2014-07-14 19:32:44 +00:00
(*
* Copyright 2014, General Dynamics C4 Systems
*
* This software may be distributed and modified according to the terms of
* the GNU General Public License version 2. Note that NO WARRANTY is provided.
* See "LICENSE_GPLv2.txt" for details.
*
* @TAG(GD_GPL)
*)
theory Ipc_R
imports Finalise_R
begin
2016-04-28 23:47:59 +00:00
context begin interpretation Arch . (*FIXME: arch_split*)
2014-07-14 19:32:44 +00:00
lemmas lookup_slot_wrapper_defs'[simp] =
lookupSourceSlot_def lookupTargetSlot_def lookupPivotSlot_def
2018-06-09 08:30:53 +00:00
lemma get_mi_corres: "corres ((=) \<circ> message_info_map)
2014-07-14 19:32:44 +00:00
(tcb_at t) (tcb_at' t)
(get_message_info t) (getMessageInfo t)"
apply (rule corres_guard_imp)
apply (unfold get_message_info_def getMessageInfo_def fun_app_def)
2016-04-28 23:47:59 +00:00
apply (simp add: ARM_H.msgInfoRegister_def
2016-05-04 03:28:20 +00:00
ARM.msgInfoRegister_def ARM_A.msg_info_register_def)
2014-07-14 19:32:44 +00:00
apply (rule corres_split_eqr [OF _ user_getreg_corres])
apply (rule corres_trivial, simp add: message_info_from_data_eqv)
apply (wp | simp)+
done
lemma get_mi_inv'[wp]: "\<lbrace>I\<rbrace> getMessageInfo a \<lbrace>\<lambda>x. I\<rbrace>"
by (simp add: getMessageInfo_def, wp)
definition
2017-07-12 05:13:51 +00:00
"get_send_cap_relation rv rv' \<equiv>
2014-07-14 19:32:44 +00:00
(case rv of Some (c, cptr) \<Rightarrow> (\<exists>c' cptr'. rv' = Some (c', cptr') \<and>
cte_map cptr = cptr' \<and>
cap_relation c c')
| None \<Rightarrow> rv' = None)"
lemma cap_relation_mask:
2017-07-12 05:13:51 +00:00
"\<lbrakk> cap_relation c c'; msk' = rights_mask_map msk \<rbrakk> \<Longrightarrow>
2014-07-14 19:32:44 +00:00
cap_relation (mask_cap msk c) (maskCapRights msk' c')"
by simp
lemma lsfco_cte_at':
2017-07-12 05:13:51 +00:00
"\<lbrace>valid_objs' and valid_cap' cap\<rbrace>
lookupSlotForCNodeOp f cap idx depth
2014-07-14 19:32:44 +00:00
\<lbrace>\<lambda>rv. cte_at' rv\<rbrace>, -"
apply (simp add: lookupSlotForCNodeOp_def)
apply (rule conjI)
prefer 2
apply clarsimp
2017-01-13 12:58:40 +00:00
apply (wp)
2014-07-14 19:32:44 +00:00
apply (clarsimp simp: split_def unlessE_def
2016-10-25 06:01:30 +00:00
split del: if_split)
2017-01-13 12:58:40 +00:00
apply (wp hoare_drop_imps throwE_R)
2014-07-14 19:32:44 +00:00
done
declare unifyFailure_wp [wp]
(* FIXME: move *)
lemma unifyFailure_wp_E [wp]:
"\<lbrace>P\<rbrace> f -, \<lbrace>\<lambda>_. E\<rbrace> \<Longrightarrow> \<lbrace>P\<rbrace> unifyFailure f -, \<lbrace>\<lambda>_. E\<rbrace>"
unfolding validE_E_def
by (erule unifyFailure_wp)+
(* FIXME: move *)
lemma unifyFailure_wp2 [wp]:
assumes x: "\<lbrace>P\<rbrace> f \<lbrace>\<lambda>_. Q\<rbrace>"
shows "\<lbrace>P\<rbrace> unifyFailure f \<lbrace>\<lambda>_. Q\<rbrace>"
by (wp x, simp)
definition
ct_relation :: "captransfer \<Rightarrow> cap_transfer \<Rightarrow> bool"
where
"ct_relation ct ct' \<equiv>
ct_receive_root ct = to_bl (ctReceiveRoot ct')
\<and> ct_receive_index ct = to_bl (ctReceiveIndex ct')
\<and> ctReceiveDepth ct' = unat (ct_receive_depth ct)"
(* MOVE *)
lemma valid_ipc_buffer_ptr_aligned_2:
"\<lbrakk>valid_ipc_buffer_ptr' a s; is_aligned y 2 \<rbrakk> \<Longrightarrow> is_aligned (a + y) 2"
2017-07-12 05:13:51 +00:00
unfolding valid_ipc_buffer_ptr'_def
2014-07-14 19:32:44 +00:00
apply clarsimp
apply (erule (1) aligned_add_aligned)
apply (simp add: msg_align_bits)
done
(* MOVE *)
lemma valid_ipc_buffer_ptr'D2:
"\<lbrakk>valid_ipc_buffer_ptr' a s; y < max_ipc_words * 4; is_aligned y 2\<rbrakk> \<Longrightarrow> typ_at' UserDataT (a + y && ~~ mask pageBits) s"
2017-07-12 05:13:51 +00:00
unfolding valid_ipc_buffer_ptr'_def
2014-07-14 19:32:44 +00:00
apply clarsimp
apply (subgoal_tac "(a + y) && ~~ mask pageBits = a && ~~ mask pageBits")
apply simp
apply (rule mask_out_first_mask_some [where n = msg_align_bits])
apply (erule is_aligned_add_helper [THEN conjunct2])
apply (erule order_less_le_trans)
apply (simp add: msg_align_bits max_ipc_words )
apply simp
done
lemma load_ct_corres:
"corres ct_relation \<top> (valid_ipc_buffer_ptr' buffer) (load_cap_transfer buffer) (loadCapTransfer buffer)"
2017-07-12 05:13:51 +00:00
apply (simp add: load_cap_transfer_def loadCapTransfer_def
2018-08-09 03:01:05 +00:00
captransfer_from_words_def
2014-07-14 19:32:44 +00:00
capTransferDataSize_def capTransferFromWords_def
2014-08-11 04:50:56 +00:00
msgExtraCapBits_def word_size add.commute add.left_commute
2014-07-14 19:32:44 +00:00
msg_max_length_def msg_max_extra_caps_def word_size_def
2015-08-21 03:27:17 +00:00
msgMaxLength_def msgMaxExtraCaps_def msgLengthBits_def wordSize_def wordBits_def
2014-07-14 19:32:44 +00:00
del: upt.simps)
apply (rule corres_guard_imp)
apply (rule corres_split [OF _ load_word_corres])
apply (rule corres_split [OF _ load_word_corres])
apply (rule corres_split [OF _ load_word_corres])
apply (rule_tac P=\<top> and P'=\<top> in corres_inst)
apply (clarsimp simp: ct_relation_def)
2017-01-13 12:58:40 +00:00
apply (wp no_irq_loadWord)+
2014-07-14 19:32:44 +00:00
apply simp
2015-05-12 15:17:31 +00:00
apply (simp add: conj_comms)
2014-07-14 19:32:44 +00:00
apply safe
apply (erule valid_ipc_buffer_ptr_aligned_2, simp add: is_aligned_def)+
apply (erule valid_ipc_buffer_ptr'D2, simp add: max_ipc_words, simp add: is_aligned_def)+
done
lemma get_recv_slot_corres:
"corres (\<lambda>xs ys. ys = map cte_map xs)
(tcb_at receiver and valid_objs and pspace_aligned)
(tcb_at' receiver and valid_objs' and pspace_aligned' and pspace_distinct' and
2014-08-09 05:16:17 +00:00
case_option \<top> valid_ipc_buffer_ptr' recv_buf)
2014-07-14 19:32:44 +00:00
(get_receive_slots receiver recv_buf)
(getReceiveSlots receiver recv_buf)"
apply (cases recv_buf)
apply (simp add: getReceiveSlots_def)
apply (simp add: getReceiveSlots_def split_def)
apply (rule corres_guard_imp)
apply (rule corres_split [OF _ load_ct_corres])
apply (rule corres_empty_on_failure)
apply (rule corres_splitEE)
prefer 2
apply (rule corres_unify_failure)
apply (rule lookup_cap_corres)
apply (simp add: ct_relation_def)
apply simp
apply (rule corres_splitEE)
prefer 2
apply (rule corres_unify_failure)
apply (simp add: ct_relation_def)
apply (erule lsfc_corres [OF _ refl])
apply simp
apply (simp add: split_def liftE_bindE unlessE_whenE)
apply (rule corres_split [OF _ get_cap_corres])
apply (rule corres_split_norE)
apply (rule corres_trivial, simp add: returnOk_def)
apply (rule corres_whenE)
apply (case_tac cap, auto)[1]
apply (rule corres_trivial, simp)
apply simp
apply (wp lookup_cap_valid lookup_cap_valid' lsfco_cte_at | simp)+
done
lemma get_recv_slot_inv'[wp]:
"\<lbrace> P \<rbrace> getReceiveSlots receiver buf \<lbrace>\<lambda>rv'. P \<rbrace>"
apply (case_tac buf)
apply (simp add: getReceiveSlots_def)
apply (simp add: getReceiveSlots_def
split_def unlessE_def)
apply (wp | simp)+
done
lemma get_rs_cte_at'[wp]:
2017-07-12 05:13:51 +00:00
"\<lbrace>\<top>\<rbrace>
getReceiveSlots receiver recv_buf
2014-07-14 19:32:44 +00:00
\<lbrace>\<lambda>rv s. \<forall>x \<in> set rv. cte_wp_at' (\<lambda>c. cteCap c = capability.NullCap) x s\<rbrace>"
apply (cases recv_buf)
apply (simp add: getReceiveSlots_def)
apply (wp,simp)
apply (clarsimp simp add: getReceiveSlots_def
split_def whenE_def unlessE_whenE)
apply wp
apply simp
apply (rule getCTE_wp)
apply (simp add: cte_wp_at_ctes_of cong: conj_cong)
2017-01-13 12:58:40 +00:00
apply wp+
2014-07-14 19:32:44 +00:00
apply simp
done
lemma get_rs_real_cte_at'[wp]:
"\<lbrace>valid_objs'\<rbrace>
2017-07-12 05:13:51 +00:00
getReceiveSlots receiver recv_buf
2014-07-14 19:32:44 +00:00
\<lbrace>\<lambda>rv s. \<forall>x \<in> set rv. real_cte_at' x s\<rbrace>"
apply (cases recv_buf)
apply (simp add: getReceiveSlots_def)
apply (wp,simp)
apply (clarsimp simp add: getReceiveSlots_def
split_def whenE_def unlessE_whenE)
apply wp
apply simp
apply (wp hoare_drop_imps)[1]
apply simp
2017-01-13 12:58:40 +00:00
apply (wp lookup_cap_valid')+
2014-07-14 19:32:44 +00:00
apply simp
done
declare word_div_1 [simp]
declare word_minus_one_le [simp]
declare word32_minus_one_le [simp]
lemma load_word_offs_corres':
"\<lbrakk> y < unat max_ipc_words; y' = of_nat y * 4 \<rbrakk> \<Longrightarrow>
2018-06-09 08:30:53 +00:00
corres (=) \<top> (valid_ipc_buffer_ptr' a) (load_word_offs a y) (loadWordUser (a + y'))"
2014-07-14 19:32:44 +00:00
apply simp
apply (erule load_word_offs_corres)
done
declare loadWordUser_inv [wp]
lemma getExtraCptrs_inv[wp]:
"\<lbrace>P\<rbrace> getExtraCPtrs buf mi \<lbrace>\<lambda>rv. P\<rbrace>"
apply (cases mi, cases buf, simp_all add: getExtraCPtrs_def)
apply (wp dmo_inv' mapM_wp' loadWord_inv)
done
lemma badge_derived_mask [simp]:
"badge_derived' (maskCapRights R c) c' = badge_derived' c c'"
by (simp add: badge_derived'_def)
declare derived'_not_Null [simp]
lemma maskCapRights_vsCapRef[simp]:
"vsCapRef (maskCapRights msk cap) = vsCapRef cap"
unfolding vsCapRef_def
apply (cases cap, simp_all add: maskCapRights_def isCap_simps Let_def)
2015-05-12 15:17:31 +00:00
apply (rename_tac arch_capability)
apply (case_tac arch_capability;
2016-04-28 07:16:29 +00:00
simp add: maskCapRights_def ARM_H.maskCapRights_def isCap_simps Let_def)
2014-07-14 19:32:44 +00:00
done
lemma corres_set_extra_badge:
2017-07-12 05:13:51 +00:00
"b' = b \<Longrightarrow>
2014-07-14 19:32:44 +00:00
corres dc (in_user_frame buffer)
(valid_ipc_buffer_ptr' buffer and
(\<lambda>_. msg_max_length + 2 + n < unat max_ipc_words))
(set_extra_badge buffer b n) (setExtraBadge buffer b' n)"
apply (rule corres_gen_asm2)
apply (drule store_word_offs_corres [where a=buffer and w=b])
apply (simp add: set_extra_badge_def setExtraBadge_def buffer_cptr_index_def
bufferCPtrOffset_def Let_def)
2015-08-21 03:27:17 +00:00
apply (simp add: word_size word_size_def wordSize_def wordBits_def
2017-07-12 05:13:51 +00:00
bufferCPtrOffset_def buffer_cptr_index_def msgMaxLength_def
2014-07-14 19:32:44 +00:00
msg_max_length_def msgLengthBits_def store_word_offs_def
2014-08-11 04:50:56 +00:00
add.commute add.left_commute)
2014-07-14 19:32:44 +00:00
done
crunch typ_at': setExtraBadge "\<lambda>s. P (typ_at' T p s)"
lemmas setExtraBadge_typ_ats' [wp] = typ_at_lifts [OF setExtraBadge_typ_at']
crunch valid_pspace' [wp]: setExtraBadge valid_pspace'
crunch cte_wp_at' [wp]: setExtraBadge "cte_wp_at' P p"
crunch ipc_buffer' [wp]: setExtraBadge "valid_ipc_buffer_ptr' buffer"
crunch inv'[wp]: getExtraCPtr P (wp: dmo_inv' loadWord_inv)
lemmas unifyFailure_discard2
= corres_injection[OF id_injection unifyFailure_injection, simplified]
lemma deriveCap_not_null:
"\<lbrace>\<top>\<rbrace> deriveCap slot cap \<lbrace>\<lambda>rv. K (rv \<noteq> NullCap \<longrightarrow> cap \<noteq> NullCap)\<rbrace>,-"
2016-10-25 06:01:30 +00:00
apply (simp add: deriveCap_def split del: if_split)
2014-07-14 19:32:44 +00:00
apply (case_tac cap)
apply (simp_all add: Let_def isCap_simps)
apply wp
apply simp
done
lemma deriveCap_derived_foo:
"\<lbrace>\<lambda>s. \<forall>cap'. (cte_wp_at' (\<lambda>cte. badge_derived' cap (cteCap cte)
\<and> capASID cap = capASID (cteCap cte) \<and> cap_asid_base' cap = cap_asid_base' (cteCap cte)
\<and> cap_vptr' cap = cap_vptr' (cteCap cte)) slot s
\<and> valid_objs' s \<and> cap' \<noteq> NullCap \<longrightarrow> cte_wp_at' (is_derived' (ctes_of s) slot cap' \<circ> cteCap) slot s)
2016-05-30 13:12:39 +00:00
\<and> (cte_wp_at' (untyped_derived_eq cap \<circ> cteCap) slot s
\<longrightarrow> cte_wp_at' (untyped_derived_eq cap' \<circ> cteCap) slot s)
2014-07-14 19:32:44 +00:00
\<and> (s \<turnstile>' cap \<longrightarrow> s \<turnstile>' cap') \<and> (cap' \<noteq> NullCap \<longrightarrow> cap \<noteq> NullCap) \<longrightarrow> Q cap' s\<rbrace>
deriveCap slot cap \<lbrace>Q\<rbrace>,-"
using deriveCap_derived[where slot=slot and c'=cap] deriveCap_valid[where slot=slot and c=cap]
2016-05-30 13:12:39 +00:00
deriveCap_untyped_derived[where slot=slot and c'=cap] deriveCap_not_null[where slot=slot and cap=cap]
2014-07-14 19:32:44 +00:00
apply (clarsimp simp: validE_R_def validE_def valid_def split: sum.split)
apply (frule in_inv_by_hoareD[OF deriveCap_inv])
2016-05-30 13:12:39 +00:00
apply (clarsimp simp: o_def)
2014-07-14 19:32:44 +00:00
apply (drule spec, erule mp)
apply safe
2016-05-30 13:12:39 +00:00
apply fastforce
apply (drule spec, drule(1) mp)
2014-07-14 19:32:44 +00:00
apply fastforce
apply (drule spec, drule(1) mp)
apply fastforce
apply (drule spec, drule(1) bspec, simp)
done
lemma valid_mdb_untyped_incD':
"valid_mdb' s \<Longrightarrow> untyped_inc' (ctes_of s)"
by (simp add: valid_mdb'_def valid_mdb_ctes_def)
lemma cteInsert_cte_wp_at:
2017-07-12 05:13:51 +00:00
"\<lbrace>\<lambda>s. cte_wp_at' (\<lambda>c. is_derived' (ctes_of s) src cap (cteCap c)) src s
2014-07-14 19:32:44 +00:00
\<and> valid_mdb' s \<and> valid_objs' s
2017-07-12 05:13:51 +00:00
\<and> (if p = dest then P cap
2014-07-14 19:32:44 +00:00
else cte_wp_at' (\<lambda>c. P (maskedAsFull (cteCap c) cap)) p s)\<rbrace>
2017-07-12 05:13:51 +00:00
cteInsert cap src dest
2014-07-14 19:32:44 +00:00
\<lbrace>\<lambda>uu. cte_wp_at' (\<lambda>c. P (cteCap c)) p\<rbrace>"
apply (simp add: cteInsert_def)
apply (wp updateMDB_weak_cte_wp_at updateCap_cte_wp_at_cases getCTE_wp static_imp_wp
| clarsimp simp: comp_def
| unfold setUntypedCapAsFull_def)+
apply (drule cte_at_cte_wp_atD)
apply (elim exE)
apply (rule_tac x=cte in exI)
apply clarsimp
apply (drule cte_at_cte_wp_atD)
apply (elim exE)
apply (rule_tac x=ctea in exI)
apply clarsimp
apply (cases "p=dest")
apply (clarsimp simp: cte_wp_at'_def)
apply (cases "p=src")
apply clarsimp
apply (intro conjI impI)
2016-10-25 06:01:30 +00:00
apply ((clarsimp simp: cte_wp_at'_def maskedAsFull_def split: if_split_asm)+)[2]
2015-05-12 15:17:31 +00:00
apply clarsimp
2014-07-14 19:32:44 +00:00
apply (rule conjI)
2016-10-25 06:01:30 +00:00
apply (clarsimp simp: maskedAsFull_def cte_wp_at_ctes_of split:if_split_asm)
2014-07-14 19:32:44 +00:00
apply (erule disjE) prefer 2 apply simp
apply (clarsimp simp: is_derived'_def isCap_simps)
2015-05-12 15:17:31 +00:00
apply (drule valid_mdb_untyped_incD')
2014-07-14 19:32:44 +00:00
apply (case_tac cte, case_tac cteb, clarsimp)
apply (drule untyped_incD', (simp add: isCap_simps)+)
apply (frule(1) ctes_of_valid'[where p = p])
apply (clarsimp simp:valid_cap'_def capAligned_def split:if_splits)
2015-05-12 15:17:31 +00:00
apply (drule_tac y ="of_nat fb" in word_plus_mono_right[OF _ is_aligned_no_overflow',rotated])
2014-07-14 19:32:44 +00:00
apply simp+
apply (rule word_of_nat_less)
apply simp
apply (simp add:p_assoc_help)
apply (simp add: max_free_index_def)
2017-07-12 05:13:51 +00:00
apply (clarsimp simp: maskedAsFull_def is_derived'_def badge_derived'_def
2014-07-14 19:32:44 +00:00
isCap_simps capMasterCap_def cte_wp_at_ctes_of
2016-10-25 06:01:30 +00:00
split: if_split_asm capability.splits)
2014-07-14 19:32:44 +00:00
done
lemma cteInsert_weak_cte_wp_at3:
assumes imp:"\<And>c. P c \<Longrightarrow> \<not> isUntypedCap c"
2017-07-12 05:13:51 +00:00
shows " \<lbrace>\<lambda>s. if p = dest then P cap
2014-07-14 19:32:44 +00:00
else cte_wp_at' (\<lambda>c. P (cteCap c)) p s\<rbrace>
2017-07-12 05:13:51 +00:00
cteInsert cap src dest
2014-07-14 19:32:44 +00:00
\<lbrace>\<lambda>uu. cte_wp_at' (\<lambda>c. P (cteCap c)) p\<rbrace>"
2015-05-12 15:17:31 +00:00
by (wp updateMDB_weak_cte_wp_at updateCap_cte_wp_at_cases getCTE_wp' static_imp_wp
2014-07-14 19:32:44 +00:00
| clarsimp simp: comp_def cteInsert_def
| unfold setUntypedCapAsFull_def
| auto simp: cte_wp_at'_def dest!: imp)+
lemma maskedAsFull_null_cap[simp]:
"(maskedAsFull x y = capability.NullCap) = (x = capability.NullCap)"
"(capability.NullCap = maskedAsFull x y) = (x = capability.NullCap)"
by (case_tac x, auto simp:maskedAsFull_def isCap_simps )
lemma maskCapRights_eq_null:
"(RetypeDecls_H.maskCapRights r xa = capability.NullCap) =
(xa = capability.NullCap)"
2015-05-12 15:17:31 +00:00
apply (cases xa; simp add: maskCapRights_def isCap_simps)
apply (rename_tac arch_capability)
2014-07-14 19:32:44 +00:00
apply (case_tac arch_capability)
2016-04-28 07:16:29 +00:00
apply (simp_all add: ARM_H.maskCapRights_def isCap_simps)
2014-07-14 19:32:44 +00:00
done
lemma cte_refs'_maskedAsFull[simp]:
"cte_refs' (maskedAsFull a b) = cte_refs' a"
apply (rule ext)+
apply (case_tac a)
apply (clarsimp simp:maskedAsFull_def isCap_simps)+
done
lemma tc_loop_corres:
"\<lbrakk> list_all2 (\<lambda>(cap, slot) (cap', slot'). cap_relation cap cap'
\<and> slot' = cte_map slot) caps caps';
mi' = message_info_map mi \<rbrakk> \<Longrightarrow>
2018-06-09 08:30:53 +00:00
corres ((=) \<circ> message_info_map)
2014-07-14 19:32:44 +00:00
(\<lambda>s. valid_objs s \<and> pspace_aligned s \<and> pspace_distinct s \<and> valid_mdb s
\<and> valid_list s
\<and> (case ep of Some x \<Rightarrow> ep_at x s | _ \<Rightarrow> True)
\<and> (\<forall>x \<in> set slots. cte_wp_at (\<lambda>cap. cap = cap.NullCap) x s \<and>
real_cte_at x s)
\<and> (\<forall>(cap, slot) \<in> set caps. valid_cap cap s \<and>
cte_wp_at (\<lambda>cp'. (cap \<noteq> cap.NullCap \<longrightarrow> cp'\<noteq>cap \<longrightarrow> cp' = masked_as_full cap cap )) slot s )
\<and> distinct slots
\<and> in_user_frame buffer s)
2017-07-12 05:13:51 +00:00
(\<lambda>s. valid_pspace' s
2014-07-14 19:32:44 +00:00
\<and> (case ep of Some x \<Rightarrow> ep_at' x s | _ \<Rightarrow> True)
\<and> (\<forall>x \<in> set (map cte_map slots).
cte_wp_at' (\<lambda>cte. cteCap cte = NullCap) x s
\<and> real_cte_at' x s)
\<and> distinct (map cte_map slots)
\<and> valid_ipc_buffer_ptr' buffer s
2017-07-12 05:13:51 +00:00
\<and> (\<forall>(cap, slot) \<in> set caps'. valid_cap' cap s \<and>
2014-07-14 19:32:44 +00:00
cte_wp_at' (\<lambda>cte. cap \<noteq> NullCap \<longrightarrow> cteCap cte \<noteq> cap \<longrightarrow> cteCap cte = maskedAsFull cap cap) slot s)
\<and> 2 + msg_max_length + n + length caps' < unat max_ipc_words)
2016-02-10 03:11:09 +00:00
(transfer_caps_loop ep buffer n caps slots mi)
(transferCapsToSlots ep buffer n caps'
2014-07-14 19:32:44 +00:00
(map cte_map slots) mi')"
(is "\<lbrakk> list_all2 ?P caps caps'; ?v \<rbrakk> \<Longrightarrow> ?corres")
proof (induct caps caps' arbitrary: slots n mi mi' rule: list_all2_induct)
case Nil
show ?case using Nil.prems by (case_tac mi, simp)
next
case (Cons x xs y ys slots n mi mi')
2015-05-12 15:17:31 +00:00
note if_weak_cong[cong] if_cong [cong del]
2014-07-14 19:32:44 +00:00
assume P: "?P x y"
show ?case using Cons.prems P
2016-10-25 06:01:30 +00:00
apply (clarsimp split del: if_split)
2014-07-14 19:32:44 +00:00
apply (simp add: Let_def split_def word_size liftE_bindE
2016-10-25 06:01:30 +00:00
word_bits_conv[symmetric] split del: if_split)
2014-07-14 19:32:44 +00:00
apply (rule corres_const_on_failure)
2016-10-25 06:01:30 +00:00
apply (simp add: dc_def[symmetric] split del: if_split)
2014-07-14 19:32:44 +00:00
apply (rule corres_guard_imp)
apply (rule corres_if2)
2014-08-11 04:50:56 +00:00
apply (case_tac "fst x", auto simp add: isCap_simps)[1]
2014-07-14 19:32:44 +00:00
apply (rule corres_split [OF _ corres_set_extra_badge])
apply (drule conjunct1)
apply simp
apply (rule corres_rel_imp, rule Cons.hyps, simp_all)[1]
apply (case_tac mi, simp)
apply (clarsimp simp: is_cap_simps)
apply (simp add: split_def)
apply (wp hoare_vcg_const_Ball_lift)
2014-08-11 04:50:56 +00:00
apply (subgoal_tac "obj_ref_of (fst x) = capEPPtr (fst y)")
2014-07-14 19:32:44 +00:00
prefer 2
apply (clarsimp simp: is_cap_simps)
apply (simp add: split_def)
apply (wp hoare_vcg_const_Ball_lift)
apply (rule_tac P="slots = []" and Q="slots \<noteq> []" in corres_disj_division)
apply simp
apply (rule corres_trivial, simp add: returnOk_def)
apply (case_tac mi, simp)
2016-10-25 06:01:30 +00:00
apply (simp add: list_case_If2 split del: if_split)
2014-07-14 19:32:44 +00:00
apply (rule corres_splitEE)
prefer 2
apply (rule unifyFailure_discard2)
apply (case_tac mi, clarsimp)
apply (rule derive_cap_corres)
2019-05-07 05:53:41 +00:00
apply (simp add: remove_rights_def)
2014-07-14 19:32:44 +00:00
apply clarsimp
apply (rule corres_split_norE)
apply (simp add: liftE_bindE)
apply (rule corres_split_nor)
prefer 2
apply (rule cins_corres, simp_all add: hd_map)[1]
apply (simp add: tl_map)
apply (rule corres_rel_imp, rule Cons.hyps, simp_all)[1]
2014-08-09 05:16:17 +00:00
apply (wp valid_case_option_post_wp hoare_vcg_const_Ball_lift
2014-07-14 19:32:44 +00:00
hoare_vcg_const_Ball_lift cap_insert_weak_cte_wp_at)
apply (wp hoare_vcg_const_Ball_lift | simp add:split_def del: imp_disj1)+
apply (wp cap_insert_cte_wp_at)
2014-08-09 05:16:17 +00:00
apply (wp valid_case_option_post_wp hoare_vcg_const_Ball_lift
2014-07-14 19:32:44 +00:00
cteInsert_valid_pspace
| simp add: split_def)+
2017-01-13 12:58:40 +00:00
apply (wp cteInsert_weak_cte_wp_at hoare_valid_ipc_buffer_ptr_typ_at')+
2014-08-09 05:16:17 +00:00
apply (wp hoare_vcg_const_Ball_lift cteInsert_cte_wp_at valid_case_option_post_wp
2014-07-14 19:32:44 +00:00
| simp add:split_def)+
apply (rule corres_whenE)
apply (case_tac cap', auto)[1]
apply (rule corres_trivial, simp)
apply (case_tac mi, simp)
apply simp
apply (unfold whenE_def)
2017-01-13 12:58:40 +00:00
apply wp+
2016-10-25 06:01:30 +00:00
apply (clarsimp simp: conj_comms ball_conj_distrib split del: if_split)
2017-07-12 05:13:51 +00:00
apply (rule_tac Q' ="\<lambda>cap' s. (cap'\<noteq> cap.NullCap \<longrightarrow>
2014-07-14 19:32:44 +00:00
cte_wp_at (is_derived (cdt s) (a, b) cap') (a, b) s
2015-05-12 15:17:31 +00:00
\<and> QM s cap')" for QM
2014-07-14 19:32:44 +00:00
in hoare_post_imp_R)
prefer 2
apply clarsimp
apply assumption
apply (subst imp_conjR)
apply (rule hoare_vcg_conj_liftE_R)
apply (rule derive_cap_is_derived)
2017-01-13 12:58:40 +00:00
apply (wp derive_cap_is_derived_foo)+
2016-10-25 06:01:30 +00:00
apply (simp split del: if_split)
2017-07-12 05:13:51 +00:00
apply (rule_tac Q' ="\<lambda>cap' s. (cap'\<noteq> capability.NullCap \<longrightarrow>
2014-07-14 19:32:44 +00:00
cte_wp_at' (\<lambda>c. is_derived' (ctes_of s) (cte_map (a, b)) cap' (cteCap c)) (cte_map (a, b)) s
2015-05-12 15:17:31 +00:00
\<and> QM s cap')" for QM
2014-07-14 19:32:44 +00:00
in hoare_post_imp_R)
prefer 2
apply clarsimp
apply assumption
apply (subst imp_conjR)
apply (rule hoare_vcg_conj_liftE_R)
apply (rule hoare_post_imp_R[OF deriveCap_derived])
apply (clarsimp simp:cte_wp_at_ctes_of)
apply (wp deriveCap_derived_foo)
apply (clarsimp simp: cte_wp_at_caps_of_state remove_rights_def
real_cte_tcb_valid if_apply_def2
2016-10-25 06:01:30 +00:00
split del: if_split)
apply (rule conjI, (clarsimp split del: if_split)+)
apply (clarsimp simp:conj_comms split del:if_split)
2014-07-14 19:32:44 +00:00
apply (intro conjI allI)
apply (clarsimp split:if_splits)
2014-08-11 04:50:56 +00:00
apply (case_tac "cap = fst x",simp+)
2014-07-14 19:32:44 +00:00
apply (clarsimp simp:masked_as_full_def is_cap_simps cap_master_cap_simps)
2016-10-25 06:01:30 +00:00
apply (clarsimp split del: if_split)
2014-07-14 19:32:44 +00:00
apply (intro conjI)
apply (clarsimp simp:neq_Nil_conv)
apply (drule hd_in_set)
apply (drule(1) bspec)
2016-10-25 06:01:30 +00:00
apply (clarsimp split:if_split_asm)
2014-07-14 19:32:44 +00:00
apply (fastforce simp:neq_Nil_conv)
apply (intro ballI conjI)
apply (clarsimp simp:neq_Nil_conv)
apply (intro impI)
apply (drule(1) bspec[OF _ subsetD[rotated]])
apply (clarsimp simp:neq_Nil_conv)
apply (clarsimp split:if_splits)
apply clarsimp
apply (intro conjI)
apply (drule(1) bspec,clarsimp)+
2016-01-12 05:44:35 +00:00
subgoal for \<dots> aa _ _ capa
by (case_tac "capa = aa"; clarsimp split:if_splits simp:masked_as_full_def is_cap_simps)
2015-05-12 15:17:31 +00:00
apply (case_tac "isEndpointCap (fst y) \<and> capEPPtr (fst y) = the ep \<and> (\<exists>y. ep = Some y)")
2016-10-25 06:01:30 +00:00
apply (clarsimp simp:conj_comms split del:if_split)
2014-07-14 19:32:44 +00:00
apply (subst if_not_P)
apply clarsimp
2016-10-25 06:01:30 +00:00
apply (clarsimp simp:valid_pspace'_def cte_wp_at_ctes_of split del:if_split)
2014-07-14 19:32:44 +00:00
apply (intro conjI)
2014-08-11 04:50:56 +00:00
apply (case_tac "cteCap cte = fst y",clarsimp simp: badge_derived'_def)
2015-05-12 15:17:31 +00:00
apply (clarsimp simp: maskCapRights_eq_null maskedAsFull_def badge_derived'_def isCap_simps
2016-10-25 06:01:30 +00:00
split: if_split_asm)
apply (clarsimp split del: if_split)
2014-08-11 04:50:56 +00:00
apply (case_tac "fst y = capability.NullCap")
2016-10-25 06:01:30 +00:00
apply (clarsimp simp: neq_Nil_conv split del: if_split)+
2014-07-14 19:32:44 +00:00
apply (intro allI impI conjI)
apply (clarsimp split:if_splits)
apply (clarsimp simp:image_def)+
2015-05-12 15:17:31 +00:00
apply (thin_tac "\<forall>x\<in>set ys. Q x" for Q)
2014-07-14 19:32:44 +00:00
apply (drule(1) bspec)+
apply clarsimp+
apply (drule(1) bspec)
apply (rule conjI)
apply clarsimp+
apply (case_tac "cteCap cteb = ab")
2016-01-12 05:44:35 +00:00
by (clarsimp simp: isCap_simps maskedAsFull_def split:if_splits)+
2014-07-14 19:32:44 +00:00
qed
declare constOnFailure_wp [wp]
2016-08-23 12:31:49 +00:00
lemma transferCapsToSlots_pres1[crunch_rules]:
2014-07-14 19:32:44 +00:00
assumes x: "\<And>cap src dest. \<lbrace>P\<rbrace> cteInsert cap src dest \<lbrace>\<lambda>rv. P\<rbrace>"
assumes eb: "\<And>b n. \<lbrace>P\<rbrace> setExtraBadge buffer b n \<lbrace>\<lambda>_. P\<rbrace>"
2016-02-10 03:11:09 +00:00
shows "\<lbrace>P\<rbrace> transferCapsToSlots ep buffer n caps slots mi \<lbrace>\<lambda>rv. P\<rbrace>"
2014-07-14 19:32:44 +00:00
apply (induct caps arbitrary: slots n mi)
apply simp
apply (simp add: Let_def split_def whenE_def
cong: if_cong list.case_cong
2016-10-25 06:01:30 +00:00
split del: if_split)
2014-07-14 19:32:44 +00:00
apply (rule hoare_pre)
2016-10-25 06:01:30 +00:00
apply (wp x eb | assumption | simp split del: if_split | wpc
2019-05-06 06:34:44 +00:00
| wp (once) hoare_drop_imps)+
2014-07-14 19:32:44 +00:00
done
lemma cteInsert_cte_cap_to':
"\<lbrace>ex_cte_cap_to' p and cte_wp_at' (\<lambda>cte. cteCap cte = NullCap) dest\<rbrace>
cteInsert cap src dest
