adbrucker
/
lh-l4v
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
lh-l4v/proof/access-control/Retype_AC.thy

1550 lines
66 KiB
Plaintext
Raw Blame History

(*
* Copyright 2020, Data61, CSIRO (ABN 41 687 119 230)
*
* SPDX-License-Identifier: GPL-2.0-only
*)
theory Retype_AC
imports CNode_AC
begin
context begin interpretation Arch . (*FIXME: arch_split*)
(* put in here that we own the region mentioned in the invocation *)
definition
authorised_untyped_inv :: "'a PAS \<Rightarrow> Invocations_A.untyped_invocation \<Rightarrow> bool"
where
"authorised_untyped_inv aag ui \<equiv> case ui of
Invocations_A.untyped_invocation.Retype src_slot reset base aligned_free_ref new_type obj_sz slots dev \<Rightarrow>
is_subject aag (fst src_slot) \<and> (0::word32) < of_nat (length slots) \<and>
(\<forall>x\<in>set (retype_addrs aligned_free_ref new_type (length slots) obj_sz). is_subject aag x) \<and>
(\<forall>x\<in>{aligned_free_ref..aligned_free_ref + of_nat (length slots)*2^(obj_bits_api new_type obj_sz) - 1}. is_subject aag x) \<and>
new_type \<noteq> ArchObject ASIDPoolObj \<and>
(\<forall>x\<in>set slots. is_subject aag (fst x))"
subsection\<open>invoke\<close>
lemma create_cap_integrity:
"\<lbrace>integrity aag X st and K (is_subject aag (fst (fst ref)))\<rbrace>
create_cap typ sz untyped_ptr is_device ref
\<lbrace>\<lambda>rv. integrity aag X st\<rbrace>"
apply (simp add: create_cap_def split_def)
apply (wp set_cap_integrity_autarch[unfolded pred_conj_def K_def]
create_cap_extended.list_integ_lift
create_cap_list_integrity
set_original_integrity_autarch
| simp add: set_cdt_def)+
by (auto simp: integrity_def)
crunch inv[wp]: reserve_region P
lemma mol_respects:
"\<lbrace>\<lambda>ms. integrity aag X st (s\<lparr>machine_state := ms\<rparr>)\<rbrace>
machine_op_lift mop
\<lbrace>\<lambda>a b. integrity aag X st (s\<lparr>machine_state := b\<rparr>)\<rbrace>"
unfolding machine_op_lift_def
apply (simp add: machine_rest_lift_def split_def)
apply wp
apply (clarsimp simp: integrity_def)
done
lemma ptr_range_memI:
"is_aligned p n \<Longrightarrow> p \<in> ptr_range p n"
unfolding ptr_range_def
apply (erule is_aligned_get_word_bits)
apply (drule (1) base_member_set)
apply (simp add: field_simps)
apply simp
done
lemma ptr_range_add_memI:
"\<lbrakk> is_aligned (p :: 'a :: len word) n; k < 2 ^ n \<rbrakk> \<Longrightarrow> (p + k) \<in> ptr_range p n"
unfolding ptr_range_def
apply (erule is_aligned_get_word_bits)
apply clarsimp
apply (rule conjI)
apply (erule (1) is_aligned_no_wrap')
apply (subst p_assoc_help, rule word_plus_mono_right)
apply simp
apply (erule is_aligned_no_overflow')
apply (subgoal_tac "2 ^ n = (0 :: 'a word)")
apply simp
apply (simp add: word_bits_conv)
done
lemma storeWord_integrity_autarch:
"\<lbrace>\<lambda>ms. integrity aag X st (s\<lparr>machine_state := ms\<rparr>) \<and> (is_aligned p 2 \<longrightarrow> (\<forall>p' \<in> ptr_range p 2. is_subject aag p'))\<rbrace> storeWord p v \<lbrace>\<lambda>a b. integrity aag X st (s\<lparr>machine_state := b\<rparr>)\<rbrace>"
unfolding storeWord_def
apply wp
apply (auto simp: integrity_def is_aligned_mask [symmetric] intro!: trm_lrefl ptr_range_memI ptr_range_add_memI)
done
lemma word_minus_1:
"x + (0xFFFFFFFF::word32) = x - 1"
by simp
lemma Suc_0_lt_cases:
"\<lbrakk>(x = 0 \<Longrightarrow> False); (x = 1 \<Longrightarrow> False)\<rbrakk> \<Longrightarrow> Suc 0 < x"
apply (rule classical)
apply (auto simp add: not_less le_Suc_eq)
done
lemmas upto_enum_step_shift_red =
upto_enum_step_shift_red[where 'a=32, simplified, simplified word_bits_def[symmetric, simplified]]
lemma clearMemory_respects:
"\<lbrace>\<lambda> a. integrity aag X st (s\<lparr>machine_state := a\<rparr>) \<and>
is_aligned ptr sz \<and> sz < word_bits \<and> 2 \<le> sz \<and>
(\<forall> y\<in>ptr_range ptr sz. is_subject aag y)\<rbrace>
clearMemory ptr (2 ^ sz)
\<lbrace>\<lambda>rv a. integrity aag X st (s\<lparr>machine_state := a\<rparr>)\<rbrace>"
unfolding clearMemory_def
apply (rule hoare_pre)
apply (simp add: split_def cleanCacheRange_PoU_def)
apply wp
apply (simp add: cleanByVA_PoU_def)
apply (wp mol_respects)
apply (rule_tac Q="\<lambda> x ms. integrity aag X st (s\<lparr>machine_state := ms\<rparr>) \<and> (\<forall> y\<in> set [ptr , ptr + 4 .e. ptr + of_nat (2 ^ sz) - 1]. (is_aligned y 2 \<longrightarrow> (\<forall> z \<in> ptr_range y 2. is_subject aag z)))" in hoare_strengthen_post)
apply(wp mapM_x_wp' storeWord_integrity_autarch | simp add: no_irq_storeWord word_size_def)+
apply(clarsimp simp: upto_enum_step_shift_red[where us=2, simplified] word_bits_def)
apply(erule bspec)
apply(erule subsetD[rotated])
apply(rule ptr_range_subset)
apply assumption
apply(rule is_aligned_mult_triv2[where n=2, simplified])
apply assumption
apply (auto simp: word_bits_def
intro: word_less_power_trans_ofnat[where k=2, simplified])
done
crunch integrity_autarch: set_pd "integrity aag X st"
(wp: crunch_wps simp: crunch_simps)
lemma store_pde_integrity:
"\<lbrace>integrity aag X st and K (is_subject aag (p && ~~ mask pd_bits))\<rbrace>
store_pde p pde
\<lbrace>\<lambda>rv. integrity aag X st\<rbrace>"
apply(simp add: store_pde_def)
apply(wp set_pd_integrity_autarch)
apply(auto)
done
(* Borrowed from part of copy_global_mappings_nonempty_table in Untyped_R.thy *)
lemma copy_global_mappings_index_subset:
"set [kernel_base >> 20.e.2 ^ (pd_bits - 2) - 1] \<subseteq> {x. \<exists>y. x = y >> 20}"
apply clarsimp
apply (rule_tac x="x << 20" in exI)
apply (subst shiftl_shiftr1, simp)
apply (simp add: word_size)
apply (rule sym, rule less_mask_eq)
apply (simp add: word_leq_minus_one_le pd_bits_def pageBits_def)
done
lemma copy_global_mappings_integrity:
"is_aligned x pd_bits \<Longrightarrow>
\<lbrace>integrity aag X st and K (is_subject aag x)\<rbrace>
copy_global_mappings x
\<lbrace>\<lambda>rv. integrity aag X st\<rbrace>"
apply (rule hoare_gen_asm)
apply (simp add: copy_global_mappings_def)
apply (wp mapM_x_wp[OF _ subset_refl] store_pde_integrity)
apply (drule subsetD[OF copy_global_mappings_index_subset])
apply (fastforce simp: pd_shifting')
apply wpsimp+
done
lemma dmo_mol_respects:
"\<lbrace>integrity aag X st\<rbrace> do_machine_op (machine_op_lift mop) \<lbrace>\<lambda>rv. integrity aag X st\<rbrace>"
unfolding do_machine_op_def
apply (simp add: split_def)
apply wp
apply clarsimp
apply (erule use_valid)
apply (wp mol_respects)
apply simp
done
lemma dmo_bind_valid:
"\<lbrace>P\<rbrace> do_machine_op (a >>= b) \<lbrace>Q\<rbrace> = \<lbrace>P\<rbrace> do_machine_op a >>= (\<lambda>rv. do_machine_op (b rv)) \<lbrace>Q\<rbrace>"
by (fastforce simp: do_machine_op_def gets_def get_def select_f_def modify_def put_def return_def bind_def valid_def)
lemma dmo_bind_valid':
"\<lbrace>P\<rbrace> a >>= (\<lambda>rv. do_machine_op (b rv >>= c rv)) \<lbrace>Q\<rbrace>
= \<lbrace>P\<rbrace> a >>= (\<lambda>rv. do_machine_op (b rv) >>= (\<lambda>rv'. do_machine_op (c rv rv'))) \<lbrace>Q\<rbrace>"
by (fastforce simp: do_machine_op_def gets_def get_def select_f_def modify_def put_def return_def bind_def valid_def)
lemma dmo_mapM_wp:
assumes x: "\<And>x. x \<in> S \<Longrightarrow> \<lbrace>P\<rbrace> do_machine_op (f x) \<lbrace>\<lambda>rv. P\<rbrace>"
shows "set xs \<subseteq> S \<Longrightarrow> \<lbrace>P\<rbrace> do_machine_op (mapM f xs) \<lbrace>\<lambda>rv. P\<rbrace>"
apply (induct xs)
apply (simp add: mapM_def sequence_def)
apply (simp add: mapM_Cons dmo_bind_valid dmo_bind_valid')
apply (wpsimp | rule x)+
done
lemma dmo_mapM_x_wp:
assumes x: "\<And>x. x \<in> S \<Longrightarrow> \<lbrace>P\<rbrace> do_machine_op (f x) \<lbrace>\<lambda>rv. P\<rbrace>"
shows "set xs \<subseteq> S \<Longrightarrow> \<lbrace>P\<rbrace> do_machine_op (mapM_x f xs) \<lbrace>\<lambda>rv. P\<rbrace>"
apply (subst mapM_x_mapM)
apply (simp add: do_machine_op_return_foo)
apply wp
apply (rule dmo_mapM_wp)
apply (rule x)
apply assumption+
done
lemmas dmo_mapM_x_wp_inv = dmo_mapM_x_wp[where S=UNIV, simplified]
lemma dmo_cacheRangeOp_lift:
"(\<And>a b. \<lbrace>P\<rbrace> do_machine_op (oper a b) \<lbrace>\<lambda>_. P\<rbrace>)
\<Longrightarrow> \<lbrace>P\<rbrace> do_machine_op (cacheRangeOp oper x y z) \<lbrace>\<lambda>_. P\<rbrace>"
apply (simp add: cacheRangeOp_def)
apply (wp dmo_mapM_x_wp_inv)
apply (simp add: split_def)+
done
lemma dmo_cleanCacheRange_PoU_respects [wp]:
"\<lbrace>integrity aag X st\<rbrace> do_machine_op (cleanCacheRange_PoU vstart vend pstart) \<lbrace>\<lambda>rv. integrity aag X st\<rbrace>"
by (simp add: cleanCacheRange_PoU_def cleanByVA_PoU_def | wp dmo_cacheRangeOp_lift dmo_mol_respects)+
lemma dmo_mapM_x_cleanCacheRange_PoU_integrity:
"\<lbrace>integrity aag X st\<rbrace>
do_machine_op
(mapM_x (\<lambda>x. cleanCacheRange_PoU (f x) (g x) (h x)) refs)
\<lbrace>\<lambda>_. integrity aag X st\<rbrace>"
by (wp dmo_mapM_x_wp_inv)
definition word_object_size :: "apiobject_type \<Rightarrow> nat" where
"word_object_size aobject_type \<equiv>
(case aobject_type of
(ArchObject SmallPageObj) \<Rightarrow> 12 |
(ArchObject LargePageObj) \<Rightarrow> 16 |
(ArchObject SectionObj) \<Rightarrow> 20 |
(ArchObject SuperSectionObj) \<Rightarrow> 24)"
lemma init_arch_objects_integrity:
"\<lbrace>integrity aag X st and
K (\<forall> x\<in>set refs. is_subject aag x) and
K (\<forall>ref \<in> set refs. is_aligned ref (obj_bits_api new_type obj_sz))\<rbrace>
init_arch_objects new_type ptr num_objects obj_sz refs
\<lbrace>\<lambda>rv. integrity aag X st\<rbrace>"
apply(rule hoare_gen_asm)+
apply(cases new_type)
apply(simp_all add: init_arch_objects_def split del: if_split)
apply(rule hoare_pre)
apply(wpc
| wp mapM_x_wp[OF _ subset_refl]
copy_global_mappings_integrity dmo_mapM_x_cleanCacheRange_PoU_integrity
| simp add: obj_bits_api_def default_arch_object_def pd_bits_def pageBits_def)+
done
lemma foldr_upd_app_if': "foldr (\<lambda>p ps. ps(p := f p)) as g = (\<lambda>x. if x \<in> set as then (f x) else g x)"
apply (induct as)
apply simp
apply simp
apply (rule ext)
apply simp
done
lemma retype_region_integrity:
"\<lbrace>integrity aag X st and
K (range_cover ptr sz (obj_bits_api type o_bits) num_objects \<and>
(\<forall>x\<in>{ptr..(ptr && ~~ mask sz) + (2 ^ sz - 1)}. is_subject aag x))\<rbrace>
retype_region ptr num_objects o_bits type dev
\<lbrace>\<lambda>rv. integrity aag X st\<rbrace>"
apply (rule hoare_gen_asm)+
apply (simp only: retype_region_def retype_region_ext_extended.dxo_eq)
apply (simp only: retype_addrs_def retype_region_ext_def
foldr_upd_app_if' fun_app_def K_bind_def)
apply wp
apply (clarsimp simp: not_less)
apply (erule integrity_trans)
apply (clarsimp simp add: integrity_def)
apply(fastforce intro: tro_lrefl tre_lrefl
dest: retype_addrs_subset_ptr_bits[simplified retype_addrs_def]
simp: image_def p_assoc_help power_sub integrity_def)
done
lemma retype_region_ret_is_subject:
"\<lbrace>K (range_cover ptr sz (obj_bits_api tp us) num_objects \<and>
(\<forall>x\<in>{ptr..(ptr && ~~ mask sz) + (2 ^ sz - 1)}. is_subject aag x))\<rbrace>
retype_region ptr num_objects us tp dev
\<lbrace>\<lambda>rv. K (\<forall> ref \<in> set rv. is_subject aag ref)\<rbrace>"
apply(rule hoare_gen_asm2 | rule hoare_gen_asm)+
apply(rule hoare_strengthen_post)
apply(rule retype_region_ret)
apply(simp only: K_def)
apply(rule ballI)
apply(elim conjE)
apply(erule bspec)
apply(rule rev_subsetD, assumption)
apply(simp add: p_assoc_help del: set_map)
apply(rule retype_addrs_subset_ptr_bits[simplified retype_addrs_def])
apply simp
done
lemma retype_region_ret_pd_aligned:
"\<lbrace>K (range_cover ptr sz (obj_bits_api tp us) num_objects)\<rbrace>
retype_region ptr num_objects us tp dev
\<lbrace>\<lambda>rv. K (\<forall> ref \<in> set rv. tp = ArchObject PageDirectoryObj \<longrightarrow> is_aligned ref pd_bits)\<rbrace>"
apply(rule hoare_strengthen_post)
apply(rule hoare_weaken_pre)
apply(rule retype_region_aligned_for_init)
apply simp
apply (clarsimp simp: obj_bits_api_def default_arch_object_def pd_bits_def pageBits_def)
done
declare wrap_ext_det_ext_ext_def[simp]
lemma detype_integrity:
"\<lbrakk>integrity aag X st s; (\<forall> r\<in>refs. is_subject aag r)\<rbrakk> \<Longrightarrow>
integrity aag X st (detype refs s)"
apply (erule integrity_trans)
by (auto simp: detype_def detype_ext_def integrity_def)
lemma state_vrefs_detype [simp]:
"state_vrefs (detype R s) = (\<lambda>x. if x \<in> R then {} else state_vrefs s x)"
unfolding state_vrefs_def
apply (rule ext)
apply (clarsimp simp: detype_def)
done
lemma global_refs_detype [simp]:
"global_refs (detype R s) = global_refs s"
by(simp add: detype_def)
lemma thread_states_detype[simp]:
"thread_states (detype S s) = (\<lambda>x. if x \<in> S then {} else thread_states s x)"
by (rule ext, simp add: thread_states_def get_tcb_def o_def detype_def tcb_states_of_state_def)
lemma thread_bound_ntfns_detype[simp]:
"thread_bound_ntfns (detype S s) = (\<lambda>x. if x \<in> S then None else thread_bound_ntfns s x)"
by (rule ext, simp add: thread_bound_ntfns_def get_tcb_def o_def detype_def tcb_states_of_state_def)
lemma sta_detype:
"state_objs_to_policy (detype R s) \<subseteq> state_objs_to_policy s"
apply (clarsimp simp add: state_objs_to_policy_def state_refs_of_detype)
apply (erule state_bits_to_policy.induct)
apply (auto intro: state_bits_to_policy.intros split: if_split_asm)
done
lemma sita_detype:
"state_irqs_to_policy aag (detype R s) \<subseteq> state_irqs_to_policy aag s"
apply (clarsimp)
apply (erule state_irqs_to_policy_aux.induct)
apply (auto simp: detype_def intro: state_irqs_to_policy_aux.intros split: if_split_asm)
done
lemma sata_detype:
"state_asids_to_policy aag (detype R s) \<subseteq> state_asids_to_policy aag s"
apply (clarsimp)
apply (erule state_asids_to_policy_aux.induct)
apply (auto intro: state_asids_to_policy_aux.intros split: if_split_asm)
done
(* FIXME: move *)
lemmas pas_refined_by_subsets = pas_refined_state_objs_to_policy_subset
lemma detype_irqs [simp]:
"interrupt_irq_node (detype R s) = interrupt_irq_node s"
unfolding detype_def by simp
lemma dtsa_detype: "domains_of_state (detype R s) \<subseteq> domains_of_state s"
by (auto simp: detype_def detype_ext_def
intro: domtcbs
elim!: domains_of_state_aux.cases
split: if_splits)
lemma pas_refined_detype:
"pas_refined aag s \<Longrightarrow> pas_refined aag (detype R s)"
apply (rule pas_refined_by_subsets)
apply (blast intro!: sta_detype sata_detype sita_detype detype_irqs dtsa_detype)+
done
(* TODO: proof has mainly been copied from dmo_clearMemory_respects *)
lemma dmo_freeMemory_respects:
"\<lbrace>integrity aag X st and
K (is_aligned ptr bits \<and> bits < word_bits \<and> 2 \<le> bits \<and>
(\<forall>p \<in> ptr_range ptr bits. is_subject aag p))\<rbrace>
do_machine_op (freeMemory ptr bits) \<lbrace>\<lambda>rv. integrity aag X st\<rbrace>"
unfolding do_machine_op_def freeMemory_def
apply (simp add: split_def)
apply wp
apply clarsimp
apply (erule use_valid)
apply (wp mol_respects mapM_x_wp' storeWord_integrity_autarch)
apply simp
