(* * Copyright 2014, General Dynamics C4 Systems * * SPDX-License-Identifier: GPL-2.0-only *) (* CSpace invariants *) theory CSpace_I imports ArchAcc_R begin context begin interpretation Arch . (*FIXME: arch_split*) lemma capUntypedPtr_simps [simp]: "capUntypedPtr (ThreadCap r) = r" "capUntypedPtr (NotificationCap r badge a b) = r" "capUntypedPtr (EndpointCap r badge a b c d) = r" "capUntypedPtr (Zombie r bits n) = r" "capUntypedPtr (ArchObjectCap x) = Arch.capUntypedPtr x" "capUntypedPtr (UntypedCap d r n f) = r" "capUntypedPtr (CNodeCap r n g n2) = r" "capUntypedPtr (ReplyCap r m a) = r" "Arch.capUntypedPtr (ARM_H.ASIDPoolCap r asid) = r" "Arch.capUntypedPtr (ARM_H.PageCap d r rghts sz mapdata) = r" "Arch.capUntypedPtr (ARM_H.PageTableCap r mapdata2) = r" "Arch.capUntypedPtr (ARM_H.PageDirectoryCap r mapdata3) = r" by (auto simp: capUntypedPtr_def ARM_H.capUntypedPtr_def) lemma rights_mask_map_UNIV [simp]: "rights_mask_map UNIV = allRights" by (simp add: rights_mask_map_def allRights_def) declare insert_UNIV[simp] lemma maskCapRights_allRights [simp]: "maskCapRights allRights c = c" unfolding maskCapRights_def isCap_defs allRights_def ARM_H.maskCapRights_def maskVMRights_def by (cases c) (simp_all add: Let_def split: arch_capability.split vmrights.split) lemma getCTE_inv [wp]: "\P\ getCTE addr \\rv. P\" by (simp add: getCTE_def) wp lemma getEndpoint_inv [wp]: "\P\ getEndpoint ptr \\rv. P\" by (simp add: getEndpoint_def getObject_inv loadObject_default_inv) lemma getNotification_inv [wp]: "\P\ getNotification ptr \\rv. P\" by (simp add: getNotification_def getObject_inv loadObject_default_inv) lemma getSlotCap_inv [wp]: "\P\ getSlotCap addr \\rv. P\" by (simp add: getSlotCap_def, wp) declare resolveAddressBits.simps[simp del] lemma cap_case_CNodeCap: "(case cap of CNodeCap a b c d \ P | _ \ Q) = (if isCNodeCap cap then P else Q)" by (cases cap, simp_all add: isCap_simps) lemma resolveAddressBits_inv_induct: shows "s \ \P\ resolveAddressBits cap cref depth \\rv. P\,\\rv. P\" proof (induct arbitrary: s rule: resolveAddressBits.induct) case (1 cap fn cref depth) show ?case apply (subst resolveAddressBits.simps) apply (simp add: Let_def split_def cap_case_CNodeCap[unfolded isCap_simps] split del: if_split cong: if_cong) apply (rule hoare_pre_spec_validE) apply ((elim exE | wp (once) spec_strengthen_postE[OF "1.hyps"])+, (rule refl conjI | simp add: in_monad split del: if_split)+) apply (wp | simp add: locateSlot_conv split del: if_split | wp (once) hoare_drop_imps)+ done qed lemma rab_inv' [wp]: "\P\ resolveAddressBits cap addr depth \\rv. P\" by (rule validE_valid, rule use_specE', rule resolveAddressBits_inv_induct) lemmas rab_inv'' [wp] = rab_inv' [folded resolveAddressBits_decl_def] crunch inv [wp]: lookupCap P lemma updateObject_cte_inv: "\P\ updateObject (cte :: cte) ko x y n \\rv. P\" apply (simp add: updateObject_cte) apply (cases ko, simp_all add: typeError_def unless_def split del: if_split cong: if_cong) apply (wp | simp)+ done definition "no_mdb cte \ mdbPrev (cteMDBNode cte) = 0 \ mdbNext (cteMDBNode cte) = 0" lemma