\<lbrace>\<lambda>rv. ex_cte_cap_to' p\<rbrace>"
apply (simp add: ex_cte_cap_to'_def)
apply (rule hoare_pre)
apply (rule hoare_use_eq_irq_node' [OF cteInsert_ksInterruptState])
apply (clarsimp simp:cteInsert_def)
apply (wp hoare_vcg_ex_lift updateMDB_weak_cte_wp_at updateCap_cte_wp_at_cases
setUntypedCapAsFull_cte_wp_at getCTE_wp static_imp_wp)
apply (clarsimp simp:cte_wp_at_ctes_of)
apply (rule_tac x = "cref" in exI)
apply (rule conjI)
apply clarsimp+
done
2015-05-12 15:17:31 +00:00
declare maskCapRights_eq_null[simp]
2014-07-14 19:32:44 +00:00
crunch ex_cte_cap_wp_to' [wp]: setExtraBadge "ex_cte_cap_wp_to' P p"
2016-08-23 12:31:49 +00:00
(rule: ex_cte_cap_to'_pres)
2014-07-14 19:32:44 +00:00
crunch valid_objs' [wp]: setExtraBadge valid_objs'
crunch aligned' [wp]: setExtraBadge pspace_aligned'
crunch distinct' [wp]: setExtraBadge pspace_distinct'
lemma cteInsert_assume_Null:
"\<lbrace>P\<rbrace> cteInsert cap src dest \<lbrace>Q\<rbrace> \<Longrightarrow>
\<lbrace>\<lambda>s. cte_wp_at' (\<lambda>cte. cteCap cte = NullCap) dest s \<longrightarrow> P s\<rbrace>
cteInsert cap src dest
\<lbrace>Q\<rbrace>"
apply (rule hoare_name_pre_state)
apply (erule impCE)
apply (simp add: cteInsert_def)
apply (rule hoare_seq_ext[OF _ getCTE_sp])+
apply (rule hoare_name_pre_state)
apply (clarsimp simp: cte_wp_at_ctes_of)
apply (erule hoare_pre(1))
apply simp
done
crunch mdb'[wp]: setExtraBadge valid_mdb'
lemma cteInsert_weak_cte_wp_at2:
assumes weak:"\<And>c cap. P (maskedAsFull c cap) = P c"
shows
"\<lbrace>\<lambda>s. if p = dest then P cap else cte_wp_at' (\<lambda>c. P (cteCap c)) p s\<rbrace>
2017-07-12 05:13:51 +00:00
cteInsert cap src dest
2014-07-14 19:32:44 +00:00
\<lbrace>\<lambda>uu. cte_wp_at' (\<lambda>c. P (cteCap c)) p\<rbrace>"
apply (rule hoare_pre)
apply (rule hoare_use_eq_irq_node' [OF cteInsert_ksInterruptState])
apply (clarsimp simp:cteInsert_def)
apply (wp hoare_vcg_ex_lift updateMDB_weak_cte_wp_at updateCap_cte_wp_at_cases
setUntypedCapAsFull_cte_wp_at getCTE_wp static_imp_wp)
apply (clarsimp simp:cte_wp_at_ctes_of weak)
apply auto
done
lemma transferCapsToSlots_presM:
assumes x: "\<And>cap src dest. \<lbrace>\<lambda>s. P s \<and> (emx \<longrightarrow> cte_wp_at' (\<lambda>cte. cteCap cte = NullCap) dest s \<and> ex_cte_cap_to' dest s)
\<and> (vo \<longrightarrow> valid_objs' s \<and> valid_cap' cap s \<and> real_cte_at' dest s)
2016-05-30 13:12:39 +00:00
\<and> (drv \<longrightarrow> cte_wp_at' (is_derived' (ctes_of s) src cap \<circ> cteCap) src s
\<and> cte_wp_at' (untyped_derived_eq cap o cteCap) src s
\<and> valid_mdb' s)
2014-07-14 19:32:44 +00:00
\<and> (pad \<longrightarrow> pspace_aligned' s \<and> pspace_distinct' s)\<rbrace>
cteInsert cap src dest \<lbrace>\<lambda>rv. P\<rbrace>"
assumes eb: "\<And>b n. \<lbrace>P\<rbrace> setExtraBadge buffer b n \<lbrace>\<lambda>_. P\<rbrace>"
shows "\<lbrace>\<lambda>s. P s
\<and> (emx \<longrightarrow> (\<forall>x \<in> set slots. ex_cte_cap_to' x s \<and> cte_wp_at' (\<lambda>cte. cteCap cte = NullCap) x s) \<and> distinct slots)
\<and> (vo \<longrightarrow> valid_objs' s \<and> (\<forall>x \<in> set slots. real_cte_at' x s \<and> cte_wp_at' (\<lambda>cte. cteCap cte = NullCap) x s)
\<and> (\<forall>x \<in> set caps. s \<turnstile>' fst x ) \<and> distinct slots)
\<and> (pad \<longrightarrow> pspace_aligned' s \<and> pspace_distinct' s)
2016-09-12 00:19:22 +00:00
\<and> (drv \<longrightarrow> vo \<and> pspace_aligned' s \<and> pspace_distinct' s \<and> valid_mdb' s
\<and> length slots \<le> 1
\<and> (\<forall>x \<in> set caps. s \<turnstile>' fst x \<and> (slots \<noteq> []
\<longrightarrow> cte_wp_at' (\<lambda>cte. fst x \<noteq> NullCap \<longrightarrow> cteCap cte = fst x) (snd x) s)))\<rbrace>
2016-02-10 03:11:09 +00:00
transferCapsToSlots ep buffer n caps slots mi
2014-07-14 19:32:44 +00:00
\<lbrace>\<lambda>rv. P\<rbrace>"
apply (induct caps arbitrary: slots n mi)
apply (simp, wp, simp)
apply (simp add: Let_def split_def whenE_def
2016-10-25 06:01:30 +00:00
cong: if_cong list.case_cong split del: if_split)
2014-07-14 19:32:44 +00:00
apply (rule hoare_pre)
apply (wp eb hoare_vcg_const_Ball_lift hoare_vcg_const_imp_lift
| assumption | wpc)+
apply (rule cteInsert_assume_Null)
apply (wp x hoare_vcg_const_Ball_lift cteInsert_cte_cap_to' static_imp_wp)
apply (rule cteInsert_weak_cte_wp_at2,clarsimp)
2017-01-13 12:58:40 +00:00
apply (wp hoare_vcg_const_Ball_lift static_imp_wp)+
2014-07-14 19:32:44 +00:00
apply (rule cteInsert_weak_cte_wp_at2,clarsimp)
2016-09-12 00:19:22 +00:00
apply (wp hoare_vcg_const_Ball_lift cteInsert_cte_wp_at static_imp_wp
2017-01-13 12:58:40 +00:00
deriveCap_derived_foo)+
2016-09-12 00:19:22 +00:00
apply (thin_tac "\<And>slots. PROP P slots" for P)
2014-07-14 19:32:44 +00:00
apply (clarsimp simp: cte_wp_at_ctes_of remove_rights_def
real_cte_tcb_valid if_apply_def2
2016-10-25 06:01:30 +00:00
split del: if_split)
2016-02-10 03:11:09 +00:00
apply (rule conjI)
2016-09-12 00:19:22 +00:00
apply (clarsimp simp:cte_wp_at_ctes_of untyped_derived_eq_def)
2014-07-14 19:32:44 +00:00
apply (intro conjI allI)
apply (clarsimp simp:Fun.comp_def cte_wp_at_ctes_of)+
apply (clarsimp simp:valid_capAligned)
2016-09-12 00:19:22 +00:00
done
2014-07-14 19:32:44 +00:00
lemmas transferCapsToSlots_pres2
= transferCapsToSlots_presM[where vo=False and emx=True
and drv=False and pad=False, simplified]
lemma transferCapsToSlots_aligned'[wp]:
"\<lbrace>pspace_aligned'\<rbrace>
2016-02-10 03:11:09 +00:00
transferCapsToSlots ep buffer n caps slots mi
2014-07-14 19:32:44 +00:00
\<lbrace>\<lambda>rv. pspace_aligned'\<rbrace>"
by (wp transferCapsToSlots_pres1)
lemma transferCapsToSlots_distinct'[wp]:
"\<lbrace>pspace_distinct'\<rbrace>
2016-02-10 03:11:09 +00:00
transferCapsToSlots ep buffer n caps slots mi
2014-07-14 19:32:44 +00:00
\<lbrace>\<lambda>rv. pspace_distinct'\<rbrace>"
by (wp transferCapsToSlots_pres1)
lemma transferCapsToSlots_typ_at'[wp]:
"\<lbrace>\<lambda>s. P (typ_at' T p s)\<rbrace>
2016-02-10 03:11:09 +00:00
transferCapsToSlots ep buffer n caps slots mi
2014-07-14 19:32:44 +00:00
\<lbrace>\<lambda>rv s. P (typ_at' T p s)\<rbrace>"
by (wp transferCapsToSlots_pres1 setExtraBadge_typ_at')
lemma transferCapsToSlots_valid_objs[wp]:
"\<lbrace>valid_objs' and valid_mdb' and (\<lambda>s. \<forall>x \<in> set slots. real_cte_at' x s \<and> cte_wp_at' (\<lambda>cte. cteCap cte = capability.NullCap) x s)
and (\<lambda>s. \<forall>x \<in> set caps. s \<turnstile>' fst x) and K(distinct slots)\<rbrace>
2016-02-10 03:11:09 +00:00
transferCapsToSlots ep buffer n caps slots mi
2014-07-14 19:32:44 +00:00
\<lbrace>\<lambda>rv. valid_objs'\<rbrace>"
apply (rule hoare_pre)
apply (rule transferCapsToSlots_presM[where vo=True and emx=False and drv=False and pad=False])
apply (wp | simp)+
done
abbreviation(input)
"transferCaps_srcs caps s \<equiv> \<forall>x\<in>set caps. cte_wp_at' (\<lambda>cte. fst x \<noteq> NullCap \<longrightarrow> cteCap cte = fst x) (snd x) s"
lemma transferCapsToSlots_mdb[wp]:
"\<lbrace>\<lambda>s. valid_pspace' s \<and> distinct slots
2016-09-12 00:19:22 +00:00
\<and> length slots \<le> 1
2014-07-14 19:32:44 +00:00
\<and> (\<forall>x \<in> set slots. ex_cte_cap_to' x s \<and> cte_wp_at' (\<lambda>cte. cteCap cte = capability.NullCap) x s)
\<and> (\<forall>x \<in> set slots. real_cte_at' x s)
\<and> transferCaps_srcs caps s\<rbrace>
2016-02-10 03:11:09 +00:00
transferCapsToSlots ep buffer n caps slots mi
2014-07-14 19:32:44 +00:00
\<lbrace>\<lambda>rv. valid_mdb'\<rbrace>"
apply (wp transferCapsToSlots_presM[where drv=True and vo=True and emx=True and pad=True])
apply clarsimp
apply (frule valid_capAligned)
apply (clarsimp simp: cte_wp_at_ctes_of is_derived'_def badge_derived'_def)
apply wp
apply (clarsimp simp: valid_pspace'_def)
apply (clarsimp simp:cte_wp_at_ctes_of)
apply (drule(1) bspec,clarify)
2016-09-12 00:19:22 +00:00
apply (case_tac cte)
apply (clarsimp dest!:ctes_of_valid_cap' split:if_splits)
apply (fastforce simp:valid_cap'_def)
2014-07-14 19:32:44 +00:00
done
crunch no_0' [wp]: setExtraBadge no_0_obj'
lemma transferCapsToSlots_no_0_obj' [wp]:
2016-02-10 03:11:09 +00:00
"\<lbrace>no_0_obj'\<rbrace> transferCapsToSlots ep buffer n caps slots mi \<lbrace>\<lambda>rv. no_0_obj'\<rbrace>"
2014-07-14 19:32:44 +00:00
by (wp transferCapsToSlots_pres1)
lemma transferCapsToSlots_vp[wp]:
"\<lbrace>\<lambda>s. valid_pspace' s \<and> distinct slots
2016-09-12 00:19:22 +00:00
\<and> length slots \<le> 1
2014-07-14 19:32:44 +00:00
\<and> (\<forall>x \<in> set slots. ex_cte_cap_to' x s \<and> cte_wp_at' (\<lambda>cte. cteCap cte = capability.NullCap) x s)
\<and> (\<forall>x \<in> set slots. real_cte_at' x s)
\<and> transferCaps_srcs caps s\<rbrace>
2016-02-10 03:11:09 +00:00
transferCapsToSlots ep buffer n caps slots mi
2014-07-14 19:32:44 +00:00
\<lbrace>\<lambda>rv. valid_pspace'\<rbrace>"
apply (rule hoare_pre)
apply (simp add: valid_pspace'_def | wp)+
apply (fastforce simp: cte_wp_at_ctes_of dest: ctes_of_valid')
done
2016-08-23 12:31:49 +00:00
crunch sch_act [wp]: setExtraBadge, doIPCTransfer "\<lambda>s. P (ksSchedulerAction s)"
(wp: crunch_wps mapME_wp' simp: zipWithM_x_mapM)
2015-09-02 05:43:39 +00:00
crunch pred_tcb_at' [wp]: setExtraBadge "\<lambda>s. pred_tcb_at' proj P p s"
2014-07-14 19:32:44 +00:00
crunch ksCurThread[wp]: setExtraBadge "\<lambda>s. P (ksCurThread s)"
crunch ksCurDomain[wp]: setExtraBadge "\<lambda>s. P (ksCurDomain s)"
crunch obj_at' [wp]: setExtraBadge "\<lambda>s. P' (obj_at' P p s)"
(simp: storeWordUser_def)
crunch queues [wp]: setExtraBadge "\<lambda>s. P (ksReadyQueues s)"
2015-08-21 03:27:17 +00:00
crunch queuesL1 [wp]: setExtraBadge "\<lambda>s. P (ksReadyQueuesL1Bitmap s)"
crunch queuesL2 [wp]: setExtraBadge "\<lambda>s. P (ksReadyQueuesL2Bitmap s)"
2014-07-14 19:32:44 +00:00
lemma tcts_sch_act[wp]:
"\<lbrace>\<lambda>s. sch_act_wf (ksSchedulerAction s) s\<rbrace>
2016-02-10 03:11:09 +00:00
transferCapsToSlots ep buffer n caps slots mi
2014-07-14 19:32:44 +00:00
\<lbrace>\<lambda>rv s. sch_act_wf (ksSchedulerAction s) s\<rbrace>"
by (wp sch_act_wf_lift tcb_in_cur_domain'_lift transferCapsToSlots_pres1)
lemma tcts_vq[wp]:
2016-02-10 03:11:09 +00:00
"\<lbrace>Invariants_H.valid_queues\<rbrace> transferCapsToSlots ep buffer n caps slots mi \<lbrace>\<lambda>rv. Invariants_H.valid_queues\<rbrace>"
2014-07-14 19:32:44 +00:00
by (wp valid_queues_lift transferCapsToSlots_pres1)
lemma tcts_vq'[wp]:
2016-02-10 03:11:09 +00:00
"\<lbrace>valid_queues'\<rbrace> transferCapsToSlots ep buffer n caps slots mi \<lbrace>\<lambda>rv. valid_queues'\<rbrace>"
2014-07-14 19:32:44 +00:00
by (wp valid_queues_lift' transferCapsToSlots_pres1)
crunch state_refs_of' [wp]: setExtraBadge "\<lambda>s. P (state_refs_of' s)"
lemma tcts_state_refs_of'[wp]:
"\<lbrace>\<lambda>s. P (state_refs_of' s)\<rbrace>
2016-02-10 03:11:09 +00:00
transferCapsToSlots ep buffer n caps slots mi
2014-07-14 19:32:44 +00:00
\<lbrace>\<lambda>rv s. P (state_refs_of' s)\<rbrace>"
by (wp transferCapsToSlots_pres1)
crunch if_live' [wp]: setExtraBadge if_live_then_nonz_cap'
lemma tcts_iflive[wp]:
"\<lbrace>\<lambda>s. if_live_then_nonz_cap' s \<and> distinct slots \<and>
(\<forall>x\<in>set slots.
ex_cte_cap_to' x s \<and> cte_wp_at' (\<lambda>cte. cteCap cte = capability.NullCap) x s)\<rbrace>
2016-02-10 03:11:09 +00:00
transferCapsToSlots ep buffer n caps slots mi
2014-07-14 19:32:44 +00:00
\<lbrace>\<lambda>rv. if_live_then_nonz_cap'\<rbrace>"
by (wp transferCapsToSlots_pres2 | simp)+
crunch if_unsafe' [wp]: setExtraBadge if_unsafe_then_cap'
lemma tcts_ifunsafe[wp]:
"\<lbrace>\<lambda>s. if_unsafe_then_cap' s \<and> distinct slots \<and>
(\<forall>x\<in>set slots. cte_wp_at' (\<lambda>cte. cteCap cte = capability.NullCap) x s \<and>
2016-02-10 03:11:09 +00:00
ex_cte_cap_to' x s)\<rbrace> transferCapsToSlots ep buffer n caps slots mi
2014-07-14 19:32:44 +00:00
\<lbrace>\<lambda>rv. if_unsafe_then_cap'\<rbrace>"
by (wp transferCapsToSlots_pres2 | simp)+
crunch it[wp]: ensureNoChildren "\<lambda>s. P (ksIdleThread s)"
crunch idle'[wp]: deriveCap "valid_idle'"
crunch valid_idle' [wp]: setExtraBadge valid_idle'
lemma tcts_idle'[wp]:
2016-02-10 03:11:09 +00:00
"\<lbrace>\<lambda>s. valid_idle' s\<rbrace> transferCapsToSlots ep buffer n caps slots mi
2014-07-14 19:32:44 +00:00
\<lbrace>\<lambda>rv. valid_idle'\<rbrace>"
2017-07-12 05:13:51 +00:00
apply (rule hoare_pre)
2014-07-14 19:32:44 +00:00
apply (wp transferCapsToSlots_pres1)
apply simp
done
lemma tcts_ct[wp]:
2016-02-10 03:11:09 +00:00
"\<lbrace>cur_tcb'\<rbrace> transferCapsToSlots ep buffer n caps slots mi \<lbrace>\<lambda>rv. cur_tcb'\<rbrace>"
2014-07-14 19:32:44 +00:00
by (wp transferCapsToSlots_pres1 cur_tcb_lift)
crunch valid_arch_state' [wp]: setExtraBadge valid_arch_state'
lemma transferCapsToSlots_valid_arch [wp]:
2016-02-10 03:11:09 +00:00
"\<lbrace>valid_arch_state'\<rbrace> transferCapsToSlots ep buffer n caps slots mi \<lbrace>\<lambda>rv. valid_arch_state'\<rbrace>"
2017-01-13 12:58:40 +00:00
by (rule transferCapsToSlots_pres1; wp)
2014-07-14 19:32:44 +00:00
crunch valid_global_refs' [wp]: setExtraBadge valid_global_refs'
lemma transferCapsToSlots_valid_globals [wp]:
"\<lbrace>valid_global_refs' and valid_objs' and valid_mdb' and pspace_distinct' and pspace_aligned' and K (distinct slots)
2016-09-12 00:19:22 +00:00
and K (length slots \<le> 1)
2014-07-14 19:32:44 +00:00
and (\<lambda>s. \<forall>x \<in> set slots. real_cte_at' x s \<and> cte_wp_at' (\<lambda>cte. cteCap cte = capability.NullCap) x s)
2017-07-12 05:13:51 +00:00
and transferCaps_srcs caps\<rbrace>
transferCapsToSlots ep buffer n caps slots mi
2014-07-14 19:32:44 +00:00
\<lbrace>\<lambda>rv. valid_global_refs'\<rbrace>"
apply (wp transferCapsToSlots_presM[where vo=True and emx=False and drv=True and pad=True] | clarsimp)+
apply (clarsimp simp:cte_wp_at_ctes_of)
2016-09-12 00:19:22 +00:00
apply (drule(1) bspec,clarsimp)
apply (case_tac cte,clarsimp)
apply (frule(1) CSpace_I.ctes_of_valid_cap')
apply (fastforce simp:valid_cap'_def)
2014-07-14 19:32:44 +00:00
done
crunch irq_node' [wp]: setExtraBadge "\<lambda>s. P (irq_node' s)"
lemma transferCapsToSlots_irq_node'[wp]:
2016-02-10 03:11:09 +00:00
"\<lbrace>\<lambda>s. P (irq_node' s)\<rbrace> transferCapsToSlots ep buffer n caps slots mi \<lbrace>\<lambda>rv s. P (irq_node' s)\<rbrace>"
2014-07-14 19:32:44 +00:00
by (wp transferCapsToSlots_pres1)
lemma valid_irq_handlers_ctes_ofD:
"\<lbrakk> ctes_of s p = Some cte; cteCap cte = IRQHandlerCap irq; valid_irq_handlers' s \<rbrakk>
\<Longrightarrow> irq_issued' irq s"
by (auto simp: valid_irq_handlers'_def cteCaps_of_def ran_def)
crunch valid_irq_handlers' [wp]: setExtraBadge valid_irq_handlers'
lemma transferCapsToSlots_irq_handlers[wp]:
"\<lbrace>valid_irq_handlers' and valid_objs' and valid_mdb' and pspace_distinct' and pspace_aligned'
2016-09-12 00:19:22 +00:00
and K(distinct slots \<and> length slots \<le> 1)
2014-07-14 19:32:44 +00:00
and (\<lambda>s. \<forall>x \<in> set slots. real_cte_at' x s \<and> cte_wp_at' (\<lambda>cte. cteCap cte = capability.NullCap) x s)
and transferCaps_srcs caps\<rbrace>
2017-07-12 05:13:51 +00:00
transferCapsToSlots ep buffer n caps slots mi
2014-07-14 19:32:44 +00:00
\<lbrace>\<lambda>rv. valid_irq_handlers'\<rbrace>"
apply (wp transferCapsToSlots_presM[where vo=True and emx=False and drv=True and pad=False])
apply (clarsimp simp: is_derived'_def cte_wp_at_ctes_of badge_derived'_def)
apply (erule(2) valid_irq_handlers_ctes_ofD)
apply wp
apply (clarsimp simp:cte_wp_at_ctes_of | intro ballI conjI)+
2016-09-12 00:19:22 +00:00
apply (drule(1) bspec,clarsimp)
apply (case_tac cte,clarsimp)
apply (frule(1) CSpace_I.ctes_of_valid_cap')
apply (fastforce simp:valid_cap'_def)
2014-07-14 19:32:44 +00:00
done
crunch irq_state' [wp]: setExtraBadge "\<lambda>s. P (ksInterruptState s)"
2017-07-12 05:13:51 +00:00
lemma setExtraBadge_irq_states'[wp]:
2014-07-14 19:32:44 +00:00
"\<lbrace>valid_irq_states'\<rbrace> setExtraBadge buffer b n \<lbrace>\<lambda>_. valid_irq_states'\<rbrace>"
apply (wp valid_irq_states_lift')
2017-01-13 12:58:40 +00:00
apply (simp add: setExtraBadge_def storeWordUser_def)
2018-03-14 00:48:48 +00:00
apply (wpsimp wp: no_irq dmo_lift' no_irq_storeWord)
2017-01-13 12:58:40 +00:00
apply assumption
2014-07-14 19:32:44 +00:00
done
2016-05-30 13:12:39 +00:00
2017-07-12 05:13:51 +00:00
lemma transferCapsToSlots_irq_states' [wp]:
2016-02-10 03:11:09 +00:00
"\<lbrace>valid_irq_states'\<rbrace> transferCapsToSlots ep buffer n caps slots mi \<lbrace>\<lambda>_. valid_irq_states'\<rbrace>"
2014-07-14 19:32:44 +00:00
by (wp transferCapsToSlots_pres1)
crunch valid_pde_mappings' [wp]: setExtraBadge valid_pde_mappings'
lemma transferCapsToSlots_pde_mappings'[wp]:
2016-02-10 03:11:09 +00:00
"\<lbrace>valid_pde_mappings'\<rbrace> transferCapsToSlots ep buffer n caps slots mi \<lbrace>\<lambda>rv. valid_pde_mappings'\<rbrace>"
2014-07-14 19:32:44 +00:00
by (wp transferCapsToSlots_pres1)
lemma transferCapsToSlots_irqs_masked'[wp]:
2016-02-10 03:11:09 +00:00
"\<lbrace>irqs_masked'\<rbrace> transferCapsToSlots ep buffer n caps slots mi \<lbrace>\<lambda>rv. irqs_masked'\<rbrace>"
2014-07-14 19:32:44 +00:00
by (wp transferCapsToSlots_pres1 irqs_masked_lift)
lemma storeWordUser_vms'[wp]:
"\<lbrace>valid_machine_state'\<rbrace> storeWordUser a w \<lbrace>\<lambda>_. valid_machine_state'\<rbrace>"
proof -
have aligned_offset_ignore:
"\<And>(l::word32) (p::word32) sz. l<4 \<Longrightarrow> p && mask 2 = 0 \<Longrightarrow>
p+l && ~~ mask pageBits = p && ~~ mask pageBits"
proof -
fix l p sz
assume al: "(p::word32) && mask 2 = 0"
assume "(l::word32) < 4" hence less: "l<2^2" by simp
have le: "2 \<le> pageBits" by (simp add: pageBits_def)
show "?thesis l p sz"
by (rule is_aligned_add_helper[simplified is_aligned_mask,
THEN conjunct2, THEN mask_out_first_mask_some,
where n=2, OF al less le])
qed
show ?thesis
apply (simp add: valid_machine_state'_def storeWordUser_def
doMachineOp_def split_def)
apply wp
apply clarsimp
apply (drule use_valid)
apply (rule_tac x=p in storeWord_um_inv, simp+)
apply (drule_tac x=p in spec)
apply (erule disjE, simp_all)
apply (erule conjE)
apply (erule disjE, simp)
apply (simp add: pointerInUserData_def word_size)
apply (subgoal_tac "a && ~~ mask pageBits = p && ~~ mask pageBits", simp)
apply (simp only: is_aligned_mask[of _ 2])
apply (elim disjE, simp_all)
apply (rule aligned_offset_ignore[symmetric], simp+)+
done
qed
lemma setExtraBadge_vms'[wp]:
"\<lbrace>valid_machine_state'\<rbrace> setExtraBadge buffer b n \<lbrace>\<lambda>_. valid_machine_state'\<rbrace>"
by (simp add: setExtraBadge_def) wp
lemma transferCapsToSlots_vms[wp]:
"\<lbrace>\<lambda>s. valid_machine_state' s\<rbrace>
2016-02-10 03:11:09 +00:00
transferCapsToSlots ep buffer n caps slots mi
2014-07-14 19:32:44 +00:00
\<lbrace>\<lambda>_ s. valid_machine_state' s\<rbrace>"
by (wp transferCapsToSlots_pres1)
crunch pspace_domain_valid[wp]: setExtraBadge, transferCapsToSlots
"pspace_domain_valid"
crunch ct_not_inQ[wp]: setExtraBadge "ct_not_inQ"
lemma tcts_ct_not_inQ[wp]:
"\<lbrace>ct_not_inQ\<rbrace>
2016-02-10 03:11:09 +00:00
transferCapsToSlots ep buffer n caps slots mi
2014-07-14 19:32:44 +00:00
\<lbrace>\<lambda>_. ct_not_inQ\<rbrace>"
by (wp transferCapsToSlots_pres1)
2016-05-30 13:12:39 +00:00
crunch gsUntypedZeroRanges[wp]: setExtraBadge "\<lambda>s. P (gsUntypedZeroRanges s)"
crunch ctes_of[wp]: setExtraBadge "\<lambda>s. P (ctes_of s)"
lemma tcts_zero_ranges[wp]:
"\<lbrace>\<lambda>s. untyped_ranges_zero' s \<and> valid_pspace' s \<and> distinct slots
\<and> (\<forall>x \<in> set slots. ex_cte_cap_to' x s \<and> cte_wp_at' (\<lambda>cte. cteCap cte = capability.NullCap) x s)
\<and> (\<forall>x \<in> set slots. real_cte_at' x s)
2016-09-12 00:19:22 +00:00
\<and> length slots \<le> 1
2016-05-30 13:12:39 +00:00
\<and> transferCaps_srcs caps s\<rbrace>
transferCapsToSlots ep buffer n caps slots mi
\<lbrace>\<lambda>rv. untyped_ranges_zero'\<rbrace>"
apply (wp transferCapsToSlots_presM[where emx=True and vo=True
and drv=True and pad=True])
apply (clarsimp simp: cte_wp_at_ctes_of)
apply (simp add: cteCaps_of_def)
apply (rule hoare_pre, wp untyped_ranges_zero_lift)
apply (simp add: o_def)
apply (clarsimp simp: valid_pspace'_def ball_conj_distrib[symmetric])
apply (drule(1) bspec)
apply (clarsimp simp: cte_wp_at_ctes_of)
apply (case_tac cte, clarsimp)
apply (frule(1) ctes_of_valid_cap')
apply auto[1]
done
2014-07-14 19:32:44 +00:00
crunch ct_idle_or_in_cur_domain'[wp]: setExtraBadge ct_idle_or_in_cur_domain'
crunch ct_idle_or_in_cur_domain'[wp]: transferCapsToSlots ct_idle_or_in_cur_domain'
crunch ksCurDomain[wp]: transferCapsToSlots "\<lambda>s. P (ksCurDomain s)"
crunch ksDomSchedule[wp]: setExtraBadge "\<lambda>s. P (ksDomSchedule s)"
crunch ksDomScheduleIdx[wp]: setExtraBadge "\<lambda>s. P (ksDomScheduleIdx s)"
crunch ksDomSchedule[wp]: transferCapsToSlots "\<lambda>s. P (ksDomSchedule s)"
crunch ksDomScheduleIdx[wp]: transferCapsToSlots "\<lambda>s. P (ksDomScheduleIdx s)"
lemma transferCapsToSlots_invs[wp]:
2017-07-12 05:13:51 +00:00
"\<lbrace>\<lambda>s. invs' s \<and> distinct slots
2014-07-14 19:32:44 +00:00
\<and> (\<forall>x \<in> set slots. cte_wp_at' (\<lambda>cte. cteCap cte = NullCap) x s)
\<and> (\<forall>x \<in> set slots. ex_cte_cap_to' x s)
\<and> (\<forall>x \<in> set slots. real_cte_at' x s)
2016-09-12 00:19:22 +00:00
\<and> length slots \<le> 1
\<and> transferCaps_srcs caps s\<rbrace>
2016-02-10 03:11:09 +00:00
transferCapsToSlots ep buffer n caps slots mi
2014-07-14 19:32:44 +00:00
\<lbrace>\<lambda>rv. invs'\<rbrace>"
apply (simp add: invs'_def valid_state'_def)
2017-01-13 12:58:40 +00:00
apply (wp valid_irq_node_lift)
apply fastforce
2014-07-14 19:32:44 +00:00
done
lemma grs_distinct'[wp]:
"\<lbrace>\<top>\<rbrace> getReceiveSlots t buf \<lbrace>\<lambda>rv s. distinct rv\<rbrace>"
apply (cases buf, simp_all add: getReceiveSlots_def
split_def unlessE_def)
apply (wp, simp)
2014-08-11 08:51:04 +00:00
apply (wp | simp only: distinct.simps list.simps empty_iff)+
2014-07-14 19:32:44 +00:00
apply simp
done
2016-09-12 00:19:22 +00:00
2014-07-14 19:32:44 +00:00
lemma tc_corres:
"\<lbrakk> info' = message_info_map info;
list_all2 (\<lambda>x y. cap_relation (fst x) (fst y) \<and> snd y = cte_map (snd x))
caps caps' \<rbrakk>
\<Longrightarrow>
2018-06-09 08:30:53 +00:00
corres ((=) \<circ> message_info_map)
2017-07-12 05:13:51 +00:00
(tcb_at receiver and valid_objs and
2014-07-14 19:32:44 +00:00
pspace_aligned and pspace_distinct and valid_mdb
and valid_list
and (\<lambda>s. case ep of Some x \<Rightarrow> ep_at x s | _ \<Rightarrow> True)
2014-08-09 05:16:17 +00:00
and case_option \<top> in_user_frame recv_buf
2014-07-14 19:32:44 +00:00
and (\<lambda>s. valid_message_info info)
and transfer_caps_srcs caps)
(tcb_at' receiver and valid_objs' and
pspace_aligned' and pspace_distinct' and no_0_obj' and valid_mdb'
and (\<lambda>s. case ep of Some x \<Rightarrow> ep_at' x s | _ \<Rightarrow> True)
2014-08-09 05:16:17 +00:00
and case_option \<top> valid_ipc_buffer_ptr' recv_buf
2014-07-14 19:32:44 +00:00
and transferCaps_srcs caps'
and (\<lambda>s. length caps' \<le> msgMaxExtraCaps))
2016-02-10 03:11:09 +00:00
(transfer_caps info caps ep receiver recv_buf)
(transferCaps info' caps' ep receiver recv_buf)"
2014-07-14 19:32:44 +00:00
apply (simp add: transfer_caps_def transferCaps_def
getThreadCSpaceRoot)
apply (rule corres_assume_pre)
apply (rule corres_guard_imp)
2017-07-12 05:13:51 +00:00
apply (rule corres_split [OF _ get_recv_slot_corres])
2014-07-14 19:32:44 +00:00
apply (rule_tac x=recv_buf in option_corres)
apply (rule_tac P=\<top> and P'=\<top> in corres_inst)
apply (case_tac info, simp)
apply simp
apply (rule corres_rel_imp, rule tc_loop_corres,
simp_all add: split_def)[1]
apply (case_tac info, simp)
apply (wp hoare_vcg_all_lift get_rs_cte_at static_imp_wp
| simp only: ball_conj_distrib)+
apply (simp add: cte_map_def tcb_cnode_index_def split_def)
apply (clarsimp simp: valid_pspace'_def valid_ipc_buffer_ptr'_def2
split_def
cong: option.case_cong)
apply (drule(1) bspec)
apply (clarsimp simp:cte_wp_at_caps_of_state)
apply (frule(1) Invariants_AI.caps_of_state_valid)
apply (fastforce simp:valid_cap_def)
apply (cases info)
2017-07-12 05:13:51 +00:00
apply (clarsimp simp: msg_max_extra_caps_def valid_message_info_def
2014-07-14 19:32:44 +00:00
max_ipc_words msg_max_length_def
msgMaxExtraCaps_def msgExtraCapBits_def
shiftL_nat valid_pspace'_def)
apply (drule(1) bspec)
apply (clarsimp simp:cte_wp_at_ctes_of)
apply (case_tac cte,clarsimp)
apply (frule(1) ctes_of_valid_cap')
apply (fastforce simp:valid_cap'_def)
done
crunch typ_at'[wp]: transferCaps "\<lambda>s. P (typ_at' T p s)"
lemmas transferCaps_typ_ats[wp] = typ_at_lifts [OF transferCaps_typ_at']
declare maskCapRights_Reply [simp]
lemma isIRQControlCap_mask [simp]:
"isIRQControlCap (maskCapRights R c) = isIRQControlCap c"
apply (case_tac c)
apply (clarsimp simp: isCap_simps maskCapRights_def Let_def)+
2015-05-12 15:17:31 +00:00
apply (rename_tac arch_capability)
2014-07-14 19:32:44 +00:00
apply (case_tac arch_capability)
2016-04-28 07:16:29 +00:00
apply (clarsimp simp: isCap_simps ARM_H.maskCapRights_def
2014-07-14 19:32:44 +00:00
maskCapRights_def Let_def)+
done
lemma isPageCap_maskCapRights[simp]:
" isArchCap isPageCap (RetypeDecls_H.maskCapRights R c) = isArchCap isPageCap c"
2015-05-12 15:17:31 +00:00
apply (case_tac c; simp add: isCap_simps isArchCap_def maskCapRights_def)
apply (rename_tac arch_capability)
2016-04-28 07:16:29 +00:00
apply (case_tac arch_capability; simp add: isCap_simps ARM_H.maskCapRights_def)
2014-07-14 19:32:44 +00:00
done
2017-07-12 05:13:51 +00:00
2014-07-14 19:32:44 +00:00
lemma capReplyMaster_mask[simp]:
"isReplyCap c \<Longrightarrow> capReplyMaster (maskCapRights R c) = capReplyMaster c"
by (clarsimp simp: isCap_simps maskCapRights_def)
lemma is_derived_mask' [simp]:
"is_derived' m p (maskCapRights R c) = is_derived' m p c"
apply (rule ext)
apply (simp add: is_derived'_def badge_derived'_def)
done
lemma updateCapData_ordering:
"\<lbrakk> (x, capBadge cap) \<in> capBadge_ordering P; updateCapData p d cap \<noteq> NullCap \<rbrakk>
\<Longrightarrow> (x, capBadge (updateCapData p d cap)) \<in> capBadge_ordering P"
apply (cases cap, simp_all add: updateCapData_def isCap_simps Let_def
2016-04-28 07:16:29 +00:00
capBadge_def ARM_H.updateCapData_def
2016-10-25 06:01:30 +00:00
split: if_split_asm)
2014-07-14 19:32:44 +00:00
apply fastforce+
done
lemma lookup_cap_to'[wp]:
"\<lbrace>\<top>\<rbrace> lookupCap t cref \<lbrace>\<lambda>rv s. \<forall>r\<in>cte_refs' rv (irq_node' s). ex_cte_cap_to' r s\<rbrace>,-"
by (simp add: lookupCap_def lookupCapAndSlot_def | wp)+
lemma grs_cap_to'[wp]:
"\<lbrace>\<top>\<rbrace> getReceiveSlots t buf \<lbrace>\<lambda>rv s. \<forall>x \<in> set rv. ex_cte_cap_to' x s\<rbrace>"
2015-05-12 15:17:31 +00:00
apply (cases buf; simp add: getReceiveSlots_def split_def unlessE_def)
2014-07-14 19:32:44 +00:00
apply (wp, simp)
2019-05-07 05:53:41 +00:00
apply (wp | simp | rule hoare_drop_imps)+
2014-07-14 19:32:44 +00:00
done
2016-09-12 00:19:22 +00:00
lemma grs_length'[wp]:
"\<lbrace>\<lambda>s. 1 \<le> n\<rbrace> getReceiveSlots receiver recv_buf \<lbrace>\<lambda>rv s. length rv \<le> n\<rbrace>"
apply (simp add: getReceiveSlots_def split_def unlessE_def)
apply (rule hoare_pre)
apply (wp | wpc | simp)+
done
2014-07-14 19:32:44 +00:00
lemma transferCaps_invs' [wp]:
2017-07-12 05:13:51 +00:00
"\<lbrace>invs' and transferCaps_srcs caps\<rbrace>
2016-02-10 03:11:09 +00:00
transferCaps mi caps ep receiver recv_buf
2014-07-14 19:32:44 +00:00
\<lbrace>\<lambda>rv. invs'\<rbrace>"
2015-05-12 15:17:31 +00:00
apply (simp add: transferCaps_def Let_def split_def)
2014-07-14 19:32:44 +00:00
apply (wp get_rs_cte_at' hoare_vcg_const_Ball_lift
| wpcw | clarsimp)+
done
lemma get_mrs_inv'[wp]:
"\<lbrace>P\<rbrace> getMRs t buf info \<lbrace>\<lambda>rv. P\<rbrace>"
by (simp add: getMRs_def load_word_offs_def getRegister_def
| wp dmo_inv' loadWord_inv mapM_wp'
asUser_inv det_mapM[where S=UNIV] | wpc)+
lemma copyMRs_typ_at':
"\<lbrace>\<lambda>s. P (typ_at' T p s)\<rbrace> copyMRs s sb r rb n \<lbrace>\<lambda>rv s. P (typ_at' T p s)\<rbrace>"
by (simp add: copyMRs_def | wp mapM_wp [where S=UNIV, simplified] | wpc)+
lemmas copyMRs_typ_at_lifts[wp] = typ_at_lifts [OF copyMRs_typ_at']
lemma copy_mrs_invs'[wp]:
"\<lbrace> invs' and tcb_at' s and tcb_at' r \<rbrace> copyMRs s sb r rb n \<lbrace>\<lambda>rv. invs' \<rbrace>"
2017-01-13 12:58:40 +00:00
including no_pre
2017-07-12 05:13:51 +00:00
apply (simp add: copyMRs_def)
2014-07-14 19:32:44 +00:00
apply (wp dmo_invs' no_irq_mapM no_irq_storeWord|
2017-01-13 12:58:40 +00:00
simp add: split_def)
2014-07-14 19:32:44 +00:00
apply (case_tac sb, simp_all)[1]
2017-01-13 12:58:40 +00:00
apply wp+
2014-07-14 19:32:44 +00:00
apply (case_tac rb, simp_all)[1]
apply (wp mapM_wp dmo_invs' no_irq_mapM no_irq_storeWord no_irq_loadWord)
apply blast
apply (rule hoare_strengthen_post)
apply (rule mapM_wp)
apply (wp | simp | blast)+
done
crunch aligned'[wp]: transferCaps pspace_aligned'
(wp: crunch_wps simp: zipWithM_x_mapM)
crunch distinct'[wp]: transferCaps pspace_distinct'
(wp: crunch_wps simp: zipWithM_x_mapM)
crunch aligned'[wp]: setMRs pspace_aligned'
(wp: crunch_wps simp: crunch_simps ignore: getObject)
crunch distinct'[wp]: setMRs pspace_distinct'
(wp: crunch_wps simp: crunch_simps ignore: getObject)
crunch aligned'[wp]: copyMRs pspace_aligned'
(wp: crunch_wps simp: crunch_simps ignore: getObject wp: crunch_wps)
crunch distinct'[wp]: copyMRs pspace_distinct'
(wp: crunch_wps simp: crunch_simps ignore: getObject wp: crunch_wps)
crunch aligned'[wp]: setMessageInfo pspace_aligned'
(wp: crunch_wps simp: crunch_simps ignore: getObject)
crunch distinct'[wp]: setMessageInfo pspace_distinct'
(wp: crunch_wps simp: crunch_simps ignore: getObject)
crunch valid_objs'[wp]: storeWordUser valid_objs'
crunch valid_pspace'[wp]: storeWordUser valid_pspace'
lemma set_mrs_valid_objs' [wp]:
"\<lbrace>valid_objs'\<rbrace> setMRs t a msgs \<lbrace>\<lambda>rv. valid_objs'\<rbrace>"
apply (simp add: setMRs_def zipWithM_x_mapM split_def)
2017-07-12 05:13:51 +00:00
apply (wp asUser_valid_objs crunch_wps)
2014-07-14 19:32:44 +00:00
done
crunch valid_objs'[wp]: copyMRs valid_objs'
(wp: crunch_wps simp: crunch_simps)
crunch valid_queues'[wp]: asUser "Invariants_H.valid_queues'"
(simp: crunch_simps wp: hoare_drop_imps)
lemma setMRs_invs_bits[wp]:
"\<lbrace>valid_pspace'\<rbrace> setMRs t buf mrs \<lbrace>\<lambda>rv. valid_pspace'\<rbrace>"
"\<lbrace>\<lambda>s. sch_act_wf (ksSchedulerAction s) s\<rbrace>
setMRs t buf mrs \<lbrace>\<lambda>rv s. sch_act_wf (ksSchedulerAction s) s\<rbrace>"
2015-09-02 05:43:39 +00:00
"\<lbrace>\<lambda>s. weak_sch_act_wf (ksSchedulerAction s) s\<rbrace>
setMRs t buf mrs \<lbrace>\<lambda>rv s. weak_sch_act_wf (ksSchedulerAction s) s\<rbrace>"
2014-07-14 19:32:44 +00:00
"\<lbrace>Invariants_H.valid_queues\<rbrace> setMRs t buf mrs \<lbrace>\<lambda>rv. Invariants_H.valid_queues\<rbrace>"
"\<lbrace>valid_queues'\<rbrace> setMRs t buf mrs \<lbrace>\<lambda>rv. valid_queues'\<rbrace>"
"\<lbrace>\<lambda>s. P (state_refs_of' s)\<rbrace>
setMRs t buf mrs
\<lbrace>\<lambda>rv s. P (state_refs_of' s)\<rbrace>"
"\<lbrace>if_live_then_nonz_cap'\<rbrace> setMRs t buf mrs \<lbrace>\<lambda>rv. if_live_then_nonz_cap'\<rbrace>"
"\<lbrace>ex_nonz_cap_to' p\<rbrace> setMRs t buf mrs \<lbrace>\<lambda>rv. ex_nonz_cap_to' p\<rbrace>"
"\<lbrace>cur_tcb'\<rbrace> setMRs t buf mrs \<lbrace>\<lambda>rv. cur_tcb'\<rbrace>"
"\<lbrace>if_unsafe_then_cap'\<rbrace> setMRs t buf mrs \<lbrace>\<lambda>rv. if_unsafe_then_cap'\<rbrace>"
by (simp add: setMRs_def zipWithM_x_mapM split_def storeWordUser_def | wp crunch_wps)+
crunch no_0_obj'[wp]: setMRs no_0_obj'
(wp: crunch_wps ignore: getObject simp: crunch_simps)
lemma copyMRs_invs_bits[wp]:
"\<lbrace>valid_pspace'\<rbrace> copyMRs s sb r rb n \<lbrace>\<lambda>rv. valid_pspace'\<rbrace>"
"\<lbrace>\<lambda>s. sch_act_wf (ksSchedulerAction s) s\<rbrace> copyMRs s sb r rb n
\<lbrace>\<lambda>rv s. sch_act_wf (ksSchedulerAction s) s\<rbrace>"
"\<lbrace>Invariants_H.valid_queues\<rbrace> copyMRs s sb r rb n \<lbrace>\<lambda>rv. Invariants_H.valid_queues\<rbrace>"
"\<lbrace>valid_queues'\<rbrace> copyMRs s sb r rb n \<lbrace>\<lambda>rv. valid_queues'\<rbrace>"
"\<lbrace>\<lambda>s. P (state_refs_of' s)\<rbrace>
copyMRs s sb r rb n
\<lbrace>\<lambda>rv s. P (state_refs_of' s)\<rbrace>"
"\<lbrace>if_live_then_nonz_cap'\<rbrace> copyMRs s sb r rb n \<lbrace>\<lambda>rv. if_live_then_nonz_cap'\<rbrace>"
"\<lbrace>ex_nonz_cap_to' p\<rbrace> copyMRs s sb r rb n \<lbrace>\<lambda>rv. ex_nonz_cap_to' p\<rbrace>"
"\<lbrace>cur_tcb'\<rbrace> copyMRs s sb r rb n \<lbrace>\<lambda>rv. cur_tcb'\<rbrace>"
"\<lbrace>if_unsafe_then_cap'\<rbrace> copyMRs s sb r rb n \<lbrace>\<lambda>rv. if_unsafe_then_cap'\<rbrace>"
by (simp add: copyMRs_def storeWordUser_def | wp mapM_wp' | wpc)+
crunch no_0_obj'[wp]: copyMRs no_0_obj'
(wp: crunch_wps ignore: getObject simp: crunch_simps)
lemma mi_map_length[simp]: "msgLength (message_info_map mi) = mi_length mi"
by (cases mi, simp)
crunch cte_wp_at'[wp]: copyMRs "cte_wp_at' P p"
(wp: crunch_wps)
lemma lookupExtraCaps_srcs[wp]:
"\<lbrace>\<top>\<rbrace> lookupExtraCaps thread buf info \<lbrace>transferCaps_srcs\<rbrace>,-"
apply (simp add: lookupExtraCaps_def lookupCapAndSlot_def
split_def lookupSlotForThread_def
getSlotCap_def)
apply (wp mapME_set[where R=\<top>] getCTE_wp')
apply (rule_tac P=\<top> in hoare_trivE_R)
apply (simp add: cte_wp_at_ctes_of)
apply (wp | simp)+
done
crunch inv[wp]: lookupExtraCaps "P"
(wp: crunch_wps mapME_wp' simp: crunch_simps ignore: mapME)
lemma invs_mdb_strengthen':
"invs' s \<longrightarrow> valid_mdb' s" by auto
lemma lookupExtraCaps_length:
"\<lbrace>\<lambda>s. unat (msgExtraCaps mi) \<le> n\<rbrace> lookupExtraCaps thread send_buf mi \<lbrace>\<lambda>rv s. length rv \<le> n\<rbrace>,-"
apply (simp add: lookupExtraCaps_def getExtraCPtrs_def)
apply (rule hoare_pre)
apply (wp mapME_length | wpc)+
apply (clarsimp simp: upto_enum_step_def Suc_unat_diff_1 word_le_sub1)
done
lemma getMessageInfo_msgExtraCaps[wp]:
"\<lbrace>\<top>\<rbrace> getMessageInfo t \<lbrace>\<lambda>rv s. unat (msgExtraCaps rv) \<le> msgMaxExtraCaps\<rbrace>"
apply (simp add: getMessageInfo_def)
apply wp
2017-01-13 12:58:40 +00:00
apply (simp add: messageInfoFromWord_def Let_def msgMaxExtraCaps_def
shiftL_nat)
apply (subst nat_le_Suc_less_imp)
apply (rule unat_less_power)
apply (simp add: word_bits_def msgExtraCapBits_def)
apply (rule and_mask_less'[unfolded mask_2pm1])
apply (simp add: msgExtraCapBits_def)
2017-03-13 16:37:32 +00:00
apply wpsimp+
2014-07-14 19:32:44 +00:00
done
2017-07-12 05:13:51 +00:00
lemma lcs_corres:
"cptr = to_bl cptr' \<Longrightarrow>
2014-07-14 19:32:44 +00:00
corres (lfr \<oplus> (\<lambda>a b. cap_relation (fst a) (fst b) \<and> snd b = cte_map (snd a)))
(valid_objs and pspace_aligned and tcb_at thread)
(valid_objs' and pspace_distinct' and pspace_aligned' and tcb_at' thread)
(lookup_cap_and_slot thread cptr) (lookupCapAndSlot thread cptr')"
unfolding lookup_cap_and_slot_def lookupCapAndSlot_def
apply (simp add: liftE_bindE split_def)
apply (rule corres_guard_imp)
apply (rule_tac r'="\<lambda>rv rv'. rv' = cte_map (fst rv)"
in corres_splitEE)
apply (rule corres_split[OF _ getSlotCap_corres])
apply (rule corres_returnOkTT, simp)
apply simp
2017-01-13 12:58:40 +00:00
apply wp+
2014-07-14 19:32:44 +00:00
apply (rule corres_rel_imp, rule lookup_slot_corres)
apply (simp add: split_def)
apply (wp | simp add: liftE_bindE[symmetric])+
done
lemma lec_corres:
"\<lbrakk> info' = message_info_map info; buffer = buffer'\<rbrakk> \<Longrightarrow>
corres (fr \<oplus> list_all2 (\<lambda>x y. cap_relation (fst x) (fst y) \<and> snd y = cte_map (snd x)))
(valid_objs and pspace_aligned and tcb_at thread and (\<lambda>_. valid_message_info info))
(valid_objs' and pspace_distinct' and pspace_aligned' and tcb_at' thread
2014-08-09 05:16:17 +00:00
and case_option \<top> valid_ipc_buffer_ptr' buffer')
2014-07-14 19:32:44 +00:00
(lookup_extra_caps thread buffer info) (lookupExtraCaps thread buffer' info')"
unfolding lookupExtraCaps_def lookup_extra_caps_def
apply (rule corres_gen_asm)
apply (cases "mi_extra_caps info = 0")
apply (cases info)
apply (simp add: Let_def returnOk_def getExtraCPtrs_def
liftE_bindE upto_enum_step_def mapM_def
sequence_def doMachineOp_return mapME_Nil
split: option.split)
apply (cases info)
2015-05-12 15:17:31 +00:00
apply (rename_tac w1 w2 w3 w4)
2014-07-14 19:32:44 +00:00
apply (simp add: Let_def liftE_bindE)
apply (cases buffer')
apply (simp add: getExtraCPtrs_def mapME_Nil)
apply (rule corres_returnOk)
apply simp
apply (simp add: msgLengthBits_def msgMaxLength_def word_size field_simps
getExtraCPtrs_def upto_enum_step_def upto_enum_word
word_size_def msg_max_length_def liftM_def
Suc_unat_diff_1 word_le_sub1 mapM_map_simp
upt_lhs_sub_map[where x=buffer_cptr_index]
2015-08-21 03:27:17 +00:00
wordSize_def wordBits_def
2014-07-14 19:32:44 +00:00
del: upt.simps)
apply (rule corres_guard_imp)
apply (rule corres_split')
2015-05-12 15:17:31 +00:00
apply (rule_tac S = "\<lambda>x y. x = y \<and> x < unat w2"
2014-07-14 19:32:44 +00:00
in corres_mapM_list_all2
2018-06-09 08:30:53 +00:00
[where Q = "\<lambda>_. valid_objs and pspace_aligned and tcb_at thread" and r = "(=)"
2014-07-14 19:32:44 +00:00
and Q' = "\<lambda>_. valid_objs' and pspace_aligned' and pspace_distinct' and tcb_at' thread
2018-06-09 08:30:53 +00:00
and case_option \<top> valid_ipc_buffer_ptr' buffer'" and r'="(=)" ])
2014-07-14 19:32:44 +00:00
apply simp
apply simp
apply simp
apply (rule corres_guard_imp)
apply (rule load_word_offs_corres')
apply (clarsimp simp: buffer_cptr_index_def msg_max_length_def
max_ipc_words valid_message_info_def
msg_max_extra_caps_def word_le_nat_alt)
apply (simp add: buffer_cptr_index_def msg_max_length_def)
apply simp
apply simp
apply (simp add: load_word_offs_word_def)
apply (wp | simp)+
apply (subst list_all2_same)
apply (clarsimp simp: max_ipc_words field_simps)
apply (simp add: mapME_def, fold mapME_def)[1]
apply (rule corres_mapME [where S = Id and r'="(\<lambda>x y. cap_relation (fst x) (fst y) \<and> snd y = cte_map (snd x))"])
apply simp
apply simp
apply simp
apply (rule corres_cap_fault [OF lcs_corres])
apply simp
apply simp
apply (wp | simp)+
apply (simp add: set_zip_same Int_lower1)
apply (wp mapM_wp [OF _ subset_refl] | simp)+
done
crunch ctes_of[wp]: copyMRs "\<lambda>s. P (ctes_of s)"
(ignore: threadSet setObject getObject
wp: threadSet_ctes_of crunch_wps)
lemma copyMRs_valid_mdb[wp]:
"\<lbrace>valid_mdb'\<rbrace> copyMRs t buf t' buf' n \<lbrace>\<lambda>rv. valid_mdb'\<rbrace>"
by (simp add: valid_mdb'_def copyMRs_ctes_of)
lemma do_normal_transfer_corres:
2017-07-12 05:13:51 +00:00
"corres dc
2014-07-14 19:32:44 +00:00
(tcb_at sender and tcb_at receiver and (pspace_aligned:: det_state \<Rightarrow> bool)
and valid_objs and cur_tcb and valid_mdb and valid_list and pspace_distinct
and (\<lambda>s. case ep of Some x \<Rightarrow> ep_at x s | _ \<Rightarrow> True)
2014-08-09 05:16:17 +00:00
and case_option \<top> in_user_frame send_buf
and case_option \<top> in_user_frame recv_buf)
2014-07-14 19:32:44 +00:00
(tcb_at' sender and tcb_at' receiver and valid_objs'
and pspace_aligned' and pspace_distinct' and cur_tcb'
and valid_mdb' and no_0_obj'
and (\<lambda>s. case ep of Some x \<Rightarrow> ep_at' x s | _ \<Rightarrow> True)
2014-08-09 05:16:17 +00:00
and case_option \<top> valid_ipc_buffer_ptr' send_buf
and case_option \<top> valid_ipc_buffer_ptr' recv_buf)
2016-02-10 03:11:09 +00:00
(do_normal_transfer sender send_buf ep badge can_grant receiver recv_buf)
(doNormalTransfer sender send_buf ep badge can_grant receiver recv_buf)"
2014-07-14 19:32:44 +00:00
apply (simp add: do_normal_transfer_def doNormalTransfer_def)
apply (rule corres_guard_imp)
apply (rule corres_split_mapr [OF _ get_mi_corres])
apply (rule_tac F="valid_message_info mi" in corres_gen_asm)
apply (rule_tac r'="list_all2 (\<lambda>x y. cap_relation (fst x) (fst y) \<and> snd y = cte_map (snd x))"
in corres_split)
prefer 2
apply (rule corres_if[OF refl])
apply (rule corres_split_catch)
apply (rule corres_trivial, simp)
apply (rule lec_corres, simp+)
2017-01-13 12:58:40 +00:00
apply wp+
2014-07-14 19:32:44 +00:00
apply (rule corres_trivial, simp)
apply simp
apply (rule corres_split_eqr [OF _ copy_mrs_corres])
apply (rule corres_split [OF _ tc_corres])
apply (rename_tac mi' mi'')
apply (rule_tac F="mi_label mi' = mi_label mi"
in corres_gen_asm)
apply (rule corres_split_nor [OF _ set_mi_corres])
apply (simp add: badge_register_def badgeRegister_def)
apply (fold dc_def)
apply (rule user_setreg_corres)
apply (case_tac mi', clarsimp)
apply wp
apply simp+
2014-08-09 05:16:17 +00:00
apply ((wp valid_case_option_post_wp hoare_vcg_const_Ball_lift
hoare_case_option_wp
2014-07-14 19:32:44 +00:00
hoare_valid_ipc_buffer_ptr_typ_at' copyMRs_typ_at'
hoare_vcg_const_Ball_lift lookupExtraCaps_length
| simp add: if_apply_def2)+)
apply (wp static_imp_wp | strengthen valid_msg_length_strengthen)+
apply clarsimp
apply auto
done
lemma corres_liftE_lift:
"corres r1 P P' m m' \<Longrightarrow>
corres (f1 \<oplus> r1) P P' (liftE m) (withoutFailure m')"
by simp
2017-07-12 05:13:51 +00:00
lemmas corres_ipc_thread_helper =
2014-07-14 19:32:44 +00:00
corres_split_eqrE [OF _ corres_liftE_lift [OF gct_corres]]
2017-07-12 05:13:51 +00:00
lemmas corres_ipc_info_helper =
2014-07-14 19:32:44 +00:00
corres_split_maprE [where f = message_info_map, OF _
corres_liftE_lift [OF get_mi_corres]]
crunch typ_at'[wp]: doNormalTransfer "\<lambda>s. P (typ_at' T p s)"
lemmas doNormal_lifts[wp] = typ_at_lifts [OF doNormalTransfer_typ_at']
lemma doNormal_invs'[wp]:
"\<lbrace>tcb_at' sender and tcb_at' receiver and invs'\<rbrace>
doNormalTransfer sender send_buf ep badge
2016-02-10 03:11:09 +00:00
can_grant receiver recv_buf \<lbrace>\<lambda>r. invs'\<rbrace>"
2014-07-14 19:32:44 +00:00
apply (simp add: doNormalTransfer_def)
apply (wp hoare_vcg_const_Ball_lift | simp)+
done
crunch aligned'[wp]: doNormalTransfer pspace_aligned'
(wp: crunch_wps)
crunch distinct'[wp]: doNormalTransfer pspace_distinct'
(wp: crunch_wps)
2016-05-30 13:12:39 +00:00
lemma transferCaps_urz[wp]:
"\<lbrace>untyped_ranges_zero' and valid_pspace'
and (\<lambda>s. (\<forall>x\<in>set caps. cte_wp_at' (\<lambda>cte. fst x \<noteq> capability.NullCap \<longrightarrow> cteCap cte = fst x) (snd x) s))\<rbrace>
transferCaps tag caps ep receiver recv_buf
\<lbrace>\<lambda>r. untyped_ranges_zero'\<rbrace>"
apply (simp add: transferCaps_def)
apply (rule hoare_pre)
apply (wp hoare_vcg_all_lift hoare_vcg_const_imp_lift
| wpc
| simp add: ball_conj_distrib)+
apply clarsimp
done
crunch gsUntypedZeroRanges[wp]: doNormalTransfer "\<lambda>s. P (gsUntypedZeroRanges s)"
(wp: crunch_wps transferCapsToSlots_pres1 ignore: constOnFailure)
lemmas asUser_urz = untyped_ranges_zero_lift[OF asUser_gsUntypedZeroRanges]
crunch urz[wp]: doNormalTransfer "untyped_ranges_zero'"
(ignore: asUser wp: crunch_wps asUser_urz hoare_vcg_const_Ball_lift)
2014-07-14 19:32:44 +00:00
lemma msgFromLookupFailure_map[simp]:
"msgFromLookupFailure (lookup_failure_map lf)
= msg_from_lookup_failure lf"
by (cases lf, simp_all add: lookup_failure_map_def msgFromLookupFailure_def)
lemma getRestartPCs_corres:
2018-06-09 08:30:53 +00:00
"corres (=) (tcb_at t) (tcb_at' t)
2014-07-14 19:32:44 +00:00
(as_user t getRestartPC) (asUser t getRestartPC)"
apply (rule corres_as_user')
apply (rule corres_Id, simp, simp)
apply (rule no_fail_getRestartPC)
done
lemma user_mapM_getRegister_corres:
2018-06-09 08:30:53 +00:00
"corres (=) (tcb_at t) (tcb_at' t)
2014-07-14 19:32:44 +00:00
(as_user t (mapM getRegister regs))
(asUser t (mapM getRegister regs))"
apply (rule corres_as_user')
apply (rule corres_Id [OF refl refl])
apply (rule no_fail_mapM)
apply (simp add: getRegister_def)
done
2016-09-01 08:24:32 +00:00
lemma make_arch_fault_msg_corres:
2018-06-09 08:30:53 +00:00
"corres (=) (tcb_at t) (tcb_at' t)
2016-09-01 08:24:32 +00:00
(make_arch_fault_msg f t)
(makeArchFaultMessage (arch_fault_map f) t)"
apply (cases f, clarsimp simp: makeArchFaultMessage_def split: arch_fault.split)
apply (rule corres_guard_imp)
apply (rule corres_split_eqr[OF _ getRestartPCs_corres])
apply (rule corres_trivial, simp add: arch_fault_map_def)
2017-01-13 12:58:40 +00:00
apply (wp+, auto)
2016-09-01 08:24:32 +00:00
done
2014-07-14 19:32:44 +00:00
lemma mk_ft_msg_corres:
2018-06-09 08:30:53 +00:00
"corres (=) (tcb_at t) (tcb_at' t)
2014-07-14 19:32:44 +00:00
(make_fault_msg ft t)
(makeFaultMessage (fault_map ft) t)"
2016-10-25 06:01:30 +00:00
apply (cases ft, simp_all add: makeFaultMessage_def split del: if_split)
2014-07-14 19:32:44 +00:00
apply (rule corres_guard_imp)
apply (rule corres_split_eqr [OF _ getRestartPCs_corres])
apply (rule corres_trivial, simp add: fromEnum_def enum_bool)
apply (wp | simp)+
2016-09-01 08:24:32 +00:00
apply (simp add: ARM_H.syscallMessage_def)
2014-07-14 19:32:44 +00:00
apply (rule corres_guard_imp)
2016-09-01 08:24:32 +00:00
apply (rule corres_split_eqr [OF _ user_mapM_getRegister_corres])
2014-07-14 19:32:44 +00:00
apply (rule corres_trivial, simp)
apply (wp | simp)+
2016-09-01 08:24:32 +00:00
apply (simp add: ARM_H.exceptionMessage_def)
2014-07-14 19:32:44 +00:00
apply (rule corres_guard_imp)
apply (rule corres_split_eqr [OF _ user_mapM_getRegister_corres])
apply (rule corres_trivial, simp)
apply (wp | simp)+
2016-09-01 08:24:32 +00:00
apply (rule make_arch_fault_msg_corres)
2014-07-14 19:32:44 +00:00
done
lemma makeFaultMessage_inv[wp]:
"\<lbrace>P\<rbrace> makeFaultMessage ft t \<lbrace>\<lambda>rv. P\<rbrace>"
apply (cases ft, simp_all add: makeFaultMessage_def)
apply (wp asUser_inv mapM_wp' det_mapM[where S=UNIV]
det_getRestartPC getRestartPC_inv
2016-09-01 08:24:32 +00:00
| clarsimp simp: getRegister_def makeArchFaultMessage_def
split: arch_fault.split)+
2014-07-14 19:32:44 +00:00
done
lemmas threadget_fault_corres =
2014-08-09 05:16:17 +00:00
threadget_corres [where r = fault_rel_optionation
2014-07-14 19:32:44 +00:00
and f = tcb_fault and f' = tcbFault,
simplified tcb_relation_def, simplified]
lemma do_fault_transfer_corres:
"corres dc
(obj_at (\<lambda>ko. \<exists>tcb ft. ko = TCB tcb \<and> tcb_fault tcb = Some ft) sender
2014-08-09 05:16:17 +00:00
and tcb_at receiver and case_option \<top> in_user_frame recv_buf)
2014-07-14 19:32:44 +00:00
(tcb_at' sender and tcb_at' receiver and
2014-08-09 05:16:17 +00:00
case_option \<top> valid_ipc_buffer_ptr' recv_buf)
2014-07-14 19:32:44 +00:00
(do_fault_transfer badge sender receiver recv_buf)
(doFaultTransfer badge sender receiver recv_buf)"
apply (clarsimp simp: do_fault_transfer_def doFaultTransfer_def split_def
2016-04-28 23:47:59 +00:00
ARM_H.badgeRegister_def badge_register_def)
2014-07-14 19:32:44 +00:00
apply (rule_tac Q="\<lambda>fault. K (\<exists>f. fault = Some f) and
tcb_at sender and tcb_at receiver and
2014-08-09 05:16:17 +00:00
case_option \<top> in_user_frame recv_buf"
2014-07-14 19:32:44 +00:00
and Q'="\<lambda>fault'. tcb_at' sender and tcb_at' receiver and
2014-08-09 05:16:17 +00:00
case_option \<top> valid_ipc_buffer_ptr' recv_buf"
2014-07-14 19:32:44 +00:00
in corres_split')
apply (rule corres_guard_imp)
apply (rule threadget_fault_corres)
apply (clarsimp simp: obj_at_def is_tcb)+
apply (rule corres_assume_pre)
apply (fold assert_opt_def | unfold haskell_fail_def)+
apply (rule corres_assert_opt_assume)
apply (clarsimp split: option.splits
2014-08-09 05:16:17 +00:00
simp: fault_rel_optionation_def assert_opt_def
2014-08-09 11:09:37 +00:00
map_option_case)
2014-07-14 19:32:44 +00:00
defer
defer
2014-08-09 05:16:17 +00:00
apply (clarsimp simp: fault_rel_optionation_def)
2014-07-14 19:32:44 +00:00
apply (wp thread_get_wp)
apply (clarsimp simp: obj_at_def is_tcb)
apply wp
apply (rule corres_guard_imp)
apply (rule corres_split_eqr [OF _ mk_ft_msg_corres])
apply (rule corres_split_eqr [OF _ set_mrs_corres [OF refl]])
apply (rule corres_split_nor [OF _ set_mi_corres])
apply (rule user_setreg_corres)
apply simp
apply (wp | simp)+
apply (rule corres_guard_imp)
apply (rule corres_split_eqr [OF _ mk_ft_msg_corres])
apply (rule corres_split_eqr [OF _ set_mrs_corres [OF refl]])
apply (rule corres_split_nor [OF _ set_mi_corres])
apply (rule user_setreg_corres)
apply simp
apply (wp | simp)+
done
lemma doFaultTransfer_invs[wp]:
"\<lbrace>invs' and tcb_at' receiver\<rbrace>
doFaultTransfer badge sender receiver recv_buf
\<lbrace>\<lambda>rv. invs'\<rbrace>"
by (simp add: doFaultTransfer_def split_def | wp
| clarsimp split: option.split)+
lemma lookupIPCBuffer_valid_ipc_buffer [wp]:
2014-08-09 05:16:17 +00:00
"\<lbrace>valid_objs'\<rbrace> VSpace_H.lookupIPCBuffer b s \<lbrace>case_option \<top> valid_ipc_buffer_ptr'\<rbrace>"
2016-04-26 07:14:06 +00:00
unfolding lookupIPCBuffer_def ARM_H.lookupIPCBuffer_def
2014-07-14 19:32:44 +00:00
apply (simp add: Let_def getSlotCap_def getThreadBufferSlot_def
locateSlot_conv threadGet_def comp_def)
2016-07-04 07:35:42 +00:00
apply (wp getCTE_wp getObject_tcb_wp | wpc)+
2014-07-14 19:32:44 +00:00
apply (clarsimp simp del: imp_disjL)
apply (drule obj_at_ko_at')
apply (clarsimp simp del: imp_disjL)
apply (rule_tac x = ko in exI)
apply (frule ko_at_cte_ipcbuffer)
apply (clarsimp simp: cte_wp_at_ctes_of simp del: imp_disjL)
apply (clarsimp simp: valid_ipc_buffer_ptr'_def)
apply (frule (1) ko_at_valid_objs')
apply (clarsimp simp: projectKO_opts_defs split: kernel_object.split_asm)
2017-07-12 05:13:51 +00:00
apply (clarsimp simp add: valid_obj'_def valid_tcb'_def
2014-07-14 19:32:44 +00:00
isCap_simps cte_level_bits_def field_simps)
apply (drule bspec [OF _ ranI [where a = "0x40"]])
apply simp
apply (clarsimp simp add: valid_cap'_def)
apply (rule conjI)
apply (rule aligned_add_aligned)
apply (clarsimp simp add: capAligned_def)
apply assumption
apply (erule is_aligned_andI1)
2016-07-04 07:35:42 +00:00
apply (case_tac xd, simp_all add: msg_align_bits)[1]
2014-07-14 19:32:44 +00:00
apply (clarsimp simp: capAligned_def)
2017-07-12 05:13:51 +00:00
apply (drule_tac x =
2016-07-04 07:35:42 +00:00
"(tcbIPCBuffer ko && mask (pageBitsForSize xd)) >> pageBits" in spec)
2014-08-11 08:51:04 +00:00
apply (subst(asm) mult.commute mult.left_commute, subst(asm) shiftl_t2n[symmetric])
2014-07-14 19:32:44 +00:00
apply (simp add: shiftr_shiftl1)
apply (subst (asm) mask_out_add_aligned)
apply (erule is_aligned_weaken [OF _ pbfs_atleast_pageBits])
apply (erule mp)
apply (rule shiftr_less_t2n)
apply (clarsimp simp: pbfs_atleast_pageBits)
apply (rule and_mask_less')
apply (simp add: word_bits_conv)
done
lemma dit_corres:
"corres dc
(tcb_at s and tcb_at r and valid_objs and pspace_aligned
and valid_list
and pspace_distinct and valid_mdb and cur_tcb
and (\<lambda>s. case ep of Some x \<Rightarrow> ep_at x s | _ \<Rightarrow> True))
(tcb_at' s and tcb_at' r and valid_pspace' and cur_tcb'
and (\<lambda>s. case ep of Some x \<Rightarrow> ep_at' x s | _ \<Rightarrow> True))
2016-02-10 03:11:09 +00:00
(do_ipc_transfer s ep bg grt r)
(doIPCTransfer s ep bg grt r)"
2014-07-14 19:32:44 +00:00
apply (simp add: do_ipc_transfer_def doIPCTransfer_def)
apply (rule_tac Q="%receiveBuffer sa. tcb_at s sa \<and> valid_objs sa \<and>
pspace_aligned sa \<and> tcb_at r sa \<and>
cur_tcb sa \<and> valid_mdb sa \<and> valid_list sa \<and> pspace_distinct sa \<and>
(case ep of None \<Rightarrow> True | Some x \<Rightarrow> ep_at x sa) \<and>
2014-08-09 05:16:17 +00:00
case_option (\<lambda>_. True) in_user_frame receiveBuffer sa \<and>
2017-07-12 05:13:51 +00:00
obj_at (\<lambda>ko. \<exists>tcb. ko = TCB tcb
2019-05-28 08:24:48 +00:00
\<comment> \<open>\<exists>ft. tcb_fault tcb = Some ft\<close>) s sa"
2014-07-14 19:32:44 +00:00
in corres_split')
apply (rule corres_guard_imp)
apply (rule lipcb_corres')
apply auto[2]
apply (rule corres_split' [OF _ _ thread_get_sp threadGet_inv])
apply (rule corres_guard_imp)
apply (rule threadget_fault_corres)
