2014-07-14 19:32:44 +00:00
|
|
|
(*
|
|
|
|
* Copyright 2014, General Dynamics C4 Systems
|
|
|
|
*
|
2020-03-09 06:18:30 +00:00
|
|
|
* SPDX-License-Identifier: GPL-2.0-only
|
2014-07-14 19:32:44 +00:00
|
|
|
*)
|
|
|
|
|
|
|
|
theory Arch_C
|
2020-03-12 00:55:09 +00:00
|
|
|
imports Recycle_C
|
2014-07-14 19:32:44 +00:00
|
|
|
begin
|
|
|
|
|
2016-05-04 05:07:51 +00:00
|
|
|
context begin interpretation Arch . (*FIXME: arch_split*)
|
2014-07-14 19:32:44 +00:00
|
|
|
crunch ctes_of[wp]: unmapPageTable "\<lambda>s. P (ctes_of s)"
|
2020-01-30 05:56:48 +00:00
|
|
|
(wp: crunch_wps simp: crunch_simps)
|
2014-07-14 19:32:44 +00:00
|
|
|
|
2015-07-13 06:17:55 +00:00
|
|
|
crunch gsMaxObjectSize[wp]: unmapPageTable "\<lambda>s. P (gsMaxObjectSize s)"
|
|
|
|
|
|
|
|
crunch inv[wp]: pteCheckIfMapped "P"
|
|
|
|
|
|
|
|
crunch inv[wp]: pdeCheckIfMapped "P"
|
2016-05-04 05:07:51 +00:00
|
|
|
end
|
2015-07-13 06:17:55 +00:00
|
|
|
|
2014-07-14 19:32:44 +00:00
|
|
|
context kernel_m begin
|
|
|
|
|
|
|
|
lemma performPageTableInvocationUnmap_ccorres:
|
|
|
|
"ccorres (K (K \<bottom>) \<currency> dc) (liftxf errstate id (K ()) ret__unsigned_long_')
|
2019-11-08 06:32:01 +00:00
|
|
|
(invs' and cte_wp_at' ((=) (ArchObjectCap cap) \<circ> cteCap) ctSlot
|
2014-07-14 19:32:44 +00:00
|
|
|
and (\<lambda>_. isPageTableCap cap))
|
|
|
|
(UNIV \<inter> \<lbrace>ccap_relation (ArchObjectCap cap) \<acute>cap\<rbrace> \<inter> \<lbrace>\<acute>ctSlot = Ptr ctSlot\<rbrace>)
|
|
|
|
[]
|
|
|
|
(liftE (performPageTableInvocation (PageTableUnmap cap ctSlot)))
|
|
|
|
(Call performPageTableInvocationUnmap_'proc)"
|
|
|
|
apply (simp only: liftE_liftM ccorres_liftM_simp)
|
|
|
|
apply (rule ccorres_gen_asm)
|
|
|
|
apply (cinit lift: cap_' ctSlot_')
|
|
|
|
apply csymbr
|
|
|
|
apply (simp del: Collect_const)
|
|
|
|
apply (rule ccorres_split_nothrow_novcg_dc)
|
|
|
|
apply (subgoal_tac "capPTMappedAddress cap
|
|
|
|
= (\<lambda>cp. if to_bool (capPTIsMapped_CL cp)
|
|
|
|
then Some (capPTMappedASID_CL cp, capPTMappedAddress_CL cp)
|
|
|
|
else None) (cap_page_table_cap_lift capa)")
|
|
|
|
apply (rule ccorres_Cond_rhs)
|
|
|
|
apply (simp add: to_bool_def)
|
|
|
|
apply (rule ccorres_rhs_assoc)+
|
|
|
|
apply csymbr
|
|
|
|
apply csymbr
|
|
|
|
apply csymbr
|
|
|
|
apply csymbr
|
|
|
|
apply (ctac add: unmapPageTable_ccorres)
|
|
|
|
apply csymbr
|
|
|
|
apply (simp add: storePTE_def swp_def)
|
2021-08-15 07:41:02 +00:00
|
|
|
apply (ctac add: clearMemory_PT_setObject_PTE_ccorres[unfolded dc_def])
|
2014-07-14 19:32:44 +00:00
|
|
|
apply wp
|
|
|
|
apply (simp del: Collect_const)
|
|
|
|
apply (vcg exspec=unmapPageTable_modifies)
|
|
|
|
apply (simp add: to_bool_def)
|
|
|
|
apply (rule ccorres_return_Skip')
|
|
|
|
apply (simp add: cap_get_tag_isCap_ArchObject[symmetric])
|
|
|
|
apply (clarsimp simp: cap_lift_page_table_cap cap_to_H_def
|
|
|
|
cap_page_table_cap_lift_def
|
|
|
|
elim!: ccap_relationE cong: if_cong)
|
|
|
|
apply (simp add: liftM_def getSlotCap_def updateCap_def
|
|
|
|
del: Collect_const)
|
|
|
|
apply (rule ccorres_move_c_guard_cte)
|
|
|
|
apply (rule ccorres_getCTE)+
|
2018-06-09 08:30:53 +00:00
|
|
|
apply (rule_tac P="cte_wp_at' ((=) rv) ctSlot
|
2014-07-14 19:32:44 +00:00
|
|
|
and (\<lambda>_. rv = rva \<and> isArchCap isPageTableCap (cteCap rv))"
|
|
|
|
in ccorres_from_vcg_throws [where P'=UNIV])
|
|
|
|
apply (rule allI, rule conseqPre, vcg)
|
|
|
|
apply (clarsimp simp: cte_wp_at_ctes_of cap_get_tag_isCap_ArchObject)
|
|
|
|
apply (rule cmap_relationE1[OF cmap_relation_cte], assumption+)
|
|
|
|
apply (frule ccte_relation_ccap_relation)
|
|
|
|
apply (clarsimp simp: typ_heap_simps cap_get_tag_isCap_ArchObject)
|
|
|
|
apply (rule fst_setCTE [OF ctes_of_cte_at], assumption)
|
|
|
|
apply (erule rev_bexI)
|
2016-09-21 00:33:03 +00:00
|
|
|
apply (clarsimp simp: rf_sr_def cstate_relation_def Let_def
|
|
|
|
typ_heap_simps')
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule conjI)
|
2016-09-21 00:33:03 +00:00
|
|
|
apply (clarsimp simp: cpspace_relation_def typ_heap_simps')
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (subst setCTE_tcb_case, assumption+)
|
|
|
|
apply (clarsimp dest!: ksPSpace_update_eq_ExD)
|
|
|
|
apply (erule cmap_relation_updI, assumption)
|
|
|
|
apply (simp add: cap_get_tag_isCap_ArchObject[symmetric])
|
|
|
|
apply (clarsimp simp: ccte_relation_def c_valid_cte_def
|
|
|
|
elim!: ccap_relationE)
|
|
|
|
apply (subst cteCap_update_cte_to_H)
|
2016-04-18 20:25:44 +00:00
|
|
|
apply (clarsimp simp: map_option_Some_eq2)
|
2014-08-09 05:16:17 +00:00
|
|
|
apply (rule trans, rule sym, rule option.sel, rule sym, erule arg_cong)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (erule iffD1[OF cap_page_table_cap_lift])
|
2016-04-18 20:25:44 +00:00
|
|
|
apply (clarsimp simp: map_option_Some_eq2 cap_get_tag_isCap_ArchObject[symmetric]
|
2014-07-14 19:32:44 +00:00
|
|
|
cap_lift_page_table_cap cap_to_H_def
|
|
|
|
cap_page_table_cap_lift_def)
|
|
|
|
apply simp
|
|
|
|
apply (clarsimp simp: carch_state_relation_def cmachine_state_relation_def
|
2016-09-21 00:33:03 +00:00
|
|
|
typ_heap_simps'
|
2015-11-16 03:12:37 +00:00
|
|
|
cvariable_array_map_const_add_map_option[where f="tcb_no_ctes_proj"]
|
2014-07-14 19:32:44 +00:00
|
|
|
dest!: ksPSpace_update_eq_ExD)
|
|
|
|
apply (simp add: cte_wp_at_ctes_of)
|
|
|
|
apply (wp mapM_x_wp' | wpc | simp)+
|
|
|
|
apply (simp add: guard_is_UNIV_def)
|
|
|
|
apply (clarsimp simp: cap_get_tag_isCap_ArchObject[symmetric] cte_wp_at_ctes_of)
|
|
|
|
apply (frule ctes_of_valid', clarsimp)
|
2015-07-13 06:17:55 +00:00
|
|
|
apply (frule valid_global_refsD_with_objSize, clarsimp)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (clarsimp simp: cap_lift_page_table_cap cap_to_H_def
|
|
|
|
cap_page_table_cap_lift_def isCap_simps
|
|
|
|
valid_cap'_def get_capSizeBits_CL_def
|
|
|
|
ptBits_def pageBits_def capAligned_def
|
|
|
|
to_bool_def mask_def page_table_at'_def
|
2017-06-05 04:55:42 +00:00
|
|
|
capRange_def Int_commute pteBits_def
|
2019-11-08 06:32:01 +00:00
|
|
|
elim!: ccap_relationE cong: if_cong)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (drule spec[where x=0], clarsimp)
|
|
|
|
done
|
2015-11-16 03:12:37 +00:00
|
|
|
|
2014-07-14 19:32:44 +00:00
|
|
|
lemma cap_case_PageDirectoryCap2:
|
|
|
|
"(case cap of ArchObjectCap (PageDirectoryCap pd mapdata)
|
|
|
|
\<Rightarrow> f pd mapdata | _ \<Rightarrow> g)
|
|
|
|
= (if isArchObjectCap cap \<and> isPageDirectoryCap (capCap cap)
|
|
|
|
then f (capPDBasePtr (capCap cap)) (capPDMappedASID (capCap cap))
|
|
|
|
else g)"
|
|
|
|
by (simp add: isCap_simps
|
|
|
|
split: capability.split arch_capability.split)
|
|
|
|
|
|
|
|
lemma ap_eq_D:
|
2019-06-19 07:05:40 +00:00
|
|
|
"x \<lparr>array_C := arr'\<rparr> = asid_pool_C.asid_pool_C arr \<Longrightarrow> arr' = arr"
|
2014-07-14 19:32:44 +00:00
|
|
|
by (cases x) simp
|
|
|
|
|
|
|
|
declare Kernel_C.asid_pool_C_size [simp del]
|
|
|
|
|
|
|
|
lemma createObjects_asidpool_ccorres:
|
|
|
|
shows "ccorres dc xfdc
|
2016-07-04 07:35:42 +00:00
|
|
|
((\<lambda>s. \<exists>p. cte_wp_at' (\<lambda>cte. cteCap cte = UntypedCap isdev frame pageBits idx ) p s)
|
2014-07-14 19:32:44 +00:00
|
|
|
and pspace_aligned' and pspace_distinct' and valid_objs'
|
2016-09-21 00:33:03 +00:00
|
|
|
and ret_zero frame (2 ^ pageBits)
|
2014-07-14 19:32:44 +00:00
|
|
|
and valid_global_refs' and pspace_no_overlap' frame pageBits)
|
|
|
|
({s. region_actually_is_bytes frame (2^pageBits) s})
|
|
|
|
hs
|
|
|
|
(placeNewObject frame (makeObject::asidpool) 0)
|
|
|
|
(CALL memzero(Ptr frame, (2 ^ unat ARMSmallPageBits));;
|
|
|
|
(global_htd_update (\<lambda>_. ptr_retyp (ap_Ptr frame))))"
|
|
|
|
proof -
|
2017-07-12 05:13:51 +00:00
|
|
|
have helper: "\<forall>\<sigma> x. (\<sigma>, x) \<in> rf_sr \<and> is_aligned frame pageBits \<and> frame \<noteq> 0
|
2014-07-14 19:32:44 +00:00
|
|
|
\<and> pspace_aligned' \<sigma> \<and> pspace_distinct' \<sigma>
|
2017-07-12 05:13:51 +00:00
|
|
|
\<and> pspace_no_overlap' frame pageBits \<sigma>
|
2016-09-21 00:33:03 +00:00
|
|
|
\<and> ret_zero frame (2 ^ pageBits) \<sigma>
|
2017-07-12 05:13:51 +00:00
|
|
|
\<and> region_actually_is_bytes frame (2 ^ pageBits) x
|
2014-07-14 19:32:44 +00:00
|
|
|
\<and> {frame ..+ 2 ^ pageBits} \<inter> kernel_data_refs = {}
|
|
|
|
\<longrightarrow>
|
|
|
|
(\<sigma>\<lparr>ksPSpace := foldr (\<lambda>addr. data_map_insert addr (KOArch (KOASIDPool makeObject))) (new_cap_addrs (Suc 0) frame (KOArch (KOASIDPool makeObject))) (ksPSpace \<sigma>)\<rparr>,
|
|
|
|
x\<lparr>globals := globals x
|
2015-11-16 03:12:37 +00:00
|
|
|
\<lparr>t_hrs_' := hrs_htd_update (ptr_retyps_gen 1 (ap_Ptr frame) False)
|
2014-07-14 19:32:44 +00:00
|
|
|
(hrs_mem_update
|
|
|
|
(heap_update_list frame (replicate (2 ^ pageBits) 0))
|
|
|
|
(t_hrs_' (globals x)))\<rparr>\<rparr>) \<in> rf_sr"
|
2017-07-12 05:13:51 +00:00
|
|
|
(is "\<forall>\<sigma> x. ?P \<sigma> x \<longrightarrow>
|
2014-07-14 19:32:44 +00:00
|
|
|
(\<sigma>\<lparr>ksPSpace := ?ks \<sigma>\<rparr>, x\<lparr>globals := globals x\<lparr>t_hrs_' := ?ks' x\<rparr>\<rparr>) \<in> rf_sr")
|
|
|
|
proof (intro impI allI)
|
|
|
|
fix \<sigma> x
|
|
|
|
let ?thesis = "(\<sigma>\<lparr>ksPSpace := ?ks \<sigma>\<rparr>, x\<lparr>globals := globals x\<lparr>t_hrs_' := ?ks' x\<rparr>\<rparr>) \<in> rf_sr"
|
|
|
|
let ?ks = "?ks \<sigma>"
|
|
|
|
let ?ks' = "?ks' x"
|
|
|
|
let ?ptr = "ap_Ptr frame"
|
2017-07-12 05:13:51 +00:00
|
|
|
|
2014-07-14 19:32:44 +00:00
|
|
|
assume "?P \<sigma> x"
|
|
|
|
hence rf: "(\<sigma>, x) \<in> rf_sr" and al: "is_aligned frame pageBits" and ptr0: "frame \<noteq> 0"
|
|
|
|
and pal: "pspace_aligned' \<sigma>" and pdst: "pspace_distinct' \<sigma>"
|
2017-07-12 05:13:51 +00:00
|
|
|
and pno: "pspace_no_overlap' frame pageBits \<sigma>"
|
2016-09-21 00:33:03 +00:00
|
|
|
and zro: "ret_zero frame (2 ^ pageBits) \<sigma>"
|
2014-07-14 19:32:44 +00:00
|
|
|
and actually: "region_actually_is_bytes frame (2 ^ pageBits) x"
|
|
|
|
and kdr: "{frame ..+ 2 ^ pageBits} \<inter> kernel_data_refs = {}"
|
2016-09-21 00:33:03 +00:00
|
|
|
by simp_all
|
2014-07-14 19:32:44 +00:00
|
|
|
|
|
|
|
note empty = region_actually_is_bytes[OF actually]
|
|
|
|
|
|
|
|
have relrl:
|
|
|
|
"casid_pool_relation makeObject (from_bytes (replicate (size_of TYPE(asid_pool_C)) 0))"
|
|
|
|
unfolding casid_pool_relation_def
|
|
|
|
apply (clarsimp simp: makeObject_asidpool split: asid_pool_C.splits)
|
|
|
|
apply (clarsimp simp: array_relation_def option_to_ptr_def option_to_0_def)
|
|
|
|
apply (simp add: from_bytes_def)
|
2017-07-12 05:13:51 +00:00
|
|
|
apply (simp add: typ_info_simps asid_pool_C_tag_def
|
2014-07-14 19:32:44 +00:00
|
|
|
size_td_lt_final_pad size_td_lt_ti_typ_pad_combine Let_def size_of_def)
|
|
|
|
apply (simp add: final_pad_def Let_def size_td_lt_ti_typ_pad_combine)
|
2017-07-12 05:13:51 +00:00
|
|
|
apply (simp add: padup_def align_td_array')
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (subst (asm) size_td_array)
|
|
|
|
apply simp
|
2017-07-12 05:13:51 +00:00
|
|
|
apply (simp add: size_td_array ti_typ_pad_combine_def ti_typ_combine_def
|
2014-07-14 19:32:44 +00:00
|
|
|
Let_def empty_typ_info_def update_ti_adjust_ti
|
|
|
|
del: replicate_numeral Kernel_C.pde_C_size)
|
|
|
|
apply (simp add: typ_info_array array_tag_def
|
|
|
|
del: replicate_numeral)
|
|
|
|
apply (drule ap_eq_D)
|
|
|
|
apply (clarsimp simp del: replicate_numeral)
|
|
|
|
apply (subst update_ti_t_array_tag_n_rep)
|
|
|
|
apply (simp del: replicate_numeral)
|
|
|
|
apply simp
|
|
|
|
apply (simp del: replicate_numeral)
|
|
|
|
apply (subst index_fold_update)
|
|
|
|
apply simp
|
|
|
|
apply auto[1]
|
|
|
|
apply (simp add: asid_low_bits_def word_le_nat_alt)
|
2016-10-25 06:01:30 +00:00
|
|
|
apply (simp split: if_split)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule conjI)
|
|
|
|
apply (clarsimp simp: update_ti_t_ptr_0s)
|
|
|
|
apply (clarsimp simp: asid_low_bits_def word_le_nat_alt)
|
|
|
|
done
|
2017-07-12 05:13:51 +00:00
|
|
|
|
2018-06-27 12:43:34 +00:00
|
|
|
define ko where "ko \<equiv> KOArch (KOASIDPool makeObject)"
|
2014-07-14 19:32:44 +00:00
|
|
|
|
2017-07-12 05:13:51 +00:00
|
|
|
have rc :"range_cover frame (objBitsKO ko) (objBitsKO ko) (Suc 0)"
|
2014-07-14 19:32:44 +00:00
|
|
|
by (simp add:objBits_simps ko_def archObjSize_def al range_cover_full)
|
|
|
|
|
|
|
|
have rc' :"range_cover frame (objBitsKO ko) (objBitsKO ko) (2 ^ 0)"
|
|
|
|
by (simp add:objBits_simps ko_def archObjSize_def al range_cover_full range_cover_rel)
|
|
|
|
|
2017-07-12 05:13:51 +00:00
|
|
|
have pno': "pspace_no_overlap' frame (objBitsKO ko) \<sigma>"
|
2014-07-14 19:32:44 +00:00
|
|
|
by (simp add:objBits_simps pno ko_def archObjSize_def al)
|
2017-07-12 05:13:51 +00:00
|
|
|
|
2016-02-01 08:24:20 +00:00
|
|
|
have al': "is_aligned frame (objBitsKO (ko::kernel_object))"
|
2014-07-14 19:32:44 +00:00
|
|
|
by (simp add:objBits_simps ko_def archObjSize_def al)
|
|
|
|
|
|
|
|
(* s/obj/obj'/ *)
|
2017-07-12 05:13:51 +00:00
|
|
|
have szo: "size_of TYPE(asid_pool_C) = 2 ^ objBitsKO ko"
|
2014-07-14 19:32:44 +00:00
|
|
|
by (simp add: size_of_def objBits_simps ko_def archObjSize_def pageBits_def)
|
|
|
|
have szko: "objBitsKO ko = pageBits"
|
2017-07-12 05:13:51 +00:00
|
|
|
by (simp add: objBits_simps ko_def archObjSize_def)
|
2014-07-14 19:32:44 +00:00
|
|
|
hence sz: "objBitsKO ko \<le> pageBits" by simp
|
|
|
|
have szo': "2 ^ pageBits = 2 ^ (pageBits - objBitsKO ko) * size_of TYPE(asid_pool_C)" using szko
|
|
|
|
apply (subst szo)
|
|
|
|
apply (simp add: power_add [symmetric])
|
|
|
|
done
|
|
|
|
|
|
|
|
have [simp]: "(2::nat) ^ (pageBits - objBitsKO ko) * 2 ^ objBitsKO ko = 2 ^ pageBits"
|
|
|
|
by (clarsimp simp:pageBits_def objBits_simps ko_def archObjSize_def)
|
|
|
|
|
|
|
|
have ptr_retyp:
|
|
|
|
"hrs_htd_update (ptr_retyps (2 ^ (pageBits - objBitsKO ko)) (ap_Ptr frame)) = hrs_htd_update (ptr_retyp (ap_Ptr frame))"
|
|
|
|
apply (simp add: szko hrs_htd_update_def)
|
|
|
|
done
|
|
|
|
|
|
|
|
note rl' = cslift_ptr_retyp_memset_other_inst [OF _ rc' _ szo,
|
|
|
|
simplified, OF empty[folded szko] szo[symmetric], unfolded szko]
|
|
|
|
|
|
|
|
have szb: "pageBits < word_bits" by simp
|
2016-07-04 07:35:42 +00:00
|
|
|
have mko: "\<And>dev. makeObjectKO dev (Inl (KOArch (KOASIDPool f))) = Some ko"
|
|
|
|
by (simp add: ko_def makeObjectKO_def)
|
2017-07-12 05:13:51 +00:00
|
|
|
|
2014-07-14 19:32:44 +00:00
|
|
|
|
2015-11-16 03:12:37 +00:00
|
|
|
note rl = projectKO_opt_retyp_other [OF rc pal pno' ko_def]
|
2017-07-12 05:13:51 +00:00
|
|
|
note cterl = retype_ctes_helper[OF pal pdst pno' al'
|
2014-07-14 19:32:44 +00:00
|
|
|
le_refl range_cover_sz'[where 'a=32, folded word_bits_def, OF rc] mko rc,simplified]
|
2015-11-16 03:12:37 +00:00
|
|
|
note ht_rl = clift_eq_h_t_valid_eq[OF rl', OF tag_disj_via_td_name, simplified]
|
2014-07-14 19:32:44 +00:00
|
|
|
|
2017-07-12 05:13:51 +00:00
|
|
|
have guard:
|
2014-07-14 19:32:44 +00:00
|
|
|
"\<forall>n<2 ^ (pageBits - objBitsKO ko). c_guard (CTypesDefs.ptr_add ?ptr (of_nat n))"
|
|
|
|
apply (rule retype_guard_helper[where m = 2])
|
|
|
|
apply (rule range_cover_rel[OF rc])
|
|
|
|
apply fastforce
|
|
|
|
apply simp
|
|
|
|
apply (clarsimp simp:objBits_simps ko_def archObjSize_def)
|
|
|
|
apply (simp add:ptr0)
|
|
|
|
apply (simp add:szo)
|
|
|
|
apply (simp add:align_of_def objBits_simps pageBits_def ko_def archObjSize_def)+
|
|
|
|
done
|
|
|
|
|
|
|
|
have cslift_ptr_retyp_helper:
|
2016-02-02 00:53:00 +00:00
|
|
|
"\<forall>x::asid_pool_C ptr\<in>dom (cslift x). is_aligned (ptr_val x) (objBitsKO ko)
|
2015-11-16 03:12:37 +00:00
|
|
|
\<Longrightarrow> clift (hrs_htd_update (ptr_retyps_gen 1 (ap_Ptr frame) False)
|
2016-02-02 00:53:00 +00:00
|
|
|
(hrs_mem_update (heap_update_list frame (replicate ((2::nat) ^ pageBits) (0::word8)))
|
2014-07-14 19:32:44 +00:00
|
|
|
(t_hrs_' (globals x)))) =
|
2016-02-02 00:53:00 +00:00
|
|
|
(\<lambda>y::asid_pool_C ptr.
|
|
|
|
if y \<in> (CTypesDefs.ptr_add (ap_Ptr frame) \<circ> of_nat) ` {k::nat. k < (2::nat) ^ (pageBits - objBitsKO ko)}
|
|
|
|
then Some (from_bytes (replicate (size_of TYPE(asid_pool_C)) (0::word8))) else cslift x y)"
|
2015-11-16 03:12:37 +00:00
|
|
|
using guard
|
|
|
|
apply (subst clift_ptr_retyps_gen_memset_same, simp_all add: szo szko)
|
|
|
|
apply (simp add: szo empty szko)
|
2014-07-14 19:32:44 +00:00
|
|
|
done
|
|
|
|
|
2017-07-12 05:13:51 +00:00
|
|
|
from rf have "cpspace_relation (ksPSpace \<sigma>) (underlying_memory (ksMachineState \<sigma>)) (t_hrs_' (globals x))"
|
2014-07-14 19:32:44 +00:00
|
|
|
unfolding rf_sr_def cstate_relation_def by (simp add: Let_def)
|
|
|
|
hence "cpspace_relation ?ks (underlying_memory (ksMachineState \<sigma>)) ?ks'"
|
|
|
|
unfolding cpspace_relation_def
|
|
|
|
apply -
|
2019-06-03 01:02:44 +00:00
|
|
|
supply image_cong_simp [cong del]
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (clarsimp simp: rl' cterl[unfolded ko_def] tag_disj_via_td_name
|
|
|
|
foldr_upd_app_if [folded data_map_insert_def] cte_C_size tcb_C_size)
|
2015-11-16 03:12:37 +00:00
|
|
|
apply (subst cslift_ptr_retyp_helper[simplified])
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (erule pspace_aligned_to_C [OF pal])
|
|
|
|
apply (simp add: projectKOs ko_def)
|
|
|
|
apply (simp add: ko_def projectKOs objBits_simps archObjSize_def)
|
2015-11-16 03:12:37 +00:00
|
|
|
apply (simp add: ptr_add_to_new_cap_addrs [OF szo] ht_rl)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (simp add: rl[unfolded ko_def] projectKO_opt_retyp_same ko_def projectKOs cong: if_cong)
|
|
|
|
apply (simp add:objBits_simps archObjSize_def)
|
|
|
|
apply (erule cmap_relation_retype)
|
|
|
|
apply (rule relrl)
|
|
|
|
done
|
|
|
|
|
2016-09-21 00:33:03 +00:00
|
|
|
thus ?thesis using rf empty kdr zro
|
2015-11-16 03:12:37 +00:00
|
|
|
apply (simp add: rf_sr_def cstate_relation_def Let_def rl' tag_disj_via_td_name
|
|
|
|
ko_def[symmetric])
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (simp add: carch_state_relation_def cmachine_state_relation_def)
|
|
|
|
apply (simp add: rl' cterl tag_disj_via_td_name h_t_valid_clift_Some_iff tcb_C_size)
|
2015-11-16 03:12:37 +00:00
|
|
|
apply (clarsimp simp: hrs_htd_update ptr_retyps_htd_safe_neg szo szko
|
|
|
|
kernel_data_refs_domain_eq_rotate
|
|
|
|
cvariable_array_ptr_retyps[OF szo]
|
|
|
|
foldr_upd_app_if [folded data_map_insert_def]
|
2016-09-21 00:33:03 +00:00
|
|
|
zero_ranges_ptr_retyps
|
2015-11-16 03:12:37 +00:00
|
|
|
rl empty projectKOs)
|
2014-07-14 19:32:44 +00:00
|
|
|
done
|
|
|
|
qed
|
|
|
|
|
|
|
|
have [simp]:
|
|
|
|
"of_nat pageBits < (4::word32) = False" by (simp add: pageBits_def)
|
|
|
|
|
|
|
|
show ?thesis
|
|
|
|
apply (rule ccorres_from_vcg_nofail2, rule allI)
|
2017-07-12 05:13:51 +00:00
|
|
|
apply (rule conseqPre)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply vcg
|
2016-10-25 06:01:30 +00:00
|
|
|
apply (clarsimp simp: cte_wp_at_ctes_of split: if_split_asm)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (frule(1) ctes_of_valid', clarsimp)
|
2015-07-13 06:17:55 +00:00
|
|
|
apply (subst ghost_assertion_size_logic[unfolded o_def, rotated], assumption)
|
|
|
|
apply (drule(1) valid_global_refsD_with_objSize)
|
|
|
|
apply (simp add: ARMSmallPageBits_def pageBits_def)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (erule valid_untyped_capE)
|
|
|
|
apply (subst simpler_placeNewObject_def)
|
|
|
|
apply ((simp add:word_bits_conv objBits_simps archObjSize_def
|
|
|
|
capAligned_def)+)[4]
|
|
|
|
apply (simp add:simpler_modify_def rf_sr_htd_safe)
|
|
|
|
apply (subgoal_tac "{frame ..+ 2 ^ pageBits} \<inter> kernel_data_refs = {}")
|
|
|
|
prefer 2
|
|
|
|
apply (drule(1) valid_global_refsD')
|
2017-07-12 05:13:51 +00:00
|
|
|
apply (clarsimp simp:Int_commute pageBits_def ARMSmallPageBits_def
|
2014-07-14 19:32:44 +00:00
|
|
|
intvl_range_conv[where bits = pageBits,unfolded pageBits_def word_bits_def,simplified])
|
|
|
|
apply (intro conjI impI)
|
2017-07-12 05:13:51 +00:00
|
|
|
apply (erule is_aligned_no_wrap')
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (clarsimp simp:ARMSmallPageBits_def pageBits_def)
|
|
|
|
apply (erule is_aligned_weaken,simp add:pageBits_def)
|
|
|
|
apply (simp add:is_aligned_def ARMSmallPageBits_def)
|
|
|
|
apply (simp add: region_actually_is_bytes_dom_s pageBits_def ARMSmallPageBits_def)
|
|
|
|
apply (clarsimp simp: rf_sr_def cstate_relation_def Let_def
|
|
|
|
kernel_data_refs_domain_eq_rotate
|
|
|
|
size_of_def pageBits_def
|
2020-08-18 05:58:18 +00:00
|
|
|
ptr_retyp_htd_safe_neg)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply clarsimp
|
|
|
|
apply (cut_tac helper [rule_format])
|
|
|
|
prefer 2
|
|
|
|
apply fastforce
|
|
|
|
apply (subst data_map_insert_def[symmetric])
|
|
|
|
apply (erule iffD1[OF rf_sr_upd,rotated -1 ])
|
|
|
|
apply simp_all
|
|
|
|
apply (simp add: hrs_htd_update_def hrs_mem_update_def split_def)
|
2015-11-16 03:12:37 +00:00
|
|
|
apply (simp add: pageBits_def ARMSmallPageBits_def ptr_retyps_gen_def
|
|
|
|
del:replicate_numeral)
|
2014-07-14 19:32:44 +00:00
|
|
|
done
|
|
|
|
qed
|
|
|
|
|
2015-07-13 06:17:55 +00:00
|
|
|
lemma ghost_assertion_data_get_gs_clear_region:
|
|
|
|
"gs_get_assn proc (gs_clear_region addr n gs) = gs_get_assn proc gs"
|
|
|
|
by (clarsimp simp: ghost_assertion_data_get_def gs_clear_region_def)
|
|
|
|
|
|
|
|
lemma ghost_assertion_size_logic_flex:
|
|
|
|
"unat (sz :: word32) \<le> gsMaxObjectSize s
|
|
|
|
\<Longrightarrow> (s, \<sigma>') \<in> rf_sr
|
|
|
|
\<Longrightarrow> gs_get_assn cap_get_capSizeBits_'proc (ghost'state_' (globals \<sigma>'))
|
|
|
|
= gs_get_assn cap_get_capSizeBits_'proc gs
|
|
|
|
\<Longrightarrow> gs_get_assn cap_get_capSizeBits_'proc gs = 0 \<or>
|
|
|
|
sz \<le> gs_get_assn cap_get_capSizeBits_'proc gs"
|
|
|
|
by (metis ghost_assertion_size_logic)
|
|
|
|
|
2014-07-14 19:32:44 +00:00
|
|
|
lemma performASIDControlInvocation_ccorres:
|
|
|
|
notes replicate_numeral[simp del]
|
|
|
|
shows
|
|
|
|
"ccorres (K (K \<bottom>) \<currency> dc) (liftxf errstate id (K ()) ret__unsigned_long_')
|
2017-07-12 05:13:51 +00:00
|
|
|
(invs'
|
|
|
|
and ct_active'
|
2014-07-14 19:32:44 +00:00
|
|
|
and sch_act_simple
|
2017-07-12 05:13:51 +00:00
|
|
|
and cte_wp_at' (\<lambda>cte. cteCap cte = capability.UntypedCap isdev frame pageBits idx) parent
|
2014-07-14 19:32:44 +00:00
|
|
|
and (\<lambda>s. descendants_of' parent (ctes_of s) = {})
|
2017-07-12 05:13:51 +00:00
|
|
|
and ex_cte_cap_to' parent
|
2014-07-14 19:32:44 +00:00
|
|
|
and (\<lambda>_. base \<le> mask asid_bits \<and> is_aligned base asid_low_bits))
|
|
|
|
(UNIV \<inter> {s. frame_' s = Ptr frame}
|
|
|
|
\<inter> {s. slot_' s = cte_Ptr slot}
|
|
|
|
\<inter> {s. parent_' s = cte_Ptr parent}
|
|
|
|
\<inter> {s. asid_base_' s = base}) []
|
|
|
|
(liftE (performASIDControlInvocation (MakePool frame slot parent base)))
|
|
|
|
(Call performASIDControlInvocation_'proc)"
|
|
|
|
apply (rule ccorres_gen_asm)
|
|
|
|
apply (simp only: liftE_liftM ccorres_liftM_simp)
|
|
|
|
apply (cinit lift: frame_' slot_' parent_' asid_base_')
|
|
|
|
apply (rule_tac P="is_aligned frame pageBits" in ccorres_gen_asm)
|
|
|
|
apply (rule ccorres_rhs_assoc2)
|
2014-08-11 08:51:04 +00:00
|
|
|
apply (rule ccorres_split_nothrow[where c="Seq c c'" for c c'])
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (fold pageBits_def)[1]
|
|
|
|
apply (simp add: hrs_htd_update)
|
|
|
|
apply (rule deleteObjects_ccorres)
|
|
|
|
apply ceqv
|
2016-09-21 00:33:03 +00:00
|
|
|
apply (rule ccorres_rhs_assoc2)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule ccorres_abstract_cleanup)
|
|
|
|
apply (rule ccorres_symb_exec_l)
|
2016-07-04 07:35:42 +00:00
|
|
|
apply (rule_tac P = "rva = (capability.UntypedCap isdev frame pageBits idx)" in ccorres_gen_asm)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (simp add: hrs_htd_update del:fun_upd_apply)
|
2016-09-21 00:33:03 +00:00
|
|
|
apply (rule ccorres_split_nothrow)
|
|
|
|
|
|
|
|
apply (rule_tac cap'="UntypedCap isdev frame pageBits idx" in updateFreeIndex_ccorres)
|
|
|
|
apply (rule allI, rule conseqPre, vcg)
|
|
|
|
apply (rule subsetI, clarsimp simp: typ_heap_simps' pageBits_def isCap_simps)
|
|
|
|
apply (frule ccte_relation_ccap_relation, clarsimp)
|
|
|
|
apply (frule cap_get_tag_isCap_unfolded_H_cap)
|
|
|
|
apply (clarsimp simp: isCap_simps cap_lift_untyped_cap
|
|
|
|
cap_to_H_simps cap_untyped_cap_lift_def
|
|
|
|
ccap_relation_def modify_map_def
|
|
|
|
fun_eq_iff
|
2016-10-25 06:01:30 +00:00
|
|
|
dest!: word_unat.Rep_inverse' split: if_split)
|
2016-09-21 00:33:03 +00:00
|
|
|
apply (rule exI, strengthen refl)
|
|
|
|
apply (case_tac cte', simp add: cap_lift_untyped_cap max_free_index_def mask_def)
|
|
|
|
apply (simp add: mex_def meq_def del: split_paired_Ex)
|
|
|
|
apply blast
|
|
|
|
apply ceqv
|
2014-07-14 19:32:44 +00:00
|
|
|
apply ccorres_remove_UNIV_guard
|
|
|
|
apply (rule ccorres_Guard_Seq[where F=ShiftError])+
|
2016-09-21 00:33:03 +00:00
|
|
|
apply (ctac (c_lines 2) add:createObjects_asidpool_ccorres[where idx="max_free_index pageBits"]
|
2014-07-14 19:32:44 +00:00
|
|
|
pre del: ccorres_Guard_Seq)
|
|
|
|
apply csymbr
|
|
|
|
apply (ctac (no_vcg) add: cteInsert_ccorres)
|
|
|
|
apply (simp add: ccorres_seq_skip del: fun_upd_apply)
|
|
|
|
apply (rule ccorres_assert)
|
|
|
|
apply (rule_tac P=\<top> and P'=UNIV in ccorres_from_vcg_throws)
|
|
|
|
apply (rule allI, rule conseqPre, vcg)
|
|
|
|
apply (clarsimp simp: gets_def modify_def return_def put_def get_def bind_def
|
|
|
|
asid_shiftr_low_bits_less
|
|
|
|
simp del: fun_upd_apply Collect_const)
|
|
|
|
apply (clarsimp simp: word_sle_def word_sless_def Kernel_C.asidLowBits_def simp del: fun_upd_apply)
|
|
|
|
apply (clarsimp simp: rf_sr_def cstate_relation_def Let_def cmachine_state_relation_def simp del: fun_upd_apply)
|
|
|
|
apply (clarsimp simp: carch_state_relation_def carch_globals_def simp del: fun_upd_apply)
|
|
|
|
apply (simp add: asid_high_bits_of_def fun_upd_def[symmetric]
|
|
|
|
del: fun_upd_apply)
|
|
|
|
apply (erule array_relation_update)
|
|
|
|
apply (simp add: unat_ucast)
|
|
|
|
apply (drule leq_asid_bits_shift)
|
|
|
|
apply (simp add: asid_high_bits_def mask_def word_le_nat_alt)
|
|
|
|
apply simp
|
|
|
|
apply (clarsimp simp: option_to_ptr_def option_to_0_def)
|
|
|
|
apply (clarsimp simp: asid_high_bits_def)
|
2017-01-13 12:58:40 +00:00
|
|
|
apply wp+
|
2015-10-29 00:22:21 +00:00
|
|
|
apply (strengthen valid_pspace_mdb' vp_strgs' valid_pspace_valid_objs')
|
2015-05-16 09:52:49 +00:00
|
|
|
apply (clarsimp simp: is_simple_cap'_def isCap_simps conj_comms placeNewObject_def2)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (wp createObjects_valid_pspace'[where ty="Inl (KOArch (KOASIDPool f))" and sz = pageBits]
|
2017-07-12 05:13:51 +00:00
|
|
|
createObjects_cte_wp_at'[where sz = pageBits]
|
2014-07-14 19:32:44 +00:00
|
|
|
| simp add:makeObjectKO_def objBits_simps archObjSize_def range_cover_full)+
|
|
|
|
apply (clarsimp simp:valid_cap'_def capAligned_def)
|
|
|
|
apply (wp createObject_typ_at')
|
|
|
|
apply clarsimp
|
|
|
|
apply vcg
|
2015-05-16 09:52:49 +00:00
|
|
|
apply (clarsimp simp:conj_comms objBits_simps archObjSize_def |
|
2015-10-29 00:22:21 +00:00
|
|
|
strengthen valid_pspace_mdb' vp_strgs' invs_valid_pspace'
|
2016-09-21 00:33:03 +00:00
|
|
|
valid_pspace_valid_objs' invs_valid_global'
|
|
|
|
invs_urz)+
|
2016-09-10 02:58:11 +00:00
|
|
|
apply (wp updateFreeIndex_forward_invs'
|
2016-09-21 00:33:03 +00:00
|
|
|
updateFreeIndex_caps_no_overlap''[where sz=pageBits]
|
|
|
|
updateFreeIndex_pspace_no_overlap'[where sz=pageBits]
|
|
|
|
updateFreeIndex_caps_overlap_reserved
|
|
|
|
updateFreeIndex_cte_wp_at
|
|
|
|
)
|
|
|
|
apply (strengthen exI[where x=parent])
|
|
|
|
apply (wp updateFreeIndex_cte_wp_at)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply clarsimp
|
|
|
|
apply vcg
|
|
|
|
apply wp
|
|
|
|
apply clarsimp
|
|
|
|
apply (wp getSlotCap_wp)
|
|
|
|
apply clarsimp
|
2018-06-09 08:30:53 +00:00
|
|
|
apply (rule_tac Q="\<lambda>_. cte_wp_at' ((=) (UntypedCap isdev frame pageBits idx) o cteCap) parent
|
2016-02-02 00:53:00 +00:00
|
|
|
and (\<lambda>s. descendants_range_in' {frame..frame + (2::word32) ^ pageBits - (1::word32)} parent (ctes_of s))
|
2014-07-14 19:32:44 +00:00
|
|
|
and pspace_no_overlap' frame pageBits
|
|
|
|
and invs'
|
|
|
|
and ct_active'"
|
|
|
|
in hoare_post_imp)
|
|
|
|
apply (clarsimp simp: cte_wp_at_ctes_of invs_valid_objs' range_cover_full word_bits_conv
|
2017-12-18 01:58:27 +00:00
|
|
|
pageBits_def max_free_index_def asid_low_bits_def untypedBits_defs)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (case_tac cte,clarsimp simp:invs_valid_pspace')
|
|
|
|
apply (frule(1) ctes_of_valid_cap'[OF _ invs_valid_objs'])
|
2016-09-21 00:33:03 +00:00
|
|
|
apply (clarsimp simp:valid_cap'_def asid_low_bits_def invs_urz)
|
|
|
|
apply (strengthen descendants_range_in_subseteq'[mk_strg I E] refl)
|
|
|
|
apply simp
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (intro conjI)
|
2016-09-21 00:33:03 +00:00
|
|
|
apply (simp add:is_aligned_def)
|
2016-07-04 07:35:42 +00:00
|
|
|
apply (rule descendants_range_caps_no_overlapI'[where d=isdev and cref = parent])
|
2016-09-21 00:33:03 +00:00
|
|
|
apply simp
|
|
|
|
apply (fastforce simp:cte_wp_at_ctes_of is_aligned_neg_mask_eq)
|
|
|
|
apply (clarsimp simp:is_aligned_neg_mask_eq)
|
|
|
|
apply (rule le_m1_iff_lt[THEN iffD1,THEN iffD1])
|
|
|
|
apply (simp add:asid_bits_def)
|
|
|
|
apply (simp add:mask_def)
|
|
|
|
apply (clarsimp dest!: upto_intvl_eq)
|
2016-07-04 07:35:42 +00:00
|
|
|
apply (wp deleteObjects_cte_wp_at'[where d=isdev and idx = idx and p = parent]
|
|
|
|
deleteObjects_descendants[where d=isdev and p = parent and idx = idx]
|
|
|
|
deleteObjects_invs'[where d=isdev and p = parent and idx = idx]
|
2016-09-21 00:33:03 +00:00
|
|
|
Detype_R.deleteObjects_descendants[where p = parent and idx = idx]
|
2016-07-04 07:35:42 +00:00
|
|
|
deleteObjects_ct_active'[where d=isdev and cref = parent and idx = idx])
|
2014-07-14 19:32:44 +00:00
|
|
|
apply clarsimp
|
|
|
|
apply vcg
|
2017-12-18 01:58:27 +00:00
|
|
|
apply (clarsimp simp: conj_comms invs_valid_pspace')
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (frule cte_wp_at_valid_objs_valid_cap', fastforce)
|
2017-12-18 01:58:27 +00:00
|
|
|
apply (clarsimp simp: valid_cap'_def capAligned_def cte_wp_at_ctes_of untypedBits_defs
|
|
|
|
descendants_range'_def2 empty_descendants_range_in')
|
2016-09-21 00:33:03 +00:00
|
|
|
apply (intro conjI; (rule refl)?)
|
2016-07-04 07:35:42 +00:00
|
|
|
apply clarsimp
|
|
|
|
apply (drule(1) cte_cap_in_untyped_range[where ptr = frame])
|
|
|
|
apply (fastforce simp: cte_wp_at_ctes_of)
|
|
|
|
apply assumption+
|
|
|
|
apply fastforce
|
2014-07-14 19:32:44 +00:00
|
|
|
apply simp
|
2016-07-04 07:35:42 +00:00
|
|
|
apply assumption
|
2014-07-14 19:32:44 +00:00
|
|
|
apply simp
|
2016-07-04 07:35:42 +00:00
|
|
|
apply simp
|
|
|
|
apply (erule empty_descendants_range_in')
|
|
|
|
apply (fastforce)
|
|
|
|
apply (erule(1) cmap_relationE1[OF cmap_relation_cte])
|
|
|
|
apply (clarsimp simp: typ_heap_simps cap_get_tag_isCap dest!: ccte_relation_ccap_relation)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (clarsimp simp: is_aligned_mask max_free_index_def pageBits_def
|
|
|
|
gen_framesize_to_H_def)
|
2016-09-21 00:33:03 +00:00
|
|
|
apply (rule conjI, rule UNIV_I)?
|
|
|
|
apply clarsimp?
