Isabelle2016-1: update references to renamed constants and facts

Matthew Brecknell 2016-10-25 17:01:30 +11:00
parent 0b039a0735
commit 41d4aa4f1d
239 changed files with 4139 additions and 4142 deletions


@ -179,8 +179,8 @@ lemma helper3: "(\<Sum>(a, b) \<leftarrow> xs. Suc (f a b)) = length xs + (\<Sum
by clarsimp+
lemma helper4: "fold op + ((map (\<lambda>(a, b). f a b) xs)::nat list) 0 = (\<Sum>(a, b) \<leftarrow> xs. f a b)"
apply (subst fold_plus_listsum_rev)
apply (subst listsum_rev)
apply (subst fold_plus_sum_list_rev)
apply (subst sum_list_rev)
by clarsimp
lemma set_of_enumerate:"card (set (enumerate n xs)) = length xs"


@ -51,7 +51,7 @@ lemma distinct_prefix:
"\<lbrakk> distinct xs; ys \<le> xs \<rbrakk> \<Longrightarrow> distinct ys"
apply (induct xs arbitrary: ys; clarsimp)
apply (case_tac ys; clarsimp)
by (fastforce simp: less_eq_list_def dest: set_mono_prefixeq)
by (fastforce simp: less_eq_list_def dest: set_mono_prefix)
lemma distinct_sets_prop:
"distinct_sets xs = distinct_prop (\<lambda>x y. x \<inter> y = {}) xs"
@ -62,10 +62,10 @@ lemma distinct_take_strg:
by simp
lemma distinct_prop_prefixE:
"\<lbrakk> distinct_prop P ys; prefixeq xs ys \<rbrakk> \<Longrightarrow> distinct_prop P xs"
"\<lbrakk> distinct_prop P ys; prefix xs ys \<rbrakk> \<Longrightarrow> distinct_prop P xs"
apply (induct xs arbitrary: ys; clarsimp)
apply (case_tac ys; clarsimp)
by (fastforce dest: set_mono_prefixeq)
by (fastforce dest: set_mono_prefix)
lemma distinct_sets_union_sub:
@ -108,7 +108,7 @@ lemma distinct_sets_append_Cons_disjoint:
lemma distinct_prop_take:
"\<lbrakk>distinct_prop P xs; i < length xs\<rbrakk> \<Longrightarrow> distinct_prop P (take i xs)"
by (metis take_is_prefixeq distinct_prop_prefixE)
by (metis take_is_prefix distinct_prop_prefixE)
lemma distinct_sets_take:
"\<lbrakk>distinct_sets xs; i < length xs\<rbrakk> \<Longrightarrow> distinct_sets (take i xs)"


@ -329,7 +329,7 @@ lemma if_ev:
assumes "b \<Longrightarrow> equiv_valid I A B P f"
assumes "\<not> b \<Longrightarrow> equiv_valid I A B Q g"
shows "equiv_valid I A B (\<lambda>s. (b \<longrightarrow> P s) \<and> (\<not>b \<longrightarrow> Q s)) (if b then f else g)"
apply (clarsimp split: split_if)
apply (clarsimp split: if_split)
using assms by blast
lemmas if_ev_pre = equiv_valid_guard_imp[OF if_ev]
@ -984,7 +984,7 @@ lemma if_evrv:
assumes "b \<Longrightarrow> equiv_valid_rv_inv I A R P f"
assumes "\<not> b \<Longrightarrow> equiv_valid_rv_inv I A R Q g"
shows "equiv_valid_rv_inv I A R (\<lambda>s. (b \<longrightarrow> P s) \<and> (\<not>b \<longrightarrow> Q s)) (if b then f else g)"
apply (clarsimp split: split_if)
apply (clarsimp split: if_split)
using assms by blast
end


@ -47,8 +47,8 @@ lemma corres_mapM_list_all2:
and rc: "\<And>x xs y ys. \<lbrakk> r xs ys; r' x y \<rbrakk> \<Longrightarrow> r (x # xs) (y # ys)"
and corr: "\<And>x xs y ys. \<lbrakk> S x y; list_all2 S xs ys \<rbrakk>
\<Longrightarrow> corres_underlying sr nf nf' r' (Q (x # xs)) (Q' (y # ys)) (f x) (f' y)"
and ha: "\<And>x xs y. \<lbrakk> S x y; suffixeq (x#xs) as \<rbrakk> \<Longrightarrow> \<lbrace>Q (x # xs)\<rbrace> f x \<lbrace>\<lambda>r. Q xs\<rbrace>"
and hc: "\<And>x y ys. \<lbrakk> S x y; suffixeq (y#ys) cs \<rbrakk> \<Longrightarrow> \<lbrace>Q' (y # ys) \<rbrace> f' y \<lbrace>\<lambda>r. Q' ys\<rbrace>"
and ha: "\<And>x xs y. \<lbrakk> S x y; suffix (x#xs) as \<rbrakk> \<Longrightarrow> \<lbrace>Q (x # xs)\<rbrace> f x \<lbrace>\<lambda>r. Q xs\<rbrace>"
and hc: "\<And>x y ys. \<lbrakk> S x y; suffix (y#ys) cs \<rbrakk> \<Longrightarrow> \<lbrace>Q' (y # ys) \<rbrace> f' y \<lbrace>\<lambda>r. Q' ys\<rbrace>"
and lall: "list_all2 S as cs"
shows "corres_underlying sr nf nf' r (Q as) (Q' cs) (mapM f as) (mapM f' cs)"
using lall


@ -108,7 +108,7 @@ lemma break_subsetsD:
apply simp
apply (case_tac "break f xs")
apply (elim meta_allE, drule(1) meta_mp)
apply (fastforce simp: split_def split: split_if_asm)
apply (fastforce simp: split_def split: if_split_asm)
done
lemma distinct_prop_breakD:
@ -116,7 +116,7 @@ lemma distinct_prop_breakD:
\<Longrightarrow> \<forall>y \<in> set ys. \<forall>z \<in> set zs. P y z"
apply (induct xs arbitrary: ys zs)
apply simp
apply (simp add: split_def split: split_if_asm)
apply (simp add: split_def split: if_split_asm)
apply (case_tac "break f xs")
apply (elim meta_allE, drule(1) meta_mp)
apply (frule break_subsetsD)
@ -267,13 +267,13 @@ lemma snd_stateAssert_after:
"\<not> snd ((do _ \<leftarrow> f; stateAssert R vs od) s) \<Longrightarrow>
\<not>snd (f s) \<and> (\<forall>(rv, s') \<in> fst (f s). R s')"
apply (clarsimp simp: bind_def stateAssert_def get_def assert_def
return_def fail_def split_def split: split_if_asm)
return_def fail_def split_def split: if_split_asm)
done
lemma oblivious_stateAssert [simp]:
"oblivious f (stateAssert g xs) = (\<forall>s. g (f s) = g s)"
apply (simp add: oblivious_def stateAssert_def exec_get
assert_def return_def fail_def split: split_if)
assert_def return_def fail_def split: if_split)
apply auto
done
@ -295,7 +295,7 @@ lemma findM_is_mapME:
liftM_def cong: if_cong)
apply (simp add: liftE_bindE bind_assoc)
apply (rule bind_cong[OF refl])
apply (simp add: bindE_assoc split: split_if)
apply (simp add: bindE_assoc split: if_split)
apply (simp add: liftE_bindE bind_assoc throwError_bind)
done


@ -295,8 +295,8 @@ lemma sum_suc_pair: "(\<Sum>(a, b) \<leftarrow> xs. Suc (f a b)) = length xs + (
by clarsimp+
lemma fold_add_sum: "fold op + ((map (\<lambda>(a, b). f a b) xs)::nat list) 0 = (\<Sum>(a, b) \<leftarrow> xs. f a b)"
apply (subst fold_plus_listsum_rev)
apply (subst listsum_rev)
apply (subst fold_plus_sum_list_rev)
apply (subst sum_list_rev)
by clarsimp
lemma set_of_enumerate:"card (set (enumerate n xs)) = length xs"
@ -435,7 +435,7 @@ lemma dom_map_fold:"dom (fold op ++ (map (\<lambda>x. [f x \<mapsto> g x]) xs) m
by (induct xs arbitrary:f g ms; clarsimp)
lemma list_ran_prop:"map_of (map (\<lambda>x. (f x, g x)) xs) i = Some t \<Longrightarrow> \<exists>x \<in> set xs. g x = t"
by (induct xs arbitrary:f g t i; clarsimp split:split_if_asm)
by (induct xs arbitrary:f g t i; clarsimp split:if_split_asm)
lemma in_set_enumerate_eq2:"(a, b) \<in> set (enumerate n xs) \<Longrightarrow> (b = xs ! (a - n))"
by (simp add: in_set_enumerate_eq)


@ -53,7 +53,7 @@ lemma exec_Guard:
"(G \<turnstile> \<langle>Guard Err S c, Normal s\<rangle> \<Rightarrow> s')
= (if s \<in> S then G \<turnstile> \<langle>c, Normal s\<rangle> \<Rightarrow> s'
else s' = Fault Err)"
by (auto split: split_if elim!: exec_elim_cases intro: exec.intros)
by (auto split: if_split elim!: exec_elim_cases intro: exec.intros)
lemma to_bytes_word8:
"to_bytes (v :: word8) xs = [v]"
@ -285,7 +285,7 @@ lemma intvl_nowrap:
apply (drule intvlD)
apply clarsimp
apply (simp add: unat_arith_simps)
apply (simp split: split_if_asm)
apply (simp split: if_split_asm)
apply (simp add: unat_of_nat)
done
@ -457,16 +457,16 @@ next
by (simp add: map_le_def list_map_def merge_dom2 set_zip)
hence "length xs < length n" and "x = n ! length xs"
by (auto simp add: list_map_eq split: split_if_asm)
by (auto simp add: list_map_eq split: if_split_asm)
thus "xs @ [x] \<le> n" using xsn
by (simp add: append_one_prefixeq less_eq_list_def)
by (simp add: append_one_prefix less_eq_list_def)
qed
lemma typ_slice_t_self:
"td \<in> fst ` set (typ_slice_t td m)"
apply (cases td)
apply (simp split: split_if)
apply (simp split: if_split)
done
lemma drop_heap_list_le2:
@ -874,7 +874,7 @@ lemma typ_slice_t_array:
typ_slice_t (export_uinfo (array_tag TYPE('a['b :: finite])))
(y + size_of TYPE('a :: mem_type) * n)"
apply (simp add: array_tag_def array_tag_n_eq
split del: split_if)
split del: if_split)
apply (rule disjI2)
apply (subgoal_tac "y + (size_of TYPE('a) * n) < CARD('b) * size_of TYPE('a)")
apply (simp add: typ_slice_list_cut[where m="size_of TYPE('a)"]
@ -1114,7 +1114,7 @@ lemma ptr_retyp_valid_footprint_disjoint2:
apply (subst (asm) ptr_retyp_d)
apply clarsimp
apply fast
apply (clarsimp simp add: ptr_retyp_d_eq_fst split: split_if_asm)
apply (clarsimp simp add: ptr_retyp_d_eq_fst split: if_split_asm)
apply fast
apply (erule intvlI)
done
@ -1141,7 +1141,7 @@ lemma h_t_valid_ptr_retyp_eq:
"\<not> cptr_type p <\<^sub>\<tau> cptr_type p' \<Longrightarrow> h_t_valid (ptr_retyp p td) g p'
= (if ptr_span p \<inter> ptr_span p' = {} then h_t_valid td g p'
else field_of_t p' p \<and> g p')"
apply (clarsimp simp: ptr_retyp_disjoint_iff split: split_if)
apply (clarsimp simp: ptr_retyp_disjoint_iff split: if_split)
apply (cases "g p'")
apply (rule iffI)
apply (rule ccontr, drule h_t_valid_neq_disjoint, rule ptr_retyp_h_t_valid, simp+)
@ -1157,10 +1157,10 @@ lemma field_lookup_list_Some_again:
\<Longrightarrow> i < length xs
\<Longrightarrow> f \<notin> dt_snd ` set ((take i xs))
\<Longrightarrow> field_lookup_list xs [f] n
= Some (dt_fst (xs ! i), n + listsum (map (size_td o dt_fst) (take i xs)))"
= Some (dt_fst (xs ! i), n + sum_list (map (size_td o dt_fst) (take i xs)))"
apply (induct xs arbitrary: i n, simp_all)
apply (case_tac x1, simp)
apply (case_tac i, auto split: split_if)
apply (case_tac i, auto split: if_split)
done
lemma field_lookup_array:
@ -1169,7 +1169,7 @@ lemma field_lookup_array:
(\<lambda>x. x.[n]) (\<lambda>x f. Arrays.update f n x), i + n * size_of TYPE ('a))"
apply (simp add: typ_info_array array_tag_def array_tag_n_eq)
apply (subst field_lookup_list_Some_again[where i=n],
auto simp add: take_map o_def listsum_triv size_of_def)
auto simp add: take_map o_def sum_list_triv size_of_def)
done
end


@ -636,7 +636,7 @@ lemma trancl_trancl:
lemma if_1_0_0:
"((if P then 1 else 0) = (0 :: ('a :: zero_neq_one))) = (\<not> P)"
by (simp split: split_if)
by (simp split: if_split)
lemma neq_Nil_lengthI:
"Suc 0 \<le> length xs \<Longrightarrow> xs \<noteq> []"
@ -686,11 +686,11 @@ definition
lemma graph_of_None_update:
"graph_of (f (p := None)) = graph_of f - {p} \<times> UNIV"
by (auto simp: graph_of_def split: split_if_asm)
by (auto simp: graph_of_def split: if_split_asm)
lemma graph_of_Some_update:
"graph_of (f (p \<mapsto> v)) = (graph_of f - {p} \<times> UNIV) \<union> {(p,v)}"
by (auto simp: graph_of_def split: split_if_asm)
by (auto simp: graph_of_def split: if_split_asm)
lemma graph_of_restrict_map:
"graph_of (m |` S) \<subseteq> graph_of m"
@ -847,7 +847,7 @@ lemma UN_sub_empty:
lemma bij_betw_fun_updI:
"\<lbrakk>x \<notin> A; y \<notin> B; bij_betw f A B\<rbrakk> \<Longrightarrow> bij_betw (f(x := y)) (insert x A) (insert y B)"
by (clarsimp simp: bij_betw_def fun_upd_image inj_on_fun_updI split: split_if_asm)
by (clarsimp simp: bij_betw_def fun_upd_image inj_on_fun_updI split: if_split_asm)
definition
"bij_betw_map f A B \<equiv> bij_betw f A (Some ` B)"
@ -1015,16 +1015,16 @@ lemma fold_to_map_of:
apply (case_tac "fold op ++ (map (\<lambda>x. [f x \<mapsto> g x]) xs) Map.empty x")
apply clarsimp
apply (drule fold_ignore3)
apply (clarsimp split:split_if_asm)
apply (clarsimp split:if_split_asm)
apply (rule sym)
apply (subst map_of_eq_None_iff)
apply clarsimp
apply (rename_tac xa)
apply (erule_tac x=xa in ballE; clarsimp)
apply clarsimp
apply (frule fold_ignore5; clarsimp split:split_if_asm)
apply (frule fold_ignore5; clarsimp split:if_split_asm)
apply (subst map_add_map_of_foldr[where m=empty, simplified])
apply (induct xs arbitrary:f g; clarsimp split:split_if)
apply (induct xs arbitrary:f g; clarsimp split:if_split)
apply (rule conjI; clarsimp)
apply (drule fold_ignore9; clarsimp)
apply (cut_tac ms="map (\<lambda>x. [f x \<mapsto> g x]) xs" and f="[f a \<mapsto> g a]" and x="f b" in fold_ignore6, clarsimp)
@ -1033,7 +1033,7 @@ lemma fold_to_map_of:
lemma if_n_0_0:
"((if P then n else 0) \<noteq> 0) = (P \<and> n \<noteq> 0)"
by (simp split: split_if)
by (simp split: if_split)
lemma insert_dom:
assumes fx: "f x = Some y"
@ -1297,7 +1297,7 @@ lemma insert_minus_eq:
lemma modify_map_K_D:
"modify_map m p (\<lambda>x. y) p' = Some v \<Longrightarrow> (m (p \<mapsto> y)) p' = Some v"
by (simp add: modify_map_def split: split_if_asm)
by (simp add: modify_map_def split: if_split_asm)
lemma tranclE2:
assumes trancl: "(a, b) \<in> r\<^sup>+"
@ -1391,7 +1391,7 @@ lemma foldl_fun_upd:
lemma all_rv_choice_fn_eq_pred:
"\<lbrakk> \<And>rv. P rv \<Longrightarrow> \<exists>fn. f rv = g fn \<rbrakk> \<Longrightarrow> \<exists>fn. \<forall>rv. P rv \<longrightarrow> f rv = g (fn rv)"
apply (rule_tac x="\<lambda>rv. SOME h. f rv = g h" in exI)
apply (clarsimp split: split_if)
apply (clarsimp split: if_split)
by (meson someI_ex)
lemma ex_const_function:
@ -1400,13 +1400,13 @@ lemma ex_const_function:
lemma if_Const_helper:
"If P (Con x) (Con y) = Con (If P x y)"
by (simp split: split_if)
by (simp split: if_split)
lemmas if_Some_helper = if_Const_helper[where Con=Some]
lemma expand_restrict_map_eq:
"(m |` S = m' |` S) = (\<forall>x. x \<in> S \<longrightarrow> m x = m' x)"
by (simp add: fun_eq_iff restrict_map_def split: split_if)
by (simp add: fun_eq_iff restrict_map_def split: if_split)
lemma disj_imp_rhs:
"(P \<Longrightarrow> Q) \<Longrightarrow> (P \<or> Q) = Q"
@ -1473,7 +1473,7 @@ lemma list_case_If:
lemma remove1_Nil_in_set:
"\<lbrakk> remove1 x xs = []; xs \<noteq> [] \<rbrakk> \<Longrightarrow> x \<in> set xs"
by (induct xs) (auto split: split_if_asm)
by (induct xs) (auto split: if_split_asm)
lemma remove1_empty:
"(remove1 v xs = []) = (xs = [v] \<or> xs = [])"
@ -1481,7 +1481,7 @@ lemma remove1_empty:
lemma set_remove1:
"x \<in> set (remove1 y xs) \<Longrightarrow> x \<in> set xs"
by (induct xs) (auto split: split_if_asm)
by (induct xs) (auto split: if_split_asm)
lemma If_rearrage:
"(if P then if Q then x else y else z) = (if P \<and> Q then x else if P then y else z)"
@ -1626,15 +1626,15 @@ lemma Min_prop:
lemma findSomeD:
"find P xs = Some x \<Longrightarrow> P x \<and> x \<in> set xs"
by (induct xs) (auto split: split_if_asm)
by (induct xs) (auto split: if_split_asm)
lemma findNoneD:
"find P xs = None \<Longrightarrow> \<forall>x \<in> set xs. \<not>P x"
by (induct xs) (auto split: split_if_asm)
by (induct xs) (auto split: if_split_asm)
lemma dom_upd:
"dom (\<lambda>x. if x = y then None else f x) = dom f - {y}"
by (rule set_eqI) (auto split: split_if_asm)
by (rule set_eqI) (auto split: if_split_asm)
definition
@ -1721,7 +1721,7 @@ lemma map_comp_eq:
lemma dom_If_Some:
"dom (\<lambda>x. if x \<in> S then Some v else f x) = (S \<union> dom f)"
by (auto split: split_if)
by (auto split: if_split)
lemma foldl_fun_upd_const:
"foldl (\<lambda>s x. s(f x := v)) s xs
@ -1767,7 +1767,7 @@ qed
lemma ran_del_subset:
"y \<in> ran (f (x := None)) \<Longrightarrow> y \<in> ran f"
by (auto simp: ran_def split: split_if_asm)
by (auto simp: ran_def split: if_split_asm)
lemma trancl_sub_lift:
assumes sub: "\<And>p p'. (p,p') \<in> r \<Longrightarrow> (p,p') \<in> r'"
@ -1819,7 +1819,7 @@ lemma psubset_singleton:
lemma length_takeWhile_ge:
"length (takeWhile f xs) = n \<Longrightarrow> length xs = n \<or> (length xs > n \<and> \<not> f (xs ! n))"
by (induct xs arbitrary: n) (auto split: split_if_asm)
by (induct xs arbitrary: n) (auto split: if_split_asm)
lemma length_takeWhile_le:
"\<not> f (xs ! n) \<Longrightarrow> length (takeWhile f xs) \<le> n"
@ -1828,7 +1828,7 @@ lemma length_takeWhile_le:
lemma length_takeWhile_gt:
"n < length (takeWhile f xs)
\<Longrightarrow> (\<exists>ys zs. length ys = Suc n \<and> xs = ys @ zs \<and> takeWhile f xs = ys @ takeWhile f zs)"
apply (induct xs arbitrary: n; simp split: split_if_asm)
apply (induct xs arbitrary: n; simp split: if_split_asm)
apply (case_tac n; simp)
apply (rule_tac x="[a]" in exI)
apply simp
@ -1910,7 +1910,7 @@ lemma Collect_int_vars:
lemma if_0_1_eq:
"((if P then 1 else 0) = (case Q of True \<Rightarrow> of_nat 1 | False \<Rightarrow> of_nat 0)) = (P = Q)"
by (simp split: split_if bool.split)
by (simp split: if_split bool.split)
lemma modify_map_exists_cte :
"(\<exists>cte. modify_map m p f p' = Some cte) = (\<exists>cte. m p' = Some cte)"
@ -1997,7 +1997,7 @@ lemma case_option_over_if:
= (if G then P else Q v)"
"case_option P Q (if G then Some v else None)
= (if G then Q v else P)"
by (simp split: split_if)+
by (simp split: if_split)+
lemma map_length_cong:
"\<lbrakk> length xs = length ys; \<And>x y. (x, y) \<in> set (zip xs ys) \<Longrightarrow> f x = g y \<rbrakk>
@ -2318,31 +2318,31 @@ lemma fst_last_zip_upt:
apply (simp add: min_def zip_is_empty)
done
lemma neq_into_nprefixeq:
lemma neq_into_nprefix:
"\<lbrakk> x \<noteq> take (length x) y \<rbrakk> \<Longrightarrow> \<not> x \<le> y"
by (clarsimp simp: prefixeq_def less_eq_list_def)
by (clarsimp simp: prefix_def less_eq_list_def)
lemma suffixeq_eqI:
"\<lbrakk> suffixeq xs as; suffixeq xs bs; length as = length bs;
lemma suffix_eqI:
"\<lbrakk> suffix xs as; suffix xs bs; length as = length bs;
take (length as - length xs) as \<le> take (length bs - length xs) bs\<rbrakk> \<Longrightarrow> as = bs"
by (clarsimp elim!: prefixE suffixeqE)
by (clarsimp elim!: prefixE suffixE)
lemma suffixeq_Cons_mem:
"suffixeq (x # xs) as \<Longrightarrow> x \<in> set as"
by (drule suffixeq_set_subset) simp
lemma suffix_Cons_mem:
"suffix (x # xs) as \<Longrightarrow> x \<in> set as"
by (drule suffix_set_subset) simp
lemma distinct_imply_not_in_tail:
"\<lbrakk> distinct list; suffixeq (y # ys) list\<rbrakk> \<Longrightarrow> y \<notin> set ys"
by (clarsimp simp:suffixeq_def)
"\<lbrakk> distinct list; suffix (y # ys) list\<rbrakk> \<Longrightarrow> y \<notin> set ys"
by (clarsimp simp:suffix_def)
lemma list_induct_suffixeq [case_names Nil Cons]:
lemma list_induct_suffix [case_names Nil Cons]:
assumes nilr: "P []"
and consr: "\<And>x xs. \<lbrakk>P xs; suffixeq (x # xs) as \<rbrakk> \<Longrightarrow> P (x # xs)"
and consr: "\<And>x xs. \<lbrakk>P xs; suffix (x # xs) as \<rbrakk> \<Longrightarrow> P (x # xs)"
shows "P as"
proof -
def as' == as
have "suffixeq as as'" unfolding as'_def by simp
have "suffix as as'" unfolding as'_def by simp
then show ?thesis
proof (induct as)
case Nil show ?case by fact
@ -2351,8 +2351,8 @@ proof -
show ?case
proof (rule consr)
from Cons.prems show "suffixeq (x # xs) as" unfolding as'_def .
then have "suffixeq xs as'" by (auto dest: suffixeq_ConsD simp: as'_def)
from Cons.prems show "suffix (x # xs) as" unfolding as'_def .
then have "suffix xs as'" by (auto dest: suffix_ConsD simp: as'_def)
then show "P xs" using Cons.hyps by simp
qed
qed


@ -218,7 +218,7 @@ text {* These list operations roughly correspond to cdt
lemma after_can_split: "after_in_list list x = Some y \<Longrightarrow> \<exists>ys xs. list = xs @ (x # y # ys)"
apply (induct list x rule: after_in_list.induct)
apply simp+
apply (simp split: split_if_asm)
apply (simp split: if_split_asm)
apply force
apply (elim exE)
apply simp
@ -301,9 +301,9 @@ lemma after_in_list_inj:
apply(simp)
apply(case_tac "a=aa")
apply(case_tac list, simp)
apply(simp add: hd_not_after_in_list split: split_if_asm)
apply(simp add: hd_not_after_in_list split: if_split_asm)
apply(case_tac list, simp)
apply(simp add: hd_not_after_in_list split: split_if_asm)
apply(simp add: hd_not_after_in_list split: if_split_asm)
done
lemma list_replace_ignore:"a \<notin> set list \<Longrightarrow> list_replace list a b = list"
@ -370,7 +370,7 @@ lemma list_insert_after_after:
\<Longrightarrow> after_in_list (list_insert_after list a b) p
= (if p = a then Some b else if p = b then after_in_list list a else after_in_list list p)"
apply(induct list p rule: after_in_list.induct)
apply (simp split: split_if_asm)+
apply (simp split: if_split_asm)+
apply fastforce
done
@ -385,14 +385,14 @@ lemma remove_distinct_helper: "\<lbrakk>distinct (list_remove list x); a \<noteq
distinct list\<rbrakk>
\<Longrightarrow> a \<notin> set (list_remove list x)"
apply (induct list)
apply (simp split: split_if_asm)+
apply (simp split: if_split_asm)+
done
lemma list_remove_distinct:
"distinct list \<Longrightarrow> distinct (list_remove list x)"
apply (induct list)
apply (simp add: remove_distinct_helper split: split_if_asm)+
apply (simp add: remove_distinct_helper split: if_split_asm)+
done
lemma list_remove_none: "x \<notin> set list \<Longrightarrow> list_remove list x = list"
@ -416,14 +416,14 @@ lemma set_list_replace_list:
lemma after_in_list_in_list:
"after_in_list list a = Some b \<Longrightarrow> b \<in> set list"
apply(induct list a arbitrary: b rule: after_in_list.induct)
apply (simp split: split_if_asm)+
apply (simp split: if_split_asm)+
done
lemma list_replace_empty_after_empty:
"\<lbrakk>after_in_list list p = Some slot; distinct list\<rbrakk>
\<Longrightarrow> after_in_list (list_replace_list list slot []) p = after_in_list list slot"
apply(induct list slot rule: after_in_list.induct)
apply (simp split: split_if_asm)+
apply (simp split: if_split_asm)+
apply (case_tac xs,simp+)
apply (case_tac xs,simp+)
apply (auto dest!: after_in_list_in_list)
@ -433,7 +433,7 @@ lemma list_replace_after_fst_list:
"\<lbrakk>after_in_list list p = Some slot; distinct list\<rbrakk>
\<Longrightarrow> after_in_list (list_replace_list list slot (x # xs)) p = Some x"
apply(induct list p rule: after_in_list.induct)
apply (simp split: split_if_asm)+
apply (simp split: if_split_asm)+
apply (drule after_in_list_in_list)+
apply force
done
@ -451,13 +451,13 @@ lemma after_in_list_append_last_hd:
apply(induct list' p rule: after_in_list.induct)
apply(simp)
apply(simp)
apply(simp split: split_if_asm)
apply(simp split: if_split_asm)
done
lemma after_in_list_append_in_hd:
"after_in_list list p = Some a \<Longrightarrow> after_in_list (list @ list') p = Some a"
apply(induct list p rule: after_in_list.induct)
apply(simp split: split_if_asm)+
apply(simp split: if_split_asm)+
done
lemma after_in_list_in_list': "after_in_list list a = Some y \<Longrightarrow> a \<in> set list"
@ -479,13 +479,13 @@ lemma list_replace_after_None_notin_new:
apply(simp)
apply(simp)
apply(case_tac list', simp, simp)
apply(simp split: split_if_asm)
apply(simp split: if_split_asm)
apply(simp add: after_in_list_append_notin_hd)
apply(simp add: after_in_list_append_notin_hd)
apply(case_tac "list_replace_list list slot list'")
apply(simp)
apply(simp)
apply(case_tac list, simp, simp split: split_if_asm)
apply(case_tac list, simp, simp split: if_split_asm)
done
lemma list_replace_after_notin_new:
@ -497,7 +497,7 @@ lemma list_replace_after_notin_new:
apply(intro conjI impI)
apply(simp add: after_in_list_append_notin_hd)
apply(case_tac list, simp, simp)
apply(case_tac list, simp, simp split: split_if_asm)
apply(case_tac list, simp, simp split: if_split_asm)
apply(insert after_in_list_append_notin_hd)
apply(atomize)
apply(erule_tac x=p in allE, erule_tac x="[aa]" in allE, erule_tac x="list' @ lista" in allE)
@ -623,13 +623,13 @@ lemma distinct_after_in_list_antisym:
apply (induct list b arbitrary: a rule: after_in_list.induct)
apply simp+
apply (case_tac xs)
apply (clarsimp split: split_if_asm | intro impI conjI)+
apply (clarsimp split: if_split_asm | intro impI conjI)+
done
lemma after_in_listD: "after_in_list list x = Some y \<Longrightarrow> \<exists>xs ys. list = xs @ (x # y # ys) \<and> x \<notin> set xs"
apply (induct list x arbitrary: a rule: after_in_list.induct)
apply (simp split: split_if_asm | elim exE | force)+
apply (simp split: if_split_asm | elim exE | force)+
apply (rule_tac x="x # xsa" in exI)
apply simp
done
@ -730,7 +730,7 @@ lemma list_swap_preserve_separate:
"\<lbrakk>p \<noteq> desta; p \<noteq> srca; z \<noteq> desta; z \<noteq> srca; after_in_list list p = Some z\<rbrakk>
\<Longrightarrow> after_in_list (list_swap list srca desta) p = Some z"
apply (induct list p rule: after_in_list.induct)
apply (simp add: list_swap_def split: split_if_asm)+
apply (simp add: list_swap_def split: if_split_asm)+
apply (intro impI conjI)
apply simp+
done
@ -934,7 +934,7 @@ lemma prepend_after_in_list_distinct : "distinct (a # list) \<Longrightarrow> {(
(* base case *)
apply (drule CollectD, simp)
apply (case_tac list, simp)
apply (simp split:split_if_asm)
apply (simp split:if_split_asm)
apply (rule r_into_trancl)
apply (rule CollectI, simp)
(* Inductive case *)
@ -1083,11 +1083,11 @@ lemma after_in_list_last_None:
apply(simp)
apply(case_tac list)
apply(simp)
apply(fastforce split: split_if_asm)
apply(fastforce split: if_split_asm)
done
lemma after_in_list_None_last:
"\<lbrakk>after_in_list list x = None; x \<in> set list\<rbrakk> \<Longrightarrow> x = last list"
by (induct list x rule: after_in_list.induct,(simp split: split_if_asm)+)
by (induct list x rule: after_in_list.induct,(simp split: if_split_asm)+)
end


@ -633,7 +633,7 @@ lemma in_bindE_L:
(\<exists>s'' x. (Inr x, s'') \<in> fst (f s) \<and> (Inl r, s') \<in> fst (g x s'')) \<or> ((Inl r, s') \<in> fst (f s))"
apply (simp add: bindE_def lift_def bind_def)
apply safe
apply (simp add: return_def throwError_def lift_def split_def split: sum.splits split_if_asm)
apply (simp add: return_def throwError_def lift_def split_def split: sum.splits if_split_asm)
apply force
done
@ -1742,7 +1742,7 @@ lemma list_cases_wp:
(* FIXME: make wp *)
lemma whenE_throwError_wp:
"\<lbrace>\<lambda>s. \<not>Q \<longrightarrow> P s\<rbrace> whenE Q (throwError e) \<lbrace>\<lambda>rv. P\<rbrace>, -"
apply (simp add: whenE_def split del: split_if)
apply (simp add: whenE_def split del: if_split)
apply (rule hoare_pre)
apply wp
apply simp


@ -262,7 +262,7 @@ proof -
then have ?thesis using `I s`
by (induct arbitrary: s) (auto intro: istep) }
then show ?thesis using assms(1)
by (auto simp: option_while_def option_while'_THE split: split_if_asm)
by (auto simp: option_while_def option_while'_THE split: if_split_asm)
qed
lemma option_while'_term:


@ -176,12 +176,12 @@ proof -
have "\<And>s. owhile C B r s = None
\<Longrightarrow> whileLoop C (\<lambda>a. gets_the (B a)) r s = ({}, True)"
by (auto simp: whileLoop_def owhile_def option_while_def option_while'_THE gets_the_loop_terminates
split: split_if_asm dest: option_while'_None wl'_Inl option_while'_inj)
split: if_split_asm dest: option_while'_None wl'_Inl option_while'_inj)
moreover
have "\<And>s r'. owhile C B r s = Some r'
\<Longrightarrow> whileLoop C (\<lambda>a. gets_the (B a)) r s = ({(r', s)}, False)"
by (auto simp: whileLoop_def owhile_def option_while_def option_while'_THE gets_the_loop_terminates
split: split_if_asm dest: wl'_Inl wl'_Inr option_while'_inj intro: option_while'_Some)
split: if_split_asm dest: wl'_Inl wl'_Inr option_while'_inj intro: option_while'_Some)
ultimately
show ?thesis
by (auto simp: fun_eq_iff gets_the_conv split: option.split)


@ -492,7 +492,7 @@ proof -
have cond_true: "\<And>x s. fst (whileLoop C B x s) = {} \<Longrightarrow> C x s"
apply (subst (asm) whileLoop_unroll)
apply (clarsimp simp: condition_def return_def split: split_if_asm)
apply (clarsimp simp: condition_def return_def split: if_split_asm)
done
have "snd (whileLoop C B r s)"


@ -46,9 +46,9 @@ lemma valid_whileLoop_complete:
apply clarsimp
apply (subst (asm) (2) whileLoop_unroll)
apply (case_tac "C a b")
apply (clarsimp simp: valid_def bind_def' Bex_def condition_def split: split_if_asm)
apply (clarsimp simp: valid_def bind_def' Bex_def condition_def split: if_split_asm)
apply force
apply (clarsimp simp: valid_def bind_def' Bex_def condition_def split: split_if_asm)
apply (clarsimp simp: valid_def bind_def' Bex_def condition_def split: if_split_asm)
apply force
apply (subst whileLoop_unroll)
apply (clarsimp simp: valid_def bind_def' condition_def return_def)
@ -351,7 +351,7 @@ lemma valid_path_implies_exs_valid_whileLoop:
apply (clarsimp split: prod.splits)
apply (case_tac l)
apply clarsimp
apply (clarsimp split del: split_if)
apply (clarsimp split del: if_split)
apply (erule bexI [rotated])
apply clarsimp
apply clarsimp
@ -379,7 +379,7 @@ lemma shortest_path_gets_shorter:
apply (drule valid_path_implies_exs_valid_whileLoop)
apply (clarsimp simp: exs_valid_def)
apply (erule bexI [rotated])
apply (clarsimp split: split_if_asm)
apply (clarsimp split: if_split_asm)
apply clarsimp
done


@ -164,7 +164,7 @@ val put_Lib_simpset = put_simpset (Simplifier.simpset_of (Proof_Context.init_gl
fun in_mresults_ctxt ctxt = ctxt
|> put_Lib_simpset
|> (fn ctxt => ctxt addsimps [@{thm in_mresults_export}, @{thm in_mresults_bind}])
|> Splitter.del_split @{thm split_if}
|> Splitter.del_split @{thm if_split}
fun prove_qad ctxt term tac = Goal.prove ctxt [] [] term
(K (if Config.get ctxt quick_and_dirty andalso false
@ -179,7 +179,7 @@ fun preannotate_ss ctxt = ctxt
fun in_mresults_ss ctxt = ctxt
|> put_Lib_simpset
|> (fn ctxt => ctxt addsimps [@{thm in_mresults_export}, @{thm in_mresults_bind}])
|> Splitter.del_split @{thm split_if}
|> Splitter.del_split @{thm if_split}
|> simpset_of
@ -280,7 +280,7 @@ fun postcond_ss ctxt = ctxt
fun wp_default_ss ctxt = ctxt
|> put_simpset HOL_ss
|> Splitter.del_split @{thm split_if}
|> Splitter.del_split @{thm if_split}
|> simpset_of
fun raise_tac s = all_tac THEN (fn _ => error s);


@ -321,7 +321,7 @@ method post_strengthen methods wp_weak wp_strong simp' tests =
determ \<open>make_goals \<open>wp_weak\<close> \<open>wp_strong\<close> \<open>tests\<close>,
(elim trips_pushEs)?,
rule trip_init\<close>,
(simp add: imp_conjL del: simp_dels split del: split_if)?,
(simp add: imp_conjL del: simp_dels split del: if_split)?,
determ \<open>(erule trips_True_drop trips_contr_drop hoare_add_trip)\<close>,
simp',
rule trip_drop,
@ -333,7 +333,7 @@ text \<open>The "wpi" named theorem is used to avoid the safety heuristics, effe
named_theorems wpi
private method final_simp =
(simp del: del: simp_dels split del: split_if cong: post_imp_cong)
(simp del: del: simp_dels split del: if_split cong: post_imp_cong)
text \<open>By default, wpi will only solve an atomic consequent if all its antecedents
aren't preserved. Therefore "test" is simply "fail". Unpreserved antecedents
@ -406,7 +406,7 @@ method wp_drop_imp_internal methods tests =
determ \<open>erule trips_transport\<close>,
((drule trip_term_quants)+)?,
erule strengthen_trip_term,
simp split del: split_if cong: post_conj_cong,
simp split del: if_split cong: post_conj_cong,
rule post_conj_drop)
method wp_drop_imp = wp_drop_imp_internal \<open>tests\<close>


@ -102,7 +102,7 @@ proof -
apply (clarsimp simp: monadic_rewrite_def bind_def P image_constant_conv
cong: image_cong)
apply (drule empty_failD2[OF ef])
apply (clarsimp simp: prod_eq_iff split: split_if_asm)
apply (clarsimp simp: prod_eq_iff split: if_split_asm)
done
qed
@ -173,7 +173,7 @@ lemma monadic_rewrite_gen_asm:
lemma monadic_rewrite_assert:
"\<lbrakk> Q \<Longrightarrow> monadic_rewrite True E P (f ()) g \<rbrakk>
\<Longrightarrow> monadic_rewrite True E (\<lambda>s. Q \<longrightarrow> P s) (assert Q >>= f) g"
apply (simp add: assert_def split: split_if)
apply (simp add: assert_def split: if_split)
apply (simp add: monadic_rewrite_def fail_def)
done


@ -269,9 +269,9 @@ lemma mapM_x_Cons:
lemma mapM_x_inv_wp2:
assumes post: "\<And>s. \<lbrakk> I s; V [] s \<rbrakk> \<Longrightarrow> Q s"
and hr: "\<And>a as. suffixeq (a # as) xs \<Longrightarrow> \<lbrace>\<lambda>s. I s \<and> V (a # as) s\<rbrace> m a \<lbrace>\<lambda>r s. I s \<and> V as s\<rbrace>"
and hr: "\<And>a as. suffix (a # as) xs \<Longrightarrow> \<lbrace>\<lambda>s. I s \<and> V (a # as) s\<rbrace> m a \<lbrace>\<lambda>r s. I s \<and> V as s\<rbrace>"
shows "\<lbrace>I and V xs\<rbrace> mapM_x m xs \<lbrace>\<lambda>rv. Q\<rbrace>"
proof (induct xs rule: list_induct_suffixeq)
proof (induct xs rule: list_induct_suffix)
case Nil thus ?case
apply (simp add: mapM_x_Nil)
apply wp
@ -576,7 +576,7 @@ lemma cutMon_walk_bindE:
apply (simp add: bindE_def cutMon_walk_bind)
apply (rule bind_cong, rule refl)
apply (simp add: cutMon_def lift_def fail_def
split: split_if_asm)
split: if_split_asm)
apply (clarsimp split: sum.split)
done
@ -596,11 +596,11 @@ lemma cutMon_validE_drop:
lemma assertE_assert:
"assertE F = liftE (assert F)"
by (clarsimp simp: assertE_def assert_def liftE_def returnOk_def
split: split_if)
split: if_split)
lemma snd_cutMon:
"snd (cutMon P f s) = (P s \<longrightarrow> snd (f s))"
by (simp add: cutMon_def fail_def split: split_if)
by (simp add: cutMon_def fail_def split: if_split)
lemma exec_modify:
"(modify f >>= g) s = g () (f s)"
@ -612,7 +612,7 @@ lemma no_fail_spec:
lemma no_fail_assertE [wp]:
"no_fail (\<lambda>_. P) (assertE P)"
by (simp add: assertE_def split: split_if)
by (simp add: assertE_def split: if_split)
lemma no_fail_spec_pre:
"\<lbrakk> no_fail ((op = s) and P') f; \<And>s. P s \<Longrightarrow> P' s \<rbrakk> \<Longrightarrow> no_fail ((op = s) and P) f"
@ -620,11 +620,11 @@ lemma no_fail_spec_pre:
lemma no_fail_whenE [wp]:
"\<lbrakk> G \<Longrightarrow> no_fail P f \<rbrakk> \<Longrightarrow> no_fail (\<lambda>s. G \<longrightarrow> P s) (whenE G f)"
by (simp add: whenE_def split: split_if)
by (simp add: whenE_def split: if_split)
lemma no_fail_unlessE [wp]:
"\<lbrakk> \<not> G \<Longrightarrow> no_fail P f \<rbrakk> \<Longrightarrow> no_fail (\<lambda>s. \<not> G \<longrightarrow> P s) (unlessE G f)"
by (simp add: unlessE_def split: split_if)
by (simp add: unlessE_def split: if_split)
lemma no_fail_throwError [wp]:
"no_fail \<top> (throwError e)"
@ -718,7 +718,7 @@ lemma select_f_asserts:
"select_f (assert P s) = do assert P; return ((), s) od"
"select_f (assert_opt v s) = do v' \<leftarrow> assert_opt v; return (v', s) od"
by (simp add: select_f_def fail_def assert_def return_def bind_def
assert_opt_def split: split_if option.split)+
assert_opt_def split: if_split option.split)+
lemma liftE_bindE_handle:
"((liftE f >>=E (\<lambda>x. g x)) <handle> h)
@ -766,24 +766,24 @@ lemma liftE_bindE_assoc:
lemma empty_fail_use_cutMon:
"\<lbrakk> \<And>s. empty_fail (cutMon (op = s) f) \<rbrakk> \<Longrightarrow> empty_fail f"
apply (clarsimp simp add: empty_fail_def cutMon_def)
apply (fastforce split: split_if_asm)
apply (fastforce split: if_split_asm)
done
lemma empty_fail_drop_cutMon:
"empty_fail f \<Longrightarrow> empty_fail (cutMon P f)"
by (simp add: empty_fail_def fail_def cutMon_def split: split_if)
by (simp add: empty_fail_def fail_def cutMon_def split: if_split)
lemma empty_fail_cutMon:
"\<lbrakk> \<And>s. P s \<Longrightarrow> empty_fail (cutMon (op = s) f) \<rbrakk>
\<Longrightarrow> empty_fail (cutMon P f)"
apply (clarsimp simp: empty_fail_def cutMon_def fail_def
split: split_if)
apply (fastforce split: split_if_asm)
split: if_split)
apply (fastforce split: if_split_asm)
done
lemma empty_fail_If:
"\<lbrakk> P \<Longrightarrow> empty_fail f; \<not> P \<Longrightarrow> empty_fail g \<rbrakk> \<Longrightarrow> empty_fail (if P then f else g)"
by (simp split: split_if)
by (simp split: if_split)
lemmas empty_fail_cutMon_intros =
cutMon_walk_bind[THEN arg_cong[where f=empty_fail], THEN iffD2,
@ -796,16 +796,16 @@ lemmas empty_fail_cutMon_intros =
lemma empty_fail_whenEs:
"empty_fail f \<Longrightarrow> empty_fail (whenE P f)"
"empty_fail f \<Longrightarrow> empty_fail (unlessE P f)"
by (auto simp add: whenE_def unlessE_def empty_fail_error_bits split: split_if)
by (auto simp add: whenE_def unlessE_def empty_fail_error_bits split: if_split)
lemma empty_fail_assertE:
"empty_fail (assertE P)"
by (simp add: assertE_def empty_fail_error_bits split: split_if)
by (simp add: assertE_def empty_fail_error_bits split: if_split)
lemma unlessE_throw_catch_If:
"catch (unlessE P (throwError e) >>=E f) g
= (if P then catch (f ()) g else g e)"
by (simp add: unlessE_def catch_throwError split: split_if)
by (simp add: unlessE_def catch_throwError split: if_split)
lemma gets_the_return:
"(return x = gets_the f) = (\<forall>s. f s = Some x)"
@ -834,7 +834,7 @@ lemma cutMon_assert_opt:
= gets_the (\<lambda>s. if P s then f s else None) >>= g"
by (simp add: cutMon_def gets_the_def exec_gets
bind_assoc fun_eq_iff assert_opt_def
split: split_if)
split: if_split)
lemma gets_the_eq_bind:
"\<lbrakk> \<exists>fn. f = gets_the (fn o fn');
@ -870,7 +870,7 @@ lemma gets_the_asserts:
"(assertE P = gets_the h) = (\<forall>s. h s = (if P then Some (Inr ()) else None))"
by (simp add: assert_def assertE_def
gets_the_fail gets_the_returns
split: split_if)+
split: if_split)+
lemma gets_the_condsE:
"(\<exists>fn. whenE P f = gets_the (fn o fn'))
@ -879,7 +879,7 @@ lemma gets_the_condsE:
= (\<not> P \<longrightarrow> (\<exists>fn. g = gets_the (fn o fn')))"
by (simp add: whenE_def unlessE_def gets_the_returns
ex_const_function
split: split_if)+
split: if_split)+
lemma no_fail_gets_the [wp]:
"no_fail (\<lambda>s. f s \<noteq> None) (gets_the f)"
@ -907,11 +907,11 @@ lemma assert_opt_If:
lemma if_to_top_of_bind:
"(bind (If P x y) z) = If P (bind x z) (bind y z)"
by (simp split: split_if)
by (simp split: if_split)
lemma if_to_top_of_bindE:
"(bindE (If P x y) z) = If P (bindE x z) (bindE y z)"
by (simp split: split_if)
by (simp split: if_split)
lemma alternative_bind:
"((a \<sqinter> b) >>= c) = ((a >>= c) \<sqinter> (b >>= c))"
@ -2222,7 +2222,7 @@ lemma oblivious_returnOk [simp]:
lemma oblivious_assertE [simp]:
"oblivious f (assertE P)"
by (simp add: assertE_def split: split_if)
by (simp add: assertE_def split: if_split)
lemma oblivious_throwError [simp]:
@ -2247,11 +2247,11 @@ lemma oblivious_catch:
lemma oblivious_when [simp]:
"oblivious f (when P m) = (P \<longrightarrow> oblivious f m)"
by (simp add: when_def split: split_if)
by (simp add: when_def split: if_split)
lemma oblivious_whenE [simp]:
"oblivious f (whenE P g) = (P \<longrightarrow> oblivious f g)"
by (simp add: whenE_def split: split_if)
by (simp add: whenE_def split: if_split)
lemma select_f_oblivious [simp]:
"oblivious f (select_f v)"
@ -2319,7 +2319,7 @@ lemma zipWithM_x_Nil2 :
lemma assert2:
"(do v1 \<leftarrow> assert P; v2 \<leftarrow> assert Q; c od)
= (do v \<leftarrow> assert (P \<and> Q); c od)"
by (simp add: assert_def split: split_if)
by (simp add: assert_def split: if_split)
lemma assert_opt_def2:
"assert_opt v = (do assert (v \<noteq> None); return (the v) od)"
@ -2334,7 +2334,7 @@ lemma gets_assert:
"(do v1 \<leftarrow> assert v; v2 \<leftarrow> gets f; c v1 v2 od)
= (do v2 \<leftarrow> gets f; v1 \<leftarrow> assert v; c v1 v2 od)"
by (simp add: simpler_gets_def return_def assert_def fail_def bind_def
split: split_if)
split: if_split)
lemma list_case_return2:
"(case x of [] \<Rightarrow> return v | y # ys \<Rightarrow> return (f y ys))
@ -2345,7 +2345,7 @@ lemma modify_assert:
"(do v2 \<leftarrow> modify f; v1 \<leftarrow> assert v; c v1 od)
= (do v1 \<leftarrow> assert v; v2 \<leftarrow> modify f; c v1 od)"
by (simp add: simpler_modify_def return_def assert_def fail_def bind_def
split: split_if)
split: if_split)
lemma gets_fold_into_modify:
"do x \<leftarrow> gets f; modify (g x) od = modify (\<lambda>s. g (f s) s)"
@ -2504,7 +2504,7 @@ lemma case_option_find_give_me_a_map:
apply (induct xs)
apply simp
apply (simp add: liftM_def mapME_Nil)
apply (simp add: mapME_Cons split: split_if)
apply (simp add: mapME_Cons split: if_split)
apply (clarsimp simp add: throwError_def bindE_def bind_assoc
liftM_def)
apply (rule bind_cong [OF refl])

@ -76,7 +76,7 @@ An additional annoyance to the clarsimp/tuple issue described above is
the splitter. The wp tool is designed to work on a hoare triple with a
schematic precondition. Note how the simplifier splits the problem
in two because it contains an if constant. Delete the split
rule from the simpset with (simp split del: split_if) to avoid this
rule from the simpset with (simp split del: if_split) to avoid this
issue and see where wp gets stuck.
We still need to deal with the if constant. In this (somewhat contrived)
@ -95,7 +95,7 @@ lemma example_3:
return $ y \<and> \<not> x
od \<lbrace>\<lambda>rv s. rv\<rbrace>"
apply wp
apply (simp add: if_apply_def2 split del: split_if)
apply (simp add: if_apply_def2 split del: if_split)
apply wp
apply simp
done

@ -20,7 +20,7 @@ lemma ccorres_rel_imp2:
apply (rule ccorresI', erule(5) ccorresE)
apply simp
apply (erule rev_bexI)
apply (simp add: unif_rrel_def split: split_if_asm)
apply (simp add: unif_rrel_def split: if_split_asm)
apply (cases "hs = []", simp_all)
done
@ -66,9 +66,9 @@ lemma exec_handlers_Hoare_Post:
"\<lbrakk> exec_handlers_Hoare \<Gamma> P c Q' A'; Q' \<subseteq> Q; A' \<subseteq> A \<rbrakk>
\<Longrightarrow> exec_handlers_Hoare \<Gamma> P c Q A"
apply (simp add: exec_handlers_Hoare_def
split del: split_if)
split del: if_split)
apply (elim allEI)
apply (simp split: split_if_asm)
apply (simp split: if_split_asm)
apply blast+
done
@ -96,7 +96,7 @@ lemma exec_handlers_Hoare_from_vcg_might_fail:
"\<lbrakk> \<Gamma> \<turnstile>\<^bsub>/F\<^esub> P c Q, A; UNIV \<subseteq> A' \<rbrakk>
\<Longrightarrow> exec_handlers_Hoare \<Gamma> P (c # hs) Q A'"
apply (clarsimp simp: exec_handlers_Hoare_def
split del: split_if split: split_if_asm)
split del: if_split split: if_split_asm)
apply (erule exec_handlers.cases, simp_all)
apply (case_tac hsa, simp_all)
apply (erule exec_handlers.cases, simp_all)
@ -303,13 +303,13 @@ lemma exec_handlers_Hoare_call_Basic:
"\<lbrakk> \<forall>s' t x. s' \<in> P \<longrightarrow> g s' t (ret s' t) \<in> Q; UNIV \<subseteq> A \<rbrakk> \<Longrightarrow>
exec_handlers_Hoare \<Gamma> P (call initfn p ret (\<lambda>x y. Basic (g x y)) # hs) Q A"
apply (clarsimp simp: exec_handlers_Hoare_def
split del: split_if)
split del: if_split)
apply (erule exec_handlers.cases)
apply clarsimp
apply (erule exec_call_Normal_elim, simp_all)[1]
apply (auto elim!: exec_Normal_elim_cases)[1]
apply (frule exec_handlers_less2, clarsimp+)
apply (clarsimp simp: subset_iff split: split_if_asm)
apply (clarsimp simp: subset_iff split: if_split_asm)
apply (auto elim!: exec_Normal_elim_cases
exec_call_Normal_elim)
done
@ -560,12 +560,12 @@ lemma ccorres_if_lhs:
\<Longrightarrow> ccorres_underlying sr Gamm r xf arrel axf (\<lambda>s. (P \<longrightarrow> Q s) \<and> (\<not> P \<longrightarrow> R s))
{s. (P \<longrightarrow> s \<in> S) \<and> (\<not> P \<longrightarrow> s \<in> T)}
hs (if P then f else g) conc"
by (simp split: split_if)
by (simp split: if_split)
lemma ccorres_if_bind:
"ccorres_underlying sr Gamm r xf arrel axf G G' hs (if a then (b >>= f) else (c >>= f)) d
\<Longrightarrow> ccorres_underlying sr Gamm r xf arrel axf G G' hs ((if a then b else c) >>= f) d"
by (simp split: split_if_asm)
by (simp split: if_split_asm)
lemma ccorres_Cond_rhs:
"\<lbrakk> P \<Longrightarrow> ccorres_underlying sr Gamm rvr xf arrel axf Q S hs absf f;

@ -43,14 +43,14 @@ val unfold_bodies = Simplifier.make_simproc @{context} "unfold constants named *
*}
theorem spec_refine:
notes split_if[split del]
notes if_split[split del]
shows
"spec_statefn_simulates id (kernel_all_global_addresses.\<Gamma> symbol_table)
(kernel_all_substitute.\<Gamma> symbol_table domain)"
apply (simp add: kernel_all_global_addresses.\<Gamma>_def kernel_all_substitute.\<Gamma>_def)
apply (intro spec_statefn_simulates_lookup_tree_Node spec_statefn_simulates_lookup_tree_Leaf)
apply (tactic {* ALLGOALS (asm_simp_tac (put_simpset HOL_ss @{context} addsimps @{thms switch.simps fst_conv snd_conv}
addsimprocs [unfold_bodies] |> Splitter.del_split @{thm split_if}))
addsimprocs [unfold_bodies] |> Splitter.del_split @{thm if_split}))
THEN ALLGOALS (TRY o resolve_tac @{context} @{thms exec_statefn_simulates_refl}) *})
apply (tactic {* ALLGOALS (REPEAT_ALL_NEW (resolve_tac @{context} @{thms exec_statefn_simulates_comI

@ -718,7 +718,7 @@ lemma ccorres_trim_return:
apply -
apply (rule ccorres_rhs_assoc2)+
apply (rule ccorres_trim_redundant_throw)
apply (clarsimp split del: split_if)
apply (clarsimp split del: if_split)
apply (rule iffD2 [OF ccorres_semantic_equiv, OF _ cc])
apply (rule semantic_equivI)
apply (case_tac s')

@ -420,8 +420,8 @@ lemma exec_handlers_Hoare_from_vcg_nofail:
"\<Gamma> \<turnstile>\<^bsub>/F\<^esub> P c Q \<Longrightarrow> exec_handlers_Hoare \<Gamma> P (c # cs) Q A"
apply (drule hoare_sound)
apply (simp add: cvalid_def HoarePartialDef.valid_def
exec_handlers_Hoare_def split del: split_if)
apply (clarsimp split del: split_if)
exec_handlers_Hoare_def split del: if_split)
apply (clarsimp split del: if_split)
apply (erule exec_handlers.cases, auto)
done
@ -429,8 +429,8 @@ lemma exec_handlers_Hoare_from_vcg_fails:
"\<lbrakk> \<Gamma> \<turnstile>\<^bsub>/F\<^esub> P c {},UNIV; UNIV \<subseteq> A \<rbrakk> \<Longrightarrow> exec_handlers_Hoare \<Gamma> P (c # cs) Q A"
apply (drule hoare_sound)
apply (simp add: cvalid_def HoarePartialDef.valid_def
exec_handlers_Hoare_def split del: split_if)
apply (clarsimp split del: split_if)
exec_handlers_Hoare_def split del: if_split)
apply (clarsimp split del: if_split)
apply (erule exec_handlers.cases, simp_all)
apply (cases cs)
apply (auto elim!: exec_handlers.cases)[1]
@ -987,7 +987,7 @@ lemma ccorres_liftM_simp [simp]:
apply (erule (5) ccorresE)
apply (simp add: liftM_def NonDetMonad.bind_def return_def)
apply (erule bexI [rotated])
apply (simp add: unif_rrel_def split: split_if_asm)
apply (simp add: unif_rrel_def split: if_split_asm)
done
lemma ccorres_cond_weak:
@ -1225,7 +1225,7 @@ lemma ccorres_gen_asm2:
prefer 2
apply (rule ccorres_guard_imp)
apply (erule rl)
apply (simp split: split_if_asm)+
apply (simp split: if_split_asm)+
done
lemma ccorres_guard_imp2:

@ -557,7 +557,7 @@ lemma ccorres_special_trim_guard_DontReach_pis:
end
lemmas ccorres_boilerplace_simp_dels =
Collect_const -- "Avoid getting an implication due to split_if. Should probably just remove split_if"
Collect_const -- "Avoid getting an implication due to if_split. Should probably just remove if_split"
lemma ccorres_introduce_UNIV_Int_when_needed:
"ccorres_underlying sr Gamm r xf ar axf P (UNIV \<inter> {x. Q x}) hs a c
@ -1359,7 +1359,7 @@ lemma ceqv_xpres_rewrite_set_rules:
"\<lbrakk> ceqv_xpres_rewrite_set xf v S S''; ceqv_xpres_rewrite_set xf v S' S''' \<rbrakk>
\<Longrightarrow> ceqv_xpres_rewrite_set xf v (if G then S else S') (if G then S'' else S''')"
by (simp_all add: ceqv_xpres_rewrite_set_def ceqv_xpres_rewrite_basic_def
split: split_if)
split: if_split)
lemma ceqv_xpres_eq_If_rules:
"ceqv_xpres_eq_If False x y y"
@ -1467,7 +1467,7 @@ lemma ceqv_xpres_While_simpl_sequence:
[0 ..< (LEAST n. \<not> CP (v + of_nat n
* (THE offs. \<forall>s v. (xf' (simpl_final_basic (c' v) s) - v = offs))))])
else While {s. CP (xf' s)} c)"
apply (split split_if, simp add: ceqv_xpres_def[where c=c and c'=c for c])
apply (split if_split, simp add: ceqv_xpres_def[where c=c and c'=c for c])
apply (clarsimp simp: ceqv_xpres_eq_ceqv)
apply (rule ceqv_trans)
apply (rule_tac n="LEAST n. \<not> CP (v + of_nat n * offs)"
@ -1993,7 +1993,7 @@ fun tac ctxt =
ceqv_Seq_Skip_cases ceqv_Guard_UNIV[THEN iffD2]
Guard_ceqv[OF impI, OF refl] ceqv_refl
finish_ceqv_Seq_Skip_cases} 1
ORELSE (resolve_tac ctxt [@{thm xpresI}] THEN' simp_tac (ctxt |> Splitter.del_split @{thm "split_if"})) 1
ORELSE (resolve_tac ctxt [@{thm xpresI}] THEN' simp_tac (ctxt |> Splitter.del_split @{thm "if_split"})) 1
))
THEN simp_tac (put_simpset HOL_basic_ss ctxt addsimps @{thms com.case}) 1
*}

@ -358,7 +358,7 @@ fun unfold_data ctxt constn goal nmspce nil = (
val split_if = @{thm "split_if"}
val split_if = @{thm "if_split"}
fun maybe_cheat_tac ctxt thm =
if (Goal.skip_proofs_enabled ())

@ -118,7 +118,7 @@ subsection {* Properties of map restriction *}
lemma restrict_map_cancel:
"(m |` S = m |` T) = (dom m \<inter> S = dom m \<inter> T)"
by (fastforce dest: fun_cong simp: restrict_map_def None_not_eq split: split_if_asm)
by (fastforce dest: fun_cong simp: restrict_map_def None_not_eq split: if_split_asm)
lemma map_add_restricted_self [simp]:
"m ++ m |` S = m"
@ -232,11 +232,11 @@ subsection {* Properties of @{term "sub_restrict_map"} *}
lemma restrict_map_sub_disj: "h |` S \<bottom> h `- S"
by (fastforce simp: sub_restrict_map_def restrict_map_def map_disj_def
split: option.splits split_if_asm)
split: option.splits if_split_asm)
lemma restrict_map_sub_add: "h |` S ++ h `- S = h"
by (fastforce simp: sub_restrict_map_def restrict_map_def map_add_def
split: option.splits split_if)
split: option.splits if_split)
subsection {* Properties of map disjunction *}
@ -493,7 +493,7 @@ lemma map_le_conv:
unfolding map_le_def map_disj_def map_add_def
by (rule iffI,
clarsimp intro!: exI[where x="\<lambda>x. if x \<notin> dom h\<^sub>0' then h\<^sub>0 x else None"])
(fastforce intro: split: option.splits split_if_asm)+
(fastforce intro: split: option.splits if_split_asm)+
lemma map_le_conv2:
"h\<^sub>0' \<subseteq>\<^sub>m h\<^sub>0 = (\<exists>h\<^sub>1. h\<^sub>0 = h\<^sub>0' ++ h\<^sub>1 \<and> h\<^sub>0' \<bottom> h\<^sub>1)"

@ -90,9 +90,9 @@ lemma sep_set_conj_map_singleton_wp:
\<Longrightarrow> \<lbrace><P \<and>* (\<And>* x\<in>xs. I x) \<and>* R>\<rbrace> f \<lbrace>\<lambda>_. <Q \<and>* (\<And>* x\<in>xs. I x) \<and>* R>\<rbrace>"
apply (rule hoare_chain [where P="<P \<and>* I x \<and>* (\<And>* x\<in>xs - {x}. I x) \<and>* R>" and
Q="\<lambda>_. <Q \<and>* I x \<and>* (\<And>* x\<in>xs - {x}. I x) \<and>* R>"], assumption)
apply (subst (asm) sep.setprod.remove, assumption+)
apply (subst (asm) sep.prod.remove, assumption+)
apply sep_solve
apply (subst sep.setprod.remove, assumption+)
apply (subst sep.prod.remove, assumption+)
apply sep_solve
done

@ -691,11 +691,11 @@ where
abbreviation
sep_map_set_conj :: "('b \<Rightarrow> 'a::sep_algebra \<Rightarrow> bool) \<Rightarrow> 'b set \<Rightarrow> ('a \<Rightarrow> bool)"
where
"sep_map_set_conj g S \<equiv> sep.setprod g S"
"sep_map_set_conj g S \<equiv> sep.prod g S"
definition
sep_set_conj :: "('a::sep_algebra \<Rightarrow> bool) set \<Rightarrow> ('a \<Rightarrow> bool)" where
"sep_set_conj S \<equiv> sep.setprod id S"
"sep_set_conj S \<equiv> sep.prod id S"
(* Notation. *)
consts
@ -857,7 +857,7 @@ lemma sep_map_set_conj_restrict:
sep_map_set_conj P xs =
(sep_map_set_conj P {x \<in> xs. t x} \<and>*
sep_map_set_conj P {x \<in> xs. \<not> t x})"
by (subst sep.setprod.union_disjoint [symmetric], (fastforce simp: union_filter)+)
by (subst sep.prod.union_disjoint [symmetric], (fastforce simp: union_filter)+)
lemma sep_list_conj_map_add:
@ -917,7 +917,7 @@ lemma sep_set_conj_empty [simp]:
lemma sep_map_set_conj_reindex_cong:
"\<lbrakk>inj_on f A; B = f ` A; \<And>a. a \<in> A \<Longrightarrow> g a = h (f a)\<rbrakk>
\<Longrightarrow> sep_map_set_conj h B = sep_map_set_conj g A"
by (simp add: sep.setprod.reindex)
by (simp add: sep.prod.reindex)
lemma sep_list_conj_sep_map_set_conj:
"distinct xs
@ -928,7 +928,7 @@ lemma sep_list_conj_sep_set_conj:
"\<lbrakk>distinct xs; inj_on P (set xs)\<rbrakk>
\<Longrightarrow> \<And>* (map P xs) = \<And>* (P ` set xs)"
apply (subst sep_list_conj_sep_map_set_conj, assumption)
apply (clarsimp simp: sep_set_conj_def sep.setprod.reindex)
apply (clarsimp simp: sep_set_conj_def sep.prod.reindex)
done
lemma sep_map_set_conj_sep_list_conj:
@ -985,7 +985,7 @@ lemma set_sub_sub:
lemma sep_map_set_conj_sub_sub_disjoint:
"\<lbrakk>finite xs; zs \<subseteq> ys; ys \<subseteq> xs\<rbrakk>
\<Longrightarrow> sep_map_set_conj P (xs - zs) = (sep_map_set_conj P (xs - ys) \<and>* sep_map_set_conj P (ys - zs))"
apply (cut_tac sep.setprod.subset_diff [where A="xs-zs" and B="ys-zs" and g=P])
apply (cut_tac sep.prod.subset_diff [where A="xs-zs" and B="ys-zs" and g=P])
apply (subst (asm) set_sub_sub, fast+)
done
@ -1001,7 +1001,7 @@ lemma sep_list_conj_filter_map:
lemma sep_map_set_conj_restrict_predicate:
"finite A \<Longrightarrow> (\<And>* x\<in>A. if T x then P x else \<box>) = (\<And>* x\<in>(Set.filter T A). P x)"
by (simp add: Set.filter_def sep.setprod.inter_filter)
by (simp add: Set.filter_def sep.prod.inter_filter)
lemma distinct_filters:
"\<lbrakk>distinct xs; \<And>x. (f x \<and> g x) = False\<rbrakk> \<Longrightarrow>
@ -1013,14 +1013,14 @@ lemma sep_list_conj_distinct_filters:
\<And>* map P [x\<leftarrow>xs . f x \<or> g x] = (\<And>* map P [x\<leftarrow>xs . f x] \<and>* \<And>* map P [x\<leftarrow>xs . g x])"
apply (subst sep_list_conj_sep_map_set_conj, simp)+
apply (subst distinct_filters, simp+)
apply (subst sep.setprod.union_disjoint, auto)
apply (subst sep.prod.union_disjoint, auto)
done
lemma sep_map_set_conj_set_disjoint:
"\<lbrakk>finite {x. P x}; finite {x. Q x}; \<And>x. (P x \<and> Q x) = False\<rbrakk>
\<Longrightarrow> sep_map_set_conj g {x. P x \<or> Q x} =
(sep_map_set_conj g {x. P x} \<and>* sep_map_set_conj g {x. Q x})"
apply (subst sep.setprod.union_disjoint [symmetric], simp+)
apply (subst sep.prod.union_disjoint [symmetric], simp+)
apply blast
apply simp
by (metis Collect_disj_eq)

@ -617,11 +617,11 @@ lemma add_to_slots_comm:
lemma cdl_heap_add_none1:
"cdl_heap_add x y obj_id = None \<Longrightarrow> (sep_heap x) obj_id = None"
by (clarsimp simp: cdl_heap_add_def Let_unfold split:option.splits split_if_asm)
by (clarsimp simp: cdl_heap_add_def Let_unfold split:option.splits if_split_asm)
lemma cdl_heap_add_none2:
"cdl_heap_add x y obj_id = None \<Longrightarrow> (sep_heap y) obj_id = None"
by (clarsimp simp: cdl_heap_add_def Let_unfold split:option.splits split_if_asm)
by (clarsimp simp: cdl_heap_add_def Let_unfold split:option.splits if_split_asm)
lemma object_type_object_addL:
"object_type obj = object_type obj'
@ -700,7 +700,7 @@ instance
apply (case_tac x)
apply (clarsimp simp: cdl_heap_add_def)
apply (rule ext)
apply (clarsimp simp: cdl_ghost_state_add_def split:split_if_asm)
apply (clarsimp simp: cdl_ghost_state_add_def split:if_split_asm)
(* x ## y \<Longrightarrow> x + y = y + x *)
apply (clarsimp simp: plus_sep_state_def sep_disj_sep_state_def)
apply (erule sep_state_add_comm)

@ -47,7 +47,7 @@ lemma sep_map_general_def2:
apply clarsimp
apply (clarsimp simp: fun_upd_def)
apply (rule ext)
apply (fastforce simp: dom_def split:split_if)
apply (fastforce simp: dom_def split:if_split)
done
(* There is an object there. *)

@ -1089,7 +1089,7 @@ lemma auth_ipc_buffers_tro:
apply (drule_tac x = p in spec)
apply (erule integrity_obj.cases,
simp_all add: tcb_states_of_state_def get_tcb_def auth_ipc_buffers_def
split: cap.split_asm arch_cap.split_asm split_if_asm bool.splits)
split: cap.split_asm arch_cap.split_asm if_split_asm bool.splits)
apply fastforce
done
@ -1100,7 +1100,7 @@ lemma auth_ipc_buffers_tro_fwd:
apply (drule_tac x = p in spec)
apply (erule integrity_obj.cases,
simp_all add: tcb_states_of_state_def get_tcb_def auth_ipc_buffers_def
split: cap.split_asm arch_cap.split_asm split_if_asm bool.splits)
split: cap.split_asm arch_cap.split_asm if_split_asm bool.splits)
apply fastforce
done

@ -304,7 +304,7 @@ lemma lookup_pt_slot_authorised:
apply (simp add: aag_has_auth_to_Control_eq_owns)
apply (drule_tac f="\<lambda>pde. valid_pde pde s" in arg_cong, simp)
apply (clarsimp simp: obj_at_def a_type_def less_kernel_base_mapping_slots)
apply (clarsimp split: Structures_A.kernel_object.split_asm split_if_asm
apply (clarsimp split: Structures_A.kernel_object.split_asm if_split_asm
arch_kernel_obj.split_asm)
apply (erule pspace_alignedE, erule domI)
apply (simp add: pt_bits_def pageBits_def)
@ -517,10 +517,10 @@ lemma set_mrs_state_vrefs[wp]:
apply (simp add: set_mrs_def split_def set_object_def)
apply (wp gets_the_wp get_wp put_wp mapM_x_wp'
| wpc
| simp split del: split_if add: zipWithM_x_mapM_x split_def store_word_offs_def)+
| simp split del: if_split add: zipWithM_x_mapM_x split_def store_word_offs_def)+
apply (auto simp: obj_at_def state_vrefs_def get_tcb_ko_at
elim!: rsubst[where P=P, OF _ ext]
split: split_if_asm simp: vs_refs_no_global_pts_def)
split: if_split_asm simp: vs_refs_no_global_pts_def)
done
(* FIXME: move *)
@ -529,7 +529,7 @@ lemma set_mrs_thread_states[wp]:
apply (simp add: set_mrs_def split_def set_object_def)
apply (wp gets_the_wp get_wp put_wp mapM_x_wp'
| wpc
| simp split del: split_if add: zipWithM_x_mapM_x split_def store_word_offs_def)+
| simp split del: if_split add: zipWithM_x_mapM_x split_def store_word_offs_def)+
apply (clarsimp simp: fun_upd_def[symmetric] thread_states_preserved)
done
@ -538,7 +538,7 @@ lemma set_mrs_thread_bound_ntfns[wp]:
apply (simp add: set_mrs_def split_def set_object_def)
apply (wp gets_the_wp get_wp put_wp mapM_x_wp' dmo_wp
| wpc
| simp split del: split_if add: zipWithM_x_mapM_x split_def store_word_offs_def no_irq_storeWord)+
| simp split del: if_split add: zipWithM_x_mapM_x split_def store_word_offs_def no_irq_storeWord)+
apply (clarsimp simp: fun_upd_def[symmetric] thread_bound_ntfns_preserved )
done
@ -616,8 +616,8 @@ lemma set_mrs_integrity_autarch:
apply (simp add: set_mrs_def)
apply (wp gets_the_wp get_wp put_wp mapM_x_wp' store_word_offs_integrity_autarch [where aag = aag and thread = thread]
| wpc
| simp split del: split_if add: split_def zipWithM_x_mapM_x )+
apply (clarsimp elim!: in_set_zipE split: split_if_asm)
| simp split del: if_split add: split_def zipWithM_x_mapM_x )+
apply (clarsimp elim!: in_set_zipE split: if_split_asm)
apply (rule order_le_less_trans [where y = msg_max_length])
apply (fastforce simp add: le_eq_less_or_eq)
apply (simp add: msg_max_length_def msg_align_bits)
@ -763,7 +763,7 @@ lemma pas_refined_set_asid_strg:
\<longrightarrow>
pas_refined aag (s\<lparr>arch_state := arch_state s \<lparr>arm_asid_table := (arm_asid_table (arch_state s))(base \<mapsto> pool)\<rparr>\<rparr>)"
apply (clarsimp simp: pas_refined_def state_objs_to_policy_def)
apply (erule state_asids_to_policy_aux.cases, simp_all split: split_if_asm)
apply (erule state_asids_to_policy_aux.cases, simp_all split: if_split_asm)
apply (auto intro: state_asids_to_policy_aux.intros auth_graph_map_memI[OF sbta_vref] pas_refined_refl[simplified pas_refined_def state_objs_to_policy_def])
done
@ -984,7 +984,7 @@ lemma perform_asid_pool_invocation_pas_refined [wp]:
apply (clarsimp simp: cap_auth_conferred_def is_cap_simps is_page_cap_def auth_graph_map_mem
pas_refined_all_auth_is_owns pas_refined_refl cli_no_irqs
dest!: graph_ofD)
apply (clarsimp split: split_if_asm)
apply (clarsimp split: if_split_asm)
apply (clarsimp simp add: pas_refined_refl auth_graph_map_def2
mask_asid_low_bits_ucast_ucast[symmetric]
valid_apinv_def obj_at_def)
@ -1105,7 +1105,7 @@ lemma decode_arch_invocation_authorised:
unfolding arch_decode_invocation_def authorised_arch_inv_def aag_cap_auth_def
apply (rule hoare_pre)
apply (simp add: split_def Let_def
cong: cap.case_cong arch_cap.case_cong if_cong option.case_cong split del: split_if)
cong: cap.case_cong arch_cap.case_cong if_cong option.case_cong split del: if_split)
apply (wp select_wp whenE_throwError_wp check_vp_wpR
find_pd_for_asid_authority2
@ -1113,7 +1113,7 @@ lemma decode_arch_invocation_authorised:
| simp add: authorised_asid_control_inv_def authorised_page_inv_def
authorised_page_directory_inv_def
del: hoare_post_taut hoare_True_E_R
split del: split_if)+
split del: if_split)+
apply (clarsimp simp: authorised_asid_pool_inv_def authorised_page_table_inv_def
neq_Nil_conv invs_psp_aligned invs_arch_objs cli_no_irqs)
apply (drule diminished_cte_wp_at_valid_cap, clarsimp+)
@ -1158,7 +1158,7 @@ lemma decode_arch_invocation_authorised:
apply (clarsimp simp: vspace_cap_rights_to_auth_def mask_vm_rights_def
validate_vm_rights_def vm_read_write_def vm_read_only_def
vm_kernel_only_def
split: split_if_asm)
split: if_split_asm)
-- "Unmap"
apply (simp add: aag_cap_auth_def cli_no_irqs)
-- "PageTableCap"
@ -1174,7 +1174,7 @@ lemma decode_arch_invocation_authorised:
pde_ref2_def pas_refined_all_auth_is_owns pas_refined_refl )
apply (subgoal_tac "x && ~~ mask pt_bits = word")
apply simp
apply (clarsimp simp: valid_cap_simps cap_aligned_def split: split_if_asm)
apply (clarsimp simp: valid_cap_simps cap_aligned_def split: if_split_asm)
apply (subst (asm) upto_enum_step_subtract)
apply (subgoal_tac "is_aligned word pt_bits")
apply (simp add: is_aligned_no_overflow)
@ -1207,11 +1207,11 @@ lemma delete_asid_pas_refined[wp]:
apply (clarsimp dest!: auth_graph_map_memD graph_ofD)
apply (erule pas_refined_mem[OF sta_vref, rotated])
apply (fastforce simp: state_vrefs_def vs_refs_no_global_pts_def
image_def graph_of_def split: split_if_asm)
image_def graph_of_def split: if_split_asm)
apply (clarsimp simp: pas_refined_def dest!: graph_ofD)
apply (erule subsetD, erule state_asids_to_policy_aux.intros)
apply (fastforce simp: state_vrefs_def vs_refs_no_global_pts_def
graph_of_def image_def split: split_if_asm)
graph_of_def image_def split: if_split_asm)
done
lemma delete_asid_pool_pas_refined [wp]:

@ -154,7 +154,7 @@ proof (induct arbitrary: s rule: resolve_address_bits'.induct)
by wp
show ?case
apply (subst resolve_address_bits'.simps)
apply (cases cap', simp_all add: P split del: split_if)
apply (cases cap', simp_all add: P split del: if_split)
apply (rule hoare_pre_spec_validE)
apply (wp "1.hyps", (assumption | simp add: in_monad | rule conjI)+)
apply (wp get_cap_wp)
@ -177,12 +177,12 @@ lemma lookup_slot_for_cnode_op_authorised[wp]:
"\<lbrace>pas_refined aag and K (is_cnode_cap root \<longrightarrow> (\<forall>x \<in> obj_refs root. is_subject aag x))\<rbrace>
lookup_slot_for_cnode_op is_source root ptr depth
\<lbrace>\<lambda>rv s. is_subject aag (fst rv)\<rbrace>, -"
apply (simp add: lookup_slot_for_cnode_op_def split del: split_if)
apply (simp add: lookup_slot_for_cnode_op_def split del: if_split)
apply (rule hoare_pre)
apply (wp whenE_throwError_wp hoare_drop_imps
resolve_address_bits_authorised[THEN hoare_post_imp_R[where Q'="\<lambda>x s. is_subject aag (fst (fst x))"]]
| wpc
| simp add: split_def authorised_cnode_inv_def split del: split_if
| simp add: split_def authorised_cnode_inv_def split del: if_split
del: resolve_address_bits'.simps split_paired_All | clarsimp)+
done
@ -218,7 +218,7 @@ lemma decode_cnode_inv_authorised:
decode_cnode_invocation label args cap excaps
\<lbrace>\<lambda>rv s. authorised_cnode_inv aag rv s\<rbrace>,-"
apply (simp add: authorised_cnode_inv_def decode_cnode_invocation_def split_def whenE_def unlessE_def set_eq_iff
cong: if_cong Invocations_A.cnode_invocation.case_cong split del: split_if)
cong: if_cong Invocations_A.cnode_invocation.case_cong split del: if_split)
apply (rule hoare_pre)
apply (wp hoare_vcg_all_lift hoare_vcg_const_imp_lift_R hoare_vcg_all_lift_R
lsfco_cte_at
@ -245,7 +245,7 @@ lemma set_cap_state_vrefs[wp]:
apply (wp get_object_wp | wpc)+
apply (auto simp: obj_at_def state_vrefs_def
elim!: rsubst[where P=P, OF _ ext]
split: split_if_asm simp: vs_refs_no_global_pts_def)
split: if_split_asm simp: vs_refs_no_global_pts_def)
done
lemma set_cap_thread_states[wp]:
@ -279,7 +279,7 @@ lemma sita_caps_update:
state_irqs_to_policy_aux aag (\<lambda>a. if a = ptr then Some cap else caps a) \<subseteq> pasPolicy aag"
apply clarsimp
apply (erule state_irqs_to_policy_aux.cases)
apply (fastforce intro: state_irqs_to_policy_aux.intros simp: cap_links_irq_def split: split_if_asm)+
apply (fastforce intro: state_irqs_to_policy_aux.intros simp: cap_links_irq_def split: if_split_asm)+
done
lemma sata_update:
@ -289,7 +289,7 @@ lemma sata_update:
state_asids_to_policy_aux aag ((caps_of_state s) (ptr \<mapsto> cap)) asid_tab vrefs \<subseteq> pasPolicy aag"
apply clarsimp
apply (erule state_asids_to_policy_aux.cases)
apply (fastforce intro: state_asids_to_policy_aux.intros simp: cap_links_asid_slot_def label_owns_asid_slot_def split: split_if_asm)+
apply (fastforce intro: state_asids_to_policy_aux.intros simp: cap_links_asid_slot_def label_owns_asid_slot_def split: if_split_asm)+
done
lemma cli_caps_of_state:
@ -335,7 +335,7 @@ lemma set_cap_pas_refined [wp]:
apply (intro conjI) -- "auth_graph_map"
apply (clarsimp dest!: auth_graph_map_memD)
apply (erule state_bits_to_policy.cases, auto simp: cap_links_asid_slot_def label_owns_asid_slot_def intro: auth_graph_map_memI state_bits_to_policy.intros
split: split_if_asm)[1]
split: if_split_asm)[1]
apply (erule (2) sata_update[unfolded fun_upd_def])
apply (erule (2) sita_caps_update)
done
@ -350,7 +350,7 @@ lemma cap_move_respects[wp]:
apply (rule hoare_pre)
apply (wp get_cap_wp set_cap_integrity_autarch set_original_integrity_autarch
cap_move_ext.list_integ_lift[where Q="\<top>"] cap_move_list_integrity
| simp add: set_cdt_def split del: split_if)+
| simp add: set_cdt_def split del: if_split)+
apply (rule_tac Q="\<lambda>rv s. integrity aag X st s \<and> (\<forall>v. cdt s v = Some src \<longrightarrow> is_subject aag (fst v))"
in hoare_post_imp)
apply (simp add: integrity_def)
@ -378,12 +378,12 @@ lemma cap_swap_respects[wp]:
apply (wp get_cap_wp set_cap_integrity_autarch
cap_swap_ext_extended.list_integ_lift[where Q="\<top>"] cap_swap_list_integrity
set_original_integrity_autarch[unfolded pred_conj_def K_def]
| simp add: set_cdt_def split del: split_if)+
| simp add: set_cdt_def split del: if_split)+
apply (rule_tac Q="\<lambda>rv s. integrity aag X st s
\<and> (\<forall>v. cdt s v = Some slot \<or> cdt s v = Some slot'
\<longrightarrow> is_subject aag (fst v))"
in hoare_post_imp)
apply (simp add: fun_upd_def[symmetric] split del: split_if)
apply (simp add: fun_upd_def[symmetric] split del: if_split)
apply (intro integrity_cdt_fun_upd, simp_all)[1]
apply (simp add: integrity_def)
apply (clarsimp simp: integrity_cdt_def)
@ -491,7 +491,7 @@ lemma set_cdt_pas_refined:
apply (thin_tac "\<forall>a b aa. P a b aa" for P)
apply (erule state_bits_to_policy.cases)
apply (auto intro: auth_graph_map_memI state_bits_to_policy.intros
split: split_if_asm | blast)+
split: if_split_asm | blast)+
done
lemma pas_refined_original_cap_update[simp]:
@ -585,12 +585,12 @@ lemma cap_insert_pas_refined:
hoare_weak_lift_imp hoare_vcg_all_lift set_cap_caps_of_state2
set_untyped_cap_as_full_cdt_is_original_cap get_cap_wp
tcb_domain_map_wellformed_lift
| simp split del: split_if del: split_paired_All fun_upd_apply
| simp split del: if_split del: split_paired_All fun_upd_apply
| strengthen update_one_strg)+
apply (clarsimp simp: pas_refined_refl split del: split_if)
apply (clarsimp simp: pas_refined_refl split del: if_split)
apply (erule impE)
apply(clarsimp simp: cap_cur_auth_caps_of_state cte_wp_at_caps_of_state)
apply (auto split: split_if_asm simp: pas_refined_refl dest: aag_cdt_link_Control)
apply (auto split: if_split_asm simp: pas_refined_refl dest: aag_cdt_link_Control)
done
lemma cap_links_irq_Nullcap [simp]:
@ -628,8 +628,8 @@ lemma cap_swap_pas_refined[wp]:
\<lbrace>\<lambda>rv. pas_refined aag\<rbrace>"
apply (simp add: cap_swap_def)
apply (rule hoare_pre)
apply (wp set_cdt_pas_refined tcb_domain_map_wellformed_lift | simp split del: split_if)+
apply (clarsimp simp: pas_refined_refl split: split_if_asm split del: split_if)
apply (wp set_cdt_pas_refined tcb_domain_map_wellformed_lift | simp split del: if_split)+
apply (clarsimp simp: pas_refined_refl split: if_split_asm split del: if_split)
apply (fastforce dest: sta_cdt pas_refined_mem)+
done
@ -690,7 +690,7 @@ lemma sts_thread_bound_ntfns[wp]:
apply (simp add: set_thread_state_def set_object_def)
apply (wp dxo_wp_weak |simp)+
apply (clarsimp simp: thread_bound_ntfns_def get_tcb_def
split: split_if option.splits kernel_object.splits
split: if_split option.splits kernel_object.splits
elim!: rsubst[where P=P, OF _ ext])
done
@ -728,7 +728,7 @@ lemma set_thread_state_pas_refined:
apply (clarsimp dest!: auth_graph_map_memD)
apply (erule state_bits_to_policy.cases)
apply (auto intro: state_bits_to_policy.intros auth_graph_map_memI
split: split_if_asm)
split: if_split_asm)
done
lemma set_ep_vrefs[wp]:
@ -955,14 +955,14 @@ lemma store_pte_pas_refined[wp]:
apply (wp tcb_domain_map_wellformed_lift | wps)+
apply clarsimp
apply (rule conjI)
apply (clarsimp dest!: auth_graph_map_memD split del: split_if)
apply (clarsimp dest!: auth_graph_map_memD split del: if_split)
apply (erule state_bits_to_policy.cases,
auto intro: state_bits_to_policy.intros auth_graph_map_memI
split: split_if_asm)[1]
split: if_split_asm)[1]
apply (erule_tac B="state_asids_to_policy aag s" for s in subset_trans[rotated])
apply (auto intro: state_asids_to_policy_aux.intros
elim!: state_asids_to_policy_aux.cases
split: split_if_asm)
split: if_split_asm)
done
lemma store_pde_st_vrefs[wp]:
@ -973,7 +973,7 @@ lemma store_pde_st_vrefs[wp]:
(\<Union>(p', sz, auth)\<in>set_option (pde_ref2 pde).
(\<lambda>(p'', a). (p'', VSRef ((p && mask pd_bits) >> 2) (Some APageDirectory), a)) ` (ptr_range p' sz \<times> auth)))))\<rbrace>
store_pde p pde \<lbrace>\<lambda>rv s. P (state_vrefs s)\<rbrace>"
apply (simp add: store_pde_def set_pd_def set_object_def split del: split_if)
apply (simp add: store_pde_def set_pd_def set_object_def split del: if_split)
apply (wp get_object_wp)
apply (clarsimp simp: obj_at_def)
apply (erule all_rsubst[where P=P], subst fun_eq_iff)
@ -1011,16 +1011,16 @@ lemma store_pde_pas_refined[wp]:
apply (simp add: pas_refined_def state_objs_to_policy_def)
apply (rule hoare_pre)
apply (wp tcb_domain_map_wellformed_lift | wps)+
apply (clarsimp split del: split_if)
apply (clarsimp split del: if_split)
apply (rule conjI)
apply (clarsimp dest!: auth_graph_map_memD split del: split_if)
apply (clarsimp dest!: auth_graph_map_memD split del: if_split)
apply (erule state_bits_to_policy.cases,
auto intro: state_bits_to_policy.intros auth_graph_map_memI
split: split_if_asm)[1]
split: if_split_asm)[1]
apply (erule_tac B="state_asids_to_policy aag s" for s in subset_trans[rotated])
apply (auto intro: state_asids_to_policy_aux.intros
elim!: state_asids_to_policy_aux.cases
split: split_if_asm)
split: if_split_asm)
done
lemmas pde_ref_simps = pde_ref_def[split_simps pde.split]
@ -1079,11 +1079,11 @@ lemma set_asid_pool_pas_refined[wp]:
apply (clarsimp dest!: auth_graph_map_memD)
apply (erule state_bits_to_policy.cases,
auto intro: state_bits_to_policy.intros auth_graph_map_memI
split: split_if_asm)[1]
split: if_split_asm)[1]
apply (auto intro: state_asids_to_policy_aux.intros
simp: subsetD[OF _ state_asids_to_policy_aux.intros(2)]
elim!: state_asids_to_policy_aux.cases
split: split_if_asm)
split: if_split_asm)
apply fastforce+
done
@ -1095,7 +1095,7 @@ lemma pas_refined_clear_asid:
"pas_refined aag s \<Longrightarrow> pas_refined aag (s\<lparr>arch_state := arch_state s\<lparr>arm_asid_table := \<lambda>a. if a = asid then None else arm_asid_table (arch_state s) a\<rparr>\<rparr>)"
unfolding pas_refined_def
apply (auto simp: state_objs_to_policy_def elim!: state_asids_to_policy_aux.cases
split: split_if_asm intro: state_asids_to_policy_aux.intros)
split: if_split_asm intro: state_asids_to_policy_aux.intros)
apply (fastforce elim: state_asids_to_policy_aux.intros)+
done
@ -1262,18 +1262,18 @@ lemma auth_derived_mask_cap:
apply (rule conjI | clarsimp
| erule subsetD subsetD[OF cap_rights_to_auth_mono, rotated]
| simp add: cap_auth_conferred_def vspace_cap_rights_to_auth_def
is_page_cap_def split: split_if_asm)+
is_page_cap_def split: if_split_asm)+
done
lemma auth_derived_update_cap_data:
"\<lbrakk> auth_derived cap cap'; update_cap_data pres w cap \<noteq> cap.NullCap \<rbrakk>
\<Longrightarrow> auth_derived (update_cap_data pres w cap) cap'"
apply (simp add: update_cap_data_def is_cap_simps arch_update_cap_data_def
split del: split_if cong: if_cong)
split del: if_split cong: if_cong)
apply (clarsimp simp: badge_update_def Let_def split_def is_cap_simps
is_page_cap_def
split: split_if_asm
split del: split_if)
split: if_split_asm
split del: if_split)
apply (simp_all add: auth_derived_def the_cnode_cap_def)
apply (simp_all add: cap_auth_conferred_def)
done
@ -1298,7 +1298,7 @@ lemma decode_cnode_invocation_auth_derived:
"\<lbrace>\<top>\<rbrace> decode_cnode_invocation label args cap excaps
\<lbrace>cnode_inv_auth_derivations\<rbrace>,-"
apply (simp add: decode_cnode_invocation_def split_def whenE_def unlessE_def
split del: split_if)
split del: if_split)
apply (rule hoare_pre)
apply (wp derive_cap_auth_derived get_cap_auth_derived
hoare_vcg_all_lift
@ -1306,7 +1306,7 @@ lemma decode_cnode_invocation_auth_derived:
| simp add: cnode_inv_auth_derivations_If_Insert_Move[unfolded cnode_inv_auth_derivations_def]
cnode_inv_auth_derivations_def split_def whenE_def
del: hoare_post_taut hoare_True_E_R
split del: split_if
split del: if_split
| strengthen cte_wp_at_auth_derived_mask_cap_strg
cte_wp_at_auth_derived_update_cap_data_strg
| wp_once hoare_drop_imps)+
@ -1375,7 +1375,7 @@ lemma update_cap_obj_refs_subset:
"x \<in> obj_refs (update_cap_data P dt cap) \<Longrightarrow> x \<in> obj_refs cap"
apply (case_tac cap,
simp_all add: update_cap_data_closedform
split: split_if_asm)
split: if_split_asm)
done
(* FIXME: move *)
@ -1383,7 +1383,7 @@ lemma update_cap_untyped_range_subset:
"x \<in> untyped_range (update_cap_data P dt cap) \<Longrightarrow> x \<in> untyped_range cap"
apply (case_tac cap,
simp_all add: update_cap_data_closedform
split: split_if_asm)
split: if_split_asm)
done
lemmas derive_cap_aag_caps = derive_cap_obj_refs_auth derive_cap_untyped_range_subset derive_cap_clas derive_cap_cli
@ -1410,7 +1410,7 @@ lemma clas_update_cap_data [simp]:
lemma update_cap_cap_auth_conferred_subset:
"x \<in> cap_auth_conferred (update_cap_data b w cap) \<Longrightarrow> x \<in> cap_auth_conferred cap"
unfolding update_cap_data_def
apply (clarsimp split: split_if_asm simp: is_cap_simps cap_auth_conferred_def cap_rights_to_auth_def badge_update_def the_cnode_cap_def
apply (clarsimp split: if_split_asm simp: is_cap_simps cap_auth_conferred_def cap_rights_to_auth_def badge_update_def the_cnode_cap_def
Let_def vspace_cap_rights_to_auth_def arch_update_cap_data_def)
done

@ -89,7 +89,7 @@ lemma cap_move_list_integrity:
notes split_paired_All[simp del]
shows
"\<lbrace>list_integ P st and K(P src) and K(P dest)\<rbrace> cap_move_ext src dest src_p dest_p \<lbrace>\<lambda>_. list_integ P st\<rbrace>"
apply (simp add: cap_move_ext_def split del: split_if)
apply (simp add: cap_move_ext_def split del: if_split)
apply (wp update_cdt_list_wp)
apply (intro impI conjI allI | simp add: list_filter_replace list_filter_remove split: option.splits | elim conjE | simp add: list_integ_def)+
done
@ -98,7 +98,7 @@ lemma cap_insert_list_integrity:
notes split_paired_All[simp del]
shows
"\<lbrace>list_integ P st and K(P src) and K(P dest)\<rbrace> cap_insert_ext src_parent src dest src_p dest_p \<lbrace>\<lambda>_. list_integ P st\<rbrace>"
apply (simp add: cap_insert_ext_def split del: split_if)
apply (simp add: cap_insert_ext_def split del: if_split)
apply (wp update_cdt_list_wp)
apply (intro impI conjI allI | simp add: list_filter_insert_after list_filter_remove split: option.splits | elim conjE | simp add: list_integ_def)+
done
@ -107,7 +107,7 @@ lemma create_cap_list_integrity:
notes split_paired_All[simp del]
shows
"\<lbrace>list_integ P st and K(P dest)\<rbrace> create_cap_ext untyped dest dest_p \<lbrace>\<lambda>_. list_integ P st\<rbrace>"
apply (simp add: create_cap_ext_def split del: split_if)
apply (simp add: create_cap_ext_def split del: if_split)
apply (wp update_cdt_list_wp)
apply (intro impI conjI allI | simp add: list_filter_replace list_filter_remove split: option.splits | elim conjE | simp add: list_integ_def)+
done
@ -117,7 +117,7 @@ lemma empty_slot_list_integrity:
notes split_paired_All[simp del]
shows
"\<lbrace>list_integ P st and (\<lambda>s. valid_list_2 (cdt_list s) m) and K(P slot) and K( all_children P m)\<rbrace> empty_slot_ext slot slot_p \<lbrace>\<lambda>_. list_integ P st\<rbrace>"
apply (simp add: empty_slot_ext_def split del: split_if)
apply (simp add: empty_slot_ext_def split del: if_split)
apply (wp update_cdt_list_wp)
apply (intro impI conjI allI | simp add: list_filter_replace_list list_filter_remove split: option.splits | elim conjE | simp add: list_integ_def)+
apply (drule_tac x="the slot_p" in spec)
@ -130,7 +130,7 @@ lemma cap_swap_list_integrity:
notes split_paired_All[simp del]
shows
"\<lbrace>list_integ P st and K(P slot1) and K(P slot2)\<rbrace> cap_swap_ext slot1 slot2 slot1_p slot2_p \<lbrace>\<lambda>_. list_integ P st\<rbrace>"
apply (simp add: cap_swap_ext_def split del: split_if)
apply (simp add: cap_swap_ext_def split del: if_split)
apply (wp update_cdt_list_wp)
apply (intro impI conjI allI | simp add: list_filter_replace list_filter_swap split: option.splits | elim conjE | simp add: list_integ_def)+ (* slow *)
done

@ -214,7 +214,7 @@ lemma weak_derived_DomainCap:
"weak_derived c' c \<Longrightarrow> (c' = cap.DomainCap) = (c = cap.DomainCap)"
apply (clarsimp simp: weak_derived_def)
apply (erule disjE)
apply (clarsimp simp: copy_of_def split: split_if_asm)
apply (clarsimp simp: copy_of_def split: if_split_asm)
apply (auto simp: is_cap_simps same_object_as_def
split: cap.splits arch_cap.splits)[1]
apply simp
@ -277,7 +277,7 @@ lemma cap_insert_domain_sep_inv:
cap_insert cap slot dest_slot
\<lbrace> \<lambda>_. domain_sep_inv irqs st \<rbrace>"
apply(simp add: cap_insert_def)
apply(wp set_cap_domain_sep_inv get_cap_wp set_original_wp dxo_wp_weak | simp split del: split_if)+
apply(wp set_cap_domain_sep_inv get_cap_wp set_original_wp dxo_wp_weak | simp split del: if_split)+
apply(blast dest: cte_wp_at_is_derived_domain_sep_inv_cap)
done
@ -291,7 +291,7 @@ lemma cap_move_domain_sep_inv:
cap_move cap slot dest_slot
\<lbrace> \<lambda>_. domain_sep_inv irqs st \<rbrace>"
apply(simp add: cap_move_def)
apply(wp set_cap_domain_sep_inv get_cap_wp set_original_wp dxo_wp_weak | simp split del: split_if | blast dest: cte_wp_at_weak_derived_domain_sep_inv_cap)+
apply(wp set_cap_domain_sep_inv get_cap_wp set_original_wp dxo_wp_weak | simp split del: if_split | blast dest: cte_wp_at_weak_derived_domain_sep_inv_cap)+
done
lemma domain_sep_inv_machine_state_update[simp]:
@ -487,7 +487,7 @@ crunch domain_sep_inv[wp]: finalise_cap "domain_sep_inv irqs st"
lemma finalise_cap_domain_sep_inv_cap:
"\<lbrace>\<lambda>s. domain_sep_inv_cap irqs cap\<rbrace> finalise_cap cap b \<lbrace>\<lambda>rv s. domain_sep_inv_cap irqs (fst rv)\<rbrace>"
apply(case_tac cap)
apply(wp | simp add: o_def split del: split_if split: cap.splits arch_cap.splits | fastforce split: if_splits simp: domain_sep_inv_cap_def)+
apply(wp | simp add: o_def split del: if_split split: cap.splits arch_cap.splits | fastforce split: if_splits simp: domain_sep_inv_cap_def)+
apply(rule hoare_pre, wp, fastforce)
apply(rule hoare_pre, simp, wp, fastforce simp: domain_sep_inv_cap_def)
apply(simp add: arch_finalise_cap_def)
@ -509,7 +509,7 @@ lemma finalise_cap_returns_None:
finalise_cap cap b
\<lbrace>\<lambda>rv s. \<not> irqs \<longrightarrow> snd rv = None\<rbrace>"
apply(case_tac cap)
apply(simp add: o_def split del: split_if | wp | fastforce simp: domain_sep_inv_cap_def | rule hoare_pre)+
apply(simp add: o_def split del: if_split | wp | fastforce simp: domain_sep_inv_cap_def | rule hoare_pre)+
done
lemma rec_del_domain_sep_inv':
@ -528,10 +528,10 @@ lemma rec_del_domain_sep_inv':
done
next
case (2 slot exposed s) show ?case
apply(simp add: rec_del.simps split del: split_if)
apply(simp add: rec_del.simps split del: if_split)
apply(rule hoare_pre_spec_validE)
apply(wp drop_spec_validE[OF returnOk_wp] drop_spec_validE[OF liftE_wp] set_cap_domain_sep_inv
|simp add: split_def split del: split_if)+
|simp add: split_def split del: if_split)+
apply(rule spec_strengthen_postE)
apply(rule "2.hyps", fastforce+)
apply(rule drop_spec_validE, (wp preemption_point_inv| simp)+)[1]
@ -541,7 +541,7 @@ lemma rec_del_domain_sep_inv':
apply(wp finalise_cap_domain_sep_inv_cap get_cap_wp
finalise_cap_returns_None
drop_spec_validE[OF liftE_wp] set_cap_domain_sep_inv
|simp add: without_preemption_def split del: split_if
|simp add: without_preemption_def split del: if_split
|wp_once hoare_drop_imps)+
apply(blast dest: cte_wp_at_domain_sep_inv_cap)
done
@ -668,7 +668,7 @@ lemma invoke_cnode_domain_sep_inv:
\<lbrace>\<lambda>_. domain_sep_inv irqs st\<rbrace>"
unfolding invoke_cnode_def
apply(case_tac ci)
apply(wp cap_insert_domain_sep_inv cap_move_domain_sep_inv | simp split del: split_if)+
apply(wp cap_insert_domain_sep_inv cap_move_domain_sep_inv | simp split del: if_split)+
apply(rule hoare_pre)
apply(wp cap_move_domain_sep_inv cap_move_cte_wp_at_other get_cap_wp | simp | blast dest: cte_wp_at_weak_derived_domain_sep_inv_cap | wpc)+
apply(fastforce dest: cte_wp_at_weak_derived_ReplyCap)
@ -847,7 +847,7 @@ lemma cap_insert_domain_sep_inv':
cap_insert cap slot dest_slot
\<lbrace> \<lambda>_. domain_sep_inv irqs st\<rbrace>"
apply(simp add: cap_insert_def)
apply(wp set_cap_domain_sep_inv get_cap_wp dxo_wp_weak | simp split del: split_if)+
apply(wp set_cap_domain_sep_inv get_cap_wp dxo_wp_weak | simp split del: if_split)+
done
lemma domain_sep_inv_cap_max_free_index_update[simp]:
@ -1044,7 +1044,7 @@ lemma receive_ipc_base_domain_sep_inv:
apply (clarsimp cong: endpoint.case_cong thread_get_def get_thread_state_def)
apply (rule hoare_pre)
apply (wp setup_caller_cap_domain_sep_inv dxo_wp_weak
| wpc | simp split del: split_if)+
| wpc | simp split del: if_split)+
apply(rule_tac Q="\<lambda> r s. domain_sep_inv irqs st s" in hoare_strengthen_post)
apply(wp do_ipc_transfer_domain_sep_inv hoare_vcg_all_lift | wpc | simp)+
apply(wp hoare_vcg_imp_lift [OF set_endpoint_get_tcb, unfolded disj_not1] hoare_vcg_all_lift get_endpoint_wp
@ -1064,7 +1064,7 @@ lemma receive_ipc_domain_sep_inv:
apply (rule hoare_seq_ext[OF _ get_endpoint_sp])
apply (rule hoare_seq_ext[OF _ gbn_sp])
apply (case_tac ntfnptr, simp)
apply (wp receive_ipc_base_domain_sep_inv get_ntfn_wp | simp split: split_if option.splits)+
apply (wp receive_ipc_base_domain_sep_inv get_ntfn_wp | simp split: if_split option.splits)+
done
lemma send_fault_ipc_domain_sep_inv:
@ -1077,7 +1077,7 @@ lemma send_fault_ipc_domain_sep_inv:
apply(wp send_ipc_domain_sep_inv thread_set_valid_objs thread_set_tcb_fault_update_valid_mdb
thread_set_refs_trivial thread_set_obj_at_impossible
hoare_vcg_ex_lift
| wpc| simp add: Let_def split_def lookup_cap_def valid_tcb_fault_update split del: split_if)+
| wpc| simp add: Let_def split_def lookup_cap_def valid_tcb_fault_update split del: if_split)+
apply (wpe get_cap_inv[where P="domain_sep_inv irqs st and valid_objs and valid_mdb
and sym_refs o state_refs_of"])
apply (wp | simp)+
@ -1210,7 +1210,7 @@ lemma invoke_tcb_domain_sep_inv:
apply(case_tac tinv)
apply((wp restart_domain_sep_inv hoare_vcg_if_lift mapM_x_wp[OF _ subset_refl]
| wpc
| simp split del: split_if add: check_cap_at_def
| simp split del: if_split add: check_cap_at_def
| clarsimp)+)[3]
defer
apply((wp | simp )+)[2]
@ -1275,10 +1275,10 @@ lemma handle_invocation_domain_sep_inv:
\<lbrace>\<lambda>_. domain_sep_inv irqs st\<rbrace>"
apply (simp add: handle_invocation_def ts_Restart_case_helper split_def
liftE_liftM_liftME liftME_def bindE_assoc
split del: split_if)
split del: if_split)
apply(wp syscall_valid perform_invocation_domain_sep_inv
set_thread_state_runnable_valid_sched
| simp split del: split_if)+
| simp split del: if_split)+
apply(rule_tac E="\<lambda>ft. domain_sep_inv irqs st and
valid_objs and
sym_refs \<circ> state_refs_of and

@ -315,7 +315,7 @@ lemma caps_of_state_transform_opt_cap_rev:
apply (clarsimp simp:valid_objs_def dom_def)
apply (drule_tac x=a in spec, clarsimp)
apply (case_tac aa, simp_all add: object_slots_def caps_of_state_def2 nat_split_conv_to_if
split: split_if_asm)
split: if_split_asm)
apply (clarsimp simp:valid_obj_def valid_cs_def valid_cs_size_def)
apply (clarsimp simp:transform_cnode_contents_def)
apply (rule_tac x=z in exI, simp)
@ -331,7 +331,7 @@ lemma caps_of_state_transform_opt_cap_rev:
apply (rule nat_to_bl_to_bin, simp+)
apply (drule valid_etcbs_tcb_etcb [rotated], fastforce)
apply clarsimp
apply (clarsimp simp:transform_tcb_def tcb_slot_defs split:split_if_asm)
apply (clarsimp simp:transform_tcb_def tcb_slot_defs split:if_split_asm)
apply (clarsimp simp: is_null_cap_def is_bound_ntfn_cap_def infer_tcb_bound_notification_def
split: option.splits)
apply (simp add:is_thread_state_cap_def infer_tcb_pending_op_def is_null_cap_def is_real_cap_def
@ -344,13 +344,13 @@ lemma caps_of_state_transform_opt_cap_rev:
apply (subst bl_to_bin_tcb_cnode_index_le0; simp)
apply (rename_tac arch_kernel_obj)
apply (case_tac arch_kernel_obj; simp)
apply (clarsimp simp:transform_asid_pool_contents_def unat_map_def split:split_if_asm)
apply (clarsimp simp:transform_asid_pool_contents_def unat_map_def split:if_split_asm)
apply (clarsimp simp:is_real_cap_def is_null_cap_def transform_asid_pool_entry_def
split:option.splits)
apply (clarsimp simp:transform_page_table_contents_def unat_map_def split:split_if_asm)
apply (clarsimp simp:transform_page_table_contents_def unat_map_def split:if_split_asm)
apply (clarsimp simp:is_real_cap_def is_null_cap_def transform_pte_def
split:ARM_A.pte.splits)
apply (clarsimp simp:transform_page_directory_contents_def unat_map_def split:split_if_asm)
apply (clarsimp simp:transform_page_directory_contents_def unat_map_def split:if_split_asm)
apply (clarsimp simp:is_real_cap_def is_null_cap_def transform_pde_def
split:ARM_A.pde.splits)
done
@ -371,7 +371,7 @@ lemma opt_cap_None_word_bits:
apply (drule invs_valid_objs)
apply (simp add:object_slots_def valid_objs_def)
apply (case_tac aa, simp_all add: nat_split_conv_to_if
split: split_if_asm)
split: if_split_asm)
apply (clarsimp simp:transform_cnode_contents_def object_slots_def)
apply (drule_tac x=a in bspec)
apply (simp add:dom_def)+
@ -438,9 +438,9 @@ lemma thread_states_transform:
apply simp
apply (rule notI, drule invs_valid_idle, simp add:valid_idle_def pred_tcb_def2)
apply (simp add:infer_tcb_pending_op_def, case_tac "tcb_state a",
(simp add:split_if_asm| erule disjE)+)
(simp add:if_split_asm| erule disjE)+)
apply (simp add:infer_tcb_pending_op_def cdl_cap_auth_conferred_def,
case_tac "tcb_state a", (simp add:split_if_asm| erule disjE)+)
case_tac "tcb_state a", (simp add:if_split_asm| erule disjE)+)
done
lemma thread_bound_ntfns_transform:
@ -473,23 +473,23 @@ lemma thread_state_cap_transform_tcb:
apply (clarsimp simp: map_add_def object_slots_def)
apply (simp add:get_tcb_def object_slots_def)
apply (case_tac aa, simp_all add: nat_split_conv_to_if
split: split_if_asm)
split: if_split_asm)
apply (clarsimp simp:transform_cnode_contents_def)
apply (case_tac z, simp_all add:is_thread_state_cap_def split:split_if_asm)
apply (case_tac z, simp_all add:is_thread_state_cap_def split:if_split_asm)
apply (rename_tac arch_cap)
apply (case_tac arch_cap; simp)
apply (clarsimp simp:transform_cnode_contents_def)
apply (case_tac z, simp_all add:is_thread_state_cap_def split:split_if_asm)
apply (case_tac z, simp_all add:is_thread_state_cap_def split:if_split_asm)
apply (rename_tac arch_cap)
apply (case_tac arch_cap; simp)
apply (rename_tac arch_kernel_obj)
apply (case_tac arch_kernel_obj; simp)
apply (clarsimp simp:transform_asid_pool_contents_def unat_map_def transform_asid_pool_entry_def
split:split_if_asm option.splits)
split:if_split_asm option.splits)
apply (clarsimp simp:transform_page_table_contents_def unat_map_def transform_pte_def
split:split_if_asm ARM_A.pte.splits)
split:if_split_asm ARM_A.pte.splits)
apply (clarsimp simp:transform_page_directory_contents_def unat_map_def transform_pde_def
split:split_if_asm ARM_A.pde.splits)
split:if_split_asm ARM_A.pde.splits)
done
@ -514,12 +514,12 @@ lemma thread_bound_ntfn_cap_transform_tcb:
apply (clarsimp simp:transform_cnode_contents_def)
apply (clarsimp simp:transform_cnode_contents_def)
apply (rename_tac arch_obj)
apply (case_tac arch_obj;clarsimp simp:transform_asid_pool_contents_def unat_map_def split:split_if_asm)
apply (case_tac arch_obj;clarsimp simp:transform_asid_pool_contents_def unat_map_def split:if_split_asm)
apply (clarsimp simp:transform_asid_pool_entry_def is_bound_ntfn_cap_def split:option.splits)
apply (clarsimp simp:transform_page_table_contents_def unat_map_def transform_pte_def is_bound_ntfn_cap_def
split:split_if_asm ARM_A.pte.splits)
split:if_split_asm ARM_A.pte.splits)
apply (clarsimp simp:transform_page_directory_contents_def unat_map_def transform_pde_def is_bound_ntfn_cap_def
split:split_if_asm ARM_A.pde.splits)
split:if_split_asm ARM_A.pde.splits)
done
@ -532,10 +532,10 @@ lemma thread_states_transform_rev:
apply (clarsimp simp:thread_states_def tcb_states_of_state_def)
apply (frule valid_etcbs_get_tcb_get_etcb[rotated], fastforce)
apply (frule_tac sl=b in opt_cap_tcb, assumption, simp)
apply (clarsimp split:split_if_asm)
apply (case_tac "aa tcb", simp_all add:is_thread_state_cap_def split:split_if_asm)
apply (clarsimp split:if_split_asm)
apply (case_tac "aa tcb", simp_all add:is_thread_state_cap_def split:if_split_asm)
apply (rename_tac arch_cap)
apply (case_tac "arch_cap", simp_all split:split_if_asm)
apply (case_tac "arch_cap", simp_all split:if_split_asm)
apply (case_tac "tcb_state tcb", auto simp:infer_tcb_pending_op_def cdl_cap_auth_conferred_def
infer_tcb_bound_notification_def split: option.splits)
done
@ -549,10 +549,10 @@ lemma thread_bound_ntfns_transform_rev:
apply (clarsimp simp:thread_bound_ntfns_def)
apply (frule valid_etcbs_get_tcb_get_etcb[rotated], fastforce)
apply (frule_tac sl=b in opt_cap_tcb, assumption, simp)
apply (clarsimp split:split_if_asm)
apply (case_tac "tcb"; simp add:is_thread_state_cap_def is_bound_ntfn_cap_def split:split_if_asm)
apply (clarsimp split:if_split_asm)
apply (case_tac "tcb"; simp add:is_thread_state_cap_def is_bound_ntfn_cap_def split:if_split_asm)
apply (rename_tac arch_cap)
apply (case_tac "arch_cap", simp_all split:split_if_asm)
apply (case_tac "arch_cap", simp_all split:if_split_asm)
apply (clarsimp simp: infer_tcb_pending_op_def split: Structures_A.thread_state.splits)
apply (case_tac "tcb_bound_notification tcb",
auto simp: infer_tcb_pending_op_def cdl_cap_auth_conferred_def
@ -704,16 +704,16 @@ lemma state_vrefs_transform_rev:
apply (clarsimp simp:state_vrefs_def transform_def transform_objects_def
opt_cap_def slots_of_def opt_object_def)
apply (case_tac aa, simp_all add: transform_object_def object_slots_def nat_split_conv_to_if
split: split_if_asm)
split: if_split_asm)
apply (clarsimp simp:transform_cnode_contents_def is_real_cap_transform)
apply (clarsimp simp:transform_cnode_contents_def is_real_cap_transform)
apply (frule valid_etcbs_tcb_etcb [rotated], fastforce)
apply (clarsimp simp: transform_tcb_def is_real_cap_transform is_real_cap_infer_tcb_pending_op
is_real_cap_infer_tcb_bound_notification
split:split_if_asm)
split:if_split_asm)
apply (rename_tac arch_kernel_obj)
apply (case_tac arch_kernel_obj, simp_all add:vs_refs_no_global_pts_def graph_of_def)
apply (clarsimp simp:transform_asid_pool_contents_def unat_map_def split:split_if_asm)
apply (clarsimp simp:transform_asid_pool_contents_def unat_map_def split:if_split_asm)
apply (rule exI)
apply (rename_tac "fun")
apply (case_tac "fun (of_nat b)")
@ -722,7 +722,7 @@ lemma state_vrefs_transform_rev:
apply (clarsimp simp:transform_asid_pool_entry_def cdl_cap_auth_conferred_def)
apply simp
apply (clarsimp simp:transform_asid_pool_entry_def)
apply (clarsimp simp:transform_page_table_contents_def unat_map_def split:split_if_asm)
apply (clarsimp simp:transform_page_table_contents_def unat_map_def split:if_split_asm)
apply (rule exI)+
apply (drule pte_ref_transform_rev)
apply safe[1]
@ -730,7 +730,7 @@ lemma state_vrefs_transform_rev:
apply (rule_tac x="(ptr', auth)" in image_eqI)
apply simp
apply simp
apply (clarsimp simp:transform_page_directory_contents_def unat_map_def split:split_if_asm)
apply (clarsimp simp:transform_page_directory_contents_def unat_map_def split:if_split_asm)
apply (subgoal_tac "(of_nat b :: 12 word) < ucast (kernel_base >> 20)")
prefer 2
apply (subst word_not_le[symmetric])
@ -752,7 +752,7 @@ lemma cdl_cdt_transform_rev:
"\<lbrakk> invs s; cdl_cdt (transform s) slot' = Some slot \<rbrakk> \<Longrightarrow>
\<exists>ptr' ptr. slot' = transform_cslot_ptr ptr' \<and> slot = transform_cslot_ptr ptr \<and>
cdt s ptr' = Some ptr"
apply (clarsimp simp:cdt_transform map_lift_over_def split:split_if_asm)
apply (clarsimp simp:cdt_transform map_lift_over_def split:if_split_asm)
apply (rule_tac x=a in exI, rule_tac x=b in exI)
apply (subst (asm) inv_into_f_f)
apply (rule subset_inj_on)
@ -832,7 +832,7 @@ lemma state_objs_transform_rev:
apply simp
apply (subst (asm) untyped_range_transform[symmetric])
apply (simp add:is_untyped_cap_def transform_cap_def
split:cap.splits arch_cap.splits split_if_asm)
split:cap.splits arch_cap.splits if_split_asm)
apply simp
apply (simp add:cdl_cap_auth_conferred_def is_untyped_cap_def split:cdl_cap.splits)
apply clarsimp
@ -841,7 +841,7 @@ lemma state_objs_transform_rev:
apply simp
apply (subst (asm) obj_refs_transform[symmetric])
apply (simp add:is_untyped_cap_def transform_cap_def
split:cap.splits arch_cap.splits split_if_asm)
split:cap.splits arch_cap.splits if_split_asm)
apply simp
apply (simp add:cap_auth_conferred_transform)
apply (drule cdl_cdt_transform_rev [rotated], simp+)
@ -952,20 +952,20 @@ lemma opt_cap_Some_asid_real:
apply (case_tac "kheap s a")
apply (clarsimp simp: map_add_def object_slots_def)
apply (case_tac aa, simp_all add:object_slots_def valid_objs_def nat_split_conv_to_if
split: split_if_asm)
split: if_split_asm)
apply (clarsimp simp:transform_cnode_contents_def is_real_cap_transform)
apply (clarsimp simp:transform_cnode_contents_def is_real_cap_transform)
apply (frule valid_etcbs_tcb_etcb[rotated], fastforce)
apply (clarsimp simp: transform_tcb_def tcb_slot_defs is_real_cap_infer_tcb_bound_notification
is_real_cap_transform is_real_cap_infer_tcb_pending_op
split: split_if_asm)
split: if_split_asm)
apply (rename_tac arch_kernel_obj)
apply (case_tac arch_kernel_obj; simp)
apply (clarsimp simp:transform_asid_pool_contents_def unat_map_def split:split_if_asm)
apply (clarsimp simp:transform_asid_pool_contents_def unat_map_def split:if_split_asm)
apply (clarsimp simp:transform_asid_pool_entry_def split:option.splits)
apply (clarsimp simp:transform_page_table_contents_def unat_map_def split:split_if_asm)
apply (clarsimp simp:transform_page_table_contents_def unat_map_def split:if_split_asm)
apply (clarsimp simp:transform_pte_def split:ARM_A.pte.splits)
apply (clarsimp simp:transform_page_directory_contents_def unat_map_def split:split_if_asm)
apply (clarsimp simp:transform_page_directory_contents_def unat_map_def split:if_split_asm)
apply (clarsimp simp:transform_pde_def split:ARM_A.pde.splits)
done
@ -994,11 +994,11 @@ lemma state_vrefs_asid_pool_transform_rev:
apply (drule bspec)
apply fastforce
apply (case_tac a, simp_all add:transform_object_def object_slots_def)
apply (clarsimp simp:obj_at_def a_type_def split:split_if_asm)+
apply (clarsimp simp:obj_at_def a_type_def split:if_split_asm)+
apply (rename_tac arch_kernel_obj)
apply (case_tac arch_kernel_obj; simp add:vs_refs_no_global_pts_def graph_of_def)
apply (simp add:transform_asid_pool_contents_def unat_map_def transform_asid_low_bits_of
split:split_if_asm)
split:if_split_asm)
apply (rule_tac x="(ucast asid, cap_object pdcap)" in image_eqI)
apply (simp add:mask_asid_low_bits_ucast_ucast)
apply (clarsimp simp:transform_asid_pool_entry_def split:option.splits)
@ -1114,9 +1114,9 @@ proof -
apply (cases)
using e
apply (clarsimp simp: transform_def transform_objects_def restrict_map_def
split: split_if_asm Structures_A.kernel_object.splits)
split: if_split_asm Structures_A.kernel_object.splits)
apply (case_tac z, simp_all add: nat_split_conv_to_if
split: split_if_asm)
split: if_split_asm)
prefer 2
apply (rename_tac arch_kernel_obj)
apply (case_tac arch_kernel_obj; simp)

@ -519,7 +519,7 @@ lemma s1_caps_of_state :
apply (case_tac p, clarsimp)
apply (clarsimp split: if_splits)
apply (clarsimp simp: cte_wp_at_cases tcb_cap_cases_def
split: split_if_asm)+
split: if_split_asm)+
apply (clarsimp simp: caps1_7_def split: if_splits)
apply (clarsimp simp: caps1_6_def cte_wp_at_cases split: if_splits)
done
@ -1089,7 +1089,7 @@ lemma "pas_refined Sys2PAS s2"
Sys2AgentMap_simps
Sys2AuthGraph_def Sys2AuthGraph_aux_def
complete_AuthGraph_def
split: split_if_asm)[1]
split: if_split_asm)[1]
apply (drule s2_caps_of_state, clarsimp)
apply (elim disjE, simp_all)[1]
apply (clarsimp simp: state_refs_of_def s2_def kh2_def kh2_obj_def

@ -166,7 +166,7 @@ lemma sbn_pas_refined[wp]:
apply (clarsimp dest!: auth_graph_map_memD)
apply (erule state_bits_to_policy.cases)
apply (auto intro: state_bits_to_policy.intros auth_graph_map_memI
split: split_if_asm)
split: if_split_asm)
done
lemma unbind_notification_pas_refined[wp]:
@ -320,7 +320,7 @@ lemma fast_finalise_respects[wp]:
apply (wp unbind_maybe_notification_valid_objs get_ntfn_wp unbind_maybe_notification_respects
| wpc
| simp add: cap_auth_conferred_def cap_rights_to_auth_def aag_cap_auth_def when_def
split: split_if_asm
split: if_split_asm
| fastforce)+
apply (clarsimp simp: obj_at_def valid_cap_def is_ntfn invs_def valid_state_def valid_pspace_def
split: option.splits)+
@ -440,7 +440,7 @@ lemma finalise_cap_respects[wp]:
apply ((wp unbind_maybe_notification_valid_objs get_ntfn_wp
unbind_maybe_notification_respects
| wpc
| simp add: cap_auth_conferred_def cap_rights_to_auth_def aag_cap_auth_def split: split_if_asm
| simp add: cap_auth_conferred_def cap_rights_to_auth_def aag_cap_auth_def split: if_split_asm
| fastforce)+)[3]
apply (clarsimp simp: obj_at_def valid_cap_def is_ntfn invs_def
valid_state_def valid_pspace_def
@ -455,18 +455,18 @@ lemma finalise_cap_respects[wp]:
| clarsimp simp: cap_auth_conferred_def cap_rights_to_auth_def aag_cap_auth_def
unbind_maybe_notification_def
elim!: pas_refined_Control[symmetric]
| simp add: if_apply_def2 split del: split_if )+
| simp add: if_apply_def2 split del: if_split )+
apply (clarsimp simp: valid_cap_def pred_tcb_at_def obj_at_def is_tcb
dest!: tcb_at_ko_at)
apply (clarsimp split: option.splits elim!: pas_refined_Control[symmetric])
apply (frule bound_tcb_at_implies_reset, fastforce simp add: pred_tcb_at_def obj_at_def)
apply (drule pas_refined_Control, simp, simp)
(* other caps *)
apply (wp | simp add: if_apply_def2 split del: split_if
apply (wp | simp add: if_apply_def2 split del: if_split
| clarsimp simp: cap_auth_conferred_def cap_rights_to_auth_def is_cap_simps
pas_refined_all_auth_is_owns aag_cap_auth_def
deleting_irq_handler_def cap_links_irq_def invs_valid_objs
split del: split_if
split del: if_split
elim!: pas_refined_Control [symmetric])+
done
@ -502,16 +502,16 @@ lemma finalise_cap_auth':
finalise_cap cap final
\<lbrace>\<lambda>rv s. pas_cap_cur_auth aag (fst rv)\<rbrace>"
apply (rule hoare_gen_asm)
apply (cases cap, simp_all add: arch_finalise_cap_def split del: split_if)
apply (cases cap, simp_all add: arch_finalise_cap_def split del: if_split)
apply (wp
| simp add: comp_def hoare_post_taut [where P = \<top>] del: hoare_post_taut split del: split_if
| simp add: comp_def hoare_post_taut [where P = \<top>] del: hoare_post_taut split del: if_split
| fastforce simp: aag_cap_auth_Zombie aag_cap_auth_CNode aag_cap_auth_Thread
)+
apply (rule hoare_pre)
apply (wp | simp)+
apply (rule hoare_pre)
apply (wp | wpc
| simp add: comp_def hoare_post_taut [where P = \<top>] del: hoare_post_taut split del: split_if)+
| simp add: comp_def hoare_post_taut [where P = \<top>] del: hoare_post_taut split del: if_split)+
done
lemma finalise_cap_obj_refs:
@ -789,7 +789,7 @@ lemma pas_refined_set_asid_table_empty_strg:
pas_refined aag (s\<lparr>arch_state := arch_state s \<lparr>arm_asid_table := (arm_asid_table (arch_state s))(base \<mapsto> pool)\<rparr>\<rparr>)"
apply (clarsimp simp: pas_refined_def state_objs_to_policy_def)
apply (erule state_asids_to_policy_aux.cases)
apply(simp_all split: split_if_asm)
apply(simp_all split: if_split_asm)
prefer 2
apply (clarsimp simp: state_vrefs_def obj_at_def vs_refs_no_global_pts_def)
apply (auto intro: state_asids_to_policy_aux.intros auth_graph_map_memI[OF sbta_vref] pas_refined_refl[simplified pas_refined_def state_objs_to_policy_def])[3]
@ -843,7 +843,7 @@ proof (induct rule: cap_revoke.induct[where ?a1.0=s])
apply (wp "1.hyps", assumption+)
apply ((wp preemption_point_inv' | simp add: integrity_subjects_def pas_refined_def)+)[1]
apply (wp select_ext_weak_wp cap_delete_respects cap_delete_pas_refined
| simp split del: split_if | wp_once hoare_vcg_const_imp_lift hoare_drop_imps)+
| simp split del: if_split | wp_once hoare_vcg_const_imp_lift hoare_drop_imps)+
apply (auto simp: emptyable_def dest: descendants_of_owned reply_slot_not_descendant)
done
qed
@ -882,14 +882,14 @@ lemma finalise_cap_caps_of_state_nullinv:
"\<lbrace>\<lambda>s. P (caps_of_state s) \<and> (\<forall>p. P (caps_of_state s(p \<mapsto> cap.NullCap)))\<rbrace>
finalise_cap cap final
\<lbrace>\<lambda>rv s. P (caps_of_state s)\<rbrace>"
apply (cases cap, simp_all split del: split_if)
apply (cases cap, simp_all split del: if_split)
apply (wp suspend_caps_of_state unbind_notification_caps_of_state
unbind_notification_cte_wp_at
hoare_vcg_all_lift hoare_drop_imps
| simp split del: split_if
| simp split del: if_split
| fastforce simp: fun_upd_def )+
apply (rule hoare_pre)
apply (wp deleting_irq_handler_caps_of_state_nullinv | clarsimp split del: split_if | fastforce simp: fun_upd_def)+
apply (wp deleting_irq_handler_caps_of_state_nullinv | clarsimp split del: if_split | fastforce simp: fun_upd_def)+
done
lemma finalise_cap_cte_wp_at_nullinv:
@ -903,8 +903,8 @@ lemma finalise_cap_cte_wp_at_nullinv:
lemma finalise_cap_fst_ret:
"\<lbrace>\<lambda>s. P cap.NullCap \<and> (\<forall>a b c. P (cap.Zombie a b c)) \<rbrace> finalise_cap cap is_final\<lbrace>\<lambda>rv s. P (fst rv)\<rbrace>"
apply (cases cap, simp_all add: arch_finalise_cap_def split del: split_if)
apply (wp | simp add: comp_def split del: split_if | fastforce)+
apply (cases cap, simp_all add: arch_finalise_cap_def split del: if_split)
apply (wp | simp add: comp_def split del: if_split | fastforce)+
apply (rule hoare_pre)
apply (wp | simp | (rule hoare_pre, wpc))+
done
@ -1057,7 +1057,7 @@ lemma invoke_cnode_pas_refined:
apply (wp cap_insert_pas_refined cap_delete_pas_refined cap_revoke_pas_refined
get_cap_wp
| wpc
| simp split del: split_if)+
| simp split del: if_split)+
apply (cases ci, simp_all add: authorised_cnode_inv_def
cnode_inv_auth_derivations_def integrity_def)
apply (clarsimp simp: cte_wp_at_caps_of_state pas_refined_refl cap_links_irq_def


@ -87,7 +87,7 @@ lemma decode_irq_control_invocation_authorised [wp]:
unfolding decode_irq_control_invocation_def authorised_irq_ctl_inv_def arch_check_irq_def
apply (rule hoare_gen_asmE)
apply (rule hoare_pre)
apply (simp add: Let_def split del: split_if cong: if_cong)
apply (simp add: Let_def split del: if_split cong: if_cong)
apply (wp whenE_throwError_wp hoare_vcg_imp_lift hoare_drop_imps
| strengthen aag_Control_owns_strg
| simp add: o_def del: hoare_post_taut hoare_True_E_R)+
@ -105,7 +105,7 @@ lemma decode_irq_handler_invocation_authorised [wp]:
\<lbrace>\<lambda>x s. authorised_irq_hdl_inv aag x\<rbrace>, -"
unfolding decode_irq_handler_invocation_def authorised_irq_hdl_inv_def
apply (rule hoare_pre)
apply (simp add: Let_def split_def split del: split_if cong: if_cong)
apply (simp add: Let_def split_def split del: if_split cong: if_cong)
apply wp
apply (auto dest!: hd_in_set)
done


@ -183,10 +183,10 @@ lemma dmo_storeWord_respects_ipc:
apply (simp add: storeWord_def)
apply (wp dmo_wp)
apply clarsimp
apply (simp add: integrity_def split del: split_if)
apply (clarsimp split del: split_if)
apply (simp add: integrity_def split del: if_split)
apply (clarsimp split del: if_split)
apply (case_tac "x \<in> ptr_range (buf + of_nat p * of_nat word_size) 2")
apply (clarsimp simp add: st_tcb_at_tcb_states_of_state split del: split_if)
apply (clarsimp simp add: st_tcb_at_tcb_states_of_state split del: if_split)
apply (rule trm_ipc [where p' = thread])
apply simp
apply assumption
@ -263,7 +263,7 @@ lemma lookup_ipc_buffer_has_auth [wp]:
apply simp
apply (drule (1) cap_auth_caps_of_state)
apply (clarsimp simp: aag_cap_auth_def cap_auth_conferred_def vspace_cap_rights_to_auth_def
vm_read_write_def is_page_cap_def split: split_if_asm)
vm_read_write_def is_page_cap_def split: if_split_asm)
apply (drule bspec)
apply (erule (3) ipcframe_subset_page)
apply simp
@ -331,13 +331,13 @@ lemma set_mrs_respects_in_signalling':
apply (simp add: set_mrs_def split_def set_object_def)
apply (wp gets_the_wp get_wp put_wp
| wpc
| simp split del: split_if
| simp split del: if_split
add: zipWithM_x_mapM_x split_def store_word_offs_def fun_upd_def[symmetric])+
apply (rule hoare_post_imp [where Q = "\<lambda>rv. st_tcb_at (op = Structures_A.Running) thread and integrity aag X st"])
apply simp
apply (wp mapM_x_wp' dmo_storeWord_respects_ipc [where thread = thread and ep = ep])
apply (fastforce simp add: set_zip nth_append simp: msg_align_bits msg_max_length_def
split: split_if_asm)
split: if_split_asm)
apply wp
apply (rule impI)
apply (subgoal_tac "\<forall>c'. integrity aag X st
@ -382,7 +382,7 @@ lemma lookup_ipc_buffer_ptr_range:
apply (drule get_tcb_SomeD)+
apply (erule(1) valid_objsE)
apply (clarsimp simp: valid_obj_def valid_tcb_def valid_ipc_buffer_cap_def case_bool_if
split: split_if_asm)
split: if_split_asm)
apply (erule integrity_obj.cases, simp_all add: get_tcb_def vm_read_write_def)
apply auto
done
@ -699,10 +699,10 @@ next
thus ?case
apply (cases m)
apply (clarsimp simp add: Let_def split_def whenE_def
cong: if_cong list.case_cong split del: split_if)
cong: if_cong list.case_cong split del: if_split)
apply (rule hoare_pre)
apply (wp eb [OF nN] hoare_vcg_const_imp_lift hoare_vcg_const_Ball_lift
| assumption | simp split del: split_if)+
| assumption | simp split del: if_split)+
apply (rule cap_insert_assume_null)
apply (wp x hoare_vcg_const_Ball_lift cap_insert_cte_wp_at)
@ -721,7 +721,7 @@ next
apply (clarsimp simp: cte_wp_at_caps_of_state
ex_cte_cap_to_cnode_always_appropriate_strg
real_cte_tcb_valid caps_of_state_valid
split del: split_if)
split del: if_split)
apply (clarsimp simp: remove_rights_def caps_of_state_valid
neq_Nil_conv cte_wp_at_caps_of_state
imp_conjR[symmetric] cap_master_cap_masked_as_full
@ -817,7 +817,7 @@ lemma remove_rights_clas [simp]:
lemma remove_rights_cap_auth_conferred_subset:
"x \<in> cap_auth_conferred (remove_rights R cap) \<Longrightarrow> x \<in> cap_auth_conferred cap"
unfolding remove_rights_def cap_rights_update_def
apply (clarsimp split: split_if_asm cap.splits arch_cap.splits
apply (clarsimp split: if_split_asm cap.splits arch_cap.splits
simp: cap_auth_conferred_def vspace_cap_rights_to_auth_def acap_rights_update_def
validate_vm_rights_def vm_read_only_def vm_kernel_only_def)
apply (erule set_mp [OF cap_rights_to_auth_mono, rotated], clarsimp)+
@ -857,7 +857,7 @@ next
case (Cons c caps')
show ?case using Cons.prems
apply (cases c)
apply (simp split del: split_if cong: if_cong)
apply (simp split del: if_split cong: if_cong)
apply (rule hoare_pre)
apply (wp)
apply (elim conjE, erule subst, rule Cons.hyps)
@ -866,7 +866,7 @@ next
apply (fastforce dest: in_set_dropD in_set_dropD[where n=1, folded tl_drop_1])
apply (wp cap_insert_pas_refined hoare_vcg_ball_lift hoare_whenE_wp hoare_drop_imps
derive_cap_aag_caps
| simp split del: split_if add: if_apply_def2)+
| simp split del: if_split add: if_apply_def2)+
done
qed
@ -1018,7 +1018,7 @@ lemma send_ipc_pas_refined:
apply (wp set_thread_state_pas_refined)
apply wpc
apply (wp set_thread_state_pas_refined)
apply (simp add: hoare_if_r_and split del:split_if)
apply (simp add: hoare_if_r_and split del:if_split)
apply (rename_tac list x xs recv_state)
apply (rule_tac Q="\<lambda>rv. pas_refined aag and K (can_grant \<longrightarrow> is_subject aag (hd list))"
in hoare_strengthen_post[rotated])
@ -1115,7 +1115,7 @@ lemma receive_ipc_base_pas_refined:
apply (clarsimp simp: thread_get_def cong: endpoint.case_cong)
apply (rule hoare_pre)
apply (wp static_imp_wp set_thread_state_pas_refined get_endpoint_wp
| wpc | simp add: thread_get_def do_nbrecv_failed_transfer_def split del: split_if)+
| wpc | simp add: thread_get_def do_nbrecv_failed_transfer_def split del: if_split)+
apply (simp add:aag_cap_auth_def clas_no_asid cli_no_irqs)
apply (rename_tac list sss data)
apply (rule_tac Q="\<lambda>rv s. pas_refined aag s \<and> (sender_can_grant data \<longrightarrow> is_subject aag (hd list))"
@ -1254,7 +1254,7 @@ lemma copy_mrs_integrity_autarch:
store_word_offs_integrity_autarch [where aag = aag and thread = receiver]
| wpc
| simp
| fastforce simp: length_msg_registers msg_align_bits split: split_if_asm)+
| fastforce simp: length_msg_registers msg_align_bits split: if_split_asm)+
done
(* FIXME: Why was the [wp] attribute clobbered by interpretation of the Arch locale? *)
@ -1520,7 +1520,7 @@ lemma auth_ipc_buffers_mem_Write:
apply (clarsimp simp: aag_cap_auth_def cap_auth_conferred_def
vspace_cap_rights_to_auth_def vm_read_write_def
is_page_cap_def
split: split_if_asm)
split: if_split_asm)
apply (auto dest: ipcframe_subset_page)
done
@ -1550,7 +1550,7 @@ lemma integrity_tcb_in_ipc_final:
apply (simp add: tcb_states_of_state_def get_tcb_def)
apply (simp add: tcb_states_of_state_def get_tcb_def)
apply (simp add: auth_ipc_buffers_def get_tcb_def
split: option.split_asm cap.split_asm arch_cap.split_asm split_if_asm split del: split_if)
split: option.split_asm cap.split_asm arch_cap.split_asm if_split_asm split del: if_split)
apply simp
done
@ -1594,7 +1594,7 @@ lemma as_user_respects_in_ipc:
apply (simp add: as_user_def set_object_def)
apply (wp gets_the_wp get_wp put_wp mapM_x_wp'
| wpc
| simp split del: split_if add: zipWithM_x_mapM_x split_def store_word_offs_def)+
| simp split del: if_split add: zipWithM_x_mapM_x split_def store_word_offs_def)+
apply (clarsimp simp: st_tcb_def2 tcb_at_def fun_upd_def[symmetric])
apply (auto elim: update_tcb_context_in_ipc)
done
@ -1681,7 +1681,7 @@ lemma set_original_respects_in_ipc_autarch:
apply (clarsimp simp: integrity_tcb_in_ipc_def)
apply (simp add: integrity_def
tcb_states_of_state_def get_tcb_def map_option_def
split del: split_if cong: if_cong)
split del: if_split cong: if_cong)
apply simp
apply (clarsimp simp: integrity_cdt_def)
done
@ -1695,7 +1695,7 @@ lemma update_cdt_fun_upd_respects_in_ipc_autarch:
apply wp
apply (clarsimp simp: integrity_tcb_in_ipc_def integrity_def
tcb_states_of_state_def get_tcb_def
split del: split_if cong: if_cong)
split del: if_split cong: if_cong)
apply simp
apply (clarsimp simp add: integrity_cdt_def)
done
@ -1721,13 +1721,13 @@ lemma cap_insert_ext_integrity_in_ipc:
src_slot dest_slot src_p dest_p)
\<lbrace>\<lambda>yd. integrity_tcb_in_ipc aag X receiver epptr ctxt st\<rbrace>"
apply (rule hoare_gen_asm)+
apply (simp add: integrity_tcb_in_ipc_def split del: split_if)
apply (simp add: integrity_tcb_in_ipc_def split del: if_split)
apply (unfold integrity_def)
apply (simp only: integrity_cdt_list_as_list_integ)
apply (rule hoare_lift_Pf[where f="ekheap"])
apply (clarsimp simp: integrity_tcb_in_ipc_def integrity_def
tcb_states_of_state_def get_tcb_def
split del: split_if cong: if_cong)
split del: if_split cong: if_cong)
apply wp
apply (rule hoare_vcg_conj_lift)
apply (simp add: list_integ_def del: split_paired_All)
@ -1748,7 +1748,7 @@ lemma cap_inserintegrity_in_ipc_autarch:
update_cdt_fun_upd_respects_in_ipc_autarch
set_cap_respects_in_ipc_autarch get_cap_wp
cap_insert_ext_integrity_in_ipc
| simp split del: split_if)+
| simp split del: if_split)+
done
lemma transfer_caps_loop_respects_in_ipc_autarch:
@ -1812,7 +1812,7 @@ lemma copy_mrs_respects_in_ipc:
mapM_wp'
hoare_vcg_const_imp_lift hoare_vcg_all_lift
| wpc
| fastforce split: split_if_asm simp: length_msg_registers)+
| fastforce split: if_split_asm simp: length_msg_registers)+
done
lemma do_normal_transfer_respects_in_ipc:
@ -1849,9 +1849,9 @@ lemma set_mrs_respects_in_ipc:
apply (simp add: set_mrs_def set_object_def)
apply (wp mapM_x_wp' store_word_offs_respects_in_ipc
| wpc
| simp split del: split_if add: zipWithM_x_mapM_x split_def)+
| simp split del: if_split add: zipWithM_x_mapM_x split_def)+
apply (clarsimp simp add: set_zip nth_append simp: msg_align_bits msg_max_length_def
split: split_if_asm)
split: if_split_asm)
apply (simp add: length_msg_registers)
apply arith
apply simp
@ -1886,7 +1886,7 @@ lemma lookup_ipc_buffer_ptr_range_in_ipc:
apply (drule get_tcb_SomeD)
apply (erule(1) valid_objsE)
apply (clarsimp simp: valid_obj_def valid_tcb_def valid_ipc_buffer_cap_def case_bool_if
split: split_if_asm)
split: if_split_asm)
apply (erule tcb_in_ipc.cases, simp_all)
apply (clarsimp simp: get_tcb_def vm_read_write_def)
apply (clarsimp simp: get_tcb_def vm_read_write_def)
@ -2039,7 +2039,7 @@ lemma send_ipc_integrity_autarch:
apply simp+
apply (wp set_thread_state_integrity_autarch thread_get_wp' do_ipc_transfer_integrity_autarch
hoare_vcg_all_lift hoare_drop_imps set_endpoinintegrity
| wpc | simp add: get_thread_state_def split del: split_if
| wpc | simp add: get_thread_state_def split del: if_split
del: hoare_post_taut hoare_True_E_R)+
apply clarsimp
apply (intro conjI)
@ -2139,7 +2139,7 @@ lemma send_fault_ipc_pas_refined:
hoare_vcg_conj_lift hoare_vcg_ex_lift hoare_vcg_all_lift
| wpc
| rule hoare_drop_imps
| simp add: split_def del: split_if)+
| simp add: split_def del: if_split)+
apply (rule_tac Q'="\<lambda>rv s. pas_refined aag s
\<and> is_subject aag (cur_thread s)
\<and> valid_objs s \<and> sym_refs (state_refs_of s)
@ -2281,7 +2281,7 @@ lemma do_reply_transfer_pas_refined:
apply (wp set_thread_state_pas_refined do_ipc_transfer_pas_refined
thread_set_pas_refined_triv K_valid
| wpc
| simp add: thread_get_def split del: split_if)+
| simp add: thread_get_def split del: if_split)+
(* otherwise simp does too much *)
apply (rule hoare_strengthen_post, rule gts_inv)
apply (rule impI)
@ -2303,7 +2303,7 @@ lemma do_reply_transfer_respects:
do_ipc_transfer_integrity_autarch do_ipc_transfer_pas_refined
thread_set_integrity_autarch
handle_fault_reply_respects
| wpc | simp split del: split_if)+
| wpc | simp split del: if_split)+
apply (clarsimp simp: tcb_at_def invs_mdb invs_valid_objs)
done


@ -237,7 +237,7 @@ lemma init_arch_objects_integrity:
\<lbrace>\<lambda>rv. integrity aag X st\<rbrace>"
apply(rule hoare_gen_asm)+
apply(cases new_type)
apply(simp_all add: init_arch_objects_def split del: split_if)
apply(simp_all add: init_arch_objects_def split del: if_split)
apply(rule hoare_pre)
apply(wpc
| wp mapM_x_wp[OF _ subset_refl]
@ -334,21 +334,21 @@ lemma sta_detype:
"state_objs_to_policy (detype R s) \<subseteq> state_objs_to_policy s"
apply (clarsimp simp add: state_objs_to_policy_def state_refs_of_detype)
apply (erule state_bits_to_policy.induct)
apply (auto intro: state_bits_to_policy.intros split: split_if_asm)
apply (auto intro: state_bits_to_policy.intros split: if_split_asm)
done
lemma sita_detype:
"state_irqs_to_policy aag (detype R s) \<subseteq> state_irqs_to_policy aag s"
apply (clarsimp)
apply (erule state_irqs_to_policy_aux.induct)
apply (auto simp: detype_def intro: state_irqs_to_policy_aux.intros split: split_if_asm)
apply (auto simp: detype_def intro: state_irqs_to_policy_aux.intros split: if_split_asm)
done
lemma sata_detype:
"state_asids_to_policy aag (detype R s) \<subseteq> state_asids_to_policy aag s"
apply (clarsimp)
apply (erule state_asids_to_policy_aux.induct)
apply (auto intro: state_asids_to_policy_aux.intros split: split_if_asm)
apply (auto intro: state_asids_to_policy_aux.intros split: if_split_asm)
done
(* FIXME: move *)
@ -760,7 +760,7 @@ lemma use_retype_region_proofs_ext':
\<and> caps_no_overlap ptr sz s \<and> pspace_no_overlap_range_cover ptr sz s
\<and> (\<exists>slot. cte_wp_at (\<lambda>c. up_aligned_area ptr sz \<subseteq> cap_range c \<and> cap_is_device c = dev) slot s) \<and>
P s \<and> R (retype_addrs ptr ty n us) s\<rbrace> retype_region ptr n us ty dev \<lbrace>Q\<rbrace>"
apply (simp add: retype_region_def split del: split_if)
apply (simp add: retype_region_def split del: if_split)
apply (rule hoare_pre, (wp|simp)+)
apply (rule retype_region_ext_kheap_update[OF y])
apply (wp|simp)+
@ -796,7 +796,7 @@ lemma retype_region_ext_pas_refined:
apply (simp add: retype_region_ext_def, wp)
apply (clarsimp simp: tcb_domain_map_wellformed_aux_def)
apply (erule domains_of_state_aux.cases)
apply (clarsimp simp: foldr_upd_app_if' fun_upd_def[symmetric] split: split_if_asm)
apply (clarsimp simp: foldr_upd_app_if' fun_upd_def[symmetric] split: if_split_asm)
apply (clarsimp simp: default_ext_def default_etcb_def split: apiobject_type.splits)
defer
apply (force intro: domtcbs)
@ -1017,7 +1017,7 @@ lemma descendants_range_in_detype:
apply(simp add: descendants_range_in_def)
apply(rule ballI)
apply(drule_tac x=p' in bspec, assumption)
apply(clarsimp simp: null_filter_def split: split_if_asm)
apply(clarsimp simp: null_filter_def split: if_split_asm)
apply(rule conjI)
apply(simp add: cte_wp_at_caps_of_state)
apply(rule_tac t=a in ssubst[OF fst_conv[symmetric]])
@ -1376,7 +1376,7 @@ lemma invoke_untyped_pas_refined:
apply (clarsimp simp: retype_addrs_aligned_range_cover
cte_wp_at_caps_of_state)
apply (drule valid_global_refsD[rotated 2])
apply (clarsimp simp: post_retype_invs_def split: split_if_asm)
apply (clarsimp simp: post_retype_invs_def split: if_split_asm)
apply (erule caps_of_state_cteD)
apply (erule notE, erule subsetD[rotated])
apply (rule order_trans, erule retype_addrs_subset_ptr_bits)
@ -1402,7 +1402,7 @@ subsection{* decode *}
lemma data_to_obj_type_ret_not_asid_pool:
"\<lbrace> \<top> \<rbrace> data_to_obj_type arg \<lbrace> \<lambda>r s. r \<noteq> ArchObject ASIDPoolObj \<rbrace>,-"
apply(clarsimp simp: validE_R_def validE_def valid_def)
apply(auto simp: data_to_obj_type_def arch_data_to_obj_type_def throwError_def simp: returnOk_def bindE_def return_def bind_def lift_def split: split_if_asm)
apply(auto simp: data_to_obj_type_def arch_data_to_obj_type_def throwError_def simp: returnOk_def bindE_def return_def bind_def lift_def split: if_split_asm)
done
crunch inv[wp]: data_to_obj_type "P"
@ -1462,11 +1462,11 @@ lemma decode_untyped_invocation_authorised:
apply(wp dui_inv_wf | simp)+
apply (clarsimp simp: decode_untyped_invocation_def split_def
authorised_untyped_inv'_def
split del: split_if split: untyped_invocation.splits)
split del: if_split split: untyped_invocation.splits)
(* need to hoist the is_cnode_cap assumption into postcondition later on *)
apply (simp add: unlessE_def[symmetric] whenE_def[symmetric] unlessE_whenE
split del: split_if)
split del: if_split)
apply (wp whenE_throwError_wp hoare_vcg_all_lift mapME_x_inv_wp
| simp split: untyped_invocation.splits
| (auto)[1])+


@ -100,7 +100,7 @@ lemma perform_invocation_respects:
| wp_once hoare_pre_cont)+
apply (clarsimp simp: authorised_invocation_def split: Invocations_A.invocation.splits)
-- "EP case"
apply (fastforce simp: obj_at_def is_tcb split: split_if_asm)
apply (fastforce simp: obj_at_def is_tcb split: if_split_asm)
-- "NTFN case"
apply fastforce
done
@ -157,7 +157,7 @@ lemma decode_invocation_authorised:
decode_arch_invocation_authorised
| strengthen cnode_diminished_strg
| wpc | simp add: comp_def authorised_invocation_def decode_invocation_def
split del: split_if del: hoare_post_taut hoare_True_E_R
split del: if_split del: hoare_post_taut hoare_True_E_R
| wp_once hoare_FalseE_R)+
apply (clarsimp simp: aag_has_Control_iff_owns split_def aag_cap_auth_def)
@ -312,7 +312,7 @@ lemma handle_invocation_pas_refined:
hoare_vcg_conj_lift hoare_vcg_all_lift
| wpc
| rule hoare_drop_imps
| simp add: if_apply_def2 conj_comms split del: split_if
| simp add: if_apply_def2 conj_comms split del: if_split
del: hoare_True_E_R)+),
((wp lookup_extra_caps_auth lookup_extra_caps_authorised
decode_invocation_authorised
@ -320,7 +320,7 @@ lemma handle_invocation_pas_refined:
lookup_cap_and_slot_cur_auth
as_user_pas_refined
lookup_cap_and_slot_valid_fault3
| simp add: split comp_def runnable_eq_active del: split_if)+),
| simp add: split comp_def runnable_eq_active del: if_split)+),
(auto intro: guarded_to_cur_domain simp: ct_in_state_def st_tcb_at_def intro: if_live_then_nonz_capD)[1])+
done
@ -340,8 +340,8 @@ lemma handle_invocation_respects:
| rule hoare_drop_imps
| wpc | simp add: if_apply_def2
del: hoare_post_taut hoare_True_E_R
split del: split_if)+
apply (simp add: conj_comms pred_conj_def comp_def if_apply_def2 split del: split_if
split del: if_split)+
apply (simp add: conj_comms pred_conj_def comp_def if_apply_def2 split del: if_split
| wp perform_invocation_respects set_thread_state_pas_refined
set_thread_state_authorised
set_thread_state_runnable_valid_sched
@ -449,7 +449,7 @@ lemma ethread_set_time_slice_pas_refined[wp]:
apply (erule_tac x="(a, b)" in ballE)
apply force
apply (erule notE)
apply (erule domains_of_state_aux.cases, simp add: get_etcb_def split: split_if_asm)
apply (erule domains_of_state_aux.cases, simp add: get_etcb_def split: if_split_asm)
apply (force intro: domtcbs)+
done
@ -495,7 +495,7 @@ lemma timer_tick_integrity[wp]:
\<lbrace>\<lambda>_. integrity aag X st\<rbrace>"
apply (simp add: timer_tick_def)
apply (wp ethread_set_integrity_autarch gts_wp
| wpc | simp add: thread_set_time_slice_def split del: split_if)+
| wpc | simp add: thread_set_time_slice_def split del: if_split)+
apply (clarsimp simp: ct_in_state_def st_tcb_at_def obj_at_def)
done
@ -539,7 +539,7 @@ lemma handle_interrupt_integrity:
apply (clarsimp simp: cte_wp_at_caps_of_state)
apply (rule_tac s = s in hacky_ipc_Send [where irq = irq])
apply (drule (1) cap_auth_caps_of_state)
apply (clarsimp simp: aag_cap_auth_def is_cap_simps cap_auth_conferred_def cap_rights_to_auth_def split: split_if_asm)
apply (clarsimp simp: aag_cap_auth_def is_cap_simps cap_auth_conferred_def cap_rights_to_auth_def split: if_split_asm)
apply assumption+
done
@ -1557,7 +1557,7 @@ crunch cur_thread[wp]: cancel_badged_sends "\<lambda>s. P (cur_thread s)" (wp: c
lemma invoke_cnode_cur_thread[wp]: "\<lbrace>\<lambda>s. P (cur_thread s)\<rbrace> invoke_cnode a \<lbrace>\<lambda>r s. P (cur_thread s)\<rbrace>"
apply (simp add: invoke_cnode_def)
apply (rule hoare_pre)
apply (wp hoare_drop_imps hoare_vcg_all_lift | wpc | simp add: without_preemption_def split del: split_if)+
apply (wp hoare_drop_imps hoare_vcg_all_lift | wpc | simp add: without_preemption_def split del: if_split)+
done
crunch cur_thread[wp]: handle_event "\<lambda>s. P (cur_thread s)"
@ -1603,7 +1603,7 @@ lemma cap_revoke_idle_thread[wp]:"\<lbrace>\<lambda>s. P (idle_thread s)\<rbrace
lemma invoke_cnode_idle_thread[wp]: "\<lbrace>\<lambda>s. P (idle_thread s)\<rbrace> invoke_cnode a \<lbrace>\<lambda>r s. P (idle_thread s)\<rbrace>"
apply (simp add: invoke_cnode_def)
apply (rule hoare_pre)
apply (wp hoare_drop_imps hoare_vcg_all_lift | wpc | simp add: without_preemption_def split del: split_if)+
apply (wp hoare_drop_imps hoare_vcg_all_lift | wpc | simp add: without_preemption_def split del: if_split)+
done
crunch idle_thread[wp]: handle_event "\<lambda>s::det_state. P (idle_thread s)"
@ -1619,7 +1619,7 @@ crunch cur_domain[wp]: transfer_caps_loop, ethread_set, thread_set_priority, se
lemma invoke_cnode_cur_domain[wp]: "\<lbrace>\<lambda>s. P (cur_domain s)\<rbrace> invoke_cnode a \<lbrace>\<lambda>r s. P (cur_domain s)\<rbrace>"
apply (simp add: invoke_cnode_def)
apply (rule hoare_pre)
apply (wp hoare_drop_imps hoare_vcg_all_lift | wpc | simp add: without_preemption_def split del: split_if)+
apply (wp hoare_drop_imps hoare_vcg_all_lift | wpc | simp add: without_preemption_def split del: if_split)+
done
crunch cur_domain[wp]: handle_event "\<lambda>s. P (cur_domain s)" (wp: syscall_valid select_wp crunch_wps check_cap_inv cap_revoke_preservation simp: crunch_simps filterM_mapM unless_def ignore: without_preemption check_cap_at filterM getActiveIRQ resetTimer ackInterrupt const_on_failure getFAR getDFSR getIFSR)