apply simp
defer
apply (rule corres_guard_imp)
2014-08-09 05:16:17 +00:00
apply (subst case_option_If)+
2014-07-14 19:32:44 +00:00
apply (rule corres_if2)
2014-08-09 05:16:17 +00:00
apply (simp add: fault_rel_optionation_def)
2014-07-14 19:32:44 +00:00
apply (rule corres_split_eqr [OF _ lipcb_corres'])
apply (simp add: dc_def[symmetric])
apply (rule do_normal_transfer_corres)
apply (wp | simp add: valid_pspace'_def)+
apply (simp add: dc_def[symmetric])
apply (rule do_fault_transfer_corres)
apply (clarsimp simp: obj_at_def)
apply (erule ignore_if)
apply (wp|simp add: obj_at_def is_tcb valid_pspace'_def)+
done
crunch ifunsafe[wp]: doIPCTransfer "if_unsafe_then_cap'"
(wp: crunch_wps hoare_vcg_const_Ball_lift get_rs_cte_at' ignore: transferCapsToSlots
simp: zipWithM_x_mapM ball_conj_distrib )
crunch iflive[wp]: doIPCTransfer "if_live_then_nonz_cap'"
2017-07-12 05:13:51 +00:00
(wp: crunch_wps hoare_vcg_const_Ball_lift get_rs_cte_at' ignore: transferCapsToSlots
2014-07-14 19:32:44 +00:00
simp: zipWithM_x_mapM ball_conj_distrib )
lemma valid_pspace_valid_objs'[elim!]:
"valid_pspace' s \<Longrightarrow> valid_objs' s"
by (simp add: valid_pspace'_def)
crunch vp[wp]: doIPCTransfer "valid_pspace'"
(wp: crunch_wps hoare_vcg_const_Ball_lift get_rs_cte_at' wp: transferCapsToSlots_vp simp:ball_conj_distrib )
crunch sch_act_wf[wp]: doIPCTransfer "\<lambda>s. sch_act_wf (ksSchedulerAction s) s"
(wp: crunch_wps get_rs_cte_at' ignore: transferCapsToSlots simp: zipWithM_x_mapM)
crunch vq[wp]: doIPCTransfer "Invariants_H.valid_queues"
(wp: crunch_wps get_rs_cte_at' ignore: transferCapsToSlots simp: zipWithM_x_mapM)
crunch vq'[wp]: doIPCTransfer "valid_queues'"
(wp: crunch_wps get_rs_cte_at' ignore: transferCapsToSlots simp: zipWithM_x_mapM)
crunch state_refs_of[wp]: doIPCTransfer "\<lambda>s. P (state_refs_of' s)"
(wp: crunch_wps get_rs_cte_at' ignore: transferCapsToSlots simp: zipWithM_x_mapM)
crunch ct[wp]: doIPCTransfer "cur_tcb'"
(wp: crunch_wps get_rs_cte_at' ignore: transferCapsToSlots simp: zipWithM_x_mapM)
crunch idle'[wp]: doIPCTransfer "valid_idle'"
(wp: crunch_wps get_rs_cte_at' ignore: transferCapsToSlots simp: zipWithM_x_mapM)
crunch typ_at'[wp]: doIPCTransfer "\<lambda>s. P (typ_at' T p s)"
(wp: crunch_wps simp: zipWithM_x_mapM)
lemmas dit'_typ_ats[wp] = typ_at_lifts [OF doIPCTransfer_typ_at']
crunch irq_node'[wp]: doIPCTransfer "\<lambda>s. P (irq_node' s)"
(wp: crunch_wps simp: crunch_simps)
lemmas dit_irq_node'[wp]
= valid_irq_node_lift [OF doIPCTransfer_irq_node' doIPCTransfer_typ_at']
crunch valid_arch_state'[wp]: doIPCTransfer "valid_arch_state'"
(wp: crunch_wps simp: crunch_simps)
(* Levity: added (20090126 19:32:26) *)
declare asUser_global_refs' [wp]
lemma lec_valid_cap' [wp]:
"\<lbrace>valid_objs'\<rbrace> lookupExtraCaps thread xa mi \<lbrace>\<lambda>rv s. (\<forall>x\<in>set rv. s \<turnstile>' fst x)\<rbrace>, -"
apply (rule hoare_pre, rule hoare_post_imp_R)
apply (rule hoare_vcg_conj_lift_R[where R=valid_objs' and S="\<lambda>_. valid_objs'"])
apply (rule lookupExtraCaps_srcs)
apply wp
apply (clarsimp simp: cte_wp_at_ctes_of)
apply (fastforce elim: ctes_of_valid')
apply simp
done
crunch objs'[wp]: doIPCTransfer "valid_objs'"
( wp: crunch_wps hoare_vcg_const_Ball_lift
transferCapsToSlots_valid_objs
simp: zipWithM_x_mapM ball_conj_distrib )
crunch global_refs'[wp]: doIPCTransfer "valid_global_refs'"
(wp: crunch_wps hoare_vcg_const_Ball_lift threadSet_global_refsT
transferCapsToSlots_valid_globals
simp: zipWithM_x_mapM ball_conj_distrib)
declare asUser_irq_handlers' [wp]
crunch irq_handlers'[wp]: doIPCTransfer "valid_irq_handlers'"
(wp: crunch_wps hoare_vcg_const_Ball_lift threadSet_irq_handlers'
transferCapsToSlots_irq_handlers
simp: zipWithM_x_mapM ball_conj_distrib )
crunch irq_states'[wp]: doIPCTransfer "valid_irq_states'"
2016-04-28 23:47:59 +00:00
(wp: crunch_wps no_irq no_irq_mapM no_irq_storeWord no_irq_loadWord
2014-08-09 05:16:17 +00:00
no_irq_case_option simp: crunch_simps zipWithM_x_mapM)
2014-07-14 19:32:44 +00:00
crunch pde_mappings'[wp]: doIPCTransfer "valid_pde_mappings'"
(wp: crunch_wps simp: crunch_simps)
crunch irqs_masked'[wp]: doIPCTransfer "irqs_masked'"
2016-08-23 12:31:49 +00:00
(wp: crunch_wps simp: crunch_simps rule: irqs_masked_lift)
2014-07-14 19:32:44 +00:00
lemma doIPCTransfer_invs[wp]:
"\<lbrace>invs' and tcb_at' s and tcb_at' r\<rbrace>
2016-02-10 03:11:09 +00:00
doIPCTransfer s ep bg grt r
2017-01-13 12:58:40 +00:00
\<lbrace>\<lambda>rv. invs'\<rbrace>"
2014-07-14 19:32:44 +00:00
apply (simp add: doIPCTransfer_def)
2017-01-13 12:58:40 +00:00
apply (wpsimp wp: hoare_drop_imp)
2014-07-14 19:32:44 +00:00
done
2017-07-12 05:13:51 +00:00
crunch nosch[wp]: doIPCTransfer "\<lambda>s. P (ksSchedulerAction s)"
2016-08-23 12:31:49 +00:00
(wp: hoare_drop_imps hoare_vcg_split_case_option mapM_wp'
2014-07-14 19:32:44 +00:00
simp: split_def zipWithM_x_mapM)
lemma handle_fault_reply_registers_corres:
2018-06-09 08:30:53 +00:00
"corres (=) (tcb_at t) (tcb_at' t)
2017-05-02 01:12:26 +00:00
(do t' \<leftarrow> arch_get_sanitise_register_info t;
2017-02-06 07:33:39 +00:00
y \<leftarrow> as_user t
2014-07-14 19:32:44 +00:00
(zipWithM_x
2018-02-28 21:56:28 +00:00
(\<lambda>r v. setRegister r
2017-02-06 07:33:39 +00:00
(sanitise_register t' r v))
2014-07-14 19:32:44 +00:00
msg_template msg);
return (label = 0)
od)
2017-05-02 01:12:26 +00:00
(do t' \<leftarrow> getSanitiseRegisterInfo t;
2017-02-06 07:33:39 +00:00
y \<leftarrow> asUser t
2014-07-14 19:32:44 +00:00
(zipWithM_x
2017-02-06 07:33:39 +00:00
(\<lambda>r v. setRegister r (sanitiseRegister t' r v))
2014-07-14 19:32:44 +00:00
msg_template msg);
return (label = 0)
od)"
apply (rule corres_guard_imp)
2017-05-02 01:12:26 +00:00
apply (clarsimp simp: arch_get_sanitise_register_info_def getSanitiseRegisterInfo_def)
2017-02-06 07:33:39 +00:00
apply (rule corres_split)
2014-07-14 19:32:44 +00:00
apply (rule corres_trivial, simp)
apply (rule corres_as_user')
2018-02-28 21:56:28 +00:00
apply(simp add: setRegister_def sanitise_register_def
2014-07-14 19:32:44 +00:00
sanitiseRegister_def syscallMessage_def)
apply(subst zipWithM_x_modify)+
apply(rule corres_modify')
apply (simp|wp)+
done
lemma handle_fault_reply_corres:
"ft' = fault_map ft \<Longrightarrow>
2018-06-09 08:30:53 +00:00
corres (=) (tcb_at t) (tcb_at' t)
2014-07-14 19:32:44 +00:00
(handle_fault_reply ft t label msg)
(handleFaultReply ft' t label msg)"
apply (cases ft)
apply(simp_all add: handleFaultReply_def
2016-09-01 08:24:32 +00:00
handle_arch_fault_reply_def handleArchFaultReply_def
syscallMessage_def exceptionMessage_def
split: arch_fault.split)
2014-07-14 19:32:44 +00:00
by (rule handle_fault_reply_registers_corres)+
crunch typ_at'[wp]: handleFaultReply "\<lambda>s. P (typ_at' T p s)"
lemmas hfr_typ_ats[wp] = typ_at_lifts [OF handleFaultReply_typ_at']
crunch ct'[wp]: handleFaultReply "\<lambda>s. P (ksCurThread s)"
lemma doIPCTransfer_sch_act_simple [wp]:
2016-02-10 03:11:09 +00:00
"\<lbrace>sch_act_simple\<rbrace> doIPCTransfer sender endpoint badge grant receiver \<lbrace>\<lambda>_. sch_act_simple\<rbrace>"
2014-07-14 19:32:44 +00:00
by (simp add: sch_act_simple_def, wp)
lemma possibleSwitchTo_invs'[wp]:
"\<lbrace>invs' and st_tcb_at' runnable' t
and (\<lambda>s. ksSchedulerAction s = ResumeCurrentThread \<longrightarrow> ksCurThread s \<noteq> t)\<rbrace>
2017-11-24 11:30:55 +00:00
possibleSwitchTo t \<lbrace>\<lambda>_. invs'\<rbrace>"
2016-11-16 03:02:03 +00:00
apply (simp add: possibleSwitchTo_def curDomain_def)
2017-11-24 11:30:55 +00:00
apply (wp tcbSchedEnqueue_invs' ssa_invs')
apply (rule hoare_post_imp[OF _ rescheduleRequired_sa_cnt])
apply (wpsimp wp: ssa_invs' threadGet_wp)+
apply (clarsimp dest!: obj_at_ko_at' simp: tcb_in_cur_domain'_def obj_at'_def)
2014-07-14 19:32:44 +00:00
done
crunch cur' [wp]: isFinalCapability "\<lambda>s. P (cur_tcb' s)"
(simp: crunch_simps unless_when
2015-09-02 05:43:39 +00:00
wp: crunch_wps getObject_inv loadObject_default_inv)
2014-07-14 19:32:44 +00:00
crunch ct' [wp]: deleteCallerCap "\<lambda>s. P (ksCurThread s)"
(simp: crunch_simps unless_when
2015-09-02 05:43:39 +00:00
wp: crunch_wps getObject_inv loadObject_default_inv
ignore: getObject)
2014-07-14 19:32:44 +00:00
lemma getThreadCallerSlot_inv:
"\<lbrace>P\<rbrace> getThreadCallerSlot t \<lbrace>\<lambda>_. P\<rbrace>"
by (simp add: getThreadCallerSlot_def, wp)
lemma deleteCallerCap_ct_not_ksQ:
"\<lbrace>invs' and ct_in_state' simple' and sch_act_sane
and (\<lambda>s. ksCurThread s \<notin> set (ksReadyQueues s p))\<rbrace>
deleteCallerCap t
\<lbrace>\<lambda>rv s. ksCurThread s \<notin> set (ksReadyQueues s p)\<rbrace>"
2015-12-01 22:06:06 +00:00
apply (simp add: deleteCallerCap_def getSlotCap_def getThreadCallerSlot_def locateSlot_conv)
2015-07-13 06:17:55 +00:00
apply (wp getThreadCallerSlot_inv cteDeleteOne_ct_not_ksQ getCTE_wp)
apply (clarsimp simp: cte_wp_at_ctes_of)
2014-07-14 19:32:44 +00:00
done
2015-11-02 00:00:32 +00:00
crunch tcb_at'[wp]: unbindNotification "tcb_at' x"
2015-09-02 05:43:39 +00:00
2014-07-14 19:32:44 +00:00
lemma finaliseCapTrue_standin_tcb_at' [wp]:
"\<lbrace>tcb_at' x\<rbrace> finaliseCapTrue_standin cap v2 \<lbrace>\<lambda>_. tcb_at' x\<rbrace>"
apply (simp add: finaliseCapTrue_standin_def Let_def)
apply (safe)
2015-11-02 00:00:32 +00:00
apply (wp getObject_ntfn_inv
2015-09-02 05:43:39 +00:00
| wpc
| simp)+
2014-07-14 19:32:44 +00:00
done
lemma finaliseCapTrue_standin_cur':
"\<lbrace>\<lambda>s. cur_tcb' s\<rbrace> finaliseCapTrue_standin cap v2 \<lbrace>\<lambda>_ s'. cur_tcb' s'\<rbrace>"
apply (simp add: cur_tcb'_def)
apply (rule hoare_lift_Pf2 [OF _ finaliseCapTrue_standin_ct'])
apply (wp)
done
lemma cteDeleteOne_cur' [wp]:
"\<lbrace>\<lambda>s. cur_tcb' s\<rbrace> cteDeleteOne slot \<lbrace>\<lambda>_ s'. cur_tcb' s'\<rbrace>"
apply (simp add: cteDeleteOne_def unless_def when_def)
apply (wp hoare_drop_imps finaliseCapTrue_standin_cur' isFinalCapability_cur'
2019-05-06 06:34:44 +00:00
| simp add: split_def | wp (once) cur_tcb_lift)+
2014-07-14 19:32:44 +00:00
done
lemma handleFaultReply_cur' [wp]:
"\<lbrace>\<lambda>s. cur_tcb' s\<rbrace> handleFaultReply x0 thread label msg \<lbrace>\<lambda>_ s'. cur_tcb' s'\<rbrace>"
apply (clarsimp simp add: cur_tcb'_def)
apply (rule hoare_lift_Pf2 [OF _ handleFaultReply_ct'])
apply (wp)
done
lemma capClass_Reply:
"capClass cap = ReplyClass tcb \<Longrightarrow> isReplyCap cap \<and> capTCBPtr cap = tcb"
apply (cases cap, simp_all add: isCap_simps)
2015-05-12 15:17:31 +00:00
apply (rename_tac arch_capability)
2014-07-14 19:32:44 +00:00
apply (case_tac arch_capability, simp_all)
done
lemma reply_cap_end_mdb_chain:
2018-08-03 03:27:46 +00:00
"\<lbrakk> cte_wp_at (is_reply_cap_to t) slot s; invs s;
2014-07-14 19:32:44 +00:00
invs' s';
(s, s') \<in> state_relation; ctes_of s' (cte_map slot) = Some cte \<rbrakk>
\<Longrightarrow> (mdbPrev (cteMDBNode cte) \<noteq> nullPointer
\<and> mdbNext (cteMDBNode cte) = nullPointer)
\<and> cte_wp_at' (\<lambda>cte. isReplyCap (cteCap cte) \<and> capReplyMaster (cteCap cte))
(mdbPrev (cteMDBNode cte)) s'"
2018-08-03 03:27:46 +00:00
apply (clarsimp simp only: cte_wp_at_reply_cap_to_ex_rights)
2014-07-14 19:32:44 +00:00
apply (frule(1) pspace_relation_ctes_ofI[OF state_relation_pspace_relation],
clarsimp+)
2018-08-03 03:27:46 +00:00
apply (subgoal_tac "\<exists>slot' rights'. caps_of_state s slot' = Some (cap.ReplyCap t True rights')
2014-07-14 19:32:44 +00:00
\<and> descendants_of slot' (cdt s) = {slot}")
apply (elim state_relationE exE)
apply (clarsimp simp: cdt_relation_def
simp del: split_paired_All)
apply (drule spec, drule(1) mp[OF _ caps_of_state_cte_at])
apply (frule(1) pspace_relation_cte_wp_at[OF _ caps_of_state_cteD],
clarsimp+)
apply (clarsimp simp: descendants_of'_def cte_wp_at_ctes_of)
apply (frule_tac f="\<lambda>S. cte_map slot \<in> S" in arg_cong, simp(no_asm_use))
apply (frule invs_mdb'[unfolded valid_mdb'_def])
apply (rule context_conjI)
apply (clarsimp simp: nullPointer_def valid_mdb_ctes_def)
apply (erule(4) subtree_prev_0)
apply (rule conjI)
apply (rule ccontr)
apply (frule valid_mdb_no_loops, simp add: no_loops_def)
apply (drule_tac x="cte_map slot" in spec)
apply (erule notE, rule r_into_trancl, rule ccontr)
apply (clarsimp simp: mdb_next_unfold valid_mdb_ctes_def nullPointer_def)
apply (rule valid_dlistEn, assumption+)
apply (subgoal_tac "ctes_of s' \<turnstile> cte_map slot \<leadsto> mdbNext (cteMDBNode cte)")
apply (frule(3) class_linksD)
apply (clarsimp simp: isCap_simps dest!: capClass_Reply[OF sym])
apply (drule_tac f="\<lambda>S. mdbNext (cteMDBNode cte) \<in> S" in arg_cong)
apply (simp, erule notE, rule subtree.trans_parent, assumption+)
apply (case_tac ctea, case_tac cte')
apply (clarsimp simp add: parentOf_def isMDBParentOf_CTE)
apply (simp add: sameRegionAs_def2 isCap_simps)
apply (erule subtree.cases)
apply (clarsimp simp: parentOf_def isMDBParentOf_CTE)
apply (clarsimp simp: parentOf_def isMDBParentOf_CTE)
apply (simp add: mdb_next_unfold)
apply (erule subtree.cases)
apply (clarsimp simp: valid_mdb_ctes_def)
apply (erule_tac cte=ctea in valid_dlistEn, assumption)
apply (simp add: mdb_next_unfold)
apply (clarsimp simp: mdb_next_unfold isCap_simps)
apply (drule_tac f="\<lambda>S. c' \<in> S" in arg_cong)
apply (clarsimp simp: no_loops_direct_simp valid_mdb_no_loops)
apply (frule invs_mdb)
apply (drule invs_valid_reply_caps)
apply (clarsimp simp: valid_mdb_def reply_mdb_def
valid_reply_caps_def reply_caps_mdb_def
cte_wp_at_caps_of_state
simp del: split_paired_All)
2018-08-03 03:27:46 +00:00
apply (erule_tac x=slot in allE, erule_tac x=t in allE, erule impE, fast)
2014-07-14 19:32:44 +00:00
apply (elim exEI)
apply clarsimp
2015-05-12 15:17:31 +00:00
apply (subgoal_tac "P" for P, rule sym, rule equalityI, assumption)
2014-07-14 19:32:44 +00:00
apply clarsimp
apply (erule(4) unique_reply_capsD)
apply (simp add: descendants_of_def)
apply (rule r_into_trancl)
apply (simp add: cdt_parent_rel_def is_cdt_parent_def)
done
crunch valid_objs'[wp]: cteDeleteOne "valid_objs'"
2015-09-02 05:43:39 +00:00
(simp: crunch_simps unless_def
2017-07-12 05:13:51 +00:00
wp: crunch_wps getObject_inv loadObject_default_inv
2015-09-02 05:43:39 +00:00
ignore: getObject)
2014-07-14 19:32:44 +00:00
crunch nosch[wp]: handleFaultReply "\<lambda>s. P (ksSchedulerAction s)"
lemma emptySlot_weak_sch_act[wp]:
"\<lbrace>\<lambda>s. weak_sch_act_wf (ksSchedulerAction s) s\<rbrace>
emptySlot slot irq
\<lbrace>\<lambda>_ s. weak_sch_act_wf (ksSchedulerAction s) s\<rbrace>"
by (wp weak_sch_act_wf_lift tcb_in_cur_domain'_lift)
2015-11-02 00:00:32 +00:00
lemma cancelAllIPC_weak_sch_act_wf[wp]:
2014-07-14 19:32:44 +00:00
"\<lbrace>\<lambda>s. weak_sch_act_wf (ksSchedulerAction s) s\<rbrace>
2015-11-02 00:00:32 +00:00
cancelAllIPC epptr
2014-07-14 19:32:44 +00:00
\<lbrace>\<lambda>_ s. weak_sch_act_wf (ksSchedulerAction s) s\<rbrace>"
2015-11-02 00:00:32 +00:00
apply (simp add: cancelAllIPC_def)
2014-07-14 19:32:44 +00:00
apply (wp rescheduleRequired_weak_sch_act_wf hoare_drop_imp | wpc | simp)+
done
2015-11-02 00:00:32 +00:00
lemma cancelAllSignals_weak_sch_act_wf[wp]:
2014-07-14 19:32:44 +00:00
"\<lbrace>\<lambda>s. weak_sch_act_wf (ksSchedulerAction s) s\<rbrace>
2015-11-02 00:00:32 +00:00
cancelAllSignals ntfnptr
2014-07-14 19:32:44 +00:00
\<lbrace>\<lambda>_ s. weak_sch_act_wf (ksSchedulerAction s) s\<rbrace>"
2015-11-02 00:00:32 +00:00
apply (simp add: cancelAllSignals_def)
2014-07-14 19:32:44 +00:00
apply (wp rescheduleRequired_weak_sch_act_wf hoare_drop_imp | wpc | simp)+
done
2015-09-02 05:43:39 +00:00
crunch weak_sch_act_wf[wp]: finaliseCapTrue_standin "\<lambda>s. weak_sch_act_wf (ksSchedulerAction s) s"
(ignore: setThreadState getObject setObject
simp: crunch_simps
wp: crunch_wps getObject_inv loadObject_default_inv)
2014-07-14 19:32:44 +00:00
lemma cteDeleteOne_weak_sch_act[wp]:
"\<lbrace>\<lambda>s. weak_sch_act_wf (ksSchedulerAction s) s\<rbrace>
cteDeleteOne sl
\<lbrace>\<lambda>_ s. weak_sch_act_wf (ksSchedulerAction s) s\<rbrace>"
apply (simp add: cteDeleteOne_def unless_def)
apply (wp hoare_drop_imps finaliseCapTrue_standin_cur' isFinalCapability_cur'
| simp add: split_def)+
done
crunch weak_sch_act_wf[wp]: emptySlot "\<lambda>s. weak_sch_act_wf (ksSchedulerAction s) s"
2015-09-02 05:43:39 +00:00
crunch pred_tcb_at'[wp]: handleFaultReply "pred_tcb_at' proj P t"
2014-07-14 19:32:44 +00:00
crunch valid_queues[wp]: handleFaultReply "Invariants_H.valid_queues"
crunch valid_queues'[wp]: handleFaultReply "valid_queues'"
crunch tcb_in_cur_domain'[wp]: handleFaultReply "tcb_in_cur_domain' t"
2015-11-02 00:00:32 +00:00
crunch sch_act_wf[wp]: unbindNotification "\<lambda>s. sch_act_wf (ksSchedulerAction s) s"
(wp: sbn_sch_act')
2015-09-02 05:43:39 +00:00
2014-07-14 19:32:44 +00:00
crunch valid_queues'[wp]: cteDeleteOne valid_queues'
2018-02-26 01:58:43 +00:00
(simp: crunch_simps inQ_def
wp: crunch_wps sts_st_tcb' getObject_inv loadObject_default_inv
threadSet_valid_queues' rescheduleRequired_valid_queues'_weak
2015-09-02 05:43:39 +00:00
ignore: getObject)
2015-11-02 00:00:32 +00:00
lemma cancelSignal_valid_queues'[wp]:
"\<lbrace>valid_queues'\<rbrace> cancelSignal t ntfn \<lbrace>\<lambda>rv. valid_queues'\<rbrace>"
apply (simp add: cancelSignal_def)
2015-09-02 05:43:39 +00:00
apply (rule hoare_pre)
2015-11-02 00:00:32 +00:00
apply (wp getNotification_wp| wpc | simp)+
2015-09-02 05:43:39 +00:00
done
2015-11-02 00:00:32 +00:00
lemma cancelIPC_valid_queues'[wp]:
"\<lbrace>valid_queues' and (\<lambda>s. sch_act_wf (ksSchedulerAction s) s) \<rbrace> cancelIPC t \<lbrace>\<lambda>rv. valid_queues'\<rbrace>"
apply (simp add: cancelIPC_def Let_def getThreadReplySlot_def locateSlot_conv liftM_def)
2015-09-02 05:43:39 +00:00
apply (rule hoare_seq_ext[OF _ gts_sp'])
apply (case_tac state, simp_all) defer 2
apply (rule hoare_pre)
apply ((wp getEndpoint_wp getCTE_wp | wpc | simp)+)[8]
apply (wp cteDeleteOne_valid_queues')
apply (rule_tac Q="\<lambda>_. valid_queues' and (\<lambda>s. sch_act_wf (ksSchedulerAction s) s)" in hoare_post_imp)
apply (clarsimp simp: capHasProperty_def cte_wp_at_ctes_of)
apply (wp threadSet_valid_queues' threadSet_sch_act| simp)+
apply (clarsimp simp: inQ_def)
done
2014-07-14 19:32:44 +00:00
2014-07-22 13:40:44 +00:00
(* FIXME move *)
2014-07-14 19:32:44 +00:00
lemma cap_delete_one_cur_tcb[wp]:
"\<lbrace>\<lambda>s. cur_tcb s\<rbrace> cap_delete_one slot \<lbrace>\<lambda>_ s. cur_tcb s\<rbrace>"
apply (simp add: cur_tcb_def)
apply (rule hoare_pre)
apply wps
apply wp
apply simp
done
crunch valid_objs'[wp]: handleFaultReply valid_objs'
lemma valid_tcb'_tcbFault_update[simp]: "\<And>tcb s. valid_tcb' tcb s \<Longrightarrow> valid_tcb' (tcbFault_update f tcb) s"
by (clarsimp simp: valid_tcb'_def tcb_cte_cases_def)
2018-08-03 03:27:46 +00:00
lemma cte_wp_at_is_reply_cap_toI:
"cte_wp_at ((=) (cap.ReplyCap t False rights)) ptr s
\<Longrightarrow> cte_wp_at (is_reply_cap_to t) ptr s"
by (fastforce simp: cte_wp_at_reply_cap_to_ex_rights)
2014-07-14 19:32:44 +00:00
lemma do_reply_transfer_corres:
"corres dc
(einvs and tcb_at receiver and tcb_at sender
2018-08-03 03:27:46 +00:00
and cte_wp_at ((=) (cap.ReplyCap receiver False rights)) slot)
2015-09-02 05:43:39 +00:00
(invs' and tcb_at' sender and tcb_at' receiver
2014-07-14 19:32:44 +00:00
and valid_pspace' and cte_at' (cte_map slot))
2018-08-03 03:27:46 +00:00
(do_reply_transfer sender receiver slot grant)
(doReplyTransfer sender receiver (cte_map slot) grant)"
2019-05-07 05:53:41 +00:00
apply (simp add: do_reply_transfer_def doReplyTransfer_def cong: option.case_cong)
2014-07-14 19:32:44 +00:00
apply (rule corres_split' [OF _ _ gts_sp gts_sp'])
apply (rule corres_guard_imp)
apply (rule gts_corres, (clarsimp simp add: st_tcb_at_tcb_at)+)
apply (rule_tac F = "awaiting_reply state" in corres_req)
apply (clarsimp simp add: st_tcb_at_def obj_at_def is_tcb)
2018-08-03 03:27:46 +00:00
apply (fastforce simp: invs_def valid_state_def intro: has_reply_cap_cte_wpD
2014-07-14 19:32:44 +00:00
dest: has_reply_cap_cte_wpD
2018-08-03 03:27:46 +00:00
dest!: valid_reply_caps_awaiting_reply cte_wp_at_is_reply_cap_toI)
2014-07-14 19:32:44 +00:00
apply (case_tac state, simp_all add: bind_assoc)
apply (simp add: isReply_def liftM_def)
apply (rule corres_symb_exec_r[OF _ getCTE_sp getCTE_inv, rotated])
apply (rule no_fail_pre, wp)
apply clarsimp
apply (rename_tac mdbnode)
2015-05-12 15:17:31 +00:00
apply (rule_tac P="Q" and Q="Q" and P'="Q'" and Q'="(\<lambda>s. Q' s \<and> R' s)" for Q Q' R'
2014-07-14 19:32:44 +00:00
in stronger_corres_guard_imp[rotated])
apply assumption
apply (rule conjI, assumption)
apply (clarsimp simp: cte_wp_at_ctes_of)
2018-08-03 03:27:46 +00:00
apply (drule cte_wp_at_is_reply_cap_toI)
2014-07-14 19:32:44 +00:00
apply (erule(4) reply_cap_end_mdb_chain)
apply (rule corres_assert_assume[rotated], simp)
apply (simp add: getSlotCap_def)
apply (rule corres_symb_exec_r[OF _ getCTE_sp getCTE_inv, rotated])
apply (rule no_fail_pre, wp)
apply (clarsimp simp: cte_wp_at_ctes_of)
apply (rule corres_assert_assume[rotated])
apply (clarsimp simp: cte_wp_at_ctes_of)
apply (rule corres_guard_imp)
apply (rule corres_split [OF _ threadget_fault_corres])
2014-08-09 05:16:17 +00:00
apply (case_tac rv, simp_all add: fault_rel_optionation_def bind_assoc)[1]
2014-07-14 19:32:44 +00:00
apply (rule corres_split [OF _ dit_corres])
apply (rule corres_split [OF _ cap_delete_one_corres])
apply (rule corres_split [OF _ sts_corres])
2017-11-24 11:30:55 +00:00
apply (rule possibleSwitchTo_corres)
apply simp
apply (wp set_thread_state_runnable_valid_sched set_thread_state_runnable_weak_valid_sched_action sts_st_tcb_at' sts_st_tcb' sts_valid_queues sts_valid_objs' delete_one_tcbDomain_obj_at'
| simp add: valid_tcb_state'_def)+
2014-07-14 19:32:44 +00:00
apply (strengthen cte_wp_at_reply_cap_can_fast_finalise)
apply (wp hoare_vcg_conj_lift)
apply (rule hoare_strengthen_post [OF do_ipc_transfer_non_null_cte_wp_at])
prefer 2
apply (erule cte_wp_at_weakenE)
apply (fastforce)
apply (clarsimp simp:is_cap_simps)
2017-01-13 12:58:40 +00:00
apply (wp weak_valid_sched_action_lift)+
2014-07-14 19:32:44 +00:00
apply (rule_tac Q="\<lambda>_. valid_queues' and valid_objs' and cur_tcb' and tcb_at' receiver and (\<lambda>s. sch_act_wf (ksSchedulerAction s) s)" in hoare_post_imp, simp add: sch_act_wf_weak)
apply (wp tcb_in_cur_domain'_lift)
defer
apply (simp)
2017-01-13 12:58:40 +00:00
apply (wp)+
2014-07-14 19:32:44 +00:00
apply (clarsimp)
apply (rule conjI, erule invs_valid_objs)
apply (rule conjI, clarsimp)+
apply (rule conjI)
apply (erule cte_wp_at_weakenE)
apply (clarsimp)
apply (rule conjI, rule refl)
apply (fastforce)
apply (clarsimp simp: invs_def valid_sched_def valid_sched_action_def)
apply (simp)
apply (auto simp: invs'_def valid_state'_def)[1]
2017-11-24 11:30:55 +00:00
2014-07-14 19:32:44 +00:00
apply (rule corres_guard_imp)
apply (rule corres_split [OF _ cap_delete_one_corres])
apply (rule corres_split_mapr [OF _ get_mi_corres])
apply (rule corres_split_eqr [OF _ lipcb_corres'])
apply (rule corres_split_eqr [OF _ get_mrs_corres])
apply (simp(no_asm) del: dc_simp)
apply (rule corres_split_eqr [OF _ handle_fault_reply_corres])
apply (rule corres_split [OF _ threadset_corresT])
apply (rule_tac Q="valid_sched and cur_tcb and tcb_at receiver"
and Q'="tcb_at' receiver and cur_tcb'
and (\<lambda>s. weak_sch_act_wf (ksSchedulerAction s) s)
and Invariants_H.valid_queues and valid_queues' and valid_objs'"
in corres_guard_imp)
apply (case_tac rvb, simp_all)[1]
apply (rule corres_guard_imp)
apply (rule corres_split [OF _ sts_corres])
2017-11-24 11:30:55 +00:00
apply (fold dc_def, rule possibleSwitchTo_corres)
apply simp
apply (wp static_imp_wp static_imp_conj_wp set_thread_state_runnable_weak_valid_sched_action sts_st_tcb_at'
sts_st_tcb' sts_valid_queues | simp | force simp: valid_sched_def valid_sched_action_def valid_tcb_state'_def)+
2014-07-14 19:32:44 +00:00
apply (rule corres_guard_imp)
2017-11-24 11:30:55 +00:00
apply (rule sts_corres)
apply (simp_all)[20]
2014-08-09 05:16:17 +00:00
apply (clarsimp simp add: tcb_relation_def fault_rel_optionation_def
2014-07-14 19:32:44 +00:00
tcb_cap_cases_def tcb_cte_cases_def exst_same_def)+
2015-09-02 05:43:39 +00:00
apply (wp threadSet_cur weak_sch_act_wf_lift_linear threadSet_pred_tcb_no_state
2014-07-14 19:32:44 +00:00
thread_set_not_state_valid_sched threadSet_valid_queues threadSet_valid_queues'
threadSet_tcbDomain_triv threadSet_valid_objs'
| simp add: valid_tcb_state'_def)+
2015-09-02 05:43:39 +00:00
apply (wp threadSet_cur weak_sch_act_wf_lift_linear threadSet_pred_tcb_no_state
2014-07-14 19:32:44 +00:00
thread_set_not_state_valid_sched threadSet_valid_queues threadSet_valid_queues'
| simp add: runnable_def inQ_def valid_tcb'_def)+
apply (rule_tac Q="\<lambda>_. valid_sched and cur_tcb and tcb_at sender and tcb_at receiver and valid_objs and pspace_aligned"
in hoare_strengthen_post [rotated], clarsimp)
apply (wp)
apply (rule hoare_chain [OF cap_delete_one_invs])
apply (assumption)
apply (rule conjI, clarsimp)
apply (clarsimp simp add: invs_def valid_state_def)
apply (rule_tac Q="\<lambda>_. tcb_at' sender and tcb_at' receiver and invs'"
in hoare_strengthen_post [rotated])
2018-08-03 03:27:46 +00:00
apply (solves\<open>auto simp: invs'_def valid_state'_def\<close>)
2014-07-14 19:32:44 +00:00
apply wp
apply clarsimp
apply (rule conjI)
apply (erule cte_wp_at_weakenE)
apply (clarsimp simp add: can_fast_finalise_def)
apply (erule(1) emptyable_cte_wp_atD)
apply (rule allI, rule impI)
apply (clarsimp simp add: is_master_reply_cap_def)
apply (clarsimp)
done
2018-08-03 03:27:46 +00:00
(* when we cannot talk about reply cap rights explicitly (for instance, when a schematic ?rights
would be generated too early *)
lemma do_reply_transfer_corres':
"corres dc
(einvs and tcb_at receiver and tcb_at sender
and cte_wp_at (is_reply_cap_to receiver) slot)
(invs' and tcb_at' sender and tcb_at' receiver
and valid_pspace' and cte_at' (cte_map slot))
(do_reply_transfer sender receiver slot grant)
