(* * Copyright 2014, General Dynamics C4 Systems * * This software may be distributed and modified according to the terms of * the GNU General Public License version 2. Note that NO WARRANTY is provided. * See "LICENSE_GPLv2.txt" for details. * * @TAG(GD_GPL) *) theory KHeap_R imports "../../invariant-abstract/$L4V_ARCH/ArchDetSchedSchedule_AI" Machine_R begin lemma lookupAround2_known1: "m x = Some y \ fst (lookupAround2 x m) = Some (x, y)" by (fastforce simp: lookupAround2_char1) context begin interpretation Arch . (*FIXME: arch_split*) lemma obj_at_getObject: assumes R: "\a b p q n ko s obj::'a::pspace_storable. \ (a, b) \ fst (loadObject t t n ko s); projectKO_opt ko = Some obj \ \ a = obj" shows "\obj_at' P t\ getObject t \\(rv::'a::pspace_storable) s. P rv\" by (auto simp: getObject_def obj_at'_def in_monad valid_def split_def projectKOs lookupAround2_known1 dest: R) declare projectKO_inv [wp] lemma loadObject_default_inv: "\P\ loadObject_default addr addr' next obj \\rv. P\" apply (simp add: loadObject_default_def magnitudeCheck_def alignCheck_def unless_def alignError_def | wp hoare_vcg_split_case_option hoare_drop_imps hoare_vcg_all_lift)+ done lemma getObject_inv: assumes x: "\p q n ko. \P\ loadObject p q n ko \\(rv :: 'a :: pspace_storable). P\" shows "\P\ getObject p \\(rv :: 'a :: pspace_storable). P\" by (simp add: getObject_def split_def | wp x)+ lemma getObject_inv_tcb [wp]: "\P\ getObject l \\(rv :: Structures_H.tcb). P\" apply (rule getObject_inv) apply simp apply (rule loadObject_default_inv) done end (* FIXME: this should go somewhere in spec *) translations (type) "'a kernel" <=(type) "kernel_state \ ('a \ kernel_state) set \ bool" context begin interpretation Arch . (*FIXME: arch_split*) lemma no_fail_loadObject_default [wp]: "no_fail (\s. \obj. projectKO_opt ko = Some (obj::'a) \ is_aligned p (objBits obj) \ q = p \ case_option True (\x. 2 ^ (objBits obj) \ x - p) n) (loadObject_default p q n ko :: ('a::pre_storable) kernel)" apply (simp add: loadObject_default_def split_def projectKO_def alignCheck_def alignError_def magnitudeCheck_def unless_def) apply (rule no_fail_pre) apply (wp case_option_wp) apply (clarsimp simp: is_aligned_mask) apply (clarsimp split: option.split_asm) apply (clarsimp simp: is_aligned_mask[symmetric]) apply simp done lemma no_fail_getObject_tcb [wp]: "no_fail (tcb_at' t) (getObject t :: tcb kernel)" apply (simp add: getObject_def split_def) apply (rule no_fail_pre) apply wp apply (clarsimp simp add: obj_at'_def projectKOs objBits_simps cong: conj_cong) apply (rule ps_clear_lookupAround2, assumption+) apply simp apply (simp add: field_simps) apply (erule is_aligned_no_wrap') apply simp apply (fastforce split: option.split_asm simp: objBits_simps archObjSize_def) done lemma typ_at_to_obj_at': "typ_at' (koType (TYPE ('a :: pspace_storable))) p s = obj_at' (\ :: 'a \ bool) p s" by (simp add: typ_at'_def obj_at'_real_def project_koType[symmetric]) lemmas typ_at_to_obj_at_arches = typ_at_to_obj_at'[where 'a=pte, simplified] typ_at_to_obj_at' [where 'a=pde, simplified] typ_at_to_obj_at'[where 'a=asidpool, simplified] typ_at_to_obj_at'[where 'a=user_data, simplified] typ_at_to_obj_at'[where 'a=user_data_device, simplified] lemmas page_table_at_obj_at' = page_table_at'_def[unfolded typ_at_to_obj_at_arches] lemma no_fail_getASIDPool [wp]: "no_fail (asid_pool_at' p) (getObject p :: asidpool kernel)" apply (simp add: getObject_def split_def) apply (rule no_fail_pre) apply wp apply (clarsimp simp add: obj_at'_def projectKOs objBits_simps typ_at_to_obj_at_arches cong: conj_cong) apply (rule ps_clear_lookupAround2, assumption+) apply simp apply (simp add: archObjSize_def) apply (erule is_aligned_no_overflow) apply (clarsimp split: option.split_asm simp: objBits_simps archObjSize_def) done lemma no_fail_getPDE [wp]: "no_fail (pde_at' p) (getObject p :: pde kernel)" apply (simp add: getObject_def split_def) apply (rule no_fail_pre) apply wp apply (clarsimp simp add: obj_at'_def projectKOs objBits_simps typ_at_to_obj_at_arches cong: conj_cong) apply (rule ps_clear_lookupAround2, assumption+) apply simp apply (erule is_aligned_no_overflow) apply clarsimp apply (clarsimp split: option.split_asm simp: objBits_simps archObjSize_def) done lemma corres_get_tcb [corres]: "corres (tcb_relation \ the) (tcb_at t) (tcb_at' t) (gets (get_tcb t)) (getObject t)" apply (rule corres_no_failI) apply wp apply (clarsimp simp add: gets_def get_def return_def bind_def get_tcb_def) apply (frule in_inv_by_hoareD [OF getObject_inv_tcb]) apply (clarsimp simp add: obj_at_def is_tcb obj_at'_def projectKO_def projectKO_opt_tcb split_def getObject_def loadObject_default_def in_monad) apply (case_tac koa) apply (simp_all add: fail_def return_def) apply (case_tac bb) apply (simp_all add: fail_def return_def) apply (clarsimp simp add: state_relation_def pspace_relation_def) apply (drule bspec) apply clarsimp apply blast apply (clarsimp simp add: other_obj_relation_def lookupAround2_known1) done lemma lookupAround2_same1[simp]: "(fst (lookupAround2 x s) = Some (x, y)) = (s x = Some y)" apply (rule iffI) apply (simp add: lookupAround2_char1) apply (simp add: lookupAround2_known1) done lemma getObject_tcb_at': "\ \ \ getObject t \\r::tcb. tcb_at' t\" by (clarsimp simp: valid_def getObject_def in_monad loadObject_default_def obj_at'_def projectKOs split_def in_magnitude_check objBits_simps) text {* updateObject_cte lemmas *} lemma koType_objBitsKO: "koTypeOf k = koTypeOf k' \ objBitsKO k = objBitsKO k'" by (auto simp: objBitsKO_def archObjSize_def split: Structures_H.kernel_object.splits ARM_H.arch_kernel_object.splits) lemma updateObject_objBitsKO: "(ko', t') \ fst (updateObject (val :: 'a :: pspace_storable) ko p q n t) \ objBitsKO ko' = objBitsKO ko" apply (drule updateObject_type) apply (erule koType_objBitsKO) done lemma objBitsKO_bounded: "objBitsKO ko \ word_bits" apply (cases ko) apply (simp_all add: word_bits_def pageBits_def pdeBits_def objBitsKO_simps archObjSize_def pteBits_def split: ARM_H.arch_kernel_object.splits) done lemma updateObject_cte_is_tcb_or_cte: fixes cte :: cte and ptr :: word32 shows "\ fst (lookupAround2 p (ksPSpace s)) = Some (q, ko); snd (lookupAround2 p (ksPSpace s)) = n; (ko', s') \ fst (updateObject cte ko p q n s) \ \ (\tcb getF setF. ko = KOTCB tcb \ s' = s \ tcb_cte_cases (p - q) = Some (getF, setF) \ ko' = KOTCB (setF (\x. cte) tcb) \ is_aligned q 9 \ ps_clear q 9 s) \ (\cte'. ko = KOCTE cte' \ ko' = KOCTE cte \ s' = s \ p = q \ is_aligned p cte_level_bits \ ps_clear p cte_level_bits s)" apply (clarsimp simp: updateObject_cte typeError_def alignError_def tcbVTableSlot_def tcbCTableSlot_def to_bl_0 to_bl_1 rev_take objBitsKO_simps in_monad map_bits_to_bl cte_level_bits_def in_magnitude_check field_simps lookupAround2_char1 split: kernel_object.splits) apply (subst(asm) in_magnitude_check3, simp+) apply (simp add: in_monad tcbCTableSlot_def tcbVTableSlot_def tcbReplySlot_def tcbCallerSlot_def tcbIPCBufferSlot_def split: if_split_asm) apply (simp add: in_monad tcbCTableSlot_def tcbVTableSlot_def tcbReplySlot_def tcbCallerSlot_def tcbIPCBufferSlot_def split: if_split_asm) done declare plus_1_less[simp] lemma ps_clear_domE[elim?]: "\ ps_clear x n s; dom (ksPSpace s) = dom (ksPSpace s') \ \ ps_clear x n s'" by (simp add: ps_clear_def) lemma ps_clear_upd: "ksPSpace s y = Some v \ ps_clear x n (ksPSpace_update (\a. ksPSpace s(y \ v')) s') = ps_clear x n s" by (rule iffI | clarsimp elim!: ps_clear_domE | fastforce)+ lemmas ps_clear_updE[elim] = iffD2[OF ps_clear_upd, rotated] lemma typ_at_update_cte: fixes cte :: cte and ptr :: word32 assumes tat: "typ_at' T x s" assumes lup: "fst (lookupAround2 y (ksPSpace s)) = Some (z, ko)" assumes upd: "(r, s') \ fst (updateObject cte ko y z (snd (lookupAround2 y (ksPSpace s))) s)" shows "typ_at' T x (ksPSpace_update (\a. ksPSpace s (z \ r)) s)" using tat lup apply (clarsimp simp add: typ_at'_def ko_wp_at'_def) apply (frule updateObject_cte_is_tcb_or_cte [OF _ refl upd]) apply (clarsimp simp: ps_clear_upd) apply (rule conjI) apply (elim conjE disjE exE) apply (clarsimp simp: objBits_simps ps_clear_upd) apply (clarsimp simp: lookupAround2_char1 objBits_simps ps_clear_upd) apply (clarsimp simp: lookupAround2_char1 objBits_simps ps_clear_upd) apply (clarsimp simp: lookupAround2_char1 ps_clear_upd) done lemma updateObject_default_result: "(x, s'') \ fst (updateObject_default e ko p q n s) \ x = injectKO e" by (clarsimp simp add: updateObject_default_def in_monad) lemma ps_clear_upd': "ksPSpace s y = Some v \ ps_clear x n (s' \ ksPSpace := ksPSpace s(y \ v')\) = ps_clear x n s" by (rule iffI | clarsimp elim!: ps_clear_domE | fastforce)+ lemmas ps_clear_updE'[elim] = iffD2[OF ps_clear_upd', rotated] lemma obj_at_setObject1: assumes R: "\(v::'a::pspace_storable) p q n ko s x s''. (x, s'') \ fst (updateObject v ko p q n s) \ x = injectKO v" assumes Q: "\(v::'a::pspace_storable) (v'::'a). objBits v = objBits v'" shows "\ obj_at' (\x::'a::pspace_storable. True) t \ setObject p (v::'a::pspace_storable) \ \rv. obj_at' (\x::'a::pspace_storable. True) t \" apply (simp add: setObject_def split_def) apply (rule hoare_seq_ext [OF _ hoare_gets_post]) apply (clarsimp simp: valid_def in_monad obj_at'_def projectKOs lookupAround2_char1 project_inject dest!: R) apply (subgoal_tac "objBitsKO (injectKO v) = objBitsKO (injectKO obj)") apply (intro conjI impI, simp_all) apply fastforce+ apply (fold objBits_def) apply (rule Q) done lemma obj_at_setObject2: fixes v :: "'a::pspace_storable" fixes P :: "'b::pspace_storable \ bool" assumes R: "\ko s' (v :: 'a) oko x y n s. (ko, s') \ fst (updateObject v oko x y n s) \ koTypeOf ko \ koType TYPE('b)" shows "\ obj_at' P t \ setObject p (v::'a) \ \rv. obj_at' P t \" apply (simp add: setObject_def split_def) apply (rule hoare_seq_ext [OF _ hoare_gets_post]) apply (clarsimp simp: valid_def in_monad) apply (frule updateObject_type) apply (drule R) apply (clarsimp simp: obj_at'_def projectKOs) apply (rule conjI) apply (clarsimp simp: lookupAround2_char1) apply (drule iffD1 [OF project_koType, OF exI]) apply simp apply (clarsimp simp: ps_clear_upd' lookupAround2_char1) done lemma updateObject_ep_eta: "updateObject (v :: endpoint) = updateObject_default v" by ((rule ext)+, simp) lemma updateObject_tcb_eta: "updateObject (v :: tcb) = updateObject_default v" by ((rule ext)+, simp) lemma updateObject_ntfn_eta: "updateObject (v :: Structures_H.notification) = updateObject_default v" by ((rule ext)+, simp) lemmas updateObject_eta = updateObject_ep_eta updateObject_tcb_eta updateObject_ntfn_eta lemma objBits_type: "koTypeOf k = koTypeOf k' \ objBitsKO k = objBitsKO k'" by (erule koType_objBitsKO) lemma setObject_typ_at_inv: "\typ_at' T p'\ setObject p v \\r. typ_at' T p'\" apply (clarsimp simp: setObject_def split_def) apply (clarsimp simp: valid_def typ_at'_def ko_wp_at'_def in_monad lookupAround2_char1 ps_clear_upd') apply (drule updateObject_type) apply clarsimp apply (drule objBits_type) apply (simp add: ps_clear_upd') done lemma setObject_typ_at_not: "\\s. \ (typ_at' T p' s)\ setObject p v \\r s. \ (typ_at' T p' s)\" apply (clarsimp simp: setObject_def valid_def in_monad split_def) apply (erule notE) apply (clarsimp simp: typ_at'_def ko_wp_at'_def lookupAround2_char1 split: if_split_asm) apply (drule updateObject_type) apply clarsimp apply (drule objBits_type) apply (clarsimp elim!: ps_clear_domE) apply fastforce apply (clarsimp elim!: ps_clear_domE) apply fastforce done lemma setObject_typ_at': "\\s. P (typ_at' T p' s)\ setObject p v \\r s. P (typ_at' T p' s)\" by (blast intro: P_bool_lift setObject_typ_at_inv setObject_typ_at_not) lemmas setObject_typ_ats [wp] = typ_at_lifts [OF setObject_typ_at'] lemma setObject_cte_wp_at2': assumes x: "\x n tcb s t. \ t \ fst (updateObject v (KOTCB tcb) ptr x n s); Q s; lookupAround2 ptr (ksPSpace s) = (Some (x, KOTCB tcb), n) \ \ \tcb'. t = (KOTCB tcb', s) \ (\(getF, setF) \ ran tcb_cte_cases. getF tcb' = getF tcb)" assumes y: "\x n cte s. fst (updateObject v (KOCTE cte) ptr x n s) = {}" shows "\\s. P' (cte_wp_at' P p s) \ Q s\ setObject ptr v \\rv s. P' (cte_wp_at' P p s)\" apply (clarsimp simp add: setObject_def valid_def in_monad split_def) apply (simp add: cte_wp_at_cases' split del: if_split) apply (erule rsubst[where P=P']) apply (rule iffI) apply (erule disjEI) apply (clarsimp simp: ps_clear_upd' lookupAround2_char1 y) apply (erule exEI [where 'a=word32]) apply (clarsimp simp: ps_clear_upd' lookupAround2_char1) apply (drule(1) x) apply (clarsimp simp: lookupAround2_char1 prod_eqI) apply (fastforce dest: bspec [OF _ ranI]) apply (erule disjEI) apply (clarsimp simp: ps_clear_upd' lookupAround2_char1 split: if_split_asm) apply (frule updateObject_type) apply (case_tac ba, simp_all add: y)[1] apply (erule exEI) apply (clarsimp simp: ps_clear_upd' lookupAround2_char1 split: if_split_asm) apply (frule updateObject_type) apply (case_tac ba, simp_all) apply (drule(1) x) apply (clarsimp simp: prod_eqI lookupAround2_char1) apply (fastforce dest: bspec [OF _ ranI]) done lemma setObject_cte_wp_at': assumes x: "\x n tcb s t. \ t \ fst (updateObject v (KOTCB tcb) ptr x n s); Q s; lookupAround2 ptr (ksPSpace s) = (Some (x, KOTCB tcb), n) \ \ \tcb'. t = (KOTCB tcb', s) \ (\(getF, setF) \ ran tcb_cte_cases. getF tcb' = getF tcb)" assumes y: "\x n cte s. fst (updateObject v (KOCTE cte) ptr x n s) = {}" shows "\cte_wp_at' P p and Q\ setObject ptr v \\rv. cte_wp_at' P p\" unfolding pred_conj_def by (rule setObject_cte_wp_at2'[OF x y], assumption+) lemma setObject_ep_pre: assumes "\P and ep_at' p\ setObject p (e::endpoint) \Q\" shows "\P\ setObject p (e::endpoint) \Q\" using assms apply (clarsimp simp: valid_def setObject_def in_monad split_def updateObject_default_def projectKOs in_magnitude_check objBits_simps) apply (drule spec, drule mp, erule conjI) apply (simp add: obj_at'_def projectKOs objBits_simps) apply (simp add: split_paired_Ball) apply (drule spec, erule mp) apply (clarsimp simp: in_monad projectKOs in_magnitude_check) done lemma setObject_ntfn_pre: assumes "\P and ntfn_at' p\ setObject p (e::Structures_H.notification) \Q\" shows "\P\ setObject p (e::Structures_H.notification) \Q\" using assms apply (clarsimp simp: valid_def setObject_def in_monad split_def updateObject_default_def projectKOs in_magnitude_check objBits_simps) apply (drule spec, drule mp, erule conjI) apply (simp add: obj_at'_def projectKOs objBits_simps) apply (simp add: split_paired_Ball) apply (drule spec, erule mp) apply (clarsimp simp: in_monad projectKOs in_magnitude_check) done lemma setObject_tcb_pre: assumes "\P and tcb_at' p\ setObject p (t::tcb) \Q\" shows "\P\ setObject p (t::tcb) \Q\" using assms apply (clarsimp simp: valid_def setObject_def in_monad split_def updateObject_default_def projectKOs in_magnitude_check objBits_simps) apply (drule spec, drule mp, erule conjI) apply (simp add: obj_at'_def projectKOs objBits_simps) apply (simp add: split_paired_Ball) apply (drule spec, erule mp) apply (clarsimp simp: in_monad projectKOs in_magnitude_check) done lemma tcb_ep': "\ tcb_at' p s; ep_at' p s \ \ False" by (clarsimp simp: obj_at'_def projectKOs) lemma setObject_tcb_ep_at: shows "\ ep_at' t \ setObject p (x::tcb) \ \rv. ep_at' t \" apply (rule obj_at_setObject2) apply (auto dest: updateObject_default_result) done lemma obj_at_setObject3: fixes Q::"'a::pspace_storable \ bool" fixes P::"'a::pspace_storable \ bool" assumes R: "\ko s x y n. (updateObject v ko p y n s) = (updateObject_default v ko p y n s)" assumes P: "\(v::'a::pspace_storable). (1 :: word32) < 2 ^ (objBits v)" shows "\(\s. P v)\ setObject p v \\rv. obj_at' P p\" apply (clarsimp simp add: valid_def in_monad obj_at'_def setObject_def split_def projectKOs project_inject objBits_def[symmetric] R updateObject_default_def in_magnitude_check P ps_clear_upd') apply fastforce done lemma setObject_tcb_strongest: "\\s. if t = t' then P tcb else obj_at' P t' s\ setObject t (tcb :: tcb) \\rv. obj_at' P t'\" apply (cases "t = t'") apply simp apply (rule hoare_weaken_pre) apply (rule obj_at_setObject3) apply simp apply (simp add: objBits_simps) apply simp apply (simp add: setObject_def split_def) apply (clarsimp simp: valid_def obj_at'_def split_def in_monad updateObject_default_def projectKOs ps_clear_upd') done lemma getObject_obj_at': assumes x: "\q n ko. loadObject p q n ko = (loadObject_default p q n ko :: ('a :: pspace_storable) kernel)" assumes P: "\(v::'a::pspace_storable). (1 :: word32) < 2 ^ (objBits v)" shows "\ \ \ getObject p \\r::'a::pspace_storable. obj_at' (op = r) p\" by (clarsimp simp: valid_def getObject_def in_monad loadObject_default_def obj_at'_def projectKOs split_def in_magnitude_check lookupAround2_char1 x P project_inject objBits_def[symmetric]) lemma getObject_ep_at': "\ \ \ getObject t \\r::endpoint. ep_at' t\" apply (rule hoare_strengthen_post) apply (rule getObject_obj_at') apply simp apply (simp add: objBits_simps) apply (clarsimp elim!: obj_at'_weakenE) done lemma getObject_valid_obj: assumes x: "\p q n ko. loadObject p q n ko = (loadObject_default p q n ko :: ('a :: pspace_storable) kernel)" assumes P: "\(v::'a::pspace_storable). (1 :: word32) < 2 ^ (objBits v)" shows "\ valid_objs' \ getObject p \\rv::'a::pspace_storable. valid_obj' (injectKO rv) \" apply (rule hoare_chain) apply (rule hoare_vcg_conj_lift) apply (rule getObject_obj_at' [OF x P]) apply (rule getObject_inv) apply (subst x) apply (rule loadObject_default_inv) apply (clarsimp, assumption) apply clarsimp apply (drule(1) obj_at_valid_objs') apply (clarsimp simp: project_inject) done declare fail_inv[simp] declare return_inv[simp] lemma typeError_inv [wp]: "\P\ typeError x y \\rv. P\" by (simp add: typeError_def|wp)+ lemma getObject_cte_inv [wp]: "\P\ (getObject addr :: cte kernel) \\rv. P\" apply (simp add: getObject_def loadObject_cte split_def) apply (clarsimp simp: valid_def in_monad) apply (clarsimp simp: typeError_def in_monad magnitudeCheck_def split: kernel_object.split_asm if_split_asm option.split_asm) done lemma getObject_ko_at: assumes x: "\q n ko. loadObject p q n ko = (loadObject_default p q n ko :: ('a :: pspace_storable) kernel)" assumes P: "\(v::'a::pspace_storable). (1 :: word32) < 2 ^ (objBits v)" shows "\ \ \ getObject p \\r::'a::pspace_storable. ko_at' r p\" by (subst eq_commute, rule getObject_obj_at' [OF x P]) lemma getObject_ko_at_tcb [wp]: "\\\ getObject p \\rv::tcb. ko_at' rv p\" by (rule getObject_ko_at | simp add: objBits_simps)+ lemma OMG_getObject_tcb: "\obj_at' P t\ getObject t \\(tcb :: tcb) s. P tcb\" apply (rule obj_at_getObject) apply (clarsimp simp: loadObject_default_def in_monad projectKOs) done lemma setObject_nosch: assumes x: "\p q n ko. \\s. P (ksSchedulerAction s)\ updateObject val p q n ko \\rv s. P (ksSchedulerAction s)\" shows "\\s. P (ksSchedulerAction s)\ setObject t val \\rv s. P (ksSchedulerAction s)\" apply (simp add: setObject_def split_def) apply (wp x | simp)+ done lemma getObject_ep_inv: "\P\ (getObject addr :: endpoint kernel) \\rv. P\" apply (rule getObject_inv) apply (simp add: loadObject_default_inv) done lemma getObject_ntfn_inv: "\P\ (getObject addr :: Structures_H.notification kernel) \\rv. P\" apply (rule getObject_inv) apply (simp add: loadObject_default_inv) done lemma get_ep_inv'[wp]: "\P\ getEndpoint ep \\rv. P\" by (simp add: getEndpoint_def getObject_ep_inv) lemma get_ntfn_inv'[wp]: "\P\ getNotification ntfn \\rv. P\" by (simp add: getNotification_def getObject_ntfn_inv) lemma get_ep'_valid_ep[wp]: "\ invs' and ep_at' ep \ getEndpoint ep \ valid_ep' \" apply (simp add: getEndpoint_def) apply (rule hoare_chain) apply (rule getObject_valid_obj) apply simp apply (simp add: objBits_simps) apply clarsimp apply (simp add: valid_obj'_def) done lemma get_ntfn'_valid_ntfn[wp]: "\ invs' and ntfn_at' ep \ getNotification ep \ valid_ntfn' \" apply (simp add: getNotification_def) apply (rule hoare_chain) apply (rule getObject_valid_obj) apply simp apply (simp add: objBits_simps) apply clarsimp apply (simp add: valid_obj'_def) done lemma setObject_distinct[wp]: shows "\pspace_distinct'\ setObject p val \\rv. pspace_distinct'\" apply (clarsimp simp: setObject_def split_def valid_def in_monad