(* * Copyright 2014, General Dynamics C4 Systems * * This software may be distributed and modified according to the terms of * the GNU General Public License version 2. Note that NO WARRANTY is provided. * See "LICENSE_GPLv2.txt" for details. * * @TAG(GD_GPL) *) (* Proofs about untyped invocations. *) theory Untyped_R imports Detype_R Invocations_R begin primrec untypinv_relation :: "Invocations_A.untyped_invocation \ Invocations_H.untyped_invocation \ bool" where "untypinv_relation (Invocations_A.Retype c ob n ao n2 cl) x = (\ao'. x = (Invocations_H.Retype (cte_map c) ob n ao' n2 (map cte_map cl)) \ ao = APIType_map2 (Inr ao'))" primrec valid_untyped_inv' :: "Invocations_H.untyped_invocation \ kernel_state \ bool" where "valid_untyped_inv' (Invocations_H.Retype slot ptr_base ptr ty us slots) = (\s. \sz idx. (cte_wp_at' (\cte. cteCap cte = UntypedCap ptr_base sz idx) slot s \ range_cover ptr sz (APIType_capBits ty us) (length slots) \ (idx \ unat (ptr - ptr_base) \ ptr = ptr_base ) \ (ptr && ~~ mask sz) = ptr_base) \ (ptr = ptr_base \ descendants_range_in' {ptr_base..ptr_base + 2^sz - 1} slot (ctes_of s)) \ distinct (slot # slots) \ (ty = APIObjectType ArchTypes_H.CapTableObject \ us > 0) \ (ty = APIObjectType ArchTypes_H.Untyped \ 4\ us \ us \ 30) \ (\slot \ set slots. cte_wp_at' (\c. cteCap c = NullCap) slot s) \ (\slot \ set slots. ex_cte_cap_to' slot s) \ sch_act_simple s \ 0 < length slots)" lemma whenE_rangeCheck_eq: "(rangeCheck (x :: 'a :: {linorder, integral}) y z) = (whenE (x < fromIntegral y \ fromIntegral z < x) (throwError (RangeError (fromIntegral y) (fromIntegral z))))" by (simp add: rangeCheck_def unlessE_whenE ucast_id linorder_not_le[symmetric]) lemma APIType_map2_CapTable[simp]: "(APIType_map2 ty = Structures_A.CapTableObject) = (ty = Inr (APIObjectType ArchTypes_H.CapTableObject))" by (simp add: APIType_map2_def split: sum.split ArchTypes_H.object_type.split ArchTypes_H.apiobject_type.split kernel_object.split arch_kernel_object.splits) lemma alignUp_H[simp]: "Untyped_H.alignUp = WordSetup.alignUp" apply (rule ext)+ apply (clarsimp simp:Untyped_H.alignUp_def WordSetup.alignUp_def mask_def) done (* MOVE *) lemma corres_compute_free_index: "corres (\x y. x = y) (cte_at slot) (pspace_aligned' and pspace_distinct' and valid_mdb' and cte_wp_at' (\_. True) (cte_map slot)) (const_on_failure idx (doE y \ ensure_no_children slot; returnOk (0::nat) odE)) (constOnFailure idx (doE y \ ensureNoChildren (cte_map slot); returnOk (0::nat) odE))" apply (clarsimp simp:const_on_failure_def constOnFailure_def) apply (rule corres_guard_imp) apply (rule corres_split_catch[where E = dc and E'=dc]) apply simp apply (rule corres_guard_imp[OF corres_splitEE]) apply (rule corres_returnOkTT) apply simp apply (rule ensure_no_children_corres) apply simp apply wp apply simp+ apply (clarsimp simp:dc_def,wp)+ apply simp apply simp done lemma mapM_x_stateAssert: "mapM_x (\x. stateAssert (f x) (ss x)) xs = stateAssert (\s. \x \ set xs. f x s) []" apply (induct xs) apply (simp add: mapM_x_Nil) apply (simp add: mapM_x_Cons) apply (simp add: fun_eq_iff stateAssert_def bind_assoc exec_get assert_def) done lemma mapM_locate_eq: "isCNodeCap cap \ mapM (\x. locateSlotCap cap x) xs = (do stateAssert (\s. case gsCNodes s (capUntypedPtr cap) of None \ xs = [] | Some n \ \x \ set xs. n = capCNodeBits cap \ x < 2 ^ n) []; return (map (\x. (capCNodePtr cap) + 2 ^ cte_level_bits * x) xs) od)" apply (clarsimp simp: isCap_simps) apply (simp add: locateSlot_conv objBits_simps cte_level_bits_def liftM_def[symmetric] mapM_liftM_const isCap_simps) apply (simp add: liftM_def mapM_discarded mapM_x_stateAssert) apply (intro bind_cong refl arg_cong2[where f=stateAssert] ext) apply (simp add: isCap_simps split: option.split) done lemma dec_untyped_inv_corres: assumes cap_rel: "list_all2 cap_relation cs cs'" shows "corres (ser \ untypinv_relation) (invs and cte_wp_at (op = (cap.UntypedCap w n idx)) slot and (\s. \x \ set cs. s \ x)) (invs' and (\s. \x \ set cs'. s \' x)) (decode_untyped_invocation label args slot (cap.UntypedCap w n idx) cs) (decodeUntypedInvocation label args (cte_map slot) (capability.UntypedCap w n idx) cs')" proof (cases "6 \ length args \ cs \ [] \ invocation_type label = UntypedRetype") case False show ?thesis using False cap_rel apply (clarsimp simp: decode_untyped_invocation_def decodeUntypedInvocation_def whenE_whenE_body unlessE_whenE split del: split_if cong: list.case_cong) apply (auto split: list.split) done next case True have val_le_length_Cons: (* clagged from Tcb_R *) "\n xs. n \ 0 \ (n \ length xs) = (\y ys. xs = y # ys \ (n - 1) \ length ys)" apply (case_tac xs, simp_all) apply (case_tac n, simp_all) done obtain arg0 arg1 arg2 arg3 arg4 arg5 argsmore cap cap' csmore csmore' where args: "args = arg0 # arg1 # arg2 # arg3 # arg4 # arg5 # argsmore" and cs: "cs = cap # csmore" and cs': "cs' = cap' # csmore'" and crel: "cap_relation cap cap'" using True cap_rel by (clarsimp simp: neq_Nil_conv list_all2_Cons1 val_le_length_Cons) have il: "invocation_type label = UntypedRetype" using True by simp have word_unat_power2: "\bits. \ bits < 32 \ bits < word_bits \ \ unat (2 ^ bits :: word32) = 2 ^ bits" by (simp add: word_bits_def) have P: "\P. corres (ser \ dc) \ \ (whenE P (throwError ExceptionTypes_A.syscall_error.TruncatedMessage)) (whenE P (throwError Fault_H.syscall_error.TruncatedMessage))" by (simp add: whenE_def returnOk_def) have Q: "\v. corres (ser \ (\a b. APIType_map2 (Inr (toEnum (unat v))) = a)) \ \ (data_to_obj_type v) (whenE (fromEnum (maxBound :: ArchTypes_H.object_type) < unat v) (throwError (Fault_H.syscall_error.InvalidArgument 0)))" apply (simp only: data_to_obj_type_def returnOk_bindE fun_app_def) apply (simp add: maxBound_def enum_apiobject_type fromEnum_def whenE_def) apply (simp add: returnOk_def APIType_map2_def toEnum_def enum_apiobject_type enum_object_type) apply (intro conjI impI) apply (subgoal_tac "unat v - 5 > 5") apply (simp add: arch_data_to_obj_type_def) apply simp apply (subgoal_tac "\n. unat v = n + 5") apply (clarsimp simp: arch_data_to_obj_type_def returnOk_def) apply (rule_tac x="unat v - 5" in exI) apply arith done have S: "\x (y :: ('g :: len) word) (z :: 'g word) bits. \ bits < len_of TYPE('g); x < 2 ^ bits \ \ toEnum x = (of_nat x :: 'g word)" apply (rule toEnum_of_nat) apply (erule order_less_trans) apply simp done obtain xs where xs: "xs = [unat arg4..ref bits. \ is_aligned ref bits; Suc (unat arg4 + unat arg5 - Suc 0) \ 2 ^ bits; bits < 32; 1 \ arg4 + arg5; arg4 \ arg4 + arg5 \ \ (map (\x. ref + 2 ^ cte_level_bits * x) [arg4 .e. arg4 + arg5 - 1]) = map cte_map (map (Pair ref) (map (nat_to_cref bits) xs))" apply (subgoal_tac "Suc (unat (arg4 + arg5 - 1)) = unat arg4 + unat arg5") apply (simp add: upto_enum_def xs del: upt.simps) apply (clarsimp simp: cte_map_def) apply (subst of_bl_nat_to_cref) apply simp apply simp apply (subst S) apply simp apply simp apply (simp add: cte_level_bits_def) apply unat_arith done have another: "\bits a. \ (a::word32) \ 2 ^ bits; bits < word_bits\ \ 2 ^ bits - a = of_nat (2 ^ bits - unat a)" apply (subst of_nat_diff) apply (subst (asm) word_le_nat_alt) apply (simp add: word_unat_power2) apply simp done have ty_size: "\x y. (obj_bits_api (APIType_map2 (Inr x)) y) = (Types_H.getObjectSize x y)" apply (clarsimp simp:obj_bits_api_def APIType_map2_def getObjectSize_def ArchTypes_H.getObjectSize_def) apply (case_tac x) apply (simp_all add:arch_kobj_size_def default_arch_object_def pageBits_def pdBits_def ptBits_def) apply (rename_tac apiobject_type) apply (case_tac apiobject_type) apply (simp_all add:apiGetObjectSize_def tcbBlockSizeBits_def epSizeBits_def ntfnSizeBits_def slot_bits_def cteSizeBits_def) done note word_unat_power [symmetric, simp del] show ?thesis apply (rule corres_name_pre) apply clarsimp apply (subgoal_tac "cte_wp_at' (\cte. cteCap cte = (capability.UntypedCap w n idx)) (cte_map slot) s'") prefer 2 apply (drule state_relation_pspace_relation) apply (case_tac slot) apply simp apply (drule(1) pspace_relation_cte_wp_at) apply fastforce+ apply (clarsimp simp:cte_wp_at_caps_of_state) apply (frule caps_of_state_valid_cap[unfolded valid_cap_def]) apply fastforce apply (clarsimp simp:cap_aligned_def) (* ugh yuck. who likes a word proof? furthermore, some more restriction of the returnOk_bindE stuff needs to be done in order to give you a single target to do the word proof against or else it needs repeating. ugh. maybe could seperate out the equality Isar-style? *) apply (simp add: decodeUntypedInvocation_def decode_untyped_invocation_def args cs cs' xs[symmetric] il whenE_rangeCheck_eq cap_case_CNodeCap unlessE_whenE case_bool_If lookup_target_slot_def lookupTargetSlot_def split del: split_if cong: if_cong list.case_cong del: upt.simps) apply (rule corres_guard_imp) apply (rule corres_splitEE [OF _ Q]) apply (rule whenE_throwError_corres) apply (simp add: word_bits_def word_size) apply (simp add: word_size word_bits_def fromIntegral_def toInteger_nat fromInteger_nat linorder_not_less) apply fastforce apply (rule whenE_throwError_corres, simp) apply (clarsimp simp: fromAPIType_def ArchTypes_H.fromAPIType_def) apply (rule whenE_throwError_corres, simp) apply (clarsimp simp: fromAPIType_def ArchTypes_H.fromAPIType_def) apply (rule_tac r' = "\cap cap'. cap_relation cap cap'" in corres_splitEE[OF _ corres_if]) apply (rule_tac corres_split_norE) prefer 2 apply (rule corres_if) apply simp apply (rule corres_returnOk,clarsimp) apply (rule corres_trivial) apply (clarsimp simp: fromAPIType_def lookup_failure_map_def) apply (rule_tac F="is_cnode_cap rva \ cap_aligned rva" in corres_gen_asm) apply (subgoal_tac "is_aligned (obj_ref_of rva) (bits_of rva) \ bits_of rva < 32") prefer 2 apply (clarsimp simp: is_cap_simps bits_of_def cap_aligned_def word_bits_def is_aligned_weaken) apply (rule whenE_throwError_corres) apply (clarsimp simp:retypeFanOutLimit_def is_cap_simps bits_of_def ucast_id)+ apply (simp add: unat_arith_simps(2) unat_2p_sub_1 word_bits_def) apply (rule whenE_throwError_corres) apply (clarsimp simp:retypeFanOutLimit_def is_cap_simps bits_of_def ucast_id)+ apply (simp add: unat_eq_0 word_less_nat_alt) apply (rule whenE_throwError_corres) apply (clarsimp simp:retypeFanOutLimit_def is_cap_simps bits_of_def ucast_id)+ apply (clarsimp simp:toInteger_word ucast_id unat_arith_simps(2) cap_aligned_def) apply (subst unat_sub) apply (simp add: linorder_not_less word_le_nat_alt) apply (fold neq0_conv) apply (simp add: unat_eq_0 cap_aligned_def) apply (clarsimp simp:fromAPIType_def) apply (clarsimp simp:liftE_bindE mapM_locate_eq) apply (subgoal_tac "unat (arg4 + arg5) = unat arg4 + unat arg5") prefer 2 apply (clarsimp simp:not_less) apply (subst unat_word_ariths(1)) apply (rule mod_less) apply (unfold word_bits_len_of)[1] apply (subgoal_tac "2 ^ bits_of rva < (2 :: nat) ^ word_bits") apply arith apply (rule power_strict_increasing, simp add: word_bits_conv) apply simp apply (rule_tac P'="valid_cap rva" in corres_stateAssert_implied) apply (frule_tac bits2 = "bits_of rva" in YUCK) apply (simp) apply (simp add: word_bits_conv) apply (simp add: word_le_nat_alt) apply (simp add: word_le_nat_alt) apply (simp add:liftE_bindE[symmetric] free_index_of_def) apply (rule corres_split_norE) apply (subst liftE_bindE)+ apply (rule corres_split[OF _ corres_compute_free_index]) apply (rule_tac F ="free_index \ 2 ^ n" in corres_gen_asm) apply (rule whenE_throwError_corres) apply (clarsimp simp:shiftL_nat word_less_nat_alt shiftr_div_2n')+ apply (simp add: word_of_nat_le another) apply (drule_tac x = freeIndex in unat_of_nat32[OF le_less_trans]) apply (simp add:ty_size shiftR_nat)+ apply (simp add:unat_of_nat32 le_less_trans[OF div_le_dividend] le_less_trans[OF diff_le_self]) apply (rule corres_returnOkTT) apply (clarsimp simp:ty_size getFreeRef_def get_free_ref_def is_cap_simps) apply (rule hoare_strengthen_post[OF compute_free_index_wp]) apply simp apply simp apply wp apply (clarsimp simp:is_cap_simps simp del:ser_def) apply (simp add: mapME_x_map_simp del: ser_def) apply (rule_tac P = "valid_cap (cap.CNodeCap r bits g) and invs" in corres_guard_imp [where P' = invs']) apply (rule mapME_x_corres_inv [OF _ _ _ refl]) apply (simp del: ser_def) apply (rule ensure_empty_corres) apply (clarsimp simp: is_cap_simps) apply (simp, wp) apply (simp, wp) apply clarsimp apply (clarsimp simp add: xs is_cap_simps bits_of_def valid_cap_def) apply (erule cap_table_at_cte_at) apply (simp add: nat_to_cref_def word_bits_conv) apply simp apply (wp mapME_x_inv_wp validE_R_validE[OF valid_validE_R[OF ensure_empty_inv]] validE_R_validE[OF valid_validE_R[OF ensureEmpty_inv]]) apply (clarsimp simp: is_cap_simps valid_cap_simps cap_table_at_gsCNodes bits_of_def linorder_not_less) apply (erule order_le_less_trans) apply (rule minus_one_helper) apply (simp add: word_le_nat_alt) apply (simp add: unat_arith_simps) apply wp apply simp apply (rule corres_returnOkTT) apply (rule crel) apply simp apply (rule corres_splitEE[OF _ lsfc_corres]) apply simp apply (rule getSlotCap_corres,simp) apply (rule crel) apply simp apply (wp lookup_slot_for_cnode_op_inv hoare_drop_impE_R hoare_vcg_all_lift_R | clarsimp)+ apply (rule hoare_strengthen_post [where Q = "\r. invs and valid_cap r and cte_at slot"]) apply wp apply (clarsimp simp: is_cap_simps bits_of_def cap_aligned_def valid_cap_def word_bits_def) apply (rule TrueI conjI impI)+ apply wp apply (rule hoare_strengthen_post [where Q = "\r. invs' and cte_at' (cte_map slot)"]) apply wp apply (clarsimp simp:invs_pspace_aligned' invs_pspace_distinct' ) apply auto[1] apply (wp whenE_throwError_wp | wp_once hoare_drop_imps)+ apply (clarsimp simp: invs_valid_objs' invs_pspace_aligned' invs_pspace_distinct' cte_wp_at_caps_of_state cte_wp_at_ctes_of ) apply (clarsimp simp: invs_valid_objs invs_psp_aligned) apply (clarsimp simp: is_cap_simps valid_cap_def bits_of_def cap_aligned_def cte_level_bits_def word_bits_conv) apply (clarsimp simp: invs_valid_objs' invs_pspace_aligned' invs_pspace_distinct' cte_wp_at_caps_of_state cte_wp_at_ctes_of ) done qed crunch inv[wp]: ensureEmptySlot "P" lemma decodeUntyped_inv[wp]: "\P\ decodeUntypedInvocation label args slot (UntypedCap w n idx) cs \\rv. P\" apply (simp add: decodeUntypedInvocation_def whenE_def split_def unlessE_def Let_def split del: split_if cong: if_cong list.case_cong) apply (rule hoare_pre) apply (wp mapME_x_inv_wp hoare_drop_imps constOnFailure_wp mapM_wp' | wpcw | simp add: lookupTargetSlot_def locateSlot_conv)+ done declare inj_Pair[simp] declare upt_Suc[simp del] lemma descendants_of_cte_at': "\p \ descendants_of' x (ctes_of s); valid_mdb' s\ \ cte_wp_at' (\_. True) p s" by (clarsimp simp:descendants_of'_def cte_wp_at_ctes_of dest!:subtree_target_Some) lemma ctes_of_ko: "valid_cap' cap s \ isUntypedCap cap \ (\ptr\capRange cap. \optr ko. ksPSpace s optr = Some ko \ ptr \ obj_range' optr ko)" apply (case_tac cap) -- "TCB case" apply (simp_all add: isCap_simps capRange_def) apply (clarsimp simp: valid_cap'_def obj_at'_def) apply (intro exI conjI, assumption) apply (clarsimp simp: projectKO_eq objBits_def obj_range'_def dest!: projectKO_opt_tcbD simp: objBitsKO_def) -- "NTFN case" apply (clarsimp simp: valid_cap'_def obj_at'_def) apply (intro exI conjI, assumption) apply (clarsimp simp: projectKO_eq objBits_def obj_range'_def projectKO_ntfn objBitsKO_def) -- "EP case" apply (clarsimp simp: valid_cap'_def obj_at'_def) apply (intro exI conjI, assumption) apply (clarsimp simp: projectKO_eq objBits_def obj_range'_def projectKO_ep objBitsKO_def) -- "Zombie case" apply (rename_tac word zombie_type nat) apply (case_tac zombie_type) apply (clarsimp simp: valid_cap'_def obj_at'_def) apply (intro exI conjI, assumption) apply (clarsimp simp: projectKO_eq objBits_def obj_range'_def dest!:projectKO_opt_tcbD simp: objBitsKO_def) apply (clarsimp simp: valid_cap'_def obj_at'_def capAligned_def objBits_simps projectKOs) apply (frule_tac ptr=ptr and sz=4 in nasty_range [where 'a=32, folded word_bits_def], simp+) apply clarsimp apply (drule_tac x=idx in spec) apply (clarsimp simp: less_mask_eq) apply (fastforce simp: obj_range'_def projectKOs objBits_simps field_simps)[1] -- "Arch cases" apply (rename_tac arch_capability) apply (case_tac arch_capability) -- "ASID case" apply (clarsimp simp: valid_cap'_def typ_at'_def ko_wp_at'_def) apply (intro exI conjI, assumption) apply (clarsimp simp: obj_range'_def archObjSize_def objBitsKO_def) apply (case_tac ko, simp+)[1] apply (rename_tac arch_kernel_object) apply (case_tac arch_kernel_object; simp add: archObjSize_def asid_low_bits_def pageBits_def) apply simp -- "Page case" apply (rename_tac word vmrights vmpage_size option) apply (clarsimp simp: valid_cap'_def typ_at'_def ko_wp_at'_def capAligned_def) apply (frule_tac ptr = ptr and sz = "pageBits" in nasty_range [where 'a=32, folded word_bits_def]) apply assumption apply (simp add: pbfs_atleast_pageBits)+ apply (clarsimp) apply (drule_tac x = idx in spec) apply (clarsimp simp: objBitsT_koTypeOf [symmetric] objBitsT_simps) apply (intro exI conjI,assumption) apply (clarsimp simp:obj_range'_def) apply (case_tac ko, simp_all) apply (simp add: objBitsKO_def archObjSize_def field_simps shiftl_t2n) -- "PT case" apply (rename_tac word option) apply (clarsimp simp: valid_cap'_def obj_at'_def pageBits_def page_table_at'_def typ_at'_def ko_wp_at'_def ptBits_def) apply (frule_tac ptr=ptr and sz=2 in nasty_range[where 'a=32 and bz="ptBits", folded word_bits_def, simplified ptBits_def pageBits_def word_bits_def, simplified]) apply simp apply simp apply clarsimp apply (drule_tac x=idx in spec) apply clarsimp apply (intro exI conjI,assumption) apply (clarsimp simp:obj_range'_def) apply (case_tac ko; simp) apply (rename_tac arch_kernel_object) apply (case_tac arch_kernel_object; simp) apply (simp add:objBitsKO_def archObjSize_def field_simps shiftl_t2n) -- "PD case" apply (clarsimp simp: valid_cap'_def obj_at'_def pageBits_def pdBits_def page_directory_at'_def typ_at'_def ko_wp_at'_def) apply (frule_tac ptr=ptr and sz=2 in nasty_range[where 'a=32 and bz="pdBits", folded word_bits_def, simplified pdBits_def pageBits_def word_bits_def, simplified]) apply simp apply simp apply clarsimp apply (drule_tac x="idx" in spec) apply clarsimp apply (intro exI conjI, assumption) apply (clarsimp simp: obj_range'_def objBitsKO_def field_simps) apply (case_tac ko; simp) apply (rename_tac arch_kernel_object) apply (case_tac arch_kernel_object; simp) apply (simp add: field_simps archObjSize_def shiftl_t2n) -- "CNode case" apply (clarsimp simp: valid_cap'_def obj_at'_def capAligned_def objBits_simps projectKOs) apply (frule_tac ptr=ptr and sz=4 in nasty_range [where 'a=32, folded word_bits_def], simp+) apply clarsimp apply (drule_tac x=idx in spec) apply (clarsimp simp: less_mask_eq) apply (fastforce simp: obj_range'_def projectKOs objBits_simps field_simps)[1] done lemma untypedCap_descendants_range': "\valid_pspace' s; (ctes_of s) p = Some cte; isUntypedCap (cteCap cte);valid_mdb' s; q \ descendants_of' p (ctes_of s)\ \ cte_wp_at' (\c. (capRange (cteCap c) \ usableUntypedRange (cteCap cte) = {})) q s" apply (clarsimp simp: valid_pspace'_def) apply (frule(1) descendants_of_cte_at') apply (clarsimp simp:cte_wp_at_ctes_of) apply (clarsimp simp:valid_mdb'_def) apply (frule valid_mdb_no_loops) apply (case_tac "isUntypedCap (cteCap ctea)") apply (case_tac ctea) apply (rename_tac cap node) apply (case_tac cte) apply (rename_tac cap' node') apply clarsimp apply (frule(1) valid_capAligned[OF ctes_of_valid_cap']) apply (frule_tac c = cap in valid_capAligned[OF ctes_of_valid_cap']) apply (simp add:untypedCapRange)+ apply (frule_tac c = cap' in aligned_untypedRange_non_empty) apply simp apply (frule_tac c = cap in aligned_untypedRange_non_empty) apply simp apply (clarsimp simp:valid_mdb'_def valid_mdb_ctes_def) apply (drule untyped_incD') apply simp+ apply clarify apply (erule subset_splitE) apply simp apply (thin_tac "P \ Q" for P Q)+ apply (elim conjE) apply (simp add:descendants_of'_def) apply (drule(1) subtree_trans) apply (simp add:no_loops_no_subtree) apply simp apply (clarsimp simp:descendants_of'_def | erule disjE)+ apply (drule(1) subtree_trans) apply (simp add:no_loops_no_subtree)+ apply (thin_tac "P \ Q" for P Q)+ apply (erule(1) disjoint_subset2[OF usableRange_subseteq]) apply (simp add:Int_ac) apply (case_tac ctea) apply (rename_tac cap node) apply (case_tac cte) apply clarsimp apply (drule(1) ctes_of_valid_cap')+ apply (frule_tac cap = cap in ctes_of_ko) apply (elim disjE) apply clarsimp+ apply (thin_tac "s \' cap") apply (clarsimp simp: valid_cap'_def isCap_simps valid_untyped'_def simp del: usableUntypedRange.simps untypedRange.simps) apply (thin_tac "\x y z. P x y z" for P) apply (rule ccontr) apply (clarsimp dest!: WordLemmaBucket.int_not_emptyD simp del: usableUntypedRange.simps untypedRange.simps) apply (drule(1) bspec) apply (clarsimp simp: ko_wp_at'_def simp del: usableUntypedRange.simps untypedRange.simps) apply (drule_tac x = optr in spec) apply (clarsimp simp: ko_wp_at'_def simp del: usableUntypedRange.simps untypedRange.simps) apply (frule(1) pspace_alignedD') apply (frule(1) pspace_distinctD') apply (erule(1) impE) apply (clarsimp simp del: usableUntypedRange.simps untypedRange.simps) apply blast done lemma cte_wp_at_caps_descendants_range_inI': "\invs' s; cte_wp_at' (\c. (cteCap c) = capability.UntypedCap (ptr && ~~ mask sz) sz idx) cref s; idx \ unat (ptr && mask sz); sz < word_bits\ \ descendants_range_in' {ptr .. (ptr && ~~ mask sz) + 2 ^ sz - 1} cref (ctes_of s)" apply (frule invs_mdb') apply (frule(1) le_mask_le_2p) apply (clarsimp simp: descendants_range_in'_def cte_wp_at_ctes_of) apply (drule untypedCap_descendants_range'[rotated]) apply (simp add: isCap_simps)+ apply (simp add: invs_valid_pspace') apply (clarsimp simp: cte_wp_at_ctes_of) apply (erule disjoint_subset2[rotated]) apply clarsimp apply (rule le_plus'[OF word_and_le2]) apply simp apply (erule word_of_nat_le) done lemma checkFreeIndex_wp: "\\s. if descendants_of' slot (ctes_of s) = {} then Q 0 s else Q idx s\ constOnFailure idx (doE y \ ensureNoChildren slot; returnOk (0::nat) odE) \Q\" apply (clarsimp simp:constOnFailure_def const_def) apply wp apply (simp add: ensureNoChildren_def whenE_def) apply (wp getCTE_wp') apply (intro allI impI conjI) apply simp_all apply (drule conjunct2) apply (erule impE) apply (clarsimp simp: cte_wp_at_ctes_of nullPointer_def descendants_of'_def) apply (rule_tac x = "(mdbNext (cteMDBNode cte))" in exI) apply (rule subtree.direct_parent) apply (simp add:mdb_next_rel_def mdb_next_def) apply simp apply (simp add:parentOf_def)+ apply (drule conjunct1) apply (erule impE) apply (clarsimp simp: cte_wp_at_ctes_of nullPointer_def descendants_of'_def) apply (erule (4) subtree_no_parent) apply clarsimp apply (drule conjunct1) apply (clarsimp simp:nullPointer_def cte_wp_at_ctes_of descendants_of'_def) apply (erule(2) subtree_next_0) done declare upt_Suc[simp] lemma ensureNoChildren_sp: "\P\ ensureNoChildren sl \\rv s. P s \ descendants_of' sl (ctes_of s) = {}\,-" by (rule hoare_pre, wp ensureNoChildren_wp, simp) declare isPDCap_PD [simp] declare diminished_Untyped' [simp] lemma dui_sp_helper': "\P\ if Q then returnOk root_cap else doE slot \ lookupTargetSlot root_cap cref dpth; liftE (getSlotCap slot) odE \\rv s. (rv = root_cap \ (\slot. cte_wp_at' (diminished' rv o cteCap) slot s)) \ P s\, -" apply (cases Q, simp_all add: lookupTargetSlot_def) apply (rule hoare_pre, wp, simp) apply (simp add: getSlotCap_def split_def) apply wp apply (rule hoare_strengthen_post [OF getCTE_sp[where P=P]]) apply (clarsimp simp: cte_wp_at_ctes_of diminished'_def) apply (elim allE, drule(1) mp) apply (erule allE, subst(asm) maskCapRights_allRights) apply simp apply (rule hoare_pre, wp) apply simp done lemma map_ensure_empty': "\\s. (\slot \ set slots. cte_wp_at' (\cte. cteCap cte = NullCap) slot s) \ P s\ mapME_x ensureEmptySlot slots \\rv s. P s \,-" apply (induct slots arbitrary: P) apply (simp add: mapME_x_def sequenceE_x_def) apply wp apply (simp add: mapME_x_def sequenceE_x_def) apply (rule_tac Q="\rv s. (\slot\set slots. cte_wp_at' (\cte. cteCap cte = capability.NullCap) slot s) \ P s" in validE_R_sp) apply (simp add: ensureEmptySlot_def unlessE_def) apply (wp getCTE_wp') apply (clarsimp elim!: cte_wp_at_weakenE') apply (erule meta_allE) apply (erule hoare_post_imp_R) apply clarsimp done lemma irq_nodes_global: "\irq :: word8. irq_node' s + (ucast irq) * 16 \ global_refs' s" by (simp add: global_refs'_def mult.commute mult.left_commute) lemma valid_global_refsD2': "\ctes_of s p = Some cte; valid_global_refs' s\ \ global_refs' s \ capRange (cteCap cte) = {}" by (blast dest: valid_global_refsD') lemma cte_cap_in_untyped_range: "\ ptr \ x; x \ ptr + 2 ^ bits - 1; cte_wp_at' (\cte. cteCap cte = UntypedCap ptr bits idx) cref s; descendants_of' cref (ctes_of s) = {}; invs' s; ex_cte_cap_to' x s; valid_global_refs' s \ \ False" apply (clarsimp simp: ex_cte_cap_to'_def cte_wp_at_ctes_of) apply (case_tac ctea, simp) apply (rename_tac cap node) apply (frule ctes_of_valid_cap', clarsimp) apply (case_tac "\irq. cap = IRQHandlerCap irq") apply (drule (1) equals0D[where a=x, OF valid_global_refsD2'[where p=cref]]) apply (clarsimp simp: irq_nodes_global) apply (frule_tac p=crefa and p'=cref in caps_containedD', assumption) apply (clarsimp dest!: isCapDs) apply (rule_tac x=x in notemptyI) apply (simp add: subsetD [OF cte_refs_capRange]) apply (clarsimp simp: invs'_def valid_state'_def valid_pspace'_def valid_mdb'_def valid_mdb_ctes_def) apply (frule_tac p=cref and p'=crefa in untyped_mdbD', assumption) apply (simp_all add: isUntypedCap_def) apply (frule valid_capAligned) apply (frule capAligned_capUntypedPtr) apply (case_tac cap; simp) apply blast apply (case_tac cap; simp) apply (clarsimp simp: invs'_def valid_state'_def valid_pspace'_def valid_mdb'_def valid_mdb_ctes_def) done lemma cap_case_CNodeCap_True_throw: "(case cap of CNodeCap a b c d \ returnOk () | _ \ throw $ e) = (whenE (\isCNodeCap cap) (throwError e))" by (simp split: capability.split bool.split add: whenE_def isCNodeCap_def) lemma empty_descendants_range_in': "\descendants_of' slot m = {}\ \ descendants_range_in' S slot m " by (clarsimp simp:descendants_range_in'_def) lemma liftE_validE_R: "\P\ f \Q\ \ \P\ liftE f \Q\,-" by (wp, simp) lemma decodeUntyped_wf[wp]: "\invs' and cte_wp_at' (\cte. cteCap cte = UntypedCap w sz idx) slot and sch_act_simple and (\s. \x \ set cs. s \' x) and (\s. \x \ set cs. \r \ cte_refs' x (irq_node' s). ex_cte_cap_to' r s)\ decodeUntypedInvocation label args slot (UntypedCap w sz idx) cs \valid_untyped_inv'\,-" using [[ hypsubst_thin = true ]] apply (simp add: decodeUntypedInvocation_def unlessE_def[symmetric] unlessE_whenE rangeCheck_def whenE_def[symmetric] returnOk_liftE[symmetric] Let_def cap_case_CNodeCap_True_throw split del: split_if cong: if_cong list.case_cong) apply (rule list_case_throw_validE_R) apply (clarsimp split del: split_if split: list.splits) apply (intro conjI impI allI) apply ((rule hoare_pre,wp)+)[6] apply clarify apply (rule validE_R_sp[OF map_ensure_empty'] validE_R_sp[OF whenE_throwError_sp] validE_R_sp[OF dui_sp_helper'])+ apply (case_tac "\ isCNodeCap nodeCap") apply (simp add: validE_R_def) apply (simp add: mapM_locate_eq bind_liftE_distrib bindE_assoc returnOk_liftE[symmetric]) apply (rule validE_R_sp, rule liftE_validE_R, rule stateAssert_sp) apply (rule hoare_pre, wp whenE_throwError_wp checkFreeIndex_wp map_ensure_empty') apply (clarsimp simp:cte_wp_at_ctes_of not_less shiftL_nat) apply (rename_tac ty us b e srcNode list dimNode s cte) apply (case_tac cte) apply clarsimp apply (frule(1) valid_capAligned[OF ctes_of_valid_cap'[OF _ invs_valid_objs']]) apply (clarsimp simp:capAligned_def) apply (subgoal_tac "idx \ 2^ sz") prefer 