(doReplyTransfer sender receiver (cte_map slot) grant)"
using do_reply_transfer_corres[of receiver sender _ slot]
by (fastforce simp add: cte_wp_at_reply_cap_to_ex_rights corres_underlying_def)
2014-07-14 19:32:44 +00:00
lemma valid_pspace'_splits[elim!]:
"valid_pspace' s \<Longrightarrow> valid_objs' s"
"valid_pspace' s \<Longrightarrow> pspace_aligned' s"
"valid_pspace' s \<Longrightarrow> pspace_distinct' s"
"valid_pspace' s \<Longrightarrow> valid_mdb' s"
"valid_pspace' s \<Longrightarrow> no_0_obj' s"
by (simp add: valid_pspace'_def)+
lemma sts_valid_pspace_hangers:
"\<lbrace>valid_pspace' and tcb_at' t and
valid_tcb_state' st\<rbrace> setThreadState st t \<lbrace>\<lambda>rv. valid_objs'\<rbrace>"
"\<lbrace>valid_pspace' and tcb_at' t and
valid_tcb_state' st\<rbrace> setThreadState st t \<lbrace>\<lambda>rv. pspace_distinct'\<rbrace>"
"\<lbrace>valid_pspace' and tcb_at' t and
valid_tcb_state' st\<rbrace> setThreadState st t \<lbrace>\<lambda>rv. pspace_aligned'\<rbrace>"
"\<lbrace>valid_pspace' and tcb_at' t and
valid_tcb_state' st\<rbrace> setThreadState st t \<lbrace>\<lambda>rv. valid_mdb'\<rbrace>"
"\<lbrace>valid_pspace' and tcb_at' t and
valid_tcb_state' st\<rbrace> setThreadState st t \<lbrace>\<lambda>rv. no_0_obj'\<rbrace>"
by (safe intro!: hoare_strengthen_post [OF sts'_valid_pspace'_inv])
declare no_fail_getSlotCap [wp]
lemma setup_caller_corres:
"corres dc
(st_tcb_at (Not \<circ> halted) sender and tcb_at receiver and
st_tcb_at (Not \<circ> awaiting_reply) sender and valid_reply_caps and
2017-07-12 05:13:51 +00:00
valid_objs and pspace_distinct and pspace_aligned and valid_mdb
2014-07-14 19:32:44 +00:00
and valid_list and
valid_reply_masters and cte_wp_at (\<lambda>c. c = cap.NullCap) (receiver, tcb_cnode_index 3))
(tcb_at' sender and tcb_at' receiver and valid_pspace'
and (\<lambda>s. weak_sch_act_wf (ksSchedulerAction s) s))
2018-08-03 03:27:46 +00:00
(setup_caller_cap sender receiver grant)
(setupCallerCap sender receiver grant)"
supply if_split[split del]
2014-07-14 19:32:44 +00:00
apply (simp add: setup_caller_cap_def setupCallerCap_def
getThreadReplySlot_def locateSlot_conv
getThreadCallerSlot_def)
apply (rule stronger_corres_guard_imp)
apply (rule corres_split_nor)
apply (rule corres_symb_exec_r)
2018-08-03 03:27:46 +00:00
apply (rule_tac F="\<exists>r. cteCap masterCTE = capability.ReplyCap sender True r
2014-07-14 19:32:44 +00:00
\<and> mdbNext (cteMDBNode masterCTE) = nullPointer"
2018-08-03 03:27:46 +00:00
in corres_gen_asm2, clarsimp simp add: isCap_simps)
2014-07-14 19:32:44 +00:00
apply (rule corres_symb_exec_r)
apply (rule_tac F="rv = capability.NullCap"
in corres_gen_asm2, simp)
apply (rule cins_corres)
2018-08-03 03:27:46 +00:00
apply (simp split: if_splits)
2014-07-14 19:32:44 +00:00
apply (simp add: cte_map_def tcbReplySlot_def
tcb_cnode_index_def cte_level_bits_def)
apply (simp add: cte_map_def tcbCallerSlot_def
tcb_cnode_index_def cte_level_bits_def)
apply (rule_tac Q="\<lambda>rv. cte_at' (receiver + 2 ^ cte_level_bits * tcbCallerSlot)"
in valid_prove_more)
2017-01-13 12:58:40 +00:00
apply (wp, (wp getSlotCap_wp)+)
2014-07-14 19:32:44 +00:00
apply blast
apply (rule no_fail_pre, wp)
apply (clarsimp simp: cte_wp_at'_def cte_at'_def)
apply (rule_tac Q="\<lambda>rv. cte_at' (sender + 2 ^ cte_level_bits * tcbReplySlot)"
in valid_prove_more)
2017-01-13 12:58:40 +00:00
apply (wp, (wp getCTE_wp')+)
2014-07-14 19:32:44 +00:00
apply blast
apply (rule no_fail_pre, wp)
apply (clarsimp simp: cte_wp_at_ctes_of)
apply (rule sts_corres)
apply (simp split: option.split)
apply (wp sts_valid_pspace_hangers
| simp add: cte_wp_at_ctes_of)+
apply (clarsimp simp: valid_tcb_state_def st_tcb_at_reply_cap_valid
st_tcb_at_tcb_at st_tcb_at_caller_cap_null
split: option.split)
apply (clarsimp simp: valid_tcb_state'_def valid_cap'_def capAligned_reply_tcbI)
apply (frule(1) st_tcb_at_reply_cap_valid, simp, clarsimp)
apply (clarsimp simp: cte_wp_at_ctes_of cte_wp_at_caps_of_state)
apply (drule pspace_relation_cte_wp_at[rotated, OF caps_of_state_cteD],
erule valid_pspace'_splits, clarsimp+)+
apply (clarsimp simp: cte_wp_at_ctes_of cte_map_def tcbReplySlot_def
2017-10-05 02:47:10 +00:00
tcbCallerSlot_def tcb_cnode_index_def
2014-07-14 19:32:44 +00:00
is_cap_simps)
2017-10-05 02:47:10 +00:00
apply (auto intro: reply_no_descendants_mdbNext_null[OF not_waiting_reply_slot_no_descendants]
simp: cte_index_repair)
2014-07-14 19:32:44 +00:00
done
crunch tcb_at'[wp]: getThreadCallerSlot "tcb_at' t"
lemma getThreadReplySlot_tcb_at'[wp]:
"\<lbrace>tcb_at' t\<rbrace> getThreadReplySlot tcb \<lbrace>\<lambda>_. tcb_at' t\<rbrace>"
by (simp add: getThreadReplySlot_def, wp)
lemma setupCallerCap_tcb_at'[wp]:
2018-08-03 03:27:46 +00:00
"\<lbrace>tcb_at' t\<rbrace> setupCallerCap sender receiver grant \<lbrace>\<lambda>_. tcb_at' t\<rbrace>"
2014-07-14 19:32:44 +00:00
by (simp add: setupCallerCap_def, wp hoare_drop_imp)
crunch ct'[wp]: setupCallerCap "\<lambda>s. P (ksCurThread s)"
(wp: crunch_wps)
lemma cteInsert_sch_act_wf[wp]:
"\<lbrace>\<lambda>s. sch_act_wf (ksSchedulerAction s) s\<rbrace>
cteInsert newCap srcSlot destSlot
\<lbrace>\<lambda>_ s. sch_act_wf (ksSchedulerAction s) s\<rbrace>"
by (wp sch_act_wf_lift tcb_in_cur_domain'_lift)
lemma setupCallerCap_sch_act [wp]:
2017-07-12 05:13:51 +00:00
"\<lbrace>\<lambda>s. sch_act_not t s \<and> sch_act_wf (ksSchedulerAction s) s\<rbrace>
2018-08-03 03:27:46 +00:00
setupCallerCap t r g \<lbrace>\<lambda>_ s. sch_act_wf (ksSchedulerAction s) s\<rbrace>"
2014-07-14 19:32:44 +00:00
apply (simp add: setupCallerCap_def getSlotCap_def getThreadCallerSlot_def
2015-12-01 22:06:06 +00:00
getThreadReplySlot_def locateSlot_conv)
2014-07-14 19:32:44 +00:00
apply (wp getCTE_wp' sts_sch_act' hoare_drop_imps hoare_vcg_all_lift)
apply clarsimp
done
2017-11-24 11:30:55 +00:00
lemma possibleSwitchTo_weak_sch_act_wf[wp]:
2014-07-14 19:32:44 +00:00
"\<lbrace>\<lambda>s. weak_sch_act_wf (ksSchedulerAction s) s \<and> st_tcb_at' runnable' t s\<rbrace>
2017-11-24 11:30:55 +00:00
possibleSwitchTo t \<lbrace>\<lambda>rv s. weak_sch_act_wf (ksSchedulerAction s) s\<rbrace>"
apply (simp add: possibleSwitchTo_def setSchedulerAction_def threadGet_def curDomain_def
bitmap_fun_defs)
2014-07-14 19:32:44 +00:00
apply (wp rescheduleRequired_weak_sch_act_wf
weak_sch_act_wf_lift_linear[where f="tcbSchedEnqueue t"]
getObject_tcb_wp static_imp_wp
| wpc)+
apply (clarsimp simp: obj_at'_def projectKOs weak_sch_act_wf_def ps_clear_def tcb_in_cur_domain'_def)
done
2015-09-02 05:43:39 +00:00
lemmas transferCapsToSlots_pred_tcb_at' =
transferCapsToSlots_pres1 [OF cteInsert_pred_tcb_at']
2014-07-14 19:32:44 +00:00
2017-11-24 11:30:55 +00:00
crunch pred_tcb_at'[wp]: doIPCTransfer, possibleSwitchTo "pred_tcb_at' proj P t"
2014-07-14 19:32:44 +00:00
(wp: mapM_wp' crunch_wps simp: zipWithM_x_mapM)
(* FIXME move *)
lemma tcb_in_cur_domain'_ksSchedulerAction_update[simp]:
"tcb_in_cur_domain' t (ksSchedulerAction_update f s) = tcb_in_cur_domain' t s"
by (simp add: tcb_in_cur_domain'_def)
(* FIXME move *)
lemma ct_idle_or_in_cur_domain'_ksSchedulerAction_update[simp]:
2017-07-12 05:13:51 +00:00
"b\<noteq> ResumeCurrentThread \<Longrightarrow>
2014-07-14 19:32:44 +00:00
ct_idle_or_in_cur_domain' (s\<lparr>ksSchedulerAction := b\<rparr>)"
apply (clarsimp simp add: ct_idle_or_in_cur_domain'_def)
done
lemma setSchedulerAction_ct_in_domain:
2017-07-12 05:13:51 +00:00
"\<lbrace>\<lambda>s. ct_idle_or_in_cur_domain' s
2014-07-14 19:32:44 +00:00
\<and> p \<noteq> ResumeCurrentThread \<rbrace> setSchedulerAction p
\<lbrace>\<lambda>_. ct_idle_or_in_cur_domain'\<rbrace>"
by (simp add:setSchedulerAction_def | wp)+
2017-11-24 11:30:55 +00:00
crunch ct_idle_or_in_cur_domain'[wp]: setupCallerCap, doIPCTransfer, possibleSwitchTo ct_idle_or_in_cur_domain'
2014-07-14 19:32:44 +00:00
(wp: crunch_wps setSchedulerAction_ct_in_domain simp: zipWithM_x_mapM)
2017-11-24 11:30:55 +00:00
crunch ksCurDomain[wp]: setupCallerCap, doIPCTransfer, possibleSwitchTo "\<lambda>s. P (ksCurDomain s)"
2014-07-14 19:32:44 +00:00
(wp: crunch_wps simp: zipWithM_x_mapM)
2017-11-24 11:30:55 +00:00
crunch ksDomSchedule[wp]: setupCallerCap, doIPCTransfer, possibleSwitchTo "\<lambda>s. P (ksDomSchedule s)"
2014-07-14 19:32:44 +00:00
(wp: crunch_wps simp: zipWithM_x_mapM)
crunch tcbDomain_obj_at'[wp]: doIPCTransfer "obj_at' (\<lambda>tcb. P (tcbDomain tcb)) t"
2016-08-23 12:31:49 +00:00
(wp: crunch_wps constOnFailure_wp simp: crunch_simps)
2014-07-14 19:32:44 +00:00
2017-11-24 11:30:55 +00:00
crunch tcb_at'[wp]: possibleSwitchTo "tcb_at' t"
(wp: crunch_wps)
crunch valid_pspace'[wp]: possibleSwitchTo valid_pspace'
(wp: crunch_wps)
2014-07-14 19:32:44 +00:00
lemma send_ipc_corres:
(* call is only true if called in handleSyscall SysCall, which
is always blocking. *)
assumes "call \<longrightarrow> bl"
shows
"corres dc (einvs and st_tcb_at active t and ep_at ep and ex_nonz_cap_to t)
(invs' and sch_act_not t and tcb_at' t and ep_at' ep)
2018-08-03 03:27:46 +00:00
(send_ipc bl call bg cg cgr t ep) (sendIPC bl call bg cg cgr t ep)"
2014-07-14 19:32:44 +00:00
proof -
show ?thesis
apply (insert assms)
apply (unfold send_ipc_def sendIPC_def Let_def)
apply (case_tac bl)
apply clarsimp
apply (rule corres_guard_imp)
2017-07-12 05:13:51 +00:00
apply (rule corres_split [OF _ get_ep_corres,
2014-07-14 19:32:44 +00:00
where
2017-07-12 05:13:51 +00:00
R="\<lambda>rv. einvs and st_tcb_at active t and ep_at ep and
2014-07-14 19:32:44 +00:00
valid_ep rv and obj_at (\<lambda>ob. ob = Endpoint rv) ep
and ex_nonz_cap_to t"
and
R'="\<lambda>rv'. invs' and tcb_at' t and sch_act_not t
and ep_at' ep and valid_ep' rv'"])
apply (case_tac rv)
apply (simp add: ep_relation_def)
apply (rule corres_guard_imp)
apply (rule corres_split [OF _ sts_corres])
apply (rule set_ep_corres)
apply (simp add: ep_relation_def)
2014-08-09 05:16:17 +00:00
apply (simp add: fault_rel_optionation_def)
2017-01-13 12:58:40 +00:00
apply wp+
2014-07-14 19:32:44 +00:00
apply (clarsimp simp: st_tcb_at_tcb_at valid_tcb_state_def)
apply clarsimp
2018-06-09 08:27:30 +00:00
\<comment> \<open>concludes IdleEP if bl branch\<close>
2014-07-14 19:32:44 +00:00
apply (simp add: ep_relation_def)
apply (rule corres_guard_imp)
apply (rule corres_split [OF _ sts_corres])
apply (rule set_ep_corres)
apply (simp add: ep_relation_def)
2014-08-09 05:16:17 +00:00
apply (simp add: fault_rel_optionation_def)
2017-01-13 12:58:40 +00:00
apply wp+
2014-07-14 19:32:44 +00:00
apply (clarsimp simp: st_tcb_at_tcb_at valid_tcb_state_def)
apply clarsimp
2018-06-09 08:27:30 +00:00
\<comment> \<open>concludes SendEP if bl branch\<close>
2014-07-14 19:32:44 +00:00
apply (simp add: ep_relation_def)
2015-05-12 15:17:31 +00:00
apply (rename_tac list)
2014-07-14 19:32:44 +00:00
apply (rule_tac F="list \<noteq> []" in corres_req)
apply (simp add: valid_ep_def)
apply (case_tac list)
apply simp
2016-10-25 06:01:30 +00:00
apply (clarsimp split del: if_split)
2017-07-12 05:13:51 +00:00
apply (rule corres_guard_imp)
2014-07-14 19:32:44 +00:00
apply (rule corres_split [OF _ set_ep_corres])
2016-10-25 06:01:30 +00:00
apply (simp add: isReceive_def split del:if_split)
2014-07-14 19:32:44 +00:00
apply (rule corres_split [OF _ gts_corres])
2017-07-12 05:13:51 +00:00
apply (rule_tac
2018-08-03 03:27:46 +00:00
F="\<exists>data. recv_state = Structures_A.BlockedOnReceive ep data"
2014-07-14 19:32:44 +00:00
in corres_gen_asm)
2014-08-11 08:51:04 +00:00
apply (clarsimp simp: case_bool_If case_option_If if3_fold
2016-10-25 06:01:30 +00:00
simp del: dc_simp split del: if_split cong: if_cong)
2014-07-14 19:32:44 +00:00
apply (rule corres_split [OF _ dit_corres])
apply (rule corres_split [OF _ sts_corres])
2017-11-24 11:30:55 +00:00
apply (rule corres_split [OF _ possibleSwitchTo_corres])
2014-07-14 19:32:44 +00:00
apply (fold when_def)[1]
2018-08-03 03:27:46 +00:00
apply (rule_tac P="call" and P'="call"
in corres_symmetric_bool_cases, blast)
2016-10-25 06:01:30 +00:00
apply (simp add: when_def dc_def[symmetric] split del: if_split)
2014-07-14 19:32:44 +00:00
apply (rule corres_if2, simp)
apply (rule setup_caller_corres)
apply (rule sts_corres, simp)
apply (rule corres_trivial)
2016-10-25 06:01:30 +00:00
apply (simp add: when_def dc_def[symmetric] split del: if_split)
apply (simp split del: if_split add: if_apply_def2)
2014-07-14 19:32:44 +00:00
apply (wp hoare_drop_imps)[1]
2016-10-25 06:01:30 +00:00
apply (simp split del: if_split add: if_apply_def2)
2014-07-14 19:32:44 +00:00
apply (wp hoare_drop_imps)[1]
apply (wp | simp)+
apply (wp sts_cur_tcb set_thread_state_runnable_weak_valid_sched_action sts_st_tcb_at_cases)
apply (wp setThreadState_valid_queues' sts_valid_queues sts_weak_sch_act_wf
sts_cur_tcb' setThreadState_tcb' sts_st_tcb_at'_cases)[1]
apply (simp add: valid_tcb_state_def pred_conj_def)
apply (strengthen reply_cap_doesnt_exist_strg disjI2_strg)
apply ((wp hoare_drop_imps do_ipc_transfer_tcb_caps weak_valid_sched_action_lift
| clarsimp simp: is_cap_simps)+)[1]
2015-10-29 00:22:21 +00:00
apply (simp add: pred_conj_def)
2018-02-26 01:58:43 +00:00
apply (strengthen sch_act_wf_weak)
2014-07-14 19:32:44 +00:00
apply (simp add: valid_tcb_state'_def)
apply (wp weak_sch_act_wf_lift_linear tcb_in_cur_domain'_lift hoare_drop_imps)[1]
2017-01-13 12:58:40 +00:00
apply (wp gts_st_tcb_at)+
2014-07-14 19:32:44 +00:00
apply (simp add: ep_relation_def split: list.split)
apply (simp add: pred_conj_def cong: conj_cong)
apply (wp hoare_post_taut)
apply (simp)
2017-01-13 12:58:40 +00:00
apply (wp weak_sch_act_wf_lift_linear set_ep_valid_objs' setEndpoint_valid_mdb')+
2014-07-14 19:32:44 +00:00
apply (clarsimp simp add: invs_def valid_state_def valid_pspace_def ep_redux_simps
2017-11-27 04:59:58 +00:00
ep_redux_simps' st_tcb_at_tcb_at valid_ep_def
cong: list.case_cong)
2014-08-11 08:51:04 +00:00
apply (drule(1) sym_refs_obj_atD[where P="\<lambda>ob. ob = e" for e])
2018-08-03 03:27:46 +00:00
apply (clarsimp simp: st_tcb_at_refs_of_rev st_tcb_at_reply_cap_valid
st_tcb_def2 valid_sched_def valid_sched_action_def)
apply (force simp: st_tcb_def2 dest!: st_tcb_at_caller_cap_null[simplified,rotated])
2016-01-12 05:44:35 +00:00
subgoal by (auto simp: valid_ep'_def invs'_def valid_state'_def split: list.split)
2017-01-13 12:58:40 +00:00
apply wp+
2017-11-27 04:59:58 +00:00
apply (clarsimp simp: ep_at_def2)+
2014-07-14 19:32:44 +00:00
apply (rule corres_guard_imp)
apply (rule corres_split [OF _ get_ep_corres,
where
R="\<lambda>rv. einvs and st_tcb_at active t and ep_at ep and
valid_ep rv and obj_at (\<lambda>k. k = Endpoint rv) ep"
and
R'="\<lambda>rv'. invs' and tcb_at' t and sch_act_not t
and ep_at' ep and valid_ep' rv'"])
apply (rename_tac rv rv')
apply (case_tac rv)
apply (simp add: ep_relation_def)
2018-06-09 08:27:30 +00:00
\<comment> \<open>concludes IdleEP branch if not bl and no ft\<close>
2014-07-14 19:32:44 +00:00
apply (simp add: ep_relation_def)
2018-06-09 08:27:30 +00:00
\<comment> \<open>concludes SendEP branch if not bl and no ft\<close>
2014-07-14 19:32:44 +00:00
apply (simp add: ep_relation_def)
2015-05-12 15:17:31 +00:00
apply (rename_tac list)
2014-07-14 19:32:44 +00:00
apply (rule_tac F="list \<noteq> []" in corres_req)
apply (simp add: valid_ep_def)
apply (case_tac list)
apply simp
apply (rule_tac F="a \<noteq> t" in corres_req)
apply (clarsimp simp: invs_def valid_state_def
valid_pspace_def)
2014-08-11 08:51:04 +00:00
apply (drule(1) sym_refs_obj_atD[where P="\<lambda>ob. ob = e" for e])
2015-09-02 05:43:39 +00:00
apply (clarsimp simp: st_tcb_at_def obj_at_def tcb_bound_refs_def2)
2014-07-14 19:32:44 +00:00
apply fastforce
2016-10-25 06:01:30 +00:00
apply (clarsimp split del: if_split)
2014-07-14 19:32:44 +00:00
apply (rule corres_guard_imp)
apply (rule corres_split [OF _ set_ep_corres])
apply (rule corres_split [OF _ gts_corres])
apply (rule_tac
2018-08-03 03:27:46 +00:00
F="\<exists>data. recv_state = Structures_A.BlockedOnReceive ep data"
2014-07-14 19:32:44 +00:00
in corres_gen_asm)
2014-08-11 08:51:04 +00:00
apply (clarsimp simp: isReceive_def case_bool_If
2016-10-25 06:01:30 +00:00
split del: if_split cong: if_cong)
2014-07-14 19:32:44 +00:00
apply (rule corres_split [OF _ dit_corres])
apply (rule corres_split [OF _ sts_corres])
2018-08-03 03:27:46 +00:00
apply (rule possibleSwitchTo_corres)
2014-07-14 19:32:44 +00:00
apply (simp add: if_apply_def2)
2017-01-13 12:58:40 +00:00
apply (wp hoare_drop_imps)
2014-07-14 19:32:44 +00:00
apply (simp add: if_apply_def2)
apply ((wp sts_cur_tcb set_thread_state_runnable_weak_valid_sched_action sts_st_tcb_at_cases |
2016-10-25 06:01:30 +00:00
simp add: if_apply_def2 split del: if_split)+)[1]
2014-07-14 19:32:44 +00:00
apply (wp setThreadState_valid_queues' sts_valid_queues sts_weak_sch_act_wf
2017-01-13 12:58:40 +00:00
sts_cur_tcb' setThreadState_tcb' sts_st_tcb_at'_cases)
2014-07-14 19:32:44 +00:00
apply (simp add: valid_tcb_state_def pred_conj_def)
apply ((wp hoare_drop_imps do_ipc_transfer_tcb_caps weak_valid_sched_action_lift
| clarsimp simp:is_cap_simps)+)[1]
apply (simp add: valid_tcb_state'_def pred_conj_def)
2018-02-26 01:58:43 +00:00
apply (strengthen sch_act_wf_weak)
2017-01-13 12:58:40 +00:00
apply (wp weak_sch_act_wf_lift_linear hoare_drop_imps)
apply (wp gts_st_tcb_at)+
2014-07-14 19:32:44 +00:00
apply (simp add: ep_relation_def split: list.split)
apply (simp add: pred_conj_def cong: conj_cong)
apply (wp hoare_post_taut)
apply simp
apply (wp weak_sch_act_wf_lift_linear set_ep_valid_objs' setEndpoint_valid_mdb')
apply (clarsimp simp add: invs_def valid_state_def
valid_pspace_def ep_redux_simps ep_redux_simps'
st_tcb_at_tcb_at
cong: list.case_cong)
apply (clarsimp simp: valid_ep_def)
2014-08-11 08:51:04 +00:00
apply (drule(1) sym_refs_obj_atD[where P="\<lambda>ob. ob = e" for e])
2014-07-14 19:32:44 +00:00
apply (clarsimp simp: st_tcb_at_refs_of_rev st_tcb_at_reply_cap_valid
st_tcb_at_caller_cap_null)
apply (fastforce simp: st_tcb_def2 valid_sched_def valid_sched_action_def)
2016-01-12 05:44:35 +00:00
subgoal by (auto simp: valid_ep'_def
2017-07-12 05:13:51 +00:00
split: list.split;
2016-01-12 05:44:35 +00:00
clarsimp simp: invs'_def valid_state'_def)
2017-01-13 12:58:40 +00:00
apply wp+
2017-11-27 04:59:58 +00:00
apply (clarsimp simp: ep_at_def2)+
2014-07-14 19:32:44 +00:00
done
qed
crunch typ_at'[wp]: setMessageInfo "\<lambda>s. P (typ_at' T p s)"
lemmas setMessageInfo_typ_ats[wp] = typ_at_lifts [OF setMessageInfo_typ_at']
2015-09-02 05:43:39 +00:00
(* Annotation added by Simon Winwood (Thu Jul 1 20:54:41 2010) using taint-mode *)
declare tl_drop_1[simp]
2014-07-14 19:32:44 +00:00
2015-11-02 00:00:32 +00:00
crunch cur[wp]: cancel_ipc "cur_tcb"
2015-09-02 05:43:39 +00:00
(wp: select_wp crunch_wps simp: crunch_simps)
2014-07-14 19:32:44 +00:00
2015-09-02 05:43:39 +00:00
crunch valid_objs'[wp]: asUser "valid_objs'"
2014-07-14 19:32:44 +00:00
2015-09-02 05:43:39 +00:00
lemma valid_sched_weak_strg:
"valid_sched s \<longrightarrow> weak_valid_sched_action s"
by (simp add: valid_sched_def valid_sched_action_def)
2014-07-14 19:32:44 +00:00
2015-09-02 05:43:39 +00:00
crunch weak_valid_sched_action[wp]: as_user weak_valid_sched_action
(wp: weak_valid_sched_action_lift)
2014-07-14 19:32:44 +00:00
2015-11-02 00:00:32 +00:00
lemma send_signal_corres:
"corres dc (einvs and ntfn_at ep) (invs' and ntfn_at' ep)
(send_signal ep bg) (sendSignal ep bg)"
apply (simp add: send_signal_def sendSignal_def Let_def)
2014-07-14 19:32:44 +00:00
apply (rule corres_guard_imp)
2015-11-02 00:00:32 +00:00
apply (rule corres_split [OF _ get_ntfn_corres,
2014-07-14 19:32:44 +00:00
where
2017-07-12 05:13:51 +00:00
R = "\<lambda>rv. einvs and ntfn_at ep and valid_ntfn rv and
2015-11-02 00:00:32 +00:00
ko_at (Structures_A.Notification rv) ep" and
R' = "\<lambda>rv'. invs' and ntfn_at' ep and
valid_ntfn' rv' and ko_at' rv' ep"])
2014-07-14 19:32:44 +00:00
defer
2017-11-27 04:59:58 +00:00
apply (wp get_simple_ko_ko_at get_ntfn_ko')+
2015-09-02 05:43:39 +00:00
apply (simp add: invs_valid_objs)+
2015-11-02 00:00:32 +00:00
apply (case_tac "ntfn_obj ntfn")
2018-06-09 08:27:30 +00:00
\<comment> \<open>IdleNtfn\<close>
2015-11-02 00:00:32 +00:00
apply (clarsimp simp add: ntfn_relation_def)
apply (case_tac "ntfnBoundTCB nTFN")
2015-09-02 05:43:39 +00:00
apply clarsimp
2015-11-02 00:00:32 +00:00
apply (rule corres_guard_imp[OF set_ntfn_corres])
apply (clarsimp simp add: ntfn_relation_def)+
2014-07-14 19:32:44 +00:00
apply (rule corres_guard_imp)
2015-09-02 05:43:39 +00:00
apply (rule corres_split[OF _ gts_corres])
apply (rule corres_if)
apply (fastforce simp: receive_blocked_def receiveBlocked_def
thread_state_relation_def
split: Structures_A.thread_state.splits
Structures_H.thread_state.splits)
2015-11-02 00:00:32 +00:00
apply (rule corres_split[OF _ cancel_ipc_corres])
2015-09-02 05:43:39 +00:00
apply (rule corres_split[OF _ sts_corres])
apply (simp add: badgeRegister_def badge_register_def)
apply (rule corres_split[OF _ user_setreg_corres])
2017-11-24 11:30:55 +00:00
apply (rule possibleSwitchTo_corres)
2015-09-02 05:43:39 +00:00
apply wp
apply (clarsimp simp: thread_state_relation_def)
apply (wp set_thread_state_runnable_weak_valid_sched_action sts_st_tcb_at'
sts_valid_queues sts_st_tcb' hoare_disjI2
2015-11-02 00:00:32 +00:00
cancel_ipc_cte_wp_at_not_reply_state
2015-09-02 05:43:39 +00:00
| strengthen invs_vobjs_strgs invs_psp_aligned_strg valid_sched_weak_strg
| simp add: valid_tcb_state_def)+
apply (rule_tac Q="\<lambda>rv. invs' and tcb_at' a" in hoare_strengthen_post)
apply wp
apply (clarsimp simp: invs'_def valid_state'_def sch_act_wf_weak
valid_tcb_state'_def)
2015-11-02 00:00:32 +00:00
apply (rule set_ntfn_corres)
apply (clarsimp simp add: ntfn_relation_def)
2015-09-02 05:43:39 +00:00
apply (wp gts_wp gts_wp' | clarsimp)+
2015-11-02 00:00:32 +00:00
apply (auto simp: valid_ntfn_def receive_blocked_def valid_sched_def invs_cur
2015-09-02 05:43:39 +00:00
elim: pred_tcb_weakenE
intro: st_tcb_at_reply_cap_valid
split: Structures_A.thread_state.splits)[1]
2015-11-02 00:00:32 +00:00
apply (clarsimp simp: valid_ntfn'_def invs'_def valid_state'_def valid_pspace'_def sch_act_wf_weak)
2018-06-09 08:27:30 +00:00
\<comment> \<open>WaitingNtfn\<close>
2015-11-02 00:00:32 +00:00
apply (clarsimp simp add: ntfn_relation_def Let_def)
apply (simp add: update_waiting_ntfn_def)
2015-05-12 15:17:31 +00:00
apply (rename_tac list)
2014-07-14 19:32:44 +00:00
apply (case_tac "tl list = []")
2018-06-09 08:27:30 +00:00
\<comment> \<open>tl list = []\<close>
2014-07-14 19:32:44 +00:00
apply (rule corres_guard_imp)
apply (rule_tac F="list \<noteq> []" in corres_gen_asm)
2016-10-25 06:01:30 +00:00
apply (simp add: list_case_helper split del: if_split)
2015-11-02 00:00:32 +00:00
apply (rule corres_split [OF _ set_ntfn_corres])
2014-07-14 19:32:44 +00:00
apply (rule corres_split [OF _ sts_corres])
2015-09-02 05:43:39 +00:00
apply (simp add: badgeRegister_def badge_register_def)
apply (rule corres_split [OF _ user_setreg_corres])
2017-11-24 11:30:55 +00:00
apply (rule possibleSwitchTo_corres)
2014-07-14 19:32:44 +00:00
apply ((wp | simp)+)[1]
apply (rule_tac Q="\<lambda>_. Invariants_H.valid_queues and valid_queues' and
(\<lambda>s. sch_act_wf (ksSchedulerAction s) s) and
cur_tcb' and
st_tcb_at' runnable' (hd list) and valid_objs'"
2015-09-02 05:43:39 +00:00
in hoare_post_imp, clarsimp simp: pred_tcb_at' elim!: sch_act_wf_weak)
2014-07-14 19:32:44 +00:00
apply (wp | simp)+
2015-09-02 05:43:39 +00:00
apply (wp sts_st_tcb_at' set_thread_state_runnable_weak_valid_sched_action
2017-07-12 05:13:51 +00:00
| simp)+
2015-09-02 05:43:39 +00:00
apply (wp sts_st_tcb_at'_cases sts_valid_queues setThreadState_valid_queues'
setThreadState_st_tcb
| simp)+
2015-11-02 00:00:32 +00:00
apply (simp add: ntfn_relation_def)
2017-11-27 04:59:58 +00:00
apply (wp set_simple_ko_valid_objs set_ntfn_aligned' set_ntfn_valid_objs'
2014-07-14 19:32:44 +00:00
hoare_vcg_disj_lift weak_sch_act_wf_lift_linear
| simp add: valid_tcb_state_def valid_tcb_state'_def)+
2017-07-12 05:13:51 +00:00
apply (clarsimp simp: invs_def valid_state_def valid_ntfn_def
2015-11-02 00:00:32 +00:00
valid_pspace_def ntfn_queued_st_tcb_at valid_sched_def
2015-09-02 05:43:39 +00:00
valid_sched_action_def)
2015-11-02 00:00:32 +00:00
apply (auto simp: valid_ntfn'_def )[1]
2014-07-14 19:32:44 +00:00
apply (clarsimp simp: invs'_def valid_state'_def)
2018-06-09 08:27:30 +00:00
\<comment> \<open>tl list \<noteq> []\<close>
2014-07-14 19:32:44 +00:00
apply (rule corres_guard_imp)
apply (rule_tac F="list \<noteq> []" in corres_gen_asm)
apply (simp add: list_case_helper)
2015-11-02 00:00:32 +00:00
apply (rule corres_split [OF _ set_ntfn_corres])
2014-07-14 19:32:44 +00:00
apply (rule corres_split [OF _ sts_corres])
2015-09-02 05:43:39 +00:00
apply (simp add: badgeRegister_def badge_register_def)
apply (rule corres_split [OF _ user_setreg_corres])
2017-11-24 11:30:55 +00:00
apply (rule possibleSwitchTo_corres)
2014-07-14 19:32:44 +00:00
apply (wp cur_tcb_lift | simp)+
2015-09-02 05:43:39 +00:00
apply (wp sts_st_tcb_at' set_thread_state_runnable_weak_valid_sched_action
2017-07-12 05:13:51 +00:00
| simp)+
2015-09-02 05:43:39 +00:00
apply (wp sts_st_tcb_at'_cases sts_valid_queues setThreadState_valid_queues'
setThreadState_st_tcb
| simp)+
2015-11-02 00:00:32 +00:00
apply (simp add: ntfn_relation_def split:list.splits)
2017-11-27 04:59:58 +00:00
apply (wp set_ntfn_aligned' set_simple_ko_valid_objs set_ntfn_valid_objs'
2014-07-14 19:32:44 +00:00
hoare_vcg_disj_lift weak_sch_act_wf_lift_linear
| simp add: valid_tcb_state_def valid_tcb_state'_def)+
2017-07-12 05:13:51 +00:00
apply (clarsimp simp: invs_def valid_state_def valid_ntfn_def
2015-09-02 05:43:39 +00:00
valid_pspace_def neq_Nil_conv
2015-11-02 00:00:32 +00:00
ntfn_queued_st_tcb_at valid_sched_def valid_sched_action_def
2015-09-02 05:43:39 +00:00
split: option.splits)
2015-11-02 00:00:32 +00:00
apply (auto simp: valid_ntfn'_def neq_Nil_conv invs'_def valid_state'_def
2015-09-02 05:43:39 +00:00
weak_sch_act_wf_def
split: option.splits)[1]
2018-06-09 08:27:30 +00:00
\<comment> \<open>ActiveNtfn\<close>
2015-11-02 00:00:32 +00:00