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (erule_tac s = sa in rf_sr_ctes_of_cliftE)
|
|
|
|
apply assumption
|
|
|
|
apply (frule_tac s = sa in rf_sr_cte_relation)
|
|
|
|
apply simp+
|
2016-09-21 00:33:03 +00:00
|
|
|
apply (clarsimp simp:typ_heap_simps' region_is_bytes'_def[where sz=0])
|
|
|
|
apply (frule ccte_relation_ccap_relation)
|
2016-11-29 01:59:18 +00:00
|
|
|
apply (clarsimp simp: cap_get_tag_isCap hrs_htd_update)
|
2017-07-12 05:13:51 +00:00
|
|
|
apply (clarsimp simp: hrs_htd_update_def split_def
|
|
|
|
pageBits_def
|
2016-10-25 06:01:30 +00:00
|
|
|
split: if_split)
|
2015-07-13 06:17:55 +00:00
|
|
|
apply (clarsimp simp: ARMSmallPageBits_def word_sle_def is_aligned_mask[symmetric]
|
|
|
|
ghost_assertion_data_get_gs_clear_region[unfolded o_def])
|
|
|
|
apply (subst ghost_assertion_size_logic_flex[unfolded o_def, rotated])
|
|
|
|
apply assumption
|
|
|
|
apply (simp add: ghost_assertion_data_get_gs_clear_region[unfolded o_def])
|
|
|
|
apply (drule valid_global_refsD_with_objSize, clarsimp)+
|
2016-09-21 00:33:03 +00:00
|
|
|
apply (clarsimp simp: isCap_simps dest!: ccte_relation_ccap_relation)
|
2016-11-29 01:59:18 +00:00
|
|
|
apply (cut_tac ptr=frame and bits=12
|
|
|
|
and htd="typ_region_bytes frame 12 (hrs_htd (t_hrs_' (globals s')))" in typ_region_bytes_actually_is_bytes)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (simp add: hrs_htd_update)
|
2016-11-29 01:59:18 +00:00
|
|
|
apply (clarsimp simp: region_actually_is_bytes'_def[where len=0])
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (intro conjI)
|
|
|
|
apply (clarsimp elim!:is_aligned_weaken)
|
|
|
|
apply (simp add:is_aligned_def)
|
2016-11-29 01:59:18 +00:00
|
|
|
apply (simp add: hrs_htd_def)
|
|
|
|
apply (erule is_aligned_no_wrap',simp)
|
|
|
|
apply (drule region_actually_is_bytes_dom_s[OF _ order_refl])
|
|
|
|
apply (simp add: hrs_htd_def split_def)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (clarsimp simp: ccap_relation_def)
|
|
|
|
apply (clarsimp simp: cap_asid_pool_cap_lift)
|
|
|
|
apply (clarsimp simp: cap_to_H_def)
|
2018-09-17 06:17:28 +00:00
|
|
|
apply (drule word_le_mask_eq)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (simp add: asid_bits_def)
|
|
|
|
done
|
|
|
|
|
|
|
|
lemmas performARMMMUInvocations
|
|
|
|
= ccorres_invocationCatch_Inr performInvocation_def
|
2016-05-01 03:35:49 +00:00
|
|
|
ARM_H.performInvocation_def performARMMMUInvocation_def
|
2014-07-14 19:32:44 +00:00
|
|
|
liftE_bind_return_bindE_returnOk
|
|
|
|
|
|
|
|
lemma slotcap_in_mem_PageDirectory:
|
|
|
|
"\<lbrakk> slotcap_in_mem cap slot (ctes_of s); (s, s') \<in> rf_sr \<rbrakk>
|
|
|
|
\<Longrightarrow> \<exists>v. cslift s' (cte_Ptr slot) = Some v
|
|
|
|
\<and> (cap_get_tag (cte_C.cap_C v) = scast cap_page_directory_cap)
|
|
|
|
= (isArchObjectCap cap \<and> isPageDirectoryCap (capCap cap))
|
|
|
|
\<and> (isArchObjectCap cap \<and> isPageDirectoryCap (capCap cap)
|
|
|
|
\<longrightarrow> ccap_relation cap (cte_C.cap_C v))"
|
|
|
|
apply (clarsimp simp: slotcap_in_mem_def)
|
|
|
|
apply (erule(1) cmap_relationE1[OF cmap_relation_cte])
|
|
|
|
apply (clarsimp dest!: ccte_relation_ccap_relation)
|
|
|
|
apply (simp add: cap_get_tag_isCap_ArchObject2)
|
|
|
|
done
|
|
|
|
|
|
|
|
lemma decodeARMPageTableInvocation_ccorres:
|
|
|
|
"\<lbrakk> interpret_excaps extraCaps' = excaps_map extraCaps;
|
|
|
|
isPageTableCap cp \<rbrakk>
|
|
|
|
\<Longrightarrow>
|
|
|
|
ccorres (intr_and_se_rel \<currency> dc) (liftxf errstate id (K ()) ret__unsigned_long_')
|
|
|
|
(invs' and (\<lambda>s. ksCurThread s = thread) and ct_active' and sch_act_simple
|
|
|
|
and (excaps_in_mem extraCaps \<circ> ctes_of)
|
2019-11-08 06:32:01 +00:00
|
|
|
and cte_wp_at' ((=) (ArchObjectCap cp) \<circ> cteCap) slot
|
2015-11-16 03:12:37 +00:00
|
|
|
and valid_cap' (ArchObjectCap cp)
|
2014-07-14 19:32:44 +00:00
|
|
|
and (\<lambda>s. \<forall>v \<in> set extraCaps. ex_cte_cap_wp_to' isCNodeCap (snd v) s)
|
|
|
|
and sysargs_rel args buffer)
|
2016-01-08 07:43:33 +00:00
|
|
|
(UNIV \<inter> {s. invLabel_' s = label}
|
|
|
|
\<inter> {s. unat (length___unsigned_long_' s) = length args}
|
2014-07-14 19:32:44 +00:00
|
|
|
\<inter> {s. cte_' s = cte_Ptr slot}
|
crefine: remove large structs passed by value
The RISC-V calling convention specifies that when a C function takes an
argument by value, the binary function should take the argument by
reference, if the value is larger than 2 pointer words.
For binary verification, we avoid implementing this aspect of the RISC-V
calling convention, by eliminating all such function arguments for
functions which are not inlined. This commit includes the proof updates
corresponding to the kernel source update, which is in the seL4
repository.
This includes arguments of types `slot_range_t` and `extra_caps_t`.
`slot_range_t` is only used in two functions, so for those cases, we
unpack the arguments, and remove the type altogether.
`extra_caps_t` is used extensively in invocation decoding, and also in
inter-process communication. Since extra caps are already stored in a
global variable `current_extra_caps`, we remove the function argument,
and use the global variable instead. However, this adds significant
difficulty to the proofs, because the variable lifting performed by
`cinit` worked for the function argument, but not for the global
variable. We have therefore recently improved the `cinit` automation to
support this change to the kernel.
Even though this change was for the benefit of RISC-V binary
verification, we update all architectures for consistency.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
2020-06-12 07:44:30 +00:00
|
|
|
\<inter> {s. current_extra_caps_' (globals s) = extraCaps'}
|
2014-07-14 19:32:44 +00:00
|
|
|
\<inter> {s. ccap_relation (ArchObjectCap cp) (cap_' s)}
|
|
|
|
\<inter> {s. buffer_' s = option_to_ptr buffer}) []
|
|
|
|
(decodeARMMMUInvocation label args cptr slot cp extraCaps
|
|
|
|
>>= invocationCatch thread isBlocking isCall InvokeArchObject)
|
|
|
|
(Call decodeARMPageTableInvocation_'proc)"
|
crefine: remove large structs passed by value
The RISC-V calling convention specifies that when a C function takes an
argument by value, the binary function should take the argument by
reference, if the value is larger than 2 pointer words.
For binary verification, we avoid implementing this aspect of the RISC-V
calling convention, by eliminating all such function arguments for
functions which are not inlined. This commit includes the proof updates
corresponding to the kernel source update, which is in the seL4
repository.
This includes arguments of types `slot_range_t` and `extra_caps_t`.
`slot_range_t` is only used in two functions, so for those cases, we
unpack the arguments, and remove the type altogether.
`extra_caps_t` is used extensively in invocation decoding, and also in
inter-process communication. Since extra caps are already stored in a
global variable `current_extra_caps`, we remove the function argument,
and use the global variable instead. However, this adds significant
difficulty to the proofs, because the variable lifting performed by
`cinit` worked for the function argument, but not for the global
variable. We have therefore recently improved the `cinit` automation to
support this change to the kernel.
Even though this change was for the benefit of RISC-V binary
verification, we update all architectures for consistency.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
2020-06-12 07:44:30 +00:00
|
|
|
supply if_cong[cong]
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (clarsimp simp only: isCap_simps)
|
crefine: remove large structs passed by value
The RISC-V calling convention specifies that when a C function takes an
argument by value, the binary function should take the argument by
reference, if the value is larger than 2 pointer words.
For binary verification, we avoid implementing this aspect of the RISC-V
calling convention, by eliminating all such function arguments for
functions which are not inlined. This commit includes the proof updates
corresponding to the kernel source update, which is in the seL4
repository.
This includes arguments of types `slot_range_t` and `extra_caps_t`.
`slot_range_t` is only used in two functions, so for those cases, we
unpack the arguments, and remove the type altogether.
`extra_caps_t` is used extensively in invocation decoding, and also in
inter-process communication. Since extra caps are already stored in a
global variable `current_extra_caps`, we remove the function argument,
and use the global variable instead. However, this adds significant
difficulty to the proofs, because the variable lifting performed by
`cinit` worked for the function argument, but not for the global
variable. We have therefore recently improved the `cinit` automation to
support this change to the kernel.
Even though this change was for the benefit of RISC-V binary
verification, we update all architectures for consistency.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
2020-06-12 07:44:30 +00:00
|
|
|
apply (cinit' lift: invLabel_' length___unsigned_long_' cte_' current_extra_caps_' cap_' buffer_'
|
2014-07-14 19:32:44 +00:00
|
|
|
simp: decodeARMMMUInvocation_def invocation_eq_use_types)
|
|
|
|
apply (simp add: Let_def isCap_simps if_to_top_of_bind
|
|
|
|
del: Collect_const cong: StateSpace.state.fold_congs globals.fold_congs)
|
|
|
|
apply (rule ccorres_Cond_rhs_Seq)
|
|
|
|
apply (rule ccorres_split_throws)
|
|
|
|
apply (simp add: liftE_bindE bind_assoc)
|
|
|
|
apply (rule ccorres_symb_exec_l[OF _ getCTE_inv _ empty_fail_getCTE])
|
|
|
|
apply (rule ccorres_rhs_assoc)+
|
|
|
|
apply (ctac add: isFinalCapability_ccorres)
|
|
|
|
apply (simp add: unlessE_def if_to_top_of_bind if_to_top_of_bindE
|
|
|
|
ccorres_seq_cond_raise
|
|
|
|
del: Collect_const)
|
|
|
|
apply (rule ccorres_cond2'[where R=\<top>])
|
|
|
|
apply (clarsimp simp: from_bool_0)
|
|
|
|
apply (simp add: throwError_bind invocationCatch_def)
|
|
|
|
apply (rule syscall_error_throwError_ccorres_n)
|
|
|
|
apply (simp add: syscall_error_to_H_cases)
|
|
|
|
apply (simp add: returnOk_bind bindE_assoc
|
|
|
|
performARMMMUInvocations)
|
|
|
|
apply (ctac add: setThreadState_ccorres)
|
|
|
|
apply (ctac add: performPageTableInvocationUnmap_ccorres)
|
|
|
|
apply (rule ccorres_alternative2)
|
|
|
|
apply (rule ccorres_return_CE, simp+)[1]
|
|
|
|
apply (rule ccorres_inst[where P=\<top> and P'=UNIV], simp)
|
|
|
|
apply wp
|
|
|
|
apply simp
|
|
|
|
apply (vcg exspec=performPageTableInvocationUnmap_modifies)
|
|
|
|
apply (wp sts_invs_minor')
|
|
|
|
apply simp
|
|
|
|
apply (vcg exspec=setThreadState_modifies)
|
|
|
|
apply (wp hoare_drop_imps isFinalCapability_inv)
|
|
|
|
apply simp
|
|
|
|
apply (vcg exspec=isFinalCapability_modifies)
|
|
|
|
apply (wp getCTE_wp)
|
|
|
|
apply (vcg exspec=performPageTableInvocationUnmap_modifies exspec=isFinalCapability_modifies)
|
|
|
|
apply (simp del: Collect_const)
|
|
|
|
apply (rule ccorres_Cond_rhs_Seq)
|
|
|
|
apply (rule ccorres_equals_throwError)
|
2016-01-21 23:34:54 +00:00
|
|
|
apply (simp split: invocation_label.split arch_invocation_label.split
|
2014-07-14 19:32:44 +00:00
|
|
|
add: throwError_bind invocationCatch_def)
|
|
|
|
apply fastforce
|
|
|
|
apply (rule syscall_error_throwError_ccorres_n)
|
|
|
|
apply (simp add: syscall_error_to_H_cases)
|
|
|
|
apply (simp del: Collect_const)
|
|
|
|
apply csymbr
|
|
|
|
apply (rule ccorres_Cond_rhs_Seq)
|
|
|
|
apply (simp add: if_1_0_0 word_less_nat_alt throwError_bind invocationCatch_def)
|
|
|
|
apply (rule ccorres_cond_true_seq)
|
|
|
|
apply (rule ccorres_equals_throwError)
|
|
|
|
apply (simp add: throwError_bind split: list.split)
|
|
|
|
apply fastforce
|
|
|
|
apply (rule syscall_error_throwError_ccorres_n)
|
|
|
|
apply (simp add: syscall_error_to_H_cases)
|
|
|
|
apply csymbr
|
|
|
|
apply (simp add: if_1_0_0 interpret_excaps_test_null excaps_map_def
|
|
|
|
del: Collect_const)
|
|
|
|
apply (rule ccorres_Cond_rhs_Seq)
|
|
|
|
apply (simp add: throwError_bind invocationCatch_def)
|
|
|
|
apply (rule ccorres_equals_throwError)
|
|
|
|
apply (fastforce simp: throwError_bind split: list.split)
|
|
|
|
apply (rule syscall_error_throwError_ccorres_n)
|
|
|
|
apply (simp add: syscall_error_to_H_cases)
|
|
|
|
apply (simp add: list_case_If2 split_def
|
|
|
|
word_less_nat_alt length_ineq_not_Nil Let_def
|
|
|
|
whenE_bindE_throwError_to_if if_to_top_of_bind
|
|
|
|
del: Collect_const)
|
|
|
|
apply csymbr
|
|
|
|
apply (rule_tac Q=\<top> and Q'=\<top> in ccorres_if_cond_throws[rotated -1])
|
|
|
|
apply vcg
|
|
|
|
apply clarsimp
|
|
|
|
apply (frule cap_get_tag_isCap_unfolded_H_cap)
|
|
|
|
apply (clarsimp simp: cap_lift_page_table_cap cap_page_table_cap_lift_def
|
|
|
|
cap_to_H_def
|
2016-10-25 06:01:30 +00:00
|
|
|
elim!: ccap_relationE split: if_split)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (simp add: to_bool_def)
|
|
|
|
apply (simp add: throwError_bind invocationCatch_def)
|
|
|
|
apply (rule syscall_error_throwError_ccorres_n)
|
|
|
|
apply (simp add: syscall_error_to_H_cases)
|
|
|
|
apply (simp add: cap_case_PageDirectoryCap2 split_def
|
|
|
|
del: Collect_const)
|
|
|
|
apply (rule ccorres_add_return)
|
|
|
|
apply (ctac add: getSyscallArg_ccorres_foo[where args=args and n=0 and buffer=buffer])
|
|
|
|
apply (rule ccorres_add_return)
|
|
|
|
apply (ctac add: getSyscallArg_ccorres_foo[where args=args and n=1 and buffer=buffer])
|
|
|
|
apply csymbr
|
|
|
|
apply (rule ccorres_add_return)
|
|
|
|
apply (rule_tac r'="(\<lambda>rv _ rv'. ((cap_get_tag rv' = scast cap_page_directory_cap)
|
|
|
|
= (isArchObjectCap rv \<and> isPageDirectoryCap (capCap rv)))
|
|
|
|
\<and> (cap_get_tag rv' = scast cap_page_directory_cap \<longrightarrow> ccap_relation rv rv'))
|
|
|
|
(fst (extraCaps ! 0))"
|
|
|
|
and xf'=pdCap_' in ccorres_split_nothrow)
|
|
|
|
apply (rule ccorres_from_vcg[where P="excaps_in_mem extraCaps \<circ> ctes_of" and P'=UNIV])
|
|
|
|
apply (rule allI, rule conseqPre, vcg)
|
|
|
|
apply (clarsimp simp: excaps_in_mem_def return_def neq_Nil_conv)
|
|
|
|
apply (drule(1) slotcap_in_mem_PageDirectory)
|
|
|
|
apply (frule interpret_excaps_eq[rule_format, where n=0], simp)
|
|
|
|
apply (clarsimp simp: typ_heap_simps' mask_def)
|
|
|
|
apply (simp add:word_sless_def word_sle_def)
|
|
|
|
apply ceqv
|
|
|
|
apply csymbr
|
|
|
|
apply csymbr
|
|
|
|
apply (simp add: if_1_0_0 del: Collect_const)
|
|
|
|
apply (rule ccorres_Cond_rhs_Seq)
|
|
|
|
apply (simp add: throwError_bind invocationCatch_def hd_conv_nth
|
|
|
|
cong: conj_cong)
|
|
|
|
apply (rule ccorres_cond_true_seq)
|
|
|
|
apply (rule ccorres_split_throws)
|
|
|
|
apply (rule syscall_error_throwError_ccorres_n)
|
|
|
|
apply (simp add: syscall_error_to_H_cases)
|
|
|
|
apply vcg
|
|
|
|
apply (simp del: Collect_const)
|
|
|
|
apply (rule ccorres_rhs_assoc)+
|
|
|
|
apply csymbr
|
|
|
|
apply csymbr
|
2014-08-09 05:16:17 +00:00
|
|
|
apply (simp add: case_option_If2 if_1_0_0 if_to_top_of_bind
|
2014-07-14 19:32:44 +00:00
|
|
|
if_to_top_of_bindE hd_conv_nth del: Collect_const)
|
|
|
|
apply (rule ccorres_if_cond_throws2[rotated -1, where Q=\<top> and Q'=\<top>])
|
|
|
|
apply vcg
|
|
|
|
apply (clarsimp simp: cap_lift_page_directory_cap
|
|
|
|
cap_to_H_def cap_page_directory_cap_lift_def
|
|
|
|
to_bool_def neq_Nil_conv
|
2016-10-25 06:01:30 +00:00
|
|
|
elim!: ccap_relationE split: if_split)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (simp add: throwError_bind invocationCatch_def)
|
|
|
|
apply (rule syscall_error_throwError_ccorres_n)
|
|
|
|
apply (simp add: syscall_error_to_H_cases)
|
|
|
|
apply csymbr
|
|
|
|
apply csymbr
|
|
|
|
apply csymbr
|
2018-02-13 01:12:28 +00:00
|
|
|
apply csymbr
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (simp add: if_to_top_of_bind del: Collect_const)
|
|
|
|
apply (rule ccorres_if_cond_throws[rotated -1, where Q=\<top> and Q'=\<top>])
|
|
|
|
apply vcg
|
2020-11-13 11:24:06 +00:00
|
|
|
apply (simp add: pptrBase_def ARM.pptrBase_def hd_conv_nth length_ineq_not_Nil)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (simp add: throwError_bind invocationCatch_def)
|
|
|
|
apply (rule syscall_error_throwError_ccorres_n)
|
|
|
|
apply (simp add: syscall_error_to_H_cases)
|
|
|
|
apply (simp add: lookupError_injection invocationCatch_use_injection_handler
|
|
|
|
injection_bindE[OF refl refl] injection_handler_If
|
|
|
|
injection_handler_throwError injection_liftE[OF refl]
|
|
|
|
injection_handler_returnOk bindE_assoc
|
|
|
|
cong: if_cong del: Collect_const)
|
|
|
|
apply csymbr
|
|
|
|
apply (ctac add: ccorres_injection_handler_csum1 [OF ccorres_injection_handler_csum1,
|
|
|
|
OF findPDForASID_ccorres])
|
|
|
|
apply (simp add: Collect_False if_to_top_of_bindE del: Collect_const)
|
|
|
|
apply (rule ccorres_if_cond_throws[rotated -1, where Q=\<top> and Q'=\<top>])
|
|
|
|
apply vcg
|
|
|
|
apply (clarsimp simp: isCap_simps)
|
|
|
|
apply (frule cap_get_tag_isCap_unfolded_H_cap)
|
|
|
|
apply (clarsimp simp: cap_lift_page_directory_cap
|
|
|
|
cap_to_H_def cap_page_directory_cap_lift_def
|
2016-10-25 06:01:30 +00:00
|
|
|
elim!: ccap_relationE split: if_split)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule syscall_error_throwError_ccorres_n)
|
|
|
|
apply (simp add: syscall_error_to_H_cases)
|
|
|
|
apply (simp add: bindE_assoc del: Collect_const,
|
|
|
|
simp add: liftE_bindE del: Collect_const)
|
|
|
|
apply (rule ccorres_pre_getObject_pde)
|
|
|
|
apply csymbr
|
|
|
|
apply (rule ccorres_rhs_assoc2, rule ccorres_symb_exec_r)
|
|
|
|
apply (simp add: unlessE_def if_to_top_of_bindE injection_handler_If
|
|
|
|
del: Collect_const)
|
|
|
|
apply (rule_tac Q'="\<lambda>s. \<exists>v. cslift s (pde_Ptr (capPDBasePtr (capCap (fst (extraCaps ! 0)))
|
|
|
|
+ (args ! 0 >> 20 << 2))) = Some v
|
2015-12-08 06:29:42 +00:00
|
|
|
\<and> cpde_relation rva v \<and> ret__unsigned_' s = pde_get_tag v"
|
2014-07-14 19:32:44 +00:00
|
|
|
in ccorres_if_cond_throws2[rotated -1, where Q=\<top>])
|
|
|
|
apply vcg
|
|
|
|
apply clarsimp
|
|
|
|
apply (clarsimp simp: cpde_relation_def Let_def pde_pde_invalid_lift
|
|
|
|
split: pde.split_asm)
|
|
|
|
apply (simp add: pde_pde_invalid_lift_def)
|
|
|
|
apply (simp add: injection_handler_throwError throwError_bind invocationCatch_def)
|
|
|
|
apply (rule syscall_error_throwError_ccorres_n)
|
|
|
|
apply (simp add: syscall_error_to_H_cases)
|
|
|
|
apply (simp add: injection_handler_returnOk
|
|
|
|
performARMMMUInvocations bindE_assoc)
|
|
|
|
apply csymbr
|
|
|
|
apply csymbr
|
|
|
|
apply csymbr
|
|
|
|
apply csymbr
|
|
|
|
apply csymbr
|
|
|
|
apply csymbr
|
|
|
|
apply csymbr
|
|
|
|
apply (ctac add: setThreadState_ccorres)
|
|
|
|
apply (ctac(no_vcg) add: performPageTableInvocationMap_ccorres)
|
|
|
|
apply (rule ccorres_alternative2)
|
|
|
|
apply (rule ccorres_return_CE, simp+)[1]
|
|
|
|
apply (rule ccorres_inst[where P=\<top> and P'=UNIV], simp)
|
2017-01-13 12:58:40 +00:00
|
|
|
apply wp+
|
2014-07-14 19:32:44 +00:00
|
|
|
apply simp
|
|
|
|
apply (vcg exspec=setThreadState_modifies)
|
|
|
|
apply simp
|
|
|
|
apply vcg
|
|
|
|
apply (rule conseqPre, vcg, clarsimp)
|
|
|
|
apply simp
|
|
|
|
apply (rule_tac P'="{s. errstate s = find_ret}"
|
|
|
|
in ccorres_from_vcg_split_throws[where P=\<top>])
|
|
|
|
apply vcg
|
|
|
|
apply (rule conseqPre, vcg)
|
|
|
|
apply (clarsimp simp: throwError_def return_def syscall_error_rel_def
|
|
|
|
syscall_error_to_H_cases exception_defs false_def)
|
|
|
|
apply (erule lookup_failure_rel_fault_lift[rotated])
|
|
|
|
apply (simp add: exception_defs)
|
|
|
|
apply simp
|
|
|
|
apply (wp injection_wp[OF refl] hoare_drop_imps)
|
|
|
|
apply simp
|
|
|
|
apply (vcg exspec=findPDForASID_modifies)
|
|
|
|
apply simp
|
2019-05-06 06:34:44 +00:00
|
|
|
apply (wp | wp (once) hoare_drop_imps)+
|
2014-07-14 19:32:44 +00:00
|
|
|
apply simp
|
|
|
|
apply vcg
|
|
|
|
apply simp
|
|
|
|
apply wp
|
|
|
|
apply simp
|
|
|
|
apply (vcg exspec=getSyscallArg_modifies)
|
|
|
|
apply simp
|
|
|
|
apply wp
|
|
|
|
apply simp
|
|
|
|
apply (vcg exspec=getSyscallArg_modifies)
|
|
|
|
apply (clarsimp simp: cte_wp_at_ctes_of excaps_map_def
|
|
|
|
if_1_0_0 word_sle_def word_sless_def)
|
|
|
|
apply (rule conjI)
|
|
|
|
apply (auto simp: ct_in_state'_def isCap_simps valid_tcb_state'_def
|
2015-09-02 05:43:39 +00:00
|
|
|
elim!: pred_tcb'_weakenE dest!: st_tcb_at_idle_thread')[1]
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule conjI)
|
|
|
|
apply (clarsimp simp: isCap_simps)
|
|
|
|
apply (subgoal_tac "s \<turnstile>' fst (extraCaps ! 0)")
|
|
|
|
apply (clarsimp simp: sysargs_rel_to_n word_le_nat_alt
|
|
|
|
linorder_not_less)
|
|
|
|
apply (clarsimp | drule length_le_helper)+
|
|
|
|
apply (clarsimp simp: valid_cap'_def neq_Nil_conv
|
|
|
|
mask_add_aligned page_directory_at'_def
|
2020-11-13 11:24:06 +00:00
|
|
|
less_pptrBase_valid_pde_offset''
|
2017-06-05 04:55:42 +00:00
|
|
|
pageBits_def pteBits_def pdeBits_def ptBits_def
|
2014-07-14 19:32:44 +00:00
|
|
|
word_le_nat_alt[symmetric])
|
2015-09-02 05:43:39 +00:00
|
|
|
apply (auto simp: ct_in_state'_def pred_tcb_at' mask_def valid_tcb_state'_def
|
2017-06-05 04:55:42 +00:00
|
|
|
pageBits_def pteBits_def pdeBits_def pdBits_def ptBits_def
|
2015-09-02 05:43:39 +00:00
|
|
|
elim!: pred_tcb'_weakenE dest!: st_tcb_at_idle_thread')[1]
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (clarsimp simp: neq_Nil_conv excaps_in_mem_def
|
|
|
|
slotcap_in_mem_def)
|
|
|
|
apply (auto dest: ctes_of_valid')[1]
|
|
|
|
apply (rule conjI)
|
|
|
|
apply (clarsimp simp: rf_sr_ksCurThread "StrictC'_thread_state_defs"
|
|
|
|
mask_eq_iff_w2p word_size
|
|
|
|
ct_in_state'_def st_tcb_at'_def
|
2016-09-21 00:33:03 +00:00
|
|
|
word_sle_def word_sless_def
|
|
|
|
typ_heap_simps')
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (clarsimp simp: cap_get_tag_isCap_ArchObject isCap_simps
|
|
|
|
word_sle_def word_sless_def
|
2017-06-05 04:55:42 +00:00
|
|
|
word_less_nat_alt
|
|
|
|
pageBits_def pteBits_def pdeBits_def ptBits_def)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (frule length_ineq_not_Nil)
|
2019-11-08 06:32:01 +00:00
|
|
|
apply (drule_tac t="cteCap ctea" in sym, simp)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (frule cap_get_tag_isCap_unfolded_H_cap(14))
|
|
|
|
apply (clarsimp simp: cap_lift_page_directory_cap hd_conv_nth
|
|
|
|
cap_lift_page_table_cap
|
|
|
|
cap_to_H_def cap_page_directory_cap_lift_def
|
|
|
|
to_bool_def cap_page_table_cap_lift_def
|
|
|
|
typ_heap_simps' shiftl_t2n[where n=2] field_simps
|
|
|
|
elim!: ccap_relationE)
|
2015-11-16 03:12:37 +00:00
|
|
|
apply (clarsimp simp: neq_Nil_conv[where xs=extraCaps]
|
2015-12-01 22:07:49 +00:00
|
|
|
excaps_in_mem_def slotcap_in_mem_def
|
|
|
|
dest!: sym[where s="ArchObjectCap cp" for cp])
|
2015-11-16 03:12:37 +00:00
|
|
|
apply (cut_tac p="snd (hd extraCaps)" in ctes_of_valid', simp, clarsimp)
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (clarsimp simp: valid_cap_simps')
|
|
|
|
apply (subst array_assertion_abs_pd, erule conjI,
|
2017-06-05 04:55:42 +00:00
|
|
|
simp add: unat_eq_0 unat_shiftr_le_bound pdBits_def pageBits_def pdeBits_def)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (clarsimp simp: rf_sr_ksCurThread mask_def[where n=4]
|
|
|
|
"StrictC'_thread_state_defs"
|
|
|
|
ccap_relation_def cap_to_H_def
|
|
|
|
cap_lift_page_table_cap word_bw_assocs
|
|
|
|
shiftr_shiftl1 mask_def[where n=18])
|
|
|
|
apply (simp add: cpde_relation_def Let_def pde_lift_pde_coarse
|
|
|
|
pde_pde_coarse_lift_def word_bw_assocs)
|
2015-05-17 23:11:43 +00:00
|
|
|
apply (thin_tac "P" for P)+
|
2018-09-17 06:17:28 +00:00
|
|
|
apply (subst is_aligned_neg_mask_eq,
|
2014-09-10 07:26:44 +00:00
|
|
|
rule is_aligned_addrFromPPtr_n,
|
|
|
|
rule is_aligned_andI2,
|
2017-09-14 07:27:19 +00:00
|
|
|
simp add: is_aligned_def mask_def,
|
2014-09-10 07:26:44 +00:00
|
|
|
simp)+
|
2016-10-25 06:01:30 +00:00
|
|
|
apply (clarsimp simp: attribsFromWord_def split: if_split)
|
2014-09-10 07:26:44 +00:00
|
|
|
apply word_bitwise
|
2016-09-22 02:05:17 +00:00
|
|
|
apply (clarsimp simp: word_size)
|
2014-07-14 19:32:44 +00:00
|
|
|
done
|
|
|
|
|
|
|
|
lemma checkVPAlignment_spec:
|
|
|
|
"\<forall>s. \<Gamma>\<turnstile> \<lbrace>s. \<acute>sz < 4\<rbrace> Call checkVPAlignment_'proc
|
|
|
|
{t. ret__unsigned_long_' t = from_bool
|
|
|
|
(vmsz_aligned' (w_' s) (gen_framesize_to_H (sz_' s)))}"
|
2021-09-22 00:21:01 +00:00
|
|
|
including no_take_bit
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule allI, rule conseqPre, vcg)
|
|
|
|
apply (clarsimp simp: mask_eq_iff_w2p word_size)
|
|
|
|
apply (rule conjI)
|
|
|
|
apply (simp add: pageBitsForSize_def split: vmpage_size.split)
|
|
|
|
apply (simp add: from_bool_def vmsz_aligned'_def is_aligned_mask
|
2016-10-25 06:01:30 +00:00
|
|
|
mask_def split: if_split)
|
2014-07-14 19:32:44 +00:00
|
|
|
done
|
|
|
|
|
|
|
|
definition
|
|
|
|
"createSafeMappingEntries ptr vaddr vsz vrights attr pd = doE
|
|
|
|
entries \<leftarrow> createMappingEntries ptr vaddr vsz vrights attr pd;
|
|
|
|
ensureSafeMapping entries;
|
|
|
|
returnOk entries
|
|
|
|
odE"
|
|
|
|
|
|
|
|
lemma createSafeMappingEntries_fold:
|
|
|
|
"(doE
|
|
|
|
entries \<leftarrow> createMappingEntries ptr vaddr vsz vrights attr pd;
|
|
|
|
_ \<leftarrow> ensureSafeMapping entries;
|
|
|
|
f entries
|
|
|
|
odE) = (createSafeMappingEntries ptr vaddr vsz vrights attr pd >>=E f)"
|
|
|
|
by (simp add: createSafeMappingEntries_def bindE_assoc)
|
|
|
|
|
|
|
|
definition
|
|
|
|
ptr_range_to_list :: "('a :: c_type) ptr \<Rightarrow> word32 \<Rightarrow> 'a ptr list"
|
|
|
|
where
|
|
|
|
"ptr_range_to_list ptr lenV \<equiv>
|
|
|
|
map (\<lambda>x. CTypesDefs.ptr_add ptr (of_nat x)) [0 ..< unat lenV]"
|
|
|
|
|
|
|
|
definition
|
|
|
|
"pte_range_relation xs pte_ran \<equiv>
|
|
|
|
xs = map ptr_val (ptr_range_to_list (pte_range_C.base_C pte_ran)
|
2017-07-12 05:13:51 +00:00
|
|
|
(pte_range_C.length_C pte_ran))
|
2014-07-14 19:32:44 +00:00
|
|
|
\<and> 1 \<le> pte_range_C.length_C pte_ran"
|
|
|
|
|
|
|
|
definition
|
|
|
|
"pde_range_relation xs pde_ran \<equiv>
|
|
|
|
xs = map ptr_val (ptr_range_to_list (pde_range_C.base_C pde_ran)
|
|
|
|
(pde_range_C.length_C pde_ran))
|
|
|
|
\<and> 1 \<le> pde_range_C.length_C pde_ran"
|
|
|
|
|
|
|
|
definition
|
|
|
|
"vm_attribs_relation attr attr' \<equiv>
|
|
|
|
armParityEnabled_CL (vm_attributes_lift attr') = from_bool (armParityEnabled attr)
|
2014-11-26 06:18:47 +00:00
|
|
|
\<and> armPageCacheable_CL (vm_attributes_lift attr') = from_bool (armPageCacheable attr)
|
|
|
|