apply (clarsimp simp: word_size_def word_bits_def upto_enum_step_shift_red [where us=2, simplified])
apply (erule bspec)
apply (erule set_mp [rotated])
apply (rule ptr_range_subset)
apply simp
apply (simp add: is_aligned_mult_triv2 [where n = 2, simplified])
apply assumption
apply (erule word_less_power_trans_ofnat [where k = 2, simplified])
apply assumption
apply simp
apply simp
done
lemma delete_objects_respects[wp]:
"\<lbrace>integrity aag X st and
K (is_aligned ptr bits \<and> bits < word_bits \<and>
2 \<le> bits \<and> (\<forall>p\<in>ptr_range ptr bits. is_subject aag p))\<rbrace>
delete_objects ptr bits
\<lbrace>\<lambda>rv. integrity aag X st\<rbrace>"
apply (simp add: delete_objects_def)
apply (rule_tac seq_ext)
apply (rule hoare_triv[of P _ "%_. P" for P])
apply (wp dmo_freeMemory_respects | simp)+
by (fastforce simp: ptr_range_def intro!: detype_integrity)
lemma storeWord_respects:
"\<lbrace>\<lambda>ms. integrity aag X st (s\<lparr>machine_state := ms\<rparr>)
\<and> (\<forall>p' \<in> ptr_range p 2. aag_has_auth_to aag Write p')\<rbrace>
storeWord p v
\<lbrace>\<lambda>a b. integrity aag X st (s\<lparr>machine_state := b\<rparr>)\<rbrace>"
unfolding storeWord_def
apply wp
apply (auto simp: integrity_def is_aligned_mask [symmetric]
intro!: trm_write ptr_range_memI ptr_range_add_memI)
done
lemma dmo_clearMemory_respects':
"\<lbrace>integrity aag X st and K (is_aligned ptr bits \<and> bits < word_bits \<and> 2 \<le> bits \<and> (\<forall>p \<in> ptr_range ptr bits. aag_has_auth_to aag Write p))\<rbrace>
do_machine_op (clearMemory ptr (2 ^ bits))
\<lbrace>\<lambda>rv. integrity aag X st\<rbrace>"
unfolding do_machine_op_def clearMemory_def
apply (simp add: split_def cleanCacheRange_PoU_def)
apply wp
apply clarsimp
apply (erule use_valid)
apply wp
apply (simp add: cleanByVA_PoU_def)
apply (wp mol_respects mapM_x_wp' storeWord_respects)+
apply simp
apply (clarsimp simp add: word_size_def word_bits_def upto_enum_step_shift_red[where us=2, simplified])
apply (erule bspec)
apply (erule set_mp [rotated])
apply (rule ptr_range_subset)
apply simp
apply (simp add: is_aligned_mult_triv2 [where n = 2, simplified])
apply assumption
apply (erule word_less_power_trans_ofnat [where k = 2, simplified])
apply assumption
apply simp
apply simp
done
lemma integrity_work_units_completed_update[simp]:
"integrity aag X st (work_units_completed_update f s) = integrity aag X st s"
by (simp add: integrity_def)
lemma reset_untyped_cap_integrity:
"\<lbrace>integrity aag X st and pas_refined aag
and valid_objs and cte_wp_at is_untyped_cap slot
and K (is_subject aag (fst slot))\<rbrace>
reset_untyped_cap slot
\<lbrace>\<lambda>rv. integrity aag X st\<rbrace>"
apply (rule hoare_gen_asm)
apply (simp add: reset_untyped_cap_def)
apply (rule hoare_pre)
apply (wp set_cap_integrity_autarch dmo_clearMemory_respects'
| simp add: unless_def)+
apply (rule valid_validE, rule_tac P="cap_aligned cap \<and> is_untyped_cap cap
\<and> (\<forall>r \<in> cap_range cap. aag_has_auth_to aag Write r)" in hoare_gen_asm)
apply (rule validE_valid, rule mapME_x_wp')
apply (rule hoare_pre)
apply (wp mapME_x_inv_wp[OF hoare_pre(2)] preemption_point_inv'
set_cap_integrity_autarch dmo_clearMemory_respects' | simp)+
apply (clarsimp simp: cap_aligned_def is_cap_simps bits_of_def)
apply (subst aligned_add_aligned, assumption, rule is_aligned_shiftl, simp+)
apply (clarsimp simp: arg_cong2[where f="(\<le>)", OF refl reset_chunk_bits_def])
apply (drule bspec, erule subsetD[rotated])
apply (simp only: ptr_range_def, rule new_range_subset',
simp_all add: is_aligned_shiftl)[1]
apply (rule shiftl_less_t2n)
apply (rule word_of_nat_less)
apply simp
apply (simp add: word_bits_def)
apply clarsimp
apply (simp add: if_apply_def2)
apply (wp hoare_vcg_const_imp_lift get_cap_wp)+
apply (clarsimp simp: cte_wp_at_caps_of_state)
apply (frule caps_of_state_valid_cap, clarsimp+)
apply (clarsimp simp: cap_aligned_def is_cap_simps valid_cap_simps bits_of_def
untyped_min_bits_def)
apply (frule(2) cap_cur_auth_caps_of_state)
apply (clarsimp simp: aag_cap_auth_def ptr_range_def aag_has_Control_iff_owns
pas_refined_refl)
done
lemma bool_enum[simp]: "(\<forall>x. d = (\<not> x)) = False" "(\<forall>x. d = x) = False"
by blast+
lemma invoke_untyped_integrity:
"\<lbrace>integrity aag X st and pas_refined aag
and valid_objs
and valid_untyped_inv ui and K (authorised_untyped_inv aag ui)\<rbrace>
invoke_untyped ui
\<lbrace>\<lambda>rv. integrity aag X st\<rbrace>"
apply (rule hoare_name_pre_state)
apply (clarsimp simp only: valid_untyped_inv_wcap)
apply (cases ui)
apply (simp add: mapM_x_def[symmetric] authorised_untyped_inv_def
invoke_untyped_def)
apply (rule hoare_pre)
apply (wp mapM_x_wp[OF _ subset_refl] create_cap_integrity
init_arch_objects_integrity retype_region_integrity
retype_region_ret_is_subject retype_region_ret_pd_aligned
set_cap_integrity_autarch hoare_vcg_if_lift
hoare_whenE_wp reset_untyped_cap_integrity
| clarsimp simp: split_paired_Ball
| erule in_set_zipE
| blast)+
apply (clarsimp simp: is_aligned_neg_mask_eq
ptr_range_def p_assoc_help bits_of_def
cte_wp_at_caps_of_state)
apply (frule(1) cap_cur_auth_caps_of_state, simp+)
apply (clarsimp simp: aag_cap_auth_def pas_refined_all_auth_is_owns)
apply (simp add: word_and_le2 field_simps
| erule ball_subset[where A="{a && c .. b}" for a b c]
| rule conjI impI)+
done
lemma clas_default_cap:
"tp \<noteq> ArchObject ASIDPoolObj \<Longrightarrow> cap_links_asid_slot aag p (default_cap tp p' sz dev)"
unfolding cap_links_asid_slot_def
apply (cases tp, simp_all)
apply (rename_tac aobject_type)
apply (case_tac aobject_type, simp_all add: arch_default_cap_def)
done
lemma cli_default_cap:
"tp \<noteq> ArchObject ASIDPoolObj \<Longrightarrow> cap_links_irq aag p (default_cap tp p' sz dev)"
unfolding cap_links_irq_def
apply (cases tp, simp_all)
done
lemma obj_refs_default_nut:
"\<lbrakk> tp \<noteq> Untyped; \<forall>atp. tp \<noteq> ArchObject atp \<rbrakk> \<Longrightarrow>
obj_refs (default_cap tp oref sz dev) = {oref}"
by (cases tp, simp_all add: arch_default_cap_def split: aobject_type.splits)
lemma obj_refs_default':
"is_aligned oref (obj_bits_api tp sz) \<Longrightarrow> obj_refs (default_cap tp oref sz dev) \<subseteq> ptr_range oref (obj_bits_api tp sz)"
by (cases tp, simp_all add: arch_default_cap_def ptr_range_memI obj_bits_api_def default_arch_object_def split: aobject_type.splits)
lemma create_cap_pas_refined:
"\<lbrace>pas_refined aag and K (tp \<noteq> ArchObject ASIDPoolObj \<and> is_subject aag (fst p) \<and> is_subject aag (fst (fst ref)) \<and>
(\<forall>x \<in> ptr_range (snd ref) (obj_bits_api tp sz). is_subject aag x)
\<and> is_aligned (snd ref) (obj_bits_api tp sz))\<rbrace>
create_cap tp sz p dev ref
\<lbrace>\<lambda>rv. pas_refined aag\<rbrace>"
apply (simp add: create_cap_def split_def)
apply (wps | wp set_cdt_pas_refined set_cap_pas_refined set_original_wp | clarsimp)+
apply (rule conjI)
apply (cases "fst ref", clarsimp simp: pas_refined_refl)
apply (cases "tp = Untyped")
apply (simp add: cap_links_asid_slot_def pas_refined_refl cap_links_irq_def aag_cap_auth_def ptr_range_def obj_bits_api_def)
apply (clarsimp simp add: obj_refs_default_nut clas_default_cap pas_refined_refl cli_default_cap aag_cap_auth_def)
apply (drule obj_refs_default')
apply (case_tac tp, simp_all)
apply (auto intro: pas_refined_refl dest!: subsetD)
done
lemma pd_shifting_dual':
"is_aligned (pd::word32) pd_bits \<Longrightarrow>
pd + (vptr >> 20 << 2) && mask pd_bits = vptr >> 20 << 2"
apply (subst (asm) pd_bits_def)
