|
pd_at obj_id spec \<Longrightarrow> cap_at (\<lambda>x. x = NullCap) (obj_id, slot) spec \<Longrightarrow>
|
|
|
|
object_slot_empty spec t obj_id slot = object_slot_initialised spec t obj_id slot"
|
|
|
|
apply (rule object_slot_empty_initialised_NullCap)
|
|
|
|
apply clarsimp
|
|
|
|
apply (clarsimp simp: object_at_def is_pd_def is_tcb_def split: cdl_object.splits)
|
|
|
|
apply (metis cdl_object.exhaust)
|
|
|
|
apply (clarsimp simp: cap_at_def)
|
|
|
|
done
|
2014-07-14 19:32:44 +00:00
|
|
|
|
2019-02-15 05:14:04 +00:00
|
|
|
(***********************************************************
|
|
|
|
* Mapping a page directory slot that contains a page table *
|
|
|
|
************************************************************)
|
|
|
|
|
2019-01-25 05:38:20 +00:00
|
|
|
lemma map_page_directory_slot_pt_wp:
|
|
|
|
"pt_at pt_id spec \<Longrightarrow>
|
|
|
|
\<lbrace>\<guillemotleft>object_slot_empty spec t pd_id slot \<and>*
|
|
|
|
si_caps_at t orig_caps spec False {obj_id. real_object_at obj_id spec} \<and>*
|
|
|
|
si_objects \<and>*
|
|
|
|
sep_map_list_conj ((\<lambda>x. (si_cnode_id, unat x) \<mapsto>c NullCap) o cptr_map o (Pair pt_id))
|
|
|
|
[slot <- page_slots. cap_at ((\<noteq>) NullCap) (pt_id, slot) spec] \<and>*
|
|
|
|
object_empty spec t pt_id \<and>* R\<guillemotright> and K (
|
|
|
|
(\<forall>n \<in> range cptr_map. n < 2 ^ si_cnode_size) \<and>
|
|
|
|
pt_cap = PageTableCap pt_id Fake None \<and>
|
|
|
|
well_formed spec \<and>
|
|
|
|
slot < 0x1000 \<and> (n = 12 \<or> n = (16 :: nat)) \<and>
|
|
|
|
pd_at pd_id spec \<and>
|
|
|
|
page_slots = slots_of_list spec pt_id \<and>
|
|
|
|
opt_cap (pd_id, slot) spec = Some pt_cap)\<rbrace>
|
|
|
|
map_page_directory_slot spec orig_caps pd_id cptr_map slot
|
|
|
|
\<lbrace>\<lambda>_. \<guillemotleft>sep_map_list_conj (\<lambda>x. (si_cnode_id, unat (cptr_map (pt_id, x)))
|
|
|
|
\<mapsto>c conjure_real_frame_cap (the_cap spec pt_id x) t)
|
|
|
|
[slot <- page_slots. cap_at ((\<noteq>) NullCap) (pt_id, slot) spec] \<and>*
|
|
|
|
object_initialised spec t pt_id \<and>* object_slot_initialised spec t pd_id slot \<and>*
|
|
|
|
si_caps_at t orig_caps spec False {obj_id. real_object_at obj_id spec} \<and>*
|
|
|
|
si_objects \<and>* R\<guillemotright>\<rbrace>"
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule hoare_gen_asm)
|
2019-01-25 05:38:20 +00:00
|
|
|
apply (clarsimp simp: map_page_directory_slot_def)
|
|
|
|
apply (rule hoare_name_pre_state)
|
|
|
|
apply (wp map_page_table_slot_wp[where pt_cap=pt_cap,
|
|
|
|
simplified sep_wp_simp, THEN sep_hoare_fold_mapM_x]
|
|
|
|
map_page_table_in_pd_wp[sep_wandise])+
|
|
|
|
apply (clarsimp, intro conjI impI)
|
|
|
|
apply sep_cancel+
|
|
|
|
apply (clarsimp simp: pt_size_def small_frame_size_def word_of_nat_less word_bits_def
|
|
|
|
unat_of_nat32)
|
|
|
|
apply (sep_fold_cancel, rule sep_map_sep_foldI)
|
2019-06-03 01:02:44 +00:00
|
|
|
apply (clarsimp simp: map_def comp_def object_empty_decomp object_initialised_decomp
|
2019-01-25 05:38:20 +00:00
|
|
|
object_empty_slots_empty_initialised object_fields_empty_initialised_pt
|
|
|
|
object_slots_initialised_decomp object_slots_empty_decomp sep_conj_ac)
|
|
|
|
apply sep_cancel+
|
|
|
|
apply (clarsimp simp: well_formed_finite sep.prod.union_diff2 sep_list_conj_sep_map_set_conj
|
|
|
|
well_formed_distinct_slots_of_list
|
|
|
|
sep_map_set_conj_set_cong
|
|
|
|
[OF split_filter_set
|
|
|
|
[where xs="dom (slots_of pt_id spec)" and
|
|
|
|
P="\<lambda>slot. cap_at ((\<noteq>) NullCap) (pt_id, slot) spec"]])
|
|
|
|
apply sep_cancel+
|
|
|
|
apply (fastforce elim: sep_map_set_conj_match
|
|
|
|
simp: pt_NullCap_empty_init not_cap_at_cap_not_at eq_commute)
|
|
|
|
apply clarsimp
|
|
|
|
apply (intro conjI)
|
|
|
|
apply (clarsimp simp: object_at_def cap_at_def)
|
|
|
|
apply clarsimp
|
|
|
|
apply (erule wf_cap_in_pt_is_frame; fastforce simp: cap_at_def)
|
|
|
|
apply (frule well_formed_slot_object_size_bits_pt[where obj_id=pt_id,
|
2019-02-11 02:19:27 +00:00
|
|
|
simplified is_pt_pt_size])
|
2019-01-25 05:38:20 +00:00
|
|
|
by (fastforce simp: cap_at_def opt_cap_def pt_size_def small_frame_size_def)+
|
|
|
|
|
2019-02-15 05:14:04 +00:00
|
|
|
(***********************************************************
|
|
|
|
* Mapping a page directory *
|
|
|
|
************************************************************)
|
|
|
|
|
2019-01-25 05:38:20 +00:00
|
|
|
lemma map_page_directory_wp_expanded:
|
|
|
|
"\<lbrakk>well_formed spec; pd_at pd_id spec; pd_slots = slots_of_list spec pd_id;
|
|
|
|
list_all (\<lambda>n. n < 2 ^ 12) pd_slots; \<forall>ptr. cptr_map ptr < 2 ^ si_cnode_size;
|
|
|
|
the (orig_caps pd_id) < 2 ^ si_cnode_size\<rbrakk> \<Longrightarrow>
|
|
|
|
\<lbrace>\<guillemotleft>si_objects \<and>*
|
|
|
|
si_caps_at t orig_caps spec False {obj_id. real_object_at obj_id spec} \<and>*
|
|
|
|
\<And>* map (\<lambda>x.