\<and> armExecuteNever_CL (vm_attributes_lift attr') = from_bool (armExecuteNever attr)"
|
2014-07-14 19:32:44 +00:00
|
|
|
|
|
|
|
lemma framesize_from_H_eqs:
|
|
|
|
"(framesize_from_H vsz = scast Kernel_C.ARMSmallPage) = (vsz = ARMSmallPage)"
|
|
|
|
"(framesize_from_H vsz = scast Kernel_C.ARMLargePage) = (vsz = ARMLargePage)"
|
|
|
|
"(framesize_from_H vsz = scast Kernel_C.ARMSection) = (vsz = ARMSection)"
|
|
|
|
"(framesize_from_H vsz = scast Kernel_C.ARMSuperSection) = (vsz = ARMSuperSection)"
|
|
|
|
by (simp add: framesize_from_H_def vm_page_size_defs split: vmpage_size.split)+
|
|
|
|
|
|
|
|
lemma pde_get_tag_alt:
|
|
|
|
"pde_lift v = Some pdeC
|
|
|
|
\<Longrightarrow> pde_get_tag v = (case pdeC of Pde_pde_invalid _ \<Rightarrow> scast pde_pde_invalid
|
|
|
|
| Pde_pde_coarse _ \<Rightarrow> scast pde_pde_coarse
|
|
|
|
| Pde_pde_section _ \<Rightarrow> scast pde_pde_section
|
|
|
|
| Pde_pde_reserved \<Rightarrow> scast pde_pde_reserved)"
|
2016-10-25 06:01:30 +00:00
|
|
|
by (auto simp add: pde_lift_def Let_def split: if_split_asm)
|
2014-07-14 19:32:44 +00:00
|
|
|
|
|
|
|
|
|
|
|
lemma cpde_relation_pde_case:
|
|
|
|
"cpde_relation pde cpde
|
|
|
|
\<Longrightarrow> (case pde of InvalidPDE \<Rightarrow> P
|
|
|
|
| PageTablePDE _ _ _ \<Rightarrow> Q
|
2014-11-26 06:18:47 +00:00
|
|
|
| SectionPDE _ _ _ _ _ _ _ \<Rightarrow> R
|
|
|
|
| SuperSectionPDE _ _ _ _ _ _ \<Rightarrow> S)
|
2014-07-14 19:32:44 +00:00
|
|
|
= (if pde_get_tag cpde = scast pde_pde_invalid then P
|
|
|
|
else if (pde_get_tag cpde = scast pde_pde_coarse)
|
|
|
|
\<or> (pde_get_tag cpde \<noteq> scast pde_pde_section) then Q
|
|
|
|
else if size_CL (pde_pde_section_lift cpde) = 0
|
|
|
|
then R else S)"
|
|
|
|
by (clarsimp simp: cpde_relation_def Let_def pde_get_tag_alt
|
|
|
|
pde_tag_defs pde_pde_section_lift_def
|
2016-05-05 22:59:33 +00:00
|
|
|
split: ARM_H.pde.split_asm)
|
2014-07-14 19:32:44 +00:00
|
|
|
|
|
|
|
lemma pde_pde_section_size_0_1:
|
|
|
|
"pde_get_tag pde = scast pde_pde_section
|
|
|
|
\<Longrightarrow> size_CL (pde_pde_section_lift pde) = 0
|
|
|
|
\<or> size_CL (pde_pde_section_lift pde) = 1"
|
|
|
|
apply (simp add: pde_pde_section_lift_def pde_lift_pde_section)
|
|
|
|
apply (rule x_less_2_0_1)
|
|
|
|
apply (rule order_le_less_trans, rule word_and_le1)
|
|
|
|
apply simp
|
|
|
|
done
|
|
|
|
|
2014-11-26 06:18:47 +00:00
|
|
|
lemma pde_bits_from_cacheable_simps [simp]:
|
|
|
|
"shared_bit_from_cacheable (from_bool b) = s_from_cacheable b"
|
|
|
|
"tex_bits_from_cacheable (from_bool b) = tex_from_cacheable b"
|
|
|
|
"iwb_from_cacheable (from_bool b) = b_from_cacheable b"
|
2017-07-12 05:13:51 +00:00
|
|
|
by (simp_all add: shared_bit_from_cacheable_def s_from_cacheable_def
|
2014-11-26 06:18:47 +00:00
|
|
|
tex_bits_from_cacheable_def tex_from_cacheable_def
|
2017-07-12 05:13:51 +00:00
|
|
|
iwb_from_cacheable_def b_from_cacheable_def
|
2014-11-26 06:18:47 +00:00
|
|
|
split: bool.splits)
|
2014-07-14 19:32:44 +00:00
|
|
|
|
|
|
|
lemma createSafeMappingEntries_PDE_ccorres:
|
|
|
|
"ccorres (syscall_error_rel \<currency> (\<lambda>rv rv'. isRight rv \<and> cpde_relation (fst (theRight rv)) (fst rv')
|
|
|
|
\<and> pde_range_relation (snd (theRight rv)) (snd rv')))
|
|
|
|
(liftxf errstate create_mappings_pde_return_C.status_C
|
|
|
|
(\<lambda>v. (create_mappings_pde_return_C.pde_C v,
|
|
|
|
create_mappings_pde_return_C.pde_entries_C v))
|
|
|
|
ret__struct_create_mappings_pde_return_C_')
|
2015-12-01 22:07:49 +00:00
|
|
|
(page_directory_at' pd and (\<lambda>_. vmsz_aligned' vaddr vsz \<and> vmsz_aligned' base vsz
|
2014-07-14 19:32:44 +00:00
|
|
|
\<and> is_aligned pd pdBits))
|
|
|
|
(UNIV \<inter> {s. base_' s = base} \<inter> {s. vaddr_' s = vaddr}
|
|
|
|
\<inter> {s. frameSize_' s = framesize_from_H vsz
|
|
|
|
\<and> (vsz = ARMSection \<or> vsz = ARMSuperSection)}
|
|
|
|
\<inter> {s. vmrights_to_H (vmRights_' s) = vrights \<and> vmRights_' s < 4}
|
|
|
|
\<inter> {s. vm_attribs_relation attr (attr_' s)}
|
|
|
|
\<inter> {s. pd_' s = pde_Ptr pd}) []
|
|
|
|
(createSafeMappingEntries base vaddr vsz vrights attr pd)
|
|
|
|
(Call createSafeMappingEntries_PDE_'proc)"
|
2021-09-22 00:21:01 +00:00
|
|
|
including no_take_bit no_0_dvd
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule ccorres_gen_asm)
|
|
|
|
apply (subgoal_tac "vsz = ARMSuperSection
|
|
|
|
\<longrightarrow> lookup_pd_slot pd vaddr \<le> lookup_pd_slot pd vaddr + 0x3C")
|
|
|
|
prefer 2
|
|
|
|
apply (clarsimp simp: vmsz_aligned'_def)
|
|
|
|
apply (rule is_aligned_no_wrap'[where sz=6], simp_all add: word_bits_def)[1]
|
|
|
|
apply (simp add: lookup_pd_slot_def Let_def)
|
|
|
|
apply (erule aligned_add_aligned,
|
|
|
|
simp_all add: pdBits_def pageBits_def word_bits_def)[1]
|
|
|
|
apply (intro is_aligned_shiftl is_aligned_shiftr)
|
|
|
|
apply simp
|
|
|
|
apply (cinit lift: base_' vaddr_' frameSize_' vmRights_' attr_' pd_')
|
|
|
|
apply (simp add: createSafeMappingEntries_def createMappingEntries_def
|
|
|
|
ensureSafeMapping_def framesize_from_H_eqs
|
|
|
|
del: Collect_const)
|
|
|
|
apply (rule ccorres_Cond_rhs)
|
|
|
|
apply (simp add: mapME_x_def sequenceE_x_def bindE_assoc
|
|
|
|
del: Collect_const)
|
|
|
|
apply (simp add: liftE_bindE)
|
|
|
|
apply (rule ccorres_pre_getObject_pde)
|
|
|
|
apply (rule_tac P'="{s. \<exists>v. cslift s (pde_Ptr (lookup_pd_slot pd vaddr)) = Some v
|
2015-12-01 22:07:49 +00:00
|
|
|
\<and> cpde_relation x v
|
|
|
|
\<and> array_assertion (pde_Ptr pd) (2 ^ pageBits) (hrs_htd (t_hrs_' (globals s)))}"
|
2014-07-14 19:32:44 +00:00
|
|
|
in ccorres_from_vcg_might_throw[where P=\<top>])
|
|
|
|
apply (rule allI, rule conseqPre, vcg)
|
|
|
|
apply (clarsimp simp: if_1_0_0)
|
|
|
|
apply (clarsimp simp: typ_heap_simps vm_attribs_relation_def
|
|
|
|
from_bool_mask_simp[unfolded mask_def, simplified])
|
2014-11-26 06:18:47 +00:00
|
|
|
apply (rule conjI)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (simp add: gen_framesize_to_H_def vm_page_size_defs)
|
|
|
|
apply (clarsimp simp: pde_get_tag_alt cpde_relation_pde_case
|
|
|
|
pde_tag_defs fst_throwError_returnOk
|
|
|
|
pde_range_relation_def ptr_range_to_list_def
|
|
|
|
exception_defs isRight_def from_bool_def[where b=True]
|
|
|
|
syscall_error_rel_def syscall_error_to_H_cases)
|
2014-11-26 06:18:47 +00:00
|
|
|
apply (clarsimp simp: cpde_relation_def true_def false_def)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule ccorres_Cond_rhs)
|
|
|
|
apply (simp del: Collect_const)
|
|
|
|
apply (rule ccorres_rhs_assoc)+
|
2018-02-13 01:12:28 +00:00
|
|
|
apply (rule ccorres_rhs_assoc2)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule ccorres_symb_exec_r)
|
|
|
|
apply (rule ccorres_Guard_Seq)+
|
|
|
|
apply csymbr
|
|
|
|
apply csymbr
|
|
|
|
apply csymbr
|
|
|
|
apply csymbr
|
2014-11-26 06:18:47 +00:00
|
|
|
apply csymbr
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (simp add: mapME_x_sequenceE bindE_assoc)
|
2017-07-12 05:13:51 +00:00
|
|
|
apply (simp add:ARMSuperSectionBits_def word_0_sle_from_less
|
2014-07-14 19:32:44 +00:00
|
|
|
ARMSectionBits_def)
|
|
|
|
apply (ccorres_remove_UNIV_guard)
|
2021-03-18 12:18:37 +00:00
|
|
|
apply csymbr
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule ccorres_rhs_assoc2,rule ccorres_splitE)
|
|
|
|
apply (simp only:whileAnno_def)
|
|
|
|
apply (ccorres_remove_UNIV_guard)
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (rule_tac r'=dc and xf'=xfdc and F="\<lambda>_. page_directory_at' pd"
|
2014-07-14 19:32:44 +00:00
|
|
|
and Q="{s. pde_range_C.base_C (pde_entries_C
|
2021-03-18 12:18:37 +00:00
|
|
|
ret___struct_create_mappings_pde_return_C)
|
2014-07-14 19:32:44 +00:00
|
|
|
= Ptr (lookup_pd_slot pd vaddr)}"
|
|
|
|
in ccorres_sequenceE_while)
|
|
|
|
apply (simp add: liftE_bindE)
|
|
|
|
apply (rule ccorres_guard_imp2)
|
|
|
|
apply (rule_tac r'="\<lambda>rv rv'. rv' = from_bool (isPageTablePDE rv \<or> isSectionPDE rv)"
|
|
|
|
and xf'=ret__int_' in ccorres_split_nothrow_novcg)
|
|
|
|
apply (rule ccorres_add_return2, rule ccorres_pre_getObject_pde)
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (rule_tac P'="{s. let ptr = (pde_range_C.base_C (pde_entries_C
|
2021-03-18 12:18:37 +00:00
|
|
|
ret___struct_create_mappings_pde_return_C))
|
2015-12-01 22:07:49 +00:00
|
|
|
in \<exists>v. cslift s (CTypesDefs.ptr_add ptr (uint (i_' s))) = Some v
|
|
|
|
\<and> cpde_relation x v
|
|
|
|
\<and> (i_' s = 0 \<or> array_assertion ptr (Suc (unat (i_' s)))
|
|
|
|
(hrs_htd (t_hrs_' (globals s))))}"
|
2014-07-14 19:32:44 +00:00
|
|
|
in ccorres_from_vcg_nofail[where P=\<top>])
|
|
|
|
apply (rule allI, rule conseqPre, vcg)
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (clarsimp simp: if_1_0_0 return_def typ_heap_simps Let_def)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (simp add: isPageTablePDE_def isSectionPDE_def
|
|
|
|
cpde_relation_pde_case from_bool_def)
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (intro impI conjI disjCI2, simp_all add: array_assertion_shrink_right)[1]
|
2016-10-25 06:01:30 +00:00
|
|
|
apply (clarsimp simp: pde_tag_defs split: if_split bool.split)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (frule pde_pde_section_size_0_1[simplified pde_tag_defs, simplified], simp)
|
|
|
|
apply ceqv
|
|
|
|
apply (simp add: from_bool_0 del: Collect_const)
|
|
|
|
apply (rule ccorres_from_vcg_might_throw[where P=\<top> and P'=UNIV])
|
|
|
|
apply (rule allI, rule conseqPre, vcg)
|
|
|
|
apply (clarsimp simp: isPageTablePDE_def isSectionPDE_def
|
|
|
|
fst_throwError_returnOk
|
2016-05-05 22:59:33 +00:00
|
|
|
split: ARM_H.pde.split)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (auto simp: exception_defs syscall_error_rel_def
|
|
|
|
syscall_error_to_H_cases)[1]
|
2017-06-05 04:55:42 +00:00
|
|
|
apply wpsimp
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (simp add: guard_is_UNIV_def)
|
2017-06-05 04:55:42 +00:00
|
|
|
apply (clarsimp simp: upto_enum_step_def superSectionPDEOffsets_def pdeBits_def)
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (frule_tac n3="Suc o unat o i_'" in array_assertion_abs_pde_16_const[where pd=pd and vptr=vaddr,
|
|
|
|
simplified imp_conjL, THEN spec, THEN spec, THEN mp])
|
2017-06-05 04:55:42 +00:00
|
|
|
apply (subst add.commute)
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (simp add: upto_enum_word unat_of_nat vmsz_aligned_def
|
2017-06-05 04:55:42 +00:00
|
|
|
vmsz_aligned'_def
|
|
|
|
split: if_split_asm)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (clarsimp simp: upto_enum_step_def upto_enum_word
|
2017-06-05 04:55:42 +00:00
|
|
|
superSectionPDEOffsets_def pdeBits_def
|
2016-10-25 06:01:30 +00:00
|
|
|
split: if_split)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply simp
|
|
|
|
apply (rule conseqPre, vcg)
|
|
|
|
apply (clarsimp simp: if_1_0_0)
|
2015-12-01 22:07:49 +00:00
|
|
|
apply simp
|
|
|
|
apply (wp getPDE_wp | wpc)+
|
|
|
|
apply simp
|
2017-06-05 04:55:42 +00:00
|
|
|
apply (simp add: upto_enum_step_def word_bits_def
|
|
|
|
superSectionPDEOffsets_def pdeBits_def
|
|
|
|
split: if_split)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply clarsimp
|
|
|
|
apply ceqv
|
|
|
|
apply csymbr
|
|
|
|
apply (rule ccorres_return_CE, simp+)[1]
|
|
|
|
apply wp
|
|
|
|
apply (simp add: ccHoarePost_def isRight_def xfdc_def)
|
|
|
|
apply (rule HoarePartial.SeqSwap)
|
2015-05-17 23:11:43 +00:00
|
|
|
apply (rule_tac Q="\<lbrace>Bonus \<acute>i \<longrightarrow> Prop \<acute>ret___struct_create_mappings_pde_return_C\<rbrace>"
|
|
|
|
and I="\<lbrace>Prop \<acute>ret___struct_create_mappings_pde_return_C\<rbrace>"
|
|
|
|
for Bonus Prop
|
2014-07-14 19:32:44 +00:00
|
|
|
in HoarePartial.reannotateWhileNoGuard)
|
|
|
|
apply (rule HoarePartial.While[OF order_refl])
|
|
|
|
apply (rule conseqPre, vcg)
|
|
|
|
apply (clarsimp simp: if_1_0_0)
|
|
|
|
apply clarsimp
|
|
|
|
apply vcg
|
|
|
|
apply (clarsimp simp: pde_range_relation_def)
|
|
|
|
apply vcg
|
|
|
|
apply (rule conseqPre, vcg, clarsimp)
|
|
|
|
apply (rule ccorres_inst[where P=\<top> and P'=UNIV])
|
|
|
|
apply simp
|
|
|
|
apply (clarsimp simp: vmsz_aligned'_def gen_framesize_to_H_def vm_page_size_defs
|
2017-07-12 05:13:51 +00:00
|
|
|
vm_attribs_relation_def
|
2017-06-05 04:55:42 +00:00
|
|
|
superSectionPDEOffsets_def pdeBits_def
|
2014-07-14 19:32:44 +00:00
|
|
|
from_bool_mask_simp[unfolded mask_def, simplified]
|
|
|
|
ptr_range_to_list_def upto_enum_step_def
|
|
|
|
o_def upto_enum_word
|
|
|
|
cong: if_cong)
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (frule(1) page_directory_at_rf_sr, clarsimp)
|
|
|
|
apply (frule array_ptr_valid_array_assertionD[OF h_t_valid_clift])
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (clarsimp simp:ARMSuperSectionBits_def
|
2015-12-01 22:07:49 +00:00
|
|
|
ARMSectionBits_def word_0_sle_from_less
|
|
|
|
pageBits_def)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule conjI)
|
2017-07-12 05:13:51 +00:00
|
|
|
apply (simp add: cpde_relation_def true_def false_def)
|
2017-06-05 04:55:42 +00:00
|
|
|
apply (simp add: upt_def split: if_split)
|
2014-07-14 19:32:44 +00:00
|
|
|
done
|
|
|
|
|
|
|
|
lemma pte_case_isLargePagePTE:
|
2014-11-26 06:18:47 +00:00
|
|
|
"(case pte of LargePagePTE _ _ _ _ _ \<Rightarrow> P | _ \<Rightarrow> Q)
|
2014-07-14 19:32:44 +00:00
|
|
|
= (if isLargePagePTE pte then P else Q)"
|
2016-05-05 22:59:33 +00:00
|
|
|
by (simp add: isLargePagePTE_def split: ARM_H.pte.split)
|
2014-07-14 19:32:44 +00:00
|
|
|
|
|
|
|
lemma ccorres_pre_getObject_pte:
|
|
|
|
"(\<And>rv. ccorresG rf_sr \<Gamma> r xf (P rv) (P' rv) hs (f rv) c) \<Longrightarrow>
|
|
|
|
ccorresG rf_sr \<Gamma> r xf (\<lambda>s. \<forall>pte. ko_at' pte p s \<longrightarrow> P pte s)
|
|
|
|
{s. \<forall>pte pte'. cslift s (pte_Ptr p) = Some pte' \<and> cpte_relation pte pte' \<longrightarrow> s \<in> P' pte} hs
|
|
|
|
(getObject p >>= f) c"
|
|
|
|
apply (rule ccorres_guard_imp2)
|
|
|
|
apply (rule ccorres_symb_exec_l)
|
|
|
|
apply (rule_tac P="ko_at' rv p" in ccorres_cross_over_guard)
|
|
|
|
apply assumption
|
|
|
|
apply (wp getObject_inv loadObject_default_inv
|
|
|
|
getPTE_wp empty_fail_getObject | simp)+
|
|
|
|
apply clarsimp
|
|
|
|
apply (erule cmap_relationE1[OF rf_sr_cpte_relation], erule ko_at_projectKO_opt)
|
|
|
|
apply clarsimp
|
|
|
|
done
|
|
|
|
|
|
|
|
lemma lookupPTSlot_le_0x3C:
|
|
|
|
"\<lbrace>valid_objs' and K (vmsz_aligned' vptr ARMLargePage)\<rbrace>
|
|
|
|
lookupPTSlot pd vptr \<lbrace>\<lambda>rv s. rv \<le> rv + 0x3C\<rbrace>,-"
|
|
|
|
apply (rule hoare_gen_asmE)
|
|
|
|
apply (simp add: lookupPTSlot_def cong: pde.case_cong)
|
|
|
|
apply (rule hoare_pre)
|
|
|
|
apply (wp getPDE_wp | wpc)+
|
|
|
|
apply clarsimp
|
|
|
|
apply (drule(1) obj_at_valid_objs')
|
|
|
|
apply (clarsimp simp: projectKOs)
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (clarsimp simp: valid_obj'_def ptBits_def pageBits_def vmsz_aligned'_def
|
|
|
|
lookup_pt_slot_no_fail_def)
|
2016-05-02 09:35:37 +00:00
|
|
|
apply (subgoal_tac "is_aligned (ptrFromPAddr x) 10")
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule is_aligned_no_wrap' [where sz=6])
|
|
|
|
apply (erule aligned_add_aligned)
|
|
|
|
apply clarsimp
|
|
|
|
apply (rule is_aligned_andI1)
|
|
|
|
apply clarsimp
|
|
|
|
apply (simp add: word_bits_def)
|
|
|
|
apply simp
|
2020-11-13 11:24:06 +00:00
|
|
|
apply (simp add: ARM.ptrFromPAddr_def pptrBaseOffset_def)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (erule aligned_add_aligned)
|
2020-11-13 11:24:06 +00:00
|
|
|
apply (simp add: pptrBase_def ARM.physBase_def
|
2016-02-05 05:16:16 +00:00
|
|
|
physBase_def is_aligned_def)
|
2017-06-05 04:55:42 +00:00
|
|
|
apply (simp add: word_bits_def pteBits_def)
|
2014-07-14 19:32:44 +00:00
|
|
|
done
|
|
|
|
|
2014-11-26 06:18:47 +00:00
|
|
|
lemma pte_get_tag_exhaust:
|
|
|
|
"pte_get_tag pte = 0 \<or> pte_get_tag pte = 1"
|
|
|
|
apply (simp add: pte_get_tag_def)
|
|
|
|
apply word_bitwise
|
|
|
|
done
|
|
|
|
|
2014-07-14 19:32:44 +00:00
|
|
|
lemma createSafeMappingEntries_PTE_ccorres:
|
|
|
|
"ccorres (syscall_error_rel \<currency> (\<lambda>rv rv'. isLeft rv \<and> cpte_relation (fst (theLeft rv)) (fst rv')
|
|
|
|
\<and> pte_range_relation (snd (theLeft rv)) (snd rv')))
|
|
|
|
(liftxf errstate create_mappings_pte_return_C.status_C
|
|
|
|
(\<lambda>v. (create_mappings_pte_return_C.pte_C v,
|
|
|
|
create_mappings_pte_return_C.pte_entries_C v))
|
|
|
|
ret__struct_create_mappings_pte_return_C_')
|
2015-12-01 22:07:49 +00:00
|
|
|
(valid_objs' and page_directory_at' pd
|
|
|
|
and (\<lambda>_. vmsz_aligned' vaddr vsz \<and> vmsz_aligned' base vsz
|
2014-07-14 19:32:44 +00:00
|
|
|
\<and> is_aligned pd pdBits))
|
|
|
|
(UNIV \<inter> {s. base_' s = base} \<inter> {s. vaddr_' s = vaddr}
|
|
|
|
\<inter> {s. frameSize_' s = framesize_from_H vsz
|
|
|
|
\<and> (vsz = ARMSmallPage \<or> vsz = ARMLargePage)}
|
|
|
|
\<inter> {s. vmrights_to_H (vmRights_' s) = vrights \<and> vmRights_' s < 4}
|
|
|
|
\<inter> {s. vm_attribs_relation attr (attr_' s)}
|
|
|
|
\<inter> {s. pd_' s = pde_Ptr pd}) []
|
|
|
|
(createSafeMappingEntries base vaddr vsz vrights attr pd)
|
|
|
|
(Call createSafeMappingEntries_PTE_'proc)"
|
2021-09-22 00:21:01 +00:00
|
|
|
including no_take_bit no_0_dvd
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule ccorres_gen_asm)
|
|
|
|
apply (cinit lift: base_' vaddr_' frameSize_' vmRights_' attr_' pd_')
|
|
|
|
apply (simp add: createSafeMappingEntries_def createMappingEntries_def
|
|
|
|
ensureSafeMapping_def framesize_from_H_eqs
|
|
|
|
del: Collect_const)
|
|
|
|
apply (rule ccorres_Cond_rhs)
|
|
|
|
apply (simp add: bindE_assoc mapME_x_def sequenceE_x_def
|
|
|
|
pte_case_isLargePagePTE)
|
|
|
|
apply (rule ccorres_rhs_assoc)+
|
|
|
|
apply csymbr
|
|
|
|
apply csymbr
|
|
|
|
apply csymbr
|
2014-11-26 06:18:47 +00:00
|
|
|
apply csymbr
|
2018-02-13 01:12:28 +00:00
|
|
|
apply (rule ccorres_rhs_assoc2)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule ccorres_symb_exec_r)
|
|
|
|
apply (simp only: lookupError_injection)
|
|
|
|
apply (ctac add: ccorres_injection_handler_csum1
|
|
|
|
[OF lookupPTSlot_ccorres])
|
|
|
|
apply (simp add: Collect_False liftE_bindE del: Collect_const)
|
|
|
|
apply csymbr
|
|
|
|
apply (rule ccorres_pre_getObject_pte)
|
|
|
|
apply (rule ccorres_add_return)
|
|
|
|
apply (rule_tac xf'="ret__unsigned_long_'"
|
|
|
|
and r'="\<lambda>_ rv'. (rv' = scast pte_pte_large) = (isLargePagePTE rva)"
|
|
|
|
in ccorres_split_nothrow[where F=UNIV])
|
|
|
|
apply (rule_tac P="ko_at' rva rv" in ccorres_from_vcg[where P'=UNIV])
|
|
|
|
apply (rule allI, rule conseqPre, vcg)
|
|
|
|
apply (clarsimp simp: return_def)
|
|
|
|
apply (drule obj_at_ko_at', clarsimp)
|
|
|
|
apply (erule cmap_relationE1[OF rf_sr_cpte_relation], erule ko_at_projectKO_opt)
|
|
|
|
apply (clarsimp simp: typ_heap_simps cpte_relation_def Let_def)
|
2014-11-26 06:18:47 +00:00
|
|
|
apply (simp add: isLargePagePTE_def pte_pte_large_lift_def pte_lift_def Let_def
|
|
|
|
pte_tag_defs pte_pte_invalid_def
|
2016-10-25 06:01:30 +00:00
|
|
|
split: ARM_H.pte.split_asm if_split_asm)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply ceqv
|
|
|
|
apply (simp add: pte_case_isLargePagePTE if_to_top_of_bindE del: Collect_const)
|
|
|
|
apply (rule ccorres_if_cond_throws[rotated -1, where Q=\<top> and Q'=\<top>])
|
|
|
|
apply vcg
|
|
|
|
apply simp
|
|
|
|
apply simp
|
|
|
|
apply (rule ccorres_from_vcg_throws[where P=\<top> and P'=UNIV])
|
|
|
|
apply (rule allI, rule conseqPre, vcg)
|
|
|
|
apply (clarsimp simp: fst_throwError_returnOk
|
|
|
|
exception_defs syscall_error_to_H_cases
|
|
|
|
syscall_error_rel_def)
|
|
|
|
apply simp
|
|
|
|
apply csymbr
|
|
|
|
apply (rule ccorres_return_CE, simp+)[1]
|
|
|
|
apply (simp only: pred_conj_def simp_thms)
|
|
|
|
apply wp
|
|
|
|
apply (simp add: isLeft_def)
|
|
|
|
apply vcg
|
|
|
|
apply simp
|
|
|
|
apply (rule_tac P'="{s. lu_ret___struct_lookupPTSlot_ret_C = errstate s}"
|
|
|
|
in ccorres_from_vcg_split_throws [where P=\<top>])
|
|
|
|
apply vcg
|
|
|
|
apply (rule conseqPre, vcg)
|
|
|
|
apply (clarsimp simp: fst_throwError_returnOk syscall_error_to_H_cases
|
|
|
|
syscall_error_rel_def exception_defs false_def)
|
|
|
|
apply (erule lookup_failure_rel_fault_lift[rotated])
|
|
|
|
apply (simp add: exception_defs)
|
|
|
|
apply simp
|
|
|
|
apply wp
|
|
|
|
apply simp
|
|
|
|
apply (vcg exspec=lookupPTSlot_modifies)
|
|
|
|
apply simp
|
|
|
|
apply vcg
|
|
|
|
apply (rule conseqPre, vcg, clarsimp)
|
|
|
|
apply (rule ccorres_Cond_rhs)
|
|
|
|
apply (simp add: ARMLargePageBits_def ARMSmallPageBits_def word_0_sle_from_less)
|
|
|
|
apply (ccorres_remove_UNIV_guard)
|
|
|
|
apply (rule ccorres_rhs_assoc)+
|
|
|
|
apply (simp add: lookupError_injection bindE_assoc del: Collect_const)
|
|
|
|
apply csymbr
|
|
|
|
apply csymbr
|
|
|
|
apply csymbr
|
2014-11-26 06:18:47 +00:00
|
|
|
apply csymbr
|
2014-07-14 19:32:44 +00:00
|
|
|
|
2018-02-13 01:12:28 +00:00
|
|
|
apply (rule ccorres_rhs_assoc2)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule ccorres_symb_exec_r)
|
|
|
|
apply (ctac add: ccorres_injection_handler_csum1
|
|
|
|
[OF lookupPTSlot_ccorres])
|
|
|
|
apply (simp add: Collect_False del: Collect_const)
|
|
|
|
apply csymbr
|
|
|
|
apply (simp add: mapME_x_sequenceE bindE_assoc
|
|
|
|
del: Collect_const)
|
|
|
|
apply (rule_tac P="\<not> rv + 0x3C < rv" in ccorres_gen_asm)
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (rule_tac P="is_aligned rv 6" in ccorres_gen_asm)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule ccorres_rhs_assoc2, rule ccorres_splitE)
|
|
|
|
apply (simp only: whileAnno_def)
|
|
|
|
apply (ccorres_remove_UNIV_guard)
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (rule_tac xf'=xfdc and r'=dc and F="\<lambda>_. page_table_at' (rv && ~~ mask ptBits)"
|
2014-07-14 19:32:44 +00:00
|
|
|
and Q="{s. pte_range_C.base_C (pte_entries_C
|
|
|
|
(ret___struct_create_mappings_pte_return_C_' s))
|
|
|
|
= Ptr rv}"
|
|
|
|
in ccorres_sequenceE_while)
|
|
|
|
apply (clarsimp simp: liftE_bindE)
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (rule ccorres_symb_exec_l'[OF _ _ hoare_vcg_conj_lift[OF getObject_obj_at' getObject_inv, simplified]])
|
|
|
|
apply (rule ccorres_from_vcg_might_throw)
|
|
|
|
apply (rule allI, rule conseqPre, vcg)
|
2017-06-05 04:55:42 +00:00
|
|
|
apply (clarsimp simp: largePagePTEOffsets_def pteBits_def)
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (simp add: upto_enum_step_def upto_enum_word)
|
|
|
|
apply (clarsimp simp: fst_throwError_returnOk
|
|
|
|
inr_rrel_def syscall_error_rel_def
|
|
|
|
syscall_error_to_H_cases exception_defs
|
|
|
|
split: pte.split)
|
|
|
|
apply (subst array_assertion_abs_pte_16[rule_format], erule conjI,
|
|
|
|
clarsimp simp: unat_of_nat)+
|
|
|
|
apply (drule obj_at_ko_at', clarsimp)
|
|
|
|
apply (erule cmap_relationE1[OF rf_sr_cpte_relation],
|
|
|
|
erule ko_at_projectKO_opt)
|
|
|
|
apply (auto simp: typ_heap_simps cpte_relation_def pte_pte_invalid_def
|
|
|
|
Let_def pte_lift_def pte_tag_defs
|
2017-06-05 04:55:42 +00:00
|
|
|
pteBits_def add.commute[of "_ * 4"]
|
2016-10-25 06:01:30 +00:00
|
|
|
intro: typ_heap_simps split: if_split_asm)[1]
|
2017-06-05 04:55:42 +00:00
|
|
|
apply (wp getObject_inv loadObject_default_inv | simp add: pteBits_def)+
|
|
|
|
apply (simp add: objBits_simps archObjSize_def pteBits_def)
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (simp add: loadObject_default_inv)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (simp add: empty_fail_getObject)
|
|
|
|
apply (simp add: upto_enum_step_def upto_enum_word
|
2017-06-05 04:55:42 +00:00
|
|
|
largePagePTEOffsets_def pteBits_def
|
2016-10-25 06:01:30 +00:00
|
|
|
split: if_split)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule conseqPre, vcg)
|
2014-11-26 06:18:47 +00:00
|
|
|
apply (clarsimp simp: pte_tag_defs)
|
|
|
|
using pte_get_tag_exhaust
|
|
|
|
apply blast
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (wp getPTE_wp | simp | wpc)+
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (simp add: upto_enum_step_def upto_enum_word
|
2017-06-05 04:55:42 +00:00
|
|
|
word_bits_def largePagePTEOffsets_def
|
|
|
|
pteBits_def
|
2016-10-25 06:01:30 +00:00
|
|
|
split: if_split)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply simp
|
|
|
|
apply (rule ceqv_refl)
|
|
|
|
apply csymbr
|
|
|
|
apply (rule ccorres_return_CE, simp+)[1]
|
|
|
|
apply wp
|
|
|
|
apply (simp add: isLeft_def ccHoarePost_def xfdc_def
|
|
|
|
upto_enum_step_def)
|
|
|
|
apply (rule HoarePartial.SeqSwap)
|
2015-05-17 23:11:43 +00:00
|
|
|
apply (rule_tac Q="\<lbrace>Bonus \<acute>i \<longrightarrow> Prop \<acute>ret___struct_create_mappings_pte_return_C\<rbrace>"
|
|
|
|
and I="\<lbrace>Prop \<acute>ret___struct_create_mappings_pte_return_C\<rbrace>"
|
|
|
|
for Bonus Prop
|
2014-07-14 19:32:44 +00:00
|
|
|
in HoarePartial.reannotateWhileNoGuard)
|
|
|
|
apply (rule HoarePartial.While[OF order_refl])
|
|
|
|
apply (rule conseqPre, vcg)
|
2014-11-26 06:18:47 +00:00
|
|
|
apply (clarsimp simp: pte_tag_defs)
|
|
|
|
using pte_get_tag_exhaust
|
|
|
|
apply blast
|
2014-07-14 19:32:44 +00:00
|
|
|
apply clarsimp
|
|
|
|
apply vcg
|
|
|
|
apply simp
|
|
|
|
apply (rule_tac P'="{s. lu_ret___struct_lookupPTSlot_ret_C = errstate s}"
|
|
|
|
in ccorres_from_vcg_split_throws [where P=\<top>])
|
|
|
|
apply vcg
|
|
|
|
apply (rule conseqPre, vcg)
|
|
|
|
apply (clarsimp simp: fst_throwError_returnOk syscall_error_rel_def
|
|
|
|
syscall_error_to_H_cases exception_defs false_def)
|
|
|
|
apply (erule lookup_failure_rel_fault_lift[rotated])
|
|
|
|
apply (simp add: exception_defs)
|
|
|
|
apply (wp injection_wp[OF refl])
|
|
|
|
apply (simp add: linorder_not_less)
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (wp lookupPTSlot_le_0x3C lookupPTSlot_page_table_at' Arch_R.lookupPTSlot_aligned)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply simp
|
|
|
|
apply (vcg exspec=lookupPTSlot_modifies)
|
|
|
|
apply simp
|
|
|
|
apply vcg
|
|
|
|
apply (rule conseqPre, vcg)
|
|
|
|
apply clarsimp
|
|
|
|
apply (rule ccorres_inst[where P=\<top> and P'=UNIV])
|
|
|
|
apply simp
|
|
|
|
apply (clarsimp simp: gen_framesize_to_H_def vm_page_size_defs
|
|
|
|
vm_attribs_relation_def
|
|
|
|
from_bool_mask_simp[unfolded mask_def, simplified])
|
|
|
|
apply (clarsimp simp: typ_heap_simps pte_range_relation_def
|
|
|
|
ptr_range_to_list_def upto_enum_word)
|
2014-11-26 06:18:47 +00:00
|
|
|
apply (simp add: cpte_relation_def true_def false_def pte_tag_defs)
|
|
|
|
using pte_get_tag_exhaust
|
2017-06-05 04:55:42 +00:00
|
|
|
apply (auto simp: vmsz_aligned'_def largePagePTEOffsets_def pteBits_def