apply (clarsimp simp add: ntfn_relation_def)
2014-07-14 19:32:44 +00:00
apply (rule corres_guard_imp)
2015-11-02 00:00:32 +00:00
apply (rule set_ntfn_corres)
apply (simp add: ntfn_relation_def combine_ntfn_badges_def
combine_ntfn_msgs_def)
apply (simp add: invs_def valid_state_def valid_ntfn_def)
apply (simp add: invs'_def valid_state'_def valid_ntfn'_def)
2015-05-12 15:17:31 +00:00
done
2014-07-14 19:32:44 +00:00
lemma valid_Running'[simp]:
"valid_tcb_state' Running = \<top>"
by (rule ext, simp add: valid_tcb_state'_def)
crunch typ'[wp]: setMRs "\<lambda>s. P (typ_at' T p s)"
(wp: crunch_wps simp: zipWithM_x_mapM)
lemma possibleSwitchTo_sch_act[wp]:
"\<lbrace>\<lambda>s. sch_act_wf (ksSchedulerAction s) s \<and> st_tcb_at' runnable' t s\<rbrace>
2017-11-24 11:30:55 +00:00
possibleSwitchTo t
2014-07-14 19:32:44 +00:00
\<lbrace>\<lambda>rv s. sch_act_wf (ksSchedulerAction s) s\<rbrace>"
2017-11-24 11:30:55 +00:00
apply (simp add: possibleSwitchTo_def curDomain_def bitmap_fun_defs)
2014-07-14 19:32:44 +00:00
apply (wp static_imp_wp threadSet_sch_act setQueue_sch_act threadGet_wp
| simp add: unless_def | wpc)+
apply (auto simp: obj_at'_def projectKOs tcb_in_cur_domain'_def)
done
lemma possibleSwitchTo_valid_queues[wp]:
"\<lbrace>Invariants_H.valid_queues and valid_objs' and (\<lambda>s. sch_act_wf (ksSchedulerAction s) s) and st_tcb_at' runnable' t\<rbrace>
2017-11-24 11:30:55 +00:00
possibleSwitchTo t
2014-07-14 19:32:44 +00:00
\<lbrace>\<lambda>rv. Invariants_H.valid_queues\<rbrace>"
2017-11-24 11:30:55 +00:00
apply (simp add: possibleSwitchTo_def curDomain_def bitmap_fun_defs)
2014-07-14 19:32:44 +00:00
apply (wp hoare_drop_imps | wpc | simp)+
apply (auto simp: valid_tcb'_def weak_sch_act_wf_def
2015-09-02 05:43:39 +00:00
dest: pred_tcb_at'
2014-07-14 19:32:44 +00:00
elim!: valid_objs_valid_tcbE)
done
lemma possibleSwitchTo_ksQ':
"\<lbrace>(\<lambda>s. t' \<notin> set (ksReadyQueues s p) \<and> sch_act_not t' s) and K(t' \<noteq> t)\<rbrace>
2017-11-24 11:30:55 +00:00
possibleSwitchTo t
2014-07-14 19:32:44 +00:00
\<lbrace>\<lambda>_ s. t' \<notin> set (ksReadyQueues s p)\<rbrace>"
2017-11-24 11:30:55 +00:00
apply (simp add: possibleSwitchTo_def curDomain_def bitmap_fun_defs)
2015-05-12 15:17:31 +00:00
apply (wp static_imp_wp rescheduleRequired_ksQ' tcbSchedEnqueue_ksQ threadGet_wp
| wpc
2016-10-25 06:01:30 +00:00
| simp split del: if_split)+
2015-05-12 15:17:31 +00:00
apply (auto simp: obj_at'_def)
done
2014-07-14 19:32:44 +00:00
lemma possibleSwitchTo_valid_queues'[wp]:
"\<lbrace>valid_queues' and (\<lambda>s. sch_act_wf (ksSchedulerAction s) s)
and st_tcb_at' runnable' t\<rbrace>
2017-11-24 11:30:55 +00:00
possibleSwitchTo t
2014-07-14 19:32:44 +00:00
\<lbrace>\<lambda>rv. valid_queues'\<rbrace>"
2017-11-24 11:30:55 +00:00
apply (simp add: possibleSwitchTo_def curDomain_def bitmap_fun_defs)
2015-05-12 15:17:31 +00:00
apply (wp static_imp_wp threadGet_wp | wpc | simp)+
apply (auto simp: obj_at'_def)
done
2014-07-14 19:32:44 +00:00
2017-11-24 11:30:55 +00:00
crunch st_refs_of'[wp]: possibleSwitchTo "\<lambda>s. P (state_refs_of' s)"
(wp: crunch_wps)
2014-07-14 19:32:44 +00:00
2017-11-24 11:30:55 +00:00
crunch cap_to'[wp]: possibleSwitchTo "ex_nonz_cap_to' p"
(wp: crunch_wps)
crunch objs'[wp]: possibleSwitchTo valid_objs'
2017-07-12 05:13:51 +00:00
(wp: crunch_wps)
2017-11-24 11:30:55 +00:00
crunch ct[wp]: possibleSwitchTo cur_tcb'
(wp: cur_tcb_lift crunch_wps)
2014-07-14 19:32:44 +00:00
lemma possibleSwitchTo_iflive[wp]:
"\<lbrace>if_live_then_nonz_cap' and ex_nonz_cap_to' t
and (\<lambda>s. sch_act_wf (ksSchedulerAction s) s)\<rbrace>
2017-11-24 11:30:55 +00:00
possibleSwitchTo t
2014-07-14 19:32:44 +00:00
\<lbrace>\<lambda>rv. if_live_then_nonz_cap'\<rbrace>"
2016-11-16 03:02:03 +00:00
apply (simp add: possibleSwitchTo_def curDomain_def)
2014-07-14 19:32:44 +00:00
apply (wp | wpc | simp)+
apply (simp only: imp_conv_disj, wp hoare_vcg_all_lift hoare_vcg_disj_lift)
2017-01-13 12:58:40 +00:00
apply (wp threadGet_wp)+
2014-07-14 19:32:44 +00:00
apply (auto simp: obj_at'_def projectKOs)
done
2017-11-24 11:30:55 +00:00
crunch ifunsafe[wp]: possibleSwitchTo if_unsafe_then_cap'
2014-07-14 19:32:44 +00:00
(wp: crunch_wps)
2017-11-24 11:30:55 +00:00
crunch idle'[wp]: possibleSwitchTo valid_idle'
2014-07-14 19:32:44 +00:00
(wp: crunch_wps)
2017-11-24 11:30:55 +00:00
crunch global_refs'[wp]: possibleSwitchTo valid_global_refs'
2014-07-14 19:32:44 +00:00
(wp: crunch_wps)
2017-11-24 11:30:55 +00:00
crunch arch_state'[wp]: possibleSwitchTo valid_arch_state'
2014-07-14 19:32:44 +00:00
(wp: crunch_wps)
2017-11-24 11:30:55 +00:00
crunch irq_node'[wp]: possibleSwitchTo "\<lambda>s. P (irq_node' s)"
2014-07-14 19:32:44 +00:00
(wp: crunch_wps)
2017-11-24 11:30:55 +00:00
crunch typ_at'[wp]: possibleSwitchTo "\<lambda>s. P (typ_at' T p s)"
2014-07-14 19:32:44 +00:00
(wp: crunch_wps)
2017-11-24 11:30:55 +00:00
crunch irq_handlers'[wp]: possibleSwitchTo valid_irq_handlers'
2014-07-14 19:32:44 +00:00
(simp: unless_def tcb_cte_cases_def wp: crunch_wps)
2017-11-24 11:30:55 +00:00
crunch irq_states'[wp]: possibleSwitchTo valid_irq_states'
2014-07-14 19:32:44 +00:00
(wp: crunch_wps)
2017-11-24 11:30:55 +00:00
crunch pde_mappigns'[wp]: possibleSwitchTo valid_pde_mappings'
2014-07-14 19:32:44 +00:00
(wp: crunch_wps)
2015-11-02 00:00:32 +00:00
crunch ct'[wp]: sendSignal "\<lambda>s. P (ksCurThread s)"
2018-03-14 00:48:48 +00:00
(wp: crunch_wps simp: crunch_simps o_def)
2015-11-02 00:00:32 +00:00
crunch it'[wp]: sendSignal "\<lambda>s. P (ksIdleThread s)"
2014-07-14 19:32:44 +00:00
(wp: crunch_wps simp: crunch_simps)
2018-06-08 04:06:44 +00:00
crunch irqs_masked'[wp]: sendSignal, setBoundNotification "irqs_masked'"
2018-03-14 00:48:48 +00:00
(wp: crunch_wps getObject_inv loadObject_default_inv
simp: crunch_simps unless_def o_def
rule: irqs_masked_lift ignore: getObject)
2014-07-14 19:32:44 +00:00
lemma sts_running_valid_queues:
"runnable' st \<Longrightarrow> \<lbrace> Invariants_H.valid_queues \<rbrace> setThreadState st t \<lbrace>\<lambda>_. Invariants_H.valid_queues \<rbrace>"
by (wp sts_valid_queues, clarsimp)
lemma ct_in_state_activatable_imp_simple'[simp]:
"ct_in_state' activatable' s \<Longrightarrow> ct_in_state' simple' s"
apply (simp add: ct_in_state'_def)
2015-09-02 05:43:39 +00:00
apply (erule pred_tcb'_weakenE)
2015-05-12 15:17:31 +00:00
apply (case_tac st; simp)
2014-07-14 19:32:44 +00:00
done
2015-09-02 05:43:39 +00:00
lemma setThreadState_nonqueued_state_update:
"\<lbrace>\<lambda>s. invs' s \<and> st_tcb_at' simple' t s
\<and> st \<in> {Inactive, Running, Restart, IdleThreadState}
\<and> (st \<noteq> Inactive \<longrightarrow> ex_nonz_cap_to' t s)
\<and> (t = ksIdleThread s \<longrightarrow> idle' st)
\<and> (\<not> runnable' st \<longrightarrow> sch_act_simple s)
\<and> (\<not> runnable' st \<longrightarrow> (\<forall>p. t \<notin> set (ksReadyQueues s p)))\<rbrace>
setThreadState st t \<lbrace>\<lambda>rv. invs'\<rbrace>"
apply (simp add: invs'_def valid_state'_def)
apply (rule hoare_pre, wp valid_irq_node_lift
sts_valid_queues
setThreadState_ct_not_inQ)
apply (clarsimp simp: pred_tcb_at')
apply (rule conjI, fastforce simp: valid_tcb_state'_def)
apply (drule simple_st_tcb_at_state_refs_ofD')
apply (drule bound_tcb_at_state_refs_ofD')
apply (rule conjI, fastforce)
apply clarsimp
apply (erule delta_sym_refs)
2016-10-25 06:01:30 +00:00
apply (fastforce split: if_split_asm)
2015-09-02 05:43:39 +00:00
apply (fastforce simp: symreftype_inverse' tcb_bound_refs'_def
2016-10-25 06:01:30 +00:00
split: if_split_asm)
2015-09-02 05:43:39 +00:00
done
lemma cteDeleteOne_reply_cap_to'[wp]:
"\<lbrace>ex_nonz_cap_to' p and
cte_wp_at' (\<lambda>c. isReplyCap (cteCap c)) slot\<rbrace>
cteDeleteOne slot
\<lbrace>\<lambda>rv. ex_nonz_cap_to' p\<rbrace>"
apply (simp add: cteDeleteOne_def ex_nonz_cap_to'_def unless_def)
apply (rule hoare_seq_ext [OF _ getCTE_sp])
apply (rule hoare_assume_pre)
apply (subgoal_tac "isReplyCap (cteCap cte)")
apply (wp hoare_vcg_ex_lift emptySlot_cte_wp_cap_other isFinalCapability_inv
2018-02-26 01:58:43 +00:00
| clarsimp simp: finaliseCap_def isCap_simps | simp
2019-05-06 06:34:44 +00:00
| wp (once) hoare_drop_imps)+
2015-09-02 05:43:39 +00:00
apply (fastforce simp: cte_wp_at_ctes_of)
apply (clarsimp simp: cte_wp_at_ctes_of isCap_simps)
done
2015-09-10 07:06:45 +00:00
2017-11-24 11:30:55 +00:00
crunch vms'[wp]: setupCallerCap, possibleSwitchTo, asUser,
2014-07-14 19:32:44 +00:00
doIPCTransfer "valid_machine_state'"
(wp: crunch_wps simp: zipWithM_x_mapM_x)
2015-11-02 00:00:32 +00:00
crunch nonz_cap_to'[wp]: cancelSignal "ex_nonz_cap_to' p"
2015-09-02 05:43:39 +00:00
(wp: crunch_wps simp: crunch_simps)
2015-11-02 00:00:32 +00:00
lemma cancelIPC_nonz_cap_to'[wp]:
"\<lbrace>ex_nonz_cap_to' p\<rbrace> cancelIPC t \<lbrace>\<lambda>rv. ex_nonz_cap_to' p\<rbrace>"
apply (simp add: cancelIPC_def getThreadReplySlot_def Let_def
2015-09-02 05:43:39 +00:00
capHasProperty_def)
apply (wp threadSet_cap_to'
| wpc
| simp
| clarsimp elim!: cte_wp_at_weakenE'
| rule hoare_post_imp[where Q="\<lambda>rv. ex_nonz_cap_to' p"])+
done
crunch nosch[wp]: activateIdleThread "\<lambda>s. P (ksSchedulerAction s)"
(ignore: setNextPC)
crunch nosch[wp]: getThreadReplySlot "\<lambda>s. P (ksSchedulerAction s)"
crunch nosch[wp]: isFinalCapability "\<lambda>s. P (ksSchedulerAction s)"
(simp: Let_def)
2014-07-14 19:32:44 +00:00
crunch pspace_domain_valid[wp]:
2017-11-24 11:30:55 +00:00
setupCallerCap, asUser, setMRs, doIPCTransfer, possibleSwitchTo
2014-07-14 19:32:44 +00:00
"pspace_domain_valid"
(wp: crunch_wps simp: zipWithM_x_mapM_x)
2017-11-24 11:30:55 +00:00
crunch ksDomScheduleIdx[wp]: setupCallerCap, doIPCTransfer, possibleSwitchTo "\<lambda>s. P (ksDomScheduleIdx s)"
2014-07-14 19:32:44 +00:00
(wp: crunch_wps simp: zipWithM_x_mapM)
2015-09-02 05:43:39 +00:00
lemma setThreadState_not_rct[wp]:
"\<lbrace>\<lambda>s. ksSchedulerAction s \<noteq> ResumeCurrentThread \<rbrace>
setThreadState st t
\<lbrace>\<lambda>_ s. ksSchedulerAction s \<noteq> ResumeCurrentThread \<rbrace>"
apply (simp add: setThreadState_def)
apply (wp)
2017-01-13 12:58:40 +00:00
apply (rule hoare_post_imp [OF _ rescheduleRequired_notresume], simp)
apply (simp)
apply (wp)+
apply simp
2015-09-02 05:43:39 +00:00
done
2015-11-02 00:00:32 +00:00
lemma cancelAllIPC_not_rct[wp]:
2015-09-02 05:43:39 +00:00
"\<lbrace>\<lambda>s. ksSchedulerAction s \<noteq> ResumeCurrentThread \<rbrace>
2015-11-02 00:00:32 +00:00
cancelAllIPC epptr
2015-09-02 05:43:39 +00:00
\<lbrace>\<lambda>_ s. ksSchedulerAction s \<noteq> ResumeCurrentThread \<rbrace>"
2015-11-02 00:00:32 +00:00
apply (simp add: cancelAllIPC_def)
2015-09-02 05:43:39 +00:00
apply (wp | wpc)+
apply (rule hoare_post_imp [OF _ rescheduleRequired_notresume], simp)
2017-01-13 12:58:40 +00:00
apply simp
2015-09-02 05:43:39 +00:00
apply (rule mapM_x_wp_inv)
2017-01-13 12:58:40 +00:00
apply (wp)+
2015-09-02 05:43:39 +00:00
apply (rule hoare_post_imp [OF _ rescheduleRequired_notresume], simp)
2017-01-13 12:58:40 +00:00
apply simp
2015-09-02 05:43:39 +00:00
apply (rule mapM_x_wp_inv)
2017-01-13 12:58:40 +00:00
apply (wp)+
2015-09-02 05:43:39 +00:00
apply (wp hoare_vcg_all_lift hoare_drop_imp)
apply (simp_all)
done
2015-11-02 00:00:32 +00:00
lemma cancelAllSignals_not_rct[wp]:
2015-09-02 05:43:39 +00:00
"\<lbrace>\<lambda>s. ksSchedulerAction s \<noteq> ResumeCurrentThread \<rbrace>
2015-11-02 00:00:32 +00:00
cancelAllSignals epptr
2015-09-02 05:43:39 +00:00
\<lbrace>\<lambda>_ s. ksSchedulerAction s \<noteq> ResumeCurrentThread \<rbrace>"
2015-11-02 00:00:32 +00:00
apply (simp add: cancelAllSignals_def)
2015-09-02 05:43:39 +00:00
apply (wp | wpc)+
apply (rule hoare_post_imp [OF _ rescheduleRequired_notresume], simp)
2017-01-13 12:58:40 +00:00
apply simp
2015-09-02 05:43:39 +00:00
apply (rule mapM_x_wp_inv)
2017-01-13 12:58:40 +00:00
apply (wp)+
2015-09-02 05:43:39 +00:00
apply (wp hoare_vcg_all_lift hoare_drop_imp)
apply (simp_all)
done
crunch not_rct[wp]: finaliseCapTrue_standin "\<lambda>s. ksSchedulerAction s \<noteq> ResumeCurrentThread"
(simp: Let_def)
declare setEndpoint_ct' [wp]
2015-11-02 00:00:32 +00:00
lemma cancelIPC_ResumeCurrentThread_imp_notct[wp]:
2015-09-02 05:43:39 +00:00
"\<lbrace>\<lambda>s. ksSchedulerAction s = ResumeCurrentThread \<longrightarrow> ksCurThread s \<noteq> t'\<rbrace>
2015-11-02 00:00:32 +00:00
cancelIPC t
2015-09-02 05:43:39 +00:00
\<lbrace>\<lambda>_ s. ksSchedulerAction s = ResumeCurrentThread \<longrightarrow> ksCurThread s \<noteq> t'\<rbrace>"
(is "\<lbrace>?PRE t'\<rbrace> _ \<lbrace>_\<rbrace>")
proof -
2015-11-02 00:00:32 +00:00
have aipc: "\<And>t t' ntfn.
2015-09-02 05:43:39 +00:00
\<lbrace>\<lambda>s. ksSchedulerAction s = ResumeCurrentThread \<longrightarrow> ksCurThread s \<noteq> t'\<rbrace>
2015-11-02 00:00:32 +00:00
cancelSignal t ntfn
2015-09-02 05:43:39 +00:00
\<lbrace>\<lambda>_ s. ksSchedulerAction s = ResumeCurrentThread \<longrightarrow> ksCurThread s \<noteq> t'\<rbrace>"
2015-11-02 00:00:32 +00:00
apply (simp add: cancelSignal_def)
2015-09-02 05:43:39 +00:00
apply (wp)[1]
2017-01-13 12:58:40 +00:00
apply (wp hoare_convert_imp)+
apply (rule_tac P="\<lambda>s. ksSchedulerAction s \<noteq> ResumeCurrentThread"
in hoare_weaken_pre)
apply (wpc)
apply (wp | simp)+
apply (wpc, wp+)
apply (rule_tac Q="\<lambda>_. ?PRE t'" in hoare_post_imp, clarsimp)
apply (wp)
apply simp
2015-09-02 05:43:39 +00:00
done
have cdo: "\<And>t t' slot.
\<lbrace>\<lambda>s. ksSchedulerAction s = ResumeCurrentThread \<longrightarrow> ksCurThread s \<noteq> t'\<rbrace>
cteDeleteOne slot
\<lbrace>\<lambda>_ s. ksSchedulerAction s = ResumeCurrentThread \<longrightarrow> ksCurThread s \<noteq> t'\<rbrace>"
apply (simp add: cteDeleteOne_def unless_def split_def)
apply (wp)
apply (wp hoare_convert_imp)[1]
apply (wp)
apply (rule_tac Q="\<lambda>_. ?PRE t'" in hoare_post_imp, clarsimp)
apply (wp hoare_convert_imp | simp)+
done
show ?thesis
2015-11-02 00:00:32 +00:00
apply (simp add: cancelIPC_def Let_def)
2015-09-02 05:43:39 +00:00
apply (wp, wpc)
2018-06-09 08:27:30 +00:00
prefer 4 \<comment> \<open>state = Running\<close>
2017-01-13 12:58:40 +00:00
apply wp
2018-06-09 08:27:30 +00:00
prefer 7 \<comment> \<open>state = Restart\<close>
2017-01-13 12:58:40 +00:00
apply wp
apply (wp)+
2015-09-02 05:43:39 +00:00
apply (wp hoare_convert_imp)[1]
2017-01-13 12:58:40 +00:00
apply (wpc, wp+)
2015-09-02 05:43:39 +00:00
apply (rule_tac Q="\<lambda>_. ?PRE t'" in hoare_post_imp, clarsimp)
2017-01-13 12:58:40 +00:00
apply (wp cdo)+
2015-09-02 05:43:39 +00:00
apply (rule_tac Q="\<lambda>_. ?PRE t'" in hoare_post_imp, clarsimp)
2017-01-13 12:58:40 +00:00
apply ((wp aipc hoare_convert_imp)+)[6]
apply (wp)
apply (wp hoare_convert_imp)[1]
apply (wpc, wp+)
apply (rule_tac Q="\<lambda>_. ?PRE t'" in hoare_post_imp, clarsimp)
apply (wp)
2015-09-02 05:43:39 +00:00
apply (rule_tac Q="\<lambda>_. ?PRE t'" in hoare_post_imp, clarsimp)
apply (wp)
2017-01-13 12:58:40 +00:00
apply simp
2015-09-02 05:43:39 +00:00
done
qed
2017-07-12 05:13:51 +00:00
crunch nosch[wp]: setMRs "\<lambda>s. P (ksSchedulerAction s)"
2016-08-23 12:31:49 +00:00
2014-07-14 19:32:44 +00:00
lemma sai_invs'[wp]:
2015-11-02 00:00:32 +00:00
"\<lbrace>invs' and ex_nonz_cap_to' ntfnptr\<rbrace>
sendSignal ntfnptr badge \<lbrace>\<lambda>y. invs'\<rbrace>"
unfolding sendSignal_def
2017-01-13 12:58:40 +00:00
including no_pre
2015-11-02 00:00:32 +00:00
apply (rule hoare_seq_ext[OF _ get_ntfn_sp'])
apply (case_tac "ntfnObj nTFN", simp_all)
2014-07-14 19:32:44 +00:00
prefer 3
2015-05-12 15:17:31 +00:00
apply (rename_tac list)
2014-07-14 19:32:44 +00:00
apply (case_tac list,
2016-10-25 06:01:30 +00:00
simp_all split del: if_split
2015-09-02 05:43:39 +00:00
add: setMessageInfo_def)[1]
2018-03-15 03:45:48 +00:00
apply (rule hoare_pre)
apply (wp hoare_convert_imp [OF asUser_nosch]
2018-03-14 00:48:48 +00:00
hoare_convert_imp [OF setMRs_sch_act])+
2015-05-16 09:52:49 +00:00
apply (clarsimp simp:conj_comms)
2014-07-14 19:32:44 +00:00
apply (simp add: invs'_def valid_state'_def)
2018-03-15 03:45:48 +00:00
apply ((wp valid_irq_node_lift sts_valid_objs' setThreadState_ct_not_inQ
2014-07-14 19:32:44 +00:00
sts_valid_queues [where st="Structures_H.thread_state.Running", simplified]
2015-11-02 00:00:32 +00:00
set_ntfn_valid_objs' cur_tcb_lift sts_st_tcb'
hoare_convert_imp [OF setNotification_nosch]
2018-03-15 03:45:48 +00:00
| simp split del: if_split)+)[3]
apply (intro conjI[rotated];
(solves \<open>clarsimp simp: invs'_def valid_state'_def valid_pspace'_def\<close>)?)
2016-05-30 13:12:39 +00:00
apply clarsimp
2018-03-15 03:45:48 +00:00
apply (clarsimp simp: invs'_def valid_state'_def split del: if_split)
apply (drule(1) ct_not_in_ntfnQueue, simp+)
apply clarsimp
apply (frule ko_at_valid_objs', clarsimp)
apply (simp add: projectKOs)
apply (clarsimp simp: valid_obj'_def valid_ntfn'_def
split: list.splits)
apply (clarsimp simp: invs'_def valid_state'_def)
apply (clarsimp simp: st_tcb_at_refs_of_rev' valid_idle'_def pred_tcb_at'_def
dest!: sym_refs_ko_atD' sym_refs_st_tcb_atD' sym_refs_obj_atD'
split: list.splits)
apply (clarsimp simp: invs'_def valid_state'_def valid_pspace'_def)
apply (frule(1) ko_at_valid_objs')
2014-07-14 19:32:44 +00:00
apply (simp add: projectKOs)
2018-03-15 03:45:48 +00:00
apply (clarsimp simp: valid_obj'_def valid_ntfn'_def
split: list.splits option.splits)
apply (clarsimp elim!: if_live_then_nonz_capE' simp:invs'_def valid_state'_def)
apply (drule(1) sym_refs_ko_atD')
apply (clarsimp elim!: ko_wp_at'_weakenE
intro!: refs_of_live')
apply (clarsimp split del: if_split)+
apply (frule ko_at_valid_objs', clarsimp)
apply (simp add: projectKOs)
apply (clarsimp simp: valid_obj'_def valid_ntfn'_def split del: if_split)
apply (frule invs_sym')
apply (drule(1) sym_refs_obj_atD')
apply (clarsimp split del: if_split cong: if_cong
simp: st_tcb_at_refs_of_rev' ep_redux_simps' ntfn_bound_refs'_def)
apply (frule st_tcb_at_state_refs_ofD')
apply (erule delta_sym_refs)
2019-05-07 05:53:41 +00:00
apply (fastforce simp: split: if_split_asm)
2018-03-15 03:45:48 +00:00
apply (fastforce simp: tcb_bound_refs'_def set_eq_subset symreftype_inverse'
split: if_split_asm)
2014-07-14 19:32:44 +00:00
apply (clarsimp simp:invs'_def)
apply (frule ko_at_valid_objs')
apply (clarsimp simp: valid_pspace'_def valid_state'_def)
apply (simp add: projectKOs)
2016-10-25 06:01:30 +00:00
apply (clarsimp simp: valid_obj'_def valid_ntfn'_def split del: if_split)
2014-07-14 19:32:44 +00:00
apply (clarsimp simp:invs'_def valid_state'_def valid_pspace'_def)
apply (frule(1) ko_at_valid_objs')
2015-09-02 05:43:39 +00:00
apply (simp add: projectKOs)
2015-11-02 00:00:32 +00:00
apply (clarsimp simp: valid_obj'_def valid_ntfn'_def
2015-09-02 05:43:39 +00:00
split: list.splits option.splits)
2015-11-02 00:00:32 +00:00
apply (case_tac "ntfnBoundTCB nTFN", simp_all)
apply (wp set_ntfn_minor_invs')
apply (fastforce simp: valid_ntfn'_def invs'_def valid_state'_def
2015-09-02 05:43:39 +00:00
elim!: obj_at'_weakenE
dest!: global'_no_ex_cap)
apply (wp add: hoare_convert_imp [OF asUser_nosch]
2018-03-14 00:48:48 +00:00
hoare_convert_imp [OF setMRs_sch_act]
2015-09-02 05:43:39 +00:00
setThreadState_nonqueued_state_update sts_st_tcb'
2015-11-02 00:00:32 +00:00
del: cancelIPC_simple)
apply (clarsimp | wp cancelIPC_ct')+
apply (wp set_ntfn_minor_invs' gts_wp' | clarsimp)+
2015-09-02 05:43:39 +00:00
apply (frule pred_tcb_at')
2016-04-17 20:40:00 +00:00
by (wp set_ntfn_minor_invs'
2015-09-02 05:43:39 +00:00
| rule conjI
| clarsimp elim!: st_tcb_ex_cap''
| fastforce simp: invs'_def valid_state'_def receiveBlocked_def projectKOs
2015-11-02 00:00:32 +00:00
valid_obj'_def valid_ntfn'_def
2015-09-02 05:43:39 +00:00
split: thread_state.splits
dest!: global'_no_ex_cap st_tcb_ex_cap'' ko_at_valid_objs'
| fastforce simp: receiveBlocked_def projectKOs pred_tcb_at'_def obj_at'_def
dest!: invs_rct_ct_activatable'
split: thread_state.splits)+
2014-07-14 19:32:44 +00:00
lemma rfk_corres:
"corres dc (tcb_at t and invs) (tcb_at' t and invs')
(reply_from_kernel t r) (replyFromKernel t r)"
apply (case_tac r)
apply (clarsimp simp: replyFromKernel_def reply_from_kernel_def
badge_register_def badgeRegister_def)
apply (rule corres_guard_imp)
apply (rule corres_split_eqr [OF _ lipcb_corres])
apply (rule corres_split [OF _ user_setreg_corres])
apply (rule corres_split_eqr [OF _ set_mrs_corres])
apply (rule set_mi_corres)
2014-08-09 05:16:17 +00:00
apply (wp hoare_case_option_wp hoare_valid_ipc_buffer_ptr_typ_at'
2014-07-14 19:32:44 +00:00
| clarsimp)+
done
2017-07-12 05:13:51 +00:00
lemma rfk_invs':
2014-07-14 19:32:44 +00:00
"\<lbrace>invs' and tcb_at' t\<rbrace> replyFromKernel t r \<lbrace>\<lambda>rv. invs'\<rbrace>"
apply (simp add: replyFromKernel_def)
apply (cases r)
2019-05-07 05:53:41 +00:00
apply wpsimp
2014-07-14 19:32:44 +00:00
done
crunch nosch[wp]: replyFromKernel "\<lambda>s. P (ksSchedulerAction s)"
2015-11-02 00:00:32 +00:00
lemma complete_signal_corres:
2019-05-28 08:24:48 +00:00
"corres dc (ntfn_at ntfnptr and tcb_at tcb and pspace_aligned and valid_objs
\<comment> \<open>and obj_at (\<lambda>ko. ko = Notification ntfn \<and> Ipc_A.isActive ntfn) ntfnptr*\<close> )
2015-11-02 00:00:32 +00:00
(ntfn_at' ntfnptr and tcb_at' tcb and valid_pspace' and obj_at' isActive ntfnptr)
(complete_signal ntfnptr tcb) (completeSignal ntfnptr tcb)"
apply (simp add: complete_signal_def completeSignal_def)
2015-09-02 05:43:39 +00:00
apply (rule corres_guard_imp)
2015-11-02 00:00:32 +00:00
apply (rule_tac R'="\<lambda>ntfn. ntfn_at' ntfnptr and tcb_at' tcb and valid_pspace'
and valid_ntfn' ntfn and (\<lambda>_. isActive ntfn)"
in corres_split [OF _ get_ntfn_corres])
2015-09-02 05:43:39 +00:00
apply (rule corres_gen_asm2)
2015-11-02 00:00:32 +00:00
apply (case_tac "ntfn_obj rv")
apply (clarsimp simp: ntfn_relation_def isActive_def
split: ntfn.splits Structures_H.notification.splits)+
2015-09-02 05:43:39 +00:00
apply (rule corres_guard2_imp)
apply (simp add: badgeRegister_def badge_register_def)
2015-11-02 00:00:32 +00:00
apply (rule corres_split[OF set_ntfn_corres user_setreg_corres])
apply (clarsimp simp: ntfn_relation_def)
2017-11-27 04:59:58 +00:00
apply (wp set_simple_ko_valid_objs get_simple_ko_wp getNotification_wp | clarsimp simp: valid_ntfn'_def)+
2015-09-02 05:43:39 +00:00
apply (clarsimp simp: valid_pspace'_def)
2015-11-02 00:00:32 +00:00
apply (frule_tac P="(\<lambda>k. k = ntfn)" in obj_at_valid_objs', assumption)
apply (clarsimp simp: projectKOs valid_obj'_def valid_ntfn'_def obj_at'_def)
2015-09-02 05:43:39 +00:00
done
2015-10-21 02:34:22 +00:00
2015-11-10 15:25:02 +00:00
lemma do_nbrecv_failed_transfer_corres:
2015-10-21 02:34:22 +00:00
"corres dc (tcb_at thread)
(tcb_at' thread)
2015-11-10 15:25:02 +00:00
(do_nbrecv_failed_transfer thread)
(doNBRecvFailedTransfer thread)"
unfolding do_nbrecv_failed_transfer_def doNBRecvFailedTransfer_def
2015-10-21 02:34:22 +00:00
by (simp add: badgeRegister_def badge_register_def, rule user_setreg_corres)
2017-07-12 05:13:51 +00:00
2014-07-14 19:32:44 +00:00
lemma receive_ipc_corres:
assumes "is_ep_cap cap" and "cap_relation cap cap'"
shows "
corres dc (einvs and valid_sched and tcb_at thread and valid_cap cap and ex_nonz_cap_to thread
and cte_wp_at (\<lambda>c. c = cap.NullCap) (thread, tcb_cnode_index 3))
(invs' and tcb_at' thread and valid_cap' cap')
2015-10-21 02:34:22 +00:00
(receive_ipc thread cap isBlocking) (receiveIPC thread cap' isBlocking)"
2014-07-14 19:32:44 +00:00
apply (insert assms)
apply (simp add: receive_ipc_def receiveIPC_def
2016-10-25 06:01:30 +00:00
split del: if_split)
2014-07-14 19:32:44 +00:00
apply (case_tac cap, simp_all add: isEndpointCap_def)
2015-05-12 15:17:31 +00:00
apply (rename_tac word1 word2 right)
2014-07-14 19:32:44 +00:00
apply clarsimp
apply (rule corres_guard_imp)
2015-09-02 05:43:39 +00:00
apply (rule corres_split [OF _ get_ep_corres])
apply (rule corres_guard_imp)
2015-11-02 00:00:32 +00:00
apply (rule corres_split [OF _ gbn_corres])
apply (rule_tac r'="ntfn_relation" in corres_split)
2015-09-02 05:43:39 +00:00
apply (rule corres_if)
2015-11-02 00:00:32 +00:00
apply (clarsimp simp: ntfn_relation_def Ipc_A.isActive_def Endpoint_H.isActive_def
split: Structures_A.ntfn.splits Structures_H.notification.splits)
2015-09-02 05:43:39 +00:00
apply clarsimp
2015-11-02 00:00:32 +00:00
apply (rule complete_signal_corres)
2017-07-12 05:13:51 +00:00
apply (rule_tac P="einvs and valid_sched and tcb_at thread and
ep_at word1 and valid_ep ep and
2015-09-02 05:43:39 +00:00
obj_at (\<lambda>k. k = Endpoint ep) word1
and cte_wp_at (\<lambda>c. c = cap.NullCap) (thread, tcb_cnode_index 3)
2017-07-12 05:13:51 +00:00
and ex_nonz_cap_to thread" and
P'="invs' and tcb_at' thread and ep_at' word1 and
valid_ep' epa"
2015-09-02 05:43:39 +00:00
in corres_inst)
apply (case_tac ep)
2018-06-09 08:27:30 +00:00
\<comment> \<open>IdleEP\<close>
2015-09-02 05:43:39 +00:00
apply (simp add: ep_relation_def)
apply (rule corres_guard_imp)
2015-10-21 02:34:22 +00:00
apply (case_tac isBlocking; simp)
apply (rule corres_split [OF _ sts_corres])
apply (rule set_ep_corres)
apply (simp add: ep_relation_def)
apply simp
2017-01-13 12:58:40 +00:00
apply wp+
2015-11-10 15:25:02 +00:00
apply (rule corres_guard_imp, rule do_nbrecv_failed_transfer_corres, simp)
2015-10-21 02:34:22 +00:00
apply simp
apply (clarsimp simp add: invs_def valid_state_def valid_pspace_def
valid_tcb_state_def st_tcb_at_tcb_at)
apply auto[1]
2018-06-09 08:27:30 +00:00
\<comment> \<open>SendEP\<close>
2014-07-14 19:32:44 +00:00
apply (simp add: ep_relation_def)
2015-05-12 15:17:31 +00:00
apply (rename_tac list)
2014-07-14 19:32:44 +00:00
apply (rule_tac F="list \<noteq> []" in corres_req)
apply (clarsimp simp: valid_ep_def)
2016-10-25 06:01:30 +00:00
apply (case_tac list, simp_all split del: if_split)[1]
2014-07-14 19:32:44 +00:00
apply (rule corres_guard_imp)
apply (rule corres_split [OF _ set_ep_corres])
apply (rule corres_split [OF _ gts_corres])
2017-07-12 05:13:51 +00:00
apply (rule_tac
2014-07-14 19:32:44 +00:00
F="\<exists>data.
