This also moves several lemmas required for obj_range'_disjoint
to Invariants_H
Signed-off-by: Michael McInerney <michael.mcinerney@proofcraft.systems>
Proofs now don't care about numDomains, except for a small interface in
Invariants_H. The interface is currently by convention only, and has no
enforcement capabilities.
Signed-off-by: Rafal Kolanski <rafal.kolanski@proofcraft.systems>
- in VSpace_R
- the same method added to each arch; would be good to unify via
arch split in the future
- also includes some style cleanup
Signed-off-by: Miki Tanaka <miki.tanaka@data61.csiro.au>
- this introduces idle_tcb' which is defined directly using tcb fields
- backport from MCS ARM Refine
Signed-off-by: Miki Tanaka <miki.tanaka@data61.csiro.au>
It turns out that Untyped_R needs the properties of valid_arch_cap' non-locally
for all descendants of the untyped cap it's looking at. This would be a fairly
involved property to assert, and so far only Retype/Detype had any real proof
obligations on valid_cap', i.e. it should be cheap to keep.
Michael McInerney
Rafal Kolanski
Gerwin Klein
Miki Tanaka
Gerwin Klein
Rafal Kolanski