mdb_next_update: "m (x \ y) \ a \ b = (if a = x then mdbNext (cteMDBNode y) = b else m \ a \ b)" by (simp add: mdb_next_rel_def mdb_next_def) lemma neg_no_loopsI: "m \ c \\<^sup>+ c \ \ no_loops m" unfolding no_loops_def by auto lemma valid_dlistEp [elim?]: "\ valid_dlist m; m p = Some cte; mdbPrev (cteMDBNode cte) \ 0; \cte'. \ m (mdbPrev (cteMDBNode cte)) = Some cte'; mdbNext (cteMDBNode cte') = p \ \ P \ \ P" unfolding valid_dlist_def Let_def by blast lemma valid_dlistEn [elim?]: "\ valid_dlist m; m p = Some cte; mdbNext (cteMDBNode cte) \ 0; \cte'. \ m (mdbNext (cteMDBNode cte)) = Some cte'; mdbPrev (cteMDBNode cte') = p \ \ P \ \ P" unfolding valid_dlist_def Let_def by blast lemmas valid_dlistE = valid_dlistEn valid_dlistEp lemma mdb_next_update_other: "\ m (x \ y) \ a \ b; x \ a \ \ m \ a \ b" by (simp add: mdb_next_rel_def mdb_next_def) lemma mdb_trancl_update_other: assumes upd: "m(p \ cte) \ x \\<^sup>+ y" and nopath: "\ m \ x \\<^sup>* p" shows "m \ x \\<^sup>+ y" using upd nopath proof induct case (base y) have "m \ x \ y" proof (rule mdb_next_update_other) from base show "p \ x" by clarsimp qed fact+ thus ?case .. next case (step y z) hence ih: "m \ x \\<^sup>+ y" by auto from ih show ?case proof show "m \ y \ z" proof (rule mdb_next_update_other) show "p \ y" proof (cases "x = p") case True thus ?thesis using step.prems by simp next case False thus ?thesis using step.prems ih by - (erule contrapos_nn, rule trancl_into_rtrancl, simp) qed qed fact+ qed qed lemma next_unfold': "m \ c \ y = (\cte. m c = Some cte \ mdbNext (cteMDBNode cte) = y)" unfolding mdb_next_rel_def by (simp add: next_unfold split: option.splits) lemma no_self_loop_next_noloop: assumes no_loop: "no_loops m" and lup: "m ptr = Some cte" shows "mdbNext (cteMDBNode cte) \ ptr" proof - from no_loop have "\ m \ ptr \ ptr" unfolding no_loops_def by - (drule spec, erule contrapos_nn, erule r_into_trancl) thus ?thesis using lup by (simp add: next_unfold') qed lemma valid_dlistI [intro?]: defines "nxt \ \cte. mdbNext (cteMDBNode cte)" and "prv \ \cte. mdbPrev (cteMDBNode cte)" assumes r1: "\p cte. \ m p = Some cte; prv cte \ 0 \ \ \cte'. m (prv cte) = Some cte' \ nxt cte' = p" and r2: "\p cte. \ m p = Some cte; nxt cte \ 0 \ \ \cte'. m (nxt cte) = Some cte' \ prv cte' = p" shows "valid_dlist m" unfolding valid_dlist_def by (auto dest: r1 r2 simp: Let_def prv_def nxt_def) lemma no_loops_tranclE: assumes nl: "no_loops m" and nxt: "m \ x \\<^sup>+ y" shows "\ m \ y \\<^sup>* x" proof assume "m \ y \\<^sup>* x" hence "m \ x \\<^sup>+ x" using nxt by simp thus False using nl unfolding no_loops_def by auto qed lemma neg_next_rtrancl_trancl: "\ \ m \ y \\<^sup>* r; m \ x \ y \ \ \ m \ x \\<^sup>+ r" apply (erule contrapos_nn) apply (drule tranclD) apply (clarsimp simp: next_unfold') done lemma next_trancl_split_tt: assumes p1: "m \ x \\<^sup>+ y" and p2: "m \ x \\<^sup>+ p" and nm: "\ m \ p \\<^sup>* y" shows "m \ y \\<^sup>* p" using p2 p1 nm proof induct case base thus ?case by (clarsimp dest!: tranclD) (drule (1) next_single_value, simp) next case (step