|
|
|
|
let pt_id = get_obj pd_id x spec in
|
|
|
|
object_slot_empty spec t pd_id x \<and>*
|
|
|
|
object_empty spec t pt_id \<and>*
|
|
|
|
sep_map_set_conj (\<lambda>y. (si_cnode_id, unat (cptr_map (pt_id, y))) \<mapsto>c NullCap)
|
|
|
|
{slot \<in> dom (slots_of pt_id spec).
|
|
|
|
cap_at ((\<noteq>) NullCap) (pt_id, slot) spec})
|
2019-02-15 05:14:04 +00:00
|
|
|
[slot <- pd_slots. cap_object_from_slot pd_id slot pt_at spec] \<and>*
|
2019-01-25 05:38:20 +00:00
|
|
|
\<And>* map (\<lambda>x.
|
|
|
|
let frame_id = get_obj pd_id x spec in
|
|
|
|
(si_cnode_id, unat (cptr_map (pd_id, x))) \<mapsto>c NullCap \<and>*
|
|
|
|
object_slot_empty spec t pd_id x)
|
2019-02-15 05:14:04 +00:00
|
|
|
[slot <- pd_slots. cap_object_from_slot pd_id slot frame_at spec] \<and>*
|
2019-01-25 05:38:20 +00:00
|
|
|
R\<guillemotright>\<rbrace>
|
|
|
|
map_page_directory spec orig_caps cptr_map pd_id
|
|
|
|
\<lbrace>\<lambda>_. \<guillemotleft>si_objects \<and>*
|
|
|
|
si_caps_at t orig_caps spec False {obj_id. real_object_at obj_id spec} \<and>*
|
|
|
|
\<And>* map (\<lambda>x.
|
|
|
|
let pt_id = get_obj pd_id x spec in
|
|
|
|
object_slot_initialised spec t pd_id x \<and>*
|
|
|
|
object_initialised spec t pt_id \<and>*
|
|
|
|
sep_map_set_conj (\<lambda>y. (si_cnode_id, unat (cptr_map (pt_id, y)))
|
|
|
|
\<mapsto>c conjure_real_frame_cap (the_cap spec pt_id y) t)
|
|
|
|
{slot \<in> dom (slots_of pt_id spec).
|
|
|
|
cap_at ((\<noteq>) NullCap) (pt_id, slot) spec})
|
2019-02-15 05:14:04 +00:00
|
|
|
[slot <- pd_slots. cap_object_from_slot pd_id slot pt_at spec] \<and>*
|
2019-01-25 05:38:20 +00:00
|
|
|
\<And>* map (\<lambda>x.
|
|
|
|
let frame_id = get_obj pd_id x spec in
|
|
|
|
(si_cnode_id, unat (cptr_map (pd_id, x)))
|
|
|
|
\<mapsto>c conjure_real_frame_cap (the_cap spec pd_id x) t \<and>*
|
|
|
|
object_slot_initialised spec t pd_id x)
|
2019-02-15 05:14:04 +00:00
|
|
|
[slot <- pd_slots. cap_object_from_slot pd_id slot frame_at spec] \<and>*
|
2019-01-25 05:38:20 +00:00
|
|
|
R\<guillemotright>\<rbrace>"
|
|
|
|
apply (clarsimp simp: map_page_directory_def Let_unfold)
|
|
|
|
apply wp
|
|
|
|
apply (rule sep_hoare_fold_mapM_x[OF map_page_directory_slot_pt_wp
|
|
|
|
[where t=t and
|
|
|
|
page_slots="slots_of_list spec pt_id" and
|
|
|
|
pt_id="get_obj pd_id slot spec"
|
|
|
|
for pt_id slot,
|
|
|
|
simplified sep_wp_simp],
|
|
|
|
simplified fun_app_def])
|
|
|
|
apply (clarsimp simp: opt_cap_def cap_at_def)
|
|
|
|
apply (fastforce dest: Some_to_the)
|
|
|
|
apply (rule sep_hoare_fold_mapM_x[OF map_page_directory_slot_page_wp
|
|
|
|
[where t=t and
|
|
|
|
rights="cap_rights cap" and
|
|
|
|
n="cap_size_bits cap" and
|
|
|
|
page_id="get_obj pd_id slot spec"
|
|
|
|
for slot cap,
|
|
|
|
simplified sep_wp_simp],
|
|
|
|
simplified fun_app_def])
|
|
|
|
apply (clarsimp simp: cap_at_def)
|
|
|
|
apply (fastforce dest: Some_to_the)
|
|
|
|
apply clarsimp
|
|
|
|
apply (sep_fold_cancel, rule sep_map_sep_foldI)
|
|
|
|
apply (clarsimp simp: cap_at_def)
|
|
|
|
apply sep_cancel+
|
|
|
|
apply (sep_fold_cancel, rule sep_map_sep_foldI)
|
|
|
|
apply (clarsimp simp: sep_list_conj_sep_map_set_conj well_formed_distinct_slots_of_list
|
|
|
|
well_formed_finite)
|
|
|
|
apply sep_solve
|
|
|
|
apply (intro conjI)
|
|
|
|
apply (fastforce dest: Some_to_the)
|
|
|
|
apply (fastforce elim: list_all_spec)+
|
|
|
|
apply clarsimp
|
|
|
|
apply (erule wf_pt_in_pd_fake_and_none; fastforce)
|
|
|
|
apply (clarsimp, intro conjI)
|
|
|
|
apply (drule wf_frame_cap_in_pd; (fastforce simp: cap_at_def)?)
|
|
|
|
apply (drule wf_frame_cap_in_pd; (fastforce simp: cap_at_def)?)
