isabelle2021-1: remove no_take_bit

Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
Gerwin Klein 2022-02-13 18:01:23 +11:00 committed by Gerwin Klein
parent 6650ba5ce7
commit b29a3433ef
105 changed files with 17 additions and 345 deletions


@ -73,10 +73,6 @@ val dbg = ProveSimplToGraphGoals.new_debug
};
\<close>
context
includes no_take_bit
begin
(* If this fails, it can be debugged with the assistance of the
script in TestGraphRefine.thy *)
ML \<open>
@ -99,5 +95,3 @@ val _ = ProveSimplToGraphGoals.print dbg "successes:" #successes;
end
end
end
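Review bot: The `context includes no_take_bit begin` wrapper removed in the first hunk (`-73,10 +73,6`) needs its matching `end` removed as well, and the rendered second hunk (`-99,5 +95,3`) shows three `end` lines with no markers, so which of them was dropped is not visible here. The header counts are consistent with exactly one `end` plus a blank line going away, but that is an inference from counts alone; it is worth checking against the raw diff that the theory's `context`/`end` nesting stays balanced, since a surplus or missing `end` would make the file fail to process. The `ML \<open>` block opened at the end of the first hunk continues outside it.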


@ -1210,7 +1210,6 @@ lemma (in kernel_m) cDomScheduleIdx_to_H_correct:
assumes cstate_rel: "cstate_relation as cs"
assumes ms: "cstate_to_machine_H cs = observable_memory (ksMachineState as) (user_mem' as)"
shows "unat (ksDomScheduleIdx_' cs) = ksDomScheduleIdx as"
including no_take_bit
using assms
by (clarsimp simp: cstate_relation_def Let_def observable_memory_def valid_state'_def
newKernelState_def unat_of_nat_eq cdom_schedule_relation_def)


@ -884,7 +884,6 @@ lemma checkVPAlignment_spec:
"\<forall>s. \<Gamma>\<turnstile> \<lbrace>s. \<acute>sz < 4\<rbrace> Call checkVPAlignment_'proc
{t. ret__unsigned_long_' t = from_bool
(vmsz_aligned' (w_' s) (gen_framesize_to_H (sz_' s)))}"
including no_take_bit
apply (rule allI, rule conseqPre, vcg)
apply (clarsimp simp: mask_eq_iff_w2p word_size)
apply (rule conjI)
@ -1401,7 +1400,6 @@ lemma createSafeMappingEntries_PTE_ccorres:
lemma ptr_add_uint_of_nat [simp]:
"a +\<^sub>p uint (of_nat b :: word32) = a +\<^sub>p (int b)"
including no_take_bit
by (clarsimp simp: CTypesDefs.ptr_add_def)
declare int_unat[simp]
@ -2848,7 +2846,6 @@ lemma decodeARMPageDirectoryInvocation_ccorres:
(decodeARMMMUInvocation label args cptr slot cp extraCaps
>>= invocationCatch thread isBlocking isCall InvokeArchObject)
(Call decodeARMPageDirectoryInvocation_'proc)"
including no_take_bit
apply (clarsimp simp only: isCap_simps)
apply (cinit' lift: invLabel_' length___unsigned_long_' cte_' current_extra_caps_' cap_' buffer_'
simp: decodeARMMMUInvocation_def invocation_eq_use_types)


@ -1788,7 +1788,6 @@ lemma untypedZeroRange_idx_forward_helper:
\<Longrightarrow> (case (untypedZeroRange cap, untypedZeroRange (capFreeIndex_update (\<lambda>_. idx) cap))
of (Some (a, b), Some (a', b')) \<Rightarrow> {a' ..+ unat (b' + 1 - a')} \<subseteq> {a ..+ unat (b + 1 - a)}
| _ \<Rightarrow> True)"
including no_take_bit
apply (clarsimp split: option.split)
apply (clarsimp simp: untypedZeroRange_def max_free_index_def Let_def
isCap_simps valid_cap_simps' capAligned_def untypedBits_defs
@ -1831,7 +1830,6 @@ lemma untypedZeroRange_idx_backward_helper:
of Some (a, b) \<Rightarrow> {a ..+ unat (b + 1 - a)}
| None \<Rightarrow> {})
)"
including no_take_bit
apply (clarsimp split: option.split, intro impI conjI allI)
apply (rule intvl_both_le; clarsimp simp: untypedZeroRange_def
max_free_index_def Let_def
@ -2940,7 +2938,6 @@ lemma sameRegionAs_spec:
capAligned capb \<and> (\<exists>s. s \<turnstile>' capa)\<rbrace>
Call sameRegionAs_'proc
\<lbrace> \<acute>ret__unsigned_long = from_bool (sameRegionAs capa capb) \<rbrace>"
including no_take_bit
apply vcg
apply clarsimp
apply (simp add: sameRegionAs_def isArchCap_tag_def2)


@ -332,7 +332,6 @@ lemma ccorres_cutMon_locateSlotCap_Zombie:
{s. array_assertion (cte_Ptr (capZombiePtr cap)) (capZombieNumber cap - 1)
(hrs_htd (t_hrs_' (globals s))) \<longrightarrow> s \<in> Q'} hs
(cutMon ((=) s) (locateSlotCap cap n >>= a)) c"
including no_take_bit
apply (simp add: locateSlot_conv in_monad cutMon_walk_bind)
apply (rule ccorres_gen_asm)
apply (rule ccorres_guard_imp2)
@ -381,7 +380,6 @@ lemma reduceZombie_ccorres1:
(invs' and sch_act_simple and cte_wp_at' (\<lambda>cte. cteCap cte = cap) slot)
(UNIV \<inter> {s. slot_' s = Ptr slot} \<inter> {s. immediate_' s = from_bool expo}) []
(cutMon ((=) s) (reduceZombie cap slot expo)) (Call reduceZombie_'proc)"
including no_take_bit
apply (cinit' lift: slot_' immediate_')
apply (simp add: from_bool_0 del: Collect_const)
apply (rule_tac P="capZombieNumber cap < 2 ^ word_bits" in ccorres_gen_asm)


@ -371,7 +371,6 @@ proof -
ultimately show ?thesis
unfolding ctcb_ptr_to_tcb_ptr_def ctcb_offset_defs
including no_take_bit
apply -
apply (clarsimp simp: field_simps objBits_simps' size_of_def)
apply (drule intvlD)


@ -410,7 +410,6 @@ lemma lookup_fp_ccorres':
by (simp add: cap_get_tag_def cong: if_cong)
show ?case
including no_take_bit
supply if_cong[cong] option.case_cong[cong]
apply (cinitlift cap_' bits_')
apply (rename_tac cbits ccap)


@ -1026,7 +1026,6 @@ lemma deleteASIDPool_ccorres:
"ccorres dc xfdc (invs' and (\<lambda>_. base < 2 ^ 17 \<and> pool \<noteq> 0))
(UNIV \<inter> {s. asid_base_' s = base} \<inter> {s. pool_' s = Ptr pool}) []
(deleteASIDPool base pool) (Call deleteASIDPool_'proc)"
including no_take_bit
apply (rule ccorres_gen_asm)
apply (cinit lift: asid_base_' pool_' simp: whileAnno_def)
apply (rule ccorres_assert)


@ -191,7 +191,6 @@ lemma decodeDomainInvocation_ccorres:
apply clarsimp
apply (vcg exspec=getSyscallArg_modifies)
including no_take_bit
apply (clarsimp simp: valid_tcb_state'_def invs_valid_queues' invs_valid_objs'
invs_queues invs_sch_act_wf' ct_in_state'_def pred_tcb_at'
rf_sr_ksCurThread word_sle_def word_sless_def sysargs_rel_to_n
@ -1541,7 +1540,6 @@ lemma clearMemory_untyped_ccorres:
[]
(doMachineOp (clearMemory ptr (2 ^ sz))) (Call clearMemory_'proc)"
(is "ccorres dc xfdc ?P ?P' [] ?m ?c")
including no_take_bit
apply (rule ccorres_gen_asm)
apply (cinit' lift: bits_' ptr___ptr_to_unsigned_long_')
apply (rule_tac P="ptr \<noteq> 0 \<and> sz < word_bits"
@ -2255,7 +2253,6 @@ lemma invokeUntyped_Retype_ccorres:
(ptr + of_nat (shiftL (length destSlots)
(APIType_capBits newType us)))) >> 4"
using cover range_cover_sz'[OF cover]
including no_take_bit
apply (simp add: getFreeIndex_def shiftl_t2n
unat_of_nat_eq shiftL_nat)
apply (rule less_mask_eq)
@ -2273,7 +2270,6 @@ lemma invokeUntyped_Retype_ccorres:
(liftxf errstate id (K ()) ret__unsigned_long_') (\<lambda>s'. s' = s) ?P'
[] (invokeUntyped (Retype cref reset ptr_base ptr newType us destSlots isdev))
(Call invokeUntyped_Retype_'proc)"
including no_take_bit
apply (cinit lift: retypeBase_' srcSlot_' reset_' newType_'
userSize_' deviceMemory_' destCNode_' destOffset_' destLength_'
simp: when_def)
@ -2699,7 +2695,6 @@ lemma decodeUntypedInvocation_ccorres_helper:
liftE (stateAssert (valid_untyped_inv' uinv) []); returnOk uinv odE)
>>= invocationCatch thread isBlocking isCall InvokeUntyped)
(Call decodeUntypedInvocation_'proc)"
including no_take_bit
supply if_cong[cong] option.case_cong[cong]
apply (rule ccorres_name_pre)
apply (cinit' lift: invLabel_' length___unsigned_long_' cap_' slot_' current_extra_caps_' call_' buffer_'


@ -689,7 +689,6 @@ lemma cready_queues_index_to_C_def2:
"\<lbrakk> qdom \<le> maxDomain; prio \<le> maxPriority \<rbrakk>
\<Longrightarrow> cready_queues_index_to_C qdom prio
= unat (ucast qdom * of_nat numPriorities + ucast prio :: machine_word)"
including no_take_bit
using numPriorities_machine_word_safe
apply -
apply (frule (1) cready_queues_index_to_C_in_range[simplified maxDom_to_H maxPrio_to_H])
@ -788,7 +787,6 @@ lemma cbitmap_L1_relation_bit_set:
(Arrays.update (ksReadyQueuesL1Bitmap_' (globals x)) (unat d)
(ksReadyQueuesL1Bitmap_' (globals x).[unat d] || 2 ^ unat (p >> wordRadix)))
((ksReadyQueuesL1Bitmap \<sigma>)(d := ksReadyQueuesL1Bitmap \<sigma> d || 2 ^ prioToL1Index p))"
including no_take_bit
apply (unfold cbitmap_L1_relation_def)
apply (clarsimp simp: le_maxDomain_eq_less_numDomains word_le_nat_alt prioToL1Index_def
num_domains_index_updates)
@ -1989,7 +1987,6 @@ proof -
(* FIXME generalise *)
have word_clz_sint_upper[simp]:
"\<And>(w::machine_word). sint (of_nat (word_clz w) :: 32 signed word) \<le> 2147483679"
including no_take_bit
apply (subst sint_eq_uint)
apply (rule not_msb_from_less)
apply simp
@ -2026,7 +2023,6 @@ proof -
"\<And>(w::32 word). \<lbrakk> w \<noteq> 0 ; word_log2 w < l2BitmapSize \<rbrakk> \<Longrightarrow>
unat (of_nat l2BitmapSize - (1::32 word) - of_nat (word_log2 w))
= invertL1Index (word_log2 w)"
including no_take_bit
apply (subst unat_sub)
apply (clarsimp simp: l2BitmapSize_def')
apply (rule word_of_nat_le)
@ -2041,7 +2037,6 @@ proof -
include no_less_1_simps
show ?thesis
including no_take_bit
apply (cinit lift: dom_')
apply (clarsimp split del: if_split)
apply (rule ccorres_pre_getReadyQueuesL1Bitmap)
@ -2163,7 +2158,6 @@ lemma possibleSwitchTo_ccorres:
\<inter> UNIV) []
(possibleSwitchTo t )
(Call possibleSwitchTo_'proc)"
including no_take_bit
supply if_split [split del]
supply Collect_const [simp del]
supply dc_simp [simp del]


@ -819,7 +819,6 @@ lemma setMR_ccorres:
\<inter> {s. receiver_' s = tcb_ptr_to_ctcb_ptr thread}
\<inter> {s. receiveIPCBuffer_' s = option_to_ptr buf}) []
(setMR thread buf offset v) (Call setMR_'proc)"
including no_take_bit
apply (rule ccorres_gen_asm)
apply (cinit lift: offset_' reg_' receiver_' receiveIPCBuffer_')
apply (rule ccorres_cond2'[where R=\<top>])
@ -1094,7 +1093,6 @@ lemma copyMRs_register_loop_helper:
(CALL setRegister(tcb_ptr_to_ctcb_ptr receiver,
ucast (index msgRegistersC (unat \<acute>i)),
\<acute>ret__unsigned_long)))"
including no_take_bit
apply clarsimp
apply (rule ccorres_guard_imp)
apply ctac
@ -1325,7 +1323,6 @@ lemma copyMRsFault_ccorres_exception:
hs
(mapM_x (\<lambda>(x, y). setMR receiver recvBuffer x y) (zip [0..<120] msg))
(Call copyMRsFault_'proc)"
including no_take_bit
apply (unfold K_def)
apply (intro ccorres_gen_asm)
apply (cinit' lift: sender_' receiver_' receiveIPCBuffer_'
@ -2134,7 +2131,6 @@ lemma setExtraBadge_ccorres:
hs
(setExtraBadge buffer badge n)
(Call setExtraBadge_'proc)"
including no_take_bit
apply (rule ccorres_gen_asm)
apply (cinit lift: bufferPtr_' badge_' i_')
apply (unfold storeWordUser_def)
@ -2396,7 +2392,6 @@ proof (rule ccorres_gen_asm, induct caps arbitrary: n slots mi)
note if_split[split]
case Nil
thus ?case
including no_take_bit
apply (simp only: transferCapsToSlots.simps)
apply (rule ccorres_guard_imp2)
apply (rule ccorres_Guard_Seq ccorres_rhs_assoc)+
@ -2419,7 +2414,6 @@ next
let ?S="\<lbrace>\<acute>i=of_nat n \<and> mi=message_info_to_H \<acute>info\<rbrace>"
have n3: "n \<le> 3" using Cons.prems by simp
hence of_nat_n3[intro!]: "of_nat n \<le> (3 :: word32)"
including no_take_bit
by (simp add: word_le_nat_alt unat_of_nat)
have drop_n_foo: "\<And>xs n y ys. drop n xs = y # ys
\<Longrightarrow> \<exists>xs'. length xs' = n \<and> xs = xs' @ (y # ys)"
@ -2499,7 +2493,6 @@ next
note sle_positive[simp del]
from Cons.prems
show ?case
including no_take_bit
apply (clarsimp simp: Let_def word_sle_def[where b=5] split_def
cong: call_ignore_cong
simp del: Collect_const)
@ -3374,7 +3367,6 @@ lemma copyMRsFaultReply_ccorres_exception:
(Call copyMRsFaultReply_'proc)"
proof -
show ?thesis
including no_take_bit
apply (unfold K_def, rule ccorres_gen_asm)
apply (cinit' lift: sender_' receiver_'
id___anonymous_enum_'
@ -3484,7 +3476,6 @@ lemma copyMRsFaultReply_ccorres_syscall:
note symb_exec_r_fault = ccorres_symb_exec_r_known_rv_UNIV
[where xf'=ret__unsigned_' and R="?obj_at_ft" and R'=UNIV]
show ?thesis
including no_take_bit
apply (unfold K_def, rule ccorres_gen_asm)
apply (cinit' lift: sender_' receiver_'
id___anonymous_enum_'


@ -392,7 +392,6 @@ lemma clearMemory_PT_setObject_PTE_ccorres:
doMachineOp (cleanCacheRange_PoU ptr (ptr + 2 ^ ptBits - 1) pstart)
od)
(Call clearMemory_PT_'proc)"
including no_take_bit
apply (rule ccorres_gen_asm)+
apply (cinit' lift: ptr___ptr_to_unsigned_long_' bits_')
apply (rule ccorres_Guard_Seq)
@ -894,7 +893,6 @@ lemma updateFreeIndex_ccorres:
\<longrightarrow> region_actually_is_zero_bytes (capPtr cap' + of_nat idx') (capFreeIndex cap' - idx') s} hs
(updateFreeIndex srcSlot idx') c"
(is "_ \<Longrightarrow> ccorres dc xfdc (valid_objs' and ?cte_wp_at' and _ and _) ?P' hs ?a c")
including no_take_bit
apply (rule ccorres_gen_asm)
apply (simp add: updateFreeIndex_def getSlotCap_def updateCap_def)
apply (rule ccorres_guard_imp2)


@ -492,7 +492,6 @@ qed
lemma h_t_array_valid_retyp:
"0 < n \<Longrightarrow> n * size_of TYPE('a) < addr_card
\<Longrightarrow> h_t_array_valid (ptr_arr_retyps n p htd) (p :: ('a :: wf_type) ptr) n"
including no_take_bit
apply (clarsimp simp: ptr_arr_retyps_def h_t_array_valid_def
valid_footprint_def)
apply (simp add: htd_update_list_index intvlI mult.commute)
@ -1163,7 +1162,6 @@ lemma zero_ranges_ptr_retyps:
\<Longrightarrow> valid_objs' s
\<Longrightarrow> zero_ranges_are_zero (gsUntypedZeroRanges s)
(hrs_htd_update (ptr_retyps_gen n p arr) hrs)"
including no_take_bit
apply (clarsimp simp: zero_ranges_are_zero_def untyped_ranges_zero_inv_def
hrs_htd_update)
apply (drule(1) bspec, clarsimp)
@ -2012,7 +2010,6 @@ proof (intro impI allI)
= (pde_stored_asid \<circ>\<^sub>m cslift x)"
unfolding rf_sr_def
using cpsp empty
including no_take_bit
supply image_cong_simp [cong del]
apply (clarsimp simp: rl' cterl cte_C_size tag_disj_via_td_name foldr_upd_app_if [folded data_map_insert_def])
apply (simp add: ptr_retyp_to_array[simplified])
@ -2656,7 +2653,6 @@ qed
lemma tcb_ptr_orth_cte_ptrs':
"ptr_span (tcb_Ptr (regionBase + 0x100)) \<inter> ptr_span (Ptr regionBase :: (cte_C[5]) ptr) = {}"
including no_take_bit
apply (rule disjointI)
apply (clarsimp simp: ctcb_ptr_to_tcb_ptr_def size_td_array
intvl_def field_simps size_of_def ctcb_offset_def)
@ -2744,7 +2740,6 @@ proof -
"region_is_bytes' (ctcb_ptr_to_tcb_ptr p) (5 * size_of TYPE(cte_C))
(ptr_retyps_gen 1 p False (hrs_htd (t_hrs_' (globals x))))"
using al region_is_bytes_subset[OF empty] tcb_ptr_to_ctcb_ptr_in_range'
including no_take_bit
apply (simp add: objBits_simps kotcb_def)
apply (clarsimp simp: region_is_bytes'_def)
apply (subst(asm) ptr_retyps_gen_out)
@ -2775,7 +2770,6 @@ proof -
{k. k < 5}
then Some (from_bytes (replicate (size_of TYPE(cte_C)) 0)) else cslift x y)"
using cgp
including no_take_bit
apply (simp add: ptr_retyp_to_array[simplified] hrs_comm[symmetric])
apply (subst clift_ptr_retyps_gen_prev_memset_same[OF guard],
simp_all add: hrs_htd_update empty_smaller[simplified])
@ -3909,7 +3903,6 @@ lemma ghost_assertion_size_logic_no_unat:
\<Longrightarrow> (s, \<sigma>) \<in> rf_sr
\<Longrightarrow> gs_get_assn cap_get_capSizeBits_'proc (ghost'state_' (globals \<sigma>)) = 0 \<or>
of_nat sz \<le> gs_get_assn cap_get_capSizeBits_'proc (ghost'state_' (globals \<sigma>))"
including no_take_bit
apply (rule ghost_assertion_size_logic'[rotated])
apply (simp add: rf_sr_def)
apply (simp add: unat_of_nat)
@ -6671,7 +6664,6 @@ lemma offset_intvl_first_chunk_subsets_unat:
\<and> {p + (i << bits) ..+ 2 ^ bits}
\<inter> {p + ((i + 1) << bits) ..+ unat (n' - (i + 1)) * 2 ^ bits}
= {}"
including no_take_bit
apply (subgoal_tac "unat (n' - (i + 1)) = unat n' - unat (i + 1)
\<and> unat (n' - i) = unat n' - unat i")
apply (frule(1) offset_intvl_first_chunk_subsets)
@ -6690,7 +6682,6 @@ lemma retype_offs_region_actually_is_zero_bytes:
\<Longrightarrow> region_actually_is_zero_bytes ptr
(num_ret * 2 ^ APIType_capBits newType userSize) s'"
using word_unat_mask_lt[where w=ptr and m=sz]
including no_take_bit
apply -
apply (frule range_cover.sz(1))
apply (drule(2) ctes_of_untyped_zero_rf_sr)


@ -2194,7 +2194,6 @@ lemma numDomains_sge_1_simp:
lemma unat_scast_numDomains:
"unat (SCAST(32 signed \<rightarrow> machine_word_len) Kernel_C.numDomains) = unat Kernel_C.numDomains"
including no_take_bit
by (simp add: scast_eq sint_numDomains_to_H unat_numDomains_to_H numDomains_machine_word_safe)
end


@ -1007,7 +1007,6 @@ proof -
have horrible_helper:
"\<And>v p. v \<le> 3 \<Longrightarrow> (3 - unat (p && mask 2 :: word32) = v) =
(p && mask 2 = 3 - of_nat v)"
including no_take_bit
apply (simp add: unat_arith_simps unat_of_nat)
apply (cut_tac p=p in unat_mask_2_less_4)
apply arith


@ -1105,7 +1105,6 @@ lemma invokeTCB_CopyRegisters_ccorres:
\<inter> {s. to_bool (transferInteger_' s) = ints}) []
(invokeTCB (CopyRegisters destn source susp resume frames ints arch))
(Call invokeTCB_CopyRegisters_'proc)"
including no_take_bit
apply (cinit lift: dest_' tcb_src_' resumeTarget_'
suspendSource_' transferFrame_' transferInteger_'
simp: whileAnno_def)
@ -1481,7 +1480,6 @@ lemma invokeTCB_WriteRegisters_ccorres[where S=UNIV]:
\<inter> {s. buffer_' s = option_to_ptr buffer}) []
(invokeTCB (WriteRegisters dst resume values arch))
(Call invokeTCB_WriteRegisters_'proc)"
including no_take_bit
apply (rule ccorres_gen_asm)
apply (erule conjE)
apply (cinit lift: n_' dest_' resumeTarget_' buffer_'
@ -1720,7 +1718,6 @@ shows
(doE reply \<leftarrow> invokeTCB (ReadRegisters target susp n archCp);
liftE (replyOnRestart thread reply isCall) odE)
(Call invokeTCB_ReadRegisters_'proc)"
including no_take_bit
supply option.case_cong_weak[cong]
apply (rule ccorres_gen_asm)
apply (cinit' lift: tcb_src_' suspendSource_' n_' call_'


@ -1166,7 +1166,6 @@ lemma findFreeHWASID_ccorres:
"ccorres (=) ret__unsigned_char_'
(valid_arch_state' and valid_pde_mappings') UNIV []
(findFreeHWASID) (Call findFreeHWASID_'proc)"
including no_take_bit
apply (cinit)
apply csymbr
apply (rule ccorres_pre_gets_armKSHWASIDTable_ksArchState)


@ -614,7 +614,6 @@ lemma (in kernel_m) carch_state_to_H_correct:
assumes valid: "valid_arch_state' astate"
assumes rel: "carch_state_relation (ksArchState astate) (cstate)"
shows "carch_state_to_H cstate = ksArchState astate"
including no_take_bit
apply (case_tac "ksArchState astate", simp)
apply (rename_tac v1 v2 v3 v4 v5 v6 v7 v8)
using rel[simplified carch_state_relation_def carch_globals_def]
@ -1387,7 +1386,6 @@ lemma (in kernel_m) cDomScheduleIdx_to_H_correct:
assumes cstate_rel: "cstate_relation as cs"
assumes ms: "cstate_to_machine_H cs = observable_memory (ksMachineState as) (user_mem' as)"
shows "unat (ksDomScheduleIdx_' cs) = ksDomScheduleIdx as"
including no_take_bit
using assms
by (clarsimp simp: cstate_relation_def Let_def observable_memory_def valid_state'_def
newKernelState_def unat_of_nat_eq cdom_schedule_relation_def)


@ -909,7 +909,6 @@ lemma checkVPAlignment_spec:
"\<forall>s. \<Gamma>\<turnstile> \<lbrace>s. \<acute>sz < 4\<rbrace> Call checkVPAlignment_'proc
{t. ret__unsigned_long_' t = from_bool
(vmsz_aligned' (w_' s) (gen_framesize_to_H (sz_' s)))}"
including no_take_bit
apply (rule allI, rule conseqPre, vcg)
apply (clarsimp simp: mask_eq_iff_w2p word_size)
apply (rule conjI)
@ -1417,7 +1416,6 @@ lemma createSafeMappingEntries_PTE_ccorres:
lemma ptr_add_uint_of_nat [simp]:
"a +\<^sub>p uint (of_nat b :: word32) = a +\<^sub>p (int b)"
including no_take_bit
by (clarsimp simp: CTypesDefs.ptr_add_def)
@ -1586,7 +1584,6 @@ lemma performPageInvocationMapPTE_ccorres:
\<inter> {s. isLeft mapping}) []
(liftE (performPageInvocation (PageMap asid cap slot mapping)))
(Call performPageInvocationMapPTE_'proc)"
including no_take_bit
supply pageBitsForSize_le_32 [simp]
apply (rule ccorres_gen_asm2)
apply (rule ccorres_gen_asm)
@ -1971,7 +1968,6 @@ lemma performPageInvocationMapPDE_ccorres:
\<inter> {s. isRight mapping}) []
(liftE (performPageInvocation (PageMap asid cap slot mapping)))
(Call performPageInvocationMapPDE_'proc)"
including no_take_bit
supply pageBitsForSize_le_32 [simp]
apply (rule ccorres_gen_asm2)
apply (rule ccorres_gen_asm)
@ -3266,7 +3262,6 @@ lemma decodeARMPageDirectoryInvocation_ccorres:
(decodeARMMMUInvocation label args cptr slot cp extraCaps
>>= invocationCatch thread isBlocking isCall InvokeArchObject)
(Call decodeARMPageDirectoryInvocation_'proc)"
including no_take_bit
apply (clarsimp simp only: isCap_simps)
apply (cinit' lift: invLabel_' length___unsigned_long_' cte_' current_extra_caps_' cap_' buffer_'
simp: decodeARMMMUInvocation_def invocation_eq_use_types)
@ -4268,7 +4263,6 @@ lemma writeVCPUReg_ccorres:
\<inter> \<lbrace>\<acute>field = of_nat (fromEnum reg) \<rbrace>
\<inter> \<lbrace>\<acute>value = val\<rbrace>) hs
(writeVCPUReg vcpuptr reg val) (Call writeVCPUReg_'proc)"
including no_take_bit
apply (cinit lift: vcpu_' field_' value_')
apply clarsimp
apply (rule ccorres_pre_getCurVCPU, rename_tac cvcpuopt)
@ -4313,7 +4307,6 @@ lemma readVCPUReg_ccorres:
(vcpu_at' vcpuptr and no_0_obj')
(UNIV \<inter> \<lbrace>\<acute>vcpu = vcpu_Ptr vcpuptr \<rbrace> \<inter> \<lbrace>\<acute>field = of_nat (fromEnum reg) \<rbrace>) hs
(readVCPUReg vcpuptr reg) (Call readVCPUReg_'proc)"
including no_take_bit
apply (cinit lift: vcpu_' field_')
apply clarsimp
apply (rule ccorres_pre_getCurVCPU, rename_tac cvcpuopt)
@ -4573,7 +4566,6 @@ lemma invokeVCPUInjectIRQ_ccorres:
hs
(liftE (invokeVCPUInjectIRQ vcpuptr idx virq))
(Call invokeVCPUInjectIRQ_'proc)"
including no_take_bit
apply (rule ccorres_grab_asm)
apply (cinit' lift: vcpu_' index_' virq_')
supply not_None_eq[simp del]
@ -4633,7 +4625,6 @@ lemma decodeVCPUInjectIRQ_ccorres:
(decodeVCPUInjectIRQ args cp
>>= invocationCatch thread isBlocking isCall InvokeArchObject)
(Call decodeVCPUInjectIRQ_'proc)"
including no_take_bit
apply (rule ccorres_grab_asm)
apply (cinit' lift: length_' cap_' buffer_'
simp: decodeVCPUInjectIRQ_def Let_def shiftL_nat )
@ -5082,7 +5073,6 @@ proof -
split: if_splits)
show ?thesis
including no_take_bit
apply (rule ccorres_grab_asm)
apply (cinit' lift: length_' cap_' buffer_')
apply (clarsimp simp: decodeVCPUAckVPPI_def)


@ -2214,7 +2214,6 @@ lemma untypedZeroRange_idx_forward_helper:
\<Longrightarrow> (case (untypedZeroRange cap, untypedZeroRange (capFreeIndex_update (\<lambda>_. idx) cap))
of (Some (a, b), Some (a', b')) \<Rightarrow> {a' ..+ unat (b' + 1 - a')} \<subseteq> {a ..+ unat (b + 1 - a)}
| _ \<Rightarrow> True)"
including no_take_bit
apply (clarsimp split: option.split)
apply (clarsimp simp: untypedZeroRange_def max_free_index_def Let_def
isCap_simps valid_cap_simps' capAligned_def untypedBits_defs
@ -2257,7 +2256,6 @@ lemma untypedZeroRange_idx_backward_helper:
of Some (a, b) \<Rightarrow> {a ..+ unat (b + 1 - a)}
| None \<Rightarrow> {})
)"
including no_take_bit
apply (clarsimp split: option.split, intro impI conjI allI)
apply (rule intvl_both_le; clarsimp simp: untypedZeroRange_def
max_free_index_def Let_def
@ -3449,7 +3447,6 @@ lemma sameRegionAs_spec:
capAligned capb \<and> (\<exists>s. s \<turnstile>' capa)\<rbrace>
Call sameRegionAs_'proc
\<lbrace> \<acute>ret__unsigned_long = from_bool (sameRegionAs capa capb) \<rbrace>"
including no_take_bit
apply vcg
apply clarsimp
apply (simp add: sameRegionAs_def isArchCap_tag_def2)


@ -367,7 +367,6 @@ lemma ccorres_cutMon_locateSlotCap_Zombie:
{s. array_assertion (cte_Ptr (capZombiePtr cap)) (capZombieNumber cap - 1)
(hrs_htd (t_hrs_' (globals s))) \<longrightarrow> s \<in> Q'} hs
(cutMon ((=) s) (locateSlotCap cap n >>= a)) c"
including no_take_bit
apply (simp add: locateSlot_conv in_monad cutMon_walk_bind)
apply (rule ccorres_gen_asm)
apply (rule ccorres_guard_imp2)
@ -415,7 +414,6 @@ lemma reduceZombie_ccorres1:
(invs' and sch_act_simple and cte_wp_at' (\<lambda>cte. cteCap cte = cap) slot)
(UNIV \<inter> {s. slot_' s = Ptr slot} \<inter> {s. immediate_' s = from_bool expo}) []
(cutMon ((=) s) (reduceZombie cap slot expo)) (Call reduceZombie_'proc)"
including no_take_bit
apply (cinit' lift: slot_' immediate_')
apply (simp add: from_bool_0 del: Collect_const)
apply (rule_tac P="capZombieNumber cap < 2 ^ word_bits" in ccorres_gen_asm)


@ -460,7 +460,6 @@ proof -
ultimately show ?thesis
unfolding ctcb_ptr_to_tcb_ptr_def ctcb_offset_defs
including no_take_bit
apply -
apply (clarsimp simp: field_simps objBits_simps' size_of_def)
apply (drule intvlD)


@ -419,7 +419,6 @@ lemma lookup_fp_ccorres':
by (simp add: cap_get_tag_def cong: if_cong)
show ?case
including no_take_bit
supply if_cong[cong]
apply (cinitlift cap_' bits_')
apply (rename_tac cbits ccap)


@ -1060,7 +1060,6 @@ lemma deleteASIDPool_ccorres:
"ccorres dc xfdc (invs' and (\<lambda>_. base < 2 ^ 17 \<and> pool \<noteq> 0))
(UNIV \<inter> {s. asid_base_' s = base} \<inter> {s. pool_' s = Ptr pool}) []
(deleteASIDPool base pool) (Call deleteASIDPool_'proc)"
including no_take_bit
apply (rule ccorres_gen_asm)
apply (cinit lift: asid_base_' pool_' simp: whileAnno_def)
apply (rule ccorres_assert)


@ -191,7 +191,6 @@ lemma decodeDomainInvocation_ccorres:
apply clarsimp
apply (vcg exspec=getSyscallArg_modifies)
including no_take_bit
apply (clarsimp simp: valid_tcb_state'_def invs_valid_queues' invs_valid_objs'
invs_queues invs_sch_act_wf' ct_in_state'_def pred_tcb_at'
rf_sr_ksCurThread word_sle_def word_sless_def sysargs_rel_to_n
@ -1695,7 +1694,6 @@ lemma clearMemory_untyped_ccorres:
[]
(doMachineOp (clearMemory ptr (2 ^ sz))) (Call clearMemory_'proc)"
(is "ccorres dc xfdc ?P ?P' [] ?m ?c")
including no_take_bit
apply (rule ccorres_gen_asm)
apply (cinit' lift: bits_' ptr___ptr_to_unsigned_long_')
apply (rule_tac P="ptr \<noteq> 0 \<and> sz < word_bits"
@ -2411,7 +2409,6 @@ lemma invokeUntyped_Retype_ccorres:
(ptr + of_nat (shiftL (length destSlots)
(APIType_capBits newType us)))) >> 4"
using cover range_cover_sz'[OF cover]
including no_take_bit
apply (simp add: getFreeIndex_def shiftl_t2n
unat_of_nat_eq shiftL_nat)
apply (rule less_mask_eq)
@ -2429,7 +2426,6 @@ lemma invokeUntyped_Retype_ccorres:
(liftxf errstate id (K ()) ret__unsigned_long_') (\<lambda>s'. s' = s) ?P'
[] (invokeUntyped (Retype cref reset ptr_base ptr newType us destSlots isdev))
(Call invokeUntyped_Retype_'proc)"
including no_take_bit
apply (cinit lift: retypeBase_' srcSlot_' reset_' newType_'
userSize_' deviceMemory_' destCNode_' destOffset_' destLength_'
simp: when_def)
@ -2898,7 +2894,6 @@ lemma decodeUntypedInvocation_ccorres_helper:
liftE (stateAssert (valid_untyped_inv' uinv) []); returnOk uinv odE)
>>= invocationCatch thread isBlocking isCall InvokeUntyped)
(Call decodeUntypedInvocation_'proc)"
including no_take_bit
supply if_cong[cong] option.case_cong[cong]
apply (rule ccorres_name_pre)
apply (cinit' lift: invLabel_' length___unsigned_long_' cap_' slot_' current_extra_caps_' call_' buffer_'


@ -823,7 +823,6 @@ lemma cready_queues_index_to_C_def2:
"\<lbrakk> qdom \<le> maxDomain; prio \<le> maxPriority \<rbrakk>
\<Longrightarrow> cready_queues_index_to_C qdom prio
= unat (ucast qdom * of_nat numPriorities + ucast prio :: machine_word)"
including no_take_bit
using numPriorities_machine_word_safe
apply -
apply (frule (1) cready_queues_index_to_C_in_range[simplified maxDom_to_H maxPrio_to_H])
@ -901,7 +900,6 @@ lemma cbitmap_L1_relation_bit_set:
(Arrays.update (ksReadyQueuesL1Bitmap_' (globals x)) (unat d)
(ksReadyQueuesL1Bitmap_' (globals x).[unat d] || 2 ^ unat (p >> wordRadix)))
((ksReadyQueuesL1Bitmap \<sigma>)(d := ksReadyQueuesL1Bitmap \<sigma> d || 2 ^ prioToL1Index p))"
including no_take_bit
apply (unfold cbitmap_L1_relation_def)
apply (clarsimp simp: le_maxDomain_eq_less_numDomains word_le_nat_alt prioToL1Index_def
num_domains_index_updates)
@ -2170,7 +2168,6 @@ proof -
(* FIXME generalise *)
have word_clz_sint_upper[simp]:
"\<And>(w::machine_word). sint (of_nat (word_clz w) :: 32 signed word) \<le> 2147483679"
including no_take_bit
apply (subst sint_eq_uint)
apply (rule not_msb_from_less)
apply simp
@ -2206,7 +2203,6 @@ proof -
"\<And>(w::32 word). \<lbrakk> w \<noteq> 0 ; word_log2 w < l2BitmapSize \<rbrakk> \<Longrightarrow>
unat (of_nat l2BitmapSize - (1::32 word) - of_nat (word_log2 w))
= invertL1Index (word_log2 w)"
including no_take_bit
apply (subst unat_sub)
apply (clarsimp simp: l2BitmapSize_def')
apply (rule word_of_nat_le)
@ -2221,7 +2217,6 @@ proof -
include no_less_1_simps
show ?thesis
including no_take_bit
apply (cinit lift: dom_')
apply (clarsimp split del: if_split)
apply (rule ccorres_pre_getReadyQueuesL1Bitmap)


@ -1047,7 +1047,6 @@ lemma setMR_ccorres:
\<inter> {s. receiver_' s = tcb_ptr_to_ctcb_ptr thread}
\<inter> {s. receiveIPCBuffer_' s = option_to_ptr buf}) []
(setMR thread buf offset v) (Call setMR_'proc)"
including no_take_bit
apply (rule ccorres_gen_asm)
apply (cinit lift: offset_' reg_' receiver_' receiveIPCBuffer_')
apply (rule ccorres_cond2'[where R=\<top>])
@ -1328,7 +1327,6 @@ lemma copyMRs_register_loop_helper:
(CALL setRegister(tcb_ptr_to_ctcb_ptr receiver,
ucast (index msgRegistersC (unat \<acute>i)),
\<acute>ret__unsigned_long)))"
including no_take_bit
apply clarsimp
apply (rule ccorres_guard_imp)
apply ctac
@ -1581,7 +1579,6 @@ lemma copyMRsFault_ccorres_exception:
hs
(mapM_x (\<lambda>(x, y). setMR receiver recvBuffer x y) (zip [0..<120] msg))
(Call copyMRsFault_'proc)"
including no_take_bit
apply (unfold K_def)
apply (intro ccorres_gen_asm)
apply (cinit' lift: sender_' receiver_' receiveIPCBuffer_'
@ -2571,7 +2568,6 @@ lemma setExtraBadge_ccorres:
hs
(setExtraBadge buffer badge n)
(Call setExtraBadge_'proc)"
including no_take_bit
apply (rule ccorres_gen_asm)
apply (cinit lift: bufferPtr_' badge_' i_')
apply (unfold storeWordUser_def)
@ -2862,7 +2858,6 @@ proof (rule ccorres_gen_asm, induct caps arbitrary: n slots mi)
note if_split[split]
case Nil
thus ?case
including no_take_bit
apply (simp only: transferCapsToSlots.simps)
apply (rule ccorres_guard_imp2)
apply (rule ccorres_Guard_Seq ccorres_rhs_assoc)+
@ -2885,7 +2880,6 @@ next
let ?S="\<lbrace>\<acute>i=of_nat n \<and> mi=message_info_to_H \<acute>info\<rbrace>"
have n3: "n \<le> 3" using Cons.prems by simp
hence of_nat_n3[intro!]: "of_nat n \<le> (3 :: word32)"
including no_take_bit
by (simp add: word_le_nat_alt unat_of_nat)
have drop_n_foo: "\<And>xs n y ys. drop n xs = y # ys
\<Longrightarrow> \<exists>xs'. length xs' = n \<and> xs = xs' @ (y # ys)"
@ -2975,7 +2969,6 @@ next
note sle_positive[simp del]
from Cons.prems
show ?case
including no_take_bit
apply (clarsimp simp: Let_def word_sle_def[where b=5] split_def
cong: call_ignore_cong
simp del: Collect_const)
@ -3437,7 +3430,6 @@ proof -
let ?interpret = "\<lambda>v n. take n (array_to_list (excaprefs_C v))"
note if_split[split del]
show ?thesis
including no_take_bit
apply (rule ccorres_gen_asm)+
apply (cinit(no_subst_asm) lift: thread_' bufferPtr_' info_' simp: whileAnno_def)
apply (clarsimp simp add: getExtraCPtrs_def lookupCapAndSlot_def
@ -3889,7 +3881,6 @@ lemma copyMRsFaultReply_ccorres_exception:
(Call copyMRsFaultReply_'proc)"
proof -
show ?thesis
including no_take_bit
apply (unfold K_def, rule ccorres_gen_asm) using [[goals_limit=1]]
apply (cinit' lift: sender_' receiver_'
id___anonymous_enum_'
@ -4004,7 +3995,6 @@ lemma copyMRsFaultReply_ccorres_syscall:
note symb_exec_r_fault = ccorres_symb_exec_r_known_rv_UNIV
[where xf'=ret__unsigned_' and R="?obj_at_ft" and R'=UNIV]
show ?thesis
including no_take_bit
apply (unfold K_def, rule ccorres_gen_asm) using [[goals_limit=1]]
apply (cinit' lift: sender_' receiver_'
id___anonymous_enum_'


@ -260,7 +260,6 @@ lemma clearMemory_PageCap_ccorres:
[]
(doMachineOp (clearMemory ptr (2 ^ pageBitsForSize sz))) (Call clearMemory_'proc)"
(is "ccorres dc xfdc ?P ?P' [] ?m ?c")
including no_take_bit
supply image_cong_simp [cong del]
apply (cinit' lift: bits_' ptr___ptr_to_unsigned_long_')
apply (rule_tac P="capAligned (ArchObjectCap (PageCap False ptr undefined sz None))"
@ -638,7 +637,6 @@ lemma clearMemory_PT_setObject_PTE_ccorres:
doMachineOp (cleanCacheRange_PoU ptr (ptr + 2 ^ ptBits - 1) pstart)
od)
(Call clearMemory_PT_'proc)"
including no_take_bit
apply (rule ccorres_gen_asm)+
apply (cinit' lift: ptr___ptr_to_unsigned_long_' bits_')
apply (rule ccorres_Guard_Seq)
@ -1273,7 +1271,6 @@ lemma updateFreeIndex_ccorres:
\<longrightarrow> region_actually_is_zero_bytes (capPtr cap' + of_nat idx') (capFreeIndex cap' - idx') s} hs
(updateFreeIndex srcSlot idx') c"
(is "_ \<Longrightarrow> ccorres dc xfdc (valid_objs' and ?cte_wp_at' and _ and _) ?P' hs ?a c")
including no_take_bit
apply (rule ccorres_gen_asm)
apply (simp add: updateFreeIndex_def getSlotCap_def updateCap_def)
apply (rule ccorres_guard_imp2)


@ -573,7 +573,6 @@ qed
lemma h_t_array_valid_retyp:
"0 < n \<Longrightarrow> n * size_of TYPE('a) < addr_card
\<Longrightarrow> h_t_array_valid (ptr_arr_retyps n p htd) (p :: ('a :: wf_type) ptr) n"
including no_take_bit
apply (clarsimp simp: ptr_arr_retyps_def h_t_array_valid_def
valid_footprint_def)
apply (simp add: htd_update_list_index intvlI mult.commute)
@ -1454,7 +1453,6 @@ lemma zero_ranges_ptr_retyps:
\<Longrightarrow> valid_objs' s
\<Longrightarrow> zero_ranges_are_zero (gsUntypedZeroRanges s)
(hrs_htd_update (ptr_retyps_gen n p arr) hrs)"
including no_take_bit
apply (clarsimp simp: zero_ranges_are_zero_def untyped_ranges_zero_inv_def
hrs_htd_update)
apply (drule(1) bspec, clarsimp)
@ -2334,7 +2332,6 @@ proof (intro impI allI)
= (pde_stored_asid \<circ>\<^sub>m cslift x)"
unfolding rf_sr_def
using cpsp empty
including no_take_bit
supply image_cong_simp [cong del]
apply (clarsimp simp: rl' cterl cte_C_size tag_disj_via_td_name foldr_upd_app_if [folded data_map_insert_def])
apply (simp add: ptr_retyp_to_array[simplified])
@ -2877,7 +2874,6 @@ declare Collect_const_mem [simp]
lemma createNewCaps_untyped_if_helper:
"\<forall>s s'. (s, s') \<in> rf_sr \<and> (sz < word_bits \<and> gbits < word_bits) \<and> True \<longrightarrow>
(\<not> gbits \<le> sz) = (s' \<in> \<lbrace>of_nat sz < (of_nat gbits :: word32)\<rbrace>)"
including no_take_bit
by (clarsimp simp: not_le unat_of_nat32 word_less_nat_alt lt_word_bits_lt_pow)
lemma true_mask1 [simp]:
@ -3116,7 +3112,6 @@ qed
lemma tcb_ptr_orth_cte_ptrs:
"{ptr_val p..+size_of TYPE(tcb_C)} \<inter> {ctcb_ptr_to_tcb_ptr p..+5 * size_of TYPE(cte_C)} = {}"
including no_take_bit
apply (rule disjointI)
apply (clarsimp simp: ctcb_ptr_to_tcb_ptr_def intvl_def field_simps size_of_def ctcb_offset_defs)
apply unat_arith
@ -3126,7 +3121,6 @@ lemma tcb_ptr_orth_cte_ptrs:
lemma tcb_ptr_orth_cte_ptrs':
"ptr_span (tcb_Ptr (regionBase + 0x100)) \<inter> ptr_span (Ptr regionBase :: (cte_C[5]) ptr) = {}"
including no_take_bit
apply (rule disjointI)
apply (clarsimp simp: ctcb_ptr_to_tcb_ptr_def size_td_array
intvl_def field_simps size_of_def ctcb_offset_def)
@ -3218,7 +3212,6 @@ proof -
"region_is_bytes' (ctcb_ptr_to_tcb_ptr p) (5 * size_of TYPE(cte_C))
(ptr_retyps_gen 1 p False (hrs_htd (t_hrs_' (globals x))))"
using al region_is_bytes_subset[OF empty] tcb_ptr_to_ctcb_ptr_in_range'
including no_take_bit
apply (simp add: objBits_simps kotcb_def)
apply (clarsimp simp: region_is_bytes'_def)
apply (subst(asm) ptr_retyps_gen_out)
@ -3262,7 +3255,6 @@ proof -
{k. k < 5}
then Some (from_bytes (replicate (size_of TYPE(cte_C)) 0)) else cslift x y)"
using cgp
including no_take_bit
apply (simp add: ptr_retyp_to_array[simplified] hrs_comm[symmetric])
apply (subst clift_ptr_retyps_gen_prev_memset_same[OF guard],
simp_all add: hrs_htd_update empty_smaller[simplified])
@ -4498,7 +4490,6 @@ lemma ghost_assertion_size_logic_no_unat:
\<Longrightarrow> (s, \<sigma>) \<in> rf_sr
\<Longrightarrow> gs_get_assn cap_get_capSizeBits_'proc (ghost'state_' (globals \<sigma>)) = 0 \<or>
of_nat sz \<le> gs_get_assn cap_get_capSizeBits_'proc (ghost'state_' (globals \<sigma>))"
including no_take_bit
apply (rule ghost_assertion_size_logic'[rotated])
apply (simp add: rf_sr_def)
apply (simp add: unat_of_nat)
@ -7672,7 +7663,6 @@ lemma range_cover_bound'':
lemma caps_no_overlap''_cell:
"\<lbrakk>range_cover ptr sz us n;caps_no_overlap'' ptr sz s;p < n\<rbrakk>
\<Longrightarrow> caps_no_overlap'' (ptr + (of_nat p << us)) us s"
including no_take_bit
apply (clarsimp simp:caps_no_overlap''_def)
apply (drule(1) bspec)
apply (subgoal_tac "{ptr + (of_nat p << us)..(ptr + (of_nat p << us) && ~~ mask us) + 2 ^ us - 1}
@ -8068,7 +8058,6 @@ lemma offset_intvl_first_chunk_subsets_unat:
\<and> {p + (i << bits) ..+ 2 ^ bits}
\<inter> {p + ((i + 1) << bits) ..+ unat (n' - (i + 1)) * 2 ^ bits}
= {}"
including no_take_bit
apply (subgoal_tac "unat (n' - (i + 1)) = unat n' - unat (i + 1)
\<and> unat (n' - i) = unat n' - unat i")
apply (frule(1) offset_intvl_first_chunk_subsets)
@ -8087,7 +8076,6 @@ lemma retype_offs_region_actually_is_zero_bytes:
\<Longrightarrow> region_actually_is_zero_bytes ptr
(num_ret * 2 ^ APIType_capBits newType userSize) s'"
using word_unat_mask_lt[where w=ptr and m=sz]
including no_take_bit
apply -
apply (frule range_cover.sz(1))
apply (drule(2) ctes_of_untyped_zero_rf_sr)


@ -2487,12 +2487,10 @@ where
lemma unat_scast_seL4_VCPUReg_SCTLR_simp[simp]:
"unat (SCAST(32 signed \<rightarrow> 32) seL4_VCPUReg_SCTLR) = fromEnum VCPURegSCTLR"
including no_take_bit
by (simp add: vcpureg_eq_use_types[where reg=VCPURegSCTLR, simplified, symmetric])
lemma unat_scast_seL4_VCPUReg_ACTLR_simp[simp]:
"unat (SCAST(32 signed \<rightarrow> 32) seL4_VCPUReg_ACTLR) = fromEnum VCPURegACTLR"
including no_take_bit
by (simp add: vcpureg_eq_use_types[where reg=VCPURegACTLR, simplified, symmetric])
lemma numDomains_sge_1_simp:
@ -2503,7 +2501,6 @@ lemma numDomains_sge_1_simp:
lemma unat_scast_numDomains:
"unat (SCAST(32 signed \<rightarrow> machine_word_len) Kernel_C.numDomains) = unat Kernel_C.numDomains"
including no_take_bit
by (simp add: scast_eq sint_numDomains_to_H unat_numDomains_to_H numDomains_machine_word_safe)
end


@ -1006,7 +1006,6 @@ proof -
have horrible_helper:
"\<And>v p. v \<le> 3 \<Longrightarrow> (3 - unat (p && mask 2 :: word32) = v) =
(p && mask 2 = 3 - of_nat v)"
including no_take_bit
apply (simp add: unat_arith_simps unat_of_nat)
apply (cut_tac p=p in unat_mask_2_less_4)
apply arith


@ -1729,7 +1729,6 @@ lemma gic_vcpu_num_list_regs_cross_over:
"\<lbrakk> of_nat (armKSGICVCPUNumListRegs (ksArchState s)) = gic_vcpu_num_list_regs_' t;
valid_arch_state' s \<rbrakk>
\<Longrightarrow> gic_vcpu_num_list_regs_' t \<le> 0x3F"
including no_take_bit
apply (drule sym, simp)
apply (clarsimp simp: valid_arch_state'_def max_armKSGICVCPUNumListRegs_def)
apply (clarsimp simp: word_le_nat_alt unat_of_nat)
@ -1814,13 +1813,11 @@ proof -
have unat_of_nat_ctz_plus_32s:
"unat (of_nat (word_ctz w) + (0x20 :: int_sword)) = word_ctz w + 32" for w :: machine_word
including no_take_bit
apply (subst unat_add_lem' ; clarsimp simp: unat_of_nat_ctz_smw)
using word_ctz_le[where w=w, simplified] by (auto simp: unat_of_nat_eq)
have unat_of_nat_ctz_plus_32:
"unat (of_nat (word_ctz w) + (0x20 :: machine_word)) = word_ctz w + 32" for w :: machine_word
including no_take_bit
apply (subst unat_add_lem' ; clarsimp simp: unat_of_nat_ctz_mw)
using word_ctz_le[where w=w, simplified] by (auto simp: unat_of_nat_eq)
@ -1829,7 +1826,6 @@ proof -
\<Longrightarrow> (0 :: int_sword) <=s of_nat (eisr_calc eisr0 eisr1)
\<and> of_nat (eisr_calc eisr0 eisr1) <s (0x40 :: int_sword)"
for eisr0 :: machine_word and eisr1
including no_take_bit
using word_ctz_le[where w=eisr0] word_ctz_less[where w=eisr1]
apply (clarsimp simp: word_sless_alt word_sle_def)
apply (rule conjI) (* 0 \<le> *)
@ -1849,14 +1845,12 @@ proof -
have of_nat_word_ctz_0x21helper:
"0x21 + word_of_nat (word_ctz w) \<noteq> (0 :: int_sword)" for w :: machine_word
including no_take_bit
apply (subst unat_arith_simps, simp)
apply (subst unat_add_lem'; clarsimp simp: unat_of_nat_ctz_smw)
using word_ctz_le[where w=w, simplified]
by simp
show ?thesis
including no_take_bit
supply if_cong[cong]
apply (cinit)
apply (rule ccorres_pre_getCurVCPU, rename_tac vcpuPtr_opt)
@ -2153,7 +2147,6 @@ lemma ccorres_VPPIEvent:
(is "ccorres _ _ ?PRE _ _ _ _")
proof -
show ?thesis
including no_take_bit
apply (cinit lift: irq_')
apply (rule_tac P="irqVPPIEventIndex irq \<noteq> None" in ccorres_gen_asm)
apply (rule ccorres_pre_getCurVCPU, rename_tac vcpuPtr_opt)


@ -1166,7 +1166,6 @@ lemma invokeTCB_CopyRegisters_ccorres:
\<inter> {s. to_bool (transferInteger_' s) = ints}) []
(invokeTCB (CopyRegisters destn source susp resume frames ints arch))
(Call invokeTCB_CopyRegisters_'proc)"
including no_take_bit
apply (cinit lift: dest_' tcb_src_' resumeTarget_'
suspendSource_' transferFrame_' transferInteger_'
simp: whileAnno_def)
@ -1552,7 +1551,6 @@ lemma invokeTCB_WriteRegisters_ccorres[where S=UNIV]:
\<inter> {s. buffer_' s = option_to_ptr buffer}) []
(invokeTCB (WriteRegisters dst resume values arch))
(Call invokeTCB_WriteRegisters_'proc)"
including no_take_bit
apply (rule ccorres_gen_asm)
apply (erule conjE)
apply (cinit lift: n_' dest_' resumeTarget_' buffer_'
@ -1801,7 +1799,6 @@ shows
(doE reply \<leftarrow> invokeTCB (ReadRegisters target susp n archCp);
liftE (replyOnRestart thread reply isCall) odE)
(Call invokeTCB_ReadRegisters_'proc)"
including no_take_bit
apply (rule ccorres_gen_asm) using [[goals_limit=1]]
apply (cinit' lift: tcb_src_' suspendSource_' n_' call_'
simp: invokeTCB_def liftE_bindE bind_assoc)


@ -82,7 +82,6 @@ lemma checkVPAlignment_ccorres:
proof -
note [split del] = if_split
show ?thesis
including no_take_bit
apply (cinit lift: sz_' w_')
apply (csymbr)
apply clarsimp
@ -1246,7 +1245,6 @@ lemma findFreeHWASID_ccorres:
"ccorres (=) ret__unsigned_char_'
(valid_arch_state' and valid_pde_mappings') UNIV []
(findFreeHWASID) (Call findFreeHWASID_'proc)"
including no_take_bit
apply (cinit)
apply csymbr
apply (rule ccorres_pre_gets_armKSHWASIDTable_ksArchState)
@ -1664,7 +1662,6 @@ lemma vcpu_write_reg_ccorres:
\<inter> \<lbrace> \<acute>value = v \<rbrace>) hs
(vcpuWriteReg vcpuptr reg v)
(Call vcpu_write_reg_'proc)"
including no_take_bit
supply Collect_const[simp del] dc_simp[simp del]
apply (cinit lift: vcpu_' reg_' value_')
apply (rule ccorres_assert)
@ -1744,7 +1741,6 @@ lemma vcpu_restore_reg_range_ccorres:
(UNIV \<inter> \<lbrace>unat \<acute>start = fromEnum start\<rbrace> \<inter> \<lbrace>unat \<acute>end = fromEnum end\<rbrace>
\<inter> \<lbrace> \<acute>vcpu = vcpu_Ptr vcpuptr \<rbrace>) hs
(vcpuRestoreRegRange vcpuptr start end) (Call vcpu_restore_reg_range_'proc)"
including no_take_bit
apply (rule ccorres_grab_asm)
apply (cinit lift: start_' end_' vcpu_' simp: whileAnno_def)
apply csymbr
@ -1782,7 +1778,6 @@ lemma vcpu_save_reg_range_ccorres:
(UNIV \<inter> \<lbrace>unat \<acute>start = fromEnum start\<rbrace> \<inter> \<lbrace>unat \<acute>end = fromEnum end\<rbrace>
\<inter> \<lbrace> \<acute>vcpu = vcpu_Ptr vcpuptr \<rbrace>) hs
(vcpuSaveRegRange vcpuptr start end) (Call vcpu_save_reg_range_'proc)"
including no_take_bit
apply (rule ccorres_grab_asm)
apply (cinit lift: start_' end_' vcpu_' simp: whileAnno_def)
apply csymbr
@ -1819,7 +1814,6 @@ lemma vcpu_read_reg_ccorres:
(UNIV \<inter> \<lbrace> \<acute>vcpu = vcpu_Ptr vcpuptr \<rbrace> \<inter> \<lbrace> \<acute>reg = of_nat (fromEnum reg) \<rbrace>) hs
(vcpuReadReg vcpuptr reg)
(Call vcpu_read_reg_'proc)"
including no_take_bit
supply Collect_const[simp del]
apply (cinit lift: vcpu_' reg_')
apply (rule ccorres_assert)
@ -1889,7 +1883,6 @@ lemma restore_virt_timer_ccorres:
(vcpu_at' vcpuptr)
(UNIV \<inter> \<lbrace> \<acute>vcpu = vcpu_Ptr vcpuptr \<rbrace>) hs
(restoreVirtTimer vcpuptr) (Call restore_virt_timer_'proc)"
including no_take_bit
apply (cinit lift: vcpu_')
apply (ctac (no_vcg) add: vcpu_read_reg_ccorres)
apply csymbr
@ -2002,7 +1995,6 @@ lemma save_virt_timer_ccorres:
(vcpu_at' vcpuptr)
(UNIV \<inter> \<lbrace> \<acute>vcpu = vcpu_Ptr vcpuptr \<rbrace>) hs
(saveVirtTimer vcpuptr) (Call save_virt_timer_'proc)"
including no_take_bit
apply (cinit lift: vcpu_')
apply (ctac (no_vcg) add: vcpu_save_reg_ccorres)
apply (ctac (no_vcg) add: vcpu_hw_write_reg_ccorres)
@ -2152,7 +2144,6 @@ lemma vcpu_restore_ccorres:
and vcpu_at' vcpuPtr)
(UNIV \<inter> {s. vcpu_' s = vcpu_Ptr vcpuPtr}) hs
(vcpuRestore vcpuPtr) (Call vcpu_restore_'proc)"
including no_take_bit
apply (cinit lift: vcpu_' simp: whileAnno_def)
apply (simp add: doMachineOp_bind uncurry_def split_def doMachineOp_mapM_x)+
apply (clarsimp simp: bind_assoc)
@ -2286,7 +2277,6 @@ lemma vcpu_save_ccorres:
(UNIV \<inter> {s. vcpu_' s = case_option NULL (vcpu_Ptr \<circ> fst) v}
\<inter> {s. active_' s = case_option 0 (from_bool \<circ> snd) v}) hs
(vcpuSave v) (Call vcpu_save_'proc)"
including no_take_bit
supply if_cong[cong] option.case_cong[cong]
apply (cinit lift: vcpu_' active_' simp: whileAnno_def)
apply wpc
@ -2884,7 +2874,6 @@ lemma setMR_as_setRegister_ccorres:
\<inter> \<lbrace>\<acute>receiver = tcb_ptr_to_ctcb_ptr thread\<rbrace>) hs
(asUser thread (setRegister reg val))
(Call setMR_'proc)"
including no_take_bit
apply (rule ccorres_grab_asm)
apply (cinit' lift: reg_' offset_' receiver_')
apply (clarsimp simp: n_msgRegisters_def length_of_msgRegisters)


@ -1189,7 +1189,7 @@ lemma cDomScheduleIdx_to_H_correct:
assumes cstate_rel: "cstate_relation as cs"
assumes ms: "cstate_to_machine_H cs = observable_memory (ksMachineState as) (user_mem' as)"
shows "unat (ksDomScheduleIdx_' cs) = ksDomScheduleIdx as"
using assms including no_take_bit
using assms
by (clarsimp simp: cstate_relation_def Let_def observable_memory_def valid_state'_def
newKernelState_def unat_of_nat_eq cdom_schedule_relation_def)


@ -430,7 +430,6 @@ shows
\<inter> {s. asid_base_' s = base}) []
(liftE (performASIDControlInvocation (MakePool frame slot parent base)))
(Call performASIDControlInvocation_'proc)"
including no_take_bit
apply (rule ccorres_gen_asm)
apply (simp only: liftE_liftM ccorres_liftM_simp)
apply (cinit lift: frame_' slot_' parent_' asid_base_')
@ -1175,7 +1174,6 @@ lemma checkVPAlignment_spec:
"\<forall>s. \<Gamma>\<turnstile> \<lbrace>s. \<acute>sz < 3\<rbrace> Call checkVPAlignment_'proc
{t. ret__unsigned_long_' t = from_bool
(vmsz_aligned (w_' s) (framesize_to_H (sz_' s)))}"
including no_take_bit
apply (rule allI, rule conseqPre, vcg)
apply (clarsimp simp: mask_eq_iff_w2p word_size)
apply (rule conjI)
@ -1230,7 +1228,7 @@ lemma ccorres_pre_getObject_pte:
lemma ptr_add_uint_of_nat [simp]:
"a +\<^sub>p uint (of_nat b :: machine_word) = a +\<^sub>p (int b)"
including no_take_bit by (clarsimp simp: CTypesDefs.ptr_add_def)
by (clarsimp simp: CTypesDefs.ptr_add_def)
declare int_unat[simp]
@ -1492,7 +1490,6 @@ lemma canonical_address_cap_frame_cap:
lemma of_nat_pageBitsForSize_eq:
"(x = of_nat (pageBitsForSize sz)) = (unat x = pageBitsForSize sz)" for x::machine_word
including no_take_bit
by (auto simp: of_nat_pageBitsForSize)
lemma ccap_relation_FrameCap_IsMapped:
@ -1575,7 +1572,6 @@ lemma decodeRISCVFrameInvocation_ccorres:
(decodeRISCVMMUInvocation label args cptr slot cp extraCaps
>>= invocationCatch thread isBlocking isCall InvokeArchObject)
(Call decodeRISCVFrameInvocation_'proc)"
including no_take_bit
apply (clarsimp simp only: isCap_simps)
apply (cinit' lift: label___unsigned_long_' length___unsigned_long_' cte_'
current_extra_caps_' cap_' buffer_'


@ -1727,7 +1727,6 @@ lemma untypedZeroRange_idx_forward_helper:
\<Longrightarrow> (case (untypedZeroRange cap, untypedZeroRange (capFreeIndex_update (\<lambda>_. idx) cap))
of (Some (a, b), Some (a', b')) \<Rightarrow> {a' ..+ unat (b' + 1 - a')} \<subseteq> {a ..+ unat (b + 1 - a)}
| _ \<Rightarrow> True)"
including no_take_bit
apply (clarsimp split: option.split)
apply (clarsimp simp: untypedZeroRange_def max_free_index_def Let_def
isCap_simps valid_cap_simps' capAligned_def untypedBits_defs
@ -1770,7 +1769,6 @@ lemma untypedZeroRange_idx_backward_helper:
of Some (a, b) \<Rightarrow> {a ..+ unat (b + 1 - a)}
| None \<Rightarrow> {})
)"
including no_take_bit
apply (clarsimp split: option.split, intro impI conjI allI)
apply (rule intvl_both_le; clarsimp simp: untypedZeroRange_def
max_free_index_def Let_def
@ -2794,7 +2792,6 @@ lemma sameRegionAs_spec:
"\<forall>capa capb. \<Gamma> \<turnstile> \<lbrace>ccap_relation capa \<acute>cap_a \<and> ccap_relation capb \<acute>cap_b \<and> capAligned capb\<rbrace>
Call sameRegionAs_'proc
\<lbrace> \<acute>ret__unsigned_long = from_bool (sameRegionAs capa capb) \<rbrace>"
including no_take_bit
apply vcg
apply clarsimp
apply (simp add: sameRegionAs_def isArchCap_tag_def2 ccap_relation_c_valid_cap)


@ -372,7 +372,6 @@ lemma ccorres_cutMon_locateSlotCap_Zombie:
{s. array_assertion (cte_Ptr (capZombiePtr cap)) (capZombieNumber cap - 1)
(hrs_htd (t_hrs_' (globals s))) \<longrightarrow> s \<in> Q'} hs
(cutMon ((=) s) (locateSlotCap cap n >>= a)) c"
including no_take_bit
apply (simp add: locateSlot_conv in_monad cutMon_walk_bind)
apply (rule ccorres_gen_asm)
apply (rule ccorres_guard_imp2)
@ -421,7 +420,6 @@ lemma reduceZombie_ccorres1:
(invs' and sch_act_simple and cte_wp_at' (\<lambda>cte. cteCap cte = cap) slot)
(UNIV \<inter> {s. slot_' s = Ptr slot} \<inter> {s. immediate_' s = from_bool expo}) []
(cutMon ((=) s) (reduceZombie cap slot expo)) (Call reduceZombie_'proc)"
including no_take_bit
apply (cinit' lift: slot_' immediate_')
apply (simp add: from_bool_0 del: Collect_const)
apply (rule_tac P="capZombieNumber cap < 2 ^ word_bits" in ccorres_gen_asm)


@ -461,7 +461,6 @@ proof -
ultimately show ?thesis
unfolding ctcb_ptr_to_tcb_ptr_def ctcb_offset_defs
including no_take_bit
apply -
apply (clarsimp simp: field_simps objBits_simps' size_of_def)
apply (drule intvlD)


@ -1033,7 +1033,6 @@ lemma deleteASIDPool_ccorres:
"ccorres dc xfdc (invs' and (\<lambda>_. asid_wf base \<and> pool \<noteq> 0))
(UNIV \<inter> {s. asid_base_' s = base} \<inter> {s. pool_' s = Ptr pool}) []
(deleteASIDPool base pool) (Call deleteASIDPool_'proc)"
including no_take_bit
apply (rule ccorres_gen_asm)
apply (cinit lift: asid_base_' pool_' simp: whileAnno_def)
apply (rule ccorres_assert)
@ -1289,17 +1288,14 @@ next
have level: "level < maxPTLevel" by simp
then
have [simp]: "maxPT - (1 + of_nat level) < maxPT" (is "?i < maxPT")
including no_take_bit
by (simp add: maxPTLevel_def maxPT_def unat_arith_simps unat_of_nat)
from level
have [simp]: "idx ?i < 0x40"
including no_take_bit
by (simp add: idx_def maxPT_def maxPTLevel_def unat_word_ariths unat_arith_simps unat_of_nat)
from level
have [simp]: "pt + vshift vaddr ?i * 8 = ptSlotIndex (Suc level) pt vaddr"
including no_take_bit
by (simp add: ptSlotIndex_def vshift_def maxPT_def ptIndex_def idx_def ptBitsLeft_def
bit_simps mask_def unat_word_ariths unat_of_nat maxPTLevel_def shiftl_t2n)


@ -192,7 +192,6 @@ lemma decodeDomainInvocation_ccorres:
apply clarsimp
apply (vcg exspec=getSyscallArg_modifies)
including no_take_bit
apply (clarsimp simp: valid_tcb_state'_def invs_valid_queues' invs_valid_objs'
invs_queues invs_sch_act_wf' ct_in_state'_def pred_tcb_at'
rf_sr_ksCurThread word_sle_def word_sless_def sysargs_rel_to_n
@ -1647,7 +1646,6 @@ lemma clearMemory_untyped_ccorres:
[]
(doMachineOp (clearMemory ptr (2 ^ sz))) (Call clearMemory_'proc)"
(is "ccorres dc xfdc ?P ?P' [] ?m ?c")
including no_take_bit
apply (rule ccorres_gen_asm)
apply (cinit' lift: bits_' ptr___ptr_to_void_')
apply (rule_tac P="ptr \<noteq> 0 \<and> sz < word_bits" in ccorres_gen_asm)
@ -1777,7 +1775,6 @@ lemma byte_regions_unmodified_actually_heap_list:
lemma ucast_64_32[simp]:
"UCAST(64 \<rightarrow> 32) (of_nat x) = of_nat x"
including no_take_bit
by (simp add: ucast_of_nat is_down_def source_size_def target_size_def word_size)
text \<open>
@ -2337,7 +2334,6 @@ lemma invokeUntyped_Retype_ccorres:
(ptr + of_nat (shiftL (length destSlots)
(APIType_capBits newType us)))) >> 4"
using cover range_cover_sz'[OF cover]
including no_take_bit
apply (simp add: getFreeIndex_def shiftl_t2n
unat_of_nat_eq shiftL_nat)
apply (rule less_mask_eq)
@ -2355,7 +2351,6 @@ lemma invokeUntyped_Retype_ccorres:
(liftxf errstate id (K ()) ret__unsigned_long_') (\<lambda>s'. s' = s) ?P'
[] (invokeUntyped (Retype cref reset ptr_base ptr newType us destSlots isdev))
(Call invokeUntyped_Retype_'proc)"
including no_take_bit
apply (cinit lift: retypeBase_' srcSlot_' reset_' newType_'
userSize_' deviceMemory_' destCNode_' destOffset_' destLength_'
simp: when_def)
@ -2842,7 +2837,6 @@ lemma decodeUntypedInvocation_ccorres_helper:
liftE (stateAssert (valid_untyped_inv' uinv) []); returnOk uinv odE)
>>= invocationCatch thread isBlocking isCall InvokeUntyped)
(Call decodeUntypedInvocation_'proc)"
including no_take_bit
supply if_cong[cong] option.case_cong[cong]
apply (rule ccorres_name_pre)
apply (cinit' lift: invLabel_' length___unsigned_long_' cap_' slot_' current_extra_caps_' call_' buffer_'


@ -821,7 +821,6 @@ lemma cready_queues_index_to_C_def2:
"\<lbrakk> qdom \<le> maxDomain; prio \<le> maxPriority \<rbrakk>
\<Longrightarrow> cready_queues_index_to_C qdom prio
= unat (ucast qdom * of_nat numPriorities + ucast prio :: machine_word)"
including no_take_bit
using numPriorities_machine_word_safe
apply -
apply (frule (1) cready_queues_index_to_C_in_range[simplified maxDom_to_H maxPrio_to_H])
@ -900,7 +899,6 @@ lemma cbitmap_L1_relation_bit_set:
(Arrays.update (ksReadyQueuesL1Bitmap_' (globals x)) (unat d)
(ksReadyQueuesL1Bitmap_' (globals x).[unat d] || 2 ^ unat (p >> wordRadix)))
((ksReadyQueuesL1Bitmap \<sigma>)(d := ksReadyQueuesL1Bitmap \<sigma> d || 2 ^ prioToL1Index p))"
including no_take_bit
apply (unfold cbitmap_L1_relation_def)
apply (clarsimp simp: le_maxDomain_eq_less_numDomains word_le_nat_alt prioToL1Index_def
num_domains_index_updates)
@ -2155,7 +2153,6 @@ proof -
"\<And>(w::machine_word). \<lbrakk> w \<noteq> 0 ; word_log2 w < l2BitmapSize \<rbrakk> \<Longrightarrow>
unat (of_nat l2BitmapSize - (1::machine_word) - of_nat (word_log2 w))
= invertL1Index (word_log2 w)"
including no_take_bit
apply (subst unat_sub)
apply (clarsimp simp: l2BitmapSize_def')
apply (rule word_of_nat_le)
@ -2178,7 +2175,6 @@ proof -
include no_less_1_simps
show ?thesis
including no_take_bit
apply (rule ccorres_grab_asm)
apply (cinit lift: dom_')
apply (clarsimp split del: if_split)
@ -2299,7 +2295,6 @@ lemma possibleSwitchTo_ccorres:
\<inter> UNIV) []
(possibleSwitchTo t )
(Call possibleSwitchTo_'proc)"
including no_take_bit
supply if_split [split del]
supply Collect_const [simp del]
supply dc_simp [simp del]


@ -969,7 +969,6 @@ lemma setMR_ccorres:
\<inter> {s. receiver_' s = tcb_ptr_to_ctcb_ptr thread}
\<inter> {s. receiveIPCBuffer_' s = option_to_ptr buf}) []
(setMR thread buf offset v) (Call setMR_'proc)"
including no_take_bit
apply (rule ccorres_gen_asm)
apply (cinit lift: offset_' reg___unsigned_long_' receiver_' receiveIPCBuffer_')
apply (rule ccorres_cond2'[where R=\<top>])
@ -1255,7 +1254,6 @@ lemma copyMRs_register_loop_helper:
(CALL setRegister(tcb_ptr_to_ctcb_ptr receiver,
ucast (index msgRegistersC (unat \<acute>i)),
\<acute>ret__unsigned_long)))"
including no_take_bit
apply clarsimp
apply (rule ccorres_guard_imp)
apply ctac
@ -1505,7 +1503,6 @@ lemma copyMRsFault_ccorres_exception:
hs
(mapM_x (\<lambda>(x, y). setMR receiver recvBuffer x y) (zip [0..<120] msg))
(Call copyMRsFault_'proc)"
including no_take_bit
apply (unfold K_def)
apply (intro ccorres_gen_asm)
apply (cinit' lift: sender_' receiver_' receiveIPCBuffer_'
@ -2321,7 +2318,6 @@ lemma setExtraBadge_ccorres:
hs
(setExtraBadge buffer badge n)
(Call setExtraBadge_'proc)"
including no_take_bit
apply (rule ccorres_gen_asm)
apply (cinit lift: bufferPtr_' badge_' i_')
apply (unfold storeWordUser_def)
@ -2611,7 +2607,6 @@ proof (rule ccorres_gen_asm, induct caps arbitrary: n slots mi)
note if_split[split]
case Nil
thus ?case
including no_take_bit
apply (simp only: transferCapsToSlots.simps)
apply (rule ccorres_guard_imp2)
apply (rule ccorres_Guard_Seq ccorres_rhs_assoc)+
@ -2635,7 +2630,6 @@ next
let ?S="\<lbrace>\<acute>i=of_nat n \<and> mi=message_info_to_H \<acute>info\<rbrace>"
have n3: "n \<le> 3" using Cons.prems by simp
hence of_nat_n3[intro!]: "of_nat n \<le> (3 :: machine_word)"
including no_take_bit
by (simp add: word_le_nat_alt unat_of_nat)
have drop_n_foo: "\<And>xs n y ys. drop n xs = y # ys
\<Longrightarrow> \<exists>xs'. length xs' = n \<and> xs = xs' @ (y # ys)"
@ -2731,7 +2725,6 @@ next
note extra_sle_sless_unfolds [simp del]
from Cons.prems
show ?case
including no_take_bit
apply (clarsimp simp: Let_def word_sle_def[where b=5] split_def
cong: call_ignore_cong
simp del: Collect_const)
@ -3191,7 +3184,6 @@ proof -
let ?EXCNONE = "{s. ret__unsigned_long_' s = scast EXCEPTION_NONE}"
let ?interpret = "\<lambda>v n. take n (array_to_list (excaprefs_C v))"
show ?thesis
including no_take_bit
apply (rule ccorres_gen_asm)+
apply (cinit(no_subst_asm) lift: thread_' bufferPtr_' info_' simp: whileAnno_def)
apply (clarsimp simp add: getExtraCPtrs_def lookupCapAndSlot_def
@ -3631,7 +3623,6 @@ lemma copyMRsFaultReply_ccorres_exception:
(Call copyMRsFaultReply_'proc)"
proof -
show ?thesis
including no_take_bit
apply (unfold K_def, rule ccorres_gen_asm) using [[goals_limit=1]]
apply (cinit' lift: sender_' receiver_'
id___anonymous_enum_'
@ -3746,7 +3737,6 @@ lemma copyMRsFaultReply_ccorres_syscall:
note symb_exec_r_fault = ccorres_symb_exec_r_known_rv_UNIV
[where xf'=ret__unsigned_' and R="?obj_at_ft" and R'=UNIV]
show ?thesis
including no_take_bit
apply (unfold K_def, rule ccorres_gen_asm) using [[goals_limit=1]]
apply (cinit' lift: sender_' receiver_'
id___anonymous_enum_'


@ -211,7 +211,6 @@ lemma clz64_step:
lemma clz64_spec:
"\<forall>s. \<Gamma> \<turnstile> {s} Call clz64_'proc \<lbrace>\<acute>ret__unsigned = of_nat (word_clz (x___unsigned_longlong_' s))\<rbrace>"
including no_take_bit
apply (hoare_rule HoarePartial.ProcNoRec1)
apply (hoarep_rewrite, fold clz64_step_def)
apply (intro allI hoarep.Catch[OF _ hoarep.Skip])
@ -376,7 +375,6 @@ lemma clzl_spec:
"\<forall>s. \<Gamma> \<turnstile> {\<sigma>. s = \<sigma> \<and> x___unsigned_long_' s \<noteq> 0}
Call clzl_'proc
\<lbrace>\<acute>ret__long = of_nat (word_clz (x___unsigned_long_' s))\<rbrace>"
including no_take_bit
apply (rule allI, rule conseqPre, vcg)
by (clarsimp simp: casts_of_nat_small[OF word_clz_max[THEN le_less_trans]] word_size)
@ -384,7 +382,6 @@ lemma ctzl_spec:
"\<forall>s. \<Gamma> \<turnstile> {\<sigma>. s = \<sigma> \<and> x___unsigned_long_' s \<noteq> 0}
Call ctzl_'proc
\<lbrace>\<acute>ret__long = of_nat (word_ctz (x___unsigned_long_' s))\<rbrace>"
including no_take_bit
apply (rule allI, rule conseqPre, vcg)
by (clarsimp simp: casts_of_nat_small[OF word_ctz_max[THEN le_less_trans]] word_size)


@ -270,7 +270,6 @@ lemma clearMemory_PageCap_ccorres:
[]
(doMachineOp (clearMemory ptr (2 ^ pageBitsForSize sz))) (Call clearMemory_'proc)"
(is "ccorres dc xfdc ?P ?P' [] ?m ?c")
including no_take_bit
supply pageBitsForSize_bounded[simp del]
apply (cinit' lift: bits_' ptr___ptr_to_void_')
apply (rule_tac P="capAligned (ArchObjectCap (FrameCap ptr undefined sz False None))"
@ -1168,7 +1167,6 @@ lemma updateFreeIndex_ccorres:
\<longrightarrow> region_actually_is_zero_bytes (capPtr cap' + of_nat idx') (capFreeIndex cap' - idx') s} hs
(updateFreeIndex srcSlot idx') c"
(is "_ \<Longrightarrow> ccorres dc xfdc (valid_objs' and ?cte_wp_at' and _ and _) ?P' hs ?a c")
including no_take_bit
apply (rule ccorres_gen_asm)
apply (simp add: updateFreeIndex_def getSlotCap_def updateCap_def)
apply (rule ccorres_guard_imp2)


@ -598,7 +598,6 @@ qed
lemma h_t_array_valid_retyp:
"0 < n \<Longrightarrow> n * size_of TYPE('a) < addr_card
\<Longrightarrow> h_t_array_valid (ptr_arr_retyps n p htd) (p :: ('a :: wf_type) ptr) n"
including no_take_bit
apply (clarsimp simp: ptr_arr_retyps_def h_t_array_valid_def
valid_footprint_def)
apply (simp add: htd_update_list_index intvlI mult.commute)
@ -1479,7 +1478,6 @@ lemma zero_ranges_ptr_retyps:
untyped_ranges_zero' s; valid_objs' s \<rbrakk>
\<Longrightarrow> zero_ranges_are_zero (gsUntypedZeroRanges s)
(hrs_htd_update (ptr_retyps_gen n p arr) hrs)"
including no_take_bit
apply (clarsimp simp: zero_ranges_are_zero_def untyped_ranges_zero_inv_def
hrs_htd_update)
apply (drule(1) bspec, clarsimp)
@ -2682,7 +2680,6 @@ declare Collect_const_mem [simp]
lemma createNewCaps_untyped_if_helper:
"\<forall>s s'. (s, s') \<in> rf_sr \<and> (sz < word_bits \<and> gbits < word_bits) \<and> True \<longrightarrow>
(\<not> gbits \<le> sz) = (s' \<in> \<lbrace>of_nat sz < (of_nat gbits :: machine_word)\<rbrace>)"
including no_take_bit
by (clarsimp simp: not_le unat_of_nat64 word_less_nat_alt lt_word_bits_lt_pow)
lemma true_mask1 [simp]:
@ -2936,7 +2933,6 @@ qed
lemma tcb_ptr_orth_cte_ptrs:
"{ptr_val p..+size_of TYPE(tcb_C)} \<inter> {ctcb_ptr_to_tcb_ptr p..+5 * size_of TYPE(cte_C)} = {}"
including no_take_bit
apply (rule disjointI)
apply (clarsimp simp: ctcb_ptr_to_tcb_ptr_def intvl_def field_simps size_of_def ctcb_offset_defs)
apply unat_arith
@ -2946,7 +2942,6 @@ lemma tcb_ptr_orth_cte_ptrs:
lemma tcb_ptr_orth_cte_ptrs':
"ptr_span (tcb_Ptr (regionBase + 0x200)) \<inter> ptr_span (Ptr regionBase :: (cte_C[5]) ptr) = {}"
including no_take_bit
apply (rule disjointI)
apply (clarsimp simp: ctcb_ptr_to_tcb_ptr_def size_td_array
intvl_def field_simps size_of_def ctcb_offset_def)
@ -3113,7 +3108,6 @@ proof -
"region_is_bytes' (ctcb_ptr_to_tcb_ptr p) (5 * size_of TYPE(cte_C))
(ptr_retyps_gen 1 p False (hrs_htd (t_hrs_' (globals x))))"
using al region_is_bytes_subset[OF empty] tcb_ptr_to_ctcb_ptr_in_range'
including no_take_bit
apply (simp add: objBits_simps kotcb_def)
apply (clarsimp simp: region_is_bytes'_def)
apply (subst(asm) ptr_retyps_gen_out)
@ -3157,7 +3151,6 @@ proof -
{k. k < 5}
then Some (from_bytes (replicate (size_of TYPE(cte_C)) 0)) else cslift x y)"
using cgp unfolding heap_updates_defs
including no_take_bit
apply (simp add: ptr_retyp_to_array[simplified] hrs_comm[symmetric] Let_def)
apply (subst clift_ptr_retyps_gen_prev_memset_same[OF guard],
simp_all add: hrs_htd_update empty_smaller[simplified])
@ -4393,7 +4386,6 @@ lemma ghost_assertion_size_logic_no_unat:
\<Longrightarrow> (s, \<sigma>) \<in> rf_sr
\<Longrightarrow> gs_get_assn cap_get_capSizeBits_'proc (ghost'state_' (globals \<sigma>)) = 0 \<or>
of_nat sz \<le> gs_get_assn cap_get_capSizeBits_'proc (ghost'state_' (globals \<sigma>))"
including no_take_bit
apply (rule ghost_assertion_size_logic'[rotated])
apply (simp add: rf_sr_def)
apply (simp add: unat_of_nat)
@ -6752,7 +6744,6 @@ lemma range_cover_bound'':
lemma caps_no_overlap''_cell:
"\<lbrakk>range_cover ptr sz us n;caps_no_overlap'' ptr sz s;p < n\<rbrakk>
\<Longrightarrow> caps_no_overlap'' (ptr + (of_nat p << us)) us s"
including no_take_bit
apply (clarsimp simp:caps_no_overlap''_def)
apply (drule(1) bspec)
apply (subgoal_tac "{ptr + (of_nat p << us)..(ptr + (of_nat p << us) && ~~ mask us) + 2 ^ us - 1}
@ -7155,7 +7146,6 @@ lemma offset_intvl_first_chunk_subsets_unat:
\<and> {p + (i << bits) ..+ 2 ^ bits}
\<inter> {p + ((i + 1) << bits) ..+ unat (n' - (i + 1)) * 2 ^ bits}
= {}"
including no_take_bit
apply (subgoal_tac "unat (n' - (i + 1)) = unat n' - unat (i + 1)
\<and> unat (n' - i) = unat n' - unat i")
apply (frule(1) offset_intvl_first_chunk_subsets)
@ -7174,7 +7164,6 @@ lemma retype_offs_region_actually_is_zero_bytes:
\<Longrightarrow> region_actually_is_zero_bytes ptr
(num_ret * 2 ^ APIType_capBits newType userSize) s'"
using word_unat_mask_lt[where w=ptr and m=sz]
including no_take_bit
apply -
apply (frule range_cover.sz(1))
apply (drule(2) ctes_of_untyped_zero_rf_sr)
@ -7324,7 +7313,6 @@ shows "ccorres dc xfdc
(createNewObjects newType srcSlot destSlots ptr userSize isdev)
(Call createNewObjects_'proc)"
unfolding from_bool_to_bool_iff
including no_take_bit
supply if_cong[cong]
apply (rule ccorres_gen_asm_state)
apply clarsimp


@ -2177,7 +2177,6 @@ lemma numDomains_sge_1_simp:
lemma unat_scast_numDomains:
"unat (SCAST(32 signed \<rightarrow> machine_word_len) Kernel_C.numDomains) = unat Kernel_C.numDomains"
including no_take_bit
by (simp add: scast_eq sint_numDomains_to_H unat_numDomains_to_H numDomains_machine_word_safe)
end


@ -967,7 +967,6 @@ proof -
have horrible_helper:
"\<And>v p. v \<le> 7 \<Longrightarrow> (7 - unat (p && mask 3 :: machine_word) = v) =
(p && mask 3 = 7 - of_nat v)"
including no_take_bit
apply (simp add: unat_arith_simps unat_of_nat)
apply (cut_tac p=p in unat_mask_3_less_8)
apply arith


@ -1181,7 +1181,6 @@ lemma invokeTCB_CopyRegisters_ccorres:
\<inter> {s. to_bool (transferInteger_' s) = ints}) []
(invokeTCB (CopyRegisters destn source susp resume frames ints arch))
(Call invokeTCB_CopyRegisters_'proc)"
including no_take_bit
apply (cinit lift: dest___ptr_to_struct_tcb_C_' tcb_src_' resumeTarget_'
suspendSource_' transferFrame_' transferInteger_'
simp: whileAnno_def)
@ -1569,7 +1568,6 @@ lemma invokeTCB_WriteRegisters_ccorres[where S=UNIV]:
\<inter> {s. buffer_' s = option_to_ptr buffer}) []
(invokeTCB (WriteRegisters dst resume values arch))
(Call invokeTCB_WriteRegisters_'proc)"
including no_take_bit
apply (rule ccorres_gen_asm)
apply (erule conjE)
apply (cinit lift: n_' dest___ptr_to_struct_tcb_C_' resumeTarget_' buffer_'
@ -1818,7 +1816,6 @@ shows
(doE reply \<leftarrow> invokeTCB (ReadRegisters target susp n archCp);
liftE (replyOnRestart thread reply isCall) odE)
(Call invokeTCB_ReadRegisters_'proc)"
including no_take_bit
apply (rule ccorres_gen_asm)
apply (cinit' lift: tcb_src_' suspendSource_' n_' call_'
simp: invokeTCB_def liftE_bindE bind_assoc)


@ -489,7 +489,6 @@ proof (induct level arbitrary: pt)
case 0
show ?case
including no_take_bit
apply (simp only: ptSlot_upd_def lookupPTSlotFromLevel.simps(1))
apply (cinitlift pt_' vptr_', simp only:)
apply (rule ccorres_rhs_assoc)+
@ -531,11 +530,9 @@ proof (induct level arbitrary: pt)
of_nat ptTranslationBits * of_nat level +
of_nat pt_bits :: machine_word) =
ptTranslationBits + ptTranslationBits * level + pt_bits"
including no_take_bit
by (simp add: bit_simps word_less_nat_alt maxPTLevel_def unat_word_ariths unat_of_nat_eq)
show ?case
including no_take_bit
apply (simp only: lookupPTSlotFromLevel.simps)
apply (subst ptSlot_upd_def)
\<comment> \<open>cinitlift will not fully eliminate pt and vptr,
@ -1067,7 +1064,6 @@ lemma setMR_as_setRegister_ccorres:
\<inter> \<lbrace>\<acute>receiver = tcb_ptr_to_ctcb_ptr thread\<rbrace>) hs
(asUser thread (setRegister reg val))
(Call setMR_'proc)"
including no_take_bit
apply (rule ccorres_grab_asm)
apply (cinit' lift: reg___unsigned_long_' offset_' receiver_')
apply (clarsimp simp: n_msgRegisters_def length_of_msgRegisters)
@ -1692,7 +1688,7 @@ lemma page_table_at'_array_assertion_weak[unfolded ptTranslationBits_def, simpli
assumes "n < 2^(ptTranslationBits-1)"
shows "array_assertion (pte_Ptr pt) ((unat (2^(ptTranslationBits-1) + of_nat n::machine_word)))
(hrs_htd (t_hrs_' (globals s')))"
using assms including no_take_bit
using assms
by (fastforce intro: page_table_at'_array_assertion
simp: unat_add_simple ptTranslationBits_def word_bits_def unat_of_nat)
@ -1702,7 +1698,7 @@ lemma page_table_at'_array_assertion_strong[unfolded ptTranslationBits_def, simp
assumes "n < 2^(ptTranslationBits-1)"
shows "array_assertion (pte_Ptr pt) (Suc (unat (2^(ptTranslationBits-1) + of_nat n::machine_word)))
(hrs_htd (t_hrs_' (globals s')))"
using assms including no_take_bit
using assms
by (fastforce intro: page_table_at'_array_assertion
simp: unat_add_simple ptTranslationBits_def word_bits_def unat_of_nat)
@ -1721,7 +1717,6 @@ proof -
"\<And>n. n < 256 \<Longrightarrow> ?enum n = 0x800 + of_nat n * 8"
by (auto simp: upto_enum_word_nth word_shiftl_add_distrib shiftl_t2n)
show ?thesis
including no_take_bit
apply (cinit lift: newLvl1pt_' simp: ptIndex_maxPTLevel_pptrBase ptTranslationBits_def)
apply (rule ccorres_pre_gets_riscvKSGlobalPT_ksArchState, rename_tac globalPT)
apply (rule ccorres_rel_imp[where r=dc, OF _ dc_simp])


@ -1332,7 +1332,7 @@ lemma cDomScheduleIdx_to_H_correct:
assumes cstate_rel: "cstate_relation as cs"
assumes ms: "cstate_to_machine_H cs = observable_memory (ksMachineState as) (user_mem' as)"
shows "unat (ksDomScheduleIdx_' cs) = ksDomScheduleIdx as"
using assms including no_take_bit
using assms
by (clarsimp simp: cstate_relation_def Let_def observable_memory_def valid_state'_def
newKernelState_def unat_of_nat_eq cdom_schedule_relation_def)


@ -732,7 +732,6 @@ shows
\<inter> {s. asid_base_' s = base}) []
(liftE (performASIDControlInvocation (MakePool frame slot parent base)))
(Call performASIDControlInvocation_'proc)"
including no_take_bit
apply (rule ccorres_gen_asm)
apply (simp only: liftE_liftM ccorres_liftM_simp)
apply (cinit lift: frame_' slot_' parent_' asid_base_')
@ -1366,7 +1365,6 @@ lemma checkVPAlignment_spec:
"\<forall>s. \<Gamma>\<turnstile> \<lbrace>s. \<acute>sz < 3\<rbrace> Call checkVPAlignment_'proc
{t. ret__unsigned_long_' t = from_bool
(vmsz_aligned (w_' s) (framesize_to_H (sz_' s)))}"
including no_take_bit
apply (rule allI, rule conseqPre, vcg)
apply (clarsimp simp: mask_eq_iff_w2p word_size)
apply (rule conjI)
@ -1456,7 +1454,7 @@ lemma ccorres_pre_getObject_pte:
lemma ptr_add_uint_of_nat [simp]:
"a +\<^sub>p uint (of_nat b :: machine_word) = a +\<^sub>p (int b)"
including no_take_bit by (clarsimp simp: CTypesDefs.ptr_add_def)
by (clarsimp simp: CTypesDefs.ptr_add_def)
declare int_unat[simp]
@ -4792,7 +4790,6 @@ lemma first_last_highbits_eq_port_set:
\<Longrightarrow> \<exists>port::16 word.
unat f \<le> unat port \<and> unat port \<le> unat l
\<and> arr.[unat (port >> 6)] !! unat (port && 0x3F)"
including no_take_bit
apply (frule word_exists_nth[OF word_neq_0_conv[THEN iffD2], OF unat_less_impl_less, simplified],
clarsimp simp: word_size)
apply (rule_tac x="(l && ~~ mask 6) + of_nat i" in exI)
@ -4937,7 +4934,6 @@ lemma isIOPortRangeFree_spec:
ret__unsigned_long_' t = from_bool
(\<forall>port. first_port_' \<sigma> \<le> port \<and> port \<le> last_port_' \<sigma>
\<longrightarrow> \<not> port_array \<sigma>.[unat (port >> wordRadix)] !! unat (port && mask wordRadix))}"
including no_take_bit
apply (rule allI)
subgoal for \<sigma>
apply (hoare_rule HoarePartial.ProcNoRec1)


@ -1768,7 +1768,6 @@ lemma untypedZeroRange_idx_forward_helper:
\<Longrightarrow> (case (untypedZeroRange cap, untypedZeroRange (capFreeIndex_update (\<lambda>_. idx) cap))
of (Some (a, b), Some (a', b')) \<Rightarrow> {a' ..+ unat (b' + 1 - a')} \<subseteq> {a ..+ unat (b + 1 - a)}
| _ \<Rightarrow> True)"
including no_take_bit
apply (clarsimp split: option.split)
apply (clarsimp simp: untypedZeroRange_def max_free_index_def Let_def
isCap_simps valid_cap_simps' capAligned_def untypedBits_defs
@ -1811,7 +1810,6 @@ lemma untypedZeroRange_idx_backward_helper:
of Some (a, b) \<Rightarrow> {a ..+ unat (b + 1 - a)}
| None \<Rightarrow> {})
)"
including no_take_bit
apply (clarsimp split: option.split, intro impI conjI allI)
apply (rule intvl_both_le; clarsimp simp: untypedZeroRange_def
max_free_index_def Let_def
@ -3067,7 +3065,6 @@ lemma sameRegionAs_spec:
"\<forall>capa capb. \<Gamma> \<turnstile> \<lbrace>ccap_relation capa \<acute>cap_a \<and> ccap_relation capb \<acute>cap_b \<and> capAligned capb\<rbrace>
Call sameRegionAs_'proc
\<lbrace> \<acute>ret__unsigned_long = from_bool (sameRegionAs capa capb) \<rbrace>"
including no_take_bit
apply vcg
apply clarsimp
apply (simp add: sameRegionAs_def isArchCap_tag_def2 ccap_relation_c_valid_cap)


@ -372,7 +372,6 @@ lemma ccorres_cutMon_locateSlotCap_Zombie:
{s. array_assertion (cte_Ptr (capZombiePtr cap)) (capZombieNumber cap - 1)
(hrs_htd (t_hrs_' (globals s))) \<longrightarrow> s \<in> Q'} hs
(cutMon ((=) s) (locateSlotCap cap n >>= a)) c"
including no_take_bit
apply (simp add: locateSlot_conv in_monad cutMon_walk_bind)
apply (rule ccorres_gen_asm)
apply (rule ccorres_guard_imp2)
@ -421,7 +420,6 @@ lemma reduceZombie_ccorres1:
(invs' and sch_act_simple and cte_wp_at' (\<lambda>cte. cteCap cte = cap) slot)
(UNIV \<inter> {s. slot_' s = Ptr slot} \<inter> {s. immediate_' s = from_bool expo}) []
(cutMon ((=) s) (reduceZombie cap slot expo)) (Call reduceZombie_'proc)"
including no_take_bit
apply (cinit' lift: slot_' immediate_')
apply (simp add: from_bool_0 del: Collect_const)
apply (rule_tac P="capZombieNumber cap < 2 ^ word_bits" in ccorres_gen_asm)


@ -460,7 +460,6 @@ proof -
ultimately show ?thesis
unfolding ctcb_ptr_to_tcb_ptr_def ctcb_offset_defs
including no_take_bit
apply -
apply (clarsimp simp: field_simps objBits_simps' size_of_def)
apply (drule intvlD)


@ -1030,7 +1030,6 @@ lemma deleteASIDPool_ccorres:
"ccorres dc xfdc (invs' and (\<lambda>_. base < 2 ^ 12 \<and> pool \<noteq> 0))
(UNIV \<inter> {s. asid_base_' s = base} \<inter> {s. pool_' s = Ptr pool}) []
(deleteASIDPool base pool) (Call deleteASIDPool_'proc)"
including no_take_bit
apply (rule ccorres_gen_asm)
apply (cinit lift: asid_base_' pool_' simp: whileAnno_def)
apply (rule ccorres_assert)
@ -1358,7 +1357,6 @@ lemma flushTable_ccorres:
(UNIV \<inter> {s. asid_' s = asid} \<inter> {s. vptr_' s = vptr}
\<inter> {s. pt_' s = pte_Ptr ptPtr} \<inter> {s. vspace_' s = pml4e_Ptr vspace})
[] (flushTable vspace vptr ptPtr asid) (Call flushTable_'proc)"
including no_take_bit
apply (rule ccorres_gen_asm)
apply (cinit lift: asid_' vptr_' pt_' vspace_')
apply (rule ccorres_assert)


@ -664,7 +664,6 @@ lemma Arch_decodeIRQControlInvocation_ccorres:
have irq64_helper_three:
"\<And>irq. \<not> 107 < unat irq \<Longrightarrow>
toEnum (16 + unat (UCAST(64 \<rightarrow> 8) irq)) \<le> SCAST(32 signed \<rightarrow> 8) Kernel_C.maxIRQ"
including no_take_bit
supply Word.of_nat_unat[simp del]
apply (subst toEnum_of_nat)
apply (simp add: unat_ucast)


@ -191,7 +191,6 @@ lemma decodeDomainInvocation_ccorres:
apply clarsimp
apply (vcg exspec=getSyscallArg_modifies)
including no_take_bit
apply (clarsimp simp: valid_tcb_state'_def invs_valid_queues' invs_valid_objs'
invs_queues invs_sch_act_wf' ct_in_state'_def pred_tcb_at'
rf_sr_ksCurThread word_sle_def word_sless_def sysargs_rel_to_n
@ -1676,7 +1675,6 @@ lemma clearMemory_untyped_ccorres:
[]
(doMachineOp (clearMemory ptr (2 ^ sz))) (Call clearMemory_'proc)"
(is "ccorres dc xfdc ?P ?P' [] ?m ?c")
including no_take_bit
apply (rule ccorres_gen_asm)
apply (cinit' lift: bits_' ptr___ptr_to_void_')
apply (rule_tac P="ptr \<noteq> 0 \<and> sz < word_bits" in ccorres_gen_asm)
@ -1806,7 +1804,6 @@ lemma byte_regions_unmodified_actually_heap_list:
lemma ucast_64_32[simp]:
"UCAST(64 \<rightarrow> 32) (of_nat x) = of_nat x"
including no_take_bit
by (simp add: ucast_of_nat is_down_def source_size_def target_size_def word_size)
lemma resetUntypedCap_ccorres:
@ -2359,7 +2356,6 @@ lemma invokeUntyped_Retype_ccorres:
(ptr + of_nat (shiftL (length destSlots)
(APIType_capBits newType us)))) >> 4"
using cover range_cover_sz'[OF cover]
including no_take_bit
apply (simp add: getFreeIndex_def shiftl_t2n
unat_of_nat_eq shiftL_nat)
apply (rule less_mask_eq)
@ -2377,7 +2373,6 @@ lemma invokeUntyped_Retype_ccorres:
(liftxf errstate id (K ()) ret__unsigned_long_') (\<lambda>s'. s' = s) ?P'
[] (invokeUntyped (Retype cref reset ptr_base ptr newType us destSlots isdev))
(Call invokeUntyped_Retype_'proc)"
including no_take_bit
apply (cinit lift: retypeBase_' srcSlot_' reset_' newType_'
userSize_' deviceMemory_' destCNode_' destOffset_' destLength_'
simp: when_def)
@ -2863,7 +2858,6 @@ lemma decodeUntypedInvocation_ccorres_helper:
liftE (stateAssert (valid_untyped_inv' uinv) []); returnOk uinv odE)
>>= invocationCatch thread isBlocking isCall InvokeUntyped)
(Call decodeUntypedInvocation_'proc)"
including no_take_bit
supply if_cong[cong] option.case_cong[cong]
apply (rule ccorres_name_pre)
apply (cinit' lift: invLabel_' length___unsigned_long_' cap_' slot_' current_extra_caps_' call_' buffer_'


@ -836,7 +836,6 @@ lemma cready_queues_index_to_C_def2:
"\<lbrakk> qdom \<le> maxDomain; prio \<le> maxPriority \<rbrakk>
\<Longrightarrow> cready_queues_index_to_C qdom prio
= unat (ucast qdom * of_nat numPriorities + ucast prio :: machine_word)"
including no_take_bit
using numPriorities_machine_word_safe
apply -
apply (frule (1) cready_queues_index_to_C_in_range[simplified maxDom_to_H maxPrio_to_H])
@ -915,7 +914,6 @@ lemma cbitmap_L1_relation_bit_set:
(Arrays.update (ksReadyQueuesL1Bitmap_' (globals x)) (unat d)
(ksReadyQueuesL1Bitmap_' (globals x).[unat d] || 2 ^ unat (p >> wordRadix)))
((ksReadyQueuesL1Bitmap \<sigma>)(d := ksReadyQueuesL1Bitmap \<sigma> d || 2 ^ prioToL1Index p))"
including no_take_bit
apply (unfold cbitmap_L1_relation_def)
apply (clarsimp simp: le_maxDomain_eq_less_numDomains word_le_nat_alt prioToL1Index_def
num_domains_index_updates)
@ -2182,7 +2180,6 @@ proof -
(* FIXME generalise *)
have word_clz_sint_upper[simp]:
"\<And>(w::machine_word). sint (of_nat (word_clz w) :: 64 signed word) \<le> 0x800000000000003F"
including no_take_bit
apply (subst sint_eq_uint)
apply (rule not_msb_from_less)
apply simp
@ -2218,7 +2215,6 @@ proof -
"\<And>(w::machine_word). \<lbrakk> w \<noteq> 0 ; word_log2 w < l2BitmapSize \<rbrakk> \<Longrightarrow>
unat (of_nat l2BitmapSize - (1::machine_word) - of_nat (word_log2 w))
= invertL1Index (word_log2 w)"
including no_take_bit
apply (subst unat_sub)
apply (clarsimp simp: l2BitmapSize_def')
apply (rule word_of_nat_le)
@ -2233,7 +2229,6 @@ proof -
include no_less_1_simps
show ?thesis
including no_take_bit
apply (cinit lift: dom_')
apply (clarsimp split del: if_split)
apply (rule ccorres_pre_getReadyQueuesL1Bitmap)
@ -2354,7 +2349,6 @@ lemma possibleSwitchTo_ccorres:
\<inter> UNIV) []
(possibleSwitchTo t )
(Call possibleSwitchTo_'proc)"
including no_take_bit
supply if_split [split del]
supply Collect_const [simp del]
supply dc_simp [simp del]


@ -974,7 +974,6 @@ lemma setMR_ccorres:
\<inter> {s. receiver_' s = tcb_ptr_to_ctcb_ptr thread}
\<inter> {s. receiveIPCBuffer_' s = option_to_ptr buf}) []
(setMR thread buf offset v) (Call setMR_'proc)"
including no_take_bit
apply (rule ccorres_gen_asm)
apply (cinit lift: offset_' reg___unsigned_long_' receiver_' receiveIPCBuffer_')
apply (rule ccorres_cond2'[where R=\<top>])
@ -1260,7 +1259,6 @@ lemma copyMRs_register_loop_helper:
(CALL setRegister(tcb_ptr_to_ctcb_ptr receiver,
ucast (index msgRegistersC (unat \<acute>i)),
\<acute>ret__unsigned_long)))"
including no_take_bit
apply clarsimp
apply (rule ccorres_guard_imp)
apply ctac
@ -1512,7 +1510,6 @@ lemma copyMRsFault_ccorres_exception:
hs
(mapM_x (\<lambda>(x, y). setMR receiver recvBuffer x y) (zip [0..<120] msg))
(Call copyMRsFault_'proc)"
including no_take_bit
apply (unfold K_def)
apply (intro ccorres_gen_asm)
apply (cinit' lift: sender_' receiver_' receiveIPCBuffer_'
@ -2329,7 +2326,6 @@ lemma setExtraBadge_ccorres:
hs
(setExtraBadge buffer badge n)
(Call setExtraBadge_'proc)"
including no_take_bit
apply (rule ccorres_gen_asm)
apply (cinit lift: bufferPtr_' badge_' i_')
apply (unfold storeWordUser_def)
@ -2619,7 +2615,6 @@ proof (rule ccorres_gen_asm, induct caps arbitrary: n slots mi)
note if_split[split]
case Nil
thus ?case
including no_take_bit
apply (simp only: transferCapsToSlots.simps)
apply (rule ccorres_guard_imp2)
apply (rule ccorres_Guard_Seq ccorres_rhs_assoc)+
@ -2643,7 +2638,6 @@ next
let ?S="\<lbrace>\<acute>i=of_nat n \<and> mi=message_info_to_H \<acute>info\<rbrace>"
have n3: "n \<le> 3" using Cons.prems by simp
hence of_nat_n3[intro!]: "of_nat n \<le> (3 :: machine_word)"
including no_take_bit
by (simp add: word_le_nat_alt unat_of_nat)
have drop_n_foo: "\<And>xs n y ys. drop n xs = y # ys
\<Longrightarrow> \<exists>xs'. length xs' = n \<and> xs = xs' @ (y # ys)"
@ -2739,7 +2733,6 @@ next
note extra_sle_sless_unfolds [simp del]
from Cons.prems
show ?case
including no_take_bit
apply (clarsimp simp: Let_def word_sle_def[where b=5] split_def
cong: call_ignore_cong
simp del: Collect_const)
@ -3199,7 +3192,6 @@ proof -
let ?EXCNONE = "{s. ret__unsigned_long_' s = scast EXCEPTION_NONE}"
let ?interpret = "\<lambda>v n. take n (array_to_list (excaprefs_C v))"
show ?thesis
including no_take_bit
apply (rule ccorres_gen_asm)+
apply (cinit(no_subst_asm) lift: thread_' bufferPtr_' info_' simp: whileAnno_def)
apply (clarsimp simp add: getExtraCPtrs_def lookupCapAndSlot_def
@ -3640,7 +3632,6 @@ lemma copyMRsFaultReply_ccorres_exception:
(Call copyMRsFaultReply_'proc)"
proof -
show ?thesis
including no_take_bit
apply (unfold K_def, rule ccorres_gen_asm) using [[goals_limit=1]]
apply (cinit' lift: sender_' receiver_'
id___anonymous_enum_'
@ -3755,7 +3746,6 @@ lemma copyMRsFaultReply_ccorres_syscall:
note symb_exec_r_fault = ccorres_symb_exec_r_known_rv_UNIV
[where xf'=ret__unsigned_' and R="?obj_at_ft" and R'=UNIV]
show ?thesis
including no_take_bit
apply (unfold K_def, rule ccorres_gen_asm) using [[goals_limit=1]]
apply (cinit' lift: sender_' receiver_'
id___anonymous_enum_'


@ -268,7 +268,6 @@ lemma clearMemory_PageCap_ccorres:
[]
(doMachineOp (clearMemory ptr (2 ^ pageBitsForSize sz))) (Call clearMemory_'proc)"
(is "ccorres dc xfdc ?P ?P' [] ?m ?c")
including no_take_bit
apply (cinit' lift: bits_' ptr___ptr_to_void_')
apply (rule_tac P="capAligned (ArchObjectCap (PageCap ptr undefined mt sz False None))"
in ccorres_gen_asm)
@ -1268,7 +1267,6 @@ lemma updateFreeIndex_ccorres:
\<longrightarrow> region_actually_is_zero_bytes (capPtr cap' + of_nat idx') (capFreeIndex cap' - idx') s} hs
(updateFreeIndex srcSlot idx') c"
(is "_ \<Longrightarrow> ccorres dc xfdc (valid_objs' and ?cte_wp_at' and _ and _) ?P' hs ?a c")
including no_take_bit
apply (rule ccorres_gen_asm)
apply (simp add: updateFreeIndex_def getSlotCap_def updateCap_def)
apply (rule ccorres_guard_imp2)


@ -598,7 +598,6 @@ qed
lemma h_t_array_valid_retyp:
"0 < n \<Longrightarrow> n * size_of TYPE('a) < addr_card
\<Longrightarrow> h_t_array_valid (ptr_arr_retyps n p htd) (p :: ('a :: wf_type) ptr) n"
including no_take_bit
apply (clarsimp simp: ptr_arr_retyps_def h_t_array_valid_def
valid_footprint_def)
apply (simp add: htd_update_list_index intvlI mult.commute)
@ -1480,7 +1479,6 @@ lemma zero_ranges_ptr_retyps:
\<Longrightarrow> valid_objs' s
\<Longrightarrow> zero_ranges_are_zero (gsUntypedZeroRanges s)
(hrs_htd_update (ptr_retyps_gen n p arr) hrs)"
including no_take_bit
apply (clarsimp simp: zero_ranges_are_zero_def untyped_ranges_zero_inv_def
hrs_htd_update)
apply (drule(1) bspec, clarsimp)
@ -3232,7 +3230,6 @@ declare Collect_const_mem [simp]
lemma createNewCaps_untyped_if_helper:
"\<forall>s s'. (s, s') \<in> rf_sr \<and> (sz < word_bits \<and> gbits < word_bits) \<and> True \<longrightarrow>
(\<not> gbits \<le> sz) = (s' \<in> \<lbrace>of_nat sz < (of_nat gbits :: machine_word)\<rbrace>)"
including no_take_bit
by (clarsimp simp: not_le unat_of_nat64 word_less_nat_alt lt_word_bits_lt_pow)
lemma true_mask1 [simp]:
@ -3498,7 +3495,6 @@ qed
lemma tcb_ptr_orth_cte_ptrs:
"{ptr_val p..+size_of TYPE(tcb_C)} \<inter> {ctcb_ptr_to_tcb_ptr p..+5 * size_of TYPE(cte_C)} = {}"
including no_take_bit
apply (rule disjointI)
apply (clarsimp simp: ctcb_ptr_to_tcb_ptr_def intvl_def field_simps size_of_def ctcb_offset_defs)
apply unat_arith
@ -3508,7 +3504,6 @@ lemma tcb_ptr_orth_cte_ptrs:
lemma tcb_ptr_orth_cte_ptrs':
"ptr_span (tcb_Ptr (regionBase + 0x400)) \<inter> ptr_span (Ptr regionBase :: (cte_C[5]) ptr) = {}"
including no_take_bit
apply (rule disjointI)
apply (clarsimp simp: ctcb_ptr_to_tcb_ptr_def size_td_array
intvl_def field_simps size_of_def ctcb_offset_def)
@ -3698,7 +3693,6 @@ proof -
"region_is_bytes' (ctcb_ptr_to_tcb_ptr p) (5 * size_of TYPE(cte_C))
(ptr_retyps_gen 1 p False (hrs_htd (t_hrs_' (globals x))))"
using al region_is_bytes_subset[OF empty] tcb_ptr_to_ctcb_ptr_in_range'
including no_take_bit
apply (simp add: objBits_simps kotcb_def)
apply (clarsimp simp: region_is_bytes'_def)
apply (subst(asm) ptr_retyps_gen_out)
@ -3742,7 +3736,6 @@ proof -
{k. k < 5}
then Some (from_bytes (replicate (size_of TYPE(cte_C)) 0)) else cslift x y)"
using cgp unfolding heap_updates_defs
including no_take_bit
apply (simp add: ptr_retyp_to_array[simplified] hrs_comm[symmetric] Let_def)
apply (subst clift_ptr_retyps_gen_prev_memset_same[OF guard],
simp_all add: hrs_htd_update empty_smaller[simplified])
@ -5043,7 +5036,6 @@ lemma ghost_assertion_size_logic_no_unat:
\<Longrightarrow> (s, \<sigma>) \<in> rf_sr
\<Longrightarrow> gs_get_assn cap_get_capSizeBits_'proc (ghost'state_' (globals \<sigma>)) = 0 \<or>
of_nat sz \<le> gs_get_assn cap_get_capSizeBits_'proc (ghost'state_' (globals \<sigma>))"
including no_take_bit
apply (rule ghost_assertion_size_logic'[rotated])
apply (simp add: rf_sr_def)
apply (simp add: unat_of_nat)
@ -7867,7 +7859,6 @@ lemma range_cover_bound'':
lemma caps_no_overlap''_cell:
"\<lbrakk>range_cover ptr sz us n;caps_no_overlap'' ptr sz s;p < n\<rbrakk>
\<Longrightarrow> caps_no_overlap'' (ptr + (of_nat p << us)) us s"
including no_take_bit
apply (clarsimp simp:caps_no_overlap''_def)
apply (drule(1) bspec)
apply (subgoal_tac "{ptr + (of_nat p << us)..(ptr + (of_nat p << us) && ~~ mask us) + 2 ^ us - 1}
@ -8289,7 +8280,6 @@ lemma offset_intvl_first_chunk_subsets_unat:
\<and> {p + (i << bits) ..+ 2 ^ bits}
\<inter> {p + ((i + 1) << bits) ..+ unat (n' - (i + 1)) * 2 ^ bits}
= {}"
including no_take_bit
apply (subgoal_tac "unat (n' - (i + 1)) = unat n' - unat (i + 1)
\<and> unat (n' - i) = unat n' - unat i")
apply (frule(1) offset_intvl_first_chunk_subsets)
@ -8308,7 +8298,6 @@ lemma retype_offs_region_actually_is_zero_bytes:
\<Longrightarrow> region_actually_is_zero_bytes ptr
(num_ret * 2 ^ APIType_capBits newType userSize) s'"
using word_unat_mask_lt[where w=ptr and m=sz]
including no_take_bit
apply -
apply (frule range_cover.sz(1))
apply (drule(2) ctes_of_untyped_zero_rf_sr)
@ -8458,7 +8447,6 @@ shows "ccorres dc xfdc
(createNewObjects newType srcSlot destSlots ptr userSize isdev)
(Call createNewObjects_'proc)"
unfolding from_bool_to_bool_iff
including no_take_bit
supply if_cong[cong]
apply (rule ccorres_gen_asm_state)
apply clarsimp


@ -2570,7 +2570,6 @@ lemma numDomains_sge_1_simp:
lemma unat_scast_numDomains:
"unat (SCAST(32 signed \<rightarrow> machine_word_len) Kernel_C.numDomains) = unat Kernel_C.numDomains"
including no_take_bit
by (simp add: scast_eq sint_numDomains_to_H unat_numDomains_to_H numDomains_machine_word_safe)
end


@ -966,7 +966,6 @@ proof -
have horrible_helper:
"\<And>v p. v \<le> 7 \<Longrightarrow> (7 - unat (p && mask 3 :: machine_word) = v) =
(p && mask 3 = 7 - of_nat v)"
including no_take_bit
apply (simp add: unat_arith_simps unat_of_nat)
apply (cut_tac p=p in unat_mask_3_less_8)
apply arith


@ -1180,7 +1180,6 @@ lemma invokeTCB_CopyRegisters_ccorres:
\<inter> {s. to_bool (transferInteger_' s) = ints}) []
(invokeTCB (CopyRegisters destn source susp resume frames ints arch))
(Call invokeTCB_CopyRegisters_'proc)"
including no_take_bit
apply (cinit lift: dest___ptr_to_struct_tcb_C_' tcb_src_' resumeTarget_'
suspendSource_' transferFrame_' transferInteger_'
simp: whileAnno_def)
@ -1563,7 +1562,6 @@ lemma invokeTCB_WriteRegisters_ccorres[where S=UNIV]:
\<inter> {s. buffer_' s = option_to_ptr buffer}) []
(invokeTCB (WriteRegisters dst resume values arch))
(Call invokeTCB_WriteRegisters_'proc)"
including no_take_bit
apply (rule ccorres_gen_asm)
apply (erule conjE)
apply (cinit lift: n_' dest___ptr_to_struct_tcb_C_' resumeTarget_' buffer_'
@ -1812,7 +1810,6 @@ shows
(doE reply \<leftarrow> invokeTCB (ReadRegisters target susp n archCp);
liftE (replyOnRestart thread reply isCall) odE)
(Call invokeTCB_ReadRegisters_'proc)"
including no_take_bit
apply (rule ccorres_gen_asm)
apply (cinit' lift: tcb_src_' suspendSource_' n_' call_'
simp: invokeTCB_def liftE_bindE bind_assoc)


@ -1397,7 +1397,6 @@ lemma setMR_as_setRegister_ccorres:
\<inter> \<lbrace>\<acute>receiver = tcb_ptr_to_ctcb_ptr thread\<rbrace>) hs
(asUser thread (setRegister reg val))
(Call setMR_'proc)"
including no_take_bit
apply (rule ccorres_grab_asm)
apply (cinit' lift: reg___unsigned_long_' offset_' receiver_')
apply (clarsimp simp: n_msgRegisters_def length_of_msgRegisters)


@ -1248,7 +1248,6 @@ lemma store_pte_page_inv_entries_safe:
\<lbrace>\<lambda>rv s. (\<exists>f. ko_at (ArchObj (arch_kernel_obj.PageTable f)) (hd bb && ~~ mask pt_bits) s
\<and> (\<forall>slot\<in>set (tl bb). f (ucast (slot && mask pt_bits >> 2)) = ARM_A.pte.InvalidPTE))
\<and> (\<forall>sl\<in>set (tl bb). sl && ~~ mask pt_bits = hd bb && ~~ mask pt_bits)\<rbrace>"
including no_take_bit
apply (simp add:store_pte_def set_pt_def set_object_def)
apply (wp get_object_wp)
apply (clarsimp simp:obj_at_def page_inv_entries_safe_def split:if_splits)
@ -1291,7 +1290,6 @@ lemma store_pde_page_inv_entries_safe:
\<lbrace>\<lambda>rv s. (\<exists>f. ko_at (ArchObj (arch_kernel_obj.PageDirectory f)) (hd bb && ~~ mask pd_bits) s
\<and> (\<forall>slot\<in>set (tl bb). f (ucast (slot && mask pd_bits >> 2)) = ARM_A.pde.InvalidPDE))
\<and> (\<forall>sl\<in>set (tl bb). sl && ~~ mask pd_bits = hd bb && ~~ mask pd_bits)\<rbrace>"
including no_take_bit
apply (simp add:store_pde_def set_pd_def set_object_def)
apply (wp get_object_wp)
apply (clarsimp simp:obj_at_def page_inv_entries_safe_def split:if_splits)


@ -1134,7 +1134,6 @@ lemma set_asid_pool_empty'_helper:
"n < 1023 \<Longrightarrow>
(if x = ucast ((1 :: word32) + of_nat n) then None else if x \<le> of_nat n then None else ap x) =
(if (x :: 10 word) \<le> 1 + of_nat n then None else ap x)"
including no_take_bit
apply (frule of_nat_mono_maybe[where x="2^10 - 1" and 'a=10, simplified])
apply (subgoal_tac "ucast (1 + of_nat n :: word32) = (1 + of_nat n :: 10 word)")
prefer 2
@ -1684,7 +1683,6 @@ lemma dcorres_clear_object_caps_pt:
"dcorres dc \<top> (invs and cte_wp_at ((=) (cap.ArchObjectCap (arch_cap.PageTableCap w option))) (a, b))
(clear_object_caps w)
(mapM_x (swp store_pte ARM_A.pte.InvalidPTE) [w , w + 4 .e. w + 2 ^ pt_bits - 1])"
including no_take_bit
apply (clarsimp simp: clear_object_caps_def gets_def)
apply (rule dcorres_absorb_get_l)
apply (subgoal_tac "\<exists>ptx. (ko_at (ArchObj (arch_kernel_obj.PageTable ptx)) w) s'")


@ -59,13 +59,11 @@ lemma tcb_cap_casesE:
lemma tcb_cnode_index_def2:
"n < 8 \<Longrightarrow> tcb_cnode_index n = bin_to_bl 3 (int n)"
unfolding tcb_cnode_index_def to_bl_def
including no_take_bit
by (simp add: uint_nat unat_of_nat)
lemma bl_to_bin_tcb_cnode_index:
"n < 8 \<Longrightarrow> nat (bl_to_bin (tcb_cnode_index n)) = n"
unfolding tcb_cnode_index_def
including no_take_bit
by (simp add: unat_of_nat)
(* LIFT LEMMAS:


@ -270,7 +270,6 @@ lemma nat_to_bl_dest:
lemma bl_to_bin_tcb_cnode_index_le0:
"n < 8 \<Longrightarrow> (bl_to_bin (tcb_cnode_index n) \<le> 0) = (n = 0)"
including no_take_bit
by (simp add: tcb_cnode_index_def uint_nat unat_of_nat)
lemma nat_bl_to_bin_lt2p: "nat(bl_to_bin b) < 2 ^ length b"


@ -1271,7 +1271,6 @@ lemma reset_untyped_cap_corres:
and (\<lambda>s. descendants_of cref (cdt s) = {}))
(Untyped_D.reset_untyped_cap (transform_cslot_ptr cref))
(Retype_A.reset_untyped_cap cref)"
including no_take_bit
supply if_cong[cong]
apply (rule dcorres_expand_pfx)
apply (clarsimp simp: cte_wp_at_caps_of_state is_cap_simps)


@ -205,7 +205,6 @@ lemma valid_msg_length_strengthen [Ipc_AI_assms]:
apply (clarsimp simp: valid_message_info_def)
apply (subgoal_tac "unat (mi_length mi) \<le> unat (of_nat msg_max_length :: word32)")
apply (clarsimp simp: unat_of_nat msg_max_length_def)
including no_take_bit
apply (clarsimp simp: un_ui_le word_le_def)
done


@ -205,7 +205,6 @@ lemma valid_msg_length_strengthen [Ipc_AI_assms]:
apply (clarsimp simp: valid_message_info_def)
apply (subgoal_tac "unat (mi_length mi) \<le> unat (of_nat msg_max_length :: word32)")
apply (clarsimp simp: unat_of_nat msg_max_length_def)
including no_take_bit
apply (clarsimp simp: un_ui_le word_le_def)
done


@ -65,7 +65,6 @@ lemma ucast_assocs:
"LENGTH('a) < LENGTH('b) \<Longrightarrow>
assocs (fn o (ucast :: 'a :: len word \<Rightarrow> 'b :: len word))
= map (\<lambda>(x, y). (ucast x, y)) (filter (\<lambda>(x, y). x < 2 ^ LENGTH('a)) (assocs fn))"
including no_take_bit
apply (simp add: assocs_def enum_word_def split_def filter_map)
apply (rule map_cong)
apply (simp add: o_def)
@ -86,7 +85,6 @@ lemma ucast_assocs:
lemma ucast_le_migrate:
"\<lbrakk> y < 2 ^ size x; size x < size y \<rbrakk> \<Longrightarrow> (ucast x \<le> y) = (x \<le> ucast y)"
for x :: "'a :: len word" and y :: "'b :: len word"
including no_take_bit
apply (simp add: word_le_def ucast_def del: Word.of_int_uint)
apply (subst word_uint.Abs_inverse)
apply (simp add: uints_num word_size)


@ -964,7 +964,6 @@ lemma (in Detype_AI) mapM_storeWord_clear_um:
lemma intvl_range_conv':
"\<lbrakk>is_aligned (ptr::'a :: len word) bits; bits \<le> len_of TYPE('a)\<rbrakk> \<Longrightarrow>
(\<exists>k. x = ptr + of_nat k \<and> k < 2 ^ bits) \<longleftrightarrow> (ptr \<le> x \<and> x \<le> ptr + 2 ^ bits - 1)"
including no_take_bit
apply (rule iffI)
apply (clarsimp simp: x_power_minus_1 mask_2pm1[symmetric])
apply (frule is_aligned_no_overflow'[simplified mask_2pm1[symmetric]])


@ -200,7 +200,6 @@ lemma valid_msg_length_strengthen [Ipc_AI_assms]:
apply (clarsimp simp: valid_message_info_def)
apply (subgoal_tac "unat (mi_length mi) \<le> unat (of_nat msg_max_length :: machine_word)")
apply (clarsimp simp: unat_of_nat msg_max_length_def)
including no_take_bit
apply (clarsimp simp: un_ui_le word_le_def)
done


@ -223,7 +223,6 @@ proof -
apply (case_tac "p = 0")
apply (insert pointer)
apply (clarsimp simp: range_cover_def pointer)
including no_take_bit
apply (simp add:unat_word_ariths)
apply (rule le_less_trans[OF mod_less_eq_dividend])
apply (rule less_le_trans[OF mult_less_mono1[where j = n]])
@ -674,7 +673,6 @@ lemma range_cover_not_zero:
lemma range_cover_not_zero_shift:
"\<lbrakk>n \<noteq> 0; range_cover (ptr :: 'a :: len word) sz bits n; gbits \<le> bits\<rbrakk>
\<Longrightarrow> ((of_nat n) :: 'a :: len word) << gbits \<noteq> 0"
including no_take_bit
apply (rule word_shift_nonzero[where m = "sz-gbits"])
prefer 2
apply (clarsimp simp:range_cover_def)
@ -708,7 +706,6 @@ lemma range_cover_cell_subset:
apply (simp add:is_aligned_mask mask_twice range_cover_def min_def)
done
show ?thesis
including no_take_bit
using cover cmp
apply clarsimp
apply (intro conjI)


@ -384,8 +384,6 @@ lemma range_cover_stuff:
range_cover (alignUp (w + ((of_nat rv)::machine_word)) bits) sz bits n"
apply (clarsimp simp: range_cover_def)
proof (intro conjI)
include no_take_bit
assume not_0 : "0<n"
assume bound : "n \<le> unat ((2::machine_word) ^ sz - of_nat rv >> bits)" "rv\<le> 2^sz"
"sz < word_bits"
@ -704,7 +702,6 @@ lemma inj_bits:
lemma of_nat_shiftR:
"a < 2 ^ word_bits \<Longrightarrow>
unat (of_nat (shiftR a b)::machine_word) = unat ((of_nat a :: machine_word) >> b)"
including no_take_bit
apply (subst shiftr_div_2n')
apply (clarsimp simp: shiftR_nat)
apply (subst unat_of_nat_eq[where 'a=machine_word_len])


@ -205,7 +205,6 @@ lemma valid_msg_length_strengthen [Ipc_AI_assms]:
apply (clarsimp simp: valid_message_info_def)
apply (subgoal_tac "unat (mi_length mi) \<le> unat (of_nat msg_max_length :: machine_word)")
apply (clarsimp simp: unat_of_nat msg_max_length_def)
including no_take_bit
apply (clarsimp simp: un_ui_le word_le_def)
done


@ -1128,7 +1128,6 @@ qed
lemma cte_refs_capRange:
"\<lbrakk> s \<turnstile>' c; \<forall>irq. c \<noteq> IRQHandlerCap irq \<rbrakk> \<Longrightarrow> cte_refs' c x \<subseteq> capRange c"
including no_take_bit
apply (cases c; simp add: capRange_def isCap_simps)
apply (clarsimp dest!: valid_capAligned
simp: capAligned_def objBits_simps field_simps)


@ -3840,7 +3840,6 @@ lemma create_reply_master_corres:
lemma cte_map_nat_to_cref:
"\<lbrakk> n < 2 ^ b; b < word_bits \<rbrakk> \<Longrightarrow>
cte_map (p, nat_to_cref b n) = p + (of_nat n * 2^cte_level_bits)"
including no_take_bit
apply (clarsimp simp: cte_map_def nat_to_cref_def
dest!: less_is_drop_replicate)
apply (rule arg_cong [where f="\<lambda>x. x * 2^cte_level_bits"])


@ -4628,7 +4628,6 @@ lemma new_cap_addrs_def2:
"n < 2 ^ 32
\<Longrightarrow> new_cap_addrs (Suc n) ptr obj
= map (\<lambda>n. ptr + (n << objBitsKO obj)) [0.e.of_nat n]"
including no_take_bit
by (simp add:new_cap_addrs_def upto_enum_word unat_of_nat Fun.comp_def)
lemma createTCBs_tcb_at':
@ -4734,7 +4733,7 @@ proof -
done
show ?thesis
including no_take_bit using assms
using assms
apply (clarsimp simp:valid_pspace'_def)
apply (frule range_cover.aligned)
apply (frule(3) pspace_no_overlap'_tail)
@ -5201,7 +5200,6 @@ lemma createNewObjects_def2:
apply (simp add:range_cover_def objSize_eq_capBits)+
done
show ?case
including no_take_bit
apply simp
using snoc.prems
apply (subst upto_enum_inc_1)
@ -5487,7 +5485,7 @@ lemma createNewObjects_Cons:
case Nil thus ?case by simp
next
case (Cons x xs)
thus ?case including no_take_bit by (simp add:unat_of_nat32)
thus ?case by (simp add:unat_of_nat32)
qed
show ?thesis


@ -1735,7 +1735,6 @@ proof -
"image (\<lambda>n. ptr + 2 ^ obj_bits_api (APIType_map2 ty) us * n)
{x. x \<le> of_nat n - 1} =
set (retype_addrs ptr (APIType_map2 ty) n us)"
including no_take_bit
apply (clarsimp simp: retype_addrs_def image_def Bex_def ptr_add_def
Collect_eq)
apply (rule iffI)
@ -1769,7 +1768,6 @@ proof -
have al': "is_aligned ptr (obj_bits_api (APIType_map2 ty) us)"
by (simp add: obj_bits_api ko)
show ?thesis
including no_take_bit
apply (simp add: when_def retype_region2_def createObjects'_def
createObjects_def aligned obj_bits_api[symmetric]
ko[symmetric] al' shiftl_t2n data_map_insert_def[symmetric]
@ -1942,7 +1940,6 @@ proof -
have in_new:"\<And>idx offs. \<lbrakk>idx \<le> of_nat n - 1;offs<2 ^ gbits\<rbrakk>
\<Longrightarrow> ptr + (idx << objBitsKO ko + gbits) + (offs << objBitsKO ko)
\<in> set (new_cap_addrs (n * 2 ^ gbits) ptr ko)"
including no_take_bit
apply (insert range_cover_not_zero[OF not_0 cover] not_0)
apply (clarsimp simp:new_cap_addrs_def image_def)
apply (rule_tac x ="unat (2 ^ gbits * idx + offs)" in bexI)
@ -2912,7 +2909,7 @@ proof -
apply simp
done
have "ptr' + 2 ^ objBitsKO val - 1 \<le> ptr + of_nat n * 2 ^ objBitsKO val - 1"
using cover including no_take_bit
using cover
apply (subst decomp)
apply (simp add:add.assoc[symmetric])
apply (simp add:p_assoc_help)
@ -3316,7 +3313,6 @@ proof -
using cover
by (simp add:range_cover_def word_bits_def)
thus ?thesis
including no_take_bit
apply -
apply (insert not_0 cover ptr_in)
apply (frule range_cover.range_cover_le_n_less[OF _ le_refl])
@ -5249,7 +5245,6 @@ lemma corres_retype_region_createNewCaps:
init_arch_objects (APIType_map2 (Inr ty)) y n us x;
return x od)
(createNewCaps ty y n us dev)"
including no_take_bit
apply (rule_tac F="range_cover y sz
(obj_bits_api (APIType_map2 (Inr ty)) us) n \<and>
n \<noteq> 0 \<and>


@ -1989,7 +1989,6 @@ lemma decodeWriteRegisters_corres:
corres (ser \<oplus> tcbinv_relation) (invs and tcb_at t) (invs' and tcb_at' t)
(decode_write_registers args (cap.ThreadCap t))
(decodeWriteRegisters args (ThreadCap t))"
including no_take_bit
apply (simp add: decode_write_registers_def decodeWriteRegisters_def)
apply (cases args, simp_all)
apply (case_tac list, simp_all)


@ -258,7 +258,6 @@ next
note word_unat_power [symmetric, simp del]
show ?thesis
including no_take_bit
apply (rule corres_name_pre)
apply clarsimp
apply (subgoal_tac "cte_wp_at' (\<lambda>cte. cteCap cte = (capability.UntypedCap d w n idx)) (cte_map slot) s'")
@ -748,7 +747,6 @@ lemma decodeUntyped_wf[wp]:
(UntypedCap d w sz idx) cs
\<lbrace>valid_untyped_inv'\<rbrace>,-"
unfolding decodeUntypedInvocation_def
including no_take_bit
apply (simp add: unlessE_def[symmetric] unlessE_whenE rangeCheck_def whenE_def[symmetric]
returnOk_liftE[symmetric] Let_def cap_case_CNodeCap_True_throw
split del: if_split cong: if_cong list.case_cong)
@ -4181,7 +4179,6 @@ lemma resetUntypedCap_corres:
(invs' and valid_untyped_inv_wcap' ui' (Some (UntypedCap dev ptr sz idx)) and ct_active')
(reset_untyped_cap slot)
(resetUntypedCap (cte_map slot))"
including no_take_bit
apply (rule corres_gen_asm, clarsimp)
apply (simp add: reset_untyped_cap_def resetUntypedCap_def
liftE_bindE)


@ -1171,7 +1171,6 @@ qed
lemma cte_refs_capRange:
"\<lbrakk> s \<turnstile>' c; \<forall>irq. c \<noteq> IRQHandlerCap irq \<rbrakk> \<Longrightarrow> cte_refs' c x \<subseteq> capRange c"
including no_take_bit
apply (cases c; simp add: capRange_def isCap_simps)
apply (clarsimp dest!: valid_capAligned
simp: capAligned_def objBits_simps field_simps)


@ -3892,7 +3892,6 @@ lemma create_reply_master_corres:
lemma cte_map_nat_to_cref:
"\<lbrakk> n < 2 ^ b; b < word_bits \<rbrakk> \<Longrightarrow>
cte_map (p, nat_to_cref b n) = p + (of_nat n * 2^cte_level_bits)"
including no_take_bit
apply (clarsimp simp: cte_map_def nat_to_cref_def
dest!: less_is_drop_replicate)
apply (rule arg_cong [where f="\<lambda>x. x * 2^cte_level_bits"])


@ -4650,7 +4650,6 @@ lemma new_cap_addrs_def2:
"n < 2 ^ 32
\<Longrightarrow> new_cap_addrs (Suc n) ptr obj
= map (\<lambda>n. ptr + (n << objBitsKO obj)) [0.e.of_nat n]"
including no_take_bit
by (simp add:new_cap_addrs_def upto_enum_word unat_of_nat Fun.comp_def)
lemma createTCBs_tcb_at':
@ -4756,7 +4755,7 @@ proof -
done
show ?thesis
including no_take_bit using assms
using assms
apply (clarsimp simp:valid_pspace'_def)
apply (frule range_cover.aligned)
apply (frule(3) pspace_no_overlap'_tail)
@ -5242,7 +5241,6 @@ lemma createNewObjects_def2:
apply (simp add:range_cover_def objSize_eq_capBits)+
done
show ?case
including no_take_bit
apply simp
using snoc.prems
apply (subst upto_enum_inc_1)
@ -5528,7 +5526,7 @@ lemma createNewObjects_Cons:
case Nil thus ?case by simp
next
case (Cons x xs)
thus ?case including no_take_bit by (simp add:unat_of_nat32)
thus ?case by (simp add:unat_of_nat32)
qed
show ?thesis


@ -1748,7 +1748,6 @@ proof -
"image (\<lambda>n. ptr + 2 ^ obj_bits_api (APIType_map2 ty) us * n)
{x. x \<le> of_nat n - 1} =
set (retype_addrs ptr (APIType_map2 ty) n us)"
including no_take_bit
apply (clarsimp simp: retype_addrs_def image_def Bex_def ptr_add_def
Collect_eq)
apply (rule iffI)
@ -1782,7 +1781,6 @@ proof -
have al': "is_aligned ptr (obj_bits_api (APIType_map2 ty) us)"
by (simp add: obj_bits_api ko)
show ?thesis
including no_take_bit
apply (simp add: when_def retype_region2_def createObjects'_def
createObjects_def aligned obj_bits_api[symmetric]
ko[symmetric] al' shiftl_t2n data_map_insert_def[symmetric]
@ -1955,7 +1953,6 @@ proof -
have in_new:"\<And>idx offs. \<lbrakk>idx \<le> of_nat n - 1;offs<2 ^ gbits\<rbrakk>
\<Longrightarrow> ptr + (idx << objBitsKO ko + gbits) + (offs << objBitsKO ko)
\<in> set (new_cap_addrs (n * 2 ^ gbits) ptr ko)"
including no_take_bit
apply (insert range_cover_not_zero[OF not_0 cover] not_0)
apply (clarsimp simp:new_cap_addrs_def image_def)
apply (rule_tac x ="unat (2 ^ gbits * idx + offs)" in bexI)
@ -2908,7 +2905,7 @@ proof -
apply simp
done
have "ptr' + 2 ^ objBitsKO val - 1 \<le> ptr + of_nat n * 2 ^ objBitsKO val - 1"
using cover including no_take_bit
using cover
apply (subst decomp)
apply (simp add:add.assoc[symmetric])
apply (simp add:p_assoc_help)
@ -3302,7 +3299,6 @@ proof -
using cover
by (simp add:range_cover_def word_bits_def)
thus ?thesis
including no_take_bit
apply -
apply (insert not_0 cover ptr_in)
apply (frule range_cover.range_cover_le_n_less[OF _ le_refl])
@ -5299,7 +5295,6 @@ lemma corres_retype_region_createNewCaps:
init_arch_objects (APIType_map2 (Inr ty)) y n us x;
return x od)
(createNewCaps ty y n us dev)"
including no_take_bit
apply (rule_tac F="range_cover y sz
(obj_bits_api (APIType_map2 (Inr ty)) us) n \<and>
n \<noteq> 0 \<and>


@ -1969,7 +1969,6 @@ lemma decodeWriteRegisters_corres:
corres (ser \<oplus> tcbinv_relation) (invs and tcb_at t) (invs' and tcb_at' t)
(decode_write_registers args (cap.ThreadCap t))
(decodeWriteRegisters args (ThreadCap t))"
including no_take_bit
apply (simp add: decode_write_registers_def decodeWriteRegisters_def)
apply (cases args, simp_all)
apply (case_tac list, simp_all)


@ -259,7 +259,6 @@ next
note word_unat_power [symmetric, simp del]
show ?thesis
including no_take_bit
apply (rule corres_name_pre)
apply clarsimp
apply (subgoal_tac "cte_wp_at' (\<lambda>cte. cteCap cte = (capability.UntypedCap d w n idx)) (cte_map slot) s'")
@ -761,7 +760,6 @@ lemma decodeUntyped_wf[wp]:
(UntypedCap d w sz idx) cs
\<lbrace>valid_untyped_inv'\<rbrace>,-"
unfolding decodeUntypedInvocation_def
including no_take_bit
apply (simp add: unlessE_def[symmetric] unlessE_whenE rangeCheck_def whenE_def[symmetric]
returnOk_liftE[symmetric] Let_def cap_case_CNodeCap_True_throw
split del: if_split cong: if_cong list.case_cong)
@ -4232,7 +4230,6 @@ lemma resetUntypedCap_corres:
(invs' and valid_untyped_inv_wcap' ui' (Some (UntypedCap dev ptr sz idx)) and ct_active')
(reset_untyped_cap slot)
(resetUntypedCap (cte_map slot))"
including no_take_bit
apply (rule corres_gen_asm, clarsimp)
apply (simp add: reset_untyped_cap_def resetUntypedCap_def
liftE_bindE)


@ -1131,7 +1131,6 @@ qed
lemma cte_refs_capRange:
"\<lbrakk> s \<turnstile>' c; \<forall>irq. c \<noteq> IRQHandlerCap irq \<rbrakk> \<Longrightarrow> cte_refs' c x \<subseteq> capRange c"
including no_take_bit
apply (cases c; simp add: capRange_def isCap_simps)
apply (clarsimp dest!: valid_capAligned
simp: capAligned_def objBits_simps field_simps)


@ -3835,7 +3835,6 @@ lemma create_reply_master_corres:
lemma cte_map_nat_to_cref:
"\<lbrakk> n < 2 ^ b; b < word_bits \<rbrakk> \<Longrightarrow>
cte_map (p, nat_to_cref b n) = p + (of_nat n * 2^cte_level_bits)"
including no_take_bit
apply (clarsimp simp: cte_map_def nat_to_cref_def shiftl_t2n
dest!: less_is_drop_replicate)
apply (subst mult_ac)


@ -4115,7 +4115,6 @@ qed
lemma new_cap_addrs_def2:
"n < 2^64 \<Longrightarrow> new_cap_addrs (Suc n) ptr obj = map (\<lambda>n. ptr + (n << objBitsKO obj)) [0.e.of_nat n]"
including no_take_bit
by (simp add:new_cap_addrs_def upto_enum_word unat_of_nat Fun.comp_def)
lemma createTCBs_tcb_at':
@ -4535,7 +4534,6 @@ lemma createNewObjects_def2:
apply (simp add:range_cover_def objSize_eq_capBits)+
done
show ?case
including no_take_bit
apply simp
using snoc.prems
apply (subst upto_enum_inc_1_len)
@ -4826,7 +4824,7 @@ lemma createNewObjects_Cons:
case Nil thus ?case by simp
next
case (Cons x xs)
thus ?case including no_take_bit by (simp add:unat_of_nat64)
thus ?case by (simp add:unat_of_nat64)
qed
show ?thesis


@ -1726,7 +1726,6 @@ proof -
"image (\<lambda>n. ptr + 2 ^ obj_bits_api (APIType_map2 ty) us * n)
{x. x \<le> of_nat n - 1} =
set (retype_addrs ptr (APIType_map2 ty) n us)"
including no_take_bit
apply (clarsimp simp: retype_addrs_def image_def Bex_def ptr_add_def
Collect_eq)
apply (rule iffI)
@ -1760,7 +1759,6 @@ proof -
have al': "is_aligned ptr (obj_bits_api (APIType_map2 ty) us)"
by (simp add: obj_bits_api ko)
show ?thesis
including no_take_bit
apply (simp add: when_def retype_region2_def createObjects'_def
createObjects_def aligned obj_bits_api[symmetric]
ko[symmetric] al' shiftl_t2n data_map_insert_def[symmetric]
@ -1933,7 +1931,6 @@ proof -
have in_new:"\<And>idx offs. \<lbrakk>idx \<le> of_nat n - 1;offs<2 ^ gbits\<rbrakk>
\<Longrightarrow> ptr + (idx << objBitsKO ko + gbits) + (offs << objBitsKO ko)
\<in> set (new_cap_addrs (n * 2 ^ gbits) ptr ko)"
including no_take_bit
apply (insert range_cover_not_zero[OF not_0 cover] not_0)
apply (clarsimp simp:new_cap_addrs_def image_def)
apply (rule_tac x ="unat (2 ^ gbits * idx + offs)" in bexI)
@ -2812,7 +2809,7 @@ proof -
apply simp
done
have "ptr' + 2 ^ objBitsKO val - 1 \<le> ptr + of_nat n * 2 ^ objBitsKO val - 1"
using cover including no_take_bit
using cover
apply (subst decomp)
apply (simp add:add.assoc[symmetric])
apply (simp add:p_assoc_help)
@ -3254,7 +3251,6 @@ proof -
using cover
by (simp add:range_cover_def word_bits_def)
thus ?thesis
including no_take_bit
apply -
apply (insert not_0 cover ptr_in)
apply (frule range_cover.range_cover_le_n_less[OF _ le_refl])
@ -5088,7 +5084,6 @@ lemma corres_retype_region_createNewCaps:
init_arch_objects (APIType_map2 (Inr ty)) y n us x;
return x od)
(createNewCaps ty y n us dev)"
including no_take_bit
apply (rule_tac F="range_cover y sz (obj_bits_api (APIType_map2 (Inr ty)) us) n
\<and> n \<noteq> 0 \<and> (APIType_map2 (Inr ty) = Structures_A.CapTableObject \<longrightarrow> 0 < us)"
in corres_req, simp)


@ -1905,7 +1905,6 @@ lemma decodeWriteRegisters_corres:
corres (ser \<oplus> tcbinv_relation) (invs and tcb_at t) (invs' and tcb_at' t)
(decode_write_registers args (cap.ThreadCap t))
(decodeWriteRegisters args (ThreadCap t))"
including no_take_bit
apply (simp add: decode_write_registers_def decodeWriteRegisters_def)
apply (cases args, simp_all)
apply (case_tac list, simp_all)


@ -259,7 +259,6 @@ next
note word_unat_power [symmetric, simp del]
show ?thesis
including no_take_bit
apply (rule corres_name_pre)
apply clarsimp
apply (subgoal_tac "cte_wp_at' (\<lambda>cte. cteCap cte = (capability.UntypedCap d w n idx)) (cte_map slot) s'")
@ -732,7 +731,6 @@ lemma decodeUntyped_wf[wp]:
(UntypedCap d w sz idx) cs
\<lbrace>valid_untyped_inv'\<rbrace>,-"
unfolding decodeUntypedInvocation_def
including no_take_bit
apply (simp add: unlessE_def[symmetric] unlessE_whenE rangeCheck_def whenE_def[symmetric]
returnOk_liftE[symmetric] Let_def cap_case_CNodeCap_True_throw
split del: if_split cong: if_cong list.case_cong)


@ -1187,7 +1187,6 @@ qed
lemma cte_refs_capRange:
"\<lbrakk> s \<turnstile>' c; \<forall>irq. c \<noteq> IRQHandlerCap irq \<rbrakk> \<Longrightarrow> cte_refs' c x \<subseteq> capRange c"
including no_take_bit
apply (cases c; simp add: capRange_def isCap_simps)
apply (clarsimp dest!: valid_capAligned
simp: capAligned_def objBits_simps field_simps)


@ -4037,7 +4037,6 @@ lemma create_reply_master_corres:
lemma cte_map_nat_to_cref:
"\<lbrakk> n < 2 ^ b; b < word_bits \<rbrakk> \<Longrightarrow>
cte_map (p, nat_to_cref b n) = p + (of_nat n * 2^cte_level_bits)"
including no_take_bit
apply (clarsimp simp: cte_map_def nat_to_cref_def
dest!: less_is_drop_replicate)
apply (rule arg_cong [where f="\<lambda>x. x * 2^cte_level_bits"])


@ -4882,7 +4882,6 @@ lemma new_cap_addrs_def2:
"n < 2 ^ 64
\<Longrightarrow> new_cap_addrs (Suc n) ptr obj
= map (\<lambda>n. ptr + (n << objBitsKO obj)) [0.e.of_nat n]"
including no_take_bit
by (simp add:new_cap_addrs_def upto_enum_word unat_of_nat Fun.comp_def)
lemma createTCBs_tcb_at':
@ -4988,7 +4987,7 @@ proof -
done
show ?thesis
including no_take_bit using assms
using assms
apply (clarsimp simp:valid_pspace'_def)
apply (frule range_cover.aligned)
apply (frule(3) pspace_no_overlap'_tail)
@ -5452,7 +5451,6 @@ lemma createNewObjects_def2:
apply (simp add:range_cover_def objSize_eq_capBits)+
done
show ?case
including no_take_bit
apply simp
using snoc.prems
apply (subst upto_enum_inc_1_len)
@ -5744,7 +5742,7 @@ lemma createNewObjects_Cons:
case Nil thus ?case by simp
next
case (Cons x xs)
thus ?case including no_take_bit by (simp add:unat_of_nat64)
thus ?case by (simp add:unat_of_nat64)
qed
show ?thesis
