diff --git a/proof/drefine/Finalise_DR.thy b/proof/drefine/Finalise_DR.thy index 3f1b17cab..96318cf92 100644 --- a/proof/drefine/Finalise_DR.thy +++ b/proof/drefine/Finalise_DR.thy @@ -11,7 +11,7 @@ theory Finalise_DR imports KHeap_DR - "../invariant-abstract/PDPTEntries_AI" + "../invariant-abstract/VSpaceEntries_AI" begin context begin interpretation Arch . (*FIXME: arch_split*) diff --git a/proof/infoflow/Syscall_IF.thy b/proof/infoflow/Syscall_IF.thy index f909a3a47..a76a3578d 100644 --- a/proof/infoflow/Syscall_IF.thy +++ b/proof/infoflow/Syscall_IF.thy @@ -816,7 +816,7 @@ lemma handle_recv_reads_respects_f: apply (wp get_ntfn_wp get_cap_wp | wpc)+ apply simp apply(rule hoare_pre) - apply(rule PDPTEntries_AI.hoare_vcg_all_liftE) + apply(rule VSpaceEntries_AI.hoare_vcg_all_liftE) apply (rule_tac Q="\r s. silc_inv aag st s \ einvs s \ pas_refined aag s \ tcb_at rv s \ pas_cur_domain aag s \ is_subject aag rv \ is_subject aag (cur_thread s) \ diff --git a/proof/invariant-abstract/AInvsPre.thy b/proof/invariant-abstract/AInvsPre.thy index a617541e0..6f82d5c94 100644 --- a/proof/invariant-abstract/AInvsPre.thy +++ b/proof/invariant-abstract/AInvsPre.thy @@ -1,5 +1,5 @@ theory AInvsPre -imports PDPTEntries_AI ADT_AI +imports "./$L4V_ARCH/ArchVSpaceEntries_AI" ADT_AI begin locale AInvsPre = @@ -14,4 +14,4 @@ locale AInvsPre = definition "kernel_mappings \ {x. x \ kernel_base}" -end \ No newline at end of file +end diff --git a/proof/invariant-abstract/ARM/ArchUntyped_AI.thy b/proof/invariant-abstract/ARM/ArchUntyped_AI.thy index 5f623460b..61c12ec60 100644 --- a/proof/invariant-abstract/ARM/ArchUntyped_AI.thy +++ b/proof/invariant-abstract/ARM/ArchUntyped_AI.thy @@ -227,7 +227,6 @@ lemma copy_global_mappings_hoare_lift:(*FIXME: arch_split \ these d apply (wp mapM_x_wp' wp) done -declare [[show_types=true]] lemma init_arch_objects_hoare_lift: assumes wp: "\oper. \(P::'state_ext::state_ext state\bool)\ do_machine_op oper \\rv :: unit. Q\" "\ptr val. \P\ store_pde ptr val \\rv. P\" diff --git a/proof/invariant-abstract/PDPTEntries_AI.thy b/proof/invariant-abstract/ARM/ArchVSpaceEntries_AI.thy similarity index 88% rename from proof/invariant-abstract/PDPTEntries_AI.thy rename to proof/invariant-abstract/ARM/ArchVSpaceEntries_AI.thy index 6a2534136..1a95755fc 100644 --- a/proof/invariant-abstract/PDPTEntries_AI.thy +++ b/proof/invariant-abstract/ARM/ArchVSpaceEntries_AI.thy @@ -8,271 +8,10 @@ * @TAG(GD_GPL) *) -theory PDPTEntries_AI -imports Syscall_AI +theory ArchVSpaceEntries_AI +imports "../VSpaceEntries_AI" begin -definition valid_entries :: " ('b \ ('a::len) word \ 'c set) \ (('a::len) word \ 'b) \ bool" - where "valid_entries \ \range fun. \x y. x \ y \ range (fun x) x \ range (fun y) y = {}" - -definition entries_align :: "('b \ nat ) \ (('a::len) word \ 'b) \ bool" - where "entries_align \ \sz fun. \x. is_aligned x (sz (fun x))" - -lemma valid_entries_overwrite_0: - assumes ve: "valid_entries rg tab" - assumes disjoint: "\p. \p \ x\ \ rg v x \ rg (tab p) p = {}" - shows "valid_entries rg (tab (x := v))" - apply (subst valid_entries_def) - apply clarsimp - apply (intro allI impI conjI) - apply clarsimp - apply (rule disjoint) - apply simp - apply clarsimp - apply (drule disjoint) - apply blast - using ve - apply (clarsimp simp:valid_entries_def) - done - -lemma vaid_entries_overwrite_0_weak: - assumes ve: "valid_entries rg tab" - assumes disjoint: "rg v x \ rg (tab x) x" - shows "valid_entries rg (tab (x := v))" - using assms - apply (subst valid_entries_def) - apply clarsimp - apply (intro allI impI conjI) - apply (fastforce simp:valid_entries_def)+ - done - -lemma valid_entries_partial_copy: - "\ valid_entries rg tab; valid_entries rg tab'; - \v x. P x \ (rg v x \ S); - \v x. \ P x \ (rg v x \ S) = {}\ - \ valid_entries rg (\x. if P x then tab x else tab' x)" - apply (subst valid_entries_def, simp) - apply (intro allI impI conjI) - apply (fastforce simp:valid_entries_def) - apply (drule_tac x = "tab x" in spec) - apply (drule_tac x = x in spec) - apply (drule_tac x = "tab' y" in spec) - apply (drule_tac x = y in spec) - apply clarsimp - apply blast - apply (fastforce simp:valid_entries_def)+ - done - -lemma valid_entries_overwrite_groups: - "\valid_entries rg tab; valid_entries rg (\_. v); - \v x. P x \ rg v x \ S; - \v x. \ P x \ rg v x \ S = {}\ - \ valid_entries rg (\x. if P x then v else tab x)" - by (rule valid_entries_partial_copy) - -lemmas valid_entries_overwrite_group - = valid_entries_overwrite_groups[where S="{y}" for y, simplified] - -lemma valid_entriesD: - "\x \ y; valid_entries rg fun\ \ rg (fun x) x \ rg (fun y) y = {}" - by (simp add:valid_entries_def) - -lemma aligned_le_sharp: - "\a \ b;is_aligned a n\ \ a \ b &&~~ mask n" - apply (simp add:is_aligned_mask) - apply (drule neg_mask_mono_le[where n = n]) - apply (simp add:mask_out_sub_mask) - done - -lemma ucast_neg_mask: - "len_of TYPE('a) \ len_of TYPE ('b) - \ ((ucast ptr && ~~ mask n)::('a :: len) word) = ucast ((ptr::('b :: len) word) && ~~ mask n)" - apply (rule word_eqI) - apply (auto simp:nth_ucast neg_mask_bang word_size) - done - -lemma shiftr_eq_neg_mask_eq: - "a >> b = c >> b \ a && ~~ mask b = c && ~~ mask b" - apply (rule word_eqI) - apply (simp add:neg_mask_bang) - apply (drule_tac f = "\x. x !! (n - b)" in arg_cong) - apply (simp add:nth_shiftr) - apply (rule iffI) - apply simp+ - done - -lemma delete_objects_reduct: - "valid (\s. P (kheap (s :: ('z::state_ext) state))) (modify (detype {ptr..ptr + 2 ^ bits - 1})) - (\_ s. P(kheap (s :: ('z::state_ext) state))) \ - valid (\s. P (kheap (s :: ('z::state_ext) state))) (delete_objects ptr bits) (\_ s. P (kheap s))" - apply (clarsimp simp add: delete_objects_def do_machine_op_def split_def) - apply wp - apply (clarsimp simp add: valid_def simpler_modify_def) - done - -(* FIXME: move *) -lemma upto_0_to_n: - "0 < n \ tl [0.. [0..is_aligned (p::word32) 6\ - \ ucast ((pa && mask 4) + (ucast (p && mask 10 >> 2)::word8)) - = ucast (pa && mask 4) + (p && mask 10 >> 2)" - apply (simp