2017-07-12 05:13:51 +00:00
sender_state =
2014-07-14 19:32:44 +00:00
Structures_A.thread_state.BlockedOnSend word1 data"
in corres_gen_asm)
2014-08-11 08:51:04 +00:00
apply (clarsimp simp: isSend_def case_bool_If
2014-08-09 05:16:17 +00:00
case_option_If if3_fold
2016-10-25 06:01:30 +00:00
split del: if_split cong: if_cong)
2014-07-14 19:32:44 +00:00
apply (rule corres_split [OF _ dit_corres])
2016-10-25 06:01:30 +00:00
apply (simp split del: if_split cong: if_cong)
2014-07-14 19:32:44 +00:00
apply (fold dc_def)[1]
apply (rule_tac P="valid_objs and valid_mdb and valid_list
and valid_sched
and cur_tcb
and valid_reply_caps
and pspace_aligned and pspace_distinct
and st_tcb_at (Not \<circ> awaiting_reply) a
and st_tcb_at (Not \<circ> halted) a
and tcb_at thread and valid_reply_masters
and cte_wp_at (\<lambda>c. c = cap.NullCap)
(thread, tcb_cnode_index 3)"
and P'="tcb_at' a and tcb_at' thread and cur_tcb'
and Invariants_H.valid_queues
and valid_queues'
and valid_pspace'
and valid_objs'
and (\<lambda>s. weak_sch_act_wf (ksSchedulerAction s) s)"
in corres_guard_imp [OF corres_if])
2014-08-09 05:16:17 +00:00
apply (simp add: fault_rel_optionation_def)
2014-07-14 19:32:44 +00:00
apply (rule corres_if2 [OF _ setup_caller_corres sts_corres])
2015-09-02 05:43:39 +00:00
apply simp
apply simp
apply (rule corres_split [OF _ sts_corres])
2017-11-24 11:30:55 +00:00
apply (rule possibleSwitchTo_corres)
2015-09-02 05:43:39 +00:00
apply simp
apply (wp sts_st_tcb_at' set_thread_state_runnable_weak_valid_sched_action
| simp)+
apply (wp sts_st_tcb_at'_cases sts_valid_queues setThreadState_valid_queues'
setThreadState_st_tcb
| simp)+
apply (clarsimp simp: st_tcb_at_tcb_at st_tcb_def2 valid_sched_def
valid_sched_action_def)
2016-10-25 06:01:30 +00:00
apply (clarsimp split: if_split_asm)
2015-09-02 05:43:39 +00:00
apply (clarsimp | wp do_ipc_transfer_tcb_caps)+
apply (rule_tac Q="\<lambda>_ s. sch_act_wf (ksSchedulerAction s) s"
in hoare_post_imp, erule sch_act_wf_weak)
2014-07-14 19:32:44 +00:00
apply (wp sts_st_tcb' gts_st_tcb_at | simp)+
2015-09-02 05:43:39 +00:00
apply (case_tac lista, simp_all add: ep_relation_def)[1]
apply (simp cong: list.case_cong)
apply wp
apply simp
2014-07-14 19:32:44 +00:00
apply (wp weak_sch_act_wf_lift_linear setEndpoint_valid_mdb' set_ep_valid_objs')
2015-09-02 05:43:39 +00:00
apply (clarsimp split: list.split)
apply (clarsimp simp add: invs_def valid_state_def st_tcb_at_tcb_at)
apply (clarsimp simp add: valid_ep_def valid_pspace_def)
2015-09-10 07:06:45 +00:00
apply (drule(1) sym_refs_obj_atD[where P="\<lambda>ko. ko = Endpoint e" for e])
2015-09-02 05:43:39 +00:00
apply (fastforce simp: st_tcb_at_refs_of_rev elim: st_tcb_weakenE)
apply (auto simp: valid_ep'_def invs'_def valid_state'_def split: list.split)[1]
2018-06-09 08:27:30 +00:00
\<comment> \<open>RecvEP\<close>
2015-09-02 05:43:39 +00:00
apply (simp add: ep_relation_def)
apply (rule_tac corres_guard_imp)
2015-10-21 02:34:22 +00:00
apply (case_tac isBlocking; simp)
apply (rule corres_split [OF _ sts_corres])
apply (rule set_ep_corres)
apply (simp add: ep_relation_def)
apply simp
2017-01-13 12:58:40 +00:00
apply wp+
2015-11-10 15:25:02 +00:00
apply (rule corres_guard_imp, rule do_nbrecv_failed_transfer_corres, simp)
2015-10-21 02:34:22 +00:00
apply simp
2015-09-02 05:43:39 +00:00
apply (clarsimp simp: valid_tcb_state_def)
apply (clarsimp simp add: valid_tcb_state'_def)
apply (rule corres_option_split[rotated 2])
2015-11-02 00:00:32 +00:00
apply (rule get_ntfn_corres)
2015-09-02 05:43:39 +00:00
apply clarsimp
2015-11-02 00:00:32 +00:00
apply (rule corres_trivial, simp add: ntfn_relation_def default_notification_def
default_ntfn_def)
2017-11-27 04:59:58 +00:00
apply (wp get_simple_ko_wp[where f=Notification] getNotification_wp gbn_wp gbn_wp'
hoare_vcg_all_lift hoare_vcg_imp_lift hoare_vcg_if_lift
| wpc | simp add: ep_at_def2[symmetric, simplified] | clarsimp)+
2015-09-02 05:43:39 +00:00
apply (clarsimp simp: valid_cap_def invs_psp_aligned invs_valid_objs pred_tcb_at_def
2015-11-02 00:00:32 +00:00
valid_obj_def valid_tcb_def valid_bound_ntfn_def
2015-09-02 05:43:39 +00:00
dest!: invs_valid_objs
elim!: obj_at_valid_objsE
split: option.splits)
apply (auto simp: valid_cap'_def invs_valid_pspace' valid_obj'_def valid_tcb'_def
2015-11-02 00:00:32 +00:00
valid_bound_ntfn'_def obj_at'_def projectKOs pred_tcb_at'_def
2015-09-02 05:43:39 +00:00
dest!: invs_valid_objs' obj_at_valid_objs'
split: option.splits)
2014-07-14 19:32:44 +00:00
done
2015-11-02 00:00:32 +00:00
lemma receive_signal_corres:
"\<lbrakk> is_ntfn_cap cap; cap_relation cap cap' \<rbrakk> \<Longrightarrow>
2014-07-14 19:32:44 +00:00
corres dc (invs and st_tcb_at active thread and valid_cap cap and ex_nonz_cap_to thread)
(invs' and tcb_at' thread and valid_cap' cap')
2015-11-02 00:00:32 +00:00
(receive_signal thread cap isBlocking) (receiveSignal thread cap' isBlocking)"
apply (simp add: receive_signal_def receiveSignal_def)
2014-07-14 19:32:44 +00:00
apply (case_tac cap, simp_all add: isEndpointCap_def)
2015-05-12 15:17:31 +00:00
apply (rename_tac word1 word2 rights)
2014-07-14 19:32:44 +00:00
apply (rule corres_guard_imp)
2015-10-16 00:01:54 +00:00
apply (rule_tac R="\<lambda>rv. invs and tcb_at thread and st_tcb_at active thread and
2015-11-02 00:00:32 +00:00
ntfn_at word1 and ex_nonz_cap_to thread and
valid_ntfn rv and
obj_at (\<lambda>k. k = Notification rv) word1" and
R'="\<lambda>rv'. invs' and tcb_at' thread and ntfn_at' word1 and
valid_ntfn' rv'"
in corres_split [OF _ get_ntfn_corres])
2014-07-14 19:32:44 +00:00
apply clarsimp
2015-11-02 00:00:32 +00:00
apply (case_tac "ntfn_obj rv")
2018-06-09 08:27:30 +00:00
\<comment> \<open>IdleNtfn\<close>
2015-11-02 00:00:32 +00:00
apply (simp add: ntfn_relation_def)
2014-07-14 19:32:44 +00:00
apply (rule corres_guard_imp)
2015-10-16 00:01:54 +00:00
apply (case_tac isBlocking; simp)
apply (rule corres_split [OF _ sts_corres])
2015-11-02 00:00:32 +00:00
apply (rule set_ntfn_corres)
apply (simp add: ntfn_relation_def)
2015-10-16 00:01:54 +00:00
apply simp
2017-01-13 12:58:40 +00:00
apply wp+
2015-11-10 15:25:02 +00:00
apply (rule corres_guard_imp, rule do_nbrecv_failed_transfer_corres, simp+)
2018-06-09 08:27:30 +00:00
\<comment> \<open>WaitingNtfn\<close>
2015-11-02 00:00:32 +00:00
apply (simp add: ntfn_relation_def)
2015-10-16 00:01:54 +00:00
apply (rule corres_guard_imp)
apply (case_tac isBlocking; simp)
apply (rule corres_split[OF _ sts_corres])
2015-11-02 00:00:32 +00:00
apply (rule set_ntfn_corres)
apply (simp add: ntfn_relation_def)
2014-07-14 19:32:44 +00:00
apply simp
2017-01-13 12:58:40 +00:00
apply wp+
2015-10-16 00:01:54 +00:00
apply (rule corres_guard_imp)
2015-11-10 15:25:02 +00:00
apply (rule do_nbrecv_failed_transfer_corres, simp+)
2018-06-09 08:27:30 +00:00
\<comment> \<open>ActiveNtfn\<close>
2015-11-02 00:00:32 +00:00
apply (simp add: ntfn_relation_def)
2014-07-14 19:32:44 +00:00
apply (rule corres_guard_imp)
2015-09-02 05:43:39 +00:00
apply (simp add: badgeRegister_def badge_register_def)
apply (rule corres_split [OF _ user_setreg_corres])
2015-11-02 00:00:32 +00:00
apply (rule set_ntfn_corres)
apply (simp add: ntfn_relation_def)
2017-01-13 12:58:40 +00:00
apply wp+
2014-07-14 19:32:44 +00:00
apply (fastforce simp: invs_def valid_state_def valid_pspace_def
2015-10-16 00:01:54 +00:00
elim!: st_tcb_weakenE)
2014-07-14 19:32:44 +00:00
apply (clarsimp simp: invs'_def valid_state'_def valid_pspace'_def)
2017-01-13 12:58:40 +00:00
apply wp+
2017-11-27 04:59:58 +00:00
apply (clarsimp simp add: ntfn_at_def2 valid_cap_def st_tcb_at_tcb_at)
2014-07-14 19:32:44 +00:00
apply (clarsimp simp add: valid_cap'_def)
done
lemma tg_sp':
"\<lbrace>P\<rbrace> threadGet f p \<lbrace>\<lambda>t. obj_at' (\<lambda>t'. f t' = t) p and P\<rbrace>"
2017-01-13 12:58:40 +00:00
including no_pre
2014-07-14 19:32:44 +00:00
apply (simp add: threadGet_def)
apply wp
apply (rule hoare_strengthen_post)
apply (rule getObject_tcb_sp)
apply clarsimp
apply (erule obj_at'_weakenE)
apply simp
done
declare lookup_cap_valid' [wp]
2017-07-12 05:13:51 +00:00
2014-07-14 19:32:44 +00:00
lemma send_fault_ipc_corres:
"valid_fault f \<Longrightarrow> fr f f' \<Longrightarrow>
2017-07-12 05:13:51 +00:00
corres (fr \<oplus> dc)
2014-07-14 19:32:44 +00:00
(einvs and st_tcb_at active thread and ex_nonz_cap_to thread)
(invs' and sch_act_not thread and tcb_at' thread)
(send_fault_ipc thread f) (sendFaultIPC thread f')"
apply (simp add: send_fault_ipc_def sendFaultIPC_def
liftE_bindE Let_def)
apply (rule corres_guard_imp)
apply (rule corres_split [where r'="\<lambda>fh fh'. fh = to_bl fh'"])
apply simp
apply (rule corres_splitEE)
prefer 2
apply (rule corres_cap_fault)
apply (rule lookup_cap_corres, rule refl)
apply (rule_tac P="einvs and st_tcb_at active thread
2017-07-12 05:13:51 +00:00
and valid_cap handler_cap and ex_nonz_cap_to thread"
2014-07-14 19:32:44 +00:00
and P'="invs' and tcb_at' thread and sch_act_not thread
2017-07-12 05:13:51 +00:00
and valid_cap' handlerCap"
2014-07-14 19:32:44 +00:00
in corres_inst)
apply (case_tac handler_cap,
simp_all add: isCap_defs lookup_failure_map_def
2014-08-11 08:51:04 +00:00
case_bool_If If_rearrage
2016-10-25 06:01:30 +00:00
split del: if_split cong: if_cong)[1]
2014-07-14 19:32:44 +00:00
apply (rule corres_guard_imp)
apply (rule corres_if2 [OF refl])
apply (simp add: dc_def[symmetric])
apply (rule corres_split [OF send_ipc_corres threadset_corres], simp_all)[1]
2014-08-09 05:16:17 +00:00
apply (simp add: tcb_relation_def fault_rel_optionation_def exst_same_def)+
2014-07-14 19:32:44 +00:00
apply (wp thread_set_invs_trivial thread_set_no_change_tcb_state
thread_set_typ_at ep_at_typ_at ex_nonz_cap_to_pres
thread_set_cte_wp_at_trivial thread_set_not_state_valid_sched
| simp add: tcb_cap_cases_def)+
apply ((wp threadSet_invs_trivial threadSet_tcb'
| simp add: tcb_cte_cases_def
2019-05-06 06:34:44 +00:00
| wp (once) sch_act_sane_lift)+)[1]
2014-07-14 19:32:44 +00:00
apply (rule corres_trivial, simp add: lookup_failure_map_def)
2016-10-25 06:01:30 +00:00
apply (clarsimp simp: st_tcb_at_tcb_at split: if_split)
2014-07-14 19:32:44 +00:00
apply (simp add: valid_cap_def)
apply (clarsimp simp: valid_cap'_def inQ_def)
apply auto[1]
apply (clarsimp simp: lookup_failure_map_def)
2017-01-13 12:58:40 +00:00
apply wp+
2014-07-14 19:32:44 +00:00
apply (rule threadget_corres)
apply (simp add: tcb_relation_def)
2017-01-13 12:58:40 +00:00
apply wp+
2014-07-14 19:32:44 +00:00
apply (fastforce elim: st_tcb_at_tcb_at)
apply fastforce
done
lemma gets_the_noop_corres:
assumes P: "\<And>s. P s \<Longrightarrow> f s \<noteq> None"
shows "corres dc P P' (gets_the f) (return x)"
apply (clarsimp simp: corres_underlying_def gets_the_def
return_def gets_def bind_def get_def)
apply (clarsimp simp: assert_opt_def return_def dest!: P)
done
lemma hdf_corres:
"corres dc (tcb_at thread)
(tcb_at' thread and (\<lambda>s. weak_sch_act_wf (ksSchedulerAction s) s))
2017-07-12 05:13:51 +00:00
(handle_double_fault thread f ft)
2014-07-14 19:32:44 +00:00
(handleDoubleFault thread f' ft')"
apply (simp add: handle_double_fault_def handleDoubleFault_def)
apply (rule corres_guard_imp)
apply (subst bind_return [symmetric],
rule corres_split' [OF sts_corres])
apply simp
apply (rule corres_noop2)
apply (simp add: exs_valid_def return_def)
apply (rule hoare_eq_P)
apply wp
apply (rule asUser_inv)
apply (rule getRestartPC_inv)
2017-01-13 12:58:40 +00:00
apply (wp no_fail_getRestartPC)+
2014-07-14 19:32:44 +00:00
apply (wp|simp)+
done
crunch tcb' [wp]: sendFaultIPC "tcb_at' t" (wp: crunch_wps)
crunch typ_at'[wp]: receiveIPC "\<lambda>s. P (typ_at' T p s)"
(wp: crunch_wps)
lemmas receiveIPC_typ_ats[wp] = typ_at_lifts [OF receiveIPC_typ_at']
2015-11-02 00:00:32 +00:00
crunch typ_at'[wp]: receiveSignal "\<lambda>s. P (typ_at' T p s)"
2014-07-14 19:32:44 +00:00
(wp: crunch_wps)
2015-11-02 00:00:32 +00:00
lemmas receiveAIPC_typ_ats[wp] = typ_at_lifts [OF receiveSignal_typ_at']
2014-07-14 19:32:44 +00:00
declare cart_singleton_empty[simp]
declare cart_singleton_empty2[simp]
crunch aligned'[wp]: setupCallerCap "pspace_aligned'"
(wp: crunch_wps)
crunch distinct'[wp]: setupCallerCap "pspace_distinct'"
(wp: crunch_wps)
crunch cur_tcb[wp]: setupCallerCap "cur_tcb'"
(wp: crunch_wps)
lemma setupCallerCap_state_refs_of[wp]:
2015-09-02 05:43:39 +00:00
"\<lbrace>\<lambda>s. P ((state_refs_of' s) (sender := {r \<in> state_refs_of' s sender. snd r = TCBBound}))\<rbrace>
2018-08-03 03:27:46 +00:00
setupCallerCap sender rcvr grant
2014-07-14 19:32:44 +00:00
\<lbrace>\<lambda>rv s. P (state_refs_of' s)\<rbrace>"
apply (simp add: setupCallerCap_def getThreadCallerSlot_def
getThreadReplySlot_def)
apply (wp hoare_drop_imps)
apply (simp add: fun_upd_def cong: if_cong)
done
crunch sch_act_wf: setupCallerCap
"\<lambda>s. sch_act_wf (ksSchedulerAction s) s"
2016-08-23 12:31:49 +00:00
(wp: crunch_wps ssa_sch_act sts_sch_act rule: sch_act_wf_lift ignore:setObject)
2014-07-14 19:32:44 +00:00
lemma setCTE_valid_queues[wp]:
"\<lbrace>Invariants_H.valid_queues\<rbrace> setCTE ptr val \<lbrace>\<lambda>rv. Invariants_H.valid_queues\<rbrace>"
2015-09-02 05:43:39 +00:00
by (wp valid_queues_lift setCTE_pred_tcb_at')
2014-07-14 19:32:44 +00:00
crunch vq[wp]: cteInsert "Invariants_H.valid_queues"
(wp: crunch_wps)
crunch vq[wp]: getThreadCallerSlot "Invariants_H.valid_queues"
(wp: crunch_wps)
crunch vq[wp]: getThreadReplySlot "Invariants_H.valid_queues"
(wp: crunch_wps)
lemma setupCallerCap_vq[wp]:
"\<lbrace>Invariants_H.valid_queues and (\<lambda>s. \<forall>p. send \<notin> set (ksReadyQueues s p))\<rbrace>
2018-08-03 03:27:46 +00:00
setupCallerCap send recv grant \<lbrace>\<lambda>_. Invariants_H.valid_queues\<rbrace>"
2014-07-14 19:32:44 +00:00
apply (simp add: setupCallerCap_def)
apply (wp crunch_wps sts_valid_queues)
apply (fastforce simp: valid_queues_def obj_at'_def inQ_def)
done
crunch vq'[wp]: setupCallerCap "valid_queues'"
(wp: crunch_wps)
lemma is_derived_ReplyCap' [simp]:
2018-08-03 03:27:46 +00:00
"\<And>m p g. is_derived' m p (capability.ReplyCap t False g) =
(\<lambda>c. \<exists> g. c = capability.ReplyCap t True g)"
2014-07-14 19:32:44 +00:00
apply (subst fun_eq_iff)
apply clarsimp
apply (case_tac x, simp_all add: is_derived'_def isCap_simps
badge_derived'_def
vsCapRef_def)
done
lemma unique_master_reply_cap':
2018-08-03 03:27:46 +00:00
"\<And>c t. isReplyCap c \<and> capReplyMaster c \<and> capTCBPtr c = t \<longleftrightarrow>
(\<exists>g . c = capability.ReplyCap t True g)"
2015-05-16 09:52:49 +00:00
by (fastforce simp: isCap_simps conj_comms)
2014-07-14 19:32:44 +00:00
lemma getSlotCap_cte_wp_at:
"\<lbrace>\<top>\<rbrace> getSlotCap sl \<lbrace>\<lambda>rv. cte_wp_at' (\<lambda>c. cteCap c = rv) sl\<rbrace>"
apply (simp add: getSlotCap_def)
2017-01-13 12:58:40 +00:00
apply (wp getCTE_wp)
apply (clarsimp simp: cte_wp_at_ctes_of)
2014-07-14 19:32:44 +00:00
done
crunch no_0_obj'[wp]: setThreadState no_0_obj'
lemma setupCallerCap_vp[wp]:
"\<lbrace>valid_pspace' and tcb_at' sender and tcb_at' rcvr\<rbrace>
2018-08-03 03:27:46 +00:00
setupCallerCap sender rcvr grant \<lbrace>\<lambda>rv. valid_pspace'\<rbrace>"
2014-07-14 19:32:44 +00:00
apply (simp add: valid_pspace'_def setupCallerCap_def getThreadCallerSlot_def
2015-12-01 22:06:06 +00:00
getThreadReplySlot_def locateSlot_conv getSlotCap_def)
2014-07-14 19:32:44 +00:00
apply (wp getCTE_wp)
apply (rule_tac Q="\<lambda>_. valid_pspace' and
tcb_at' sender and tcb_at' rcvr"
in hoare_post_imp)
apply (clarsimp simp: valid_cap'_def o_def cte_wp_at_ctes_of isCap_simps
valid_pspace'_def)
apply (frule(1) ctes_of_valid', simp add: valid_cap'_def capAligned_def)
apply clarsimp
apply (wp | simp add: valid_pspace'_def valid_tcb_state'_def)+
done
declare haskell_assert_inv[wp del]
lemma setupCallerCap_iflive[wp]:
"\<lbrace>if_live_then_nonz_cap' and ex_nonz_cap_to' sender\<rbrace>
2018-08-03 03:27:46 +00:00
setupCallerCap sender rcvr grant
2014-07-14 19:32:44 +00:00
\<lbrace>\<lambda>rv. if_live_then_nonz_cap'\<rbrace>"
unfolding setupCallerCap_def getThreadCallerSlot_def
2015-12-01 22:06:06 +00:00
getThreadReplySlot_def locateSlot_conv
2014-07-14 19:32:44 +00:00
by (wp getSlotCap_cte_wp_at
| simp add: unique_master_reply_cap'
2018-08-03 03:27:46 +00:00
| strengthen eq_imp_strg
2019-05-06 06:34:44 +00:00
| wp (once) hoare_drop_imp[where f="getCTE rs" for rs])+
2014-07-14 19:32:44 +00:00
lemma setupCallerCap_ifunsafe[wp]:
"\<lbrace>if_unsafe_then_cap' and valid_objs' and
ex_nonz_cap_to' rcvr and tcb_at' rcvr\<rbrace>
2018-08-03 03:27:46 +00:00
setupCallerCap sender rcvr grant
2014-07-14 19:32:44 +00:00
\<lbrace>\<lambda>rv. if_unsafe_then_cap'\<rbrace>"
unfolding setupCallerCap_def getThreadCallerSlot_def
2015-12-01 22:06:06 +00:00
getThreadReplySlot_def locateSlot_conv
2014-07-14 19:32:44 +00:00
apply (wp getSlotCap_cte_wp_at
2018-08-03 03:27:46 +00:00
| simp add: unique_master_reply_cap' | strengthen eq_imp_strg
2019-05-06 06:34:44 +00:00
| wp (once) hoare_drop_imp[where f="getCTE rs" for rs])+
2014-07-14 19:32:44 +00:00
apply (rule_tac Q="\<lambda>rv. valid_objs' and tcb_at' rcvr and ex_nonz_cap_to' rcvr"
in hoare_post_imp)
apply (clarsimp simp: ex_nonz_tcb_cte_caps' tcbCallerSlot_def
2015-12-01 22:06:06 +00:00
objBits_def objBitsKO_def dom_def cte_level_bits_def)
2014-07-14 19:32:44 +00:00
apply (wp sts_valid_objs' | simp)+
apply (clarsimp simp: valid_tcb_state'_def)+
done
lemma setupCallerCap_global_refs'[wp]:
"\<lbrace>valid_global_refs'\<rbrace>
2018-08-03 03:27:46 +00:00
setupCallerCap sender rcvr grant
\<lbrace>\<lambda>rv. valid_global_refs'\<rbrace>"
2014-07-14 19:32:44 +00:00
unfolding setupCallerCap_def getThreadCallerSlot_def
2015-12-01 22:06:06 +00:00
getThreadReplySlot_def locateSlot_conv
2018-08-03 03:27:46 +00:00
apply (wp getSlotCap_cte_wp_at
2014-07-14 19:32:44 +00:00
| simp add: o_def unique_master_reply_cap'
| strengthen eq_imp_strg
2019-05-06 06:34:44 +00:00
| wp (once) getCTE_wp | clarsimp simp: cte_wp_at_ctes_of)+
2018-08-03 03:27:46 +00:00
(* at setThreadState *)
apply (rule_tac Q="\<lambda>_. valid_global_refs'" in hoare_post_imp, wpsimp+)
done
2014-07-14 19:32:44 +00:00
crunch valid_arch'[wp]: setupCallerCap "valid_arch_state'"
(wp: hoare_drop_imps)
crunch typ'[wp]: setupCallerCap "\<lambda>s. P (typ_at' T p s)"
crunch irq_node'[wp]: setupCallerCap "\<lambda>s. P (irq_node' s)"
(wp: hoare_drop_imps)
lemma setupCallerCap_irq_handlers'[wp]:
"\<lbrace>valid_irq_handlers'\<rbrace>
2018-08-03 03:27:46 +00:00
setupCallerCap sender rcvr grant
2014-07-14 19:32:44 +00:00
\<lbrace>\<lambda>rv. valid_irq_handlers'\<rbrace>"
unfolding setupCallerCap_def getThreadCallerSlot_def
2015-12-01 22:06:06 +00:00
getThreadReplySlot_def locateSlot_conv
2014-07-14 19:32:44 +00:00
by (wp hoare_drop_imps | simp)+
lemma cteInsert_cap_to':
"\<lbrace>ex_nonz_cap_to' p and cte_wp_at' (\<lambda>c. cteCap c = NullCap) dest\<rbrace>
cteInsert cap src dest
\<lbrace>\<lambda>rv. ex_nonz_cap_to' p\<rbrace>"
apply (simp add: cteInsert_def ex_nonz_cap_to'_def
updateCap_def setUntypedCapAsFull_def
2016-10-25 06:01:30 +00:00
split del: if_split)
2014-07-14 19:32:44 +00:00
apply (rule hoare_pre, rule hoare_vcg_ex_lift)
apply (wp updateMDB_weak_cte_wp_at
setCTE_weak_cte_wp_at
| simp
| rule hoare_drop_imps)+
apply (wp getCTE_wp)
apply clarsimp
apply (rule_tac x=cref in exI)
apply (rule conjI)
apply (clarsimp simp: cte_wp_at_ctes_of)+
done
crunch cap_to'[wp]: setExtraBadge "ex_nonz_cap_to' p"
crunch cap_to'[wp]: doIPCTransfer "ex_nonz_cap_to' p"
2017-07-12 05:13:51 +00:00
(ignore: transferCapsToSlots
wp: crunch_wps transferCapsToSlots_pres2 cteInsert_cap_to' hoare_vcg_const_Ball_lift
2014-07-14 19:32:44 +00:00
simp: zipWithM_x_mapM ball_conj_distrib)
lemma st_tcb_idle':
"\<lbrakk>valid_idle' s; st_tcb_at' P t s\<rbrakk> \<Longrightarrow>
(t = ksIdleThread s) \<longrightarrow> P IdleThreadState"
2015-09-02 05:43:39 +00:00
by (clarsimp simp: valid_idle'_def pred_tcb_at'_def obj_at'_def)
2014-07-14 19:32:44 +00:00
crunch idle'[wp]: getThreadCallerSlot "valid_idle'"
crunch idle'[wp]: getThreadReplySlot "valid_idle'"
crunch it[wp]: setupCallerCap "\<lambda>s. P (ksIdleThread s)"
(simp: updateObject_cte_inv wp: crunch_wps)
lemma setupCallerCap_idle'[wp]:
"\<lbrace>valid_idle' and valid_pspace' and
(\<lambda>s. st \<noteq> ksIdleThread s \<and> rt \<noteq> ksIdleThread s)\<rbrace>
2018-08-03 03:27:46 +00:00
setupCallerCap st rt gr
2014-07-14 19:32:44 +00:00
\<lbrace>\<lambda>_. valid_idle'\<rbrace>"
by (simp add: setupCallerCap_def capRange_def | wp hoare_drop_imps)+
crunch idle'[wp]: doIPCTransfer "valid_idle'"
(wp: crunch_wps simp: crunch_simps ignore: transferCapsToSlots)
crunch it[wp]: setExtraBadge "\<lambda>s. P (ksIdleThread s)"
crunch it[wp]: receiveIPC "\<lambda>s. P (ksIdleThread s)"
2017-07-12 05:13:51 +00:00
(ignore: transferCapsToSlots
2014-07-14 19:32:44 +00:00
wp: transferCapsToSlots_pres2 crunch_wps hoare_vcg_const_Ball_lift
simp: crunch_simps ball_conj_distrib)
crunch irq_states' [wp]: setupCallerCap valid_irq_states'
(wp: crunch_wps)
crunch pde_mappings' [wp]: setupCallerCap valid_pde_mappings'
(wp: crunch_wps)
crunch irqs_masked' [wp]: receiveIPC "irqs_masked'"
2016-08-23 12:31:49 +00:00
(wp: crunch_wps rule: irqs_masked_lift)
2014-07-14 19:32:44 +00:00
crunch ct_not_inQ[wp]: getThreadCallerSlot "ct_not_inQ"
crunch ct_not_inQ[wp]: getThreadReplySlot "ct_not_inQ"
lemma setupCallerCap_ct_not_inQ[wp]:
2018-08-03 03:27:46 +00:00
"\<lbrace>ct_not_inQ\<rbrace> setupCallerCap sender receiver grant \<lbrace>\<lambda>_. ct_not_inQ\<rbrace>"
2014-07-14 19:32:44 +00:00
apply (simp add: setupCallerCap_def)
apply (wp hoare_drop_imp setThreadState_ct_not_inQ)
done
2016-08-03 07:45:43 +00:00
crunch ksQ'[wp]: copyMRs "\<lambda>s. P (ksReadyQueues s)"
2014-07-14 19:32:44 +00:00
(wp: mapM_wp' hoare_drop_imps simp: crunch_simps)
crunch ksQ[wp]: doIPCTransfer "\<lambda>s. P (ksReadyQueues s)"
2016-08-23 12:31:49 +00:00
(wp: hoare_drop_imps hoare_vcg_split_case_option
mapM_wp'
2014-07-14 19:32:44 +00:00
simp: split_def zipWithM_x_mapM)
crunch ct'[wp]: doIPCTransfer "\<lambda>s. P (ksCurThread s)"
2016-08-23 12:31:49 +00:00
(wp: hoare_drop_imps hoare_vcg_split_case_option
mapM_wp'
2014-07-14 19:32:44 +00:00
simp: split_def zipWithM_x_mapM)
lemma asUser_ct_not_inQ[wp]:
"\<lbrace>ct_not_inQ\<rbrace> asUser t m \<lbrace>\<lambda>rv. ct_not_inQ\<rbrace>"
apply (simp add: asUser_def split_def)
apply (wp hoare_drop_imps threadSet_not_inQ | simp)+
done
crunch ct_not_inQ[wp]: copyMRs "ct_not_inQ"
(wp: mapM_wp' hoare_drop_imps simp: crunch_simps)
crunch ct_not_inQ[wp]: doIPCTransfer "ct_not_inQ"
(ignore: getRestartPC setRegister transferCapsToSlots
2014-08-09 05:16:17 +00:00
wp: hoare_drop_imps hoare_vcg_split_case_option
2016-08-23 12:31:49 +00:00
mapM_wp'
2014-07-14 19:32:44 +00:00
simp: split_def zipWithM_x_mapM)
2015-11-02 00:00:32 +00:00
lemma ntfn_q_refs_no_bound_refs': "rf : ntfn_q_refs_of' (ntfnObj ob) \<Longrightarrow> rf ~: ntfn_bound_refs' (ntfnBoundTCB ob')"
by (auto simp add: ntfn_q_refs_of'_def ntfn_bound_refs'_def
split: Structures_H.ntfn.splits)
2015-09-02 05:43:39 +00:00
2015-11-02 00:00:32 +00:00
lemma completeSignal_invs:
2015-09-02 05:43:39 +00:00
"\<lbrace>invs' and tcb_at' tcb\<rbrace>
2015-11-02 00:00:32 +00:00
completeSignal ntfnptr tcb
2015-09-02 05:43:39 +00:00
\<lbrace>\<lambda>_. invs'\<rbrace>"
2015-11-02 00:00:32 +00:00
apply (simp add: completeSignal_def)
apply (rule hoare_seq_ext[OF _ get_ntfn_sp'])
2015-09-02 05:43:39 +00:00
apply (rule hoare_pre)
2015-11-02 00:00:32 +00:00
apply (wp set_ntfn_minor_invs' | wpc | simp)+
2017-07-12 05:13:51 +00:00
apply (rule_tac Q="\<lambda>_ s. (state_refs_of' s ntfnptr = ntfn_bound_refs' (ntfnBoundTCB ntfn))
\<and> ntfn_at' ntfnptr s
\<and> valid_ntfn' (ntfnObj_update (\<lambda>_. Structures_H.ntfn.IdleNtfn) ntfn) s
2015-11-02 00:00:32 +00:00
\<and> ((\<exists>y. ntfnBoundTCB ntfn = Some y) \<longrightarrow> ex_nonz_cap_to' ntfnptr s)
\<and> ntfnptr \<noteq> ksIdleThread s"
2015-09-02 05:43:39 +00:00
in hoare_strengthen_post)
2015-11-02 00:00:32 +00:00
apply ((wp hoare_vcg_ex_lift static_imp_wp | wpc | simp add: valid_ntfn'_def)+)[1]
2015-09-02 05:43:39 +00:00
apply (clarsimp simp: obj_at'_def state_refs_of'_def typ_at'_def ko_wp_at'_def projectKOs split: option.splits)
2015-11-02 00:00:32 +00:00
apply (blast dest: ntfn_q_refs_no_bound_refs')
2015-09-02 05:43:39 +00:00
apply wp
2015-11-02 00:00:32 +00:00
apply (subgoal_tac "valid_ntfn' ntfn s")
apply (subgoal_tac "ntfnptr \<noteq> ksIdleThread s")
apply (fastforce simp: valid_ntfn'_def valid_bound_tcb'_def projectKOs ko_at_state_refs_ofD'
2015-09-02 05:43:39 +00:00
elim: obj_at'_weakenE
if_live_then_nonz_capD'[OF invs_iflive'
obj_at'_real_def[THEN meta_eq_to_obj_eq,
THEN iffD1]])
apply (fastforce simp: valid_idle'_def pred_tcb_at'_def obj_at'_def projectKOs
dest!: invs_valid_idle')
apply (fastforce dest: invs_valid_objs' ko_at_valid_objs'
simp: valid_obj'_def projectKOs)[1]
done
2016-05-30 13:12:39 +00:00
lemma setupCallerCap_urz[wp]:
"\<lbrace>untyped_ranges_zero' and valid_pspace' and tcb_at' sender\<rbrace>
2018-08-03 03:27:46 +00:00
setupCallerCap sender t g \<lbrace>\<lambda>rv. untyped_ranges_zero'\<rbrace>"
2016-05-30 13:12:39 +00:00
apply (simp add: setupCallerCap_def getSlotCap_def
getThreadCallerSlot_def getThreadReplySlot_def
locateSlot_conv)
apply (wp getCTE_wp')
apply (rule_tac Q="\<lambda>_. untyped_ranges_zero' and valid_mdb' and valid_objs'" in hoare_post_imp)
apply (clarsimp simp: cte_wp_at_ctes_of cteCaps_of_def untyped_derived_eq_def
isCap_simps)
2017-01-13 12:58:40 +00:00
apply (wp sts_valid_pspace_hangers)
2016-05-30 13:12:39 +00:00
apply (clarsimp simp: valid_tcb_state'_def)
done
lemmas threadSet_urz = untyped_ranges_zero_lift[where f="cteCaps_of", OF _ threadSet_cteCaps_of]
crunch urz[wp]: doIPCTransfer "untyped_ranges_zero'"
(ignore: threadSet wp: threadSet_urz crunch_wps simp: zipWithM_x_mapM)
crunch gsUntypedZeroRanges[wp]: receiveIPC "\<lambda>s. P (gsUntypedZeroRanges s)"
(wp: crunch_wps transferCapsToSlots_pres1 simp: zipWithM_x_mapM ignore: constOnFailure)
2017-11-24 11:30:55 +00:00
crunch ctes_of[wp]: possibleSwitchTo "\<lambda>s. P (ctes_of s)"
2016-05-30 13:12:39 +00:00
(wp: crunch_wps ignore: constOnFailure)
2017-11-24 11:30:55 +00:00
lemmas possibleSwitchToTo_cteCaps_of[wp]
= cteCaps_of_ctes_of_lift[OF possibleSwitchTo_ctes_of]
2016-05-30 13:12:39 +00:00
2014-07-14 19:32:44 +00:00
(* t = ksCurThread s *)
lemma ri_invs' [wp]:
"\<lbrace>invs' and sch_act_not t
and ct_in_state' simple'
and st_tcb_at' simple' t
and (\<lambda>s. \<forall>p. t \<notin> set (ksReadyQueues s p))
and ex_nonz_cap_to' t
and (\<lambda>s. \<forall>r \<in> zobj_refs' cap. ex_nonz_cap_to' r s)\<rbrace>
2015-10-21 02:34:22 +00:00
receiveIPC t cap isBlocking
2015-09-02 05:43:39 +00:00
\<lbrace>\<lambda>_. invs'\<rbrace>" (is "\<lbrace>?pre\<rbrace> _ \<lbrace>_\<rbrace>")
2017-07-12 05:13:51 +00:00
apply (clarsimp simp: receiveIPC_def)
2014-07-14 19:32:44 +00:00
apply (rule hoare_seq_ext [OF _ get_ep_sp'])
2015-11-02 00:00:32 +00:00
apply (rule hoare_seq_ext [OF _ gbn_sp'])
2015-09-02 05:43:39 +00:00
apply (rule hoare_seq_ext)
(* set up precondition for old proof *)
2017-05-17 16:21:35 +00:00
apply (rule_tac R="ko_at' ep (capEPPtr cap) and ?pre" in hoare_vcg_if_split)
2015-11-02 00:00:32 +00:00
apply (wp completeSignal_invs)
2015-09-02 05:43:39 +00:00
apply (case_tac ep)
2018-06-09 08:27:30 +00:00
\<comment> \<open>endpoint = RecvEP\<close>
2015-09-02 05:43:39 +00:00
apply (simp add: invs'_def valid_state'_def)
2015-10-21 02:34:22 +00:00
apply (rule hoare_pre, wpc, wp valid_irq_node_lift)
2015-09-02 05:43:39 +00:00
apply (simp add: valid_ep'_def)
apply (wp sts_sch_act' hoare_vcg_const_Ball_lift valid_irq_node_lift
2016-05-30 13:12:39 +00:00
sts_valid_queues setThreadState_ct_not_inQ
asUser_urz
| simp add: doNBRecvFailedTransfer_def cteCaps_of_def)+
apply (clarsimp simp: valid_tcb_state'_def pred_tcb_at' o_def)
