x64: update for Isabelle2016-1 and improved wp

Matthew Brecknell 2017-01-25 11:55:26 +11:00
parent b70d6f442c
commit e350f1e9db
13 changed files with 131 additions and 132 deletions


@ -96,7 +96,7 @@ lemma get_pd_of_thread_reachable:
"get_pd_of_thread (kheap s) (arch_state s) t \<noteq> arm_global_pd (arch_state s)
\<Longrightarrow> (\<exists>\<rhd> get_pd_of_thread (kheap s) (arch_state s) t) s"
by (auto simp: get_pd_of_thread_vs_lookup
split: Structures_A.kernel_object.splits split_if_asm option.splits
split: Structures_A.kernel_object.splits if_split_asm option.splits
cap.splits arch_cap.splits)
lemma is_aligned_ptrFromPAddrD:


@ -301,7 +301,7 @@ lemma vs_asid_refs' [simp]:
apply (simp add: s'_def)
apply (rule set_eqI)
apply (rule iffI)
apply (auto simp: vs_asid_refs_def split: split_if_asm)[1]
apply (auto simp: vs_asid_refs_def split: if_split_asm)[1]
apply clarsimp
apply (erule disjE)
apply (auto simp: vs_asid_refs_def)[1]
@ -531,7 +531,7 @@ lemma cap_insert_simple_arch_caps_ap:
apply (strengthen valid_vs_lookup_at_upd_strg)
apply (wp get_cap_wp set_cap_valid_vs_lookup set_cap_arch_obj
set_cap_valid_table_caps hoare_vcg_all_lift
| simp split del: split_if)+
| simp split del: if_split)+
apply (rule_tac P = "cte_wp_at (op = src_cap) src" in set_cap_orth)
apply (wp hoare_vcg_imp_lift hoare_vcg_ball_lift set_free_index_final_cap
hoare_vcg_disj_lift set_cap_reachable_pg_cap set_cap.vs_lookup_pages
@ -548,7 +548,7 @@ lemma cap_insert_simple_arch_caps_ap:
apply (simp add: unique_table_caps_def is_cap_simps)
apply (subst unique_table_refs_def)
apply (intro allI impI)
apply (simp split: split_if_asm)
apply (simp split: if_split_asm)
apply (simp add: no_cap_to_obj_with_diff_ref_def cte_wp_at_caps_of_state)
apply (simp add: no_cap_to_obj_with_diff_ref_def cte_wp_at_caps_of_state)
apply (erule (3) unique_table_refsD)
@ -1298,7 +1298,7 @@ lemma arch_decode_inv_wf[wp]:
\<lbrace>valid_arch_inv\<rbrace>,-"
apply (cases arch_cap)
apply (rename_tac word1 word2)
apply (simp add: arch_decode_invocation_def Let_def split_def cong: if_cong split del: split_if)
apply (simp add: arch_decode_invocation_def Let_def split_def cong: if_cong split del: if_split)
apply (rule hoare_pre)
apply ((wp whenE_throwError_wp check_vp_wpR ensure_empty_stronger select_wp select_ext_weak_wp|
wpc|
@ -1342,7 +1342,7 @@ lemma arch_decode_inv_wf[wp]:
apply (subst asid_high_bits_of_add_ucast, assumption)
apply assumption
apply (simp add: arch_decode_invocation_def Let_def split_def
cong: if_cong split del: split_if)
cong: if_cong split del: if_split)
apply (rule hoare_pre)
apply ((wp whenE_throwError_wp check_vp_wpR ensure_empty_stronger|
wpc|
@ -1362,7 +1362,7 @@ lemma arch_decode_inv_wf[wp]:
apply (rule order_less_le_trans, rule ucast_less, simp)
apply (simp add: asid_bits_def asid_low_bits_def)
apply (simp add: asid_bits_def)
apply (simp split del: split_if)
apply (simp split del: if_split)
apply (wp ensure_no_children_sp select_ext_weak_wp select_wp whenE_throwError_wp|wpc | simp)+
apply clarsimp
apply (rule conjI, fastforce)
@ -1388,10 +1388,10 @@ lemma arch_decode_inv_wf[wp]:
apply (clarsimp simp: cap_rights_update_def)
apply (clarsimp simp:diminished_def)
apply (simp add: arch_decode_invocation_def Let_def split_def
cong: if_cong split del: split_if)
cong: if_cong split del: if_split)
apply (cases "invocation_type label = ArchInvocationLabel X64PageMap")
apply (rename_tac word rights vmpage_size option)
apply (simp split del: split_if)
apply (simp split del: if_split)
apply (rule hoare_pre)
apply ((wp whenE_throwError_wp check_vp_wpR hoare_vcg_const_imp_lift_R
create_mapping_entries_parent_for_refs find_pd_for_asid_pd_at_asid
@ -1420,7 +1420,7 @@ lemma arch_decode_inv_wf[wp]:
(fastforce intro: diminished_pd_self)+)[1]
apply (cases "invocation_type label = ArchInvocationLabel X64PageRemap")
apply (rename_tac word rights vmpage_size option)
apply (simp split del: split_if)
apply (simp split del: if_split)
apply (rule hoare_pre)
apply ((wp whenE_throwError_wp check_vp_wpR hoare_vcg_const_imp_lift_R
create_mapping_entries_parent_for_refs
@ -1443,7 +1443,7 @@ lemma arch_decode_inv_wf[wp]:
intro!: is_aligned_addrFromPPtr pbfs_atleast_pageBits,
fastforce+)[1]
apply (cases "invocation_type label = ArchInvocationLabel X64PageUnmap")
apply (simp split del: split_if)
apply (simp split del: if_split)
apply (rule hoare_pre, wp)
apply (clarsimp simp: valid_arch_inv_def valid_page_inv_def)
apply (thin_tac "Ball S P" for S P)
@ -1455,22 +1455,22 @@ lemma arch_decode_inv_wf[wp]:
apply (erule cte_wp_at_weakenE)
apply (clarsimp simp: is_arch_diminished_def is_cap_simps)
apply (cases "isPageFlushLabel (invocation_type label)")
apply (simp split del: split_if)
apply (simp split del: if_split)
apply (rule hoare_pre)
apply (wp whenE_throwError_wp static_imp_wp hoare_drop_imps)
apply (simp add: valid_arch_inv_def valid_page_inv_def)
apply (wp find_pd_for_asid_pd_at_asid | wpc)+
apply (clarsimp simp: valid_cap_def mask_def)
apply (simp split del: split_if)
apply (simp split del: if_split)
apply (cases "invocation_type label = ArchInvocationLabel X64PageGetAddress")
apply (simp split del: split_if)
apply (simp split del: if_split)
apply (rule hoare_pre, wp)
apply (clarsimp simp: valid_arch_inv_def valid_page_inv_def)
apply (rule hoare_pre, wp)
apply (simp)
apply (simp add: arch_decode_invocation_def Let_def split_def
is_final_cap_def
cong: if_cong split del: split_if)
cong: if_cong split del: if_split)
apply (rename_tac word option)
apply (rule hoare_pre)