apply (subst (asm) pageBits_def)
apply (simp add: pd_shifting_dual)
done
lemma empty_table_update_from_arm_global_pts:
"\<lbrakk>valid_global_objs s;
kernel_base >> 20 \<le> y >> 20; y >> 20 \<le> 2 ^ (pd_bits - 2) - 1;
is_aligned pd pd_bits;
kheap s (arm_global_pd (arch_state s)) = Some (ArchObj (PageDirectory pda));
obj_at (empty_table (set (second_level_tables (arch_state s)))) pd s\<rbrakk>
\<Longrightarrow>
(\<forall>pdb. ko_at (ArchObj (PageDirectory pdb)) pd s \<longrightarrow>
empty_table (set (second_level_tables (arch_state s)))
(ArchObj
(PageDirectory
(pdb(ucast (y >> 20) := pda (ucast (y >> 20)))))))"
apply(clarsimp simp: empty_table_def obj_at_def)
apply(clarsimp simp: valid_global_objs_def obj_at_def empty_table_def)
done
lemma copy_global_mappings_pas_refined:
"is_aligned pd pd_bits \<Longrightarrow>
\<lbrace>pas_refined aag and valid_kernel_mappings and
valid_arch_state and valid_global_objs and valid_global_refs and
pspace_aligned\<rbrace>
copy_global_mappings pd
\<lbrace>\<lambda>rv. pas_refined aag\<rbrace>"
apply(simp add: copy_global_mappings_def)
apply(rule hoare_weaken_pre)
apply(wp)
(* Use \<circ> to avoid wp filtering out the global_pd condition here
TODO: see if we can clean this up *)
apply(rule_tac Q="\<lambda> rv s. is_aligned global_pd pd_bits \<and> (global_pd = (arm_global_pd \<circ> arch_state) s \<and> valid_kernel_mappings s \<and> valid_arch_state s \<and> valid_global_objs s \<and> valid_global_refs s \<and> pas_refined aag s)" in hoare_strengthen_post)
apply(rule mapM_x_wp[OF _ subset_refl])
apply (rule hoare_seq_ext)
apply(unfold o_def)
(* Use [1] so wp doesn't filter out the global_pd condition *)
apply(wp store_pde_pas_refined store_pde_valid_kernel_mappings_map_global)[1]
apply(frule subsetD[OF copy_global_mappings_index_subset])
apply(rule hoare_gen_asm[simplified K_def pred_conj_def conj_commute])
apply(simp add: get_pde_def)
apply(subst kernel_vsrefs_kernel_mapping_slots[symmetric])
apply(wp)
apply(clarsimp simp: get_pde_def pd_shifting' pd_shifting_dual' triple_shift_fun)
apply(subst (asm) obj_at_def, erule exE, erule conjE)
apply(rotate_tac -1, drule sym, simp)
apply(frule (1) valid_kernel_mappingsD[folded obj_at_def])
apply(clarsimp simp: kernel_mapping_slots_def shiftr_20_less
empty_table_update_from_arm_global_pts
global_refs_def pde_ref_def)
apply(fastforce)
apply fastforce
apply(rule gets_wp)
apply(simp, blast intro: invs_aligned_pdD)
done
lemma copy_global_invs_mappings_restricted':
"pd \<in> S \<Longrightarrow>
\<lbrace>all_invs_but_equal_kernel_mappings_restricted S
and (\<lambda>s. S \<inter> global_refs s = {})
and K (is_aligned pd pd_bits)\<rbrace>
copy_global_mappings pd
\<lbrace>\<lambda>rv. all_invs_but_equal_kernel_mappings_restricted S\<rbrace>"
apply(rule hoare_weaken_pre)
apply(rule copy_global_invs_mappings_restricted)
apply(simp add: insert_absorb)
done
lemma init_arch_objects_pas_refined:
"\<lbrace>pas_refined aag and
post_retype_invs tp refs and
(\<lambda> s. \<forall> x\<in>set refs. x \<notin> global_refs s) and
K (\<forall>ref \<in> set refs. is_aligned ref (obj_bits_api tp obj_sz))\<rbrace>
init_arch_objects tp ptr bits obj_sz refs
\<lbrace>\<lambda>rv. pas_refined aag\<rbrace>"
apply(rule hoare_gen_asm)
apply(cases tp)
apply(simp_all add: init_arch_objects_def)
apply(wp | simp)+
apply(rename_tac aobject_type)
apply(case_tac aobject_type, simp_all)
apply((simp | wp)+)[5]
apply(wp)
apply(rule_tac Q="\<lambda> rv. pas_refined aag and all_invs_but_equal_kernel_mappings_restricted (set refs) and (\<lambda> s. \<forall> x\<in>set refs. x \<notin> global_refs s)" in hoare_strengthen_post)
apply(wp mapM_x_wp[OF _ subset_refl])
apply((wp copy_global_mappings_pas_refined
copy_global_invs_mappings_restricted'
copy_global_mappings_global_refs_inv
copy_global_invs_mappings_restricted' |
fastforce simp: obj_bits_api_def default_arch_object_def
pd_bits_def pageBits_def)+)[2]
apply(wp dmo_invs hoare_vcg_const_Ball_lift
valid_irq_node_typ |
fastforce simp: post_retype_invs_def)+
done
end
locale retype_region_proofs' = retype_region_proofs + constrains s ::"det_ext state" and s' :: "det_ext state"
context retype_region_proofs
begin
interpretation Arch . (*FIXME; arch_split*)
lemma vs_refs_no_global_pts_default [simp]:
"vs_refs_no_global_pts (default_object ty dev us) = {}"
by (simp add: default_object_def default_arch_object_def tyunt
vs_refs_no_global_pts_def pde_ref2_def pte_ref_def
o_def
split: Structures_A.apiobject_type.splits aobject_type.splits)
lemma vrefs_eq: "state_vrefs s' = state_vrefs s"
apply(rule ext)
apply(simp add: s'_def state_vrefs_def ps_def orthr split: option.split)
done
lemma ts_eq[simp]: "thread_states s' = thread_states s"
apply (rule ext)
apply (simp add: s'_def ps_def thread_states_def get_tcb_def orthr tcb_states_of_state_def
split: option.split Structures_A.kernel_object.split)
apply (simp add: default_object_def default_tcb_def tyunt
split: Structures_A.apiobject_type.split)
done
lemma bas_eq[simp]: "thread_bound_ntfns s' = thread_bound_ntfns s"
apply (rule ext)
apply (simp add: s'_def ps_def thread_bound_ntfns_def get_tcb_def orthr tcb_states_of_state_def
split: option.split Structures_A.kernel_object.split)
apply (simp add: default_object_def default_tcb_def tyunt
split: Structures_A.apiobject_type.split)
done
end
lemma invs_mdb_cte':
"invs s \<Longrightarrow> mdb_cte_at (\<lambda>p. \<exists>c. caps_of_state s p = Some c \<and> NullCap \<noteq> c) (cdt s)"
by (drule invs_mdb) (simp add: valid_mdb_def2)
context retype_region_proofs'
begin
interpretation Arch . (*FIXME; arch_split*)
lemma domains_of_state: "domains_of_state s' \<subseteq> domains_of_state s"
unfolding s'_def by simp
(* FIXME MOVE next to cte_at_pres *)
lemma cte_wp_at_pres:
"cte_wp_at P p s \<Longrightarrow> cte_wp_at P p s'"
unfolding cte_wp_at_cases s'_def ps_def
apply (erule disjE)
apply (clarsimp simp: well_formed_cnode_n_def orthr)+
done
(* FIXME MOVE next to cte_at_pres *)
lemma caps_of_state_pres:
"caps_of_state s p = Some cap \<Longrightarrow> caps_of_state s' p = Some cap"
using cte_wp_at_pres by (simp add: F)
lemma pas_refined: "invs s \<Longrightarrow> pas_refined aag s \<Longrightarrow> pas_refined aag s'"
apply(erule pas_refined_state_objs_to_policy_subset)
apply(simp add: state_objs_to_policy_def refs_eq vrefs_eq mdb_and_revokable)
apply(rule subsetI, rename_tac x, case_tac x, simp)
apply(erule state_bits_to_policy.cases)
apply (solves \<open>auto intro!: sbta_caps intro: caps_retype split: cap.split\<close>)
apply (solves \<open>auto intro!: sbta_untyped intro: caps_retype split: cap.split\<close>)
apply (blast intro: state_bits_to_policy.intros)
apply (blast intro: state_bits_to_policy.intros)
apply (force intro!: sbta_cdt
dest: caps_of_state_pres invs_mdb_cte'[THEN mdb_cte_atD[rotated]])
apply (force intro!: sbta_cdt_transferable
dest: caps_of_state_pres invs_mdb_cte'[THEN mdb_cte_atD[rotated]])
apply (simp add: vrefs_eq)
apply (blast intro: state_bits_to_policy.intros)
apply (simp add: vrefs_eq)
apply (force elim!: state_asids_to_policy_aux.cases
intro: state_asids_to_policy_aux.intros caps_retype
split: cap.split
dest: sata_asid[OF caps_retype, rotated])
apply clarsimp
apply (erule state_irqs_to_policy_aux.cases)
apply (solves\<open>auto intro!: sita_controlled intro: caps_retype split: cap.split\<close>)
apply (rule domains_of_state)
apply simp
done
end
context begin interpretation Arch . (*FIXME: arch_split*)
lemma retype_region_ext_kheap_update:
"\<lbrace>Q xs and R xs\<rbrace> retype_region_ext xs ty \<lbrace>\<lambda>_. Q xs\<rbrace>
\<Longrightarrow> \<lbrace>\<lambda>s. Q xs (kheap_update f s) \<and> R xs (kheap_update f s)\<rbrace> retype_region_ext xs ty \<lbrace>\<lambda>_ s. Q xs (kheap_update f s)\<rbrace>"
apply (clarsimp simp: valid_def retype_region_ext_def)
apply (erule_tac x="kheap_update f s" in allE)
apply (clarsimp simp: split_def bind_def gets_def get_def return_def modify_def put_def)
done
lemma use_retype_region_proofs_ext':
assumes x: "\<And>(s::det_ext state). \<lbrakk> retype_region_proofs s ty us ptr sz n dev; P s \<rbrakk>
\<Longrightarrow> Q (retype_addrs ptr ty n us) (s\<lparr>kheap :=
\<lambda>x. if x \<in> set (retype_addrs ptr ty n us)
then Some (default_object ty dev us )
else kheap s x\<rparr>)"
assumes y: "\<And>xs. \<lbrace>Q xs and R xs\<rbrace> retype_region_ext xs ty \<lbrace>\<lambda>_. Q xs\<rbrace>"
assumes z: "\<And>f xs s. R xs (kheap_update f s) = R xs s"
shows
"\<lbrakk> ty = CapTableObject \<Longrightarrow> 0 < us;
\<And>s. P s \<Longrightarrow> Q (retype_addrs ptr ty n us) s \<rbrakk> \<Longrightarrow>
\<lbrace>\<lambda>s. valid_pspace s \<and> valid_mdb s \<and> range_cover ptr sz (obj_bits_api ty us) n
\<and> caps_overlap_reserved {ptr..ptr + of_nat n * 2 ^ obj_bits_api ty us - 1} s
\<and> caps_no_overlap ptr sz s \<and> pspace_no_overlap_range_cover ptr sz s
\<and> (\<exists>slot. cte_wp_at (\<lambda>c. up_aligned_area ptr sz \<subseteq> cap_range c \<and> cap_is_device c = dev) slot s) \<and>
P s \<and> R (retype_addrs ptr ty n us) s\<rbrace> retype_region ptr n us ty dev \<lbrace>Q\<rbrace>"
apply (simp add: retype_region_def split del: if_split)
apply (rule hoare_pre, (wp|simp)+)
apply (rule retype_region_ext_kheap_update[OF y])
apply (wp|simp)+
apply (clarsimp simp: retype_addrs_fold
foldr_upd_app_if fun_upd_def[symmetric])
apply safe
apply (rule x)
apply (rule retype_region_proofs.intro, simp_all)[1]
apply (fastforce simp add: range_cover_def obj_bits_api_def z
slot_bits_def word_bits_def cte_level_bits_def)+
done
lemmas use_retype_region_proofs_ext
= use_retype_region_proofs_ext'[where Q="\<lambda>_. Q" and P=Q, simplified] for Q
end
lemma (in is_extended) pas_refined_tcb_domain_map_wellformed':
assumes tdmw: "\<lbrace>tcb_domain_map_wellformed aag and P\<rbrace> f \<lbrace>\<lambda>_. tcb_domain_map_wellformed aag\<rbrace>"
shows "\<lbrace>pas_refined aag and P\<rbrace> f \<lbrace>\<lambda>_. pas_refined aag\<rbrace>"
apply (simp add: pas_refined_def)
apply (wp tdmw)
apply (wp lift_inv)
apply simp+
done
context begin interpretation Arch . (*FIXME: arch_split*)
lemma retype_region_ext_pas_refined:
"\<lbrace>pas_refined aag and pas_cur_domain aag and K (\<forall>x\<in> set xs. is_subject aag x)\<rbrace> retype_region_ext xs ty \<lbrace>\<lambda>_. pas_refined aag\<rbrace>"
including no_pre
apply (subst and_assoc[symmetric])
apply (wp retype_region_ext_extended.pas_refined_tcb_domain_map_wellformed')
apply (simp add: retype_region_ext_def, wp)
apply (clarsimp simp: tcb_domain_map_wellformed_aux_def)
apply (erule domains_of_state_aux.cases)
apply (clarsimp simp: foldr_upd_app_if' fun_upd_def[symmetric] split: if_split_asm)
apply (clarsimp simp: default_ext_def default_etcb_def split: apiobject_type.splits)
defer
apply (force intro: domtcbs)
done
lemma retype_region_pas_refined:
"\<lbrace>pas_refined aag and invs and pas_cur_domain aag and
caps_overlap_reserved
{ptr..ptr + of_nat num_objects * 2 ^ obj_bits_api type o_bits -
1} and
caps_no_overlap ptr sz and pspace_no_overlap_range_cover ptr sz and
(\<lambda>s. \<exists>slot. cte_wp_at (\<lambda>c. up_aligned_area ptr sz \<subseteq> cap_range c \<and> cap_is_device c = dev) slot s) and
K (range_cover ptr sz (obj_bits_api type o_bits) num_objects) and
K (\<forall>x\<in>set (retype_addrs ptr type num_objects o_bits). is_subject aag x) and
K ((type = CapTableObject \<longrightarrow> 0 < o_bits))\<rbrace>
retype_region ptr num_objects o_bits type dev
\<lbrace>\<lambda>rv. pas_refined aag\<rbrace>"
apply (rule hoare_gen_asm)
apply (rule hoare_pre)
apply (rule use_retype_region_proofs_ext'[where P = "invs and pas_refined aag"])
apply clarsimp
apply (erule (2) retype_region_proofs'.pas_refined[OF retype_region_proofs'.intro])
apply (wp retype_region_ext_pas_refined)
apply simp
apply auto
done
(* FIXME MOVE *)
lemma retype_region_aag_bits:
"\<lbrace>\<lambda>s. P (null_filter (caps_of_state s)) (state_refs_of s) (cdt s) (state_vrefs s)
\<and> valid_pspace s \<and> valid_mdb s \<and>
caps_overlap_reserved
{ptr..ptr + of_nat num_objects * 2 ^ obj_bits_api tp us - 1} s \<and>
caps_no_overlap ptr sz s \<and> pspace_no_overlap_range_cover ptr sz s \<and>
(\<exists>slot. cte_wp_at (\<lambda>c. up_aligned_area ptr sz \<subseteq> cap_range c \<and> cap_is_device c = dev) slot s)
\<and> ((tp = CapTableObject \<longrightarrow> 0 < us) \<and> range_cover ptr sz (obj_bits_api tp us) num_objects)\<rbrace>
retype_region ptr num_objects us tp dev
\<lbrace>\<lambda>_ s. P (null_filter (caps_of_state s)) (state_refs_of s) (cdt s) (state_vrefs s)\<rbrace>"
apply (subst conj_assoc [symmetric])+
apply (rule hoare_gen_asm [unfolded pred_conj_def K_def])+
apply (rule hoare_pre)
apply (rule use_retype_region_proofs)
apply (frule retype_region_proofs.null_filter, erule ssubst)
apply (frule retype_region_proofs.refs_eq, erule ssubst)
apply (frule retype_region_proofs.vrefs_eq, erule ssubst)
apply (frule retype_region_proofs.mdb_and_revokable, erule ssubst)
apply assumption
apply simp
apply simp
apply simp
apply blast
done
lemma retype_region_ranges'':
"\<lbrace>K (range_cover ptr sz (obj_bits_api tp us) num_objects \<and> num_objects \<noteq> 0)\<rbrace>
retype_region ptr num_objects us tp dev
\<lbrace>\<lambda>rv s. \<forall>y\<in>set rv. ptr_range y (obj_bits_api tp us) \<subseteq> {ptr..ptr + of_nat num_objects * 2 ^ (obj_bits_api tp us) - 1}\<rbrace>"
apply simp
apply (rule hoare_gen_asm[where P'="\<top>", simplified])
apply (rule hoare_strengthen_post [OF retype_region_ret])
apply (clarsimp)
apply (frule_tac p=y in range_cover_subset)
apply assumption
apply simp
apply(rule conjI)
apply (fastforce simp: ptr_range_def ptr_add_def)
apply(clarsimp simp: ptr_range_def ptr_add_def intro: order_trans)
apply(erule order_trans)
apply(erule impE)
apply(simp add: p_assoc_help)
apply(rule is_aligned_no_wrap')
apply(rule is_aligned_add)
apply(fastforce simp: range_cover_def)
apply(simp add: is_aligned_mult_triv2)
apply(rule word_leq_le_minus_one, simp)
apply(rule power_not_zero)
apply(simp add: range_cover_def)
apply simp
done
lemma region_in_kernel_window_preserved:
assumes "\<And> P. \<lbrace>\<lambda> s. P (arch_state s) \<rbrace> f \<lbrace>\<lambda> rv s. P (arch_state s) \<rbrace>"
shows "\<And> S. \<lbrace> region_in_kernel_window S \<rbrace> f \<lbrace> \<lambda>_. region_in_kernel_window S \<rbrace>"
apply(clarsimp simp: valid_def region_in_kernel_window_def)
apply(erule use_valid)
apply(rule assms)
apply simp
done
lemma pspace_no_overlap_msu[simp]:
"pspace_no_overlap S (machine_state_update f s) = pspace_no_overlap S s"
apply(clarsimp simp: pspace_no_overlap_def)
done
lemma descendants_range_in_msu[simp]:
"descendants_range_in S slot (machine_state_update f s) = descendants_range_in S slot s"
apply(clarsimp simp: descendants_range_in_def)
done
(* proof clagged from Retype_AI.clearMemory_vms *)
lemma freeMemory_vms:
"valid_machine_state s \<Longrightarrow>
\<forall>x\<in>fst (freeMemory ptr bits (machine_state s)).