|
|
|
|
apply (rule pd_slot_compute_inverse[symmetric], clarsimp)
|
|
|
|
by (fastforce simp: cap_at_def elim: list_all_spec)+
|
|
|
|
|
|
|
|
lemma slots_of_pd_split:
|
|
|
|
"\<lbrakk>well_formed spec; pd_at pd_id spec\<rbrakk> \<Longrightarrow>
|
|
|
|
dom (slots_of pd_id spec) =
|
|
|
|
{slot \<in> dom (slots_of pd_id spec). cap_at (\<lambda>c. c \<noteq> NullCap \<and> pt_at (cap_object c) spec)
|
|
|
|
(pd_id, slot) spec} \<union>
|
|
|
|
{slot \<in> dom (slots_of pd_id spec). cap_at (\<lambda>c. c \<noteq> NullCap \<and> frame_at (cap_object c) spec)
|
|
|
|
(pd_id, slot) spec} \<union>
|
|
|
|
{slot \<in> dom (slots_of pd_id spec). cap_at (\<lambda>c. c = NullCap) (pd_id, slot) spec}"
|
|
|
|
apply (intro set_eqI iffI; clarsimp)
|
2019-02-28 03:34:01 +00:00
|
|
|
apply (clarsimp simp: slots_of_def cap_at_def opt_cap_object_slot_simp
|
2019-01-25 05:38:20 +00:00
|
|
|
split: option.splits)
|
|
|
|
apply (fastforce dest: well_formed_pd_frame_or_pt)+
|
|
|
|
done
|
|
|
|
|
|
|
|
lemma wf_split_slots_of_pd:
|
|
|
|
"\<lbrakk>well_formed spec; pd_at pd_id spec\<rbrakk> \<Longrightarrow>
|
|
|
|
sep_map_set_conj P (dom (slots_of pd_id spec)) =
|
|
|
|
(sep_map_set_conj P
|
|
|
|
{slot \<in> dom (slots_of pd_id spec). cap_at (\<lambda>c. c \<noteq> NullCap \<and> pt_at (cap_object c) spec)
|
|
|
|
(pd_id, slot) spec} \<and>*
|
|
|
|
sep_map_set_conj P
|
|
|
|
{slot \<in> dom (slots_of pd_id spec). cap_at (\<lambda>c. c \<noteq> NullCap \<and> frame_at (cap_object c) spec)
|
|
|
|
(pd_id, slot) spec} \<and>*
|
|
|
|
sep_map_set_conj P
|
|
|
|
{slot \<in> dom (slots_of pd_id spec). cap_at (\<lambda>c. c = NullCap) (pd_id, slot) spec})"
|
2014-07-14 19:32:44 +00:00
|
|
|
apply clarsimp
|
2019-01-25 05:38:20 +00:00
|
|
|
apply (subst slots_of_pd_split)
|
|
|
|
apply (clarsimp simp: sep.prod.union_disjoint well_formed_finite[where obj_id=pd_id]
|
|
|
|
cap_at_def)+
|
|
|
|
apply (subst sep.prod.union_disjoint)
|
|
|
|
apply (clarsimp simp: well_formed_finite[where obj_id=pd_id])+
|
|
|
|
apply (intro set_eqI iffI; clarsimp)
|
|
|
|
apply (subst sep.prod.union_disjoint)
|
|
|
|
apply (clarsimp simp: well_formed_finite[where obj_id=pd_id])+
|
|
|
|
apply (intro set_eqI iffI; clarsimp)
|
|
|
|
apply (fastforce dest: well_formed_pd_frame_or_pt)
|
|
|
|
apply (clarsimp simp: sep_conj_ac)
|
|
|
|
done
|
|
|
|
|
|
|
|
lemma wf_pd_pt_obj_inj:
|
|
|
|
"\<lbrakk>well_formed spec; pd_at pd_id spec\<rbrakk>
|
|
|
|
\<Longrightarrow> inj_on (ref_obj spec pd_id)
|
2019-02-15 05:14:04 +00:00
|
|
|
{slot \<in> dom (slots_of pd_id spec). cap_object_from_slot pd_id slot pt_at spec}"
|
2019-01-25 05:38:20 +00:00
|
|
|
supply object_type_is_object[simp]
|
|
|
|
apply (clarsimp simp: inj_on_def cap_ref_object_def object_at_def)
|
|
|
|
apply (frule_tac obj_id=pd_id and slot=y in well_formed_types_match)
|
|
|
|
apply fastforce+
|
|
|
|
using object_type_is_object(9) object_type_object_at(9) wf_pd_cap_has_object apply blast
|
|
|
|
apply clarsimp+
|
|
|
|
apply (frule_tac obj_id=pd_id and slot=x in well_formed_types_match, fastforce+)
|
|
|
|
using object_type_is_object(9) object_type_object_at(9) wf_pd_cap_has_object apply blast
|
|
|
|
apply (clarsimp simp: cap_type_def split: cdl_cap.splits)
|
|
|
|
apply (frule_tac obj_id=pd_id and obj_id'=pd_id and slot=x and slot'=y in
|
|
|
|
well_formed_fake_pt_caps_unique)
|
|
|
|
apply fastforce+
|
|
|
|
apply (erule well_formed_pt_cap_is_fake_pt_cap, fastforce+)
|
|
|
|
apply (erule well_formed_pt_cap_is_fake_pt_cap, fastforce+)
|
|
|
|
done
|
|
|
|
|
|
|
|
lemma sep_map_pd_slots_inj[simp]:
|
|
|
|
"well_formed spec \<Longrightarrow>
|
|
|
|
pd_at pd_id spec \<Longrightarrow>
|
2019-02-15 05:14:04 +00:00
|
|
|
(SETSEPCONJ x | x \<in> dom (slots_of pd_id spec) \<and> cap_object_from_slot pd_id x pt_at spec.
|
2019-01-25 05:38:20 +00:00
|
|
|
P (cap_object (the_cap spec pd_id x))) =
|
|
|
|
sep_map_set_conj P
|
|
|
|
{obj. \<exists>slot. slot \<in> dom (slots_of pd_id spec) \<and>
|
2019-02-15 05:14:04 +00:00
|
|
|
cap_object_from_slot pd_id slot pt_at spec \<and>
|
2019-01-25 05:38:20 +00:00
|
|
|
obj = cap_object (the_cap spec pd_id slot)}"
|
|
|
|
apply (subgoal_tac "{obj. \<exists>slot. slot \<in> dom (slots_of pd_id spec) \<and>
|
2019-02-15 05:14:04 +00:00
|
|
|
cap_object_from_slot pd_id slot pt_at spec \<and>
|
2019-01-25 05:38:20 +00:00
|
|
|
obj = cap_object (the_cap spec pd_id slot)} =
|
|
|
|
ref_obj spec pd_id ` {slot \<in> dom (slots_of pd_id spec).