apply ((wp whenE_throwError_wp check_vp_wpR get_master_pde_wp hoare_vcg_all_lift_R|
@ -1540,9 +1540,9 @@ lemma arch_decode_inv_wf[wp]:
apply (drule le_shiftr[where n=20], drule(1) order_trans)
apply (simp add: kernel_base_def)
apply (clarsimp simp: cte_wp_at_def is_arch_diminished_def is_cap_simps)
apply (simp add: arch_decode_invocation_def Let_def split del: split_if)
apply (simp add: arch_decode_invocation_def Let_def split del: if_split)
apply (cases "isPDFlushLabel (invocation_type label)")
apply (simp split del: split_if)
apply (simp split del: if_split)
apply (rule hoare_pre)
apply (wp whenE_throwError_wp static_imp_wp hoare_drop_imp | wpc | simp)+
apply (simp add: resolve_vaddr_def)


@ -123,7 +123,7 @@ lemma choose_switch_or_idle:
return_def get_def modify_def put_def
get_thread_state_def
thread_get_def
split: split_if_asm)
split: if_split_asm)
apply force
done


@ -69,7 +69,7 @@ lemma update_cap_objrefs [CNodeInv_AI_assms]:
obj_refs (update_cap_data P dt cap) = obj_refs cap"
by (case_tac cap,
simp_all add: update_cap_data_closedform
split: split_if_asm)
split: if_split_asm)
lemma update_cap_zobjrefs [CNodeInv_AI_assms]:
@ -77,7 +77,7 @@ lemma update_cap_zobjrefs [CNodeInv_AI_assms]:
zobj_refs (update_cap_data P dt cap) = zobj_refs cap"
apply (case_tac cap,
simp_all add: update_cap_data_closedform arch_update_cap_data_def
split: split_if_asm)
split: if_split_asm)
done
@ -100,7 +100,7 @@ lemma update_cap_data_mask_Null [simp, CNodeInv_AI_assms]:
lemma cap_master_update_cap_data [CNodeInv_AI_assms]:
"\<lbrakk> update_cap_data P x c \<noteq> NullCap \<rbrakk>
\<Longrightarrow> cap_master_cap (update_cap_data P x c) = cap_master_cap c"
apply (simp add: update_cap_data_def split del: split_if split: split_if_asm)
apply (simp add: update_cap_data_def split del: if_split split: if_split_asm)
apply (auto simp: is_cap_simps Let_def the_cnode_cap_def cap_master_cap_def
badge_update_def arch_update_cap_data_def
split: arch_cap.split)
@ -131,7 +131,7 @@ lemma same_object_as_cap_master [CNodeInv_AI_assms]:
lemma cap_asid_update_cap_data [CNodeInv_AI_assms]:
"update_cap_data P x c \<noteq> NullCap
\<Longrightarrow> cap_asid (update_cap_data P x c) = cap_asid c"
apply (simp add: update_cap_data_def split del: split_if split: split_if_asm)
apply (simp add: update_cap_data_def split del: if_split split: if_split_asm)
apply (auto simp: is_cap_simps Let_def the_cnode_cap_def cap_master_cap_def
badge_update_def arch_update_cap_data_def
split: arch_cap.split)
@ -140,7 +140,7 @@ lemma cap_asid_update_cap_data [CNodeInv_AI_assms]:
lemma cap_vptr_update_cap_data [CNodeInv_AI_assms]:
"update_cap_data P x c \<noteq> NullCap
\<Longrightarrow> cap_vptr (update_cap_data P x c) = cap_vptr c"
apply (simp add: update_cap_data_def split del: split_if split: split_if_asm)
apply (simp add: update_cap_data_def split del: if_split split: if_split_asm)
apply (auto simp: is_cap_simps Let_def the_cnode_cap_def cap_master_cap_def
badge_update_def arch_update_cap_data_def
split: arch_cap.split)
@ -149,7 +149,7 @@ lemma cap_vptr_update_cap_data [CNodeInv_AI_assms]:
lemma cap_asid_base_update_cap_data [CNodeInv_AI_assms]:
"update_cap_data P x c \<noteq> NullCap
\<Longrightarrow> cap_asid_base (update_cap_data P x c) = cap_asid_base c"
apply (simp add: update_cap_data_def split del: split_if split: split_if_asm)
apply (simp add: update_cap_data_def split del: if_split split: if_split_asm)
apply (auto simp: is_cap_simps Let_def the_cnode_cap_def cap_master_cap_def
badge_update_def arch_update_cap_data_def
split: arch_cap.split)
@ -159,9 +159,9 @@ lemma same_object_as_update_cap_data [CNodeInv_AI_assms]:
"\<lbrakk> update_cap_data P x c \<noteq> NullCap; same_object_as c' c \<rbrakk> \<Longrightarrow>
same_object_as c' (update_cap_data P x c)"
apply (clarsimp simp: same_object_as_def is_cap_simps
split: cap.split_asm arch_cap.splits split_if_asm)
split: cap.split_asm arch_cap.splits if_split_asm)
apply (simp add: update_cap_data_def badge_update_def cap_rights_update_def is_cap_simps arch_update_cap_data_def
Let_def split_def the_cnode_cap_def bits_of_def split: split_if_asm cap.splits)+
Let_def split_def the_cnode_cap_def bits_of_def split: if_split_asm cap.splits)+
done
lemma weak_derived_update_cap_data [CNodeInv_AI_assms]:
@ -171,9 +171,9 @@ lemma weak_derived_update_cap_data [CNodeInv_AI_assms]:
cap_master_update_cap_data cap_asid_update_cap_data
cap_asid_base_update_cap_data
cap_vptr_update_cap_data
split del: split_if cong: if_cong)
split del: if_split cong: if_cong)
apply (erule disjE)
apply (clarsimp split: split_if_asm)
apply (clarsimp split: if_split_asm)
apply (erule disjE)
apply (clarsimp simp: is_cap_simps)
apply (simp add: update_cap_data_def arch_update_cap_data_def is_cap_simps)
@ -184,12 +184,12 @@ lemma weak_derived_update_cap_data [CNodeInv_AI_assms]:
apply (simp add: update_cap_data_def arch_update_cap_data_def is_cap_simps)
apply (erule (1) same_object_as_update_cap_data)
apply clarsimp
apply (rule conjI, clarsimp simp: is_cap_simps update_cap_data_def split del: split_if)+
apply (rule conjI, clarsimp simp: is_cap_simps update_cap_data_def split del: if_split)+
apply clarsimp
apply (clarsimp simp: same_object_as_def is_cap_simps
split: cap.split_asm arch_cap.splits split_if_asm)
split: cap.split_asm arch_cap.splits if_split_asm)
apply (simp add: update_cap_data_def badge_update_def cap_rights_update_def is_cap_simps arch_update_cap_data_def
Let_def split_def the_cnode_cap_def bits_of_def split: split_if_asm cap.splits)+
