lh-l4v/proof/infoflow/refine/ARM/Example_Valid_StateH.thy

(*
 * Copyright 2023, Proofcraft Pty Ltd
 * Copyright 2020, Data61, CSIRO (ABN 41 687 119 230)
 *
 * SPDX-License-Identifier: GPL-2.0-only
 *)

theory Example_Valid_StateH
imports "InfoFlow.Example_Valid_State" ArchADT_IF_Refine
begin

context begin interpretation Arch . (*FIXME: arch_split*)

section \<open>Haskell state\<close>

text \<open>One invariant we need on s0 is that there exists
        an associated Haskell state satisfying the invariants.
        This does not yet exist.\<close>

subsection \<open>Defining the State\<close>

text \<open>Low's CSpace\<close>

definition
  empty_cte :: "nat \<Rightarrow> bool list \<Rightarrow> (capability \<times> mdbnode) option"
where
  "empty_cte bits \<equiv> \<lambda>x. if length x = bits then Some (capability.NullCap, MDB 0 0 False False) else None"

abbreviation (input)
  Null_mdb :: "mdbnode"
where
  "Null_mdb \<equiv> MDB 0 0 False False"

definition
  Low_capsH :: "cnode_index \<Rightarrow> (capability \<times> mdbnode) option"
where
  "Low_capsH \<equiv>
   (empty_cte 10)
      ( (the_nat_to_bl_10 1)
            \<mapsto> (Structures_H.ThreadCap Low_tcb_ptr, Null_mdb),
        (the_nat_to_bl_10 2)
            \<mapsto> (Structures_H.CNodeCap Low_cnode_ptr 10 2 10, MDB 0 Low_tcb_ptr False False),
        (the_nat_to_bl_10 3)
            \<mapsto> (Structures_H.ArchObjectCap (ARM_H.PageDirectoryCap Low_pd_ptr
                                             (Some Low_asid)), MDB 0 (Low_tcb_ptr + 0x10) False False),
        (the_nat_to_bl_10 318)
            \<mapsto> (Structures_H.NotificationCap ntfn_ptr 0 True False,
               MDB (Silc_cnode_ptr + 318 * 0x10) 0 False False))"

definition
  Low_cte' :: "10 word \<Rightarrow> Structures_H.cte option"
where
  "Low_cte' \<equiv> (map_option (\<lambda>(cap, mdb). CTE cap mdb)) \<circ> Low_capsH \<circ> to_bl"

definition
  Low_cte :: "word32 \<Rightarrow> word32 \<Rightarrow> Structures_H.kernel_object option"
where
  "Low_cte \<equiv> \<lambda>base offs. if is_aligned offs cte_level_bits \<and> base \<le> offs \<and> offs \<le> base + 2 ^ 14 - 1
                         then map_option (\<lambda>cte. KOCTE cte) (Low_cte' (ucast (offs - base >> cte_level_bits))) else None"


text \<open>High's Cspace\<close>

definition
  High_capsH :: "cnode_index \<Rightarrow> (capability \<times> mdbnode) option"
where
  "High_capsH \<equiv>
   (empty_cte 10)
      ( (the_nat_to_bl_10 1)
            \<mapsto> (Structures_H.ThreadCap High_tcb_ptr, Null_mdb),
        (the_nat_to_bl_10 2)
            \<mapsto> (Structures_H.CNodeCap High_cnode_ptr 10 2 10, MDB 0 High_tcb_ptr False False),
        (the_nat_to_bl_10 3)
           \<mapsto> (Structures_H.ArchObjectCap (ARM_H.PageDirectoryCap High_pd_ptr
                                            (Some High_asid)), MDB 0 (High_tcb_ptr + 0x10) False False),
        (the_nat_to_bl_10 318)
           \<mapsto> (Structures_H.NotificationCap ntfn_ptr 0 False True,
               MDB 0 (Silc_cnode_ptr + 318 * 0x10) False False))"

definition
  High_cte' :: "10 word \<Rightarrow> Structures_H.cte option"
where
  "High_cte' \<equiv> (map_option (\<lambda>(cap, mdb). CTE cap mdb)) \<circ> High_capsH \<circ> to_bl"

definition
  High_cte :: "word32 \<Rightarrow> word32 \<Rightarrow> Structures_H.kernel_object option"
where
  "High_cte \<equiv> \<lambda>base offs. if is_aligned offs cte_level_bits \<and> base \<le> offs \<and> offs \<le> base + 2 ^ 14 - 1
                          then map_option (\<lambda>cte. KOCTE cte) (High_cte' (ucast (offs - base >> cte_level_bits))) else None"

text \<open>We need a copy of boundary crossing caps owned by SilcLabel.
        The only such cap is Low's cap to the notification\<close>

definition
  Silc_capsH :: "cnode_index \<Rightarrow> (capability \<times> mdbnode) option"
where
  "Silc_capsH \<equiv>
   (empty_cte 10)
      ( (the_nat_to_bl_10 2)
            \<mapsto> (Structures_H.CNodeCap Silc_cnode_ptr 10 2 10, Null_mdb),
        (the_nat_to_bl_10 318)
            \<mapsto> (Structures_H.NotificationCap ntfn_ptr 0 True False,
               MDB (High_cnode_ptr + 318 * 0x10) (Low_cnode_ptr + 318 * 0x10) False False))"

definition
  Silc_cte' :: "10 word \<Rightarrow> Structures_H.cte option"
where
  "Silc_cte' \<equiv> (map_option (\<lambda>(cap, mdb). CTE cap mdb)) \<circ> Silc_capsH \<circ> to_bl"

definition
  Silc_cte :: "word32 \<Rightarrow> word32 \<Rightarrow> Structures_H.kernel_object option"
where
  "Silc_cte \<equiv> \<lambda>base offs. if is_aligned offs cte_level_bits \<and> base \<le> offs \<and> offs \<le> base + 2 ^ 14 - 1
                          then map_option (\<lambda>cte. KOCTE cte) (Silc_cte' (ucast (offs - base >> cte_level_bits))) else None"

text \<open>notification between Low and High\<close>

definition
  ntfnH :: Structures_H.notification
where
  "ntfnH \<equiv> Structures_H.NTFN (Structures_H.ntfn.WaitingNtfn [High_tcb_ptr]) None"


text \<open>Low's VSpace (PageDirectory)\<close>

definition
  Low_pt'H :: "word8 \<Rightarrow> ARM_H.pte "
where
  "Low_pt'H \<equiv> (\<lambda>_. ARM_H.InvalidPTE)
            (0 := ARM_H.SmallPagePTE shared_page_ptr_phys (PageCacheable \<in> {}) (Global \<in> {}) (XNever \<in> {}) (vmrights_map vm_read_write))"

definition
  Low_ptH :: "word32 \<Rightarrow> word32 \<Rightarrow> Structures_H.kernel_object option"
where
  "Low_ptH \<equiv>
     \<lambda>base. (map_option (\<lambda>x. Structures_H.KOArch (ARM_H.KOPTE (Low_pt'H x)))) \<circ>
            (\<lambda>offs. if is_aligned offs 2 \<and> base \<le> offs \<and> offs \<le> base + 2 ^ 10 - 1
                    then Some (ucast (offs - base >> 2)) else None)"

definition
  [simp]:
  "global_pdH \<equiv> (\<lambda>_. ARM_H.InvalidPDE)( ucast (kernel_base >> 20) :=
       ARM_H.SectionPDE (addrFromPPtr kernel_base) (ParityEnabled \<in> {}) 0
                             (PageCacheable \<in> {}) (Global \<in> {}) (XNever \<in> {}) (vmrights_map {}))"


definition
  Low_pd'H :: "12 word \<Rightarrow> ARM_H.pde "
where
  "Low_pd'H \<equiv>
    global_pdH
     (0 := ARM_H.PageTablePDE
              (addrFromPPtr Low_pt_ptr)
              (ParityEnabled \<in> {})
              undefined)"

(* used addrFromPPtr because proof gives me ptrFromAddr.. TODO: check
if it's right *)

definition
  Low_pdH :: "word32 \<Rightarrow> word32 \<Rightarrow> Structures_H.kernel_object option"
where
  "Low_pdH \<equiv>
     \<lambda>base. (map_option (\<lambda>x. Structures_H.KOArch (ARM_H.KOPDE (Low_pd'H x)))) \<circ>
            (\<lambda>offs. if is_aligned offs 2 \<and> base \<le> offs \<and> offs \<le> base + 2 ^ 14 - 1
                    then Some (ucast (offs - base >> 2)) else None)"


text \<open>High's VSpace (PageDirectory)\<close>


definition
  High_pt'H :: "word8 \<Rightarrow> ARM_H.pte "
where
  "High_pt'H \<equiv>
    (\<lambda>_. ARM_H.InvalidPTE)
     (0 := ARM_H.SmallPagePTE shared_page_ptr_phys (PageCacheable \<in> {}) (Global \<in> {}) (XNever \<in> {})
                      (vmrights_map vm_read_only))"


definition
  High_ptH :: "word32 \<Rightarrow> word32 \<Rightarrow> Structures_H.kernel_object option"
where
  "High_ptH \<equiv>
     \<lambda>base. (map_option (\<lambda>x. Structures_H.KOArch (ARM_H.KOPTE (High_pt'H x)))) \<circ>
            (\<lambda>offs. if is_aligned offs 2 \<and> base \<le> offs \<and> offs \<le> base + 2 ^ 10 - 1
                    then Some (ucast (offs - base >> 2)) else None)"


definition
  High_pd'H :: "12 word \<Rightarrow> ARM_H.pde "
where
  "High_pd'H \<equiv>
    global_pdH
     (0 := ARM_H.PageTablePDE
             (addrFromPPtr High_pt_ptr)
             (ParityEnabled \<in> {})
             undefined )"

(* used addrFromPPtr because proof gives me ptrFromAddr.. TODO: check
if it's right *)

definition
  High_pdH :: "word32 \<Rightarrow> word32 \<Rightarrow> Structures_H.kernel_object option"
where
  "High_pdH \<equiv>
     \<lambda>base. (map_option (\<lambda>x. Structures_H.KOArch (ARM_H.KOPDE (High_pd'H x)))) \<circ>
            (\<lambda>offs. if is_aligned offs 2 \<and> base \<le> offs \<and> offs \<le> base + 2 ^ 14 - 1
                    then Some (ucast (offs - base >> 2)) else None)"


text \<open>Low's tcb\<close>

definition
  Low_tcbH :: Structures_H.tcb
where
  "Low_tcbH \<equiv> Thread
     \<comment> \<open>tcbCTable          =\<close> (CTE (CNodeCap Low_cnode_ptr 10 2 10)
                                     (MDB (Low_cnode_ptr + 0x20) 0 False False))
     \<comment> \<open>tcbVTable          =\<close> (CTE (ArchObjectCap (PageDirectoryCap Low_pd_ptr (Some Low_asid))) (MDB (Low_cnode_ptr + 0x30) 0 False False))
     \<comment> \<open>tcbReply           =\<close> (CTE (ReplyCap Low_tcb_ptr True True) (MDB 0 0 True True)) \<comment> \<open>master reply cap to itself\<close>
     \<comment> \<open>tcbCaller          =\<close> (CTE NullCap Null_mdb)
     \<comment> \<open>tcbIPCBufferFrame  =\<close> (CTE NullCap Null_mdb)
     \<comment> \<open>tcbDomain          =\<close> Low_domain
     \<comment> \<open>tcbState           =\<close> Running
     \<comment> \<open>tcbMCPriority      =\<close> Low_mcp
     \<comment> \<open>tcbPriority        =\<close> Low_prio
     \<comment> \<open>tcbQueued          =\<close> False
     \<comment> \<open>tcbFault           =\<close> None
     \<comment> \<open>tcbTimeSlice       =\<close> Low_time_slice
     \<comment> \<open>tcbFaultHandler    =\<close> 0
     \<comment> \<open>tcbIPCBuffer       =\<close> 0
     \<comment> \<open>tcbBoundNotification        =\<close> None
     \<comment> \<open>tcbContext         =\<close> (ArchThread undefined)"


text \<open>High's tcb\<close>
definition
  High_tcbH :: Structures_H.tcb
where
  "High_tcbH \<equiv> Thread
     \<comment> \<open>tcbCTable          =\<close> (CTE (CNodeCap High_cnode_ptr 10 2 10)
                                     (MDB (High_cnode_ptr + 0x20) 0 False False))
     \<comment> \<open>tcbVTable          =\<close> (CTE (ArchObjectCap (PageDirectoryCap High_pd_ptr (Some High_asid))) (MDB (High_cnode_ptr + 0x30) 0 False False))
     \<comment> \<open>tcbReply           =\<close> (CTE (ReplyCap High_tcb_ptr True True) (MDB 0 0 True True)) \<comment> \<open>master reply cap to itself\<close>
     \<comment> \<open>tcbCaller          =\<close> (CTE NullCap Null_mdb)
     \<comment> \<open>tcbIPCBufferFrame  =\<close> (CTE NullCap Null_mdb)
     \<comment> \<open>tcbDomain          =\<close> High_domain
     \<comment> \<open>tcbState           =\<close> (BlockedOnNotification ntfn_ptr)
     \<comment> \<open>tcbMCPriority      =\<close> High_mcp
     \<comment> \<open>tcbPriority        =\<close> High_prio
     \<comment> \<open>tcbQueued          =\<close> False
     \<comment> \<open>tcbFault           =\<close> None
     \<comment> \<open>tcbTimeSlice       =\<close> High_time_slice
     \<comment> \<open>tcbFaultHandler    =\<close> 0
     \<comment> \<open>tcbIPCBuffer       =\<close> 0
     \<comment> \<open>tcbBoundNotification        =\<close> None
     \<comment> \<open>tcbContext         =\<close> (ArchThread undefined)"


text \<open>idle's tcb\<close>

definition
  idle_tcbH :: Structures_H.tcb
where
  "idle_tcbH \<equiv> Thread
     \<comment> \<open>tcbCTable          =\<close> (CTE NullCap Null_mdb)
     \<comment> \<open>tcbVTable          =\<close> (CTE NullCap Null_mdb)
     \<comment> \<open>tcbReply           =\<close> (CTE NullCap Null_mdb)
     \<comment> \<open>tcbCaller          =\<close> (CTE NullCap Null_mdb)
     \<comment> \<open>tcbIPCBufferFrame  =\<close> (CTE NullCap Null_mdb)
     \<comment> \<open>tcbDomain          =\<close> default_domain
     \<comment> \<open>tcbState           =\<close> IdleThreadState
     \<comment> \<open>tcbMCPriority      =\<close> default_priority
     \<comment> \<open>tcbPriority        =\<close> default_priority
     \<comment> \<open>tcbQueued          =\<close> False
     \<comment> \<open>tcbFault           =\<close> None
     \<comment> \<open>tcbTimeSlice       =\<close> timeSlice
     \<comment> \<open>tcbFaultHandler    =\<close> 0
     \<comment> \<open>tcbIPCBuffer       =\<close> 0
     \<comment> \<open>tcbBoundNotification        =\<close> None
     \<comment> \<open>tcbContext         =\<close> (ArchThread empty_context)"

definition
  irq_cte :: "Structures_H.cte"
where
  "irq_cte \<equiv> CTE capability.NullCap Null_mdb"

definition
  option_update_range :: "('a \<Rightarrow> 'b option) \<Rightarrow> ('a \<Rightarrow> 'b option) \<Rightarrow> ('a \<Rightarrow> 'b option)"
where
  "option_update_range f g \<equiv> \<lambda>x. case f x of None \<Rightarrow> g x | Some y \<Rightarrow> Some y"

definition
  global_pdH' :: "word32 \<Rightarrow> word32 \<Rightarrow> Structures_H.kernel_object option"
where
  "global_pdH' \<equiv> \<lambda>base.
     (map_option (\<lambda>x. Structures_H.KOArch (ARM_H.KOPDE (global_pdH (x::12 word))))) \<circ>
     (\<lambda>offs. if is_aligned offs 2 \<and> base \<le> offs \<and> offs \<le> base + 2 ^ 14 - 1
             then Some (ucast (offs - base >> 2)) else None)"

definition
  kh0H :: "(word32 \<rightharpoonup> Structures_H.kernel_object)"
where
  "kh0H \<equiv> (option_update_range
           (\<lambda>x. if \<exists>irq::10 word. init_irq_node_ptr + (ucast irq << cte_level_bits) = x
                then Some (KOCTE (CTE capability.NullCap Null_mdb)) else None) \<circ>
          option_update_range (Low_cte Low_cnode_ptr) \<circ>
          option_update_range (High_cte High_cnode_ptr) \<circ>
          option_update_range (Silc_cte Silc_cnode_ptr) \<circ>
          option_update_range [ntfn_ptr \<mapsto> KONotification ntfnH] \<circ>
          option_update_range [irq_cnode_ptr \<mapsto> KOCTE irq_cte] \<circ>
          option_update_range (Low_pdH Low_pd_ptr) \<circ>
          option_update_range (High_pdH High_pd_ptr) \<circ>
          option_update_range (Low_ptH Low_pt_ptr) \<circ>
          option_update_range (High_ptH High_pt_ptr) \<circ>
          option_update_range [Low_tcb_ptr \<mapsto> KOTCB Low_tcbH] \<circ>
          option_update_range [High_tcb_ptr \<mapsto> KOTCB High_tcbH] \<circ>
          option_update_range [idle_tcb_ptr \<mapsto> KOTCB idle_tcbH] \<circ>
          option_update_range (global_pdH' init_global_pd) \<circ>
          option_update_range [init_globals_frame \<mapsto> KOUserData]
          ) Map.empty"

lemma s0_ptrs_aligned:
  "is_aligned init_global_pd 14"
  "is_aligned High_pd_ptr 14"
  "is_aligned Low_pd_ptr 14"
  "is_aligned High_pt_ptr 10"
  "is_aligned Low_pt_ptr 10"
  "is_aligned Silc_cnode_ptr 14"
  "is_aligned High_cnode_ptr 14"
  "is_aligned Low_cnode_ptr 14"
  "is_aligned High_tcb_ptr 9"
  "is_aligned Low_tcb_ptr 9"
  "is_aligned idle_tcb_ptr 9"
  "is_aligned ntfn_ptr 4"
  "is_aligned irq_cnode_ptr 10"
  by (simp_all add: is_aligned_def s0_ptr_defs)

lemma pd_offs_min':
  "is_aligned ptr 14 \<Longrightarrow> (ptr::32 word) \<le> ptr + (ucast (x:: 12 word) << 2)"
  apply (erule is_aligned_no_wrap'[OF _ ucast_less_shiftl_helper])
   apply (simp add: word_bits_def)
  apply simp
  done

lemma pd_offs_min:
  "Low_pd_ptr \<le> Low_pd_ptr + (ucast (x:: 12 word) << 2)"
  "High_pd_ptr \<le> High_pd_ptr + (ucast (x:: 12 word) << 2)"
  "init_global_pd \<le> init_global_pd + (ucast (x:: 12 word) << 2)"
  by (simp_all add: pd_offs_min' s0_ptrs_aligned)

lemma pd_offs_max':
  "is_aligned ptr 14 \<Longrightarrow> (ptr::word32) + (ucast (x:: 12 word) << 2) \<le> ptr + 0x3fff"
  apply (rule word_plus_mono_right)
   apply (simp add: shiftl_t2n mult.commute)
   apply (rule div_to_mult_word_lt)
   apply simp
   apply (rule plus_one_helper)
   apply simp
   apply (cut_tac ucast_less[where x=x])
    apply simp
   apply simp
  apply (drule is_aligned_no_overflow)
  apply (simp add: add.commute)
  done

lemma pd_offs_max:
  "Low_pd_ptr + (ucast (x:: 12 word) << 2) \<le> Low_pd_ptr + 0x3fff"
  "High_pd_ptr + (ucast (x:: 12 word) << 2) \<le> High_pd_ptr + 0x3fff"
  "init_global_pd + (ucast (x:: 12 word) << 2) \<le> init_global_pd + 0x3fff"
  by (simp_all add: pd_offs_max' s0_ptrs_aligned)

definition pd_offs_range where
  "pd_offs_range (ptr::word32) \<equiv> {x. ptr \<le> x \<and> x \<le> ptr + 2 ^ 14 - 1}
                         \<inter> {x. is_aligned x 2}"

lemma pd_offs_in_range':
  "is_aligned ptr 14 \<Longrightarrow>
     ptr + (ucast (x:: 12 word) << 2) \<in> pd_offs_range ptr"
  apply (clarsimp simp: pd_offs_min' pd_offs_max' pd_offs_range_def add.commute)
  apply (rule is_aligned_add[OF _ is_aligned_shift])
  apply (erule is_aligned_weaken)
  apply simp
  done

lemma pd_offs_in_range:
  "Low_pd_ptr + (ucast (x:: 12 word) << 2) \<in> pd_offs_range Low_pd_ptr"
  "High_pd_ptr + (ucast (x:: 12 word) << 2) \<in> pd_offs_range High_pd_ptr"
  "init_global_pd + (ucast (x:: 12 word) << 2) \<in> pd_offs_range init_global_pd"
  by (simp_all add: pd_offs_in_range' s0_ptrs_aligned)

lemma pd_offs_range_correct':
  "\<lbrakk>x \<in> pd_offs_range ptr; is_aligned ptr 14\<rbrakk>
    \<Longrightarrow> \<exists>y. x = ptr + (ucast (y:: 12 word) << 2)"
  apply (clarsimp simp: pd_offs_range_def s0_ptr_defs cte_level_bits_def)
  apply (rule_tac x="ucast ((x - ptr) >> 2)" in exI)
  apply (clarsimp simp: ucast_ucast_mask)
  apply (subst aligned_shiftr_mask_shiftl)
   apply (rule aligned_sub_aligned)
     apply assumption
    apply (erule is_aligned_weaken)
    apply simp
   apply simp
  apply simp
  apply (rule_tac n=14 in mask_eqI)
   apply (subst mask_add_aligned)
    apply (simp add: is_aligned_def)
   apply (simp add: mask_twice)
   apply (subst diff_conv_add_uminus)
   apply (subst add.commute[symmetric])
   apply (subst mask_add_aligned)
    apply (simp add: is_aligned_minus)
   apply simp
  apply (subst diff_conv_add_uminus)
  apply (subst add_mask_lower_bits)
    apply (simp add: is_aligned_def)
   apply clarsimp
  apply (cut_tac x=x and y="ptr + 0x3FFF" and n=14 in neg_mask_mono_le)
   apply (simp add: add.commute)
  apply (drule_tac n=14 in aligned_le_sharp)
   apply (simp add: is_aligned_def)
  apply (simp add: add.commute)
  apply (subst(asm) mask_out_add_aligned[symmetric])
   apply (erule is_aligned_weaken)
   apply simp
  apply (simp add: mask_def)
  done

lemma pd_offs_range_correct:
  "x \<in> pd_offs_range Low_pd_ptr \<Longrightarrow> \<exists>y. x = Low_pd_ptr + (ucast (y:: 12 word) << 2)"
  "x \<in> pd_offs_range High_pd_ptr \<Longrightarrow> \<exists>y. x = High_pd_ptr + (ucast (y:: 12 word) << 2)"
  "x \<in> pd_offs_range init_global_pd \<Longrightarrow> \<exists>y. x = init_global_pd + (ucast (y:: 12 word) << 2)"
  by (simp_all add: pd_offs_range_correct' s0_ptrs_aligned)

lemma pt_offs_min':
  "is_aligned ptr 10 \<Longrightarrow> (ptr::word32) \<le> ptr + (ucast (x:: 8 word) << 2)"
  apply (erule is_aligned_no_wrap')
  apply (rule ucast_less_shiftl_helper)
   apply (simp add: word_bits_def)
  apply simp
  done

lemma pt_offs_min:
  "Low_pt_ptr \<le> Low_pt_ptr + (ucast (x:: 8 word) << 2)"
  "High_pt_ptr \<le> High_pt_ptr + (ucast (x:: 8 word) << 2)"
  by (simp_all add: pt_offs_min' s0_ptrs_aligned)

lemma pt_offs_max':
  "is_aligned ptr 10 \<Longrightarrow> (ptr::word32) + (ucast (x:: 8 word) << 2) \<le> ptr + 0x3ff"
  apply (rule word_plus_mono_right)
   apply (simp add: shiftl_t2n mult.commute)
   apply (rule div_to_mult_word_lt)
   apply simp
   apply (rule plus_one_helper)
   apply simp
   apply (cut_tac ucast_less[where x=x])
    apply simp
   apply simp
  apply (drule is_aligned_no_overflow)
  apply (simp add: add.commute)
  done

lemma pt_offs_max:
  "Low_pt_ptr + (ucast (x:: 8 word) << 2) \<le> Low_pt_ptr + 0x3ff"
  "High_pt_ptr + (ucast (x:: 8 word) << 2) \<le> High_pt_ptr + 0x3ff"
  by (simp_all add: pt_offs_max' s0_ptrs_aligned)

definition pt_offs_range where
  "pt_offs_range (ptr::word32) \<equiv> {x. ptr \<le> x \<and> x \<le> ptr + 2 ^ 10 - 1}
                         \<inter> {x. is_aligned x 2}"

lemma pt_offs_in_range':
  "is_aligned ptr 10 \<Longrightarrow>
     ptr + (ucast (x:: 8 word) << 2) \<in> pt_offs_range ptr"
  apply (clarsimp simp: pt_offs_min' pt_offs_max' pt_offs_range_def add.commute)
  apply (rule is_aligned_add[OF _ is_aligned_shift])
  apply (erule is_aligned_weaken)
  apply simp
  done

lemma pt_offs_in_range:
  "Low_pt_ptr + (ucast (x:: 8 word) << 2) \<in> pt_offs_range Low_pt_ptr"
  "High_pt_ptr + (ucast (x:: 8 word) << 2) \<in> pt_offs_range High_pt_ptr"
  by (simp_all add: pt_offs_in_range' s0_ptrs_aligned)

lemma pt_offs_range_correct':
  "\<lbrakk>x \<in> pt_offs_range ptr; is_aligned ptr 10\<rbrakk>
    \<Longrightarrow> \<exists>y. x = ptr + (ucast (y:: 8 word) << 2)"
  apply (clarsimp simp: pt_offs_range_def s0_ptr_defs cte_level_bits_def)
  apply (rule_tac x="ucast ((x - ptr) >> 2)" in exI)
  apply (clarsimp simp: ucast_ucast_mask)
  apply (subst aligned_shiftr_mask_shiftl)
   apply (rule aligned_sub_aligned)
     apply assumption
    apply (erule is_aligned_weaken)
    apply simp
   apply simp
  apply simp
  apply (rule_tac n=10 in mask_eqI)
   apply (subst mask_add_aligned)
    apply (simp add: is_aligned_def)
   apply (simp add: mask_twice)
   apply (subst diff_conv_add_uminus)
   apply (subst add.commute[symmetric])
   apply (subst mask_add_aligned)
    apply (simp add: is_aligned_minus)
   apply simp
  apply (subst diff_conv_add_uminus)
  apply (subst add_mask_lower_bits)
    apply (simp add: is_aligned_def)
   apply clarsimp
  apply (cut_tac x=x and y="ptr + 0x3FF" and n=10 in neg_mask_mono_le)
   apply (simp add: add.commute)
  apply (drule_tac n=10 in aligned_le_sharp)
   apply (simp add: is_aligned_def)
  apply (simp add: add.commute)
  apply (subst(asm) mask_out_add_aligned[symmetric])
   apply (erule is_aligned_weaken)
   apply simp
  apply (simp add: mask_def)
  done

lemma pt_offs_range_correct:
  "x \<in> pt_offs_range Low_pt_ptr \<Longrightarrow> \<exists>y. x = Low_pt_ptr + (ucast (y:: 8 word) << 2)"
  "x \<in> pt_offs_range High_pt_ptr \<Longrightarrow> \<exists>y. x = High_pt_ptr + (ucast (y:: 8 word) << 2)"
  by (simp_all add: pt_offs_range_correct' s0_ptrs_aligned)