|
|
|
|
upt_def upto_enum_def upto_enum_step_def)[1]
|
2014-07-14 19:32:44 +00:00
|
|
|
done
|
|
|
|
|
|
|
|
lemma ptr_add_uint_of_nat [simp]:
|
2021-09-22 00:21:01 +00:00
|
|
|
"a +\<^sub>p uint (of_nat b :: word32) = a +\<^sub>p (int b)"
|
|
|
|
including no_take_bit
|
2014-07-14 19:32:44 +00:00
|
|
|
by (clarsimp simp: CTypesDefs.ptr_add_def)
|
|
|
|
|
2018-09-20 06:21:52 +00:00
|
|
|
declare int_unat[simp]
|
2014-07-14 19:32:44 +00:00
|
|
|
|
|
|
|
definition
|
2015-12-01 22:07:49 +00:00
|
|
|
"valid_pte_slots'2 slots \<equiv> \<lambda>s. case slots of Inl (pte,xs) \<Rightarrow> (\<exists>sz. sz \<le> 4 \<and> length xs = 2^sz \<and> is_aligned (hd xs) (sz+2)
|
|
|
|
\<and> (page_table_at' (hd xs && ~~ mask ptBits) s)
|
|
|
|
\<and> (sz = 0 \<or> sz = 4))
|
2014-07-14 19:32:44 +00:00
|
|
|
| Inr _ => True"
|
|
|
|
|
2015-12-01 22:07:49 +00:00
|
|
|
lemma valid_pte_slots_lift2:
|
|
|
|
"\<lbrakk> \<And>pt. \<lbrace> page_table_at' pt \<rbrace> f \<lbrace> \<lambda>_. page_table_at' pt \<rbrace> \<rbrakk>
|
|
|
|
\<Longrightarrow> \<lbrace> valid_pte_slots'2 slots \<rbrace> f \<lbrace> \<lambda>_. valid_pte_slots'2 slots \<rbrace>"
|
|
|
|
apply (cases slots, simp_all add: valid_pte_slots'2_def hoare_post_taut)
|
|
|
|
apply clarsimp
|
|
|
|
apply (wp hoare_vcg_ex_lift hoare_vcg_conj_lift | assumption)+
|
|
|
|
done
|
2014-07-14 19:32:44 +00:00
|
|
|
|
|
|
|
definition
|
2015-12-01 22:07:49 +00:00
|
|
|
"valid_pde_slots'2 slots \<equiv> \<lambda>s. case slots of Inl _ \<Rightarrow> True
|
2014-07-14 19:32:44 +00:00
|
|
|
| Inr (pde, xs) \<Rightarrow> (\<forall>x \<in> set xs. valid_pde_mapping_offset' (x && mask pdBits))
|
2015-12-01 22:07:49 +00:00
|
|
|
\<and> (page_directory_at' (hd xs && ~~ mask pdBits) s)
|
|
|
|
\<and> (\<exists>sz. sz \<le> 4 \<and> length xs = 2^sz \<and> is_aligned (hd xs) (sz+2)
|
2017-07-12 05:13:51 +00:00
|
|
|
\<and> (sz = 0 \<or> sz = 4))"
|
2015-12-01 22:07:49 +00:00
|
|
|
|
|
|
|
lemma valid_pde_slots_lift2:
|
|
|
|
"\<lbrakk> \<And>pd. \<lbrace> page_directory_at' pd \<rbrace> f \<lbrace> \<lambda>_. page_directory_at' pd \<rbrace> \<rbrakk>
|
|
|
|
\<Longrightarrow> \<lbrace> valid_pde_slots'2 slots \<rbrace> f \<lbrace> \<lambda>_. valid_pde_slots'2 slots \<rbrace>"
|
|
|
|
apply (cases slots, simp_all add: valid_pde_slots'2_def hoare_post_taut)
|
|
|
|
apply clarsimp
|
|
|
|
apply (wp hoare_vcg_ex_lift hoare_vcg_conj_lift | assumption)+
|
|
|
|
done
|
2014-07-14 19:32:44 +00:00
|
|
|
|
|
|
|
lemma addrFromPPtr_mask_5:
|
2016-02-02 00:53:00 +00:00
|
|
|
"addrFromPPtr ptr && mask (5::nat) = ptr && mask (5::nat)"
|
2020-11-13 11:24:06 +00:00
|
|
|
apply (simp add:addrFromPPtr_def pptrBaseOffset_def
|
|
|
|
pptrBase_def physBase_def ARM.physBase_def)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply word_bitwise
|
|
|
|
apply (simp add:mask_def)
|
|
|
|
done
|
|
|
|
|
2014-07-17 16:22:50 +00:00
|
|
|
lemma pteCheckIfMapped_ccorres:
|
2017-07-12 05:13:51 +00:00
|
|
|
"ccorres (\<lambda>rv rv'. rv = to_bool rv') ret__unsigned_long_' \<top>
|
|
|
|
(UNIV \<inter> {s. pte___ptr_to_struct_pte_C_' s = Ptr slot}) []
|
2014-07-17 16:22:50 +00:00
|
|
|
(pteCheckIfMapped slot)
|
|
|
|
(Call pteCheckIfMapped_'proc)"
|
|
|
|
apply (cinit lift: pte___ptr_to_struct_pte_C_')
|
|
|
|
apply (rule ccorres_pre_getObject_pte)
|
|
|
|
apply (rule_tac P'="{s. \<exists>pte'. cslift s (pte_Ptr slot) = Some pte' \<and> cpte_relation rv pte'}"
|
|
|
|
in ccorres_from_vcg_throws[where P="\<lambda>s. True"])
|
|
|
|
apply simp_all
|
|
|
|
apply clarsimp
|
|
|
|
apply (rule conseqPre, vcg)
|
|
|
|
apply (clarsimp simp: typ_heap_simps' return_def)
|
2014-11-26 06:18:47 +00:00
|
|
|
apply (case_tac rv, simp_all add: to_bool_def isInvalidPTE_def pte_tag_defs pte_pte_invalid_def
|
|
|
|
cpte_relation_def pte_pte_large_lift_def pte_get_tag_def
|
|
|
|
pte_lift_def Let_def
|
2016-10-25 06:01:30 +00:00
|
|
|
split: if_split_asm)
|
2014-07-17 16:22:50 +00:00
|
|
|
done
|
|
|
|
|
2017-07-12 05:13:51 +00:00
|
|
|
lemma cpde_relation_invalid:
|
2014-07-17 16:22:50 +00:00
|
|
|
"cpde_relation pdea pde \<Longrightarrow> (pde_get_tag pde = scast pde_pde_invalid) = isInvalidPDE pdea"
|
|
|
|
apply (simp add: cpde_relation_def Let_def)
|
|
|
|
apply (simp add: pde_pde_invalid_lift)
|
|
|
|
apply (case_tac pdea, simp_all add: isInvalidPDE_def) [1]
|
|
|
|
apply clarsimp
|
|
|
|
apply (simp add: pde_pde_invalid_lift_def)
|
|
|
|
done
|
|
|
|
|
|
|
|
lemma pdeCheckIfMapped_ccorres:
|
2017-07-12 05:13:51 +00:00
|
|
|
"ccorres (\<lambda>rv rv'. rv = to_bool rv') ret__unsigned_long_' \<top>
|
|
|
|
(UNIV \<inter> {s. pde___ptr_to_struct_pde_C_' s = Ptr slot}) []
|
2014-07-17 16:22:50 +00:00
|
|
|
(pdeCheckIfMapped slot)
|
|
|
|
(Call pdeCheckIfMapped_'proc)"
|
|
|
|
apply (cinit lift: pde___ptr_to_struct_pde_C_')
|
|
|
|
apply (rule ccorres_pre_getObject_pde)
|
|
|
|
apply (rule_tac P'="{s. \<exists>pde'. cslift s (pde_Ptr slot) = Some pde' \<and> cpde_relation rv pde'}"
|
|
|
|
in ccorres_from_vcg_throws[where P="\<lambda>s. True"])
|
|
|
|
apply simp_all
|
|
|
|
apply clarsimp
|
|
|
|
apply (rule conseqPre, vcg)
|
|
|
|
apply (clarsimp simp: typ_heap_simps' return_def)
|
2017-07-12 05:13:51 +00:00
|
|
|
apply (case_tac rv, simp_all add: to_bool_def cpde_relation_invalid isInvalidPDE_def
|
2016-10-25 06:01:30 +00:00
|
|
|
split: if_split)
|
2014-07-17 16:22:50 +00:00
|
|
|
done
|
|
|
|
|
2015-12-01 22:07:49 +00:00
|
|
|
lemma array_assertion_abs_pte_16_mv_aligned:
|
|
|
|
"\<forall>s s'. (s, s') \<in> rf_sr \<and> (page_table_at' (ptr_val ptPtr && ~~ mask ptBits) s)
|
|
|
|
\<and> (n s' \<le> 16 \<and> (x s' \<noteq> k \<longrightarrow> is_aligned (ptr_val ptPtr) 6 \<and> n s' \<noteq> 0))
|
|
|
|
\<longrightarrow> (x s' = k \<or> array_assertion (ptPtr :: pte_C ptr) (n s') (hrs_htd (t_hrs_' (globals s'))))"
|
|
|
|
by (metis array_assertion_abs_pte_16)
|
|
|
|
|
|
|
|
lemmas ccorres_move_array_assertion_pte_16_2
|
|
|
|
= ccorres_move_array_assertions[OF array_assertion_abs_pte_16_mv_aligned]
|
|
|
|
|
2014-07-14 19:32:44 +00:00
|
|
|
(* FIXME: move *)
|
|
|
|
lemma performPageInvocationMapPTE_ccorres:
|
|
|
|
"ccorres (K (K \<bottom>) \<currency> dc) (liftxf errstate id (K ()) ret__unsigned_long_')
|
2015-07-13 06:17:55 +00:00
|
|
|
(invs' and cte_at' slot and (\<lambda>s. 63 \<le> gsMaxObjectSize s)
|
2015-12-01 22:07:49 +00:00
|
|
|
and valid_pte_slots'2 mapping and (\<lambda>_. asid \<le> mask asid_bits))
|
2014-07-14 19:32:44 +00:00
|
|
|
(UNIV \<inter> {s. pte_range_relation (snd (theLeft mapping)) (pte_entries_' s)}
|
|
|
|
\<inter> {s. cpte_relation (fst (theLeft mapping)) (pte_' s)}
|
|
|
|
\<inter> {s. ccap_relation cap (cap_' s)}
|
|
|
|
\<inter> {s. ctSlot_' s = cte_Ptr slot}
|
2014-07-17 16:22:50 +00:00
|
|
|
\<inter> {s. asid_' s = asid}
|
2014-07-14 19:32:44 +00:00
|
|
|
\<inter> {s. isLeft mapping}) []
|
2014-07-17 16:22:50 +00:00
|
|
|
(liftE (performPageInvocation (PageMap asid cap slot mapping)))
|
2014-07-14 19:32:44 +00:00
|
|
|
(Call performPageInvocationMapPTE_'proc)"
|
2021-09-22 00:21:01 +00:00
|
|
|
including no_take_bit no_0_dvd
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule ccorres_gen_asm2)
|
|
|
|
apply (rule ccorres_gen_asm)
|
|
|
|
apply (simp only: liftE_liftM ccorres_liftM_simp)
|
2014-07-17 16:22:50 +00:00
|
|
|
apply (cinit lift: pte_entries_' pte_' cap_' ctSlot_' asid_' )
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (rule_tac P="\<exists>s. valid_pte_slots'2 mapping s" in ccorres_gen_asm)
|
2014-07-17 16:22:50 +00:00
|
|
|
apply (rule ccorres_gen_asm [where P ="snd (theLeft mapping)\<noteq>[]"])
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (clarsimp simp: isLeft_def simp del: Collect_const)
|
|
|
|
apply (ctac (no_vcg))
|
2014-07-17 16:22:50 +00:00
|
|
|
apply (ctac (no_vcg) add: pteCheckIfMapped_ccorres)
|
|
|
|
apply csymbr
|
|
|
|
apply (simp add: mapM_discarded whileAnno_def
|
|
|
|
Collect_False
|
|
|
|
del: Collect_const)
|
2015-07-13 06:17:55 +00:00
|
|
|
apply (rule ccorres_Guard_Seq)
|
|
|
|
apply (rule ccorres_basic_srnoop2, simp)
|
|
|
|
apply csymbr
|
2014-07-17 16:22:50 +00:00
|
|
|
apply (rule ccorres_split_nothrow_novcg)
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (rule_tac F="\<lambda>_. valid_pte_slots'2 mapping"
|
|
|
|
in ccorres_mapM_x_while' [where i=0])
|
2014-07-17 16:22:50 +00:00
|
|
|
apply clarsimp
|
|
|
|
apply (rule ccorres_guard_imp2)
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (rule ccorres_move_array_assertion_pte_16_2
|
|
|
|
| (rule ccorres_flip_Guard, rule ccorres_move_array_assertion_pte_16_2))+
|
2014-07-17 16:22:50 +00:00
|
|
|
apply (rule storePTE_Basic_ccorres', simp)
|
|
|
|
apply clarsimp
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (clarsimp simp: pte_range_relation_def ptr_range_to_list_def
|
|
|
|
unat_of_nat)
|
|
|
|
apply (auto simp: valid_pte_slots'2_def upt_conv_Cons[where i=0] of_nat_gt_0)[1]
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (clarsimp simp: pte_range_relation_def ptr_range_to_list_def)
|
2014-07-17 16:22:50 +00:00
|
|
|
apply vcg
|
|
|
|
apply simp
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (simp add: valid_pte_slots'2_def)
|
|
|
|
apply (rule hoare_pre, wp hoare_vcg_ex_lift, simp)
|
2014-07-17 16:22:50 +00:00
|
|
|
apply clarsimp
|
|
|
|
apply (clarsimp simp: pte_range_relation_def ptr_range_to_list_def)
|
|
|
|
apply (rule order_less_le_trans)
|
|
|
|
apply (rule unat_lt2p)
|
|
|
|
apply (simp add: word_bits_def)
|
|
|
|
apply ceqv
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (rule_tac P="valid_pte_slots'2 mapping"
|
|
|
|
in ccorres_cross_over_guard)
|
2014-07-17 16:22:50 +00:00
|
|
|
apply csymbr
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (rule ccorres_move_c_guard_pte
|
|
|
|
ccorres_move_array_assertion_pte_16_2
|
|
|
|
ccorres_Guard_Seq
|
|
|
|
ccorres_rhs_assoc)+
|
|
|
|
apply (ctac add: cleanCacheRange_PoU_ccorres)
|
|
|
|
apply (rule ccorres_move_c_guard_pte
|
|
|
|
ccorres_move_array_assertion_pte_16_2
|
|
|
|
ccorres_rhs_assoc)+
|
|
|
|
apply (simp add: when_def del: Collect_const)
|
|
|
|
apply (rule ccorres_Cond_rhs_Seq)
|
|
|
|
apply (simp add: to_bool_def)
|
|
|
|
apply (rule ccorres_add_return2)
|
|
|
|
apply (ctac (no_vcg) add: invalidateTLBByASID_ccorres)
|
|
|
|
apply (rule_tac P=\<top> and P'=UNIV in ccorres_from_vcg_throws)
|
|
|
|
apply (rule allI, rule conseqPre, vcg)
|
|
|
|
apply (clarsimp simp:return_def)
|
|
|
|
apply (rule wp_post_taut)
|
2014-07-17 16:22:50 +00:00
|
|
|
apply (simp add: to_bool_def)
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (rule_tac P=\<top> and P'=UNIV in ccorres_from_vcg_throws)
|
|
|
|
apply (rule allI, rule conseqPre, vcg)
|
|
|
|
apply (clarsimp simp:return_def)
|
|
|
|
apply (wp hoare_vcg_const_imp_lift) [1]
|
|
|
|
apply clarsimp
|
|
|
|
apply (vcg exspec=cleanCacheRange_PoU_modifies)
|
2014-07-17 16:22:50 +00:00
|
|
|
apply (clarsimp simp: to_bool_def)
|
|
|
|
apply (rule hoare_strengthen_post)
|
2015-07-13 06:17:55 +00:00
|
|
|
apply (rule_tac Q'="\<lambda>rv s. valid_pde_mappings' s
|
2015-12-01 22:07:49 +00:00
|
|
|
\<and> valid_pte_slots'2 mapping s
|
2015-07-13 06:17:55 +00:00
|
|
|
\<and> unat (last (snd (theLeft mapping)) + 3
|
|
|
|
- hd (snd (theLeft mapping))) \<le> gsMaxObjectSize s" in hoare_vcg_conj_lift)
|
2014-07-17 16:22:50 +00:00
|
|
|
apply (rule mapM_x_accumulate_checks)
|
|
|
|
apply (simp add: storePTE_def)
|
|
|
|
apply (rule obj_at_setObject3)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply simp
|
2017-06-05 04:55:42 +00:00
|
|
|
apply (simp add: objBits_simps archObjSize_def pteBits_def)
|
2014-07-17 16:22:50 +00:00
|
|
|
apply (simp add: typ_at_to_obj_at_arches[symmetric])
|
2015-12-01 22:07:49 +00:00
|
|
|
apply ((wp mapM_x_wp_inv hoare_vcg_ex_lift | simp add: valid_pte_slots'2_def)+)[2]
|
2014-07-17 16:22:50 +00:00
|
|
|
apply clarsimp
|
|
|
|
apply (simp add: typ_at_to_obj_at_arches)
|
|
|
|
apply (frule bspec, erule hd_in_set)
|
|
|
|
apply (drule bspec, erule last_in_set)
|
|
|
|
apply (simp add: hd_conv_nth last_conv_nth)
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (rule conj_assoc[where Q="a \<le> b" for a b, THEN iffD1])+
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule conjI)
|
2014-07-17 16:22:50 +00:00
|
|
|
(* the inequality first *)
|
2017-06-05 04:55:42 +00:00
|
|
|
apply (clarsimp simp:valid_pte_slots'2_def pteBits_def
|
2014-07-17 16:22:50 +00:00
|
|
|
objBits_simps archObjSize_def hd_conv_nth)
|
|
|
|
apply (clarsimp simp:pte_range_relation_def ptr_range_to_list_def ptr_add_def)
|
|
|
|
apply (frule is_aligned_addrFromPPtr_n,simp)
|
2015-07-13 06:17:55 +00:00
|
|
|
apply (cut_tac n = "sz + 2" in power_not_zero[where 'a="32"])
|
2014-07-17 16:22:50 +00:00
|
|
|
apply simp
|
2014-09-10 07:26:44 +00:00
|
|
|
apply (subst is_aligned_no_wrap', assumption, fastforce simp: field_simps)
|
2015-07-13 06:17:55 +00:00
|
|
|
apply (subst add_diff_eq [symmetric], subst is_aligned_no_wrap', assumption, fastforce simp: field_simps)
|
2014-07-17 16:22:50 +00:00
|
|
|
apply (simp add:addrFromPPtr_mask_5)
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (clarsimp simp:pte_range_relation_def ptr_add_def ptr_range_to_list_def
|
|
|
|
addrFromPPtr_mask_5)
|
|
|
|
apply (auto simp: valid_pte_slots'2_def upt_conv_Cons[where i=0])[1]
|
2014-07-17 16:22:50 +00:00
|
|
|
apply (clarsimp simp: guard_is_UNIV_def Collect_const_mem hd_conv_nth last_conv_nth ucast_minus)
|
|
|
|
apply (clarsimp simp: pte_range_relation_def ptr_range_to_list_def objBits_simps archObjSize_def)
|
|
|
|
apply (simp add: CTypesDefs.ptr_add_def ucast_nat_def word_0_sle_from_less)
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (clarsimp simp: valid_pte_slots'2_def del: disjCI)
|
2017-06-05 04:55:42 +00:00
|
|
|
apply (erule disjE, simp_all add: unat_arith_simps pteBits_def)[1]
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (clarsimp simp: upt_conv_Cons[where i=0])
|
2017-01-13 12:58:40 +00:00
|
|
|
apply (wp valid_pte_slots_lift2)+
|
2015-07-13 06:17:55 +00:00
|
|
|
apply (clarsimp simp: pte_range_relation_def map_is_Nil_conv hd_map_simp
|
|
|
|
ptr_range_to_list_def valid_pte_slots'2_def
|
|
|
|
word_le_nat_alt power_increasing[where a="2 :: nat" and N=4, simplified])
|
|
|
|
apply (clarsimp simp: pte_range_relation_def ptr_range_to_list_def unat_1_0
|
|
|
|
valid_pte_slots'2_def isLeft_def last_map hd_map
|
|
|
|
ptr_add_def)
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (auto elim!: order_trans[rotated] simp: unat_word_ariths unat_arith_simps)[1]
|
2014-07-14 19:32:44 +00:00
|
|
|
done
|
|
|
|
|
|
|
|
lemma pde_align_ptBits:
|
2016-05-04 05:07:51 +00:00
|
|
|
"\<lbrakk> ko_at' (ARM_H.PageTablePDE x xa xb) slot s ;valid_objs' s\<rbrakk>
|
2014-07-14 19:32:44 +00:00
|
|
|
\<Longrightarrow> is_aligned (ptrFromPAddr x) ptBits"
|
|
|
|
apply (drule ko_at_valid_objs')
|
|
|
|
apply simp
|
|
|
|
apply (simp add:projectKO_opts_defs injectKO_defs
|
|
|
|
split:Structures_H.kernel_object.splits
|
|
|
|
arch_kernel_object.splits)+
|
|
|
|
apply (simp add:valid_obj'_def)
|
|
|
|
apply (rule is_aligned_ptrFromPAddr_n)
|
|
|
|
apply simp
|
2017-06-05 04:55:42 +00:00
|
|
|
apply (simp add:ptBits_def pageBits_def pteBits_def)
|
2014-07-14 19:32:44 +00:00
|
|
|
done
|
|
|
|
|
|
|
|
lemma createMappingEntries_valid_pte_slots'2:
|
|
|
|
"\<lbrace>K (vmsz_aligned' vptr sz) and valid_objs'\<rbrace>
|
|
|
|
createMappingEntries base vptr sz vm_rights attrib pt
|
2015-12-01 22:07:49 +00:00
|
|
|
\<lbrace>\<lambda>rv. valid_pte_slots'2 rv\<rbrace>,-"
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (simp add: createMappingEntries_def valid_pde_slots'2_def)
|
|
|
|
apply (cases sz, simp_all)
|
|
|
|
apply (wp | simp)+
|
|
|
|
apply (simp add:lookupPTSlot_def)
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (wp getPDE_wp|wpc|simp add: checkPTAt_def valid_pte_slots'2_def)+
|
|
|
|
apply (clarsimp simp:valid_pte_slots'2_def lookup_pt_slot_no_fail_def)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule_tac x = 0 in exI)
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (subst vaddr_segment_nonsense3[simplified pt_bits_stuff])
|
2017-06-05 04:55:42 +00:00
|
|
|
apply (simp add: page_table_at'_def ptBits_def pageBits_def pteBits_def)
|
2015-12-01 22:07:49 +00:00
|
|
|
apply simp
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule aligned_add_aligned[where n = 2])
|
|
|
|
apply (drule pde_align_ptBits)
|
|
|
|
apply simp
|
|
|
|
apply (erule is_aligned_weaken)
|
|
|
|
apply (simp add:ptBits_def pageBits_def)
|
|
|
|
apply (simp add: is_aligned_shiftl)
|
|
|
|
apply simp
|
|
|
|
apply (simp add:lookupPTSlot_def)
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (wp getPDE_wp|wpc|simp add: valid_pte_slots'2_def checkPTAt_def)+
|
|
|
|
apply (clarsimp simp:valid_pte_slots'2_def lookup_pt_slot_no_fail_def)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule_tac x = 4 in exI)
|
2017-06-05 04:55:42 +00:00
|
|
|
apply (clarsimp simp:upto_enum_step_def largePagePTEOffsets_def pteBits_def
|
|
|
|
split:if_splits)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule context_conjI)
|
2017-06-05 04:55:42 +00:00
|
|
|
apply (simp add: vmsz_aligned'_def upto_enum_def hd_map_simp)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (erule(1) aligned_add_aligned[OF pde_align_ptBits])
|
|
|
|
apply (rule is_aligned_shiftl[OF aligned_already_mask],simp)
|
|
|
|
apply (rule is_aligned_shiftr)
|
|
|
|
apply simp
|
|
|
|
apply (simp add:ptBits_def pageBits_def)
|
|
|
|
apply (clarsimp simp:upto_enum_def hd_map_simp)
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (subst vaddr_segment_nonsense3[simplified pt_bits_stuff])
|
2017-06-05 04:55:42 +00:00
|
|
|
apply (simp add: page_table_at'_def ptBits_def pageBits_def pteBits_def)
|
2015-12-01 22:07:49 +00:00
|
|
|
apply simp
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (wp | simp add:valid_pte_slots'2_def)+
|
|
|
|
done
|
|
|
|
|
|
|
|
(* replay of proof in Arch_R with stronger validity result *)
|
|
|
|
lemma createMappingEntries_valid_pde_slots'2:
|
2020-11-13 11:24:06 +00:00
|
|
|
"\<lbrace>page_directory_at' pd and K (vmsz_aligned' vptr sz \<and> vptr < pptrBase)\<rbrace>
|
2014-07-14 19:32:44 +00:00
|
|
|
createMappingEntries base vptr sz vm_rights attrib pd
|
2015-12-01 22:07:49 +00:00
|
|
|
\<lbrace>\<lambda>rv. valid_pde_slots'2 rv\<rbrace>,-"
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (simp add: createMappingEntries_def valid_pde_slots'2_def)
|
|
|
|
apply (cases sz, simp_all)
|
|
|
|
apply (wp | simp)+
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (clarsimp simp: page_directory_at'_def
|
|
|
|
lookup_pd_slot_eq[unfolded pd_bits_def, folded pdBits_def])
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (clarsimp simp: lookup_pd_slot_def Let_def mask_add_aligned)
|
|
|
|
apply (rule conjI)
|
2020-11-13 11:24:06 +00:00
|
|
|
apply (erule less_pptrBase_valid_pde_offset'')
|
2017-06-08 01:49:25 +00:00
|
|
|
apply (rule conjI)
|
|
|
|
apply (clarsimp simp: vaddr_segment_nonsense6)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule_tac x= 0 in exI)
|
|
|
|
apply simp
|
|
|
|
apply (erule aligned_add_aligned
|
|
|
|
[OF is_aligned_weaken is_aligned_shiftl,where n = 2])
|
|
|
|
apply (simp add:pdBits_def)
|
|
|
|
apply (simp add:vmsz_aligned'_def)
|
|
|
|
apply simp
|
2017-06-08 01:49:25 +00:00
|
|
|
apply (rule hoare_pre, wp)
|
|
|
|
apply (clarsimp simp: vmsz_aligned'_def page_directory_at'_def lookup_pd_slot_def)
|
|
|
|
apply (rule conjI)
|
2018-06-09 08:27:30 +00:00
|
|
|
subgoal \<comment> \<open>valid_pde_mapping_offset'\<close>
|
2017-06-08 01:49:25 +00:00
|
|
|
apply (clarsimp simp: superSectionPDEOffsets_def length_upto_enum_step pdeBits_def)
|
|
|
|
apply (clarsimp simp: upto_enum_step_def upto_enum_def comp_def)
|
|
|
|
apply (clarsimp simp: linorder_not_less field_simps mask_add_aligned)
|
2020-11-13 11:24:06 +00:00
|
|
|
apply (erule less_pptrBase_valid_pde_offset', simp+)
|
2017-06-08 01:49:25 +00:00
|
|
|
apply (rule word_of_nat_le, simp)
|
|
|
|
done
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule conjI)
|
2018-06-09 08:27:30 +00:00
|
|
|
subgoal \<comment> \<open>pde_at'\<close>
|
2017-06-08 01:49:25 +00:00
|
|
|
apply (clarsimp simp: superSectionPDEOffsets_def length_upto_enum_step pdeBits_def)
|
|
|
|
apply (clarsimp simp:upto_enum_step_def upto_enum_def hd_map_simp comp_def)
|
|
|
|
apply (simp add: vaddr_segment_nonsense6)
|
|
|
|
done
|
|
|
|
apply (rule_tac x = 4 in exI)
|
|
|
|
apply (clarsimp simp: superSectionPDEOffsets_def length_upto_enum_step pdeBits_def)
|
|
|
|
apply (clarsimp simp:upto_enum_step_def upto_enum_def hd_map_simp comp_def isSuperSectionPDE_def)
|
|
|
|
apply (erule aligned_add_aligned)
|
|
|
|
apply (rule is_aligned_shiftl, simp)
|
|
|
|
apply (rule is_aligned_shiftr)
|
|
|
|
apply simp
|
|
|
|
apply (simp add: pdBits_def)
|
|
|
|
done
|
2014-07-14 19:32:44 +00:00
|
|
|
|
2014-07-17 16:22:50 +00:00
|
|
|
lemma mapM_x_storePDE_pde_mappings':
|
2015-12-01 22:07:49 +00:00
|
|
|
"\<lbrakk>valid_pde_slots'2 (Inr (a, b)) s; b \<noteq> []\<rbrakk> \<Longrightarrow> \<lbrace>valid_pde_mappings'\<rbrace>
|
2014-07-17 16:22:50 +00:00
|
|
|
mapM_x (\<lambda>b. storePDE b a) b \<lbrace>\<lambda>rv. valid_pde_mappings'\<rbrace>"
|
|
|
|
apply (wp mapM_x_wp')
|
|
|
|
apply (auto simp: valid_pde_slots'2_def valid_pde_mapping'_def)
|
|
|
|
done
|
|
|
|
|
2015-12-01 22:07:49 +00:00
|
|
|
lemma array_assertion_abs_pde_16_no_lookup:
|
|
|
|
"\<forall>s s'. (s, s') \<in> rf_sr \<and> (page_directory_at' (ptr_val ptr && ~~ mask pdBits) s)
|
|
|
|
\<and> (n s' \<le> 16 \<and> (x s' \<noteq> k \<longrightarrow> n s' \<noteq> 0 \<and> is_aligned (ptr_val ptr) 6))
|
|
|
|
\<longrightarrow> (x s' = k \<or> array_assertion (ptr :: pde_C ptr) (n s') (hrs_htd (t_hrs_' (globals s'))))"
|
|
|
|
apply (intro allI impI disjCI2, clarsimp)
|
|
|
|
apply (frule(1) page_directory_at_rf_sr, clarsimp)
|
|
|
|
apply (erule clift_array_assertion_imp, simp_all)
|
|
|
|
apply (rule_tac x="unat ((ptr_val ptr && mask pdBits) >> 2)" in exI)
|
|
|
|
apply (simp add: shiftl_t2n[where n=2, symmetric, THEN trans[rotated],
|
|
|
|
OF mult.commute, simplified])
|
|
|
|
apply (cases ptr, simp add: shiftr_shiftl1)
|
|
|
|
apply (rule conjI, rule trans,
|
|
|
|
rule word_plus_and_or_coroll2[symmetric, where w="mask pdBits"])
|
2018-09-17 06:17:28 +00:00
|
|
|
apply (simp, rule is_aligned_neg_mask_eq[THEN sym], rule is_aligned_andI1,
|
2015-12-01 22:07:49 +00:00
|
|
|
erule is_aligned_weaken, simp)
|
|
|
|
apply (rule order_trans, erule add_mono[OF order_refl], simp)
|
|
|
|
apply (rule unat_le_helper)
|
|
|
|
apply (simp add: is_aligned_mask mask_def pdBits_def pageBits_def)
|
2017-06-05 04:55:42 +00:00
|
|
|
apply (word_bitwise, simp add: pdeBits_def)
|
2015-12-01 22:07:49 +00:00
|
|
|
done
|
|
|
|
|
|
|
|
lemmas ccorres_move_array_assertion_pde_16_2
|
|
|
|
= ccorres_move_array_assertions[OF array_assertion_abs_pde_16_no_lookup]
|
2014-07-17 16:22:50 +00:00
|
|
|
|
2014-07-14 19:32:44 +00:00
|
|
|
lemma performPageInvocationMapPDE_ccorres:
|
|
|
|
"ccorres (K (K \<bottom>) \<currency> dc) (liftxf errstate id (K ()) ret__unsigned_long_')
|
2015-07-13 06:17:55 +00:00
|
|
|
(invs' and cte_at' slot and (\<lambda>s. 63 \<le> gsMaxObjectSize s)
|
2015-12-01 22:07:49 +00:00
|
|
|
and valid_pde_slots'2 mapping and (\<lambda>s. asid \<le> mask asid_bits))
|
2014-07-14 19:32:44 +00:00
|
|
|
(UNIV \<inter> {s. pde_range_relation (snd (theRight mapping)) (pde_entries_' s)}
|
|
|
|
\<inter> {s. cpde_relation (fst (theRight mapping)) (pde_' s)}
|
|
|
|
\<inter> {s. ccap_relation cap (cap_' s)}
|
|
|
|
\<inter> {s. ctSlot_' s = cte_Ptr slot}
|
2014-07-17 16:22:50 +00:00
|
|
|
\<inter> {s. asid_' s = asid}
|
2014-07-14 19:32:44 +00:00
|
|
|
\<inter> {s. isRight mapping}) []
|
2014-07-17 16:22:50 +00:00
|
|
|
(liftE (performPageInvocation (PageMap asid cap slot mapping)))
|
2014-07-14 19:32:44 +00:00
|
|
|
(Call performPageInvocationMapPDE_'proc)"
|
2021-09-22 00:21:01 +00:00
|
|
|
including no_take_bit no_0_dvd
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule ccorres_gen_asm)
|
|
|
|
apply (rule ccorres_gen_asm2)
|
|
|
|
apply (simp only: liftE_liftM ccorres_liftM_simp)
|
2014-07-17 16:22:50 +00:00
|
|
|
apply (cinit lift: pde_entries_' pde_' cap_' ctSlot_' asid_' )
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (rule_tac P="\<exists>s. valid_pde_slots'2 mapping s" in ccorres_gen_asm)
|
2014-07-17 16:22:50 +00:00
|
|
|
apply (rule ccorres_gen_asm [where P ="snd (theRight mapping)\<noteq>[]"])
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (clarsimp simp: isRight_def simp del: Collect_const)
|
|
|
|
apply (ctac (no_vcg))
|
2014-07-17 16:22:50 +00:00
|
|
|
apply (ctac (no_vcg) add: pdeCheckIfMapped_ccorres)
|
|
|
|
apply csymbr
|
|
|
|
apply (simp add: mapM_discarded whileAnno_def
|
|
|
|
Collect_False
|
|
|
|
del: Collect_const)
|
2015-07-13 06:17:55 +00:00
|
|
|
apply (rule ccorres_Guard_Seq)
|
|
|
|
apply (rule ccorres_basic_srnoop2, simp)
|
|
|
|
apply csymbr
|
2014-07-17 16:22:50 +00:00
|
|
|
apply (rule ccorres_split_nothrow_novcg)
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (rule_tac F="\<lambda>_. valid_pde_slots'2 mapping" in ccorres_mapM_x_while' [where i=0])
|
2014-07-17 16:22:50 +00:00
|
|
|
apply clarsimp
|
|
|
|
apply (rule ccorres_guard_imp2)
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (rule ccorres_Guard[where F=MemorySafety]
|
|
|
|
| (rule ccorres_flip_Guard, rule ccorres_Guard[where F=MemorySafety]))+
|
2014-07-17 16:22:50 +00:00
|
|
|
apply (rule storePDE_Basic_ccorres', simp)
|
|
|
|
apply clarsimp
|
|
|
|
apply (clarsimp simp: pde_range_relation_def ptr_range_to_list_def
|
|
|
|
valid_pde_slots'2_def ucast_nat_def ucast_minus
|
|
|
|
of_nat_ucast)
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (erule disjE, simp_all)[1]
|
|
|
|
apply (simp add: upt_conv_Cons[where i=0])
|
|
|
|
apply (subst array_assertion_abs_pde_16_no_lookup, erule conjI,
|
|
|
|
clarsimp simp: unat_of_nat of_nat_gt_0)+
|
|
|
|
apply simp
|
2014-07-17 16:22:50 +00:00
|
|
|
apply (clarsimp simp: pde_range_relation_def ptr_range_to_list_def)
|
|
|
|
apply vcg
|
|
|
|
apply simp
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (wp valid_pde_slots_lift2)
|
2014-07-17 16:22:50 +00:00
|
|
|
apply clarsimp
|
|
|
|
apply (clarsimp simp: pde_range_relation_def ptr_range_to_list_def)
|
|
|
|
apply (rule order_less_le_trans)
|
|
|
|
apply (rule unat_lt2p)
|
|
|
|
apply (simp add: word_bits_def)
|
|
|
|
apply ceqv
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (rule_tac P="valid_pde_slots'2 mapping" in ccorres_cross_over_guard)