Let_def split_def the_cnode_cap_def bits_of_def split: if_split_asm cap.splits)+
done
lemma cap_badge_update_cap_data [CNodeInv_AI_assms]:
@ -197,7 +197,7 @@ lemma cap_badge_update_cap_data [CNodeInv_AI_assms]:
\<longrightarrow> (bdg, cap_badge (update_cap_data False x c)) \<in> capBadge_ordering False"
apply clarsimp
apply (erule capBadge_ordering_trans)
apply (simp add: update_cap_data_def split del: split_if split: split_if_asm)
apply (simp add: update_cap_data_def split del: if_split split: if_split_asm)
apply (auto simp: is_cap_simps Let_def the_cnode_cap_def cap_master_cap_def
badge_update_def arch_update_cap_data_def
split: arch_cap.split)
@ -285,7 +285,7 @@ lemma cte_at_nat_to_cref_zbits [CNodeInv_AI_assms]:
lemma copy_of_cap_range [CNodeInv_AI_assms]:
"copy_of cap cap' \<Longrightarrow> cap_range cap = cap_range cap'"
apply (clarsimp simp: copy_of_def split: split_if_asm)
apply (clarsimp simp: copy_of_def split: if_split_asm)
apply (cases cap', simp_all add: same_object_as_def)
apply (clarsimp simp: is_cap_simps bits_of_def cap_range_def
split: cap.split_asm)+
@ -297,7 +297,7 @@ lemma copy_of_cap_range [CNodeInv_AI_assms]:
lemma copy_of_zobj_refs [CNodeInv_AI_assms]:
"copy_of cap cap' \<Longrightarrow> zobj_refs cap = zobj_refs cap'"
apply (clarsimp simp: copy_of_def split: split_if_asm)
apply (clarsimp simp: copy_of_def split: if_split_asm)
apply (cases cap', simp_all add: same_object_as_def)
apply (clarsimp simp: is_cap_simps bits_of_def
split: cap.split_asm)+
@ -323,13 +323,13 @@ lemma weak_derived_vs_cap_ref [CNodeInv_AI_assms]:
"weak_derived c c' \<Longrightarrow> vs_cap_ref c = vs_cap_ref c'"
by (auto simp: weak_derived_def copy_of_def
same_object_as_def2
split: split_if_asm elim: vs_cap_ref_master[OF sym])
split: if_split_asm elim: vs_cap_ref_master[OF sym])
lemma weak_derived_table_cap_ref [CNodeInv_AI_assms]:
"weak_derived c c' \<Longrightarrow> table_cap_ref c = table_cap_ref c'"
apply (clarsimp simp: weak_derived_def copy_of_def
same_object_as_def2
split: split_if_asm)
split: if_split_asm)
apply (elim disjE,simp_all add:is_cap_simps)
apply (elim disjE,simp_all)
apply clarsimp
@ -347,7 +347,7 @@ lemma weak_derived_pd_pt_asid:
by (auto simp: weak_derived_def copy_of_def is_cap_simps
same_object_as_def2 is_pt_cap_def
cap_master_cap_simps
split: split_if_asm
split: if_split_asm
dest!: cap_master_cap_eqDs)
lemma weak_derived_ASIDPool1:
@ -356,7 +356,7 @@ lemma weak_derived_ASIDPool1:
apply (rule iffI)
prefer 2
apply simp
apply (clarsimp simp: weak_derived_def copy_of_def split: split_if_asm)
apply (clarsimp simp: weak_derived_def copy_of_def split: if_split_asm)
apply (clarsimp simp: same_object_as_def2 cap_master_cap_simps dest!: cap_master_cap_eqDs)
done
@ -366,7 +366,7 @@ lemma weak_derived_ASIDPool2:
apply (rule iffI)
prefer 2
apply simp
apply (clarsimp simp: weak_derived_def copy_of_def split: split_if_asm)
apply (clarsimp simp: weak_derived_def copy_of_def split: if_split_asm)
apply (auto simp: same_object_as_def2 cap_master_cap_simps dest!: cap_master_cap_eqDs)
done
@ -408,15 +408,15 @@ lemma swap_of_caps_valid_arch_caps [CNodeInv_AI_assms]:
del: split_paired_Ex split_paired_All imp_disjL)
apply (simp add: unique_table_caps_def
del: split_paired_Ex split_paired_All imp_disjL
split del: split_if)
split del: if_split)
apply (erule allfEI[where f="id (a := b, b := a)"])
apply (erule allfEI[where f="id (a := b, b := a)"])
apply (clarsimp split del: split_if split: split_if_asm)
apply (clarsimp split del: if_split split: if_split_asm)
apply (simp add: unique_table_refs_def
del: split_paired_All split del: split_if)
del: split_paired_All split del: if_split)
apply (erule allfEI[where f="id (a := b, b := a)"])
apply (erule allfEI[where f="id (a := b, b := a)"])
apply (clarsimp split del: split_if split: split_if_asm dest!:vs_cap_ref_to_table_cap_ref
apply (clarsimp split del: if_split split: if_split_asm dest!:vs_cap_ref_to_table_cap_ref
dest!: weak_derived_table_cap_ref)
done
@ -440,7 +440,7 @@ lemma cap_swap_cap_refs_in_kernel_window[wp, CNodeInv_AI_assms]:
cap_swap c a c' b \<lbrace>\<lambda>rv. cap_refs_in_kernel_window\<rbrace>"
apply (simp add: cap_swap_def)
apply (rule hoare_pre)
apply (wp | simp split del: split_if)+
apply (wp | simp split del: if_split)+
apply (auto dest!: cap_refs_in_kernel_windowD
simp: cte_wp_at_caps_of_state weak_derived_cap_range)
done
@ -518,7 +518,7 @@ lemma finalise_cap_not_reply_master_unlifted [CNodeInv_AI_assms]:
\<not> is_master_reply_cap (fst rv)"
by (case_tac cap, auto simp: is_cap_simps in_monad liftM_def
arch_finalise_cap_def
split: split_if_asm arch_cap.split_asm bool.split_asm option.split_asm)
split: if_split_asm arch_cap.split_asm bool.split_asm option.split_asm)
lemma nat_to_cref_0_replicate [CNodeInv_AI_assms]:
@ -632,7 +632,7 @@ next
apply (erule disjE)
apply clarsimp
apply (clarsimp simp: cap_irq_opt_def cte_wp_at_def
split: cap.split_asm split_if_asm
split: cap.split_asm if_split_asm
elim!: ranE dest!: caps_of_state_cteD)
apply (drule(2) final_cap_duplicate_irq)
apply simp+
@ -922,7 +922,7 @@ lemma weak_derived_appropriate [CNodeInv_AI_assms]:
"weak_derived cap cap' \<Longrightarrow> appropriate_cte_cap cap = appropriate_cte_cap cap'"
by (auto simp: weak_derived_def copy_of_def same_object_as_def2
appropriate_cte_master
split: split_if_asm
split: if_split_asm
dest!: arg_cong[where f=appropriate_cte_cap])
end
@ -1004,7 +1004,7 @@ lemma recycle_cap_appropriateness [CNodeInv_AI_assms]:
apply (simp add: recycle_cap_def)