projectKOs pspace_distinct'_def ps_clear_upd' objBits_def[symmetric] lookupAround2_char1 split: if_split_asm dest!: updateObject_objBitsKO) apply (fastforce dest: bspec[OF _ domI]) apply (fastforce dest: bspec[OF _ domI]) done lemma setObject_aligned[wp]: shows "\pspace_aligned'\ setObject p val \\rv. pspace_aligned'\" apply (clarsimp simp: setObject_def split_def valid_def in_monad projectKOs pspace_aligned'_def ps_clear_upd' objBits_def[symmetric] lookupAround2_char1 split: if_split_asm dest!: updateObject_objBitsKO) apply (fastforce dest: bspec[OF _ domI]) apply (fastforce dest: bspec[OF _ domI]) done lemma set_ep_aligned' [wp]: "\pspace_aligned'\ setEndpoint ep v \\rv. pspace_aligned'\" unfolding setEndpoint_def by wp lemma set_ep_distinct' [wp]: "\pspace_distinct'\ setEndpoint ep v \\rv. pspace_distinct'\" unfolding setEndpoint_def by wp lemma setEndpoint_cte_wp_at': "\cte_wp_at' P p\ setEndpoint ptr v \\rv. cte_wp_at' P p\" unfolding setEndpoint_def apply (rule setObject_cte_wp_at'[where Q="\", simplified]) apply (clarsimp simp add: updateObject_default_def in_monad projectKOs intro!: set_eqI)+ done lemma setEndpoint_pred_tcb_at'[wp]: "\pred_tcb_at' proj P t\ setEndpoint ptr val \\rv. pred_tcb_at' proj P t\" apply (simp add: pred_tcb_at'_def setEndpoint_def) apply (rule obj_at_setObject2) apply (clarsimp simp: updateObject_default_def in_monad) done lemma get_ntfn_ko': "\\\ getNotification ep \\rv. ko_at' rv ep\" apply (simp add: getNotification_def) apply (rule getObject_ko_at) apply simp apply (simp add: objBits_simps) done lemma set_ntfn_aligned'[wp]: "\pspace_aligned'\ setNotification p ntfn \\rv. pspace_aligned'\" unfolding setNotification_def by wp lemma set_ntfn_distinct'[wp]: "\pspace_distinct'\ setNotification p ntfn \\rv. pspace_distinct'\" unfolding setNotification_def by wp lemma setNotification_cte_wp_at': "\cte_wp_at' P p\ setNotification ptr v \\rv. cte_wp_at' P p\" unfolding setNotification_def apply (rule setObject_cte_wp_at'[where Q="\", simplified]) apply (clarsimp simp add: updateObject_default_def in_monad projectKOs intro!: set_eqI)+ done lemma setObject_ep_tcb': "\tcb_at' t\ setObject p (e::endpoint) \\_. tcb_at' t\" apply (rule obj_at_setObject2) apply (clarsimp simp: updateObject_default_def in_monad) done lemma set_ep_tcb' [wp]: "\ tcb_at' t \ setEndpoint ep v \ \rv. tcb_at' t \" by (simp add: setEndpoint_def setObject_ep_tcb') lemma setObject_ntfn_tcb': "\tcb_at' t\ setObject p (e::Structures_H.notification) \\_. tcb_at' t\" apply (rule obj_at_setObject2) apply (clarsimp simp: updateObject_default_def in_monad) done lemma set_ntfn_tcb' [wp]: "\ tcb_at' t \ setNotification ntfn v \ \rv. tcb_at' t \" by (simp add: setNotification_def setObject_ntfn_tcb') lemma pspace_dom_update: "\ ps ptr = Some x; a_type x = a_type v \ \ pspace_dom (ps(ptr \ v)) = pspace_dom ps" apply (simp add: pspace_dom_def dom_fun_upd2 del: dom_fun_upd) apply (rule SUP_cong [OF refl]) apply clarsimp apply (simp add: obj_relation_cuts_def3) done lemmas ps_clear_def3 = ps_clear_def2 [OF order_less_imp_le [OF aligned_less_plus_1]] declare diff_neg_mask[simp del] lemma cte_wp_at_ctes_of: "cte_wp_at' P p s = (\cte. ctes_of s p = Some cte \ P cte)" apply (simp add: cte_wp_at_cases' map_to_ctes_def Let_def cte_level_bits_def objBits_simps split del: if_split) apply (safe del: disjCI) apply (clarsimp simp: ps_clear_def3 field_simps) apply (clarsimp simp: ps_clear_def3 field_simps split del: if_split) apply (frule is_aligned_sub_helper) apply (clarsimp simp: tcb_cte_cases_def split: if_split_asm) apply (case_tac "n = 0") apply (clarsimp simp: field_simps) apply (subgoal_tac "ksPSpace s p = None") apply clarsimp apply (clarsimp simp: field_simps) apply (elim conjE) apply (subst(asm) mask_in_range, assumption) apply (drule arg_cong[where f="\S. p \ S"]) apply (simp add: dom_def field_simps) apply (erule mp) apply (rule ccontr, simp add: linorder_not_le) apply (drule minus_one_helper3) apply clarsimp apply (simp add: field_simps) apply (clarsimp split: if_split_asm del: disjCI) apply (simp add: ps_clear_def3 field_simps) apply (rule disjI2, rule exI[where x="(p - (p && ~~ mask 9))"]) apply (clarsimp simp: ps_clear_def3[where na=9] is_aligned_mask word_bw_assocs) done lemma tcb_cte_cases_small: "\ tcb_cte_cases v = Some (getF, setF) \ \ v < 2 ^ 9" by (simp add: tcb_cte_cases_def split: if_split_asm) lemmas tcb_cte_cases_aligned_helpers = is_aligned_add_helper [OF _ tcb_cte_cases_small] is_aligned_sub_helper [OF _ tcb_cte_cases_small] lemma ctes_of_from_cte_wp_at: assumes x: "\P P' p. \\s. P (cte_wp_at' P' p s) \ Q s\ f \\r s. P (cte_wp_at' P' p s)\" shows "\\s. P (ctes_of s) \ Q s\ f \\rv s. P (ctes_of s)\" apply (clarsimp simp: valid_def elim!: rsubst[where P=P] intro!: ext) apply (case_tac "ctes_of s x", simp_all) apply (drule_tac P1=Not and P'1="\" and p1=x in use_valid [OF _ x], simp_all add: cte_wp_at_ctes_of) apply (drule_tac P1=id and P'1="op = aa" and p1=x in use_valid [OF _ x], simp_all add: cte_wp_at_ctes_of) done lemmas setObject_ctes_of = ctes_of_from_cte_wp_at [OF setObject_cte_wp_at2'] lemma map_to_ctes_upd_cte: "\ s p = Some (KOCTE cte'); is_aligned p 4; {p + 1..p + 15} \ dom s = {} \ \ map_to_ctes (s (p \ (KOCTE cte))) = ((map_to_ctes s) (p \ cte))" apply (rule ext) apply (simp add: map_to_ctes_def Let_def dom_fun_upd2 split del: if_split del: dom_fun_upd) apply (case_tac "x = p") apply (simp add: objBits_simps field_simps) apply (case_tac "(x && ~~ mask (objBitsKO (KOTCB undefined))) = p") apply clarsimp apply (simp del: dom_fun_upd split del: if_split cong: if_cong add: dom_fun_upd2 field_simps objBits_simps) done declare overflow_plus_one_self[simp] lemma map_to_ctes_upd_tcb: "\ s p = Some (KOTCB tcb'); is_aligned p 9; {p + 1..p + 511} \ dom s = {} \ \ map_to_ctes (s (p \ (KOTCB tcb))) = (\x. if \getF setF. tcb_cte_cases (x - p) = Some (getF, setF) \ getF tcb \ getF tcb' then (case tcb_cte_cases (x - p) of Some (getF, setF) \ Some (getF tcb)) else map_to_ctes s x)" apply (subgoal_tac "p && ~~ (mask 9) = p") apply (rule ext) apply (simp add: map_to_ctes_def Let_def dom_fun_upd2 split del: if_split del: dom_fun_upd cong: option.case_cong if_cong) apply (case_tac "x = p") apply (simp add: objBits_simps field_simps map_to_ctes_def) apply (case_tac "x && ~~ mask (objBitsKO (KOTCB undefined)) = p") apply (case_tac "tcb_cte_cases (x - p)") apply (simp split del: if_split cong: if_cong option.case_cong) apply (subgoal_tac "s x = None") apply (simp add: field_simps objBits_simps split del: if_split cong: if_cong option.case_cong) apply clarsimp apply (subst(asm) mask_in_range[where bits="objBitsKO v" for v]) apply (simp add: objBitsKO_def) apply (drule_tac a=x in equals0D) apply (simp add: dom_def objBits_simps field_simps) apply (erule mp) apply (rule ccontr, simp add: linorder_not_le) apply (drule minus_one_helper3, simp) apply (case_tac "tcb_cte_cases (x - p)") apply (simp split del: if_split cong: if_cong option.case_cong) apply (rule FalseE) apply (subst(asm) mask_in_range[where bits="objBitsKO v" for v]) apply (simp add: objBitsKO_def) apply (subgoal_tac "x - p < 2 ^ 9") apply (frule minus_one_helper3) apply (frule(1) is_aligned_no_wrap') apply (drule word_plus_mono_right[where x=p]) apply (simp only: field_simps) apply (erule is_aligned_no_overflow) apply (simp add: objBits_simps field_simps) apply (clarsimp simp: tcb_cte_cases_def objBits_simps field_simps split: if_split_asm) apply (subst mask_in_range, assumption) apply (simp only: atLeastAtMost_iff order_refl simp_thms) apply (erule is_aligned_no_overflow) done lemma map_to_ctes_upd_other: "\ s p = Some ko; case ko of KOTCB tcb \ False | KOCTE cte \ False | _ \ True; case ko' of KOTCB tcb \ False | KOCTE cte \ False | _ \ True \ \ map_to_ctes (s (p \ ko')) = (map_to_ctes s)" apply (rule ext) apply (simp add: map_to_ctes_def Let_def dom_fun_upd2 split del: if_split del: dom_fun_upd cong: if_cong) apply (rule if_cong) apply clarsimp apply fastforce apply clarsimp apply (rule if_cong) apply clarsimp apply fastforce apply clarsimp apply (rule refl) done lemma ctes_of_eq_cte_wp_at': "cte_wp_at' (op = cte) x s \ ctes_of s x = Some cte" by (simp add: cte_wp_at_ctes_of) lemma tcb_cte_cases_change: "tcb_cte_cases x = Some (getF, setF) \ (\getF. (\setF. tcb_cte_cases y = Some (getF, setF)) \ getF (setF f tcb) \ getF tcb) = (x = y \ f (getF tcb) \ getF tcb)" apply (rule iffI) apply (clarsimp simp: tcb_cte_cases_def split: if_split_asm) apply (clarsimp simp: tcb_cte_cases_def split: if_split_asm) done lemma ctes_of_setObject_cte: "\\s. P ((ctes_of s) (p \ cte))\ setObject p (cte :: cte) \\rv s. P (ctes_of s)\" apply (clarsimp simp: setObject_def split_def valid_def in_monad) apply (drule(1) updateObject_cte_is_tcb_or_cte[OF _ refl, rotated]) apply (elim exE conjE disjE rsubst[where P=P]) apply (clarsimp simp: map_to_ctes_upd_tcb field_simps ps_clear_def3 lookupAround2_char1 tcb_cte_cases_change) apply (rule ext, clarsimp) apply (intro conjI impI) apply (clarsimp simp: tcb_cte_cases_def split: if_split_asm) apply (drule(1) cte_wp_at_tcbI'[where P="op = cte"]) apply (simp add: ps_clear_def3 field_simps) apply assumption+ apply (simp add: cte_wp_at_ctes_of) apply (clarsimp simp: map_to_ctes_upd_cte ps_clear_def3 field_simps cte_level_bits_def) done declare foldl_True[simp] lemma real_cte_at': "real_cte_at' p s \ cte_at' p s" by (clarsimp simp add: cte_wp_at_cases' obj_at'_def projectKOs objBits_simps cte_level_bits_def del: disjCI) lemma no_fail_getEndpoint [wp]: "no_fail (ep_at' ptr) (getEndpoint ptr)" apply (simp add: getEndpoint_def getObject_def split_def) apply (rule no_fail_pre) apply wp apply (clarsimp simp add: obj_at'_def projectKOs objBits_simps lookupAround2_known1) apply (erule(1) ps_clear_lookupAround2) apply simp apply (simp add: field_simps) apply (erule is_aligned_no_wrap') apply (simp add: word_bits_conv) apply (clarsimp split: option.split_asm simp: objBits_simps archObjSize_def) done lemma get_ep_corres [corres]: "corres ep_relation (ep_at ptr) (ep_at' ptr) (get_endpoint ptr) (getEndpoint ptr)" apply (rule corres_no_failI) apply