(* * Copyright 2014, NICTA * * This software may be distributed and modified according to the terms of * the GNU General Public License version 2. Note that NO WARRANTY is provided. * See "LICENSE_GPLv2.txt" for details. * * @TAG(NICTA_GPL) *) (* * Well formed constraints of what capDL specifications the system-initialiser can initialise. * * There are two types of constraints: * - fundamental ones (such as that specs must be finite), * and other seL4 limitations (such as that page tables can't be shared). * - limitations of the initialiser. * * The latter are commented with LIMITATION. *) theory WellFormed_SI imports "../proof/capDL-api/Kernel_DP" "../proof/sep-capDL/Separation_SD" "../lib/SimpStrategy" begin lemma cap_has_object_NullCap [simp]: "\cap_has_object NullCap" by (clarsimp simp: cap_has_object_def) lemma cap_has_object_not_NullCap: "cap_has_object cap \ cap \ NullCap" by clarsimp lemma is_irqhandler_cap_not_NullCap: "is_irqhandler_cap cap \ cap \ NullCap" by clarsimp lemma cap_has_object_not_irqhandler_cap: "cap_has_object cap \ \ is_irqhandler_cap cap" by (clarsimp simp: cap_has_object_def cap_type_def split: cdl_cap.splits) lemmas cap_has_object_not_irqhandler_cap_simp[simp] = cap_has_object_not_irqhandler_cap[OF ByAssum] lemmas cap_has_object_not_NullCap_simp[simp] = cap_has_object_not_NullCap[OF ByAssum] lemmas is_irqhandler_cap_not_NullCap_simp[simp] = is_irqhandler_cap_not_NullCap[OF ByAssum] definition cap_ref_object :: "cdl_cap_ref \ cdl_state \ cdl_object_id" where "cap_ref_object cap_ref s \ cap_object (the (opt_cap cap_ref s))" definition cap_ref_irq :: "cdl_cap_ref \ cdl_state \ cdl_irq" where "cap_ref_irq cap_ref s \ cap_irq (the (opt_cap cap_ref s))" definition real_cap_ref :: "cdl_cap_ref \ cdl_state \ bool" where "real_cap_ref cap_ref s \ \cap. opt_cap cap_ref s = Some cap \ cap \ NullCap \ cnode_at (fst cap_ref) s" definition object_cap_ref :: "cdl_cap_ref \ cdl_state \ bool" where "object_cap_ref cap_ref s \ \cap. opt_cap cap_ref s = Some cap \ cap_has_object cap \ cnode_at (fst cap_ref) s" (* MOVE ME *) definition "guard_bits = (18::nat)" lemma guard_less_guard_bits: "\guard_size < guard_bits; (g::word32) < 2 ^ guard_size\ \ g < 2 ^ guard_bits" apply (erule less_le_trans) apply (rule two_power_increasing, simp) apply (clarsimp simp: guard_bits_def) done lemma guard_size_shiftl_non_zero: "\guard_size < guard_bits; guard_size \ 0\ \ ((of_nat guard_size)::word32) << 3 \ 0" apply (rule word_shift_nonzero [where m=guard_bits]) apply clarsimp apply (rule order_less_imp_le) apply (rule guard_less_guard_bits, assumption) apply (insert n_less_equal_power_2 [where n=guard_size]) apply clarsimp apply (rule of_nat_n_less_equal_power_2) apply (clarsimp simp: guard_bits_def) apply (clarsimp simp: guard_bits_def) apply (clarsimp simp: of_nat_0) apply (drule of_nat_0) apply (erule less_le_trans) apply (clarsimp simp: guard_bits_def word_bits_def) apply clarsimp done (* End of MOVE ME *) definition well_formed_cap :: "cdl_cap \ bool" where "well_formed_cap cap \ (case cap of EndpointCap _ b _ \ b < 2 ^ badge_bits | NotificationCap _ b r \ (b < 2 ^ badge_bits) \ (r \ {AllowRead, AllowWrite}) | CNodeCap _ g gs sz \ (gs < guard_bits) \ (g < 2 ^ gs) \ (sz + gs \ 32) | TcbCap _ \ True | FrameCap _ r _ _ ad \ r \ {vm_read_write, vm_read_only} \ ad = None | PageTableCap _ _ ad \ ad = None | PageDirectoryCap _ _ ad \ ad = None | IrqHandlerCap _ \ True (* LIMITATION: The following should probably eventually be true. *) | IrqControlCap \ False | UntypedCap _ _ \ False | AsidControlCap \ False | AsidPoolCap _ _ \ False | _ \ False)" (* LIMITATION: The specification cannot contain ASID numbers. *) definition vm_cap_has_asid :: "cdl_cap \ bool" where "vm_cap_has_asid cap \ (case cap of FrameCap _ _ _ _ ad \ ad \ None | PageTableCap _ _ ad \ ad \ None | PageDirectoryCap _ _ ad \ ad \ None | _ \ False)" definition is_real_vm_cap :: "cdl_cap \ bool" where "is_real_vm_cap cap \ (case cap of FrameCap _ _ _ Real _ \ True | PageTableCap _ Real _ \ True | PageDirectoryCap _ Real _ \ True | _ \ False)" definition is_fake_vm_cap :: "cdl_cap \ bool" where "is_fake_vm_cap cap \ (case cap of FrameCap _ _ _ Fake _ \ True | PageTableCap _ Fake _ \ True | PageDirectoryCap _ Fake _ \ True | _ \ False)" (* Original caps must have default rights, * and original endpoint + notification caps must not be badged. *) definition is_copyable_cap :: "cdl_cap \ bool" where "is_copyable_cap cap \ \ is_irqhandler_cap cap" definition well_formed_orig_cap :: "cdl_cap \ bool" where "well_formed_orig_cap cap \ (cap_has_type cap \ cap_rights (default_cap (the (cap_type cap)) undefined undefined) = cap_rights cap) \ (ep_related_cap cap \ cap_badge cap = 0)" definition well_formed_cdt :: "cdl_state \ cdl_cap_ref \ cdl_cap \ bool" where "well_formed_cdt spec cap_ref cap \ cnode_at (fst cap_ref) spec \ cap_has_object cap \ (\orig_obj_id orig_slot orig_cap. cnode_at orig_obj_id spec \ (\obj. opt_object (cap_object cap) spec = Some obj) \ original_cap_at (orig_obj_id, orig_slot) spec \ opt_cap (orig_obj_id, orig_slot) spec = Some orig_cap \ cap_has_object orig_cap \ cap_object orig_cap = cap_object cap)" (* MOVEME *) lemma well_formed_cdt_irqhandler_cap: "is_irqhandler_cap cap \ well_formed_cdt spec cap_ref cap" by (clarsimp simp: well_formed_cdt_def split: cdl_cap.splits) (* The only thing that points to IRQ objects is the IRQ table (not a cap). *) definition well_formed_cap_to_real_object :: "cdl_state \ cdl_cap \ bool" where "well_formed_cap_to_real_object spec cap \ cap_has_object cap \ real_object_at (cap_object cap) spec" definition well_formed_cap_types_match :: "cdl_state \ cdl_cap \ bool" where "well_formed_cap_types_match spec cap \ (cap_has_object cap \ (\cap_obj. cdl_objects spec (cap_object cap) = Some cap_obj \ cap_type cap = Some (object_type cap_obj))) \ (is_irqhandler_cap cap \ (\cap_obj. cdl_objects spec (cdl_irq_node spec (cap_irq cap)) = Some cap_obj \ cap_type cap = Some (object_type cap_obj)))" definition well_formed_caps :: "cdl_state \ cdl_object_id \ cdl_object \ bool" where "well_formed_caps spec obj_id obj \ \slot cap. object_slots obj slot = Some cap \ cap \ NullCap \ (well_formed_cap cap \ (original_cap_at (obj_id, slot) spec \ well_formed_orig_cap cap) \ (\original_cap_at (obj_id, slot) spec \ is_copyable_cap cap) \ well_formed_cdt spec (obj_id, slot) cap \ well_formed_cap_to_real_object spec cap \ well_formed_cap_types_match spec cap \ ((is_cnode obj \ is_tcb obj) \ (\ is_fake_vm_cap cap)))" definition well_formed_cap_to_object :: "cdl_state \ cdl_object_id \ cdl_object \ bool" where "well_formed_cap_to_object spec obj_id obj \ (\cnode_id slot cap. opt_cap (cnode_id, slot) spec = Some cap \ original_cap_at (cnode_id, slot) spec \ cnode_at cnode_id spec \ (real_object_at obj_id spec \ cap_object cap = obj_id \ cap_has_object cap) \ (\real_object_at obj_id spec \ is_irqhandler_cap cap \ cdl_irq_node spec (cap_irq cap) = obj_id)) \ (\slot cap. (opt_cap slot spec = Some cap \ is_cnode_cap cap \ cap_object cap = obj_id) \ object_size_bits obj = cnode_cap_size cap)" (* For every IRQ object that has a cap in it, * there should be an IRQ handler cap to that object. * There can be more IRQ handler caps than this, * but every object must have a cap to it. *) definition well_formed_irqhandler_caps :: "cdl_state \ bool" where "well_formed_irqhandler_caps spec \ (\irq. irq \ bound_irqs spec \ (\cnode_id slot cap. opt_cap (cnode_id, slot) spec = Some cap \ is_irqhandler_cap cap \ cap_irq cap = irq))" definition well_formed_orig_caps_unique :: "cdl_state \ bool" where "well_formed_orig_caps_unique spec \ \obj_id obj_id' slot slot' cap cap'. cnode_at obj_id spec \ cnode_at obj_id' spec \ cap_has_object cap \ cap_has_object cap' \ opt_cap (obj_id, slot) spec = Some cap \ opt_cap (obj_id', slot') spec = Some cap' \ cap \ NullCap \ original_cap_at (obj_id, slot) spec \ cap' \ NullCap \ original_cap_at (obj_id', slot') spec \ cap_object cap = cap_object cap' \ (obj_id = obj_id' \ slot = slot')" definition well_formed_irqhandler_caps_unique :: "cdl_state \ bool" where "well_formed_irqhandler_caps_unique spec \ \obj_id obj_id' slot slot' cap cap'. opt_cap (obj_id, slot) spec = Some cap \ opt_cap (obj_id', slot') spec = Some cap' \ is_irqhandler_cap cap \ is_irqhandler_cap cap' \ cap_irq cap = cap_irq cap' \ (obj_id = obj_id' \ slot = slot')" definition well_formed_tcb :: "cdl_state \ cdl_object_id \ cdl_object \ bool" where "well_formed_tcb spec obj_id obj \ is_tcb obj \ \ tcb_has_fault obj \ tcb_domain obj = minBound \ (\slot cap. object_slots obj slot = Some cap \ ((slot = tcb_cspace_slot \ is_cnode_cap cap \ cap_guard_size cap \ 0 \ cap_object cap \ irq_nodes spec) \ (slot = tcb_vspace_slot \ is_pd_cap cap) \ (slot = tcb_ipcbuffer_slot \ is_frame_cap cap \ is_default_cap cap) \ (slot = tcb_replycap_slot \ cap = NullCap \ cap = MasterReplyCap obj_id) \ (slot = tcb_caller_slot \ cap = NullCap) \ (slot = tcb_pending_op_slot \ cap = NullCap \ cap = RestartCap) \ (slot = tcb_boundntfn_slot \ cap = NullCap) )) \ ((object_slots obj tcb_replycap_slot = Some (MasterReplyCap obj_id)) = (object_slots obj tcb_pending_op_slot = Some RestartCap))" definition well_formed_fake_pt_caps_unique :: "cdl_state \ bool" where "well_formed_fake_pt_caps_unique spec \ \obj_id obj_id' slot slot' cap cap'. pd_at obj_id spec \ pd_at obj_id' spec \ opt_cap (obj_id, slot) spec = Some