apply (rule hoare_pre)
apply (wp thread_get_wp gts_wp | wpc | simp add: get_bound_notification_def)+
apply (simp add: arch_recycle_cap_def o_def split del: split_if)
apply (simp add: arch_recycle_cap_def o_def split del: if_split)
apply (wp | wpc | simp add: | wp_once hoare_drop_imps)+
apply (auto simp: appropriate_cte_cap_def fun_eq_iff valid_cap_def tcb_at_st_tcb_at pred_tcb_at_def)
done


@ -466,7 +466,7 @@ lemma valid_machine_state_detype[detype_invs_proofs]:
apply (elim exEI exE conjE, simp)
apply (frule valid_pspace_aligned[OF valid_pspace])
apply (drule_tac ptr'=p in mask_in_range)
apply (case_tac ko, simp_all add: a_type_simps split: split_if_asm)
apply (case_tac ko, simp_all add: a_type_simps split: if_split_asm)
apply (rename_tac arch_kernel_obj)
apply (case_tac arch_kernel_obj, simp_all add: a_type_simps)
apply clarsimp using untyped cap_is_valid


@ -81,7 +81,7 @@ lemma arch_decode_X64ASIDControlMakePool_empty_fail:
apply (subst bindE_assoc[symmetric])
apply (rule empty_fail_bindE)
subgoal by (fastforce simp: empty_fail_def whenE_def throwError_def select_ext_def bindE_def bind_def return_def
returnOk_def lift_def liftE_def fail_def gets_def get_def assert_def select_def split: split_if_asm)
returnOk_def lift_def liftE_def fail_def gets_def get_def assert_def select_def split: if_split_asm)
apply (simp add: Let_def split: cap.splits arch_cap.splits option.splits bool.splits | wp | intro conjI impI allI)+
by (clarsimp simp add: decode_page_invocation_def split: arch_cap.splits | wp)+


@ -21,7 +21,7 @@ lemma (* obj_at_not_live_valid_arch_cap_strg *) [Finalise_AI_asms]:
\<longrightarrow> obj_at (\<lambda>ko. \<not> live ko) r s"
by (clarsimp simp: valid_cap_def obj_at_def
a_type_arch_live
split: arch_cap.split_asm split_if_asm)
split: arch_cap.split_asm if_split_asm)
global_naming X64
@ -158,7 +158,7 @@ lemma delete_asid_pool_unmapped[wp]:
dest!: graph_ofD)
apply (clarsimp simp: vs_lookup_def vs_asid_refs_def
dest!: graph_ofD
split: split_if_asm)
split: if_split_asm)
apply (erule rtranclE)
apply (simp add: up_ucast_inj_eq)
apply (drule vs_lookup1D)
@ -258,7 +258,7 @@ lemma (* empty_slot_invs *) [Finalise_AI_asms]:
apply (wp replace_cap_valid_pspace set_cap_caps_of_state2
replace_cap_ifunsafe get_cap_wp
set_cap_idle valid_irq_node_typ set_cap_typ_at
set_cap_irq_handlers set_cap_valid_arch_caps | simp add: trans_state_update[symmetric] del: trans_state_update fun_upd_apply split del: split_if )+
set_cap_irq_handlers set_cap_valid_arch_caps | simp add: trans_state_update[symmetric] del: trans_state_update fun_upd_apply split del: if_split )+
apply (clarsimp simp: is_final_cap'_def2 simp del: fun_upd_apply)
apply (clarsimp simp: conj_comms invs_def valid_state_def valid_mdb_def2)
apply (subgoal_tac "mdb_empty_abs s")
@ -289,7 +289,7 @@ lemma (* empty_slot_invs *) [Finalise_AI_asms]:
apply (rule allEI, assumption)
apply (fold reply_caps_mdb_def)[1]
apply (case_tac "sl = ptr", simp)
apply (simp add: fun_upd_def split del: split_if del: split_paired_Ex)
apply (simp add: fun_upd_def split del: if_split del: split_paired_Ex)
apply (erule allEI, rule impI, erule(1) impE)
apply (erule exEI)
apply (simp, rule ccontr)
@ -324,7 +324,7 @@ lemma dom_tcb_cap_cases_lt_ARCH [Finalise_AI_asms]:
"dom tcb_cap_cases = {xs. length xs = 3 \<and> unat (of_bl xs :: machine_word) < 5}"
apply (rule set_eqI, rule iffI)
apply clarsimp
apply (simp add: tcb_cap_cases_def tcb_cnode_index_def to_bl_1 split: split_if_asm)
apply (simp add: tcb_cap_cases_def tcb_cnode_index_def to_bl_1 split: if_split_asm)
apply clarsimp
apply (frule tcb_cap_cases_lt)
apply (clarsimp simp: nat_to_cref_unat_of_bl')
@ -365,7 +365,7 @@ lemma (* finalise_cap_cases1 *)[Finalise_AI_asms]:
\<and> cap_irqs (fst rv) = cap_irqs cap
\<and> fst_cte_ptrs (fst rv) = fst_cte_ptrs cap
\<and> vs_cap_ref cap = None\<rbrace>"
apply (cases cap, simp_all split del: split_if cong: if_cong)
apply (cases cap, simp_all split del: if_split cong: if_cong)
apply (wp suspend_final_cap[where sl=slot]
deleting_irq_handler_final[where slot=slot]
| simp add: o_def is_cap_simps fst_cte_ptrs_def
@ -389,12 +389,12 @@ lemma (* finalise_cap_new_valid_cap *)[wp,Finalise_AI_asms]:
apply (wp suspend_valid_cap
| simp add: o_def valid_cap_def cap_aligned_def
valid_cap_Null_ext
split del: split_if
split del: if_split
| clarsimp | rule conjI)+
apply (simp add: arch_finalise_cap_def)
apply (rule hoare_pre)
apply (wp|simp add: o_def valid_cap_def cap_aligned_def
split del: split_if|clarsimp|wpc)+
split del: if_split|clarsimp|wpc)+
done
lemma (* arch_finalise_cap_invs *)[wp,Finalise_AI_asms]:
@ -520,7 +520,7 @@ lemma (* finalise_cap_replaceable *) [Finalise_AI_asms]:
finalise_cap cap x
\<lbrace>\<lambda>rv s. replaceable s sl (fst rv) cap\<rbrace>"
apply (cases cap, simp_all add: replaceable_def reachable_pg_cap_def
split del: split_if)
split del: if_split)
prefer 10
(* TS: this seems to be necessary for deleting_irq_handler,
kind of nasty, not sure how to sidestep *)
@ -1297,10 +1297,10 @@ global_naming Arch
lemma (* finalise_cap_invs *)[Finalise_AI_asms]:
shows "\<lbrace>invs and cte_wp_at (op = cap) slot\<rbrace> finalise_cap cap x \<lbrace>\<lambda>rv. invs\<rbrace>"
apply (cases cap, simp_all split del: split_if)
apply (cases cap, simp_all split del: if_split)
apply (wp cancel_all_ipc_invs cancel_all_signals_invs unbind_notification_invs
unbind_maybe_notification_invs
| simp add: o_def split del: split_if cong: if_cong
| simp add: o_def split del: if_split cong: if_cong