(* FIXME: move to Word_Lib_l4v *)
lemma bl_to_bin_le2p_aux:
  "bl_to_bin_aux bs w \<le> (w + 1) * (2 ^ length bs) - 1"
  apply (induct bs arbitrary: w)
   apply clarsimp
  apply clarsimp
  apply (rule conjI; clarsimp)
  apply (drule meta_spec, erule xtr8 [rotated], simp)+
  done

(* FIXME: move to Word_Lib_l4v *)
lemma bl_to_bin_le2p: "bl_to_bin bs \<le> (2 ^ length bs) - 1"
  apply (unfold bl_to_bin_def)
  apply (rule xtr3)
   prefer 2
   apply (rule bl_to_bin_le2p_aux)
  apply simp
  done

(* FIXME: move to Word_Lib_l4v *)
lemma of_bl_length_le:
  "length x = k \<Longrightarrow> k < len_of TYPE('a) \<Longrightarrow> (of_bl x :: 'a :: len word) \<le> 2 ^ k - 1"
  by (simp add: of_bl_length_less)

lemma cnode_offs_min':
  "\<lbrakk>is_aligned ptr 14; length x = 10\<rbrakk> \<Longrightarrow> (ptr::word32) \<le> ptr + of_bl x * 0x10"
  apply (erule is_aligned_no_wrap')
  apply (rule div_lt_mult)
   apply (drule of_bl_length_less[where 'a=32])
    apply simp
   apply simp
  apply simp
  done

lemma cnode_offs_min:
  "length x = 10 \<Longrightarrow> Low_cnode_ptr \<le> Low_cnode_ptr + of_bl x * 0x10"
  "length x = 10 \<Longrightarrow> High_cnode_ptr \<le> High_cnode_ptr + of_bl x * 0x10"
  "length x = 10 \<Longrightarrow> Silc_cnode_ptr \<le> Silc_cnode_ptr + of_bl x * 0x10"
  by (simp_all add: cnode_offs_min' s0_ptrs_aligned)

lemma cnode_offs_max':
  "\<lbrakk>is_aligned ptr 14; length x = 10\<rbrakk> \<Longrightarrow> (ptr::word32) + of_bl x * 0x10 \<le> ptr + 0x3fff"
  apply (rule word_plus_mono_right)
   apply (rule div_to_mult_word_lt)
   apply simp
   apply (rule plus_one_helper)
   apply simp
   apply (drule of_bl_length_less[where 'a=32])
    apply simp
   apply simp
  apply (drule is_aligned_no_overflow)
  apply (simp add: add.commute)
  done

lemma cnode_offs_max:
  "length x = 10 \<Longrightarrow> Low_cnode_ptr + of_bl x * 0x10 \<le> Low_cnode_ptr + 0x3fff"
  "length x = 10 \<Longrightarrow> High_cnode_ptr + of_bl x * 0x10 \<le> High_cnode_ptr + 0x3fff"
  "length x = 10 \<Longrightarrow> Silc_cnode_ptr + of_bl x * 0x10 \<le> Silc_cnode_ptr + 0x3fff"
  by (simp_all add: cnode_offs_max' s0_ptrs_aligned)

definition cnode_offs_range where
  "cnode_offs_range (ptr::word32) \<equiv> {x. ptr \<le> x \<and> x \<le> ptr + 2 ^ 14 - 1}
                         \<inter> {x. is_aligned x cte_level_bits}"

lemma cnode_offs_in_range':
  "\<lbrakk>is_aligned ptr 14; length x = 10\<rbrakk> \<Longrightarrow>
     ptr + of_bl x * 0x10 \<in> cnode_offs_range ptr"
  apply (clarsimp simp: cnode_offs_min' cnode_offs_max' cnode_offs_range_def add.commute cte_level_bits_def)
  apply (rule is_aligned_add)
   apply (erule is_aligned_weaken)
   apply simp
  apply (rule_tac is_aligned_mult_triv2[where x="of_bl x" and n=4, simplified])
  done

lemma cnode_offs_in_range:
  "length x = 10 \<Longrightarrow> Low_cnode_ptr + of_bl x * 0x10 \<in> cnode_offs_range Low_cnode_ptr"
  "length x = 10 \<Longrightarrow> High_cnode_ptr + of_bl x * 0x10 \<in> cnode_offs_range High_cnode_ptr"
  "length x = 10 \<Longrightarrow> Silc_cnode_ptr + of_bl x * 0x10 \<in> cnode_offs_range Silc_cnode_ptr"
  by (simp_all add: cnode_offs_in_range' s0_ptrs_aligned)

(* FIXME: move to Word_Lib_l4v *)
lemma le_mask_eq: "x \<le> 2 ^ n - 1 \<Longrightarrow> x AND mask n = (x :: 'a :: len word)"
  by (metis and_mask_eq_iff_le_mask mask_2pm1)

(* FIXME: move to Word_Lib_l4v *)
lemma word_div_mult':
  fixes c :: "'a::len word"
  shows "\<lbrakk>0 < c; a \<le> b * c \<rbrakk> \<Longrightarrow> a div c \<le> b"
  using div_lt_mult word_le_not_less by blast

lemma cnode_offs_range_correct':
  "\<lbrakk>x \<in> cnode_offs_range ptr; is_aligned ptr 14\<rbrakk>
    \<Longrightarrow> \<exists>y. length y = 10 \<and> (x = ptr + of_bl y * 0x10)"
  apply (clarsimp simp: cnode_offs_range_def s0_ptr_defs cte_level_bits_def)
  apply (rule_tac x="to_bl (ucast ((x - ptr) div 0x10):: 10 word)" in exI)
  apply (clarsimp simp: to_bl_ucast of_bl_drop)
  apply (subst le_mask_eq)
   apply simp
   apply (rule word_div_mult')
    apply simp
   apply simp
   apply (rule word_diff_ls')
   apply (drule_tac a=x and n=4 in aligned_le_sharp)
    apply simp
    apply (simp add: add.commute)
    apply (subst(asm) mask_out_add_aligned[symmetric])
     apply (erule is_aligned_weaken)
     apply simp
    apply (simp add: mask_def)
   apply simp
  apply (clarsimp simp: neg_mask_is_div[where n=4, simplified, symmetric])
  apply (subst is_aligned_neg_mask_eq)
   apply (rule aligned_sub_aligned)
     apply assumption
    apply (erule is_aligned_weaken)
    apply simp
   apply simp
  apply simp
  done

lemma cnode_offs_range_correct:
  "x \<in> cnode_offs_range Low_cnode_ptr \<Longrightarrow> \<exists>y. length y = 10 \<and> (x = Low_cnode_ptr + of_bl y * 0x10)"
  "x \<in> cnode_offs_range High_cnode_ptr \<Longrightarrow> \<exists>y. length y = 10 \<and> (x = High_cnode_ptr + of_bl y * 0x10)"
  "x \<in> cnode_offs_range Silc_cnode_ptr \<Longrightarrow> \<exists>y. length y = 10 \<and> (x = Silc_cnode_ptr + of_bl y * 0x10)"
  by (simp_all add: cnode_offs_range_correct' s0_ptrs_aligned)


lemma tcb_offs_min':
  "is_aligned ptr 9 \<Longrightarrow> (ptr::word32) \<le> ptr + ucast (x:: 9 word)"
  apply (erule is_aligned_no_wrap')
  apply (cut_tac x=x and 'a=32 in ucast_less)
   apply simp
  apply simp
  done

lemma tcb_offs_min:
  "Low_tcb_ptr \<le> Low_tcb_ptr + ucast (x:: 9 word)"
  "High_tcb_ptr \<le> High_tcb_ptr + ucast (x:: 9 word)"
  "idle_tcb_ptr \<le> idle_tcb_ptr + ucast (x:: 9 word)"
  by (simp_all add: tcb_offs_min' s0_ptrs_aligned)

lemma tcb_offs_max':
  "is_aligned ptr 9 \<Longrightarrow> (ptr::word32) + ucast (x:: 9 word) \<le> ptr + 0x1ff"
  apply (rule word_plus_mono_right)
   apply (rule plus_one_helper)
   apply (cut_tac ucast_less[where x=x and 'a=32])
    apply simp
   apply simp
  apply (drule is_aligned_no_overflow)
  apply (simp add: add.commute)
  done

lemma tcb_offs_max:
  "Low_tcb_ptr + ucast (x:: 9 word) \<le> Low_tcb_ptr + 0x1ff"
  "High_tcb_ptr + ucast (x:: 9 word) \<le> High_tcb_ptr + 0x1ff"
  "idle_tcb_ptr + ucast (x:: 9 word) \<le> idle_tcb_ptr + 0x1ff"
  by (simp_all add: tcb_offs_max' s0_ptrs_aligned)

definition tcb_offs_range where
  "tcb_offs_range (ptr::word32) \<equiv> {x. ptr \<le> x \<and> x \<le> ptr + 2 ^ 9 - 1}"

lemma tcb_offs_in_range':
  "is_aligned ptr 9 \<Longrightarrow>
     ptr + ucast (x:: 9 word) \<in> tcb_offs_range ptr"
  by (clarsimp simp: tcb_offs_min' tcb_offs_max' tcb_offs_range_def add.commute)

lemma tcb_offs_in_range:
  "Low_tcb_ptr + ucast (x:: 9 word) \<in> tcb_offs_range Low_tcb_ptr"
  "High_tcb_ptr + ucast (x:: 9 word) \<in> tcb_offs_range High_tcb_ptr"
  "idle_tcb_ptr + ucast (x:: 9 word) \<in> tcb_offs_range idle_tcb_ptr"
  by (simp_all add: tcb_offs_in_range' s0_ptrs_aligned)

lemma tcb_offs_range_correct':
  "\<lbrakk>x \<in> tcb_offs_range ptr; is_aligned ptr 9\<rbrakk>
    \<Longrightarrow> \<exists>y. x = ptr + ucast (y:: 9 word)"
  apply (clarsimp simp: tcb_offs_range_def s0_ptr_defs cte_level_bits_def)
  apply (rule_tac x="ucast (x - ptr)" in exI)
  apply (clarsimp simp: ucast_ucast_mask)
  apply (rule_tac n=9 in mask_eqI)
   apply (subst mask_add_aligned)
    apply (simp add: is_aligned_def)
   apply (simp add: mask_twice)
   apply (subst diff_conv_add_uminus)
   apply (subst add.commute[symmetric])
   apply (subst mask_add_aligned)
    apply (simp add: is_aligned_minus)
   apply simp
  apply (subst diff_conv_add_uminus)
  apply (subst add_mask_lower_bits)
    apply (simp add: is_aligned_def)
   apply clarsimp
  apply (cut_tac x=x and y="ptr + 0x1FF" and n=9 in neg_mask_mono_le)
   apply (simp add: add.commute)
  apply (drule_tac n=9 in aligned_le_sharp)
   apply (simp add: is_aligned_def)
  apply (simp add: add.commute)
  apply (subst(asm) mask_out_add_aligned[symmetric])
   apply (erule is_aligned_weaken)
   apply simp
  apply (simp add: mask_def)
  done

lemma tcb_offs_range_correct:
  "x \<in> tcb_offs_range Low_tcb_ptr \<Longrightarrow> \<exists>y. x = Low_tcb_ptr + ucast (y:: 9 word)"
  "x \<in> tcb_offs_range High_tcb_ptr \<Longrightarrow> \<exists>y. x = High_tcb_ptr + ucast (y:: 9 word)"
  "x \<in> tcb_offs_range idle_tcb_ptr \<Longrightarrow> \<exists>y. x = idle_tcb_ptr + ucast (y:: 9 word)"
  by (simp_all add: tcb_offs_range_correct' s0_ptrs_aligned)

lemma caps_dom_length_10:
  "Silc_caps x = Some y \<Longrightarrow> length x = 10"
  "High_caps x = Some y \<Longrightarrow> length x = 10"
  "Low_caps x = Some y \<Longrightarrow> length x = 10"
  by (simp_all add: Silc_caps_def High_caps_def Low_caps_def the_nat_to_bl_def nat_to_bl_def split: if_split_asm)

lemma dom_caps:
  "dom Silc_caps = {x. length x = 10}"
  "dom High_caps = {x. length x = 10}"
  "dom Low_caps = {x. length x = 10}"
  apply (simp_all add: Silc_caps_def High_caps_def Low_caps_def the_nat_to_bl_def nat_to_bl_def dom_def split: if_split_asm)
    apply fastforce+
    done

lemmas kh0H_obj_def =
  Low_cte_def High_cte_def Silc_cte_def ntfnH_def irq_cte_def Low_pdH_def
  High_pdH_def Low_ptH_def High_ptH_def Low_tcbH_def High_tcbH_def idle_tcbH_def
  global_pdH'_def

lemmas kh0H_all_obj_def =
  kh0H_obj_def Low_cte'_def Low_capsH_def High_cte'_def High_capsH_def
  Silc_cte'_def Silc_capsH_def empty_cte_def

lemma not_in_range_None:
  "\<lbrakk>x \<notin> cnode_offs_range Low_cnode_ptr\<rbrakk> \<Longrightarrow> Low_cte Low_cnode_ptr x = None"
  "\<lbrakk>x \<notin> cnode_offs_range High_cnode_ptr\<rbrakk> \<Longrightarrow> High_cte High_cnode_ptr x = None"
  "\<lbrakk>x \<notin> cnode_offs_range Silc_cnode_ptr\<rbrakk> \<Longrightarrow> Silc_cte Silc_cnode_ptr x = None"
  "\<lbrakk>x \<notin> pd_offs_range Low_pd_ptr\<rbrakk> \<Longrightarrow> Low_pdH Low_pd_ptr x = None"
  "\<lbrakk>x \<notin> pd_offs_range High_pd_ptr\<rbrakk> \<Longrightarrow> High_pdH High_pd_ptr x = None"
  "\<lbrakk>x \<notin> pd_offs_range init_global_pd\<rbrakk> \<Longrightarrow> global_pdH' init_global_pd x = None"
  "\<lbrakk>x \<notin> pt_offs_range Low_pt_ptr\<rbrakk> \<Longrightarrow> Low_ptH Low_pt_ptr x = None"
  "\<lbrakk>x \<notin> pt_offs_range High_pt_ptr\<rbrakk> \<Longrightarrow> High_ptH High_pt_ptr x = None"
  by (clarsimp simp: cnode_offs_range_def pd_offs_range_def pt_offs_range_def s0_ptr_defs kh0H_obj_def)+

lemma kh0H_dom_distinct:
  "init_globals_frame \<notin> cnode_offs_range Silc_cnode_ptr"
  "idle_tcb_ptr \<notin> cnode_offs_range Silc_cnode_ptr"
  "High_tcb_ptr \<notin> cnode_offs_range Silc_cnode_ptr"
  "Low_tcb_ptr \<notin> cnode_offs_range Silc_cnode_ptr"
  "irq_cnode_ptr \<notin> cnode_offs_range Silc_cnode_ptr"
  "ntfn_ptr \<notin> cnode_offs_range Silc_cnode_ptr"
  "init_globals_frame \<notin> cnode_offs_range Low_cnode_ptr"
  "idle_tcb_ptr \<notin> cnode_offs_range Low_cnode_ptr"
  "High_tcb_ptr \<notin> cnode_offs_range Low_cnode_ptr"
  "Low_tcb_ptr \<notin> cnode_offs_range Low_cnode_ptr"
  "irq_cnode_ptr \<notin> cnode_offs_range Low_cnode_ptr"
  "ntfn_ptr \<notin> cnode_offs_range Low_cnode_ptr"
  "init_globals_frame \<notin> cnode_offs_range High_cnode_ptr"
  "idle_tcb_ptr \<notin> cnode_offs_range High_cnode_ptr"
  "High_tcb_ptr \<notin> cnode_offs_range High_cnode_ptr"
  "Low_tcb_ptr \<notin> cnode_offs_range High_cnode_ptr"
  "irq_cnode_ptr \<notin> cnode_offs_range High_cnode_ptr"
  "ntfn_ptr \<notin> cnode_offs_range High_cnode_ptr"
  "init_globals_frame \<notin> pd_offs_range Low_pd_ptr"
  "idle_tcb_ptr \<notin> pd_offs_range Low_pd_ptr"
  "High_tcb_ptr \<notin> pd_offs_range Low_pd_ptr"
  "Low_tcb_ptr \<notin> pd_offs_range Low_pd_ptr"
  "irq_cnode_ptr \<notin> pd_offs_range Low_pd_ptr"
  "ntfn_ptr \<notin> pd_offs_range Low_pd_ptr"
  "init_globals_frame \<notin> pd_offs_range High_pd_ptr"
  "idle_tcb_ptr \<notin> pd_offs_range High_pd_ptr"
  "High_tcb_ptr \<notin> pd_offs_range High_pd_ptr"
  "Low_tcb_ptr \<notin> pd_offs_range High_pd_ptr"
  "irq_cnode_ptr \<notin> pd_offs_range High_pd_ptr"
  "ntfn_ptr \<notin> pd_offs_range High_pd_ptr"
  "init_globals_frame \<notin> pd_offs_range init_global_pd"
  "idle_tcb_ptr \<notin> pd_offs_range init_global_pd"
  "High_tcb_ptr \<notin> pd_offs_range init_global_pd"
  "Low_tcb_ptr \<notin> pd_offs_range init_global_pd"
  "irq_cnode_ptr \<notin> pd_offs_range init_global_pd"
  "ntfn_ptr \<notin> pd_offs_range init_global_pd"
  "init_globals_frame \<notin> pt_offs_range Low_pt_ptr"
  "idle_tcb_ptr \<notin> pt_offs_range Low_pt_ptr"
  "High_tcb_ptr \<notin> pt_offs_range Low_pt_ptr"
  "Low_tcb_ptr \<notin> pt_offs_range Low_pt_ptr"
  "irq_cnode_ptr \<notin> pt_offs_range Low_pt_ptr"
  "ntfn_ptr \<notin> pt_offs_range Low_pt_ptr"
  "init_globals_frame \<notin> pt_offs_range High_pt_ptr"
  "idle_tcb_ptr \<notin> pt_offs_range High_pt_ptr"
  "High_tcb_ptr \<notin> pt_offs_range High_pt_ptr"
  "Low_tcb_ptr \<notin> pt_offs_range High_pt_ptr"
  "irq_cnode_ptr \<notin> pt_offs_range High_pt_ptr"
  "ntfn_ptr \<notin> pt_offs_range High_pt_ptr"
  "init_globals_frame \<notin> tcb_offs_range Low_tcb_ptr"
  "idle_tcb_ptr \<notin> tcb_offs_range Low_tcb_ptr"
  "High_tcb_ptr \<notin> tcb_offs_range Low_tcb_ptr"
  "irq_cnode_ptr \<notin> tcb_offs_range Low_tcb_ptr"
  "ntfn_ptr \<notin> tcb_offs_range Low_tcb_ptr"
  "init_globals_frame \<notin> tcb_offs_range High_tcb_ptr"
  "idle_tcb_ptr \<notin> tcb_offs_range High_tcb_ptr"
  "Low_tcb_ptr \<notin> tcb_offs_range High_tcb_ptr"
  "irq_cnode_ptr \<notin> tcb_offs_range High_tcb_ptr"
  "ntfn_ptr \<notin> tcb_offs_range High_tcb_ptr"
  "init_globals_frame \<notin> tcb_offs_range idle_tcb_ptr"
  "High_tcb_ptr \<notin> tcb_offs_range idle_tcb_ptr"
  "Low_tcb_ptr \<notin> tcb_offs_range idle_tcb_ptr"
  "irq_cnode_ptr \<notin> tcb_offs_range idle_tcb_ptr"
  "ntfn_ptr \<notin> tcb_offs_range idle_tcb_ptr"
  by (clarsimp simp: cnode_offs_range_def pd_offs_range_def pt_offs_range_def tcb_offs_range_def kh0H_obj_def s0_ptr_defs)+

lemma kh0H_dom_sets_distinct:
  "irq_node_offs_range \<inter> cnode_offs_range Silc_cnode_ptr = {}"
  "irq_node_offs_range \<inter> cnode_offs_range High_cnode_ptr = {}"
  "irq_node_offs_range \<inter> cnode_offs_range Low_cnode_ptr = {}"
  "irq_node_offs_range \<inter> pd_offs_range init_global_pd = {}"
  "irq_node_offs_range \<inter> pd_offs_range High_pd_ptr = {}"
  "irq_node_offs_range \<inter> pd_offs_range Low_pd_ptr = {}"
  "irq_node_offs_range \<inter> pt_offs_range High_pt_ptr = {}"
  "irq_node_offs_range \<inter> pt_offs_range Low_pt_ptr = {}"
  "irq_node_offs_range \<inter> tcb_offs_range High_tcb_ptr = {}"
  "irq_node_offs_range \<inter> tcb_offs_range Low_tcb_ptr = {}"
  "irq_node_offs_range \<inter> tcb_offs_range idle_tcb_ptr = {}"
  "cnode_offs_range Silc_cnode_ptr \<inter> cnode_offs_range High_cnode_ptr = {}"
  "cnode_offs_range Silc_cnode_ptr \<inter> cnode_offs_range Low_cnode_ptr = {}"
  "cnode_offs_range Silc_cnode_ptr \<inter> pd_offs_range init_global_pd = {}"
  "cnode_offs_range Silc_cnode_ptr \<inter> pd_offs_range High_pd_ptr = {}"
  "cnode_offs_range Silc_cnode_ptr \<inter> pd_offs_range Low_pd_ptr = {}"
  "cnode_offs_range Silc_cnode_ptr \<inter> pt_offs_range High_pt_ptr = {}"
  "cnode_offs_range Silc_cnode_ptr \<inter> pt_offs_range Low_pt_ptr = {}"
  "cnode_offs_range Silc_cnode_ptr \<inter> tcb_offs_range High_tcb_ptr = {}"
  "cnode_offs_range Silc_cnode_ptr \<inter> tcb_offs_range Low_tcb_ptr = {}"
  "cnode_offs_range Silc_cnode_ptr \<inter> tcb_offs_range idle_tcb_ptr = {}"
  "cnode_offs_range High_cnode_ptr \<inter> cnode_offs_range Low_cnode_ptr = {}"
  "cnode_offs_range High_cnode_ptr \<inter> pd_offs_range init_global_pd = {}"
  "cnode_offs_range High_cnode_ptr \<inter> pd_offs_range High_pd_ptr = {}"
  "cnode_offs_range High_cnode_ptr \<inter> pd_offs_range Low_pd_ptr = {}"
  "cnode_offs_range High_cnode_ptr \<inter> pt_offs_range High_pt_ptr = {}"
  "cnode_offs_range High_cnode_ptr \<inter> pt_offs_range Low_pt_ptr = {}"
  "cnode_offs_range High_cnode_ptr \<inter> tcb_offs_range High_tcb_ptr = {}"
  "cnode_offs_range High_cnode_ptr \<inter> tcb_offs_range Low_tcb_ptr = {}"
  "cnode_offs_range High_cnode_ptr \<inter> tcb_offs_range idle_tcb_ptr = {}"
  "cnode_offs_range Low_cnode_ptr \<inter> pd_offs_range init_global_pd = {}"
  "cnode_offs_range Low_cnode_ptr \<inter> pd_offs_range High_pd_ptr = {}"
  "cnode_offs_range Low_cnode_ptr \<inter> pd_offs_range Low_pd_ptr = {}"
  "cnode_offs_range Low_cnode_ptr \<inter> pt_offs_range High_pt_ptr = {}"
  "cnode_offs_range Low_cnode_ptr \<inter> pt_offs_range Low_pt_ptr = {}"
  "cnode_offs_range Low_cnode_ptr \<inter> tcb_offs_range High_tcb_ptr = {}"
  "cnode_offs_range Low_cnode_ptr \<inter> tcb_offs_range Low_tcb_ptr = {}"
  "cnode_offs_range Low_cnode_ptr \<inter> tcb_offs_range idle_tcb_ptr = {}"
  "pd_offs_range init_global_pd \<inter> pd_offs_range High_pd_ptr = {}"
  "pd_offs_range init_global_pd \<inter> pd_offs_range Low_pd_ptr = {}"
  "pd_offs_range init_global_pd \<inter> pt_offs_range High_pt_ptr = {}"
  "pd_offs_range init_global_pd \<inter> pt_offs_range Low_pt_ptr = {}"
  "pd_offs_range init_global_pd \<inter> tcb_offs_range High_tcb_ptr = {}"
  "pd_offs_range init_global_pd \<inter> tcb_offs_range Low_tcb_ptr = {}"
  "pd_offs_range init_global_pd \<inter> tcb_offs_range idle_tcb_ptr = {}"
  "pd_offs_range High_pd_ptr \<inter> pd_offs_range Low_pd_ptr = {}"
  "pd_offs_range High_pd_ptr \<inter> pt_offs_range High_pt_ptr = {}"
  "pd_offs_range High_pd_ptr \<inter> pt_offs_range Low_pt_ptr = {}"
  "pd_offs_range High_pd_ptr \<inter> tcb_offs_range High_tcb_ptr = {}"
  "pd_offs_range High_pd_ptr \<inter> tcb_offs_range Low_tcb_ptr = {}"
  "pd_offs_range High_pd_ptr \<inter> tcb_offs_range idle_tcb_ptr = {}"
  "pd_offs_range Low_pd_ptr \<inter> pt_offs_range High_pt_ptr = {}"
  "pd_offs_range Low_pd_ptr \<inter> pt_offs_range Low_pt_ptr = {}"
  "pd_offs_range Low_pd_ptr \<inter> tcb_offs_range High_tcb_ptr = {}"
  "pd_offs_range Low_pd_ptr \<inter> tcb_offs_range Low_tcb_ptr = {}"
  "pd_offs_range Low_pd_ptr \<inter> tcb_offs_range idle_tcb_ptr = {}"
  "pt_offs_range High_pt_ptr \<inter> pt_offs_range Low_pt_ptr = {}"
  "pt_offs_range High_pt_ptr \<inter> tcb_offs_range High_tcb_ptr = {}"
  "pt_offs_range High_pt_ptr \<inter> tcb_offs_range Low_tcb_ptr = {}"
  "pt_offs_range High_pt_ptr \<inter> tcb_offs_range idle_tcb_ptr = {}"
  "pt_offs_range Low_pt_ptr \<inter> tcb_offs_range High_tcb_ptr = {}"
  "pt_offs_range Low_pt_ptr \<inter> tcb_offs_range Low_tcb_ptr = {}"
  "pt_offs_range Low_pt_ptr \<inter> tcb_offs_range idle_tcb_ptr = {}"
  "tcb_offs_range High_tcb_ptr \<inter> tcb_offs_range Low_tcb_ptr = {}"
  "tcb_offs_range High_tcb_ptr \<inter> tcb_offs_range idle_tcb_ptr = {}"
  "tcb_offs_range Low_tcb_ptr \<inter> tcb_offs_range idle_tcb_ptr = {}"
  by (rule disjointI,
      clarsimp simp: irq_node_offs_range_def cnode_offs_range_def pd_offs_range_def pt_offs_range_def tcb_offs_range_def s0_ptr_defs,
      drule(1) order_trans le_less_trans,
      fastforce)+