|
2019-02-15 05:14:04 +00:00
|
|
|
cap_object_from_slot pd_id slot pt_at spec}")
|
2019-01-25 05:38:20 +00:00
|
|
|
prefer 2
|
|
|
|
apply (clarsimp simp: cap_ref_object_def)
|
|
|
|
apply blast
|
2014-07-14 19:32:44 +00:00
|
|
|
apply clarsimp
|
2019-01-25 05:38:20 +00:00
|
|
|
apply (subst sep.prod.reindex)
|
|
|
|
apply (erule (1) wf_pd_pt_obj_inj)
|
|
|
|
apply (clarsimp simp: cap_ref_object_def)
|
2014-07-14 19:32:44 +00:00
|
|
|
done
|
|
|
|
|
2019-01-25 05:38:20 +00:00
|
|
|
lemma opt_cap_cap_at_simp: "(opt_cap ref spec = Some cap) = cap_at (\<lambda>x. x = cap) ref spec"
|
|
|
|
by (clarsimp simp: cap_at_def)
|
|
|
|
|
2019-02-15 05:14:04 +00:00
|
|
|
(***********************************************************
|
|
|
|
* Mapping a page directory, with cleaner pre/postcondition *
|
|
|
|
************************************************************)
|
|
|
|
|
2019-01-25 05:38:20 +00:00
|
|
|
lemma map_page_directory_wp:
|
|
|
|
"\<lbrakk>well_formed spec; pd_at pd_id spec; pd_slots = slots_of_list spec pd_id;
|
|
|
|
list_all (\<lambda>n. n < 2 ^ 12) pd_slots; \<forall>ptr. cptr_map ptr < 2 ^ si_cnode_size;
|
|
|
|
the (orig_caps pd_id) < 2 ^ si_cnode_size\<rbrakk> \<Longrightarrow>
|
|
|
|
\<lbrace>\<guillemotleft>si_objects \<and>*
|
|
|
|
si_caps_at t orig_caps spec False {obj_id. real_object_at obj_id spec} \<and>*
|
|
|
|
object_empty spec t pd_id \<and>*
|
|
|
|
frame_duplicates_empty cptr_map pd_id spec \<and>*
|
|
|
|
slots_in_object_empty (\<lambda>cap. cap \<noteq> NullCap \<and> pt_at (cap_object cap) spec) pd_id spec t \<and>*
|
|
|
|
R\<guillemotright>\<rbrace>
|
|
|
|
map_page_directory spec orig_caps cptr_map pd_id
|
|
|
|
\<lbrace>\<lambda>_. \<guillemotleft>si_objects \<and>*
|
|
|
|
si_caps_at t orig_caps spec False {obj_id. real_object_at obj_id spec} \<and>*
|
|
|
|
object_initialised spec t pd_id \<and>*
|
|
|
|
frame_duplicates_copied cptr_map pd_id spec t \<and>*
|
|
|
|
slots_in_object_init (\<lambda>cap. cap \<noteq> NullCap \<and> pt_at (cap_object cap) spec) pd_id spec t \<and>*
|
|
|
|
R\<guillemotright>\<rbrace>"
|
|
|
|
apply (wp map_page_directory_wp_expanded[sep_wandise])
|
|
|
|
apply sep_cancel+
|
|
|
|
apply (clarsimp simp: Let_unfold cap_at_def wf_split_slots_of_pd object_slots_empty_decomp
|
|
|
|
object_empty_decomp[where spec_object_id=pd_id]
|
|
|
|
sep_list_conj_sep_map_set_conj slots_in_object_empty_def
|
|
|
|
frame_duplicates_empty_def cap_ref_object_def
|
|
|
|
well_formed_distinct_slots_of_list well_formed_finite
|
|
|
|
object_initialised_decomp[where spec_object_id=pd_id]
|
|
|
|
frame_duplicates_copied_def object_slots_initialised_decomp
|
|
|
|
object_fields_empty_initialised_pd object_empty_slots_empty_initialised)
|
|
|
|
apply sep_cancel+
|
|
|
|
apply (subst (asm) sep_map_set_conj_subst[OF pd_NullCap_empty_init];
|
|
|
|
clarsimp simp: opt_cap_cap_at_simp)
|
|
|
|
apply sep_cancel
|
|
|
|
apply (clarsimp simp: slots_in_object_init_def)
|
|
|
|
apply (fold cap_ref_object_def)
|
|
|
|
apply (erule sep_map_set_elim)
|
|
|
|
apply (clarsimp simp: image_def)
|
|
|
|
apply (intro set_eqI iffI; clarsimp simp: cap_at_def)
|
|
|
|
apply blast
|
2014-07-14 19:32:44 +00:00
|
|
|
done
|
|
|
|
|
|
|
|
lemma set_asid_wp:
|
2016-09-22 09:23:19 +00:00
|
|
|
"\<lbrace>\<guillemotleft>si_caps_at t orig_caps spec dev {obj_id. real_object_at obj_id spec} \<and>*
|
2014-07-14 19:32:44 +00:00
|
|
|
si_objects \<and>* R\<guillemotright> and K(
|
|
|
|
well_formed spec \<and>
|
|
|
|
pd_at obj_id spec)\<rbrace>
|
|
|
|
set_asid spec orig_caps obj_id
|
2016-09-22 09:23:19 +00:00
|
|
|
\<lbrace>\<lambda>rv. \<guillemotleft>si_caps_at t orig_caps spec dev {obj_id. real_object_at obj_id spec} \<and>*
|
2014-07-14 19:32:44 +00:00
|
|
|
si_objects \<and>* R\<guillemotright>\<rbrace>"
|
|
|
|
apply (rule hoare_gen_asm, clarsimp)
|
|
|
|
apply (frule (1) object_at_real_object_at)
|
|
|
|
apply (rule valid_si_caps_at_si_cap_at [where obj_id=obj_id], clarsimp+)
|
|
|
|
apply (clarsimp simp: si_cap_at_def sep_conj_assoc sep_conj_exists)
|
|
|
|
apply (subst ex_conj_increase)+
|
2023-01-24 05:14:35 +00:00
|
|
|
apply (rule hoare_vcg_ex_lift)+
