(* * Copyright 2014, NICTA * * This software may be distributed and modified according to the terms of * the GNU General Public License version 2. Note that NO WARRANTY is provided. * See "LICENSE_GPLv2.txt" for details. * * @TAG(NICTA_GPL) *) (* * The layout of the capability space and other parts of the system-initialiser. *) theory RootTask_SI imports WellFormed_SI begin (****************************************************************** * Definition of the CSpace of the root task. * * This requires a default cap to all of the objects created, * * and a copy of caps to all of the CNodes (for installing caps). * ******************************************************************) consts si_cnode_id :: cdl_object_id si_asidpool_id :: cdl_object_id si_asidpool_base :: nat definition si_cnode_size :: cdl_size_bits where "si_cnode_size = 12" (* If we axioimise this size, we need it to be smaller than the word size. * We need this to prove that: - word_bits - si_cnode_size + si_cnode_size = word_bits. - offset (of_nat slot) si_cnode_size = slot *) lemma si_cnode_size_less_than_word_size [simp]: "si_cnode_size < word_bits" by (clarsimp simp: si_cnode_size_def word_bits_def) lemma si_cnode_size_less_than_eq_word_size [simp]: "si_cnode_size \ word_bits" by (rule less_imp_le_nat, simp) lemma si_cnode_size_greater_than_1 [simp]: "1 < si_cnode_size" by (clarsimp simp: si_cnode_size_def) lemma si_cnode_size_greater_than_2 [simp]: "2 < si_cnode_size" by (clarsimp simp: si_cnode_size_def) lemma unat_less_2_si_cnode_size: "unat (cptr::32 word) < 2 ^ si_cnode_size \ cptr < 2 ^ si_cnode_size" by (metis si_cnode_size_less_than_word_size unat_power_lower32 word_less_nat_alt) lemma unat_less_2_si_cnode_size': "(cptr::32 word) < 2 ^ si_cnode_size \ unat cptr < 2 ^ si_cnode_size" by (metis unat_less_helper word_unat_power) (* This is stored in the root TCB. *) definition si_cspace_cap :: cdl_cap where "si_cspace_cap = CNodeCap si_cnode_id 0 (word_bits - si_cnode_size) si_cnode_size" (* This is the cap the root TCB has to its own root cnode (stored in its root CNode). *) definition si_cnode_cap :: cdl_cap where "si_cnode_cap = CNodeCap si_cnode_id 0 (word_bits - si_cnode_size) si_cnode_size" definition root_tcb :: cdl_object where "root_tcb = update_slots [tcb_cspace_slot \ si_cspace_cap, tcb_vspace_slot \ undefined, tcb_replycap_slot \ undefined, tcb_caller_slot \ undefined, tcb_ipcbuffer_slot \ undefined, tcb_pending_op_slot \ undefined] (Tcb (default_tcb minBound))" definition empty_asid :: cdl_asid_pool where "empty_asid = \cdl_asid_pool_caps = empty_cap_map asid_low_bits\" definition si_asid :: "sep_state \ bool" where "si_asid \ (si_cnode_id, unat seL4_CapInitThreadASIDPool) \c AsidPoolCap si_asidpool_id si_asidpool_base \* si_asidpool_id \f AsidPool empty_asid \* (\* offset\{offset. offset < 2 ^ asid_low_bits}. (si_asidpool_id, offset) \c -)" abbreviation "si_tcb_id \ root_tcb_id" definition si_objects :: "sep_state \ bool" where "si_objects \ si_tcb_id \f root_tcb \* si_cnode_id \f CNode (empty_cnode si_cnode_size) \* (si_tcb_id, tcb_cspace_slot) \c si_cspace_cap \* (si_tcb_id, tcb_pending_op_slot) \c RunningCap \* (si_cnode_id, unat seL4_CapInitThreadCNode) \c si_cnode_cap \* (si_cnode_id, unat seL4_CapIRQControl) \c IrqControlCap \* si_asid" definition si_objects_extra_caps' :: "cdl_object_id