cap \ opt_cap (obj_id', slot') spec = Some cap' \ cap \ NullCap \ is_fake_pt_cap cap \ cap' \ NullCap \ is_fake_pt_cap cap' \ cap_object cap = cap_object cap' \ (obj_id = obj_id' \ slot = slot')" definition well_formed_cap_to_non_empty_pt :: "cdl_state \ cdl_object_id \ cdl_object \ bool" where "well_formed_cap_to_non_empty_pt spec obj_id obj \ pt_at obj_id spec \ object_default_state obj \ obj \ (\pd_id slot cap. opt_cap (pd_id, slot) spec = Some cap \ pd_at pd_id spec \ cap_object cap = obj_id \ cap_has_object cap)" definition well_formed_vspace :: "cdl_state \ cdl_object_id \ cdl_object \ bool" where "well_formed_vspace spec obj_id obj \ well_formed_cap_to_non_empty_pt spec obj_id obj \ (\slot cap. (is_pt obj \ object_slots obj slot = Some cap \ cap \ NullCap \ (\sz. cap_type cap = Some (FrameType sz) \ (sz = 12 \ sz = 16) \ is_fake_vm_cap cap) ) \ (is_pd obj \ object_slots obj slot = Some cap \ cap \ NullCap \ (is_fake_pt_cap cap \ (\sz. cap_type cap = Some (FrameType sz) \ (sz = 20 \ sz = 24) \ is_fake_vm_cap cap) )))" (* LIMITATION: The caps in a IRQ Node must have full permissions and be unbadged. *) definition well_formed_irq_node :: "cdl_state \ cdl_object_id \ cdl_object \ bool" where "well_formed_irq_node spec obj_id obj \ \slot cap. obj_id \ irq_nodes spec \ dom (object_slots obj) = {0} \ (object_slots obj slot = Some cap \ (cap \ NullCap \ (is_ntfn_cap cap \ is_default_cap cap)))" definition well_formed_irq_table :: "cdl_state \ bool" where "well_formed_irq_table spec \ inj (cdl_irq_node spec) \ irq_nodes spec = {obj_id. \irq. cdl_irq_node spec irq = obj_id \ obj_id \ dom (cdl_objects spec)}" definition well_formed :: "cdl_state \ bool" where "well_formed spec \ well_formed_orig_caps_unique spec \ well_formed_irqhandler_caps_unique spec \ well_formed_fake_pt_caps_unique spec \ well_formed_irqhandler_caps spec \ well_formed_irq_table spec \ (\obj_id. case cdl_objects spec obj_id of Some obj \ well_formed_caps spec obj_id obj \ well_formed_cap_to_object spec obj_id obj \ well_formed_tcb spec obj_id obj \ well_formed_vspace spec obj_id obj \ well_formed_irq_node spec obj_id obj \ object_size_bits obj < word_bits \ object_size_bits (object_default_state obj) = object_size_bits obj \ dom (object_slots (object_default_state obj)) = dom (object_slots obj) \ (cnode_at obj_id spec \ 0 < object_size_bits obj) | None \ True)" lemma dom_cap_map [simp]: "dom (\n. if n \ N then Some a else None) = {0::nat .. N}" by (rule, clarsimp simp: dom_def)+ lemma dom_cap_map' [simp]: "dom (\n. if n < N then Some a else None) = {0::nat ..< N}" by (rule, clarsimp simp: dom_def)+ (******************************* * Rules about well_formed_cap. * *******************************) lemma well_formed_cap_cap_has_object_eq: "\well_formed_cap cap; cap_has_object cap; cap_type cap = cap_type cap'\ \ cap_has_object cap'" by (clarsimp simp: well_formed_cap_def cap_type_def cap_has_object_def split: cdl_cap.splits)+ lemma well_formed_cap_update_cap_objects [simp]: "is_untyped_cap cap \ well_formed_cap (update_cap_objects x cap) = well_formed_cap cap" apply (clarsimp simp: update_cap_object_def update_cap_objects_def