| wpc )+
apply clarsimp (* thread *)
apply (frule cte_wp_at_valid_objs_valid_cap, clarsimp)
@ -1416,7 +1416,7 @@ interpretation Finalise_AI_3?: Finalise_AI_3
context Arch begin global_naming X64
lemma arch_cap_recycle_replaceable:
notes split_if [split del]
notes if_split [split del]
and arch_reset_mem_mapping.simps [simp del]
shows "\<lbrace>cte_wp_at (op = (ArchObjectCap cap)) slot
and invs
@ -1658,7 +1658,7 @@ lemma valid_kernel_mappings [iff]:
lemma vs_asid_refs_updateD:
"(ref', p') \<in> vs_asid_refs (table (x \<mapsto> p))
\<Longrightarrow> (ref',p') \<in> vs_asid_refs table \<or> (ref' = [VSRef (ucast x) None] \<and> p' = p)"
apply (clarsimp simp: vs_asid_refs_def graph_of_def split: split_if_asm)
apply (clarsimp simp: vs_asid_refs_def graph_of_def split: if_split_asm)
apply (rule_tac x="(a,p')" in image_eqI)
apply auto
done
@ -1688,7 +1688,7 @@ lemma vs_lookup_empty_table:
apply assumption
apply (fastforce simp: vs_lookup_def)
apply (clarsimp simp: obj_at_def vs_lookup1_def vs_refs_def
split: split_if_asm)
split: if_split_asm)
apply clarsimp
apply (drule rtranclD)
apply (erule disjE)
@ -1721,7 +1721,7 @@ lemma vs_lookup_pages_empty_table:
apply assumption
apply (fastforce simp: vs_lookup_pages_def)
apply (clarsimp simp: obj_at_def vs_lookup_pages1_def vs_refs_pages_def
split: split_if_asm)
split: if_split_asm)
apply clarsimp
apply (drule rtranclD)
apply (erule disjE)
@ -1749,7 +1749,7 @@ lemma set_asid_pool_empty_table_objs:
apply simp
prefer 2
apply (simp add: a_type_def)
apply (clarsimp simp add: a_type_def split: split_if_asm)
apply (clarsimp simp add: a_type_def split: if_split_asm)
apply (erule_tac x=pa in allE)
apply (erule impE)
apply (drule vs_lookup_empty_table)
@ -1932,7 +1932,7 @@ crunch valid_cap [wp]: unmap_page_table, invalidate_tlb_by_asid,
(wp: mapM_wp_inv mapM_x_wp')
lemma recycle_cap_cases:
notes split_if [split del]
notes if_split [split del]
shows "\<lbrace>\<top>\<rbrace>
recycle_cap is_final cap
\<lbrace>\<lambda>rv s. rv = cap
@ -1952,7 +1952,7 @@ lemma recycle_cap_cases:
apply (clarsimp simp: is_cap_simps arch_recycle_cap_def)
apply (rule hoare_pre)
apply (wp | wpc | simp)+
apply (fastforce split: split_if_asm)
apply (fastforce split: if_split_asm)
done
global_naming Arch
@ -1973,7 +1973,7 @@ lemma (* clearMemory_invs *) [wp,Finalise_AI_asms]:
done
lemma arch_recycle_cap_invs_ARCH [Finalise_AI_asms]:
notes split_if [split del]
notes if_split [split del]
shows "\<lbrace>invs and cte_wp_at (op = (ArchObjectCap cap)) slot\<rbrace>
arch_recycle_cap is_final cap
\<lbrace>\<lambda>rv. invs\<rbrace>"
@ -1996,7 +1996,7 @@ lemma arch_recycle_cap_invs_ARCH [Finalise_AI_asms]:
apply (frule valid_cap_aligned, clarsimp simp: cap_aligned_def)
apply (intro conjI)
(* ASID pool case *)
apply ((fastforce simp: valid_cap_def mask_def split: split_if
apply ((fastforce simp: valid_cap_def mask_def split: if_split
elim!: vs_lookup_atE)+)[2]
(* PageTable case*)
apply clarsimp
@ -2011,11 +2011,11 @@ lemma arch_recycle_cap_invs_ARCH [Finalise_AI_asms]:
apply (clarsimp simp: valid_cap_simps)
apply (clarsimp simp: is_cap_simps valid_cap_simps mask_def asid_bits_def
vmsz_aligned_def upto_enum_step_def pt_bits_def pageBits_def
image_image word_shift_by_2 split: split_if_asm)
image_image word_shift_by_2 split: if_split_asm)
apply (erule order_le_less_trans, simp)+
apply (rule_tac x=a in exI, rule_tac x=b in exI)
apply (clarsimp simp: upto_enum_step_def pt_bits_def pageBits_def is_cap_simps
image_image word_shift_by_2 split: split_if_asm)
image_image word_shift_by_2 split: if_split_asm)
apply (frule_tac d="xb << 2" in is_aligned_add_helper)
apply (rule shiftl_less_t2n)
apply (erule order_le_less_trans, simp)


@ -41,9 +41,9 @@ named_theorems Interrupt_AI_asms
lemma (* decode_irq_control_invocation_inv *)[Interrupt_AI_asms]:
"\<lbrace>P\<rbrace> decode_irq_control_invocation label args slot caps \<lbrace>\<lambda>rv. P\<rbrace>"
apply (simp add: decode_irq_control_invocation_def Let_def arch_check_irq_def
arch_decode_irq_control_invocation_def whenE_def split del: split_if)
arch_decode_irq_control_invocation_def whenE_def split del: if_split)
apply (rule hoare_pre)
apply (wp | simp split del: split_if)+
apply (wp | simp split del: if_split)+
done
lemma irq_control_inv_valid_ArchIRQControl[simp]:
@ -69,11 +69,11 @@ lemma arch_decode_irq_control_valid[wp]:
\<lbrace>arch_irq_control_inv_valid\<rbrace>,-"
apply (simp add: arch_decode_irq_control_invocation_def Let_def whenE_def
arch_irq_control_inv_valid_def
split del: split_if
split del: if_split
cong: if_cong)
apply (rule hoare_pre)
apply (wp ensure_empty_stronger hoare_vcg_const_imp_lift_R hoare_vcg_const_imp_lift
| simp add: cte_wp_at_eq_simp split del: split_if
| simp add: cte_wp_at_eq_simp split del: if_split
| wpc | wp_once hoare_drop_imps)+
apply clarsimp
by (safe; (cap_hammer | word_hammer))
@ -89,7 +89,7 @@ lemma (* decode_irq_control_valid *)[Interrupt_AI_asms]:
\<lbrace>irq_control_inv_valid\<rbrace>,-"
apply (simp add: decode_irq_control_invocation_def Let_def split_def
whenE_def arch_check_irq_def
split del: split_if cong: if_cong)
split del: if_split cong: if_cong)
apply (rule hoare_pre)
apply (wp ensure_empty_stronger | simp add: cte_wp_at_eq_simp
| wp_once hoare_drop_imps)+
@ -143,7 +143,7 @@ lemma (* set_irq_state_valid_cap *)[Interrupt_AI_asms]:
apply (wp do_machine_op_valid_cap)
apply (auto simp: valid_cap_def valid_untyped_def
split: cap.splits option.splits arch_cap.splits
split del: split_if)
split del: if_split)
done