wp apply (simp add: get_endpoint_def getEndpoint_def get_object_def getObject_def bind_assoc) apply (clarsimp simp: in_monad split_def bind_def gets_def get_def return_def) apply (clarsimp simp add: assert_def fail_def obj_at_def return_def is_ep) apply (clarsimp simp: loadObject_default_def in_monad projectKOs in_magnitude_check objBits_simps) apply (clarsimp simp add: state_relation_def pspace_relation_def) apply (drule bspec) apply blast apply (simp add: other_obj_relation_def) done declare magnitudeCheck_inv [wp] declare alignCheck_inv [wp] lemma setObject_ct_inv: "\\s. P (ksCurThread s)\ setObject t (v::tcb) \\rv s. P (ksCurThread s)\" apply (simp add: setObject_def split_def) apply (wp updateObject_default_inv | simp)+ done lemma setObject_cd_inv: "\\s. P (ksCurDomain s)\ setObject t (v::tcb) \\rv s. P (ksCurDomain s)\" apply (simp add: setObject_def split_def) apply (wp updateObject_default_inv | simp)+ done lemma setObject_it_inv: "\\s. P (ksIdleThread s)\ setObject t (v::tcb) \\rv s. P (ksIdleThread s)\" apply (simp add: setObject_def split_def) apply (wp updateObject_default_inv | simp)+ done lemma setObject_sa_inv: "\\s. P (ksSchedulerAction s)\ setObject t (v::tcb) \\rv s. P (ksSchedulerAction s)\" apply (simp add: setObject_def split_def) apply (wp updateObject_default_inv | simp)+ done lemma setObject_ksDomSchedule_inv: "\\s. P (ksDomSchedule s)\ setObject t (v::tcb) \\rv s. P (ksDomSchedule s)\" apply (simp add: setObject_def split_def) apply (wp updateObject_default_inv | simp)+ done lemma other_obj_case_helper: "other_obj_relation ob ob' \ (case ob of CNode sz cs \ P sz cs | _ \ Q) = Q" by (case_tac ob, simp_all add: other_obj_relation_def) lemma projectKO_def2: "projectKO ko = assert_opt (projectKO_opt ko)" by (simp add: projectKO_def assert_opt_def) lemma no_fail_magnitudeCheck[wp]: "no_fail (\s. case y of None \ True | Some z \ 2 ^ n \ z - x) (magnitudeCheck x y n)" apply (clarsimp simp add: magnitudeCheck_def split: option.splits) apply (rule no_fail_pre, wp) apply simp done lemma no_fail_setObject_other [wp]: fixes ob :: "'a :: pspace_storable" assumes x: "updateObject ob = updateObject_default ob" shows "no_fail (obj_at' (\k::'a. objBits k = objBits ob) ptr) (setObject ptr ob)" apply (simp add: setObject_def x split_def updateObject_default_def projectKO_def2 alignCheck_def alignError_def) apply (rule no_fail_pre) apply (wp ) apply (clarsimp simp: is_aligned_mask[symmetric] obj_at'_def objBits_def[symmetric] projectKOs project_inject lookupAround2_known1) apply (erule(1) ps_clear_lookupAround2) apply simp apply (erule is_aligned_get_word_bits) apply (subst add_diff_eq[symmetric]) apply (erule is_aligned_no_wrap') apply simp apply simp apply fastforce done lemma obj_relation_cut_same_type: "\ (y, P) \ obj_relation_cuts ko x; P ko z; (y', P') \ obj_relation_cuts ko' x'; P' ko' z \ \ (a_type ko = a_type ko') \ (\n n'. a_type ko = ACapTable n \ a_type ko' = ACapTable n') \ (\sz sz'. a_type ko = AArch (AUserData sz) \ a_type ko' = AArch (AUserData sz')) \ (\sz sz'. a_type ko = AArch (ADeviceData sz) \ a_type ko' = AArch (ADeviceData sz'))" apply (rule ccontr) apply (simp add: obj_relation_cuts_def2 a_type_def) apply (auto simp: other_obj_relation_def cte_relation_def pte_relation_def pde_relation_def split: Structures_A.kernel_object.split_asm if_split_asm Structures_H.kernel_object.split_asm ARM_A.arch_kernel_obj.split_asm) done definition exst_same :: "Structures_H.tcb \ Structures_H.tcb \ bool" where "exst_same tcb tcb' \ tcbPriority tcb = tcbPriority tcb' \ tcbTimeSlice tcb = tcbTimeSlice tcb' \ tcbDomain tcb = tcbDomain tcb'" fun exst_same' :: "Structures_H.kernel_object \ Structures_H.kernel_object \ bool" where "exst_same' (KOTCB tcb) (KOTCB tcb') = exst_same tcb tcb'" | "exst_same' _ _ = True" lemma set_other_obj_corres: fixes ob' :: "'a :: pspace_storable" assumes x: "updateObject ob' = updateObject_default ob'" assumes z: "\s. obj_at' P ptr s \ map_to_ctes ((ksPSpace s) (ptr \ injectKO ob')) = map_to_ctes (ksPSpace s)" assumes t: "is_other_obj_relation_type (a_type ob)" assumes b: "\ko. P ko \ objBits ko = objBits ob'" assumes e: "\ko. P ko \ exst_same' (injectKO ko) (injectKO ob')" assumes P: "\(v::'a::pspace_storable). (1 :: word32) < 2 ^ (objBits v)" shows "other_obj_relation ob (injectKO (ob' :: 'a :: pspace_storable)) \ corres dc (obj_at (\ko. a_type ko = a_type ob) ptr and obj_at (same_caps ob) ptr) (obj_at' (P :: 'a \ bool) ptr) (set_object ptr ob) (setObject ptr ob')" apply (rule corres_no_failI) apply (rule no_fail_pre) apply wp apply (rule x) apply (clarsimp simp: b elim!: obj_at'_weakenE) apply (unfold set_object_def setObject_def) apply (clarsimp simp: in_monad split_def bind_def gets_def get_def Bex_def put_def return_def modify_def get_object_def x projectKOs updateObject_default_def in_magnitude_check [OF _ P]) apply (clarsimp simp add: state_relation_def z) apply (clarsimp simp add: caps_of_state_after_update cte_wp_at_after_update swp_def fun_upd_def obj_at_def) apply (subst conj_assoc[symmetric]) apply (rule conjI[rotated]) apply (clarsimp simp add: ghost_relation_def) apply (erule_tac x=ptr in allE)+ apply (clarsimp simp: obj_at_def a_type_def split: Structures_A.kernel_object.splits if_split_asm) apply (simp split: arch_kernel_obj.splits if_splits) apply (fold fun_upd_def) apply (simp only: pspace_relation_def pspace_dom_update dom_fun_upd2 simp_thms) apply (elim conjE) apply (frule bspec, erule domI) apply (rule conjI) apply (rule ballI, drule(1) bspec) apply (drule domD) apply (clarsimp simp: is_other_obj_relation_type t) apply (drule(1) bspec) apply clarsimp apply (frule_tac ko'=ko and x'=ptr in obj_relation_cut_same_type, (fastforce simp add: is_other_obj_relation_type t)+) apply (erule disjE) apply (simp add: is_other_obj_relation_type t) apply (erule disjE) apply (insert t, clarsimp simp: is_other_obj_relation_type_CapTable a_type_def) apply (erule disjE) apply (insert t, clarsimp simp: is_other_obj_relation_type_UserData a_type_def) apply (insert t, clarsimp simp: is_other_obj_relation_type_DeviceData a_type_def) apply (simp only: ekheap_relation_def) apply (rule ballI, drule(1) bspec) apply (drule domD) apply (insert e) apply atomize apply (clarsimp simp: obj_at'_def) apply (erule_tac x=obj in allE) apply (clarsimp simp: projectKO_eq project_inject) apply (case_tac ob; simp_all add: a_type_def other_obj_relation_def etcb_relation_def is_other_obj_relation_type t exst_same_def) by (clarsimp simp: is_other_obj_relation_type t exst_same_def split: Structures_A.kernel_object.splits Structures_H.kernel_object.splits ARM_A.arch_kernel_obj.splits)+ lemmas obj_at_simps = obj_at_def obj_at'_def projectKOs map_to_ctes_upd_other is_other_obj_relation_type_def a_type_def objBits_simps other_obj_relation_def archObjSize_def pageBits_def lemma set_ep_corres [corres]: "ep_relation e e' \ corres dc (ep_at ptr) (ep_at' ptr) (set_endpoint ptr e) (setEndpoint ptr e')" apply (simp add: set_endpoint_def setEndpoint_def is_ep_def[symmetric]) apply (corres_search search: set_other_obj_corres[where P="\_. True"]) apply (correswp wp: get_object_ret get_object_wp)+ by (clarsimp simp: is_ep obj_at_simps) lemma set_ntfn_corres [corres]: "ntfn_relation ae ae' \ corres dc (ntfn_at ptr) (ntfn_at' ptr) (set_notification ptr ae) (setNotification ptr ae')" apply (simp add: set_notification_def setNotification_def is_ntfn_def[symmetric]) apply (corres_search search: set_other_obj_corres[where P="\_. True"]) apply (correswp wp: get_object_ret get_object_wp)+ by (clarsimp simp: is_ntfn obj_at_simps) lemma no_fail_getNotification [wp]: "no_fail (ntfn_at' ptr) (getNotification ptr)" apply (simp add: getNotification_def getObject_def split_def) apply (rule no_fail_pre) apply wp apply (clarsimp simp add: obj_at'_def projectKOs objBits_simps lookupAround2_known1) apply (erule(1) ps_clear_lookupAround2) apply simp apply (simp add: field_simps) apply (erule is_aligned_no_wrap') apply (simp add: word_bits_conv) apply (clarsimp split: option.split_asm simp: objBits_simps archObjSize_def) done lemma get_ntfn_corres: "corres ntfn_relation (ntfn_at ptr) (ntfn_at' ptr) (get_notification ptr) (getNotification ptr)" apply (rule corres_no_failI) apply wp apply (simp add: get_notification_def getNotification_def get_object_def getObject_def bind_assoc) apply (clarsimp simp: in_monad split_def bind_def gets_def get_def return_def) apply (clarsimp simp add: assert_def fail_def obj_at_def return_def is_ntfn) apply (clarsimp simp: loadObject_default_def in_monad projectKOs in_magnitude_check objBits_simps) apply (clarsimp simp add: state_relation_def pspace_relation_def) apply (drule bspec) apply blast apply (simp add: other_obj_relation_def) done lemma setObject_ko_wp_at: fixes v :: "'a :: pspace_storable" assumes R: "\ko s x y n. (updateObject v ko p y n s) = (updateObject_default v ko p y n s)" assumes n: "\v' :: 'a. objBits v' = n" assumes m: "(1 :: word32) < 2 ^ n" shows "\\s. obj_at' (\x :: 'a. True) p s \ P (ko_wp_at' (if p = p' then K (P' (injectKO v)) else P')p' s)\ setObject p v \\rv s. P (ko_wp_at' P' p' s)\" apply (clarsimp simp: setObject_def valid_def in_monad ko_wp_at'_def split_def R updateObject_default_def projectKOs obj_at'_real_def split del: if_split) apply (clarsimp simp: project_inject objBits_def[symmetric] n in_magnitude_check [OF _ m] elim!: rsubst[where P=P] split del: if_split) apply (rule iffI) apply (clarsimp simp: n ps_clear_upd' objBits_def[symmetric] split: if_split_asm) apply (clarsimp simp: n project_inject objBits_def[symmetric] ps_clear_upd split: if_split_asm) done lemma typ_at'_valid_obj'_lift: assumes P: "\P T p. \\s. P (typ_at' T p s)\ f \\rv s. P (typ_at' T p s)\" notes [wp] = hoare_vcg_all_lift hoare_vcg_imp_lift hoare_vcg_const_Ball_lift typ_at_lifts [OF P] shows "\\s. valid_obj' obj s\ f \\rv s. valid_obj' obj s\" apply (cases obj; simp add: valid_obj'_def hoare_TrueI) apply (rename_tac endpoint) apply (case_tac endpoint; simp add: valid_ep'_def, wp) apply (rename_tac notification) apply (case_tac "ntfnObj notification"; simp add: valid_ntfn'_def