add:is_aligned_mask mask_def) - apply word_bitwise - apply (auto simp:carry_def) - done - -lemma ucast_pd_index: - "\is_aligned (p::word32) 6\ - \ ucast ((pa && mask 4) + (ucast (p && mask 14 >> 2)::12 word)) - = ucast (pa && mask 4) + (p && mask 14 >> 2)" - apply (simp add:is_aligned_mask mask_def) - apply word_bitwise - apply (auto simp:carry_def) - done - -lemma unat_ucast_12_32: - "unat (ucast (x::(12 word))::word32) = unat x" - apply (subst unat_ucast) - apply (rule mod_less) - apply (rule less_le_trans[OF unat_lt2p]) - apply simp - done - -lemma all_imp_ko_at_from_ex_strg: - "((\v. ko_at (f v) p s \ P v) \ inj f) \ (\v. ko_at (f v) p s \ P v)" - apply (clarsimp simp add: obj_at_def) - apply (auto dest: inj_onD) - done - -lemma set_cap_arch_obj_neg: - "\\s. \ko_at (ArchObj ao) p s \ cte_wp_at (\_. True) p' s\ set_cap cap p' \\_ s. \ko_at (ArchObj ao) p s\" - apply (simp add: set_cap_def split_def) - apply (wp set_object_neg_ko get_object_wp| wpc)+ - apply (auto simp: pred_neg_def) - done - -lemma mapME_x_Nil: - "mapME_x f [] = returnOk ()" - unfolding mapME_x_def sequenceE_x_def - by simp - -lemma mapME_x_mapME: - "mapME_x m l = (mapME m l >>=E (%_. returnOk ()))" - apply (simp add: mapME_x_def sequenceE_x_def mapME_def sequenceE_def) - apply (induct l, simp_all add: Let_def bindE_assoc) - done - -lemma mapME_wp: - assumes x: "\x. x \ S \ \P\ f x \\rv. P\, \E\" - shows "set xs \ S \ \P\ mapME f xs \\rv. P\, \E\" - apply (induct xs) - apply (simp add: mapME_def sequenceE_def) - apply wp - apply (simp add: mapME_Cons) - apply wp - apply simp - apply (simp add: x) - done - -lemma mapME_x_wp: - assumes x: "\x. x \ S \ \P\ f x \\rv. P\, \E\" - shows "set xs \ S \ \P\ mapME_x f xs \\rv. P\, \E\" - apply (subst mapME_x_mapME) - apply wp - apply simp - apply (rule mapME_wp) - apply (rule x) - apply assumption+ - done - -lemmas mapME_x_wp' = mapME_x_wp [OF _ subset_refl] - -lemma hoare_vcg_all_liftE: - "\ \x. \P x\ f \Q x\,\E\ \ \ \\s. \x. P x s\ f \\rv s. \x. Q x rv s\,\E\" - by (fastforce simp: validE_def valid_def split: sum.splits) - -lemma hoare_vcg_const_Ball_liftE: - "\ \x. x \ S \ \P x\ f \Q x\,\E\; \\s. True\ f \\r s. True\, \E\ \ \ \\s. \x\S. P x s\ f \\rv s. \x\S. Q x rv s\,\E\" - by (fastforce simp: validE_def valid_def split: sum.splits) - -lemma hoare_post_conjE: - "\ \ P \ a \ Q \,\E\; \ P \ a \ R \,\E\ \ \ \ P \ a \ Q And R \,\E\" - by (clarsimp simp: validE_def valid_def split_def bipred_conj_def - split: sum.splits) - -lemma hoare_vcg_conj_liftE: - assumes x: "\P\ f \Q\,\E\" - assumes y: "\P'\ f \Q'\,\E\" - shows "\\s. P s \ P' s\ f \\rv s. Q rv s \ Q' rv s\,\E\" - apply (subst bipred_conj_def[symmetric], rule hoare_post_conjE) - apply (rule hoare_vcg_precond_impE [OF x], simp) - apply (rule hoare_vcg_precond_impE [OF y], simp) - done - -lemma mapME_x_accumulate_checks: - assumes P: "\x. x \ set xs \ \Q\ f x \\rv. P x\, \E\" - and Q : "\x. x \ set xs \ \Q\ f x \\rv. Q\, \E\" - and P': "\x y. y \ x \ \P y\ f x \\rv. P y\, \E\" - and distinct: "distinct xs" - shows "\Q \ mapME_x f xs \\rv s. \x \ set xs. P x s\, \E\" - using assms - proof (induct xs) - case Nil - show ?case - by (simp add: mapME_x_Nil, wp) - next - case (Cons y ys) - show ?case - apply (simp add: mapME_x_Cons) - apply wp - apply (rule hoare_vcg_conj_liftE) - apply (wp mapME_x_wp' P P' - hoare_vcg_const_Ball_liftE - | simp add:Q - | rule hoare_post_impErr[OF P])+ - using Cons.prems - apply fastforce - apply (wp Cons.hyps) - apply (rule Cons.prems,simp) - apply (wp Cons.prems(2),simp) - apply (wp Cons.prems(3),simp) - using Cons.prems - apply fastforce - apply (rule hoare_pre) - apply (rule hoare_vcg_conj_liftE) - apply (wp Cons.prems| simp)+ - done - qed - -lemma hoare_vcg_ex_liftE: - "\ \x. \P x\ f \Q x\,\E\ \ \ \\s. \x. P x s\ f \\rv s. \x. Q x rv s\,\E\" - by (fastforce simp: validE_def valid_def split: sum.splits) - -lemma mapME_singleton: - "mapME_x f [x] = f x" - by (simp add:mapME_x_def sequenceE_x_def) - context Arch begin global_naming ARM (*FIXME: arch_split*) lemma a_type_pdD: diff --git a/proof/invariant-abstract/VSpaceEntries_AI.thy b/proof/invariant-abstract/VSpaceEntries_AI.thy new file mode 100644 index 000000000..0a45dba77 --- /dev/null +++ b/proof/invariant-abstract/VSpaceEntries_AI.thy @@ -0,0 +1,276 @@ +(* + * Copyright 2014, General Dynamics C4 Systems + * + * This software may be distributed and modified according to the terms of + * the GNU General Public License version 2. Note that NO WARRANTY is provided. + * See "LICENSE_GPLv2.txt" for details. + * + * @TAG(GD_GPL) + *) + +theory VSpaceEntries_AI +imports Syscall_AI +begin + +definition valid_entries :: " ('b \ ('a::len) word \ 'c set) \ (('a::len) word \ 'b) \ bool" + where "valid_entries \ \range fun. \x y. x \ y \ range (fun x) x \ range (fun y) y = {}" + +definition entries_align :: "('b \ nat ) \ (('a::len) word \ 'b) \ bool" + where "entries_align \ \sz fun. \x. is_aligned x (sz (fun x))" + +lemma valid_entries_overwrite_0: + assumes ve: "valid_entries rg tab" + assumes disjoint: "\p. \p \ x\ \ rg v x \ rg (tab p) p = {}" + shows "valid_entries rg (tab (x := v))" + apply (subst valid_entries_def) + apply clarsimp + apply (intro allI impI conjI) + apply clarsimp + apply (rule disjoint) + apply simp + apply clarsimp + apply (drule disjoint) + apply blast + using ve + apply (clarsimp simp:valid_entries_def) + done + +lemma vaid_entries_overwrite_0_weak: + assumes ve: "valid_entries rg tab" + assumes disjoint: "rg v x \ rg (tab x) x" + shows "valid_entries rg (tab (x := v))" + using assms + apply (subst valid_entries_def) + apply clarsimp + apply (intro allI impI conjI) + apply (fastforce simp:valid_entries_def)+ + done + +lemma valid_entries_partial_copy: + "\ valid_entries rg tab; valid_entries rg tab'; + \v x. P x \ (rg v x \ S); + \v x. \ P x \ (rg v x \ S) = {}\ + \ valid_entries rg (\x. if P x then tab x else tab' x)" + apply (subst valid_entries_def, simp) + apply (intro allI impI conjI) + apply (fastforce simp:valid_entries_def) + apply (drule_tac