set \ cdl_cptr list \ cdl_cptr list \ sep_state \ bool" where "si_objects_extra_caps' obj_ids free_cptrs untyped_cptrs \ \s. \untyped_caps all_available_ids. ((\* (cptr, cap) \ set (zip untyped_cptrs untyped_caps). (si_cnode_id, unat cptr) \c cap) \* (\* cptr \ set (drop (card obj_ids) free_cptrs). (si_cnode_id, unat cptr) \c NullCap) \* (\* obj_id\all_available_ids. obj_id \o Untyped)) s" definition si_objects_extra_caps :: "cdl_object_id set \ cdl_cptr list \ cdl_cptr list \ cdl_state \ sep_state \ bool" where "si_objects_extra_caps obj_ids free_cptrs untyped_cptrs spec \ \s. \untyped_caps all_available_ids. ((\* (cptr, cap) \ set (zip untyped_cptrs untyped_caps). (si_cnode_id, unat cptr) \c cap) \* (\* cptr \ set (drop (card obj_ids + card {obj_id \ obj_ids. cnode_or_tcb_at obj_id spec}) free_cptrs). (si_cnode_id, unat cptr) \c NullCap) \* (\* obj_id\all_available_ids. obj_id \o Untyped)) s" lemma distinct_take_drop_append: "distinct xs \ set (take b (drop a xs)) \ set (drop (a + b) xs) = {}" by (metis distinct_append distinct_drop take_drop_append) lemma si_objects_extra_caps'_si_objects_extra_caps: "distinct free_slots \ si_objects_extra_caps' obj_ids free_slots untyped_cptrs = (si_objects_extra_caps obj_ids free_slots untyped_cptrs spec \* (\* cptr \ set (take (card {obj_id \ obj_ids. cnode_or_tcb_at obj_id spec}) (drop (card obj_ids) free_slots)). (si_cnode_id, unat cptr) \c NullCap))" apply (rule ext) apply (clarsimp simp: si_objects_extra_caps'_def si_objects_extra_caps_def sep_conj_exists) apply (rule ex_eqI)+ apply (subst take_drop_append [where a="card obj_ids" and b="card {obj_id \ obj_ids. cnode_or_tcb_at obj_id spec}"]) apply clarsimp apply (subst sep.prod.union_disjoint, (simp add: distinct_take_drop_append)+)+ apply (clarsimp simp: sep_conj_ac) done definition si_irq_nodes :: "cdl_state \ sep_state \ bool" where "si_irq_nodes spec \ (\s. \k_irq_table. (\* irq\used_irqs spec. irq \irq k_irq_table irq \* k_irq_table irq \o IRQNode empty_irq_node) s)" (*************************************** * Lemmas about the root task objects. * ***************************************) lemma is_cnode_cap_si_cspace_cap [simp]: "is_cnode_cap si_cspace_cap" by (clarsimp simp: si_cspace_cap_def) lemma is_cnode_cap_si_cnode_cap [simp]: "is_cnode_cap si_cnode_cap" by (clarsimp simp: si_cnode_cap_def) lemma is_tcb_root_tcb [simp]: "is_tcb root_tcb" by (clarsimp simp: root_tcb_def) lemma cap_guard_size_si_cnode_cap_plus_si_cnode_size [simp]: "cap_guard_size si_cnode_cap + si_cnode_size = word_bits" by (clarsimp simp: si_cnode_cap_def) lemma cap_object_si_cspace_cap [simp]: "cap_object si_cspace_cap = si_cnode_id" by (clarsimp simp: cap_object_def cap_has_object_def si_cspace_cap_def) lemma cap_object_si_cnode_cap [simp]: "cap_object si_cnode_cap = si_cnode_id" by (clarsimp simp: cap_object_def cap_has_object_def si_cnode_cap_def) lemma offset_slot_si_cnode_size: "slot < 2^si_cnode_size \ offset (of_nat slot) si_cnode_size = slot" by (clarsimp simp: offset_slot) lemma offset_slot_si_cnode_size': "slot < 2^si_cnode_size \ offset slot si_cnode_size = unat slot" by (clarsimp simp: offset_slot') lemma guard_equal_si_cspace_cap: "src_index < 2 ^ si_cnode_size \ guard_equal si_cspace_cap src_index 32" apply (clarsimp simp: si_cspace_cap_def guard_equal_def Let_unfold) apply (subst and_mask_eq_iff_shiftr_0 [THEN iffD1]) apply (clarsimp simp: word_bits_def) apply (erule less_mask_eq) apply (clarsimp simp: mask_def) done lemma guard_equal_si_cspace_cap': "src_index < 2 ^ si_cnode_size \ guard_equal si_cspace_cap src_index word_bits" by (drule guard_equal_si_cspace_cap, simp add: word_bits_def) lemma guard_equal_si_cnode_cap: "src_index < 2 ^ si_cnode_size \ guard_equal si_cnode_cap src_index 32" apply (clarsimp simp: si_cnode_cap_def guard_equal_def Let_unfold) apply (subst and_mask_eq_iff_shiftr_0 [THEN iffD1]) apply (clarsimp simp: word_bits_def) apply (erule less_mask_eq) apply (clarsimp simp: mask_def) done lemma seL4_CapInitThreadASIDPool_si_cnode_size [simp]: "seL4_CapInitThreadASIDPool < 2 ^ si_cnode_size" by (clarsimp simp: seL4_CapInitThreadASIDPool_def si_cnode_size_def) lemma guard_equal_si_cspace_cap_seL4_CapInitThreadASIDPool [simp]: "guard_equal si_cspace_cap seL4_CapInitThreadASIDPool word_bits" by (rule guard_equal_si_cspace_cap', simp) lemma si_cspace_cap_guard_equal: "guard_equal si_cnode_cap src_index 32 \ src_index < 2 ^ si_cnode_size" apply (clarsimp simp: si_cnode_cap_def guard_equal_def Let_unfold si_cnode_size_def) apply (subst (asm) shiftr_mask_eq') apply (simp add: word_bits_size word_bits_def) apply (subst (asm) le_mask_iff [symmetric]) apply (clarsimp simp: mask_def) apply (insert word32_less_sub_le [where x=src_index and n=12]) apply (clarsimp simp: word_bits_def) done lemma one_lvl_lookup_si_cspace_cap [simp]: "one_lvl_lookup si_cspace_cap word_bits si_cnode_size" by (clarsimp simp: one_lvl_lookup_def si_cspace_cap_def) lemmas one_lvl_lookup_si_cspace_cap' [simp] = one_lvl_lookup_si_cspace_cap [simplified word_bits_def, simplified] lemma one_lvl_lookup_si_cnode_cap [simp]: "one_lvl_lookup si_cnode_cap word_bits si_cnode_size" by (clarsimp simp: one_lvl_lookup_def si_cnode_cap_def) lemmas one_lvl_lookup_si_cnode_cap' [simp] = one_lvl_lookup_si_cnode_cap [simplified word_bits_def, simplified] lemma obj_tcb_root_tcb [simp]: "Tcb (obj_tcb root_tcb) = root_tcb" by (clarsimp simp: obj_tcb_def root_tcb_def update_slots_def) (*************************** * Lemmas about word size. * ***************************) lemma seL4_CapInitThreadCNode_less_than_si_cnode_size [simp]: "seL4_CapInitThreadCNode < 2 ^ si_cnode_size" apply (insert si_cnode_size_greater_than_1) apply (insert power_strict_increasing [where n=1 and a="(2::nat)" and N=si_cnode_size, simplified]) apply (clarsimp) apply (drule of_nat_less_pow_32) apply (clarsimp simp: seL4_CapInitThreadCNode_def)+ done lemma offset_seL4_CapInitThreadCNode [simp]: "offset seL4_CapInitThreadCNode si_cnode_size = unat seL4_CapInitThreadCNode" by (rule offset_slot', simp) lemma seL4_CapIRQControl_less_than_si_cnode_size [simp]: "seL4_CapIRQControl < 2 ^ si_cnode_size" apply (simp add: seL4_CapIRQControl_def) apply (insert si_cnode_size_greater_than_2) apply (insert power_strict_increasing [where n=2 and a="(2::nat)" and N=si_cnode_size, simplified]) apply (drule of_nat_less_pow_32, simp_all) done lemma offset_seL4_CapIRQControl [simp]: "offset seL4_CapIRQControl si_cnode_size = unat seL4_CapIRQControl" by (rule offset_slot', simp) (* There is a cap in the root cnode that points to the obj_id specified. * This cap should be the default cap to that object. * * This predicate can be