|
2014-07-17 16:22:50 +00:00
|
|
|
apply csymbr
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (rule ccorres_move_c_guard_pde
|
|
|
|
ccorres_move_array_assertion_pde_16_2 ccorres_Guard_Seq
|
|
|
|
ccorres_rhs_assoc)+
|
|
|
|
apply (ctac(no_vcg) add: cleanCacheRange_PoU_ccorres)
|
|
|
|
apply (rule ccorres_move_c_guard_pde
|
|
|
|
ccorres_move_array_assertion_pde_16_2 ccorres_Guard_Seq
|
|
|
|
ccorres_rhs_assoc)+
|
|
|
|
apply (simp add: when_def del: Collect_const)
|
2014-07-17 16:22:50 +00:00
|
|
|
apply (rule ccorres_Cond_rhs_Seq)
|
|
|
|
apply (simp add: to_bool_def)
|
|
|
|
apply (rule ccorres_add_return2)
|
|
|
|
apply (ctac (no_vcg) add: invalidateTLBByASID_ccorres)
|
|
|
|
apply (rule_tac P=\<top> and P'=UNIV in ccorres_from_vcg_throws)
|
|
|
|
apply (rule allI, rule conseqPre, vcg)
|
|
|
|
apply (clarsimp simp:return_def)
|
|
|
|
apply wp [1]
|
|
|
|
apply (simp add: to_bool_def)
|
|
|
|
apply (rule_tac P=\<top> and P'=UNIV in ccorres_from_vcg_throws)
|
|
|
|
apply (rule allI, rule conseqPre, vcg)
|
|
|
|
apply (clarsimp simp:return_def)
|
|
|
|
apply (wp hoare_vcg_const_imp_lift) [1]
|
|
|
|
apply (clarsimp simp: to_bool_def)
|
|
|
|
apply (rule hoare_strengthen_post)
|
2015-07-13 06:17:55 +00:00
|
|
|
apply (rule_tac Q'="\<lambda>rv s. valid_pde_mappings' s
|
2015-12-01 22:07:49 +00:00
|
|
|
\<and> valid_pde_slots'2 mapping s
|
2015-07-13 06:17:55 +00:00
|
|
|
\<and> unat (last (snd (theRight mapping)) + 3
|
|
|
|
- hd (snd (theRight mapping))) \<le> gsMaxObjectSize s" in hoare_vcg_conj_lift)
|
2014-07-17 16:22:50 +00:00
|
|
|
apply (rule mapM_x_accumulate_checks)
|
|
|
|
apply (simp add: storePDE_def)
|
|
|
|
apply (rule obj_at_setObject3)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply simp
|
2017-06-05 04:55:42 +00:00
|
|
|
apply (simp add: objBits_simps archObjSize_def pdeBits_def)
|
2014-07-17 16:22:50 +00:00
|
|
|
apply (simp add: typ_at_to_obj_at_arches[symmetric])
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (wp mapM_x_storePDE_pde_mappings' mapM_x_wp' valid_pde_slots_lift2 | simp)+
|
2014-07-17 16:22:50 +00:00
|
|
|
apply clarsimp
|
|
|
|
apply (simp add: typ_at_to_obj_at_arches)
|
|
|
|
apply (frule bspec, erule hd_in_set)
|
|
|
|
apply (drule bspec, erule last_in_set)
|
|
|
|
apply (simp add: hd_conv_nth last_conv_nth)
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (rule conj_assoc[where Q="a \<le> b" for a b, THEN iffD1])+
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule conjI)
|
2014-07-17 16:22:50 +00:00
|
|
|
(* the inequality first *)
|
2017-06-05 04:55:42 +00:00
|
|
|
apply (clarsimp simp:valid_pde_slots'2_def pdeBits_def
|
2014-07-17 16:22:50 +00:00
|
|
|
objBits_simps archObjSize_def hd_conv_nth)
|
|
|
|
apply (clarsimp simp:pde_range_relation_def ptr_range_to_list_def ptr_add_def)
|
|
|
|
apply (frule is_aligned_addrFromPPtr_n,simp)
|
|
|
|
apply (cut_tac n = "sz+2" in power_not_zero[where 'a="32"])
|
|
|
|
apply simp
|
2014-09-10 07:26:44 +00:00
|
|
|
apply (subst is_aligned_no_wrap', assumption, fastforce simp: field_simps)
|
|
|
|
apply (subst add_diff_eq [symmetric])
|
|
|
|
apply (subst is_aligned_no_wrap', assumption, fastforce simp: field_simps)
|
2014-07-17 16:22:50 +00:00
|
|
|
apply (simp add:addrFromPPtr_mask_5)
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (clarsimp simp: pde_range_relation_def ptr_range_to_list_def CTypesDefs.ptr_add_def
|
|
|
|
valid_pde_slots'2_def addrFromPPtr_mask_5)
|
|
|
|
apply (auto simp: upt_conv_Cons[where i=0])[1]
|
2014-07-17 16:22:50 +00:00
|
|
|
apply (clarsimp simp: guard_is_UNIV_def Collect_const_mem hd_conv_nth last_conv_nth)
|
2017-06-05 04:55:42 +00:00
|
|
|
apply (clarsimp simp: pde_range_relation_def ptr_range_to_list_def pdeBits_def)
|
2014-07-17 16:22:50 +00:00
|
|
|
apply (simp add: CTypesDefs.ptr_add_def ucast_nat_def ucast_minus objBits_simps archObjSize_def
|
|
|
|
word_0_sle_from_less)
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (clarsimp simp: valid_pde_slots'2_def del: disjCI)
|
|
|
|
apply (erule disjE, simp_all add: unat_arith_simps)[1]
|
|
|
|
apply (clarsimp simp: upt_conv_Cons[where i=0])
|
2017-06-05 04:55:42 +00:00
|
|
|
apply (wp valid_pde_slots_lift2 | simp add: pdeBits_def)+
|
2015-07-13 06:17:55 +00:00
|
|
|
apply (clarsimp simp: pde_range_relation_def map_is_Nil_conv hd_map_simp
|
|
|
|
ptr_range_to_list_def valid_pde_slots'2_def
|
|
|
|
word_le_nat_alt power_increasing[where a="2 :: nat" and N=4, simplified])
|
|
|
|
apply (clarsimp simp: pde_range_relation_def ptr_range_to_list_def unat_1_0
|
|
|
|
valid_pde_slots'2_def isRight_def last_map hd_map
|
|
|
|
ptr_add_def)
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (auto simp: unat_arith_simps unat_word_ariths)
|
2014-07-14 19:32:44 +00:00
|
|
|
done
|
|
|
|
|
|
|
|
lemma vmsz_aligned_addrFromPPtr':
|
|
|
|
"vmsz_aligned' (addrFromPPtr p) sz
|
|
|
|
= vmsz_aligned' p sz"
|
|
|
|
apply (simp add: vmsz_aligned'_def addrFromPPtr_def
|
2016-05-01 03:35:49 +00:00
|
|
|
ARM.addrFromPPtr_def)
|
2020-11-13 11:24:06 +00:00
|
|
|
apply (subgoal_tac "is_aligned pptrBaseOffset (pageBitsForSize sz)")
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule iffI)
|
|
|
|
apply (drule(1) aligned_add_aligned)
|
|
|
|
apply (simp add: pageBitsForSize_def word_bits_def split: vmpage_size.split)
|
|
|
|
apply simp
|
|
|
|
apply (erule(1) aligned_sub_aligned)
|
|
|
|
apply (simp add: pageBitsForSize_def word_bits_def split: vmpage_size.split)
|
2020-11-13 11:24:06 +00:00
|
|
|
apply (simp add: pageBitsForSize_def pptrBaseOffset_def pptrBase_def
|
2016-05-01 03:35:49 +00:00
|
|
|
physBase_def ARM.physBase_def is_aligned_def
|
2014-07-14 19:32:44 +00:00
|
|
|
split: vmpage_size.split)
|
|
|
|
done
|
|
|
|
|
|
|
|
lemmas vmsz_aligned_addrFromPPtr
|
|
|
|
= vmsz_aligned_addrFromPPtr'
|
|
|
|
vmsz_aligned_addrFromPPtr'[unfolded addrFromPPtr_def]
|
|
|
|
vmsz_aligned_addrFromPPtr'[unfolded vmsz_aligned'_def]
|
|
|
|
vmsz_aligned_addrFromPPtr'[unfolded addrFromPPtr_def vmsz_aligned'_def]
|
|
|
|
|
|
|
|
lemma gen_framesize_to_H_eq_from_H':
|
|
|
|
"v < 4 \<Longrightarrow> (v' = gen_framesize_to_H v) = (framesize_from_H v' = v)"
|
|
|
|
apply (simp add: gen_framesize_to_H_def framesize_from_H_eqs
|
2016-10-25 06:01:30 +00:00
|
|
|
split: if_split)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (clarsimp simp: framesize_from_H_eqs[symmetric] vm_page_size_defs)
|
|
|
|
apply unat_arith
|
|
|
|
done
|
|
|
|
|
|
|
|
lemma gen_framesize_to_H_eq_from_H:
|
|
|
|
assumes v: "v < 4" shows
|
|
|
|
"(v' = gen_framesize_to_H v) = (framesize_from_H v' = v)"
|
|
|
|
"(gen_framesize_to_H v = v') = (v = framesize_from_H v')"
|
|
|
|
using gen_framesize_to_H_eq_from_H'[OF v, where v'=v']
|
|
|
|
by auto
|
|
|
|
|
|
|
|
lemmas framesize_from_H_simps
|
|
|
|
= framesize_from_H_def[split_simps vmpage_size.split]
|
|
|
|
|
|
|
|
lemma framesize_from_H_eq_eq:
|
|
|
|
"(framesize_from_H v = v') = (v' < 4 \<and> gen_framesize_to_H v' = v)"
|
|
|
|
apply (rule iffI)
|
|
|
|
apply (clarsimp simp: framesize_from_to_H)
|
|
|
|
apply (simp add: framesize_from_H_def vm_page_size_defs split: vmpage_size.split)
|
|
|
|
apply (clarsimp simp: gen_framesize_to_H_eq_from_H)
|
2016-10-25 06:01:30 +00:00
|
|
|
apply (simp add: gen_framesize_to_H_def framesize_from_H_def split: if_split)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (clarsimp simp: vm_page_size_defs)
|
|
|
|
apply unat_arith
|
|
|
|
done
|
|
|
|
|
|
|
|
lemmas framesize_from_H_eq_eqs = framesize_from_H_eq_eq trans [OF eq_commute framesize_from_H_eq_eq]
|
|
|
|
|
|
|
|
lemma shiftr_asid_low_bits_mask_asid_high_bits:
|
|
|
|
"(asid :: word32) \<le> mask asid_bits
|
|
|
|
\<Longrightarrow> (asid >> asid_low_bits) && mask asid_high_bits = asid >> asid_low_bits"
|
|
|
|
apply (rule iffD2 [OF mask_eq_iff_w2p])
|
|
|
|
apply (simp add: asid_high_bits_def word_size)
|
|
|
|
apply (rule shiftr_less_t2n)
|
|
|
|
apply (simp add: asid_low_bits_def asid_high_bits_def mask_def)
|
|
|
|
apply (simp add: asid_bits_def)
|
|
|
|
done
|
|
|
|
|
|
|
|
lemma shiftr_asid_low_bits_mask_eq_0:
|
|
|
|
"\<lbrakk> (asid :: word32) \<le> mask asid_bits; asid >> asid_low_bits = 0 \<rbrakk>
|
|
|
|
\<Longrightarrow> (asid && mask asid_low_bits = 0) = (asid = 0)"
|
|
|
|
apply (rule iffI[rotated])
|
|
|
|
apply simp
|
|
|
|
apply (rule asid_low_high_bits)
|
|
|
|
apply simp
|
|
|
|
apply (simp add: ucast_asid_high_bits_is_shift)
|
|
|
|
apply (simp add: mask_def)
|
|
|
|
apply simp
|
|
|
|
done
|
|
|
|
|
|
|
|
lemma generic_frame_cap_set_capFMappedAddress_ccap_relation:
|
|
|
|
"\<lbrakk> cap_lift c'' = generic_frame_cap_set_capFMappedAddress_CL (cap_lift c') asid addr;
|
|
|
|
ccap_relation c c'; isArchPageCap c; asid \<le> mask asid_bits; asid \<noteq> 0;
|
|
|
|
vmsz_aligned' addr (gen_framesize_to_H (generic_frame_cap_get_capFSize_CL (cap_lift c')))
|
|
|
|
\<rbrakk>
|
|
|
|
\<Longrightarrow> ccap_relation (capCap_update (capVPMappedAddress_update (\<lambda>_. Some (asid, addr))) c) c''"
|
|
|
|
apply (clarsimp simp: isCap_simps)
|
|
|
|
apply (erule ccap_relationE)
|
2016-10-25 06:01:30 +00:00
|
|
|
apply (clarsimp simp: cap_to_H_def Let_def split: cap_CL.split_asm if_split_asm)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (simp_all add: ccap_relation_def generic_frame_cap_set_capFMappedAddress_CL_def
|
|
|
|
cap_to_H_def c_valid_cap_def cl_valid_cap_def
|
|
|
|
generic_frame_cap_get_capFSize_CL_def
|
|
|
|
shiftr_asid_low_bits_mask_asid_high_bits
|
|
|
|
and_not_mask[symmetric] shiftr_asid_low_bits_mask_eq_0
|
2016-10-25 06:01:30 +00:00
|
|
|
split: if_split)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (simp add: vmsz_aligned'_def gen_framesize_to_H_def)
|
|
|
|
apply (subst field_simps, simp add: word_plus_and_or_coroll2)
|
|
|
|
apply (simp add: vmsz_aligned'_def gen_framesize_to_H_def)
|
|
|
|
apply (subst field_simps, simp add: word_plus_and_or_coroll2)
|
|
|
|
apply (simp add: vmsz_aligned'_def gen_framesize_to_H_def)
|
|
|
|
apply (subst field_simps, simp add: word_plus_and_or_coroll2)
|
2018-09-17 06:17:28 +00:00
|
|
|
apply (rule sym, erule is_aligned_neg_mask_weaken)
|
2016-10-25 06:01:30 +00:00
|
|
|
apply (simp add: pageBitsForSize_def split: if_split)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (simp add: vmsz_aligned'_def gen_framesize_to_H_def)
|
|
|
|
apply (subst field_simps, simp add: word_plus_and_or_coroll2)
|
2018-09-17 06:17:28 +00:00
|
|
|
apply (rule sym, erule is_aligned_neg_mask_weaken)
|
2016-10-25 06:01:30 +00:00
|
|
|
apply (simp add: pageBitsForSize_def split: if_split)
|
2014-07-14 19:32:44 +00:00
|
|
|
done
|
|
|
|
|
|
|
|
lemma slotcap_in_mem_valid:
|
|
|
|
"\<lbrakk> slotcap_in_mem cap slot (ctes_of s); valid_objs' s \<rbrakk>
|
|
|
|
\<Longrightarrow> s \<turnstile>' cap"
|
|
|
|
apply (clarsimp simp: slotcap_in_mem_def)
|
|
|
|
apply (erule(1) ctes_of_valid')
|
|
|
|
done
|
|
|
|
|
|
|
|
lemma ivc_label_flush_case:
|
2016-01-21 23:34:54 +00:00
|
|
|
"label = ArchInvocationLabel arch_invocation_label.ARMPageUnify_Instruction \<or>
|
|
|
|
label = ArchInvocationLabel arch_invocation_label.ARMPageCleanInvalidate_Data \<or>
|
|
|
|
label = ArchInvocationLabel arch_invocation_label.ARMPageInvalidate_Data \<or>
|
|
|
|
label = ArchInvocationLabel arch_invocation_label.ARMPageClean_Data
|
2014-07-14 19:32:44 +00:00
|
|
|
\<Longrightarrow> (case label of
|
2017-07-12 05:13:51 +00:00
|
|
|
ArchInvocationLabel arch_invocation_label.ARMPageMap \<Rightarrow> A
|
2019-09-26 05:26:30 +00:00
|
|
|
| ArchInvocationLabel arch_invocation_label.ARMPageUnmap \<Rightarrow> B
|
|
|
|
| ArchInvocationLabel arch_invocation_label.ARMPageUnify_Instruction \<Rightarrow> C
|
|
|
|
| ArchInvocationLabel arch_invocation_label.ARMPageCleanInvalidate_Data \<Rightarrow> C
|
|
|
|
| ArchInvocationLabel arch_invocation_label.ARMPageInvalidate_Data \<Rightarrow> C
|
|
|
|
| ArchInvocationLabel arch_invocation_label.ARMPageClean_Data \<Rightarrow> C
|
|
|
|
| ArchInvocationLabel arch_invocation_label.ARMPageGetAddress \<Rightarrow> D
|
|
|
|
| _ \<Rightarrow> E)
|
|
|
|
= C"
|
2016-01-21 23:34:54 +00:00
|
|
|
by (auto split: invocation_label.split arch_invocation_label.split)
|
2017-07-12 05:13:51 +00:00
|
|
|
|
2014-07-14 19:32:44 +00:00
|
|
|
lemma injection_handler_whenE:
|
2020-03-29 08:35:28 +00:00
|
|
|
"injection_handler Inl (whenE a b) = (if a then injection_handler Inl b else returnOk ())"
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (subst injection_handler_returnOk[symmetric])
|
2020-03-29 08:35:28 +00:00
|
|
|
apply (clarsimp simp: whenE_def injection_handler_def cong: if_cong)
|
|
|
|
apply (fastforce split: if_splits)
|
2014-07-14 19:32:44 +00:00
|
|
|
done
|
|
|
|
|
|
|
|
lemma injection_handler_if_returnOk:
|
|
|
|
"injection_handler Inl (if a then b else returnOk c)
|
|
|
|
= (if a then (injection_handler Inl b) else returnOk c)"
|
|
|
|
apply (clarsimp simp:whenE_def injection_handler_def)
|
|
|
|
apply (clarsimp simp:injection_handler_def
|
|
|
|
throwError_def return_def bind_def returnOk_def
|
|
|
|
handleE'_def split:if_splits)
|
|
|
|
done
|
|
|
|
|
|
|
|
lemma pbfs_less: "pageBitsForSize sz < 31"
|
|
|
|
by (case_tac sz,simp_all)
|
|
|
|
|
|
|
|
lemma flushtype_relation_triv:
|
2016-01-21 23:34:54 +00:00
|
|
|
"isPageFlushLabel (invocation_type label) \<or>
|
|
|
|
isPDFlushLabel (invocation_type label)
|
2014-07-14 19:32:44 +00:00
|
|
|
==> flushtype_relation (labelToFlushType label) (ucast label)"
|
2017-07-12 05:13:51 +00:00
|
|
|
by (clarsimp simp: labelToFlushType_def flushtype_relation_def
|
|
|
|
invocation_eq_use_types ARM_H.isPageFlushLabel_def
|
2016-05-04 05:07:51 +00:00
|
|
|
ARM_H.isPDFlushLabel_def
|
2016-01-21 23:34:54 +00:00
|
|
|
split: flush_type.splits invocation_label.splits arch_invocation_label.splits)
|
2014-07-14 19:32:44 +00:00
|
|
|
|
|
|
|
lemma pte_get_tag_alt:
|
|
|
|
"pte_lift v = Some pteC
|
2017-07-12 05:13:51 +00:00
|
|
|
\<Longrightarrow> pte_get_tag v = (case pteC of
|
2014-11-26 06:18:47 +00:00
|
|
|
Pte_pte_small _ \<Rightarrow> scast pte_pte_small
|
2014-07-14 19:32:44 +00:00
|
|
|
| Pte_pte_large _ \<Rightarrow> scast pte_pte_large)"
|
2016-10-25 06:01:30 +00:00
|
|
|
by (auto simp add: pte_lift_def Let_def split: if_split_asm)
|
2014-07-14 19:32:44 +00:00
|
|
|
|
|
|
|
definition
|
|
|
|
to_option :: "('a \<Rightarrow> bool) \<Rightarrow> 'a \<Rightarrow> 'a option"
|
|
|
|
where
|
|
|
|
"to_option f x \<equiv> if f x then Some x else None"
|
|
|
|
|
|
|
|
definition
|
|
|
|
resolve_ret_rel :: "(vmpage_size \<times> 32 word) option \<Rightarrow> resolve_ret_C \<Rightarrow> bool"
|
|
|
|
where
|
|
|
|
"resolve_ret_rel \<equiv>
|
2014-08-09 05:16:17 +00:00
|
|
|
\<lambda>x y. rel_option (\<lambda>rv rv'. resolve_ret_C.frameSize_C rv' = framesize_from_H (fst rv)
|
2014-07-14 19:32:44 +00:00
|
|
|
\<and> snd rv = resolve_ret_C.frameBase_C rv')
|
|
|
|
x (to_option (to_bool \<circ> resolve_ret_C.valid_C) y)"
|
|
|
|
|
|
|
|
|
|
|
|
lemma resolve_ret_rel_None[simp]:
|
|
|
|
"resolve_ret_rel None y = (valid_C y = scast false)"
|
|
|
|
by (clarsimp simp: resolve_ret_rel_def o_def to_option_def false_def to_bool_def split: if_splits)
|
|
|
|
|
|
|
|
lemma resolve_ret_rel_Some:
|
|
|
|
"\<lbrakk>valid_C y = scast true; frameSize_C y = framesize_from_H (fst x); snd x = frameBase_C y\<rbrakk>
|
|
|
|
\<Longrightarrow> resolve_ret_rel (Some x) y"
|
|
|
|
by (clarsimp simp: resolve_ret_rel_def o_def to_option_def true_def)
|
|
|
|
|
|
|
|
lemma resolveVAddr_ccorres:
|
|
|
|
"ccorres resolve_ret_rel ret__struct_resolve_ret_C_'
|
2015-12-01 22:07:49 +00:00
|
|
|
(page_directory_at' pd) (UNIV \<inter> {s. pd_' s = pde_Ptr pd} \<inter> {s. vaddr_' s = vaddr}) hs
|
2014-07-14 19:32:44 +00:00
|
|
|
(resolveVAddr pd vaddr) (Call resolveVAddr_'proc)"
|
|
|
|
apply (cinit lift: pd_' vaddr_')
|
|
|
|
apply clarsimp
|
|
|
|
apply (rule ccorres_pre_getObject_pde)
|
|
|
|
apply csymbr+
|
|
|
|
apply (rule ccorres_abstract_cleanup)
|
2015-12-08 06:29:42 +00:00
|
|
|
apply (rule_tac P="(ret__unsigned = scast pde_pde_coarse) = (isPageTablePDE rv)"
|
2014-07-14 19:32:44 +00:00
|
|
|
in ccorres_gen_asm2)
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (rule_tac P="isPageTablePDE rv" in ccorres_cases)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (clarsimp simp: pde_tag_defs)
|
2015-12-01 22:07:49 +00:00
|
|
|
apply wpc
|
|
|
|
apply (rule ccorres_inst[where P=\<top> and P'=UNIV])
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (clarsimp simp: isPageTablePDE_def split: pde.splits)
|
2015-12-01 22:07:49 +00:00
|
|
|
prefer 2
|
|
|
|
apply (rule ccorres_inst[where P=\<top> and P'=UNIV])
|
|
|
|
apply (clarsimp simp: isPageTablePDE_def split: pde.splits)
|
|
|
|
prefer 2
|
|
|
|
apply (rule ccorres_inst[where P=\<top> and P'=UNIV])
|
|
|
|
apply (clarsimp simp: isPageTablePDE_def split: pde.splits)
|
|
|
|
apply (rename_tac word1 bool word2)
|
|
|
|
apply (rule ccorres_rhs_assoc)+
|
|
|
|
apply csymbr
|
|
|
|
apply (rule ccorres_abstract_cleanup)
|
2015-12-08 06:29:42 +00:00
|
|
|
apply (rule_tac P="(ret__unsigned = word1)" in ccorres_gen_asm2)
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (rule ccorres_stateAssert)
|
|
|
|
apply (rule_tac val="Ptr (ptrFromPAddr word1)" and R=\<top>
|
2018-03-13 01:55:39 +00:00
|
|
|
in ccorres_symb_exec_r_known_rv_UNIV[where xf'=ret__ptr_to_void_' and R'=UNIV])
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (vcg, clarsimp)
|
|
|
|
apply ceqv
|
|
|
|
apply (rule ccorres_pre_getObject_pte)
|
|
|
|
apply (rule_tac P="page_table_at' (ptrFromPAddr word1)"
|
|
|
|
in ccorres_cross_over_guard)
|
|
|
|
apply (rule_tac P'="{s. \<exists>v. cslift s (pte_Ptr (lookup_pt_slot_no_fail (ptrFromPAddr word1) vaddr)) = Some v
|
|
|
|
\<and> cpte_relation rva v
|
|
|
|
\<and> array_assertion (pte_Ptr (ptrFromPAddr word1))
|
|
|
|
(2 ^ (ptBits - 2)) (hrs_htd (t_hrs_' (globals s)))}"
|
2014-07-14 19:32:44 +00:00
|
|
|
in ccorres_from_vcg_might_throw[where P=\<top>])
|
|
|
|
apply (rule allI, rule conseqPre, vcg)
|
2015-12-01 22:07:49 +00:00
|
|
|
using pte_get_tag_exhaust
|
2014-07-14 19:32:44 +00:00
|
|
|
apply clarsimp
|
2015-12-01 22:07:49 +00:00
|
|
|
apply (fastforce simp: pte_get_tag_alt pte_tag_defs cpte_relation_def
|
2014-07-14 19:32:44 +00:00
|
|
|
fst_return typ_heap_simps framesize_from_H_simps
|
2015-12-01 22:07:49 +00:00
|
|
|
pte_pte_large_lift_def pte_pte_small_lift_def
|
|
|
|
pte_pte_invalid_def
|
2014-07-14 19:32:44 +00:00
|
|
|
intro: resolve_ret_rel_Some
|
2015-12-01 22:07:49 +00:00
|
|
|
split: pte.splits)
|
|
|
|
apply (rule guard_is_UNIVI)
|
|
|
|
apply (clarsimp simp: typ_heap_simps)
|
2017-06-05 04:55:42 +00:00
|
|
|
apply (auto simp: ptBits_def pageBits_def pteBits_def
|
2015-12-01 22:07:49 +00:00
|
|
|
dest!: page_table_at_rf_sr
|
|
|
|
elim: clift_array_assertion_imp)[1]
|
|
|
|
apply (rule_tac P'="{s. \<exists>v. cslift s (pde_Ptr (lookup_pd_slot pd vaddr)) = Some v
|
|
|
|
\<and> cpde_relation rv v
|
2015-12-08 06:29:42 +00:00
|
|
|
\<and> ret__unsigned = pde_get_tag v}"
|
2015-12-01 22:07:49 +00:00
|
|
|
in ccorres_from_vcg_might_throw[where P=\<top>])
|
|
|
|
apply (rule allI, rule conseqPre, vcg)
|
|
|
|
apply clarsimp
|
|
|
|
apply (fastforce simp: isPageTablePDE_def pde_get_tag_alt pde_tag_defs cpde_relation_def
|
|
|
|
fst_return typ_heap_simps framesize_from_H_simps
|
|
|
|
pde_pde_section_lift_def
|
|
|
|
intro: resolve_ret_rel_Some
|
|
|
|
split: pde.splits)
|
|
|
|
apply clarsimp
|
|
|
|
apply (frule(1) page_directory_at_rf_sr)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (clarsimp simp: isPageTablePDE_def pde_get_tag_alt pde_tag_defs cpde_relation_def
|
|
|
|
typ_heap_simps pde_pde_coarse_lift_def
|
2015-12-01 22:07:49 +00:00
|
|
|
clift_array_assertion_imp pageBits_def Let_def
|
2014-07-14 19:32:44 +00:00
|
|
|
split: pde.splits)
|
|
|
|
done
|
|
|
|
|
2019-11-08 06:32:01 +00:00
|
|
|
lemma cte_wp_at_eq_gsMaxObjectSize:
|
|
|
|
"cte_wp_at' ((=) cap o cteCap) slot s
|
2015-07-13 06:17:55 +00:00
|
|
|
\<Longrightarrow> valid_global_refs' s
|
|
|
|
\<Longrightarrow> 2 ^ capBits cap \<le> gsMaxObjectSize s"
|
|
|
|
apply (clarsimp simp: cte_wp_at_ctes_of)
|
|
|
|
apply (drule(1) valid_global_refsD_with_objSize)
|
2019-11-08 06:32:01 +00:00
|
|
|
apply (clarsimp simp: capMaster_eq_capBits_eq[OF capMasterCap_maskCapRights])
|
2015-07-13 06:17:55 +00:00
|
|
|
done
|
|
|
|
|
|
|
|
lemma two_nat_power_pageBitsForSize_le:
|
|
|
|
"(2 :: nat) ^ pageBits \<le> 2 ^ pageBitsForSize vsz"
|
|
|
|
by (cases vsz, simp_all add: pageBits_def)
|
|
|
|
|
2019-09-26 05:26:30 +00:00
|
|
|
lemma cap_get_tag_PageDirectoryCap:
|
|
|
|
"ccap_relation cap cap' \<Longrightarrow>
|
|
|
|
(cap_get_tag cap' = SCAST(32 signed \<rightarrow> 32) cap_page_directory_cap) =
|
|
|
|
(cap = ArchObjectCap
|
|
|
|
(PageDirectoryCap (capPDBasePtr_CL (cap_page_directory_cap_lift cap'))
|
|
|
|
(if to_bool (capPDIsMapped_CL (cap_page_directory_cap_lift cap'))
|
|
|
|
then Some (capPDMappedASID_CL (cap_page_directory_cap_lift cap'))
|
|
|
|
else None)))"
|
|
|
|
apply (rule iffI)
|
|
|
|
apply (erule ccap_relationE)
|
|
|
|
apply (clarsimp simp: cap_lifts cap_to_H_def)
|
|
|
|
apply (simp add: cap_get_tag_isCap_unfolded_H_cap)
|
|
|
|
done
|
|
|
|
|
|
|
|
lemma ccap_relation_capPDMappedASID_liftE:
|
|
|
|
"\<lbrakk> ccap_relation c c'; cap_get_tag c' = SCAST(32 signed \<rightarrow> 32) cap_page_directory_cap;
|
|
|
|
capPDMappedASID (capCap c) = Some y \<rbrakk>
|
|
|
|
\<Longrightarrow> capPDMappedASID_CL (cap_page_directory_cap_lift c') = the (capPDMappedASID (capCap c))"
|
|
|
|
by (simp add: cap_get_tag_PageDirectoryCap split: if_splits)
|
|
|
|
|
|
|
|
lemma throwError_invocationCatch:
|
|
|
|
"throwError a >>= invocationCatch b c d e = throwError (Inl a)"
|
|
|
|
by (simp add: invocationCatch_def throwError_bind)
|
|
|
|
|
2014-07-14 19:32:44 +00:00
|
|
|
lemma decodeARMFrameInvocation_ccorres:
|
2018-09-17 06:17:28 +00:00
|
|
|
notes
|
|
|
|
if_cong[cong]
|
|
|
|
is_aligned_neg_mask_eq[simp del]
|
|
|
|
is_aligned_neg_mask_weaken[simp del]
|
2019-09-26 05:26:30 +00:00
|
|
|
defines "does_not_throw args extraCaps pg_sz mapdata \<equiv>
|
2020-11-14 07:21:08 +00:00
|
|
|
(mapdata = None \<longrightarrow> \<not> (ARM.pptrBase \<le> hd args + 2 ^ pageBitsForSize pg_sz - 1)) \<and>
|
2019-09-26 05:26:30 +00:00
|
|
|
(mapdata \<noteq> None \<longrightarrow> (fst (the mapdata) = (the (capPDMappedASID (capCap (fst (extraCaps ! 0)))))
|
|
|
|
\<and> snd (the mapdata) = hd args))"
|
2014-07-14 19:32:44 +00:00
|
|
|
shows
|
|
|
|
"\<lbrakk> interpret_excaps extraCaps' = excaps_map extraCaps;
|
|
|
|
isPageCap cp \<rbrakk>
|
|
|
|
\<Longrightarrow>
|
|
|
|
ccorres (intr_and_se_rel \<currency> dc) (liftxf errstate id (K ()) ret__unsigned_long_')
|
|
|
|
(invs' and (\<lambda>s. ksCurThread s = thread) and ct_active' and sch_act_simple
|
|
|
|
and (excaps_in_mem extraCaps \<circ> ctes_of)
|
2019-11-08 06:32:01 +00:00
|
|
|
and cte_wp_at' ((=) (ArchObjectCap cp) \<circ> cteCap) slot
|
2014-07-14 19:32:44 +00:00
|
|
|
and (\<lambda>s. \<forall>v \<in> set extraCaps. ex_cte_cap_wp_to' isCNodeCap (snd v) s)
|
|
|
|
and sysargs_rel args buffer and valid_objs')
|
2016-01-08 07:43:33 +00:00
|
|
|
(UNIV \<inter> {s. invLabel_' s = label}
|
|
|
|
\<inter> {s. unat (length___unsigned_long_' s) = length args}
|
2014-07-14 19:32:44 +00:00
|
|
|
\<inter> {s. cte_' s = cte_Ptr slot}
|
crefine: remove large structs passed by value
The RISC-V calling convention specifies that when a C function takes an
argument by value, the binary function should take the argument by
reference, if the value is larger than 2 pointer words.
For binary verification, we avoid implementing this aspect of the RISC-V
calling convention, by eliminating all such function arguments for
functions which are not inlined. This commit includes the proof updates
corresponding to the kernel source update, which is in the seL4
repository.
This includes arguments of types `slot_range_t` and `extra_caps_t`.
`slot_range_t` is only used in two functions, so for those cases, we
unpack the arguments, and remove the type altogether.
`extra_caps_t` is used extensively in invocation decoding, and also in
inter-process communication. Since extra caps are already stored in a
global variable `current_extra_caps`, we remove the function argument,
and use the global variable instead. However, this adds significant
difficulty to the proofs, because the variable lifting performed by
`cinit` worked for the function argument, but not for the global
variable. We have therefore recently improved the `cinit` automation to
support this change to the kernel.
Even though this change was for the benefit of RISC-V binary
verification, we update all architectures for consistency.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
2020-06-12 07:44:30 +00:00
|
|
|
\<inter> {s. current_extra_caps_' (globals s) = extraCaps'}
|
2014-07-14 19:32:44 +00:00
|
|
|
\<inter> {s. ccap_relation (ArchObjectCap cp) (cap_' s)}
|
|
|
|
\<inter> {s. buffer_' s = option_to_ptr buffer}) []
|
|
|
|
(decodeARMMMUInvocation label args cptr slot cp extraCaps
|
|
|
|
>>= invocationCatch thread isBlocking isCall InvokeArchObject)
|
|
|
|
(Call decodeARMFrameInvocation_'proc)"
|
2021-09-22 00:21:01 +00:00
|
|
|
including no_take_bit no_0_dvd
|
2020-03-29 08:35:28 +00:00
|
|
|
supply if_cong[cong] option.case_cong[cong]
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (clarsimp simp only: isCap_simps)
|
crefine: remove large structs passed by value
The RISC-V calling convention specifies that when a C function takes an
argument by value, the binary function should take the argument by
reference, if the value is larger than 2 pointer words.
For binary verification, we avoid implementing this aspect of the RISC-V
calling convention, by eliminating all such function arguments for
functions which are not inlined. This commit includes the proof updates
corresponding to the kernel source update, which is in the seL4
repository.
This includes arguments of types `slot_range_t` and `extra_caps_t`.
`slot_range_t` is only used in two functions, so for those cases, we
unpack the arguments, and remove the type altogether.
`extra_caps_t` is used extensively in invocation decoding, and also in
inter-process communication. Since extra caps are already stored in a
global variable `current_extra_caps`, we remove the function argument,
and use the global variable instead. However, this adds significant
difficulty to the proofs, because the variable lifting performed by
`cinit` worked for the function argument, but not for the global
variable. We have therefore recently improved the `cinit` automation to
support this change to the kernel.