lemmas offs_in_range = pd_offs_in_range pt_offs_in_range irq_node_offs_in_range cnode_offs_in_range tcb_offs_in_range

lemmas offs_range_correct = pd_offs_range_correct pt_offs_range_correct irq_node_offs_range_correct cnode_offs_range_correct tcb_offs_range_correct

lemma kh0H_dom_distinct':
  "length x = 10 \<Longrightarrow> Silc_cnode_ptr + of_bl x * 0x10 \<noteq> init_globals_frame"
  "length x = 10 \<Longrightarrow> Silc_cnode_ptr + of_bl x * 0x10 \<noteq> idle_tcb_ptr"
  "length x = 10 \<Longrightarrow> Silc_cnode_ptr + of_bl x * 0x10 \<noteq> High_tcb_ptr"
  "length x = 10 \<Longrightarrow> Silc_cnode_ptr + of_bl x * 0x10 \<noteq> Low_tcb_ptr"
  "length x = 10 \<Longrightarrow> Silc_cnode_ptr + of_bl x * 0x10 \<noteq> irq_cnode_ptr"
  "length x = 10 \<Longrightarrow> Silc_cnode_ptr + of_bl x * 0x10 \<noteq> ntfn_ptr"
  "length x = 10 \<Longrightarrow> Low_cnode_ptr + of_bl x * 0x10 \<noteq> init_globals_frame"
  "length x = 10 \<Longrightarrow> Low_cnode_ptr + of_bl x * 0x10 \<noteq> idle_tcb_ptr"
  "length x = 10 \<Longrightarrow> Low_cnode_ptr + of_bl x * 0x10 \<noteq> High_tcb_ptr"
  "length x = 10 \<Longrightarrow> Low_cnode_ptr + of_bl x * 0x10 \<noteq> Low_tcb_ptr"
  "length x = 10 \<Longrightarrow> Low_cnode_ptr + of_bl x * 0x10 \<noteq> irq_cnode_ptr"
  "length x = 10 \<Longrightarrow> Low_cnode_ptr + of_bl x * 0x10 \<noteq> ntfn_ptr"
  "length x = 10 \<Longrightarrow> High_cnode_ptr + of_bl x * 0x10 \<noteq> init_globals_frame"
  "length x = 10 \<Longrightarrow> High_cnode_ptr + of_bl x * 0x10 \<noteq> idle_tcb_ptr"
  "length x = 10 \<Longrightarrow> High_cnode_ptr + of_bl x * 0x10 \<noteq> High_tcb_ptr"
  "length x = 10 \<Longrightarrow> High_cnode_ptr + of_bl x * 0x10 \<noteq> Low_tcb_ptr"
  "length x = 10 \<Longrightarrow> High_cnode_ptr + of_bl x * 0x10 \<noteq> irq_cnode_ptr"
  "length x = 10 \<Longrightarrow> High_cnode_ptr + of_bl x * 0x10 \<noteq> ntfn_ptr"
  "Low_pd_ptr + (ucast (y::12 word) << 2) \<noteq> init_globals_frame"
  "Low_pd_ptr + (ucast (y::12 word) << 2) \<noteq> idle_tcb_ptr"
  "Low_pd_ptr + (ucast (y::12 word) << 2) \<noteq> High_tcb_ptr"
  "Low_pd_ptr + (ucast (y::12 word) << 2) \<noteq> Low_tcb_ptr"
  "Low_pd_ptr + (ucast (y::12 word) << 2) \<noteq> irq_cnode_ptr"
  "Low_pd_ptr + (ucast (y::12 word) << 2) \<noteq> ntfn_ptr"
  "High_pd_ptr + (ucast (y::12 word) << 2) \<noteq> init_globals_frame"
  "High_pd_ptr + (ucast (y::12 word) << 2) \<noteq> idle_tcb_ptr"
  "High_pd_ptr + (ucast (y::12 word) << 2) \<noteq> High_tcb_ptr"
  "High_pd_ptr + (ucast (y::12 word) << 2) \<noteq> Low_tcb_ptr"
  "High_pd_ptr + (ucast (y::12 word) << 2) \<noteq> irq_cnode_ptr"
  "High_pd_ptr + (ucast (y::12 word) << 2) \<noteq> ntfn_ptr"
  "init_global_pd + (ucast (y::12 word) << 2) \<noteq> init_globals_frame"
  "init_global_pd + (ucast (y::12 word) << 2) \<noteq> idle_tcb_ptr"
  "init_global_pd + (ucast (y::12 word) << 2) \<noteq> High_tcb_ptr"
  "init_global_pd + (ucast (y::12 word) << 2) \<noteq> Low_tcb_ptr"
  "init_global_pd + (ucast (y::12 word) << 2) \<noteq> irq_cnode_ptr"
  "init_global_pd + (ucast (y::12 word) << 2) \<noteq> ntfn_ptr"
  "Low_pt_ptr + (ucast (z::8 word) << 2) \<noteq> init_globals_frame"
  "Low_pt_ptr + (ucast (z::8 word) << 2) \<noteq> idle_tcb_ptr"
  "Low_pt_ptr + (ucast (z::8 word) << 2) \<noteq> High_tcb_ptr"
  "Low_pt_ptr + (ucast (z::8 word) << 2) \<noteq> Low_tcb_ptr"
  "Low_pt_ptr + (ucast (z::8 word) << 2) \<noteq> irq_cnode_ptr"
  "Low_pt_ptr + (ucast (z::8 word) << 2) \<noteq> ntfn_ptr"
  "High_pt_ptr + (ucast (z::8 word) << 2) \<noteq> init_globals_frame"
  "High_pt_ptr + (ucast (z::8 word) << 2) \<noteq> idle_tcb_ptr"
  "High_pt_ptr + (ucast (z::8 word) << 2) \<noteq> High_tcb_ptr"
  "High_pt_ptr + (ucast (z::8 word) << 2) \<noteq> Low_tcb_ptr"
  "High_pt_ptr + (ucast (z::8 word) << 2) \<noteq> irq_cnode_ptr"
  "High_pt_ptr + (ucast (z::8 word) << 2) \<noteq> ntfn_ptr"
  apply (drule offs_in_range, fastforce simp: kh0H_dom_distinct)+
  apply (cut_tac x=y in offs_in_range(1), fastforce simp: kh0H_dom_distinct)+
  apply (cut_tac x=y in offs_in_range(2), fastforce simp: kh0H_dom_distinct)+
  apply (cut_tac x=y in offs_in_range(3), fastforce simp: kh0H_dom_distinct)+
  apply (cut_tac x=z in offs_in_range(4), fastforce simp: kh0H_dom_distinct)+
  apply (cut_tac x=z in offs_in_range(5), fastforce simp: kh0H_dom_distinct)+
  done

lemma not_disjointI:
  "\<lbrakk>x = y; x \<in> A; y \<in> B\<rbrakk> \<Longrightarrow> A \<inter> B \<noteq> {}"
  by fastforce

lemma kh0H_simps[simp]:
  "kh0H (init_irq_node_ptr + (ucast (irq::10 word) << cte_level_bits)) =
                Some (KOCTE (CTE capability.NullCap Null_mdb))"
  "kh0H ntfn_ptr = Some (KONotification ntfnH)"
  "kh0H irq_cnode_ptr = Some (KOCTE irq_cte)"
  "kh0H Low_tcb_ptr = Some (KOTCB Low_tcbH)"
  "kh0H High_tcb_ptr = Some (KOTCB High_tcbH)"
  "kh0H idle_tcb_ptr = Some (KOTCB idle_tcbH)"
  "kh0H init_globals_frame = Some KOUserData"
  "length x = 10 \<Longrightarrow> kh0H (Low_cnode_ptr + of_bl x * 0x10) = Low_cte Low_cnode_ptr (Low_cnode_ptr + of_bl x * 0x10)"
  "length x = 10 \<Longrightarrow> kh0H (High_cnode_ptr + of_bl x * 0x10) = High_cte High_cnode_ptr (High_cnode_ptr + of_bl x * 0x10)"
  "length x = 10 \<Longrightarrow> kh0H (Silc_cnode_ptr + of_bl x * 0x10) = Silc_cte Silc_cnode_ptr (Silc_cnode_ptr + of_bl x * 0x10)"
  "kh0H (Low_pd_ptr + (ucast (y:: 12 word) << 2)) = Low_pdH Low_pd_ptr (Low_pd_ptr + (ucast (y:: 12 word) << 2))"
  "kh0H (High_pd_ptr + (ucast (y:: 12 word) << 2)) = High_pdH High_pd_ptr (High_pd_ptr + (ucast (y:: 12 word) << 2))"
  "kh0H (init_global_pd + (ucast (y:: 12 word) << 2)) = global_pdH' init_global_pd (init_global_pd + (ucast (y:: 12 word) << 2))"
  "kh0H (Low_pt_ptr + (ucast (z:: 8 word) << 2)) = Low_ptH Low_pt_ptr (Low_pt_ptr + (ucast (z:: 8 word) << 2))"
  "kh0H (High_pt_ptr + (ucast (z:: 8 word) << 2)) = High_ptH High_pt_ptr (High_pt_ptr + (ucast (z:: 8 word) << 2))"
  supply option.case_cong[cong]
      apply (clarsimp simp: kh0H_def option_update_range_def)
      apply fastforce
     apply (simp add:kh0H_def)
     apply (clarsimp simp: kh0H_def option_update_range_def kh0H_dom_distinct not_in_range_None)+
     by ((clarsimp simp: kh0H_def option_update_range_def kh0H_dom_distinct kh0H_dom_distinct' not_in_range_None offs_in_range | simp add: offs_in_range kh0H_dom_sets_distinct[THEN orthD1] not_in_range_None | simp add: offs_in_range kh0H_dom_sets_distinct[THEN orthD2] not_in_range_None)+,
            rule conjI,
             clarsimp,
             drule not_disjointI,
               (erule offs_in_range | rule offs_in_range),
              (erule offs_in_range | rule offs_in_range),
             erule notE,
             rule kh0H_dom_sets_distinct,
            clarsimp split: option.splits)+

lemma kh0H_dom:
  "dom kh0H = {init_globals_frame, idle_tcb_ptr, High_tcb_ptr, Low_tcb_ptr,
              irq_cnode_ptr, ntfn_ptr} \<union>
             irq_node_offs_range \<union>
             cnode_offs_range Silc_cnode_ptr \<union>
             cnode_offs_range High_cnode_ptr \<union>
             cnode_offs_range Low_cnode_ptr \<union>
             pd_offs_range init_global_pd \<union>
             pd_offs_range High_pd_ptr \<union>
             pd_offs_range Low_pd_ptr \<union>
             pt_offs_range High_pt_ptr \<union>
             pt_offs_range Low_pt_ptr"
  apply (rule equalityI)
   apply (simp add: kh0H_def dom_def)
   apply (clarsimp simp: offs_in_range option_update_range_def not_in_range_None split: if_split_asm)
  apply (clarsimp simp: dom_def)
  apply (rule conjI, clarsimp simp: kh0H_def option_update_range_def kh0H_dom_distinct not_in_range_None split: option.splits)+
   apply (force dest: irq_node_offs_range_correct)
  by (rule conjI |
         clarsimp simp: kh0H_def option_update_range_def kh0H_dom_distinct not_in_range_None split: option.splits,
         frule offs_range_correct,
         clarsimp simp: kh0H_all_obj_def cnode_offs_range_def pd_offs_range_def pt_offs_range_def split: if_split_asm)+

lemmas kh0H_SomeD' = set_mp[OF equalityD1[OF kh0H_dom[simplified dom_def]], OF CollectI, simplified, OF exI]

lemma kh0H_SomeD:
  "kh0H x = Some y \<Longrightarrow>
        x = init_globals_frame \<and> y = KOUserData \<or>
        x = idle_tcb_ptr \<and> y = KOTCB idle_tcbH \<or>
        x = High_tcb_ptr \<and> y = KOTCB High_tcbH \<or>
        x = Low_tcb_ptr \<and> y = KOTCB Low_tcbH \<or>
        x = ntfn_ptr \<and> y = KONotification ntfnH \<or>
        x = irq_cnode_ptr \<and> y = KOCTE irq_cte \<or>
        x \<in> irq_node_offs_range \<and> y = KOCTE (CTE capability.NullCap Null_mdb) \<or>
        x \<in> cnode_offs_range Low_cnode_ptr \<and> Low_cte Low_cnode_ptr x \<noteq> None \<and> y = the (Low_cte Low_cnode_ptr x) \<or>
        x \<in> cnode_offs_range High_cnode_ptr \<and> High_cte High_cnode_ptr x \<noteq> None \<and> y = the (High_cte High_cnode_ptr x) \<or>
        x \<in> cnode_offs_range Silc_cnode_ptr \<and> Silc_cte Silc_cnode_ptr x \<noteq> None \<and> y = the (Silc_cte Silc_cnode_ptr x) \<or>
        x \<in> pd_offs_range init_global_pd \<and> global_pdH' init_global_pd x \<noteq> None \<and> y = the (global_pdH' init_global_pd x) \<or>
        x \<in> pd_offs_range High_pd_ptr \<and> High_pdH High_pd_ptr x \<noteq> None \<and> y = the (High_pdH High_pd_ptr x) \<or>
        x \<in> pd_offs_range Low_pd_ptr \<and> Low_pdH Low_pd_ptr x \<noteq> None \<and> y = the (Low_pdH Low_pd_ptr x) \<or>
        x \<in> pt_offs_range High_pt_ptr \<and> High_ptH High_pt_ptr x \<noteq> None \<and> y = the (High_ptH High_pt_ptr x) \<or>
        x \<in> pt_offs_range Low_pt_ptr \<and> Low_ptH Low_pt_ptr x \<noteq> None \<and> y = the (Low_ptH Low_pt_ptr x)"
  apply (frule kh0H_SomeD')
  apply (elim disjE)
  apply (clarsimp | frule offs_range_correct)+
  done

definition arch_state0H :: Arch.kernel_state where
  "arch_state0H \<equiv> ARMKernelState
             \<comment> \<open>armKSASIDTable    =\<close> Map.empty
             \<comment> \<open>armKSHWASIDTable  =\<close> Map.empty
             \<comment> \<open>armKSNextASID     =\<close> 0
             \<comment> \<open>armKSASIDMap      =\<close> Map.empty
             \<comment> \<open>armKSGlobalPD     =\<close> init_global_pd
             \<comment> \<open>armKSGlobalPTs    =\<close> []
             \<comment> \<open>armKSKernelVSpace =\<close>
         (\<lambda>ref. if ref \<in> {kernel_base..kernel_base + mask 20} then ArmVSpaceKernelWindow
                else ArmVSpaceInvalidRegion)"

definition
  s0H_internal :: "kernel_state"
where
  "s0H_internal \<equiv>  \<lparr>
    ksPSpace = kh0H,
    gsUserPages = (\<lambda>x. if x = init_globals_frame then Some ARMSmallPage else None),
    gsCNodes = (\<lambda>x. if \<exists>irq::10 word. init_irq_node_ptr + (ucast irq << cte_level_bits) = x
          then Some 0 else None)
         (Low_cnode_ptr  \<mapsto> 10,
          High_cnode_ptr \<mapsto> 10,
          Silc_cnode_ptr \<mapsto> 10,
          irq_cnode_ptr  \<mapsto> 0),
    gsUntypedZeroRanges = ran (map_comp untypedZeroRange (option_map cteCap o map_to_ctes kh0H)),
    gsMaxObjectSize = card (UNIV :: word32 set),
    ksDomScheduleIdx = 0,
    ksDomSchedule = [(0 ,10), (1, 10)],
    ksCurDomain = 0,
    ksDomainTime = 5,
    ksReadyQueues = const [],
    ksReadyQueuesL1Bitmap = const 0,
    ksReadyQueuesL2Bitmap = const 0,
    ksCurThread = Low_tcb_ptr,
    ksIdleThread = idle_tcb_ptr,
    ksSchedulerAction = ResumeCurrentThread,
    ksInterruptState = InterruptState init_irq_node_ptr ((\<lambda>_. irqstate.IRQInactive) (timer_irq := irqstate.IRQTimer)),
    ksWorkUnitsCompleted = undefined,
    ksArchState = arch_state0H,
    ksMachineState = machine_state0\<rparr>"


definition
  Low_cte_cte :: "word32 \<Rightarrow> word32 \<Rightarrow> cte option"
where
  "Low_cte_cte \<equiv> \<lambda>base offs. if is_aligned offs cte_level_bits \<and> base \<le> offs \<and> offs \<le> base + 2 ^ 14 - 1
                         then Low_cte' (ucast (offs - base >> cte_level_bits)) else None"

definition
  High_cte_cte :: "word32 \<Rightarrow> word32 \<Rightarrow> cte option"
where
  "High_cte_cte \<equiv> \<lambda>base offs. if is_aligned offs cte_level_bits \<and> base \<le> offs \<and> offs \<le> base + 2 ^ 14 - 1
                          then High_cte' (ucast (offs - base >> cte_level_bits)) else None"

definition
  Silc_cte_cte :: "word32 \<Rightarrow> word32 \<Rightarrow> cte option"
where
  "Silc_cte_cte \<equiv> \<lambda>base offs. if is_aligned offs cte_level_bits \<and> base \<le> offs \<and> offs \<le> base + 2 ^ 14 - 1
                          then Silc_cte' (ucast (offs - base >> cte_level_bits)) else None"

definition
  Low_tcb_cte :: "word32 \<Rightarrow> cte option"
where
  "Low_tcb_cte \<equiv> [Low_tcb_ptr \<mapsto> tcbCTable Low_tcbH,
                  Low_tcb_ptr + 0x10 \<mapsto> tcbVTable Low_tcbH,
                  Low_tcb_ptr + 0x20 \<mapsto> tcbReply Low_tcbH,
                  Low_tcb_ptr + 0x30 \<mapsto> tcbCaller Low_tcbH,
                  Low_tcb_ptr + 0x40 \<mapsto> tcbIPCBufferFrame Low_tcbH]"

definition
  High_tcb_cte :: "word32 \<Rightarrow> cte option"
where
  "High_tcb_cte \<equiv> [High_tcb_ptr \<mapsto> tcbCTable High_tcbH,
                   High_tcb_ptr + 0x10 \<mapsto> tcbVTable High_tcbH,
                   High_tcb_ptr + 0x20 \<mapsto> tcbReply High_tcbH,
                   High_tcb_ptr + 0x30 \<mapsto> tcbCaller High_tcbH,
                   High_tcb_ptr + 0x40 \<mapsto> tcbIPCBufferFrame High_tcbH]"

definition
  idle_tcb_cte :: "word32 \<Rightarrow> cte option"
where
  "idle_tcb_cte \<equiv> [idle_tcb_ptr \<mapsto> tcbCTable idle_tcbH,
                   idle_tcb_ptr + 0x10 \<mapsto> tcbVTable idle_tcbH,
                   idle_tcb_ptr + 0x20 \<mapsto> tcbReply idle_tcbH,
                   idle_tcb_ptr + 0x30 \<mapsto> tcbCaller idle_tcbH,
                   idle_tcb_ptr + 0x40 \<mapsto> tcbIPCBufferFrame idle_tcbH]"

lemma kh0H_dom_tcb:
  "kh0H x = Some (KOTCB tcb) \<Longrightarrow> x = Low_tcb_ptr \<or> x = High_tcb_ptr \<or> x = idle_tcb_ptr"
  apply (frule domI[where m="kh0H"])
  apply (simp add: kh0H_dom)
  apply (elim disjE)
   apply (drule irq_node_offs_range_correct cnode_offs_range_correct pd_offs_range_correct pt_offs_range_correct | clarsimp simp: kh0H_all_obj_def s0_ptrs_aligned split: if_split_asm)+
   done

lemma not_in_range_cte_None:
  "\<lbrakk>x \<notin> cnode_offs_range Low_cnode_ptr\<rbrakk> \<Longrightarrow> Low_cte_cte Low_cnode_ptr x = None"
  "\<lbrakk>x \<notin> cnode_offs_range High_cnode_ptr\<rbrakk> \<Longrightarrow> High_cte_cte High_cnode_ptr x = None"
  "\<lbrakk>x \<notin> cnode_offs_range Silc_cnode_ptr\<rbrakk> \<Longrightarrow> Silc_cte_cte Silc_cnode_ptr x = None"
  "\<lbrakk>x \<notin> tcb_offs_range Low_tcb_ptr\<rbrakk> \<Longrightarrow> Low_tcb_cte x = None"
  "\<lbrakk>x \<notin> tcb_offs_range High_tcb_ptr\<rbrakk> \<Longrightarrow> High_tcb_cte x = None"
  "\<lbrakk>x \<notin> tcb_offs_range idle_tcb_ptr\<rbrakk> \<Longrightarrow> idle_tcb_cte x = None"
  by (fastforce simp: cnode_offs_range_def tcb_offs_range_def s0_ptr_defs Low_cte_cte_def High_cte_cte_def Silc_cte_cte_def Low_tcb_cte_def High_tcb_cte_def idle_tcb_cte_def)+

lemma mask_neg_le:
  "x && ~~ mask n \<le> x"
  apply (clarsimp simp: neg_mask_is_div)
  apply (rule word_div_mult_le)
  done

lemma mask_in_tcb_offs_range:
  "x && ~~ mask 9 = ptr \<Longrightarrow> x \<in> tcb_offs_range ptr"
  apply (clarsimp simp: tcb_offs_range_def mask_neg_le objBitsKO_def)
  apply (cut_tac and_neg_mask_plus_mask_mono[where p=x and n=9])
  apply (simp add: add.commute mask_def)
  done

lemma set_mem_neq:
  "\<lbrakk>y \<notin> S; x \<in> S\<rbrakk> \<Longrightarrow> x \<noteq> y"
  by fastforce

lemma neg_mask_decompose:
  "x && ~~ mask n = ptr \<Longrightarrow> x = ptr + (x && mask n)"
  by (clarsimp simp: AND_NOT_mask_plus_AND_mask_eq)

lemma opt_None_not_dom:
  "m a = None \<Longrightarrow> a \<notin> dom m"
  by (simp add: dom_def)

lemma tcb_offs_range_mask_eq:
  "\<lbrakk>x \<in> tcb_offs_range ptr; is_aligned ptr 9\<rbrakk> \<Longrightarrow> x && ~~ mask 9 = ptr"
  apply (drule(1) tcb_offs_range_correct')
  apply (clarsimp simp: objBitsKO_def)
  apply (drule_tac d="ucast y" in is_aligned_add_helper)
   apply (cut_tac x=y and 'a=32 in ucast_less)
    apply simp
   apply simp
  apply simp
  done

lemma not_in_tcb_offs:
  "\<forall>tcb. kh0H (x && ~~ mask 9) \<noteq> Some (KOTCB tcb)
    \<Longrightarrow> x \<notin> tcb_offs_range Low_tcb_ptr"
  "\<forall>tcb. kh0H (x && ~~ mask 9) \<noteq> Some (KOTCB tcb)
    \<Longrightarrow> x \<notin> tcb_offs_range High_tcb_ptr"
  "\<forall>tcb. kh0H (x && ~~ mask 9) \<noteq> Some (KOTCB tcb)
    \<Longrightarrow> x \<notin> tcb_offs_range idle_tcb_ptr"
  by (fastforce simp: s0_ptrs_aligned dest: tcb_offs_range_mask_eq)+

lemma range_tcb_not_kh0H_dom:
  "{(x && ~~ mask 9) + 1..(x && ~~ mask 9) + 2 ^ 9 - 1} \<inter> dom kh0H \<noteq> {} \<Longrightarrow> (x && ~~ mask 9) \<noteq> High_tcb_ptr"
  "{(x && ~~ mask 9) + 1..(x && ~~ mask 9) + 2 ^ 9 - 1} \<inter> dom kh0H \<noteq> {} \<Longrightarrow> (x && ~~ mask 9) \<noteq> Low_tcb_ptr"
  "{(x && ~~ mask 9) + 1..(x && ~~ mask 9) + 2 ^ 9 - 1} \<inter> dom kh0H \<noteq> {} \<Longrightarrow> (x && ~~ mask 9) \<noteq> idle_tcb_ptr"
    apply clarsimp
    apply (drule int_not_emptyD)
    apply (clarsimp simp: kh0H_dom)
    apply (subgoal_tac "xa \<in> tcb_offs_range High_tcb_ptr")
     prefer 2
     apply (clarsimp simp: tcb_offs_range_def objBitsKO_def)
     apply (rule_tac y="High_tcb_ptr + 1" in order_trans)
      apply (simp add: s0_ptr_defs)
     apply simp
    apply (clarsimp simp: kh0H_dom_distinct[THEN set_mem_neq])
    apply ((clarsimp simp: kh0H_dom_sets_distinct[THEN orthD2]
          | clarsimp simp: kh0H_dom_sets_distinct[THEN orthD1])+)[1]
    apply (clarsimp simp: s0_ptr_defs tcb_offs_range_def)
   apply clarsimp
   apply (drule int_not_emptyD)
   apply (clarsimp simp: kh0H_dom)
   apply (subgoal_tac "xa \<in> tcb_offs_range Low_tcb_ptr")
    prefer 2
    apply (clarsimp simp: tcb_offs_range_def objBitsKO_def)
    apply (rule_tac y="Low_tcb_ptr + 1" in order_trans)
     apply (simp add: s0_ptr_defs)
    apply simp
   apply (clarsimp simp: kh0H_dom_distinct[THEN set_mem_neq])
   apply ((clarsimp simp: kh0H_dom_sets_distinct[THEN orthD2]
         | clarsimp simp: kh0H_dom_sets_distinct[THEN orthD1])+)[1]
   apply (clarsimp simp: s0_ptr_defs tcb_offs_range_def)
  apply clarsimp
  apply (drule int_not_emptyD)
  apply (clarsimp simp: kh0H_dom)
  apply (subgoal_tac "xa \<in> tcb_offs_range idle_tcb_ptr")
   prefer 2
   apply (clarsimp simp: tcb_offs_range_def objBitsKO_def)
   apply (rule_tac y="idle_tcb_ptr + 1" in order_trans)
    apply (simp add: s0_ptr_defs)
   apply simp
  apply (clarsimp simp: kh0H_dom_distinct[THEN set_mem_neq])
  apply ((clarsimp simp: kh0H_dom_sets_distinct[THEN orthD2]
        | clarsimp simp: kh0H_dom_sets_distinct[THEN orthD1])+)[1]
  apply (clarsimp simp: s0_ptr_defs tcb_offs_range_def)
  done

lemma gt_imp_neq:
  "x > y \<Longrightarrow> x \<noteq> (y::'a::order)"
  by simp