well_formed_cap_def) apply (cases cap, simp_all) done lemma well_formed_cap_update_cap_object [simp]: "well_formed_cap (update_cap_object x cap) = well_formed_cap cap" apply (clarsimp simp: update_cap_object_def well_formed_cap_def) apply (cases cap, simp_all add:is_default_cap_def cap_type_def cap_badge_def default_cap_def) done lemma cap_rights_inter_default_cap_rights: "\well_formed_cap cap; cap_type cap = Some type\ \ cap_rights (default_cap type ids sz) \ cap_rights cap = cap_rights cap" by (fastforce simp: well_formed_cap_def default_cap_def cap_type_def cap_rights_def validate_vm_rights_def vm_read_write_def vm_kernel_only_def vm_read_only_def split: cdl_cap.splits cdl_object_type.splits) lemma well_formed_cap_derived_cap [simp]: "\well_formed_cap cap; \ vm_cap_has_asid cap\ \ derived_cap cap = cap" by (clarsimp simp: well_formed_cap_def vm_cap_has_asid_def derived_cap_def not_Some_eq_tuple split: cdl_cap.splits) (********************************* * Rules about well_formed spec. * *********************************) lemma dom_if_0 [simp]: "dom (\a. if a = 0 then Some b else None) = {0}" by (auto split: split_if_asm) lemma well_formed_finite [elim!]: "well_formed spec \ finite (dom (slots_of obj_id spec))" apply (clarsimp simp: well_formed_def) apply (erule_tac x=obj_id in allE) apply (clarsimp simp: opt_object_def slots_of_def split: option.splits) apply (rename_tac obj) apply (drule_tac t="dom (object_slots obj)" in sym) (* Makes rewriting work. *) apply (clarsimp simp: object_default_state_def2 object_slots_def default_tcb_def tcb_pending_op_slot_def empty_cnode_def empty_irq_node_def empty_cap_map_def split: cdl_object.splits) done lemma well_formed_finite_object_slots: "\well_formed spec; cdl_objects spec obj_id = Some obj\ \ finite (dom (object_slots obj))" apply (drule well_formed_finite [where obj_id=obj_id]) apply (clarsimp simp: slots_of_def opt_object_def) done lemma well_formed_distinct_slots_of_list [elim!]: "well_formed spec \ distinct (slots_of_list spec obj_id)" apply (drule_tac obj_id=obj_id in well_formed_finite) apply (clarsimp simp: slots_of_list_def) done lemma well_formed_object_size_bits: "\well_formed spec; cdl_objects spec obj_id = Some obj\ \ object_size_bits (object_default_state obj) = object_size_bits obj" apply (clarsimp simp: well_formed_def) apply (erule_tac x=obj_id in allE) apply (clarsimp) done lemma well_formed_well_formed_caps: "\well_formed spec; cdl_objects spec obj_id = Some obj\ \ well_formed_caps spec obj_id obj" by (clarsimp simp: well_formed_def split: option.splits) lemma well_formed_well_formed_cap: "\well_formed spec; cdl_objects spec obj_id = Some obj; object_slots obj slot = Some cap; cap \ NullCap\ \ well_formed_cap cap" apply (clarsimp simp: well_formed_def) apply (erule_tac x=obj_id in allE) apply (clarsimp simp: well_formed_caps_def) done lemma well_formed_well_formed_cap': "\well_formed spec; opt_cap (obj_id, slot) spec = Some cap; cap \ NullCap\ \ well_formed_cap cap" apply (frule opt_cap_dom_cdl_objects) apply clarsimp apply (frule (1) object_slots_opt_cap, simp) apply (erule (3) well_formed_well_formed_cap) done