adbrucker
/
lh-l4v
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

aarch64 ainvs: reduce sorries in ArchAcc_AI 

Co-authored-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
Signed-off-by: Gerwin Klein <gerwin.klein@proofcraft.systems>
This commit is contained in:
Gerwin Klein 2022-07-08 12:32:06 +10:00 committed by Gerwin Klein
parent 06ef438713
commit de8ebe7219
1 changed files with 44 additions and 75 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

119
proof/invariant-abstract/AARCH64/ArchAcc_AI.thy
View File

@ -1083,16 +1083,20 @@ lemma set_pt_table_caps[wp]:
apply (clarsimp simp: opt_map_def fun_upd_apply split: option.splits)
done
(* FIXME AARCH64: move *)
lemma pt_upd_empty_InvalidPTE[simp]:
"pt_upd (empty_pt pt_t) idx InvalidPTE = empty_pt pt_t"
by (auto simp: pt_upd_def empty_pt_def split: pt.splits)
lemma store_pte_valid_table_caps:
"\<lbrace> valid_table_caps and (\<lambda>s. valid_caps (caps_of_state s) s) and
(\<lambda>s. (\<forall>slot asidopt. caps_of_state s slot = Some (ArchObjectCap (PageTableCap (table_base pt_t p) pt_t asidopt))
\<longrightarrow> asidopt = None \<longrightarrow> pte = InvalidPTE)) \<rbrace>
\<longrightarrow> asidopt = None \<longrightarrow> pte = InvalidPTE)) \<rbrace>
store_pte pt_t p pte
\<lbrace>\<lambda>rv. valid_table_caps\<rbrace>"
unfolding store_pte_def
sorry (* FIXME AARCH64
by wpsimp
(fastforce simp: valid_table_caps_def pts_of_ko_at obj_at_def) *)
(fastforce simp: valid_table_caps_def pts_of_ko_at obj_at_def)
lemma set_object_caps_of_state:
"\<lbrace>(\<lambda>s. \<not>tcb_at p s \<and> \<not>(\<exists>n. cap_table_at n p s)) and
@ -1173,7 +1177,7 @@ lemma pt_walk_eqI:
level < level'
\<longrightarrow> pt_walk top_level level' pt_ptr vptr (\<lambda>pt_t p. level_pte_of pt_t p pts) = Some (level', pt_ptr')
\<longrightarrow> pts' pt_ptr' = pts pt_ptr';
is_aligned pt_ptr (pt_bits top_level) \<rbrakk>
is_aligned pt_ptr (pt_bits top_level); top_level \<le> max_pt_level \<rbrakk>
\<Longrightarrow> pt_walk top_level level pt_ptr vptr (\<lambda>pt_t p. level_pte_of pt_t p pts')
= pt_walk top_level level pt_ptr vptr (\<lambda>pt_t p. level_pte_of pt_t p pts)"
apply (induct top_level arbitrary: pt_ptr; clarsimp)
@ -1186,21 +1190,18 @@ lemma pt_walk_eqI:
apply clarsimp
apply (rename_tac pte)
apply (drule_tac x="pptr_from_pte pte" in meta_spec)
apply (erule meta_impE; simp?)
apply (erule meta_impE; (simp add: pptr_from_pte_aligned_pt_bits)?)
apply clarsimp
sorry (* FIXME AARCH64
apply (subgoal_tac "is_aligned pt_ptr pt_bits \<and> pts' pt_ptr = pts pt_ptr")
prefer 2
apply (prop_tac "is_aligned pt_ptr (pt_bits (level_type top_level)) \<and> pts' pt_ptr = pts pt_ptr")
subgoal by simp
apply (erule_tac x=level' in allE, simp)
apply (erule_tac x=pt_ptr' in allE)
apply (erule impE; assumption?)