crunch valid_global_refs[Interrupt_AI_asms]: set_irq_state "valid_global_refs"
@ -190,7 +190,7 @@ lemma invoke_irq_handler_invs'[Interrupt_AI_asms]:
\<and> cte_wp_at (is_derived (cdt s) prod cap) prod s"
in hoare_post_imp)
apply (clarsimp simp: is_cap_simps is_derived_def cte_wp_at_caps_of_state)
apply (simp split: split_if_asm)
apply (simp split: if_split_asm)
apply (simp add: cap_master_cap_def split: cap.split_asm)
apply (drule cte_wp_valid_cap [OF caps_of_state_cteD] | clarsimp)+
apply (clarsimp simp: cap_master_cap_simps valid_cap_def obj_at_def is_ntfn is_tcb is_cap_table


@ -261,7 +261,7 @@ lemma copy_mrs_in_user_frame[wp, Ipc_AI_assms]:
lemma make_fault_message_inv[wp, Ipc_AI_assms]:
"\<lbrace>P\<rbrace> make_fault_msg ft t \<lbrace>\<lambda>rv. P\<rbrace>"
apply (cases ft, simp_all split del: split_if)
apply (cases ft, simp_all split del: if_split)
apply (wp as_user_inv getRestartPC_inv mapM_wp'
| simp add: getRegister_def)+
done
@ -278,7 +278,7 @@ lemma lookup_ipc_buffer_in_user_frame[wp, Ipc_AI_assms]:
\<lbrace>case_option (\<lambda>_. True) in_user_frame\<rbrace>"
apply (simp add: lookup_ipc_buffer_def)
apply (wp get_cap_wp thread_get_wp | wpc | simp)+
apply (clarsimp simp add: obj_at_def is_tcb split: split_if_asm)
apply (clarsimp simp add: obj_at_def is_tcb split: if_split_asm)
apply (rename_tac dev p R tp sz m)
apply (subgoal_tac "in_user_frame (p + (tcb_ipc_buffer tcb &&
mask (pageBitsForSize sz))) s", simp)
@ -305,16 +305,16 @@ lemma transfer_caps_loop_cte_wp_at:
apply (simp, wp, simp)
apply (clarsimp simp: Let_def split_def whenE_def
cong: if_cong list.case_cong
split del: split_if)
split del: if_split)
apply (rule hoare_pre)
apply (wp hoare_vcg_const_imp_lift hoare_vcg_const_Ball_lift
derive_cap_is_derived_foo
hoare_drop_imps
| assumption | simp split del: split_if)+
| assumption | simp split del: if_split)+
apply (wp hoare_vcg_conj_lift cap_insert_weak_cte_wp_at2)
apply (erule imp)
by (wp hoare_vcg_ball_lift
| clarsimp simp: is_cap_simps split del:split_if
| clarsimp simp: is_cap_simps split del:if_split
| unfold derive_cap_def arch_derive_cap_def
| wpc
| rule conjI


@ -234,7 +234,7 @@ lemma vs_refs_add_one'':
"p \<in> kernel_mapping_slots \<Longrightarrow>
vs_refs (ArchObj (PageMapL4 (pml4(p := pml4e)))) =
vs_refs (ArchObj (PageMapL4 pml4))"
by (auto simp: vs_refs_def graph_of_def split: split_if_asm)
by (auto simp: vs_refs_def graph_of_def split: if_split_asm)
lemma glob_vs_refs_add_one':
"glob_vs_refs (ArchObj (PageDirectory (pd(p := pde)))) =
@ -245,7 +245,7 @@ lemma glob_vs_refs_add_one':
apply (rule set_eqI)
apply clarsimp
apply (rule iffI)
apply (clarsimp del: disjCI dest!: graph_ofD split: split_if_asm)
apply (clarsimp del: disjCI dest!: graph_ofD split: if_split_asm)
apply (rule disjI1)
apply (rule conjI)
apply (rule_tac x="(aa, ba)" in image_eqI)
@ -384,10 +384,10 @@ lemma mapM_x_store_pde_eq_kernel_mappings_restr:
apply (erule hoare_seq_ext[rotated])
apply (simp add: store_pde_def set_pd_def set_object_def cong: bind_cong)
apply (wp get_object_wp get_pde_wp)
apply (clarsimp simp: obj_at_def split del: split_if)
apply (clarsimp simp: obj_at_def split del: if_split)
apply (frule shiftl_less_t2n)
apply (simp add: pd_bits_def pageBits_def)
apply (simp add: is_aligned_add_helper split del: split_if)
apply (simp add: is_aligned_add_helper split del: if_split)
apply (cut_tac x=x and n=2 in shiftl_shiftr_id)
apply (simp add: word_bits_def)
apply (simp add: word_bits_def pd_bits_def pageBits_def)
@ -455,7 +455,7 @@ lemma copy_global_equal_kernel_mappings_restricted:
apply (simp add: ucast_down_ucast_id word_size source_size_def
target_size_def is_down_def)
apply (drule_tac x=p' in spec)
apply (simp split: split_if_asm)
apply (simp split: if_split_asm)
done
lemma store_pde_valid_global_pd_mappings[wp]:
@ -707,19 +707,19 @@ lemma valid_untyped_helper [Retype_AI_assms]:
apply (fastforce elim!: obj_at_pres)
apply (fastforce elim!: obj_at_pres)
apply (rename_tac word nat1 nat2)
apply (clarsimp simp:valid_untyped_def is_cap_simps obj_at_def split:split_if_asm)
apply (clarsimp simp:valid_untyped_def is_cap_simps obj_at_def split: if_split_asm)
apply (thin_tac "\<forall>x. Q x" for Q)
apply (frule retype_addrs_obj_range_subset_strong[OF _ cover' tyunt])
apply (frule usable_range_subseteq)
apply (simp add:is_cap_simps)
apply (clarsimp simp:cap_aligned_def split:split_if_asm)
apply (clarsimp simp:cap_aligned_def split: if_split_asm)
apply (frule aligned_ranges_subset_or_disjoint)
apply (erule retype_addrs_aligned[where sz = sz])
apply (simp add:range_cover_def)
apply (simp add:range_cover_def word_bits_def)
apply (simp add:range_cover_def)
apply (clarsimp simp:obj_range_def[symmetric] obj_bits_api_def3 Int_ac tyunt
split:split_if_asm)
split: if_split_asm)
apply (elim disjE)
apply (drule(2) subset_trans[THEN disjoint_subset2])
apply (drule Int_absorb2)+
@ -736,7 +736,7 @@ lemma valid_untyped_helper [Retype_AI_assms]:
apply (simp add:range_cover_def word_bits_def)
apply (simp add:range_cover_def)
apply (clarsimp simp:obj_range_def[symmetric] obj_bits_api_def3 Int_ac tyunt
split:split_if_asm)
split: if_split_asm)
apply (case_tac "{word..word + 2 ^ nat1 - 1} = obj_range p (default_object ty us)")
apply simp
apply (erule disjE)
@ -832,10 +832,10 @@ lemma vs_lookup':
"vs_lookup s' = vs_lookup s"
apply (rule order_antisym)
apply (rule vs_lookup_sub2)
apply (clarsimp simp: obj_at_def s'_def ps_def split: split_if_asm)
apply (clarsimp simp: obj_at_def s'_def ps_def split: if_split_asm)
apply simp