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rename_tac kobj_id)
|
|
|
|
apply (rule hoare_grab_asm)+
|
2018-03-15 03:45:48 +00:00
|
|
|
apply wpsimp
|
|
|
|
apply (clarsimp simp: set_asid_def)
|
|
|
|
apply (wp add: hoare_drop_imps
|
2014-07-14 19:32:44 +00:00
|
|
|
sep_wp: seL4_ASIDPool_Assign_wp [where
|
|
|
|
cnode_cap = si_cspace_cap and
|
|
|
|
cnode_id = si_cnode_id and
|
|
|
|
root_size = si_cnode_size and
|
|
|
|
tcb = "obj_tcb root_tcb" and
|
|
|
|
p = si_asidpool_id and
|
|
|
|
base = si_asidpool_base and
|
|
|
|
pd = "the (t obj_id)"],
|
|
|
|
(simp add: guard_equal_si_cspace_cap')+)
|
|
|
|
apply (subst offset_slot_si_cnode_size', simp)+
|
|
|
|
apply (simp add: si_objects_def si_asid_def default_cap_def object_at_object_type)
|
|
|
|
apply sep_solve
|
|
|
|
done
|
|
|
|
|
|
|
|
lemma cap_transform_empty_cap_map [simp]:
|
|
|
|
"cap_transform t \<circ>\<^sub>M empty_cap_map n = empty_cap_map n"
|
|
|
|
apply (rule ext)
|
|
|
|
apply (clarsimp simp: cap_transform_def empty_cap_map_def update_cap_object_def)
|
|
|
|
done
|
|
|
|
|
|
|
|
lemma spec2s_default_tcb [simp]:
|
|
|
|
"spec2s t (Tcb (default_tcb domain)) = Tcb (default_tcb domain)"
|
|
|
|
apply (clarsimp simp: spec2s_def object_slots_def update_slots_def default_tcb_def cap_transform_def)
|
|
|
|
apply (rule ext)
|
|
|
|
apply clarsimp
|
|
|
|
done
|
|
|
|
|
|
|
|
(* MoveMe *)
|
|
|
|
lemma object_default_state_spec2s:
|
|
|
|
"object_default_state obj = obj \<Longrightarrow> spec2s t obj = obj"
|
|
|
|
apply (clarsimp simp: object_default_state_def2 split: cdl_object.splits)
|
|
|
|
apply (metis spec2s_default_tcb)
|
2014-09-09 04:07:24 +00:00
|
|
|
apply (clarsimp simp: spec2s_def object_slots_def empty_cnode_def empty_irq_node_def
|
|
|
|
cdl_cnode.splits)+
|
2014-07-14 19:32:44 +00:00
|
|
|
done
|
|
|
|
|
|
|
|
lemma object_empty_initialised_default_state:
|
|
|
|
"object_at (\<lambda>obj. object_default_state obj = obj) obj_id spec \<Longrightarrow>
|
|
|
|
object_empty spec t obj_id = object_initialised spec t obj_id"
|
|
|
|
apply (clarsimp simp: object_empty_def object_initialised_def object_initialised_general_def object_at_def)
|
|
|
|
apply (frule object_default_state_spec2s [where t=t])
|
|
|
|
apply clarsimp
|
|
|
|
done
|
|
|
|
|
|
|
|
lemma not_object_at:
|
2019-01-25 05:38:20 +00:00
|
|
|
"(\<not> object_at P obj_id spec) \<Longrightarrow> cdl_objects spec obj_id = Some object \<Longrightarrow>
|
|
|
|
object_at (\<lambda>obj. \<not>P obj) obj_id spec "
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (clarsimp simp: object_at_def)
|
|
|
|
done
|
|
|
|
|
2019-01-25 05:38:20 +00:00
|
|
|
definition parent_obj_of :: "cdl_object_id \<Rightarrow> cdl_object_id \<Rightarrow> cdl_state \<Rightarrow> bool" where
|
|
|
|
"parent_obj_of parent_obj child_obj spec \<equiv>
|
|
|
|
(\<exists>slot \<in> dom (slots_of parent_obj spec).
|
|
|
|
cap_at (\<lambda>cap. cap_has_object cap \<and> cap_object cap = child_obj) (parent_obj, slot) spec)"
|
|
|
|
|
|
|
|
definition pd_equiv_class :: "cdl_state \<Rightarrow> (cdl_object_id \<times> cdl_object_id) set" where
|
|
|
|
"pd_equiv_class spec \<equiv>
|
|
|
|
{(x,y). pt_at x spec \<and> pt_at y spec \<and>
|
|
|
|
(\<exists>obj. pd_at obj spec \<and> parent_obj_of obj x spec \<and> parent_obj_of obj y spec)}"
|
|
|
|
|
|
|
|
lemma pd_equiv_sym:
|
|
|
|
"sym (pd_equiv_class spec)"
|
|
|
|
apply (clarsimp simp: sym_def pd_equiv_class_def)
|
|
|
|
by blast
|
|
|
|
|
|
|
|
lemma pt_parents_eq:
|
|
|
|
"\<lbrakk>well_formed spec; pd_at obj_id spec; pd_at obj_id' spec; pt_at pt spec;
|
|
|
|
parent_obj_of obj_id pt spec; parent_obj_of obj_id' pt spec\<rbrakk>
|
|
|
|
\<Longrightarrow> obj_id = obj_id'"
|
|
|
|
apply (clarsimp simp: parent_obj_of_def cap_at_def)
|
|
|
|
apply (frule well_formed_fake_pt_caps_unique[where obj_id=obj_id and obj_id'=obj_id'])
|
|
|
|
apply assumption+
|
|
|
|
apply (metis (full_types) cap_has_object_not_NullCap cap_type_simps(8)
|
|
|
|
well_formed_pt_cap_is_fake_pt_cap wf_pt_in_pd_fake_and_none)
|
|
|
|
apply (metis (full_types) cap_has_object_not_NullCap cap_type_simps(8)
|
|
|
|
well_formed_pt_cap_is_fake_pt_cap wf_pt_in_pd_fake_and_none)