@ -176,7 +176,7 @@ lemma set_priority_pas_refined[wp]:
apply (erule_tac x="(a, b)" in ballE)
apply simp
apply (erule domains_of_state_aux.cases)
apply (force intro: domtcbs split: split_if_asm)
apply (force intro: domtcbs split: if_split_asm)
done
lemma gts_test[wp]: "\<lbrace>\<top>\<rbrace> get_thread_state t \<lbrace>\<lambda>rv s. test rv = st_tcb_at test t s\<rbrace>"
@ -360,7 +360,7 @@ lemma invoke_tcb_respects:
apply (cases ti, simp_all add: hoare_conjD1 [OF invoke_tcb_tc_respects_aag [simplified simp_thms]]
del: invoke_tcb.simps Tcb_AI.tcb_inv_wf.simps K_def)
apply (safe intro!: hoare_gen_asm)
apply ((wp itr_wps mapM_x_wp' | simp add: if_apply_def2 split del: split_if
apply ((wp itr_wps mapM_x_wp' | simp add: if_apply_def2 split del: if_split
| wpc | clarsimp simp: authorised_tcb_inv_def
| rule conjI | subst(asm) idle_no_ex_cap)+)
done
@ -436,9 +436,9 @@ lemma decode_set_ipc_buffer_authorised:
\<lbrace>\<lambda>rv s. authorised_tcb_inv aag rv\<rbrace>, -"
unfolding decode_set_ipc_buffer_def authorised_tcb_inv_def
apply (cases "excaps ! 0")
apply (clarsimp cong: list.case_cong split del: split_if)
apply (clarsimp cong: list.case_cong split del: if_split)
apply (rule hoare_pre)
apply (clarsimp simp: ball_Un aag_cap_auth_def split del: split_if split add: prod.split
apply (clarsimp simp: ball_Un aag_cap_auth_def split del: if_split split: prod.split
| strengthen stupid_strg
| wp_once derive_cap_obj_refs_auth derive_cap_untyped_range_subset derive_cap_clas derive_cap_cli
hoare_vcg_all_lift_R whenE_throwError_wp slot_long_running_inv
@ -454,8 +454,8 @@ lemma decode_set_space_authorised:
\<lbrace>\<lambda>rv s. authorised_tcb_inv aag rv\<rbrace>, -"
unfolding decode_set_space_def authorised_tcb_inv_def
apply (rule hoare_pre)
apply (simp cong: list.case_cong split del: split_if)
apply (clarsimp simp: ball_Un split del: split_if
apply (simp cong: list.case_cong split del: if_split)
apply (clarsimp simp: ball_Un split del: if_split
| wp_once derive_cap_obj_refs_auth derive_cap_untyped_range_subset derive_cap_clas derive_cap_cli
hoare_vcg_const_imp_lift_R hoare_vcg_all_lift_R whenE_throwError_wp slot_long_running_inv)+
apply (clarsimp simp: not_less all_set_conv_all_nth dest!: P_0_1_spec)
@ -475,10 +475,10 @@ lemma decode_set_space_authorised':
apply (cases set_param)
apply (simp_all add: is_thread_control_def decode_set_space_def authorised_tcb_inv_def
cong: list.case_cong option.case_cong prod.case_cong
split: prod.split_asm split del: split_if)
split: prod.split_asm split del: if_split)
apply (cases "excaps!0")
apply (cases "excaps!Suc 0")
apply (clarsimp simp: ball_Un split del: split_if split add: prod.split
apply (clarsimp simp: ball_Un split del: if_split split: prod.split
| strengthen stupid_strg
| wp_once derive_cap_obj_refs_auth derive_cap_untyped_range_subset derive_cap_clas derive_cap_cli
hoare_vcg_all_lift_R whenE_throwError_wp slot_long_running_inv)+


@ -55,7 +55,7 @@ lemma globals_list_valid:
apply (rule globals_list_valid_optimisation[OF _ _ globals_list_ok])
apply (simp_all add: globals_list_def globals_list_valid_def
global_data_defs
del: distinct_prop.simps split del: split_if)
del: distinct_prop.simps split del: if_split)
apply (simp add: global_data_swappable_def global_data_def)
apply (simp_all add: global_data_valid)
apply (simp_all add: global_data_valid_def addressed_global_data_def


@ -106,7 +106,7 @@ lemma bisim_rab:
apply (auto intro!: bisim_underlyingI
elim!: separate_cnode_capE
simp: whenE_def in_monad Bex_def in_bindE word_bits_def in_get_cap_cte_wp_at cte_wp_at_caps_of_state
simp del: add_is_0 split: split_if_asm)[1]
simp del: add_is_0 split: if_split_asm)[1]
apply simp
apply (rule bisim_underlyingI)
apply (clarsimp )
@ -117,14 +117,14 @@ lemma bisim_rab:
apply (drule (2) valid_sep_cap_not_cnode [where cref = cref])
apply simp
apply (fastforce simp: in_monad Bex_def in_bindE word_bits_def in_get_cap_cte_wp_at cte_wp_at_caps_of_state whenE_def
simp del: add_is_0 split: split_if_asm)
simp del: add_is_0 split: if_split_asm)
apply clarsimp
apply (erule separate_cnode_capE)
apply (fastforce simp: word_bits_def in_monad)
apply (drule (2) valid_sep_cap_not_cnode [where cref = cref])
apply simp
apply (fastforce simp: in_monad Bex_def in_bindE word_bits_def in_get_cap_cte_wp_at cte_wp_at_caps_of_state whenE_def
simp del: add_is_0 split: split_if_asm)
simp del: add_is_0 split: if_split_asm)
done
@ -359,9 +359,9 @@ lemma decode_invocation_bisim:
unfolding decode_invocation_def Decode_A.decode_invocation_def
apply (rule bisim_guard_imp)
apply (rule bisim_separate_cap_cases [where cap = cap])
apply (simp split del: split_if)
apply (simp split del: if_split)
apply (rule bisim_throwError, simp)
apply (simp split del: split_if)
apply (simp split del: if_split)
apply (rule bisim_reflE)
apply (fastforce intro!: bisim_throwError bisim_returnOk simp: AllowRecv_def AllowSend_def)
apply simp
@ -386,7 +386,7 @@ lemma decode_separate_inv:
unfolding Decode_A.decode_invocation_def
apply (rule hoare_gen_asmE)
apply clarify
apply (erule separate_capE, simp_all split del: split_if)
apply (erule separate_capE, simp_all split del: if_split)
apply (rule hoare_pre, (wp | simp add: comp_def)+)[1]
apply (rule hoare_pre)
apply (wp | simp)+
@ -626,7 +626,7 @@ lemma handle_recv_bisim:
apply (rule bisim_split_reflE)
apply (rule_tac cap = rb in bisim_separate_cap_cases)
apply (simp, rule bisim_throwError, rule refl)+
apply (simp split del: split_if)
apply (simp split del: if_split)
apply (rule bisim_refl [where P = \<top> and P' = \<top>])
apply (case_tac rc, simp_all)[1]
apply (wp get_cap_wp' lsft_sep | simp add: lookup_cap_def split_def del: hoare_True_E_R)+


@ -612,7 +612,7 @@ lemma invoke_asid_pool_wp:
apply (rule hoare_strengthen_post[OF set_cap_wp])
apply (subst set_split_single[where A = "(Collect (\<lambda>off. off < 2 ^ asid_low_bits))"])
apply simp
apply (subst sep.setprod.union_disjoint)
apply (subst sep.prod.union_disjoint)
apply simp+
apply (clarsimp simp: sep_conj_assoc)
apply (sep_erule_concl sep_any_imp, sep_solve)
@ -627,7 +627,7 @@ lemma invoke_asid_pool_wp:
apply (safe,fastforce+)
apply (subst (asm) set_split_single[where A = "(Collect (\<lambda>off. off < 2 ^ asid_low_bits))"])
apply simp
apply (subst (asm) sep.setprod.union_disjoint)
apply (subst (asm) sep.prod.union_disjoint)
apply simp+
apply (simp add:sep_conj_assoc)
apply sep_solve


@ -86,7 +86,7 @@ lemma sep_nonimpact_valid_lift:
sep_state_add_def sep_disj_sep_state_def
sep_state_disj_def
map_option_case
split: split_if_asm option.splits sep_state.splits)
split: if_split_asm option.splits sep_state.splits)
apply (erule rsubst [where P=Q])
apply clarsimp
apply (rule conjI)


@ -470,10 +470,10 @@ lemma resolve_cap_rv1:
apply (wp gets_the_wpE)
apply (clarsimp simp: one_lvl_lookup_def offset_def)
apply (clarsimp simp: split_def split: sum.splits option.splits)
apply (simp add: split_def resolve_cap.simps split: split_if_asm)
apply (simp add: split_def resolve_cap.simps split: if_split_asm)
apply (simp add: obind_def split:option.splits)
apply (drule sep_f_size_opt_cnode)
apply (simp split: split_if_asm)+
apply (simp split: if_split_asm)+
done
lemma resolve_cap_u:
@ -485,10 +485,10 @@ lemma resolve_cap_u:
apply (clarsimp simp:
user_pointer_at_def Let_unfold one_lvl_lookup_def
offset_def split:option.splits sum.splits)
apply (simp add: split_def resolve_cap.simps split: split_if_asm)
apply (simp add: split_def resolve_cap.simps split: if_split_asm)
apply (simp add: obind_def sep_conj_assoc split:option.splits)
apply (sep_drule (direct) sep_f_size_opt_cnode)
apply (fastforce split: split_if_asm)+
apply (fastforce split: if_split_asm)+
done
lemma resolve_cap_u_nf:
@ -501,14 +501,14 @@ lemma resolve_cap_u_nf:
offset_def sep.mult_assoc)
apply (clarsimp simp: split_def split: sum.splits option.splits)
apply (safe)
apply (simp add: split_def resolve_cap.simps split: split_if_asm)
apply (simp add: split_def resolve_cap.simps split: if_split_asm)
apply (simp add: obind_def split:option.splits)
apply (sep_drule (direct) sep_f_size_opt_cnode)
apply (fastforce)+
apply (simp add: split_def resolve_cap.simps split: split_if_asm)
apply (simp add: split_def resolve_cap.simps split: if_split_asm)
apply (simp add: obind_def split:option.splits)
apply (sep_drule (direct) sep_f_size_opt_cnode)
apply (fastforce split: split_if_asm)+
apply (fastforce split: if_split_asm)+
done
lemma resolve_cap_rv:
@ -911,10 +911,10 @@ lemma is_exclusive_cap_update_cap_data:
apply (rule iffI)
apply (simp_all add: safe_for_derive_def update_cap_data_def update_cap_data_det_def)
apply (case_tac cap, simp_all add: safe_for_derive_def badge_update_def
split: split_if_asm)
split: if_split_asm)
apply (case_tac cap, simp_all add: badge_update_def guard_update_def
update_cap_badge_def
split: split_if_asm)
split: if_split_asm)
done
lemma cap_object_update_cap_rights:
@ -928,13 +928,13 @@ lemma derived_cap_update_cap_data_det_NullCap [simp]:
= (derived_cap cap = NullCap)"
by (clarsimp simp: derived_cap_def update_cap_data_det_def
badge_update_def update_cap_badge_def guard_update_def
split: cdl_cap.splits split_if_asm)
split: cdl_cap.splits if_split_asm)
lemma derived_cap_update_cap_rights_NullCap [simp]:
"(derived_cap (update_cap_rights rights cap) = NullCap)
= (derived_cap cap = NullCap)"
by (clarsimp simp: derived_cap_def update_cap_rights_def
split: cdl_cap.splits split_if_asm)
split: cdl_cap.splits if_split_asm)
lemma derived_cap_reset_cap_asid_NullCap:
"\<lbrakk>reset_cap_asid cap = reset_cap_asid cap'; derived_cap cap = NullCap\<rbrakk>
@ -1043,7 +1043,7 @@ lemma update_cap_data_non:
by (rule iffI,
simp_all add: update_cap_data_det_def badge_update_def
guard_update_def update_cap_badge_def
split: cdl_cap.splits split_if_asm)
split: cdl_cap.splits if_split_asm)
lemma decode_cnode_mutate_rvu:
"\<lbrace>\<lambda>s. caps \<noteq> []


@ -203,7 +203,7 @@ lemma sep_irq_node_dom_sep_map_predicate:
"sep_irq_node_dom (sep_map_predicate ptr P cmps) {}"
apply (clarsimp simp: sep_map_general_def object_to_sep_state_def
sep_irq_node_dom_def sep_map_predicate_def
split:sep_state.splits split_if_asm)
split:sep_state.splits if_split_asm)
done
lemma sep_map_rewrite_spec:
@ -262,7 +262,7 @@ lemma sep_spec_simps:
apply (clarsimp simp:object_to_sep_state_def)
apply (rule ext)
apply (clarsimp simp: object_project_def object_slots_object_clean
split: split_if_asm)
split: if_split_asm)
done
lemma sep_conj_spec:
@ -472,7 +472,7 @@ lemma set_cap_all_scheduable_tcbs:
apply (drule in_singleton)
apply (intro set_eqI iffI)
apply (clarsimp simp: sep_all_scheduable_tcbs_def sep_state_projection_def
split: split_if_asm option.splits)
split: if_split_asm option.splits)
apply (fastforce simp: sep_all_scheduable_tcbs_def map_add_def
sep_state_projection_def scheduable_cap_def
split: option.splits)


@ -152,7 +152,7 @@ lemma retype_region_wp:
apply (rule_tac P="current_domain = minBound" in hoare_gen_asm)
apply (wp create_objects_wp | simp)+
apply (subst sep_conj_assoc[symmetric])
apply (subst sep.setprod.union_disjoint [symmetric])
apply (subst sep.prod.union_disjoint [symmetric])
apply simp+
apply (simp add:Un_absorb1)
done
@ -204,7 +204,7 @@ lemma dummy_detype_if_untyped:
apply (case_tac s,clarsimp simp:detype_def sep_set_conj_def)
apply (rule ext)
apply (clarsimp simp:sep_state_projection_def sep_conj_def)
apply (subst (asm) sep.setprod.remove)
apply (subst (asm) sep.prod.remove)
apply simp+
apply (clarsimp simp:sep_map_o_conj image_def)
apply (drule_tac f = sep_heap in arg_cong)
@ -276,7 +276,7 @@ lemma reset_untyped_cap_wp:
apply (clarsimp dest!: reset_cap_asid_untyped_cap_eqD)
apply (subgoal_tac "tot_free_range = obj_range \<union> (tot_free_range - obj_range)")
apply simp
apply (subst (asm) sep.setprod.subset_diff)
apply (subst (asm) sep.prod.subset_diff)
apply simp+
apply (sep_select_asm 2)
apply (simp add:sep_conj_assoc)
@ -355,18 +355,18 @@ lemma invoke_untyped_wp:
\<and> distinct (map pick new_obj_refs) \<and>
new_obj_refs = map ((\<lambda>x. {x}) \<circ> pick) new_obj_refs \<and>
pick ` set new_obj_refs \<subseteq> tot_free_range" in hoare_gen_asm)
apply (simp del:set_map split del:split_if)
apply (simp del:set_map split del:if_split)
apply (rule hoare_strengthen_post[OF update_available_range_wp])
apply clarsimp
apply (rule_tac x = nfr in exI)
apply (rule conjI)
apply (clarsimp split:if_splits)
apply (sep_select 3,sep_select 2,simp)
apply (wp|simp split del:split_if)+
apply (wp|simp split del:if_split)+
apply (rule_tac P = "untyped_cap = UntypedCap dev obj_range free_range"
in hoare_gen_asm)
apply (clarsimp simp:conj_comms split del: split_if)
apply (simp add: conj_assoc[symmetric] del:conj_assoc split del: split_if)+
apply (clarsimp simp:conj_comms split del: if_split)
apply (simp add: conj_assoc[symmetric] del:conj_assoc split del: if_split)+
apply (rule hoare_vcg_conj_lift)
apply wp
apply (rule hoare_strengthen_post[OF generate_object_ids_rv])
@ -1055,10 +1055,10 @@ lemma transfer_caps_loop_cdl_parent:
"\<lbrace>\<lambda>s. cdl_cdt s slot = Some parent\<rbrace>
transfer_caps_loop ep rcvr caps dest
\<lbrace>\<lambda>_ s. cdl_cdt s slot = Some parent\<rbrace>"
apply (induct caps arbitrary: dest; clarsimp split del: split_if)
apply (induct caps arbitrary: dest; clarsimp split del: if_split)
apply (rule hoare_pre)
apply (wp alternative_wp crunch_wps | assumption
| simp add: crunch_simps split del: split_if)+
| simp add: crunch_simps split del: if_split)+
done
lemmas reset_untyped_cap_cdl2[wp] = reset_untyped_cap_cdl_parent[THEN valid_validE_E]
@ -1114,7 +1114,7 @@ lemma default_object_no_pending_cap:
apply (case_tac b)
apply (clarsimp simp: default_object_def object_slots_def default_tcb_def is_pending_cap_def
empty_cnode_def empty_cap_map_def empty_irq_node_def
split: split_if_asm)+
split: if_split_asm)+
done
lemma create_objects_no_pending[wp]:


@ -107,8 +107,8 @@ lemma setArchTCB_C_corres:
apply (rule conjI)
defer
apply (erule cready_queues_relation_not_queue_ptrs)
apply (rule ext, simp split: split_if)
apply (rule ext, simp split: split_if)
apply (rule ext, simp split: if_split)
apply (rule ext, simp split: if_split)
apply (drule ko_at_projectKO_opt)
apply (erule (2) cmap_relation_upd_relI)
apply (simp add: ctcb_relation_def carch_tcb_relation_def)
@ -485,7 +485,7 @@ proof -
using vms'[simplified valid_machine_state'_def]
apply (auto simp: user_mem'_def option_to_0_def typ_at'_def ko_wp_at'_def
option_to_ptr_def pointerInUserData_def observable_memory_def
split: option.splits split_if_asm)
split: option.splits if_split_asm)
done
with mach_rel[simplified cmachine_state_relation_def]
user_mem_C_relation[OF um_rel]
@ -566,7 +566,7 @@ lemma the_the_inv_mapI:
lemma eq_restrict_map_None[simp]:
"restrict_map m A x = None \<longleftrightarrow> x ~: (A \<inter> dom m)"
by (auto simp: restrict_map_def split: split_if_asm)
by (auto simp: restrict_map_def split: if_split_asm)
lemma eq_the_inv_map_None[simp]: "the_inv_map m x = None \<longleftrightarrow> x\<notin>ran m"
by (simp add: the_inv_map_def2)
lemma is_inv_unique:
@ -648,7 +648,7 @@ lemma (in kernel_m)
apply (rule conjI)
apply (frule is_inv_inj)
apply (clarsimp simp: the_inv_map_def is_inv_def dom_option_map
split: split_if)
split: if_split)
apply (intro conjI[rotated] impI domI, assumption)
apply (rule the_equality)
apply (clarsimp simp: ran_def dom_def Collect_eq)
@ -730,7 +730,7 @@ lemma tcb_queue_rel'_unique:
"hp NULL = None \<Longrightarrow>
tcb_queue_relation' gn gp hp as pp cp \<Longrightarrow>
tcb_queue_relation' gn gp hp as' pp cp \<Longrightarrow> as' = as"
apply (clarsimp simp: tcb_queue_relation'_def split: split_if_asm)
apply (clarsimp simp: tcb_queue_relation'_def split: if_split_asm)
apply (clarsimp simp: neq_Nil_conv)
apply (clarsimp simp: neq_Nil_conv)
apply (erule(2) tcb_queue_rel_unique)
@ -782,7 +782,7 @@ lemma cready_queues_to_H_correct:
lemma inj_image_inv:
assumes inj_f: "inj f"
shows "f ` A = B \<Longrightarrow> inv f ` B = A"
by (drule sym) (simp add: inv_image_comp[OF inj_f])
by (drule sym) (simp add: image_inv_f_f[OF inj_f])
lemma cmap_relation_unique:
assumes inj_f: "inj f"
@ -829,7 +829,7 @@ lemma ran_tcb_cte_cases:
(Structures_H.tcbReply, tcbReply_update),
(Structures_H.tcbCaller, tcbCaller_update),
(tcbIPCBufferFrame, tcbIPCBufferFrame_update)}"
by (auto simp add: tcb_cte_cases_def split: split_if_asm)
by (auto simp add: tcb_cte_cases_def split: if_split_asm)
(* FIXME: move *)
lemma ps_clear_is_aligned_ksPSpace_None:
@ -924,7 +924,7 @@ lemma map_to_ctes_tcb_ctes:
lemma cfault_rel_imp_eq:
"cfault_rel x a b \<Longrightarrow> cfault_rel y a b \<Longrightarrow> x=y"
by (clarsimp simp: cfault_rel_def is_cap_fault_def
split: split_if_asm seL4_Fault_CL.splits)
split: if_split_asm seL4_Fault_CL.splits)
lemma cthread_state_rel_imp_eq:
"cthread_state_relation x z \<Longrightarrow> cthread_state_relation y z \<Longrightarrow> x=y"
@ -1531,7 +1531,7 @@ lemma (in kernel_m) cstate_to_H_correct:
using cstate_rel
apply (fastforce simp: cstate_relation_def cpspace_relation_def
Let_def ghost_size_rel_def unat_eq_0
split: split_if)
split: if_split)
using valid cstate_rel
apply (rule cDomScheduleIdx_to_H_correct)
using cstate_rel


@ -215,7 +215,7 @@ proof -
apply simp
apply auto[1]
apply (simp add: asid_low_bits_def word_le_nat_alt)
apply (simp split: split_if)
apply (simp split: if_split)
apply (rule conjI)
apply (clarsimp simp: update_ti_t_ptr_0s)
apply (clarsimp simp: asid_low_bits_def word_le_nat_alt)
@ -332,7 +332,7 @@ proof -
apply (rule ccorres_from_vcg_nofail2, rule allI)
apply (rule conseqPre)
apply vcg
apply (clarsimp simp: cte_wp_at_ctes_of split: split_if_asm)
apply (clarsimp simp: cte_wp_at_ctes_of split: if_split_asm)
apply (frule(1) ctes_of_valid', clarsimp)
apply (subst ghost_assertion_size_logic[unfolded o_def, rotated], assumption)
apply (drule(1) valid_global_refsD_with_objSize)
@ -446,7 +446,7 @@ shows
cap_to_H_simps cap_untyped_cap_lift_def
ccap_relation_def modify_map_def
fun_eq_iff
dest!: word_unat.Rep_inverse' split: split_if)
dest!: word_unat.Rep_inverse' split: if_split)
apply (rule exI, strengthen refl)
apply (case_tac cte', simp add: cap_lift_untyped_cap max_free_index_def mask_def)
apply (simp add: mex_def meq_def del: split_paired_Ex)
@ -567,7 +567,7 @@ shows
apply (clarsimp simp: cap_get_tag_isCap hrs_htd_update)
apply (clarsimp simp: hrs_htd_update_def split_def
pageBits_def
split: split_if)
split: if_split)
apply (clarsimp simp: ARMSmallPageBits_def word_sle_def is_aligned_mask[symmetric]
ghost_assertion_data_get_gs_clear_region[unfolded o_def])
apply (subst ghost_assertion_size_logic_flex[unfolded o_def, rotated])
@ -612,7 +612,7 @@ lemma slotcap_in_mem_PageDirectory:
apply (simp add: cap_get_tag_isCap_ArchObject2)
done
declare split_if [split del]
declare if_split [split del]
lemma decodeARMPageTableInvocation_ccorres:
notes if_cong[cong] tl_drop_1[simp]
@ -712,7 +712,7 @@ lemma decodeARMPageTableInvocation_ccorres:
apply (frule cap_get_tag_isCap_unfolded_H_cap)
apply (clarsimp simp: cap_lift_page_table_cap cap_page_table_cap_lift_def
cap_to_H_def
elim!: ccap_relationE split: split_if)
elim!: ccap_relationE split: if_split)
apply (simp add: to_bool_def)
apply (simp add: throwError_bind invocationCatch_def)
apply (rule syscall_error_throwError_ccorres_n)
@ -760,7 +760,7 @@ lemma decodeARMPageTableInvocation_ccorres:
apply (clarsimp simp: cap_lift_page_directory_cap
cap_to_H_def cap_page_directory_cap_lift_def
to_bool_def neq_Nil_conv
elim!: ccap_relationE split: split_if)
elim!: ccap_relationE split: if_split)
apply (simp add: throwError_bind invocationCatch_def)
apply (rule syscall_error_throwError_ccorres_n)
apply (simp add: syscall_error_to_H_cases)
@ -789,7 +789,7 @@ lemma decodeARMPageTableInvocation_ccorres:
apply (frule cap_get_tag_isCap_unfolded_H_cap)
apply (clarsimp simp: cap_lift_page_directory_cap
cap_to_H_def cap_page_directory_cap_lift_def
elim!: ccap_relationE split: split_if)
elim!: ccap_relationE split: if_split)
apply (rule syscall_error_throwError_ccorres_n)
apply (simp add: syscall_error_to_H_cases)
apply (simp add: bindE_assoc del: Collect_const,
@ -915,7 +915,7 @@ lemma decodeARMPageTableInvocation_ccorres:
rule is_aligned_andI2,
simp add: is_aligned_def,
simp)+
apply (clarsimp simp: attribsFromWord_def split: split_if)
apply (clarsimp simp: attribsFromWord_def split: if_split)
apply word_bitwise
apply (clarsimp simp: word_size)
done
@ -929,7 +929,7 @@ lemma checkVPAlignment_spec:
apply (rule conjI)
apply (simp add: pageBitsForSize_def split: vmpage_size.split)
apply (simp add: from_bool_def vmsz_aligned'_def is_aligned_mask
mask_def split: split_if)
mask_def split: if_split)
done
definition
@ -984,7 +984,7 @@ lemma pde_get_tag_alt:
| Pde_pde_coarse _ \<Rightarrow> scast pde_pde_coarse
| Pde_pde_section _ \<Rightarrow> scast pde_pde_section
| Pde_pde_reserved \<Rightarrow> scast pde_pde_reserved)"
by (auto simp add: pde_lift_def Let_def split: split_if_asm)
by (auto simp add: pde_lift_def Let_def split: if_split_asm)
lemma cpde_relation_pde_case:
@ -1113,7 +1113,7 @@ lemma createSafeMappingEntries_PDE_ccorres:
apply (simp add: isPageTablePDE_def isSectionPDE_def
cpde_relation_pde_case from_bool_def)
apply (intro impI conjI disjCI2, simp_all add: array_assertion_shrink_right)[1]
apply (clarsimp simp: pde_tag_defs split: split_if bool.split)
apply (clarsimp simp: pde_tag_defs split: if_split bool.split)
apply (frule pde_pde_section_size_0_1[simplified pde_tag_defs, simplified], simp)
apply ceqv
apply (simp add: from_bool_0 del: Collect_const)
@ -1130,16 +1130,16 @@ lemma createSafeMappingEntries_PDE_ccorres:
apply (frule_tac n3="Suc o unat o i_'" in array_assertion_abs_pde_16_const[where pd=pd and vptr=vaddr,
simplified imp_conjL, THEN spec, THEN spec, THEN mp])
apply (simp add: upto_enum_word unat_of_nat vmsz_aligned_def
vmsz_aligned'_def split: split_if_asm)
vmsz_aligned'_def split: if_split_asm)
apply (clarsimp simp: upto_enum_step_def upto_enum_word
split: split_if)
split: if_split)
apply simp
apply (rule conseqPre, vcg)
apply (clarsimp simp: if_1_0_0)
apply simp
apply (wp getPDE_wp | wpc)+
apply simp
apply (simp add: upto_enum_step_def word_bits_def split: split_if)
apply (simp add: upto_enum_step_def word_bits_def split: if_split)
apply clarsimp
apply ceqv
apply csymbr
@ -1174,7 +1174,7 @@ lemma createSafeMappingEntries_PDE_ccorres:
pageBits_def)
apply (rule conjI)
apply (simp add: cpde_relation_def true_def false_def)
apply (simp add: split: split_if)
apply (simp add: split: if_split)
done
lemma pte_case_isLargePagePTE:
@ -1281,7 +1281,7 @@ lemma createSafeMappingEntries_PTE_ccorres:
apply (clarsimp simp: typ_heap_simps cpte_relation_def Let_def)
apply (simp add: isLargePagePTE_def pte_pte_large_lift_def pte_lift_def Let_def
pte_tag_defs pte_pte_invalid_def
split: ARM_H.pte.split_asm split_if_asm)
split: ARM_H.pte.split_asm if_split_asm)
apply ceqv
apply (simp add: pte_case_isLargePagePTE if_to_top_of_bindE del: Collect_const)
apply (rule ccorres_if_cond_throws[rotated -1, where Q=\<top> and Q'=\<top>])
@ -1360,13 +1360,13 @@ lemma createSafeMappingEntries_PTE_ccorres:
erule ko_at_projectKO_opt)
apply (auto simp: typ_heap_simps cpte_relation_def pte_pte_invalid_def
Let_def pte_lift_def pte_tag_defs
intro: typ_heap_simps split: split_if_asm)[1]
intro: typ_heap_simps split: if_split_asm)[1]
apply (wp getObject_inv loadObject_default_inv | simp)+
apply (simp add: objBits_simps archObjSize_def)
apply (simp add: loadObject_default_inv)
apply (simp add: empty_fail_getObject)
apply (simp add: upto_enum_step_def upto_enum_word
split: split_if)
split: if_split)
apply (rule conseqPre, vcg)
apply (clarsimp simp: pte_tag_defs)
using pte_get_tag_exhaust
@ -1374,7 +1374,7 @@ lemma createSafeMappingEntries_PTE_ccorres:
apply (wp getPTE_wp | simp | wpc)+
apply (simp add: upto_enum_step_def upto_enum_word
word_bits_def
split: split_if)
split: if_split)
apply simp
apply (rule ceqv_refl)
apply csymbr
@ -1496,7 +1496,7 @@ lemma pteCheckIfMapped_ccorres:
apply (case_tac rv, simp_all add: to_bool_def isInvalidPTE_def pte_tag_defs pte_pte_invalid_def
cpte_relation_def pte_pte_large_lift_def pte_get_tag_def
pte_lift_def Let_def
split: split_if_asm)
split: if_split_asm)
done
lemma cpde_relation_invalid:
@ -1522,7 +1522,7 @@ lemma pdeCheckIfMapped_ccorres:
apply (rule conseqPre, vcg)
apply (clarsimp simp: typ_heap_simps' return_def)
apply (case_tac rv, simp_all add: to_bool_def cpde_relation_invalid isInvalidPDE_def
split: split_if)
split: if_split)
done
lemma mapping_two_power_16_64_inequality:
@ -1774,7 +1774,7 @@ lemma createMappingEntries_valid_pde_slots'2:
apply (erule less_kernelBase_valid_pde_offset'[unfolded pdBits_def pageBits_def, simplified],
simp+)
apply (clarsimp simp:upto_enum_step_def
split: split_if)
split: if_split)
apply (clarsimp simp: upto_enum_def upt_conv_Cons[where i=0]
lookup_pd_slot_eq[unfolded pd_bits_def pageBits_def, simplified])
apply (rule context_conjI)
@ -2236,7 +2236,7 @@ lemmas vmsz_aligned_addrFromPPtr
lemma gen_framesize_to_H_eq_from_H':
"v < 4 \<Longrightarrow> (v' = gen_framesize_to_H v) = (framesize_from_H v' = v)"
apply (simp add: gen_framesize_to_H_def framesize_from_H_eqs
split: split_if)
split: if_split)
apply (clarsimp simp: framesize_from_H_eqs[symmetric] vm_page_size_defs)
apply unat_arith
done
@ -2257,7 +2257,7 @@ lemma framesize_from_H_eq_eq:
apply (clarsimp simp: framesize_from_to_H)
apply (simp add: framesize_from_H_def vm_page_size_defs split: vmpage_size.split)
apply (clarsimp simp: gen_framesize_to_H_eq_from_H)
apply (simp add: gen_framesize_to_H_def framesize_from_H_def split: split_if)
apply (simp add: gen_framesize_to_H_def framesize_from_H_def split: if_split)
apply (clarsimp simp: vm_page_size_defs)
apply unat_arith
done
@ -2294,13 +2294,13 @@ lemma generic_frame_cap_set_capFMappedAddress_ccap_relation:
\<Longrightarrow> ccap_relation (capCap_update (capVPMappedAddress_update (\<lambda>_. Some (asid, addr))) c) c''"
apply (clarsimp simp: isCap_simps)
apply (erule ccap_relationE)
apply (clarsimp simp: cap_to_H_def Let_def split: cap_CL.split_asm split_if_asm)
apply (clarsimp simp: cap_to_H_def Let_def split: cap_CL.split_asm if_split_asm)
apply (simp_all add: ccap_relation_def generic_frame_cap_set_capFMappedAddress_CL_def
cap_to_H_def c_valid_cap_def cl_valid_cap_def
generic_frame_cap_get_capFSize_CL_def
shiftr_asid_low_bits_mask_asid_high_bits
and_not_mask[symmetric] shiftr_asid_low_bits_mask_eq_0
split: split_if)
split: if_split)
apply (simp add: vmsz_aligned'_def gen_framesize_to_H_def)
apply (subst field_simps, simp add: word_plus_and_or_coroll2)
apply (simp add: vmsz_aligned'_def gen_framesize_to_H_def)
@ -2308,11 +2308,11 @@ lemma generic_frame_cap_set_capFMappedAddress_ccap_relation:
apply (simp add: vmsz_aligned'_def gen_framesize_to_H_def)
apply (subst field_simps, simp add: word_plus_and_or_coroll2)
apply (rule sym, erule is_aligned_neg_mask)
apply (simp add: pageBitsForSize_def split: split_if)
apply (simp add: pageBitsForSize_def split: if_split)
apply (simp add: vmsz_aligned'_def gen_framesize_to_H_def)
apply (subst field_simps, simp add: word_plus_and_or_coroll2)
apply (rule sym, erule is_aligned_neg_mask)
apply (simp add: pageBitsForSize_def split: split_if)
apply (simp add: pageBitsForSize_def split: if_split)
done
lemma slotcap_in_mem_valid:
@ -2443,7 +2443,7 @@ lemma setVMRootForFlush_ccorres2:
apply (clarsimp simp: isCap_simps(2) cap_get_tag_isCap_ArchObject[symmetric])
apply (clarsimp simp: cap_page_directory_cap_lift cap_to_H_def
elim!: ccap_relationE)
apply (simp add: to_bool_def split: split_if)
apply (simp add: to_bool_def split: if_split)
apply (auto simp: cap_get_tag_isCap_ArchObject2)
done
@ -2472,7 +2472,7 @@ lemma pte_get_tag_alt:
\<Longrightarrow> pte_get_tag v = (case pteC of
Pte_pte_small _ \<Rightarrow> scast pte_pte_small
| Pte_pte_large _ \<Rightarrow> scast pte_pte_large)"
by (auto simp add: pte_lift_def Let_def split: split_if_asm)
by (auto simp add: pte_lift_def Let_def split: if_split_asm)
definition
to_option :: "('a \<Rightarrow> bool) \<Rightarrow> 'a \<Rightarrow> 'a option"
@ -2833,7 +2833,7 @@ lemma decodeARMFrameInvocation_ccorres:
apply (clarsimp simp: if_1_0_0)
apply (clarsimp simp: cap_lift_page_directory_cap cap_to_H_def
to_bool_def cap_page_directory_cap_lift_def
elim!: ccap_relationE split: split_if)
elim!: ccap_relationE split: if_split)
apply (simp add: throwError_bind invocationCatch_def)
apply (rule syscall_error_throwError_ccorres_n)
apply (simp add: syscall_error_to_H_cases)
@ -3084,7 +3084,7 @@ lemma decodeARMFrameInvocation_ccorres:
apply (clarsimp simp: if_1_0_0)
apply (clarsimp simp: cap_lift_page_directory_cap cap_to_H_def
to_bool_def cap_page_directory_cap_lift_def
elim!: ccap_relationE split: split_if)
elim!: ccap_relationE split: if_split)
apply (simp add: throwError_bind invocationCatch_def)
apply (rule syscall_error_throwError_ccorres_n)
apply (simp add: syscall_error_to_H_cases)
@ -3106,7 +3106,7 @@ lemma decodeARMFrameInvocation_ccorres:
apply vcg
apply (clarsimp simp: cap_lift_page_directory_cap cap_to_H_def
to_bool_def cap_page_directory_cap_lift_def
elim!: ccap_relationE split: split_if)
elim!: ccap_relationE split: if_split)
apply (rule syscall_error_throwError_ccorres_n)
apply (simp add: syscall_error_to_H_cases)
apply csymbr+
@ -3260,7 +3260,7 @@ lemma decodeARMFrameInvocation_ccorres:
apply (subgoal_tac "cap_get_tag cap \<in> {scast cap_small_frame_cap, scast cap_frame_cap}")
prefer 2
apply (clarsimp simp: cap_to_H_def cap_lift_def Let_def elim!: ccap_relationE
split: split_if_asm)
split: if_split_asm)
apply (rule conjI)
apply clarsimp
apply (frule ccap_relation_PageCap_generics)
@ -3287,8 +3287,8 @@ lemma decodeARMFrameInvocation_ccorres:
apply simp
apply (simp add: gen_framesize_to_H_def vm_page_size_defs
hd_conv_nth length_ineq_not_Nil
split: split_if)
apply (simp add: vm_page_size_defs split: split_if_asm)
split: if_split)
apply (simp add: vm_page_size_defs split: if_split_asm)
apply (clarsimp simp:signed_shift_guard_simpler_32 pbfs_less)
apply (frule ccap_relation_PageCap_generics)
apply (clarsimp simp:framesize_from_H_eq_eqs)
@ -3320,7 +3320,7 @@ lemma sts_Restart_ct_active [wp]:
apply (clarsimp simp: ct_in_state'_def)
apply (rule hoare_lift_Pf2 [where f=ksCurThread])
apply (wp sts_st_tcb')
apply (simp split: split_if)
apply (simp split: if_split)
apply wp
done
@ -3563,7 +3563,7 @@ lemma decodeARMPageDirectoryInvocation_ccorres:
apply (frule cap_get_tag_isCap_unfolded_H_cap)
apply (clarsimp simp: cap_lift_page_directory_cap
cap_to_H_def cap_page_directory_cap_lift_def
elim!: ccap_relationE split: split_if)
elim!: ccap_relationE split: if_split)
apply (simp add: injection_handler_throwError)
apply (rule syscall_error_throwError_ccorres_n)
apply (simp add:syscall_error_to_H_cases)
@ -3953,7 +3953,7 @@ lemma Arch_decodeInvocation_ccorres:
linorder_not_less
order_antisym[OF inc_le])
apply (clarsimp simp: true_def false_def
split: option.split split_if)
split: option.split if_split)
apply (simp add: asid_high_bits_def word_le_nat_alt
word_less_nat_alt unat_add_lem[THEN iffD1])
apply auto[1]
@ -3974,7 +3974,7 @@ lemma Arch_decodeInvocation_ccorres:
rf_sr_armKSASIDTable[where n=0, simplified])
apply (simp add: asid_high_bits_def option_to_ptr_def option_to_0_def
from_bool_def
split: option.split split_if)
split: option.split if_split)
apply fastforce
apply ceqv
apply (rule ccorres_Guard_Seq)+
@ -4262,7 +4262,7 @@ lemma Arch_decodeInvocation_ccorres:
apply (clarsimp simp: inc_le from_bool_def typ_heap_simps
asid_low_bits_def not_less field_simps
false_def
split: split_if bool.splits)
split: if_split bool.splits)
apply unat_arith
apply (rule iffI)
apply (rule disjCI)
@ -4312,7 +4312,7 @@ lemma Arch_decodeInvocation_ccorres:
word_sless_def word_sle_def)
apply (erule cmap_relationE1[OF rf_sr_cpspace_asidpool_relation],
erule ko_at_projectKO_opt)
apply (clarsimp simp: typ_heap_simps from_bool_def split: split_if)
apply (clarsimp simp: typ_heap_simps from_bool_def split: if_split)
apply (simp add: cap_get_tag_isCap_ArchObject[symmetric])
apply (clarsimp simp: cap_lift_asid_pool_cap cap_to_H_def
cap_asid_pool_cap_lift_def false_def
@ -4472,12 +4472,12 @@ lemma Arch_decodeInvocation_ccorres:
cap_page_directory_cap_lift_def
cap_asid_pool_cap_lift_def mask_def[where n=4]
asid_shiftr_low_bits_less[unfolded mask_def asid_bits_def] word_and_le1
elim!: ccap_relationE split: split_if_asm)
elim!: ccap_relationE split: if_split_asm)
apply (clarsimp split: list.split)
apply (clarsimp simp: cap_lift_asid_pool_cap cap_lift_page_directory_cap
cap_to_H_def to_bool_def
cap_page_directory_cap_lift_def
elim!: ccap_relationE split: split_if_asm)
elim!: ccap_relationE split: if_split_asm)
done
end
end


@ -240,7 +240,7 @@ lemma locateSlotCNode_ccorres [corres]:
{s. x s = 0 \<or> array_assertion (cte_Ptr cnode') (unat offset') (hrs_htd (t_hrs_' (globals s)))}
(Basic (\<lambda>s. xfu (\<lambda>_. cte_Ptr (cnode' + offset'
* of_nat (size_of TYPE(cte_C)))) s)))"
apply (simp add: locateSlot_conv split del: split_if)
apply (simp add: locateSlot_conv split del: if_split)
apply (rule ccorres_guard_imp2)
apply (rule_tac P="cnode = cnode' \<and> offset = offset'" in ccorres_gen_asm2)
apply (rule ccorres_stateAssert)
@ -260,7 +260,7 @@ lemma locateSlotTCB_ccorres [corres]:
(Basic (\<lambda>s. xfu (\<lambda>_. Ptr (cnode' + offset' * of_nat (size_of TYPE(cte_C))) :: cte_C ptr) s))"
unfolding locateSlot_conv using gl fg
apply -
apply (simp add: size_of_def split del: split_if)
apply (simp add: size_of_def split del: if_split)
apply (rule ccorres_return)
apply (rule conseqPre)
apply vcg


@ -33,8 +33,8 @@ lemma maskCapRights_cap_cases:
(capNtfnCanSend_update
(\<lambda>_. capNtfnCanSend c \<and> capAllowWrite R) c))
| _ \<Rightarrow> return c)"
apply (simp add: maskCapRights_def Let_def split del: split_if)
apply (cases c; simp add: isCap_simps split del: split_if)
apply (simp add: maskCapRights_def Let_def split del: if_split)
apply (cases c; simp add: isCap_simps split del: if_split)
done
@ -119,7 +119,7 @@ lemma Arch_maskCapRights_ccorres [corres]:
apply (simp add: cap_small_frame_cap_lift [THEN iffD1])
apply (clarsimp simp: cap_to_H_def)
apply (simp add: map_option_case split: option.splits)
apply (clarsimp simp add: cap_to_H_def Let_def split: cap_CL.splits split_if_asm)
apply (clarsimp simp add: cap_to_H_def Let_def split: cap_CL.splits if_split_asm)
apply (simp add: cap_small_frame_cap_lift_def)
apply (simp add: ccap_rights_relation_def)
apply (simp add: cap_small_frame_cap_lift_def)
@ -142,7 +142,7 @@ lemma Arch_maskCapRights_ccorres [corres]:
apply (clarsimp simp: cap_to_H_def)
apply (simp add: map_option_case split: option.splits)
apply (clarsimp simp add: isCap_simps pageSize_def cap_to_H_def Let_def simp del: not_ex
split: cap_CL.splits split_if_asm)
split: cap_CL.splits if_split_asm)
apply (simp add: cap_frame_cap_lift_def)
apply (simp add: ccap_rights_relation_def)
apply (simp add: c_valid_cap_def cl_valid_cap_def cap_lift_frame_cap)
@ -185,7 +185,7 @@ lemma to_bool_ntfn_cap_bf:
"cap_lift c = Some (Cap_notification_cap cap) \<Longrightarrow>
to_bool (capNtfnCanSend_CL cap) = to_bool_bf (capNtfnCanSend_CL cap) \<and>
to_bool (capNtfnCanReceive_CL cap) = to_bool_bf (capNtfnCanReceive_CL cap)"
apply (simp add:cap_lift_def Let_def split: split_if_asm)
apply (simp add:cap_lift_def Let_def split: if_split_asm)
apply (subst to_bool_bf_to_bool_mask,
clarsimp simp: cap_lift_thread_cap mask_def word_bw_assocs)+
apply simp
@ -196,7 +196,7 @@ lemma to_bool_ep_cap_bf:
to_bool (capCanSend_CL cap) = to_bool_bf (capCanSend_CL cap) \<and>
to_bool (capCanReceive_CL cap) = to_bool_bf (capCanReceive_CL cap) \<and>
to_bool (capCanGrant_CL cap) = to_bool_bf (capCanGrant_CL cap)"
apply (simp add:cap_lift_def Let_def split: split_if_asm)
apply (simp add:cap_lift_def Let_def split: if_split_asm)
apply (subst to_bool_bf_to_bool_mask,
clarsimp simp: cap_lift_thread_cap mask_def word_bw_assocs)+
apply simp
@ -260,7 +260,7 @@ lemma maskCapRights_ccorres [corres]:
apply (clarsimp simp: cap_to_H_def)
apply (simp add: map_option_case split: option.splits)
apply (clarsimp simp add: cap_to_H_def Let_def
split: cap_CL.splits split_if_asm)
split: cap_CL.splits if_split_asm)
apply (simp add: cap_notification_cap_lift_def)
apply (simp add: ccap_rights_relation_def cap_rights_to_H_def
to_bool_ntfn_cap_bf
@ -296,7 +296,7 @@ lemma maskCapRights_ccorres [corres]:
apply (clarsimp simp: cap_to_H_def)
apply (simp add: map_option_case split: option.splits)
apply (clarsimp simp add: cap_to_H_def Let_def
split: cap_CL.splits split_if_asm)
split: cap_CL.splits if_split_asm)
apply (simp add: cap_endpoint_cap_lift_def)
apply (simp add: ccap_rights_relation_def cap_rights_to_H_def
to_bool_ep_cap_bf
@ -506,13 +506,13 @@ lemma cap_lift_capNtfnBadge_mask_eq:
"cap_lift cap = Some (Cap_notification_cap ec)
\<Longrightarrow> capNtfnBadge_CL ec && mask 28 = capNtfnBadge_CL ec"
unfolding cap_lift_def
by (fastforce simp: Let_def mask_def word_bw_assocs split: split_if_asm)
by (fastforce simp: Let_def mask_def word_bw_assocs split: if_split_asm)
lemma cap_lift_capEPBadge_mask_eq:
"cap_lift cap = Some (Cap_endpoint_cap ec)
\<Longrightarrow> capEPBadge_CL ec && mask 28 = capEPBadge_CL ec"
unfolding cap_lift_def
by (fastforce simp: Let_def mask_def word_bw_assocs split: split_if_asm)
by (fastforce simp: Let_def mask_def word_bw_assocs split: if_split_asm)
lemma revokable_ccorres:
"\<lbrakk>ccap_relation cap newCap; cmdbnode_relation rva srcMDB;
@ -795,7 +795,7 @@ schematic_goal ccap_relation_tag_Master:
(capMasterCap cap)"
by (fastforce simp: ccap_relation_def map_option_Some_eq2
Let_def cap_lift_def cap_to_H_def
split: split_if_asm)
split: if_split_asm)
lemma ccap_relation_is_derived_tag_equal:
"\<lbrakk> is_derived' cs p cap cap'; ccap_relation cap ccap; ccap_relation cap' ccap' \<rbrakk>
@ -947,9 +947,9 @@ show "ccorresG rf_sr \<Gamma> dc xfdc (cte_wp_at' (\<lambda>cte. \<exists>i. cte
apply (erule(2) cpspace_cte_relation_upd_capI)
apply (simp add:cte_lift_def)
apply (simp split:option.splits )
apply (simp add:cap_to_H_def Let_def split:cap_CL.splits split_if_asm)
apply (simp add:cap_to_H_def Let_def split:cap_CL.splits if_split_asm)
apply (case_tac y)
apply (simp add:cap_lift_def Let_def split:split_if_asm)
apply (simp add:cap_lift_def Let_def split:if_split_asm)
apply (case_tac cte',simp)
apply (clarsimp simp:ccap_relation_def cap_lift_def
cap_get_tag_def cap_to_H_def)
@ -1004,7 +1004,7 @@ lemma t2p_shiftr:
done
lemma setUntypedCapAsFull_ccorres [corres]:
notes split_if [split del]
notes if_split [split del]
notes Collect_const [simp del]
notes Collect_True [simp] Collect_False [simp]
shows
@ -1064,15 +1064,15 @@ lemma setUntypedCapAsFull_ccorres [corres]:
apply csymbr
apply csymbr
apply (rule ccorres_cases [where P="capPtr srcCap = capPtr newCap"])
apply (clarsimp simp: cap_get_tag_isCap[symmetric] cap_get_tag_UntypedCap split: split_if_asm)
apply (clarsimp simp: cap_get_tag_isCap[symmetric] cap_get_tag_UntypedCap split: if_split_asm)
apply (rule ccorres_rhs_assoc)+
apply csymbr
apply csymbr
apply csymbr
apply (clarsimp simp: cap_get_tag_to_H cap_get_tag_UntypedCap split: split_if_asm)
apply (clarsimp simp: cap_get_tag_to_H cap_get_tag_UntypedCap split: if_split_asm)
apply (rule ccorres_cond_false)
apply (rule ccorres_return_Skip [unfolded dc_def])
apply (clarsimp simp: cap_get_tag_isCap[symmetric] cap_get_tag_UntypedCap split: split_if_asm)
apply (clarsimp simp: cap_get_tag_isCap[symmetric] cap_get_tag_UntypedCap split: if_split_asm)
apply (rule ccorres_cond_false)
apply (rule ccorres_return_Skip [unfolded dc_def])
apply (rule ccorres_return_Skip [unfolded dc_def])
@ -1084,7 +1084,7 @@ lemma setUntypedCapAsFull_ccorres [corres]:
apply clarsimp
apply (intro conjI impI allI)
apply (erule cte_wp_at_weakenE')
apply (clarsimp simp: cap_get_tag_isCap[symmetric] cap_get_tag_UntypedCap split: split_if_asm)
apply (clarsimp simp: cap_get_tag_isCap[symmetric] cap_get_tag_UntypedCap split: if_split_asm)
apply clarsimp
apply (drule valid_cap_untyped_inv,clarsimp simp:max_free_index_def)
apply (rule is_aligned_weaken)
@ -1103,11 +1103,11 @@ lemma setUntypedCapAsFull_ccorres [corres]:
apply (rule capBlockSize_CL_maxSize)
apply (clarsimp simp: cap_get_tag_UntypedCap)
apply (clarsimp simp: cap_get_tag_isCap_unfolded_H_cap)
apply (clarsimp split: split_if_asm)
apply (clarsimp split: split_if_asm)
apply (clarsimp split: split_if_asm)
apply (clarsimp split: split_if_asm)
apply (clarsimp split: split_if_asm)
apply (clarsimp split: if_split_asm)
apply (clarsimp split: if_split_asm)
apply (clarsimp split: if_split_asm)
apply (clarsimp split: if_split_asm)
apply (clarsimp split: if_split_asm)
done
lemma ccte_lift:
@ -1214,14 +1214,14 @@ thm cteInsert_body_def
apply (simp add:dc_def[symmetric])
apply (ctac ccorres: ccorres_updateMDB_skip)
apply (wp static_imp_wp)
apply (clarsimp simp: Collect_const_mem dc_def split del: split_if)
apply (clarsimp simp: Collect_const_mem dc_def split del: if_split)
apply vcg
apply (wp static_imp_wp)
apply (clarsimp simp: Collect_const_mem dc_def split del: split_if)
apply (clarsimp simp: Collect_const_mem dc_def split del: if_split)
apply vcg
apply (clarsimp simp:cmdb_node_relation_mdbNext)
apply (wp setUntypedCapAsFull_cte_at_wp static_imp_wp)
apply (clarsimp simp: Collect_const_mem dc_def split del: split_if)
apply (clarsimp simp: Collect_const_mem dc_def split del: if_split)
apply (vcg exspec=setUntypedCapAsFull_modifies)
apply wp
apply vcg
@ -1233,7 +1233,7 @@ thm cteInsert_body_def
apply vcg
apply wp
apply vcg
apply (simp add: Collect_const_mem split del: split_if) -- "Takes a while"
apply (simp add: Collect_const_mem split del: if_split) -- "Takes a while"
apply (rule conjI)
apply (clarsimp simp: conj_comms cte_wp_at_ctes_of)
apply (intro conjI)
@ -1256,7 +1256,7 @@ thm cteInsert_body_def
apply simp
apply clarsimp
apply (clarsimp simp: map_comp_Some_iff cte_wp_at_ctes_of
split del: split_if)
split del: if_split)
apply (clarsimp simp: typ_heap_simps c_guard_clift split_def)
apply (clarsimp simp: is_simple_cap_get_tag_relation ccte_relation_ccap_relation cmdb_node_relation_mdbNext[symmetric])
apply (metis (hide_lams, no_types) ccap_relation_Master_tags_eq ccte_relation_ccap_relation rf_sr_cte_relation)
@ -1394,7 +1394,7 @@ lemma cteMove_ccorres:
apply (intro conjI, simp+)
apply (erule (2) is_aligned_3_prev)
apply (erule (2) is_aligned_3_next)
apply (clarsimp simp: dc_def split del: split_if)
apply (clarsimp simp: dc_def split del: if_split)
apply (simp add: ccap_relation_NullCap_iff)
apply (clarsimp simp add: cmdbnode_relation_def
mdb_node_to_H_def nullMDBNode_def
@ -1539,7 +1539,7 @@ lemma cteMove_ccorres_verbose:
-- "***C generalised precondition***"
-- "***--------------------------***"
apply (unfold dc_def)
apply (clarsimp simp: ccap_relation_NullCap_iff split del: split_if)
apply (clarsimp simp: ccap_relation_NullCap_iff split del: if_split)
-- "cmdbnode_relation nullMDBNode va"
apply (simp add: cmdbnode_relation_def)
apply (simp add: mdb_node_to_H_def)
@ -1892,7 +1892,7 @@ lemma cteSwap_ccorres:
-- "modify_map (modify_map \<dots>) (?P3540 \<dots>) = Some cte"
-- "\<dots>\<longrightarrow> (\<exists>ctea. ctes_of s (mdbPrev (cteMDBNode cte)) = Some ctea) \<and> is_aligned (mdbPrev (cteMDBNode cte)) 3"
-- " Important: we need the first part to prove the second \<Longrightarrow> we need conj_cong"
apply (clarsimp simp: modify_map_if cong: if_cong split: split_if_asm)
apply (clarsimp simp: modify_map_if cong: if_cong split: if_split_asm)
apply (erule disjE)
apply clarsimp
apply clarsimp
@ -1937,7 +1937,7 @@ done
(************************************************************************)
declare split_if [split del]
declare if_split [split del]
(* rq CALL mdb_node_ptr_set_mdbNext_'proc \<dots>) is a printing bug
@ -2078,7 +2078,7 @@ lemma emptySlot_helper:
prefer 2
apply (drule cteMDBNode_CL_lift [symmetric])
subgoal by (simp add: mdb_node_lift_def mask_def word_bw_assocs)
apply (simp add: to_bool_def mask_def split: split_if)
apply (simp add: to_bool_def mask_def split: if_split)
-- "trivial case where mdbNext rva = 0"
apply (simp add:ccorres_cond_empty_iff)
@ -2239,7 +2239,7 @@ show ?thesis
apply (simp add: cinterrupt_relation_def Kernel_C.maxIRQ_def)
apply (clarsimp simp: word_sless_msb_less order_le_less_trans
unat_ucast_no_overflow_le word_le_nat_alt ucast_ucast_b
split: split_if )
split: if_split )
apply (rule word_0_sle_from_less)
apply (rule order_less_le_trans[where y = 160])
@ -2357,7 +2357,7 @@ lemma untypedZeroRange_idx_forward_helper:
apply (clarsimp split: option.split)
apply (clarsimp simp: untypedZeroRange_def max_free_index_def Let_def
isCap_simps valid_cap_simps' capAligned_def
split: split_if_asm)
split: if_split_asm)
apply (erule subsetD[rotated], rule intvl_both_le)
apply (clarsimp simp: getFreeRef_def)
apply (rule word_plus_mono_right)
@ -2400,7 +2400,7 @@ lemma untypedZeroRange_idx_backward_helper:
apply (rule intvl_both_le; clarsimp simp: untypedZeroRange_def
max_free_index_def Let_def
isCap_simps valid_cap_simps' capAligned_def
split: split_if_asm)
split: if_split_asm)
apply (clarsimp simp: getFreeRef_def)
apply (clarsimp simp: getFreeRef_def)
apply (simp add: word_of_nat_le unat_sub
@ -2410,11 +2410,11 @@ lemma untypedZeroRange_idx_backward_helper:
apply (clarsimp simp: untypedZeroRange_def
max_free_index_def Let_def
getFreeRef_def
split: split_if_asm)
split: if_split_asm)
apply (clarsimp simp: untypedZeroRange_def
max_free_index_def Let_def
getFreeRef_def isCap_simps valid_cap_simps'
split: split_if_asm)
split: if_split_asm)
apply (simp add: word_of_nat_le unat_sub capAligned_def
order_le_less_trans[OF _ power_strict_increasing]
order_le_less_trans[where x=idx]
@ -2470,7 +2470,7 @@ lemma updateTrackedFreeIndex_noop_ccorres:
apply (clarsimp simp: simpler_modify_def bind_def cte_wp_at_ctes_of)
apply (erule gsUntypedZeroRanges_update_helper)
apply (clarsimp simp: zero_ranges_are_zero_def
split: split_if)
split: if_split)
apply (case_tac "(a, b) \<in> gsUntypedZeroRanges \<sigma>")
apply (drule(1) bspec, simp)
apply (erule disjE_L)
@ -2480,7 +2480,7 @@ lemma updateTrackedFreeIndex_noop_ccorres:
apply (clarsimp simp: untypedZeroRange_def
valid_cap_simps'
max_free_index_def Let_def
split: split_if_asm)
split: if_split_asm)
apply clarsimp
apply (thin_tac "\<not> capIsDevice cap' \<longrightarrow> P" for P)
apply (clarsimp split: option.split_asm)
@ -2558,7 +2558,7 @@ lemma emptySlot_ccorres:
apply (rule ccorres_cond2'[where R=\<top>])
-- "*** link between abstract and concrete conditionals ***"
apply (clarsimp split: split_if)
apply (clarsimp split: if_split)
-- "*** proof for the 'else' branch (return () and SKIP) ***"
prefer 2
@ -2635,7 +2635,7 @@ lemma emptySlot_ccorres:
-- "final precondition proof"
apply (clarsimp simp: typ_heap_simps Collect_const_mem
cte_wp_at_ctes_of
split del: split_if)
split del: if_split)
apply (rule conjI)
-- "Haskell side"
@ -2741,7 +2741,7 @@ lemma cap_get_tag_PageCap_small_frame:
cap_small_frame_cap_CL.capFMappedAddress_CL (cap_small_frame_cap_lift cap')))))"
apply (rule iffI)
apply (erule ccap_relationE)
apply (clarsimp simp add: cap_lifts cap_to_H_def Let_def split: split_if)
apply (clarsimp simp add: cap_lifts cap_to_H_def Let_def split: if_split)
apply (simp add: cap_get_tag_isCap isCap_simps pageSize_def)
done
@ -2762,7 +2762,7 @@ lemma cap_get_tag_PageCap_frame:
cap_frame_cap_CL.capFMappedAddress_CL (cap_frame_cap_lift cap')))))"
apply (rule iffI)
apply (erule ccap_relationE)
apply (clarsimp simp add: cap_lifts cap_to_H_def Let_def split: split_if)
apply (clarsimp simp add: cap_lifts cap_to_H_def Let_def split: if_split)
apply (simp add: cap_get_tag_isCap isCap_simps pageSize_def)
done
@ -3126,7 +3126,7 @@ lemma generic_frame_cap_get_capFVMRights_spec:
apply (clarsimp simp: generic_frame_cap_get_capFVMRights_CL_def
cap_lift_small_frame_cap cap_lift_frame_cap
cap_small_frame_cap_lift_def cap_frame_cap_lift_def)
by (simp add: cap_lift_def Let_def Kernel_C.VMNoAccess_def split: split_if)
by (simp add: cap_lift_def Let_def Kernel_C.VMNoAccess_def split: if_split)
definition
get_capSizeBits_CL :: "cap_CL option \<Rightarrow> nat" where
@ -3186,7 +3186,7 @@ lemma cap_get_capSizeBits_spec:
cap_cnode_cap_lift_def cap_thread_cap_lift_def
cap_zombie_cap_lift_def cap_page_table_cap_lift_def
cap_page_directory_cap_lift_def cap_asid_pool_cap_lift_def
Let_def cap_untyped_cap_lift_def split: split_if_asm)
Let_def cap_untyped_cap_lift_def split: if_split_asm)
lemma ccap_relation_get_capSizeBits_physical:
notes unfolds = ccap_relation_def get_capSizeBits_CL_def cap_lift_def
@ -3201,9 +3201,9 @@ lemma ccap_relation_get_capSizeBits_physical:
defer 4 (* arch caps last *)
apply ((frule cap_get_tag_isCap_unfolded_H_cap,
clarsimp simp: unfolds
split: split_if_asm)+)[5] (* SOMEONE FIX SUBGOAL PLZ *)
split: if_split_asm)+)[5] (* SOMEONE FIX SUBGOAL PLZ *)
apply (frule cap_get_tag_isCap_unfolded_H_cap)
apply (clarsimp simp: unfolds split: split_if_asm)
apply (clarsimp simp: unfolds split: if_split_asm)
apply (rule arg_cong [OF less_mask_eq[where n=5, unfolded mask_def, simplified]])
apply (simp add: capAligned_def objBits_simps word_bits_conv word_less_nat_alt)
subgoal for arch_capability
@ -3212,17 +3212,17 @@ lemma ccap_relation_get_capSizeBits_physical:
apply (fold_subgoals (prefix))[3]
subgoal premises prems by ((frule cap_get_tag_isCap_unfolded_H_cap,
clarsimp simp: unfolds
split: split_if_asm)+)
split: if_split_asm)+)
apply (rename_tac vmpage_size option)
apply (case_tac "vmpage_size = ARMSmallPage", simp_all)
apply (frule cap_get_tag_isCap_unfolded_H_cap(16), simp)
subgoal by (clarsimp simp: unfolds split: split_if_asm)
subgoal by (clarsimp simp: unfolds split: if_split_asm)
by (frule cap_get_tag_isCap_unfolded_H_cap(17), simp,
clarsimp simp: unfolds
pageBitsForSize_spec gen_framesize_to_H_def
c_valid_cap_def cl_valid_cap_def framesize_to_H_def
generic_frame_cap_get_capFSize_CL_def
split: split_if_asm)+
split: if_split_asm)+
done
lemma ccap_relation_get_capSizeBits_untyped:
@ -3245,7 +3245,7 @@ lemma get_capSizeBits_valid_shift:
apply (cases hcap;
simp add: cap_get_tag_isCap_unfolded_H_cap cap_lift_def cap_tag_defs)
(* zombie *)
apply (clarsimp simp: Let_def split: split_if)
apply (clarsimp simp: Let_def split: if_split)
apply (frule cap_get_tag_isCap_unfolded_H_cap)
apply (clarsimp simp: ccap_relation_def map_option_Some_eq2
cap_lift_zombie_cap cap_to_H_def
@ -3310,9 +3310,9 @@ lemma cap_zombie_cap_get_capZombiePtr_spec:
apply (intro conjI)
apply (simp add: word_add_less_mono1[where k=1 and j="0x1F", simplified])
apply (subst unat_plus_if_size)
apply (clarsimp split: split_if)
apply (clarsimp split: if_split)
apply (clarsimp simp: get_capZombieBits_CL_def Let_def word_size
split: split_if split_if_asm)
split: if_split if_split_asm)
apply (subgoal_tac "unat (capZombieType_CL (cap_zombie_cap_lift cap) && mask 5)
< unat ((2::word32) ^ 5)")
apply clarsimp
@ -3360,7 +3360,7 @@ lemma cap_get_capPtr_spec:
cap_cnode_cap_lift_def cap_thread_cap_lift_def
cap_zombie_cap_lift_def cap_page_table_cap_lift_def
cap_page_directory_cap_lift_def cap_asid_pool_cap_lift_def
Let_def cap_untyped_cap_lift_def split: split_if_asm)
Let_def cap_untyped_cap_lift_def split: if_split_asm)
definition get_capIsPhysical_CL :: "cap_CL option \<Rightarrow> bool"
where
@ -3400,13 +3400,13 @@ lemma cap_get_capIsPhysical_spec:
cap_cnode_cap_lift_def cap_thread_cap_lift_def
cap_zombie_cap_lift_def cap_page_table_cap_lift_def
cap_page_directory_cap_lift_def cap_asid_pool_cap_lift_def
Let_def cap_untyped_cap_lift_def split: split_if_asm)
Let_def cap_untyped_cap_lift_def split: if_split_asm)
lemma ccap_relation_get_capPtr_not_physical:
"\<lbrakk> ccap_relation hcap ccap; capClass hcap \<noteq> PhysicalClass \<rbrakk> \<Longrightarrow>
get_capPtr_CL (cap_lift ccap) = Ptr 0"
by (clarsimp simp: ccap_relation_def get_capPtr_CL_def cap_to_H_def Let_def
split: option.split cap_CL.split_asm split_if_asm)
split: option.split cap_CL.split_asm if_split_asm)
lemma ccap_relation_get_capIsPhysical:
"ccap_relation hcap ccap \<Longrightarrow> isPhysicalCap hcap = get_capIsPhysical_CL (cap_lift ccap)"
@ -3449,9 +3449,9 @@ lemma ccap_relation_get_capPtr_physical:
defer 4
apply ((frule cap_get_tag_isCap_unfolded_H_cap,
clarsimp simp: unfolds
split: split_if_asm dest!: ctcb_ptr_to_tcb_ptr_mask)+)[5]
split: if_split_asm dest!: ctcb_ptr_to_tcb_ptr_mask)+)[5]
apply (frule cap_get_tag_isCap_unfolded_H_cap)
apply (clarsimp simp: unfolds split: split_if_asm dest!: ctcb_ptr_to_tcb_ptr_mask)
apply (clarsimp simp: unfolds split: if_split_asm dest!: ctcb_ptr_to_tcb_ptr_mask)
apply (rule arg_cong [OF less_mask_eq])
apply (simp add: capAligned_def word_bits_conv objBits_simps
word_less_nat_alt)
@ -3460,16 +3460,16 @@ lemma ccap_relation_get_capPtr_physical:
defer 2 (* page caps last *)
apply (fold_subgoals (prefix))[3]
subgoal by ((frule cap_get_tag_isCap_unfolded_H_cap,
clarsimp simp: unfolds split: split_if_asm)+)
clarsimp simp: unfolds split: if_split_asm)+)
defer
subgoal for \<dots> vmpage_size option
apply (cases "vmpage_size = ARMSmallPage"; simp?)
apply (frule cap_get_tag_isCap_unfolded_H_cap(16), simp)
subgoal by (clarsimp simp: unfolds split: split_if_asm)
subgoal by (clarsimp simp: unfolds split: if_split_asm)
by (frule cap_get_tag_isCap_unfolded_H_cap(17), simp,
clarsimp simp: unfolds
cap_tag_defs cap_to_H_def
split: split_if_asm)+
split: if_split_asm)+
done
done
@ -3543,7 +3543,7 @@ lemma sameRegionAs_spec:
apply (simp add: ccap_relation_def map_option_case)
apply (simp add: cap_notification_cap_lift)
apply (simp add: cap_to_H_def)
apply (clarsimp split: split_if)
apply (clarsimp split: if_split)
apply (frule_tac cap'=cap_b in cap_get_tag_isArchCap_unfolded_H_cap)
apply (clarsimp simp: isArchCap_tag_def2)
-- "capa is an IRQHandlerCap"
@ -3556,7 +3556,7 @@ lemma sameRegionAs_spec:
apply (simp add: cap_to_H_def)
apply (clarsimp simp: up_ucast_inj_eq c_valid_cap_def
cl_valid_cap_def mask_twice
split: split_if bool.split
split: if_split bool.split
| intro impI conjI
| simp )+
apply (drule ucast_ucast_mask_eq, simp)
@ -3572,14 +3572,14 @@ lemma sameRegionAs_spec:
apply (simp add: ccap_relation_def map_option_case)
apply (simp add: cap_endpoint_cap_lift)
apply (simp add: cap_to_H_def)
apply (clarsimp split: split_if)
apply (clarsimp split: if_split)
apply (frule_tac cap'=cap_b in cap_get_tag_isArchCap_unfolded_H_cap)
apply (clarsimp simp: isArchCap_tag_def2)
-- "capa is a DomainCap"
apply (case_tac capb, simp_all add: cap_get_tag_isCap_unfolded_H_cap
isCap_simps cap_tag_defs from_bool_def false_def true_def)[1]
apply (frule_tac cap'=cap_b in cap_get_tag_isArchCap_unfolded_H_cap)
apply (fastforce simp: isArchCap_tag_def2 split: split_if)
apply (fastforce simp: isArchCap_tag_def2 split: if_split)
-- "capa is a Zombie"
apply (simp add: cap_tag_defs from_bool_def false_def)
-- "capa is an Arch object cap"
@ -3601,7 +3601,7 @@ lemma sameRegionAs_spec:
apply (simp add: ccap_relation_def map_option_case)
apply (simp add: cap_reply_cap_lift)
apply (simp add: cap_to_H_def ctcb_ptr_to_tcb_ptr_def)
apply (clarsimp split: split_if)
apply (clarsimp split: if_split)
-- "capa is an UntypedCap"
apply (frule_tac cap'=cap_a in cap_get_tag_isCap_unfolded_H_cap(9))
apply (intro conjI)
@ -3611,13 +3611,13 @@ lemma sameRegionAs_spec:
objBits_simps get_capZombieBits_CL_def
Let_def word_less_nat_alt
less_mask_eq true_def
split: split_if_asm)
split: if_split_asm)
apply (subgoal_tac "capBlockSize_CL (cap_untyped_cap_lift cap_a) \<le> 0x1F")
apply (simp add: word_le_make_less)
apply (simp add: cap_untyped_cap_lift_def cap_lift_def
cap_tag_defs word_and_le1)
apply (clarsimp simp: get_capSizeBits_valid_shift_word)
apply (clarsimp simp: from_bool_def Let_def split: split_if bool.splits)
apply (clarsimp simp: from_bool_def Let_def split: if_split bool.splits)
apply (subst unat_of_nat32,
clarsimp simp: unat_of_nat32 word_bits_def
dest!: get_capSizeBits_valid_shift)+
@ -3642,12 +3642,12 @@ lemma sameRegionAs_spec:
apply (simp add: ccap_relation_def map_option_case)
apply (simp add: cap_cnode_cap_lift)
apply (simp add: cap_to_H_def)
apply (clarsimp split: split_if bool.split)
apply (clarsimp split: if_split bool.split)
-- "capa is an IRQControlCap"
apply (case_tac capb, simp_all add: cap_get_tag_isCap_unfolded_H_cap
isCap_simps cap_tag_defs from_bool_def false_def true_def)[1]
apply (frule_tac cap'=cap_b in cap_get_tag_isArchCap_unfolded_H_cap)
apply (fastforce simp: isArchCap_tag_def2 split: split_if)
apply (fastforce simp: isArchCap_tag_def2 split: if_split)
done
lemma gen_framesize_to_H_eq:
@ -3656,7 +3656,7 @@ lemma gen_framesize_to_H_eq:
by (fastforce simp: gen_framesize_to_H_def Kernel_C.ARMSmallPage_def
Kernel_C.ARMLargePage_def Kernel_C.ARMSection_def
word_le_make_less
split: split_if
split: if_split
dest: word_less_cases)
lemma framesize_to_H_eq:
@ -3665,7 +3665,7 @@ lemma framesize_to_H_eq:
by (fastforce simp: framesize_to_H_def Kernel_C.ARMSmallPage_def
Kernel_C.ARMLargePage_def Kernel_C.ARMSection_def
word_le_make_less
split: split_if
split: if_split
dest: word_less_cases)
lemma capFSize_range:
@ -3702,7 +3702,7 @@ lemma Arch_sameObjectAs_spec:
apply (simp add: ccap_relation_def map_option_case)
apply (simp add: cap_small_frame_cap_lift)
apply (clarsimp simp: cap_to_H_def capAligned_def to_bool_def from_bool_def
split: split_if bool.split
split: if_split bool.split
dest!: is_aligned_no_overflow)
apply (case_tac "vmpage_sizea = ARMSmallPage",
simp_all add: cap_get_tag_isCap_unfolded_H_cap cap_tag_defs
@ -3714,7 +3714,7 @@ lemma Arch_sameObjectAs_spec:
apply (clarsimp simp: cap_to_H_def capAligned_def from_bool_def
c_valid_cap_def cl_valid_cap_def
Kernel_C.ARMSmallPage_def
split: split_if bool.split vmpage_size.split_asm
split: if_split bool.split vmpage_size.split_asm
dest!: is_aligned_no_overflow)
apply (simp add: framesize_to_H_eq capFSize_range to_bool_def
cap_frame_cap_lift [symmetric])
@ -3814,7 +3814,7 @@ lemma isMDBParentOf_spec:
apply (simp add: cte_lift_def)
apply (clarsimp simp: cte_to_H_def mdb_node_to_H_def split: option.split_asm)
apply (clarsimp simp: Let_def false_def from_bool_def to_bool_def
split: split_if bool.splits)
split: if_split bool.splits)
apply ((clarsimp simp: typ_heap_simps dest!: lift_t_g)+)[3]
apply (rule_tac x="cteCap ctea" in exI, rule conjI)
apply (clarsimp simp: ccte_relation_ccap_relation typ_heap_simps
@ -3833,7 +3833,7 @@ lemma isMDBParentOf_spec:
-- "sameRegionAs = 0"
apply (rule impI)
apply (clarsimp simp: from_bool_def false_def
split: split_if bool.splits)
split: if_split bool.splits)
-- "sameRegionAs \<noteq> 0"
apply (clarsimp simp: from_bool_def false_def)
@ -3855,7 +3855,7 @@ lemma isMDBParentOf_spec:
apply (clarsimp simp: if_1_0_0 typ_heap_simps' Let_def case_bool_If)
apply (frule_tac cap="(cap_to_H x2c)" in cap_get_tag_EndpointCap)
apply (clarsimp split: split_if_asm simp: if_distrib [where f=scast])
apply (clarsimp split: if_split_asm simp: if_distrib [where f=scast])
apply (clarsimp, rule conjI)
--" cap_get_tag of cte_a is an notification"
@ -4111,7 +4111,7 @@ lemma Arch_deriveCap_ccorres:
subgoal by (simp add: ccap_relation_def cap_lift_def Let_def
cap_tag_defs cap_to_H_def to_bool_def
cap_page_table_cap_lift_def
split: split_if_asm)
split: if_split_asm)
apply wpc
apply (clarsimp simp: cap_get_tag_isCap_ArchObject
ccorres_cond_iffs)
@ -4139,7 +4139,7 @@ lemma Arch_deriveCap_ccorres:
subgoal by (simp add: ccap_relation_def cap_lift_def Let_def
cap_tag_defs cap_to_H_def to_bool_def
cap_page_directory_cap_lift_def
split: split_if_asm)
split: if_split_asm)
apply wpc
apply (clarsimp simp: cap_get_tag_isCap_ArchObject
ccorres_cond_iffs)