valid_bound_tcb'_def split: option.splits, (wpsimp|rule conjI)+) apply (rename_tac tcb) apply (case_tac "tcbState tcb"; simp add: valid_tcb'_def valid_tcb_state'_def split_def valid_bound_ntfn'_def split: option.splits, wpsimp) apply (wpsimp simp: valid_cte'_def) apply (rename_tac arch_kernel_object) apply (case_tac arch_kernel_object; wpsimp) done lemmas setObject_valid_obj = typ_at'_valid_obj'_lift [OF setObject_typ_at'] lemma setObject_valid_objs': assumes x: "\x n ko s ko' s'. \ (ko', s') \ fst (updateObject val ko ptr x n s); P s; valid_obj' ko s; lookupAround2 ptr (ksPSpace s) = (Some (x, ko), n) \ \ valid_obj' ko' s" shows "\valid_objs' and P\ setObject ptr val \\rv. valid_objs'\" apply (clarsimp simp: valid_def) apply (subgoal_tac "\ko. valid_obj' ko s \ valid_obj' ko b") defer apply clarsimp apply (erule(1) use_valid [OF _ setObject_valid_obj]) apply (clarsimp simp: setObject_def split_def in_monad lookupAround2_char1) apply (simp add: valid_objs'_def) apply clarsimp apply (drule spec, erule mp) apply (drule(1) x) apply (simp add: ranI) apply (simp add: prod_eqI lookupAround2_char1) apply (clarsimp elim!: ranE split: if_split_asm simp: ranI) done lemma setObject_iflive': fixes v :: "'a :: pspace_storable" assumes R: "\ko s x y n. (updateObject v ko ptr y n s) = (updateObject_default v ko ptr y n s)" assumes n: "\x :: 'a. objBits x = n" assumes m: "(1 :: word32) < 2 ^ n" assumes x: "\x n tcb s t. \ t \ fst (updateObject v (KOTCB tcb) ptr x n s); P s; lookupAround2 ptr (ksPSpace s) = (Some (x, KOTCB tcb), n) \ \ \tcb'. t = (KOTCB tcb', s) \ (\(getF, setF) \ ran tcb_cte_cases. getF tcb' = getF tcb)" assumes y: "\x n cte s. fst (updateObject v (KOCTE cte) ptr x n s) = {}" shows "\\s. if_live_then_nonz_cap' s \ (live' (injectKO v) \ ex_nonz_cap_to' ptr s) \ P s\ setObject ptr v \\rv s. if_live_then_nonz_cap' s\" unfolding if_live_then_nonz_cap'_def ex_nonz_cap_to'_def apply (rule hoare_pre) apply (simp only: imp_conv_disj) apply (wp hoare_vcg_all_lift hoare_vcg_disj_lift) apply (rule setObject_ko_wp_at [OF R n m]) apply (rule hoare_vcg_ex_lift) apply (rule setObject_cte_wp_at'[where Q = P, OF x y]) apply assumption+ apply clarsimp apply (clarsimp simp: ko_wp_at'_def) done lemma setObject_qs[wp]: assumes x: "\q n obj. \\s. P (ksReadyQueues s)\ updateObject v obj p q n \\rv s. P (ksReadyQueues s)\" shows "\\s. P (ksReadyQueues s)\ setObject p v \\rv s. P (ksReadyQueues s)\" apply (simp add: setObject_def split_def) apply (wp x | simp)+ done lemma setObject_qsL1[wp]: assumes x: "\q n obj. \\s. P (ksReadyQueuesL1Bitmap s)\ updateObject v obj p q n \\rv s. P (ksReadyQueuesL1Bitmap s)\" shows "\\s. P (ksReadyQueuesL1Bitmap s)\ setObject p v \\rv s. P (ksReadyQueuesL1Bitmap s)\" apply (simp add: setObject_def split_def) apply (wp x | simp)+ done lemma setObject_qsL2[wp]: assumes x: "\q n obj. \\s. P (ksReadyQueuesL2Bitmap s)\ updateObject v obj p q n \\rv s. P (ksReadyQueuesL2Bitmap s)\" shows "\\s. P (ksReadyQueuesL2Bitmap s)\ setObject p v \\rv s. P (ksReadyQueuesL2Bitmap s)\" apply (simp add: setObject_def split_def) apply (wp x | simp)+ done lemma setObject_ifunsafe': fixes v :: "'a :: pspace_storable" assumes x: "\x n tcb s t. \ t \ fst (updateObject v (KOTCB tcb) ptr x n s); P s; lookupAround2 ptr (ksPSpace s) = (Some (x, KOTCB tcb), n) \ \ \tcb'. t = (KOTCB tcb', s) \ (\(getF, setF) \ ran tcb_cte_cases. getF tcb' = getF tcb)" assumes y: "\x n cte s. fst (updateObject v (KOCTE cte) ptr x n s) = {}" assumes z: "\P. \\s. P (intStateIRQNode (ksInterruptState s))\ setObject ptr v \\rv s. P (intStateIRQNode (ksInterruptState s))\" shows "\\s. if_unsafe_then_cap' s \ P s\ setObject ptr v \\rv s. if_unsafe_then_cap' s\" apply (simp only: if_unsafe_then_cap'_def ex_cte_cap_to'_def cte_wp_at_ctes_of) apply (rule hoare_use_eq_irq_node' [OF z]) apply (rule setObject_ctes_of [OF x y], assumption+) done lemma setObject_it[wp]: assumes x: "\p q n ko. \\s. P (ksIdleThread s)\ updateObject val p q n ko \\rv s. P (ksIdleThread s)\" shows "\\s. P (ksIdleThread s)\ setObject t val \\rv s. P (ksIdleThread s)\" apply (simp add: setObject_def split_def) apply (wp x | simp)+ done lemma setObject_idle': fixes v :: "'a :: pspace_storable" assumes R: "\ko s x y n. (updateObject v ko ptr y n s) = (updateObject_default v ko ptr y n s)" assumes n: "\x :: 'a. objBits x = n" assumes m: "(1 :: word32) < 2 ^ n" assumes z: "\P p q n ko. \\s. P (ksIdleThread s)\ updateObject v p q n ko \\rv s. P (ksIdleThread s)\" shows "\\s. valid_idle' s \ (ptr = ksIdleThread s \ (\obj (val :: 'a). projectKO_opt (injectKO val) = Some obj \ idle' (tcbState obj) \ tcbBoundNotification obj = None) \ (\obj. projectKO_opt (injectKO v) = Some obj \ idle' (tcbState obj) \ tcbBoundNotification obj = None)) \ P s\ setObject ptr v \\rv s. valid_idle' s\" apply (simp add: valid_idle'_def pred_tcb_at'_def o_def) apply (rule hoare_pre) apply (rule hoare_lift_Pf2 [where f="ksIdleThread"]) apply (simp add: pred_tcb_at'_def obj_at'_real_def) apply (rule setObject_ko_wp_at [OF R n m]) apply (wp z) apply (clarsimp simp add: pred_tcb_at'_def obj_at'_real_def ko_wp_at'_def) apply (drule_tac x=obj in spec, simp) apply (clarsimp simp add: project_inject) apply (drule_tac x=obja in spec, simp) done lemma setObject_no_0_obj' [wp]: "\no_0_obj'\ setObject p v \\r. no_0_obj'\" apply (clarsimp simp: setObject_def split_def) apply (clarsimp simp: valid_def no_0_obj'_def ko_wp_at'_def in_monad lookupAround2_char1 ps_clear_upd') done lemma valid_updateCapDataI: "s \' c \ s \' updateCapData b x c" apply (unfold updateCapData_def Let_def ARM_H.updateCapData_def) apply (cases c) apply (simp_all add: isCap_defs valid_cap'_def capUntypedPtr_def isCap_simps capAligned_def word_size word_bits_def word_bw_assocs) done lemma no_fail_threadGet [wp]: "no_fail (tcb_at' t) (threadGet f t)" by (simp add: threadGet_def, wp) lemma no_fail_getThreadState [wp]: "no_fail (tcb_at' t) (getThreadState t)" by (simp add: getThreadState_def, wp) lemma no_fail_setObject_tcb [wp]: "no_fail (tcb_at' t) (setObject t (t'::tcb))" apply (rule no_fail_pre, wp) apply (rule ext)+ apply simp apply (simp add: objBits_simps) done lemma no_fail_threadSet [wp]: "no_fail (tcb_at' t) (threadSet f t)" apply (simp add: threadSet_def) apply (rule no_fail_pre, wp) apply simp done lemma dmo_return' [simp]: "doMachineOp (return x) = return x" apply (simp add: doMachineOp_def select_f_def return_def gets_def get_def bind_def modify_def put_def) done lemma dmo_storeWordVM' [simp]: "doMachineOp (storeWordVM x y) = return ()" by (simp add: storeWordVM_def) declare mapM_x_return [simp] lemma no_fail_dmo' [wp]: "no_fail P f \ no_fail (P o ksMachineState) (doMachineOp f)" apply (simp add: doMachineOp_def split_def) apply (rule no_fail_pre, wp) apply simp apply (simp add: no_fail_def) done lemma doMachineOp_obj_at: "\obj_at' P addr\ doMachineOp opr \\rv. obj_at' P addr\" proof - have obj_at'_machine: "\P addr f s. obj_at' P addr (ksMachineState_update f s) = obj_at' P addr s" by (fastforce intro: obj_at'_pspaceI) show ?thesis apply (simp add: doMachineOp_def split_def) apply (wp select_wp) apply (clarsimp simp: obj_at'_machine) done qed lemma setEndpoint_nosch[wp]: "\\s. P (ksSchedulerAction s)\ setEndpoint val ptr \\rv s. P (ksSchedulerAction s)\" apply (simp add: setEndpoint_def) apply (rule setObject_nosch) apply (simp add: updateObject_default_def) apply wp apply simp done lemma setNotification_nosch[wp]: "\\s. P (ksSchedulerAction s)\ setNotification val ptr \\rv s. P (ksSchedulerAction s)\" apply (simp add: setNotification_def) apply (rule setObject_nosch) apply (simp add: updateObject_default_def) apply wp apply simp done lemma set_ep_valid_objs': "\valid_objs' and valid_ep' ep\ setEndpoint epptr ep \\r s. valid_objs' s\" apply (simp add: setEndpoint_def) apply (rule setObject_valid_objs') apply (clarsimp simp: updateObject_default_def in_monad projectKOs valid_obj'_def) done lemma set_ep_ctes_of[wp]: "\\s. P (ctes_of s)\ setEndpoint p val \\rv s. P (ctes_of s)\" apply (simp add: setEndpoint_def) apply (rule setObject_ctes_of[where Q="\", simplified]) apply (clarsimp simp: updateObject_default_def in_monad projectKOs) apply (clarsimp simp: updateObject_default_def bind_def projectKOs) done lemma set_ep_valid_mdb' [wp]: "\valid_mdb'\ setObject epptr (ep::endpoint) \\_. valid_mdb'\" apply (simp add: valid_mdb'_def) apply (rule set_ep_ctes_of[simplified setEndpoint_def]) done lemma setEndpoint_valid_mdb': "\valid_mdb'\ setEndpoint p v \\rv. valid_mdb'\" unfolding setEndpoint_def by (rule set_ep_valid_mdb') lemma set_ep_valid_pspace'[wp]: "\valid_pspace' and valid_ep' ep\ setEndpoint epptr ep \\r. valid_pspace'\" apply (simp add: valid_pspace'_def) apply (wp set_ep_aligned' [simplified] set_ep_valid_objs') apply (wp hoare_vcg_conj_lift) apply (simp add: setEndpoint_def) apply (wp setEndpoint_valid_mdb')+ apply auto done lemma set_ep_valid_bitmapQ[wp]: "\Invariants_H.valid_bitmapQ\ setEndpoint epptr ep \\rv. Invariants_H.valid_bitmapQ\" apply (unfold setEndpoint_def) apply (rule setObject_ep_pre) apply (simp add: bitmapQ_defs setObject_def split_def) apply (wp hoare_Ball_helper hoare_vcg_all_lift updateObject_default_inv | simp add: bitmapQ_def)+ done lemma set_ep_bitmapQ_no_L1_orphans[wp]: "\ bitmapQ_no_L1_orphans \ setEndpoint epptr ep \\rv. bitmapQ_no_L1_orphans \" apply (unfold setEndpoint_def) apply (rule setObject_ep_pre) apply (simp add: bitmapQ_defs setObject_def split_def) apply (wp hoare_Ball_helper hoare_vcg_all_lift updateObject_default_inv | simp add: bitmapQ_def)+ done lemma set_ep_bitmapQ_no_L2_orphans[wp]: "\ bitmapQ_no_L2_orphans \ setEndpoint epptr ep \\rv. bitmapQ_no_L2_orphans \" apply (unfold setEndpoint_def) apply (rule setObject_ep_pre) apply (simp add: bitmapQ_defs setObject_def split_def) apply (wp hoare_Ball_helper hoare_vcg_all_lift updateObject_default_inv | simp add: bitmapQ_def)+ done lemma set_ep_valid_queues[wp]: "\Invariants_H.valid_queues\ setEndpoint epptr ep \\rv. Invariants_H.valid_queues\" apply (simp add: Invariants_H.valid_queues_def) apply (wp hoare_vcg_conj_lift) apply (simp add: setEndpoint_def valid_queues_no_bitmap_def) apply (wp hoare_Ball_helper hoare_vcg_all_lift) apply (rule obj_at_setObject2) apply (clarsimp simp: updateObject_default_def in_monad) apply (wp updateObject_default_inv set_ep_valid_bitmapQ[unfolded setEndpoint_def] | simp add: valid_queues_no_bitmap_def)+ done lemma set_ep_valid_queues'[wp]: "\valid_queues'\ setEndpoint epptr ep \\rv. valid_queues'\" apply (unfold setEndpoint_def) apply (simp only: valid_queues'_def imp_conv_disj obj_at'_real_def) apply (wp hoare_vcg_all_lift hoare_vcg_disj_lift) apply (rule setObject_ko_wp_at) apply simp apply (simp add: objBits_simps) apply simp apply (wp updateObject_default_inv | simp)+ apply (clarsimp simp: projectKOs ko_wp_at'_def) done lemma ct_in_state_thread_state_lift': assumes ct: "\P. \\s. P (ksCurThread s)\ f \\_ s. P (ksCurThread s)\" assumes st: "\t. \st_tcb_at' P t\ f \\_. st_tcb_at' P t\" shows "\ct_in_state' P\ f \\_. ct_in_state' P\" apply (clarsimp simp: ct_in_state'_def) apply (clarsimp simp: valid_def) apply (frule (1) use_valid [OF _ ct]) apply (drule (1) use_valid [OF _ st], assumption) done lemma sch_act_wf_lift: assumes tcb: "\P t. \st_tcb_at' P t\ f \\rv. st_tcb_at' P t\" assumes tcb_cd: "\P t. \ tcb_in_cur_domain' t\ f \\_ . tcb_in_cur_domain' t \" assumes kCT: "\P. \\s. P (ksCurThread s)\ f \\_ s. P (ksCurThread s)\" assumes ksA: "\P. \\s. P (ksSchedulerAction s)\ f \\_ s. P (ksSchedulerAction s)\" shows "\\s. sch_act_wf (ksSchedulerAction s) s\ f \\rv s. sch_act_wf (ksSchedulerAction s) s\" apply (clarsimp simp: valid_def) apply (frule (1) use_valid [OF _ ksA]) apply (case_tac "ksSchedulerAction b", simp_all) apply (drule (2) use_valid [OF _ ct_in_state_thread_state_lift' [OF kCT tcb]]) apply (clarsimp) apply (rule conjI) apply (drule (2) use_valid [OF _ tcb]) apply (drule (2) use_valid [OF _ tcb_cd]) done lemma tcb_in_cur_domain'_lift: assumes a: "\P. \\s. P (ksCurDomain s)\ f \\_ s. P (ksCurDomain s)\" assumes b: "\x. \obj_at' (\tcb. x = tcbDomain tcb) t\ f \\_. obj_at' (\tcb. x = tcbDomain tcb) t\" shows "\ tcb_in_cur_domain' t \ f \ \_. tcb_in_cur_domain' t \" apply (simp add: tcb_in_cur_domain'_def) apply (rule_tac f="ksCurDomain" in hoare_lift_Pf) apply (rule b) apply (rule a) done lemma ct_idle_or_in_cur_domain'_lift: assumes a: "\P. \\s. P (ksCurDomain s)\ f \\_ s. P (ksCurDomain s)\" assumes b: "\P. \\s. P (ksSchedulerAction s)\ f \\_ s. P (ksSchedulerAction s)\" assumes c: "\P. \\s. P (ksIdleThread s)\ f \\_ s. P (ksIdleThread s)\" assumes d: "\P. \\s. P (ksCurThread s)\ f \\_ s. P (ksCurThread s)\" assumes e: "\d a t t'. \\s. t = t' \ obj_at' (\tcb. d = tcbDomain tcb) t s\ f \\_ s. t = t' \ obj_at' (\tcb. d = tcbDomain tcb) t s\" shows "\ ct_idle_or_in_cur_domain' \ f \ \_. ct_idle_or_in_cur_domain' \" apply (simp add: ct_idle_or_in_cur_domain'_def tcb_in_cur_domain'_def) apply (rule_tac f="ksCurThread" in hoare_lift_Pf) apply (rule_tac f="ksIdleThread" in hoare_lift_Pf) apply (rule_tac f="ksSchedulerAction" in hoare_lift_Pf) apply (rule_tac f="ksCurDomain" in hoare_lift_Pf) apply (wp hoare_vcg_imp_lift) apply (rule e) apply simp apply (rule a) apply (rule b) apply (rule c) apply (rule d) done lemma setObject_ep_obj_at'_tcb[wp]: "\obj_at' (P :: tcb \ bool) t \ setObject ptr (e::endpoint) \\_. obj_at' (P :: tcb \ bool) t\" apply (rule obj_at_setObject2) apply (clarsimp simp: updateObject_default_def in_monad) done lemma setObject_ep_cur_domain[wp]: "\\s. P (ksCurDomain s)\ setObject ptr (e::endpoint) \\_ s. P (ksCurDomain s)\" apply (simp add: setObject_def split_def) apply (wp updateObject_default_inv | simp)+ done lemma setEndpoint_tcb_in_cur_domain'[wp]: "\tcb_in_cur_domain' t\ setEndpoint epptr ep \\_. tcb_in_cur_domain' t\" apply (clarsimp simp: setEndpoint_def) apply (rule tcb_in_cur_domain'_lift; wp) done lemma setEndpoint_obj_at'_tcb[wp]: "\obj_at' (P :: tcb \ bool) t \ setEndpoint ptr (e::endpoint) \\_. obj_at' (P :: tcb \ bool) t\" by (clarsimp simp: setEndpoint_def, wp) lemma set_ep_sch_act_wf[wp]: "\\s. sch_act_wf (ksSchedulerAction s) s\ setEndpoint epptr ep \\rv s. sch_act_wf (ksSchedulerAction s) s\" apply (wp sch_act_wf_lift) apply (simp add: setEndpoint_def split_def setObject_def | wp updateObject_default_inv)+ done lemma setObject_state_refs_of': assumes x: "updateObject val = updateObject_default val" assumes y: "(1 :: word32) < 2 ^ objBits val" shows "\\s. P ((state_refs_of' s) (ptr := refs_of' (injectKO val)))\ setObject ptr val \\rv s. P (state_refs_of' s)\" apply (clarsimp simp: setObject_def valid_def in_monad split_def updateObject_default_def x in_magnitude_check projectKOs y elim!: rsubst[where P=P] intro!: ext split del: if_split cong: option.case_cong if_cong) apply (clarsimp simp: state_refs_of'_def objBits_def[symmetric] ps_clear_upd cong: if_cong option.case_cong) done lemma setObject_state_refs_of_eq: assumes x: "\s s' obj obj' ptr' ptr''. (obj', s') \ fst (updateObject val obj ptr ptr' ptr'' s) \ refs_of' obj' = refs_of' obj" shows "\\s. P (state_refs_of' s)\ setObject ptr val \\rv s. P (state_refs_of' s)\" apply (clarsimp simp: setObject_def valid_def in_monad split_def updateObject_default_def in_magnitude_check projectKOs lookupAround2_char1 elim!: rsubst[where P=P] intro!: ext split del: if_split cong: option.case_cong if_cong) apply (frule x, drule updateObject_objBitsKO) apply (simp add: state_refs_of'_def ps_clear_upd cong: option.case_cong if_cong) done lemma set_ep_state_refs_of'[wp]: "\\s. P ((state_refs_of' s) (epptr := ep_q_refs_of' ep))\ setEndpoint epptr ep \\rv s. P (state_refs_of' s)\" unfolding setEndpoint_def by (wp setObject_state_refs_of', simp_all add: objBits_simps fun_upd_def[symmetric]) lemma set_ntfn_ctes_of[wp]: "\\s. P (ctes_of s)\ setNotification p val \\rv s. P (ctes_of s)\" apply (simp add: setNotification_def) apply (rule setObject_ctes_of[where Q="\", simplified]) apply (clarsimp simp: updateObject_default_def in_monad projectKOs) apply (clarsimp simp: updateObject_default_def bind_def projectKOs) done lemma set_ntfn_valid_mdb' [wp]: "\valid_mdb'\ setObject epptr (ntfn::Structures_H.notification) \\_. valid_mdb'\" apply (simp add: valid_mdb'_def) apply (rule set_ntfn_ctes_of[simplified setNotification_def]) done lemma set_ntfn_valid_objs': "\valid_objs' and valid_ntfn' ntfn\ setNotification p ntfn \\r s. valid_objs' s\" apply (simp add: setNotification_def) apply (rule setObject_valid_objs') apply (clarsimp simp: updateObject_default_def in_monad valid_obj'_def) done lemma set_ntfn_valid_pspace'[wp]: "\valid_pspace' and valid_ntfn' ntfn\ setNotification p ntfn \\r. valid_pspace'\" apply (simp add: valid_pspace'_def) apply (wp set_ntfn_aligned' [simplified] set_ntfn_valid_objs') apply (simp add: setNotification_def,wp) apply auto done lemma set_ntfn_valid_bitmapQ[wp]: "\Invariants_H.valid_bitmapQ\ setNotification p ntfn \\rv. Invariants_H.valid_bitmapQ\" apply (unfold setNotification_def) apply (rule setObject_ntfn_pre) apply (simp add: bitmapQ_defs setObject_def split_def) apply (wp hoare_Ball_helper hoare_vcg_all_lift updateObject_default_inv | simp)+ done lemma set_ntfn_bitmapQ_no_L1_orphans[wp]: "\ bitmapQ_no_L1_orphans \ setNotification p ntfn \\rv. bitmapQ_no_L1_orphans \" apply (unfold setNotification_def) apply (rule setObject_ntfn_pre) apply (simp add: bitmapQ_defs setObject_def split_def) apply (wp hoare_Ball_helper hoare_vcg_all_lift updateObject_default_inv | simp)+ done lemma set_ntfn_bitmapQ_no_L2_orphans[wp]: "\ bitmapQ_no_L2_orphans \ setNotification p ntfn \\rv. bitmapQ_no_L2_orphans \" apply (unfold setNotification_def) apply (rule setObject_ntfn_pre) apply (simp add: bitmapQ_defs setObject_def split_def) apply (wp hoare_Ball_helper hoare_vcg_all_lift updateObject_default_inv | simp)+ done lemma set_ntfn_valid_queues[wp]: "\Invariants_H.valid_queues\ setNotification p ntfn \\rv. Invariants_H.valid_queues\" apply (simp add: Invariants_H.valid_queues_def) apply (rule hoare_pre) apply (wp hoare_vcg_conj_lift) apply (simp add: setNotification_def valid_queues_no_bitmap_def) apply (wp hoare_Ball_helper hoare_vcg_all_lift) apply (rule obj_at_setObject2) apply (clarsimp simp: updateObject_default_def in_monad) apply (wp updateObject_default_inv set_ep_valid_bitmapQ[unfolded setEndpoint_def] | simp add: valid_queues_no_bitmap_def)+ done lemma set_ntfn_valid_queues'[wp]: "\valid_queues'\ setNotification p ntfn \\rv. valid_queues'\" apply (unfold setNotification_def) apply (rule setObject_ntfn_pre) apply (simp only: valid_queues'_def imp_conv_disj obj_at'_real_def) apply (wp hoare_vcg_all_lift hoare_vcg_disj_lift) apply (rule setObject_ko_wp_at) apply simp apply (simp add: objBits_simps) apply simp apply (wp updateObject_default_inv | simp)+ apply (clarsimp simp: projectKOs ko_wp_at'_def) done lemma set_ntfn_state_refs_of'[wp]: "\\s. P ((state_refs_of' s) (epptr := ntfn_q_refs_of' (ntfnObj ntfn) \ ntfn_bound_refs' (ntfnBoundTCB ntfn)))\ setNotification epptr ntfn \\rv s. P (state_refs_of' s)\" unfolding setNotification_def by (wp setObject_state_refs_of', simp_all add: objBits_simps fun_upd_def) lemma setNotification_pred_tcb_at'[wp]: "\pred_tcb_at' proj P t\ setNotification ptr val \\rv. pred_tcb_at' proj P t\" apply (simp add: pred_tcb_at'_def setNotification_def) apply (rule obj_at_setObject2) apply simp apply (clarsimp simp: updateObject_default_def in_monad) done lemma setObject_ntfn_cur_domain[wp]: "\ \s. P (ksCurDomain s) \ setObject ptr (ntfn::Structures_H.notification) \ \_s . P (ksCurDomain s) \" apply (clarsimp simp: setObject_def split_def) apply (wp updateObject_default_inv | simp)+ done lemma setObject_ntfn_obj_at'_tcb[wp]: "\obj_at' (P :: tcb \ bool) t \ setObject ptr (ntfn::Structures_H.notification) \\_. obj_at' (P :: tcb \ bool) t\" apply (rule obj_at_setObject2) apply (clarsimp simp: updateObject_default_def in_monad) done lemma setNotification_ksCurDomain[wp]: "\ \s. P (ksCurDomain s) \ setNotification ptr (ntfn::Structures_H.notification) \ \_s . P (ksCurDomain s) \" apply (simp add: setNotification_def) apply wp done lemma setNotification_tcb_in_cur_domain'[wp]: "\tcb_in_cur_domain' t\ setNotification epptr ep \\_. tcb_in_cur_domain' t\" apply (clarsimp simp: setNotification_def) apply (rule tcb_in_cur_domain'_lift; wp) done lemma set_ntfn_sch_act_wf[wp]: "\\s. sch_act_wf (ksSchedulerAction s) s\ setNotification ntfnptr ntfn \\rv s. sch_act_wf (ksSchedulerAction s) s\" apply (wp sch_act_wf_lift | clarsimp simp: setNotification_def)+ apply (simp add: setNotification_def split_def setObject_def | wp updateObject_default_inv)+ done lemmas cur_tcb_lift = hoare_lift_Pf [where f = ksCurThread and P = tcb_at', folded cur_tcb'_def] lemma set_ntfn_cur_tcb'[wp]: "\cur_tcb'\ setNotification ptr ntfn \\rv. cur_tcb'\" apply (wp cur_tcb_lift) apply (simp add: setNotification_def setObject_def split_def) apply (wp updateObject_default_inv | simp)+ done lemma setEndpoint_typ_at'[wp]: "\\s. P (typ_at' T p s)\ setEndpoint ptr val \\rv s. P (typ_at' T p s)\" unfolding setEndpoint_def by (rule setObject_typ_at') lemmas setEndpoint_typ_ats[wp] = typ_at_lifts [OF setEndpoint_typ_at'] lemma get_ep_sp': "\P\ getEndpoint r \\t. P and ko_at' t r\" by (clarsimp simp: getEndpoint_def getObject_def loadObject_default_def projectKOs in_monad valid_def obj_at'_def objBits_simps in_magnitude_check split_def) lemma setEndpoint_cur_tcb'[wp]: "\cur_tcb'\ setEndpoint p v \\rv. cur_tcb'\" apply (wp cur_tcb_lift) apply (simp add: setEndpoint_def setObject_def split_def) apply (wp updateObject_default_inv | simp)+ done lemma setEndpoint_iflive'[wp]: "\\s. if_live_then_nonz_cap' s \ (v \ IdleEP \ ex_nonz_cap_to' p s)\ setEndpoint p v \\rv. if_live_then_nonz_cap'\" unfolding setEndpoint_def apply (wp setObject_iflive'[where P="\"]) apply simp apply (simp add: objBits_simps) apply simp apply (clarsimp simp: updateObject_default_def in_monad projectKOs) apply (clarsimp simp: updateObject_default_def in_monad projectKOs bind_def) apply clarsimp done declare setEndpoint_cte_wp_at'[wp] lemma ex_nonz_cap_to_pres': assumes y: "\P p. \cte_wp_at' P p\ f \\rv. cte_wp_at' P p\" shows "\ex_nonz_cap_to' p\ f \\rv. ex_nonz_cap_to' p\" apply (simp only: ex_nonz_cap_to'_def) apply (intro hoare_vcg_disj_lift hoare_vcg_ex_lift y hoare_vcg_all_lift) done lemma setEndpoint_cap_to'[wp]: "\ex_nonz_cap_to' p\ setEndpoint p' v \\rv. ex_nonz_cap_to' p\" by (wp ex_nonz_cap_to_pres') lemma setEndpoint_ifunsafe'[wp]: "\if_unsafe_then_cap'\ setEndpoint p v \\rv. if_unsafe_then_cap'\" unfolding setEndpoint_def apply (rule setObject_ifunsafe'[where P="\", simplified]) apply (clarsimp simp: updateObject_default_def in_monad projectKOs intro!: equals0I)+ apply (simp add: setObject_def split_def) apply (wp updateObject_default_inv | simp)+ done lemma setEndpoint_idle'[wp]: "\\s. valid_idle' s\ setEndpoint p v \\_. valid_idle'\" unfolding setEndpoint_def apply (wp setObject_idle'[where P="\"]) apply (simp add: objBits_simps updateObject_default_inv)+ apply (clarsimp simp: projectKOs) done crunch it[wp]: setEndpoint "\s. P (ksIdleThread s)" (simp: updateObject_default_inv ignore: getObject) lemma setObject_ksPSpace_only: "\ \p q n ko. \P\ updateObject val p q n ko \\rv. P \; \f s. P (ksPSpace_update f s) = P s \ \ \P\ setObject ptr val \\rv. P\" apply (simp add: setObject_def split_def) apply (wp | simp | assumption)+ done lemma setObject_ksMachine: "\ \p q n ko. \\s. P (ksMachineState s)\ updateObject val p q n ko \\rv s. P (ksMachineState s)\ \ \ \\s. P (ksMachineState s)\ setObject ptr val \\rv s. P (ksMachineState s)\" by (simp add: setObject_ksPSpace_only) lemma setObject_ksInterrupt: "\ \p q n ko. \\s. P (ksInterruptState s)\ updateObject val p q n ko \\rv s. P (ksInterruptState s)\ \ \ \\s. P (ksInterruptState s)\ setObject ptr val \\rv s. P (ksInterruptState s)\" by (simp add: setObject_ksPSpace_only) lemma valid_irq_handlers_lift': assumes x: "\P. \\s. P (cteCaps_of s)\ f \\rv s. P (cteCaps_of s)\" assumes y: "\P. \\s. P (ksInterruptState s)\ f \\rv s. P (ksInterruptState s)\" shows "\valid_irq_handlers'\ f \\rv. valid_irq_handlers'\" apply (simp add: valid_irq_handlers'_def irq_issued'_def) apply (rule hoare_use_eq [where f=cteCaps_of, OF x y]) done lemmas valid_irq_handlers_lift'' = valid_irq_handlers_lift' [unfolded cteCaps_of_def] crunch ksInterruptState[wp]: setEndpoint "\s. P (ksInterruptState s)" (ignore: setObject wp: setObject_ksInterrupt updateObject_default_inv) lemmas setEndpoint_irq_handlers[wp] = valid_irq_handlers_lift'' [OF set_ep_ctes_of setEndpoint_ksInterruptState] declare set_ep_arch' [wp] lemma set_ep_irq_node' [wp]: "\\s. P (irq_node' s)\ setEndpoint ptr val \\rv s. P (irq_node' s)\" by (simp add: setEndpoint_def | wp setObject_ksInterrupt updateObject_default_inv)+ lemma set_ep_maxObj [wp]: "\\s. P (gsMaxObjectSize s)\ setEndpoint ptr val \\rv s. P (gsMaxObjectSize s)\" by (simp add: setEndpoint_def | wp setObject_ksPSpace_only updateObject_default_inv)+ lemma valid_global_refs_lift': assumes ctes: "\P. \\s. P (ctes_of s)\ f \\_ s. P (ctes_of s)\" assumes arch: "\P. \\s. P (ksArchState s)\ f \\_ s. P (ksArchState s)\" assumes idle: "\P. \\s. P (ksIdleThread s)\ f \\_ s. P (ksIdleThread s)\" assumes irqn: "\P. \\s. P (irq_node' s)\ f \\_ s. P (irq_node' s)\" assumes maxObj: "\P. \\s. P (gsMaxObjectSize s)\ f \\_ s. P (gsMaxObjectSize s)\" shows "\valid_global_refs'\ f \\_. valid_global_refs'\" apply (simp add: valid_global_refs'_def valid_refs'_def global_refs'_def valid_cap_sizes'_def) apply (rule hoare_lift_Pf [where f="ksArchState"]) apply (rule hoare_lift_Pf [where f="ksIdleThread"]) apply (rule hoare_lift_Pf [where f="irq_node'"]) apply (rule hoare_lift_Pf [where f="gsMaxObjectSize"]) apply (wp ctes hoare_vcg_const_Ball_lift arch idle irqn maxObj)+ done lemma valid_arch_state_lift': assumes typs: "\T p P. \\s. P (typ_at' T p s)\ f \\_ s. P (typ_at' T p s)\" assumes arch: "\P. \\s. P (ksArchState s)\ f \\_ s. P (ksArchState s)\" shows "\valid_arch_state'\ f \\_. valid_arch_state'\" apply (simp add: valid_arch_state'_def valid_asid_table'_def valid_global_pts'_def page_directory_at'_def page_table_at'_def All_less_Ball) apply (rule hoare_lift_Pf [where f="ksArchState"]) apply (wp typs hoare_vcg_const_Ball_lift arch typ_at_lifts)+ done lemma set_ep_global_refs'[wp]: "\valid_global_refs'\ setEndpoint ptr val \\_. valid_global_refs'\" by (rule valid_global_refs_lift'; wp) lemma set_ep_valid_arch' [wp]: "\valid_arch_state'\ setEndpoint ptr val \\_. valid_arch_state'\" by (rule valid_arch_state_lift'; wp) lemma setObject_ep_ct: "\\s. P (ksCurThread s)\ setObject p (e::endpoint) \\_ s. P (ksCurThread s)\" apply (simp add: setObject_def updateObject_ep_eta split_def) apply (wp updateObject_default_inv | simp)+ done lemma setObject_ntfn_ct: "\\s. P (ksCurThread s)\ setObject p (e::Structures_H.notification) \\_ s. P (ksCurThread s)\" apply (simp add: setObject_def split_def) apply (wp updateObject_default_inv | simp)+ done lemma get_ntfn_sp': "\P\ getNotification r \\t. P and ko_at' t r\" by (clarsimp simp: getNotification_def getObject_def loadObject_default_def projectKOs in_monad valid_def obj_at'_def objBits_simps in_magnitude_check split_def) lemma set_ntfn_pred_tcb_at' [wp]: "\ pred_tcb_at' proj P t \ setNotification ep v \ \rv. pred_tcb_at' proj P t \" apply (simp add: setNotification_def pred_tcb_at'_def) apply (rule obj_at_setObject2) apply (clarsimp simp add: updateObject_default_def in_monad) done lemma set_ntfn_iflive'[wp]: "\\s. if_live_then_nonz_cap' s \ (live' (KONotification v) \ ex_nonz_cap_to' p s)\ setNotification p v \\rv. if_live_then_nonz_cap'\" apply (simp add: setNotification_def) apply (wp setObject_iflive'[where P="\"]) apply simp apply (simp add: objBits_simps) apply (simp add: objBits_simps) apply (clarsimp simp: updateObject_default_def in_monad projectKOs) apply (clarsimp simp: updateObject_default_def projectKOs bind_def) apply clarsimp done declare setNotification_cte_wp_at'[wp] lemma set_ntfn_cap_to'[wp]: "\ex_nonz_cap_to' p\ setNotification p' v \\rv. ex_nonz_cap_to' p\" by (wp ex_nonz_cap_to_pres') lemma setNotification_ifunsafe'[wp]: "\if_unsafe_then_cap'\ setNotification p v \\rv. if_unsafe_then_cap'\" unfolding setNotification_def apply (rule setObject_ifunsafe'[where P="\", simplified]) apply (clarsimp simp: updateObject_default_def in_monad projectKOs intro!: equals0I)+ apply (simp add: setObject_def split_def) apply (wp updateObject_default_inv | simp)+ done lemma setNotification_idle'[wp]: "\\s. valid_idle' s\ setNotification p v \\rv. valid_idle'\" unfolding setNotification_def apply (wp setObject_idle'[where P="\"]) apply (simp add: objBits_simps updateObject_default_inv)+ apply (clarsimp simp: projectKOs) done crunch it[wp]: setNotification "\s. P (ksIdleThread s)" (wp: updateObject_default_inv) lemma set_ntfn_arch' [wp]: "\\s. P (ksArchState s)\ setNotification ntfn p \\_ s. P (ksArchState s)\" apply (simp add: setNotification_def setObject_def split_def) apply (wp updateObject_default_inv|simp)+ done lemma set_ntfn_ksInterrupt[wp]: "\\s. P (ksInterruptState s)\ setNotification ptr val \\rv s. P (ksInterruptState s)\" by (simp add: setNotification_def | wp setObject_ksInterrupt updateObject_default_inv)+ lemma set_ntfn_ksMachine[wp]: "\\s. P (ksMachineState s)\ setNotification ptr val \\rv s. P (ksMachineState s)\" by (simp add: setNotification_def | wp setObject_ksMachine updateObject_default_inv)+ lemma set_ntfn_maxObj [wp]: "\\s. P (gsMaxObjectSize s)\ setNotification ptr val \\rv s. P (gsMaxObjectSize s)\" by (simp add: setNotification_def | wp setObject_ksPSpace_only updateObject_default_inv)+ lemma set_ntfn_global_refs' [wp]: "\valid_global_refs'\ setNotification ptr val \\_. valid_global_refs'\" by (rule valid_global_refs_lift'; wp) crunch typ_at' [wp]: setNotification "\s. P (typ_at' T p s)" lemma set_ntfn_valid_arch' [wp]: "\valid_arch_state'\ setNotification ptr val \\_. valid_arch_state'\" by (rule valid_arch_state_lift'; wp) lemmas valid_irq_node_lift = hoare_use_eq_irq_node' [OF _ typ_at_lift_valid_irq_node'] lemmas untyped_ranges_zero_lift = hoare_use_eq[where f="gsUntypedZeroRanges" and Q="\v s. untyped_ranges_zero_inv (f s) v" for f] lemma