2 apply (frule(1) ctes_of_valid_cap'[OF _ invs_valid_objs']) apply (clarsimp simp:valid_cap'_def valid_untyped_def) apply (subgoal_tac "(2 ^ sz - idx) < 2^ word_bits") prefer 2 apply (rule le_less_trans[where y = "2^sz"]) apply simp+ apply (subgoal_tac "of_nat (2 ^ sz - idx) = (2::word32)^sz - of_nat idx") prefer 2 apply (simp add:word_of_nat_minus) apply (subgoal_tac "valid_cap' dimNode s") prefer 2 apply (erule disjE) apply (fastforce dest: cte_wp_at_valid_objs_valid_cap') apply clarsimp apply (case_tac cte) apply clarsimp apply (drule(1) ctes_of_valid_cap'[OF _ invs_valid_objs'])+ apply (drule diminished_valid') apply simp apply (clarsimp simp: toEnum_of_nat [OF less_Suc_unat_less_bound] ucast_id) apply (subgoal_tac "b \ 2 ^ capCNodeBits dimNode") prefer 2 apply (clarsimp simp: isCap_simps) apply (subst (asm) le_m1_iff_lt[THEN iffD1]) apply (clarsimp simp:valid_cap'_def isCap_simps p2_gt_0 capAligned_def word_bits_def) apply (erule less_imp_le) apply (subgoal_tac "distinct (map (\y. capCNodePtr dimNode + y * 0x10) [b .e. b + e - 1])") prefer 2 apply (simp add: distinct_map upto_enum_def del: upt_Suc) apply (rule comp_inj_on) apply (rule inj_onI) apply (clarsimp simp: toEnum_of_nat dest!: less_Suc_unat_less_bound) apply (erule word_unat.Abs_eqD) apply (simp add: unats_def) apply (simp add: unats_def) apply (rule inj_onI) apply (clarsimp simp: toEnum_of_nat[OF less_Suc_unat_less_bound] ucast_id isCap_simps) apply (erule(2) inj_16) apply (subst Suc_unat_diff_1) apply (rule word_le_plus_either,simp) apply (subst olen_add_eqv) apply (subst add.commute) apply (erule(1) plus_minus_no_overflow_ab) apply (drule(1) le_plus) apply (rule unat_le_helper) apply (erule order_trans) apply (subst unat_power_lower32[symmetric], simp add: word_bits_def) apply (simp add: word_less_nat_alt[symmetric]) apply (rule two_power_increasing) apply (clarsimp dest!:valid_capAligned simp:capAligned_def objBits_def objBitsKO_def) apply (simp_all add: word_bits_def)[2] apply (clarsimp simp: Types_H.fromAPIType_def ArchTypes_H.fromAPIType_def) apply (subgoal_tac "Suc (unat (b + e - 1)) = unat b + unat e") prefer 2 apply (subst Suc_unat_diff_1) apply (rule word_le_plus_either,simp) apply (subst olen_add_eqv) apply (subst add.commute) apply (erule(1) plus_minus_no_overflow_ab) apply (rule unat_plus_simple[THEN iffD1]) apply (subst olen_add_eqv) apply (subst add.commute) apply (erule(1) plus_minus_no_overflow_ab) apply clarsimp apply (subgoal_tac "(\x. b \ x \ x \ b + e - 1 \ ex_cte_cap_wp_to' (\_. True) (capCNodePtr dimNode + x * 0x10) s)") prefer 2 apply clarsimp apply (erule disjE) apply (erule bspec) apply (clarsimp simp:isCap_simps image_def) apply (rule_tac x = x in bexI,simp) apply simp apply (erule order_trans) apply (frule(1) le_plus) apply (rule word_l_diffs,simp+) apply (rule word_le_plus_either,simp) apply (subst olen_add_eqv) apply (subst add.commute) apply (erule(1) plus_minus_no_overflow_ab) apply (clarsimp simp:ex_cte_cap_wp_to'_def) apply (rule_tac x = nodeSlot in exI) apply (case_tac cte) apply (clarsimp simp:cte_wp_at_ctes_of diminished_cte_refs'[symmetric] isCap_simps image_def) apply (rule_tac x = x in bexI,simp) apply simp apply (erule order_trans) apply (frule(1) le_plus) apply (rule word_l_diffs,simp+) apply (rule word_le_plus_either,simp) apply (subst olen_add_eqv) apply (subst add.commute) apply (erule(1) plus_minus_no_overflow_ab) apply (intro conjI) apply (clarsimp simp:of_nat_shiftR fromIntegral_def toInteger_nat fromInteger_nat word_le_nat_alt of_nat_shiftR) apply (frule_tac n = "unat e" and bits = "(APIType_capBits (toEnum (unat ty)) (unat us))" in range_cover_stuff[where rv = 0,rotated -1]) apply (simp add:unat_1_0) apply (erule le_trans[OF _ word_le_nat_alt[THEN iffD1],OF _ le_shiftr]) apply (simp add:word_sub_le_iff word_of_nat_le) apply simp+ apply (clarsimp simp:getFreeRef_def) apply (frule alignUp_idem[OF is_aligned_weaken,where a = w]) apply (erule range_cover.sz) apply (simp add:range_cover_def) apply (simp add:empty_descendants_range_in') apply (clarsimp simp:image_def isCap_simps nullPointer_def word_size cte_level_bits_def field_simps) apply (drule_tac x = x in spec)+ apply simp apply (clarsimp simp:of_nat_shiftR fromIntegral_def toInteger_nat fromInteger_nat word_le_nat_alt of_nat_shiftR) apply (frule_tac n = "unat e" and bits = "(APIType_capBits (toEnum (unat ty)) (unat us))" in range_cover_stuff[rotated -1]) apply (simp add:unat_1_0)+ apply (clarsimp simp:getFreeRef_def cte_level_bits_def field_simps) apply (intro conjI) apply clarsimp apply (drule cte_wp_at_caps_descendants_range_inI' [where ptr = w and sz = sz and idx = 0 and cref=slot]) apply (clarsimp simp:cte_wp_at_ctes_of is_aligned_neg_mask_eq) apply simp apply (simp add:range_cover_def) apply (simp add:is_aligned_neg_mask_eq) apply (clarsimp simp:image_def isCap_simps) apply (drule_tac x = x in spec)+ apply (simp add:nullPointer_def word_size)+ done lemma getCTE_known_cap: "\cte_wp_at' (\c. cteCap c = cap) p\ getCTE p \\rv s. cteCap rv = cap\" by (rule getCTE_get) lemma corres_list_all2_mapM_': assumes w: "suffixeq xs oxs" "suffixeq ys oys" assumes y: "\x xs y ys. \ F x y; suffixeq (x # xs) oxs; suffixeq (y # ys) oys \ \ corres dc (P (x # xs)) (P' (y # ys)) (f x) (g y)" assumes z: "\x y xs. \ F x y; suffixeq (x # xs) oxs \ \ \P (x # xs)\ f x \\rv. P xs\" "\x y ys. \ F x y; suffixeq (y # ys) oys \ \ \P' (y # ys)\ g y \\rv. P' ys\" assumes x: "list_all2 F xs ys" shows "corres dc (P xs) (P' ys) (mapM_x f xs) (mapM_x g ys)" apply (insert x w) apply (induct xs arbitrary: ys) apply (simp add: mapM_x_def sequence_x_def) apply (case_tac ys) apply simp apply (clarsimp simp add: mapM_x_def sequence_x_def) apply (rule corres_guard_imp) apply (rule corres_split [OF _ y]) apply (clarsimp dest!: suffixeq_ConsD) apply (erule meta_allE, (drule(1) meta_mp)+) apply assumption apply assumption apply assumption apply assumption apply (erule(1) z)+ apply simp+ done lemmas corres_list_all2_mapM_ = corres_list_all2_mapM_' [OF suffixeq_refl suffixeq_refl] declare modify_map_id[simp] lemma valid_mdbD3': "\ ctes_of s p = Some cte; valid_mdb' s \ \ p \ 0" by (clarsimp simp add: valid_mdb'_def valid_mdb_ctes_def no_0_def) lemma capRange_sameRegionAs: "\ sameRegionAs x y; s \' y; capClass x = PhysicalClass \ capClass y = PhysicalClass \ \ capRange x \ capRange y \ {}" apply (erule sameRegionAsE) apply (subgoal_tac "capClass x = capClass y \ capRange x = capRange y") apply simp apply (drule valid_capAligned) apply (drule(1) capAligned_capUntypedPtr) apply clarsimp apply (rule conjI) apply (rule master_eqI, rule capClass_Master, simp) apply (rule master_eqI, rule capRange_Master, simp) apply blast apply blast apply (clarsimp simp: isCap_simps) done locale mdb_insert_again = mdb_ptr_parent: mdb_ptr m _ _ parent parent_cap parent_node + mdb_ptr_site: mdb_ptr m _ _ site site_cap site_node for m parent parent_cap parent_node site site_cap site_node + fixes c' assumes site_cap: "site_cap = NullCap" assumes site_prev: "mdbPrev site_node = 0" assumes site_next: "mdbNext site_node = 0" assumes is_untyped: "isUntypedCap parent_cap" assumes same_region: "sameRegionAs parent_cap c'" assumes range: "descendants_range' c' parent m" assumes phys: "capClass c' = PhysicalClass" fixes s assumes valid_capI': "m p = Some (CTE cap node) \ s \' cap" assumes ut_rev: "ut_revocable' m" fixes n defines "n \ (modify_map (\x. if x = site then Some (CTE c' (MDB (mdbNext parent_node) parent True True)) else m x) parent (cteMDBNode_update (mdbNext_update (\x. site))))" assumes neq: "parent \ site" context mdb_insert_again begin lemmas parent = mdb_ptr_parent.m_p lemmas site = mdb_ptr_site.m_p lemma next_wont_bite: "\ mdbNext parent_node \ 0; m (mdbNext parent_node) = Some cte \ \ \ sameRegionAs c' (cteCap cte)" using range ut_rev apply (cases cte) apply clarsimp apply (cases "m \ parent \ mdbNext parent_node") apply (drule (2) descendants_rangeD') apply (drule capRange_sameRegionAs) apply (erule valid_capI') apply (simp add: phys) apply blast apply (erule notE, rule direct_parent) apply (clarsimp simp: mdb_next_unfold parent) apply assumption apply (simp add: parentOf_def parent) apply (insert is_untyped same_region) apply (clarsimp simp: isMDBParentOf_CTE) apply (rule conjI) apply (erule (1) sameRegionAs_trans) apply (simp add: ut_revocable'_def) apply (insert parent) apply simp apply (clarsimp simp: isCap_simps) done lemma no_0_helper: "no_0 m \ no_0 n" by (simp add: n_def, simp add: no_0_def) lemma no_0_n [intro!]: "no_0 n" by (auto intro: no_0_helper) lemmas n_0_simps [iff] = no_0_simps [OF no_0_n] lemmas neqs [simp] = neq neq [symmetric] definition "new_site \ CTE c' (MDB (mdbNext parent_node) parent True True)" definition "new_parent \ CTE parent_cap (mdbNext_update (\a. site) parent_node)" lemma n: "n = m (site \ new_site, parent \ new_parent)" using parent site by (simp add: n_def modify_map_apply new_site_def new_parent_def fun_upd_def[symmetric]) lemma site_no_parent [iff]: "m \ site \ x = False" using site site_next by (auto dest: subtree_next_0) lemma site_no_child [iff]: "m \ x \ site = False" using site site_prev by (auto dest: subtree_prev_0) lemma site_no_descendants: "descendants_of' site m = {}" by (simp add: descendants_of'_def) lemma descendants_not_site: "site \ descendants_of' p m \ False" by (simp add: descendants_of'_def) lemma parent_next: "m \ parent \ mdbNext parent_node" by (simp add: parent mdb_next_unfold) lemma parent_next_rtrancl_conv [simp]: "m \ mdbNext parent_node \\<^sup>* site = m \ parent \\<^sup>+ site" apply (rule iffI) apply (insert parent_next) apply (fastforce dest: rtranclD) apply (drule tranclD) apply (clarsimp simp: mdb_next_unfold) done lemma site_no_next [iff]: "m \ x \ site = False" using site site_prev dlist apply clarsimp apply (simp add: mdb_next_unfold) apply (elim exE conjE) apply (case_tac z) apply simp apply (rule dlistEn [where p=x], assumption) apply clarsimp apply clarsimp done lemma site_no_next_trans [iff]: "m \ x \\<^sup>+ site = False" by (clarsimp dest!: tranclD2) lemma site_no_prev [iff]: "m \ site \ p = (p = 0)" using site site_next by (simp add: mdb_next_unfold) lemma site_no_prev_trancl [iff]: "m \ site \\<^sup>+ p = (p = 0)" apply (rule iffI) apply (drule tranclD) apply clarsimp apply simp apply (insert chain site) apply (simp add: mdb_chain_0_def) apply auto done lemma chain_n: "mdb_chain_0 n" proof - from chain have "m \ mdbNext parent_node \\<^sup>* 0" using dlist parent apply (cases "mdbNext parent_node = 0") apply simp apply (erule dlistEn, simp) apply (auto simp: mdb_chain_0_def) done moreover have "\m \ mdbNext parent_node \\<^sup>* parent" using parent_next apply clarsimp apply (drule (1) rtrancl_into_trancl2) apply simp done moreover have "\ m \ 0 \\<^sup>* site" using no_0 site by (auto elim!: next_rtrancl_tranclE dest!: no_0_lhs_trancl) moreover have "\ m \ 0 \\<^sup>* parent" using no_0 parent by (auto elim!: next_rtrancl_tranclE dest!: no_0_lhs_trancl) moreover note chain ultimately show "mdb_chain_0 n" using no_0 parent site apply (simp add: n new_parent_def new_site_def) apply (auto intro!: mdb_chain_0_update no_0_update simp: next_update_lhs_rtrancl) done qed lemma no_loops_n: "no_loops n" using chain_n no_0_n by (rule mdb_chain_0_no_loops) lemma irrefl_direct_simp_n [iff]: "n \ x \ x = False" using no_loops_n by (rule no_loops_direct_simp) lemma irrefl_trancl_simp [iff]: "n \ x \\<^sup>+ x = False" using no_loops_n by (rule no_loops_trancl_simp) lemma n_direct_eq: "n \ p \ p' = (if p = parent then p' = site else if p = site then m \ parent \ p' else m \ p \ p')" using parent site site_prev by (auto simp: mdb_next_update n new_parent_def new_site_def parent_next mdb_next_unfold) lemma n_site: "n site = Some new_site" by (simp add: n) lemma next_not_parent: "\ mdbNext parent_node \ 0; m (mdbNext parent_node) = Some cte \ \ \ isMDBParentOf new_site cte" apply (drule(1) next_wont_bite) apply (cases cte) apply (simp add: isMDBParentOf_def new_site_def) done lemma parent_not_loop: "mdbNext parent_node \ parent" apply (insert no_loops) apply (simp add: no_loops_def) done (* The newly inserted cap should never have children. *) lemma site_no_parent_n: "n \ site \ p = False" using parent valid_badges apply clarsimp apply (erule subtree.induct) prefer 2 apply simp apply (clarsimp simp: parentOf_def mdb_next_unfold n_site new_site_def n) apply (cases "mdbNext parent_node = site") apply (subgoal_tac "m \ parent \ site") apply simp apply (subst mdb_next_unfold) apply (simp add: parent) apply clarsimp apply (erule notE[rotated], erule(1) next_not_parent[unfolded new_site_def]) done end locale mdb_insert_again_child = mdb_insert_again + assumes child: "isMDBParentOf (CTE parent_cap parent_node) (CTE c' (MDB (mdbNext parent_node) parent True True))" context mdb_insert_again_child begin lemma new_child [simp]: "isMDBParentOf new_parent new_site" by (simp add: new_parent_def new_site_def) (rule child) lemma n_site_child: "n \ parent \ site" apply (rule subtree.direct_parent) apply (simp add: n_direct_eq) apply simp apply (clarsimp simp: parentOf_def parent site n) done lemma parent_m_n: assumes "m \ p \ p'" shows "if p' = parent then n \ p \ site \ n \ p \ p' else n \ p \ p'" using assms proof induct case (direct_parent c) thus ?case apply (cases "p = parent") apply simp apply (rule conjI, clarsimp) apply clarsimp apply (rule subtree.trans_parent [where c'=site]) apply (rule n_site_child) apply (simp add: n_direct_eq) apply simp apply (clarsimp simp: parentOf_def n) apply (clarsimp simp: new_parent_def parent) apply simp apply (subgoal_tac "n \ p \ c") prefer 2 apply (rule subtree.direct_parent) apply (clarsimp simp add: n_direct_eq) apply simp apply (clarsimp simp: parentOf_def n) apply (fastforce simp: new_parent_def parent) apply clarsimp apply (erule subtree_trans) apply (rule n_site_child) done next case (trans_parent c d) thus ?case apply - apply (cases "c = site", simp) apply (cases "d = site", simp) apply (cases "c = parent") apply clarsimp apply (erule subtree.trans_parent [where c'=site]) apply (clarsimp simp add: n_direct_eq) apply simp apply (clarsimp simp: parentOf_def n) apply (rule conjI, clarsimp) apply (clarsimp simp: new_parent_def parent) apply clarsimp apply (subgoal_tac "n \ p \ d") apply clarsimp apply (erule subtree_trans, rule n_site_child) apply (erule subtree.trans_parent) apply (simp add: n_direct_eq) apply simp apply (clarsimp simp: parentOf_def n) apply (fastforce simp: parent new_parent_def) done qed lemma n_to_site [simp]: "n \ p \ site = (p = parent)" by (simp add: n_direct_eq) lemma parent_n_m: assumes "n \ p \ p'" shows "if p' = site then p \ parent \ m \ p \ parent else m \ p \ p'" proof - from assms have [simp]: "p \ site" by (clarsimp simp: site_no_parent_n) from assms show ?thesis proof induct case (direct_parent c) thus ?case apply simp apply (rule conjI) apply clarsimp apply clarsimp apply (rule subtree.direct_parent) apply (simp add: n_direct_eq split: split_if_asm) apply simp apply (clarsimp simp: parentOf_def n parent new_parent_def split: split_if_asm) done next case (trans_parent c d) thus ?case apply clarsimp apply (rule conjI, clarsimp) apply (clarsimp split: split_if_asm) apply (simp add: n_direct_eq) apply (cases "p=parent") apply simp apply (rule subtree.direct_parent, assumption, assumption) apply (clarsimp simp: parentOf_def n parent new_parent_def split: split_if_asm) apply clarsimp apply (erule subtree.trans_parent, assumption, assumption) apply (clarsimp simp: parentOf_def n parent new_parent_def split: split_if_asm) apply (erule subtree.trans_parent) apply (simp add: n_direct_eq split: split_if_asm) apply assumption apply (clarsimp simp: parentOf_def n parent new_parent_def split: split_if_asm) done qed qed lemma descendants: "descendants_of' p n = (if parent \ descendants_of' p m \ p = parent then descendants_of' p m \ {site} else descendants_of' p m)" apply (rule set_eqI) apply (simp add: descendants_of'_def) apply (fastforce dest!: parent_n_m dest: parent_m_n simp: n_site_child split: split_if_asm) done end lemma blarg_descendants_of': "descendants_of' x (modify_map m p (if P then id else cteMDBNode_update (mdbPrev_update f))) = descendants_of' x m" by (simp add: descendants_of'_def) lemma bluhr_descendants_of': "mdb_insert_again_child (ctes_of s') parent parent_cap pmdb site site_cap site_node cap s \ descendants_of' x (modify_map (modify_map (\c. if c = site then Some (CTE cap (MDB (mdbNext pmdb) parent True True)) else ctes_of s' c) (mdbNext pmdb) (if mdbNext pmdb = 0 then id else cteMDBNode_update (mdbPrev_update (\x. site)))) parent (cteMDBNode_update (mdbNext_update (\x. site)))) = (if parent \ descendants_of' x (ctes_of s') \ x = parent then descendants_of' x (ctes_of s') \ {site} else descendants_of' x (ctes_of s'))" apply (subst modify_map_com) apply (case_tac x, rename_tac node, case_tac node, clarsimp) apply (subst blarg_descendants_of') apply (erule mdb_insert_again_child.descendants) done lemma mdb_relation_simp: "\ (s, s') \ state_relation; cte_at p s \ \ descendants_of' (cte_map p) (ctes_of s') = cte_map ` descendants_of p (cdt s)" by (cases p, clarsimp simp: state_relation_def cdt_relation_def) lemma in_getCTE2: "((cte, s') \ fst (getCTE p s)) = (s' = s \ cte_wp_at' (op = cte) p s)" apply (safe dest!: in_getCTE) apply (clarsimp simp: cte_wp_at'_def getCTE_def) done declare wrap_ext_op_det_ext_ext_def[simp] lemma do_ext_op_update_cdt_list_symb_exec_l: "corres_underlying {(s :: det_ext state, s'). f (kheap s) s'} nf dc P P' (update_cdt_list g) (return x)" by (simp add: corres_underlying_def update_cdt_list_def set_cdt_list_def bind_def put_def get_def gets_def return_def) lemma do_ext_op_update_cdt_list_symb_exec_l': "corres_underlying {(s::det_state, s'). f (kheap s) (ekheap s) s'} nf dc P P' (create_cap_ext p z a) (return x)" apply (simp add: corres_underlying_def create_cap_ext_def update_cdt_list_def set_cdt_list_def bind_def put_def get_def gets_def return_def) done crunch it'[wp]: updateMDB "\s. P (ksIdleThread s)" crunch ups'[wp]: updateMDB "\s. P (gsUserPages s)" crunch cns'[wp]: updateMDB "\s. P (gsCNodes s)" crunch ksDomainTime[wp]: updateMDB "\s. P (ksDomainTime s)" crunch ksDomScheduleIdx[wp]: updateMDB "\s. P (ksDomScheduleIdx s)" crunch irq_node[wp]: update_cdt "\s. P (interrupt_irq_node s)" crunch ksWorkUnitsCompleted[wp]: updateMDB "\s. P (ksWorkUnitsCompleted s)" crunch exst[wp]: set_cdt "\s. P (exst s)" (*FIXME: Move to StateRelation*) lemma state_relation_schact[elim!]: "(s,s') \ state_relation \ sched_act_relation (scheduler_action s) (ksSchedulerAction s')" apply (simp add: state_relation_def) done lemma state_relation_queues[elim!]: "(s,s') \ state_relation \ ready_queues_relation (ready_queues s) (ksReadyQueues s')" apply (simp add: state_relation_def) done lemma set_original_symb_exec_l: "corres_underlying {(s, s'). f (kheap s) (exst s) s'} nf dc P P' (set_original p b) (return x)" by (simp add: corres_underlying_def return_def set_original_def in_monad Bex_def) lemma set_cdt_symb_exec_l: "corres_underlying {(s, s'). f (kheap s) (exst s) s'} nf dc P P' (set_cdt g) (return x)" by (simp add: corres_underlying_def return_def set_cdt_def in_monad Bex_def) crunch domain_index[wp]: create_cap_ext "\s. P (domain_index s)" crunch domain_list[wp]: create_cap_ext "\s. P (domain_list s)" crunch domain_time[wp]: create_cap_ext "\s. P (domain_time s)" crunch work_units_completed[wp]: create_cap_ext "\s. P (work_units_completed s)" lemma create_cap_corres: notes if_cong[cong del] if_weak_cong[cong] shows "\ cref' = cte_map (fst tup) \ cap_relation (default_cap tp (snd tup) sz) cap \ \ corres dc (cte_wp_at (op = cap.NullCap) (fst tup) and pspace_aligned and pspace_distinct and valid_objs and valid_mdb and valid_list and cte_wp_at (op \ cap.NullCap) p) (cte_wp_at' (\c. cteCap c = NullCap) cref' and cte_wp_at' (\cte. isUntypedCap (cteCap cte) \ sameRegionAs (cteCap cte) cap) (cte_map p) and valid_mdb' and pspace_aligned' and pspace_distinct' and valid_objs' and (\s. descendants_range' cap (cte_map p) (ctes_of s))) (create_cap tp sz p tup) (insertNewCap (cte_map p) cref' cap)" apply (cases tup, clarsimp simp add: create_cap_def insertNewCap_def liftM_def) apply (rule corres_symb_exec_r [OF _ getCTE_sp])+ prefer 3 apply (rule no_fail_pre, wp) apply (clarsimp elim!: cte_wp_at_weakenE') prefer 4 apply (rule no_fail_pre, wp) apply (clarsimp elim!: cte_wp_at_weakenE') apply (rule corres_assert_assume) prefer 2 apply (case_tac oldCTE) apply (clarsimp simp: cte_wp_at_ctes_of valid_mdb'_def valid_mdb_ctes_def valid_nullcaps_def) apply (erule allE)+ apply (erule (1) impE) apply (simp add: initMDBNode_def) apply clarsimp apply (rule_tac F="capClass cap = PhysicalClass" in corres_req) apply (clarsimp simp: cte_wp_at_ctes_of isCap_simps) apply (drule sameRegionAs_classes, simp) apply (rule corres_caps_decomposition) prefer 3 apply wp+ apply (rule hoare_post_imp, simp) apply wp defer apply ((wp | simp)+)[1] apply (simp add: create_cap_ext_def set_cdt_list_def update_cdt_list_def bind_assoc) apply ((wp | simp)+)[1] apply (wp updateMDB_ctes_of_cases getCTE_ctes_of_weakened | simp add: o_def split del: split_if)+ apply (clarsimp simp: cdt_relation_def cte_wp_at_ctes_of split del: split_if cong: if_cong simp del: id_apply) apply (subst if_not_P, erule(1) valid_mdbD3') apply (case_tac x, case_tac oldCTE) apply (subst bluhr_descendants_of') apply (rule mdb_insert_again_child.intro) apply (rule mdb_insert_again.intro) apply (rule mdb_ptr.intro) apply (simp add: valid_mdb'_def vmdb_def) apply (rule mdb_ptr_axioms.intro) apply simp apply (rule mdb_ptr.intro) apply (simp add: valid_mdb'_def vmdb_def) apply (rule mdb_ptr_axioms.intro) apply fastforce apply (rule mdb_insert_again_axioms.intro) apply (clarsimp simp: nullPointer_def)+ apply (erule (1) ctes_of_valid_cap') apply (simp add: valid_mdb'_def valid_mdb_ctes_def) apply clarsimp apply (rule mdb_insert_again_child_axioms.intro) apply (clarsimp simp: isMDBParentOf_def) apply (clarsimp simp: isCap_simps) apply (clarsimp simp: valid_mdb'_def valid_mdb_ctes_def ut_revocable'_def) apply (erule_tac x="cte_map p" in allE) apply (simp add: isCap_simps) apply (fold fun_upd_def) apply (subst descendants_of_insert_child') apply (erule(1) mdb_Null_descendants) apply (clarsimp simp: cte_wp_at_def) apply (erule(1) mdb_Null_None) apply (subgoal_tac "cte_at (aa, bb) s") prefer 2 apply (drule not_sym, clarsimp simp: cte_wp_at_caps_of_state split: split_if_asm) apply (subst descendants_of_eq' [OF _ cte_wp_at_cte_at], assumption+) apply (clarsimp simp: state_relation_def) apply assumption+ apply (subst cte_map_eq_subst [OF _ cte_wp_at_cte_at], assumption+) apply (simp add: mdb_relation_simp) defer apply (clarsimp split del: split_if)+ apply (clarsimp simp add: revokable_relation_def cte_wp_at_ctes_of split del: split_if) apply simp apply (rule conjI) apply clarsimp apply (elim modify_map_casesE) apply ((clarsimp split: split_if_asm cong: conj_cong simp: cte_map_eq_subst cte_wp_at_cte_at revokable_relation_simp)+)[4] apply clarsimp apply (subgoal_tac "null_filter (caps_of_state s) (aa, bb) \ None") prefer 2 apply (clarsimp simp: null_filter_def cte_wp_at_caps_of_state split: split_if_asm) apply (subgoal_tac "cte_at (aa,bb) s") prefer 2 apply clarsimp apply (drule null_filter_caps_of_stateD) apply (erule cte_wp_cte_at) apply (elim modify_map_casesE) apply (clarsimp split: split_if_asm cong: conj_cong simp: cte_map_eq_subst cte_wp_at_cte_at revokable_relation_simp)+ apply (clarsimp simp: state_relation_def ghost_relation_of_heap)+ apply wp apply (rule corres_guard_imp) apply (rule corres_underlying_symb_exec_l [OF gets_symb_exec_l]) apply (rule corres_underlying_symb_exec_l [OF gets_symb_exec_l]) apply (rule corres_underlying_symb_exec_l [OF set_cdt_symb_exec_l]) apply (rule corres_underlying_symb_exec_l [OF do_ext_op_update_cdt_list_symb_exec_l']) apply (rule corres_underlying_symb_exec_l [OF set_original_symb_exec_l]) apply (rule corres_cong[OF refl refl _ refl refl, THEN iffD1]) apply (rule bind_return[THEN fun_cong]) apply (rule corres_split [OF _ set_cap_pspace_corres]) apply (subst bind_return[symmetric], rule corres_split) prefer 2 apply (simp add: dc_def[symmetric]) apply (rule updateMDB_symb_exec_r) apply (simp add: dc_def[symmetric]) apply (rule updateMDB_symb_exec_r) apply (wp getCTE_wp set_cdt_valid_objs set_cdt_cte_at hoare_weak_lift_imp | simp add: o_def)+ apply (clarsimp simp: cte_wp_at_cte_at) apply (clarsimp simp: cte_wp_at_ctes_of no_0_def valid_mdb'_def valid_mdb_ctes_def) apply (rule conjI, clarsimp) apply clarsimp apply (erule (2) valid_dlistEn) apply simp apply(simp only: cdt_list_relation_def valid_mdb_def2 del: split_paired_All split_paired_Ex split del: split_if) apply(subgoal_tac "finite_depth (cdt s)") prefer 2 apply(simp add: finite_depth valid_mdb_def2[symmetric]) apply(intro impI allI) apply(subgoal_tac "mdb_insert_abs (cdt s) p (a, b)") prefer 2 apply(clarsimp simp: cte_wp_at_caps_of_state) apply(rule mdb_insert_abs.intro) apply(clarsimp) apply(erule (1) mdb_cte_at_Null_None) apply (erule (1) mdb_cte_at_Null_descendants) apply(subgoal_tac "no_0 (ctes_of s')") prefer 2 apply(simp add: valid_mdb_ctes_def valid_mdb'_def) apply simp apply (elim conjE) apply (case_tac "cdt s (a,b)") prefer 2 apply (simp add: mdb_insert_abs_def) apply simp apply(case_tac x) apply(simp add: cte_wp_at_ctes_of) apply(simp add: mdb_insert_abs.next_slot split del: split_if) apply(case_tac "c=p") apply(simp) apply(clarsimp simp: modify_map_def) apply(case_tac z) apply(fastforce split: split_if_asm) apply(case_tac "c = (a, b)") apply(simp) apply(case_tac "next_slot p (cdt_list s) (cdt s)") apply(simp) apply(simp) apply(clarsimp simp: modify_map_def const_def) apply(clarsimp split: split_if_asm) apply(drule_tac p="cte_map p" in valid_mdbD1') apply(simp) apply(simp add: valid_mdb'_def valid_mdb_ctes_def) apply(clarsimp simp: nullPointer_def no_0_def) apply(clarsimp simp: state_relation_def) apply(clarsimp simp: cte_wp_at_caps_of_state) apply(drule_tac slot=p in pspace_relation_ctes_ofI) apply(simp add: cte_wp_at_caps_of_state) apply(simp) apply(simp) apply(simp) apply(clarsimp simp: state_relation_def cdt_list_relation_def) apply(erule_tac x="fst p" in allE, erule_tac x="snd p" in allE) apply(fastforce) apply(simp) apply(case_tac "next_slot c (cdt_list s) (cdt s)") apply(simp) apply(simp) apply(subgoal_tac "cte_at c s") prefer 2 apply(rule cte_at_next_slot) apply(simp_all add: valid_mdb_def2)[4] apply(clarsimp simp: modify_map_def const_def) apply(simp split: split_if_asm) apply(simp add: valid_mdb'_def) apply(drule_tac ptr="cte_map p" in no_self_loop_next) apply(simp) apply(simp) apply(drule_tac p="(aa, bb)" in cte_map_inj) apply(simp_all add: cte_wp_at_caps_of_state)[5] apply(clarsimp) apply(simp) apply(clarsimp) apply(drule cte_map_inj_eq; simp add: cte_wp_at_caps_of_state) apply(clarsimp) apply(case_tac z) apply(clarsimp simp: state_relation_def cdt_list_relation_def) apply(erule_tac x=aa in allE, erule_tac x=bb in allE) apply(fastforce) apply(clarsimp) apply(drule cte_map_inj_eq) apply(simp_all add: cte_wp_at_caps_of_state)[6] apply(clarsimp simp: state_relation_def cdt_list_relation_def) apply(erule_tac x=aa in allE, erule_tac x=bb in allE, fastforce) done lemma insertNewCap_mdbNext: "\\s. \ sameRegionAs cap' cap \ parent \ slot \ valid_mdb' s \ parent \ 0 \ slot \ 0\ insertNewCap parent slot cap \\rv s. \next. cte_wp_at' (\cte. mdbNext (cteMDBNode cte) = next) parent s \ next \ 0 \ cte_wp_at' (\cte. \ sameRegionAs cap' (cteCap cte)) next s\" apply (simp add: insertNewCap_def cte_wp_at_ctes_of) apply (wp getCTE_ctes_of updateMDB_ctes_of_cases | simp add: o_def split del: split_if)+ apply (clarsimp split del: split_if simp: nullPointer_def) apply (erule modify_map_casesE, simp_all split del: split_if) apply (subst modify_map_other) apply assumption apply (subst modify_map_other) defer apply simp apply clarsimp apply (clarsimp simp: valid_mdb'_def valid_mdb_ctes_def) apply (erule(2) valid_dlistE(1)) apply simp done lemma setCTE_cteCaps_of[wp]: "\\s. P ((cteCaps_of s)(p \ cteCap cte))\ setCTE p cte \\rv s. P (cteCaps_of s)\" apply (simp add: cteCaps_of_def) apply wp apply (clarsimp elim!: rsubst[where P=P] intro!: ext) done lemma insertNewCap_wps[wp]: "\pspace_aligned'\ insertNewCap parent slot cap \\rv. pspace_aligned'\" "\pspace_distinct'\ insertNewCap parent slot cap \\rv. pspace_distinct'\" "\\s. P ((cteCaps_of s)(slot \ cap))\ insertNewCap parent slot cap \\rv s. P (cteCaps_of s)\" apply (simp_all add: insertNewCap_def) apply (wp hoare_drop_imps | simp add: o_def)+ apply (clarsimp elim!: rsubst[where P=P] intro!: ext) done definition apitype_of :: "cap \ apiobject_type option" where "apitype_of c \ case c of Structures_A.UntypedCap p b idx \ Some ArchTypes_H.Untyped | Structures_A.EndpointCap r badge rights \ Some EndpointObject | Structures_A.NotificationCap r badge rights \ Some NotificationObject | Structures_A.CNodeCap r bits guard \ Some ArchTypes_H.CapTableObject | Structures_A.ThreadCap r \ Some TCBObject | _ \ None" lemma sameRegion_untyped_imp_subseteq: "\RetypeDecls_H.sameRegionAs cap c; isUntypedCap cap\ \ capRange c \ untypedRange cap" apply (simp add:sameRegionAs_def3) apply (elim disjE) apply (clarsimp simp:capRange_of_untyped isCap_simps) apply (drule(1) subsetD) apply simp apply (simp add:isCap_simps) done lemma cteCaps_of_ran_Ball: "(\x \ ran (cteCaps_of s). P x) = (\x \ ran (ctes_of s). P (cteCap x))" apply (simp add: cteCaps_of_def ran_def) apply fastforce done lemma cteCaps_of_ran_Ball_upd: "(\x \ ran (\x. if x = p then None else cteCaps_of s x). P x) = (\x \ ran (\x. if x = p then None else ctes_of s x). P (cteCap x))" apply (simp add: cteCaps_of_def ran_def) apply fastforce done lemma cte_wp_at_cteCaps_of: "cte_wp_at' (\cte. P (cteCap cte)) p s = (\cap. cteCaps_of s p = Some cap \ P cap)" apply (subst tree_cte_cteCap_eq[unfolded o_def]) apply (clarsimp split: option.splits) done lemma caps_contained_modify_mdb_helper[simp]: "(\n. modify_map m p (cteMDBNode_update f) x = Some (CTE c n)) = (\n. m x = Some (CTE c n))" apply (cases "m p", simp_all add: modify_map_def) apply (case_tac a, simp_all) done lemma caps_contained_modify_mdb[simp]: "caps_contained' (modify_map m p (cteMDBNode_update f)) = caps_contained' m" by (simp add: caps_contained'_def) lemma sameRegionAs_capRange_subset: "\ sameRegionAs c c'; capClass c = PhysicalClass \ \ capRange c' \ capRange c" apply (erule sameRegionAsE) apply (rule equalityD1) apply (rule master_eqI, rule capRange_Master) apply simp apply assumption+ apply (clarsimp simp: isCap_simps) done definition is_end_chunk :: "cte_heap \ capability \ word32 \ bool" where "is_end_chunk ctes cap p \ \p'. ctes \ p \ p' \ (\cte. ctes p = Some cte \ sameRegionAs cap (cteCap cte)) \ (\cte'. ctes p' = Some cte' \ \ sameRegionAs cap (cteCap cte'))" lemma chunk_end_chunk: "\ is_chunk ctes cap p p'; ctes \ p \\<^sup>+ p'; is_end_chunk ctes cap p \ \ P" apply (clarsimp simp add: is_chunk_def is_end_chunk_def) apply (drule_tac x=p'a in spec) apply (drule mp) apply (erule trancl.intros) apply (drule mp) apply (drule tranclD, clarsimp) apply (simp add: mdb_next_unfold) apply clarsimp done lemma end_chunk_site: "is_end_chunk ctes cap p \ \pcap pnode. ctes p = Some (CTE pcap pnode) \ sameRegionAs cap pcap" apply (clarsimp simp: is_end_chunk_def) apply (case_tac cte, simp) done lemma chunk_region_trans: "\ sameRegionAs cap cap'; is_chunk ctes cap' p p' \ \ is_chunk ctes cap p p'" apply (simp add: is_chunk_def) apply (erule allEI) apply clarsimp apply (erule(1) sameRegionAs_trans) done lemma sameRegionAs_refl: "sameRegionAs cap cap' \ sameRegionAs cap cap" apply (simp add: sameRegionAs_def3) apply (elim disjE exE) apply simp apply fastforce apply (clarsimp simp: isCap_simps) done definition mdb_chunked2 :: "cte_heap \ bool" where "mdb_chunked2 ctes \ (\x p p' cte. ctes x = Some cte \ is_end_chunk ctes (cteCap cte) p \ is_end_chunk ctes (cteCap cte) p' \ p = p') \ (\p p' cte cte'. ctes p = Some cte \ ctes p' = Some cte' \ ctes \ p \ p' \ sameRegionAs (cteCap cte') (cteCap cte) \ sameRegionAs (cteCap cte) (cteCap cte'))" lemma mdb_chunked2_endD: "\ is_end_chunk ctes cap p; is_end_chunk ctes cap p'; mdb_chunked2 ctes; ctes x = Some (CTE cap node) \ \ p = p'" by (fastforce simp add: mdb_chunked2_def) lemma mdb_chunked2_revD: "\ ctes p = Some cte; ctes p' = Some cte'; ctes \ p \ p'; mdb_chunked2 ctes; sameRegionAs (cteCap cte') (cteCap cte) \ \ sameRegionAs (cteCap cte) (cteCap cte')" by (fastforce simp add: mdb_chunked2_def) lemma valid_dlist_step_back: "\ ctes \ p \ p''; ctes \ p' \ p''; valid_dlist ctes; p'' \ 0 \ \ p = p'" apply (simp add: mdb_next_unfold valid_dlist_def) apply (frule_tac x=p in spec) apply (drule_tac x=p' in spec) apply (clarsimp simp: Let_def) done lemma valid_dlist_step_back_trans: "\ valid_dlist ctes; ctes \ p \\<^sup>+ p''; ctes \ p' \ p''; p'' \ 0 \ \ ctes \ p \\<^sup>* p'" apply (erule tranclE) apply (drule(3) valid_dlist_step_back) apply simp apply (drule(3) valid_dlist_step_back) apply simp done lemma chunk_sameRegionAs_step1: "\ ctes \ p' \\<^sup>* p''; ctes p'' = Some cte; is_chunk ctes (cteCap cte) p p''; mdb_chunked2 ctes; valid_dlist ctes \ \ \cte'. ctes p' = Some cte' \ ctes \ p \\<^sup>+ p' \ sameRegionAs (cteCap cte') (cteCap cte)" apply (erule converse_rtrancl_induct) apply (clarsimp simp: is_chunk_def) apply (drule_tac x=p'' in spec, clarsimp) apply (clarsimp simp: is_chunk_def) apply (frule_tac x=y in spec) apply (drule_tac x=z in spec) apply ((drule mp, erule(1) transitive_closure_trans) | clarsimp)+ apply (rule sameRegionAs_trans[rotated], assumption) apply (drule(3) mdb_chunked2_revD) apply simp apply (erule(1) sameRegionAs_trans) apply simp done lemma chunk_sameRegionAs: "\ ctes \ p \\<^sup>+ p'; ctes p = Some cte; ctes p' = Some cte'; is_chunk ctes (cteCap cte') p p'; mdb_chunked2 ctes; valid_dlist ctes; sameRegionAs (cteCap cte') (cteCap cte) \ \ sameRegionAs (cteCap cte) (cteCap cte')" apply (erule tranclE2) apply (erule(4) mdb_chunked2_revD) apply (frule(4) chunk_sameRegionAs_step1[OF trancl_into_rtrancl]) apply (case_tac "ctes c") apply (erule tranclE2, (clarsimp simp: mdb_next_unfold)+)[1] apply (clarsimp simp: trancl.intros(1)) apply (rule sameRegionAs_trans[rotated], assumption) apply (erule(3) mdb_chunked2_revD) apply (erule(1) sameRegionAs_trans) done locale mdb_insert_again_all = mdb_insert_again_child + assumes valid_c': "s \' c'" fixes n' defines "n' \ modify_map n (mdbNext parent_node) (cteMDBNode_update (mdbPrev_update (\a. site)))" begin lemma no_0_n' [simp]: "no_0 n'" using no_0_n by (simp add: n'_def) lemma dom_n' [simp]: "dom n' = dom n" apply (simp add: n'_def) apply (simp add: modify_map_if dom_def) apply (rule set_eqI) apply simp apply (rule iffI) apply auto[1] apply clarsimp apply (case_tac y) apply (case_tac "mdbNext parent_node = x") apply auto done lemma mdb_chain_0_n' [simp]: "mdb_chain_0 n'" using chain_n apply (simp add: mdb_chain_0_def) apply (simp add: n'_def trancl_prev_update) done lemma parency_n': "n' \ p \ p' = (if m \ p \ parent \ p = parent then m \ p \ p' \ p' = site else m \ p \ p')" using descendants [of p] unfolding descendants_of'_def by (auto simp add: set_eq_iff n'_def) lemma n'_direct_eq: "n' \ p \ p' = (if p = parent then p' = site else if p = site then m \ parent \ p' else m \ p \ p')" by (simp add: n'_def n_direct_eq) lemma n'_tranclD: "n' \ p \\<^sup>+ p' \ (if p = site then m \ parent \\<^sup>+ p' else if m \ p \\<^sup>+ parent \ p = parent then m \ p \\<^sup>+ p' \ p' = site else m \ p \\<^sup>+ p')" apply (erule trancl_induct) apply (fastforce simp: n'_direct_eq split: split_if_asm) apply (fastforce simp: n'_direct_eq split: split_if_asm elim: trancl_trans) done lemma site_in_dom: "site \ dom n" by (simp add: n) lemma m_tranclD: assumes m: "m \ p \\<^sup>+ p'" shows "p' \ site \ n' \ p \\<^sup>+ p'" proof - from m have "p = site \ p' = 0" by clarsimp with mdb_chain_0_n' m show ?thesis apply - apply (erule trancl_induct) apply (rule context_conjI) apply clarsimp apply (cases "p = site") apply (simp add: mdb_chain_0_def site_in_dom) apply (cases "p = parent") apply simp apply (rule trancl_trans) apply (rule r_into_trancl) apply (simp add: n'_direct_eq) apply (rule r_into_trancl) apply (simp add: n'_direct_eq) apply (rule r_into_trancl) apply (simp add: n'_direct_eq) apply (rule context_conjI) apply clarsimp apply clarsimp apply (erule trancl_trans) apply (case_tac "y = parent") apply simp apply (rule trancl_trans) apply (rule r_into_trancl) apply (simp add: n'_direct_eq) apply (rule r_into_trancl) apply (simp add: n'_direct_eq) apply (rule r_into_trancl) apply (simp add: n'_direct_eq) done qed lemma n'_trancl_eq: "n' \ p \\<^sup>+ p' = (if p = site then m \ parent \\<^sup>+ p' else if m \ p \\<^sup>+ parent \ p = parent then m \ p \\<^sup>+ p' \ p' = site else m \ p \\<^sup>+ p')" apply simp apply (intro conjI impI iffI) apply (drule n'_tranclD) apply simp apply simp apply (drule n'_tranclD) apply simp apply (erule disjE) apply (drule m_tranclD)+ apply simp apply (drule m_tranclD) apply simp apply (erule trancl_trans) apply (rule r_into_trancl) apply (simp add: n'_direct_eq) apply (drule n'_tranclD, simp) apply (erule disjE) apply (drule m_tranclD) apply simp apply simp apply (rule r_into_trancl) apply (simp add: n'_direct_eq) apply (drule n'_tranclD, simp) apply simp apply (cases "p' = site", simp) apply (drule m_tranclD) apply clarsimp apply (drule tranclD) apply (clarsimp simp: n'_direct_eq) apply (simp add: rtrancl_eq_or_trancl) apply (drule n'_tranclD, simp) apply clarsimp apply (drule m_tranclD, simp) done lemma n'_rtrancl_eq: "n' \ p \\<^sup>* p' = (if p = site then p' \ site \ m \ parent \\<^sup>+ p' \ p' = site else if m \ p \\<^sup>* parent then m \ p \\<^sup>* p' \ p' = site else m \ p \\<^sup>* p')" by (auto simp: rtrancl_eq_or_trancl n'_trancl_eq split) lemma mdbNext_parent_site [simp]: "mdbNext parent_node \ site" proof assume "mdbNext parent_node = site" hence "m \ parent \ site" using parent by (unfold mdb_next_unfold) simp thus False by simp qed lemma mdbPrev_parent_site [simp]: "site \ mdbPrev parent_node" proof assume "site = mdbPrev parent_node" with parent site have "m \ site \ parent" apply (unfold mdb_next_unfold) apply simp apply (erule dlistEp) apply clarsimp apply clarsimp done with p_0 show False by simp qed lemma parent_prev: "(m \ parent \ p) = (p = mdbNext parent_node \ p \ 0)" apply (rule iffI) apply (frule dlist_prevD, rule parent) apply (simp add: mdb_next_unfold parent) apply (clarsimp simp: mdb_prev_def) apply clarsimp apply (rule dlist_nextD0) apply (rule parent_next) apply assumption done lemma parent_next_prev: "(m \ p \ mdbNext parent_node) = (p = parent \ mdbNext parent_node \ 0)" using parent apply - apply (rule iffI) apply (clarsimp simp add: mdb_prev_def) apply (rule conjI) apply (erule dlistEn) apply clarsimp apply simp apply clarsimp apply clarsimp apply (rule dlist_nextD0) apply (rule parent_next) apply assumption done lemma n'_prev_eq: notes if_cong[cong del] if_weak_cong[cong] shows "n' \ p \ p' = (if p' = site then p = parent else if p = site then m \ parent \ p' else if p = parent then p' = site else m \ p \ p')" using parent site site_prev apply (simp add: n'_def n mdb_prev_def new_parent_def new_site_def split del: split_if) apply (clarsimp simp add: modify_map_if cong: if_cong split del: split_if) apply (cases "p' = site", simp) apply (simp cong: if_cong split del: split_if) apply (cases "p' = parent") apply clarsimp apply (rule conjI, clarsimp simp: mdb_prev_def) apply (clarsimp simp: mdb_prev_def) apply (simp cong: if_cong split del: split_if) apply (cases "p = site") apply (simp add: parent_prev) apply (cases "mdbNext parent_node = p'") apply simp apply (rule iffI) prefer 2 apply clarsimp apply (erule dlistEn) apply simp apply clarsimp apply (case_tac cte') apply clarsimp apply clarsimp apply clarsimp apply (insert site_next)[1] apply (rule valid_dlistEp [OF dlist, where p=p'], assumption) apply clarsimp apply clarsimp apply (simp cong: if_cong split del: split_if) apply (cases "p = parent") apply clarsimp apply (insert site_next) apply (cases "mdbNext parent_node = p'", clarsimp) apply clarsimp apply (rule valid_dlistEp [OF dlist, where p=p'], assumption) apply clarsimp apply clarsimp apply simp apply (cases "mdbNext parent_node = p'") prefer 2 apply (clarsimp simp: mdb_prev_def) apply (rule iffI, clarsimp) apply clarsimp apply (case_tac z) apply simp apply (rule iffI) apply (clarsimp simp: mdb_prev_def) apply (drule sym [where t=p']) apply (simp add: parent_next_prev) done lemma dlist_n' [simp]: notes if_cong[cong del] if_weak_cong[cong] shows "valid_dlist n'" using no_0_n' by (clarsimp simp: valid_dlist_def2 n'_direct_eq n'_prev_eq Invariants_H.valid_dlist_prevD [OF dlist]) lemma n'_cap: "n' p = Some (CTE c node) \ if p = site then c = c' \ m p = Some (CTE NullCap site_node) else \node'. m p = Some (CTE c node')" by (auto simp: n'_def n modify_map_if new_parent_def parent new_site_def site site_cap split: split_if_asm) lemma m_cap: "m p = Some (CTE c node) \ if p = site then \node'. n' site = Some (CTE c' node') else \node'. n' p = Some (CTE c node')" by (clarsimp simp: n n'_def new_parent_def new_site_def parent) lemma n'_badged: "n' p = Some (CTE c node) \ if p = site then c = c' \ mdbFirstBadged node else \node'. m p = Some (CTE c node') \ mdbFirstBadged node = mdbFirstBadged node'" by (auto simp: n'_def n modify_map_if new_parent_def parent new_site_def site site_cap split: split_if_asm) lemma no_next_region: "\ m \ parent \ p'; m p' = Some (CTE cap' node) \ \ \sameRegionAs c' cap'" apply (clarsimp simp: mdb_next_unfold parent) apply (frule next_wont_bite [rotated], clarsimp) apply simp done lemma valid_badges_n' [simp]: "valid_badges n'" using valid_badges apply (clarsimp simp: valid_badges_def) apply (simp add: n'_direct_eq) apply (drule n'_badged)+ apply (clarsimp split: split_if_asm) apply (drule (1) no_next_region) apply simp apply (erule_tac x=p in allE) apply (erule_tac x=p' in allE) apply simp done lemma c'_not_Null: "c' \ NullCap" using same_region by clarsimp lemma valid_nullcaps_n' [simp]: "valid_nullcaps n'" using nullcaps is_untyped c'_not_Null apply (clarsimp simp: valid_nullcaps_def n'_def n modify_map_if new_site_def new_parent_def isCap_simps) apply (erule allE)+ apply (erule (1) impE) apply (simp add: nullMDBNode_def) apply (insert parent) apply (rule dlistEn, rule parent) apply clarsimp apply (clarsimp simp: nullPointer_def) done lemma phys': "capClass parent_cap = PhysicalClass" using sameRegionAs_classes [OF same_region] phys by simp lemma capRange_c': "capRange c' \ capRange parent_cap" apply (rule sameRegionAs_capRange_subset) apply (rule same_region) apply (rule phys') done lemma untypedRange_c': assumes ut: "isUntypedCap c'" shows "untypedRange c' \ untypedRange parent_cap" using ut is_untyped capRange_c' by (auto simp: isCap_simps) lemma sameRegion_parentI: "sameRegionAs c' cap \ sameRegionAs parent_cap cap" using same_region apply - apply (erule (1) sameRegionAs_trans) done lemma no_loops_n': "no_loops n'" using mdb_chain_0_n' no_0_n' by (rule mdb_chain_0_no_loops) lemmas no_loops_simps' [simp]= no_loops_trancl_simp [OF no_loops_n'] no_loops_direct_simp [OF no_loops_n'] lemma rangeD: "\ m \ parent \ p; m p = Some (CTE cap node) \ \ capRange cap \ capRange c' = {}" using range by (rule descendants_rangeD') lemma capAligned_c': "capAligned c'" using valid_c' by (rule valid_capAligned) lemma capRange_ut: "capRange c' \ untypedRange parent_cap" using capRange_c' is_untyped by (clarsimp simp: isCap_simps del: subsetI) lemma untyped_mdb_n' [simp]: "untyped_mdb' n'" using untyped_mdb capRange_ut untyped_inc apply (clarsimp simp: untyped_mdb'_def descendants_of'_def) apply (drule n'_cap)+ apply (simp add: parency_n') apply (simp split: split_if_asm) apply clarsimp apply (erule_tac x=parent in allE) apply (simp add: parent is_untyped) apply (erule_tac x=p' in allE) apply simp apply (frule untypedCapRange) apply (drule untypedRange_c') apply (erule impE, blast) apply (drule (1) rangeD) apply simp apply clarsimp apply (thin_tac "All P" for P) apply (simp add: untyped_inc'_def) apply (erule_tac x=parent in allE) apply (erule_tac x=p in allE) apply (simp add: parent is_untyped) apply (clarsimp simp: descendants_of'_def) apply (case_tac "untypedRange parent_cap = untypedRange c") apply simp apply (elim disjE conjE) apply (drule (1) rangeD) apply (drule untypedCapRange) apply simp apply blast apply simp apply (erule disjE) apply clarsimp apply (erule disjE) apply (simp add: psubsetI) apply (elim conjE) apply (drule (1) rangeD) apply (drule untypedCapRange) apply simp apply blast apply blast apply clarsimp done lemma site': "n' site = Some new_site" by (simp add: n n'_def modify_map_if new_site_def) lemma loopE: "m \ x \\<^sup>+ x \ P" by simp lemma capRange_parent_inter: "capRange c' \ untypedRange parent_cap \ {}" using capAligned_capUntypedPtr [OF valid_capAligned [OF valid_c'] phys] capRange_ut by blast lemma n'_ex_cteCap: "(\cte. n' p = Some cte \ P (cteCap cte)) = (if p = site then P c' else (\cte. m p = Some cte \ P (cteCap cte)))" apply (simp add: n'_def n_def modify_map_def) apply fastforce done lemma n'_all_cteCap: "(\cte. n' p = Some cte \ P (cteCap cte)) = (if p = site then P c' else (\cte. m p = Some cte \ P (cteCap cte)))" apply (simp add: n'_def n_def modify_map_def) apply fastforce done lemma is_end_chunk_n': "is_end_chunk n' cap x = (if x = site \ sameRegionAs cap c' then is_end_chunk m cap parent else if x = parent \ sameRegionAs cap parent_cap then False else is_end_chunk m cap x)" apply (simp add: is_end_chunk_def n'_direct_eq site' new_site_def mdb_ptr_parent.p_next mdb_ptr_parent.m_p cong: conj_cong) apply (subst n'_all_cteCap n'_ex_cteCap)+ apply simp oops lemma m_loop_trancl_rtrancl: "m \ y \\<^sup>* x \ \ m \ x \\<^sup>+ y" apply clarsimp apply (drule(1) transitive_closure_trans) apply (erule loopE) done lemma m_rtrancl_to_site: "m \ p \\<^sup>* site = (p = site)" apply (rule iffI) apply (erule rtranclE) apply assumption apply simp apply simp done lemma descendants_of'_D: "p' \ descendants_of' p ctes \ ctes \ p \ p' " by (clarsimp simp:descendants_of'_def) lemma untyped_inc_mdbD: "\ sameRegionAs cap cap'; isUntypedCap cap; ctes p = Some (CTE cap node); ctes p' = Some (CTE cap' node'); untyped_inc' ctes; untyped_mdb' ctes; no_loops ctes \ \ ctes \ p \ p' \ p = p' \ (isUntypedCap cap' \ untypedRange cap \ untypedRange cap' \ sameRegionAs cap' cap \ ctes \ p' \ p)" apply (subgoal_tac "untypedRange cap \ untypedRange cap' \ sameRegionAs cap' cap") apply (cases "isUntypedCap cap'") apply (drule(4) untyped_incD'[where p=p and p'=p']) apply (erule sameRegionAsE, simp_all add: untypedCapRange)[1] apply (cases "untypedRange cap = untypedRange cap'") apply simp apply (elim disjE conjE) apply (simp only: simp_thms descendants_of'_D)+ apply (elim disjE conjE) apply (simp add: subset_iff_psubset_eq) apply (elim disjE) apply (simp add:descendants_of'_D)+ apply (clarsimp simp:descendants_of'_def) apply (clarsimp simp: isCap_simps) apply clarsimp apply (erule sameRegionAsE) apply simp apply (drule(1) untyped_mdbD',simp) apply (simp add:untypedCapRange) apply blast apply simp apply assumption apply (simp add:descendants_of'_def) apply (clarsimp simp:isCap_simps) apply (simp add:isCap_simps) apply (clarsimp simp:sameRegionAs_def3) apply (erule disjE) apply (intro conjI) apply blast apply (simp add:untypedCapRange) apply (erule subset_trans[OF _ untypedRange_in_capRange]) apply clarsimp apply (rule untypedRange_not_emptyD) apply (simp add:untypedCapRange) apply blast apply (clarsimp simp:isCap_simps) done lemma parent_chunk: "is_chunk n' parent_cap parent site" by (clarsimp simp: is_chunk_def n'_trancl_eq n'_rtrancl_eq site' new_site_def same_region m_loop_trancl_rtrancl m_rtrancl_to_site) lemma mdb_chunked_n' [simp]: notes if_cong[cong del] if_weak_cong[cong] shows "mdb_chunked n'" using chunked untyped_mdb untyped_inc apply (clarsimp simp: mdb_chunked_def) apply (drule n'_cap)+ apply (simp add: n'_trancl_eq split del: split_if) apply (simp split: split_if_asm) apply clarsimp apply (frule sameRegion_parentI) apply (frule(1) untyped_inc_mdbD [OF _ is_untyped _ _ untyped_inc untyped_mdb no_loops, OF _ parent]) apply (elim disjE) apply (frule sameRegionAs_capRange_Int) apply (simp add: phys) apply (rule valid_capAligned [OF valid_c']) apply (rule valid_capAligned) apply (erule valid_capI') apply (erule notE, erule(1) descendants_rangeD' [OF range, rotated]) apply (clarsimp simp: parent parent_chunk) apply clarsimp apply (frule subtree_mdb_next) apply (simp add: m_loop_trancl_rtrancl [OF trancl_into_rtrancl, where x=parent]) apply (case_tac "p' = parent") apply (clarsimp simp: parent) apply (drule_tac x=p' in spec) apply (drule_tac x=parent in spec) apply (frule sameRegionAs_trans [OF _ same_region]) apply (clarsimp simp: parent is_chunk_def n'_trancl_eq n'_rtrancl_eq m_rtrancl_to_site site' new_site_def) apply (drule_tac x=p'' in spec) apply clarsimp apply (drule_tac p=p'' in m_cap, clarsimp) apply clarsimp apply (erule_tac x=p in allE) apply (erule_tac x=parent in allE) apply (insert parent is_untyped)[1] apply simp apply (case_tac "p = parent") apply (simp add: parent) apply (clarsimp simp add: is_chunk_def) apply (simp add: rtrancl_eq_or_trancl) apply (erule disjE) apply (clarsimp simp: site' new_site_def) apply clarsimp apply (drule tranclD) apply (clarsimp simp: n'_direct_eq) apply (drule (1) transitive_closure_trans) apply simp apply simp apply (case_tac "isUntypedCap cap") prefer 2 apply (simp add: untyped_mdb'_def) apply (erule_tac x=parent in allE) apply simp apply (erule_tac x=p in allE) apply (simp add: descendants_of'_def) apply (drule mp[where P="S \ T \ {}" for S T]) apply (frule sameRegionAs_capRange_Int, simp add: phys) apply (rule valid_capAligned, erule valid_capI') apply (rule valid_capAligned, rule valid_c') apply (insert capRange_ut)[1] apply blast apply (drule (1) rangeD) apply (drule capRange_sameRegionAs, rule valid_c') apply (simp add: phys) apply simp apply (case_tac "untypedRange parent_cap \ untypedRange cap") apply (erule impE) apply (clarsimp simp only: isCap_simps untypedRange.simps) apply (subst (asm) range_subset_eq) apply (drule valid_capI')+ apply (drule valid_capAligned)+ apply (clarsimp simp: capAligned_def) apply (erule is_aligned_no_overflow) apply (simp(no_asm) add: sameRegionAs_def3 isCap_simps) apply (drule valid_capI')+ apply (drule valid_capAligned)+ apply (clarsimp simp: capAligned_def is_aligned_no_overflow interval_empty) apply clarsimp apply (erule disjE) apply simp apply (rule conjI) prefer 2 apply clarsimp apply (drule (1) trancl_trans, erule loopE) apply (thin_tac "P \ Q" for P Q) apply (clarsimp simp: is_chunk_def) apply (simp add: n'_trancl_eq n'_rtrancl_eq split: split_if_asm) apply (simp add: site' new_site_def) apply (erule_tac x=p'' in allE) apply clarsimp apply (drule_tac p=p'' in m_cap) apply clarsimp apply (simp add: rtrancl_eq_or_trancl) apply simp apply (rule conjI) apply clarsimp apply (drule (1) trancl_trans, erule loopE) apply clarsimp apply (clarsimp simp: is_chunk_def) apply (simp add: n'_trancl_eq n'_rtrancl_eq split: split_if_asm) apply (drule (1) transitive_closure_trans, erule loopE) apply (subgoal_tac "m \ p \ parent") apply (drule subtree_mdb_next) apply (drule (1) trancl_trans, erule loopE) apply (thin_tac "All P" for P) apply (drule_tac p=parent and p'=p in untyped_incD'[rotated], assumption+) apply simp apply (subgoal_tac "\ m \ parent \ p") prefer 2 apply clarsimp apply (drule (1) rangeD) apply (drule capRange_sameRegionAs, rule valid_c') apply (simp add: phys) apply simp apply (clarsimp simp: descendants_of'_def subset_iff_psubset_eq) apply (erule disjE,simp,simp) apply (drule_tac p=parent and p'=p in untyped_incD'[rotated], assumption+) apply (simp add:subset_iff_psubset_eq descendants_of'_def) apply (elim disjE conjE| simp )+ apply (drule(1) rangeD) apply (drule capRange_sameRegionAs[OF _ valid_c']) apply (simp add:phys)+ apply (insert capRange_c' is_untyped)[1] apply (simp add: untypedCapRange [symmetric]) apply (drule(1) disjoint_subset) apply (drule capRange_sameRegionAs[OF _ valid_c']) apply (simp add:phys) apply (simp add:Int_ac) apply clarsimp apply (erule_tac x=p in allE) apply (erule_tac x=p' in allE) apply clarsimp apply (erule disjE) apply simp apply (thin_tac "P \ Q" for P Q) apply (subgoal_tac "is_chunk n' cap p p'") prefer 2 apply (clarsimp simp: is_chunk_def) apply (simp add: n'_trancl_eq n'_rtrancl_eq split: split_if_asm) apply (erule disjE) apply (erule_tac x=parent in allE) apply clarsimp apply (erule impE, fastforce) apply (clarsimp simp: parent) apply (simp add: site' new_site_def) apply (erule sameRegionAs_trans, rule same_region) apply (clarsimp simp add: parent) apply (simp add: site' new_site_def) apply (rule same_region) apply (erule_tac x=p'' in allE) apply clarsimp apply (drule_tac p=p'' in m_cap) apply clarsimp apply (erule_tac x=p'' in allE) apply clarsimp apply (drule_tac p=p'' in m_cap) apply clarsimp apply (erule_tac x=p'' in allE) apply clarsimp apply (drule_tac p=p'' in m_cap) apply clarsimp apply (erule_tac x=p'' in allE) apply clarsimp apply (drule_tac p=p'' in m_cap) apply clarsimp apply simp apply (rule conjI) apply clarsimp apply (rule conjI) apply clarsimp apply (drule (1) trancl_trans, erule loopE) apply (rule conjI, clarsimp) apply (drule (1) trancl_trans, erule loopE) apply clarsimp apply (drule (1) trancl_trans, erule loopE) apply (rule conjI) apply clarsimp apply (drule (1) trancl_trans, erule loopE) apply clarsimp apply (rule conjI) apply clarsimp apply (drule (1) trancl_trans, erule loopE) apply (rule conjI, clarsimp) apply clarsimp apply (drule (1) trancl_trans, erule loopE) apply simp apply (thin_tac "P \ Q" for P Q) apply (subgoal_tac "is_chunk n' cap' p' p") prefer 2 apply (clarsimp simp: is_chunk_def) apply (simp add: n'_trancl_eq n'_rtrancl_eq split: split_if_asm) apply (erule disjE) apply (erule_tac x=parent in allE) apply clarsimp apply (erule impE, fastforce) apply (clarsimp simp: parent) apply (simp add: site' new_site_def) apply (erule sameRegionAs_trans, rule same_region) apply (clarsimp simp add: parent) apply (simp add: site' new_site_def) apply (rule same_region) apply (erule_tac x=p'' in allE) apply clarsimp apply (drule_tac p=p'' in m_cap) apply clarsimp apply (erule_tac x=p'' in allE) apply clarsimp apply (drule_tac p=p'' in m_cap) apply clarsimp apply (erule_tac x=p'' in allE) apply clarsimp apply (drule_tac p=p'' in m_cap) apply clarsimp apply (erule_tac x=p'' in allE) apply clarsimp apply (drule_tac p=p'' in m_cap) apply clarsimp apply simp apply (rule conjI) apply clarsimp apply (rule conjI) apply clarsimp apply (drule (1) trancl_trans, erule loopE) apply (rule conjI, clarsimp) apply (drule (1) trancl_trans, erule loopE) apply clarsimp apply (drule (1) trancl_trans, erule loopE) apply (rule conjI) apply clarsimp apply (drule (1) trancl_trans, erule loopE) apply clarsimp apply (rule conjI) apply clarsimp apply (drule (1) trancl_trans, erule loopE) apply (rule conjI, clarsimp) apply clarsimp apply (drule (1) trancl_trans, erule loopE) done lemma caps_contained_n' [simp]: "caps_contained' n'" using caps_contained untyped_mdb untyped_inc apply (clarsimp simp: caps_contained'_def) apply (drule n'_cap)+ apply (clarsimp split: split_if_asm) apply (drule capRange_untyped) apply simp apply (frule capRange_untyped) apply (frule untypedRange_c') apply (erule_tac x=parent in allE) apply (erule_tac x=p' in allE) apply (simp