Even though this change was for the benefit of RISC-V binary
verification, we update all architectures for consistency.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
2020-06-12 07:44:30 +00:00
|
|
|
apply (cinit' lift: invLabel_' length___unsigned_long_' cte_' current_extra_caps_' cap_' buffer_'
|
2014-07-14 19:32:44 +00:00
|
|
|
simp: decodeARMMMUInvocation_def decodeARMPageFlush_def)
|
|
|
|
apply (simp add: Let_def isCap_simps invocation_eq_use_types split_def
|
|
|
|
del: Collect_const
|
|
|
|
cong: StateSpace.state.fold_congs globals.fold_congs
|
2016-01-21 23:34:54 +00:00
|
|
|
if_cong invocation_label.case_cong arch_invocation_label.case_cong list.case_cong)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule ccorres_Cond_rhs[rotated])+
|
2019-09-26 05:26:30 +00:00
|
|
|
apply (rule ccorres_inst[where P=\<top> and P'=UNIV], simp)
|
|
|
|
apply (rule ccorres_equals_throwError)
|
|
|
|
apply (fastforce simp: throwError_bind invocationCatch_def
|
2016-01-21 23:34:54 +00:00
|
|
|
split: invocation_label.split arch_invocation_label.split)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule syscall_error_throwError_ccorres_n)
|
|
|
|
apply (simp add: syscall_error_to_H_cases)
|
|
|
|
|
2019-09-26 05:26:30 +00:00
|
|
|
\<comment> \<open>PageGetAddress\<close>
|
|
|
|
apply (simp add: returnOk_bind bindE_assoc performARMMMUInvocations)
|
|
|
|
apply (rule ccorres_rhs_assoc)+
|
|
|
|
apply (ctac add: setThreadState_ccorres)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply csymbr
|
2019-09-26 05:26:30 +00:00
|
|
|
apply (ctac(no_vcg) add: performPageGetAddress_ccorres)
|
|
|
|
apply (rule ccorres_alternative2)
|
|
|
|
apply (rule ccorres_return_CE, simp+)[1]
|
|
|
|
apply (rule ccorres_inst[where P=\<top> and P'=UNIV], simp)
|
|
|
|
apply wp+
|
|
|
|
|
|
|
|
\<comment> \<open>PageUnify_Instruction | PageCleanInvalidate_Data | Page Invalidate_Data | PageClean_Data\<close>
|
|
|
|
apply (vcg exspec=setThreadState_modifies)
|
|
|
|
apply (rule ccorres_rhs_assoc)+
|
|
|
|
apply csymbr+
|
|
|
|
apply (simp add: ivc_label_flush_case decodeARMPageFlush_def list_case_If2 if3_fold2
|
|
|
|
del: Collect_const
|
|
|
|
cong: StateSpace.state.fold_congs globals.fold_congs if_cong
|
|
|
|
invocation_label.case_cong arch_invocation_label.case_cong list.case_cong)
|
|
|
|
apply (simp add: if_1_0_0 split_def case_option_If2 if_to_top_of_bind del: Collect_const
|
|
|
|
cong: if_cong invocation_label.case_cong arch_invocation_label.case_cong)
|
|
|
|
apply (rule ccorres_if_cond_throws[rotated -1, where Q=\<top> and Q'=\<top>])
|
|
|
|
apply vcg
|
|
|
|
apply (clarsimp simp: list_length_less)
|
|
|
|
apply (drule unat_less_iff[where c=2])
|
|
|
|
apply (simp add: word_bits_def)
|
|
|
|
apply simp
|
|
|
|
apply (simp add: throwError_bind invocationCatch_def)
|
|
|
|
apply (rule syscall_error_throwError_ccorres_n)
|
|
|
|
apply (simp add: syscall_error_to_H_cases)
|
|
|
|
apply csymbr
|
|
|
|
apply csymbr
|
|
|
|
apply csymbr
|
|
|
|
apply (rule ccorres_if_cond_throws2[rotated -1, where Q = \<top> and Q' = \<top>])
|
|
|
|
apply vcg
|
|
|
|
apply clarsimp
|
|
|
|
apply (frule ccap_relation_mapped_asid_0)
|
|
|
|
apply fastforce
|
|
|
|
apply (simp add: throwError_bind invocationCatch_def)
|
|
|
|
apply (rule syscall_error_throwError_ccorres_n)
|
|
|
|
apply (simp add: syscall_error_to_H_cases)
|
|
|
|
apply (simp add: invocationCatch_use_injection_handler
|
|
|
|
injection_bindE[OF refl refl] bindE_assoc
|
|
|
|
injection_handler_returnOk injection_handler_whenE
|
|
|
|
lookupError_injection)
|
|
|
|
apply (ctac add: ccorres_injection_handler_csum1[OF ccorres_injection_handler_csum1,
|
|
|
|
OF findPDForASID_ccorres])
|
|
|
|
apply (rule ccorres_if_cond_throws[where P = False and Q = \<top> and Q'=\<top>, simplified])
|
|
|
|
apply simp
|
|
|
|
apply (rule ccorres_add_return)
|
|
|
|
apply (ctac add: getSyscallArg_ccorres_foo[where args=args and n=0 and buffer=buffer])
|
|
|
|
apply (rule ccorres_add_return)
|
|
|
|
apply (ctac add: getSyscallArg_ccorres_foo[where args = args and n = 1 and buffer = buffer])
|
|
|
|
apply (simp only: if_to_top_of_bindE)
|
|
|
|
apply (rule ccorres_if_cond_throws[rotated -1,where Q = \<top> and Q' = \<top>])
|
|
|
|
apply vcg
|
|
|
|
apply (clarsimp simp: hd_drop_conv_nth hd_conv_nth)
|
|
|
|
apply (simp add: injection_handler_throwError)
|
|
|
|
apply (rule syscall_error_throwError_ccorres_n)
|
|
|
|
apply (simp add: syscall_error_to_H_cases)
|
|
|
|
apply (simp only: returnOk_bindE)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply csymbr
|
2019-09-26 05:26:30 +00:00
|
|
|
apply csymbr
|
|
|
|
apply (rule ccorres_Guard_Seq)
|
|
|
|
apply csymbr
|
|
|
|
apply csymbr
|
|
|
|
apply csymbr
|
|
|
|
apply (rule ccorres_if_cond_throws[rotated -1,where Q = \<top> and Q' = \<top>])
|
2014-07-14 19:32:44 +00:00
|
|
|
apply vcg
|
2019-09-26 05:26:30 +00:00
|
|
|
apply (clarsimp simp: hd_drop_conv_nth hd_conv_nth)
|
|
|
|
apply (clarsimp dest!: ccap_relation_PageCap_generics)
|
|
|
|
apply (simp add: injection_handler_throwError)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule syscall_error_throwError_ccorres_n)
|
|
|
|
apply (simp add: syscall_error_to_H_cases)
|
|
|
|
apply csymbr
|
|
|
|
apply csymbr
|
|
|
|
apply csymbr
|
2019-09-26 05:26:30 +00:00
|
|
|
apply (simp add: performARMMMUInvocations bindE_assoc)
|
|
|
|
apply (ctac add: setThreadState_ccorres)
|
|
|
|
apply (ctac(no_vcg) add: performPageFlush_ccorres)
|
|
|
|
apply (rule ccorres_alternative2)
|
|
|
|
apply (rule ccorres_return_CE, simp+)[1]
|
|
|
|
apply (rule ccorres_inst[where P=\<top> and P'=UNIV], simp)
|
|
|
|
apply wp
|
|
|
|
apply simp
|
|
|
|
apply (strengthen unat_sub_le_strg[where v="2 ^ pageBitsForSize (capVPSize cp)"])
|
|
|
|
apply (simp add: linorder_not_less linorder_not_le order_less_imp_le)
|
|
|
|
apply (wp sts_invs_minor')
|
|
|
|
apply simp
|
|
|
|
apply (vcg exspec=setThreadState_modifies)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply simp
|
2019-09-26 05:26:30 +00:00
|
|
|
apply wp
|
|
|
|
apply vcg
|
|
|
|
apply wp
|
|
|
|
apply vcg
|
|
|
|
apply vcg
|
2014-07-14 19:32:44 +00:00
|
|
|
apply simp
|
2019-09-26 05:26:30 +00:00
|
|
|
apply (rule_tac P'="{s. pd___struct_findPDForASID_ret_C = errstate s}"
|
|
|
|
in ccorres_from_vcg_split_throws[where P=\<top>])
|
|
|
|
apply vcg
|
|
|
|
apply (rule conseqPre, vcg)
|
|
|
|
apply (clarsimp simp: throwError_def return_def syscall_error_rel_def
|
|
|
|
syscall_error_to_H_cases exception_defs false_def)
|
|
|
|
apply (erule lookup_failure_rel_fault_lift[rotated])
|
|
|
|
apply (simp add: exception_defs)
|
|
|
|
apply (wp injection_wp[OF refl])
|
2014-07-14 19:32:44 +00:00
|
|
|
apply simp
|
2019-09-26 05:26:30 +00:00
|
|
|
apply (vcg exspec=findPDForASID_modifies)
|
|
|
|
|
|
|
|
\<comment> \<open>PageUnmap\<close>
|
|
|
|
apply (simp add: returnOk_bind bindE_assoc performARMMMUInvocations)
|
|
|
|
apply (rule ccorres_rhs_assoc)+
|
|
|
|
apply (ctac add: setThreadState_ccorres)
|
|
|
|
apply (ctac(no_vcg) add: performPageInvocationUnmap_ccorres)
|
|
|
|
apply (rule ccorres_alternative2)
|
|
|
|
apply (rule ccorres_return_CE; simp)
|
|
|
|
apply (rule ccorres_inst[where P=\<top> and P'=UNIV], simp)
|
|
|
|
apply wp
|
|
|
|
apply (wp sts_invs_minor')
|
2014-07-14 19:32:44 +00:00
|
|
|
apply simp
|
2019-09-26 05:26:30 +00:00
|
|
|
apply (vcg exspec=setThreadState_modifies)
|
2014-07-14 19:32:44 +00:00
|
|
|
|
2018-06-09 08:27:30 +00:00
|
|
|
\<comment> \<open>PageMap\<close>
|
2019-09-26 05:26:30 +00:00
|
|
|
supply Collect_const[simp del]
|
|
|
|
apply (rename_tac word rghts pg_sz mapdata buffera cap excaps cte length___unsigned_long invLabel)
|
|
|
|
apply simp
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule ccorres_rhs_assoc)+
|
|
|
|
apply csymbr+
|
2019-09-26 05:26:30 +00:00
|
|
|
apply (simp add: word_less_nat_alt)
|
|
|
|
(* throw on length < 3 *)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule ccorres_Cond_rhs_Seq)
|
2019-09-26 05:26:30 +00:00
|
|
|
apply simp
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule ccorres_equals_throwError)
|
2019-09-26 05:26:30 +00:00
|
|
|
apply (fastforce simp: throwError_bind invocationCatch_def split: list.split)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule ccorres_cond_true_seq)
|
|
|
|
apply (rule syscall_error_throwError_ccorres_n)
|
|
|
|
apply (simp add: syscall_error_to_H_cases)
|
|
|
|
apply csymbr
|
2019-09-26 05:26:30 +00:00
|
|
|
apply (simp add: interpret_excaps_test_null excaps_map_def)
|
|
|
|
(* throw if no excaps *)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule ccorres_Cond_rhs_Seq)
|
|
|
|
apply (rule ccorres_equals_throwError)
|
2019-09-26 05:26:30 +00:00
|
|
|
apply (fastforce simp: throwError_bind invocationCatch_def split: list.split)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule syscall_error_throwError_ccorres_n)
|
|
|
|
apply (simp add: syscall_error_to_H_cases)
|
2019-09-26 05:26:30 +00:00
|
|
|
apply (simp add: list_case_If2 length_ineq_not_Nil linorder_class.not_less)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule ccorres_add_return)
|
|
|
|
apply (ctac add: getSyscallArg_ccorres_foo[where args=args and n=0 and buffer=buffer])
|
|
|
|
apply (rule ccorres_add_return)
|
|
|
|
apply (ctac add: getSyscallArg_ccorres_foo[where args=args and n=1 and buffer=buffer])
|
|
|
|
apply (rule ccorres_add_return)
|
|
|
|
apply (ctac add: getSyscallArg_ccorres_foo[where args=args and n=2 and buffer=buffer])
|
|
|
|
apply csymbr
|
|
|
|
apply (rule getSlotCap_ccorres_fudge_n[where vals=extraCaps and n=0])
|
|
|
|
apply (rule ccorres_move_c_guard_cte)
|
|
|
|
apply (rule_tac r'="\<lambda>rv rv'. ((cap_get_tag rv' = scast cap_page_directory_cap)
|
2019-09-26 05:26:30 +00:00
|
|
|
= (isArchObjectCap rv \<and> isPageDirectoryCap (capCap rv)))
|
|
|
|
\<and> (cap_get_tag rv' = scast cap_page_directory_cap
|
|
|
|
\<longrightarrow> ccap_relation rv rv')"
|
|
|
|
and xf'=pdCap_' in ccorres_split_nothrow[where F=UNIV])
|
|
|
|
apply (simp add: getSlotCap_def)
|
|
|
|
apply (rule ccorres_symb_exec_l[OF _ getCTE_inv getCTE_sp[where P=\<top>] empty_fail_getCTE])
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule ccorres_from_vcg[where P'=UNIV])
|
|
|
|
apply (rule allI, rule conseqPre, vcg)
|
|
|
|
apply (clarsimp simp: return_def cte_wp_at_ctes_of)
|
|
|
|
apply (erule(1) cmap_relationE1[OF cmap_relation_cte])
|
|
|
|
apply (frule interpret_excaps_eq[rule_format, where n=0], simp)
|
2019-09-26 05:26:30 +00:00
|
|
|
apply (clarsimp simp: typ_heap_simps' split_def cap_get_tag_isCap_ArchObject2
|
2014-07-14 19:32:44 +00:00
|
|
|
dest!: ccte_relation_ccap_relation)
|
|
|
|
apply ceqv
|
|
|
|
apply (rule ccorres_assert2)
|
|
|
|
apply csymbr+
|
2019-09-26 05:26:30 +00:00
|
|
|
apply (simp add: whenE_bindE_throwError_to_if if_to_top_of_bind hd_conv_nth)
|
|
|
|
(* throw if pdCap not a page directory cap *)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule ccorres_Cond_rhs_Seq)
|
2019-09-26 05:26:30 +00:00
|
|
|
apply simp
|
|
|
|
apply (rule ccorres_equals_throwError)
|
|
|
|
apply (fastforce simp: throwError_bind invocationCatch_def isCap_simps
|
|
|
|
split: list.split capability.split arch_capability.split)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule ccorres_cond_true_seq)
|
2019-09-26 05:26:30 +00:00
|
|
|
apply (rule syscall_error_throwError_ccorres_n)
|
|
|
|
apply (simp add: syscall_error_to_H_cases)
|
|
|
|
(* throw if pdCap is not mapped *)
|
|
|
|
apply (clarsimp simp: cap_case_PageDirectoryCap2)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule ccorres_rhs_assoc)+
|
|
|
|
apply csymbr+
|
2019-09-26 05:26:30 +00:00
|
|
|
apply (rule ssubst[OF case_option_If2,
|
|
|
|
where P="\<lambda>tm. ccorres _ _ _ _ _ (bindE tm _ >>= _) _"])
|
|
|
|
apply (simp add: if_to_top_of_bind if_to_top_of_bindE hd_conv_nth cong: conj_cong)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule ccorres_if_cond_throws2[rotated -1, where Q=\<top> and Q'=\<top>])
|
|
|
|
apply vcg
|
|
|
|
apply (clarsimp simp: cap_lift_page_directory_cap cap_to_H_def
|
|
|
|
to_bool_def cap_page_directory_cap_lift_def
|
2016-10-25 06:01:30 +00:00
|
|
|
elim!: ccap_relationE split: if_split)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (simp add: throwError_bind invocationCatch_def)
|
|
|
|
apply (rule syscall_error_throwError_ccorres_n)
|
|
|
|
apply (simp add: syscall_error_to_H_cases)
|
2019-09-26 05:26:30 +00:00
|
|
|
apply csymbr+
|
|
|
|
apply (clarsimp simp: whenE_def)
|
|
|
|
apply (drule_tac t="Some y" in sym)
|
|
|
|
(* There are two paths through the cap mapping eligibility check (target asid/address for
|
|
|
|
mapped cap, target address for not mapped case) which do not throw;
|
|
|
|
pull the non-throwing cases together *)
|
|
|
|
apply (rule_tac P="does_not_throw args extraCaps pg_sz mapdata" in ccorres_cases[rotated])
|
|
|
|
(* Always throws case *)
|
|
|
|
apply (clarsimp simp: if_to_top_of_bind if_to_top_of_bindE case_option_If2 hd_conv_nth
|
|
|
|
cong: conj_cong)
|
|
|
|
apply (rule ccorres_split_throws[rotated])
|
|
|
|
apply vcg
|
|
|
|
apply (clarsimp simp: does_not_throw_def)
|
|
|
|
(* is the frame cap mapped? *)
|
|
|
|
apply (rule ccorres_Cond_rhs)
|
|
|
|
(* frame cap is mapped: remap case *)
|
|
|
|
apply (prop_tac "mapdata \<noteq> None", simp add: ccap_relation_mapped_asid_0)
|
|
|
|
apply clarsimp
|
|
|
|
apply (rule ccorres_rhs_assoc)+
|
|
|
|
apply csymbr
|
|
|
|
apply clarsimp
|
|
|
|
apply (frule(2) ccap_relation_capPDMappedASID_liftE[OF _ _ sym])
|
|
|
|
apply (frule length_ineq_not_Nil)
|
|
|
|
apply (simp add: whenE_bindE_throwError_to_if if_to_top_of_bind)
|
|
|
|
(* throw on mismatched ASID *)
|
|
|
|
apply (rule ccorres_Cond_rhs_Seq)
|
|
|
|
apply (frule ccap_relation_PageCap_generics)
|
|
|
|
apply (drule sym[where s="Some _"])
|
|
|
|
apply clarsimp
|
|
|
|
apply (rule ccorres_equals_throwError[OF throwError_invocationCatch])
|
|
|
|
apply (rule syscall_error_throwError_ccorres_n)
|
|
|
|
apply (simp add: syscall_error_to_H_cases)
|
|
|
|
(* throw on mismatched vaddr *)
|
|
|
|
apply simp
|
|
|
|
apply csymbr
|
|
|
|
apply (frule ccap_relation_PageCap_generics)
|
|
|
|
apply (clarsimp simp: hd_conv_nth length_ineq_not_Nil)
|
|
|
|
apply ccorres_rewrite
|
|
|
|
apply (rule ccorres_equals_throwError)
|
|
|
|
apply (frule ccap_relation_PageCap_generics)
|
|
|
|
apply (drule sym[where s="Some _"])
|
|
|
|
apply clarsimp
|
|
|
|
apply (rule throwError_invocationCatch)
|
|
|
|
apply (rule syscall_error_throwError_ccorres_n)
|
|
|
|
apply (simp add: syscall_error_to_H_cases)
|
|
|
|
(* frame cap not mapped, check mapping *)
|
2020-11-13 11:24:06 +00:00
|
|
|
(* disallow mappings above pptrBase *)
|
2019-09-26 05:26:30 +00:00
|
|
|
apply clarsimp
|
|
|
|
apply (prop_tac "mapdata = None")
|
|
|
|
apply (simp add: ccap_relation_mapped_asid_0)
|
|
|
|
apply clarsimp
|
|
|
|
apply (rule ccorres_rhs_assoc)+
|
|
|
|
apply csymbr
|
|
|
|
apply (rule ccorres_equals_throwError[OF throwError_invocationCatch])
|
|
|
|
apply (frule ccap_relation_PageCap_generics)
|
|
|
|
apply clarsimp
|
|
|
|
apply ccorres_rewrite
|
|
|
|
apply csymbr
|
2020-11-14 07:21:08 +00:00
|
|
|
apply (simp add: ARM.pptrBase_def ARM.pptrBase_def hd_conv_nth length_ineq_not_Nil)
|
2019-09-26 05:26:30 +00:00
|
|
|
apply ccorres_rewrite
|
|
|
|
apply (rule syscall_error_throwError_ccorres_n[unfolded id_def dc_def])
|
|
|
|
apply (simp add: syscall_error_to_H_cases)
|
|
|
|
(* Doesn't throw case *)
|
|
|
|
apply (drule_tac s="Some y" in sym,
|
|
|
|
clarsimp simp: does_not_throw_def case_option_If2 cong: if_cong)
|
|
|
|
apply (rule ccorres_add_return)
|
|
|
|
(* split off map/remap check, show it's equivalent to SKIP *)
|
|
|
|
apply (rule_tac P=\<top> and P'=UNIV in ccorres_split_nothrow)
|
|
|
|
apply (rule ccorres_guard_imp)
|
|
|
|
apply (frule ccap_relation_PageCap_generics, clarsimp)
|
|
|
|
apply (rule ccorres_Cond_rhs, clarsimp)
|
|
|
|
apply (rule ccorres_rhs_assoc)+
|
|
|
|
apply (csymbr, clarsimp)
|
|
|
|
apply (prop_tac "generic_frame_cap_get_capFMappedASID_CL (cap_lift cap)
|
|
|
|
= capPDMappedASID_CL (cap_page_directory_cap_lift rv')")
|
|
|
|
apply (clarsimp simp: cap_lift_page_directory_cap cap_to_H_def
|
|
|
|
to_bool_def cap_page_directory_cap_lift_def
|
|
|
|
elim!: ccap_relationE split: if_splits)
|
|
|
|
apply (clarsimp, ccorres_rewrite)
|
|
|
|
apply (csymbr, clarsimp simp: hd_conv_nth length_ineq_not_Nil, ccorres_rewrite)
|
|
|
|
apply (rule ccorres_return_Skip)
|
|
|
|
apply (rule ccorres_rhs_assoc)+
|
|
|
|
apply (csymbr, clarsimp, ccorres_rewrite)
|
|
|
|
apply (csymbr,
|
2020-11-14 07:21:08 +00:00
|
|
|
simp add: ARM.pptrBase_def ARM.pptrBase_def
|
2019-09-26 05:26:30 +00:00
|
|
|
hd_conv_nth length_ineq_not_Nil,
|
|
|
|
ccorres_rewrite)
|
|
|
|
apply (fold dc_def)
|
|
|
|
apply (rule ccorres_return_Skip, clarsimp)
|
|
|
|
apply (subgoal_tac "cap_get_tag cap = SCAST(32 signed \<rightarrow> 32) cap_frame_cap
|
|
|
|
\<or> cap_get_tag cap = SCAST(32 signed \<rightarrow> 32) cap_small_frame_cap",
|
|
|
|
fastforce)
|
|
|
|
apply (erule ccap_relation_frame_tags)
|
|
|
|
apply ceqv
|
|
|
|
apply csymbr
|
|
|
|
apply (simp add: createSafeMappingEntries_fold lookupError_injection
|
|
|
|
invocationCatch_use_injection_handler injection_bindE[OF refl refl]
|
|
|
|
injection_handler_returnOk injection_handler_If
|
|
|
|
injection_handler_throwError bindE_assoc
|
|
|
|
cong: if_cong)
|
|
|
|
(* throw on no pd for asid *)
|
|
|
|
apply (ctac add: ccorres_injection_handler_csum1[OF ccorres_injection_handler_csum1,
|
|
|
|
OF findPDForASID_ccorres])
|
|
|
|
apply (simp add: Collect_False if_to_top_of_bindE)
|
|
|
|
(* throw on mismatched pd *)
|
|
|
|
apply (rule ccorres_if_cond_throws[rotated -1, where Q=\<top> and Q'=\<top>])
|
2014-07-14 19:32:44 +00:00
|
|
|
apply vcg
|
2019-09-26 05:26:30 +00:00
|
|
|
apply (clarsimp simp: cap_lift_page_directory_cap cap_to_H_def
|
|
|
|
to_bool_def cap_page_directory_cap_lift_def
|
|
|
|
elim!: ccap_relationE split: if_split)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule syscall_error_throwError_ccorres_n)
|
|
|
|
apply (simp add: syscall_error_to_H_cases)
|
|
|
|
apply csymbr
|
2019-09-26 05:26:30 +00:00
|
|
|
apply (rule ccorres_symb_exec_r)
|
|
|
|
apply csymbr
|
|
|
|
apply (simp add: bindE_assoc checkVPAlignment_def unlessE_def
|
|
|
|
injection_handler_If if_to_top_of_bindE)
|
|
|
|
(* throw on vaddr has incorrect alignment *)
|
|
|
|
apply (rule ccorres_if_cond_throws2[rotated -1, where Q=\<top> and Q'=\<top>])
|
|
|
|
apply vcg
|
|
|
|
apply (clarsimp simp add: from_bool_0 vmsz_aligned'_def is_aligned_mask)
|
|
|
|
apply (drule ccap_relation_PageCap_generics)
|
|
|
|
apply (simp add: hd_conv_nth length_ineq_not_Nil)
|
|
|
|
apply (simp add: injection_handler_throwError throwError_bind
|
|
|
|
invocationCatch_def)
|
|
|
|
apply (rule syscall_error_throwError_ccorres_n)
|
|
|
|
apply (simp add: syscall_error_to_H_cases)
|
|
|
|
apply csymbr+
|
|
|
|
apply (simp add: injection_handler_returnOk bindE_assoc)
|
|
|
|
(* return perform page invocation map
|
|
|
|
pte if frameSize is small or large, otherwise pde *)
|
|
|
|
apply (rule ccorres_Cond_rhs)
|
|
|
|
apply (rule ccorres_rhs_assoc)+
|
|
|
|
apply csymbr
|
|
|
|
(* throw on pte not free *)
|
|
|
|
apply (ctac add: ccorres_injection_handler_csum1[
|
|
|
|
OF createSafeMappingEntries_PTE_ccorres])
|
|
|
|
apply (simp add: performARMMMUInvocations bindE_assoc)
|
|
|
|
apply ccorres_rewrite
|
|
|
|
apply (ctac add: setThreadState_ccorres)
|
|
|
|
apply (ctac(no_vcg) add: performPageInvocationMapPTE_ccorres)
|
|
|
|
apply (rule ccorres_alternative2)
|
|
|
|
apply (rule ccorres_return_CE; simp)
|
|
|
|
apply (rule ccorres_inst[where P=\<top> and P'=UNIV], simp)
|
|
|
|
apply (wp sts_invs_minor' valid_pte_slots_lift2)+
|
|
|
|
apply (simp, vcg exspec=setThreadState_modifies)
|
|
|
|
apply (simp, rule ccorres_split_throws)
|
|
|
|
apply ccorres_rewrite
|
|
|
|
apply (rule ccorres_return_C_errorE, simp+)
|
|
|
|
apply vcg
|
|
|
|
apply (simp add: createSafeMappingEntries_def)
|
|
|
|
apply (wp injection_wp[OF refl] createMappingEntries_valid_pte_slots'2)
|
|
|
|
apply (simp add: all_ex_eq_helper)
|
|
|
|
apply (vcg exspec=createSafeMappingEntries_PTE_modifies)
|
|
|
|
apply (rule ccorres_rhs_assoc)+
|
|
|
|
apply csymbr
|
|
|
|
(* throw on pde not free *)
|
|
|
|
apply (ctac add: ccorres_injection_handler_csum1[
|
|
|
|
OF createSafeMappingEntries_PDE_ccorres])
|
|
|
|
apply (simp add: performARMMMUInvocations bindE_assoc)
|
|
|
|
apply ccorres_rewrite
|
|
|
|
apply (ctac add: setThreadState_ccorres)
|
|
|
|
apply (ctac(no_vcg) add: performPageInvocationMapPDE_ccorres)
|
|
|
|
apply (rule ccorres_alternative2)
|
|
|
|
apply (rule ccorres_return_CE; simp)
|
|
|
|
apply (rule ccorres_inst[where P=\<top> and P'=UNIV], simp)
|
|
|
|
apply wp
|
|
|
|
apply (wp sts_invs_minor' valid_pde_slots_lift2)
|
|
|
|
apply (simp, vcg exspec=setThreadState_modifies)
|
|
|
|
apply (simp, ccorres_rewrite, rule ccorres_return_C_errorE; simp)
|
|
|
|
apply (simp add: createSafeMappingEntries_def,
|
|
|
|
wp injection_wp[OF refl] createMappingEntries_valid_pde_slots'2)
|
|
|
|
apply (simp add: all_ex_eq_helper, vcg exspec=createSafeMappingEntries_PDE_modifies)
|
|
|
|
apply (simp, vcg)
|
|
|
|
apply (rule conseqPre, vcg, clarsimp)
|
|
|
|
apply (simp, ccorres_rewrite)
|
|
|
|
apply (rule_tac P'="{s. find_ret = errstate s}" in ccorres_from_vcg_throws[where P=\<top>])
|
|
|
|
apply (rule allI, rule conseqPre, vcg)
|
|
|
|
apply (clarsimp simp: fst_throwError_returnOk exception_defs syscall_error_rel_def
|
|
|
|
syscall_error_to_H_cases false_def)
|
|
|
|
apply (erule lookup_failure_rel_fault_lift[rotated], simp add: exception_defs)
|
|
|
|
apply simp
|
2019-05-06 06:34:44 +00:00
|
|
|
apply (wp injection_wp[OF refl] | wp (once) hoare_drop_imps)+
|
2019-09-26 05:26:30 +00:00
|
|
|
apply (simp add: all_ex_eq_helper, vcg exspec=findPDForASID_modifies)
|
|
|
|
apply (simp add: getSlotCap_def)
|
|
|
|
apply (prop_tac "y = the (capPDMappedASID (capCap (fst (extraCaps ! 0))))", fastforce)
|
|
|
|
apply (drule_tac t="Some y" in sym)
|
|
|
|
apply (simp, rule return_inv)
|
|
|
|
apply simp
|
|
|
|
apply (prop_tac "y = the(capPDMappedASID (capCap (fst (extraCaps ! 0))))"; clarsimp)
|
|
|
|
apply vcg
|
2019-05-06 06:34:44 +00:00
|
|
|
apply (simp, wp (once) hoare_drop_imps, wpsimp)
|
2019-09-26 05:26:30 +00:00
|
|
|
apply (clarsimp, vcg)
|
|
|
|
apply (wpsimp, (simp, vcg exspec=getSyscallArg_modifies))+
|
|
|
|
apply (rename_tac word rghts pg_sz mapdata buffera cap excaps cte length___unsigned_long invLabel
|
|
|
|
s s')
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule conjI)
|
2019-11-08 06:32:01 +00:00
|
|
|
apply (clarsimp, frule cte_wp_at_eq_gsMaxObjectSize, clarsimp)
|
2019-09-26 05:26:30 +00:00
|
|
|
apply (clarsimp simp: cte_wp_at_ctes_of is_aligned_mask[symmetric] vmsz_aligned'_def
|
2014-07-14 19:32:44 +00:00
|
|
|
vmsz_aligned_addrFromPPtr)
|
|
|
|
apply (frule ctes_of_valid', clarsimp+)
|
2019-11-08 06:32:01 +00:00
|
|
|
apply (drule_tac t="cteCap cte" in sym, simp)
|
2019-09-26 05:26:30 +00:00
|
|
|
apply (clarsimp simp: valid_cap'_def capAligned_def mask_def[where n=asid_bits] linorder_not_le)
|
|
|
|
apply (prop_tac "extraCaps \<noteq> [] \<longrightarrow> (s \<turnstile>' fst (extraCaps ! 0))")
|
|
|
|
apply (clarsimp simp: neq_Nil_conv excaps_in_mem_def slotcap_in_mem_def linorder_not_le)
|
|
|
|
apply (erule ctes_of_valid', clarsimp)
|
|
|
|
|
|
|
|
(* Haskell side *)
|
2019-11-08 06:32:01 +00:00
|
|
|
subgoal
|
|
|
|
apply (clarsimp simp: ct_in_state'_def vmsz_aligned'_def isCap_simps valid_cap'_def
|
|
|
|
valid_tcb_state'_def page_directory_at'_def sysargs_rel_to_n
|
|
|
|
linorder_not_less excaps_map_def
|
|
|
|
| rule conjI | erule pred_tcb'_weakenE disjE
|
|
|
|
| erule(3) is_aligned_no_overflow3[OF vmsz_aligned_addrFromPPtr(3)[THEN iffD2]]
|
|
|
|
| drule st_tcb_at_idle_thread' interpret_excaps_eq
|
|
|
|
| erule order_le_less_trans[rotated] order_trans[where x=63, rotated]
|
|
|
|
| rule order_trans[where x=63, OF _ two_nat_power_pageBitsForSize_le, unfolded pageBits_def]
|
|
|
|
| clarsimp simp: neq_Nil_conv
|
|
|
|
| solves \<open>rule word_plus_mono_right[OF word_less_sub_1], simp,
|
|
|
|
subst (asm) vmsz_aligned_addrFromPPtr(3)[symmetric],
|
|
|
|
erule is_aligned_no_wrap', clarsimp\<close>
|
|
|
|
| solves \<open>frule vmsz_aligned_addrFromPPtr(3)[THEN iffD2],
|
|
|
|
(subst mask_add_aligned mask_add_aligned_right, erule is_aligned_weaken,
|
|
|
|
rule order_trans[OF _ pbfs_atleast_pageBits[simplified pageBits_def]], simp)+,
|
|
|
|
simp\<close>)+
|
|
|
|
apply (clarsimp simp: does_not_throw_def not_le word_aligned_add_no_wrap_bounded
|
|
|
|
split: option.splits)
|
|
|
|
apply (clarsimp simp: neq_Nil_conv dest!: st_tcb_at_idle_thread' interpret_excaps_eq)
|
|
|
|
apply ((clarsimp | rule conjI | erule pred_tcb'_weakenE disjE
|
|
|
|
| solves \<open>rule word_plus_mono_right[OF word_less_sub_1], simp,
|
|
|
|
subst (asm) vmsz_aligned_addrFromPPtr(3)[symmetric],
|
|
|
|
erule is_aligned_no_wrap', clarsimp\<close>
|
|
|
|
| solves \<open>frule vmsz_aligned_addrFromPPtr(3)[THEN iffD2],
|
|
|
|
(subst mask_add_aligned mask_add_aligned_right, erule is_aligned_weaken,
|
|
|
|
rule order_trans[OF _ pbfs_atleast_pageBits[simplified pageBits_def]], simp)+,
|
|
|
|
simp\<close>)+)[1] (* 20s *)
|
|
|
|
done
|
2019-09-26 05:26:30 +00:00
|
|
|
|
|
|
|
(* C side *)
|
|
|
|
apply (clarsimp simp: rf_sr_ksCurThread "StrictC'_thread_state_defs" mask_eq_iff_w2p
|
|
|
|
word_size word_less_nat_alt from_bool_0 excaps_map_def cte_wp_at_ctes_of)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (frule ctes_of_valid', clarsimp)
|
2019-11-08 06:32:01 +00:00
|
|
|
apply (drule_tac t="cteCap ctea" in sym)
|
|
|
|
apply (clarsimp simp: valid_cap'_def capAligned_def word_sless_def word_sle_def)
|
2019-09-26 05:26:30 +00:00
|
|
|
apply (prop_tac "cap_get_tag cap \<in> {scast cap_small_frame_cap, scast cap_frame_cap}")
|
|
|
|
apply (clarsimp simp: cap_to_H_def cap_lift_def Let_def elim!: ccap_relationE split: if_split_asm)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule conjI)
|
|
|
|
apply (frule ccap_relation_PageCap_generics)
|
2019-09-26 05:26:30 +00:00
|
|
|
apply (clarsimp simp: word_less_nat_alt vm_attribs_relation_def attribsFromWord_def
|
|
|
|
framesize_from_H_eq_eqs of_bool_nth[simplified of_bool_from_bool]
|
|
|
|
vm_page_size_defs neq_Nil_conv excaps_in_mem_def hd_conv_nth
|
|
|
|
length_ineq_not_Nil numeral_2_eq_2 does_not_throw_def
|
2021-09-22 00:21:01 +00:00
|
|
|
pptrBase_def
|
|
|
|
simp del: unsigned_numeral)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (frule interpret_excaps_eq[rule_format, where n=0], simp)
|
|
|
|
apply (frule(1) slotcap_in_mem_PageDirectory)
|
2019-09-26 05:26:30 +00:00
|
|
|
apply (clarsimp simp: mask_def[where n=4] typ_heap_simps' isCap_simps)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (frule slotcap_in_mem_valid, clarsimp+)
|
2015-05-17 23:11:43 +00:00
|
|
|
apply (erule_tac c="ArchObjectCap (PageDirectoryCap a b)" for a b in ccap_relationE)
|
2019-09-26 05:26:30 +00:00
|
|
|
apply (case_tac mapdata
|
|
|
|
; (clarsimp simp: cap_lift_page_directory_cap to_bool_def cap_page_directory_cap_lift_def
|
|
|
|
cap_to_H_def[split_simps cap_CL.split] valid_cap'_def,
|
|
|
|
(drule(1) generic_frame_cap_set_capFMappedAddress_ccap_relation
|
|
|
|
; simp add: isCap_simps mask_def),
|
|
|
|
(simp add: gen_framesize_to_H_def vm_page_size_defs hd_conv_nth length_ineq_not_Nil
|
|
|
|
split: if_split_asm)))
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (frule ccap_relation_PageCap_generics)
|
2019-09-26 05:26:30 +00:00
|
|
|
apply (clarsimp simp: signed_shift_guard_simpler_32 pbfs_less framesize_from_H_eq_eqs)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (intro conjI impI)
|
2019-09-26 05:26:30 +00:00
|
|
|
apply (clarsimp simp: unat_less_helper isPageFlush_def isPageFlushLabel_def dest!: at_least_2_args
|
|
|
|
| intro flushtype_relation_triv allI impI conjI)+
|
2014-07-14 19:32:44 +00:00
|
|
|
done
|
|
|
|
|
|
|
|
lemma asidHighBits_handy_convs:
|
2016-07-04 07:35:42 +00:00
|
|
|
"sint Kernel_C.asidHighBits = 7"
|
2014-07-14 19:32:44 +00:00
|
|
|
"Kernel_C.asidHighBits \<noteq> 0x20"
|
|
|
|
"unat Kernel_C.asidHighBits = asid_high_bits"
|
|
|
|
by (simp add: Kernel_C.asidHighBits_def
|
|
|
|
asid_high_bits_def)+
|
|
|
|
|
|
|
|
lemma sts_Restart_ct_active [wp]:
|
|
|
|
"\<lbrace>\<lambda>s. thread = ksCurThread s\<rbrace> setThreadState Restart thread \<lbrace>\<lambda>_. ct_active'\<rbrace>"
|
|
|
|
apply (clarsimp simp: ct_in_state'_def)
|
|
|
|
apply (rule hoare_lift_Pf2 [where f=ksCurThread])
|
|
|
|
apply (wp sts_st_tcb')
|
2016-10-25 06:01:30 +00:00
|
|
|
apply (simp split: if_split)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply wp
|
|
|
|
done
|
|
|
|
|
2017-07-12 05:13:51 +00:00
|
|
|
lemma isPDFlush_fold:
|
2016-01-21 23:34:54 +00:00
|
|
|
"(label = ArchInvocationLabel arch_invocation_label.ARMPDUnify_Instruction \<or>
|
|
|
|
label = ArchInvocationLabel arch_invocation_label.ARMPDCleanInvalidate_Data \<or>
|
|
|
|
label = ArchInvocationLabel arch_invocation_label.ARMPDInvalidate_Data \<or>
|
|
|
|
label = ArchInvocationLabel arch_invocation_label.ARMPDClean_Data) = isPDFlushLabel label"
|
|
|
|
by (simp_all add:isPDFlushLabel_def split:invocation_label.splits arch_invocation_label.splits)
|
2014-07-14 19:32:44 +00:00
|
|
|
|
|
|
|
lemma injection_handler_liftE:
|
|
|
|
"injection_handler a (liftE f) = liftE f"
|
|
|
|
by (simp add:injection_handler_def)
|
2015-07-13 06:17:55 +00:00
|
|
|
|
2014-07-14 19:32:44 +00:00
|
|
|
lemma pageBase_spec:
|
2015-12-08 06:29:42 +00:00
|
|
|
"\<forall>s. \<Gamma> \<turnstile> \<lbrace>s. \<acute>size___unsigned_long && mask 2 = \<acute>size___unsigned_long\<rbrace>
|
2014-07-14 19:32:44 +00:00
|
|
|
Call pageBase_'proc
|
2015-12-08 06:29:42 +00:00
|
|
|
\<lbrace> \<acute>ret__unsigned_long = \<^bsup>s\<^esup>vaddr && ~~ (2 ^ pageBitsForSize (gen_framesize_to_H \<^bsup>s\<^esup>size___unsigned_long) - 1)\<rbrace>"
|
2014-07-14 19:32:44 +00:00
|
|
|
apply vcg
|
|
|
|
apply (simp add:pageBitsForSize_def split:vmpage_size.splits)
|
|
|
|
done
|
|
|
|
|
2014-08-09 05:16:17 +00:00
|
|
|
lemma liftE_case_sum:
|
|
|
|
"liftE f >>= case_sum (throwError \<circ> Inr) g = f >>= g"
|
2014-07-14 19:32:44 +00:00
|
|
|
by (simp add:liftE_def)
|
|
|
|
|
|
|
|
crunch inv': resolveVAddr "P"
|
2020-01-30 05:56:48 +00:00
|
|
|
(wp: crunch_wps simp: crunch_simps)
|
2014-07-14 19:32:44 +00:00
|
|
|
|
2015-07-13 06:17:55 +00:00
|
|
|
|
2014-07-14 19:32:44 +00:00
|
|
|
lemma flush_range_le:
|
2015-07-16 04:44:56 +00:00
|
|
|
assumes assms:"page_base start a = page_base end a"
|
|
|
|
"start \<le> end" "w && mask (pageBitsForSize a) = start && mask (pageBitsForSize a)"
|
|
|
|
shows "w \<le> w + (end - start)" "unat (end - start) \<le> 2 ^ pageBitsForSize a"
|
|
|
|
proof -
|
|
|
|
have q: "w && mask (pageBitsForSize a) \<le> (w && mask (pageBitsForSize a)) + (end - start)"
|
|
|
|
using assms
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (subst AND_NOT_mask_plus_AND_mask_eq
|
|
|
|
[where w = start,symmetric,where n = "pageBitsForSize a"])
|
2020-03-29 08:35:28 +00:00
|
|
|
apply (simp add: page_base_def)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (drule word_le_minus_mono_left[where x= "start && ~~ mask (pageBitsForSize a)"])
|
|
|
|
apply (rule word_and_le2)
|
2015-07-16 04:44:56 +00:00
|
|
|
apply (simp(no_asm_use), simp)
|
|
|
|
done
|
|
|
|
have a: "unat (w && mask (pageBitsForSize a)) + unat (end - start)
|
|
|
|
= unat ((w && mask (pageBitsForSize a)) + (end - start))"
|
|
|
|
apply (rule unat_plus_simple[THEN iffD1,symmetric])
|
|
|
|
apply (rule q)
|
|
|
|
done
|
2017-07-12 05:13:51 +00:00
|
|
|
have b: "end + (start && mask (pageBitsForSize a)) - start
|
2015-07-16 04:44:56 +00:00
|
|
|
= end - (start && ~~ mask (pageBitsForSize a))"
|
|
|
|
by (simp add:mask_out_sub_mask)
|
|
|
|
have c: "unat (w && mask (pageBitsForSize a)) + unat (end - start) < 2 ^ pageBitsForSize a"
|
|
|
|
using assms a
|
|
|
|
apply (simp add:field_simps)
|
|
|
|
apply (rule unat_less_helper)
|
|
|
|
apply simp
|
|
|
|
apply (rule_tac P =" \<lambda>x. x < y" for y in ssubst[OF b])
|
|
|
|
apply (subst AND_NOT_mask_plus_AND_mask_eq
|
|
|
|
[where w = "end",symmetric,where n = "pageBitsForSize a"])
|
|
|
|
apply (simp add:page_base_def)
|
|
|
|
apply (rule and_mask_less')
|
|
|
|
apply simp
|
|
|
|
done
|
|
|
|
|
|
|
|
show "w \<le> w + (end - start)"
|
|
|
|
using assms
|
|
|
|
apply -
|
2017-01-26 03:20:48 +00:00
|
|
|
apply (rule machine_word_plus_mono_right_split, rule c)
|
2015-07-16 04:44:56 +00:00
|
|
|
apply (simp add:pbfs_less_wb')
|
|
|
|
done
|
|
|
|
|
|
|
|
show "unat (end - start) \<le> 2 ^ pageBitsForSize a"
|
|
|
|
using q c
|
|
|
|
by (simp add: olen_add_eqv)
|
|
|
|
qed
|
|
|
|
|
|
|
|
lemmas flush_range_le1 = flush_range_le(2)[OF _ _ refl]
|
2014-07-14 19:32:44 +00:00
|
|
|
|
|
|
|
lemma resolveVAddr_ret:
|
|
|
|
"\<lbrace>valid_objs' and P \<rbrace> resolveVAddr p start
|
|
|
|
\<lbrace>\<lambda>r s. P s \<and> (r \<noteq> None \<longrightarrow> is_aligned (snd (the r)) (pageBitsForSize (fst (the r))))
|
|
|
|
\<rbrace>"
|
|
|
|
apply (simp add:resolveVAddr_def)
|
|
|
|
apply (wp getPDE_wp getPTE_wp|wpc|simp)+
|
|
|
|
apply (intro conjI impI allI)
|
|
|
|
apply clarsimp
|
|
|
|
apply (drule obj_at_valid_objs', clarsimp)+
|
|
|
|
apply (clarsimp simp: projectKOs valid_obj'_def valid_mapping'_def)
|
|
|
|
apply (drule obj_at_valid_objs', clarsimp)+
|
|
|
|
apply (clarsimp simp: projectKOs valid_obj'_def valid_mapping'_def)
|
|
|
|
apply (drule obj_at_valid_objs', clarsimp)+
|
|
|
|
apply (clarsimp simp: projectKOs valid_obj'_def valid_mapping'_def)
|
|
|
|
apply (drule obj_at_valid_objs', clarsimp)+
|
|
|
|
apply (clarsimp simp: projectKOs valid_obj'_def valid_mapping'_def)
|
|
|
|
done
|
|
|
|
|
|
|
|
lemma framesize_from_H_mask2:
|
|
|
|
"framesize_from_H a && mask 2 = framesize_from_H a"
|
|
|
|
apply (rule less_mask_eq)
|
2017-07-12 05:13:51 +00:00
|
|
|
apply (simp add:framesize_from_H_def
|
2014-07-14 19:32:44 +00:00
|
|
|
split: vmpage_size.splits)
|
|
|
|
apply (simp add:Kernel_C.ARMSmallPage_def
|
|
|
|
Kernel_C.ARMLargePage_def
|
|
|
|
Kernel_C.ARMSection_def
|
|
|
|
Kernel_C.ARMSuperSection_def)+
|
|
|
|
done
|
|
|
|
|
2015-07-13 06:17:55 +00:00
|
|
|
lemma injection_handler_stateAssert_relocate:
|
|
|
|
"injection_handler Inl (stateAssert ass xs >>= f) >>=E g
|
|
|
|
= do v \<leftarrow> stateAssert ass xs; injection_handler Inl (f ()) >>=E g od"
|
|
|
|
by (simp add: injection_handler_def handleE'_def bind_bindE_assoc bind_assoc)
|
|
|
|
|
2014-07-14 19:32:44 +00:00
|
|
|
lemma decodeARMPageDirectoryInvocation_ccorres:
|
2017-11-21 23:52:59 +00:00
|
|
|
notes if_cong[cong]
|
2014-07-14 19:32:44 +00:00
|
|
|
shows
|
|
|
|
"\<lbrakk> interpret_excaps extraCaps' = excaps_map extraCaps;
|
|
|
|
isPageDirectoryCap cp \<rbrakk>
|
|
|
|
\<Longrightarrow>
|
|
|
|
ccorres (intr_and_se_rel \<currency> dc) (liftxf errstate id (K ()) ret__unsigned_long_')
|
|
|
|
(invs' and (\<lambda>s. ksCurThread s = thread) and ct_active' and sch_act_simple
|
|
|
|
and (excaps_in_mem extraCaps \<circ> ctes_of)
|
2019-11-08 06:32:01 +00:00
|
|
|
and cte_wp_at' ((=) (ArchObjectCap cp) \<circ> cteCap) slot
|
2014-07-14 19:32:44 +00:00
|
|
|
and (\<lambda>s. \<forall>v \<in> set extraCaps. ex_cte_cap_wp_to' isCNodeCap (snd v) s)
|
|
|
|
and sysargs_rel args buffer)
|
2016-01-08 07:43:33 +00:00
|
|
|
(UNIV \<inter> {s. invLabel_' s = label}
|
|
|
|
\<inter> {s. unat (length___unsigned_long_' s) = length args}
|
2014-07-14 19:32:44 +00:00
|
|
|
\<inter> {s. cte_' s = cte_Ptr slot}
|
crefine: remove large structs passed by value
The RISC-V calling convention specifies that when a C function takes an
argument by value, the binary function should take the argument by
reference, if the value is larger than 2 pointer words.
For binary verification, we avoid implementing this aspect of the RISC-V
calling convention, by eliminating all such function arguments for
functions which are not inlined. This commit includes the proof updates
corresponding to the kernel source update, which is in the seL4
repository.
This includes arguments of types `slot_range_t` and `extra_caps_t`.
`slot_range_t` is only used in two functions, so for those cases, we
unpack the arguments, and remove the type altogether.
`extra_caps_t` is used extensively in invocation decoding, and also in
inter-process communication. Since extra caps are already stored in a
global variable `current_extra_caps`, we remove the function argument,
and use the global variable instead. However, this adds significant
difficulty to the proofs, because the variable lifting performed by
`cinit` worked for the function argument, but not for the global
variable. We have therefore recently improved the `cinit` automation to
support this change to the kernel.