@ -127,7 +127,7 @@ lemma rightsFromWord_wordFromRights:
"rightsFromWord (wordFromRights rghts) = rghts"
apply (cases rghts)
apply (simp add: wordFromRights_def rightsFromWord_def
split: split_if)
split: if_split)
done
lemma wordFromRights_inj:
@ -224,7 +224,7 @@ proof (cases "isCNodeCap cap'")
apply (simp add: throwError_def return_def split)
apply vcg
apply (clarsimp simp add: exception_defs lookup_fault_lift_def)
apply (simp split: split_if)
apply (simp split: if_split)
apply (vcg strip_guards=true)
apply (clarsimp simp: cap_get_tag_isCap isCap_simps)
done
@ -251,7 +251,7 @@ next
apply (erule conjE)
apply (erule_tac t = capptr in ssubst)
apply csymbr+
apply (simp add: cap_get_tag_isCap split del: split_if)
apply (simp add: cap_get_tag_isCap split del: if_split)
apply (thin_tac "ret__unsigned = X" for X)
apply (rule ccorres_split_throws [where P = "?P"])
apply (rule_tac G' = "\<lambda>w_rightsMask. ({s. nodeCap_' s = nodeCap}
@ -305,7 +305,7 @@ next
"\<And>c f g. (case c of CNodeCap _ _ _ _ \<Rightarrow> f | _ \<Rightarrow> g) = (if isCNodeCap c then f else g)"
by (case_tac c, simp_all add: isCap_simps)
note [split del] = split_if
note [split del] = if_split
have gbD: "\<And>guardBits cap cap'. \<lbrakk> guardBits = capCNodeGuardSize_CL (cap_cnode_cap_lift cap');
ccap_relation cap cap'; isCNodeCap cap \<rbrakk>
@ -466,7 +466,7 @@ next
apply (rule iffD1 [OF ccorres_expand_while_iff])
apply (subst resolveAddressBits.simps)
apply (unfold case_into_if)
apply (simp add: Let_def ccorres_cond_iffs split del: split_if)
apply (simp add: Let_def ccorres_cond_iffs split del: if_split)
apply (rule ccorres_rhs_assoc)+
apply (cinitlift nodeCap_' n_bits_')
apply (erule_tac t = nodeCapa in ssubst)
@ -704,7 +704,7 @@ lemma lookupSlotForThread_ccorres':
apply (clarsimp simp add: Collect_const_mem errstate_def tcbSlots
Kernel_C.tcbCTable_def word_size lookupSlot_raw_rel_def
word_sle_def
split del: split_if)
split del: if_split)
done
lemma lookupSlotForThread_ccorres[corres]:


@ -20,7 +20,7 @@ lemma ccorres_drop_cutMon:
\<Longrightarrow> ccorres_underlying sr Gamm r xf arrel axf P P' hs (cutMon Q f) g"
apply (clarsimp simp: ccorres_underlying_def
cutMon_def fail_def
split: split_if_asm)
split: if_split_asm)
apply (subst if_P, simp)
apply fastforce
done
@ -30,7 +30,7 @@ lemma ccorres_drop_cutMon_bind:
\<Longrightarrow> ccorres_underlying sr Gamm r xf arrel axf P P' hs (cutMon Q f >>= f') g"
apply (clarsimp simp: ccorres_underlying_def
cutMon_def fail_def bind_def
split: split_if_asm)
split: if_split_asm)
apply (subst if_P, simp)+
apply fastforce
done
@ -40,7 +40,7 @@ lemma ccorres_drop_cutMon_bindE:
\<Longrightarrow> ccorres_underlying sr Gamm r xf arrel axf P P' hs (cutMon Q f >>=E f') g"
apply (clarsimp simp: ccorres_underlying_def
cutMon_def fail_def bind_def bindE_def lift_def
split: split_if_asm)
split: if_split_asm)
apply (subst if_P, simp)+
apply fastforce
done
@ -50,11 +50,11 @@ lemma ccorres_cutMon:
\<Longrightarrow> ccorres_underlying sr Gamm r xf arrel axf P P' hs (cutMon Q f) g"
apply (clarsimp simp: ccorres_underlying_def
cutMon_def fail_def bind_def
split: split_if_asm)
split: if_split_asm)
apply (erule meta_allE, drule(1) meta_mp)
apply (drule(1) bspec)
apply (clarsimp simp: fail_def
split: split_if_asm)
split: if_split_asm)
apply (subst if_P, assumption)+
apply fastforce
done
@ -67,7 +67,7 @@ lemma ccap_zombie_radix_less1:
apply (clarsimp simp: Let_def capAligned_def
objBits_simps word_bits_conv word_less_nat_alt
word_le_nat_alt less_mask_eq
split: split_if_asm)
split: if_split_asm)
done
lemmas ccap_zombie_radix_less2
@ -78,7 +78,7 @@ lemma ccap_zombie_radix_less3:
\<Longrightarrow> get_capZombieBits_CL (cap_zombie_cap_lift ccap) < 28"
by (clarsimp simp: get_capZombieBits_CL_def Let_def
less_mask_eq ccap_zombie_radix_less2
split: split_if)
split: if_split)
lemmas ccap_zombie_radix_less4
= order_less_le_trans [OF ccap_zombie_radix_less3]
@ -99,7 +99,7 @@ lemma cap_zombie_cap_get_capZombieNumber_spec:
apply (rule conjI)
apply unat_arith
apply (fold mask_2pm1)
apply (simp add: get_capZombieBits_CL_def Let_def split: split_if_asm)
apply (simp add: get_capZombieBits_CL_def Let_def split: if_split_asm)
apply (subst unat_Suc2)
apply clarsimp
apply (subst less_mask_eq, erule order_less_le_trans)
@ -122,7 +122,7 @@ lemma cap_zombie_cap_set_capZombieNumber_spec:
apply (clarsimp simp: cap_zombie_cap_lift
ccap_relation_def map_option_Some_eq2
cap_to_H_def get_capZombieBits_CL_def
split: split_if_asm)
split: if_split_asm)
apply (simp add: mask_def word_bw_assocs word_ao_dist)
apply (rule sym, rule less_mask_eq[where n=5, unfolded mask_def, simplified])
apply unat_arith
@ -155,7 +155,7 @@ lemma capRemovable_spec:
apply (clarsimp simp: get_capZombiePtr_CL_def Let_def get_capZombieBits_CL_def
isCap_simps unat_eq_0 unat_eq_1
less_mask_eq ccap_zombie_radix_less2
split: split_if_asm)
split: if_split_asm)
done
lemma capCyclicZombie_spec:
@ -172,7 +172,7 @@ lemma capCyclicZombie_spec:
apply (frule(1) cap_get_tag_to_H)
apply (clarsimp simp: capCyclicZombie_def Let_def
get_capZombieBits_CL_def get_capZombiePtr_CL_def
split: split_if_asm)
split: if_split_asm)
apply (auto simp: less_mask_eq ccap_zombie_radix_less2)
done
@ -183,7 +183,7 @@ lemma case_assertE_to_assert:
| _ \<Rightarrow> returnOk ())
= liftE (assert (case cap of Zombie ptr2 x xa \<Rightarrow> P ptr2 x xa | _ \<Rightarrow> True))"
apply (simp add: assertE_def returnOk_liftE assert_def
split: capability.split split_if)
split: capability.split if_split)
done
lemma cteDelete_ccorres1:
@ -258,7 +258,7 @@ lemma zombie_rf_sr_helperE:
apply (clarsimp simp: get_capZombiePtr_CL_def Let_def
get_capZombieBits_CL_def
isZombieTCB_C_def
split: split_if_asm)
split: if_split_asm)
apply (simp add: less_mask_eq ccap_zombie_radix_less2
isZombieTCB_C_def)
done
@ -786,7 +786,7 @@ lemma finaliseSlot_ccorres:
apply (rule allI, rule conseqPre, vcg)
apply (clarsimp simp: returnOk_def return_def
from_bool_def true_def)
apply (clarsimp simp: irq_opt_relation_def split: split_if)
apply (clarsimp simp: irq_opt_relation_def split: if_split)
apply vcg
apply (simp only: cutMon_walk_if Collect_False ccorres_seq_cond_empty
ccorres_seq_skip)
@ -822,7 +822,7 @@ lemma finaliseSlot_ccorres:
apply (clarsimp simp: returnOk_def return_def)
apply (drule use_valid [OF _ finaliseCap_cases, OF _ TrueI])
apply (simp add: from_bool_def false_def irq_opt_relation_def true_def
split: split_if_asm)
split: if_split_asm)
apply vcg
apply wp
apply (simp add: guard_is_UNIV_def true_def)


@ -38,7 +38,7 @@ lemma h_t_valid_ptr_clear_region:
apply (clarsimp simp: typ_clear_region_def)
apply clarsimp
apply (drule spec, drule (1) mp)
apply (clarsimp simp: typ_clear_region_def split: split_if_asm)
apply (clarsimp simp: typ_clear_region_def split: if_split_asm)
apply clarsimp
apply (drule spec, drule (1) mp)
apply (subgoal_tac "ptr_val p + of_nat y \<notin> {ptr..+2 ^ bits}")
@ -61,7 +61,7 @@ lemma map_of_le:
apply clarsimp
apply (clarsimp simp: map_le_def dom_map_of_conv_image_fst)
apply (drule(1) bspec, simp)
apply (simp(no_asm_use) split: split_if_asm)
apply (simp(no_asm_use) split: if_split_asm)
apply (fastforce simp: image_def)
apply simp
done
@ -74,7 +74,7 @@ lemma list_map_le_singleton:
apply (drule map_of_le)
apply simp
apply (cases xs, simp_all add: list_map_def upt_conv_Cons
split: split_if_asm del: upt.simps)
split: if_split_asm del: upt.simps)
apply (case_tac list, simp_all add: upt_conv_Cons del: upt.simps)
apply auto
done
@ -102,7 +102,7 @@ lemma valid_footprint_typ_region_bytes:
apply (drule spec, drule (1) mp)
apply (clarsimp simp: typ_region_bytes_def list_map_le_singleton neq_byte
neq_types_not_typ_slice_eq
split: split_if_asm)
split: if_split_asm)
apply clarsimp
apply (drule spec, drule (1) mp)
apply (subgoal_tac "p + of_nat y \<notin> {ptr..+2 ^ bits}")
@ -166,7 +166,7 @@ lemma lift_t_typ_clear_region:
apply (drule (1) orthD2)
apply (erule contrapos_np, rule intvl_self)
apply (simp add: size_of_def wf_size_desc_gt)
apply (simp add: lift_t_def lift_typ_heap_if s_valid_def h_t_valid_ptr_clear_region del: disj_not1 split del: split_if)
apply (simp add: lift_t_def lift_typ_heap_if s_valid_def h_t_valid_ptr_clear_region del: disj_not1 split del: if_split)
apply (subst if_not_P)
apply simp
apply (case_tac "x \<in> (- Ptr ` {ptr..+2 ^ bits})")
@ -206,7 +206,7 @@ lemma lift_t_typ_region_bytes:
apply (cut_tac p=x in mem_type_self)
apply blast
apply (simp add: lift_t_def lift_typ_heap_if s_valid_def neq_byte
h_t_valid_typ_region_bytes del: disj_not1 split del: split_if)
h_t_valid_typ_region_bytes del: disj_not1 split del: if_split)
apply (clarsimp simp add: restrict_map_def)
apply (blast dest: doms)
done
@ -582,7 +582,7 @@ proof -
apply simp
apply clarsimp
apply (drule_tac y = n in aligned_add_aligned [where m = 4])
apply (simp add: tcb_cte_cases_def is_aligned_def split: split_if_asm)
apply (simp add: tcb_cte_cases_def is_aligned_def split: if_split_asm)
apply (simp add: word_bits_conv)
apply simp
done
@ -607,7 +607,7 @@ lemma tcb_cte_cases_in_range3:
proof -
from tc obtain q where yq: "y = x + q" and qv: "q \<le> 2 ^ 7 - 1"
unfolding tcb_cte_cases_def
by (simp add: diff_eq_eq split: split_if_asm)
by (simp add: diff_eq_eq split: if_split_asm)
have "q + (2 ^ 4 - 1) \<le> (2 ^ 7 - 1) + (2 ^ 4 - 1)" using qv
by (rule word_plus_mcs_3) simp
@ -635,7 +635,7 @@ lemma tcb_cte_cases_aligned:
"\<lbrakk>is_aligned p 9; tcb_cte_cases n = Some (getF, setF)\<rbrakk>
\<Longrightarrow> is_aligned (p + n) (objBits (cte :: cte))"
apply (erule aligned_add_aligned)
apply (simp add: tcb_cte_cases_def is_aligned_def objBits_simps split: split_if_asm)
apply (simp add: tcb_cte_cases_def is_aligned_def objBits_simps split: if_split_asm)
apply (simp add: objBits_simps)
done
@ -1341,7 +1341,7 @@ lemma heap_to_user_data_update_region:
else heap_to_user_data psp f x)"
apply (rule ext)
apply (simp add: heap_to_user_data_def Let_def
split: split_if)
split: if_split)
apply (rule conjI)
apply (clarsimp simp: byte_to_word_heap_def Let_def add.assoc
intro!: ext)
@ -1375,7 +1375,7 @@ lemma heap_to_device_data_update_region:
else heap_to_device_data psp f x)"
apply (rule ext)
apply (simp add: heap_to_device_data_def Let_def
split: split_if)
split: if_split)
apply (rule conjI)
apply (clarsimp simp: byte_to_word_heap_def Let_def add.assoc
intro!: ext)
@ -1867,7 +1867,7 @@ proof -
apply clarsimp
apply (rule ccontr)
apply (drule (2) asid)
apply (clarsimp simp: ran_def pd_pointer_to_asid_slot_def split: split_if_asm)
apply (clarsimp simp: ran_def pd_pointer_to_asid_slot_def split: if_split_asm)
apply (subgoal_tac "armKSASIDMap (ksArchState (s\<lparr>ksPSpace := ?ks\<rparr>)) a = Some (asid, pd_ptr)")
prefer 2
apply simp
@ -1908,7 +1908,7 @@ proof -
apply (rule ext)
apply clarsimp
apply (simp add: map_option_def map_comp_def
split: split_if_asm option.splits)
split: if_split_asm option.splits)
apply (frule pspace_alignedD'[OF _ pspace_aligned'])
apply (case_tac "pageBits \<le> bits")
apply (simp add: objBitsKO_def projectKOs split: kernel_object.splits)
@ -1961,7 +1961,7 @@ proof -
apply (rule ext)
apply clarsimp
apply (simp add: map_option_def map_comp_def
split: split_if_asm option.splits)
split: if_split_asm option.splits)
apply (frule pspace_alignedD'[OF _ pspace_aligned'])
apply (case_tac "pageBits \<le> bits")
apply (simp add: objBitsKO_def projectKOs split: kernel_object.splits)


@ -232,7 +232,7 @@ where
lemma obj_at_tcbs_of:
"obj_at' P t s = (EX tcb. tcbs_of s t = Some tcb & P tcb)"
apply (simp add: tcbs_of_def split: split_if)
apply (simp add: tcbs_of_def split: if_split)
apply (intro conjI impI)
apply (clarsimp simp: obj_at'_def projectKOs)
apply (clarsimp simp: obj_at'_weakenE[OF _ TrueI])
@ -355,7 +355,7 @@ lemma of_int_sint_scast [simp]:
lemma stateAssert_bind_out_of_if:
"If P f (stateAssert Q xs >>= g) = stateAssert (\<lambda>s. \<not> P \<longrightarrow> Q s) [] >>= (\<lambda>_. If P f (g ()))"
"If P (stateAssert Q xs >>= g) f = stateAssert (\<lambda>s. P \<longrightarrow> Q s) [] >>= (\<lambda>_. If P (g ()) f)"
by (simp_all add: fun_eq_iff stateAssert_def exec_get split: split_if)
by (simp_all add: fun_eq_iff stateAssert_def exec_get split: if_split)
lemma isCNodeCap_capUntypedPtr_capCNodePtr:
"isCNodeCap c \<Longrightarrow> capUntypedPtr c = capCNodePtr c"
@ -384,7 +384,7 @@ lemma lookup_fp_ccorres':
apply (simp add: from_bool_0 del: Collect_const cong: call_ignore_cong)
apply (rule ccorres_Cond_rhs_Seq)
apply (simp add: resolveAddressBits.simps split_def del: Collect_const
split del: split_if)
split del: if_split)
apply (rule ccorres_drop_cutMon)
apply (rule ccorres_from_vcg_split_throws[where P=\<top> and P'=UNIV])
apply vcg
@ -462,9 +462,9 @@ lemma lookup_fp_ccorres':
apply (rule ccorres_Guard_Seq, csymbr)
apply (simp add: resolveAddressBits.simps bindE_assoc extra_sle_sless_unfolds
Collect_True
split del: split_if del: Collect_const cong: call_ignore_cong)
split del: if_split del: Collect_const cong: call_ignore_cong)
apply (simp add: cutMon_walk_bindE del: Collect_const
split del: split_if cong: call_ignore_cong)
split del: if_split cong: call_ignore_cong)
apply (rule ccorres_drop_cutMon_bindE, rule ccorres_assertE)
apply (rule ccorres_cutMon)
apply csymbr
@ -481,7 +481,7 @@ lemma lookup_fp_ccorres':
apply (rule ccorres_from_vcg_split_throws[where P=\<top> and P'=UNIV])
apply vcg
apply (rule conseqPre, vcg)
apply (clarsimp simp: unlessE_def split: split_if)
apply (clarsimp simp: unlessE_def split: if_split)
apply (simp add: throwError_def return_def cap_tag_defs
isRight_def isLeft_def
ccap_relation_NullCap_iff
@ -504,7 +504,7 @@ lemma lookup_fp_ccorres':
apply (rule ccorres_from_vcg_split_throws[where P=\<top> and P'=UNIV])
apply vcg
apply (rule conseqPre, vcg)
apply (clarsimp simp: unlessE_def split: split_if cong: call_ignore_cong)
apply (clarsimp simp: unlessE_def split: if_split cong: call_ignore_cong)
apply (simp add: throwError_def return_def cap_tag_defs isRight_def
isLeft_def ccap_relation_NullCap_iff)
apply fastforce
@ -518,7 +518,7 @@ lemma lookup_fp_ccorres':
apply (rule ccorres_cutMon)
apply (simp add: cutMon_walk_bindE unlessE_whenE
del: Collect_const
split del: split_if cong: call_ignore_cong)
split del: if_split cong: call_ignore_cong)
apply (rule ccorres_drop_cutMon_bindE)
apply csymbr+
apply (rule ccorres_rhs_assoc2)
@ -624,7 +624,7 @@ lemma lookup_fp_ccorres':
apply (simp add: ccHoarePost_def del: Collect_const)
apply vcg
apply (clarsimp simp: Collect_const_mem if_1_0_0 of_bl_from_bool
split del: split_if cong: if_cong)
split del: if_split cong: if_cong)
apply (clarsimp simp: cap_get_tag_isCap
option.split[where P="\<lambda>x. x"]
isCNodeCap_capUntypedPtr_capCNodePtr
@ -823,7 +823,7 @@ lemma stored_hw_asid_get_ccorres_split':
add_mask_eq pdBits_def pageBits_def word_bits_def
valid_pde_mapping_offset'_def pd_asid_slot_def)
apply (simp add: cpde_relation_def Let_def pde_lift_def
split: split_if_asm)
split: if_split_asm)
done
lemma ptr_add_0xFF0:
@ -853,7 +853,7 @@ lemma pde_stored_asid_Some:
= (pde_get_tag pde = scast pde_pde_invalid
\<and> to_bool (stored_asid_valid_CL (pde_pde_invalid_lift pde))
\<and> v = ucast (stored_hw_asid_CL (pde_pde_invalid_lift pde)))"
by (auto simp add: pde_stored_asid_def split: split_if)
by (auto simp add: pde_stored_asid_def split: if_split)
lemma pointerInUserData_c_guard':
"\<lbrakk> pointerInUserData ptr s; no_0_obj' s; is_aligned ptr 2 \<rbrakk>
@ -1098,7 +1098,7 @@ lemma switchToThread_fp_ccorres:
apply (fastforce simp: ran_def)
apply (frule ctes_of_valid', clarsimp, clarsimp simp: valid_cap'_def)
apply (auto simp: singleton_eq_o2s projectKOs obj_at'_def
pde_stored_asid_def split: split_if_asm)
pde_stored_asid_def split: if_split_asm)
done
lemma thread_state_ptr_set_tsType_np_spec:
@ -1479,14 +1479,14 @@ lemma isValidVTableRoot_fp_lemma:
apply (subgoal_tac "cap_get_tag ccap = scast cap_page_directory_cap
\<Longrightarrow> (index (cap_C.words_C ccap) 0 && 0x10 = 0x10) = to_bool (capPDIsMapped_CL (cap_page_directory_cap_lift ccap))")
apply (clarsimp simp add: cap_get_tag_eq_x mask_def
cap_page_directory_cap_def split: split_if)
cap_page_directory_cap_def split: if_split)
apply (rule conj_cong[OF refl])
apply clarsimp
apply (clarsimp simp: cap_lift_page_directory_cap
cap_to_H_simps
to_bool_def bool_mask[folded word_neq_0_conv]
cap_page_directory_cap_lift_def
elim!: ccap_relationE split: split_if)
elim!: ccap_relationE split: if_split)
apply (thin_tac "P" for P)
apply word_bitwise
done
@ -1496,7 +1496,7 @@ lemma isValidVTableRoot_fp_spec:
{t. ret__unsigned_long_' t = from_bool (isValidVTableRoot_C (pd_cap_' s))}"
apply vcg
apply (clarsimp simp: word_sle_def word_sless_def isValidVTableRoot_fp_lemma)
apply (simp add: from_bool_def split: split_if)
apply (simp add: from_bool_def split: if_split)
done
lemma isRecvEP_endpoint_case:
@ -1600,7 +1600,7 @@ lemma fastpath_dequeue_ccorres:
update_tcb_map_tos typ_heap_simps')
apply (rule conjI, erule ctcb_relation_null_queue_ptrs)
apply (rule ext, simp add: tcb_null_queue_ptrs_def
split: split_if)
split: if_split)
apply (rule conjI)
apply (rule cpspace_relation_ep_update_ep, assumption+)
apply (simp add: Let_def cendpoint_relation_def EPState_Recv_def)
@ -1616,7 +1616,7 @@ lemma fastpath_dequeue_ccorres:
cmachine_state_relation_def h_t_valid_clift_Some_iff
update_ep_map_tos)
apply (erule cready_queues_relation_null_queue_ptrs)
apply (rule ext, simp add: tcb_null_ep_ptrs_def split: split_if)
apply (rule ext, simp add: tcb_null_ep_ptrs_def split: if_split)
done
lemma tcb_NextPrev_C_update_swap:
@ -1684,7 +1684,7 @@ lemma sym_refs_upd_sD:
apply (clarsimp simp: obj_at'_def ko_wp_at'_def projectKOs)
apply (clarsimp simp: project_inject objBits_def)
apply (clarsimp simp: obj_at'_def ps_clear_upd projectKOs
split: split_if)
split: if_split)
apply (clarsimp simp: project_inject objBits_def)
apply auto
done
@ -1775,7 +1775,7 @@ lemma fastpath_enqueue_ccorres:
typ_heap_simps')
apply (rule conjI, erule ctcb_relation_null_queue_ptrs)
apply (rule ext, simp add: tcb_null_queue_ptrs_def
split: split_if)
split: if_split)
apply (rule conjI)
apply (rule_tac S="tcb_ptr_to_ctcb_ptr ` set (ksCurThread \<sigma> # list)"
in cpspace_relation_ep_update_an_ep,
@ -1806,15 +1806,15 @@ lemma fastpath_enqueue_ccorres:
apply (fastforce dest!: map_to_ko_atI)
apply (rule cnotification_relation_q_cong)
apply (clarsimp split: split_if)
apply (clarsimp split: if_split)
apply (clarsimp simp: restrict_map_def ntfn_q_refs_of'_def
split: split_if Structures_H.notification.split_asm Structures_H.ntfn.split_asm)
split: if_split Structures_H.notification.split_asm Structures_H.ntfn.split_asm)
apply (erule notE[rotated], erule_tac ntfnptr=p and ntfn=a in st_tcb_at_not_in_ntfn_queue,
auto dest!: map_to_ko_atI)[1]
apply (simp add: carch_state_relation_def typ_heap_simps' update_ep_map_tos
cmachine_state_relation_def h_t_valid_clift_Some_iff)
apply (erule cready_queues_relation_null_queue_ptrs)
apply (rule ext, simp add: tcb_null_ep_ptrs_def split: split_if)
apply (rule ext, simp add: tcb_null_ep_ptrs_def split: if_split)
apply (clarsimp simp: typ_heap_simps' EPState_Recv_def mask_def
is_aligned_weaken[OF is_aligned_tcb_ptr_to_ctcb_ptr])
apply (clarsimp simp: rf_sr_def cstate_relation_def Let_def)
@ -1824,7 +1824,7 @@ lemma fastpath_enqueue_ccorres:
typ_heap_simps' ct_in_state'_def)
apply (rule conjI, erule ctcb_relation_null_queue_ptrs)
apply (rule ext, simp add: tcb_null_queue_ptrs_def
split: split_if)
split: if_split)
apply (rule conjI)
apply (rule_tac S="{tcb_ptr_to_ctcb_ptr (ksCurThread \<sigma>)}"
in cpspace_relation_ep_update_an_ep, assumption+)
@ -1836,15 +1836,15 @@ lemma fastpath_enqueue_ccorres:
apply (erule iffD1 [OF cmap_relation_cong, OF refl refl, rotated -1])
apply simp
apply (rule cnotification_relation_q_cong)
apply (clarsimp split: split_if)
apply (clarsimp split: if_split)
apply (clarsimp simp: restrict_map_def ntfn_q_refs_of'_def
split: split_if Structures_H.notification.split_asm Structures_H.ntfn.split_asm)
split: if_split Structures_H.notification.split_asm Structures_H.ntfn.split_asm)
apply (erule notE[rotated], rule_tac ntfnptr=p and ntfn=a in st_tcb_at_not_in_ntfn_queue,
assumption+, auto dest!: map_to_ko_atI)[1]
apply (simp add: carch_state_relation_def typ_heap_simps' update_ep_map_tos
cmachine_state_relation_def h_t_valid_clift_Some_iff)
apply (erule cready_queues_relation_null_queue_ptrs)
apply (rule ext, simp add: tcb_null_ep_ptrs_def split: split_if)
apply (rule ext, simp add: tcb_null_ep_ptrs_def split: if_split)
done
@ -2222,7 +2222,7 @@ lemma fastpath_call_ccorres:
apply (drule(1) obj_at_cslift_tcb, clarsimp)
apply (clarsimp simp: typ_heap_simps' ctcb_relation_def cfault_rel_def)
apply (rule rev_bexI, erule threadGet_eq)
apply (clarsimp simp: seL4_Fault_lift_def Let_def split: split_if_asm)
apply (clarsimp simp: seL4_Fault_lift_def Let_def split: if_split_asm)
apply ceqv
apply csymbr
apply (simp del: Collect_const cong: call_ignore_cong)
@ -2457,8 +2457,8 @@ lemma fastpath_call_ccorres:
apply (simp add: ctcb_relation_def cthread_state_relation_def)
apply simp
apply (rule conjI, erule cready_queues_relation_not_queue_ptrs)
apply (rule ext, simp split: split_if add: typ_heap_simps')
apply (rule ext, simp split: split_if add: typ_heap_simps')
apply (rule ext, simp split: if_split add: typ_heap_simps')
apply (rule ext, simp split: if_split add: typ_heap_simps')
apply (simp add: carch_state_relation_def cmachine_state_relation_def
typ_heap_simps' map_comp_update projectKO_opt_tcb
cvariable_relation_upd_const ko_at_projectKO_opt)
@ -2565,8 +2565,8 @@ lemma fastpath_call_ccorres:
apply (simp add: ctcb_relation_def cthread_state_relation_def)
apply simp
apply (rule conjI, erule cready_queues_relation_not_queue_ptrs)
apply (rule ext, simp split: split_if)
apply (rule ext, simp split: split_if)
apply (rule ext, simp split: if_split)
apply (rule ext, simp split: if_split)
apply (simp add: carch_state_relation_def cmachine_state_relation_def
typ_heap_simps' map_comp_update projectKO_opt_tcb
cvariable_relation_upd_const ko_at_projectKO_opt)
@ -2741,7 +2741,7 @@ lemma fastpath_call_ccorres:
ptr_val_tcb_ptr_mask' size_of_def cte_level_bits_def
tcb_cnode_index_defs tcbCTableSlot_def tcbVTableSlot_def
tcbReplySlot_def tcbCallerSlot_def
simp del: Collect_const split del: split_if)
simp del: Collect_const split del: if_split)
apply (drule(1) obj_at_cslift_tcb)
apply (clarsimp simp: ccte_relation_eq_ccap_relation of_bl_from_bool from_bool_0
if_1_0_0 ccap_relation_case_sum_Null_endpoint
@ -2774,7 +2774,7 @@ lemma isMasterReplyCap_fp_conv:
apply (simp add: cap_get_tag_isCap[symmetric])
apply (rule conj_cong)
apply (simp add: mask_def word_bw_assocs cap_get_tag_eq_x
cap_reply_cap_def split: split_if)
cap_reply_cap_def split: if_split)
apply (clarsimp simp: cap_lift_reply_cap cap_to_H_simps
isCap_simps
elim!: ccap_relationE)
@ -2838,7 +2838,7 @@ lemma fastpath_reply_cap_check_ccorres:
apply (rule allI, rule conseqPre, vcg)
apply (clarsimp simp: extra_sle_sless_unfolds isMasterReplyCap_fp_conv
from_bool_def return_def)
apply (simp split: bool.split split_if)
apply (simp split: bool.split if_split)
done
lemma fastpath_reply_recv_ccorres:
@ -2909,7 +2909,7 @@ lemma fastpath_reply_recv_ccorres:
apply (drule(1) obj_at_cslift_tcb, clarsimp)
apply (clarsimp simp: typ_heap_simps' ctcb_relation_def cfault_rel_def)
apply (rule rev_bexI, erule threadGet_eq)
apply (clarsimp simp: seL4_Fault_lift_def Let_def split: split_if_asm)
apply (clarsimp simp: seL4_Fault_lift_def Let_def split: if_split_asm)
apply ceqv
apply csymbr
apply (simp only:)
@ -3068,7 +3068,7 @@ lemma fastpath_reply_recv_ccorres:
apply (clarsimp simp: obj_at_tcbs_of)
apply (clarsimp simp: typ_heap_simps' ctcb_relation_def cfault_rel_def
ccap_relation_reply_helper)
apply (clarsimp simp: seL4_Fault_lift_def Let_def split: split_if_asm)
apply (clarsimp simp: seL4_Fault_lift_def Let_def split: if_split_asm)
apply ceqv
apply (simp del: Collect_const not_None_eq cong: call_ignore_cong)
apply (rule ccorres_Cond_rhs_Seq)
@ -3210,8 +3210,8 @@ lemma fastpath_reply_recv_ccorres:
to_bool_def if_1_0_0)
apply simp
apply (rule conjI, erule cready_queues_relation_not_queue_ptrs)
apply (rule ext, simp split: split_if)
apply (rule ext, simp split: split_if)
apply (rule ext, simp split: if_split)
apply (rule ext, simp split: if_split)
apply (simp add: carch_state_relation_def cmachine_state_relation_def
typ_heap_simps' map_comp_update projectKO_opt_tcb
cvariable_relation_upd_const ko_at_projectKO_opt)
@ -3289,8 +3289,8 @@ lemma fastpath_reply_recv_ccorres:
apply (simp add: ctcb_relation_def cthread_state_relation_def)
apply simp
apply (rule conjI, erule cready_queues_relation_not_queue_ptrs)
apply (rule ext, simp split: split_if)
apply (rule ext, simp split: split_if)
apply (rule ext, simp split: if_split)
apply (rule ext, simp split: if_split)
apply (simp add: carch_state_relation_def cmachine_state_relation_def
typ_heap_simps' map_comp_update projectKO_opt_tcb
cvariable_relation_upd_const ko_at_projectKO_opt)
@ -3505,7 +3505,7 @@ lemma foldr_copy_register_tsrs:
apply (induct rs)
apply simp
apply (simp add: copy_register_tsrs_def fun_eq_iff
split: split_if)
split: if_split)
done
lemma monadic_rewrite_add_lookup_both_sides:
@ -3767,12 +3767,12 @@ lemma fastpath_callKernel_SysCall_corres:
enum_register toEnum_def
msgRegisters_unfold
cong: if_cong)
apply (clarsimp split: split_if)
apply (clarsimp split: if_split)
apply (rule ext)
apply (simp add: badgeRegister_def msgInfoRegister_def
ARM.badgeRegister_def
ARM.msgInfoRegister_def
split: split_if)
split: if_split)
apply simp
apply (wp | simp cong: if_cong bool.case_cong
| rule getCTE_wp' gts_wp' threadGet_wp
@ -3898,7 +3898,7 @@ lemma doReplyTransfer_simple:
lemma monadic_rewrite_if_known:
"monadic_rewrite F E ((\<lambda>s. C = X) and \<top>) (if C then f else g) (if X then f else g)"
apply (rule monadic_rewrite_gen_asm)
apply (simp split del: split_if)
apply (simp split del: if_split)
apply (rule monadic_rewrite_refl)
done
@ -3933,7 +3933,7 @@ lemma receiveIPC_simple_rewrite:
lemma empty_fail_isFinalCapability:
"empty_fail (isFinalCapability cte)"
by (simp add: isFinalCapability_def Let_def split: split_if)
by (simp add: isFinalCapability_def Let_def split: if_split)
lemma cteDeleteOne_replycap_rewrite:
"monadic_rewrite True False
@ -3997,7 +3997,7 @@ lemma emptySlot_cnode_caps:
apply (wp emptySlot_cteCaps_of)
apply (clarsimp simp: cteCaps_of_def cte_wp_at_ctes_of
elim!: rsubst[where P=P] intro!: ext
split: split_if)
split: if_split)
done
lemma cteDeleteOne_cnode_caps:
@ -4026,7 +4026,7 @@ lemma setCTE_obj_at_ep[wp]:
apply (rule obj_at_setObject2)
apply (clarsimp simp: updateObject_cte typeError_def in_monad
split: Structures_H.kernel_object.split_asm
split_if_asm)
if_split_asm)
done
lemma setCTE_obj_at_ntfn[wp]:
@ -4035,7 +4035,7 @@ lemma setCTE_obj_at_ntfn[wp]:
apply (rule obj_at_setObject2)
apply (clarsimp simp: updateObject_cte typeError_def in_monad
split: Structures_H.kernel_object.split_asm
split_if_asm)
if_split_asm)
done
crunch obj_at_ep[wp]: emptySlot "obj_at' (P :: endpoint \<Rightarrow> bool) p"
@ -4173,7 +4173,7 @@ lemma emptySlot_cte_wp_at_cteCap:
\<lbrace>\<lambda>rv s. cte_wp_at' (\<lambda>cte. P (cteCap cte)) p s\<rbrace>"
apply (simp add: tree_cte_cteCap_eq[unfolded o_def])
apply (wp emptySlot_cteCaps_of)
apply (clarsimp split: split_if)
apply (clarsimp split: if_split)
done
lemma real_cte_at_tcbs_of_neq:
@ -4181,7 +4181,7 @@ lemma real_cte_at_tcbs_of_neq:
2 ^ cte_level_bits * offs : dom tcb_cte_cases |]
==> p ~= t + 2 ^ cte_level_bits * offs"
apply (clarsimp simp: tcbs_of_def obj_at'_def projectKOs objBits_simps
split: split_if_asm)
split: if_split_asm)
apply (erule notE[rotated], erule(2) tcb_ctes_clear[rotated])
apply fastforce
done
@ -4194,7 +4194,7 @@ lemma setEndpoint_getCTE_pivot[unfolded K_bind_def]:
fun_eq_iff bind_assoc)
apply (simp add: exec_gets assert_def assert_opt_def
exec_modify update_ep_map_tos
split: split_if option.split)
split: if_split option.split)
done
lemma setEndpoint_setCTE_pivot[unfolded K_bind_def]:
@ -4230,8 +4230,8 @@ lemma setEndpoint_setCTE_pivot[unfolded K_bind_def]:
in monadic_rewrite_refl3)
apply (simp add: setEndpoint_def setObject_modify_assert bind_assoc
exec_gets assert_def exec_modify
split: split_if)
apply (auto split: split_if simp: obj_at'_def projectKOs
split: if_split)
apply (auto split: if_split simp: obj_at'_def projectKOs
intro!: arg_cong[where f=f] ext kernel_state.fold_congs)[1]
apply wp
apply simp
@ -4243,7 +4243,7 @@ lemma setEndpoint_updateMDB_pivot[unfolded K_bind_def]:
by (clarsimp simp: updateMDB_def bind_assoc
setEndpoint_getCTE_pivot
setEndpoint_setCTE_pivot
split: split_if)
split: if_split)
lemma setEndpoint_updateCap_pivot[unfolded K_bind_def]:
"do setEndpoint p val; updateCap slot mf; f od =
@ -4260,7 +4260,7 @@ lemma modify_setEndpoint_pivot[unfolded K_bind_def]:
apply (simp add: setEndpoint_def setObject_modify_assert
bind_assoc fun_eq_iff
exec_gets exec_modify assert_def
split: split_if)
split: if_split)
apply atomize
apply clarsimp
apply (drule_tac x="\<lambda>_. ksPSpace s" in spec)
@ -4292,7 +4292,7 @@ lemma emptySlot_setEndpoint_pivot[unfolded K_bind_def]:
setEndpoint_updateMDB_pivot
case_Null_If
setEndpoint_clearUntypedFreeIndex_pivot
split: split_if
split: if_split
| rule bind_apply_cong[OF refl])+
done
@ -4343,13 +4343,13 @@ lemma set_setCTE[unfolded K_bind_def]:
\<and> (\<forall> f g tcb. setF f (setF g tcb) = setF (f o g) tcb)))"
in monadic_rewrite_gen_asm)
apply (rule monadic_rewrite_refl2)
apply (simp add: exec_modify split: split_if)
apply (simp add: exec_modify split: if_split)
apply (auto simp: simpler_modify_def projectKO_opt_tcb
intro!: kernel_state.fold_congs ext
split: split_if)[1]
split: if_split)[1]
apply wp
apply (clarsimp intro!: all_tcbI)
apply (auto simp: tcb_cte_cases_def split: split_if_asm)
apply (auto simp: tcb_cte_cases_def split: if_split_asm)
done
lemma setCTE_updateCapMDB:
@ -4359,7 +4359,7 @@ lemma setCTE_updateCapMDB:
cte_overwrite set_setCTE)
apply (simp add: getCTE_assert_opt setCTE_assert_modify bind_assoc)
apply (rule ext, simp add: exec_gets assert_opt_def exec_modify
split: split_if option.split)
split: if_split option.split)
apply (cut_tac P=\<top> and p=p and s=x in cte_wp_at_ctes_of)
apply (cases cte)
apply (simp add: cte_wp_at_obj_cases')
@ -4510,7 +4510,7 @@ lemma tcbSchedEnqueue_tcbIPCBuffer:
\<lbrace>\<lambda>_. obj_at' (\<lambda>tcb. P (tcbIPCBuffer tcb)) t\<rbrace>"
apply (simp add: tcbSchedEnqueue_def unless_when)
apply (wp threadSet_obj_at' hoare_drop_imps threadGet_wp
|simp split: split_if)+
|simp split: if_split)+
done
crunch obj_at'_tcbIPCBuffer[wp]: rescheduleRequired "obj_at' (\<lambda>tcb. P (tcbIPCBuffer tcb)) t"
@ -4814,13 +4814,13 @@ lemma fastpath_callKernel_SysReplyRecv_corres:
enum_register toEnum_def
msgRegisters_unfold
cong: if_cong)
apply (clarsimp split: split_if)
apply (clarsimp split: if_split)
apply (rule ext)
apply (simp add: badgeRegister_def msgInfoRegister_def
ARM.msgInfoRegister_def
ARM.badgeRegister_def
cong: if_cong
split: split_if)
cong: if_cong
split: if_split)
apply simp
apply (clarsimp simp: cte_wp_at_ctes_of isCap_simps
map_to_ctes_partial_overwrite)


@ -26,7 +26,7 @@ lemma switchIfRequiredTo_ccorres [corres]:
apply clarsimp
done
declare split_if [split del]
declare if_split [split del]
lemma empty_fail_getEndpoint:
"empty_fail (getEndpoint ep)"
@ -59,9 +59,9 @@ lemma tcbSchedEnqueue_cslift_spec:
h_t_valid_field[OF h_t_valid_clift])
apply (rule conjI)
apply (clarsimp simp: typ_heap_simps cong: if_cong)
apply (simp split: split_if)
apply (simp split: if_split)
apply (clarsimp simp: typ_heap_simps if_Some_helper cong: if_cong)
by (simp split: split_if)
by (simp split: if_split)
lemma setThreadState_cslift_spec:
"\<forall>s. \<Gamma>\<turnstile>\<^bsub>/UNIV\<^esub> \<lbrace>s. s \<Turnstile>\<^sub>c \<acute>tptr \<and> (\<forall>x. ksSchedulerAction_' (globals s) = tcb_Ptr x
@ -103,7 +103,7 @@ lemma setThreadState_cslift_spec:
apply vcg_step+
apply (clarsimp simp: typ_heap_simps h_t_valid_clift_Some_iff
fun_eq_iff option_map2_def if_1_0_0)
by (simp split: split_if)
by (simp split: if_split)
lemma ep_queue_relation_shift:
"(option_map2 tcbEPNext_C (cslift s')
@ -355,7 +355,7 @@ lemma cancelAllIPC_ccorres:
| simp)+
apply (rule mapM_x_wp', wp)+
apply (wp sts_st_tcb')
apply (clarsimp split: split_if)
apply (clarsimp split: if_split)
apply (rule mapM_x_wp', wp)+
apply (clarsimp simp: valid_tcb_state'_def)
apply (simp add: guard_is_UNIV_def)
@ -402,7 +402,7 @@ lemma cancelAllIPC_ccorres:
apply (ctac add: rescheduleRequired_ccorres)
apply (wp cancelAllIPC_mapM_x_valid_queues)
apply (wp mapM_x_wp' weak_sch_act_wf_lift_linear
sts_st_tcb' | clarsimp simp: valid_tcb_state'_def split: split_if)+
sts_st_tcb' | clarsimp simp: valid_tcb_state'_def split: if_split)+
apply (simp add: guard_is_UNIV_def)
apply (wp set_ep_valid_objs' hoare_vcg_const_Ball_lift
weak_sch_act_wf_lift_linear)
@ -489,7 +489,7 @@ lemma cancelAllSignals_ccorres:
apply (ctac add: rescheduleRequired_ccorres)
apply (wp cancelAllIPC_mapM_x_valid_queues)
apply (wp mapM_x_wp' weak_sch_act_wf_lift_linear
sts_st_tcb' | clarsimp simp: valid_tcb_state'_def split: split_if)+
sts_st_tcb' | clarsimp simp: valid_tcb_state'_def split: if_split)+
apply (simp add: guard_is_UNIV_def)
apply (wp set_ntfn_valid_objs' hoare_vcg_const_Ball_lift
weak_sch_act_wf_lift_linear)
@ -564,7 +564,7 @@ lemma tcb_queue_relation2_concat:
apply (induct xs arbitrary: before)
apply simp
apply (rename_tac x xs before)
apply (simp split del: split_if)
apply (simp split del: if_split)
apply (case_tac "hp x")
apply simp
apply simp
@ -640,7 +640,7 @@ lemma cap_to_H_NTFNCap_tag:
"\<lbrakk> cap_to_H cap = NotificationCap word1 word2 a b;
cap_lift C_cap = Some cap \<rbrakk> \<Longrightarrow>
cap_get_tag C_cap = scast cap_notification_cap"
apply (clarsimp simp: cap_to_H_def Let_def split: cap_CL.splits split_if_asm)
apply (clarsimp simp: cap_to_H_def Let_def split: cap_CL.splits if_split_asm)
by (simp_all add: Let_def cap_lift_def split: if_splits)
lemmas ccorres_pre_getBoundNotification = ccorres_pre_threadGet [where f=tcbBoundNotification, folded getBoundNotification_def]
@ -976,13 +976,13 @@ lemma invalidateASIDEntry_ccorres:
apply (rule ccorres_split_nothrow_novcg_dc)
apply (rule ccorres_cond2[where R=\<top>])
apply (clarsimp simp: Collect_const_mem pde_stored_asid_def to_bool_def
split: split_if)
split: if_split)
apply csymbr
apply (rule ccorres_Guard)+
apply (rule_tac P="rv \<noteq> None" in ccorres_gen_asm)
apply (ctac(no_simp) add: invalidateHWASIDEntry_ccorres)
apply (clarsimp simp: pde_stored_asid_def unat_ucast
split: split_if_asm)
split: if_split_asm)
apply (rule sym, rule nat_mod_eq')
apply (simp add: pde_pde_invalid_lift_def pde_lift_def)
apply (rule unat_less_power[where sz=8, simplified])
@ -1203,7 +1203,7 @@ lemma deleteASID_ccorres:
apply (drule sym, simp)
apply (simp add: option_to_ptr_def option_to_0_def
from_bool_def inv_ASIDPool
split: option.split split_if bool.split)
split: option.split if_split bool.split)
apply ceqv
apply (rule ccorres_cond2[where R=\<top>])
apply (simp add: Collect_const_mem from_bool_0)
@ -1268,7 +1268,7 @@ lemma deleteASID_ccorres:
projectKOs invs_valid_pde_mappings'
invs_cur')
apply (rule conjI, blast)
subgoal by (fastforce simp: inv_into_def ran_def split: split_if_asm)
subgoal by (fastforce simp: inv_into_def ran_def split: if_split_asm)
by (clarsimp simp: order_le_less_trans [OF word_and_le1]
asid_shiftr_low_bits_less asid_bits_def mask_def
plus_one_helper arg_cong[where f="\<lambda>x. 2 ^ x", OF meta_eq_to_obj_eq, OF asid_low_bits_def]
@ -1369,8 +1369,8 @@ lemma pageTableMapped_ccorres:
return_def addrFromPPtr_def
pde_pde_coarse_lift_def)
apply (rule conjI)
apply (simp add: pde_lift_def Let_def split: split_if_asm)
apply (clarsimp simp: option_to_0_def option_to_ptr_def split: split_if)
apply (simp add: pde_lift_def Let_def split: if_split_asm)
apply (clarsimp simp: option_to_0_def option_to_ptr_def split: if_split)
apply (clarsimp simp: ARM.addrFromPPtr_def ARM.ptrFromPAddr_def)
apply ((rule ccorres_cond_false_seq ccorres_cond_false
ccorres_return_C | simp)+)[3]
@ -1378,7 +1378,7 @@ lemma pageTableMapped_ccorres:
apply wp
apply (clarsimp simp: guard_is_UNIV_def Collect_const_mem if_1_0_0)
apply (simp add: cpde_relation_def Let_def pde_lift_def
split: split_if_asm,
split: if_split_asm,
auto simp: option_to_0_def option_to_ptr_def pde_tag_defs)[1]
apply simp
apply (rule ccorres_split_throws)
@ -1398,7 +1398,7 @@ lemma pageTableMapped_pd:
apply (rule hoare_pre)
apply (wp getPDE_wp hoare_vcg_all_lift_R | wpc)+
apply (rule hoare_post_imp_R, rule findPDForASID_page_directory_at'_simple)
apply (clarsimp split: split_if)
apply (clarsimp split: if_split)
apply simp
done
@ -1580,24 +1580,24 @@ lemma Arch_finaliseCap_ccorres:
subgoal by (clarsimp simp: cap_small_frame_cap_lift cap_to_H_def to_bool_def
vmsz_aligned_aligned_pageBits
elim!: ccap_relationE
split: option.split_asm split_if_asm)
split: option.split_asm if_split_asm)
apply (clarsimp simp: valid_cap'_def mask_def)
apply (frule(1) cap_get_tag_isCap_unfolded_H_cap)
subgoal by (clarsimp simp: cap_frame_cap_lift cap_to_H_def to_bool_def
vmsz_aligned_aligned_pageBits
elim!: ccap_relationE
split: option.split_asm split_if_asm)
split: option.split_asm if_split_asm)
apply (clarsimp simp: valid_cap'_def mask_def)
apply (frule cap_get_tag_isCap_unfolded_H_cap)
apply (clarsimp simp: cap_page_table_cap_lift cap_to_H_def to_bool_def
elim!: ccap_relationE
split: option.split_asm split_if_asm)
split: option.split_asm if_split_asm)
apply (clarsimp simp: valid_cap'_def)
apply (frule cap_get_tag_isCap_unfolded_H_cap)
apply (frule cap_lift_page_directory_cap)
apply (clarsimp simp: ccap_relation_def cap_to_H_def capAligned_def
to_bool_def cap_page_directory_cap_lift_def
split: split_if_asm)
split: if_split_asm)
apply (rule conjI)
apply (clarsimp simp: asid_bits_def cap_page_directory_cap_lift_def)
apply clarsimp
@ -1619,7 +1619,7 @@ lemma Arch_finaliseCap_ccorres:
apply (clarsimp simp: cap_frame_cap_lift cap_to_H_def
vm_page_size_defs framesize_to_H_def
elim!: ccap_relationE simp del: Collect_const frame_cap_size
split: split_if)
split: if_split)
apply (clarsimp simp: c_valid_cap_def cl_valid_cap_def
Kernel_C.ARMSmallPage_def)
apply (clarsimp simp: cap_get_tag_isCap_unfolded_H_cap)
@ -1690,7 +1690,7 @@ lemma isFinalCapability_ccorres:
apply (rule allI, rule conseqPre, vcg)
apply (clarsimp simp: return_def from_bool_eq_if from_bool_0
mdbNext_to_H[symmetric] rf_sr_cte_at_validD)
apply (clarsimp simp: cte_wp_at_ctes_of split: split_if)
apply (clarsimp simp: cte_wp_at_ctes_of split: if_split)
apply (rule cmap_relationE1 [OF cmap_relation_cte], assumption+,
simp?, simp add: typ_heap_simps)+
apply (drule ccte_relation_ccap_relation)+
@ -2032,7 +2032,7 @@ lemma finaliseCap_ccorres:
apply (rule allI, rule conseqPre, vcg)
apply (clarsimp simp: return_def)
apply (frule cap_get_tag_to_H, erule(1) cap_get_tag_isCap [THEN iffD2])
apply (simp add: ccap_relation_NullCap_iff split: split_if)
apply (simp add: ccap_relation_NullCap_iff split: if_split)
apply (frule(1) ccap_relation_IRQHandler_mask)
apply (erule irq_opt_relation_Some_ucast)
apply (simp add: ARM.maxIRQ_def Kernel_C.maxIRQ_def)


@ -421,7 +421,7 @@ lemma checkIRQ_ret_good:
"\<lbrace>\<lambda>s. (irq \<le> scast Kernel_C.maxIRQ \<longrightarrow> P s) \<and> Q s\<rbrace> checkIRQ irq \<lbrace>\<lambda>rv. P\<rbrace>, \<lbrace>\<lambda>rv. Q\<rbrace>"
apply (clarsimp simp: checkIRQ_def rangeCheck_def Platform_maxIRQ minIRQ_def)
apply (rule hoare_pre,wp)
by (clarsimp simp: Kernel_C.maxIRQ_def split: split_if)
by (clarsimp simp: Kernel_C.maxIRQ_def split: if_split)
lemma toEnum_of_ucast:
"len_of TYPE('b) \<le> len_of TYPE('a) \<Longrightarrow>


@ -370,7 +370,7 @@ lemma invokeCNodeRotate_ccorres:
(invokeCNode (Rotate cap1 cap2 slot1 slot2 slot3))
(Call invokeCNodeRotate_'proc)"
apply (cinit lift: slot1_' slot2_' slot3_' cap1_' cap2_' simp del: return_bind cong:call_ignore_cong)
apply (simp split del: split_if del: Collect_const)
apply (simp split del: if_split del: Collect_const)
apply (simp only: liftE_def)
apply (rule_tac r'="dc" and xf'="xfdc" in ccorres_split_nothrow_novcg)
apply (rule ccorres_cond [where R = \<top>])
@ -410,7 +410,7 @@ lemma invokeCNodeSaveCaller_ccorres:
(invokeCNode (SaveCaller destSlot))
(Call invokeCNodeSaveCaller_'proc)"
apply (cinit lift: destSlot_' simp del: return_bind cong:call_ignore_cong)
apply (simp add: Collect_True split del: split_if del: Collect_const cong:call_ignore_cong)
apply (simp add: Collect_True split del: if_split del: Collect_const cong:call_ignore_cong)
apply (simp only: liftE_def)
apply (rule ccorres_Guard_Seq)+
apply (simp only: bind_assoc)
@ -557,7 +557,7 @@ lemma hasCancelSendRights_spec:
apply (drule sym, drule (1) cap_get_tag_to_H)
apply (clarsimp simp: hasCancelSendRights_def to_bool_def
true_def false_def
split: split_if bool.splits)
split: if_split bool.splits)
apply (rule impI)
apply (case_tac cap,
auto simp: cap_get_tag_isCap_unfolded_H_cap cap_tag_defs
@ -818,7 +818,7 @@ lemma decodeCNodeInvocation_ccorres:
apply (rule ccorres_from_vcg_split_throws[where P=\<top> and P'=UNIV])
apply vcg
apply (rule conseqPre, vcg)
apply (clarsimp split: split_if simp: injection_handler_throwError)
apply (clarsimp split: if_split simp: injection_handler_throwError)
apply (auto simp: throwError_def return_def
syscall_error_to_H_cases syscall_error_rel_def
exception_defs)[1]
@ -1705,8 +1705,8 @@ lemma pspace_no_overlap_underlying_zero_update:
= s"
apply (subgoal_tac "\<forall>x \<in> S. underlying_memory (ksMachineState s) x = 0")
apply (cases "ksMachineState s")
apply (cases s, simp add: fun_eq_iff split: split_if)
apply (clarsimp split: split_if_asm)
apply (cases s, simp add: fun_eq_iff split: if_split)
apply (clarsimp split: if_split_asm)
apply (erule pspace_no_overlap_underlying_zero)
apply (simp add: invs'_def valid_state'_def)
apply blast
@ -1781,7 +1781,7 @@ lemma clearMemory_untyped_ccorres:
apply (simp add: addrFromPPtr_mask)
apply (cases "ptr = 0")
apply (drule subsetD, rule intvl_self, simp)
apply (simp split: split_if_asm)
apply (simp split: if_split_asm)
apply simp
done
@ -1954,7 +1954,7 @@ lemma byte_regions_unmodified_actually_heap_list:
apply (drule_tac x=x in spec)
apply (drule_tac x=x in bspec)
apply blast
apply (clarsimp split: split_if_asm)
apply (clarsimp split: if_split_asm)
done
lemma resetUntypedCap_ccorres:
@ -2147,7 +2147,7 @@ lemma resetUntypedCap_ccorres:
apply (clarsimp simp: valid_cap_simps' capAligned_def
aligned_offset_non_zero cteCaps_of_def
is_aligned_mask_out_add_eq_sub[OF is_aligned_weaken]
split_if[where P="\<lambda>z. a \<le> z" for a])
if_split[where P="\<lambda>z. a \<le> z" for a])
apply (strengthen is_aligned_mult_triv2[THEN is_aligned_weaken]
aligned_sub_aligned[OF _ _ order_refl]
aligned_intvl_offset_subset_ran
@ -2551,7 +2551,7 @@ lemma invokeUntyped_Retype_ccorres:
apply clarsimp
apply (frule cap_get_tag_isCap_unfolded_H_cap)
apply (cut_tac some_range_cover_arithmetic)
apply (case_tac cte', clarsimp simp: modify_map_def fun_eq_iff split: split_if)
apply (case_tac cte', clarsimp simp: modify_map_def fun_eq_iff split: if_split)
apply (simp add: mex_def meq_def ptr_base_eq del: split_paired_Ex)
apply (rule exI, strengthen refl, simp)
apply (strengthen globals.fold_congs, simp add: field_simps)
@ -2594,7 +2594,7 @@ lemma invokeUntyped_Retype_ccorres:
invokeUntyped_proofs.caps_no_overlap'
invokeUntyped_proofs.ps_no_overlap'
invokeUntyped_proofs.descendants_range
split_if[where P="\<lambda>v. v \<le> getFreeIndex x y" for x y]
if_split[where P="\<lambda>v. v \<le> getFreeIndex x y" for x y]
empty_descendants_range_in'
invs_pspace_aligned' invs_pspace_distinct'
invs_ksCurDomain_maxDomain'
@ -2620,7 +2620,7 @@ lemma invokeUntyped_Retype_ccorres:
apply (erule is_aligned_weaken[OF range_cover.aligned])
apply (clarsimp simp: APIType_capBits_low)
(* new idx le *)
apply (clarsimp split: split_if)
apply (clarsimp split: if_split)
(* cnodeptr not in area *)
apply (rule contra_subsetD[rotated],
rule invokeUntyped_proofs.ex_cte_no_overlap'[OF proofs], rule misc)
@ -2645,7 +2645,7 @@ lemma invokeUntyped_Retype_ccorres:
apply (rule order_trans, erule invokeUntyped_proofs.subset_stuff)
apply (simp add: atLeastatMost_subset_iff word_and_le2)
(* destSlots *)
apply (clarsimp split: split_if)
apply (clarsimp split: if_split)
apply (frule invokeUntyped_proofs.slots_invD[OF proofs])
apply (simp add: conj_comms)
(* usableUntyped *)
@ -2666,7 +2666,7 @@ lemma invokeUntyped_Retype_ccorres:
apply (cut_tac vui)
apply (clarsimp simp: cap_get_tag_isCap getFreeIndex_def
cte_wp_at_ctes_of shiftL_nat
split: split_if)
split: if_split)
apply (simp add: mask_out_sub_mask field_simps region_is_bytes'_def)
apply (clarsimp elim!: region_actually_is_bytes_subset)
apply (rule order_refl)
@ -2708,7 +2708,7 @@ lemma ccorres_returnOk_Basic:
lemma injection_handler_whenE:
"injection_handler injf (whenE P f)
= whenE P (injection_handler injf f)"
by (simp add: whenE_def injection_handler_returnOk split: split_if)
by (simp add: whenE_def injection_handler_returnOk split: if_split)
lemma fromEnum_object_type_to_H:
"fromEnum x = unat (object_type_from_H x)"
@ -2717,7 +2717,7 @@ lemma fromEnum_object_type_to_H:
enum_apiobject_type
object_type_from_H_def
"StrictC'_object_defs" "api_object_defs"
split: split_if)
split: if_split)
apply (auto simp: "api_object_defs")
done
@ -2747,7 +2747,7 @@ lemma ccorres_throwError_inl_rrel:
apply (simp add: throwError_def return_def)
apply assumption
apply (simp add: throwError_def return_def
unif_rrel_def split: split_if_asm)
unif_rrel_def split: if_split_asm)
done
lemmas ccorres_return_C_errorE_inl_rrel
@ -2958,7 +2958,7 @@ proof -
from foo have plus: "unat wbase + unat wlength < 2 ^ len_of TYPE('a)"
apply -
apply (rule order_le_less_trans[rotated], rule sz_less, simp)
apply (simp add: unat_arith_simps split: split_if_asm)
apply (simp add: unat_arith_simps split: if_split_asm)
done
from foo show ?thesis
@ -2967,7 +2967,7 @@ qed
lemma unat_2tp_if:
"unat (2 ^ n :: ('a :: len) word) = (if n < len_of TYPE ('a) then 2 ^ n else 0)"
by (split split_if, simp_all add: power_overflow)
by (split if_split, simp_all add: power_overflow)
lemma ctes_of_ex_cte_cap_to':
"ctes_of s p = Some cte \<Longrightarrow> \<forall>r \<in> cte_refs' (cteCap cte) (irq_node' s). ex_cte_cap_to' r s"
@ -3298,7 +3298,7 @@ shows
apply (simp add: all_ex_eq_helper)
apply (vcg exspec=ensureEmptySlot_modifies)
apply (clarsimp simp: upto_enum_word
split: split_if_asm simp del: upt.simps)
split: if_split_asm simp del: upt.simps)
apply (simp add: cte_level_bits_def field_simps size_of_def
numeral_eqs[symmetric])
apply (simp add: cap_get_tag_isCap[symmetric]
@ -3472,7 +3472,7 @@ shows
apply (strengthen word_of_nat_less)
apply (clarsimp simp: StrictC'_thread_state_defs mask_def true_def false_def
from_bool_0 ccap_relation_isDeviceCap2
split: split_if)
split: if_split)
apply (intro conjI impI; clarsimp simp:not_less shiftr_overflow)
apply simp
apply simp
@ -3506,7 +3506,7 @@ shows
fromAPIType_def)
apply (clarsimp simp: word_le_nat_alt unat_2tp_if
valid_tcb_state'_def
split: option.split_asm split_if_asm)
split: option.split_asm if_split_asm)
apply blast
apply (case_tac "tcbState obja",
(simp add: runnable'_def valid_tcb_state'_def)+)[1]
@ -3540,7 +3540,7 @@ shows
wbase="args ! 4" and wlength="args ! 5"], simp_all)[1]
apply (simp add: valid_cap_simps' capAligned_def word_bits_def)
apply (clarsimp simp: upto_enum_def word_le_nat_alt[symmetric]
split: option.split_asm split_if_asm)
split: option.split_asm if_split_asm)
apply (drule spec, drule mp, erule conjI, rule order_refl)
apply clarsimp
apply (simp del: Collect_const)


@ -92,7 +92,7 @@ lemma cmap_relation_drop_fun_upd:
apply (simp add: cmap_relation_def)
apply (rule conj_cong[OF refl])
apply (rule ball_cong[OF refl])
apply (auto split: split_if)
apply (auto split: if_split)
done
lemma valid_queuesD':
@ -154,7 +154,7 @@ lemma tcbEPDequeue_spec:
apply (intro allI)
apply (rule conseqPre)
apply vcg
apply (clarsimp split del: split_if)
apply (clarsimp split del: if_split)
apply (frule (4) tcb_queue_valid_ptrsD [OF _ _ _ _ tcb_queue_relation'_queue_rel])
apply (elim conjE exE)
apply (frule (3) tcbEPDequeue_update)
@ -215,7 +215,7 @@ lemma cancelSignal_ccorres_helper:
FI)"
apply (rule ccorres_from_vcg)
apply (rule allI, rule conseqPre, vcg)
apply (clarsimp split del: split_if simp del: comp_def)
apply (clarsimp split del: if_split simp del: comp_def)
apply (frule (2) ntfn_blocked_in_queueD)
apply (frule (1) ko_at_valid_ntfn' [OF _ invs_valid_objs'])
apply (elim conjE)
@ -232,7 +232,7 @@ lemma cancelSignal_ccorres_helper:
apply (intro conjI, assumption+)
apply (drule (2) ntfn_to_ep_queue)
apply (simp add: tcb_queue_relation'_def)
apply (clarsimp simp: typ_heap_simps cong: imp_cong split del: split_if simp del: comp_def)
apply (clarsimp simp: typ_heap_simps cong: imp_cong split del: if_split simp del: comp_def)
apply (frule null_ep_queue [simplified Fun.comp_def])
apply (intro impI conjI allI)
-- "empty case"
@ -301,7 +301,7 @@ lemma cancelSignal_ccorres_helper:
-- "ntfn relation"
apply (rule cpspace_relation_ntfn_update_ntfn, assumption+)
apply (simp add: cnotification_relation_def Let_def isWaitingNtfn_def
split: ntfn.splits split del: split_if)
split: ntfn.splits split del: if_split)
apply (erule iffD1 [OF tcb_queue_relation'_cong [OF refl _ _ refl], rotated -1])
apply (clarsimp simp add: Ptr_ptr_val h_t_valid_clift_Some_iff)
apply (simp add: tcb_queue_relation'_next_mask_4)
@ -778,7 +778,7 @@ lemma state_relation_queue_update_helper':
apply clarsimp
apply (drule_tac x="tcb_ptr_to_ctcb_ptr x" in fun_cong)+
apply (clarsimp simp: restrict_map_def
split: split_if_asm)
split: if_split_asm)
apply (simp_all add: carch_state_relation_def cmachine_state_relation_def
h_t_valid_clift_Some_iff)
done
@ -1110,7 +1110,7 @@ proof -
apply (drule spec, drule(1) mp, clarsimp)
apply (clarsimp simp: typ_heap_simps ctcb_relation_def)
apply ceqv
apply (simp add: when_def unless_def del: Collect_const split del: split_if)
apply (simp add: when_def unless_def del: Collect_const split del: if_split)
apply (rule ccorres_cond[where R=\<top>])
apply (simp add: to_bool_def)
apply (rule ccorres_rhs_assoc)+
@ -1232,7 +1232,7 @@ proof -
(simp | rule globals.equality)+,
simp_all add: typ_heap_simps if_Some_helper numPriorities_def
cready_queues_index_to_C_def2 upd_unless_null_def
cong: if_cong split del: split_if
cong: if_cong split del: if_split
del: fun_upd_restrict_conv)[1]
apply simp
apply (rule conjI)
@ -1301,7 +1301,7 @@ lemma tcb_queue_relation_prev_next':
\<and> (tp tcb \<noteq> tcb_Ptr 0 \<longrightarrow> tp tcb \<in> tcb_ptr_to_ctcb_ptr ` set queue
\<and> mp (tp tcb) \<noteq> None \<and> tp tcb \<noteq> tcb_ptr_to_ctcb_ptr tcbp)
\<and> (tn tcb \<noteq> tcb_Ptr 0 \<longrightarrow> tn tcb \<noteq> tp tcb)"
apply (clarsimp simp: tcb_queue_relation'_def split: split_if_asm)
apply (clarsimp simp: tcb_queue_relation'_def split: if_split_asm)
apply (drule(1) tcb_queue_relation_prev_next, simp_all)
apply (fastforce dest: tcb_at_not_NULL)
apply clarsimp
@ -1358,7 +1358,7 @@ lemma rf_sr_drop_bitmaps_dequeue_helper:
lemma filter_empty_unfiltered_contr:
"\<lbrakk> [x\<leftarrow>xs . x \<noteq> y] = [] ; x' \<in> set xs ; x' \<noteq> y \<rbrakk> \<Longrightarrow> False"
by (induct xs, auto split: split_if_asm)
by (induct xs, auto split: if_split_asm)
(* FIXME same proofs as bit_set, maybe can generalise? *)
lemma cbitmap_L1_relation_bit_clear:
@ -1463,7 +1463,7 @@ proof -
apply (clarsimp simp: typ_heap_simps ctcb_relation_def)
apply ceqv
apply (simp add: when_def
del: Collect_const split del: split_if)
del: Collect_const split del: if_split)
apply (rule ccorres_cond[where R=\<top>])
apply (simp add: to_bool_def)
apply (rule ccorres_rhs_assoc)+
@ -1592,7 +1592,7 @@ proof -
simp_all add: clift_field_update if_Some_helper numPriorities_def
cready_queues_index_to_C_def2 typ_heap_simps
maxDom_to_H maxPrio_to_H
cong: if_cong split del: split_if)[1]
cong: if_cong split del: if_split)[1]
apply (fold_subgoals (prefix))[2]
subgoal premises prems using prems by (fastforce simp: tcb_null_sched_ptrs_def)+
apply (erule_tac S="set (ksReadyQueues \<sigma> (tcbDomain ko, tcbPriority ko))"
@ -1601,7 +1601,7 @@ proof -
simp_all add: clift_field_update if_Some_helper numPriorities_def
cready_queues_index_to_C_def2
maxDom_to_H maxPrio_to_H
cong: if_cong split del: split_if,
cong: if_cong split del: if_split,
simp_all add: typ_heap_simps')[1]
subgoal by (fastforce simp: tcb_null_sched_ptrs_def)
subgoal by fastforce
@ -1621,7 +1621,7 @@ proof -
simp_all add: clift_field_update if_Some_helper numPriorities_def
cready_queues_index_to_C_def2
maxDom_to_H maxPrio_to_H
cong: if_cong split del: split_if)[1]
cong: if_cong split del: if_split)[1]
apply (fold_subgoals (prefix))[4]
subgoal premises prems using prems
by (fastforce simp: typ_heap_simps tcb_null_sched_ptrs_def)+
@ -1691,7 +1691,7 @@ proof -
simp_all add: clift_field_update if_Some_helper numPriorities_def
cready_queues_index_to_C_def2
maxDom_to_H maxPrio_to_H
cong: if_cong split del: split_if)[1]
cong: if_cong split del: if_split)[1]
apply (fastforce simp: typ_heap_simps tcb_null_sched_ptrs_def)+
apply (erule_tac S="set (ksReadyQueues \<sigma> (tcbDomain ko, tcbPriority ko))"
in state_relation_queue_update_helper',
@ -1699,7 +1699,7 @@ proof -
simp_all add: clift_field_update if_Some_helper numPriorities_def
cready_queues_index_to_C_def2
maxDom_to_H maxPrio_to_H
cong: if_cong split del: split_if)[1]
cong: if_cong split del: if_split)[1]
apply (fold_subgoals (prefix))[4]
subgoal premises prems using prems
by (fastforce simp: typ_heap_simps tcb_null_sched_ptrs_def)+
@ -1720,7 +1720,7 @@ proof -
simp_all add: clift_field_update if_Some_helper numPriorities_def
cready_queues_index_to_C_def2 typ_heap_simps
maxDom_to_H maxPrio_to_H
cong: if_cong split del: split_if)[1]
cong: if_cong split del: if_split)[1]
apply (fold_subgoals (prefix))[2]
subgoal premises prems using prems
by (fastforce simp: typ_heap_simps tcb_null_sched_ptrs_def)+
@ -1828,7 +1828,7 @@ proof -
apply (drule spec, drule(1) mp, clarsimp)
apply (clarsimp simp: typ_heap_simps ctcb_relation_def)
apply ceqv
apply (simp add: when_def unless_def del: Collect_const split del: split_if)
apply (simp add: when_def unless_def del: Collect_const split del: if_split)
apply (rule ccorres_cond[where R=\<top>])
apply (simp add: to_bool_def)
apply (rule ccorres_rhs_assoc)+
@ -1934,7 +1934,7 @@ proof -
(simp | rule globals.equality)+,
simp_all add: typ_heap_simps if_Some_helper numPriorities_def
cready_queues_index_to_C_def2 upd_unless_null_def
cong: if_cong split del: split_if
cong: if_cong split del: if_split
del: fun_upd_restrict_conv)[1]
apply simp
apply (rule conjI)
@ -2022,7 +2022,7 @@ lemma rescheduleRequired_ccorres:
apply (rule ccorres_symb_exec_l)
apply (rule ccorres_split_nothrow_novcg[where r'=dc and xf'=xfdc])
apply (simp add: scheduler_action_case_switch_to_if
cong: if_weak_cong split del: split_if)
cong: if_weak_cong split del: if_split)
apply (rule_tac R="\<lambda>s. action = ksSchedulerAction s \<and> weak_sch_act_wf action s"
in ccorres_cond)
apply (clarsimp simp: rf_sr_def cstate_relation_def Let_def
@ -2124,7 +2124,7 @@ lemma possibleSwitchTo_ccorres:
split: scheduler_action.split_asm dest!: pred_tcb_at' )
apply (ctac add: rescheduleRequired_ccorres)
apply (rule ccorres_return_Skip)
apply (simp split del: split_if)
apply (simp split del: if_split)
apply wp
apply (simp add: weak_sch_act_wf_def)
apply (wp weak_sch_act_wf_lift_linear)
@ -2182,7 +2182,7 @@ lemma scheduleTCB_ccorres':
\<and> (\<forall>t. ksSchedulerAction s = SwitchToThread t \<longrightarrow> tcb_at' t s)"
and P'=UNIV in ccorres_from_vcg)
apply (rule allI, rule conseqPre, vcg)
apply (clarsimp simp: return_def if_1_0_0 split del: split_if)
apply (clarsimp simp: return_def if_1_0_0 split del: if_split)
apply (clarsimp simp: from_bool_0 rf_sr_ksCurThread)
apply (rule conjI)
apply (clarsimp simp: st_tcb_at'_def)
@ -2239,7 +2239,7 @@ lemma scheduleTCB_ccorres_valid_queues'_pre:
\<and> weak_sch_act_wf (ksSchedulerAction s) s"
and P'=UNIV in ccorres_from_vcg)
apply (rule allI, rule conseqPre, vcg)
apply (clarsimp simp: return_def if_1_0_0 split del: split_if)
apply (clarsimp simp: return_def if_1_0_0 split del: if_split)
apply (clarsimp simp: from_bool_0 rf_sr_ksCurThread)
apply (rule conjI)
apply (clarsimp simp: st_tcb_at'_def)
@ -2274,7 +2274,7 @@ lemma rescheduleRequired_ccorres_valid_queues'_simple:
apply (rule ccorres_symb_exec_l)
apply (rule ccorres_split_nothrow_novcg[where r'=dc and xf'=xfdc])
apply (simp add: scheduler_action_case_switch_to_if
cong: if_weak_cong split del: split_if)
cong: if_weak_cong split del: if_split)
apply (rule_tac R="\<lambda>s. action = ksSchedulerAction s \<and> sch_act_simple s"
in ccorres_cond)
apply (clarsimp simp: rf_sr_def cstate_relation_def Let_def
@ -2333,7 +2333,7 @@ lemma scheduleTCB_ccorres_valid_queues'_pre_simple:
\<and> sch_act_simple s"
and P'=UNIV in ccorres_from_vcg)
apply (rule allI, rule conseqPre, vcg)
apply (clarsimp simp: return_def if_1_0_0 split del: split_if)
apply (clarsimp simp: return_def if_1_0_0 split del: if_split)
apply (clarsimp simp: from_bool_0 rf_sr_ksCurThread)
apply (rule conjI)
apply (clarsimp simp: st_tcb_at'_def)
@ -2437,7 +2437,7 @@ lemma cancelSignal_ccorres [corres]:
apply (rule ccorres_rhs_assoc2)
apply (ctac (no_vcg) add: cancelSignal_ccorres_helper)
apply (ctac add: setThreadState_ccorres_valid_queues')
apply ((wp setNotification_sch_act_not setNotification_ksQ hoare_vcg_all_lift set_ntfn_valid_objs' | simp add: valid_tcb_state'_def split del: split_if)+)[1]
apply ((wp setNotification_sch_act_not setNotification_ksQ hoare_vcg_all_lift set_ntfn_valid_objs' | simp add: valid_tcb_state'_def split del: if_split)+)[1]
apply (simp add: "StrictC'_thread_state_defs")
apply (rule conjI, clarsimp, rule conjI, clarsimp)
apply (frule (1) ko_at_valid_ntfn'[OF _ invs_valid_objs'])
@ -2589,7 +2589,7 @@ proof -
\<Longrightarrow> mp' p = mp p"
using epq
apply (cut_tac x=p in fun_cong[OF mpeq])
apply (cases ep', auto simp: restrict_map_def split: split_if_asm)
apply (cases ep', auto simp: restrict_map_def split: if_split_asm)
done
have rl': "\<And>p list. \<lbrakk> p \<in> tcb_ptr_to_ctcb_ptr ` set list;
@ -2730,7 +2730,7 @@ lemma cancelIPC_ccorres_helper:
apply (rule allI)
apply (rule conseqPre)
apply vcg
apply (clarsimp split del: split_if simp del: comp_def)
apply (clarsimp split del: if_split simp del: comp_def)
apply (frule (2) ep_blocked_in_queueD)
apply (frule (1) ko_at_valid_ep' [OF _ invs_valid_objs'])
apply (elim conjE)
@ -2748,7 +2748,7 @@ lemma cancelIPC_ccorres_helper:
apply assumption+
apply (drule (2) ep_to_ep_queue)
apply (simp add: tcb_queue_relation'_def)
apply (clarsimp simp: typ_heap_simps cong: imp_cong split del: split_if simp del: comp_def)
apply (clarsimp simp: typ_heap_simps cong: imp_cong split del: if_split simp del: comp_def)
apply (frule null_ep_queue [simplified comp_def] null_ep_queue)
apply (intro impI conjI allI)
-- "empty case"
@ -2806,7 +2806,7 @@ lemma cancelIPC_ccorres_helper:
subgoal by (clarsimp simp: comp_def)
-- "ep relation"
apply (rule cpspace_relation_ep_update_ep, assumption+)
apply (simp add: cendpoint_relation_def Let_def isSendEP_def isRecvEP_def split: endpoint.splits split del: split_if)
apply (simp add: cendpoint_relation_def Let_def isSendEP_def isRecvEP_def split: endpoint.splits split del: if_split)
-- "recv case"
apply (clarsimp simp add: Ptr_ptr_val h_t_valid_clift_Some_iff
tcb_queue_relation'_next_mask_4 tcb_queue_relation'_prev_mask_4 cong: tcb_queue_relation'_cong)
@ -2998,7 +2998,7 @@ lemma cancelIPC_ccorres1:
apply (rule ccorres_rhs_assoc2)
apply (ctac (no_vcg) add: cancelIPC_ccorres_helper)
apply (ctac add: setThreadState_ccorres_valid_queues')
apply (wp hoare_vcg_all_lift set_ep_valid_objs' | simp add: valid_tcb_state'_def split del: split_if)+
apply (wp hoare_vcg_all_lift set_ep_valid_objs' | simp add: valid_tcb_state'_def split del: if_split)+
apply (simp add: "StrictC'_thread_state_defs")
apply vcg
apply (rule conseqPre, vcg)
@ -3099,7 +3099,7 @@ lemma cancelIPC_ccorres1:
apply (rule ccorres_rhs_assoc2)
apply (ctac (no_vcg) add: cancelIPC_ccorres_helper)
apply (ctac add: setThreadState_ccorres_valid_queues')
apply (wp hoare_vcg_all_lift set_ep_valid_objs' | simp add: valid_tcb_state'_def split del:split_if)+
apply (wp hoare_vcg_all_lift set_ep_valid_objs' | simp add: valid_tcb_state'_def split del:if_split)+
apply (simp add: "StrictC'_thread_state_defs")
apply clarsimp
apply (rule conseqPre, vcg, rule subset_refl)