valid_machine_state (s\<lparr>machine_state := snd x\<rparr>)"
apply (clarsimp simp: valid_machine_state_def
disj_commute[of "in_user_frame p s" for p s])
apply (drule_tac x=p in spec, simp)
apply (drule_tac P4="\<lambda>m'. underlying_memory m' p = 0"
in use_valid[where P=P and Q="\<lambda>_. P" for P], simp_all)
apply (simp add: freeMemory_def machine_op_lift_def
machine_rest_lift_def split_def)
apply (wp hoare_drop_imps | simp | wp mapM_x_wp_inv)+
apply (simp add: storeWord_def | wp)+
apply (simp add: word_rsplit_0)+
done
lemma dmo_freeMemory_vms:
"\<lbrace>valid_machine_state\<rbrace>
do_machine_op (freeMemory ptr bits)
\<lbrace>\<lambda>_. valid_machine_state\<rbrace>"
apply(unfold do_machine_op_def)
apply (wp modify_wp freeMemory_vms | simp add: split_def)+
done
lemma freeMemory_valid_irq_states:
"\<lbrace>\<lambda>m. valid_irq_states (s\<lparr>machine_state := m\<rparr>) \<rbrace>
freeMemory ptr bits
\<lbrace>\<lambda>a b. valid_irq_states (s\<lparr>machine_state := b\<rparr>)\<rbrace>"
unfolding freeMemory_def
apply(wp mapM_x_wp[OF _ subset_refl] storeWord_valid_irq_states)
done
crunch pspace_respects_device_region[wp]: freeMemory "\<lambda>ms. P (device_state ms)"
(wp: crunch_wps)
lemma dmo_freeMemory_invs:
"\<lbrace> invs \<rbrace>
do_machine_op (freeMemory ptr bits)
\<lbrace>\<lambda>_. invs\<rbrace>"
apply (simp add: do_machine_op_def invs_def valid_state_def cur_tcb_def | wp | wpc)+
apply (clarsimp)
apply (frule_tac P1="(=) (device_state (machine_state s))" in
use_valid[OF _ freeMemory_pspace_respects_device_region])
apply simp
apply simp
apply(rule conjI)
apply(erule use_valid[OF _ freeMemory_valid_irq_states], simp)
apply(drule freeMemory_vms)
by auto
lemma delete_objects_pas_refined:
"\<lbrace>pas_refined aag\<rbrace> delete_objects ptr sz \<lbrace>\<lambda>_. pas_refined aag\<rbrace>"
apply(simp add: delete_objects_def do_machine_op_def)
apply (wp modify_wp | simp add: split_def)+
apply clarsimp
apply(rule pas_refined_detype)
apply simp
done
lemma cte_wp_at_sym:
"cte_wp_at (\<lambda> c. c = cap) slot s = cte_wp_at ((=) cap) slot s"
apply(simp add: cte_wp_at_def)
done
lemma untyped_slots_not_in_untyped_range:
"\<lbrakk>invs s; descendants_range_in S slot s; cte_wp_at ((=) cap) slot s;
is_untyped_cap cap; S = untyped_range cap; T \<subseteq> S\<rbrakk> \<Longrightarrow>
fst slot \<notin> T"
apply(erule contra_subsetD)
proof -
assume i: "invs s" and
dr: "descendants_range_in S slot s" and
ct: "cte_wp_at ((=) cap) slot s" and
ut: "is_untyped_cap cap" and
r: "S = untyped_range cap"
hence dt: "detype_locale cap slot s"
by(simp add: detype_locale_def descendants_range_def2 invs_untyped_children)
show "fst slot \<notin> S"
apply -
apply (insert r)
apply (simp, rule detype_locale.non_null_present[OF dt])
apply (insert ct ut)
apply (case_tac cap, simp_all)
apply (auto simp: cte_wp_at_def)
done
qed
lemma descendants_range_in_detype:
"\<lbrakk>invs s; descendants_range_in S slot s; cte_wp_at ((=) cap) slot s;
is_untyped_cap cap; S = untyped_range cap; T \<subseteq> S\<rbrakk> \<Longrightarrow>
descendants_range_in T slot (detype S s)"
apply(erule descendants_range_in_subseteq[rotated])
proof -
assume i: "invs s" and
dr: "descendants_range_in S slot s" and
ct: "cte_wp_at ((=) cap) slot s" and
ut: "is_untyped_cap cap" and
r: "S = untyped_range cap"
hence dt: "detype_locale cap slot s"
by(simp add: detype_locale_def descendants_range_def2 invs_untyped_children)
show "descendants_range_in S slot (detype S s)"
apply -
apply(insert i dr ct ut r)
apply(simp add: valid_mdb_descendants_range_in[OF invs_mdb])
apply(simp add: descendants_range_in_def)
apply(rule ballI)
apply(drule_tac x=p' in bspec, assumption)
apply(clarsimp simp: null_filter_def split: if_split_asm)
apply(rule conjI)
apply(simp add: cte_wp_at_caps_of_state)
apply(rule_tac t=a in ssubst[OF fst_conv[symmetric]])
apply(rule_tac ptr=slot and s=s in detype_locale.non_null_present)
apply(rule dt)
apply(simp add: cte_wp_at_caps_of_state)
apply fastforce
done
qed
lemma descendants_range_in_detype_ex:
"\<lbrakk>invs s; descendants_range_in S slot s; \<exists> cap. cte_wp_at ((=) cap) slot s \<and>
is_untyped_cap cap \<and> S = untyped_range cap; T \<subseteq> S\<rbrakk> \<Longrightarrow>
descendants_range_in T slot (detype S s)"
apply clarsimp
apply(blast intro: descendants_range_in_detype)
done
lemma descendants_range_in_detype_ex_strengthen:
"(invs s \<and> descendants_range_in S slot s \<and> (\<exists> cap. cte_wp_at ((=) cap) slot s \<and>
is_untyped_cap cap \<and> S = untyped_range cap) \<and> T \<subseteq> S) \<longrightarrow>
descendants_range_in T slot (detype S s)"
apply(blast intro: descendants_range_in_detype_ex)
done
lemma delete_objects_descendants_range_in':
notes modify_wp[wp del]
shows
"\<lbrace>invs and (\<lambda> s. \<exists> idx. cte_wp_at ((=) (UntypedCap dev word2 sz idx)) slot s) and
descendants_range_in {word2..word2 + 2 ^ sz - 1} slot\<rbrace>
(delete_objects word2 sz)
\<lbrace>\<lambda>_. descendants_range_in {word2..word2 + 2 ^ sz - 1} slot\<rbrace>"
apply(rule hoare_pre)
unfolding delete_objects_def
apply (wp modify_wp dmo_freeMemory_invs
| strengthen descendants_range_in_detype_ex_strengthen)+
apply (wp descendants_range_in_lift hoare_vcg_ex_lift | elim conjE | simp)+
apply clarsimp
apply(fastforce)
done
lemma untyped_cap_aligned:
"\<lbrakk>cte_wp_at ((=) (UntypedCap dev word sz idx)) slot s; valid_objs s\<rbrakk> \<Longrightarrow>
is_aligned word sz"
apply(fastforce dest: cte_wp_at_valid_objs_valid_cap simp: valid_cap_def cap_aligned_def)
done
lemma delete_objects_descendants_range_in'':
shows
"\<lbrace>invs and (\<lambda> s. \<exists> idx. cte_wp_at ((=) (UntypedCap dev word2 sz idx)) slot s) and
descendants_range_in {word2..word2 + 2 ^ sz - 1} slot\<rbrace>
(delete_objects word2 sz)
\<lbrace>\<lambda>_. descendants_range_in {word2..(word2 && ~~ mask sz) + 2 ^ sz - 1} slot\<rbrace>"
apply(clarsimp simp: valid_def)
apply(frule untyped_cap_aligned, fastforce)
apply(clarsimp simp: is_aligned_neg_mask_eq)
apply(erule use_valid)
apply(wp delete_objects_descendants_range_in' | clarsimp | blast)+
done
lemma delete_objects_descendants_range_in''':
shows
"\<lbrace>invs and (\<lambda> s. \<exists> idx. cte_wp_at ((=) (UntypedCap dev word2 sz idx)) slot s) and
descendants_range_in {word2..word2 + 2 ^ sz - 1} slot\<rbrace>
(delete_objects word2 sz)
\<lbrace>\<lambda>_. descendants_range_in {word2 && ~~ mask sz..(word2 && ~~ mask sz) + 2 ^ sz - 1} slot\<rbrace>"
apply(clarsimp simp: valid_def)
apply(frule untyped_cap_aligned, fastforce)
apply(clarsimp simp: is_aligned_neg_mask_eq)
apply(erule use_valid)
apply(wp delete_objects_descendants_range_in' | clarsimp | blast)+
done
lemma range_cover_subset'':
"\<lbrakk>range_cover ptr sz sbit n; n \<noteq> 0\<rbrakk>
\<Longrightarrow> {ptr ..ptr + of_nat n * 2 ^ sbit - 1} \<subseteq> {ptr && ~~ mask sz..(ptr && ~~ mask sz) + 2^ sz - 1}"
apply (rule order_trans, erule(1) range_cover_subset')
apply (simp add: word_and_le2)
done
lemma delete_objects_descendants_range_in'''':
shows
"\<lbrace>invs and (\<lambda> s. \<exists> idx. cte_wp_at ((=) (UntypedCap dev word2 sz idx)) slot s) and
ct_active and descendants_range_in {word2..word2 + 2 ^ sz - 1} slot and
K (range_cover word2 sz bits n \<and>
n \<noteq> 0)\<rbrace>
(delete_objects word2 sz)
\<lbrace>\<lambda>_. descendants_range_in {word2..word2 + of_nat n * 2 ^ bits - 1} slot\<rbrace>"
apply(clarsimp simp: valid_def)
apply(rule descendants_range_in_subseteq)
apply(erule use_valid)
apply(wp delete_objects_descendants_range_in' | clarsimp | blast)+
apply(drule range_cover_subset'', simp)
apply(fastforce dest: untyped_cap_aligned simp: is_aligned_neg_mask_eq)
done
lemmas delete_objects_descendants_range_in =
delete_objects_descendants_range_in'
delete_objects_descendants_range_in''
delete_objects_descendants_range_in'''
delete_objects_descendants_range_in''''
crunch global_refs[wp]: delete_objects "\<lambda> s. P (global_refs s)"
(ignore: do_machine_op freeMemory)
crunch arch_state[wp]: delete_objects "\<lambda> s. P (arch_state s)"
(ignore: do_machine_op freeMemory)
lemma bits_of_UntypedCap:
"bits_of (UntypedCap dev ptr sz free) = sz"
apply(simp add: bits_of_def split: cap.splits)
done
lemma mask_neg_mask_is_zero:
"((x::word32) && ~~ a) && a = 0"
apply(subst word_bw_assocs)
apply simp
done
(* clagged from Untyped_R.invoke_untyped_proofs.usable_range_disjoint *)
lemma usable_range_disjoint:
assumes cte_wp_at: "cte_wp_at ((=) (cap.UntypedCap dev (ptr && ~~ mask sz) sz idx)) cref s"
assumes misc : "distinct slots" "idx \<le> unat (ptr && mask sz) \<or> ptr = ptr && ~~ mask sz"
"invs s" "slots \<noteq> []" "ct_active s"
"\<forall>slot\<in>set slots. cte_wp_at ((=) cap.NullCap) slot s"
"\<forall>x\<in>set slots. ex_cte_cap_wp_to (\<lambda>_. True) x s"
assumes cover: "range_cover ptr sz (obj_bits_api tp us) (length slots)"
notes blah[simp del] = untyped_range.simps usable_untyped_range.simps atLeastAtMost_iff atLeastatMost_subset_iff atLeastLessThan_iff
Int_atLeastAtMost atLeastatMost_empty_iff split_paired_Ex
shows
"usable_untyped_range (cap.UntypedCap dev (ptr && ~~ mask sz) sz
(unat ((ptr && mask sz) + of_nat (length slots) * 2 ^ obj_bits_api tp us))) \<inter>
{ptr..ptr + of_nat (length slots) * 2 ^ obj_bits_api tp us - 1} = {}"
proof -
have not_0_ptr[simp]: "ptr\<noteq> 0"
using misc cte_wp_at
apply (clarsimp simp:cte_wp_at_caps_of_state)
apply (drule(1) caps_of_state_valid)
apply (clarsimp simp:valid_cap_def)
done
have idx_compare''[simp]:
"unat ((ptr && mask sz) + (of_nat (length slots) * (2::word32) ^ obj_bits_api tp us)) < 2 ^ sz
\<Longrightarrow> ptr + of_nat (length slots) * 2 ^ obj_bits_api tp us - 1
< ptr + of_nat (length slots) * 2 ^ obj_bits_api tp us"
apply (rule word_leq_le_minus_one,simp)
apply (rule neq_0_no_wrap)
apply (rule machine_word_plus_mono_right_split)
apply (simp add:shiftl_t2n range_cover_unat[OF cover] field_simps)
apply (simp add:range_cover.sz[where 'a=32, folded word_bits_def, OF cover])+
done
show ?thesis
apply (clarsimp simp:mask_out_sub_mask blah)
apply (drule idx_compare'')
apply (simp add:not_le[symmetric])
done
qed
lemma set_free_index_invs':
"\<lbrace> (\<lambda>s. invs s \<and>
cte_wp_at ((=) cap) slot s \<and>
(free_index_of cap \<le> idx' \<or>
(descendants_range_in {word1..word1 + 2 ^ (bits_of cap) - 1} slot s \<and>
pspace_no_overlap_range_cover word1 (bits_of cap) s)) \<and>
idx' \<le> 2 ^ cap_bits cap \<and>
is_untyped_cap cap) and K(word1 = obj_ref_of cap \<and> dev = (cap_is_device cap))\<rbrace>
set_cap
(UntypedCap dev word1 (bits_of cap) idx')
slot
\<lbrace>\<lambda>_. invs \<rbrace>"
apply(rule hoare_gen_asm)
apply(case_tac cap, simp_all add: bits_of_def)
apply(case_tac "free_index_of cap \<le> idx'")
apply simp
apply(cut_tac cap=cap and cref=slot and idx="idx'" in set_free_index_invs)
apply(simp add: free_index_update_def conj_comms is_cap_simps)
apply simp
apply(wp set_untyped_cap_invs_simple | simp)+
apply(fastforce simp: cte_wp_at_def)
done
lemma delete_objects_pspace_no_overlap:
"\<lbrace> pspace_aligned and valid_objs and
cte_wp_at ((=) (UntypedCap dev ptr sz idx)) slot\<rbrace>
delete_objects ptr sz
\<lbrace>\<lambda>rv. pspace_no_overlap_range_cover ptr sz\<rbrace>"
unfolding delete_objects_def do_machine_op_def
apply(wp | simp add: split_def detype_machine_state_update_comm)+
apply clarsimp
apply(rule pspace_no_overlap_detype)
apply(auto dest: cte_wp_at_valid_objs_valid_cap)
done
lemma delete_objects_pspace_no_overlap':
"\<lbrace> pspace_aligned and valid_objs and
cte_wp_at ((=) (UntypedCap dev ptr sz idx)) slot\<rbrace>
delete_objects ptr sz
\<lbrace>\<lambda>rv. pspace_no_overlap_range_cover (ptr && ~~ mask sz) sz\<rbrace>"
apply(clarsimp simp: valid_def)
apply(frule untyped_cap_aligned, simp)
apply(clarsimp simp: is_aligned_neg_mask_eq)
apply(frule(1) cte_wp_at_valid_objs_valid_cap)
apply(erule use_valid, wp delete_objects_pspace_no_overlap, auto)
done
(* FIXME: move *)
lemma valid_cap_range_untyped:
"\<lbrakk> valid_objs s; cte_wp_at ((=) (UntypedCap dev (ptr && ~~ mask sz) sz idx)) slot s\<rbrakk>
\<Longrightarrow> cte_wp_at (\<lambda>c. up_aligned_area ptr sz \<subseteq> cap_range c \<and> cap_is_device c = dev) slot s"
apply (rule cte_wp_at_weakenE)
apply simp
apply (clarsimp simp: word_and_le2 p_assoc_help)
done
lemma retype_region_pas_refined':
"\<lbrace>pas_refined aag and pas_cur_domain aag and invs and
caps_overlap_reserved
{ptr..ptr + of_nat num_objects * 2 ^ obj_bits_api type o_bits -
1} and
(\<lambda> s. \<exists> idx. cte_wp_at (\<lambda> c. c = (UntypedCap dev (ptr && ~~ mask sz) sz idx)) slot s \<and>
(idx \<le> unat (ptr && mask sz) \<or>
(descendants_range_in {ptr..(ptr && ~~ mask sz) + 2 ^ sz - 1} slot s) \<and>
pspace_no_overlap_range_cover ptr sz s)) and
K (sz < word_bits) and
K (range_cover ptr sz (obj_bits_api type o_bits) num_objects) and
K (\<forall>x\<in>set (retype_addrs ptr type num_objects o_bits). is_subject aag x) and
K ((type = CapTableObject \<longrightarrow> 0 < o_bits))\<rbrace>
retype_region ptr num_objects o_bits type dev
\<lbrace>\<lambda>rv. pas_refined aag\<rbrace>"
apply (rule hoare_gen_asm)+
apply (rule hoare_weaken_pre)
apply (rule use_retype_region_proofs_ext'[where P="invs and pas_refined aag"])
apply clarsimp
apply (erule (2) retype_region_proofs'.pas_refined[OF retype_region_proofs'.intro])
apply (wp retype_region_ext_pas_refined)
apply simp
apply fastforce
apply fastforce
apply clarsimp
apply clarsimp
apply (frule valid_cap_range_untyped[OF invs_valid_objs])
apply (fastforce simp: cte_wp_at_caps_of_state)
apply (cases slot)
apply (auto intro: cte_wp_at_caps_no_overlapI descendants_range_caps_no_overlapI
cte_wp_at_pspace_no_overlapI
simp: cte_wp_at_sym)
done
lemma free_index_of_UntypedCap:
"free_index_of (UntypedCap dev ptr sz idx) = idx"
apply(simp add: free_index_of_def)
done
fun slot_of_untyped_inv where "slot_of_untyped_inv (Retype slot _ _ _ _ _ _ _) = slot"
lemma region_in_kernel_window_subseteq:
"\<lbrakk> region_in_kernel_window S s; T \<subseteq> S\<rbrakk> \<Longrightarrow>
region_in_kernel_window T s"
apply(fastforce simp: region_in_kernel_window_def)
done
lemma aag_cap_auth_UntypedCap_idx_dev:
"aag_cap_auth aag l (UntypedCap dev base sz idx) \<Longrightarrow>
aag_cap_auth aag l (UntypedCap dev' base sz idx')"
by (clarsimp simp: aag_cap_auth_def cap_links_asid_slot_def
cap_links_irq_def)
lemma cte_wp_at_pas_cap_cur_auth_UntypedCap_idx_dev:
"\<lbrakk>cte_wp_at ((=) (UntypedCap dev base sz idx)) slot s; is_subject aag (fst slot);
pas_refined aag s\<rbrakk> \<Longrightarrow>
pas_cap_cur_auth aag (UntypedCap dev' base sz idx')"
apply(rule aag_cap_auth_UntypedCap_idx_dev)
apply(auto intro: cap_cur_auth_caps_of_state simp: cte_wp_at_caps_of_state)
done
lemmas caps_pas_cap_cur_auth_UntypedCap_idx_dev
= cte_wp_at_pas_cap_cur_auth_UntypedCap_idx_dev[OF caps_of_state_cteD]
lemma retype_addrs_aligned_range_cover:
assumes xin: "x \<in> set (retype_addrs ptr ty n us)"
and co: "range_cover ptr sz (obj_bits_api ty us) n"
shows "is_aligned x (obj_bits_api ty us)"
using co
apply (clarsimp simp: range_cover_def)
apply (rule retype_addrs_aligned[OF xin, where sz=sz], simp_all)
apply (simp add: word_bits_def)
done
lemma pas_refined_work_units_complete[simp]:
"pas_refined aag (work_units_completed_update f s) = pas_refined aag s"
by (simp add: pas_refined_def)
(*FIXME MOVE *)
lemma set_cap_sets_direct:
"P cap \<Longrightarrow>
\<lbrace>\<top>\<rbrace>
set_cap cap slot
\<lbrace>\<lambda>rv. cte_wp_at P slot\<rbrace>"
apply (rule hoare_strengthen_post)
apply (rule set_cap_sets)
apply (erule cte_wp_at_lift)
by blast
(*FIXME MOVE *)
lemma set_cap_sets_wp:
"\<lbrace>\<lambda>_. P cap\<rbrace>
set_cap cap slot
\<lbrace>\<lambda>rv. cte_wp_at P slot\<rbrace>"
by (rule hoare_gen_asm2[simplified]) (erule set_cap_sets_direct)
lemma reset_untyped_cap_pas_refined[wp]:
"\<lbrace>pas_refined aag and cte_wp_at is_untyped_cap slot
and cte_wp_at (\<lambda>c. fst slot \<notin> untyped_range c) slot
and K (is_subject aag (fst slot))\<rbrace>
reset_untyped_cap slot
\<lbrace>\<lambda>_. pas_refined aag\<rbrace>"
apply (rule hoare_gen_asm)
apply (clarsimp simp: reset_untyped_cap_def)
apply (rule hoare_pre)
apply (wps | wp set_cap_pas_refined_not_transferable | simp add: unless_def)+
apply (rule valid_validE)
apply (rule_tac P="is_untyped_cap cap \<and> pas_cap_cur_auth aag cap" in hoare_gen_asm)
apply (rule_tac Q= "\<lambda>_.cte_wp_at (\<lambda> c. \<not> is_transferable (Some c)) slot and pas_refined aag"
in hoare_strengthen_post)