|
|
|
|
apply fastforce+
|
2014-07-14 19:32:44 +00:00
|
|
|
done
|
|
|
|
|
2019-01-25 05:38:20 +00:00
|
|
|
lemma pd_equiv_trans:
|
|
|
|
"well_formed spec \<Longrightarrow> trans (pd_equiv_class spec)"
|
|
|
|
apply (clarsimp simp: trans_def pd_equiv_class_def)
|
|
|
|
apply (rule_tac x=obj in exI)
|
|
|
|
apply (clarsimp)
|
|
|
|
using pt_parents_eq by blast
|
|
|
|
|
|
|
|
abbreviation (input)
|
|
|
|
"object_in_cap P ref spec \<equiv> cap_at (\<lambda>cap. cap \<noteq> NullCap \<and> P (cap_object cap)) ref spec"
|
|
|
|
|
|
|
|
(* Looking up PTs of a PD is injective, except when both have none *)
|
|
|
|
lemma pd_pts_inj_or_empty:
|
|
|
|
"\<lbrakk>well_formed spec; pd_at x spec; pd_at y spec;
|
|
|
|
{obj. \<exists>slot. slot \<in> dom (slots_of x spec) \<and>
|
|
|
|
object_in_cap (\<lambda>obj. pt_at obj spec) (x, slot) spec \<and> obj = ref_obj spec x slot} =
|
|
|
|
{obj. \<exists>slot. slot \<in> dom (slots_of y spec) \<and>
|
|
|
|
object_in_cap (\<lambda>obj. pt_at obj spec) (y, slot) spec \<and> obj = ref_obj spec y slot};
|
|
|
|
x \<noteq> y\<rbrakk> \<Longrightarrow>
|
|
|
|
{obj. \<exists>slot. slot \<in> dom (slots_of x spec) \<and>
|
|
|
|
object_in_cap (\<lambda>obj. pt_at obj spec) (x, slot) spec \<and> obj = ref_obj spec x slot} = {}"
|
|
|
|
apply (clarsimp simp: cap_at_def cap_ref_object_def)
|
|
|
|
apply (drule_tac x="cap_object cap" in eqset_imp_iff)
|
|
|
|
apply (frule pt_parents_eq[where obj_id = x and obj_id' = y];
|
|
|
|
fastforce simp: parent_obj_of_def cap_at_def wf_pd_cap_has_object)
|
2014-07-14 19:32:44 +00:00
|
|
|
done
|
|
|
|
|
2019-01-25 05:38:20 +00:00
|
|
|
lemma wf_pd_equiv_parentD:
|
|
|
|
"\<lbrakk>(pt, pt') \<in> pd_equiv_class spec; well_formed spec; pd_at pd spec; parent_obj_of pd pt spec\<rbrakk>
|
|
|
|
\<Longrightarrow> parent_obj_of pd pt' spec"
|
|
|
|
apply (clarsimp simp: pd_equiv_class_def)
|
|
|
|
apply (frule_tac obj_id=obj and obj_id'=pd and pt=pt in pt_parents_eq; fastforce)
|
2014-07-14 19:32:44 +00:00
|
|
|
done
|
|
|
|
|
2019-01-25 05:38:20 +00:00
|
|
|
lemma pd_equiv_ptsD: "pts \<in> pd_equiv_class spec \<Longrightarrow> pt_at (fst pts) spec \<and> pt_at (snd pts) spec"
|
|
|
|
by (clarsimp simp: pd_equiv_class_def split: prod.splits)
|
2014-07-14 19:32:44 +00:00
|
|
|
|
2019-01-25 05:38:20 +00:00
|
|
|
(* Grouping PTs by their parent PD is the same as taking the PT children of each parent PD *)
|
|
|
|
lemma pd_quotient_eq_pts_of_pds:
|
|
|
|
"well_formed spec \<Longrightarrow>
|
|
|
|
image (\<lambda>pd.{ref_obj spec pd slot | slot. slot \<in> dom (slots_of pd spec) \<and>
|
|
|
|
object_in_cap (\<lambda>obj. pt_at obj spec) (pd, slot) spec})
|
|
|
|
{obj. pd_at obj spec} - {{}} =
|
|
|
|
{x. pt_at x spec \<and> (\<exists>obj. pd_at obj spec \<and>
|
|
|
|
(\<exists>slot\<in>dom (slots_of obj spec). cap_at cap_has_object (obj, slot) spec
|
|
|
|
\<and> ref_obj spec obj slot = x))} // pd_equiv_class spec - {{}}"
|
2019-06-03 01:02:44 +00:00
|
|
|
apply (clarsimp simp: image_def quotient_def Image_def cong: SUP_cong_simp)
|
2019-01-25 05:38:20 +00:00
|
|
|
apply (intro set_eqI iffI; clarsimp simp: cap_at_def)
|
|
|
|
apply (guess_exI)
|
|
|
|
apply safe
|
|
|
|
apply (fastforce simp: wf_pd_cap_has_object cap_ref_object_def)
|
|
|
|
apply (clarsimp simp: pd_equiv_class_def cap_ref_object_def)
|
|
|
|
apply (guess_exI, clarsimp)
|
|
|
|
apply (intro conjI; fastforce simp: wf_pd_cap_has_object cap_ref_object_def
|
|
|
|
cap_at_def parent_obj_of_def)
|
|
|
|
apply (clarsimp simp: cap_ref_object_def)
|
|
|
|
apply (frule_tac pd=xa in wf_pd_equiv_parentD; clarsimp?)
|
|
|
|
apply (fastforce simp: wf_pd_cap_has_object cap_ref_object_def cap_at_def parent_obj_of_def)
|
|
|
|
apply (drule pd_equiv_ptsD, clarsimp simp: parent_obj_of_def cap_at_def)
|
|
|
|
apply (rule_tac x=slota in exI)
|
|
|
|
apply (fastforce simp: wf_pd_cap_has_object cap_ref_object_def
|
|
|
|
pd_equiv_class_def cap_at_def parent_obj_of_def)
|
|
|
|
apply (rule_tac x=obj in exI)
|
|
|
|
apply (clarsimp simp: cap_ref_object_def)
|
|
|
|
apply (intro set_eqI iffI; clarsimp)
|
|
|
|
apply (frule_tac pd=obj and pt'=xa in wf_pd_equiv_parentD; clarsimp?)