valid_irq_states_lift': assumes x: "\P. \\s. P (intStateIRQTable (ksInterruptState s))\ f \\rv s. P (intStateIRQTable (ksInterruptState s))\" assumes y: "\P. \\s. P (irq_masks (ksMachineState s))\ f \\rv s. P (irq_masks (ksMachineState s))\" shows "\valid_irq_states'\ f \\rv. valid_irq_states'\" apply (rule hoare_use_eq [where f="\s. irq_masks (ksMachineState s)"], rule y) apply (rule hoare_use_eq [where f="\s. intStateIRQTable (ksInterruptState s)"], rule x) apply wp done lemmas set_ntfn_irq_handlers'[wp] = valid_irq_handlers_lift'' [OF set_ntfn_ctes_of set_ntfn_ksInterrupt] lemmas set_ntfn_irq_states' [wp] = valid_irq_states_lift' [OF set_ntfn_ksInterrupt set_ntfn_ksMachine] lemma valid_pde_mappings'_def2: "valid_pde_mappings' = (\s. \x. pde_at' x s \ obj_at' (valid_pde_mapping' (x && mask pdBits)) x s)" apply (clarsimp simp: valid_pde_mappings'_def typ_at_to_obj_at_arches) apply (rule ext, rule iff_allI) apply (clarsimp simp: obj_at'_def projectKOs) apply (auto simp add: objBits_simps archObjSize_def) done lemma valid_pde_mappings_lift': assumes x: "\P T p. \\s. P (typ_at' T p s)\ f \\rv s. P (typ_at' T p s)\" assumes y: "\x. \obj_at' (valid_pde_mapping' (x && mask pdBits)) x\ f \\rv. obj_at' (valid_pde_mapping' (x && mask pdBits)) x\" shows "\valid_pde_mappings'\ f \\rv. valid_pde_mappings'\" apply (simp only: valid_pde_mappings'_def2 imp_conv_disj) apply (rule hoare_vcg_all_lift hoare_vcg_disj_lift x y)+ done lemma set_ntfn_valid_pde_mappings'[wp]: "\valid_pde_mappings'\ setNotification ptr val \\rv. valid_pde_mappings'\" apply (rule valid_pde_mappings_lift') apply wp apply (simp add: setNotification_def) apply (rule obj_at_setObject2) apply (clarsimp simp: updateObject_default_def in_monad) done lemma set_ntfn_vms'[wp]: "\valid_machine_state'\ setNotification ptr val \\rv. valid_machine_state'\" apply (simp add: setNotification_def valid_machine_state'_def pointerInDeviceData_def pointerInUserData_def) apply (intro hoare_vcg_all_lift hoare_vcg_disj_lift) by (wp setObject_typ_at_inv setObject_ksMachine updateObject_default_inv | simp)+ lemma irqs_masked_lift: assumes "\P. \\s. P (intStateIRQTable (ksInterruptState s))\ f \\rv s. P (intStateIRQTable (ksInterruptState s))\" shows "\irqs_masked'\ f \\_. irqs_masked'\" apply (simp add: irqs_masked'_def) apply (wp assms) done lemma setObject_pspace_domain_valid[wp]: "\pspace_domain_valid\ setObject ptr val \\rv. pspace_domain_valid\" apply (clarsimp simp: setObject_def split_def pspace_domain_valid_def valid_def in_monad split: if_split_asm) apply (drule updateObject_objBitsKO) apply (clarsimp simp: lookupAround2_char1) done crunch pspace_domain_valid[wp]: setNotification, setEndpoint "pspace_domain_valid" lemma ct_not_inQ_lift: assumes sch_act: "\P. \\s. P (ksSchedulerAction s)\ f \\_ s. P (ksSchedulerAction s)\" and not_inQ: "\\s. obj_at' (Not \ tcbQueued) (ksCurThread s) s\ f \\_ s. obj_at' (Not \ tcbQueued) (ksCurThread s) s\" shows "\ct_not_inQ\ f \\_. ct_not_inQ\" unfolding ct_not_inQ_def by (rule hoare_convert_imp [OF sch_act not_inQ]) lemma setNotification_ct_not_inQ[wp]: "\ct_not_inQ\ setNotification ptr rval \\_. ct_not_inQ\" apply (rule ct_not_inQ_lift [OF setNotification_nosch]) apply (simp add: setNotification_def ct_not_inQ_def) apply (rule hoare_weaken_pre) apply (wps setObject_ntfn_ct) apply (rule obj_at_setObject2) apply (clarsimp simp add: updateObject_default_def in_monad)+ done lemma setNotification_ksCurThread[wp]: "\\s. P (ksCurThread s)\ setNotification a b \\rv s. P (ksCurThread s)\" apply (simp add: setNotification_def setObject_def split_def) apply (wp updateObject_default_inv | simp)+ done lemma setNotification_ksDomSchedule[wp]: "\\s. P (ksDomSchedule s)\ setNotification a b \\rv s. P (ksDomSchedule s)\" apply (simp add: setNotification_def setObject_def split_def) apply (wp updateObject_default_inv | simp)+ done lemma setNotification_ksDomScheduleId[wp]: "\\s. P (ksDomScheduleIdx s)\ setNotification a b \\rv s. P (ksDomScheduleIdx s)\" apply (simp add: setNotification_def setObject_def split_def) apply (wp updateObject_default_inv | simp)+ done lemma setNotification_ct_idle_or_in_cur_domain'[wp]: "\ ct_idle_or_in_cur_domain' \ setNotification ptr ntfn \ \_. ct_idle_or_in_cur_domain' \" apply (rule ct_idle_or_in_cur_domain'_lift) apply (wp hoare_vcg_disj_lift| rule obj_at_setObject2 | clarsimp simp: updateObject_default_def in_monad setNotification_def)+ done crunch gsUntypedZeroRanges[wp]: setNotification "\s. P (gsUntypedZeroRanges s)" (wp: setObject_ksPSpace_only updateObject_default_inv ignore: setObject) lemma set_ntfn_minor_invs': "\invs' and obj_at' (\ntfn. ntfn_q_refs_of' (ntfnObj ntfn) = ntfn_q_refs_of' (ntfnObj val) \ ntfn_bound_refs' (ntfnBoundTCB ntfn) = ntfn_bound_refs' (ntfnBoundTCB val)) ptr and valid_ntfn' val and (\s. live' (KONotification val) \ ex_nonz_cap_to' ptr s) and (\s. ptr \ ksIdleThread s) \ setNotification ptr val \\rv. invs'\" apply (clarsimp simp add: invs'_def valid_state'_def cteCaps_of_def) apply (wp irqs_masked_lift valid_irq_node_lift untyped_ranges_zero_lift, simp_all add: o_def) apply (clarsimp elim!: rsubst[where P=sym_refs] intro!: ext dest!: obj_at_state_refs_ofD')+ done lemma getEndpoint_wp: "\\s. \ep. ko_at' ep e s \ P ep s\ getEndpoint e \P\" apply (rule hoare_strengthen_post) apply (rule get_ep_sp') apply simp done lemma getNotification_wp: "\\s. \ntfn. ko_at' ntfn e s \ P ntfn s\ getNotification e \P\" apply (rule hoare_strengthen_post) apply (rule get_ntfn_sp') apply simp done lemma ep_redux_simps': "ep_q_refs_of' (case xs of [] \ IdleEP | y # ys \ SendEP xs) = (set xs \ {EPSend})" "ep_q_refs_of' (case xs of [] \ IdleEP | y # ys \ RecvEP xs) = (set xs \ {EPRecv})" "ntfn_q_refs_of' (case xs of [] \ IdleNtfn | y # ys \ WaitingNtfn xs) = (set xs \ {NTFNSignal})" by (fastforce split: list.splits simp: valid_ep_def valid_ntfn_def intro!: ext)+ (* There are two wp rules for preserving valid_ioc over set_object. First, the more involved rule for CNodes and TCBs *) (* Second, the simpler rule suitable for all objects except CNodes and TCBs. *) lemma valid_refs'_def2: "valid_refs' R (ctes_of s) = (\cref. \cte_wp_at' (\c. R \ capRange (cteCap c) \ {}) cref s)" by (auto simp: valid_refs'_def cte_wp_at_ctes_of ran_def) lemma idle_is_global [intro!]: "ksIdleThread s \ global_refs' s" by (simp add: global_refs'_def) lemma idle_global_cap_range: "valid_global_refs' s \ \ (\cref. cte_wp_at' (\c. ksIdleThread s \ capRange (cteCap c)) cref s)" by (auto simp: valid_global_refs'_def valid_refs'_def cte_wp_at_ctes_of) lemma valid_globals_cte_wpD': "\ valid_global_refs' s; cte_wp_at' P p s \ \ \cte. P cte \ ksIdleThread s \ capRange (cteCap cte)" by (fastforce simp: valid_global_refs'_def valid_refs'_def cte_wp_at_ctes_of) lemma dmo_aligned'[wp]: "\pspace_aligned'\ doMachineOp f \\_. pspace_aligned'\" apply (simp add: doMachineOp_def split_def) apply (wp select_wp) apply clarsimp done lemma dmo_distinct'[wp]: "\pspace_distinct'\ doMachineOp f \\_. pspace_distinct'\" apply (simp add: doMachineOp_def split_def) apply (wp select_wp) apply clarsimp done lemma dmo_valid_objs'[wp]: "\valid_objs'\ doMachineOp f \\_. valid_objs'\" apply (simp add: doMachineOp_def split_def) apply (wp select_wp) apply clarsimp done lemma dmo_inv': assumes R: "\P. \P\ f \\_. P\" shows "\P\ doMachineOp f \\_. P\" apply (simp add: doMachineOp_def split_def) apply (wp select_wp) apply clarsimp apply (drule in_inv_by_hoareD [OF R]) apply simp done crunch cte_wp_at'2[wp]: doMachineOp "\s. P (cte_wp_at' P' p s)" crunch typ_at'[wp]: doMachineOp "\s. P (typ_at' T p s)" lemmas doMachineOp_typ_ats[wp] = typ_at_lifts [OF doMachineOp_typ_at'] lemma doMachineOp_invs_bits[wp]: "\valid_pspace'\ doMachineOp m \\rv. valid_pspace'\" "\\s. sch_act_wf (ksSchedulerAction s) s\ doMachineOp m \\rv s. sch_act_wf (ksSchedulerAction s) s\" "\Invariants_H.valid_queues\ doMachineOp m \\rv. Invariants_H.valid_queues\" "\valid_queues'\ doMachineOp m \\rv. valid_queues'\" "\\s. P (state_refs_of' s)\ doMachineOp m \\rv s. P (state_refs_of' s)\" "\if_live_then_nonz_cap'\ doMachineOp m \\rv. if_live_then_nonz_cap'\" "\cur_tcb'\ doMachineOp m \\rv. cur_tcb'\" "\if_unsafe_then_cap'\ doMachineOp m \\rv. if_unsafe_then_cap'\" by (simp add: doMachineOp_def split_def valid_pspace'_def valid_queues_def valid_queues_no_bitmap_def bitmapQ_defs | wp cur_tcb_lift sch_act_wf_lift tcb_in_cur_domain'_lift | fastforce elim: valid_objs'_pspaceI state_refs_of'_pspaceI if_live_then_nonz_cap'_pspaceI)+ crunch cte_wp_at'[wp]: doMachineOp "\s. P (cte_wp_at' P' p s)" crunch obj_at'[wp]: doMachineOp "\s. P (obj_at' P' p s)" crunch it[wp]: doMachineOp "\s. P (ksIdleThread s)" crunch idle'[wp]: doMachineOp "valid_idle'" (wp: crunch_wps simp: crunch_simps valid_idle'_pspace_itI) crunch pde_mappings'[wp]: doMachineOp "valid_pde_mappings'" lemma setEndpoint_ksMachine: "\\s. P (ksMachineState s)\ setEndpoint ptr val \\rv s. P (ksMachineState s)\" by (simp add: setEndpoint_def | wp setObject_ksMachine updateObject_default_inv)+ lemma setEndpoint_ksArch: "\\s. P (ksArchState s)\ setEndpoint ep_ptr val \\_ s. P (ksArchState s)\" apply (simp add: setEndpoint_def setObject_def split_def) apply (wp updateObject_default_inv | simp)+ done lemmas setEndpoint_valid_irq_states' = valid_irq_states_lift' [OF setEndpoint_ksInterruptState setEndpoint_ksMachine] (* analagous to ex_cte_cap_to'_cteCap, elsewhere *) lemma ex_cte_cap_wp_to'_cteCap: "ex_cte_cap_wp_to' P p = (\s. \p' c. cteCaps_of s p' = Some c \ P c \ p \ cte_refs' c (irq_node' s))" apply (simp add: ex_cte_cap_to'_def cteCaps_of_def cte_wp_at_ctes_of) apply (rule ext, fastforce) done lemma setEndpoint_ct': "\\s. P (ksCurThread s)\ setEndpoint a b \\rv s. P (ksCurThread s)\" apply (simp add: setEndpoint_def setObject_def split_def) apply (wp updateObject_default_inv | simp)+ done crunch ksArchState[wp]: setEndpoint "\s. P (ksArchState s)" (ignore: setObject wp: updateObject_default_inv) lemmas setEndpoint_valid_globals[wp] = valid_global_refs_lift' [OF set_ep_ctes_of setEndpoint_ksArchState setEndpoint_it setEndpoint_ksInterruptState] end end