add: parent) apply (erule impE, blast) apply (simp add: untyped_mdb'_def) apply (erule_tac x=parent in allE) apply (erule_tac x=p' in allE) apply (simp add: parent is_untyped descendants_of'_def) apply (erule impE) apply (thin_tac "m site = t" for t) apply (drule valid_capI') apply (frule valid_capAligned) apply blast apply (drule (1) rangeD) apply (frule capRange_untyped) apply (drule untypedCapRange) apply simp apply (thin_tac "All P" for P) apply (insert capRange_c')[1] apply (simp add: untypedCapRange is_untyped) apply (subgoal_tac "untypedRange parent_cap \ untypedRange c \ {}") prefer 2 apply blast apply (frule untyped_incD'[OF _ capRange_untyped _ is_untyped]) apply (case_tac c) apply simp_all apply (simp add:isCap_simps) apply (rule parent) apply clarsimp apply (case_tac "untypedRange c = untypedRange parent_cap") apply blast apply simp apply (elim disjE) apply (drule_tac A = "untypedRange c" in psubsetI) apply simp+ apply (thin_tac "P\Q" for P Q) apply (elim conjE) apply (simp add:descendants_of'_def) apply (drule(1) rangeD) apply (frule capRange_untyped) apply (simp add:untypedCapRange Int_ac) apply blast apply (simp add:descendants_of'_def) apply blast apply blast done lemma untyped_inc_n' [simp]: "untypedRange c' \ usableUntypedRange parent_cap = {} \ untyped_inc' n'" using untyped_inc apply (clarsimp simp: untyped_inc'_def) apply (drule n'_cap)+ apply (clarsimp simp: descendants_of'_def parency_n' split: split_if_asm) apply (frule untypedRange_c') apply (insert parent is_untyped)[1] apply (erule_tac x=parent in allE) apply (erule_tac x=p' in allE) apply clarsimp apply (case_tac "untypedRange parent_cap = untypedRange c'a") apply simp apply (intro conjI) apply (intro impI) apply (elim disjE conjE) apply (drule(1) subtree_trans,simp) apply (simp add:subset_not_psubset) apply simp apply (clarsimp simp:subset_not_psubset) apply (drule valid_capI')+ apply (drule(2) disjoint_subset[OF usableRange_subseteq[OF valid_capAligned],rotated -1]) apply simp apply (clarsimp) apply (rule int_not_emptyD) apply (drule(1) rangeD) apply (simp add:untypedCapRange Int_ac) apply (erule aligned_untypedRange_non_empty[OF valid_capAligned[OF valid_c']]) apply (erule(1) aligned_untypedRange_non_empty[OF valid_capAligned[OF valid_capI']]) apply simp apply (erule subset_splitE) apply (simp|elim conjE)+ apply (thin_tac "P \ Q" for P Q)+ apply blast apply (simp|elim conjE)+ apply (thin_tac "P \ Q" for P Q)+ apply (intro conjI,intro impI,drule(1) subtree_trans,simp) apply clarsimp apply (intro impI) apply (drule(1) rangeD) apply (simp add:untypedCapRange Int_ac) apply (rule int_not_emptyD) apply (simp add:Int_ac) apply (erule aligned_untypedRange_non_empty[OF valid_capAligned[OF valid_c']]) apply (erule(1) aligned_untypedRange_non_empty[OF valid_capAligned[OF valid_capI']]) apply simp apply (thin_tac "P \ Q" for P Q)+ apply (drule(1) disjoint_subset[rotated]) apply simp apply (drule_tac B = "untypedRange c'a" in int_not_emptyD) apply (erule aligned_untypedRange_non_empty[OF capAligned_c']) apply (erule(1) aligned_untypedRange_non_empty[OF valid_capAligned[OF valid_capI']]) apply simp apply (frule untypedRange_c') apply (insert parent is_untyped)[1] apply (erule_tac x=p in allE) apply (erule_tac x=parent in allE) apply clarsimp apply (case_tac "untypedRange parent_cap = untypedRange c") apply simp apply (intro conjI) apply (intro impI) apply (elim disjE conjE) apply (clarsimp simp:subset_not_psubset )+ apply (drule(1) subtree_trans,simp) apply simp apply (clarsimp simp:subset_not_psubset) apply (drule disjoint_subset[OF usableRange_subseteq[OF valid_capAligned[OF valid_capI']],rotated]) apply simp apply assumption apply simp apply clarsimp apply (rule int_not_emptyD) apply (drule(1) rangeD) apply (simp add:untypedCapRange Int_ac) apply (erule(1) aligned_untypedRange_non_empty[OF valid_capAligned[OF valid_capI']]) apply (erule aligned_untypedRange_non_empty[OF capAligned_c']) apply simp apply (erule subset_splitE) apply (simp|elim conjE)+ apply (thin_tac "P \ Q" for P Q)+ apply (intro conjI,intro impI,drule(1) subtree_trans,simp) apply clarsimp apply (intro impI) apply (drule(1) rangeD) apply (simp add:untypedCapRange Int_ac) apply (rule int_not_emptyD) apply (simp add:Int_ac) apply (erule(1) aligned_untypedRange_non_empty[OF valid_capAligned[OF valid_capI']]) apply (erule aligned_untypedRange_non_empty[OF valid_capAligned[OF valid_c']]) apply simp apply (thin_tac "P\Q" for P Q)+ apply blast apply (thin_tac "P\Q" for P Q)+ apply simp apply (drule(1) disjoint_subset2[rotated]) apply simp apply (drule_tac B = "untypedRange c'" in int_not_emptyD) apply (erule(1) aligned_untypedRange_non_empty[OF valid_capAligned[OF valid_capI']]) apply (erule aligned_untypedRange_non_empty[OF capAligned_c']) apply simp apply (erule_tac x=p in allE) apply (erule_tac x=p' in allE) apply simp apply blast done lemma ut_rev_n' [simp]: "ut_revocable' n'" using ut_rev apply (clarsimp simp: ut_revocable'_def n'_def n_def) apply (clarsimp simp: modify_map_if split: split_if_asm) done lemma class_links_m: "class_links m" using valid by (simp add: valid_mdb_ctes_def) lemma parent_phys: "capClass parent_cap = PhysicalClass" using is_untyped by (clarsimp simp: isCap_simps) lemma class_links [simp]: "class_links n'" using class_links_m apply (clarsimp simp add: class_links_def) apply (simp add: n'_direct_eq split: split_if_asm) apply (case_tac cte, clarsimp dest!: n'_cap simp: site' parent new_site_def phys parent_phys) apply (drule_tac x=parent in spec) apply (drule_tac x=p' in spec) apply (case_tac cte') apply (clarsimp simp: site' new_site_def parent parent_phys phys dest!: n'_cap split: split_if_asm) apply (case_tac cte, case_tac cte') apply (clarsimp dest!: n'_cap split: split_if_asm) apply fastforce done lemma irq_control_n' [simp]: "irq_control n'" using irq_control phys apply (clarsimp simp: irq_control_def) apply (clarsimp simp: n'_def n_def) apply (clarsimp simp: modify_map_if split: split_if_asm) done lemma dist_z_m: "distinct_zombies m" using valid by auto lemma dist_z [simp]: "distinct_zombies n'" using dist_z_m apply (simp add: n'_def distinct_zombies_nonCTE_modify_map) apply (simp add: n_def distinct_zombies_nonCTE_modify_map fun_upd_def[symmetric]) apply (erule distinct_zombies_seperateE, simp) apply (case_tac cte, clarsimp) apply (rename_tac cap node) apply (subgoal_tac "capRange cap \ capRange c' \ {}") apply (frule untyped_mdbD' [OF _ _ _ _ _ untyped_mdb, OF parent]) apply (simp add: is_untyped) apply (clarsimp simp add: untypedCapRange[OF is_untyped, symmetric]) apply (drule disjoint_subset2 [OF capRange_c']) apply simp apply simp apply (simp add: descendants_of'_def) apply (drule(1) rangeD) apply simp apply (drule capAligned_capUntypedPtr [OF capAligned_c']) apply (frule valid_capAligned [OF valid_capI']) apply (drule(1) capAligned_capUntypedPtr) apply auto done lemma reply_masters_rvk_fb_m: "reply_masters_rvk_fb m" using valid by auto lemma reply_masters_rvk_fb_n[simp]: "reply_masters_rvk_fb n'" using reply_masters_rvk_fb_m apply (simp add: reply_masters_rvk_fb_def n'_def ball_ran_modify_map_eq n_def fun_upd_def[symmetric]) apply (rule ball_ran_fun_updI, assumption) apply clarsimp done lemma valid_n': "untypedRange c' \ usableUntypedRange parent_cap = {} \ valid_mdb_ctes n'" by auto end lemma caps_overlap_reserved'_D: "\caps_overlap_reserved' S s; ctes_of s p = Some cte;isUntypedCap (cteCap cte)\ \ usableUntypedRange (cteCap cte) \ S = {}" apply (simp add:caps_overlap_reserved'_def) apply (erule ballE) apply (erule(2) impE) apply fastforce done lemma insertNewCap_valid_mdb: "\valid_mdb' and valid_objs' and K (slot \ p) and caps_overlap_reserved' (untypedRange cap) and cte_wp_at' (\cte. isUntypedCap (cteCap cte) \ sameRegionAs (cteCap cte) cap) p and K (\isZombie cap) and valid_cap' cap and (\s. descendants_range' cap p (ctes_of s))\ insertNewCap p slot cap \\rv. valid_mdb'\" apply (clarsimp simp: insertNewCap_def valid_mdb'_def) apply (wp getCTE_ctes_of | simp add: o_def)+ apply (clarsimp simp: cte_wp_at_ctes_of) apply (rule conjI) apply (clarsimp simp: no_0_def valid_mdb_ctes_def) apply (case_tac cte) apply (rename_tac p_cap p_node) apply (clarsimp cong: if_cong) apply (case_tac ya) apply (rename_tac node) apply (clarsimp simp: nullPointer_def) apply (rule mdb_insert_again_all.valid_n') apply unfold_locales[1] apply (assumption|rule refl)+ apply (frule sameRegionAs_classes, clarsimp simp: isCap_simps) apply (erule (1) ctes_of_valid_cap') apply (simp add: valid_mdb_ctes_def) apply simp apply (clarsimp simp: isMDBParentOf_CTE) apply (clarsimp simp: isCap_simps valid_mdb_ctes_def ut_revocable'_def) apply assumption apply (drule(1) caps_overlap_reserved'_D) apply simp apply (simp add:Int_ac) done (* FIXME: move *) lemma no_default_zombie: "cap_relation (default_cap tp p sz) cap \ \isZombie cap" by (cases tp, auto simp: isCap_simps) lemma insertNewCap_valid_objs [wp]: "\ valid_objs' and valid_cap' cap and pspace_aligned' and pspace_distinct'\ insertNewCap parent slot cap \\_. valid_objs'\" apply (simp add: insertNewCap_def) apply (wp setCTE_valid_objs getCTE_wp') apply clarsimp done lemma insertNewCap_valid_cap [wp]: "\ valid_cap' c \ insertNewCap parent slot cap \\_. valid_cap' c\" apply (simp add: insertNewCap_def) apply (wp getCTE_wp') apply clarsimp done lemmas descendants_of'_mdbPrev = descendants_of_prev_update lemma insertNewCap_ranges: "\\s. descendants_range' c p (ctes_of s) \ descendants_range' cap p (ctes_of s) \ capRange c \ capRange cap = {} \ cte_wp_at' (\cte. isUntypedCap (cteCap cte) \ sameRegionAs (cteCap cte) cap) p s \ valid_mdb' s \ valid_objs' s\ insertNewCap p slot cap \\_ s. descendants_range' c p (ctes_of s)\" apply (simp add: insertNewCap_def) apply (wp getCTE_wp') apply (clarsimp simp: cte_wp_at_ctes_of) apply (rule conjI) apply (clarsimp simp: valid_mdb'_def valid_mdb_ctes_def no_0_def) apply (case_tac ctea) apply (case_tac cteb) apply (clarsimp simp: nullPointer_def cong: if_cong) apply (simp (no_asm) add: descendants_range'_def descendants_of'_mdbPrev) apply (subst mdb_insert_again_child.descendants) apply unfold_locales[1] apply (simp add: valid_mdb'_def) apply (assumption|rule refl)+ apply (frule sameRegionAs_classes, clarsimp simp: isCap_simps) apply (erule (1) ctes_of_valid_cap') apply (simp add: valid_mdb'_def valid_mdb_ctes_def) apply clarsimp apply (clarsimp simp: isMDBParentOf_def) apply (clarsimp simp: isCap_simps valid_mdb'_def valid_mdb_ctes_def ut_revocable'_def) apply clarsimp apply (rule context_conjI, blast) apply (clarsimp simp: descendants_range'_def) done lemma insertNewCap_overlap_reserved'[wp]: "\\s. caps_overlap_reserved' (capRange c) s\ capRange c \ capRange cap = {} \ capAligned cap \ cte_wp_at' (\cte. isUntypedCap (cteCap cte) \ sameRegionAs (cteCap cte) cap) p s \ valid_mdb' s \ valid_objs' s\ insertNewCap p slot cap \\_ s. caps_overlap_reserved' (capRange c) s\" apply (simp add: insertNewCap_def caps_overlap_reserved'_def) apply (wp getCTE_wp') apply (clarsimp simp: cte_wp_at_ctes_of) apply (rule conjI) apply (clarsimp simp: valid_mdb'_def valid_mdb_ctes_def no_0_def) apply (case_tac ctea) apply (case_tac cteb) apply (clarsimp simp: nullPointer_def ball_ran_modify_map_eq caps_overlap_reserved'_def[symmetric]) apply (clarsimp simp: ran_def split: if_splits) apply (case_tac "slot = a") apply clarsimp apply (rule disjoint_subset) apply (erule(1) usableRange_subseteq) apply (simp add:untypedCapRange Int_ac)+ apply (subst Int_commute) apply (erule(2) caps_overlap_reserved'_D) done crunch typ_at'[wp]: insertNewCap "\s. P (typ_at' T p s)" (wp: crunch_wps) crunch ksArch[wp]: insertNewCap "\s. P (ksArchState s)" (wp: crunch_wps) lemma inv_untyped_corres_helper1: "list_all2 cap_relation (map (\ref. default_cap tp ref sz) orefs) cps \ corres dc (\s. pspace_aligned s \ pspace_distinct s \ valid_objs s \ valid_mdb s \ valid_list s \ cte_wp_at is_untyped_cap p s \ (\tup \ set (zip crefs orefs). cte_wp_at (\c. cap_range (default_cap tp (snd tup) sz) \ untyped_range c) p s) \ (\tup \ set (zip crefs orefs). descendants_range (default_cap tp (snd tup) sz) p s) \ (\tup \ set (zip crefs orefs). caps_overlap_reserved (untyped_range (default_cap tp (snd tup) sz)) s) \ (\tup \ set (zip crefs orefs). real_cte_at (fst tup) s) \ (\tup \ set (zip crefs orefs). cte_wp_at (op = cap.NullCap) (fst tup) s) \ distinct (p # (map fst (zip crefs orefs))) \ distinct_sets (map (\tup. cap_range (default_cap tp (snd tup) sz)) (zip crefs orefs)) \ (\tup \ set (zip crefs orefs). valid_cap (default_cap tp (snd tup) sz) s)) (\s. (\tup \ set (zip (map cte_map crefs) cps). valid_cap' (snd tup) s) \ (\tup \ set (zip (map cte_map crefs) cps). cte_wp_at' (\c. cteCap c = NullCap) (fst tup) s) \ cte_wp_at' (\cte. isUntypedCap (cteCap cte) \ (\tup \ set (zip (map cte_map crefs) cps). sameRegionAs (cteCap cte) (snd tup))) (cte_map p) s \ distinct ((cte_map p) # (map fst (zip (map cte_map crefs) cps))) \ valid_mdb' s \ valid_objs' s \ pspace_aligned' s \ pspace_distinct' s \ (\tup \ set (zip (map cte_map crefs) cps). descendants_range' (snd tup) (cte_map p) (ctes_of s)) \ (\tup \ set (zip (map cte_map crefs) cps). caps_overlap_reserved' (capRange (snd tup)) s) \ distinct_sets (map capRange (map snd (zip (map cte_map crefs) cps)))) (sequence_x (map (create_cap tp sz p) (zip crefs orefs))) (zipWithM_x (insertNewCap (cte_map p)) ((map cte_map crefs)) cps)" apply (simp add: zipWithM_x_def zipWith_def split_def) apply (fold mapM_x_def) apply (rule corres_list_all2_mapM_) apply (rule corres_guard_imp) apply (erule create_cap_corres) apply (clarsimp simp: cte_wp_at_def is_cap_simps) apply (clarsimp simp: cteCaps_of_ran_Ball_upd fun_upd_def cte_wp_at_ctes_of) apply clarsimp apply (rule hoare_pre, wp hoare_vcg_const_Ball_lift) apply clarsimp apply (rule conjI) apply (clarsimp simp: cte_wp_at_caps_of_state cap_range_def[where c="default_cap a b c" for a b c]) apply (drule(2) caps_overlap_reservedD[rotated]) apply (simp add:Int_ac) apply (rule conjI) apply (clarsimp simp: valid_cap_def) apply (rule conjI) apply (clarsimp simp: cte_wp_at_caps_of_state) apply (rule conjI) apply (clarsimp simp:Int_ac) apply (erule disjoint_subset2[rotated]) apply fastforce apply clarsimp apply (rule conjI) apply clarsimp apply (rule conjI) subgoal by fastforce apply (clarsimp simp: cte_wp_at_caps_of_state is_cap_simps valid_cap_def) apply (fastforce simp: image_def) apply (rule hoare_pre) apply (wp hoare_vcg_const_Ball_lift hoare_vcg_const_imp_lift [OF insertNewCap_mdbNext] insertNewCap_valid_mdb hoare_vcg_all_lift insertNewCap_ranges | subst cte_wp_at_cteCaps_of)+ apply (subst(asm) cte_wp_at_cteCaps_of)+ apply (clarsimp simp only:) apply simp apply (rule conjI) apply clarsimp apply (thin_tac "cte_map p \ S" for S) apply (erule notE, erule rev_image_eqI) apply simp apply (rule conjI,clarsimp+) apply (rule conjI,erule caps_overlap_reserved'_subseteq) apply (rule untypedRange_in_capRange) apply (rule conjI,erule no_default_zombie) apply (rule conjI, clarsimp simp:Int_ac) apply fastforce apply (clarsimp simp:Int_ac valid_capAligned ) apply fastforce apply (rule list_all2_zip_split) apply (simp add: list_all2_map2 list_all2_refl) apply (simp add: list_all2_map1) done lemma createNewCaps_valid_pspace_extras: "\(\s. n \ 0 \ ptr \ 0 \ range_cover ptr sz (APIType_capBits ty us) n \ pspace_no_overlap' ptr sz s \ valid_pspace' s \ caps_no_overlap'' ptr sz s \ caps_overlap_reserved' {ptr .. ptr + of_nat n * 2 ^ APIType_capBits ty us - 1} s \ ksCurDomain s \ maxDomain )\ createNewCaps ty ptr n us \\rv. pspace_aligned'\" "\(\s. n \ 0 \ ptr \ 0 \ range_cover ptr sz (APIType_capBits ty us) n \ pspace_no_overlap' ptr sz s \ valid_pspace' s \ caps_no_overlap'' ptr sz s \ caps_overlap_reserved' {ptr .. ptr + of_nat n * 2 ^ APIType_capBits ty us - 1} s \ ksCurDomain s \ maxDomain )\ createNewCaps ty ptr n us \\rv. pspace_distinct'\" "\(\s. n \ 0 \ ptr \ 0 \ range_cover ptr sz (APIType_capBits ty us) n \ pspace_no_overlap' ptr sz s \ valid_pspace' s \ caps_no_overlap'' ptr sz s \ caps_overlap_reserved' {ptr .. ptr + of_nat n * 2 ^ APIType_capBits ty us - 1} s \ ksCurDomain s \ maxDomain )\ createNewCaps ty ptr n us \\rv. valid_mdb'\" "\(\s. n \ 0 \ ptr \ 0 \ range_cover ptr sz (APIType_capBits ty us) n \ pspace_no_overlap' ptr sz s \ valid_pspace' s \ caps_no_overlap'' ptr sz s \ caps_overlap_reserved' {ptr .. ptr + of_nat n * 2 ^ APIType_capBits ty us - 1} s \ ksCurDomain s \ maxDomain )\ createNewCaps ty ptr n us \\rv. valid_objs'\" apply (rule hoare_grab_asm)+ apply (rule hoare_pre,rule hoare_strengthen_post[OF createNewCaps_valid_pspace]) apply (simp add:valid_pspace'_def)+ apply (rule hoare_grab_asm)+ apply (rule hoare_pre,rule hoare_strengthen_post[OF createNewCaps_valid_pspace]) apply (simp add:valid_pspace'_def)+ apply (rule hoare_grab_asm)+ apply (rule hoare_pre,rule hoare_strengthen_post[OF createNewCaps_valid_pspace]) apply (simp add:valid_pspace'_def)+ apply (rule hoare_grab_asm)+ apply (rule hoare_pre,rule hoare_strengthen_post[OF createNewCaps_valid_pspace]) apply (simp add:valid_pspace'_def)+ done declare map_fst_zip_prefix[simp] declare map_snd_zip_prefix[simp] declare word_unat_power [symmetric, simp del] lemma createWordObjects_ret2: "\(\s. P (map (\p. ptr_add y (p * 2 ^ (pageBits + us))) [0 ..< n])) and K ( n < 2 ^ word_bits \ n \ 0)\ createWordObjects y n us \\rv s. P rv\" apply (simp add: createWordObjects_def split del: split_if) apply (rule hoare_pre, wp) apply (wp createObjects_ret2) apply (simp add: objBits_simps) done lemma createNewCaps_range_helper: "\\s. range_cover ptr sz (APIType_capBits tp us) n \ 0 < n\ createNewCaps tp ptr n us \\rv s. \capfn. rv = map capfn (map (\p. ptr_add ptr (p * 2 ^ (APIType_capBits tp us))) [0 ..< n]) \ (\p. capClass (capfn p) = PhysicalClass \ capUntypedPtr (capfn p) = p \ capBits (capfn p) = (APIType_capBits tp us))\" apply (simp add: createNewCaps_def toAPIType_def ArchTypes_H.toAPIType_def createNewCaps_def Arch_createNewCaps_def split del: split_if cong: option.case_cong) apply (rule hoare_grab_asm)+ apply (frule range_cover.range_cover_n_less) apply (frule range_cover.unat_of_nat_n) apply (cases tp, simp_all split del: split_if) apply (rename_tac apiobject_type) apply (case_tac apiobject_type, simp_all split del: split_if) apply (rule hoare_pre, wp) apply (frule range_cover_not_zero[rotated -1],simp) apply (clarsimp simp: APIType_capBits_def objBits_simps archObjSize_def ptr_add_def o_def) apply (subst upto_enum_red') apply unat_arith apply (clarsimp simp: o_def fromIntegral_def toInteger_nat fromInteger_nat) apply fastforce apply (rule hoare_pre,wp createObjects_ret2) apply (clarsimp simp: APIType_capBits_def word_bits_def objBits_simps archObjSize_def ptr_add_def o_def) apply (fastforce simp: objBitsKO_def objBits_def) apply (rule hoare_pre,wp createObjects_ret2) apply (clarsimp simp: APIType_capBits_def word_bits_def objBits_simps archObjSize_def ptr_add_def o_def) apply (fastforce simp: objBitsKO_def objBits_def) apply (rule hoare_pre,wp createObjects_ret2) apply (clarsimp simp: APIType_capBits_def word_bits_def objBits_simps archObjSize_def ptr_add_def o_def) apply (fastforce simp: objBitsKO_def objBits_def) apply (rule hoare_pre,wp createObjects_ret2) apply (clarsimp simp: APIType_capBits_def word_bits_def objBits_simps archObjSize_def ptr_add_def o_def) apply (fastforce simp: objBitsKO_def objBits_def) apply (wp createWordObjects_ret2 createObjects_ret2, clarsimp simp: APIType_capBits_def objBits_simps archObjSize_def word_bits_def pdBits_def pageBits_def ptBits_def ,rule exI,fastforce)+ done lemma createNewCaps_range_helper2: "\\s. range_cover ptr sz (APIType_capBits tp us) n \ 0 < n\ createNewCaps tp ptr n us \\rv s. \cp \ set rv. capRange cp \ {} \ capRange cp \ {ptr .. (ptr && ~~ mask sz) + 2 ^ sz - 1}\" apply (rule hoare_assume_pre) apply (rule hoare_strengthen_post) apply (rule createNewCaps_range_helper) apply (clarsimp simp: capRange_def interval_empty ptr_add_def word_unat_power[symmetric] simp del: atLeastatMost_subset_iff dest!: less_two_pow_divD) apply (rule conjI) apply (rule is_aligned_no_overflow) apply (rule is_aligned_add_multI [OF _ _ refl]) apply (fastforce simp:range_cover_def) apply simp apply (rule range_subsetI) apply (rule word32_plus_mono_right_split[OF range_cover.range_cover_compare]) apply (assumption)+ apply (simp add:range_cover_def word_bits_def) apply (frule range_cover_cell_subset) apply (erule of_nat_mono_maybe[rotated]) apply (drule (1) range_cover.range_cover_n_less ) apply (clarsimp) apply (erule impE) apply (simp add:range_cover_def) apply (rule is_aligned_no_overflow) apply (rule is_aligned_add_multI[OF _ le_refl refl]) apply (fastforce simp:range_cover_def) apply simp done lemma createNewCaps_children: "\\s. cap = UntypedCap (ptr && ~~ mask sz) sz idx \ range_cover ptr sz (APIType_capBits tp us) n \ 0 < n\ createNewCaps tp ptr n us \\rv s. \y \ set rv. sameRegionAs cap y\" apply (rule hoare_assume_pre) apply (rule hoare_chain [OF createNewCaps_range_helper2]) apply fastforce apply clarsimp apply (drule(1) bspec) apply (clarsimp simp: sameRegionAs_def3 isCap_simps) apply (drule(1) subsetD) apply clarsimp apply (erule order_trans[rotated]) apply (rule word_and_le2) done lemma createObjects_null_filter': "\\s. P (null_filter' (ctes_of s)) \ makeObjectKO ty = Some val \ range_cover ptr sz (objBitsKO val + gbits) n \ n \ 0 \ pspace_aligned' s \ pspace_distinct' s \ pspace_no_overlap' ptr sz s\ createObjects' ptr n val gbits \\addrs a. P (null_filter' (ctes_of a))\" apply (clarsimp simp: createObjects'_def split_def) apply (wp hoare_unless_wp|wpc | clarsimp simp:haskell_assert_def alignError_def split del: if_splits simp del:fun_upd_apply)+ apply (subst new_cap_addrs_fold') apply (simp add:unat_1_0 unat_gt_0) apply (rule range_cover_not_zero_shift) apply fastforce+ apply (subst new_cap_addrs_fold') apply (simp add:unat_1_0 unat_gt_0) apply (rule range_cover_not_zero_shift) apply simp apply assumption apply simp apply (subst data_map_insert_def[symmetric])+ apply (frule(2) retype_aligned_distinct'[where ko = val]) apply (erule range_cover_rel) apply simp+ apply (frule(2) retype_aligned_distinct'(2)[where ko = val]) apply (erule range_cover_rel) apply simp+ apply (frule null_filter_ctes_retype [where addrs = "(new_cap_addrs (unat (((of_nat n)::word32) << gbits)) ptr val)"]) apply assumption+ apply (clarsimp simp:field_simps foldr_upd_app_if[folded data_map_insert_def] shiftl_t2n range_cover.unat_of_nat_shift)+ apply (rule new_cap_addrs_aligned[THEN bspec]) apply (erule range_cover.aligned[OF range_cover_rel]) apply simp+ apply (clarsimp simp:shiftl_t2n field_simps range_cover.unat_of_nat_shift) apply (drule subsetD[OF new_cap_addrs_subset,rotated]) apply (erule range_cover_rel) apply simp apply simp apply (rule ccontr) apply clarify apply (frule(1) pspace_no_overlapD') apply (erule_tac B = "{x..x+2^objBitsKO y - 1}" in in_empty_interE[rotated]) apply (drule(1) pspace_alignedD') apply (clarsimp) apply (erule is_aligned_no_overflow) apply (simp del:atLeastAtMost_iff atLeastatMost_subset_iff atLeastLessThan_iff Int_atLeastAtMost atLeastatMost_empty_iff add:Int_ac ptr_add_def p_assoc_help) apply (simp add:field_simps foldr_upd_app_if[folded data_map_insert_def] shiftl_t2n) apply auto done lemma createNewCaps_null_filter': "\(\s. P (null_filter' (ctes_of s))) and pspace_aligned' and pspace_distinct' and pspace_no_overlap' ptr sz and K (range_cover ptr sz (APIType_capBits ty us) n \ n \ 0) \ createNewCaps ty ptr n us \\_ s. P (null_filter' (ctes_of s))\" apply (rule hoare_gen_asm) apply (simp add: createNewCaps_def toAPIType_def ArchTypes_H.toAPIType_def createNewCaps_def Arch_createNewCaps_def split del: split_if cong: option.case_cong) apply (cases ty, simp_all split del: split_if) apply (rename_tac apiobject_type) apply (case_tac apiobject_type, simp_all split del: split_if) apply (rule hoare_pre, wp,simp) apply (simp add: createWordObjects_def createObjects_def objBitsKO_def makeObjectKO_def APIType_capBits_def objBits_def pageBits_def archObjSize_def ptBits_def pdBits_def curDomain_def | wp createObjects_null_filter'[where ty = "Inr ty" and sz = sz] copyGlobalMappings_ctes_of threadSet_ctes_of mapM_x_wp' | fastforce)+ done lemma createNewCaps_descendants_range': "\\s. descendants_range' p q (ctes_of s) \ range_cover ptr sz (APIType_capBits ty us) n \ n \ 0 \ pspace_aligned' s \ pspace_distinct' s \ pspace_no_overlap' ptr sz s\ createNewCaps ty ptr n us \ \rv s. descendants_range' p q (ctes_of s)\" apply (clarsimp simp:descendants_range'_def2 descendants_range_in'_def2) apply (wp createNewCaps_null_filter') apply fastforce done lemma caps_overlap_reserved'_def2: "caps_overlap_reserved' S = (\s. (\cte \ ran (null_filter' (ctes_of s)). isUntypedCap (cteCap cte) \ usableUntypedRange (cteCap cte) \ S = {}))" apply (rule ext) apply (clarsimp simp:caps_overlap_reserved'_def) apply (intro iffI ballI impI) apply (elim ballE impE) apply simp apply simp apply (simp add:ran_def null_filter'_def split:split_if_asm option.splits) apply (elim ballE impE) apply simp apply simp apply (clarsimp simp: ran_def null_filter'_def is_cap_simps simp del: split_paired_All split_paired_Ex split: if_splits) apply (drule_tac x = a in spec) apply simp done lemma createNewCaps_caps_overlap_reserved': "\\s. caps_overlap_reserved' S s \ pspace_aligned' s \ pspace_distinct' s \ pspace_no_overlap' ptr sz s \ 0 < n \ range_cover ptr sz (APIType_capBits ty us) n\ createNewCaps ty ptr n us \\rv s. caps_overlap_reserved' S s\" apply (clarsimp simp: caps_overlap_reserved'_def2) apply (wp createNewCaps_null_filter') apply fastforce done lemma createNewCaps_caps_overlap_reserved_ret': "\\s. caps_overlap_reserved' {ptr..ptr + of_nat n * 2 ^ APIType_capBits ty us - 1} s \ pspace_aligned' s \ pspace_distinct' s \ pspace_no_overlap' ptr sz s \ 0 < n \ range_cover ptr sz (APIType_capBits ty us) n\ createNewCaps ty ptr n us \\rv s. \y\set rv. caps_overlap_reserved' (capRange y) s\" apply (rule hoare_name_pre_state) apply (clarsimp simp:valid_def) apply (frule use_valid[OF _ createNewCaps_range_helper]) apply fastforce apply clarsimp apply (erule use_valid[OF _ createNewCaps_caps_overlap_reserved']) apply (intro conjI,simp_all) apply (erule caps_overlap_reserved'_subseteq) apply (drule(1) range_cover_subset) apply simp apply (clarsimp simp: ptr_add_def capRange_def simp del: atLeastAtMost_iff atLeastatMost_subset_iff atLeastLessThan_iff Int_atLeastAtMost atLeastatMost_empty_iff) done lemma createNewCaps_descendants_range_ret': "\\s. (range_cover ptr sz (APIType_capBits ty us) n \ 0 < n) \ pspace_aligned' s \ pspace_distinct' s \ pspace_no_overlap' ptr sz s \ descendants_range_in' {ptr..ptr + of_nat n * 2^(APIType_capBits ty us) - 1} cref (ctes_of s)\ createNewCaps ty ptr n us \ \rv s. \y\set rv. descendants_range' y cref (ctes_of s)\" apply (rule hoare_name_pre_state) apply (clarsimp simp: valid_def) apply (frule use_valid[OF _ createNewCaps_range_helper]) apply simp apply (erule use_valid[OF _ createNewCaps_descendants_range']) apply (intro conjI,simp_all) apply (clarsimp simp:descendants_range'_def descendants_range_in'_def) apply (drule(1) bspec)+ apply (clarsimp simp:cte_wp_at_ctes_of) apply (erule disjoint_subset2[rotated]) apply (drule(1) range_cover_subset) apply simp apply (simp add:capRange_def ptr_add_def) done lemma createNewCaps_not_parents: "\\s. (\cap \ ran (cteCaps_of s). \ sameRegionAs (UntypedCap ptr_base sz idx) cap) \ pspace_no_overlap' ptr sz s \ pspace_aligned' s \ pspace_distinct' s \ 0 < n \ range_cover ptr sz (APIType_capBits ty us) n \ ptr_base = ptr && ~~ mask sz\ createNewCaps ty ptr n us \\rv s. \cap \ ran (cteCaps_of s). \tup \ set (zip xs rv). \ sameRegionAs (snd tup) cap\" apply (rule_tac Q="\rv s. (\y\set rv. sameRegionAs (UntypedCap ptr_base sz idx) y) \ (\p. \ cte_wp_at' (sameRegionAs (UntypedCap ptr_base sz idx) \ cteCap) p s)" in hoare_post_imp) apply (clarsimp dest!: set_zip_helper) apply (drule(1) bspec)+ apply (drule(1) sameRegionAs_trans) apply (erule ranE) apply (clarsimp simp: tree_cte_cteCap_eq) apply (erule_tac x=x in allE) apply simp apply (wp createNewCaps_children hoare_vcg_all_lift createNewCaps_cte_wp_at2) apply (clarsimp simp: tree_cte_cteCap_eq simp del: o_apply) apply (rule conjI) apply (clarsimp split: option.splits) apply (erule notE[rotated], erule bspec, erule ranI) apply (simp add: makeObject_cte) apply fastforce done lemma createObjects_distinct: "\\s. 0 range_cover ptr sz ((objBitsKO (injectKO obj)) + us) n\ createObjects ptr n obj us \\rv s. distinct_prop op \ rv\" apply (simp add: createObjects_def unless_def alignError_def split_def lookupAround2_pspace_no createObjects'_def cong: if_cong split del: split_if) apply (wp | simp only: o_def)+ apply (clarsimp simp: upto_enum_def distinct_prop_map simp del: upt_Suc) apply (rule distinct_prop_distinct) apply simp apply (clarsimp simp: unat_minus_one) apply (subgoal_tac "x<2^word_bits") prefer 2 apply (rule range_cover.range_cover_le_n_less(1) [where 'a=32, folded word_bits_def], assumption) apply (drule unat_of_nat_minus_1[OF range_cover.range_cover_n_less(1),where 'a=32, folded word_bits_def]) apply simp apply arith apply (subgoal_tac "y< 2^word_bits") prefer 2 apply (rule range_cover.range_cover_le_n_less(1) [where 'a=32, folded word_bits_def],assumption) apply (drule unat_of_nat_minus_1[OF range_cover.range_cover_n_less(1)]) apply simp apply arith apply (subst(asm) toEnum_of_nat) apply (simp add:word_bits_def) apply (subst(asm) toEnum_of_nat) apply (simp add:word_bits_def) apply (drule_tac f = "\x. x >> (objBitsKO (injectKOS obj) + us)" and x= "x << l" for x l in arg_cong) apply (subst (asm) shiftl_shiftr_id) apply (simp add:range_cover_def) apply (rule of_nat_power[OF range_cover.range_cover_le_n_less(2)]) apply assumption apply (drule unat_of_nat_minus_1[OF range_cover.range_cover_n_less(1)]) apply simp apply arith apply (simp add:word_bits_def objBitsKO_bounded_low) apply (subst (asm) shiftl_shiftr_id) apply (simp add:range_cover_def) apply (rule of_nat_power[OF range_cover.range_cover_le_n_less(2)]) apply assumption apply (drule unat_of_nat_minus_1[OF range_cover.range_cover_n_less(1)]) apply simp apply arith apply (simp add:word_bits_def objBitsKO_bounded_low) apply (simp add:of_nat_inj32) done lemma createNewCaps_distinct: "\K (range_cover ptr sz (APIType_capBits ty us) n \ 0 < n)\ createNewCaps ty ptr n us \\rv s. distinct_prop (\x y. \ RetypeDecls_H.sameRegionAs x y \ \ RetypeDecls_H.sameRegionAs y x) (map snd (zip xs rv))\" apply (rule hoare_gen_asm[where P'=\, simplified pred_and_true_var]) apply (rule hoare_strengthen_post) apply (rule hoare_pre) apply (rule hoare_vcg_conj_lift) apply (rule createNewCaps_range_helper) apply (rule createNewCaps_children) apply fastforce apply clarsimp apply (rule distinct_prop_prefixE [OF _ map_snd_zip_prefix [unfolded less_eq_list_def]]) apply (simp add: distinct_prop_map) apply (rule distinct_prop_distinct) apply simp apply clarsimp apply (subgoal_tac "capRange (capfn (ptr_add ptr (x * 2^APIType_capBits ty us))) \ capRange (capfn (ptr_add ptr (y * 2 ^ APIType_capBits ty us))) = {}") apply (subgoal_tac "\x < n. capAligned (capfn (ptr_add ptr (x * 2 ^ APIType_capBits ty us)))") apply (rule conjI) apply (rule notI, drule sameRegionAs_capRange_Int, simp+) apply (simp add: Int_commute) apply (rule notI, drule sameRegionAs_capRange_Int, simp+) apply (clarsimp simp: capAligned_def ptr_add_def word_unat_power[symmetric] dest!: less_two_pow_divD) apply (intro conjI) apply (rule is_aligned_add_multI [OF _ le_refl refl]) apply ((simp add:range_cover_def word_bits_def)+)[2] apply (simp add: capRange_def del: Int_atLeastAtMost) apply (rule aligned_neq_into_no_overlap[simplified field_simps]) apply (rule notI) apply (erule(3) ptr_add_distinct_helper) apply (simp add:range_cover_def word_bits_def) apply (erule range_cover.range_cover_n_le(1) [where 'a=32, folded word_bits_def]) apply (clarsimp simp: ptr_add_def word_unat_power[symmetric]) apply (rule is_aligned_add_multI[OF _ le_refl refl]) apply (simp add:range_cover_def) apply (simp add:range_cover_def) apply (clarsimp simp: ptr_add_def word_unat_power[symmetric]) apply (rule is_aligned_add_multI[OF _ le_refl refl]) apply (simp add:range_cover_def)+ done lemma getCTE_Ex_valid: "\valid_pspace'\ getCTE p \\rv s. \s'. s' \' cteCap rv\" apply (rule hoare_pre) apply (rule hoare_strengthen_post [OF getCTE_valid_cap']) apply fastforce apply (clarsimp simp: valid_pspace'_def) done lemma createNewCaps_parent_helper: "\\s. cte_wp_at' (\cte. cteCap cte = UntypedCap ptr_base sz idx) p s \ pspace_aligned' s \ pspace_distinct' s \ pspace_no_overlap' ptr sz s \ (ty = APIObjectType ArchTypes_H.CapTableObject \ 0 < us) \ range_cover ptr sz (APIType_capBits ty us) n \ 0 < n \ ptr_base = ptr && ~~ mask sz \ createNewCaps ty ptr n us \\rv. cte_wp_at' (\cte. isUntypedCap (cteCap cte) \ (\tup\set (zip (xs rv) rv). sameRegionAs (cteCap cte) (snd tup))) p\" apply (rule hoare_post_imp [where Q="\rv s. \cte. cte_wp_at' (op = cte) p s \ isUntypedCap (cteCap cte) \ (\tup\set (zip (xs rv) rv). sameRegionAs (cteCap cte) (snd tup))"]) apply (clarsimp elim!: cte_wp_at_weakenE') apply (rule hoare_pre) apply (wp hoare_vcg_ex_lift createNewCaps_cte_wp_at' set_tuple_pick createNewCaps_children) apply (auto simp:cte_wp_at'_def isCap_simps) done lemma createNewCaps_valid_cap': "\\s. pspace_no_overlap' ptr sz s \ valid_pspace' s \ n \ 0 \ range_cover ptr sz (APIType_capBits ty us) n \ (ty = APIObjectType ArchTypes_H.CapTableObject \ 0 < us) \ (ty = APIObjectType ArchTypes_H.apiobject_type.Untyped \ 4\ us \ us \ 30) \ ptr \ 0 \ createNewCaps ty ptr n us \\r s. \cap\set r. s \' cap\" apply (rule hoare_assume_pre) apply clarsimp apply (erule createNewCaps_valid_cap) apply simp+ done lemma dmo_ctes_of[wp]: "\\s. P (ctes_of s)\ doMachineOp mop \\rv s. P (ctes_of s)\" by (simp add: doMachineOp_def split_def | wp select_wp)+ lemma createNewCaps_ranges: "\\s. range_cover ptr sz (APIType_capBits ty us) n \ 0 createNewCaps ty ptr n us \\rv s. distinct_sets (map capRange rv)\" apply (rule hoare_assume_pre) apply (rule hoare_chain) apply (rule createNewCaps_range_helper) apply fastforce apply (clarsimp simp: distinct_sets_prop distinct_prop_map) apply (rule distinct_prop_distinct) apply simp apply (clarsimp simp: capRange_def simp del: Int_atLeastAtMost dest!: less_two_pow_divD) apply (rule aligned_neq_into_no_overlap[simplified field_simps]) apply (rule notI) apply (erule(3) ptr_add_distinct_helper) apply (simp add:range_cover_def word_bits_def) apply (erule range_cover.range_cover_n_le(1) [where 'a=32, folded word_bits_def]) apply (clarsimp simp: ptr_add_def word_unat_power[symmetric]) apply (rule is_aligned_add_multI[OF _ le_refl refl]) apply (simp add:range_cover_def)+ apply (clarsimp simp: ptr_add_def word_unat_power[symmetric]) apply (rule is_aligned_add_multI[OF _ le_refl refl]) apply (simp add:range_cover_def)+ done lemma createNewCaps_ranges': "\\s. range_cover ptr sz (APIType_capBits ty us) n \ 0 < n\ createNewCaps ty ptr n us \\rv s. distinct_sets (map capRange (map snd (zip xs rv)))\" apply (rule hoare_strengthen_post) apply (rule createNewCaps_ranges) apply (simp add: distinct_sets_prop del: map_map) apply (erule distinct_prop_prefixE) apply (rule map_prefixeqI) apply (rule map_snd_zip_prefix [unfolded less_eq_list_def]) done lemmas corres_split_retype_createNewCaps = corres_split [OF _ corres_retype_region_createNewCaps, simplified bind_assoc, simplified] crunch cte_wp_at[wp]: do_machine_op "\s. P (cte_wp_at P' p s)" lemma retype_region_caps_overlap_reserved: "\valid_pspace and valid_mdb and pspace_no_overlap ptr sz and caps_no_overlap ptr sz and caps_overlap_reserved {ptr..ptr + of_nat n * 2^obj_bits_api (APIType_map2 (Inr ao')) us - 1} and K (APIType_map2 (Inr ao') = Invariants_AI.CapTableObject \ 0 < us) and K (range_cover ptr sz (obj_bits_api (APIType_map2 (Inr ao')) us) n) and K (S \ {ptr..ptr + of_nat n * 2 ^ obj_bits_api (APIType_map2 (Inr ao')) us - 1})\ retype_region ptr n us (APIType_map2 (Inr ao')) \\rv s. caps_overlap_reserved S s\" apply (rule hoare_gen_asm)+ apply (simp (no_asm) add:caps_overlap_reserved_def2) apply (rule hoare_pre) apply (wp retype_region_caps_of) apply simp+ apply (simp add:caps_overlap_reserved_def2) apply (intro conjI,simp+) apply clarsimp apply (drule bspec) apply simp+ apply (erule(1) disjoint_subset2) done lemma retype_region_caps_overlap_reserved_ret: "\valid_pspace and valid_mdb and caps_no_overlap ptr sz and pspace_no_overlap ptr sz and caps_overlap_reserved {ptr..ptr + of_nat n * 2^obj_bits_api (APIType_map2 (Inr ao')) us - 1} and K (APIType_map2 (Inr ao') = Invariants_AI.CapTableObject \ 0 < us) and K (range_cover ptr sz (obj_bits_api (APIType_map2 (Inr ao')) us) n)\ retype_region ptr n us (APIType_map2 (Inr ao')) \\rv s. \y\set rv. caps_overlap_reserved (untyped_range (default_cap (APIType_map2 (Inr ao')) y us)) s\" apply (rule hoare_name_pre_state) apply (clarsimp simp:valid_def) apply (frule retype_region_ret[unfolded valid_def,simplified,THEN spec,THEN bspec]) apply clarsimp apply (erule use_valid[OF _ retype_region_caps_overlap_reserved]) apply clarsimp apply (intro conjI,simp_all) apply (case_tac ao') apply (simp_all add:APIType_map2_def) apply (rename_tac apiobject_type) apply (case_tac apiobject_type) apply (simp_all add:obj_bits_api_def ptr_add_def) apply (drule(1) range_cover_subset) apply clarsimp+ done lemma getObjectSize_def_eq: "Types_H.getObjectSize va us = obj_bits_api (APIType_map2 (Inr va)) us" apply (case_tac va) apply (rename_tac apiobject_type) apply (case_tac apiobject_type) apply (clarsimp simp: getObjectSize_def apiGetObjectSize_def APIType_map2_def ArchTypes_H.getObjectSize_def obj_bits_api_def tcbBlockSizeBits_def epSizeBits_def ntfnSizeBits_def cteSizeBits_def slot_bits_def arch_kobj_size_def default_arch_object_def ptBits_def pageBits_def pdBits_def)+ done lemma updateFreeIndex_pspace_no_overlap': "\\s. pspace_no_overlap' ptr sz s \ valid_pspace' s \ cte_wp_at' (\c. cteCap c = cap) src s\ updateCap src (capFreeIndex_update (\_. index) cap) \\r s. pspace_no_overlap' ptr sz s\" apply (rule hoare_pre) apply (wp pspace_no_overlap'_lift) apply (clarsimp simp:valid_pspace'_def) done lemma updateFreeIndex_caps_overlap_reserved': "\\s. invs' s \ S \ untypedRange cap \ usableUntypedRange (capFreeIndex_update (\_. index) cap) \ S = {} \ isUntypedCap cap \ descendants_range_in' S src (ctes_of s) \ cte_wp_at' (\c. cteCap c = cap) src s\ updateCap src (capFreeIndex_update (\_. index) cap) \\r s. caps_overlap_reserved' S s\" apply (clarsimp simp:caps_overlap_reserved'_def) apply (wp updateCap_ctes_of_wp) apply (clarsimp simp:modify_map_def cte_wp_at_ctes_of) apply (erule ranE) apply (frule invs_mdb') apply (clarsimp split:split_if_asm simp:valid_mdb'_def valid_mdb_ctes_def) apply (case_tac cte) apply (case_tac ctea) apply simp apply (drule untyped_incD') apply (simp+)[4] apply clarify apply (erule subset_splitE) apply (simp del:usable_untyped_range.simps) apply (thin_tac "P \ Q" for P Q)+ apply (elim conjE) apply blast apply (simp) apply (thin_tac "P\Q" for P Q)+ apply (elim conjE) apply (drule(2) descendants_range_inD') apply simp apply (rule disjoint_subset[OF usableRange_subseteq]) apply (rule valid_capAligned) apply (erule(1) ctes_of_valid_cap'[OF _ invs_valid_objs']) apply (simp add:untypedCapRange)+ apply (elim disjE) apply clarsimp apply (drule(2) descendants_range_inD') apply simp apply (rule disjoint_subset[OF usableRange_subseteq]) apply (rule valid_capAligned) apply (erule(1) ctes_of_valid_cap'[OF _ invs_valid_objs']) apply (simp add:untypedCapRange)+ apply (thin_tac "P\Q" for P Q)+ apply (rule disjoint_subset[OF usableRange_subseteq]) apply (rule valid_capAligned) apply (erule(1) ctes_of_valid_cap'[OF _ invs_valid_objs']) apply simp+ apply blast done lemma updateFreeIndex_caps_no_overlap'': "\\s. isUntypedCap cap \ caps_no_overlap'' ptr sz s \ cte_wp_at' (\c. cteCap c = cap) src s\ updateCap src (capFreeIndex_update (\_. index) cap) \\r s. caps_no_overlap'' ptr sz s\" apply (clarsimp simp:caps_no_overlap''_def) apply (wp updateCap_ctes_of_wp) apply (clarsimp simp: modify_map_def ran_def cte_wp_at_ctes_of simp del: atLeastAtMost_iff atLeastatMost_subset_iff atLeastLessThan_iff Int_atLeastAtMost atLeastatMost_empty_iff split_paired_Ex) apply (case_tac "a = src") apply (clarsimp simp del: atLeastAtMost_iff atLeastatMost_subset_iff atLeastLessThan_iff Int_atLeastAtMost atLeastatMost_empty_iff split_paired_Ex) apply (erule subsetD[rotated]) apply (elim allE impE) apply fastforce apply (clarsimp simp:isCap_simps) apply (erule subset_trans) apply (clarsimp simp:isCap_simps) apply (clarsimp simp del: atLeastAtMost_iff atLeastatMost_subset_iff atLeastLessThan_iff Int_atLeastAtMost atLeastatMost_empty_iff split_paired_Ex) apply (erule subsetD[rotated]) apply (elim allE impE) prefer 2 apply assumption apply fastforce+ done lemma updateCap_ct_active': "\ct_active'\ updateCap slot newCap \\_. ct_active'\" apply (simp add: updateCap_def ct_in_state'_def) apply wp apply (wps setCTE_ct) apply (wp setCTE_pred_tcb_at') done (* FIXME: move to CSpace_R *) lemma mdb_preserve_refl: "mdb_inv_preserve m m" by (simp add:mdb_inv_preserve_def) (* FIXME: move to CSpace_R *) lemma mdb_preserve_sym: "mdb_inv_preserve m m' \ mdb_inv_preserve m' m" by (simp add:mdb_inv_preserve_def) lemma updateFreeIndex_descendants_of': "\\s. cte_wp_at' (\c. cteCap c = cap) ptr s \ isUntypedCap cap \ P ((swp descendants_of') (null_filter' (ctes_of s)))\ updateCap ptr (capFreeIndex_update (\_. index) cap) \\r s. P ((swp descendants_of') (null_filter' (ctes_of s)))\" apply (wp updateCap_ctes_of_wp) apply clarsimp apply (erule subst[rotated,where P = P]) apply (rule ext) apply (clarsimp simp:null_filter_descendants_of'[OF null_filter_simp']) apply (rule mdb_inv_preserve.descendants_of) apply (clarsimp simp:cte_wp_at_ctes_of) apply (erule(1) mdb_inv_preserve_updateCap) done lemma updateFreeIndex_descendants_range_in': "\\s. cte_wp_at' (\c. cteCap c = cap) slot s \ isUntypedCap cap \ descendants_range_in' S slot (ctes_of s)\ updateCap slot (capFreeIndex_update (\_. index) cap) \\r s. descendants_range_in' S slot (ctes_of s)\" apply (rule hoare_pre) apply (wp descendants_range_in_lift' [where Q'="\s. cte_wp_at' (\c. cteCap c = cap) slot s \ isUntypedCap cap" and Q = "\s. cte_wp_at' (\c. cteCap c = cap) slot s \ isUntypedCap cap "] ) apply (wp updateFreeIndex_descendants_of') apply (elim conjE) apply (intro conjI,assumption+) apply clarsimp apply (simp add:updateCap_def) apply (wp setCTE_weak_cte_wp_at getCTE_wp) apply (fastforce simp:cte_wp_at_ctes_of isCap_simps) apply (clarsimp) done lemma caps_no_overlap''_def2: "caps_no_overlap'' ptr sz = (\s. \cte\ran (null_filter' (ctes_of s)). untypedRange (cteCap cte) \ {ptr..(ptr && ~~ mask sz) + 2 ^ sz - 1} \ {} \ {ptr..(ptr && ~~ mask sz) + 2 ^ sz - 1} \ untypedRange (cteCap cte))" apply (intro ext iffI) apply (clarsimp simp:caps_no_overlap''_def null_filter'_def ran_def) apply (drule_tac x = cte in spec) apply fastforce apply (clarsimp simp:caps_no_overlap''_def null_filter'_def) apply (case_tac "cte = CTE capability.NullCap nullMDBNode") apply clarsimp apply (drule_tac x = cte in bspec) apply (clarsimp simp:ran_def) apply (rule_tac x= a in exI) apply clarsimp apply clarsimp apply (erule subsetD) apply simp done lemma caps_no_overlapI'': "\cte_wp_at' (\c. cteCap c = capability.UntypedCap ptr_base sz idx) slot s; valid_pspace' s;idx < 2^sz;ptr = ptr_base + of_nat idx\ \ caps_no_overlap'' ptr sz s" apply (unfold caps_no_overlap''_def) apply (intro ballI impI) apply (erule ranE) apply (subgoal_tac "isUntypedCap (cteCap cte)") apply (clarsimp simp:cte_wp_at_ctes_of simp del: atLeastAtMost_iff atLeastatMost_subset_iff atLeastLessThan_iff Int_atLeastAtMost atLeastatMost_empty_iff ) apply (case_tac cte,case_tac ctea) apply clarify apply (drule untyped_incD') apply (simp add:isCap_simps)+ apply (clarsimp simp:valid_pspace'_def valid_mdb'_def valid_mdb_ctes_def) apply (clarsimp simp:cte_wp_at_ctes_of valid_pspace'_def valid_cap'_def capAligned_def of_nat_less_pow is_aligned_add_helper simp del: atLeastAtMost_iff atLeastatMost_subset_iff atLeastLessThan_iff Int_atLeastAtMost atLeastatMost_empty_iff dest!:ctes_of_valid_cap') apply (erule subset_splitE) apply (simp del:atLeastAtMost_iff atLeastatMost_subset_iff atLeastLessThan_iff Int_atLeastAtMost atLeastatMost_empty_iff)+ apply (erule subsetD[OF psubset_imp_subset]) apply (erule subsetD[rotated]) apply clarsimp apply (erule is_aligned_no_wrap') apply (simp add:of_nat_less_pow) apply (simp del:atLeastAtMost_iff atLeastatMost_subset_iff atLeastLessThan_iff Int_atLeastAtMost atLeastatMost_empty_iff)+ apply (erule subsetD[rotated]) apply clarsimp apply (erule is_aligned_no_wrap') apply (simp add:of_nat_less_pow) apply (thin_tac "P \ Q" for P Q)+ apply (drule disjoint_subset2[rotated,where B'="{ptr_base + of_nat idx..ptr_base + 2 ^ sz - 1}"]) apply clarsimp apply (erule is_aligned_no_wrap') apply (simp add:of_nat_less_pow) apply simp apply (case_tac "cteCap cte") apply (simp_all add:isCap_simps) done lemma caps_no_overlap'_def2: "caps_no_overlap' = (\ms S. \p c. (\n. (null_filter' ms) p = Some (CTE c n)) \ capRange c \ S = {})" apply (intro iffI ext allI) apply (clarsimp simp:caps_no_overlap'_def null_filter'_def dest!:bspec split:if_splits)+ apply (drule_tac x = p in spec) apply auto done lemma deleteObjects_caps_no_overlap'': "\\s. invs' s \ ct_active' s \ sch_act_simple s \ cte_wp_at' (\c. cteCap c = capability.UntypedCap ptr sz idx) slot s \ caps_no_overlap'' ptr sz s \ descendants_range' (capability.UntypedCap ptr sz idx) slot (ctes_of s)\ deleteObjects ptr sz \\rv s. caps_no_overlap'' ptr sz s\" apply (rule hoare_name_pre_state) apply (clarsimp split:if_splits) apply (clarsimp simp:caps_no_overlap''_def2 deleteObjects_def2 capAligned_def valid_cap'_def dest!:ctes_of_valid_cap') apply (wp deleteObjects_null_filter[where idx = idx and p = slot]) apply (clarsimp simp:cte_wp_at_ctes_of invs_def) apply (case_tac cte) apply clarsimp apply (frule ctes_of_valid_cap') apply (simp add:invs_valid_objs') apply (simp add:valid_cap'_def capAligned_def) done lemma descendants_range_in_subseteq': "\descendants_range_in' A p ms ;B\ A\ \ descendants_range_in' B p ms" by (auto simp:descendants_range_in'_def cte_wp_at_ctes_of dest!:bspec) lemma deleteObjects_caps_overlap_reserved': "\\s. valid_pspace' s \ cte_wp_at' (\c. cteCap c = capability.UntypedCap ptr sz idx) slot s \ caps_overlap_reserved' S s\ deleteObjects ptr sz \\rv s. caps_overlap_reserved' S s\" apply (rule hoare_name_pre_state) apply (clarsimp simp: cte_wp_at_ctes_of valid_pspace'_def isCap_simps capAligned_def) apply (case_tac cte) apply (clarsimp simp: caps_no_overlap''_def deleteObjects_def2 capAligned_def valid_cap'_def dest!: ctes_of_valid_cap') apply (wp hoare_drop_imps)+ apply (rule_tac Q = "\r. caps_overlap_reserved' S and pspace_distinct' and Q" for Q in hoare_strengthen_post) prefer 2 apply (cut_tac s = sa in map_to_ctes_delete[where base = ptr and magnitude = sz and idx = idx]) apply clarsimp apply assumption apply simp apply (simp add:valid_cap'_def capAligned_def p_assoc_help caps_overlap_reserved'_def)+ apply (intro ballI) apply (erule ranE) apply (fastforce split:if_splits) apply (clarsimp simp:caps_overlap_reserved'_def2) apply wp apply (clarsimp simp:caps_overlap_reserved'_def2 valid_cap'_def capAligned_def)+ done lemma updateFreeIndex_mdb_simple': "\\s. descendants_range_in' (capRange cap) src (ctes_of s) \ pspace_no_overlap' (capPtr cap) (capBlockSize cap) s \ valid_pspace' s \ cte_wp_at' (\c. cteCap c = cap) src s \ isUntypedCap cap\ updateCap src (capFreeIndex_update (\_. idx) cap) \\rv. valid_mdb'\" apply (clarsimp simp:valid_mdb'_def updateCap_def valid_pspace'_def) apply (wp getCTE_wp) apply (clarsimp simp:cte_wp_at_ctes_of simp del:fun_upd_apply) apply (subgoal_tac "mdb_inv_preserve (ctes_of s) (ctes_of s(src \ cteCap_update (\_. capFreeIndex_update (\_. idx) (cteCap cte)) cte))") prefer 2 apply (frule mdb_inv_preserve_updateCap) apply (simp add: modify_map_apply)+ apply (clarsimp simp:valid_mdb_ctes_def mdb_inv_preserve.preserve_stuff mdb_inv_preserve.by_products) apply (clarsimp simp:isCap_simps) proof - fix s cte v0 v1 f assume descendants_range: "descendants_range_in' {v0..v0 + 2 ^ v1 - 1} src (ctes_of s)" and cte_wp_at' :"ctes_of s src = Some cte" "cteCap cte = capability.UntypedCap v0 v1 f" and unt_inc' :"untyped_inc' (ctes_of s)" and valid_objs' :"valid_objs' s" have descendants_of_simp: "\p. descendants_of' p (ctes_of s(src \ cteCap_update (\_. capability.UntypedCap v0 v1 idx) cte)) = descendants_of' p (ctes_of s)" using cte_wp_at' apply - apply (drule updateUntypedCap_descendants_of) apply (clarsimp simp:isCap_simps)+ apply simp done note drangeD = descendants_range_inD'[OF descendants_range] note valid_capD = ctes_of_valid_cap'[OF _ valid_objs'] note blah[simp del] = usableUntypedRange.simps atLeastAtMost_iff atLeastatMost_subset_iff atLeastLessThan_iff Int_atLeastAtMost atLeastatMost_empty_iff split_paired_Ex order_class.Icc_eq_Icc show "untyped_inc' (ctes_of s(src \ cteCap_update (\_. capability.UntypedCap v0 v1 idx) cte))" using unt_inc' cte_wp_at' apply (clarsimp simp:untyped_inc'_def descendants_of_simp) apply (case_tac cte) apply clarsimp apply (intro conjI) apply clarsimp apply (drule_tac x = src in spec) apply (drule_tac x = p' in spec) apply (clarsimp simp: isCap_simps) apply (intro conjI impI) apply simp apply (elim conjE) apply (thin_tac "P\Q" for P Q)+ apply (drule(1) drangeD) apply (drule valid_capAligned[OF valid_capD])+ apply (drule aligned_untypedRange_non_empty,simp add:isCap_simps)+ apply simp apply blast apply clarsimp apply (drule(1) drangeD) apply (drule valid_capAligned[OF valid_capD])+ apply (drule aligned_untypedRange_non_empty,simp add:isCap_simps)+ apply simp apply clarsimp apply (drule_tac x = src in spec) apply (drule_tac x = p in spec) apply (clarsimp simp:isCap_simps) apply (intro conjI impI) apply (elim disjE) apply (simp add:Int_ac)+ apply (thin_tac "P\Q" for P Q)+ apply (elim conjE) apply (drule(1) drangeD) apply (drule valid_capAligned[OF valid_capD])+ apply (drule aligned_untypedRange_non_empty,simp add:isCap_simps)+ apply simp apply blast apply simp apply (elim disjE conjE,simp_all) apply (drule(1) drangeD) apply (drule valid_capAligned[OF valid_capD])+ apply (drule aligned_untypedRange_non_empty,simp add:isCap_simps)+ apply simp done qed lemma updateFreeIndex_pspace_simple': "\\s. descendants_range_in' (capRange cap) src (ctes_of s) \ pspace_no_overlap' (capPtr cap) (capBlockSize cap) s \ valid_pspace' s \ cte_wp_at' (\c. cteCap c = cap) src s \ isUntypedCap cap \ is_aligned (of_nat idx :: word32) 4 \ idx \ 2 ^ (capBlockSize cap)\ updateCap src (capFreeIndex_update (\_. idx) cap) \\r s. valid_pspace' s\" apply (clarsimp simp:valid_pspace'_def) apply (rule hoare_pre) apply (rule hoare_vcg_conj_lift) apply (clarsimp simp:updateCap_def) apply (wp getCTE_wp) apply (wp updateFreeIndex_mdb_simple') apply (simp)+ apply (clarsimp simp:cte_wp_at_ctes_of valid_pspace'_def) apply (case_tac cte,simp add:isCap_simps) apply (frule(1) ctes_of_valid_cap') apply (clarsimp simp:valid_cap'_def capAligned_def valid_untyped'_def simp del:atLeastAtMost_iff atLeastatMost_subset_iff atLeastLessThan_iff Int_atLeastAtMost atLeastatMost_empty_iff usableUntypedRange.simps split del:if_splits) apply (drule_tac x = ptr' in spec) apply (clarsimp simp:ko_wp_at'_def valid_mdb'_def obj_range'_def valid_mdb_ctes_def simp del:atLeastAtMost_iff atLeastatMost_subset_iff atLeastLessThan_iff Int_atLeastAtMost atLeastatMost_empty_iff usableUntypedRange.simps split del:if_splits) apply (drule(1) pspace_no_overlapD') apply (cut_tac c' = "capability.UntypedCap v0 v1 idx" in usableRange_subseteq) apply (simp add:capAligned_def) apply (simp add:isCap_simps) apply (clarsimp simp:ko_wp_at'_def valid_mdb'_def is_aligned_neg_mask is_aligned_neg_mask_eq simp del:atLeastAtMost_iff atLeastatMost_subset_iff atLeastLessThan_iff Int_atLeastAtMost atLeastatMost_empty_iff usableUntypedRange.simps) apply blast done lemma updateCap_vms'[wp]: "\valid_machine_state'\ updateCap src cap' \\rv s. valid_machine_state' s\" by (clarsimp simp:updateCap_def,wp) (* FIXME: move *) lemma setCTE_tcbDomain_inv[wp]: "\obj_at' (\tcb. P (tcbState tcb)) t\ setCTE ptr v \\_. obj_at' (\tcb. P (tcbState tcb)) t\" apply (simp add: setCTE_def) apply (rule setObject_cte_obj_at_tcb', simp_all) done (* FIXME: move *) crunch tcbState_inv[wp]: cteInsert "obj_at' (\tcb. P (tcbState tcb)) t" (wp: crunch_simps hoare_drop_imps) lemma updateCap_ct_idle_or_in_cur_domain'[wp]: "\ct_idle_or_in_cur_domain' and ct_active'\ updateCap src cap \\_. ct_idle_or_in_cur_domain'\" apply (wp ct_idle_or_in_cur_domain'_lift_futz[where Q=\]) apply (rule_tac Q="\_. obj_at' (\tcb. tcbState tcb \ Structures_H.thread_state.Inactive) t and obj_at' (\tcb. d = tcbDomain tcb) t" in hoare_strengthen_post) apply (wp | clarsimp elim: obj_at'_weakenE)+ apply (auto simp: obj_at'_def) done lemma updateFreeIndex_invs_simple': "\\s. ct_active' s \ descendants_range_in' (capRange cap) src (ctes_of s) \ pspace_no_overlap' (capPtr cap) (capBlockSize cap) s \ invs' s \ cte_wp_at' (\c. cteCap c = cap) src s \ isUntypedCap cap \ is_aligned (of_nat index :: word32) 4 \ index \ 2 ^ capBlockSize cap\ updateCap src (capFreeIndex_update (\_. index) cap) \\r s. invs' s\" apply (clarsimp simp:invs'_def valid_state'_def ) apply (wp updateFreeIndex_pspace_simple' sch_act_wf_lift valid_queues_lift updateCap_iflive' tcb_in_cur_domain'_lift) apply (rule hoare_pre) apply (rule hoare_vcg_conj_lift) apply (simp add: ifunsafe'_def3 cteInsert_def setUntypedCapAsFull_def split del: split_if) apply (wp getCTE_wp) apply (rule hoare_vcg_conj_lift) apply (simp add:updateCap_def) apply wp apply (wp valid_irq_node_lift) apply (rule hoare_vcg_conj_lift) apply (simp add:updateCap_def) apply (wp setCTE_irq_handlers' getCTE_wp) apply (wp irqs_masked_lift valid_queues_lift' cur_tcb_lift) apply (clarsimp simp:cte_wp_at_ctes_of) apply (intro conjI allI impI) apply (clarsimp simp: modify_map_def cteCaps_of_def ifunsafe'_def3 split:if_splits) apply (drule_tac x=src in spec) apply (clarsimp simp:isCap_simps) apply (rule_tac x = cref' in exI) apply clarsimp apply (drule_tac x = cref in spec) apply clarsimp apply (rule_tac x = cref' in exI) apply clarsimp apply (drule(1) valid_global_refsD_with_objSize) apply (clarsimp simp: isCap_simps) apply (drule(1) valid_global_refsD_with_objSize) apply (clarsimp simp:isCap_simps cte_wp_at_ctes_of)+ done lemma cte_wp_at_pspace_no_overlapI': "\invs' s; cte_wp_at' (\c. cteCap c = capability.UntypedCap (ptr && ~~ mask sz) sz idx) cref s; idx \ unat (ptr && mask sz); sz < word_bits\ \ pspace_no_overlap' ptr sz s" apply (clarsimp simp:cte_wp_at_ctes_of) apply (case_tac cte,clarsimp) apply (frule ctes_of_valid_cap') apply (simp add:invs_valid_objs') apply (clarsimp simp:valid_cap'_def invs'_def valid_state'_def valid_pspace'_def valid_untyped'_def simp del:usableUntypedRange.simps) apply (unfold pspace_no_overlap'_def) apply (intro allI impI) apply (unfold ko_wp_at'_def) apply (clarsimp simp del: atLeastAtMost_iff atLeastatMost_subset_iff atLeastLessThan_iff Int_atLeastAtMost atLeastatMost_empty_iff usableUntypedRange.simps) apply (drule spec)+ apply (frule(1) pspace_distinctD') apply (frule(1) pspace_alignedD') apply (erule(1) impE)+ apply (clarsimp simp: obj_range'_def simp del: atLeastAtMost_iff atLeastatMost_subset_iff atLeastLessThan_iff Int_atLeastAtMost atLeastatMost_empty_iff usableUntypedRange.simps) apply (erule disjoint_subset2[rotated]) apply (frule(1) le_mask_le_2p) apply (clarsimp simp:p_assoc_help) apply (rule le_plus'[OF word_and_le2]) apply simp apply (erule word_of_nat_le) done lemma descendants_range_caps_no_overlapI': "\invs' s; cte_wp_at' (\c. cteCap c = capability.UntypedCap (ptr && ~~ mask sz) sz idx) cref s; descendants_range_in' {ptr .. (ptr && ~~ mask sz) +2^sz - 1} cref (ctes_of s)\ \ caps_no_overlap'' ptr sz s" apply (frule invs_mdb') apply (clarsimp simp:valid_mdb'_def valid_mdb_ctes_def cte_wp_at_ctes_of simp del:usableUntypedRange.simps untypedRange.simps) apply (unfold caps_no_overlap''_def) apply (intro ballI impI) apply (erule ranE) apply (subgoal_tac "isUntypedCap (cteCap ctea)") prefer 2 apply (rule untypedRange_not_emptyD) apply blast apply (case_tac ctea,case_tac cte) apply simp apply (drule untyped_incD') apply ((simp add:isCap_simps del:usableUntypedRange.simps untypedRange.simps)+)[4] apply (elim conjE subset_splitE) apply (erule subset_trans[OF _ psubset_imp_subset,rotated]) apply (clarsimp simp:word_and_le2) apply simp apply (elim conjE) apply (thin_tac "P\Q" for P Q)+ apply (drule(2) descendants_range_inD') apply (simp add:untypedCapRange)+ apply (erule subset_trans[OF _ equalityD1,rotated]) apply (clarsimp simp:word_and_le2) apply (thin_tac "P\Q" for P Q)+ apply (drule disjoint_subset[rotated, where A' = "{ptr..