|
|
|
|
apply (fastforce simp: parent_obj_of_def cap_at_def)
|
|
|
|
apply (drule pd_equiv_ptsD, clarsimp simp: parent_obj_of_def cap_at_def)
|
|
|
|
apply (rule_tac x=slota in exI)
|
|
|
|
apply (fastforce simp: wf_pd_cap_has_object cap_ref_object_def
|
|
|
|
pd_equiv_class_def cap_at_def parent_obj_of_def)
|
|
|
|
apply (clarsimp simp: pd_equiv_class_def)
|
|
|
|
apply (rule_tac x=obj in exI)
|
|
|
|
apply (clarsimp simp: parent_obj_of_def cap_at_def)
|
|
|
|
apply (metis (full_types) domI wf_pd_cap_has_object)
|
2014-07-14 19:32:44 +00:00
|
|
|
done
|
|
|
|
|
2019-01-25 05:38:20 +00:00
|
|
|
lemma well_formed_pd_slots:
|
|
|
|
"\<lbrakk>well_formed spec; pd_at obj_id spec\<rbrakk> \<Longrightarrow>
|
|
|
|
\<forall>slot \<in> dom (slots_of obj_id spec). slot < 2 ^ 12"
|
|
|
|
by (fastforce simp: Ball_def elim: well_formed_pd_slot_limited)
|
|
|
|
|
|
|
|
lemma well_formed_pt_not_in_pd_empty_init:
|
|
|
|
"\<lbrakk>well_formed spec; pt_at x spec;
|
|
|
|
(\<forall>obj. pd_at obj spec \<longrightarrow> (\<forall>slot\<in>dom (slots_of obj spec). cap_at cap_has_object (obj, slot) spec
|
|
|
|
\<longrightarrow> ref_obj spec obj slot \<noteq> x))\<rbrakk>
|
|
|
|
\<Longrightarrow> object_empty spec t x = object_initialised spec t x"
|
|
|
|
apply (rule object_empty_initialised_default_state)
|
|
|
|
apply (rule ccontr)
|
|
|
|
apply (drule not_object_at, fastforce)
|
|
|
|
apply (frule (2) well_formed_cap_to_non_empty_pt)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply clarsimp
|
2019-01-25 05:38:20 +00:00
|
|
|
apply (erule_tac x=pd_id in allE, clarsimp)
|
|
|
|
apply (clarsimp simp: object_at_def)
|
|
|
|
apply (case_tac "cap \<noteq> NullCap")
|
|
|
|
apply (frule well_formed_types_match[symmetric], fastforce+)
|
|
|
|
apply (fastforce dest: opt_cap_dom_slots_of
|
|
|
|
simp: cap_at_def cap_ref_object_def object_at_def object_type_is_object)+
|
2014-07-14 19:32:44 +00:00
|
|
|
done
|
|
|
|
|
2019-01-25 05:38:20 +00:00
|
|
|
lemma refl_on_pd_parent[simp]:
|
|
|
|
"refl_on {pt_id. pt_at pt_id spec \<and>
|
|
|
|
(\<exists>obj. pd_at obj spec \<and> parent_obj_of obj pt_id spec)}
|
|
|
|
(pd_equiv_class spec)"
|
|
|
|
by (clarsimp simp: pd_equiv_class_def refl_on_def, fastforce)
|
2014-07-14 19:32:44 +00:00
|
|
|
|
2019-01-25 05:38:20 +00:00
|
|
|
lemma pt_parents_pd_pts_empty:
|
|
|
|
"well_formed spec \<Longrightarrow>
|
|
|
|
(SETSEPCONJ pd_id | pd_at pd_id spec.
|
|
|
|
slots_in_object_empty (\<lambda>cap. cap \<noteq> NullCap \<and> pt_at (cap_object cap) spec) pd_id spec t) =
|
|
|
|
(SETSEPCONJ pt_id | pt_at pt_id spec \<and> (\<exists>obj. pd_at obj spec \<and> parent_obj_of obj pt_id spec).
|
|
|
|
object_empty spec t pt_id)"
|
|
|
|
apply (rule sym, subst sep_map_set_quotient_split[where R="pd_equiv_class spec"])
|
2014-07-14 19:32:44 +00:00
|
|
|
apply fastforce
|
2019-01-25 05:38:20 +00:00
|
|
|
apply (rule equivI; clarsimp simp: pd_equiv_sym[simplified fun_app_def] pd_equiv_trans)
|
|
|
|
apply (clarsimp simp: slots_in_object_empty_def, rule sym, subst sep_map_set_squash)
|
|
|
|
apply clarsimp
|
|
|
|
apply (drule_tac x=x and y=y in pd_pts_inj_or_empty, clarsimp+)
|
|
|
|
apply blast
|
|
|
|
apply fastforce
|
|
|
|
apply (rule sym)
|
|
|
|
apply (rule sep_map_set_conj_cong_empty_eq)
|
|
|
|
apply clarsimp+
|
|
|
|
apply (rule box_equals[OF pd_quotient_eq_pts_of_pds[symmetric]], assumption)
|
|
|
|
apply (clarsimp simp: parent_obj_of_def, intro set_eqI iffI;
|
|
|
|
clarsimp simp: quotient_def Image_def)
|
|
|
|
apply (guess_exI, clarsimp)
|
|
|
|
apply (guess_exI, clarsimp)
|
|
|
|
apply (clarsimp simp: cap_ref_object_def)
|
|
|
|
apply (metis (mono_tags, lifting) cap_at_def domI option.sel)
|
|
|
|
apply (guess_exI, clarsimp)
|
|
|
|
apply (guess_exI, clarsimp)
|
|
|
|
apply (clarsimp simp: cap_ref_object_def)
|
|
|
|
apply (metis (mono_tags, lifting) cap_at_def domI option.sel)
|
|
|
|
apply blast
|
2014-07-14 19:32:44 +00:00
|
|
|
done
|
|
|
|
|
2019-01-25 05:38:20 +00:00
|
|
|
lemma pt_parents_pd_pts_init:
|
|
|
|
"well_formed spec \<Longrightarrow>
|
|
|
|
(SETSEPCONJ pd_id | pd_at pd_id spec.
|
|
|
|
slots_in_object_init (\<lambda>cap. cap \<noteq> NullCap \<and> pt_at (cap_object cap) spec) pd_id spec t) =
|
|
|
|
(SETSEPCONJ pt_id | pt_at pt_id spec \<and> (\<exists>obj. pd_at obj spec \<and> parent_obj_of obj pt_id spec).
|
|
|
|
object_initialised spec t pt_id)"
|
|
|
|
apply (rule sym, subst sep_map_set_quotient_split[where R="pd_equiv_class spec"])
|
|
|
|
apply (clarsimp)
|
|
|
|
apply (rule equivI; clarsimp simp: pd_equiv_sym[simplified fun_app_def] pd_equiv_trans)
|
|
|
|
apply (clarsimp simp: slots_in_object_init_def, rule sym, subst sep_map_set_squash)
|
|
|
|
apply clarsimp
|
|
|
|
apply (drule_tac x=x and y=y in pd_pts_inj_or_empty, clarsimp+)
|
|
|
|
apply blast
|
|
|
|
apply clarsimp
|
|
|
|
apply (rule sym)
|
|
|
|
apply (rule sep_map_set_conj_cong_empty_eq)
|
|
|
|
apply clarsimp+
|
|
|
|
apply (rule box_equals [OF pd_quotient_eq_pts_of_pds[symmetric]], assumption)
|
|
|
|
apply (clarsimp simp: parent_obj_of_def, intro set_eqI iffI;
|
|
|
|
clarsimp simp: quotient_def Image_def)
|
|
|
|
apply (guess_exI, clarsimp)
|
|
|
|
apply (guess_exI, clarsimp)
|
|
|
|
apply (clarsimp simp: cap_ref_object_def)
|
|
|
|
apply (metis (mono_tags, lifting) cap_at_def domI option.sel)
|
|
|
|
apply (guess_exI, clarsimp)
|
|
|
|
apply (guess_exI, clarsimp)
|
|
|
|
apply (clarsimp simp: cap_ref_object_def)
|
|
|
|
apply (metis (mono_tags, lifting) cap_at_def domI option.sel)
|
|
|
|
apply blast
|
2014-07-14 19:32:44 +00:00
|
|
|
done
|
|
|
|
|
2019-02-15 05:14:04 +00:00
|
|
|
(***********************************************************
|
|
|
|
* Initialising all page directories *
|
|
|
|
************************************************************)
|
|
|
|
|
2014-07-14 19:32:44 +00:00
|
|
|
lemma init_vspace_sep:
|
2019-01-25 05:38:20 +00:00
|
|
|
"\<lbrace>\<guillemotleft>si_objects \<and>*
|
2016-09-22 09:23:19 +00:00
|
|
|
si_caps_at t orig_caps spec False {obj_id. real_object_at obj_id spec} \<and>*
|
2019-01-25 05:38:20 +00:00
|
|
|
objects_empty spec t {obj_id. table_at obj_id spec} \<and>*
|
|
|
|
(SETSEPCONJ x | pd_at x spec.