apply (rule validE_valid, rule mapME_x_inv_wp)
apply (rule hoare_pre)
apply (wps
| wp preemption_point_inv' set_cap_pas_refined_not_transferable set_cap_sets_direct
| simp)+
apply (fastforce simp: is_cap_simps aag_cap_auth_UntypedCap_idx_dev bits_of_def)
apply blast
apply (wps
| wp hoare_vcg_const_imp_lift get_cap_wp delete_objects_pas_refined hoare_drop_imp
| simp)+
apply (clarsimp simp: cte_wp_at_caps_of_state is_cap_simps bits_of_def)
apply (auto elim: caps_pas_cap_cur_auth_UntypedCap_idx_dev)
done
lemma retype_region_post_retype_invs_spec:
"\<lbrace>invs and caps_no_overlap ptr sz and pspace_no_overlap_range_cover ptr sz
and caps_overlap_reserved {ptr..ptr + of_nat n * 2 ^ obj_bits_api ty us - 1}
and region_in_kernel_window {ptr .. (ptr && ~~ mask sz) + 2 ^ sz - 1}
and (\<lambda>s. \<exists>idx. cte_wp_at ((=) (UntypedCap dev (ptr && ~~ mask sz) sz idx)) slot s)
and K (ty = Structures_A.CapTableObject \<longrightarrow> 0 < us)
and K (range_cover ptr sz (obj_bits_api ty us) n) \<rbrace>
retype_region ptr n us ty dev\<lbrace>\<lambda>rv. post_retype_invs ty rv\<rbrace>"
apply (rule hoare_pre)
apply (wp retype_region_post_retype_invs)
apply (clarsimp simp del: split_paired_Ex)
apply (frule valid_cap_range_untyped[OF invs_valid_objs],simp)
apply fastforce
done
lemma invoke_untyped_pas_refined:
notes modify_wp[wp del]
notes usable_untyped_range.simps[simp del]
shows
"\<lbrace>pas_refined aag and pas_cur_domain aag and invs and valid_untyped_inv ui
and ct_active and K (authorised_untyped_inv aag ui)\<rbrace>
invoke_untyped ui
\<lbrace>\<lambda>rv. pas_refined aag\<rbrace>"
apply(rule hoare_gen_asm)
apply (rule hoare_pre)
apply (rule_tac Q="\<lambda>_. pas_refined aag and pas_cur_domain aag" in hoare_strengthen_post)
apply (rule invoke_untyped_Q)
apply (rule hoare_pre, wp create_cap_pas_refined)
apply (clarsimp simp: authorised_untyped_inv_def
range_cover.aligned ptr_range_def[symmetric]
retype_addrs_aligned_range_cover)
apply (clarsimp simp: cte_wp_at_caps_of_state
is_cap_simps ptr_range_def[symmetric])
apply (frule cap_cur_auth_caps_of_state[where
cap="cap.UntypedCap dev p sz idx" for dev p sz idx], simp+)
apply (clarsimp simp add: aag_cap_auth_def ptr_range_def[symmetric]
pas_refined_all_auth_is_owns)
apply blast
apply (rule hoare_pre, wp init_arch_objects_pas_refined)
apply (clarsimp simp: retype_addrs_aligned_range_cover
cte_wp_at_caps_of_state)
apply (drule valid_global_refsD[rotated 2])
apply (clarsimp simp: post_retype_invs_def split: if_split_asm)
apply (erule caps_of_state_cteD)
apply (erule notE, erule subsetD[rotated])
apply (rule order_trans, erule retype_addrs_subset_ptr_bits)
apply (simp add: field_simps word_and_le2)
apply (rule hoare_name_pre_state, clarsimp)
apply (rule hoare_pre, wp retype_region_pas_refined)
apply (clarsimp simp: authorised_untyped_inv_def)
apply (strengthen range_cover_le[mk_strg I E], simp)
apply (intro conjI exI;
(erule cte_wp_at_weakenE)?,
clarsimp simp: field_simps word_and_le2)
apply (rule hoare_pre, wp set_cap_pas_refined)
apply (clarsimp simp: cte_wp_at_caps_of_state is_cap_simps)
apply (cases ui,
clarsimp simp: authorised_untyped_inv_def caps_pas_cap_cur_auth_UntypedCap_idx_dev)
apply wp
apply clarsimp
apply (cases ui, clarsimp)
(* FIXME CLEAN UP ? *)
apply (intro conjI)
prefer 2
apply (simp add: cte_wp_at_caps_of_state del: untyped_range.simps)
apply (rule cte_map_not_null_outside'
[where p="(a, b)" and p'="(a, b)" for a b,
simplified fst_conv, OF caps_of_state_cteD],
assumption)
apply (force simp: descendants_range_def
cte_wp_at_caps_of_state authorised_untyped_inv_def)+
done
subsection\<open>decode\<close>
lemma data_to_obj_type_ret_not_asid_pool:
"\<lbrace> \<top> \<rbrace> data_to_obj_type v \<lbrace> \<lambda>r s. r \<noteq> ArchObject ASIDPoolObj \<rbrace>,-"
apply(clarsimp simp: validE_R_def validE_def valid_def)
apply(auto simp: data_to_obj_type_def arch_data_to_obj_type_def throwError_def simp: returnOk_def bindE_def return_def bind_def lift_def split: if_split_asm)
done
definition authorised_untyped_inv' where
"authorised_untyped_inv' aag ui \<equiv> case ui of
Invocations_A.untyped_invocation.Retype src_slot reset base aligned_free_ref new_type obj_sz slots dev \<Rightarrow>
is_subject aag (fst src_slot) \<and> (0::word32) < of_nat (length slots) \<and>
new_type \<noteq> ArchObject ASIDPoolObj \<and>
(\<forall>x\<in>set slots. is_subject aag (fst x))"
lemma authorised_untyped_invI:
notes blah[simp del] = atLeastAtMost_iff atLeastatMost_subset_iff atLeastLessThan_iff
Int_atLeastAtMost atLeastatMost_empty_iff split_paired_Ex
shows
"\<lbrakk>valid_untyped_inv ui s; pas_refined aag s;
authorised_untyped_inv' aag ui\<rbrakk> \<Longrightarrow>
authorised_untyped_inv aag ui"
apply(case_tac ui)
apply(clarsimp simp: cte_wp_at_caps_of_state
authorised_untyped_inv_def authorised_untyped_inv'_def
del: ballI)
apply (frule(1) cap_cur_auth_caps_of_state, simp)
apply (simp add: aag_cap_auth_def aag_has_Control_iff_owns)
apply (frule range_cover_subset'', simp)
apply (frule retype_addrs_subset_ptr_bits)
apply (subgoal_tac "case ui of Retype src r base aligned_free_ref new_type obj_sz slots dev \<Rightarrow>
{aligned_free_ref .. base + 2 ^ sz - 1} \<subseteq> {base .. base + 2 ^ sz - 1}")
apply (simp add: field_simps)
apply blast
apply (simp add: blah word_and_le2)
done
lemma nonzero_unat_simp:
"0 < unat (x::word32) \<Longrightarrow> 0 < x"
apply(auto dest: word_of_nat_less)
done
lemma decode_untyped_invocation_authorised:
"\<lbrace>invs and pas_refined aag and valid_cap cap
and cte_wp_at ((=) cap) slot
and (\<lambda>s. \<forall>cap\<in>set excaps.
is_cnode_cap cap \<longrightarrow>
(\<forall>r\<in>cte_refs cap (interrupt_irq_node s).
ex_cte_cap_wp_to is_cnode_cap r s))
and (\<lambda>s. \<forall>x\<in>set excaps. s \<turnstile> x)
and K (cap = cap.UntypedCap dev base sz idx
\<and> is_subject aag (fst slot)
\<and> (\<forall>c \<in> set excaps. pas_cap_cur_auth aag c)
\<and> (\<forall> ref \<in> untyped_range cap. is_subject aag ref))\<rbrace>
decode_untyped_invocation label args slot cap excaps
\<lbrace>\<lambda>rv s. authorised_untyped_inv aag rv\<rbrace>,-"
apply(rule hoare_gen_asmE)
apply(rule hoare_pre)
apply (strengthen authorised_untyped_invI[mk_strg I])
apply(wp dui_inv_wf | simp)+
apply (clarsimp simp: decode_untyped_invocation_def split_def
authorised_untyped_inv'_def
split del: if_split split: untyped_invocation.splits)
(* need to hoist the is_cnode_cap assumption into postcondition later on *)
apply (simp add: unlessE_def[symmetric] whenE_def[symmetric] unlessE_whenE
split del: if_split)
apply (wp whenE_throwError_wp hoare_vcg_all_lift mapME_x_inv_wp
| simp split: untyped_invocation.splits
| (auto)[1])+
apply (rule_tac Q="\<lambda>node_cap s.
(is_cnode_cap node_cap \<longrightarrow> is_subject aag (obj_ref_of node_cap)) \<and>
is_subject aag (fst slot) \<and>
new_type \<noteq> ArchObject ASIDPoolObj \<and>
(\<forall> cap. cte_wp_at ((=) cap) slot s \<longrightarrow>
(\<forall>ref\<in>ptr_range base (bits_of cap). is_subject aag ref))"
in hoare_strengthen_post)
apply (wp get_cap_inv get_cap_ret_is_subject)
apply (fastforce simp: nonzero_unat_simp)
apply clarsimp
apply(wp lookup_slot_for_cnode_op_authorised
lookup_slot_for_cnode_op_inv whenE_throwError_wp)+
apply(rule hoare_drop_imps)+
apply(clarsimp)
apply(rule_tac Q'="\<lambda>rv s. rv \<noteq> ArchObject ASIDPoolObj \<and>
(\<forall> cap. cte_wp_at ((=) cap) slot s \<longrightarrow>
(\<forall>ref\<in>ptr_range base (bits_of cap). is_subject aag ref)) \<and>
is_subject aag (fst slot) \<and>
pas_refined aag s \<and> 2 \<le> sz \<and>
sz < word_bits \<and> is_aligned base sz \<and>
(is_cnode_cap (excaps ! 0) \<longrightarrow>
(\<forall> x\<in>obj_refs (excaps ! 0). is_subject aag x))"
in hoare_post_imp_R)
apply(wp data_to_obj_type_ret_not_asid_pool data_to_obj_type_inv2)
apply(case_tac "excaps ! 0", simp_all, fastforce simp: nonzero_unat_simp)[1]
apply(wp whenE_throwError_wp)+
apply(auto dest!: bang_0_in_set
simp: valid_cap_def cap_aligned_def obj_ref_of_def is_cap_simps
cap_auth_conferred_def pas_refined_all_auth_is_owns
aag_cap_auth_def ptr_range_def untyped_min_bits_def
dest: cte_wp_at_eqD2 simp: bits_of_UntypedCap)
done
end
end
Reference in New Issue View Git Blame Copy Permalink