(ptr && ~~ mask sz) + 2 ^ sz - 1}"]) apply (clarsimp simp:word_and_le2 Int_ac)+ done lemma cte_wp_at_caps_no_overlapI': "\invs' s; cte_wp_at' (\c. (cteCap c) = capability.UntypedCap (ptr && ~~ mask sz) sz idx) cref s; idx \ unat (ptr && mask sz); sz < word_bits\ \ caps_no_overlap'' ptr sz s" apply (frule invs_mdb') apply (frule(1) le_mask_le_2p) apply (clarsimp simp:valid_mdb'_def valid_mdb_ctes_def cte_wp_at_ctes_of) apply (case_tac cte) apply simp apply (frule(1) ctes_of_valid_cap'[OF _ invs_valid_objs']) apply (unfold caps_no_overlap''_def) apply (intro ballI impI) apply (erule ranE) apply (subgoal_tac "isUntypedCap (cteCap ctea)") prefer 2 apply (rule untypedRange_not_emptyD) apply blast apply (case_tac ctea) apply simp apply (drule untyped_incD') apply (simp add:isCap_simps)+ apply (elim conjE) apply (erule subset_splitE) apply (erule subset_trans[OF _ psubset_imp_subset,rotated]) apply (clarsimp simp: word_and_le2) apply simp apply (thin_tac "P\Q" for P Q)+ apply (elim conjE) apply (drule disjoint_subset2[rotated, where B' = "{ptr..(ptr && ~~ mask sz) + 2 ^ sz - 1}"]) apply clarsimp apply (rule le_plus'[OF word_and_le2]) apply simp apply (erule word_of_nat_le) apply simp apply simp apply (erule subset_trans[OF _ equalityD1,rotated]) apply (clarsimp simp:word_and_le2) apply (thin_tac "P\Q" for P Q)+ apply (drule disjoint_subset[rotated, where A' = "{ptr..(ptr && ~~ mask sz) + 2 ^ sz - 1}"]) apply (clarsimp simp:word_and_le2 Int_ac)+ done lemma descendants_range_ex_cte': "\descendants_range_in' S p (ctes_of s');ex_cte_cap_wp_to' P q s'; S \ capRange (cteCap cte); invs' s';ctes_of s' p = Some cte;isUntypedCap (cteCap cte)\ \ q \ S" apply (frule invs_valid_objs') apply (frule invs_mdb') apply (clarsimp simp:invs'_def valid_state'_def) apply (clarsimp simp: ex_cte_cap_to'_def cte_wp_at_ctes_of) apply (frule_tac cte = "cte" in valid_global_refsD') apply simp apply (case_tac "\irq. cteCap ctea = IRQHandlerCap irq") apply clarsimp apply (erule(1) in_empty_interE[OF _ _ subsetD,rotated -1]) apply (clarsimp simp:global_refs'_def) apply (erule_tac A = "range P" for P in subsetD) apply (simp add:range_eqI field_simps) apply (case_tac ctea) apply clarsimp apply (case_tac ctea) apply (drule_tac cte = "cte" and cte' = ctea in untyped_mdbD') apply assumption apply (clarsimp simp:isCap_simps) apply (drule_tac B = "untypedRange (cteCap cte)" in subsetD[rotated]) apply (clarsimp simp:untypedCapRange) apply clarsimp apply (drule_tac x = " (irq_node' s')" in cte_refs_capRange[rotated]) apply (erule(1) ctes_of_valid_cap') apply blast apply (clarsimp simp:isCap_simps) apply (simp add:valid_mdb'_def valid_mdb_ctes_def) apply (drule(2) descendants_range_inD') apply clarsimp apply (drule_tac x = " (irq_node' s')" in cte_refs_capRange[rotated]) apply (erule(1) ctes_of_valid_cap') apply blast done lemma update_untyped_cap_corres: "\is_untyped_cap cap; isUntypedCap cap'; cap_relation cap cap'\ \ corres dc (cte_wp_at (\c. is_untyped_cap c \ obj_ref_of c = obj_ref_of cap \ cap_bits c = cap_bits cap) src and valid_objs and pspace_aligned and pspace_distinct) (cte_at' (cte_map src) and pspace_distinct' and pspace_aligned') (set_cap cap src) (updateCap (cte_map src) cap')" apply (rule corres_name_pre) apply (simp add:updateCap_def) apply (frule state_relation_pspace_relation) apply (clarsimp simp:cte_wp_at_ctes_of) apply (frule pspace_relation_cte_wp_atI) apply (fastforce simp:cte_wp_at_ctes_of) apply simp apply clarify apply (frule cte_map_inj_eq) apply (fastforce simp:cte_wp_at_ctes_of cte_wp_at_caps_of_state)+ apply (clarsimp simp:isCap_simps is_cap_simps) apply (rule corres_guard_imp) apply (rule corres_symb_exec_r) apply (rule_tac F = "cteCap_update (\_. capability.UntypedCap r bits f) ctea = cteCap_update (\cap. capFreeIndex_update (\_. f) (cteCap cte)) cte" in corres_gen_asm2) apply (rule_tac F = " (cap.UntypedCap r bits f) = free_index_update (\_. f) c" in corres_gen_asm) apply simp apply (rule set_untyped_cap_corres) apply (clarsimp simp:cte_wp_at_caps_of_state cte_wp_at_ctes_of)+ apply (subst identity_eq) apply (wp getCTE_sp getCTE_get) apply (rule no_fail_pre[OF no_fail_getCTE]) apply (clarsimp simp:cte_wp_at_ctes_of cte_wp_at_caps_of_state)+ done locale invokeUntyped_proofs = fixes s cref ptr tp us slots sz idx assumes cte_wp_at': "cte_wp_at' (\cte. cteCap cte = capability.UntypedCap (ptr && ~~ mask sz) sz idx) cref s" assumes cover : "range_cover ptr sz (APIType_capBits tp us) (length (slots::word32 list))" assumes misc : "distinct slots" "idx \ unat (ptr && mask sz) \ ptr = ptr && ~~ mask sz" "invs' s" "slots \ []" "\slot\set slots. cte_wp_at' (\c. cteCap c = capability.NullCap) slot s" "\x\set slots. ex_cte_cap_wp_to' (\_. True) x s" assumes desc_range: "ptr = ptr && ~~ mask sz \ descendants_range_in' {ptr..ptr + 2 ^ sz - 1} (cref) (ctes_of s)" begin abbreviation(input) "retype_range == {ptr..ptr + of_nat (length slots) * 2 ^ APIType_capBits tp us - 1}" abbreviation(input) "usable_range == {ptr..(ptr && ~~ mask sz) + 2 ^ sz - 1}" lemma not_0_ptr[simp]: "ptr\ 0" using misc cte_wp_at' apply (clarsimp simp:cte_wp_at_ctes_of) apply (case_tac cte) apply clarsimp apply (drule(1) ctes_of_valid_cap'[OF _ invs_valid_objs']) apply (simp add:valid_cap'_def) done lemma subset_stuff[simp]: "retype_range \ usable_range" apply (rule range_cover_subset'[OF cover]) apply (simp add:misc) done lemma descendants_range[simp]: "descendants_range_in' usable_range cref (ctes_of s)" "descendants_range_in' retype_range cref (ctes_of s)" proof - have "descendants_range_in' usable_range cref (ctes_of s)" using misc cte_wp_at' cover apply - apply (erule disjE) apply (erule cte_wp_at_caps_descendants_range_inI' [OF _ _ _ range_cover.sz(1)[where 'a=32, folded word_bits_def]]) apply simp+ using desc_range apply simp done thus "descendants_range_in' usable_range cref (ctes_of s)" by simp thus "descendants_range_in' retype_range cref (ctes_of s)" by (rule descendants_range_in_subseteq'[OF _ subset_stuff]) qed lemma vc'[simp] : "s \' capability.UntypedCap (ptr && ~~ mask sz) sz idx" using misc cte_wp_at' apply (clarsimp simp:cte_wp_at_ctes_of) apply (case_tac cte) apply clarsimp apply (erule ctes_of_valid_cap') apply (simp add:invs_valid_objs') done lemma ps_no_overlap'[simp]: "ptr && ~~ mask sz \ ptr \ pspace_no_overlap' ptr sz s" using misc cte_wp_at' cover apply clarsimp apply (erule(3) cte_wp_at_pspace_no_overlapI' [OF _ _ _ range_cover.sz(1)[where 'a=32, folded word_bits_def]]) done lemma caps_no_overlap'[simp]: "caps_no_overlap'' ptr sz s" using cte_wp_at' misc cover desc_range apply - apply (erule disjE) apply (erule cte_wp_at_caps_no_overlapI' [OF _ _ _ range_cover.sz(1)[where 'a=32, folded word_bits_def]]) apply simp+ apply (erule descendants_range_caps_no_overlapI') apply simp+ done lemma idx_compare'[simp]:"unat ((ptr && mask sz) + (of_nat (length slots)<< (APIType_capBits tp us))) \ 2 ^ sz" apply (rule le_trans[OF unat_plus_gt]) apply (simp add:range_cover.unat_of_nat_n_shift[OF cover] range_cover_unat) apply (insert range_cover.range_cover_compare_bound[OF cover]) apply simp done lemma ex_cte_no_overlap': "\P p. ex_cte_cap_wp_to' P p s \ p \ usable_range" using cte_wp_at' misc apply (clarsimp simp:cte_wp_at_ctes_of) apply (drule_tac cte = cte in descendants_range_ex_cte'[OF descendants_range(1)]) apply (clarsimp simp:word_and_le2 isCap_simps)+ done lemma cref_inv: "cref \ usable_range" apply (insert misc cte_wp_at') apply (drule if_unsafe_then_capD') apply (simp add:invs'_def valid_state'_def) apply simp apply (erule ex_cte_no_overlap') done lemma slots_invD: "\x. x \ set slots \ x \ cref \ x \ usable_range \ ex_cte_cap_wp_to' (\_. True) x s" using misc cte_wp_at' apply - apply simp apply (drule(1) bspec)+ apply (drule ex_cte_no_overlap') apply simp apply (clarsimp simp:cte_wp_at_ctes_of) done lemma usableRange_disjoint: "usableUntypedRange (capability.UntypedCap (ptr && ~~ mask sz) sz (unat ((ptr && mask sz) + of_nat (length slots) * 2 ^ APIType_capBits tp us))) \ {ptr..ptr + of_nat (length slots) * 2 ^ APIType_capBits tp us - 1} = {}" proof - have idx_compare''[simp]: "unat ((ptr && mask sz) + (of_nat (length slots) * (2::word32) ^ APIType_capBits tp us)) < 2 ^ sz \ ptr + of_nat (length slots) * 2 ^ APIType_capBits tp us - 1 < ptr + of_nat (length slots) * 2 ^ APIType_capBits tp us" apply (rule minus_one_helper,simp) apply (rule neq_0_no_wrap) apply (rule word32_plus_mono_right_split) apply (simp add:shiftl_t2n range_cover_unat[OF cover] field_simps) apply (simp add:range_cover.sz(1) [where 'a=32, folded word_bits_def, OF cover])+ done show ?thesis apply (clarsimp simp:mask_out_sub_mask) apply (drule idx_compare'') apply simp done qed end lemma and_distrib: "(P and (\x. Q x)) = (\x. P x \ Q x)" by (rule ext,simp) lemma valid_sched_etcbs[elim!]: "valid_sched_2 queues ekh sa cdom kh ct it \ valid_etcbs_2 ekh kh" by (simp add: valid_sched_def) lemma valid_etcbs_detype: "valid_etcbs s \ valid_etcbs (detype S s)" by (clarsimp simp add: detype_def detype_ext_def valid_etcbs_def st_tcb_at_kh_def is_etcb_at_def obj_at_kh_def obj_at_def) crunch ksIdleThread[wp]: deleteObjects "\s. P (ksIdleThread s)" (simp: crunch_simps wp: hoare_drop_imps hoare_unless_wp ignore:freeMemory) crunch ksCurDomain[wp]: deleteObjects "\s. P (ksCurDomain s)" (simp: crunch_simps wp: hoare_drop_imps hoare_unless_wp ignore:freeMemory) crunch irq_node[wp]: deleteObjects "\s. P (irq_node' s)" (simp: crunch_simps wp: hoare_drop_imps hoare_unless_wp ignore:freeMemory) lemma deleteObjects_ksCurThread[wp]: "\\s. P (ksCurThread s)\ deleteObjects ptr sz \\_ s. P (ksCurThread s)\" apply (simp add: deleteObjects_def3) apply (wp | simp add: doMachineOp_def split_def)+ done lemma deleteObjects_ct_active': "\invs' and sch_act_simple and ct_active' and cte_wp_at' (\c. cteCap c = UntypedCap ptr sz idx) cref and (\s. descendants_range' (UntypedCap ptr sz idx) cref (ctes_of s)) and K (sz < word_bits \ is_aligned ptr sz)\ deleteObjects ptr sz \\_. ct_active'\" apply (simp add: ct_in_state'_def) apply (rule hoare_pre) apply wps apply (wp deleteObjects_st_tcb_at') apply (auto simp: ct_in_state'_def elim: pred_tcb'_weakenE) done defs cNodeOverlap_def: "cNodeOverlap \ \cns inRange. \p n. cns p = Some n \ (\ is_aligned p (cte_level_bits + n) \ cte_level_bits + n \ word_bits \ ({p .. p + 2 ^ (cte_level_bits + n) - 1} \ {p. inRange p} \ {}))" lemma cNodeNoOverlap: notes Int_atLeastAtMost[simp del] shows "corres dc (\s. \cref. cte_wp_at (\cap. is_untyped_cap cap \ Collect R \ usable_untyped_range cap) cref s \ valid_objs s \ pspace_aligned s) \ (return x) (stateAssert (\s. \ cNodeOverlap (gsCNodes s) R) [])" apply (simp add: stateAssert_def assert_def) apply (rule corres_symb_exec_r[OF _ get_sp]) apply (rule corres_req[rotated], subst if_P, assumption) apply simp apply (clarsimp simp: cNodeOverlap_def cte_wp_at_caps_of_state) apply (frule(1) caps_of_state_valid_cap) apply (frule usable_range_subseteq[rotated], simp add: valid_cap_def) apply (clarsimp simp: valid_cap_def valid_untyped_def cap_table_at_gsCNodes_eq obj_at_def is_cap_table is_cap_simps) apply (frule(1) pspace_alignedD) apply simp apply (elim allE, drule(1) mp, simp add: obj_range_def valid_obj_def cap_aligned_def) apply (erule is_aligned_get_word_bits[where 'a=32, folded word_bits_def]) apply (clarsimp simp: is_aligned_no_overflow simp del: ) apply blast apply (simp add: is_aligned_no_overflow power_overflow word_bits_def Int_atLeastAtMost) apply wp done lemma cNodeNoOverlap_empty: notes Int_atLeastAtMost[simp del] shows "corres dc (\s. pspace_no_overlap ptr bits s \ Collect R \ {ptr .. (ptr && ~~ mask bits) + 2 ^ bits - 1} \ pspace_aligned s \ valid_objs s) \ (return x) (stateAssert (\s. \ cNodeOverlap (gsCNodes s) R) [])" apply (simp add: stateAssert_def assert_def) apply (rule corres_symb_exec_r[OF _ get_sp]) apply (rule corres_req[rotated], subst if_P, assumption) apply simp apply (clarsimp simp: cNodeOverlap_def) apply (clarsimp simp: cap_table_at_gsCNodes_eq obj_at_def is_cap_table is_cap_simps pspace_no_overlap_def) apply (erule(1) valid_objsE) apply (frule(1) pspace_alignedD) apply (elim allE, drule(1) mp) apply (clarsimp simp: valid_obj_def valid_cs_def valid_cs_size_def) apply (simp add: cte_level_bits_def word_bits_def field_simps) apply blast apply wp done lemma inv_untyped_corres': "\ ui = (Invocations_A.Retype cref ptr_base ptr tp us slots); untypinv_relation ui ui' \ \ corres (op =) (einvs and valid_untyped_inv ui and ct_active) (invs' and valid_untyped_inv' ui' and ct_active') (invoke_untyped ui) (invokeUntyped ui')" apply (rule corres_name_pre) apply (clarsimp simp del:invoke_untyped.simps) proof - fix s s' ao' sz idx sza idxa assume cte_wp_at : "cte_wp_at (\c. c = cap.UntypedCap (ptr && ~~ mask sz) sz idx) cref (s::det_state)" have cte_at: "cte_wp_at (op = (cap.UntypedCap (ptr && ~~ mask sz) sz idx)) cref s" (is "?cte_cond s") using cte_wp_at by (simp add:cte_wp_at_caps_of_state) assume cte_wp_at': "cte_wp_at' (\cte. cteCap cte = capability.UntypedCap (ptr && ~~ mask sz) sza idxa) (cte_map cref) s'" assume cover : "range_cover ptr sz (obj_bits_api (APIType_map2 (Inr ao')) us) (length slots)" assume vslot : "slots \ []" assume cap_table : "\slot\set slots. cte_wp_at (op = cap.NullCap) slot s \ ex_cte_cap_wp_to is_cnode_cap slot s \ real_cte_at slot s" assume desc_range: "ptr = ptr && ~~ mask sz \ descendants_range_in {ptr..ptr + 2 ^ sz - 1} cref s" "ptr = ptr && ~~ mask sz \ descendants_range_in' {ptr..ptr + 2 ^ sza - 1} (cte_map cref) (ctes_of s')" assume misc : "distinct slots" "cte_map cref \ cte_map ` set slots" "cref \ set slots" "distinct (map cte_map slots)" " ao' = APIObjectType ArchTypes_H.apiobject_type.CapTableObject \ 0 < us" "idx \ unat (ptr && mask sz) \ ptr = ptr && ~~ mask sz" " ao' = APIObjectType ArchTypes_H.apiobject_type.Untyped \ 4 \ us" " ao' = APIObjectType ArchTypes_H.apiobject_type.Untyped \ us \ 30" "invs s" "invs' s'" "valid_list s" "valid_sched s" " APIType_map2 (Inr ao') \ ArchObject ASIDPoolObj " " \slot\set slots. ex_cte_cap_wp_to' (\_. True) (cte_map slot) s'" " \slot\set slots. cte_wp_at' (\c. cteCap c = capability.NullCap) (cte_map slot) s'" " \slot\set slots. cte_wp_at (op = cap.NullCap) slot s \ ex_cte_cap_wp_to is_cnode_cap slot s \ real_cte_at slot s" " ct_active s" "ct_active' s'" "(s, s') \ state_relation" "sch_act_simple s'" have sz_simp[simp]: "sza = sz \ idxa = idx \ 2 \ sz" using misc cte_at cte_wp_at' apply - apply (clarsimp simp:cte_wp_at_ctes_of) apply (drule pspace_relation_cte_wp_atI'[OF state_relation_pspace_relation]) apply (simp add:cte_wp_at_ctes_of) apply (simp add:invs_valid_objs) apply (clarsimp simp:is_cap_simps isCap_simps) apply (frule cte_map_inj_eq) apply ((fastforce simp:cte_wp_at_caps_of_state cte_wp_at_ctes_of)+)[5] apply (clarsimp simp:cte_wp_at_caps_of_state cte_wp_at_ctes_of) apply (drule caps_of_state_valid_cap,fastforce) apply (clarsimp simp:valid_cap_def) done have obj_bits_low_bound[simp]: "4 \ obj_bits_api (APIType_map2 (Inr ao')) us" using misc apply (case_tac ao') apply (simp_all add:obj_bits_api_def slot_bits_def arch_kobj_size_def default_arch_object_def APIType_map2_def split: ArchTypes_H.apiobject_type.splits) done have intvl_eq[simp]: "ptr && ~~ mask sz = ptr \ {ptr + of_nat k |k. k < 2 ^ sz} = {ptr..ptr + 2 ^ sz - 1}" using cover apply (subgoal_tac "is_aligned (ptr &&~~ mask sz) sz") apply (rule intvl_range_conv) apply (simp) apply (drule range_cover.sz) apply simp apply (rule is_aligned_neg_mask,simp) done have delete_objects_rewrite: "ptr && ~~ mask sz = ptr \ delete_objects ptr sz = do y \ modify (clear_um {ptr + of_nat k |k. k < 2 ^ sz}); modify (detype {ptr && ~~ mask sz..ptr + 2 ^ sz - 1}) od" using cover apply (clarsimp simp:delete_objects_def freeMemory_def word_size_def) apply (subgoal_tac "is_aligned (ptr &&~~ mask sz) sz") apply (subst mapM_storeWord_clear_um) apply (simp) apply simp apply (simp add:range_cover_def word_bits_def) apply clarsimp apply (rule is_aligned_neg_mask) apply simp done have of_nat_length: "(of_nat (length slots)::word32) - (1::word32) < (of_nat (length slots)::word32)" using vslot using range_cover.range_cover_le_n_less(1)[OF cover,where p = "length slots"] apply - apply (case_tac slots) apply clarsimp+ apply (subst add.commute) apply (subst word_le_make_less[symmetric]) apply (rule less_imp_neq) apply (simp add:word_bits_def minus_one_norm) apply (rule word_of_nat_less) apply auto done have not_0_ptr[simp]: "ptr\ 0" using misc cte_wp_at' apply (clarsimp simp:cte_wp_at_ctes_of) apply (case_tac cte) apply clarsimp apply (drule(1) ctes_of_valid_cap'[OF _ invs_valid_objs']) apply (simp add:valid_cap'_def) done have size_eq[simp]: "APIType_capBits ao' us = obj_bits_api (APIType_map2 (Inr ao')) us" apply (case_tac ao') apply (rename_tac apiobject_type) apply (case_tac apiobject_type) apply (clarsimp simp: APIType_capBits_def objBits_def arch_kobj_size_def default_arch_object_def obj_bits_api_def APIType_map2_def objBitsKO_def slot_bits_def pageBitsForSize_def)+ done have subset_stuff[simp]: "{ptr..ptr + of_nat (length slots) * 2 ^ obj_bits_api (APIType_map2 (Inr ao')) us - 1} \ {ptr..(ptr && ~~ mask sz) + 2 ^ sz - 1}" (is "?retype_range \ ?usable_range") apply (rule range_cover_subset'[OF cover]) apply (simp add:vslot) done have non_detype_idx_le[simp]: "ptr \ ptr && ~~ mask sz \ idx < 2^sz" using misc apply clarsimp apply (erule le_less_trans) apply (rule unat_less_helper) apply simp apply (rule le_less_trans) apply (rule word_and_le1) apply (simp add:mask_def) apply (rule minus_one_helper) apply simp using cover apply (clarsimp simp:range_cover_def) done note blah[simp del] = untyped_range.simps usable_untyped_range.simps atLeastAtMost_iff atLeastatMost_subset_iff atLeastLessThan_iff Int_atLeastAtMost atLeastatMost_empty_iff split_paired_Ex usableUntypedRange.simps have descendants_range[simp]: "descendants_range_in ?usable_range cref s" "descendants_range_in ?retype_range cref s" "descendants_range_in' ?usable_range (cte_map cref) (ctes_of s')" "descendants_range_in' ?retype_range (cte_map cref) (ctes_of s')" proof - have "descendants_range_in ?usable_range cref s" using misc cte_at cover cte_wp_at apply - apply (erule disjE) apply (erule cte_wp_at_caps_descendants_range_inI [OF _ _ _ range_cover.sz(1)[where 'a=32, folded word_bits_def]]) apply simp+ using desc_range apply simp done thus "descendants_range_in ?usable_range cref s" by simp thus "descendants_range_in ?retype_range cref s" by (rule descendants_range_in_subseteq[OF _ subset_stuff]) have "descendants_range_in' ?usable_range (cte_map cref) (ctes_of s')" using misc cte_wp_at' cover apply - apply (erule disjE) apply (erule cte_wp_at_caps_descendants_range_inI' [OF _ _ _ range_cover.sz(1)[where 'a=32, folded word_bits_def]]) apply simp+ using desc_range apply simp done thus "descendants_range_in' ?usable_range (cte_map cref) (ctes_of s')" by simp thus "descendants_range_in' ?retype_range (cte_map cref) (ctes_of s')" by (rule descendants_range_in_subseteq'[OF _ subset_stuff]) qed have vc'[simp] : "s' \' capability.UntypedCap (ptr && ~~ mask sz) sz idx" using misc cte_wp_at' apply (clarsimp simp:cte_wp_at_ctes_of) apply (case_tac cte) apply clarsimp apply (erule ctes_of_valid_cap') apply (simp add:invs_valid_objs') done -- "pspace_no_overlap on both side :" have ps_no_overlap[simp]: "ptr && ~~ mask sz \ ptr \ pspace_no_overlap ptr sz s" using misc cte_wp_at cover apply clarsimp apply (erule(3) cte_wp_at_pspace_no_overlapI [OF _ _ _ range_cover.sz(1)[where 'a=32, folded word_bits_def]]) done have ps_no_overlap'[simp]: "ptr && ~~ mask sz \ ptr \ pspace_no_overlap' ptr sz s'" using misc cte_wp_at' cover apply clarsimp apply (erule(3) cte_wp_at_pspace_no_overlapI' [OF _ _ _ range_cover.sz(1)[where 'a=32, folded word_bits_def]]) done -- "caps_no_overlap on both side :" have caps_no_overlap[simp]: "caps_no_overlap ptr sz s" using cte_wp_at misc cover desc_range cte_at apply - apply (erule disjE) apply (erule(3) cte_wp_at_caps_no_overlapI [OF _ _ _ range_cover.sz(1)[where 'a=32, folded word_bits_def]]) apply clarsimp apply (erule descendants_range_caps_no_overlapI) apply simp apply simp done have caps_no_overlap'[simp]: "caps_no_overlap'' ptr sz s'" using cte_wp_at' misc cover desc_range apply - apply (erule disjE) apply (erule cte_wp_at_caps_no_overlapI' [OF _ _ _ range_cover.sz(1)[where 'a=32, folded word_bits_def]]) apply simp+ apply (erule descendants_range_caps_no_overlapI') apply simp+ done have ex_cte_no_overlap: "\P slot. ex_cte_cap_wp_to P slot s \ fst slot \ ?usable_range" using cte_at apply clarsimp apply (drule ex_cte_cap_to_obj_ref_disj,erule disjE) using misc apply clarsimp apply (rule_tac ptr' = "(aa,b)" in untyped_children_in_mdbEE[OF invs_untyped_children]) apply simp+ apply (clarsimp simp:untyped_range.simps) apply (drule_tac B'="?usable_range" in disjoint_subset2[rotated]) apply (clarsimp simp:blah word_and_le2) apply blast apply (clarsimp simp:cte_wp_at_caps_of_state) apply (drule(1) descendants_range_inD[OF descendants_range(1)]) apply (clarsimp simp:cap_range_def) apply blast apply clarsimp apply (drule_tac irq = irq in valid_globals_irq_node[rotated]) using misc apply (clarsimp simp: invs_def valid_state_def ) apply (clarsimp simp:untyped_range.simps) apply (drule_tac B = "{ptr && ~~ mask sz..(ptr && ~~ mask sz) + 2 ^ sz - 1}" in subsetD[rotated]) apply (clarsimp simp:blah word_and_le2) apply simp done have ex_cte_no_overlap': "\P p. ex_cte_cap_wp_to' P p s' \ p \ ?usable_range" using cte_wp_at' misc apply (clarsimp simp:cte_wp_at_ctes_of) apply (drule_tac cte = cte in descendants_range_ex_cte'[OF descendants_range(3)]) apply (clarsimp simp:blah word_and_le2 isCap_simps)+ done have cref_inv: "fst cref \ ?usable_range" "cte_map cref \ ?usable_range" apply (insert misc cte_wp_at cte_wp_at') apply (drule if_unsafe_then_capD) apply (simp add:invs_def valid_state_def) apply simp apply (erule ex_cte_no_overlap) apply (drule if_unsafe_then_capD') apply (simp add:invs'_def valid_state'_def) apply simp apply (erule ex_cte_no_overlap') done have slots_invD: "\x. x \ set slots \ fst x \ ?usable_range \ caps_of_state s x = Some cap.NullCap \ ex_cte_cap_wp_to is_cnode_cap x s \ real_cte_at x s \ cte_map x \ cte_map cref \ cte_map x \ ?usable_range" using cte_at misc cte_wp_at' apply - apply (drule(1) bspec)+ apply (frule_tac p = cref and p' = x in cte_map_inj_ps[rotated -1,OF invs_valid_pspace]) apply (clarsimp simp: cte_wp_at_caps_of_state)+ apply (drule ex_cte_no_overlap) apply simp apply (drule ex_cte_no_overlap') apply simp done have kernel_window_inv[simp]: "\x\?usable_range. arm_kernel_vspace (arch_state s) x = ArmVSpaceKernelWindow" using cte_at misc apply (clarsimp simp:cte_wp_at_caps_of_state invs_def valid_state_def) apply (erule(1) cap_refs_in_kernel_windowD[THEN bspec]) apply (simp add:blah cap_range_def) apply clarsimp apply (erule order_trans[OF word_and_le2]) done have nidx[simp]: "ptr + (of_nat (length slots) * 2^obj_bits_api (APIType_map2 (Inr ao')) us) - (ptr && ~~ mask sz) = (ptr && mask sz) + (of_nat (length slots) * 2^obj_bits_api (APIType_map2 (Inr ao')) us)" apply (subst word_plus_and_or_coroll2[symmetric,where w = "mask sz" and t = ptr]) apply simp done have idx_compare: "\unat ((ptr && mask sz) + of_nat (length slots) * 2 ^ obj_bits_api (APIType_map2 (Inr ao')) us) < 2^ sz; ptr \ ptr && ~~ mask sz \ \ (ptr && ~~ mask sz) + of_nat idx \ ptr + (of_nat (length slots) << obj_bits_api (APIType_map2 (Inr ao')) us)" apply (rule range_cover_idx_compare[OF cover ]) apply assumption+ apply (frule non_detype_idx_le) apply (erule less_imp_le) using misc apply simp done have idx_compare'[simp]:"unat ((ptr && mask sz) + (of_nat (length slots)<< obj_bits_api (APIType_map2 (Inr ao')) us)) \ 2 ^ sz" apply (rule le_trans[OF unat_plus_gt]) apply (simp add:range_cover.unat_of_nat_n_shift[OF cover] range_cover_unat) apply (insert range_cover.range_cover_compare_bound[OF cover]) apply simp done have usable_range_subset: "ptr && ~~ mask sz \ ptr \ usableUntypedRange (capability.UntypedCap (ptr &&~~ mask sz) sz (getFreeIndex (ptr &&~~ mask sz) (ptr + of_nat (length slots) * 2 ^ obj_bits_api (APIType_map2 (Inr ao')) us))) \ usableUntypedRange (capability.UntypedCap (ptr&&~~ mask sz) sz idx)" "ptr && ~~ mask sz \ ptr \usable_untyped_range (cap.UntypedCap (ptr && ~~ mask sz) sz (unat (ptr + (of_nat (length slots) << obj_bits_api (APIType_map2 (Inr ao')) us) - (ptr && ~~ mask sz)))) \ usable_untyped_range (cap.UntypedCap (ptr && ~~ mask sz) sz idx)" apply (simp_all add:blah getFreeIndex_def field_simps nidx) apply (clarsimp) apply (subst add.commute) apply (erule order_trans[OF idx_compare]) apply simp apply (subst word_plus_and_or_coroll2[symmetric,where w = "mask sz"]) apply (simp add:shiftl_t2n field_simps) apply (clarsimp simp:shiftl_t2n nidx field_simps) apply (subst add.commute) apply (erule order_trans[OF idx_compare]) apply simp apply (simp add:shiftl_t2n field_simps) done have idx_compare''[simp]: "unat ((ptr && mask sz) + (of_nat (length slots) * (2::word32) ^ obj_bits_api (APIType_map2 (Inr ao')) us)) < 2 ^ sz \ ptr + of_nat (length slots) * 2 ^ obj_bits_api (APIType_map2 (Inr ao')) us - 1 < ptr + of_nat (length slots) * 2 ^ obj_bits_api (APIType_map2 (Inr ao')) us" apply (rule minus_one_helper,simp) apply (rule neq_0_no_wrap) apply (rule word32_plus_mono_right_split) apply (simp add:shiftl_t2n range_cover_unat[OF cover] field_simps) apply (simp add:range_cover.sz[where 'a=32, folded word_bits_def, OF cover])+ done note neg_mask_add_mask = word_plus_and_or_coroll2[symmetric,where w = "mask sz" and t = ptr,symmetric] have idx_compare'''[simp]: "\unat (of_nat (length slots) * (2::word32) ^ obj_bits_api (APIType_map2 (Inr ao')) us) < 2 ^ sz; ptr && ~~ mask sz = ptr\ \ ptr + of_nat (length slots) * 2 ^ obj_bits_api (APIType_map2 (Inr ao')) us - 1 < ptr + of_nat (length slots) * 2 ^ obj_bits_api (APIType_map2 (Inr ao')) us " apply (rule minus_one_helper,simp) apply (simp add:is_aligned_neg_mask_eq'[symmetric]) apply (rule neq_0_no_wrap) apply (rule word32_plus_mono_right_split[where sz = sz]) apply (simp add:is_aligned_mask)+ apply (simp add:range_cover.sz[where 'a=32, folded word_bits_def, OF cover])+ done have detype_locale:"ptr && ~~ mask sz = ptr \ detype_locale (cap.UntypedCap (ptr && ~~ mask sz) sz idx) cref s" using cte_at descendants_range misc by (simp add:detype_locale_def cte_at descendants_range_def2 blah invs_untyped_children) have detype_descendants_range_in: "ptr && ~~ mask sz = ptr \ descendants_range_in ?usable_range cref (detype ?usable_range (clear_um ?usable_range s))" using misc cte_at apply - apply (frule detype_invariants) apply (simp add:isCap_simps) using descendants_range apply (clarsimp simp:blah descendants_range_def2) apply ((simp add:isCap_simps invs_untyped_children blah invs_valid_reply_caps invs_valid_reply_masters)+)[5] apply (subst valid_mdb_descendants_range_in) apply (clarsimp dest!: invs_mdb simp: untyped_range.simps) apply (frule detype_locale) apply (drule detype_locale.non_filter_detype[symmetric]) using descendants_range(1) apply - apply (subst (asm) valid_mdb_descendants_range_in) apply (clarsimp simp: invs_mdb untyped_range.simps) apply (clarsimp simp:descendants_range_in_def untyped_range.simps clear_um_def cong:if_cong) done have maxDomain:"ksCurDomain s' \ maxDomain" using misc by (simp add:invs'_def valid_state'_def) have sz_mask_less: "unat (ptr && mask sz) < 2 ^ sz" using range_cover.sz[OF cover] by (simp add: unat_less_helper and_mask_less_size word_size) have invs: "invs s" using misc by simp have overlap_ranges1: "{x. ptr \ x \ x \ ptr + 2 ^ obj_bits_api (APIType_map2 (Inr ao')) us * of_nat (length slots) - 1} \ {ptr .. (ptr && ~~ mask sz) + 2 ^ sz - 1}" apply (rule order_trans[rotated]) apply (rule range_cover_subset'[OF cover], simp add: vslot) apply (clarsimp simp: atLeastAtMost_iff field_simps) done have overlap_ranges2: "idx \ unat (ptr && mask sz) \ {x. ptr \ x \ x \ ptr + 2 ^ obj_bits_api (APIType_map2 (Inr ao')) us * of_nat (length slots) - 1} \ {(ptr && ~~ mask sz) + of_nat idx..