|
|
|
|
frame_duplicates_empty (make_frame_cap_map obj_ids free_cptrs spec) x spec) \<and>*
|
|
|
|
R\<guillemotright> and K (
|
|
|
|
well_formed spec \<and>
|
|
|
|
set obj_ids = dom (cdl_objects spec) \<and>
|
|
|
|
distinct obj_ids \<and>
|
|
|
|
card (\<Union> (set ` get_frame_caps spec ` {obj. pd_at obj spec})) \<le> length free_cptrs \<and>
|
|
|
|
list_all (\<lambda>n. n < 2 ^ si_cnode_size) free_cptrs \<and>
|
|
|
|
(\<forall>p. p \<in> {obj_id. pd_at obj_id spec} \<longrightarrow> the (orig_caps p) < 2 ^ si_cnode_size))\<rbrace>
|
|
|
|
init_vspace spec orig_caps obj_ids free_cptrs
|
|
|
|
\<lbrace>\<lambda>_. \<guillemotleft>si_objects \<and>*
|
2016-09-22 09:23:19 +00:00
|
|
|
si_caps_at t orig_caps spec False {obj_id. real_object_at obj_id spec} \<and>*
|
2019-01-25 05:38:20 +00:00
|
|
|
objects_initialised spec t {obj_id. table_at obj_id spec} \<and>*
|
|
|
|
(SETSEPCONJ x | pd_at x spec.
|
|
|
|
frame_duplicates_copied (make_frame_cap_map obj_ids free_cptrs spec) x spec t) \<and>*
|
|
|
|
R\<guillemotright>\<rbrace>"
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule hoare_gen_asm, clarsimp)
|
|
|
|
apply (clarsimp simp: objects_empty_def objects_initialised_def)
|
|
|
|
apply (subst sep_map_set_conj_set_disjoint, simp+,
|
|
|
|
clarsimp simp: object_at_def object_type_is_object)+
|
|
|
|
apply (clarsimp simp: init_vspace_def sep_conj_assoc)
|
2019-01-25 05:38:20 +00:00
|
|
|
apply (wp sep_hoare_fold_mapM_x[OF map_page_directory_wp[simplified sep_wp_simp]], simp+)
|
|
|
|
apply (frule_tac obj_id=x in well_formed_pd_slots; clarsimp)
|
|
|
|
using Ball_set apply fastforce
|
|
|
|
apply (clarsimp simp: make_frame_cap_map_def si_cnode_size_def split: option.splits)
|
|
|
|
apply (meson list_all_spec map_of_SomeD set_zip_rightD)
|
|
|
|
apply (fastforce elim: list_all_spec)
|
|
|
|
apply sep_flatten
|
|
|
|
apply sep_fold_cancel
|
|
|
|
apply (rule sep_map_set_sep_foldI)
|
|
|
|
apply (clarsimp simp: sep.prod.distrib)+
|
|
|
|
apply sep_cancel+
|
|
|
|
(* Split PTs into those which have a parent and those which do not *)
|
|
|
|
apply (clarsimp simp: sep_map_set_conj_restrict
|
|
|
|
[where t="\<lambda>pt_id. (\<exists>obj. pd_at obj spec \<and> parent_obj_of obj pt_id spec)"
|
|
|
|
and xs="{obj_id. pt_at obj_id spec}"])
|
|
|
|
apply (clarsimp simp: pt_parents_pd_pts_empty pt_parents_pd_pts_init, sep_cancel+)
|
|
|
|
apply (subst (asm) sep_map_set_conj_subst[OF well_formed_pt_not_in_pd_empty_init])
|
|
|
|
apply fastforce+
|
|
|
|
apply (clarsimp simp: parent_obj_of_def)
|
|
|
|
apply (erule_tac x=obj in allE, drule mp, assumption, clarsimp simp: cap_at_def)
|
|
|
|
apply (fastforce simp: cap_ref_object_def)
|
|
|
|
by sep_solve
|
2014-07-14 19:32:44 +00:00
|
|
|
|
|
|
|
lemma init_pd_asids_sep:
|
2016-09-22 09:23:19 +00:00
|
|
|
"\<lbrace>\<guillemotleft>si_caps_at t orig_caps spec False {obj_id. real_object_at obj_id spec} \<and>*
|
2014-07-14 19:32:44 +00:00
|
|
|
si_objects \<and>* R\<guillemotright> and K(well_formed spec)\<rbrace>
|
|
|
|
init_pd_asids spec orig_caps obj_ids
|
2016-09-22 09:23:19 +00:00
|
|
|
\<lbrace>\<lambda>_. \<guillemotleft>si_caps_at t orig_caps spec False {obj_id. real_object_at obj_id spec} \<and>*
|
2014-07-14 19:32:44 +00:00
|
|
|
si_objects \<and>* R\<guillemotright>\<rbrace>"
|
|
|
|
apply (rule hoare_gen_asm)
|
|
|
|
apply (clarsimp simp: init_pd_asids_def)
|
|
|
|
apply (rule mapM_x_wp', clarsimp)
|
|
|
|
apply (wp sep_wp: set_asid_wp [where t=t], simp+, sep_solve)
|
|
|
|
done
|
2019-02-04 05:08:34 +00:00
|
|
|
|
2014-07-14 19:32:44 +00:00
|
|
|
end
|
2016-04-25 23:27:46 +00:00
|
|
|
|
|
|
|
end
|