Even though this change was for the benefit of RISC-V binary
verification, we update all architectures for consistency.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
2020-06-12 07:44:30 +00:00
|
|
|
\<inter> {s. current_extra_caps_' (globals s) = extraCaps'}
|
2014-07-14 19:32:44 +00:00
|
|
|
\<inter> {s. ccap_relation (ArchObjectCap cp) (cap_' s)}
|
|
|
|
\<inter> {s. buffer_' s = option_to_ptr buffer}) []
|
|
|
|
(decodeARMMMUInvocation label args cptr slot cp extraCaps
|
|
|
|
>>= invocationCatch thread isBlocking isCall InvokeArchObject)
|
|
|
|
(Call decodeARMPageDirectoryInvocation_'proc)"
|
2021-09-22 00:21:01 +00:00
|
|
|
including no_take_bit
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (clarsimp simp only: isCap_simps)
|
crefine: remove large structs passed by value
The RISC-V calling convention specifies that when a C function takes an
argument by value, the binary function should take the argument by
reference, if the value is larger than 2 pointer words.
For binary verification, we avoid implementing this aspect of the RISC-V
calling convention, by eliminating all such function arguments for
functions which are not inlined. This commit includes the proof updates
corresponding to the kernel source update, which is in the seL4
repository.
This includes arguments of types `slot_range_t` and `extra_caps_t`.
`slot_range_t` is only used in two functions, so for those cases, we
unpack the arguments, and remove the type altogether.
`extra_caps_t` is used extensively in invocation decoding, and also in
inter-process communication. Since extra caps are already stored in a
global variable `current_extra_caps`, we remove the function argument,
and use the global variable instead. However, this adds significant
difficulty to the proofs, because the variable lifting performed by
`cinit` worked for the function argument, but not for the global
variable. We have therefore recently improved the `cinit` automation to
support this change to the kernel.
Even though this change was for the benefit of RISC-V binary
verification, we update all architectures for consistency.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
2020-06-12 07:44:30 +00:00
|
|
|
apply (cinit' lift: invLabel_' length___unsigned_long_' cte_' current_extra_caps_' cap_' buffer_'
|
2014-07-14 19:32:44 +00:00
|
|
|
simp: decodeARMMMUInvocation_def invocation_eq_use_types)
|
|
|
|
apply (simp add: Let_def isCap_simps if_to_top_of_bind
|
|
|
|
del: Collect_const cong: StateSpace.state.fold_congs globals.fold_congs)
|
|
|
|
apply (rule ccorres_Cond_rhs)
|
|
|
|
apply (simp add: list_case_If2 if3_fold2 isPDFlush_fold
|
|
|
|
del: Collect_const
|
|
|
|
cong: StateSpace.state.fold_congs globals.fold_congs
|
|
|
|
if_cong list.case_cong)
|
2017-11-21 23:52:59 +00:00
|
|
|
apply (simp add: split_def if_to_top_of_bind
|
|
|
|
del: Collect_const cong: if_cong)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule ccorres_rhs_assoc)+
|
|
|
|
apply csymbr+
|
|
|
|
apply (rule ccorres_if_cond_throws[rotated -1, where Q=\<top> and Q'=\<top>])
|
|
|
|
apply vcg
|
|
|
|
apply (clarsimp simp:list_length_less )
|
2018-09-17 06:17:28 +00:00
|
|
|
apply (drule unat_less_iff[where c=2])
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (simp add:word_bits_def)
|
|
|
|
apply simp
|
|
|
|
apply (simp add: throwError_bind invocationCatch_def)
|
|
|
|
apply (rule syscall_error_throwError_ccorres_n)
|
|
|
|
apply (simp add: syscall_error_to_H_cases)
|
|
|
|
apply (rule ccorres_add_return)
|
|
|
|
apply (ctac add: getSyscallArg_ccorres_foo[where args=args and n=0 and buffer=buffer])
|
|
|
|
apply (rule ccorres_add_return)
|
|
|
|
apply (ctac add: getSyscallArg_ccorres_foo[where args=args and n=1 and buffer=buffer])
|
|
|
|
apply (simp add: invocationCatch_use_injection_handler
|
|
|
|
injection_bindE[OF refl refl] bindE_assoc
|
|
|
|
injection_handler_returnOk injection_handler_whenE
|
|
|
|
lookupError_injection)
|
|
|
|
apply (simp add:if_to_top_of_bindE)
|
|
|
|
apply (rule ccorres_if_cond_throws[rotated -1, where Q=\<top> and Q'=\<top>])
|
|
|
|
apply vcg
|
|
|
|
apply (clarsimp simp: hd_conv_nth length_ineq_not_Nil)
|
|
|
|
apply (simp add:injection_handler_throwError)
|
|
|
|
apply (rule syscall_error_throwError_ccorres_n)
|
|
|
|
apply (simp add: syscall_error_to_H_cases)
|
|
|
|
apply (rule ccorres_if_cond_throws[rotated -1, where Q=\<top> and Q'=\<top>])
|
|
|
|
apply vcg
|
2021-09-22 00:21:01 +00:00
|
|
|
apply (clarsimp simp: hd_conv_nth length_ineq_not_Nil pptrBase_def)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (simp add:injection_handler_throwError)
|
|
|
|
apply (rule syscall_error_throwError_ccorres_n)
|
|
|
|
apply (simp add: syscall_error_to_H_cases)
|
2014-08-09 05:16:17 +00:00
|
|
|
apply (simp add:case_option_If2[unfolded if_swap[symmetric]])
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (simp only: injection_handler_if_returnOk)
|
|
|
|
apply csymbr
|
|
|
|
apply csymbr
|
|
|
|
apply (rule ccorres_cond_false_seq)
|
|
|
|
apply (rule ccorres_rhs_assoc)+
|
|
|
|
apply csymbr
|
|
|
|
apply csymbr
|
|
|
|
apply (simp add:if_to_top_of_bind if_to_top_of_bindE)
|
|
|
|
apply (rule ccorres_if_cond_throws[rotated -1,where Q=\<top> and Q'=\<top>])
|
|
|
|
apply vcg
|
|
|
|
apply (clarsimp dest!:cap_lift_page_directory_cap
|
|
|
|
simp : cap_page_directory_cap_lift_def
|
|
|
|
cap_to_H_def to_bool_def Let_def
|
2017-07-12 05:13:51 +00:00
|
|
|
elim!: ccap_relationE
|
2014-07-14 19:32:44 +00:00
|
|
|
split: cap_CL.splits if_splits)
|
|
|
|
apply (simp add:injection_handler_throwError)
|
|
|
|
apply (rule syscall_error_throwError_ccorres_n)
|
|
|
|
apply (simp add:syscall_error_to_H_cases)
|
|
|
|
apply csymbr
|
|
|
|
apply csymbr
|
|
|
|
apply csymbr
|
2018-02-13 01:12:28 +00:00
|
|
|
apply csymbr
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (ctac add: ccorres_injection_handler_csum1
|
|
|
|
[OF ccorres_injection_handler_csum1,
|
|
|
|
OF findPDForASID_ccorres])
|
|
|
|
apply (rule ccorres_cond_false_seq)
|
|
|
|
apply simp
|
|
|
|
apply (rule ccorres_if_cond_throws[rotated -1, where Q=\<top> and Q'=\<top>])
|
|
|
|
apply vcg
|
|
|
|
apply (clarsimp simp: isCap_simps)
|
|
|
|
apply (frule cap_get_tag_isCap_unfolded_H_cap)
|
|
|
|
apply (clarsimp simp: cap_lift_page_directory_cap
|
|
|
|
cap_to_H_def cap_page_directory_cap_lift_def
|
2016-10-25 06:01:30 +00:00
|
|
|
elim!: ccap_relationE split: if_split)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (simp add: injection_handler_throwError)
|
|
|
|
apply (rule syscall_error_throwError_ccorres_n)
|
|
|
|
apply (simp add:syscall_error_to_H_cases)
|
|
|
|
apply (simp add:injection_handler_liftE liftE_bindE)
|
|
|
|
apply (rule ccorres_rhs_assoc2)+
|
|
|
|
apply (rule ccorres_rhs_assoc)+
|
|
|
|
apply (simp add:hd_conv_nth)
|
|
|
|
apply (rule ccorres_split_nothrow)
|
|
|
|
apply (rule_tac xf'= "resolve_ret_'" in
|
|
|
|
ccorres_call)
|
2014-09-10 07:26:44 +00:00
|
|
|
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule resolveVAddr_ccorres)
|
|
|
|
apply simp
|
|
|
|
apply simp
|
|
|
|
apply simp
|
|
|
|
apply ceqv
|
2017-07-12 05:13:51 +00:00
|
|
|
apply (simp add:injection_handler_If
|
2014-07-14 19:32:44 +00:00
|
|
|
injection_handler_returnOk if_to_top_of_bind if_to_top_of_bindE)
|
|
|
|
apply (rule_tac Q=\<top> and Q'=\<top> in ccorres_if_cond_throws[rotated -1])
|
|
|
|
apply vcg
|
2014-09-10 07:26:44 +00:00
|
|
|
apply (clarsimp simp:resolve_ret_rel_def to_bool_def to_option_def
|
|
|
|
rel_option_alt_def not_le split:option.splits if_splits)
|
2016-05-01 03:35:49 +00:00
|
|
|
apply (simp add:invocationCatch_def ARM_H.performInvocation_def
|
2014-07-14 19:32:44 +00:00
|
|
|
performInvocation_def performARMMMUInvocation_def)
|
2017-07-12 05:13:51 +00:00
|
|
|
apply (simp add:performPageDirectoryInvocation_def
|
2014-08-09 05:16:17 +00:00
|
|
|
liftE_case_sum liftE_bindE liftE_alternative)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (ctac add: setThreadState_ccorres)
|
|
|
|
apply (rule ccorres_alternative2)
|
|
|
|
apply (simp add:returnOk_liftE[symmetric])
|
|
|
|
apply (rule ccorres_return_CE,simp+)[1]
|
|
|
|
apply wp
|
|
|
|
apply (vcg exspec=setThreadState_modifies)
|
|
|
|
apply csymbr
|
|
|
|
apply csymbr
|
2017-07-12 05:13:51 +00:00
|
|
|
apply (simp add:injection_handler_whenE
|
|
|
|
injection_bindE[OF refl refl] bindE_assoc
|
2014-07-14 19:32:44 +00:00
|
|
|
if_to_top_of_bindE injection_handler_throwError
|
2015-07-13 06:17:55 +00:00
|
|
|
injection_handler_returnOk injection_handler_stateAssert_relocate
|
2015-07-16 04:44:56 +00:00
|
|
|
checkValidMappingSize_def
|
2014-07-14 19:32:44 +00:00
|
|
|
)
|
2015-07-13 06:17:55 +00:00
|
|
|
apply (rule ccorres_stateAssert)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule_tac Q=\<top> and Q'=\<top> in ccorres_if_cond_throws[rotated -1])
|
|
|
|
apply vcg
|
2021-09-22 00:21:01 +00:00
|
|
|
apply (clarsimp simp: page_base_def resolve_ret_rel_def rel_option_alt_def
|
|
|
|
to_option_def mask_def[unfolded shiftl_1,symmetric]
|
|
|
|
split: option.splits if_splits)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (simp add: framesize_from_to_H)
|
|
|
|
apply (rule ccorres_from_vcg_throws[where P=\<top> and P'=UNIV])
|
|
|
|
apply (rule allI, rule conseqPre, vcg)
|
2021-09-22 00:21:01 +00:00
|
|
|
apply (clarsimp simp: throwError_def return_def syscall_error_rel_def exception_defs
|
|
|
|
syscall_error_to_H_cases false_def)
|
|
|
|
apply (clarsimp simp: page_base_def resolve_ret_rel_def rel_option_alt_def to_option_def
|
|
|
|
mask_def[unfolded shiftl_1,symmetric]
|
|
|
|
split: option.splits if_splits)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (cut_tac sz = a in pbfs_less_wb')
|
2021-09-22 00:21:01 +00:00
|
|
|
apply (clarsimp simp add:framesize_from_to_H word_bits_def framesize_from_H_mask)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule word_of_nat_less)
|
|
|
|
apply (simp add:pbfs_less_wb')
|
|
|
|
apply (simp add:performARMMMUInvocations)
|
|
|
|
apply csymbr
|
|
|
|
apply (rule ccorres_Guard_Seq)
|
|
|
|
apply csymbr
|
|
|
|
apply (ctac add: setThreadState_ccorres)
|
|
|
|
apply (simp add:bindE_assoc)
|
|
|
|
apply (ctac add: performPageDirectoryInvocationFlush_ccorres)
|
|
|
|
apply (rule ccorres_alternative2)
|
|
|
|
apply (simp add:returnOk_liftE[symmetric])
|
|
|
|
apply (rule ccorres_return_CE,simp+)[1]
|
|
|
|
apply (rule ccorres_inst[where P=\<top> and P'=UNIV], simp)
|
|
|
|
apply (rule hoareE_TrueI[where P = \<top>])
|
|
|
|
apply simp
|
|
|
|
apply (vcg exspec=performPDFlush_modifies)
|
|
|
|
apply (wp sts_invs_minor' sts_Restart_ct_active)
|
|
|
|
apply simp
|
|
|
|
apply simp
|
|
|
|
apply (vcg exspec=setThreadState_modifies)
|
|
|
|
apply (rule_tac P = "(the v1 \<le> mask asid_bits)" in hoare_gen_asm)
|
|
|
|
apply simp
|
|
|
|
apply (rule hoare_post_imp[OF _ resolveVAddr_ret
|
|
|
|
[where P = "sch_act_simple and invs' and tcb_at' thread and
|
|
|
|
st_tcb_at'
|
|
|
|
(\<lambda>st'. tcb_st_refs_of' st' = {} \<and>
|
|
|
|
st' \<noteq> Structures_H.thread_state.Inactive \<and> st' \<noteq> Structures_H.thread_state.IdleThreadState)
|
2017-07-12 05:13:51 +00:00
|
|
|
thread and (\<lambda>s. thread \<noteq> ksIdleThread s
|
2014-07-14 19:32:44 +00:00
|
|
|
\<and> (obj_at' tcbQueued thread s \<longrightarrow> st_tcb_at' runnable' thread s))"]])
|
|
|
|
apply (clarsimp simp: invs_valid_objs' invs_sch_act_wf'
|
|
|
|
valid_tcb_state'_def invs_queues)
|
|
|
|
apply (rule conjI)
|
|
|
|
apply (erule flush_range_le)
|
|
|
|
apply (simp add:linorder_not_le)
|
|
|
|
apply (erule word_less_sub_1)
|
|
|
|
apply (simp add:mask_add_aligned mask_twice)
|
|
|
|
apply (subgoal_tac "5 \<le> pageBitsForSize a")
|
|
|
|
apply (frule(1) is_aligned_weaken)
|
|
|
|
apply (simp add:mask_add_aligned mask_twice)
|
2015-07-13 06:17:55 +00:00
|
|
|
apply (erule order_trans[rotated])
|
|
|
|
apply (erule flush_range_le1, simp add: linorder_not_le)
|
|
|
|
apply (erule word_less_sub_1)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (case_tac a,simp+)[1]
|
|
|
|
apply simp
|
|
|
|
apply (vcg exspec=resolveVAddr_modifies)
|
|
|
|
apply (rule_tac P'="{s. errstate s = find_ret}"
|
|
|
|
in ccorres_from_vcg_split_throws[where P=\<top>])
|
|
|
|
apply vcg
|
|
|
|
apply (rule conseqPre, vcg)
|
|
|
|
apply (clarsimp simp: throwError_def return_def syscall_error_rel_def
|
|
|
|
syscall_error_to_H_cases exception_defs false_def)
|
|
|
|
apply (erule lookup_failure_rel_fault_lift[rotated])
|
|
|
|
apply (simp add: exception_defs)
|
|
|
|
apply simp
|
|
|
|
apply (wp injection_wp[OF refl] hoare_drop_imps)
|
|
|
|
apply simp
|
|
|
|
apply (vcg exspec=findPDForASID_modifies)
|
|
|
|
apply simp
|
2019-05-06 06:34:44 +00:00
|
|
|
apply (wp | wp (once) hoare_drop_imps)+
|
2014-07-14 19:32:44 +00:00
|
|
|
apply simp
|
|
|
|
apply vcg
|
|
|
|
apply simp
|
|
|
|
apply wp
|
|
|
|
apply simp
|
|
|
|
apply (vcg exspec=getSyscallArg_modifies)
|
|
|
|
apply (simp add:isPDFlush_fold throwError_invocationCatch)
|
|
|
|
apply (rule syscall_error_throwError_ccorres_n)
|
|
|
|
apply (clarsimp simp: syscall_error_to_H_cases)
|
2017-07-12 05:13:51 +00:00
|
|
|
apply (clarsimp simp:ex_cte_cap_wp_to'_def invs_arch_state'
|
2014-07-14 19:32:44 +00:00
|
|
|
invs_valid_objs' invs_sch_act_wf' tcb_at_invs')
|
|
|
|
apply (clarsimp simp: isCap_simps cte_wp_at_ctes_of invs_no_0_obj')
|
|
|
|
apply (frule ctes_of_valid', clarsimp)
|
2019-11-08 06:32:01 +00:00
|
|
|
apply (drule_tac t="cteCap cte" in sym)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (intro conjI)
|
|
|
|
apply (clarsimp simp: sysargs_rel_to_n word_le_nat_alt mask_def
|
|
|
|
linorder_not_less linorder_not_le valid_cap_simps')
|
|
|
|
apply (clarsimp dest!:ct_active_runnable')
|
|
|
|
apply (simp add:ct_in_state'_def)
|
2015-09-02 05:43:39 +00:00
|
|
|
apply (erule pred_tcb'_weakenE)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (case_tac st,simp+)
|
|
|
|
apply (clarsimp simp: sysargs_rel_to_n word_le_nat_alt mask_def
|
|
|
|
linorder_not_less linorder_not_le valid_cap_simps')
|
|
|
|
apply (clarsimp dest!:ct_active_runnable')
|
|
|
|
apply (simp add:ct_in_state'_def)
|
2015-09-02 05:43:39 +00:00
|
|
|
apply (erule pred_tcb'_weakenE)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (case_tac st,simp+)
|
|
|
|
apply (clarsimp simp: sysargs_rel_to_n word_le_nat_alt mask_def
|
|
|
|
linorder_not_less linorder_not_le valid_cap_simps')
|
|
|
|
apply (clarsimp dest!:ct_active_runnable')
|
|
|
|
apply (simp add:ct_in_state'_def)
|
2015-09-02 05:43:39 +00:00
|
|
|
apply (erule pred_tcb'_weakenE)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (case_tac st,simp+)
|
|
|
|
apply (clarsimp simp: sysargs_rel_to_n word_le_nat_alt mask_def
|
|
|
|
linorder_not_less linorder_not_le valid_cap_simps')
|
|
|
|
apply (clarsimp dest!:ct_active_runnable')
|
|
|
|
apply (simp add:ct_in_state'_def)
|
2015-09-02 05:43:39 +00:00
|
|
|
apply (erule pred_tcb'_weakenE)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (case_tac st,simp+)
|
|
|
|
apply (frule cap_get_tag_isCap_unfolded_H_cap(15))
|
|
|
|
apply (clarsimp simp: cap_lift_page_directory_cap hd_conv_nth
|
2016-09-21 00:33:03 +00:00
|
|
|
cap_lift_page_table_cap typ_heap_simps'
|
2014-07-14 19:32:44 +00:00
|
|
|
cap_to_H_def cap_page_directory_cap_lift_def
|
|
|
|
to_bool_def cap_page_table_cap_lift_def
|
|
|
|
typ_heap_simps' shiftl_t2n[where n=2] field_simps
|
|
|
|
elim!: ccap_relationE)
|
|
|
|
apply (intro conjI impI allI)
|
|
|
|
apply (clarsimp simp:ThreadState_Restart_def less_mask_eq rf_sr_ksCurThread
|
|
|
|
resolve_ret_rel_def framesize_from_to_H framesize_from_H_mask2
|
2016-09-21 00:33:03 +00:00
|
|
|
to_option_def rel_option_alt_def to_bool_def typ_heap_simps'
|
2014-07-14 19:32:44 +00:00
|
|
|
split:option.splits if_splits
|
|
|
|
| fastforce simp: mask_def
|
2016-01-21 23:34:54 +00:00
|
|
|
| rule flushtype_relation_triv,simp add:isPageFlush_def isPDFlushLabel_def
|
2014-07-14 19:32:44 +00:00
|
|
|
| rule word_of_nat_less,simp add: pbfs_less)+
|
|
|
|
apply (frule cap_get_tag_isCap_unfolded_H_cap(15))
|
|
|
|
apply (clarsimp simp: cap_lift_page_directory_cap hd_conv_nth
|
|
|
|
cap_lift_page_table_cap
|
|
|
|
cap_to_H_def cap_page_directory_cap_lift_def
|
|
|
|
to_bool_def cap_page_table_cap_lift_def
|
|
|
|
typ_heap_simps' shiftl_t2n[where n=2] field_simps
|
|
|
|
elim!: ccap_relationE)
|
|
|
|
apply (intro conjI impI allI)
|
|
|
|
apply (clarsimp simp:ThreadState_Restart_def less_mask_eq rf_sr_ksCurThread
|
|
|
|
resolve_ret_rel_def framesize_from_to_H framesize_from_H_mask2
|
2014-09-10 07:26:44 +00:00
|
|
|
to_option_def rel_option_alt_def to_bool_def
|
2016-09-21 00:33:03 +00:00
|
|
|
typ_heap_simps'
|
2014-07-14 19:32:44 +00:00
|
|
|
split:option.splits if_splits
|
|
|
|
| fastforce simp: mask_def
|
2016-01-21 23:34:54 +00:00
|
|
|
| rule flushtype_relation_triv,simp add:isPageFlush_def isPDFlushLabel_def
|
2014-07-14 19:32:44 +00:00
|
|
|
| rule word_of_nat_less,simp add: pbfs_less)+
|
|
|
|
apply (frule cap_get_tag_isCap_unfolded_H_cap(15))
|
|
|
|
apply (clarsimp simp: cap_lift_page_directory_cap hd_conv_nth
|
|
|
|
cap_lift_page_table_cap
|
|
|
|
cap_to_H_def cap_page_directory_cap_lift_def
|
|
|
|
to_bool_def cap_page_table_cap_lift_def
|
|
|
|
typ_heap_simps' shiftl_t2n[where n=2] field_simps
|
|
|
|
elim!: ccap_relationE)
|
|
|
|
apply (intro conjI impI allI)
|
|
|
|
apply (clarsimp simp:ThreadState_Restart_def less_mask_eq rf_sr_ksCurThread
|
|
|
|
resolve_ret_rel_def framesize_from_to_H framesize_from_H_mask2
|
2014-09-10 07:26:44 +00:00
|
|
|
to_option_def rel_option_alt_def to_bool_def
|
2016-09-21 00:33:03 +00:00
|
|
|
typ_heap_simps'
|
2014-07-14 19:32:44 +00:00
|
|
|
split:option.splits if_splits
|
|
|
|
| fastforce simp: mask_def
|
2016-01-21 23:34:54 +00:00
|
|
|
| rule flushtype_relation_triv,simp add:isPageFlush_def isPDFlushLabel_def
|
2016-07-04 07:35:42 +00:00
|
|
|
| rule word_of_nat_less,simp add: pbfs_less)+ (* slow 20 secs *)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (frule cap_get_tag_isCap_unfolded_H_cap(15))
|
|
|
|
apply (clarsimp simp: cap_lift_page_directory_cap hd_conv_nth
|
|
|
|
cap_lift_page_table_cap
|
|
|
|
cap_to_H_def cap_page_directory_cap_lift_def
|
|
|
|
to_bool_def cap_page_table_cap_lift_def
|
|
|
|
typ_heap_simps' shiftl_t2n[where n=2] field_simps
|
|
|
|
elim!: ccap_relationE)
|
|
|
|
apply (intro conjI impI allI)
|
2016-01-21 23:34:54 +00:00
|
|
|
by (clarsimp simp:ThreadState_Restart_def less_mask_eq rf_sr_ksCurThread
|
2014-07-14 19:32:44 +00:00
|
|
|
resolve_ret_rel_def framesize_from_to_H framesize_from_H_mask2
|
2014-09-10 07:26:44 +00:00
|
|
|
to_option_def rel_option_alt_def to_bool_def
|
2016-09-21 00:33:03 +00:00
|
|
|
typ_heap_simps'
|
2014-07-14 19:32:44 +00:00
|
|
|
split:option.splits if_splits
|
|
|
|
| fastforce simp: mask_def
|
2016-01-21 23:34:54 +00:00
|
|
|
| rule flushtype_relation_triv,simp add:isPageFlush_def isPDFlushLabel_def
|
2014-07-14 19:32:44 +00:00
|
|
|
| rule word_of_nat_less,simp add: pbfs_less)+
|
|
|
|
|
|
|
|
lemma Arch_decodeInvocation_ccorres:
|
|
|
|
"interpret_excaps extraCaps' = excaps_map extraCaps
|
|
|
|
\<Longrightarrow>
|
|
|
|
ccorres (intr_and_se_rel \<currency> dc) (liftxf errstate id (K ()) ret__unsigned_long_')
|
|
|
|
(invs' and (\<lambda>s. ksCurThread s = thread) and ct_active' and sch_act_simple
|
|
|
|
and (excaps_in_mem extraCaps \<circ> ctes_of)
|
2019-11-08 06:32:01 +00:00
|
|
|
and cte_wp_at' ((=) (ArchObjectCap cp) \<circ> cteCap) slot
|
2014-07-14 19:32:44 +00:00
|
|
|
and (\<lambda>s. \<forall>v \<in> set extraCaps. ex_cte_cap_wp_to' isCNodeCap (snd v) s)
|
|
|
|
and sysargs_rel args buffer and valid_objs')
|
2016-01-08 07:43:33 +00:00
|
|
|
(UNIV \<inter> {s. invLabel_' s = label}
|
|
|
|
\<inter> {s. unat (length___unsigned_long_' s) = length args}
|
2014-07-14 19:32:44 +00:00
|
|
|
\<inter> {s. slot_' s = cte_Ptr slot}
|
crefine: remove large structs passed by value
The RISC-V calling convention specifies that when a C function takes an
argument by value, the binary function should take the argument by
reference, if the value is larger than 2 pointer words.
For binary verification, we avoid implementing this aspect of the RISC-V
calling convention, by eliminating all such function arguments for
functions which are not inlined. This commit includes the proof updates
corresponding to the kernel source update, which is in the seL4
repository.
This includes arguments of types `slot_range_t` and `extra_caps_t`.
`slot_range_t` is only used in two functions, so for those cases, we
unpack the arguments, and remove the type altogether.
`extra_caps_t` is used extensively in invocation decoding, and also in
inter-process communication. Since extra caps are already stored in a
global variable `current_extra_caps`, we remove the function argument,
and use the global variable instead. However, this adds significant
difficulty to the proofs, because the variable lifting performed by
`cinit` worked for the function argument, but not for the global
variable. We have therefore recently improved the `cinit` automation to
support this change to the kernel.
Even though this change was for the benefit of RISC-V binary
verification, we update all architectures for consistency.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
2020-06-12 07:44:30 +00:00
|
|
|
\<inter> {s. current_extra_caps_' (globals s) = extraCaps'}
|
2014-07-14 19:32:44 +00:00
|
|
|
\<inter> {s. ccap_relation (ArchObjectCap cp) (cap_' s)}
|
|
|
|
\<inter> {s. buffer_' s = option_to_ptr buffer}) []
|
2016-05-02 09:35:37 +00:00
|
|
|
(Arch.decodeInvocation label args cptr slot cp extraCaps
|
2014-07-14 19:32:44 +00:00
|
|
|
>>= invocationCatch thread isBlocking isCall InvokeArchObject)
|
|
|
|
(Call Arch_decodeInvocation_'proc)"
|
|
|
|
(is "?F \<Longrightarrow> ccorres ?r ?xf ?P (?P' slot_') [] ?a ?c")
|
crefine: remove large structs passed by value
The RISC-V calling convention specifies that when a C function takes an
argument by value, the binary function should take the argument by
reference, if the value is larger than 2 pointer words.
For binary verification, we avoid implementing this aspect of the RISC-V
calling convention, by eliminating all such function arguments for
functions which are not inlined. This commit includes the proof updates
corresponding to the kernel source update, which is in the seL4
repository.
This includes arguments of types `slot_range_t` and `extra_caps_t`.
`slot_range_t` is only used in two functions, so for those cases, we
unpack the arguments, and remove the type altogether.
`extra_caps_t` is used extensively in invocation decoding, and also in
inter-process communication. Since extra caps are already stored in a
global variable `current_extra_caps`, we remove the function argument,
and use the global variable instead. However, this adds significant
difficulty to the proofs, because the variable lifting performed by
`cinit` worked for the function argument, but not for the global
variable. We have therefore recently improved the `cinit` automation to
support this change to the kernel.
Even though this change was for the benefit of RISC-V binary
verification, we update all architectures for consistency.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
2020-06-12 07:44:30 +00:00
|
|
|
supply if_cong[cong]
|
2014-07-14 19:32:44 +00:00
|
|
|
apply cinit'
|
|
|
|
apply (rule ccorres_trim_returnE, simp+)
|
|
|
|
apply (rule ccorres_call[where xf''="?xf" and A="?P" and C'="?P' cte_'"])
|
|
|
|
defer
|
|
|
|
apply (simp+)[4]
|
2016-01-08 07:43:33 +00:00
|
|
|
apply (cinit' lift: invLabel_' length___unsigned_long_' cte_'
|
crefine: remove large structs passed by value
The RISC-V calling convention specifies that when a C function takes an
argument by value, the binary function should take the argument by
reference, if the value is larger than 2 pointer words.
For binary verification, we avoid implementing this aspect of the RISC-V
calling convention, by eliminating all such function arguments for
functions which are not inlined. This commit includes the proof updates
corresponding to the kernel source update, which is in the seL4
repository.
This includes arguments of types `slot_range_t` and `extra_caps_t`.
`slot_range_t` is only used in two functions, so for those cases, we
unpack the arguments, and remove the type altogether.
`extra_caps_t` is used extensively in invocation decoding, and also in
inter-process communication. Since extra caps are already stored in a
global variable `current_extra_caps`, we remove the function argument,
and use the global variable instead. However, this adds significant
difficulty to the proofs, because the variable lifting performed by
`cinit` worked for the function argument, but not for the global
variable. We have therefore recently improved the `cinit` automation to
support this change to the kernel.
Even though this change was for the benefit of RISC-V binary
verification, we update all architectures for consistency.
Signed-off-by: Matthew Brecknell <Matthew.Brecknell@data61.csiro.au>
2020-06-12 07:44:30 +00:00
|
|
|
current_extra_caps_' cap_' buffer_')
|
2014-07-14 19:32:44 +00:00
|
|
|
apply csymbr
|
|
|
|
apply (simp add: cap_get_tag_isCap_ArchObject
|
2016-05-01 03:35:49 +00:00
|
|
|
ARM_H.decodeInvocation_def
|
2014-07-14 19:32:44 +00:00
|
|
|
invocation_eq_use_types
|
|
|
|
del: Collect_const
|
|
|
|
cong: StateSpace.state.fold_congs globals.fold_congs)
|
|
|
|
apply (rule ccorres_Cond_rhs)
|
|
|
|
apply (rule ccorres_trim_returnE,simp+)
|
|
|
|
apply (rule ccorres_call,
|
|
|
|
rule decodeARMPageDirectoryInvocation_ccorres,
|
|
|
|
simp+)[1]
|
|
|
|
apply (rule ccorres_Cond_rhs)
|
|
|
|
apply (rule ccorres_trim_returnE, simp+)
|
|
|
|
apply (rule ccorres_call,
|
|
|
|
rule decodeARMPageTableInvocation_ccorres, simp+)[1]
|
|
|
|
apply (rule ccorres_Cond_rhs)
|
|
|
|
apply (rule ccorres_trim_returnE, simp+)
|
|
|
|
apply (simp add: conj_disj_distribL[symmetric])
|
|
|
|
apply (rule ccorres_call,
|
|
|
|
rule decodeARMFrameInvocation_ccorres, simp+)[1]
|
|
|
|
apply (rule ccorres_Cond_rhs)
|
|
|
|
apply (simp add: imp_conjR[symmetric] decodeARMMMUInvocation_def
|
|
|
|
del: Collect_const)
|
|
|
|
apply (rule ccorres_rhs_assoc)+
|
|
|
|
apply csymbr+
|
|
|
|
apply (rule ccorres_Cond_rhs_Seq)
|
|
|
|
apply (rule ccorres_equals_throwError)
|
|
|
|
apply (fastforce simp: throwError_bind invocationCatch_def
|
2016-01-21 23:34:54 +00:00
|
|
|
split: invocation_label.split arch_invocation_label.split)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule syscall_error_throwError_ccorres_n)
|
|
|
|
apply (simp add: syscall_error_to_H_cases)
|
|
|
|
apply (simp add: word_less_nat_alt list_case_If2 split_def
|
|
|
|
del: Collect_const)
|
|
|
|
apply csymbr
|
|
|
|
apply (rule ccorres_Cond_rhs_Seq)
|
|
|
|
apply (simp add: if_1_0_0)
|
|
|
|
apply (rule ccorres_cond_true_seq | simp)+
|
|
|
|
apply (simp add: throwError_bind invocationCatch_def)
|
|
|
|
apply (rule syscall_error_throwError_ccorres_n)
|
|
|
|
apply (simp add: syscall_error_to_H_cases)
|
|
|
|
apply (simp add: if_1_0_0 interpret_excaps_test_null
|
|
|
|
excaps_map_def
|
|
|
|
del: Collect_const)
|
|
|
|
apply csymbr
|
|
|
|
apply (rule ccorres_Cond_rhs_Seq)
|
|
|
|
apply (simp add: if_1_0_0 | rule ccorres_cond_true_seq)+
|
|
|
|
apply (simp add: throwError_bind invocationCatch_def)
|
|
|
|
apply (rule syscall_error_throwError_ccorres_n)
|
|
|
|
apply (simp add: syscall_error_to_H_cases)
|
|
|
|
apply csymbr
|
|
|
|
apply (simp add: if_1_0_0 interpret_excaps_test_null[OF Suc_leI]
|
|
|
|
del: Collect_const)
|
|
|
|
apply (rule ccorres_Cond_rhs_Seq)
|
|
|
|
apply (simp add: length_ineq_not_Nil throwError_bind
|
|
|
|
invocationCatch_def)
|
|
|
|
apply (rule syscall_error_throwError_ccorres_n)
|
|
|
|
apply (simp add: syscall_error_to_H_cases)
|
|
|
|
apply (subgoal_tac "1 < List.length extraCaps")
|
|
|
|
prefer 2
|
|
|
|
apply (rule neq_le_trans, simp)
|
|
|
|
apply (simp add: Suc_leI)
|
|
|
|
apply (simp add: Let_def split_def liftE_bindE bind_assoc
|
|
|
|
length_ineq_not_Nil
|
|
|
|
del: Collect_const)
|
|
|
|
apply (rule ccorres_add_return)
|
|
|
|
apply (ctac add: getSyscallArg_ccorres_foo[where args=args and n=0 and buffer=buffer])
|
|
|
|
apply (rule ccorres_add_return)
|
|
|
|
apply (ctac add: getSyscallArg_ccorres_foo[where args=args and n=1 and buffer=buffer])
|
|
|
|
apply csymbr
|
|
|
|
apply (rule ccorres_add_return,
|
|
|
|
rule_tac xf'=untyped_' and r'="(\<lambda>rv _ un.
|
|
|
|
(cap_get_tag un = scast cap_untyped_cap) = isUntypedCap rv
|
|
|
|
\<and> (isUntypedCap rv \<longrightarrow> ccap_relation rv un))
|
|
|
|
(fst (extraCaps ! 0))" in ccorres_split_nothrow)
|
|
|
|
apply (rule_tac P="excaps_in_mem extraCaps \<circ> ctes_of"
|
|
|
|
in ccorres_from_vcg[where P'=UNIV])
|
|
|
|
apply (rule allI, rule conseqPre, vcg)
|
|
|
|
apply (frule length_ineq_not_Nil[where xs=extraCaps])
|
|
|
|
apply (clarsimp simp: return_def neq_Nil_conv excaps_in_mem_def
|
|
|
|
slotcap_in_mem_def)
|
|
|
|
apply (drule interpret_excaps_eq[rule_format, where n=0], simp)
|
|
|
|
apply (simp add: mask_def[where n=4])
|
|
|
|
apply (erule(1) cmap_relationE1[OF cmap_relation_cte])
|
|
|
|
apply (rule conjI, fastforce intro: typ_heap_simps)
|
|
|
|
apply (drule ccte_relation_ccap_relation)
|
|
|
|
apply (simp add: typ_heap_simps cap_get_tag_isCap)
|
|
|
|
apply ceqv
|
|
|
|
apply (rename_tac untyped')
|
|
|
|
apply (rule getSlotCap_ccorres_fudge_n[where vals=extraCaps and n=1])
|
|
|
|
apply (rule ccorres_move_c_guard_cte)
|
|
|
|
apply ctac
|
|
|
|
apply (rule ccorres_assert2)
|
|
|
|
apply (rule ccorres_pre_gets_armKSASIDTable_ksArchState)
|
|
|
|
apply (rename_tac "armKSASIDTab")
|
|
|
|
apply (rule ccorres_rhs_assoc2, rule ccorres_rhs_assoc2,
|
|
|
|
rule ccorres_rhs_assoc2)
|
|
|
|
apply (rule ccorres_add_return)
|
|
|
|
apply (rule_tac r'="\<lambda>rv rv'. rv' = (case [p \<leftarrow> assocs armKSASIDTab.