q r) show ?case proof (cases "q = y") case True thus ?thesis using step by fastforce next case False have "m \ y \\<^sup>* q" proof (rule step.hyps) have "\ m \ q \\<^sup>+ y" by (rule neg_next_rtrancl_trancl) fact+ thus "\ m \ q \\<^sup>* y" using False by (clarsimp dest!: rtranclD) qed fact+ thus ?thesis by (rule rtrancl_into_rtrancl) fact+ qed qed lemma no_loops_upd_last: assumes noloop: "no_loops m" and nxt: "m \ x \\<^sup>+ p" shows "m (p \ cte) \ x \\<^sup>+ p" proof - from noloop nxt have xp: "x \ p" by (clarsimp dest!: neg_no_loopsI) from nxt show ?thesis using xp proof (induct rule: converse_trancl_induct') case (base y) hence "m (p \ cte) \ y \ p" using noloop by (auto simp add: mdb_next_update) thus ?case .. next case (step y z) from noloop step have xp: "z \ p" by (clarsimp dest!: neg_no_loopsI) hence "m (p \ cte) \ y \ z" using step by (simp add: mdb_next_update) moreover from xp have "m (p \ cte) \ z \\<^sup>+ p" using step.hyps assms by (auto simp del: fun_upd_apply) ultimately show ?case by (rule trancl_into_trancl2) qed qed lemma no_0_neq [intro?]: "\m c = Some cte; no_0 m\ \ c \ 0" by (auto simp add: no_0_def) lemma no_0_update: assumes no0: "no_0 m" and pnz: "p \ 0" shows "no_0 (m(p \ cte))" using no0 pnz unfolding no_0_def by simp lemma mdb_rtrancl_update_other: assumes upd: "m(p \ cte) \ x \\<^sup>* y" and nopath: "\ m \ x \\<^sup>* p" shows "m \ x \\<^sup>* y" using upd proof (cases rule: next_rtrancl_tranclE) case eq thus ?thesis by simp next case trancl thus ?thesis by (auto intro: trancl_into_rtrancl elim: mdb_trancl_update_other [OF _ nopath]) qed lemma mdb_trancl_other_update: assumes upd: "m \ x \\<^sup>+ y" and np: "\ m \ x \\<^sup>* p" shows "m(p \ cte) \ x \\<^sup>+ y" using upd proof induct case (base q) from np have "x \ p" by clarsimp hence"m (p \ cte) \ x \ q" using base by (simp add: mdb_next_update del: fun_upd_apply) thus ?case .. next case (step q r) show ?case proof from step.hyps(1) np have "q \ p" by (auto elim!: contrapos_nn) thus x: "m(p \ cte) \ q \ r" using step by (simp add: mdb_next_update del: fun_upd_apply) qed fact+ qed lemma mdb_rtrancl_other_update: assumes upd: "m \ x \\<^sup>* y" and nopath: "\ m \ x \\<^sup>* p" shows "m(p \ cte) \ x \\<^sup>* y" using upd proof (cases rule: next_rtrancl_tranclE) case eq thus ?thesis by simp next case trancl thus ?thesis by (auto intro: trancl_into_rtrancl elim: mdb_trancl_other_update [OF _ nopath]) qed lemma mdb_chain_0_update: assumes x: "m \ mdbNext (cteMDBNode cte) \\<^sup>* 0" and np: "\ m \ mdbNext (cteMDBNode cte) \\<^sup>* p" assumes p: "p \ 0" assumes 0: "no_0 m" assumes n: "mdb_chain_0 m" shows "mdb_chain_0 (m(p \ cte))" unfolding mdb_chain_0_def proof rule fix x assume "x \ dom (m(p \ cte))" hence x: "x = p \ x \ dom m" by simp have cnxt: "m(p \ cte) \ mdbNext (cteMDBNode cte) \\<^sup>* 0" by (rule mdb_rtrancl_other_update) fact+ from x show "m(p \ cte) \ x \\<^sup>+ 0" proof assume xp: "x = p" show ?thesis proof (rule rtrancl_into_trancl2 [OF _ cnxt]) show "m(p \ cte) \ x \ mdbNext (cteMDBNode cte)" using xp by (simp add: mdb_next_update) qed next assume x: "x \ dom m" show ?thesis proof (cases "m \ x \\<^sup>* p") case False from n have "m \ x \\<^sup>+ 0" unfolding mdb_chain_0_def using x by auto thus ?thesis by (rule mdb_trancl_other_update) fact+ next case True hence "m(p \ cte) \ x \\<^sup>* p" proof (cases rule: next_rtrancl_tranclE) case eq thus ?thesis by simp next case trancl have "no_loops m" by (rule mdb_chain_0_no_loops) fact+ thus ?thesis by (rule trancl_into_rtrancl [OF no_loops_upd_last]) fact+ qed moreover have "m(p \ cte) \ p \ mdbNext (cteMDBNode cte)" by (simp add: mdb_next_update) ultimately show ?thesis using cnxt by simp qed qed qed lemma mdb_chain_0_update_0: assumes x: "mdbNext (cteMDBNode cte) = 0" assumes p: "p \ 0" assumes 0: "no_0 m" assumes n: "mdb_chain_0 m" shows "mdb_chain_0 (m(p \ cte))" using x 0 p apply - apply (rule mdb_chain_0_update [OF _ _ p 0 n]) apply (auto elim: next_rtrancl_tranclE dest: no_0_lhs_trancl) done lemma valid_badges_0_update: assumes nx: "mdbNext (cteMDBNode cte) = 0" assumes pv: "mdbPrev (cteMDBNode cte) = 0" assumes p: "m p = Some cte'" assumes m: "no_mdb cte'" assumes 0: "no_0 m" assumes d: "valid_dlist m" assumes v: "valid_badges m" shows "valid_badges (m(p \ cte))" proof (unfold valid_badges_def, clarify) fix c c' cap cap' n n' assume c: "(m(p \ cte)) c = Some (CTE cap n)" assume c': "(m(p \ cte)) c' = Some (CTE cap' n')" assume nxt: "m(p \ cte) \ c \ c'" assume r: "sameRegionAs cap cap'" from p 0 have p0: "p \ 0" by (clarsimp simp: no_0_def) from c' p0 0 have "c' \ 0" by (clarsimp simp: no_0_def) with nx nxt have cp: "c \ p" by (clarsimp simp add: mdb_next_unfold) moreover from pv nx nxt p p0 c d m 0 have "c' \ p" apply clarsimp apply (simp add: mdb_next_unfold split: if_split_asm) apply (erule (1) valid_dlistEn, simp) apply (clarsimp simp: no_mdb_def no_0_def) done moreover with nxt c c' cp have "m \ c \ c'" by (simp add: mdb_next_unfold) ultimately show "(isEndpointCap cap \ capEPBadge cap \ capEPBadge cap' \ capEPBadge cap' \ 0 \ mdbFirstBadged n') \ (isNotificationCap cap \ capNtfnBadge cap \ capNtfnBadge cap' \ capNtfnBadge cap' \ 0 \ mdbFirstBadged n')" using r c c' v by (fastforce simp: valid_badges_def) qed definition "caps_no_overlap' m S \ \p c n. m p = Some (CTE c n) \ capRange c \ S = {}" definition fresh_virt_cap_class :: "capclass \ cte_heap \ bool" where "fresh_virt_cap_class C m \ C \ PhysicalClass \ C \ (capClass \ cteCap) ` ran m" lemma fresh_virt_cap_class_Physical[simp]: "fresh_virt_cap_class PhysicalClass = \" by (rule ext, simp add: fresh_virt_cap_class_def)+ lemma fresh_virt_cap_classD: "\ m x = Some cte; fresh_virt_cap_class C m \ \ C \ PhysicalClass \ capClass (cteCap cte) \ C" by (auto simp: fresh_virt_cap_class_def) lemma capRange_untyped: "capRange cap' \ untypedRange cap \ {} \ isUntypedCap cap" by (cases cap, auto simp: isCap_simps) lemma capRange_of_untyped [simp]: "capRange (UntypedCap d r n f) = untypedRange (UntypedCap d r n f)" by (simp add: capRange_def isCap_simps capUntypedSize_def) lemma caps_contained_no_overlap: "\ caps_no_overlap' m (capRange