apply (rule vs_lookup_sub)
apply (clarsimp simp: obj_at_def s'_def ps_def split: split_if_asm dest!: orthr)
apply (clarsimp simp: obj_at_def s'_def ps_def split: if_split_asm dest!: orthr)
apply simp
done
@ -843,10 +843,10 @@ lemma vs_lookup_pages':
"vs_lookup_pages s' = vs_lookup_pages s"
apply (rule order_antisym)
apply (rule vs_lookup_pages_sub2)
apply (clarsimp simp: obj_at_def s'_def ps_def split: split_if_asm)
apply (clarsimp simp: obj_at_def s'_def ps_def split: if_split_asm)
apply simp
apply (rule vs_lookup_pages_sub)
apply (clarsimp simp: obj_at_def s'_def ps_def split: split_if_asm dest!: orthr)
apply (clarsimp simp: obj_at_def s'_def ps_def split: if_split_asm dest!: orthr)
apply simp
done
@ -880,7 +880,7 @@ proof
assume p: "(\<exists>\<rhd> p) s'"
assume "ko_at (ArchObj ao) p s'"
hence "ko_at (ArchObj ao) p s \<or> ArchObj ao = default_object ty us"
by (simp add: ps_def obj_at_def s'_def split: split_if_asm)
by (simp add: ps_def obj_at_def s'_def split: if_split_asm)
moreover
{ assume "ArchObj ao = default_object ty us" with tyunt
have "valid_arch_obj ao s'" by (rule valid_arch_obj_default)
@ -1187,9 +1187,8 @@ lemma clearMemory_um_eq_0:
\<lbrace>\<lambda>_ m. underlying_memory m p = 0\<rbrace>"
apply (clarsimp simp: clearMemory_def)
apply (wp mapM_x_wp_inv | simp)+
apply (rule hoare_pre)
apply (wp hoare_drop_imps storeWord_um_eq_0)
apply (fastforce simp: ignore_failure_def split: split_if_asm)
apply (wp hoare_drop_imps storeWord_um_eq_0)
apply (fastforce simp: ignore_failure_def split: if_split_asm)
done


@ -273,9 +273,9 @@ lemma check_valid_ipc_buffer_inv: (* arch_specific *)
"\<lbrace>P\<rbrace> check_valid_ipc_buffer vptr cap \<lbrace>\<lambda>rv. P\<rbrace>"
apply (simp add: check_valid_ipc_buffer_def whenE_def
cong: cap.case_cong arch_cap.case_cong
split del: split_if)
split del: if_split)
apply (rule hoare_pre)
apply (wp | simp add: whenE_def split del: split_if | wpcw)+
apply (wp | simp add: whenE_def split del: if_split | wpcw)+
done
lemma check_valid_ipc_buffer_wp[Tcb_AI_asms]:
@ -287,9 +287,9 @@ lemma check_valid_ipc_buffer_wp[Tcb_AI_asms]:
\<lbrace>\<lambda>rv. P\<rbrace>,-"
apply (simp add: check_valid_ipc_buffer_def whenE_def
cong: cap.case_cong arch_cap.case_cong
split del: split_if)
split del: if_split)
apply (rule hoare_pre)
apply (wp | simp add: whenE_def split del: split_if | wpc)+
apply (wp | simp add: whenE_def split del: if_split | wpc)+
apply (clarsimp simp: is_cap_simps is_cnode_or_valid_arch_def
valid_ipc_buffer_cap_def)
done
@ -312,7 +312,7 @@ lemma decode_set_ipc_inv[wp,Tcb_AI_asms]:
"\<lbrace>P::'state_ext::state_ext state \<Rightarrow> bool\<rbrace> decode_set_ipc_buffer args cap slot excaps \<lbrace>\<lambda>rv. P\<rbrace>"
apply (simp add: decode_set_ipc_buffer_def whenE_def
split_def
split del: split_if)
split del: if_split)
apply (rule hoare_pre, wp check_valid_ipc_buffer_inv)
apply simp
done
@ -346,7 +346,7 @@ lemma update_cap_valid[Tcb_AI_asms]:
is_cap_defs Let_def split_def valid_cap_def
badge_update_def the_cnode_cap_def cap_aligned_def
arch_update_cap_data_def
split del: split_if)
split del: if_split)
apply (simp add: badge_update_def cap_rights_update_def)
apply (simp add: badge_update_def)
apply (simp add: word_bits_def)


@ -66,7 +66,7 @@ lemma data_to_obj_type_sp[Untyped_AI_assms]:
apply (rule hoare_pre)
apply (wp|wpc)+
apply clarsimp
apply (simp add: arch_data_to_obj_type_def split: split_if_asm)
apply (simp add: arch_data_to_obj_type_def split: if_split_asm)
done
lemma dui_inv_wf[wp, Untyped_AI_assms]:
@ -99,7 +99,7 @@ proof -
show ?thesis
apply (simp add: decode_untyped_invocation_def unlessE_def[symmetric]
unlessE_whenE
split del: split_if)
split del: if_split)
apply (rule validE_R_sp[OF whenE_throwError_sp]
validE_R_sp[OF data_to_obj_type_sp]
validE_R_sp[OF dui_sp_helper] validE_R_sp[OF map_ensure_empty])+
@ -367,7 +367,7 @@ lemma invoke_untyped_st_tcb_at[Untyped_AI_assms]: (*FIXME: move *)
invoke_untyped ui
\<lbrace>\<lambda>rv. st_tcb_at P t\<rbrace>"
apply (cases ui, simp add: mapM_x_def[symmetric]
split del: split_if)
split del: if_split)
apply (rename_tac cslot_ptr word1 word2 apiobject_type nat list)
apply (rule hoare_name_pre_state)
apply (clarsimp)
@ -482,7 +482,7 @@ lemma create_cap_valid_arch_caps[wp, Untyped_AI_assms]:
apply (simp add: create_cap_def set_cdt_def)
apply (wp set_cap_valid_arch_caps hoare_vcg_disj_lift
hoare_vcg_conj_lift hoare_vcg_all_lift hoare_vcg_imp_lift
| simp add: trans_state_update[symmetric] del: trans_state_update split_paired_All split_paired_Ex imp_disjL split del: split_if)+
| simp add: trans_state_update[symmetric] del: trans_state_update split_paired_All split_paired_Ex imp_disjL split del: if_split)+
apply (clarsimp simp del: split_paired_All split_paired_Ex
imp_disjL
simp: cte_wp_at_caps_of_state)
@ -621,7 +621,7 @@ lemma valid_arch_state_global_pd:
pd_aligned pd_bits_def pageBits_def
elim!: obj_at_weakenE)
apply (clarsimp split: Structures_A.kernel_object.split_asm
arch_kernel_obj.split_asm split_if_asm)
arch_kernel_obj.split_asm if_split_asm)
done
lemma pd_shifting':
@ -702,7 +702,7 @@ lemma init_arch_objects_nonempty_table[wp]:
lemma nonempty_table_caps_of[Untyped_AI_assms]:
"nonempty_table S ko \<Longrightarrow> caps_of ko = {}"
by (auto simp: caps_of_def cap_of_def nonempty_table_def a_type_def
split: Structures_A.kernel_object.split split_if_asm)
split: Structures_A.kernel_object.split if_split_asm)
lemma nonempty_default[simp, Untyped_AI_assms]:
@ -804,7 +804,7 @@ interpretation Arch .