lemma well_formed_well_formed_cap_to_object: "\well_formed spec; cdl_objects spec obj_id = Some obj\ \ well_formed_cap_to_object spec obj_id obj" by (clarsimp simp: well_formed_def split: option.splits) lemma well_formed_well_formed_cap_to_real_object: "\well_formed spec; cdl_objects spec obj_id = Some obj; object_slots obj slot = Some cap; cap \ NullCap\ \ well_formed_cap_to_real_object spec cap" apply (clarsimp simp: well_formed_def) apply (erule_tac x=obj_id in allE) apply (clarsimp simp: well_formed_caps_def) done lemma well_formed_well_formed_cap_to_real_object': "\well_formed spec; opt_cap cap_ref spec = Some cap; cap \ NullCap\ \ well_formed_cap_to_real_object spec cap" apply (frule opt_cap_dom_cdl_objects) apply (clarsimp split: prod.splits) apply (frule (1) object_slots_opt_capD) apply (erule (3) well_formed_well_formed_cap_to_real_object) done lemma well_formed_well_formed_cap_types_match: "\well_formed spec; cdl_objects spec obj_id = Some obj; object_slots obj slot = Some cap; cap \ NullCap\ \ well_formed_cap_types_match spec cap" apply (clarsimp simp: well_formed_def) apply (erule_tac x=obj_id in allE) apply (clarsimp simp: well_formed_caps_def) done lemma well_formed_well_formed_cap_types_match': "\well_formed spec; opt_cap cap_ref spec = Some cap; cap \ NullCap\ \ well_formed_cap_types_match spec cap" apply (frule opt_cap_dom_cdl_objects) apply (clarsimp) apply (frule (1) object_slots_opt_capD) apply (erule (3) well_formed_well_formed_cap_types_match) done lemma well_formed_cap_object_is_real: "\well_formed spec; opt_cap slot spec = Some cap; cap_has_object cap\ \ real_object_at (cap_object cap) spec" apply (drule (1) well_formed_well_formed_cap_to_real_object', simp) apply (clarsimp simp: well_formed_cap_to_real_object_def) done lemma well_formed_types_match: "\well_formed spec; opt_cap (obj_id, slot) spec = Some cap; cdl_objects spec (cap_object cap) = Some cap_obj; cap_has_object cap\ \ Some (object_type cap_obj) = cap_type cap" apply (frule cap_has_object_not_NullCap) apply (clarsimp simp: well_formed_def) apply (erule_tac x=obj_id in allE) apply (clarsimp simp: opt_cap_def opt_object_def slots_of_def) apply (clarsimp split: option.splits) apply (rename_tac obj) apply (clarsimp simp: well_formed_caps_def well_formed_cap_types_match_def) apply (erule_tac x=slot in allE) apply (clarsimp) done lemma well_formed_object_slots: "\well_formed spec; cdl_objects spec obj_id = Some obj\ \ dom (object_slots obj) = dom (object_slots (object_default_state obj))" apply (clarsimp simp: well_formed_def) apply (erule allE [where x=obj_id]) apply simp done lemma well_formed_slot_object_size_bits: "\well_formed spec; opt_cap (obj_id, slot) spec = Some cap; cdl_objects spec obj_id = Some obj; cnode_at obj_id spec\ \ slot < 2 ^ object_size_bits obj" apply (frule opt_cap_cdl_objects) apply (clarsimp simp: well_formed_def object_at_def is_cnode_def) apply (erule_tac x=obj_id in allE) apply clarsimp apply (clarsimp simp: opt_cap_def opt_object_def) apply (subgoal_tac "slot \ dom (object_slots (object_default_state obj))") apply (thin_tac "dom P = dom Q" for P Q) apply (clarsimp