@ -245,7 +245,7 @@ lemma partial_overwrite_fun_upd:
partial_overwrite idx (tsrs (x := y))
= (\<lambda>ps. (partial_overwrite idx tsrs ps) (idx x := put_tcb_state_regs y (ps (idx x))))"
apply (intro ext, simp add: partial_overwrite_def)
apply (clarsimp split: split_if)
apply (clarsimp split: if_split)
done
lemma get_tcb_state_regs_ko_at':
@ -266,7 +266,7 @@ lemma partial_overwrite_get_tcb_state_regs:
partial_overwrite idx (\<lambda>x. get_tcb_state_regs (ksPSpace s (idx x)))
(ksPSpace s) = ksPSpace s"
apply (rule ext, simp add: partial_overwrite_def
split: split_if)
split: if_split)
apply clarsimp
apply (drule_tac x=xa in spec)
apply (clarsimp simp: obj_at'_def projectKOs put_tcb_state_regs_def
@ -341,7 +341,7 @@ lemma dom_partial_overwrite:
= dom (ksPSpace s)"
apply (rule set_eqI)
apply (clarsimp simp: dom_def partial_overwrite_def put_tcb_state_regs_def
split: split_if)
split: if_split)
apply (fastforce elim!: obj_atE')
done
@ -361,7 +361,7 @@ lemma map_to_ctes_partial_overwrite:
apply (simp add: put_tcb_state_regs_def put_tcb_state_regs_tcb_def
objBits_simps
cong: if_cong option.case_cong)
apply (case_tac obj, simp split: tcb_state_regs.split split_if)
apply (case_tac obj, simp split: tcb_state_regs.split if_split)
apply simp
apply (rule if_cong[OF refl])
apply simp
@ -373,10 +373,10 @@ lemma map_to_ctes_partial_overwrite:
apply (simp add: put_tcb_state_regs_def put_tcb_state_regs_tcb_def
objBits_simps
cong: if_cong option.case_cong)
apply (case_tac obj, simp split: tcb_state_regs.split split_if)
apply (case_tac obj, simp split: tcb_state_regs.split if_split)
apply (intro impI allI)
apply (subgoal_tac "x - idx xa = x && mask 9")
apply (clarsimp simp: tcb_cte_cases_def split: split_if)
apply (clarsimp simp: tcb_cte_cases_def split: if_split)
apply (drule_tac t = "idx xa" in sym)
apply simp
apply (simp cong: if_cong)
@ -449,7 +449,7 @@ lemma getObject_get_assert:
alignCheck_assert)
apply (case_tac "ksPSpace x p")
apply (simp add: obj_at'_def assert_opt_def assert_def
split: option.split split_if)
split: option.split if_split)
apply (simp add: lookupAround2_known1 assert_opt_def
obj_at'_def projectKO_def2
split: option.split)
@ -473,7 +473,7 @@ lemma obj_at_partial_overwrite_If:
else obj_at' P p s)"
apply (frule dom_partial_overwrite[where tsrs=f])
apply (simp add: obj_at'_def ps_clear_def partial_overwrite_def
projectKOs split: split_if)
projectKOs split: if_split)
apply clarsimp
apply (drule_tac x=x in spec)
apply (clarsimp simp: put_tcb_state_regs_def objBits_simps)
@ -494,7 +494,7 @@ lemma obj_at_partial_overwrite_id2:
= obj_at' P p s"
apply (frule dom_partial_overwrite[where tsrs=f])
apply (simp add: obj_at'_def ps_clear_def partial_overwrite_def
projectKOs split: split_if)
projectKOs split: if_split)
apply clarsimp
apply (drule_tac x=x in spec)
apply (clarsimp simp: put_tcb_state_regs_def objBits_simps
@ -1012,7 +1012,7 @@ lemma oblivious_getObject_ksPSpace_cte[simp]:
typeError_def unless_when
cong: Structures_H.kernel_object.case_cong)
apply (intro oblivious_bind,
simp_all split: Structures_H.kernel_object.split split_if)
simp_all split: Structures_H.kernel_object.split if_split)
by (safe intro!: oblivious_bind, simp_all)
lemma oblivious_doMachineOp[simp]:
@ -1167,7 +1167,7 @@ lemma setThreadState_no_sch_change:
apply (simp add: setThreadState_def setSchedulerAction_def)
apply (wp hoare_pre_cont[where a=rescheduleRequired])
apply (rule_tac Q="\<lambda>_. ?P and st_tcb_at' (op = st) t" in hoare_post_imp)
apply (clarsimp split: split_if)
apply (clarsimp split: if_split)
apply (clarsimp simp: obj_at'_def st_tcb_at'_def projectKOs)
apply (rule hoare_pre, wp threadSet_pred_tcb_at_state)
apply simp
@ -1205,7 +1205,7 @@ lemma setObject_modify_assert:
apply (simp only: objBits_def objBitsT_koTypeOf[symmetric] koTypeOf_injectKO)
apply (simp add: magnitudeCheck_assert2 simpler_modify_def)
apply (clarsimp simp: assert_opt_def assert_def magnitudeCheck_assert2
split: option.split split_if)
split: option.split if_split)
apply (clarsimp simp: obj_at'_def projectKOs)
apply (clarsimp simp: project_inject)
apply (simp only: objBits_def objBitsT_koTypeOf[symmetric]
@ -1235,7 +1235,7 @@ lemma setEndpoint_isolatable:
apply (clarsimp simp: o_def partial_overwrite_def)
apply (rule kernel_state.fold_congs[OF refl refl])
apply (clarsimp simp: fun_eq_iff
split: split_if)
split: if_split)
apply (wp | simp)+
done
@ -1257,7 +1257,7 @@ lemma setCTE_assert_modify:
assert_opt_def alignCheck_assert objBits_simps
magnitudeCheck_assert2 updateObject_cte)
apply (simp add: simpler_modify_def)
apply (simp split: split_if, intro conjI impI)
apply (simp split: if_split, intro conjI impI)
apply (clarsimp simp: obj_at'_def projectKOs)
apply (subgoal_tac "p \<le> (p && ~~ mask 9) + 2 ^ 9 - 1")
apply (subgoal_tac "fst (lookupAround2 p (ksPSpace x))
@ -1303,7 +1303,7 @@ lemma partial_overwrite_fun_upd2:
= (partial_overwrite idx tsrs f)
(x := if x \<in> range idx then put_tcb_state_regs (tsrs (inv idx x)) y
else y)"
by (simp add: fun_eq_iff partial_overwrite_def split: split_if)
by (simp add: fun_eq_iff partial_overwrite_def split: if_split)
lemma setCTE_isolatable:
"thread_actions_isolatable idx (setCTE p v)"
@ -1321,22 +1321,22 @@ lemma setCTE_isolatable:
apply clarsimp
apply (frule_tac x=x in spec, erule obj_atE')
apply (subgoal_tac "\<not> real_cte_at' p s")
apply (clarsimp simp: select_f_returns select_f_asserts split: split_if)
apply (clarsimp simp: select_f_returns select_f_asserts split: if_split)
apply (clarsimp simp: o_def simpler_modify_def partial_overwrite_fun_upd2)
apply (rule kernel_state.fold_congs[OF refl refl])
apply (rule ext)
apply (clarsimp simp: partial_overwrite_get_tcb_state_regs
split: split_if)
split: if_split)
apply (clarsimp simp: projectKOs get_tcb_state_regs_def
put_tcb_state_regs_def put_tcb_state_regs_tcb_def
partial_overwrite_def
split: tcb_state_regs.split)
apply (case_tac obj, simp add: projectKO_opt_tcb)
apply (simp add: tcb_cte_cases_def split: split_if_asm)
apply (simp add: tcb_cte_cases_def split: if_split_asm)
apply (drule_tac x=x in spec)
apply (clarsimp simp: obj_at'_def projectKOs objBits_simps subtract_mask(2) [symmetric])
apply (erule notE[rotated], erule (3) tcb_ctes_clear[rotated])
apply (simp add: select_f_returns select_f_asserts split: split_if)
apply (simp add: select_f_returns select_f_asserts split: if_split)
apply (intro conjI impI)
apply (clarsimp simp: simpler_modify_def fun_eq_iff
partial_overwrite_fun_upd2 o_def
@ -1349,7 +1349,7 @@ lemma setCTE_isolatable:
partial_overwrite_fun_upd2 o_def
partial_overwrite_get_tcb_state_regs
intro!: kernel_state.fold_congs[OF refl refl]
split: split_if)
split: if_split)
apply (simp add: partial_overwrite_def)
apply (subgoal_tac "p \<notin> range idx")
apply (clarsimp simp: simpler_modify_def
@ -1463,7 +1463,7 @@ lemma threadGet_isolatable:
apply (clarsimp simp: projectKOs
partial_overwrite_def put_tcb_state_regs_def
cong: if_cong)
apply (simp add: projectKO_opt_tcb v split: split_if)
apply (simp add: projectKO_opt_tcb v split: if_split)
done
lemma switchToThread_isolatable:
@ -1543,7 +1543,7 @@ lemma tcb_at_KOTCB_upd:
tcb_at' p (ksPSpace_update (\<lambda>ps. ps(idx x \<mapsto> KOTCB tcb)) s)
= tcb_at' p s"
apply (clarsimp simp: obj_at'_def projectKOs objBits_simps
split: split_if)
split: if_split)
apply (simp add: ps_clear_def)
done
@ -1612,7 +1612,7 @@ lemma copy_register_isolate:
apply (simp add: projectKO_opt_tcb put_tcb_state_regs_def
put_tcb_state_regs_tcb_def get_tcb_state_regs_def
cong: if_cong)
apply (auto simp: fun_eq_iff split: split_if)
apply (auto simp: fun_eq_iff split: if_split)
done
lemmas monadic_rewrite_bind_alt
@ -1693,7 +1693,7 @@ lemma setSchedulerAction_isolate:
lemma updateMDB_isolatable:
"thread_actions_isolatable idx (updateMDB slot f)"
apply (simp add: updateMDB_def thread_actions_isolatable_return
split: split_if)
split: if_split)
apply (intro impI thread_actions_isolatable_bind[OF _ _ hoare_pre(1)]
getCTE_isolatable setCTE_isolatable,
(wp | simp)+)


@ -358,7 +358,7 @@ lemma add_right_shift:
"\<lbrakk>x && mask n = 0; y && mask n = 0; x \<le> x + y \<rbrakk>
\<Longrightarrow> (x + y :: ('a :: len) word) >> n = (x >> n) + (y >> n)"
apply (simp add: no_olen_add_nat is_aligned_mask[symmetric])
apply (simp add: unat_arith_simps shiftr_div_2n' split del: split_if)
apply (simp add: unat_arith_simps shiftr_div_2n' split del: if_split)
apply (subst if_P)
apply (erule order_le_less_trans[rotated])
apply (simp add: add_mono)
@ -561,7 +561,7 @@ lemma cleanCacheRange_PoU_ccorres:
lemma dmo_if:
"(doMachineOp (if a then b else c)) = (if a then (doMachineOp b) else (doMachineOp c))"
by (simp split: split_if)
by (simp split: if_split)
lemma invalidateCacheRange_RAM_ccorres:
"ccorres dc xfdc ((\<lambda>s. unat (w2 - w1) \<le> gsMaxObjectSize s)
@ -572,13 +572,13 @@ lemma invalidateCacheRange_RAM_ccorres:
(Call invalidateCacheRange_RAM_'proc)"
apply (rule ccorres_gen_asm)
apply (cinit' lift: start_' end_' pstart_')
apply (clarsimp simp: word_sle_def whileAnno_def split del: split_if)
apply (clarsimp simp: word_sle_def whileAnno_def split del: if_split)
apply (ccorres_remove_UNIV_guard)
apply (simp add: invalidateCacheRange_RAM_def doMachineOp_bind when_def
split_if_empty_fail empty_fail_cleanCacheRange_RAM
empty_fail_invalidateL2Range empty_fail_cacheRangeOp empty_fail_invalidateByVA
empty_fail_dsb dmo_if
split del: split_if)
split del: if_split)
apply (rule ccorres_split_nothrow_novcg)
apply (rule ccorres_cond[where R=\<top>])
apply (clarsimp simp: lineStart_def cacheLineBits_def)
@ -621,7 +621,7 @@ lemma invalidateCacheRange_RAM_ccorres:
apply wp
apply (simp add: guard_is_UNIV_def)
apply (auto dest: ghost_assertion_size_logic simp: o_def)[1]
apply (wp | clarsimp split: split_if)+
apply (wp | clarsimp split: if_split)+
apply (clarsimp simp: lineStart_def cacheLineBits_def guard_is_UNIV_def)
apply (clarsimp simp: lineStart_mask)
apply (subst mask_eqs(7)[symmetric])


@ -531,7 +531,7 @@ lemma invalidateTLBByASID_ccorres:
apply csymbr
apply (simp add: case_option_If2 del: Collect_const)
apply (rule ccorres_if_cond_throws2[where Q=\<top> and Q'=\<top>])
apply (clarsimp simp: pde_stored_asid_def to_bool_def split: split_if)
apply (clarsimp simp: pde_stored_asid_def to_bool_def split: if_split)
apply (rule ccorres_return_void_C[unfolded dc_def])
apply (simp add: dc_def[symmetric])
apply csymbr
@ -744,14 +744,14 @@ lemma ccap_relation_VPIsDevice:
by (clarsimp elim!:ccap_relationE
simp : isPageCap_def generic_frame_cap_get_capFIsDevice_CL_def cap_to_H_def
Let_def to_bool_def
split: arch_capability.split_asm cap_CL.split_asm split_if_asm)
split: arch_capability.split_asm cap_CL.split_asm if_split_asm)
lemma ccap_relation_get_capZombiePtr_CL:
"\<lbrakk> ccap_relation cap cap'; isZombie cap; capAligned cap \<rbrakk>
\<Longrightarrow> get_capZombiePtr_CL (cap_zombie_cap_lift cap') = capZombiePtr cap"
apply (simp only: cap_get_tag_isCap[symmetric])
apply (drule(1) cap_get_tag_to_H)
apply (clarsimp simp: get_capZombiePtr_CL_def get_capZombieBits_CL_def Let_def split: split_if)
apply (clarsimp simp: get_capZombiePtr_CL_def get_capZombieBits_CL_def Let_def split: if_split)
apply (subst less_mask_eq)
apply (clarsimp simp add: capAligned_def objBits_simps word_bits_conv)
apply unat_arith
@ -776,7 +776,7 @@ lemma snd_lookupAround2_update:
apply (clarsimp simp: lookupAround2_def lookupAround_def Let_def
dom_fun_upd2
simp del: dom_fun_upd cong: if_cong option.case_cong)
apply (clarsimp split: option.split split_if cong: if_cong)
apply (clarsimp split: option.split if_split cong: if_cong)
apply auto
done
@ -826,7 +826,7 @@ lemma cpspace_relation_ep_update_ep2:
apply (rule_tac P="\<lambda>a. cmap_relation a b c d" for b c d in rsubst,
erule cmap_relation_upd_relI, assumption+)
apply simp+
apply (rule ext, simp add: map_comp_def projectKO_opt_ep split: split_if)
apply (rule ext, simp add: map_comp_def projectKO_opt_ep split: if_split)
done
end
@ -913,7 +913,7 @@ lemma tcbSchedEnqueue_ep_at:
\<lbrace>\<lambda>rv. obj_at' P ep\<rbrace>"
apply (simp add: tcbSchedEnqueue_def unless_def null_def)
apply (wp threadGet_wp, clarsimp, wp)
apply (clarsimp split: split_if, wp)
apply (clarsimp split: if_split, wp)
done
lemma ctcb_relation_unat_tcbPriority_C:
@ -1044,7 +1044,7 @@ lemma cancelBadgedSends_ccorres:
apply (subgoal_tac "tcb_at' (last (a # list)) \<sigma> \<and> tcb_at' a \<sigma>")
apply (clarsimp simp: is_aligned_neg_mask [OF is_aligned_tcb_ptr_to_ctcb_ptr[where P=\<top>]])
subgoal by (simp add: tcb_queue_relation'_def EPState_Send_def mask_def)
subgoal by (auto split: split_if)
subgoal by (auto split: if_split)
subgoal by simp
apply (ctac add: rescheduleRequired_ccorres[unfolded dc_def])
apply (rule hoare_pre, wp weak_sch_act_wf_lift_linear set_ep_valid_objs')
@ -1160,7 +1160,7 @@ lemma cancelBadgedSends_ccorres:
apply (thin_tac "\<forall>x. P x" for P)
apply (clarsimp simp: pred_tcb_at' ball_Un)
apply (rule conjI)
apply (clarsimp split: split_if)
apply (clarsimp split: if_split)
subgoal by (fastforce simp: valid_tcb_state'_def valid_objs'_maxDomain
valid_objs'_maxPriority dest: pred_tcb_at')
apply (clarsimp simp: tcb_at_not_NULL [OF pred_tcb_at'])
@ -1208,7 +1208,7 @@ lemma cancelBadgedSends_ccorres:
apply (clarsimp simp: typ_heap_simps)
apply (clarsimp simp: cendpoint_relation_def Let_def)
subgoal by (clarsimp simp: tcb_queue_relation'_def neq_Nil_conv
split: split_if_asm)
split: if_split_asm)
apply clarsimp
apply (frule ko_at_valid_objs', clarsimp)
apply (simp add: projectKOs)
@ -1218,7 +1218,7 @@ lemma cancelBadgedSends_ccorres:
apply (rule conjI)
subgoal by (auto simp: isBlockedOnSend_def elim!: pred_tcb'_weakenE)
apply (rule conjI)
apply (clarsimp split: split_if)
apply (clarsimp split: if_split)
apply (drule sym_refsD, clarsimp)
apply (drule(1) bspec)+
by (auto simp: obj_at'_def projectKOs state_refs_of'_def pred_tcb_at'_def tcb_bound_refs'_def


@ -1121,7 +1121,7 @@ lemma kernel_all_subset_kernel:
apply (simp add: callKernel_C_def callKernel_withFastpath_C_def
kernel_global.callKernel_C_def
kernel_global.callKernel_withFastpath_C_def
split: event.split split_if)
split: event.split if_split)
apply (intro allI impI conjI monadic_rewrite_\<Gamma>)[1]
apply ((wp | simp)+)[3]
apply (clarsimp simp: snd_bind snd_modify in_monad gets_def)


@ -323,7 +323,7 @@ lemma memset_spec:
(t_hrs_' (globals s))\<rparr>}"
and V1=undefined in subst [OF whileAnno_def])
apply vcg
apply (clarsimp simp add: hrs_mem_update_def split: split_if_asm)
apply (clarsimp simp add: hrs_mem_update_def split: if_split_asm)
apply (subst (asm) word_mod_2p_is_mask [where n=2, simplified], simp)
apply (subst (asm) word_mod_2p_is_mask [where n=2, simplified], simp)
apply (rule conjI)
@ -376,7 +376,7 @@ declare snd_gets[simp]
lemma snd_when_aligneError[simp]:
shows "(snd ((when P (alignError sz)) s)) = P"
by (simp add: when_def alignError_def fail_def split: split_if)
by (simp add: when_def alignError_def fail_def split: if_split)
lemma snd_unless_aligneError[simp]:
shows "(snd ((unless P (alignError sz)) s)) = (\<not> P)"
@ -471,7 +471,7 @@ proof (rule classical)
apply -
apply (rule_tac x = "(typ_uinfo_t TYPE('b), b)" in image_eqI)
apply simp
apply (fastforce simp add: ptr_retyp_footprint list_map_eq in_set_conv_nth split: split_if_asm)
apply (fastforce simp add: ptr_retyp_footprint list_map_eq in_set_conv_nth split: if_split_asm)
done
with typ_slice_set have "(typ_uinfo_t TYPE('b)) \<in> fst ` td_set (typ_uinfo_t TYPE('a)) 0"
@ -557,7 +557,7 @@ lemma htd_update_list_same2:
lemma ptr_retyps_gen_out:
fixes p :: "'a :: mem_type ptr"
shows "x \<notin> {ptr_val p..+n * size_of TYPE('a)} \<Longrightarrow> ptr_retyps_gen n p arr td x = td x"
apply (simp add: ptr_retyps_gen_def ptr_retyps_out split: split_if)
apply (simp add: ptr_retyps_gen_def ptr_retyps_out split: if_split)
apply (clarsimp simp: ptr_arr_retyps_def htd_update_list_same2)
done
@ -579,7 +579,7 @@ lemma list_map_override_comono:
apply (simp add: map_le_def list_map_eq map_add_def)
apply (cases "length xs \<le> length ys")
apply (simp add: prefix_eq_nth)
apply (simp split: split_if_asm add: prefix_eq_nth)
apply (simp split: if_split_asm add: prefix_eq_nth)
done
lemma list_map_plus_le_not_tag_disj:
@ -688,7 +688,7 @@ next
from Suc.prems show ?case
apply (simp add: upt_conv_Cons map_Suc_upt[symmetric]
del: upt.simps)
apply (split split_if, intro conjI impI)
apply (split if_split, intro conjI impI)
apply auto[1]
apply (simp add: o_def)
apply (subst Suc.hyps)
@ -756,7 +756,7 @@ lemma ptr_retyps_gen_not_tag_disj:
\<Longrightarrow> 0 < n
\<Longrightarrow> \<not> td \<bottom>\<^sub>t typ_uinfo_t TYPE('a)"
apply (simp add: ptr_retyps_gen_def ptr_arr_retyps_def
split: split_if_asm)
split: if_split_asm)
apply (drule_tac td'="uinfo_array_tag_n_m TYPE('a) n n"
in htd_update_list_not_tag_disj, simp+)
apply (clarsimp simp: mult.commute)
@ -789,7 +789,7 @@ lemma ptr_retyps_gen_valid_footprint:
"valid_footprint (ptr_retyps_gen n (Ptr p :: 'a :: mem_type ptr) arr htd) p' td
= (valid_footprint htd p' td)"
apply (cases "n = 0")
apply (simp add: ptr_retyps_gen_def ptr_arr_retyps_def split: split_if)
apply (simp add: ptr_retyps_gen_def ptr_arr_retyps_def split: if_split)
apply (simp add: valid_footprint_def Let_def)
apply (intro conj_cong refl, rule all_cong)
apply (case_tac "p' + of_nat y \<in> {p ..+ n * size_of TYPE('a)}")
@ -821,7 +821,7 @@ lemma ptr_retyp_same_cleared_region:
shows "p = p' \<or> {ptr_val p..+ size_of TYPE('a)} \<inter> {ptr_val p' ..+ size_of TYPE('a)} = {}"
using ht
by (simp add: h_t_valid_ptr_retyp_eq[where p=p and p'=p'] field_of_t_refl
split: split_if_asm)
split: if_split_asm)
lemma h_t_valid_ptr_retyp_inside_eq:
fixes p :: "'a :: mem_type ptr" and p' :: "'a :: mem_type ptr"
@ -856,7 +856,7 @@ lemma ptr_add_orth:
lemma dom_lift_t_heap_update:
"dom (lift_t g (hrs_mem_update v hp)) = dom (lift_t g hp)"
by (clarsimp simp add: lift_t_def lift_typ_heap_if s_valid_def hrs_htd_def hrs_mem_update_def split_def dom_def
intro!: Collect_cong split: split_if)
intro!: Collect_cong split: if_split)
lemma h_t_valid_ptr_retyps_gen_same:
assumes guard: "\<forall>n' < nptrs. gd (CTypesDefs.ptr_add (Ptr p :: 'a ptr) (of_nat n'))"
@ -907,7 +907,7 @@ next
have mod_split: "\<And>k. k < nptrs * size_of TYPE('a)
\<Longrightarrow> \<exists>quot rem. k = quot * size_of TYPE('a) + rem \<and> rem < size_of TYPE('a) \<and> quot < nptrs"
apply (intro exI conjI, rule mod_div_equality[symmetric])
apply (intro exI conjI, rule div_mult_mod_eq[symmetric])
apply simp
apply (simp add: Word_Miscellaneous.td_gal_lt)
done
@ -959,7 +959,7 @@ lemma clift_ptr_retyps_gen_memset_same:
apply (subst heap_list_update_list)
apply (simp add: addr_card_def card_word word_bits_def)
apply simp
apply (clarsimp split: split_if)
apply (clarsimp split: if_split)
apply (simp add: h_val_def)
apply (subst heap_list_update_disjoint_same, simp_all)
apply (simp add: region_is_bytes_disjoint[OF cleared not_byte])
@ -1002,7 +1002,7 @@ lemma clift_heap_list_update_no_heap_other:
and not_byte: "typ_uinfo_t TYPE('a :: c_type) \<noteq> typ_uinfo_t TYPE(word8)"
shows "clift (hrs_mem_update (heap_update_list p xs) hrs) = (clift hrs :: 'a typ_heap)"
apply (clarsimp simp: liftt_if[folded hrs_mem_def hrs_htd_def] hrs_mem_update
fun_eq_iff h_val_def split: split_if)
fun_eq_iff h_val_def split: if_split)
apply (subst heap_list_update_disjoint_same, simp_all)
apply (clarsimp simp: set_eq_iff h_t_valid_def valid_footprint_def Let_def
dest!: intvlD[where n="size_of TYPE('a)"])
@ -1482,7 +1482,7 @@ lemma cvariable_array_ptr_upd:
\<Longrightarrow> cvariable_array_map_relation (m(x \<mapsto> y))
ns (ptrfun :: _ \<Rightarrow> ('b :: mem_type) ptr) htd"
by (clarsimp simp: cvariable_array_map_relation_def at
split: split_if)
split: if_split)
lemma clift_eq_h_t_valid_eq:
"clift hp = (clift hp' :: ('a :: c_type) ptr \<Rightarrow> _)
@ -1494,7 +1494,7 @@ lemma region_is_bytes_typ_region_bytes:
"{ptr ..+ len} \<le> {ptr' ..+ 2 ^ bits}
\<Longrightarrow> region_is_bytes' ptr len (typ_region_bytes ptr' bits htd)"
apply (clarsimp simp: region_is_bytes'_def typ_region_bytes_def hrs_htd_update)
apply (simp add: subsetD split: split_if_asm)
apply (simp add: subsetD split: if_split_asm)
done
lemma region_actually_is_bytes_retyp_disjoint:
@ -1533,7 +1533,7 @@ lemma zero_ranges_ptr_retyps:
apply (frule(1) untypedZeroRange_to_usableCapRange)
apply (clarsimp simp: isCap_simps untypedZeroRange_def
getFreeRef_def max_free_index_def
split: split_if_asm)
split: if_split_asm)
apply (erule disjoint_subset[rotated])
apply (subst intvl_plus_unat_eq)
apply clarsimp
@ -2035,9 +2035,9 @@ lemma cmap_relation_array_add_array[OF refl]:
apply (simp add: and_mask_less_size word_size word_bits_def)
apply (case_tac "chp (ptrf pa)", simp_all)
apply (drule spec, drule(1) iffD2)
apply (auto split: split_if)[1]
apply (auto split: if_split)[1]
apply (drule_tac x=pa in spec, clarsimp)
apply (drule_tac x=p' in spec, clarsimp split: split_if_asm)
apply (drule_tac x=p' in spec, clarsimp split: if_split_asm)
apply (clarsimp simp: new_cap_addrs_def)
apply (subst(asm) is_aligned_add_helper, simp_all)
apply (rule shiftl_less_t2n, rule word_of_nat_less, simp_all add: word_bits_def)
@ -2159,11 +2159,11 @@ proof (intro impI allI)
apply (erule cmap_relation_array_add_array[OF _ al])
apply (simp add: foldr_upd_app_if[folded data_map_insert_def])
apply (rule projectKO_opt_retyp_same, simp add: ko_def projectKOs)
apply (simp add: h_t_valid_clift_Some_iff dom_def split: split_if)
apply (simp add: h_t_valid_clift_Some_iff dom_def split: if_split)
apply (subst clift_ptr_retyps_gen_prev_memset_same[where n=1, simplified, OF guard],
simp_all only: szo refl empty, simp_all add: zero)[1]
apply (simp add: ptBits_def pageBits_def word_bits_def)
apply (auto split: split_if)[1]
apply (auto split: if_split)[1]
apply (simp_all add: objBits_simps archObjSize_def ptBits_def
pageBits_def ko_def word_bits_def)
done
@ -2349,11 +2349,11 @@ proof (intro impI allI)
apply (erule cmap_relation_array_add_array[OF _ al])
apply (simp add: foldr_upd_app_if[folded data_map_insert_def])
apply (rule projectKO_opt_retyp_same, simp add: ko_def projectKOs)
apply (simp add: h_t_valid_clift_Some_iff dom_def split: split_if)
apply (simp add: h_t_valid_clift_Some_iff dom_def split: if_split)
apply (subst clift_ptr_retyps_gen_prev_memset_same[where n=1, simplified, OF guard],
simp_all only: szo empty, simp_all add: zero)[1]
apply (simp add: pdBits_def pageBits_def word_bits_def)
apply (auto split: split_if)[1]
apply (auto split: if_split)[1]
apply (simp_all add: objBits_simps archObjSize_def pdBits_def
pageBits_def ko_def word_bits_def)
done
@ -2399,7 +2399,7 @@ proof (intro impI allI)
apply (simp add: pdBits_def word_bits_def pageBits_def)
apply (simp add: zero)
apply (rule ext)
apply (simp add: map_comp_def stored_asid[simplified] split: option.split split_if)
apply (simp add: map_comp_def stored_asid[simplified] split: option.split if_split)
apply (simp only: o_def CTypesDefs.ptr_add_def' Abs_fnat_hom_mult)
apply (clarsimp simp only:)
apply (drule h_t_valid_intvl_htd_contains_uinfo_t [OF h_t_valid_clift])
@ -2772,7 +2772,7 @@ lemma byte_regions_unmodified_region_is_bytes:
apply (clarsimp simp: byte_regions_unmodified_def imp_conjL[symmetric])
apply (drule spec, erule mp)
apply (clarsimp simp: region_actually_is_bytes'_def)
apply (drule(1) bspec, simp split: split_if_asm)
apply (drule(1) bspec, simp split: if_split_asm)
done
lemma insertNewCap_ccorres1:
@ -2843,8 +2843,8 @@ lemma createNewCaps_guard_helper:
apply (erule subst)
apply (simp add: min.assoc)
apply (rule iffI)
apply (simp add: min_def word_less_nat_alt split: split_if)
apply (simp add: min_def word_less_nat_alt not_le unat_of_nat32 split: split_if_asm)
apply (simp add: min_def word_less_nat_alt split: if_split)
apply (simp add: min_def word_less_nat_alt not_le unat_of_nat32 split: if_split_asm)
done
end
@ -2970,7 +2970,7 @@ lemma heap_update_field':
lemma h_t_valid_clift_Some_iff':
"td \<Turnstile>\<^sub>t p = (clift (hp, td) p = Some (h_val hp p))"
by (simp add: lift_t_if split: split_if)
by (simp add: lift_t_if split: if_split)
lemma option_noneI: "\<lbrakk> \<And>x. a = Some x \<Longrightarrow> False \<rbrakk> \<Longrightarrow> a = None"
apply (case_tac a)
@ -3030,7 +3030,7 @@ lemma cmap_relation_retype2:
apply (case_tac "x \<in> addrs")
apply (simp add: image_image)
apply (simp add: image_image)
apply (clarsimp split: split_if_asm)
apply (clarsimp split: if_split_asm)
apply (erule contrapos_np)
apply (erule image_eqI [rotated])
apply simp
@ -3302,7 +3302,7 @@ proof -
apply (subst(asm) ptr_retyps_gen_out)
apply (clarsimp simp: ctcb_ptr_to_tcb_ptr_def ctcb_offset_def intvl_def)
apply (simp add: unat_arith_simps unat_of_nat cte_C_size tcb_C_size
split: split_if_asm)
split: if_split_asm)
apply (subst(asm) empty[unfolded region_is_bytes'_def], simp_all)
apply (erule subsetD[rotated], rule intvl_start_le)
apply (simp add: cte_C_size)
@ -3357,7 +3357,7 @@ proof -
apply (simp only: take_replicate, simp add: cte_C_size)
apply (simp add: cte_C_size)
apply (simp add: fun_eq_iff
split: split_if)
split: if_split)
apply (simp add: hrs_comm packed_heap_update_collapse
typ_heap_simps)
apply (subst clift_heap_update_same_td_name, simp_all,
@ -3478,7 +3478,7 @@ proof -
have rl_tcb: "(projectKO_opt \<circ>\<^sub>m (ks(ctcb_ptr_to_tcb_ptr p \<mapsto> KOTCB makeObject)) :: word32 \<Rightarrow> tcb option)
= (projectKO_opt \<circ>\<^sub>m ks)(ctcb_ptr_to_tcb_ptr p \<mapsto> makeObject)"
apply (rule ext)
apply (clarsimp simp: projectKOs map_comp_def split: split_if)
apply (clarsimp simp: projectKOs map_comp_def split: if_split)
done
have mko: "\<And>dev. makeObjectKO dev (Inr (APIObjectType ArchTypes_H.apiobject_type.TCBObject)) = Some kotcb"
@ -3595,7 +3595,7 @@ proof -
apply (simp add: cfault_rel_def seL4_Fault_lift_def seL4_Fault_get_tag_def Let_def
lookup_fault_lift_def lookup_fault_get_tag_def lookup_fault_invalid_root_def
eval_nat_numeral seL4_Fault_NullFault_def option_to_ptr_def option_to_0_def
split: split_if)+
split: if_split)+
done
have pks: "ks (ctcb_ptr_to_tcb_ptr p) = None"
@ -3858,7 +3858,7 @@ lemma cslift_empty_mem_update:
apply (rule ext)
apply (simp only: lift_t_if hrs_mem_update_def split_def x'_def)
apply (simp add: lift_t_if hrs_mem_update_def split_def)
apply (clarsimp simp: h_val_def split: split_if)
apply (clarsimp simp: h_val_def split: if_split)
apply (subst heap_list_update_disjoint_same)
apply simp
apply (rule disjointI)
@ -3882,7 +3882,7 @@ lemma cslift_bytes_mem_update:
apply (rule ext)
apply (simp only: lift_t_if hrs_mem_update_def split_def x'_def)
apply (simp add: lift_t_if hrs_mem_update_def split_def)
apply (clarsimp simp: h_val_def split: split_if)
apply (clarsimp simp: h_val_def split: if_split)
apply (subst heap_list_update_disjoint_same)
apply simp
apply (rule disjointI)
@ -3902,7 +3902,7 @@ lemma heap_update_list_replicate_eq:
"(heap_update_list x (replicate n v) hp y)
= (if y \<in> {x ..+ n} then v else hp y)"
apply (induct n arbitrary: x hp, simp_all add: intvl_Suc_right)
apply (simp split: split_if)
apply (simp split: if_split)
done
lemma zero_ranges_are_zero_update_zero[simp]:
@ -3976,7 +3976,7 @@ next
show "?thesis m x"
apply (simp add: xin word_rsplit_0 cong: if_cong)
apply (simp split: split_if)
apply (simp split: if_split)
done
qed
@ -4523,7 +4523,7 @@ lemma copyGlobalMappings_ccorres:
cmachine_state_relation_def
typ_heap_simps map_comp_eq
pd_pointer_to_asid_slot_def
intro!: ext split: split_if)
intro!: ext split: if_split)
apply (simp add: field_simps)
apply (drule arg_cong[where f="\<lambda>x. x && mask pdBits"],
simp add: mask_add_aligned)
@ -4667,14 +4667,14 @@ lemma placeNewObject_eq:
((), (s\<lparr>ksPSpace := foldr (\<lambda>addr. data_map_insert addr (injectKOS object)) (new_cap_addrs (2 ^ groupSizeBits) ptr (injectKOS object)) (ksPSpace s)\<rparr>))
\<in> fst (placeNewObject ptr object groupSizeBits s)"
apply (clarsimp simp: placeNewObject_def placeNewObject'_def)
apply (clarsimp simp: split_def field_simps split del: split_if)
apply (clarsimp simp: split_def field_simps split del: if_split)
apply (clarsimp simp: no_fail_def)
apply (subst lookupAround2_pspace_no)
apply assumption
apply (subst (asm) lookupAround2_pspace_no)
apply assumption
apply (clarsimp simp add: in_monad' split_def bind_assoc field_simps
snd_bind ball_to_all unless_def split: option.splits split_if_asm)
snd_bind ball_to_all unless_def split: option.splits if_split_asm)
apply (clarsimp simp: data_map_insert_def new_cap_addrs_def)
apply (subst upto_enum_red2)
apply (fold word_bits_def, assumption)
@ -4808,7 +4808,7 @@ lemma htd_update_list_dom_better [rule_format]:
apply(induct_tac xs)
apply simp
apply clarsimp
apply(auto split: split_if_asm)
apply(auto split: if_split_asm)
apply(erule notE)
apply(clarsimp simp: dom_s_def)
apply(case_tac y)
@ -5754,7 +5754,7 @@ lemma cep_relations_drop_fun_upd:
\<Longrightarrow> cnotification_relation (f (x \<mapsto> v')) = cnotification_relation f"
by (intro ext cendpoint_relation_upd_tcb_no_queues[where thread=x]
cnotification_relation_upd_tcb_no_queues[where thread=x]
| simp split: split_if)+
| simp split: if_split)+
lemma threadSet_domain_ccorres [corres]:
"ccorres dc xfdc (tcb_at' thread) {s. thread' s = tcb_ptr_to_ctcb_ptr thread \<and> d' s = ucast d} hs
@ -5776,8 +5776,8 @@ lemma threadSet_domain_ccorres [corres]:
apply (rule conjI)
defer
apply (erule cready_queues_relation_not_queue_ptrs)
apply (rule ext, simp split: split_if)
apply (rule ext, simp split: split_if)
apply (rule ext, simp split: if_split)
apply (rule ext, simp split: if_split)
apply (drule ko_at_projectKO_opt)
apply (erule (2) cmap_relation_upd_relI)
subgoal by (simp add: ctcb_relation_def)
@ -6213,7 +6213,7 @@ lemma pspace_no_overlap_induce_notification:
lemma ctes_of_ko_at_strong:
"\<lbrakk>ctes_of s p = Some a;is_aligned p 4\<rbrakk> \<Longrightarrow>
(\<exists>ptr ko. (ksPSpace s ptr = Some ko \<and> {p ..+ 16} \<subseteq> obj_range' ptr ko))"
apply (clarsimp simp: map_to_ctes_def Let_def split:split_if_asm)
apply (clarsimp simp: map_to_ctes_def Let_def split:if_split_asm)
apply (intro exI conjI,assumption)
apply (simp add:obj_range'_def objBits_simps is_aligned_no_wrap' field_simps)
apply (subst intvl_range_conv[where bits = 4,simplified])
@ -6233,7 +6233,7 @@ lemma ctes_of_ko_at_strong:
apply (thin_tac "P \<or> Q" for P Q)
apply (erule order_trans)
apply (subst word_plus_and_or_coroll2[where x = p and w = "mask 9",symmetric])
apply (clarsimp simp:tcb_cte_cases_def field_simps split:split_if_asm)
apply (clarsimp simp:tcb_cte_cases_def field_simps split:if_split_asm)
apply (subst add.commute)
apply (rule word_plus_mono_right[OF _ is_aligned_no_wrap'])
apply simp
@ -6384,13 +6384,13 @@ lemma typ_region_bytes_dom:
apply (clarsimp simp: h_t_valid_def valid_footprint_def Let_def
hrs_htd_update_def split_def typ_region_bytes_def)
apply (drule spec, drule(1) mp)
apply (simp add: size_of_def split: split_if_asm)
apply (simp add: size_of_def split: if_split_asm)
apply (drule subsetD[OF equalityD1], rule IntI, erule intvlI, simp)
apply simp
apply (clarsimp simp: set_eq_iff)
apply (drule(1) h_t_valid_intvl_htd_contains_uinfo_t)
apply (clarsimp simp: hrs_htd_update_def typ_region_bytes_def split_def
split: split_if_asm)
split: if_split_asm)
done
lemma lift_t_typ_region_bytes_none:
@ -6659,7 +6659,7 @@ lemma h_t_array_first_element_at:
apply (erule order_less_le_trans, simp add: size_of_def)
apply (clarsimp simp: uinfo_array_tag_n_m_def upt_conv_Cons)
apply (erule map_le_trans[rotated])
apply (simp add: list_map_mono split: split_if)
apply (simp add: list_map_mono split: if_split)
done
lemma aligned_intvl_disjointI:
@ -6721,7 +6721,7 @@ lemma gsCNodes_typ_region_bytes:
apply (drule_tac x="cte_Ptr p" in fun_cong)
apply (simp add: liftt_if[folded hrs_htd_def] hrs_htd_update
h_t_valid_def valid_footprint_typ_region_bytes
split: split_if_asm)
split: if_split_asm)
apply (subgoal_tac "p \<in> {p ..+ size_of TYPE(cte_C)}")
apply (simp add: cte_C_size)
apply blast
@ -7512,7 +7512,7 @@ lemma createObject_cnodes_have_size:
apply (cases newType, simp_all add: ARM_H.toAPIType_def)
apply (clarsimp simp: APIType_capBits_def objBits_simps
cnodes_retype_have_size_def cte_level_bits_def
split: split_if_asm)
split: if_split_asm)
done
lemma range_cover_not_in_neqD:
@ -7839,7 +7839,7 @@ lemma createObject_untyped_region_is_zero_bytes:
apply (clarsimp simp: cap_tag_defs)
apply (simp add: cap_lift_untyped_cap cap_tag_defs cap_to_H_simps
cap_untyped_cap_lift_def object_type_from_H_def)
apply (simp add: untypedZeroRange_def split: split_if)
apply (simp add: untypedZeroRange_def split: if_split)
apply (clarsimp simp: getFreeRef_def Let_def object_type_to_H_def)
apply (simp add: is_aligned_neg_mask_eq[OF is_aligned_weaken])
apply (simp add: APIType_capBits_def
@ -8002,7 +8002,7 @@ shows "ccorres dc xfdc
apply (drule_tac p = n in range_cover_no_0)
apply (simp add:shiftl_t2n field_simps)+
apply (cut_tac x=num in unat_lt2p, simp)
apply (simp add: unat_arith_simps unat_of_nat, simp split: split_if)
apply (simp add: unat_arith_simps unat_of_nat, simp split: if_split)
apply (intro impI, erule order_trans[rotated], simp)
apply (erule pspace_no_overlap'_le)
apply (fold_subgoals (prefix))[2]


@ -101,7 +101,7 @@ lemma cap_get_tag_isCap0:
apply (erule ccap_relationE)
apply (simp add: cap_to_H_def cap_lift_def Let_def isArchCap_tag_def2 isArchCap_def)
apply (clarsimp simp: isCap_simps cap_tag_defs word_le_nat_alt pageSize_def Let_def
split: split_if_asm) -- "takes a while"
split: if_split_asm) -- "takes a while"
done
@ -232,7 +232,7 @@ lemma cap_get_tag_ZombieCap:
apply (erule ccap_relationE)
apply (clarsimp simp add: cap_lifts cap_to_H_def)
apply (simp add: cap_get_tag_isCap isCap_simps Let_def
split: split_if_asm)
split: if_split_asm)
done
@ -306,7 +306,7 @@ lemma tcb_cte_cases_in_range1:
proof -
from tc obtain q where yq: "y = x + q" and qv: "q < 2 ^ 9"
unfolding tcb_cte_cases_def
by (simp add: diff_eq_eq split: split_if_asm)
by (simp add: diff_eq_eq split: if_split_asm)
have "x \<le> x + 2 ^ 9 - 1" using al
by (rule is_aligned_no_overflow)
@ -327,7 +327,7 @@ lemma tcb_cte_cases_in_range2:
proof -
from tc obtain q where yq: "y = x + q" and qv: "q \<le> 2 ^ 9 - 1"
unfolding tcb_cte_cases_def
by (simp add: diff_eq_eq split: split_if_asm)
by (simp add: diff_eq_eq split: if_split_asm)
have "x + q \<le> x + (2 ^ 9 - 1)" using qv
apply (rule word_plus_mono_right)
@ -352,7 +352,7 @@ lemma updateObject_cte_tcb:
apply -
apply (clarsimp simp add: updateObject_cte Let_def
tcb_cte_cases_def objBits_simps tcbSlots shiftl_t2n
split: split_if_asm cong: if_cong)
split: if_split_asm cong: if_cong)
done
definition
@ -365,7 +365,7 @@ lemma tcb_cte_cases_proj_eq [simp]:
"tcb_cte_cases p = Some (getF, setF) \<Longrightarrow>
tcb_no_ctes_proj tcb = tcb_no_ctes_proj (setF f tcb)"
unfolding tcb_no_ctes_proj_def tcb_cte_cases_def
by (auto split: split_if_asm)
by (auto split: if_split_asm)
lemma map_to_ctes_upd_cte':
"\<lbrakk> ksPSpace s p = Some (KOCTE cte'); is_aligned p 4; ps_clear p 4 s \<rbrakk>
@ -392,7 +392,7 @@ lemma map_to_ctes_upd_tcb':
lemma tcb_cte_cases_inv [simp]:
"tcb_cte_cases p = Some (getF, setF) \<Longrightarrow> getF (setF (\<lambda>_. v) tcb) = v"
unfolding tcb_cte_cases_def
by (simp split: split_if_asm)
by (simp split: if_split_asm)
declare insert_dom [simp]
@ -821,7 +821,7 @@ lemma cmap_relation_upd_relI:
apply (simp add: cmap_relation_def)
apply (case_tac "x = dest")
apply simp
apply (simp add: inj_eq split: split_if_asm)
apply (simp add: inj_eq split: if_split_asm)
apply (erule (2) rel)
apply (erule (2) cmap_relation_relI)
done
@ -938,7 +938,7 @@ proof -
thus ?thesis
apply (rule cte_wp_atE')
apply (simp add: cte_level_bits_def is_aligned_weaken)
apply (simp add: tcb_cte_cases_def field_simps split: split_if_asm )
apply (simp add: tcb_cte_cases_def field_simps split: if_split_asm )
apply ((erule aligned_add_aligned, simp_all add: is_aligned_def word_bits_conv)[1])+
apply (simp add: is_aligned_weaken)
done
@ -1213,7 +1213,7 @@ lemma ccap_relation_NullCap_iff:
"(ccap_relation NullCap cap') = (cap_get_tag cap' = scast cap_null_cap)"
unfolding ccap_relation_def
apply (clarsimp simp: map_option_Some_eq2 c_valid_cap_def cl_valid_cap_def
cap_to_H_def cap_lift_def Let_def cap_tag_defs split: split_if)
cap_to_H_def cap_lift_def Let_def cap_tag_defs split: if_split)
done
(* MOVE *)
@ -1541,7 +1541,7 @@ lemma map_to_ctes_upd_tcb_no_ctes:
apply (subst map_to_ctes_upd_tcb')
apply assumption+
apply (rule ext)
apply (clarsimp split: split_if)
apply (clarsimp split: if_split)
apply (drule (1) bspec [OF _ ranI])
apply simp
done
@ -1559,7 +1559,7 @@ lemma update_ntfn_map_tos:
and "map_to_user_data_device (ksPSpace s(p \<mapsto> KONotification ko)) = map_to_user_data_device (ksPSpace s)"
using at
by (auto elim!: obj_atE' intro!: map_to_ctes_upd_other map_comp_eqI
simp: projectKOs projectKO_opts_defs split: kernel_object.splits split_if_asm)+
simp: projectKOs projectKO_opts_defs split: kernel_object.splits if_split_asm)+
lemma update_ep_map_tos:
fixes P :: "endpoint \<Rightarrow> bool"
@ -1574,7 +1574,7 @@ lemma update_ep_map_tos:
and "map_to_user_data_device (ksPSpace s(p \<mapsto> KOEndpoint ko)) = map_to_user_data_device (ksPSpace s)"
using at
by (auto elim!: obj_atE' intro!: map_to_ctes_upd_other map_comp_eqI
simp: projectKOs projectKO_opts_defs split: kernel_object.splits split_if_asm)+
simp: projectKOs projectKO_opts_defs split: kernel_object.splits if_split_asm)+
lemma update_tcb_map_tos:
fixes P :: "tcb \<Rightarrow> bool"
@ -1588,7 +1588,7 @@ lemma update_tcb_map_tos:
and "map_to_user_data_device (ksPSpace s(p \<mapsto> KOTCB ko)) = map_to_user_data_device (ksPSpace s)"
using at
by (auto elim!: obj_atE' intro!: map_to_ctes_upd_other map_comp_eqI
simp: projectKOs projectKO_opts_defs split: kernel_object.splits split_if_asm)+
simp: projectKOs projectKO_opts_defs split: kernel_object.splits if_split_asm)+
lemma update_asidpool_map_tos:
fixes P :: "asidpool \<Rightarrow> bool"
@ -1605,18 +1605,18 @@ lemma update_asidpool_map_tos:
using at
by (auto elim!: obj_atE' intro!: map_to_ctes_upd_other map_comp_eqI
simp: projectKOs projectKO_opts_defs
split: split_if split_if_asm Structures_H.kernel_object.split_asm
split: if_split if_split_asm Structures_H.kernel_object.split_asm
arch_kernel_object.split_asm)
lemma update_asidpool_map_to_asidpools:
"map_to_asidpools (ksPSpace s(p \<mapsto> KOArch (KOASIDPool ap)))
= (map_to_asidpools (ksPSpace s))(p \<mapsto> ap)"
by (rule ext, clarsimp simp: projectKOs map_comp_def split: split_if)
by (rule ext, clarsimp simp: projectKOs map_comp_def split: if_split)
lemma update_pte_map_to_ptes:
"map_to_ptes (ksPSpace s(p \<mapsto> KOArch (KOPTE pte)))
= (map_to_ptes (ksPSpace s))(p \<mapsto> pte)"
by (rule ext, clarsimp simp: projectKOs map_comp_def split: split_if)
by (rule ext, clarsimp simp: projectKOs map_comp_def split: if_split)
lemma update_pte_map_tos:
fixes P :: "pte \<Rightarrow> bool"
@ -1631,14 +1631,14 @@ lemma update_pte_map_tos:
and "map_to_user_data_device (ksPSpace s(p \<mapsto> (KOArch (KOPTE pte)))) = map_to_user_data_device (ksPSpace s)"
using at
by (auto elim!: obj_atE' intro!: map_comp_eqI map_to_ctes_upd_other
split: split_if_asm split_if
split: if_split_asm if_split
simp: projectKOs,
auto simp: projectKO_opts_defs)
lemma update_pde_map_to_pdes:
"map_to_pdes (ksPSpace s(p \<mapsto> KOArch (KOPDE pde)))
= (map_to_pdes (ksPSpace s))(p \<mapsto> pde)"
by (rule ext, clarsimp simp: projectKOs map_comp_def split: split_if)
by (rule ext, clarsimp simp: projectKOs map_comp_def split: if_split)
lemma update_pde_map_tos:
fixes P :: "pde \<Rightarrow> bool"
@ -1653,7 +1653,7 @@ lemma update_pde_map_tos:
and "map_to_user_data_device (ksPSpace s(p \<mapsto> (KOArch (KOPDE pde)))) = map_to_user_data_device (ksPSpace s)"
using at
by (auto elim!: obj_atE' intro!: map_comp_eqI map_to_ctes_upd_other
split: split_if_asm split_if
split: if_split_asm if_split
simp: projectKOs,
auto simp: projectKO_opts_defs)
@ -1690,7 +1690,7 @@ lemma region_actually_is_bytes:
"region_actually_is_bytes' ptr len htd
\<Longrightarrow> region_is_bytes' ptr len htd"
by (simp add: region_is_bytes'_def region_actually_is_bytes'_def
split: split_if)
split: if_split)
lemma zero_ranges_are_zero_update[simp]:
"h_t_valid (hrs_htd hrs) c_guard (ptr :: 'a ptr)
@ -1829,7 +1829,7 @@ lemma cmap_relation_updI2:
and inj: "inj f"
shows "cmap_relation (am(dest \<mapsto> nv)) (cm(f dest \<mapsto> nv')) f rel"
using cr cof cc inj
by (clarsimp simp add: cmap_relation_def inj_eq split: split_if)
by (clarsimp simp add: cmap_relation_def inj_eq split: if_split)
definition
user_word_at :: "word32 \<Rightarrow> word32 \<Rightarrow> kernel_state \<Rightarrow> bool"
@ -1871,7 +1871,7 @@ lemma ko_at_projectKO_opt:
lemma int_and_leR:
"0 \<le> b \<Longrightarrow> a AND b \<le> (b :: int)"
by (clarsimp simp: int_and_le bin_sign_def split: split_if_asm)
by (clarsimp simp: int_and_le bin_sign_def split: if_split_asm)
lemma int_and_leL:
"0 \<le> a \<Longrightarrow> a AND b \<le> (a :: int)"
@ -2045,7 +2045,7 @@ lemma cap_get_tag_isCap_ArchObject0:
apply -
apply (erule ccap_relationE)
apply (simp add: cap_to_H_def cap_lift_def Let_def isArchCap_def)
apply (clarsimp simp: isCap_simps cap_tag_defs word_le_nat_alt pageSize_def Let_def split: split_if_asm) -- "takes a while"
apply (clarsimp simp: isCap_simps cap_tag_defs word_le_nat_alt pageSize_def Let_def split: if_split_asm) -- "takes a while"
done
lemma cap_get_tag_isCap_ArchObject:
@ -2152,7 +2152,7 @@ lemma update_typ_at:
using at
by (auto elim!: obj_atE' simp: typ_at'_def ko_wp_at'_def
dest!: tp[rule_format]
simp: project_inject projectKO_eq split: kernel_object.splits split_if_asm,
simp: project_inject projectKO_eq split: kernel_object.splits if_split_asm,
simp_all add: objBits_def objBitsT_koTypeOf[symmetric] ps_clear_upd
del: objBitsT_koTypeOf)


@ -924,7 +924,7 @@ lemma cep_relations_drop_fun_upd:
\<Longrightarrow> cnotification_relation (f (x \<mapsto> v')) = cnotification_relation f"
by (intro ext cendpoint_relation_upd_tcb_no_queues[where thread=x]
cnotification_relation_upd_tcb_no_queues[where thread=x]
| simp split: split_if)+
| simp split: if_split)+
lemma threadSet_timeSlice_ccorres [corres]:
"ccorres dc xfdc (tcb_at' thread) {s. thread' s = tcb_ptr_to_ctcb_ptr thread \<and> unat (v' s) = v} hs
@ -947,8 +947,8 @@ lemma threadSet_timeSlice_ccorres [corres]:
apply (rule conjI)
defer
apply (erule cready_queues_relation_not_queue_ptrs)
apply (rule ext, simp split: split_if)
apply (rule ext, simp split: split_if)
apply (rule ext, simp split: if_split)
apply (rule ext, simp split: if_split)
apply (drule ko_at_projectKO_opt)
apply (erule (2) cmap_relation_upd_relI)
apply (simp add: ctcb_relation_def)


@ -897,7 +897,7 @@ lemma (in kernel) syscall_error_to_H_cases_rev:
"syscall_error_to_H e lf = Some RevokeFirst \<Longrightarrow>
type_C e = scast seL4_RevokeFirst"
by (clarsimp simp: syscall_error_to_H_def syscall_error_type_defs
split: split_if_asm)+
split: if_split_asm)+
definition
syscall_from_H :: "syscall \<Rightarrow> word32"


@ -107,7 +107,7 @@ lemma byte_to_word_heap_upd_outside_range:
intvl_inter_le [where k=0 and ka=2, simplified, OF refl]
intvl_inter_le [where k=0 and ka=1, simplified, OF refl]
intvl_inter_le [where k=0 and ka=0, simplified, OF refl]
split: split_if_asm)
split: if_split_asm)
done
lemma intvl_range_conv:
@ -175,7 +175,7 @@ lemma update_ti_t_acc_foo:
\<Longrightarrow> acc (update_ti_pair a ys v) = update_ti_pair (f a) ys (acc v);
\<And>a. size_td_pair (f a) = size_td_pair a \<rbrakk> \<Longrightarrow>
\<forall>xs. acc (update_ti_list_t adjs xs v) = update_ti_list_t (map f adjs) xs (acc v)"
apply (simp add: update_ti_list_t_def size_td_list_map2 split: split_if)
apply (simp add: update_ti_list_t_def size_td_list_map2 split: if_split)
apply (induct adjs)
apply simp
apply clarsimp
@ -467,7 +467,7 @@ proof (intro allI impI)
\<Longrightarrow> update_ti_pair (map_td_pair f a) ys (Cons v) = Cons (update_ti_pair a ys v) \<rbrakk>
\<Longrightarrow> \<forall>xs. update_ti_list_t (map_td_list f adjs) xs v
= Cons (update_ti_list_t adjs xs v')"
apply (simp add: update_ti_list_t_def split: split_if)
apply (simp add: update_ti_list_t_def split: if_split)
apply (induct_tac adjs)
apply simp
apply clarsimp
@ -669,7 +669,7 @@ proof (intro allI impI)
apply (rule ext)
apply clarsimp
apply (case_tac y)
apply (clarsimp split: split_if)
apply (clarsimp split: if_split)
apply (rule cmap_relationI)
apply (clarsimp simp: dom_heap_to_device_data cmap_relation_def dom_if_Some
intro!: Un_absorb1 [symmetric])
@ -776,7 +776,7 @@ proof (intro allI impI)
\<Longrightarrow> update_ti_pair (map_td_pair f a) ys (Cons v) = Cons (update_ti_pair a ys v) \<rbrakk>
\<Longrightarrow> \<forall>xs. update_ti_list_t (map_td_list f adjs) xs v
= Cons (update_ti_list_t adjs xs v')"
apply (simp add: update_ti_list_t_def split: split_if)
apply (simp add: update_ti_list_t_def split: if_split)
apply (induct_tac adjs)
apply simp
apply clarsimp
@ -978,7 +978,7 @@ proof (intro allI impI)
apply (rule ext)
apply clarsimp
apply (case_tac y)
apply (clarsimp split: split_if)
apply (clarsimp split: if_split)
apply (rule cmap_relationI)
apply (clarsimp simp: dom_heap_to_user_data cmap_relation_def dom_if_Some
intro!: Un_absorb1 [symmetric])
@ -1068,12 +1068,12 @@ proof -
apply (rule kernel_state.fold_congs[OF refl refl], simp only:)
apply (rule machine_state.fold_congs[OF refl refl], simp only:)
apply (cut_tac p=ptr in unat_mask_2_less_4)
apply (simp del: list_update.simps split del: split_if
apply (simp del: list_update.simps split del: if_split
add: word_rsplit_rcat_size word_size nth_list_update
horrible_helper)
apply (subgoal_tac "(ptr && ~~ mask 2) + (ptr && mask 2) = ptr")
apply (subgoal_tac "(ptr && mask 2) \<in> {0, 1, 2, 3}")
apply (auto split: split_if simp: fun_upd_idem)[1]
apply (auto split: if_split simp: fun_upd_idem)[1]
apply (simp add: word_unat.Rep_inject[symmetric]
del: word_unat.Rep_inject)
apply arith
@ -1107,7 +1107,7 @@ proof -
apply (rule if_cong)
apply assumption
apply simp
apply (clarsimp simp: nth_list_update split: split_if)
apply (clarsimp simp: nth_list_update split: if_split)
apply (frule_tac ptr=x in memory_cross_over, simp+)
apply (clarsimp simp: pointerInUserData_def pointerInDeviceData_def)
apply (cut_tac p="ptr && ~~ mask 2" and n=2 and d="x - (ptr && ~~ mask 2)"
@ -1142,11 +1142,11 @@ lemma storeWord_ccorres':
(Basic (\<lambda>s. globals_update (t_hrs_'_update
(hrs_mem_update (heap_update (ptr' s) (val' s)))) s))"
apply (clarsimp simp: storeWordUser_def simp del: Collect_const
split del: split_if)
split del: if_split)
apply (rule ccorres_from_vcg_nofail)
apply (rule allI)
apply (rule conseqPre, vcg)
apply (clarsimp split: split_if_asm)
apply (clarsimp split: if_split_asm)
apply (rule bexI[rotated])
apply (subst in_doMachineOp)
apply (fastforce simp: storeWord_def in_monad is_aligned_mask)

@ -300,7 +300,7 @@ lemma ccorres_invocationCatch_Inr:
apply (rule bind_apply_cong [OF refl])+
apply (simp add: throwError_bind returnOk_bind lift_def liftE_def
alternative_bind
split: sum.split split_if)
split: sum.split if_split)
apply (simp add: throwError_def)
done
@ -504,7 +504,7 @@ lemma injection_handler_If:
"injection_handler injector (If P a b)
= If P (injection_handler injector a)
(injection_handler injector b)"
by (simp split: split_if)
by (simp split: if_split)
(* FIXME: duplicated in CSpace_All *)
lemma injection_handler_liftM:
@ -633,7 +633,7 @@ lemma msgRegisters_ccorres:
"n < unat n_msgRegisters \<Longrightarrow>
register_from_H (ARM_H.msgRegisters ! n) = (index msgRegistersC n)"
apply (simp add: msgRegistersC_def msgRegisters_unfold fupdate_def)
apply (simp add: Arrays.update_def n_msgRegisters_def fcp_beta nth_Cons' split: split_if)
apply (simp add: Arrays.update_def n_msgRegisters_def fcp_beta nth_Cons' split: if_split)
done
@ -701,7 +701,7 @@ lemma getMRs_tcbContext:
apply clarsimp
apply (wp asUser_const_rv)
apply (clarsimp simp: n_msgRegisters_def msgRegisters_unfold)
apply (simp add: nth_Cons' cur_tcb'_def split: split_if)
apply (simp add: nth_Cons' cur_tcb'_def split: if_split)
done
lemma threadGet_tcbIpcBuffer_ccorres [corres]:
@ -850,7 +850,7 @@ lemma lookupIPCBuffer_ccorres[corres]:
apply (clarsimp simp: vmrights_to_H_def)
apply (simp add: Kernel_C.VMReadOnly_def Kernel_C.VMKernelOnly_def
Kernel_C.VMReadWrite_def Kernel_C.VMNoAccess_def
split: split_if)
split: if_split)
apply clarsimp
apply (drule less_4_cases)
apply auto[1]
@ -904,7 +904,7 @@ lemma lookupIPCBuffer_ccorres[corres]:
apply (clarsimp simp: vmrights_to_H_def)
apply (simp add: Kernel_C.VMReadOnly_def Kernel_C.VMKernelOnly_def
Kernel_C.VMReadWrite_def Kernel_C.VMNoAccess_def
split: split_if)
split: if_split)
apply clarsimp
apply (drule less_4_cases)
apply auto[1]
@ -1092,7 +1092,7 @@ lemma getMRs_user_word:
wordSize_def')
done
declare split_if [split]
declare if_split [split]
definition
"getMRs_rel args buffer \<equiv> \<lambda>s. \<exists>mi. msgLength mi \<le> msgMaxLength \<and> fst (getMRs (ksCurThread s) buffer mi s) = {(args, s)}"
@ -1273,7 +1273,7 @@ lemma getSyscallArg_ccorres_foo:
apply assumption
apply (rule ccorres_cond_seq)
apply (rule_tac R=\<top> and P="\<lambda>_. n < unat (scast n_msgRegisters :: word32)" in ccorres_cond_both)
apply (simp add: word_less_nat_alt split: split_if)
apply (simp add: word_less_nat_alt split: if_split)
apply (rule ccorres_add_return2)
apply (rule ccorres_symb_exec_l)
apply (rule_tac P="\<lambda>s. n < unat (scast n_msgRegisters :: word32) \<and> obj_at' (\<lambda>tcb. atcbContextGet (tcbArch tcb) (ARM_H.msgRegisters!n) = x!n) (ksCurThread s) s"
@ -1303,9 +1303,9 @@ lemma getSyscallArg_ccorres_foo:
\<and> valid_ipc_buffer_ptr' (ptr_val ipc_buffer) s \<and> n < msgMaxLength"
and P'=UNIV
in ccorres_from_vcg_throws)
apply (simp add: return_def split del: split_if)
apply (simp add: return_def split del: if_split)
apply (rule allI, rule conseqPre, vcg)
apply (clarsimp split del: split_if)
apply (clarsimp split del: if_split)
apply (frule(1) user_word_at_cross_over, rule refl)
apply (clarsimp simp: ptr_add_def mult.commute
msgMaxLength_def)
@ -1325,7 +1325,7 @@ lemma getSyscallArg_ccorres_foo:
apply (drule equalityD2)
apply clarsimp
apply (drule use_valid, rule getMRs_length, assumption)
apply (simp add: n_msgRegisters_def split: split_if_asm)
apply (simp add: n_msgRegisters_def split: if_split_asm)
apply (rule conjI)
apply (clarsimp simp: option_to_ptr_def option_to_0_def
word_less_nat_alt word_le_nat_alt unat_of_nat32 word_bits_def
@ -1334,7 +1334,7 @@ lemma getSyscallArg_ccorres_foo:
apply clarsimp
apply (drule use_valid, rule getMRs_length)
apply (simp add: word_le_nat_alt msgMaxLength_def)
apply (simp split: split_if_asm)
apply (simp split: if_split_asm)
apply (rule conjI, clarsimp simp: cur_tcb'_def)
apply clarsimp
apply (clarsimp simp: bind_def gets_def return_def split_def get_def)
@ -1351,7 +1351,7 @@ lemma invocation_eq_use_type:
apply (fold invocation_type_eq, unfold invocationType_def)
apply (simp add: maxBound_is_length Let_def toEnum_def
nth_eq_iff_index_eq nat_le_Suc_less_imp
split: split_if)
split: if_split)
apply (intro impI conjI)
apply (simp add: enum_invocation_label)
apply (subgoal_tac "InvalidInvocation = enum ! 0")

@ -41,7 +41,7 @@ lemma one_on_true_True[simp]: "one_on_true True = 1"
by (simp add: one_on_true_def)
lemma one_on_true_eq_0[simp]: "(one_on_true P = 0) = (\<not> P)"
by (simp add: one_on_true_def split: split_if)
by (simp add: one_on_true_def split: if_split)
lemma cap_cases_one_on_true_sum:
"one_on_true (isZombie cap) + one_on_true (isArchObjectCap cap)
@ -352,7 +352,7 @@ lemma wordFromRights_mask_0:
"wordFromRights rghts && ~~ mask 4 = 0"
apply (simp add: wordFromRights_def word_ao_dist word_or_zero
split: cap_rights.split)
apply (simp add: mask_def split: split_if)
apply (simp add: mask_def split: if_split)
done
lemma wordFromRights_mask_eq:
@ -503,7 +503,7 @@ lemma handleInvocation_def2:
apply (simp cong: bind_cong add: ts_Restart_case_helper')
apply (simp add: when_def[symmetric] replyOnRestart_def[symmetric])
apply (simp add: liftE_def replyOnRestart_twice alternative_bind
alternative_refl split: split_if)
alternative_refl split: if_split)
done
lemma thread_state_to_tsType_eq_Restart:
@ -670,7 +670,7 @@ lemma sendFaultIPC_ccorres:
apply (simp add: cfault_rel_def)
apply (clarsimp)
apply (clarsimp simp: seL4_Fault_lift_def Let_def is_cap_fault_def
split: split_if_asm)
split: if_split_asm)
apply ceqv
apply csymbr
@ -828,7 +828,7 @@ lemma getMessageInfo_msgLength':
apply wp
apply (rule hoare_strengthen_post, rule hoare_vcg_prop)
apply (simp add: messageInfoFromWord_def Let_def msgMaxLength_def not_less
Types_H.msgExtraCapBits_def split: split_if )
Types_H.msgExtraCapBits_def split: if_split )
done
lemma handleInvocation_ccorres:

@ -77,7 +77,7 @@ next
proof (rule conjI)
show "?prev tcb (tcb' # tcbs) qprev'"
using ih [THEN conjunct1] tcbp_not_tcb' hd_tcbs tcbsnz
apply (clarsimp split: split_if_asm)
apply (clarsimp split: if_split_asm)
apply fastforce
apply (rule_tac x = "Suc n" in exI)
apply simp
@ -85,7 +85,7 @@ next
next
show "?next tcb (tcb' # tcbs)"
using ih [THEN conjunct2] tcbp_not_tcb' hd_tcbs tcbsnz
apply (clarsimp split: split_if_asm)
apply (clarsimp split: if_split_asm)
apply (rule_tac x = "Suc n" in exI)
apply simp
done
@ -121,7 +121,7 @@ lemma tcb_queue_valid_ptrsD:
apply (frule (3) tcb_queue_memberD)
apply (elim exE)
apply (frule (3) tcb_queueD)
apply (auto intro!: tcb_at_h_t_valid elim!: bspec split: split_if_asm)
apply (auto intro!: tcb_at_h_t_valid elim!: bspec split: if_split_asm)
done
lemma tcb_queue_relation_restrict0:
@ -301,7 +301,7 @@ lemma tcb_queue_relation_ptr_rel:
apply -
apply (frule (3) tcb_queueD)
apply (frule (2) tcb_queue_relation_not_NULL')
apply (simp split: split_if_asm)
apply (simp split: if_split_asm)
apply (rule not_sym)
apply (rule notI)
apply simp
@ -437,7 +437,7 @@ lemma tcb_queue_next_prev:
apply simp
apply (cut_tac bspec [OF tcb_queue_relation_not_NULL, OF qr valid_ep(1) tq(1)])
apply (cut_tac bspec [OF tcb_queue_relation_not_NULL, OF qr valid_ep(1) tq(2)])
apply (simp add: inj_eq split: split_if_asm)
apply (simp add: inj_eq split: if_split_asm)
apply clarsimp
apply clarsimp
subgoal by (clarsimp simp: last_conv_nth distinct_nth distinct_nth_cons)
@ -623,7 +623,7 @@ next
by (simp add: upd_unless_null_def)
thus ?thesis using qp qh tq cs_tcb tcbp Cons nnull
apply (simp (no_asm) add: tcbp Cons split del: split_if)
apply (simp (no_asm) add: tcbp Cons split del: if_split)
apply (subst tcb_queue_relation_cong [OF refl refl refl mpeq])
apply assumption
apply (clarsimp simp: f)
@ -717,7 +717,7 @@ proof -
using queue_rel in_queue cs_tcb
apply -
apply (drule tcb_queue_relation'_queue_rel)
apply (clarsimp split: split_if)
apply (clarsimp split: if_split)
apply (cases queue)
apply simp
apply clarsimp
@ -776,14 +776,14 @@ proof -
apply simp
apply (subgoal_tac "(remove1 (last queue) queue) \<noteq> []")
apply (clarsimp simp: inj_eq last_conv_nth nth_eq_iff_index_eq length_remove1
distinct_remove1_take_drop split: split_if_asm)
distinct_remove1_take_drop split: if_split_asm)
apply arith
apply (clarsimp simp: remove1_empty last_conv_nth hd_conv_nth nth_eq_iff_index_eq not_le split: split_if_asm)
apply (clarsimp simp: remove1_empty last_conv_nth hd_conv_nth nth_eq_iff_index_eq not_le split: if_split_asm)
apply (cases queue)
apply simp
apply simp
apply (fastforce simp: inj_eq split: split_if_asm)
apply (clarsimp simp: last_conv_nth distinct_remove1_take_drop nth_eq_iff_index_eq inj_eq split: split_if_asm)
apply (fastforce simp: inj_eq split: if_split_asm)
apply (clarsimp simp: last_conv_nth distinct_remove1_take_drop nth_eq_iff_index_eq inj_eq split: if_split_asm)
apply arith
apply (simp add: nth_append min_def nth_eq_iff_index_eq)
apply clarsimp
@ -852,7 +852,7 @@ next
hence "ctcb_ptr_to_tcb_ptr (getNext tcb) \<in> set queue" using assms
apply -
apply (drule (3) tcb_queueD)
apply (clarsimp split: split_if_asm)
apply (clarsimp split: if_split_asm)
done
with valid_ep(1) have "tcb_at' (ctcb_ptr_to_tcb_ptr (getNext tcb)) s" ..
@ -877,7 +877,7 @@ next
hence "ctcb_ptr_to_tcb_ptr (getPrev tcb) \<in> set queue" using assms
apply -
apply (drule (3) tcb_queueD)
apply (clarsimp split: split_if_asm)
apply (clarsimp split: if_split_asm)
done
with valid_ep(1) have "tcb_at' (ctcb_ptr_to_tcb_ptr (getPrev tcb)) s" ..