(ptr && ~~ mask sz) + 2 ^ sz - 1}" apply (rule order_trans[OF overlap_ranges1]) apply (clarsimp simp add: atLeastatMost_subset_iff) apply (rule order_trans, rule word_plus_mono_right) apply (erule word_of_nat_le) apply (simp add: add.commute word_plus_and_or_coroll2 word_and_le2) apply (simp add: add.commute word_plus_and_or_coroll2) done note set_cap_free_index_invs_spec = set_free_index_invs[where cap = "cap.UntypedCap (ptr && ~~ mask sz) sz idx" ,unfolded free_index_update_def free_index_of_def,simplified] note msimp[simp add] = misc getObjectSize_def_eq neg_mask_add_mask show " corres op = (op = s) (op = s') (invoke_untyped (Invocations_A.untyped_invocation.Retype cref (ptr && ~~ mask sz) ptr (APIType_map2 (Inr ao')) us slots)) (invokeUntyped (Invocations_H.untyped_invocation.Retype (cte_map cref) (ptr && ~~ mask sz) ptr ao' us (map cte_map slots)))" using [[ hypsubst_thin = true ]] apply (case_tac "ptr && ~~ mask sz \ ptr") using misc apply (clarsimp simp:invokeUntyped_def getSlotCap_def bind_assoc) apply (case_tac ui') apply (clarsimp simp: insertNewCaps_def split_def bind_assoc split del: split_if) apply (insert cover) apply (rule corres_guard_imp) apply (rule corres_split[OF _ get_cap_corres]) apply (rule_tac F = "cap = cap.UntypedCap (ptr && ~~ mask sz) sz idx" in corres_gen_asm) apply (rule corres_add_noop_lhs) apply (rule corres_split_nor[OF _ cNodeNoOverlap return_wp stateAssert_wp]) apply (rule corres_split[OF _ update_untyped_cap_corres,rotated]) apply (simp add:isCap_simps)+ apply (clarsimp simp:getFreeIndex_def bits_of_def shiftL_nat shiftl_t2n) prefer 3 apply (insert range_cover.range_cover_n_less[OF cover] vslot) apply (rule createNewObjects_corres_helper) apply simp+ apply (simp add: insertNewCaps_def) apply (rule corres_split_retype_createNewCaps[where sz = sz,OF corres_rel_imp]) apply (rule inv_untyped_corres_helper1) apply simp apply simp apply ((wp retype_region_invs_extras[where sz = sz] retype_region_plain_invs [where sz = sz] retype_region_descendants_range_ret[where sz = sz] retype_region_caps_overlap_reserved_ret[where sz = sz] retype_region_cte_at_other[where sz = sz] retype_region_distinct_sets[where sz = sz] (* retype_region_ranges[where p=cref and sz = sz] *) retype_region_ranges[where ptr=ptr and sz=sz and ptr_base="ptr && ~~ mask sz", where p=cref] retype_ret_valid_caps [where sz = sz] retype_region_arch_objs [where sza = "\_. sz"] hoare_vcg_const_Ball_lift set_tuple_pick distinct_tuple_helper retype_region_obj_at_other3[where sz = sz] | assumption)+)[1] apply (wp set_tuple_pick createNewCaps_cte_wp_at'[where sz= sz] hoare_vcg_ex_lift distinct_tuple_helper createNewCaps_parent_helper [where p="cte_map cref" and sz = sz] createNewCaps_valid_pspace_extras [where ptr=ptr and sz = sz] createNewCaps_not_parents[where sz = sz] createNewCaps_distinct[where sz = sz] createNewCaps_ranges'[where sz = sz] hoare_vcg_const_Ball_lift createNewCaps_valid_cap'[where sz = sz] createNewCaps_descendants_range_ret'[where sz = sz] createNewCaps_caps_overlap_reserved_ret'[where sz = sz]) apply clarsimp apply (erule cte_wp_at_weakenE') apply (case_tac c, simp) apply hypsubst apply (case_tac c,clarsimp simp:isCap_simps) apply (clarsimp simp: getObjectSize_def_eq getFreeIndex_def is_cap_simps bits_of_def shiftL_nat shiftl_t2n) apply (clarsimp simp:conj_comms) apply (strengthen invs_mdb invs_valid_objs invs_valid_pspace invs_arch_state invs_psp_aligned) apply (clarsimp simp:conj_comms bits_of_def region_in_kernel_window_def) apply (wp set_cap_free_index_invs_spec set_cap_caps_no_overlap set_cap_no_overlap) apply (rule hoare_vcg_conj_lift) apply (rule hoare_strengthen_post[OF set_cap_sets]) apply (clarsimp simp:cte_wp_at_caps_of_state) apply (wp set_cap_no_overlap hoare_vcg_ball_lift set_cap_free_index_invs_spec set_cap_cte_wp_at set_cap_descendants_range_in set_untyped_cap_caps_overlap_reserved) apply (clarsimp simp:conj_comms ball_conj_distrib simp del:capFreeIndex_update.simps) apply (strengthen invs_pspace_aligned' invs_pspace_distinct' invs_valid_pspace' invs_arch_state' imp_consequent[where Q = "(\x. x \ cte_map ` set slots)"] | clarsimp simp:conj_comms not_0_ptr simp del:capFreeIndex_update.simps)+ apply (wp updateFreeIndex_invs' updateFreeIndex_caps_overlap_reserved' updateFreeIndex_caps_no_overlap'' updateFreeIndex_pspace_no_overlap') apply (rule hoare_vcg_conj_lift[OF hoare_vcg_ball_lift]) apply (simp add:updateCap_def) apply (wp setCTE_weak_cte_wp_at getCTE_wp) apply (wp updateFreeIndex_caps_overlap_reserved' updateFreeIndex_descendants_range_in' ) apply (simp add:updateCap_def) apply (wp setCTE_weak_cte_wp_at,simp) apply (rule hoare_strengthen_post[OF hoare_TrueI[where P = \]]) apply fastforce apply (clarsimp simp:conj_comms ball_conj_distrib and_distrib) apply (strengthen invs_mdb invs_valid_objs imp_consequent invs_valid_pspace invs_arch_state invs_psp_aligned invs_distinct) apply (clarsimp simp:conj_comms) apply (wp get_cap_wp)[1] apply (clarsimp simp:conj_comms and_distrib split del:if_splits) apply (strengthen invs_pspace_aligned' invs_valid_pspace' imp_consequent invs_pspace_distinct' invs_arch_state invs_psp_aligned) apply (clarsimp simp:conj_comms not_0_ptr isCap_simps shiftL_nat field_simps range_cover.unat_of_nat_shift[OF cover le_refl,simplified]) apply (wp get_cap_wp) using kernel_window_inv cte_at ps_no_overlap caps_no_overlap apply (clarsimp simp:cte_wp_at_caps_of_state cap_master_cap_def bits_of_def is_cap_simps shiftl_t2n untyped_range.simps valid_sched_etcbs[OF misc(12)] invs_valid_objs[OF invs] invs_psp_aligned[OF invs]) apply (subst exI[where x=cref]) apply (simp add: usable_untyped_range_def shiftL_nat overlap_ranges2) apply simp apply (intro conjI impI) apply clarsimp apply (drule slots_invD) apply (clarsimp simp: cte_wp_at_caps_of_state ex_cte_cap_wp_to_def) apply (clarsimp dest!:slots_invD) apply (clarsimp simp:field_simps range_cover_unat[OF cover] range_cover.unat_of_nat_shift[OF cover le_refl le_refl])+ apply (subst add.commute) apply (rule range_cover.range_cover_compare_bound[OF cover]) apply (rule subset_trans[OF subset_stuff]) apply (clarsimp simp:blah word_and_le2) apply (clarsimp simp:usable_untyped_range.simps blah add.assoc[symmetric] add.commute dest!:idx_compare'') apply (metis idx_compare'' mult.commute nidx word_arith_nat_mult word_not_le) apply (clarsimp simp:invs_pspace_aligned' invs_pspace_distinct' invs_valid_pspace' maxDomain) apply (insert cte_wp_at') apply (intro conjI impI) apply (clarsimp simp:cte_wp_at_ctes_of isCap_simps dest!:usable_range_subset(1))+ apply (clarsimp simp:getFreeIndex_def field_simps range_cover_unat[OF cover] range_cover.unat_of_nat_shift[OF cover le_refl le_refl])+ apply (subst add.commute) apply (rule range_cover.range_cover_compare_bound[OF cover]) apply (simp add:getFreeIndex_def field_simps) apply (rule aligned_add_aligned[OF aligned_after_mask]) apply (erule range_cover.aligned) apply (rule is_aligned_weaken) apply (subst mult.commute) apply (rule is_aligned_shiftl_self[unfolded shiftl_t2n]) apply (simp) apply (simp add: range_cover_def) apply (rule subset_trans[OF subset_stuff]) apply (clarsimp simp:blah word_and_le2) apply clarsimp+ apply (drule slots_invD,clarsimp simp:cte_wp_at_ctes_of) apply simp apply (clarsimp simp: add.assoc[symmetric] getFreeIndex_def blah add.commute dest!:idx_compare'') apply simp apply (clarsimp simp:invokeUntyped_def getSlotCap_def bind_assoc) apply (case_tac ui') apply (clarsimp simp: insertNewCaps_def split_def bind_assoc split del: split_if) apply (rule corres_guard_imp) apply (rule corres_split[OF _ get_cap_corres]) apply (rule_tac F = "cap = cap.UntypedCap (ptr && ~~ mask sz) sz idx" in corres_gen_asm) apply (clarsimp simp:bits_of_def simp del:capFreeIndex_update.simps) apply (rule corres_split[OF _ detype_corres]) apply (rule corres_add_noop_lhs) apply (rule corres_split_nor[OF _ cNodeNoOverlap_empty[where ptr=ptr and bits=sz] return_wp stateAssert_wp]) apply (rule corres_split[OF _ update_untyped_cap_corres,rotated]) apply (simp add:isCap_simps)+ apply (clarsimp simp:shiftl_t2n shiftL_nat getFreeIndex_def) prefer 3 apply (insert range_cover.range_cover_n_less[OF cover] vslot) apply (rule createNewObjects_corres_helper) apply simp+ apply (simp add: insertNewCaps_def) apply (rule corres_split_retype_createNewCaps[where sz = sz,OF corres_rel_imp]) apply (rule inv_untyped_corres_helper1) apply simp apply simp apply ((wp retype_region_invs_extras[where sz = sz] retype_region_plain_invs [where sz = sz] retype_region_descendants_range_ret[where sz = sz] retype_region_caps_overlap_reserved_ret[where sz = sz] retype_region_cte_at_other[where sz = sz] retype_region_distinct_sets[where sz = sz] retype_region_ranges[where p=cref and sz = sz] retype_ret_valid_caps [where sz = sz] retype_region_arch_objs [where sza = "\_. sz"] hoare_vcg_const_Ball_lift set_tuple_pick distinct_tuple_helper retype_region_obj_at_other3[where sz = sz] | assumption)+)[1] apply (wp set_tuple_pick createNewCaps_cte_wp_at'[where sz= sz] hoare_vcg_ex_lift distinct_tuple_helper createNewCaps_parent_helper [where p="cte_map cref" and sz = sz and ptr_base = "ptr && ~~ mask sz"] createNewCaps_valid_pspace_extras [where ptr=ptr and sz = sz] createNewCaps_not_parents[where sz = sz] createNewCaps_distinct[where sz = sz] createNewCaps_ranges'[where sz = sz] hoare_vcg_const_Ball_lift createNewCaps_valid_cap'[where sz = sz] createNewCaps_descendants_range_ret'[where sz = sz] createNewCaps_caps_overlap_reserved_ret'[where sz = sz]) apply clarsimp apply (erule cte_wp_at_weakenE') apply (case_tac c,clarsimp simp:cte_wp_at_ctes_of isCap_simps) apply (clarsimp simp: getFreeIndex_def is_cap_simps bits_of_def shiftL_nat shiftl_t2n) apply (clarsimp simp:conj_comms) apply (strengthen invs_mdb invs_valid_objs invs_valid_pspace invs_arch_state invs_psp_aligned) apply (clarsimp simp:conj_comms bits_of_def region_in_kernel_window_def) apply (wp set_cap_caps_no_overlap set_untyped_cap_invs_simple set_cap_no_overlap) apply (rule hoare_vcg_conj_lift) apply (rule hoare_strengthen_post[OF set_cap_sets]) apply (clarsimp simp:cte_wp_at_caps_of_state) apply (wp set_cap_no_overlap hoare_vcg_ball_lift set_untyped_cap_invs_simple set_cap_cte_wp_at set_cap_descendants_range_in set_untyped_cap_caps_overlap_reserved) apply (clarsimp simp:conj_comms ball_conj_distrib simp del:capFreeIndex_update.simps) apply (strengthen invs_pspace_aligned' invs_pspace_distinct' invs_valid_pspace' invs_arch_state' imp_consequent[where Q = "(\x. x \ cte_map ` set slots)"] | clarsimp simp:conj_comms simp del:capFreeIndex_update.simps)+ apply (wp updateFreeIndex_invs_simple' updateFreeIndex_caps_overlap_reserved' updateFreeIndex_caps_no_overlap'' updateFreeIndex_pspace_no_overlap') apply (rule hoare_vcg_conj_lift[OF hoare_vcg_ball_lift]) apply (simp add:updateCap_def) apply (wp setCTE_weak_cte_wp_at getCTE_wp) apply (rule hoare_vcg_conj_lift) apply (simp add:updateCap_def) apply (wp setCTE_weak_cte_wp_at getCTE_wp) apply (wp updateFreeIndex_caps_overlap_reserved' updateFreeIndex_descendants_range_in' ) apply (simp add:is_aligned_neg_mask_eq') apply simp apply (simp add:delete_objects_rewrite) apply wp apply (clarsimp simp:conj_comms split del: split_if) apply (wp_once hoare_drop_imps) apply (strengthen invs_pspace_aligned' invs_valid_pspace' imp_consequent invs_pspace_distinct' invs_arch_state invs_psp_aligned) apply (clarsimp simp:conj_comms isCap_simps shiftL_nat field_simps range_cover.unat_of_nat_shift[OF cover le_refl,simplified]) apply (wp deleteObjects_invs'[where idx = idx and p = "cte_map cref"] deleteObjects_caps_no_overlap''[where idx = idx and slot = "cte_map cref"] deleteObject_no_overlap[where idx = idx] deleteObjects_cte_wp_at'[where idx = idx and ptr = ptr and bits = sz] deleteObjects_caps_overlap_reserved'[where idx = idx and slot = "cte_map cref"] deleteObjects_descendants[where idx = idx and p = "cte_map cref"] hoare_vcg_ball_lift hoare_drop_imp hoare_vcg_ex_lift deleteObjects_ct_active'[where sz = sz and ptr = ptr and idx = idx and cref = "cte_map cref"] deleteObjects_cte_wp_at'[where idx = idx and ptr = ptr and bits = sz])[1] apply (clarsimp simp:conj_comms ball_conj_distrib pred_conj_def) apply (strengthen invs_mdb invs_valid_objs imp_consequent invs_valid_pspace invs_arch_state invs_psp_aligned invs_distinct | clarsimp simp: conj_comms)+ apply (wp get_cap_wp) using kernel_window_inv cte_at ps_no_overlap caps_no_overlap caps_no_overlap_detype descendants_range apply (clarsimp simp:cte_wp_at_caps_of_state cap_master_cap_def descendants_range_def2 invs_mdb valid_state_def invs_untyped_children bits_of_def is_cap_simps untyped_range.simps) apply (frule detype_descendants_range_in) apply (subgoal_tac "pspace_no_overlap ptr sz (detype {ptr..ptr + 2 ^ sz - 1} s)") prefer 2 apply (cut_tac misc cte_at) apply (erule pspace_no_overlap_detype[OF caps_of_state_valid]) apply (simp add:invs_psp_aligned invs_valid_objs cte_wp_at_caps_of_state)+ apply (subgoal_tac "invs (detype {ptr..ptr + 2 ^ sz - 1} (clear_um {ptr..ptr + 2 ^ sz - 1} s))") prefer 2 apply (cut_tac misc cte_at) apply (frule detype_invariants) apply (simp add:isCap_simps) apply (clarsimp simp:blah descendants_range_def2) apply ((simp add:isCap_simps invs_untyped_children blah invs_valid_reply_caps invs_valid_reply_masters)+)[6] apply (clarsimp simp: detype_clear_um_independent) apply (intro conjI impI) apply (insert misc cte_at cref_inv) apply ((clarsimp simp:invs_def valid_state_def)+)[2] apply (erule caps_of_state_valid,simp) apply simp+ apply (clarsimp dest!:slots_invD) apply simp apply (rule_tac x = cref in exI,simp) apply simp apply (clarsimp dest!:slots_invD) apply (clarsimp simp:field_simps range_cover.unat_of_nat_shift[OF cover le_refl le_refl]) apply (subst mult.commute) apply (rule nat_le_power_trans) apply (rule range_cover.range_cover_n_le(2)[OF cover]) apply (erule range_cover.sz) apply (simp add:caps_no_overlap_detype) apply (simp add:range_cover.unat_of_nat_n_shift[OF cover] field_simps) apply (rule subset_trans[OF subset_stuff],simp) apply (cut_tac kernel_window_inv) apply (simp add:detype_def clear_um_def) apply (simp add: shiftL_nat) apply (rule order_trans, rule overlap_ranges1) apply simp apply (clarsimp simp:blah field_simps dest!:idx_compare''') apply (simp) apply (simp add:clear_um_def detype_def detype_ext_def) apply (erule descendants_range_in_subseteq) apply (rule subset_trans[OF subset_stuff],simp) apply (simp add: clear_um_def) apply (rule valid_etcbs_detype[OF valid_sched_etcbs[OF misc(12)]]) apply (clarsimp,drule slots_invD,simp) apply (clarsimp simp:field_simps range_cover.unat_of_nat_shift[OF cover le_refl le_refl]) apply (subst mult.commute) apply (rule nat_le_power_trans) apply (rule range_cover.range_cover_n_le(2)[OF cover]) apply (erule range_cover.sz) apply (clarsimp simp:conj_comms invs_pspace_aligned' invs_pspace_distinct' invs_valid_pspace') apply (insert cte_wp_at' vc' descendants_range) apply (intro conjI impI) apply (simp add: is_aligned_neg_mask_eq' range_cover.sz [where 'a=32, folded word_bits_def, OF cover])+ apply (clarsimp simp:cte_wp_at_ctes_of isCap_simps maxDomain)+ apply (clarsimp simp:descendants_range'_def2) apply simp apply (simp add:getFreeIndex_def)+ apply (clarsimp simp:range_cover.unat_of_nat_shift field_simps) apply (subst mult.commute) apply (rule nat_le_power_trans[OF range_cover.range_cover_n_le(2)[OF cover]]) apply (rule range_cover.sz(2)[OF cover]) apply (simp add:getFreeIndex_def) apply (rule is_aligned_weaken) apply (subst mult.commute) apply (rule is_aligned_shiftl_self[unfolded shiftl_t2n]) apply simp apply (rule subset_trans[OF subset_stuff],simp) apply (clarsimp simp:cte_wp_at_ctes_of) apply (drule slots_invD) apply simp apply (clarsimp simp:blah getFreeIndex_def dest!:idx_compare''') apply simp done qed lemma inv_untyped_corres: "untypinv_relation ui ui' \ corres (op=) (einvs and valid_untyped_inv ui and ct_active) (invs' and valid_untyped_inv' ui' and ct_active') (invoke_untyped ui) (invokeUntyped ui')" by (case_tac ui, erule(1) inv_untyped_corres') crunch pred_tcb_at'[wp]: insertNewCap "pred_tcb_at' proj P t" (wp: crunch_wps) crunch pred_tcb_at'[wp]: doMachineOp "pred_tcb_at' proj P t" (wp: crunch_wps) (* FIXME: move *) lemma deleteObjects_real_cte_at': "\\s. real_cte_at' p s \ p \ {ptr .. ptr + 2 ^ bits - 1} \ s \' (UntypedCap ptr bits idx) \ valid_pspace' s\ deleteObjects ptr bits \\_. real_cte_at' p\" apply (simp add: deleteObjects_def3 doMachineOp_def split_def) apply wp apply (clarsimp simp: valid_pspace'_def cong:if_cong) apply (subgoal_tac "s\ksMachineState := b, ksPSpace := \x. if ptr \ x \ x \ ptr + 2 ^ bits - 1 then None else ksPSpace s x\ = ksMachineState_update (\_. b) (s\ksPSpace := \x. if ptr \ x \ x \ ptr + 2 ^ bits - 1 then None else ksPSpace s x\)", erule ssubst) apply (simp add: obj_at_delete' x_power_minus_1) apply (case_tac s, simp) done lemma inv_untyp_st_tcb_at'[wp]: "\invs' and st_tcb_at' (P and (op \ Inactive) and (op \ IdleThreadState)) tptr and valid_untyped_inv' ui and ct_active'\ invokeUntyped ui \\rv. st_tcb_at' P tptr\" apply (rule hoare_name_pre_state) apply (cases ui) apply (clarsimp) apply (rename_tac s cref ptr tp us slots sz idx) proof - fix s cref ptr tp us slots sz idx assume cte_wp_at': "cte_wp_at' (\cte. cteCap cte = capability.UntypedCap (ptr && ~~ mask sz) sz idx) cref s" assume cover : "range_cover ptr sz (APIType_capBits tp us) (length (slots::word32 list))" assume misc : "distinct slots" "idx \ unat (ptr && mask sz) \ ptr = ptr && ~~ mask sz" "invs' s" "slots \ []" "sch_act_simple s" "\slot\set slots. cte_wp_at' (\c. cteCap c = capability.NullCap) slot s" "\x\set slots. ex_cte_cap_wp_to' (\_. True) x s" "ct_active' s" "tp = APIObjectType ArchTypes_H.apiobject_type.Untyped \ 4 \ us \ us \ 30" assume desc_range: "ptr = ptr && ~~ mask sz \ descendants_range_in' {ptr..ptr + 2 ^ sz - 1} (cref) (ctes_of s)" assume st_tcb: "st_tcb_at' (P and op \ Structures_H.thread_state.Inactive and op \ Structures_H.thread_state.IdleThreadState) tptr s" have pf: "invokeUntyped_proofs s cref ptr tp us slots sz idx" using cte_wp_at' cover misc desc_range by (simp add:invokeUntyped_proofs_def) have us_align[simp]: "is_aligned ((ptr && mask sz) + of_nat (length slots) * 2 ^ APIType_capBits tp us) 4" using misc cover apply - apply (rule aligned_add_aligned[OF aligned_after_mask]) apply (rule range_cover.aligned[OF cover]) apply (subst mult.commute) apply (rule is_aligned_weaken) apply (rule is_aligned_shiftl_self[unfolded shiftl_t2n]) apply (case_tac tp,(clarsimp simp:APIType_capBits_def objBits_simps split: ArchTypes_H.apiobject_type.splits)+)[1] apply (simp add:range_cover_def) apply (case_tac tp,(clarsimp simp:APIType_capBits_def objBits_simps split: ArchTypes_H.apiobject_type.splits)+)[1] done note nidx[simp] = add_minus_neg_mask[where ptr = ptr] note blah[simp del] = untyped_range.simps usable_untyped_range.simps atLeastAtMost_iff atLeastatMost_subset_iff atLeastLessThan_iff Int_atLeastAtMost atLeastatMost_empty_iff split_paired_Ex usableUntypedRange.simps note if_cong[cong del] if_weak_cong[cong] show "\op = s\ invokeUntyped (Invocations_H.untyped_invocation.Retype cref (ptr && ~~ mask sz) ptr tp us slots) \\rv. st_tcb_at' P tptr\" using misc cover cte_wp_at' invokeUntyped_proofs.not_0_ptr[OF pf] invokeUntyped_proofs.caps_no_overlap'[OF pf] invokeUntyped_proofs.descendants_range[OF pf] invokeUntyped_proofs.idx_compare'[OF pf] apply (simp add:invokeUntyped_def) apply (case_tac "\ ptr && ~~ mask sz = ptr") apply (frule invokeUntyped_proofs.ps_no_overlap'[OF pf]) apply (rule hoare_pre) apply wp apply (rule createNewObjects_wp_helper) apply simp+ apply (simp add: insertNewCaps_def split_def bind_assoc zipWithM_x_mapM cong: capability.case_cong) apply (wp mapM_wp' createNewCaps_pred_tcb_at' deleteObjects_st_tcb_at' createNewObjects_wp_helper updateFreeIndex_pspace_no_overlap'[where sz = sz] | wpc)+ apply (rule hoare_vcg_conj_lift) apply (simp add:updateCap_def) apply (wp setCTE_weak_cte_wp_at getCTE_wp) apply (wp hoare_vcg_const_Ball_lift) apply (simp add:updateCap_def) apply (wp setCTE_weak_cte_wp_at getCTE_wp) apply (strengthen invs_pspace_aligned' invs_pspace_distinct' invs_valid_pspace' invs_arch_state') apply (clarsimp simp:conj_comms) apply (wp updateFreeIndex_invs' updateFreeIndex_caps_overlap_reserved' updateFreeIndex_caps_no_overlap''[where sz = sz] updateFreeIndex_pspace_no_overlap'[where sz = sz] hoare_vcg_const_Ball_lift) apply simp apply simp apply (strengthen invs_pspace_aligned' invs_pspace_distinct' invs_valid_pspace') apply (clarsimp simp:conj_comms isCap_simps getFreeIndex_def split del:if_splits) apply (wp getSlotCap_wp) apply (strengthen imp_consequent[where Q="\ cNodeOverlap A B" for A B]) apply (clarsimp simp:invs_pspace_aligned' invs_pspace_distinct' invs_valid_pspace' cte_wp_at_ctes_of conj_comms field_simps shiftl_t2n shiftL_nat invs_ksCurDomain_maxDomain') apply (intro conjI) apply (rule pred_tcb'_weakenE[OF st_tcb]) apply simp apply (clarsimp dest!:invokeUntyped_proofs.slots_invD[OF pf]) apply (simp add:range_cover_unat[OF cover] range_cover.unat_of_nat_shift field_simps) apply (rule subset_trans[OF invokeUntyped_proofs.subset_stuff[OF pf]]) apply (clarsimp simp:blah word_and_le2) apply (rule invokeUntyped_proofs.usableRange_disjoint[OF pf]) apply (rule hoare_pre) apply wp apply (rule createNewObjects_wp_helper) apply simp+ apply (simp add: insertNewCaps_def split_def bind_assoc zipWithM_x_mapM cong: capability.case_cong) apply (wp mapM_wp' createNewCaps_pred_tcb_at' deleteObjects_st_tcb_at' createNewObjects_wp_helper updateFreeIndex_pspace_no_overlap'[where sz = sz] | wpc)+ apply (rule hoare_vcg_conj_lift) apply (simp add:updateCap_def) apply (wp setCTE_weak_cte_wp_at getCTE_wp) apply (wp hoare_vcg_const_Ball_lift) apply (simp add:updateCap_def) apply (wp setCTE_weak_cte_wp_at getCTE_wp) apply (strengthen invs_pspace_aligned' invs_pspace_distinct' invs_valid_pspace' invs_arch_state') apply (clarsimp simp:conj_comms) apply (wp updateFreeIndex_invs_simple' updateFreeIndex_caps_overlap_reserved' updateFreeIndex_caps_no_overlap''[where sz = sz] updateFreeIndex_pspace_no_overlap'[where sz = sz] hoare_vcg_const_Ball_lift) apply (strengthen imp_consequent[where Q="\ cNodeOverlap A B" for A B]) apply (clarsimp simp:conj_comms split del:if_splits) apply (strengthen invs_pspace_aligned' invs_valid_pspace' imp_consequent invs_pspace_distinct' invs_arch_state invs_psp_aligned) apply (clarsimp simp:conj_comms isCap_simps shiftL_nat field_simps range_cover.unat_of_nat_shift[OF cover le_refl,simplified]) apply (rule_tac P = "cap = capability.UntypedCap (ptr && ~~ mask sz) sz idx" in hoare_gen_asm) apply (clarsimp simp: conj_comms) apply (wp deleteObjects_invs'[where idx = idx and p = "cref"] deleteObjects_caps_no_overlap''[where idx = idx and slot = "cref"] deleteObject_no_overlap[where idx = idx] deleteObjects_cte_wp_at'[where idx = idx and ptr = ptr and bits = sz] deleteObjects_caps_overlap_reserved'[where idx = idx and slot = "cref"] deleteObjects_descendants[where idx = idx and p = "cref"] hoare_vcg_ball_lift hoare_drop_imp hoare_vcg_ex_lift deleteObjects_st_tcb_at'[where p = cref] deleteObjects_cte_wp_at'[where idx = idx and ptr = ptr and bits = sz] deleteObjects_real_cte_at'[where idx = idx and ptr = ptr and bits = sz] deleteObjects_ct_active'[where cref=cref and idx=idx]) apply (clarsimp simp:conj_comms ball_conj_distrib descendants_range'_def2 is_aligned_neg_mask_eq pred_conj_def) apply (strengthen invs_mdb' invs_valid_objs' imp_consequent invs_valid_pspace' invs_arch_state' invs_pspace_aligned' invs_pspace_distinct') apply (wp getSlotCap_wp) apply (rule_tac x = "capability.UntypedCap ptr sz idx" in exI) apply (clarsimp simp:invs_pspace_aligned' invs_pspace_distinct' invs_valid_pspace' cte_wp_at_ctes_of conj_comms field_simps shiftl_t2n shiftL_nat invs_ksCurDomain_maxDomain') apply (rule conjI) apply (erule range_cover.sz(1)[where 'a=32, folded word_bits_def]) using invokeUntyped_proofs.usableRange_disjoint[OF pf] invokeUntyped_proofs.vc'[OF pf] invokeUntyped_proofs.cref_inv[OF pf] invokeUntyped_proofs.subset_stuff[OF pf] us_align apply (simp add: is_aligned_neg_mask_eq'[symmetric] pred_tcb'_weakenE[OF st_tcb, simplified] is_aligned_neg_mask_eq is_aligned_mask getFreeIndex_def) apply (rule conjI) apply (clarsimp dest!:invokeUntyped_proofs.slots_invD[OF pf] simp:is_aligned_mask[symmetric] is_aligned_neg_mask_eq)+ done qed lemma inv_untyp_tcb'[wp]: "\invs' and st_tcb_at' active' tptr and valid_untyped_inv' ui and ct_active'\ invokeUntyped ui \\rv. tcb_at' tptr\" apply (rule hoare_chain [OF inv_untyp_st_tcb_at'[where tptr=tptr and P="\"]]) apply (clarsimp elim!: pred_tcb'_weakenE) apply fastforce apply (clarsimp simp: pred_tcb_at'_def) done crunch irq_node[wp]: set_thread_state "\s. P (interrupt_irq_node s)" crunch ctes_of [wp]: setQueue "\s. P (ctes_of s)" crunch cte_wp_at [wp]: setQueue "cte_wp_at' P p" (simp: cte_wp_at_ctes_of) lemma sts_valid_untyped_inv': "\valid_untyped_inv' ui\ setThreadState st t \\rv. valid_untyped_inv' ui\" apply (cases ui, simp add: ex_cte_cap_to'_def) apply (rule hoare_pre) apply (rule hoare_use_eq_irq_node' [OF setThreadState_ksInterruptState]) apply (wp hoare_vcg_const_Ball_lift hoare_vcg_ex_lift | simp)+ done crunch nosch[wp]: insertNewCaps "\s. P (ksSchedulerAction s)" (simp: crunch_simps zipWithM_x_mapM wp: crunch_wps) crunch nosch[wp]: createNewObjects "\s. P (ksSchedulerAction s)" (simp: crunch_simps zipWithM_x_mapM wp: crunch_wps hoare_unless_wp) lemma invokeUntyped_nosch[wp]: "\\s. P (ksSchedulerAction s)\ invokeUntyped invok \\rv s. P (ksSchedulerAction s)\" apply (cases invok, simp add: invokeUntyped_def) apply (wp deleteObjects_nosch zipWithM_x_inv hoare_drop_imps) apply clarsimp done crunch no_0_obj'[wp]: insertNewCap no_0_obj' (wp: crunch_wps) lemma insertNewCap_valid_pspace': "\\s. valid_pspace' s \ s \' cap \ slot \ parent \ caps_overlap_reserved' (untypedRange cap) s \ cte_wp_at' (\cte. isUntypedCap (cteCap cte) \ sameRegionAs (cteCap cte) cap) parent s \ \ isZombie cap \ descendants_range' cap parent (ctes_of s)\ insertNewCap parent slot cap \\rv. valid_pspace'\" apply (simp add: valid_pspace'_def) apply (wp