cap); caps_contained' m\ \ caps_contained' (m(p \ CTE cap n))" apply (clarsimp simp add: caps_contained'_def) apply (rule conjI) apply clarsimp apply (rule conjI, clarsimp dest!: capRange_untyped) apply clarsimp apply (simp add: caps_no_overlap'_def) apply (erule_tac x=p' in allE, erule allE, erule impE, erule exI) apply (frule capRange_untyped) apply (clarsimp simp add: isCap_simps) apply clarsimp apply (simp add: caps_no_overlap'_def) apply (erule_tac x=pa in allE, erule allE, erule impE, erule exI) apply (frule capRange_untyped) apply (clarsimp simp: isCap_simps) apply blast done lemma no_mdb_next: "\ m p = Some cte; no_mdb cte; valid_dlist m; no_0 m \ \ \ m \ x \ p" apply clarsimp apply (frule vdlist_nextD0) apply clarsimp apply assumption apply (clarsimp simp: mdb_prev_def no_mdb_def mdb_next_unfold) done lemma no_mdb_rtrancl: "\ m p = Some cte; no_mdb cte; p \ x; valid_dlist m; no_0 m \ \ \ m \ x \\<^sup>* p" apply (clarsimp dest!: rtranclD) apply (drule tranclD2) apply clarsimp apply (drule (3) no_mdb_next) apply fastforce done lemma isNullCap [simp]: "isNullCap cap = (cap = NullCap)" by (simp add: isCap_simps) lemma isDomainCap [simp]: "isDomainCap cap = (cap = DomainCap)" by (simp add: isCap_simps) lemma isPhysicalCap[simp]: "isPhysicalCap cap = (capClass cap = PhysicalClass)" by (simp add: isPhysicalCap_def ARM_H.isPhysicalCap_def split: capability.split arch_capability.split) (* FIXME instead of a definition and then a simp rule in the simp set, we should use fun *) definition capMasterCap :: "capability \ capability" where "capMasterCap cap \ case cap of EndpointCap ref bdg s r g gr \ EndpointCap ref 0 True True True True | NotificationCap ref bdg s r \ NotificationCap ref 0 True True | CNodeCap ref bits gd gs \ CNodeCap ref bits 0 0 | ThreadCap ref \ ThreadCap ref | ReplyCap ref master g \ ReplyCap ref True True | UntypedCap d ref n f \ UntypedCap d ref n 0 | ArchObjectCap acap \ ArchObjectCap (case acap of PageCap d ref rghts sz mapdata \ PageCap d ref VMReadWrite sz None | ASIDPoolCap pool asid \ ASIDPoolCap pool 0 | PageTableCap ptr data \ PageTableCap ptr None | PageDirectoryCap ptr data \ PageDirectoryCap ptr None | _ \ acap) | _ \ cap" lemma capMasterCap_simps[simp]: "capMasterCap (EndpointCap ref bdg s r g gr) = EndpointCap ref 0 True True True True" "capMasterCap (NotificationCap ref bdg s r) = NotificationCap ref 0 True True" "capMasterCap (CNodeCap ref bits gd gs) = CNodeCap ref bits 0 0" "capMasterCap (ThreadCap ref) = ThreadCap ref" "capMasterCap capability.NullCap = capability.NullCap" "capMasterCap capability.DomainCap = capability.DomainCap" "capMasterCap (capability.IRQHandlerCap irq) = capability.IRQHandlerCap irq" "capMasterCap (capability.Zombie word zombie_type n) = capability.Zombie word zombie_type n" "capMasterCap (capability.ArchObjectCap (arch_capability.ASIDPoolCap word1 word2)) = capability.ArchObjectCap (arch_capability.ASIDPoolCap word1 0)" "capMasterCap (capability.ArchObjectCap arch_capability.ASIDControlCap) = capability.ArchObjectCap arch_capability.ASIDControlCap" "capMasterCap (capability.ArchObjectCap (arch_capability.PageCap d word vmrights vmpage_size pdata)) = capability.ArchObjectCap (arch_capability.PageCap d word VMReadWrite vmpage_size None)" "capMasterCap (capability.ArchObjectCap (arch_capability.PageTableCap word ptdata)) = capability.ArchObjectCap (arch_capability.PageTableCap word None)" "capMasterCap (capability.ArchObjectCap (arch_capability.PageDirectoryCap word pddata)) = capability.ArchObjectCap (arch_capability.PageDirectoryCap word None)" "capMasterCap (capability.UntypedCap d word n f) = capability.UntypedCap d word n 0" "capMasterCap capability.IRQControlCap = capability.IRQControlCap" "capMasterCap (capability.ReplyCap word m g) = capability.ReplyCap word True True" by (simp_all add: capMasterCap_def) lemma capMasterCap_eqDs1: "capMasterCap cap = EndpointCap ref bdg s r g gr \ bdg = 0 \ s \ r \ g \ gr \ (\bdg s r g gr. cap = EndpointCap ref bdg s r g gr)" "capMasterCap cap = NotificationCap ref bdg s r \ bdg = 0 \ s \ r \ (\bdg s r. cap = NotificationCap ref bdg s r)" "capMasterCap cap = CNodeCap ref bits gd gs \ gd = 0 \ gs = 0 \ (\gd gs. cap = CNodeCap ref bits gd gs)" "capMasterCap cap = ThreadCap ref \ cap = ThreadCap ref" "capMasterCap cap = NullCap \ cap = NullCap" "capMasterCap cap = DomainCap \ cap = DomainCap" "capMasterCap cap = IRQControlCap \ cap = IRQControlCap" "capMasterCap cap = IRQHandlerCap irq \ cap = IRQHandlerCap irq" "capMasterCap cap = Zombie ref tp n \ cap = Zombie ref tp n" "capMasterCap cap = UntypedCap d ref bits 0 \ \f. cap = UntypedCap d ref bits f" "capMasterCap cap = ReplyCap ref master g \ master \ g \ (\master g. cap = ReplyCap ref master g)" "capMasterCap cap = ArchObjectCap (PageCap d ref rghts sz mapdata) \ rghts = VMReadWrite \ mapdata = None \ (\rghts mapdata. cap = ArchObjectCap (PageCap d ref rghts sz mapdata))" "capMasterCap cap = ArchObjectCap ASIDControlCap \ cap = ArchObjectCap ASIDControlCap" "capMasterCap cap = ArchObjectCap (ASIDPoolCap pool asid) \ asid = 0 \ (\asid. cap = ArchObjectCap (ASIDPoolCap pool asid))" "capMasterCap cap = ArchObjectCap (PageTableCap ptr data) \ data = None \ (\data. cap = ArchObjectCap (PageTableCap ptr data))" "capMasterCap cap = ArchObjectCap (PageDirectoryCap ptr data2) \ data2 = None \ (\data2. cap = ArchObjectCap (PageDirectoryCap ptr data2))" by (clarsimp simp: capMasterCap_def split: capability.split_asm arch_capability.split_asm)+ lemmas capMasterCap_eqDs[dest!] = capMasterCap_eqDs1 capMasterCap_eqDs1 [OF sym] definition capBadge :: "capability \ word32 option" where "capBadge cap \ if isEndpointCap cap then Some (capEPBadge cap) else if isNotificationCap cap then Some (capNtfnBadge cap) else None" lemma capBadge_simps[simp]: "capBadge (UntypedCap d p n f) = None" "capBadge (NullCap) = None" "capBadge (DomainCap) = None" "capBadge (EndpointCap ref badge s r g gr) = Some badge" "capBadge (NotificationCap ref badge s r) = Some badge" "capBadge (CNodeCap ref bits gd gs) = None" "capBadge (ThreadCap ref) = None" "capBadge (Zombie ref b n) = None" "capBadge (ArchObjectCap cap) = None" "capBadge (IRQControlCap) = None" "capBadge (IRQHandlerCap irq) = None" "capBadge (ReplyCap tcb master g) = None" by (simp add: capBadge_def isCap_defs)+ lemma capClass_Master: "capClass (capMasterCap cap) = capClass cap" by (simp add: capMasterCap_def split: capability.split arch_capability.split) lemma capRange_Master: "capRange (capMasterCap cap) = capRange cap" by (simp add: capMasterCap_def split: capability.split arch_capability.split, simp add: capRange_def) lemma master_eqI: "\ \cap. F (capMasterCap cap) = F cap; F (capMasterCap cap) = F (capMasterCap cap') \ \ F cap = F cap'" by simp lemma isCap_Master: "isZombie (capMasterCap cap) = isZombie cap" "isArchObjectCap (capMasterCap cap) = isArchObjectCap cap" "isThreadCap (capMasterCap cap) = isThreadCap cap" "isCNodeCap (capMasterCap cap) = isCNodeCap cap" "isNotificationCap (capMasterCap cap) = isNotificationCap cap" "isEndpointCap (capMasterCap cap) = isEndpointCap cap" "isUntypedCap (capMasterCap cap) = isUntypedCap cap" "isReplyCap (capMasterCap cap) = isReplyCap cap" "isIRQControlCap (capMasterCap cap) = isIRQControlCap cap" "isIRQHandlerCap (capMasterCap cap) = isIRQHandlerCap cap" "isNullCap (capMasterCap cap) = isNullCap cap" "isDomainCap (capMasterCap cap) = isDomainCap cap" "isArchPageCap (capMasterCap cap) = isArchPageCap cap" by (simp add: isCap_simps capMasterCap_def split: capability.split arch_capability.split)+ lemma capUntypedSize_capBits: "capClass cap = PhysicalClass \ capUntypedSize cap = 2 ^ (capBits cap)" apply (simp add: capUntypedSize_def objBits_simps ARM_H.capUntypedSize_def pteBits_def pdeBits_def ptBits_def pdBits_def shiftl_eq_mult split: capability.splits arch_capability.splits zombie_type.splits) apply fastforce done lemma sameRegionAs_def2: "sameRegionAs cap cap' = (\cap cap'. (cap = cap' \ (\ isNullCap cap \ \ isZombie cap \ \ isUntypedCap cap \ \ isArchPageCap cap) \ (\ isNullCap cap' \ \ isZombie cap' \ \ isUntypedCap cap' \ \ isArchPageCap cap')) \ (capRange cap' \ {} \ capRange cap' \ capRange cap \ (isUntypedCap cap \ (isArchPageCap cap \ isArchPageCap cap'))) \ (isIRQControlCap cap \ isIRQHandlerCap cap')) (capMasterCap cap) (capMasterCap cap')" apply (cases "isUntypedCap cap") apply (clarsimp simp: sameRegionAs_def Let_def isCap_Master capRange_Master capClass_Master) apply (clarsimp simp: isCap_simps capMasterCap_def[where cap="UntypedCap d p n f" for d p n f]) apply (simp add: capRange_def capUntypedSize_capBits) apply (intro impI iffI) apply (clarsimp del: subsetI intro!: range_subsetI) apply clarsimp apply (simp add: range_subset_eq2) apply (simp cong: conj_cong) apply (simp add: capMasterCap_def sameRegionAs_def isArchPageCap_def split: capability.split split del: if_split cong: if_cong) apply (simp add: ARM_H.sameRegionAs_def isCap_simps split: arch_capability.split split del: if_split cong: if_cong) apply (clarsimp simp: capRange_def Let_def) apply (simp add: range_subset_eq2 cong: conj_cong) by (simp add: conj_comms) lemma sameObjectAs_def2: "sameObjectAs cap cap' = (\cap cap'. (cap = cap' \ (\ isNullCap cap \ \ isZombie cap \ \