apply (subst pt_walk.simps)
apply (subgoal_tac "level' < top_level")
prefer 2
apply (prop_tac "level' < top_level")
apply (fastforce dest!: pt_walk_max_level simp: le_less_trans)
apply (fastforce simp: level_pte_of_def in_omonad)
done *)
done
lemma valid_vspace_obj_valid_pte_upd:
"\<lbrakk> valid_vspace_obj level (PageTable pt) s; valid_pte level pte s \<rbrakk>
@ -1220,21 +1221,20 @@ lemma pte_of_pt_slot_offset_of_empty_pt:
lemma pt_walk_non_empty_ptD:
"\<lbrakk> pt_walk level bot_level pt_ptr vref (\<lambda>pt_t p. level_pte_of pt_t p pts) = Some (level', p);
pts pt_ptr = Some pt; is_aligned pt_ptr (pt_bits level) \<rbrakk>
\<Longrightarrow> (pt \<noteq> empty_pt pt_t \<or> (level' = level \<and> p = pt_ptr))"
\<Longrightarrow> (pt \<noteq> empty_pt (level_type level) \<or> (level' = level \<and> p = pt_ptr))"
apply (subst (asm) pt_walk.simps)
apply (case_tac "bot_level < level")
apply (clarsimp simp: in_omonad)
apply (prop_tac "v' = InvalidPTE")
sorry (* FIXME AARCH64
apply (drule_tac vref=vref and level=level in pte_of_pt_slot_offset_of_empty_pt, clarsimp+)
done *)
done
lemma pt_walk_pt_upd_idem:
"\<lbrakk> \<forall>level' pt_ptr'.
level < level'
\<longrightarrow> pt_walk top_level level' pt_ptr vptr (\<lambda>pt_t p. level_pte_of pt_t p pts) = Some (level', pt_ptr')
\<longrightarrow> pt_ptr' \<noteq> obj_ref;
is_aligned pt_ptr (pt_bits top_level) \<rbrakk>
is_aligned pt_ptr (pt_bits top_level); top_level \<le> max_pt_level \<rbrakk>
\<Longrightarrow> pt_walk top_level level pt_ptr vptr (\<lambda>pt_t p. level_pte_of pt_t p (pts(obj_ref := pt)))
= pt_walk top_level level pt_ptr vptr (\<lambda>pt_t p. level_pte_of pt_t p pts)"
by (rule pt_walk_eqI; auto)
@ -1244,7 +1244,7 @@ lemma pt_walk_upd_idem:
level < level'
\<longrightarrow> pt_walk top_level level' pt_ptr vptr (ptes_of s) = Some (level', pt_ptr')
\<longrightarrow> pt_ptr' \<noteq> obj_ref;
is_aligned pt_ptr (pt_bits top_level) \<rbrakk>
is_aligned pt_ptr (pt_bits top_level); top_level \<le> max_pt_level \<rbrakk>
\<Longrightarrow> pt_walk top_level level pt_ptr vptr (ptes_of (s\<lparr>kheap := kheap s(obj_ref \<mapsto> ko)\<rparr>))
= pt_walk top_level level pt_ptr vptr (ptes_of s)"
by (rule pt_walk_eqI; simp split del: if_split)
@ -1290,21 +1290,21 @@ lemma vs_lookup_table_eqI:
apply (clarsimp simp: asid_pool_level_eq[symmetric] vs_lookup_table_def in_omonad
pool_for_asid_def)
apply (rule obind_eqI; fastforce simp: pool_for_asid_def)
(* pt_walk case: *)
apply (simp (no_asm) add: vs_lookup_table_def in_omonad)
apply (rule obind_eqI_full; simp add: pool_for_asid_def)
apply (rename_tac pool_ptr)
apply (rule obind_eqI_full; clarsimp)
apply (erule_tac x=asid_pool_level in allE)
sorry (* FIXME AARCH64
apply (fastforce simp: pool_for_asid_vs_lookup pool_for_asid_def vspace_for_pool_def obind_def
order.not_eq_order_implies_strict)
entry_for_pool_def order.not_eq_order_implies_strict
split: option.splits)
apply (rename_tac root)
apply (rule pt_walk_eqI)
apply clarsimp
apply (rule pt_walk_eqI; clarsimp)
apply (frule pt_walk_max_level)
apply (fastforce simp add: vs_lookup_table_def in_omonad asid_pool_level_eq pool_for_asid_def)
apply (rule vspace_for_pool_is_aligned; fastforce simp add: pool_for_asid_def)
done *)
apply (fastforce simp: vs_lookup_table_def in_omonad asid_pool_level_eq pool_for_asid_def)
apply (rule vspace_for_pool_is_aligned; fastforce simp: pool_for_asid_def)
done
lemma vs_lookup_table_upd_idem:
"\<lbrakk> \<forall>level' p'.