used for spec objects, or the duplicated cnode caps. *) definition si_cap_at :: "(cdl_object_id \ cdl_object_id option) \ (cdl_object_id \ cdl_cptr option) \ cdl_state \ bool \ cdl_object_id \ sep_pred" where "si_cap_at t si_caps spec dev obj_id \ \s. \cap_ptr slot obj kobj_id. ((si_cnode_id, slot) \c default_cap (object_type obj) {kobj_id} (object_size_bits obj) dev) s \ si_caps obj_id = Some cap_ptr \ unat cap_ptr = slot \ cap_ptr < 2 ^ si_cnode_size \ cdl_objects spec obj_id = Some obj \ t obj_id = Some kobj_id" definition si_irq_cap_at :: "(cdl_irq \ cdl_cptr option) \ cdl_state \ cdl_irq \ sep_pred" where "si_irq_cap_at si_irq_caps spec irq \ \s. \cap_ptr slot. ((si_cnode_id, slot) \c IrqHandlerCap irq) s \ si_irq_caps irq = Some cap_ptr \ unat cap_ptr = slot \ cap_ptr < 2 ^ si_cnode_size" definition si_caps_at :: "(cdl_object_id \ cdl_object_id option) \ (cdl_object_id \ cdl_cptr option) \ cdl_state \ bool \ cdl_object_id set \ sep_pred" where "si_caps_at t si_caps spec dev obj_ids \ \* obj_id \ obj_ids. (si_cap_at t si_caps spec) dev obj_id" definition si_irq_caps_at :: "(cdl_irq \ cdl_cptr option) \ cdl_state \ cdl_irq set \ sep_pred" where "si_irq_caps_at si_irq_caps spec irqs \ \* irq \ irqs. si_irq_cap_at si_irq_caps spec irq" definition si_obj_cap_at' :: " (cdl_object_id \ cdl_object_id option) \ (cdl_object_id \ cdl_cptr option) \ cdl_state \ bool \ cdl_object_id \ cdl_cnode_index \ sep_pred" where "si_obj_cap_at' t si_caps spec dev obj_id slot \ \s. \ spec_cap. si_cap_at t si_caps spec dev (cap_object spec_cap) s \ opt_cap (obj_id, slot) spec = Some spec_cap" definition si_obj_cap_at where "si_obj_cap_at t si_caps spec dev obj_id slot \ if original_cap_at (obj_id, slot) spec \ cap_at cap_has_object (obj_id, slot) spec then si_obj_cap_at' t si_caps spec dev obj_id slot else \" definition si_obj_caps_at :: "(cdl_object_id \ cdl_object_id option) \ (cdl_object_id \ cdl_cptr option) \ cdl_state \ bool \ cdl_object_id \ sep_pred" where "si_obj_caps_at t si_caps spec dev obj_id \ \* slot \ dom (slots_of obj_id spec). si_obj_cap_at t si_caps spec dev obj_id slot" definition si_objs_caps_at :: "(cdl_object_id \ cdl_object_id option) \ (cdl_object_id \ cdl_cptr option) \ cdl_state \ bool \ cdl_object_id set \ sep_pred" where "si_objs_caps_at t si_caps spec dev obj_ids \ \* obj_id \ obj_ids. (si_obj_caps_at t si_caps spec) dev obj_id" definition si_spec_irq_cap_at' :: "(cdl_irq \ cdl_cptr option) \ cdl_state \ cdl_object_id \ cdl_cnode_index \ sep_pred" where "si_spec_irq_cap_at' si_irq_caps spec obj_id slot \ \s. \ spec_cap. si_irq_cap_at si_irq_caps spec (cap_irq spec_cap) s \ opt_cap (obj_id, slot) spec = Some spec_cap" definition si_spec_irq_cap_at where "si_spec_irq_cap_at si_irq_caps spec obj_id slot \ if irqhandler_cap_at (obj_id, slot) spec then si_spec_irq_cap_at' si_irq_caps spec obj_id slot else \" definition si_spec_irq_caps_at :: "(cdl_irq \ cdl_cptr option) \ cdl_state \ cdl_object_id \ sep_pred" where "si_spec_irq_caps_at si_irq_caps spec obj_id \ \* slot \ dom (slots_of obj_id spec). si_spec_irq_cap_at si_irq_caps spec obj_id slot" definition si_spec_irqs_caps_at :: "(cdl_irq \ cdl_cptr option) \ cdl_state \ cdl_object_id set \ sep_pred" where "si_spec_irqs_caps_at si_irq_caps spec obj_ids \ \* obj_id \ obj_ids. si_spec_irq_caps_at si_irq_caps spec