insertNewCap_valid_mdb) apply simp_all done crunch tcb'[wp]: insertNewCap "tcb_at' t" (wp: crunch_wps) crunch inQ[wp]: insertNewCap "obj_at' (inQ d p) t" (wp: crunch_wps) crunch norq[wp]: insertNewCap "\s. P (ksReadyQueues s)" (wp: crunch_wps) crunch norqL1[wp]: insertNewCap "\s. P (ksReadyQueuesL1Bitmap s)" (wp: crunch_wps) crunch norqL2[wp]: insertNewCap "\s. P (ksReadyQueuesL2Bitmap s)" (wp: crunch_wps) crunch ct[wp]: insertNewCap "\s. P (ksCurThread s)" (wp: crunch_wps) crunch state_refs_of'[wp]: insertNewCap "\s. P (state_refs_of' s)" (wp: crunch_wps) lemma insertNewCap_ifunsafe'[wp]: "\if_unsafe_then_cap' and ex_cte_cap_to' slot\ insertNewCap parent slot cap \\rv s. if_unsafe_then_cap' s\" apply (simp add: ifunsafe'_def3 insertNewCap_def) apply (wp getCTE_wp') apply (clarsimp simp: ex_cte_cap_to'_def cte_wp_at_ctes_of cteCaps_of_def) apply (drule_tac x=crefa in spec) apply (rule conjI) apply clarsimp apply (rule_tac x=cref in exI, fastforce) apply clarsimp apply (rule_tac x=cref' in exI, fastforce) done lemma insertNewCap_iflive'[wp]: "\if_live_then_nonz_cap'\ insertNewCap parent slot cap \\rv. if_live_then_nonz_cap'\" apply (simp add: insertNewCap_def) apply (wp setCTE_iflive' getCTE_wp') apply (clarsimp elim!: cte_wp_at_weakenE') done lemma insertNewCap_cte_wp_at'': "\cte_wp_at' (\cte. P (cteCap cte)) p and K (\ P NullCap)\ insertNewCap parent slot cap \\rv s. cte_wp_at' (P \ cteCap) p s\" apply (simp add: insertNewCap_def tree_cte_cteCap_eq) apply (wp getCTE_wp') apply (clarsimp simp: cte_wp_at_ctes_of cteCaps_of_def) done lemmas insertNewCap_cte_wp_at' = insertNewCap_cte_wp_at''[unfolded o_def] crunch irq_node'[wp]: insertNewCap "\s. P (irq_node' s)" (wp: crunch_wps) lemma insertNewCap_cap_to'[wp]: "\ex_cte_cap_to' p\ insertNewCap parent slot cap \\rv. ex_cte_cap_to' p\" apply (simp add: ex_cte_cap_to'_def) apply (rule hoare_pre) apply (rule hoare_use_eq_irq_node'[OF insertNewCap_irq_node']) apply (wp hoare_vcg_ex_lift insertNewCap_cte_wp_at') apply clarsimp done lemma insertNewCap_nullcap: "\P and cte_wp_at' (\cte. cteCap cte = NullCap) slot\ insertNewCap parent slot cap \Q\ \ \P\ insertNewCap parent slot cap \Q\" apply (clarsimp simp: valid_def) apply (subgoal_tac "cte_wp_at' (\cte. cteCap cte = NullCap) slot s") apply fastforce apply (clarsimp simp: insertNewCap_def in_monad cte_wp_at_ctes_of liftM_def dest!: use_valid [OF _ getCTE_sp[where P="op = s" for s], OF _ refl]) done crunch idle'[wp]: getCTE "valid_idle'" lemma insertNewCap_idle'[wp]: "\valid_idle' and (\s. ksIdleThread s \ capRange cap)\ insertNewCap parent slot cap \\rv. valid_idle'\" apply (simp add: insertNewCap_def) apply (wp getCTE_no_idle_cap | simp add: o_def | rule hoare_drop_imp)+ done crunch global_refs': insertNewCap "\s. P (global_refs' s)" (wp: crunch_wps simp: crunch_simps) crunch gsMaxObjectSize[wp]: insertNewCap "\s. P (gsMaxObjectSize s)" (wp: crunch_wps simp: crunch_simps) lemma insertNewCap_valid_global_refs': "\valid_global_refs' and cte_wp_at' (\cte. capRange cap \ capRange (cteCap cte) \ capBits cap \ capBits (cteCap cte)) parent\ insertNewCap parent slot cap \\rv. valid_global_refs'\" apply (simp add: valid_global_refs'_def valid_refs'_cteCaps valid_cap_sizes_cteCaps) apply (rule hoare_pre) apply (rule hoare_use_eq [where f=global_refs', OF insertNewCap_global_refs']) apply (rule hoare_use_eq [where f=gsMaxObjectSize]) apply wp apply (clarsimp simp: cte_wp_at_ctes_of cteCaps_of_def ball_ran_eq) apply (frule power_increasing[where a=2], simp) apply (blast intro: order_trans) done lemma insertNewCap_valid_irq_handlers: "\valid_irq_handlers' and (\s. \irq. cap = IRQHandlerCap irq \ irq_issued' irq s)\ insertNewCap parent slot cap \\rv. valid_irq_handlers'\" apply (simp add: insertNewCap_def valid_irq_handlers'_def irq_issued'_def) apply wp apply (simp add: cteCaps_of_def) apply (wp hoare_use_eq[where f=ksInterruptState, OF setCTE_ksInterruptState setCTE_ctes_of_wp] getCTE_wp) apply (clarsimp simp: cteCaps_of_def cte_wp_at_ctes_of ran_def) apply auto done crunch irq_states' [wp]: insertNewCap valid_irq_states' (wp: getCTE_wp') crunch pde_mappings' [wp]: insertNewCap valid_pde_mappings' (wp: getCTE_wp') crunch vq'[wp]: insertNewCap valid_queues' (wp: crunch_wps) crunch irqs_masked' [wp]: insertNewCap irqs_masked' (wp: crunch_wps lift: irqs_masked_lift) crunch valid_machine_state'[wp]: insertNewCap valid_machine_state' (wp: crunch_wps) crunch pspace_domain_valid[wp]: insertNewCap pspace_domain_valid (wp: crunch_wps) crunch ct_not_inQ[wp]: insertNewCap "ct_not_inQ" (wp: crunch_wps) crunch ksCurDomain[wp]: insertNewCap "\s. P (ksCurDomain s)" (wp: crunch_wps) crunch ksCurThread[wp]: insertNewCap "\s. P (ksCurThread s)" (wp: crunch_wps) crunch tcbState_inv[wp]: insertNewCap "obj_at' (\tcb. P (tcbState tcb)) t" (wp: crunch_simps hoare_drop_imps) crunch tcbDomain_inv[wp]: insertNewCap "obj_at' (\tcb. P (tcbDomain tcb)) t" (wp: crunch_simps hoare_drop_imps) crunch tcbPriority_inv[wp]: insertNewCap "obj_at' (\tcb. P (tcbPriority tcb)) t" (wp: crunch_simps hoare_drop_imps) crunch ksIdleThread[wp]: insertNewCap "\s. P (ksIdleThread s)" (wp: crunch_simps hoare_drop_imps) crunch ksDomSchedule[wp]: insertNewCap "\s. P (ksDomSchedule s)" (wp: crunch_simps hoare_drop_imps) crunch ksInterrupt[wp]: insertNewCap "\s. P (ksInterruptState s)" (wp: crunch_wps) lemma insertNewCap_ct_idle_or_in_cur_domain'[wp]: "\ct_idle_or_in_cur_domain' and ct_active'\ insertNewCap parent slot cap \\_. ct_idle_or_in_cur_domain'\" apply (wp ct_idle_or_in_cur_domain'_lift_futz[where Q=\]) apply (rule_tac Q="\_. obj_at' (\tcb. tcbState tcb \ Structures_H.thread_state.Inactive) t and obj_at' (\tcb. d = tcbDomain tcb) t" in hoare_strengthen_post) apply (wp | clarsimp elim: obj_at'_weakenE)+ apply (auto simp: obj_at'_def) done crunch ksDomScheduleIdx[wp]: insertNewCap "\s. P (ksDomScheduleIdx s)" (wp: crunch_simps hoare_drop_imps) lemma capRange_subset_capBits: "capAligned cap \ capAligned cap' \ capRange cap \ capRange cap' \ capRange cap \ {} \ capBits cap \ capBits cap'" apply (simp add: capRange_def capAligned_def is_aligned_no_overflow split: split_if_asm del: atLeastatMost_subset_iff) apply (frule_tac c="capUntypedPtr cap" in subsetD) apply (simp only: mask_in_range[symmetric]) apply (simp add: is_aligned_neg_mask_eq) apply (drule_tac c="(capUntypedPtr cap && ~~ mask (capBits cap)) || (~~ capUntypedPtr cap' && mask (capBits cap))" in subsetD) apply (simp_all only: mask_in_range[symmetric]) apply (simp add: word_ao_dist is_aligned_neg_mask_eq) apply (simp add: word_ao_dist) apply (cases "capBits cap = 0") apply simp apply (drule_tac f="\x. x !! (capBits cap - 1)" and x="a || b" for a b in arg_cong) apply (simp add: word_ops_nth_size word_bits_def word_size) apply auto done lemma insertNewCap_invs': "\invs' and ct_active' and valid_cap' cap and cte_wp_at' (\cte. isUntypedCap (cteCap cte) \ sameRegionAs (cteCap cte) cap) parent and K (\ isZombie cap) and (\s. descendants_range' cap parent (ctes_of s)) and caps_overlap_reserved' (untypedRange cap) and ex_cte_cap_to' slot and (\s. ksIdleThread s \ capRange cap) and (\s. \irq. cap = IRQHandlerCap irq \ irq_issued' irq s)\ insertNewCap parent slot cap \\rv. invs'\" apply (rule insertNewCap_nullcap) apply (simp add: invs'_def valid_state'_def) apply (rule hoare_pre) apply (wp insertNewCap_valid_pspace' sch_act_wf_lift valid_queues_lift cur_tcb_lift tcb_in_cur_domain'_lift insertNewCap_valid_global_refs' valid_arch_state_lift' valid_irq_node_lift insertNewCap_valid_irq_handlers) apply (clarsimp simp: cte_wp_at_ctes_of) apply (frule ctes_of_valid[rotated, where p=parent, OF valid_pspace_valid_objs']) apply (fastforce simp: cte_wp_at_ctes_of) apply (auto simp: isCap_simps sameRegionAs_def3 intro!: capRange_subset_capBits elim: valid_capAligned) done lemma insertNewCap_irq_issued'[wp]: "\\s. P (irq_issued' irq s)\ insertNewCap parent slot cap \\rv s. P (irq_issued' irq s)\" by (simp add: irq_issued'_def, wp) lemma insertNewCap_ct_in_state'[wp]: "\ct_in_state' p\insertNewCap parent slot cap \\rv. ct_in_state' p\" unfolding ct_in_state'_def apply (rule hoare_pre) apply wps apply wp apply simp done lemma zipWithM_x_insertNewCap_invs'': "\\s. invs' s \ ct_active' s \ (\tup \ set ls. s \' snd tup) \ cte_wp_at' (\cte. isUntypedCap (cteCap cte) \ (\tup \ set ls. sameRegionAs (cteCap cte) (snd tup))) parent s \ (\tup \ set ls. \ isZombie (snd tup)) \ (\tup \ set ls. ex_cte_cap_to' (fst tup) s) \ (\tup \ set ls. descendants_range' (snd tup) parent (ctes_of s)) \ (\tup \ set ls. ksIdleThread s \ capRange (snd tup)) \ (\tup \ set ls. caps_overlap_reserved' (capRange (snd tup)) s) \ distinct_sets (map capRange (map snd ls)) \ (\irq. IRQHandlerCap irq \ set (map snd ls) \ irq_issued' irq s) \ distinct (map fst ls)\ mapM (\(x, y). insertNewCap parent x y) ls \\rv. invs'\" apply (induct ls) apply (simp add: mapM_def sequence_def) apply (wp, simp) apply (simp add: mapM_Cons) apply wp apply assumption apply (thin_tac "valid P f Q" for P f Q) apply clarsimp apply (rule hoare_pre) apply (wp insertNewCap_invs' hoare_vcg_const_Ball_lift insertNewCap_cte_wp_at' insertNewCap_ranges hoare_vcg_all_lift insertNewCap_pred_tcb_at') apply (clarsimp simp: cte_wp_at_ctes_of invs_mdb' invs_valid_objs' dest!:valid_capAligned) apply (drule caps_overlap_reserved'_subseteq[OF _ untypedRange_in_capRange]) apply (auto simp:comp_def) done lemma zipWithM_x_insertNewCap_invs': "\\s. invs' s \ ct_active' s \ (\cap \ set cps. s \' cap) \ cte_wp_at' (\cte. isUntypedCap (cteCap cte) \ (\tup \ set (zip slots cps). sameRegionAs (cteCap cte) (snd tup))) parent s \ (\cap \ set cps. \ isZombie cap) \ (\slot \ set slots. ex_cte_cap_to' slot s) \ (\cap \ set cps. ksIdleThread s \ capRange cap) \ (\tup \ set (zip slots cps). caps_overlap_reserved' (capRange (snd tup)) s) \ (\irq. IRQHandlerCap irq \ set cps \ irq_issued' irq s) \ distinct slots \ descendants_of' parent (ctes_of s) = {} \ distinct_sets (map capRange cps)\ zipWithM_x (insertNewCap parent) slots cps \\rv. invs'\" apply (rule hoare_pre) apply (simp add:zipWithM_x_mapM) apply wp apply (rule zipWithM_x_insertNewCap_invs'') apply (clarsimp simp: descendants_range'_def cte_wp_at_ctes_of distinct_prefix [OF _ map_fst_zip_prefix] distinct_sets_prop simp del: map_map) apply (auto simp: map_snd_zip_prefix [unfolded less_eq_list_def] dest!: set_zip_helper elim!: distinct_prop_prefixE intro!: map_prefixeqI simp del: map_map) done lemma createNewCaps_not_isZombie[wp]: "\\\ createNewCaps ty ptr bits sz \\rv s. (\cap \ set rv. \ isZombie cap)\" apply (simp add: createNewCaps_def toAPIType_def ArchTypes_H.toAPIType_def createNewCaps_def split del: split_if cong: option.case_cong if_cong ArchTypes_H.apiobject_type.case_cong ArchTypes_H.object_type.case_cong) apply (rule hoare_pre) apply (wp undefined_valid | wpc | simp add: isCap_simps)+ apply auto? done lemma createNewCaps_cap_to': "\\s. ex_cte_cap_to' p s \ 0 < n \ range_cover ptr sz (APIType_capBits ty us) n \ pspace_aligned' s \ pspace_distinct' s \ pspace_no_overlap' ptr sz s\ createNewCaps ty ptr n us \\rv. ex_cte_cap_to' p\" apply (simp add: ex_cte_cap_to'_def) apply (wp hoare_vcg_ex_lift hoare_use_eq_irq_node' [OF createNewCaps_ksInterrupt createNewCaps_cte_wp_at']) apply fastforce done lemma storePDE_it[wp]: "\\s. P (ksIdleThread s)\ storePDE ptr val \\rv s. P (ksIdleThread s)\" by (simp add: storePDE_def | wp updateObject_default_inv)+ crunch it[wp]: copyGlobalMappings "\s. P (ksIdleThread s)" (wp: mapM_x_wp' ignore: clearMemory forM_x getObject) crunch it[wp]: createWordObjects "\s. P (ksIdleThread s)" (wp: mapM_x_wp' ignore: clearMemory forM_x getObject) lemma createNewCaps_idlethread[wp]: "\\s. P (ksIdleThread s)\ createNewCaps tp ptr sz us \\rv s. P (ksIdleThread s)\" apply (simp add: createNewCaps_def toAPIType_def ArchTypes_H.toAPIType_def createNewCaps_def split: ArchTypes_H.object_type.split ArchTypes_H.apiobject_type.split) apply safe apply (wp mapM_x_wp' | simp)+ done lemma createNewCaps_idlethread_ranges[wp]: "\\s. 0 < n \ range_cover ptr sz (APIType_capBits tp us) n \ ksIdleThread s \ {ptr .. (ptr && ~~ mask sz) + 2 ^ sz - 1}\ createNewCaps tp ptr n us \\rv s. \cap\set rv. ksIdleThread s \ capRange cap\" apply (rule hoare_as_subst [OF createNewCaps_idlethread]) apply (rule hoare_assume_pre) apply (rule hoare_chain, rule createNewCaps_range_helper2) apply fastforce apply blast done lemma createNewCaps_IRQHandler[wp]: "\\\ createNewCaps tp ptr sz us \\rv s. IRQHandlerCap irq \ set rv \ P rv s\" apply (simp add: createNewCaps_def split del: split_if) apply (rule hoare_pre) apply (wp | wpc | simp add: image_def | rule hoare_pre_cont)+ done crunch ksIdleThread[wp]: updateCap "\s. P (ksIdleThread s)" lemma size_eq: "APIType_capBits ao' us = obj_bits_api (APIType_map2 (Inr ao')) us" apply (case_tac ao') apply (rename_tac apiobject_type) apply (case_tac apiobject_type) apply (clarsimp simp: APIType_capBits_def objBits_def arch_kobj_size_def default_arch_object_def obj_bits_api_def APIType_map2_def objBitsKO_def slot_bits_def pageBitsForSize_def)+ done lemma obj_at_in_obj_range': "\ksPSpace s p = Some ko; pspace_aligned' s\ \ p \ {p.. p + 2 ^ objBitsKO ko - 1}" apply (drule(1) pspace_alignedD') apply (clarsimp) apply (erule is_aligned_no_overflow) done lemma updateCap_weak_cte_wp_at: "\\s. if p = ptr then P (cteCap (cteCap_update (\_. cap) cte)) else cte_wp_at' (\c. P (cteCap c)) p s\ updateCap ptr cap \\uu. cte_wp_at' (\c. P (cteCap c)) p\" apply (simp add:updateCap_def) apply (wp setCTE_weak_cte_wp_at getCTE_wp) apply (clarsimp simp:cte_wp_at'_def) done lemma createNewCaps_ct_active': "\ct_active' and pspace_aligned' and pspace_distinct' and pspace_no_overlap' ptr sz and K (range_cover ptr sz (APIType_capBits ty us) n \ 0 < n)\ createNewCaps ty ptr n us \\_. ct_active'\" apply (simp add: ct_in_state'_def) apply (rule hoare_pre) apply wps apply (wp createNewCaps_pred_tcb_at'[where sz=sz]) apply simp done crunch gsMaxObjectSize[wp]: deleteObjects "\s. P (gsMaxObjectSize s)" (simp: unless_def wp: crunch_wps) lemma invokeUntyped_invs'': "ui = Retype cref ptr_base ptr tp us slots \ \invs' and valid_untyped_inv' ui and ct_active'\ invokeUntyped ui \\rv. invs'\" apply (cases ui, simp) apply (rule hoare_name_pre_state) apply (clarsimp simp del: split_paired_All split_paired_Ex split_paired_Ball invokeUntyped_def) apply (rename_tac s sz idx) proof - fix s sz idx assume cte_wp_at': "cte_wp_at' (\cte. cteCap cte = capability.UntypedCap (ptr && ~~ mask sz) sz idx) cref s" assume cover : "range_cover ptr sz (APIType_capBits tp us) (length slots)" assume vslot : "slots \ []" assume desc_range: "ptr = ptr && ~~ mask sz \ descendants_range_in' {ptr..ptr + 2 ^ sz - 1} (cref) (ctes_of s)" assume misc : "distinct slots" "cref \ set slots" "ct_active' s" "tp = APIObjectType ArchTypes_H.apiobject_type.CapTableObject \ 0 < us" "tp = APIObjectType ArchTypes_H.apiobject_type.Untyped \ 4 \ us \ us \ 30" "idx \ unat (ptr && mask sz) \ ptr = ptr && ~~ mask sz" "invs' s" "\slot\set slots. ex_cte_cap_wp_to' (\_. True) slot s" "\slot\set slots. cte_wp_at' (\c. cteCap c = capability.NullCap) slot s" "ct_active' s" "sch_act_simple s" have pf: "invokeUntyped_proofs s cref ptr tp us slots sz idx" using cte_wp_at' cover vslot desc_range misc by (simp add:invokeUntyped_proofs_def) have of_nat_length: "(of_nat (length slots)::word32) - (1::word32) < (of_nat (length slots)::word32)" using vslot using range_cover.range_cover_le_n_less(1)[OF cover,where p = "length slots"] apply - apply (case_tac slots) apply clarsimp+ apply (subst add.commute) apply (subst word_le_make_less[symmetric]) apply (rule less_imp_neq) apply (simp add:word_bits_def minus_one_norm) apply (rule word_of_nat_less) apply auto done have us_align[simp]:"is_aligned ((ptr && mask sz) + 2 ^ APIType_capBits tp us * of_nat (length slots)) 4" using misc cover apply - apply (rule aligned_add_aligned[OF aligned_after_mask]) apply (rule range_cover.aligned[OF cover]) apply (rule is_aligned_weaken) apply (rule is_aligned_shiftl_self[unfolded shiftl_t2n]) apply (case_tac tp,(clarsimp simp:APIType_capBits_def objBits_simps split: ArchTypes_H.apiobject_type.splits)+)[1] apply (simp add:range_cover_def) apply (case_tac tp,(clarsimp simp:APIType_capBits_def objBits_simps split: ArchTypes_H.apiobject_type.splits)+)[1] done note not_0_ptr[simp] = invokeUntyped_proofs.not_0_ptr [OF pf] note subset_stuff[simp] = invokeUntyped_proofs.subset_stuff[OF pf] have non_detype_idx_le[simp]: "ptr \ ptr && ~~ mask sz \ idx < 2^sz" using misc apply clarsimp apply (erule le_less_trans) apply (rule unat_less_helper) apply simp apply (rule le_less_trans) apply (rule word_and_le1) apply (simp add:mask_def) apply (rule minus_one_helper) apply simp using cover apply (clarsimp simp:range_cover_def) done note blah[simp del] = untyped_range.simps usable_untyped_range.simps atLeastAtMost_iff atLeastatMost_subset_iff atLeastLessThan_iff Int_atLeastAtMost atLeastatMost_empty_iff split_paired_Ex usableUntypedRange.simps note descendants_range[simp] = invokeUntyped_proofs.descendants_range[OF pf] note vc'[simp] = invokeUntyped_proofs.vc'[OF pf] note ps_no_overlap'[simp] = invokeUntyped_proofs.ps_no_overlap'[OF pf] note caps_no_overlap'[simp] = invokeUntyped_proofs.caps_no_overlap'[OF pf] note ex_cte_no_overlap' = invokeUntyped_proofs.ex_cte_no_overlap'[OF pf] note cref_inv = invokeUntyped_proofs.cref_inv[OF pf] note slots_invD = invokeUntyped_proofs.slots_invD[OF pf] note nidx[simp] = add_minus_neg_mask[where ptr = ptr] note idx_compare' = invokeUntyped_proofs.idx_compare'[OF pf] have idx_compare : "\unat ((ptr && mask sz) + of_nat (length slots) * 2 ^ APIType_capBits tp us) < 2 ^ sz;ptr \ ptr && ~~ mask sz\ \ (ptr && ~~ mask sz) + of_nat idx \ ptr + (of_nat (length slots) << APIType_capBits tp us)" apply (rule range_cover_idx_compare[OF cover ]) apply assumption+ apply (frule non_detype_idx_le) apply (erule less_imp_le) using misc apply simp done have usable_range_subset: "ptr && ~~ mask sz \ ptr \ usableUntypedRange (capability.UntypedCap (ptr &&~~ mask sz) sz (getFreeIndex (ptr &&~~ mask sz) (ptr + of_nat (length slots) * 2 ^ APIType_capBits tp us))) \ usableUntypedRange (capability.UntypedCap (ptr&&~~ mask sz) sz idx)" "ptr && ~~ mask sz \ ptr \usable_untyped_range (cap.UntypedCap (ptr && ~~ mask sz) sz (unat ((ptr && mask sz) + (of_nat (length slots) << (APIType_capBits tp us))))) \ usable_untyped_range (cap.UntypedCap (ptr && ~~ mask sz) sz idx)" apply (simp_all add:blah getFreeIndex_def field_simps nidx) apply (clarsimp) apply (subst add.commute) apply (erule order_trans[OF idx_compare]) apply simp apply (subst word_plus_and_or_coroll2[symmetric,where w = "mask sz"]) apply (simp add:shiftl_t2n field_simps) apply (clarsimp simp:shiftl_t2n nidx field_simps) apply (subst add.commute) apply (erule order_trans[OF idx_compare]) apply simp apply (clarsimp simp:shiftl_t2n add.assoc[symmetric] word_plus_and_or_coroll2[where w = "mask sz"] field_simps) done have valid_global_refs': "valid_global_refs' s" using misc by auto have kernel_data_refs[simp]: "\p2. p2 = ptr && ~~ mask sz \ {ptr .. p2 + 2 ^ sz - 1} \ kernel_data_refs = {}" using cte_wp_at' valid_global_refs' apply (clarsimp simp: cte_wp_at_ctes_of valid_global_refs'_def valid_refs'_def) apply (drule bspec, erule ranI) apply (subst Int_commute, erule disjoint_subset2[rotated]) apply (simp add: atLeastatMost_subset_iff word_and_le2) done have gsMaxObjectSize_0: "0 < gsMaxObjectSize s" using cte_wp_at' valid_global_refs' by (clarsimp simp: valid_global_refs'_def cte_wp_at_ctes_of cte_at_valid_cap_sizes_0) note neg_mask_add_mask = word_plus_and_or_coroll2 [symmetric,where w = "mask sz" and t = ptr,symmetric] note msimp[simp add] = misc getObjectSize_def_eq neg_mask_add_mask show "\op = s\ invokeUntyped (Invocations_H.untyped_invocation.Retype cref (ptr && ~~ mask sz) ptr tp us slots) \\rv. invs'\" apply (clarsimp simp:invokeUntyped_def getSlotCap_def) apply (case_tac "ptr && ~~ mask sz \ ptr") apply (wp createNewObjects_wp_helper[where sz = sz]) apply simp+ apply (rule cover) apply simp using vslot apply simp apply (clarsimp simp:insertNewCaps_def) apply (insert misc cover vslot) apply (wp zipWithM_x_insertNewCap_invs'' set_tuple_pick distinct_tuple_helper hoare_vcg_const_Ball_lift createNewCaps_invs'[where sz = sz] createNewCaps_valid_cap[where sz = sz,OF cover] createNewCaps_parent_helper[where sz = sz and ptr_base = "ptr && ~~ mask sz"] createNewCaps_cap_to'[where sz = sz] createNewCaps_descendants_range_ret'[where sz = sz] createNewCaps_caps_overlap_reserved_ret'[where sz = sz] createNewCaps_ranges[where sz = sz] createNewCaps_ranges'[where sz = sz] createNewCaps_IRQHandler createNewCaps_ct_active'[where sz=sz] | simp add: zipWithM_x_mapM)+ apply (wp hoare_vcg_all_lift) apply (wp hoare_strengthen_post[OF createNewCaps_IRQHandler]) apply (intro impI) apply (erule impE) apply (erule(1) snd_set_zip_in_set) apply (wp hoare_strengthen_post[OF createNewCaps_range_helper[where sz = sz]]) apply clarsimp apply (clarsimp simp:conj_comms ball_conj_distrib pred_conj_def simp del:capFreeIndex_update.simps) apply (strengthen invs_pspace_aligned' invs_pspace_distinct' invs_valid_pspace' invs_arch_state' imp_consequent[where Q = "(\x. x \ set slots)"] | clarsimp simp:conj_comms not_0_ptr simp del:capFreeIndex_update.simps)+ apply (wp updateFreeIndex_invs' updateFreeIndex_caps_overlap_reserved' updateFreeIndex_caps_no_overlap'' updateFreeIndex_pspace_no_overlap' hoare_vcg_const_Ball_lift updateCap_weak_cte_wp_at updateCap_ct_active') apply (simp add:ex_cte_cap_wp_to'_def) apply wps apply (rule hoare_vcg_ex_lift) apply (wp updateCap_weak_cte_wp_at updateCap_ct_active' getCTE_wp hoare_vcg_ball_lift) apply (wp updateFreeIndex_caps_overlap_reserved' updateFreeIndex_descendants_range_in' getCTE_wp | simp)+ using cte_wp_at' apply (clarsimp simp: cte_wp_at_ctes_of isCap_simps getFreeIndex_def shiftL_nat shiftl_t2n gsMaxObjectSize_0) apply (intro conjI) apply (simp add: range_cover_unat[OF cover,unfolded size_eq] range_cover.unat_of_nat_shift size_eq field_simps)+ apply (clarsimp dest!: range_cover.range_cover_compare_bound) apply (simp add: invs_valid_pspace') using `invs' s` apply (simp add: invs'_def valid_state'_def) apply (clarsimp dest!: slots_invD simp: ex_cte_cap_wp_to'_def cte_wp_at_ctes_of) apply (rule_tac x = crefa in exI) apply clarsimp apply simp+ apply (rule subset_trans[OF subset_stuff]) apply (clarsimp simp:blah word_and_le2) apply (simp add:field_simps) apply (rule invokeUntyped_proofs.usableRange_disjoint[OF pf]) apply (drule ps_no_overlap') using misc apply - apply (frule invs_valid_idle') apply (clarsimp simp:valid_idle'_def pred_tcb_at'_def obj_at'_def) apply (frule obj_at_in_obj_range') apply (simp add:invs_pspace_aligned') apply (drule(1) pspace_no_overlapD') apply blast apply (clarsimp simp:insertNewCaps_def) apply (insert misc cover vslot) apply (wp createNewObjects_wp_helper[where sz = sz]) apply simp+ apply (clarsimp simp:insertNewCaps_def) apply (wp zipWithM_x_insertNewCap_invs'' set_tuple_pick distinct_tuple_helper hoare_vcg_const_Ball_lift createNewCaps_invs'[where sz = sz] createNewCaps_valid_cap[where sz = sz,OF cover] createNewCaps_parent_helper[where sz = sz] createNewCaps_cap_to'[where sz = sz] createNewCaps_descendants_range_ret'[where sz = sz] createNewCaps_caps_overlap_reserved_ret'[where sz = sz] createNewCaps_ranges[where sz = sz] createNewCaps_ranges'[where sz = sz] createNewCaps_IRQHandler createNewCaps_ct_active' | simp add:zipWithM_x_mapM)+ apply (wp hoare_vcg_all_lift) apply (wp hoare_strengthen_post[OF createNewCaps_IRQHandler]) apply (intro impI) apply (erule impE) apply (erule(1) snd_set_zip_in_set) apply (wp hoare_strengthen_post[OF createNewCaps_range_helper[where sz = sz]]) apply clarsimp apply (clarsimp simp:conj_comms ball_conj_distrib pred_conj_def simp del:capFreeIndex_update.simps) apply (strengthen invs_pspace_aligned' invs_pspace_distinct' invs_valid_pspace' invs_arch_state' imp_consequent[where Q = "(\x. x \ set slots)"] | clarsimp simp:conj_comms not_0_ptr simp del:capFreeIndex_update.simps)+ apply (wp updateFreeIndex_invs_simple' updateFreeIndex_caps_overlap_reserved' updateFreeIndex_caps_no_overlap''[where sz = sz] updateFreeIndex_pspace_no_overlap'[where sz = sz] hoare_vcg_const_Ball_lift updateCap_weak_cte_wp_at) apply (simp add:ex_cte_cap_wp_to'_def) apply wps apply (rule hoare_vcg_ex_lift) apply (wp updateCap_weak_cte_wp_at getCTE_wp updateCap_ct_active' hoare_vcg_ball_lift) apply (wp updateFreeIndex_caps_overlap_reserved' updateFreeIndex_descendants_range_in' getCTE_wp) apply (strengthen imp_consequent[where Q="\ cNodeOverlap A B" for A B]) apply (clarsimp simp: conj_comms split del: split_if) apply (strengthen invs_pspace_aligned' invs_valid_pspace' imp_consequent invs_pspace_distinct' invs_arch_state invs_psp_aligned) apply (clarsimp simp:conj_comms isCap_simps shiftL_nat field_simps range_cover.unat_of_nat_shift[OF cover le_refl,simplified]) apply (rule_tac P = "cteCap cte = capability.UntypedCap (ptr && ~~ mask sz) sz idx" in hoare_gen_asm) apply simp apply (wp deleteObjects_invs'[where idx = idx and p = "cref"] deleteObjects_caps_no_overlap''[where idx = idx and slot = "cref"] deleteObject_no_overlap[where idx = idx] deleteObjects_cte_wp_at'[where idx = idx and ptr = ptr and bits = sz] deleteObjects_caps_overlap_reserved'[where idx = idx and slot = "cref"] deleteObjects_descendants[where idx = idx and p = "cref"] hoare_vcg_ball_lift hoare_drop_imp hoare_vcg_ex_lift deleteObjects_cte_wp_at'[where idx = idx and ptr = ptr and bits = sz] deleteObjects_real_cte_at'[where idx = idx and ptr = ptr and bits = sz] deleteObjects_ct_active') apply wps apply (wp deleteObjects_cte_wp_at'[where idx = idx and ptr = ptr and bits = sz])[2] using vc' apply (clarsimp simp:conj_comms ball_conj_distrib descendants_range'_def2 is_aligned_neg_mask_eq) apply (strengthen invs_mdb invs_valid_objs imp_consequent invs_valid_pspace invs_arch_state invs_psp_aligned invs_distinct) apply (wp getCTE_wp) using cte_wp_at' cref_inv misc us_align descendants_range apply (clarsimp simp: is_aligned_neg_mask_eq' invs_valid_pspace' invs_ksCurDomain_maxDomain' cte_wp_at_ctes_of isCap_simps getFreeIndex_def shiftL_nat shiftl_t2n gsMaxObjectSize_0) apply (intro conjI) apply (rule range_cover.sz [where 'a=32, folded word_bits_def, OF cover]) using `invs' s` apply (simp add: invs'_def valid_state'_def) apply fastforce+ apply (clarsimp dest!: slots_invD) apply (simp add:range_cover.unat_of_nat_shift[OF cover] size_eq field_simps)+ apply (subst mult.commute) apply (rule nat_le_power_trans) apply (rule range_cover.range_cover_n_le[OF cover,unfolded size_eq]) apply (rule range_cover.sz[OF cover,unfolded size_eq]) apply (clarsimp simp: mask_out_sub_mask field_simps) using misc apply - apply (frule invs_valid_global') apply (clarsimp simp:valid_global_refs'_def valid_refs'_def) apply (thin_tac "\x\ A. P x" for A P) apply (drule bspec) apply fastforce apply (erule(1) in_empty_interE[OF _ subsetD]) prefer 2 apply simp apply (clarsimp simp:global_refs'_def) apply (cut_tac subset_stuff,simp) using invokeUntyped_proofs.usableRange_disjoint[OF pf] apply (simp add: is_aligned_neg_mask_eq'[symmetric] is_aligned_neg_mask_eq is_aligned_mask getFreeIndex_def) apply (rule ballI) apply (drule(1) bspec)+ apply (clarsimp simp: ex_cte_cap_wp_to'_def cte_wp_at_ctes_of ) apply (rule_tac x = crefa in exI,clarsimp) apply (intro conjI,clarsimp) apply (subgoal_tac "ex_cte_cap_wp_to' (\_. True) p s" for p s) apply (drule ex_cte_no_overlap') apply simp apply (rule if_unsafe_then_capD') apply (auto simp:cte_wp_at_ctes_of invs_unsafe_then_cap') done qed lemma invokeUntyped_invs'[wp]: "\invs' and valid_untyped_inv' ui and ct_active'\ invokeUntyped ui \\rv. invs'\" by (cases ui, erule invokeUntyped_invs'') end