x = "tab x" in spec) + apply (drule_tac x = x in spec) + apply (drule_tac x = "tab' y" in spec) + apply (drule_tac x = y in spec) + apply clarsimp + apply blast + apply (fastforce simp:valid_entries_def)+ + done + +lemma valid_entries_overwrite_groups: + "\valid_entries rg tab; valid_entries rg (\_. v); + \v x. P x \ rg v x \ S; + \v x. \ P x \ rg v x \ S = {}\ + \ valid_entries rg (\x. if P x then v else tab x)" + by (rule valid_entries_partial_copy) + +lemmas valid_entries_overwrite_group + = valid_entries_overwrite_groups[where S="{y}" for y, simplified] + +lemma valid_entriesD: + "\x \ y; valid_entries rg fun\ \ rg (fun x) x \ rg (fun y) y = {}" + by (simp add:valid_entries_def) + +lemma aligned_le_sharp: + "\a \ b;is_aligned a n\ \ a \ b &&~~ mask n" + apply (simp add:is_aligned_mask) + apply (drule neg_mask_mono_le[where n = n]) + apply (simp add:mask_out_sub_mask) + done + +lemma ucast_neg_mask: + "len_of TYPE('a) \ len_of TYPE ('b) + \ ((ucast ptr && ~~ mask n)::('a :: len) word) = ucast ((ptr::('b :: len) word) && ~~ mask n)" + apply (rule word_eqI) + apply (auto simp:nth_ucast neg_mask_bang word_size) + done + +lemma shiftr_eq_neg_mask_eq: + "a >> b = c >> b \ a && ~~ mask b = c && ~~ mask b" + apply (rule word_eqI) + apply (simp add:neg_mask_bang) + apply (drule_tac f = "\x. x !! (n - b)" in arg_cong) + apply (simp add:nth_shiftr) + apply (rule iffI) + apply simp+ + done + +lemma delete_objects_reduct: + "valid (\s. P (kheap (s :: ('z::state_ext) state))) (modify (detype {ptr..ptr + 2 ^ bits - 1})) + (\_ s. P(kheap (s :: ('z::state_ext) state))) \ + valid (\s. P (kheap (s :: ('z::state_ext) state))) (delete_objects ptr bits) (\_ s. P (kheap s))" + apply (clarsimp simp add: delete_objects_def do_machine_op_def split_def) + apply wp + apply (clarsimp simp add: valid_def simpler_modify_def) + done + +(* FIXME: move *) +lemma upto_0_to_n: + "0 < n \ tl [0.. [0..is_aligned (p::word32) 6\ + \ ucast ((pa && mask 4) + (ucast (p && mask 10 >> 2)::word8)) + = ucast (pa && mask 4) + (p && mask 10 >> 2)" + apply (simp add:is_aligned_mask mask_def) + apply word_bitwise + apply (auto simp:carry_def) + done + +lemma ucast_pd_index: + "\is_aligned (p::word32) 6\ + \ ucast ((pa && mask 4) + (ucast (p && mask 14 >> 2)::12 word)) + = ucast (pa && mask 4) + (p && mask 14 >> 2)" + apply (simp add:is_aligned_mask mask_def) + apply word_bitwise + apply (auto simp:carry_def) + done + +lemma unat_ucast_12_32: + "unat (ucast (x::(12 word))::word32) = unat x" + apply (subst unat_ucast) + apply (rule mod_less) + apply (rule less_le_trans[OF unat_lt2p]) + apply simp + done + +lemma all_imp_ko_at_from_ex_strg: + "((\v. ko_at (f v) p s \ P v) \ inj f) \ (\v. ko_at (f v) p s \ P v)" + apply (clarsimp simp add: obj_at_def) + apply (auto dest: inj_onD) + done + +lemma set_cap_arch_obj_neg: + "\\s. \ko_at (ArchObj ao) p s \ cte_wp_at (\_. True) p' s\ set_cap cap p' \\_ s. \ko_at (ArchObj ao) p s\" + apply (simp add: set_cap_def split_def) + apply (wp set_object_neg_ko