@ -1362,13 +1362,11 @@ lemma pt_walk_Some_finds_pt:
done
lemma pte_of_pt_slot_offset_upd_idem:
"\<lbrakk> is_aligned pt_ptr (pt_bits pt_t); obj_ref \<noteq> pt_ptr \<rbrakk>
"\<lbrakk> is_aligned pt_ptr (pt_bits pt_t); obj_ref \<noteq> pt_ptr; pt_t = level_type level \<rbrakk>
\<Longrightarrow> level_pte_of pt_t (pt_slot_offset level pt_ptr vptr) (pts(obj_ref := pt'))
= level_pte_of pt_t (pt_slot_offset level pt_ptr vptr) pts"
unfolding level_pte_of_def
sorry (* FIXME AARCH64: might need (level_type level) instead of pt_t
by (rule obind_eqI; clarsimp simp: in_omonad)+
*)
lemma pt_lookup_target_pt_eqI:
"\<lbrakk> \<forall>level' pt_ptr'.
@ -1382,9 +1380,10 @@ lemma pt_lookup_target_pt_eqI:
= pt_walk max_pt_level level pt_ptr vptr (\<lambda>pt_t p. level_pte_of pt_t p pts)")
prefer 2
apply (rule pt_walk_eqI; assumption?)
apply (intro allI impI)
apply (erule_tac x=level' in allE)
apply fastforce
apply (intro allI impI)
apply (erule_tac x=level' in allE)
apply fastforce
apply simp
apply (rule obind_eqI, assumption)
apply (rule obind_eqI; clarsimp)
apply (rule obind_eqI; clarsimp)
@ -1493,28 +1492,17 @@ lemma set_pt_caps_respects_device_region[wp]:
arch_kernel_obj.split_asm)
done
lemma set_pt_valid_ioc[wp]:
"\<lbrace>valid_ioc\<rbrace> set_pt p pt \<lbrace>\<lambda>_. valid_ioc\<rbrace>"
apply (simp add: set_pt_def)
apply (wp set_object_valid_ioc_no_caps get_object_wp)
sorry (* FIXME AARCH64
by (clarsimp simp: a_type_simps obj_at_def is_tcb is_cap_table
split: kernel_object.splits arch_kernel_obj.splits) *)
"set_pt p pt \<lbrace>valid_ioc\<rbrace>"
unfolding set_pt_def
by (wpsimp wp: set_object_wp_strong)
(fastforce simp: valid_ioc_def cte_wp_at_cases obj_at_def)
lemma valid_machine_stateE:
assumes vm: "valid_machine_state s"
assumes e: "\<lbrakk>in_user_frame p s
\<or> underlying_memory (machine_state s) p = 0 \<rbrakk> \<Longrightarrow> E "
assumes e: "\<lbrakk>in_user_frame p s \<or> underlying_memory (machine_state s) p = 0 \<rbrakk> \<Longrightarrow> E"
shows E
using vm
apply (clarsimp simp: valid_machine_state_def)
apply (drule_tac x = p in spec)
apply (rule e)
apply auto
done
using vm by (auto simp: valid_machine_state_def intro: e)
lemma in_user_frame_same_type_upd:
"\<lbrakk>typ_at type p s; type = a_type obj; in_user_frame q s\<rbrakk>
@ -1532,22 +1520,11 @@ lemma in_device_frame_same_type_upd:
apply (auto simp: a_type_simps)
done
lemma store_word_offs_in_user_frame[wp]:
"\<lbrace>\<lambda>s. in_user_frame p s\<rbrace> store_word_offs a x w \<lbrace>\<lambda>_ s. in_user_frame p s\<rbrace>"
unfolding in_user_frame_def
by (wp hoare_vcg_ex_lift)
lemma store_word_offs_in_device_frame[wp]:
"\<lbrace>\<lambda>s. in_device_frame p s\<rbrace> store_word_offs a x w \<lbrace>\<lambda>_ s. in_device_frame p s\<rbrace>"
unfolding in_device_frame_def
by (wp hoare_vcg_ex_lift)
lemma as_user_in_user_frame[wp]:
"\<lbrace>\<lambda>s. in_user_frame p s\<rbrace> as_user t m \<lbrace>\<lambda>_ s. in_user_frame p s\<rbrace>"
unfolding in_user_frame_def
by (wp hoare_vcg_ex_lift)
lemma as_user_in_device_frame[wp]:
"\<lbrace>\<lambda>s. in_device_frame p s\<rbrace> as_user t m \<lbrace>\<lambda>_ s. in_device_frame p s\<rbrace>"
unfolding in_device_frame_def
@ -1561,18 +1538,11 @@ lemma load_word_offs_in_user_frame[wp]:
by (wp hoare_vcg_ex_lift)
lemma valid_machine_state_heap_updI:
assumes vm : "valid_machine_state s"
assumes tyat : "typ_at type p s"
shows
" a_type obj = type \<Longrightarrow> valid_machine_state (s\<lparr>kheap := kheap s(p \<mapsto> obj)\<rparr>)"
apply (clarsimp simp: valid_machine_state_def)
subgoal for p
apply (rule valid_machine_stateE[OF vm,where p = p])
apply (elim disjE,simp_all)
apply (drule(1) in_user_frame_same_type_upd[OF tyat])
apply simp+
done
done
"\<lbrakk> valid_machine_state s; typ_at type p s; a_type obj = type \<rbrakk>
\<Longrightarrow> valid_machine_state (s\<lparr>kheap := kheap s(p \<mapsto> obj)\<rparr>)"
by (fastforce simp: valid_machine_state_def
intro: in_user_frame_same_type_upd
elim: valid_machine_stateE)
lemma set_pt_vms[wp]:
"\<lbrace>valid_machine_state\<rbrace> set_pt p pt \<lbrace>\<lambda>_. valid_machine_state\<rbrace>"
@ -1753,9 +1723,8 @@ lemma vs_lookup_target_unreachable_upd_idem:
(* level' = asid_pool_level *)
apply (rename_tac pool_ptr)
apply (drule vs_lookup_level, drule vs_lookup_level)
apply (clarsimp simp: pool_for_asid_vs_lookup vspace_for_pool_def in_omonad)
apply (rule obind_eqI[rotated], fastforce)
sorry (* FIXME AARCH64
apply (clarsimp simp: pool_for_asid_vs_lookup vspace_for_pool_def entry_for_pool_def in_omonad)
apply (rule obind_eqI[rotated], fastforce)+
apply (case_tac "pool_ptr = obj_ref"; clarsimp)
apply (erule_tac x=asid_pool_level in allE)
apply (fastforce simp: pool_for_asid_vs_lookup)
@ -1765,11 +1734,11 @@ lemma vs_lookup_target_unreachable_upd_idem:
apply (rename_tac pt_ptr level')
apply (case_tac "pt_ptr = obj_ref")
apply (fastforce dest: vs_lookup_level)
apply (rule pte_refs_of_eqI, rule ptes_of_eqI)
apply (prop_tac "is_aligned pt_ptr pt_bits")
apply (rule pte_refs_of_eqI, rule level_ptes_of_eqI)
apply (prop_tac "is_aligned pt_ptr (pt_bits (level_type level'))")
apply (erule vs_lookup_table_is_aligned; fastforce)
apply (clarsimp simp: fun_upd_def opt_map_def split: option.splits)
done *)
done
lemma vs_lookup_target_unreachable_upd_idem':
"\<lbrakk> \<not>(\<exists>level. \<exists>\<rhd> (level, obj_ref) s);