lemma invoke_untyp_invs'' :
"\<lbrace>(invs ::'state_ext::state_ext state \<Rightarrow> bool) and Q and valid_untyped_inv ui and ct_active\<rbrace>
invoke_untyped ui \<lbrace>\<lambda>rv s. invs s \<and> Q s\<rbrace>"
apply (cases ui, simp split del: split_if del:invoke_untyped.simps)
apply (cases ui, simp split del: if_split del:invoke_untyped.simps)
apply (rule hoare_name_pre_state)
apply (clarsimp simp del:split_paired_All split_paired_Ex split_paired_Ball invoke_untyped.simps)
apply (rename_tac cref oref ptr tp us slots s sz idx)


@ -81,7 +81,7 @@ proof -
by (clarsimp simp: entries_align_def)
thus ?thesis using P
by (auto simp: init_A_st_def init_kheap_def
elim!: ranE split: split_if_asm)
elim!: ranE split: if_split_asm)
qed
lemma set_object_valid_pdpt[wp]:
@ -143,7 +143,7 @@ lemma mapM_x_store_pte_updates:
apply wp
apply (clarsimp simp: obj_at_def)
apply (simp add: a_type_def fun_upd_idem
split: Structures_A.kernel_object.split_asm split_if_asm
split: Structures_A.kernel_object.split_asm if_split_asm
arch_kernel_obj.split_asm)
apply (simp add: mapM_x_Cons)
apply (rule hoare_seq_ext, assumption)
@ -204,7 +204,7 @@ lemma mapM_x_store_invalid_pte_valid_pdpt:
apply (erule order_le_less_trans, simp)
apply (simp add: field_simps)
apply (simp add: pt_bits_def pageBits_def)
apply (clarsimp simp: ranI elim!: ranE split: split_if_asm)
apply (clarsimp simp: ranI elim!: ranE split: if_split_asm)
apply (intro conjI)
apply (simp add: shift_0x3C_set pt_bits_def pageBits_def)
apply (rule valid_entries_overwrite_groups
@ -239,7 +239,7 @@ lemma mapM_x_store_pde_updates:
apply wp
apply (clarsimp simp: obj_at_def)
apply (simp add: a_type_def fun_upd_idem
split: Structures_A.kernel_object.split_asm split_if_asm
split: Structures_A.kernel_object.split_asm if_split_asm
arch_kernel_obj.split_asm)
apply (simp add: mapM_x_Cons)
apply (rule hoare_seq_ext, assumption)
@ -267,7 +267,7 @@ lemma mapM_x_store_pde_valid_pdpt_objs:
apply (erule order_le_less_trans, simp)
apply (simp add: field_simps)
apply (simp add: pd_bits_def pageBits_def)
apply (clarsimp simp: ranI elim!: ranE split: split_if_asm)
apply (clarsimp simp: ranI elim!: ranE split: if_split_asm)
apply (simp add: shift_0x3C_set pd_bits_def pageBits_def)
apply (rule conjI)
apply (rule_tac valid_entries_overwrite_groups
@ -446,10 +446,10 @@ lemma mapM_x_copy_pde_updates:
apply assumption
apply (thin_tac "valid P f Q" for P f Q)
apply (simp add: store_pde_def set_pd_def set_object_def
cong: bind_cong split del: split_if)
cong: bind_cong split del: if_split)
apply (wp get_object_wp get_pde_wp)
apply (clarsimp simp: obj_at_def a_type_simps mask_out_add_aligned[symmetric]
split del: split_if)
split del: if_split)
apply (simp add: a_type_simps, safe)
apply (erule rsubst[where P=Q])
apply (rule abstract_state.fold_congs[OF refl refl])
@ -476,7 +476,7 @@ lemma copy_global_mappings_valid_pdpt_objs[wp]:
apply (drule plus_one_helper2, simp+)
apply wp
apply (clarsimp simp: invs_aligned_pdD ranI
elim!: ranE split: split_if_asm)
elim!: ranE split: if_split_asm)
apply (intro conjI)
apply (rule_tac S="{x. ucast x \<ge> (kernel_base >> 20)}"
in valid_entries_partial_copy)
@ -612,7 +612,7 @@ lemma arch_recycle_cap_valid_pdpt[wp]:
and pspace_aligned and valid_arch_state\<rbrace>
arch_recycle_cap is_final cap \<lbrace>\<lambda>rv. valid_pdpt_objs\<rbrace>"
apply (simp add: arch_recycle_cap_def
cong: arch_cap.case_cong split del: split_if)
cong: arch_cap.case_cong split del: if_split)
apply (rule hoare_pre)
apply (wp |wpc | simp)+
apply (simp add:swp_def)
@ -662,7 +662,7 @@ lemma invoke_cnode_valid_pdpt_objs[wp]:
"\<lbrace>valid_pdpt_objs and invs and valid_cnode_inv i\<rbrace> invoke_cnode i \<lbrace>\<lambda>rv. valid_pdpt_objs\<rbrace>"
apply (simp add: invoke_cnode_def)
apply (rule hoare_pre)
apply (wp get_cap_wp | wpc | simp split del: split_if)+
apply (wp get_cap_wp | wpc | simp split del: if_split)+
apply (clarsimp)
done
@ -695,10 +695,10 @@ lemma valid_pdpt_objs_trans_state[simp]: "valid_pdpt_objs (trans_state f s) = va
lemma retype_region_valid_pdpt[wp]:
"\<lbrace>valid_pdpt_objs\<rbrace> retype_region ptr bits o_bits type \<lbrace>\<lambda>rv. valid_pdpt_objs\<rbrace>"
apply (simp add: retype_region_def split del: split_if)
apply (simp add: retype_region_def split del: if_split)
apply (wp | simp only: valid_pdpt_objs_trans_state trans_state_update[symmetric])+
apply (clarsimp simp: retype_addrs_fold foldr_upd_app_if ranI
elim!: ranE split: split_if_asm simp del:fun_upd_apply)
elim!: ranE split: if_split_asm simp del:fun_upd_apply)
apply (simp add: default_object_def default_arch_object_def
split: Structures_A.kernel_object.splits
Structures_A.apiobject_type.split aobject_type.split)+
@ -1787,7 +1787,7 @@ lemma arch_decode_invocation_valid_pdpt[wp]:
show ?thesis
apply (simp add: arch_decode_invocation_def
Let_def split_def get_master_pde_def
split del: split_if
split del: if_split
cong: arch_cap.case_cong if_cong cap.case_cong
option.case_cong)
apply (rule hoare_pre)
@ -1802,7 +1802,7 @@ lemma arch_decode_invocation_valid_pdpt[wp]:
mask_lower_twice pd_bits_def bitwise pageBits_def
not_le sz
del: hoare_True_E_R
split del: split_if
split del: if_split
| simp only: obj_at_def)+)
apply (rule_tac Q'="\<lambda>rv. \<exists>\<rhd> rv and K (is_aligned rv pd_bits) and
(\<exists>\<rhd> (lookup_pd_slot rv (args ! 0) && ~~ mask pd_bits)) and
@ -1822,7 +1822,7 @@ lemma arch_decode_invocation_valid_pdpt[wp]:
mask_lower_twice pd_bits_def bitwise pageBits_def
not_le sz
del: hoare_True_E_R
split del: split_if
split del: if_split
| simp only: obj_at_def)+)
apply (rule_tac Q'="\<lambda>rv. \<exists>\<rhd> rv and K (is_aligned rv pd_bits) and
(\<exists>\<rhd> (lookup_pd_slot rv (snd pa) && ~~ mask pd_bits)) and
@ -1843,7 +1843,7 @@ lemma arch_decode_invocation_valid_pdpt[wp]:
mask_lower_twice pd_bits_def bitwise pageBits_def
not_le sz
del: hoare_True_E_R
split del: split_if
split del: if_split
| simp only: obj_at_def)+)
apply (rule hoare_post_imp_R[where P=\<top>])
apply (rule hoare_True_E_R)
@ -1853,7 +1853,7 @@ lemma arch_decode_invocation_valid_pdpt[wp]:
| simp add: invocation_duplicates_valid_def unlessE_def whenE_def
pti_duplicates_valid_def page_inv_duplicates_valid_def
del: hoare_True_E_R
split del: split_if
split del: if_split
| simp only: obj_at_def)+)
apply (auto simp:valid_cap_simps)
done
@ -1862,7 +1862,7 @@ qed
lemma decode_invocation_valid_pdpt[wp]:
"\<lbrace>invs and valid_cap cap and valid_pdpt_objs\<rbrace> decode_invocation label args cap_index slot cap excaps
\<lbrace>invocation_duplicates_valid\<rbrace>,-"
apply (simp add: decode_invocation_def split del: split_if)
apply (simp add: decode_invocation_def split del: if_split)
apply (rule hoare_pre)
apply (wp | wpc
| simp only: invocation_duplicates_valid_def o_def uncurry_def split_def