lemma map_to_ctes_kh0H:
  "map_to_ctes kh0H =
          (option_update_range
           (\<lambda>x. if \<exists>irq::10 word. init_irq_node_ptr + (ucast irq << cte_level_bits) = x
                then Some (CTE NullCap Null_mdb) else None) \<circ>
          option_update_range (Low_cte_cte Low_cnode_ptr) \<circ>
          option_update_range (High_cte_cte High_cnode_ptr) \<circ>
          option_update_range (Silc_cte_cte Silc_cnode_ptr) \<circ>
          option_update_range [irq_cnode_ptr \<mapsto> CTE NullCap Null_mdb] \<circ>
          option_update_range Low_tcb_cte \<circ>
          option_update_range High_tcb_cte \<circ>
          option_update_range idle_tcb_cte
          ) Map.empty"
  supply option.case_cong[cong] if_cong[cong]
  supply objBits_defs[simp]
  apply (rule ext)
  apply (case_tac "kh0H x")
   apply (clarsimp simp add: map_to_ctes_def Let_def objBitsKO_def)
   apply (rule conjI)
    apply clarsimp
    apply (thin_tac "x \<inter> y = {}" for x y)
    apply (frule kh0H_dom_tcb)
    apply (elim disjE)
      apply (clarsimp simp: option_update_range_def)
      apply (frule mask_in_tcb_offs_range)
      apply (clarsimp simp: kh0H_dom_distinct[THEN set_mem_neq])
      apply (simp add: kh0H_dom_sets_distinct[THEN orthD2] not_in_range_cte_None
            | simp add: kh0H_dom_sets_distinct[THEN orthD1] not_in_range_cte_None)+
      apply (rule conjI, clarsimp)
      apply (clarsimp split: option.splits)
      apply (rule conjI)
       apply (fastforce simp: tcb_cte_cases_def Low_tcb_cte_def dest: neg_mask_decompose)
      apply clarsimp
      subgoal by (fastforce simp: Low_tcb_cte_def tcb_cte_cases_def split: if_split_asm dest: neg_mask_decompose)
     apply (clarsimp simp: option_update_range_def)
     apply (frule mask_in_tcb_offs_range)
     apply (clarsimp simp: kh0H_dom_distinct[THEN set_mem_neq])
     apply (simp add: kh0H_dom_sets_distinct[THEN orthD2] not_in_range_cte_None
           | simp add: kh0H_dom_sets_distinct[THEN orthD1] not_in_range_cte_None)+
     apply (rule conjI, clarsimp)
     apply clarsimp
     apply (clarsimp split: option.splits)
     apply (rule conjI)
      apply (fastforce simp: tcb_cte_cases_def High_tcb_cte_def dest: neg_mask_decompose)
     apply clarsimp
     apply (fastforce simp: High_tcb_cte_def tcb_cte_cases_def split: if_split_asm dest: neg_mask_decompose)
    apply (clarsimp simp: option_update_range_def)
    apply (frule mask_in_tcb_offs_range)
    apply (clarsimp simp: kh0H_dom_distinct[THEN set_mem_neq])
    apply (simp add: kh0H_dom_sets_distinct[THEN orthD2] not_in_range_cte_None
          | simp add: kh0H_dom_sets_distinct[THEN orthD1] not_in_range_cte_None)+
    apply (rule conjI, clarsimp)
    apply clarsimp
    apply (clarsimp split: option.splits)
    apply (rule conjI)
     apply (fastforce simp: tcb_cte_cases_def idle_tcb_cte_def dest: neg_mask_decompose)
    apply clarsimp
    apply (fastforce simp: idle_tcb_cte_def tcb_cte_cases_def split: if_split_asm dest: neg_mask_decompose)
   apply (drule_tac m="kh0H" in opt_None_not_dom)
   apply (rule conjI)
    apply (clarsimp simp: kh0H_dom option_update_range_def)
    apply ((clarsimp simp: kh0H_dom_sets_distinct[THEN orthD2] not_in_tcb_offs not_in_range_cte_None offs_in_range
          | clarsimp simp: kh0H_dom_sets_distinct[THEN orthD1] not_in_range_cte_None)+)[1]
   apply (rule impI)
   apply (frule range_tcb_not_kh0H_dom(1)[simplified])
   apply (frule range_tcb_not_kh0H_dom(2)[simplified])
   apply (drule range_tcb_not_kh0H_dom(3)[simplified])
   apply (clarsimp simp: kh0H_dom split del: if_split)
   apply (clarsimp simp: option_update_range_def)
   apply ((clarsimp simp: kh0H_dom_sets_distinct[THEN orthD2] not_in_tcb_offs not_in_range_cte_None offs_in_range
         | clarsimp simp: kh0H_dom_sets_distinct[THEN orthD1] not_in_range_cte_None)+)[1]
   apply (subst not_in_range_cte_None,
          clarsimp simp: tcb_offs_range_mask_eq s0_ptrs_aligned)+
   apply (clarsimp simp: irq_node_offs_in_range)
  apply (frule kh0H_SomeD)
  apply (elim disjE)
   apply (clarsimp simp: map_to_ctes_def Let_def kh0H_obj_def split del: if_split,
          subst if_split_eq1,
          rule conjI,
           clarsimp,
           drule kh0H_dom_tcb,
           fastforce simp: s0_ptr_defs mask_def objBitsKO_def,
          rule impI,
          fastforce simp: option_update_range_def kh0H_dom_distinct not_in_range_cte_None)
   apply ((clarsimp simp: map_to_ctes_def Let_def split del: if_split,
          subst if_split_eq1,
          rule conjI,
           rule impI,
           (subst is_aligned_neg_mask_eq,
            simp add: is_aligned_def s0_ptr_defs objBitsKO_def)+,
           ((clarsimp simp: option_update_range_def kh0H_dom_distinct not_in_range_cte_None |
             clarsimp simp: idle_tcb_cte_def High_tcb_cte_def Low_tcb_cte_def)+)[1],
          rule impI,
          (subst(asm) is_aligned_neg_mask_eq,
           simp add: is_aligned_def s0_ptr_defs objBitsKO_def)+,
          clarsimp,
          clarsimp simp: s0_ptr_defs cnode_offs_range_def pd_offs_range_def pt_offs_range_def irq_node_offs_range_def objBitsKO_def kh0H_dom,
          rule FalseE,
          drule int_not_emptyD,
          clarsimp,
          (elim disjE, (clarsimp | drule(1) order_trans le_less_trans, fastforce)+)[1])+)[3]
   apply (clarsimp simp: map_to_ctes_def Let_def kh0H_obj_def split del: if_split,
          subst if_split_eq1,
          rule conjI,
           clarsimp,
           drule kh0H_dom_tcb,
           fastforce simp: s0_ptr_defs mask_def objBitsKO_def,
          rule impI,
          fastforce simp: option_update_range_def kh0H_dom_distinct not_in_range_cte_None)
   apply (clarsimp simp: map_to_ctes_def Let_def kh0H_obj_def split del: if_split,
          subst if_split_eq1,
          rule conjI,
           rule impI,
           clarsimp simp: option_update_range_def kh0H_dom_distinct not_in_range_cte_None,
          rule impI,
          clarsimp simp: s0_ptr_defs cnode_offs_range_def pd_offs_range_def pt_offs_range_def irq_node_offs_range_def objBitsKO_def kh0H_dom is_aligned_def,
          rule FalseE,
          drule int_not_emptyD,
          clarsimp,
          (elim disjE, (clarsimp | drule(1) order_trans le_less_trans, fastforce)+)[1])
   apply (clarsimp simp: map_to_ctes_def Let_def kh0H_obj_def split del: if_split)
   apply (frule irq_node_offs_range_correct)
   apply (subst if_split_eq1)
   apply (rule conjI)
    apply (rule impI)
    apply (clarsimp simp: option_update_range_def kh0H_dom_distinct not_in_range_cte_None)
    apply fastforce
   apply (rule impI)
   apply clarsimp
   apply (erule impE)
    apply (rule is_aligned_add)
     apply (simp add: is_aligned_def s0_ptr_defs objBitsKO_def)
    apply (rule is_aligned_shiftl)
    apply (clarsimp simp: objBitsKO_def cte_level_bits_def)
   apply (rule FalseE)
   apply (clarsimp simp: s0_ptr_defs cnode_offs_range_def pd_offs_range_def pt_offs_range_def irq_node_offs_range_def objBitsKO_def kh0H_dom cte_level_bits_def)
   apply (cut_tac x=irq and 'a=32 in ucast_less)
    apply simp
   apply (drule shiftl_less_t2n'[where n=4])
    apply simp
   apply simp
   apply (drule plus_one_helper[where n="0x3FFF", simplified])
   apply (elim disjE)
         apply (unat_arith+)[6]
   apply (drule int_not_emptyD)
   apply clarsimp
   apply (elim disjE,
          ((clarsimp,
           drule(1) aligned_le_sharp,
           clarsimp simp: add.commute,
           subst(asm) mask_out_add_aligned[symmetric],
            simp add: is_aligned_shiftl,
           simp add: mask_def,
           drule word_leq_le_minus_one,
            subst add.commute,
            rule neq_0_no_wrap,
             erule word_plus_mono_right2[rotated],
             fastforce,
            fastforce,
           fastforce simp: add.commute)
           | unat_arith)+)[1]
   apply ((clarsimp simp: map_to_ctes_def Let_def kh0H_obj_def objBitsKO_def split: if_split_asm split del: if_split,
          subst if_split_eq1,
          rule conjI,
           rule impI,
           clarsimp simp: option_update_range_def kh0H_dom_distinct not_in_range_cte_None,
           (clarsimp simp: option_update_range_def kh0H_dom_distinct[THEN set_mem_neq] kh0H_dom_sets_distinct[THEN orthD1] not_in_range_cte_None | simp add: kh0H_dom_sets_distinct[THEN orthD2] not_in_range_cte_None)+,
           rule conjI,
            clarsimp,
           drule offs_range_correct,
           fastforce simp: Low_cte_cte_def High_cte_cte_def Silc_cte_cte_def,
          rule impI,
          rule FalseE,
          clarsimp,
          drule offs_range_correct,
          clarsimp simp: Low_cte_def High_cte_def Silc_cte_def cte_level_bits_def cnode_offs_min cnode_offs_max,
          cut_tac x="of_bl y" and z="0x10::word32" and y="2 ^ 14 - 1" in div_to_mult_word_lt,
           frule_tac 'a=32 in of_bl_length_le,
            simp,
           simp,
          drule int_not_emptyD,
          clarsimp simp: kh0H_dom s0_ptr_defs cnode_offs_range_def pd_offs_range_def pt_offs_range_def irq_node_offs_range_def cte_level_bits_def,
          (elim disjE,
           (clarsimp simp: s0_ptr_defs,
           drule_tac b="x + y * 0x10" and n=4 for x y in aligned_le_sharp,
            fastforce simp: is_aligned_def,
           clarsimp simp: add.commute,
           subst(asm) mask_out_add_aligned[symmetric],
            simp add: is_aligned_mult_triv2[where n=4, simplified],
           simp add: mask_def,
           drule word_leq_le_minus_one,
            subst add.commute,
            rule neq_0_no_wrap,
             erule word_plus_mono_right2[rotated],
             fastforce,
            fastforce,
           fastforce simp: add.commute | unat_arith)+)[1])+)[3]
   apply ((clarsimp simp: map_to_ctes_def Let_def split del: if_split,
          subst if_split_eq1,
          rule conjI,
           rule impI,
           drule pd_offs_range_correct,
           clarsimp simp: option_update_range_def kh0H_dom_distinct not_in_range_cte_None kh0H_obj_def,
          rule impI,
          subst if_split_eq1,
          rule conjI,
           rule impI,
           rule FalseE,
           drule pd_offs_range_correct,
           clarsimp,
           cut_tac x=ya and 'a=32 in ucast_less,
            simp,
           drule shiftl_less_t2n'[where n=2],
            simp,
           simp,
           drule plus_one_helper[where n="0x3FFF", simplified],
           drule kh0H_dom_tcb,
           (elim disjE,
             (clarsimp simp: s0_ptr_defs objBitsKO_def,
             erule notE[rotated],
             rule_tac x="x::word32" for x in gt_imp_neq,
             rule less_le_trans[rotated, OF aligned_le_sharp],
               erule word_plus_mono_right2[rotated],
               simp,
              simp add: is_aligned_def,
             simp)+)[1],
          rule impI,
          clarsimp simp: option_update_range_def kh0H_dom_distinct[THEN set_mem_neq] not_in_range_cte_None,
          ((clarsimp simp: kh0H_dom_sets_distinct[THEN orthD1] not_in_range_cte_None irq_node_offs_in_range |
          clarsimp simp: kh0H_dom_sets_distinct[THEN orthD2] not_in_range_cte_None)+)[1])+)[3]
   by (clarsimp simp: map_to_ctes_def Let_def split del: if_split,
          subst if_split_eq1,
          rule conjI,
           rule impI,
           drule pt_offs_range_correct,
           clarsimp simp: option_update_range_def kh0H_dom_distinct not_in_range_cte_None kh0H_obj_def,
          rule impI,
          subst if_split_eq1,
          rule conjI,
           rule impI,
           rule FalseE,
           drule pt_offs_range_correct,
           clarsimp,
           cut_tac x=ya and 'a=32 in ucast_less,
            simp,
           drule shiftl_less_t2n'[where n=2],
            simp,
           simp,
           drule plus_one_helper[where n="0x3FF", simplified],
           drule kh0H_dom_tcb,
           elim disjE,
             ((clarsimp simp: s0_ptr_defs objBitsKO_def,
             erule notE[rotated],
             rule_tac x="x::word32" for x in gt_imp_neq,
             rule less_le_trans[rotated, OF aligned_le_sharp],
               erule word_plus_mono_right2[rotated],
               fastforce,
              fastforce simp: is_aligned_def,
             fastforce)+)[2],
           clarsimp simp: s0_ptr_defs objBitsKO_def,
           erule notE[rotated],
            rule_tac x="x::word32" for x in less_imp_neq,
           rule le_less_trans[OF mask_neg_le],
           unat_arith,
          rule impI,
          clarsimp simp: option_update_range_def kh0H_dom_distinct[THEN set_mem_neq] not_in_range_cte_None,
          ((clarsimp simp: kh0H_dom_sets_distinct[THEN orthD1] not_in_range_cte_None irq_node_offs_in_range |
          clarsimp simp: kh0H_dom_sets_distinct[THEN orthD2] not_in_range_cte_None)+)[1])+

lemma option_update_range_map_comp:
  "option_update_range m m' = map_add m' m"
  by (simp add: fun_eq_iff option_update_range_def map_comp_def map_add_def
         split: option.split)

lemma tcb_offs_in_rangeI:
  "\<lbrakk>ptr \<le> ptr + x; ptr + x \<le> ptr + 2 ^ 9 - 1\<rbrakk> \<Longrightarrow> ptr + x \<in> tcb_offs_range ptr"
  by (simp add: tcb_offs_range_def)

lemma map_to_ctes_kh0H_simps[simp]:
  "map_to_ctes kh0H (init_irq_node_ptr + (ucast (irq::10 word) << cte_level_bits)) =
                Some (CTE NullCap Null_mdb)"
  "map_to_ctes kh0H irq_cnode_ptr = Some (CTE NullCap Null_mdb)"
  "length x = 10 \<Longrightarrow> map_to_ctes kh0H (Low_cnode_ptr + of_bl x * 0x10) = Low_cte_cte Low_cnode_ptr (Low_cnode_ptr + of_bl x * 0x10)"
  "length x = 10 \<Longrightarrow> map_to_ctes kh0H (High_cnode_ptr + of_bl x * 0x10) = High_cte_cte High_cnode_ptr (High_cnode_ptr + of_bl x * 0x10)"
  "length x = 10 \<Longrightarrow> map_to_ctes kh0H (Silc_cnode_ptr + of_bl x * 0x10) = Silc_cte_cte Silc_cnode_ptr (Silc_cnode_ptr + of_bl x * 0x10)"
  "map_to_ctes kh0H Low_tcb_ptr = Low_tcb_cte Low_tcb_ptr"
  "map_to_ctes kh0H (Low_tcb_ptr + 0x10) = Low_tcb_cte (Low_tcb_ptr + 0x10)"
  "map_to_ctes kh0H (Low_tcb_ptr + 0x20) = Low_tcb_cte (Low_tcb_ptr + 0x20)"
  "map_to_ctes kh0H (Low_tcb_ptr + 0x30) = Low_tcb_cte (Low_tcb_ptr + 0x30)"
  "map_to_ctes kh0H (Low_tcb_ptr + 0x40) = Low_tcb_cte (Low_tcb_ptr + 0x40)"
  "map_to_ctes kh0H High_tcb_ptr = High_tcb_cte High_tcb_ptr"
  "map_to_ctes kh0H (High_tcb_ptr + 0x10) = High_tcb_cte (High_tcb_ptr + 0x10)"
  "map_to_ctes kh0H (High_tcb_ptr + 0x20) = High_tcb_cte (High_tcb_ptr + 0x20)"
  "map_to_ctes kh0H (High_tcb_ptr + 0x30) = High_tcb_cte (High_tcb_ptr + 0x30)"
  "map_to_ctes kh0H (High_tcb_ptr + 0x40) = High_tcb_cte (High_tcb_ptr + 0x40)"
  "map_to_ctes kh0H idle_tcb_ptr = idle_tcb_cte idle_tcb_ptr"
  "map_to_ctes kh0H (idle_tcb_ptr + 0x10) = idle_tcb_cte (idle_tcb_ptr + 0x10)"
  "map_to_ctes kh0H (idle_tcb_ptr + 0x20) = idle_tcb_cte (idle_tcb_ptr + 0x20)"
  "map_to_ctes kh0H (idle_tcb_ptr + 0x30) = idle_tcb_cte (idle_tcb_ptr + 0x30)"
  "map_to_ctes kh0H (idle_tcb_ptr + 0x40) = idle_tcb_cte (idle_tcb_ptr + 0x40)"
  supply option.case_cong[cong] if_cong[cong]
     apply (clarsimp simp: map_to_ctes_kh0H option_update_range_def)
     apply fastforce
    apply (clarsimp simp: map_to_ctes_kh0H option_update_range_def kh0H_dom_distinct not_in_range_cte_None)
   apply ((clarsimp simp: map_to_ctes_kh0H option_update_range_def cnode_offs_in_range s0_ptrs_aligned kh0H_dom_distinct kh0H_dom_distinct' not_in_range_cte_None,
         ((clarsimp simp: offs_in_range kh0H_dom_sets_distinct[THEN orthD1] not_in_range_cte_None
        | clarsimp simp: offs_in_range kh0H_dom_sets_distinct[THEN orthD2] not_in_range_cte_None)+)[1],
            intro conjI,
               (clarsimp,
                drule not_disjointI,
                  (erule offs_in_range | rule offs_in_range),
                 (erule offs_in_range | rule offs_in_range),
                erule notE,
                rule kh0H_dom_sets_distinct
                )+,
          clarsimp split: option.splits)+)[3]
  apply (clarsimp simp: map_to_ctes_kh0H option_update_range_def kh0H_dom_distinct not_in_range_cte_None split: option.splits)
  apply (cut_tac ptr="Low_tcb_ptr" and x="0x10" in tcb_offs_in_rangeI, simp add: s0_ptr_defs, simp add: s0_ptr_defs)
  apply (clarsimp simp: map_to_ctes_kh0H option_update_range_def kh0H_dom_distinct kh0H_dom_distinct' not_in_range_cte_None split: option.splits)
  apply ((simp add: offs_in_range kh0H_dom_sets_distinct[THEN orthD1] not_in_range_cte_None
        | simp add: offs_in_range kh0H_dom_sets_distinct[THEN orthD2] not_in_range_cte_None)+)[1]
  apply (intro conjI impI allI)
     apply (simp add: s0_ptr_defs)
    apply clarsimp
    apply (drule not_disjointI,
             rule irq_node_offs_in_range,
            assumption,
           erule notE,
           rule kh0H_dom_sets_distinct)
   apply (clarsimp simp: kh0H_dom_distinct)
  apply clarsimp
  apply (drule not_disjointI,
           rule irq_node_offs_in_range,
          assumption,
         erule notE,
         rule kh0H_dom_sets_distinct)
  apply (cut_tac ptr="Low_tcb_ptr" and x="0x20" in tcb_offs_in_rangeI, simp add: s0_ptr_defs, simp add: s0_ptr_defs)
  apply (clarsimp simp: map_to_ctes_kh0H option_update_range_def kh0H_dom_distinct kh0H_dom_distinct' not_in_range_cte_None split: option.splits)
  apply ((simp add: offs_in_range kh0H_dom_sets_distinct[THEN orthD1] not_in_range_cte_None
        | simp add: offs_in_range kh0H_dom_sets_distinct[THEN orthD2] not_in_range_cte_None)+)[1]
  apply (intro conjI impI allI)
     apply (simp add: s0_ptr_defs)
    apply clarsimp
    apply (drule not_disjointI,
             rule irq_node_offs_in_range,
            assumption,
           erule notE,
           rule kh0H_dom_sets_distinct)
   apply (clarsimp simp: kh0H_dom_distinct)
  apply clarsimp
  apply (drule not_disjointI,
           rule irq_node_offs_in_range,
          assumption,
         erule notE,
         rule kh0H_dom_sets_distinct)
  apply (cut_tac ptr="Low_tcb_ptr" and x="0x30" in tcb_offs_in_rangeI, simp add: s0_ptr_defs, simp add: s0_ptr_defs)
  apply (clarsimp simp: map_to_ctes_kh0H option_update_range_def kh0H_dom_distinct kh0H_dom_distinct' not_in_range_cte_None split: option.splits)
  apply ((simp add: offs_in_range kh0H_dom_sets_distinct[THEN orthD1] not_in_range_cte_None
        | simp add: offs_in_range kh0H_dom_sets_distinct[THEN orthD2] not_in_range_cte_None)+)[1]
  apply (intro conjI impI allI)
     apply (simp add: s0_ptr_defs)
    apply clarsimp
    apply (drule not_disjointI,
             rule irq_node_offs_in_range,
            assumption,
           erule notE,
           rule kh0H_dom_sets_distinct)
   apply (clarsimp simp: kh0H_dom_distinct)
  apply clarsimp
  apply (drule not_disjointI,
           rule irq_node_offs_in_range,
          assumption,
         erule notE,
         rule kh0H_dom_sets_distinct)
  apply (cut_tac ptr="Low_tcb_ptr" and x="0x40" in tcb_offs_in_rangeI, simp add: s0_ptr_defs, simp add: s0_ptr_defs)
  apply (clarsimp simp: map_to_ctes_kh0H option_update_range_def kh0H_dom_distinct kh0H_dom_distinct' not_in_range_cte_None split: option.splits)
  apply ((simp add: offs_in_range kh0H_dom_sets_distinct[THEN orthD1] not_in_range_cte_None
        | simp add: offs_in_range kh0H_dom_sets_distinct[THEN orthD2] not_in_range_cte_None)+)[1]
  apply (intro conjI impI allI)
     apply (simp add: s0_ptr_defs)
    apply clarsimp
    apply (drule not_disjointI,
             rule irq_node_offs_in_range,
            assumption,
           erule notE,
           rule kh0H_dom_sets_distinct)
   apply (clarsimp simp: kh0H_dom_distinct)
  apply clarsimp
  apply (drule not_disjointI,
           rule irq_node_offs_in_range,
          assumption,
         erule notE,
         rule kh0H_dom_sets_distinct)
  apply (clarsimp simp: map_to_ctes_kh0H option_update_range_def kh0H_dom_distinct not_in_range_cte_None  split: option.splits)
  apply (cut_tac ptr="High_tcb_ptr" and x="0x10" in tcb_offs_in_rangeI, simp add: s0_ptr_defs, simp add: s0_ptr_defs)
  apply (clarsimp simp: map_to_ctes_kh0H option_update_range_def kh0H_dom_distinct kh0H_dom_distinct' not_in_range_cte_None  split: option.splits)
  apply ((simp add: offs_in_range kh0H_dom_sets_distinct[THEN orthD1] not_in_range_cte_None
        | simp add: offs_in_range kh0H_dom_sets_distinct[THEN orthD2] not_in_range_cte_None)+)[1]
  apply (intro conjI impI allI)
     apply (simp add: s0_ptr_defs)
    apply clarsimp
    apply (drule not_disjointI,
             rule irq_node_offs_in_range,
            assumption,
           erule notE,
           rule kh0H_dom_sets_distinct)
   apply (clarsimp simp: kh0H_dom_distinct)
  apply clarsimp
  apply (drule not_disjointI,
           rule irq_node_offs_in_range,
          assumption,
         erule notE,
         rule kh0H_dom_sets_distinct)
  apply (cut_tac ptr="High_tcb_ptr" and x="0x20" in tcb_offs_in_rangeI, simp add: s0_ptr_defs, simp add: s0_ptr_defs)
  apply (clarsimp simp: map_to_ctes_kh0H option_update_range_def kh0H_dom_distinct kh0H_dom_distinct' not_in_range_cte_None  split: option.splits)
  apply ((simp add: offs_in_range kh0H_dom_sets_distinct[THEN orthD1] not_in_range_cte_None
        | simp add: offs_in_range kh0H_dom_sets_distinct[THEN orthD2] not_in_range_cte_None)+)[1]
  apply (intro conjI impI allI)
     apply (simp add: s0_ptr_defs)
    apply clarsimp
    apply (drule not_disjointI,
             rule irq_node_offs_in_range,
            assumption,
           erule notE,
           rule kh0H_dom_sets_distinct)
   apply (clarsimp simp: kh0H_dom_distinct)
  apply clarsimp
  apply (drule not_disjointI,
           rule irq_node_offs_in_range,
          assumption,
         erule notE,
         rule kh0H_dom_sets_distinct)
  apply (cut_tac ptr="High_tcb_ptr" and x="0x30" in tcb_offs_in_rangeI, simp add: s0_ptr_defs, simp add: s0_ptr_defs)
  apply (clarsimp simp: map_to_ctes_kh0H option_update_range_def kh0H_dom_distinct kh0H_dom_distinct' not_in_range_cte_None  split: option.splits)
  apply ((simp add: offs_in_range kh0H_dom_sets_distinct[THEN orthD1] not_in_range_cte_None
        | simp add: offs_in_range kh0H_dom_sets_distinct[THEN orthD2] not_in_range_cte_None)+)[1]
  apply (intro conjI impI allI)
     apply (simp add: s0_ptr_defs)
    apply clarsimp
    apply (drule not_disjointI,
             rule irq_node_offs_in_range,
            assumption,
           erule notE,
           rule kh0H_dom_sets_distinct)
   apply (clarsimp simp: kh0H_dom_distinct)
  apply clarsimp
  apply (drule not_disjointI,
           rule irq_node_offs_in_range,
          assumption,
         erule notE,
         rule kh0H_dom_sets_distinct)
  apply (cut_tac ptr="High_tcb_ptr" and x="0x40" in tcb_offs_in_rangeI, simp add: s0_ptr_defs, simp add: s0_ptr_defs)
  apply (clarsimp simp: map_to_ctes_kh0H option_update_range_def kh0H_dom_distinct kh0H_dom_distinct' not_in_range_cte_None  split: option.splits)
  apply ((simp add: offs_in_range kh0H_dom_sets_distinct[THEN orthD1] not_in_range_cte_None
        | simp add: offs_in_range kh0H_dom_sets_distinct[THEN orthD2] not_in_range_cte_None)+)[1]
  apply (intro conjI impI allI)
     apply (simp add: s0_ptr_defs)
    apply clarsimp
    apply (drule not_disjointI,
             rule irq_node_offs_in_range,
            assumption,
           erule notE,
           rule kh0H_dom_sets_distinct)
   apply (clarsimp simp: kh0H_dom_distinct)
  apply clarsimp
  apply (drule not_disjointI,
           rule irq_node_offs_in_range,
          assumption,
         erule notE,
         rule kh0H_dom_sets_distinct)
  apply (clarsimp simp: map_to_ctes_kh0H option_update_range_def kh0H_dom_distinct not_in_range_cte_None  split: option.splits)
  apply (cut_tac ptr="idle_tcb_ptr" and x="0x10" in tcb_offs_in_rangeI, simp add: s0_ptr_defs, simp add: s0_ptr_defs)
  apply (clarsimp simp: map_to_ctes_kh0H option_update_range_def kh0H_dom_distinct kh0H_dom_distinct' not_in_range_cte_None  split: option.splits)
  apply ((simp add: offs_in_range kh0H_dom_sets_distinct[THEN orthD1] not_in_range_cte_None
        | simp add: offs_in_range kh0H_dom_sets_distinct[THEN orthD2] not_in_range_cte_None)+)[1]
  apply (intro conjI impI allI)
     apply (simp add: s0_ptr_defs)
    apply clarsimp
    apply (drule not_disjointI,
             rule irq_node_offs_in_range,
            assumption,
           erule notE,
           rule kh0H_dom_sets_distinct)
   apply (clarsimp simp: kh0H_dom_distinct)
  apply clarsimp
  apply (drule not_disjointI,
           rule irq_node_offs_in_range,
          assumption,
         erule notE,
         rule kh0H_dom_sets_distinct)
  apply (cut_tac ptr="idle_tcb_ptr" and x="0x20" in tcb_offs_in_rangeI, simp add: s0_ptr_defs, simp add: s0_ptr_defs)
  apply (clarsimp simp: map_to_ctes_kh0H option_update_range_def kh0H_dom_distinct kh0H_dom_distinct' not_in_range_cte_None  split: option.splits)
  apply ((simp add: offs_in_range kh0H_dom_sets_distinct[THEN orthD1] not_in_range_cte_None
        | simp add: offs_in_range kh0H_dom_sets_distinct[THEN orthD2] not_in_range_cte_None)+)[1]
  apply (intro conjI impI allI)
     apply (simp add: s0_ptr_defs)
    apply clarsimp
    apply (drule not_disjointI,
             rule irq_node_offs_in_range,
            assumption,
           erule notE,
           rule kh0H_dom_sets_distinct)
   apply (clarsimp simp: kh0H_dom_distinct)
  apply clarsimp
  apply (drule not_disjointI,
           rule irq_node_offs_in_range,
          assumption,
         erule notE,
         rule kh0H_dom_sets_distinct)
  apply (cut_tac ptr="idle_tcb_ptr" and x="0x30" in tcb_offs_in_rangeI, simp add: s0_ptr_defs, simp add: s0_ptr_defs)
  apply (clarsimp simp: map_to_ctes_kh0H option_update_range_def kh0H_dom_distinct kh0H_dom_distinct' not_in_range_cte_None  split: option.splits)
  apply ((simp add: offs_in_range kh0H_dom_sets_distinct[THEN orthD1] not_in_range_cte_None
        | simp add: offs_in_range kh0H_dom_sets_distinct[THEN orthD2] not_in_range_cte_None)+)[1]
  apply (intro conjI impI allI)
     apply (simp add: s0_ptr_defs)
    apply clarsimp
    apply (drule not_disjointI,
             rule irq_node_offs_in_range,
            assumption,
           erule notE,
           rule kh0H_dom_sets_distinct)
   apply (clarsimp simp: kh0H_dom_distinct)
  apply clarsimp
  apply (drule not_disjointI,
           rule irq_node_offs_in_range,
          assumption,
         erule notE,
         rule kh0H_dom_sets_distinct)
  apply (cut_tac ptr="idle_tcb_ptr" and x="0x40" in tcb_offs_in_rangeI, simp add: s0_ptr_defs, simp add: s0_ptr_defs)
  apply (clarsimp simp: map_to_ctes_kh0H option_update_range_def kh0H_dom_distinct kh0H_dom_distinct' not_in_range_cte_None  split: option.splits)
  apply ((simp add: offs_in_range kh0H_dom_sets_distinct[THEN orthD1] not_in_range_cte_None
        | simp add: offs_in_range kh0H_dom_sets_distinct[THEN orthD2] not_in_range_cte_None)+)[1]
  apply (intro conjI impI allI)
     apply (simp add: s0_ptr_defs)
    apply clarsimp
    apply (drule not_disjointI,
             rule irq_node_offs_in_range,
            assumption,
           erule notE,
           rule kh0H_dom_sets_distinct)
   apply (clarsimp simp: kh0H_dom_distinct)
  apply clarsimp
  by (drule not_disjointI,
           rule irq_node_offs_in_range,
          assumption,
         erule notE,
         rule kh0H_dom_sets_distinct)