get_object_wp| wpc)+ + apply (auto simp: pred_neg_def) + done + +lemma mapME_x_Nil: + "mapME_x f [] = returnOk ()" + unfolding mapME_x_def sequenceE_x_def + by simp + +lemma mapME_x_mapME: + "mapME_x m l = (mapME m l >>=E (%_. returnOk ()))" + apply (simp add: mapME_x_def sequenceE_x_def mapME_def sequenceE_def) + apply (induct l, simp_all add: Let_def bindE_assoc) + done + +lemma mapME_wp: + assumes x: "\x. x \ S \ \P\ f x \\rv. P\, \E\" + shows "set xs \ S \ \P\ mapME f xs \\rv. P\, \E\" + apply (induct xs) + apply (simp add: mapME_def sequenceE_def) + apply wp + apply (simp add: mapME_Cons) + apply wp + apply simp + apply (simp add: x) + done + +lemma mapME_x_wp: + assumes x: "\x. x \ S \ \P\ f x \\rv. P\, \E\" + shows "set xs \ S \ \P\ mapME_x f xs \\rv. P\, \E\" + apply (subst mapME_x_mapME) + apply wp + apply simp + apply (rule mapME_wp) + apply (rule x) + apply assumption+ + done + +lemmas mapME_x_wp' = mapME_x_wp [OF _ subset_refl] + +lemma hoare_vcg_all_liftE: + "\ \x. \P x\ f \Q x\,\E\ \ \ \\s. \x. P x s\ f \\rv s. \x. Q x rv s\,\E\" + by (fastforce simp: validE_def valid_def split: sum.splits) + +lemma hoare_vcg_const_Ball_liftE: + "\ \x. x \ S \ \P x\ f \Q x\,\E\; \\s. True\ f \\r s. True\, \E\ \ \ \\s. \x\S. P x s\ f \\rv s. \x\S. Q x rv s\,\E\" + by (fastforce simp: validE_def valid_def split: sum.splits) + +lemma hoare_post_conjE: + "\ \ P \ a \ Q \,\E\; \ P \ a \ R \,\E\ \ \ \ P \ a \ Q And R \,\E\" + by (clarsimp simp: validE_def valid_def split_def bipred_conj_def + split: sum.splits) + +lemma hoare_vcg_conj_liftE: + assumes x: "\P\ f \Q\,\E\" + assumes y: "\P'\ f \Q'\,\E\" + shows "\\s. P s \ P' s\ f \\rv s. Q rv s \ Q' rv s\,\E\" + apply (subst bipred_conj_def[symmetric], rule hoare_post_conjE) + apply (rule hoare_vcg_precond_impE [OF x], simp) + apply (rule hoare_vcg_precond_impE [OF y], simp) + done + +lemma mapME_x_accumulate_checks: + assumes P: "\x. x \ set xs \ \Q\ f x \\rv. P x\, \E\" + and Q : "\x. x \ set xs \ \Q\ f x \\rv. Q\, \E\" + and P': "\x y. y \ x \ \P y\ f x \\rv. P y\, \E\" + and distinct: "distinct xs" + shows "\Q \ mapME_x f xs \\rv s. \x \ set xs. P x s\, \E\" + using assms + proof (induct xs) + case Nil + show ?case + by (simp add: mapME_x_Nil, wp) + next + case (Cons y ys) + show ?case + apply (simp add: mapME_x_Cons) + apply wp + apply (rule hoare_vcg_conj_liftE) + apply (wp mapME_x_wp' P P' + hoare_vcg_const_Ball_liftE + | simp add:Q + | rule hoare_post_impErr[OF P])+ + using Cons.prems + apply fastforce + apply (wp Cons.hyps) + apply (rule Cons.prems,simp) + apply (wp Cons.prems(2),simp) + apply (wp Cons.prems(3),simp) + using Cons.prems + apply fastforce + apply (rule hoare_pre) + apply (rule hoare_vcg_conj_liftE) + apply (wp Cons.prems| simp)+ + done + qed + +lemma hoare_vcg_ex_liftE: + "\ \x. \P x\ f \Q x\,\E\ \ \ \\s. \x. P x s\ f \\rv s. \x. Q x rv s\,\E\" + by (fastforce simp: validE_def valid_def split: sum.splits) + +lemma mapME_singleton: + "mapME_x f [x] = f x" + by (simp add:mapME_x_def sequenceE_x_def) + +end