Isabelle2016-1: update references to renamed constants and facts
parent
0b039a0735
commit
41d4aa4f1d
@ -179,8 +179,8 @@ lemma helper3: "(\<Sum>(a, b) \<leftarrow> xs. Suc (f a b)) = length xs + (\<Sum
|
|||
by clarsimp+
|
||||
|
||||
lemma helper4: "fold op + ((map (\<lambda>(a, b). f a b) xs)::nat list) 0 = (\<Sum>(a, b) \<leftarrow> xs. f a b)"
|
||||
apply (subst fold_plus_listsum_rev)
|
||||
apply (subst listsum_rev)
|
||||
apply (subst fold_plus_sum_list_rev)
|
||||
apply (subst sum_list_rev)
|
||||
by clarsimp
|
||||
|
||||
lemma set_of_enumerate:"card (set (enumerate n xs)) = length xs"
|
||||
@ -51,7 +51,7 @@ lemma distinct_prefix:
|
|||
"\<lbrakk> distinct xs; ys \<le> xs \<rbrakk> \<Longrightarrow> distinct ys"
|
||||
apply (induct xs arbitrary: ys; clarsimp)
|
||||
apply (case_tac ys; clarsimp)
|
||||
by (fastforce simp: less_eq_list_def dest: set_mono_prefixeq)
|
||||
by (fastforce simp: less_eq_list_def dest: set_mono_prefix)
|
||||
|
||||
lemma distinct_sets_prop:
|
||||
"distinct_sets xs = distinct_prop (\<lambda>x y. x \<inter> y = {}) xs"
|
||||
|
@ -62,10 +62,10 @@ lemma distinct_take_strg:
|
|||
by simp
|
||||
|
||||
lemma distinct_prop_prefixE:
|
||||
"\<lbrakk> distinct_prop P ys; prefixeq xs ys \<rbrakk> \<Longrightarrow> distinct_prop P xs"
|
||||
"\<lbrakk> distinct_prop P ys; prefix xs ys \<rbrakk> \<Longrightarrow> distinct_prop P xs"
|
||||
apply (induct xs arbitrary: ys; clarsimp)
|
||||
apply (case_tac ys; clarsimp)
|
||||
by (fastforce dest: set_mono_prefixeq)
|
||||
by (fastforce dest: set_mono_prefix)
|
||||
|
||||
|
||||
lemma distinct_sets_union_sub:
|
||||
|
@ -108,7 +108,7 @@ lemma distinct_sets_append_Cons_disjoint:
|
|||
|
||||
lemma distinct_prop_take:
|
||||
"\<lbrakk>distinct_prop P xs; i < length xs\<rbrakk> \<Longrightarrow> distinct_prop P (take i xs)"
|
||||
by (metis take_is_prefixeq distinct_prop_prefixE)
|
||||
by (metis take_is_prefix distinct_prop_prefixE)
|
||||
|
||||
lemma distinct_sets_take:
|
||||
"\<lbrakk>distinct_sets xs; i < length xs\<rbrakk> \<Longrightarrow> distinct_sets (take i xs)"
|
||||
@ -329,7 +329,7 @@ lemma if_ev:
|
|||
assumes "b \<Longrightarrow> equiv_valid I A B P f"
|
||||
assumes "\<not> b \<Longrightarrow> equiv_valid I A B Q g"
|
||||
shows "equiv_valid I A B (\<lambda>s. (b \<longrightarrow> P s) \<and> (\<not>b \<longrightarrow> Q s)) (if b then f else g)"
|
||||
apply (clarsimp split: split_if)
|
||||
apply (clarsimp split: if_split)
|
||||
using assms by blast
|
||||
|
||||
lemmas if_ev_pre = equiv_valid_guard_imp[OF if_ev]
|
||||
|
@ -984,7 +984,7 @@ lemma if_evrv:
|
|||
assumes "b \<Longrightarrow> equiv_valid_rv_inv I A R P f"
|
||||
assumes "\<not> b \<Longrightarrow> equiv_valid_rv_inv I A R Q g"
|
||||
shows "equiv_valid_rv_inv I A R (\<lambda>s. (b \<longrightarrow> P s) \<and> (\<not>b \<longrightarrow> Q s)) (if b then f else g)"
|
||||
apply (clarsimp split: split_if)
|
||||
apply (clarsimp split: if_split)
|
||||
using assms by blast
|
||||
|
||||
end
|
||||
@ -47,8 +47,8 @@ lemma corres_mapM_list_all2:
|
|||
and rc: "\<And>x xs y ys. \<lbrakk> r xs ys; r' x y \<rbrakk> \<Longrightarrow> r (x # xs) (y # ys)"
|
||||
and corr: "\<And>x xs y ys. \<lbrakk> S x y; list_all2 S xs ys \<rbrakk>
|
||||
\<Longrightarrow> corres_underlying sr nf nf' r' (Q (x # xs)) (Q' (y # ys)) (f x) (f' y)"
|
||||
and ha: "\<And>x xs y. \<lbrakk> S x y; suffixeq (x#xs) as \<rbrakk> \<Longrightarrow> \<lbrace>Q (x # xs)\<rbrace> f x \<lbrace>\<lambda>r. Q xs\<rbrace>"
|
||||
and hc: "\<And>x y ys. \<lbrakk> S x y; suffixeq (y#ys) cs \<rbrakk> \<Longrightarrow> \<lbrace>Q' (y # ys) \<rbrace> f' y \<lbrace>\<lambda>r. Q' ys\<rbrace>"
|
||||
and ha: "\<And>x xs y. \<lbrakk> S x y; suffix (x#xs) as \<rbrakk> \<Longrightarrow> \<lbrace>Q (x # xs)\<rbrace> f x \<lbrace>\<lambda>r. Q xs\<rbrace>"
|
||||
and hc: "\<And>x y ys. \<lbrakk> S x y; suffix (y#ys) cs \<rbrakk> \<Longrightarrow> \<lbrace>Q' (y # ys) \<rbrace> f' y \<lbrace>\<lambda>r. Q' ys\<rbrace>"
|
||||
and lall: "list_all2 S as cs"
|
||||
shows "corres_underlying sr nf nf' r (Q as) (Q' cs) (mapM f as) (mapM f' cs)"
|
||||
using lall
|
||||
@ -108,7 +108,7 @@ lemma break_subsetsD:
|
|||
apply simp
|
||||
apply (case_tac "break f xs")
|
||||
apply (elim meta_allE, drule(1) meta_mp)
|
||||
apply (fastforce simp: split_def split: split_if_asm)
|
||||
apply (fastforce simp: split_def split: if_split_asm)
|
||||
done
|
||||
|
||||
lemma distinct_prop_breakD:
|
||||
|
@ -116,7 +116,7 @@ lemma distinct_prop_breakD:
|
|||
\<Longrightarrow> \<forall>y \<in> set ys. \<forall>z \<in> set zs. P y z"
|
||||
apply (induct xs arbitrary: ys zs)
|
||||
apply simp
|
||||
apply (simp add: split_def split: split_if_asm)
|
||||
apply (simp add: split_def split: if_split_asm)
|
||||
apply (case_tac "break f xs")
|
||||
apply (elim meta_allE, drule(1) meta_mp)
|
||||
apply (frule break_subsetsD)
|
||||
|
@ -267,13 +267,13 @@ lemma snd_stateAssert_after:
|
|||
"\<not> snd ((do _ \<leftarrow> f; stateAssert R vs od) s) \<Longrightarrow>
|
||||
\<not>snd (f s) \<and> (\<forall>(rv, s') \<in> fst (f s). R s')"
|
||||
apply (clarsimp simp: bind_def stateAssert_def get_def assert_def
|
||||
return_def fail_def split_def split: split_if_asm)
|
||||
return_def fail_def split_def split: if_split_asm)
|
||||
done
|
||||
|
||||
lemma oblivious_stateAssert [simp]:
|
||||
"oblivious f (stateAssert g xs) = (\<forall>s. g (f s) = g s)"
|
||||
apply (simp add: oblivious_def stateAssert_def exec_get
|
||||
assert_def return_def fail_def split: split_if)
|
||||
assert_def return_def fail_def split: if_split)
|
||||
apply auto
|
||||
done
|
||||
|
||||
|
@ -295,7 +295,7 @@ lemma findM_is_mapME:
|
|||
liftM_def cong: if_cong)
|
||||
apply (simp add: liftE_bindE bind_assoc)
|
||||
apply (rule bind_cong[OF refl])
|
||||
apply (simp add: bindE_assoc split: split_if)
|
||||
apply (simp add: bindE_assoc split: if_split)
|
||||
apply (simp add: liftE_bindE bind_assoc throwError_bind)
|
||||
done
|
||||
|
||||
@ -295,8 +295,8 @@ lemma sum_suc_pair: "(\<Sum>(a, b) \<leftarrow> xs. Suc (f a b)) = length xs + (
|
|||
by clarsimp+
|
||||
|
||||
lemma fold_add_sum: "fold op + ((map (\<lambda>(a, b). f a b) xs)::nat list) 0 = (\<Sum>(a, b) \<leftarrow> xs. f a b)"
|
||||
apply (subst fold_plus_listsum_rev)
|
||||
apply (subst listsum_rev)
|
||||
apply (subst fold_plus_sum_list_rev)
|
||||
apply (subst sum_list_rev)
|
||||
by clarsimp
|
||||
|
||||
lemma set_of_enumerate:"card (set (enumerate n xs)) = length xs"
|
||||
|
@ -435,7 +435,7 @@ lemma dom_map_fold:"dom (fold op ++ (map (\<lambda>x. [f x \<mapsto> g x]) xs) m
|
|||
by (induct xs arbitrary:f g ms; clarsimp)
|
||||
|
||||
lemma list_ran_prop:"map_of (map (\<lambda>x. (f x, g x)) xs) i = Some t \<Longrightarrow> \<exists>x \<in> set xs. g x = t"
|
||||
by (induct xs arbitrary:f g t i; clarsimp split:split_if_asm)
|
||||
by (induct xs arbitrary:f g t i; clarsimp split:if_split_asm)
|
||||
|
||||
lemma in_set_enumerate_eq2:"(a, b) \<in> set (enumerate n xs) \<Longrightarrow> (b = xs ! (a - n))"
|
||||
by (simp add: in_set_enumerate_eq)
|
||||
@ -53,7 +53,7 @@ lemma exec_Guard:
|
|||
"(G \<turnstile> \<langle>Guard Err S c, Normal s\<rangle> \<Rightarrow> s')
|
||||
= (if s \<in> S then G \<turnstile> \<langle>c, Normal s\<rangle> \<Rightarrow> s'
|
||||
else s' = Fault Err)"
|
||||
by (auto split: split_if elim!: exec_elim_cases intro: exec.intros)
|
||||
by (auto split: if_split elim!: exec_elim_cases intro: exec.intros)
|
||||
|
||||
lemma to_bytes_word8:
|
||||
"to_bytes (v :: word8) xs = [v]"
|
||||
|
@ -285,7 +285,7 @@ lemma intvl_nowrap:
|
|||
apply (drule intvlD)
|
||||
apply clarsimp
|
||||
apply (simp add: unat_arith_simps)
|
||||
apply (simp split: split_if_asm)
|
||||
apply (simp split: if_split_asm)
|
||||
apply (simp add: unat_of_nat)
|
||||
done
|
||||
|
||||
|
@ -457,16 +457,16 @@ next
|
|||
by (simp add: map_le_def list_map_def merge_dom2 set_zip)
|
||||
|
||||
hence "length xs < length n" and "x = n ! length xs"
|
||||
by (auto simp add: list_map_eq split: split_if_asm)
|
||||
by (auto simp add: list_map_eq split: if_split_asm)
|
||||
|
||||
thus "xs @ [x] \<le> n" using xsn
|
||||
by (simp add: append_one_prefixeq less_eq_list_def)
|
||||
by (simp add: append_one_prefix less_eq_list_def)
|
||||
qed
|
||||
|
||||
lemma typ_slice_t_self:
|
||||
"td \<in> fst ` set (typ_slice_t td m)"
|
||||
apply (cases td)
|
||||
apply (simp split: split_if)
|
||||
apply (simp split: if_split)
|
||||
done
|
||||
|
||||
lemma drop_heap_list_le2:
|
||||
|
@ -874,7 +874,7 @@ lemma typ_slice_t_array:
|
|||
typ_slice_t (export_uinfo (array_tag TYPE('a['b :: finite])))
|
||||
(y + size_of TYPE('a :: mem_type) * n)"
|
||||
apply (simp add: array_tag_def array_tag_n_eq
|
||||
split del: split_if)
|
||||
split del: if_split)
|
||||
apply (rule disjI2)
|
||||
apply (subgoal_tac "y + (size_of TYPE('a) * n) < CARD('b) * size_of TYPE('a)")
|
||||
apply (simp add: typ_slice_list_cut[where m="size_of TYPE('a)"]
|
||||
|
@ -1114,7 +1114,7 @@ lemma ptr_retyp_valid_footprint_disjoint2:
|
|||
apply (subst (asm) ptr_retyp_d)
|
||||
apply clarsimp
|
||||
apply fast
|
||||
apply (clarsimp simp add: ptr_retyp_d_eq_fst split: split_if_asm)
|
||||
apply (clarsimp simp add: ptr_retyp_d_eq_fst split: if_split_asm)
|
||||
apply fast
|
||||
apply (erule intvlI)
|
||||
done
|
||||
|
@ -1141,7 +1141,7 @@ lemma h_t_valid_ptr_retyp_eq:
|
|||
"\<not> cptr_type p <\<^sub>\<tau> cptr_type p' \<Longrightarrow> h_t_valid (ptr_retyp p td) g p'
|
||||
= (if ptr_span p \<inter> ptr_span p' = {} then h_t_valid td g p'
|
||||
else field_of_t p' p \<and> g p')"
|
||||
apply (clarsimp simp: ptr_retyp_disjoint_iff split: split_if)
|
||||
apply (clarsimp simp: ptr_retyp_disjoint_iff split: if_split)
|
||||
apply (cases "g p'")
|
||||
apply (rule iffI)
|
||||
apply (rule ccontr, drule h_t_valid_neq_disjoint, rule ptr_retyp_h_t_valid, simp+)
|
||||
|
@ -1157,10 +1157,10 @@ lemma field_lookup_list_Some_again:
|
|||
\<Longrightarrow> i < length xs
|
||||
\<Longrightarrow> f \<notin> dt_snd ` set ((take i xs))
|
||||
\<Longrightarrow> field_lookup_list xs [f] n
|
||||
= Some (dt_fst (xs ! i), n + listsum (map (size_td o dt_fst) (take i xs)))"
|
||||
= Some (dt_fst (xs ! i), n + sum_list (map (size_td o dt_fst) (take i xs)))"
|
||||
apply (induct xs arbitrary: i n, simp_all)
|
||||
apply (case_tac x1, simp)
|
||||
apply (case_tac i, auto split: split_if)
|
||||
apply (case_tac i, auto split: if_split)
|
||||
done
|
||||
|
||||
lemma field_lookup_array:
|
||||
|
@ -1169,7 +1169,7 @@ lemma field_lookup_array:
|
|||
(\<lambda>x. x.[n]) (\<lambda>x f. Arrays.update f n x), i + n * size_of TYPE ('a))"
|
||||
apply (simp add: typ_info_array array_tag_def array_tag_n_eq)
|
||||
apply (subst field_lookup_list_Some_again[where i=n],
|
||||
auto simp add: take_map o_def listsum_triv size_of_def)
|
||||
auto simp add: take_map o_def sum_list_triv size_of_def)
|
||||
done
|
||||
|
||||
end
|
||||
76
lib/Lib.thy
76
lib/Lib.thy
|
@ -636,7 +636,7 @@ lemma trancl_trancl:
|
|||
|
||||
lemma if_1_0_0:
|
||||
"((if P then 1 else 0) = (0 :: ('a :: zero_neq_one))) = (\<not> P)"
|
||||
by (simp split: split_if)
|
||||
by (simp split: if_split)
|
||||
|
||||
lemma neq_Nil_lengthI:
|
||||
"Suc 0 \<le> length xs \<Longrightarrow> xs \<noteq> []"
|
||||
|
@ -686,11 +686,11 @@ definition
|
|||
|
||||
lemma graph_of_None_update:
|
||||
"graph_of (f (p := None)) = graph_of f - {p} \<times> UNIV"
|
||||
by (auto simp: graph_of_def split: split_if_asm)
|
||||
by (auto simp: graph_of_def split: if_split_asm)
|
||||
|
||||
lemma graph_of_Some_update:
|
||||
"graph_of (f (p \<mapsto> v)) = (graph_of f - {p} \<times> UNIV) \<union> {(p,v)}"
|
||||
by (auto simp: graph_of_def split: split_if_asm)
|
||||
by (auto simp: graph_of_def split: if_split_asm)
|
||||
|
||||
lemma graph_of_restrict_map:
|
||||
"graph_of (m |` S) \<subseteq> graph_of m"
|
||||
|
@ -847,7 +847,7 @@ lemma UN_sub_empty:
|
|||
|
||||
lemma bij_betw_fun_updI:
|
||||
"\<lbrakk>x \<notin> A; y \<notin> B; bij_betw f A B\<rbrakk> \<Longrightarrow> bij_betw (f(x := y)) (insert x A) (insert y B)"
|
||||
by (clarsimp simp: bij_betw_def fun_upd_image inj_on_fun_updI split: split_if_asm)
|
||||
by (clarsimp simp: bij_betw_def fun_upd_image inj_on_fun_updI split: if_split_asm)
|
||||
|
||||
definition
|
||||
"bij_betw_map f A B \<equiv> bij_betw f A (Some ` B)"
|
||||
|
@ -1015,16 +1015,16 @@ lemma fold_to_map_of:
|
|||
apply (case_tac "fold op ++ (map (\<lambda>x. [f x \<mapsto> g x]) xs) Map.empty x")
|
||||
apply clarsimp
|
||||
apply (drule fold_ignore3)
|
||||
apply (clarsimp split:split_if_asm)
|
||||
apply (clarsimp split:if_split_asm)
|
||||
apply (rule sym)
|
||||
apply (subst map_of_eq_None_iff)
|
||||
apply clarsimp
|
||||
apply (rename_tac xa)
|
||||
apply (erule_tac x=xa in ballE; clarsimp)
|
||||
apply clarsimp
|
||||
apply (frule fold_ignore5; clarsimp split:split_if_asm)
|
||||
apply (frule fold_ignore5; clarsimp split:if_split_asm)
|
||||
apply (subst map_add_map_of_foldr[where m=empty, simplified])
|
||||
apply (induct xs arbitrary:f g; clarsimp split:split_if)
|
||||
apply (induct xs arbitrary:f g; clarsimp split:if_split)
|
||||
apply (rule conjI; clarsimp)
|
||||
apply (drule fold_ignore9; clarsimp)
|
||||
apply (cut_tac ms="map (\<lambda>x. [f x \<mapsto> g x]) xs" and f="[f a \<mapsto> g a]" and x="f b" in fold_ignore6, clarsimp)
|
||||
|
@ -1033,7 +1033,7 @@ lemma fold_to_map_of:
|
|||
|
||||
lemma if_n_0_0:
|
||||
"((if P then n else 0) \<noteq> 0) = (P \<and> n \<noteq> 0)"
|
||||
by (simp split: split_if)
|
||||
by (simp split: if_split)
|
||||
|
||||
lemma insert_dom:
|
||||
assumes fx: "f x = Some y"
|
||||
|
@ -1297,7 +1297,7 @@ lemma insert_minus_eq:
|
|||
|
||||
lemma modify_map_K_D:
|
||||
"modify_map m p (\<lambda>x. y) p' = Some v \<Longrightarrow> (m (p \<mapsto> y)) p' = Some v"
|
||||
by (simp add: modify_map_def split: split_if_asm)
|
||||
by (simp add: modify_map_def split: if_split_asm)
|
||||
|
||||
lemma tranclE2:
|
||||
assumes trancl: "(a, b) \<in> r\<^sup>+"
|
||||
|
@ -1391,7 +1391,7 @@ lemma foldl_fun_upd:
|
|||
lemma all_rv_choice_fn_eq_pred:
|
||||
"\<lbrakk> \<And>rv. P rv \<Longrightarrow> \<exists>fn. f rv = g fn \<rbrakk> \<Longrightarrow> \<exists>fn. \<forall>rv. P rv \<longrightarrow> f rv = g (fn rv)"
|
||||
apply (rule_tac x="\<lambda>rv. SOME h. f rv = g h" in exI)
|
||||
apply (clarsimp split: split_if)
|
||||
apply (clarsimp split: if_split)
|
||||
by (meson someI_ex)
|
||||
|
||||
lemma ex_const_function:
|
||||
|
@ -1400,13 +1400,13 @@ lemma ex_const_function:
|
|||
|
||||
lemma if_Const_helper:
|
||||
"If P (Con x) (Con y) = Con (If P x y)"
|
||||
by (simp split: split_if)
|
||||
by (simp split: if_split)
|
||||
|
||||
lemmas if_Some_helper = if_Const_helper[where Con=Some]
|
||||
|
||||
lemma expand_restrict_map_eq:
|
||||
"(m |` S = m' |` S) = (\<forall>x. x \<in> S \<longrightarrow> m x = m' x)"
|
||||
by (simp add: fun_eq_iff restrict_map_def split: split_if)
|
||||
by (simp add: fun_eq_iff restrict_map_def split: if_split)
|
||||
|
||||
lemma disj_imp_rhs:
|
||||
"(P \<Longrightarrow> Q) \<Longrightarrow> (P \<or> Q) = Q"
|
||||
|
@ -1473,7 +1473,7 @@ lemma list_case_If:
|
|||
|
||||
lemma remove1_Nil_in_set:
|
||||
"\<lbrakk> remove1 x xs = []; xs \<noteq> [] \<rbrakk> \<Longrightarrow> x \<in> set xs"
|
||||
by (induct xs) (auto split: split_if_asm)
|
||||
by (induct xs) (auto split: if_split_asm)
|
||||
|
||||
lemma remove1_empty:
|
||||
"(remove1 v xs = []) = (xs = [v] \<or> xs = [])"
|
||||
|
@ -1481,7 +1481,7 @@ lemma remove1_empty:
|
|||
|
||||
lemma set_remove1:
|
||||
"x \<in> set (remove1 y xs) \<Longrightarrow> x \<in> set xs"
|
||||
by (induct xs) (auto split: split_if_asm)
|
||||
by (induct xs) (auto split: if_split_asm)
|
||||
|
||||
lemma If_rearrage:
|
||||
"(if P then if Q then x else y else z) = (if P \<and> Q then x else if P then y else z)"
|
||||
|
@ -1626,15 +1626,15 @@ lemma Min_prop:
|
|||
|
||||
lemma findSomeD:
|
||||
"find P xs = Some x \<Longrightarrow> P x \<and> x \<in> set xs"
|
||||
by (induct xs) (auto split: split_if_asm)
|
||||
by (induct xs) (auto split: if_split_asm)
|
||||
|
||||
lemma findNoneD:
|
||||
"find P xs = None \<Longrightarrow> \<forall>x \<in> set xs. \<not>P x"
|
||||
by (induct xs) (auto split: split_if_asm)
|
||||
by (induct xs) (auto split: if_split_asm)
|
||||
|
||||
lemma dom_upd:
|
||||
"dom (\<lambda>x. if x = y then None else f x) = dom f - {y}"
|
||||
by (rule set_eqI) (auto split: split_if_asm)
|
||||
by (rule set_eqI) (auto split: if_split_asm)
|
||||
|
||||
|
||||
definition
|
||||
|
@ -1721,7 +1721,7 @@ lemma map_comp_eq:
|
|||
|
||||
lemma dom_If_Some:
|
||||
"dom (\<lambda>x. if x \<in> S then Some v else f x) = (S \<union> dom f)"
|
||||
by (auto split: split_if)
|
||||
by (auto split: if_split)
|
||||
|
||||
lemma foldl_fun_upd_const:
|
||||
"foldl (\<lambda>s x. s(f x := v)) s xs
|
||||
|
@ -1767,7 +1767,7 @@ qed
|
|||
|
||||
lemma ran_del_subset:
|
||||
"y \<in> ran (f (x := None)) \<Longrightarrow> y \<in> ran f"
|
||||
by (auto simp: ran_def split: split_if_asm)
|
||||
by (auto simp: ran_def split: if_split_asm)
|
||||
|
||||
lemma trancl_sub_lift:
|
||||
assumes sub: "\<And>p p'. (p,p') \<in> r \<Longrightarrow> (p,p') \<in> r'"
|
||||
|
@ -1819,7 +1819,7 @@ lemma psubset_singleton:
|
|||
|
||||
lemma length_takeWhile_ge:
|
||||
"length (takeWhile f xs) = n \<Longrightarrow> length xs = n \<or> (length xs > n \<and> \<not> f (xs ! n))"
|
||||
by (induct xs arbitrary: n) (auto split: split_if_asm)
|
||||
by (induct xs arbitrary: n) (auto split: if_split_asm)
|
||||
|
||||
lemma length_takeWhile_le:
|
||||
"\<not> f (xs ! n) \<Longrightarrow> length (takeWhile f xs) \<le> n"
|
||||
|
@ -1828,7 +1828,7 @@ lemma length_takeWhile_le:
|
|||
lemma length_takeWhile_gt:
|
||||
"n < length (takeWhile f xs)
|
||||
\<Longrightarrow> (\<exists>ys zs. length ys = Suc n \<and> xs = ys @ zs \<and> takeWhile f xs = ys @ takeWhile f zs)"
|
||||
apply (induct xs arbitrary: n; simp split: split_if_asm)
|
||||
apply (induct xs arbitrary: n; simp split: if_split_asm)
|
||||
apply (case_tac n; simp)
|
||||
apply (rule_tac x="[a]" in exI)
|
||||
apply simp
|
||||
|
@ -1910,7 +1910,7 @@ lemma Collect_int_vars:
|
|||
|
||||
lemma if_0_1_eq:
|
||||
"((if P then 1 else 0) = (case Q of True \<Rightarrow> of_nat 1 | False \<Rightarrow> of_nat 0)) = (P = Q)"
|
||||
by (simp split: split_if bool.split)
|
||||
by (simp split: if_split bool.split)
|
||||
|
||||
lemma modify_map_exists_cte :
|
||||
"(\<exists>cte. modify_map m p f p' = Some cte) = (\<exists>cte. m p' = Some cte)"
|
||||
|
@ -1997,7 +1997,7 @@ lemma case_option_over_if:
|
|||
= (if G then P else Q v)"
|
||||
"case_option P Q (if G then Some v else None)
|
||||
= (if G then Q v else P)"
|
||||
by (simp split: split_if)+
|
||||
by (simp split: if_split)+
|
||||
|
||||
lemma map_length_cong:
|
||||
"\<lbrakk> length xs = length ys; \<And>x y. (x, y) \<in> set (zip xs ys) \<Longrightarrow> f x = g y \<rbrakk>
|
||||
|
@ -2318,31 +2318,31 @@ lemma fst_last_zip_upt:
|
|||
apply (simp add: min_def zip_is_empty)
|
||||
done
|
||||
|
||||
lemma neq_into_nprefixeq:
|
||||
lemma neq_into_nprefix:
|
||||
"\<lbrakk> x \<noteq> take (length x) y \<rbrakk> \<Longrightarrow> \<not> x \<le> y"
|
||||
by (clarsimp simp: prefixeq_def less_eq_list_def)
|
||||
by (clarsimp simp: prefix_def less_eq_list_def)
|
||||
|
||||
lemma suffixeq_eqI:
|
||||
"\<lbrakk> suffixeq xs as; suffixeq xs bs; length as = length bs;
|
||||
lemma suffix_eqI:
|
||||
"\<lbrakk> suffix xs as; suffix xs bs; length as = length bs;
|
||||
take (length as - length xs) as \<le> take (length bs - length xs) bs\<rbrakk> \<Longrightarrow> as = bs"
|
||||
by (clarsimp elim!: prefixE suffixeqE)
|
||||
by (clarsimp elim!: prefixE suffixE)
|
||||
|
||||
lemma suffixeq_Cons_mem:
|
||||
"suffixeq (x # xs) as \<Longrightarrow> x \<in> set as"
|
||||
by (drule suffixeq_set_subset) simp
|
||||
lemma suffix_Cons_mem:
|
||||
"suffix (x # xs) as \<Longrightarrow> x \<in> set as"
|
||||
by (drule suffix_set_subset) simp
|
||||
|
||||
lemma distinct_imply_not_in_tail:
|
||||
"\<lbrakk> distinct list; suffixeq (y # ys) list\<rbrakk> \<Longrightarrow> y \<notin> set ys"
|
||||
by (clarsimp simp:suffixeq_def)
|
||||
"\<lbrakk> distinct list; suffix (y # ys) list\<rbrakk> \<Longrightarrow> y \<notin> set ys"
|
||||
by (clarsimp simp:suffix_def)
|
||||
|
||||
lemma list_induct_suffixeq [case_names Nil Cons]:
|
||||
lemma list_induct_suffix [case_names Nil Cons]:
|
||||
assumes nilr: "P []"
|
||||
and consr: "\<And>x xs. \<lbrakk>P xs; suffixeq (x # xs) as \<rbrakk> \<Longrightarrow> P (x # xs)"
|
||||
and consr: "\<And>x xs. \<lbrakk>P xs; suffix (x # xs) as \<rbrakk> \<Longrightarrow> P (x # xs)"
|
||||
shows "P as"
|
||||
proof -
|
||||
def as' == as
|
||||
|
||||
have "suffixeq as as'" unfolding as'_def by simp
|
||||
have "suffix as as'" unfolding as'_def by simp
|
||||
then show ?thesis
|
||||
proof (induct as)
|
||||
case Nil show ?case by fact
|
||||
|
@ -2351,8 +2351,8 @@ proof -
|
|||
|
||||
show ?case
|
||||
proof (rule consr)
|
||||
from Cons.prems show "suffixeq (x # xs) as" unfolding as'_def .
|
||||
then have "suffixeq xs as'" by (auto dest: suffixeq_ConsD simp: as'_def)
|
||||
from Cons.prems show "suffix (x # xs) as" unfolding as'_def .
|
||||
then have "suffix xs as'" by (auto dest: suffix_ConsD simp: as'_def)
|
||||
then show "P xs" using Cons.hyps by simp
|
||||
qed
|
||||
qed
|
||||
@ -218,7 +218,7 @@ text {* These list operations roughly correspond to cdt
|
|||
lemma after_can_split: "after_in_list list x = Some y \<Longrightarrow> \<exists>ys xs. list = xs @ (x # y # ys)"
|
||||
apply (induct list x rule: after_in_list.induct)
|
||||
apply simp+
|
||||
apply (simp split: split_if_asm)
|
||||
apply (simp split: if_split_asm)
|
||||
apply force
|
||||
apply (elim exE)
|
||||
apply simp
|
||||
|
@ -301,9 +301,9 @@ lemma after_in_list_inj:
|
|||
apply(simp)
|
||||
apply(case_tac "a=aa")
|
||||
apply(case_tac list, simp)
|
||||
apply(simp add: hd_not_after_in_list split: split_if_asm)
|
||||
apply(simp add: hd_not_after_in_list split: if_split_asm)
|
||||
apply(case_tac list, simp)
|
||||
apply(simp add: hd_not_after_in_list split: split_if_asm)
|
||||
apply(simp add: hd_not_after_in_list split: if_split_asm)
|
||||
done
|
||||
|
||||
lemma list_replace_ignore:"a \<notin> set list \<Longrightarrow> list_replace list a b = list"
|
||||
|
@ -370,7 +370,7 @@ lemma list_insert_after_after:
|
|||
\<Longrightarrow> after_in_list (list_insert_after list a b) p
|
||||
= (if p = a then Some b else if p = b then after_in_list list a else after_in_list list p)"
|
||||
apply(induct list p rule: after_in_list.induct)
|
||||
apply (simp split: split_if_asm)+
|
||||
apply (simp split: if_split_asm)+
|
||||
apply fastforce
|
||||
done
|
||||
|
||||
|
@ -385,14 +385,14 @@ lemma remove_distinct_helper: "\<lbrakk>distinct (list_remove list x); a \<noteq
|
|||
distinct list\<rbrakk>
|
||||
\<Longrightarrow> a \<notin> set (list_remove list x)"
|
||||
apply (induct list)
|
||||
apply (simp split: split_if_asm)+
|
||||
apply (simp split: if_split_asm)+
|
||||
done
|
||||
|
||||
|
||||
lemma list_remove_distinct:
|
||||
"distinct list \<Longrightarrow> distinct (list_remove list x)"
|
||||
apply (induct list)
|
||||
apply (simp add: remove_distinct_helper split: split_if_asm)+
|
||||
apply (simp add: remove_distinct_helper split: if_split_asm)+
|
||||
done
|
||||
|
||||
lemma list_remove_none: "x \<notin> set list \<Longrightarrow> list_remove list x = list"
|
||||
|
@ -416,14 +416,14 @@ lemma set_list_replace_list:
|
|||
lemma after_in_list_in_list:
|
||||
"after_in_list list a = Some b \<Longrightarrow> b \<in> set list"
|
||||
apply(induct list a arbitrary: b rule: after_in_list.induct)
|
||||
apply (simp split: split_if_asm)+
|
||||
apply (simp split: if_split_asm)+
|
||||
done
|
||||
|
||||
lemma list_replace_empty_after_empty:
|
||||
"\<lbrakk>after_in_list list p = Some slot; distinct list\<rbrakk>
|
||||
\<Longrightarrow> after_in_list (list_replace_list list slot []) p = after_in_list list slot"
|
||||
apply(induct list slot rule: after_in_list.induct)
|
||||
apply (simp split: split_if_asm)+
|
||||
apply (simp split: if_split_asm)+
|
||||
apply (case_tac xs,simp+)
|
||||
apply (case_tac xs,simp+)
|
||||
apply (auto dest!: after_in_list_in_list)
|
||||
|
@ -433,7 +433,7 @@ lemma list_replace_after_fst_list:
|
|||
"\<lbrakk>after_in_list list p = Some slot; distinct list\<rbrakk>
|
||||
\<Longrightarrow> after_in_list (list_replace_list list slot (x # xs)) p = Some x"
|
||||
apply(induct list p rule: after_in_list.induct)
|
||||
apply (simp split: split_if_asm)+
|
||||
apply (simp split: if_split_asm)+
|
||||
apply (drule after_in_list_in_list)+
|
||||
apply force
|
||||
done
|
||||
|
@ -451,13 +451,13 @@ lemma after_in_list_append_last_hd:
|
|||
apply(induct list' p rule: after_in_list.induct)
|
||||
apply(simp)
|
||||
apply(simp)
|
||||
apply(simp split: split_if_asm)
|
||||
apply(simp split: if_split_asm)
|
||||
done
|
||||
|
||||
lemma after_in_list_append_in_hd:
|
||||
"after_in_list list p = Some a \<Longrightarrow> after_in_list (list @ list') p = Some a"
|
||||
apply(induct list p rule: after_in_list.induct)
|
||||
apply(simp split: split_if_asm)+
|
||||
apply(simp split: if_split_asm)+
|
||||
done
|
||||
|
||||
lemma after_in_list_in_list': "after_in_list list a = Some y \<Longrightarrow> a \<in> set list"
|
||||
|
@ -479,13 +479,13 @@ lemma list_replace_after_None_notin_new:
|
|||
apply(simp)
|
||||
apply(simp)
|
||||
apply(case_tac list', simp, simp)
|
||||
apply(simp split: split_if_asm)
|
||||
apply(simp split: if_split_asm)
|
||||
apply(simp add: after_in_list_append_notin_hd)
|
||||
apply(simp add: after_in_list_append_notin_hd)
|
||||
apply(case_tac "list_replace_list list slot list'")
|
||||
apply(simp)
|
||||
apply(simp)
|
||||
apply(case_tac list, simp, simp split: split_if_asm)
|
||||
apply(case_tac list, simp, simp split: if_split_asm)
|
||||
done
|
||||
|
||||
lemma list_replace_after_notin_new:
|
||||
|
@ -497,7 +497,7 @@ lemma list_replace_after_notin_new:
|
|||
apply(intro conjI impI)
|
||||
apply(simp add: after_in_list_append_notin_hd)
|
||||
apply(case_tac list, simp, simp)
|
||||
apply(case_tac list, simp, simp split: split_if_asm)
|
||||
apply(case_tac list, simp, simp split: if_split_asm)
|
||||
apply(insert after_in_list_append_notin_hd)
|
||||
apply(atomize)
|
||||
apply(erule_tac x=p in allE, erule_tac x="[aa]" in allE, erule_tac x="list' @ lista" in allE)
|
||||
|
@ -623,13 +623,13 @@ lemma distinct_after_in_list_antisym:
|
|||
apply (induct list b arbitrary: a rule: after_in_list.induct)
|
||||
apply simp+
|
||||
apply (case_tac xs)
|
||||
apply (clarsimp split: split_if_asm | intro impI conjI)+
|
||||
apply (clarsimp split: if_split_asm | intro impI conjI)+
|
||||
done
|
||||
|
||||
|
||||
lemma after_in_listD: "after_in_list list x = Some y \<Longrightarrow> \<exists>xs ys. list = xs @ (x # y # ys) \<and> x \<notin> set xs"
|
||||
apply (induct list x arbitrary: a rule: after_in_list.induct)
|
||||
apply (simp split: split_if_asm | elim exE | force)+
|
||||
apply (simp split: if_split_asm | elim exE | force)+
|
||||
apply (rule_tac x="x # xsa" in exI)
|
||||
apply simp
|
||||
done
|
||||
|
@ -730,7 +730,7 @@ lemma list_swap_preserve_separate:
|
|||
"\<lbrakk>p \<noteq> desta; p \<noteq> srca; z \<noteq> desta; z \<noteq> srca; after_in_list list p = Some z\<rbrakk>
|
||||
\<Longrightarrow> after_in_list (list_swap list srca desta) p = Some z"
|
||||
apply (induct list p rule: after_in_list.induct)
|
||||
apply (simp add: list_swap_def split: split_if_asm)+
|
||||
apply (simp add: list_swap_def split: if_split_asm)+
|
||||
apply (intro impI conjI)
|
||||
apply simp+
|
||||
done
|
||||
|
@ -934,7 +934,7 @@ lemma prepend_after_in_list_distinct : "distinct (a # list) \<Longrightarrow> {(
|
|||
(* base case *)
|
||||
apply (drule CollectD, simp)
|
||||
apply (case_tac list, simp)
|
||||
apply (simp split:split_if_asm)
|
||||
apply (simp split:if_split_asm)
|
||||
apply (rule r_into_trancl)
|
||||
apply (rule CollectI, simp)
|
||||
(* Inductive case *)
|
||||
|
@ -1083,11 +1083,11 @@ lemma after_in_list_last_None:
|
|||
apply(simp)
|
||||
apply(case_tac list)
|
||||
apply(simp)
|
||||
apply(fastforce split: split_if_asm)
|
||||
apply(fastforce split: if_split_asm)
|
||||
done
|
||||
|
||||
lemma after_in_list_None_last:
|
||||
"\<lbrakk>after_in_list list x = None; x \<in> set list\<rbrakk> \<Longrightarrow> x = last list"
|
||||
by (induct list x rule: after_in_list.induct,(simp split: split_if_asm)+)
|
||||
by (induct list x rule: after_in_list.induct,(simp split: if_split_asm)+)
|
||||
|
||||
end
|
||||
|
|
|
@ -633,7 +633,7 @@ lemma in_bindE_L:
|
|||
(\<exists>s'' x. (Inr x, s'') \<in> fst (f s) \<and> (Inl r, s') \<in> fst (g x s'')) \<or> ((Inl r, s') \<in> fst (f s))"
|
||||
apply (simp add: bindE_def lift_def bind_def)
|
||||
apply safe
|
||||
apply (simp add: return_def throwError_def lift_def split_def split: sum.splits split_if_asm)
|
||||
apply (simp add: return_def throwError_def lift_def split_def split: sum.splits if_split_asm)
|
||||
apply force
|
||||
done
|
||||
|
||||
|
@ -1742,7 +1742,7 @@ lemma list_cases_wp:
|
|||
(* FIXME: make wp *)
|
||||
lemma whenE_throwError_wp:
|
||||
"\<lbrace>\<lambda>s. \<not>Q \<longrightarrow> P s\<rbrace> whenE Q (throwError e) \<lbrace>\<lambda>rv. P\<rbrace>, -"
|
||||
apply (simp add: whenE_def split del: split_if)
|
||||
apply (simp add: whenE_def split del: if_split)
|
||||
apply (rule hoare_pre)
|
||||
apply wp
|
||||
apply simp
|
||||
@ -262,7 +262,7 @@ proof -
|
|||
then have ?thesis using `I s`
|
||||
by (induct arbitrary: s) (auto intro: istep) }
|
||||
then show ?thesis using assms(1)
|
||||
by (auto simp: option_while_def option_while'_THE split: split_if_asm)
|
||||
by (auto simp: option_while_def option_while'_THE split: if_split_asm)
|
||||
qed
|
||||
|
||||
lemma option_while'_term:
|
||||
@ -176,12 +176,12 @@ proof -
|
|||
have "\<And>s. owhile C B r s = None
|
||||
\<Longrightarrow> whileLoop C (\<lambda>a. gets_the (B a)) r s = ({}, True)"
|
||||
by (auto simp: whileLoop_def owhile_def option_while_def option_while'_THE gets_the_loop_terminates
|
||||
split: split_if_asm dest: option_while'_None wl'_Inl option_while'_inj)
|
||||
split: if_split_asm dest: option_while'_None wl'_Inl option_while'_inj)
|
||||
moreover
|
||||
have "\<And>s r'. owhile C B r s = Some r'
|
||||
\<Longrightarrow> whileLoop C (\<lambda>a. gets_the (B a)) r s = ({(r', s)}, False)"
|
||||
by (auto simp: whileLoop_def owhile_def option_while_def option_while'_THE gets_the_loop_terminates
|
||||
split: split_if_asm dest: wl'_Inl wl'_Inr option_while'_inj intro: option_while'_Some)
|
||||
split: if_split_asm dest: wl'_Inl wl'_Inr option_while'_inj intro: option_while'_Some)
|
||||
ultimately
|
||||
show ?thesis
|
||||
by (auto simp: fun_eq_iff gets_the_conv split: option.split)
|
||||
@ -492,7 +492,7 @@ proof -
|
|||
|
||||
have cond_true: "\<And>x s. fst (whileLoop C B x s) = {} \<Longrightarrow> C x s"
|
||||
apply (subst (asm) whileLoop_unroll)
|
||||
apply (clarsimp simp: condition_def return_def split: split_if_asm)
|
||||
apply (clarsimp simp: condition_def return_def split: if_split_asm)
|
||||
done
|
||||
|
||||
have "snd (whileLoop C B r s)"
|
||||
@ -46,9 +46,9 @@ lemma valid_whileLoop_complete:
|
|||
apply clarsimp
|
||||
apply (subst (asm) (2) whileLoop_unroll)
|
||||
apply (case_tac "C a b")
|
||||
apply (clarsimp simp: valid_def bind_def' Bex_def condition_def split: split_if_asm)
|
||||
apply (clarsimp simp: valid_def bind_def' Bex_def condition_def split: if_split_asm)
|
||||
apply force
|
||||
apply (clarsimp simp: valid_def bind_def' Bex_def condition_def split: split_if_asm)
|
||||
apply (clarsimp simp: valid_def bind_def' Bex_def condition_def split: if_split_asm)
|
||||
apply force
|
||||
apply (subst whileLoop_unroll)
|
||||
apply (clarsimp simp: valid_def bind_def' condition_def return_def)
|
||||
|
@ -351,7 +351,7 @@ lemma valid_path_implies_exs_valid_whileLoop:
|
|||
apply (clarsimp split: prod.splits)
|
||||
apply (case_tac l)
|
||||
apply clarsimp
|
||||
apply (clarsimp split del: split_if)
|
||||
apply (clarsimp split del: if_split)
|
||||
apply (erule bexI [rotated])
|
||||
apply clarsimp
|
||||
apply clarsimp
|
||||
|
@ -379,7 +379,7 @@ lemma shortest_path_gets_shorter:
|
|||
apply (drule valid_path_implies_exs_valid_whileLoop)
|
||||
apply (clarsimp simp: exs_valid_def)
|
||||
apply (erule bexI [rotated])
|
||||
apply (clarsimp split: split_if_asm)
|
||||
apply (clarsimp split: if_split_asm)
|
||||
apply clarsimp
|
||||
done
|
||||
|
||||
|
|
|
@ -164,7 +164,7 @@ val put_Lib_simpset = put_simpset (Simplifier.simpset_of (Proof_Context.init_gl
|
|||
fun in_mresults_ctxt ctxt = ctxt
|
||||
|> put_Lib_simpset
|
||||
|> (fn ctxt => ctxt addsimps [@{thm in_mresults_export}, @{thm in_mresults_bind}])
|
||||
|> Splitter.del_split @{thm split_if}
|
||||
|> Splitter.del_split @{thm if_split}
|
||||
|
||||
fun prove_qad ctxt term tac = Goal.prove ctxt [] [] term
|
||||
(K (if Config.get ctxt quick_and_dirty andalso false
|
||||
|
@ -179,7 +179,7 @@ fun preannotate_ss ctxt = ctxt
|
|||
fun in_mresults_ss ctxt = ctxt
|
||||
|> put_Lib_simpset
|
||||
|> (fn ctxt => ctxt addsimps [@{thm in_mresults_export}, @{thm in_mresults_bind}])
|
||||
|> Splitter.del_split @{thm split_if}
|
||||
|> Splitter.del_split @{thm if_split}
|
||||
|> simpset_of
|
||||
|
||||
|
||||
|
@ -280,7 +280,7 @@ fun postcond_ss ctxt = ctxt
|
|||
|
||||
fun wp_default_ss ctxt = ctxt
|
||||
|> put_simpset HOL_ss
|
||||
|> Splitter.del_split @{thm split_if}
|
||||
|> Splitter.del_split @{thm if_split}
|
||||
|> simpset_of
|
||||
|
||||
fun raise_tac s = all_tac THEN (fn _ => error s);
|
||||
|
|
|
@ -321,7 +321,7 @@ method post_strengthen methods wp_weak wp_strong simp' tests =
|
|||
determ \<open>make_goals \<open>wp_weak\<close> \<open>wp_strong\<close> \<open>tests\<close>,
|
||||
(elim trips_pushEs)?,
|
||||
rule trip_init\<close>,
|
||||
(simp add: imp_conjL del: simp_dels split del: split_if)?,
|
||||
(simp add: imp_conjL del: simp_dels split del: if_split)?,
|
||||
determ \<open>(erule trips_True_drop trips_contr_drop hoare_add_trip)\<close>,
|
||||
simp',
|
||||
rule trip_drop,
|
||||
|
@ -333,7 +333,7 @@ text \<open>The "wpi" named theorem is used to avoid the safety heuristics, effe
|
|||
named_theorems wpi
|
||||
|
||||
private method final_simp =
|
||||
(simp del: del: simp_dels split del: split_if cong: post_imp_cong)
|
||||
(simp del: del: simp_dels split del: if_split cong: post_imp_cong)
|
||||
|
||||
text \<open>By default, wpi will only solve an atomic consequent if all its antecedents
|
||||
aren't preserved. Therefore "test" is simply "fail". Unpreserved antecedents
|
||||
|
@ -406,7 +406,7 @@ method wp_drop_imp_internal methods tests =
|
|||
determ \<open>erule trips_transport\<close>,
|
||||
((drule trip_term_quants)+)?,
|
||||
erule strengthen_trip_term,
|
||||
simp split del: split_if cong: post_conj_cong,
|
||||
simp split del: if_split cong: post_conj_cong,
|
||||
rule post_conj_drop)
|
||||
|
||||
method wp_drop_imp = wp_drop_imp_internal \<open>tests\<close>
|
||||
|
|
|
@ -102,7 +102,7 @@ proof -
|
|||
apply (clarsimp simp: monadic_rewrite_def bind_def P image_constant_conv
|
||||
cong: image_cong)
|
||||
apply (drule empty_failD2[OF ef])
|
||||
apply (clarsimp simp: prod_eq_iff split: split_if_asm)
|
||||
apply (clarsimp simp: prod_eq_iff split: if_split_asm)
|
||||
done
|
||||
qed
|
||||
|
||||
|
@ -173,7 +173,7 @@ lemma monadic_rewrite_gen_asm:
|
|||
lemma monadic_rewrite_assert:
|
||||
"\<lbrakk> Q \<Longrightarrow> monadic_rewrite True E P (f ()) g \<rbrakk>
|
||||
\<Longrightarrow> monadic_rewrite True E (\<lambda>s. Q \<longrightarrow> P s) (assert Q >>= f) g"
|
||||
apply (simp add: assert_def split: split_if)
|
||||
apply (simp add: assert_def split: if_split)
|
||||
apply (simp add: monadic_rewrite_def fail_def)
|
||||
done
|
||||
|
||||
|
|
|
@ -269,9 +269,9 @@ lemma mapM_x_Cons:
|
|||
|
||||
lemma mapM_x_inv_wp2:
|
||||
assumes post: "\<And>s. \<lbrakk> I s; V [] s \<rbrakk> \<Longrightarrow> Q s"
|
||||
and hr: "\<And>a as. suffixeq (a # as) xs \<Longrightarrow> \<lbrace>\<lambda>s. I s \<and> V (a # as) s\<rbrace> m a \<lbrace>\<lambda>r s. I s \<and> V as s\<rbrace>"
|
||||
and hr: "\<And>a as. suffix (a # as) xs \<Longrightarrow> \<lbrace>\<lambda>s. I s \<and> V (a # as) s\<rbrace> m a \<lbrace>\<lambda>r s. I s \<and> V as s\<rbrace>"
|
||||
shows "\<lbrace>I and V xs\<rbrace> mapM_x m xs \<lbrace>\<lambda>rv. Q\<rbrace>"
|
||||
proof (induct xs rule: list_induct_suffixeq)
|
||||
proof (induct xs rule: list_induct_suffix)
|
||||
case Nil thus ?case
|
||||
apply (simp add: mapM_x_Nil)
|
||||
apply wp
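Review bot: The `suffixeq` → `suffix` rewrite in the `hr` assumption is only safe because Isabelle2016-1 renamed the reflexive relation to `suffix` and the former strict `suffix` to `strict_suffix`; any pre-existing use of the old strict `suffix` in this theory must therefore become `strict_suffix`, which a name-for-name substitution would not catch. `list_induct_suffix` in the `proof` line looks like a project-local induction rule rather than a distribution name, so its definition site presumably needs the same rename in this commit — worth confirming, since the hunk does not show it. The proof of `mapM_x_inv_wp2` continues outside the hunk.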
|
||||
|
@ -576,7 +576,7 @@ lemma cutMon_walk_bindE:
|
|||
apply (simp add: bindE_def cutMon_walk_bind)
|
||||
apply (rule bind_cong, rule refl)
|
||||
apply (simp add: cutMon_def lift_def fail_def
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
apply (clarsimp split: sum.split)
|
||||
done
|
||||
|
||||
|
@ -596,11 +596,11 @@ lemma cutMon_validE_drop:
|
|||
lemma assertE_assert:
|
||||
"assertE F = liftE (assert F)"
|
||||
by (clarsimp simp: assertE_def assert_def liftE_def returnOk_def
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
|
||||
lemma snd_cutMon:
|
||||
"snd (cutMon P f s) = (P s \<longrightarrow> snd (f s))"
|
||||
by (simp add: cutMon_def fail_def split: split_if)
|
||||
by (simp add: cutMon_def fail_def split: if_split)
|
||||
|
||||
lemma exec_modify:
|
||||
"(modify f >>= g) s = g () (f s)"
|
||||
|
@ -612,7 +612,7 @@ lemma no_fail_spec:
|
|||
|
||||
lemma no_fail_assertE [wp]:
|
||||
"no_fail (\<lambda>_. P) (assertE P)"
|
||||
by (simp add: assertE_def split: split_if)
|
||||
by (simp add: assertE_def split: if_split)
|
||||
|
||||
lemma no_fail_spec_pre:
|
||||
"\<lbrakk> no_fail ((op = s) and P') f; \<And>s. P s \<Longrightarrow> P' s \<rbrakk> \<Longrightarrow> no_fail ((op = s) and P) f"
|
||||
|
@ -620,11 +620,11 @@ lemma no_fail_spec_pre:
|
|||
|
||||
lemma no_fail_whenE [wp]:
|
||||
"\<lbrakk> G \<Longrightarrow> no_fail P f \<rbrakk> \<Longrightarrow> no_fail (\<lambda>s. G \<longrightarrow> P s) (whenE G f)"
|
||||
by (simp add: whenE_def split: split_if)
|
||||
by (simp add: whenE_def split: if_split)
|
||||
|
||||
lemma no_fail_unlessE [wp]:
|
||||
"\<lbrakk> \<not> G \<Longrightarrow> no_fail P f \<rbrakk> \<Longrightarrow> no_fail (\<lambda>s. \<not> G \<longrightarrow> P s) (unlessE G f)"
|
||||
by (simp add: unlessE_def split: split_if)
|
||||
by (simp add: unlessE_def split: if_split)
|
||||
|
||||
lemma no_fail_throwError [wp]:
|
||||
"no_fail \<top> (throwError e)"
|
||||
|
@ -718,7 +718,7 @@ lemma select_f_asserts:
|
|||
"select_f (assert P s) = do assert P; return ((), s) od"
|
||||
"select_f (assert_opt v s) = do v' \<leftarrow> assert_opt v; return (v', s) od"
|
||||
by (simp add: select_f_def fail_def assert_def return_def bind_def
|
||||
assert_opt_def split: split_if option.split)+
|
||||
assert_opt_def split: if_split option.split)+
|
||||
|
||||
lemma liftE_bindE_handle:
|
||||
"((liftE f >>=E (\<lambda>x. g x)) <handle> h)
|
||||
|
@ -766,24 +766,24 @@ lemma liftE_bindE_assoc:
|
|||
lemma empty_fail_use_cutMon:
|
||||
"\<lbrakk> \<And>s. empty_fail (cutMon (op = s) f) \<rbrakk> \<Longrightarrow> empty_fail f"
|
||||
apply (clarsimp simp add: empty_fail_def cutMon_def)
|
||||
apply (fastforce split: split_if_asm)
|
||||
apply (fastforce split: if_split_asm)
|
||||
done
|
||||
|
||||
lemma empty_fail_drop_cutMon:
|
||||
"empty_fail f \<Longrightarrow> empty_fail (cutMon P f)"
|
||||
by (simp add: empty_fail_def fail_def cutMon_def split: split_if)
|
||||
by (simp add: empty_fail_def fail_def cutMon_def split: if_split)
|
||||
|
||||
lemma empty_fail_cutMon:
|
||||
"\<lbrakk> \<And>s. P s \<Longrightarrow> empty_fail (cutMon (op = s) f) \<rbrakk>
|
||||
\<Longrightarrow> empty_fail (cutMon P f)"
|
||||
apply (clarsimp simp: empty_fail_def cutMon_def fail_def
|
||||
split: split_if)
|
||||
apply (fastforce split: split_if_asm)
|
||||
split: if_split)
|
||||
apply (fastforce split: if_split_asm)
|
||||
done
|
||||
|
||||
lemma empty_fail_If:
|
||||
"\<lbrakk> P \<Longrightarrow> empty_fail f; \<not> P \<Longrightarrow> empty_fail g \<rbrakk> \<Longrightarrow> empty_fail (if P then f else g)"
|
||||
by (simp split: split_if)
|
||||
by (simp split: if_split)
|
||||
|
||||
lemmas empty_fail_cutMon_intros =
|
||||
cutMon_walk_bind[THEN arg_cong[where f=empty_fail], THEN iffD2,
|
||||
|
@ -796,16 +796,16 @@ lemmas empty_fail_cutMon_intros =
|
|||
lemma empty_fail_whenEs:
|
||||
"empty_fail f \<Longrightarrow> empty_fail (whenE P f)"
|
||||
"empty_fail f \<Longrightarrow> empty_fail (unlessE P f)"
|
||||
by (auto simp add: whenE_def unlessE_def empty_fail_error_bits split: split_if)
|
||||
by (auto simp add: whenE_def unlessE_def empty_fail_error_bits split: if_split)
|
||||
|
||||
lemma empty_fail_assertE:
|
||||
"empty_fail (assertE P)"
|
||||
by (simp add: assertE_def empty_fail_error_bits split: split_if)
|
||||
by (simp add: assertE_def empty_fail_error_bits split: if_split)
|
||||
|
||||
lemma unlessE_throw_catch_If:
|
||||
"catch (unlessE P (throwError e) >>=E f) g
|
||||
= (if P then catch (f ()) g else g e)"
|
||||
by (simp add: unlessE_def catch_throwError split: split_if)
|
||||
by (simp add: unlessE_def catch_throwError split: if_split)
|
||||
|
||||
lemma gets_the_return:
|
||||
"(return x = gets_the f) = (\<forall>s. f s = Some x)"
|
||||
|
@ -834,7 +834,7 @@ lemma cutMon_assert_opt:
|
|||
= gets_the (\<lambda>s. if P s then f s else None) >>= g"
|
||||
by (simp add: cutMon_def gets_the_def exec_gets
|
||||
bind_assoc fun_eq_iff assert_opt_def
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
|
||||
lemma gets_the_eq_bind:
|
||||
"\<lbrakk> \<exists>fn. f = gets_the (fn o fn');
|
||||
|
@ -870,7 +870,7 @@ lemma gets_the_asserts:
|
|||
"(assertE P = gets_the h) = (\<forall>s. h s = (if P then Some (Inr ()) else None))"
|
||||
by (simp add: assert_def assertE_def
|
||||
gets_the_fail gets_the_returns
|
||||
split: split_if)+
|
||||
split: if_split)+
|
||||
|
||||
lemma gets_the_condsE:
|
||||
"(\<exists>fn. whenE P f = gets_the (fn o fn'))
|
||||
|
@ -879,7 +879,7 @@ lemma gets_the_condsE:
|
|||
= (\<not> P \<longrightarrow> (\<exists>fn. g = gets_the (fn o fn')))"
|
||||
by (simp add: whenE_def unlessE_def gets_the_returns
|
||||
ex_const_function
|
||||
split: split_if)+
|
||||
split: if_split)+
|
||||
|
||||
lemma no_fail_gets_the [wp]:
|
||||
"no_fail (\<lambda>s. f s \<noteq> None) (gets_the f)"
|
||||
|
@ -907,11 +907,11 @@ lemma assert_opt_If:
|
|||
|
||||
lemma if_to_top_of_bind:
|
||||
"(bind (If P x y) z) = If P (bind x z) (bind y z)"
|
||||
by (simp split: split_if)
|
||||
by (simp split: if_split)
|
||||
|
||||
lemma if_to_top_of_bindE:
|
||||
"(bindE (If P x y) z) = If P (bindE x z) (bindE y z)"
|
||||
by (simp split: split_if)
|
||||
by (simp split: if_split)
|
||||
|
||||
lemma alternative_bind:
|
||||
"((a \<sqinter> b) >>= c) = ((a >>= c) \<sqinter> (b >>= c))"
|
||||
|
@ -2222,7 +2222,7 @@ lemma oblivious_returnOk [simp]:
|
|||
|
||||
lemma oblivious_assertE [simp]:
|
||||
"oblivious f (assertE P)"
|
||||
by (simp add: assertE_def split: split_if)
|
||||
by (simp add: assertE_def split: if_split)
|
||||
|
||||
|
||||
lemma oblivious_throwError [simp]:
|
||||
|
@ -2247,11 +2247,11 @@ lemma oblivious_catch:
|
|||
|
||||
lemma oblivious_when [simp]:
|
||||
"oblivious f (when P m) = (P \<longrightarrow> oblivious f m)"
|
||||
by (simp add: when_def split: split_if)
|
||||
by (simp add: when_def split: if_split)
|
||||
|
||||
lemma oblivious_whenE [simp]:
|
||||
"oblivious f (whenE P g) = (P \<longrightarrow> oblivious f g)"
|
||||
by (simp add: whenE_def split: split_if)
|
||||
by (simp add: whenE_def split: if_split)
|
||||
|
||||
lemma select_f_oblivious [simp]:
|
||||
"oblivious f (select_f v)"
|
||||
|
@ -2319,7 +2319,7 @@ lemma zipWithM_x_Nil2 :
|
|||
lemma assert2:
|
||||
"(do v1 \<leftarrow> assert P; v2 \<leftarrow> assert Q; c od)
|
||||
= (do v \<leftarrow> assert (P \<and> Q); c od)"
|
||||
by (simp add: assert_def split: split_if)
|
||||
by (simp add: assert_def split: if_split)
|
||||
|
||||
lemma assert_opt_def2:
|
||||
"assert_opt v = (do assert (v \<noteq> None); return (the v) od)"
|
||||
|
@ -2334,7 +2334,7 @@ lemma gets_assert:
|
|||
"(do v1 \<leftarrow> assert v; v2 \<leftarrow> gets f; c v1 v2 od)
|
||||
= (do v2 \<leftarrow> gets f; v1 \<leftarrow> assert v; c v1 v2 od)"
|
||||
by (simp add: simpler_gets_def return_def assert_def fail_def bind_def
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
|
||||
lemma list_case_return2:
|
||||
"(case x of [] \<Rightarrow> return v | y # ys \<Rightarrow> return (f y ys))
|
||||
|
@ -2345,7 +2345,7 @@ lemma modify_assert:
|
|||
"(do v2 \<leftarrow> modify f; v1 \<leftarrow> assert v; c v1 od)
|
||||
= (do v1 \<leftarrow> assert v; v2 \<leftarrow> modify f; c v1 od)"
|
||||
by (simp add: simpler_modify_def return_def assert_def fail_def bind_def
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
|
||||
lemma gets_fold_into_modify:
|
||||
"do x \<leftarrow> gets f; modify (g x) od = modify (\<lambda>s. g (f s) s)"
|
||||
|
@ -2504,7 +2504,7 @@ lemma case_option_find_give_me_a_map:
|
|||
apply (induct xs)
|
||||
apply simp
|
||||
apply (simp add: liftM_def mapME_Nil)
|
||||
apply (simp add: mapME_Cons split: split_if)
|
||||
apply (simp add: mapME_Cons split: if_split)
|
||||
apply (clarsimp simp add: throwError_def bindE_def bind_assoc
|
||||
liftM_def)
|
||||
apply (rule bind_cong [OF refl])
|
||||
|
|
|
@ -76,7 +76,7 @@ An additional annoyance to the clarsimp/tuple issue described above is
|
|||
the splitter. The wp tool is designed to work on a hoare triple with a
|
||||
schematic precondition. Note how the simplifier splits the problem
|
||||
in two because it contains an if constant. Delete the split
|
||||
rule from the simpset with (simp split del: split_if) to avoid this
|
||||
rule from the simpset with (simp split del: if_split) to avoid this
|
||||
issue and see where wp gets stuck.
|
||||
|
||||
We still need to deal with the if constant. In this (somewhat contrived)
|
||||
|
@ -95,7 +95,7 @@ lemma example_3:
|
|||
return $ y \<and> \<not> x
|
||||
od \<lbrace>\<lambda>rv s. rv\<rbrace>"
|
||||
apply wp
|
||||
apply (simp add: if_apply_def2 split del: split_if)
|
||||
apply (simp add: if_apply_def2 split del: if_split)
|
||||
apply wp
|
||||
apply simp
|
||||
done
|
||||
|
|
|
@ -20,7 +20,7 @@ lemma ccorres_rel_imp2:
|
|||
apply (rule ccorresI', erule(5) ccorresE)
|
||||
apply simp
|
||||
apply (erule rev_bexI)
|
||||
apply (simp add: unif_rrel_def split: split_if_asm)
|
||||
apply (simp add: unif_rrel_def split: if_split_asm)
|
||||
apply (cases "hs = []", simp_all)
|
||||
done
|
||||
|
||||
|
@ -66,9 +66,9 @@ lemma exec_handlers_Hoare_Post:
|
|||
"\<lbrakk> exec_handlers_Hoare \<Gamma> P c Q' A'; Q' \<subseteq> Q; A' \<subseteq> A \<rbrakk>
|
||||
\<Longrightarrow> exec_handlers_Hoare \<Gamma> P c Q A"
|
||||
apply (simp add: exec_handlers_Hoare_def
|
||||
split del: split_if)
|
||||
split del: if_split)
|
||||
apply (elim allEI)
|
||||
apply (simp split: split_if_asm)
|
||||
apply (simp split: if_split_asm)
|
||||
apply blast+
|
||||
done
|
||||
|
||||
|
@ -96,7 +96,7 @@ lemma exec_handlers_Hoare_from_vcg_might_fail:
|
|||
"\<lbrakk> \<Gamma> \<turnstile>\<^bsub>/F\<^esub> P c Q, A; UNIV \<subseteq> A' \<rbrakk>
|
||||
\<Longrightarrow> exec_handlers_Hoare \<Gamma> P (c # hs) Q A'"
|
||||
apply (clarsimp simp: exec_handlers_Hoare_def
|
||||
split del: split_if split: split_if_asm)
|
||||
split del: if_split split: if_split_asm)
|
||||
apply (erule exec_handlers.cases, simp_all)
|
||||
apply (case_tac hsa, simp_all)
|
||||
apply (erule exec_handlers.cases, simp_all)
|
||||
|
@ -303,13 +303,13 @@ lemma exec_handlers_Hoare_call_Basic:
|
|||
"\<lbrakk> \<forall>s' t x. s' \<in> P \<longrightarrow> g s' t (ret s' t) \<in> Q; UNIV \<subseteq> A \<rbrakk> \<Longrightarrow>
|
||||
exec_handlers_Hoare \<Gamma> P (call initfn p ret (\<lambda>x y. Basic (g x y)) # hs) Q A"
|
||||
apply (clarsimp simp: exec_handlers_Hoare_def
|
||||
split del: split_if)
|
||||
split del: if_split)
|
||||
apply (erule exec_handlers.cases)
|
||||
apply clarsimp
|
||||
apply (erule exec_call_Normal_elim, simp_all)[1]
|
||||
apply (auto elim!: exec_Normal_elim_cases)[1]
|
||||
apply (frule exec_handlers_less2, clarsimp+)
|
||||
apply (clarsimp simp: subset_iff split: split_if_asm)
|
||||
apply (clarsimp simp: subset_iff split: if_split_asm)
|
||||
apply (auto elim!: exec_Normal_elim_cases
|
||||
exec_call_Normal_elim)
|
||||
done
|
||||
|
@ -560,12 +560,12 @@ lemma ccorres_if_lhs:
|
|||
\<Longrightarrow> ccorres_underlying sr Gamm r xf arrel axf (\<lambda>s. (P \<longrightarrow> Q s) \<and> (\<not> P \<longrightarrow> R s))
|
||||
{s. (P \<longrightarrow> s \<in> S) \<and> (\<not> P \<longrightarrow> s \<in> T)}
|
||||
hs (if P then f else g) conc"
|
||||
by (simp split: split_if)
|
||||
by (simp split: if_split)
|
||||
|
||||
lemma ccorres_if_bind:
|
||||
"ccorres_underlying sr Gamm r xf arrel axf G G' hs (if a then (b >>= f) else (c >>= f)) d
|
||||
\<Longrightarrow> ccorres_underlying sr Gamm r xf arrel axf G G' hs ((if a then b else c) >>= f) d"
|
||||
by (simp split: split_if_asm)
|
||||
by (simp split: if_split_asm)
|
||||
|
||||
lemma ccorres_Cond_rhs:
|
||||
"\<lbrakk> P \<Longrightarrow> ccorres_underlying sr Gamm rvr xf arrel axf Q S hs absf f;
|
||||
|
|
|
@ -43,14 +43,14 @@ val unfold_bodies = Simplifier.make_simproc @{context} "unfold constants named *
|
|||
*}
|
||||
|
||||
theorem spec_refine:
|
||||
notes split_if[split del]
|
||||
notes if_split[split del]
|
||||
shows
|
||||
"spec_statefn_simulates id (kernel_all_global_addresses.\<Gamma> symbol_table)
|
||||
(kernel_all_substitute.\<Gamma> symbol_table domain)"
|
||||
apply (simp add: kernel_all_global_addresses.\<Gamma>_def kernel_all_substitute.\<Gamma>_def)
|
||||
apply (intro spec_statefn_simulates_lookup_tree_Node spec_statefn_simulates_lookup_tree_Leaf)
|
||||
apply (tactic {* ALLGOALS (asm_simp_tac (put_simpset HOL_ss @{context} addsimps @{thms switch.simps fst_conv snd_conv}
|
||||
addsimprocs [unfold_bodies] |> Splitter.del_split @{thm split_if}))
|
||||
addsimprocs [unfold_bodies] |> Splitter.del_split @{thm if_split}))
|
||||
THEN ALLGOALS (TRY o resolve_tac @{context} @{thms exec_statefn_simulates_refl}) *})
|
||||
|
||||
apply (tactic {* ALLGOALS (REPEAT_ALL_NEW (resolve_tac @{context} @{thms exec_statefn_simulates_comI
|
||||
|
|
|
@ -718,7 +718,7 @@ lemma ccorres_trim_return:
|
|||
apply -
|
||||
apply (rule ccorres_rhs_assoc2)+
|
||||
apply (rule ccorres_trim_redundant_throw)
|
||||
apply (clarsimp split del: split_if)
|
||||
apply (clarsimp split del: if_split)
|
||||
apply (rule iffD2 [OF ccorres_semantic_equiv, OF _ cc])
|
||||
apply (rule semantic_equivI)
|
||||
apply (case_tac s')
|
||||
|
|
|
@ -420,8 +420,8 @@ lemma exec_handlers_Hoare_from_vcg_nofail:
|
|||
"\<Gamma> \<turnstile>\<^bsub>/F\<^esub> P c Q \<Longrightarrow> exec_handlers_Hoare \<Gamma> P (c # cs) Q A"
|
||||
apply (drule hoare_sound)
|
||||
apply (simp add: cvalid_def HoarePartialDef.valid_def
|
||||
exec_handlers_Hoare_def split del: split_if)
|
||||
apply (clarsimp split del: split_if)
|
||||
exec_handlers_Hoare_def split del: if_split)
|
||||
apply (clarsimp split del: if_split)
|
||||
apply (erule exec_handlers.cases, auto)
|
||||
done
|
||||
|
||||
|
@ -429,8 +429,8 @@ lemma exec_handlers_Hoare_from_vcg_fails:
|
|||
"\<lbrakk> \<Gamma> \<turnstile>\<^bsub>/F\<^esub> P c {},UNIV; UNIV \<subseteq> A \<rbrakk> \<Longrightarrow> exec_handlers_Hoare \<Gamma> P (c # cs) Q A"
|
||||
apply (drule hoare_sound)
|
||||
apply (simp add: cvalid_def HoarePartialDef.valid_def
|
||||
exec_handlers_Hoare_def split del: split_if)
|
||||
apply (clarsimp split del: split_if)
|
||||
exec_handlers_Hoare_def split del: if_split)
|
||||
apply (clarsimp split del: if_split)
|
||||
apply (erule exec_handlers.cases, simp_all)
|
||||
apply (cases cs)
|
||||
apply (auto elim!: exec_handlers.cases)[1]
|
||||
|
@ -987,7 +987,7 @@ lemma ccorres_liftM_simp [simp]:
|
|||
apply (erule (5) ccorresE)
|
||||
apply (simp add: liftM_def NonDetMonad.bind_def return_def)
|
||||
apply (erule bexI [rotated])
|
||||
apply (simp add: unif_rrel_def split: split_if_asm)
|
||||
apply (simp add: unif_rrel_def split: if_split_asm)
|
||||
done
|
||||
|
||||
lemma ccorres_cond_weak:
|
||||
|
@ -1225,7 +1225,7 @@ lemma ccorres_gen_asm2:
|
|||
prefer 2
|
||||
apply (rule ccorres_guard_imp)
|
||||
apply (erule rl)
|
||||
apply (simp split: split_if_asm)+
|
||||
apply (simp split: if_split_asm)+
|
||||
done
|
||||
|
||||
lemma ccorres_guard_imp2:
|
||||
|
|
|
@ -557,7 +557,7 @@ lemma ccorres_special_trim_guard_DontReach_pis:
|
|||
end
|
||||
|
||||
lemmas ccorres_boilerplace_simp_dels =
|
||||
Collect_const -- "Avoid getting an implication due to split_if. Should probably just remove split_if"
|
||||
Collect_const -- "Avoid getting an implication due to if_split. Should probably just remove if_split"
|
||||
|
||||
lemma ccorres_introduce_UNIV_Int_when_needed:
|
||||
"ccorres_underlying sr Gamm r xf ar axf P (UNIV \<inter> {x. Q x}) hs a c
|
||||
|
@ -1359,7 +1359,7 @@ lemma ceqv_xpres_rewrite_set_rules:
|
|||
"\<lbrakk> ceqv_xpres_rewrite_set xf v S S''; ceqv_xpres_rewrite_set xf v S' S''' \<rbrakk>
|
||||
\<Longrightarrow> ceqv_xpres_rewrite_set xf v (if G then S else S') (if G then S'' else S''')"
|
||||
by (simp_all add: ceqv_xpres_rewrite_set_def ceqv_xpres_rewrite_basic_def
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
|
||||
lemma ceqv_xpres_eq_If_rules:
|
||||
"ceqv_xpres_eq_If False x y y"
|
||||
|
@ -1467,7 +1467,7 @@ lemma ceqv_xpres_While_simpl_sequence:
|
|||
[0 ..< (LEAST n. \<not> CP (v + of_nat n
|
||||
* (THE offs. \<forall>s v. (xf' (simpl_final_basic (c' v) s) - v = offs))))])
|
||||
else While {s. CP (xf' s)} c)"
|
||||
apply (split split_if, simp add: ceqv_xpres_def[where c=c and c'=c for c])
|
||||
apply (split if_split, simp add: ceqv_xpres_def[where c=c and c'=c for c])
|
||||
apply (clarsimp simp: ceqv_xpres_eq_ceqv)
|
||||
apply (rule ceqv_trans)
|
||||
apply (rule_tac n="LEAST n. \<not> CP (v + of_nat n * offs)"
|
||||
|
@ -1993,7 +1993,7 @@ fun tac ctxt =
|
|||
ceqv_Seq_Skip_cases ceqv_Guard_UNIV[THEN iffD2]
|
||||
Guard_ceqv[OF impI, OF refl] ceqv_refl
|
||||
finish_ceqv_Seq_Skip_cases} 1
|
||||
ORELSE (resolve_tac ctxt [@{thm xpresI}] THEN' simp_tac (ctxt |> Splitter.del_split @{thm "split_if"})) 1
|
||||
ORELSE (resolve_tac ctxt [@{thm xpresI}] THEN' simp_tac (ctxt |> Splitter.del_split @{thm "if_split"})) 1
|
||||
))
|
||||
THEN simp_tac (put_simpset HOL_basic_ss ctxt addsimps @{thms com.case}) 1
|
||||
*}
|
||||
|
|
|
@ -358,7 +358,7 @@ fun unfold_data ctxt constn goal nmspce nil = (
|
|||
|
||||
|
||||
|
||||
val split_if = @{thm "split_if"}
|
||||
val split_if = @{thm "if_split"}
|
||||
|
||||
fun maybe_cheat_tac ctxt thm =
|
||||
if (Goal.skip_proofs_enabled ())
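Review bot: The ML binding is still named `split_if` while it now holds `@{thm "if_split"}`, so the value's name no longer matches the theorem it refers to and a reader will look for a `split_if` theorem that no longer exists. Either rename the binding to `if_split` together with its uses (presumably elsewhere in this file, not visible in the hunk), or keep the name for existing callers and document it, e.g. `(* theorem renamed to if_split in Isabelle2016-1; binding name kept for callers *)`. The enclosing ML block continues outside the hunk.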
|
||||
|
|
|
@ -118,7 +118,7 @@ subsection {* Properties of map restriction *}
|
|||
|
||||
lemma restrict_map_cancel:
|
||||
"(m |` S = m |` T) = (dom m \<inter> S = dom m \<inter> T)"
|
||||
by (fastforce dest: fun_cong simp: restrict_map_def None_not_eq split: split_if_asm)
|
||||
by (fastforce dest: fun_cong simp: restrict_map_def None_not_eq split: if_split_asm)
|
||||
|
||||
lemma map_add_restricted_self [simp]:
|
||||
"m ++ m |` S = m"
|
||||
|
@ -232,11 +232,11 @@ subsection {* Properties of @{term "sub_restrict_map"} *}
|
|||
|
||||
lemma restrict_map_sub_disj: "h |` S \<bottom> h `- S"
|
||||
by (fastforce simp: sub_restrict_map_def restrict_map_def map_disj_def
|
||||
split: option.splits split_if_asm)
|
||||
split: option.splits if_split_asm)
|
||||
|
||||
lemma restrict_map_sub_add: "h |` S ++ h `- S = h"
|
||||
by (fastforce simp: sub_restrict_map_def restrict_map_def map_add_def
|
||||
split: option.splits split_if)
|
||||
split: option.splits if_split)
|
||||
|
||||
|
||||
subsection {* Properties of map disjunction *}
|
||||
|
@ -493,7 +493,7 @@ lemma map_le_conv:
|
|||
unfolding map_le_def map_disj_def map_add_def
|
||||
by (rule iffI,
|
||||
clarsimp intro!: exI[where x="\<lambda>x. if x \<notin> dom h\<^sub>0' then h\<^sub>0 x else None"])
|
||||
(fastforce intro: split: option.splits split_if_asm)+
|
||||
(fastforce intro: split: option.splits if_split_asm)+
|
||||
|
||||
lemma map_le_conv2:
|
||||
"h\<^sub>0' \<subseteq>\<^sub>m h\<^sub>0 = (\<exists>h\<^sub>1. h\<^sub>0 = h\<^sub>0' ++ h\<^sub>1 \<and> h\<^sub>0' \<bottom> h\<^sub>1)"
|
||||
|
|
|
@ -90,9 +90,9 @@ lemma sep_set_conj_map_singleton_wp:
|
|||
\<Longrightarrow> \<lbrace><P \<and>* (\<And>* x\<in>xs. I x) \<and>* R>\<rbrace> f \<lbrace>\<lambda>_. <Q \<and>* (\<And>* x\<in>xs. I x) \<and>* R>\<rbrace>"
|
||||
apply (rule hoare_chain [where P="<P \<and>* I x \<and>* (\<And>* x\<in>xs - {x}. I x) \<and>* R>" and
|
||||
Q="\<lambda>_. <Q \<and>* I x \<and>* (\<And>* x\<in>xs - {x}. I x) \<and>* R>"], assumption)
|
||||
apply (subst (asm) sep.setprod.remove, assumption+)
|
||||
apply (subst (asm) sep.prod.remove, assumption+)
|
||||
apply sep_solve
|
||||
apply (subst sep.setprod.remove, assumption+)
|
||||
apply (subst sep.prod.remove, assumption+)
|
||||
apply sep_solve
|
||||
done
|
||||
|
||||
|
|
|
@ -691,11 +691,11 @@ where
|
|||
abbreviation
|
||||
sep_map_set_conj :: "('b \<Rightarrow> 'a::sep_algebra \<Rightarrow> bool) \<Rightarrow> 'b set \<Rightarrow> ('a \<Rightarrow> bool)"
|
||||
where
|
||||
"sep_map_set_conj g S \<equiv> sep.setprod g S"
|
||||
"sep_map_set_conj g S \<equiv> sep.prod g S"
|
||||
|
||||
definition
|
||||
sep_set_conj :: "('a::sep_algebra \<Rightarrow> bool) set \<Rightarrow> ('a \<Rightarrow> bool)" where
|
||||
"sep_set_conj S \<equiv> sep.setprod id S"
|
||||
"sep_set_conj S \<equiv> sep.prod id S"
|
||||
|
||||
(* Notation. *)
|
||||
consts
|
||||
|
@ -857,7 +857,7 @@ lemma sep_map_set_conj_restrict:
|
|||
sep_map_set_conj P xs =
|
||||
(sep_map_set_conj P {x \<in> xs. t x} \<and>*
|
||||
sep_map_set_conj P {x \<in> xs. \<not> t x})"
|
||||
by (subst sep.setprod.union_disjoint [symmetric], (fastforce simp: union_filter)+)
|
||||
by (subst sep.prod.union_disjoint [symmetric], (fastforce simp: union_filter)+)
|
||||
|
||||
|
||||
lemma sep_list_conj_map_add:
|
||||
|
@ -917,7 +917,7 @@ lemma sep_set_conj_empty [simp]:
|
|||
lemma sep_map_set_conj_reindex_cong:
|
||||
"\<lbrakk>inj_on f A; B = f ` A; \<And>a. a \<in> A \<Longrightarrow> g a = h (f a)\<rbrakk>
|
||||
\<Longrightarrow> sep_map_set_conj h B = sep_map_set_conj g A"
|
||||
by (simp add: sep.setprod.reindex)
|
||||
by (simp add: sep.prod.reindex)
|
||||
|
||||
lemma sep_list_conj_sep_map_set_conj:
|
||||
"distinct xs
|
||||
|
@ -928,7 +928,7 @@ lemma sep_list_conj_sep_set_conj:
|
|||
"\<lbrakk>distinct xs; inj_on P (set xs)\<rbrakk>
|
||||
\<Longrightarrow> \<And>* (map P xs) = \<And>* (P ` set xs)"
|
||||
apply (subst sep_list_conj_sep_map_set_conj, assumption)
|
||||
apply (clarsimp simp: sep_set_conj_def sep.setprod.reindex)
|
||||
apply (clarsimp simp: sep_set_conj_def sep.prod.reindex)
|
||||
done
|
||||
|
||||
lemma sep_map_set_conj_sep_list_conj:
|
||||
|
@ -985,7 +985,7 @@ lemma set_sub_sub:
|
|||
lemma sep_map_set_conj_sub_sub_disjoint:
|
||||
"\<lbrakk>finite xs; zs \<subseteq> ys; ys \<subseteq> xs\<rbrakk>
|
||||
\<Longrightarrow> sep_map_set_conj P (xs - zs) = (sep_map_set_conj P (xs - ys) \<and>* sep_map_set_conj P (ys - zs))"
|
||||
apply (cut_tac sep.setprod.subset_diff [where A="xs-zs" and B="ys-zs" and g=P])
|
||||
apply (cut_tac sep.prod.subset_diff [where A="xs-zs" and B="ys-zs" and g=P])
|
||||
apply (subst (asm) set_sub_sub, fast+)
|
||||
done
|
||||
|
||||
|
@ -1001,7 +1001,7 @@ lemma sep_list_conj_filter_map:
|
|||
|
||||
lemma sep_map_set_conj_restrict_predicate:
|
||||
"finite A \<Longrightarrow> (\<And>* x\<in>A. if T x then P x else \<box>) = (\<And>* x\<in>(Set.filter T A). P x)"
|
||||
by (simp add: Set.filter_def sep.setprod.inter_filter)
|
||||
by (simp add: Set.filter_def sep.prod.inter_filter)
|
||||
|
||||
lemma distinct_filters:
|
||||
"\<lbrakk>distinct xs; \<And>x. (f x \<and> g x) = False\<rbrakk> \<Longrightarrow>
|
||||
|
@ -1013,14 +1013,14 @@ lemma sep_list_conj_distinct_filters:
|
|||
\<And>* map P [x\<leftarrow>xs . f x \<or> g x] = (\<And>* map P [x\<leftarrow>xs . f x] \<and>* \<And>* map P [x\<leftarrow>xs . g x])"
|
||||
apply (subst sep_list_conj_sep_map_set_conj, simp)+
|
||||
apply (subst distinct_filters, simp+)
|
||||
apply (subst sep.setprod.union_disjoint, auto)
|
||||
apply (subst sep.prod.union_disjoint, auto)
|
||||
done
|
||||
|
||||
lemma sep_map_set_conj_set_disjoint:
|
||||
"\<lbrakk>finite {x. P x}; finite {x. Q x}; \<And>x. (P x \<and> Q x) = False\<rbrakk>
|
||||
\<Longrightarrow> sep_map_set_conj g {x. P x \<or> Q x} =
|
||||
(sep_map_set_conj g {x. P x} \<and>* sep_map_set_conj g {x. Q x})"
|
||||
apply (subst sep.setprod.union_disjoint [symmetric], simp+)
|
||||
apply (subst sep.prod.union_disjoint [symmetric], simp+)
|
||||
apply blast
|
||||
apply simp
|
||||
by (metis Collect_disj_eq)
|
||||
|
|
|
@ -617,11 +617,11 @@ lemma add_to_slots_comm:
|
|||
|
||||
lemma cdl_heap_add_none1:
|
||||
"cdl_heap_add x y obj_id = None \<Longrightarrow> (sep_heap x) obj_id = None"
|
||||
by (clarsimp simp: cdl_heap_add_def Let_unfold split:option.splits split_if_asm)
|
||||
by (clarsimp simp: cdl_heap_add_def Let_unfold split:option.splits if_split_asm)
|
||||
|
||||
lemma cdl_heap_add_none2:
|
||||
"cdl_heap_add x y obj_id = None \<Longrightarrow> (sep_heap y) obj_id = None"
|
||||
by (clarsimp simp: cdl_heap_add_def Let_unfold split:option.splits split_if_asm)
|
||||
by (clarsimp simp: cdl_heap_add_def Let_unfold split:option.splits if_split_asm)
|
||||
|
||||
lemma object_type_object_addL:
|
||||
"object_type obj = object_type obj'
|
||||
|
@ -700,7 +700,7 @@ instance
|
|||
apply (case_tac x)
|
||||
apply (clarsimp simp: cdl_heap_add_def)
|
||||
apply (rule ext)
|
||||
apply (clarsimp simp: cdl_ghost_state_add_def split:split_if_asm)
|
||||
apply (clarsimp simp: cdl_ghost_state_add_def split:if_split_asm)
|
||||
(* x ## y \<Longrightarrow> x + y = y + x *)
|
||||
apply (clarsimp simp: plus_sep_state_def sep_disj_sep_state_def)
|
||||
apply (erule sep_state_add_comm)
|
||||
|
|
|
@ -47,7 +47,7 @@ lemma sep_map_general_def2:
|
|||
apply clarsimp
|
||||
apply (clarsimp simp: fun_upd_def)
|
||||
apply (rule ext)
|
||||
apply (fastforce simp: dom_def split:split_if)
|
||||
apply (fastforce simp: dom_def split:if_split)
|
||||
done
|
||||
|
||||
(* There is an object there. *)
|
||||
|
|
|
@ -1089,7 +1089,7 @@ lemma auth_ipc_buffers_tro:
|
|||
apply (drule_tac x = p in spec)
|
||||
apply (erule integrity_obj.cases,
|
||||
simp_all add: tcb_states_of_state_def get_tcb_def auth_ipc_buffers_def
|
||||
split: cap.split_asm arch_cap.split_asm split_if_asm bool.splits)
|
||||
split: cap.split_asm arch_cap.split_asm if_split_asm bool.splits)
|
||||
apply fastforce
|
||||
done
|
||||
|
||||
|
@ -1100,7 +1100,7 @@ lemma auth_ipc_buffers_tro_fwd:
|
|||
apply (drule_tac x = p in spec)
|
||||
apply (erule integrity_obj.cases,
|
||||
simp_all add: tcb_states_of_state_def get_tcb_def auth_ipc_buffers_def
|
||||
split: cap.split_asm arch_cap.split_asm split_if_asm bool.splits)
|
||||
split: cap.split_asm arch_cap.split_asm if_split_asm bool.splits)
|
||||
apply fastforce
|
||||
done
|
||||
|
||||
|
|
|
@ -304,7 +304,7 @@ lemma lookup_pt_slot_authorised:
apply (simp add: aag_has_auth_to_Control_eq_owns)
apply (drule_tac f="\<lambda>pde. valid_pde pde s" in arg_cong, simp)
apply (clarsimp simp: obj_at_def a_type_def less_kernel_base_mapping_slots)
apply (clarsimp split: Structures_A.kernel_object.split_asm split_if_asm
apply (clarsimp split: Structures_A.kernel_object.split_asm if_split_asm
arch_kernel_obj.split_asm)
apply (erule pspace_alignedE, erule domI)
apply (simp add: pt_bits_def pageBits_def)
@ -517,10 +517,10 @@ lemma set_mrs_state_vrefs[wp]:
apply (simp add: set_mrs_def split_def set_object_def)
apply (wp gets_the_wp get_wp put_wp mapM_x_wp'
| wpc
| simp split del: split_if add: zipWithM_x_mapM_x split_def store_word_offs_def)+
| simp split del: if_split add: zipWithM_x_mapM_x split_def store_word_offs_def)+
apply (auto simp: obj_at_def state_vrefs_def get_tcb_ko_at
elim!: rsubst[where P=P, OF _ ext]
split: split_if_asm simp: vs_refs_no_global_pts_def)
split: if_split_asm simp: vs_refs_no_global_pts_def)
done
(* FIXME: move *)
@ -529,7 +529,7 @@ lemma set_mrs_thread_states[wp]:
apply (simp add: set_mrs_def split_def set_object_def)
apply (wp gets_the_wp get_wp put_wp mapM_x_wp'
| wpc
| simp split del: split_if add: zipWithM_x_mapM_x split_def store_word_offs_def)+
| simp split del: if_split add: zipWithM_x_mapM_x split_def store_word_offs_def)+
apply (clarsimp simp: fun_upd_def[symmetric] thread_states_preserved)
done
@ -538,7 +538,7 @@ lemma set_mrs_thread_bound_ntfns[wp]:
apply (simp add: set_mrs_def split_def set_object_def)
apply (wp gets_the_wp get_wp put_wp mapM_x_wp' dmo_wp
| wpc
| simp split del: split_if add: zipWithM_x_mapM_x split_def store_word_offs_def no_irq_storeWord)+
| simp split del: if_split add: zipWithM_x_mapM_x split_def store_word_offs_def no_irq_storeWord)+
apply (clarsimp simp: fun_upd_def[symmetric] thread_bound_ntfns_preserved )
done
@ -616,8 +616,8 @@ lemma set_mrs_integrity_autarch:
apply (simp add: set_mrs_def)
apply (wp gets_the_wp get_wp put_wp mapM_x_wp' store_word_offs_integrity_autarch [where aag = aag and thread = thread]
| wpc
| simp split del: split_if add: split_def zipWithM_x_mapM_x )+
apply (clarsimp elim!: in_set_zipE split: split_if_asm)
| simp split del: if_split add: split_def zipWithM_x_mapM_x )+
apply (clarsimp elim!: in_set_zipE split: if_split_asm)
apply (rule order_le_less_trans [where y = msg_max_length])
apply (fastforce simp add: le_eq_less_or_eq)
apply (simp add: msg_max_length_def msg_align_bits)
@ -763,7 +763,7 @@ lemma pas_refined_set_asid_strg:
\<longrightarrow>
pas_refined aag (s\<lparr>arch_state := arch_state s \<lparr>arm_asid_table := (arm_asid_table (arch_state s))(base \<mapsto> pool)\<rparr>\<rparr>)"
apply (clarsimp simp: pas_refined_def state_objs_to_policy_def)
apply (erule state_asids_to_policy_aux.cases, simp_all split: split_if_asm)
apply (erule state_asids_to_policy_aux.cases, simp_all split: if_split_asm)
apply (auto intro: state_asids_to_policy_aux.intros auth_graph_map_memI[OF sbta_vref] pas_refined_refl[simplified pas_refined_def state_objs_to_policy_def])
done
@ -984,7 +984,7 @@ lemma perform_asid_pool_invocation_pas_refined [wp]:
apply (clarsimp simp: cap_auth_conferred_def is_cap_simps is_page_cap_def auth_graph_map_mem
pas_refined_all_auth_is_owns pas_refined_refl cli_no_irqs
dest!: graph_ofD)
apply (clarsimp split: split_if_asm)
apply (clarsimp split: if_split_asm)
apply (clarsimp simp add: pas_refined_refl auth_graph_map_def2
mask_asid_low_bits_ucast_ucast[symmetric]
valid_apinv_def obj_at_def)
@ -1105,7 +1105,7 @@ lemma decode_arch_invocation_authorised:
unfolding arch_decode_invocation_def authorised_arch_inv_def aag_cap_auth_def
apply (rule hoare_pre)
apply (simp add: split_def Let_def
cong: cap.case_cong arch_cap.case_cong if_cong option.case_cong split del: split_if)
cong: cap.case_cong arch_cap.case_cong if_cong option.case_cong split del: if_split)
apply (wp select_wp whenE_throwError_wp check_vp_wpR
find_pd_for_asid_authority2
@ -1113,7 +1113,7 @@ lemma decode_arch_invocation_authorised:
| simp add: authorised_asid_control_inv_def authorised_page_inv_def
authorised_page_directory_inv_def
del: hoare_post_taut hoare_True_E_R
split del: split_if)+
split del: if_split)+
apply (clarsimp simp: authorised_asid_pool_inv_def authorised_page_table_inv_def
neq_Nil_conv invs_psp_aligned invs_arch_objs cli_no_irqs)
apply (drule diminished_cte_wp_at_valid_cap, clarsimp+)
@ -1158,7 +1158,7 @@ lemma decode_arch_invocation_authorised:
apply (clarsimp simp: vspace_cap_rights_to_auth_def mask_vm_rights_def
validate_vm_rights_def vm_read_write_def vm_read_only_def
vm_kernel_only_def
split: split_if_asm)
split: if_split_asm)
-- "Unmap"
apply (simp add: aag_cap_auth_def cli_no_irqs)
-- "PageTableCap"
@ -1174,7 +1174,7 @@ lemma decode_arch_invocation_authorised:
pde_ref2_def pas_refined_all_auth_is_owns pas_refined_refl )
apply (subgoal_tac "x && ~~ mask pt_bits = word")
apply simp
apply (clarsimp simp: valid_cap_simps cap_aligned_def split: split_if_asm)
apply (clarsimp simp: valid_cap_simps cap_aligned_def split: if_split_asm)
apply (subst (asm) upto_enum_step_subtract)
apply (subgoal_tac "is_aligned word pt_bits")
apply (simp add: is_aligned_no_overflow)
@ -1207,11 +1207,11 @@ lemma delete_asid_pas_refined[wp]:
apply (clarsimp dest!: auth_graph_map_memD graph_ofD)
apply (erule pas_refined_mem[OF sta_vref, rotated])
apply (fastforce simp: state_vrefs_def vs_refs_no_global_pts_def
image_def graph_of_def split: split_if_asm)
image_def graph_of_def split: if_split_asm)
apply (clarsimp simp: pas_refined_def dest!: graph_ofD)
apply (erule subsetD, erule state_asids_to_policy_aux.intros)
apply (fastforce simp: state_vrefs_def vs_refs_no_global_pts_def
graph_of_def image_def split: split_if_asm)
graph_of_def image_def split: if_split_asm)
done
lemma delete_asid_pool_pas_refined [wp]:
@ -154,7 +154,7 @@ proof (induct arbitrary: s rule: resolve_address_bits'.induct)
by wp
show ?case
apply (subst resolve_address_bits'.simps)
apply (cases cap', simp_all add: P split del: split_if)
apply (cases cap', simp_all add: P split del: if_split)
apply (rule hoare_pre_spec_validE)
apply (wp "1.hyps", (assumption | simp add: in_monad | rule conjI)+)
apply (wp get_cap_wp)
@ -177,12 +177,12 @@ lemma lookup_slot_for_cnode_op_authorised[wp]:
"\<lbrace>pas_refined aag and K (is_cnode_cap root \<longrightarrow> (\<forall>x \<in> obj_refs root. is_subject aag x))\<rbrace>
lookup_slot_for_cnode_op is_source root ptr depth
\<lbrace>\<lambda>rv s. is_subject aag (fst rv)\<rbrace>, -"
apply (simp add: lookup_slot_for_cnode_op_def split del: split_if)
apply (simp add: lookup_slot_for_cnode_op_def split del: if_split)
apply (rule hoare_pre)
apply (wp whenE_throwError_wp hoare_drop_imps
resolve_address_bits_authorised[THEN hoare_post_imp_R[where Q'="\<lambda>x s. is_subject aag (fst (fst x))"]]
| wpc
| simp add: split_def authorised_cnode_inv_def split del: split_if
| simp add: split_def authorised_cnode_inv_def split del: if_split
del: resolve_address_bits'.simps split_paired_All | clarsimp)+
done
@ -218,7 +218,7 @@ lemma decode_cnode_inv_authorised:
decode_cnode_invocation label args cap excaps
\<lbrace>\<lambda>rv s. authorised_cnode_inv aag rv s\<rbrace>,-"
apply (simp add: authorised_cnode_inv_def decode_cnode_invocation_def split_def whenE_def unlessE_def set_eq_iff
cong: if_cong Invocations_A.cnode_invocation.case_cong split del: split_if)
cong: if_cong Invocations_A.cnode_invocation.case_cong split del: if_split)
apply (rule hoare_pre)
apply (wp hoare_vcg_all_lift hoare_vcg_const_imp_lift_R hoare_vcg_all_lift_R
lsfco_cte_at
@ -245,7 +245,7 @@ lemma set_cap_state_vrefs[wp]:
apply (wp get_object_wp | wpc)+
apply (auto simp: obj_at_def state_vrefs_def
elim!: rsubst[where P=P, OF _ ext]
split: split_if_asm simp: vs_refs_no_global_pts_def)
split: if_split_asm simp: vs_refs_no_global_pts_def)
done
lemma set_cap_thread_states[wp]:
@ -279,7 +279,7 @@ lemma sita_caps_update:
state_irqs_to_policy_aux aag (\<lambda>a. if a = ptr then Some cap else caps a) \<subseteq> pasPolicy aag"
apply clarsimp
apply (erule state_irqs_to_policy_aux.cases)
apply (fastforce intro: state_irqs_to_policy_aux.intros simp: cap_links_irq_def split: split_if_asm)+
apply (fastforce intro: state_irqs_to_policy_aux.intros simp: cap_links_irq_def split: if_split_asm)+
done
lemma sata_update:
@ -289,7 +289,7 @@ lemma sata_update:
state_asids_to_policy_aux aag ((caps_of_state s) (ptr \<mapsto> cap)) asid_tab vrefs \<subseteq> pasPolicy aag"
apply clarsimp
apply (erule state_asids_to_policy_aux.cases)
apply (fastforce intro: state_asids_to_policy_aux.intros simp: cap_links_asid_slot_def label_owns_asid_slot_def split: split_if_asm)+
apply (fastforce intro: state_asids_to_policy_aux.intros simp: cap_links_asid_slot_def label_owns_asid_slot_def split: if_split_asm)+
done
lemma cli_caps_of_state:
@ -335,7 +335,7 @@ lemma set_cap_pas_refined [wp]:
apply (intro conjI) -- "auth_graph_map"
apply (clarsimp dest!: auth_graph_map_memD)
apply (erule state_bits_to_policy.cases, auto simp: cap_links_asid_slot_def label_owns_asid_slot_def intro: auth_graph_map_memI state_bits_to_policy.intros
split: split_if_asm)[1]
split: if_split_asm)[1]
apply (erule (2) sata_update[unfolded fun_upd_def])
apply (erule (2) sita_caps_update)
done
@ -350,7 +350,7 @@ lemma cap_move_respects[wp]:
apply (rule hoare_pre)
apply (wp get_cap_wp set_cap_integrity_autarch set_original_integrity_autarch
cap_move_ext.list_integ_lift[where Q="\<top>"] cap_move_list_integrity
| simp add: set_cdt_def split del: split_if)+
| simp add: set_cdt_def split del: if_split)+
apply (rule_tac Q="\<lambda>rv s. integrity aag X st s \<and> (\<forall>v. cdt s v = Some src \<longrightarrow> is_subject aag (fst v))"
in hoare_post_imp)
apply (simp add: integrity_def)
@ -378,12 +378,12 @@ lemma cap_swap_respects[wp]:
apply (wp get_cap_wp set_cap_integrity_autarch
cap_swap_ext_extended.list_integ_lift[where Q="\<top>"] cap_swap_list_integrity
set_original_integrity_autarch[unfolded pred_conj_def K_def]
| simp add: set_cdt_def split del: split_if)+
| simp add: set_cdt_def split del: if_split)+
apply (rule_tac Q="\<lambda>rv s. integrity aag X st s
\<and> (\<forall>v. cdt s v = Some slot \<or> cdt s v = Some slot'
\<longrightarrow> is_subject aag (fst v))"
in hoare_post_imp)
apply (simp add: fun_upd_def[symmetric] split del: split_if)
apply (simp add: fun_upd_def[symmetric] split del: if_split)
apply (intro integrity_cdt_fun_upd, simp_all)[1]
apply (simp add: integrity_def)
apply (clarsimp simp: integrity_cdt_def)
@ -491,7 +491,7 @@ lemma set_cdt_pas_refined:
apply (thin_tac "\<forall>a b aa. P a b aa" for P)
apply (erule state_bits_to_policy.cases)
apply (auto intro: auth_graph_map_memI state_bits_to_policy.intros
split: split_if_asm | blast)+
split: if_split_asm | blast)+
done
lemma pas_refined_original_cap_update[simp]:
@ -585,12 +585,12 @@ lemma cap_insert_pas_refined:
hoare_weak_lift_imp hoare_vcg_all_lift set_cap_caps_of_state2
set_untyped_cap_as_full_cdt_is_original_cap get_cap_wp
tcb_domain_map_wellformed_lift
| simp split del: split_if del: split_paired_All fun_upd_apply
| simp split del: if_split del: split_paired_All fun_upd_apply
| strengthen update_one_strg)+
apply (clarsimp simp: pas_refined_refl split del: split_if)
apply (clarsimp simp: pas_refined_refl split del: if_split)
apply (erule impE)
apply(clarsimp simp: cap_cur_auth_caps_of_state cte_wp_at_caps_of_state)
apply (auto split: split_if_asm simp: pas_refined_refl dest: aag_cdt_link_Control)
apply (auto split: if_split_asm simp: pas_refined_refl dest: aag_cdt_link_Control)
done
lemma cap_links_irq_Nullcap [simp]:
@ -628,8 +628,8 @@ lemma cap_swap_pas_refined[wp]:
\<lbrace>\<lambda>rv. pas_refined aag\<rbrace>"
apply (simp add: cap_swap_def)
apply (rule hoare_pre)
apply (wp set_cdt_pas_refined tcb_domain_map_wellformed_lift | simp split del: split_if)+
apply (clarsimp simp: pas_refined_refl split: split_if_asm split del: split_if)
apply (wp set_cdt_pas_refined tcb_domain_map_wellformed_lift | simp split del: if_split)+
apply (clarsimp simp: pas_refined_refl split: if_split_asm split del: if_split)
apply (fastforce dest: sta_cdt pas_refined_mem)+
done
@ -690,7 +690,7 @@ lemma sts_thread_bound_ntfns[wp]:
apply (simp add: set_thread_state_def set_object_def)
apply (wp dxo_wp_weak |simp)+
apply (clarsimp simp: thread_bound_ntfns_def get_tcb_def
split: split_if option.splits kernel_object.splits
split: if_split option.splits kernel_object.splits
elim!: rsubst[where P=P, OF _ ext])
done
@ -728,7 +728,7 @@ lemma set_thread_state_pas_refined:
apply (clarsimp dest!: auth_graph_map_memD)
apply (erule state_bits_to_policy.cases)
apply (auto intro: state_bits_to_policy.intros auth_graph_map_memI
split: split_if_asm)
split: if_split_asm)
done
lemma set_ep_vrefs[wp]:
@ -955,14 +955,14 @@ lemma store_pte_pas_refined[wp]:
apply (wp tcb_domain_map_wellformed_lift | wps)+
apply clarsimp
apply (rule conjI)
apply (clarsimp dest!: auth_graph_map_memD split del: split_if)
apply (clarsimp dest!: auth_graph_map_memD split del: if_split)
apply (erule state_bits_to_policy.cases,
auto intro: state_bits_to_policy.intros auth_graph_map_memI
split: split_if_asm)[1]
split: if_split_asm)[1]
apply (erule_tac B="state_asids_to_policy aag s" for s in subset_trans[rotated])
apply (auto intro: state_asids_to_policy_aux.intros
elim!: state_asids_to_policy_aux.cases
split: split_if_asm)
split: if_split_asm)
done
lemma store_pde_st_vrefs[wp]:
@ -973,7 +973,7 @@ lemma store_pde_st_vrefs[wp]:
(\<Union>(p', sz, auth)\<in>set_option (pde_ref2 pde).
(\<lambda>(p'', a). (p'', VSRef ((p && mask pd_bits) >> 2) (Some APageDirectory), a)) ` (ptr_range p' sz \<times> auth)))))\<rbrace>
store_pde p pde \<lbrace>\<lambda>rv s. P (state_vrefs s)\<rbrace>"
apply (simp add: store_pde_def set_pd_def set_object_def split del: split_if)
apply (simp add: store_pde_def set_pd_def set_object_def split del: if_split)
apply (wp get_object_wp)
apply (clarsimp simp: obj_at_def)
apply (erule all_rsubst[where P=P], subst fun_eq_iff)
@ -1011,16 +1011,16 @@ lemma store_pde_pas_refined[wp]:
apply (simp add: pas_refined_def state_objs_to_policy_def)
apply (rule hoare_pre)
apply (wp tcb_domain_map_wellformed_lift | wps)+
apply (clarsimp split del: split_if)
apply (clarsimp split del: if_split)
apply (rule conjI)
apply (clarsimp dest!: auth_graph_map_memD split del: split_if)
apply (clarsimp dest!: auth_graph_map_memD split del: if_split)
apply (erule state_bits_to_policy.cases,
auto intro: state_bits_to_policy.intros auth_graph_map_memI
split: split_if_asm)[1]
split: if_split_asm)[1]
apply (erule_tac B="state_asids_to_policy aag s" for s in subset_trans[rotated])
apply (auto intro: state_asids_to_policy_aux.intros
elim!: state_asids_to_policy_aux.cases
split: split_if_asm)
split: if_split_asm)
done
lemmas pde_ref_simps = pde_ref_def[split_simps pde.split]
@ -1079,11 +1079,11 @@ lemma set_asid_pool_pas_refined[wp]:
apply (clarsimp dest!: auth_graph_map_memD)
apply (erule state_bits_to_policy.cases,
auto intro: state_bits_to_policy.intros auth_graph_map_memI
split: split_if_asm)[1]
split: if_split_asm)[1]
apply (auto intro: state_asids_to_policy_aux.intros
simp: subsetD[OF _ state_asids_to_policy_aux.intros(2)]
elim!: state_asids_to_policy_aux.cases
split: split_if_asm)
split: if_split_asm)
apply fastforce+
done
@ -1095,7 +1095,7 @@ lemma pas_refined_clear_asid:
"pas_refined aag s \<Longrightarrow> pas_refined aag (s\<lparr>arch_state := arch_state s\<lparr>arm_asid_table := \<lambda>a. if a = asid then None else arm_asid_table (arch_state s) a\<rparr>\<rparr>)"
unfolding pas_refined_def
apply (auto simp: state_objs_to_policy_def elim!: state_asids_to_policy_aux.cases
split: split_if_asm intro: state_asids_to_policy_aux.intros)
split: if_split_asm intro: state_asids_to_policy_aux.intros)
apply (fastforce elim: state_asids_to_policy_aux.intros)+
done
@ -1262,18 +1262,18 @@ lemma auth_derived_mask_cap:
apply (rule conjI | clarsimp
| erule subsetD subsetD[OF cap_rights_to_auth_mono, rotated]
| simp add: cap_auth_conferred_def vspace_cap_rights_to_auth_def
is_page_cap_def split: split_if_asm)+
is_page_cap_def split: if_split_asm)+
done
lemma auth_derived_update_cap_data:
"\<lbrakk> auth_derived cap cap'; update_cap_data pres w cap \<noteq> cap.NullCap \<rbrakk>
\<Longrightarrow> auth_derived (update_cap_data pres w cap) cap'"
apply (simp add: update_cap_data_def is_cap_simps arch_update_cap_data_def
split del: split_if cong: if_cong)
split del: if_split cong: if_cong)
apply (clarsimp simp: badge_update_def Let_def split_def is_cap_simps
is_page_cap_def
split: split_if_asm
split del: split_if)
split: if_split_asm
split del: if_split)
apply (simp_all add: auth_derived_def the_cnode_cap_def)
apply (simp_all add: cap_auth_conferred_def)
done
@ -1298,7 +1298,7 @@ lemma decode_cnode_invocation_auth_derived:
"\<lbrace>\<top>\<rbrace> decode_cnode_invocation label args cap excaps
\<lbrace>cnode_inv_auth_derivations\<rbrace>,-"
apply (simp add: decode_cnode_invocation_def split_def whenE_def unlessE_def
split del: split_if)
split del: if_split)
apply (rule hoare_pre)
apply (wp derive_cap_auth_derived get_cap_auth_derived
hoare_vcg_all_lift
@ -1306,7 +1306,7 @@ lemma decode_cnode_invocation_auth_derived:
| simp add: cnode_inv_auth_derivations_If_Insert_Move[unfolded cnode_inv_auth_derivations_def]
cnode_inv_auth_derivations_def split_def whenE_def
del: hoare_post_taut hoare_True_E_R
split del: split_if
split del: if_split
| strengthen cte_wp_at_auth_derived_mask_cap_strg
cte_wp_at_auth_derived_update_cap_data_strg
| wp_once hoare_drop_imps)+
@ -1375,7 +1375,7 @@ lemma update_cap_obj_refs_subset:
"x \<in> obj_refs (update_cap_data P dt cap) \<Longrightarrow> x \<in> obj_refs cap"
apply (case_tac cap,
simp_all add: update_cap_data_closedform
split: split_if_asm)
split: if_split_asm)
done
(* FIXME: move *)
@ -1383,7 +1383,7 @@ lemma update_cap_untyped_range_subset:
"x \<in> untyped_range (update_cap_data P dt cap) \<Longrightarrow> x \<in> untyped_range cap"
apply (case_tac cap,
simp_all add: update_cap_data_closedform
split: split_if_asm)
split: if_split_asm)
done
lemmas derive_cap_aag_caps = derive_cap_obj_refs_auth derive_cap_untyped_range_subset derive_cap_clas derive_cap_cli
@ -1410,7 +1410,7 @@ lemma clas_update_cap_data [simp]:
lemma update_cap_cap_auth_conferred_subset:
"x \<in> cap_auth_conferred (update_cap_data b w cap) \<Longrightarrow> x \<in> cap_auth_conferred cap"
unfolding update_cap_data_def
apply (clarsimp split: split_if_asm simp: is_cap_simps cap_auth_conferred_def cap_rights_to_auth_def badge_update_def the_cnode_cap_def
apply (clarsimp split: if_split_asm simp: is_cap_simps cap_auth_conferred_def cap_rights_to_auth_def badge_update_def the_cnode_cap_def
Let_def vspace_cap_rights_to_auth_def arch_update_cap_data_def)
done
@ -89,7 +89,7 @@ lemma cap_move_list_integrity:
notes split_paired_All[simp del]
shows
"\<lbrace>list_integ P st and K(P src) and K(P dest)\<rbrace> cap_move_ext src dest src_p dest_p \<lbrace>\<lambda>_. list_integ P st\<rbrace>"
apply (simp add: cap_move_ext_def split del: split_if)
apply (simp add: cap_move_ext_def split del: if_split)
apply (wp update_cdt_list_wp)
apply (intro impI conjI allI | simp add: list_filter_replace list_filter_remove split: option.splits | elim conjE | simp add: list_integ_def)+
done
@ -98,7 +98,7 @@ lemma cap_insert_list_integrity:
notes split_paired_All[simp del]
shows
"\<lbrace>list_integ P st and K(P src) and K(P dest)\<rbrace> cap_insert_ext src_parent src dest src_p dest_p \<lbrace>\<lambda>_. list_integ P st\<rbrace>"
apply (simp add: cap_insert_ext_def split del: split_if)
apply (simp add: cap_insert_ext_def split del: if_split)
apply (wp update_cdt_list_wp)
apply (intro impI conjI allI | simp add: list_filter_insert_after list_filter_remove split: option.splits | elim conjE | simp add: list_integ_def)+
done
@ -107,7 +107,7 @@ lemma create_cap_list_integrity:
notes split_paired_All[simp del]
shows
"\<lbrace>list_integ P st and K(P dest)\<rbrace> create_cap_ext untyped dest dest_p \<lbrace>\<lambda>_. list_integ P st\<rbrace>"
apply (simp add: create_cap_ext_def split del: split_if)
apply (simp add: create_cap_ext_def split del: if_split)
apply (wp update_cdt_list_wp)
apply (intro impI conjI allI | simp add: list_filter_replace list_filter_remove split: option.splits | elim conjE | simp add: list_integ_def)+
done
@ -117,7 +117,7 @@ lemma empty_slot_list_integrity:
notes split_paired_All[simp del]
shows
"\<lbrace>list_integ P st and (\<lambda>s. valid_list_2 (cdt_list s) m) and K(P slot) and K( all_children P m)\<rbrace> empty_slot_ext slot slot_p \<lbrace>\<lambda>_. list_integ P st\<rbrace>"
apply (simp add: empty_slot_ext_def split del: split_if)
apply (simp add: empty_slot_ext_def split del: if_split)
apply (wp update_cdt_list_wp)
apply (intro impI conjI allI | simp add: list_filter_replace_list list_filter_remove split: option.splits | elim conjE | simp add: list_integ_def)+
apply (drule_tac x="the slot_p" in spec)
@ -130,7 +130,7 @@ lemma cap_swap_list_integrity:
notes split_paired_All[simp del]
shows
"\<lbrace>list_integ P st and K(P slot1) and K(P slot2)\<rbrace> cap_swap_ext slot1 slot2 slot1_p slot2_p \<lbrace>\<lambda>_. list_integ P st\<rbrace>"
apply (simp add: cap_swap_ext_def split del: split_if)
apply (simp add: cap_swap_ext_def split del: if_split)
apply (wp update_cdt_list_wp)
apply (intro impI conjI allI | simp add: list_filter_replace list_filter_swap split: option.splits | elim conjE | simp add: list_integ_def)+ (* slow *)
done
@ -214,7 +214,7 @@ lemma weak_derived_DomainCap:
"weak_derived c' c \<Longrightarrow> (c' = cap.DomainCap) = (c = cap.DomainCap)"
apply (clarsimp simp: weak_derived_def)
apply (erule disjE)
apply (clarsimp simp: copy_of_def split: split_if_asm)
apply (clarsimp simp: copy_of_def split: if_split_asm)
apply (auto simp: is_cap_simps same_object_as_def
split: cap.splits arch_cap.splits)[1]
apply simp
@ -277,7 +277,7 @@ lemma cap_insert_domain_sep_inv:
cap_insert cap slot dest_slot
\<lbrace> \<lambda>_. domain_sep_inv irqs st \<rbrace>"
apply(simp add: cap_insert_def)
apply(wp set_cap_domain_sep_inv get_cap_wp set_original_wp dxo_wp_weak | simp split del: split_if)+
apply(wp set_cap_domain_sep_inv get_cap_wp set_original_wp dxo_wp_weak | simp split del: if_split)+
apply(blast dest: cte_wp_at_is_derived_domain_sep_inv_cap)
done
@ -291,7 +291,7 @@ lemma cap_move_domain_sep_inv:
cap_move cap slot dest_slot
\<lbrace> \<lambda>_. domain_sep_inv irqs st \<rbrace>"
apply(simp add: cap_move_def)
apply(wp set_cap_domain_sep_inv get_cap_wp set_original_wp dxo_wp_weak | simp split del: split_if | blast dest: cte_wp_at_weak_derived_domain_sep_inv_cap)+
apply(wp set_cap_domain_sep_inv get_cap_wp set_original_wp dxo_wp_weak | simp split del: if_split | blast dest: cte_wp_at_weak_derived_domain_sep_inv_cap)+
done
lemma domain_sep_inv_machine_state_update[simp]:
@ -487,7 +487,7 @@ crunch domain_sep_inv[wp]: finalise_cap "domain_sep_inv irqs st"
lemma finalise_cap_domain_sep_inv_cap:
"\<lbrace>\<lambda>s. domain_sep_inv_cap irqs cap\<rbrace> finalise_cap cap b \<lbrace>\<lambda>rv s. domain_sep_inv_cap irqs (fst rv)\<rbrace>"
apply(case_tac cap)
apply(wp | simp add: o_def split del: split_if split: cap.splits arch_cap.splits | fastforce split: if_splits simp: domain_sep_inv_cap_def)+
apply(wp | simp add: o_def split del: if_split split: cap.splits arch_cap.splits | fastforce split: if_splits simp: domain_sep_inv_cap_def)+
apply(rule hoare_pre, wp, fastforce)
apply(rule hoare_pre, simp, wp, fastforce simp: domain_sep_inv_cap_def)
apply(simp add: arch_finalise_cap_def)
@ -509,7 +509,7 @@ lemma finalise_cap_returns_None:
finalise_cap cap b
\<lbrace>\<lambda>rv s. \<not> irqs \<longrightarrow> snd rv = None\<rbrace>"
apply(case_tac cap)
apply(simp add: o_def split del: split_if | wp | fastforce simp: domain_sep_inv_cap_def | rule hoare_pre)+
apply(simp add: o_def split del: if_split | wp | fastforce simp: domain_sep_inv_cap_def | rule hoare_pre)+
done
lemma rec_del_domain_sep_inv':
@ -528,10 +528,10 @@ lemma rec_del_domain_sep_inv':
done
next
case (2 slot exposed s) show ?case
apply(simp add: rec_del.simps split del: split_if)
apply(simp add: rec_del.simps split del: if_split)
apply(rule hoare_pre_spec_validE)
apply(wp drop_spec_validE[OF returnOk_wp] drop_spec_validE[OF liftE_wp] set_cap_domain_sep_inv
|simp add: split_def split del: split_if)+
|simp add: split_def split del: if_split)+
apply(rule spec_strengthen_postE)
apply(rule "2.hyps", fastforce+)
apply(rule drop_spec_validE, (wp preemption_point_inv| simp)+)[1]
@ -541,7 +541,7 @@ lemma rec_del_domain_sep_inv':
apply(wp finalise_cap_domain_sep_inv_cap get_cap_wp
finalise_cap_returns_None
drop_spec_validE[OF liftE_wp] set_cap_domain_sep_inv
|simp add: without_preemption_def split del: split_if
|simp add: without_preemption_def split del: if_split
|wp_once hoare_drop_imps)+
apply(blast dest: cte_wp_at_domain_sep_inv_cap)
done
@ -668,7 +668,7 @@ lemma invoke_cnode_domain_sep_inv:
\<lbrace>\<lambda>_. domain_sep_inv irqs st\<rbrace>"
unfolding invoke_cnode_def
apply(case_tac ci)
apply(wp cap_insert_domain_sep_inv cap_move_domain_sep_inv | simp split del: split_if)+
apply(wp cap_insert_domain_sep_inv cap_move_domain_sep_inv | simp split del: if_split)+
apply(rule hoare_pre)
apply(wp cap_move_domain_sep_inv cap_move_cte_wp_at_other get_cap_wp | simp | blast dest: cte_wp_at_weak_derived_domain_sep_inv_cap | wpc)+
apply(fastforce dest: cte_wp_at_weak_derived_ReplyCap)
@ -847,7 +847,7 @@ lemma cap_insert_domain_sep_inv':
cap_insert cap slot dest_slot
\<lbrace> \<lambda>_. domain_sep_inv irqs st\<rbrace>"
apply(simp add: cap_insert_def)
apply(wp set_cap_domain_sep_inv get_cap_wp dxo_wp_weak | simp split del: split_if)+
apply(wp set_cap_domain_sep_inv get_cap_wp dxo_wp_weak | simp split del: if_split)+
done
lemma domain_sep_inv_cap_max_free_index_update[simp]:
@ -1044,7 +1044,7 @@ lemma receive_ipc_base_domain_sep_inv:
apply (clarsimp cong: endpoint.case_cong thread_get_def get_thread_state_def)
apply (rule hoare_pre)
apply (wp setup_caller_cap_domain_sep_inv dxo_wp_weak
| wpc | simp split del: split_if)+
| wpc | simp split del: if_split)+
apply(rule_tac Q="\<lambda> r s. domain_sep_inv irqs st s" in hoare_strengthen_post)
apply(wp do_ipc_transfer_domain_sep_inv hoare_vcg_all_lift | wpc | simp)+
apply(wp hoare_vcg_imp_lift [OF set_endpoint_get_tcb, unfolded disj_not1] hoare_vcg_all_lift get_endpoint_wp
@ -1064,7 +1064,7 @@ lemma receive_ipc_domain_sep_inv:
apply (rule hoare_seq_ext[OF _ get_endpoint_sp])
apply (rule hoare_seq_ext[OF _ gbn_sp])
apply (case_tac ntfnptr, simp)
apply (wp receive_ipc_base_domain_sep_inv get_ntfn_wp | simp split: split_if option.splits)+
apply (wp receive_ipc_base_domain_sep_inv get_ntfn_wp | simp split: if_split option.splits)+
done
lemma send_fault_ipc_domain_sep_inv:
@ -1077,7 +1077,7 @@ lemma send_fault_ipc_domain_sep_inv:
apply(wp send_ipc_domain_sep_inv thread_set_valid_objs thread_set_tcb_fault_update_valid_mdb
thread_set_refs_trivial thread_set_obj_at_impossible
hoare_vcg_ex_lift
| wpc| simp add: Let_def split_def lookup_cap_def valid_tcb_fault_update split del: split_if)+
| wpc| simp add: Let_def split_def lookup_cap_def valid_tcb_fault_update split del: if_split)+
apply (wpe get_cap_inv[where P="domain_sep_inv irqs st and valid_objs and valid_mdb
and sym_refs o state_refs_of"])
apply (wp | simp)+
@ -1210,7 +1210,7 @@ lemma invoke_tcb_domain_sep_inv:
apply(case_tac tinv)
apply((wp restart_domain_sep_inv hoare_vcg_if_lift mapM_x_wp[OF _ subset_refl]
| wpc
| simp split del: split_if add: check_cap_at_def
| simp split del: if_split add: check_cap_at_def
| clarsimp)+)[3]
defer
apply((wp | simp )+)[2]
@ -1275,10 +1275,10 @@ lemma handle_invocation_domain_sep_inv:
\<lbrace>\<lambda>_. domain_sep_inv irqs st\<rbrace>"
apply (simp add: handle_invocation_def ts_Restart_case_helper split_def
liftE_liftM_liftME liftME_def bindE_assoc
split del: split_if)
split del: if_split)
apply(wp syscall_valid perform_invocation_domain_sep_inv
set_thread_state_runnable_valid_sched
| simp split del: split_if)+
| simp split del: if_split)+
apply(rule_tac E="\<lambda>ft. domain_sep_inv irqs st and
valid_objs and
sym_refs \<circ> state_refs_of and
@ -315,7 +315,7 @@ lemma caps_of_state_transform_opt_cap_rev:
apply (clarsimp simp:valid_objs_def dom_def)
apply (drule_tac x=a in spec, clarsimp)
apply (case_tac aa, simp_all add: object_slots_def caps_of_state_def2 nat_split_conv_to_if
split: split_if_asm)
split: if_split_asm)
apply (clarsimp simp:valid_obj_def valid_cs_def valid_cs_size_def)
apply (clarsimp simp:transform_cnode_contents_def)
apply (rule_tac x=z in exI, simp)
@ -331,7 +331,7 @@ lemma caps_of_state_transform_opt_cap_rev:
apply (rule nat_to_bl_to_bin, simp+)
apply (drule valid_etcbs_tcb_etcb [rotated], fastforce)
apply clarsimp
apply (clarsimp simp:transform_tcb_def tcb_slot_defs split:split_if_asm)
apply (clarsimp simp:transform_tcb_def tcb_slot_defs split:if_split_asm)
apply (clarsimp simp: is_null_cap_def is_bound_ntfn_cap_def infer_tcb_bound_notification_def
split: option.splits)
apply (simp add:is_thread_state_cap_def infer_tcb_pending_op_def is_null_cap_def is_real_cap_def
@ -344,13 +344,13 @@ lemma caps_of_state_transform_opt_cap_rev:
apply (subst bl_to_bin_tcb_cnode_index_le0; simp)
apply (rename_tac arch_kernel_obj)
apply (case_tac arch_kernel_obj; simp)
apply (clarsimp simp:transform_asid_pool_contents_def unat_map_def split:split_if_asm)
apply (clarsimp simp:transform_asid_pool_contents_def unat_map_def split:if_split_asm)
apply (clarsimp simp:is_real_cap_def is_null_cap_def transform_asid_pool_entry_def
split:option.splits)
apply (clarsimp simp:transform_page_table_contents_def unat_map_def split:split_if_asm)
apply (clarsimp simp:transform_page_table_contents_def unat_map_def split:if_split_asm)
apply (clarsimp simp:is_real_cap_def is_null_cap_def transform_pte_def
split:ARM_A.pte.splits)
apply (clarsimp simp:transform_page_directory_contents_def unat_map_def split:split_if_asm)
apply (clarsimp simp:transform_page_directory_contents_def unat_map_def split:if_split_asm)
apply (clarsimp simp:is_real_cap_def is_null_cap_def transform_pde_def
split:ARM_A.pde.splits)
done
@ -371,7 +371,7 @@ lemma opt_cap_None_word_bits:
apply (drule invs_valid_objs)
apply (simp add:object_slots_def valid_objs_def)
apply (case_tac aa, simp_all add: nat_split_conv_to_if
split: split_if_asm)
split: if_split_asm)
apply (clarsimp simp:transform_cnode_contents_def object_slots_def)
apply (drule_tac x=a in bspec)
apply (simp add:dom_def)+
@ -438,9 +438,9 @@ lemma thread_states_transform:
apply simp
apply (rule notI, drule invs_valid_idle, simp add:valid_idle_def pred_tcb_def2)
apply (simp add:infer_tcb_pending_op_def, case_tac "tcb_state a",
(simp add:split_if_asm| erule disjE)+)
(simp add:if_split_asm| erule disjE)+)
apply (simp add:infer_tcb_pending_op_def cdl_cap_auth_conferred_def,
case_tac "tcb_state a", (simp add:split_if_asm| erule disjE)+)
case_tac "tcb_state a", (simp add:if_split_asm| erule disjE)+)
done
lemma thread_bound_ntfns_transform:
@ -473,23 +473,23 @@ lemma thread_state_cap_transform_tcb:
apply (clarsimp simp: map_add_def object_slots_def)
apply (simp add:get_tcb_def object_slots_def)
apply (case_tac aa, simp_all add: nat_split_conv_to_if
split: split_if_asm)
split: if_split_asm)
apply (clarsimp simp:transform_cnode_contents_def)
apply (case_tac z, simp_all add:is_thread_state_cap_def split:split_if_asm)
apply (case_tac z, simp_all add:is_thread_state_cap_def split:if_split_asm)
apply (rename_tac arch_cap)
apply (case_tac arch_cap; simp)
apply (clarsimp simp:transform_cnode_contents_def)
apply (case_tac z, simp_all add:is_thread_state_cap_def split:split_if_asm)
apply (case_tac z, simp_all add:is_thread_state_cap_def split:if_split_asm)
apply (rename_tac arch_cap)
apply (case_tac arch_cap; simp)
apply (rename_tac arch_kernel_obj)
apply (case_tac arch_kernel_obj; simp)
apply (clarsimp simp:transform_asid_pool_contents_def unat_map_def transform_asid_pool_entry_def
split:split_if_asm option.splits)
split:if_split_asm option.splits)
apply (clarsimp simp:transform_page_table_contents_def unat_map_def transform_pte_def
split:split_if_asm ARM_A.pte.splits)
split:if_split_asm ARM_A.pte.splits)
apply (clarsimp simp:transform_page_directory_contents_def unat_map_def transform_pde_def
split:split_if_asm ARM_A.pde.splits)
split:if_split_asm ARM_A.pde.splits)
done
@ -514,12 +514,12 @@ lemma thread_bound_ntfn_cap_transform_tcb:
apply (clarsimp simp:transform_cnode_contents_def)
apply (clarsimp simp:transform_cnode_contents_def)
apply (rename_tac arch_obj)
apply (case_tac arch_obj;clarsimp simp:transform_asid_pool_contents_def unat_map_def split:split_if_asm)
apply (case_tac arch_obj;clarsimp simp:transform_asid_pool_contents_def unat_map_def split:if_split_asm)
apply (clarsimp simp:transform_asid_pool_entry_def is_bound_ntfn_cap_def split:option.splits)
apply (clarsimp simp:transform_page_table_contents_def unat_map_def transform_pte_def is_bound_ntfn_cap_def
split:split_if_asm ARM_A.pte.splits)
split:if_split_asm ARM_A.pte.splits)
apply (clarsimp simp:transform_page_directory_contents_def unat_map_def transform_pde_def is_bound_ntfn_cap_def
split:split_if_asm ARM_A.pde.splits)
split:if_split_asm ARM_A.pde.splits)
done
@ -532,10 +532,10 @@ lemma thread_states_transform_rev:
apply (clarsimp simp:thread_states_def tcb_states_of_state_def)
apply (frule valid_etcbs_get_tcb_get_etcb[rotated], fastforce)
apply (frule_tac sl=b in opt_cap_tcb, assumption, simp)
apply (clarsimp split:split_if_asm)
apply (case_tac "aa tcb", simp_all add:is_thread_state_cap_def split:split_if_asm)
apply (clarsimp split:if_split_asm)
apply (case_tac "aa tcb", simp_all add:is_thread_state_cap_def split:if_split_asm)
apply (rename_tac arch_cap)
apply (case_tac "arch_cap", simp_all split:split_if_asm)
apply (case_tac "arch_cap", simp_all split:if_split_asm)
apply (case_tac "tcb_state tcb", auto simp:infer_tcb_pending_op_def cdl_cap_auth_conferred_def
infer_tcb_bound_notification_def split: option.splits)
done
@ -549,10 +549,10 @@ lemma thread_bound_ntfns_transform_rev:
apply (clarsimp simp:thread_bound_ntfns_def)
apply (frule valid_etcbs_get_tcb_get_etcb[rotated], fastforce)
apply (frule_tac sl=b in opt_cap_tcb, assumption, simp)
apply (clarsimp split:split_if_asm)
apply (case_tac "tcb"; simp add:is_thread_state_cap_def is_bound_ntfn_cap_def split:split_if_asm)
apply (clarsimp split:if_split_asm)
apply (case_tac "tcb"; simp add:is_thread_state_cap_def is_bound_ntfn_cap_def split:if_split_asm)
apply (rename_tac arch_cap)
apply (case_tac "arch_cap", simp_all split:split_if_asm)
apply (case_tac "arch_cap", simp_all split:if_split_asm)
apply (clarsimp simp: infer_tcb_pending_op_def split: Structures_A.thread_state.splits)
apply (case_tac "tcb_bound_notification tcb",
auto simp: infer_tcb_pending_op_def cdl_cap_auth_conferred_def
@ -704,16 +704,16 @@ lemma state_vrefs_transform_rev:
apply (clarsimp simp:state_vrefs_def transform_def transform_objects_def
opt_cap_def slots_of_def opt_object_def)
apply (case_tac aa, simp_all add: transform_object_def object_slots_def nat_split_conv_to_if
split: split_if_asm)
split: if_split_asm)
apply (clarsimp simp:transform_cnode_contents_def is_real_cap_transform)
apply (clarsimp simp:transform_cnode_contents_def is_real_cap_transform)
apply (frule valid_etcbs_tcb_etcb [rotated], fastforce)
apply (clarsimp simp: transform_tcb_def is_real_cap_transform is_real_cap_infer_tcb_pending_op
is_real_cap_infer_tcb_bound_notification
split:split_if_asm)
split:if_split_asm)
apply (rename_tac arch_kernel_obj)
apply (case_tac arch_kernel_obj, simp_all add:vs_refs_no_global_pts_def graph_of_def)
apply (clarsimp simp:transform_asid_pool_contents_def unat_map_def split:split_if_asm)
apply (clarsimp simp:transform_asid_pool_contents_def unat_map_def split:if_split_asm)
apply (rule exI)
apply (rename_tac "fun")
apply (case_tac "fun (of_nat b)")
@ -722,7 +722,7 @@ lemma state_vrefs_transform_rev:
apply (clarsimp simp:transform_asid_pool_entry_def cdl_cap_auth_conferred_def)
apply simp
apply (clarsimp simp:transform_asid_pool_entry_def)
apply (clarsimp simp:transform_page_table_contents_def unat_map_def split:split_if_asm)
apply (clarsimp simp:transform_page_table_contents_def unat_map_def split:if_split_asm)
apply (rule exI)+
apply (drule pte_ref_transform_rev)
apply safe[1]
@ -730,7 +730,7 @@ lemma state_vrefs_transform_rev:
apply (rule_tac x="(ptr', auth)" in image_eqI)
apply simp
apply simp
apply (clarsimp simp:transform_page_directory_contents_def unat_map_def split:split_if_asm)
apply (clarsimp simp:transform_page_directory_contents_def unat_map_def split:if_split_asm)
apply (subgoal_tac "(of_nat b :: 12 word) < ucast (kernel_base >> 20)")
prefer 2
apply (subst word_not_le[symmetric])
@ -752,7 +752,7 @@ lemma cdl_cdt_transform_rev:
"\<lbrakk> invs s; cdl_cdt (transform s) slot' = Some slot \<rbrakk> \<Longrightarrow>
\<exists>ptr' ptr. slot' = transform_cslot_ptr ptr' \<and> slot = transform_cslot_ptr ptr \<and>
cdt s ptr' = Some ptr"
apply (clarsimp simp:cdt_transform map_lift_over_def split:split_if_asm)
apply (clarsimp simp:cdt_transform map_lift_over_def split:if_split_asm)
apply (rule_tac x=a in exI, rule_tac x=b in exI)
apply (subst (asm) inv_into_f_f)
apply (rule subset_inj_on)
@ -832,7 +832,7 @@ lemma state_objs_transform_rev:
apply simp
apply (subst (asm) untyped_range_transform[symmetric])
apply (simp add:is_untyped_cap_def transform_cap_def
split:cap.splits arch_cap.splits split_if_asm)
split:cap.splits arch_cap.splits if_split_asm)
apply simp
apply (simp add:cdl_cap_auth_conferred_def is_untyped_cap_def split:cdl_cap.splits)
apply clarsimp
@ -841,7 +841,7 @@ lemma state_objs_transform_rev:
apply simp
apply (subst (asm) obj_refs_transform[symmetric])
apply (simp add:is_untyped_cap_def transform_cap_def
split:cap.splits arch_cap.splits split_if_asm)
split:cap.splits arch_cap.splits if_split_asm)
apply simp
apply (simp add:cap_auth_conferred_transform)
apply (drule cdl_cdt_transform_rev [rotated], simp+)
@ -952,20 +952,20 @@ lemma opt_cap_Some_asid_real:
apply (case_tac "kheap s a")
apply (clarsimp simp: map_add_def object_slots_def)
apply (case_tac aa, simp_all add:object_slots_def valid_objs_def nat_split_conv_to_if
split: split_if_asm)
split: if_split_asm)
apply (clarsimp simp:transform_cnode_contents_def is_real_cap_transform)
apply (clarsimp simp:transform_cnode_contents_def is_real_cap_transform)
apply (frule valid_etcbs_tcb_etcb[rotated], fastforce)
apply (clarsimp simp: transform_tcb_def tcb_slot_defs is_real_cap_infer_tcb_bound_notification
is_real_cap_transform is_real_cap_infer_tcb_pending_op
split: split_if_asm)
split: if_split_asm)
apply (rename_tac arch_kernel_obj)
apply (case_tac arch_kernel_obj; simp)
apply (clarsimp simp:transform_asid_pool_contents_def unat_map_def split:split_if_asm)
apply (clarsimp simp:transform_asid_pool_contents_def unat_map_def split:if_split_asm)
apply (clarsimp simp:transform_asid_pool_entry_def split:option.splits)
apply (clarsimp simp:transform_page_table_contents_def unat_map_def split:split_if_asm)
apply (clarsimp simp:transform_page_table_contents_def unat_map_def split:if_split_asm)
apply (clarsimp simp:transform_pte_def split:ARM_A.pte.splits)
apply (clarsimp simp:transform_page_directory_contents_def unat_map_def split:split_if_asm)
apply (clarsimp simp:transform_page_directory_contents_def unat_map_def split:if_split_asm)
apply (clarsimp simp:transform_pde_def split:ARM_A.pde.splits)
done
@ -994,11 +994,11 @@ lemma state_vrefs_asid_pool_transform_rev:
apply (drule bspec)
apply fastforce
apply (case_tac a, simp_all add:transform_object_def object_slots_def)
apply (clarsimp simp:obj_at_def a_type_def split:split_if_asm)+
apply (clarsimp simp:obj_at_def a_type_def split:if_split_asm)+
apply (rename_tac arch_kernel_obj)
apply (case_tac arch_kernel_obj; simp add:vs_refs_no_global_pts_def graph_of_def)
apply (simp add:transform_asid_pool_contents_def unat_map_def transform_asid_low_bits_of
split:split_if_asm)
split:if_split_asm)
apply (rule_tac x="(ucast asid, cap_object pdcap)" in image_eqI)
apply (simp add:mask_asid_low_bits_ucast_ucast)
apply (clarsimp simp:transform_asid_pool_entry_def split:option.splits)
@ -1114,9 +1114,9 @@ proof -
apply (cases)
using e
apply (clarsimp simp: transform_def transform_objects_def restrict_map_def
split: split_if_asm Structures_A.kernel_object.splits)
split: if_split_asm Structures_A.kernel_object.splits)
apply (case_tac z, simp_all add: nat_split_conv_to_if
split: split_if_asm)
split: if_split_asm)
prefer 2
apply (rename_tac arch_kernel_obj)
apply (case_tac arch_kernel_obj; simp)
@ -519,7 +519,7 @@ lemma s1_caps_of_state :
apply (case_tac p, clarsimp)
apply (clarsimp split: if_splits)
apply (clarsimp simp: cte_wp_at_cases tcb_cap_cases_def
split: split_if_asm)+
split: if_split_asm)+
apply (clarsimp simp: caps1_7_def split: if_splits)
apply (clarsimp simp: caps1_6_def cte_wp_at_cases split: if_splits)
done
@ -1089,7 +1089,7 @@ lemma "pas_refined Sys2PAS s2"
Sys2AgentMap_simps
Sys2AuthGraph_def Sys2AuthGraph_aux_def
complete_AuthGraph_def
split: split_if_asm)[1]
split: if_split_asm)[1]
apply (drule s2_caps_of_state, clarsimp)
apply (elim disjE, simp_all)[1]
apply (clarsimp simp: state_refs_of_def s2_def kh2_def kh2_obj_def
@ -166,7 +166,7 @@ lemma sbn_pas_refined[wp]:
apply (clarsimp dest!: auth_graph_map_memD)
apply (erule state_bits_to_policy.cases)
apply (auto intro: state_bits_to_policy.intros auth_graph_map_memI
split: split_if_asm)
split: if_split_asm)
done
lemma unbind_notification_pas_refined[wp]:
@ -320,7 +320,7 @@ lemma fast_finalise_respects[wp]:
apply (wp unbind_maybe_notification_valid_objs get_ntfn_wp unbind_maybe_notification_respects
| wpc
| simp add: cap_auth_conferred_def cap_rights_to_auth_def aag_cap_auth_def when_def
split: split_if_asm
split: if_split_asm
| fastforce)+
apply (clarsimp simp: obj_at_def valid_cap_def is_ntfn invs_def valid_state_def valid_pspace_def
split: option.splits)+
@ -440,7 +440,7 @@ lemma finalise_cap_respects[wp]:
apply ((wp unbind_maybe_notification_valid_objs get_ntfn_wp
unbind_maybe_notification_respects
| wpc
| simp add: cap_auth_conferred_def cap_rights_to_auth_def aag_cap_auth_def split: split_if_asm
| simp add: cap_auth_conferred_def cap_rights_to_auth_def aag_cap_auth_def split: if_split_asm
| fastforce)+)[3]
apply (clarsimp simp: obj_at_def valid_cap_def is_ntfn invs_def
valid_state_def valid_pspace_def
@ -455,18 +455,18 @@ lemma finalise_cap_respects[wp]:
| clarsimp simp: cap_auth_conferred_def cap_rights_to_auth_def aag_cap_auth_def
unbind_maybe_notification_def
elim!: pas_refined_Control[symmetric]
| simp add: if_apply_def2 split del: split_if )+
| simp add: if_apply_def2 split del: if_split )+
apply (clarsimp simp: valid_cap_def pred_tcb_at_def obj_at_def is_tcb
dest!: tcb_at_ko_at)
apply (clarsimp split: option.splits elim!: pas_refined_Control[symmetric])
apply (frule bound_tcb_at_implies_reset, fastforce simp add: pred_tcb_at_def obj_at_def)
apply (drule pas_refined_Control, simp, simp)
(* other caps *)
apply (wp | simp add: if_apply_def2 split del: split_if
apply (wp | simp add: if_apply_def2 split del: if_split
| clarsimp simp: cap_auth_conferred_def cap_rights_to_auth_def is_cap_simps
pas_refined_all_auth_is_owns aag_cap_auth_def
deleting_irq_handler_def cap_links_irq_def invs_valid_objs
split del: split_if
split del: if_split
elim!: pas_refined_Control [symmetric])+
done
@ -502,16 +502,16 @@ lemma finalise_cap_auth':
finalise_cap cap final
\<lbrace>\<lambda>rv s. pas_cap_cur_auth aag (fst rv)\<rbrace>"
apply (rule hoare_gen_asm)
apply (cases cap, simp_all add: arch_finalise_cap_def split del: split_if)
apply (cases cap, simp_all add: arch_finalise_cap_def split del: if_split)
apply (wp
| simp add: comp_def hoare_post_taut [where P = \<top>] del: hoare_post_taut split del: split_if
| simp add: comp_def hoare_post_taut [where P = \<top>] del: hoare_post_taut split del: if_split
| fastforce simp: aag_cap_auth_Zombie aag_cap_auth_CNode aag_cap_auth_Thread
)+
apply (rule hoare_pre)
apply (wp | simp)+
apply (rule hoare_pre)
apply (wp | wpc
| simp add: comp_def hoare_post_taut [where P = \<top>] del: hoare_post_taut split del: split_if)+
| simp add: comp_def hoare_post_taut [where P = \<top>] del: hoare_post_taut split del: if_split)+
done
lemma finalise_cap_obj_refs:
@ -789,7 +789,7 @@ lemma pas_refined_set_asid_table_empty_strg:
pas_refined aag (s\<lparr>arch_state := arch_state s \<lparr>arm_asid_table := (arm_asid_table (arch_state s))(base \<mapsto> pool)\<rparr>\<rparr>)"
apply (clarsimp simp: pas_refined_def state_objs_to_policy_def)
apply (erule state_asids_to_policy_aux.cases)
apply(simp_all split: split_if_asm)
apply(simp_all split: if_split_asm)
prefer 2
apply (clarsimp simp: state_vrefs_def obj_at_def vs_refs_no_global_pts_def)
apply (auto intro: state_asids_to_policy_aux.intros auth_graph_map_memI[OF sbta_vref] pas_refined_refl[simplified pas_refined_def state_objs_to_policy_def])[3]
@ -843,7 +843,7 @@ proof (induct rule: cap_revoke.induct[where ?a1.0=s])
apply (wp "1.hyps", assumption+)
apply ((wp preemption_point_inv' | simp add: integrity_subjects_def pas_refined_def)+)[1]
apply (wp select_ext_weak_wp cap_delete_respects cap_delete_pas_refined
| simp split del: split_if | wp_once hoare_vcg_const_imp_lift hoare_drop_imps)+
| simp split del: if_split | wp_once hoare_vcg_const_imp_lift hoare_drop_imps)+
apply (auto simp: emptyable_def dest: descendants_of_owned reply_slot_not_descendant)
done
qed
@ -882,14 +882,14 @@ lemma finalise_cap_caps_of_state_nullinv:
"\<lbrace>\<lambda>s. P (caps_of_state s) \<and> (\<forall>p. P (caps_of_state s(p \<mapsto> cap.NullCap)))\<rbrace>
finalise_cap cap final
\<lbrace>\<lambda>rv s. P (caps_of_state s)\<rbrace>"
apply (cases cap, simp_all split del: split_if)
apply (cases cap, simp_all split del: if_split)
apply (wp suspend_caps_of_state unbind_notification_caps_of_state
unbind_notification_cte_wp_at
hoare_vcg_all_lift hoare_drop_imps
| simp split del: split_if
| simp split del: if_split
| fastforce simp: fun_upd_def )+
apply (rule hoare_pre)
apply (wp deleting_irq_handler_caps_of_state_nullinv | clarsimp split del: split_if | fastforce simp: fun_upd_def)+
apply (wp deleting_irq_handler_caps_of_state_nullinv | clarsimp split del: if_split | fastforce simp: fun_upd_def)+
done
lemma finalise_cap_cte_wp_at_nullinv:
@ -903,8 +903,8 @@ lemma finalise_cap_cte_wp_at_nullinv:
lemma finalise_cap_fst_ret:
"\<lbrace>\<lambda>s. P cap.NullCap \<and> (\<forall>a b c. P (cap.Zombie a b c)) \<rbrace> finalise_cap cap is_final\<lbrace>\<lambda>rv s. P (fst rv)\<rbrace>"
apply (cases cap, simp_all add: arch_finalise_cap_def split del: split_if)
apply (wp | simp add: comp_def split del: split_if | fastforce)+
apply (cases cap, simp_all add: arch_finalise_cap_def split del: if_split)
apply (wp | simp add: comp_def split del: if_split | fastforce)+
apply (rule hoare_pre)
apply (wp | simp | (rule hoare_pre, wpc))+
done
@ -1057,7 +1057,7 @@ lemma invoke_cnode_pas_refined:
apply (wp cap_insert_pas_refined cap_delete_pas_refined cap_revoke_pas_refined
get_cap_wp
| wpc
| simp split del: split_if)+
| simp split del: if_split)+
apply (cases ci, simp_all add: authorised_cnode_inv_def
cnode_inv_auth_derivations_def integrity_def)
apply (clarsimp simp: cte_wp_at_caps_of_state pas_refined_refl cap_links_irq_def
@ -87,7 +87,7 @@ lemma decode_irq_control_invocation_authorised [wp]:
unfolding decode_irq_control_invocation_def authorised_irq_ctl_inv_def arch_check_irq_def
apply (rule hoare_gen_asmE)
apply (rule hoare_pre)
apply (simp add: Let_def split del: split_if cong: if_cong)
apply (simp add: Let_def split del: if_split cong: if_cong)
apply (wp whenE_throwError_wp hoare_vcg_imp_lift hoare_drop_imps
| strengthen aag_Control_owns_strg
| simp add: o_def del: hoare_post_taut hoare_True_E_R)+
@ -105,7 +105,7 @@ lemma decode_irq_handler_invocation_authorised [wp]:
\<lbrace>\<lambda>x s. authorised_irq_hdl_inv aag x\<rbrace>, -"
unfolding decode_irq_handler_invocation_def authorised_irq_hdl_inv_def
apply (rule hoare_pre)
apply (simp add: Let_def split_def split del: split_if cong: if_cong)
apply (simp add: Let_def split_def split del: if_split cong: if_cong)
apply wp
apply (auto dest!: hd_in_set)
done
@ -183,10 +183,10 @@ lemma dmo_storeWord_respects_ipc:
apply (simp add: storeWord_def)
apply (wp dmo_wp)
apply clarsimp
apply (simp add: integrity_def split del: split_if)
apply (clarsimp split del: split_if)
apply (simp add: integrity_def split del: if_split)
apply (clarsimp split del: if_split)
apply (case_tac "x \<in> ptr_range (buf + of_nat p * of_nat word_size) 2")
apply (clarsimp simp add: st_tcb_at_tcb_states_of_state split del: split_if)
apply (clarsimp simp add: st_tcb_at_tcb_states_of_state split del: if_split)
apply (rule trm_ipc [where p' = thread])
apply simp
apply assumption
@ -263,7 +263,7 @@ lemma lookup_ipc_buffer_has_auth [wp]:
apply simp
apply (drule (1) cap_auth_caps_of_state)
apply (clarsimp simp: aag_cap_auth_def cap_auth_conferred_def vspace_cap_rights_to_auth_def
vm_read_write_def is_page_cap_def split: split_if_asm)
vm_read_write_def is_page_cap_def split: if_split_asm)
apply (drule bspec)
apply (erule (3) ipcframe_subset_page)
apply simp
@ -331,13 +331,13 @@ lemma set_mrs_respects_in_signalling':
apply (simp add: set_mrs_def split_def set_object_def)
apply (wp gets_the_wp get_wp put_wp
| wpc
| simp split del: split_if
| simp split del: if_split
add: zipWithM_x_mapM_x split_def store_word_offs_def fun_upd_def[symmetric])+
apply (rule hoare_post_imp [where Q = "\<lambda>rv. st_tcb_at (op = Structures_A.Running) thread and integrity aag X st"])
apply simp
apply (wp mapM_x_wp' dmo_storeWord_respects_ipc [where thread = thread and ep = ep])
apply (fastforce simp add: set_zip nth_append simp: msg_align_bits msg_max_length_def
split: split_if_asm)
split: if_split_asm)
apply wp
apply (rule impI)
apply (subgoal_tac "\<forall>c'. integrity aag X st
@ -382,7 +382,7 @@ lemma lookup_ipc_buffer_ptr_range:
apply (drule get_tcb_SomeD)+
apply (erule(1) valid_objsE)
apply (clarsimp simp: valid_obj_def valid_tcb_def valid_ipc_buffer_cap_def case_bool_if
split: split_if_asm)
split: if_split_asm)
apply (erule integrity_obj.cases, simp_all add: get_tcb_def vm_read_write_def)
apply auto
done
@ -699,10 +699,10 @@ next
thus ?case
apply (cases m)
apply (clarsimp simp add: Let_def split_def whenE_def
cong: if_cong list.case_cong split del: split_if)
cong: if_cong list.case_cong split del: if_split)
apply (rule hoare_pre)
apply (wp eb [OF nN] hoare_vcg_const_imp_lift hoare_vcg_const_Ball_lift
| assumption | simp split del: split_if)+
| assumption | simp split del: if_split)+
apply (rule cap_insert_assume_null)
apply (wp x hoare_vcg_const_Ball_lift cap_insert_cte_wp_at)
@ -721,7 +721,7 @@ next
apply (clarsimp simp: cte_wp_at_caps_of_state
ex_cte_cap_to_cnode_always_appropriate_strg
real_cte_tcb_valid caps_of_state_valid
split del: split_if)
split del: if_split)
apply (clarsimp simp: remove_rights_def caps_of_state_valid
neq_Nil_conv cte_wp_at_caps_of_state
imp_conjR[symmetric] cap_master_cap_masked_as_full
@ -817,7 +817,7 @@ lemma remove_rights_clas [simp]:
lemma remove_rights_cap_auth_conferred_subset:
"x \<in> cap_auth_conferred (remove_rights R cap) \<Longrightarrow> x \<in> cap_auth_conferred cap"
unfolding remove_rights_def cap_rights_update_def
apply (clarsimp split: split_if_asm cap.splits arch_cap.splits
apply (clarsimp split: if_split_asm cap.splits arch_cap.splits
simp: cap_auth_conferred_def vspace_cap_rights_to_auth_def acap_rights_update_def
validate_vm_rights_def vm_read_only_def vm_kernel_only_def)
apply (erule set_mp [OF cap_rights_to_auth_mono, rotated], clarsimp)+
@ -857,7 +857,7 @@ next
case (Cons c caps')
show ?case using Cons.prems
apply (cases c)
apply (simp split del: split_if cong: if_cong)
apply (simp split del: if_split cong: if_cong)
apply (rule hoare_pre)
apply (wp)
apply (elim conjE, erule subst, rule Cons.hyps)
@ -866,7 +866,7 @@ next
apply (fastforce dest: in_set_dropD in_set_dropD[where n=1, folded tl_drop_1])
apply (wp cap_insert_pas_refined hoare_vcg_ball_lift hoare_whenE_wp hoare_drop_imps
derive_cap_aag_caps
| simp split del: split_if add: if_apply_def2)+
| simp split del: if_split add: if_apply_def2)+
done
qed
@ -1018,7 +1018,7 @@ lemma send_ipc_pas_refined:
apply (wp set_thread_state_pas_refined)
apply wpc
apply (wp set_thread_state_pas_refined)
apply (simp add: hoare_if_r_and split del:split_if)
apply (simp add: hoare_if_r_and split del:if_split)
apply (rename_tac list x xs recv_state)
apply (rule_tac Q="\<lambda>rv. pas_refined aag and K (can_grant \<longrightarrow> is_subject aag (hd list))"
in hoare_strengthen_post[rotated])
@ -1115,7 +1115,7 @@ lemma receive_ipc_base_pas_refined:
apply (clarsimp simp: thread_get_def cong: endpoint.case_cong)
apply (rule hoare_pre)
apply (wp static_imp_wp set_thread_state_pas_refined get_endpoint_wp
| wpc | simp add: thread_get_def do_nbrecv_failed_transfer_def split del: split_if)+
| wpc | simp add: thread_get_def do_nbrecv_failed_transfer_def split del: if_split)+
apply (simp add:aag_cap_auth_def clas_no_asid cli_no_irqs)
apply (rename_tac list sss data)
apply (rule_tac Q="\<lambda>rv s. pas_refined aag s \<and> (sender_can_grant data \<longrightarrow> is_subject aag (hd list))"
@ -1254,7 +1254,7 @@ lemma copy_mrs_integrity_autarch:
store_word_offs_integrity_autarch [where aag = aag and thread = receiver]
| wpc
| simp
| fastforce simp: length_msg_registers msg_align_bits split: split_if_asm)+
| fastforce simp: length_msg_registers msg_align_bits split: if_split_asm)+
done
(* FIXME: Why was the [wp] attribute clobbered by interpretation of the Arch locale? *)
@ -1520,7 +1520,7 @@ lemma auth_ipc_buffers_mem_Write:
apply (clarsimp simp: aag_cap_auth_def cap_auth_conferred_def
vspace_cap_rights_to_auth_def vm_read_write_def
is_page_cap_def
split: split_if_asm)
split: if_split_asm)
apply (auto dest: ipcframe_subset_page)
done
@ -1550,7 +1550,7 @@ lemma integrity_tcb_in_ipc_final:
apply (simp add: tcb_states_of_state_def get_tcb_def)
apply (simp add: tcb_states_of_state_def get_tcb_def)
apply (simp add: auth_ipc_buffers_def get_tcb_def
split: option.split_asm cap.split_asm arch_cap.split_asm split_if_asm split del: split_if)
split: option.split_asm cap.split_asm arch_cap.split_asm if_split_asm split del: if_split)
apply simp
done
@ -1594,7 +1594,7 @@ lemma as_user_respects_in_ipc:
apply (simp add: as_user_def set_object_def)
apply (wp gets_the_wp get_wp put_wp mapM_x_wp'
| wpc
| simp split del: split_if add: zipWithM_x_mapM_x split_def store_word_offs_def)+
| simp split del: if_split add: zipWithM_x_mapM_x split_def store_word_offs_def)+
apply (clarsimp simp: st_tcb_def2 tcb_at_def fun_upd_def[symmetric])
apply (auto elim: update_tcb_context_in_ipc)
done
@ -1681,7 +1681,7 @@ lemma set_original_respects_in_ipc_autarch:
apply (clarsimp simp: integrity_tcb_in_ipc_def)
apply (simp add: integrity_def
tcb_states_of_state_def get_tcb_def map_option_def
split del: split_if cong: if_cong)
split del: if_split cong: if_cong)
apply simp
apply (clarsimp simp: integrity_cdt_def)
done
@ -1695,7 +1695,7 @@ lemma update_cdt_fun_upd_respects_in_ipc_autarch:
apply wp
apply (clarsimp simp: integrity_tcb_in_ipc_def integrity_def
tcb_states_of_state_def get_tcb_def
split del: split_if cong: if_cong)
split del: if_split cong: if_cong)
apply simp
apply (clarsimp simp add: integrity_cdt_def)
done
@ -1721,13 +1721,13 @@ lemma cap_insert_ext_integrity_in_ipc:
|
|||
src_slot dest_slot src_p dest_p)
|
||||
\<lbrace>\<lambda>yd. integrity_tcb_in_ipc aag X receiver epptr ctxt st\<rbrace>"
|
||||
apply (rule hoare_gen_asm)+
|
||||
apply (simp add: integrity_tcb_in_ipc_def split del: split_if)
|
||||
apply (simp add: integrity_tcb_in_ipc_def split del: if_split)
|
||||
apply (unfold integrity_def)
|
||||
apply (simp only: integrity_cdt_list_as_list_integ)
|
||||
apply (rule hoare_lift_Pf[where f="ekheap"])
|
||||
apply (clarsimp simp: integrity_tcb_in_ipc_def integrity_def
|
||||
tcb_states_of_state_def get_tcb_def
|
||||
split del: split_if cong: if_cong)
|
||||
split del: if_split cong: if_cong)
|
||||
apply wp
|
||||
apply (rule hoare_vcg_conj_lift)
|
||||
apply (simp add: list_integ_def del: split_paired_All)
|
||||
|
@ -1748,7 +1748,7 @@ lemma cap_inserintegrity_in_ipc_autarch:
|
|||
update_cdt_fun_upd_respects_in_ipc_autarch
|
||||
set_cap_respects_in_ipc_autarch get_cap_wp
|
||||
cap_insert_ext_integrity_in_ipc
|
||||
| simp split del: split_if)+
|
||||
| simp split del: if_split)+
|
||||
done
|
||||
|
||||
lemma transfer_caps_loop_respects_in_ipc_autarch:
|
||||
|
@ -1812,7 +1812,7 @@ lemma copy_mrs_respects_in_ipc:
|
|||
mapM_wp'
|
||||
hoare_vcg_const_imp_lift hoare_vcg_all_lift
|
||||
| wpc
|
||||
| fastforce split: split_if_asm simp: length_msg_registers)+
|
||||
| fastforce split: if_split_asm simp: length_msg_registers)+
|
||||
done
|
||||
|
||||
lemma do_normal_transfer_respects_in_ipc:
|
||||
|
@ -1849,9 +1849,9 @@ lemma set_mrs_respects_in_ipc:
|
|||
apply (simp add: set_mrs_def set_object_def)
|
||||
apply (wp mapM_x_wp' store_word_offs_respects_in_ipc
|
||||
| wpc
|
||||
| simp split del: split_if add: zipWithM_x_mapM_x split_def)+
|
||||
| simp split del: if_split add: zipWithM_x_mapM_x split_def)+
|
||||
apply (clarsimp simp add: set_zip nth_append simp: msg_align_bits msg_max_length_def
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
apply (simp add: length_msg_registers)
|
||||
apply arith
|
||||
apply simp
|
||||
|
@ -1886,7 +1886,7 @@ lemma lookup_ipc_buffer_ptr_range_in_ipc:
|
|||
apply (drule get_tcb_SomeD)
|
||||
apply (erule(1) valid_objsE)
|
||||
apply (clarsimp simp: valid_obj_def valid_tcb_def valid_ipc_buffer_cap_def case_bool_if
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
apply (erule tcb_in_ipc.cases, simp_all)
|
||||
apply (clarsimp simp: get_tcb_def vm_read_write_def)
|
||||
apply (clarsimp simp: get_tcb_def vm_read_write_def)
|
||||
|
@ -2039,7 +2039,7 @@ lemma send_ipc_integrity_autarch:
|
|||
apply simp+
|
||||
apply (wp set_thread_state_integrity_autarch thread_get_wp' do_ipc_transfer_integrity_autarch
|
||||
hoare_vcg_all_lift hoare_drop_imps set_endpoinintegrity
|
||||
| wpc | simp add: get_thread_state_def split del: split_if
|
||||
| wpc | simp add: get_thread_state_def split del: if_split
|
||||
del: hoare_post_taut hoare_True_E_R)+
|
||||
apply clarsimp
|
||||
apply (intro conjI)
|
||||
|
@ -2139,7 +2139,7 @@ lemma send_fault_ipc_pas_refined:
|
|||
hoare_vcg_conj_lift hoare_vcg_ex_lift hoare_vcg_all_lift
|
||||
| wpc
|
||||
| rule hoare_drop_imps
|
||||
| simp add: split_def del: split_if)+
|
||||
| simp add: split_def del: if_split)+
|
||||
apply (rule_tac Q'="\<lambda>rv s. pas_refined aag s
|
||||
\<and> is_subject aag (cur_thread s)
|
||||
\<and> valid_objs s \<and> sym_refs (state_refs_of s)
|
||||
|
@ -2281,7 +2281,7 @@ lemma do_reply_transfer_pas_refined:
|
|||
apply (wp set_thread_state_pas_refined do_ipc_transfer_pas_refined
|
||||
thread_set_pas_refined_triv K_valid
|
||||
| wpc
|
||||
| simp add: thread_get_def split del: split_if)+
|
||||
| simp add: thread_get_def split del: if_split)+
|
||||
(* otherwise simp does too much *)
|
||||
apply (rule hoare_strengthen_post, rule gts_inv)
|
||||
apply (rule impI)
|
||||
|
@ -2303,7 +2303,7 @@ lemma do_reply_transfer_respects:
|
|||
do_ipc_transfer_integrity_autarch do_ipc_transfer_pas_refined
|
||||
thread_set_integrity_autarch
|
||||
handle_fault_reply_respects
|
||||
| wpc | simp split del: split_if)+
|
||||
| wpc | simp split del: if_split)+
|
||||
apply (clarsimp simp: tcb_at_def invs_mdb invs_valid_objs)
|
||||
done
|
||||
|
||||
|
|
|
@ -237,7 +237,7 @@ lemma init_arch_objects_integrity:
|
|||
\<lbrace>\<lambda>rv. integrity aag X st\<rbrace>"
|
||||
apply(rule hoare_gen_asm)+
|
||||
apply(cases new_type)
|
||||
apply(simp_all add: init_arch_objects_def split del: split_if)
|
||||
apply(simp_all add: init_arch_objects_def split del: if_split)
|
||||
apply(rule hoare_pre)
|
||||
apply(wpc
|
||||
| wp mapM_x_wp[OF _ subset_refl]
|
||||
|
@ -334,21 +334,21 @@ lemma sta_detype:
|
|||
"state_objs_to_policy (detype R s) \<subseteq> state_objs_to_policy s"
|
||||
apply (clarsimp simp add: state_objs_to_policy_def state_refs_of_detype)
|
||||
apply (erule state_bits_to_policy.induct)
|
||||
apply (auto intro: state_bits_to_policy.intros split: split_if_asm)
|
||||
apply (auto intro: state_bits_to_policy.intros split: if_split_asm)
|
||||
done
|
||||
|
||||
lemma sita_detype:
|
||||
"state_irqs_to_policy aag (detype R s) \<subseteq> state_irqs_to_policy aag s"
|
||||
apply (clarsimp)
|
||||
apply (erule state_irqs_to_policy_aux.induct)
|
||||
apply (auto simp: detype_def intro: state_irqs_to_policy_aux.intros split: split_if_asm)
|
||||
apply (auto simp: detype_def intro: state_irqs_to_policy_aux.intros split: if_split_asm)
|
||||
done
|
||||
|
||||
lemma sata_detype:
|
||||
"state_asids_to_policy aag (detype R s) \<subseteq> state_asids_to_policy aag s"
|
||||
apply (clarsimp)
|
||||
apply (erule state_asids_to_policy_aux.induct)
|
||||
apply (auto intro: state_asids_to_policy_aux.intros split: split_if_asm)
|
||||
apply (auto intro: state_asids_to_policy_aux.intros split: if_split_asm)
|
||||
done
|
||||
|
||||
(* FIXME: move *)
|
||||
|
@ -760,7 +760,7 @@ lemma use_retype_region_proofs_ext':
|
|||
\<and> caps_no_overlap ptr sz s \<and> pspace_no_overlap_range_cover ptr sz s
|
||||
\<and> (\<exists>slot. cte_wp_at (\<lambda>c. up_aligned_area ptr sz \<subseteq> cap_range c \<and> cap_is_device c = dev) slot s) \<and>
|
||||
P s \<and> R (retype_addrs ptr ty n us) s\<rbrace> retype_region ptr n us ty dev \<lbrace>Q\<rbrace>"
|
||||
apply (simp add: retype_region_def split del: split_if)
|
||||
apply (simp add: retype_region_def split del: if_split)
|
||||
apply (rule hoare_pre, (wp|simp)+)
|
||||
apply (rule retype_region_ext_kheap_update[OF y])
|
||||
apply (wp|simp)+
|
||||
|
@ -796,7 +796,7 @@ lemma retype_region_ext_pas_refined:
|
|||
apply (simp add: retype_region_ext_def, wp)
|
||||
apply (clarsimp simp: tcb_domain_map_wellformed_aux_def)
|
||||
apply (erule domains_of_state_aux.cases)
|
||||
apply (clarsimp simp: foldr_upd_app_if' fun_upd_def[symmetric] split: split_if_asm)
|
||||
apply (clarsimp simp: foldr_upd_app_if' fun_upd_def[symmetric] split: if_split_asm)
|
||||
apply (clarsimp simp: default_ext_def default_etcb_def split: apiobject_type.splits)
|
||||
defer
|
||||
apply (force intro: domtcbs)
|
||||
|
@ -1017,7 +1017,7 @@ lemma descendants_range_in_detype:
|
|||
apply(simp add: descendants_range_in_def)
|
||||
apply(rule ballI)
|
||||
apply(drule_tac x=p' in bspec, assumption)
|
||||
apply(clarsimp simp: null_filter_def split: split_if_asm)
|
||||
apply(clarsimp simp: null_filter_def split: if_split_asm)
|
||||
apply(rule conjI)
|
||||
apply(simp add: cte_wp_at_caps_of_state)
|
||||
apply(rule_tac t=a in ssubst[OF fst_conv[symmetric]])
|
||||
|
@ -1376,7 +1376,7 @@ lemma invoke_untyped_pas_refined:
|
|||
apply (clarsimp simp: retype_addrs_aligned_range_cover
|
||||
cte_wp_at_caps_of_state)
|
||||
apply (drule valid_global_refsD[rotated 2])
|
||||
apply (clarsimp simp: post_retype_invs_def split: split_if_asm)
|
||||
apply (clarsimp simp: post_retype_invs_def split: if_split_asm)
|
||||
apply (erule caps_of_state_cteD)
|
||||
apply (erule notE, erule subsetD[rotated])
|
||||
apply (rule order_trans, erule retype_addrs_subset_ptr_bits)
|
||||
|
@ -1402,7 +1402,7 @@ subsection{* decode *}
|
|||
lemma data_to_obj_type_ret_not_asid_pool:
|
||||
"\<lbrace> \<top> \<rbrace> data_to_obj_type arg \<lbrace> \<lambda>r s. r \<noteq> ArchObject ASIDPoolObj \<rbrace>,-"
|
||||
apply(clarsimp simp: validE_R_def validE_def valid_def)
|
||||
apply(auto simp: data_to_obj_type_def arch_data_to_obj_type_def throwError_def simp: returnOk_def bindE_def return_def bind_def lift_def split: split_if_asm)
|
||||
apply(auto simp: data_to_obj_type_def arch_data_to_obj_type_def throwError_def simp: returnOk_def bindE_def return_def bind_def lift_def split: if_split_asm)
|
||||
done
|
||||
|
||||
crunch inv[wp]: data_to_obj_type "P"
|
||||
|
@ -1462,11 +1462,11 @@ lemma decode_untyped_invocation_authorised:
|
|||
apply(wp dui_inv_wf | simp)+
|
||||
apply (clarsimp simp: decode_untyped_invocation_def split_def
|
||||
authorised_untyped_inv'_def
|
||||
split del: split_if split: untyped_invocation.splits)
|
||||
split del: if_split split: untyped_invocation.splits)
|
||||
(* need to hoist the is_cnode_cap assumption into postcondition later on *)
|
||||
|
||||
apply (simp add: unlessE_def[symmetric] whenE_def[symmetric] unlessE_whenE
|
||||
split del: split_if)
|
||||
split del: if_split)
|
||||
apply (wp whenE_throwError_wp hoare_vcg_all_lift mapME_x_inv_wp
|
||||
| simp split: untyped_invocation.splits
|
||||
| (auto)[1])+
|
||||
|
|
|
@ -100,7 +100,7 @@ lemma perform_invocation_respects:
|
|||
| wp_once hoare_pre_cont)+
|
||||
apply (clarsimp simp: authorised_invocation_def split: Invocations_A.invocation.splits)
|
||||
-- "EP case"
|
||||
apply (fastforce simp: obj_at_def is_tcb split: split_if_asm)
|
||||
apply (fastforce simp: obj_at_def is_tcb split: if_split_asm)
|
||||
-- "NTFN case"
|
||||
apply fastforce
|
||||
done
|
||||
|
@ -157,7 +157,7 @@ lemma decode_invocation_authorised:
|
|||
decode_arch_invocation_authorised
|
||||
| strengthen cnode_diminished_strg
|
||||
| wpc | simp add: comp_def authorised_invocation_def decode_invocation_def
|
||||
split del: split_if del: hoare_post_taut hoare_True_E_R
|
||||
split del: if_split del: hoare_post_taut hoare_True_E_R
|
||||
| wp_once hoare_FalseE_R)+
|
||||
|
||||
apply (clarsimp simp: aag_has_Control_iff_owns split_def aag_cap_auth_def)
|
||||
|
@ -312,7 +312,7 @@ lemma handle_invocation_pas_refined:
|
|||
hoare_vcg_conj_lift hoare_vcg_all_lift
|
||||
| wpc
|
||||
| rule hoare_drop_imps
|
||||
| simp add: if_apply_def2 conj_comms split del: split_if
|
||||
| simp add: if_apply_def2 conj_comms split del: if_split
|
||||
del: hoare_True_E_R)+),
|
||||
((wp lookup_extra_caps_auth lookup_extra_caps_authorised
|
||||
decode_invocation_authorised
|
||||
|
@ -320,7 +320,7 @@ lemma handle_invocation_pas_refined:
|
|||
lookup_cap_and_slot_cur_auth
|
||||
as_user_pas_refined
|
||||
lookup_cap_and_slot_valid_fault3
|
||||
| simp add: split comp_def runnable_eq_active del: split_if)+),
|
||||
| simp add: split comp_def runnable_eq_active del: if_split)+),
|
||||
(auto intro: guarded_to_cur_domain simp: ct_in_state_def st_tcb_at_def intro: if_live_then_nonz_capD)[1])+
|
||||
done
|
||||
|
||||
|
@ -340,8 +340,8 @@ lemma handle_invocation_respects:
|
|||
| rule hoare_drop_imps
|
||||
| wpc | simp add: if_apply_def2
|
||||
del: hoare_post_taut hoare_True_E_R
|
||||
split del: split_if)+
|
||||
apply (simp add: conj_comms pred_conj_def comp_def if_apply_def2 split del: split_if
|
||||
split del: if_split)+
|
||||
apply (simp add: conj_comms pred_conj_def comp_def if_apply_def2 split del: if_split
|
||||
| wp perform_invocation_respects set_thread_state_pas_refined
|
||||
set_thread_state_authorised
|
||||
set_thread_state_runnable_valid_sched
|
||||
|
@ -449,7 +449,7 @@ lemma ethread_set_time_slice_pas_refined[wp]:
|
|||
apply (erule_tac x="(a, b)" in ballE)
|
||||
apply force
|
||||
apply (erule notE)
|
||||
apply (erule domains_of_state_aux.cases, simp add: get_etcb_def split: split_if_asm)
|
||||
apply (erule domains_of_state_aux.cases, simp add: get_etcb_def split: if_split_asm)
|
||||
apply (force intro: domtcbs)+
|
||||
done
|
||||
|
||||
|
@ -495,7 +495,7 @@ lemma timer_tick_integrity[wp]:
|
|||
\<lbrace>\<lambda>_. integrity aag X st\<rbrace>"
|
||||
apply (simp add: timer_tick_def)
|
||||
apply (wp ethread_set_integrity_autarch gts_wp
|
||||
| wpc | simp add: thread_set_time_slice_def split del: split_if)+
|
||||
| wpc | simp add: thread_set_time_slice_def split del: if_split)+
|
||||
apply (clarsimp simp: ct_in_state_def st_tcb_at_def obj_at_def)
|
||||
done
|
||||
|
||||
|
@ -539,7 +539,7 @@ lemma handle_interrupt_integrity:
|
|||
apply (clarsimp simp: cte_wp_at_caps_of_state)
|
||||
apply (rule_tac s = s in hacky_ipc_Send [where irq = irq])
|
||||
apply (drule (1) cap_auth_caps_of_state)
|
||||
apply (clarsimp simp: aag_cap_auth_def is_cap_simps cap_auth_conferred_def cap_rights_to_auth_def split: split_if_asm)
|
||||
apply (clarsimp simp: aag_cap_auth_def is_cap_simps cap_auth_conferred_def cap_rights_to_auth_def split: if_split_asm)
|
||||
apply assumption+
|
||||
done
|
||||
|
||||
|
@ -1557,7 +1557,7 @@ crunch cur_thread[wp]: cancel_badged_sends "\<lambda>s. P (cur_thread s)" (wp: c
|
|||
lemma invoke_cnode_cur_thread[wp]: "\<lbrace>\<lambda>s. P (cur_thread s)\<rbrace> invoke_cnode a \<lbrace>\<lambda>r s. P (cur_thread s)\<rbrace>"
|
||||
apply (simp add: invoke_cnode_def)
|
||||
apply (rule hoare_pre)
|
||||
apply (wp hoare_drop_imps hoare_vcg_all_lift | wpc | simp add: without_preemption_def split del: split_if)+
|
||||
apply (wp hoare_drop_imps hoare_vcg_all_lift | wpc | simp add: without_preemption_def split del: if_split)+
|
||||
done
|
||||
|
||||
crunch cur_thread[wp]: handle_event "\<lambda>s. P (cur_thread s)"
|
||||
|
@ -1603,7 +1603,7 @@ lemma cap_revoke_idle_thread[wp]:"\<lbrace>\<lambda>s. P (idle_thread s)\<rbrace
|
|||
lemma invoke_cnode_idle_thread[wp]: "\<lbrace>\<lambda>s. P (idle_thread s)\<rbrace> invoke_cnode a \<lbrace>\<lambda>r s. P (idle_thread s)\<rbrace>"
|
||||
apply (simp add: invoke_cnode_def)
|
||||
apply (rule hoare_pre)
|
||||
apply (wp hoare_drop_imps hoare_vcg_all_lift | wpc | simp add: without_preemption_def split del: split_if)+
|
||||
apply (wp hoare_drop_imps hoare_vcg_all_lift | wpc | simp add: without_preemption_def split del: if_split)+
|
||||
done
|
||||
|
||||
crunch idle_thread[wp]: handle_event "\<lambda>s::det_state. P (idle_thread s)"
|
||||
|
@ -1619,7 +1619,7 @@ crunch cur_domain[wp]: transfer_caps_loop, ethread_set, thread_set_priority, se
|
|||
lemma invoke_cnode_cur_domain[wp]: "\<lbrace>\<lambda>s. P (cur_domain s)\<rbrace> invoke_cnode a \<lbrace>\<lambda>r s. P (cur_domain s)\<rbrace>"
|
||||
apply (simp add: invoke_cnode_def)
|
||||
apply (rule hoare_pre)
|
||||
apply (wp hoare_drop_imps hoare_vcg_all_lift | wpc | simp add: without_preemption_def split del: split_if)+
|
||||
apply (wp hoare_drop_imps hoare_vcg_all_lift | wpc | simp add: without_preemption_def split del: if_split)+
|
||||
done
|
||||
|
||||
crunch cur_domain[wp]: handle_event "\<lambda>s. P (cur_domain s)" (wp: syscall_valid select_wp crunch_wps check_cap_inv cap_revoke_preservation simp: crunch_simps filterM_mapM unless_def ignore: without_preemption check_cap_at filterM getActiveIRQ resetTimer ackInterrupt const_on_failure getFAR getDFSR getIFSR)
|
||||
|
|
|
@ -176,7 +176,7 @@ lemma set_priority_pas_refined[wp]:
|
|||
apply (erule_tac x="(a, b)" in ballE)
|
||||
apply simp
|
||||
apply (erule domains_of_state_aux.cases)
|
||||
apply (force intro: domtcbs split: split_if_asm)
|
||||
apply (force intro: domtcbs split: if_split_asm)
|
||||
done
|
||||
|
||||
lemma gts_test[wp]: "\<lbrace>\<top>\<rbrace> get_thread_state t \<lbrace>\<lambda>rv s. test rv = st_tcb_at test t s\<rbrace>"
|
||||
|
@ -360,7 +360,7 @@ lemma invoke_tcb_respects:
|
|||
apply (cases ti, simp_all add: hoare_conjD1 [OF invoke_tcb_tc_respects_aag [simplified simp_thms]]
|
||||
del: invoke_tcb.simps Tcb_AI.tcb_inv_wf.simps K_def)
|
||||
apply (safe intro!: hoare_gen_asm)
|
||||
apply ((wp itr_wps mapM_x_wp' | simp add: if_apply_def2 split del: split_if
|
||||
apply ((wp itr_wps mapM_x_wp' | simp add: if_apply_def2 split del: if_split
|
||||
| wpc | clarsimp simp: authorised_tcb_inv_def
|
||||
| rule conjI | subst(asm) idle_no_ex_cap)+)
|
||||
done
|
||||
|
@ -436,9 +436,9 @@ lemma decode_set_ipc_buffer_authorised:
|
|||
\<lbrace>\<lambda>rv s. authorised_tcb_inv aag rv\<rbrace>, -"
|
||||
unfolding decode_set_ipc_buffer_def authorised_tcb_inv_def
|
||||
apply (cases "excaps ! 0")
|
||||
apply (clarsimp cong: list.case_cong split del: split_if)
|
||||
apply (clarsimp cong: list.case_cong split del: if_split)
|
||||
apply (rule hoare_pre)
|
||||
apply (clarsimp simp: ball_Un aag_cap_auth_def split del: split_if split add: prod.split
|
||||
apply (clarsimp simp: ball_Un aag_cap_auth_def split del: if_split split: prod.split
|
||||
| strengthen stupid_strg
|
||||
| wp_once derive_cap_obj_refs_auth derive_cap_untyped_range_subset derive_cap_clas derive_cap_cli
|
||||
hoare_vcg_all_lift_R whenE_throwError_wp slot_long_running_inv
|
||||
|
@ -454,8 +454,8 @@ lemma decode_set_space_authorised:
|
|||
\<lbrace>\<lambda>rv s. authorised_tcb_inv aag rv\<rbrace>, -"
|
||||
unfolding decode_set_space_def authorised_tcb_inv_def
|
||||
apply (rule hoare_pre)
|
||||
apply (simp cong: list.case_cong split del: split_if)
|
||||
apply (clarsimp simp: ball_Un split del: split_if
|
||||
apply (simp cong: list.case_cong split del: if_split)
|
||||
apply (clarsimp simp: ball_Un split del: if_split
|
||||
| wp_once derive_cap_obj_refs_auth derive_cap_untyped_range_subset derive_cap_clas derive_cap_cli
|
||||
hoare_vcg_const_imp_lift_R hoare_vcg_all_lift_R whenE_throwError_wp slot_long_running_inv)+
|
||||
apply (clarsimp simp: not_less all_set_conv_all_nth dest!: P_0_1_spec)
|
||||
|
@ -475,10 +475,10 @@ lemma decode_set_space_authorised':
|
|||
apply (cases set_param)
|
||||
apply (simp_all add: is_thread_control_def decode_set_space_def authorised_tcb_inv_def
|
||||
cong: list.case_cong option.case_cong prod.case_cong
|
||||
split: prod.split_asm split del: split_if)
|
||||
split: prod.split_asm split del: if_split)
|
||||
apply (cases "excaps!0")
|
||||
apply (cases "excaps!Suc 0")
|
||||
apply (clarsimp simp: ball_Un split del: split_if split add: prod.split
|
||||
apply (clarsimp simp: ball_Un split del: if_split split: prod.split
|
||||
| strengthen stupid_strg
|
||||
| wp_once derive_cap_obj_refs_auth derive_cap_untyped_range_subset derive_cap_clas derive_cap_cli
|
||||
hoare_vcg_all_lift_R whenE_throwError_wp slot_long_running_inv)+
|
||||
|
|
|
@ -55,7 +55,7 @@ lemma globals_list_valid:
|
|||
apply (rule globals_list_valid_optimisation[OF _ _ globals_list_ok])
|
||||
apply (simp_all add: globals_list_def globals_list_valid_def
|
||||
global_data_defs
|
||||
del: distinct_prop.simps split del: split_if)
|
||||
del: distinct_prop.simps split del: if_split)
|
||||
apply (simp add: global_data_swappable_def global_data_def)
|
||||
apply (simp_all add: global_data_valid)
|
||||
apply (simp_all add: global_data_valid_def addressed_global_data_def
|
||||
|
|
|
@ -106,7 +106,7 @@ lemma bisim_rab:
|
|||
apply (auto intro!: bisim_underlyingI
|
||||
elim!: separate_cnode_capE
|
||||
simp: whenE_def in_monad Bex_def in_bindE word_bits_def in_get_cap_cte_wp_at cte_wp_at_caps_of_state
|
||||
simp del: add_is_0 split: split_if_asm)[1]
|
||||
simp del: add_is_0 split: if_split_asm)[1]
|
||||
apply simp
|
||||
apply (rule bisim_underlyingI)
|
||||
apply (clarsimp )
|
||||
|
@ -117,14 +117,14 @@ lemma bisim_rab:
|
|||
apply (drule (2) valid_sep_cap_not_cnode [where cref = cref])
|
||||
apply simp
|
||||
apply (fastforce simp: in_monad Bex_def in_bindE word_bits_def in_get_cap_cte_wp_at cte_wp_at_caps_of_state whenE_def
|
||||
simp del: add_is_0 split: split_if_asm)
|
||||
simp del: add_is_0 split: if_split_asm)
|
||||
apply clarsimp
|
||||
apply (erule separate_cnode_capE)
|
||||
apply (fastforce simp: word_bits_def in_monad)
|
||||
apply (drule (2) valid_sep_cap_not_cnode [where cref = cref])
|
||||
apply simp
|
||||
apply (fastforce simp: in_monad Bex_def in_bindE word_bits_def in_get_cap_cte_wp_at cte_wp_at_caps_of_state whenE_def
|
||||
simp del: add_is_0 split: split_if_asm)
|
||||
simp del: add_is_0 split: if_split_asm)
|
||||
done
|
||||
|
||||
|
||||
|
@ -359,9 +359,9 @@ lemma decode_invocation_bisim:
|
|||
unfolding decode_invocation_def Decode_A.decode_invocation_def
|
||||
apply (rule bisim_guard_imp)
|
||||
apply (rule bisim_separate_cap_cases [where cap = cap])
|
||||
apply (simp split del: split_if)
|
||||
apply (simp split del: if_split)
|
||||
apply (rule bisim_throwError, simp)
|
||||
apply (simp split del: split_if)
|
||||
apply (simp split del: if_split)
|
||||
apply (rule bisim_reflE)
|
||||
apply (fastforce intro!: bisim_throwError bisim_returnOk simp: AllowRecv_def AllowSend_def)
|
||||
apply simp
|
||||
|
@ -386,7 +386,7 @@ lemma decode_separate_inv:
|
|||
unfolding Decode_A.decode_invocation_def
|
||||
apply (rule hoare_gen_asmE)
|
||||
apply clarify
|
||||
apply (erule separate_capE, simp_all split del: split_if)
|
||||
apply (erule separate_capE, simp_all split del: if_split)
|
||||
apply (rule hoare_pre, (wp | simp add: comp_def)+)[1]
|
||||
apply (rule hoare_pre)
|
||||
apply (wp | simp)+
|
||||
|
@ -626,7 +626,7 @@ lemma handle_recv_bisim:
|
|||
apply (rule bisim_split_reflE)
|
||||
apply (rule_tac cap = rb in bisim_separate_cap_cases)
|
||||
apply (simp, rule bisim_throwError, rule refl)+
|
||||
apply (simp split del: split_if)
|
||||
apply (simp split del: if_split)
|
||||
apply (rule bisim_refl [where P = \<top> and P' = \<top>])
|
||||
apply (case_tac rc, simp_all)[1]
|
||||
apply (wp get_cap_wp' lsft_sep | simp add: lookup_cap_def split_def del: hoare_True_E_R)+
|
||||
|
|
|
@ -612,7 +612,7 @@ lemma invoke_asid_pool_wp:
|
|||
apply (rule hoare_strengthen_post[OF set_cap_wp])
|
||||
apply (subst set_split_single[where A = "(Collect (\<lambda>off. off < 2 ^ asid_low_bits))"])
|
||||
apply simp
|
||||
apply (subst sep.setprod.union_disjoint)
|
||||
apply (subst sep.prod.union_disjoint)
|
||||
apply simp+
|
||||
apply (clarsimp simp: sep_conj_assoc)
|
||||
apply (sep_erule_concl sep_any_imp, sep_solve)
|
||||
|
@ -627,7 +627,7 @@ lemma invoke_asid_pool_wp:
|
|||
apply (safe,fastforce+)
|
||||
apply (subst (asm) set_split_single[where A = "(Collect (\<lambda>off. off < 2 ^ asid_low_bits))"])
|
||||
apply simp
|
||||
apply (subst (asm) sep.setprod.union_disjoint)
|
||||
apply (subst (asm) sep.prod.union_disjoint)
|
||||
apply simp+
|
||||
apply (simp add:sep_conj_assoc)
|
||||
apply sep_solve
|
||||
|
|
|
@ -86,7 +86,7 @@ lemma sep_nonimpact_valid_lift:
|
|||
sep_state_add_def sep_disj_sep_state_def
|
||||
sep_state_disj_def
|
||||
map_option_case
|
||||
split: split_if_asm option.splits sep_state.splits)
|
||||
split: if_split_asm option.splits sep_state.splits)
|
||||
apply (erule rsubst [where P=Q])
|
||||
apply clarsimp
|
||||
apply (rule conjI)
|
||||
|
|
|
@ -470,10 +470,10 @@ lemma resolve_cap_rv1:
|
|||
apply (wp gets_the_wpE)
|
||||
apply (clarsimp simp: one_lvl_lookup_def offset_def)
|
||||
apply (clarsimp simp: split_def split: sum.splits option.splits)
|
||||
apply (simp add: split_def resolve_cap.simps split: split_if_asm)
|
||||
apply (simp add: split_def resolve_cap.simps split: if_split_asm)
|
||||
apply (simp add: obind_def split:option.splits)
|
||||
apply (drule sep_f_size_opt_cnode)
|
||||
apply (simp split: split_if_asm)+
|
||||
apply (simp split: if_split_asm)+
|
||||
done
|
||||
|
||||
lemma resolve_cap_u:
|
||||
|
@ -485,10 +485,10 @@ lemma resolve_cap_u:
|
|||
apply (clarsimp simp:
|
||||
user_pointer_at_def Let_unfold one_lvl_lookup_def
|
||||
offset_def split:option.splits sum.splits)
|
||||
apply (simp add: split_def resolve_cap.simps split: split_if_asm)
|
||||
apply (simp add: split_def resolve_cap.simps split: if_split_asm)
|
||||
apply (simp add: obind_def sep_conj_assoc split:option.splits)
|
||||
apply (sep_drule (direct) sep_f_size_opt_cnode)
|
||||
apply (fastforce split: split_if_asm)+
|
||||
apply (fastforce split: if_split_asm)+
|
||||
done
|
||||
|
||||
lemma resolve_cap_u_nf:
|
||||
|
@ -501,14 +501,14 @@ lemma resolve_cap_u_nf:
|
|||
offset_def sep.mult_assoc)
|
||||
apply (clarsimp simp: split_def split: sum.splits option.splits)
|
||||
apply (safe)
|
||||
apply (simp add: split_def resolve_cap.simps split: split_if_asm)
|
||||
apply (simp add: split_def resolve_cap.simps split: if_split_asm)
|
||||
apply (simp add: obind_def split:option.splits)
|
||||
apply (sep_drule (direct) sep_f_size_opt_cnode)
|
||||
apply (fastforce)+
|
||||
apply (simp add: split_def resolve_cap.simps split: split_if_asm)
|
||||
apply (simp add: split_def resolve_cap.simps split: if_split_asm)
|
||||
apply (simp add: obind_def split:option.splits)
|
||||
apply (sep_drule (direct) sep_f_size_opt_cnode)
|
||||
apply (fastforce split: split_if_asm)+
|
||||
apply (fastforce split: if_split_asm)+
|
||||
done
|
||||
|
||||
lemma resolve_cap_rv:
|
||||
|
@ -911,10 +911,10 @@ lemma is_exclusive_cap_update_cap_data:
|
|||
apply (rule iffI)
|
||||
apply (simp_all add: safe_for_derive_def update_cap_data_def update_cap_data_det_def)
|
||||
apply (case_tac cap, simp_all add: safe_for_derive_def badge_update_def
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
apply (case_tac cap, simp_all add: badge_update_def guard_update_def
|
||||
update_cap_badge_def
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
done
|
||||
|
||||
lemma cap_object_update_cap_rights:
|
||||
|
@ -928,13 +928,13 @@ lemma derived_cap_update_cap_data_det_NullCap [simp]:
|
|||
= (derived_cap cap = NullCap)"
|
||||
by (clarsimp simp: derived_cap_def update_cap_data_det_def
|
||||
badge_update_def update_cap_badge_def guard_update_def
|
||||
split: cdl_cap.splits split_if_asm)
|
||||
split: cdl_cap.splits if_split_asm)
|
||||
|
||||
lemma derived_cap_update_cap_rights_NullCap [simp]:
|
||||
"(derived_cap (update_cap_rights rights cap) = NullCap)
|
||||
= (derived_cap cap = NullCap)"
|
||||
by (clarsimp simp: derived_cap_def update_cap_rights_def
|
||||
split: cdl_cap.splits split_if_asm)
|
||||
split: cdl_cap.splits if_split_asm)
|
||||
|
||||
lemma derived_cap_reset_cap_asid_NullCap:
|
||||
"\<lbrakk>reset_cap_asid cap = reset_cap_asid cap'; derived_cap cap = NullCap\<rbrakk>
|
||||
|
@ -1043,7 +1043,7 @@ lemma update_cap_data_non:
|
|||
by (rule iffI,
|
||||
simp_all add: update_cap_data_det_def badge_update_def
|
||||
guard_update_def update_cap_badge_def
|
||||
split: cdl_cap.splits split_if_asm)
|
||||
split: cdl_cap.splits if_split_asm)
|
||||
|
||||
lemma decode_cnode_mutate_rvu:
|
||||
"\<lbrace>\<lambda>s. caps \<noteq> []
|
||||
|
|
|
@ -203,7 +203,7 @@ lemma sep_irq_node_dom_sep_map_predicate:
|
|||
"sep_irq_node_dom (sep_map_predicate ptr P cmps) {}"
|
||||
apply (clarsimp simp: sep_map_general_def object_to_sep_state_def
|
||||
sep_irq_node_dom_def sep_map_predicate_def
|
||||
split:sep_state.splits split_if_asm)
|
||||
split:sep_state.splits if_split_asm)
|
||||
done
|
||||
|
||||
lemma sep_map_rewrite_spec:
|
||||
|
@ -262,7 +262,7 @@ lemma sep_spec_simps:
|
|||
apply (clarsimp simp:object_to_sep_state_def)
|
||||
apply (rule ext)
|
||||
apply (clarsimp simp: object_project_def object_slots_object_clean
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
done
|
||||
|
||||
lemma sep_conj_spec:
|
||||
|
@ -472,7 +472,7 @@ lemma set_cap_all_scheduable_tcbs:
|
|||
apply (drule in_singleton)
|
||||
apply (intro set_eqI iffI)
|
||||
apply (clarsimp simp: sep_all_scheduable_tcbs_def sep_state_projection_def
|
||||
split: split_if_asm option.splits)
|
||||
split: if_split_asm option.splits)
|
||||
apply (fastforce simp: sep_all_scheduable_tcbs_def map_add_def
|
||||
sep_state_projection_def scheduable_cap_def
|
||||
split: option.splits)
|
||||
|
|
|
@ -152,7 +152,7 @@ lemma retype_region_wp:
|
|||
apply (rule_tac P="current_domain = minBound" in hoare_gen_asm)
|
||||
apply (wp create_objects_wp | simp)+
|
||||
apply (subst sep_conj_assoc[symmetric])
|
||||
apply (subst sep.setprod.union_disjoint [symmetric])
|
||||
apply (subst sep.prod.union_disjoint [symmetric])
|
||||
apply simp+
|
||||
apply (simp add:Un_absorb1)
|
||||
done
|
||||
|
@ -204,7 +204,7 @@ lemma dummy_detype_if_untyped:
|
|||
apply (case_tac s,clarsimp simp:detype_def sep_set_conj_def)
|
||||
apply (rule ext)
|
||||
apply (clarsimp simp:sep_state_projection_def sep_conj_def)
|
||||
apply (subst (asm) sep.setprod.remove)
|
||||
apply (subst (asm) sep.prod.remove)
|
||||
apply simp+
|
||||
apply (clarsimp simp:sep_map_o_conj image_def)
|
||||
apply (drule_tac f = sep_heap in arg_cong)
|
||||
|
@ -276,7 +276,7 @@ lemma reset_untyped_cap_wp:
|
|||
apply (clarsimp dest!: reset_cap_asid_untyped_cap_eqD)
|
||||
apply (subgoal_tac "tot_free_range = obj_range \<union> (tot_free_range - obj_range)")
|
||||
apply simp
|
||||
apply (subst (asm) sep.setprod.subset_diff)
|
||||
apply (subst (asm) sep.prod.subset_diff)
|
||||
apply simp+
|
||||
apply (sep_select_asm 2)
|
||||
apply (simp add:sep_conj_assoc)
|
||||
|
@ -355,18 +355,18 @@ lemma invoke_untyped_wp:
|
|||
\<and> distinct (map pick new_obj_refs) \<and>
|
||||
new_obj_refs = map ((\<lambda>x. {x}) \<circ> pick) new_obj_refs \<and>
|
||||
pick ` set new_obj_refs \<subseteq> tot_free_range" in hoare_gen_asm)
|
||||
apply (simp del:set_map split del:split_if)
|
||||
apply (simp del:set_map split del:if_split)
|
||||
apply (rule hoare_strengthen_post[OF update_available_range_wp])
|
||||
apply clarsimp
|
||||
apply (rule_tac x = nfr in exI)
|
||||
apply (rule conjI)
|
||||
apply (clarsimp split:if_splits)
|
||||
apply (sep_select 3,sep_select 2,simp)
|
||||
apply (wp|simp split del:split_if)+
|
||||
apply (wp|simp split del:if_split)+
|
||||
apply (rule_tac P = "untyped_cap = UntypedCap dev obj_range free_range"
|
||||
in hoare_gen_asm)
|
||||
apply (clarsimp simp:conj_comms split del: split_if)
|
||||
apply (simp add: conj_assoc[symmetric] del:conj_assoc split del: split_if)+
|
||||
apply (clarsimp simp:conj_comms split del: if_split)
|
||||
apply (simp add: conj_assoc[symmetric] del:conj_assoc split del: if_split)+
|
||||
apply (rule hoare_vcg_conj_lift)
|
||||
apply wp
|
||||
apply (rule hoare_strengthen_post[OF generate_object_ids_rv])
|
||||
|
@ -1055,10 +1055,10 @@ lemma transfer_caps_loop_cdl_parent:
|
|||
"\<lbrace>\<lambda>s. cdl_cdt s slot = Some parent\<rbrace>
|
||||
transfer_caps_loop ep rcvr caps dest
|
||||
\<lbrace>\<lambda>_ s. cdl_cdt s slot = Some parent\<rbrace>"
|
||||
apply (induct caps arbitrary: dest; clarsimp split del: split_if)
|
||||
apply (induct caps arbitrary: dest; clarsimp split del: if_split)
|
||||
apply (rule hoare_pre)
|
||||
apply (wp alternative_wp crunch_wps | assumption
|
||||
| simp add: crunch_simps split del: split_if)+
|
||||
| simp add: crunch_simps split del: if_split)+
|
||||
done
|
||||
|
||||
lemmas reset_untyped_cap_cdl2[wp] = reset_untyped_cap_cdl_parent[THEN valid_validE_E]
|
||||
|
@ -1114,7 +1114,7 @@ lemma default_object_no_pending_cap:
|
|||
apply (case_tac b)
|
||||
apply (clarsimp simp: default_object_def object_slots_def default_tcb_def is_pending_cap_def
|
||||
empty_cnode_def empty_cap_map_def empty_irq_node_def
|
||||
split: split_if_asm)+
|
||||
split: if_split_asm)+
|
||||
done
|
||||
|
||||
lemma create_objects_no_pending[wp]:
|
||||
|
|
|
@ -107,8 +107,8 @@ lemma setArchTCB_C_corres:
|
|||
apply (rule conjI)
|
||||
defer
|
||||
apply (erule cready_queues_relation_not_queue_ptrs)
|
||||
apply (rule ext, simp split: split_if)
|
||||
apply (rule ext, simp split: split_if)
|
||||
apply (rule ext, simp split: if_split)
|
||||
apply (rule ext, simp split: if_split)
|
||||
apply (drule ko_at_projectKO_opt)
|
||||
apply (erule (2) cmap_relation_upd_relI)
|
||||
apply (simp add: ctcb_relation_def carch_tcb_relation_def)
|
||||
|
@ -485,7 +485,7 @@ proof -
|
|||
using vms'[simplified valid_machine_state'_def]
|
||||
apply (auto simp: user_mem'_def option_to_0_def typ_at'_def ko_wp_at'_def
|
||||
option_to_ptr_def pointerInUserData_def observable_memory_def
|
||||
split: option.splits split_if_asm)
|
||||
split: option.splits if_split_asm)
|
||||
done
|
||||
with mach_rel[simplified cmachine_state_relation_def]
|
||||
user_mem_C_relation[OF um_rel]
|
||||
|
@ -566,7 +566,7 @@ lemma the_the_inv_mapI:
|
|||
|
||||
lemma eq_restrict_map_None[simp]:
|
||||
"restrict_map m A x = None \<longleftrightarrow> x ~: (A \<inter> dom m)"
|
||||
by (auto simp: restrict_map_def split: split_if_asm)
|
||||
by (auto simp: restrict_map_def split: if_split_asm)
|
||||
lemma eq_the_inv_map_None[simp]: "the_inv_map m x = None \<longleftrightarrow> x\<notin>ran m"
|
||||
by (simp add: the_inv_map_def2)
|
||||
lemma is_inv_unique:
|
||||
|
@ -648,7 +648,7 @@ lemma (in kernel_m)
|
|||
apply (rule conjI)
|
||||
apply (frule is_inv_inj)
|
||||
apply (clarsimp simp: the_inv_map_def is_inv_def dom_option_map
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
apply (intro conjI[rotated] impI domI, assumption)
|
||||
apply (rule the_equality)
|
||||
apply (clarsimp simp: ran_def dom_def Collect_eq)
|
||||
|
@ -730,7 +730,7 @@ lemma tcb_queue_rel'_unique:
|
|||
"hp NULL = None \<Longrightarrow>
|
||||
tcb_queue_relation' gn gp hp as pp cp \<Longrightarrow>
|
||||
tcb_queue_relation' gn gp hp as' pp cp \<Longrightarrow> as' = as"
|
||||
apply (clarsimp simp: tcb_queue_relation'_def split: split_if_asm)
|
||||
apply (clarsimp simp: tcb_queue_relation'_def split: if_split_asm)
|
||||
apply (clarsimp simp: neq_Nil_conv)
|
||||
apply (clarsimp simp: neq_Nil_conv)
|
||||
apply (erule(2) tcb_queue_rel_unique)
|
||||
|
@ -782,7 +782,7 @@ lemma cready_queues_to_H_correct:
|
|||
lemma inj_image_inv:
|
||||
assumes inj_f: "inj f"
|
||||
shows "f ` A = B \<Longrightarrow> inv f ` B = A"
|
||||
by (drule sym) (simp add: inv_image_comp[OF inj_f])
|
||||
by (drule sym) (simp add: image_inv_f_f[OF inj_f])
|
||||
|
||||
lemma cmap_relation_unique:
|
||||
assumes inj_f: "inj f"
|
||||
|
@ -829,7 +829,7 @@ lemma ran_tcb_cte_cases:
|
|||
(Structures_H.tcbReply, tcbReply_update),
|
||||
(Structures_H.tcbCaller, tcbCaller_update),
|
||||
(tcbIPCBufferFrame, tcbIPCBufferFrame_update)}"
|
||||
by (auto simp add: tcb_cte_cases_def split: split_if_asm)
|
||||
by (auto simp add: tcb_cte_cases_def split: if_split_asm)
|
||||
|
||||
(* FIXME: move *)
|
||||
lemma ps_clear_is_aligned_ksPSpace_None:
|
||||
|
@ -924,7 +924,7 @@ lemma map_to_ctes_tcb_ctes:
|
|||
lemma cfault_rel_imp_eq:
|
||||
"cfault_rel x a b \<Longrightarrow> cfault_rel y a b \<Longrightarrow> x=y"
|
||||
by (clarsimp simp: cfault_rel_def is_cap_fault_def
|
||||
split: split_if_asm seL4_Fault_CL.splits)
|
||||
split: if_split_asm seL4_Fault_CL.splits)
|
||||
|
||||
lemma cthread_state_rel_imp_eq:
|
||||
"cthread_state_relation x z \<Longrightarrow> cthread_state_relation y z \<Longrightarrow> x=y"
|
||||
|
@ -1531,7 +1531,7 @@ lemma (in kernel_m) cstate_to_H_correct:
|
|||
using cstate_rel
|
||||
apply (fastforce simp: cstate_relation_def cpspace_relation_def
|
||||
Let_def ghost_size_rel_def unat_eq_0
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
using valid cstate_rel
|
||||
apply (rule cDomScheduleIdx_to_H_correct)
|
||||
using cstate_rel
|
||||
|
|
|
@ -215,7 +215,7 @@ proof -
|
|||
apply simp
|
||||
apply auto[1]
|
||||
apply (simp add: asid_low_bits_def word_le_nat_alt)
|
||||
apply (simp split: split_if)
|
||||
apply (simp split: if_split)
|
||||
apply (rule conjI)
|
||||
apply (clarsimp simp: update_ti_t_ptr_0s)
|
||||
apply (clarsimp simp: asid_low_bits_def word_le_nat_alt)
|
||||
|
@ -332,7 +332,7 @@ proof -
|
|||
apply (rule ccorres_from_vcg_nofail2, rule allI)
|
||||
apply (rule conseqPre)
|
||||
apply vcg
|
||||
apply (clarsimp simp: cte_wp_at_ctes_of split: split_if_asm)
|
||||
apply (clarsimp simp: cte_wp_at_ctes_of split: if_split_asm)
|
||||
apply (frule(1) ctes_of_valid', clarsimp)
|
||||
apply (subst ghost_assertion_size_logic[unfolded o_def, rotated], assumption)
|
||||
apply (drule(1) valid_global_refsD_with_objSize)
|
||||
|
@ -446,7 +446,7 @@ shows
|
|||
cap_to_H_simps cap_untyped_cap_lift_def
|
||||
ccap_relation_def modify_map_def
|
||||
fun_eq_iff
|
||||
dest!: word_unat.Rep_inverse' split: split_if)
|
||||
dest!: word_unat.Rep_inverse' split: if_split)
|
||||
apply (rule exI, strengthen refl)
|
||||
apply (case_tac cte', simp add: cap_lift_untyped_cap max_free_index_def mask_def)
|
||||
apply (simp add: mex_def meq_def del: split_paired_Ex)
|
||||
|
@ -567,7 +567,7 @@ shows
|
|||
apply (clarsimp simp: cap_get_tag_isCap hrs_htd_update)
|
||||
apply (clarsimp simp: hrs_htd_update_def split_def
|
||||
pageBits_def
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
apply (clarsimp simp: ARMSmallPageBits_def word_sle_def is_aligned_mask[symmetric]
|
||||
ghost_assertion_data_get_gs_clear_region[unfolded o_def])
|
||||
apply (subst ghost_assertion_size_logic_flex[unfolded o_def, rotated])
|
||||
|
@ -612,7 +612,7 @@ lemma slotcap_in_mem_PageDirectory:
|
|||
apply (simp add: cap_get_tag_isCap_ArchObject2)
|
||||
done
|
||||
|
||||
declare split_if [split del]
|
||||
declare if_split [split del]
|
||||
|
||||
lemma decodeARMPageTableInvocation_ccorres:
|
||||
notes if_cong[cong] tl_drop_1[simp]
|
||||
|
@ -712,7 +712,7 @@ lemma decodeARMPageTableInvocation_ccorres:
|
|||
apply (frule cap_get_tag_isCap_unfolded_H_cap)
|
||||
apply (clarsimp simp: cap_lift_page_table_cap cap_page_table_cap_lift_def
|
||||
cap_to_H_def
|
||||
elim!: ccap_relationE split: split_if)
|
||||
elim!: ccap_relationE split: if_split)
|
||||
apply (simp add: to_bool_def)
|
||||
apply (simp add: throwError_bind invocationCatch_def)
|
||||
apply (rule syscall_error_throwError_ccorres_n)
|
||||
|
@ -760,7 +760,7 @@ lemma decodeARMPageTableInvocation_ccorres:
|
|||
apply (clarsimp simp: cap_lift_page_directory_cap
|
||||
cap_to_H_def cap_page_directory_cap_lift_def
|
||||
to_bool_def neq_Nil_conv
|
||||
elim!: ccap_relationE split: split_if)
|
||||
elim!: ccap_relationE split: if_split)
|
||||
apply (simp add: throwError_bind invocationCatch_def)
|
||||
apply (rule syscall_error_throwError_ccorres_n)
|
||||
apply (simp add: syscall_error_to_H_cases)
|
||||
|
@ -789,7 +789,7 @@ lemma decodeARMPageTableInvocation_ccorres:
|
|||
apply (frule cap_get_tag_isCap_unfolded_H_cap)
|
||||
apply (clarsimp simp: cap_lift_page_directory_cap
|
||||
cap_to_H_def cap_page_directory_cap_lift_def
|
||||
elim!: ccap_relationE split: split_if)
|
||||
elim!: ccap_relationE split: if_split)
|
||||
apply (rule syscall_error_throwError_ccorres_n)
|
||||
apply (simp add: syscall_error_to_H_cases)
|
||||
apply (simp add: bindE_assoc del: Collect_const,
|
||||
|
@ -915,7 +915,7 @@ lemma decodeARMPageTableInvocation_ccorres:
|
|||
rule is_aligned_andI2,
|
||||
simp add: is_aligned_def,
|
||||
simp)+
|
||||
apply (clarsimp simp: attribsFromWord_def split: split_if)
|
||||
apply (clarsimp simp: attribsFromWord_def split: if_split)
|
||||
apply word_bitwise
|
||||
apply (clarsimp simp: word_size)
|
||||
done
|
||||
|
@ -929,7 +929,7 @@ lemma checkVPAlignment_spec:
|
|||
apply (rule conjI)
|
||||
apply (simp add: pageBitsForSize_def split: vmpage_size.split)
|
||||
apply (simp add: from_bool_def vmsz_aligned'_def is_aligned_mask
|
||||
mask_def split: split_if)
|
||||
mask_def split: if_split)
|
||||
done
|
||||
|
||||
definition
|
||||
|
@ -984,7 +984,7 @@ lemma pde_get_tag_alt:
|
|||
| Pde_pde_coarse _ \<Rightarrow> scast pde_pde_coarse
|
||||
| Pde_pde_section _ \<Rightarrow> scast pde_pde_section
|
||||
| Pde_pde_reserved \<Rightarrow> scast pde_pde_reserved)"
|
||||
by (auto simp add: pde_lift_def Let_def split: split_if_asm)
|
||||
by (auto simp add: pde_lift_def Let_def split: if_split_asm)
|
||||
|
||||
|
||||
lemma cpde_relation_pde_case:
|
||||
|
@ -1113,7 +1113,7 @@ lemma createSafeMappingEntries_PDE_ccorres:
|
|||
apply (simp add: isPageTablePDE_def isSectionPDE_def
|
||||
cpde_relation_pde_case from_bool_def)
|
||||
apply (intro impI conjI disjCI2, simp_all add: array_assertion_shrink_right)[1]
|
||||
apply (clarsimp simp: pde_tag_defs split: split_if bool.split)
|
||||
apply (clarsimp simp: pde_tag_defs split: if_split bool.split)
|
||||
apply (frule pde_pde_section_size_0_1[simplified pde_tag_defs, simplified], simp)
|
||||
apply ceqv
|
||||
apply (simp add: from_bool_0 del: Collect_const)
|
||||
|
@ -1130,16 +1130,16 @@ lemma createSafeMappingEntries_PDE_ccorres:
|
|||
apply (frule_tac n3="Suc o unat o i_'" in array_assertion_abs_pde_16_const[where pd=pd and vptr=vaddr,
|
||||
simplified imp_conjL, THEN spec, THEN spec, THEN mp])
|
||||
apply (simp add: upto_enum_word unat_of_nat vmsz_aligned_def
|
||||
vmsz_aligned'_def split: split_if_asm)
|
||||
vmsz_aligned'_def split: if_split_asm)
|
||||
apply (clarsimp simp: upto_enum_step_def upto_enum_word
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
apply simp
|
||||
apply (rule conseqPre, vcg)
|
||||
apply (clarsimp simp: if_1_0_0)
|
||||
apply simp
|
||||
apply (wp getPDE_wp | wpc)+
|
||||
apply simp
|
||||
apply (simp add: upto_enum_step_def word_bits_def split: split_if)
|
||||
apply (simp add: upto_enum_step_def word_bits_def split: if_split)
|
||||
apply clarsimp
|
||||
apply ceqv
|
||||
apply csymbr
|
||||
|
@ -1174,7 +1174,7 @@ lemma createSafeMappingEntries_PDE_ccorres:
|
|||
pageBits_def)
|
||||
apply (rule conjI)
|
||||
apply (simp add: cpde_relation_def true_def false_def)
|
||||
apply (simp add: split: split_if)
|
||||
apply (simp add: split: if_split)
|
||||
done
|
||||
|
||||
lemma pte_case_isLargePagePTE:
|
||||
|
@ -1281,7 +1281,7 @@ lemma createSafeMappingEntries_PTE_ccorres:
|
|||
apply (clarsimp simp: typ_heap_simps cpte_relation_def Let_def)
|
||||
apply (simp add: isLargePagePTE_def pte_pte_large_lift_def pte_lift_def Let_def
|
||||
pte_tag_defs pte_pte_invalid_def
|
||||
split: ARM_H.pte.split_asm split_if_asm)
|
||||
split: ARM_H.pte.split_asm if_split_asm)
|
||||
apply ceqv
|
||||
apply (simp add: pte_case_isLargePagePTE if_to_top_of_bindE del: Collect_const)
|
||||
apply (rule ccorres_if_cond_throws[rotated -1, where Q=\<top> and Q'=\<top>])
|
||||
|
@ -1360,13 +1360,13 @@ lemma createSafeMappingEntries_PTE_ccorres:
|
|||
erule ko_at_projectKO_opt)
|
||||
apply (auto simp: typ_heap_simps cpte_relation_def pte_pte_invalid_def
|
||||
Let_def pte_lift_def pte_tag_defs
|
||||
intro: typ_heap_simps split: split_if_asm)[1]
|
||||
intro: typ_heap_simps split: if_split_asm)[1]
|
||||
apply (wp getObject_inv loadObject_default_inv | simp)+
|
||||
apply (simp add: objBits_simps archObjSize_def)
|
||||
apply (simp add: loadObject_default_inv)
|
||||
apply (simp add: empty_fail_getObject)
|
||||
apply (simp add: upto_enum_step_def upto_enum_word
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
apply (rule conseqPre, vcg)
|
||||
apply (clarsimp simp: pte_tag_defs)
|
||||
using pte_get_tag_exhaust
|
||||
|
@ -1374,7 +1374,7 @@ lemma createSafeMappingEntries_PTE_ccorres:
|
|||
apply (wp getPTE_wp | simp | wpc)+
|
||||
apply (simp add: upto_enum_step_def upto_enum_word
|
||||
word_bits_def
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
apply simp
|
||||
apply (rule ceqv_refl)
|
||||
apply csymbr
|
||||
|
@ -1496,7 +1496,7 @@ lemma pteCheckIfMapped_ccorres:
|
|||
apply (case_tac rv, simp_all add: to_bool_def isInvalidPTE_def pte_tag_defs pte_pte_invalid_def
|
||||
cpte_relation_def pte_pte_large_lift_def pte_get_tag_def
|
||||
pte_lift_def Let_def
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
done
|
||||
|
||||
lemma cpde_relation_invalid:
|
||||
|
@ -1522,7 +1522,7 @@ lemma pdeCheckIfMapped_ccorres:
|
|||
apply (rule conseqPre, vcg)
|
||||
apply (clarsimp simp: typ_heap_simps' return_def)
|
||||
apply (case_tac rv, simp_all add: to_bool_def cpde_relation_invalid isInvalidPDE_def
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
done
|
||||
|
||||
lemma mapping_two_power_16_64_inequality:
|
||||
|
@ -1774,7 +1774,7 @@ lemma createMappingEntries_valid_pde_slots'2:
|
|||
apply (erule less_kernelBase_valid_pde_offset'[unfolded pdBits_def pageBits_def, simplified],
|
||||
simp+)
|
||||
apply (clarsimp simp:upto_enum_step_def
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
apply (clarsimp simp: upto_enum_def upt_conv_Cons[where i=0]
|
||||
lookup_pd_slot_eq[unfolded pd_bits_def pageBits_def, simplified])
|
||||
apply (rule context_conjI)
|
||||
|
@ -2236,7 +2236,7 @@ lemmas vmsz_aligned_addrFromPPtr
|
|||
lemma gen_framesize_to_H_eq_from_H':
|
||||
"v < 4 \<Longrightarrow> (v' = gen_framesize_to_H v) = (framesize_from_H v' = v)"
|
||||
apply (simp add: gen_framesize_to_H_def framesize_from_H_eqs
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
apply (clarsimp simp: framesize_from_H_eqs[symmetric] vm_page_size_defs)
|
||||
apply unat_arith
|
||||
done
|
||||
|
@ -2257,7 +2257,7 @@ lemma framesize_from_H_eq_eq:
|
|||
apply (clarsimp simp: framesize_from_to_H)
|
||||
apply (simp add: framesize_from_H_def vm_page_size_defs split: vmpage_size.split)
|
||||
apply (clarsimp simp: gen_framesize_to_H_eq_from_H)
|
||||
apply (simp add: gen_framesize_to_H_def framesize_from_H_def split: split_if)
|
||||
apply (simp add: gen_framesize_to_H_def framesize_from_H_def split: if_split)
|
||||
apply (clarsimp simp: vm_page_size_defs)
|
||||
apply unat_arith
|
||||
done
|
||||
|
@ -2294,13 +2294,13 @@ lemma generic_frame_cap_set_capFMappedAddress_ccap_relation:
|
|||
\<Longrightarrow> ccap_relation (capCap_update (capVPMappedAddress_update (\<lambda>_. Some (asid, addr))) c) c''"
|
||||
apply (clarsimp simp: isCap_simps)
|
||||
apply (erule ccap_relationE)
|
||||
apply (clarsimp simp: cap_to_H_def Let_def split: cap_CL.split_asm split_if_asm)
|
||||
apply (clarsimp simp: cap_to_H_def Let_def split: cap_CL.split_asm if_split_asm)
|
||||
apply (simp_all add: ccap_relation_def generic_frame_cap_set_capFMappedAddress_CL_def
|
||||
cap_to_H_def c_valid_cap_def cl_valid_cap_def
|
||||
generic_frame_cap_get_capFSize_CL_def
|
||||
shiftr_asid_low_bits_mask_asid_high_bits
|
||||
and_not_mask[symmetric] shiftr_asid_low_bits_mask_eq_0
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
apply (simp add: vmsz_aligned'_def gen_framesize_to_H_def)
|
||||
apply (subst field_simps, simp add: word_plus_and_or_coroll2)
|
||||
apply (simp add: vmsz_aligned'_def gen_framesize_to_H_def)
|
||||
|
@ -2308,11 +2308,11 @@ lemma generic_frame_cap_set_capFMappedAddress_ccap_relation:
|
|||
apply (simp add: vmsz_aligned'_def gen_framesize_to_H_def)
|
||||
apply (subst field_simps, simp add: word_plus_and_or_coroll2)
|
||||
apply (rule sym, erule is_aligned_neg_mask)
|
||||
apply (simp add: pageBitsForSize_def split: split_if)
|
||||
apply (simp add: pageBitsForSize_def split: if_split)
|
||||
apply (simp add: vmsz_aligned'_def gen_framesize_to_H_def)
|
||||
apply (subst field_simps, simp add: word_plus_and_or_coroll2)
|
||||
apply (rule sym, erule is_aligned_neg_mask)
|
||||
apply (simp add: pageBitsForSize_def split: split_if)
|
||||
apply (simp add: pageBitsForSize_def split: if_split)
|
||||
done
|
||||
|
||||
lemma slotcap_in_mem_valid:
|
||||
|
@ -2443,7 +2443,7 @@ lemma setVMRootForFlush_ccorres2:
|
|||
apply (clarsimp simp: isCap_simps(2) cap_get_tag_isCap_ArchObject[symmetric])
|
||||
apply (clarsimp simp: cap_page_directory_cap_lift cap_to_H_def
|
||||
elim!: ccap_relationE)
|
||||
apply (simp add: to_bool_def split: split_if)
|
||||
apply (simp add: to_bool_def split: if_split)
|
||||
apply (auto simp: cap_get_tag_isCap_ArchObject2)
|
||||
done
|
||||
|
||||
|
@ -2472,7 +2472,7 @@ lemma pte_get_tag_alt:
|
|||
\<Longrightarrow> pte_get_tag v = (case pteC of
|
||||
Pte_pte_small _ \<Rightarrow> scast pte_pte_small
|
||||
| Pte_pte_large _ \<Rightarrow> scast pte_pte_large)"
|
||||
by (auto simp add: pte_lift_def Let_def split: split_if_asm)
|
||||
by (auto simp add: pte_lift_def Let_def split: if_split_asm)
|
||||
|
||||
definition
|
||||
to_option :: "('a \<Rightarrow> bool) \<Rightarrow> 'a \<Rightarrow> 'a option"
|
||||
|
@ -2833,7 +2833,7 @@ lemma decodeARMFrameInvocation_ccorres:
|
|||
apply (clarsimp simp: if_1_0_0)
|
||||
apply (clarsimp simp: cap_lift_page_directory_cap cap_to_H_def
|
||||
to_bool_def cap_page_directory_cap_lift_def
|
||||
elim!: ccap_relationE split: split_if)
|
||||
elim!: ccap_relationE split: if_split)
|
||||
apply (simp add: throwError_bind invocationCatch_def)
|
||||
apply (rule syscall_error_throwError_ccorres_n)
|
||||
apply (simp add: syscall_error_to_H_cases)
|
||||
|
@ -3084,7 +3084,7 @@ lemma decodeARMFrameInvocation_ccorres:
|
|||
apply (clarsimp simp: if_1_0_0)
|
||||
apply (clarsimp simp: cap_lift_page_directory_cap cap_to_H_def
|
||||
to_bool_def cap_page_directory_cap_lift_def
|
||||
elim!: ccap_relationE split: split_if)
|
||||
elim!: ccap_relationE split: if_split)
|
||||
apply (simp add: throwError_bind invocationCatch_def)
|
||||
apply (rule syscall_error_throwError_ccorres_n)
|
||||
apply (simp add: syscall_error_to_H_cases)
|
||||
|
@ -3106,7 +3106,7 @@ lemma decodeARMFrameInvocation_ccorres:
|
|||
apply vcg
|
||||
apply (clarsimp simp: cap_lift_page_directory_cap cap_to_H_def
|
||||
to_bool_def cap_page_directory_cap_lift_def
|
||||
elim!: ccap_relationE split: split_if)
|
||||
elim!: ccap_relationE split: if_split)
|
||||
apply (rule syscall_error_throwError_ccorres_n)
|
||||
apply (simp add: syscall_error_to_H_cases)
|
||||
apply csymbr+
|
||||
|
@ -3260,7 +3260,7 @@ lemma decodeARMFrameInvocation_ccorres:
|
|||
apply (subgoal_tac "cap_get_tag cap \<in> {scast cap_small_frame_cap, scast cap_frame_cap}")
|
||||
prefer 2
|
||||
apply (clarsimp simp: cap_to_H_def cap_lift_def Let_def elim!: ccap_relationE
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
apply (rule conjI)
|
||||
apply clarsimp
|
||||
apply (frule ccap_relation_PageCap_generics)
|
||||
|
@ -3287,8 +3287,8 @@ lemma decodeARMFrameInvocation_ccorres:
|
|||
apply simp
|
||||
apply (simp add: gen_framesize_to_H_def vm_page_size_defs
|
||||
hd_conv_nth length_ineq_not_Nil
|
||||
split: split_if)
|
||||
apply (simp add: vm_page_size_defs split: split_if_asm)
|
||||
split: if_split)
|
||||
apply (simp add: vm_page_size_defs split: if_split_asm)
|
||||
apply (clarsimp simp:signed_shift_guard_simpler_32 pbfs_less)
|
||||
apply (frule ccap_relation_PageCap_generics)
|
||||
apply (clarsimp simp:framesize_from_H_eq_eqs)
|
||||
|
@ -3320,7 +3320,7 @@ lemma sts_Restart_ct_active [wp]:
|
|||
apply (clarsimp simp: ct_in_state'_def)
|
||||
apply (rule hoare_lift_Pf2 [where f=ksCurThread])
|
||||
apply (wp sts_st_tcb')
|
||||
apply (simp split: split_if)
|
||||
apply (simp split: if_split)
|
||||
apply wp
|
||||
done
|
||||
|
||||
|
@ -3563,7 +3563,7 @@ lemma decodeARMPageDirectoryInvocation_ccorres:
|
|||
apply (frule cap_get_tag_isCap_unfolded_H_cap)
|
||||
apply (clarsimp simp: cap_lift_page_directory_cap
|
||||
cap_to_H_def cap_page_directory_cap_lift_def
|
||||
elim!: ccap_relationE split: split_if)
|
||||
elim!: ccap_relationE split: if_split)
|
||||
apply (simp add: injection_handler_throwError)
|
||||
apply (rule syscall_error_throwError_ccorres_n)
|
||||
apply (simp add:syscall_error_to_H_cases)
|
||||
|
@ -3953,7 +3953,7 @@ lemma Arch_decodeInvocation_ccorres:
|
|||
linorder_not_less
|
||||
order_antisym[OF inc_le])
|
||||
apply (clarsimp simp: true_def false_def
|
||||
split: option.split split_if)
|
||||
split: option.split if_split)
|
||||
apply (simp add: asid_high_bits_def word_le_nat_alt
|
||||
word_less_nat_alt unat_add_lem[THEN iffD1])
|
||||
apply auto[1]
|
||||
|
@ -3974,7 +3974,7 @@ lemma Arch_decodeInvocation_ccorres:
|
|||
rf_sr_armKSASIDTable[where n=0, simplified])
|
||||
apply (simp add: asid_high_bits_def option_to_ptr_def option_to_0_def
|
||||
from_bool_def
|
||||
split: option.split split_if)
|
||||
split: option.split if_split)
|
||||
apply fastforce
|
||||
apply ceqv
|
||||
apply (rule ccorres_Guard_Seq)+
|
||||
|
@ -4262,7 +4262,7 @@ lemma Arch_decodeInvocation_ccorres:
|
|||
apply (clarsimp simp: inc_le from_bool_def typ_heap_simps
|
||||
asid_low_bits_def not_less field_simps
|
||||
false_def
|
||||
split: split_if bool.splits)
|
||||
split: if_split bool.splits)
|
||||
apply unat_arith
|
||||
apply (rule iffI)
|
||||
apply (rule disjCI)
|
||||
|
@ -4312,7 +4312,7 @@ lemma Arch_decodeInvocation_ccorres:
|
|||
word_sless_def word_sle_def)
|
||||
apply (erule cmap_relationE1[OF rf_sr_cpspace_asidpool_relation],
|
||||
erule ko_at_projectKO_opt)
|
||||
apply (clarsimp simp: typ_heap_simps from_bool_def split: split_if)
|
||||
apply (clarsimp simp: typ_heap_simps from_bool_def split: if_split)
|
||||
apply (simp add: cap_get_tag_isCap_ArchObject[symmetric])
|
||||
apply (clarsimp simp: cap_lift_asid_pool_cap cap_to_H_def
|
||||
cap_asid_pool_cap_lift_def false_def
|
||||
|
@ -4472,12 +4472,12 @@ lemma Arch_decodeInvocation_ccorres:
|
|||
cap_page_directory_cap_lift_def
|
||||
cap_asid_pool_cap_lift_def mask_def[where n=4]
|
||||
asid_shiftr_low_bits_less[unfolded mask_def asid_bits_def] word_and_le1
|
||||
elim!: ccap_relationE split: split_if_asm)
|
||||
elim!: ccap_relationE split: if_split_asm)
|
||||
apply (clarsimp split: list.split)
|
||||
apply (clarsimp simp: cap_lift_asid_pool_cap cap_lift_page_directory_cap
|
||||
cap_to_H_def to_bool_def
|
||||
cap_page_directory_cap_lift_def
|
||||
elim!: ccap_relationE split: split_if_asm)
|
||||
elim!: ccap_relationE split: if_split_asm)
|
||||
done
|
||||
end
|
||||
end
|
||||
|
|
|
@ -240,7 +240,7 @@ lemma locateSlotCNode_ccorres [corres]:
|
|||
{s. x s = 0 \<or> array_assertion (cte_Ptr cnode') (unat offset') (hrs_htd (t_hrs_' (globals s)))}
|
||||
(Basic (\<lambda>s. xfu (\<lambda>_. cte_Ptr (cnode' + offset'
|
||||
* of_nat (size_of TYPE(cte_C)))) s)))"
|
||||
apply (simp add: locateSlot_conv split del: split_if)
|
||||
apply (simp add: locateSlot_conv split del: if_split)
|
||||
apply (rule ccorres_guard_imp2)
|
||||
apply (rule_tac P="cnode = cnode' \<and> offset = offset'" in ccorres_gen_asm2)
|
||||
apply (rule ccorres_stateAssert)
|
||||
|
@ -260,7 +260,7 @@ lemma locateSlotTCB_ccorres [corres]:
|
|||
(Basic (\<lambda>s. xfu (\<lambda>_. Ptr (cnode' + offset' * of_nat (size_of TYPE(cte_C))) :: cte_C ptr) s))"
|
||||
unfolding locateSlot_conv using gl fg
|
||||
apply -
|
||||
apply (simp add: size_of_def split del: split_if)
|
||||
apply (simp add: size_of_def split del: if_split)
|
||||
apply (rule ccorres_return)
|
||||
apply (rule conseqPre)
|
||||
apply vcg
|
||||
|
|
|
@ -33,8 +33,8 @@ lemma maskCapRights_cap_cases:
|
|||
(capNtfnCanSend_update
|
||||
(\<lambda>_. capNtfnCanSend c \<and> capAllowWrite R) c))
|
||||
| _ \<Rightarrow> return c)"
|
||||
apply (simp add: maskCapRights_def Let_def split del: split_if)
|
||||
apply (cases c; simp add: isCap_simps split del: split_if)
|
||||
apply (simp add: maskCapRights_def Let_def split del: if_split)
|
||||
apply (cases c; simp add: isCap_simps split del: if_split)
|
||||
done
|
||||
|
||||
|
||||
|
@ -119,7 +119,7 @@ lemma Arch_maskCapRights_ccorres [corres]:
|
|||
apply (simp add: cap_small_frame_cap_lift [THEN iffD1])
|
||||
apply (clarsimp simp: cap_to_H_def)
|
||||
apply (simp add: map_option_case split: option.splits)
|
||||
apply (clarsimp simp add: cap_to_H_def Let_def split: cap_CL.splits split_if_asm)
|
||||
apply (clarsimp simp add: cap_to_H_def Let_def split: cap_CL.splits if_split_asm)
|
||||
apply (simp add: cap_small_frame_cap_lift_def)
|
||||
apply (simp add: ccap_rights_relation_def)
|
||||
apply (simp add: cap_small_frame_cap_lift_def)
|
||||
|
@ -142,7 +142,7 @@ lemma Arch_maskCapRights_ccorres [corres]:
|
|||
apply (clarsimp simp: cap_to_H_def)
|
||||
apply (simp add: map_option_case split: option.splits)
|
||||
apply (clarsimp simp add: isCap_simps pageSize_def cap_to_H_def Let_def simp del: not_ex
|
||||
split: cap_CL.splits split_if_asm)
|
||||
split: cap_CL.splits if_split_asm)
|
||||
apply (simp add: cap_frame_cap_lift_def)
|
||||
apply (simp add: ccap_rights_relation_def)
|
||||
apply (simp add: c_valid_cap_def cl_valid_cap_def cap_lift_frame_cap)
|
||||
|
@ -185,7 +185,7 @@ lemma to_bool_ntfn_cap_bf:
|
|||
"cap_lift c = Some (Cap_notification_cap cap) \<Longrightarrow>
|
||||
to_bool (capNtfnCanSend_CL cap) = to_bool_bf (capNtfnCanSend_CL cap) \<and>
|
||||
to_bool (capNtfnCanReceive_CL cap) = to_bool_bf (capNtfnCanReceive_CL cap)"
|
||||
apply (simp add:cap_lift_def Let_def split: split_if_asm)
|
||||
apply (simp add:cap_lift_def Let_def split: if_split_asm)
|
||||
apply (subst to_bool_bf_to_bool_mask,
|
||||
clarsimp simp: cap_lift_thread_cap mask_def word_bw_assocs)+
|
||||
apply simp
|
||||
|
@ -196,7 +196,7 @@ lemma to_bool_ep_cap_bf:
|
|||
to_bool (capCanSend_CL cap) = to_bool_bf (capCanSend_CL cap) \<and>
|
||||
to_bool (capCanReceive_CL cap) = to_bool_bf (capCanReceive_CL cap) \<and>
|
||||
to_bool (capCanGrant_CL cap) = to_bool_bf (capCanGrant_CL cap)"
|
||||
apply (simp add:cap_lift_def Let_def split: split_if_asm)
|
||||
apply (simp add:cap_lift_def Let_def split: if_split_asm)
|
||||
apply (subst to_bool_bf_to_bool_mask,
|
||||
clarsimp simp: cap_lift_thread_cap mask_def word_bw_assocs)+
|
||||
apply simp
|
||||
|
@ -260,7 +260,7 @@ lemma maskCapRights_ccorres [corres]:
|
|||
apply (clarsimp simp: cap_to_H_def)
|
||||
apply (simp add: map_option_case split: option.splits)
|
||||
apply (clarsimp simp add: cap_to_H_def Let_def
|
||||
split: cap_CL.splits split_if_asm)
|
||||
split: cap_CL.splits if_split_asm)
|
||||
apply (simp add: cap_notification_cap_lift_def)
|
||||
apply (simp add: ccap_rights_relation_def cap_rights_to_H_def
|
||||
to_bool_ntfn_cap_bf
|
||||
|
@ -296,7 +296,7 @@ lemma maskCapRights_ccorres [corres]:
|
|||
apply (clarsimp simp: cap_to_H_def)
|
||||
apply (simp add: map_option_case split: option.splits)
|
||||
apply (clarsimp simp add: cap_to_H_def Let_def
|
||||
split: cap_CL.splits split_if_asm)
|
||||
split: cap_CL.splits if_split_asm)
|
||||
apply (simp add: cap_endpoint_cap_lift_def)
|
||||
apply (simp add: ccap_rights_relation_def cap_rights_to_H_def
|
||||
to_bool_ep_cap_bf
|
||||
|
@ -506,13 +506,13 @@ lemma cap_lift_capNtfnBadge_mask_eq:
|
|||
"cap_lift cap = Some (Cap_notification_cap ec)
|
||||
\<Longrightarrow> capNtfnBadge_CL ec && mask 28 = capNtfnBadge_CL ec"
|
||||
unfolding cap_lift_def
|
||||
by (fastforce simp: Let_def mask_def word_bw_assocs split: split_if_asm)
|
||||
by (fastforce simp: Let_def mask_def word_bw_assocs split: if_split_asm)
|
||||
|
||||
lemma cap_lift_capEPBadge_mask_eq:
|
||||
"cap_lift cap = Some (Cap_endpoint_cap ec)
|
||||
\<Longrightarrow> capEPBadge_CL ec && mask 28 = capEPBadge_CL ec"
|
||||
unfolding cap_lift_def
|
||||
by (fastforce simp: Let_def mask_def word_bw_assocs split: split_if_asm)
|
||||
by (fastforce simp: Let_def mask_def word_bw_assocs split: if_split_asm)
|
||||
|
||||
lemma revokable_ccorres:
|
||||
"\<lbrakk>ccap_relation cap newCap; cmdbnode_relation rva srcMDB;
|
||||
|
@ -795,7 +795,7 @@ schematic_goal ccap_relation_tag_Master:
|
|||
(capMasterCap cap)"
|
||||
by (fastforce simp: ccap_relation_def map_option_Some_eq2
|
||||
Let_def cap_lift_def cap_to_H_def
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
|
||||
lemma ccap_relation_is_derived_tag_equal:
|
||||
"\<lbrakk> is_derived' cs p cap cap'; ccap_relation cap ccap; ccap_relation cap' ccap' \<rbrakk>
|
||||
|
@ -947,9 +947,9 @@ show "ccorresG rf_sr \<Gamma> dc xfdc (cte_wp_at' (\<lambda>cte. \<exists>i. cte
|
|||
apply (erule(2) cpspace_cte_relation_upd_capI)
|
||||
apply (simp add:cte_lift_def)
|
||||
apply (simp split:option.splits )
|
||||
apply (simp add:cap_to_H_def Let_def split:cap_CL.splits split_if_asm)
|
||||
apply (simp add:cap_to_H_def Let_def split:cap_CL.splits if_split_asm)
|
||||
apply (case_tac y)
|
||||
apply (simp add:cap_lift_def Let_def split:split_if_asm)
|
||||
apply (simp add:cap_lift_def Let_def split:if_split_asm)
|
||||
apply (case_tac cte',simp)
|
||||
apply (clarsimp simp:ccap_relation_def cap_lift_def
|
||||
cap_get_tag_def cap_to_H_def)
|
||||
|
@ -1004,7 +1004,7 @@ lemma t2p_shiftr:
|
|||
done
|
||||
|
||||
lemma setUntypedCapAsFull_ccorres [corres]:
|
||||
notes split_if [split del]
|
||||
notes if_split [split del]
|
||||
notes Collect_const [simp del]
|
||||
notes Collect_True [simp] Collect_False [simp]
|
||||
shows
|
||||
|
@ -1064,15 +1064,15 @@ lemma setUntypedCapAsFull_ccorres [corres]:
|
|||
apply csymbr
|
||||
apply csymbr
|
||||
apply (rule ccorres_cases [where P="capPtr srcCap = capPtr newCap"])
|
||||
apply (clarsimp simp: cap_get_tag_isCap[symmetric] cap_get_tag_UntypedCap split: split_if_asm)
|
||||
apply (clarsimp simp: cap_get_tag_isCap[symmetric] cap_get_tag_UntypedCap split: if_split_asm)
|
||||
apply (rule ccorres_rhs_assoc)+
|
||||
apply csymbr
|
||||
apply csymbr
|
||||
apply csymbr
|
||||
apply (clarsimp simp: cap_get_tag_to_H cap_get_tag_UntypedCap split: split_if_asm)
|
||||
apply (clarsimp simp: cap_get_tag_to_H cap_get_tag_UntypedCap split: if_split_asm)
|
||||
apply (rule ccorres_cond_false)
|
||||
apply (rule ccorres_return_Skip [unfolded dc_def])
|
||||
apply (clarsimp simp: cap_get_tag_isCap[symmetric] cap_get_tag_UntypedCap split: split_if_asm)
|
||||
apply (clarsimp simp: cap_get_tag_isCap[symmetric] cap_get_tag_UntypedCap split: if_split_asm)
|
||||
apply (rule ccorres_cond_false)
|
||||
apply (rule ccorres_return_Skip [unfolded dc_def])
|
||||
apply (rule ccorres_return_Skip [unfolded dc_def])
|
||||
|
@ -1084,7 +1084,7 @@ lemma setUntypedCapAsFull_ccorres [corres]:
|
|||
apply clarsimp
|
||||
apply (intro conjI impI allI)
|
||||
apply (erule cte_wp_at_weakenE')
|
||||
apply (clarsimp simp: cap_get_tag_isCap[symmetric] cap_get_tag_UntypedCap split: split_if_asm)
|
||||
apply (clarsimp simp: cap_get_tag_isCap[symmetric] cap_get_tag_UntypedCap split: if_split_asm)
|
||||
apply clarsimp
|
||||
apply (drule valid_cap_untyped_inv,clarsimp simp:max_free_index_def)
|
||||
apply (rule is_aligned_weaken)
|
||||
|
@ -1103,11 +1103,11 @@ lemma setUntypedCapAsFull_ccorres [corres]:
|
|||
apply (rule capBlockSize_CL_maxSize)
|
||||
apply (clarsimp simp: cap_get_tag_UntypedCap)
|
||||
apply (clarsimp simp: cap_get_tag_isCap_unfolded_H_cap)
|
||||
apply (clarsimp split: split_if_asm)
|
||||
apply (clarsimp split: split_if_asm)
|
||||
apply (clarsimp split: split_if_asm)
|
||||
apply (clarsimp split: split_if_asm)
|
||||
apply (clarsimp split: split_if_asm)
|
||||
apply (clarsimp split: if_split_asm)
|
||||
apply (clarsimp split: if_split_asm)
|
||||
apply (clarsimp split: if_split_asm)
|
||||
apply (clarsimp split: if_split_asm)
|
||||
apply (clarsimp split: if_split_asm)
|
||||
done
|
||||
|
||||
lemma ccte_lift:
|
||||
|
@ -1214,14 +1214,14 @@ thm cteInsert_body_def
|
|||
apply (simp add:dc_def[symmetric])
|
||||
apply (ctac ccorres: ccorres_updateMDB_skip)
|
||||
apply (wp static_imp_wp)
|
||||
apply (clarsimp simp: Collect_const_mem dc_def split del: split_if)
|
||||
apply (clarsimp simp: Collect_const_mem dc_def split del: if_split)
|
||||
apply vcg
|
||||
apply (wp static_imp_wp)
|
||||
apply (clarsimp simp: Collect_const_mem dc_def split del: split_if)
|
||||
apply (clarsimp simp: Collect_const_mem dc_def split del: if_split)
|
||||
apply vcg
|
||||
apply (clarsimp simp:cmdb_node_relation_mdbNext)
|
||||
apply (wp setUntypedCapAsFull_cte_at_wp static_imp_wp)
|
||||
apply (clarsimp simp: Collect_const_mem dc_def split del: split_if)
|
||||
apply (clarsimp simp: Collect_const_mem dc_def split del: if_split)
|
||||
apply (vcg exspec=setUntypedCapAsFull_modifies)
|
||||
apply wp
|
||||
apply vcg
|
||||
|
@ -1233,7 +1233,7 @@ thm cteInsert_body_def
|
|||
apply vcg
|
||||
apply wp
|
||||
apply vcg
|
||||
apply (simp add: Collect_const_mem split del: split_if) -- "Takes a while"
|
||||
apply (simp add: Collect_const_mem split del: if_split) -- "Takes a while"
|
||||
apply (rule conjI)
|
||||
apply (clarsimp simp: conj_comms cte_wp_at_ctes_of)
|
||||
apply (intro conjI)
|
||||
|
@ -1256,7 +1256,7 @@ thm cteInsert_body_def
|
|||
apply simp
|
||||
apply clarsimp
|
||||
apply (clarsimp simp: map_comp_Some_iff cte_wp_at_ctes_of
|
||||
split del: split_if)
|
||||
split del: if_split)
|
||||
apply (clarsimp simp: typ_heap_simps c_guard_clift split_def)
|
||||
apply (clarsimp simp: is_simple_cap_get_tag_relation ccte_relation_ccap_relation cmdb_node_relation_mdbNext[symmetric])
|
||||
apply (metis (hide_lams, no_types) ccap_relation_Master_tags_eq ccte_relation_ccap_relation rf_sr_cte_relation)
|
||||
|
@ -1394,7 +1394,7 @@ lemma cteMove_ccorres:
|
|||
apply (intro conjI, simp+)
|
||||
apply (erule (2) is_aligned_3_prev)
|
||||
apply (erule (2) is_aligned_3_next)
|
||||
apply (clarsimp simp: dc_def split del: split_if)
|
||||
apply (clarsimp simp: dc_def split del: if_split)
|
||||
apply (simp add: ccap_relation_NullCap_iff)
|
||||
apply (clarsimp simp add: cmdbnode_relation_def
|
||||
mdb_node_to_H_def nullMDBNode_def
|
||||
|
@ -1539,7 +1539,7 @@ lemma cteMove_ccorres_verbose:
|
|||
-- "***C generalised precondition***"
|
||||
-- "***--------------------------***"
|
||||
apply (unfold dc_def)
|
||||
apply (clarsimp simp: ccap_relation_NullCap_iff split del: split_if)
|
||||
apply (clarsimp simp: ccap_relation_NullCap_iff split del: if_split)
|
||||
-- "cmdbnode_relation nullMDBNode va"
|
||||
apply (simp add: cmdbnode_relation_def)
|
||||
apply (simp add: mdb_node_to_H_def)
|
||||
|
@ -1892,7 +1892,7 @@ lemma cteSwap_ccorres:
|
|||
-- "modify_map (modify_map \<dots>) (?P3540 \<dots>) = Some cte"
|
||||
-- "\<dots>\<longrightarrow> (\<exists>ctea. ctes_of s (mdbPrev (cteMDBNode cte)) = Some ctea) \<and> is_aligned (mdbPrev (cteMDBNode cte)) 3"
|
||||
-- " Important: we need the first part to prove the second \<Longrightarrow> we need conj_cong"
|
||||
apply (clarsimp simp: modify_map_if cong: if_cong split: split_if_asm)
|
||||
apply (clarsimp simp: modify_map_if cong: if_cong split: if_split_asm)
|
||||
apply (erule disjE)
|
||||
apply clarsimp
|
||||
apply clarsimp
|
||||
|
@ -1937,7 +1937,7 @@ done
|
|||
(************************************************************************)
|
||||
|
||||
|
||||
declare split_if [split del]
|
||||
declare if_split [split del]
|
||||
|
||||
|
||||
(* rq CALL mdb_node_ptr_set_mdbNext_'proc \<dots>) is a printing bug
|
||||
|
@ -2078,7 +2078,7 @@ lemma emptySlot_helper:
|
|||
prefer 2
|
||||
apply (drule cteMDBNode_CL_lift [symmetric])
|
||||
subgoal by (simp add: mdb_node_lift_def mask_def word_bw_assocs)
|
||||
apply (simp add: to_bool_def mask_def split: split_if)
|
||||
apply (simp add: to_bool_def mask_def split: if_split)
|
||||
|
||||
-- "trivial case where mdbNext rva = 0"
|
||||
apply (simp add:ccorres_cond_empty_iff)
|
||||
|
@ -2239,7 +2239,7 @@ show ?thesis
|
|||
apply (simp add: cinterrupt_relation_def Kernel_C.maxIRQ_def)
|
||||
apply (clarsimp simp: word_sless_msb_less order_le_less_trans
|
||||
unat_ucast_no_overflow_le word_le_nat_alt ucast_ucast_b
|
||||
split: split_if )
|
||||
split: if_split )
|
||||
apply (rule word_0_sle_from_less)
|
||||
|
||||
apply (rule order_less_le_trans[where y = 160])
|
||||
|
@ -2357,7 +2357,7 @@ lemma untypedZeroRange_idx_forward_helper:
|
|||
apply (clarsimp split: option.split)
|
||||
apply (clarsimp simp: untypedZeroRange_def max_free_index_def Let_def
|
||||
isCap_simps valid_cap_simps' capAligned_def
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
apply (erule subsetD[rotated], rule intvl_both_le)
|
||||
apply (clarsimp simp: getFreeRef_def)
|
||||
apply (rule word_plus_mono_right)
|
||||
|
@ -2400,7 +2400,7 @@ lemma untypedZeroRange_idx_backward_helper:
|
|||
apply (rule intvl_both_le; clarsimp simp: untypedZeroRange_def
|
||||
max_free_index_def Let_def
|
||||
isCap_simps valid_cap_simps' capAligned_def
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
apply (clarsimp simp: getFreeRef_def)
|
||||
apply (clarsimp simp: getFreeRef_def)
|
||||
apply (simp add: word_of_nat_le unat_sub
|
||||
|
@ -2410,11 +2410,11 @@ lemma untypedZeroRange_idx_backward_helper:
|
|||
apply (clarsimp simp: untypedZeroRange_def
|
||||
max_free_index_def Let_def
|
||||
getFreeRef_def
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
apply (clarsimp simp: untypedZeroRange_def
|
||||
max_free_index_def Let_def
|
||||
getFreeRef_def isCap_simps valid_cap_simps'
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
apply (simp add: word_of_nat_le unat_sub capAligned_def
|
||||
order_le_less_trans[OF _ power_strict_increasing]
|
||||
order_le_less_trans[where x=idx]
|
||||
|
@ -2470,7 +2470,7 @@ lemma updateTrackedFreeIndex_noop_ccorres:
|
|||
apply (clarsimp simp: simpler_modify_def bind_def cte_wp_at_ctes_of)
|
||||
apply (erule gsUntypedZeroRanges_update_helper)
|
||||
apply (clarsimp simp: zero_ranges_are_zero_def
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
apply (case_tac "(a, b) \<in> gsUntypedZeroRanges \<sigma>")
|
||||
apply (drule(1) bspec, simp)
|
||||
apply (erule disjE_L)
|
||||
|
@ -2480,7 +2480,7 @@ lemma updateTrackedFreeIndex_noop_ccorres:
|
|||
apply (clarsimp simp: untypedZeroRange_def
|
||||
valid_cap_simps'
|
||||
max_free_index_def Let_def
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
apply clarsimp
|
||||
apply (thin_tac "\<not> capIsDevice cap' \<longrightarrow> P" for P)
|
||||
apply (clarsimp split: option.split_asm)
|
||||
|
@ -2558,7 +2558,7 @@ lemma emptySlot_ccorres:
|
|||
apply (rule ccorres_cond2'[where R=\<top>])
|
||||
|
||||
-- "*** link between abstract and concrete conditionals ***"
|
||||
apply (clarsimp split: split_if)
|
||||
apply (clarsimp split: if_split)
|
||||
|
||||
-- "*** proof for the 'else' branch (return () and SKIP) ***"
|
||||
prefer 2
|
||||
|
@ -2635,7 +2635,7 @@ lemma emptySlot_ccorres:
|
|||
-- "final precondition proof"
|
||||
apply (clarsimp simp: typ_heap_simps Collect_const_mem
|
||||
cte_wp_at_ctes_of
|
||||
split del: split_if)
|
||||
split del: if_split)
|
||||
|
||||
apply (rule conjI)
|
||||
-- "Haskell side"
|
||||
|
@ -2741,7 +2741,7 @@ lemma cap_get_tag_PageCap_small_frame:
|
|||
cap_small_frame_cap_CL.capFMappedAddress_CL (cap_small_frame_cap_lift cap')))))"
|
||||
apply (rule iffI)
|
||||
apply (erule ccap_relationE)
|
||||
apply (clarsimp simp add: cap_lifts cap_to_H_def Let_def split: split_if)
|
||||
apply (clarsimp simp add: cap_lifts cap_to_H_def Let_def split: if_split)
|
||||
apply (simp add: cap_get_tag_isCap isCap_simps pageSize_def)
|
||||
done
|
||||
|
||||
|
@ -2762,7 +2762,7 @@ lemma cap_get_tag_PageCap_frame:
|
|||
cap_frame_cap_CL.capFMappedAddress_CL (cap_frame_cap_lift cap')))))"
|
||||
apply (rule iffI)
|
||||
apply (erule ccap_relationE)
|
||||
apply (clarsimp simp add: cap_lifts cap_to_H_def Let_def split: split_if)
|
||||
apply (clarsimp simp add: cap_lifts cap_to_H_def Let_def split: if_split)
|
||||
apply (simp add: cap_get_tag_isCap isCap_simps pageSize_def)
|
||||
done
|
||||
|
||||
|
@ -3126,7 +3126,7 @@ lemma generic_frame_cap_get_capFVMRights_spec:
|
|||
apply (clarsimp simp: generic_frame_cap_get_capFVMRights_CL_def
|
||||
cap_lift_small_frame_cap cap_lift_frame_cap
|
||||
cap_small_frame_cap_lift_def cap_frame_cap_lift_def)
|
||||
by (simp add: cap_lift_def Let_def Kernel_C.VMNoAccess_def split: split_if)
|
||||
by (simp add: cap_lift_def Let_def Kernel_C.VMNoAccess_def split: if_split)
|
||||
|
||||
definition
|
||||
get_capSizeBits_CL :: "cap_CL option \<Rightarrow> nat" where
|
||||
|
@ -3186,7 +3186,7 @@ lemma cap_get_capSizeBits_spec:
|
|||
cap_cnode_cap_lift_def cap_thread_cap_lift_def
|
||||
cap_zombie_cap_lift_def cap_page_table_cap_lift_def
|
||||
cap_page_directory_cap_lift_def cap_asid_pool_cap_lift_def
|
||||
Let_def cap_untyped_cap_lift_def split: split_if_asm)
|
||||
Let_def cap_untyped_cap_lift_def split: if_split_asm)
|
||||
|
||||
lemma ccap_relation_get_capSizeBits_physical:
|
||||
notes unfolds = ccap_relation_def get_capSizeBits_CL_def cap_lift_def
|
||||
|
@ -3201,9 +3201,9 @@ lemma ccap_relation_get_capSizeBits_physical:
|
|||
defer 4 (* arch caps last *)
|
||||
apply ((frule cap_get_tag_isCap_unfolded_H_cap,
|
||||
clarsimp simp: unfolds
|
||||
split: split_if_asm)+)[5] (* SOMEONE FIX SUBGOAL PLZ *)
|
||||
split: if_split_asm)+)[5] (* SOMEONE FIX SUBGOAL PLZ *)
|
||||
apply (frule cap_get_tag_isCap_unfolded_H_cap)
|
||||
apply (clarsimp simp: unfolds split: split_if_asm)
|
||||
apply (clarsimp simp: unfolds split: if_split_asm)
|
||||
apply (rule arg_cong [OF less_mask_eq[where n=5, unfolded mask_def, simplified]])
|
||||
apply (simp add: capAligned_def objBits_simps word_bits_conv word_less_nat_alt)
|
||||
subgoal for arch_capability
|
||||
|
@ -3212,17 +3212,17 @@ lemma ccap_relation_get_capSizeBits_physical:
|
|||
apply (fold_subgoals (prefix))[3]
|
||||
subgoal premises prems by ((frule cap_get_tag_isCap_unfolded_H_cap,
|
||||
clarsimp simp: unfolds
|
||||
split: split_if_asm)+)
|
||||
split: if_split_asm)+)
|
||||
apply (rename_tac vmpage_size option)
|
||||
apply (case_tac "vmpage_size = ARMSmallPage", simp_all)
|
||||
apply (frule cap_get_tag_isCap_unfolded_H_cap(16), simp)
|
||||
subgoal by (clarsimp simp: unfolds split: split_if_asm)
|
||||
subgoal by (clarsimp simp: unfolds split: if_split_asm)
|
||||
by (frule cap_get_tag_isCap_unfolded_H_cap(17), simp,
|
||||
clarsimp simp: unfolds
|
||||
pageBitsForSize_spec gen_framesize_to_H_def
|
||||
c_valid_cap_def cl_valid_cap_def framesize_to_H_def
|
||||
generic_frame_cap_get_capFSize_CL_def
|
||||
split: split_if_asm)+
|
||||
split: if_split_asm)+
|
||||
done
|
||||
|
||||
lemma ccap_relation_get_capSizeBits_untyped:
|
||||
|
@ -3245,7 +3245,7 @@ lemma get_capSizeBits_valid_shift:
|
|||
apply (cases hcap;
|
||||
simp add: cap_get_tag_isCap_unfolded_H_cap cap_lift_def cap_tag_defs)
|
||||
(* zombie *)
|
||||
apply (clarsimp simp: Let_def split: split_if)
|
||||
apply (clarsimp simp: Let_def split: if_split)
|
||||
apply (frule cap_get_tag_isCap_unfolded_H_cap)
|
||||
apply (clarsimp simp: ccap_relation_def map_option_Some_eq2
|
||||
cap_lift_zombie_cap cap_to_H_def
|
||||
|
@ -3310,9 +3310,9 @@ lemma cap_zombie_cap_get_capZombiePtr_spec:
|
|||
apply (intro conjI)
|
||||
apply (simp add: word_add_less_mono1[where k=1 and j="0x1F", simplified])
|
||||
apply (subst unat_plus_if_size)
|
||||
apply (clarsimp split: split_if)
|
||||
apply (clarsimp split: if_split)
|
||||
apply (clarsimp simp: get_capZombieBits_CL_def Let_def word_size
|
||||
split: split_if split_if_asm)
|
||||
split: if_split if_split_asm)
|
||||
apply (subgoal_tac "unat (capZombieType_CL (cap_zombie_cap_lift cap) && mask 5)
|
||||
< unat ((2::word32) ^ 5)")
|
||||
apply clarsimp
|
||||
|
@ -3360,7 +3360,7 @@ lemma cap_get_capPtr_spec:
|
|||
cap_cnode_cap_lift_def cap_thread_cap_lift_def
|
||||
cap_zombie_cap_lift_def cap_page_table_cap_lift_def
|
||||
cap_page_directory_cap_lift_def cap_asid_pool_cap_lift_def
|
||||
Let_def cap_untyped_cap_lift_def split: split_if_asm)
|
||||
Let_def cap_untyped_cap_lift_def split: if_split_asm)
|
||||
|
||||
definition get_capIsPhysical_CL :: "cap_CL option \<Rightarrow> bool"
|
||||
where
|
||||
|
@ -3400,13 +3400,13 @@ lemma cap_get_capIsPhysical_spec:
|
|||
cap_cnode_cap_lift_def cap_thread_cap_lift_def
|
||||
cap_zombie_cap_lift_def cap_page_table_cap_lift_def
|
||||
cap_page_directory_cap_lift_def cap_asid_pool_cap_lift_def
|
||||
Let_def cap_untyped_cap_lift_def split: split_if_asm)
|
||||
Let_def cap_untyped_cap_lift_def split: if_split_asm)
|
||||
|
||||
lemma ccap_relation_get_capPtr_not_physical:
|
||||
"\<lbrakk> ccap_relation hcap ccap; capClass hcap \<noteq> PhysicalClass \<rbrakk> \<Longrightarrow>
|
||||
get_capPtr_CL (cap_lift ccap) = Ptr 0"
|
||||
by (clarsimp simp: ccap_relation_def get_capPtr_CL_def cap_to_H_def Let_def
|
||||
split: option.split cap_CL.split_asm split_if_asm)
|
||||
split: option.split cap_CL.split_asm if_split_asm)
|
||||
|
||||
lemma ccap_relation_get_capIsPhysical:
|
||||
"ccap_relation hcap ccap \<Longrightarrow> isPhysicalCap hcap = get_capIsPhysical_CL (cap_lift ccap)"
|
||||
|
@ -3449,9 +3449,9 @@ lemma ccap_relation_get_capPtr_physical:
|
|||
defer 4
|
||||
apply ((frule cap_get_tag_isCap_unfolded_H_cap,
|
||||
clarsimp simp: unfolds
|
||||
split: split_if_asm dest!: ctcb_ptr_to_tcb_ptr_mask)+)[5]
|
||||
split: if_split_asm dest!: ctcb_ptr_to_tcb_ptr_mask)+)[5]
|
||||
apply (frule cap_get_tag_isCap_unfolded_H_cap)
|
||||
apply (clarsimp simp: unfolds split: split_if_asm dest!: ctcb_ptr_to_tcb_ptr_mask)
|
||||
apply (clarsimp simp: unfolds split: if_split_asm dest!: ctcb_ptr_to_tcb_ptr_mask)
|
||||
apply (rule arg_cong [OF less_mask_eq])
|
||||
apply (simp add: capAligned_def word_bits_conv objBits_simps
|
||||
word_less_nat_alt)
|
||||
|
@ -3460,16 +3460,16 @@ lemma ccap_relation_get_capPtr_physical:
|
|||
defer 2 (* page caps last *)
|
||||
apply (fold_subgoals (prefix))[3]
|
||||
subgoal by ((frule cap_get_tag_isCap_unfolded_H_cap,
|
||||
clarsimp simp: unfolds split: split_if_asm)+)
|
||||
clarsimp simp: unfolds split: if_split_asm)+)
|
||||
defer
|
||||
subgoal for \<dots> vmpage_size option
|
||||
apply (cases "vmpage_size = ARMSmallPage"; simp?)
|
||||
apply (frule cap_get_tag_isCap_unfolded_H_cap(16), simp)
|
||||
subgoal by (clarsimp simp: unfolds split: split_if_asm)
|
||||
subgoal by (clarsimp simp: unfolds split: if_split_asm)
|
||||
by (frule cap_get_tag_isCap_unfolded_H_cap(17), simp,
|
||||
clarsimp simp: unfolds
|
||||
cap_tag_defs cap_to_H_def
|
||||
split: split_if_asm)+
|
||||
split: if_split_asm)+
|
||||
done
|
||||
done
|
||||
|
||||
|
@ -3543,7 +3543,7 @@ lemma sameRegionAs_spec:
|
|||
apply (simp add: ccap_relation_def map_option_case)
|
||||
apply (simp add: cap_notification_cap_lift)
|
||||
apply (simp add: cap_to_H_def)
|
||||
apply (clarsimp split: split_if)
|
||||
apply (clarsimp split: if_split)
|
||||
apply (frule_tac cap'=cap_b in cap_get_tag_isArchCap_unfolded_H_cap)
|
||||
apply (clarsimp simp: isArchCap_tag_def2)
|
||||
-- "capa is an IRQHandlerCap"
|
||||
|
@ -3556,7 +3556,7 @@ lemma sameRegionAs_spec:
|
|||
apply (simp add: cap_to_H_def)
|
||||
apply (clarsimp simp: up_ucast_inj_eq c_valid_cap_def
|
||||
cl_valid_cap_def mask_twice
|
||||
split: split_if bool.split
|
||||
split: if_split bool.split
|
||||
| intro impI conjI
|
||||
| simp )+
|
||||
apply (drule ucast_ucast_mask_eq, simp)
|
||||
|
@ -3572,14 +3572,14 @@ lemma sameRegionAs_spec:
|
|||
apply (simp add: ccap_relation_def map_option_case)
|
||||
apply (simp add: cap_endpoint_cap_lift)
|
||||
apply (simp add: cap_to_H_def)
|
||||
apply (clarsimp split: split_if)
|
||||
apply (clarsimp split: if_split)
|
||||
apply (frule_tac cap'=cap_b in cap_get_tag_isArchCap_unfolded_H_cap)
|
||||
apply (clarsimp simp: isArchCap_tag_def2)
|
||||
-- "capa is a DomainCap"
|
||||
apply (case_tac capb, simp_all add: cap_get_tag_isCap_unfolded_H_cap
|
||||
isCap_simps cap_tag_defs from_bool_def false_def true_def)[1]
|
||||
apply (frule_tac cap'=cap_b in cap_get_tag_isArchCap_unfolded_H_cap)
|
||||
apply (fastforce simp: isArchCap_tag_def2 split: split_if)
|
||||
apply (fastforce simp: isArchCap_tag_def2 split: if_split)
|
||||
-- "capa is a Zombie"
|
||||
apply (simp add: cap_tag_defs from_bool_def false_def)
|
||||
-- "capa is an Arch object cap"
|
||||
|
@ -3601,7 +3601,7 @@ lemma sameRegionAs_spec:
|
|||
apply (simp add: ccap_relation_def map_option_case)
|
||||
apply (simp add: cap_reply_cap_lift)
|
||||
apply (simp add: cap_to_H_def ctcb_ptr_to_tcb_ptr_def)
|
||||
apply (clarsimp split: split_if)
|
||||
apply (clarsimp split: if_split)
|
||||
-- "capa is an UntypedCap"
|
||||
apply (frule_tac cap'=cap_a in cap_get_tag_isCap_unfolded_H_cap(9))
|
||||
apply (intro conjI)
|
||||
|
@ -3611,13 +3611,13 @@ lemma sameRegionAs_spec:
|
|||
objBits_simps get_capZombieBits_CL_def
|
||||
Let_def word_less_nat_alt
|
||||
less_mask_eq true_def
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
apply (subgoal_tac "capBlockSize_CL (cap_untyped_cap_lift cap_a) \<le> 0x1F")
|
||||
apply (simp add: word_le_make_less)
|
||||
apply (simp add: cap_untyped_cap_lift_def cap_lift_def
|
||||
cap_tag_defs word_and_le1)
|
||||
apply (clarsimp simp: get_capSizeBits_valid_shift_word)
|
||||
apply (clarsimp simp: from_bool_def Let_def split: split_if bool.splits)
|
||||
apply (clarsimp simp: from_bool_def Let_def split: if_split bool.splits)
|
||||
apply (subst unat_of_nat32,
|
||||
clarsimp simp: unat_of_nat32 word_bits_def
|
||||
dest!: get_capSizeBits_valid_shift)+
|
||||
|
@ -3642,12 +3642,12 @@ lemma sameRegionAs_spec:
|
|||
apply (simp add: ccap_relation_def map_option_case)
|
||||
apply (simp add: cap_cnode_cap_lift)
|
||||
apply (simp add: cap_to_H_def)
|
||||
apply (clarsimp split: split_if bool.split)
|
||||
apply (clarsimp split: if_split bool.split)
|
||||
-- "capa is an IRQControlCap"
|
||||
apply (case_tac capb, simp_all add: cap_get_tag_isCap_unfolded_H_cap
|
||||
isCap_simps cap_tag_defs from_bool_def false_def true_def)[1]
|
||||
apply (frule_tac cap'=cap_b in cap_get_tag_isArchCap_unfolded_H_cap)
|
||||
apply (fastforce simp: isArchCap_tag_def2 split: split_if)
|
||||
apply (fastforce simp: isArchCap_tag_def2 split: if_split)
|
||||
done
|
||||
|
||||
lemma gen_framesize_to_H_eq:
|
||||
|
@ -3656,7 +3656,7 @@ lemma gen_framesize_to_H_eq:
|
|||
by (fastforce simp: gen_framesize_to_H_def Kernel_C.ARMSmallPage_def
|
||||
Kernel_C.ARMLargePage_def Kernel_C.ARMSection_def
|
||||
word_le_make_less
|
||||
split: split_if
|
||||
split: if_split
|
||||
dest: word_less_cases)
|
||||
|
||||
lemma framesize_to_H_eq:
|
||||
|
@ -3665,7 +3665,7 @@ lemma framesize_to_H_eq:
|
|||
by (fastforce simp: framesize_to_H_def Kernel_C.ARMSmallPage_def
|
||||
Kernel_C.ARMLargePage_def Kernel_C.ARMSection_def
|
||||
word_le_make_less
|
||||
split: split_if
|
||||
split: if_split
|
||||
dest: word_less_cases)
|
||||
|
||||
lemma capFSize_range:
|
||||
|
@ -3702,7 +3702,7 @@ lemma Arch_sameObjectAs_spec:
|
|||
apply (simp add: ccap_relation_def map_option_case)
|
||||
apply (simp add: cap_small_frame_cap_lift)
|
||||
apply (clarsimp simp: cap_to_H_def capAligned_def to_bool_def from_bool_def
|
||||
split: split_if bool.split
|
||||
split: if_split bool.split
|
||||
dest!: is_aligned_no_overflow)
|
||||
apply (case_tac "vmpage_sizea = ARMSmallPage",
|
||||
simp_all add: cap_get_tag_isCap_unfolded_H_cap cap_tag_defs
|
||||
|
@ -3714,7 +3714,7 @@ lemma Arch_sameObjectAs_spec:
|
|||
apply (clarsimp simp: cap_to_H_def capAligned_def from_bool_def
|
||||
c_valid_cap_def cl_valid_cap_def
|
||||
Kernel_C.ARMSmallPage_def
|
||||
split: split_if bool.split vmpage_size.split_asm
|
||||
split: if_split bool.split vmpage_size.split_asm
|
||||
dest!: is_aligned_no_overflow)
|
||||
apply (simp add: framesize_to_H_eq capFSize_range to_bool_def
|
||||
cap_frame_cap_lift [symmetric])
|
||||
|
@ -3814,7 +3814,7 @@ lemma isMDBParentOf_spec:
|
|||
apply (simp add: cte_lift_def)
|
||||
apply (clarsimp simp: cte_to_H_def mdb_node_to_H_def split: option.split_asm)
|
||||
apply (clarsimp simp: Let_def false_def from_bool_def to_bool_def
|
||||
split: split_if bool.splits)
|
||||
split: if_split bool.splits)
|
||||
apply ((clarsimp simp: typ_heap_simps dest!: lift_t_g)+)[3]
|
||||
apply (rule_tac x="cteCap ctea" in exI, rule conjI)
|
||||
apply (clarsimp simp: ccte_relation_ccap_relation typ_heap_simps
|
||||
|
@ -3833,7 +3833,7 @@ lemma isMDBParentOf_spec:
|
|||
-- "sameRegionAs = 0"
|
||||
apply (rule impI)
|
||||
apply (clarsimp simp: from_bool_def false_def
|
||||
split: split_if bool.splits)
|
||||
split: if_split bool.splits)
|
||||
|
||||
-- "sameRegionAs \<noteq> 0"
|
||||
apply (clarsimp simp: from_bool_def false_def)
|
||||
|
@ -3855,7 +3855,7 @@ lemma isMDBParentOf_spec:
|
|||
|
||||
apply (clarsimp simp: if_1_0_0 typ_heap_simps' Let_def case_bool_If)
|
||||
apply (frule_tac cap="(cap_to_H x2c)" in cap_get_tag_EndpointCap)
|
||||
apply (clarsimp split: split_if_asm simp: if_distrib [where f=scast])
|
||||
apply (clarsimp split: if_split_asm simp: if_distrib [where f=scast])
|
||||
|
||||
apply (clarsimp, rule conjI)
|
||||
--" cap_get_tag of cte_a is an notification"
|
||||
|
@ -4111,7 +4111,7 @@ lemma Arch_deriveCap_ccorres:
|
|||
subgoal by (simp add: ccap_relation_def cap_lift_def Let_def
|
||||
cap_tag_defs cap_to_H_def to_bool_def
|
||||
cap_page_table_cap_lift_def
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
apply wpc
|
||||
apply (clarsimp simp: cap_get_tag_isCap_ArchObject
|
||||
ccorres_cond_iffs)
|
||||
|
@ -4139,7 +4139,7 @@ lemma Arch_deriveCap_ccorres:
|
|||
subgoal by (simp add: ccap_relation_def cap_lift_def Let_def
|
||||
cap_tag_defs cap_to_H_def to_bool_def
|
||||
cap_page_directory_cap_lift_def
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
apply wpc
|
||||
apply (clarsimp simp: cap_get_tag_isCap_ArchObject
|
||||
ccorres_cond_iffs)
|
||||
|
|
|
@ -127,7 +127,7 @@ lemma rightsFromWord_wordFromRights:
|
|||
"rightsFromWord (wordFromRights rghts) = rghts"
|
||||
apply (cases rghts)
|
||||
apply (simp add: wordFromRights_def rightsFromWord_def
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
done
|
||||
|
||||
lemma wordFromRights_inj:
|
||||
|
@ -224,7 +224,7 @@ proof (cases "isCNodeCap cap'")
|
|||
apply (simp add: throwError_def return_def split)
|
||||
apply vcg
|
||||
apply (clarsimp simp add: exception_defs lookup_fault_lift_def)
|
||||
apply (simp split: split_if)
|
||||
apply (simp split: if_split)
|
||||
apply (vcg strip_guards=true)
|
||||
apply (clarsimp simp: cap_get_tag_isCap isCap_simps)
|
||||
done
|
||||
|
@ -251,7 +251,7 @@ next
|
|||
apply (erule conjE)
|
||||
apply (erule_tac t = capptr in ssubst)
|
||||
apply csymbr+
|
||||
apply (simp add: cap_get_tag_isCap split del: split_if)
|
||||
apply (simp add: cap_get_tag_isCap split del: if_split)
|
||||
apply (thin_tac "ret__unsigned = X" for X)
|
||||
apply (rule ccorres_split_throws [where P = "?P"])
|
||||
apply (rule_tac G' = "\<lambda>w_rightsMask. ({s. nodeCap_' s = nodeCap}
|
||||
|
@ -305,7 +305,7 @@ next
|
|||
"\<And>c f g. (case c of CNodeCap _ _ _ _ \<Rightarrow> f | _ \<Rightarrow> g) = (if isCNodeCap c then f else g)"
|
||||
by (case_tac c, simp_all add: isCap_simps)
|
||||
|
||||
note [split del] = split_if
|
||||
note [split del] = if_split
|
||||
|
||||
have gbD: "\<And>guardBits cap cap'. \<lbrakk> guardBits = capCNodeGuardSize_CL (cap_cnode_cap_lift cap');
|
||||
ccap_relation cap cap'; isCNodeCap cap \<rbrakk>
|
||||
|
@ -466,7 +466,7 @@ next
|
|||
apply (rule iffD1 [OF ccorres_expand_while_iff])
|
||||
apply (subst resolveAddressBits.simps)
|
||||
apply (unfold case_into_if)
|
||||
apply (simp add: Let_def ccorres_cond_iffs split del: split_if)
|
||||
apply (simp add: Let_def ccorres_cond_iffs split del: if_split)
|
||||
apply (rule ccorres_rhs_assoc)+
|
||||
apply (cinitlift nodeCap_' n_bits_')
|
||||
apply (erule_tac t = nodeCapa in ssubst)
|
||||
|
@ -704,7 +704,7 @@ lemma lookupSlotForThread_ccorres':
|
|||
apply (clarsimp simp add: Collect_const_mem errstate_def tcbSlots
|
||||
Kernel_C.tcbCTable_def word_size lookupSlot_raw_rel_def
|
||||
word_sle_def
|
||||
split del: split_if)
|
||||
split del: if_split)
|
||||
done
|
||||
|
||||
lemma lookupSlotForThread_ccorres[corres]:
|
||||
|
|
|
@ -20,7 +20,7 @@ lemma ccorres_drop_cutMon:
|
|||
\<Longrightarrow> ccorres_underlying sr Gamm r xf arrel axf P P' hs (cutMon Q f) g"
|
||||
apply (clarsimp simp: ccorres_underlying_def
|
||||
cutMon_def fail_def
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
apply (subst if_P, simp)
|
||||
apply fastforce
|
||||
done
|
||||
|
@ -30,7 +30,7 @@ lemma ccorres_drop_cutMon_bind:
|
|||
\<Longrightarrow> ccorres_underlying sr Gamm r xf arrel axf P P' hs (cutMon Q f >>= f') g"
|
||||
apply (clarsimp simp: ccorres_underlying_def
|
||||
cutMon_def fail_def bind_def
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
apply (subst if_P, simp)+
|
||||
apply fastforce
|
||||
done
|
||||
|
@ -40,7 +40,7 @@ lemma ccorres_drop_cutMon_bindE:
|
|||
\<Longrightarrow> ccorres_underlying sr Gamm r xf arrel axf P P' hs (cutMon Q f >>=E f') g"
|
||||
apply (clarsimp simp: ccorres_underlying_def
|
||||
cutMon_def fail_def bind_def bindE_def lift_def
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
apply (subst if_P, simp)+
|
||||
apply fastforce
|
||||
done
|
||||
|
@ -50,11 +50,11 @@ lemma ccorres_cutMon:
|
|||
\<Longrightarrow> ccorres_underlying sr Gamm r xf arrel axf P P' hs (cutMon Q f) g"
|
||||
apply (clarsimp simp: ccorres_underlying_def
|
||||
cutMon_def fail_def bind_def
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
apply (erule meta_allE, drule(1) meta_mp)
|
||||
apply (drule(1) bspec)
|
||||
apply (clarsimp simp: fail_def
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
apply (subst if_P, assumption)+
|
||||
apply fastforce
|
||||
done
|
||||
|
@ -67,7 +67,7 @@ lemma ccap_zombie_radix_less1:
|
|||
apply (clarsimp simp: Let_def capAligned_def
|
||||
objBits_simps word_bits_conv word_less_nat_alt
|
||||
word_le_nat_alt less_mask_eq
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
done
|
||||
|
||||
lemmas ccap_zombie_radix_less2
|
||||
|
@ -78,7 +78,7 @@ lemma ccap_zombie_radix_less3:
|
|||
\<Longrightarrow> get_capZombieBits_CL (cap_zombie_cap_lift ccap) < 28"
|
||||
by (clarsimp simp: get_capZombieBits_CL_def Let_def
|
||||
less_mask_eq ccap_zombie_radix_less2
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
|
||||
lemmas ccap_zombie_radix_less4
|
||||
= order_less_le_trans [OF ccap_zombie_radix_less3]
|
||||
|
@ -99,7 +99,7 @@ lemma cap_zombie_cap_get_capZombieNumber_spec:
|
|||
apply (rule conjI)
|
||||
apply unat_arith
|
||||
apply (fold mask_2pm1)
|
||||
apply (simp add: get_capZombieBits_CL_def Let_def split: split_if_asm)
|
||||
apply (simp add: get_capZombieBits_CL_def Let_def split: if_split_asm)
|
||||
apply (subst unat_Suc2)
|
||||
apply clarsimp
|
||||
apply (subst less_mask_eq, erule order_less_le_trans)
|
||||
|
@ -122,7 +122,7 @@ lemma cap_zombie_cap_set_capZombieNumber_spec:
|
|||
apply (clarsimp simp: cap_zombie_cap_lift
|
||||
ccap_relation_def map_option_Some_eq2
|
||||
cap_to_H_def get_capZombieBits_CL_def
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
apply (simp add: mask_def word_bw_assocs word_ao_dist)
|
||||
apply (rule sym, rule less_mask_eq[where n=5, unfolded mask_def, simplified])
|
||||
apply unat_arith
|
||||
|
@ -155,7 +155,7 @@ lemma capRemovable_spec:
|
|||
apply (clarsimp simp: get_capZombiePtr_CL_def Let_def get_capZombieBits_CL_def
|
||||
isCap_simps unat_eq_0 unat_eq_1
|
||||
less_mask_eq ccap_zombie_radix_less2
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
done
|
||||
|
||||
lemma capCyclicZombie_spec:
|
||||
|
@ -172,7 +172,7 @@ lemma capCyclicZombie_spec:
|
|||
apply (frule(1) cap_get_tag_to_H)
|
||||
apply (clarsimp simp: capCyclicZombie_def Let_def
|
||||
get_capZombieBits_CL_def get_capZombiePtr_CL_def
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
apply (auto simp: less_mask_eq ccap_zombie_radix_less2)
|
||||
done
|
||||
|
||||
|
@ -183,7 +183,7 @@ lemma case_assertE_to_assert:
|
|||
| _ \<Rightarrow> returnOk ())
|
||||
= liftE (assert (case cap of Zombie ptr2 x xa \<Rightarrow> P ptr2 x xa | _ \<Rightarrow> True))"
|
||||
apply (simp add: assertE_def returnOk_liftE assert_def
|
||||
split: capability.split split_if)
|
||||
split: capability.split if_split)
|
||||
done
|
||||
|
||||
lemma cteDelete_ccorres1:
|
||||
|
@ -258,7 +258,7 @@ lemma zombie_rf_sr_helperE:
|
|||
apply (clarsimp simp: get_capZombiePtr_CL_def Let_def
|
||||
get_capZombieBits_CL_def
|
||||
isZombieTCB_C_def
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
apply (simp add: less_mask_eq ccap_zombie_radix_less2
|
||||
isZombieTCB_C_def)
|
||||
done
|
||||
|
@ -786,7 +786,7 @@ lemma finaliseSlot_ccorres:
|
|||
apply (rule allI, rule conseqPre, vcg)
|
||||
apply (clarsimp simp: returnOk_def return_def
|
||||
from_bool_def true_def)
|
||||
apply (clarsimp simp: irq_opt_relation_def split: split_if)
|
||||
apply (clarsimp simp: irq_opt_relation_def split: if_split)
|
||||
apply vcg
|
||||
apply (simp only: cutMon_walk_if Collect_False ccorres_seq_cond_empty
|
||||
ccorres_seq_skip)
|
||||
|
@ -822,7 +822,7 @@ lemma finaliseSlot_ccorres:
|
|||
apply (clarsimp simp: returnOk_def return_def)
|
||||
apply (drule use_valid [OF _ finaliseCap_cases, OF _ TrueI])
|
||||
apply (simp add: from_bool_def false_def irq_opt_relation_def true_def
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
apply vcg
|
||||
apply wp
|
||||
apply (simp add: guard_is_UNIV_def true_def)
|
||||
|
|
|
@ -38,7 +38,7 @@ lemma h_t_valid_ptr_clear_region:
|
|||
apply (clarsimp simp: typ_clear_region_def)
|
||||
apply clarsimp
|
||||
apply (drule spec, drule (1) mp)
|
||||
apply (clarsimp simp: typ_clear_region_def split: split_if_asm)
|
||||
apply (clarsimp simp: typ_clear_region_def split: if_split_asm)
|
||||
apply clarsimp
|
||||
apply (drule spec, drule (1) mp)
|
||||
apply (subgoal_tac "ptr_val p + of_nat y \<notin> {ptr..+2 ^ bits}")
|
||||
|
@ -61,7 +61,7 @@ lemma map_of_le:
|
|||
apply clarsimp
|
||||
apply (clarsimp simp: map_le_def dom_map_of_conv_image_fst)
|
||||
apply (drule(1) bspec, simp)
|
||||
apply (simp(no_asm_use) split: split_if_asm)
|
||||
apply (simp(no_asm_use) split: if_split_asm)
|
||||
apply (fastforce simp: image_def)
|
||||
apply simp
|
||||
done
|
||||
|
@ -74,7 +74,7 @@ lemma list_map_le_singleton:
|
|||
apply (drule map_of_le)
|
||||
apply simp
|
||||
apply (cases xs, simp_all add: list_map_def upt_conv_Cons
|
||||
split: split_if_asm del: upt.simps)
|
||||
split: if_split_asm del: upt.simps)
|
||||
apply (case_tac list, simp_all add: upt_conv_Cons del: upt.simps)
|
||||
apply auto
|
||||
done
|
||||
|
@ -102,7 +102,7 @@ lemma valid_footprint_typ_region_bytes:
|
|||
apply (drule spec, drule (1) mp)
|
||||
apply (clarsimp simp: typ_region_bytes_def list_map_le_singleton neq_byte
|
||||
neq_types_not_typ_slice_eq
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
apply clarsimp
|
||||
apply (drule spec, drule (1) mp)
|
||||
apply (subgoal_tac "p + of_nat y \<notin> {ptr..+2 ^ bits}")
|
||||
|
@ -166,7 +166,7 @@ lemma lift_t_typ_clear_region:
|
|||
apply (drule (1) orthD2)
|
||||
apply (erule contrapos_np, rule intvl_self)
|
||||
apply (simp add: size_of_def wf_size_desc_gt)
|
||||
apply (simp add: lift_t_def lift_typ_heap_if s_valid_def h_t_valid_ptr_clear_region del: disj_not1 split del: split_if)
|
||||
apply (simp add: lift_t_def lift_typ_heap_if s_valid_def h_t_valid_ptr_clear_region del: disj_not1 split del: if_split)
|
||||
apply (subst if_not_P)
|
||||
apply simp
|
||||
apply (case_tac "x \<in> (- Ptr ` {ptr..+2 ^ bits})")
|
||||
|
@ -206,7 +206,7 @@ lemma lift_t_typ_region_bytes:
|
|||
apply (cut_tac p=x in mem_type_self)
|
||||
apply blast
|
||||
apply (simp add: lift_t_def lift_typ_heap_if s_valid_def neq_byte
|
||||
h_t_valid_typ_region_bytes del: disj_not1 split del: split_if)
|
||||
h_t_valid_typ_region_bytes del: disj_not1 split del: if_split)
|
||||
apply (clarsimp simp add: restrict_map_def)
|
||||
apply (blast dest: doms)
|
||||
done
|
||||
|
@ -582,7 +582,7 @@ proof -
|
|||
apply simp
|
||||
apply clarsimp
|
||||
apply (drule_tac y = n in aligned_add_aligned [where m = 4])
|
||||
apply (simp add: tcb_cte_cases_def is_aligned_def split: split_if_asm)
|
||||
apply (simp add: tcb_cte_cases_def is_aligned_def split: if_split_asm)
|
||||
apply (simp add: word_bits_conv)
|
||||
apply simp
|
||||
done
|
||||
|
@ -607,7 +607,7 @@ lemma tcb_cte_cases_in_range3:
|
|||
proof -
|
||||
from tc obtain q where yq: "y = x + q" and qv: "q \<le> 2 ^ 7 - 1"
|
||||
unfolding tcb_cte_cases_def
|
||||
by (simp add: diff_eq_eq split: split_if_asm)
|
||||
by (simp add: diff_eq_eq split: if_split_asm)
|
||||
|
||||
have "q + (2 ^ 4 - 1) \<le> (2 ^ 7 - 1) + (2 ^ 4 - 1)" using qv
|
||||
by (rule word_plus_mcs_3) simp
|
||||
|
@ -635,7 +635,7 @@ lemma tcb_cte_cases_aligned:
|
|||
"\<lbrakk>is_aligned p 9; tcb_cte_cases n = Some (getF, setF)\<rbrakk>
|
||||
\<Longrightarrow> is_aligned (p + n) (objBits (cte :: cte))"
|
||||
apply (erule aligned_add_aligned)
|
||||
apply (simp add: tcb_cte_cases_def is_aligned_def objBits_simps split: split_if_asm)
|
||||
apply (simp add: tcb_cte_cases_def is_aligned_def objBits_simps split: if_split_asm)
|
||||
apply (simp add: objBits_simps)
|
||||
done
|
||||
|
||||
|
@ -1341,7 +1341,7 @@ lemma heap_to_user_data_update_region:
|
|||
else heap_to_user_data psp f x)"
|
||||
apply (rule ext)
|
||||
apply (simp add: heap_to_user_data_def Let_def
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
apply (rule conjI)
|
||||
apply (clarsimp simp: byte_to_word_heap_def Let_def add.assoc
|
||||
intro!: ext)
|
||||
|
@ -1375,7 +1375,7 @@ lemma heap_to_device_data_update_region:
|
|||
else heap_to_device_data psp f x)"
|
||||
apply (rule ext)
|
||||
apply (simp add: heap_to_device_data_def Let_def
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
apply (rule conjI)
|
||||
apply (clarsimp simp: byte_to_word_heap_def Let_def add.assoc
|
||||
intro!: ext)
|
||||
|
@ -1867,7 +1867,7 @@ proof -
|
|||
apply clarsimp
|
||||
apply (rule ccontr)
|
||||
apply (drule (2) asid)
|
||||
apply (clarsimp simp: ran_def pd_pointer_to_asid_slot_def split: split_if_asm)
|
||||
apply (clarsimp simp: ran_def pd_pointer_to_asid_slot_def split: if_split_asm)
|
||||
apply (subgoal_tac "armKSASIDMap (ksArchState (s\<lparr>ksPSpace := ?ks\<rparr>)) a = Some (asid, pd_ptr)")
|
||||
prefer 2
|
||||
apply simp
|
||||
|
@ -1908,7 +1908,7 @@ proof -
|
|||
apply (rule ext)
|
||||
apply clarsimp
|
||||
apply (simp add: map_option_def map_comp_def
|
||||
split: split_if_asm option.splits)
|
||||
split: if_split_asm option.splits)
|
||||
apply (frule pspace_alignedD'[OF _ pspace_aligned'])
|
||||
apply (case_tac "pageBits \<le> bits")
|
||||
apply (simp add: objBitsKO_def projectKOs split: kernel_object.splits)
|
||||
|
@ -1961,7 +1961,7 @@ proof -
|
|||
apply (rule ext)
|
||||
apply clarsimp
|
||||
apply (simp add: map_option_def map_comp_def
|
||||
split: split_if_asm option.splits)
|
||||
split: if_split_asm option.splits)
|
||||
apply (frule pspace_alignedD'[OF _ pspace_aligned'])
|
||||
apply (case_tac "pageBits \<le> bits")
|
||||
apply (simp add: objBitsKO_def projectKOs split: kernel_object.splits)
|
||||
|
|
|
@ -232,7 +232,7 @@ where
|
|||
|
||||
lemma obj_at_tcbs_of:
|
||||
"obj_at' P t s = (EX tcb. tcbs_of s t = Some tcb & P tcb)"
|
||||
apply (simp add: tcbs_of_def split: split_if)
|
||||
apply (simp add: tcbs_of_def split: if_split)
|
||||
apply (intro conjI impI)
|
||||
apply (clarsimp simp: obj_at'_def projectKOs)
|
||||
apply (clarsimp simp: obj_at'_weakenE[OF _ TrueI])
|
||||
|
@ -355,7 +355,7 @@ lemma of_int_sint_scast [simp]:
|
|||
lemma stateAssert_bind_out_of_if:
|
||||
"If P f (stateAssert Q xs >>= g) = stateAssert (\<lambda>s. \<not> P \<longrightarrow> Q s) [] >>= (\<lambda>_. If P f (g ()))"
|
||||
"If P (stateAssert Q xs >>= g) f = stateAssert (\<lambda>s. P \<longrightarrow> Q s) [] >>= (\<lambda>_. If P (g ()) f)"
|
||||
by (simp_all add: fun_eq_iff stateAssert_def exec_get split: split_if)
|
||||
by (simp_all add: fun_eq_iff stateAssert_def exec_get split: if_split)
|
||||
|
||||
lemma isCNodeCap_capUntypedPtr_capCNodePtr:
|
||||
"isCNodeCap c \<Longrightarrow> capUntypedPtr c = capCNodePtr c"
|
||||
|
@ -384,7 +384,7 @@ lemma lookup_fp_ccorres':
|
|||
apply (simp add: from_bool_0 del: Collect_const cong: call_ignore_cong)
|
||||
apply (rule ccorres_Cond_rhs_Seq)
|
||||
apply (simp add: resolveAddressBits.simps split_def del: Collect_const
|
||||
split del: split_if)
|
||||
split del: if_split)
|
||||
apply (rule ccorres_drop_cutMon)
|
||||
apply (rule ccorres_from_vcg_split_throws[where P=\<top> and P'=UNIV])
|
||||
apply vcg
|
||||
|
@ -462,9 +462,9 @@ lemma lookup_fp_ccorres':
|
|||
apply (rule ccorres_Guard_Seq, csymbr)
|
||||
apply (simp add: resolveAddressBits.simps bindE_assoc extra_sle_sless_unfolds
|
||||
Collect_True
|
||||
split del: split_if del: Collect_const cong: call_ignore_cong)
|
||||
split del: if_split del: Collect_const cong: call_ignore_cong)
|
||||
apply (simp add: cutMon_walk_bindE del: Collect_const
|
||||
split del: split_if cong: call_ignore_cong)
|
||||
split del: if_split cong: call_ignore_cong)
|
||||
apply (rule ccorres_drop_cutMon_bindE, rule ccorres_assertE)
|
||||
apply (rule ccorres_cutMon)
|
||||
apply csymbr
|
||||
|
@ -481,7 +481,7 @@ lemma lookup_fp_ccorres':
|
|||
apply (rule ccorres_from_vcg_split_throws[where P=\<top> and P'=UNIV])
|
||||
apply vcg
|
||||
apply (rule conseqPre, vcg)
|
||||
apply (clarsimp simp: unlessE_def split: split_if)
|
||||
apply (clarsimp simp: unlessE_def split: if_split)
|
||||
apply (simp add: throwError_def return_def cap_tag_defs
|
||||
isRight_def isLeft_def
|
||||
ccap_relation_NullCap_iff
|
||||
|
@ -504,7 +504,7 @@ lemma lookup_fp_ccorres':
|
|||
apply (rule ccorres_from_vcg_split_throws[where P=\<top> and P'=UNIV])
|
||||
apply vcg
|
||||
apply (rule conseqPre, vcg)
|
||||
apply (clarsimp simp: unlessE_def split: split_if cong: call_ignore_cong)
|
||||
apply (clarsimp simp: unlessE_def split: if_split cong: call_ignore_cong)
|
||||
apply (simp add: throwError_def return_def cap_tag_defs isRight_def
|
||||
isLeft_def ccap_relation_NullCap_iff)
|
||||
apply fastforce
|
||||
|
@ -518,7 +518,7 @@ lemma lookup_fp_ccorres':
|
|||
apply (rule ccorres_cutMon)
|
||||
apply (simp add: cutMon_walk_bindE unlessE_whenE
|
||||
del: Collect_const
|
||||
split del: split_if cong: call_ignore_cong)
|
||||
split del: if_split cong: call_ignore_cong)
|
||||
apply (rule ccorres_drop_cutMon_bindE)
|
||||
apply csymbr+
|
||||
apply (rule ccorres_rhs_assoc2)
|
||||
|
@ -624,7 +624,7 @@ lemma lookup_fp_ccorres':
|
|||
apply (simp add: ccHoarePost_def del: Collect_const)
|
||||
apply vcg
|
||||
apply (clarsimp simp: Collect_const_mem if_1_0_0 of_bl_from_bool
|
||||
split del: split_if cong: if_cong)
|
||||
split del: if_split cong: if_cong)
|
||||
apply (clarsimp simp: cap_get_tag_isCap
|
||||
option.split[where P="\<lambda>x. x"]
|
||||
isCNodeCap_capUntypedPtr_capCNodePtr
|
||||
|
@ -823,7 +823,7 @@ lemma stored_hw_asid_get_ccorres_split':
|
|||
add_mask_eq pdBits_def pageBits_def word_bits_def
|
||||
valid_pde_mapping_offset'_def pd_asid_slot_def)
|
||||
apply (simp add: cpde_relation_def Let_def pde_lift_def
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
done
|
||||
|
||||
lemma ptr_add_0xFF0:
|
||||
|
@ -853,7 +853,7 @@ lemma pde_stored_asid_Some:
|
|||
= (pde_get_tag pde = scast pde_pde_invalid
|
||||
\<and> to_bool (stored_asid_valid_CL (pde_pde_invalid_lift pde))
|
||||
\<and> v = ucast (stored_hw_asid_CL (pde_pde_invalid_lift pde)))"
|
||||
by (auto simp add: pde_stored_asid_def split: split_if)
|
||||
by (auto simp add: pde_stored_asid_def split: if_split)
|
||||
|
||||
lemma pointerInUserData_c_guard':
|
||||
"\<lbrakk> pointerInUserData ptr s; no_0_obj' s; is_aligned ptr 2 \<rbrakk>
|
||||
|
@ -1098,7 +1098,7 @@ lemma switchToThread_fp_ccorres:
|
|||
apply (fastforce simp: ran_def)
|
||||
apply (frule ctes_of_valid', clarsimp, clarsimp simp: valid_cap'_def)
|
||||
apply (auto simp: singleton_eq_o2s projectKOs obj_at'_def
|
||||
pde_stored_asid_def split: split_if_asm)
|
||||
pde_stored_asid_def split: if_split_asm)
|
||||
done
|
||||
|
||||
lemma thread_state_ptr_set_tsType_np_spec:
|
||||
|
@ -1479,14 +1479,14 @@ lemma isValidVTableRoot_fp_lemma:
|
|||
apply (subgoal_tac "cap_get_tag ccap = scast cap_page_directory_cap
|
||||
\<Longrightarrow> (index (cap_C.words_C ccap) 0 && 0x10 = 0x10) = to_bool (capPDIsMapped_CL (cap_page_directory_cap_lift ccap))")
|
||||
apply (clarsimp simp add: cap_get_tag_eq_x mask_def
|
||||
cap_page_directory_cap_def split: split_if)
|
||||
cap_page_directory_cap_def split: if_split)
|
||||
apply (rule conj_cong[OF refl])
|
||||
apply clarsimp
|
||||
apply (clarsimp simp: cap_lift_page_directory_cap
|
||||
cap_to_H_simps
|
||||
to_bool_def bool_mask[folded word_neq_0_conv]
|
||||
cap_page_directory_cap_lift_def
|
||||
elim!: ccap_relationE split: split_if)
|
||||
elim!: ccap_relationE split: if_split)
|
||||
apply (thin_tac "P" for P)
|
||||
apply word_bitwise
|
||||
done
|
||||
|
@ -1496,7 +1496,7 @@ lemma isValidVTableRoot_fp_spec:
|
|||
{t. ret__unsigned_long_' t = from_bool (isValidVTableRoot_C (pd_cap_' s))}"
|
||||
apply vcg
|
||||
apply (clarsimp simp: word_sle_def word_sless_def isValidVTableRoot_fp_lemma)
|
||||
apply (simp add: from_bool_def split: split_if)
|
||||
apply (simp add: from_bool_def split: if_split)
|
||||
done
|
||||
|
||||
lemma isRecvEP_endpoint_case:
|
||||
|
@ -1600,7 +1600,7 @@ lemma fastpath_dequeue_ccorres:
|
|||
update_tcb_map_tos typ_heap_simps')
|
||||
apply (rule conjI, erule ctcb_relation_null_queue_ptrs)
|
||||
apply (rule ext, simp add: tcb_null_queue_ptrs_def
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
apply (rule conjI)
|
||||
apply (rule cpspace_relation_ep_update_ep, assumption+)
|
||||
apply (simp add: Let_def cendpoint_relation_def EPState_Recv_def)
|
||||
|
@ -1616,7 +1616,7 @@ lemma fastpath_dequeue_ccorres:
|
|||
cmachine_state_relation_def h_t_valid_clift_Some_iff
|
||||
update_ep_map_tos)
|
||||
apply (erule cready_queues_relation_null_queue_ptrs)
|
||||
apply (rule ext, simp add: tcb_null_ep_ptrs_def split: split_if)
|
||||
apply (rule ext, simp add: tcb_null_ep_ptrs_def split: if_split)
|
||||
done
|
||||
|
||||
lemma tcb_NextPrev_C_update_swap:
|
||||
|
@ -1684,7 +1684,7 @@ lemma sym_refs_upd_sD:
|
|||
apply (clarsimp simp: obj_at'_def ko_wp_at'_def projectKOs)
|
||||
apply (clarsimp simp: project_inject objBits_def)
|
||||
apply (clarsimp simp: obj_at'_def ps_clear_upd projectKOs
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
apply (clarsimp simp: project_inject objBits_def)
|
||||
apply auto
|
||||
done
|
||||
|
@ -1775,7 +1775,7 @@ lemma fastpath_enqueue_ccorres:
|
|||
typ_heap_simps')
|
||||
apply (rule conjI, erule ctcb_relation_null_queue_ptrs)
|
||||
apply (rule ext, simp add: tcb_null_queue_ptrs_def
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
apply (rule conjI)
|
||||
apply (rule_tac S="tcb_ptr_to_ctcb_ptr ` set (ksCurThread \<sigma> # list)"
|
||||
in cpspace_relation_ep_update_an_ep,
|
||||
|
@ -1806,15 +1806,15 @@ lemma fastpath_enqueue_ccorres:
|
|||
apply (fastforce dest!: map_to_ko_atI)
|
||||
|
||||
apply (rule cnotification_relation_q_cong)
|
||||
apply (clarsimp split: split_if)
|
||||
apply (clarsimp split: if_split)
|
||||
apply (clarsimp simp: restrict_map_def ntfn_q_refs_of'_def
|
||||
split: split_if Structures_H.notification.split_asm Structures_H.ntfn.split_asm)
|
||||
split: if_split Structures_H.notification.split_asm Structures_H.ntfn.split_asm)
|
||||
apply (erule notE[rotated], erule_tac ntfnptr=p and ntfn=a in st_tcb_at_not_in_ntfn_queue,
|
||||
auto dest!: map_to_ko_atI)[1]
|
||||
apply (simp add: carch_state_relation_def typ_heap_simps' update_ep_map_tos
|
||||
cmachine_state_relation_def h_t_valid_clift_Some_iff)
|
||||
apply (erule cready_queues_relation_null_queue_ptrs)
|
||||
apply (rule ext, simp add: tcb_null_ep_ptrs_def split: split_if)
|
||||
apply (rule ext, simp add: tcb_null_ep_ptrs_def split: if_split)
|
||||
apply (clarsimp simp: typ_heap_simps' EPState_Recv_def mask_def
|
||||
is_aligned_weaken[OF is_aligned_tcb_ptr_to_ctcb_ptr])
|
||||
apply (clarsimp simp: rf_sr_def cstate_relation_def Let_def)
|
||||
|
@ -1824,7 +1824,7 @@ lemma fastpath_enqueue_ccorres:
|
|||
typ_heap_simps' ct_in_state'_def)
|
||||
apply (rule conjI, erule ctcb_relation_null_queue_ptrs)
|
||||
apply (rule ext, simp add: tcb_null_queue_ptrs_def
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
apply (rule conjI)
|
||||
apply (rule_tac S="{tcb_ptr_to_ctcb_ptr (ksCurThread \<sigma>)}"
|
||||
in cpspace_relation_ep_update_an_ep, assumption+)
|
||||
|
@ -1836,15 +1836,15 @@ lemma fastpath_enqueue_ccorres:
|
|||
apply (erule iffD1 [OF cmap_relation_cong, OF refl refl, rotated -1])
|
||||
apply simp
|
||||
apply (rule cnotification_relation_q_cong)
|
||||
apply (clarsimp split: split_if)
|
||||
apply (clarsimp split: if_split)
|
||||
apply (clarsimp simp: restrict_map_def ntfn_q_refs_of'_def
|
||||
split: split_if Structures_H.notification.split_asm Structures_H.ntfn.split_asm)
|
||||
split: if_split Structures_H.notification.split_asm Structures_H.ntfn.split_asm)
|
||||
apply (erule notE[rotated], rule_tac ntfnptr=p and ntfn=a in st_tcb_at_not_in_ntfn_queue,
|
||||
assumption+, auto dest!: map_to_ko_atI)[1]
|
||||
apply (simp add: carch_state_relation_def typ_heap_simps' update_ep_map_tos
|
||||
cmachine_state_relation_def h_t_valid_clift_Some_iff)
|
||||
apply (erule cready_queues_relation_null_queue_ptrs)
|
||||
apply (rule ext, simp add: tcb_null_ep_ptrs_def split: split_if)
|
||||
apply (rule ext, simp add: tcb_null_ep_ptrs_def split: if_split)
|
||||
done
|
||||
|
||||
|
||||
|
@ -2222,7 +2222,7 @@ lemma fastpath_call_ccorres:
|
|||
apply (drule(1) obj_at_cslift_tcb, clarsimp)
|
||||
apply (clarsimp simp: typ_heap_simps' ctcb_relation_def cfault_rel_def)
|
||||
apply (rule rev_bexI, erule threadGet_eq)
|
||||
apply (clarsimp simp: seL4_Fault_lift_def Let_def split: split_if_asm)
|
||||
apply (clarsimp simp: seL4_Fault_lift_def Let_def split: if_split_asm)
|
||||
apply ceqv
|
||||
apply csymbr
|
||||
apply (simp del: Collect_const cong: call_ignore_cong)
|
||||
|
@ -2457,8 +2457,8 @@ lemma fastpath_call_ccorres:
|
|||
apply (simp add: ctcb_relation_def cthread_state_relation_def)
|
||||
apply simp
|
||||
apply (rule conjI, erule cready_queues_relation_not_queue_ptrs)
|
||||
apply (rule ext, simp split: split_if add: typ_heap_simps')
|
||||
apply (rule ext, simp split: split_if add: typ_heap_simps')
|
||||
apply (rule ext, simp split: if_split add: typ_heap_simps')
|
||||
apply (rule ext, simp split: if_split add: typ_heap_simps')
|
||||
apply (simp add: carch_state_relation_def cmachine_state_relation_def
|
||||
typ_heap_simps' map_comp_update projectKO_opt_tcb
|
||||
cvariable_relation_upd_const ko_at_projectKO_opt)
|
||||
|
@ -2565,8 +2565,8 @@ lemma fastpath_call_ccorres:
|
|||
apply (simp add: ctcb_relation_def cthread_state_relation_def)
|
||||
apply simp
|
||||
apply (rule conjI, erule cready_queues_relation_not_queue_ptrs)
|
||||
apply (rule ext, simp split: split_if)
|
||||
apply (rule ext, simp split: split_if)
|
||||
apply (rule ext, simp split: if_split)
|
||||
apply (rule ext, simp split: if_split)
|
||||
apply (simp add: carch_state_relation_def cmachine_state_relation_def
|
||||
typ_heap_simps' map_comp_update projectKO_opt_tcb
|
||||
cvariable_relation_upd_const ko_at_projectKO_opt)
|
||||
|
@ -2741,7 +2741,7 @@ lemma fastpath_call_ccorres:
|
|||
ptr_val_tcb_ptr_mask' size_of_def cte_level_bits_def
|
||||
tcb_cnode_index_defs tcbCTableSlot_def tcbVTableSlot_def
|
||||
tcbReplySlot_def tcbCallerSlot_def
|
||||
simp del: Collect_const split del: split_if)
|
||||
simp del: Collect_const split del: if_split)
|
||||
apply (drule(1) obj_at_cslift_tcb)
|
||||
apply (clarsimp simp: ccte_relation_eq_ccap_relation of_bl_from_bool from_bool_0
|
||||
if_1_0_0 ccap_relation_case_sum_Null_endpoint
|
||||
|
@ -2774,7 +2774,7 @@ lemma isMasterReplyCap_fp_conv:
|
|||
apply (simp add: cap_get_tag_isCap[symmetric])
|
||||
apply (rule conj_cong)
|
||||
apply (simp add: mask_def word_bw_assocs cap_get_tag_eq_x
|
||||
cap_reply_cap_def split: split_if)
|
||||
cap_reply_cap_def split: if_split)
|
||||
apply (clarsimp simp: cap_lift_reply_cap cap_to_H_simps
|
||||
isCap_simps
|
||||
elim!: ccap_relationE)
|
||||
|
@ -2838,7 +2838,7 @@ lemma fastpath_reply_cap_check_ccorres:
|
|||
apply (rule allI, rule conseqPre, vcg)
|
||||
apply (clarsimp simp: extra_sle_sless_unfolds isMasterReplyCap_fp_conv
|
||||
from_bool_def return_def)
|
||||
apply (simp split: bool.split split_if)
|
||||
apply (simp split: bool.split if_split)
|
||||
done
|
||||
|
||||
lemma fastpath_reply_recv_ccorres:
|
||||
|
@ -2909,7 +2909,7 @@ lemma fastpath_reply_recv_ccorres:
|
|||
apply (drule(1) obj_at_cslift_tcb, clarsimp)
|
||||
apply (clarsimp simp: typ_heap_simps' ctcb_relation_def cfault_rel_def)
|
||||
apply (rule rev_bexI, erule threadGet_eq)
|
||||
apply (clarsimp simp: seL4_Fault_lift_def Let_def split: split_if_asm)
|
||||
apply (clarsimp simp: seL4_Fault_lift_def Let_def split: if_split_asm)
|
||||
apply ceqv
|
||||
apply csymbr
|
||||
apply (simp only:)
|
||||
|
@ -3068,7 +3068,7 @@ lemma fastpath_reply_recv_ccorres:
|
|||
apply (clarsimp simp: obj_at_tcbs_of)
|
||||
apply (clarsimp simp: typ_heap_simps' ctcb_relation_def cfault_rel_def
|
||||
ccap_relation_reply_helper)
|
||||
apply (clarsimp simp: seL4_Fault_lift_def Let_def split: split_if_asm)
|
||||
apply (clarsimp simp: seL4_Fault_lift_def Let_def split: if_split_asm)
|
||||
apply ceqv
|
||||
apply (simp del: Collect_const not_None_eq cong: call_ignore_cong)
|
||||
apply (rule ccorres_Cond_rhs_Seq)
|
||||
|
@ -3210,8 +3210,8 @@ lemma fastpath_reply_recv_ccorres:
|
|||
to_bool_def if_1_0_0)
|
||||
apply simp
|
||||
apply (rule conjI, erule cready_queues_relation_not_queue_ptrs)
|
||||
apply (rule ext, simp split: split_if)
|
||||
apply (rule ext, simp split: split_if)
|
||||
apply (rule ext, simp split: if_split)
|
||||
apply (rule ext, simp split: if_split)
|
||||
apply (simp add: carch_state_relation_def cmachine_state_relation_def
|
||||
typ_heap_simps' map_comp_update projectKO_opt_tcb
|
||||
cvariable_relation_upd_const ko_at_projectKO_opt)
|
||||
|
@ -3289,8 +3289,8 @@ lemma fastpath_reply_recv_ccorres:
|
|||
apply (simp add: ctcb_relation_def cthread_state_relation_def)
|
||||
apply simp
|
||||
apply (rule conjI, erule cready_queues_relation_not_queue_ptrs)
|
||||
apply (rule ext, simp split: split_if)
|
||||
apply (rule ext, simp split: split_if)
|
||||
apply (rule ext, simp split: if_split)
|
||||
apply (rule ext, simp split: if_split)
|
||||
apply (simp add: carch_state_relation_def cmachine_state_relation_def
|
||||
typ_heap_simps' map_comp_update projectKO_opt_tcb
|
||||
cvariable_relation_upd_const ko_at_projectKO_opt)
|
||||
|
@ -3505,7 +3505,7 @@ lemma foldr_copy_register_tsrs:
|
|||
apply (induct rs)
|
||||
apply simp
|
||||
apply (simp add: copy_register_tsrs_def fun_eq_iff
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
done
|
||||
|
||||
lemma monadic_rewrite_add_lookup_both_sides:
|
||||
|
@ -3767,12 +3767,12 @@ lemma fastpath_callKernel_SysCall_corres:
|
|||
enum_register toEnum_def
|
||||
msgRegisters_unfold
|
||||
cong: if_cong)
|
||||
apply (clarsimp split: split_if)
|
||||
apply (clarsimp split: if_split)
|
||||
apply (rule ext)
|
||||
apply (simp add: badgeRegister_def msgInfoRegister_def
|
||||
ARM.badgeRegister_def
|
||||
ARM.msgInfoRegister_def
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
apply simp
|
||||
apply (wp | simp cong: if_cong bool.case_cong
|
||||
| rule getCTE_wp' gts_wp' threadGet_wp
|
||||
|
@ -3898,7 +3898,7 @@ lemma doReplyTransfer_simple:
|
|||
lemma monadic_rewrite_if_known:
|
||||
"monadic_rewrite F E ((\<lambda>s. C = X) and \<top>) (if C then f else g) (if X then f else g)"
|
||||
apply (rule monadic_rewrite_gen_asm)
|
||||
apply (simp split del: split_if)
|
||||
apply (simp split del: if_split)
|
||||
apply (rule monadic_rewrite_refl)
|
||||
done
|
||||
|
||||
|
@ -3933,7 +3933,7 @@ lemma receiveIPC_simple_rewrite:
|
|||
|
||||
lemma empty_fail_isFinalCapability:
|
||||
"empty_fail (isFinalCapability cte)"
|
||||
by (simp add: isFinalCapability_def Let_def split: split_if)
|
||||
by (simp add: isFinalCapability_def Let_def split: if_split)
|
||||
|
||||
lemma cteDeleteOne_replycap_rewrite:
|
||||
"monadic_rewrite True False
|
||||
|
@ -3997,7 +3997,7 @@ lemma emptySlot_cnode_caps:
|
|||
apply (wp emptySlot_cteCaps_of)
|
||||
apply (clarsimp simp: cteCaps_of_def cte_wp_at_ctes_of
|
||||
elim!: rsubst[where P=P] intro!: ext
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
done
|
||||
|
||||
lemma cteDeleteOne_cnode_caps:
|
||||
|
@ -4026,7 +4026,7 @@ lemma setCTE_obj_at_ep[wp]:
|
|||
apply (rule obj_at_setObject2)
|
||||
apply (clarsimp simp: updateObject_cte typeError_def in_monad
|
||||
split: Structures_H.kernel_object.split_asm
|
||||
split_if_asm)
|
||||
if_split_asm)
|
||||
done
|
||||
|
||||
lemma setCTE_obj_at_ntfn[wp]:
|
||||
|
@ -4035,7 +4035,7 @@ lemma setCTE_obj_at_ntfn[wp]:
|
|||
apply (rule obj_at_setObject2)
|
||||
apply (clarsimp simp: updateObject_cte typeError_def in_monad
|
||||
split: Structures_H.kernel_object.split_asm
|
||||
split_if_asm)
|
||||
if_split_asm)
|
||||
done
|
||||
|
||||
crunch obj_at_ep[wp]: emptySlot "obj_at' (P :: endpoint \<Rightarrow> bool) p"
|
||||
|
@ -4173,7 +4173,7 @@ lemma emptySlot_cte_wp_at_cteCap:
|
|||
\<lbrace>\<lambda>rv s. cte_wp_at' (\<lambda>cte. P (cteCap cte)) p s\<rbrace>"
|
||||
apply (simp add: tree_cte_cteCap_eq[unfolded o_def])
|
||||
apply (wp emptySlot_cteCaps_of)
|
||||
apply (clarsimp split: split_if)
|
||||
apply (clarsimp split: if_split)
|
||||
done
|
||||
|
||||
lemma real_cte_at_tcbs_of_neq:
|
||||
|
@ -4181,7 +4181,7 @@ lemma real_cte_at_tcbs_of_neq:
|
|||
2 ^ cte_level_bits * offs : dom tcb_cte_cases |]
|
||||
==> p ~= t + 2 ^ cte_level_bits * offs"
|
||||
apply (clarsimp simp: tcbs_of_def obj_at'_def projectKOs objBits_simps
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
apply (erule notE[rotated], erule(2) tcb_ctes_clear[rotated])
|
||||
apply fastforce
|
||||
done
|
||||
|
@ -4194,7 +4194,7 @@ lemma setEndpoint_getCTE_pivot[unfolded K_bind_def]:
|
|||
fun_eq_iff bind_assoc)
|
||||
apply (simp add: exec_gets assert_def assert_opt_def
|
||||
exec_modify update_ep_map_tos
|
||||
split: split_if option.split)
|
||||
split: if_split option.split)
|
||||
done
|
||||
|
||||
lemma setEndpoint_setCTE_pivot[unfolded K_bind_def]:
|
||||
|
@ -4230,8 +4230,8 @@ lemma setEndpoint_setCTE_pivot[unfolded K_bind_def]:
|
|||
in monadic_rewrite_refl3)
|
||||
apply (simp add: setEndpoint_def setObject_modify_assert bind_assoc
|
||||
exec_gets assert_def exec_modify
|
||||
split: split_if)
|
||||
apply (auto split: split_if simp: obj_at'_def projectKOs
|
||||
split: if_split)
|
||||
apply (auto split: if_split simp: obj_at'_def projectKOs
|
||||
intro!: arg_cong[where f=f] ext kernel_state.fold_congs)[1]
|
||||
apply wp
|
||||
apply simp
|
||||
|
@ -4243,7 +4243,7 @@ lemma setEndpoint_updateMDB_pivot[unfolded K_bind_def]:
|
|||
by (clarsimp simp: updateMDB_def bind_assoc
|
||||
setEndpoint_getCTE_pivot
|
||||
setEndpoint_setCTE_pivot
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
|
||||
lemma setEndpoint_updateCap_pivot[unfolded K_bind_def]:
|
||||
"do setEndpoint p val; updateCap slot mf; f od =
|
||||
|
@ -4260,7 +4260,7 @@ lemma modify_setEndpoint_pivot[unfolded K_bind_def]:
|
|||
apply (simp add: setEndpoint_def setObject_modify_assert
|
||||
bind_assoc fun_eq_iff
|
||||
exec_gets exec_modify assert_def
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
apply atomize
|
||||
apply clarsimp
|
||||
apply (drule_tac x="\<lambda>_. ksPSpace s" in spec)
|
||||
|
@ -4292,7 +4292,7 @@ lemma emptySlot_setEndpoint_pivot[unfolded K_bind_def]:
|
|||
setEndpoint_updateMDB_pivot
|
||||
case_Null_If
|
||||
setEndpoint_clearUntypedFreeIndex_pivot
|
||||
split: split_if
|
||||
split: if_split
|
||||
| rule bind_apply_cong[OF refl])+
|
||||
done
|
||||
|
||||
|
@ -4343,13 +4343,13 @@ lemma set_setCTE[unfolded K_bind_def]:
|
|||
\<and> (\<forall> f g tcb. setF f (setF g tcb) = setF (f o g) tcb)))"
|
||||
in monadic_rewrite_gen_asm)
|
||||
apply (rule monadic_rewrite_refl2)
|
||||
apply (simp add: exec_modify split: split_if)
|
||||
apply (simp add: exec_modify split: if_split)
|
||||
apply (auto simp: simpler_modify_def projectKO_opt_tcb
|
||||
intro!: kernel_state.fold_congs ext
|
||||
split: split_if)[1]
|
||||
split: if_split)[1]
|
||||
apply wp
|
||||
apply (clarsimp intro!: all_tcbI)
|
||||
apply (auto simp: tcb_cte_cases_def split: split_if_asm)
|
||||
apply (auto simp: tcb_cte_cases_def split: if_split_asm)
|
||||
done
|
||||
|
||||
lemma setCTE_updateCapMDB:
|
||||
|
@ -4359,7 +4359,7 @@ lemma setCTE_updateCapMDB:
|
|||
cte_overwrite set_setCTE)
|
||||
apply (simp add: getCTE_assert_opt setCTE_assert_modify bind_assoc)
|
||||
apply (rule ext, simp add: exec_gets assert_opt_def exec_modify
|
||||
split: split_if option.split)
|
||||
split: if_split option.split)
|
||||
apply (cut_tac P=\<top> and p=p and s=x in cte_wp_at_ctes_of)
|
||||
apply (cases cte)
|
||||
apply (simp add: cte_wp_at_obj_cases')
|
||||
|
@ -4510,7 +4510,7 @@ lemma tcbSchedEnqueue_tcbIPCBuffer:
|
|||
\<lbrace>\<lambda>_. obj_at' (\<lambda>tcb. P (tcbIPCBuffer tcb)) t\<rbrace>"
|
||||
apply (simp add: tcbSchedEnqueue_def unless_when)
|
||||
apply (wp threadSet_obj_at' hoare_drop_imps threadGet_wp
|
||||
|simp split: split_if)+
|
||||
|simp split: if_split)+
|
||||
done
|
||||
|
||||
crunch obj_at'_tcbIPCBuffer[wp]: rescheduleRequired "obj_at' (\<lambda>tcb. P (tcbIPCBuffer tcb)) t"
|
||||
|
@ -4814,13 +4814,13 @@ lemma fastpath_callKernel_SysReplyRecv_corres:
|
|||
enum_register toEnum_def
|
||||
msgRegisters_unfold
|
||||
cong: if_cong)
|
||||
apply (clarsimp split: split_if)
|
||||
apply (clarsimp split: if_split)
|
||||
apply (rule ext)
|
||||
apply (simp add: badgeRegister_def msgInfoRegister_def
|
||||
ARM.msgInfoRegister_def
|
||||
ARM.badgeRegister_def
|
||||
cong: if_cong
|
||||
split: split_if)
|
||||
cong: if_cong
|
||||
split: if_split)
|
||||
apply simp
|
||||
apply (clarsimp simp: cte_wp_at_ctes_of isCap_simps
|
||||
map_to_ctes_partial_overwrite)
|
||||
|
|
|
@ -26,7 +26,7 @@ lemma switchIfRequiredTo_ccorres [corres]:
|
|||
apply clarsimp
|
||||
done
|
||||
|
||||
declare split_if [split del]
|
||||
declare if_split [split del]
|
||||
|
||||
lemma empty_fail_getEndpoint:
|
||||
"empty_fail (getEndpoint ep)"
|
||||
|
@ -59,9 +59,9 @@ lemma tcbSchedEnqueue_cslift_spec:
|
|||
h_t_valid_field[OF h_t_valid_clift])
|
||||
apply (rule conjI)
|
||||
apply (clarsimp simp: typ_heap_simps cong: if_cong)
|
||||
apply (simp split: split_if)
|
||||
apply (simp split: if_split)
|
||||
apply (clarsimp simp: typ_heap_simps if_Some_helper cong: if_cong)
|
||||
by (simp split: split_if)
|
||||
by (simp split: if_split)
|
||||
|
||||
lemma setThreadState_cslift_spec:
|
||||
"\<forall>s. \<Gamma>\<turnstile>\<^bsub>/UNIV\<^esub> \<lbrace>s. s \<Turnstile>\<^sub>c \<acute>tptr \<and> (\<forall>x. ksSchedulerAction_' (globals s) = tcb_Ptr x
|
||||
|
@ -103,7 +103,7 @@ lemma setThreadState_cslift_spec:
|
|||
apply vcg_step+
|
||||
apply (clarsimp simp: typ_heap_simps h_t_valid_clift_Some_iff
|
||||
fun_eq_iff option_map2_def if_1_0_0)
|
||||
by (simp split: split_if)
|
||||
by (simp split: if_split)
|
||||
|
||||
lemma ep_queue_relation_shift:
|
||||
"(option_map2 tcbEPNext_C (cslift s')
|
||||
|
@ -355,7 +355,7 @@ lemma cancelAllIPC_ccorres:
|
|||
| simp)+
|
||||
apply (rule mapM_x_wp', wp)+
|
||||
apply (wp sts_st_tcb')
|
||||
apply (clarsimp split: split_if)
|
||||
apply (clarsimp split: if_split)
|
||||
apply (rule mapM_x_wp', wp)+
|
||||
apply (clarsimp simp: valid_tcb_state'_def)
|
||||
apply (simp add: guard_is_UNIV_def)
|
||||
|
@ -402,7 +402,7 @@ lemma cancelAllIPC_ccorres:
|
|||
apply (ctac add: rescheduleRequired_ccorres)
|
||||
apply (wp cancelAllIPC_mapM_x_valid_queues)
|
||||
apply (wp mapM_x_wp' weak_sch_act_wf_lift_linear
|
||||
sts_st_tcb' | clarsimp simp: valid_tcb_state'_def split: split_if)+
|
||||
sts_st_tcb' | clarsimp simp: valid_tcb_state'_def split: if_split)+
|
||||
apply (simp add: guard_is_UNIV_def)
|
||||
apply (wp set_ep_valid_objs' hoare_vcg_const_Ball_lift
|
||||
weak_sch_act_wf_lift_linear)
|
||||
|
@ -489,7 +489,7 @@ lemma cancelAllSignals_ccorres:
|
|||
apply (ctac add: rescheduleRequired_ccorres)
|
||||
apply (wp cancelAllIPC_mapM_x_valid_queues)
|
||||
apply (wp mapM_x_wp' weak_sch_act_wf_lift_linear
|
||||
sts_st_tcb' | clarsimp simp: valid_tcb_state'_def split: split_if)+
|
||||
sts_st_tcb' | clarsimp simp: valid_tcb_state'_def split: if_split)+
|
||||
apply (simp add: guard_is_UNIV_def)
|
||||
apply (wp set_ntfn_valid_objs' hoare_vcg_const_Ball_lift
|
||||
weak_sch_act_wf_lift_linear)
|
||||
|
@ -564,7 +564,7 @@ lemma tcb_queue_relation2_concat:
|
|||
apply (induct xs arbitrary: before)
|
||||
apply simp
|
||||
apply (rename_tac x xs before)
|
||||
apply (simp split del: split_if)
|
||||
apply (simp split del: if_split)
|
||||
apply (case_tac "hp x")
|
||||
apply simp
|
||||
apply simp
|
||||
|
@ -640,7 +640,7 @@ lemma cap_to_H_NTFNCap_tag:
|
|||
"\<lbrakk> cap_to_H cap = NotificationCap word1 word2 a b;
|
||||
cap_lift C_cap = Some cap \<rbrakk> \<Longrightarrow>
|
||||
cap_get_tag C_cap = scast cap_notification_cap"
|
||||
apply (clarsimp simp: cap_to_H_def Let_def split: cap_CL.splits split_if_asm)
|
||||
apply (clarsimp simp: cap_to_H_def Let_def split: cap_CL.splits if_split_asm)
|
||||
by (simp_all add: Let_def cap_lift_def split: if_splits)
|
||||
|
||||
lemmas ccorres_pre_getBoundNotification = ccorres_pre_threadGet [where f=tcbBoundNotification, folded getBoundNotification_def]
|
||||
|
@ -976,13 +976,13 @@ lemma invalidateASIDEntry_ccorres:
|
|||
apply (rule ccorres_split_nothrow_novcg_dc)
|
||||
apply (rule ccorres_cond2[where R=\<top>])
|
||||
apply (clarsimp simp: Collect_const_mem pde_stored_asid_def to_bool_def
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
apply csymbr
|
||||
apply (rule ccorres_Guard)+
|
||||
apply (rule_tac P="rv \<noteq> None" in ccorres_gen_asm)
|
||||
apply (ctac(no_simp) add: invalidateHWASIDEntry_ccorres)
|
||||
apply (clarsimp simp: pde_stored_asid_def unat_ucast
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
apply (rule sym, rule nat_mod_eq')
|
||||
apply (simp add: pde_pde_invalid_lift_def pde_lift_def)
|
||||
apply (rule unat_less_power[where sz=8, simplified])
|
||||
|
@ -1203,7 +1203,7 @@ lemma deleteASID_ccorres:
|
|||
apply (drule sym, simp)
|
||||
apply (simp add: option_to_ptr_def option_to_0_def
|
||||
from_bool_def inv_ASIDPool
|
||||
split: option.split split_if bool.split)
|
||||
split: option.split if_split bool.split)
|
||||
apply ceqv
|
||||
apply (rule ccorres_cond2[where R=\<top>])
|
||||
apply (simp add: Collect_const_mem from_bool_0)
|
||||
|
@ -1268,7 +1268,7 @@ lemma deleteASID_ccorres:
|
|||
projectKOs invs_valid_pde_mappings'
|
||||
invs_cur')
|
||||
apply (rule conjI, blast)
|
||||
subgoal by (fastforce simp: inv_into_def ran_def split: split_if_asm)
|
||||
subgoal by (fastforce simp: inv_into_def ran_def split: if_split_asm)
|
||||
by (clarsimp simp: order_le_less_trans [OF word_and_le1]
|
||||
asid_shiftr_low_bits_less asid_bits_def mask_def
|
||||
plus_one_helper arg_cong[where f="\<lambda>x. 2 ^ x", OF meta_eq_to_obj_eq, OF asid_low_bits_def]
|
||||
|
@ -1369,8 +1369,8 @@ lemma pageTableMapped_ccorres:
|
|||
return_def addrFromPPtr_def
|
||||
pde_pde_coarse_lift_def)
|
||||
apply (rule conjI)
|
||||
apply (simp add: pde_lift_def Let_def split: split_if_asm)
|
||||
apply (clarsimp simp: option_to_0_def option_to_ptr_def split: split_if)
|
||||
apply (simp add: pde_lift_def Let_def split: if_split_asm)
|
||||
apply (clarsimp simp: option_to_0_def option_to_ptr_def split: if_split)
|
||||
apply (clarsimp simp: ARM.addrFromPPtr_def ARM.ptrFromPAddr_def)
|
||||
apply ((rule ccorres_cond_false_seq ccorres_cond_false
|
||||
ccorres_return_C | simp)+)[3]
|
||||
|
@ -1378,7 +1378,7 @@ lemma pageTableMapped_ccorres:
|
|||
apply wp
|
||||
apply (clarsimp simp: guard_is_UNIV_def Collect_const_mem if_1_0_0)
|
||||
apply (simp add: cpde_relation_def Let_def pde_lift_def
|
||||
split: split_if_asm,
|
||||
split: if_split_asm,
|
||||
auto simp: option_to_0_def option_to_ptr_def pde_tag_defs)[1]
|
||||
apply simp
|
||||
apply (rule ccorres_split_throws)
|
||||
|
@ -1398,7 +1398,7 @@ lemma pageTableMapped_pd:
|
|||
apply (rule hoare_pre)
|
||||
apply (wp getPDE_wp hoare_vcg_all_lift_R | wpc)+
|
||||
apply (rule hoare_post_imp_R, rule findPDForASID_page_directory_at'_simple)
|
||||
apply (clarsimp split: split_if)
|
||||
apply (clarsimp split: if_split)
|
||||
apply simp
|
||||
done
|
||||
|
||||
|
@ -1580,24 +1580,24 @@ lemma Arch_finaliseCap_ccorres:
|
|||
subgoal by (clarsimp simp: cap_small_frame_cap_lift cap_to_H_def to_bool_def
|
||||
vmsz_aligned_aligned_pageBits
|
||||
elim!: ccap_relationE
|
||||
split: option.split_asm split_if_asm)
|
||||
split: option.split_asm if_split_asm)
|
||||
apply (clarsimp simp: valid_cap'_def mask_def)
|
||||
apply (frule(1) cap_get_tag_isCap_unfolded_H_cap)
|
||||
subgoal by (clarsimp simp: cap_frame_cap_lift cap_to_H_def to_bool_def
|
||||
vmsz_aligned_aligned_pageBits
|
||||
elim!: ccap_relationE
|
||||
split: option.split_asm split_if_asm)
|
||||
split: option.split_asm if_split_asm)
|
||||
apply (clarsimp simp: valid_cap'_def mask_def)
|
||||
apply (frule cap_get_tag_isCap_unfolded_H_cap)
|
||||
apply (clarsimp simp: cap_page_table_cap_lift cap_to_H_def to_bool_def
|
||||
elim!: ccap_relationE
|
||||
split: option.split_asm split_if_asm)
|
||||
split: option.split_asm if_split_asm)
|
||||
apply (clarsimp simp: valid_cap'_def)
|
||||
apply (frule cap_get_tag_isCap_unfolded_H_cap)
|
||||
apply (frule cap_lift_page_directory_cap)
|
||||
apply (clarsimp simp: ccap_relation_def cap_to_H_def capAligned_def
|
||||
to_bool_def cap_page_directory_cap_lift_def
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
apply (rule conjI)
|
||||
apply (clarsimp simp: asid_bits_def cap_page_directory_cap_lift_def)
|
||||
apply clarsimp
|
||||
|
@ -1619,7 +1619,7 @@ lemma Arch_finaliseCap_ccorres:
|
|||
apply (clarsimp simp: cap_frame_cap_lift cap_to_H_def
|
||||
vm_page_size_defs framesize_to_H_def
|
||||
elim!: ccap_relationE simp del: Collect_const frame_cap_size
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
apply (clarsimp simp: c_valid_cap_def cl_valid_cap_def
|
||||
Kernel_C.ARMSmallPage_def)
|
||||
apply (clarsimp simp: cap_get_tag_isCap_unfolded_H_cap)
|
||||
|
@ -1690,7 +1690,7 @@ lemma isFinalCapability_ccorres:
|
|||
apply (rule allI, rule conseqPre, vcg)
|
||||
apply (clarsimp simp: return_def from_bool_eq_if from_bool_0
|
||||
mdbNext_to_H[symmetric] rf_sr_cte_at_validD)
|
||||
apply (clarsimp simp: cte_wp_at_ctes_of split: split_if)
|
||||
apply (clarsimp simp: cte_wp_at_ctes_of split: if_split)
|
||||
apply (rule cmap_relationE1 [OF cmap_relation_cte], assumption+,
|
||||
simp?, simp add: typ_heap_simps)+
|
||||
apply (drule ccte_relation_ccap_relation)+
|
||||
|
@ -2032,7 +2032,7 @@ lemma finaliseCap_ccorres:
|
|||
apply (rule allI, rule conseqPre, vcg)
|
||||
apply (clarsimp simp: return_def)
|
||||
apply (frule cap_get_tag_to_H, erule(1) cap_get_tag_isCap [THEN iffD2])
|
||||
apply (simp add: ccap_relation_NullCap_iff split: split_if)
|
||||
apply (simp add: ccap_relation_NullCap_iff split: if_split)
|
||||
apply (frule(1) ccap_relation_IRQHandler_mask)
|
||||
apply (erule irq_opt_relation_Some_ucast)
|
||||
apply (simp add: ARM.maxIRQ_def Kernel_C.maxIRQ_def)
|
||||
|
|
|
@ -421,7 +421,7 @@ lemma checkIRQ_ret_good:
|
|||
"\<lbrace>\<lambda>s. (irq \<le> scast Kernel_C.maxIRQ \<longrightarrow> P s) \<and> Q s\<rbrace> checkIRQ irq \<lbrace>\<lambda>rv. P\<rbrace>, \<lbrace>\<lambda>rv. Q\<rbrace>"
|
||||
apply (clarsimp simp: checkIRQ_def rangeCheck_def Platform_maxIRQ minIRQ_def)
|
||||
apply (rule hoare_pre,wp)
|
||||
by (clarsimp simp: Kernel_C.maxIRQ_def split: split_if)
|
||||
by (clarsimp simp: Kernel_C.maxIRQ_def split: if_split)
|
||||
|
||||
lemma toEnum_of_ucast:
|
||||
"len_of TYPE('b) \<le> len_of TYPE('a) \<Longrightarrow>
|
||||
|
|
|
@ -370,7 +370,7 @@ lemma invokeCNodeRotate_ccorres:
|
|||
(invokeCNode (Rotate cap1 cap2 slot1 slot2 slot3))
|
||||
(Call invokeCNodeRotate_'proc)"
|
||||
apply (cinit lift: slot1_' slot2_' slot3_' cap1_' cap2_' simp del: return_bind cong:call_ignore_cong)
|
||||
apply (simp split del: split_if del: Collect_const)
|
||||
apply (simp split del: if_split del: Collect_const)
|
||||
apply (simp only: liftE_def)
|
||||
apply (rule_tac r'="dc" and xf'="xfdc" in ccorres_split_nothrow_novcg)
|
||||
apply (rule ccorres_cond [where R = \<top>])
|
||||
|
@ -410,7 +410,7 @@ lemma invokeCNodeSaveCaller_ccorres:
|
|||
(invokeCNode (SaveCaller destSlot))
|
||||
(Call invokeCNodeSaveCaller_'proc)"
|
||||
apply (cinit lift: destSlot_' simp del: return_bind cong:call_ignore_cong)
|
||||
apply (simp add: Collect_True split del: split_if del: Collect_const cong:call_ignore_cong)
|
||||
apply (simp add: Collect_True split del: if_split del: Collect_const cong:call_ignore_cong)
|
||||
apply (simp only: liftE_def)
|
||||
apply (rule ccorres_Guard_Seq)+
|
||||
apply (simp only: bind_assoc)
|
||||
|
@ -557,7 +557,7 @@ lemma hasCancelSendRights_spec:
|
|||
apply (drule sym, drule (1) cap_get_tag_to_H)
|
||||
apply (clarsimp simp: hasCancelSendRights_def to_bool_def
|
||||
true_def false_def
|
||||
split: split_if bool.splits)
|
||||
split: if_split bool.splits)
|
||||
apply (rule impI)
|
||||
apply (case_tac cap,
|
||||
auto simp: cap_get_tag_isCap_unfolded_H_cap cap_tag_defs
|
||||
|
@ -818,7 +818,7 @@ lemma decodeCNodeInvocation_ccorres:
|
|||
apply (rule ccorres_from_vcg_split_throws[where P=\<top> and P'=UNIV])
|
||||
apply vcg
|
||||
apply (rule conseqPre, vcg)
|
||||
apply (clarsimp split: split_if simp: injection_handler_throwError)
|
||||
apply (clarsimp split: if_split simp: injection_handler_throwError)
|
||||
apply (auto simp: throwError_def return_def
|
||||
syscall_error_to_H_cases syscall_error_rel_def
|
||||
exception_defs)[1]
|
||||
|
@ -1705,8 +1705,8 @@ lemma pspace_no_overlap_underlying_zero_update:
|
|||
= s"
|
||||
apply (subgoal_tac "\<forall>x \<in> S. underlying_memory (ksMachineState s) x = 0")
|
||||
apply (cases "ksMachineState s")
|
||||
apply (cases s, simp add: fun_eq_iff split: split_if)
|
||||
apply (clarsimp split: split_if_asm)
|
||||
apply (cases s, simp add: fun_eq_iff split: if_split)
|
||||
apply (clarsimp split: if_split_asm)
|
||||
apply (erule pspace_no_overlap_underlying_zero)
|
||||
apply (simp add: invs'_def valid_state'_def)
|
||||
apply blast
|
||||
|
@ -1781,7 +1781,7 @@ lemma clearMemory_untyped_ccorres:
|
|||
apply (simp add: addrFromPPtr_mask)
|
||||
apply (cases "ptr = 0")
|
||||
apply (drule subsetD, rule intvl_self, simp)
|
||||
apply (simp split: split_if_asm)
|
||||
apply (simp split: if_split_asm)
|
||||
apply simp
|
||||
done
|
||||
|
||||
|
@ -1954,7 +1954,7 @@ lemma byte_regions_unmodified_actually_heap_list:
|
|||
apply (drule_tac x=x in spec)
|
||||
apply (drule_tac x=x in bspec)
|
||||
apply blast
|
||||
apply (clarsimp split: split_if_asm)
|
||||
apply (clarsimp split: if_split_asm)
|
||||
done
|
||||
|
||||
lemma resetUntypedCap_ccorres:
|
||||
|
@ -2147,7 +2147,7 @@ lemma resetUntypedCap_ccorres:
|
|||
apply (clarsimp simp: valid_cap_simps' capAligned_def
|
||||
aligned_offset_non_zero cteCaps_of_def
|
||||
is_aligned_mask_out_add_eq_sub[OF is_aligned_weaken]
|
||||
split_if[where P="\<lambda>z. a \<le> z" for a])
|
||||
if_split[where P="\<lambda>z. a \<le> z" for a])
|
||||
apply (strengthen is_aligned_mult_triv2[THEN is_aligned_weaken]
|
||||
aligned_sub_aligned[OF _ _ order_refl]
|
||||
aligned_intvl_offset_subset_ran
|
||||
|
@ -2551,7 +2551,7 @@ lemma invokeUntyped_Retype_ccorres:
|
|||
apply clarsimp
|
||||
apply (frule cap_get_tag_isCap_unfolded_H_cap)
|
||||
apply (cut_tac some_range_cover_arithmetic)
|
||||
apply (case_tac cte', clarsimp simp: modify_map_def fun_eq_iff split: split_if)
|
||||
apply (case_tac cte', clarsimp simp: modify_map_def fun_eq_iff split: if_split)
|
||||
apply (simp add: mex_def meq_def ptr_base_eq del: split_paired_Ex)
|
||||
apply (rule exI, strengthen refl, simp)
|
||||
apply (strengthen globals.fold_congs, simp add: field_simps)
|
||||
|
@ -2594,7 +2594,7 @@ lemma invokeUntyped_Retype_ccorres:
|
|||
invokeUntyped_proofs.caps_no_overlap'
|
||||
invokeUntyped_proofs.ps_no_overlap'
|
||||
invokeUntyped_proofs.descendants_range
|
||||
split_if[where P="\<lambda>v. v \<le> getFreeIndex x y" for x y]
|
||||
if_split[where P="\<lambda>v. v \<le> getFreeIndex x y" for x y]
|
||||
empty_descendants_range_in'
|
||||
invs_pspace_aligned' invs_pspace_distinct'
|
||||
invs_ksCurDomain_maxDomain'
|
||||
|
@ -2620,7 +2620,7 @@ lemma invokeUntyped_Retype_ccorres:
|
|||
apply (erule is_aligned_weaken[OF range_cover.aligned])
|
||||
apply (clarsimp simp: APIType_capBits_low)
|
||||
(* new idx le *)
|
||||
apply (clarsimp split: split_if)
|
||||
apply (clarsimp split: if_split)
|
||||
(* cnodeptr not in area *)
|
||||
apply (rule contra_subsetD[rotated],
|
||||
rule invokeUntyped_proofs.ex_cte_no_overlap'[OF proofs], rule misc)
|
||||
|
@ -2645,7 +2645,7 @@ lemma invokeUntyped_Retype_ccorres:
|
|||
apply (rule order_trans, erule invokeUntyped_proofs.subset_stuff)
|
||||
apply (simp add: atLeastatMost_subset_iff word_and_le2)
|
||||
(* destSlots *)
|
||||
apply (clarsimp split: split_if)
|
||||
apply (clarsimp split: if_split)
|
||||
apply (frule invokeUntyped_proofs.slots_invD[OF proofs])
|
||||
apply (simp add: conj_comms)
|
||||
(* usableUntyped *)
|
||||
|
@ -2666,7 +2666,7 @@ lemma invokeUntyped_Retype_ccorres:
|
|||
apply (cut_tac vui)
|
||||
apply (clarsimp simp: cap_get_tag_isCap getFreeIndex_def
|
||||
cte_wp_at_ctes_of shiftL_nat
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
apply (simp add: mask_out_sub_mask field_simps region_is_bytes'_def)
|
||||
apply (clarsimp elim!: region_actually_is_bytes_subset)
|
||||
apply (rule order_refl)
|
||||
|
@ -2708,7 +2708,7 @@ lemma ccorres_returnOk_Basic:
|
|||
lemma injection_handler_whenE:
|
||||
"injection_handler injf (whenE P f)
|
||||
= whenE P (injection_handler injf f)"
|
||||
by (simp add: whenE_def injection_handler_returnOk split: split_if)
|
||||
by (simp add: whenE_def injection_handler_returnOk split: if_split)
|
||||
|
||||
lemma fromEnum_object_type_to_H:
|
||||
"fromEnum x = unat (object_type_from_H x)"
|
||||
|
@ -2717,7 +2717,7 @@ lemma fromEnum_object_type_to_H:
|
|||
enum_apiobject_type
|
||||
object_type_from_H_def
|
||||
"StrictC'_object_defs" "api_object_defs"
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
apply (auto simp: "api_object_defs")
|
||||
done
|
||||
|
||||
|
@ -2747,7 +2747,7 @@ lemma ccorres_throwError_inl_rrel:
|
|||
apply (simp add: throwError_def return_def)
|
||||
apply assumption
|
||||
apply (simp add: throwError_def return_def
|
||||
unif_rrel_def split: split_if_asm)
|
||||
unif_rrel_def split: if_split_asm)
|
||||
done
|
||||
|
||||
lemmas ccorres_return_C_errorE_inl_rrel
|
||||
|
@ -2958,7 +2958,7 @@ proof -
|
|||
from foo have plus: "unat wbase + unat wlength < 2 ^ len_of TYPE('a)"
|
||||
apply -
|
||||
apply (rule order_le_less_trans[rotated], rule sz_less, simp)
|
||||
apply (simp add: unat_arith_simps split: split_if_asm)
|
||||
apply (simp add: unat_arith_simps split: if_split_asm)
|
||||
done
|
||||
|
||||
from foo show ?thesis
|
||||
|
@ -2967,7 +2967,7 @@ qed
|
|||
|
||||
lemma unat_2tp_if:
|
||||
"unat (2 ^ n :: ('a :: len) word) = (if n < len_of TYPE ('a) then 2 ^ n else 0)"
|
||||
by (split split_if, simp_all add: power_overflow)
|
||||
by (split if_split, simp_all add: power_overflow)
|
||||
|
||||
lemma ctes_of_ex_cte_cap_to':
|
||||
"ctes_of s p = Some cte \<Longrightarrow> \<forall>r \<in> cte_refs' (cteCap cte) (irq_node' s). ex_cte_cap_to' r s"
|
||||
|
@ -3298,7 +3298,7 @@ shows
|
|||
apply (simp add: all_ex_eq_helper)
|
||||
apply (vcg exspec=ensureEmptySlot_modifies)
|
||||
apply (clarsimp simp: upto_enum_word
|
||||
split: split_if_asm simp del: upt.simps)
|
||||
split: if_split_asm simp del: upt.simps)
|
||||
apply (simp add: cte_level_bits_def field_simps size_of_def
|
||||
numeral_eqs[symmetric])
|
||||
apply (simp add: cap_get_tag_isCap[symmetric]
|
||||
|
@ -3472,7 +3472,7 @@ shows
|
|||
apply (strengthen word_of_nat_less)
|
||||
apply (clarsimp simp: StrictC'_thread_state_defs mask_def true_def false_def
|
||||
from_bool_0 ccap_relation_isDeviceCap2
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
apply (intro conjI impI; clarsimp simp:not_less shiftr_overflow)
|
||||
apply simp
|
||||
apply simp
|
||||
|
@ -3506,7 +3506,7 @@ shows
|
|||
fromAPIType_def)
|
||||
apply (clarsimp simp: word_le_nat_alt unat_2tp_if
|
||||
valid_tcb_state'_def
|
||||
split: option.split_asm split_if_asm)
|
||||
split: option.split_asm if_split_asm)
|
||||
apply blast
|
||||
apply (case_tac "tcbState obja",
|
||||
(simp add: runnable'_def valid_tcb_state'_def)+)[1]
|
||||
|
@ -3540,7 +3540,7 @@ shows
|
|||
wbase="args ! 4" and wlength="args ! 5"], simp_all)[1]
|
||||
apply (simp add: valid_cap_simps' capAligned_def word_bits_def)
|
||||
apply (clarsimp simp: upto_enum_def word_le_nat_alt[symmetric]
|
||||
split: option.split_asm split_if_asm)
|
||||
split: option.split_asm if_split_asm)
|
||||
apply (drule spec, drule mp, erule conjI, rule order_refl)
|
||||
apply clarsimp
|
||||
apply (simp del: Collect_const)
|
||||
|
|
|
@ -92,7 +92,7 @@ lemma cmap_relation_drop_fun_upd:
|
|||
apply (simp add: cmap_relation_def)
|
||||
apply (rule conj_cong[OF refl])
|
||||
apply (rule ball_cong[OF refl])
|
||||
apply (auto split: split_if)
|
||||
apply (auto split: if_split)
|
||||
done
|
||||
|
||||
lemma valid_queuesD':
|
||||
|
@ -154,7 +154,7 @@ lemma tcbEPDequeue_spec:
|
|||
apply (intro allI)
|
||||
apply (rule conseqPre)
|
||||
apply vcg
|
||||
apply (clarsimp split del: split_if)
|
||||
apply (clarsimp split del: if_split)
|
||||
apply (frule (4) tcb_queue_valid_ptrsD [OF _ _ _ _ tcb_queue_relation'_queue_rel])
|
||||
apply (elim conjE exE)
|
||||
apply (frule (3) tcbEPDequeue_update)
|
||||
|
@ -215,7 +215,7 @@ lemma cancelSignal_ccorres_helper:
|
|||
FI)"
|
||||
apply (rule ccorres_from_vcg)
|
||||
apply (rule allI, rule conseqPre, vcg)
|
||||
apply (clarsimp split del: split_if simp del: comp_def)
|
||||
apply (clarsimp split del: if_split simp del: comp_def)
|
||||
apply (frule (2) ntfn_blocked_in_queueD)
|
||||
apply (frule (1) ko_at_valid_ntfn' [OF _ invs_valid_objs'])
|
||||
apply (elim conjE)
|
||||
|
@ -232,7 +232,7 @@ lemma cancelSignal_ccorres_helper:
|
|||
apply (intro conjI, assumption+)
|
||||
apply (drule (2) ntfn_to_ep_queue)
|
||||
apply (simp add: tcb_queue_relation'_def)
|
||||
apply (clarsimp simp: typ_heap_simps cong: imp_cong split del: split_if simp del: comp_def)
|
||||
apply (clarsimp simp: typ_heap_simps cong: imp_cong split del: if_split simp del: comp_def)
|
||||
apply (frule null_ep_queue [simplified Fun.comp_def])
|
||||
apply (intro impI conjI allI)
|
||||
-- "empty case"
|
||||
|
@ -301,7 +301,7 @@ lemma cancelSignal_ccorres_helper:
|
|||
-- "ntfn relation"
|
||||
apply (rule cpspace_relation_ntfn_update_ntfn, assumption+)
|
||||
apply (simp add: cnotification_relation_def Let_def isWaitingNtfn_def
|
||||
split: ntfn.splits split del: split_if)
|
||||
split: ntfn.splits split del: if_split)
|
||||
apply (erule iffD1 [OF tcb_queue_relation'_cong [OF refl _ _ refl], rotated -1])
|
||||
apply (clarsimp simp add: Ptr_ptr_val h_t_valid_clift_Some_iff)
|
||||
apply (simp add: tcb_queue_relation'_next_mask_4)
|
||||
|
@ -778,7 +778,7 @@ lemma state_relation_queue_update_helper':
|
|||
apply clarsimp
|
||||
apply (drule_tac x="tcb_ptr_to_ctcb_ptr x" in fun_cong)+
|
||||
apply (clarsimp simp: restrict_map_def
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
apply (simp_all add: carch_state_relation_def cmachine_state_relation_def
|
||||
h_t_valid_clift_Some_iff)
|
||||
done
|
||||
|
@ -1110,7 +1110,7 @@ proof -
|
|||
apply (drule spec, drule(1) mp, clarsimp)
|
||||
apply (clarsimp simp: typ_heap_simps ctcb_relation_def)
|
||||
apply ceqv
|
||||
apply (simp add: when_def unless_def del: Collect_const split del: split_if)
|
||||
apply (simp add: when_def unless_def del: Collect_const split del: if_split)
|
||||
apply (rule ccorres_cond[where R=\<top>])
|
||||
apply (simp add: to_bool_def)
|
||||
apply (rule ccorres_rhs_assoc)+
|
||||
|
@ -1232,7 +1232,7 @@ proof -
|
|||
(simp | rule globals.equality)+,
|
||||
simp_all add: typ_heap_simps if_Some_helper numPriorities_def
|
||||
cready_queues_index_to_C_def2 upd_unless_null_def
|
||||
cong: if_cong split del: split_if
|
||||
cong: if_cong split del: if_split
|
||||
del: fun_upd_restrict_conv)[1]
|
||||
apply simp
|
||||
apply (rule conjI)
|
||||
|
@ -1301,7 +1301,7 @@ lemma tcb_queue_relation_prev_next':
|
|||
\<and> (tp tcb \<noteq> tcb_Ptr 0 \<longrightarrow> tp tcb \<in> tcb_ptr_to_ctcb_ptr ` set queue
|
||||
\<and> mp (tp tcb) \<noteq> None \<and> tp tcb \<noteq> tcb_ptr_to_ctcb_ptr tcbp)
|
||||
\<and> (tn tcb \<noteq> tcb_Ptr 0 \<longrightarrow> tn tcb \<noteq> tp tcb)"
|
||||
apply (clarsimp simp: tcb_queue_relation'_def split: split_if_asm)
|
||||
apply (clarsimp simp: tcb_queue_relation'_def split: if_split_asm)
|
||||
apply (drule(1) tcb_queue_relation_prev_next, simp_all)
|
||||
apply (fastforce dest: tcb_at_not_NULL)
|
||||
apply clarsimp
|
||||
|
@ -1358,7 +1358,7 @@ lemma rf_sr_drop_bitmaps_dequeue_helper:
|
|||
|
||||
lemma filter_empty_unfiltered_contr:
|
||||
"\<lbrakk> [x\<leftarrow>xs . x \<noteq> y] = [] ; x' \<in> set xs ; x' \<noteq> y \<rbrakk> \<Longrightarrow> False"
|
||||
by (induct xs, auto split: split_if_asm)
|
||||
by (induct xs, auto split: if_split_asm)
|
||||
|
||||
(* FIXME same proofs as bit_set, maybe can generalise? *)
|
||||
lemma cbitmap_L1_relation_bit_clear:
|
||||
|
@ -1463,7 +1463,7 @@ proof -
|
|||
apply (clarsimp simp: typ_heap_simps ctcb_relation_def)
|
||||
apply ceqv
|
||||
apply (simp add: when_def
|
||||
del: Collect_const split del: split_if)
|
||||
del: Collect_const split del: if_split)
|
||||
apply (rule ccorres_cond[where R=\<top>])
|
||||
apply (simp add: to_bool_def)
|
||||
apply (rule ccorres_rhs_assoc)+
|
||||
|
@ -1592,7 +1592,7 @@ proof -
|
|||
simp_all add: clift_field_update if_Some_helper numPriorities_def
|
||||
cready_queues_index_to_C_def2 typ_heap_simps
|
||||
maxDom_to_H maxPrio_to_H
|
||||
cong: if_cong split del: split_if)[1]
|
||||
cong: if_cong split del: if_split)[1]
|
||||
apply (fold_subgoals (prefix))[2]
|
||||
subgoal premises prems using prems by (fastforce simp: tcb_null_sched_ptrs_def)+
|
||||
apply (erule_tac S="set (ksReadyQueues \<sigma> (tcbDomain ko, tcbPriority ko))"
|
||||
|
@ -1601,7 +1601,7 @@ proof -
|
|||
simp_all add: clift_field_update if_Some_helper numPriorities_def
|
||||
cready_queues_index_to_C_def2
|
||||
maxDom_to_H maxPrio_to_H
|
||||
cong: if_cong split del: split_if,
|
||||
cong: if_cong split del: if_split,
|
||||
simp_all add: typ_heap_simps')[1]
|
||||
subgoal by (fastforce simp: tcb_null_sched_ptrs_def)
|
||||
subgoal by fastforce
|
||||
|
@ -1621,7 +1621,7 @@ proof -
|
|||
simp_all add: clift_field_update if_Some_helper numPriorities_def
|
||||
cready_queues_index_to_C_def2
|
||||
maxDom_to_H maxPrio_to_H
|
||||
cong: if_cong split del: split_if)[1]
|
||||
cong: if_cong split del: if_split)[1]
|
||||
apply (fold_subgoals (prefix))[4]
|
||||
subgoal premises prems using prems
|
||||
by (fastforce simp: typ_heap_simps tcb_null_sched_ptrs_def)+
|
||||
|
@ -1691,7 +1691,7 @@ proof -
|
|||
simp_all add: clift_field_update if_Some_helper numPriorities_def
|
||||
cready_queues_index_to_C_def2
|
||||
maxDom_to_H maxPrio_to_H
|
||||
cong: if_cong split del: split_if)[1]
|
||||
cong: if_cong split del: if_split)[1]
|
||||
apply (fastforce simp: typ_heap_simps tcb_null_sched_ptrs_def)+
|
||||
apply (erule_tac S="set (ksReadyQueues \<sigma> (tcbDomain ko, tcbPriority ko))"
|
||||
in state_relation_queue_update_helper',
|
||||
|
@ -1699,7 +1699,7 @@ proof -
|
|||
simp_all add: clift_field_update if_Some_helper numPriorities_def
|
||||
cready_queues_index_to_C_def2
|
||||
maxDom_to_H maxPrio_to_H
|
||||
cong: if_cong split del: split_if)[1]
|
||||
cong: if_cong split del: if_split)[1]
|
||||
apply (fold_subgoals (prefix))[4]
|
||||
subgoal premises prems using prems
|
||||
by (fastforce simp: typ_heap_simps tcb_null_sched_ptrs_def)+
|
||||
|
@ -1720,7 +1720,7 @@ proof -
|
|||
simp_all add: clift_field_update if_Some_helper numPriorities_def
|
||||
cready_queues_index_to_C_def2 typ_heap_simps
|
||||
maxDom_to_H maxPrio_to_H
|
||||
cong: if_cong split del: split_if)[1]
|
||||
cong: if_cong split del: if_split)[1]
|
||||
apply (fold_subgoals (prefix))[2]
|
||||
subgoal premises prems using prems
|
||||
by (fastforce simp: typ_heap_simps tcb_null_sched_ptrs_def)+
|
||||
|
@ -1828,7 +1828,7 @@ proof -
|
|||
apply (drule spec, drule(1) mp, clarsimp)
|
||||
apply (clarsimp simp: typ_heap_simps ctcb_relation_def)
|
||||
apply ceqv
|
||||
apply (simp add: when_def unless_def del: Collect_const split del: split_if)
|
||||
apply (simp add: when_def unless_def del: Collect_const split del: if_split)
|
||||
apply (rule ccorres_cond[where R=\<top>])
|
||||
apply (simp add: to_bool_def)
|
||||
apply (rule ccorres_rhs_assoc)+
|
||||
|
@ -1934,7 +1934,7 @@ proof -
|
|||
(simp | rule globals.equality)+,
|
||||
simp_all add: typ_heap_simps if_Some_helper numPriorities_def
|
||||
cready_queues_index_to_C_def2 upd_unless_null_def
|
||||
cong: if_cong split del: split_if
|
||||
cong: if_cong split del: if_split
|
||||
del: fun_upd_restrict_conv)[1]
|
||||
apply simp
|
||||
apply (rule conjI)
|
||||
|
@ -2022,7 +2022,7 @@ lemma rescheduleRequired_ccorres:
|
|||
apply (rule ccorres_symb_exec_l)
|
||||
apply (rule ccorres_split_nothrow_novcg[where r'=dc and xf'=xfdc])
|
||||
apply (simp add: scheduler_action_case_switch_to_if
|
||||
cong: if_weak_cong split del: split_if)
|
||||
cong: if_weak_cong split del: if_split)
|
||||
apply (rule_tac R="\<lambda>s. action = ksSchedulerAction s \<and> weak_sch_act_wf action s"
|
||||
in ccorres_cond)
|
||||
apply (clarsimp simp: rf_sr_def cstate_relation_def Let_def
|
||||
|
@ -2124,7 +2124,7 @@ lemma possibleSwitchTo_ccorres:
|
|||
split: scheduler_action.split_asm dest!: pred_tcb_at' )
|
||||
apply (ctac add: rescheduleRequired_ccorres)
|
||||
apply (rule ccorres_return_Skip)
|
||||
apply (simp split del: split_if)
|
||||
apply (simp split del: if_split)
|
||||
apply wp
|
||||
apply (simp add: weak_sch_act_wf_def)
|
||||
apply (wp weak_sch_act_wf_lift_linear)
|
||||
|
@ -2182,7 +2182,7 @@ lemma scheduleTCB_ccorres':
|
|||
\<and> (\<forall>t. ksSchedulerAction s = SwitchToThread t \<longrightarrow> tcb_at' t s)"
|
||||
and P'=UNIV in ccorres_from_vcg)
|
||||
apply (rule allI, rule conseqPre, vcg)
|
||||
apply (clarsimp simp: return_def if_1_0_0 split del: split_if)
|
||||
apply (clarsimp simp: return_def if_1_0_0 split del: if_split)
|
||||
apply (clarsimp simp: from_bool_0 rf_sr_ksCurThread)
|
||||
apply (rule conjI)
|
||||
apply (clarsimp simp: st_tcb_at'_def)
|
||||
|
@ -2239,7 +2239,7 @@ lemma scheduleTCB_ccorres_valid_queues'_pre:
|
|||
\<and> weak_sch_act_wf (ksSchedulerAction s) s"
|
||||
and P'=UNIV in ccorres_from_vcg)
|
||||
apply (rule allI, rule conseqPre, vcg)
|
||||
apply (clarsimp simp: return_def if_1_0_0 split del: split_if)
|
||||
apply (clarsimp simp: return_def if_1_0_0 split del: if_split)
|
||||
apply (clarsimp simp: from_bool_0 rf_sr_ksCurThread)
|
||||
apply (rule conjI)
|
||||
apply (clarsimp simp: st_tcb_at'_def)
|
||||
|
@ -2274,7 +2274,7 @@ lemma rescheduleRequired_ccorres_valid_queues'_simple:
|
|||
apply (rule ccorres_symb_exec_l)
|
||||
apply (rule ccorres_split_nothrow_novcg[where r'=dc and xf'=xfdc])
|
||||
apply (simp add: scheduler_action_case_switch_to_if
|
||||
cong: if_weak_cong split del: split_if)
|
||||
cong: if_weak_cong split del: if_split)
|
||||
apply (rule_tac R="\<lambda>s. action = ksSchedulerAction s \<and> sch_act_simple s"
|
||||
in ccorres_cond)
|
||||
apply (clarsimp simp: rf_sr_def cstate_relation_def Let_def
|
||||
|
@ -2333,7 +2333,7 @@ lemma scheduleTCB_ccorres_valid_queues'_pre_simple:
|
|||
\<and> sch_act_simple s"
|
||||
and P'=UNIV in ccorres_from_vcg)
|
||||
apply (rule allI, rule conseqPre, vcg)
|
||||
apply (clarsimp simp: return_def if_1_0_0 split del: split_if)
|
||||
apply (clarsimp simp: return_def if_1_0_0 split del: if_split)
|
||||
apply (clarsimp simp: from_bool_0 rf_sr_ksCurThread)
|
||||
apply (rule conjI)
|
||||
apply (clarsimp simp: st_tcb_at'_def)
|
||||
|
@ -2437,7 +2437,7 @@ lemma cancelSignal_ccorres [corres]:
|
|||
apply (rule ccorres_rhs_assoc2)
|
||||
apply (ctac (no_vcg) add: cancelSignal_ccorres_helper)
|
||||
apply (ctac add: setThreadState_ccorres_valid_queues')
|
||||
apply ((wp setNotification_sch_act_not setNotification_ksQ hoare_vcg_all_lift set_ntfn_valid_objs' | simp add: valid_tcb_state'_def split del: split_if)+)[1]
|
||||
apply ((wp setNotification_sch_act_not setNotification_ksQ hoare_vcg_all_lift set_ntfn_valid_objs' | simp add: valid_tcb_state'_def split del: if_split)+)[1]
|
||||
apply (simp add: "StrictC'_thread_state_defs")
|
||||
apply (rule conjI, clarsimp, rule conjI, clarsimp)
|
||||
apply (frule (1) ko_at_valid_ntfn'[OF _ invs_valid_objs'])
|
||||
|
@ -2589,7 +2589,7 @@ proof -
|
|||
\<Longrightarrow> mp' p = mp p"
|
||||
using epq
|
||||
apply (cut_tac x=p in fun_cong[OF mpeq])
|
||||
apply (cases ep', auto simp: restrict_map_def split: split_if_asm)
|
||||
apply (cases ep', auto simp: restrict_map_def split: if_split_asm)
|
||||
done
|
||||
|
||||
have rl': "\<And>p list. \<lbrakk> p \<in> tcb_ptr_to_ctcb_ptr ` set list;
|
||||
|
@ -2730,7 +2730,7 @@ lemma cancelIPC_ccorres_helper:
|
|||
apply (rule allI)
|
||||
apply (rule conseqPre)
|
||||
apply vcg
|
||||
apply (clarsimp split del: split_if simp del: comp_def)
|
||||
apply (clarsimp split del: if_split simp del: comp_def)
|
||||
apply (frule (2) ep_blocked_in_queueD)
|
||||
apply (frule (1) ko_at_valid_ep' [OF _ invs_valid_objs'])
|
||||
apply (elim conjE)
|
||||
|
@ -2748,7 +2748,7 @@ lemma cancelIPC_ccorres_helper:
|
|||
apply assumption+
|
||||
apply (drule (2) ep_to_ep_queue)
|
||||
apply (simp add: tcb_queue_relation'_def)
|
||||
apply (clarsimp simp: typ_heap_simps cong: imp_cong split del: split_if simp del: comp_def)
|
||||
apply (clarsimp simp: typ_heap_simps cong: imp_cong split del: if_split simp del: comp_def)
|
||||
apply (frule null_ep_queue [simplified comp_def] null_ep_queue)
|
||||
apply (intro impI conjI allI)
|
||||
-- "empty case"
|
||||
|
@ -2806,7 +2806,7 @@ lemma cancelIPC_ccorres_helper:
|
|||
subgoal by (clarsimp simp: comp_def)
|
||||
-- "ep relation"
|
||||
apply (rule cpspace_relation_ep_update_ep, assumption+)
|
||||
apply (simp add: cendpoint_relation_def Let_def isSendEP_def isRecvEP_def split: endpoint.splits split del: split_if)
|
||||
apply (simp add: cendpoint_relation_def Let_def isSendEP_def isRecvEP_def split: endpoint.splits split del: if_split)
|
||||
-- "recv case"
|
||||
apply (clarsimp simp add: Ptr_ptr_val h_t_valid_clift_Some_iff
|
||||
tcb_queue_relation'_next_mask_4 tcb_queue_relation'_prev_mask_4 cong: tcb_queue_relation'_cong)
|
||||
|
@ -2998,7 +2998,7 @@ lemma cancelIPC_ccorres1:
|
|||
apply (rule ccorres_rhs_assoc2)
|
||||
apply (ctac (no_vcg) add: cancelIPC_ccorres_helper)
|
||||
apply (ctac add: setThreadState_ccorres_valid_queues')
|
||||
apply (wp hoare_vcg_all_lift set_ep_valid_objs' | simp add: valid_tcb_state'_def split del: split_if)+
|
||||
apply (wp hoare_vcg_all_lift set_ep_valid_objs' | simp add: valid_tcb_state'_def split del: if_split)+
|
||||
apply (simp add: "StrictC'_thread_state_defs")
|
||||
apply vcg
|
||||
apply (rule conseqPre, vcg)
|
||||
|
@ -3099,7 +3099,7 @@ lemma cancelIPC_ccorres1:
|
|||
apply (rule ccorres_rhs_assoc2)
|
||||
apply (ctac (no_vcg) add: cancelIPC_ccorres_helper)
|
||||
apply (ctac add: setThreadState_ccorres_valid_queues')
|
||||
apply (wp hoare_vcg_all_lift set_ep_valid_objs' | simp add: valid_tcb_state'_def split del:split_if)+
|
||||
apply (wp hoare_vcg_all_lift set_ep_valid_objs' | simp add: valid_tcb_state'_def split del:if_split)+
|
||||
apply (simp add: "StrictC'_thread_state_defs")
|
||||
apply clarsimp
|
||||
apply (rule conseqPre, vcg, rule subset_refl)
|
||||
|
|
|
@ -245,7 +245,7 @@ lemma partial_overwrite_fun_upd:
|
|||
partial_overwrite idx (tsrs (x := y))
|
||||
= (\<lambda>ps. (partial_overwrite idx tsrs ps) (idx x := put_tcb_state_regs y (ps (idx x))))"
|
||||
apply (intro ext, simp add: partial_overwrite_def)
|
||||
apply (clarsimp split: split_if)
|
||||
apply (clarsimp split: if_split)
|
||||
done
|
||||
|
||||
lemma get_tcb_state_regs_ko_at':
|
||||
|
@ -266,7 +266,7 @@ lemma partial_overwrite_get_tcb_state_regs:
|
|||
partial_overwrite idx (\<lambda>x. get_tcb_state_regs (ksPSpace s (idx x)))
|
||||
(ksPSpace s) = ksPSpace s"
|
||||
apply (rule ext, simp add: partial_overwrite_def
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
apply clarsimp
|
||||
apply (drule_tac x=xa in spec)
|
||||
apply (clarsimp simp: obj_at'_def projectKOs put_tcb_state_regs_def
|
||||
|
@ -341,7 +341,7 @@ lemma dom_partial_overwrite:
|
|||
= dom (ksPSpace s)"
|
||||
apply (rule set_eqI)
|
||||
apply (clarsimp simp: dom_def partial_overwrite_def put_tcb_state_regs_def
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
apply (fastforce elim!: obj_atE')
|
||||
done
|
||||
|
||||
|
@ -361,7 +361,7 @@ lemma map_to_ctes_partial_overwrite:
|
|||
apply (simp add: put_tcb_state_regs_def put_tcb_state_regs_tcb_def
|
||||
objBits_simps
|
||||
cong: if_cong option.case_cong)
|
||||
apply (case_tac obj, simp split: tcb_state_regs.split split_if)
|
||||
apply (case_tac obj, simp split: tcb_state_regs.split if_split)
|
||||
apply simp
|
||||
apply (rule if_cong[OF refl])
|
||||
apply simp
|
||||
|
@ -373,10 +373,10 @@ lemma map_to_ctes_partial_overwrite:
|
|||
apply (simp add: put_tcb_state_regs_def put_tcb_state_regs_tcb_def
|
||||
objBits_simps
|
||||
cong: if_cong option.case_cong)
|
||||
apply (case_tac obj, simp split: tcb_state_regs.split split_if)
|
||||
apply (case_tac obj, simp split: tcb_state_regs.split if_split)
|
||||
apply (intro impI allI)
|
||||
apply (subgoal_tac "x - idx xa = x && mask 9")
|
||||
apply (clarsimp simp: tcb_cte_cases_def split: split_if)
|
||||
apply (clarsimp simp: tcb_cte_cases_def split: if_split)
|
||||
apply (drule_tac t = "idx xa" in sym)
|
||||
apply simp
|
||||
apply (simp cong: if_cong)
|
||||
|
@ -449,7 +449,7 @@ lemma getObject_get_assert:
|
|||
alignCheck_assert)
|
||||
apply (case_tac "ksPSpace x p")
|
||||
apply (simp add: obj_at'_def assert_opt_def assert_def
|
||||
split: option.split split_if)
|
||||
split: option.split if_split)
|
||||
apply (simp add: lookupAround2_known1 assert_opt_def
|
||||
obj_at'_def projectKO_def2
|
||||
split: option.split)
|
||||
|
@ -473,7 +473,7 @@ lemma obj_at_partial_overwrite_If:
|
|||
else obj_at' P p s)"
|
||||
apply (frule dom_partial_overwrite[where tsrs=f])
|
||||
apply (simp add: obj_at'_def ps_clear_def partial_overwrite_def
|
||||
projectKOs split: split_if)
|
||||
projectKOs split: if_split)
|
||||
apply clarsimp
|
||||
apply (drule_tac x=x in spec)
|
||||
apply (clarsimp simp: put_tcb_state_regs_def objBits_simps)
|
||||
|
@ -494,7 +494,7 @@ lemma obj_at_partial_overwrite_id2:
|
|||
= obj_at' P p s"
|
||||
apply (frule dom_partial_overwrite[where tsrs=f])
|
||||
apply (simp add: obj_at'_def ps_clear_def partial_overwrite_def
|
||||
projectKOs split: split_if)
|
||||
projectKOs split: if_split)
|
||||
apply clarsimp
|
||||
apply (drule_tac x=x in spec)
|
||||
apply (clarsimp simp: put_tcb_state_regs_def objBits_simps
|
||||
|
@ -1012,7 +1012,7 @@ lemma oblivious_getObject_ksPSpace_cte[simp]:
|
|||
typeError_def unless_when
|
||||
cong: Structures_H.kernel_object.case_cong)
|
||||
apply (intro oblivious_bind,
|
||||
simp_all split: Structures_H.kernel_object.split split_if)
|
||||
simp_all split: Structures_H.kernel_object.split if_split)
|
||||
by (safe intro!: oblivious_bind, simp_all)
|
||||
|
||||
lemma oblivious_doMachineOp[simp]:
|
||||
|
@ -1167,7 +1167,7 @@ lemma setThreadState_no_sch_change:
|
|||
apply (simp add: setThreadState_def setSchedulerAction_def)
|
||||
apply (wp hoare_pre_cont[where a=rescheduleRequired])
|
||||
apply (rule_tac Q="\<lambda>_. ?P and st_tcb_at' (op = st) t" in hoare_post_imp)
|
||||
apply (clarsimp split: split_if)
|
||||
apply (clarsimp split: if_split)
|
||||
apply (clarsimp simp: obj_at'_def st_tcb_at'_def projectKOs)
|
||||
apply (rule hoare_pre, wp threadSet_pred_tcb_at_state)
|
||||
apply simp
|
||||
|
@ -1205,7 +1205,7 @@ lemma setObject_modify_assert:
|
|||
apply (simp only: objBits_def objBitsT_koTypeOf[symmetric] koTypeOf_injectKO)
|
||||
apply (simp add: magnitudeCheck_assert2 simpler_modify_def)
|
||||
apply (clarsimp simp: assert_opt_def assert_def magnitudeCheck_assert2
|
||||
split: option.split split_if)
|
||||
split: option.split if_split)
|
||||
apply (clarsimp simp: obj_at'_def projectKOs)
|
||||
apply (clarsimp simp: project_inject)
|
||||
apply (simp only: objBits_def objBitsT_koTypeOf[symmetric]
|
||||
|
@ -1235,7 +1235,7 @@ lemma setEndpoint_isolatable:
|
|||
apply (clarsimp simp: o_def partial_overwrite_def)
|
||||
apply (rule kernel_state.fold_congs[OF refl refl])
|
||||
apply (clarsimp simp: fun_eq_iff
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
apply (wp | simp)+
|
||||
done
|
||||
|
||||
|
@ -1257,7 +1257,7 @@ lemma setCTE_assert_modify:
|
|||
assert_opt_def alignCheck_assert objBits_simps
|
||||
magnitudeCheck_assert2 updateObject_cte)
|
||||
apply (simp add: simpler_modify_def)
|
||||
apply (simp split: split_if, intro conjI impI)
|
||||
apply (simp split: if_split, intro conjI impI)
|
||||
apply (clarsimp simp: obj_at'_def projectKOs)
|
||||
apply (subgoal_tac "p \<le> (p && ~~ mask 9) + 2 ^ 9 - 1")
|
||||
apply (subgoal_tac "fst (lookupAround2 p (ksPSpace x))
|
||||
|
@ -1303,7 +1303,7 @@ lemma partial_overwrite_fun_upd2:
|
|||
= (partial_overwrite idx tsrs f)
|
||||
(x := if x \<in> range idx then put_tcb_state_regs (tsrs (inv idx x)) y
|
||||
else y)"
|
||||
by (simp add: fun_eq_iff partial_overwrite_def split: split_if)
|
||||
by (simp add: fun_eq_iff partial_overwrite_def split: if_split)
|
||||
|
||||
lemma setCTE_isolatable:
|
||||
"thread_actions_isolatable idx (setCTE p v)"
|
||||
|
@ -1321,22 +1321,22 @@ lemma setCTE_isolatable:
|
|||
apply clarsimp
|
||||
apply (frule_tac x=x in spec, erule obj_atE')
|
||||
apply (subgoal_tac "\<not> real_cte_at' p s")
|
||||
apply (clarsimp simp: select_f_returns select_f_asserts split: split_if)
|
||||
apply (clarsimp simp: select_f_returns select_f_asserts split: if_split)
|
||||
apply (clarsimp simp: o_def simpler_modify_def partial_overwrite_fun_upd2)
|
||||
apply (rule kernel_state.fold_congs[OF refl refl])
|
||||
apply (rule ext)
|
||||
apply (clarsimp simp: partial_overwrite_get_tcb_state_regs
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
apply (clarsimp simp: projectKOs get_tcb_state_regs_def
|
||||
put_tcb_state_regs_def put_tcb_state_regs_tcb_def
|
||||
partial_overwrite_def
|
||||
split: tcb_state_regs.split)
|
||||
apply (case_tac obj, simp add: projectKO_opt_tcb)
|
||||
apply (simp add: tcb_cte_cases_def split: split_if_asm)
|
||||
apply (simp add: tcb_cte_cases_def split: if_split_asm)
|
||||
apply (drule_tac x=x in spec)
|
||||
apply (clarsimp simp: obj_at'_def projectKOs objBits_simps subtract_mask(2) [symmetric])
|
||||
apply (erule notE[rotated], erule (3) tcb_ctes_clear[rotated])
|
||||
apply (simp add: select_f_returns select_f_asserts split: split_if)
|
||||
apply (simp add: select_f_returns select_f_asserts split: if_split)
|
||||
apply (intro conjI impI)
|
||||
apply (clarsimp simp: simpler_modify_def fun_eq_iff
|
||||
partial_overwrite_fun_upd2 o_def
|
||||
|
@ -1349,7 +1349,7 @@ lemma setCTE_isolatable:
|
|||
partial_overwrite_fun_upd2 o_def
|
||||
partial_overwrite_get_tcb_state_regs
|
||||
intro!: kernel_state.fold_congs[OF refl refl]
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
apply (simp add: partial_overwrite_def)
|
||||
apply (subgoal_tac "p \<notin> range idx")
|
||||
apply (clarsimp simp: simpler_modify_def
|
||||
|
@ -1463,7 +1463,7 @@ lemma threadGet_isolatable:
|
|||
apply (clarsimp simp: projectKOs
|
||||
partial_overwrite_def put_tcb_state_regs_def
|
||||
cong: if_cong)
|
||||
apply (simp add: projectKO_opt_tcb v split: split_if)
|
||||
apply (simp add: projectKO_opt_tcb v split: if_split)
|
||||
done
|
||||
|
||||
lemma switchToThread_isolatable:
|
||||
|
@ -1543,7 +1543,7 @@ lemma tcb_at_KOTCB_upd:
|
|||
tcb_at' p (ksPSpace_update (\<lambda>ps. ps(idx x \<mapsto> KOTCB tcb)) s)
|
||||
= tcb_at' p s"
|
||||
apply (clarsimp simp: obj_at'_def projectKOs objBits_simps
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
apply (simp add: ps_clear_def)
|
||||
done
|
||||
|
||||
|
@ -1612,7 +1612,7 @@ lemma copy_register_isolate:
|
|||
apply (simp add: projectKO_opt_tcb put_tcb_state_regs_def
|
||||
put_tcb_state_regs_tcb_def get_tcb_state_regs_def
|
||||
cong: if_cong)
|
||||
apply (auto simp: fun_eq_iff split: split_if)
|
||||
apply (auto simp: fun_eq_iff split: if_split)
|
||||
done
|
||||
|
||||
lemmas monadic_rewrite_bind_alt
|
||||
|
@ -1693,7 +1693,7 @@ lemma setSchedulerAction_isolate:
|
|||
lemma updateMDB_isolatable:
|
||||
"thread_actions_isolatable idx (updateMDB slot f)"
|
||||
apply (simp add: updateMDB_def thread_actions_isolatable_return
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
apply (intro impI thread_actions_isolatable_bind[OF _ _ hoare_pre(1)]
|
||||
getCTE_isolatable setCTE_isolatable,
|
||||
(wp | simp)+)
|
||||
|
|
|
@ -358,7 +358,7 @@ lemma add_right_shift:
|
|||
"\<lbrakk>x && mask n = 0; y && mask n = 0; x \<le> x + y \<rbrakk>
|
||||
\<Longrightarrow> (x + y :: ('a :: len) word) >> n = (x >> n) + (y >> n)"
|
||||
apply (simp add: no_olen_add_nat is_aligned_mask[symmetric])
|
||||
apply (simp add: unat_arith_simps shiftr_div_2n' split del: split_if)
|
||||
apply (simp add: unat_arith_simps shiftr_div_2n' split del: if_split)
|
||||
apply (subst if_P)
|
||||
apply (erule order_le_less_trans[rotated])
|
||||
apply (simp add: add_mono)
|
||||
|
@ -561,7 +561,7 @@ lemma cleanCacheRange_PoU_ccorres:
|
|||
|
||||
lemma dmo_if:
|
||||
"(doMachineOp (if a then b else c)) = (if a then (doMachineOp b) else (doMachineOp c))"
|
||||
by (simp split: split_if)
|
||||
by (simp split: if_split)
|
||||
|
||||
lemma invalidateCacheRange_RAM_ccorres:
|
||||
"ccorres dc xfdc ((\<lambda>s. unat (w2 - w1) \<le> gsMaxObjectSize s)
|
||||
|
@ -572,13 +572,13 @@ lemma invalidateCacheRange_RAM_ccorres:
|
|||
(Call invalidateCacheRange_RAM_'proc)"
|
||||
apply (rule ccorres_gen_asm)
|
||||
apply (cinit' lift: start_' end_' pstart_')
|
||||
apply (clarsimp simp: word_sle_def whileAnno_def split del: split_if)
|
||||
apply (clarsimp simp: word_sle_def whileAnno_def split del: if_split)
|
||||
apply (ccorres_remove_UNIV_guard)
|
||||
apply (simp add: invalidateCacheRange_RAM_def doMachineOp_bind when_def
|
||||
split_if_empty_fail empty_fail_cleanCacheRange_RAM
|
||||
empty_fail_invalidateL2Range empty_fail_cacheRangeOp empty_fail_invalidateByVA
|
||||
empty_fail_dsb dmo_if
|
||||
split del: split_if)
|
||||
split del: if_split)
|
||||
apply (rule ccorres_split_nothrow_novcg)
|
||||
apply (rule ccorres_cond[where R=\<top>])
|
||||
apply (clarsimp simp: lineStart_def cacheLineBits_def)
|
||||
|
@ -621,7 +621,7 @@ lemma invalidateCacheRange_RAM_ccorres:
|
|||
apply wp
|
||||
apply (simp add: guard_is_UNIV_def)
|
||||
apply (auto dest: ghost_assertion_size_logic simp: o_def)[1]
|
||||
apply (wp | clarsimp split: split_if)+
|
||||
apply (wp | clarsimp split: if_split)+
|
||||
apply (clarsimp simp: lineStart_def cacheLineBits_def guard_is_UNIV_def)
|
||||
apply (clarsimp simp: lineStart_mask)
|
||||
apply (subst mask_eqs(7)[symmetric])
|
||||
|
|
|
@ -531,7 +531,7 @@ lemma invalidateTLBByASID_ccorres:
|
|||
apply csymbr
|
||||
apply (simp add: case_option_If2 del: Collect_const)
|
||||
apply (rule ccorres_if_cond_throws2[where Q=\<top> and Q'=\<top>])
|
||||
apply (clarsimp simp: pde_stored_asid_def to_bool_def split: split_if)
|
||||
apply (clarsimp simp: pde_stored_asid_def to_bool_def split: if_split)
|
||||
apply (rule ccorres_return_void_C[unfolded dc_def])
|
||||
apply (simp add: dc_def[symmetric])
|
||||
apply csymbr
|
||||
|
@ -744,14 +744,14 @@ lemma ccap_relation_VPIsDevice:
|
|||
by (clarsimp elim!:ccap_relationE
|
||||
simp : isPageCap_def generic_frame_cap_get_capFIsDevice_CL_def cap_to_H_def
|
||||
Let_def to_bool_def
|
||||
split: arch_capability.split_asm cap_CL.split_asm split_if_asm)
|
||||
split: arch_capability.split_asm cap_CL.split_asm if_split_asm)
|
||||
|
||||
lemma ccap_relation_get_capZombiePtr_CL:
|
||||
"\<lbrakk> ccap_relation cap cap'; isZombie cap; capAligned cap \<rbrakk>
|
||||
\<Longrightarrow> get_capZombiePtr_CL (cap_zombie_cap_lift cap') = capZombiePtr cap"
|
||||
apply (simp only: cap_get_tag_isCap[symmetric])
|
||||
apply (drule(1) cap_get_tag_to_H)
|
||||
apply (clarsimp simp: get_capZombiePtr_CL_def get_capZombieBits_CL_def Let_def split: split_if)
|
||||
apply (clarsimp simp: get_capZombiePtr_CL_def get_capZombieBits_CL_def Let_def split: if_split)
|
||||
apply (subst less_mask_eq)
|
||||
apply (clarsimp simp add: capAligned_def objBits_simps word_bits_conv)
|
||||
apply unat_arith
|
||||
|
@ -776,7 +776,7 @@ lemma snd_lookupAround2_update:
|
|||
apply (clarsimp simp: lookupAround2_def lookupAround_def Let_def
|
||||
dom_fun_upd2
|
||||
simp del: dom_fun_upd cong: if_cong option.case_cong)
|
||||
apply (clarsimp split: option.split split_if cong: if_cong)
|
||||
apply (clarsimp split: option.split if_split cong: if_cong)
|
||||
apply auto
|
||||
done
|
||||
|
||||
|
@ -826,7 +826,7 @@ lemma cpspace_relation_ep_update_ep2:
|
|||
apply (rule_tac P="\<lambda>a. cmap_relation a b c d" for b c d in rsubst,
|
||||
erule cmap_relation_upd_relI, assumption+)
|
||||
apply simp+
|
||||
apply (rule ext, simp add: map_comp_def projectKO_opt_ep split: split_if)
|
||||
apply (rule ext, simp add: map_comp_def projectKO_opt_ep split: if_split)
|
||||
done
|
||||
|
||||
end
|
||||
|
@ -913,7 +913,7 @@ lemma tcbSchedEnqueue_ep_at:
|
|||
\<lbrace>\<lambda>rv. obj_at' P ep\<rbrace>"
|
||||
apply (simp add: tcbSchedEnqueue_def unless_def null_def)
|
||||
apply (wp threadGet_wp, clarsimp, wp)
|
||||
apply (clarsimp split: split_if, wp)
|
||||
apply (clarsimp split: if_split, wp)
|
||||
done
|
||||
|
||||
lemma ctcb_relation_unat_tcbPriority_C:
|
||||
|
@ -1044,7 +1044,7 @@ lemma cancelBadgedSends_ccorres:
|
|||
apply (subgoal_tac "tcb_at' (last (a # list)) \<sigma> \<and> tcb_at' a \<sigma>")
|
||||
apply (clarsimp simp: is_aligned_neg_mask [OF is_aligned_tcb_ptr_to_ctcb_ptr[where P=\<top>]])
|
||||
subgoal by (simp add: tcb_queue_relation'_def EPState_Send_def mask_def)
|
||||
subgoal by (auto split: split_if)
|
||||
subgoal by (auto split: if_split)
|
||||
subgoal by simp
|
||||
apply (ctac add: rescheduleRequired_ccorres[unfolded dc_def])
|
||||
apply (rule hoare_pre, wp weak_sch_act_wf_lift_linear set_ep_valid_objs')
|
||||
|
@ -1160,7 +1160,7 @@ lemma cancelBadgedSends_ccorres:
|
|||
apply (thin_tac "\<forall>x. P x" for P)
|
||||
apply (clarsimp simp: pred_tcb_at' ball_Un)
|
||||
apply (rule conjI)
|
||||
apply (clarsimp split: split_if)
|
||||
apply (clarsimp split: if_split)
|
||||
subgoal by (fastforce simp: valid_tcb_state'_def valid_objs'_maxDomain
|
||||
valid_objs'_maxPriority dest: pred_tcb_at')
|
||||
apply (clarsimp simp: tcb_at_not_NULL [OF pred_tcb_at'])
|
||||
|
@ -1208,7 +1208,7 @@ lemma cancelBadgedSends_ccorres:
|
|||
apply (clarsimp simp: typ_heap_simps)
|
||||
apply (clarsimp simp: cendpoint_relation_def Let_def)
|
||||
subgoal by (clarsimp simp: tcb_queue_relation'_def neq_Nil_conv
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
apply clarsimp
|
||||
apply (frule ko_at_valid_objs', clarsimp)
|
||||
apply (simp add: projectKOs)
|
||||
|
@ -1218,7 +1218,7 @@ lemma cancelBadgedSends_ccorres:
|
|||
apply (rule conjI)
|
||||
subgoal by (auto simp: isBlockedOnSend_def elim!: pred_tcb'_weakenE)
|
||||
apply (rule conjI)
|
||||
apply (clarsimp split: split_if)
|
||||
apply (clarsimp split: if_split)
|
||||
apply (drule sym_refsD, clarsimp)
|
||||
apply (drule(1) bspec)+
|
||||
by (auto simp: obj_at'_def projectKOs state_refs_of'_def pred_tcb_at'_def tcb_bound_refs'_def
|
||||
|
|
|
@ -1121,7 +1121,7 @@ lemma kernel_all_subset_kernel:
|
|||
apply (simp add: callKernel_C_def callKernel_withFastpath_C_def
|
||||
kernel_global.callKernel_C_def
|
||||
kernel_global.callKernel_withFastpath_C_def
|
||||
split: event.split split_if)
|
||||
split: event.split if_split)
|
||||
apply (intro allI impI conjI monadic_rewrite_\<Gamma>)[1]
|
||||
apply ((wp | simp)+)[3]
|
||||
apply (clarsimp simp: snd_bind snd_modify in_monad gets_def)
|
||||
|
|
|
@ -323,7 +323,7 @@ lemma memset_spec:
|
|||
(t_hrs_' (globals s))\<rparr>}"
|
||||
and V1=undefined in subst [OF whileAnno_def])
|
||||
apply vcg
|
||||
apply (clarsimp simp add: hrs_mem_update_def split: split_if_asm)
|
||||
apply (clarsimp simp add: hrs_mem_update_def split: if_split_asm)
|
||||
apply (subst (asm) word_mod_2p_is_mask [where n=2, simplified], simp)
|
||||
apply (subst (asm) word_mod_2p_is_mask [where n=2, simplified], simp)
|
||||
apply (rule conjI)
|
||||
|
@ -376,7 +376,7 @@ declare snd_gets[simp]
|
|||
|
||||
lemma snd_when_aligneError[simp]:
|
||||
shows "(snd ((when P (alignError sz)) s)) = P"
|
||||
by (simp add: when_def alignError_def fail_def split: split_if)
|
||||
by (simp add: when_def alignError_def fail_def split: if_split)
|
||||
|
||||
lemma snd_unless_aligneError[simp]:
|
||||
shows "(snd ((unless P (alignError sz)) s)) = (\<not> P)"
|
||||
|
@ -471,7 +471,7 @@ proof (rule classical)
|
|||
apply -
|
||||
apply (rule_tac x = "(typ_uinfo_t TYPE('b), b)" in image_eqI)
|
||||
apply simp
|
||||
apply (fastforce simp add: ptr_retyp_footprint list_map_eq in_set_conv_nth split: split_if_asm)
|
||||
apply (fastforce simp add: ptr_retyp_footprint list_map_eq in_set_conv_nth split: if_split_asm)
|
||||
done
|
||||
|
||||
with typ_slice_set have "(typ_uinfo_t TYPE('b)) \<in> fst ` td_set (typ_uinfo_t TYPE('a)) 0"
|
||||
|
@ -557,7 +557,7 @@ lemma htd_update_list_same2:
|
|||
lemma ptr_retyps_gen_out:
|
||||
fixes p :: "'a :: mem_type ptr"
|
||||
shows "x \<notin> {ptr_val p..+n * size_of TYPE('a)} \<Longrightarrow> ptr_retyps_gen n p arr td x = td x"
|
||||
apply (simp add: ptr_retyps_gen_def ptr_retyps_out split: split_if)
|
||||
apply (simp add: ptr_retyps_gen_def ptr_retyps_out split: if_split)
|
||||
apply (clarsimp simp: ptr_arr_retyps_def htd_update_list_same2)
|
||||
done
|
||||
|
||||
|
@ -579,7 +579,7 @@ lemma list_map_override_comono:
|
|||
apply (simp add: map_le_def list_map_eq map_add_def)
|
||||
apply (cases "length xs \<le> length ys")
|
||||
apply (simp add: prefix_eq_nth)
|
||||
apply (simp split: split_if_asm add: prefix_eq_nth)
|
||||
apply (simp split: if_split_asm add: prefix_eq_nth)
|
||||
done
|
||||
|
||||
lemma list_map_plus_le_not_tag_disj:
|
||||
|
@ -688,7 +688,7 @@ next
|
|||
from Suc.prems show ?case
|
||||
apply (simp add: upt_conv_Cons map_Suc_upt[symmetric]
|
||||
del: upt.simps)
|
||||
apply (split split_if, intro conjI impI)
|
||||
apply (split if_split, intro conjI impI)
|
||||
apply auto[1]
|
||||
apply (simp add: o_def)
|
||||
apply (subst Suc.hyps)
|
||||
|
@ -756,7 +756,7 @@ lemma ptr_retyps_gen_not_tag_disj:
|
|||
\<Longrightarrow> 0 < n
|
||||
\<Longrightarrow> \<not> td \<bottom>\<^sub>t typ_uinfo_t TYPE('a)"
|
||||
apply (simp add: ptr_retyps_gen_def ptr_arr_retyps_def
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
apply (drule_tac td'="uinfo_array_tag_n_m TYPE('a) n n"
|
||||
in htd_update_list_not_tag_disj, simp+)
|
||||
apply (clarsimp simp: mult.commute)
|
||||
|
@ -789,7 +789,7 @@ lemma ptr_retyps_gen_valid_footprint:
|
|||
"valid_footprint (ptr_retyps_gen n (Ptr p :: 'a :: mem_type ptr) arr htd) p' td
|
||||
= (valid_footprint htd p' td)"
|
||||
apply (cases "n = 0")
|
||||
apply (simp add: ptr_retyps_gen_def ptr_arr_retyps_def split: split_if)
|
||||
apply (simp add: ptr_retyps_gen_def ptr_arr_retyps_def split: if_split)
|
||||
apply (simp add: valid_footprint_def Let_def)
|
||||
apply (intro conj_cong refl, rule all_cong)
|
||||
apply (case_tac "p' + of_nat y \<in> {p ..+ n * size_of TYPE('a)}")
|
||||
|
@ -821,7 +821,7 @@ lemma ptr_retyp_same_cleared_region:
|
|||
shows "p = p' \<or> {ptr_val p..+ size_of TYPE('a)} \<inter> {ptr_val p' ..+ size_of TYPE('a)} = {}"
|
||||
using ht
|
||||
by (simp add: h_t_valid_ptr_retyp_eq[where p=p and p'=p'] field_of_t_refl
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
|
||||
lemma h_t_valid_ptr_retyp_inside_eq:
|
||||
fixes p :: "'a :: mem_type ptr" and p' :: "'a :: mem_type ptr"
|
||||
|
@ -856,7 +856,7 @@ lemma ptr_add_orth:
|
|||
lemma dom_lift_t_heap_update:
|
||||
"dom (lift_t g (hrs_mem_update v hp)) = dom (lift_t g hp)"
|
||||
by (clarsimp simp add: lift_t_def lift_typ_heap_if s_valid_def hrs_htd_def hrs_mem_update_def split_def dom_def
|
||||
intro!: Collect_cong split: split_if)
|
||||
intro!: Collect_cong split: if_split)
|
||||
|
||||
lemma h_t_valid_ptr_retyps_gen_same:
|
||||
assumes guard: "\<forall>n' < nptrs. gd (CTypesDefs.ptr_add (Ptr p :: 'a ptr) (of_nat n'))"
|
||||
|
@ -907,7 +907,7 @@ next
|
|||
|
||||
have mod_split: "\<And>k. k < nptrs * size_of TYPE('a)
|
||||
\<Longrightarrow> \<exists>quot rem. k = quot * size_of TYPE('a) + rem \<and> rem < size_of TYPE('a) \<and> quot < nptrs"
|
||||
apply (intro exI conjI, rule mod_div_equality[symmetric])
|
||||
apply (intro exI conjI, rule div_mult_mod_eq[symmetric])
|
||||
apply simp
|
||||
apply (simp add: Word_Miscellaneous.td_gal_lt)
|
||||
done
|
||||
|
@ -959,7 +959,7 @@ lemma clift_ptr_retyps_gen_memset_same:
|
|||
apply (subst heap_list_update_list)
|
||||
apply (simp add: addr_card_def card_word word_bits_def)
|
||||
apply simp
|
||||
apply (clarsimp split: split_if)
|
||||
apply (clarsimp split: if_split)
|
||||
apply (simp add: h_val_def)
|
||||
apply (subst heap_list_update_disjoint_same, simp_all)
|
||||
apply (simp add: region_is_bytes_disjoint[OF cleared not_byte])
|
||||
|
@ -1002,7 +1002,7 @@ lemma clift_heap_list_update_no_heap_other:
|
|||
and not_byte: "typ_uinfo_t TYPE('a :: c_type) \<noteq> typ_uinfo_t TYPE(word8)"
|
||||
shows "clift (hrs_mem_update (heap_update_list p xs) hrs) = (clift hrs :: 'a typ_heap)"
|
||||
apply (clarsimp simp: liftt_if[folded hrs_mem_def hrs_htd_def] hrs_mem_update
|
||||
fun_eq_iff h_val_def split: split_if)
|
||||
fun_eq_iff h_val_def split: if_split)
|
||||
apply (subst heap_list_update_disjoint_same, simp_all)
|
||||
apply (clarsimp simp: set_eq_iff h_t_valid_def valid_footprint_def Let_def
|
||||
dest!: intvlD[where n="size_of TYPE('a)"])
|
||||
|
@ -1482,7 +1482,7 @@ lemma cvariable_array_ptr_upd:
|
|||
\<Longrightarrow> cvariable_array_map_relation (m(x \<mapsto> y))
|
||||
ns (ptrfun :: _ \<Rightarrow> ('b :: mem_type) ptr) htd"
|
||||
by (clarsimp simp: cvariable_array_map_relation_def at
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
|
||||
lemma clift_eq_h_t_valid_eq:
|
||||
"clift hp = (clift hp' :: ('a :: c_type) ptr \<Rightarrow> _)
|
||||
|
@ -1494,7 +1494,7 @@ lemma region_is_bytes_typ_region_bytes:
|
|||
"{ptr ..+ len} \<le> {ptr' ..+ 2 ^ bits}
|
||||
\<Longrightarrow> region_is_bytes' ptr len (typ_region_bytes ptr' bits htd)"
|
||||
apply (clarsimp simp: region_is_bytes'_def typ_region_bytes_def hrs_htd_update)
|
||||
apply (simp add: subsetD split: split_if_asm)
|
||||
apply (simp add: subsetD split: if_split_asm)
|
||||
done
|
||||
|
||||
lemma region_actually_is_bytes_retyp_disjoint:
|
||||
|
@ -1533,7 +1533,7 @@ lemma zero_ranges_ptr_retyps:
|
|||
apply (frule(1) untypedZeroRange_to_usableCapRange)
|
||||
apply (clarsimp simp: isCap_simps untypedZeroRange_def
|
||||
getFreeRef_def max_free_index_def
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
apply (erule disjoint_subset[rotated])
|
||||
apply (subst intvl_plus_unat_eq)
|
||||
apply clarsimp
|
||||
|
@ -2035,9 +2035,9 @@ lemma cmap_relation_array_add_array[OF refl]:
|
|||
apply (simp add: and_mask_less_size word_size word_bits_def)
|
||||
apply (case_tac "chp (ptrf pa)", simp_all)
|
||||
apply (drule spec, drule(1) iffD2)
|
||||
apply (auto split: split_if)[1]
|
||||
apply (auto split: if_split)[1]
|
||||
apply (drule_tac x=pa in spec, clarsimp)
|
||||
apply (drule_tac x=p' in spec, clarsimp split: split_if_asm)
|
||||
apply (drule_tac x=p' in spec, clarsimp split: if_split_asm)
|
||||
apply (clarsimp simp: new_cap_addrs_def)
|
||||
apply (subst(asm) is_aligned_add_helper, simp_all)
|
||||
apply (rule shiftl_less_t2n, rule word_of_nat_less, simp_all add: word_bits_def)
|
||||
|
@ -2159,11 +2159,11 @@ proof (intro impI allI)
|
|||
apply (erule cmap_relation_array_add_array[OF _ al])
|
||||
apply (simp add: foldr_upd_app_if[folded data_map_insert_def])
|
||||
apply (rule projectKO_opt_retyp_same, simp add: ko_def projectKOs)
|
||||
apply (simp add: h_t_valid_clift_Some_iff dom_def split: split_if)
|
||||
apply (simp add: h_t_valid_clift_Some_iff dom_def split: if_split)
|
||||
apply (subst clift_ptr_retyps_gen_prev_memset_same[where n=1, simplified, OF guard],
|
||||
simp_all only: szo refl empty, simp_all add: zero)[1]
|
||||
apply (simp add: ptBits_def pageBits_def word_bits_def)
|
||||
apply (auto split: split_if)[1]
|
||||
apply (auto split: if_split)[1]
|
||||
apply (simp_all add: objBits_simps archObjSize_def ptBits_def
|
||||
pageBits_def ko_def word_bits_def)
|
||||
done
|
||||
|
@ -2349,11 +2349,11 @@ proof (intro impI allI)
|
|||
apply (erule cmap_relation_array_add_array[OF _ al])
|
||||
apply (simp add: foldr_upd_app_if[folded data_map_insert_def])
|
||||
apply (rule projectKO_opt_retyp_same, simp add: ko_def projectKOs)
|
||||
apply (simp add: h_t_valid_clift_Some_iff dom_def split: split_if)
|
||||
apply (simp add: h_t_valid_clift_Some_iff dom_def split: if_split)
|
||||
apply (subst clift_ptr_retyps_gen_prev_memset_same[where n=1, simplified, OF guard],
|
||||
simp_all only: szo empty, simp_all add: zero)[1]
|
||||
apply (simp add: pdBits_def pageBits_def word_bits_def)
|
||||
apply (auto split: split_if)[1]
|
||||
apply (auto split: if_split)[1]
|
||||
apply (simp_all add: objBits_simps archObjSize_def pdBits_def
|
||||
pageBits_def ko_def word_bits_def)
|
||||
done
|
||||
|
@ -2399,7 +2399,7 @@ proof (intro impI allI)
|
|||
apply (simp add: pdBits_def word_bits_def pageBits_def)
|
||||
apply (simp add: zero)
|
||||
apply (rule ext)
|
||||
apply (simp add: map_comp_def stored_asid[simplified] split: option.split split_if)
|
||||
apply (simp add: map_comp_def stored_asid[simplified] split: option.split if_split)
|
||||
apply (simp only: o_def CTypesDefs.ptr_add_def' Abs_fnat_hom_mult)
|
||||
apply (clarsimp simp only:)
|
||||
apply (drule h_t_valid_intvl_htd_contains_uinfo_t [OF h_t_valid_clift])
|
||||
|
@ -2772,7 +2772,7 @@ lemma byte_regions_unmodified_region_is_bytes:
|
|||
apply (clarsimp simp: byte_regions_unmodified_def imp_conjL[symmetric])
|
||||
apply (drule spec, erule mp)
|
||||
apply (clarsimp simp: region_actually_is_bytes'_def)
|
||||
apply (drule(1) bspec, simp split: split_if_asm)
|
||||
apply (drule(1) bspec, simp split: if_split_asm)
|
||||
done
|
||||
|
||||
lemma insertNewCap_ccorres1:
|
||||
|
@ -2843,8 +2843,8 @@ lemma createNewCaps_guard_helper:
|
|||
apply (erule subst)
|
||||
apply (simp add: min.assoc)
|
||||
apply (rule iffI)
|
||||
apply (simp add: min_def word_less_nat_alt split: split_if)
|
||||
apply (simp add: min_def word_less_nat_alt not_le unat_of_nat32 split: split_if_asm)
|
||||
apply (simp add: min_def word_less_nat_alt split: if_split)
|
||||
apply (simp add: min_def word_less_nat_alt not_le unat_of_nat32 split: if_split_asm)
|
||||
done
|
||||
|
||||
end
|
||||
|
@ -2970,7 +2970,7 @@ lemma heap_update_field':
|
|||
|
||||
lemma h_t_valid_clift_Some_iff':
|
||||
"td \<Turnstile>\<^sub>t p = (clift (hp, td) p = Some (h_val hp p))"
|
||||
by (simp add: lift_t_if split: split_if)
|
||||
by (simp add: lift_t_if split: if_split)
|
||||
|
||||
lemma option_noneI: "\<lbrakk> \<And>x. a = Some x \<Longrightarrow> False \<rbrakk> \<Longrightarrow> a = None"
|
||||
apply (case_tac a)
|
||||
|
@ -3030,7 +3030,7 @@ lemma cmap_relation_retype2:
|
|||
apply (case_tac "x \<in> addrs")
|
||||
apply (simp add: image_image)
|
||||
apply (simp add: image_image)
|
||||
apply (clarsimp split: split_if_asm)
|
||||
apply (clarsimp split: if_split_asm)
|
||||
apply (erule contrapos_np)
|
||||
apply (erule image_eqI [rotated])
|
||||
apply simp
|
||||
|
@ -3302,7 +3302,7 @@ proof -
|
|||
apply (subst(asm) ptr_retyps_gen_out)
|
||||
apply (clarsimp simp: ctcb_ptr_to_tcb_ptr_def ctcb_offset_def intvl_def)
|
||||
apply (simp add: unat_arith_simps unat_of_nat cte_C_size tcb_C_size
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
apply (subst(asm) empty[unfolded region_is_bytes'_def], simp_all)
|
||||
apply (erule subsetD[rotated], rule intvl_start_le)
|
||||
apply (simp add: cte_C_size)
|
||||
|
@ -3357,7 +3357,7 @@ proof -
|
|||
apply (simp only: take_replicate, simp add: cte_C_size)
|
||||
apply (simp add: cte_C_size)
|
||||
apply (simp add: fun_eq_iff
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
apply (simp add: hrs_comm packed_heap_update_collapse
|
||||
typ_heap_simps)
|
||||
apply (subst clift_heap_update_same_td_name, simp_all,
|
||||
|
@ -3478,7 +3478,7 @@ proof -
|
|||
have rl_tcb: "(projectKO_opt \<circ>\<^sub>m (ks(ctcb_ptr_to_tcb_ptr p \<mapsto> KOTCB makeObject)) :: word32 \<Rightarrow> tcb option)
|
||||
= (projectKO_opt \<circ>\<^sub>m ks)(ctcb_ptr_to_tcb_ptr p \<mapsto> makeObject)"
|
||||
apply (rule ext)
|
||||
apply (clarsimp simp: projectKOs map_comp_def split: split_if)
|
||||
apply (clarsimp simp: projectKOs map_comp_def split: if_split)
|
||||
done
|
||||
|
||||
have mko: "\<And>dev. makeObjectKO dev (Inr (APIObjectType ArchTypes_H.apiobject_type.TCBObject)) = Some kotcb"
|
||||
|
@ -3595,7 +3595,7 @@ proof -
|
|||
apply (simp add: cfault_rel_def seL4_Fault_lift_def seL4_Fault_get_tag_def Let_def
|
||||
lookup_fault_lift_def lookup_fault_get_tag_def lookup_fault_invalid_root_def
|
||||
eval_nat_numeral seL4_Fault_NullFault_def option_to_ptr_def option_to_0_def
|
||||
split: split_if)+
|
||||
split: if_split)+
|
||||
done
|
||||
|
||||
have pks: "ks (ctcb_ptr_to_tcb_ptr p) = None"
|
||||
|
@ -3858,7 +3858,7 @@ lemma cslift_empty_mem_update:
|
|||
apply (rule ext)
|
||||
apply (simp only: lift_t_if hrs_mem_update_def split_def x'_def)
|
||||
apply (simp add: lift_t_if hrs_mem_update_def split_def)
|
||||
apply (clarsimp simp: h_val_def split: split_if)
|
||||
apply (clarsimp simp: h_val_def split: if_split)
|
||||
apply (subst heap_list_update_disjoint_same)
|
||||
apply simp
|
||||
apply (rule disjointI)
|
||||
|
@ -3882,7 +3882,7 @@ lemma cslift_bytes_mem_update:
|
|||
apply (rule ext)
|
||||
apply (simp only: lift_t_if hrs_mem_update_def split_def x'_def)
|
||||
apply (simp add: lift_t_if hrs_mem_update_def split_def)
|
||||
apply (clarsimp simp: h_val_def split: split_if)
|
||||
apply (clarsimp simp: h_val_def split: if_split)
|
||||
apply (subst heap_list_update_disjoint_same)
|
||||
apply simp
|
||||
apply (rule disjointI)
|
||||
|
@ -3902,7 +3902,7 @@ lemma heap_update_list_replicate_eq:
|
|||
"(heap_update_list x (replicate n v) hp y)
|
||||
= (if y \<in> {x ..+ n} then v else hp y)"
|
||||
apply (induct n arbitrary: x hp, simp_all add: intvl_Suc_right)
|
||||
apply (simp split: split_if)
|
||||
apply (simp split: if_split)
|
||||
done
|
||||
|
||||
lemma zero_ranges_are_zero_update_zero[simp]:
|
||||
|
@ -3976,7 +3976,7 @@ next
|
|||
|
||||
show "?thesis m x"
|
||||
apply (simp add: xin word_rsplit_0 cong: if_cong)
|
||||
apply (simp split: split_if)
|
||||
apply (simp split: if_split)
|
||||
done
|
||||
qed
|
||||
|
||||
|
@ -4523,7 +4523,7 @@ lemma copyGlobalMappings_ccorres:
|
|||
cmachine_state_relation_def
|
||||
typ_heap_simps map_comp_eq
|
||||
pd_pointer_to_asid_slot_def
|
||||
intro!: ext split: split_if)
|
||||
intro!: ext split: if_split)
|
||||
apply (simp add: field_simps)
|
||||
apply (drule arg_cong[where f="\<lambda>x. x && mask pdBits"],
|
||||
simp add: mask_add_aligned)
|
||||
|
@ -4667,14 +4667,14 @@ lemma placeNewObject_eq:
|
|||
((), (s\<lparr>ksPSpace := foldr (\<lambda>addr. data_map_insert addr (injectKOS object)) (new_cap_addrs (2 ^ groupSizeBits) ptr (injectKOS object)) (ksPSpace s)\<rparr>))
|
||||
\<in> fst (placeNewObject ptr object groupSizeBits s)"
|
||||
apply (clarsimp simp: placeNewObject_def placeNewObject'_def)
|
||||
apply (clarsimp simp: split_def field_simps split del: split_if)
|
||||
apply (clarsimp simp: split_def field_simps split del: if_split)
|
||||
apply (clarsimp simp: no_fail_def)
|
||||
apply (subst lookupAround2_pspace_no)
|
||||
apply assumption
|
||||
apply (subst (asm) lookupAround2_pspace_no)
|
||||
apply assumption
|
||||
apply (clarsimp simp add: in_monad' split_def bind_assoc field_simps
|
||||
snd_bind ball_to_all unless_def split: option.splits split_if_asm)
|
||||
snd_bind ball_to_all unless_def split: option.splits if_split_asm)
|
||||
apply (clarsimp simp: data_map_insert_def new_cap_addrs_def)
|
||||
apply (subst upto_enum_red2)
|
||||
apply (fold word_bits_def, assumption)
|
||||
|
@ -4808,7 +4808,7 @@ lemma htd_update_list_dom_better [rule_format]:
|
|||
apply(induct_tac xs)
|
||||
apply simp
|
||||
apply clarsimp
|
||||
apply(auto split: split_if_asm)
|
||||
apply(auto split: if_split_asm)
|
||||
apply(erule notE)
|
||||
apply(clarsimp simp: dom_s_def)
|
||||
apply(case_tac y)
|
||||
|
@ -5754,7 +5754,7 @@ lemma cep_relations_drop_fun_upd:
|
|||
\<Longrightarrow> cnotification_relation (f (x \<mapsto> v')) = cnotification_relation f"
|
||||
by (intro ext cendpoint_relation_upd_tcb_no_queues[where thread=x]
|
||||
cnotification_relation_upd_tcb_no_queues[where thread=x]
|
||||
| simp split: split_if)+
|
||||
| simp split: if_split)+
|
||||
|
||||
lemma threadSet_domain_ccorres [corres]:
|
||||
"ccorres dc xfdc (tcb_at' thread) {s. thread' s = tcb_ptr_to_ctcb_ptr thread \<and> d' s = ucast d} hs
|
||||
|
@ -5776,8 +5776,8 @@ lemma threadSet_domain_ccorres [corres]:
|
|||
apply (rule conjI)
|
||||
defer
|
||||
apply (erule cready_queues_relation_not_queue_ptrs)
|
||||
apply (rule ext, simp split: split_if)
|
||||
apply (rule ext, simp split: split_if)
|
||||
apply (rule ext, simp split: if_split)
|
||||
apply (rule ext, simp split: if_split)
|
||||
apply (drule ko_at_projectKO_opt)
|
||||
apply (erule (2) cmap_relation_upd_relI)
|
||||
subgoal by (simp add: ctcb_relation_def)
|
||||
|
@ -6213,7 +6213,7 @@ lemma pspace_no_overlap_induce_notification:
|
|||
lemma ctes_of_ko_at_strong:
|
||||
"\<lbrakk>ctes_of s p = Some a;is_aligned p 4\<rbrakk> \<Longrightarrow>
|
||||
(\<exists>ptr ko. (ksPSpace s ptr = Some ko \<and> {p ..+ 16} \<subseteq> obj_range' ptr ko))"
|
||||
apply (clarsimp simp: map_to_ctes_def Let_def split:split_if_asm)
|
||||
apply (clarsimp simp: map_to_ctes_def Let_def split:if_split_asm)
|
||||
apply (intro exI conjI,assumption)
|
||||
apply (simp add:obj_range'_def objBits_simps is_aligned_no_wrap' field_simps)
|
||||
apply (subst intvl_range_conv[where bits = 4,simplified])
|
||||
|
@ -6233,7 +6233,7 @@ lemma ctes_of_ko_at_strong:
|
|||
apply (thin_tac "P \<or> Q" for P Q)
|
||||
apply (erule order_trans)
|
||||
apply (subst word_plus_and_or_coroll2[where x = p and w = "mask 9",symmetric])
|
||||
apply (clarsimp simp:tcb_cte_cases_def field_simps split:split_if_asm)
|
||||
apply (clarsimp simp:tcb_cte_cases_def field_simps split:if_split_asm)
|
||||
apply (subst add.commute)
|
||||
apply (rule word_plus_mono_right[OF _ is_aligned_no_wrap'])
|
||||
apply simp
|
||||
|
@ -6384,13 +6384,13 @@ lemma typ_region_bytes_dom:
|
|||
apply (clarsimp simp: h_t_valid_def valid_footprint_def Let_def
|
||||
hrs_htd_update_def split_def typ_region_bytes_def)
|
||||
apply (drule spec, drule(1) mp)
|
||||
apply (simp add: size_of_def split: split_if_asm)
|
||||
apply (simp add: size_of_def split: if_split_asm)
|
||||
apply (drule subsetD[OF equalityD1], rule IntI, erule intvlI, simp)
|
||||
apply simp
|
||||
apply (clarsimp simp: set_eq_iff)
|
||||
apply (drule(1) h_t_valid_intvl_htd_contains_uinfo_t)
|
||||
apply (clarsimp simp: hrs_htd_update_def typ_region_bytes_def split_def
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
done
|
||||
|
||||
lemma lift_t_typ_region_bytes_none:
|
||||
|
@ -6659,7 +6659,7 @@ lemma h_t_array_first_element_at:
|
|||
apply (erule order_less_le_trans, simp add: size_of_def)
|
||||
apply (clarsimp simp: uinfo_array_tag_n_m_def upt_conv_Cons)
|
||||
apply (erule map_le_trans[rotated])
|
||||
apply (simp add: list_map_mono split: split_if)
|
||||
apply (simp add: list_map_mono split: if_split)
|
||||
done
|
||||
|
||||
lemma aligned_intvl_disjointI:
|
||||
|
@ -6721,7 +6721,7 @@ lemma gsCNodes_typ_region_bytes:
|
|||
apply (drule_tac x="cte_Ptr p" in fun_cong)
|
||||
apply (simp add: liftt_if[folded hrs_htd_def] hrs_htd_update
|
||||
h_t_valid_def valid_footprint_typ_region_bytes
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
apply (subgoal_tac "p \<in> {p ..+ size_of TYPE(cte_C)}")
|
||||
apply (simp add: cte_C_size)
|
||||
apply blast
|
||||
|
@ -7512,7 +7512,7 @@ lemma createObject_cnodes_have_size:
|
|||
apply (cases newType, simp_all add: ARM_H.toAPIType_def)
|
||||
apply (clarsimp simp: APIType_capBits_def objBits_simps
|
||||
cnodes_retype_have_size_def cte_level_bits_def
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
done
|
||||
|
||||
lemma range_cover_not_in_neqD:
|
||||
|
@ -7839,7 +7839,7 @@ lemma createObject_untyped_region_is_zero_bytes:
|
|||
apply (clarsimp simp: cap_tag_defs)
|
||||
apply (simp add: cap_lift_untyped_cap cap_tag_defs cap_to_H_simps
|
||||
cap_untyped_cap_lift_def object_type_from_H_def)
|
||||
apply (simp add: untypedZeroRange_def split: split_if)
|
||||
apply (simp add: untypedZeroRange_def split: if_split)
|
||||
apply (clarsimp simp: getFreeRef_def Let_def object_type_to_H_def)
|
||||
apply (simp add: is_aligned_neg_mask_eq[OF is_aligned_weaken])
|
||||
apply (simp add: APIType_capBits_def
|
||||
|
@ -8002,7 +8002,7 @@ shows "ccorres dc xfdc
|
|||
apply (drule_tac p = n in range_cover_no_0)
|
||||
apply (simp add:shiftl_t2n field_simps)+
|
||||
apply (cut_tac x=num in unat_lt2p, simp)
|
||||
apply (simp add: unat_arith_simps unat_of_nat, simp split: split_if)
|
||||
apply (simp add: unat_arith_simps unat_of_nat, simp split: if_split)
|
||||
apply (intro impI, erule order_trans[rotated], simp)
|
||||
apply (erule pspace_no_overlap'_le)
|
||||
apply (fold_subgoals (prefix))[2]
|
||||
@ -101,7 +101,7 @@ lemma cap_get_tag_isCap0:
|
|||
apply (erule ccap_relationE)
|
||||
apply (simp add: cap_to_H_def cap_lift_def Let_def isArchCap_tag_def2 isArchCap_def)
|
||||
apply (clarsimp simp: isCap_simps cap_tag_defs word_le_nat_alt pageSize_def Let_def
|
||||
split: split_if_asm) -- "takes a while"
|
||||
split: if_split_asm) -- "takes a while"
|
||||
done
|
||||
|
||||
|
||||
|
@ -232,7 +232,7 @@ lemma cap_get_tag_ZombieCap:
|
|||
apply (erule ccap_relationE)
|
||||
apply (clarsimp simp add: cap_lifts cap_to_H_def)
|
||||
apply (simp add: cap_get_tag_isCap isCap_simps Let_def
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
done
|
||||
|
||||
|
||||
|
@ -306,7 +306,7 @@ lemma tcb_cte_cases_in_range1:
|
|||
proof -
|
||||
from tc obtain q where yq: "y = x + q" and qv: "q < 2 ^ 9"
|
||||
unfolding tcb_cte_cases_def
|
||||
by (simp add: diff_eq_eq split: split_if_asm)
|
||||
by (simp add: diff_eq_eq split: if_split_asm)
|
||||
|
||||
have "x \<le> x + 2 ^ 9 - 1" using al
|
||||
by (rule is_aligned_no_overflow)
|
||||
|
@ -327,7 +327,7 @@ lemma tcb_cte_cases_in_range2:
|
|||
proof -
|
||||
from tc obtain q where yq: "y = x + q" and qv: "q \<le> 2 ^ 9 - 1"
|
||||
unfolding tcb_cte_cases_def
|
||||
by (simp add: diff_eq_eq split: split_if_asm)
|
||||
by (simp add: diff_eq_eq split: if_split_asm)
|
||||
|
||||
have "x + q \<le> x + (2 ^ 9 - 1)" using qv
|
||||
apply (rule word_plus_mono_right)
|
||||
|
@ -352,7 +352,7 @@ lemma updateObject_cte_tcb:
|
|||
apply -
|
||||
apply (clarsimp simp add: updateObject_cte Let_def
|
||||
tcb_cte_cases_def objBits_simps tcbSlots shiftl_t2n
|
||||
split: split_if_asm cong: if_cong)
|
||||
split: if_split_asm cong: if_cong)
|
||||
done
|
||||
|
||||
definition
|
||||
|
@ -365,7 +365,7 @@ lemma tcb_cte_cases_proj_eq [simp]:
|
|||
"tcb_cte_cases p = Some (getF, setF) \<Longrightarrow>
|
||||
tcb_no_ctes_proj tcb = tcb_no_ctes_proj (setF f tcb)"
|
||||
unfolding tcb_no_ctes_proj_def tcb_cte_cases_def
|
||||
by (auto split: split_if_asm)
|
||||
by (auto split: if_split_asm)
|
||||
|
||||
lemma map_to_ctes_upd_cte':
|
||||
"\<lbrakk> ksPSpace s p = Some (KOCTE cte'); is_aligned p 4; ps_clear p 4 s \<rbrakk>
|
||||
|
@ -392,7 +392,7 @@ lemma map_to_ctes_upd_tcb':
|
|||
lemma tcb_cte_cases_inv [simp]:
|
||||
"tcb_cte_cases p = Some (getF, setF) \<Longrightarrow> getF (setF (\<lambda>_. v) tcb) = v"
|
||||
unfolding tcb_cte_cases_def
|
||||
by (simp split: split_if_asm)
|
||||
by (simp split: if_split_asm)
|
||||
|
||||
declare insert_dom [simp]
|
||||
|
||||
|
@ -821,7 +821,7 @@ lemma cmap_relation_upd_relI:
|
|||
apply (simp add: cmap_relation_def)
|
||||
apply (case_tac "x = dest")
|
||||
apply simp
|
||||
apply (simp add: inj_eq split: split_if_asm)
|
||||
apply (simp add: inj_eq split: if_split_asm)
|
||||
apply (erule (2) rel)
|
||||
apply (erule (2) cmap_relation_relI)
|
||||
done
|
||||
|
@ -938,7 +938,7 @@ proof -
|
|||
thus ?thesis
|
||||
apply (rule cte_wp_atE')
|
||||
apply (simp add: cte_level_bits_def is_aligned_weaken)
|
||||
apply (simp add: tcb_cte_cases_def field_simps split: split_if_asm )
|
||||
apply (simp add: tcb_cte_cases_def field_simps split: if_split_asm )
|
||||
apply ((erule aligned_add_aligned, simp_all add: is_aligned_def word_bits_conv)[1])+
|
||||
apply (simp add: is_aligned_weaken)
|
||||
done
|
||||
|
@ -1213,7 +1213,7 @@ lemma ccap_relation_NullCap_iff:
|
|||
"(ccap_relation NullCap cap') = (cap_get_tag cap' = scast cap_null_cap)"
|
||||
unfolding ccap_relation_def
|
||||
apply (clarsimp simp: map_option_Some_eq2 c_valid_cap_def cl_valid_cap_def
|
||||
cap_to_H_def cap_lift_def Let_def cap_tag_defs split: split_if)
|
||||
cap_to_H_def cap_lift_def Let_def cap_tag_defs split: if_split)
|
||||
done
|
||||
|
||||
(* MOVE *)
|
||||
|
@ -1541,7 +1541,7 @@ lemma map_to_ctes_upd_tcb_no_ctes:
|
|||
apply (subst map_to_ctes_upd_tcb')
|
||||
apply assumption+
|
||||
apply (rule ext)
|
||||
apply (clarsimp split: split_if)
|
||||
apply (clarsimp split: if_split)
|
||||
apply (drule (1) bspec [OF _ ranI])
|
||||
apply simp
|
||||
done
|
||||
|
@ -1559,7 +1559,7 @@ lemma update_ntfn_map_tos:
|
|||
and "map_to_user_data_device (ksPSpace s(p \<mapsto> KONotification ko)) = map_to_user_data_device (ksPSpace s)"
|
||||
using at
|
||||
by (auto elim!: obj_atE' intro!: map_to_ctes_upd_other map_comp_eqI
|
||||
simp: projectKOs projectKO_opts_defs split: kernel_object.splits split_if_asm)+
|
||||
simp: projectKOs projectKO_opts_defs split: kernel_object.splits if_split_asm)+
|
||||
|
||||
lemma update_ep_map_tos:
|
||||
fixes P :: "endpoint \<Rightarrow> bool"
|
||||
|
@ -1574,7 +1574,7 @@ lemma update_ep_map_tos:
|
|||
and "map_to_user_data_device (ksPSpace s(p \<mapsto> KOEndpoint ko)) = map_to_user_data_device (ksPSpace s)"
|
||||
using at
|
||||
by (auto elim!: obj_atE' intro!: map_to_ctes_upd_other map_comp_eqI
|
||||
simp: projectKOs projectKO_opts_defs split: kernel_object.splits split_if_asm)+
|
||||
simp: projectKOs projectKO_opts_defs split: kernel_object.splits if_split_asm)+
|
||||
|
||||
lemma update_tcb_map_tos:
|
||||
fixes P :: "tcb \<Rightarrow> bool"
|
||||
|
@ -1588,7 +1588,7 @@ lemma update_tcb_map_tos:
|
|||
and "map_to_user_data_device (ksPSpace s(p \<mapsto> KOTCB ko)) = map_to_user_data_device (ksPSpace s)"
|
||||
using at
|
||||
by (auto elim!: obj_atE' intro!: map_to_ctes_upd_other map_comp_eqI
|
||||
simp: projectKOs projectKO_opts_defs split: kernel_object.splits split_if_asm)+
|
||||
simp: projectKOs projectKO_opts_defs split: kernel_object.splits if_split_asm)+
|
||||
|
||||
lemma update_asidpool_map_tos:
|
||||
fixes P :: "asidpool \<Rightarrow> bool"
|
||||
|
@ -1605,18 +1605,18 @@ lemma update_asidpool_map_tos:
|
|||
using at
|
||||
by (auto elim!: obj_atE' intro!: map_to_ctes_upd_other map_comp_eqI
|
||||
simp: projectKOs projectKO_opts_defs
|
||||
split: split_if split_if_asm Structures_H.kernel_object.split_asm
|
||||
split: if_split if_split_asm Structures_H.kernel_object.split_asm
|
||||
arch_kernel_object.split_asm)
|
||||
|
||||
lemma update_asidpool_map_to_asidpools:
|
||||
"map_to_asidpools (ksPSpace s(p \<mapsto> KOArch (KOASIDPool ap)))
|
||||
= (map_to_asidpools (ksPSpace s))(p \<mapsto> ap)"
|
||||
by (rule ext, clarsimp simp: projectKOs map_comp_def split: split_if)
|
||||
by (rule ext, clarsimp simp: projectKOs map_comp_def split: if_split)
|
||||
|
||||
lemma update_pte_map_to_ptes:
|
||||
"map_to_ptes (ksPSpace s(p \<mapsto> KOArch (KOPTE pte)))
|
||||
= (map_to_ptes (ksPSpace s))(p \<mapsto> pte)"
|
||||
by (rule ext, clarsimp simp: projectKOs map_comp_def split: split_if)
|
||||
by (rule ext, clarsimp simp: projectKOs map_comp_def split: if_split)
|
||||
|
||||
lemma update_pte_map_tos:
|
||||
fixes P :: "pte \<Rightarrow> bool"
|
||||
|
@ -1631,14 +1631,14 @@ lemma update_pte_map_tos:
|
|||
and "map_to_user_data_device (ksPSpace s(p \<mapsto> (KOArch (KOPTE pte)))) = map_to_user_data_device (ksPSpace s)"
|
||||
using at
|
||||
by (auto elim!: obj_atE' intro!: map_comp_eqI map_to_ctes_upd_other
|
||||
split: split_if_asm split_if
|
||||
split: if_split_asm if_split
|
||||
simp: projectKOs,
|
||||
auto simp: projectKO_opts_defs)
|
||||
|
||||
lemma update_pde_map_to_pdes:
|
||||
"map_to_pdes (ksPSpace s(p \<mapsto> KOArch (KOPDE pde)))
|
||||
= (map_to_pdes (ksPSpace s))(p \<mapsto> pde)"
|
||||
by (rule ext, clarsimp simp: projectKOs map_comp_def split: split_if)
|
||||
by (rule ext, clarsimp simp: projectKOs map_comp_def split: if_split)
|
||||
|
||||
lemma update_pde_map_tos:
|
||||
fixes P :: "pde \<Rightarrow> bool"
|
||||
|
@ -1653,7 +1653,7 @@ lemma update_pde_map_tos:
|
|||
and "map_to_user_data_device (ksPSpace s(p \<mapsto> (KOArch (KOPDE pde)))) = map_to_user_data_device (ksPSpace s)"
|
||||
using at
|
||||
by (auto elim!: obj_atE' intro!: map_comp_eqI map_to_ctes_upd_other
|
||||
split: split_if_asm split_if
|
||||
split: if_split_asm if_split
|
||||
simp: projectKOs,
|
||||
auto simp: projectKO_opts_defs)
|
||||
|
||||
|
@ -1690,7 +1690,7 @@ lemma region_actually_is_bytes:
|
|||
"region_actually_is_bytes' ptr len htd
|
||||
\<Longrightarrow> region_is_bytes' ptr len htd"
|
||||
by (simp add: region_is_bytes'_def region_actually_is_bytes'_def
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
|
||||
lemma zero_ranges_are_zero_update[simp]:
|
||||
"h_t_valid (hrs_htd hrs) c_guard (ptr :: 'a ptr)
|
||||
|
@ -1829,7 +1829,7 @@ lemma cmap_relation_updI2:
|
|||
and inj: "inj f"
|
||||
shows "cmap_relation (am(dest \<mapsto> nv)) (cm(f dest \<mapsto> nv')) f rel"
|
||||
using cr cof cc inj
|
||||
by (clarsimp simp add: cmap_relation_def inj_eq split: split_if)
|
||||
by (clarsimp simp add: cmap_relation_def inj_eq split: if_split)
|
||||
|
||||
definition
|
||||
user_word_at :: "word32 \<Rightarrow> word32 \<Rightarrow> kernel_state \<Rightarrow> bool"
|
||||
|
@ -1871,7 +1871,7 @@ lemma ko_at_projectKO_opt:
|
|||
|
||||
lemma int_and_leR:
|
||||
"0 \<le> b \<Longrightarrow> a AND b \<le> (b :: int)"
|
||||
by (clarsimp simp: int_and_le bin_sign_def split: split_if_asm)
|
||||
by (clarsimp simp: int_and_le bin_sign_def split: if_split_asm)
|
||||
|
||||
lemma int_and_leL:
|
||||
"0 \<le> a \<Longrightarrow> a AND b \<le> (a :: int)"
|
||||
|
@ -2045,7 +2045,7 @@ lemma cap_get_tag_isCap_ArchObject0:
|
|||
apply -
|
||||
apply (erule ccap_relationE)
|
||||
apply (simp add: cap_to_H_def cap_lift_def Let_def isArchCap_def)
|
||||
apply (clarsimp simp: isCap_simps cap_tag_defs word_le_nat_alt pageSize_def Let_def split: split_if_asm) -- "takes a while"
|
||||
apply (clarsimp simp: isCap_simps cap_tag_defs word_le_nat_alt pageSize_def Let_def split: if_split_asm) -- "takes a while"
|
||||
done
|
||||
|
||||
lemma cap_get_tag_isCap_ArchObject:
|
||||
|
@ -2152,7 +2152,7 @@ lemma update_typ_at:
|
|||
using at
|
||||
by (auto elim!: obj_atE' simp: typ_at'_def ko_wp_at'_def
|
||||
dest!: tp[rule_format]
|
||||
simp: project_inject projectKO_eq split: kernel_object.splits split_if_asm,
|
||||
simp: project_inject projectKO_eq split: kernel_object.splits if_split_asm,
|
||||
simp_all add: objBits_def objBitsT_koTypeOf[symmetric] ps_clear_upd
|
||||
del: objBitsT_koTypeOf)
|
||||
|
||||
@ -924,7 +924,7 @@ lemma cep_relations_drop_fun_upd:
|
|||
\<Longrightarrow> cnotification_relation (f (x \<mapsto> v')) = cnotification_relation f"
|
||||
by (intro ext cendpoint_relation_upd_tcb_no_queues[where thread=x]
|
||||
cnotification_relation_upd_tcb_no_queues[where thread=x]
|
||||
| simp split: split_if)+
|
||||
| simp split: if_split)+
|
||||
|
||||
lemma threadSet_timeSlice_ccorres [corres]:
|
||||
"ccorres dc xfdc (tcb_at' thread) {s. thread' s = tcb_ptr_to_ctcb_ptr thread \<and> unat (v' s) = v} hs
|
||||
|
@ -947,8 +947,8 @@ lemma threadSet_timeSlice_ccorres [corres]:
|
|||
apply (rule conjI)
|
||||
defer
|
||||
apply (erule cready_queues_relation_not_queue_ptrs)
|
||||
apply (rule ext, simp split: split_if)
|
||||
apply (rule ext, simp split: split_if)
|
||||
apply (rule ext, simp split: if_split)
|
||||
apply (rule ext, simp split: if_split)
|
||||
apply (drule ko_at_projectKO_opt)
|
||||
apply (erule (2) cmap_relation_upd_relI)
|
||||
apply (simp add: ctcb_relation_def)
|
||||
@ -897,7 +897,7 @@ lemma (in kernel) syscall_error_to_H_cases_rev:
|
|||
"syscall_error_to_H e lf = Some RevokeFirst \<Longrightarrow>
|
||||
type_C e = scast seL4_RevokeFirst"
|
||||
by (clarsimp simp: syscall_error_to_H_def syscall_error_type_defs
|
||||
split: split_if_asm)+
|
||||
split: if_split_asm)+
|
||||
|
||||
definition
|
||||
syscall_from_H :: "syscall \<Rightarrow> word32"
|
||||
@ -107,7 +107,7 @@ lemma byte_to_word_heap_upd_outside_range:
|
|||
intvl_inter_le [where k=0 and ka=2, simplified, OF refl]
|
||||
intvl_inter_le [where k=0 and ka=1, simplified, OF refl]
|
||||
intvl_inter_le [where k=0 and ka=0, simplified, OF refl]
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
done
|
||||
|
||||
lemma intvl_range_conv:
|
||||
|
@ -175,7 +175,7 @@ lemma update_ti_t_acc_foo:
|
|||
\<Longrightarrow> acc (update_ti_pair a ys v) = update_ti_pair (f a) ys (acc v);
|
||||
\<And>a. size_td_pair (f a) = size_td_pair a \<rbrakk> \<Longrightarrow>
|
||||
\<forall>xs. acc (update_ti_list_t adjs xs v) = update_ti_list_t (map f adjs) xs (acc v)"
|
||||
apply (simp add: update_ti_list_t_def size_td_list_map2 split: split_if)
|
||||
apply (simp add: update_ti_list_t_def size_td_list_map2 split: if_split)
|
||||
apply (induct adjs)
|
||||
apply simp
|
||||
apply clarsimp
|
||||
|
@ -467,7 +467,7 @@ proof (intro allI impI)
|
|||
\<Longrightarrow> update_ti_pair (map_td_pair f a) ys (Cons v) = Cons (update_ti_pair a ys v) \<rbrakk>
|
||||
\<Longrightarrow> \<forall>xs. update_ti_list_t (map_td_list f adjs) xs v
|
||||
= Cons (update_ti_list_t adjs xs v')"
|
||||
apply (simp add: update_ti_list_t_def split: split_if)
|
||||
apply (simp add: update_ti_list_t_def split: if_split)
|
||||
apply (induct_tac adjs)
|
||||
apply simp
|
||||
apply clarsimp
|
||||
|
@ -669,7 +669,7 @@ proof (intro allI impI)
|
|||
apply (rule ext)
|
||||
apply clarsimp
|
||||
apply (case_tac y)
|
||||
apply (clarsimp split: split_if)
|
||||
apply (clarsimp split: if_split)
|
||||
apply (rule cmap_relationI)
|
||||
apply (clarsimp simp: dom_heap_to_device_data cmap_relation_def dom_if_Some
|
||||
intro!: Un_absorb1 [symmetric])
|
||||
|
@ -776,7 +776,7 @@ proof (intro allI impI)
|
|||
\<Longrightarrow> update_ti_pair (map_td_pair f a) ys (Cons v) = Cons (update_ti_pair a ys v) \<rbrakk>
|
||||
\<Longrightarrow> \<forall>xs. update_ti_list_t (map_td_list f adjs) xs v
|
||||
= Cons (update_ti_list_t adjs xs v')"
|
||||
apply (simp add: update_ti_list_t_def split: split_if)
|
||||
apply (simp add: update_ti_list_t_def split: if_split)
|
||||
apply (induct_tac adjs)
|
||||
apply simp
|
||||
apply clarsimp
|
||||
|
@ -978,7 +978,7 @@ proof (intro allI impI)
|
|||
apply (rule ext)
|
||||
apply clarsimp
|
||||
apply (case_tac y)
|
||||
apply (clarsimp split: split_if)
|
||||
apply (clarsimp split: if_split)
|
||||
apply (rule cmap_relationI)
|
||||
apply (clarsimp simp: dom_heap_to_user_data cmap_relation_def dom_if_Some
|
||||
intro!: Un_absorb1 [symmetric])
|
||||
|
@ -1068,12 +1068,12 @@ proof -
|
|||
apply (rule kernel_state.fold_congs[OF refl refl], simp only:)
|
||||
apply (rule machine_state.fold_congs[OF refl refl], simp only:)
|
||||
apply (cut_tac p=ptr in unat_mask_2_less_4)
|
||||
apply (simp del: list_update.simps split del: split_if
|
||||
apply (simp del: list_update.simps split del: if_split
|
||||
add: word_rsplit_rcat_size word_size nth_list_update
|
||||
horrible_helper)
|
||||
apply (subgoal_tac "(ptr && ~~ mask 2) + (ptr && mask 2) = ptr")
|
||||
apply (subgoal_tac "(ptr && mask 2) \<in> {0, 1, 2, 3}")
|
||||
apply (auto split: split_if simp: fun_upd_idem)[1]
|
||||
apply (auto split: if_split simp: fun_upd_idem)[1]
|
||||
apply (simp add: word_unat.Rep_inject[symmetric]
|
||||
del: word_unat.Rep_inject)
|
||||
apply arith
|
||||
|
@ -1107,7 +1107,7 @@ proof -
|
|||
apply (rule if_cong)
|
||||
apply assumption
|
||||
apply simp
|
||||
apply (clarsimp simp: nth_list_update split: split_if)
|
||||
apply (clarsimp simp: nth_list_update split: if_split)
|
||||
apply (frule_tac ptr=x in memory_cross_over, simp+)
|
||||
apply (clarsimp simp: pointerInUserData_def pointerInDeviceData_def)
|
||||
apply (cut_tac p="ptr && ~~ mask 2" and n=2 and d="x - (ptr && ~~ mask 2)"
|
||||
|
@ -1142,11 +1142,11 @@ lemma storeWord_ccorres':
|
|||
(Basic (\<lambda>s. globals_update (t_hrs_'_update
|
||||
(hrs_mem_update (heap_update (ptr' s) (val' s)))) s))"
|
||||
apply (clarsimp simp: storeWordUser_def simp del: Collect_const
|
||||
split del: split_if)
|
||||
split del: if_split)
|
||||
apply (rule ccorres_from_vcg_nofail)
|
||||
apply (rule allI)
|
||||
apply (rule conseqPre, vcg)
|
||||
apply (clarsimp split: split_if_asm)
|
||||
apply (clarsimp split: if_split_asm)
|
||||
apply (rule bexI[rotated])
|
||||
apply (subst in_doMachineOp)
|
||||
apply (fastforce simp: storeWord_def in_monad is_aligned_mask)
|
||||
@ -300,7 +300,7 @@ lemma ccorres_invocationCatch_Inr:
|
|||
apply (rule bind_apply_cong [OF refl])+
|
||||
apply (simp add: throwError_bind returnOk_bind lift_def liftE_def
|
||||
alternative_bind
|
||||
split: sum.split split_if)
|
||||
split: sum.split if_split)
|
||||
apply (simp add: throwError_def)
|
||||
done
|
||||
|
||||
|
@ -504,7 +504,7 @@ lemma injection_handler_If:
|
|||
"injection_handler injector (If P a b)
|
||||
= If P (injection_handler injector a)
|
||||
(injection_handler injector b)"
|
||||
by (simp split: split_if)
|
||||
by (simp split: if_split)
|
||||
|
||||
(* FIXME: duplicated in CSpace_All *)
|
||||
lemma injection_handler_liftM:
|
||||
|
@ -633,7 +633,7 @@ lemma msgRegisters_ccorres:
|
|||
"n < unat n_msgRegisters \<Longrightarrow>
|
||||
register_from_H (ARM_H.msgRegisters ! n) = (index msgRegistersC n)"
|
||||
apply (simp add: msgRegistersC_def msgRegisters_unfold fupdate_def)
|
||||
apply (simp add: Arrays.update_def n_msgRegisters_def fcp_beta nth_Cons' split: split_if)
|
||||
apply (simp add: Arrays.update_def n_msgRegisters_def fcp_beta nth_Cons' split: if_split)
|
||||
done
|
||||
|
||||
|
||||
|
@ -701,7 +701,7 @@ lemma getMRs_tcbContext:
|
|||
apply clarsimp
|
||||
apply (wp asUser_const_rv)
|
||||
apply (clarsimp simp: n_msgRegisters_def msgRegisters_unfold)
|
||||
apply (simp add: nth_Cons' cur_tcb'_def split: split_if)
|
||||
apply (simp add: nth_Cons' cur_tcb'_def split: if_split)
|
||||
done
|
||||
|
||||
lemma threadGet_tcbIpcBuffer_ccorres [corres]:
|
||||
|
@ -850,7 +850,7 @@ lemma lookupIPCBuffer_ccorres[corres]:
|
|||
apply (clarsimp simp: vmrights_to_H_def)
|
||||
apply (simp add: Kernel_C.VMReadOnly_def Kernel_C.VMKernelOnly_def
|
||||
Kernel_C.VMReadWrite_def Kernel_C.VMNoAccess_def
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
apply clarsimp
|
||||
apply (drule less_4_cases)
|
||||
apply auto[1]
|
||||
|
@ -904,7 +904,7 @@ lemma lookupIPCBuffer_ccorres[corres]:
|
|||
apply (clarsimp simp: vmrights_to_H_def)
|
||||
apply (simp add: Kernel_C.VMReadOnly_def Kernel_C.VMKernelOnly_def
|
||||
Kernel_C.VMReadWrite_def Kernel_C.VMNoAccess_def
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
apply clarsimp
|
||||
apply (drule less_4_cases)
|
||||
apply auto[1]
|
||||
|
@ -1092,7 +1092,7 @@ lemma getMRs_user_word:
|
|||
wordSize_def')
|
||||
done
|
||||
|
||||
declare split_if [split]
|
||||
declare if_split [split]
|
||||
|
||||
definition
|
||||
"getMRs_rel args buffer \<equiv> \<lambda>s. \<exists>mi. msgLength mi \<le> msgMaxLength \<and> fst (getMRs (ksCurThread s) buffer mi s) = {(args, s)}"
|
||||
|
@ -1273,7 +1273,7 @@ lemma getSyscallArg_ccorres_foo:
|
|||
apply assumption
|
||||
apply (rule ccorres_cond_seq)
|
||||
apply (rule_tac R=\<top> and P="\<lambda>_. n < unat (scast n_msgRegisters :: word32)" in ccorres_cond_both)
|
||||
apply (simp add: word_less_nat_alt split: split_if)
|
||||
apply (simp add: word_less_nat_alt split: if_split)
|
||||
apply (rule ccorres_add_return2)
|
||||
apply (rule ccorres_symb_exec_l)
|
||||
apply (rule_tac P="\<lambda>s. n < unat (scast n_msgRegisters :: word32) \<and> obj_at' (\<lambda>tcb. atcbContextGet (tcbArch tcb) (ARM_H.msgRegisters!n) = x!n) (ksCurThread s) s"
|
||||
|
@ -1303,9 +1303,9 @@ lemma getSyscallArg_ccorres_foo:
|
|||
\<and> valid_ipc_buffer_ptr' (ptr_val ipc_buffer) s \<and> n < msgMaxLength"
|
||||
and P'=UNIV
|
||||
in ccorres_from_vcg_throws)
|
||||
apply (simp add: return_def split del: split_if)
|
||||
apply (simp add: return_def split del: if_split)
|
||||
apply (rule allI, rule conseqPre, vcg)
|
||||
apply (clarsimp split del: split_if)
|
||||
apply (clarsimp split del: if_split)
|
||||
apply (frule(1) user_word_at_cross_over, rule refl)
|
||||
apply (clarsimp simp: ptr_add_def mult.commute
|
||||
msgMaxLength_def)
|
||||
|
@ -1325,7 +1325,7 @@ lemma getSyscallArg_ccorres_foo:
|
|||
apply (drule equalityD2)
|
||||
apply clarsimp
|
||||
apply (drule use_valid, rule getMRs_length, assumption)
|
||||
apply (simp add: n_msgRegisters_def split: split_if_asm)
|
||||
apply (simp add: n_msgRegisters_def split: if_split_asm)
|
||||
apply (rule conjI)
|
||||
apply (clarsimp simp: option_to_ptr_def option_to_0_def
|
||||
word_less_nat_alt word_le_nat_alt unat_of_nat32 word_bits_def
|
||||
|
@ -1334,7 +1334,7 @@ lemma getSyscallArg_ccorres_foo:
|
|||
apply clarsimp
|
||||
apply (drule use_valid, rule getMRs_length)
|
||||
apply (simp add: word_le_nat_alt msgMaxLength_def)
|
||||
apply (simp split: split_if_asm)
|
||||
apply (simp split: if_split_asm)
|
||||
apply (rule conjI, clarsimp simp: cur_tcb'_def)
|
||||
apply clarsimp
|
||||
apply (clarsimp simp: bind_def gets_def return_def split_def get_def)
|
||||
|
@ -1351,7 +1351,7 @@ lemma invocation_eq_use_type:
|
|||
apply (fold invocation_type_eq, unfold invocationType_def)
|
||||
apply (simp add: maxBound_is_length Let_def toEnum_def
|
||||
nth_eq_iff_index_eq nat_le_Suc_less_imp
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
apply (intro impI conjI)
|
||||
apply (simp add: enum_invocation_label)
|
||||
apply (subgoal_tac "InvalidInvocation = enum ! 0")
|
||||
@ -41,7 +41,7 @@ lemma one_on_true_True[simp]: "one_on_true True = 1"
|
|||
by (simp add: one_on_true_def)
|
||||
|
||||
lemma one_on_true_eq_0[simp]: "(one_on_true P = 0) = (\<not> P)"
|
||||
by (simp add: one_on_true_def split: split_if)
|
||||
by (simp add: one_on_true_def split: if_split)
|
||||
|
||||
lemma cap_cases_one_on_true_sum:
|
||||
"one_on_true (isZombie cap) + one_on_true (isArchObjectCap cap)
|
||||
|
@ -352,7 +352,7 @@ lemma wordFromRights_mask_0:
|
|||
"wordFromRights rghts && ~~ mask 4 = 0"
|
||||
apply (simp add: wordFromRights_def word_ao_dist word_or_zero
|
||||
split: cap_rights.split)
|
||||
apply (simp add: mask_def split: split_if)
|
||||
apply (simp add: mask_def split: if_split)
|
||||
done
|
||||
|
||||
lemma wordFromRights_mask_eq:
|
||||
|
@ -503,7 +503,7 @@ lemma handleInvocation_def2:
|
|||
apply (simp cong: bind_cong add: ts_Restart_case_helper')
|
||||
apply (simp add: when_def[symmetric] replyOnRestart_def[symmetric])
|
||||
apply (simp add: liftE_def replyOnRestart_twice alternative_bind
|
||||
alternative_refl split: split_if)
|
||||
alternative_refl split: if_split)
|
||||
done
|
||||
|
||||
lemma thread_state_to_tsType_eq_Restart:
|
||||
|
@ -670,7 +670,7 @@ lemma sendFaultIPC_ccorres:
|
|||
apply (simp add: cfault_rel_def)
|
||||
apply (clarsimp)
|
||||
apply (clarsimp simp: seL4_Fault_lift_def Let_def is_cap_fault_def
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
apply ceqv
|
||||
|
||||
apply csymbr
|
||||
|
@ -828,7 +828,7 @@ lemma getMessageInfo_msgLength':
|
|||
apply wp
|
||||
apply (rule hoare_strengthen_post, rule hoare_vcg_prop)
|
||||
apply (simp add: messageInfoFromWord_def Let_def msgMaxLength_def not_less
|
||||
Types_H.msgExtraCapBits_def split: split_if )
|
||||
Types_H.msgExtraCapBits_def split: if_split )
|
||||
done
|
||||
|
||||
lemma handleInvocation_ccorres:
|
||||
@ -77,7 +77,7 @@ next
|
|||
proof (rule conjI)
|
||||
show "?prev tcb (tcb' # tcbs) qprev'"
|
||||
using ih [THEN conjunct1] tcbp_not_tcb' hd_tcbs tcbsnz
|
||||
apply (clarsimp split: split_if_asm)
|
||||
apply (clarsimp split: if_split_asm)
|
||||
apply fastforce
|
||||
apply (rule_tac x = "Suc n" in exI)
|
||||
apply simp
|
||||
|
@ -85,7 +85,7 @@ next
|
|||
next
|
||||
show "?next tcb (tcb' # tcbs)"
|
||||
using ih [THEN conjunct2] tcbp_not_tcb' hd_tcbs tcbsnz
|
||||
apply (clarsimp split: split_if_asm)
|
||||
apply (clarsimp split: if_split_asm)
|
||||
apply (rule_tac x = "Suc n" in exI)
|
||||
apply simp
|
||||
done
|
||||
|
@ -121,7 +121,7 @@ lemma tcb_queue_valid_ptrsD:
|
|||
apply (frule (3) tcb_queue_memberD)
|
||||
apply (elim exE)
|
||||
apply (frule (3) tcb_queueD)
|
||||
apply (auto intro!: tcb_at_h_t_valid elim!: bspec split: split_if_asm)
|
||||
apply (auto intro!: tcb_at_h_t_valid elim!: bspec split: if_split_asm)
|
||||
done
|
||||
|
||||
lemma tcb_queue_relation_restrict0:
|
||||
|
@ -301,7 +301,7 @@ lemma tcb_queue_relation_ptr_rel:
|
|||
apply -
|
||||
apply (frule (3) tcb_queueD)
|
||||
apply (frule (2) tcb_queue_relation_not_NULL')
|
||||
apply (simp split: split_if_asm)
|
||||
apply (simp split: if_split_asm)
|
||||
apply (rule not_sym)
|
||||
apply (rule notI)
|
||||
apply simp
|
||||
|
@ -437,7 +437,7 @@ lemma tcb_queue_next_prev:
|
|||
apply simp
|
||||
apply (cut_tac bspec [OF tcb_queue_relation_not_NULL, OF qr valid_ep(1) tq(1)])
|
||||
apply (cut_tac bspec [OF tcb_queue_relation_not_NULL, OF qr valid_ep(1) tq(2)])
|
||||
apply (simp add: inj_eq split: split_if_asm)
|
||||
apply (simp add: inj_eq split: if_split_asm)
|
||||
apply clarsimp
|
||||
apply clarsimp
|
||||
subgoal by (clarsimp simp: last_conv_nth distinct_nth distinct_nth_cons)
|
||||
|
@ -623,7 +623,7 @@ next
|
|||
by (simp add: upd_unless_null_def)
|
||||
|
||||
thus ?thesis using qp qh tq cs_tcb tcbp Cons nnull
|
||||
apply (simp (no_asm) add: tcbp Cons split del: split_if)
|
||||
apply (simp (no_asm) add: tcbp Cons split del: if_split)
|
||||
apply (subst tcb_queue_relation_cong [OF refl refl refl mpeq])
|
||||
apply assumption
|
||||
apply (clarsimp simp: f)
|
||||
|
@ -717,7 +717,7 @@ proof -
|
|||
using queue_rel in_queue cs_tcb
|
||||
apply -
|
||||
apply (drule tcb_queue_relation'_queue_rel)
|
||||
apply (clarsimp split: split_if)
|
||||
apply (clarsimp split: if_split)
|
||||
apply (cases queue)
|
||||
apply simp
|
||||
apply clarsimp
|
||||
|
@ -776,14 +776,14 @@ proof -
|
|||
apply simp
|
||||
apply (subgoal_tac "(remove1 (last queue) queue) \<noteq> []")
|
||||
apply (clarsimp simp: inj_eq last_conv_nth nth_eq_iff_index_eq length_remove1
|
||||
distinct_remove1_take_drop split: split_if_asm)
|
||||
distinct_remove1_take_drop split: if_split_asm)
|
||||
apply arith
|
||||
apply (clarsimp simp: remove1_empty last_conv_nth hd_conv_nth nth_eq_iff_index_eq not_le split: split_if_asm)
|
||||
apply (clarsimp simp: remove1_empty last_conv_nth hd_conv_nth nth_eq_iff_index_eq not_le split: if_split_asm)
|
||||
apply (cases queue)
|
||||
apply simp
|
||||
apply simp
|
||||
apply (fastforce simp: inj_eq split: split_if_asm)
|
||||
apply (clarsimp simp: last_conv_nth distinct_remove1_take_drop nth_eq_iff_index_eq inj_eq split: split_if_asm)
|
||||
apply (fastforce simp: inj_eq split: if_split_asm)
|
||||
apply (clarsimp simp: last_conv_nth distinct_remove1_take_drop nth_eq_iff_index_eq inj_eq split: if_split_asm)
|
||||
apply arith
|
||||
apply (simp add: nth_append min_def nth_eq_iff_index_eq)
|
||||
apply clarsimp
|
||||
|
@ -852,7 +852,7 @@ next
|
|||
hence "ctcb_ptr_to_tcb_ptr (getNext tcb) \<in> set queue" using assms
|
||||
apply -
|
||||
apply (drule (3) tcb_queueD)
|
||||
apply (clarsimp split: split_if_asm)
|
||||
apply (clarsimp split: if_split_asm)
|
||||
done
|
||||
|
||||
with valid_ep(1) have "tcb_at' (ctcb_ptr_to_tcb_ptr (getNext tcb)) s" ..
|
||||
|
@ -877,7 +877,7 @@ next
|
|||
hence "ctcb_ptr_to_tcb_ptr (getPrev tcb) \<in> set queue" using assms
|
||||
apply -
|
||||
apply (drule (3) tcb_queueD)
|
||||
apply (clarsimp split: split_if_asm)
|
||||
apply (clarsimp split: if_split_asm)
|
||||
done
|
||||
|
||||
with valid_ep(1) have "tcb_at' (ctcb_ptr_to_tcb_ptr (getPrev tcb)) s" ..
|
||||
@ -116,7 +116,7 @@ lemma getObject_state:
|
|||
\<Longrightarrow> (if t = t' then tcbState_update (\<lambda>_. st) x else x,
|
||||
s'\<lparr>ksPSpace := ksPSpace s(t \<mapsto> KOTCB (tcbState_update (\<lambda>_. st) ko))\<rparr>)
|
||||
\<in> fst (getObject t' (s\<lparr>ksPSpace := ksPSpace s(t \<mapsto> KOTCB (tcbState_update (\<lambda>_. st) ko))\<rparr>))"
|
||||
apply (simp split: split_if)
|
||||
apply (simp split: if_split)
|
||||
apply (rule conjI)
|
||||
apply clarsimp
|
||||
apply (clarsimp simp: getObject_def split_def loadObject_default_def in_monad
|
||||
|
@ -125,7 +125,7 @@ lemma getObject_state:
|
|||
apply (simp add: magnitudeCheck_def in_monad split: option.splits)
|
||||
apply clarsimp
|
||||
apply (simp add: lookupAround2_char2)
|
||||
apply (clarsimp split: split_if_asm)
|
||||
apply (clarsimp split: if_split_asm)
|
||||
apply (erule_tac x=x2 in allE)
|
||||
apply (clarsimp simp: ps_clear_def)
|
||||
apply (drule_tac x=x2 in orthD2)
|
||||
|
@ -142,7 +142,7 @@ lemma getObject_state:
|
|||
apply (simp add: magnitudeCheck_def in_monad split: option.splits)
|
||||
apply clarsimp
|
||||
apply (simp add: lookupAround2_char2)
|
||||
apply (clarsimp split: split_if_asm)
|
||||
apply (clarsimp split: if_split_asm)
|
||||
apply (erule_tac x=t in allE)
|
||||
apply simp
|
||||
apply (clarsimp simp: obj_at'_real_def projectKOs
|
||||
|
@ -207,7 +207,7 @@ lemma asUser_state:
|
|||
apply (clarsimp simp: setObject_def split_def updateObject_default_def threadGet_def
|
||||
in_magnitude_check' getObject_def loadObject_default_def liftM_def
|
||||
objBits_simps projectKOs in_monad)
|
||||
apply (simp split: split_if)
|
||||
apply (simp split: if_split)
|
||||
apply (rule conjI)
|
||||
apply (clarsimp simp: obj_at'_def projectKOs objBits_simps)
|
||||
apply (clarsimp simp: magnitudeCheck_def in_monad split: option.splits)
|
||||
|
@ -215,12 +215,12 @@ lemma asUser_state:
|
|||
apply clarsimp
|
||||
apply (cases s, simp)
|
||||
apply (rule ext)
|
||||
apply (clarsimp split: split_if)
|
||||
apply (clarsimp split: if_split)
|
||||
apply (cases ko)
|
||||
apply clarsimp
|
||||
apply clarsimp
|
||||
apply (rule conjI)
|
||||
apply (clarsimp simp add: lookupAround2_char2 split: split_if_asm)
|
||||
apply (clarsimp simp add: lookupAround2_char2 split: if_split_asm)
|
||||
apply (erule_tac x=x2 in allE)
|
||||
apply simp
|
||||
apply (simp add: ps_clear_def)
|
||||
|
@ -236,17 +236,17 @@ lemma asUser_state:
|
|||
apply (rule conjI, fastforce)
|
||||
apply clarsimp
|
||||
apply (cases s, clarsimp)
|
||||
apply (rule ext, clarsimp split: split_if)
|
||||
apply (rule ext, clarsimp split: if_split)
|
||||
apply (cases ko, clarsimp)
|
||||
apply (clarsimp simp: magnitudeCheck_def in_monad split: option.splits)
|
||||
apply (rule conjI)
|
||||
apply clarsimp
|
||||
apply (cases s, clarsimp)
|
||||
apply (rule ext, clarsimp split: split_if)
|
||||
apply (rule ext, clarsimp split: if_split)
|
||||
apply (case_tac tcb, clarsimp)
|
||||
apply clarsimp
|
||||
apply (rule conjI)
|
||||
apply (clarsimp simp add: lookupAround2_char2 split: split_if_asm)
|
||||
apply (clarsimp simp add: lookupAround2_char2 split: if_split_asm)
|
||||
apply (clarsimp simp: obj_at'_real_def ko_wp_at'_def projectKOs objBits_simps)
|
||||
apply (erule_tac x=t in allE)
|
||||
apply simp
|
||||
|
@ -276,7 +276,7 @@ lemma asUser_state:
|
|||
apply (rule conjI, fastforce)
|
||||
apply clarsimp
|
||||
apply (cases s, clarsimp)
|
||||
apply (rule ext, clarsimp split: split_if)
|
||||
apply (rule ext, clarsimp split: if_split)
|
||||
apply (case_tac tcb, clarsimp)
|
||||
done
|
||||
|
||||
|
@ -325,10 +325,10 @@ lemma getMRs_rel_state:
|
|||
apply (simp add: cur_tcb'_def)
|
||||
apply (rule conjI)
|
||||
apply (clarsimp simp: obj_at'_real_def ko_wp_at'_def projectKOs
|
||||
objBits_simps ps_clear_def split: split_if)
|
||||
objBits_simps ps_clear_def split: if_split)
|
||||
apply (clarsimp simp: valid_ipc_buffer_ptr'_def split: option.splits)
|
||||
apply (clarsimp simp: typ_at'_def ko_wp_at'_def projectKOs obj_at'_real_def
|
||||
objBits_simps ps_clear_def split: split_if)
|
||||
objBits_simps ps_clear_def split: if_split)
|
||||
apply (clarsimp simp: getMRs_def in_monad)
|
||||
apply (frule use_valid, rule asUser_inv [where P="op = s"])
|
||||
apply (wp mapM_wp' getRegister_inv)[1]
|
||||
|
@ -351,7 +351,7 @@ lemma getMRs_rel_state:
|
|||
apply (rule conjI)
|
||||
apply (clarsimp simp: pointerInUserData_def typ_at'_def ko_wp_at'_def
|
||||
projectKOs ps_clear_def obj_at'_real_def
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
apply (erule doMachineOp_state)
|
||||
done
|
||||
|
||||
|
@ -379,7 +379,7 @@ lemma setThreadState_getMRs_rel:
|
|||
apply (drule obj_at_ko_at')+
|
||||
apply (clarsimp simp del: fun_upd_apply)
|
||||
apply (rule exI, rule conjI, assumption)
|
||||
apply (clarsimp split: split_if simp del: fun_upd_apply)
|
||||
apply (clarsimp split: if_split simp del: fun_upd_apply)
|
||||
apply (simp add: getMRs_rel_state)
|
||||
done
|
||||
|
||||
|
@ -405,7 +405,7 @@ lemma distinct_remove1_filter:
|
|||
"distinct xs \<Longrightarrow> remove1 v xs = [x\<leftarrow>xs. x \<noteq> v]"
|
||||
apply (induct xs)
|
||||
apply simp
|
||||
apply (clarsimp split: split_if)
|
||||
apply (clarsimp split: if_split)
|
||||
apply (rule sym, simp add: filter_id_conv)
|
||||
apply clarsimp
|
||||
done
|
||||
|
@ -1119,7 +1119,7 @@ lemma invokeTCB_CopyRegisters_ccorres:
|
|||
apply wp
|
||||
apply (simp add: pred_conj_def guard_is_UNIV_def cong: if_cong
|
||||
| wp mapM_x_wp' static_imp_wp)+
|
||||
apply (clarsimp simp: Collect_const_mem from_bool_def true_def split: split_if)
|
||||
apply (clarsimp simp: Collect_const_mem from_bool_def true_def split: if_split)
|
||||
apply (auto simp: invs'_def valid_state'_def global'_no_ex_cap sch_act_simple_imp_weak_sch_act_wf)
|
||||
done
|
||||
|
||||
|
@ -1173,7 +1173,7 @@ lemma getObject_context:
|
|||
\<Longrightarrow> (if t = t' then tcbContext_update (\<lambda>_. st) x else x,
|
||||
s'\<lparr>ksPSpace := ksPSpace s(t \<mapsto> KOTCB (tcbContext_update (\<lambda>_. st) ko))\<rparr>)
|
||||
\<in> fst (getObject t' (s\<lparr>ksPSpace := ksPSpace s(t \<mapsto> KOTCB (tcbContext_update (\<lambda>_. st) ko))\<rparr>))"
|
||||
apply (simp split: split_if)
|
||||
apply (simp split: if_split)
|
||||
apply (rule conjI)
|
||||
apply clarsimp
|
||||
apply (clarsimp simp: getObject_def split_def loadObject_default_def in_monad
|
||||
|
@ -1182,7 +1182,7 @@ lemma getObject_context:
|
|||
apply (simp add: magnitudeCheck_def in_monad split: option.splits)
|
||||
apply clarsimp
|
||||
apply (simp add: lookupAround2_char2)
|
||||
apply (clarsimp split: split_if_asm)
|
||||
apply (clarsimp split: if_split_asm)
|
||||
apply (erule_tac x=x2 in allE)
|
||||
apply (clarsimp simp: ps_clear_def)
|
||||
apply (drule_tac x=x2 in orthD2)
|
||||
|
@ -1200,7 +1200,7 @@ lemma getObject_context:
|
|||
apply (simp add: magnitudeCheck_def in_monad split: option.splits)
|
||||
apply clarsimp
|
||||
apply (simp add: lookupAround2_char2)
|
||||
apply (clarsimp split: split_if_asm)
|
||||
apply (clarsimp split: if_split_asm)
|
||||
apply (erule_tac x=t in allE)
|
||||
apply simp
|
||||
apply (clarsimp simp: obj_at'_real_def projectKOs
|
||||
|
@ -1272,12 +1272,12 @@ lemma asUser_context:
|
|||
apply (rule conjI)
|
||||
apply clarsimp
|
||||
apply (cases s, simp)
|
||||
apply (rule ext, clarsimp split: split_if)
|
||||
apply (rule ext, clarsimp split: if_split)
|
||||
apply (case_tac tcb, simp)
|
||||
|
||||
apply clarsimp
|
||||
apply (rule conjI)
|
||||
apply (clarsimp simp add: lookupAround2_char2 split: split_if_asm)
|
||||
apply (clarsimp simp add: lookupAround2_char2 split: if_split_asm)
|
||||
apply (clarsimp simp: obj_at'_real_def ko_wp_at'_def projectKOs objBits_simps)
|
||||
apply (erule_tac x=t in allE)
|
||||
apply simp
|
||||
|
@ -1307,7 +1307,7 @@ lemma asUser_context:
|
|||
apply (rule conjI, fastforce)
|
||||
apply clarsimp
|
||||
apply (cases s, clarsimp)
|
||||
apply (rule ext, clarsimp split: split_if)
|
||||
apply (rule ext, clarsimp split: if_split)
|
||||
apply (case_tac tcb, clarsimp)
|
||||
done
|
||||
|
||||
|
@ -1325,10 +1325,10 @@ lemma getMRs_rel_context:
|
|||
apply (simp add: cur_tcb'_def)
|
||||
apply (rule conjI)
|
||||
apply (clarsimp simp: obj_at'_real_def ko_wp_at'_def projectKOs
|
||||
objBits_simps ps_clear_def split: split_if)
|
||||
objBits_simps ps_clear_def split: if_split)
|
||||
apply (clarsimp simp: valid_ipc_buffer_ptr'_def split: option.splits)
|
||||
apply (clarsimp simp: typ_at'_def ko_wp_at'_def projectKOs obj_at'_real_def
|
||||
objBits_simps ps_clear_def split: split_if)
|
||||
objBits_simps ps_clear_def split: if_split)
|
||||
apply (clarsimp simp: getMRs_def in_monad)
|
||||
apply (frule use_valid, rule asUser_inv [where P="op = s"])
|
||||
apply (wp mapM_wp' getRegister_inv)[1]
|
||||
|
@ -1352,7 +1352,7 @@ lemma getMRs_rel_context:
|
|||
apply (rule conjI)
|
||||
apply (clarsimp simp: pointerInUserData_def typ_at'_def ko_wp_at'_def
|
||||
projectKOs ps_clear_def obj_at'_real_def
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
apply (erule doMachineOp_context)
|
||||
done
|
||||
|
||||
|
@ -1372,7 +1372,7 @@ lemma asUser_getMRs_rel:
|
|||
apply (drule obj_at_ko_at')+
|
||||
apply (clarsimp simp del: fun_upd_apply)
|
||||
apply (rule exI, rule conjI, assumption)
|
||||
apply (clarsimp split: split_if simp del: fun_upd_apply)
|
||||
apply (clarsimp split: if_split simp del: fun_upd_apply)
|
||||
apply (erule getMRs_rel_context, simp)
|
||||
apply (clarsimp simp: obj_at'_real_def ko_wp_at'_def projectKOs)
|
||||
apply simp
|
||||
|
@ -1531,7 +1531,7 @@ lemma invokeTCB_WriteRegisters_ccorres[where S=UNIV]:
|
|||
apply (simp add: performTransfer_def)
|
||||
apply wp
|
||||
apply vcg
|
||||
apply (clarsimp simp: n_msgRegisters_def sysargs_rel_n_def split: split_if)
|
||||
apply (clarsimp simp: n_msgRegisters_def sysargs_rel_n_def split: if_split)
|
||||
apply (rule conjI)
|
||||
apply (cases args, simp)
|
||||
apply (case_tac list, simp)
|
||||
|
@ -1539,7 +1539,7 @@ lemma invokeTCB_WriteRegisters_ccorres[where S=UNIV]:
|
|||
apply simp
|
||||
apply (clarsimp simp: frame_gp_registers_convs word_less_nat_alt
|
||||
sysargs_rel_def n_frameRegisters_def n_msgRegisters_def
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
done
|
||||
|
||||
lemma invokeTCB_Suspend_ccorres:
|
||||
|
@ -1649,7 +1649,7 @@ shows
|
|||
apply (rename_tac cthread,
|
||||
rule_tac P="cthread = tcb_ptr_to_ctcb_ptr thread" in ccorres_gen_asm2)
|
||||
apply (rule ccorres_split_nothrow_dc)
|
||||
apply (simp add: when_def del: Collect_const split del: split_if)
|
||||
apply (simp add: when_def del: Collect_const split del: if_split)
|
||||
apply (rule ccorres_cond2[where R=\<top>], simp add: from_bool_0 Collect_const_mem)
|
||||
apply (ctac add: suspend_ccorres[OF cteDeleteOne_ccorres])
|
||||
apply (rule ccorres_return_Skip)
|
||||
|
@ -1706,13 +1706,13 @@ shows
|
|||
apply (clarsimp simp: obj_at'_def projectKOs asUser_fetch_def
|
||||
frame_gp_registers_convs genericTake_def
|
||||
nth_append
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
apply (simp add: n_frameRegisters_def n_msgRegisters_def)
|
||||
apply (simp add: frame_gp_registers_convs msg_registers_convs
|
||||
n_msgRegisters_def n_frameRegisters_def
|
||||
n_gpRegisters_def msgMaxLength_def msgLengthBits_def
|
||||
split: option.split)
|
||||
apply (simp add: min_def word_less_nat_alt split: split_if)[1]
|
||||
apply (simp add: min_def word_less_nat_alt split: if_split)[1]
|
||||
apply arith
|
||||
apply (rule allI, rule conseqPre, vcg exspec=setRegister_modifies
|
||||
exspec=getRegister_modifies)
|
||||
|
@ -1807,8 +1807,8 @@ shows
|
|||
n_gpRegisters_def Types_H.msgMaxLength_def
|
||||
Types_H.msgLengthBits_def
|
||||
split: option.split)
|
||||
apply (simp add: min_def word_less_nat_alt split: split_if)[1]
|
||||
apply (simp split: split_if_asm, arith+)[1]
|
||||
apply (simp add: min_def word_less_nat_alt split: if_split)[1]
|
||||
apply (simp split: if_split_asm, arith+)[1]
|
||||
apply (rule allI, rule conseqPre, vcg)
|
||||
apply clarsimp
|
||||
apply (wp)
|
||||
|
@ -1820,7 +1820,7 @@ shows
|
|||
msgMaxLength_def Types_H.msgLengthBits_def
|
||||
n_gpRegisters_def msg_registers_convs
|
||||
split: option.split_asm)
|
||||
apply (simp add: min_def split: split_if_asm split_if)
|
||||
apply (simp add: min_def split: if_split_asm if_split)
|
||||
apply arith
|
||||
apply (drule_tac s=rv'a in sym, simp)
|
||||
apply (rule_tac P=\<top> and P'="{s. i_' s = rv'a}" in ccorres_inst)
|
||||
|
@ -1833,12 +1833,12 @@ shows
|
|||
apply (rule ccorres_guard_imp2, rule ccorres_return_Skip')
|
||||
apply (simp add: n_msgRegisters_def n_frameRegisters_def
|
||||
n_gpRegisters_def cong: option.case_cong)
|
||||
apply (simp add: min_def split: split_if option.split)
|
||||
apply (simp add: min_def split: if_split option.split)
|
||||
apply (simp add: mapM_x_Nil)
|
||||
apply (rule ccorres_guard_imp2, rule ccorres_return_Skip')
|
||||
apply (simp add: n_msgRegisters_def n_frameRegisters_def
|
||||
n_gpRegisters_def cong: option.case_cong)
|
||||
apply (simp add: min_def split: split_if option.split)
|
||||
apply (simp add: min_def split: if_split option.split)
|
||||
apply (clarsimp simp only: unat_arith_simps, simp)
|
||||
apply (clarsimp simp: less_diff_conv word_le_nat_alt linorder_not_less)
|
||||
apply (subst(asm) unat_of_nat32)
|
||||
|
@ -1895,7 +1895,7 @@ shows
|
|||
n_msgRegisters_def n_frameRegisters_def
|
||||
n_gpRegisters_def msgMaxLength_def msgLengthBits_def
|
||||
del: upt.simps upt_rec_numeral)
|
||||
apply (simp add: min_def split: split_if_asm)
|
||||
apply (simp add: min_def split: if_split_asm)
|
||||
apply (rule frame_gp_registers_convs)
|
||||
apply (simp add: frame_gp_registers_convs n_msgRegisters_def n_frameRegisters_def
|
||||
n_gpRegisters_def msgMaxLength_def msgLengthBits_def
|
||||
|
@ -1911,7 +1911,7 @@ shows
|
|||
nth_append frame_gp_registers_convs
|
||||
n_frameRegisters_def n_gpRegisters_def
|
||||
n_msgRegisters_def frame_gp_registers_convs
|
||||
cong: if_cong split: split_if)
|
||||
cong: if_cong split: if_split)
|
||||
apply (clarsimp simp: frame_gp_registers_convs n_gpRegisters_def
|
||||
min.absorb1 unat_of_nat)
|
||||
apply (clarsimp simp: less_diff_conv)
|
||||
|
@ -1920,11 +1920,11 @@ shows
|
|||
n_msgRegisters_def frame_gp_registers_convs
|
||||
Types_H.msgMaxLength_def Types_H.msgLengthBits_def
|
||||
msg_registers_convs
|
||||
cong: if_cong split: split_if)
|
||||
cong: if_cong split: if_split)
|
||||
apply (simp add: word_less_nat_alt unat_of_nat)
|
||||
apply (simp add: iffD1[OF unat_add_lem] cong: conj_cong)
|
||||
apply (simp add: min_def
|
||||
split: split_if split_if_asm, arith+)[1]
|
||||
split: if_split if_split_asm, arith+)[1]
|
||||
apply (rule allI, rule conseqPre, vcg)
|
||||
apply clarsimp
|
||||
apply wp
|
||||
|
@ -1964,11 +1964,11 @@ shows
|
|||
split: option.split_asm)
|
||||
apply (clarsimp simp: min_def iffD2 [OF mask_eq_iff_w2p] word_size
|
||||
word_less_nat_alt
|
||||
split: split_if_asm dest!: word_unat.Rep_inverse')
|
||||
split: if_split_asm dest!: word_unat.Rep_inverse')
|
||||
apply (clarsimp simp: length_msgRegisters n_msgRegisters_def)
|
||||
apply (clarsimp simp: min_def iffD2 [OF mask_eq_iff_w2p] word_size
|
||||
word_less_nat_alt
|
||||
split: split_if_asm dest!: word_unat.Rep_inverse')
|
||||
split: if_split_asm dest!: word_unat.Rep_inverse')
|
||||
apply unat_arith
|
||||
apply simp
|
||||
apply (wp mapM_x_wp' sch_act_wf_lift valid_queues_lift static_imp_wp
|
||||
|
@ -1986,7 +1986,7 @@ shows
|
|||
n_frameRegisters_def n_gpRegisters_def
|
||||
msgMaxLength_def msgLengthBits_def
|
||||
word_less_nat_alt unat_of_nat)
|
||||
apply (simp add: min_def split: split_if_asm)
|
||||
apply (simp add: min_def split: if_split_asm)
|
||||
apply (wp_once hoare_drop_imps)
|
||||
apply (wp asUser_obj_at'[where t'=target] static_imp_wp
|
||||
asUser_valid_ipc_buffer_ptr')
|
||||
|
@ -2030,7 +2030,7 @@ shows
|
|||
apply vcg
|
||||
apply (rule conseqPre, vcg, clarsimp)
|
||||
apply (clarsimp simp: rf_sr_ksCurThread ct_in_state'_def true_def
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
done
|
||||
|
||||
lemma capTCBPtr_eq:
|
||||
|
@ -2130,7 +2130,7 @@ lemma decodeReadRegisters_ccorres:
|
|||
apply (rule ccorres_nondet_refinement)
|
||||
apply (rule is_nondet_refinement_bindE)
|
||||
apply (rule is_nondet_refinement_refl)
|
||||
apply (simp split: split_if)
|
||||
apply (simp split: if_split)
|
||||
apply (rule conjI[rotated], rule impI, rule is_nondet_refinement_refl)
|
||||
apply (rule impI)
|
||||
apply (rule is_nondet_refinement_alternative1)
|
||||
|
@ -2162,7 +2162,7 @@ lemma decodeReadRegisters_ccorres:
|
|||
valid_tcb_state'_def
|
||||
elim!: pred_tcb'_weakenE
|
||||
dest!: st_tcb_at_idle_thread')[1]
|
||||
apply (clarsimp simp: from_bool_def word_and_1 split: split_if)
|
||||
apply (clarsimp simp: from_bool_def word_and_1 split: if_split)
|
||||
done
|
||||
|
||||
lemma decodeWriteRegisters_ccorres:
|
||||
|
@ -2276,7 +2276,7 @@ lemma decodeWriteRegisters_ccorres:
|
|||
apply (clarsimp simp: genericTake_def linorder_not_less)
|
||||
apply (subst hd_conv_nth, clarsimp simp: unat_eq_0)
|
||||
apply (clarsimp simp: from_bool_def word_and_1
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
done
|
||||
|
||||
lemma excaps_map_Nil: "(excaps_map caps = []) = (caps = [])"
|
||||
|
@ -2407,7 +2407,7 @@ lemma decodeCopyRegisters_ccorres:
|
|||
dest!: st_tcb_at_idle_thread' interpret_excaps_eq)[1]
|
||||
apply (clarsimp simp: word_sle_def CopyRegistersFlags_defs word_sless_def
|
||||
"StrictC'_thread_state_defs" rf_sr_ksCurThread
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
apply (drule interpret_excaps_eq)
|
||||
apply (clarsimp simp: mask_def excaps_map_def split_def ccap_rights_relation_def
|
||||
rightsFromWord_wordFromRights excaps_map_Nil)
|
||||
|
@ -2415,7 +2415,7 @@ lemma decodeCopyRegisters_ccorres:
|
|||
drule(1) cap_get_tag_to_H)
|
||||
apply (clarsimp simp: cap_get_tag_isCap to_bool_def)
|
||||
apply (auto simp: unat_eq_of_nat word_and_1_shiftls
|
||||
word_and_1_shiftl [where n=3,simplified] cap_get_tag_isCap[symmetric] split: split_if_asm)
|
||||
word_and_1_shiftl [where n=3,simplified] cap_get_tag_isCap[symmetric] split: if_split_asm)
|
||||
done
|
||||
|
||||
(* FIXME: move *)
|
||||
|
@ -2439,7 +2439,7 @@ lemma ccap_relation_gen_framesize_to_H:
|
|||
apply (frule(1) iffD1 [OF cap_get_tag_PageCap_frame])
|
||||
apply (clarsimp simp: cap_frame_cap_lift generic_frame_cap_get_capFSize_CL_def)
|
||||
apply (simp add: gen_framesize_to_H_def framesize_to_H_def
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
apply (clarsimp simp: ccap_relation_def c_valid_cap_def
|
||||
cl_valid_cap_def)
|
||||
apply (simp add: cap_get_tag_isCap isCap_simps pageSize_def)
|
||||
|
@ -2451,7 +2451,7 @@ lemma isDevice_PageCap_ccap_relation:
|
|||
by (clarsimp elim!: ccap_relationE
|
||||
simp: isPageCap_def generic_frame_cap_get_capFIsDevice_CL_def cap_to_H_def
|
||||
Let_def to_bool_def
|
||||
split: arch_capability.split_asm cap_CL.split_asm split_if_asm)
|
||||
split: arch_capability.split_asm cap_CL.split_asm if_split_asm)
|
||||
|
||||
lemma checkValidIPCBuffer_ccorres:
|
||||
"ccorres (syscall_error_rel \<currency> dc) (liftxf errstate id (K ()) ret__unsigned_long_')
|
||||
|
@ -2526,7 +2526,7 @@ apply (simp add:checkValidIPCBuffer_def ARM_H.checkValidIPCBuffer_def)
|
|||
apply (case_tac cp)
|
||||
apply (clarsimp simp: syscall_error_rel_def syscall_error_to_H_cases isCap_simps
|
||||
exception_defs throwError_def return_def if_1_0_0
|
||||
split: capability.split arch_capability.split split_if_asm)+
|
||||
split: capability.split arch_capability.split if_split_asm)+
|
||||
apply (simp add: cap_get_tag_isCap isCap_simps pageSize_def Cond_if_mem)
|
||||
apply (frule ccap_relation_page_is_device)
|
||||
apply (auto simp add: isCap_simps isDeviceCap.simps pageSize_def
|
||||
|
@ -2547,7 +2547,7 @@ apply (simp add:checkValidIPCBuffer_def ARM_H.checkValidIPCBuffer_def)
|
|||
apply (case_tac cp)
|
||||
apply (auto simp: syscall_error_rel_def syscall_error_to_H_cases isCap_simps
|
||||
exception_defs throwError_def return_def if_1_0_0
|
||||
split: capability.split arch_capability.split split_if_asm)
|
||||
split: capability.split arch_capability.split if_split_asm)
|
||||
done
|
||||
|
||||
lemma slotCapLongRunningDelete_ccorres:
|
||||
|
@ -2610,7 +2610,7 @@ lemma empty_fail_slotCapLongRunningDelete:
|
|||
"empty_fail (slotCapLongRunningDelete slot)"
|
||||
by (auto simp: slotCapLongRunningDelete_def Let_def
|
||||
case_Null_If isFinalCapability_def
|
||||
split: split_if
|
||||
split: if_split
|
||||
intro!: empty_fail_bind)
|
||||
|
||||
definition
|
||||
|
@ -2624,7 +2624,7 @@ lemma isValidVTableRoot_spec:
|
|||
{s'. ret__unsigned_long_' s' = from_bool (isValidVTableRoot_C (cap_' s))}"
|
||||
apply vcg
|
||||
apply (clarsimp simp: isValidVTableRoot_C_def if_1_0_0 from_bool_0)
|
||||
apply (simp add: from_bool_def to_bool_def false_def split: split_if)
|
||||
apply (simp add: from_bool_def to_bool_def false_def split: if_split)
|
||||
done
|
||||
|
||||
lemma isValidVTableRoot_conv:
|
||||
|
@ -2640,7 +2640,7 @@ lemma isValidVTableRoot_conv:
|
|||
apply (clarsimp simp: ccap_relation_def map_option_Some_eq2
|
||||
cap_page_directory_cap_lift cap_to_H_def
|
||||
from_bool_def)
|
||||
apply (clarsimp simp: to_bool_def split: split_if)
|
||||
apply (clarsimp simp: to_bool_def split: if_split)
|
||||
apply (clarsimp simp: cap_get_tag_isCap cap_get_tag_isCap_ArchObject)
|
||||
apply (simp split: arch_capability.split_asm add: isCap_simps)
|
||||
apply (case_tac "cap_get_tag cap' = scast cap_page_directory_cap")
|
||||
|
@ -2656,7 +2656,7 @@ lemma updateCapData_spec:
|
|||
|
||||
lemma if_n_updateCapData_valid_strg:
|
||||
"s \<turnstile>' cap \<longrightarrow> s \<turnstile>' (if P then cap else updateCapData prs v cap)"
|
||||
by (simp add: valid_updateCapDataI split: split_if)
|
||||
by (simp add: valid_updateCapDataI split: if_split)
|
||||
|
||||
lemma length_excaps_map:
|
||||
"length (excaps_map xcs) = length xcs"
|
||||
|
@ -2728,7 +2728,7 @@ lemma checkPrio_ccorres:
|
|||
apply (clarsimp simp: rf_sr_ksCurThread obj_at'_def projectKOs
|
||||
typ_heap_simps' ctcb_relation_def)
|
||||
apply ceqv
|
||||
apply (simp add: whenE_def del: Collect_const split: split_if)
|
||||
apply (simp add: whenE_def del: Collect_const split: if_split)
|
||||
apply (rule conjI; clarsimp)
|
||||
apply (rule ccorres_from_vcg_split_throws)
|
||||
apply vcg
|
||||
|
@ -3759,7 +3759,7 @@ lemma decodeBindNotification_ccorres:
|
|||
apply (clarsimp simp: typ_heap_simps cnotification_relation_def Let_def
|
||||
valid_ntfn'_def)
|
||||
apply (case_tac "ntfnObj ntfn", simp_all add: isWaitingNtfn_def option_to_ctcb_ptr_def
|
||||
false_def true_def split: option.split_asm split_if,
|
||||
false_def true_def split: option.split_asm if_split,
|
||||
auto simp: neq_Nil_conv tcb_queue_relation'_def tcb_at_not_NULL[symmetric]
|
||||
tcb_at_not_NULL)[1]
|
||||
apply ceqv
|
||||
|
@ -3861,7 +3861,7 @@ lemma decodeBindNotification_ccorres:
|
|||
apply (clarsimp simp: typ_heap_simps cap_get_tag_ThreadCap ccap_relation_def)
|
||||
apply (auto simp: word_sless_alt typ_heap_simps cap_get_tag_ThreadCap ctcb_relation_def
|
||||
option_to_ptr_def option_to_0_def
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
done
|
||||
|
||||
|
||||
|
|
|
@ -19,10 +19,10 @@ lemma empty_fail_findPDForASID[iff]:
|
|||
"empty_fail (findPDForASID asid)"
|
||||
apply (simp add: findPDForASID_def liftME_def)
|
||||
apply (intro empty_fail_bindE, simp_all split: option.split)
|
||||
apply (simp add: assertE_def split: split_if)
|
||||
apply (simp add: assertE_def split: split_if)
|
||||
apply (simp add: assertE_def split: if_split)
|
||||
apply (simp add: assertE_def split: if_split)
|
||||
apply (simp add: empty_fail_getObject)
|
||||
apply (simp add: assertE_def liftE_bindE checkPDAt_def split: split_if)
|
||||
apply (simp add: assertE_def liftE_bindE checkPDAt_def split: if_split)
|
||||
done
|
||||
|
||||
(* FIXME: move *)
|
||||
|
@ -67,13 +67,13 @@ lemma checkVPAlignment_ccorres:
|
|||
(checkVPAlignment sz w)
|
||||
(Call checkVPAlignment_'proc)"
|
||||
proof -
|
||||
note [split del] = split_if
|
||||
note [split del] = if_split
|
||||
show ?thesis
|
||||
apply (cinit lift: sz_' w_')
|
||||
apply (csymbr)
|
||||
apply clarsimp
|
||||
apply (rule ccorres_Guard [where A=\<top> and C'=UNIV])
|
||||
apply (simp split: split_if)
|
||||
apply (simp split: if_split)
|
||||
apply (rule conjI)
|
||||
apply (clarsimp simp: mask_def unlessE_def returnOk_def)
|
||||
apply (rule ccorres_guard_imp)
|
||||
|
@ -82,16 +82,16 @@ proof -
|
|||
apply simp
|
||||
apply simp
|
||||
apply simp
|
||||
apply (simp split: split_if add: to_bool_def)
|
||||
apply (clarsimp simp: mask_def unlessE_def throwError_def split: split_if)
|
||||
apply (simp split: if_split add: to_bool_def)
|
||||
apply (clarsimp simp: mask_def unlessE_def throwError_def split: if_split)
|
||||
apply (rule ccorres_guard_imp)
|
||||
apply (rule ccorres_return_C)
|
||||
apply simp
|
||||
apply simp
|
||||
apply simp
|
||||
apply simp
|
||||
apply (simp split: split_if add: to_bool_def)
|
||||
apply (clarsimp split: split_if)
|
||||
apply (simp split: if_split add: to_bool_def)
|
||||
apply (clarsimp split: if_split)
|
||||
apply (simp add: word_less_nat_alt)
|
||||
apply (rule order_le_less_trans, rule pageBitsForSize_le)
|
||||
apply simp
|
||||
|
@ -210,7 +210,7 @@ lemma pd_at_asid_cross_over:
|
|||
pd_asid_slot_def mask_add_aligned)
|
||||
apply (simp add: mask_def pdBits_def pageBits_def)
|
||||
apply (clarsimp simp add: cpde_relation_def Let_def)
|
||||
by (simp add: pde_lift_def Let_def split: split_if_asm)
|
||||
by (simp add: pde_lift_def Let_def split: if_split_asm)
|
||||
|
||||
lemma findPDForASIDAssert_pd_at_wp2:
|
||||
"\<lbrace>\<lambda>s. \<forall>pd. pd_at_asid' pd asid s
|
||||
|
@ -269,7 +269,7 @@ lemma loadHWASID_ccorres:
|
|||
apply (drule singleton_eqD)
|
||||
apply (clarsimp elim!: ranE)
|
||||
apply (erule notE, rule_tac a=xa in ranI)
|
||||
apply (simp add: restrict_map_def split: split_if)
|
||||
apply (simp add: restrict_map_def split: if_split)
|
||||
apply clarsimp
|
||||
apply clarsimp
|
||||
apply (drule_tac x=a in eqset_imp_iff)
|
||||
|
@ -289,7 +289,7 @@ lemma array_relation_update:
|
|||
unat bnd < card (UNIV :: 'b set) \<rbrakk>
|
||||
\<Longrightarrow> array_relation R bnd (table (x := v))
|
||||
(Arrays.update arr x' v')"
|
||||
by (simp add: array_relation_def word_le_nat_alt split: split_if)
|
||||
by (simp add: array_relation_def word_le_nat_alt split: if_split)
|
||||
|
||||
lemma asid_map_pd_to_hwasids_update:
|
||||
"\<lbrakk> pd \<notin> ran (option_map snd \<circ> m |` (- {asid}));
|
||||
|
@ -297,15 +297,15 @@ lemma asid_map_pd_to_hwasids_update:
|
|||
asid_map_pd_to_hwasids (m (asid \<mapsto> (hw_asid, pd)))
|
||||
= (asid_map_pd_to_hwasids m) (pd := {hw_asid})"
|
||||
apply (rule ext, rule set_eqI)
|
||||
apply (simp add: asid_map_pd_to_hwasids_def split: split_if)
|
||||
apply (simp add: asid_map_pd_to_hwasids_def split: if_split)
|
||||
apply (intro conjI impI)
|
||||
apply (rule iffI)
|
||||
apply (rule ccontr, clarsimp elim!: ranE split: split_if_asm)
|
||||
apply (rule ccontr, clarsimp elim!: ranE split: if_split_asm)
|
||||
apply (erule notE, rule ranI, simp add: restrict_map_def)
|
||||
apply (subst if_P, assumption)
|
||||
apply simp
|
||||
apply (fastforce split: split_if)
|
||||
apply (simp add: ran_def split: split_if)
|
||||
apply (fastforce split: if_split)
|
||||
apply (simp add: ran_def split: if_split)
|
||||
apply (rule iffI)
|
||||
apply fastforce
|
||||
apply (erule exEI)
|
||||
|
@ -350,7 +350,7 @@ lemma storeHWASID_ccorres:
|
|||
apply (simp add: word_sless_def word_sle_def cslift_ptr_safe)
|
||||
apply (intro conjI)
|
||||
apply (erule iffD1 [OF cmap_relation_cong, rotated -1], simp_all)[1]
|
||||
apply (simp split: split_if_asm)
|
||||
apply (simp split: if_split_asm)
|
||||
apply (clarsimp simp: cpde_relation_def Let_def
|
||||
pde_lift_pde_invalid
|
||||
cong: ARM_H.pde.case_cong)
|
||||
|
@ -360,7 +360,7 @@ lemma storeHWASID_ccorres:
|
|||
subgoal by simp
|
||||
apply (subst asid_map_pd_to_hwasids_update, assumption)
|
||||
subgoal by clarsimp
|
||||
apply (rule ext, simp add: pd_pointer_to_asid_slot_def map_comp_def split: split_if)
|
||||
apply (rule ext, simp add: pd_pointer_to_asid_slot_def map_comp_def split: if_split)
|
||||
apply (clarsimp simp: pde_stored_asid_def true_def mask_def[where n="Suc 0"])
|
||||
apply (subst less_mask_eq)
|
||||
apply (rule order_less_le_trans, rule ucast_less)
|
||||
|
@ -392,7 +392,7 @@ lemma invalidateHWASIDEntry_ccorres:
|
|||
Let_def)
|
||||
apply (clarsimp simp: carch_state_relation_def carch_globals_def
|
||||
cmachine_state_relation_def)
|
||||
apply (simp add: array_relation_def split: split_if, erule allEI)
|
||||
apply (simp add: array_relation_def split: if_split, erule allEI)
|
||||
apply (clarsimp simp: word_le_nat_alt)
|
||||
apply (simp add: option_to_0_def asidInvalid_def)
|
||||
done
|
||||
|
@ -403,13 +403,13 @@ lemma asid_map_pd_to_hwasids_clear:
|
|||
asid_map_pd_to_hwasids (m (asid := None))
|
||||
= (asid_map_pd_to_hwasids m) (pd := {})"
|
||||
apply (rule ext, rule set_eqI)
|
||||
apply (simp add: asid_map_pd_to_hwasids_def split: split_if)
|
||||
apply (simp add: asid_map_pd_to_hwasids_def split: if_split)
|
||||
apply (intro conjI impI)
|
||||
apply (clarsimp elim!: ranE split: split_if_asm)
|
||||
apply (clarsimp elim!: ranE split: if_split_asm)
|
||||
apply (erule notE, rule ranI, simp add: restrict_map_def)
|
||||
apply (subst if_P, assumption)
|
||||
apply simp
|
||||
apply (simp add: ran_def split: split_if)
|
||||
apply (simp add: ran_def split: if_split)
|
||||
apply (rule iffI)
|
||||
apply fastforce
|
||||
apply (erule exEI)
|
||||
|
@ -446,13 +446,13 @@ lemma invalidateASID_ccorres:
|
|||
arg_cong[where f="\<lambda>x. 2 ^ x", OF meta_eq_to_obj_eq, OF asid_low_bits_def])
|
||||
apply (intro conjI)
|
||||
apply (erule iffD1 [OF cmap_relation_cong, rotated -1], simp_all)[1]
|
||||
apply (simp split: split_if_asm)
|
||||
apply (simp split: if_split_asm)
|
||||
apply (clarsimp simp: cpde_relation_def Let_def
|
||||
pde_lift_pde_invalid
|
||||
cong: ARM_H.pde.case_cong)
|
||||
apply (subst asid_map_pd_to_hwasids_clear, assumption)
|
||||
subgoal by clarsimp
|
||||
apply (rule ext, simp add: pd_pointer_to_asid_slot_def map_comp_def split: split_if)
|
||||
apply (rule ext, simp add: pd_pointer_to_asid_slot_def map_comp_def split: if_split)
|
||||
subgoal by (clarsimp simp: pde_stored_asid_def false_def mask_def[where n="Suc 0"])
|
||||
apply wp[1]
|
||||
apply (wp findPDForASIDAssert_pd_at_wp2)
|
||||
|
@ -1122,7 +1122,7 @@ lemma flushSpace_ccorres:
|
|||
apply (simp add: case_option_If2)
|
||||
apply (rule_tac Q=\<top> and Q'=\<top> in ccorres_if_cond_throws2)
|
||||
apply (clarsimp simp: Collect_const_mem pde_stored_asid_def)
|
||||
apply (simp add: split_if_eq1 to_bool_def)
|
||||
apply (simp add: if_split_eq1 to_bool_def)
|
||||
apply (rule ccorres_return_void_C [unfolded dc_def])
|
||||
apply csymbr
|
||||
apply (clarsimp simp: pde_stored_asid_def)
|
||||
|
@ -1328,7 +1328,7 @@ lemma findFreeHWASID_ccorres:
|
|||
apply (simp add: min.absorb2
|
||||
del: upt.simps)
|
||||
apply (simp add: nth_append
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
|
||||
apply ceqv
|
||||
apply (rule ccorres_assert)
|
||||
|
@ -1363,7 +1363,7 @@ lemma findFreeHWASID_ccorres:
|
|||
simp add: is_down_def target_size_def source_size_def word_size)+
|
||||
apply (clarsimp simp: maxBound_word minBound_word
|
||||
ucast_ucast_add minus_one_norm
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
apply (simp add: word_sint_msb_eq uint_up_ucast word_size
|
||||
msb_nth nth_ucast bang_big is_up_def source_size_def
|
||||
target_size_def)
|
||||
|
@ -1431,10 +1431,10 @@ lemma getHWASID_ccorres:
|
|||
apply (rule ccorres_from_vcg_throws[where P=\<top> and P'=UNIV])
|
||||
apply (rule allI, rule conseqPre, vcg)
|
||||
apply (clarsimp simp: return_def pde_stored_asid_def
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
apply wp
|
||||
apply (clarsimp simp: pde_stored_asid_def)
|
||||
apply (clarsimp simp: to_bool_def split: split_if)
|
||||
apply (clarsimp simp: to_bool_def split: if_split)
|
||||
apply (auto simp: all_invs_but_ct_idle_or_in_cur_domain'_def)
|
||||
done
|
||||
|
||||
|
@ -1587,7 +1587,7 @@ lemma setVMRoot_ccorres:
|
|||
cap_lift_page_directory_cap cap_to_H_def
|
||||
cap_page_directory_cap_lift_def
|
||||
to_bool_def
|
||||
elim!: ccap_relationE split: split_if_asm)
|
||||
elim!: ccap_relationE split: if_split_asm)
|
||||
|
||||
|
||||
(* FIXME: move *)
|
||||
|
@ -1651,7 +1651,7 @@ lemma setVMRootForFlush_ccorres:
|
|||
apply (clarsimp simp: isCap_simps(2) cap_get_tag_isCap_ArchObject[symmetric])
|
||||
apply (clarsimp simp: cap_page_directory_cap_lift cap_to_H_def
|
||||
elim!: ccap_relationE)
|
||||
apply (simp add: to_bool_def split: split_if)
|
||||
apply (simp add: to_bool_def split: if_split)
|
||||
by (auto simp: cap_get_tag_isCap_ArchObject2)
|
||||
|
||||
|
||||
|
@ -1669,7 +1669,7 @@ lemma framesize_from_to_H:
|
|||
by (simp add: gen_framesize_to_H_def framesize_from_H_def
|
||||
Kernel_C.ARMSmallPage_def Kernel_C.ARMLargePage_def
|
||||
Kernel_C.ARMSection_def Kernel_C.ARMSuperSection_def
|
||||
split: split_if vmpage_size.splits)
|
||||
split: if_split vmpage_size.splits)
|
||||
|
||||
lemma framesize_from_H_mask:
|
||||
"framesize_from_H vmsz && mask 2 = framesize_from_H vmsz"
|
||||
|
@ -1786,14 +1786,14 @@ lemma performPageFlush_ccorres:
|
|||
apply (unfold when_def)
|
||||
apply (rule ccorres_cond_seq)
|
||||
apply (rule ccorres_cond2[where R=\<top>])
|
||||
apply (simp split: split_if)
|
||||
apply (simp split: if_split)
|
||||
apply (rule ccorres_rhs_assoc)+
|
||||
apply (ctac (no_vcg) add: setVMRootForFlush_ccorres)
|
||||
apply (ctac (no_vcg) add: doFlush_ccorres)
|
||||
apply (rule ccorres_add_return2)
|
||||
apply (rule ccorres_split_nothrow_novcg_dc)
|
||||
apply (rule ccorres_cond2[where R=\<top>])
|
||||
apply (simp add: from_bool_def split: split_if bool.splits)
|
||||
apply (simp add: from_bool_def split: if_split bool.splits)
|
||||
apply (rule ccorres_pre_getCurThread)
|
||||
apply (ctac add: setVMRoot_ccorres)
|
||||
apply (rule ccorres_return_Skip)
|
||||
|
@ -1841,7 +1841,7 @@ lemma setRegister_ccorres:
|
|||
(asUser thread (setRegister reg val))
|
||||
(Call setRegister_'proc)"
|
||||
apply (cinit' lift: thread_' reg_' w_')
|
||||
apply (simp add: asUser_def dc_def[symmetric] split_def split del: split_if)
|
||||
apply (simp add: asUser_def dc_def[symmetric] split_def split del: if_split)
|
||||
apply (rule ccorres_pre_threadGet)
|
||||
apply (rule ccorres_Guard)
|
||||
apply (simp add: setRegister_def simpler_modify_def exec_select_f_singleton)
|
||||
|
@ -1861,7 +1861,7 @@ lemma setRegister_ccorres:
|
|||
apply (clarsimp simp: ctcb_relation_def ccontext_relation_def
|
||||
atcbContextSet_def atcbContextGet_def
|
||||
carch_tcb_relation_def
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
apply (clarsimp simp: Collect_const_mem register_from_H_sless
|
||||
register_from_H_less)
|
||||
apply (auto intro: typ_heap_simps elim: obj_at'_weakenE)
|
||||
|
@ -1976,14 +1976,14 @@ lemma performPageDirectoryInvocationFlush_ccorres:
|
|||
apply (unfold when_def)
|
||||
apply (rule ccorres_cond_seq)
|
||||
apply (rule ccorres_cond2[where R=\<top>])
|
||||
apply (simp split: split_if)
|
||||
apply (simp split: if_split)
|
||||
apply (rule ccorres_rhs_assoc)+
|
||||
apply (ctac (no_vcg) add: setVMRootForFlush_ccorres)
|
||||
apply (ctac (no_vcg) add: doFlush_ccorres)
|
||||
apply (rule ccorres_add_return2)
|
||||
apply (rule ccorres_split_nothrow_novcg_dc)
|
||||
apply (rule ccorres_cond2[where R=\<top>])
|
||||
apply (simp add: from_bool_def split: split_if bool.splits)
|
||||
apply (simp add: from_bool_def split: if_split bool.splits)
|
||||
apply (rule ccorres_pre_getCurThread)
|
||||
apply (ctac add: setVMRoot_ccorres)
|
||||
apply (rule ccorres_return_Skip)
|
||||
|
@ -2018,7 +2018,7 @@ lemma flushPage_ccorres:
|
|||
apply csymbr
|
||||
apply (simp add: when_def del: Collect_const)
|
||||
apply (rule ccorres_cond2[where R=\<top>])
|
||||
apply (clarsimp simp: pde_stored_asid_def to_bool_def split: split_if)
|
||||
apply (clarsimp simp: pde_stored_asid_def to_bool_def split: if_split)
|
||||
apply (rule ccorres_Guard_Seq ccorres_rhs_assoc)+
|
||||
apply csymbr
|
||||
apply csymbr
|
||||
|
@ -2365,7 +2365,7 @@ lemma unmapPage_ccorres:
|
|||
apply (simp add: cpte_relation_def Let_def pte_lift_def
|
||||
isSmallPagePTE_def pte_tag_defs
|
||||
pte_pte_small_lift_def pte_pte_invalid_def
|
||||
split: split_if_asm pte.split_asm)
|
||||
split: if_split_asm pte.split_asm)
|
||||
apply (rule ceqv_refl)
|
||||
apply (simp add: unfold_checkMapping_return liftE_liftM
|
||||
Collect_const[symmetric] dc_def[symmetric]
|
||||
|
@ -2407,7 +2407,7 @@ lemma unmapPage_ccorres:
|
|||
subgoal by (simp add: cpte_relation_def Let_def pte_lift_def
|
||||
isLargePagePTE_def pte_tag_defs
|
||||
pte_pte_large_lift_def pte_pte_invalid_def
|
||||
split: split_if_asm pte.split_asm)
|
||||
split: if_split_asm pte.split_asm)
|
||||
apply (rule ceqv_refl)
|
||||
apply (simp add: liftE_liftM dc_def[symmetric]
|
||||
mapM_discarded whileAnno_def ARMLargePageBits_def ARMSmallPageBits_def
|
||||
|
@ -2485,7 +2485,7 @@ lemma unmapPage_ccorres:
|
|||
apply (simp add: gen_framesize_to_H_def dc_def[symmetric]
|
||||
liftE_liftM
|
||||
del: Collect_const)
|
||||
apply (simp split: split_if, rule conjI[rotated], rule impI,
|
||||
apply (simp split: if_split, rule conjI[rotated], rule impI,
|
||||
rule ccorres_empty, rule impI)
|
||||
apply (rule ccorres_rhs_assoc2, rule ccorres_rhs_assoc2,
|
||||
rule ccorres_rhs_assoc2, rule ccorres_rhs_assoc2,
|
||||
|
@ -2496,7 +2496,7 @@ lemma unmapPage_ccorres:
|
|||
apply (clarsimp simp: typ_heap_simps')
|
||||
subgoal by (simp add: pde_pde_section_lift_def cpde_relation_def pde_lift_def
|
||||
Let_def pde_tag_defs isSectionPDE_def
|
||||
split: pde.split_asm split_if_asm)
|
||||
split: pde.split_asm if_split_asm)
|
||||
apply (rule ceqv_refl)
|
||||
apply (simp add: unfold_checkMapping_return Collect_False dc_def[symmetric]
|
||||
del: Collect_const)
|
||||
|
@ -2535,7 +2535,7 @@ lemma unmapPage_ccorres:
|
|||
subgoal by (simp add: cpde_relation_def Let_def pde_lift_def
|
||||
isSuperSectionPDE_def pde_tag_defs
|
||||
pde_pde_section_lift_def
|
||||
split: split_if_asm pde.split_asm)
|
||||
split: if_split_asm pde.split_asm)
|
||||
apply (rule ceqv_refl)
|
||||
apply (simp add: unfold_checkMapping_return Collect_False ARMSuperSectionBits_def
|
||||
ARMSectionBits_def word_sle_def
|
||||
|
@ -2641,7 +2641,7 @@ lemma cap_to_H_PageCap_tag:
|
|||
"\<lbrakk> cap_to_H cap = ArchObjectCap (PageCap d p R sz A);
|
||||
cap_lift C_cap = Some cap \<rbrakk> \<Longrightarrow>
|
||||
cap_get_tag C_cap = scast cap_frame_cap \<or> cap_get_tag C_cap = scast cap_small_frame_cap"
|
||||
apply (clarsimp simp: cap_to_H_def Let_def split: cap_CL.splits split_if_asm)
|
||||
apply (clarsimp simp: cap_to_H_def Let_def split: cap_CL.splits if_split_asm)
|
||||
by (simp_all add: Let_def cap_lift_def split_def split: if_splits)
|
||||
|
||||
lemma generic_frame_mapped_address:
|
||||
|
@ -2659,12 +2659,12 @@ lemma generic_frame_mapped_address:
|
|||
apply (simp add: cap_frame_cap_lift)
|
||||
apply (simp add: generic_frame_cap_set_capFMappedAddress_CL_def)
|
||||
apply (clarsimp simp: cap_to_H_def)
|
||||
apply (simp add: asidInvalid_def split: split_if)
|
||||
apply (simp add: asidInvalid_def split: if_split)
|
||||
apply (simp add: c_valid_cap_def cl_valid_cap_def)
|
||||
apply (simp add: cap_small_frame_cap_lift)
|
||||
apply (simp add: generic_frame_cap_set_capFMappedAddress_CL_def)
|
||||
apply (clarsimp simp: cap_to_H_def)
|
||||
apply (simp add: asidInvalid_def split: split_if)
|
||||
apply (simp add: asidInvalid_def split: if_split)
|
||||
apply (simp add: c_valid_cap_def cl_valid_cap_def)
|
||||
done
|
||||
|
||||
|
@ -2764,17 +2764,17 @@ lemma ccap_relation_mapped_asid_0:
|
|||
apply (erule disjE)
|
||||
apply (clarsimp simp: cap_lift_frame_cap cap_to_H_def
|
||||
generic_frame_cap_get_capFMappedASID_CL_def
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
apply (clarsimp simp: cap_lift_small_frame_cap cap_to_H_def
|
||||
generic_frame_cap_get_capFMappedASID_CL_def
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
apply clarsimp
|
||||
apply (erule disjE)
|
||||
apply (rule ccontr)
|
||||
apply clarsimp
|
||||
apply (clarsimp simp: cap_lift_frame_cap cap_to_H_def
|
||||
generic_frame_cap_get_capFMappedASID_CL_def
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
apply (drule word_aligend_0_sum [where n=asid_low_bits])
|
||||
apply fastforce
|
||||
apply (simp add: mask_def asid_low_bits_def word_and_le1)
|
||||
|
@ -2790,7 +2790,7 @@ lemma ccap_relation_mapped_asid_0:
|
|||
apply clarsimp
|
||||
apply (clarsimp simp: cap_lift_small_frame_cap cap_to_H_def
|
||||
generic_frame_cap_get_capFMappedASID_CL_def
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
apply (drule word_aligend_0_sum [where n=asid_low_bits])
|
||||
apply fastforce
|
||||
apply (simp add: mask_def asid_low_bits_def word_and_le1)
|
||||
|
@ -2848,8 +2848,8 @@ lemma ccap_relation_PageCap_generics:
|
|||
elim!: ccap_relationE)
|
||||
apply (simp add: gen_framesize_to_H_def)
|
||||
apply (simp add: vm_page_size_defs order_le_less_trans [OF word_and_le1]
|
||||
split: split_if)
|
||||
apply (clarsimp split: split_if_asm)
|
||||
split: if_split)
|
||||
apply (clarsimp split: if_split_asm)
|
||||
apply (frule(1) cap_get_tag_isCap_unfolded_H_cap)
|
||||
apply (clarsimp simp: cap_lift_frame_cap cap_to_H_def
|
||||
generic_frame_cap_get_capFMappedAddress_CL_def
|
||||
|
@ -2863,8 +2863,8 @@ lemma ccap_relation_PageCap_generics:
|
|||
elim!: ccap_relationE)
|
||||
apply (simp add: gen_framesize_to_H_is_framesize_to_H_if_not_ARMSmallPage)
|
||||
apply (simp add: vm_page_size_defs order_le_less_trans [OF word_and_le1]
|
||||
split: split_if)
|
||||
apply (clarsimp split: split_if_asm)
|
||||
split: if_split)
|
||||
apply (clarsimp split: if_split_asm)
|
||||
done
|
||||
|
||||
lemma performPageInvocationUnmap_ccorres:
|
||||
|
@ -2926,7 +2926,7 @@ lemma performPageInvocationUnmap_ccorres:
|
|||
apply (simp add: guard_is_UNIV_def)
|
||||
apply (simp add: cte_wp_at_ctes_of)
|
||||
apply wp
|
||||
apply (clarsimp simp: cte_wp_at_ctes_of isCap_simps split: split_if)
|
||||
apply (clarsimp simp: cte_wp_at_ctes_of isCap_simps split: if_split)
|
||||
apply (drule diminished_PageCap)
|
||||
apply clarsimp
|
||||
apply (drule ccap_relation_mapped_asid_0)
|
||||
|
@ -2935,7 +2935,7 @@ lemma performPageInvocationUnmap_ccorres:
|
|||
apply (clarsimp simp: mask_def valid_cap'_def
|
||||
vmsz_aligned_aligned_pageBits)
|
||||
apply assumption
|
||||
apply (clarsimp simp: cte_wp_at_ctes_of isCap_simps split: split_if)
|
||||
apply (clarsimp simp: cte_wp_at_ctes_of isCap_simps split: if_split)
|
||||
apply (drule diminished_PageCap)
|
||||
apply clarsimp
|
||||
apply (frule (1) rf_sr_ctes_of_clift)
|
||||
|
@ -3108,7 +3108,7 @@ lemma cap_to_H_PDCap_tag:
|
|||
"\<lbrakk> cap_to_H cap = ArchObjectCap (PageDirectoryCap p A);
|
||||
cap_lift C_cap = Some cap \<rbrakk> \<Longrightarrow>
|
||||
cap_get_tag C_cap = scast cap_page_directory_cap"
|
||||
apply (clarsimp simp: cap_to_H_def Let_def split: cap_CL.splits split_if_asm)
|
||||
apply (clarsimp simp: cap_to_H_def Let_def split: cap_CL.splits if_split_asm)
|
||||
apply (simp_all add: Let_def cap_lift_def split: if_splits)
|
||||
done
|
||||
|
||||
|
@ -3146,7 +3146,7 @@ lemma setCTE_asidpool':
|
|||
apply (clarsimp simp: obj_at'_def projectKOs)
|
||||
apply (rule conjI)
|
||||
apply (clarsimp simp: lookupAround2_char1)
|
||||
apply (clarsimp split: split_if)
|
||||
apply (clarsimp split: if_split)
|
||||
apply (case_tac obj', auto)[1]
|
||||
apply (rename_tac arch_kernel_object)
|
||||
apply (case_tac arch_kernel_object, auto)[1]
|
||||
|
@ -3360,7 +3360,7 @@ lemma flushTable_ccorres:
|
|||
apply csymbr
|
||||
apply (simp add: when_def del: Collect_const)
|
||||
apply (rule ccorres_cond2[where R=\<top>])
|
||||
apply (clarsimp simp: pde_stored_asid_def to_bool_def split: split_if)
|
||||
apply (clarsimp simp: pde_stored_asid_def to_bool_def split: if_split)
|
||||
apply (rule ccorres_Guard_Seq ccorres_rhs_assoc)+
|
||||
|
||||
apply csymbr
|
||||
|
|
|
@ -393,7 +393,7 @@ proof -
|
|||
apply simp
|
||||
apply (drule_tac t="pda v" for v in sym, simp)
|
||||
apply (clarsimp simp: obj_at_def a_type_def del: disjCI)
|
||||
apply (clarsimp split: Structures_A.kernel_object.split_asm split_if_asm
|
||||
apply (clarsimp split: Structures_A.kernel_object.split_asm if_split_asm
|
||||
arch_kernel_obj.split_asm del: disjCI)
|
||||
apply (frule_tac p="ptrFromPAddr v" for v in pspace_alignedD, simp+)
|
||||
apply (rule disjI2, rule conjI)
|
||||
|
@ -436,7 +436,7 @@ proof -
|
|||
apply simp
|
||||
apply (drule_tac t="pda v" for v in sym, simp)
|
||||
apply (clarsimp simp: obj_at_def a_type_def del: disjCI)
|
||||
apply (clarsimp split: Structures_A.kernel_object.split_asm split_if_asm
|
||||
apply (clarsimp split: Structures_A.kernel_object.split_asm if_split_asm
|
||||
arch_kernel_obj.split_asm del: disjCI)
|
||||
apply (frule_tac p="ptrFromPAddr v" for v in pspace_alignedD, simp+)
|
||||
apply (rule map_includedI)
|
||||
|
@ -455,7 +455,7 @@ proof -
|
|||
restrict_map_def)
|
||||
apply (clarsimp simp: valid_idle_def pred_tcb_at_def obj_at_def)
|
||||
apply (clarsimp simp: upto_enum_step_def pt_bits_def pageBits_def
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
apply (subst add.assoc, subst is_aligned_add_helper, assumption)
|
||||
apply (simp only: word_shift_by_2 word_shiftl_add_distrib[symmetric])
|
||||
apply (rule shiftl_less_t2n)
|
||||
|
@ -573,11 +573,11 @@ proof (induct x)
|
|||
thus ?case
|
||||
apply (simp add: Decode_D.decode_invocation_def
|
||||
decode_invocation_def arch_decode_invocation_def
|
||||
split del: split_if)
|
||||
split del: if_split)
|
||||
apply (clarsimp simp: get_asid_pool_intent_def transform_intent_def
|
||||
map_option_Some_eq2 throw_opt_def
|
||||
decode_asid_pool_invocation_def
|
||||
split del: split_if split: label_split_asm list.split_asm)
|
||||
split del: if_split split: label_split_asm list.split_asm)
|
||||
apply (simp add: split_beta corres_alternate2
|
||||
liftE_bindE corres_symb_exec_in_gets
|
||||
corres_whenE_throwError_split_rhs
|
||||
|
@ -621,7 +621,7 @@ proof (induct x)
|
|||
apply (rule ucast_up_inj[where 'b=32])
|
||||
apply (simp add: ucast_ucast_mask is_aligned_mask asid_low_bits_def)
|
||||
apply simp
|
||||
apply (wp select_wp | simp add:valid_cap_def split del: split_if)+
|
||||
apply (wp select_wp | simp add:valid_cap_def split del: if_split)+
|
||||
done
|
||||
next
|
||||
case ASIDControlCap
|
||||
|
@ -629,12 +629,12 @@ next
|
|||
apply (simp add: Decode_D.decode_invocation_def
|
||||
decode_invocation_def arch_decode_invocation_def
|
||||
bindE_assoc
|
||||
split del: split_if)
|
||||
split del: if_split)
|
||||
apply (clarsimp simp: get_asid_control_intent_def transform_intent_def
|
||||
map_option_Some_eq2 throw_opt_def
|
||||
decode_asid_control_invocation_def
|
||||
transform_cnode_index_and_depth_def
|
||||
split del: split_if split: label_split_asm list.split_asm)
|
||||
split del: if_split split: label_split_asm list.split_asm)
|
||||
apply (simp add: split_beta corres_alternate2
|
||||
liftE_bindE corres_symb_exec_in_gets
|
||||
corres_whenE_throwError_split_rhs
|
||||
|
@ -707,13 +707,13 @@ next
|
|||
thus ?case
|
||||
apply (simp add: Decode_D.decode_invocation_def
|
||||
decode_invocation_def arch_decode_invocation_def
|
||||
split del: split_if)
|
||||
split del: if_split)
|
||||
apply (clarsimp simp: get_page_intent_def transform_intent_def
|
||||
map_option_Some_eq2 throw_opt_def
|
||||
decode_page_invocation_def
|
||||
transform_intent_page_map_def
|
||||
transform_intent_page_remap_def
|
||||
split del: split_if split: label_split_asm list.split_asm,
|
||||
split del: if_split split: label_split_asm list.split_asm,
|
||||
simp_all add: split_beta corres_alternate2
|
||||
liftE_bindE corres_symb_exec_in_gets
|
||||
corres_whenE_throwError_split_rhs
|
||||
|
@ -761,7 +761,7 @@ next
|
|||
apply wp
|
||||
apply (rule hoare_pre, wp, simp)
|
||||
apply (rule hoare_pre, wp, auto)[1]
|
||||
apply (wp | simp add: whenE_def split del: split_if)+
|
||||
apply (wp | simp add: whenE_def split del: if_split)+
|
||||
apply (rule hoare_pre, wp, simp)
|
||||
apply clarsimp
|
||||
apply (clarsimp simp: gets_bind_alternative
|
||||
|
@ -806,7 +806,7 @@ next
|
|||
apply wp
|
||||
apply (rule hoare_pre, wp, simp)
|
||||
apply (rule hoare_pre, wp, auto)[1]
|
||||
apply (wp | simp add: whenE_def split del: split_if)+
|
||||
apply (wp | simp add: whenE_def split del: if_split)+
|
||||
apply (rule hoare_pre, wp, simp)
|
||||
apply (rule corres_alternate1)
|
||||
apply (simp add: returnOk_def arch_invocation_relation_def cap_object_simps
|
||||
|
@ -866,12 +866,12 @@ next
|
|||
thus ?case
|
||||
apply (simp add: Decode_D.decode_invocation_def
|
||||
decode_invocation_def arch_decode_invocation_def
|
||||
split del: split_if)
|
||||
split del: if_split)
|
||||
apply (clarsimp simp: get_page_table_intent_def transform_intent_def
|
||||
map_option_Some_eq2 throw_opt_def cdl_get_pt_mapped_addr_def
|
||||
decode_page_table_invocation_def
|
||||
transform_intent_page_table_map_def
|
||||
split del: split_if
|
||||
split del: if_split
|
||||
split: label_split_asm list.split_asm)
|
||||
apply (simp add: throw_on_none_def transform_cap_list_def
|
||||
get_index_def split_beta alternative_refl
|
||||
|
@ -912,7 +912,7 @@ next
|
|||
le_shiftr linorder_not_le cap_object_simps)
|
||||
apply (rule hoare_pre, wp, auto)[1]
|
||||
apply (wp | simp)+
|
||||
apply (simp add: whenE_def split del: split_if)
|
||||
apply (simp add: whenE_def split del: if_split)
|
||||
apply (rule hoare_pre, wp, simp)
|
||||
apply (clarsimp simp: is_final_cap'_def
|
||||
is_final_cap_def split:list.splits)
|
||||
|
@ -931,7 +931,7 @@ next
|
|||
decode_invocation_def arch_decode_invocation_def
|
||||
get_page_directory_intent_def transform_intent_def
|
||||
isPDFlushLabel_def
|
||||
split del: split_if)
|
||||
split del: if_split)
|
||||
apply (clarsimp simp: get_page_directory_intent_def transform_intent_def
|
||||
map_option_Some_eq2 throw_opt_def decode_page_directory_invocation_def
|
||||
split: label_split_asm cdl_intent.splits
|
||||
|
@ -1112,7 +1112,7 @@ lemma set_object_simple_corres:
|
|||
apply (clarsimp simp: transform_def transform_objects_def
|
||||
not_idle_thread_def obj_at_def
|
||||
transform_current_thread_def)
|
||||
apply (rule ext, simp split: split_if)
|
||||
apply (rule ext, simp split: if_split)
|
||||
apply (intro conjI impI allI)
|
||||
apply (clarsimp simp: transform_object_def
|
||||
split: Structures_A.kernel_object.split)
|
||||
|
@ -1212,7 +1212,7 @@ lemma set_cap_opt_cap':
|
|||
apply (rule hoare_seq_ext [OF _ dget_object_sp])
|
||||
apply (case_tac obj, simp_all add:KHeap_D.set_object_def has_slots_def
|
||||
update_slots_def object_slots_def
|
||||
split del:split_if cong: if_cong bind_cong)
|
||||
split del:if_split cong: if_cong bind_cong)
|
||||
apply (rule hoare_pre, wp select_wp)
|
||||
apply (clarsimp simp:fun_upd_def[symmetric])
|
||||
apply (safe elim!:rsubst[where P=P] intro!: ext)
|
||||
|
@ -1256,7 +1256,7 @@ lemma invoke_page_table_corres:
|
|||
apply (simp add: invoke_page_table_def perform_page_table_invocation_def)
|
||||
apply (clarsimp simp: transform_page_table_inv_def
|
||||
split: ARM_A.page_table_invocation.split_asm
|
||||
split_if_asm)
|
||||
if_split_asm)
|
||||
apply (rename_tac word oref attribs)
|
||||
apply (clarsimp simp: is_pt_cap_def valid_pti_def make_arch_duplicate_def)
|
||||
apply (rule stronger_corres_guard_imp)
|
||||
|
@ -1655,7 +1655,7 @@ lemma invoke_page_corres:
|
|||
apply (rule corres_split [OF _ set_cap_corres])
|
||||
apply (rule corres_dummy_return_pl[where b ="()"])
|
||||
apply (rule corres_split[OF _ pte_check_if_mapped_corres])
|
||||
apply (simp split del: split_if)
|
||||
apply (simp split del: if_split)
|
||||
apply (rule corres_dummy_return_l)
|
||||
apply (rule corres_split[OF _ store_pte_set_cap_corres])
|
||||
apply (rule corres_dummy_return_l)
|
||||
|
@ -1674,7 +1674,7 @@ lemma invoke_page_corres:
|
|||
apply (rule corres_split [OF _ set_cap_corres])
|
||||
apply (rule corres_dummy_return_pl[where b="()"])
|
||||
apply (rule corres_split[OF _ pde_check_if_mapped_corres])
|
||||
apply (simp split del: split_if)
|
||||
apply (simp split del: if_split)
|
||||
apply (rule corres_dummy_return_l)
|
||||
apply (rule corres_split[OF _ store_pde_set_cap_corres])
|
||||
apply (rule corres_dummy_return_l)
|
||||
|
@ -1702,7 +1702,7 @@ lemma invoke_page_corres:
|
|||
apply (rule corres_guard_imp)
|
||||
apply (rule corres_dummy_return_pl[where b="()"])
|
||||
apply (rule corres_split[OF _ pte_check_if_mapped_corres])
|
||||
apply (simp split del: split_if)
|
||||
apply (simp split del: if_split)
|
||||
apply (rule corres_dummy_return_l)
|
||||
apply (rule corres_split[OF _ store_pte_set_cap_corres])
|
||||
apply (rule corres_dummy_return_l)
|
||||
|
@ -1718,7 +1718,7 @@ lemma invoke_page_corres:
|
|||
apply (rule corres_guard_imp)
|
||||
apply (rule corres_dummy_return_pl[where b="()"])
|
||||
apply (rule corres_split[OF _ pde_check_if_mapped_corres])
|
||||
apply (simp split del: split_if)
|
||||
apply (simp split del: if_split)
|
||||
apply (rule corres_dummy_return_l)
|
||||
apply (rule corres_split[OF _ store_pde_set_cap_corres])
|
||||
apply (rule corres_dummy_return_l)
|
||||
|
@ -1780,7 +1780,7 @@ lemma invoke_page_corres:
|
|||
apply (clarsimp simp: when_def split: if_splits)
|
||||
apply (rule corres_guard_imp)
|
||||
apply (rule dcorres_symb_exec_r)+
|
||||
apply (simp only: split_if_asm)
|
||||
apply (simp only: if_split_asm)
|
||||
apply (safe)
|
||||
apply (erule notE)
|
||||
apply (rule dcorres_symb_exec_r)+
|
||||
|
|
|
@ -91,7 +91,7 @@ lemma dcorres_set_untyped_cap_as_full:
|
|||
(CSpace_D.set_untyped_cap_as_full (transform_cap src_cap) (transform_cap cap) (transform_cslot_ptr src))
|
||||
(CSpace_A.set_untyped_cap_as_full src_cap cap src)"
|
||||
apply (simp add:set_untyped_cap_as_full_def CSpace_D.set_untyped_cap_as_full_def
|
||||
split del:split_if)
|
||||
split del:if_split)
|
||||
apply (case_tac "is_untyped_cap src_cap \<and> is_untyped_cap cap")
|
||||
apply (rule dcorres_expand_pfx)
|
||||
apply (rule corres_guard_imp)
|
||||
|
@ -197,7 +197,7 @@ lemma insert_cap_sibling_corres:
|
|||
and (\<lambda>s. mdb_cte_at (swp cte_at s) (cdt s))
|
||||
and (\<lambda>s. cdt s sibling = None)" for orig'
|
||||
in corres_modify)
|
||||
apply (clarsimp split del: split_if)
|
||||
apply (clarsimp split del: if_split)
|
||||
apply (subst if_not_P, assumption)+
|
||||
apply (clarsimp simp: opt_parent_def transform_def
|
||||
transform_objects_def transform_cdt_def
|
||||
|
@ -220,7 +220,7 @@ lemma insert_cap_sibling_corres:
|
|||
apply ((wp set_cap_caps_of_state2 get_cap_wp static_imp_wp
|
||||
| simp add: swp_def cte_wp_at_caps_of_state)+)
|
||||
apply (wp set_cap_idle |
|
||||
simp add:set_untyped_cap_as_full_def split del: split_if)+
|
||||
simp add:set_untyped_cap_as_full_def split del: if_split)+
|
||||
apply (rule_tac Q = "\<lambda>r s. cdt s sibling = None
|
||||
\<and> \<not> should_be_parent_of src_capa (is_original_cap s sibling) cap (cap_insert_dest_original cap src_capa)
|
||||
\<and> mdb_cte_at (swp (cte_wp_at (op \<noteq> cap.NullCap)) s) (cdt s)"
|
||||
|
@ -232,7 +232,7 @@ lemma insert_cap_sibling_corres:
|
|||
apply fastforce
|
||||
apply (wp get_cap_wp set_cap_idle static_imp_wp
|
||||
| simp add:set_untyped_cap_as_full_def
|
||||
split del: split_if)+
|
||||
split del: if_split)+
|
||||
apply (rule_tac Q = "\<lambda>r s. cdt s sibling = None
|
||||
\<and> (\<exists>cap. caps_of_state s src = Some cap)
|
||||
\<and> \<not> should_be_parent_of src_capa (is_original_cap s src) cap (cap_insert_dest_original cap src_capa)
|
||||
|
@ -288,7 +288,7 @@ lemma insert_cap_child_corres:
|
|||
and cte_at src and cte_at child
|
||||
and (\<lambda>s. mdb_cte_at (swp cte_at s) (cdt s))" for orig orig'
|
||||
in corres_modify)
|
||||
apply (clarsimp split del: split_if)
|
||||
apply (clarsimp split del: if_split)
|
||||
apply (subst if_P, assumption)+
|
||||
apply (clarsimp simp: opt_parent_def transform_def transform_asid_table_def
|
||||
transform_objects_def transform_cdt_def
|
||||
|
@ -304,7 +304,7 @@ lemma insert_cap_child_corres:
|
|||
apply (wp set_cap_caps_of_state2 get_cap_wp static_imp_wp
|
||||
| simp add: swp_def cte_wp_at_caps_of_state)+
|
||||
apply (wp set_cap_idle |
|
||||
simp add:set_untyped_cap_as_full_def split del:split_if)+
|
||||
simp add:set_untyped_cap_as_full_def split del:if_split)+
|
||||
apply (rule_tac Q = "\<lambda>r s. not_idle_thread (fst child) s
|
||||
\<and> should_be_parent_of src_capa (is_original_cap s child) cap (cap_insert_dest_original cap src_capa)
|
||||
\<and> mdb_cte_at (swp (cte_wp_at (op \<noteq> cap.NullCap)) s) (cdt s)"
|
||||
|
@ -313,7 +313,7 @@ lemma insert_cap_child_corres:
|
|||
apply (clarsimp simp:mdb_cte_at_def cte_wp_at_caps_of_state)
|
||||
apply fastforce
|
||||
apply (wp get_cap_wp set_cap_idle static_imp_wp
|
||||
| simp split del:split_if add:set_untyped_cap_as_full_def)+
|
||||
| simp split del:if_split add:set_untyped_cap_as_full_def)+
|
||||
apply (rule_tac Q = "\<lambda>r s. not_idle_thread (fst child) s
|
||||
\<and> (\<exists>cap. caps_of_state s src = Some cap)
|
||||
\<and> should_be_parent_of src_capa (is_original_cap s src) cap (cap_insert_dest_original cap src_capa)
|
||||
|
@ -441,14 +441,14 @@ proof -
|
|||
({p, p'} \<union> dom (cdt s') \<union> ran (cdt s')) \<and> cdt s' p \<noteq> Some p")
|
||||
apply (elim conjE)
|
||||
apply (subst map_lift_over_if_eq)
|
||||
apply (erule subset_inj_on, auto elim!: ranE split: split_if_asm)[1]
|
||||
apply (erule subset_inj_on, auto elim!: ranE split: if_split_asm)[1]
|
||||
apply (rule sym)
|
||||
apply (simp add: Fun.swap_def split del: split_if)
|
||||
apply (simp add: Fun.swap_def split del: if_split)
|
||||
apply (subst map_lift_over_upd[unfolded fun_upd_def],
|
||||
((erule subset_inj_on, auto elim!: ranE split: split_if_asm)[1]))+
|
||||
((erule subset_inj_on, auto elim!: ranE split: if_split_asm)[1]))+
|
||||
apply (rule ext)
|
||||
apply (cases p, cases p')
|
||||
apply (simp split del: split_if)
|
||||
apply (simp split del: if_split)
|
||||
apply simp
|
||||
apply (subst subset_inj_on map_lift_over_f_eq[OF subset_inj_on],
|
||||
assumption, fastforce)+
|
||||
|
@ -1052,7 +1052,7 @@ lemma dcorres_ep_cancel_badge_sends:
|
|||
apply (simp add:valid_pspace_def)
|
||||
apply (clarsimp simp: restrict_map_def transform_def transform_objects_def)
|
||||
apply (clarsimp simp: ep_waiting_set_recv_def restrict_map_def transform_def
|
||||
split:split_if_asm dest!:get_tcb_rev elim!: CollectE)
|
||||
split:if_split_asm dest!:get_tcb_rev elim!: CollectE)
|
||||
apply (frule(1) valid_etcbs_get_tcb_get_etcb)
|
||||
apply (clarsimp simp: transform_tcb_def transform_objects_def infer_tcb_bound_notification_def
|
||||
is_thread_blocked_on_endpoint_def infer_tcb_pending_op_def infer_tcb_bound_notification_def tcb_pending_op_slot_def tcb_boundntfn_slot_def tcb_slot_defs
|
||||
|
@ -1089,11 +1089,11 @@ lemma transform_default_tcb:
|
|||
done
|
||||
|
||||
lemma dcorres_list_all2_mapM_':
|
||||
assumes w: "suffixeq xs oxs" "suffixeq ys oys"
|
||||
assumes y: "\<And>x xs y ys. \<lbrakk> F x y; suffixeq (x # xs) oxs; suffixeq (y # ys) oys \<rbrakk>
|
||||
assumes w: "suffix xs oxs" "suffix ys oys"
|
||||
assumes y: "\<And>x xs y ys. \<lbrakk> F x y; suffix (x # xs) oxs; suffix (y # ys) oys \<rbrakk>
|
||||
\<Longrightarrow> dcorres dc (P (x # xs)) (P' (y # ys)) (f x) (g y)"
|
||||
assumes z: "\<And>x y xs. \<lbrakk> F x y; suffixeq (x # xs) oxs \<rbrakk> \<Longrightarrow> \<lbrace>P (x # xs)\<rbrace> f x \<lbrace>\<lambda>rv. P xs\<rbrace>"
|
||||
"\<And>x y ys. \<lbrakk> F x y; suffixeq (y # ys) oys \<rbrakk> \<Longrightarrow> \<lbrace>P' (y # ys)\<rbrace> g y \<lbrace>\<lambda>rv. P' ys\<rbrace>"
|
||||
assumes z: "\<And>x y xs. \<lbrakk> F x y; suffix (x # xs) oxs \<rbrakk> \<Longrightarrow> \<lbrace>P (x # xs)\<rbrace> f x \<lbrace>\<lambda>rv. P xs\<rbrace>"
|
||||
"\<And>x y ys. \<lbrakk> F x y; suffix (y # ys) oys \<rbrakk> \<Longrightarrow> \<lbrace>P' (y # ys)\<rbrace> g y \<lbrace>\<lambda>rv. P' ys\<rbrace>"
|
||||
assumes x: "list_all2 F xs ys"
|
||||
shows "dcorres dc (P xs) (P' ys) (mapM_x f xs) (mapM_x g ys)"
|
||||
apply (insert x w)
|
||||
|
@ -1104,7 +1104,7 @@ lemma dcorres_list_all2_mapM_':
|
|||
apply (clarsimp simp add: mapM_x_def sequence_x_def)
|
||||
apply (rule corres_guard_imp)
|
||||
apply (rule corres_split [OF _ y])
|
||||
apply (clarsimp dest!: suffixeq_ConsD)
|
||||
apply (clarsimp dest!: suffix_ConsD)
|
||||
apply (erule meta_allE, (drule(1) meta_mp)+)
|
||||
apply assumption
|
||||
apply assumption
|
||||
|
@ -1115,7 +1115,7 @@ lemma dcorres_list_all2_mapM_':
|
|||
done
|
||||
|
||||
lemmas dcorres_list_all2_mapM_
|
||||
= dcorres_list_all2_mapM_' [OF suffixeq_refl suffixeq_refl]
|
||||
= dcorres_list_all2_mapM_' [OF suffix_refl suffix_refl]
|
||||
|
||||
lemma set_get_set_asid_pool:
|
||||
"do _ \<leftarrow> set_asid_pool a x; ap \<leftarrow> get_asid_pool a; set_asid_pool a (y ap) od = set_asid_pool a (y x)"
|
||||
|
@ -1271,7 +1271,7 @@ lemma dcorres_set_asid_pool_empty:
|
|||
apply (wp get_asid_pool_triv | clarsimp simp:typ_at_eq_kheap_obj obj_at_def swp_def)+
|
||||
apply (subgoal_tac "(aa, snd (transform_asid y)) \<in> set (map (Pair a) [0..<2 ^ ARM_A.asid_low_bits])")
|
||||
apply (clarsimp simp:set_map)
|
||||
apply (clarsimp simp del:set_map simp:suffixeq_def)
|
||||
apply (clarsimp simp del:set_map simp: suffix_def)
|
||||
apply (wp | clarsimp simp:swp_def)+
|
||||
apply (clarsimp simp:list_all2_iff transform_asid_def asid_low_bits_def set_zip)
|
||||
apply (clarsimp simp:unat_ucast upto_enum_def unat_of_nat)
|
||||
|
@ -2032,7 +2032,7 @@ lemma invoke_cnode_corres:
|
|||
apply (simp add: CSpace_A.invoke_cnode_def CNode_D.invoke_cnode_def
|
||||
translate_cnode_invocation_def
|
||||
split: Invocations_A.cnode_invocation.split
|
||||
split del: split_if)
|
||||
split del: if_split)
|
||||
apply (intro allI conjI impI)
|
||||
apply (rule corres_guard_imp, rule dcorres_insert_cap_combine)
|
||||
apply (rule refl)
|
||||
|
@ -2078,10 +2078,10 @@ lemma invoke_cnode_corres:
|
|||
apply (rule stronger_corres_guard_imp)
|
||||
apply (rule corres_split [OF _ get_cur_thread_corres])
|
||||
apply (rule corres_split [OF _ get_cap_corres])
|
||||
apply (simp add: transform_cap_is_Null split del: split_if)
|
||||
apply (simp add: transform_cap_is_Null split del: if_split)
|
||||
apply (rule corres_if_rhs2)
|
||||
apply (rule corres_trivial, simp add: when_False)
|
||||
apply (simp add: when_def split del: split_if)
|
||||
apply (simp add: when_def split del: if_split)
|
||||
apply (rule corres_if_rhs2)
|
||||
apply (rule corres_if_rhs2)
|
||||
apply (rule corres_trivial[OF corres_free_fail])
|
||||
|
@ -2156,7 +2156,7 @@ lemma decode_cnode_error_corres:
|
|||
apply (elim disjE)
|
||||
apply (clarsimp split: list.split_asm
|
||||
| rule corres_symb_exec_r_dcE[OF _ corres_trivial]
|
||||
| wp | simp split del: split_if)+
|
||||
| wp | simp split del: if_split)+
|
||||
done
|
||||
|
||||
lemma transform_cnode_index_and_depth_Some:
|
||||
|
|
|
@ -286,7 +286,7 @@ lemma caps_of_state_transform_opt_cap_no_idle:
|
|||
slots_of_def opt_object_def transform_def transform_objects_def
|
||||
transform_cnode_contents_def well_formed_cnode_n_def
|
||||
restrict_map_def
|
||||
split: option.splits split_if_asm nat.splits)
|
||||
split: option.splits if_split_asm nat.splits)
|
||||
apply (frule(1) eqset_imp_iff[THEN iffD1, OF _ domI])
|
||||
apply (simp add: nat_to_bl_zero_zero option_map_join_def)
|
||||
apply clarsimp
|
||||
|
@ -304,7 +304,7 @@ lemma caps_of_state_transform_opt_cap_no_idle:
|
|||
transform_tcb_def tcb_slot_defs infer_tcb_bound_notification_def
|
||||
tcb_pending_op_slot_def tcb_cap_cases_def tcb_boundntfn_slot_def
|
||||
bl_to_bin_tcb_cnode_index bl_to_bin_tcb_cnode_index_le0
|
||||
split: split_if_asm option.splits)
|
||||
split: if_split_asm option.splits)
|
||||
done
|
||||
|
||||
lemma transform_cap_Null [simp]:
|
||||
|
@ -2055,7 +2055,7 @@ lemma check_mapping_pptr_pt_relation:
|
|||
apply (rule hoare_pre, wp get_pte_wp)
|
||||
apply (clarsimp simp: obj_at_def)
|
||||
apply (clarsimp simp: a_type_def pt_page_relation_def
|
||||
split: Structures_A.kernel_object.split_asm split_if_asm
|
||||
split: Structures_A.kernel_object.split_asm if_split_asm
|
||||
arch_kernel_obj.split_asm)
|
||||
apply (simp split: ARM_A.pte.split_asm)
|
||||
done
|
||||
|
@ -2069,7 +2069,7 @@ lemma check_mapping_pptr_section_relation:
|
|||
apply (wp get_pde_wp)
|
||||
apply (clarsimp simp: obj_at_def)
|
||||
apply (clarsimp simp: a_type_def pd_section_relation_def pd_super_section_relation_def
|
||||
split: Structures_A.kernel_object.split_asm split_if_asm
|
||||
split: Structures_A.kernel_object.split_asm if_split_asm
|
||||
arch_kernel_obj.split_asm
|
||||
ARM_A.pde.split_asm)
|
||||
done
|
||||
|
@ -2082,7 +2082,7 @@ lemma check_mapping_pptr_super_section_relation:
|
|||
apply (wp get_pde_wp)
|
||||
apply (clarsimp simp: obj_at_def)
|
||||
apply (clarsimp simp: a_type_def pd_section_relation_def pd_super_section_relation_def
|
||||
split: Structures_A.kernel_object.split_asm split_if_asm
|
||||
split: Structures_A.kernel_object.split_asm if_split_asm
|
||||
arch_kernel_obj.split_asm
|
||||
ARM_A.pde.split_asm)
|
||||
done
|
||||
|
@ -3033,23 +3033,23 @@ proof -
|
|||
|
||||
apply (clarsimp simp:transform_def transform_current_thread_def
|
||||
transform_asid_table_def transform_objects_def
|
||||
transform_cdt_def split del: split_if)
|
||||
transform_cdt_def split del: if_split)
|
||||
apply (rule sym)
|
||||
apply (subgoal_tac "inj_on transform_cslot_ptr
|
||||
({slot_a, slot_b} \<union> dom (cdt s') \<union> ran (cdt s'))
|
||||
\<and> cdt s' slot_a \<noteq> Some slot_a \<and> cdt s' slot_b \<noteq> Some slot_b")
|
||||
apply (elim conjE)
|
||||
apply (subst map_lift_over_upd, erule subset_inj_on)
|
||||
apply (safe elim!: ranE, simp_all split: split_if_asm,
|
||||
apply (safe elim!: ranE, simp_all split: if_split_asm,
|
||||
simp_all add: ranI)[1]
|
||||
apply (subst map_lift_over_upd, erule subset_inj_on)
|
||||
apply (safe elim!: ranE, simp_all split: split_if_asm,
|
||||
apply (safe elim!: ranE, simp_all split: if_split_asm,
|
||||
simp_all add: ranI)[1]
|
||||
apply (subst map_lift_over_if_eq_twice)
|
||||
apply (erule subset_inj_on, fastforce)
|
||||
apply (rule ext)
|
||||
apply (cases slot_a, cases slot_b)
|
||||
apply (simp split del: split_if)
|
||||
apply (simp split del: if_split)
|
||||
apply (intro if_cong[OF refl],
|
||||
simp_all add: map_lift_over_eq_Some inj_on_eq_iff[where f=transform_cslot_ptr]
|
||||
ranI domI)[1]
|
||||
|
@ -3127,7 +3127,7 @@ lemma set_cap_noop_dcorres3:
|
|||
get_tcb_mrs_def)
|
||||
apply fastforce
|
||||
apply clarsimp
|
||||
apply (simp add: transform_cap_def split: cap.split_asm arch_cap.split_asm split_if_asm,
|
||||
apply (simp add: transform_cap_def split: cap.split_asm arch_cap.split_asm if_split_asm,
|
||||
simp_all add: get_ipc_buffer_words_def)
|
||||
done
|
||||
|
||||
|
@ -3162,7 +3162,7 @@ lemma corres_use_cutMon:
|
|||
\<Longrightarrow> corres_underlying sr False fl r P P' f g"
|
||||
apply atomize
|
||||
apply (simp add: corres_underlying_def cutMon_def fail_def
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
apply (clarsimp simp: split_def)
|
||||
done
|
||||
|
||||
|
@ -3170,7 +3170,7 @@ lemma corres_drop_cutMon:
|
|||
"corres_underlying sr False False r P P' f g
|
||||
\<Longrightarrow> corres_underlying sr False False r P P' f (cutMon Q g)"
|
||||
apply (simp add: corres_underlying_def cutMon_def fail_def
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
apply (clarsimp simp: split_def)
|
||||
done
|
||||
|
||||
|
@ -3178,7 +3178,7 @@ lemma corres_drop_cutMon_bind:
|
|||
"corres_underlying sr False False r P P' f (g >>= h)
|
||||
\<Longrightarrow> corres_underlying sr False False r P P' f (cutMon Q g >>= h)"
|
||||
apply (simp add: corres_underlying_def cutMon_def fail_def bind_def
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
apply (clarsimp simp: split_def)
|
||||
done
|
||||
|
||||
|
@ -3194,7 +3194,7 @@ lemma corres_cutMon:
|
|||
\<Longrightarrow> corres_underlying sr False False r P P' f (cutMon Q g)"
|
||||
apply atomize
|
||||
apply (simp add: corres_underlying_def cutMon_def fail_def
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
apply (clarsimp simp: split_def)
|
||||
done
|
||||
|
||||
|
@ -3577,7 +3577,7 @@ proof (induct arbitrary: S rule: rec_del.induct,
|
|||
done
|
||||
next
|
||||
case (2 slot exposed s S)
|
||||
note split_if[split del]
|
||||
note if_split[split del]
|
||||
have removeables:
|
||||
"\<And>s cap fin. \<lbrakk> cte_wp_at (op = cap) slot s; s \<turnstile> remainder_cap fin cap; invs s; valid_etcbs s;
|
||||
CSpace_A.cap_removeable (remainder_cap fin cap) slot \<rbrakk>
|
||||
|
@ -3587,7 +3587,7 @@ next
|
|||
apply (simp add: CSpace_D.cap_removeable_def)
|
||||
apply (clarsimp simp: remainder_cap_def valid_cap_simps
|
||||
cte_wp_at_caps_of_state
|
||||
split: cap.split_asm split_if_asm)
|
||||
split: cap.split_asm if_split_asm)
|
||||
apply (rename_tac word nat option)
|
||||
apply (frule valid_global_refsD2, clarsimp)
|
||||
apply (clarsimp simp: CSpace_D.cap_removeable_def)
|
||||
|
@ -3602,7 +3602,7 @@ next
|
|||
apply (frule zombie_cap_has_all[rotated -2], simp, clarsimp+)
|
||||
apply (clarsimp simp: tcb_at_def cap_range_def global_refs_def
|
||||
opt_cap_tcb
|
||||
split: option.split_asm split_if_asm | drule(1) valid_etcbs_get_tcb_get_etcb)+
|
||||
split: option.split_asm if_split_asm | drule(1) valid_etcbs_get_tcb_get_etcb)+
|
||||
apply (rule_tac x="tcb_cnode_index b" in exI)
|
||||
apply (clarsimp simp: transform_cslot_ptr_def dest!: get_tcb_SomeD)
|
||||
apply (rule conjI, rule sym, rule bl_to_bin_tcb_cnode_index)
|
||||
|
@ -3839,7 +3839,7 @@ next
|
|||
apply (rule corres_drop_cutMon)
|
||||
apply (simp add: liftE_bindE)
|
||||
apply (rule corres_symb_exec_r)
|
||||
apply (simp add: liftME_def[symmetric] split del: split_if)
|
||||
apply (simp add: liftME_def[symmetric] split del: if_split)
|
||||
apply (rule monadic_rewrite_corres2)
|
||||
apply (rule monadic_trancl_preemptible_return)
|
||||
apply (rule corres_if_rhs_only)
|
||||
@ -53,7 +53,7 @@ lemma tcb_cap_casesE:
|
|||
shows "R"
|
||||
using cs
|
||||
unfolding tcb_cap_cases_def
|
||||
apply (simp split: split_if_asm del: One_nat_def)
|
||||
apply (simp split: if_split_asm del: One_nat_def)
|
||||
apply (erule rules, fastforce+)+
|
||||
done
|
||||
|
||||
|
@ -168,21 +168,21 @@ lemma caps_of_object_update_state [simp]:
|
|||
"(\<lambda>n. map_option (\<lambda>(f, _). f (tcb_state_update stf tcb)) (tcb_cap_cases n)) =
|
||||
(\<lambda>n. map_option (\<lambda>(f, _). f tcb) (tcb_cap_cases n))"
|
||||
apply (rule ext)
|
||||
apply (simp add: tcb_cap_cases_def split: split_if)
|
||||
apply (simp add: tcb_cap_cases_def split: if_split)
|
||||
done
|
||||
|
||||
lemma caps_of_object_update_boundntfn [simp]:
|
||||
"(\<lambda>n. map_option (\<lambda>(f, _). f (tcb_bound_notification_update stf tcb)) (tcb_cap_cases n)) =
|
||||
(\<lambda>n. map_option (\<lambda>(f, _). f tcb) (tcb_cap_cases n))"
|
||||
apply (rule ext)
|
||||
apply (simp add: tcb_cap_cases_def split: split_if)
|
||||
apply (simp add: tcb_cap_cases_def split: if_split)
|
||||
done
|
||||
|
||||
lemma caps_of_object_update_context [simp]:
|
||||
"(\<lambda>n. map_option (\<lambda>(f, _). f (tcb_arch_update (tcb_context_update stf) tcb)) (tcb_cap_cases n)) =
|
||||
(\<lambda>n. map_option (\<lambda>(f, _). f tcb) (tcb_cap_cases n))"
|
||||
apply (rule ext)
|
||||
apply (simp add: tcb_cap_cases_def split: split_if)
|
||||
apply (simp add: tcb_cap_cases_def split: if_split)
|
||||
done
|
||||
|
||||
definition
|
||||
|
@ -1032,7 +1032,7 @@ lemma cdl_get_ipc_buffer_None:
|
|||
apply (simp add:obj_at_def get_tcb_rev not_idle_thread_def | drule(1) valid_etcbs_tcb_etcb | fastforce simp: get_etcb_rev)+
|
||||
apply (clarsimp simp: assert_opt_def return_def split: cdl_cap.splits)
|
||||
apply (clarsimp simp:transform_cap_def split:cap.splits arch_cap.splits)
|
||||
apply (auto simp:cte_wp_at_cases split:split_if_asm)
|
||||
apply (auto simp:cte_wp_at_cases split:if_split_asm)
|
||||
done
|
||||
|
||||
lemma cdl_get_ipc_buffer_Some:
|
||||
|
@ -1103,15 +1103,15 @@ lemma get_tcb_mrs_wp:
|
|||
apply (clarsimp simp:get_mrs_def thread_get_def gets_the_def)
|
||||
apply (wp|wpc)+
|
||||
apply (clarsimp simp:get_tcb_mrs_def Let_def)
|
||||
apply (clarsimp simp:Suc_leI[OF msg_registers_lt_msg_max_length] split del:split_if)
|
||||
apply (clarsimp simp:Suc_leI[OF msg_registers_lt_msg_max_length] split del:if_split)
|
||||
apply (clarsimp simp:get_tcb_message_info_def get_ipc_buffer_words_empty)
|
||||
apply (clarsimp dest!:get_tcb_SomeD simp:obj_at_def)
|
||||
apply (clarsimp simp:get_mrs_def thread_get_def gets_the_def)
|
||||
apply (clarsimp simp:Suc_leI[OF msg_registers_lt_msg_max_length] split del:split_if)
|
||||
apply (clarsimp simp:Suc_leI[OF msg_registers_lt_msg_max_length] split del:if_split)
|
||||
apply (wp|wpc)+
|
||||
apply (rule_tac P = "tcb = obj" in hoare_gen_asm)
|
||||
apply (clarsimp simp: get_tcb_mrs_def Let_def get_tcb_message_info_def Suc_leI[OF msg_registers_lt_msg_max_length]
|
||||
split del:split_if)
|
||||
split del:if_split)
|
||||
apply (rule_tac Q="\<lambda>buf_mrs s. buf_mrs =
|
||||
(get_ipc_buffer_words (machine_state sa) obj ([Suc (length msg_registers)..<msg_max_length] @ [msg_max_length]))"
|
||||
in hoare_strengthen_post)
|
||||
|
@ -1567,16 +1567,16 @@ lemma store_word_corres_helper:
|
|||
apply clarsimp
|
||||
apply (rule conjI)
|
||||
apply (clarsimp simp:restrict_map_def transform_object_def transform_tcb_def
|
||||
split:cdl_object.split_asm Structures_A.kernel_object.split_asm split_if_asm)
|
||||
split:cdl_object.split_asm Structures_A.kernel_object.split_asm if_split_asm)
|
||||
apply (drule(1) valid_etcbs_tcb_etcb,
|
||||
clarsimp simp:restrict_map_def transform_object_def transform_tcb_def
|
||||
split:cdl_object.split_asm Structures_A.kernel_object.split_asm split_if_asm)+
|
||||
split:cdl_object.split_asm Structures_A.kernel_object.split_asm if_split_asm)+
|
||||
defer
|
||||
apply (drule(1) valid_etcbs_tcb_etcb,
|
||||
clarsimp simp:restrict_map_def transform_object_def transform_tcb_def
|
||||
split:cdl_object.split_asm Structures_A.kernel_object.split_asm split_if_asm)+
|
||||
split:cdl_object.split_asm Structures_A.kernel_object.split_asm if_split_asm)+
|
||||
defer
|
||||
apply (simp add:tcb_ipcframe_id_def tcb_boundntfn_slot_def tcb_ipcbuffer_slot_def split:split_if_asm)
|
||||
apply (simp add:tcb_ipcframe_id_def tcb_boundntfn_slot_def tcb_ipcbuffer_slot_def split:if_split_asm)
|
||||
apply (simp add:tcb_ipcbuffer_slot_def tcb_pending_op_slot_def)
|
||||
apply (frule_tac thread = thread in valid_tcb_objs)
|
||||
apply (simp add: get_tcb_rev)
|
||||
|
@ -1585,7 +1585,7 @@ lemma store_word_corres_helper:
|
|||
apply (case_tac "\<not> is_arch_page_cap (tcb_ipcframe tcb)")
|
||||
apply (simp add:transform_full_intent_no_ipc_buffer)
|
||||
apply (clarsimp simp del:upt.simps simp:transform_full_intent_def Let_def get_tcb_mrs_def is_arch_page_cap_def
|
||||
split:cap.split_asm arch_cap.split_asm split del:split_if)
|
||||
split:cap.split_asm arch_cap.split_asm split del:if_split)
|
||||
apply (rename_tac word cap_rights vmpage_size option)
|
||||
apply (clarsimp simp:transform_cap_def arch_cap.split_asm simp del:upt.simps)
|
||||
apply (frule_tac thread = thread and ptr = ptr and sz = sz
|
||||
|
@ -1703,7 +1703,7 @@ lemma dcorres_store_word_safe:
|
|||
apply (clarsimp simp del:upt.simps
|
||||
simp: Let_def get_tcb_mrs_def is_arch_page_cap_def
|
||||
split:cap.split_asm arch_cap.split_asm
|
||||
split del: split_if)
|
||||
split del: if_split)
|
||||
apply (frule valid_tcb_objs, erule get_tcb_rev)
|
||||
apply (clarsimp simp: valid_tcb_def tcb_cap_cases_def valid_ipc_buffer_cap_def
|
||||
simp del: upt.simps)
|
||||
|
@ -1867,7 +1867,7 @@ lemma zip_store_word_corres:
|
|||
and (ipc_frame_sz_at sz s_id) and (ipc_frame_ptr_at buf s_id) and valid_etcbs)
|
||||
(corrupt_frame buf)
|
||||
(zipWithM_x (store_word_offs base) xs ys)"
|
||||
apply (clarsimp simp:zipWithM_x_mapM_x split del: split_if)
|
||||
apply (clarsimp simp:zipWithM_x_mapM_x split del: if_split)
|
||||
apply (induct xs arbitrary: ys)
|
||||
apply (clarsimp simp: mapM_x_Cons)
|
||||
apply (clarsimp simp: mapM_x_Nil)
|
||||
|
@ -2119,7 +2119,7 @@ shows "dcorres dc \<top> P (corrupt_frame buf) g"
|
|||
apply (drule_tac x = xa in fun_cong)
|
||||
apply (case_tac xa)
|
||||
apply (clarsimp simp:not_idle_thread_def tcb_ipcframe_id_def restrict_map_def transform_objects_def
|
||||
split: split_if)
|
||||
split: if_split)
|
||||
apply (clarsimp dest!:get_tcb_rev simp: transform_objects_tcb tcb_ipcbuffer_slot_def
|
||||
tcb_pending_op_slot_def tcb_boundntfn_slot_def)
|
||||
apply (clarsimp simp: tcb_ipcbuffer_slot_def tcb_ipcframe_id_def | rule conjI)+
|
||||
@ -321,7 +321,7 @@ lemma mr_opt_cap_into_object:
|
|||
lemma monadic_rewrite_assert2:
|
||||
"\<lbrakk> Q \<Longrightarrow> monadic_rewrite F E P (f ()) g \<rbrakk>
|
||||
\<Longrightarrow> monadic_rewrite F E ((\<lambda>s. Q \<longrightarrow> P s) and (\<lambda>_. Q)) (assert Q >>= f) g"
|
||||
apply (simp add: assert_def split: split_if)
|
||||
apply (simp add: assert_def split: if_split)
|
||||
apply (simp add: monadic_rewrite_def fail_def)
|
||||
done
|
||||
|
||||
|
@ -910,31 +910,31 @@ apply (wp not_idle_after_blocked_cancel_ipc not_idle_after_reply_cancel_ipc
|
|||
done
|
||||
|
||||
lemma send_signal_corres:
|
||||
notes split_if [split del]
|
||||
notes if_split [split del]
|
||||
shows
|
||||
"ep_id = epptr \<Longrightarrow> dcorres dc \<top> (invs and valid_etcbs)
|
||||
(Endpoint_D.send_signal ep_id)
|
||||
(Ipc_A.send_signal epptr badge)"
|
||||
apply (unfold Endpoint_D.send_signal_def Ipc_A.send_signal_def invs_def)
|
||||
apply (rule dcorres_expand_pfx)
|
||||
apply (clarsimp simp:get_notification_def get_object_def gets_def bind_assoc split: split_if)
|
||||
apply (clarsimp simp:get_notification_def get_object_def gets_def bind_assoc split: if_split)
|
||||
apply (rule dcorres_absorb_get_r)
|
||||
apply (clarsimp simp:assert_def corres_free_fail split:Structures_A.kernel_object.splits split_if )
|
||||
apply (clarsimp simp:assert_def corres_free_fail split:Structures_A.kernel_object.splits if_split )
|
||||
apply (rename_tac ntfn_ext)
|
||||
apply (case_tac "ntfn_obj ntfn_ext", clarsimp)
|
||||
apply (case_tac "ntfn_bound_tcb ntfn_ext", clarsimp)
|
||||
-- "Idle, not bound"
|
||||
apply (rule corres_alternate1)
|
||||
apply (rule dcorres_absorb_get_l)
|
||||
apply (clarsimp split del: split_if)
|
||||
apply (clarsimp split del: if_split)
|
||||
apply (frule valid_objs_valid_ntfn_simp[rotated])
|
||||
apply (simp add:valid_state_def valid_pspace_def split del: split_if)
|
||||
apply (simp add:gets_def bind_assoc option_select_def split del: split_if)
|
||||
apply (simp add:valid_state_def valid_pspace_def split del: if_split)
|
||||
apply (simp add:gets_def bind_assoc option_select_def split del: if_split)
|
||||
apply (frule get_notification_pick,simp)
|
||||
apply (clarsimp simp:ntfn_waiting_set_lift valid_state_def valid_ntfn_abstract_def none_is_waiting_ntfn_def)
|
||||
apply (rule corres_guard_imp,rule corres_dummy_set_notification,simp+)[1]
|
||||
-- "Idle, bound"
|
||||
apply (clarsimp simp: get_thread_state_def thread_get_def gets_the_def gets_def bind_assoc split del: split_if)
|
||||
apply (clarsimp simp: get_thread_state_def thread_get_def gets_the_def gets_def bind_assoc split del: if_split)
|
||||
apply (rule dcorres_absorb_get_r)
|
||||
apply (clarsimp simp: assert_opt_def corres_free_fail split: Structures_A.kernel_object.splits option.splits)
|
||||
apply (case_tac "receive_blocked (tcb_state x2)")
|
||||
|
@ -944,7 +944,7 @@ lemma send_signal_corres:
|
|||
apply (clarsimp simp: send_signal_bound_def gets_def)
|
||||
apply (rule dcorres_absorb_get_l)
|
||||
apply (clarsimp simp: receive_blocked_waiting_syncs)
|
||||
apply (clarsimp simp: IpcCancel_A.cancel_ipc_def get_thread_state_def thread_get_def gets_the_def gets_def bind_assoc split del: split_if)
|
||||
apply (clarsimp simp: IpcCancel_A.cancel_ipc_def get_thread_state_def thread_get_def gets_the_def gets_def bind_assoc split del: if_split)
|
||||
apply (rule dcorres_absorb_get_r)
|
||||
apply (clarsimp simp: assert_opt_def corres_free_fail split: Structures_A.kernel_object.splits option.splits)
|
||||
apply (simp add: receive_blocked_def)
|
||||
|
@ -969,22 +969,22 @@ lemma send_signal_corres:
|
|||
apply clarsimp
|
||||
apply (rule corres_alternate1)
|
||||
apply (rule dcorres_absorb_get_l)
|
||||
apply (clarsimp split del: split_if)
|
||||
apply (clarsimp split del: if_split)
|
||||
apply (frule valid_objs_valid_ntfn_simp[rotated])
|
||||
apply (simp add:valid_state_def valid_pspace_def split del: split_if)
|
||||
apply (simp add:gets_def bind_assoc option_select_def split del: split_if)
|
||||
apply (simp add:valid_state_def valid_pspace_def split del: if_split)
|
||||
apply (simp add:gets_def bind_assoc option_select_def split del: if_split)
|
||||
apply (frule get_notification_pick,simp)
|
||||
apply (clarsimp simp:ntfn_waiting_set_lift valid_state_def valid_ntfn_abstract_def none_is_waiting_ntfn_def)
|
||||
apply (rule corres_guard_imp,rule corres_dummy_set_notification,simp+)[1]
|
||||
-- "Waiting"
|
||||
apply (rule corres_alternate1)
|
||||
apply (rule dcorres_absorb_get_l)
|
||||
apply (clarsimp split del: split_if)
|
||||
apply (clarsimp split del: if_split)
|
||||
apply (frule valid_objs_valid_ntfn_simp[rotated])
|
||||
apply (simp add:valid_state_def valid_pspace_def split del: split_if)
|
||||
apply (simp add:valid_state_def valid_pspace_def split del: if_split)
|
||||
apply (simp add:gets_def bind_assoc option_select_def)
|
||||
apply (frule get_notification_pick,simp)
|
||||
apply (clarsimp simp:ntfn_waiting_set_lift valid_state_def valid_ntfn_abstract_def split: split_if)
|
||||
apply (clarsimp simp:ntfn_waiting_set_lift valid_state_def valid_ntfn_abstract_def split: if_split)
|
||||
apply (rule conjI)
|
||||
apply (clarsimp simp: dest!:not_empty_list_not_empty_set)
|
||||
apply (clarsimp simp:neq_Nil_conv)
|
||||
|
@ -1000,9 +1000,9 @@ lemma send_signal_corres:
|
|||
-- "Active"
|
||||
apply (rule corres_alternate1)
|
||||
apply (rule dcorres_absorb_get_l)
|
||||
apply (clarsimp split del: split_if)
|
||||
apply (clarsimp split del: if_split)
|
||||
apply (frule valid_objs_valid_ntfn_simp[rotated])
|
||||
apply (simp add:valid_state_def valid_pspace_def split del: split_if)
|
||||
apply (simp add:valid_state_def valid_pspace_def split del: if_split)
|
||||
apply (clarsimp simp:gets_def bind_assoc option_select_def)
|
||||
apply (frule get_notification_pick,simp)
|
||||
apply (clarsimp simp:ntfn_waiting_set_lift valid_state_def valid_ntfn_abstract_def none_is_waiting_ntfn_def)
|
||||
|
@ -1287,7 +1287,7 @@ lemma ipc_buffer_wp_at_cap_insert_ext[wp]:
|
|||
lemma ipc_buffer_wp_at_cap_insert[wp]:
|
||||
"\<lbrace>ipc_buffer_wp_at buf t :: det_state \<Rightarrow> bool \<rbrace> cap_insert cap' (slot_ptr, slot_idx) a \<lbrace>\<lambda>r. ipc_buffer_wp_at buf t\<rbrace>"
|
||||
apply (simp add:cap_insert_def set_untyped_cap_as_full_def)
|
||||
apply (wp|simp split del:split_if)+
|
||||
apply (wp|simp split del:if_split)+
|
||||
apply (rule_tac Q = "\<lambda>r. ipc_buffer_wp_at buf t" in hoare_strengthen_post)
|
||||
apply wp
|
||||
apply (clarsimp simp:ipc_buffer_wp_at_def)
|
||||
|
@ -1317,7 +1317,7 @@ lemma cap_insert_cte_wp_at_masked_as_full:
|
|||
cap_insert cap src dest \<lbrace>\<lambda>uu. cte_wp_at P slot\<rbrace>"
|
||||
apply (simp add:cap_insert_def set_untyped_cap_as_full_def)
|
||||
apply (wp set_cap_cte_wp_at hoare_vcg_if_lift get_cap_wp static_imp_wp dxo_wp_weak
|
||||
| simp split del:split_if)+
|
||||
| simp split del:if_split)+
|
||||
apply (intro conjI impI allI |
|
||||
clarsimp simp:cte_wp_at_caps_of_state)+
|
||||
apply (drule assms)
|
||||
|
@ -1358,7 +1358,7 @@ next
|
|||
show ?case
|
||||
apply (cases p)
|
||||
apply (rename_tac cap slot_ptr slot_idx)
|
||||
apply (clarsimp simp: const_on_failure_def split del: split_if)
|
||||
apply (clarsimp simp: const_on_failure_def split del: if_split)
|
||||
apply (case_tac "is_ep_cap cap \<and> ep' = Some (obj_ref_of cap)")
|
||||
apply (subgoal_tac "Types_D.is_ep_cap (transform_cap cap) \<and>
|
||||
(\<exists>z. ep' = Some z \<and> z = cap_object (transform_cap cap))")
|
||||
|
@ -1384,13 +1384,13 @@ next
|
|||
(\<exists>z. ep' = Some z \<and> z = cap_object (transform_cap cap)))")
|
||||
prefer 2
|
||||
apply (clarsimp simp: is_cap_simps cap_type_simps split: cdl_cap.splits)
|
||||
apply (simp del: de_Morgan_conj split del: split_if)
|
||||
apply (simp del: de_Morgan_conj split del: if_split)
|
||||
apply (case_tac dests)
|
||||
apply (simp add: dest_of_def returnOk_liftE catch_liftE)
|
||||
apply (case_tac list)
|
||||
prefer 2
|
||||
apply simp
|
||||
apply (simp (no_asm_simp) add: dest_of_def split del: split_if)
|
||||
apply (simp (no_asm_simp) add: dest_of_def split del: if_split)
|
||||
apply (subst bindE_assoc [symmetric])
|
||||
apply (rule corres_guard_imp)
|
||||
apply (rule corres_split_catch [where f=dc and E="\<top>\<top>" and E'="\<top>\<top>"])
|
||||
|
@ -1429,7 +1429,7 @@ next
|
|||
apply (clarsimp)
|
||||
apply (rule hoareE_TrueI)
|
||||
apply (rule validE_R_validE)
|
||||
apply (simp add:conj_comms ball_conj_distrib split del:split_if)
|
||||
apply (simp add:conj_comms ball_conj_distrib split del:if_split)
|
||||
apply (rule_tac Q' ="\<lambda>cap' s. (cap'\<noteq> cap.NullCap \<longrightarrow>(
|
||||
(cte_wp_at (is_derived (cdt s) (slot_ptr, slot_idx) cap') (slot_ptr, slot_idx) s)
|
||||
\<and> pspace_aligned s \<and> pspace_distinct s \<and> valid_objs s \<and> valid_idle s
|
||||
|
@ -1448,8 +1448,8 @@ next
|
|||
apply (rule derive_cap_is_derived)
|
||||
apply (rule derive_cap_is_derived_foo)
|
||||
apply wp
|
||||
apply (simp split del: split_if)
|
||||
apply (clarsimp split del: split_if cong: conj_cong)
|
||||
apply (simp split del: if_split)
|
||||
apply (clarsimp split del: if_split cong: conj_cong)
|
||||
apply (rule conjI)
|
||||
apply (clarsimp simp: valid_mdb_def mdb_cte_at_def cte_wp_at_caps_of_state)
|
||||
apply fast
|
||||
|
@ -1460,7 +1460,7 @@ next
|
|||
apply (case_tac "cap = capa")
|
||||
apply (clarsimp simp:cap_master_cap_simps remove_rights_def)+
|
||||
apply (clarsimp simp:masked_as_full_def is_cap_simps cap_master_cap_def)
|
||||
apply (clarsimp split del: split_if)
|
||||
apply (clarsimp split del: if_split)
|
||||
apply (clarsimp simp: cte_wp_at_caps_of_state not_idle_thread_def)
|
||||
apply (rule conjI)
|
||||
apply (clarsimp simp: not_idle_thread_def valid_idle_def pred_tcb_at_def
|
||||
|
@ -1475,11 +1475,11 @@ next
|
|||
apply (rule rev_mp[OF _ real_cte_tcb_valid])
|
||||
apply simp
|
||||
apply (rule context_conjI)
|
||||
apply (clarsimp split:split_if_asm simp:remove_rights_def)
|
||||
apply (clarsimp split:if_split_asm simp:remove_rights_def)
|
||||
apply (intro conjI ballI)
|
||||
apply (drule(1) bspec,clarsimp)+
|
||||
apply (case_tac "capb = aa")
|
||||
apply (clarsimp simp:masked_as_full_def split:split_if_asm)
|
||||
apply (clarsimp simp:masked_as_full_def split:if_split_asm)
|
||||
by (clarsimp simp:masked_as_full_def free_index_update_def is_cap_simps)
|
||||
qed
|
||||
|
||||
|
@ -2249,7 +2249,7 @@ lemma dcorres_set_thread_state_Restart:
|
|||
apply ((clarsimp simp:tcb_caller_slot_def infer_tcb_pending_op_def cap_counts_def
|
||||
tcb_pending_op_slot_def tcb_cspace_slot_def tcb_replycap_slot_def
|
||||
tcb_vspace_slot_def PageTableUnmap_D.is_final_cap'_def
|
||||
PageTableUnmap_D.is_final_cap_def split:split_if_asm Structures_A.thread_state.splits
|
||||
PageTableUnmap_D.is_final_cap_def split:if_split_asm Structures_A.thread_state.splits
|
||||
| wp exs_valid_return exs_valid_gets)+)[1]
|
||||
apply clarsimp
|
||||
apply (subst fast_finalise_no_effect)
|
||||
|
@ -2260,7 +2260,7 @@ lemma dcorres_set_thread_state_Restart:
|
|||
apply (clarsimp simp:tcb_caller_slot_def infer_tcb_pending_op_def cap_counts_def
|
||||
tcb_pending_op_slot_def tcb_cspace_slot_def tcb_replycap_slot_def
|
||||
tcb_vspace_slot_def PageTableUnmap_D.is_final_cap'_def
|
||||
PageTableUnmap_D.is_final_cap_def split:split_if_asm Structures_A.thread_state.splits
|
||||
PageTableUnmap_D.is_final_cap_def split:if_split_asm Structures_A.thread_state.splits
|
||||
| wp exs_valid_return exs_valid_gets)+
|
||||
apply (frule(1) valid_etcbs_get_tcb_get_etcb, clarsimp simp: get_etcb_def)
|
||||
apply (subst opt_cap_tcb)
|
||||
|
@ -2489,7 +2489,7 @@ lemma dcorres_receive_sync:
|
|||
apply (rule corres_symb_exec_r)
|
||||
apply (rule_tac F="sender_state = tcb_state t" in corres_gen_asm2)
|
||||
apply (clarsimp dest!:get_tcb_SomeD simp:dc_def[symmetric]
|
||||
split del:if_splits split:split_if_asm)
|
||||
split del:if_splits split:if_split_asm)
|
||||
apply (rule corres_guard_imp)
|
||||
apply (rule corres_split[OF _ corres_complete_ipc_transfer])
|
||||
prefer 2
|
||||
|
@ -2701,19 +2701,19 @@ lemma send_sync_ipc_corres:
|
|||
apply (clarsimp simp: dest!: not_empty_list_not_empty_set)
|
||||
apply (rename_tac list)
|
||||
apply (drule_tac s = "set list" in sym)
|
||||
apply (clarsimp simp: bind_assoc neq_Nil_conv split del:split_if)
|
||||
apply (clarsimp simp: bind_assoc neq_Nil_conv split del:if_split)
|
||||
apply (rule_tac P1="\<top>" and P'="op = s'a" and x1 = y
|
||||
in dcorres_absorb_pfx[OF select_pick_corres[OF dcorres_expand_pfx]])
|
||||
defer
|
||||
apply (simp+)[3]
|
||||
apply (simp split del:split_if)
|
||||
apply (simp split del:if_split)
|
||||
apply (drule_tac x1 = y in iffD2[OF eqset_imp_iff], simp)
|
||||
apply (clarsimp simp:obj_at_def dc_def[symmetric] split del:split_if)
|
||||
apply (clarsimp simp:obj_at_def dc_def[symmetric] split del:if_split)
|
||||
apply (subst when_def)+
|
||||
apply (rule corres_guard_imp)
|
||||
apply (rule dcorres_symb_exec_r)
|
||||
apply (rule corres_symb_exec_r)
|
||||
apply (case_tac "recv_state"; simp add: corres_free_fail split del: split_if)
|
||||
apply (case_tac "recv_state"; simp add: corres_free_fail split del: if_split)
|
||||
apply (rule corres_split[OF _ corres_complete_ipc_transfer])
|
||||
apply (rule corres_split[OF _ set_thread_state_corres])
|
||||
apply (rule dcorres_rhs_noop_above[OF attempt_switch_to_dcorres])
|
||||
|
|
|||
apply clarsimp
|
||||
apply (induct rule: trancl_induct)
|
||||
apply (fastforce simp: KHeap_D.cdt_parent_rel_def KHeap_D.is_cdt_parent_def s'_def
|
||||
split: split_if_asm
|
||||
split: if_split_asm
|
||||
intro: trancl_trans)
|
||||
apply (erule trancl_trans)
|
||||
apply (fastforce simp: KHeap_D.cdt_parent_rel_def KHeap_D.is_cdt_parent_def s'_def
|
||||
split: split_if_asm
|
||||
split: if_split_asm
|
||||
intro: trancl_trans)
|
||||
done
|
||||
}
|
||||
|
@ -309,7 +309,7 @@ lemma caps_of_state_transform_opt_cap:
|
|||
transform_tcb_def tcb_slot_defs tcb_slots
|
||||
tcb_pending_op_slot_def tcb_cap_cases_def
|
||||
bl_to_bin_tcb_cnode_index bl_to_bin_tcb_cnode_index_le0
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
done
|
||||
|
||||
lemma cap_slot_cnode_property_lift:
|
||||
|
@ -489,7 +489,7 @@ lemma final_cap_set_map:
|
|||
apply (thin_tac "opt_cap x y = Q" for x y Q)
|
||||
apply (auto simp: transform_cap_def cap_has_object_def cap_object_simps
|
||||
cap_counts_def cdl_cap_irq_def
|
||||
split: cap.splits arch_cap.splits split_if_asm)
|
||||
split: cap.splits arch_cap.splits if_split_asm)
|
||||
done
|
||||
|
||||
lemma opt_cap_wp_at_ex_opt_cap:
|
||||
|
@ -594,7 +594,7 @@ lemma get_object_corres:
|
|||
apply (clarsimp simp: KHeap_A.get_object_def gets_the_def)
|
||||
apply (rule corres_split'[OF _ _ gets_sp gets_sp, where r'=dc])
|
||||
apply simp
|
||||
apply (clarsimp simp: assert_def corres_free_fail split: split_if)
|
||||
apply (clarsimp simp: assert_def corres_free_fail split: if_split)
|
||||
apply (rule_tac F="rv = Some (transform_object undefined 0 etcb' y)" in corres_req)
|
||||
apply (simp_all add: assert_opt_def)
|
||||
apply (clarsimp simp: opt_object_def transform_def transform_objects_def
|
||||
|
@ -714,7 +714,7 @@ lemma transform_full_intent_same_cap:
|
|||
apply (simp add: is_cap_simps)
|
||||
apply (cases "tcb_ipcframe tcb", simp_all)
|
||||
apply (simp add:transform_cap_def is_cap_simps
|
||||
split:cap.splits split_if_asm arch_cap.splits)+
|
||||
split:cap.splits if_split_asm arch_cap.splits)+
|
||||
done
|
||||
|
||||
lemma set_cap_corres:
|
||||
|
@ -737,9 +737,9 @@ proof -
|
|||
apply (rename_tac s s')
|
||||
apply (clarsimp simp:assert_def corres_free_fail)
|
||||
apply (rename_tac obj')
|
||||
apply (case_tac obj', simp_all add:corres_free_fail split del: split_if)
|
||||
apply (case_tac obj', simp_all add:corres_free_fail split del: if_split)
|
||||
-- "cnode or IRQ Node case"
|
||||
apply (clarsimp simp: corres_free_fail split: split_if)
|
||||
apply (clarsimp simp: corres_free_fail split: if_split)
|
||||
apply (rename_tac sz cn ocap)
|
||||
apply (clarsimp simp: corres_underlying_def in_monad set_object_def cte_wp_at_cases caps_of_state_cte_wp_at)
|
||||
apply (clarsimp simp: opt_object_def)
|
||||
|
@ -767,7 +767,7 @@ proof -
|
|||
apply (clarsimp simp: cdl_objects_tcb opt_object_def
|
||||
assert_opt_def has_slots_def object_slots_def
|
||||
update_slots_def
|
||||
split del: split_if)
|
||||
split del: if_split)
|
||||
apply (case_tac "nat (bl_to_bin sl') = tcb_ipcbuffer_slot")
|
||||
apply (simp add: tcb_slots tcb_pending_op_slot_def)
|
||||
apply (clarsimp simp: bl_to_bin_tcb_cnode_index|rule conjI)+
|
||||
|
@ -1343,7 +1343,7 @@ lemma dcorres_gets_all_param:
|
|||
lemma empty_slot_ext_dcorres: "dcorres dc P P' (return ()) (empty_slot_ext slot v)"
|
||||
apply (clarsimp simp: empty_slot_ext_def)
|
||||
apply (auto simp: corres_underlying_def update_cdt_list_def set_cdt_list_def
|
||||
modify_def bind_def put_def gets_def get_def return_def split: option.splits split_if)
|
||||
modify_def bind_def put_def gets_def get_def return_def split: option.splits if_split)
|
||||
done
|
||||
|
||||
lemma empty_slot_corres:
|
||||
|
@ -2532,7 +2532,7 @@ lemma dcorres_ntfn_bound_tcb:
|
|||
apply (rule dcorres_absorb_get_l)
|
||||
apply (clarsimp simp: assert_def corres_free_fail split: Structures_A.kernel_object.splits )
|
||||
apply (frule get_notification_pick, simp)
|
||||
apply (clarsimp simp: valid_ntfn_abstract_def ntfn_bound_set_lift valid_state_def option_select_def split del: split_if)
|
||||
apply (clarsimp simp: valid_ntfn_abstract_def ntfn_bound_set_lift valid_state_def option_select_def split del: if_split)
|
||||
done
|
||||
|
||||
lemma option_set_option_select:
|
||||
|
@ -2606,12 +2606,12 @@ lemma unbind_notification_valid_state[wp]:
|
|||
defer 4
|
||||
apply (auto elim!: obj_at_weakenE obj_at_valid_objsE if_live_then_nonz_capD2
|
||||
simp: valid_ntfn_set_bound_None is_ntfn valid_obj_def)[8]
|
||||
apply (clarsimp simp: split_if)
|
||||
apply (clarsimp simp: if_split)
|
||||
apply (rule delta_sym_refs, assumption)
|
||||
apply (fastforce simp: obj_at_def is_tcb
|
||||
dest!: pred_tcb_at_tcb_at ko_at_state_refs_ofD
|
||||
split: split_if_asm)
|
||||
apply (clarsimp split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
apply (clarsimp split: if_split_asm)
|
||||
apply (frule pred_tcb_at_tcb_at)
|
||||
apply (frule_tac p=t in obj_at_ko_at, clarsimp)
|
||||
apply (subst (asm) ko_at_state_refs_ofD, assumption)
|
||||
|
@ -2635,12 +2635,12 @@ lemma unbind_maybe_notification_valid_state[wp]:
|
|||
defer 4
|
||||
apply (auto elim!: obj_at_weakenE obj_at_valid_objsE if_live_then_nonz_capD2
|
||||
simp: valid_ntfn_set_bound_None is_ntfn valid_obj_def)[8]
|
||||
apply (clarsimp simp: split_if)
|
||||
apply (clarsimp simp: if_split)
|
||||
apply (rule delta_sym_refs, assumption)
|
||||
apply (fastforce simp: obj_at_def is_tcb
|
||||
dest!: pred_tcb_at_tcb_at ko_at_state_refs_ofD
|
||||
split: split_if_asm)
|
||||
apply (clarsimp split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
apply (clarsimp split: if_split_asm)
|
||||
apply (clarsimp simp: obj_at_def)
|
||||
apply (frule_tac P="op = (Some a)" in ntfn_bound_tcb_at, simp+)
|
||||
apply (frule pred_tcb_at_tcb_at)
|
||||
|
@ -2952,7 +2952,7 @@ lemma delete_cap_simple_corres:
|
|||
apply (subst is_final_cap_corres)
|
||||
apply simp+
|
||||
apply (wp|clarsimp)+
|
||||
apply (clarsimp simp:transform_cap_def split:cap.splits arch_cap.splits split_if_asm)
|
||||
apply (clarsimp simp:transform_cap_def split:cap.splits arch_cap.splits if_split_asm)
|
||||
apply (rule get_cap_corres)
|
||||
apply simp
|
||||
apply (clarsimp simp:not_idle_thread_def |wp get_cap_cte_wp_at_rv)+
|
||||
|
@ -3098,7 +3098,7 @@ lemma branch_map_simp2:
|
|||
apply (subst to_bl_bin[symmetric])
|
||||
apply (rule arg_cong[where f = bl_to_bin])
|
||||
apply (simp add:word_rep_drop)+
|
||||
apply (clarsimp simp:List.take_drop prefixeq_def less_eq_list_def)
|
||||
apply (clarsimp simp:List.take_drop prefix_def less_eq_list_def)
|
||||
apply (rule_tac x = "(drop nata zs)" in exI)
|
||||
apply simp
|
||||
apply (simp add:word_rep_drop)
|
||||
|
|
|
@ -20,12 +20,12 @@ lemma getActiveTCBs_subset:
|
|||
x \<in> all_active_tcbs (transform s')"
|
||||
apply (clarsimp simp: all_active_tcbs_def getActiveTCB_def)
|
||||
apply (clarsimp simp: transform_def transform_objects_def map_add_def domIff)
|
||||
apply (clarsimp dest!: get_tcb_SomeD split: option.splits split_if_asm)
|
||||
apply (clarsimp dest!: get_tcb_SomeD split: option.splits if_split_asm)
|
||||
apply (rule context_conjI)
|
||||
apply (clarsimp simp: restrict_map_def)
|
||||
apply (frule invs_valid_idle)
|
||||
apply (clarsimp simp: valid_idle_def pred_tcb_def2 get_tcb_def)
|
||||
apply (clarsimp simp: restrict_map_def split: split_if_asm)
|
||||
apply (clarsimp simp: restrict_map_def split: if_split_asm)
|
||||
apply (clarsimp simp: transform_object_def transform_tcb_def)
|
||||
apply (clarsimp simp: infer_tcb_pending_op_def)
|
||||
apply (frule(1) valid_etcbs_tcb_etcb)
|
||||
|
@ -262,7 +262,7 @@ lemma schedule_resume_cur_thread_dcorres:
|
|||
apply (auto simp: transform_def transform_current_thread_def all_active_tcbs_def transform_objects_def active_tcbs_in_domain_def etcb_at_def tcb_boundntfn_slot_def tcb_pending_op_slot_def
|
||||
map_add_def restrict_map_def option_map_def transform_object_def transform_tcb_def valid_idle_def st_tcb_def2 get_tcb_def
|
||||
transform_cnode_contents_def infer_tcb_pending_op_def transform_cap_def domIff st_tcb_at_kh_def obj_at_def only_idle_def
|
||||
split: option.splits split_if Structures_A.kernel_object.splits Structures_A.thread_state.splits)[1]
|
||||
split: option.splits if_split Structures_A.kernel_object.splits Structures_A.thread_state.splits)[1]
|
||||
(* cur = idle_thread s' *)
|
||||
apply (subgoal_tac "cdl_current_thread s = None")
|
||||
apply (clarsimp simp: transform_def transform_current_thread_def)+
|
||||
|
@ -283,7 +283,7 @@ lemma schedule_switch_thread_helper:
|
|||
apply (auto simp: transform_def transform_current_thread_def all_active_tcbs_def transform_objects_def active_tcbs_in_domain_def etcb_at_def
|
||||
map_add_def restrict_map_def option_map_def transform_object_def transform_tcb_def valid_idle_def pred_tcb_at_def get_tcb_def tcb_pending_op_slot_def tcb_boundntfn_slot_def
|
||||
transform_cnode_contents_def infer_tcb_pending_op_def transform_cap_def domIff st_tcb_at_kh_def obj_at_def only_idle_def
|
||||
split: option.splits split_if Structures_A.kernel_object.splits Structures_A.thread_state.splits)
|
||||
split: option.splits if_split Structures_A.kernel_object.splits Structures_A.thread_state.splits)
|
||||
done
|
||||
|
||||
lemma schedule_switch_thread_dcorres:
|
||||
|
@ -353,7 +353,7 @@ lemma schedule_choose_new_thread_helper:
|
|||
is_etcb_at_def
|
||||
map_add_def restrict_map_def option_map_def transform_object_def transform_tcb_def valid_idle_def st_tcb_def2 get_tcb_def
|
||||
transform_cnode_contents_def infer_tcb_pending_op_def transform_cap_def domIff st_tcb_at_kh_def obj_at_def only_idle_def tcb_pending_op_slot_def tcb_boundntfn_slot_def
|
||||
split: option.splits split_if Structures_A.kernel_object.splits Structures_A.thread_state.splits)
|
||||
split: option.splits if_split Structures_A.kernel_object.splits Structures_A.thread_state.splits)
|
||||
done
|
||||
|
||||
lemma idle_thread_not_in_queue:
|
||||
|
|
|
@ -171,7 +171,7 @@ lemma caps_of_state_update_tcb:
|
|||
caps_of_state (update_kheap kh s)"
|
||||
apply (erule caps_of_state_update_same_caps)
|
||||
apply (rule ext)
|
||||
apply (simp add: tcb_cap_cases_def split: split_if)
|
||||
apply (simp add: tcb_cap_cases_def split: if_split)
|
||||
done
|
||||
|
||||
lemmas caps_of_state_upds = caps_of_state_update_tcb caps_of_state_update_same_caps
|
||||
|
@ -273,7 +273,7 @@ proof -
|
|||
"inj_on f (dom m - {x} \<union> ran (m(x := None)))"
|
||||
"inj_on f (dom m - {x})"
|
||||
apply (safe intro!: subset_inj_on[OF inj_f])
|
||||
apply (auto simp: ran_def split: split_if_asm)
|
||||
apply (auto simp: ran_def split: if_split_asm)
|
||||
done
|
||||
show ?thesis
|
||||
apply (simp add: map_lift_over_def Q del: inj_on_insert)
|
||||
|
@ -299,7 +299,7 @@ proof -
|
|||
have 1: "inj_on f (dom m \<union> ran m)" "inj_on f (dom m)"
|
||||
by (auto simp: inj_on_Un)
|
||||
have "dom ?ifeq \<subseteq> dom m"
|
||||
by (auto split: split_if_asm)
|
||||
by (auto split: if_split_asm)
|
||||
with inj_f
|
||||
have 2: "inj_on f (dom ?ifeq)"
|
||||
by (auto elim!: subset_inj_on)
|
||||
|
@ -309,19 +309,19 @@ proof -
|
|||
have "inj_on f (dom ?ifeq \<union> ran ?ifeq)"
|
||||
by (auto elim!: subset_inj_on)
|
||||
note Q = 1 2 this
|
||||
note split_if[split del]
|
||||
note if_split[split del]
|
||||
show ?thesis
|
||||
apply (simp add: map_lift_over_def Q)
|
||||
apply (rule ext)
|
||||
apply (case_tac "x \<in> f ` dom ?ifeq")
|
||||
apply clarsimp
|
||||
apply (subst if_P, fastforce split: split_if_asm)+
|
||||
apply (subst if_P, fastforce split: if_split_asm)+
|
||||
apply (simp add: Q[THEN inv_into_f_f] domI ranI inj_on_eq_iff[OF inj_f]
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
apply (subst if_not_P, simp, rule allI, fastforce)+
|
||||
apply (auto simp: option_map_def Q[THEN inv_into_f_f] domI ranI
|
||||
inj_on_eq_iff[OF inj_f]
|
||||
split: split_if option.split)
|
||||
split: if_split option.split)
|
||||
done
|
||||
qed
|
||||
|
||||
|
|
|
@ -450,7 +450,7 @@ lemma transform_intent_isnot_UntypedIntent:
|
|||
apply clarsimp
|
||||
apply (clarsimp simp: transform_intent_def transform_type_def transform_intent_untyped_retype_def)
|
||||
apply (clarsimp simp: option_map_def split: invocation_label.splits arch_invocation_label.splits option.splits list.splits)
|
||||
apply (clarsimp simp: transform_type_def split: split_if_asm)
|
||||
apply (clarsimp simp: transform_type_def split: if_split_asm)
|
||||
done
|
||||
|
||||
lemma transform_cnode_index_and_depth_success:
|
||||
|
@ -969,7 +969,7 @@ lemma evalMonad_bind:
|
|||
assumes det: "det_or_fail f"
|
||||
shows "evalMonad (f >>= g) s = (if evalMonad f s = None then None else evalMonad (g (the (evalMonad f s))) s)"
|
||||
apply (case_tac "evalMonad f s")
|
||||
apply (simp add: evalMonad_def split: split_if_asm)
|
||||
apply (simp add: evalMonad_def split: if_split_asm)
|
||||
apply (simp add: bind_def)
|
||||
apply simp
|
||||
apply (simp add: evalMonad_def)
|
||||
|
|
|
@ -328,7 +328,7 @@ lemma decode_invocation_irqhandlercap_corres:
|
|||
apply (clarsimp simp: throw_opt_def get_irq_handler_intent_def split: option.splits)
|
||||
apply (rule conjI)
|
||||
apply (auto simp: decode_irq_handler_invocation_def transform_intent_def
|
||||
split del: split_if
|
||||
split del: if_split
|
||||
split: invocation_label.splits cdl_intent.splits list.splits)[1]
|
||||
apply clarsimp
|
||||
apply (simp split: cdl_intent.splits)
|
||||
|
@ -343,7 +343,7 @@ lemma decode_invocation_irqhandlercap_corres:
|
|||
|
||||
lemma transform_type_eq_None:
|
||||
"(transform_type a = None) \<Longrightarrow> (data_to_obj_type a = throwError (ExceptionTypes_A.syscall_error.InvalidArgument 0))"
|
||||
apply (clarsimp simp:data_to_obj_type_def transform_type_def split:split_if_asm)
|
||||
apply (clarsimp simp:data_to_obj_type_def transform_type_def split:if_split_asm)
|
||||
apply (simp add:unat_arith_simps)
|
||||
apply (clarsimp simp:arch_data_to_obj_type_def)
|
||||
apply (rule conjI,arith,clarsimp)+
|
||||
|
@ -358,15 +358,15 @@ lemma transform_intent_untyped_cap_None:
|
|||
(* 43 subgoals *)
|
||||
apply (clarsimp simp:Decode_A.decode_untyped_invocation_def unlessE_def)
|
||||
apply wp
|
||||
apply (clarsimp simp:transform_intent_def Decode_A.decode_untyped_invocation_def unlessE_def split del:split_if)
|
||||
apply (clarsimp simp:transform_intent_untyped_retype_def split del:split_if)
|
||||
apply (clarsimp simp:transform_intent_def Decode_A.decode_untyped_invocation_def unlessE_def split del:if_split)
|
||||
apply (clarsimp simp:transform_intent_untyped_retype_def split del:if_split)
|
||||
apply (case_tac "args")
|
||||
apply (clarsimp,wp)[1]
|
||||
apply (clarsimp split:list.split_asm split del:split_if)
|
||||
apply (clarsimp split:list.split_asm split del:if_split)
|
||||
apply wp[5]
|
||||
apply (clarsimp simp: transform_type_eq_None split del:split_if split:option.splits)
|
||||
apply (clarsimp simp: transform_type_eq_None split del:if_split split:option.splits)
|
||||
apply (wp|clarsimp simp:whenE_def|rule conjI)+
|
||||
apply (clarsimp simp: Decode_A.decode_untyped_invocation_def unlessE_def split del:split_if,wp)+
|
||||
apply (clarsimp simp: Decode_A.decode_untyped_invocation_def unlessE_def split del:if_split,wp)+
|
||||
done
|
||||
|
||||
lemma transform_intent_cnode_cap_None:
|
||||
|
@ -522,7 +522,7 @@ lemma decode_invocation_error_branch:
|
|||
"\<lbrakk>transform_intent (invocation_type label) args = None; \<not> ep_related_cap (transform_cap cap)\<rbrakk>
|
||||
\<Longrightarrow> \<lbrace>op = s\<rbrace> Decode_A.decode_invocation label args cap_i slot cap excaps \<lbrace>\<lambda>r. \<bottom>\<rbrace>,\<lbrace>\<lambda>x. op = s\<rbrace>"
|
||||
apply (case_tac cap)
|
||||
apply (simp_all add:ep_related_cap_def transform_cap_def split:split_if_asm)
|
||||
apply (simp_all add:ep_related_cap_def transform_cap_def split:if_split_asm)
|
||||
apply (clarsimp simp:Decode_A.decode_invocation_def,wp)
|
||||
apply (rule transform_intent_untyped_cap_None,fastforce+)
|
||||
apply (clarsimp simp:Decode_A.decode_invocation_def,wp)
|
||||
|
@ -544,7 +544,7 @@ lemma decode_invocation_ep_related_branch:
|
|||
apply (clarsimp simp:Decode_D.decode_invocation_def Decode_A.decode_invocation_def | rule conjI)+
|
||||
apply (rule corres_guard_imp[OF dcorres_returnOk],simp add:cdl_invocation_relation_def translate_invocation_def)
|
||||
apply simp+
|
||||
apply (clarsimp simp:Decode_D.decode_invocation_def Decode_A.decode_invocation_def split:split_if_asm | rule conjI)+
|
||||
apply (clarsimp simp:Decode_D.decode_invocation_def Decode_A.decode_invocation_def split:if_split_asm | rule conjI)+
|
||||
apply (rule corres_guard_imp[OF dcorres_returnOk])
|
||||
apply (simp add:cdl_invocation_relation_def translate_invocation_def)+
|
||||
apply (clarsimp simp:Decode_D.decode_invocation_def Decode_A.decode_invocation_def is_master_reply_cap_def | rule conjI)+
|
||||
|
@ -1036,7 +1036,7 @@ lemma decode_invocation_corres':
|
|||
od)
|
||||
rv')"
|
||||
apply (rule dcorres_expand_pfx)
|
||||
apply (clarsimp split del:split_if)
|
||||
apply (clarsimp split del:if_split)
|
||||
apply (rule_tac Q' ="\<lambda>r ns. ns = s
|
||||
\<and> r = get_tcb_mrs (machine_state s) ctcb"
|
||||
in corres_symb_exec_r)
|
||||
|
@ -1278,7 +1278,7 @@ lemma invoke_cnode_valid_etcbs[wp]:
|
|||
"\<lbrace>valid_etcbs\<rbrace> invoke_cnode ci \<lbrace>\<lambda>_. valid_etcbs\<rbrace>"
|
||||
apply (simp add: invoke_cnode_def)
|
||||
apply (rule hoare_pre)
|
||||
apply (wp crunch_wps hoare_vcg_all_lift | wpc | simp add: split del: split_if)+
|
||||
apply (wp crunch_wps hoare_vcg_all_lift | wpc | simp add: split del: if_split)+
|
||||
done
|
||||
|
||||
crunch valid_etcbs[wp]: perform_invocation valid_etcbs
|
||||
|
@ -1458,10 +1458,10 @@ lemma handle_recv_corres:
|
|||
\<and> (st_tcb_at active (cur_thread s') s \<and> invs s \<and> valid_etcbs s) \<and> ko_at (TCB obj') (cur_thread s') s " and R= "\<lambda>r. \<top>"
|
||||
in corres_splitEE[where r'="\<lambda>x y. x = transform_cap y"])
|
||||
apply (rule dcorres_expand_pfx)
|
||||
apply (clarsimp split:cap.splits arch_cap.splits split del: split_if simp:transform_cap_def)
|
||||
apply (clarsimp split:cap.splits arch_cap.splits split del: if_split simp:transform_cap_def)
|
||||
apply (rename_tac word1 word2 set)
|
||||
apply (rule corres_guard_imp)
|
||||
apply (case_tac "AllowRead \<in> set"; simp split del: split_if)
|
||||
apply (case_tac "AllowRead \<in> set"; simp split del: if_split)
|
||||
apply (rule corres_alternate1)
|
||||
apply clarsimp
|
||||
apply (rule corres_split[where r'=dc])
|
||||
|
|
|
@ -71,16 +71,16 @@ lemma decode_set_ipc_buffer_translate_tcb_invocation:
|
|||
apply (wpc|wp)+
|
||||
apply (wp hoare_whenE_wp)
|
||||
apply (case_tac a)
|
||||
apply (simp_all add:derive_cap_def split del:split_if)
|
||||
apply (wp|clarsimp split del:split_if)+
|
||||
apply (simp_all add:derive_cap_def split del:if_split)
|
||||
apply (wp|clarsimp split del:if_split)+
|
||||
apply (rename_tac arch_cap)
|
||||
apply (case_tac arch_cap)
|
||||
apply (simp_all add:arch_derive_cap_def split del: split_if)
|
||||
apply (wp | clarsimp split del: split_if)+
|
||||
apply (simp_all add:arch_derive_cap_def split del: if_split)
|
||||
apply (wp | clarsimp split del: if_split)+
|
||||
apply (clarsimp simp:transform_mapping_def)
|
||||
apply (rule hoare_pre)
|
||||
apply wpc
|
||||
apply (wp | clarsimp split del: split_if)+
|
||||
apply (wp | clarsimp split del: if_split)+
|
||||
apply (rule hoare_pre)
|
||||
apply wpc
|
||||
apply wp
|
||||
|
@ -136,7 +136,7 @@ lemma valid_vtable_root_update:
|
|||
\<Longrightarrow> CSpace_A.update_cap_data False x aa = aa"
|
||||
apply (clarsimp simp: update_cap_data_def badge_update_def is_valid_vtable_root_def Let_def
|
||||
the_cnode_cap_def is_arch_cap_def arch_update_cap_data_def the_arch_cap_def
|
||||
split: split_if_asm cap.split_asm)
|
||||
split: if_split_asm cap.split_asm)
|
||||
done
|
||||
|
||||
lemma decode_set_space_translate_tcb_invocation:
|
||||
|
@ -169,7 +169,7 @@ lemma decode_set_space_translate_tcb_invocation:
|
|||
apply (rule validE_validE_R)
|
||||
apply simp
|
||||
apply (rule_tac s1 = s in hoare_post_impErr[OF derive_cnode_cap_as_vroot],simp)
|
||||
apply (rule conjI|simp split:split_if_asm)+
|
||||
apply (rule conjI|simp split:if_split_asm)+
|
||||
apply (wp|clarsimp)+
|
||||
apply (rule validE_validE_R)
|
||||
apply (rule_tac s1 = s in hoare_post_impErr[OF derive_cnode_cap_as_croot])
|
||||
|
@ -188,7 +188,7 @@ lemma decode_set_space_translate_tcb_invocation:
|
|||
apply (rule validE_validE_R)
|
||||
apply simp
|
||||
apply (rule_tac s1 = s in hoare_post_impErr[OF derive_cnode_cap_as_vroot],simp)
|
||||
apply (rule conjI|simp split:split_if_asm)+
|
||||
apply (rule conjI|simp split:if_split_asm)+
|
||||
apply (rule valid_vtable_root_update)
|
||||
apply clarsimp+
|
||||
apply (wp|clarsimp)+
|
||||
|
@ -218,7 +218,7 @@ lemma is_cnode_cap_update_cap_data:
|
|||
"Structures_A.is_cnode_cap (CSpace_A.update_cap_data x w a) \<Longrightarrow> is_cnode_cap a"
|
||||
apply (case_tac a)
|
||||
apply (clarsimp simp:update_cap_data_def arch_update_cap_data_def is_arch_cap_def badge_update_def
|
||||
is_cap_simps split:split_if_asm)+
|
||||
is_cap_simps split:if_split_asm)+
|
||||
done
|
||||
|
||||
lemma update_cnode_cap_data:
|
||||
|
@ -229,7 +229,7 @@ lemma update_cnode_cap_data:
|
|||
apply (simp add:cdl_update_cnode_cap_data_def CSpace_D.update_cap_data_def)
|
||||
apply (clarsimp simp: update_cap_data_def arch_update_cap_data_def split:if_splits)
|
||||
apply ((cases ab,simp_all add:badge_update_def)+)[2]
|
||||
apply (clarsimp simp:is_cap_simps the_cnode_cap_def word_size split:split_if_asm simp:Let_def)
|
||||
apply (clarsimp simp:is_cap_simps the_cnode_cap_def word_size split:if_split_asm simp:Let_def)
|
||||
apply (clarsimp simp:cdl_update_cnode_cap_data_def word_bits_def of_drop_to_bl
|
||||
word_size mask_twice dest!:leI)
|
||||
done
|
||||
|
@ -386,22 +386,22 @@ lemma decode_tcb_corres:
|
|||
apply (rule dcorres_symb_exec_rE)
|
||||
apply (case_tac rv, simp)
|
||||
(* please continue scrolling *)
|
||||
apply (case_tac "(fst (hd excaps'))", simp_all split del: split_if)[1]
|
||||
apply (case_tac "(fst (hd excaps'))", simp_all split del: if_split)[1]
|
||||
prefer 4
|
||||
apply (rename_tac rights)
|
||||
apply (case_tac "AllowRead \<notin> rights", simp)
|
||||
apply (rule corres_alternate2, rule dcorres_throw)
|
||||
apply simp
|
||||
apply (rule dcorres_symb_exec_rE)
|
||||
apply (case_tac "ntfn_obj rva", simp_all split del: split_if)[1]
|
||||
apply (case_tac "ntfn_bound_tcb rva", simp_all split del: split_if)[1]
|
||||
apply (case_tac "ntfn_obj rva", simp_all split del: if_split)[1]
|
||||
apply (case_tac "ntfn_bound_tcb rva", simp_all split del: if_split)[1]
|
||||
apply (clarsimp simp: throw_on_none_def get_index_def dcorres_alternative_throw)
|
||||
apply (case_tac "excaps' ! 0", clarsimp, rule corres_alternate1[OF dcorres_returnOk], simp add: translate_tcb_invocation_def hd_conv_nth)
|
||||
apply (clarsimp simp: throw_on_none_def get_index_def dcorres_alternative_throw split del: split_if)+
|
||||
apply (case_tac "ntfn_bound_tcb rva", simp split del: split_if)[1]
|
||||
apply (clarsimp simp: throw_on_none_def get_index_def dcorres_alternative_throw split del: if_split)+
|
||||
apply (case_tac "ntfn_bound_tcb rva", simp split del: if_split)[1]
|
||||
apply (rename_tac rva word)
|
||||
apply ((case_tac "excaps' ! 0",clarsimp, rule corres_alternate1[OF dcorres_returnOk], simp add: translate_tcb_invocation_def hd_conv_nth)
|
||||
| clarsimp simp: throw_on_none_def get_index_def dcorres_alternative_throw split del: split_if
|
||||
| clarsimp simp: throw_on_none_def get_index_def dcorres_alternative_throw split del: if_split
|
||||
| wp get_ntfn_wp
|
||||
| (case_tac "excaps' ! 0", rule dcorres_alternative_throw)
|
||||
| (case_tac "AllowRead \<in> rights", simp))+
|
||||
|
@ -1257,7 +1257,7 @@ lemma dcorres_tcb_update_cspace_root:
|
|||
apply (clarsimp)
|
||||
apply (rule iffI)
|
||||
apply (clarsimp simp:is_cap_simps bits_of_def cap_type_def transform_cap_def
|
||||
split:cap.split_asm arch_cap.split_asm split_if_asm)
|
||||
split:cap.split_asm arch_cap.split_asm if_split_asm)
|
||||
apply (clarsimp simp:cap_has_object_def is_cap_simps cap_type_def)
|
||||
apply (rule corres_split[OF _ get_cap_corres])
|
||||
apply (rule corres_when)
|
||||
|
|
|
@ -22,7 +22,7 @@ lemma detype_dcorres:
|
|||
apply (rule corres_modify)
|
||||
apply (clarsimp simp: transform_def Untyped_D.detype_def
|
||||
transform_cdt_def
|
||||
split del: split_if
|
||||
split del: if_split
|
||||
simp del: untyped_range.simps)
|
||||
apply (simp add: Untyped_D.detype_def transform_def
|
||||
transform_current_thread_def Retype_A.detype_def transform_asid_table_def detype_ext_def)
|
||||
|
@ -63,7 +63,7 @@ next
|
|||
apply auto[2]
|
||||
apply (rule sym)
|
||||
apply (rule someI2_ex, fastforce)
|
||||
apply (clarsimp split: split_if_asm)
|
||||
apply (clarsimp split: if_split_asm)
|
||||
apply (rule conjI)
|
||||
apply (rule someI2_ex, fastforce+)+
|
||||
done
|
||||
|
@ -207,9 +207,9 @@ proof -
|
|||
get_ipc_buffer_words_def2 3
|
||||
Suc_leI[OF msg_registers_lt_msg_max_length]
|
||||
simp del: upt_Suc
|
||||
split del: split_if)
|
||||
split del: if_split)
|
||||
apply (case_tac "AllowRead \<in> rights",
|
||||
simp_all del: upt_Suc split del: split_if)
|
||||
simp_all del: upt_Suc split del: if_split)
|
||||
apply (cut_tac y=2 in is_aligned_weaken[OF 1])
|
||||
apply (simp add: msg_align_bits_def)
|
||||
apply (cut_tac y=2 in is_aligned_weaken[OF 4])
|
||||
|
@ -274,7 +274,7 @@ lemma freeMemory_dcorres:
|
|||
apply (clarsimp simp: transform_object_def transform_tcb_def
|
||||
split: Structures_A.kernel_object.split option.splits)
|
||||
apply (rename_tac s ms tref etcb tcb)
|
||||
apply (clarsimp simp: restrict_map_def split: split_if_asm)
|
||||
apply (clarsimp simp: restrict_map_def split: if_split_asm)
|
||||
apply (frule(1) valid_etcbs_tcb_etcb)
|
||||
apply (case_tac "\<not> is_arch_page_cap (tcb_ipcframe tcb)")
|
||||
apply (erule transform_full_intent_no_ipc_buffer)
|
||||
|
@ -590,10 +590,10 @@ lemma retype_region_dcorres:
|
|||
us (translate_object_type type) (map (retype_transform_obj_ref type us) (retype_addrs ptr type n us)))
|
||||
(Retype_A.retype_region ptr n us type dev)"
|
||||
apply (simp add: retype_region_def Untyped_D.retype_region_def
|
||||
split del: split_if)
|
||||
split del: if_split)
|
||||
apply (clarsimp simp:when_def generate_object_ids_def bind_assoc
|
||||
split del:split_if)
|
||||
apply (simp add:retype_addrs_fold split del:split_if)
|
||||
split del:if_split)
|
||||
apply (simp add:retype_addrs_fold split del:if_split)
|
||||
apply (case_tac "type = Structures_A.Untyped")
|
||||
apply (rule corres_guard_imp)
|
||||
apply (simp add:translate_object_type_def)
|
||||
|
@ -1299,7 +1299,7 @@ lemma reset_untyped_cap_corres:
|
|||
apply (rule_tac F="is_untyped_cap capa \<and> cap_aligned capa
|
||||
\<and> bits_of capa > 2 \<and> free_index_of capa \<le> 2 ^ bits_of capa"
|
||||
in corres_gen_asm2)
|
||||
apply (simp add: whenE_def if_flip split del: split_if)
|
||||
apply (simp add: whenE_def if_flip split del: if_split)
|
||||
apply (rule corres_if)
|
||||
apply (clarsimp simp: is_cap_simps free_range_of_untyped_def
|
||||
cap_aligned_def free_index_of_def)
|
||||
|
@ -1430,7 +1430,7 @@ lemma range_le_free_range_of_untyped:
|
|||
\<subseteq> free_range_of_untyped idx sz (ptr && ~~ mask sz)"
|
||||
apply (rule order_trans, erule(1) range_cover_subset')
|
||||
apply (clarsimp simp: free_range_of_untyped_def
|
||||
split del: split_if del: subsetI)
|
||||
split del: if_split del: subsetI)
|
||||
apply (subst if_P)
|
||||
prefer 2
|
||||
apply (rule range_subsetI, simp_all)
|
||||
|
@ -1530,7 +1530,7 @@ lemma invoke_untyped_corres:
|
|||
\<and> (\<forall>slot\<in>set slots.
|
||||
cte_wp_at (op = cap.NullCap) slot s) \<and> valid_etcbs s"
|
||||
in hoare_post_imp)
|
||||
apply (simp add:post_retype_invs_def split:split_if_asm)
|
||||
apply (simp add:post_retype_invs_def split:if_split_asm)
|
||||
apply ((clarsimp dest!:set_zip_leftD
|
||||
simp: vslot image_def invs_def valid_state_def valid_mdb_def cte_wp_at_caps_of_state
|
||||
| intro conjI | drule (1) bspec | drule(1) mdb_cte_atD[rotated])+)[2]
|
||||
|
@ -1577,7 +1577,7 @@ lemma invoke_untyped_corres:
|
|||
hoare_vcg_ex_lift)
|
||||
apply simp
|
||||
apply wp
|
||||
apply (simp split del: split_if)
|
||||
apply (simp split del: if_split)
|
||||
apply (wp get_cap_wp)
|
||||
apply (wp_once hoare_drop_imps)
|
||||
apply wp
|
||||
|
@ -1595,8 +1595,8 @@ lemma invoke_untyped_corres:
|
|||
apply (clarsimp simp: ui cte_wp_at_caps_of_state bits_of_def
|
||||
empty_descendants_range_in exI
|
||||
free_index_of_def untyped_range_def
|
||||
split_if[where P="\<lambda>x. x \<le> unat v" for v]
|
||||
split del: split_if)
|
||||
if_split[where P="\<lambda>x. x \<le> unat v" for v]
|
||||
split del: if_split)
|
||||
apply (frule(1) valid_global_refsD2[OF _ invs_valid_global_refs])
|
||||
apply (strengthen refl subseteq_set_minus
|
||||
free_range_of_untyped_subseteq'
|
||||
|
@ -1605,21 +1605,21 @@ lemma invoke_untyped_corres:
|
|||
apply (simp only: word_size word_bits_def[symmetric])
|
||||
apply (clarsimp simp: conj_comms invoke_untyped_proofs.simps
|
||||
range_le_free_range_of_untyped
|
||||
split_if[where P="\<lambda>x. x \<le> unat v" for v]
|
||||
split del: split_if)
|
||||
if_split[where P="\<lambda>x. x \<le> unat v" for v]
|
||||
split del: if_split)
|
||||
apply (simp add: arg_cong[OF mask_out_sub_mask, where f="\<lambda>y. x - y" for x]
|
||||
field_simps invoke_untyped_proofs.idx_le_new_offs
|
||||
invoke_untyped_proofs.idx_compare'
|
||||
untyped_range_def invs_valid_idle invs_valid_pspace
|
||||
is_aligned_neg_mask invoke_untyped_proofs.szw
|
||||
free_range_of_untyped_pick_retype_addrs vslot
|
||||
split del: split_if)
|
||||
split del: if_split)
|
||||
apply (clarsimp simp:detype_clear_um_independent conj_comms not_idle_thread_def
|
||||
misc invs_valid_idle invs_valid_objs word_bits_def
|
||||
atLeastatMost_subset_iff[where b=x and d=x for x] word_and_le2
|
||||
split del: split_if)
|
||||
split del: if_split)
|
||||
apply (clarsimp simp: range_cover.aligned bits_of_def field_simps
|
||||
split del: split_if)
|
||||
split del: if_split)
|
||||
|
||||
apply (intro conjI)
|
||||
apply (cases cref, fastforce dest: valid_idle_has_null_cap[rotated -1])
|
||||
|
@ -1652,7 +1652,7 @@ lemma transform_translate_type:
|
|||
"transform_type n = Some tp
|
||||
\<Longrightarrow> \<exists>v. data_to_obj_type n = returnOk v \<and> tp = translate_object_type v"
|
||||
apply (simp add: transform_type_def
|
||||
split: split_if_asm)
|
||||
split: if_split_asm)
|
||||
apply (simp_all add: data_to_obj_type_def arch_data_to_obj_type_def)
|
||||
apply (auto simp add: translate_object_type_def)
|
||||
done
|
||||
|
@ -1707,7 +1707,7 @@ lemma transform_cdt_dom_standard:
|
|||
"transform_cdt s' slot' = Some (transform_cslot_ptr b)
|
||||
\<Longrightarrow> \<exists>slot. slot' = transform_cslot_ptr slot"
|
||||
apply (case_tac b)
|
||||
apply (fastforce simp:transform_cdt_def map_lift_over_def split:split_if_asm)
|
||||
apply (fastforce simp:transform_cdt_def map_lift_over_def split:if_split_asm)
|
||||
done
|
||||
|
||||
lemma descendants_of_empty_lift :
|
||||
|
@ -1791,7 +1791,7 @@ lemma decode_untyped_corres:
|
|||
apply (clarsimp simp: Untyped_D.decode_untyped_invocation_def
|
||||
Decode_A.decode_untyped_invocation_def
|
||||
unlessE_whenE
|
||||
split del: split_if
|
||||
split del: if_split
|
||||
split: invocation_label.split_asm)
|
||||
apply (rename_tac a list w1 w2 w3 w4 w5 apiobject_type)
|
||||
apply (cases excaps')
|
||||
|
@ -1799,11 +1799,11 @@ lemma decode_untyped_corres:
|
|||
alternative_refl)
|
||||
apply (simp add: get_index_def transform_cap_list_def throw_on_none_def
|
||||
split_beta
|
||||
split del: split_if)
|
||||
split del: if_split)
|
||||
apply (clarsimp simp: corres_whenE_throwError_split_rhs
|
||||
corres_alternate2
|
||||
split del: split_if)
|
||||
apply (simp add: bindE_assoc[symmetric] split del: split_if)
|
||||
split del: if_split)
|
||||
apply (simp add: bindE_assoc[symmetric] split del: if_split)
|
||||
apply (rule_tac r'="\<lambda>rv rv'. rv = transform_cap rv'"
|
||||
in corres_alternative_throw_splitE)
|
||||
apply (rule corres_guard_imp, rule corres_alternate1)
|
||||
|
@ -1818,9 +1818,9 @@ lemma decode_untyped_corres:
|
|||
apply (clarsimp simp: cte_wp_at_caps_of_state)
|
||||
apply auto[1]
|
||||
apply (rename_tac cnode_cap cnode_cap')
|
||||
apply (simp add: bindE_assoc split del: split_if)
|
||||
apply (simp add: bindE_assoc split del: if_split)
|
||||
apply (simp add: if_to_top_of_bindE is_cnode_cap_transform_cap[symmetric]
|
||||
split del: split_if)
|
||||
split del: if_split)
|
||||
apply (rule corres_if_rhs[rotated])
|
||||
apply (rule corres_trivial, simp add: alternative_refl)
|
||||
apply (simp add: corres_whenE_throwError_split_rhs
|
||||
|
@ -1830,9 +1830,9 @@ lemma decode_untyped_corres:
|
|||
apply (simp add:liftE_bindE)
|
||||
apply (rule corres_symb_exec_r)
|
||||
apply (clarsimp simp: corres_whenE_throwError_split_rhs corres_alternate2
|
||||
split del: split_if)
|
||||
split del: if_split)
|
||||
apply (rule corres_alternate1)
|
||||
apply (simp add:gets_get split del: split_if)
|
||||
apply (simp add:gets_get split del: if_split)
|
||||
apply (rule corres_underlying_gets_pre_lhs)
|
||||
apply (rule_tac P' = "\<lambda>s. valid_mdb s \<and> cte_at slot' s \<and> is_cnode_cap cnode_cap' \<and>
|
||||
cap_aligned cnode_cap' \<and> invs s \<and> not_idle_thread (obj_ref_of cnode_cap') s \<and>
|
||||
|
@ -1852,7 +1852,7 @@ lemma decode_untyped_corres:
|
|||
apply clarsimp
|
||||
apply wp
|
||||
apply (clarsimp simp:conj_comms)
|
||||
apply (wp mapME_x_inv_wp[OF hoare_pre(2)] | simp split del: split_if)+
|
||||
apply (wp mapME_x_inv_wp[OF hoare_pre(2)] | simp split del: if_split)+
|
||||
apply (wp hoare_whenE_wp)
|
||||
apply (simp add:validE_def split del:if_splits)
|
||||
apply (rule_tac Q = "\<lambda>r. op = s" in hoare_strengthen_post)
|
||||
|
@ -1881,7 +1881,7 @@ lemma decode_untyped_corres:
|
|||
apply (rule hoare_pre)
|
||||
apply (wp hoare_drop_imp | simp)+
|
||||
apply fastforce
|
||||
apply (clarsimp simp: conj_comms is_cnode_cap_transform_cap split del: split_if)
|
||||
apply (clarsimp simp: conj_comms is_cnode_cap_transform_cap split del: if_split)
|
||||
apply (rule validE_R_validE)
|
||||
apply (rule_tac Q' = "\<lambda>a s. invs s \<and> valid_etcbs s \<and> valid_cap a s \<and> cte_wp_at (op = (cap.UntypedCap dev ptr sz idx)) slot' s
|
||||
\<and> (Structures_A.is_cnode_cap a \<longrightarrow> not_idle_thread (obj_ref_of a) s)"
|
||||
|
@ -1903,7 +1903,7 @@ lemma decode_untyped_corres:
|
|||
apply (rule ccontr)
|
||||
apply (clarsimp simp:valid_cap_simps cap_aligned_def)
|
||||
apply (rule hoare_pre,wp,simp)
|
||||
apply (wp hoare_drop_imp mapME_x_inv_wp2 | simp add:whenE_def split del:split_if)+
|
||||
apply (wp hoare_drop_imp mapME_x_inv_wp2 | simp add:whenE_def split del:if_split)+
|
||||
apply (rule hoare_pre,wp,simp)
|
||||
done
|
||||
|
||||
|
|
|
@ -1768,7 +1768,7 @@ lemma handle_interrupt_domain_time_sched_action:
|
|||
\<lbrace>\<lambda>s. domain_time s > 0\<rbrace>
|
||||
handle_interrupt e
|
||||
\<lbrace>\<lambda>r s. domain_time s = 0 \<longrightarrow> scheduler_action s = choose_new_thread\<rbrace>"
|
||||
apply(simp add: handle_interrupt_def split del: split_if)
|
||||
apply(simp add: handle_interrupt_def split del: if_split)
|
||||
apply (rule hoare_pre)
|
||||
apply (wp)
|
||||
apply(case_tac "st \<noteq> IRQTimer")
|
||||
|
@ -2707,12 +2707,12 @@ lemma rec_del_irq_state_inv':
|
|||
next
|
||||
case (2 slot exposed s) show ?case
|
||||
apply(rule hoare_spec_gen_asm)
|
||||
apply(simp add: rec_del.simps split del: split_if)
|
||||
apply(simp add: rec_del.simps split del: if_split)
|
||||
apply(rule hoare_pre_spec_validE)
|
||||
apply(wp drop_spec_validE[OF returnOk_wp] drop_spec_validE[OF liftE_wp] set_cap_domain_sep_inv
|
||||
|simp add: split_def split del: split_if)+
|
||||
|simp add: split_def split del: if_split)+
|
||||
apply(wp irq_state_inv_triv)[1]
|
||||
apply (wp | simp split del: split_if)+
|
||||
apply (wp | simp split del: if_split)+
|
||||
apply(rule spec_strengthen_postE)
|
||||
apply(rule "2.hyps"[simplified], fastforce+)
|
||||
apply(rule drop_spec_validE, (wp preemption_point_irq_state_inv[where irq=irq] | simp)+)[1]
|
||||
|
@ -2721,7 +2721,7 @@ lemma rec_del_irq_state_inv':
|
|||
apply(wp finalise_cap_domain_sep_inv_cap get_cap_wp
|
||||
finalise_cap_returns_None[where irqs=False, simplified]
|
||||
drop_spec_validE[OF liftE_wp] set_cap_domain_sep_inv
|
||||
|simp add: without_preemption_def split del: split_if
|
||||
|simp add: without_preemption_def split del: if_split
|
||||
|wp_once hoare_drop_imps
|
||||
|wp irq_state_inv_triv)+
|
||||
apply(blast dest: cte_wp_at_domain_sep_inv_cap)
|
||||
|
@ -2815,7 +2815,7 @@ lemma invoke_cnode_irq_state_inv:
|
|||
apply(simp add: invoke_cnode_def)
|
||||
apply(rule hoare_pre)
|
||||
apply wpc
|
||||
apply((wp cap_revoke_irq_state_inv' cap_delete_irq_state_inv hoare_vcg_all_lift | wpc | simp add: cap_move_def split del: split_if | wp_once irq_state_inv_triv | wp_once hoare_drop_imps)+)[7]
|
||||
apply((wp cap_revoke_irq_state_inv' cap_delete_irq_state_inv hoare_vcg_all_lift | wpc | simp add: cap_move_def split del: if_split | wp_once irq_state_inv_triv | wp_once hoare_drop_imps)+)[7]
|
||||
apply fastforce
|
||||
done
|
||||
|
||||
|
@ -2852,7 +2852,7 @@ lemma invoke_tcb_irq_state_inv:
apply(case_tac tinv)
apply((wp hoare_vcg_if_lift mapM_x_wp[OF _ subset_refl]
| wpc
| simp split del: split_if add: check_cap_at_def
| simp split del: if_split add: check_cap_at_def
| clarsimp
| wp_once irq_state_inv_triv)+)[3]
defer
@ -2992,10 +2992,10 @@ lemma handle_invocation_irq_state_inv:
handle_invocation x y \<lbrace>\<lambda>_. irq_state_inv st\<rbrace>, \<lbrace>\<lambda>_. irq_state_next st\<rbrace>"
apply (simp add: handle_invocation_def ts_Restart_case_helper split_def
liftE_liftM_liftME liftME_def bindE_assoc
split del: split_if)
split del: if_split)
apply(wp syscall_valid)
apply ((wp irq_state_inv_triv | wpc | simp)+)[2]
apply(wp static_imp_wp perform_invocation_irq_state_inv hoare_vcg_all_lift hoare_vcg_ex_lift decode_invocation_IRQHandlerCap | wpc | wp_once hoare_drop_imps | simp split del: split_if | wp_once irq_state_inv_triv)+
apply(wp static_imp_wp perform_invocation_irq_state_inv hoare_vcg_all_lift hoare_vcg_ex_lift decode_invocation_IRQHandlerCap | wpc | wp_once hoare_drop_imps | simp split del: if_split | wp_once irq_state_inv_triv)+
apply fastforce
done
@ -1110,7 +1110,7 @@ lemma abstract_invs:
apply (simp add: ADT_A_if_def)
apply (simp_all add: check_active_irq_A_if_def do_user_op_A_if_def
kernel_call_A_if_def kernel_handle_preemption_if_def
kernel_schedule_if_def kernel_exit_A_if_def split del: split_if)[12]
kernel_schedule_if_def kernel_exit_A_if_def split del: if_split)[12]
apply (rule preserves_lifts |
wp check_active_irq_if_wp do_user_op_if_invs
| clarsimp simp add: full_invs_if_def)+
@ -1237,7 +1237,7 @@ lemma haskell_invs:
apply blast
apply (simp_all add: checkActiveIRQ_H_if_def doUserOp_H_if_def
kernelCall_H_if_def handlePreemption_H_if_def
schedule'_H_if_def kernelExit_H_if_def split del: split_if)[12]
schedule'_H_if_def kernelExit_H_if_def split del: if_split)[12]
apply (rule preserves_lifts | wp | simp add: full_invs_if'_def)+
apply (wp_once hoare_disjI1)
apply (rule preserves_lifts | wp | simp add: full_invs_if'_def)+
@ -1698,7 +1698,7 @@ lemma haskell_to_abs: "uop_nonempty uop \<Longrightarrow> global_automata_refine
apply (simp add: full_invs_if_def)
apply (simp add: full_invs_if'_def)
apply (rule schedule'_if_empty_fail)
apply (simp add: kernel_exit_A_if_def kernelExit_H_if_def split del: split_if)
apply (simp add: kernel_exit_A_if_def kernelExit_H_if_def split del: if_split)
apply (rule_tac S="\<top>" and S'="invs'" in step_corres_lifts(5))
apply (rule corres_guard_imp)
apply (rule kernel_exit_if_corres)
@ -322,7 +322,7 @@ lemma kernelEntry_corres_C:
apply (clarsimp simp: all_invs'_def)
apply simp
apply (rule_tac P="\<top>" and P'="\<top>" in corres_inst)
apply (clarsimp simp: prod_lift_def split: split_if)
apply (clarsimp simp: prod_lift_def split: if_split)
apply wp
apply (rule hoare_strengthen_post)
apply (subst archTcbUpdate_aux2[symmetric])
@ -584,7 +584,7 @@ lemma check_active_irq_corres_C:
apply (subst bind_assoc[symmetric])
apply (rule corres_guard_imp)
apply (rule corres_split[where r'="\<lambda>a c. case a of None \<Rightarrow> c = 0xFFFF | Some x \<Rightarrow> c = ucast x \<and> c \<noteq> 0xFFFF", OF _ ccorres_corres_u_xf])
apply (clarsimp split: split_if option.splits)
apply (clarsimp split: if_split option.splits)
apply (rule ucast_ucast_id[symmetric], simp)
apply (rule ccorres_guard_imp)
apply (rule ccorres_rel_imp, rule ccorres_guard_imp)
@ -252,7 +252,7 @@ lemma get_asid_pool_revrv:
is_subject_asid aag asid \<and> asid \<noteq> 0" and P'="\<lambda>s. Some a = arm_asid_table (arch_state s) (asid_high_bits_of asid) \<and>
is_subject_asid aag asid \<and> asid \<noteq> 0" in equiv_valid_2_bind)
apply(clarsimp split: kernel_object.splits arch_kernel_obj.splits simp: fail_ev2_l fail_ev2_r return_ev2)
apply(clarsimp simp: get_object_def gets_def assert_def bind_def put_def get_def equiv_valid_2_def return_def fail_def split: split_if)
apply(clarsimp simp: get_object_def gets_def assert_def bind_def put_def get_def equiv_valid_2_def return_def fail_def split: if_split)
apply(erule reads_equivE)
apply(clarsimp simp: equiv_asids_def equiv_asid_def asid_pool_at_kheap)
apply(drule aag_can_read_own_asids)
@ -758,7 +758,7 @@ lemma perform_page_directory_invocation_reads_respects:
"reads_respects aag l (is_subject aag \<circ> cur_thread) (perform_page_directory_invocation pdi)"
unfolding perform_page_directory_invocation_def
apply (cases pdi)
apply (wp do_flush_reads_respects set_vm_root_reads_respects set_vm_root_for_flush_reads_respects | simp add: when_def requiv_cur_thread_eq split del: split_if | wp_once hoare_drop_imps | clarsimp)+
apply (wp do_flush_reads_respects set_vm_root_reads_respects set_vm_root_for_flush_reads_respects | simp add: when_def requiv_cur_thread_eq split del: if_split | wp_once hoare_drop_imps | clarsimp)+
done
lemma throw_on_false_reads_respects:
@ -1055,7 +1055,7 @@ lemma set_mrs_reads_respects:
"reads_respects aag l (K (aag_can_read aag thread \<or> aag_can_affect aag l thread)) (set_mrs thread buf msgs)"
apply(simp add: set_mrs_def)
apply(wp mapM_x_ev' store_word_offs_reads_respects set_object_reads_respects
| wpc | simp add: split_def split del: split_if add: zipWithM_x_mapM_x)+
| wpc | simp add: split_def split del: if_split add: zipWithM_x_mapM_x)+
apply(auto intro: reads_affects_equiv_get_tcb_eq)
done
@ -1322,7 +1322,7 @@ lemma set_asid_pool_state_equal_except_kheap:
kheap s pool_ptr = Some (ArchObj (ASIDPool asid_pool)) \<and>
kheap s' pool_ptr = Some (ArchObj (ASIDPool asid_pool')) \<longrightarrow>
asid_pool (ucast asid) = asid_pool' (ucast asid))))"
apply(clarsimp simp: set_asid_pool_def put_def bind_def get_object_def gets_def get_def return_def assert_def fail_def set_object_def split: split_if_asm)
apply(clarsimp simp: set_asid_pool_def put_def bind_def get_object_def gets_def get_def return_def assert_def fail_def set_object_def split: if_split_asm)
apply(clarsimp simp: states_equal_except_kheap_asid_def equiv_for_def obj_at_def)
apply(case_tac "pool_ptr = ptr")
apply(clarsimp simp: a_type_def split: kernel_object.splits arch_kernel_obj.splits)
@ -1625,7 +1625,7 @@ lemma set_vm_root_for_flush_globals_equiv[wp]:
lemma flush_table_globals_equiv[wp]:
"\<lbrace>globals_equiv s\<rbrace> flush_table pd asid cptr pt \<lbrace>\<lambda>rv. globals_equiv s\<rbrace>"
unfolding flush_table_def invalidateTLB_ASID_def fun_app_def
apply (wp mapM_wp' dmo_mol_globals_equiv | wpc | simp add: do_machine_op_bind split del: split_if cong: if_cong)+
apply (wp mapM_wp' dmo_mol_globals_equiv | wpc | simp add: do_machine_op_bind split del: if_split cong: if_cong)+
done
lemma arm_global_pd_arm_asid_map_update[simp]:
@ -1858,7 +1858,7 @@ lemma perform_page_directory_invocation_globals_equiv:
lemma flush_page_globals_equiv[wp]:
"\<lbrace>globals_equiv st\<rbrace> flush_page page_size pd asid vptr \<lbrace>\<lambda>_. globals_equiv st\<rbrace>"
unfolding flush_page_def invalidateTLB_VAASID_def
apply(wp | simp cong: if_cong split del: split_if)+
apply(wp | simp cong: if_cong split del: if_split)+
done
lemma flush_page_arm_global_pd[wp]:
@ -1866,7 +1866,7 @@ lemma flush_page_arm_global_pd[wp]:
flush_page pgsz pd asid vptr
\<lbrace>\<lambda>rv s. P (arm_global_pd (arch_state s))\<rbrace>"
unfolding flush_page_def
apply(wp | simp cong: if_cong split del: split_if)+
apply(wp | simp cong: if_cong split del: if_split)+
done
lemma mapM_swp_store_pte_globals_equiv:
@ -2283,13 +2283,13 @@ lemma decode_arch_invocation_authorised_for_globals:
apply (rule hoare_pre)
apply (simp add: split_def Let_def
cong: cap.case_cong arch_cap.case_cong if_cong option.case_cong
split del: split_if)
split del: if_split)
apply (wp select_wp select_ext_weak_wp whenE_throwError_wp check_vp_wpR unlessE_wp get_pde_wp get_master_pde_wp
find_pd_for_asid_authority3 create_mapping_entries_parent_for_refs
| wpc
| simp add: authorised_for_globals_page_inv_def
del: hoare_True_E_R
split del: split_if)+
split del: if_split)+
apply(simp cong: if_cong)
apply(wp hoare_vcg_if_lift2)
apply(rule hoare_conjI)
@ -70,7 +70,7 @@ proof(induct ref arbitrary: s rule: resolve_address_bits'.induct)
apply (cases cap')
apply (simp_all add: drop_spec_ev throwError_ev_pre
cong: if_cong
split del: split_if)
split del: if_split)
apply (wp "1.hyps")
apply (assumption | simp add: in_monad | rule conjI)+
apply (wp get_cap_rev get_cap_wp whenE_throwError_wp)+
@ -248,7 +248,7 @@ lemma cap_insert_reads_respects:
apply(subst gets_apply)
apply (simp only: cap_insert_ext_extended.dxo_eq)
apply (simp only: cap_insert_ext_def)
apply(wp set_original_reads_respects update_cdt_reads_respects set_cap_reads_respects gets_apply_ev update_cdt_list_reads_respects | simp split del: split_if | clarsimp simp: equiv_for_def split: option.splits)+
apply(wp set_original_reads_respects update_cdt_reads_respects set_cap_reads_respects gets_apply_ev update_cdt_list_reads_respects | simp split del: if_split | clarsimp simp: equiv_for_def split: option.splits)+
apply (wp set_untyped_cap_as_full_reads_respects get_cap_wp get_cap_rev | simp)+
apply (intro impI conjI allI)
apply(fastforce simp: reads_equiv_def2 equiv_for_def elim: states_equiv_forE_is_original_cap states_equiv_forE_cdt dest: aag_can_read_self split: option.splits)+
@ -268,7 +268,7 @@ lemma cap_move_reads_respects:
apply (elim conjE)
apply(wp set_original_reads_respects gets_apply_ev update_cdt_reads_respects
set_cap_reads_respects update_cdt_list_reads_respects
| simp split del: split_if | fastforce simp: equiv_for_def split: option.splits)+
| simp split del: if_split | fastforce simp: equiv_for_def split: option.splits)+
apply (intro impI conjI allI)
apply(fastforce simp: reads_equiv_def2 equiv_for_def elim: states_equiv_forE_is_original_cap states_equiv_forE_cdt dest: aag_can_read_self split: option.splits)+
done
@ -295,7 +295,7 @@ lemma cap_swap_reads_respects:
apply (fold update_cdt_def)
apply (simp add: bind_assoc cap_swap_ext_def)
apply (rule gen_asm_ev)
apply(wp set_original_reads_respects update_cdt_reads_respects gets_apply_ev set_cap_reads_respects update_cdt_list_reads_respects | simp split del: split_if | fastforce simp: equiv_for_def split: option.splits)+
apply(wp set_original_reads_respects update_cdt_reads_respects gets_apply_ev set_cap_reads_respects update_cdt_list_reads_respects | simp split del: if_split | fastforce simp: equiv_for_def split: option.splits)+
apply (intro impI conjI allI)
apply((fastforce simp: reads_equiv_def2 equiv_for_def elim: states_equiv_forE_is_original_cap states_equiv_forE_cdt dest: aag_can_read_self split: option.splits)+)[2]
apply (frule_tac x = slot1 in equiv_forD,elim conjE,drule aag_can_read_self,simp)
@ -687,7 +687,7 @@ lemma dmo_getActiveIRQ_wp:
lemma only_timer_irqs:
"\<lbrakk>domain_sep_inv False st s; valid_irq_states s; is_irq_at s irq n\<rbrakk> \<Longrightarrow>
interrupt_states s irq = IRQTimer"
apply(clarsimp simp: is_irq_at_def irq_at_def Let_def split: split_if_asm)
apply(clarsimp simp: is_irq_at_def irq_at_def Let_def split: if_split_asm)
apply(case_tac "interrupt_states s (irq_oracle n)")
apply(blast elim: valid_irq_statesE)
apply(fastforce simp: domain_sep_inv_def)
@ -43,7 +43,7 @@ lemma decode_untyped_invocation_rev:
unfolding decode_untyped_invocation_def fun_app_def
apply(rule gen_asm_ev)
apply(simp add: unlessE_def[symmetric] unlessE_whenE
split del: split_if)
split del: if_split)
apply (wp_once whenE_throwError_wp
| wp mapME_x_ev' ensure_empty_rev get_cap_rev
lookup_slot_for_cnode_op_rev
@ -86,7 +86,7 @@ lemma derive_cap_rev:
lemma if_apply_ev:
"equiv_valid I A B P (if a then b x else c x) \<Longrightarrow>
equiv_valid I A B P ((if a then b else c) x)"
by(simp split: split_if_asm)
by(simp split: if_split_asm)
lemma whenE_throwError_bindE_ev:
assumes ev: "\<not> b \<Longrightarrow> equiv_valid I A A P f"
@ -119,7 +119,7 @@ lemma decode_cnode_invocation_rev:
apply ((wp if_apply_ev derive_cap_rev whenE_inv hoare_vcg_imp_lift_R
lookup_slot_for_cnode_op_rev hoare_vcg_all_lift_R
lookup_slot_for_cnode_op_authorised ensure_empty_rev get_cap_rev
| simp add: split_def unlessE_whenE split del: split_if
| simp add: split_def unlessE_whenE split del: if_split
del: hoare_True_E_R
| wpc
| (wp_once hoare_drop_imps, wp_once lookup_slot_for_cnode_op_authorised))+)
@ -234,7 +234,7 @@ lemma decode_tcb_invocation_reads_respects_f:
decode_tcb_configure_def decode_set_space_def decode_bind_notification_def
decode_set_ipc_buffer_def fun_app_def decode_unbind_notification_def
apply (simp add: unlessE_def[symmetric] unlessE_whenE
split del: split_if
split del: if_split
cong: invocation_label.case_cong)
apply (rule equiv_valid_guard_imp)
apply (wp_once requiv_cur_thread_eq range_check_ev
@ -249,7 +249,7 @@ lemma decode_tcb_invocation_reads_respects_f:
| wp_once whenE_throwError_wp
| wp_once hoare_drop_imps
| wpc
| simp add: unlessE_whenE split del: split_if add: o_def split_def)+
| simp add: unlessE_whenE split del: if_split add: o_def split_def)+
unfolding get_tcb_ctable_ptr_def get_tcb_vtable_ptr_def
apply (subgoal_tac "\<not>length excaps < 3 \<longrightarrow> is_subject aag (fst (snd (excaps ! 2)))")
prefer 2
@ -355,7 +355,7 @@ lemma create_mapping_entries_rev:
lemma check_vp_alignment_rev:
"reads_equiv_valid_inv A aag \<top> (check_vp_alignment sz vptr)"
unfolding check_vp_alignment_def
apply(wp | simp add: crunch_simps split del: split_if)+
apply(wp | simp add: crunch_simps split del: if_split)+
done
lemmas reads_respects_f_inv = reads_respects_f[where Q="\<top>", simplified]
@ -507,7 +507,7 @@ lemma lookup_pt_slot_no_fail_is_subject:
apply (simp add: aag_has_auth_to_Control_eq_owns)
apply (drule_tac f="\<lambda>pde. valid_pde pde s" in arg_cong, simp)
apply (clarsimp simp: obj_at_def a_type_def kernel_base_kernel_mapping_slots)
apply (clarsimp split: Structures_A.kernel_object.split_asm split_if_asm
apply (clarsimp split: Structures_A.kernel_object.split_asm if_split_asm
arch_kernel_obj.split_asm)
apply (erule pspace_alignedE, erule domI)
apply (simp add: pt_bits_def pageBits_def)
@ -311,7 +311,7 @@ lemma mod_less_self [simp]:
lemma split_div_mod:
"a = (b::nat) \<longleftrightarrow> (a div k = b div k \<and> a mod k = b mod k)"
by (metis mod_div_equality2)
by (metis mult_div_mod_eq)
lemma nat_to_bl_eq:
assumes "a < 2 ^ n \<or> b < 2 ^ n"
@ -419,8 +419,8 @@ lemma Low_caps_ran:
NotificationCap ntfn_ptr 0 {AllowSend},
NullCap}"
apply (rule equalityI)
apply (clarsimp simp: Low_caps_def fun_upd_def empty_cnode_def split: split_if_asm)
apply (clarsimp simp: Low_caps_def fun_upd_def empty_cnode_def split: split_if_asm
apply (clarsimp simp: Low_caps_def fun_upd_def empty_cnode_def split: if_split_asm)
apply (clarsimp simp: Low_caps_def fun_upd_def empty_cnode_def split: if_split_asm
cong: conj_cong)
apply (rule exI [where x="the_nat_to_bl_10 0"])
apply simp
@ -456,8 +456,8 @@ lemma High_caps_ran:
NotificationCap ntfn_ptr 0 {AllowRecv},
NullCap}"
apply (rule equalityI)
apply (clarsimp simp: High_caps_def ran_def empty_cnode_def split: split_if_asm)
apply (clarsimp simp: High_caps_def ran_def empty_cnode_def split: split_if_asm
apply (clarsimp simp: High_caps_def ran_def empty_cnode_def split: if_split_asm)
apply (clarsimp simp: High_caps_def ran_def empty_cnode_def split: if_split_asm
cong: conj_cong)
apply (rule exI [where x="the_nat_to_bl_10 0"])
apply simp
@ -805,7 +805,7 @@ lemma kh0_SomeD:
x \<in> irq_node_offs_range \<and> y = CNode 0 (empty_cnode 0)"
apply (frule kh0_SomeD')
apply (erule disjE, simp add: kh0_def
| force simp: kh0_def split: split_if_asm)+
| force simp: kh0_def split: if_split_asm)+
done
lemmas kh0_obj_def =
@ -927,13 +927,13 @@ definition Sys1PAS :: "(auth_graph_label subject_label) PAS" where
subsubsection {* Proof of pas_refined for Sys1 *}
lemma High_caps_well_formed: "well_formed_cnode_n 10 High_caps"
by (auto simp: High_caps_def well_formed_cnode_n_def split: split_if_asm)
by (auto simp: High_caps_def well_formed_cnode_n_def split: if_split_asm)
lemma Low_caps_well_formed: "well_formed_cnode_n 10 Low_caps"
by (auto simp: Low_caps_def well_formed_cnode_n_def split: split_if_asm)
by (auto simp: Low_caps_def well_formed_cnode_n_def split: if_split_asm)
lemma Silc_caps_well_formed: "well_formed_cnode_n 10 Silc_caps"
by (auto simp: Silc_caps_def well_formed_cnode_n_def split: split_if_asm)
by (auto simp: Silc_caps_def well_formed_cnode_n_def split: if_split_asm)
lemma s0_caps_of_state :
"caps_of_state s0_internal p = Some cap \<Longrightarrow>
@ -966,7 +966,7 @@ lemma s0_caps_of_state :
apply (case_tac p, clarsimp)
apply (clarsimp split: if_splits)
apply (clarsimp simp: cte_wp_at_cases tcb_cap_cases_def
split: split_if_asm)+
split: if_split_asm)+
apply (clarsimp simp: Silc_caps_def split: if_splits)
apply (clarsimp simp: High_caps_def split: if_splits)
apply (clarsimp simp: Low_caps_def cte_wp_at_cases split: if_splits)
@ -1008,7 +1008,7 @@ lemma domains_of_state_s0[simp]:
apply(rule subsetI)
apply clarsimp
apply (erule domains_of_state_aux.cases)
apply (clarsimp simp: s0_internal_def exst0_def ekh0_obj_def split: split_if_asm)
apply (clarsimp simp: s0_internal_def exst0_def ekh0_obj_def split: if_split_asm)
apply clarsimp
apply (force simp: s0_internal_def exst0_def ekh0_obj_def intro: domains_of_state_aux.domtcbs)+
done
@ -1117,7 +1117,7 @@ lemma silc_inv_s0:
apply (rule conjI)
apply (clarsimp simp: Sys1PAS_def Sys1AgentMap_def
s0_internal_def kh0_def obj_at_def kh0_obj_def
is_cap_table_def Silc_caps_well_formed split: split_if_asm)
is_cap_table_def Silc_caps_well_formed split: if_split_asm)
apply (rule conjI)
apply (clarsimp simp: Sys1PAS_def Sys1AuthGraph_def)
apply (rule conjI)
@ -1132,7 +1132,7 @@ lemma silc_inv_s0:
apply (case_tac a, clarsimp)
apply (clarsimp split: if_splits)
apply ((clarsimp simp: intra_label_cap_def cte_wp_at_cases tcb_cap_cases_def
cap_points_to_label_def split: split_if_asm)+)[8]
cap_points_to_label_def split: if_split_asm)+)[8]
apply (clarsimp simp: intra_label_cap_def cap_points_to_label_def)
apply (drule cte_wp_at_caps_of_state' s0_caps_of_state)+
apply ((erule disjE |
@ -1256,7 +1256,7 @@ lemma valid_objs_s0:
"valid_objs s0_internal"
apply (clarsimp simp: valid_objs_def)
apply (subst(asm) s0_internal_def kh0_def)+
apply (simp split: split_if_asm)
apply (simp split: if_split_asm)
apply force+
apply (clarsimp simp: valid_obj_def valid_cs_def empty_cnode_def valid_cs_size_def ran_def
cte_level_bits_def word_bits_def well_formed_cnode_n_def dom_def)
@ -1390,7 +1390,7 @@ lemma valid_pspace_s0[simp]:
apply (rule conjI)
apply (clarsimp simp: if_live_then_nonz_cap_def)
apply (subst(asm) s0_internal_def)
apply (clarsimp simp: obj_at_def kh0_def kh0_obj_def s0_ptr_defs split: split_if_asm)
apply (clarsimp simp: obj_at_def kh0_def kh0_obj_def s0_ptr_defs split: if_split_asm)
apply (clarsimp simp: ex_nonz_cap_to_def)
apply (rule_tac x="High_cnode_ptr" in exI)
apply (rule_tac x="the_nat_to_bl_10 1" in exI)
@ -1408,7 +1408,7 @@ lemma valid_pspace_s0[simp]:
apply (force dest: s0_caps_of_state simp: is_zombie_def)
apply (clarsimp simp: sym_refs_def state_refs_of_def s0_internal_def)
apply (subst(asm) kh0_def)
apply (clarsimp split: split_if_asm)
apply (clarsimp split: if_split_asm)
by (simp add: refs_of_def kh0_def s0_ptr_defs kh0_obj_def)+
lemma descendants_s0[simp]:
@ -1443,7 +1443,7 @@ lemma valid_mdb_s0[simp]:
lemma valid_ioc_s0[simp]:
"valid_ioc s0_internal"
by (clarsimp simp: cte_wp_at_cases tcb_cap_cases_def valid_ioc_def
s0_internal_def kh0_def kh0_obj_def split: split_if_asm)+
s0_internal_def kh0_def kh0_obj_def split: if_split_asm)+
lemma valid_idle_s0[simp]:
"valid_idle s0_internal"
@ -1615,7 +1615,7 @@ lemma valid_kernel_mappings_s0[simp]:
apply (drule kh0_SomeD)
apply (clarsimp simp: arch_state0_def kernel_mapping_slots_def)
apply (erule disjE | simp add: pde_ref_def s0_ptr_defs kh0_obj_def High_pd'_def Low_pd'_def
split: split_if_asm pde.splits)+
split: if_split_asm pde.splits)+
done
lemma equal_kernel_mappings_s0[simp]:
@ -1735,7 +1735,7 @@ lemma valid_sched_s0[simp]:
apply (clarsimp simp: ct_in_cur_domain_def in_cur_domain_def etcb_at'_def ekh0_obj_def
s0_ptr_defs)
apply (clarsimp simp: const_def valid_blocked_def st_tcb_at_kh_def obj_at_kh_def obj_at_def
kh0_def kh0_obj_def split: split_if_asm)
kh0_def kh0_obj_def split: if_split_asm)
apply (clarsimp simp: valid_idle_etcb_def etcb_at'_def ekh0_obj_def s0_ptr_defs idle_thread_ptr_def)
done
@ -770,13 +770,13 @@ lemma caps_dom_length_10:
"Silc_caps x = Some y \<Longrightarrow> length x = 10"
"High_caps x = Some y \<Longrightarrow> length x = 10"
"Low_caps x = Some y \<Longrightarrow> length x = 10"
by (simp_all add: Silc_caps_def High_caps_def Low_caps_def the_nat_to_bl_def nat_to_bl_def split: split_if_asm)
by (simp_all add: Silc_caps_def High_caps_def Low_caps_def the_nat_to_bl_def nat_to_bl_def split: if_split_asm)
lemma dom_caps:
"dom Silc_caps = {x. length x = 10}"
"dom High_caps = {x. length x = 10}"
"dom Low_caps = {x. length x = 10}"
apply (simp_all add: Silc_caps_def High_caps_def Low_caps_def the_nat_to_bl_def nat_to_bl_def dom_def split: split_if_asm)
apply (simp_all add: Silc_caps_def High_caps_def Low_caps_def the_nat_to_bl_def nat_to_bl_def dom_def split: if_split_asm)
apply fastforce+
done
@ -1048,14 +1048,14 @@ lemma kh0H_dom:
pt_offs_range Low_pt_ptr"
apply (rule equalityI)
apply (simp add: kh0H_def dom_def)
apply (clarsimp simp: offs_in_range option_update_range_def not_in_range_None split: split_if_asm)
apply (clarsimp simp: offs_in_range option_update_range_def not_in_range_None split: if_split_asm)
apply (clarsimp simp: dom_def)
apply (rule conjI, clarsimp simp: kh0H_def option_update_range_def kh0H_dom_distinct not_in_range_None split: option.splits)+
apply (force dest: irq_node_offs_range_correct)
by (rule conjI |
clarsimp simp: kh0H_def option_update_range_def kh0H_dom_distinct not_in_range_None split: option.splits,
frule offs_range_correct,
clarsimp simp: kh0H_all_obj_def cnode_offs_range_def pd_offs_range_def pt_offs_range_def split: split_if_asm)+
clarsimp simp: kh0H_all_obj_def cnode_offs_range_def pd_offs_range_def pt_offs_range_def split: if_split_asm)+
lemmas kh0H_SomeD' = set_mp[OF equalityD1[OF kh0H_dom[simplified dom_def]], OF CollectI, simplified, OF exI]
@ -1173,7 +1173,7 @@ lemma kh0H_dom_tcb:
apply (frule domI[where m="kh0H"])
apply (simp add: kh0H_dom)
apply (elim disjE)
apply (drule irq_node_offs_range_correct cnode_offs_range_correct pd_offs_range_correct pt_offs_range_correct | clarsimp simp: kh0H_all_obj_def s0_ptrs_aligned split: split_if_asm)+
apply (drule irq_node_offs_range_correct cnode_offs_range_correct pd_offs_range_correct pt_offs_range_correct | clarsimp simp: kh0H_all_obj_def s0_ptrs_aligned split: if_split_asm)+
done
lemma not_in_range_cte_None:
@ -1310,7 +1310,7 @@ lemma map_to_ctes_kh0H:
apply (rule conjI)
apply (fastforce simp: tcb_cte_cases_def Low_tcb_cte_def dest: neg_mask_decompose)
apply clarsimp
subgoal by (fastforce simp: Low_tcb_cte_def tcb_cte_cases_def split: split_if_asm dest: neg_mask_decompose)
subgoal by (fastforce simp: Low_tcb_cte_def tcb_cte_cases_def split: if_split_asm dest: neg_mask_decompose)
apply (clarsimp simp: option_update_range_def)
apply (frule mask_in_tcb_offs_range)
apply (clarsimp simp: kh0H_dom_distinct[THEN set_mem_neq])
@ -1322,7 +1322,7 @@ lemma map_to_ctes_kh0H:
apply (rule conjI)
apply (fastforce simp: tcb_cte_cases_def High_tcb_cte_def dest: neg_mask_decompose)
apply clarsimp
apply (fastforce simp: High_tcb_cte_def tcb_cte_cases_def split: split_if_asm dest: neg_mask_decompose)
apply (fastforce simp: High_tcb_cte_def tcb_cte_cases_def split: if_split_asm dest: neg_mask_decompose)
apply (clarsimp simp: option_update_range_def)
apply (frule mask_in_tcb_offs_range)
apply (clarsimp simp: kh0H_dom_distinct[THEN set_mem_neq])
@ -1334,7 +1334,7 @@ lemma map_to_ctes_kh0H:
apply (rule conjI)
apply (fastforce simp: tcb_cte_cases_def idle_tcb_cte_def dest: neg_mask_decompose)
apply clarsimp
apply (fastforce simp: idle_tcb_cte_def tcb_cte_cases_def split: split_if_asm dest: neg_mask_decompose)
apply (fastforce simp: idle_tcb_cte_def tcb_cte_cases_def split: if_split_asm dest: neg_mask_decompose)
apply (drule_tac m="kh0H" in opt_None_not_dom)
apply (rule conjI)
apply (clarsimp simp: kh0H_dom option_update_range_def)
@ -1344,7 +1344,7 @@ lemma map_to_ctes_kh0H:
apply (frule range_tcb_not_kh0H_dom(1)[simplified])
apply (frule range_tcb_not_kh0H_dom(2)[simplified])
apply (drule range_tcb_not_kh0H_dom(3)[simplified])
apply (clarsimp simp: kh0H_dom split del: split_if)
apply (clarsimp simp: kh0H_dom split del: if_split)
apply (clarsimp simp: option_update_range_def)
apply ((clarsimp simp: kh0H_dom_sets_distinct[THEN orthD2] not_in_tcb_offs not_in_range_cte_None offs_in_range
| clarsimp simp: kh0H_dom_sets_distinct[THEN orthD1] not_in_range_cte_None)+)[1]
@ -1353,16 +1353,16 @@ lemma map_to_ctes_kh0H:
apply (clarsimp simp: irq_node_offs_in_range)
apply (frule kh0H_SomeD)
apply (elim disjE)
apply (clarsimp simp: map_to_ctes_def Let_def kh0H_obj_def split del: split_if,
subst split_if_eq1,
apply (clarsimp simp: map_to_ctes_def Let_def kh0H_obj_def split del: if_split,
subst if_split_eq1,
rule conjI,
clarsimp,
drule kh0H_dom_tcb,
fastforce simp: s0_ptr_defs mask_def objBitsKO_def,
rule impI,
fastforce simp: option_update_range_def kh0H_dom_distinct not_in_range_cte_None)
apply ((clarsimp simp: map_to_ctes_def Let_def split del: split_if,
subst split_if_eq1,
apply ((clarsimp simp: map_to_ctes_def Let_def split del: if_split,
subst if_split_eq1,
rule conjI,
rule impI,
(subst is_aligned_neg_mask_eq,
@ -1378,16 +1378,16 @@ lemma map_to_ctes_kh0H:
drule int_not_emptyD,
clarsimp,
(elim disjE, (clarsimp | drule(1) order_trans le_less_trans, fastforce)+)[1])+)[3]
apply (clarsimp simp: map_to_ctes_def Let_def kh0H_obj_def split del: split_if,
subst split_if_eq1,
apply (clarsimp simp: map_to_ctes_def Let_def kh0H_obj_def split del: if_split,
subst if_split_eq1,
rule conjI,
clarsimp,
drule kh0H_dom_tcb,
fastforce simp: s0_ptr_defs mask_def objBitsKO_def,
rule impI,
fastforce simp: option_update_range_def kh0H_dom_distinct not_in_range_cte_None)
apply (clarsimp simp: map_to_ctes_def Let_def kh0H_obj_def split del: split_if,
subst split_if_eq1,
apply (clarsimp simp: map_to_ctes_def Let_def kh0H_obj_def split del: if_split,
subst if_split_eq1,
rule conjI,
rule impI,
clarsimp simp: option_update_range_def kh0H_dom_distinct not_in_range_cte_None,
@ -1397,9 +1397,9 @@ lemma map_to_ctes_kh0H:
drule int_not_emptyD,
clarsimp,
(elim disjE, (clarsimp | drule(1) order_trans le_less_trans, fastforce)+)[1])
apply (clarsimp simp: map_to_ctes_def Let_def kh0H_obj_def split del: split_if)
apply (clarsimp simp: map_to_ctes_def Let_def kh0H_obj_def split del: if_split)
apply (frule irq_node_offs_range_correct)
apply (subst split_if_eq1)
apply (subst if_split_eq1)
apply (rule conjI)
apply (rule impI)
apply (clarsimp simp: option_update_range_def kh0H_dom_distinct not_in_range_cte_None)
@ -1438,8 +1438,8 @@ lemma map_to_ctes_kh0H:
fastforce,
fastforce simp: add.commute)
| unat_arith)+)[1]
apply ((clarsimp simp: map_to_ctes_def Let_def kh0H_obj_def objBitsKO_def split: split_if_asm split del: split_if,
subst split_if_eq1,
apply ((clarsimp simp: map_to_ctes_def Let_def kh0H_obj_def objBitsKO_def split: if_split_asm split del: if_split,
subst if_split_eq1,
rule conjI,
rule impI,
clarsimp simp: option_update_range_def kh0H_dom_distinct not_in_range_cte_None,
@ -1474,14 +1474,14 @@ lemma map_to_ctes_kh0H:
fastforce,
fastforce,
fastforce simp: add.commute | unat_arith)+)[1])+)[3]
apply ((clarsimp simp: map_to_ctes_def Let_def split del: split_if,
subst split_if_eq1,
apply ((clarsimp simp: map_to_ctes_def Let_def split del: if_split,
subst if_split_eq1,
rule conjI,
rule impI,
drule pd_offs_range_correct,
clarsimp simp: option_update_range_def kh0H_dom_distinct not_in_range_cte_None kh0H_obj_def,
rule impI,
subst split_if_eq1,
subst if_split_eq1,
rule conjI,
rule impI,
rule FalseE,
@ -1507,14 +1507,14 @@ lemma map_to_ctes_kh0H:
clarsimp simp: option_update_range_def kh0H_dom_distinct[THEN set_mem_neq] not_in_range_cte_None,
((clarsimp simp: kh0H_dom_sets_distinct[THEN orthD1] not_in_range_cte_None irq_node_offs_in_range |
clarsimp simp: kh0H_dom_sets_distinct[THEN orthD2] not_in_range_cte_None)+)[1])+)[3]
by (clarsimp simp: map_to_ctes_def Let_def split del: split_if,
subst split_if_eq1,
by (clarsimp simp: map_to_ctes_def Let_def split del: if_split,
subst if_split_eq1,
rule conjI,
rule impI,
drule pt_offs_range_correct,
clarsimp simp: option_update_range_def kh0H_dom_distinct not_in_range_cte_None kh0H_obj_def,
rule impI,
subst split_if_eq1,
subst if_split_eq1,
rule conjI,
rule impI,
rule FalseE,
@ -1840,13 +1840,13 @@ lemma map_to_ctes_kh0H_dom:
apply (rule equalityI)
apply (simp add: map_to_ctes_kh0H dom_def)
apply clarsimp
apply (clarsimp simp: offs_in_range option_update_range_def split: option.splits split_if_asm)
apply (clarsimp simp: offs_in_range option_update_range_def split: option.splits if_split_asm)
apply (clarsimp simp: idle_tcb_cte_def)
apply (clarsimp simp: High_tcb_cte_def)
apply (clarsimp simp: Low_tcb_cte_def)
apply (clarsimp simp: Silc_cte_cte_def cnode_offs_range_def split: split_if_asm)
apply (clarsimp simp: High_cte_cte_def cnode_offs_range_def split: split_if_asm)
apply (clarsimp simp: Low_cte_cte_def cnode_offs_range_def split: split_if_asm)
apply (clarsimp simp: Silc_cte_cte_def cnode_offs_range_def split: if_split_asm)
apply (clarsimp simp: High_cte_cte_def cnode_offs_range_def split: if_split_asm)
apply (clarsimp simp: Low_cte_cte_def cnode_offs_range_def split: if_split_asm)
apply (clarsimp simp: dom_def)
apply (clarsimp simp: idle_tcb_cte_def Low_tcb_cte_def High_tcb_cte_def)
apply (rule conjI)
@ -1950,7 +1950,7 @@ lemma s0H_pspace_distinct':
| clarsimp simp: objBitsKO_def pageBits_def cnode_offs_range_def pd_offs_range_def pt_offs_range_def irq_node_offs_range_def s0_ptr_defs kh0H_obj_def,
drule(1) notE[rotated, OF le_less_trans, OF _ _ leD, rotated 2]
notE[rotated, OF le_less_trans, OF _ _ leD], fastforce, simp
| (clarsimp simp: objBitsKO_def pageBits_def cnode_offs_range_def pd_offs_range_def pt_offs_range_def irq_node_offs_range_def s0_ptr_defs kh0H_obj_def Low_cte'_def Low_capsH_def cte_level_bits_def empty_cte_def High_cte'_def High_capsH_def Silc_cte'_def Silc_capsH_def split: split_if_asm,
| (clarsimp simp: objBitsKO_def pageBits_def cnode_offs_range_def pd_offs_range_def pt_offs_range_def irq_node_offs_range_def s0_ptr_defs kh0H_obj_def Low_cte'_def Low_capsH_def cte_level_bits_def empty_cte_def High_cte'_def High_capsH_def Silc_cte'_def Silc_capsH_def split: if_split_asm,
(drule(1) aligned_le_sharp, simp add: mask_def,
drule_tac x="0xF" in word_plus_mono_right, fastforce, simp add: add.commute,
(drule(1) notE[rotated, OF le_less_trans, OF _ _ leD, rotated 2]
@ -1963,7 +1963,7 @@ lemma s0H_pspace_distinct':
drule(2) notE[rotated, OF less_trans, OF _ _ leD[OF order_trans], rotated 2]
notE[rotated, OF le_less_trans, OF _ _ leD[OF order_trans], rotated 2],
fastforce, simp
| (clarsimp simp: irq_node_offs_range_def cnode_offs_range_def pd_offs_range_def pt_offs_range_def s0_ptr_defs objBitsKO_def archObjSize_def kh0H_obj_def Low_cte'_def Low_capsH_def High_cte'_def High_capsH_def Silc_cte'_def Silc_capsH_def cte_level_bits_def empty_cte_def split: split_if_asm,
| (clarsimp simp: irq_node_offs_range_def cnode_offs_range_def pd_offs_range_def pt_offs_range_def s0_ptr_defs objBitsKO_def archObjSize_def kh0H_obj_def Low_cte'_def Low_capsH_def High_cte'_def High_capsH_def Silc_cte'_def Silc_capsH_def cte_level_bits_def empty_cte_def split: if_split_asm,
(drule(1) aligned_le_sharp, simp add: mask_neg_add_aligned, fastforce simp: mask_def)+)[1])+
lemma pspace_distinctD'':
@ -2194,36 +2194,36 @@ lemma s0H_valid_objs':
apply (clarsimp simp: valid_obj'_def valid_cte'_def)
apply (clarsimp simp: valid_obj'_def Low_cte_def Low_cte'_def Low_capsH_def empty_cte_def
valid_cte'_def
split: split_if_asm)
split: if_split_asm)
apply (clarsimp simp: valid_obj'_def High_cte_def High_cte'_def High_capsH_def empty_cte_def
valid_cte'_def
split: split_if_asm)
split: if_split_asm)
apply (clarsimp simp: valid_obj'_def Silc_cte_def Silc_cte'_def Silc_capsH_def empty_cte_def
valid_cte'_def
split: split_if_asm)
split: if_split_asm)
apply (clarsimp simp: valid_obj'_def global_pdH'_def valid_mapping'_def s0_ptr_defs
is_aligned_def ARM.addrFromPPtr_def ARM.ptrFromPAddr_def
physMappingOffset_def ARM.kernelBase_def ARM.physBase_def
kernelBase_addr_def physBase_def
split: split_if_asm)
split: if_split_asm)
apply (clarsimp simp: valid_obj'_def High_pdH_def High_pd'H_def valid_pde'_def
valid_mapping'_def s0_ptr_defs is_aligned_def ARM.addrFromPPtr_def
ARM.kernelBase_def ARM.physBase_def ARM.ptrFromPAddr_def ptBits_def
pageBits_def physMappingOffset_def kernelBase_addr_def physBase_def
split: split_if_asm)
split: if_split_asm)
apply (clarsimp simp: valid_obj'_def Low_pdH_def Low_pd'H_def valid_pde'_def valid_mapping'_def
s0_ptr_defs is_aligned_def ARM.addrFromPPtr_def
ARM.ptrFromPAddr_def ARM.physBase_def ptBits_def pageBits_def
physMappingOffset_def kernelBase_addr_def physBase_def
split: split_if_asm)
split: if_split_asm)
apply (clarsimp simp: valid_obj'_def High_ptH_def High_pt'H_def valid_mapping'_def s0_ptr_defs
is_aligned_def ARM.addrFromPPtr_def ARM.ptrFromPAddr_def ARM.kernelBase_def
ARM.physBase_def physMappingOffset_def kernelBase_addr_def physBase_def
split: split_if_asm)
split: if_split_asm)
apply (clarsimp simp: valid_obj'_def Low_ptH_def Low_pt'H_def valid_mapping'_def s0_ptr_defs
is_aligned_def ARM.addrFromPPtr_def ARM.physBase_def ARM.ptrFromPAddr_def
physMappingOffset_def kernelBase_addr_def physBase_def
split: split_if_asm)
split: if_split_asm)
done
lemmas the_nat_to_bl_simps =
@ -2378,9 +2378,9 @@ lemma mdb_next_s0H:
apply (elim exE conjE)
apply (frule map_to_ctes_kh0H_SomeD)
apply (elim disjE, simp_all)[1]
apply (clarsimp simp: kh0H_all_obj_def' to_bl_use_of_bl the_nat_to_bl_simps cte_level_bits_def ucast_shiftr_13E s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' to_bl_use_of_bl the_nat_to_bl_simps cte_level_bits_def ucast_shiftr_13E s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' to_bl_use_of_bl the_nat_to_bl_simps cte_level_bits_def ucast_shiftr_13E s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' to_bl_use_of_bl the_nat_to_bl_simps cte_level_bits_def ucast_shiftr_13E s0_ptrs_aligned split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' to_bl_use_of_bl the_nat_to_bl_simps cte_level_bits_def ucast_shiftr_13E s0_ptrs_aligned split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' to_bl_use_of_bl the_nat_to_bl_simps cte_level_bits_def ucast_shiftr_13E s0_ptrs_aligned split: if_split_asm)
apply (clarsimp simp: next_unfold' map_to_ctes_kh0H_dom)
apply (elim disjE, simp_all add: kh0H_all_obj_def')
done
@ -2399,11 +2399,11 @@ lemma mdb_prev_s0H:
apply (frule map_to_ctes_kh0H_SomeD)
apply (elim disjE, simp_all)[1]
apply clarsimp
apply (clarsimp simp: kh0H_all_obj_def' to_bl_use_of_bl the_nat_to_bl_simps cte_level_bits_def ucast_shiftr_13E s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' to_bl_use_of_bl the_nat_to_bl_simps cte_level_bits_def ucast_shiftr_13E s0_ptrs_aligned split: if_split_asm)
apply clarsimp
apply (clarsimp simp: kh0H_all_obj_def' to_bl_use_of_bl the_nat_to_bl_simps cte_level_bits_def ucast_shiftr_13E ucast_shiftr_3 ucast_shiftr_2 s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' to_bl_use_of_bl the_nat_to_bl_simps cte_level_bits_def ucast_shiftr_13E ucast_shiftr_3 ucast_shiftr_2 s0_ptrs_aligned split: if_split_asm)
apply clarsimp
apply (clarsimp simp: kh0H_all_obj_def' to_bl_use_of_bl the_nat_to_bl_simps cte_level_bits_def ucast_shiftr_13E ucast_shiftr_3 ucast_shiftr_2 s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' to_bl_use_of_bl the_nat_to_bl_simps cte_level_bits_def ucast_shiftr_13E ucast_shiftr_3 ucast_shiftr_2 s0_ptrs_aligned split: if_split_asm)
apply (clarsimp simp: mdb_prev_def map_to_ctes_kh0H_dom)
apply (elim disjE, simp_all add: kh0H_all_obj_def')
done
@ -2459,41 +2459,41 @@ lemma sameRegionAs_s0H:
apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
apply (elim disjE, simp_all add: sameRegionAs_def isCap_simps)[1]
apply (simp add: s0_ptr_defs)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_2 s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_2 s0_ptrs_aligned split: if_split_asm)
apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
apply (elim disjE, simp_all add: sameRegionAs_def ARM_H.sameRegionAs_def isCap_simps)[1]
apply (simp add: s0_ptr_defs)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: split_if_asm)
apply (clarsimp simp: ARM_H.sameRegionAs_def isCap_simps kh0H_all_obj_def' s0_ptr_defs split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_3 s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
apply (clarsimp simp: ARM_H.sameRegionAs_def isCap_simps kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_3 s0_ptrs_aligned split: if_split_asm)
apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
apply (elim disjE, simp_all add: sameRegionAs_def isCap_simps)[1]
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
apply (elim disjE, simp_all add: sameRegionAs_def isCap_simps)[1]
apply (simp add: s0_ptr_defs)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_2 s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_2 s0_ptrs_aligned split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
apply (elim disjE, simp_all add: sameRegionAs_def ARM_H.sameRegionAs_def isCap_simps)[1]
apply (simp add: s0_ptr_defs)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_3 s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: ARM_H.sameRegionAs_def isCap_simps kh0H_all_obj_def' s0_ptr_defs split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_3 s0_ptrs_aligned split: if_split_asm)
apply (clarsimp simp: ARM_H.sameRegionAs_def isCap_simps kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
apply (elim disjE, simp_all add: sameRegionAs_def isCap_simps)[1]
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' split: if_split_asm)
apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
apply (elim disjE, simp_all add: sameRegionAs_def isCap_simps)[1]
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps split: if_split_asm)
apply (drule(2) ucast_shiftr_13E)
apply (rule s0_ptrs_aligned)
apply simp
@ -2501,11 +2501,11 @@ lemma sameRegionAs_s0H:
apply (rule s0_ptrs_aligned)
apply simp
apply clarsimp
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_13E s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_13E s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_13E s0_ptrs_aligned split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_13E s0_ptrs_aligned split: if_split_asm)
apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
apply (elim disjE, simp_all add: sameRegionAs_def isCap_simps)[1]
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps split: if_split_asm)
apply (drule(2) ucast_shiftr_2)
apply (rule s0_ptrs_aligned)
apply simp
@ -2513,13 +2513,13 @@ lemma sameRegionAs_s0H:
apply (rule s0_ptrs_aligned)
apply simp
apply clarsimp
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' split: if_split_asm)
apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
apply (elim disjE, simp_all add: sameRegionAs_def isCap_simps)[1]
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_13E s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_13E s0_ptrs_aligned split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps split: if_split_asm)
apply (drule(2) ucast_shiftr_13E)
apply (rule s0_ptrs_aligned)
apply simp
@ -2527,12 +2527,12 @@ lemma sameRegionAs_s0H:
apply (rule s0_ptrs_aligned)
apply simp
apply clarsimp
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_13E s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_13E s0_ptrs_aligned split: if_split_asm)
apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
apply (elim disjE, simp_all add: sameRegionAs_def ARM_H.sameRegionAs_def isCap_simps)[1]
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_3 s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_3 s0_ptrs_aligned split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps split: if_split_asm)
apply (drule(2) ucast_shiftr_3)
apply (rule s0_ptrs_aligned)
apply simp
@ -2540,19 +2540,19 @@ lemma sameRegionAs_s0H:
apply (rule s0_ptrs_aligned)
apply simp
apply clarsimp
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps split: if_split_asm)
apply (drule(2) ucast_shiftr_3)
apply (rule s0_ptrs_aligned)
apply simp
apply (drule(2) ucast_shiftr_3)
apply (rule s0_ptrs_aligned)
apply simp
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps s0_ptrs_aligned ARM_H.sameRegionAs_def isCap_simps split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps s0_ptrs_aligned ARM_H.sameRegionAs_def isCap_simps split: if_split_asm)
apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
apply (elim disjE, simp_all add: sameRegionAs_def isCap_simps)[1]
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_2 s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_2 s0_ptrs_aligned split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps split: if_split_asm)
apply (drule(2) ucast_shiftr_2)
apply (rule s0_ptrs_aligned)
apply simp
@ -2560,11 +2560,11 @@ lemma sameRegionAs_s0H:
apply (rule s0_ptrs_aligned)
apply simp
apply clarsimp
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps split: if_split_asm)
apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
apply (elim disjE, simp_all add: sameRegionAs_def isCap_simps)[1]
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps s0_ptrs_aligned split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps split: if_split_asm)
apply (drule(2) ucast_shiftr_1)
apply (rule s0_ptrs_aligned)
apply simp
@ -2572,13 +2572,13 @@ lemma sameRegionAs_s0H:
apply (rule s0_ptrs_aligned)
apply simp
apply clarsimp
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' split: if_split_asm)
apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
apply (elim disjE, simp_all add: sameRegionAs_def isCap_simps)[1]
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_13E s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_13E s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_13E s0_ptrs_aligned split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_13E s0_ptrs_aligned split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps split: if_split_asm)
apply (drule(2) ucast_shiftr_13E)
apply (rule s0_ptrs_aligned)
apply simp
@ -2588,11 +2588,11 @@ lemma sameRegionAs_s0H:
apply clarsimp
apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
apply (elim disjE, simp_all add: sameRegionAs_def ARM_H.sameRegionAs_def isCap_simps)[1]
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_3 s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_3 s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_3 s0_ptrs_aligned ARM_H.sameRegionAs_def isCap_simps split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_3 s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_3 s0_ptrs_aligned split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_3 s0_ptrs_aligned split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_3 s0_ptrs_aligned ARM_H.sameRegionAs_def isCap_simps split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_3 s0_ptrs_aligned split: if_split_asm)
apply (drule(2) ucast_shiftr_3)
apply (rule s0_ptrs_aligned)
apply simp
@ -2602,10 +2602,10 @@ lemma sameRegionAs_s0H:
apply clarsimp
apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
apply (elim disjE, simp_all add: sameRegionAs_def isCap_simps)[1]
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_2 s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_2 s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_2 s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_2 s0_ptrs_aligned split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_2 s0_ptrs_aligned split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_2 s0_ptrs_aligned split: if_split_asm)
apply (drule(2) ucast_shiftr_2)
apply (rule s0_ptrs_aligned)
apply simp
@ -2615,9 +2615,9 @@ lemma sameRegionAs_s0H:
apply clarsimp
apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
apply (elim disjE, simp_all add: sameRegionAs_def isCap_simps)[1]
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_1 s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_1 s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_1 s0_ptrs_aligned split: split_if_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_1 s0_ptrs_aligned split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_1 s0_ptrs_aligned split: if_split_asm)
apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_1 s0_ptrs_aligned split: if_split_asm)
apply (drule(2) ucast_shiftr_1)
apply (rule s0_ptrs_aligned)
apply simp
@ -2695,7 +2695,7 @@ lemma s0H_valid_pspace':
apply simp
apply simp
apply ((erule r_into_trancl[OF next_fold], clarsimp)+)[5]
apply (clarsimp simp: Silc_cte_cte_def cnode_offs_range_def Silc_cte'_def Silc_capsH_def empty_cte_def split: split_if_asm)
apply (clarsimp simp: Silc_cte_cte_def cnode_offs_range_def Silc_cte'_def Silc_capsH_def empty_cte_def split: if_split_asm)
apply (rule r_r_into_trancl)
apply (erule next_fold)
apply simp
@ -2704,9 +2704,9 @@ lemma s0H_valid_pspace':
apply simp
apply (erule r_into_trancl[OF next_fold], simp)
apply (erule r_into_trancl[OF next_fold], simp)
apply (clarsimp simp: High_cte_cte_def cnode_offs_range_def High_cte'_def High_capsH_def empty_cte_def split: split_if_asm)
apply (clarsimp simp: High_cte_cte_def cnode_offs_range_def High_cte'_def High_capsH_def empty_cte_def split: if_split_asm)
apply ((erule r_into_trancl[OF next_fold], clarsimp)+)[5]
apply (clarsimp simp: Low_cte_cte_def cnode_offs_range_def Low_cte'_def Low_capsH_def empty_cte_def split: split_if_asm)
apply (clarsimp simp: Low_cte_cte_def cnode_offs_range_def Low_cte'_def Low_capsH_def empty_cte_def split: if_split_asm)
apply (rule trancl_into_trancl2)
apply (erule next_fold)
apply simp
@ -2720,27 +2720,27 @@ lemma s0H_valid_pspace':
apply (erule r_into_trancl[OF next_fold], simp)+
apply (clarsimp simp: valid_badges_def)
apply (frule_tac x=p in map_to_ctes_kh0H_SomeD)
apply (elim disjE, (clarsimp simp: kh0H_all_obj_def Low_cte_cte_def High_cte_cte_def Silc_cte_cte_def isCap_simps cnode_offs_range_def split: split_if_asm)+)[1]
apply (elim disjE, (clarsimp simp: kh0H_all_obj_def Low_cte_cte_def High_cte_cte_def Silc_cte_cte_def isCap_simps cnode_offs_range_def split: if_split_asm)+)[1]
apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
apply (elim disjE, (clarsimp simp: kh0H_all_obj_def Low_cte_cte_def High_cte_cte_def Silc_cte_cte_def isCap_simps cnode_offs_range_def sameRegionAs_def split: split_if_asm)+)[1]
apply (elim disjE, (clarsimp simp: kh0H_all_obj_def Low_cte_cte_def High_cte_cte_def Silc_cte_cte_def isCap_simps cnode_offs_range_def sameRegionAs_def split: if_split_asm)+)[1]
apply (intro conjI impI)
apply (clarsimp simp: High_cte_cte_def kh0H_all_obj_def isCap_simps split: split_if_asm)
apply (clarsimp simp: High_cte_cte_def kh0H_all_obj_def isCap_simps split: if_split_asm)
apply (drule(1) sameRegion_ntfn)
apply (clarsimp simp: High_cte_cte_def kh0H_all_obj_def isCap_simps split: split_if_asm)
apply (clarsimp simp: High_cte_cte_def kh0H_all_obj_def isCap_simps split: if_split_asm)
apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
apply (elim disjE, (clarsimp simp: kh0H_all_obj_def High_cte_cte_def Low_cte_cte_def Silc_cte_cte_def split: split_if_asm)+)[1]
apply (elim disjE, (clarsimp simp: kh0H_all_obj_def High_cte_cte_def Low_cte_cte_def Silc_cte_cte_def split: if_split_asm)+)[1]
apply (intro conjI impI)
apply (clarsimp simp: Low_cte_cte_def kh0H_all_obj_def isCap_simps split: split_if_asm)
apply (clarsimp simp: Low_cte_cte_def kh0H_all_obj_def isCap_simps split: if_split_asm)
apply (drule(1) sameRegion_ntfn)
apply (clarsimp simp: Low_cte_cte_def kh0H_all_obj_def isCap_simps split: split_if_asm)
apply (clarsimp simp: Low_cte_cte_def kh0H_all_obj_def isCap_simps split: if_split_asm)
apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
apply (elim disjE, (clarsimp simp: kh0H_all_obj_def High_cte_cte_def Low_cte_cte_def Silc_cte_cte_def split: split_if_asm)+)[1]
apply (elim disjE, (clarsimp simp: kh0H_all_obj_def High_cte_cte_def Low_cte_cte_def Silc_cte_cte_def split: if_split_asm)+)[1]
apply (clarsimp simp: caps_contained'_def)
apply (drule_tac x=p in map_to_ctes_kh0H_SomeD)
apply (elim disjE, simp_all)[1]
apply (clarsimp simp: Silc_cte_cte_def kh0H_all_obj_def split: split_if_asm)
apply (clarsimp simp: High_cte_cte_def kh0H_all_obj_def split: split_if_asm)
apply (clarsimp simp: Low_cte_cte_def kh0H_all_obj_def split: split_if_asm)
apply (clarsimp simp: Silc_cte_cte_def kh0H_all_obj_def split: if_split_asm)
apply (clarsimp simp: High_cte_cte_def kh0H_all_obj_def split: if_split_asm)
apply (clarsimp simp: Low_cte_cte_def kh0H_all_obj_def split: if_split_asm)
apply (clarsimp simp: mdb_chunked_def)
apply (frule(3) sameRegionAs_s0H)
apply (clarsimp simp: conj_disj_distribL)
@ -2756,20 +2756,20 @@ lemma s0H_valid_pspace':
|
|||
apply (clarsimp simp: untyped_mdb'_def)
|
||||
apply (drule_tac x=p in map_to_ctes_kh0H_SomeD)
|
||||
apply (elim disjE, simp_all add: isCap_simps kh0H_all_obj_def')[1]
|
||||
apply ((clarsimp split: split_if_asm)+)[3]
|
||||
apply ((clarsimp split: if_split_asm)+)[3]
|
||||
apply (clarsimp simp: untyped_inc'_def)
|
||||
apply (rule FalseE)
|
||||
apply (drule_tac x=p in map_to_ctes_kh0H_SomeD)
|
||||
apply (elim disjE, simp_all add: isCap_simps kh0H_all_obj_def')[1]
|
||||
apply ((clarsimp split: split_if_asm)+)[3]
|
||||
apply ((clarsimp split: if_split_asm)+)[3]
|
||||
apply (clarsimp simp: valid_nullcaps_def)
|
||||
apply (drule map_to_ctes_kh0H_SomeD)
|
||||
apply (elim disjE, simp_all add: kh0H_all_obj_def' nullMDBNode_def)
|
||||
apply ((clarsimp split: split_if_asm)+)[3]
|
||||
apply ((clarsimp split: if_split_asm)+)[3]
|
||||
apply (clarsimp simp: ut_revocable'_def)
|
||||
apply (drule map_to_ctes_kh0H_SomeD)
|
||||
apply (elim disjE, simp_all add: isCap_simps kh0H_all_obj_def')[1]
|
||||
apply ((clarsimp split: split_if_asm)+)[3]
|
||||
apply ((clarsimp split: if_split_asm)+)[3]
|
||||
apply (clarsimp simp: class_links_def)
|
||||
apply (subst(asm) mdb_next_s0H)
|
||||
apply (drule_tac x=p' in map_to_ctes_kh0H_SomeD)
|
||||
|
@ -2778,15 +2778,15 @@ lemma s0H_valid_pspace':
|
|||
apply (clarsimp simp: distinct_zombies_def distinct_zombie_caps_def)
|
||||
apply (drule_tac x=ptr in map_to_ctes_kh0H_SomeD)
|
||||
apply (elim disjE, simp_all add: isCap_simps kh0H_all_obj_def')[1]
|
||||
apply ((clarsimp split: split_if_asm)+)[3]
|
||||
apply ((clarsimp split: if_split_asm)+)[3]
|
||||
apply (clarsimp simp: irq_control_def)
|
||||
apply (drule map_to_ctes_kh0H_SomeD)
|
||||
apply (elim disjE, simp_all add: isCap_simps kh0H_all_obj_def')[1]
|
||||
apply ((clarsimp split: split_if_asm)+)[3]
|
||||
apply ((clarsimp split: if_split_asm)+)[3]
|
||||
apply (clarsimp simp: reply_masters_rvk_fb_def ran_def)
|
||||
apply (frule map_to_ctes_kh0H_SomeD)
|
||||
apply (elim disjE, simp_all add: isCap_simps kh0H_all_obj_def')[1]
|
||||
apply ((clarsimp split: split_if_asm)+)[3]
|
||||
apply ((clarsimp split: if_split_asm)+)[3]
|
||||
done
|
||||
|
||||
end
|
||||
|
@ -2837,9 +2837,9 @@ lemma s0H_invs:
|
|||
apply (erule notE, rule pspace_distinctD''[OF _ s0H_pspace_distinct'])
|
||||
apply (simp add: objBitsKO_def)
|
||||
apply (clarsimp simp: irq_cte_def)
|
||||
apply (clarsimp simp: Low_cte_def Low_cte'_def split: split_if_asm)
|
||||
apply (clarsimp simp: High_cte_def High_cte'_def split: split_if_asm)
|
||||
apply (clarsimp simp: Silc_cte_def Silc_cte'_def split: split_if_asm)
|
||||
apply (clarsimp simp: Low_cte_def Low_cte'_def split: if_split_asm)
|
||||
apply (clarsimp simp: High_cte_def High_cte'_def split: if_split_asm)
|
||||
apply (clarsimp simp: Silc_cte_def Silc_cte'_def split: if_split_asm)
|
||||
apply (clarsimp simp: global_pdH'_def)
|
||||
apply (clarsimp simp: High_pdH_def)
|
||||
apply (clarsimp simp: Low_pdH_def)
|
||||
|
@ -2858,7 +2858,7 @@ lemma s0H_invs:
|
|||
apply (clarsimp simp: ex_nonz_cap_to'_def cte_wp_at_ctes_of)
|
||||
apply (rule_tac x="Silc_cnode_ptr + 0x13E0" in exI)
|
||||
apply (clarsimp simp: kh0H_all_obj_def')
|
||||
apply (clarsimp split: split_if_asm)+
|
||||
apply (clarsimp split: if_split_asm)+
|
||||
apply (rule conjI)
|
||||
apply (clarsimp simp: if_unsafe_then_cap'_def ex_cte_cap_wp_to'_def cte_wp_at_ctes_of)
|
||||
apply (frule map_to_ctes_kh0H_SomeD)
|
||||
|
@ -2876,7 +2876,7 @@ lemma s0H_invs:
|
|||
apply (rule_tac x="High_cnode_ptr + 0x10" in exI)
|
||||
apply (clarsimp simp: kh0H_all_obj_def' image_def)
|
||||
apply (rule_tac x="Silc_cnode_ptr + 0x20" in exI)
|
||||
apply (clarsimp simp: kh0H_all_obj_def' image_def to_bl_use_of_bl cte_level_bits_def the_nat_to_bl_simps split: split_if_asm)
|
||||
apply (clarsimp simp: kh0H_all_obj_def' image_def to_bl_use_of_bl cte_level_bits_def the_nat_to_bl_simps split: if_split_asm)
|
||||
apply (drule(2) ucast_shiftr_13E, rule s0_ptrs_aligned, simp)
|
||||
apply (rule_tac x="0x13E" in bexI)
|
||||
apply simp
|
||||
|
@ -2886,7 +2886,7 @@ lemma s0H_invs:
|
|||
apply simp
|
||||
apply simp
|
||||
apply (rule_tac x="High_cnode_ptr + 0x20" in exI)
|
||||
apply (clarsimp simp: kh0H_all_obj_def' image_def to_bl_use_of_bl cte_level_bits_def the_nat_to_bl_simps split: split_if_asm)
|
||||
apply (clarsimp simp: kh0H_all_obj_def' image_def to_bl_use_of_bl cte_level_bits_def the_nat_to_bl_simps split: if_split_asm)
|
||||
apply (drule(2) ucast_shiftr_13E, rule s0_ptrs_aligned, simp)
|
||||
apply (rule_tac x="0x13E" in bexI)
|
||||
apply simp
|
||||
|
@ -2904,7 +2904,7 @@ lemma s0H_invs:
|
|||
apply simp
|
||||
apply simp
|
||||
apply (rule_tac x="Low_cnode_ptr + 0x20" in exI)
|
||||
apply (clarsimp simp: kh0H_all_obj_def' image_def to_bl_use_of_bl cte_level_bits_def the_nat_to_bl_simps split: split_if_asm)
|
||||
apply (clarsimp simp: kh0H_all_obj_def' image_def to_bl_use_of_bl cte_level_bits_def the_nat_to_bl_simps split: if_split_asm)
|
||||
apply (drule(2) ucast_shiftr_13E, rule s0_ptrs_aligned, simp)
|
||||
apply (rule_tac x="0x13E" in bexI)
|
||||
apply simp
|
||||
|
@ -2964,7 +2964,7 @@ lemma s0H_invs:
|
|||
apply (clarsimp simp: valid_irq_handlers'_def cteCaps_of_def ran_def)
|
||||
apply (drule_tac map_to_ctes_kh0H_SomeD)
|
||||
apply (elim disjE, simp_all add: kh0H_all_obj_def')[1]
|
||||
apply ((clarsimp split: split_if_asm)+)[3]
|
||||
apply ((clarsimp split: if_split_asm)+)[3]
|
||||
apply (rule conjI)
|
||||
apply (clarsimp simp: valid_irq_states'_def s0H_internal_def machine_state0_def)
|
||||
apply (rule conjI)
|
||||
|
@ -2989,7 +2989,7 @@ lemma s0H_invs:
|
|||
apply (clarsimp simp: valid_pde_mappings'_def obj_at'_def projectKO_eq project_inject)
|
||||
apply (drule kh0H_SomeD)
|
||||
apply (elim disjE, simp_all add: kh0H_all_obj_def High_pd'H_def Low_pd'H_def)[1]
|
||||
apply (clarsimp split: split_if_asm)+
|
||||
apply (clarsimp split: if_split_asm)+
|
||||
apply (clarsimp simp: objBitsKO_def archObjSize_def valid_pde_mapping_offset'_def pd_asid_slot_def pdBits_def pageBits_def)
|
||||
apply (cut_tac x="x - init_global_pd >> 2" and n=12 and 'a=12 in ucast_mask_drop)
|
||||
apply simp
|
||||
|
@ -2999,7 +2999,7 @@ lemma s0H_invs:
|
|||
apply (subst(asm) is_aligned_mask[where w="init_global_pd", THEN iffD1])
|
||||
apply (simp add: s0_ptrs_aligned)
|
||||
apply (simp add: kernel_base_def)
|
||||
apply (clarsimp simp: objBitsKO_def archObjSize_def valid_pde_mapping_offset'_def pd_asid_slot_def pdBits_def pageBits_def split: split_if_asm)
|
||||
apply (clarsimp simp: objBitsKO_def archObjSize_def valid_pde_mapping_offset'_def pd_asid_slot_def pdBits_def pageBits_def split: if_split_asm)
|
||||
apply (cut_tac x="x - High_pd_ptr >> 2" and n=12 and 'a=12 in ucast_mask_drop)
|
||||
apply simp
|
||||
apply (subst(asm) shiftr_then_mask_commute)
|
||||
|
@ -3016,7 +3016,7 @@ lemma s0H_invs:
|
|||
apply (subst(asm) is_aligned_mask[where w="High_pd_ptr", THEN iffD1])
|
||||
apply (simp add: s0_ptrs_aligned)
|
||||
apply (simp add: kernel_base_def)
|
||||
apply (clarsimp simp: objBitsKO_def archObjSize_def valid_pde_mapping_offset'_def pd_asid_slot_def pdBits_def pageBits_def split: split_if_asm)
|
||||
apply (clarsimp simp: objBitsKO_def archObjSize_def valid_pde_mapping_offset'_def pd_asid_slot_def pdBits_def pageBits_def split: if_split_asm)
|
||||
apply (cut_tac x="x - Low_pd_ptr >> 2" and n=12 and 'a=12 in ucast_mask_drop)
|
||||
apply simp
|
||||
apply (subst(asm) shiftr_then_mask_commute)
|
||||
|
@ -3033,8 +3033,8 @@ lemma s0H_invs:
|
|||
apply (subst(asm) is_aligned_mask[where w="Low_pd_ptr", THEN iffD1])
|
||||
apply (simp add: s0_ptrs_aligned)
|
||||
apply (simp add: kernel_base_def)
|
||||
apply (clarsimp split: split_if_asm)
|
||||
apply (clarsimp split: split_if_asm)
|
||||
apply (clarsimp split: if_split_asm)
|
||||
apply (clarsimp split: if_split_asm)
|
||||
apply (rule conjI)
|
||||
apply (clarsimp simp: kdr_pspace_domain_valid) (* use axiomatization for now *)
|
||||
(* unfold s0H_internal for remaining goals *)
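Review bot: The `kdr_pspace_domain_valid` step near the end of this hunk is still closed by what the existing comment calls an axiomatization (`(* use axiomatization for now *)`), so after the rename the invariant `s0H_invs` presumably continues to rest on an unproven assumption rather than a discharged lemma. This is not introduced by the commit, but a mechanical rename pass is a good moment to make the dependency explicit, since a reader of the renamed proof cannot tell from the script which obligations are actually proved. I would expand the comment to name the assumption and where it is meant to be discharged, e.g. `(* kdr_pspace_domain_valid is currently assumed, not proved: s0H_invs is only as strong as that assumption; tracked in <TRACKING-ID> *)`. The enclosing lemma s0H_invs starts before this hunk and ends after it.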
|
||||
|
@ -3062,7 +3062,7 @@ lemma kh0_pspace_dom:
|
|||
apply (rule equalityI)
|
||||
apply (simp add: dom_def pspace_dom_def)
|
||||
apply clarsimp
|
||||
apply (clarsimp simp: kh0_def obj_relation_cuts_def pd_offs_in_range pt_offs_in_range cnode_offs_in_range irq_node_offs_in_range s0_ptrs_aligned pageBits_def kh0_obj_def cte_map_def caps_dom_length_10 split: split_if_asm)
|
||||
apply (clarsimp simp: kh0_def obj_relation_cuts_def pd_offs_in_range pt_offs_in_range cnode_offs_in_range irq_node_offs_in_range s0_ptrs_aligned pageBits_def kh0_obj_def cte_map_def caps_dom_length_10 split: if_split_asm)
|
||||
apply (clarsimp simp: pspace_dom_def dom_def)
|
||||
apply (rule conjI)
|
||||
apply (rule_tac x=init_globals_frame in exI)
|
||||
|
@ -3194,45 +3194,45 @@ lemma s0_pspace_rel:
|
|||
apply (drule kh0_SomeD)
|
||||
apply (elim disjE)
|
||||
apply (clarsimp simp: pageBits_def)
|
||||
apply (clarsimp simp: kh0H_obj_def split del: split_if)
|
||||
apply (clarsimp simp: kh0H_obj_def split del: if_split)
|
||||
apply (cut_tac x=ya in pd_offs_in_range(3))
|
||||
apply (clarsimp simp: pd_offs_range_def pde_relation_def pde_relation_aligned_def)
|
||||
apply (clarsimp simp: kh0H_all_obj_def kh0_obj_def other_obj_relation_def
|
||||
tcb_relation_def arch_tcb_relation_def fault_rel_optionation_def
|
||||
word_bits_def the_nat_to_bl_simps)+
|
||||
apply (clarsimp simp: kh0H_obj_def High_pt_def High_pt'H_def High_pt'_def split del: split_if)
|
||||
apply (clarsimp simp: kh0H_obj_def High_pt_def High_pt'H_def High_pt'_def split del: if_split)
|
||||
apply (cut_tac x=ya in pt_offs_in_range(2))
|
||||
apply (clarsimp simp: pt_offs_range_def pte_relation_def pte_relation_aligned_def pte_relation'_def)
|
||||
apply (clarsimp simp: kh0H_obj_def Low_pt_def Low_pt'H_def Low_pt'_def split del: split_if)
|
||||
apply (clarsimp simp: kh0H_obj_def Low_pt_def Low_pt'H_def Low_pt'_def split del: if_split)
|
||||
apply (cut_tac x=ya in pt_offs_in_range(1))
|
||||
apply (clarsimp simp: pt_offs_range_def pte_relation_def pte_relation_aligned_def pte_relation'_def)
|
||||
apply (clarsimp simp: kh0H_obj_def High_pd_def High_pd'H_def High_pd'_def split del: split_if)
|
||||
apply (clarsimp simp: kh0H_obj_def High_pd_def High_pd'H_def High_pd'_def split del: if_split)
|
||||
apply (cut_tac x=ya in pd_offs_in_range(2))
|
||||
apply (clarsimp simp: pd_offs_range_def pde_relation_def pde_relation_aligned_def pde_relation'_def)
|
||||
apply (clarsimp simp: kh0H_obj_def Low_pd_def Low_pd'H_def Low_pd'_def split del: split_if)
|
||||
apply (clarsimp simp: kh0H_obj_def Low_pd_def Low_pd'H_def Low_pd'_def split del: if_split)
|
||||
apply (cut_tac x=ya in pd_offs_in_range(1))
|
||||
apply (clarsimp simp: pd_offs_range_def pde_relation_def pde_relation_aligned_def pde_relation'_def)
|
||||
apply (clarsimp simp: kh0H_obj_def irq_cnode_def cte_map_def cte_relation_def well_formed_cnode_n_def split: split_if_asm)
|
||||
apply (clarsimp simp: kh0H_obj_def irq_cnode_def cte_map_def cte_relation_def well_formed_cnode_n_def split: if_split_asm)
|
||||
apply (clarsimp simp: kh0H_obj_def kh0_obj_def other_obj_relation_def ntfn_relation_def)
|
||||
apply (clarsimp simp: kh0H_obj_def kh0_obj_def cte_relation_def cte_map_def)
|
||||
apply (cut_tac dom_caps(1))[1]
|
||||
apply (frule_tac m="Silc_caps" in domI)
|
||||
apply (cut_tac x=ya in cnode_offs_in_range(3))
|
||||
apply simp
|
||||
apply (clarsimp simp: cnode_offs_range_def Silc_cte_def Silc_cte'_def Silc_capsH_def the_nat_to_bl_simps Silc_caps_def cte_level_bits_def empty_cte_def split: split_if_asm)
|
||||
apply (clarsimp simp: cnode_offs_range_def Silc_cte_def Silc_cte'_def Silc_capsH_def the_nat_to_bl_simps Silc_caps_def cte_level_bits_def empty_cte_def split: if_split_asm)
|
||||
apply (clarsimp simp: kh0H_obj_def kh0_obj_def cte_relation_def cte_map_def)
|
||||
apply (cut_tac dom_caps(2))[1]
|
||||
apply (frule_tac m="High_caps" in domI)
|
||||
apply (cut_tac x=ya in cnode_offs_in_range(2))
|
||||
apply simp
|
||||
apply (clarsimp simp: cnode_offs_range_def High_cte_def High_cte'_def High_capsH_def the_nat_to_bl_simps High_caps_def cte_level_bits_def empty_cte_def split: split_if_asm)
|
||||
apply (clarsimp simp: cnode_offs_range_def High_cte_def High_cte'_def High_capsH_def the_nat_to_bl_simps High_caps_def cte_level_bits_def empty_cte_def split: if_split_asm)
|
||||
apply (clarsimp simp: kh0H_obj_def kh0_obj_def cte_relation_def cte_map_def)
|
||||
apply (cut_tac dom_caps(3))[1]
|
||||
apply (frule_tac m="Low_caps" in domI)
|
||||
apply (cut_tac x=ya in cnode_offs_in_range(1))
|
||||
apply simp
|
||||
apply (clarsimp simp: cnode_offs_range_def Low_cte_def Low_cte'_def Low_capsH_def the_nat_to_bl_simps Low_caps_def cte_level_bits_def empty_cte_def split: split_if_asm)
|
||||
apply (clarsimp simp: kh0H_obj_def irq_cnode_def cte_map_def cte_relation_def well_formed_cnode_n_def empty_cte_def dom_def split: split_if_asm)
|
||||
apply (clarsimp simp: cnode_offs_range_def Low_cte_def Low_cte'_def Low_capsH_def the_nat_to_bl_simps Low_caps_def cte_level_bits_def empty_cte_def split: if_split_asm)
|
||||
apply (clarsimp simp: kh0H_obj_def irq_cnode_def cte_map_def cte_relation_def well_formed_cnode_n_def empty_cte_def dom_def split: if_split_asm)
|
||||
apply (drule irq_node_offs_range_correct)
|
||||
apply clarsimp
|
||||
done
|
||||
|
@ -3247,8 +3247,8 @@ lemma s0_srel: "(s0_internal, s0H_internal) \<in> state_relation"
|
|||
apply (simp add: s0_pspace_rel)
|
||||
apply (clarsimp simp: ekheap_relation_def)
|
||||
apply (case_tac "ksPSpace s0H_internal x")
|
||||
apply (clarsimp simp: s0_internal_def s0H_internal_def exst0_def kh0H_def option_update_range_def split: split_if_asm option.splits)
|
||||
apply (clarsimp simp: s0_internal_def s0H_internal_def exst0_def etcb_relation_def idle_tcbH_def High_tcbH_def High_etcb_def Low_tcbH_def Low_etcb_def default_etcb_def split: split_if_asm)
|
||||
apply (clarsimp simp: s0_internal_def s0H_internal_def exst0_def kh0H_def option_update_range_def split: if_split_asm option.splits)
|
||||
apply (clarsimp simp: s0_internal_def s0H_internal_def exst0_def etcb_relation_def idle_tcbH_def High_tcbH_def High_etcb_def Low_tcbH_def Low_etcb_def default_etcb_def split: if_split_asm)
|
||||
apply (simp add: s0_internal_def exst0_def s0H_internal_def sched_act_relation_def)
|
||||
apply (simp add: s0_internal_def exst0_def s0H_internal_def ready_queues_relation_def)
|
||||
apply (clarsimp simp: s0_internal_def exst0_def s0H_internal_def ghost_relation_def)
|
||||
|
@ -3330,11 +3330,11 @@ lemma s0_srel: "(s0_internal, s0H_internal) \<in> state_relation"
|
|||
apply (simp add: finite_depth_def)
|
||||
apply simp
|
||||
apply (clarsimp simp: revokable_relation_def)
|
||||
apply (clarsimp simp: null_filter_def split: split_if_asm)
|
||||
apply (clarsimp simp: null_filter_def split: if_split_asm)
|
||||
apply (drule s0_caps_of_state)
|
||||
apply clarsimp
|
||||
apply (elim disjE)
|
||||
apply (clarsimp simp: cte_map_def s0H_internal_def s0_internal_def kh0H_all_obj_def' cte_level_bits_def split: split_if_asm)+
|
||||
apply (clarsimp simp: cte_map_def s0H_internal_def s0_internal_def kh0H_all_obj_def' cte_level_bits_def split: if_split_asm)+
|
||||
apply (clarsimp simp: tcb_cnode_index_def ucast_bl[symmetric] Low_tcb_cte_def Low_tcbH_def High_tcb_cte_def High_tcbH_def)
|
||||
apply ((clarsimp simp: cte_map_def s0H_internal_def s0_internal_def,
|
||||
clarsimp simp: tcb_cnode_index_def ucast_bl[symmetric] Low_tcb_cte_def Low_tcbH_def High_tcb_cte_def High_tcbH_def)+)[5]
|
||||
|
@ -3352,9 +3352,9 @@ lemma step_restrict_s0:
|
|||
apply (rule_tac x="fst (fst s0H)" in exI)
|
||||
apply (rule_tac x="snd (fst s0H)" in exI)
|
||||
apply (rule_tac x="snd s0H" in exI)
|
||||
apply (simp add: s0H_def lift_fst_rel_def lift_snd_rel_def s0_srel s0_def split del: split_if)
|
||||
apply (simp add: s0H_def lift_fst_rel_def lift_snd_rel_def s0_srel s0_def split del: if_split)
|
||||
apply (rule conjI)
|
||||
apply (clarsimp split: split_if_asm)
|
||||
apply (clarsimp split: if_split_asm)
|
||||
apply (rule conjI)
|
||||
apply clarsimp
|
||||
apply (drule ct_idle'_related[OF s0_srel s0H_invs])
|
||||
|
@ -3372,14 +3372,14 @@ lemma step_restrict_s0:
|
|||
apply (clarsimp simp: vs_valid_duplicates'_def split: option.splits)
|
||||
apply (frule kh0H_SomeD)
|
||||
apply (elim disjE, simp_all add: vs_ptr_align_def kh0H_all_obj_def')[1]
|
||||
apply (clarsimp simp: the_nat_to_bl_simps split: split_if_asm)
|
||||
apply (clarsimp simp: the_nat_to_bl_simps split: split_if_asm)
|
||||
apply (clarsimp simp: the_nat_to_bl_simps split: split_if_asm)
|
||||
apply (clarsimp split: split_if_asm)
|
||||
apply (clarsimp simp: High_pd'H_def split: split_if_asm)
|
||||
apply (clarsimp simp: Low_pd'H_def split: split_if_asm)
|
||||
apply (clarsimp simp: High_pt'H_def split: split_if_asm)
|
||||
apply (clarsimp simp: Low_pt'H_def split: split_if_asm)
|
||||
apply (clarsimp simp: the_nat_to_bl_simps split: if_split_asm)
|
||||
apply (clarsimp simp: the_nat_to_bl_simps split: if_split_asm)
|
||||
apply (clarsimp simp: the_nat_to_bl_simps split: if_split_asm)
|
||||
apply (clarsimp split: if_split_asm)
|
||||
apply (clarsimp simp: High_pd'H_def split: if_split_asm)
|
||||
apply (clarsimp simp: Low_pd'H_def split: if_split_asm)
|
||||
apply (clarsimp simp: High_pt'H_def split: if_split_asm)
|
||||
apply (clarsimp simp: Low_pt'H_def split: if_split_asm)
|
||||
apply (clarsimp simp: ct_in_state'_def st_tcb_at'_def obj_at'_def projectKO_eq project_inject s0H_internal_def objBitsKO_def s0_ptrs_aligned Low_tcbH_def)
|
||||
apply (rule pspace_distinctD''[OF _ s0H_pspace_distinct', simplified s0H_internal_def])
|
||||
apply (simp add: objBitsKO_def kh0H_simps[simplified cte_level_bits_def])
|
||||
|
|
|
@ -696,7 +696,7 @@ lemma weak_derived_overlaps':
|
|||
apply(erule disjE)
|
||||
prefer 2
|
||||
apply simp
|
||||
apply(simp add: copy_of_def split: split_if_asm add: same_object_as_def split: cap.splits)
|
||||
apply(simp add: copy_of_def split: if_split_asm add: same_object_as_def split: cap.splits)
|
||||
apply((case_tac cap; simp)+)[5]
|
||||
subgoal for arch1 arch2 by (cases arch1; cases arch2; simp)
|
||||
done
|
||||
|
@ -797,7 +797,7 @@ lemma cap_swap_silc_inv:
|
|||
apply(rule hoare_gen_asm)
|
||||
unfolding cap_swap_def
|
||||
apply(rule hoare_pre)
|
||||
apply (wp set_cap_silc_inv hoare_vcg_ex_lift set_cap_slots_holding_overlapping_caps_other[where aag=aag] set_cdt_silc_inv static_imp_wp | simp split del: split_if)+
|
||||
apply (wp set_cap_silc_inv hoare_vcg_ex_lift set_cap_slots_holding_overlapping_caps_other[where aag=aag] set_cdt_silc_inv static_imp_wp | simp split del: if_split)+
|
||||
apply(rule conjI)
|
||||
apply(rule impI, elim conjE)
|
||||
apply(drule weak_derived_overlaps)
|
||||
|
@ -1035,7 +1035,7 @@ lemma set_thread_state_silc_inv[wp]:
|
|||
\<lbrace>\<lambda>_. silc_inv aag st\<rbrace>"
|
||||
unfolding set_thread_state_def
|
||||
apply(rule silc_inv_pres)
|
||||
apply(wp set_object_wp|simp split del: split_if)+
|
||||
apply(wp set_object_wp|simp split del: if_split)+
|
||||
apply (simp split: kernel_object.splits)
|
||||
apply(rule impI | simp)+
|
||||
apply(fastforce simp: silc_inv_def dest: get_tcb_SomeD simp: obj_at_def is_cap_table_def)
|
||||
|
@ -1059,7 +1059,7 @@ lemma set_bound_notification_silc_inv[wp]:
|
|||
\<lbrace>\<lambda>_. silc_inv aag st\<rbrace>"
|
||||
unfolding set_bound_notification_def
|
||||
apply(rule silc_inv_pres)
|
||||
apply(wp set_object_wp|simp split del: split_if)+
|
||||
apply(wp set_object_wp|simp split del: if_split)+
|
||||
apply (simp split: kernel_object.splits)
|
||||
apply(rule impI | simp)+
|
||||
apply(fastforce simp: silc_inv_def dest: get_tcb_SomeD simp: obj_at_def is_cap_table_def)
|
||||
|
@ -1301,13 +1301,13 @@ crunch silc_inv[wp]: arch_finalise_cap "silc_inv aag st"
|
|||
lemma finalise_cap_silc_inv:
|
||||
"\<lbrace> silc_inv aag st and pas_refined aag and K (pas_cap_cur_auth aag cap)\<rbrace> finalise_cap cap final \<lbrace>\<lambda>_. silc_inv aag st\<rbrace>"
|
||||
apply(case_tac cap)
|
||||
apply(wp cancel_ipc_silc_inv | simp split del: split_if add: suspend_def| clarsimp)+
|
||||
apply(wp cancel_ipc_silc_inv | simp split del: if_split add: suspend_def| clarsimp)+
|
||||
apply(clarsimp simp: aag_cap_auth_Thread)
|
||||
apply(wp | simp split del: split_if | clarsimp split del: split_if)+
|
||||
apply(wp | simp split del: if_split | clarsimp split del: if_split)+
|
||||
apply(rule hoare_pre)
|
||||
apply (wp cap_delete_one_silc_inv | simp add: deleting_irq_handler_def)+
|
||||
apply (fastforce simp: aag_cap_auth_def cap_links_irq_def elim: aag_Control_into_owns_irq)
|
||||
apply(wp | simp split del: split_if)+
|
||||
apply(wp | simp split del: if_split)+
|
||||
done
|
||||
|
||||
|
||||
|
@ -1320,8 +1320,8 @@ lemma validE_validE_R':
|
|||
lemma finalise_cap_ret_subset_cap_irqs:
|
||||
"\<lbrace>\<lambda> s. (cap_irqs cap) = X\<rbrace> finalise_cap cap blah \<lbrace>\<lambda>rv s. (cap_irqs (fst rv)) \<subseteq> X\<rbrace>"
|
||||
apply(case_tac cap)
|
||||
apply(wp | simp add: o_def split del: split_if)+
|
||||
apply(simp split: split_if)
|
||||
apply(wp | simp add: o_def split del: if_split)+
|
||||
apply(simp split: if_split)
|
||||
apply(wp | simp add: o_def | safe)+
|
||||
apply(simp add: arch_finalise_cap_def)
|
||||
apply(rule hoare_pre)
|
||||
|
@ -1331,8 +1331,8 @@ lemma finalise_cap_ret_subset_cap_irqs:
|
|||
lemma finalise_cap_ret_subset_obj_refs:
|
||||
"\<lbrace>\<lambda> s. (Structures_A.obj_refs cap) = X\<rbrace> finalise_cap cap blah \<lbrace>\<lambda>rv s. (Structures_A.obj_refs (fst rv)) \<subseteq> X\<rbrace>"
|
||||
apply(case_tac cap)
|
||||
apply(wp | simp add: o_def split del: split_if)+
|
||||
apply(simp split: split_if)
|
||||
apply(wp | simp add: o_def split del: if_split)+
|
||||
apply(simp split: if_split)
|
||||
apply(wp | simp add: o_def | safe)+
|
||||
apply(simp add: arch_finalise_cap_def)
|
||||
apply(rule hoare_pre)
|
||||
|
@ -1433,7 +1433,7 @@ lemma arch_finalise_cap_ret:
|
|||
lemma finalise_cap_ret:
|
||||
"(rv, s') \<in> fst (finalise_cap cap final s) \<Longrightarrow> case (fst rv) of NullCap \<Rightarrow> True | Zombie ptr bits n \<Rightarrow> True | _ \<Rightarrow> False"
|
||||
apply(case_tac cap, simp_all add: return_def)
|
||||
apply(fastforce simp: liftM_def when_def bind_def return_def split: split_if_asm)+
|
||||
apply(fastforce simp: liftM_def when_def bind_def return_def split: if_split_asm)+
|
||||
apply(clarsimp simp: bind_def liftM_def return_def)
|
||||
apply(drule arch_finalise_cap_ret)
|
||||
apply(simp)
|
||||
|
@ -1705,17 +1705,17 @@ lemma rec_del_silc_inv':
|
|||
done
|
||||
next
|
||||
case (2 slot exposed s) show ?case
|
||||
apply(simp add: rec_del.simps split del: split_if)
|
||||
apply(simp add: rec_del.simps split del: if_split)
|
||||
apply(rule hoare_pre_spec_validE)
|
||||
apply(wp drop_spec_validE[OF returnOk_wp] drop_spec_validE[OF liftE_wp] set_cap_silc_inv
|
||||
"2.hyps"
|
||||
|simp add: split_def split del: split_if)+
|
||||
|simp add: split_def split del: if_split)+
|
||||
apply(rule drop_spec_validE, (wp preemption_point_inv'| simp)+)[1]
|
||||
apply simp
|
||||
apply(rule spec_valid_conj_liftE2)
|
||||
apply(wp validE_validE_R'[OF rec_del_pas_refined'[simplified]] "2.hyps"
|
||||
drop_spec_validE[OF liftE_wp] set_cap_silc_inv
|
||||
|simp add: without_preemption_def split del: split_if)+
|
||||
|simp add: without_preemption_def split del: if_split)+
|
||||
|
||||
(* where the action is *)
|
||||
apply(simp cong: conj_cong add: conj_comms)
|
||||
|
@ -2121,7 +2121,7 @@ lemma invoke_untyped_silc_inv:
|
|||
apply (rule hoare_pre)
|
||||
apply (wp set_cap_silc_inv_simple set_cap_cte_wp_at)
|
||||
apply (cases ui, clarsimp simp: cte_wp_at_caps_of_state is_cap_simps
|
||||
split del: split_if cong: if_cong)
|
||||
split del: if_split cong: if_cong)
|
||||
apply (clarsimp simp: authorised_untyped_inv_def)
|
||||
apply (wp reset_untyped_cap_silc_inv reset_untyped_cap_untyped_cap)
|
||||
apply simp
|
||||
|
@ -2274,10 +2274,10 @@ lemma set_mrs_silc_inv[wp]:
|
|||
\<lbrace>\<lambda>_. silc_inv aag st\<rbrace>"
|
||||
unfolding set_mrs_def
|
||||
apply(rule silc_inv_pres)
|
||||
apply(wp crunch_wps set_object_wp | wpc | simp add: crunch_simps split del: split_if)+
|
||||
apply(wp crunch_wps set_object_wp | wpc | simp add: crunch_simps split del: if_split)+
|
||||
apply (clarsimp)
|
||||
apply(fastforce simp: silc_inv_def dest: get_tcb_SomeD simp: obj_at_def is_cap_table_def)
|
||||
apply(wp crunch_wps set_object_wp | wpc | simp add: crunch_simps split del: split_if)+
|
||||
apply(wp crunch_wps set_object_wp | wpc | simp add: crunch_simps split del: if_split)+
|
||||
apply(case_tac "a = fst slot")
|
||||
apply(clarsimp split: kernel_object.splits cong: conj_cong)
|
||||
apply(erule notE)
|
||||
|
@ -2340,7 +2340,7 @@ lemma cap_insert_silc_inv':
|
|||
\<lbrace>\<lambda>_. silc_inv aag st\<rbrace>"
|
||||
unfolding cap_insert_def
|
||||
|
||||
apply (wp set_cap_silc_inv hoare_vcg_ex_lift set_untyped_cap_as_full_slots_holding_overlapping_caps_other[where aag=aag] get_cap_wp update_cdt_silc_inv set_cap_caps_of_state2 set_untyped_cap_as_full_cdt_is_original_cap static_imp_wp | simp split del: split_if)+
|
||||
apply (wp set_cap_silc_inv hoare_vcg_ex_lift set_untyped_cap_as_full_slots_holding_overlapping_caps_other[where aag=aag] get_cap_wp update_cdt_silc_inv set_cap_caps_of_state2 set_untyped_cap_as_full_cdt_is_original_cap static_imp_wp | simp split del: if_split)+
|
||||
apply (intro allI impI conjI)
|
||||
apply clarsimp
|
||||
apply(fastforce dest: silc_invD simp: intra_label_cap_def)
|
||||
|
@ -2512,7 +2512,7 @@ lemma cap_insert_silc_inv'':
|
|||
cap_insert cap src dest
|
||||
\<lbrace>\<lambda>_. silc_inv aag st\<rbrace>"
|
||||
unfolding cap_insert_def
|
||||
apply (wp set_cap_silc_inv hoare_vcg_ex_lift set_untyped_cap_as_full_slots_holding_overlapping_caps_other[where aag=aag] get_cap_wp update_cdt_silc_inv set_cap_caps_of_state2 set_untyped_cap_as_full_cdt_is_original_cap static_imp_wp | simp split del: split_if)+
|
||||
apply (wp set_cap_silc_inv hoare_vcg_ex_lift set_untyped_cap_as_full_slots_holding_overlapping_caps_other[where aag=aag] get_cap_wp update_cdt_silc_inv set_cap_caps_of_state2 set_untyped_cap_as_full_cdt_is_original_cap static_imp_wp | simp split del: if_split)+
|
||||
apply (intro impI conjI allI)
|
||||
apply clarsimp
|
||||
apply(fastforce simp: silc_inv_def)
|
||||
|
@ -2728,7 +2728,7 @@ lemma receive_ipc_base_silc_inv:
|
|||
apply (clarsimp simp: thread_get_def get_thread_state_def cong: endpoint.case_cong)
|
||||
apply (rule hoare_pre)
|
||||
apply (wp setup_caller_cap_silc_inv
|
||||
| wpc | simp split del: split_if)+
|
||||
| wpc | simp split del: if_split)+
|
||||
apply (rename_tac list tcb data)
|
||||
apply(rule_tac Q="\<lambda> r s. (sender_can_grant data \<longrightarrow> is_subject aag receiver \<and> is_subject aag (hd list)) \<and> silc_inv aag st s" in hoare_strengthen_post)
|
||||
apply(wp do_ipc_transfer_silc_inv hoare_vcg_all_lift | wpc | simp)+
|
||||
|
@ -2803,7 +2803,7 @@ lemma send_fault_ipc_silc_inv:
|
|||
apply(wp send_ipc_silc_inv thread_set_valid_objs thread_set_tcb_fault_update_valid_mdb
|
||||
thread_set_fault_pas_refined thread_set_refs_trivial thread_set_obj_at_impossible
|
||||
hoare_vcg_ex_lift
|
||||
| wpc| simp add: Let_def split_def lookup_cap_def valid_tcb_fault_update split del: split_if)+
|
||||
| wpc| simp add: Let_def split_def lookup_cap_def valid_tcb_fault_update split del: if_split)+
|
||||
apply(rule_tac Q="\<lambda> handler_cap s. silc_inv aag st s \<and>
|
||||
valid_objs s \<and> valid_mdb s \<and>
|
||||
pas_refined aag s \<and>
|
||||
|
@ -2930,7 +2930,7 @@ lemma invoke_tcb_silc_inv:
|
|||
apply(case_tac tinv)
|
||||
apply((wp restart_silc_inv hoare_vcg_if_lift suspend_silc_inv mapM_x_wp[OF _ subset_refl] static_imp_wp
|
||||
| wpc
|
||||
| simp split del: split_if add: authorised_tcb_inv_def check_cap_at_def
|
||||
| simp split del: if_split add: authorised_tcb_inv_def check_cap_at_def
|
||||
| clarsimp)+)[3]
|
||||
defer
|
||||
apply((wp suspend_silc_inv restart_silc_inv | simp add: authorised_tcb_inv_def)+)[2]
|
||||
|
@ -2992,10 +2992,10 @@ lemma handle_invocation_silc_inv:
|
|||
\<lbrace>\<lambda>_. silc_inv aag st\<rbrace>"
|
||||
apply (simp add: handle_invocation_def ts_Restart_case_helper split_def
|
||||
liftE_liftM_liftME liftME_def bindE_assoc
|
||||
split del: split_if)
|
||||
split del: if_split)
|
||||
apply(wp syscall_valid perform_invocation_silc_inv set_thread_state_runnable_valid_sched
|
||||
set_thread_state_pas_refined decode_invocation_authorised
|
||||
| simp split del: split_if)+
|
||||
| simp split del: if_split)+
|
||||
apply(rule_tac E="\<lambda>ft. silc_inv aag st and pas_refined aag and
|
||||
valid_objs and
|
||||
sym_refs \<circ> state_refs_of and
|
||||
|
|
|
@ -1384,7 +1384,7 @@ lemma reply_cancel_ipc_reads_respects_f:
|
|||
reads_respects_f[OF get_cap_rev, where st=st and aag=aag] assert_wp
|
||||
reads_respects_f[OF thread_set_reads_respects, where st=st and aag=aag ]
|
||||
reads_respects_f[OF gets_descendants_of_revrv[folded equiv_valid_def2]]
|
||||
| simp add: when_def split del: split_if | elim conjE)+
|
||||
| simp add: when_def split del: if_split | elim conjE)+
|
||||
apply(rule_tac Q="\<lambda> rv s. silc_inv aag st s \<and> invs s \<and> pas_refined aag s \<and> is_subject aag tptr \<and>
|
||||
(\<forall>x\<in>descendants_of (tptr, tcb_cnode_index 2) (cdt s).
|
||||
is_subject aag (fst x))" in hoare_strengthen_post)
|
||||
|
@ -1469,18 +1469,18 @@ lemma finalise_cap_reads_respects:
|
|||
and K (final \<longrightarrow> (case cap of EndpointCap r badge rights \<Rightarrow> is_subject aag r |
|
||||
NotificationCap r badge rights \<Rightarrow> is_subject aag r |
|
||||
_ \<Rightarrow> True))) (finalise_cap cap final)"
|
||||
apply(case_tac cap, simp_all split del: split_if)
|
||||
apply(case_tac cap, simp_all split del: if_split)
|
||||
apply ((wp cancel_all_ipc_reads_respects cancel_all_signals_reads_respects
|
||||
suspend_reads_respects_f[where st=st] deleting_irq_handler_reads_respects
|
||||
unbind_notification_is_subj_reads_respects
|
||||
unbind_maybe_notification_reads_respects
|
||||
unbind_notification_invs unbind_maybe_notification_invs
|
||||
| simp add: when_def split del: split_if
|
||||
| simp add: when_def split del: if_split
|
||||
add: invs_valid_objs invs_sym_refs aag_cap_auth_def
|
||||
cap_auth_conferred_def cap_rights_to_auth_def
|
||||
cap_links_irq_def aag_has_auth_to_Control_eq_owns
|
||||
| rule aag_Control_into_owns_irq
|
||||
| clarsimp split del: split_if
|
||||
| clarsimp split del: if_split
|
||||
| rule conjI
|
||||
| wp_once reads_respects_f[where st=st]
|
||||
| blast
|
||||
|
@ -1611,7 +1611,7 @@ next
|
|||
drop_spec_ev[OF preemption_point_reads_respects_f[where st=st and st'=st']]
|
||||
validE_validE_R'[OF rec_del_silc_inv] rec_del_invs rec_del_respects(2)
|
||||
rec_del_only_timer_irq_inv
|
||||
| simp add: split_def split del: split_if | (rule irq_state_independent_A_conjI, simp)+)+
|
||||
| simp add: split_def split del: if_split | (rule irq_state_independent_A_conjI, simp)+)+
|
||||
apply(rule_tac Q'="\<lambda>rv s. emptyable (slot_rdcall (ReduceZombieCall (fst rvb) slot exposed)) s \<and> (\<not> exposed \<longrightarrow>
|
||||
ex_cte_cap_wp_to (\<lambda>cp. cap_irqs cp = {}) slot s) \<and>
|
||||
is_subject aag (fst slot)" in hoare_post_imp_R)
|
||||
|
@ -1647,7 +1647,7 @@ next
|
|||
apply (clarsimp simp: cte_wp_at_caps_of_state)
|
||||
apply (erule disjE)
|
||||
apply (clarsimp simp: cap_irq_opt_def cte_wp_at_def is_zombie_def
|
||||
split: cap.split_asm split_if_asm
|
||||
split: cap.split_asm if_split_asm
|
||||
elim!: ranE dest!: caps_of_state_cteD)
|
||||
apply(clarsimp cong: conj_cong simp: conj_comms)
|
||||
apply(rename_tac word option nat)
|
||||
|
|
|
@ -93,12 +93,12 @@ lemma handle_interrupt_irq_masks:
|
|||
handle_interrupt irq
|
||||
\<lbrace>\<lambda>rv s. P (irq_masks_of_state s)\<rbrace>"
|
||||
apply (rule hoare_gen_asm)
|
||||
apply(simp add: handle_interrupt_def split del: split_if)
|
||||
apply(simp add: handle_interrupt_def split del: if_split)
|
||||
apply (rule hoare_pre)
|
||||
apply (rule hoare_if)
|
||||
apply simp
|
||||
apply( wp dmo_wp
|
||||
| simp add: ackInterrupt_def maskInterrupt_def when_def split del: split_if
|
||||
| simp add: ackInterrupt_def maskInterrupt_def when_def split del: if_split
|
||||
| wpc
|
||||
| simp add: get_irq_state_def handle_reserved_irq_def
|
||||
| wp_once hoare_drop_imp)+
|
||||
|
@ -124,10 +124,10 @@ lemma rec_del_irq_masks':
|
|||
done
|
||||
next
|
||||
case (2 slot exposed s) show ?case
|
||||
apply(simp add: rec_del.simps split del: split_if)
|
||||
apply(simp add: rec_del.simps split del: if_split)
|
||||
apply(rule hoare_pre_spec_validE)
|
||||
apply(wp drop_spec_validE[OF returnOk_wp] drop_spec_validE[OF liftE_wp] set_cap_domain_sep_inv
|
||||
|simp add: split_def split del: split_if)+
|
||||
|simp add: split_def split del: if_split)+
|
||||
apply(rule spec_strengthen_postE)
|
||||
apply(rule "2.hyps"[simplified], fastforce+)
|
||||
apply(rule drop_spec_validE, (wp preemption_point_inv | simp)+)[1]
|
||||
|
@ -137,7 +137,7 @@ lemma rec_del_irq_masks':
|
|||
apply(wp finalise_cap_domain_sep_inv_cap get_cap_wp
|
||||
finalise_cap_returns_None[where irqs=False, simplified]
|
||||
drop_spec_validE[OF liftE_wp] set_cap_domain_sep_inv
|
||||
|simp split del: split_if
|
||||
|simp split del: if_split
|
||||
|wp_once hoare_drop_imps)+
|
||||
apply(blast dest: cte_wp_at_domain_sep_inv_cap)
|
||||
done
|
||||
|
@ -217,7 +217,7 @@ lemma invoke_tcb_irq_masks:
|
|||
apply(case_tac tinv)
|
||||
apply((wp restart_irq_masks hoare_vcg_if_lift mapM_x_wp[OF _ subset_refl]
|
||||
| wpc
|
||||
| simp split del: split_if add: check_cap_at_def
|
||||
| simp split del: if_split add: check_cap_at_def
|
||||
| clarsimp)+)[3]
|
||||
defer
|
||||
apply((wp | simp )+)[2]
|
||||
|
@ -328,7 +328,7 @@ lemma invoke_cnode_irq_masks:
|
|||
\<lbrace>\<lambda>_ s. P (irq_masks_of_state s)\<rbrace>"
|
||||
unfolding invoke_cnode_def
|
||||
apply(case_tac ci)
|
||||
apply(wp cap_insert_irq_masks cap_move_irq_masks cap_revoke_irq_masks[where st=st] cap_delete_irq_masks[where st=st] | simp split del: split_if)+
|
||||
apply(wp cap_insert_irq_masks cap_move_irq_masks cap_revoke_irq_masks[where st=st] cap_delete_irq_masks[where st=st] | simp split del: if_split)+
|
||||
apply(rule hoare_pre)
|
||||
by(wp hoare_vcg_all_lift | simp | wpc | wp_once hoare_drop_imps | rule hoare_pre)+
|
||||
|
||||
|
@ -365,13 +365,13 @@ lemma decode_invocation_IRQHandlerCap:
|
|||
(\<exists>a b. cte_wp_at
|
||||
(op = (IRQHandlerCap (irq_of_handler_inv x)))
|
||||
(a, b) s))\<rbrace>,-"
|
||||
apply(simp add: decode_invocation_def split del: split_if)
|
||||
apply(simp add: decode_invocation_def split del: if_split)
|
||||
apply(rule hoare_pre)
|
||||
apply (wp | wpc | simp add: o_def)+
|
||||
apply (rule hoare_post_imp_R[where Q'="\<top>\<top>"])
|
||||
apply wp
|
||||
apply (clarsimp simp: uncurry_def)
|
||||
apply(wp | wpc | simp add: decode_irq_handler_invocation_def o_def split del: split_if)+
|
||||
apply(wp | wpc | simp add: decode_irq_handler_invocation_def o_def split del: if_split)+
|
||||
apply (safe | rule TrueI | simp add: op_equal | rule exI[where x="fst slot"], rule exI[where x="snd slot"])+
|
||||
done
|
||||
|
||||
|
@ -381,9 +381,9 @@ lemma handle_invocation_irq_masks:
|
|||
\<lbrace> \<lambda> rv s. P (irq_masks_of_state s) \<rbrace>"
|
||||
apply (simp add: handle_invocation_def ts_Restart_case_helper split_def
|
||||
liftE_liftM_liftME liftME_def bindE_assoc
|
||||
split del: split_if)
|
||||
split del: if_split)
|
||||
apply(wp static_imp_wp syscall_valid perform_invocation_irq_masks[where st=st] hoare_vcg_all_lift hoare_vcg_ex_lift decode_invocation_IRQHandlerCap
|
||||
| simp split del: split_if)+
|
||||
| simp split del: if_split)+
|
||||
apply(simp add: invs_valid_objs)
|
||||
done
|
||||
|
||||
|
|