lemma map_to_ctes_kh0H_dom:
  "dom (map_to_ctes kh0H) =
             {idle_tcb_ptr, idle_tcb_ptr + 0x10, idle_tcb_ptr + 0x20,
              idle_tcb_ptr + 0x30, idle_tcb_ptr + 0x40,
              Low_tcb_ptr, Low_tcb_ptr + 0x10, Low_tcb_ptr + 0x20,
              Low_tcb_ptr + 0x30, Low_tcb_ptr + 0x40,
              High_tcb_ptr, High_tcb_ptr + 0x10, High_tcb_ptr + 0x20,
              High_tcb_ptr + 0x30, High_tcb_ptr + 0x40,
              irq_cnode_ptr} \<union>
             irq_node_offs_range \<union>
             cnode_offs_range Silc_cnode_ptr \<union>
             cnode_offs_range High_cnode_ptr \<union>
             cnode_offs_range Low_cnode_ptr"
  supply option.case_cong[cong] if_cong[cong]
  apply (rule equalityI)
   apply (simp add: map_to_ctes_kh0H dom_def)
   apply clarsimp
   apply (clarsimp simp: offs_in_range option_update_range_def split: option.splits if_split_asm)
        apply (clarsimp simp: idle_tcb_cte_def)
       apply (clarsimp simp: High_tcb_cte_def)
      apply (clarsimp simp: Low_tcb_cte_def)
     apply (clarsimp simp: Silc_cte_cte_def cnode_offs_range_def split: if_split_asm)
    apply (clarsimp simp: High_cte_cte_def cnode_offs_range_def split: if_split_asm)
   apply (clarsimp simp: Low_cte_cte_def cnode_offs_range_def split: if_split_asm)
  apply (clarsimp simp: dom_def)
  apply (clarsimp simp: idle_tcb_cte_def Low_tcb_cte_def High_tcb_cte_def)
  apply (rule conjI)
   apply (fastforce dest: irq_node_offs_range_correct)
  apply (rule conjI)
   apply clarsimp
   apply (frule cnode_offs_range_correct)
   apply (clarsimp simp: Silc_cte_cte_def Silc_cte'_def Silc_capsH_def empty_cte_def cnode_offs_range_def)
  apply (rule conjI)
   apply clarsimp
   apply (frule cnode_offs_range_correct)
   apply (clarsimp simp: High_cte_cte_def High_cte'_def High_capsH_def empty_cte_def cnode_offs_range_def)
  apply clarsimp
  apply (frule cnode_offs_range_correct)
  apply (clarsimp simp: Low_cte_cte_def Low_cte'_def Low_capsH_def empty_cte_def cnode_offs_range_def)
  done

lemmas map_to_ctes_kh0H_SomeD' = set_mp[OF equalityD1[OF map_to_ctes_kh0H_dom[simplified dom_def
]], OF CollectI, simplified, OF exI]

lemma map_to_ctes_kh0H_SomeD:
  "(map_to_ctes kh0H) x = Some y \<Longrightarrow>
        x = idle_tcb_ptr \<and> y = (CTE NullCap Null_mdb) \<or>
        x = idle_tcb_ptr + 0x10 \<and> y = (CTE NullCap Null_mdb) \<or>
        x = idle_tcb_ptr + 0x20 \<and> y = (CTE NullCap Null_mdb) \<or>
        x = idle_tcb_ptr + 0x30 \<and> y = (CTE NullCap Null_mdb) \<or>
        x = idle_tcb_ptr + 0x40 \<and> y = (CTE NullCap Null_mdb) \<or>
        x = Low_tcb_ptr \<and> y = (CTE (CNodeCap Low_cnode_ptr 10 2 10) (MDB (Low_cnode_ptr + 0x20) 0 False False)) \<or>
        x = Low_tcb_ptr + 0x10 \<and> y = (CTE (ArchObjectCap (PageDirectoryCap Low_pd_ptr (Some Low_asid))) (MDB (Low_cnode_ptr + 0x30) 0 False False)) \<or>
        x = Low_tcb_ptr + 0x20 \<and> y = (CTE (ReplyCap Low_tcb_ptr True True) (MDB 0 0 True True)) \<or>
        x = Low_tcb_ptr + 0x30 \<and> y = (CTE NullCap Null_mdb) \<or>
        x = Low_tcb_ptr + 0x40 \<and> y = (CTE NullCap Null_mdb) \<or>
        x = High_tcb_ptr \<and> y = (CTE (CNodeCap High_cnode_ptr 10 2 10) (MDB (High_cnode_ptr + 0x20) 0 False False)) \<or>
        x = High_tcb_ptr + 0x10 \<and> y = (CTE (ArchObjectCap (PageDirectoryCap High_pd_ptr (Some High_asid))) (MDB (High_cnode_ptr + 0x30) 0 False False)) \<or>
        x = High_tcb_ptr + 0x20 \<and> y = (CTE (ReplyCap High_tcb_ptr True True) (MDB 0 0 True True)) \<or>
        x = High_tcb_ptr + 0x30 \<and> y = (CTE NullCap Null_mdb) \<or>
        x = High_tcb_ptr + 0x40 \<and> y = (CTE NullCap Null_mdb) \<or>
        x = irq_cnode_ptr \<and> y = (CTE NullCap Null_mdb) \<or>
        x \<in> irq_node_offs_range \<and> y = (CTE NullCap Null_mdb) \<or>
        x \<in> cnode_offs_range Silc_cnode_ptr \<and> Silc_cte_cte Silc_cnode_ptr x \<noteq> None \<and> y = the (Silc_cte_cte Silc_cnode_ptr x) \<or>
        x \<in> cnode_offs_range High_cnode_ptr \<and> High_cte_cte High_cnode_ptr x \<noteq> None \<and> y = the (High_cte_cte High_cnode_ptr x) \<or>
        x \<in> cnode_offs_range Low_cnode_ptr \<and> Low_cte_cte Low_cnode_ptr x \<noteq> None \<and> y = the (Low_cte_cte Low_cnode_ptr x)"
  apply (frule map_to_ctes_kh0H_SomeD')
  apply (elim disjE)
       apply (clarsimp simp: idle_tcb_cte_def idle_tcbH_def Low_tcb_cte_def Low_tcbH_def Low_capsH_def High_tcb_cte_def High_tcbH_def High_capsH_def the_nat_to_bl_def nat_to_bl_def)+
     by (drule offs_range_correct, clarsimp simp: offs_in_range)+

lemma mask_neg_add_aligned:
  "is_aligned q n \<Longrightarrow> p + q && ~~ mask n = (p && ~~ mask n) + q"
  apply (subst add.commute)
  apply (simp add: mask_out_add_aligned[symmetric])
  done

lemma kh_s0H[simp]:
  "ksPSpace s0H_internal = kh0H"
  by (simp add: s0H_internal_def)

lemma pspace_distinct'_split:
  notes less_1_simp[simp del] shows
  "(\<forall>(y, ko) \<in> graph_of (ksPSpace ks). (x \<le> y \<or> y + (1 << objBitsKO ko) - 1 < x)
        \<and> y \<le> y + (1 << objBitsKO ko) - 1)
    \<Longrightarrow> pspace_distinct' (ks \<lparr>ksPSpace := restrict_map (ksPSpace ks) {..< x}\<rparr>)
    \<Longrightarrow> pspace_distinct' (ks \<lparr>ksPSpace := restrict_map (ksPSpace ks) {x ..}\<rparr>)
    \<Longrightarrow> pspace_distinct' ks"
  apply (clarsimp simp: pspace_distinct'_def)
  apply (drule bspec, erule graph_ofI, clarsimp)
  apply (simp add: Ball_def)
  apply (drule_tac x=xa in spec)+
  apply (erule disjE)
   apply (simp add: domI)
   apply (thin_tac "P \<longrightarrow> Q" for P Q)
   apply (simp add: ps_clear_def)
   apply (erule trans[rotated])
   apply auto[1]
  apply (clarsimp simp add: domI)
  apply (drule mp, erule(1) order_le_less_trans)
  apply (thin_tac "P \<longrightarrow> Q" for P Q)
  apply (simp add: ps_clear_def)
  apply (erule trans[rotated])
  apply auto[1]
  done

lemma s0H_pspace_distinct':
  notes pdeBits_def[simp] pteBits_def[simp] objBits_defs[simp]
  shows
  "pspace_distinct' s0H_internal"
  supply option.case_cong[cong] if_cong[cong]
  apply (clarsimp simp: pspace_distinct'_def ps_clear_def)
  apply (rule disjointI)
  apply clarsimp
  apply (drule kh0H_SomeD)+
  by (simp | erule disjE
        | clarsimp simp: kh0H_dom_sets_distinct[THEN orthD1]
        | clarsimp simp: kh0H_dom_sets_distinct[THEN orthD2]
        | fastforce simp: s0_ptr_defs objBitsKO_def pageBits_def kh0H_obj_def
        | clarsimp simp: irq_node_offs_range_def objBitsKO_def s0_ptr_defs,
          drule_tac x="0xF" in word_plus_strict_mono_right, fastforce, simp add: add.commute,
          drule(1) notE[rotated, OF less_trans, OF _ _ leD, rotated 2], fastforce, simp
        | clarsimp simp: pt_offs_range_def pd_offs_range_def irq_node_offs_range_def cnode_offs_range_def objBitsKO_def archObjSize_def s0_ptr_defs kh0H_obj_def,
          drule(1) aligned_le_sharp, simp add: mask_def,
          drule_tac x="0x3" in word_plus_mono_right, fastforce, simp add: add.commute,
          (drule(1) notE[rotated, OF le_less_trans, OF _ _ leD, rotated 2], fastforce, simp
          | drule(2) notE[rotated, OF le_less_trans, OF _ _ leD[OF order_trans], rotated 2], fastforce, simp)
        | clarsimp simp: objBitsKO_def pageBits_def cnode_offs_range_def pd_offs_range_def pt_offs_range_def irq_node_offs_range_def s0_ptr_defs kh0H_obj_def,
          drule(1) notE[rotated, OF le_less_trans, OF _ _ leD, rotated 2]
                   notE[rotated, OF le_less_trans, OF _ _ leD], fastforce, simp
        | (clarsimp simp: objBitsKO_def pageBits_def cnode_offs_range_def pd_offs_range_def pt_offs_range_def irq_node_offs_range_def s0_ptr_defs kh0H_obj_def Low_cte'_def Low_capsH_def cte_level_bits_def empty_cte_def High_cte'_def High_capsH_def Silc_cte'_def Silc_capsH_def split: if_split_asm,
         (drule(1) aligned_le_sharp, simp add: mask_def,
          drule_tac x="0xF" in word_plus_mono_right, fastforce, simp add: add.commute,
          (drule(1) notE[rotated, OF le_less_trans, OF _ _ leD, rotated 2]
                    notE[rotated, OF le_less_trans, OF _ _ leD], fastforce, simp
          | drule(2) notE[rotated, OF less_trans, OF _ _ leD[OF order_trans], rotated 2]
                     notE[rotated, OF le_less_trans, OF _ _ leD[OF order_trans], rotated 2],
               fastforce, simp))+)[1]
        | clarsimp simp: objBitsKO_def irq_node_offs_range_def cnode_offs_range_def pd_offs_range_def pt_offs_range_def cte_level_bits_def s0_ptr_defs,
          drule_tac x="0xF" in word_plus_strict_mono_right, fastforce, simp add: add.commute,
          drule(2) notE[rotated, OF less_trans, OF _ _ leD[OF order_trans], rotated 2]
                   notE[rotated, OF le_less_trans, OF _ _ leD[OF order_trans], rotated 2],
              fastforce, simp
        | (clarsimp simp: irq_node_offs_range_def cnode_offs_range_def pd_offs_range_def pt_offs_range_def s0_ptr_defs objBitsKO_def archObjSize_def kh0H_obj_def Low_cte'_def Low_capsH_def High_cte'_def High_capsH_def Silc_cte'_def Silc_capsH_def cte_level_bits_def empty_cte_def split: if_split_asm,
          (drule(1) aligned_le_sharp, simp add: mask_neg_add_aligned, fastforce simp: mask_def)+)[1])+

lemma pspace_distinctD'':
  "\<lbrakk>\<exists>v. ksPSpace s x = Some v \<and> objBitsKO v = n; pspace_distinct' s\<rbrakk>
    \<Longrightarrow> ps_clear x n s"
  apply clarsimp
  apply (drule(1) pspace_distinctD')
  apply simp
  done

lemma cnode_offs_min2':
  "is_aligned ptr 14 \<Longrightarrow> (ptr::word32) \<le> ptr + 0x10 * (x && mask 10)"
  apply (erule is_aligned_no_wrap')
  apply (subst mult.commute)
  apply (rule div_lt_mult)
   apply (cut_tac and_mask_less'[where n=10])
    apply simp
   apply simp
  apply simp
  done

lemma cnode_offs_min2:
  "Low_cnode_ptr \<le> Low_cnode_ptr + 0x10 * (x && mask 10)"
  "High_cnode_ptr \<le> High_cnode_ptr + 0x10 * (x && mask 10)"
  "Silc_cnode_ptr \<le> Silc_cnode_ptr + 0x10 * (x && mask 10)"
  by (simp_all add: cnode_offs_min2' s0_ptrs_aligned)

lemma cnode_offs_max2':
  "is_aligned ptr 14 \<Longrightarrow> (ptr::word32) + 0x10 * (x && mask 10) \<le> ptr + 0x3fff"
  apply (rule word_plus_mono_right)
   apply (subst mult.commute)
   apply (rule div_to_mult_word_lt)
   apply simp
   apply (rule plus_one_helper)
   apply simp
   apply (cut_tac and_mask_less'[where n=10])
    apply simp
   apply simp
  apply (drule is_aligned_no_overflow)
  apply (simp add: add.commute)
  done

lemma cnode_offs_max2:
  "Low_cnode_ptr + 0x10 * (x && mask 10) \<le> Low_cnode_ptr + 0x3fff"
  "High_cnode_ptr + 0x10 * (x && mask 10) \<le> High_cnode_ptr + 0x3fff"
  "Silc_cnode_ptr + 0x10 * (x && mask 10) \<le> Silc_cnode_ptr + 0x3fff"
  by (simp_all add: cnode_offs_max2' s0_ptrs_aligned)

lemma cnode_offs_in_range2':
  "\<lbrakk>is_aligned ptr 14\<rbrakk> \<Longrightarrow>
     ptr + 0x10 * (x && mask 10) \<in> cnode_offs_range ptr"
  apply (clarsimp simp: cnode_offs_min2' cnode_offs_max2' cnode_offs_range_def add.commute cte_level_bits_def)
  apply (rule is_aligned_add)
   apply (erule is_aligned_weaken)
   apply simp
  apply (rule_tac is_aligned_mult_triv1[where n=4, simplified])
  done

lemma cnode_offs_in_range2:
  "Silc_cnode_ptr + 0x10 * (x && mask 10) \<in> cnode_offs_range Silc_cnode_ptr"
  "Low_cnode_ptr + 0x10 * (x && mask 10) \<in> cnode_offs_range Low_cnode_ptr"
  "High_cnode_ptr + 0x10 * (x && mask 10) \<in> cnode_offs_range High_cnode_ptr"
  by (simp_all add: cnode_offs_in_range2' s0_ptrs_aligned)+

lemma kh0H_dom_distinct2:
  "Silc_cnode_ptr + 0x10 * (x && mask 10) \<noteq> init_globals_frame"
  "Silc_cnode_ptr + 0x10 * (x && mask 10) \<noteq> idle_tcb_ptr"
  "Silc_cnode_ptr + 0x10 * (x && mask 10) \<noteq> High_tcb_ptr"
  "Silc_cnode_ptr + 0x10 * (x && mask 10) \<noteq> Low_tcb_ptr"
  "Silc_cnode_ptr + 0x10 * (x && mask 10) \<noteq> irq_cnode_ptr"
  "Silc_cnode_ptr + 0x10 * (x && mask 10) \<noteq> ntfn_ptr"
  "Low_cnode_ptr + 0x10 * (x && mask 10) \<noteq> init_globals_frame"
  "Low_cnode_ptr + 0x10 * (x && mask 10) \<noteq> idle_tcb_ptr"
  "Low_cnode_ptr + 0x10 * (x && mask 10) \<noteq> High_tcb_ptr"
  "Low_cnode_ptr + 0x10 * (x && mask 10) \<noteq> Low_tcb_ptr"
  "Low_cnode_ptr + 0x10 * (x && mask 10) \<noteq> irq_cnode_ptr"
  "Low_cnode_ptr + 0x10 * (x && mask 10) \<noteq> ntfn_ptr"
  "High_cnode_ptr + 0x10 * (x && mask 10) \<noteq> init_globals_frame"
  "High_cnode_ptr + 0x10 * (x && mask 10) \<noteq> idle_tcb_ptr"
  "High_cnode_ptr + 0x10 * (x && mask 10) \<noteq> High_tcb_ptr"
  "High_cnode_ptr + 0x10 * (x && mask 10) \<noteq> Low_tcb_ptr"
  "High_cnode_ptr + 0x10 * (x && mask 10) \<noteq> irq_cnode_ptr"
  "High_cnode_ptr + 0x10 * (x && mask 10) \<noteq> ntfn_ptr"
  by (cut_tac x=x in cnode_offs_in_range2(1), fastforce simp: kh0H_dom_distinct
         | cut_tac x=x in cnode_offs_in_range2(2), fastforce simp: kh0H_dom_distinct
         | cut_tac x=x in cnode_offs_in_range2(3), fastforce simp: kh0H_dom_distinct)+

lemma kh0H_cnode_simps2[simp]:
  "kh0H (Low_cnode_ptr + 0x10 * (x && mask 10)) = Low_cte Low_cnode_ptr (Low_cnode_ptr + 0x10 * (x && mask 10))"
  "kh0H (High_cnode_ptr + 0x10 * (x && mask 10)) = High_cte High_cnode_ptr (High_cnode_ptr + 0x10 * (x && mask 10))"
  "kh0H (Silc_cnode_ptr + 0x10 * (x && mask 10)) = Silc_cte Silc_cnode_ptr (Silc_cnode_ptr + 0x10 * (x && mask 10))"
  supply option.case_cong[cong] if_cong[cong]
  by (clarsimp simp: kh0H_def option_update_range_def cnode_offs_in_range' s0_ptrs_aligned kh0H_dom_distinct kh0H_dom_distinct2 not_in_range_None,
         ((clarsimp simp: cnode_offs_in_range2 kh0H_dom_sets_distinct[THEN orthD1] not_in_range_None
        | clarsimp simp: cnode_offs_in_range2 kh0H_dom_sets_distinct[THEN orthD2] not_in_range_None)+),
            intro conjI,
               (clarsimp,
                drule not_disjointI,
                  (rule irq_node_offs_in_range cnode_offs_in_range2 | erule offs_in_range),
                 (rule irq_node_offs_in_range cnode_offs_in_range2 | erule offs_in_range),
                erule notE,
                rule kh0H_dom_sets_distinct
                )+,
          clarsimp split: option.splits)+

lemma cnode_offs_aligned2:
  "is_aligned (Low_cnode_ptr + 0x10 * (addr && mask 10)) 4"
  "is_aligned (High_cnode_ptr + 0x10 * (addr && mask 10)) 4"
  "is_aligned (Silc_cnode_ptr + 0x10 * (addr && mask 10)) 4"
  by (rule is_aligned_add,
          rule is_aligned_weaken,
           rule s0_ptrs_aligned,
          simp,
         rule is_aligned_mult_triv1[where n=4, simplified])+

lemma less_t2n_ex_ucast:
  "\<lbrakk>(x::'a::len word) < 2 ^ n; len_of TYPE('b) = n\<rbrakk> \<Longrightarrow> \<exists>y. x = ucast (y::'b::len word)"
  apply (rule_tac x="ucast x" in exI)
  apply (rule ucast_ucast_len[symmetric])
  apply simp
  done

lemma pd_offs_aligned:
  "is_aligned (Low_pd_ptr + (ucast (x::12 word) << 2)) 2"
  "is_aligned (High_pd_ptr + (ucast (x::12 word) << 2)) 2"
  by (rule is_aligned_add[OF _ is_aligned_shift], simp add: s0_ptr_defs is_aligned_def)+