@ -116,7 +116,7 @@ lemma getObject_state:
\<Longrightarrow> (if t = t' then tcbState_update (\<lambda>_. st) x else x,
s'\<lparr>ksPSpace := ksPSpace s(t \<mapsto> KOTCB (tcbState_update (\<lambda>_. st) ko))\<rparr>)
\<in> fst (getObject t' (s\<lparr>ksPSpace := ksPSpace s(t \<mapsto> KOTCB (tcbState_update (\<lambda>_. st) ko))\<rparr>))"
apply (simp split: split_if)
apply (simp split: if_split)
apply (rule conjI)
apply clarsimp
apply (clarsimp simp: getObject_def split_def loadObject_default_def in_monad
@ -125,7 +125,7 @@ lemma getObject_state:
apply (simp add: magnitudeCheck_def in_monad split: option.splits)
apply clarsimp
apply (simp add: lookupAround2_char2)
apply (clarsimp split: split_if_asm)
apply (clarsimp split: if_split_asm)
apply (erule_tac x=x2 in allE)
apply (clarsimp simp: ps_clear_def)
apply (drule_tac x=x2 in orthD2)
@ -142,7 +142,7 @@ lemma getObject_state:
apply (simp add: magnitudeCheck_def in_monad split: option.splits)
apply clarsimp
apply (simp add: lookupAround2_char2)
apply (clarsimp split: split_if_asm)
apply (clarsimp split: if_split_asm)
apply (erule_tac x=t in allE)
apply simp
apply (clarsimp simp: obj_at'_real_def projectKOs
@ -207,7 +207,7 @@ lemma asUser_state:
apply (clarsimp simp: setObject_def split_def updateObject_default_def threadGet_def
in_magnitude_check' getObject_def loadObject_default_def liftM_def
objBits_simps projectKOs in_monad)
apply (simp split: split_if)
apply (simp split: if_split)
apply (rule conjI)
apply (clarsimp simp: obj_at'_def projectKOs objBits_simps)
apply (clarsimp simp: magnitudeCheck_def in_monad split: option.splits)
@ -215,12 +215,12 @@ lemma asUser_state:
apply clarsimp
apply (cases s, simp)
apply (rule ext)
apply (clarsimp split: split_if)
apply (clarsimp split: if_split)
apply (cases ko)
apply clarsimp
apply clarsimp
apply (rule conjI)
apply (clarsimp simp add: lookupAround2_char2 split: split_if_asm)
apply (clarsimp simp add: lookupAround2_char2 split: if_split_asm)
apply (erule_tac x=x2 in allE)
apply simp
apply (simp add: ps_clear_def)
@ -236,17 +236,17 @@ lemma asUser_state:
apply (rule conjI, fastforce)
apply clarsimp
apply (cases s, clarsimp)
apply (rule ext, clarsimp split: split_if)
apply (rule ext, clarsimp split: if_split)
apply (cases ko, clarsimp)
apply (clarsimp simp: magnitudeCheck_def in_monad split: option.splits)
apply (rule conjI)
apply clarsimp
apply (cases s, clarsimp)
apply (rule ext, clarsimp split: split_if)
apply (rule ext, clarsimp split: if_split)
apply (case_tac tcb, clarsimp)
apply clarsimp
apply (rule conjI)
apply (clarsimp simp add: lookupAround2_char2 split: split_if_asm)
apply (clarsimp simp add: lookupAround2_char2 split: if_split_asm)
apply (clarsimp simp: obj_at'_real_def ko_wp_at'_def projectKOs objBits_simps)
apply (erule_tac x=t in allE)
apply simp
@ -276,7 +276,7 @@ lemma asUser_state:
apply (rule conjI, fastforce)
apply clarsimp
apply (cases s, clarsimp)
apply (rule ext, clarsimp split: split_if)
apply (rule ext, clarsimp split: if_split)
apply (case_tac tcb, clarsimp)
done
@ -325,10 +325,10 @@ lemma getMRs_rel_state:
apply (simp add: cur_tcb'_def)
apply (rule conjI)
apply (clarsimp simp: obj_at'_real_def ko_wp_at'_def projectKOs
objBits_simps ps_clear_def split: split_if)
objBits_simps ps_clear_def split: if_split)
apply (clarsimp simp: valid_ipc_buffer_ptr'_def split: option.splits)
apply (clarsimp simp: typ_at'_def ko_wp_at'_def projectKOs obj_at'_real_def
objBits_simps ps_clear_def split: split_if)
objBits_simps ps_clear_def split: if_split)
apply (clarsimp simp: getMRs_def in_monad)
apply (frule use_valid, rule asUser_inv [where P="op = s"])
apply (wp mapM_wp' getRegister_inv)[1]
@ -351,7 +351,7 @@ lemma getMRs_rel_state:
apply (rule conjI)
apply (clarsimp simp: pointerInUserData_def typ_at'_def ko_wp_at'_def
projectKOs ps_clear_def obj_at'_real_def
split: split_if)
split: if_split)
apply (erule doMachineOp_state)
done
@ -379,7 +379,7 @@ lemma setThreadState_getMRs_rel:
apply (drule obj_at_ko_at')+
apply (clarsimp simp del: fun_upd_apply)
apply (rule exI, rule conjI, assumption)
apply (clarsimp split: split_if simp del: fun_upd_apply)
apply (clarsimp split: if_split simp del: fun_upd_apply)
apply (simp add: getMRs_rel_state)
done
@ -405,7 +405,7 @@ lemma distinct_remove1_filter:
"distinct xs \<Longrightarrow> remove1 v xs = [x\<leftarrow>xs. x \<noteq> v]"
apply (induct xs)
apply simp
apply (clarsimp split: split_if)
apply (clarsimp split: if_split)
apply (rule sym, simp add: filter_id_conv)
apply clarsimp
done
@ -1119,7 +1119,7 @@ lemma invokeTCB_CopyRegisters_ccorres:
apply wp
apply (simp add: pred_conj_def guard_is_UNIV_def cong: if_cong
| wp mapM_x_wp' static_imp_wp)+
apply (clarsimp simp: Collect_const_mem from_bool_def true_def split: split_if)
apply (clarsimp simp: Collect_const_mem from_bool_def true_def split: if_split)
apply (auto simp: invs'_def valid_state'_def global'_no_ex_cap sch_act_simple_imp_weak_sch_act_wf)
done
@ -1173,7 +1173,7 @@ lemma getObject_context:
\<Longrightarrow> (if t = t' then tcbContext_update (\<lambda>_. st) x else x,
s'\<lparr>ksPSpace := ksPSpace s(t \<mapsto> KOTCB (tcbContext_update (\<lambda>_. st) ko))\<rparr>)
\<in> fst (getObject t' (s\<lparr>ksPSpace := ksPSpace s(t \<mapsto> KOTCB (tcbContext_update (\<lambda>_. st) ko))\<rparr>))"
apply (simp split: split_if)
apply (simp split: if_split)
apply (rule conjI)
apply clarsimp
apply (clarsimp simp: getObject_def split_def loadObject_default_def in_monad
@ -1182,7 +1182,7 @@ lemma getObject_context:
apply (simp add: magnitudeCheck_def in_monad split: option.splits)
apply clarsimp
apply (simp add: lookupAround2_char2)
apply (clarsimp split: split_if_asm)
apply (clarsimp split: if_split_asm)
apply (erule_tac x=x2 in allE)
apply (clarsimp simp: ps_clear_def)
apply (drule_tac x=x2 in orthD2)
@ -1200,7 +1200,7 @@ lemma getObject_context:
apply (simp add: magnitudeCheck_def in_monad split: option.splits)
apply clarsimp
apply (simp add: lookupAround2_char2)
apply (clarsimp split: split_if_asm)
apply (clarsimp split: if_split_asm)
apply (erule_tac x=t in allE)
apply simp
apply (clarsimp simp: obj_at'_real_def projectKOs
@ -1272,12 +1272,12 @@ lemma asUser_context:
apply (rule conjI)
apply clarsimp
apply (cases s, simp)
apply (rule ext, clarsimp split: split_if)
apply (rule ext, clarsimp split: if_split)
apply (case_tac tcb, simp)
apply clarsimp
apply (rule conjI)
apply (clarsimp simp add: lookupAround2_char2 split: split_if_asm)
apply (clarsimp simp add: lookupAround2_char2 split: if_split_asm)
apply (clarsimp simp: obj_at'_real_def ko_wp_at'_def projectKOs objBits_simps)
apply (erule_tac x=t in allE)
apply simp
@ -1307,7 +1307,7 @@ lemma asUser_context:
apply (rule conjI, fastforce)
apply clarsimp
apply (cases s, clarsimp)
apply (rule ext, clarsimp split: split_if)
apply (rule ext, clarsimp split: if_split)
apply (case_tac tcb, clarsimp)
done
@ -1325,10 +1325,10 @@ lemma getMRs_rel_context:
apply (simp add: cur_tcb'_def)
apply (rule conjI)
apply (clarsimp simp: obj_at'_real_def ko_wp_at'_def projectKOs
objBits_simps ps_clear_def split: split_if)
objBits_simps ps_clear_def split: if_split)
apply (clarsimp simp: valid_ipc_buffer_ptr'_def split: option.splits)
apply (clarsimp simp: typ_at'_def ko_wp_at'_def projectKOs obj_at'_real_def
objBits_simps ps_clear_def split: split_if)
objBits_simps ps_clear_def split: if_split)
apply (clarsimp simp: getMRs_def in_monad)
apply (frule use_valid, rule asUser_inv [where P="op = s"])
apply (wp mapM_wp' getRegister_inv)[1]
@ -1352,7 +1352,7 @@ lemma getMRs_rel_context:
apply (rule conjI)
apply (clarsimp simp: pointerInUserData_def typ_at'_def ko_wp_at'_def
projectKOs ps_clear_def obj_at'_real_def
split: split_if)
split: if_split)
apply (erule doMachineOp_context)
done
@ -1372,7 +1372,7 @@ lemma asUser_getMRs_rel:
apply (drule obj_at_ko_at')+
apply (clarsimp simp del: fun_upd_apply)
apply (rule exI, rule conjI, assumption)
apply (clarsimp split: split_if simp del: fun_upd_apply)
apply (clarsimp split: if_split simp del: fun_upd_apply)
apply (erule getMRs_rel_context, simp)
apply (clarsimp simp: obj_at'_real_def ko_wp_at'_def projectKOs)
apply simp
@ -1531,7 +1531,7 @@ lemma invokeTCB_WriteRegisters_ccorres[where S=UNIV]:
apply (simp add: performTransfer_def)
apply wp
apply vcg
apply (clarsimp simp: n_msgRegisters_def sysargs_rel_n_def split: split_if)
apply (clarsimp simp: n_msgRegisters_def sysargs_rel_n_def split: if_split)
apply (rule conjI)
apply (cases args, simp)
apply (case_tac list, simp)
@ -1539,7 +1539,7 @@ lemma invokeTCB_WriteRegisters_ccorres[where S=UNIV]:
apply simp
apply (clarsimp simp: frame_gp_registers_convs word_less_nat_alt
sysargs_rel_def n_frameRegisters_def n_msgRegisters_def
split: split_if_asm)
split: if_split_asm)
done
lemma invokeTCB_Suspend_ccorres:
@ -1649,7 +1649,7 @@ shows
apply (rename_tac cthread,
rule_tac P="cthread = tcb_ptr_to_ctcb_ptr thread" in ccorres_gen_asm2)
apply (rule ccorres_split_nothrow_dc)
apply (simp add: when_def del: Collect_const split del: split_if)
apply (simp add: when_def del: Collect_const split del: if_split)
apply (rule ccorres_cond2[where R=\<top>], simp add: from_bool_0 Collect_const_mem)
apply (ctac add: suspend_ccorres[OF cteDeleteOne_ccorres])
apply (rule ccorres_return_Skip)
@ -1706,13 +1706,13 @@ shows
apply (clarsimp simp: obj_at'_def projectKOs asUser_fetch_def
frame_gp_registers_convs genericTake_def
nth_append
split: split_if)
split: if_split)
apply (simp add: n_frameRegisters_def n_msgRegisters_def)
apply (simp add: frame_gp_registers_convs msg_registers_convs
n_msgRegisters_def n_frameRegisters_def
n_gpRegisters_def msgMaxLength_def msgLengthBits_def
split: option.split)
apply (simp add: min_def word_less_nat_alt split: split_if)[1]
apply (simp add: min_def word_less_nat_alt split: if_split)[1]
apply arith
apply (rule allI, rule conseqPre, vcg exspec=setRegister_modifies
exspec=getRegister_modifies)
@ -1807,8 +1807,8 @@ shows
n_gpRegisters_def Types_H.msgMaxLength_def
Types_H.msgLengthBits_def
split: option.split)
apply (simp add: min_def word_less_nat_alt split: split_if)[1]
apply (simp split: split_if_asm, arith+)[1]
apply (simp add: min_def word_less_nat_alt split: if_split)[1]
apply (simp split: if_split_asm, arith+)[1]
apply (rule allI, rule conseqPre, vcg)
apply clarsimp
apply (wp)
@ -1820,7 +1820,7 @@ shows
msgMaxLength_def Types_H.msgLengthBits_def
n_gpRegisters_def msg_registers_convs
split: option.split_asm)
apply (simp add: min_def split: split_if_asm split_if)
apply (simp add: min_def split: if_split_asm if_split)
apply arith
apply (drule_tac s=rv'a in sym, simp)
apply (rule_tac P=\<top> and P'="{s. i_' s = rv'a}" in ccorres_inst)
@ -1833,12 +1833,12 @@ shows
apply (rule ccorres_guard_imp2, rule ccorres_return_Skip')
apply (simp add: n_msgRegisters_def n_frameRegisters_def
n_gpRegisters_def cong: option.case_cong)
apply (simp add: min_def split: split_if option.split)
apply (simp add: min_def split: if_split option.split)
apply (simp add: mapM_x_Nil)
apply (rule ccorres_guard_imp2, rule ccorres_return_Skip')
apply (simp add: n_msgRegisters_def n_frameRegisters_def
n_gpRegisters_def cong: option.case_cong)
apply (simp add: min_def split: split_if option.split)
apply (simp add: min_def split: if_split option.split)
apply (clarsimp simp only: unat_arith_simps, simp)
apply (clarsimp simp: less_diff_conv word_le_nat_alt linorder_not_less)
apply (subst(asm) unat_of_nat32)
@ -1895,7 +1895,7 @@ shows
n_msgRegisters_def n_frameRegisters_def
n_gpRegisters_def msgMaxLength_def msgLengthBits_def
del: upt.simps upt_rec_numeral)
apply (simp add: min_def split: split_if_asm)
apply (simp add: min_def split: if_split_asm)
apply (rule frame_gp_registers_convs)
apply (simp add: frame_gp_registers_convs n_msgRegisters_def n_frameRegisters_def
n_gpRegisters_def msgMaxLength_def msgLengthBits_def
@ -1911,7 +1911,7 @@ shows
nth_append frame_gp_registers_convs
n_frameRegisters_def n_gpRegisters_def
n_msgRegisters_def frame_gp_registers_convs
cong: if_cong split: split_if)
cong: if_cong split: if_split)
apply (clarsimp simp: frame_gp_registers_convs n_gpRegisters_def
min.absorb1 unat_of_nat)
apply (clarsimp simp: less_diff_conv)
@ -1920,11 +1920,11 @@ shows
n_msgRegisters_def frame_gp_registers_convs
Types_H.msgMaxLength_def Types_H.msgLengthBits_def
msg_registers_convs
cong: if_cong split: split_if)
cong: if_cong split: if_split)
apply (simp add: word_less_nat_alt unat_of_nat)
apply (simp add: iffD1[OF unat_add_lem] cong: conj_cong)
apply (simp add: min_def
split: split_if split_if_asm, arith+)[1]
split: if_split if_split_asm, arith+)[1]
apply (rule allI, rule conseqPre, vcg)
apply clarsimp
apply wp
@ -1964,11 +1964,11 @@ shows
split: option.split_asm)
apply (clarsimp simp: min_def iffD2 [OF mask_eq_iff_w2p] word_size
word_less_nat_alt
split: split_if_asm dest!: word_unat.Rep_inverse')
split: if_split_asm dest!: word_unat.Rep_inverse')
apply (clarsimp simp: length_msgRegisters n_msgRegisters_def)
apply (clarsimp simp: min_def iffD2 [OF mask_eq_iff_w2p] word_size
word_less_nat_alt
split: split_if_asm dest!: word_unat.Rep_inverse')
split: if_split_asm dest!: word_unat.Rep_inverse')
apply unat_arith
apply simp
apply (wp mapM_x_wp' sch_act_wf_lift valid_queues_lift static_imp_wp
@ -1986,7 +1986,7 @@ shows
n_frameRegisters_def n_gpRegisters_def
msgMaxLength_def msgLengthBits_def
word_less_nat_alt unat_of_nat)
apply (simp add: min_def split: split_if_asm)
apply (simp add: min_def split: if_split_asm)
apply (wp_once hoare_drop_imps)
apply (wp asUser_obj_at'[where t'=target] static_imp_wp
asUser_valid_ipc_buffer_ptr')
@ -2030,7 +2030,7 @@ shows
apply vcg
apply (rule conseqPre, vcg, clarsimp)
apply (clarsimp simp: rf_sr_ksCurThread ct_in_state'_def true_def
split: split_if)
split: if_split)
done
lemma capTCBPtr_eq:
@ -2130,7 +2130,7 @@ lemma decodeReadRegisters_ccorres:
apply (rule ccorres_nondet_refinement)
apply (rule is_nondet_refinement_bindE)
apply (rule is_nondet_refinement_refl)
apply (simp split: split_if)
apply (simp split: if_split)
apply (rule conjI[rotated], rule impI, rule is_nondet_refinement_refl)
apply (rule impI)
apply (rule is_nondet_refinement_alternative1)
@ -2162,7 +2162,7 @@ lemma decodeReadRegisters_ccorres:
valid_tcb_state'_def
elim!: pred_tcb'_weakenE
dest!: st_tcb_at_idle_thread')[1]
apply (clarsimp simp: from_bool_def word_and_1 split: split_if)
apply (clarsimp simp: from_bool_def word_and_1 split: if_split)
done
lemma decodeWriteRegisters_ccorres:
@ -2276,7 +2276,7 @@ lemma decodeWriteRegisters_ccorres:
apply (clarsimp simp: genericTake_def linorder_not_less)
apply (subst hd_conv_nth, clarsimp simp: unat_eq_0)
apply (clarsimp simp: from_bool_def word_and_1
split: split_if)
split: if_split)
done
lemma excaps_map_Nil: "(excaps_map caps = []) = (caps = [])"
@ -2407,7 +2407,7 @@ lemma decodeCopyRegisters_ccorres:
dest!: st_tcb_at_idle_thread' interpret_excaps_eq)[1]
apply (clarsimp simp: word_sle_def CopyRegistersFlags_defs word_sless_def
"StrictC'_thread_state_defs" rf_sr_ksCurThread
split: split_if)
split: if_split)
apply (drule interpret_excaps_eq)
apply (clarsimp simp: mask_def excaps_map_def split_def ccap_rights_relation_def
rightsFromWord_wordFromRights excaps_map_Nil)
@ -2415,7 +2415,7 @@ lemma decodeCopyRegisters_ccorres:
drule(1) cap_get_tag_to_H)
apply (clarsimp simp: cap_get_tag_isCap to_bool_def)
apply (auto simp: unat_eq_of_nat word_and_1_shiftls
word_and_1_shiftl [where n=3,simplified] cap_get_tag_isCap[symmetric] split: split_if_asm)
word_and_1_shiftl [where n=3,simplified] cap_get_tag_isCap[symmetric] split: if_split_asm)
done
(* FIXME: move *)
@ -2439,7 +2439,7 @@ lemma ccap_relation_gen_framesize_to_H:
apply (frule(1) iffD1 [OF cap_get_tag_PageCap_frame])
apply (clarsimp simp: cap_frame_cap_lift generic_frame_cap_get_capFSize_CL_def)
apply (simp add: gen_framesize_to_H_def framesize_to_H_def
split: split_if)
split: if_split)
apply (clarsimp simp: ccap_relation_def c_valid_cap_def
cl_valid_cap_def)
apply (simp add: cap_get_tag_isCap isCap_simps pageSize_def)
@ -2451,7 +2451,7 @@ lemma isDevice_PageCap_ccap_relation:
by (clarsimp elim!: ccap_relationE
simp: isPageCap_def generic_frame_cap_get_capFIsDevice_CL_def cap_to_H_def
Let_def to_bool_def
split: arch_capability.split_asm cap_CL.split_asm split_if_asm)
split: arch_capability.split_asm cap_CL.split_asm if_split_asm)
lemma checkValidIPCBuffer_ccorres:
"ccorres (syscall_error_rel \<currency> dc) (liftxf errstate id (K ()) ret__unsigned_long_')
@ -2526,7 +2526,7 @@ apply (simp add:checkValidIPCBuffer_def ARM_H.checkValidIPCBuffer_def)
apply (case_tac cp)
apply (clarsimp simp: syscall_error_rel_def syscall_error_to_H_cases isCap_simps
exception_defs throwError_def return_def if_1_0_0
split: capability.split arch_capability.split split_if_asm)+
split: capability.split arch_capability.split if_split_asm)+
apply (simp add: cap_get_tag_isCap isCap_simps pageSize_def Cond_if_mem)
apply (frule ccap_relation_page_is_device)
apply (auto simp add: isCap_simps isDeviceCap.simps pageSize_def
@ -2547,7 +2547,7 @@ apply (simp add:checkValidIPCBuffer_def ARM_H.checkValidIPCBuffer_def)
apply (case_tac cp)
apply (auto simp: syscall_error_rel_def syscall_error_to_H_cases isCap_simps
exception_defs throwError_def return_def if_1_0_0
split: capability.split arch_capability.split split_if_asm)
split: capability.split arch_capability.split if_split_asm)
done
lemma slotCapLongRunningDelete_ccorres:
@ -2610,7 +2610,7 @@ lemma empty_fail_slotCapLongRunningDelete:
"empty_fail (slotCapLongRunningDelete slot)"
by (auto simp: slotCapLongRunningDelete_def Let_def
case_Null_If isFinalCapability_def
split: split_if
split: if_split
intro!: empty_fail_bind)
definition
@ -2624,7 +2624,7 @@ lemma isValidVTableRoot_spec:
{s'. ret__unsigned_long_' s' = from_bool (isValidVTableRoot_C (cap_' s))}"
apply vcg
apply (clarsimp simp: isValidVTableRoot_C_def if_1_0_0 from_bool_0)
apply (simp add: from_bool_def to_bool_def false_def split: split_if)
apply (simp add: from_bool_def to_bool_def false_def split: if_split)
done
lemma isValidVTableRoot_conv:
@ -2640,7 +2640,7 @@ lemma isValidVTableRoot_conv:
apply (clarsimp simp: ccap_relation_def map_option_Some_eq2
cap_page_directory_cap_lift cap_to_H_def
from_bool_def)
apply (clarsimp simp: to_bool_def split: split_if)
apply (clarsimp simp: to_bool_def split: if_split)
apply (clarsimp simp: cap_get_tag_isCap cap_get_tag_isCap_ArchObject)
apply (simp split: arch_capability.split_asm add: isCap_simps)
apply (case_tac "cap_get_tag cap' = scast cap_page_directory_cap")
@ -2656,7 +2656,7 @@ lemma updateCapData_spec:
lemma if_n_updateCapData_valid_strg:
"s \<turnstile>' cap \<longrightarrow> s \<turnstile>' (if P then cap else updateCapData prs v cap)"
by (simp add: valid_updateCapDataI split: split_if)
by (simp add: valid_updateCapDataI split: if_split)
lemma length_excaps_map:
"length (excaps_map xcs) = length xcs"
@ -2728,7 +2728,7 @@ lemma checkPrio_ccorres:
apply (clarsimp simp: rf_sr_ksCurThread obj_at'_def projectKOs
typ_heap_simps' ctcb_relation_def)
apply ceqv
apply (simp add: whenE_def del: Collect_const split: split_if)
apply (simp add: whenE_def del: Collect_const split: if_split)
apply (rule conjI; clarsimp)
apply (rule ccorres_from_vcg_split_throws)
apply vcg
@ -3759,7 +3759,7 @@ lemma decodeBindNotification_ccorres:
apply (clarsimp simp: typ_heap_simps cnotification_relation_def Let_def
valid_ntfn'_def)
apply (case_tac "ntfnObj ntfn", simp_all add: isWaitingNtfn_def option_to_ctcb_ptr_def
false_def true_def split: option.split_asm split_if,
false_def true_def split: option.split_asm if_split,
auto simp: neq_Nil_conv tcb_queue_relation'_def tcb_at_not_NULL[symmetric]
tcb_at_not_NULL)[1]
apply ceqv
@ -3861,7 +3861,7 @@ lemma decodeBindNotification_ccorres:
apply (clarsimp simp: typ_heap_simps cap_get_tag_ThreadCap ccap_relation_def)
apply (auto simp: word_sless_alt typ_heap_simps cap_get_tag_ThreadCap ctcb_relation_def
option_to_ptr_def option_to_0_def
split: split_if)
split: if_split)
done


@ -19,10 +19,10 @@ lemma empty_fail_findPDForASID[iff]:
"empty_fail (findPDForASID asid)"
apply (simp add: findPDForASID_def liftME_def)
apply (intro empty_fail_bindE, simp_all split: option.split)
apply (simp add: assertE_def split: split_if)
apply (simp add: assertE_def split: split_if)
apply (simp add: assertE_def split: if_split)
apply (simp add: assertE_def split: if_split)
apply (simp add: empty_fail_getObject)
apply (simp add: assertE_def liftE_bindE checkPDAt_def split: split_if)
apply (simp add: assertE_def liftE_bindE checkPDAt_def split: if_split)
done
(* FIXME: move *)
@ -67,13 +67,13 @@ lemma checkVPAlignment_ccorres:
(checkVPAlignment sz w)
(Call checkVPAlignment_'proc)"
proof -
note [split del] = split_if
note [split del] = if_split
show ?thesis
apply (cinit lift: sz_' w_')
apply (csymbr)
apply clarsimp
apply (rule ccorres_Guard [where A=\<top> and C'=UNIV])
apply (simp split: split_if)
apply (simp split: if_split)
apply (rule conjI)
apply (clarsimp simp: mask_def unlessE_def returnOk_def)
apply (rule ccorres_guard_imp)
@ -82,16 +82,16 @@ proof -
apply simp
apply simp
apply simp
apply (simp split: split_if add: to_bool_def)
apply (clarsimp simp: mask_def unlessE_def throwError_def split: split_if)
apply (simp split: if_split add: to_bool_def)
apply (clarsimp simp: mask_def unlessE_def throwError_def split: if_split)
apply (rule ccorres_guard_imp)
apply (rule ccorres_return_C)
apply simp
apply simp
apply simp
apply simp
apply (simp split: split_if add: to_bool_def)
apply (clarsimp split: split_if)
apply (simp split: if_split add: to_bool_def)
apply (clarsimp split: if_split)
apply (simp add: word_less_nat_alt)
apply (rule order_le_less_trans, rule pageBitsForSize_le)
apply simp
@ -210,7 +210,7 @@ lemma pd_at_asid_cross_over:
pd_asid_slot_def mask_add_aligned)
apply (simp add: mask_def pdBits_def pageBits_def)
apply (clarsimp simp add: cpde_relation_def Let_def)
by (simp add: pde_lift_def Let_def split: split_if_asm)
by (simp add: pde_lift_def Let_def split: if_split_asm)
lemma findPDForASIDAssert_pd_at_wp2:
"\<lbrace>\<lambda>s. \<forall>pd. pd_at_asid' pd asid s
@ -269,7 +269,7 @@ lemma loadHWASID_ccorres:
apply (drule singleton_eqD)
apply (clarsimp elim!: ranE)
apply (erule notE, rule_tac a=xa in ranI)
apply (simp add: restrict_map_def split: split_if)
apply (simp add: restrict_map_def split: if_split)
apply clarsimp
apply clarsimp
apply (drule_tac x=a in eqset_imp_iff)
@ -289,7 +289,7 @@ lemma array_relation_update:
unat bnd < card (UNIV :: 'b set) \<rbrakk>
\<Longrightarrow> array_relation R bnd (table (x := v))
(Arrays.update arr x' v')"
by (simp add: array_relation_def word_le_nat_alt split: split_if)
by (simp add: array_relation_def word_le_nat_alt split: if_split)
lemma asid_map_pd_to_hwasids_update:
"\<lbrakk> pd \<notin> ran (option_map snd \<circ> m |` (- {asid}));
@ -297,15 +297,15 @@ lemma asid_map_pd_to_hwasids_update:
asid_map_pd_to_hwasids (m (asid \<mapsto> (hw_asid, pd)))
= (asid_map_pd_to_hwasids m) (pd := {hw_asid})"
apply (rule ext, rule set_eqI)
apply (simp add: asid_map_pd_to_hwasids_def split: split_if)
apply (simp add: asid_map_pd_to_hwasids_def split: if_split)
apply (intro conjI impI)
apply (rule iffI)
apply (rule ccontr, clarsimp elim!: ranE split: split_if_asm)
apply (rule ccontr, clarsimp elim!: ranE split: if_split_asm)
apply (erule notE, rule ranI, simp add: restrict_map_def)
apply (subst if_P, assumption)
apply simp
apply (fastforce split: split_if)
apply (simp add: ran_def split: split_if)
apply (fastforce split: if_split)
apply (simp add: ran_def split: if_split)
apply (rule iffI)
apply fastforce
apply (erule exEI)
@ -350,7 +350,7 @@ lemma storeHWASID_ccorres:
apply (simp add: word_sless_def word_sle_def cslift_ptr_safe)
apply (intro conjI)
apply (erule iffD1 [OF cmap_relation_cong, rotated -1], simp_all)[1]
apply (simp split: split_if_asm)
apply (simp split: if_split_asm)
apply (clarsimp simp: cpde_relation_def Let_def
pde_lift_pde_invalid
cong: ARM_H.pde.case_cong)
@ -360,7 +360,7 @@ lemma storeHWASID_ccorres:
subgoal by simp
apply (subst asid_map_pd_to_hwasids_update, assumption)
subgoal by clarsimp
apply (rule ext, simp add: pd_pointer_to_asid_slot_def map_comp_def split: split_if)
apply (rule ext, simp add: pd_pointer_to_asid_slot_def map_comp_def split: if_split)
apply (clarsimp simp: pde_stored_asid_def true_def mask_def[where n="Suc 0"])
apply (subst less_mask_eq)
apply (rule order_less_le_trans, rule ucast_less)
@ -392,7 +392,7 @@ lemma invalidateHWASIDEntry_ccorres:
Let_def)
apply (clarsimp simp: carch_state_relation_def carch_globals_def
cmachine_state_relation_def)
apply (simp add: array_relation_def split: split_if, erule allEI)
apply (simp add: array_relation_def split: if_split, erule allEI)
apply (clarsimp simp: word_le_nat_alt)
apply (simp add: option_to_0_def asidInvalid_def)
done
@ -403,13 +403,13 @@ lemma asid_map_pd_to_hwasids_clear:
asid_map_pd_to_hwasids (m (asid := None))
= (asid_map_pd_to_hwasids m) (pd := {})"
apply (rule ext, rule set_eqI)
apply (simp add: asid_map_pd_to_hwasids_def split: split_if)
apply (simp add: asid_map_pd_to_hwasids_def split: if_split)
apply (intro conjI impI)
apply (clarsimp elim!: ranE split: split_if_asm)
apply (clarsimp elim!: ranE split: if_split_asm)
apply (erule notE, rule ranI, simp add: restrict_map_def)
apply (subst if_P, assumption)
apply simp
apply (simp add: ran_def split: split_if)
apply (simp add: ran_def split: if_split)
apply (rule iffI)
apply fastforce
apply (erule exEI)
@ -446,13 +446,13 @@ lemma invalidateASID_ccorres:
arg_cong[where f="\<lambda>x. 2 ^ x", OF meta_eq_to_obj_eq, OF asid_low_bits_def])
apply (intro conjI)
apply (erule iffD1 [OF cmap_relation_cong, rotated -1], simp_all)[1]
apply (simp split: split_if_asm)
apply (simp split: if_split_asm)
apply (clarsimp simp: cpde_relation_def Let_def
pde_lift_pde_invalid
cong: ARM_H.pde.case_cong)
apply (subst asid_map_pd_to_hwasids_clear, assumption)
subgoal by clarsimp
apply (rule ext, simp add: pd_pointer_to_asid_slot_def map_comp_def split: split_if)
apply (rule ext, simp add: pd_pointer_to_asid_slot_def map_comp_def split: if_split)
subgoal by (clarsimp simp: pde_stored_asid_def false_def mask_def[where n="Suc 0"])
apply wp[1]
apply (wp findPDForASIDAssert_pd_at_wp2)
@ -1122,7 +1122,7 @@ lemma flushSpace_ccorres:
apply (simp add: case_option_If2)
apply (rule_tac Q=\<top> and Q'=\<top> in ccorres_if_cond_throws2)
apply (clarsimp simp: Collect_const_mem pde_stored_asid_def)
apply (simp add: split_if_eq1 to_bool_def)
apply (simp add: if_split_eq1 to_bool_def)
apply (rule ccorres_return_void_C [unfolded dc_def])
apply csymbr
apply (clarsimp simp: pde_stored_asid_def)
@ -1328,7 +1328,7 @@ lemma findFreeHWASID_ccorres:
apply (simp add: min.absorb2
del: upt.simps)
apply (simp add: nth_append
split: split_if)
split: if_split)
apply ceqv
apply (rule ccorres_assert)
@ -1363,7 +1363,7 @@ lemma findFreeHWASID_ccorres:
simp add: is_down_def target_size_def source_size_def word_size)+
apply (clarsimp simp: maxBound_word minBound_word
ucast_ucast_add minus_one_norm
split: split_if)
split: if_split)
apply (simp add: word_sint_msb_eq uint_up_ucast word_size
msb_nth nth_ucast bang_big is_up_def source_size_def
target_size_def)
@ -1431,10 +1431,10 @@ lemma getHWASID_ccorres:
apply (rule ccorres_from_vcg_throws[where P=\<top> and P'=UNIV])
apply (rule allI, rule conseqPre, vcg)
apply (clarsimp simp: return_def pde_stored_asid_def
split: split_if_asm)
split: if_split_asm)
apply wp
apply (clarsimp simp: pde_stored_asid_def)
apply (clarsimp simp: to_bool_def split: split_if)
apply (clarsimp simp: to_bool_def split: if_split)
apply (auto simp: all_invs_but_ct_idle_or_in_cur_domain'_def)
done
@ -1587,7 +1587,7 @@ lemma setVMRoot_ccorres:
cap_lift_page_directory_cap cap_to_H_def
cap_page_directory_cap_lift_def
to_bool_def
elim!: ccap_relationE split: split_if_asm)
elim!: ccap_relationE split: if_split_asm)
(* FIXME: move *)
@ -1651,7 +1651,7 @@ lemma setVMRootForFlush_ccorres:
apply (clarsimp simp: isCap_simps(2) cap_get_tag_isCap_ArchObject[symmetric])
apply (clarsimp simp: cap_page_directory_cap_lift cap_to_H_def
elim!: ccap_relationE)
apply (simp add: to_bool_def split: split_if)
apply (simp add: to_bool_def split: if_split)
by (auto simp: cap_get_tag_isCap_ArchObject2)
@ -1669,7 +1669,7 @@ lemma framesize_from_to_H:
by (simp add: gen_framesize_to_H_def framesize_from_H_def
Kernel_C.ARMSmallPage_def Kernel_C.ARMLargePage_def
Kernel_C.ARMSection_def Kernel_C.ARMSuperSection_def
split: split_if vmpage_size.splits)
split: if_split vmpage_size.splits)
lemma framesize_from_H_mask:
"framesize_from_H vmsz && mask 2 = framesize_from_H vmsz"
@ -1786,14 +1786,14 @@ lemma performPageFlush_ccorres:
apply (unfold when_def)
apply (rule ccorres_cond_seq)
apply (rule ccorres_cond2[where R=\<top>])
apply (simp split: split_if)
apply (simp split: if_split)
apply (rule ccorres_rhs_assoc)+
apply (ctac (no_vcg) add: setVMRootForFlush_ccorres)
apply (ctac (no_vcg) add: doFlush_ccorres)
apply (rule ccorres_add_return2)
apply (rule ccorres_split_nothrow_novcg_dc)
apply (rule ccorres_cond2[where R=\<top>])
apply (simp add: from_bool_def split: split_if bool.splits)
apply (simp add: from_bool_def split: if_split bool.splits)
apply (rule ccorres_pre_getCurThread)
apply (ctac add: setVMRoot_ccorres)
apply (rule ccorres_return_Skip)
@ -1841,7 +1841,7 @@ lemma setRegister_ccorres:
(asUser thread (setRegister reg val))
(Call setRegister_'proc)"
apply (cinit' lift: thread_' reg_' w_')
apply (simp add: asUser_def dc_def[symmetric] split_def split del: split_if)
apply (simp add: asUser_def dc_def[symmetric] split_def split del: if_split)
apply (rule ccorres_pre_threadGet)
apply (rule ccorres_Guard)
apply (simp add: setRegister_def simpler_modify_def exec_select_f_singleton)
@ -1861,7 +1861,7 @@ lemma setRegister_ccorres:
apply (clarsimp simp: ctcb_relation_def ccontext_relation_def
atcbContextSet_def atcbContextGet_def
carch_tcb_relation_def
split: split_if)
split: if_split)
apply (clarsimp simp: Collect_const_mem register_from_H_sless
register_from_H_less)
apply (auto intro: typ_heap_simps elim: obj_at'_weakenE)
@ -1976,14 +1976,14 @@ lemma performPageDirectoryInvocationFlush_ccorres:
apply (unfold when_def)
apply (rule ccorres_cond_seq)
apply (rule ccorres_cond2[where R=\<top>])
apply (simp split: split_if)
apply (simp split: if_split)
apply (rule ccorres_rhs_assoc)+
apply (ctac (no_vcg) add: setVMRootForFlush_ccorres)
apply (ctac (no_vcg) add: doFlush_ccorres)
apply (rule ccorres_add_return2)
apply (rule ccorres_split_nothrow_novcg_dc)
apply (rule ccorres_cond2[where R=\<top>])
apply (simp add: from_bool_def split: split_if bool.splits)
apply (simp add: from_bool_def split: if_split bool.splits)
apply (rule ccorres_pre_getCurThread)
apply (ctac add: setVMRoot_ccorres)
apply (rule ccorres_return_Skip)
@ -2018,7 +2018,7 @@ lemma flushPage_ccorres:
apply csymbr
apply (simp add: when_def del: Collect_const)
apply (rule ccorres_cond2[where R=\<top>])
apply (clarsimp simp: pde_stored_asid_def to_bool_def split: split_if)
apply (clarsimp simp: pde_stored_asid_def to_bool_def split: if_split)
apply (rule ccorres_Guard_Seq ccorres_rhs_assoc)+
apply csymbr
apply csymbr
@ -2365,7 +2365,7 @@ lemma unmapPage_ccorres:
apply (simp add: cpte_relation_def Let_def pte_lift_def
isSmallPagePTE_def pte_tag_defs
pte_pte_small_lift_def pte_pte_invalid_def
split: split_if_asm pte.split_asm)
split: if_split_asm pte.split_asm)
apply (rule ceqv_refl)
apply (simp add: unfold_checkMapping_return liftE_liftM
Collect_const[symmetric] dc_def[symmetric]
@ -2407,7 +2407,7 @@ lemma unmapPage_ccorres:
subgoal by (simp add: cpte_relation_def Let_def pte_lift_def
isLargePagePTE_def pte_tag_defs
pte_pte_large_lift_def pte_pte_invalid_def
split: split_if_asm pte.split_asm)
split: if_split_asm pte.split_asm)
apply (rule ceqv_refl)
apply (simp add: liftE_liftM dc_def[symmetric]
mapM_discarded whileAnno_def ARMLargePageBits_def ARMSmallPageBits_def
@ -2485,7 +2485,7 @@ lemma unmapPage_ccorres:
apply (simp add: gen_framesize_to_H_def dc_def[symmetric]
liftE_liftM
del: Collect_const)
apply (simp split: split_if, rule conjI[rotated], rule impI,
apply (simp split: if_split, rule conjI[rotated], rule impI,
rule ccorres_empty, rule impI)
apply (rule ccorres_rhs_assoc2, rule ccorres_rhs_assoc2,
rule ccorres_rhs_assoc2, rule ccorres_rhs_assoc2,
@ -2496,7 +2496,7 @@ lemma unmapPage_ccorres:
apply (clarsimp simp: typ_heap_simps')
subgoal by (simp add: pde_pde_section_lift_def cpde_relation_def pde_lift_def
Let_def pde_tag_defs isSectionPDE_def
split: pde.split_asm split_if_asm)
split: pde.split_asm if_split_asm)
apply (rule ceqv_refl)
apply (simp add: unfold_checkMapping_return Collect_False dc_def[symmetric]
del: Collect_const)
@ -2535,7 +2535,7 @@ lemma unmapPage_ccorres:
subgoal by (simp add: cpde_relation_def Let_def pde_lift_def
isSuperSectionPDE_def pde_tag_defs
pde_pde_section_lift_def
split: split_if_asm pde.split_asm)
split: if_split_asm pde.split_asm)
apply (rule ceqv_refl)
apply (simp add: unfold_checkMapping_return Collect_False ARMSuperSectionBits_def
ARMSectionBits_def word_sle_def
@ -2641,7 +2641,7 @@ lemma cap_to_H_PageCap_tag:
"\<lbrakk> cap_to_H cap = ArchObjectCap (PageCap d p R sz A);
cap_lift C_cap = Some cap \<rbrakk> \<Longrightarrow>
cap_get_tag C_cap = scast cap_frame_cap \<or> cap_get_tag C_cap = scast cap_small_frame_cap"
apply (clarsimp simp: cap_to_H_def Let_def split: cap_CL.splits split_if_asm)
apply (clarsimp simp: cap_to_H_def Let_def split: cap_CL.splits if_split_asm)
by (simp_all add: Let_def cap_lift_def split_def split: if_splits)
lemma generic_frame_mapped_address:
@ -2659,12 +2659,12 @@ lemma generic_frame_mapped_address:
apply (simp add: cap_frame_cap_lift)
apply (simp add: generic_frame_cap_set_capFMappedAddress_CL_def)
apply (clarsimp simp: cap_to_H_def)
apply (simp add: asidInvalid_def split: split_if)
apply (simp add: asidInvalid_def split: if_split)
apply (simp add: c_valid_cap_def cl_valid_cap_def)
apply (simp add: cap_small_frame_cap_lift)
apply (simp add: generic_frame_cap_set_capFMappedAddress_CL_def)
apply (clarsimp simp: cap_to_H_def)
apply (simp add: asidInvalid_def split: split_if)
apply (simp add: asidInvalid_def split: if_split)
apply (simp add: c_valid_cap_def cl_valid_cap_def)
done
@ -2764,17 +2764,17 @@ lemma ccap_relation_mapped_asid_0:
apply (erule disjE)
apply (clarsimp simp: cap_lift_frame_cap cap_to_H_def
generic_frame_cap_get_capFMappedASID_CL_def
split: split_if_asm)
split: if_split_asm)
apply (clarsimp simp: cap_lift_small_frame_cap cap_to_H_def
generic_frame_cap_get_capFMappedASID_CL_def
split: split_if_asm)
split: if_split_asm)
apply clarsimp
apply (erule disjE)
apply (rule ccontr)
apply clarsimp
apply (clarsimp simp: cap_lift_frame_cap cap_to_H_def
generic_frame_cap_get_capFMappedASID_CL_def
split: split_if_asm)
split: if_split_asm)
apply (drule word_aligend_0_sum [where n=asid_low_bits])
apply fastforce
apply (simp add: mask_def asid_low_bits_def word_and_le1)
@ -2790,7 +2790,7 @@ lemma ccap_relation_mapped_asid_0:
apply clarsimp
apply (clarsimp simp: cap_lift_small_frame_cap cap_to_H_def
generic_frame_cap_get_capFMappedASID_CL_def
split: split_if_asm)
split: if_split_asm)
apply (drule word_aligend_0_sum [where n=asid_low_bits])
apply fastforce
apply (simp add: mask_def asid_low_bits_def word_and_le1)
@ -2848,8 +2848,8 @@ lemma ccap_relation_PageCap_generics:
elim!: ccap_relationE)
apply (simp add: gen_framesize_to_H_def)
apply (simp add: vm_page_size_defs order_le_less_trans [OF word_and_le1]
split: split_if)
apply (clarsimp split: split_if_asm)
split: if_split)
apply (clarsimp split: if_split_asm)
apply (frule(1) cap_get_tag_isCap_unfolded_H_cap)
apply (clarsimp simp: cap_lift_frame_cap cap_to_H_def
generic_frame_cap_get_capFMappedAddress_CL_def
@ -2863,8 +2863,8 @@ lemma ccap_relation_PageCap_generics:
elim!: ccap_relationE)
apply (simp add: gen_framesize_to_H_is_framesize_to_H_if_not_ARMSmallPage)
apply (simp add: vm_page_size_defs order_le_less_trans [OF word_and_le1]
split: split_if)
apply (clarsimp split: split_if_asm)
split: if_split)
apply (clarsimp split: if_split_asm)
done
lemma performPageInvocationUnmap_ccorres:
@ -2926,7 +2926,7 @@ lemma performPageInvocationUnmap_ccorres:
apply (simp add: guard_is_UNIV_def)
apply (simp add: cte_wp_at_ctes_of)
apply wp
apply (clarsimp simp: cte_wp_at_ctes_of isCap_simps split: split_if)
apply (clarsimp simp: cte_wp_at_ctes_of isCap_simps split: if_split)
apply (drule diminished_PageCap)
apply clarsimp
apply (drule ccap_relation_mapped_asid_0)
@ -2935,7 +2935,7 @@ lemma performPageInvocationUnmap_ccorres:
apply (clarsimp simp: mask_def valid_cap'_def
vmsz_aligned_aligned_pageBits)
apply assumption
apply (clarsimp simp: cte_wp_at_ctes_of isCap_simps split: split_if)
apply (clarsimp simp: cte_wp_at_ctes_of isCap_simps split: if_split)
apply (drule diminished_PageCap)
apply clarsimp
apply (frule (1) rf_sr_ctes_of_clift)
@ -3108,7 +3108,7 @@ lemma cap_to_H_PDCap_tag:
"\<lbrakk> cap_to_H cap = ArchObjectCap (PageDirectoryCap p A);
cap_lift C_cap = Some cap \<rbrakk> \<Longrightarrow>
cap_get_tag C_cap = scast cap_page_directory_cap"
apply (clarsimp simp: cap_to_H_def Let_def split: cap_CL.splits split_if_asm)
apply (clarsimp simp: cap_to_H_def Let_def split: cap_CL.splits if_split_asm)
apply (simp_all add: Let_def cap_lift_def split: if_splits)
done
@ -3146,7 +3146,7 @@ lemma setCTE_asidpool':
apply (clarsimp simp: obj_at'_def projectKOs)
apply (rule conjI)
apply (clarsimp simp: lookupAround2_char1)
apply (clarsimp split: split_if)
apply (clarsimp split: if_split)
apply (case_tac obj', auto)[1]
apply (rename_tac arch_kernel_object)
apply (case_tac arch_kernel_object, auto)[1]
@ -3360,7 +3360,7 @@ lemma flushTable_ccorres:
apply csymbr
apply (simp add: when_def del: Collect_const)
apply (rule ccorres_cond2[where R=\<top>])
apply (clarsimp simp: pde_stored_asid_def to_bool_def split: split_if)
apply (clarsimp simp: pde_stored_asid_def to_bool_def split: if_split)
apply (rule ccorres_Guard_Seq ccorres_rhs_assoc)+
apply csymbr


@ -393,7 +393,7 @@ proof -
apply simp
apply (drule_tac t="pda v" for v in sym, simp)
apply (clarsimp simp: obj_at_def a_type_def del: disjCI)
apply (clarsimp split: Structures_A.kernel_object.split_asm split_if_asm
apply (clarsimp split: Structures_A.kernel_object.split_asm if_split_asm
arch_kernel_obj.split_asm del: disjCI)
apply (frule_tac p="ptrFromPAddr v" for v in pspace_alignedD, simp+)
apply (rule disjI2, rule conjI)
@ -436,7 +436,7 @@ proof -
apply simp
apply (drule_tac t="pda v" for v in sym, simp)
apply (clarsimp simp: obj_at_def a_type_def del: disjCI)
apply (clarsimp split: Structures_A.kernel_object.split_asm split_if_asm
apply (clarsimp split: Structures_A.kernel_object.split_asm if_split_asm
arch_kernel_obj.split_asm del: disjCI)
apply (frule_tac p="ptrFromPAddr v" for v in pspace_alignedD, simp+)
apply (rule map_includedI)
@ -455,7 +455,7 @@ proof -
restrict_map_def)
apply (clarsimp simp: valid_idle_def pred_tcb_at_def obj_at_def)
apply (clarsimp simp: upto_enum_step_def pt_bits_def pageBits_def
split: split_if_asm)
split: if_split_asm)
apply (subst add.assoc, subst is_aligned_add_helper, assumption)
apply (simp only: word_shift_by_2 word_shiftl_add_distrib[symmetric])
apply (rule shiftl_less_t2n)
@ -573,11 +573,11 @@ proof (induct x)
thus ?case
apply (simp add: Decode_D.decode_invocation_def
decode_invocation_def arch_decode_invocation_def
split del: split_if)
split del: if_split)
apply (clarsimp simp: get_asid_pool_intent_def transform_intent_def
map_option_Some_eq2 throw_opt_def
decode_asid_pool_invocation_def
split del: split_if split: label_split_asm list.split_asm)
split del: if_split split: label_split_asm list.split_asm)
apply (simp add: split_beta corres_alternate2
liftE_bindE corres_symb_exec_in_gets
corres_whenE_throwError_split_rhs
@ -621,7 +621,7 @@ proof (induct x)
apply (rule ucast_up_inj[where 'b=32])
apply (simp add: ucast_ucast_mask is_aligned_mask asid_low_bits_def)
apply simp
apply (wp select_wp | simp add:valid_cap_def split del: split_if)+
apply (wp select_wp | simp add:valid_cap_def split del: if_split)+
done
next
case ASIDControlCap
@ -629,12 +629,12 @@ next
apply (simp add: Decode_D.decode_invocation_def
decode_invocation_def arch_decode_invocation_def
bindE_assoc
split del: split_if)
split del: if_split)
apply (clarsimp simp: get_asid_control_intent_def transform_intent_def
map_option_Some_eq2 throw_opt_def
decode_asid_control_invocation_def
transform_cnode_index_and_depth_def
split del: split_if split: label_split_asm list.split_asm)
split del: if_split split: label_split_asm list.split_asm)
apply (simp add: split_beta corres_alternate2
liftE_bindE corres_symb_exec_in_gets
corres_whenE_throwError_split_rhs
@ -707,13 +707,13 @@ next
thus ?case
apply (simp add: Decode_D.decode_invocation_def
decode_invocation_def arch_decode_invocation_def
split del: split_if)
split del: if_split)
apply (clarsimp simp: get_page_intent_def transform_intent_def
map_option_Some_eq2 throw_opt_def
decode_page_invocation_def
transform_intent_page_map_def
transform_intent_page_remap_def
split del: split_if split: label_split_asm list.split_asm,
split del: if_split split: label_split_asm list.split_asm,
simp_all add: split_beta corres_alternate2
liftE_bindE corres_symb_exec_in_gets
corres_whenE_throwError_split_rhs
@ -761,7 +761,7 @@ next
apply wp
apply (rule hoare_pre, wp, simp)
apply (rule hoare_pre, wp, auto)[1]
apply (wp | simp add: whenE_def split del: split_if)+
apply (wp | simp add: whenE_def split del: if_split)+
apply (rule hoare_pre, wp, simp)
apply clarsimp
apply (clarsimp simp: gets_bind_alternative
@ -806,7 +806,7 @@ next
apply wp
apply (rule hoare_pre, wp, simp)
apply (rule hoare_pre, wp, auto)[1]
apply (wp | simp add: whenE_def split del: split_if)+
apply (wp | simp add: whenE_def split del: if_split)+
apply (rule hoare_pre, wp, simp)
apply (rule corres_alternate1)
apply (simp add: returnOk_def arch_invocation_relation_def cap_object_simps
@ -866,12 +866,12 @@ next
thus ?case
apply (simp add: Decode_D.decode_invocation_def
decode_invocation_def arch_decode_invocation_def
split del: split_if)
split del: if_split)
apply (clarsimp simp: get_page_table_intent_def transform_intent_def
map_option_Some_eq2 throw_opt_def cdl_get_pt_mapped_addr_def
decode_page_table_invocation_def
transform_intent_page_table_map_def
split del: split_if
split del: if_split
split: label_split_asm list.split_asm)
apply (simp add: throw_on_none_def transform_cap_list_def
get_index_def split_beta alternative_refl
@ -912,7 +912,7 @@ next
le_shiftr linorder_not_le cap_object_simps)
apply (rule hoare_pre, wp, auto)[1]
apply (wp | simp)+
apply (simp add: whenE_def split del: split_if)
apply (simp add: whenE_def split del: if_split)
apply (rule hoare_pre, wp, simp)
apply (clarsimp simp: is_final_cap'_def
is_final_cap_def split:list.splits)
@ -931,7 +931,7 @@ next
decode_invocation_def arch_decode_invocation_def
get_page_directory_intent_def transform_intent_def
isPDFlushLabel_def
split del: split_if)
split del: if_split)
apply (clarsimp simp: get_page_directory_intent_def transform_intent_def
map_option_Some_eq2 throw_opt_def decode_page_directory_invocation_def
split: label_split_asm cdl_intent.splits
@ -1112,7 +1112,7 @@ lemma set_object_simple_corres:
apply (clarsimp simp: transform_def transform_objects_def
not_idle_thread_def obj_at_def
transform_current_thread_def)
apply (rule ext, simp split: split_if)
apply (rule ext, simp split: if_split)
apply (intro conjI impI allI)
apply (clarsimp simp: transform_object_def
split: Structures_A.kernel_object.split)
@ -1212,7 +1212,7 @@ lemma set_cap_opt_cap':
apply (rule hoare_seq_ext [OF _ dget_object_sp])
apply (case_tac obj, simp_all add:KHeap_D.set_object_def has_slots_def
update_slots_def object_slots_def
split del:split_if cong: if_cong bind_cong)
split del:if_split cong: if_cong bind_cong)
apply (rule hoare_pre, wp select_wp)
apply (clarsimp simp:fun_upd_def[symmetric])
apply (safe elim!:rsubst[where P=P] intro!: ext)
@ -1256,7 +1256,7 @@ lemma invoke_page_table_corres:
apply (simp add: invoke_page_table_def perform_page_table_invocation_def)
apply (clarsimp simp: transform_page_table_inv_def
split: ARM_A.page_table_invocation.split_asm
split_if_asm)
if_split_asm)
apply (rename_tac word oref attribs)
apply (clarsimp simp: is_pt_cap_def valid_pti_def make_arch_duplicate_def)
apply (rule stronger_corres_guard_imp)
@ -1655,7 +1655,7 @@ lemma invoke_page_corres:
apply (rule corres_split [OF _ set_cap_corres])
apply (rule corres_dummy_return_pl[where b ="()"])
apply (rule corres_split[OF _ pte_check_if_mapped_corres])
apply (simp split del: split_if)
apply (simp split del: if_split)
apply (rule corres_dummy_return_l)
apply (rule corres_split[OF _ store_pte_set_cap_corres])
apply (rule corres_dummy_return_l)
@ -1674,7 +1674,7 @@ lemma invoke_page_corres:
apply (rule corres_split [OF _ set_cap_corres])
apply (rule corres_dummy_return_pl[where b="()"])
apply (rule corres_split[OF _ pde_check_if_mapped_corres])
apply (simp split del: split_if)
apply (simp split del: if_split)
apply (rule corres_dummy_return_l)
apply (rule corres_split[OF _ store_pde_set_cap_corres])
apply (rule corres_dummy_return_l)
@ -1702,7 +1702,7 @@ lemma invoke_page_corres:
apply (rule corres_guard_imp)
apply (rule corres_dummy_return_pl[where b="()"])
apply (rule corres_split[OF _ pte_check_if_mapped_corres])
apply (simp split del: split_if)
apply (simp split del: if_split)
apply (rule corres_dummy_return_l)
apply (rule corres_split[OF _ store_pte_set_cap_corres])
apply (rule corres_dummy_return_l)
@ -1718,7 +1718,7 @@ lemma invoke_page_corres:
apply (rule corres_guard_imp)
apply (rule corres_dummy_return_pl[where b="()"])
apply (rule corres_split[OF _ pde_check_if_mapped_corres])
apply (simp split del: split_if)
apply (simp split del: if_split)
apply (rule corres_dummy_return_l)
apply (rule corres_split[OF _ store_pde_set_cap_corres])
apply (rule corres_dummy_return_l)
@ -1780,7 +1780,7 @@ lemma invoke_page_corres:
apply (clarsimp simp: when_def split: if_splits)
apply (rule corres_guard_imp)
apply (rule dcorres_symb_exec_r)+
apply (simp only: split_if_asm)
apply (simp only: if_split_asm)
apply (safe)
apply (erule notE)
apply (rule dcorres_symb_exec_r)+


@ -91,7 +91,7 @@ lemma dcorres_set_untyped_cap_as_full:
(CSpace_D.set_untyped_cap_as_full (transform_cap src_cap) (transform_cap cap) (transform_cslot_ptr src))
(CSpace_A.set_untyped_cap_as_full src_cap cap src)"
apply (simp add:set_untyped_cap_as_full_def CSpace_D.set_untyped_cap_as_full_def
split del:split_if)
split del:if_split)
apply (case_tac "is_untyped_cap src_cap \<and> is_untyped_cap cap")
apply (rule dcorres_expand_pfx)
apply (rule corres_guard_imp)
@ -197,7 +197,7 @@ lemma insert_cap_sibling_corres:
and (\<lambda>s. mdb_cte_at (swp cte_at s) (cdt s))
and (\<lambda>s. cdt s sibling = None)" for orig'
in corres_modify)
apply (clarsimp split del: split_if)
apply (clarsimp split del: if_split)
apply (subst if_not_P, assumption)+
apply (clarsimp simp: opt_parent_def transform_def
transform_objects_def transform_cdt_def
@ -220,7 +220,7 @@ lemma insert_cap_sibling_corres:
apply ((wp set_cap_caps_of_state2 get_cap_wp static_imp_wp
| simp add: swp_def cte_wp_at_caps_of_state)+)
apply (wp set_cap_idle |
simp add:set_untyped_cap_as_full_def split del: split_if)+
simp add:set_untyped_cap_as_full_def split del: if_split)+
apply (rule_tac Q = "\<lambda>r s. cdt s sibling = None
\<and> \<not> should_be_parent_of src_capa (is_original_cap s sibling) cap (cap_insert_dest_original cap src_capa)
\<and> mdb_cte_at (swp (cte_wp_at (op \<noteq> cap.NullCap)) s) (cdt s)"
@ -232,7 +232,7 @@ lemma insert_cap_sibling_corres:
apply fastforce
apply (wp get_cap_wp set_cap_idle static_imp_wp
| simp add:set_untyped_cap_as_full_def
split del: split_if)+
split del: if_split)+
apply (rule_tac Q = "\<lambda>r s. cdt s sibling = None
\<and> (\<exists>cap. caps_of_state s src = Some cap)
\<and> \<not> should_be_parent_of src_capa (is_original_cap s src) cap (cap_insert_dest_original cap src_capa)
@ -288,7 +288,7 @@ lemma insert_cap_child_corres:
and cte_at src and cte_at child
and (\<lambda>s. mdb_cte_at (swp cte_at s) (cdt s))" for orig orig'
in corres_modify)
apply (clarsimp split del: split_if)
apply (clarsimp split del: if_split)
apply (subst if_P, assumption)+
apply (clarsimp simp: opt_parent_def transform_def transform_asid_table_def
transform_objects_def transform_cdt_def
@ -304,7 +304,7 @@ lemma insert_cap_child_corres:
apply (wp set_cap_caps_of_state2 get_cap_wp static_imp_wp
| simp add: swp_def cte_wp_at_caps_of_state)+
apply (wp set_cap_idle |
simp add:set_untyped_cap_as_full_def split del:split_if)+
simp add:set_untyped_cap_as_full_def split del:if_split)+
apply (rule_tac Q = "\<lambda>r s. not_idle_thread (fst child) s
\<and> should_be_parent_of src_capa (is_original_cap s child) cap (cap_insert_dest_original cap src_capa)
\<and> mdb_cte_at (swp (cte_wp_at (op \<noteq> cap.NullCap)) s) (cdt s)"
@ -313,7 +313,7 @@ lemma insert_cap_child_corres:
apply (clarsimp simp:mdb_cte_at_def cte_wp_at_caps_of_state)
apply fastforce
apply (wp get_cap_wp set_cap_idle static_imp_wp
| simp split del:split_if add:set_untyped_cap_as_full_def)+
| simp split del:if_split add:set_untyped_cap_as_full_def)+
apply (rule_tac Q = "\<lambda>r s. not_idle_thread (fst child) s
\<and> (\<exists>cap. caps_of_state s src = Some cap)
\<and> should_be_parent_of src_capa (is_original_cap s src) cap (cap_insert_dest_original cap src_capa)
@ -441,14 +441,14 @@ proof -
({p, p'} \<union> dom (cdt s') \<union> ran (cdt s')) \<and> cdt s' p \<noteq> Some p")
apply (elim conjE)
apply (subst map_lift_over_if_eq)
apply (erule subset_inj_on, auto elim!: ranE split: split_if_asm)[1]
apply (erule subset_inj_on, auto elim!: ranE split: if_split_asm)[1]
apply (rule sym)
apply (simp add: Fun.swap_def split del: split_if)
apply (simp add: Fun.swap_def split del: if_split)
apply (subst map_lift_over_upd[unfolded fun_upd_def],
((erule subset_inj_on, auto elim!: ranE split: split_if_asm)[1]))+
((erule subset_inj_on, auto elim!: ranE split: if_split_asm)[1]))+
apply (rule ext)
apply (cases p, cases p')
apply (simp split del: split_if)
apply (simp split del: if_split)
apply simp
apply (subst subset_inj_on map_lift_over_f_eq[OF subset_inj_on],
assumption, fastforce)+
@ -1052,7 +1052,7 @@ lemma dcorres_ep_cancel_badge_sends:
apply (simp add:valid_pspace_def)
apply (clarsimp simp: restrict_map_def transform_def transform_objects_def)
apply (clarsimp simp: ep_waiting_set_recv_def restrict_map_def transform_def
split:split_if_asm dest!:get_tcb_rev elim!: CollectE)
split:if_split_asm dest!:get_tcb_rev elim!: CollectE)
apply (frule(1) valid_etcbs_get_tcb_get_etcb)
apply (clarsimp simp: transform_tcb_def transform_objects_def infer_tcb_bound_notification_def
is_thread_blocked_on_endpoint_def infer_tcb_pending_op_def infer_tcb_bound_notification_def tcb_pending_op_slot_def tcb_boundntfn_slot_def tcb_slot_defs
@ -1089,11 +1089,11 @@ lemma transform_default_tcb:
done
lemma dcorres_list_all2_mapM_':
assumes w: "suffixeq xs oxs" "suffixeq ys oys"
assumes y: "\<And>x xs y ys. \<lbrakk> F x y; suffixeq (x # xs) oxs; suffixeq (y # ys) oys \<rbrakk>
assumes w: "suffix xs oxs" "suffix ys oys"
assumes y: "\<And>x xs y ys. \<lbrakk> F x y; suffix (x # xs) oxs; suffix (y # ys) oys \<rbrakk>
\<Longrightarrow> dcorres dc (P (x # xs)) (P' (y # ys)) (f x) (g y)"
assumes z: "\<And>x y xs. \<lbrakk> F x y; suffixeq (x # xs) oxs \<rbrakk> \<Longrightarrow> \<lbrace>P (x # xs)\<rbrace> f x \<lbrace>\<lambda>rv. P xs\<rbrace>"
"\<And>x y ys. \<lbrakk> F x y; suffixeq (y # ys) oys \<rbrakk> \<Longrightarrow> \<lbrace>P' (y # ys)\<rbrace> g y \<lbrace>\<lambda>rv. P' ys\<rbrace>"
assumes z: "\<And>x y xs. \<lbrakk> F x y; suffix (x # xs) oxs \<rbrakk> \<Longrightarrow> \<lbrace>P (x # xs)\<rbrace> f x \<lbrace>\<lambda>rv. P xs\<rbrace>"
"\<And>x y ys. \<lbrakk> F x y; suffix (y # ys) oys \<rbrakk> \<Longrightarrow> \<lbrace>P' (y # ys)\<rbrace> g y \<lbrace>\<lambda>rv. P' ys\<rbrace>"
assumes x: "list_all2 F xs ys"
shows "dcorres dc (P xs) (P' ys) (mapM_x f xs) (mapM_x g ys)"
apply (insert x w)
@ -1104,7 +1104,7 @@ lemma dcorres_list_all2_mapM_':
apply (clarsimp simp add: mapM_x_def sequence_x_def)
apply (rule corres_guard_imp)
apply (rule corres_split [OF _ y])
apply (clarsimp dest!: suffixeq_ConsD)
apply (clarsimp dest!: suffix_ConsD)
apply (erule meta_allE, (drule(1) meta_mp)+)
apply assumption
apply assumption
@ -1115,7 +1115,7 @@ lemma dcorres_list_all2_mapM_':
done
lemmas dcorres_list_all2_mapM_
= dcorres_list_all2_mapM_' [OF suffixeq_refl suffixeq_refl]
= dcorres_list_all2_mapM_' [OF suffix_refl suffix_refl]
lemma set_get_set_asid_pool:
"do _ \<leftarrow> set_asid_pool a x; ap \<leftarrow> get_asid_pool a; set_asid_pool a (y ap) od = set_asid_pool a (y x)"
@ -1271,7 +1271,7 @@ lemma dcorres_set_asid_pool_empty:
apply (wp get_asid_pool_triv | clarsimp simp:typ_at_eq_kheap_obj obj_at_def swp_def)+
apply (subgoal_tac "(aa, snd (transform_asid y)) \<in> set (map (Pair a) [0..<2 ^ ARM_A.asid_low_bits])")
apply (clarsimp simp:set_map)
apply (clarsimp simp del:set_map simp:suffixeq_def)
apply (clarsimp simp del:set_map simp: suffix_def)
apply (wp | clarsimp simp:swp_def)+
apply (clarsimp simp:list_all2_iff transform_asid_def asid_low_bits_def set_zip)
apply (clarsimp simp:unat_ucast upto_enum_def unat_of_nat)
@ -2032,7 +2032,7 @@ lemma invoke_cnode_corres:
apply (simp add: CSpace_A.invoke_cnode_def CNode_D.invoke_cnode_def
translate_cnode_invocation_def
split: Invocations_A.cnode_invocation.split
split del: split_if)
split del: if_split)
apply (intro allI conjI impI)
apply (rule corres_guard_imp, rule dcorres_insert_cap_combine)
apply (rule refl)
@ -2078,10 +2078,10 @@ lemma invoke_cnode_corres:
apply (rule stronger_corres_guard_imp)
apply (rule corres_split [OF _ get_cur_thread_corres])
apply (rule corres_split [OF _ get_cap_corres])
apply (simp add: transform_cap_is_Null split del: split_if)
apply (simp add: transform_cap_is_Null split del: if_split)
apply (rule corres_if_rhs2)
apply (rule corres_trivial, simp add: when_False)
apply (simp add: when_def split del: split_if)
apply (simp add: when_def split del: if_split)
apply (rule corres_if_rhs2)
apply (rule corres_if_rhs2)
apply (rule corres_trivial[OF corres_free_fail])
@ -2156,7 +2156,7 @@ lemma decode_cnode_error_corres:
apply (elim disjE)
apply (clarsimp split: list.split_asm
| rule corres_symb_exec_r_dcE[OF _ corres_trivial]
| wp | simp split del: split_if)+
| wp | simp split del: if_split)+
done
lemma transform_cnode_index_and_depth_Some:


@ -286,7 +286,7 @@ lemma caps_of_state_transform_opt_cap_no_idle:
slots_of_def opt_object_def transform_def transform_objects_def
transform_cnode_contents_def well_formed_cnode_n_def
restrict_map_def
split: option.splits split_if_asm nat.splits)
split: option.splits if_split_asm nat.splits)
apply (frule(1) eqset_imp_iff[THEN iffD1, OF _ domI])
apply (simp add: nat_to_bl_zero_zero option_map_join_def)
apply clarsimp
@ -304,7 +304,7 @@ lemma caps_of_state_transform_opt_cap_no_idle:
transform_tcb_def tcb_slot_defs infer_tcb_bound_notification_def
tcb_pending_op_slot_def tcb_cap_cases_def tcb_boundntfn_slot_def
bl_to_bin_tcb_cnode_index bl_to_bin_tcb_cnode_index_le0
split: split_if_asm option.splits)
split: if_split_asm option.splits)
done
lemma transform_cap_Null [simp]:
@ -2055,7 +2055,7 @@ lemma check_mapping_pptr_pt_relation:
apply (rule hoare_pre, wp get_pte_wp)
apply (clarsimp simp: obj_at_def)
apply (clarsimp simp: a_type_def pt_page_relation_def
split: Structures_A.kernel_object.split_asm split_if_asm
split: Structures_A.kernel_object.split_asm if_split_asm
arch_kernel_obj.split_asm)
apply (simp split: ARM_A.pte.split_asm)
done
@ -2069,7 +2069,7 @@ lemma check_mapping_pptr_section_relation:
apply (wp get_pde_wp)
apply (clarsimp simp: obj_at_def)
apply (clarsimp simp: a_type_def pd_section_relation_def pd_super_section_relation_def
split: Structures_A.kernel_object.split_asm split_if_asm
split: Structures_A.kernel_object.split_asm if_split_asm
arch_kernel_obj.split_asm
ARM_A.pde.split_asm)
done
@ -2082,7 +2082,7 @@ lemma check_mapping_pptr_super_section_relation:
apply (wp get_pde_wp)
apply (clarsimp simp: obj_at_def)
apply (clarsimp simp: a_type_def pd_section_relation_def pd_super_section_relation_def
split: Structures_A.kernel_object.split_asm split_if_asm
split: Structures_A.kernel_object.split_asm if_split_asm
arch_kernel_obj.split_asm
ARM_A.pde.split_asm)
done
@ -3033,23 +3033,23 @@ proof -
apply (clarsimp simp:transform_def transform_current_thread_def
transform_asid_table_def transform_objects_def
transform_cdt_def split del: split_if)
transform_cdt_def split del: if_split)
apply (rule sym)
apply (subgoal_tac "inj_on transform_cslot_ptr
({slot_a, slot_b} \<union> dom (cdt s') \<union> ran (cdt s'))
\<and> cdt s' slot_a \<noteq> Some slot_a \<and> cdt s' slot_b \<noteq> Some slot_b")
apply (elim conjE)
apply (subst map_lift_over_upd, erule subset_inj_on)
apply (safe elim!: ranE, simp_all split: split_if_asm,
apply (safe elim!: ranE, simp_all split: if_split_asm,
simp_all add: ranI)[1]
apply (subst map_lift_over_upd, erule subset_inj_on)
apply (safe elim!: ranE, simp_all split: split_if_asm,
apply (safe elim!: ranE, simp_all split: if_split_asm,
simp_all add: ranI)[1]
apply (subst map_lift_over_if_eq_twice)
apply (erule subset_inj_on, fastforce)
apply (rule ext)
apply (cases slot_a, cases slot_b)
apply (simp split del: split_if)
apply (simp split del: if_split)
apply (intro if_cong[OF refl],
simp_all add: map_lift_over_eq_Some inj_on_eq_iff[where f=transform_cslot_ptr]
ranI domI)[1]
@ -3127,7 +3127,7 @@ lemma set_cap_noop_dcorres3:
get_tcb_mrs_def)
apply fastforce
apply clarsimp
apply (simp add: transform_cap_def split: cap.split_asm arch_cap.split_asm split_if_asm,
apply (simp add: transform_cap_def split: cap.split_asm arch_cap.split_asm if_split_asm,
simp_all add: get_ipc_buffer_words_def)
done
@ -3162,7 +3162,7 @@ lemma corres_use_cutMon:
\<Longrightarrow> corres_underlying sr False fl r P P' f g"
apply atomize
apply (simp add: corres_underlying_def cutMon_def fail_def
split: split_if_asm)
split: if_split_asm)
apply (clarsimp simp: split_def)
done
@ -3170,7 +3170,7 @@ lemma corres_drop_cutMon:
"corres_underlying sr False False r P P' f g
\<Longrightarrow> corres_underlying sr False False r P P' f (cutMon Q g)"
apply (simp add: corres_underlying_def cutMon_def fail_def
split: split_if)
split: if_split)
apply (clarsimp simp: split_def)
done
@ -3178,7 +3178,7 @@ lemma corres_drop_cutMon_bind:
"corres_underlying sr False False r P P' f (g >>= h)
\<Longrightarrow> corres_underlying sr False False r P P' f (cutMon Q g >>= h)"
apply (simp add: corres_underlying_def cutMon_def fail_def bind_def
split: split_if)
split: if_split)
apply (clarsimp simp: split_def)
done
@ -3194,7 +3194,7 @@ lemma corres_cutMon:
\<Longrightarrow> corres_underlying sr False False r P P' f (cutMon Q g)"
apply atomize
apply (simp add: corres_underlying_def cutMon_def fail_def
split: split_if_asm)
split: if_split_asm)
apply (clarsimp simp: split_def)
done
@ -3577,7 +3577,7 @@ proof (induct arbitrary: S rule: rec_del.induct,
done
next
case (2 slot exposed s S)
note split_if[split del]
note if_split[split del]
have removeables:
"\<And>s cap fin. \<lbrakk> cte_wp_at (op = cap) slot s; s \<turnstile> remainder_cap fin cap; invs s; valid_etcbs s;
CSpace_A.cap_removeable (remainder_cap fin cap) slot \<rbrakk>
@ -3587,7 +3587,7 @@ next
apply (simp add: CSpace_D.cap_removeable_def)
apply (clarsimp simp: remainder_cap_def valid_cap_simps
cte_wp_at_caps_of_state
split: cap.split_asm split_if_asm)
split: cap.split_asm if_split_asm)
apply (rename_tac word nat option)
apply (frule valid_global_refsD2, clarsimp)
apply (clarsimp simp: CSpace_D.cap_removeable_def)
@ -3602,7 +3602,7 @@ next
apply (frule zombie_cap_has_all[rotated -2], simp, clarsimp+)
apply (clarsimp simp: tcb_at_def cap_range_def global_refs_def
opt_cap_tcb
split: option.split_asm split_if_asm | drule(1) valid_etcbs_get_tcb_get_etcb)+
split: option.split_asm if_split_asm | drule(1) valid_etcbs_get_tcb_get_etcb)+
apply (rule_tac x="tcb_cnode_index b" in exI)
apply (clarsimp simp: transform_cslot_ptr_def dest!: get_tcb_SomeD)
apply (rule conjI, rule sym, rule bl_to_bin_tcb_cnode_index)
@ -3839,7 +3839,7 @@ next
apply (rule corres_drop_cutMon)
apply (simp add: liftE_bindE)
apply (rule corres_symb_exec_r)
apply (simp add: liftME_def[symmetric] split del: split_if)
apply (simp add: liftME_def[symmetric] split del: if_split)
apply (rule monadic_rewrite_corres2)
apply (rule monadic_trancl_preemptible_return)
apply (rule corres_if_rhs_only)


@ -53,7 +53,7 @@ lemma tcb_cap_casesE:
shows "R"
using cs
unfolding tcb_cap_cases_def
apply (simp split: split_if_asm del: One_nat_def)
apply (simp split: if_split_asm del: One_nat_def)
apply (erule rules, fastforce+)+
done
@ -168,21 +168,21 @@ lemma caps_of_object_update_state [simp]:
"(\<lambda>n. map_option (\<lambda>(f, _). f (tcb_state_update stf tcb)) (tcb_cap_cases n)) =
(\<lambda>n. map_option (\<lambda>(f, _). f tcb) (tcb_cap_cases n))"
apply (rule ext)
apply (simp add: tcb_cap_cases_def split: split_if)
apply (simp add: tcb_cap_cases_def split: if_split)
done
lemma caps_of_object_update_boundntfn [simp]:
"(\<lambda>n. map_option (\<lambda>(f, _). f (tcb_bound_notification_update stf tcb)) (tcb_cap_cases n)) =
(\<lambda>n. map_option (\<lambda>(f, _). f tcb) (tcb_cap_cases n))"
apply (rule ext)
apply (simp add: tcb_cap_cases_def split: split_if)
apply (simp add: tcb_cap_cases_def split: if_split)
done
lemma caps_of_object_update_context [simp]:
"(\<lambda>n. map_option (\<lambda>(f, _). f (tcb_arch_update (tcb_context_update stf) tcb)) (tcb_cap_cases n)) =
(\<lambda>n. map_option (\<lambda>(f, _). f tcb) (tcb_cap_cases n))"
apply (rule ext)
apply (simp add: tcb_cap_cases_def split: split_if)
apply (simp add: tcb_cap_cases_def split: if_split)
done
definition
@ -1032,7 +1032,7 @@ lemma cdl_get_ipc_buffer_None:
apply (simp add:obj_at_def get_tcb_rev not_idle_thread_def | drule(1) valid_etcbs_tcb_etcb | fastforce simp: get_etcb_rev)+
apply (clarsimp simp: assert_opt_def return_def split: cdl_cap.splits)
apply (clarsimp simp:transform_cap_def split:cap.splits arch_cap.splits)
apply (auto simp:cte_wp_at_cases split:split_if_asm)
apply (auto simp:cte_wp_at_cases split:if_split_asm)
done
lemma cdl_get_ipc_buffer_Some:
@ -1103,15 +1103,15 @@ lemma get_tcb_mrs_wp:
apply (clarsimp simp:get_mrs_def thread_get_def gets_the_def)
apply (wp|wpc)+
apply (clarsimp simp:get_tcb_mrs_def Let_def)
apply (clarsimp simp:Suc_leI[OF msg_registers_lt_msg_max_length] split del:split_if)
apply (clarsimp simp:Suc_leI[OF msg_registers_lt_msg_max_length] split del:if_split)
apply (clarsimp simp:get_tcb_message_info_def get_ipc_buffer_words_empty)
apply (clarsimp dest!:get_tcb_SomeD simp:obj_at_def)
apply (clarsimp simp:get_mrs_def thread_get_def gets_the_def)
apply (clarsimp simp:Suc_leI[OF msg_registers_lt_msg_max_length] split del:split_if)
apply (clarsimp simp:Suc_leI[OF msg_registers_lt_msg_max_length] split del:if_split)
apply (wp|wpc)+
apply (rule_tac P = "tcb = obj" in hoare_gen_asm)
apply (clarsimp simp: get_tcb_mrs_def Let_def get_tcb_message_info_def Suc_leI[OF msg_registers_lt_msg_max_length]
split del:split_if)
split del:if_split)
apply (rule_tac Q="\<lambda>buf_mrs s. buf_mrs =
(get_ipc_buffer_words (machine_state sa) obj ([Suc (length msg_registers)..<msg_max_length] @ [msg_max_length]))"
in hoare_strengthen_post)
@ -1567,16 +1567,16 @@ lemma store_word_corres_helper:
apply clarsimp
apply (rule conjI)
apply (clarsimp simp:restrict_map_def transform_object_def transform_tcb_def
split:cdl_object.split_asm Structures_A.kernel_object.split_asm split_if_asm)
split:cdl_object.split_asm Structures_A.kernel_object.split_asm if_split_asm)
apply (drule(1) valid_etcbs_tcb_etcb,
clarsimp simp:restrict_map_def transform_object_def transform_tcb_def
split:cdl_object.split_asm Structures_A.kernel_object.split_asm split_if_asm)+
split:cdl_object.split_asm Structures_A.kernel_object.split_asm if_split_asm)+
defer
apply (drule(1) valid_etcbs_tcb_etcb,
clarsimp simp:restrict_map_def transform_object_def transform_tcb_def
split:cdl_object.split_asm Structures_A.kernel_object.split_asm split_if_asm)+
split:cdl_object.split_asm Structures_A.kernel_object.split_asm if_split_asm)+
defer
apply (simp add:tcb_ipcframe_id_def tcb_boundntfn_slot_def tcb_ipcbuffer_slot_def split:split_if_asm)
apply (simp add:tcb_ipcframe_id_def tcb_boundntfn_slot_def tcb_ipcbuffer_slot_def split:if_split_asm)
apply (simp add:tcb_ipcbuffer_slot_def tcb_pending_op_slot_def)
apply (frule_tac thread = thread in valid_tcb_objs)
apply (simp add: get_tcb_rev)
@ -1585,7 +1585,7 @@ lemma store_word_corres_helper:
apply (case_tac "\<not> is_arch_page_cap (tcb_ipcframe tcb)")
apply (simp add:transform_full_intent_no_ipc_buffer)
apply (clarsimp simp del:upt.simps simp:transform_full_intent_def Let_def get_tcb_mrs_def is_arch_page_cap_def
split:cap.split_asm arch_cap.split_asm split del:split_if)
split:cap.split_asm arch_cap.split_asm split del:if_split)
apply (rename_tac word cap_rights vmpage_size option)
apply (clarsimp simp:transform_cap_def arch_cap.split_asm simp del:upt.simps)
apply (frule_tac thread = thread and ptr = ptr and sz = sz
@ -1703,7 +1703,7 @@ lemma dcorres_store_word_safe:
apply (clarsimp simp del:upt.simps
simp: Let_def get_tcb_mrs_def is_arch_page_cap_def
split:cap.split_asm arch_cap.split_asm
split del: split_if)
split del: if_split)
apply (frule valid_tcb_objs, erule get_tcb_rev)
apply (clarsimp simp: valid_tcb_def tcb_cap_cases_def valid_ipc_buffer_cap_def
simp del: upt.simps)
@ -1867,7 +1867,7 @@ lemma zip_store_word_corres:
and (ipc_frame_sz_at sz s_id) and (ipc_frame_ptr_at buf s_id) and valid_etcbs)
(corrupt_frame buf)
(zipWithM_x (store_word_offs base) xs ys)"
apply (clarsimp simp:zipWithM_x_mapM_x split del: split_if)
apply (clarsimp simp:zipWithM_x_mapM_x split del: if_split)
apply (induct xs arbitrary: ys)
apply (clarsimp simp: mapM_x_Cons)
apply (clarsimp simp: mapM_x_Nil)
@ -2119,7 +2119,7 @@ shows "dcorres dc \<top> P (corrupt_frame buf) g"
apply (drule_tac x = xa in fun_cong)
apply (case_tac xa)
apply (clarsimp simp:not_idle_thread_def tcb_ipcframe_id_def restrict_map_def transform_objects_def
split: split_if)
split: if_split)
apply (clarsimp dest!:get_tcb_rev simp: transform_objects_tcb tcb_ipcbuffer_slot_def
tcb_pending_op_slot_def tcb_boundntfn_slot_def)
apply (clarsimp simp: tcb_ipcbuffer_slot_def tcb_ipcframe_id_def | rule conjI)+