simp: well_formed_caps_def) apply (erule_tac x=slot in allE) apply (clarsimp simp: object_default_state_def2 object_type_def has_slots_def default_tcb_def object_size_bits_def object_slots_def empty_cnode_def empty_cap_map_def pt_size_def pd_size_def split: cdl_object.splits split_if_asm) apply (clarsimp simp: object_slots_slots_of) done lemma well_formed_cnode_object_size_bits: "\well_formed spec; cnode_at obj_id spec; cdl_objects spec obj_id = Some obj\ \ 0 < object_size_bits obj" apply (clarsimp simp: well_formed_def) apply (erule_tac x=obj_id in allE) apply (clarsimp simp: is_cnode_def object_at_def) done lemma well_formed_cnode_object_size_bits_eq: "\well_formed spec; opt_cap slot spec = Some cap; cdl_objects spec (cap_object cap) = Some obj; is_cnode_cap cap\ \ object_size_bits obj = cnode_cap_size cap" apply (frule (1) well_formed_cap_object_is_real) apply (clarsimp simp: cap_has_object_def cap_type_def split: cdl_cap.splits) apply (clarsimp simp: well_formed_def split_def split:option.splits) apply (erule_tac x="cap_object cap" in allE) apply (case_tac slot) apply (clarsimp simp: is_cnode_def opt_object_def well_formed_cap_to_object_def) done lemma slots_of_set [simp]: "well_formed spec \ set (slots_of_list spec obj) = dom (slots_of obj spec)" by (clarsimp simp: slots_of_list_def well_formed_finite) lemma well_formed_well_formed_tcb: "\well_formed spec; cdl_objects spec obj_id = Some obj\ \ well_formed_tcb spec obj_id obj" apply (clarsimp simp: well_formed_def) apply (erule_tac x=obj_id in allE) apply clarsimp done lemma well_formed_well_formed_vspace: "\well_formed spec; cdl_objects spec obj_id = Some obj\ \ well_formed_vspace spec obj_id obj" apply (clarsimp simp: well_formed_def) apply (erule_tac x=obj_id in allE) apply clarsimp done lemma well_formed_well_formed_irq_node: "\well_formed spec; cdl_objects spec obj_id = Some obj\ \ well_formed_irq_node spec obj_id obj" apply (clarsimp simp: well_formed_def) apply (erule_tac x=obj_id in allE) apply clarsimp done lemma well_formed_well_formed_irqhandler_caps: "well_formed spec \ well_formed_irqhandler_caps spec" by (clarsimp simp: well_formed_def) lemma well_formed_well_formed_irq_table: "well_formed spec \ well_formed_irq_table spec" by (clarsimp simp: well_formed_def) lemma well_formed_inj_cdl_irq_node: "well_formed spec \ inj (cdl_irq_node spec)" by (clarsimp simp: well_formed_def well_formed_irq_table_def) lemma well_formed_vm_cap_has_asid: "\well_formed spec; cdl_objects spec obj_id = Some obj; object_slots obj slot = Some cap\ \ \vm_cap_has_asid cap" apply (case_tac "cap = NullCap") apply (clarsimp simp: vm_cap_has_asid_def) apply (drule (3) well_formed_well_formed_cap) apply (clarsimp simp: well_formed_cap_def vm_cap_has_asid_def split: cdl_cap.splits) done lemma is_fake_vm_cap_cap_type: "is_fake_vm_cap cap \ (\sz. cap_type cap = Some (FrameType sz)) \ (cap_type cap = Some PageTableType) \ (cap_type cap = Some PageDirectoryType)" by (clarsimp simp: is_fake_vm_cap_def cap_type_def split: cdl_cap.splits) lemma well_formed_irq_node_in_irq_nodes: "\well_formed spec; cdl_objects spec obj_id = Some obj; is_irq_node obj\ \