lemma valid_caps_s0H[simp]:
  notes pdeBits_def[simp] objBits_defs[simp]
  shows
  "valid_cap' NullCap s0H_internal"
  "valid_cap' (ThreadCap Low_tcb_ptr) s0H_internal"
  "valid_cap' (ThreadCap High_tcb_ptr) s0H_internal"
  "valid_cap' (CNodeCap Low_cnode_ptr 10 2 10) s0H_internal"
  "valid_cap' (CNodeCap High_cnode_ptr 10 2 10) s0H_internal"
  "valid_cap' (CNodeCap Silc_cnode_ptr 10 2 10) s0H_internal"
  "valid_cap' (ArchObjectCap (PageDirectoryCap Low_pd_ptr (Some Low_asid))) s0H_internal"
  "valid_cap' (ArchObjectCap (PageDirectoryCap High_pd_ptr (Some High_asid))) s0H_internal"
  "valid_cap' (NotificationCap ntfn_ptr 0 True False) s0H_internal"
  "valid_cap' (NotificationCap ntfn_ptr 0 False True) s0H_internal"
  "valid_cap' (ReplyCap Low_tcb_ptr True True) s0H_internal"
  "valid_cap' (ReplyCap High_tcb_ptr True True) s0H_internal"
  supply option.case_cong[cong] if_cong[cong]
  apply (simp
        | simp add: valid_cap'_def s0H_internal_def capAligned_def word_bits_def objBits_def s0_ptrs_aligned obj_at'_def projectKO_eq project_inject,
          intro conjI,
             simp add: objBitsKO_def s0_ptrs_aligned,
            simp add: objBitsKO_def,
           simp add: objBitsKO_def s0_ptrs_aligned mask_def,
          rule pspace_distinctD'[OF _ s0H_pspace_distinct', simplified s0H_internal_def],
          simp)+
   apply (simp add: valid_cap'_def capAligned_def word_bits_def objBits_def s0_ptrs_aligned obj_at'_def projectKO_eq project_inject)
   apply (intro conjI)
      apply (simp add: objBitsKO_def s0_ptrs_aligned)
     apply (simp add: objBitsKO_def)
    apply (simp add: objBitsKO_def s0_ptrs_aligned mask_def)
   apply (clarsimp simp: Low_cte_def Low_cte'_def Low_capsH_def cnode_offs_min2 cnode_offs_max2 cnode_offs_aligned2 add.commute s0_ptrs_aligned cte_level_bits_def objBitsKO_def empty_cte_def)
   apply (rule pspace_distinctD''[OF _ s0H_pspace_distinct', simplified cte_level_bits_def])
   apply (simp add: Low_cte_def Low_cte'_def Low_capsH_def empty_cte_def cnode_offs_min2 cnode_offs_max2 cnode_offs_aligned2 add.commute s0_ptrs_aligned cte_level_bits_def objBitsKO_def)
   apply (simp add: valid_cap'_def capAligned_def word_bits_def objBits_def s0_ptrs_aligned obj_at'_def projectKO_eq project_inject)
   apply (intro conjI)
      apply (simp add: objBitsKO_def s0_ptrs_aligned)
     apply (simp add: objBitsKO_def)
    apply (simp add: objBitsKO_def s0_ptrs_aligned mask_def)
   apply (clarsimp simp: High_cte_def High_cte'_def High_capsH_def cnode_offs_min2 cnode_offs_max2 cnode_offs_aligned2 add.commute s0_ptrs_aligned cte_level_bits_def objBitsKO_def empty_cte_def)
   apply (rule pspace_distinctD''[OF _ s0H_pspace_distinct', simplified cte_level_bits_def])
   apply (simp add: High_cte_def High_cte'_def High_capsH_def empty_cte_def cnode_offs_min2 cnode_offs_max2 cnode_offs_aligned2 add.commute s0_ptrs_aligned cte_level_bits_def objBitsKO_def)
   apply (simp add: valid_cap'_def capAligned_def word_bits_def objBits_def s0_ptrs_aligned obj_at'_def projectKO_eq project_inject)
   apply (intro conjI)
      apply (simp add: objBitsKO_def s0_ptrs_aligned)
     apply (simp add: objBitsKO_def)
    apply (simp add: objBitsKO_def s0_ptrs_aligned mask_def)
   apply (clarsimp simp: Silc_cte_def Silc_cte'_def Silc_capsH_def cnode_offs_min2 cnode_offs_max2 cnode_offs_aligned2 add.commute s0_ptrs_aligned cte_level_bits_def objBitsKO_def empty_cte_def)
   apply (rule pspace_distinctD''[OF _ s0H_pspace_distinct', simplified cte_level_bits_def])
   apply (simp add: Silc_cte_def Silc_cte'_def Silc_capsH_def empty_cte_def cnode_offs_min2 cnode_offs_max2 cnode_offs_aligned2 add.commute s0_ptrs_aligned cte_level_bits_def objBitsKO_def)
   apply (simp add: valid_cap'_def capAligned_def word_bits_def Low_asid_def asid_low_bits_def asid_bits_def s0_ptrs_aligned page_directory_at'_def pdBits_def pageBits_def)
   apply (clarsimp simp: typ_at'_def ko_wp_at'_def)
   apply (drule less_t2n_ex_ucast[where n=12 and 'b=12, simplified])
   apply (clarsimp simp: Low_pdH_def pd_offs_aligned pd_offs_min pd_offs_max s0_ptrs_aligned add.commute objBitsKO_def archObjSize_def)
   apply (rule pspace_distinctD''[OF _ s0H_pspace_distinct'])
   apply (simp add: Low_pdH_def pd_offs_aligned pd_offs_min pd_offs_max s0_ptrs_aligned objBitsKO_def archObjSize_def add.commute)
   apply (simp add: valid_cap'_def capAligned_def word_bits_def High_asid_def asid_low_bits_def asid_bits_def s0_ptrs_aligned page_directory_at'_def pdBits_def pageBits_def)
   apply (clarsimp simp: typ_at'_def ko_wp_at'_def)
   apply (drule less_t2n_ex_ucast[where n=12 and 'b=12, simplified])
   apply (clarsimp simp: High_pdH_def pd_offs_aligned pd_offs_min pd_offs_max s0_ptrs_aligned add.commute objBitsKO_def archObjSize_def)
   apply (rule pspace_distinctD''[OF _ s0H_pspace_distinct'])
   apply (simp add: High_pdH_def pd_offs_aligned pd_offs_min pd_offs_max s0_ptrs_aligned objBitsKO_def archObjSize_def add.commute)
   apply (simp add: valid_cap'_def capAligned_def word_bits_def objBits_def s0_ptrs_aligned obj_at'_def projectKO_eq project_inject Low_asid_def asid_low_bits_def asid_bits_def objBitsKO_def ntfnH_def)
   apply (rule pspace_distinctD''[OF _ s0H_pspace_distinct', simplified])
   apply (simp add: ntfnH_def objBitsKO_def)
   apply (simp add: valid_cap'_def capAligned_def word_bits_def objBits_def s0_ptrs_aligned obj_at'_def projectKO_eq project_inject Low_asid_def asid_low_bits_def asid_bits_def objBitsKO_def ntfnH_def)
   apply (rule pspace_distinctD''[OF _ s0H_pspace_distinct'])
   apply (simp add: ntfnH_def objBitsKO_def)
  by (simp
        | simp add: valid_cap'_def s0H_internal_def capAligned_def word_bits_def objBits_def s0_ptrs_aligned obj_at'_def projectKO_eq project_inject Low_asid_def asid_low_bits_def asid_bits_def,
          intro conjI,
             simp add: objBitsKO_def s0_ptrs_aligned,
            simp add: objBitsKO_def,
           simp add: objBitsKO_def s0_ptrs_aligned mask_def,
          rule pspace_distinctD'[OF _ s0H_pspace_distinct', simplified s0H_internal_def],
          simp)+

text \<open>We can only instantiate our example state (featuring high and low domains) if the number
  of configured domains is > 1, i.e. that maxDomain is 1 or greater. When seL4 is configured for a
  single domain only, none of the state instantiation proofs below are relevant.\<close>

lemma s0H_valid_objs':
  "1 \<le> maxDomain \<Longrightarrow> valid_objs' s0H_internal"
  supply objBits_defs[simp]
  apply (clarsimp simp: valid_objs'_def ran_def)
  apply (drule kh0H_SomeD)
  apply (elim disjE)
                apply clarsimp
               apply (clarsimp simp: valid_obj'_def valid_tcb'_def kh0H_obj_def valid_tcb_state'_def
                                     default_domain_def minBound_word
                                     default_priority_def tcb_cte_cases_def)
              apply (clarsimp simp: valid_obj'_def valid_tcb'_def kh0H_obj_def valid_tcb_state'_def
                                    High_domain_def minBound_word
                                    High_mcp_def High_prio_def maxPriority_def numPriorities_def
                                    tcb_cte_cases_def High_capsH_def obj_at'_def projectKO_eq
                                    project_inject)
              apply (rule conjI)
               apply (simp add: is_aligned_def s0_ptr_defs objBitsKO_def)
              apply (rule pspace_distinctD'[OF _ s0H_pspace_distinct'])
              apply (simp add: ntfnH_def)
             apply (clarsimp simp: valid_obj'_def valid_tcb'_def kh0H_obj_def valid_tcb_state'_def
                                   Low_domain_def minBound_word
                                   Low_mcp_def Low_prio_def maxPriority_def numPriorities_def
                                   tcb_cte_cases_def Low_capsH_def)
            apply (clarsimp simp: valid_obj'_def ntfnH_def valid_ntfn'_def obj_at'_def projectKO_eq
                                  project_inject)
            apply (rule conjI)
             apply (clarsimp simp: is_aligned_def s0_ptr_defs objBitsKO_def)
            apply (rule pspace_distinctD'[OF _ s0H_pspace_distinct'])
            apply simp
           apply (clarsimp simp: valid_obj'_def irq_cte_def valid_cte'_def)
          apply (clarsimp simp: valid_obj'_def valid_cte'_def)
         apply (clarsimp simp: valid_obj'_def Low_cte_def Low_cte'_def Low_capsH_def empty_cte_def
                               valid_cte'_def
                        split: if_split_asm)
        apply (clarsimp simp: valid_obj'_def High_cte_def High_cte'_def High_capsH_def empty_cte_def
                              valid_cte'_def
                       split: if_split_asm)
       apply (clarsimp simp: valid_obj'_def Silc_cte_def Silc_cte'_def Silc_capsH_def empty_cte_def
                             valid_cte'_def
                      split: if_split_asm)
      apply (clarsimp simp: valid_obj'_def global_pdH'_def valid_mapping'_def s0_ptr_defs
                     split: if_split_asm)
      apply (rule is_aligned_addrFromPPtr_n; clarsimp simp: is_aligned_def)
     apply (clarsimp simp: valid_obj'_def High_pdH_def High_pd'H_def valid_mapping'_def s0_ptr_defs
                           ptBits_def pteBits_def
                    split: if_split_asm)
     apply (intro conjI impI; rule is_aligned_addrFromPPtr_n; clarsimp simp: is_aligned_def)
    apply (clarsimp simp: valid_obj'_def Low_pdH_def Low_pd'H_def valid_mapping'_def s0_ptr_defs
                          ptBits_def pteBits_def
                   split: if_split_asm)
    apply (intro conjI impI; rule is_aligned_addrFromPPtr_n; clarsimp simp: is_aligned_def)
   apply (clarsimp simp: valid_obj'_def High_ptH_def High_pt'H_def valid_mapping'_def s0_ptr_defs
                         ptBits_def pteBits_def shared_page_ptr_phys_def
                  split: if_split_asm)
   apply (rule is_aligned_addrFromPPtr_n; clarsimp simp: is_aligned_def)
  apply (clarsimp simp: valid_obj'_def Low_ptH_def Low_pt'H_def valid_mapping'_def s0_ptr_defs
                        ptBits_def pteBits_def shared_page_ptr_phys_def
                 split: if_split_asm)
  apply (rule is_aligned_addrFromPPtr_n; clarsimp simp: is_aligned_def)
  done

lemmas the_nat_to_bl_simps =
  the_nat_to_bl_def nat_to_bl_def

lemma ucast_shiftr_13E:
  "\<lbrakk>ucast (p - ptr >> 4) = (0x13E::10 word); p \<le> 0x3FFF + ptr; ptr \<le> p;
    is_aligned ptr 14; is_aligned p 4\<rbrakk>
    \<Longrightarrow> p = (ptr::word32) + 0x13E0"
  apply (subst(asm) up_ucast_inj_eq[symmetric, where 'b=32])
   apply simp
  apply simp
  apply (subst(asm) ucast_ucast_len)
   apply simp
   apply (rule shiftr_less_t2n[where m=10, simplified])
   apply simp
   apply (rule word_leq_minus_one_le)
    apply simp
   apply simp
   apply (rule word_diff_ls')
    apply simp
   apply simp
  apply (drule shiftr_eqD[where y="0x13E0" and n=4 and 'a=32, simplified])
    apply (erule(1) aligned_sub_aligned[OF _ is_aligned_weaken])
     apply simp
    apply simp
   apply (simp add: is_aligned_def)
  apply (simp add: diff_eq_eq)
  done

lemma ucast_shiftr_3:
  "\<lbrakk>ucast (p - ptr >> 4) = (3::10 word); p \<le> 0x3FFF + ptr; ptr \<le> p;
    is_aligned ptr 14; is_aligned p 4\<rbrakk>
    \<Longrightarrow> p = (ptr::word32) + 0x30"
  apply (subst(asm) up_ucast_inj_eq[symmetric, where 'b=32])
   apply simp
  apply simp
  apply (subst(asm) ucast_ucast_len)
   apply simp
   apply (rule shiftr_less_t2n[where m=10, simplified])
   apply simp
   apply (rule word_leq_minus_one_le)
    apply simp
   apply simp
   apply (rule word_diff_ls')
    apply simp
   apply simp
  apply (drule shiftr_eqD[where y="0x30" and n=4 and 'a=32, simplified])
    apply (erule(1) aligned_sub_aligned[OF _ is_aligned_weaken])
     apply simp
    apply simp
   apply (simp add: is_aligned_def)
  apply (simp add: diff_eq_eq)
  done

lemma ucast_shiftr_2:
  "\<lbrakk>ucast (p - ptr >> 4) = (2::10 word); p \<le> 0x3FFF + ptr; ptr \<le> p;
    is_aligned ptr 14; is_aligned p 4\<rbrakk>
    \<Longrightarrow> p = (ptr::word32) + 0x20"
  apply (subst(asm) up_ucast_inj_eq[symmetric, where 'b=32])
   apply simp
  apply simp
  apply (subst(asm) ucast_ucast_len)
   apply simp
   apply (rule shiftr_less_t2n[where m=10, simplified])
   apply simp
   apply (rule word_leq_minus_one_le)
    apply simp
   apply simp
   apply (rule word_diff_ls')
    apply simp
   apply simp
  apply (drule shiftr_eqD[where y="0x20" and n=4 and 'a=32, simplified])
    apply (erule(1) aligned_sub_aligned[OF _ is_aligned_weaken])
     apply simp
    apply simp
   apply (simp add: is_aligned_def)
  apply (simp add: diff_eq_eq)
  done

lemma ucast_shiftr_1:
  "\<lbrakk>ucast (p - ptr >> 4) = (1::10 word); p \<le> 0x3FFF + ptr; ptr \<le> p;
    is_aligned ptr 14; is_aligned p 4\<rbrakk>
    \<Longrightarrow> p = (ptr::word32) + 0x10"
  apply (subst(asm) up_ucast_inj_eq[symmetric, where 'b=32])
   apply simp
  apply simp
  apply (subst(asm) ucast_ucast_len)
   apply simp
   apply (rule shiftr_less_t2n[where m=10, simplified])
   apply simp
   apply (rule word_leq_minus_one_le)
    apply simp
   apply simp
   apply (rule word_diff_ls')
    apply simp
   apply simp
  apply (drule shiftr_eqD[where y="0x10" and n=4 and 'a=32, simplified])
    apply (erule(1) aligned_sub_aligned[OF _ is_aligned_weaken])
     apply simp
    apply simp
   apply (simp add: is_aligned_def)
  apply (simp add: diff_eq_eq)
  done

lemmas kh0H_all_obj_def' = kh0H_all_obj_def Low_cte_cte_def High_cte_cte_def Silc_cte_cte_def Low_tcb_cte_def High_tcb_cte_def idle_tcb_cte_def

lemma map_to_ctes_kh0H_simps'[simp]:
  "map_to_ctes kh0H (Low_cnode_ptr + 0x13E0) = Some
    (CTE (NotificationCap ntfn_ptr 0 True False) (MDB (Silc_cnode_ptr + 0x13E0) 0 False False))"
  "map_to_ctes kh0H (Low_cnode_ptr + 0x30) = Some
    (CTE (ArchObjectCap (PageDirectoryCap Low_pd_ptr (Some Low_asid)))
         (MDB 0 (Low_tcb_ptr + 0x10) False False))"
  "map_to_ctes kh0H (Low_cnode_ptr + 0x20) = Some
    (CTE (CNodeCap Low_cnode_ptr 10 2 10) (MDB 0 Low_tcb_ptr False False))"
  "map_to_ctes kh0H (Low_cnode_ptr + 0x10) = Some (CTE (ThreadCap Low_tcb_ptr) Null_mdb)"
  "map_to_ctes kh0H (High_cnode_ptr + 0x13E0) = Some
    (CTE (NotificationCap ntfn_ptr 0 False True) (MDB 0 (Silc_cnode_ptr + 0x13E0) False False))"
  "map_to_ctes kh0H (High_cnode_ptr + 0x30) = Some
    (CTE (ArchObjectCap (PageDirectoryCap High_pd_ptr (Some High_asid)))
         (MDB 0 (High_tcb_ptr + 0x10) False False))"
  "map_to_ctes kh0H (High_cnode_ptr + 0x20) = Some
    (CTE (CNodeCap High_cnode_ptr 10 2 10) (MDB 0 High_tcb_ptr False False))"
  "map_to_ctes kh0H (High_cnode_ptr + 0x10) = Some (CTE (ThreadCap High_tcb_ptr) Null_mdb)"
  "map_to_ctes kh0H (Silc_cnode_ptr + 0x13E0) = Some
    (CTE (NotificationCap ntfn_ptr 0 True False)
         (MDB (High_cnode_ptr + 0x13E0) (Low_cnode_ptr + 0x13E0) False False))"
  "map_to_ctes kh0H (Silc_cnode_ptr + 0x20) = Some
    (CTE (CNodeCap Silc_cnode_ptr 10 2 10) Null_mdb)"
           apply (clarsimp simp: map_to_ctes_kh0H_simps(3)[where x="the_nat_to_bl_10 318", simplified the_nat_to_bl_simps, simplified] kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps, fastforce simp: s0_ptr_defs is_aligned_def)
          apply (clarsimp simp: map_to_ctes_kh0H_simps(3)[where x="the_nat_to_bl_10 3", simplified the_nat_to_bl_simps, simplified] kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps, fastforce simp: s0_ptr_defs is_aligned_def)
         apply (clarsimp simp: map_to_ctes_kh0H_simps(3)[where x="the_nat_to_bl_10 2", simplified the_nat_to_bl_simps, simplified] kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps, fastforce simp: s0_ptr_defs is_aligned_def)
        apply (clarsimp simp: map_to_ctes_kh0H_simps(3)[where x="the_nat_to_bl_10 1", simplified the_nat_to_bl_simps, simplified] kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps, fastforce simp: s0_ptr_defs is_aligned_def)
       apply (clarsimp simp: map_to_ctes_kh0H_simps(4)[where x="the_nat_to_bl_10 318", simplified the_nat_to_bl_simps, simplified] kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps, fastforce simp: s0_ptr_defs is_aligned_def)
      apply (clarsimp simp: map_to_ctes_kh0H_simps(4)[where x="the_nat_to_bl_10 3", simplified the_nat_to_bl_simps, simplified] kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps, fastforce simp: s0_ptr_defs is_aligned_def)
     apply (clarsimp simp: map_to_ctes_kh0H_simps(4)[where x="the_nat_to_bl_10 2", simplified the_nat_to_bl_simps, simplified] kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps, fastforce simp: s0_ptr_defs is_aligned_def)
    apply (clarsimp simp: map_to_ctes_kh0H_simps(4)[where x="the_nat_to_bl_10 1", simplified the_nat_to_bl_simps, simplified] kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps, fastforce simp: s0_ptr_defs is_aligned_def)
   apply (clarsimp simp: map_to_ctes_kh0H_simps(5)[where x="the_nat_to_bl_10 318", simplified the_nat_to_bl_simps, simplified] kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps, fastforce simp: s0_ptr_defs is_aligned_def)
  apply (clarsimp simp: map_to_ctes_kh0H_simps(5)[where x="the_nat_to_bl_10 2", simplified the_nat_to_bl_simps, simplified] kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps, fastforce simp: s0_ptr_defs is_aligned_def)
  done

lemma mdb_next_s0H:
  "p' \<noteq> 0 \<Longrightarrow> map_to_ctes kh0H \<turnstile> p \<leadsto> p' =
     (p = Low_cnode_ptr + 0x13E0 \<and> p' = Silc_cnode_ptr + 0x13E0 \<or>
     p = Silc_cnode_ptr + 0x13E0 \<and> p' = High_cnode_ptr + 0x13E0 \<or>
     p = Low_tcb_ptr \<and> p' = Low_cnode_ptr + 0x20 \<or>
     p = Low_tcb_ptr + 0x10 \<and> p' = Low_cnode_ptr + 0x30 \<or>
     p = High_tcb_ptr \<and> p' = High_cnode_ptr + 0x20 \<or>
     p = High_tcb_ptr + 0x10 \<and> p' = High_cnode_ptr + 0x30)"
  apply (rule iffI)
   apply (simp add: next_unfold')
   apply (elim exE conjE)
   apply (frule map_to_ctes_kh0H_SomeD)
   apply (elim disjE, simp_all)[1]
     apply (clarsimp simp: kh0H_all_obj_def' to_bl_use_of_bl the_nat_to_bl_simps cte_level_bits_def ucast_shiftr_13E s0_ptrs_aligned split: if_split_asm)
    apply (clarsimp simp: kh0H_all_obj_def' to_bl_use_of_bl the_nat_to_bl_simps cte_level_bits_def ucast_shiftr_13E s0_ptrs_aligned split: if_split_asm)
   apply (clarsimp simp: kh0H_all_obj_def' to_bl_use_of_bl the_nat_to_bl_simps cte_level_bits_def ucast_shiftr_13E s0_ptrs_aligned split: if_split_asm)
  apply (clarsimp simp: next_unfold' map_to_ctes_kh0H_dom)
  apply (elim disjE, simp_all add: kh0H_all_obj_def')
  done

lemma mdb_prev_s0H:
  "p \<noteq> 0 \<Longrightarrow> map_to_ctes kh0H \<turnstile> p \<leftarrow> p' =
     (p = Low_cnode_ptr + 0x13E0 \<and> p' = Silc_cnode_ptr + 0x13E0 \<or>
     p = Silc_cnode_ptr + 0x13E0 \<and> p' = High_cnode_ptr + 0x13E0 \<or>
     p = Low_tcb_ptr \<and> p' = Low_cnode_ptr + 0x20 \<or>
     p = Low_tcb_ptr + 0x10 \<and> p' = Low_cnode_ptr + 0x30 \<or>
     p = High_tcb_ptr \<and> p' = High_cnode_ptr + 0x20 \<or>
     p = High_tcb_ptr + 0x10 \<and> p' = High_cnode_ptr + 0x30)"
  apply (rule iffI)
   apply (simp add: mdb_prev_def)
   apply (elim exE conjE)
   apply (frule map_to_ctes_kh0H_SomeD)
   apply (elim disjE, simp_all)[1]
     apply clarsimp
     apply (clarsimp simp: kh0H_all_obj_def' to_bl_use_of_bl the_nat_to_bl_simps cte_level_bits_def ucast_shiftr_13E s0_ptrs_aligned split: if_split_asm)
    apply clarsimp
    apply (clarsimp simp: kh0H_all_obj_def' to_bl_use_of_bl the_nat_to_bl_simps cte_level_bits_def ucast_shiftr_13E ucast_shiftr_3 ucast_shiftr_2 s0_ptrs_aligned split: if_split_asm)
   apply clarsimp
   apply (clarsimp simp: kh0H_all_obj_def' to_bl_use_of_bl the_nat_to_bl_simps cte_level_bits_def ucast_shiftr_13E ucast_shiftr_3 ucast_shiftr_2 s0_ptrs_aligned split: if_split_asm)
  apply (clarsimp simp: mdb_prev_def map_to_ctes_kh0H_dom)
  apply (elim disjE, simp_all add: kh0H_all_obj_def')
  done

lemma mdb_next_trancl_s0H:
  "p' \<noteq> 0 \<Longrightarrow> map_to_ctes kh0H \<turnstile> p \<leadsto>\<^sup>+ p' =
     (p = Low_cnode_ptr + 0x13E0 \<and> p' = Silc_cnode_ptr + 0x13E0 \<or>
     p = Silc_cnode_ptr + 0x13E0 \<and> p' = High_cnode_ptr + 0x13E0 \<or>
     p = Low_cnode_ptr + 0x13E0 \<and> p' = High_cnode_ptr + 0x13E0 \<or>
     p = Low_tcb_ptr \<and> p' = Low_cnode_ptr + 0x20 \<or>
     p = Low_tcb_ptr + 0x10 \<and> p' = Low_cnode_ptr + 0x30 \<or>
     p = High_tcb_ptr \<and> p' = High_cnode_ptr + 0x20 \<or>
     p = High_tcb_ptr + 0x10 \<and> p' = High_cnode_ptr + 0x30)"
  apply (rule iffI)
   apply (erule converse_trancl_induct)
    apply (clarsimp simp: mdb_next_s0H)
   apply (elim disjE, simp_all add: mdb_next_s0H s0_ptr_defs)[1]
  apply (elim disjE)
        apply (rule r_into_trancl, simp add: mdb_next_s0H)
       apply (rule r_into_trancl, simp add: mdb_next_s0H)
      apply (rule r_r_into_trancl[where b="Silc_cnode_ptr + 0x13E0"])
       apply (simp add: mdb_next_s0H s0_ptr_defs)
      apply (simp add: mdb_next_s0H)
     apply (rule r_into_trancl, simp add: mdb_next_s0H)+
     done

lemma mdb_next_rtrancl_not_0_s0H:
  "\<lbrakk>map_to_ctes kh0H \<turnstile> p \<leadsto>\<^sup>* p'; p' \<noteq> 0\<rbrakk> \<Longrightarrow> p \<noteq> 0"
  apply (drule rtranclD)
  apply clarsimp
  apply (simp add: mdb_next_trancl_s0H s0_ptr_defs)
  done