@ -321,7 +321,7 @@ lemma mr_opt_cap_into_object:
lemma monadic_rewrite_assert2:
"\<lbrakk> Q \<Longrightarrow> monadic_rewrite F E P (f ()) g \<rbrakk>
\<Longrightarrow> monadic_rewrite F E ((\<lambda>s. Q \<longrightarrow> P s) and (\<lambda>_. Q)) (assert Q >>= f) g"
apply (simp add: assert_def split: split_if)
apply (simp add: assert_def split: if_split)
apply (simp add: monadic_rewrite_def fail_def)
done
@ -910,31 +910,31 @@ apply (wp not_idle_after_blocked_cancel_ipc not_idle_after_reply_cancel_ipc
done
lemma send_signal_corres:
notes split_if [split del]
notes if_split [split del]
shows
"ep_id = epptr \<Longrightarrow> dcorres dc \<top> (invs and valid_etcbs)
(Endpoint_D.send_signal ep_id)
(Ipc_A.send_signal epptr badge)"
apply (unfold Endpoint_D.send_signal_def Ipc_A.send_signal_def invs_def)
apply (rule dcorres_expand_pfx)
apply (clarsimp simp:get_notification_def get_object_def gets_def bind_assoc split: split_if)
apply (clarsimp simp:get_notification_def get_object_def gets_def bind_assoc split: if_split)
apply (rule dcorres_absorb_get_r)
apply (clarsimp simp:assert_def corres_free_fail split:Structures_A.kernel_object.splits split_if )
apply (clarsimp simp:assert_def corres_free_fail split:Structures_A.kernel_object.splits if_split )
apply (rename_tac ntfn_ext)
apply (case_tac "ntfn_obj ntfn_ext", clarsimp)
apply (case_tac "ntfn_bound_tcb ntfn_ext", clarsimp)
-- "Idle, not bound"
apply (rule corres_alternate1)
apply (rule dcorres_absorb_get_l)
apply (clarsimp split del: split_if)
apply (clarsimp split del: if_split)
apply (frule valid_objs_valid_ntfn_simp[rotated])
apply (simp add:valid_state_def valid_pspace_def split del: split_if)
apply (simp add:gets_def bind_assoc option_select_def split del: split_if)
apply (simp add:valid_state_def valid_pspace_def split del: if_split)
apply (simp add:gets_def bind_assoc option_select_def split del: if_split)
apply (frule get_notification_pick,simp)
apply (clarsimp simp:ntfn_waiting_set_lift valid_state_def valid_ntfn_abstract_def none_is_waiting_ntfn_def)
apply (rule corres_guard_imp,rule corres_dummy_set_notification,simp+)[1]
-- "Idle, bound"
apply (clarsimp simp: get_thread_state_def thread_get_def gets_the_def gets_def bind_assoc split del: split_if)
apply (clarsimp simp: get_thread_state_def thread_get_def gets_the_def gets_def bind_assoc split del: if_split)
apply (rule dcorres_absorb_get_r)
apply (clarsimp simp: assert_opt_def corres_free_fail split: Structures_A.kernel_object.splits option.splits)
apply (case_tac "receive_blocked (tcb_state x2)")
@ -944,7 +944,7 @@ lemma send_signal_corres:
apply (clarsimp simp: send_signal_bound_def gets_def)
apply (rule dcorres_absorb_get_l)
apply (clarsimp simp: receive_blocked_waiting_syncs)
apply (clarsimp simp: IpcCancel_A.cancel_ipc_def get_thread_state_def thread_get_def gets_the_def gets_def bind_assoc split del: split_if)
apply (clarsimp simp: IpcCancel_A.cancel_ipc_def get_thread_state_def thread_get_def gets_the_def gets_def bind_assoc split del: if_split)
apply (rule dcorres_absorb_get_r)
apply (clarsimp simp: assert_opt_def corres_free_fail split: Structures_A.kernel_object.splits option.splits)
apply (simp add: receive_blocked_def)
@ -969,22 +969,22 @@ lemma send_signal_corres:
apply clarsimp
apply (rule corres_alternate1)
apply (rule dcorres_absorb_get_l)
apply (clarsimp split del: split_if)
apply (clarsimp split del: if_split)
apply (frule valid_objs_valid_ntfn_simp[rotated])
apply (simp add:valid_state_def valid_pspace_def split del: split_if)
apply (simp add:gets_def bind_assoc option_select_def split del: split_if)
apply (simp add:valid_state_def valid_pspace_def split del: if_split)
apply (simp add:gets_def bind_assoc option_select_def split del: if_split)
apply (frule get_notification_pick,simp)
apply (clarsimp simp:ntfn_waiting_set_lift valid_state_def valid_ntfn_abstract_def none_is_waiting_ntfn_def)
apply (rule corres_guard_imp,rule corres_dummy_set_notification,simp+)[1]
-- "Waiting"
apply (rule corres_alternate1)
apply (rule dcorres_absorb_get_l)
apply (clarsimp split del: split_if)
apply (clarsimp split del: if_split)
apply (frule valid_objs_valid_ntfn_simp[rotated])
apply (simp add:valid_state_def valid_pspace_def split del: split_if)
apply (simp add:valid_state_def valid_pspace_def split del: if_split)
apply (simp add:gets_def bind_assoc option_select_def)
apply (frule get_notification_pick,simp)
apply (clarsimp simp:ntfn_waiting_set_lift valid_state_def valid_ntfn_abstract_def split: split_if)
apply (clarsimp simp:ntfn_waiting_set_lift valid_state_def valid_ntfn_abstract_def split: if_split)
apply (rule conjI)
apply (clarsimp simp: dest!:not_empty_list_not_empty_set)
apply (clarsimp simp:neq_Nil_conv)
@ -1000,9 +1000,9 @@ lemma send_signal_corres:
-- "Active"
apply (rule corres_alternate1)
apply (rule dcorres_absorb_get_l)
apply (clarsimp split del: split_if)
apply (clarsimp split del: if_split)
apply (frule valid_objs_valid_ntfn_simp[rotated])
apply (simp add:valid_state_def valid_pspace_def split del: split_if)
apply (simp add:valid_state_def valid_pspace_def split del: if_split)
apply (clarsimp simp:gets_def bind_assoc option_select_def)
apply (frule get_notification_pick,simp)
apply (clarsimp simp:ntfn_waiting_set_lift valid_state_def valid_ntfn_abstract_def none_is_waiting_ntfn_def)
@ -1287,7 +1287,7 @@ lemma ipc_buffer_wp_at_cap_insert_ext[wp]:
lemma ipc_buffer_wp_at_cap_insert[wp]:
"\<lbrace>ipc_buffer_wp_at buf t :: det_state \<Rightarrow> bool \<rbrace> cap_insert cap' (slot_ptr, slot_idx) a \<lbrace>\<lambda>r. ipc_buffer_wp_at buf t\<rbrace>"
apply (simp add:cap_insert_def set_untyped_cap_as_full_def)
apply (wp|simp split del:split_if)+
apply (wp|simp split del:if_split)+
apply (rule_tac Q = "\<lambda>r. ipc_buffer_wp_at buf t" in hoare_strengthen_post)
apply wp
apply (clarsimp simp:ipc_buffer_wp_at_def)
@ -1317,7 +1317,7 @@ lemma cap_insert_cte_wp_at_masked_as_full:
cap_insert cap src dest \<lbrace>\<lambda>uu. cte_wp_at P slot\<rbrace>"
apply (simp add:cap_insert_def set_untyped_cap_as_full_def)
apply (wp set_cap_cte_wp_at hoare_vcg_if_lift get_cap_wp static_imp_wp dxo_wp_weak
| simp split del:split_if)+
| simp split del:if_split)+
apply (intro conjI impI allI |
clarsimp simp:cte_wp_at_caps_of_state)+
apply (drule assms)
@ -1358,7 +1358,7 @@ next
show ?case
apply (cases p)
apply (rename_tac cap slot_ptr slot_idx)
apply (clarsimp simp: const_on_failure_def split del: split_if)
apply (clarsimp simp: const_on_failure_def split del: if_split)
apply (case_tac "is_ep_cap cap \<and> ep' = Some (obj_ref_of cap)")
apply (subgoal_tac "Types_D.is_ep_cap (transform_cap cap) \<and>
(\<exists>z. ep' = Some z \<and> z = cap_object (transform_cap cap))")
@ -1384,13 +1384,13 @@ next
(\<exists>z. ep' = Some z \<and> z = cap_object (transform_cap cap)))")
prefer 2
apply (clarsimp simp: is_cap_simps cap_type_simps split: cdl_cap.splits)
apply (simp del: de_Morgan_conj split del: split_if)
apply (simp del: de_Morgan_conj split del: if_split)
apply (case_tac dests)
apply (simp add: dest_of_def returnOk_liftE catch_liftE)
apply (case_tac list)
prefer 2
apply simp
apply (simp (no_asm_simp) add: dest_of_def split del: split_if)
apply (simp (no_asm_simp) add: dest_of_def split del: if_split)
apply (subst bindE_assoc [symmetric])
apply (rule corres_guard_imp)
apply (rule corres_split_catch [where f=dc and E="\<top>\<top>" and E'="\<top>\<top>"])
@ -1429,7 +1429,7 @@ next
apply (clarsimp)
apply (rule hoareE_TrueI)
apply (rule validE_R_validE)
apply (simp add:conj_comms ball_conj_distrib split del:split_if)
apply (simp add:conj_comms ball_conj_distrib split del:if_split)
apply (rule_tac Q' ="\<lambda>cap' s. (cap'\<noteq> cap.NullCap \<longrightarrow>(
(cte_wp_at (is_derived (cdt s) (slot_ptr, slot_idx) cap') (slot_ptr, slot_idx) s)
\<and> pspace_aligned s \<and> pspace_distinct s \<and> valid_objs s \<and> valid_idle s
@ -1448,8 +1448,8 @@ next
apply (rule derive_cap_is_derived)
apply (rule derive_cap_is_derived_foo)
apply wp
apply (simp split del: split_if)
apply (clarsimp split del: split_if cong: conj_cong)
apply (simp split del: if_split)
apply (clarsimp split del: if_split cong: conj_cong)
apply (rule conjI)
apply (clarsimp simp: valid_mdb_def mdb_cte_at_def cte_wp_at_caps_of_state)
apply fast
@ -1460,7 +1460,7 @@ next
apply (case_tac "cap = capa")
apply (clarsimp simp:cap_master_cap_simps remove_rights_def)+
apply (clarsimp simp:masked_as_full_def is_cap_simps cap_master_cap_def)
apply (clarsimp split del: split_if)
apply (clarsimp split del: if_split)
apply (clarsimp simp: cte_wp_at_caps_of_state not_idle_thread_def)
apply (rule conjI)
apply (clarsimp simp: not_idle_thread_def valid_idle_def pred_tcb_at_def
@ -1475,11 +1475,11 @@ next
apply (rule rev_mp[OF _ real_cte_tcb_valid])
apply simp
apply (rule context_conjI)
apply (clarsimp split:split_if_asm simp:remove_rights_def)
apply (clarsimp split:if_split_asm simp:remove_rights_def)
apply (intro conjI ballI)
apply (drule(1) bspec,clarsimp)+
apply (case_tac "capb = aa")
apply (clarsimp simp:masked_as_full_def split:split_if_asm)
apply (clarsimp simp:masked_as_full_def split:if_split_asm)
by (clarsimp simp:masked_as_full_def free_index_update_def is_cap_simps)
qed
@ -2249,7 +2249,7 @@ lemma dcorres_set_thread_state_Restart:
apply ((clarsimp simp:tcb_caller_slot_def infer_tcb_pending_op_def cap_counts_def
tcb_pending_op_slot_def tcb_cspace_slot_def tcb_replycap_slot_def
tcb_vspace_slot_def PageTableUnmap_D.is_final_cap'_def
PageTableUnmap_D.is_final_cap_def split:split_if_asm Structures_A.thread_state.splits
PageTableUnmap_D.is_final_cap_def split:if_split_asm Structures_A.thread_state.splits
| wp exs_valid_return exs_valid_gets)+)[1]
apply clarsimp
apply (subst fast_finalise_no_effect)
@ -2260,7 +2260,7 @@ lemma dcorres_set_thread_state_Restart:
apply (clarsimp simp:tcb_caller_slot_def infer_tcb_pending_op_def cap_counts_def
tcb_pending_op_slot_def tcb_cspace_slot_def tcb_replycap_slot_def
tcb_vspace_slot_def PageTableUnmap_D.is_final_cap'_def
PageTableUnmap_D.is_final_cap_def split:split_if_asm Structures_A.thread_state.splits
PageTableUnmap_D.is_final_cap_def split:if_split_asm Structures_A.thread_state.splits
| wp exs_valid_return exs_valid_gets)+
apply (frule(1) valid_etcbs_get_tcb_get_etcb, clarsimp simp: get_etcb_def)
apply (subst opt_cap_tcb)
@ -2489,7 +2489,7 @@ lemma dcorres_receive_sync:
apply (rule corres_symb_exec_r)
apply (rule_tac F="sender_state = tcb_state t" in corres_gen_asm2)
apply (clarsimp dest!:get_tcb_SomeD simp:dc_def[symmetric]
split del:if_splits split:split_if_asm)
split del:if_splits split:if_split_asm)
apply (rule corres_guard_imp)
apply (rule corres_split[OF _ corres_complete_ipc_transfer])
prefer 2
@ -2701,19 +2701,19 @@ lemma send_sync_ipc_corres:
apply (clarsimp simp: dest!: not_empty_list_not_empty_set)
apply (rename_tac list)
apply (drule_tac s = "set list" in sym)
apply (clarsimp simp: bind_assoc neq_Nil_conv split del:split_if)
apply (clarsimp simp: bind_assoc neq_Nil_conv split del:if_split)
apply (rule_tac P1="\<top>" and P'="op = s'a" and x1 = y
in dcorres_absorb_pfx[OF select_pick_corres[OF dcorres_expand_pfx]])
defer
apply (simp+)[3]
apply (simp split del:split_if)
apply (simp split del:if_split)
apply (drule_tac x1 = y in iffD2[OF eqset_imp_iff], simp)
apply (clarsimp simp:obj_at_def dc_def[symmetric] split del:split_if)
apply (clarsimp simp:obj_at_def dc_def[symmetric] split del:if_split)
apply (subst when_def)+
apply (rule corres_guard_imp)
apply (rule dcorres_symb_exec_r)
apply (rule corres_symb_exec_r)
apply (case_tac "recv_state"; simp add: corres_free_fail split del: split_if)
apply (case_tac "recv_state"; simp add: corres_free_fail split del: if_split)
apply (rule corres_split[OF _ corres_complete_ipc_transfer])
apply (rule corres_split[OF _ set_thread_state_corres])
apply (rule dcorres_rhs_noop_above[OF attempt_switch_to_dcorres])


@ -138,11 +138,11 @@ proof
apply clarsimp
apply (induct rule: trancl_induct)
apply (fastforce simp: KHeap_D.cdt_parent_rel_def KHeap_D.is_cdt_parent_def s'_def
split: split_if_asm
split: if_split_asm
intro: trancl_trans)
apply (erule trancl_trans)
apply (fastforce simp: KHeap_D.cdt_parent_rel_def KHeap_D.is_cdt_parent_def s'_def
split: split_if_asm
split: if_split_asm
intro: trancl_trans)
done
}
@ -309,7 +309,7 @@ lemma caps_of_state_transform_opt_cap:
transform_tcb_def tcb_slot_defs tcb_slots
tcb_pending_op_slot_def tcb_cap_cases_def
bl_to_bin_tcb_cnode_index bl_to_bin_tcb_cnode_index_le0
split: split_if_asm)
split: if_split_asm)
done
lemma cap_slot_cnode_property_lift:
@ -489,7 +489,7 @@ lemma final_cap_set_map:
apply (thin_tac "opt_cap x y = Q" for x y Q)
apply (auto simp: transform_cap_def cap_has_object_def cap_object_simps
cap_counts_def cdl_cap_irq_def
split: cap.splits arch_cap.splits split_if_asm)
split: cap.splits arch_cap.splits if_split_asm)
done
lemma opt_cap_wp_at_ex_opt_cap:
@ -594,7 +594,7 @@ lemma get_object_corres:
apply (clarsimp simp: KHeap_A.get_object_def gets_the_def)
apply (rule corres_split'[OF _ _ gets_sp gets_sp, where r'=dc])
apply simp
apply (clarsimp simp: assert_def corres_free_fail split: split_if)
apply (clarsimp simp: assert_def corres_free_fail split: if_split)
apply (rule_tac F="rv = Some (transform_object undefined 0 etcb' y)" in corres_req)
apply (simp_all add: assert_opt_def)
apply (clarsimp simp: opt_object_def transform_def transform_objects_def
@ -714,7 +714,7 @@ lemma transform_full_intent_same_cap:
apply (simp add: is_cap_simps)
apply (cases "tcb_ipcframe tcb", simp_all)
apply (simp add:transform_cap_def is_cap_simps
split:cap.splits split_if_asm arch_cap.splits)+
split:cap.splits if_split_asm arch_cap.splits)+
done
lemma set_cap_corres:
@ -737,9 +737,9 @@ proof -
apply (rename_tac s s')
apply (clarsimp simp:assert_def corres_free_fail)
apply (rename_tac obj')
apply (case_tac obj', simp_all add:corres_free_fail split del: split_if)
apply (case_tac obj', simp_all add:corres_free_fail split del: if_split)
-- "cnode or IRQ Node case"
apply (clarsimp simp: corres_free_fail split: split_if)
apply (clarsimp simp: corres_free_fail split: if_split)
apply (rename_tac sz cn ocap)
apply (clarsimp simp: corres_underlying_def in_monad set_object_def cte_wp_at_cases caps_of_state_cte_wp_at)
apply (clarsimp simp: opt_object_def)
@ -767,7 +767,7 @@ proof -
apply (clarsimp simp: cdl_objects_tcb opt_object_def
assert_opt_def has_slots_def object_slots_def
update_slots_def
split del: split_if)
split del: if_split)
apply (case_tac "nat (bl_to_bin sl') = tcb_ipcbuffer_slot")
apply (simp add: tcb_slots tcb_pending_op_slot_def)
apply (clarsimp simp: bl_to_bin_tcb_cnode_index|rule conjI)+
@ -1343,7 +1343,7 @@ lemma dcorres_gets_all_param:
lemma empty_slot_ext_dcorres: "dcorres dc P P' (return ()) (empty_slot_ext slot v)"
apply (clarsimp simp: empty_slot_ext_def)
apply (auto simp: corres_underlying_def update_cdt_list_def set_cdt_list_def
modify_def bind_def put_def gets_def get_def return_def split: option.splits split_if)
modify_def bind_def put_def gets_def get_def return_def split: option.splits if_split)
done
lemma empty_slot_corres:
@ -2532,7 +2532,7 @@ lemma dcorres_ntfn_bound_tcb:
apply (rule dcorres_absorb_get_l)
apply (clarsimp simp: assert_def corres_free_fail split: Structures_A.kernel_object.splits )
apply (frule get_notification_pick, simp)
apply (clarsimp simp: valid_ntfn_abstract_def ntfn_bound_set_lift valid_state_def option_select_def split del: split_if)
apply (clarsimp simp: valid_ntfn_abstract_def ntfn_bound_set_lift valid_state_def option_select_def split del: if_split)
done
lemma option_set_option_select:
@ -2606,12 +2606,12 @@ lemma unbind_notification_valid_state[wp]:
defer 4
apply (auto elim!: obj_at_weakenE obj_at_valid_objsE if_live_then_nonz_capD2
simp: valid_ntfn_set_bound_None is_ntfn valid_obj_def)[8]
apply (clarsimp simp: split_if)
apply (clarsimp simp: if_split)
apply (rule delta_sym_refs, assumption)
apply (fastforce simp: obj_at_def is_tcb
dest!: pred_tcb_at_tcb_at ko_at_state_refs_ofD
split: split_if_asm)
apply (clarsimp split: split_if_asm)
split: if_split_asm)
apply (clarsimp split: if_split_asm)
apply (frule pred_tcb_at_tcb_at)
apply (frule_tac p=t in obj_at_ko_at, clarsimp)
apply (subst (asm) ko_at_state_refs_ofD, assumption)
@ -2635,12 +2635,12 @@ lemma unbind_maybe_notification_valid_state[wp]:
defer 4
apply (auto elim!: obj_at_weakenE obj_at_valid_objsE if_live_then_nonz_capD2
simp: valid_ntfn_set_bound_None is_ntfn valid_obj_def)[8]
apply (clarsimp simp: split_if)
apply (clarsimp simp: if_split)
apply (rule delta_sym_refs, assumption)
apply (fastforce simp: obj_at_def is_tcb
dest!: pred_tcb_at_tcb_at ko_at_state_refs_ofD
split: split_if_asm)
apply (clarsimp split: split_if_asm)
split: if_split_asm)
apply (clarsimp split: if_split_asm)
apply (clarsimp simp: obj_at_def)
apply (frule_tac P="op = (Some a)" in ntfn_bound_tcb_at, simp+)
apply (frule pred_tcb_at_tcb_at)
@ -2952,7 +2952,7 @@ lemma delete_cap_simple_corres:
apply (subst is_final_cap_corres)
apply simp+
apply (wp|clarsimp)+
apply (clarsimp simp:transform_cap_def split:cap.splits arch_cap.splits split_if_asm)
apply (clarsimp simp:transform_cap_def split:cap.splits arch_cap.splits if_split_asm)
apply (rule get_cap_corres)
apply simp
apply (clarsimp simp:not_idle_thread_def |wp get_cap_cte_wp_at_rv)+
@ -3098,7 +3098,7 @@ lemma branch_map_simp2:
apply (subst to_bl_bin[symmetric])
apply (rule arg_cong[where f = bl_to_bin])
apply (simp add:word_rep_drop)+
apply (clarsimp simp:List.take_drop prefixeq_def less_eq_list_def)
apply (clarsimp simp:List.take_drop prefix_def less_eq_list_def)
apply (rule_tac x = "(drop nata zs)" in exI)
apply simp
apply (simp add:word_rep_drop)


@ -20,12 +20,12 @@ lemma getActiveTCBs_subset:
x \<in> all_active_tcbs (transform s')"
apply (clarsimp simp: all_active_tcbs_def getActiveTCB_def)
apply (clarsimp simp: transform_def transform_objects_def map_add_def domIff)
apply (clarsimp dest!: get_tcb_SomeD split: option.splits split_if_asm)
apply (clarsimp dest!: get_tcb_SomeD split: option.splits if_split_asm)
apply (rule context_conjI)
apply (clarsimp simp: restrict_map_def)
apply (frule invs_valid_idle)
apply (clarsimp simp: valid_idle_def pred_tcb_def2 get_tcb_def)
apply (clarsimp simp: restrict_map_def split: split_if_asm)
apply (clarsimp simp: restrict_map_def split: if_split_asm)
apply (clarsimp simp: transform_object_def transform_tcb_def)
apply (clarsimp simp: infer_tcb_pending_op_def)
apply (frule(1) valid_etcbs_tcb_etcb)
@ -262,7 +262,7 @@ lemma schedule_resume_cur_thread_dcorres:
apply (auto simp: transform_def transform_current_thread_def all_active_tcbs_def transform_objects_def active_tcbs_in_domain_def etcb_at_def tcb_boundntfn_slot_def tcb_pending_op_slot_def
map_add_def restrict_map_def option_map_def transform_object_def transform_tcb_def valid_idle_def st_tcb_def2 get_tcb_def
transform_cnode_contents_def infer_tcb_pending_op_def transform_cap_def domIff st_tcb_at_kh_def obj_at_def only_idle_def
split: option.splits split_if Structures_A.kernel_object.splits Structures_A.thread_state.splits)[1]
split: option.splits if_split Structures_A.kernel_object.splits Structures_A.thread_state.splits)[1]
(* cur = idle_thread s' *)
apply (subgoal_tac "cdl_current_thread s = None")
apply (clarsimp simp: transform_def transform_current_thread_def)+
@ -283,7 +283,7 @@ lemma schedule_switch_thread_helper:
apply (auto simp: transform_def transform_current_thread_def all_active_tcbs_def transform_objects_def active_tcbs_in_domain_def etcb_at_def
map_add_def restrict_map_def option_map_def transform_object_def transform_tcb_def valid_idle_def pred_tcb_at_def get_tcb_def tcb_pending_op_slot_def tcb_boundntfn_slot_def
transform_cnode_contents_def infer_tcb_pending_op_def transform_cap_def domIff st_tcb_at_kh_def obj_at_def only_idle_def
split: option.splits split_if Structures_A.kernel_object.splits Structures_A.thread_state.splits)
split: option.splits if_split Structures_A.kernel_object.splits Structures_A.thread_state.splits)
done
lemma schedule_switch_thread_dcorres:
@ -353,7 +353,7 @@ lemma schedule_choose_new_thread_helper:
is_etcb_at_def
map_add_def restrict_map_def option_map_def transform_object_def transform_tcb_def valid_idle_def st_tcb_def2 get_tcb_def
transform_cnode_contents_def infer_tcb_pending_op_def transform_cap_def domIff st_tcb_at_kh_def obj_at_def only_idle_def tcb_pending_op_slot_def tcb_boundntfn_slot_def
split: option.splits split_if Structures_A.kernel_object.splits Structures_A.thread_state.splits)
split: option.splits if_split Structures_A.kernel_object.splits Structures_A.thread_state.splits)
done
lemma idle_thread_not_in_queue:


@ -171,7 +171,7 @@ lemma caps_of_state_update_tcb:
caps_of_state (update_kheap kh s)"
apply (erule caps_of_state_update_same_caps)
apply (rule ext)
apply (simp add: tcb_cap_cases_def split: split_if)
apply (simp add: tcb_cap_cases_def split: if_split)
done
lemmas caps_of_state_upds = caps_of_state_update_tcb caps_of_state_update_same_caps
@ -273,7 +273,7 @@ proof -
"inj_on f (dom m - {x} \<union> ran (m(x := None)))"
"inj_on f (dom m - {x})"
apply (safe intro!: subset_inj_on[OF inj_f])
apply (auto simp: ran_def split: split_if_asm)
apply (auto simp: ran_def split: if_split_asm)
done
show ?thesis
apply (simp add: map_lift_over_def Q del: inj_on_insert)
@ -299,7 +299,7 @@ proof -
have 1: "inj_on f (dom m \<union> ran m)" "inj_on f (dom m)"
by (auto simp: inj_on_Un)
have "dom ?ifeq \<subseteq> dom m"
by (auto split: split_if_asm)
by (auto split: if_split_asm)
with inj_f
have 2: "inj_on f (dom ?ifeq)"
by (auto elim!: subset_inj_on)
@ -309,19 +309,19 @@ proof -
have "inj_on f (dom ?ifeq \<union> ran ?ifeq)"
by (auto elim!: subset_inj_on)
note Q = 1 2 this
note split_if[split del]
note if_split[split del]
show ?thesis
apply (simp add: map_lift_over_def Q)
apply (rule ext)
apply (case_tac "x \<in> f ` dom ?ifeq")
apply clarsimp
apply (subst if_P, fastforce split: split_if_asm)+
apply (subst if_P, fastforce split: if_split_asm)+
apply (simp add: Q[THEN inv_into_f_f] domI ranI inj_on_eq_iff[OF inj_f]
split: split_if_asm)
split: if_split_asm)
apply (subst if_not_P, simp, rule allI, fastforce)+
apply (auto simp: option_map_def Q[THEN inv_into_f_f] domI ranI
inj_on_eq_iff[OF inj_f]
split: split_if option.split)
split: if_split option.split)
done
qed


@ -450,7 +450,7 @@ lemma transform_intent_isnot_UntypedIntent:
apply clarsimp
apply (clarsimp simp: transform_intent_def transform_type_def transform_intent_untyped_retype_def)
apply (clarsimp simp: option_map_def split: invocation_label.splits arch_invocation_label.splits option.splits list.splits)
apply (clarsimp simp: transform_type_def split: split_if_asm)
apply (clarsimp simp: transform_type_def split: if_split_asm)
done
lemma transform_cnode_index_and_depth_success:
@ -969,7 +969,7 @@ lemma evalMonad_bind:
assumes det: "det_or_fail f"
shows "evalMonad (f >>= g) s = (if evalMonad f s = None then None else evalMonad (g (the (evalMonad f s))) s)"
apply (case_tac "evalMonad f s")
apply (simp add: evalMonad_def split: split_if_asm)
apply (simp add: evalMonad_def split: if_split_asm)
apply (simp add: bind_def)
apply simp
apply (simp add: evalMonad_def)


@ -328,7 +328,7 @@ lemma decode_invocation_irqhandlercap_corres:
apply (clarsimp simp: throw_opt_def get_irq_handler_intent_def split: option.splits)
apply (rule conjI)
apply (auto simp: decode_irq_handler_invocation_def transform_intent_def
split del: split_if
split del: if_split
split: invocation_label.splits cdl_intent.splits list.splits)[1]
apply clarsimp
apply (simp split: cdl_intent.splits)
@ -343,7 +343,7 @@ lemma decode_invocation_irqhandlercap_corres:
lemma transform_type_eq_None:
"(transform_type a = None) \<Longrightarrow> (data_to_obj_type a = throwError (ExceptionTypes_A.syscall_error.InvalidArgument 0))"
apply (clarsimp simp:data_to_obj_type_def transform_type_def split:split_if_asm)
apply (clarsimp simp:data_to_obj_type_def transform_type_def split:if_split_asm)
apply (simp add:unat_arith_simps)
apply (clarsimp simp:arch_data_to_obj_type_def)
apply (rule conjI,arith,clarsimp)+
@ -358,15 +358,15 @@ lemma transform_intent_untyped_cap_None:
(* 43 subgoals *)
apply (clarsimp simp:Decode_A.decode_untyped_invocation_def unlessE_def)
apply wp
apply (clarsimp simp:transform_intent_def Decode_A.decode_untyped_invocation_def unlessE_def split del:split_if)
apply (clarsimp simp:transform_intent_untyped_retype_def split del:split_if)
apply (clarsimp simp:transform_intent_def Decode_A.decode_untyped_invocation_def unlessE_def split del:if_split)
apply (clarsimp simp:transform_intent_untyped_retype_def split del:if_split)
apply (case_tac "args")
apply (clarsimp,wp)[1]
apply (clarsimp split:list.split_asm split del:split_if)
apply (clarsimp split:list.split_asm split del:if_split)
apply wp[5]
apply (clarsimp simp: transform_type_eq_None split del:split_if split:option.splits)
apply (clarsimp simp: transform_type_eq_None split del:if_split split:option.splits)
apply (wp|clarsimp simp:whenE_def|rule conjI)+
apply (clarsimp simp: Decode_A.decode_untyped_invocation_def unlessE_def split del:split_if,wp)+
apply (clarsimp simp: Decode_A.decode_untyped_invocation_def unlessE_def split del:if_split,wp)+
done
lemma transform_intent_cnode_cap_None:
@ -522,7 +522,7 @@ lemma decode_invocation_error_branch:
"\<lbrakk>transform_intent (invocation_type label) args = None; \<not> ep_related_cap (transform_cap cap)\<rbrakk>
\<Longrightarrow> \<lbrace>op = s\<rbrace> Decode_A.decode_invocation label args cap_i slot cap excaps \<lbrace>\<lambda>r. \<bottom>\<rbrace>,\<lbrace>\<lambda>x. op = s\<rbrace>"
apply (case_tac cap)
apply (simp_all add:ep_related_cap_def transform_cap_def split:split_if_asm)
apply (simp_all add:ep_related_cap_def transform_cap_def split:if_split_asm)
apply (clarsimp simp:Decode_A.decode_invocation_def,wp)
apply (rule transform_intent_untyped_cap_None,fastforce+)
apply (clarsimp simp:Decode_A.decode_invocation_def,wp)
@ -544,7 +544,7 @@ lemma decode_invocation_ep_related_branch:
apply (clarsimp simp:Decode_D.decode_invocation_def Decode_A.decode_invocation_def | rule conjI)+
apply (rule corres_guard_imp[OF dcorres_returnOk],simp add:cdl_invocation_relation_def translate_invocation_def)
apply simp+
apply (clarsimp simp:Decode_D.decode_invocation_def Decode_A.decode_invocation_def split:split_if_asm | rule conjI)+
apply (clarsimp simp:Decode_D.decode_invocation_def Decode_A.decode_invocation_def split:if_split_asm | rule conjI)+
apply (rule corres_guard_imp[OF dcorres_returnOk])
apply (simp add:cdl_invocation_relation_def translate_invocation_def)+
apply (clarsimp simp:Decode_D.decode_invocation_def Decode_A.decode_invocation_def is_master_reply_cap_def | rule conjI)+
@ -1036,7 +1036,7 @@ lemma decode_invocation_corres':
od)
rv')"
apply (rule dcorres_expand_pfx)
apply (clarsimp split del:split_if)
apply (clarsimp split del:if_split)
apply (rule_tac Q' ="\<lambda>r ns. ns = s
\<and> r = get_tcb_mrs (machine_state s) ctcb"
in corres_symb_exec_r)
@ -1278,7 +1278,7 @@ lemma invoke_cnode_valid_etcbs[wp]:
"\<lbrace>valid_etcbs\<rbrace> invoke_cnode ci \<lbrace>\<lambda>_. valid_etcbs\<rbrace>"
apply (simp add: invoke_cnode_def)
apply (rule hoare_pre)
apply (wp crunch_wps hoare_vcg_all_lift | wpc | simp add: split del: split_if)+
apply (wp crunch_wps hoare_vcg_all_lift | wpc | simp add: split del: if_split)+
done
crunch valid_etcbs[wp]: perform_invocation valid_etcbs
@ -1458,10 +1458,10 @@ lemma handle_recv_corres:
\<and> (st_tcb_at active (cur_thread s') s \<and> invs s \<and> valid_etcbs s) \<and> ko_at (TCB obj') (cur_thread s') s " and R= "\<lambda>r. \<top>"
in corres_splitEE[where r'="\<lambda>x y. x = transform_cap y"])
apply (rule dcorres_expand_pfx)
apply (clarsimp split:cap.splits arch_cap.splits split del: split_if simp:transform_cap_def)
apply (clarsimp split:cap.splits arch_cap.splits split del: if_split simp:transform_cap_def)
apply (rename_tac word1 word2 set)
apply (rule corres_guard_imp)
apply (case_tac "AllowRead \<in> set"; simp split del: split_if)
apply (case_tac "AllowRead \<in> set"; simp split del: if_split)
apply (rule corres_alternate1)
apply clarsimp
apply (rule corres_split[where r'=dc])


@ -71,16 +71,16 @@ lemma decode_set_ipc_buffer_translate_tcb_invocation:
apply (wpc|wp)+
apply (wp hoare_whenE_wp)
apply (case_tac a)
apply (simp_all add:derive_cap_def split del:split_if)
apply (wp|clarsimp split del:split_if)+
apply (simp_all add:derive_cap_def split del:if_split)
apply (wp|clarsimp split del:if_split)+
apply (rename_tac arch_cap)
apply (case_tac arch_cap)
apply (simp_all add:arch_derive_cap_def split del: split_if)
apply (wp | clarsimp split del: split_if)+
apply (simp_all add:arch_derive_cap_def split del: if_split)
apply (wp | clarsimp split del: if_split)+
apply (clarsimp simp:transform_mapping_def)
apply (rule hoare_pre)
apply wpc
apply (wp | clarsimp split del: split_if)+
apply (wp | clarsimp split del: if_split)+
apply (rule hoare_pre)
apply wpc
apply wp
@ -136,7 +136,7 @@ lemma valid_vtable_root_update:
\<Longrightarrow> CSpace_A.update_cap_data False x aa = aa"
apply (clarsimp simp: update_cap_data_def badge_update_def is_valid_vtable_root_def Let_def
the_cnode_cap_def is_arch_cap_def arch_update_cap_data_def the_arch_cap_def
split: split_if_asm cap.split_asm)
split: if_split_asm cap.split_asm)
done
lemma decode_set_space_translate_tcb_invocation:
@ -169,7 +169,7 @@ lemma decode_set_space_translate_tcb_invocation:
apply (rule validE_validE_R)
apply simp
apply (rule_tac s1 = s in hoare_post_impErr[OF derive_cnode_cap_as_vroot],simp)
apply (rule conjI|simp split:split_if_asm)+
apply (rule conjI|simp split:if_split_asm)+
apply (wp|clarsimp)+
apply (rule validE_validE_R)
apply (rule_tac s1 = s in hoare_post_impErr[OF derive_cnode_cap_as_croot])
@ -188,7 +188,7 @@ lemma decode_set_space_translate_tcb_invocation:
apply (rule validE_validE_R)
apply simp
apply (rule_tac s1 = s in hoare_post_impErr[OF derive_cnode_cap_as_vroot],simp)
apply (rule conjI|simp split:split_if_asm)+
apply (rule conjI|simp split:if_split_asm)+
apply (rule valid_vtable_root_update)
apply clarsimp+
apply (wp|clarsimp)+
@ -218,7 +218,7 @@ lemma is_cnode_cap_update_cap_data:
"Structures_A.is_cnode_cap (CSpace_A.update_cap_data x w a) \<Longrightarrow> is_cnode_cap a"
apply (case_tac a)
apply (clarsimp simp:update_cap_data_def arch_update_cap_data_def is_arch_cap_def badge_update_def
is_cap_simps split:split_if_asm)+
is_cap_simps split:if_split_asm)+
done
lemma update_cnode_cap_data:
@ -229,7 +229,7 @@ lemma update_cnode_cap_data:
apply (simp add:cdl_update_cnode_cap_data_def CSpace_D.update_cap_data_def)
apply (clarsimp simp: update_cap_data_def arch_update_cap_data_def split:if_splits)
apply ((cases ab,simp_all add:badge_update_def)+)[2]
apply (clarsimp simp:is_cap_simps the_cnode_cap_def word_size split:split_if_asm simp:Let_def)
apply (clarsimp simp:is_cap_simps the_cnode_cap_def word_size split:if_split_asm simp:Let_def)
apply (clarsimp simp:cdl_update_cnode_cap_data_def word_bits_def of_drop_to_bl
word_size mask_twice dest!:leI)
done
@ -386,22 +386,22 @@ lemma decode_tcb_corres:
apply (rule dcorres_symb_exec_rE)
apply (case_tac rv, simp)
(* please continue scrolling *)
apply (case_tac "(fst (hd excaps'))", simp_all split del: split_if)[1]
apply (case_tac "(fst (hd excaps'))", simp_all split del: if_split)[1]
prefer 4
apply (rename_tac rights)
apply (case_tac "AllowRead \<notin> rights", simp)
apply (rule corres_alternate2, rule dcorres_throw)
apply simp
apply (rule dcorres_symb_exec_rE)
apply (case_tac "ntfn_obj rva", simp_all split del: split_if)[1]
apply (case_tac "ntfn_bound_tcb rva", simp_all split del: split_if)[1]
apply (case_tac "ntfn_obj rva", simp_all split del: if_split)[1]
apply (case_tac "ntfn_bound_tcb rva", simp_all split del: if_split)[1]
apply (clarsimp simp: throw_on_none_def get_index_def dcorres_alternative_throw)
apply (case_tac "excaps' ! 0", clarsimp, rule corres_alternate1[OF dcorres_returnOk], simp add: translate_tcb_invocation_def hd_conv_nth)
apply (clarsimp simp: throw_on_none_def get_index_def dcorres_alternative_throw split del: split_if)+
apply (case_tac "ntfn_bound_tcb rva", simp split del: split_if)[1]
apply (clarsimp simp: throw_on_none_def get_index_def dcorres_alternative_throw split del: if_split)+
apply (case_tac "ntfn_bound_tcb rva", simp split del: if_split)[1]
apply (rename_tac rva word)
apply ((case_tac "excaps' ! 0",clarsimp, rule corres_alternate1[OF dcorres_returnOk], simp add: translate_tcb_invocation_def hd_conv_nth)
| clarsimp simp: throw_on_none_def get_index_def dcorres_alternative_throw split del: split_if
| clarsimp simp: throw_on_none_def get_index_def dcorres_alternative_throw split del: if_split
| wp get_ntfn_wp
| (case_tac "excaps' ! 0", rule dcorres_alternative_throw)
| (case_tac "AllowRead \<in> rights", simp))+
@ -1257,7 +1257,7 @@ lemma dcorres_tcb_update_cspace_root:
apply (clarsimp)
apply (rule iffI)
apply (clarsimp simp:is_cap_simps bits_of_def cap_type_def transform_cap_def
split:cap.split_asm arch_cap.split_asm split_if_asm)
split:cap.split_asm arch_cap.split_asm if_split_asm)
apply (clarsimp simp:cap_has_object_def is_cap_simps cap_type_def)
apply (rule corres_split[OF _ get_cap_corres])
apply (rule corres_when)


@ -22,7 +22,7 @@ lemma detype_dcorres:
apply (rule corres_modify)
apply (clarsimp simp: transform_def Untyped_D.detype_def
transform_cdt_def
split del: split_if
split del: if_split
simp del: untyped_range.simps)
apply (simp add: Untyped_D.detype_def transform_def
transform_current_thread_def Retype_A.detype_def transform_asid_table_def detype_ext_def)
@ -63,7 +63,7 @@ next
apply auto[2]
apply (rule sym)
apply (rule someI2_ex, fastforce)
apply (clarsimp split: split_if_asm)
apply (clarsimp split: if_split_asm)
apply (rule conjI)
apply (rule someI2_ex, fastforce+)+
done
@ -207,9 +207,9 @@ proof -
get_ipc_buffer_words_def2 3
Suc_leI[OF msg_registers_lt_msg_max_length]
simp del: upt_Suc
split del: split_if)
split del: if_split)
apply (case_tac "AllowRead \<in> rights",
simp_all del: upt_Suc split del: split_if)
simp_all del: upt_Suc split del: if_split)
apply (cut_tac y=2 in is_aligned_weaken[OF 1])
apply (simp add: msg_align_bits_def)
apply (cut_tac y=2 in is_aligned_weaken[OF 4])
@ -274,7 +274,7 @@ lemma freeMemory_dcorres:
apply (clarsimp simp: transform_object_def transform_tcb_def
split: Structures_A.kernel_object.split option.splits)
apply (rename_tac s ms tref etcb tcb)
apply (clarsimp simp: restrict_map_def split: split_if_asm)
apply (clarsimp simp: restrict_map_def split: if_split_asm)
apply (frule(1) valid_etcbs_tcb_etcb)
apply (case_tac "\<not> is_arch_page_cap (tcb_ipcframe tcb)")
apply (erule transform_full_intent_no_ipc_buffer)
@ -590,10 +590,10 @@ lemma retype_region_dcorres:
us (translate_object_type type) (map (retype_transform_obj_ref type us) (retype_addrs ptr type n us)))
(Retype_A.retype_region ptr n us type dev)"
apply (simp add: retype_region_def Untyped_D.retype_region_def
split del: split_if)
split del: if_split)
apply (clarsimp simp:when_def generate_object_ids_def bind_assoc
split del:split_if)
apply (simp add:retype_addrs_fold split del:split_if)
split del:if_split)
apply (simp add:retype_addrs_fold split del:if_split)
apply (case_tac "type = Structures_A.Untyped")
apply (rule corres_guard_imp)
apply (simp add:translate_object_type_def)
@ -1299,7 +1299,7 @@ lemma reset_untyped_cap_corres:
apply (rule_tac F="is_untyped_cap capa \<and> cap_aligned capa
\<and> bits_of capa > 2 \<and> free_index_of capa \<le> 2 ^ bits_of capa"
in corres_gen_asm2)
apply (simp add: whenE_def if_flip split del: split_if)
apply (simp add: whenE_def if_flip split del: if_split)
apply (rule corres_if)
apply (clarsimp simp: is_cap_simps free_range_of_untyped_def
cap_aligned_def free_index_of_def)
@ -1430,7 +1430,7 @@ lemma range_le_free_range_of_untyped:
\<subseteq> free_range_of_untyped idx sz (ptr && ~~ mask sz)"
apply (rule order_trans, erule(1) range_cover_subset')
apply (clarsimp simp: free_range_of_untyped_def
split del: split_if del: subsetI)
split del: if_split del: subsetI)
apply (subst if_P)
prefer 2
apply (rule range_subsetI, simp_all)
@ -1530,7 +1530,7 @@ lemma invoke_untyped_corres:
\<and> (\<forall>slot\<in>set slots.
cte_wp_at (op = cap.NullCap) slot s) \<and> valid_etcbs s"
in hoare_post_imp)
apply (simp add:post_retype_invs_def split:split_if_asm)
apply (simp add:post_retype_invs_def split:if_split_asm)
apply ((clarsimp dest!:set_zip_leftD
simp: vslot image_def invs_def valid_state_def valid_mdb_def cte_wp_at_caps_of_state
| intro conjI | drule (1) bspec | drule(1) mdb_cte_atD[rotated])+)[2]
@ -1577,7 +1577,7 @@ lemma invoke_untyped_corres:
hoare_vcg_ex_lift)
apply simp
apply wp
apply (simp split del: split_if)
apply (simp split del: if_split)
apply (wp get_cap_wp)
apply (wp_once hoare_drop_imps)
apply wp
@ -1595,8 +1595,8 @@ lemma invoke_untyped_corres:
apply (clarsimp simp: ui cte_wp_at_caps_of_state bits_of_def
empty_descendants_range_in exI
free_index_of_def untyped_range_def
split_if[where P="\<lambda>x. x \<le> unat v" for v]
split del: split_if)
if_split[where P="\<lambda>x. x \<le> unat v" for v]
split del: if_split)
apply (frule(1) valid_global_refsD2[OF _ invs_valid_global_refs])
apply (strengthen refl subseteq_set_minus
free_range_of_untyped_subseteq'
@ -1605,21 +1605,21 @@ lemma invoke_untyped_corres:
apply (simp only: word_size word_bits_def[symmetric])
apply (clarsimp simp: conj_comms invoke_untyped_proofs.simps
range_le_free_range_of_untyped
split_if[where P="\<lambda>x. x \<le> unat v" for v]
split del: split_if)
if_split[where P="\<lambda>x. x \<le> unat v" for v]
split del: if_split)
apply (simp add: arg_cong[OF mask_out_sub_mask, where f="\<lambda>y. x - y" for x]
field_simps invoke_untyped_proofs.idx_le_new_offs
invoke_untyped_proofs.idx_compare'
untyped_range_def invs_valid_idle invs_valid_pspace
is_aligned_neg_mask invoke_untyped_proofs.szw
free_range_of_untyped_pick_retype_addrs vslot
split del: split_if)
split del: if_split)
apply (clarsimp simp:detype_clear_um_independent conj_comms not_idle_thread_def
misc invs_valid_idle invs_valid_objs word_bits_def
atLeastatMost_subset_iff[where b=x and d=x for x] word_and_le2
split del: split_if)
split del: if_split)
apply (clarsimp simp: range_cover.aligned bits_of_def field_simps
split del: split_if)
split del: if_split)
apply (intro conjI)
apply (cases cref, fastforce dest: valid_idle_has_null_cap[rotated -1])
@ -1652,7 +1652,7 @@ lemma transform_translate_type:
"transform_type n = Some tp
\<Longrightarrow> \<exists>v. data_to_obj_type n = returnOk v \<and> tp = translate_object_type v"
apply (simp add: transform_type_def
split: split_if_asm)
split: if_split_asm)
apply (simp_all add: data_to_obj_type_def arch_data_to_obj_type_def)
apply (auto simp add: translate_object_type_def)
done
@ -1707,7 +1707,7 @@ lemma transform_cdt_dom_standard:
"transform_cdt s' slot' = Some (transform_cslot_ptr b)
\<Longrightarrow> \<exists>slot. slot' = transform_cslot_ptr slot"
apply (case_tac b)
apply (fastforce simp:transform_cdt_def map_lift_over_def split:split_if_asm)
apply (fastforce simp:transform_cdt_def map_lift_over_def split:if_split_asm)
done
lemma descendants_of_empty_lift :
@ -1791,7 +1791,7 @@ lemma decode_untyped_corres:
apply (clarsimp simp: Untyped_D.decode_untyped_invocation_def
Decode_A.decode_untyped_invocation_def
unlessE_whenE
split del: split_if
split del: if_split
split: invocation_label.split_asm)
apply (rename_tac a list w1 w2 w3 w4 w5 apiobject_type)
apply (cases excaps')
@ -1799,11 +1799,11 @@ lemma decode_untyped_corres:
alternative_refl)
apply (simp add: get_index_def transform_cap_list_def throw_on_none_def
split_beta
split del: split_if)
split del: if_split)
apply (clarsimp simp: corres_whenE_throwError_split_rhs
corres_alternate2
split del: split_if)
apply (simp add: bindE_assoc[symmetric] split del: split_if)
split del: if_split)
apply (simp add: bindE_assoc[symmetric] split del: if_split)
apply (rule_tac r'="\<lambda>rv rv'. rv = transform_cap rv'"
in corres_alternative_throw_splitE)
apply (rule corres_guard_imp, rule corres_alternate1)
@ -1818,9 +1818,9 @@ lemma decode_untyped_corres:
apply (clarsimp simp: cte_wp_at_caps_of_state)
apply auto[1]
apply (rename_tac cnode_cap cnode_cap')
apply (simp add: bindE_assoc split del: split_if)
apply (simp add: bindE_assoc split del: if_split)
apply (simp add: if_to_top_of_bindE is_cnode_cap_transform_cap[symmetric]
split del: split_if)
split del: if_split)
apply (rule corres_if_rhs[rotated])
apply (rule corres_trivial, simp add: alternative_refl)
apply (simp add: corres_whenE_throwError_split_rhs
@ -1830,9 +1830,9 @@ lemma decode_untyped_corres:
apply (simp add:liftE_bindE)
apply (rule corres_symb_exec_r)
apply (clarsimp simp: corres_whenE_throwError_split_rhs corres_alternate2
split del: split_if)
split del: if_split)
apply (rule corres_alternate1)
apply (simp add:gets_get split del: split_if)
apply (simp add:gets_get split del: if_split)
apply (rule corres_underlying_gets_pre_lhs)
apply (rule_tac P' = "\<lambda>s. valid_mdb s \<and> cte_at slot' s \<and> is_cnode_cap cnode_cap' \<and>
cap_aligned cnode_cap' \<and> invs s \<and> not_idle_thread (obj_ref_of cnode_cap') s \<and>
@ -1852,7 +1852,7 @@ lemma decode_untyped_corres:
apply clarsimp
apply wp
apply (clarsimp simp:conj_comms)
apply (wp mapME_x_inv_wp[OF hoare_pre(2)] | simp split del: split_if)+
apply (wp mapME_x_inv_wp[OF hoare_pre(2)] | simp split del: if_split)+
apply (wp hoare_whenE_wp)
apply (simp add:validE_def split del:if_splits)
apply (rule_tac Q = "\<lambda>r. op = s" in hoare_strengthen_post)
@ -1881,7 +1881,7 @@ lemma decode_untyped_corres:
apply (rule hoare_pre)
apply (wp hoare_drop_imp | simp)+
apply fastforce
apply (clarsimp simp: conj_comms is_cnode_cap_transform_cap split del: split_if)
apply (clarsimp simp: conj_comms is_cnode_cap_transform_cap split del: if_split)
apply (rule validE_R_validE)
apply (rule_tac Q' = "\<lambda>a s. invs s \<and> valid_etcbs s \<and> valid_cap a s \<and> cte_wp_at (op = (cap.UntypedCap dev ptr sz idx)) slot' s
\<and> (Structures_A.is_cnode_cap a \<longrightarrow> not_idle_thread (obj_ref_of a) s)"
@ -1903,7 +1903,7 @@ lemma decode_untyped_corres:
apply (rule ccontr)
apply (clarsimp simp:valid_cap_simps cap_aligned_def)
apply (rule hoare_pre,wp,simp)
apply (wp hoare_drop_imp mapME_x_inv_wp2 | simp add:whenE_def split del:split_if)+
apply (wp hoare_drop_imp mapME_x_inv_wp2 | simp add:whenE_def split del:if_split)+
apply (rule hoare_pre,wp,simp)
done


@ -1768,7 +1768,7 @@ lemma handle_interrupt_domain_time_sched_action:
\<lbrace>\<lambda>s. domain_time s > 0\<rbrace>
handle_interrupt e
\<lbrace>\<lambda>r s. domain_time s = 0 \<longrightarrow> scheduler_action s = choose_new_thread\<rbrace>"
apply(simp add: handle_interrupt_def split del: split_if)
apply(simp add: handle_interrupt_def split del: if_split)
apply (rule hoare_pre)
apply (wp)
apply(case_tac "st \<noteq> IRQTimer")
@ -2707,12 +2707,12 @@ lemma rec_del_irq_state_inv':
next
case (2 slot exposed s) show ?case
apply(rule hoare_spec_gen_asm)
apply(simp add: rec_del.simps split del: split_if)
apply(simp add: rec_del.simps split del: if_split)
apply(rule hoare_pre_spec_validE)
apply(wp drop_spec_validE[OF returnOk_wp] drop_spec_validE[OF liftE_wp] set_cap_domain_sep_inv
|simp add: split_def split del: split_if)+
|simp add: split_def split del: if_split)+
apply(wp irq_state_inv_triv)[1]
apply (wp | simp split del: split_if)+
apply (wp | simp split del: if_split)+
apply(rule spec_strengthen_postE)
apply(rule "2.hyps"[simplified], fastforce+)
apply(rule drop_spec_validE, (wp preemption_point_irq_state_inv[where irq=irq] | simp)+)[1]
@ -2721,7 +2721,7 @@ lemma rec_del_irq_state_inv':
apply(wp finalise_cap_domain_sep_inv_cap get_cap_wp
finalise_cap_returns_None[where irqs=False, simplified]
drop_spec_validE[OF liftE_wp] set_cap_domain_sep_inv
|simp add: without_preemption_def split del: split_if
|simp add: without_preemption_def split del: if_split
|wp_once hoare_drop_imps
|wp irq_state_inv_triv)+
apply(blast dest: cte_wp_at_domain_sep_inv_cap)
@ -2815,7 +2815,7 @@ lemma invoke_cnode_irq_state_inv:
apply(simp add: invoke_cnode_def)
apply(rule hoare_pre)
apply wpc
apply((wp cap_revoke_irq_state_inv' cap_delete_irq_state_inv hoare_vcg_all_lift | wpc | simp add: cap_move_def split del: split_if | wp_once irq_state_inv_triv | wp_once hoare_drop_imps)+)[7]
apply((wp cap_revoke_irq_state_inv' cap_delete_irq_state_inv hoare_vcg_all_lift | wpc | simp add: cap_move_def split del: if_split | wp_once irq_state_inv_triv | wp_once hoare_drop_imps)+)[7]
apply fastforce
done
@ -2852,7 +2852,7 @@ lemma invoke_tcb_irq_state_inv:
apply(case_tac tinv)
apply((wp hoare_vcg_if_lift mapM_x_wp[OF _ subset_refl]
| wpc
| simp split del: split_if add: check_cap_at_def
| simp split del: if_split add: check_cap_at_def
| clarsimp
| wp_once irq_state_inv_triv)+)[3]
defer
@ -2992,10 +2992,10 @@ lemma handle_invocation_irq_state_inv:
handle_invocation x y \<lbrace>\<lambda>_. irq_state_inv st\<rbrace>, \<lbrace>\<lambda>_. irq_state_next st\<rbrace>"
apply (simp add: handle_invocation_def ts_Restart_case_helper split_def
liftE_liftM_liftME liftME_def bindE_assoc
split del: split_if)
split del: if_split)
apply(wp syscall_valid)
apply ((wp irq_state_inv_triv | wpc | simp)+)[2]
apply(wp static_imp_wp perform_invocation_irq_state_inv hoare_vcg_all_lift hoare_vcg_ex_lift decode_invocation_IRQHandlerCap | wpc | wp_once hoare_drop_imps | simp split del: split_if | wp_once irq_state_inv_triv)+
apply(wp static_imp_wp perform_invocation_irq_state_inv hoare_vcg_all_lift hoare_vcg_ex_lift decode_invocation_IRQHandlerCap | wpc | wp_once hoare_drop_imps | simp split del: if_split | wp_once irq_state_inv_triv)+
apply fastforce
done


@ -1110,7 +1110,7 @@ lemma abstract_invs:
apply (simp add: ADT_A_if_def)
apply (simp_all add: check_active_irq_A_if_def do_user_op_A_if_def
kernel_call_A_if_def kernel_handle_preemption_if_def
kernel_schedule_if_def kernel_exit_A_if_def split del: split_if)[12]
kernel_schedule_if_def kernel_exit_A_if_def split del: if_split)[12]
apply (rule preserves_lifts |
wp check_active_irq_if_wp do_user_op_if_invs
| clarsimp simp add: full_invs_if_def)+
@ -1237,7 +1237,7 @@ lemma haskell_invs:
apply blast
apply (simp_all add: checkActiveIRQ_H_if_def doUserOp_H_if_def
kernelCall_H_if_def handlePreemption_H_if_def
schedule'_H_if_def kernelExit_H_if_def split del: split_if)[12]
schedule'_H_if_def kernelExit_H_if_def split del: if_split)[12]
apply (rule preserves_lifts | wp | simp add: full_invs_if'_def)+
apply (wp_once hoare_disjI1)
apply (rule preserves_lifts | wp | simp add: full_invs_if'_def)+
@ -1698,7 +1698,7 @@ lemma haskell_to_abs: "uop_nonempty uop \<Longrightarrow> global_automata_refine
apply (simp add: full_invs_if_def)
apply (simp add: full_invs_if'_def)
apply (rule schedule'_if_empty_fail)
apply (simp add: kernel_exit_A_if_def kernelExit_H_if_def split del: split_if)
apply (simp add: kernel_exit_A_if_def kernelExit_H_if_def split del: if_split)
apply (rule_tac S="\<top>" and S'="invs'" in step_corres_lifts(5))
apply (rule corres_guard_imp)
apply (rule kernel_exit_if_corres)


@ -322,7 +322,7 @@ lemma kernelEntry_corres_C:
apply (clarsimp simp: all_invs'_def)
apply simp
apply (rule_tac P="\<top>" and P'="\<top>" in corres_inst)
apply (clarsimp simp: prod_lift_def split: split_if)
apply (clarsimp simp: prod_lift_def split: if_split)
apply wp
apply (rule hoare_strengthen_post)
apply (subst archTcbUpdate_aux2[symmetric])
@ -584,7 +584,7 @@ lemma check_active_irq_corres_C:
apply (subst bind_assoc[symmetric])
apply (rule corres_guard_imp)
apply (rule corres_split[where r'="\<lambda>a c. case a of None \<Rightarrow> c = 0xFFFF | Some x \<Rightarrow> c = ucast x \<and> c \<noteq> 0xFFFF", OF _ ccorres_corres_u_xf])
apply (clarsimp split: split_if option.splits)
apply (clarsimp split: if_split option.splits)
apply (rule ucast_ucast_id[symmetric], simp)
apply (rule ccorres_guard_imp)
apply (rule ccorres_rel_imp, rule ccorres_guard_imp)


@ -252,7 +252,7 @@ lemma get_asid_pool_revrv:
is_subject_asid aag asid \<and> asid \<noteq> 0" and P'="\<lambda>s. Some a = arm_asid_table (arch_state s) (asid_high_bits_of asid) \<and>
is_subject_asid aag asid \<and> asid \<noteq> 0" in equiv_valid_2_bind)
apply(clarsimp split: kernel_object.splits arch_kernel_obj.splits simp: fail_ev2_l fail_ev2_r return_ev2)
apply(clarsimp simp: get_object_def gets_def assert_def bind_def put_def get_def equiv_valid_2_def return_def fail_def split: split_if)
apply(clarsimp simp: get_object_def gets_def assert_def bind_def put_def get_def equiv_valid_2_def return_def fail_def split: if_split)
apply(erule reads_equivE)
apply(clarsimp simp: equiv_asids_def equiv_asid_def asid_pool_at_kheap)
apply(drule aag_can_read_own_asids)
@ -758,7 +758,7 @@ lemma perform_page_directory_invocation_reads_respects:
"reads_respects aag l (is_subject aag \<circ> cur_thread) (perform_page_directory_invocation pdi)"
unfolding perform_page_directory_invocation_def
apply (cases pdi)
apply (wp do_flush_reads_respects set_vm_root_reads_respects set_vm_root_for_flush_reads_respects | simp add: when_def requiv_cur_thread_eq split del: split_if | wp_once hoare_drop_imps | clarsimp)+
apply (wp do_flush_reads_respects set_vm_root_reads_respects set_vm_root_for_flush_reads_respects | simp add: when_def requiv_cur_thread_eq split del: if_split | wp_once hoare_drop_imps | clarsimp)+
done
lemma throw_on_false_reads_respects:
@ -1055,7 +1055,7 @@ lemma set_mrs_reads_respects:
"reads_respects aag l (K (aag_can_read aag thread \<or> aag_can_affect aag l thread)) (set_mrs thread buf msgs)"
apply(simp add: set_mrs_def)
apply(wp mapM_x_ev' store_word_offs_reads_respects set_object_reads_respects
| wpc | simp add: split_def split del: split_if add: zipWithM_x_mapM_x)+
| wpc | simp add: split_def split del: if_split add: zipWithM_x_mapM_x)+
apply(auto intro: reads_affects_equiv_get_tcb_eq)
done
@ -1322,7 +1322,7 @@ lemma set_asid_pool_state_equal_except_kheap:
kheap s pool_ptr = Some (ArchObj (ASIDPool asid_pool)) \<and>
kheap s' pool_ptr = Some (ArchObj (ASIDPool asid_pool')) \<longrightarrow>
asid_pool (ucast asid) = asid_pool' (ucast asid))))"
apply(clarsimp simp: set_asid_pool_def put_def bind_def get_object_def gets_def get_def return_def assert_def fail_def set_object_def split: split_if_asm)
apply(clarsimp simp: set_asid_pool_def put_def bind_def get_object_def gets_def get_def return_def assert_def fail_def set_object_def split: if_split_asm)
apply(clarsimp simp: states_equal_except_kheap_asid_def equiv_for_def obj_at_def)
apply(case_tac "pool_ptr = ptr")
apply(clarsimp simp: a_type_def split: kernel_object.splits arch_kernel_obj.splits)
@ -1625,7 +1625,7 @@ lemma set_vm_root_for_flush_globals_equiv[wp]:
lemma flush_table_globals_equiv[wp]:
"\<lbrace>globals_equiv s\<rbrace> flush_table pd asid cptr pt \<lbrace>\<lambda>rv. globals_equiv s\<rbrace>"
unfolding flush_table_def invalidateTLB_ASID_def fun_app_def
apply (wp mapM_wp' dmo_mol_globals_equiv | wpc | simp add: do_machine_op_bind split del: split_if cong: if_cong)+
apply (wp mapM_wp' dmo_mol_globals_equiv | wpc | simp add: do_machine_op_bind split del: if_split cong: if_cong)+
done
lemma arm_global_pd_arm_asid_map_update[simp]:
@ -1858,7 +1858,7 @@ lemma perform_page_directory_invocation_globals_equiv:
lemma flush_page_globals_equiv[wp]:
"\<lbrace>globals_equiv st\<rbrace> flush_page page_size pd asid vptr \<lbrace>\<lambda>_. globals_equiv st\<rbrace>"
unfolding flush_page_def invalidateTLB_VAASID_def
apply(wp | simp cong: if_cong split del: split_if)+
apply(wp | simp cong: if_cong split del: if_split)+
done
lemma flush_page_arm_global_pd[wp]:
@ -1866,7 +1866,7 @@ lemma flush_page_arm_global_pd[wp]:
flush_page pgsz pd asid vptr
\<lbrace>\<lambda>rv s. P (arm_global_pd (arch_state s))\<rbrace>"
unfolding flush_page_def
apply(wp | simp cong: if_cong split del: split_if)+
apply(wp | simp cong: if_cong split del: if_split)+
done
lemma mapM_swp_store_pte_globals_equiv:
@ -2283,13 +2283,13 @@ lemma decode_arch_invocation_authorised_for_globals:
apply (rule hoare_pre)
apply (simp add: split_def Let_def
cong: cap.case_cong arch_cap.case_cong if_cong option.case_cong
split del: split_if)
split del: if_split)
apply (wp select_wp select_ext_weak_wp whenE_throwError_wp check_vp_wpR unlessE_wp get_pde_wp get_master_pde_wp
find_pd_for_asid_authority3 create_mapping_entries_parent_for_refs
| wpc
| simp add: authorised_for_globals_page_inv_def
del: hoare_True_E_R
split del: split_if)+
split del: if_split)+
apply(simp cong: if_cong)
apply(wp hoare_vcg_if_lift2)
apply(rule hoare_conjI)


@ -70,7 +70,7 @@ proof(induct ref arbitrary: s rule: resolve_address_bits'.induct)
apply (cases cap')
apply (simp_all add: drop_spec_ev throwError_ev_pre
cong: if_cong
split del: split_if)
split del: if_split)
apply (wp "1.hyps")
apply (assumption | simp add: in_monad | rule conjI)+
apply (wp get_cap_rev get_cap_wp whenE_throwError_wp)+
@ -248,7 +248,7 @@ lemma cap_insert_reads_respects:
apply(subst gets_apply)
apply (simp only: cap_insert_ext_extended.dxo_eq)
apply (simp only: cap_insert_ext_def)
apply(wp set_original_reads_respects update_cdt_reads_respects set_cap_reads_respects gets_apply_ev update_cdt_list_reads_respects | simp split del: split_if | clarsimp simp: equiv_for_def split: option.splits)+
apply(wp set_original_reads_respects update_cdt_reads_respects set_cap_reads_respects gets_apply_ev update_cdt_list_reads_respects | simp split del: if_split | clarsimp simp: equiv_for_def split: option.splits)+
apply (wp set_untyped_cap_as_full_reads_respects get_cap_wp get_cap_rev | simp)+
apply (intro impI conjI allI)
apply(fastforce simp: reads_equiv_def2 equiv_for_def elim: states_equiv_forE_is_original_cap states_equiv_forE_cdt dest: aag_can_read_self split: option.splits)+
@ -268,7 +268,7 @@ lemma cap_move_reads_respects:
apply (elim conjE)
apply(wp set_original_reads_respects gets_apply_ev update_cdt_reads_respects
set_cap_reads_respects update_cdt_list_reads_respects
| simp split del: split_if | fastforce simp: equiv_for_def split: option.splits)+
| simp split del: if_split | fastforce simp: equiv_for_def split: option.splits)+
apply (intro impI conjI allI)
apply(fastforce simp: reads_equiv_def2 equiv_for_def elim: states_equiv_forE_is_original_cap states_equiv_forE_cdt dest: aag_can_read_self split: option.splits)+
done
@ -295,7 +295,7 @@ lemma cap_swap_reads_respects:
apply (fold update_cdt_def)
apply (simp add: bind_assoc cap_swap_ext_def)
apply (rule gen_asm_ev)
apply(wp set_original_reads_respects update_cdt_reads_respects gets_apply_ev set_cap_reads_respects update_cdt_list_reads_respects | simp split del: split_if | fastforce simp: equiv_for_def split: option.splits)+
apply(wp set_original_reads_respects update_cdt_reads_respects gets_apply_ev set_cap_reads_respects update_cdt_list_reads_respects | simp split del: if_split | fastforce simp: equiv_for_def split: option.splits)+
apply (intro impI conjI allI)
apply((fastforce simp: reads_equiv_def2 equiv_for_def elim: states_equiv_forE_is_original_cap states_equiv_forE_cdt dest: aag_can_read_self split: option.splits)+)[2]
apply (frule_tac x = slot1 in equiv_forD,elim conjE,drule aag_can_read_self,simp)
@ -687,7 +687,7 @@ lemma dmo_getActiveIRQ_wp:
lemma only_timer_irqs:
"\<lbrakk>domain_sep_inv False st s; valid_irq_states s; is_irq_at s irq n\<rbrakk> \<Longrightarrow>
interrupt_states s irq = IRQTimer"
apply(clarsimp simp: is_irq_at_def irq_at_def Let_def split: split_if_asm)
apply(clarsimp simp: is_irq_at_def irq_at_def Let_def split: if_split_asm)
apply(case_tac "interrupt_states s (irq_oracle n)")
apply(blast elim: valid_irq_statesE)
apply(fastforce simp: domain_sep_inv_def)


@ -43,7 +43,7 @@ lemma decode_untyped_invocation_rev:
unfolding decode_untyped_invocation_def fun_app_def
apply(rule gen_asm_ev)
apply(simp add: unlessE_def[symmetric] unlessE_whenE
split del: split_if)
split del: if_split)
apply (wp_once whenE_throwError_wp
| wp mapME_x_ev' ensure_empty_rev get_cap_rev
lookup_slot_for_cnode_op_rev
@ -86,7 +86,7 @@ lemma derive_cap_rev:
lemma if_apply_ev:
"equiv_valid I A B P (if a then b x else c x) \<Longrightarrow>
equiv_valid I A B P ((if a then b else c) x)"
by(simp split: split_if_asm)
by(simp split: if_split_asm)
lemma whenE_throwError_bindE_ev:
assumes ev: "\<not> b \<Longrightarrow> equiv_valid I A A P f"
@ -119,7 +119,7 @@ lemma decode_cnode_invocation_rev:
apply ((wp if_apply_ev derive_cap_rev whenE_inv hoare_vcg_imp_lift_R
lookup_slot_for_cnode_op_rev hoare_vcg_all_lift_R
lookup_slot_for_cnode_op_authorised ensure_empty_rev get_cap_rev
| simp add: split_def unlessE_whenE split del: split_if
| simp add: split_def unlessE_whenE split del: if_split
del: hoare_True_E_R
| wpc
| (wp_once hoare_drop_imps, wp_once lookup_slot_for_cnode_op_authorised))+)
@ -234,7 +234,7 @@ lemma decode_tcb_invocation_reads_respects_f:
decode_tcb_configure_def decode_set_space_def decode_bind_notification_def
decode_set_ipc_buffer_def fun_app_def decode_unbind_notification_def
apply (simp add: unlessE_def[symmetric] unlessE_whenE
split del: split_if
split del: if_split
cong: invocation_label.case_cong)
apply (rule equiv_valid_guard_imp)
apply (wp_once requiv_cur_thread_eq range_check_ev
@ -249,7 +249,7 @@ lemma decode_tcb_invocation_reads_respects_f:
| wp_once whenE_throwError_wp
| wp_once hoare_drop_imps
| wpc
| simp add: unlessE_whenE split del: split_if add: o_def split_def)+
| simp add: unlessE_whenE split del: if_split add: o_def split_def)+
unfolding get_tcb_ctable_ptr_def get_tcb_vtable_ptr_def
apply (subgoal_tac "\<not>length excaps < 3 \<longrightarrow> is_subject aag (fst (snd (excaps ! 2)))")
prefer 2
@ -355,7 +355,7 @@ lemma create_mapping_entries_rev:
lemma check_vp_alignment_rev:
"reads_equiv_valid_inv A aag \<top> (check_vp_alignment sz vptr)"
unfolding check_vp_alignment_def
apply(wp | simp add: crunch_simps split del: split_if)+
apply(wp | simp add: crunch_simps split del: if_split)+
done
lemmas reads_respects_f_inv = reads_respects_f[where Q="\<top>", simplified]
@ -507,7 +507,7 @@ lemma lookup_pt_slot_no_fail_is_subject:
apply (simp add: aag_has_auth_to_Control_eq_owns)
apply (drule_tac f="\<lambda>pde. valid_pde pde s" in arg_cong, simp)
apply (clarsimp simp: obj_at_def a_type_def kernel_base_kernel_mapping_slots)
apply (clarsimp split: Structures_A.kernel_object.split_asm split_if_asm
apply (clarsimp split: Structures_A.kernel_object.split_asm if_split_asm
arch_kernel_obj.split_asm)
apply (erule pspace_alignedE, erule domI)
apply (simp add: pt_bits_def pageBits_def)


@ -311,7 +311,7 @@ lemma mod_less_self [simp]:
lemma split_div_mod:
"a = (b::nat) \<longleftrightarrow> (a div k = b div k \<and> a mod k = b mod k)"
by (metis mod_div_equality2)
by (metis mult_div_mod_eq)
lemma nat_to_bl_eq:
assumes "a < 2 ^ n \<or> b < 2 ^ n"
@ -419,8 +419,8 @@ lemma Low_caps_ran:
NotificationCap ntfn_ptr 0 {AllowSend},
NullCap}"
apply (rule equalityI)
apply (clarsimp simp: Low_caps_def fun_upd_def empty_cnode_def split: split_if_asm)
apply (clarsimp simp: Low_caps_def fun_upd_def empty_cnode_def split: split_if_asm
apply (clarsimp simp: Low_caps_def fun_upd_def empty_cnode_def split: if_split_asm)
apply (clarsimp simp: Low_caps_def fun_upd_def empty_cnode_def split: if_split_asm
cong: conj_cong)
apply (rule exI [where x="the_nat_to_bl_10 0"])
apply simp
@ -456,8 +456,8 @@ lemma High_caps_ran:
NotificationCap ntfn_ptr 0 {AllowRecv},
NullCap}"
apply (rule equalityI)
apply (clarsimp simp: High_caps_def ran_def empty_cnode_def split: split_if_asm)
apply (clarsimp simp: High_caps_def ran_def empty_cnode_def split: split_if_asm
apply (clarsimp simp: High_caps_def ran_def empty_cnode_def split: if_split_asm)
apply (clarsimp simp: High_caps_def ran_def empty_cnode_def split: if_split_asm
cong: conj_cong)
apply (rule exI [where x="the_nat_to_bl_10 0"])
apply simp
@ -805,7 +805,7 @@ lemma kh0_SomeD:
x \<in> irq_node_offs_range \<and> y = CNode 0 (empty_cnode 0)"
apply (frule kh0_SomeD')
apply (erule disjE, simp add: kh0_def
| force simp: kh0_def split: split_if_asm)+
| force simp: kh0_def split: if_split_asm)+
done
lemmas kh0_obj_def =
@ -927,13 +927,13 @@ definition Sys1PAS :: "(auth_graph_label subject_label) PAS" where
subsubsection {* Proof of pas_refined for Sys1 *}
lemma High_caps_well_formed: "well_formed_cnode_n 10 High_caps"
by (auto simp: High_caps_def well_formed_cnode_n_def split: split_if_asm)
by (auto simp: High_caps_def well_formed_cnode_n_def split: if_split_asm)
lemma Low_caps_well_formed: "well_formed_cnode_n 10 Low_caps"
by (auto simp: Low_caps_def well_formed_cnode_n_def split: split_if_asm)
by (auto simp: Low_caps_def well_formed_cnode_n_def split: if_split_asm)
lemma Silc_caps_well_formed: "well_formed_cnode_n 10 Silc_caps"
by (auto simp: Silc_caps_def well_formed_cnode_n_def split: split_if_asm)
by (auto simp: Silc_caps_def well_formed_cnode_n_def split: if_split_asm)
lemma s0_caps_of_state :
"caps_of_state s0_internal p = Some cap \<Longrightarrow>
@ -966,7 +966,7 @@ lemma s0_caps_of_state :
apply (case_tac p, clarsimp)
apply (clarsimp split: if_splits)
apply (clarsimp simp: cte_wp_at_cases tcb_cap_cases_def
split: split_if_asm)+
split: if_split_asm)+
apply (clarsimp simp: Silc_caps_def split: if_splits)
apply (clarsimp simp: High_caps_def split: if_splits)
apply (clarsimp simp: Low_caps_def cte_wp_at_cases split: if_splits)
@ -1008,7 +1008,7 @@ lemma domains_of_state_s0[simp]:
apply(rule subsetI)
apply clarsimp
apply (erule domains_of_state_aux.cases)
apply (clarsimp simp: s0_internal_def exst0_def ekh0_obj_def split: split_if_asm)
apply (clarsimp simp: s0_internal_def exst0_def ekh0_obj_def split: if_split_asm)
apply clarsimp
apply (force simp: s0_internal_def exst0_def ekh0_obj_def intro: domains_of_state_aux.domtcbs)+
done
@ -1117,7 +1117,7 @@ lemma silc_inv_s0:
apply (rule conjI)
apply (clarsimp simp: Sys1PAS_def Sys1AgentMap_def
s0_internal_def kh0_def obj_at_def kh0_obj_def
is_cap_table_def Silc_caps_well_formed split: split_if_asm)
is_cap_table_def Silc_caps_well_formed split: if_split_asm)
apply (rule conjI)
apply (clarsimp simp: Sys1PAS_def Sys1AuthGraph_def)
apply (rule conjI)
@ -1132,7 +1132,7 @@ lemma silc_inv_s0:
apply (case_tac a, clarsimp)
apply (clarsimp split: if_splits)
apply ((clarsimp simp: intra_label_cap_def cte_wp_at_cases tcb_cap_cases_def
cap_points_to_label_def split: split_if_asm)+)[8]
cap_points_to_label_def split: if_split_asm)+)[8]
apply (clarsimp simp: intra_label_cap_def cap_points_to_label_def)
apply (drule cte_wp_at_caps_of_state' s0_caps_of_state)+
apply ((erule disjE |
@ -1256,7 +1256,7 @@ lemma valid_objs_s0:
"valid_objs s0_internal"
apply (clarsimp simp: valid_objs_def)
apply (subst(asm) s0_internal_def kh0_def)+
apply (simp split: split_if_asm)
apply (simp split: if_split_asm)
apply force+
apply (clarsimp simp: valid_obj_def valid_cs_def empty_cnode_def valid_cs_size_def ran_def
cte_level_bits_def word_bits_def well_formed_cnode_n_def dom_def)
@ -1390,7 +1390,7 @@ lemma valid_pspace_s0[simp]:
apply (rule conjI)
apply (clarsimp simp: if_live_then_nonz_cap_def)
apply (subst(asm) s0_internal_def)
apply (clarsimp simp: obj_at_def kh0_def kh0_obj_def s0_ptr_defs split: split_if_asm)
apply (clarsimp simp: obj_at_def kh0_def kh0_obj_def s0_ptr_defs split: if_split_asm)
apply (clarsimp simp: ex_nonz_cap_to_def)
apply (rule_tac x="High_cnode_ptr" in exI)
apply (rule_tac x="the_nat_to_bl_10 1" in exI)
@ -1408,7 +1408,7 @@ lemma valid_pspace_s0[simp]:
apply (force dest: s0_caps_of_state simp: is_zombie_def)
apply (clarsimp simp: sym_refs_def state_refs_of_def s0_internal_def)
apply (subst(asm) kh0_def)
apply (clarsimp split: split_if_asm)
apply (clarsimp split: if_split_asm)
by (simp add: refs_of_def kh0_def s0_ptr_defs kh0_obj_def)+
lemma descendants_s0[simp]:
@ -1443,7 +1443,7 @@ lemma valid_mdb_s0[simp]:
lemma valid_ioc_s0[simp]:
"valid_ioc s0_internal"
by (clarsimp simp: cte_wp_at_cases tcb_cap_cases_def valid_ioc_def
s0_internal_def kh0_def kh0_obj_def split: split_if_asm)+
s0_internal_def kh0_def kh0_obj_def split: if_split_asm)+
lemma valid_idle_s0[simp]:
"valid_idle s0_internal"
@ -1615,7 +1615,7 @@ lemma valid_kernel_mappings_s0[simp]:
apply (drule kh0_SomeD)
apply (clarsimp simp: arch_state0_def kernel_mapping_slots_def)
apply (erule disjE | simp add: pde_ref_def s0_ptr_defs kh0_obj_def High_pd'_def Low_pd'_def
split: split_if_asm pde.splits)+
split: if_split_asm pde.splits)+
done
lemma equal_kernel_mappings_s0[simp]:
@ -1735,7 +1735,7 @@ lemma valid_sched_s0[simp]:
apply (clarsimp simp: ct_in_cur_domain_def in_cur_domain_def etcb_at'_def ekh0_obj_def
s0_ptr_defs)
apply (clarsimp simp: const_def valid_blocked_def st_tcb_at_kh_def obj_at_kh_def obj_at_def
kh0_def kh0_obj_def split: split_if_asm)
kh0_def kh0_obj_def split: if_split_asm)
apply (clarsimp simp: valid_idle_etcb_def etcb_at'_def ekh0_obj_def s0_ptr_defs idle_thread_ptr_def)
done