|
|
|
|
fst p < 2 ^ asid_high_bits \<and> snd p = None]
|
|
|
|
of [] \<Rightarrow> 2 ^ asid_high_bits | x # xs \<Rightarrow> fst x)"
|
|
|
|
and xf'=i_' in ccorres_split_nothrow)
|
|
|
|
apply (rule_tac P="\<forall>x \<in> ran armKSASIDTab. x \<noteq> 0"
|
|
|
|
in ccorres_gen_asm)
|
|
|
|
apply (rule_tac P="\<lambda>s. armKSASIDTab = armKSASIDTable (ksArchState s)"
|
|
|
|
in ccorres_from_vcg[where P'=UNIV])
|
|
|
|
apply (clarsimp simp: return_def)
|
|
|
|
apply (rule HoarePartial.SeqSwap)
|
2017-07-12 05:13:51 +00:00
|
|
|
apply (rule_tac I="{t. (\<sigma>, t) \<in> rf_sr \<and> i_' t \<le> 2 ^ asid_high_bits
|
2014-07-14 19:32:44 +00:00
|
|
|
\<and> armKSASIDTab = armKSASIDTable (ksArchState \<sigma>)
|
|
|
|
\<and> (\<forall>x < i_' t. armKSASIDTab x \<noteq> None)
|
|
|
|
\<and> ret__int_' t = from_bool (i_' t < 2 ^ asid_high_bits
|
|
|
|
\<and> armKSASIDTab (i_' t) \<noteq> None)}"
|
|
|
|
in HoarePartial.reannotateWhileNoGuard)
|
|
|
|
apply (rule HoarePartial.While[OF order_refl])
|
|
|
|
apply (rule conseqPre, vcg)
|
|
|
|
apply (clarsimp simp: asidHighBits_handy_convs
|
|
|
|
word_sle_def word_sless_def
|
|
|
|
if_1_0_0 word_less_nat_alt[symmetric]
|
|
|
|
from_bool_0)
|
2015-05-17 23:11:43 +00:00
|
|
|
apply (cut_tac P="\<lambda>y. y < i_' x + 1 = rhs y" for rhs in allI,
|
2014-07-14 19:32:44 +00:00
|
|
|
rule less_x_plus_1)
|
2020-06-05 09:04:50 +00:00
|
|
|
apply (clarsimp simp: asid_high_bits_def)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (clarsimp simp: rf_sr_armKSASIDTable from_bool_def
|
|
|
|
asid_high_bits_word_bits
|
|
|
|
option_to_ptr_def option_to_0_def
|
|
|
|
order_less_imp_le
|
|
|
|
linorder_not_less
|
|
|
|
order_antisym[OF inc_le])
|
|
|
|
apply (clarsimp simp: true_def false_def
|
2016-10-25 06:01:30 +00:00
|
|
|
split: option.split if_split)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (simp add: asid_high_bits_def word_le_nat_alt
|
|
|
|
word_less_nat_alt unat_add_lem[THEN iffD1])
|
|
|
|
apply auto[1]
|
|
|
|
apply (clarsimp simp: from_bool_0)
|
|
|
|
apply (case_tac "i_' x = 2 ^ asid_high_bits")
|
|
|
|
apply (clarsimp split: list.split)
|
|
|
|
apply (drule_tac f="\<lambda>xs. (a, b) \<in> set xs" in arg_cong)
|
|
|
|
apply (clarsimp simp: in_assocs_is_fun)
|
|
|
|
apply fastforce
|
|
|
|
apply (frule(1) neq_le_trans)
|
|
|
|
apply (subst filter_assocs_Cons)
|
|
|
|
apply fastforce
|
|
|
|
apply simp
|
|
|
|
apply simp
|
|
|
|
apply (rule conseqPre, vcg)
|
|
|
|
apply (clarsimp simp: asidHighBits_handy_convs word_sle_def
|
|
|
|
word_sless_def if_1_0_0 from_bool_0
|
|
|
|
rf_sr_armKSASIDTable[where n=0, simplified])
|
|
|
|
apply (simp add: asid_high_bits_def option_to_ptr_def option_to_0_def
|
|
|
|
from_bool_def
|
2016-10-25 06:01:30 +00:00
|
|
|
split: option.split if_split)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply fastforce
|
|
|
|
apply ceqv
|
|
|
|
apply (rule ccorres_Guard_Seq)+
|
|
|
|
apply (simp add: whenE_bindE_throwError_to_if if_to_top_of_bind
|
|
|
|
del: Collect_const)
|
2017-06-29 09:53:53 +00:00
|
|
|
apply (simp add: conj_commute[of "\<not> capIsDevice _"])
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule_tac Q=\<top> and Q'=\<top> in ccorres_if_cond_throws[rotated -1])
|
|
|
|
apply clarsimp
|
|
|
|
apply (rule conseqPre, vcg, rule subset_refl)
|
|
|
|
apply (clarsimp simp: asid_high_bits_word_bits asidHighBits_handy_convs null_def)
|
|
|
|
apply (clarsimp split: list.split)
|
|
|
|
apply (clarsimp dest!: filter_eq_ConsD)
|
|
|
|
apply (simp add: throwError_bind invocationCatch_def)
|
|
|
|
apply (rule syscall_error_throwError_ccorres_n)
|
|
|
|
apply (simp add: syscall_error_to_H_cases)
|
|
|
|
apply (rule ccorres_Guard_Seq)+
|
|
|
|
apply (simp add: invocationCatch_use_injection_handler
|
|
|
|
injection_bindE[OF refl refl] injection_handler_If
|
|
|
|
injection_handler_returnOk bindE_assoc
|
|
|
|
injection_handler_throwError
|
|
|
|
cong: if_cong del: Collect_const)
|
|
|
|
apply csymbr
|
|
|
|
apply csymbr
|
|
|
|
apply csymbr
|
2016-07-04 07:35:42 +00:00
|
|
|
apply (rule ccorres_symb_exec_r)
|
|
|
|
apply (rule_tac xf'=ret__int_' in ccorres_abstract, ceqv)
|
|
|
|
apply (rule_tac P = "rv'a = from_bool (\<not>( isUntypedCap (fst (hd extraCaps)) \<and>
|
|
|
|
capBlockSize (fst (hd extraCaps)) = objBits (makeObject ::asidpool)
|
|
|
|
))" in ccorres_gen_asm2)
|
|
|
|
apply (rule ccorres_symb_exec_r)
|
|
|
|
apply (rule_tac xf'=ret__int_' in ccorres_abstract, ceqv)
|
|
|
|
apply (rule_tac P = "rv'b = from_bool (\<not>( isUntypedCap (fst (hd extraCaps)) \<and>
|
|
|
|
capBlockSize (fst (hd extraCaps)) = objBits (makeObject ::asidpool)
|
|
|
|
\<and> \<not> capIsDevice (fst (hd extraCaps))))"
|
|
|
|
in ccorres_gen_asm2)
|
2018-11-13 09:19:41 +00:00
|
|
|
apply (clarsimp simp: cond_throw_whenE bindE_assoc)
|
2016-07-04 07:35:42 +00:00
|
|
|
apply (rule ccorres_split_when_throwError_cond[where Q = \<top> and Q' = \<top>])
|
|
|
|
apply clarsimp
|
|
|
|
apply (rule syscall_error_throwError_ccorres_n)
|
|
|
|
apply (clarsimp simp: syscall_error_rel_def shiftL_nat syscall_error_to_H_cases)
|
|
|
|
prefer 2
|
|
|
|
apply vcg
|
|
|
|
apply clarsimp
|
|
|
|
apply (ctac add: ccorres_injection_handler_csum1
|
2014-07-14 19:32:44 +00:00
|
|
|
[OF ensureNoChildren_ccorres])
|
2016-07-04 07:35:42 +00:00
|
|
|
apply (clarsimp simp add: Collect_False del: Collect_const)
|
|
|
|
apply csymbr
|
|
|
|
apply csymbr
|
|
|
|
apply (ctac add: ccorres_injection_handler_csum1
|
2014-07-14 19:32:44 +00:00
|
|
|
[OF lookupTargetSlot_ccorres,
|
|
|
|
unfolded lookupTargetSlot_def])
|
2016-07-04 07:35:42 +00:00
|
|
|
apply (simp add: Collect_False split_def del: Collect_const)
|
|
|
|
apply csymbr
|
|
|
|
apply (ctac add: ccorres_injection_handler_csum1
|
2014-07-14 19:32:44 +00:00
|
|
|
[OF ensureEmptySlot_ccorres])
|
2016-07-04 07:35:42 +00:00
|
|
|
apply (simp add: ccorres_invocationCatch_Inr
|
|
|
|
performInvocation_def
|
2016-09-22 09:12:33 +00:00
|
|
|
ARM_H.performInvocation_def
|
2016-07-04 07:35:42 +00:00
|
|
|
performARMMMUInvocation_def)
|
|
|
|
apply (simp add: liftE_bindE)
|
|
|
|
apply (ctac add: setThreadState_ccorres)
|
|
|
|
apply (simp only: liftE_bindE[symmetric])
|
|
|
|
apply (ctac(no_vcg) add: performASIDControlInvocation_ccorres
|
|
|
|
[where idx = "capFreeIndex (fst (extraCaps ! 0))"])
|
|
|
|
apply (rule ccorres_alternative2)
|
|
|
|
apply (rule ccorres_return_CE, simp+)[1]
|
|
|
|
apply (rule ccorres_inst[where P=\<top> and P'=UNIV], simp)
|
|
|
|
apply wp
|
|
|
|
apply (wp sts_invs_minor' sts_Restart_ct_active)
|
2017-07-12 05:13:51 +00:00
|
|
|
apply simp
|
2016-07-04 07:35:42 +00:00
|
|
|
apply (vcg exspec=setThreadState_modifies)
|
|
|
|
apply simp
|
|
|
|
apply (rule ccorres_split_throws)
|
|
|
|
apply (rule ccorres_return_C_errorE, simp+)
|
|
|
|
apply vcg
|
|
|
|
apply simp
|
|
|
|
apply (wp injection_wp[OF refl])
|
|
|
|
apply (simp add: all_ex_eq_helper)
|
|
|
|
apply (vcg exspec=ensureEmptySlot_modifies)
|
|
|
|
apply simp
|
|
|
|
apply (rule ccorres_split_throws)
|
|
|
|
apply (rule ccorres_return_C_errorE, simp+)
|
|
|
|
apply vcg
|
2018-03-14 00:48:48 +00:00
|
|
|
apply (wp injection_wp[OF refl] hoare_drop_imps)
|
2016-07-04 07:35:42 +00:00
|
|
|
apply (simp add: split_def all_ex_eq_helper)
|
|
|
|
apply (vcg exspec=lookupTargetSlot_modifies)
|
|
|
|
apply simp
|
|
|
|
apply (rule ccorres_split_throws)
|
|
|
|
apply (rule ccorres_return_C_errorE, simp+)
|
|
|
|
apply vcg
|
2014-07-14 19:32:44 +00:00
|
|
|
apply simp
|
2016-07-04 07:35:42 +00:00
|
|
|
apply (wp injection_wp[OF refl] ensureNoChildren_wp)
|
|
|
|
apply (simp add: all_ex_eq_helper cap_get_tag_isCap)
|
|
|
|
apply (vcg exspec=ensureNoChildren_modifies)
|
|
|
|
apply simp
|
|
|
|
apply clarsimp
|
|
|
|
apply vcg
|
|
|
|
apply clarsimp
|
|
|
|
apply (rule conseqPre,vcg,clarsimp)
|
|
|
|
apply clarsimp
|
|
|
|
apply vcg
|
|
|
|
apply clarsimp
|
|
|
|
apply (rule conseqPre,vcg,clarsimp)
|
2017-07-12 05:13:51 +00:00
|
|
|
apply (clarsimp split: list.splits
|
2016-09-22 02:05:17 +00:00
|
|
|
simp: Kernel_C.asidHighBits_def asid_high_bits_def word_0_sle_from_less)
|
2016-07-04 07:35:42 +00:00
|
|
|
apply (frule interpret_excaps_eq[rule_format, where n=0],fastforce)
|
|
|
|
apply (simp add: interpret_excaps_test_null excaps_map_def
|
2016-09-22 02:05:17 +00:00
|
|
|
list_case_If2 split_def
|
|
|
|
del: Collect_const)
|
2016-07-04 07:35:42 +00:00
|
|
|
apply (simp add: if_1_0_0 from_bool_0 hd_conv_nth length_ineq_not_Nil
|
2017-01-13 12:58:40 +00:00
|
|
|
del: Collect_const)
|
2016-07-04 07:35:42 +00:00
|
|
|
apply (clarsimp simp: eq_Nil_null[symmetric] asid_high_bits_word_bits hd_conv_nth
|
|
|
|
ThreadState_Restart_def mask_def)
|
2017-01-13 12:58:40 +00:00
|
|
|
apply wp+
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (simp add: cap_get_tag_isCap)
|
|
|
|
apply (rule HoarePartial.SeqSwap)
|
2015-05-17 23:11:43 +00:00
|
|
|
apply (rule_tac I="\<lbrace>Prop \<acute>ksCurThread \<acute>root\<rbrace>"
|
|
|
|
and Q="\<lbrace>Bonus \<acute>i \<longrightarrow> Prop \<acute>ksCurThread \<acute>root\<rbrace>"
|
|
|
|
for Prop Bonus in HoarePartial.reannotateWhileNoGuard)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule HoarePartial.While[OF order_refl])
|
|
|
|
apply (rule conseqPre, vcg)
|
|
|
|
apply clarify
|
|
|
|
apply (rule conjI)
|
|
|
|
apply clarify
|
|
|
|
apply (simp (no_asm))
|
|
|
|
apply clarify
|
|
|
|
apply clarsimp
|
|
|
|
apply vcg
|
|
|
|
apply simp
|
|
|
|
apply (rule hoare_drop_imps)
|
|
|
|
apply wp
|
|
|
|
apply simp
|
|
|
|
apply vcg
|
|
|
|
apply simp
|
|
|
|
apply wp
|
|
|
|
apply vcg
|
|
|
|
apply wp
|
|
|
|
apply simp
|
|
|
|
apply (vcg exspec=getSyscallArg_modifies)
|
|
|
|
apply simp
|
|
|
|
apply wp
|
|
|
|
apply simp
|
|
|
|
apply (vcg exspec=getSyscallArg_modifies)
|
2018-06-09 08:27:30 +00:00
|
|
|
apply (rule ccorres_Cond_rhs) \<comment> \<open>ASIDPoolCap case\<close>
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (simp add: imp_conjR[symmetric] decodeARMMMUInvocation_def
|
|
|
|
del: Collect_const)
|
|
|
|
apply (rule ccorres_rhs_assoc)+
|
|
|
|
apply csymbr+
|
|
|
|
apply (rule ccorres_Cond_rhs_Seq)
|
|
|
|
apply (rule ccorres_equals_throwError)
|
|
|
|
apply (fastforce simp: throwError_bind invocationCatch_def
|
2016-09-22 02:05:17 +00:00
|
|
|
split: invocation_label.split arch_invocation_label.split)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule syscall_error_throwError_ccorres_n)
|
|
|
|
apply (simp add: syscall_error_to_H_cases)
|
|
|
|
apply (simp add: interpret_excaps_test_null excaps_map_def
|
|
|
|
list_case_If2 split_def
|
|
|
|
del: Collect_const)
|
|
|
|
apply (rule ccorres_Cond_rhs_Seq)
|
|
|
|
apply (simp add: throwError_bind invocationCatch_def)
|
|
|
|
apply (rule syscall_error_throwError_ccorres_n)
|
|
|
|
apply (simp add: syscall_error_to_H_cases)
|
|
|
|
apply (simp add: Let_def split_def del: Collect_const)
|
|
|
|
apply csymbr
|
|
|
|
apply (rule ccorres_add_return)
|
|
|
|
apply (rule_tac r'="(\<lambda>rv _ rv'. ((cap_get_tag rv' = scast cap_page_directory_cap)
|
|
|
|
= (isArchObjectCap rv \<and> isPageDirectoryCap (capCap rv)))
|
|
|
|
\<and> (cap_get_tag rv' = scast cap_page_directory_cap \<longrightarrow> ccap_relation rv rv'))
|
|
|
|
(fst (extraCaps ! 0))"
|
|
|
|
and xf'=pdCap_' in ccorres_split_nothrow[where F=UNIV])
|
|
|
|
apply (rule_tac P="excaps_in_mem extraCaps \<circ> ctes_of"
|
|
|
|
in ccorres_from_vcg[where P'=UNIV])
|
|
|
|
apply (rule allI, rule conseqPre, vcg)
|
|
|
|
apply (clarsimp simp: return_def neq_Nil_conv excaps_in_mem_def)
|
|
|
|
apply (frule interpret_excaps_eq[rule_format, where n=0], simp)
|
|
|
|
apply (frule(1) slotcap_in_mem_PageDirectory)
|
|
|
|
apply (clarsimp simp: typ_heap_simps' mask_def[where n=4])
|
|
|
|
apply ceqv
|
|
|
|
apply csymbr
|
|
|
|
apply csymbr
|
|
|
|
apply (simp add: cap_get_tag_isCap_ArchObject2 if_1_0_0
|
|
|
|
cap_case_PageDirectoryCap2
|
|
|
|
del: Collect_const)
|
|
|
|
apply (rule ccorres_Cond_rhs_Seq)
|
|
|
|
apply (simp add: hd_conv_nth cong: conj_cong)
|
|
|
|
apply (simp add: throwError_bind invocationCatch_def)
|
|
|
|
apply (rule ccorres_cond_true_seq)
|
|
|
|
apply (rule ccorres_split_throws)
|
|
|
|
apply (rule syscall_error_throwError_ccorres_n)
|
|
|
|
apply (simp add: syscall_error_to_H_cases)
|
|
|
|
apply vcg
|
|
|
|
apply (simp del: Collect_const)
|
|
|
|
apply (rule ccorres_rhs_assoc)+
|
|
|
|
apply csymbr
|
|
|
|
apply csymbr
|
|
|
|
apply (simp add: if_1_0_0 hd_conv_nth del: Collect_const)
|
|
|
|
apply wpc
|
|
|
|
apply (rule ccorres_cond_false_seq)
|
|
|
|
apply (simp add: liftME_def bindE_assoc del: Collect_const)
|
|
|
|
apply (simp add: liftE_bindE bind_assoc del: Collect_const)
|
|
|
|
apply (rule ccorres_pre_gets_armKSASIDTable_ksArchState[unfolded o_def])
|
|
|
|
apply csymbr
|
|
|
|
apply (rule ccorres_Guard_Seq)+
|
|
|
|
apply (rule ccorres_add_return)
|
|
|
|
apply (rule_tac r'="\<lambda>_ rv'. rv' = option_to_ptr (x (ucast (asid_high_bits_of (capASIDBase cp))))
|
|
|
|
\<and> x (ucast (asid_high_bits_of (capASIDBase cp))) \<noteq> Some 0"
|
|
|
|
and xf'=pool_' in ccorres_split_nothrow)
|
|
|
|
apply (rule_tac P="\<lambda>s. x = armKSASIDTable (ksArchState s)
|
|
|
|
\<and> valid_arch_state' s \<and> s \<turnstile>' ArchObjectCap cp"
|
|
|
|
in ccorres_from_vcg[where P'=UNIV])
|
|
|
|
apply (rule allI, rule conseqPre, vcg)
|
|
|
|
apply (clarsimp simp: return_def valid_arch_state'_def
|
|
|
|
valid_asid_table'_def cap_get_tag_isCap_ArchObject[symmetric])
|
|
|
|
apply (erule_tac v=cap in ccap_relationE)
|
|
|
|
apply (clarsimp simp: cap_lift_asid_pool_cap cap_to_H_def valid_cap'_def
|
|
|
|
cap_asid_pool_cap_lift_def)
|
|
|
|
apply (subst rf_sr_armKSASIDTable, assumption)
|
|
|
|
apply (simp add: asid_high_bits_word_bits)
|
|
|
|
apply (rule shiftr_less_t2n)
|
|
|
|
apply (simp add: asid_low_bits_def asid_high_bits_def asid_bits_def)
|
|
|
|
apply (simp add: ucast_asid_high_bits_is_shift mask_def)
|
|
|
|
apply fastforce
|
|
|
|
apply ceqv
|
|
|
|
apply (simp add: whenE_bindE_throwError_to_if if_to_top_of_bind
|
|
|
|
cong: if_cong del: Collect_const)
|
|
|
|
apply (rule_tac Q=\<top> and Q'=\<top> in ccorres_if_cond_throws[rotated -1])
|
|
|
|
apply vcg
|
|
|
|
apply (simp add: option_to_0_def option_to_ptr_def split: option.split)
|
|
|
|
apply clarsimp
|
|
|
|
apply (simp add: throwError_bind invocationCatch_def)
|
|
|
|
apply (rule ccorres_from_vcg_throws[where P=\<top> and P'=UNIV])
|
|
|
|
apply (rule allI, rule conseqPre, vcg)
|
|
|
|
apply (clarsimp simp: throwError_def return_def
|
|
|
|
syscall_error_rel_def exception_defs
|
|
|
|
syscall_error_to_H_cases false_def)
|
|
|
|
apply (simp add: lookup_fault_lift_invalid_root)
|
|
|
|
apply csymbr
|
|
|
|
apply (rule_tac Q=\<top> and Q'=\<top> in ccorres_if_cond_throws[rotated -1])
|
|
|
|
apply vcg
|
|
|
|
apply (clarsimp simp: option_to_0_def option_to_ptr_def
|
|
|
|
cap_get_tag_isCap_ArchObject[symmetric]
|
|
|
|
elim!: ccap_relationE)
|
|
|
|
apply (simp add: cap_asid_pool_cap_lift cap_to_H_def)
|
|
|
|
apply (simp add: throwError_bind invocationCatch_def)
|
|
|
|
apply (rule syscall_error_throwError_ccorres_n)
|
|
|
|
apply (simp add: syscall_error_to_H_cases)
|
|
|
|
apply csymbr
|
2018-02-13 01:12:28 +00:00
|
|
|
apply csymbr
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule ccorres_rhs_assoc2, rule ccorres_rhs_assoc2,
|
|
|
|
rule ccorres_rhs_assoc2)
|
|
|
|
apply (simp add: bind_assoc del: Collect_const)
|
|
|
|
apply (rule_tac xf'=i_' and r'="\<lambda>rv rv'. rv' = (case [(x, y) \<leftarrow> assocs (inv ASIDPool rv).
|
|
|
|
x \<le> 2 ^ asid_low_bits - 1 \<and> x + capASIDBase cp \<noteq> 0
|
|
|
|
\<and> y = None] of [] \<Rightarrow> 2 ^ asid_low_bits
|
|
|
|
| x # xs \<Rightarrow> fst x)"
|
|
|
|
in ccorres_split_nothrow)
|
|
|
|
apply (rule ccorres_add_return2)
|
|
|
|
apply (rule ccorres_pre_getObject_asidpool)
|
|
|
|
apply (rule_tac P="\<forall>x \<in> ran (inv ASIDPool xa). x \<noteq> 0"
|
|
|
|
in ccorres_gen_asm)
|
|
|
|
apply (rule_tac P="ko_at' xa (capASIDPool cp)"
|
|
|
|
in ccorres_from_vcg[where P'=UNIV])
|
|
|
|
apply (clarsimp simp: option_to_0_def option_to_ptr_def
|
|
|
|
return_def)
|
|
|
|
apply (rule HoarePartial.SeqSwap)
|
|
|
|
apply (rule_tac I="{t. (\<sigma>, t) \<in> rf_sr \<and> i_' t \<le> 2 ^ asid_low_bits
|
|
|
|
\<and> ko_at' xa (capASIDPool cp) \<sigma>
|
|
|
|
\<and> (\<exists>v. cslift t (ap_Ptr (capASIDPool cp))
|
|
|
|
= Some v \<and> (\<forall>x < i_' t. capASIDBase cp + x = 0
|
|
|
|
\<or> index (array_C v) (unat x) \<noteq> pde_Ptr 0)
|
|
|
|
\<and> ret__int_' t = from_bool (i_' t < 2 ^ asid_low_bits
|
|
|
|
\<and> (capASIDBase cp + (i_' t) = 0
|
|
|
|
\<or> index (array_C v) (unat (i_' t)) \<noteq> pde_Ptr 0)))}"
|
|
|
|
in HoarePartial.reannotateWhileNoGuard)
|
|
|
|
apply (rule HoarePartial.While[OF order_refl])
|
|
|
|
apply (rule conseqPre, vcg)
|
|
|
|
apply (clarsimp simp: asidLowBits_handy_convs
|
|
|
|
word_sle_def word_sless_def
|
|
|
|
if_1_0_0 from_bool_0)
|
|
|
|
apply (subgoal_tac "capASIDBase_CL (cap_asid_pool_cap_lift cap)
|
|
|
|
= capASIDBase cp")
|
|
|
|
apply (subgoal_tac "\<And>x. (x < (i_' xb + 1))
|
|
|
|
= (x < i_' xb \<or> x = i_' xb)")
|
|
|
|
apply (clarsimp simp: inc_le from_bool_def typ_heap_simps
|
|
|
|
asid_low_bits_def not_less field_simps
|
|
|
|
false_def
|
2016-10-25 06:01:30 +00:00
|
|
|
split: if_split bool.splits)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply unat_arith
|
|
|
|
apply (rule iffI)
|
|
|
|
apply (rule disjCI)
|
|
|
|
apply (drule plus_one_helper)
|
|
|
|
apply simp
|
|
|
|
apply (subgoal_tac "i_' xb < i_' xb + 1")
|
2015-05-17 23:11:43 +00:00
|
|
|
apply (erule_tac P="x < y" for x y in disjE, simp_all)[1]
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule plus_one_helper2 [OF order_refl])
|
|
|
|
apply (rule notI, drule max_word_wrap)
|
2020-06-05 09:04:50 +00:00
|
|
|
apply (clarsimp simp: asid_low_bits_def)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (simp add: cap_get_tag_isCap_ArchObject[symmetric])
|
|
|
|
apply (clarsimp simp: cap_lift_asid_pool_cap cap_to_H_def
|
2017-07-12 05:13:51 +00:00
|
|
|
cap_asid_pool_cap_lift_def
|
|
|
|
elim!: ccap_relationE)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (clarsimp simp: from_bool_0)
|
|
|
|
apply (erule cmap_relationE1[OF rf_sr_cpspace_asidpool_relation],
|
|
|
|
erule ko_at_projectKO_opt)
|
|
|
|
apply (clarsimp simp: typ_heap_simps casid_pool_relation_def
|
|
|
|
inv_ASIDPool array_relation_def
|
|
|
|
split: asidpool.split_asm asid_pool_C.split_asm)
|
|
|
|
apply (case_tac "i_' xb = 2 ^ asid_low_bits")
|
|
|
|
apply (clarsimp split: list.split)
|
|
|
|
apply (drule_tac f="\<lambda>xs. (a, b) \<in> set xs" in arg_cong)
|
|
|
|
apply (clarsimp simp: in_assocs_is_fun)
|
|
|
|
apply (drule spec, drule(1) mp)
|
|
|
|
apply (simp add: asid_low_bits_word_bits)
|
|
|
|
apply (drule spec, drule(1) mp)
|
|
|
|
apply (simp add: option_to_ptr_def option_to_0_def field_simps)
|
|
|
|
apply (frule(1) neq_le_trans)
|
|
|
|
apply (subst filter_assocs_Cons)
|
|
|
|
apply (simp add: split_def asid_low_bits_word_bits)
|
|
|
|
apply (rule conjI, assumption)
|
|
|
|
apply (clarsimp simp add: field_simps)
|
|
|
|
apply (drule spec, drule(1) mp)
|
|
|
|
apply (simp add: option_to_ptr_def option_to_0_def
|
|
|
|
split: option.split_asm)
|
|
|
|
apply (drule bspec, erule ranI, simp)
|
|
|
|
apply (simp add: asid_low_bits_word_bits)
|
|
|
|
apply (erule allEI, rule impI, drule(1) mp)
|
|
|
|
apply (clarsimp simp: field_simps)
|
|
|
|
apply (drule_tac x=xa in spec)
|
|
|
|
apply (simp add: option_to_ptr_def option_to_0_def)
|
|
|
|
apply simp
|
|
|
|
apply (rule conseqPre, vcg)
|
|
|
|
apply (clarsimp simp: asidLowBits_handy_convs if_1_0_0
|
|
|
|
signed_shift_guard_simpler_32 asid_low_bits_def
|
|
|
|
word_sless_def word_sle_def)
|
|
|
|
apply (erule cmap_relationE1[OF rf_sr_cpspace_asidpool_relation],
|
|
|
|
erule ko_at_projectKO_opt)
|
2016-10-25 06:01:30 +00:00
|
|
|
apply (clarsimp simp: typ_heap_simps from_bool_def split: if_split)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (simp add: cap_get_tag_isCap_ArchObject[symmetric])
|
|
|
|
apply (clarsimp simp: cap_lift_asid_pool_cap cap_to_H_def
|
|
|
|
cap_asid_pool_cap_lift_def false_def
|
|
|
|
ucast_minus ucast_nat_def
|
|
|
|
elim!: ccap_relationE)
|
|
|
|
apply ceqv
|
|
|
|
apply (rule ccorres_Guard_Seq)+
|
|
|
|
apply (simp add: if_to_top_of_bind del: Collect_const)
|
|
|
|
apply (rule ccorres_if_cond_throws[where Q=\<top> and Q'=\<top>, rotated -1])
|
|
|
|
apply vcg
|
|
|
|
apply (clarsimp simp: null_def split: list.split
|
|
|
|
dest!: filter_eq_ConsD)
|
|
|
|
apply (simp add: asid_low_bits_def)
|
|
|
|
apply (simp add: throwError_bind invocationCatch_def)
|
|
|
|
apply (rule syscall_error_throwError_ccorres_n)
|
|
|
|
apply (simp add: syscall_error_to_H_cases)
|
|
|
|
apply (simp add: returnOk_bind ccorres_invocationCatch_Inr
|
|
|
|
performInvocation_def
|
2016-05-01 03:35:49 +00:00
|
|
|
ARM_H.performInvocation_def
|
2014-07-14 19:32:44 +00:00
|
|
|
performARMMMUInvocation_def liftE_bindE)
|
|
|
|
apply csymbr
|
|
|
|
apply (ctac add: setThreadState_ccorres)
|
|
|
|
apply (simp only: liftE_bindE[symmetric])
|
|
|
|
apply (ctac(no_vcg) add: performASIDPoolInvocation_ccorres)
|
|
|
|
apply (rule ccorres_alternative2)
|
|
|
|
apply (rule ccorres_return_CE, simp+)[1]
|
|
|
|
apply (rule ccorres_inst[where P=\<top> and P'=UNIV])
|
|
|
|
apply simp
|
2017-07-12 05:13:51 +00:00
|
|
|
apply wp
|
|
|
|
apply simp
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (wp sts_invs_minor')
|
|
|
|
apply simp
|
|
|
|
apply (vcg exspec=setThreadState_modifies)
|
|
|
|
apply simp
|
|
|
|
apply (wp getASID_wp)
|
|
|
|
apply (simp del: Collect_const)
|
|
|
|
apply (rule HoarePartial.SeqSwap)
|
2015-05-17 23:11:43 +00:00
|
|
|
apply (rule_tac I="\<lbrace>\<forall>rv. Prop \<acute>ksCurThread \<acute>pdCapSlot rv\<rbrace>"
|
|
|
|
and Q="\<lbrace>\<forall>rv. Bonus \<acute>i rv \<longrightarrow> Prop \<acute>ksCurThread \<acute>pdCapSlot rv\<rbrace>"
|
|
|
|
for Prop Bonus in HoarePartial.reannotateWhileNoGuard)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply vcg
|
|
|
|
apply clarsimp
|
|
|
|
apply clarsimp
|
|
|
|
apply vcg
|
|
|
|
apply simp
|
|
|
|
apply wp
|
|
|
|
apply (simp add: if_1_0_0 cong: if_cong)
|
|
|
|
apply vcg
|
|
|
|
apply (rule ccorres_cond_true_seq)
|
|
|
|
apply (simp add: throwError_bind invocationCatch_def)
|
|
|
|
apply (rule ccorres_split_throws)
|
|
|
|
apply (rule syscall_error_throwError_ccorres_n)
|
|
|
|
apply (simp add: syscall_error_to_H_cases)
|
|
|
|
apply vcg
|
|
|
|
apply simp
|
|
|
|
apply wp
|
|
|
|
apply simp
|
|
|
|
apply vcg
|
|
|
|
apply (rule ccorres_inst[where P=\<top> and P'=UNIV])
|
|
|
|
apply (cases cp, simp_all add: isCap_simps)[1]
|
|
|
|
apply (rule conjI)
|
|
|
|
apply (clarsimp simp: cte_wp_at_ctes_of ct_in_state'_def
|
|
|
|
if_1_0_0 interpret_excaps_eq excaps_map_def)
|
2019-11-08 06:32:01 +00:00
|
|
|
apply (frule(1) ctes_of_valid')
|
|
|
|
apply (drule_tac t="cteCap ctea" in sym, simp)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (cases "extraCaps")
|
|
|
|
apply simp
|
|
|
|
apply (frule interpret_excaps_eq[rule_format, where n=0], simp)
|
|
|
|
apply (clarsimp simp: mask_def[where n=4] excaps_in_mem_def
|
|
|
|
slotcap_in_mem_def typ_at_to_obj_at_arches
|
|
|
|
obj_at'_weakenE[OF _ TrueI] invs_arch_state'
|
|
|
|
unat_lt2p[where 'a=32, folded word_bits_def])
|
|
|
|
apply (rule conjI)
|
|
|
|
apply (frule invs_arch_state')
|
|
|
|
apply (clarsimp simp: valid_arch_state'_def valid_asid_table'_def neq_Nil_conv)
|
|
|
|
apply (frule interpret_excaps_eq[rule_format, where n=1], simp)
|
|
|
|
apply (clarsimp simp: sysargs_rel_to_n word_less_nat_alt)
|
|
|
|
apply (drule length_le_helper | clarsimp simp: linorder_not_less)+
|
|
|
|
apply (rule conjI)
|
|
|
|
apply clarsimp
|
|
|
|
apply (clarsimp simp: tcb_at_invs' Kernel_C.asidLowBits_def)
|
|
|
|
apply (clarsimp simp:invs_valid_objs')
|
|
|
|
apply (rule conjI, fastforce)
|
|
|
|
apply (clarsimp simp: ctes_of_valid' invs_valid_objs' isCap_simps)
|
|
|
|
apply (clarsimp simp: ex_cte_cap_wp_to'_def cte_wp_at_ctes_of
|
|
|
|
invs_sch_act_wf' dest!: isCapDs(1))
|
|
|
|
apply (intro conjI)
|
2016-09-22 02:05:17 +00:00
|
|
|
apply (simp add: Invariants_H.invs_queues)
|
2016-07-04 07:35:42 +00:00
|
|
|
apply (simp add: valid_tcb_state'_def)
|
2016-09-22 02:05:17 +00:00
|
|
|
apply (fastforce elim!: pred_tcb'_weakenE dest!:st_tcb_at_idle_thread')
|
|
|
|
apply (clarsimp simp: st_tcb_at'_def obj_at'_def)
|
2018-03-14 00:48:48 +00:00
|
|
|
apply (rename_tac obj)
|
|
|
|
apply (case_tac "tcbState obj", (simp add: runnable'_def)+)[1]
|
2016-07-04 07:35:42 +00:00
|
|
|
apply simp
|
2016-09-22 02:05:17 +00:00
|
|
|
apply (simp add: objBits_simps archObjSize_def)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply fastforce
|
2016-07-04 07:35:42 +00:00
|
|
|
apply (drule_tac f="\<lambda>xs. (a, bb) \<in> set xs" in arg_cong)
|
|
|
|
apply (clarsimp simp: in_assocs_is_fun)
|
|
|
|
apply (rule unat_less_helper)
|
2016-09-22 02:05:17 +00:00
|
|
|
apply (clarsimp simp: asid_low_bits_def)
|
2016-07-04 07:35:42 +00:00
|
|
|
apply (rule shiftl_less_t2n)
|
2019-10-19 23:14:40 +00:00
|
|
|
apply (simp add: asid_bits_def word_leq_minus_one_le)+
|
2016-09-22 02:05:17 +00:00
|
|
|
apply (simp add: is_aligned_shiftl_self)
|
2016-07-04 07:35:42 +00:00
|
|
|
apply (intro conjI impI)
|
|
|
|
apply clarsimp
|
|
|
|
apply (drule obj_at_valid_objs', clarsimp)
|
|
|
|
apply (clarsimp simp: projectKOs valid_obj'_def inv_ASIDPool
|
2016-09-22 02:05:17 +00:00
|
|
|
split: asidpool.split_asm)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply clarsimp
|
|
|
|
apply (drule obj_at_valid_objs', clarsimp)
|
|
|
|
apply (clarsimp simp: projectKOs valid_obj'_def inv_ASIDPool
|
2016-07-04 07:35:42 +00:00
|
|
|
split: asidpool.split_asm)
|
|
|
|
apply (clarsimp simp: isCap_simps Let_def valid_cap'_def
|
2016-09-22 02:05:17 +00:00
|
|
|
maskCapRights_def[where ?x1.0="ArchObjectCap cp" for cp]
|
|
|
|
ARM_H.maskCapRights_def
|
|
|
|
split: arch_capability.split_asm)
|
2016-07-04 07:35:42 +00:00
|
|
|
apply (clarsimp simp: null_def neq_Nil_conv mask_def field_simps
|
2016-09-22 02:05:17 +00:00
|
|
|
asid_low_bits_word_bits
|
|
|
|
dest!: filter_eq_ConsD)
|
2016-07-04 07:35:42 +00:00
|
|
|
apply (subst is_aligned_add_less_t2n[rotated], assumption+)
|
|
|
|
apply (simp add: asid_low_bits_def asid_bits_def)
|
|
|
|
apply simp
|
2014-07-14 19:32:44 +00:00
|
|
|
apply simp
|
2016-07-04 07:35:42 +00:00
|
|
|
apply (auto simp: ct_in_state'_def valid_tcb_state'_def
|
2016-09-22 02:05:17 +00:00
|
|
|
dest!: st_tcb_at_idle_thread'
|
|
|
|
elim!: pred_tcb'_weakenE)[1]
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (clarsimp simp: if_1_0_0 cte_wp_at_ctes_of asidHighBits_handy_convs
|
|
|
|
word_sle_def word_sless_def asidLowBits_handy_convs
|
|
|
|
rf_sr_ksCurThread "StrictC'_thread_state_defs"
|
|
|
|
mask_def[where n=4]
|
|
|
|
cong: if_cong)
|
2016-09-22 02:05:17 +00:00
|
|
|
apply (clarsimp simp: if_1_0_0 to_bool_def ccap_relation_isDeviceCap2
|
2016-07-04 07:35:42 +00:00
|
|
|
objBits_simps archObjSize_def pageBits_def from_bool_def case_bool_If)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (rule conjI)
|
2016-07-04 07:35:42 +00:00
|
|
|
(* Is Asid Control Cap *)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (clarsimp simp: neq_Nil_conv excaps_in_mem_def excaps_map_def)
|
|
|
|
apply (frule interpret_excaps_eq[rule_format, where n=0], simp)
|
|
|
|
apply (frule interpret_excaps_eq[rule_format, where n=1], simp)
|
|
|
|
apply (clarsimp simp: mask_def[where n=4] slotcap_in_mem_def
|
|
|
|
ccap_rights_relation_def rightsFromWord_wordFromRights)
|
|
|
|
apply (clarsimp simp: asid_high_bits_word_bits split: list.split_asm)
|
2016-07-04 07:35:42 +00:00
|
|
|
apply (clarsimp simp: cap_untyped_cap_lift_def cap_lift_untyped_cap
|
2014-07-14 19:32:44 +00:00
|
|
|
cap_to_H_def[split_simps cap_CL.split]
|
|
|
|
hd_conv_nth length_ineq_not_Nil
|
|
|
|
elim!: ccap_relationE)
|
2016-09-22 02:05:17 +00:00
|
|
|
apply (clarsimp simp: if_1_0_0 to_bool_def unat_eq_of_nat
|
|
|
|
objBits_simps archObjSize_def pageBits_def from_bool_def case_bool_If
|
|
|
|
split: if_splits)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (clarsimp simp: asid_low_bits_word_bits isCap_simps neq_Nil_conv
|
|
|
|
excaps_map_def excaps_in_mem_def
|
|
|
|
p2_gt_0[where 'a=32, folded word_bits_def])
|
2019-11-08 06:32:01 +00:00
|
|
|
apply (drule_tac t="cteCap ctea" in sym, simp)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (frule cap_get_tag_isCap_unfolded_H_cap(13))
|
|
|
|
apply (frule ctes_of_valid', clarsimp)
|
|
|
|
apply (frule interpret_excaps_eq[rule_format, where n=0], simp)
|
|
|
|
apply (rule conjI)
|
|
|
|
apply (clarsimp simp: cap_lift_asid_pool_cap cap_lift_page_directory_cap
|
|
|
|
cap_to_H_def to_bool_def valid_cap'_def
|
|
|
|
cap_page_directory_cap_lift_def
|
2017-09-14 07:27:19 +00:00
|
|
|
cap_asid_pool_cap_lift_def mask_def
|
2014-07-14 19:32:44 +00:00
|
|
|
asid_shiftr_low_bits_less[unfolded mask_def asid_bits_def] word_and_le1
|
2016-10-25 06:01:30 +00:00
|
|
|
elim!: ccap_relationE split: if_split_asm)
|
2014-07-14 19:32:44 +00:00
|
|
|
apply (clarsimp split: list.split)
|
|
|
|
apply (clarsimp simp: cap_lift_asid_pool_cap cap_lift_page_directory_cap
|
|
|
|
cap_to_H_def to_bool_def
|
|
|
|
cap_page_directory_cap_lift_def
|
2016-10-25 06:01:30 +00:00
|
|
|
elim!: ccap_relationE split: if_split_asm)
|
2014-07-14 19:32:44 +00:00
|
|
|
done
|
|
|
|
end
|
2020-06-05 09:04:50 +00:00
|
|
|
|
2014-07-14 19:32:44 +00:00
|
|
|
end
|
|
|
|
|