lemma sameRegionAs_s0H:
  "\<lbrakk>map_to_ctes kh0H p = Some (CTE cap mdb); map_to_ctes kh0H p' = Some (CTE cap' mdb');
    sameRegionAs cap cap'; p \<noteq> p'\<rbrakk>
    \<Longrightarrow> (p = Low_cnode_ptr + 0x13E0 \<and>
          (p' = Silc_cnode_ptr + 0x13E0 \<or> p' = High_cnode_ptr + 0x13E0) \<or>
       p = Silc_cnode_ptr + 0x13E0 \<and>
          (p' = Low_cnode_ptr + 0x13E0 \<or> p' = High_cnode_ptr + 0x13E0) \<or>
       p = High_cnode_ptr + 0x13E0 \<and>
          (p' = Low_cnode_ptr + 0x13E0 \<or> p' = Silc_cnode_ptr + 0x13E0) \<or>
       p = Low_tcb_ptr \<and> p' = Low_cnode_ptr + 0x20 \<or>
       p = Low_cnode_ptr + 0x20 \<and> p' = Low_tcb_ptr \<or>
       p = Low_tcb_ptr + 0x10 \<and> p' = Low_cnode_ptr + 0x30 \<or>
       p = Low_cnode_ptr + 0x30 \<and> p' = Low_tcb_ptr + 0x10 \<or>
       p = High_tcb_ptr \<and> p' = High_cnode_ptr + 0x20 \<or>
       p = High_cnode_ptr + 0x20 \<and> p' = High_tcb_ptr \<or>
       p = High_tcb_ptr + 0x10 \<and> p' = High_cnode_ptr + 0x30 \<or>
       p = High_cnode_ptr + 0x30 \<and> p' = High_tcb_ptr + 0x10)"
  supply option.case_cong[cong] if_cong[cong]
  apply (frule_tac x=p in map_to_ctes_kh0H_SomeD)
  apply (elim disjE, simp_all)
          apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
          apply (elim disjE, simp_all add: sameRegionAs_def isCap_simps)[1]
             apply (simp add: s0_ptr_defs)
            apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
           apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
          apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_2 s0_ptrs_aligned split: if_split_asm)
         apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
         apply (elim disjE, simp_all add: sameRegionAs_def ARM_H.sameRegionAs_def isCap_simps)[1]
            apply (simp add: s0_ptr_defs)
           apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
          apply (clarsimp simp: ARM_H.sameRegionAs_def isCap_simps kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
         apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_3 s0_ptrs_aligned split: if_split_asm)
        apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
        apply (elim disjE, simp_all add: sameRegionAs_def isCap_simps)[1]
          apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
         apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
        apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
       apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
       apply (elim disjE, simp_all add: sameRegionAs_def isCap_simps)[1]
          apply (simp add: s0_ptr_defs)
         apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
        apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_2 s0_ptrs_aligned split: if_split_asm)
       apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
      apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
      apply (elim disjE, simp_all add: sameRegionAs_def ARM_H.sameRegionAs_def isCap_simps)[1]
         apply (simp add: s0_ptr_defs)
        apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
       apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_3 s0_ptrs_aligned split: if_split_asm)
      apply (clarsimp simp: ARM_H.sameRegionAs_def isCap_simps kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
     apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
     apply (elim disjE, simp_all add: sameRegionAs_def isCap_simps)[1]
       apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
      apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
     apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
    apply (clarsimp simp: kh0H_all_obj_def' split: if_split_asm)
     apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
     apply (elim disjE, simp_all add: sameRegionAs_def isCap_simps)[1]
       apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps split: if_split_asm)
       apply (drule(2) ucast_shiftr_13E)
         apply (rule s0_ptrs_aligned)
        apply simp
       apply (drule(2) ucast_shiftr_13E)
         apply (rule s0_ptrs_aligned)
        apply simp
       apply clarsimp
      apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_13E s0_ptrs_aligned split: if_split_asm)
     apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_13E s0_ptrs_aligned split: if_split_asm)
    apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
    apply (elim disjE, simp_all add: sameRegionAs_def isCap_simps)[1]
      apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps split: if_split_asm)
      apply (drule(2) ucast_shiftr_2)
        apply (rule s0_ptrs_aligned)
       apply simp
      apply (drule(2) ucast_shiftr_2)
        apply (rule s0_ptrs_aligned)
       apply simp
      apply clarsimp
     apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
    apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
   apply (clarsimp simp: kh0H_all_obj_def' split: if_split_asm)
      apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
      apply (elim disjE, simp_all add: sameRegionAs_def isCap_simps)[1]
        apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_13E s0_ptrs_aligned split: if_split_asm)
       apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps split: if_split_asm)
       apply (drule(2) ucast_shiftr_13E)
         apply (rule s0_ptrs_aligned)
        apply simp
       apply (drule(2) ucast_shiftr_13E)
         apply (rule s0_ptrs_aligned)
        apply simp
       apply clarsimp
      apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_13E s0_ptrs_aligned split: if_split_asm)
     apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
     apply (elim disjE, simp_all add: sameRegionAs_def ARM_H.sameRegionAs_def isCap_simps)[1]
        apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_3 s0_ptrs_aligned split: if_split_asm)
       apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
      apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps split: if_split_asm)
      apply (drule(2) ucast_shiftr_3)
        apply (rule s0_ptrs_aligned)
       apply simp
      apply (drule(2) ucast_shiftr_3)
        apply (rule s0_ptrs_aligned)
       apply simp
      apply clarsimp
     apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps split: if_split_asm)
     apply (drule(2) ucast_shiftr_3)
       apply (rule s0_ptrs_aligned)
      apply simp
     apply (drule(2) ucast_shiftr_3)
       apply (rule s0_ptrs_aligned)
      apply simp
     apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps s0_ptrs_aligned ARM_H.sameRegionAs_def isCap_simps split: if_split_asm)
    apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
    apply (elim disjE, simp_all add: sameRegionAs_def isCap_simps)[1]
       apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_2 s0_ptrs_aligned split: if_split_asm)
      apply (clarsimp simp: kh0H_all_obj_def' s0_ptr_defs split: if_split_asm)
     apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps split: if_split_asm)
     apply (drule(2) ucast_shiftr_2)
       apply (rule s0_ptrs_aligned)
      apply simp
     apply (drule(2) ucast_shiftr_2)
       apply (rule s0_ptrs_aligned)
      apply simp
     apply clarsimp
    apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps split: if_split_asm)
   apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
   apply (elim disjE, simp_all add: sameRegionAs_def isCap_simps)[1]
     apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps s0_ptrs_aligned split: if_split_asm)
    apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps split: if_split_asm)
    apply (drule(2) ucast_shiftr_1)
      apply (rule s0_ptrs_aligned)
     apply simp
    apply (drule(2) ucast_shiftr_1)
      apply (rule s0_ptrs_aligned)
     apply simp
    apply clarsimp
   apply (clarsimp simp: kh0H_all_obj_def' split: if_split_asm)
  apply (clarsimp simp: kh0H_all_obj_def' split: if_split_asm)
     apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
     apply (elim disjE, simp_all add: sameRegionAs_def isCap_simps)[1]
       apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_13E s0_ptrs_aligned split: if_split_asm)
      apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_13E s0_ptrs_aligned split: if_split_asm)
     apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps split: if_split_asm)
     apply (drule(2) ucast_shiftr_13E)
       apply (rule s0_ptrs_aligned)
      apply simp
     apply (drule(2) ucast_shiftr_13E)
       apply (rule s0_ptrs_aligned)
      apply simp
     apply clarsimp
    apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
    apply (elim disjE, simp_all add: sameRegionAs_def ARM_H.sameRegionAs_def isCap_simps)[1]
        apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_3 s0_ptrs_aligned split: if_split_asm)
       apply (clarsimp simp: kh0H_all_obj_def' split: if_split_asm)
      apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_3 s0_ptrs_aligned split: if_split_asm)
     apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_3 s0_ptrs_aligned ARM_H.sameRegionAs_def isCap_simps split: if_split_asm)
    apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_3 s0_ptrs_aligned split: if_split_asm)
    apply (drule(2) ucast_shiftr_3)
      apply (rule s0_ptrs_aligned)
     apply simp
    apply (drule(2) ucast_shiftr_3)
      apply (rule s0_ptrs_aligned)
     apply simp
    apply clarsimp
   apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
   apply (elim disjE, simp_all add: sameRegionAs_def isCap_simps)[1]
      apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_2 s0_ptrs_aligned split: if_split_asm)
     apply (clarsimp simp: kh0H_all_obj_def' split: if_split_asm)
    apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_2 s0_ptrs_aligned split: if_split_asm)
   apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_2 s0_ptrs_aligned split: if_split_asm)
   apply (drule(2) ucast_shiftr_2)
     apply (rule s0_ptrs_aligned)
    apply simp
   apply (drule(2) ucast_shiftr_2)
     apply (rule s0_ptrs_aligned)
    apply simp
   apply clarsimp
  apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
  apply (elim disjE, simp_all add: sameRegionAs_def isCap_simps)[1]
    apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_1 s0_ptrs_aligned split: if_split_asm)
   apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_1 s0_ptrs_aligned split: if_split_asm)
  apply (clarsimp simp: kh0H_all_obj_def' cte_level_bits_def to_bl_use_of_bl the_nat_to_bl_simps ucast_shiftr_1 s0_ptrs_aligned split: if_split_asm)
  apply (drule(2) ucast_shiftr_1)
    apply (rule s0_ptrs_aligned)
   apply simp
  apply (drule(2) ucast_shiftr_1)
    apply (rule s0_ptrs_aligned)
   apply simp
  apply clarsimp
  done

lemma mdb_prevI:
  "m p = Some c \<Longrightarrow> m \<turnstile> mdbPrev (cteMDBNode c) \<leftarrow> p"
  by (simp add: mdb_prev_def)

lemma mdb_nextI:
  "m p = Some c \<Longrightarrow> m \<turnstile> p \<leadsto> mdbNext (cteMDBNode c)"
  by (simp add: mdb_next_unfold)

lemma s0H_valid_pspace':
  notes pdeBits_def[simp] pteBits_def[simp] objBits_defs[simp]
  assumes "1 \<le> maxDomain"
  shows "valid_pspace' s0H_internal"
  using assms
  supply option.case_cong[cong] if_cong[cong]
  apply (clarsimp simp: valid_pspace'_def s0H_pspace_distinct' s0H_valid_objs')
  apply (intro conjI)
    apply (clarsimp simp: pspace_aligned'_def)
    apply (drule kh0H_SomeD)
    apply (elim disjE, simp_all add: s0_ptr_defs is_aligned_def kh0H_all_obj_def objBitsKO_def pageBits_def archObjSize_def irq_node_offs_range_def cte_level_bits_def cnode_offs_range_def pd_offs_range_def pt_offs_range_def)[1]
   apply (clarsimp simp: no_0_obj'_def)
   apply (rule ccontr)
   apply clarsimp
   apply (drule kh0H_SomeD)
   apply (simp add: s0_ptr_defs irq_node_offs_range_def cnode_offs_range_def pd_offs_range_def pt_offs_range_def)
  apply (simp add: valid_mdb'_def)
  apply (clarsimp simp: valid_mdb_ctes_def)
  apply (intro conjI)
               apply (clarsimp simp: valid_dlist_def3)
               apply (rule conjI)
                apply (clarsimp simp: mdb_next_s0H)
                apply (subst mdb_prev_s0H)
                 apply (fastforce simp: s0_ptr_defs)
                apply simp
               apply (clarsimp simp: mdb_prev_s0H)
               apply (subst mdb_next_s0H)
                apply (fastforce simp: s0_ptr_defs)
               apply simp
              apply (clarsimp simp: no_0_def)
              apply (rule ccontr)
              apply clarsimp
              apply (drule map_to_ctes_kh0H_SomeD)
              apply (elim disjE, (clarsimp simp: s0_ptr_defs irq_node_offs_range_def cnode_offs_range_def)+)[1]
             apply (clarsimp simp: mdb_chain_0_def)
             apply (frule map_to_ctes_kh0H_SomeD)
             apply (elim disjE)
                                apply ((erule r_into_trancl[OF next_fold], clarsimp)+)[5]
                           apply (rule r_r_into_trancl)
                            apply (erule next_fold)
                            apply simp
                           apply (rule next_fold)
                            apply simp
                           apply simp
                          apply (rule r_r_into_trancl)
                           apply (erule next_fold)
                           apply simp
                          apply (rule next_fold)
                           apply simp
                          apply simp
                         apply ((erule r_into_trancl[OF next_fold], clarsimp)+)[3]
                      apply (rule r_r_into_trancl)
                       apply (erule next_fold)
                       apply simp
                      apply (rule next_fold)
                       apply simp
                      apply simp
                     apply (rule r_r_into_trancl)
                      apply (erule next_fold)
                      apply simp
                     apply (rule next_fold)
                      apply simp
                     apply simp
                    apply ((erule r_into_trancl[OF next_fold], clarsimp)+)[5]
               apply (clarsimp simp: Silc_cte_cte_def cnode_offs_range_def Silc_cte'_def Silc_capsH_def empty_cte_def split: if_split_asm)
                 apply (rule r_r_into_trancl)
                  apply (erule next_fold)
                  apply simp
                 apply (rule next_fold)
                  apply simp
                 apply simp
                apply (erule r_into_trancl[OF next_fold], simp)
               apply (erule r_into_trancl[OF next_fold], simp)
              apply (clarsimp simp: High_cte_cte_def cnode_offs_range_def High_cte'_def High_capsH_def empty_cte_def split: if_split_asm)
                  apply ((erule r_into_trancl[OF next_fold], clarsimp)+)[5]
             apply (clarsimp simp: Low_cte_cte_def cnode_offs_range_def Low_cte'_def Low_capsH_def empty_cte_def split: if_split_asm)
                 apply (rule trancl_into_trancl2)
                  apply (erule next_fold)
                  apply simp
                 apply (rule r_r_into_trancl)
                  apply (rule next_fold)
                   apply simp
                  apply simp
                 apply (rule next_fold)
                  apply simp
                 apply simp
                apply (erule r_into_trancl[OF next_fold], simp)+
            apply (clarsimp simp: valid_badges_def)
            apply (frule_tac x=p in map_to_ctes_kh0H_SomeD)
            apply (elim disjE, (clarsimp simp: kh0H_all_obj_def Low_cte_cte_def High_cte_cte_def Silc_cte_cte_def isCap_simps cnode_offs_range_def split: if_split_asm)+)[1]
              apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
              apply (elim disjE, (clarsimp simp: kh0H_all_obj_def Low_cte_cte_def High_cte_cte_def Silc_cte_cte_def isCap_simps cnode_offs_range_def sameRegionAs_def split: if_split_asm)+)[1]
             apply (intro conjI impI)
              apply (clarsimp simp: High_cte_cte_def kh0H_all_obj_def isCap_simps split: if_split_asm)
             apply (drule(1) sameRegion_ntfn)
             apply (clarsimp simp: High_cte_cte_def kh0H_all_obj_def isCap_simps split: if_split_asm)
             apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
             apply (elim disjE, (clarsimp simp: kh0H_all_obj_def High_cte_cte_def Low_cte_cte_def Silc_cte_cte_def split: if_split_asm)+)[1]
            apply (intro conjI impI)
             apply (clarsimp simp: Low_cte_cte_def kh0H_all_obj_def isCap_simps split: if_split_asm)
            apply (drule(1) sameRegion_ntfn)
            apply (clarsimp simp: Low_cte_cte_def kh0H_all_obj_def isCap_simps split: if_split_asm)
            apply (frule_tac x=p' in map_to_ctes_kh0H_SomeD)
            apply (elim disjE, (clarsimp simp: kh0H_all_obj_def High_cte_cte_def Low_cte_cte_def Silc_cte_cte_def split: if_split_asm)+)[1]
           apply (clarsimp simp: caps_contained'_def)
           apply (drule_tac x=p in map_to_ctes_kh0H_SomeD)
           apply (elim disjE, simp_all)[1]
             apply (clarsimp simp: Silc_cte_cte_def kh0H_all_obj_def split: if_split_asm)
            apply (clarsimp simp: High_cte_cte_def kh0H_all_obj_def split: if_split_asm)
           apply (clarsimp simp: Low_cte_cte_def kh0H_all_obj_def split: if_split_asm)
          apply (clarsimp simp: mdb_chunked_def)
          apply (frule(3) sameRegionAs_s0H)
          apply (clarsimp simp: conj_disj_distribL)
          apply (subst mdb_next_trancl_s0H, fastforce simp: s0_ptr_defs)+
          apply (elim disjE, simp_all)[1]
             apply (((rule conjI[rotated], fastforce simp: s0_ptr_defs
                   | simp only: conj_assoc[symmetric], rule conjI, fastforce simp: s0_ptr_defs),
                      clarsimp simp: is_chunk_def,
                      drule mdb_next_rtrancl_not_0_s0H, fastforce simp: s0_ptr_defs,
                      clarsimp simp: mdb_next_trancl_s0H,
                      (elim disjE, simp_all add: sameRegionAs_def isCap_simps kh0H_all_obj_def',
                          (fastforce simp: s0_ptr_defs)+)[1])+)[14]
         apply (clarsimp simp: untyped_mdb'_def)
         apply (drule_tac x=p in map_to_ctes_kh0H_SomeD)
         apply (elim disjE, simp_all add: isCap_simps kh0H_all_obj_def')[1]
           apply ((clarsimp split: if_split_asm)+)[3]
        apply (clarsimp simp: untyped_inc'_def)
        apply (rule FalseE)
        apply (drule_tac x=p in map_to_ctes_kh0H_SomeD)
        apply (elim disjE, simp_all add: isCap_simps kh0H_all_obj_def')[1]
          apply ((clarsimp split: if_split_asm)+)[3]
       apply (clarsimp simp: valid_nullcaps_def)
       apply (drule map_to_ctes_kh0H_SomeD)
       apply (elim disjE, simp_all add: kh0H_all_obj_def' nullMDBNode_def)
         apply ((clarsimp split: if_split_asm)+)[3]
      apply (clarsimp simp: ut_revocable'_def)
      apply (drule map_to_ctes_kh0H_SomeD)
      apply (elim disjE, simp_all add: isCap_simps kh0H_all_obj_def')[1]
        apply ((clarsimp split: if_split_asm)+)[3]
     apply (clarsimp simp: class_links_def)
     apply (subst(asm) mdb_next_s0H)
      apply (drule_tac x=p' in map_to_ctes_kh0H_SomeD)
      apply (elim disjE, (clarsimp simp: s0_ptr_defs irq_node_offs_range_def cnode_offs_range_def)+)[1]
     apply (elim disjE, (clarsimp simp: kh0H_all_obj_def')+)[1]
    apply (clarsimp simp: distinct_zombies_def distinct_zombie_caps_def)
    apply (drule_tac x=ptr in map_to_ctes_kh0H_SomeD)
    apply (elim disjE, simp_all add: isCap_simps kh0H_all_obj_def')[1]
      apply ((clarsimp split: if_split_asm)+)[3]
   apply (clarsimp simp: irq_control_def)
   apply (drule map_to_ctes_kh0H_SomeD)
   apply (elim disjE, simp_all add: isCap_simps kh0H_all_obj_def')[1]
     apply ((clarsimp split: if_split_asm)+)[3]
  apply (clarsimp simp: reply_masters_rvk_fb_def ran_def)
  apply (frule map_to_ctes_kh0H_SomeD)
  apply (elim disjE, simp_all add: isCap_simps kh0H_all_obj_def')[1]
    apply ((clarsimp split: if_split_asm)+)[3]
    done

end

(* Instantiate the current, abstract domain scheduler into the
   concrete scheduler required for this example *)
axiomatization  where
  newKSDomSched: "newKSDomSchedule = [(0,0xA), (1, 0xA)]"

axiomatization where
  newKSDomainTime: "newKSDomainTime = 5"

(* kernel_data_refs is an undefined constant at the moment, and therefore
   cannot be referred to in valid_global_refs' and pspace_domain_valid.
   We use an axiomatization for the moment. *)
axiomatization  where
  kdr_valid_global_refs': "valid_global_refs' s0H_internal" and
  kdr_pspace_domain_valid: "pspace_domain_valid s0H_internal"

context begin interpretation Arch . (*FIXME: arch_split*)

lemma s0H_invs:
  assumes "1 \<le> maxDomain"
  notes pdeBits_def[simp] pteBits_def[simp] objBits_defs[simp]
  shows "invs' s0H_internal"
  using assms
  supply option.case_cong[cong] if_cong[cong]
  apply (clarsimp simp: invs'_def valid_state'_def s0H_valid_pspace')
  apply (rule conjI)
   apply (clarsimp simp: sch_act_wf_def s0H_internal_def ct_in_state'_def st_tcb_at'_def obj_at'_def projectKO_eq project_inject objBitsKO_def s0_ptrs_aligned Low_tcbH_def)
   apply (rule pspace_distinctD''[OF _ s0H_pspace_distinct', simplified s0H_internal_def])
   apply (simp add: objBitsKO_def)
  apply (rule conjI)
   apply (clarsimp simp: valid_queues_def valid_queues_no_bitmap_def bitmapQ_defs s0H_internal_def)
  apply (rule conjI)
   apply (clarsimp simp: sym_refs_def state_refs_of'_def refs_of'_def split: option.splits)
   apply (frule kh0H_SomeD)
   apply (elim disjE, simp_all)[1]
              apply (clarsimp simp: tcb_st_refs_of'_def idle_tcbH_def)
             apply (clarsimp simp: tcb_st_refs_of'_def High_tcbH_def)
             apply (rule conjI)
              apply (clarsimp simp: ntfnH_def)
             apply (clarsimp simp: objBitsKO_def ntfnH_def)
             apply (erule impE, simp add: is_aligned_def s0_ptr_defs)
             apply (erule notE, rule pspace_distinctD''[OF _ s0H_pspace_distinct'])
             apply (simp add: objBitsKO_def ntfnH_def)
            apply (clarsimp simp: tcb_st_refs_of'_def Low_tcbH_def)
           apply (clarsimp simp: ntfnH_def ntfn_q_refs_of'_def)
           apply (rule conjI)
            apply (clarsimp simp: tcb_st_refs_of'_def High_tcbH_def)
           apply (clarsimp simp: objBitsKO_def s0_ptrs_aligned)
           apply (erule notE, rule pspace_distinctD''[OF _ s0H_pspace_distinct'])
           apply (simp add: objBitsKO_def)
          apply (clarsimp simp: irq_cte_def)
          apply (clarsimp simp: Low_cte_def Low_cte'_def split: if_split_asm)
         apply (clarsimp simp: High_cte_def High_cte'_def split: if_split_asm)
        apply (clarsimp simp: Silc_cte_def Silc_cte'_def split: if_split_asm)
       apply (clarsimp simp: global_pdH'_def)
      apply (clarsimp simp: High_pdH_def)
     apply (clarsimp simp: Low_pdH_def)
    apply (clarsimp simp: High_ptH_def)
   apply (clarsimp simp: Low_ptH_def)
  apply (rule conjI)
   apply (clarsimp simp: if_live_then_nonz_cap'_def ko_wp_at'_def)
   apply (drule kh0H_SomeD)
   apply (elim disjE, simp_all add: kh0H_all_obj_def' objBitsKO_def)[1]
             apply (clarsimp simp: ex_nonz_cap_to'_def cte_wp_at_ctes_of)
             apply (rule_tac x="High_cnode_ptr + 0x10" in exI)
             apply (clarsimp simp: kh0H_all_obj_def')
            apply (clarsimp simp: ex_nonz_cap_to'_def cte_wp_at_ctes_of)
            apply (rule_tac x="Low_cnode_ptr + 0x10" in exI)
            apply (clarsimp simp: kh0H_all_obj_def')
           apply (clarsimp simp: ex_nonz_cap_to'_def cte_wp_at_ctes_of)
           apply (rule_tac x="Silc_cnode_ptr + 0x13E0" in exI)
           apply (clarsimp simp: kh0H_all_obj_def')
          apply (clarsimp split: if_split_asm)+
  apply (rule conjI)
   apply (clarsimp simp: if_unsafe_then_cap'_def ex_cte_cap_wp_to'_def cte_wp_at_ctes_of)
   apply (frule map_to_ctes_kh0H_SomeD)
   apply (elim disjE, simp_all add: kh0H_all_obj_def')[1]
           apply (rule_tac x="Low_cnode_ptr + 0x10" in exI)
           apply (clarsimp simp: kh0H_all_obj_def' image_def)
          apply (rule_tac x="Low_cnode_ptr + 0x10" in exI)
          apply (clarsimp simp: kh0H_all_obj_def' image_def)
         apply (rule_tac x="Low_cnode_ptr + 0x10" in exI)
         apply (clarsimp simp: kh0H_all_obj_def' image_def)
        apply (rule_tac x="High_cnode_ptr + 0x10" in exI)
        apply (clarsimp simp: kh0H_all_obj_def' image_def)
       apply (rule_tac x="High_cnode_ptr + 0x10" in exI)
       apply (clarsimp simp: kh0H_all_obj_def' image_def)
      apply (rule_tac x="High_cnode_ptr + 0x10" in exI)
      apply (clarsimp simp: kh0H_all_obj_def' image_def)
     apply (rule_tac x="Silc_cnode_ptr + 0x20" in exI)
     apply (clarsimp simp: kh0H_all_obj_def' image_def to_bl_use_of_bl cte_level_bits_def the_nat_to_bl_simps split: if_split_asm)
      apply (drule(2) ucast_shiftr_13E, rule s0_ptrs_aligned, simp)
      apply (rule_tac x="0x13E" in bexI)
       apply simp
      apply simp
     apply (drule(2) ucast_shiftr_2, rule s0_ptrs_aligned, simp)
     apply (rule_tac x=2 in bexI)
      apply simp
     apply simp
    apply (rule_tac x="High_cnode_ptr + 0x20" in exI)
    apply (clarsimp simp: kh0H_all_obj_def' image_def to_bl_use_of_bl cte_level_bits_def the_nat_to_bl_simps split: if_split_asm)
       apply (drule(2) ucast_shiftr_13E, rule s0_ptrs_aligned, simp)
       apply (rule_tac x="0x13E" in bexI)
        apply simp
       apply simp
      apply (drule(2) ucast_shiftr_3, rule s0_ptrs_aligned, simp)
      apply (rule_tac x=3 in bexI)
       apply simp
      apply simp
     apply (drule(2) ucast_shiftr_2, rule s0_ptrs_aligned, simp)
     apply (rule_tac x=2 in bexI)
      apply simp
     apply simp
    apply (drule(2) ucast_shiftr_1, rule s0_ptrs_aligned, simp)
    apply (rule_tac x=1 in bexI)
     apply simp
    apply simp
   apply (rule_tac x="Low_cnode_ptr + 0x20" in exI)
   apply (clarsimp simp: kh0H_all_obj_def' image_def to_bl_use_of_bl cte_level_bits_def the_nat_to_bl_simps split: if_split_asm)
      apply (drule(2) ucast_shiftr_13E, rule s0_ptrs_aligned, simp)
      apply (rule_tac x="0x13E" in bexI)
       apply simp
      apply simp
     apply (drule(2) ucast_shiftr_3, rule s0_ptrs_aligned, simp)
     apply (rule_tac x=3 in bexI)
      apply simp
     apply simp
    apply (drule(2) ucast_shiftr_2, rule s0_ptrs_aligned, simp)
    apply (rule_tac x=2 in bexI)
     apply simp
    apply simp
   apply (drule(2) ucast_shiftr_1, rule s0_ptrs_aligned, simp)
   apply (rule_tac x=1 in bexI)
    apply simp
   apply simp
  apply (rule conjI)
   apply (clarsimp simp: valid_idle'_def pred_tcb_at'_def obj_at'_def projectKO_eq project_inject
                         objBitsKO_def idle_tcb'_def)
   apply (clarsimp simp: s0H_internal_def s0_ptrs_aligned idle_tcbH_def)
   apply (rule conjI)
    apply (rule pspace_distinctD''[OF _ s0H_pspace_distinct', simplified s0H_internal_def])
    apply (simp add: objBitsKO_def)
   apply (clarsimp simp: idle_tcb_ptr_def idle_thread_ptr_def)
  apply (rule conjI)
   apply (clarsimp simp: kdr_valid_global_refs') (* use axiomatization for now *)
  apply (rule conjI)
   apply (clarsimp simp: valid_arch_state'_def)
   apply (intro conjI)
        apply (clarsimp simp: s0H_internal_def arch_state0H_def objBitsKO_def pageBits_def)
         apply (clarsimp simp: s0_ptr_defs is_aligned_def)
        apply (cut_tac s0H_pspace_distinct')[1]
        apply (simp add: s0H_internal_def arch_state0H_def)
       apply (clarsimp simp: valid_asid_table'_def s0H_internal_def arch_state0H_def)
      apply (clarsimp simp: page_directory_at'_def s0H_internal_def arch_state0H_def pdBits_def pageBits_def s0_ptrs_aligned)
      apply (clarsimp simp: typ_at'_def ko_wp_at'_def)
      apply (drule less_t2n_ex_ucast[where n=12 and 'b=12, simplified])
      apply clarsimp
      apply (cut_tac x=ya in pd_offs_in_range(3))
      apply (clarsimp simp: global_pdH'_def objBitsKO_def archObjSize_def pd_offs_range_def)
      apply (rule pspace_distinctD'')
       apply (simp add: objBitsKO_def archObjSize_def global_pdH'_def)
      apply (cut_tac s0H_pspace_distinct')[1]
      apply (simp add: s0H_internal_def arch_state0H_def)
     apply (clarsimp simp: valid_global_pts'_def s0H_internal_def arch_state0H_def)
    apply (clarsimp simp: is_inv_def s0H_internal_def arch_state0H_def)
   apply (clarsimp simp: valid_asid_map'_def s0H_internal_def arch_state0H_def)
  apply (rule conjI)
   apply (clarsimp simp: valid_irq_node'_def)
   apply (rule conjI)
    apply (clarsimp simp: s0H_internal_def is_aligned_def s0_ptr_defs word_size)
   apply (clarsimp simp: obj_at'_def projectKO_eq project_inject objBitsKO_def s0H_internal_def
                         shiftl_t2n[where n=4, simplified, symmetric]
                          kh0H_simps(1)[simplified cte_level_bits_def])
   apply (rule conjI)
    apply (rule is_aligned_add)
     apply (simp add: is_aligned_def s0_ptr_defs)
    apply (rule is_aligned_shift)
   apply (rule pspace_distinctD''[OF _ s0H_pspace_distinct', simplified s0H_internal_def])
   apply (simp add: objBitsKO_def kh0H_simps(1)[simplified cte_level_bits_def])
  apply (rule conjI)
   apply (clarsimp simp: valid_irq_handlers'_def cteCaps_of_def ran_def)
   apply (drule_tac map_to_ctes_kh0H_SomeD)
   apply (elim disjE, simp_all add: kh0H_all_obj_def')[1]
     apply ((clarsimp split: if_split_asm)+)[3]
  apply (rule conjI)
   apply (clarsimp simp: valid_irq_states'_def s0H_internal_def machine_state0_def)
  apply (rule conjI)
   apply (clarsimp simp: valid_machine_state'_def s0H_internal_def machine_state0_def)
  apply (rule conjI)
   apply (clarsimp simp: irqs_masked'_def s0H_internal_def maxIRQ_def timer_irq_def)
  apply (rule conjI)
   apply (clarsimp simp: valid_queues'_def obj_at'_def projectKO_eq project_inject s0H_internal_def inQ_def)
   apply (frule kh0H_dom_tcb)
   apply (elim disjE, (clarsimp simp: kh0H_obj_def)+)[1]
  apply (rule conjI)
   apply (clarsimp simp: ct_not_inQ_def obj_at'_def projectKO_eq project_inject s0H_internal_def objBitsKO_def s0_ptrs_aligned Low_tcbH_def)
   apply (rule pspace_distinctD''[OF _ s0H_pspace_distinct', simplified s0H_internal_def])
   apply (simp add: objBitsKO_def)
(*   apply (simp add: objBitsKO_def kh0H_simps[simplified cte_level_bits_def])*)
  apply (rule conjI)
   apply (clarsimp simp: ct_idle_or_in_cur_domain'_def obj_at'_def projectKO_eq project_inject tcb_in_cur_domain'_def s0H_internal_def Low_tcbH_def Low_domain_def objBitsKO_def s0_ptrs_aligned)
   apply (rule pspace_distinctD''[OF _ s0H_pspace_distinct', simplified s0H_internal_def])
   apply (simp add: objBitsKO_def)
(*   apply (simp add: objBitsKO_def kh0H_simps[simplified cte_level_bits_def])*)
  apply (rule conjI)
   apply (clarsimp simp: valid_pde_mappings'_def obj_at'_def projectKO_eq project_inject)
   apply (drule kh0H_SomeD)
   apply (elim disjE, simp_all add: kh0H_all_obj_def High_pd'H_def Low_pd'H_def)[1]
          apply (clarsimp split: if_split_asm)+
       apply (clarsimp simp: objBitsKO_def archObjSize_def valid_pde_mapping_offset'_def pd_asid_slot_def pdBits_def pageBits_def)
       apply (cut_tac x="x - init_global_pd >> 2" and n=12 and 'a=12 in ucast_mask_drop)
        apply simp
       apply (subst(asm) shiftr_then_mask_commute)
       apply simp
       apply (subst(asm) mask_eqs(4)[symmetric])
       apply (subst(asm) is_aligned_mask[where w="init_global_pd", THEN iffD1])
        apply (simp add: s0_ptrs_aligned)
       apply (simp add: kernel_base_def)
      apply (clarsimp simp: objBitsKO_def archObjSize_def valid_pde_mapping_offset'_def pd_asid_slot_def pdBits_def pageBits_def split: if_split_asm)
       apply (cut_tac x="x - High_pd_ptr >> 2" and n=12 and 'a=12 in ucast_mask_drop)
        apply simp
       apply (subst(asm) shiftr_then_mask_commute)
       apply simp
       apply (subst(asm) mask_eqs(4)[symmetric])
       apply (subst(asm) is_aligned_mask[where w="High_pd_ptr", THEN iffD1])
        apply (simp add: s0_ptrs_aligned)
       apply (simp add: kernel_base_def)
      apply (cut_tac x="x - High_pd_ptr >> 2" and n=12 and 'a=12 in ucast_mask_drop)
       apply simp
      apply (subst(asm) shiftr_then_mask_commute)
      apply simp
      apply (subst(asm) mask_eqs(4)[symmetric])
      apply (subst(asm) is_aligned_mask[where w="High_pd_ptr", THEN iffD1])
       apply (simp add: s0_ptrs_aligned)
      apply (simp add: kernel_base_def)
     apply (clarsimp simp: objBitsKO_def archObjSize_def valid_pde_mapping_offset'_def pd_asid_slot_def pdBits_def pageBits_def split: if_split_asm)
      apply (cut_tac x="x - Low_pd_ptr >> 2" and n=12 and 'a=12 in ucast_mask_drop)
       apply simp
      apply (subst(asm) shiftr_then_mask_commute)
      apply simp
      apply (subst(asm) mask_eqs(4)[symmetric])
      apply (subst(asm) is_aligned_mask[where w="Low_pd_ptr", THEN iffD1])
       apply (simp add: s0_ptrs_aligned)
      apply (simp add: kernel_base_def)
     apply (cut_tac x="x - Low_pd_ptr >> 2" and n=12 and 'a=12 in ucast_mask_drop)
      apply simp
     apply (subst(asm) shiftr_then_mask_commute)
     apply simp
     apply (subst(asm) mask_eqs(4)[symmetric])
     apply (subst(asm) is_aligned_mask[where w="Low_pd_ptr", THEN iffD1])
      apply (simp add: s0_ptrs_aligned)
     apply (simp add: kernel_base_def)
    apply (clarsimp split: if_split_asm)
   apply (clarsimp split: if_split_asm)
  apply (rule conjI)
   apply (clarsimp simp: kdr_pspace_domain_valid) (* use axiomatization for now *)
  (* unfold s0H_internal for remaining goals *)
  apply (clarsimp simp: s0H_internal_def cteCaps_of_def
                        untyped_ranges_zero_inv_def
                        dschDomain_def dschLength_def)
  apply (clarsimp simp: newKernelState_def newKSDomSched)
  apply (clarsimp simp: cur_tcb'_def obj_at'_def projectKO_eq project_inject s0H_internal_def objBitsKO_def s0_ptrs_aligned)
  apply (rule pspace_distinctD''[OF _ s0H_pspace_distinct', simplified s0H_internal_def])
  apply (simp add: objBitsKO_def)
  done