obj_id" definition "si_null_cap_at t si_irq_caps spec obj_id \ \s. \cap_ptr slot obj kobj_id. ((si_cnode_id, slot) \c NullCap) s \ si_irq_caps obj_id = Some cap_ptr \ unat cap_ptr = slot \ cap_ptr < 2 ^ si_cnode_size \ cdl_objects spec obj_id = Some obj \ t obj_id = Some kobj_id" definition "si_null_irq_cap_at si_irq_caps spec irq \ \s. \cap_ptr slot. ((si_cnode_id, slot) \c NullCap) s \ si_irq_caps irq = Some cap_ptr \ unat cap_ptr = slot \ cap_ptr < 2 ^ si_cnode_size" definition si_spec_obj_null_cap_at' :: " (cdl_object_id \ cdl_object_id option) \ (cdl_object_id \ cdl_cptr option) \ cdl_state \ cdl_object_id \ cdl_cnode_index \ sep_pred" where "si_spec_obj_null_cap_at' t si_irq_caps spec obj_id slot \ \s. \ spec_cap. si_null_cap_at t si_irq_caps spec (cap_object spec_cap) s \ opt_cap (obj_id, slot) spec = Some spec_cap" definition si_spec_obj_null_cap_at where "si_spec_obj_null_cap_at t si_irq_caps spec obj_id slot \ if original_cap_at (obj_id, slot) spec \ cap_at cap_has_object (obj_id, slot) spec then si_spec_obj_null_cap_at' t si_irq_caps spec obj_id slot else \" definition si_spec_obj_null_caps_at :: "(cdl_object_id \ cdl_object_id option) \ (cdl_object_id \ cdl_cptr option) \ cdl_state \ cdl_object_id \ sep_pred" where "si_spec_obj_null_caps_at t si_irq_caps spec obj_id \ \* slot \ dom (slots_of obj_id spec). si_spec_obj_null_cap_at t si_irq_caps spec obj_id slot" definition si_spec_objs_null_caps_at :: "(cdl_object_id \ cdl_object_id option) \ (cdl_object_id \ cdl_cptr option) \ cdl_state \ cdl_object_id set \ sep_pred" where "si_spec_objs_null_caps_at t si_irq_caps spec obj_ids \ \* obj_id \ obj_ids. si_spec_obj_null_caps_at t si_irq_caps spec obj_id" definition si_spec_irq_null_cap_at' :: "(cdl_irq \ cdl_cptr option) \ cdl_state \ cdl_object_id \ cdl_cnode_index \ sep_pred" where "si_spec_irq_null_cap_at' si_irq_caps spec obj_id slot \ \s. \ spec_cap. si_null_irq_cap_at si_irq_caps spec (cap_irq spec_cap) s \ opt_cap (obj_id, slot) spec = Some spec_cap \ \is_untyped_cap spec_cap" definition si_spec_irq_null_cap_at where "si_spec_irq_null_cap_at si_irq_caps spec obj_id slot \ if irqhandler_cap_at (obj_id, slot) spec then si_spec_irq_null_cap_at' si_irq_caps spec obj_id slot else \" definition si_spec_irq_null_caps_at :: "(cdl_irq \ cdl_cptr option) \ cdl_state \ cdl_object_id \ sep_pred" where "si_spec_irq_null_caps_at si_irq_caps spec obj_id \ \* slot \ dom (slots_of obj_id spec). si_spec_irq_null_cap_at si_irq_caps spec obj_id slot" definition si_spec_irqs_null_caps_at :: "(cdl_irq \ cdl_cptr option) \ cdl_state \ cdl_object_id set \ sep_pred" where "si_spec_irqs_null_caps_at si_irq_caps spec obj_ids \ \* obj_id \ obj_ids. si_spec_irq_null_caps_at si_irq_caps spec obj_id" definition si_null_caps_at :: "(cdl_object_id \ cdl_object_id option) \ (cdl_object_id \ cdl_cptr option) \ cdl_state \ cdl_object_id set \ sep_pred" where "si_null_caps_at t si_caps spec obj_ids \ \* obj_id \ obj_ids. si_null_cap_at t si_caps spec obj_id" lemma si_cap_at_less_si_cnode_size: "\\si_cap_at t opt_sel4_cap spec dev obj_id \* R\ s; Some cap_ptr = opt_sel4_cap obj_id\ \ cap_ptr < 2 ^ si_cnode_size" by (clarsimp simp: si_cap_at_def sep_conj_exists) lemma si_irq_cap_at_less_si_cnode_size: "\\si_irq_cap_at opt_sel4_cap spec obj_id \* R\ s; Some cap_ptr = opt_sel4_cap obj_id\ \ cap_ptr < 2 ^ si_cnode_size" by (clarsimp simp: si_irq_cap_at_def sep_conj_exists) lemma si_cap_at_has_k_obj_id: "\\si_cap_at t opt_sel4_cap spec dev obj_id \* R\ s\ \ \cap_object_id. t obj_id = Some cap_object_id" by (clarsimp simp: si_cap_at_def sep_conj_exists) (****************************************************** * Using just si_cap_at when you have si_caps_at. * ******************************************************) lemma valid_si_caps_at_si_cap_at: "\finite obj_ids; obj_id \ obj_ids; (\R. \\si_cap_at t orig_caps spec dev obj_id \* P \* R\\ f \\_.\si_cap_at t orig_caps spec dev obj_id \* Q \* R\\)\ \ \\si_caps_at t orig_caps spec dev obj_ids \* P \* R\\ f \\_.\si_caps_at t orig_caps spec dev obj_ids \* Q \* R\\" apply (clarsimp simp: si_caps_at_def) apply (drule sep_set_conj_map_singleton_wp [where f=f and I="si_cap_at t orig_caps spec dev" and P=P and Q=Q and R=R, rotated]) apply (clarsimp simp: sep_conj_ac)+ done (********************************************************** * The pre and post conditions of the system initialiser. * **********************************************************) (* That the boot info is valid, and that there are enough free slots to initialise a system. *) definition valid_boot_info where "valid_boot_info bootinfo spec \ \s. \untyped_caps fstart fend ustart uend. ((\*(cptr, cap) \ set (zip [ustart .e. uend - 1] untyped_caps). (si_cnode_id, unat cptr) \c cap) \* (\* cptr \ set [fstart .e. fend - 1]. (si_cnode_id, unat cptr) \c NullCap) \* (\* obj_id\(\cap\set untyped_caps. cap_free_ids cap). obj_id \o Untyped) \* si_objects \* si_irq_nodes spec) s \ card (dom (cdl_objects spec)) + card {obj_id. cnode_or_tcb_at obj_id spec} \ unat fend - unat fstart \ length untyped_caps = unat uend - unat ustart \ distinct_sets (map cap_free_ids untyped_caps) \ list_all is_full_untyped_cap untyped_caps \ list_all well_formed_untyped_cap untyped_caps \ list_all (\c. \ is_device_cap c) untyped_caps \ bi_untypes bootinfo = (ustart, uend) \ bi_free_slots bootinfo = (fstart, fend) \ ustart < 2 ^ si_cnode_size \ (uend - 1) < 2 ^ si_cnode_size \ fstart < 2 ^ si_cnode_size \ (fend - 1) < 2 ^ si_cnode_size \ uend \ 0 \ fend \ 0" definition si_final_objects :: "cdl_state \ (cdl_object_id \ cdl_object_id option) \ sep_pred" where "si_final_objects spec t \ \s. \dup_caps (untyped_cptrs::32 word list) (free_cptrs::32 word list) untyped_caps all_available_ids. ((\* cptr \ set (take (card (dom (cdl_objects spec))) free_cptrs). (si_cnode_id, unat cptr) \c NullCap) \* (\* cptr \ set (drop (card (dom (cdl_objects spec)) + card ({obj_id. cnode_or_tcb_at obj_id spec})) free_cptrs). (si_cnode_id, unat cptr) \c NullCap) \* (\* (cptr, untyped_cap) \ set (zip untyped_cptrs untyped_caps). (si_cnode_id, unat cptr) \c untyped_cap) \* (\* obj_id \ all_available_ids. obj_id \o Untyped) \* (\* obj_id \ {obj_id. cnode_or_tcb_at obj_id spec}. (si_cap_at t dup_caps spec False obj_id)) \* si_objects) s" (******************************************************** * Conversion of si_objs_caps_at to si_caps_at * ********************************************************) lemma orig_cap_rewrite: "Set.filter (\cap_ref. original_cap_at cap_ref spec \ cap_at cap_has_object cap_ref spec) (SIGMA obj_id:{obj_id. cnode_at obj_id spec}. dom (slots_of obj_id spec)) = {cap_ref. original_cap_at cap_ref spec \