2015-09-02 05:43:39 +00:00
apply (rule conjI, clarsimp elim!: obj_at'_weakenE)
apply (frule obj_at_valid_objs')
apply (clarsimp simp: valid_pspace'_def)
apply (drule(1) sym_refs_ko_atD')
apply (drule simple_st_tcb_at_state_refs_ofD')
apply (drule bound_tcb_at_state_refs_ofD')
apply (clarsimp simp: st_tcb_at_refs_of_rev' valid_ep'_def
valid_obj'_def projectKOs tcb_bound_refs'_def
dest!: isCapDs)
apply (rule conjI, clarsimp)
apply (drule (1) bspec)
apply (clarsimp dest!: st_tcb_at_state_refs_ofD')
apply (clarsimp simp: set_eq_subset)
apply (rule conjI, erule delta_sym_refs)
2016-10-25 06:01:30 +00:00
apply (clarsimp split: if_split_asm)
2018-08-03 03:27:46 +00:00
apply (rename_tac list one two three fur five six seven eight nine ten eleven)
2015-09-02 05:43:39 +00:00
apply (subgoal_tac "set list \<times> {EPRecv} \<noteq> {}")
2018-08-03 03:27:46 +00:00
apply (thin_tac "\<forall>a b. t \<notin> set (ksReadyQueues one (a, b))") \<comment> \<open>causes slowdown\<close>
apply (safe ; solves \<open>auto\<close>)
apply fastforce
apply fastforce
2016-10-25 06:01:30 +00:00
apply (clarsimp split: if_split_asm)
2015-09-02 05:43:39 +00:00
apply (fastforce simp: valid_pspace'_def global'_no_ex_cap idle'_not_queued)
2018-06-09 08:27:30 +00:00
\<comment> \<open>endpoint = IdleEP\<close>
2014-07-14 19:32:44 +00:00
apply (simp add: invs'_def valid_state'_def)
2015-10-21 02:34:22 +00:00
apply (rule hoare_pre, wpc, wp valid_irq_node_lift)
2014-07-14 19:32:44 +00:00
apply (simp add: valid_ep'_def)
2015-09-02 05:43:39 +00:00
apply (wp sts_sch_act' valid_irq_node_lift
2015-10-21 02:34:22 +00:00
sts_valid_queues setThreadState_ct_not_inQ
2016-05-30 13:12:39 +00:00
asUser_urz
| simp add: doNBRecvFailedTransfer_def cteCaps_of_def)+
apply (clarsimp simp: pred_tcb_at' valid_tcb_state'_def o_def)
2014-07-14 19:32:44 +00:00
apply (rule conjI, clarsimp elim!: obj_at'_weakenE)
2015-09-02 05:43:39 +00:00
apply (subgoal_tac "t \<noteq> capEPPtr cap")
apply (drule simple_st_tcb_at_state_refs_ofD')
apply (drule ko_at_state_refs_ofD')
apply (drule bound_tcb_at_state_refs_ofD')
apply (clarsimp dest!: isCapDs)
apply (rule conjI, erule delta_sym_refs)
2016-10-25 06:01:30 +00:00
apply (clarsimp split: if_split_asm)
2015-09-02 05:43:39 +00:00
apply (clarsimp simp: tcb_bound_refs'_def
dest: symreftype_inverse'
2016-10-25 06:01:30 +00:00
split: if_split_asm)
2015-09-02 05:43:39 +00:00
apply (fastforce simp: global'_no_ex_cap)
apply (clarsimp simp: obj_at'_def pred_tcb_at'_def projectKOs)
2018-06-09 08:27:30 +00:00
\<comment> \<open>endpoint = SendEP\<close>
2014-07-14 19:32:44 +00:00
apply (simp add: invs'_def valid_state'_def)
2015-09-10 07:06:45 +00:00
apply (rename_tac list)
2016-10-25 06:01:30 +00:00
apply (case_tac list, simp_all split del: if_split)
2015-09-02 05:43:39 +00:00
apply (rename_tac sender queue)
apply (rule hoare_pre)
apply (wp valid_irq_node_lift hoare_drop_imps setEndpoint_valid_mdb'
set_ep_valid_objs' sts_st_tcb' sts_sch_act' sts_valid_queues
2017-11-24 11:30:55 +00:00
setThreadState_ct_not_inQ possibleSwitchTo_valid_queues
possibleSwitchTo_valid_queues'
possibleSwitchTo_ct_not_inQ hoare_vcg_all_lift
2016-05-30 13:12:39 +00:00
setEndpoint_ksQ setEndpoint_ct'
2015-09-10 07:06:45 +00:00
| simp add: valid_tcb_state'_def case_bool_If
case_option_If
2016-10-25 06:01:30 +00:00
split del: if_split cong: if_cong
2019-05-06 06:34:44 +00:00
| wp (once) sch_act_sane_lift hoare_vcg_conj_lift hoare_vcg_all_lift
2016-05-30 13:12:39 +00:00
untyped_ranges_zero_lift)+
2016-10-25 06:01:30 +00:00
apply (clarsimp split del: if_split simp: pred_tcb_at')
2015-09-02 05:43:39 +00:00
apply (frule obj_at_valid_objs')
apply (clarsimp simp: valid_pspace'_def)
apply (frule(1) ct_not_in_epQueue, clarsimp, clarsimp)
apply (drule(1) sym_refs_ko_atD')
apply (drule simple_st_tcb_at_state_refs_ofD')
apply (clarsimp simp: projectKOs valid_obj'_def valid_ep'_def
st_tcb_at_refs_of_rev' conj_ac
2016-10-25 06:01:30 +00:00
split del: if_split
2015-09-02 05:43:39 +00:00
cong: if_cong)
apply (frule_tac t=sender in valid_queues_not_runnable'_not_ksQ)
apply (erule pred_tcb'_weakenE, clarsimp)
apply (subgoal_tac "sch_act_not sender s")
prefer 2
apply (clarsimp simp: pred_tcb_at'_def obj_at'_def)
apply (drule st_tcb_at_state_refs_ofD')
2015-09-10 07:06:45 +00:00
apply (simp only: conj_ac(1, 2)[where Q="sym_refs R" for R])
2015-09-02 05:43:39 +00:00
apply (subgoal_tac "distinct (ksIdleThread s # capEPPtr cap # t # sender # queue)")
apply (rule conjI)
apply (clarsimp simp: ep_redux_simps' cong: if_cong)
apply (erule delta_sym_refs)
2016-10-25 06:01:30 +00:00
apply (clarsimp split: if_split_asm)
2015-09-02 05:43:39 +00:00
apply (fastforce simp: tcb_bound_refs'_def
dest: symreftype_inverse'
2016-10-25 06:01:30 +00:00
split: if_split_asm)
2015-09-02 05:43:39 +00:00
apply (clarsimp simp: singleton_tuple_cartesian split: list.split
| rule conjI | drule(1) bspec
| drule st_tcb_at_state_refs_ofD' bound_tcb_at_state_refs_ofD'
| clarsimp elim!: if_live_state_refsE)+
apply (case_tac cap, simp_all add: isEndpointCap_def)
apply (clarsimp simp: global'_no_ex_cap)
apply (rule conjI
| clarsimp simp: singleton_tuple_cartesian split: list.split
| clarsimp elim!: if_live_state_refsE
| clarsimp simp: global'_no_ex_cap idle'_not_queued' idle'_no_refs tcb_bound_refs'_def
| drule(1) bspec | drule st_tcb_at_state_refs_ofD'
| clarsimp simp: set_eq_subset dest!: bound_tcb_at_state_refs_ofD' )+
apply (rule hoare_pre)
2015-11-02 00:00:32 +00:00
apply (wp getNotification_wp | wpc | clarsimp)+
2014-07-14 19:32:44 +00:00
done
(* t = ksCurThread s *)
lemma rai_invs'[wp]:
"\<lbrace>invs' and sch_act_not t
and st_tcb_at' simple' t
and (\<lambda>s. \<forall>p. t \<notin> set (ksReadyQueues s p))
and ex_nonz_cap_to' t
and (\<lambda>s. \<forall>r \<in> zobj_refs' cap. ex_nonz_cap_to' r s)
2015-11-02 00:00:32 +00:00
and (\<lambda>s. \<exists>ntfnptr. isNotificationCap cap
\<and> capNtfnPtr cap = ntfnptr
\<and> obj_at' (\<lambda>ko. ntfnBoundTCB ko = None \<or> ntfnBoundTCB ko = Some t)
ntfnptr s)\<rbrace>
receiveSignal t cap isBlocking
2014-07-14 19:32:44 +00:00
\<lbrace>\<lambda>_. invs'\<rbrace>"
2015-11-02 00:00:32 +00:00
apply (simp add: receiveSignal_def)
apply (rule hoare_seq_ext [OF _ get_ntfn_sp'])
2014-07-14 19:32:44 +00:00
apply (rename_tac ep)
2015-11-02 00:00:32 +00:00
apply (case_tac "ntfnObj ep")
2018-06-09 08:27:30 +00:00
\<comment> \<open>ep = IdleNtfn\<close>
2014-07-14 19:32:44 +00:00
apply (simp add: invs'_def valid_state'_def)
apply (rule hoare_pre)
2015-09-02 05:43:39 +00:00
apply (wp valid_irq_node_lift sts_sch_act' typ_at_lifts
2014-07-14 19:32:44 +00:00
sts_valid_queues setThreadState_ct_not_inQ
2016-05-30 13:12:39 +00:00
asUser_urz
2015-11-10 15:25:02 +00:00
| simp add: valid_ntfn'_def doNBRecvFailedTransfer_def | wpc)+
2015-09-02 05:43:39 +00:00
apply (clarsimp simp: pred_tcb_at' valid_tcb_state'_def)
2014-07-14 19:32:44 +00:00
apply (rule conjI, clarsimp elim!: obj_at'_weakenE)
2015-11-02 00:00:32 +00:00
apply (subgoal_tac "capNtfnPtr cap \<noteq> t")
2015-09-02 05:43:39 +00:00
apply (frule valid_pspace_valid_objs')
apply (frule (1) ko_at_valid_objs')
apply (clarsimp simp: projectKOs)
2015-11-02 00:00:32 +00:00
apply (clarsimp simp: valid_obj'_def valid_ntfn'_def)
2015-09-02 05:43:39 +00:00
apply (rule conjI, clarsimp simp: obj_at'_def split: option.split)
2014-07-14 19:32:44 +00:00
apply (drule simple_st_tcb_at_state_refs_ofD'
2015-09-02 05:43:39 +00:00
ko_at_state_refs_ofD' bound_tcb_at_state_refs_ofD')+
2014-07-14 19:32:44 +00:00
apply (clarsimp dest!: isCapDs)
apply (rule conjI, erule delta_sym_refs)
2016-10-25 06:01:30 +00:00
apply (clarsimp split: if_split_asm)
2015-09-02 05:43:39 +00:00
apply (fastforce simp: tcb_bound_refs'_def symreftype_inverse'
2016-10-25 06:01:30 +00:00
split: if_split_asm)
2014-07-14 19:32:44 +00:00
apply (clarsimp dest!: global'_no_ex_cap)
2015-09-02 05:43:39 +00:00
apply (clarsimp simp: pred_tcb_at'_def obj_at'_def projectKOs)
2018-06-09 08:27:30 +00:00
\<comment> \<open>ep = ActiveNtfn\<close>
2015-09-02 05:43:39 +00:00
apply (simp add: invs'_def valid_state'_def)
2014-07-14 19:32:44 +00:00
apply (rule hoare_pre)
2015-09-02 05:43:39 +00:00
apply (wp valid_irq_node_lift sts_valid_objs' typ_at_lifts static_imp_wp
2016-05-30 13:12:39 +00:00
asUser_urz
2015-11-02 00:00:32 +00:00
| simp add: valid_ntfn'_def)+
2015-09-02 05:43:39 +00:00
apply (clarsimp simp: pred_tcb_at' valid_pspace'_def)
apply (frule (1) ko_at_valid_objs')
apply (clarsimp simp: projectKOs)
2015-11-02 00:00:32 +00:00
apply (clarsimp simp: valid_obj'_def valid_ntfn'_def isCap_simps)
2014-07-14 19:32:44 +00:00
apply (drule simple_st_tcb_at_state_refs_ofD'
ko_at_state_refs_ofD')+
apply (erule delta_sym_refs)
2016-10-25 06:01:30 +00:00
apply (clarsimp split: if_split_asm simp: global'_no_ex_cap)+
2018-06-09 08:27:30 +00:00
\<comment> \<open>ep = WaitingNtfn\<close>
2014-07-14 19:32:44 +00:00
apply (simp add: invs'_def valid_state'_def)
apply (rule hoare_pre)
apply (wp hoare_vcg_const_Ball_lift valid_irq_node_lift sts_sch_act'
2015-09-02 05:43:39 +00:00
sts_valid_queues setThreadState_ct_not_inQ typ_at_lifts
2016-05-30 13:12:39 +00:00
asUser_urz
2015-11-10 15:25:02 +00:00
| simp add: valid_ntfn'_def doNBRecvFailedTransfer_def | wpc)+
2014-07-14 19:32:44 +00:00
apply (clarsimp simp: valid_tcb_state'_def)
2015-11-02 00:00:32 +00:00
apply (frule_tac t=t in not_in_ntfnQueue)
2014-07-14 19:32:44 +00:00
apply (simp)
apply (simp)
2015-09-02 05:43:39 +00:00
apply (erule pred_tcb'_weakenE, clarsimp)
2014-07-14 19:32:44 +00:00
apply (frule ko_at_valid_objs')
apply (clarsimp simp: valid_pspace'_def)
apply (simp add: projectKOs)
apply (clarsimp simp: valid_obj'_def)
2015-11-02 00:00:32 +00:00
apply (clarsimp simp: valid_ntfn'_def pred_tcb_at')
2014-07-14 19:32:44 +00:00
apply (rule conjI, clarsimp elim!: obj_at'_weakenE)
2015-09-02 05:43:39 +00:00
apply (rule conjI, clarsimp simp: obj_at'_def split: option.split)
2014-07-14 19:32:44 +00:00
apply (drule(1) sym_refs_ko_atD')
apply (drule simple_st_tcb_at_state_refs_ofD')
2015-09-02 05:43:39 +00:00
apply (drule bound_tcb_at_state_refs_ofD')
2014-07-14 19:32:44 +00:00
apply (clarsimp simp: st_tcb_at_refs_of_rev'
dest!: isCapDs)
apply (rule conjI, erule delta_sym_refs)
2016-10-25 06:01:30 +00:00
apply (clarsimp split: if_split_asm)
2015-09-10 07:06:45 +00:00
apply (rename_tac list one two three four five six seven eight nine)
2015-11-02 00:00:32 +00:00
apply (subgoal_tac "set list \<times> {NTFNSignal} \<noteq> {}")
2015-09-02 05:43:39 +00:00
apply safe[1]
2015-11-02 00:00:32 +00:00
apply (auto simp: symreftype_inverse' ntfn_bound_refs'_def tcb_bound_refs'_def)[5]
2015-09-02 05:43:39 +00:00
apply (fastforce simp: tcb_bound_refs'_def
2016-10-25 06:01:30 +00:00
split: if_split_asm)
2014-07-14 19:32:44 +00:00
apply (clarsimp dest!: global'_no_ex_cap)
done
lemma getCTE_cap_to_refs[wp]:
"\<lbrace>\<top>\<rbrace> getCTE p \<lbrace>\<lambda>rv s. \<forall>r\<in>zobj_refs' (cteCap rv). ex_nonz_cap_to' r s\<rbrace>"
apply (rule hoare_strengthen_post [OF getCTE_sp])
apply (clarsimp simp: ex_nonz_cap_to'_def)
apply (fastforce elim: cte_wp_at_weakenE')
done
lemma lookupCap_cap_to_refs[wp]:
"\<lbrace>\<top>\<rbrace> lookupCap t cref \<lbrace>\<lambda>rv s. \<forall>r\<in>zobj_refs' rv. ex_nonz_cap_to' r s\<rbrace>,-"
apply (simp add: lookupCap_def lookupCapAndSlot_def split_def
getSlotCap_def)
apply (wp | simp)+
done
lemma arch_stt_objs' [wp]:
2016-04-28 23:47:59 +00:00
"\<lbrace>valid_objs'\<rbrace> Arch.switchToThread t \<lbrace>\<lambda>rv. valid_objs'\<rbrace>"
apply (simp add: ARM_H.switchToThread_def)
2014-07-14 19:32:44 +00:00
apply wp
done
declare zipWithM_x_mapM [simp]
lemma cteInsert_invs_bits[wp]:
"\<lbrace>\<lambda>s. sch_act_wf (ksSchedulerAction s) s\<rbrace>
cteInsert a b c
\<lbrace>\<lambda>rv s. sch_act_wf (ksSchedulerAction s) s\<rbrace>"
"\<lbrace>Invariants_H.valid_queues\<rbrace> cteInsert a b c \<lbrace>\<lambda>rv. Invariants_H.valid_queues\<rbrace>"
"\<lbrace>cur_tcb'\<rbrace> cteInsert a b c \<lbrace>\<lambda>rv. cur_tcb'\<rbrace>"
"\<lbrace>\<lambda>s. P (state_refs_of' s)\<rbrace>
cteInsert a b c
\<lbrace>\<lambda>rv s. P (state_refs_of' s)\<rbrace>"
apply (wp sch_act_wf_lift valid_queues_lift
2017-01-13 12:58:40 +00:00
cur_tcb_lift tcb_in_cur_domain'_lift)+
2014-07-14 19:32:44 +00:00
done
lemma possibleSwitchTo_sch_act_not:
2017-11-24 11:30:55 +00:00
"\<lbrace>sch_act_not t' and K (t \<noteq> t')\<rbrace> possibleSwitchTo t \<lbrace>\<lambda>rv. sch_act_not t'\<rbrace>"
2016-11-16 03:02:03 +00:00
apply (simp add: possibleSwitchTo_def setSchedulerAction_def curDomain_def)
2014-07-14 19:32:44 +00:00
apply (wp hoare_drop_imps | wpc | simp)+
done
2017-11-24 11:30:55 +00:00
crunch vms'[wp]: possibleSwitchTo valid_machine_state'
crunch pspace_domain_valid[wp]: possibleSwitchTo pspace_domain_valid
crunch ct_idle_or_in_cur_domain'[wp]: possibleSwitchTo ct_idle_or_in_cur_domain'
2014-07-14 19:32:44 +00:00
2017-11-24 11:30:55 +00:00
crunch ct'[wp]: possibleSwitchTo "\<lambda>s. P (ksCurThread s)"
crunch it[wp]: possibleSwitchTo "\<lambda>s. P (ksIdleThread s)"
crunch irqs_masked'[wp]: possibleSwitchTo "irqs_masked'"
crunch urz[wp]: possibleSwitchTo "untyped_ranges_zero'"
2016-05-30 13:12:39 +00:00
(simp: crunch_simps unless_def wp: crunch_wps)
2014-07-14 19:32:44 +00:00
2017-07-12 05:13:51 +00:00
lemma si_invs'[wp]:
2014-07-14 19:32:44 +00:00
"\<lbrace>invs' and st_tcb_at' simple' t
and (\<lambda>s. \<forall>p. t \<notin> set (ksReadyQueues s p))
and sch_act_not t
and ex_nonz_cap_to' ep and ex_nonz_cap_to' t\<rbrace>
2018-08-03 03:27:46 +00:00
sendIPC bl call ba cg cgr t ep
2014-07-14 19:32:44 +00:00
\<lbrace>\<lambda>rv. invs'\<rbrace>"
2018-08-03 03:27:46 +00:00
supply if_split[split del]
2016-10-25 06:01:30 +00:00
apply (simp add: sendIPC_def split del: if_split)
2014-07-14 19:32:44 +00:00
apply (rule hoare_seq_ext [OF _ get_ep_sp'])
apply (case_tac epa)
2018-06-09 08:27:30 +00:00
\<comment> \<open>epa = RecvEP\<close>
2014-07-14 19:32:44 +00:00
apply simp
2015-05-12 15:17:31 +00:00
apply (rename_tac list)
2014-07-14 19:32:44 +00:00
apply (case_tac list)
apply simp
2016-10-25 06:01:30 +00:00
apply (simp split del: if_split add: invs'_def valid_state'_def)
2014-07-14 19:32:44 +00:00
apply (rule hoare_pre)
apply (rule_tac P="a\<noteq>t" in hoare_gen_asm)
2019-05-07 05:53:41 +00:00
apply (wp valid_irq_node_lift
2014-07-14 19:32:44 +00:00
sts_valid_objs' set_ep_valid_objs' setEndpoint_valid_mdb' sts_st_tcb' sts_sch_act'
2017-11-24 11:30:55 +00:00
possibleSwitchTo_sch_act_not sts_valid_queues setThreadState_ct_not_inQ
possibleSwitchTo_ksQ' possibleSwitchTo_ct_not_inQ hoare_vcg_all_lift sts_ksQ'
2018-03-14 00:48:48 +00:00
hoare_convert_imp [OF doIPCTransfer_sch_act doIPCTransfer_ct']
2014-07-14 19:32:44 +00:00
hoare_convert_imp [OF setEndpoint_nosch setEndpoint_ct']
hoare_drop_imp [where f="threadGet tcbFault t"]
| rule_tac f="getThreadState a" in hoare_drop_imp
2019-05-06 06:34:44 +00:00
| wp (once) hoare_drop_imp[where R="\<lambda>_ _. call"]
2018-08-03 03:27:46 +00:00
hoare_drop_imp[where R="\<lambda>_ _. \<not> call"]
hoare_drop_imp[where R="\<lambda>_ _. cg"]
2014-08-11 08:51:04 +00:00
| simp add: valid_tcb_state'_def case_bool_If
2014-08-09 05:16:17 +00:00
case_option_If
2014-07-14 19:32:44 +00:00
cong: if_cong
2016-10-25 06:01:30 +00:00
split del: if_split
2019-05-06 06:34:44 +00:00
| wp (once) sch_act_sane_lift tcb_in_cur_domain'_lift hoare_vcg_const_imp_lift)+
2018-08-03 03:27:46 +00:00
apply (clarsimp simp: pred_tcb_at' cong: conj_cong imp_cong
2016-10-25 06:01:30 +00:00
split del: if_split)
2014-07-14 19:32:44 +00:00
apply (frule obj_at_valid_objs', clarsimp)
apply (frule(1) sym_refs_ko_atD')
apply (clarsimp simp: projectKOs valid_obj'_def valid_ep'_def
2015-09-02 05:43:39 +00:00
st_tcb_at_refs_of_rev' pred_tcb_at'
2015-05-16 09:52:49 +00:00
conj_comms fun_upd_def[symmetric]
2016-10-25 06:01:30 +00:00
split del: if_split)
2015-09-02 05:43:39 +00:00
apply (frule pred_tcb_at')
2014-07-14 19:32:44 +00:00
apply (drule simple_st_tcb_at_state_refs_ofD' st_tcb_at_state_refs_ofD')+
2018-08-03 03:27:46 +00:00
apply (clarsimp simp: valid_pspace'_splits)
2014-07-14 19:32:44 +00:00
apply (subst fun_upd_idem[where x=t])
2018-08-03 03:27:46 +00:00
apply (clarsimp split: if_split)
2015-09-02 05:43:39 +00:00
apply (rule conjI, clarsimp simp: obj_at'_def projectKOs)
apply (drule bound_tcb_at_state_refs_ofD')
apply (fastforce simp: tcb_bound_refs'_def)
2018-08-03 03:27:46 +00:00
apply (subgoal_tac "ex_nonz_cap_to' a s")
prefer 2
2014-07-14 19:32:44 +00:00
apply (clarsimp elim!: if_live_state_refsE)
2018-08-03 03:27:46 +00:00
apply clarsimp
2015-09-02 05:43:39 +00:00
apply (rule conjI)
apply (drule bound_tcb_at_state_refs_ofD')
apply (fastforce simp: tcb_bound_refs'_def set_eq_subset)
2018-08-03 03:27:46 +00:00
apply (clarsimp simp: conj_ac)
2014-07-14 19:32:44 +00:00
apply (rule conjI, clarsimp simp: idle'_no_refs)
apply (rule conjI, clarsimp simp: global'_no_ex_cap)
apply (rule conjI)
apply (rule impI)
apply (frule(1) ct_not_in_epQueue, clarsimp, clarsimp)
apply (clarsimp)
2015-09-02 05:43:39 +00:00
apply (simp add: ep_redux_simps')
2018-08-03 03:27:46 +00:00
apply (rule conjI, clarsimp split: if_split)
apply (rule conjI, fastforce simp: tcb_bound_refs'_def set_eq_subset)
apply (clarsimp, erule delta_sym_refs;
solves\<open>auto simp: symreftype_inverse' tcb_bound_refs'_def split: if_split_asm\<close>)
apply (solves\<open>clarsimp split: list.splits\<close>)
2018-06-09 08:27:30 +00:00
\<comment> \<open>epa = IdleEP\<close>
2014-07-14 19:32:44 +00:00
apply (cases bl)
apply (simp add: invs'_def valid_state'_def)
apply (rule hoare_pre, wp valid_irq_node_lift)
apply (simp add: valid_ep'_def)
apply (wp valid_irq_node_lift sts_sch_act' sts_valid_queues
setThreadState_ct_not_inQ)
2015-09-02 05:43:39 +00:00
apply (clarsimp simp: valid_tcb_state'_def pred_tcb_at')
2014-07-14 19:32:44 +00:00
apply (rule conjI, clarsimp elim!: obj_at'_weakenE)
apply (subgoal_tac "ep \<noteq> t")
2015-09-02 05:43:39 +00:00
apply (drule simple_st_tcb_at_state_refs_ofD' ko_at_state_refs_ofD'
bound_tcb_at_state_refs_ofD')+
2014-07-14 19:32:44 +00:00
apply (rule conjI, erule delta_sym_refs)
2015-09-02 05:43:39 +00:00
apply (auto simp: tcb_bound_refs'_def symreftype_inverse'
2016-10-25 06:01:30 +00:00
split: if_split_asm)[2]
2014-07-14 19:32:44 +00:00
apply (fastforce simp: global'_no_ex_cap)
2015-09-02 05:43:39 +00:00
apply (clarsimp simp: pred_tcb_at'_def obj_at'_def projectKOs)
2014-07-14 19:32:44 +00:00
apply simp
apply wp
apply simp
2018-06-09 08:27:30 +00:00
\<comment> \<open>epa = SendEP\<close>
2014-07-14 19:32:44 +00:00
apply (cases bl)
apply (simp add: invs'_def valid_state'_def)
apply (rule hoare_pre, wp valid_irq_node_lift)
apply (simp add: valid_ep'_def)
apply (wp hoare_vcg_const_Ball_lift valid_irq_node_lift sts_sch_act'
sts_valid_queues setThreadState_ct_not_inQ)
2015-09-02 05:43:39 +00:00
apply (clarsimp simp: valid_tcb_state'_def pred_tcb_at')
2014-07-14 19:32:44 +00:00
apply (rule conjI, clarsimp elim!: obj_at'_weakenE)
apply (frule obj_at_valid_objs', clarsimp)
2015-09-02 05:43:39 +00:00
apply (frule(1) sym_refs_ko_atD')
apply (frule pred_tcb_at')
2014-07-14 19:32:44 +00:00
apply (drule simple_st_tcb_at_state_refs_ofD')
2015-09-02 05:43:39 +00:00
apply (drule bound_tcb_at_state_refs_ofD')
2014-07-14 19:32:44 +00:00
apply (clarsimp simp: valid_obj'_def valid_ep'_def
projectKOs st_tcb_at_refs_of_rev')
2015-09-02 05:43:39 +00:00
apply (rule conjI, clarsimp)
apply (drule (1) bspec)
apply (clarsimp dest!: st_tcb_at_state_refs_ofD' bound_tcb_at_state_refs_ofD'
simp: tcb_bound_refs'_def)
apply (clarsimp simp: set_eq_subset)
2014-07-14 19:32:44 +00:00
apply (rule conjI, erule delta_sym_refs)
2016-01-12 05:44:35 +00:00
subgoal by (fastforce simp: obj_at'_def projectKOs symreftype_inverse'
2016-10-25 06:01:30 +00:00
split: if_split_asm)
2015-09-02 05:43:39 +00:00
apply (fastforce simp: tcb_bound_refs'_def symreftype_inverse'
2016-10-25 06:01:30 +00:00
split: if_split_asm)
2014-07-14 19:32:44 +00:00
apply (fastforce simp: global'_no_ex_cap idle'_not_queued)
apply (simp | wp)+
done
lemma sfi_invs_plus':
"\<lbrace>invs' and st_tcb_at' simple' t
and sch_act_not t
and (\<lambda>s. \<forall>p. t \<notin> set (ksReadyQueues s p))
and ex_nonz_cap_to' t\<rbrace>
sendFaultIPC t f
\<lbrace>\<lambda>rv. invs'\<rbrace>, \<lbrace>\<lambda>rv. invs' and st_tcb_at' simple' t
and (\<lambda>s. \<forall>p. t \<notin> set (ksReadyQueues s p))
and sch_act_not t and (\<lambda>s. ksIdleThread s \<noteq> t)\<rbrace>"
apply (simp add: sendFaultIPC_def)
2015-09-02 05:43:39 +00:00
apply (wp threadSet_invs_trivial threadSet_pred_tcb_no_state
2014-07-14 19:32:44 +00:00
threadSet_cap_to'
| wpc | simp)+
2017-07-12 05:13:51 +00:00
apply (rule_tac Q'="\<lambda>rv s. invs' s \<and> sch_act_not t s
2014-07-14 19:32:44 +00:00
\<and> st_tcb_at' simple' t s
\<and> (\<forall>p. t \<notin> set (ksReadyQueues s p))
\<and> ex_nonz_cap_to' t s
\<and> t \<noteq> ksIdleThread s
\<and> (\<forall>r\<in>zobj_refs' rv. ex_nonz_cap_to' r s)"
in hoare_post_imp_R)
apply wp
2015-09-02 05:43:39 +00:00
apply (clarsimp simp: inQ_def pred_tcb_at')
2014-07-14 19:32:44 +00:00
apply (wp | simp)+
apply (clarsimp simp: eq_commute)
apply (subst(asm) global'_no_ex_cap, auto)
done
lemma hf_corres:
"fr f f' \<Longrightarrow>
corres dc (einvs and st_tcb_at active thread and ex_nonz_cap_to thread
and (%_. valid_fault f))
(invs' and sch_act_not thread
and (\<lambda>s. \<forall>p. thread \<notin> set(ksReadyQueues s p))
and st_tcb_at' simple' thread and ex_nonz_cap_to' thread)
(handle_fault thread f) (handleFault thread f')"
apply (simp add: handle_fault_def handleFault_def)
apply (rule corres_guard_imp)
2017-07-12 05:13:51 +00:00
apply (subst return_bind [symmetric],
rule corres_split [where P="tcb_at thread",
2014-07-14 19:32:44 +00:00
OF _ gets_the_noop_corres [where x="()"]])
apply (rule corres_split_catch)
apply (rule hdf_corres)
apply (rule_tac F="valid_fault f" in corres_gen_asm)
apply (rule send_fault_ipc_corres, assumption)
apply simp
2017-01-13 12:58:40 +00:00
apply wp+
2014-07-14 19:32:44 +00:00
apply (rule hoare_post_impErr, rule sfi_invs_plus', simp_all)[1]
apply clarsimp
apply (simp add: tcb_at_def)
2017-01-13 12:58:40 +00:00
apply wp+
2014-07-14 19:32:44 +00:00
apply (clarsimp simp: st_tcb_at_tcb_at st_tcb_def2 invs_def
valid_state_def valid_idle_def)
apply auto
done
lemma sts_invs_minor'':
"\<lbrace>st_tcb_at' (\<lambda>st'. tcb_st_refs_of' st' = tcb_st_refs_of' st
\<and> (st \<noteq> Inactive \<and> \<not> idle' st \<longrightarrow>
st' \<noteq> Inactive \<and> \<not> idle' st')) t
and (\<lambda>s. t = ksIdleThread s \<longrightarrow> idle' st)
and (\<lambda>s. (\<exists>p. t \<in> set (ksReadyQueues s p)) \<longrightarrow> runnable' st)
and (\<lambda>s. runnable' st \<and> obj_at' tcbQueued t s
\<longrightarrow> st_tcb_at' runnable' t s)
and (\<lambda>s. \<not> runnable' st \<longrightarrow> sch_act_not t s)
and invs'\<rbrace>
setThreadState st t
\<lbrace>\<lambda>rv. invs'\<rbrace>"
apply (simp add: invs'_def valid_state'_def)
apply (rule hoare_pre)
apply (wp valid_irq_node_lift sts_sch_act' sts_valid_queues
setThreadState_ct_not_inQ)
apply clarsimp
apply (rule conjI)
apply fastforce
apply (rule conjI)
2015-09-02 05:43:39 +00:00
apply (clarsimp simp: pred_tcb_at'_def)
2014-07-14 19:32:44 +00:00
apply (drule obj_at_valid_objs')
apply (clarsimp simp: valid_pspace'_def)
apply (clarsimp simp: valid_obj'_def valid_tcb'_def projectKOs)
2016-05-30 13:12:39 +00:00
subgoal by (cases st, auto simp: valid_tcb_state'_def
split: Structures_H.thread_state.splits)[1]
2014-07-14 19:32:44 +00:00
apply (rule conjI)
apply (clarsimp dest!: st_tcb_at_state_refs_ofD'
elim!: rsubst[where P=sym_refs]
intro!: ext)
apply (clarsimp elim!: st_tcb_ex_cap'')
done
2017-07-12 05:13:51 +00:00
lemma hf_invs' [wp]:
2014-07-14 19:32:44 +00:00
"\<lbrace>invs' and sch_act_not t
and (\<lambda>s. \<forall>p. t \<notin> set(ksReadyQueues s p))
and st_tcb_at' simple' t
and ex_nonz_cap_to' t and (\<lambda>s. t \<noteq> ksIdleThread s)\<rbrace>
handleFault t f \<lbrace>\<lambda>r. invs'\<rbrace>"
apply (simp add: handleFault_def)
apply wp
2017-07-12 05:13:51 +00:00
apply (simp add: handleDoubleFault_def)
2017-01-13 12:58:40 +00:00
apply (wp sts_invs_minor'' dmo_invs')+
apply (rule hoare_post_impErr, rule sfi_invs_plus',
2014-07-14 19:32:44 +00:00
simp_all)
apply (strengthen no_refs_simple_strg')
apply clarsimp
done
declare zipWithM_x_mapM [simp del]
lemma gts_st_tcb':
"\<lbrace>\<top>\<rbrace> getThreadState t \<lbrace>\<lambda>r. st_tcb_at' (\<lambda>st. st = r) t\<rbrace>"
apply (rule hoare_strengthen_post)
apply (rule gts_sp')
apply simp
done
declare setEndpoint_ct' [wp]
2015-09-02 05:43:39 +00:00
lemma setupCallerCap_pred_tcb_unchanged:
"\<lbrace>pred_tcb_at' proj P t and K (t \<noteq> t')\<rbrace>
2018-08-03 03:27:46 +00:00
setupCallerCap t' t'' g
2015-09-02 05:43:39 +00:00
\<lbrace>\<lambda>rv. pred_tcb_at' proj P t\<rbrace>"
2014-07-14 19:32:44 +00:00
apply (simp add: setupCallerCap_def getThreadCallerSlot_def
getThreadReplySlot_def)
2015-09-02 05:43:39 +00:00
apply (wp sts_pred_tcb_neq' hoare_drop_imps)
2014-07-14 19:32:44 +00:00
apply clarsimp
done
lemma si_blk_makes_simple':
"\<lbrace>st_tcb_at' simple' t and K (t \<noteq> t')\<rbrace>
2018-08-03 03:27:46 +00:00
sendIPC True call bdg x x' t' ep
2014-07-14 19:32:44 +00:00
\<lbrace>\<lambda>rv. st_tcb_at' simple' t\<rbrace>"
apply (simp add: sendIPC_def)
apply (rule hoare_seq_ext [OF _ get_ep_inv'])
apply (case_tac xa, simp_all)
2015-05-12 15:17:31 +00:00
apply (rename_tac list)
2014-08-11 08:51:04 +00:00
apply (case_tac list, simp_all add: case_bool_If case_option_If
2016-10-25 06:01:30 +00:00
split del: if_split cong: if_cong)
2014-07-14 19:32:44 +00:00
apply (rule hoare_pre)
2015-09-02 05:43:39 +00:00
apply (wp sts_st_tcb_at'_cases setupCallerCap_pred_tcb_unchanged
2014-07-14 19:32:44 +00:00
hoare_drop_imps)
2015-09-02 05:43:39 +00:00
apply (clarsimp simp: pred_tcb_at' del: disjCI)
2014-07-14 19:32:44 +00:00
apply (wp sts_st_tcb_at'_cases)
apply clarsimp
apply (wp sts_st_tcb_at'_cases)
apply clarsimp
done
lemma si_blk_makes_runnable':
"\<lbrace>st_tcb_at' runnable' t and K (t \<noteq> t')\<rbrace>
2018-08-03 03:27:46 +00:00
sendIPC True call bdg x x' t' ep
2014-07-14 19:32:44 +00:00
\<lbrace>\<lambda>rv. st_tcb_at' runnable' t\<rbrace>"
apply (simp add: sendIPC_def)
apply (rule hoare_seq_ext [OF _ get_ep_inv'])
apply (case_tac xa, simp_all)
2015-05-12 15:17:31 +00:00
apply (rename_tac list)
2014-08-11 08:51:04 +00:00
apply (case_tac list, simp_all add: case_bool_If case_option_If
2016-10-25 06:01:30 +00:00
split del: if_split cong: if_cong)
2014-07-14 19:32:44 +00:00
apply (rule hoare_pre)
2015-09-02 05:43:39 +00:00
apply (wp sts_st_tcb_at'_cases setupCallerCap_pred_tcb_unchanged
2014-07-14 19:32:44 +00:00
hoare_vcg_const_imp_lift hoare_drop_imps
| simp)+
2018-03-14 00:48:48 +00:00
apply (clarsimp del: disjCI simp: pred_tcb_at' elim!: pred_tcb'_weakenE)
2014-07-14 19:32:44 +00:00
apply (wp sts_st_tcb_at'_cases)
apply clarsimp
apply (wp sts_st_tcb_at'_cases)
apply clarsimp
done
2017-11-24 11:30:55 +00:00
crunch pred_tcb_at'[wp]: possibleSwitchTo, completeSignal "pred_tcb_at' proj P t"
2014-07-14 19:32:44 +00:00
2015-11-02 00:00:32 +00:00
lemma sendSignal_st_tcb'_Running:
2015-09-02 05:43:39 +00:00
"\<lbrace>st_tcb_at' (\<lambda>st. st = Running \<or> P st) t\<rbrace>
2015-11-02 00:00:32 +00:00
sendSignal ntfnptr bdg
2015-09-02 05:43:39 +00:00
\<lbrace>\<lambda>_. st_tcb_at' (\<lambda>st. st = Running \<or> P st) t\<rbrace>"
2015-11-02 00:00:32 +00:00
apply (simp add: sendSignal_def)
apply (wp sts_st_tcb_at'_cases cancelIPC_st_tcb_at' gts_wp' getNotification_wp static_imp_wp
2015-09-02 05:43:39 +00:00
| wpc | clarsimp simp: pred_tcb_at')+
done
2014-07-14 19:32:44 +00:00
end
2016-04-28 23:47:59 +00:00
end