lemma kh0_pspace_dom:
  "pspace_dom kh0 = {init_globals_frame, idle_tcb_ptr, High_tcb_ptr, Low_tcb_ptr,
              irq_cnode_ptr, ntfn_ptr} \<union>
             irq_node_offs_range \<union>
             cnode_offs_range Silc_cnode_ptr \<union>
             cnode_offs_range High_cnode_ptr \<union>
             cnode_offs_range Low_cnode_ptr \<union>
             pd_offs_range init_global_pd \<union>
             pd_offs_range High_pd_ptr \<union>
             pd_offs_range Low_pd_ptr \<union>
             pt_offs_range High_pt_ptr \<union>
             pt_offs_range Low_pt_ptr"
  supply nonzero_gt_zero[simp] gt_zero_nonzero[simp]
  apply (rule equalityI)
   apply (simp add: dom_def pspace_dom_def)
   apply clarsimp
   apply (clarsimp simp: kh0_def obj_relation_cuts_def pd_offs_in_range pt_offs_in_range
                         cnode_offs_in_range irq_node_offs_in_range s0_ptrs_aligned pageBits_def
                         kh0_obj_def cte_map_def' caps_dom_length_10
                  split: if_split_asm)
  apply (clarsimp simp: pspace_dom_def dom_def)
  apply (rule conjI)
   apply (rule_tac x=init_globals_frame in exI)
   apply (clarsimp simp: kh0_def kh0_obj_def s0_ptr_defs image_def)
   apply (rule_tac x=0 in exI)
   apply simp
  apply (rule conjI)
   apply (rule_tac x=idle_tcb_ptr in exI)
   apply (clarsimp simp: kh0_def kh0_obj_def s0_ptr_defs image_def)
  apply (rule conjI)
   apply (rule_tac x=High_tcb_ptr in exI)
   apply (clarsimp simp: kh0_def kh0_obj_def s0_ptr_defs image_def)
  apply (rule conjI)
   apply (rule_tac x=Low_tcb_ptr in exI)
   apply (clarsimp simp: kh0_def kh0_obj_def s0_ptr_defs image_def)
  apply (rule conjI)
   apply (rule_tac x=irq_cnode_ptr in exI)
   apply (clarsimp simp: kh0_def kh0_obj_def s0_ptr_defs image_def cte_map_def)
  apply (rule conjI)
   apply (rule_tac x=ntfn_ptr in exI)
   apply (clarsimp simp: kh0_def kh0_obj_def s0_ptr_defs image_def)
  apply (rule conjI)
   apply clarsimp
   apply (rule_tac x=x in exI)
   apply (drule offs_range_correct)
   apply clarsimp
   apply (force simp: kh0_def kh0_obj_def image_def cte_map_def')
  apply (rule conjI)
   apply clarsimp
   apply (rule_tac x=Silc_cnode_ptr in exI)
   apply (drule offs_range_correct)
   apply (force simp: kh0_def kh0_obj_def image_def s0_ptr_defs cte_map_def' dom_caps)
  apply (rule conjI)
   apply clarsimp
   apply (rule_tac x=High_cnode_ptr in exI)
   apply (drule offs_range_correct)
   apply (force simp: kh0_def kh0_obj_def image_def s0_ptr_defs cte_map_def' dom_caps)
  apply (rule conjI)
   apply clarsimp
   apply (rule_tac x=Low_cnode_ptr in exI)
   apply (drule offs_range_correct)
   apply (force simp: kh0_def kh0_obj_def image_def s0_ptr_defs cte_map_def' dom_caps)
  apply (rule conjI)
   apply clarsimp
   apply (rule_tac x=init_global_pd in exI)
   apply (drule offs_range_correct)
   apply (force simp: kh0_def kh0_obj_def image_def s0_ptr_defs)
  apply (rule conjI)
   apply clarsimp
   apply (rule_tac x=High_pd_ptr in exI)
   apply (drule offs_range_correct)
   apply (force simp: kh0_def kh0_obj_def image_def s0_ptr_defs)
  apply (rule conjI)
   apply clarsimp
   apply (rule_tac x=Low_pd_ptr in exI)
   apply (drule offs_range_correct)
   apply (force simp: kh0_def kh0_obj_def image_def s0_ptr_defs)
  apply (rule conjI)
   apply clarsimp
   apply (rule_tac x=High_pt_ptr in exI)
   apply (drule offs_range_correct)
   apply (force simp: kh0_def kh0_obj_def image_def s0_ptr_defs)
  apply clarsimp
  apply (rule_tac x=Low_pt_ptr in exI)
  apply (drule offs_range_correct)
  apply (force simp: kh0_def kh0_obj_def image_def s0_ptr_defs)
  done

lemma shiftl_shiftr_2_word12[simp]:
  "ucast (((ucast (x:: 12 word) << 2)::word32) >> 2) = x"
  apply (subst shiftl_shiftr_id)
    apply simp
   apply (cut_tac ucast_less[where x=x])
    apply (erule less_trans)
    apply simp
   apply simp
  apply (rule ucast_ucast_id)
  apply simp
  done

lemma shiftl_shiftr_2_word10[simp]:
  "ucast (((ucast (x:: 10 word) << 2)::word32) >> 2) = x"
  apply (subst shiftl_shiftr_id)
    apply simp
   apply (cut_tac ucast_less[where x=x])
    apply (erule less_trans)
    apply simp
   apply simp
  apply (rule ucast_ucast_id)
  apply simp
  done

lemma shiftl_shiftr_2_word8[simp]:
  "ucast (((ucast (x:: 8 word) << 2)::word32) >> 2) = x"
  apply (subst shiftl_shiftr_id)
    apply simp
   apply (cut_tac ucast_less[where x=x])
    apply (erule less_trans)
    apply simp
   apply simp
  apply (rule ucast_ucast_id)
  apply simp
  done

lemma mult_shiftr_id[simp]:
  "length x = 10 \<Longrightarrow> of_bl x * (0x10::word32) >> 4 = of_bl x"
  apply (simp add: shiftl_t2n[symmetric, where n=4, simplified mult.commute, simplified] )
  apply (subst shiftl_shiftr_id)
    apply simp
   apply (rule less_trans)
    apply (rule of_bl_length_less)
     apply assumption
    apply simp
   apply simp
  apply simp
  done

lemma to_bl_ucast_of_bl[simp]:
  "length x = 10 \<Longrightarrow> to_bl ((ucast ((of_bl x)::word32))::10 word) = x"
  apply (subst ucast_of_bl_up)
   apply (simp add: word_size)
  apply (simp add: word_rep_drop)
  done

lemma s0_pspace_rel:
  "pspace_relation (kheap s0_internal) kh0H"
  apply (simp add: pspace_relation_def s0_internal_def s0H_internal_def kh0H_dom kh0_pspace_dom)
  apply clarsimp
  apply (drule kh0_SomeD)
  apply (rename_tac y)
  apply (elim disjE)
                apply (clarsimp simp: pageBits_def)
               apply (clarsimp simp: kh0H_obj_def split del: if_split)
               apply (cut_tac x=y in pd_offs_in_range(3))
               apply (clarsimp simp: pd_offs_range_def pde_relation_def pde_relation_aligned_def)
              apply (clarsimp simp: kh0H_all_obj_def kh0_obj_def other_obj_relation_def
                                    tcb_relation_def arch_tcb_relation_def fault_rel_optionation_def
                                    word_bits_def the_nat_to_bl_simps)+
           apply (clarsimp simp: kh0H_obj_def High_pt_def High_pt'H_def High_pt'_def split del: if_split)
           apply (cut_tac x=y in pt_offs_in_range(2))
           apply (clarsimp simp: pt_offs_range_def pte_relation_def pte_relation_aligned_def pte_relation'_def)
          apply (clarsimp simp: kh0H_obj_def Low_pt_def Low_pt'H_def Low_pt'_def split del: if_split)
          apply (cut_tac x=y in pt_offs_in_range(1))
          apply (clarsimp simp: pt_offs_range_def pte_relation_def pte_relation_aligned_def pte_relation'_def)
         apply (clarsimp simp: kh0H_obj_def High_pd_def High_pd'H_def High_pd'_def split del: if_split)
         apply (cut_tac x=y in pd_offs_in_range(2))
         apply (clarsimp simp: pd_offs_range_def pde_relation_def pde_relation_aligned_def pde_relation'_def)
        apply (clarsimp simp: kh0H_obj_def Low_pd_def Low_pd'H_def Low_pd'_def split del: if_split)
        apply (cut_tac x=y in pd_offs_in_range(1))
        apply (clarsimp simp: pd_offs_range_def pde_relation_def pde_relation_aligned_def pde_relation'_def)
       apply (clarsimp simp: kh0H_obj_def irq_cnode_def cte_map_def cte_relation_def well_formed_cnode_n_def split: if_split_asm)
      apply (clarsimp simp: kh0H_obj_def kh0_obj_def other_obj_relation_def ntfn_relation_def)
     apply (clarsimp simp: kh0H_obj_def kh0_obj_def cte_relation_def cte_map_def)
     apply (cut_tac dom_caps(1))[1]
     apply (frule_tac m="Silc_caps" in domI)
     apply (cut_tac x=y in cnode_offs_in_range(3))
      apply simp
     apply (clarsimp simp: cnode_offs_range_def Silc_cte_def Silc_cte'_def Silc_capsH_def the_nat_to_bl_simps Silc_caps_def cte_level_bits_def empty_cte_def split: if_split_asm)
    apply (clarsimp simp: kh0H_obj_def kh0_obj_def cte_relation_def cte_map_def)
    apply (cut_tac dom_caps(2))[1]
    apply (frule_tac m="High_caps" in domI)
    apply (cut_tac x=y in cnode_offs_in_range(2))
     apply simp
    apply (clarsimp simp: cnode_offs_range_def High_cte_def High_cte'_def High_capsH_def the_nat_to_bl_simps High_caps_def cte_level_bits_def empty_cte_def split: if_split_asm)
   apply (clarsimp simp: kh0H_obj_def kh0_obj_def cte_relation_def cte_map_def)
   apply (cut_tac dom_caps(3))[1]
   apply (frule_tac m="Low_caps" in domI)
   apply (cut_tac x=y in cnode_offs_in_range(1))
    apply simp
   apply (clarsimp simp: cnode_offs_range_def Low_cte_def Low_cte'_def Low_capsH_def the_nat_to_bl_simps Low_caps_def cte_level_bits_def empty_cte_def split: if_split_asm)
  apply (clarsimp simp: kh0H_obj_def irq_cnode_def cte_map_def cte_relation_def well_formed_cnode_n_def empty_cte_def dom_def split: if_split_asm)
  apply (drule irq_node_offs_range_correct)
  apply clarsimp
  done

lemma subtree_node_Some:
  "m \<turnstile> a \<rightarrow> b \<Longrightarrow> m a \<noteq> None"
  by (erule subtree.cases) (auto simp: parentOf_def)

lemma s0_srel:
  "1 \<le> maxDomain \<Longrightarrow> (s0_internal, s0H_internal) \<in> state_relation"
  apply (simp add: state_relation_def)
  apply (intro conjI)
                   apply (simp add: s0_pspace_rel)
                  apply (clarsimp simp: ekheap_relation_def)
                  apply (case_tac "ksPSpace s0H_internal x")
                   apply (clarsimp simp: s0_internal_def s0H_internal_def exst0_def kh0H_def option_update_range_def split: if_split_asm option.splits)
                  apply (clarsimp simp: s0_internal_def s0H_internal_def exst0_def etcb_relation_def idle_tcbH_def High_tcbH_def High_etcb_def Low_tcbH_def Low_etcb_def default_etcb_def split: if_split_asm)
                 apply (simp add: s0_internal_def exst0_def s0H_internal_def sched_act_relation_def)
                apply (simp add: s0_internal_def exst0_def s0H_internal_def ready_queues_relation_def)
               apply (clarsimp simp: s0_internal_def exst0_def s0H_internal_def ghost_relation_def)
               apply (rule conjI)
                apply clarsimp
                apply (rule conjI)
                 apply (clarsimp simp: kh0_def s0_ptr_defs)
                apply clarsimp
                apply (drule kh0_SomeD)
                apply (clarsimp simp: s0_ptr_defs kh0_obj_def)
               apply clarsimp
               apply (rule conjI)
                apply clarsimp
                apply (rule iffI)
                 apply clarsimp
                 apply (drule kh0_SomeD)
                 apply (clarsimp simp: irq_node_offs_in_range)
                apply (fastforce simp: kh0_def well_formed_cnode_n_def empty_cnode_def dom_def)
               apply clarsimp
               apply (clarsimp simp: s0_ptr_defs)
               apply (subgoal_tac "a \<notin> irq_node_offs_range")
                prefer 2
                apply (clarsimp simp: irq_node_offs_range_def s0_ptr_defs cte_level_bits_def)
                apply (erule_tac x="ucast (a - 0xE0008000 >> 4)" in allE)
                apply (subst(asm) ucast_ucast_len)
                 apply (rule shiftr_less_t2n)
                 apply (rule word_less_sub_right)
                  apply simp
                 apply simp
                apply (simp add: shiftr_shiftl1)
                apply (subst(asm) is_aligned_neg_mask_eq)
                 apply (rule aligned_sub_aligned[where n=4])
                   apply simp
                  apply (simp add: is_aligned_def)
                 apply simp
                apply simp
               apply (intro conjI impI)
                   apply clarsimp
                   apply (rule iffI)
                    apply clarsimp
                    apply (drule kh0_SomeD)
                    apply (clarsimp simp: s0_ptr_defs kh0_obj_def)
                   apply (fastforce simp: kh0_def well_formed_cnode_n_def empty_cnode_def dom_def s0_ptr_defs kh0_obj_def Low_caps_def)
                  apply clarsimp
                  apply (rule iffI)
                   apply clarsimp
                   apply (drule kh0_SomeD)
                   apply (clarsimp simp: s0_ptr_defs kh0_obj_def)
                  apply (fastforce simp: kh0_def well_formed_cnode_n_def empty_cnode_def dom_def s0_ptr_defs kh0_obj_def High_caps_def)
                 apply clarsimp
                 apply (rule iffI)
                  apply clarsimp
                  apply (drule kh0_SomeD)
                  apply (clarsimp simp: s0_ptr_defs kh0_obj_def)
                 apply (fastforce simp: kh0_def well_formed_cnode_n_def empty_cnode_def dom_def s0_ptr_defs kh0_obj_def Silc_caps_def)
                apply clarsimp
                apply (rule iffI)
                 apply clarsimp
                 apply (drule kh0_SomeD)
                 apply (clarsimp simp: s0_ptr_defs kh0_obj_def)
                apply (fastforce simp: kh0_def well_formed_cnode_n_def empty_cnode_def dom_def s0_ptr_defs kh0_obj_def Silc_caps_def)
               apply clarsimp
               apply (drule kh0_SomeD)
               apply (clarsimp simp: s0_ptr_defs kh0_obj_def)
              apply (clarsimp simp: s0H_internal_def cdt_relation_def)
              apply (clarsimp simp: descendants_of'_def)
              apply (frule subtree_parent)
              apply (drule subtree_mdb_next)
              apply (case_tac "x = 0")
               apply (cut_tac s0H_valid_pspace')
                apply (simp add: valid_pspace'_def valid_mdb'_def valid_mdb_ctes_def parentOf_def isMDBParentOf_def kh0H_all_obj_def')
               apply simp
              apply (clarsimp simp: mdb_next_trancl_s0H)
              apply (elim disjE, (clarsimp simp: parentOf_def isMDBParentOf_def kh0H_all_obj_def')+)[1]
             apply (clarsimp simp: cdt_list_relation_def s0_internal_def exst0_def split: option.splits)
             apply (clarsimp simp: next_slot_def)
             apply (cut_tac p="(a, b)" and t="(const [])" and m="Map.empty" in next_not_child_NoneI)
                apply fastforce
               apply (simp add: next_sib_def)
              apply (simp add: finite_depth_def)
             apply simp
            apply (clarsimp simp: revokable_relation_def)
            apply (clarsimp simp: null_filter_def split: if_split_asm)
            apply (drule s0_caps_of_state)
            apply clarsimp
            apply (elim disjE)
                           apply (clarsimp simp: cte_map_def s0H_internal_def s0_internal_def kh0H_all_obj_def' cte_level_bits_def split: if_split_asm)+
                 apply (clarsimp simp: tcb_cnode_index_def ucast_bl[symmetric] Low_tcb_cte_def Low_tcbH_def High_tcb_cte_def High_tcbH_def)
                apply ((clarsimp simp: cte_map_def' s0H_internal_def s0_internal_def,
                       clarsimp simp: tcb_cnode_index_def ucast_bl[symmetric] Low_tcb_cte_def Low_tcbH_def High_tcb_cte_def High_tcbH_def)+)[5]
           apply (clarsimp simp: s0_internal_def s0H_internal_def arch_state_relation_def arch_state0_def arch_state0H_def)
          apply (clarsimp simp: s0_internal_def exst0_def s0H_internal_def interrupt_state_relation_def irq_state_relation_def)
         apply (clarsimp simp: s0_internal_def exst0_def s0H_internal_def)+
  done

definition
  "s0H \<equiv> ((if ct_idle' s0H_internal then idle_context s0_internal else s0_context,s0H_internal),KernelExit)"

lemma step_restrict_s0:
  "1 \<le> maxDomain \<Longrightarrow> step_restrict s0"
  supply option.case_cong[cong] if_cong[cong]
  apply (clarsimp simp: step_restrict_def has_srel_state_def)
  apply (rule_tac x="fst (fst s0H)" in exI)
  apply (rule_tac x="snd (fst s0H)" in exI)
  apply (rule_tac x="snd s0H" in exI)
  apply (simp add: s0H_def lift_fst_rel_def lift_snd_rel_def s0_srel s0_def split del: if_split)
  apply (rule conjI)
   apply (clarsimp split: if_split_asm)
   apply (rule conjI)
    apply clarsimp
    apply (frule ct_idle'_related[OF s0_srel s0H_invs]; solves simp)
   apply clarsimp
   apply (drule ct_idle_related[OF s0_srel]; simp)
  apply (clarsimp simp: full_invs_if'_def s0H_invs)
  apply (rule conjI)
   apply (simp only: ex_abs_def)
   apply (rule_tac x="s0_internal" in exI)
   apply (simp only: einvs_s0 s0_srel)
  apply (simp add: s0H_internal_def valid_domain_list'_def)
  apply (rule conjI)
   apply (clarsimp simp: vs_valid_duplicates'_def split: option.splits)
   apply (frule kh0H_SomeD)
   apply (elim disjE, simp_all add: vs_ptr_align_def kh0H_all_obj_def')[1]
          apply (clarsimp simp: the_nat_to_bl_simps split: if_split_asm)
         apply (clarsimp simp: the_nat_to_bl_simps split: if_split_asm)
        apply (clarsimp simp: the_nat_to_bl_simps split: if_split_asm)
       apply (clarsimp split: if_split_asm)
      apply (clarsimp simp: High_pd'H_def split: if_split_asm)
     apply (clarsimp simp: Low_pd'H_def split: if_split_asm)
    apply (clarsimp simp: High_pt'H_def split: if_split_asm)
   apply (clarsimp simp: Low_pt'H_def split: if_split_asm)
  apply (clarsimp simp: ct_in_state'_def st_tcb_at'_def obj_at'_def projectKO_eq project_inject
                        s0H_internal_def objBits_simps' s0_ptrs_aligned Low_tcbH_def)
  apply (rule pspace_distinctD''[OF _ s0H_pspace_distinct', simplified s0H_internal_def])
  apply (simp add: objBits_simps')
  done

lemma Sys1_valid_initial_state_noenabled:
  assumes domains: "1 \<le> maxDomain"
  assumes utf_det: "\<forall>pl pr pxn tc ms s. det_inv InUserMode tc s \<and> einvs s \<and> context_matches_state pl pr pxn ms s \<and> ct_running s
                   \<longrightarrow> (\<exists>x. utf (cur_thread s) pl pr pxn (tc, ms) = {x})"
  assumes utf_non_empty: "\<forall>t pl pr pxn tc ms. utf t pl pr pxn (tc, ms) \<noteq> {}"
  assumes utf_non_interrupt: "\<forall>t pl pr pxn tc ms e f g. (e,f,g) \<in> utf t pl pr pxn (tc, ms) \<longrightarrow> e \<noteq> Some Interrupt"
  assumes det_inv_invariant: "invariant_over_ADT_if det_inv utf"
  assumes det_inv_s0: "det_inv KernelExit (cur_context s0_internal) s0_internal"
  shows "valid_initial_state_noenabled det_inv utf s0_internal Sys1PAS timer_irq s0_context"
  by (rule Sys1_valid_initial_state_noenabled[OF step_restrict_s0 utf_det utf_non_empty
                                                 utf_non_interrupt det_inv_invariant det_inv_s0
                                                 ],
      rule domains)

end

end