@ -770,13 +770,13 @@ lemma caps_dom_length_10:
"Silc_caps x = Some y \<Longrightarrow> length x = 10"
"High_caps x = Some y \<Longrightarrow> length x = 10"
"Low_caps x = Some y \<Longrightarrow> length x = 10"
by (simp_all add: Silc_caps_def High_caps_def Low_caps_def the_nat_to_bl_def nat_to_bl_def split: split_if_asm)
by (simp_all add: Silc_caps_def High_caps_def Low_caps_def the_nat_to_bl_def nat_to_bl_def split: if_split_asm)
lemma dom_caps:
"dom Silc_caps = {x. length x = 10}"
"dom High_caps = {x. length x = 10}"
"dom Low_caps = {x. length x = 10}"
apply (simp_all add: Silc_caps_def High_caps_def Low_caps_def the_nat_to_bl_def nat_to_bl_def dom_def split: split_if_asm)
apply (simp_all add: Silc_caps_def High_caps_def Low_caps_def the_nat_to_bl_def nat_to_bl_def dom_def split: if_split_asm)
apply fastforce+
done
@ -1048,14 +1048,14 @@ lemma kh0H_dom:
pt_offs_range Low_pt_ptr"
apply (rule equalityI)
apply (simp add: kh0H_def dom_def)
apply (clarsimp simp: offs_in_range option_update_range_def not_in_range_None split: split_if_asm)
apply (clarsimp simp: offs_in_range option_update_range_def not_in_range_None split: if_split_asm)
apply (clarsimp simp: dom_def)
apply (rule conjI, clarsimp simp: kh0H_def option_update_range_def kh0H_dom_distinct not_in_range_None split: option.splits)+
apply (force dest: irq_node_offs_range_correct)
by (rule conjI |
clarsimp simp: kh0H_def option_update_range_def kh0H_dom_distinct not_in_range_None split: option.splits,
frule offs_range_correct,
clarsimp simp: kh0H_all_obj_def cnode_offs_range_def pd_offs_range_def pt_offs_range_def split: split_if_asm)+
clarsimp simp: kh0H_all_obj_def cnode_offs_range_def pd_offs_range_def pt_offs_range_def split: if_split_asm)+
lemmas kh0H_SomeD' = set_mp[OF equalityD1[OF kh0H_dom[simplified dom_def]], OF CollectI, simplified, OF exI]
@ -1173,7 +1173,7 @@ lemma kh0H_dom_tcb:
apply (frule domI[where m="kh0H"])
apply (simp add: kh0H_dom)
apply (elim disjE)
apply (drule irq_node_offs_range_correct cnode_offs_range_correct pd_offs_range_correct pt_offs_range_correct | clarsimp simp: kh0H_all_obj_def s0_ptrs_aligned split: split_if_asm)+
apply (drule irq_node_offs_range_correct cnode_offs_range_correct pd_offs_range_correct pt_offs_range_correct | clarsimp simp: kh0H_all_obj_def s0_ptrs_aligned split: if_split_asm)+
done
lemma not_in_range_cte_None:
@ -1310,7 +1310,7 @@ lemma map_to_ctes_kh0H:
apply (rule conjI)
apply (fastforce simp: tcb_cte_cases_def Low_tcb_cte_def dest: neg_mask_decompose)
apply clarsimp
subgoal by (fastforce simp: Low_tcb_cte_def tcb_cte_cases_def split: split_if_asm dest: neg_mask_decompose)
subgoal by (fastforce simp: Low_tcb_cte_def tcb_cte_cases_def split: if_split_asm dest: neg_mask_decompose)
apply (clarsimp simp: option_update_range_def)
apply (frule mask_in_tcb_offs_range)
apply (clarsimp simp: kh0H_dom_distinct[THEN set_mem_neq])
@ -1322,7 +1322,7 @@ lemma map_to_ctes_kh0H:
apply (rule conjI)
apply (fastforce simp: tcb_cte_cases_def High_tcb_cte_def dest: neg_mask_decompose)
apply clarsimp
apply (fastforce simp: High_tcb_cte_def tcb_cte_cases_def split: split_if_asm dest: neg_mask_decompose)
apply (fastforce simp: High_tcb_cte_def tcb_cte_cases_def split: if_split_asm dest: neg_mask_decompose)
apply (clarsimp simp: option_update_range_def)
apply (frule mask_in_tcb_offs_range)
apply (clarsimp simp: kh0H_dom_distinct[THEN set_mem_neq])
@ -1334,7 +1334,7 @@ lemma map_to_ctes_kh0H:
apply (rule conjI)
apply (fastforce simp: tcb_cte_cases_def idle_tcb_cte_def dest: neg_mask_decompose)
apply clarsimp
apply (fastforce simp: idle_tcb_cte_def tcb_cte_cases_def split: split_if_asm dest: neg_mask_decompose)
apply (fastforce simp: idle_tcb_cte_def tcb_cte_cases_def split: if_split_asm dest: neg_mask_decompose)
apply (drule_tac m="kh0H" in opt_None_not_dom)
apply (rule conjI)
apply (clarsimp simp: kh0H_dom option_update_range_def)
@ -1344,7 +1344,7 @@ lemma map_to_ctes_kh0H:
apply (frule range_tcb_not_kh0H_dom(1)[simplified])
apply (frule range_tcb_not_kh0H_dom(2)[simplified])
apply (drule range_tcb_not_kh0H_dom(3)[simplified])
apply (clarsimp simp: kh0H_dom split del: split_if)
apply (clarsimp simp: kh0H_dom split del: if_split)
apply (clarsimp simp: option_update_range_def)
apply ((clarsimp simp: kh0H_dom_sets_distinct[THEN orthD2] not_in_tcb_offs not_in_range_cte_None offs_in_range
| clarsimp simp: kh0H_dom_sets_distinct[THEN orthD1] not_in_range_cte_None)+)[1]
@ -1353,16 +1353,16 @@ lemma map_to_ctes_kh0H:
apply (clarsimp simp: irq_node_offs_in_range)
apply (frule kh0H_SomeD)
apply (elim disjE)
apply (clarsimp simp: map_to_ctes_def Let_def kh0H_obj_def split del: split_if,
subst split_if_eq1,
apply (clarsimp simp: map_to_ctes_def Let_def kh0H_obj_def split del: if_split,
subst if_split_eq1,
rule conjI,
clarsimp,
drule kh0H_dom_tcb,
fastforce simp: s0_ptr_defs mask_def objBitsKO_def,
rule impI,
fastforce simp: option_update_range_def kh0H_dom_distinct not_in_range_cte_None)
apply ((clarsimp simp: map_to_ctes_def Let_def split del: split_if,
subst split_if_eq1,
apply ((clarsimp simp: map_to_ctes_def Let_def split del: if_split,
subst if_split_eq1,
rule conjI,
rule impI,
(subst is_aligned_neg_mask_eq,
@ -1378,16 +1378,16 @@ lemma map_to_ctes_kh0H:
drule int_not_emptyD,
clarsimp,
(elim disjE, (clarsimp | drule(1) order_trans le_less_trans, fastforce)+)[1])+)[3]
apply (clarsimp simp: map_to_ctes_def Let_def kh0H_obj_def split del: split_if,
subst split_if_eq1,
apply (clarsimp simp: map_to_ctes_def Let_def kh0H_obj_def split del: if_split,
subst if_split_eq1,
rule conjI,
clarsimp,
drule kh0H_dom_tcb,
fastforce simp: s0_ptr_defs mask_def objBitsKO_def,
rule impI,
fastforce simp: option_update_range_def kh0H_dom_distinct not_in_range_cte_None)
apply (clarsimp simp: map_to_ctes_def Let_def kh0H_obj_def split del: split_if,
subst split_if_eq1,
apply (clarsimp simp: map_to_ctes_def Let_def kh0H_obj_def split del: if_split,
subst if_split_eq1,
rule conjI,
rule impI,
clarsimp simp: option_update_range_def kh0H_dom_distinct not_in_range_cte_None,
@ -1397,9 +1397,9 @@ lemma map_to_ctes_kh0H:
drule int_not_emptyD,
clarsimp,
(elim disjE, (clarsimp | drule(1) order_trans le_less_trans, fastforce)+)[1])
apply (clarsimp simp: map_to_ctes_def Let_def kh0H_obj_def split del: split_if)
apply (clarsimp simp: map_to_ctes_def Let_def kh0H_obj_def split del: if_split)
apply (frule irq_node_offs_range_correct)
apply (subst split_if_eq1)
apply (subst if_split_eq1)
apply (rule conjI)
apply (rule impI)
apply (clarsimp simp: option_update_range_def kh0H_dom_distinct not_in_range_cte_None)
@ -1438,8 +1438,8 @@ lemma map_to_ctes_kh0H:
fastforce,
fastforce simp: add.commute)
| unat_arith)+)[1]
apply ((clarsimp simp: map_to_ctes_def Let_def kh0H_obj_def objBitsKO_def split: split_if_asm split del: split_if,
subst split_if_eq1,
apply ((clarsimp simp: map_to_ctes_def Let_def kh0H_obj_def objBitsKO_def split: if_split_asm split del: if_split,
subst if_split_eq1,
rule conjI,
rule impI,
clarsimp simp: option_update_range_def kh0H_dom_distinct not_in_range_cte_None,
@ -1474,14 +1474,14 @@ lemma map_to_ctes_kh0H:
fastforce,
fastforce,
fastforce simp: add.commute | unat_arith)+)[1])+)[3]
apply ((clarsimp simp: map_to_ctes_def Let_def split del: split_if,
subst split_if_eq1,
apply ((clarsimp simp: map_to_ctes_def Let_def split del: if_split,
subst if_split_eq1,
rule conjI,
rule impI,
drule pd_offs_range_correct,
clarsimp simp: option_update_range_def kh0H_dom_distinct not_in_range_cte_None kh0H_obj_def,
rule impI,
subst split_if_eq1,
subst if_split_eq1,
rule conjI,
rule impI,
rule FalseE,
@ -1507,14 +1507,14 @@ lemma map_to_ctes_kh0H:
clarsimp simp: option_update_range_def kh0H_dom_distinct[THEN set_mem_neq] not_in_range_cte_None,
((clarsimp simp: kh0H_dom_sets_distinct[THEN orthD1] not_in_range_cte_None irq_node_offs_in_range |
clarsimp simp: kh0H_dom_sets_distinct[THEN orthD2] not_in_range_cte_None)+)[1])+)[3]
by (clarsimp simp: map_to_ctes_def Let_def split del: split_if,
subst split_if_eq1,
by (clarsimp simp: map_to_ctes_def Let_def split del: if_split,
subst if_split_eq1,
rule conjI,
rule impI,
drule pt_offs_range_correct,
clarsimp simp: option_update_range_def kh0H_dom_distinct not_in_range_cte_None kh0H_obj_def,
rule impI,
subst split_if_eq1,
subst if_split_eq1,
rule conjI,
rule impI,
rule FalseE,
@ -1840,13 +1840,13 @@ lemma map_to_ctes_kh0H_dom:
apply (rule equalityI)
apply (simp add: map_to_ctes_kh0H dom_def)
apply clarsimp
apply (clarsimp simp: offs_in_range option_update_range_def split: option.splits split_if_asm)
apply (clarsimp simp: offs_in_range option_update_range_def split: option.splits if_split_asm)
apply (clarsimp simp: idle_tcb_cte_def)
apply (clarsimp simp: High_tcb_cte_def)
apply (clarsimp simp: Low_tcb_cte_def)
apply (clarsimp simp: Silc_cte_cte_def cnode_offs_range_def split: split_if_asm)
apply (clarsimp simp: High_cte_cte_def cnode_offs_range_def split: split_if_asm)
apply (clarsimp simp: Low_cte_cte_def cnode_offs_range_def split: split_if_asm)
apply (clarsimp simp: Silc_cte_cte_def cnode_offs_range_def split: if_split_asm)
apply (clarsimp simp: High_cte_cte_def cnode_offs_range_def split: if_split_asm)
apply (clarsimp simp: Low_cte_cte_def cnode_offs_range_def split: if_split_asm)
apply (clarsimp simp: dom_def)
apply (clarsimp simp: idle_tcb_cte_def Low_tcb_cte_def High_tcb_cte_def)
apply (rule conjI)
@ -1950,7 +1950,7 @@ lemma s0H_pspace_distinct':
| clarsimp simp: objBitsKO_def pageBits_def cnode_offs_range_def pd_offs_range_def pt_offs_range_def irq_node_offs_range_def s0_ptr_defs kh0H_obj_def,
drule(1) notE[rotated, OF le_less_trans, OF _ _ leD, rotated 2]
notE[rotated, OF le_less_trans, OF _ _ leD], fastforce, simp
| (clarsimp simp: objBitsKO_def pageBits_def cnode_offs_range_def pd_offs_range_def pt_offs_range_def irq_node_offs_range_def s0_ptr_defs kh0H_obj_def Low_cte'_def Low_capsH_def cte_level_bits_def empty_cte_def High_cte'_def High_capsH_def Silc_cte'_def Silc_capsH_def split: split_if_asm,
| (clarsimp simp: objBitsKO_def pageBits_def cnode_offs_range_def pd_offs_range_def pt_offs_range_def irq_node_offs_range_def s0_ptr_defs kh0H_obj_def Low_cte'_def Low_capsH_def cte_level_bits_def empty_cte_def High_cte'_def High_capsH_def Silc_cte'_def Silc_capsH_def split: if_split_asm,
(drule(1) aligned_le_sharp, simp add: mask_def,
drule_tac x="0xF" in word_plus_mono_right, fastforce, simp add: add.commute,
(drule(1) notE[rotated, OF le_less_trans, OF _ _ leD, rotated 2]
@ -1963,7 +1963,7 @@ lemma s0H_pspace_distinct':
drule(2) notE[rotated, OF less_trans, OF _ _ leD[OF order_trans], rotated 2]
notE[rotated, OF le_less_trans, OF _ _ leD[OF order_trans], rotated 2],
fastforce, simp
| (clarsimp simp: irq_node_offs_range_def cnode_offs_range_def pd_offs_range_def pt_offs_range_def s0_ptr_defs objBitsKO_def archObjSize_def kh0H_obj_def Low_cte'_def Low_capsH_def High_cte'_def High_capsH_def Silc_cte'_def Silc_capsH_def cte_level_bits_def empty_cte_def split: split_if_asm,
| (clarsimp simp: irq_node_offs_range_def cnode_offs_range_def pd_offs_range_def pt_offs_range_def s0_ptr_defs objBitsKO_def archObjSize_def kh0H_obj_def Low_cte'_def Low_capsH_def High_cte'_def High_capsH_def Silc_cte'_def Silc_capsH_def cte_level_bits_def empty_cte_def split: if_split_asm,
(drule(1) aligned_le_sharp, simp add: mask_neg_add_aligned, fastforce simp: mask_def)+)[1])+
lemma pspace_distinctD'':
@ -2194,36 +2194,36 @@ lemma s0H_valid_objs':
apply (clarsimp simp: valid_obj'_def valid_cte'_def)
apply (clarsimp simp: valid_obj'_def Low_cte_def Low_cte'_def Low_capsH_def empty_cte_def
valid_cte'_def
split: split_if_asm)
split: if_split_asm)
apply (clarsimp simp: valid_obj'_def High_cte_def High_cte'_def High_capsH_def empty_cte_def
valid_cte'_def
split: split_if_asm)
split: if_split_asm)
apply (clarsimp simp: valid_obj'_def Silc_cte_def Silc_cte'_def Silc_capsH_def empty_cte_def
valid_cte'_def
split: split_if_asm)
split: if_split_asm)
apply (clarsimp simp: valid_obj'_def global_pdH'_def valid_mapping'_def s0_ptr_defs
is_aligned_def ARM.addrFromPPtr_def ARM.ptrFromPAddr_def
physMappingOffset_def ARM.kernelBase_def ARM.physBase_def
kernelBase_addr_def physBase_def
split: split_if_asm)
split: if_split_asm)
apply (clarsimp simp: valid_obj'_def High_pdH_def High_pd'H_def valid_pde'_def
valid_mapping'_def s0_ptr_defs is_aligned_def ARM.addrFromPPtr_def
ARM.kernelBase_def ARM.physBase_def ARM.ptrFromPAddr_def ptBits_def
pageBits_def physMappingOffset_def kernelBase_addr_def physBase_def
split: split_if_asm)
split: if_split_asm)
apply (clarsimp simp: valid_obj'_def Low_pdH_def Low_pd'H_def valid_pde'_def valid_mapping'_def
s0_ptr_defs is_aligned_def ARM.addrFromPPtr_def
ARM.ptrFromPAddr_def ARM.physBase_def ptBits_def pageBits_def
physMappingOffset_def kernelBase_addr_def physBase_def
split: split_if_asm)
split: if_split_asm)
apply (clarsimp simp: valid_obj'_def High_ptH_def High_pt'H_def valid_mapping'_def s0_ptr_defs
is_aligned_def ARM.addrFromPPtr_def ARM.ptrFromPAddr_def ARM.kernelBase_def
ARM.physBase_def physMappingOffset_def kernelBase_addr_def physBase_def
split: split_if_asm)
split: if_split_asm)
apply (clarsimp simp: valid_obj'_def Low_ptH_def Low_pt'H_def valid_mapping'_def s0_ptr_defs
is_aligned_def ARM.addrFromPPtr_def ARM.physBase_def ARM.ptrFromPAddr_def
physMappingOffset_def kernelBase_addr_def physBase_def
split: split_if_asm)
split: if_split_asm)
done
lemmas the_nat_to_bl_simps =
@ -2378,9 +2378,9 @@ lemma mdb_next_s0H:
apply (elim exE conjE)
apply (frule map_to_ctes_kh0H_SomeD)
apply (elim disjE, simp_all)[1]
apply (clarsimp simp: kh0H_all_obj_def' to_bl_use_of_bl the_nat_to_bl_simps cte_level_bits_def ucast_shiftr_13E s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' to_bl_use_of_bl the_nat_to_bl_simps cte_level_bits_def ucast_shiftr_13E s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' to_bl_use_of_bl the_nat_to_bl_simps cte_level_bits_def ucast_shiftr_13E s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' to_bl_use_of_bl the_nat_to_bl_simps cte_level_bits_def ucast_shiftr_13E s0_ptrs_aligned split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' to_bl_use_of_bl the_nat_to_bl_simps cte_level_bits_def ucast_shiftr_13E s0_ptrs_aligned split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' to_bl_use_of_bl the_nat_to_bl_simps cte_level_bits_def ucast_shiftr_13E s0_ptrs_aligned split: if_split_asm)
apply (clarsimp simp: next_unfold' map_to_ctes_kh0H_dom)
apply (elim disjE, simp_all add: kh0H_all_obj_def')
done
@ -2399,11 +2399,11 @@ lemma mdb_prev_s0H:
apply (frule map_to_ctes_kh0H_SomeD)
apply (elim disjE, simp_all)[1]
apply clarsimp
apply (clarsimp simp: kh0H_all_obj_def' to_bl_use_of_bl the_nat_to_bl_simps cte_level_bits_def ucast_shiftr_13E s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' to_bl_use_of_bl the_nat_to_bl_simps cte_level_bits_def ucast_shiftr_13E s0_ptrs_aligned split: if_split_asm)
apply clarsimp
apply (clarsimp simp: kh0H_all_obj_def' to_bl_use_of_bl the_nat_to_bl_simps cte_level_bits_def ucast_shiftr_13E ucast_shiftr_3 ucast_shiftr_2 s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' to_bl_use_of_bl the_nat_to_bl_simps cte_level_bits_def ucast_shiftr_13E ucast_shiftr_3 ucast_shiftr_2 s0_ptrs_aligned split: if_split_asm)
apply clarsimp
apply (clarsimp simp: kh0H_all_obj_def' to_bl_use_of_bl the_nat_to_bl_simps cte_level_bits_def ucast_shiftr_13E ucast_shiftr_3 ucast_shiftr_2 s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' to_bl_use_of_bl the_nat_to_bl_simps cte_level_bits_def ucast_shiftr_13E ucast_shiftr_3 ucast_shiftr_2 s0_ptrs_aligned split: if_split_asm)
apply (clarsimp simp: mdb_prev_def map_to_ctes_kh0H_dom)
apply (elim disjE, simp_all add: kh0H_all_obj_def')
done
@ -2459,41 +2459,41 @@ lemma sameRegionAs_s0H:
apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
apply (elim disjE, simp_all add: sameRegionAs_def isCap_simps)[1]
apply (simp add: s0_ptr_defs)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_2 s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_2 s0_ptrs_aligned split: if_split_asm)
apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
apply (elim disjE, simp_all add: sameRegionAs_def ARM_H.sameRegionAs_def isCap_simps)[1]
apply (simp add: s0_ptr_defs)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: split_if_asm)
apply (clarsimp simp: ARM_H.sameRegionAs_def isCap_simps kh0H_all_obj_def' s0_ptr_defs split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_3 s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
apply (clarsimp simp: ARM_H.sameRegionAs_def isCap_simps kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_3 s0_ptrs_aligned split: if_split_asm)
apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
apply (elim disjE, simp_all add: sameRegionAs_def isCap_simps)[1]
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
apply (elim disjE, simp_all add: sameRegionAs_def isCap_simps)[1]
apply (simp add: s0_ptr_defs)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_2 s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_2 s0_ptrs_aligned split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
apply (elim disjE, simp_all add: sameRegionAs_def ARM_H.sameRegionAs_def isCap_simps)[1]
apply (simp add: s0_ptr_defs)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_3 s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: ARM_H.sameRegionAs_def isCap_simps kh0H_all_obj_def' s0_ptr_defs split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_3 s0_ptrs_aligned split: if_split_asm)
apply (clarsimp simp: ARM_H.sameRegionAs_def isCap_simps kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
apply (elim disjE, simp_all add: sameRegionAs_def isCap_simps)[1]
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' split: if_split_asm)
apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
apply (elim disjE, simp_all add: sameRegionAs_def isCap_simps)[1]
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps split: if_split_asm)
apply (drule(2) ucast_shiftr_13E)
apply (rule s0_ptrs_aligned)
apply simp
@ -2501,11 +2501,11 @@ lemma sameRegionAs_s0H:
apply (rule s0_ptrs_aligned)
apply simp
apply clarsimp
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_13E s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_13E s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_13E s0_ptrs_aligned split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_13E s0_ptrs_aligned split: if_split_asm)
apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
apply (elim disjE, simp_all add: sameRegionAs_def isCap_simps)[1]
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps split: if_split_asm)
apply (drule(2) ucast_shiftr_2)
apply (rule s0_ptrs_aligned)
apply simp
@ -2513,13 +2513,13 @@ lemma sameRegionAs_s0H:
apply (rule s0_ptrs_aligned)
apply simp
apply clarsimp
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' split: if_split_asm)
apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
apply (elim disjE, simp_all add: sameRegionAs_def isCap_simps)[1]
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_13E s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_13E s0_ptrs_aligned split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps split: if_split_asm)
apply (drule(2) ucast_shiftr_13E)
apply (rule s0_ptrs_aligned)
apply simp
@ -2527,12 +2527,12 @@ lemma sameRegionAs_s0H:
apply (rule s0_ptrs_aligned)
apply simp
apply clarsimp
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_13E s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_13E s0_ptrs_aligned split: if_split_asm)
apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
apply (elim disjE, simp_all add: sameRegionAs_def ARM_H.sameRegionAs_def isCap_simps)[1]
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_3 s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_3 s0_ptrs_aligned split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps split: if_split_asm)
apply (drule(2) ucast_shiftr_3)
apply (rule s0_ptrs_aligned)
apply simp
@ -2540,19 +2540,19 @@ lemma sameRegionAs_s0H:
apply (rule s0_ptrs_aligned)
apply simp
apply clarsimp
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps split: if_split_asm)
apply (drule(2) ucast_shiftr_3)
apply (rule s0_ptrs_aligned)
apply simp
apply (drule(2) ucast_shiftr_3)
apply (rule s0_ptrs_aligned)
apply simp
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps s0_ptrs_aligned ARM_H.sameRegionAs_def isCap_simps split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps s0_ptrs_aligned ARM_H.sameRegionAs_def isCap_simps split: if_split_asm)
apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
apply (elim disjE, simp_all add: sameRegionAs_def isCap_simps)[1]
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_2 s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_2 s0_ptrs_aligned split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps split: if_split_asm)
apply (drule(2) ucast_shiftr_2)
apply (rule s0_ptrs_aligned)
apply simp
@ -2560,11 +2560,11 @@ lemma sameRegionAs_s0H:
apply (rule s0_ptrs_aligned)
apply simp
apply clarsimp
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps split: if_split_asm)
apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
apply (elim disjE, simp_all add: sameRegionAs_def isCap_simps)[1]
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps s0_ptrs_aligned split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps split: if_split_asm)
apply (drule(2) ucast_shiftr_1)
apply (rule s0_ptrs_aligned)
apply simp
@ -2572,13 +2572,13 @@ lemma sameRegionAs_s0H:
apply (rule s0_ptrs_aligned)
apply simp
apply clarsimp
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' split: if_split_asm)
apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
apply (elim disjE, simp_all add: sameRegionAs_def isCap_simps)[1]
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_13E s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_13E s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_13E s0_ptrs_aligned split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_13E s0_ptrs_aligned split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps split: if_split_asm)
apply (drule(2) ucast_shiftr_13E)
apply (rule s0_ptrs_aligned)
apply simp
@ -2588,11 +2588,11 @@ lemma sameRegionAs_s0H:
apply clarsimp
apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
apply (elim disjE, simp_all add: sameRegionAs_def ARM_H.sameRegionAs_def isCap_simps)[1]
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_3 s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_3 s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_3 s0_ptrs_aligned ARM_H.sameRegionAs_def isCap_simps split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_3 s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_3 s0_ptrs_aligned split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_3 s0_ptrs_aligned split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_3 s0_ptrs_aligned ARM_H.sameRegionAs_def isCap_simps split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_3 s0_ptrs_aligned split: if_split_asm)
apply (drule(2) ucast_shiftr_3)
apply (rule s0_ptrs_aligned)
apply simp
@ -2602,10 +2602,10 @@ lemma sameRegionAs_s0H:
apply clarsimp
apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
apply (elim disjE, simp_all add: sameRegionAs_def isCap_simps)[1]
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_2 s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_2 s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_2 s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_2 s0_ptrs_aligned split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_2 s0_ptrs_aligned split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_2 s0_ptrs_aligned split: if_split_asm)
apply (drule(2) ucast_shiftr_2)
apply (rule s0_ptrs_aligned)
apply simp
@ -2615,9 +2615,9 @@ lemma sameRegionAs_s0H:
apply clarsimp
apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
apply (elim disjE, simp_all add: sameRegionAs_def isCap_simps)[1]
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_1 s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_1 s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_1 s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_1 s0_ptrs_aligned split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_1 s0_ptrs_aligned split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_1 s0_ptrs_aligned split: if_split_asm)
apply (drule(2) ucast_shiftr_1)
apply (rule s0_ptrs_aligned)
apply simp
@ -2695,7 +2695,7 @@ lemma s0H_valid_pspace':
apply simp
apply simp
apply ((erule r_into_trancl[OF next_fold], clarsimp)+)[5]
apply (clarsimp simp: Silc_cte_cte_def cnode_offs_range_def Silc_cte'_def Silc_capsH_def empty_cte_def split: split_if_asm)
apply (clarsimp simp: Silc_cte_cte_def cnode_offs_range_def Silc_cte'_def Silc_capsH_def empty_cte_def split: if_split_asm)
apply (rule r_r_into_trancl)
apply (erule next_fold)
apply simp
@ -2704,9 +2704,9 @@ lemma s0H_valid_pspace':
apply simp
apply (erule r_into_trancl[OF next_fold], simp)
apply (erule r_into_trancl[OF next_fold], simp)
apply (clarsimp simp: High_cte_cte_def cnode_offs_range_def High_cte'_def High_capsH_def empty_cte_def split: split_if_asm)
apply (clarsimp simp: High_cte_cte_def cnode_offs_range_def High_cte'_def High_capsH_def empty_cte_def split: if_split_asm)
apply ((erule r_into_trancl[OF next_fold], clarsimp)+)[5]
apply (clarsimp simp: Low_cte_cte_def cnode_offs_range_def Low_cte'_def Low_capsH_def empty_cte_def split: split_if_asm)
apply (clarsimp simp: Low_cte_cte_def cnode_offs_range_def Low_cte'_def Low_capsH_def empty_cte_def split: if_split_asm)
apply (rule trancl_into_trancl2)
apply (erule next_fold)
apply simp
@ -2720,27 +2720,27 @@ lemma s0H_valid_pspace':
apply (erule r_into_trancl[OF next_fold], simp)+
apply (clarsimp simp: valid_badges_def)
apply (frule_tac x=p in map_to_ctes_kh0H_SomeD)
apply (elim disjE, (clarsimp simp: kh0H_all_obj_def Low_cte_cte_def High_cte_cte_def Silc_cte_cte_def isCap_simps cnode_offs_range_def split: split_if_asm)+)[1]
apply (elim disjE, (clarsimp simp: kh0H_all_obj_def Low_cte_cte_def High_cte_cte_def Silc_cte_cte_def isCap_simps cnode_offs_range_def split: if_split_asm)+)[1]
apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
apply (elim disjE, (clarsimp simp: kh0H_all_obj_def Low_cte_cte_def High_cte_cte_def Silc_cte_cte_def isCap_simps cnode_offs_range_def sameRegionAs_def split: split_if_asm)+)[1]
apply (elim disjE, (clarsimp simp: kh0H_all_obj_def Low_cte_cte_def High_cte_cte_def Silc_cte_cte_def isCap_simps cnode_offs_range_def sameRegionAs_def split: if_split_asm)+)[1]
apply (intro conjI impI)
apply (clarsimp simp: High_cte_cte_def kh0H_all_obj_def isCap_simps split: split_if_asm)
apply (clarsimp simp: High_cte_cte_def kh0H_all_obj_def isCap_simps split: if_split_asm)
apply (drule(1) sameRegion_ntfn)
apply (clarsimp simp: High_cte_cte_def kh0H_all_obj_def isCap_simps split: split_if_asm)
apply (clarsimp simp: High_cte_cte_def kh0H_all_obj_def isCap_simps split: if_split_asm)
apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
apply (elim disjE, (clarsimp simp: kh0H_all_obj_def High_cte_cte_def Low_cte_cte_def Silc_cte_cte_def split: split_if_asm)+)[1]
apply (elim disjE, (clarsimp simp: kh0H_all_obj_def High_cte_cte_def Low_cte_cte_def Silc_cte_cte_def split: if_split_asm)+)[1]
apply (intro conjI impI)
apply (clarsimp simp: Low_cte_cte_def kh0H_all_obj_def isCap_simps split: split_if_asm)
apply (clarsimp simp: Low_cte_cte_def kh0H_all_obj_def isCap_simps split: if_split_asm)
apply (drule(1) sameRegion_ntfn)
apply (clarsimp simp: Low_cte_cte_def kh0H_all_obj_def isCap_simps split: split_if_asm)
apply (clarsimp simp: Low_cte_cte_def kh0H_all_obj_def isCap_simps split: if_split_asm)
apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
apply (elim disjE, (clarsimp simp: kh0H_all_obj_def High_cte_cte_def Low_cte_cte_def Silc_cte_cte_def split: split_if_asm)+)[1]
apply (elim disjE, (clarsimp simp: kh0H_all_obj_def High_cte_cte_def Low_cte_cte_def Silc_cte_cte_def split: if_split_asm)+)[1]
apply (clarsimp simp: caps_contained'_def)
apply (drule_tac x=p in map_to_ctes_kh0H_SomeD)
apply (elim disjE, simp_all)[1]
apply (clarsimp simp: Silc_cte_cte_def kh0H_all_obj_def split: split_if_asm)
apply (clarsimp simp: High_cte_cte_def kh0H_all_obj_def split: split_if_asm)
apply (clarsimp simp: Low_cte_cte_def kh0H_all_obj_def split: split_if_asm)
apply (clarsimp simp: Silc_cte_cte_def kh0H_all_obj_def split: if_split_asm)
apply (clarsimp simp: High_cte_cte_def kh0H_all_obj_def split: if_split_asm)
apply (clarsimp simp: Low_cte_cte_def kh0H_all_obj_def split: if_split_asm)
apply (clarsimp simp: mdb_chunked_def)
apply (frule(3) sameRegionAs_s0H)
apply (clarsimp simp: conj_disj_distribL)
@ -2756,20 +2756,20 @@ lemma s0H_valid_pspace':
apply (clarsimp simp: untyped_mdb'_def)
apply (drule_tac x=p in map_to_ctes_kh0H_SomeD)
apply (elim disjE, simp_all add: isCap_simps kh0H_all_obj_def')[1]
apply ((clarsimp split: split_if_asm)+)[3]
apply ((clarsimp split: if_split_asm)+)[3]
apply (clarsimp simp: untyped_inc'_def)
apply (rule FalseE)
apply (drule_tac x=p in map_to_ctes_kh0H_SomeD)
apply (elim disjE, simp_all add: isCap_simps kh0H_all_obj_def')[1]
apply ((clarsimp split: split_if_asm)+)[3]
apply ((clarsimp split: if_split_asm)+)[3]
apply (clarsimp simp: valid_nullcaps_def)
apply (drule map_to_ctes_kh0H_SomeD)
apply (elim disjE, simp_all add: kh0H_all_obj_def' nullMDBNode_def)
apply ((clarsimp split: split_if_asm)+)[3]
apply ((clarsimp split: if_split_asm)+)[3]
apply (clarsimp simp: ut_revocable'_def)
apply (drule map_to_ctes_kh0H_SomeD)
apply (elim disjE, simp_all add: isCap_simps kh0H_all_obj_def')[1]
apply ((clarsimp split: split_if_asm)+)[3]
apply ((clarsimp split: if_split_asm)+)[3]
apply (clarsimp simp: class_links_def)
apply (subst(asm) mdb_next_s0H)
apply (drule_tac x=p' in map_to_ctes_kh0H_SomeD)
@ -2778,15 +2778,15 @@ lemma s0H_valid_pspace':
apply (clarsimp simp: distinct_zombies_def distinct_zombie_caps_def)
apply (drule_tac x=ptr in map_to_ctes_kh0H_SomeD)
apply (elim disjE, simp_all add: isCap_simps kh0H_all_obj_def')[1]
apply ((clarsimp split: split_if_asm)+)[3]
apply ((clarsimp split: if_split_asm)+)[3]
apply (clarsimp simp: irq_control_def)
apply (drule map_to_ctes_kh0H_SomeD)
apply (elim disjE, simp_all add: isCap_simps kh0H_all_obj_def')[1]
apply ((clarsimp split: split_if_asm)+)[3]
apply ((clarsimp split: if_split_asm)+)[3]
apply (clarsimp simp: reply_masters_rvk_fb_def ran_def)
apply (frule map_to_ctes_kh0H_SomeD)
apply (elim disjE, simp_all add: isCap_simps kh0H_all_obj_def')[1]
apply ((clarsimp split: split_if_asm)+)[3]
apply ((clarsimp split: if_split_asm)+)[3]
done
end
@ -2837,9 +2837,9 @@ lemma s0H_invs:
apply (erule notE, rule pspace_distinctD''[OF _ s0H_pspace_distinct'])
apply (simp add: objBitsKO_def)
apply (clarsimp simp: irq_cte_def)
apply (clarsimp simp: Low_cte_def Low_cte'_def split: split_if_asm)
apply (clarsimp simp: High_cte_def High_cte'_def split: split_if_asm)
apply (clarsimp simp: Silc_cte_def Silc_cte'_def split: split_if_asm)
apply (clarsimp simp: Low_cte_def Low_cte'_def split: if_split_asm)
apply (clarsimp simp: High_cte_def High_cte'_def split: if_split_asm)
apply (clarsimp simp: Silc_cte_def Silc_cte'_def split: if_split_asm)
apply (clarsimp simp: global_pdH'_def)
apply (clarsimp simp: High_pdH_def)
apply (clarsimp simp: Low_pdH_def)
@ -2858,7 +2858,7 @@ lemma s0H_invs:
apply (clarsimp simp: ex_nonz_cap_to'_def cte_wp_at_ctes_of)
apply (rule_tac x="Silc_cnode_ptr + 0x13E0" in exI)
apply (clarsimp simp: kh0H_all_obj_def')
apply (clarsimp split: split_if_asm)+
apply (clarsimp split: if_split_asm)+
apply (rule conjI)
apply (clarsimp simp: if_unsafe_then_cap'_def ex_cte_cap_wp_to'_def cte_wp_at_ctes_of)
apply (frule map_to_ctes_kh0H_SomeD)
@ -2876,7 +2876,7 @@ lemma s0H_invs:
apply (rule_tac x="High_cnode_ptr + 0x10" in exI)
apply (clarsimp simp: kh0H_all_obj_def' image_def)
apply (rule_tac x="Silc_cnode_ptr + 0x20" in exI)
apply (clarsimp simp: kh0H_all_obj_def' image_def to_bl_use_of_bl cte_level_bits_def the_nat_to_bl_simps split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' image_def to_bl_use_of_bl cte_level_bits_def the_nat_to_bl_simps split: if_split_asm)
apply (drule(2) ucast_shiftr_13E, rule s0_ptrs_aligned, simp)
apply (rule_tac x="0x13E" in bexI)
apply simp
@ -2886,7 +2886,7 @@ lemma s0H_invs:
apply simp
apply simp
apply (rule_tac x="High_cnode_ptr + 0x20" in exI)
apply (clarsimp simp: kh0H_all_obj_def' image_def to_bl_use_of_bl cte_level_bits_def the_nat_to_bl_simps split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' image_def to_bl_use_of_bl cte_level_bits_def the_nat_to_bl_simps split: if_split_asm)
apply (drule(2) ucast_shiftr_13E, rule s0_ptrs_aligned, simp)
apply (rule_tac x="0x13E" in bexI)
apply simp
@ -2904,7 +2904,7 @@ lemma s0H_invs:
apply simp
apply simp
apply (rule_tac x="Low_cnode_ptr + 0x20" in exI)
apply (clarsimp simp: kh0H_all_obj_def' image_def to_bl_use_of_bl cte_level_bits_def the_nat_to_bl_simps split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' image_def to_bl_use_of_bl cte_level_bits_def the_nat_to_bl_simps split: if_split_asm)
apply (drule(2) ucast_shiftr_13E, rule s0_ptrs_aligned, simp)
apply (rule_tac x="0x13E" in bexI)
apply simp
@ -2964,7 +2964,7 @@ lemma s0H_invs:
apply (clarsimp simp: valid_irq_handlers'_def cteCaps_of_def ran_def)
apply (drule_tac map_to_ctes_kh0H_SomeD)
apply (elim disjE, simp_all add: kh0H_all_obj_def')[1]
apply ((clarsimp split: split_if_asm)+)[3]
apply ((clarsimp split: if_split_asm)+)[3]
apply (rule conjI)
apply (clarsimp simp: valid_irq_states'_def s0H_internal_def machine_state0_def)
apply (rule conjI)
@ -2989,7 +2989,7 @@ lemma s0H_invs:
apply (clarsimp simp: valid_pde_mappings'_def obj_at'_def projectKO_eq project_inject)
apply (drule kh0H_SomeD)
apply (elim disjE, simp_all add: kh0H_all_obj_def High_pd'H_def Low_pd'H_def)[1]
apply (clarsimp split: split_if_asm)+
apply (clarsimp split: if_split_asm)+
apply (clarsimp simp: objBitsKO_def archObjSize_def valid_pde_mapping_offset'_def pd_asid_slot_def pdBits_def pageBits_def)
apply (cut_tac x="x - init_global_pd >> 2" and n=12 and 'a=12 in ucast_mask_drop)
apply simp
@ -2999,7 +2999,7 @@ lemma s0H_invs:
apply (subst(asm) is_aligned_mask[where w="init_global_pd", THEN iffD1])
apply (simp add: s0_ptrs_aligned)
apply (simp add: kernel_base_def)
apply (clarsimp simp: objBitsKO_def archObjSize_def valid_pde_mapping_offset'_def pd_asid_slot_def pdBits_def pageBits_def split: split_if_asm)
apply (clarsimp simp: objBitsKO_def archObjSize_def valid_pde_mapping_offset'_def pd_asid_slot_def pdBits_def pageBits_def split: if_split_asm)
apply (cut_tac x="x - High_pd_ptr >> 2" and n=12 and 'a=12 in ucast_mask_drop)
apply simp
apply (subst(asm) shiftr_then_mask_commute)
@ -3016,7 +3016,7 @@ lemma s0H_invs:
apply (subst(asm) is_aligned_mask[where w="High_pd_ptr", THEN iffD1])
apply (simp add: s0_ptrs_aligned)
apply (simp add: kernel_base_def)
apply (clarsimp simp: objBitsKO_def archObjSize_def valid_pde_mapping_offset'_def pd_asid_slot_def pdBits_def pageBits_def split: split_if_asm)
apply (clarsimp simp: objBitsKO_def archObjSize_def valid_pde_mapping_offset'_def pd_asid_slot_def pdBits_def pageBits_def split: if_split_asm)
apply (cut_tac x="x - Low_pd_ptr >> 2" and n=12 and 'a=12 in ucast_mask_drop)
apply simp
apply (subst(asm) shiftr_then_mask_commute)
@ -3033,8 +3033,8 @@ lemma s0H_invs:
apply (subst(asm) is_aligned_mask[where w="Low_pd_ptr", THEN iffD1])
apply (simp add: s0_ptrs_aligned)
apply (simp add: kernel_base_def)
apply (clarsimp split: split_if_asm)
apply (clarsimp split: split_if_asm)
apply (clarsimp split: if_split_asm)
apply (clarsimp split: if_split_asm)
apply (rule conjI)
apply (clarsimp simp: kdr_pspace_domain_valid) (* use axiomatization for now *)
(* unfold s0H_internal for remaining goals *)
@ -3062,7 +3062,7 @@ lemma kh0_pspace_dom:
apply (rule equalityI)
apply (simp add: dom_def pspace_dom_def)
apply clarsimp
apply (clarsimp simp: kh0_def obj_relation_cuts_def pd_offs_in_range pt_offs_in_range cnode_offs_in_range irq_node_offs_in_range s0_ptrs_aligned pageBits_def kh0_obj_def cte_map_def caps_dom_length_10 split: split_if_asm)
apply (clarsimp simp: kh0_def obj_relation_cuts_def pd_offs_in_range pt_offs_in_range cnode_offs_in_range irq_node_offs_in_range s0_ptrs_aligned pageBits_def kh0_obj_def cte_map_def caps_dom_length_10 split: if_split_asm)
apply (clarsimp simp: pspace_dom_def dom_def)
apply (rule conjI)
apply (rule_tac x=init_globals_frame in exI)
@ -3194,45 +3194,45 @@ lemma s0_pspace_rel:
apply (drule kh0_SomeD)
apply (elim disjE)
apply (clarsimp simp: pageBits_def)
apply (clarsimp simp: kh0H_obj_def split del: split_if)
apply (clarsimp simp: kh0H_obj_def split del: if_split)
apply (cut_tac x=ya in pd_offs_in_range(3))
apply (clarsimp simp: pd_offs_range_def pde_relation_def pde_relation_aligned_def)
apply (clarsimp simp: kh0H_all_obj_def kh0_obj_def other_obj_relation_def
tcb_relation_def arch_tcb_relation_def fault_rel_optionation_def
word_bits_def the_nat_to_bl_simps)+
apply (clarsimp simp: kh0H_obj_def High_pt_def High_pt'H_def High_pt'_def split del: split_if)
apply (clarsimp simp: kh0H_obj_def High_pt_def High_pt'H_def High_pt'_def split del: if_split)
apply (cut_tac x=ya in pt_offs_in_range(2))
apply (clarsimp simp: pt_offs_range_def pte_relation_def pte_relation_aligned_def pte_relation'_def)
apply (clarsimp simp: kh0H_obj_def Low_pt_def Low_pt'H_def Low_pt'_def split del: split_if)
apply (clarsimp simp: kh0H_obj_def Low_pt_def Low_pt'H_def Low_pt'_def split del: if_split)
apply (cut_tac x=ya in pt_offs_in_range(1))
apply (clarsimp simp: pt_offs_range_def pte_relation_def pte_relation_aligned_def pte_relation'_def)
apply (clarsimp simp: kh0H_obj_def High_pd_def High_pd'H_def High_pd'_def split del: split_if)
apply (clarsimp simp: kh0H_obj_def High_pd_def High_pd'H_def High_pd'_def split del: if_split)
apply (cut_tac x=ya in pd_offs_in_range(2))
apply (clarsimp simp: pd_offs_range_def pde_relation_def pde_relation_aligned_def pde_relation'_def)
apply (clarsimp simp: kh0H_obj_def Low_pd_def Low_pd'H_def Low_pd'_def split del: split_if)
apply (clarsimp simp: kh0H_obj_def Low_pd_def Low_pd'H_def Low_pd'_def split del: if_split)
apply (cut_tac x=ya in pd_offs_in_range(1))
apply (clarsimp simp: pd_offs_range_def pde_relation_def pde_relation_aligned_def pde_relation'_def)
apply (clarsimp simp: kh0H_obj_def irq_cnode_def cte_map_def cte_relation_def well_formed_cnode_n_def split: split_if_asm)
apply (clarsimp simp: kh0H_obj_def irq_cnode_def cte_map_def cte_relation_def well_formed_cnode_n_def split: if_split_asm)
apply (clarsimp simp: kh0H_obj_def kh0_obj_def other_obj_relation_def ntfn_relation_def)
apply (clarsimp simp: kh0H_obj_def kh0_obj_def cte_relation_def cte_map_def)
apply (cut_tac dom_caps(1))[1]
apply (frule_tac m="Silc_caps" in domI)
apply (cut_tac x=ya in cnode_offs_in_range(3))
apply simp
apply (clarsimp simp: cnode_offs_range_def Silc_cte_def Silc_cte'_def Silc_capsH_def the_nat_to_bl_simps Silc_caps_def cte_level_bits_def empty_cte_def split: split_if_asm)
apply (clarsimp simp: cnode_offs_range_def Silc_cte_def Silc_cte'_def Silc_capsH_def the_nat_to_bl_simps Silc_caps_def cte_level_bits_def empty_cte_def split: if_split_asm)
apply (clarsimp simp: kh0H_obj_def kh0_obj_def cte_relation_def cte_map_def)
apply (cut_tac dom_caps(2))[1]
apply (frule_tac m="High_caps" in domI)
apply (cut_tac x=ya in cnode_offs_in_range(2))
apply simp
apply (clarsimp simp: cnode_offs_range_def High_cte_def High_cte'_def High_capsH_def the_nat_to_bl_simps High_caps_def cte_level_bits_def empty_cte_def split: split_if_asm)
apply (clarsimp simp: cnode_offs_range_def High_cte_def High_cte'_def High_capsH_def the_nat_to_bl_simps High_caps_def cte_level_bits_def empty_cte_def split: if_split_asm)
apply (clarsimp simp: kh0H_obj_def kh0_obj_def cte_relation_def cte_map_def)
apply (cut_tac dom_caps(3))[1]
apply (frule_tac m="Low_caps" in domI)
apply (cut_tac x=ya in cnode_offs_in_range(1))
apply simp
apply (clarsimp simp: cnode_offs_range_def Low_cte_def Low_cte'_def Low_capsH_def the_nat_to_bl_simps Low_caps_def cte_level_bits_def empty_cte_def split: split_if_asm)
apply (clarsimp simp: kh0H_obj_def irq_cnode_def cte_map_def cte_relation_def well_formed_cnode_n_def empty_cte_def dom_def split: split_if_asm)
apply (clarsimp simp: cnode_offs_range_def Low_cte_def Low_cte'_def Low_capsH_def the_nat_to_bl_simps Low_caps_def cte_level_bits_def empty_cte_def split: if_split_asm)
apply (clarsimp simp: kh0H_obj_def irq_cnode_def cte_map_def cte_relation_def well_formed_cnode_n_def empty_cte_def dom_def split: if_split_asm)
apply (drule irq_node_offs_range_correct)
apply clarsimp
done
@ -3247,8 +3247,8 @@ lemma s0_srel: "(s0_internal, s0H_internal) \<in> state_relation"
apply (simp add: s0_pspace_rel)
apply (clarsimp simp: ekheap_relation_def)
apply (case_tac "ksPSpace s0H_internal x")
apply (clarsimp simp: s0_internal_def s0H_internal_def exst0_def kh0H_def option_update_range_def split: split_if_asm option.splits)
apply (clarsimp simp: s0_internal_def s0H_internal_def exst0_def etcb_relation_def idle_tcbH_def High_tcbH_def High_etcb_def Low_tcbH_def Low_etcb_def default_etcb_def split: split_if_asm)
apply (clarsimp simp: s0_internal_def s0H_internal_def exst0_def kh0H_def option_update_range_def split: if_split_asm option.splits)
apply (clarsimp simp: s0_internal_def s0H_internal_def exst0_def etcb_relation_def idle_tcbH_def High_tcbH_def High_etcb_def Low_tcbH_def Low_etcb_def default_etcb_def split: if_split_asm)
apply (simp add: s0_internal_def exst0_def s0H_internal_def sched_act_relation_def)
apply (simp add: s0_internal_def exst0_def s0H_internal_def ready_queues_relation_def)
apply (clarsimp simp: s0_internal_def exst0_def s0H_internal_def ghost_relation_def)
@ -3330,11 +3330,11 @@ lemma s0_srel: "(s0_internal, s0H_internal) \<in> state_relation"
apply (simp add: finite_depth_def)
apply simp
apply (clarsimp simp: revokable_relation_def)
apply (clarsimp simp: null_filter_def split: split_if_asm)
apply (clarsimp simp: null_filter_def split: if_split_asm)
apply (drule s0_caps_of_state)
apply clarsimp
apply (elim disjE)
apply (clarsimp simp: cte_map_def s0H_internal_def s0_internal_def kh0H_all_obj_def' cte_level_bits_def split: split_if_asm)+
apply (clarsimp simp: cte_map_def s0H_internal_def s0_internal_def kh0H_all_obj_def' cte_level_bits_def split: if_split_asm)+
apply (clarsimp simp: tcb_cnode_index_def ucast_bl[symmetric] Low_tcb_cte_def Low_tcbH_def High_tcb_cte_def High_tcbH_def)
apply ((clarsimp simp: cte_map_def s0H_internal_def s0_internal_def,
clarsimp simp: tcb_cnode_index_def ucast_bl[symmetric] Low_tcb_cte_def Low_tcbH_def High_tcb_cte_def High_tcbH_def)+)[5]
@ -3352,9 +3352,9 @@ lemma step_restrict_s0:
apply (rule_tac x="fst (fst s0H)" in exI)
apply (rule_tac x="snd (fst s0H)" in exI)
apply (rule_tac x="snd s0H" in exI)
apply (simp add: s0H_def lift_fst_rel_def lift_snd_rel_def s0_srel s0_def split del: split_if)
apply (simp add: s0H_def lift_fst_rel_def lift_snd_rel_def s0_srel s0_def split del: if_split)
apply (rule conjI)
apply (clarsimp split: split_if_asm)
apply (clarsimp split: if_split_asm)
apply (rule conjI)
apply clarsimp
apply (drule ct_idle'_related[OF s0_srel s0H_invs])
@ -3372,14 +3372,14 @@ lemma step_restrict_s0:
apply (clarsimp simp: vs_valid_duplicates'_def split: option.splits)
apply (frule kh0H_SomeD)
apply (elim disjE, simp_all add: vs_ptr_align_def kh0H_all_obj_def')[1]
apply (clarsimp simp: the_nat_to_bl_simps split: split_if_asm)
apply (clarsimp simp: the_nat_to_bl_simps split: split_if_asm)
apply (clarsimp simp: the_nat_to_bl_simps split: split_if_asm)
apply (clarsimp split: split_if_asm)
apply (clarsimp simp: High_pd'H_def split: split_if_asm)
apply (clarsimp simp: Low_pd'H_def split: split_if_asm)
apply (clarsimp simp: High_pt'H_def split: split_if_asm)
apply (clarsimp simp: Low_pt'H_def split: split_if_asm)
apply (clarsimp simp: the_nat_to_bl_simps split: if_split_asm)
apply (clarsimp simp: the_nat_to_bl_simps split: if_split_asm)
apply (clarsimp simp: the_nat_to_bl_simps split: if_split_asm)
apply (clarsimp split: if_split_asm)
apply (clarsimp simp: High_pd'H_def split: if_split_asm)
apply (clarsimp simp: Low_pd'H_def split: if_split_asm)
apply (clarsimp simp: High_pt'H_def split: if_split_asm)
apply (clarsimp simp: Low_pt'H_def split: if_split_asm)
apply (clarsimp simp: ct_in_state'_def st_tcb_at'_def obj_at'_def projectKO_eq project_inject s0H_internal_def objBitsKO_def s0_ptrs_aligned Low_tcbH_def)
apply (rule pspace_distinctD''[OF _ s0H_pspace_distinct', simplified s0H_internal_def])
apply (simp add: objBitsKO_def kh0H_simps[simplified cte_level_bits_def])


@ -696,7 +696,7 @@ lemma weak_derived_overlaps':
apply(erule disjE)
prefer 2
apply simp
apply(simp add: copy_of_def split: split_if_asm add: same_object_as_def split: cap.splits)
apply(simp add: copy_of_def split: if_split_asm add: same_object_as_def split: cap.splits)
apply((case_tac cap; simp)+)[5]
subgoal for arch1 arch2 by (cases arch1; cases arch2; simp)
done
@ -797,7 +797,7 @@ lemma cap_swap_silc_inv:
apply(rule hoare_gen_asm)
unfolding cap_swap_def
apply(rule hoare_pre)
apply (wp set_cap_silc_inv hoare_vcg_ex_lift set_cap_slots_holding_overlapping_caps_other[where aag=aag] set_cdt_silc_inv static_imp_wp | simp split del: split_if)+
apply (wp set_cap_silc_inv hoare_vcg_ex_lift set_cap_slots_holding_overlapping_caps_other[where aag=aag] set_cdt_silc_inv static_imp_wp | simp split del: if_split)+
apply(rule conjI)
apply(rule impI, elim conjE)
apply(drule weak_derived_overlaps)
@ -1035,7 +1035,7 @@ lemma set_thread_state_silc_inv[wp]:
\<lbrace>\<lambda>_. silc_inv aag st\<rbrace>"
unfolding set_thread_state_def
apply(rule silc_inv_pres)
apply(wp set_object_wp|simp split del: split_if)+
apply(wp set_object_wp|simp split del: if_split)+
apply (simp split: kernel_object.splits)
apply(rule impI | simp)+
apply(fastforce simp: silc_inv_def dest: get_tcb_SomeD simp: obj_at_def is_cap_table_def)
@ -1059,7 +1059,7 @@ lemma set_bound_notification_silc_inv[wp]:
\<lbrace>\<lambda>_. silc_inv aag st\<rbrace>"
unfolding set_bound_notification_def
apply(rule silc_inv_pres)
apply(wp set_object_wp|simp split del: split_if)+
apply(wp set_object_wp|simp split del: if_split)+
apply (simp split: kernel_object.splits)
apply(rule impI | simp)+
apply(fastforce simp: silc_inv_def dest: get_tcb_SomeD simp: obj_at_def is_cap_table_def)
@ -1301,13 +1301,13 @@ crunch silc_inv[wp]: arch_finalise_cap "silc_inv aag st"
lemma finalise_cap_silc_inv:
"\<lbrace> silc_inv aag st and pas_refined aag and K (pas_cap_cur_auth aag cap)\<rbrace> finalise_cap cap final \<lbrace>\<lambda>_. silc_inv aag st\<rbrace>"
apply(case_tac cap)
apply(wp cancel_ipc_silc_inv | simp split del: split_if add: suspend_def| clarsimp)+
apply(wp cancel_ipc_silc_inv | simp split del: if_split add: suspend_def| clarsimp)+
apply(clarsimp simp: aag_cap_auth_Thread)
apply(wp | simp split del: split_if | clarsimp split del: split_if)+
apply(wp | simp split del: if_split | clarsimp split del: if_split)+
apply(rule hoare_pre)
apply (wp cap_delete_one_silc_inv | simp add: deleting_irq_handler_def)+
apply (fastforce simp: aag_cap_auth_def cap_links_irq_def elim: aag_Control_into_owns_irq)
apply(wp | simp split del: split_if)+
apply(wp | simp split del: if_split)+
done
@ -1320,8 +1320,8 @@ lemma validE_validE_R':
lemma finalise_cap_ret_subset_cap_irqs:
"\<lbrace>\<lambda> s. (cap_irqs cap) = X\<rbrace> finalise_cap cap blah \<lbrace>\<lambda>rv s. (cap_irqs (fst rv)) \<subseteq> X\<rbrace>"
apply(case_tac cap)
apply(wp | simp add: o_def split del: split_if)+
apply(simp split: split_if)
apply(wp | simp add: o_def split del: if_split)+
apply(simp split: if_split)
apply(wp | simp add: o_def | safe)+
apply(simp add: arch_finalise_cap_def)
apply(rule hoare_pre)
@ -1331,8 +1331,8 @@ lemma finalise_cap_ret_subset_cap_irqs:
lemma finalise_cap_ret_subset_obj_refs:
"\<lbrace>\<lambda> s. (Structures_A.obj_refs cap) = X\<rbrace> finalise_cap cap blah \<lbrace>\<lambda>rv s. (Structures_A.obj_refs (fst rv)) \<subseteq> X\<rbrace>"
apply(case_tac cap)
apply(wp | simp add: o_def split del: split_if)+
apply(simp split: split_if)
apply(wp | simp add: o_def split del: if_split)+
apply(simp split: if_split)
apply(wp | simp add: o_def | safe)+
apply(simp add: arch_finalise_cap_def)
apply(rule hoare_pre)
@ -1433,7 +1433,7 @@ lemma arch_finalise_cap_ret:
lemma finalise_cap_ret:
"(rv, s') \<in> fst (finalise_cap cap final s) \<Longrightarrow> case (fst rv) of NullCap \<Rightarrow> True | Zombie ptr bits n \<Rightarrow> True | _ \<Rightarrow> False"
apply(case_tac cap, simp_all add: return_def)
apply(fastforce simp: liftM_def when_def bind_def return_def split: split_if_asm)+
apply(fastforce simp: liftM_def when_def bind_def return_def split: if_split_asm)+
apply(clarsimp simp: bind_def liftM_def return_def)
apply(drule arch_finalise_cap_ret)
apply(simp)
@ -1705,17 +1705,17 @@ lemma rec_del_silc_inv':
done
next
case (2 slot exposed s) show ?case
apply(simp add: rec_del.simps split del: split_if)
apply(simp add: rec_del.simps split del: if_split)
apply(rule hoare_pre_spec_validE)
apply(wp drop_spec_validE[OF returnOk_wp] drop_spec_validE[OF liftE_wp] set_cap_silc_inv
"2.hyps"
|simp add: split_def split del: split_if)+
|simp add: split_def split del: if_split)+
apply(rule drop_spec_validE, (wp preemption_point_inv'| simp)+)[1]
apply simp
apply(rule spec_valid_conj_liftE2)
apply(wp validE_validE_R'[OF rec_del_pas_refined'[simplified]] "2.hyps"
drop_spec_validE[OF liftE_wp] set_cap_silc_inv
|simp add: without_preemption_def split del: split_if)+
|simp add: without_preemption_def split del: if_split)+
(* where the action is *)
apply(simp cong: conj_cong add: conj_comms)
@ -2121,7 +2121,7 @@ lemma invoke_untyped_silc_inv:
apply (rule hoare_pre)
apply (wp set_cap_silc_inv_simple set_cap_cte_wp_at)
apply (cases ui, clarsimp simp: cte_wp_at_caps_of_state is_cap_simps
split del: split_if cong: if_cong)
split del: if_split cong: if_cong)
apply (clarsimp simp: authorised_untyped_inv_def)
apply (wp reset_untyped_cap_silc_inv reset_untyped_cap_untyped_cap)
apply simp
@ -2274,10 +2274,10 @@ lemma set_mrs_silc_inv[wp]:
\<lbrace>\<lambda>_. silc_inv aag st\<rbrace>"
unfolding set_mrs_def
apply(rule silc_inv_pres)
apply(wp crunch_wps set_object_wp | wpc | simp add: crunch_simps split del: split_if)+
apply(wp crunch_wps set_object_wp | wpc | simp add: crunch_simps split del: if_split)+
apply (clarsimp)
apply(fastforce simp: silc_inv_def dest: get_tcb_SomeD simp: obj_at_def is_cap_table_def)
apply(wp crunch_wps set_object_wp | wpc | simp add: crunch_simps split del: split_if)+
apply(wp crunch_wps set_object_wp | wpc | simp add: crunch_simps split del: if_split)+
apply(case_tac "a = fst slot")
apply(clarsimp split: kernel_object.splits cong: conj_cong)
apply(erule notE)
@ -2340,7 +2340,7 @@ lemma cap_insert_silc_inv':
\<lbrace>\<lambda>_. silc_inv aag st\<rbrace>"
unfolding cap_insert_def
apply (wp set_cap_silc_inv hoare_vcg_ex_lift set_untyped_cap_as_full_slots_holding_overlapping_caps_other[where aag=aag] get_cap_wp update_cdt_silc_inv set_cap_caps_of_state2 set_untyped_cap_as_full_cdt_is_original_cap static_imp_wp | simp split del: split_if)+
apply (wp set_cap_silc_inv hoare_vcg_ex_lift set_untyped_cap_as_full_slots_holding_overlapping_caps_other[where aag=aag] get_cap_wp update_cdt_silc_inv set_cap_caps_of_state2 set_untyped_cap_as_full_cdt_is_original_cap static_imp_wp | simp split del: if_split)+
apply (intro allI impI conjI)
apply clarsimp
apply(fastforce dest: silc_invD simp: intra_label_cap_def)
@ -2512,7 +2512,7 @@ lemma cap_insert_silc_inv'':
cap_insert cap src dest
\<lbrace>\<lambda>_. silc_inv aag st\<rbrace>"
unfolding cap_insert_def
apply (wp set_cap_silc_inv hoare_vcg_ex_lift set_untyped_cap_as_full_slots_holding_overlapping_caps_other[where aag=aag] get_cap_wp update_cdt_silc_inv set_cap_caps_of_state2 set_untyped_cap_as_full_cdt_is_original_cap static_imp_wp | simp split del: split_if)+
apply (wp set_cap_silc_inv hoare_vcg_ex_lift set_untyped_cap_as_full_slots_holding_overlapping_caps_other[where aag=aag] get_cap_wp update_cdt_silc_inv set_cap_caps_of_state2 set_untyped_cap_as_full_cdt_is_original_cap static_imp_wp | simp split del: if_split)+
apply (intro impI conjI allI)
apply clarsimp
apply(fastforce simp: silc_inv_def)
@ -2728,7 +2728,7 @@ lemma receive_ipc_base_silc_inv:
apply (clarsimp simp: thread_get_def get_thread_state_def cong: endpoint.case_cong)
apply (rule hoare_pre)
apply (wp setup_caller_cap_silc_inv
| wpc | simp split del: split_if)+
| wpc | simp split del: if_split)+
apply (rename_tac list tcb data)
apply(rule_tac Q="\<lambda> r s. (sender_can_grant data \<longrightarrow> is_subject aag receiver \<and> is_subject aag (hd list)) \<and> silc_inv aag st s" in hoare_strengthen_post)
apply(wp do_ipc_transfer_silc_inv hoare_vcg_all_lift | wpc | simp)+
@ -2803,7 +2803,7 @@ lemma send_fault_ipc_silc_inv:
apply(wp send_ipc_silc_inv thread_set_valid_objs thread_set_tcb_fault_update_valid_mdb
thread_set_fault_pas_refined thread_set_refs_trivial thread_set_obj_at_impossible
hoare_vcg_ex_lift
| wpc| simp add: Let_def split_def lookup_cap_def valid_tcb_fault_update split del: split_if)+
| wpc| simp add: Let_def split_def lookup_cap_def valid_tcb_fault_update split del: if_split)+
apply(rule_tac Q="\<lambda> handler_cap s. silc_inv aag st s \<and>
valid_objs s \<and> valid_mdb s \<and>
pas_refined aag s \<and>
@ -2930,7 +2930,7 @@ lemma invoke_tcb_silc_inv:
apply(case_tac tinv)
apply((wp restart_silc_inv hoare_vcg_if_lift suspend_silc_inv mapM_x_wp[OF _ subset_refl] static_imp_wp
| wpc
| simp split del: split_if add: authorised_tcb_inv_def check_cap_at_def
| simp split del: if_split add: authorised_tcb_inv_def check_cap_at_def
| clarsimp)+)[3]
defer
apply((wp suspend_silc_inv restart_silc_inv | simp add: authorised_tcb_inv_def)+)[2]
@ -2992,10 +2992,10 @@ lemma handle_invocation_silc_inv:
\<lbrace>\<lambda>_. silc_inv aag st\<rbrace>"
apply (simp add: handle_invocation_def ts_Restart_case_helper split_def
liftE_liftM_liftME liftME_def bindE_assoc
split del: split_if)
split del: if_split)
apply(wp syscall_valid perform_invocation_silc_inv set_thread_state_runnable_valid_sched
set_thread_state_pas_refined decode_invocation_authorised
| simp split del: split_if)+
| simp split del: if_split)+
apply(rule_tac E="\<lambda>ft. silc_inv aag st and pas_refined aag and
valid_objs and
sym_refs \<circ> state_refs_of and


@ -1384,7 +1384,7 @@ lemma reply_cancel_ipc_reads_respects_f:
reads_respects_f[OF get_cap_rev, where st=st and aag=aag] assert_wp
reads_respects_f[OF thread_set_reads_respects, where st=st and aag=aag ]
reads_respects_f[OF gets_descendants_of_revrv[folded equiv_valid_def2]]
| simp add: when_def split del: split_if | elim conjE)+
| simp add: when_def split del: if_split | elim conjE)+
apply(rule_tac Q="\<lambda> rv s. silc_inv aag st s \<and> invs s \<and> pas_refined aag s \<and> is_subject aag tptr \<and>
(\<forall>x\<in>descendants_of (tptr, tcb_cnode_index 2) (cdt s).
is_subject aag (fst x))" in hoare_strengthen_post)
@ -1469,18 +1469,18 @@ lemma finalise_cap_reads_respects:
and K (final \<longrightarrow> (case cap of EndpointCap r badge rights \<Rightarrow> is_subject aag r |
NotificationCap r badge rights \<Rightarrow> is_subject aag r |
_ \<Rightarrow> True))) (finalise_cap cap final)"
apply(case_tac cap, simp_all split del: split_if)
apply(case_tac cap, simp_all split del: if_split)
apply ((wp cancel_all_ipc_reads_respects cancel_all_signals_reads_respects
suspend_reads_respects_f[where st=st] deleting_irq_handler_reads_respects
unbind_notification_is_subj_reads_respects
unbind_maybe_notification_reads_respects
unbind_notification_invs unbind_maybe_notification_invs
| simp add: when_def split del: split_if
| simp add: when_def split del: if_split
add: invs_valid_objs invs_sym_refs aag_cap_auth_def
cap_auth_conferred_def cap_rights_to_auth_def
cap_links_irq_def aag_has_auth_to_Control_eq_owns
| rule aag_Control_into_owns_irq
| clarsimp split del: split_if
| clarsimp split del: if_split
| rule conjI
| wp_once reads_respects_f[where st=st]
| blast
@ -1611,7 +1611,7 @@ next
drop_spec_ev[OF preemption_point_reads_respects_f[where st=st and st'=st']]
validE_validE_R'[OF rec_del_silc_inv] rec_del_invs rec_del_respects(2)
rec_del_only_timer_irq_inv
| simp add: split_def split del: split_if | (rule irq_state_independent_A_conjI, simp)+)+
| simp add: split_def split del: if_split | (rule irq_state_independent_A_conjI, simp)+)+
apply(rule_tac Q'="\<lambda>rv s. emptyable (slot_rdcall (ReduceZombieCall (fst rvb) slot exposed)) s \<and> (\<not> exposed \<longrightarrow>
ex_cte_cap_wp_to (\<lambda>cp. cap_irqs cp = {}) slot s) \<and>
is_subject aag (fst slot)" in hoare_post_imp_R)
@ -1647,7 +1647,7 @@ next
apply (clarsimp simp: cte_wp_at_caps_of_state)
apply (erule disjE)
apply (clarsimp simp: cap_irq_opt_def cte_wp_at_def is_zombie_def
split: cap.split_asm split_if_asm
split: cap.split_asm if_split_asm
elim!: ranE dest!: caps_of_state_cteD)
apply(clarsimp cong: conj_cong simp: conj_comms)
apply(rename_tac word option nat)


@ -93,12 +93,12 @@ lemma handle_interrupt_irq_masks:
handle_interrupt irq
\<lbrace>\<lambda>rv s. P (irq_masks_of_state s)\<rbrace>"
apply (rule hoare_gen_asm)
apply(simp add: handle_interrupt_def split del: split_if)
apply(simp add: handle_interrupt_def split del: if_split)
apply (rule hoare_pre)
apply (rule hoare_if)
apply simp
apply( wp dmo_wp
| simp add: ackInterrupt_def maskInterrupt_def when_def split del: split_if
| simp add: ackInterrupt_def maskInterrupt_def when_def split del: if_split
| wpc
| simp add: get_irq_state_def handle_reserved_irq_def
| wp_once hoare_drop_imp)+
@ -124,10 +124,10 @@ lemma rec_del_irq_masks':
done
next
case (2 slot exposed s) show ?case
apply(simp add: rec_del.simps split del: split_if)
apply(simp add: rec_del.simps split del: if_split)
apply(rule hoare_pre_spec_validE)
apply(wp drop_spec_validE[OF returnOk_wp] drop_spec_validE[OF liftE_wp] set_cap_domain_sep_inv
|simp add: split_def split del: split_if)+
|simp add: split_def split del: if_split)+
apply(rule spec_strengthen_postE)
apply(rule "2.hyps"[simplified], fastforce+)
apply(rule drop_spec_validE, (wp preemption_point_inv | simp)+)[1]
@ -137,7 +137,7 @@ lemma rec_del_irq_masks':
apply(wp finalise_cap_domain_sep_inv_cap get_cap_wp
finalise_cap_returns_None[where irqs=False, simplified]
drop_spec_validE[OF liftE_wp] set_cap_domain_sep_inv
|simp split del: split_if
|simp split del: if_split
|wp_once hoare_drop_imps)+
apply(blast dest: cte_wp_at_domain_sep_inv_cap)
done
@ -217,7 +217,7 @@ lemma invoke_tcb_irq_masks:
apply(case_tac tinv)
apply((wp restart_irq_masks hoare_vcg_if_lift mapM_x_wp[OF _ subset_refl]
| wpc
| simp split del: split_if add: check_cap_at_def
| simp split del: if_split add: check_cap_at_def
| clarsimp)+)[3]
defer
apply((wp | simp )+)[2]
@ -328,7 +328,7 @@ lemma invoke_cnode_irq_masks:
\<lbrace>\<lambda>_ s. P (irq_masks_of_state s)\<rbrace>"
unfolding invoke_cnode_def
apply(case_tac ci)
apply(wp cap_insert_irq_masks cap_move_irq_masks cap_revoke_irq_masks[where st=st] cap_delete_irq_masks[where st=st] | simp split del: split_if)+
apply(wp cap_insert_irq_masks cap_move_irq_masks cap_revoke_irq_masks[where st=st] cap_delete_irq_masks[where st=st] | simp split del: if_split)+
apply(rule hoare_pre)
by(wp hoare_vcg_all_lift | simp | wpc | wp_once hoare_drop_imps | rule hoare_pre)+
@ -365,13 +365,13 @@ lemma decode_invocation_IRQHandlerCap:
(\<exists>a b. cte_wp_at
(op = (IRQHandlerCap (irq_of_handler_inv x)))
(a, b) s))\<rbrace>,-"
apply(simp add: decode_invocation_def split del: split_if)
apply(simp add: decode_invocation_def split del: if_split)
apply(rule hoare_pre)
apply (wp | wpc | simp add: o_def)+
apply (rule hoare_post_imp_R[where Q'="\<top>\<top>"])
apply wp
apply (clarsimp simp: uncurry_def)
apply(wp | wpc | simp add: decode_irq_handler_invocation_def o_def split del: split_if)+
apply(wp | wpc | simp add: decode_irq_handler_invocation_def o_def split del: if_split)+
apply (safe | rule TrueI | simp add: op_equal | rule exI[where x="fst slot"], rule exI[where x="snd slot"])+
done
@ -381,9 +381,9 @@ lemma handle_invocation_irq_masks:
\<lbrace> \<lambda> rv s. P (irq_masks_of_state s) \<rbrace>"
apply (simp add: handle_invocation_def ts_Restart_case_helper split_def
liftE_liftM_liftME liftME_def bindE_assoc
split del: split_if)
split del: if_split)
apply(wp static_imp_wp syscall_valid perform_invocation_irq_masks[where st=st] hoare_vcg_all_lift hoare_vcg_ex_lift decode_invocation_IRQHandlerCap
| simp split del: split_if)+
| simp split del: if_split)+
apply(simp add: invs_valid_objs)
done
