diff --git a/camkes/cdl-refine/Eval_CAMKES_CDL.thy b/camkes/cdl-refine/Eval_CAMKES_CDL.thy index a02b4ad5e5..1a1347223d 100644 --- a/camkes/cdl-refine/Eval_CAMKES_CDL.thy +++ b/camkes/cdl-refine/Eval_CAMKES_CDL.thy @@ -211,7 +211,7 @@ lemma Collect_asid_high__eval_helper: section \Assorted helpers\ lemma fun_upds_to_map_of[THEN eq_reflection]: "Map.empty = map_of []" - "(map_of xs(k \ v)) = map_of ((k, v) # xs)" + "((map_of xs)(k \ v)) = map_of ((k, v) # xs)" by auto lemma subst_eqn_helper: diff --git a/lib/Eisbach_Tools/Apply_Debug.thy b/lib/Eisbach_Tools/Apply_Debug.thy index ac9104eea0..3a13e03dc1 100644 --- a/lib/Eisbach_Tools/Apply_Debug.thy +++ b/lib/Eisbach_Tools/Apply_Debug.thy @@ -484,14 +484,14 @@ fun maybe_bind st (_,[tok]) ctxt = val local_facts = Facts.dest_static true [(Proof_Context.facts_of target)] local_facts; - val _ = Token.assign (SOME (Token.Declaration (fn phi => - Data.put (SOME (phi,ctxt, {private_dyn_facts = private_dyns, local_facts = local_facts}))))) tok; + val _ = Token.assign (SOME (Token.Declaration (Morphism.entity (fn phi => + Data.put (SOME (phi,ctxt, {private_dyn_facts = private_dyns, local_facts = local_facts})))))) tok; in ctxt end else let val SOME (Token.Declaration decl) = Token.get_value tok; - val dummy_ctxt = decl Morphism.identity (Context.Proof ctxt); + val dummy_ctxt = Morphism.form decl (Context.Proof ctxt); val SOME (phi,static_ctxt,{private_dyn_facts, local_facts}) = Data.get dummy_ctxt; val old_facts = Proof_Context.facts_of static_ctxt; diff --git a/lib/Eisbach_Tools/Apply_Trace.thy b/lib/Eisbach_Tools/Apply_Trace.thy index dba9ed5052..3e7a0943e8 100644 --- a/lib/Eisbach_Tools/Apply_Trace.thy +++ b/lib/Eisbach_Tools/Apply_Trace.thy 
@@ -225,7 +225,7 @@ let val deps = case query of SOME (raw_query,pos) => let - val pos' = perhaps (try (Position.advance_offsets 1)) pos; + val pos' = perhaps (try (Position.shift_offsets {remove_id = false} 1)) pos; val q = Find_Theorems.read_query pos' raw_query; val results = Find_Theorems.find_theorems_cmd ctxt (SOME thm) (SOME 1000000000) false q |> snd diff --git a/lib/Lib.thy b/lib/Lib.thy index 0948aa45c1..69c29df3f7a 100644 --- a/lib/Lib.thy +++ b/lib/Lib.thy @@ -2237,7 +2237,7 @@ lemma map_of_zip_is_index: lemma map_of_zip_take_update: "\i < length xs; length xs \ length ys; distinct xs\ - \ map_of (zip (take i xs) ys)(xs ! i \ (ys ! i)) = map_of (zip (take (Suc i) xs) ys)" + \ (map_of (zip (take i xs) ys)) (xs ! i \ ys ! i) = map_of (zip (take (Suc i) xs) ys)" apply (rule ext, rename_tac x) apply (case_tac "x=xs ! i"; clarsimp) apply (rule map_of_is_SomeI[symmetric]) diff --git a/lib/ML_Goal.thy b/lib/ML_Goal.thy index 3c9f499177..2121edb5d7 100644 --- a/lib/ML_Goal.thy +++ b/lib/ML_Goal.thy @@ -109,7 +109,7 @@ fun begin_proof ((name, attrs): Attrib.binding, ml_block: Input.source) ctxt = val ((res_name, res), ctxt') = Local_Theory.note (binding, thms) ctxt; val _ = - Proof_Display.print_results true start_pos ctxt' + Proof_Display.print_results { interactive = true, pos = start_pos, proof_state = true } ctxt' (("theorem", res_name), [("", res)]) in ctxt' end in diff --git a/lib/Qualify.thy b/lib/Qualify.thy index f8353cf152..4e73330173 100644 --- a/lib/Qualify.thy +++ b/lib/Qualify.thy @@ -110,7 +110,7 @@ val _ = Toplevel.theory (set_global_qualify {name = str, target_name = case target of SOME (nm, _) => nm | _ => str}))); fun syntax_alias global_alias local_alias b name = - Local_Theory.declaration {syntax = true, pervasive = true} (fn phi => + Local_Theory.declaration {syntax = true, pos = Position.none, pervasive = true} (fn phi => let val b' = Morphism.binding phi b in Context.mapping (global_alias b' name) (local_alias b' name) end); 
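Review bot: The new `pos = Position.none` in the `syntax_alias` declaration of Qualify.thy throws away the source position that the updated `Local_Theory.declaration` signature now lets a declaration carry, so any diagnostic attached to these alias declarations cannot point back to the command that produced them. The binding `b` is in scope and already carries a position, so `pos = Binding.pos_of b` (or `Position.thread_data ()` when the enclosing command position is wanted) is the more informative choice. The same `Position.none` appears in the Requalify.thy hunk and the defs.ML hunk of this patch and could be changed the same way. I have not checked what Isabelle uses the new field for beyond reporting, so confirm against the NEWS entry for this signature change before relying on it.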
diff --git a/lib/Requalify.thy b/lib/Requalify.thy index 34facce853..b06fdb3719 100644 --- a/lib/Requalify.thy +++ b/lib/Requalify.thy @@ -49,7 +49,7 @@ in end fun syntax_alias global_alias local_alias b (name : string) = - Local_Theory.declaration {syntax = false, pervasive = true} (fn phi => + Local_Theory.declaration {syntax = false, pos = Position.none, pervasive = true} (fn phi => let val b' = Morphism.binding phi b in Context.mapping (global_alias b' name) (local_alias b' name) end); diff --git a/lib/Word_Lib/Bitwise.thy b/lib/Word_Lib/Bitwise.thy index 4c5ffdfbeb..55e363a291 100644 --- a/lib/Word_Lib/Bitwise.thy +++ b/lib/Word_Lib/Bitwise.thy @@ -365,7 +365,7 @@ lemma upt_eq_list_intros: by (simp_all add: upt_eq_Cons_conv) -subsection \Tactic definition\ +text \Tactic definition\ lemma if_bool_simps: "If p True y = (p \ y) \ If p False y = (\ p \ y) \ diff --git a/lib/Word_Lib/More_Word.thy b/lib/Word_Lib/More_Word.thy index e4823f5085..6dd119ef44 100644 --- a/lib/Word_Lib/More_Word.thy +++ b/lib/Word_Lib/More_Word.thy @@ -1872,14 +1872,14 @@ lemma nth_0: "\ bit (0 :: 'a::len word) n" lemma nth_minus1: "bit (-1 :: 'a::len word) n \ n < LENGTH('a)" by transfer simp -lemma nth_ucast: +lemma nth_ucast_weak: "bit (ucast w::'a::len word) n = (bit w n \ n < LENGTH('a))" by transfer (simp add: bit_take_bit_iff ac_simps) -lemma drop_bit_numeral_bit0_1 [simp]: - \drop_bit (Suc 0) (numeral k) = - (word_of_int (drop_bit (Suc 0) (take_bit LENGTH('a) (numeral k))) :: 'a::len word)\ - by (metis Word_eq_word_of_int drop_bit_word.abs_eq of_int_numeral) +lemma nth_ucast: + "bit (ucast (w::'a::len word)::'b::len word) n = + (bit w n \ n < min LENGTH('a) LENGTH('b))" + by (auto simp: not_le nth_ucast_weak dest: bit_imp_le_length) lemma nth_mask: \bit (mask n :: 'a::len word) i \ i < n \ i < size (mask n :: 'a word)\ diff --git a/lib/Word_Lib/More_Word_Operations.thy b/lib/Word_Lib/More_Word_Operations.thy index 820adfaf8b..4cd8f6a1ca 100644 
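Review bot: The renamed `nth_ucast_weak` and the new, stronger `nth_ucast` in More_Word.thy carry no comment explaining why both forms are kept, and the Word_Lib_Sumo.thy hunk in this patch deletes the old `(* shadows the slightly weaker Word.nth_ucast *)` remark together with the `!!`-style copy of the lemma, so the relationship between the two is no longer recorded anywhere. A one-line comment above `nth_ucast_weak` such as `(* one-sided form, formerly nth_ucast; the two-sided nth_ucast below replaces the copy that used to live in Word_Lib_Sumo *)` would preserve it. Separately, `drop_bit_numeral_bit0_1 [simp]` is removed without a replacement; presumably the rule now comes from the upstream word library, but if it does not, downstream simp sets that relied on it silently lose it, which is worth confirming before merge.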
--- a/lib/Word_Lib/More_Word_Operations.thy +++ b/lib/Word_Lib/More_Word_Operations.thy @@ -302,13 +302,21 @@ lemma alignUp_not_aligned_eq: and sz: "n < LENGTH('a)" shows "alignUp a n = (a div 2 ^ n + 1) * 2 ^ n" proof - + from \n < LENGTH('a)\ have \(2::int) ^ n < 2 ^ LENGTH('a)\ + by simp + with take_bit_int_less_exp [of n] + have *: \take_bit n k < 2 ^ LENGTH('a)\ for k :: int + by (rule less_trans) have anz: "a mod 2 ^ n \ 0" by (rule not_aligned_mod_nz) fact+ - - then have um: "unat (a mod 2 ^ n - 1) div 2 ^ n = 0" using sz - by (meson Euclidean_Division.div_eq_0_iff le_m1_iff_lt measure_unat order_less_trans - unat_less_power word_less_sub_le word_mod_less_divisor) - + then have um: "unat (a mod 2 ^ n - 1) div 2 ^ n = 0" + apply (transfer fixing: n) using sz + apply (simp flip: take_bit_eq_mod add: div_eq_0_iff) + apply (subst take_bit_int_eq_self) + using * + apply (auto simp add: diff_less_eq intro: less_imp_le) + apply (simp add: less_le) + done have "a + 2 ^ n - 1 = (a div 2 ^ n) * 2 ^ n + (a mod 2 ^ n) + 2 ^ n - 1" by (simp add: word_mod_div_equality) also have "\ = (a mod 2 ^ n - 1) + (a div 2 ^ n + 1) * 2 ^ n" diff --git a/lib/Word_Lib/Signed_Division_Word.thy b/lib/Word_Lib/Signed_Division_Word.thy index 14a7ab54cf..f5d9445df5 100644 --- a/lib/Word_Lib/Signed_Division_Word.thy +++ b/lib/Word_Lib/Signed_Division_Word.thy @@ -10,6 +10,12 @@ theory Signed_Division_Word imports "HOL-Library.Signed_Division" "HOL-Library.Word" begin +text \ + The following specification of division follows ISO C99, which in turn adopted the typical + behavior of hardware modern in the beginning of the 1990ies. + The underlying integer division is named ``T-division'' in \cite{leijen01}. +\ + instantiation word :: (len) signed_division begin diff --git a/lib/Word_Lib/Word_Lemmas.thy b/lib/Word_Lib/Word_Lemmas.thy index f0f25f1d7e..965ace53e7 100644 --- a/lib/Word_Lib/Word_Lemmas.thy +++ b/lib/Word_Lib/Word_Lemmas.thy 
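Review bot: In the new proof of `alignUp_not_aligned_eq`, the first added step re-quotes the assumption as a cartouche although the same fact is already named `sz` two lines above; `from sz have "(2::int) ^ n < 2 ^ LENGTH('a)" by simp` is shorter and will not break if the statement of `sz` is ever reformatted. The proof of `um` has also grown from a single `by (meson ...)` call into a seven-line apply script inside the structured `proof -` block; if `transfer` followed by `simp` cannot be collapsed into one `by` call, a short comment on why the detour through `take_bit` and the auxiliary fact `*` is needed would help the next reader. The enclosing lemma continues outside the hunk.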
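Review bot: The added `text` block in Signed_Division_Word.thy cites `\cite{leijen01}`, but nothing in this patch adds the corresponding BibTeX entry; if the Word_Lib session is built with document output, an unresolved citation surfaces as a LaTeX warning or, depending on the session's settings, a failed document build, so the entry should be added to the session's bibliography in the same change (or the citation dropped). The prose also reads awkwardly: `the typical behaviour of hardware that was modern at the beginning of the 1990s` would be clearer than `hardware modern in the beginning of the 1990ies`. Whether this session produces a document at all is not visible here.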
@@ -153,8 +153,8 @@ lemma sshiftr_n1: "-1 >>> n = -1" lemma nth_sshiftr: "bit (w >>> m) n = (n < size w \ (if n + m \ size w then bit w (size w - 1) else bit w (n + m)))" - apply (clarsimp simp add: bit_simps word_size ac_simps not_less) - apply (metis add.commute bit_imp_le_length bit_shiftr_word_iff le_diff_conv not_le) + apply (auto simp add: bit_simps word_size ac_simps not_less) + apply (meson bit_imp_le_length bit_shiftr_word_iff leD) done lemma sshiftr_numeral: @@ -508,8 +508,9 @@ next also have \\ \ unat x < 2 ^ n div 2 ^ y\ using * by (simp add: less_le) finally show ?thesis - using that \x \ 0\ by (simp flip: push_bit_eq_mult drop_bit_eq_div - add: shiftr_def shiftl_def unat_drop_bit_eq word_less_iff_unsigned [where ?'a = nat]) + using that \x \ 0\ + by (simp flip: push_bit_eq_mult drop_bit_eq_div + add: shiftr_def shiftl_def unat_drop_bit_eq word_less_iff_unsigned [where ?'a = nat]) qed qed qed @@ -716,7 +717,8 @@ lemma word_and_notzeroD: lemma shiftr_le_0: "unat (w::'a::len word) < 2 ^ n \ w >> n = (0::'a::len word)" by (auto simp add: take_bit_word_eq_self_iff word_less_nat_alt shiftr_def - simp flip: take_bit_eq_self_iff_drop_bit_eq_0 intro: ccontr) + simp flip: take_bit_eq_self_iff_drop_bit_eq_0 + intro: ccontr) lemma of_nat_shiftl: "(of_nat x << n) = (of_nat (x * 2 ^ n) :: ('a::len) word)" @@ -1466,9 +1468,9 @@ lemma mask_shift_sum: "\ a \ b; unat n = unat (p AND mask b) \ \ (p AND NOT(mask a)) + (p AND mask a >> b) * (1 << b) + n = (p :: 'a :: len word)" apply (simp add: shiftl_def shiftr_def flip: push_bit_eq_mult take_bit_eq_mask word_unat_eq_iff) - apply (subst disjunctive_add, clarsimp simp add: bit_simps)+ + apply (subst disjunctive_add, fastforce simp: bit_simps)+ apply (rule bit_word_eqI) - apply (auto simp add: bit_simps) + apply (fastforce simp: bit_simps)[1] done lemma is_up_compose: 
@@ -1583,10 +1585,7 @@ next apply (rule impI) apply (subst bit_eq_iff) apply (simp add: bit_take_bit_iff bit_signed_take_bit_iff min_def) - apply (auto simp add: Suc_le_eq) - using less_imp_le_nat apply blast - using less_imp_le_nat apply blast - done + by (auto simp add: Suc_le_eq) (meson dual_order.strict_iff_not)+ qed lemma scast_ucast_mask_compare: @@ -1820,11 +1819,7 @@ proof (rule classical) apply (insert sdiv_int_range [where a="sint a" and b="sint b"])[1] apply (clarsimp simp: word_size) apply (insert sdiv_int_range [where a="sint a" and b="sint b"])[1] - apply auto - apply (cases \size a\) - apply simp_all - apply (smt (z3) One_nat_def diff_Suc_1 signed_word_eqI sint_int_min sint_range_size wsst_TYs(3)) - done + by (smt (verit, best) One_nat_def signed_word_eqI sint_greater_eq sint_int_min sint_less wsst_TYs(3)) have result_range_simple: "(sint a sdiv sint b \ ?range) \ ?thesis" apply (insert sdiv_int_range [where a="sint a" and b="sint b"]) diff --git a/lib/Word_Lib/Word_Lib_Sumo.thy b/lib/Word_Lib/Word_Lib_Sumo.thy index c2eef56648..b12d5acdf5 100644 --- a/lib/Word_Lib/Word_Lib_Sumo.thy +++ b/lib/Word_Lib/Word_Lib_Sumo.thy @@ -131,10 +131,4 @@ notation (input) lemmas cast_simps = cast_simps ucast_down_bl -(* shadows the slightly weaker Word.nth_ucast *) -lemma nth_ucast: - "(ucast (w::'a::len word)::'b::len word) !! n = - (w !! n \ n < min LENGTH('a) LENGTH('b))" - by (auto simp: not_le dest: bit_imp_le_length) - end diff --git a/lib/clib/CCorresLemmas.thy b/lib/clib/CCorresLemmas.thy index 94a6a6cc08..8f712fb50a 100644 --- a/lib/clib/CCorresLemmas.thy +++ b/lib/clib/CCorresLemmas.thy 
@@ -518,7 +518,7 @@ lemma lift_t_super_update: and eu: "export_uinfo s = typ_uinfo_t TYPE('b)" and lp: "lift_t g (h, d) p = Some v'" shows "lift_t g (heap_update (Ptr &(p\f)) v h, d) - = lift_t g (h, d)(p \ field_update (field_desc s) (to_bytes_p v) v')" + = (lift_t g (h, d)) (p \ field_update (field_desc s) (to_bytes_p v) v')" using fl eu lp apply - apply (rule trans [OF lift_t_super_field_update super_field_update_lookup]) diff --git a/lib/defs.ML b/lib/defs.ML index 324867ed36..57e72712bd 100644 --- a/lib/defs.ML +++ b/lib/defs.ML @@ -29,7 +29,7 @@ val opt_unchecked_overloaded = @{keyword "overloaded"} >> K (false, true)) --| @{keyword ")"})) (false, false); fun syntax_alias global_alias local_alias b name = - Local_Theory.declaration {syntax = true, pervasive = true} (fn phi => + Local_Theory.declaration {syntax = true, pos = Position.none, pervasive = true} (fn phi => let val b' = Morphism.binding phi b in Context.mapping (global_alias b' name) (local_alias b' name) end); diff --git a/misc/jedit/macros/goto-error.bsh b/misc/jedit/macros/goto-error.bsh index d727d5dfb4..3fc260c0d8 100644 --- a/misc/jedit/macros/goto-error.bsh +++ b/misc/jedit/macros/goto-error.bsh @@ -25,8 +25,8 @@ import isabelle.jedit.*; msg(s) { Macros.message(view, s); } // isabelle setup -model = Document_Model.get(textArea.getBuffer()); -snapshot = model.get().snapshot(); +model = Document_Model.get_model(textArea.getBuffer()); +snapshot = Document_Model.snapshot(model.get()); class FirstError { public int first_error_pos = -1; diff --git a/proof/access-control/ARM/ArchAccess.thy b/proof/access-control/ARM/ArchAccess.thy index 4538c300a7..f84b5dde16 100644 --- a/proof/access-control/ARM/ArchAccess.thy +++ b/proof/access-control/ARM/ArchAccess.thy 
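Review bot: In goto-error.bsh, `model.get()` on the new `Document_Model.get_model(...)` result still dereferences it without checking that a model exists for the buffer, so running the macro on a buffer that is not part of the Isabelle document (a scratch buffer, or before the prover has started) aborts with an exception instead of a message. Assuming `get_model` returns a Scala `Option` as the old `get` did, guard it: `model = Document_Model.get_model(textArea.getBuffer()); if (!model.isDefined()) { msg("No Isabelle document model for this buffer"); return; }` before `snapshot = Document_Model.snapshot(model.get());`. The old code had the same gap, so this is a pre-existing issue the migration could close rather than a regression.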
@@ -196,10 +196,10 @@ lemmas integrity_asids_kh_upds = declare integrity_asids_def[simp] lemma integrity_asids_kh_upds': - "integrity_asids aag subjects x a (s\kheap := kheap s(p \ CNode sz cs)\) s" - "integrity_asids aag subjects x a (s\kheap := kheap s(p \ TCB tcb)\) s" - "integrity_asids aag subjects x a (s\kheap := kheap s(p \ Endpoint ep)\) s" - "integrity_asids aag subjects x a (s\kheap := kheap s(p \ Notification ntfn)\) s" + "integrity_asids aag subjects x a (s\kheap := (kheap s)(p \ CNode sz cs)\) s" + "integrity_asids aag subjects x a (s\kheap := (kheap s)(p \ TCB tcb)\) s" + "integrity_asids aag subjects x a (s\kheap := (kheap s)(p \ Endpoint ep)\) s" + "integrity_asids aag subjects x a (s\kheap := (kheap s)(p \ Notification ntfn)\) s" by auto lemma integrity_asids_kh_update: diff --git a/proof/access-control/ARM/ArchAccess_AC.thy b/proof/access-control/ARM/ArchAccess_AC.thy index af0d42118d..39112a65cc 100644 --- a/proof/access-control/ARM/ArchAccess_AC.thy +++ b/proof/access-control/ARM/ArchAccess_AC.thy @@ -91,7 +91,7 @@ lemma integrity_asids_refl[Access_AC_assms, simp]: lemma integrity_asids_update_autarch[Access_AC_assms]: "\ \x a. integrity_asids aag subjects x a st s; is_subject aag ptr \ - \ \x a. integrity_asids aag subjects x a st (s\kheap := kheap s(ptr \ obj)\)" + \ \x a. integrity_asids aag subjects x a st (s\kheap := (kheap s)(ptr \ obj)\)" by simp end diff --git a/proof/access-control/ARM/ArchCNode_AC.thy b/proof/access-control/ARM/ArchCNode_AC.thy index 1e5cc2acb5..9c69e20017 100644 --- a/proof/access-control/ARM/ArchCNode_AC.thy +++ b/proof/access-control/ARM/ArchCNode_AC.thy 
@@ -78,14 +78,14 @@ crunches prepare_thread_delete, arch_finalise_cap (wp: crunch_wps hoare_vcg_if_lift2 simp: unless_def) lemma state_vrefs_tcb_upd[CNode_AC_assms]: - "tcb_at t s \ state_vrefs (s\kheap := kheap s(t \ TCB tcb)\) = state_vrefs s" + "tcb_at t s \ state_vrefs (s\kheap := (kheap s)(t \ TCB tcb)\) = state_vrefs s" apply (rule ext) apply (auto simp: state_vrefs_def vs_refs_no_global_pts_def tcb_at_def dest!: get_tcb_SomeD) done lemma state_vrefs_simple_type_upd[CNode_AC_assms]: "\ ko_at ko ptr s; is_simple_type ko; a_type ko = a_type (f val) \ - \ state_vrefs (s\kheap := kheap s(ptr \ f val)\) = state_vrefs s" + \ state_vrefs (s\kheap := (kheap s)(ptr \ f val)\) = state_vrefs s" apply (rule ext) apply (auto simp: state_vrefs_def vs_refs_no_global_pts_def obj_at_def partial_inv_def a_type_def split: kernel_object.splits arch_kernel_obj.splits if_splits) diff --git a/proof/access-control/ARM/ArchFinalise_AC.thy b/proof/access-control/ARM/ArchFinalise_AC.thy index 901acccf2c..37a9bdfdd2 100644 --- a/proof/access-control/ARM/ArchFinalise_AC.thy +++ b/proof/access-control/ARM/ArchFinalise_AC.thy @@ -93,7 +93,7 @@ proof (induct rule: cap_revoke.induct[where ?a1.0=s]) qed lemma finalise_cap_caps_of_state_nullinv[Finalise_AC_assms]: - "\\s. P (caps_of_state s) \ (\p. P (caps_of_state s(p \ NullCap)))\ + "\\s. P (caps_of_state s) \ (\p. P ((caps_of_state s)(p \ NullCap)))\ finalise_cap cap final \\_ s. P (caps_of_state s)\" by (cases cap; diff --git a/proof/access-control/ARM/ArchIpc_AC.thy b/proof/access-control/ARM/ArchIpc_AC.thy index ccd47639e2..74034f569a 100644 --- a/proof/access-control/ARM/ArchIpc_AC.thy +++ b/proof/access-control/ARM/ArchIpc_AC.thy 
@@ -175,7 +175,7 @@ lemma handle_arch_fault_reply_respects[Ipc_AC_assms]: lemma auth_ipc_buffers_kheap_update[Ipc_AC_assms]: "\ x \ auth_ipc_buffers st thread; kheap st thread = Some (TCB tcb); kheap s thread = Some (TCB tcb'); tcb_ipcframe tcb = tcb_ipcframe tcb' \ - \ x \ auth_ipc_buffers (s\kheap := kheap s(thread \ TCB tcb)\) thread" + \ x \ auth_ipc_buffers (s\kheap := (kheap s)(thread \ TCB tcb)\) thread" by (clarsimp simp: auth_ipc_buffers_member_def get_tcb_def caps_of_state_tcb) lemma auth_ipc_buffers_machine_state_update[Ipc_AC_assms, simp]: diff --git a/proof/access-control/Access_AC.thy b/proof/access-control/Access_AC.thy index 95a7b899b0..1c061ed0d2 100644 --- a/proof/access-control/Access_AC.thy +++ b/proof/access-control/Access_AC.thy @@ -208,17 +208,17 @@ lemmas state_objs_to_policy_cases lemma tcb_states_of_state_preserved: "\ get_tcb thread s = Some tcb; tcb_state tcb' = tcb_state tcb \ - \ tcb_states_of_state (s\kheap := kheap s(thread \ TCB tcb')\) = tcb_states_of_state s" + \ tcb_states_of_state (s\kheap := (kheap s)(thread \ TCB tcb')\) = tcb_states_of_state s" by (auto split: option.splits simp: tcb_states_of_state_def get_tcb_def) lemma thread_st_auth_preserved: "\ get_tcb thread s = Some tcb; tcb_state tcb' = tcb_state tcb \ - \ thread_st_auth (s\kheap := kheap s(thread \ TCB tcb')\) = thread_st_auth s" + \ thread_st_auth (s\kheap := (kheap s)(thread \ TCB tcb')\) = thread_st_auth s" by (simp add: tcb_states_of_state_preserved thread_st_auth_def) lemma thread_bound_ntfns_preserved: "\ get_tcb thread s = Some tcb; tcb_bound_notification tcb' = tcb_bound_notification tcb \ - \ thread_bound_ntfns (s\kheap := kheap s(thread \ TCB tcb')\) = thread_bound_ntfns s" + \ thread_bound_ntfns (s\kheap := (kheap s)(thread \ TCB tcb')\) = thread_bound_ntfns s" by (auto simp: thread_bound_ntfns_def get_tcb_def split: option.splits) lemma is_transferable_null_filter[simp]: 
@@ -865,7 +865,7 @@ locale Access_AC_2 = Access_AC_1 + \ (\x a. integrity_asids aag subjects x a s s'')" and integrity_asids_update_autarch: "\ \x a. integrity_asids aag {pasSubject aag} x a s s'; is_subject aag ptr \ - \ \x a. integrity_asids aag {pasSubject aag} x a s (s'\kheap := kheap s'(ptr \ obj)\)" + \ \x a. integrity_asids aag {pasSubject aag} x a s (s'\kheap := (kheap s')(ptr \ obj)\)" begin section \Generic AC stuff\ @@ -980,7 +980,7 @@ lemma integrity_refl [simp]: lemma integrity_update_autarch: "\ integrity aag X st s; is_subject aag ptr \ - \ integrity aag X st (s\kheap := kheap s(ptr \ obj)\)" + \ integrity aag X st (s\kheap := (kheap s)(ptr \ obj)\)" unfolding integrity_subjects_def apply (intro conjI,simp_all) apply clarsimp diff --git a/proof/access-control/CNode_AC.thy b/proof/access-control/CNode_AC.thy index de40cd12e5..a1d2631eec 100644 --- a/proof/access-control/CNode_AC.thy +++ b/proof/access-control/CNode_AC.thy @@ -56,11 +56,11 @@ locale CNode_AC_1 = \ state_asids_to_policy_arch aag (caps(ptr \ cap, ptr' \ cap')) as vrefs \ pasPolicy aag" and state_vrefs_tcb_upd: "\ pspace_aligned s; valid_vspace_objs s; valid_arch_state s; tcb_at tptr s \ - \ state_vrefs (s\kheap := kheap s(tptr \ TCB tcb)\) = state_vrefs s" + \ state_vrefs (s\kheap := (kheap s)(tptr \ TCB tcb)\) = state_vrefs s" and state_vrefs_simple_type_upd: "\ pspace_aligned s; valid_vspace_objs s; valid_arch_state s; ko_at ko p s; is_simple_type ko; a_type ko = a_type (f (val :: 'b)) \ - \ state_vrefs (s\kheap := kheap s(p \ f val)\) = state_vrefs s" + \ state_vrefs (s\kheap := (kheap s)(p \ f val)\) = state_vrefs s" and a_type_arch_object_not_tcb[simp]: "a_type (ArchObj arch_kernel_obj) \ ATCB" and set_cap_state_vrefs: 
@@ -969,10 +969,10 @@ lemma set_untyped_cap_as_full_is_transferable[wp]: using untyped_not_transferable max_free_index_update_preserve_untyped by simp lemma set_untyped_cap_as_full_is_transferable': - "\\s. is_transferable ((caps_of_state s(slot2 \ new_cap)) slot3) \ + "\\s. is_transferable (((caps_of_state s)(slot2 \ new_cap)) slot3) \ Some src_cap = (caps_of_state s slot)\ set_untyped_cap_as_full src_cap new_cap slot - \\_ s. is_transferable ((caps_of_state s(slot2 \ new_cap)) slot3)\" + \\_ s. is_transferable (((caps_of_state s)(slot2 \ new_cap)) slot3)\" apply (clarsimp simp: set_untyped_cap_as_full_def) apply safe apply (wp,fastforce)+ diff --git a/proof/access-control/DomainSepInv.thy b/proof/access-control/DomainSepInv.thy index 9dd12f51f8..4ea7c3ce0a 100644 --- a/proof/access-control/DomainSepInv.thy +++ b/proof/access-control/DomainSepInv.thy @@ -133,7 +133,7 @@ crunch domain_sep_inv[wp]: set_extra_badge "domain_sep_inv irqs st" lemma set_cap_neg_cte_wp_at_other_helper': "\ oslot \ slot; ko_at (TCB x) (fst oslot) s; tcb_cap_cases (snd oslot) = Some (ogetF, osetF, orestr); - kheap (s\kheap := kheap s(fst oslot \ TCB (osetF (\ x. cap) x))\) (fst slot) = Some (TCB tcb); + kheap (s\kheap := (kheap s)(fst oslot \ TCB (osetF (\ x. cap) x))\) (fst slot) = Some (TCB tcb); tcb_cap_cases (snd slot) = Some (getF, setF, restr); P (getF tcb) \ \ cte_wp_at P slot s" apply (case_tac "fst oslot = fst slot") @@ -150,7 +150,7 @@ lemma set_cap_neg_cte_wp_at_other_helper': lemma set_cap_neg_cte_wp_at_other_helper: "\ \ cte_wp_at P slot s; oslot \ slot; ko_at (TCB x) (fst oslot) s; tcb_cap_cases (snd oslot) = Some (getF, setF, restr) \ - \ \ cte_wp_at P slot (s\kheap := kheap s(fst oslot \ TCB (setF (\ x. cap) x))\)" + \ \ cte_wp_at P slot (s\kheap := (kheap s)(fst oslot \ TCB (setF (\ x. cap) x))\)" apply (rule notI) apply (erule cte_wp_atE) apply (fastforce elim: notE intro: cte_wp_at_cteI split: if_splits) 
diff --git a/proof/access-control/Finalise_AC.thy b/proof/access-control/Finalise_AC.thy index 6910643e74..d457a2c991 100644 --- a/proof/access-control/Finalise_AC.thy +++ b/proof/access-control/Finalise_AC.thy @@ -1085,7 +1085,7 @@ lemma empty_slot_cte_wp_at: by (wpsimp wp: empty_slot_caps_of_state) lemma deleting_irq_handler_caps_of_state_nullinv: - "\\s. \p. P (caps_of_state s(p \ NullCap))\ + "\\s. \p. P ((caps_of_state s)(p \ NullCap))\ deleting_irq_handler irq \\_ s. P (caps_of_state s)\" unfolding deleting_irq_handler_def @@ -1104,7 +1104,7 @@ locale Finalise_AC_2 = Finalise_AC_1 + \\_. (\s. trp \ integrity aag X st s) and pas_refined aag\, \\_. (\s. trp \ integrity aag X st s) and pas_refined aag\" and finalise_cap_caps_of_state_nullinv: - "\P. \\s :: det_ext state. P (caps_of_state s) \ (\p. P (caps_of_state s(p \ NullCap)))\ + "\P. \\s :: det_ext state. P (caps_of_state s) \ (\p. P ((caps_of_state s)(p \ NullCap)))\ finalise_cap cap final \\rv s. P (caps_of_state s)\" and finalise_cap_fst_ret: diff --git a/proof/access-control/Ipc_AC.thy b/proof/access-control/Ipc_AC.thy index 08b05b44d6..622495d2c9 100644 --- a/proof/access-control/Ipc_AC.thy +++ b/proof/access-control/Ipc_AC.thy @@ -178,8 +178,8 @@ lemma send_upd_ctxintegrity: integrity aag X st s; st_tcb_at ((=) Running) thread s; get_tcb thread st = Some tcb; get_tcb thread s = Some tcb'\ \ integrity aag X st - (s\kheap := kheap s(thread \ - TCB (tcb'\tcb_arch := arch_tcb_context_set c' (tcb_arch tcb')\))\)" + (s\kheap := (kheap s) + (thread \ TCB (tcb'\tcb_arch := arch_tcb_context_set c' (tcb_arch tcb')\))\)" apply (clarsimp simp: integrity_def tcb_states_of_state_preserved st_tcb_def2) apply (rule conjI) prefer 2 
@@ -1742,7 +1742,7 @@ locale Ipc_AC_2 = Ipc_AC_1 + and auth_ipc_buffers_kheap_update: "\ x \ auth_ipc_buffers st thread; kheap st thread = Some (TCB tcb); kheap s thread = Some (TCB tcb'); tcb_ipcframe tcb = tcb_ipcframe tcb' \ - \ x \ auth_ipc_buffers (s\kheap := kheap s(thread \ TCB tcb)\) thread" + \ x \ auth_ipc_buffers (s\kheap := (kheap s)(thread \ TCB tcb)\) thread" and auth_ipc_buffers_machine_state_update[simp]: "auth_ipc_buffers (machine_state_update f s) = auth_ipc_buffers (s :: det_ext state)" and empty_slot_extended_list_integ_lift_in_ipc: diff --git a/proof/access-control/RISCV64/ArchAccess.thy b/proof/access-control/RISCV64/ArchAccess.thy index 98caca94ee..8c48f69eb3 100644 --- a/proof/access-control/RISCV64/ArchAccess.thy +++ b/proof/access-control/RISCV64/ArchAccess.thy @@ -186,10 +186,10 @@ lemmas integrity_asids_kh_upds = declare integrity_asids_def[simp] lemma integrity_asids_kh_upds': - "integrity_asids aag subjects x a (s\kheap := kheap s(p \ CNode sz cs)\) s" - "integrity_asids aag subjects x a (s\kheap := kheap s(p \ TCB tcb)\) s" - "integrity_asids aag subjects x a (s\kheap := kheap s(p \ Endpoint ep)\) s" - "integrity_asids aag subjects x a (s\kheap := kheap s(p \ Notification ntfn)\) s" + "integrity_asids aag subjects x a (s\kheap := (kheap s)(p \ CNode sz cs)\) s" + "integrity_asids aag subjects x a (s\kheap := (kheap s)(p \ TCB tcb)\) s" + "integrity_asids aag subjects x a (s\kheap := (kheap s)(p \ Endpoint ep)\) s" + "integrity_asids aag subjects x a (s\kheap := (kheap s)(p \ Notification ntfn)\) s" by (auto simp: opt_map_def split: option.splits) lemma integrity_asids_kh_update: diff --git a/proof/access-control/RISCV64/ArchAccess_AC.thy b/proof/access-control/RISCV64/ArchAccess_AC.thy index c07e39b7d6..0d5405dbed 100644 --- a/proof/access-control/RISCV64/ArchAccess_AC.thy +++ b/proof/access-control/RISCV64/ArchAccess_AC.thy 
@@ -82,7 +82,7 @@ lemma integrity_asids_refl[Access_AC_assms, simp]: lemma integrity_asids_update_autarch[Access_AC_assms]: "\ \x a. integrity_asids aag {pasSubject aag} x a st s; is_subject aag ptr \ - \ \x a. integrity_asids aag {pasSubject aag} x a st (s\kheap := kheap s(ptr \ obj)\)" + \ \x a. integrity_asids aag {pasSubject aag} x a st (s\kheap := (kheap s)(ptr \ obj)\)" by (auto simp: opt_map_def) end diff --git a/proof/access-control/RISCV64/ArchArch_AC.thy b/proof/access-control/RISCV64/ArchArch_AC.thy index 6bf14bae47..6389915bfa 100644 --- a/proof/access-control/RISCV64/ArchArch_AC.thy +++ b/proof/access-control/RISCV64/ArchArch_AC.thy @@ -541,7 +541,7 @@ lemma perform_pt_inv_unmap_pas_refined: lemma vs_lookup_PageTablePTE: "\ vs_lookup_table level asid vref s' = Some (lvl', pt); pspace_aligned s; valid_vspace_objs s; valid_asid_table s; - invalid_pte_at p s; ptes_of s' = ptes_of s (p \ pte); is_PageTablePTE pte; + invalid_pte_at p s; ptes_of s' = (ptes_of s)(p \ pte); is_PageTablePTE pte; asid_pools_of s' = asid_pools_of s; asid_table s' = asid_table s; vref \ user_region; pts_of s (the (pte_ref pte)) = Some empty_pt; pt \ pptr_from_pte pte \ @@ -584,7 +584,7 @@ lemma vs_lookup_PageTablePTE: lemma vs_lookup_PageTablePTE': "\ vs_lookup_table level asid vref s = Some (lvl', pt); pspace_aligned s; valid_vspace_objs s; valid_asid_table s; - invalid_pte_at p s; ptes_of s' = ptes_of s (p \ pte); is_PageTablePTE pte; + invalid_pte_at p s; ptes_of s' = (ptes_of s)(p \ pte); is_PageTablePTE pte; asid_pools_of s' = asid_pools_of s; asid_table s' = asid_table s; vref \ user_region \ \ \level' \ level. vs_lookup_table level' asid vref s' = Some (lvl', pt)" apply (induct level arbitrary: lvl' pt rule: bit0.from_top_full_induct[where y=max_pt_level]) diff --git a/proof/access-control/RISCV64/ArchCNode_AC.thy b/proof/access-control/RISCV64/ArchCNode_AC.thy index ae5a893e22..ee263cd699 100644 --- a/proof/access-control/RISCV64/ArchCNode_AC.thy 
+++ b/proof/access-control/RISCV64/ArchCNode_AC.thy @@ -101,14 +101,14 @@ crunches prepare_thread_delete, arch_finalise_cap lemma state_vrefs_tcb_upd[CNode_AC_assms]: "\ pspace_aligned s; valid_vspace_objs s; valid_arch_state s; tcb_at t s \ - \ state_vrefs (s\kheap := kheap s(t \ TCB tcb)\) = state_vrefs s" + \ state_vrefs (s\kheap := (kheap s)(t \ TCB tcb)\) = state_vrefs s" apply (rule state_vrefs_eqI) by (fastforce simp: opt_map_def obj_at_def is_obj_defs valid_arch_state_def)+ lemma state_vrefs_simple_type_upd[CNode_AC_assms]: "\ pspace_aligned s; valid_vspace_objs s; valid_arch_state s; ko_at ko ptr s; is_simple_type ko; a_type ko = a_type (f val) \ - \ state_vrefs (s\kheap := kheap s(ptr \ f val)\) = state_vrefs s" + \ state_vrefs (s\kheap := (kheap s)(ptr \ f val)\) = state_vrefs s" apply (case_tac ko; case_tac "f val"; clarsimp) by (fastforce intro!: state_vrefs_eqI simp: opt_map_def obj_at_def is_obj_defs valid_arch_state_def)+ diff --git a/proof/access-control/RISCV64/ArchFinalise_AC.thy b/proof/access-control/RISCV64/ArchFinalise_AC.thy index 821507266c..6068ca8b1f 100644 --- a/proof/access-control/RISCV64/ArchFinalise_AC.thy +++ b/proof/access-control/RISCV64/ArchFinalise_AC.thy @@ -172,7 +172,7 @@ crunches set_asid_pool lemma set_asid_pool_tcb_states_of_state[wp]: "set_asid_pool p pool \\s. P (tcb_states_of_state s)\" apply (wpsimp wp: set_object_wp_strong simp: obj_at_def set_asid_pool_def) - apply (prop_tac "\x. get_tcb x (s\kheap := kheap s(p \ ArchObj (ASIDPool pool))\) = get_tcb x s") + apply (prop_tac "\x. get_tcb x (s\kheap := (kheap s)(p \ ArchObj (ASIDPool pool))\) = get_tcb x s") apply (auto simp: tcb_states_of_state_def get_tcb_def) done 
@@ -266,7 +266,7 @@ proof (induct rule: cap_revoke.induct[where ?a1.0=s]) qed lemma finalise_cap_caps_of_state_nullinv[Finalise_AC_assms]: - "\\s. P (caps_of_state s) \ (\p. P (caps_of_state s(p \ NullCap)))\ + "\\s. P (caps_of_state s) \ (\p. P ((caps_of_state s)(p \ NullCap)))\ finalise_cap cap final \\_ s. P (caps_of_state s)\" by (cases cap; diff --git a/proof/access-control/RISCV64/ArchIpc_AC.thy b/proof/access-control/RISCV64/ArchIpc_AC.thy index 091abf877a..c3cd95d626 100644 --- a/proof/access-control/RISCV64/ArchIpc_AC.thy +++ b/proof/access-control/RISCV64/ArchIpc_AC.thy @@ -175,7 +175,7 @@ lemma handle_arch_fault_reply_respects[Ipc_AC_assms]: lemma auth_ipc_buffers_kheap_update[Ipc_AC_assms]: "\ x \ auth_ipc_buffers st thread; kheap st thread = Some (TCB tcb); kheap s thread = Some (TCB tcb'); tcb_ipcframe tcb = tcb_ipcframe tcb' \ - \ x \ auth_ipc_buffers (s\kheap := kheap s(thread \ TCB tcb)\) thread" + \ x \ auth_ipc_buffers (s\kheap := (kheap s)(thread \ TCB tcb)\) thread" by (clarsimp simp: auth_ipc_buffers_member_def get_tcb_def caps_of_state_tcb) lemma auth_ipc_buffers_machine_state_update[Ipc_AC_assms, simp]: diff --git a/proof/capDL-api/Invocation_DP.thy b/proof/capDL-api/Invocation_DP.thy index 56a9ae7c76..d1736068d1 100644 --- a/proof/capDL-api/Invocation_DP.thy +++ b/proof/capDL-api/Invocation_DP.thy @@ -1142,13 +1142,13 @@ lemma sep_map_c_asid_reset: apply clarsimp apply (case_tac "\ has_slots obj") apply simp - apply (rule_tac x = "update_slots (object_slots obj(snd ptr \ cap')) obj" + apply (rule_tac x = "update_slots ((object_slots obj)(snd ptr \ cap')) obj" in exI) apply (simp add:sep_map_general_def object_to_sep_state_slot) apply clarsimp apply (case_tac "\ has_slots obj") apply simp - apply (rule_tac x = "update_slots (object_slots obj(snd ptr \ cap)) obj" + apply (rule_tac x = "update_slots ((object_slots obj)(snd ptr \ cap)) obj" in exI) apply (simp add:sep_map_general_def object_to_sep_state_slot) done 
diff --git a/proof/crefine/ARM/IpcCancel_C.thy b/proof/crefine/ARM/IpcCancel_C.thy index 1b448ccab0..5a7a7e1216 100644 --- a/proof/crefine/ARM/IpcCancel_C.thy +++ b/proof/crefine/ARM/IpcCancel_C.thy @@ -2637,8 +2637,8 @@ lemma cpspace_relation_ep_update_an_ep: and pal: "pspace_aligned' s" "pspace_distinct' s" and others: "\epptr' ep'. \ ko_at' ep' epptr' s; epptr' \ epptr; ep' \ IdleEP \ \ set (epQueue ep') \ (ctcb_ptr_to_tcb_ptr ` S) = {}" - shows "cmap_relation (map_to_eps (ksPSpace s(epptr \ KOEndpoint ep'))) - (cslift t(Ptr epptr \ endpoint)) Ptr (cendpoint_relation mp')" + shows "cmap_relation (map_to_eps ((ksPSpace s)(epptr \ KOEndpoint ep'))) + ((cslift t)(Ptr epptr \ endpoint)) Ptr (cendpoint_relation mp')" using cp koat pal rel unfolding cmap_relation_def apply - apply (clarsimp elim!: obj_atE' simp: map_comp_update projectKO_opts_defs) @@ -2660,8 +2660,8 @@ lemma cpspace_relation_ep_update_ep: and cp: "cmap_relation (map_to_eps (ksPSpace s)) (cslift t) Ptr (cendpoint_relation mp)" and rel: "cendpoint_relation mp' ep' endpoint" and mpeq: "(mp' |` (- (tcb_ptr_to_ctcb_ptr ` qs))) = (mp |` (- (tcb_ptr_to_ctcb_ptr ` qs)))" - shows "cmap_relation (map_to_eps (ksPSpace s(epptr \ KOEndpoint ep'))) - (cslift t(Ptr epptr \ endpoint)) Ptr (cendpoint_relation mp')" + shows "cmap_relation (map_to_eps ((ksPSpace s)(epptr \ KOEndpoint ep'))) + ((cslift t)(Ptr epptr \ endpoint)) Ptr (cendpoint_relation mp')" using invs apply (intro cpspace_relation_ep_update_an_ep[OF koat cp rel mpeq]) apply clarsimp+ 
@@ -2673,15 +2673,15 @@ lemma cpspace_relation_ep_update_ep': fixes ep :: "endpoint" and ep' :: "endpoint" and epptr :: "word32" and s :: "kernel_state" defines "qs \ if (isSendEP ep' \ isRecvEP ep') then set (epQueue ep') else {}" - defines "s' \ s\ksPSpace := ksPSpace s(epptr \ KOEndpoint ep')\" + defines "s' \ s\ksPSpace := (ksPSpace s)(epptr \ KOEndpoint ep')\" assumes koat: "ko_at' ep epptr s" and vp: "valid_pspace' s" and cp: "cmap_relation (map_to_eps (ksPSpace s)) (cslift t) Ptr (cendpoint_relation mp)" and srs: "sym_refs (state_refs_of' s')" and rel: "cendpoint_relation mp' ep' endpoint" and mpeq: "(mp' |` (- (tcb_ptr_to_ctcb_ptr ` qs))) = (mp |` (- (tcb_ptr_to_ctcb_ptr ` qs)))" - shows "cmap_relation (map_to_eps (ksPSpace s(epptr \ KOEndpoint ep'))) - (cslift t(Ptr epptr \ endpoint)) Ptr (cendpoint_relation mp')" + shows "cmap_relation (map_to_eps ((ksPSpace s)(epptr \ KOEndpoint ep'))) + ((cslift t)(Ptr epptr \ endpoint)) Ptr (cendpoint_relation mp')" proof - from koat have koat': "ko_at' ep' epptr s'" by (clarsimp simp: obj_at'_def s'_def objBitsKO_def ps_clear_def projectKOs) diff --git a/proof/crefine/ARM/Ipc_C.thy b/proof/crefine/ARM/Ipc_C.thy index 1b6c7a07ab..4ec3ea85ef 100644 --- a/proof/crefine/ARM/Ipc_C.thy +++ b/proof/crefine/ARM/Ipc_C.thy 
@@ -4552,12 +4552,12 @@ lemma sendIPC_enqueue_ccorres_helper: apply (simp add: cendpoint_relation_def Let_def) apply (case_tac ep, simp_all add: init_def valid_ep'_def)[1] apply (subgoal_tac "sym_refs (state_refs_of' (\\ksPSpace := - ksPSpace \(epptr \ KOEndpoint (SendEP queue))\))") + (ksPSpace \)(epptr \ KOEndpoint (SendEP queue))\))") prefer 2 apply (clarsimp simp: state_refs_of'_upd ko_wp_at'_def obj_at'_def projectKOs objBitsKO_def) apply (subgoal_tac "ko_at' (SendEP queue) epptr (\\ksPSpace := - ksPSpace \(epptr \ KOEndpoint (SendEP queue))\)") + (ksPSpace \)(epptr \ KOEndpoint (SendEP queue))\)") prefer 2 apply (clarsimp simp: obj_at'_def projectKOs objBitsKO_def ps_clear_upd) apply (intro conjI impI allI) @@ -4948,12 +4948,12 @@ lemma receiveIPC_enqueue_ccorres_helper: apply (simp add: cendpoint_relation_def Let_def) apply (case_tac ep, simp_all add: init_def valid_ep'_def)[1] apply (subgoal_tac "sym_refs (state_refs_of' (\\ksPSpace := - ksPSpace \(epptr \ KOEndpoint (RecvEP queue))\))") + (ksPSpace \)(epptr \ KOEndpoint (RecvEP queue))\))") prefer 2 apply (clarsimp simp: state_refs_of'_upd ko_wp_at'_def obj_at'_def projectKOs objBitsKO_def) apply (subgoal_tac "ko_at' (RecvEP queue) epptr (\\ksPSpace := - ksPSpace \(epptr \ KOEndpoint (RecvEP queue))\)") + (ksPSpace \)(epptr \ KOEndpoint (RecvEP queue))\)") prefer 2 apply (clarsimp simp: obj_at'_def projectKOs objBitsKO_def ps_clear_upd) apply (intro conjI impI allI) 
@@ -5948,16 +5948,17 @@ lemma cpspace_relation_ntfn_update_ntfn': fixes ntfn :: "Structures_H.notification" and ntfn' :: "Structures_H.notification" and ntfnptr :: "word32" and s :: "kernel_state" defines "qs \ if isWaitingNtfn (ntfnObj ntfn') then set (ntfnQueue (ntfnObj ntfn')) else {}" - defines "s' \ s\ksPSpace := ksPSpace s(ntfnptr \ KONotification ntfn')\" + defines "s' \ s\ksPSpace := (ksPSpace s)(ntfnptr \ KONotification ntfn')\" assumes koat: "ko_at' ntfn ntfnptr s" and vp: "valid_pspace' s" and cp: "cmap_relation (map_to_ntfns (ksPSpace s)) (cslift t) Ptr (cnotification_relation (cslift t))" and srs: "sym_refs (state_refs_of' s')" and rel: "cnotification_relation (cslift t') ntfn' notification" and mpeq: "(cslift t' |` (- (tcb_ptr_to_ctcb_ptr ` qs))) = (cslift t |` (- (tcb_ptr_to_ctcb_ptr ` qs)))" - shows "cmap_relation (map_to_ntfns (ksPSpace s(ntfnptr \ KONotification ntfn'))) - (cslift t(Ptr ntfnptr \ notification)) Ptr - (cnotification_relation (cslift t'))" + shows "cmap_relation (map_to_ntfns ((ksPSpace s)(ntfnptr \ KONotification ntfn'))) + ((cslift t)(Ptr ntfnptr \ notification)) + Ptr + (cnotification_relation (cslift t'))" proof - from koat have koat': "ko_at' ntfn' ntfnptr s'" by (clarsimp simp: obj_at'_def s'_def objBitsKO_def ps_clear_def projectKOs) 
@@ -6035,12 +6036,12 @@ lemma receiveSignal_enqueue_ccorres_helper: apply (simp add: cnotification_relation_def Let_def) apply (case_tac "ntfnObj ntfn", simp_all add: init_def valid_ntfn'_def)[1] apply (subgoal_tac "sym_refs (state_refs_of' (\\ksPSpace := - ksPSpace \(ntfnptr \ KONotification (NTFN (WaitingNtfn queue) (ntfnBoundTCB ntfn)))\))") + (ksPSpace \)(ntfnptr \ KONotification (NTFN (WaitingNtfn queue) (ntfnBoundTCB ntfn)))\))") prefer 2 apply (clarsimp simp: state_refs_of'_upd ko_wp_at'_def ntfnBound_state_refs_equivalence obj_at'_def projectKOs objBitsKO_def) apply (subgoal_tac "ko_at' (NTFN (WaitingNtfn queue) (ntfnBoundTCB ntfn)) ntfnptr (\\ksPSpace := - ksPSpace \(ntfnptr \ KONotification (NTFN (WaitingNtfn queue) (ntfnBoundTCB ntfn)))\)") + (ksPSpace \)(ntfnptr \ KONotification (NTFN (WaitingNtfn queue) (ntfnBoundTCB ntfn)))\)") prefer 2 apply (clarsimp simp: obj_at'_def projectKOs objBitsKO_def ps_clear_upd) apply (intro conjI impI allI) diff --git a/proof/crefine/ARM/PSpace_C.thy b/proof/crefine/ARM/PSpace_C.thy index b08ffdecc2..3cb5beee00 100644 --- a/proof/crefine/ARM/PSpace_C.thy +++ b/proof/crefine/ARM/PSpace_C.thy @@ -49,7 +49,7 @@ lemma setObject_ccorres_helper: fixes ko :: "'a :: pspace_storable" assumes valid: "\\ (ko' :: 'a). \ \ {s. (\, s) \ rf_sr \ P \ \ s \ P' \ ko_at' ko' p \} - c {s. (\\ksPSpace := ksPSpace \ (p \ injectKO ko)\, s) \ rf_sr}" + c {s. (\\ksPSpace := (ksPSpace \)(p \ injectKO ko)\, s) \ rf_sr}" shows "\ \ko :: 'a. updateObject ko = updateObject_default ko; \ko :: 'a. (1 :: word32) < 2 ^ objBits ko \ \ ccorres dc xfdc P P' hs (setObject p ko) c" diff --git a/proof/crefine/ARM/Recycle_C.thy b/proof/crefine/ARM/Recycle_C.thy index f3f5c1cda7..b1e5e98d21 100644 --- a/proof/crefine/ARM/Recycle_C.thy +++ b/proof/crefine/ARM/Recycle_C.thy 
@@ -230,7 +230,7 @@ lemma mapM_x_store_memset_ccorres_assist: "\ko :: 'a. (1 :: word32) < 2 ^ objBits ko" assumes restr: "set slots \ S" assumes worker: "\ptr s s' (ko :: 'a). \ (s, s') \ rf_sr; ko_at' ko ptr s; ptr \ S \ - \ (s \ ksPSpace := ksPSpace s (ptr \ injectKO val)\, + \ (s \ ksPSpace := (ksPSpace s)(ptr \ injectKO val)\, globals_update (t_hrs_'_update (hrs_mem_update (heap_update_list ptr (replicateHider (2 ^ objBits val) (ucast c))))) s') \ rf_sr" @@ -484,8 +484,8 @@ lemma cpspace_relation_ep_update_ep2: (cslift t) ep_Ptr (cendpoint_relation (cslift t)); cendpoint_relation (cslift t') ep' endpoint; (cslift t' :: tcb_C ptr \ tcb_C) = cslift t \ - \ cmap_relation (map_to_eps (ksPSpace s(epptr \ KOEndpoint ep'))) - (cslift t(ep_Ptr epptr \ endpoint)) + \ cmap_relation (map_to_eps ((ksPSpace s)(epptr \ KOEndpoint ep'))) + ((cslift t)(ep_Ptr epptr \ endpoint)) ep_Ptr (cendpoint_relation (cslift t'))" apply (rule cmap_relationE1, assumption, erule ko_at_projectKO_opt) apply (rule_tac P="\a. cmap_relation a b c d" for b c d in rsubst, diff --git a/proof/crefine/ARM/Retype_C.thy b/proof/crefine/ARM/Retype_C.thy index 1c4f15978b..baaeaa0efb 100644 --- a/proof/crefine/ARM/Retype_C.thy +++ b/proof/crefine/ARM/Retype_C.thy @@ -4777,7 +4777,7 @@ lemma gsCNodes_update_ccorres: (* FIXME: move *) lemma map_to_tcbs_upd: - "map_to_tcbs (ksPSpace s(t \ KOTCB tcb')) = map_to_tcbs (ksPSpace s)(t \ tcb')" + "map_to_tcbs ((ksPSpace s)(t \ KOTCB tcb')) = (map_to_tcbs (ksPSpace s))(t \ tcb')" apply (rule ext) apply (clarsimp simp: map_comp_def projectKOs split: option.splits if_splits) done diff --git a/proof/crefine/ARM/SR_lemmas_C.thy b/proof/crefine/ARM/SR_lemmas_C.thy index 11f560c3f7..f37cc9137c 100644 --- a/proof/crefine/ARM/SR_lemmas_C.thy +++ b/proof/crefine/ARM/SR_lemmas_C.thy 
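Review bot: The lemma `map_to_tcbs_upd` under `(* FIXME: move *)` in Retype_C.thy is textually identical to the one this commit also rewrites in Schedule_C.thy (the `@@ -630,7 +630,7 @@` hunk further down), so the same statement is now being maintained in two places. Since both copies are touched anyway, moving one to a shared theory and deleting the other would resolve the FIXME; SR_lemmas_C.thy already holds the similarly shaped `update_pte_map_to_ptes` and `update_pde_map_to_pdes` lemmas, which looks like the natural home. Whether the duplicate name is tolerated because the two files live in different contexts is not visible here; if the move is deferred, a comment such as `(* duplicated in Schedule_C.thy; keep in sync *)` above each copy would at least make the coupling explicit.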
@@ -309,15 +309,15 @@ lemma tcb_cte_cases_proj_eq [simp]: by (auto split: if_split_asm) lemma map_to_ctes_upd_tcb': - "[| ksPSpace s p = Some (KOTCB tcb'); is_aligned p tcbBlockSizeBits; - ps_clear p tcbBlockSizeBits s |] -==> map_to_ctes (ksPSpace s(p |-> KOTCB tcb)) = - (%x. if EX getF setF. + "\ ksPSpace s p = Some (KOTCB tcb'); is_aligned p tcbBlockSizeBits; + ps_clear p tcbBlockSizeBits s \ + \ map_to_ctes ((ksPSpace s)(p \ KOTCB tcb)) = + (\x. if EX getF setF. tcb_cte_cases (x - p) = Some (getF, setF) & - getF tcb ~= getF tcb' - then case tcb_cte_cases (x - p) of - Some (getF, setF) => Some (getF tcb) - else ctes_of s x)" + getF tcb \ getF tcb' + then case tcb_cte_cases (x - p) of + Some (getF, setF) \ Some (getF tcb) + else ctes_of s x)" apply (erule (1) map_to_ctes_upd_tcb) apply (simp add: field_simps ps_clear_def3 mask_def objBits_defs) done 
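Review bot: The rewrite of `map_to_ctes_upd_tcb'` converts `[| |]`, `==>`, `%x`, `~=` and `=>` to their symbol forms but leaves `EX getF setF.` and `&` in ASCII, so the statement now mixes both notations inside one term. Finishing the conversion, `if ∃getF setF. tcb_cte_cases (x - p) = Some (getF, setF) ∧ getF tcb ≠ getF tcb'`, keeps the style consistent with the surrounding SR_lemmas_C hunks, which use symbols throughout. The proof lines are unchanged, so this is purely presentational.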
@@ -431,18 +431,19 @@ qed lemma fst_setCTE: assumes ct: "cte_at' dest s" and rl: "\s'. \ ((), s') \ fst (setCTE dest cte s); - (s' = s \ ksPSpace := ksPSpace s' \); - (ctes_of s' = ctes_of s(dest \ cte)); - (map_to_eps (ksPSpace s) = map_to_eps (ksPSpace s')); - (map_to_ntfns (ksPSpace s) = map_to_ntfns (ksPSpace s')); - (map_to_pdes (ksPSpace s) = map_to_pdes (ksPSpace s')); - (map_to_ptes (ksPSpace s) = map_to_ptes (ksPSpace s')); - (map_to_asidpools (ksPSpace s) = map_to_asidpools (ksPSpace s')); - (map_to_user_data (ksPSpace s) = map_to_user_data (ksPSpace s')); - (map_to_user_data_device (ksPSpace s) = map_to_user_data_device (ksPSpace s')); - (map_option tcb_no_ctes_proj \ map_to_tcbs (ksPSpace s) - = map_option tcb_no_ctes_proj \ map_to_tcbs (ksPSpace s')); - \T p. typ_at' T p s = typ_at' T p s'\ \ P" + s' = s \ ksPSpace := ksPSpace s' \; + ctes_of s' = (ctes_of s)(dest \ cte); + map_to_eps (ksPSpace s) = map_to_eps (ksPSpace s'); + map_to_ntfns (ksPSpace s) = map_to_ntfns (ksPSpace s'); + map_to_pdes (ksPSpace s) = map_to_pdes (ksPSpace s'); + map_to_ptes (ksPSpace s) = map_to_ptes (ksPSpace s'); + map_to_asidpools (ksPSpace s) = map_to_asidpools (ksPSpace s'); + map_to_user_data (ksPSpace s) = map_to_user_data (ksPSpace s'); + map_to_user_data_device (ksPSpace s) = map_to_user_data_device (ksPSpace s'); + map_option tcb_no_ctes_proj \ map_to_tcbs (ksPSpace s) + = map_option tcb_no_ctes_proj \ map_to_tcbs (ksPSpace s'); + \T p. typ_at' T p s = typ_at' T p s'\ + \ P" shows "P" proof - from fst_setCTE0 [where cte = cte, OF ct] @@ -458,7 +459,7 @@ proof - by clarsimp note thms = this - have ceq: "ctes_of s' = ctes_of s(dest \ cte)" + have ceq: "ctes_of s' = (ctes_of s)(dest \ cte)" by (rule use_valid [OF thms(1) setCTE_ctes_of_wp]) simp show ?thesis 
@@ -1406,7 +1407,7 @@ lemma ntfnQueue_tail_mask_4 [simp]: lemma map_to_ctes_upd_tcb_no_ctes: "\ko_at' tcb thread s ; \x\ran tcb_cte_cases. (\(getF, setF). getF tcb' = getF tcb) x \ - \ map_to_ctes (ksPSpace s(thread \ KOTCB tcb')) = map_to_ctes (ksPSpace s)" + \ map_to_ctes ((ksPSpace s)(thread \ KOTCB tcb')) = map_to_ctes (ksPSpace s)" apply (erule obj_atE') apply (simp add: projectKOs objBits_simps) apply (subst map_to_ctes_upd_tcb') 
@@ -1420,14 +1421,14 @@ lemma map_to_ctes_upd_tcb_no_ctes: lemma update_ntfn_map_tos: fixes P :: "Structures_H.notification \ bool" assumes at: "obj_at' P p s" - shows "map_to_eps (ksPSpace s(p \ KONotification ko)) = map_to_eps (ksPSpace s)" - and "map_to_tcbs (ksPSpace s(p \ KONotification ko)) = map_to_tcbs (ksPSpace s)" - and "map_to_ctes (ksPSpace s(p \ KONotification ko)) = map_to_ctes (ksPSpace s)" - and "map_to_pdes (ksPSpace s(p \ KONotification ko)) = map_to_pdes (ksPSpace s)" - and "map_to_ptes (ksPSpace s(p \ KONotification ko)) = map_to_ptes (ksPSpace s)" - and "map_to_asidpools (ksPSpace s(p \ KONotification ko)) = map_to_asidpools (ksPSpace s)" - and "map_to_user_data (ksPSpace s(p \ KONotification ko)) = map_to_user_data (ksPSpace s)" - and "map_to_user_data_device (ksPSpace s(p \ KONotification ko)) = map_to_user_data_device (ksPSpace s)" + shows "map_to_eps ((ksPSpace s)(p \ KONotification ko)) = map_to_eps (ksPSpace s)" + and "map_to_tcbs ((ksPSpace s)(p \ KONotification ko)) = map_to_tcbs (ksPSpace s)" + and "map_to_ctes ((ksPSpace s)(p \ KONotification ko)) = map_to_ctes (ksPSpace s)" + and "map_to_pdes ((ksPSpace s)(p \ KONotification ko)) = map_to_pdes (ksPSpace s)" + and "map_to_ptes ((ksPSpace s)(p \ KONotification ko)) = map_to_ptes (ksPSpace s)" + and "map_to_asidpools ((ksPSpace s)(p \ KONotification ko)) = map_to_asidpools (ksPSpace s)" + and "map_to_user_data ((ksPSpace s)(p \ KONotification ko)) = map_to_user_data (ksPSpace s)" + and "map_to_user_data_device ((ksPSpace s)(p \ KONotification ko)) = map_to_user_data_device (ksPSpace s)" using at by (auto elim!: obj_atE' intro!: map_to_ctes_upd_other map_comp_eqI simp: projectKOs projectKO_opts_defs split: kernel_object.splits if_split_asm)+ 
@@ -1435,14 +1436,14 @@ lemma update_ntfn_map_tos: lemma update_ep_map_tos: fixes P :: "endpoint \ bool" assumes at: "obj_at' P p s" - shows "map_to_ntfns (ksPSpace s(p \ KOEndpoint ko)) = map_to_ntfns (ksPSpace s)" - and "map_to_tcbs (ksPSpace s(p \ KOEndpoint ko)) = map_to_tcbs (ksPSpace s)" - and "map_to_ctes (ksPSpace s(p \ KOEndpoint ko)) = map_to_ctes (ksPSpace s)" - and "map_to_pdes (ksPSpace s(p \ KOEndpoint ko)) = map_to_pdes (ksPSpace s)" - and "map_to_ptes (ksPSpace s(p \ KOEndpoint ko)) = map_to_ptes (ksPSpace s)" - and "map_to_asidpools (ksPSpace s(p \ KOEndpoint ko)) = map_to_asidpools (ksPSpace s)" - and "map_to_user_data (ksPSpace s(p \ KOEndpoint ko)) = map_to_user_data (ksPSpace s)" - and "map_to_user_data_device (ksPSpace s(p \ KOEndpoint ko)) = map_to_user_data_device (ksPSpace s)" + shows "map_to_ntfns ((ksPSpace s)(p \ KOEndpoint ko)) = map_to_ntfns (ksPSpace s)" + and "map_to_tcbs ((ksPSpace s)(p \ KOEndpoint ko)) = map_to_tcbs (ksPSpace s)" + and "map_to_ctes ((ksPSpace s)(p \ KOEndpoint ko)) = map_to_ctes (ksPSpace s)" + and "map_to_pdes ((ksPSpace s)(p \ KOEndpoint ko)) = map_to_pdes (ksPSpace s)" + and "map_to_ptes ((ksPSpace s)(p \ KOEndpoint ko)) = map_to_ptes (ksPSpace s)" + and "map_to_asidpools ((ksPSpace s)(p \ KOEndpoint ko)) = map_to_asidpools (ksPSpace s)" + and "map_to_user_data ((ksPSpace s)(p \ KOEndpoint ko)) = map_to_user_data (ksPSpace s)" + and "map_to_user_data_device ((ksPSpace s)(p \ KOEndpoint ko)) = map_to_user_data_device (ksPSpace s)" using at by (auto elim!: obj_atE' intro!: map_to_ctes_upd_other map_comp_eqI simp: projectKOs projectKO_opts_defs split: kernel_object.splits if_split_asm)+ 
@@ -1450,13 +1451,13 @@ lemma update_ep_map_tos: lemma update_tcb_map_tos: fixes P :: "tcb \ bool" assumes at: "obj_at' P p s" - shows "map_to_eps (ksPSpace s(p \ KOTCB ko)) = map_to_eps (ksPSpace s)" - and "map_to_ntfns (ksPSpace s(p \ KOTCB ko)) = map_to_ntfns (ksPSpace s)" - and "map_to_pdes (ksPSpace s(p \ KOTCB ko)) = map_to_pdes (ksPSpace s)" - and "map_to_ptes (ksPSpace s(p \ KOTCB ko)) = map_to_ptes (ksPSpace s)" - and "map_to_asidpools (ksPSpace s(p \ KOTCB ko)) = map_to_asidpools (ksPSpace s)" - and "map_to_user_data (ksPSpace s(p \ KOTCB ko)) = map_to_user_data (ksPSpace s)" - and "map_to_user_data_device (ksPSpace s(p \ KOTCB ko)) = map_to_user_data_device (ksPSpace s)" + shows "map_to_eps ((ksPSpace s)(p \ KOTCB ko)) = map_to_eps (ksPSpace s)" + and "map_to_ntfns ((ksPSpace s)(p \ KOTCB ko)) = map_to_ntfns (ksPSpace s)" + and "map_to_pdes ((ksPSpace s)(p \ KOTCB ko)) = map_to_pdes (ksPSpace s)" + and "map_to_ptes ((ksPSpace s)(p \ KOTCB ko)) = map_to_ptes (ksPSpace s)" + and "map_to_asidpools ((ksPSpace s)(p \ KOTCB ko)) = map_to_asidpools (ksPSpace s)" + and "map_to_user_data ((ksPSpace s)(p \ KOTCB ko)) = map_to_user_data (ksPSpace s)" + and "map_to_user_data_device ((ksPSpace s)(p \ KOTCB ko)) = map_to_user_data_device (ksPSpace s)" using at by (auto elim!: obj_atE' intro!: map_to_ctes_upd_other map_comp_eqI simp: projectKOs projectKO_opts_defs split: kernel_object.splits if_split_asm)+ 
@@ -1464,14 +1465,14 @@ lemma update_tcb_map_tos: lemma update_asidpool_map_tos: fixes P :: "asidpool \ bool" assumes at: "obj_at' P p s" - shows "map_to_ntfns (ksPSpace s(p \ KOArch (KOASIDPool ap))) = map_to_ntfns (ksPSpace s)" - and "map_to_tcbs (ksPSpace s(p \ KOArch (KOASIDPool ap))) = map_to_tcbs (ksPSpace s)" - and "map_to_ctes (ksPSpace s(p \ KOArch (KOASIDPool ap))) = map_to_ctes (ksPSpace s)" - and "map_to_pdes (ksPSpace s(p \ KOArch (KOASIDPool ap))) = map_to_pdes (ksPSpace s)" - and "map_to_ptes (ksPSpace s(p \ KOArch (KOASIDPool ap))) = map_to_ptes (ksPSpace s)" - and "map_to_eps (ksPSpace s(p \ KOArch (KOASIDPool ap))) = map_to_eps (ksPSpace s)" - and "map_to_user_data (ksPSpace s(p \ KOArch (KOASIDPool ap))) = map_to_user_data (ksPSpace s)" - and "map_to_user_data_device (ksPSpace s(p \ KOArch (KOASIDPool ap))) = map_to_user_data_device (ksPSpace s)" + shows "map_to_ntfns ((ksPSpace s)(p \ KOArch (KOASIDPool ap))) = map_to_ntfns (ksPSpace s)" + and "map_to_tcbs ((ksPSpace s)(p \ KOArch (KOASIDPool ap))) = map_to_tcbs (ksPSpace s)" + and "map_to_ctes ((ksPSpace s)(p \ KOArch (KOASIDPool ap))) = map_to_ctes (ksPSpace s)" + and "map_to_pdes ((ksPSpace s)(p \ KOArch (KOASIDPool ap))) = map_to_pdes (ksPSpace s)" + and "map_to_ptes ((ksPSpace s)(p \ KOArch (KOASIDPool ap))) = map_to_ptes (ksPSpace s)" + and "map_to_eps ((ksPSpace s)(p \ KOArch (KOASIDPool ap))) = map_to_eps (ksPSpace s)" + and "map_to_user_data ((ksPSpace s)(p \ KOArch (KOASIDPool ap))) = map_to_user_data (ksPSpace s)" + and "map_to_user_data_device ((ksPSpace s)(p \ KOArch (KOASIDPool ap))) = map_to_user_data_device (ksPSpace s)" using at by (auto elim!: obj_atE' intro!: map_to_ctes_upd_other map_comp_eqI 
@@ -1480,26 +1481,26 @@ lemma update_asidpool_map_tos: arch_kernel_object.split_asm) lemma update_asidpool_map_to_asidpools: - "map_to_asidpools (ksPSpace s(p \ KOArch (KOASIDPool ap))) + "map_to_asidpools ((ksPSpace s)(p \ KOArch (KOASIDPool ap))) = (map_to_asidpools (ksPSpace s))(p \ ap)" by (rule ext, clarsimp simp: projectKOs map_comp_def split: if_split) lemma update_pte_map_to_ptes: - "map_to_ptes (ksPSpace s(p \ KOArch (KOPTE pte))) + "map_to_ptes ((ksPSpace s)(p \ KOArch (KOPTE pte))) = (map_to_ptes (ksPSpace s))(p \ pte)" by (rule ext, clarsimp simp: projectKOs map_comp_def split: if_split) lemma update_pte_map_tos: fixes P :: "pte \ bool" assumes at: "obj_at' P p s" - shows "map_to_ntfns (ksPSpace s(p \ (KOArch (KOPTE pte)))) = map_to_ntfns (ksPSpace s)" - and "map_to_tcbs (ksPSpace s(p \ (KOArch (KOPTE pte)))) = map_to_tcbs (ksPSpace s)" - and "map_to_ctes (ksPSpace s(p \ (KOArch (KOPTE pte)))) = map_to_ctes (ksPSpace s)" - and "map_to_pdes (ksPSpace s(p \ (KOArch (KOPTE pte)))) = map_to_pdes (ksPSpace s)" - and "map_to_eps (ksPSpace s(p \ (KOArch (KOPTE pte)))) = map_to_eps (ksPSpace s)" - and "map_to_asidpools (ksPSpace s(p \ (KOArch (KOPTE pte)))) = map_to_asidpools (ksPSpace s)" - and "map_to_user_data (ksPSpace s(p \ (KOArch (KOPTE pte)))) = map_to_user_data (ksPSpace s)" - and "map_to_user_data_device (ksPSpace s(p \ (KOArch (KOPTE pte)))) = map_to_user_data_device (ksPSpace s)" + shows "map_to_ntfns ((ksPSpace s)(p \ (KOArch (KOPTE pte)))) = map_to_ntfns (ksPSpace s)" + and "map_to_tcbs ((ksPSpace s)(p \ (KOArch (KOPTE pte)))) = map_to_tcbs (ksPSpace s)" + and "map_to_ctes ((ksPSpace s)(p \ (KOArch (KOPTE pte)))) = map_to_ctes (ksPSpace s)" + and "map_to_pdes ((ksPSpace s)(p \ (KOArch (KOPTE pte)))) = map_to_pdes (ksPSpace s)" + and "map_to_eps ((ksPSpace s)(p \ (KOArch (KOPTE pte)))) = map_to_eps (ksPSpace s)" + and "map_to_asidpools ((ksPSpace s)(p \ (KOArch (KOPTE pte)))) = map_to_asidpools (ksPSpace s)" + and "map_to_user_data ((ksPSpace s)(p 
\ (KOArch (KOPTE pte)))) = map_to_user_data (ksPSpace s)" + and "map_to_user_data_device ((ksPSpace s)(p \ (KOArch (KOPTE pte)))) = map_to_user_data_device (ksPSpace s)" using at by (auto elim!: obj_atE' intro!: map_comp_eqI map_to_ctes_upd_other split: if_split_asm if_split 
@@ -1507,21 +1508,21 @@ lemma update_pte_map_tos: auto simp: projectKO_opts_defs) lemma update_pde_map_to_pdes: - "map_to_pdes (ksPSpace s(p \ KOArch (KOPDE pde))) + "map_to_pdes ((ksPSpace s)(p \ KOArch (KOPDE pde))) = (map_to_pdes (ksPSpace s))(p \ pde)" by (rule ext, clarsimp simp: projectKOs map_comp_def split: if_split) lemma update_pde_map_tos: fixes P :: "pde \ bool" assumes at: "obj_at' P p s" - shows "map_to_ntfns (ksPSpace s(p \ (KOArch (KOPDE pde)))) = map_to_ntfns (ksPSpace s)" - and "map_to_tcbs (ksPSpace s(p \ (KOArch (KOPDE pde)))) = map_to_tcbs (ksPSpace s)" - and "map_to_ctes (ksPSpace s(p \ (KOArch (KOPDE pde)))) = map_to_ctes (ksPSpace s)" - and "map_to_ptes (ksPSpace s(p \ (KOArch (KOPDE pde)))) = map_to_ptes (ksPSpace s)" - and "map_to_eps (ksPSpace s(p \ (KOArch (KOPDE pde)))) = map_to_eps (ksPSpace s)" - and "map_to_asidpools (ksPSpace s(p \ (KOArch (KOPDE pde)))) = map_to_asidpools (ksPSpace s)" - and "map_to_user_data (ksPSpace s(p \ (KOArch (KOPDE pde)))) = map_to_user_data (ksPSpace s)" - and "map_to_user_data_device (ksPSpace s(p \ (KOArch (KOPDE pde)))) = map_to_user_data_device (ksPSpace s)" + shows "map_to_ntfns ((ksPSpace s)(p \ (KOArch (KOPDE pde)))) = map_to_ntfns (ksPSpace s)" + and "map_to_tcbs ((ksPSpace s)(p \ (KOArch (KOPDE pde)))) = map_to_tcbs (ksPSpace s)" + and "map_to_ctes ((ksPSpace s)(p \ (KOArch (KOPDE pde)))) = map_to_ctes (ksPSpace s)" + and "map_to_ptes ((ksPSpace s)(p \ (KOArch (KOPDE pde)))) = map_to_ptes (ksPSpace s)" + and "map_to_eps ((ksPSpace s)(p \ (KOArch (KOPDE pde)))) = map_to_eps (ksPSpace s)" + and "map_to_asidpools ((ksPSpace s)(p \ (KOArch (KOPDE pde)))) = map_to_asidpools (ksPSpace s)" + and "map_to_user_data ((ksPSpace s)(p \ (KOArch (KOPDE pde)))) = map_to_user_data (ksPSpace s)" + and "map_to_user_data_device ((ksPSpace s)(p \ (KOArch (KOPDE pde)))) = map_to_user_data_device (ksPSpace s)" using at by (auto elim!: obj_atE' intro!: map_comp_eqI map_to_ctes_upd_other split: if_split_asm if_split 
diff --git a/proof/crefine/ARM/Schedule_C.thy b/proof/crefine/ARM/Schedule_C.thy index 020d4a4d9f..b7c80e2f54 100644 --- a/proof/crefine/ARM/Schedule_C.thy +++ b/proof/crefine/ARM/Schedule_C.thy @@ -630,7 +630,7 @@ lemma schedule_ccorres: (* FIXME: move *) lemma map_to_tcbs_upd: - "map_to_tcbs (ksPSpace s(t \ KOTCB tcb')) = map_to_tcbs (ksPSpace s)(t \ tcb')" + "map_to_tcbs ((ksPSpace s)(t \ KOTCB tcb')) = (map_to_tcbs (ksPSpace s))(t \ tcb')" apply (rule ext) apply (clarsimp simp: map_comp_def projectKOs split: option.splits if_splits) done diff --git a/proof/crefine/ARM/TcbAcc_C.thy b/proof/crefine/ARM/TcbAcc_C.thy index 4fd5f9ddda..c9e9e58920 100644 --- a/proof/crefine/ARM/TcbAcc_C.thy +++ b/proof/crefine/ARM/TcbAcc_C.thy @@ -110,7 +110,7 @@ lemma threadSet_corres_lemma: assumes spec: "\s. \\ \s. P s\ Call f {t. Q s t}" and mod: "modifies_heap_spec f" and rl: "\\ x t ko. \(\, x) \ rf_sr; Q x t; x \ P'; ko_at' ko thread \\ - \ (\\ksPSpace := ksPSpace \(thread \ KOTCB (g ko))\, + \ (\\ksPSpace := (ksPSpace \)(thread \ KOTCB (g ko))\, t\globals := globals x\t_hrs_' := t_hrs_' (globals t)\\) \ rf_sr" and g: "\s x. \tcb_at' thread s; x \ P'; (s, x) \ rf_sr\ \ P x" shows "ccorres dc xfdc (tcb_at' thread) P' [] (threadSet g thread) (Call f)" @@ -139,7 +139,7 @@ lemma threadSet_corres_lemma: lemma threadSet_ccorres_lemma4: - "\ \s tcb. \ \ (Q s tcb) c {s'. (s \ksPSpace := ksPSpace s(thread \ injectKOS (F tcb))\, s') \ rf_sr}; + "\ \s tcb. \ \ (Q s tcb) c {s'. (s \ksPSpace := (ksPSpace s)(thread \ injectKOS (F tcb))\, s') \ rf_sr}; \s s' tcb tcb'. \ (s, s') \ rf_sr; P tcb; ko_at' tcb thread s; cslift s' (tcb_ptr_to_ctcb_ptr thread) = Some tcb'; ctcb_relation tcb tcb'; P' s ; s' \ R\ \ s' \ Q s tcb \ diff --git a/proof/crefine/ARM/TcbQueue_C.thy b/proof/crefine/ARM/TcbQueue_C.thy index ccc1d1bfe7..e14fa45ae9 100644 --- a/proof/crefine/ARM/TcbQueue_C.thy +++ b/proof/crefine/ARM/TcbQueue_C.thy 
@@ -970,8 +970,8 @@ lemma cpspace_relation_ntfn_update_ntfn: and cp: "cpspace_ntfn_relation (ksPSpace s) (t_hrs_' (globals t))" and rel: "cnotification_relation (cslift t') ntfn' notification" and mpeq: "(cslift t' |` (- (tcb_ptr_to_ctcb_ptr ` qs))) = (cslift t |` (- (tcb_ptr_to_ctcb_ptr ` qs)))" - shows "cmap_relation (map_to_ntfns (ksPSpace s(ntfnptr \ KONotification ntfn'))) - (cslift t(Ptr ntfnptr \ notification)) Ptr (cnotification_relation (cslift t'))" + shows "cmap_relation (map_to_ntfns ((ksPSpace s)(ntfnptr \ KONotification ntfn'))) + ((cslift t)(Ptr ntfnptr \ notification)) Ptr (cnotification_relation (cslift t'))" using koat invs cp rel apply - apply (subst map_comp_update) @@ -1059,7 +1059,7 @@ lemma rf_sr_tcb_update_no_queue: (\x\ran tcb_cte_cases. (\(getF, setF). getF tcb' = getF tcb) x); ctcb_relation tcb' ctcb \ - \ (s\ksPSpace := ksPSpace s(thread \ KOTCB tcb')\, x\globals := globals s'\t_hrs_' := t_hrs_' (globals t)\\) \ rf_sr" + \ (s\ksPSpace := (ksPSpace s)(thread \ KOTCB tcb')\, x\globals := globals s'\t_hrs_' := t_hrs_' (globals t)\\) \ rf_sr" unfolding rf_sr_def state_relation_def cstate_relation_def cpspace_relation_def apply (clarsimp simp: Let_def update_tcb_map_tos map_to_ctes_upd_tcb_no_ctes heap_to_user_data_def) @@ -1108,7 +1108,7 @@ lemma rf_sr_tcb_update_not_in_queue: \ live' (KOTCB tcb); invs' s; (\x\ran tcb_cte_cases. (\(getF, setF). getF tcb' = getF tcb) x); ctcb_relation tcb' ctcb \ - \ (s\ksPSpace := ksPSpace s(thread \ KOTCB tcb')\, + \ (s\ksPSpace := (ksPSpace s)(thread \ KOTCB tcb')\, x\globals := globals s'\t_hrs_' := t_hrs_' (globals t)\\) \ rf_sr" unfolding rf_sr_def state_relation_def cstate_relation_def cpspace_relation_def apply (clarsimp simp: Let_def update_tcb_map_tos map_to_ctes_upd_tcb_no_ctes diff --git a/proof/crefine/ARM/Tcb_C.thy b/proof/crefine/ARM/Tcb_C.thy index e1cf49fd0c..8a515d6123 100644 --- a/proof/crefine/ARM/Tcb_C.thy +++ b/proof/crefine/ARM/Tcb_C.thy 
@@ -72,8 +72,8 @@ begin lemma getObject_state: " \(x, s') \ fst (getObject t' s); ko_at' ko t s\ \ (if t = t' then tcbState_update (\_. st) x else x, - s'\ksPSpace := ksPSpace s(t \ KOTCB (tcbState_update (\_. st) ko))\) - \ fst (getObject t' (s\ksPSpace := ksPSpace s(t \ KOTCB (tcbState_update (\_. st) ko))\))" + s'\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbState_update (\_. st) ko))\) + \ fst (getObject t' (s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbState_update (\_. st) ko))\))" apply (simp split: if_split) apply (rule conjI) apply clarsimp @@ -131,8 +131,8 @@ lemma getObject_state: lemma threadGet_state: "\ (uc, s') \ fst (threadGet (atcbContextGet o tcbArch) t' s); ko_at' ko t s \ \ - (uc, s'\ksPSpace := ksPSpace s(t \ KOTCB (tcbState_update (\_. st) ko))\) \ - fst (threadGet (atcbContextGet o tcbArch) t' (s\ksPSpace := ksPSpace s(t \ KOTCB (tcbState_update (\_. st) ko))\))" + (uc, s'\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbState_update (\_. st) ko))\) \ + fst (threadGet (atcbContextGet o tcbArch) t' (s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbState_update (\_. st) ko))\))" apply (clarsimp simp: threadGet_def liftM_def in_monad) apply (drule (1) getObject_state [where st=st]) apply (rule exI) @@ -142,8 +142,8 @@ lemma threadGet_state: lemma asUser_state: "\(x,s) \ fst (asUser t' f s); ko_at' ko t s; \s. \(=) s\ f \\_. (=) s\ \ \ - (x,s\ksPSpace := ksPSpace s(t \ KOTCB (tcbState_update (\_. st) ko))\) \ - fst (asUser t' f (s\ksPSpace := ksPSpace s(t \ KOTCB (tcbState_update (\_. st) ko))\))" + (x,s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbState_update (\_. st) ko))\) \ + fst (asUser t' f (s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbState_update (\_. st) ko))\))" apply (clarsimp simp: asUser_def in_monad select_f_def) apply (frule use_valid, rule threadGet_inv [where P="(=) s"], rule refl) apply (frule use_valid, assumption, rule refl) 
@@ -240,8 +240,8 @@ lemma asUser_state: lemma doMachineOp_state: "(rv,s') \ fst (doMachineOp f s) \ - (rv,s'\ksPSpace := ksPSpace s(t \ KOTCB (tcbState_update (\_. st) ko))\) - \ fst (doMachineOp f (s\ksPSpace := ksPSpace s(t \ KOTCB (tcbState_update (\_. st) ko))\))" + (rv,s'\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbState_update (\_. st) ko))\) + \ fst (doMachineOp f (s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbState_update (\_. st) ko))\))" apply (clarsimp simp: doMachineOp_def split_def in_monad select_f_def) apply fastforce done @@ -274,7 +274,7 @@ lemma getMRs_rel_state: "\getMRs_rel args buffer s; (cur_tcb' and case_option \ valid_ipc_buffer_ptr' buffer) s; ko_at' ko t s \ \ - getMRs_rel args buffer (s\ksPSpace := ksPSpace s(t \ KOTCB (tcbState_update (\_. st) ko))\)" + getMRs_rel args buffer (s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbState_update (\_. st) ko))\)" apply (clarsimp simp: getMRs_rel_def) apply (rule exI, erule conjI) apply (subst (asm) det_wp_use, rule det_wp_getMRs) @@ -1207,8 +1207,8 @@ lemma invokeTCB_WriteRegisters_ccorres_helper: lemma doMachineOp_context: "(rv,s') \ fst (doMachineOp f s) \ - (rv,s'\ksPSpace := ksPSpace s(t \ KOTCB (tcbContext_update (\_. st) ko))\) - \ fst (doMachineOp f (s\ksPSpace := ksPSpace s(t \ KOTCB (tcbContext_update (\_. st) ko))\))" + (rv,s'\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbContext_update (\_. st) ko))\) + \ fst (doMachineOp f (s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbContext_update (\_. st) ko))\))" apply (clarsimp simp: doMachineOp_def split_def in_monad select_f_def) apply fastforce done 
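Review bot: `doMachineOp_state` and `doMachineOp_context`, both rewritten in this line, differ only in the updater applied to `ko` inside `KOTCB (...)`, and their proofs are the same two steps, `apply (clarsimp simp: doMachineOp_def split_def in_monad select_f_def)` / `apply fastforce`, which do not appear to depend on what is written at `t`. A single lemma over an arbitrary object, `(rv,s') ∈ fst (doMachineOp f s) ⟹ (rv, s'⦇ksPSpace := (ksPSpace s)(t ↦ ko')⦈) ∈ fst (doMachineOp f (s⦇ksPSpace := (ksPSpace s)(t ↦ ko')⦈))`, would presumably cover both and halve the churn the next time this notation changes. The same `_state` / `_context` pairing recurs for `getObject`, `threadGet`, `asUser` and `getMRs_rel` in the neighbouring Tcb_C hunks, though some of those carry an extra `t ≠ ksCurThread s` assumption that would need checking before folding them together.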
@@ -1217,8 +1217,8 @@ lemma doMachineOp_context: lemma getObject_context: " \(x, s') \ fst (getObject t' s); ko_at' ko t s\ \ (if t = t' then tcbContext_update (\_. st) x else x, - s'\ksPSpace := ksPSpace s(t \ KOTCB (tcbContext_update (\_. st) ko))\) - \ fst (getObject t' (s\ksPSpace := ksPSpace s(t \ KOTCB (tcbContext_update (\_. st) ko))\))" + s'\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbContext_update (\_. st) ko))\) + \ fst (getObject t' (s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbContext_update (\_. st) ko))\))" apply (simp split: if_split) apply (rule conjI) apply clarsimp @@ -1277,8 +1277,8 @@ lemma getObject_context: lemma threadGet_context: "\ (uc, s') \ fst (threadGet (atcbContextGet o tcbArch) (ksCurThread s) s); ko_at' ko t s; t \ ksCurThread s \ \ - (uc, s'\ksPSpace := ksPSpace s(t \ KOTCB (tcbArch_update (\_. atcbContextSet st (tcbArch ko)) ko))\) \ - fst (threadGet (atcbContextGet o tcbArch) (ksCurThread s) (s\ksPSpace := ksPSpace s(t \ KOTCB (tcbArch_update (\_. atcbContextSet st (tcbArch ko)) ko))\))" + (uc, s'\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbArch_update (\_. atcbContextSet st (tcbArch ko)) ko))\) \ + fst (threadGet (atcbContextGet o tcbArch) (ksCurThread s) (s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbArch_update (\_. atcbContextSet st (tcbArch ko)) ko))\))" apply (clarsimp simp: threadGet_def liftM_def in_monad) apply (drule (1) getObject_context [where st=st]) apply (rule exI) 
@@ -1290,8 +1290,8 @@ done
 lemma asUser_context:
 "\(x,s) \ fst (asUser (ksCurThread s) f s); ko_at' ko t s; \s. \(=) s\ f \\_. (=) s\ ; t \ ksCurThread s\ \
- (x,s\ksPSpace := ksPSpace s(t \ KOTCB (tcbArch_update (\_. atcbContextSet st (tcbArch ko)) ko))\) \
- fst (asUser (ksCurThread s) f (s\ksPSpace := ksPSpace s(t \ KOTCB (tcbArch_update (\_. atcbContextSet st (tcbArch ko)) ko))\))"
+ (x,s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbArch_update (\_. atcbContextSet st (tcbArch ko)) ko))\) \
+ fst (asUser (ksCurThread s) f (s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbArch_update (\_. atcbContextSet st (tcbArch ko)) ko))\))"
 apply (clarsimp simp: asUser_def in_monad select_f_def)
 apply (frule use_valid, rule threadGet_inv [where P="(=) s"], rule refl)
 apply (frule use_valid, assumption, rule refl)
@@ -1362,7 +1362,7 @@ lemma getMRs_rel_context:
 "\getMRs_rel args buffer s; (cur_tcb' and case_option \ valid_ipc_buffer_ptr' buffer) s; ko_at' ko t s ; t \ ksCurThread s\ \
- getMRs_rel args buffer (s\ksPSpace := ksPSpace s(t \ KOTCB (tcbArch_update (\_. atcbContextSet st (tcbArch ko)) ko))\)"
+ getMRs_rel args buffer (s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbArch_update (\_. atcbContextSet st (tcbArch ko)) ko))\)"
 apply (clarsimp simp: getMRs_rel_def)
 apply (rule exI, erule conjI)
 apply (subst (asm) det_wp_use, rule det_wp_getMRs)
diff --git a/proof/crefine/ARM_HYP/ArchMove_C.thy b/proof/crefine/ARM_HYP/ArchMove_C.thy
index 59302d72e2..530b503ebb 100644
--- a/proof/crefine/ARM_HYP/ArchMove_C.thy
+++ b/proof/crefine/ARM_HYP/ArchMove_C.thy
@@ -486,7 +486,7 @@ lemma ps_clear_entire_slotI:
 by (fastforce simp: ps_clear_def)
 lemma ps_clear_ksPSpace_upd_same[simp]:
- "ps_clear p n (s\ksPSpace := ksPSpace s(p \ v)\) = ps_clear p n s"
+ "ps_clear p n (s\ksPSpace := (ksPSpace s)(p \ v)\) = ps_clear p n s"
 by (fastforce simp: ps_clear_def)
 lemma getObject_vcpu_prop:
diff --git a/proof/crefine/ARM_HYP/Finalise_C.thy b/proof/crefine/ARM_HYP/Finalise_C.thy
index 732f2318b7..31b8baa885 100644
--- a/proof/crefine/ARM_HYP/Finalise_C.thy
+++ b/proof/crefine/ARM_HYP/Finalise_C.thy
@@ -1295,7 +1295,7 @@ lemma deleteASID_ccorres:
 lemma setObject_ccorres_lemma:
 fixes val :: "'a :: pspace_storable" shows
- "\ \s. \ \ (Q s) c {s'. (s \ ksPSpace := ksPSpace s (ptr \ injectKO val) \, s') \ rf_sr},{};
+ "\ \s. \ \ (Q s) c {s'. (s \ ksPSpace := (ksPSpace s)(ptr \ injectKO val) \, s') \ rf_sr},{};
 \s s' val (val' :: 'a). \ ko_at' val' ptr s; (s, s') \ rf_sr \ \ s' \ Q s; \val :: 'a. updateObject val = updateObject_default val;
@@ -1707,7 +1707,7 @@ lemma option_to_ctcb_ptr_not_0:
 done
 lemma update_tcb_map_to_tcb:
- "map_to_tcbs (ksPSpace s(p \ KOTCB tcb))
+ "map_to_tcbs ((ksPSpace s)(p \ KOTCB tcb))
 = (map_to_tcbs (ksPSpace s))(p \ tcb)"
 by (rule ext, clarsimp simp: projectKOs map_comp_def split: if_split)
@@ -1747,7 +1747,7 @@ lemma sched_queue_relation_shift:
 lemma cendpoint_relation_udpate_arch:
 "\ cslift x p = Some tcb ; cendpoint_relation (cslift x) v v' \
- \ cendpoint_relation (cslift x(p \ tcbArch_C_update f tcb)) v v'"
+ \ cendpoint_relation ((cslift x)(p \ tcbArch_C_update f tcb)) v v'"
 apply (clarsimp simp: cendpoint_relation_def Let_def tcb_queue_relation'_def split: endpoint.splits)
 apply (subst ep_queue_relation_shift2; simp add: fun_eq_iff)
@@ -1758,7 +1758,7 @@ lemma cendpoint_relation_udpate_arch:
 lemma cnotification_relation_udpate_arch:
 "\ cslift x p = Some tcb ; cnotification_relation (cslift x) v v' \
- \ cnotification_relation (cslift x(p \ tcbArch_C_update f tcb)) v v'"
+ \ cnotification_relation ((cslift x)(p \ tcbArch_C_update f tcb)) v v'"
 apply (clarsimp simp: cnotification_relation_def Let_def tcb_queue_relation'_def split: notification.splits ntfn.splits)
 apply (subst ep_queue_relation_shift2; simp add: fun_eq_iff)
@@ -1799,7 +1799,7 @@ lemma archThreadSet_tcbVCPU_Basic_ccorres:
 (* MOVE *)
 lemma update_vcpu_map_to_vcpu:
- "map_to_vcpus (ksPSpace s(p \ KOArch (KOVCPU vcpu)))
+ "map_to_vcpus ((ksPSpace s)(p \ KOArch (KOVCPU vcpu)))
 = (map_to_vcpus (ksPSpace s))(p \ vcpu)"
 by (rule ext, clarsimp simp: projectKOs map_comp_def split: if_split)
diff --git a/proof/crefine/ARM_HYP/IpcCancel_C.thy b/proof/crefine/ARM_HYP/IpcCancel_C.thy
index a028d1e788..ba7082881e 100644
--- a/proof/crefine/ARM_HYP/IpcCancel_C.thy
+++ b/proof/crefine/ARM_HYP/IpcCancel_C.thy
@@ -2817,8 +2817,8 @@ lemma cpspace_relation_ep_update_an_ep:
 and pal: "pspace_aligned' s" "pspace_distinct' s"
 and others: "\epptr' ep'. \ ko_at' ep' epptr' s; epptr' \ epptr; ep' \ IdleEP \ \ set (epQueue ep') \ (ctcb_ptr_to_tcb_ptr ` S) = {}"
- shows "cmap_relation (map_to_eps (ksPSpace s(epptr \ KOEndpoint ep')))
- (cslift t(Ptr epptr \ endpoint)) Ptr (cendpoint_relation mp')"
+ shows "cmap_relation (map_to_eps ((ksPSpace s)(epptr \ KOEndpoint ep')))
+ ((cslift t)(Ptr epptr \ endpoint)) Ptr (cendpoint_relation mp')"
 using cp koat pal rel unfolding cmap_relation_def
 apply -
 apply (clarsimp elim!: obj_atE' simp: map_comp_update projectKO_opts_defs)
@@ -2840,8 +2840,8 @@ lemma cpspace_relation_ep_update_ep:
 and cp: "cmap_relation (map_to_eps (ksPSpace s)) (cslift t) Ptr (cendpoint_relation mp)"
 and rel: "cendpoint_relation mp' ep' endpoint"
 and mpeq: "(mp' |` (- (tcb_ptr_to_ctcb_ptr ` qs))) = (mp |` (- (tcb_ptr_to_ctcb_ptr ` qs)))"
- shows "cmap_relation (map_to_eps (ksPSpace s(epptr \ KOEndpoint ep')))
- (cslift t(Ptr epptr \ endpoint)) Ptr (cendpoint_relation mp')"
+ shows "cmap_relation (map_to_eps ((ksPSpace s)(epptr \ KOEndpoint ep')))
+ ((cslift t)(Ptr epptr \ endpoint)) Ptr (cendpoint_relation mp')"
 using invs
 apply (intro cpspace_relation_ep_update_an_ep[OF koat cp rel mpeq])
 apply clarsimp+
@@ -2853,15 +2853,15 @@ lemma cpspace_relation_ep_update_ep':
 fixes ep :: "endpoint" and ep' :: "endpoint" and epptr :: "word32" and s :: "kernel_state"
 defines "qs \ if (isSendEP ep' \ isRecvEP ep') then set (epQueue ep') else {}"
- defines "s' \ s\ksPSpace := ksPSpace s(epptr \ KOEndpoint ep')\"
+ defines "s' \ s\ksPSpace := (ksPSpace s)(epptr \ KOEndpoint ep')\"
 assumes koat: "ko_at' ep epptr s"
 and vp: "valid_pspace' s"
 and cp: "cmap_relation (map_to_eps (ksPSpace s)) (cslift t) Ptr (cendpoint_relation mp)"
 and srs: "sym_refs (state_refs_of' s')"
 and rel: "cendpoint_relation mp' ep' endpoint"
 and mpeq: "(mp' |` (- (tcb_ptr_to_ctcb_ptr ` qs))) = (mp |` (- (tcb_ptr_to_ctcb_ptr ` qs)))"
- shows "cmap_relation (map_to_eps (ksPSpace s(epptr \ KOEndpoint ep')))
- (cslift t(Ptr epptr \ endpoint)) Ptr (cendpoint_relation mp')"
+ shows "cmap_relation (map_to_eps ((ksPSpace s)(epptr \ KOEndpoint ep')))
+ ((cslift t)(Ptr epptr \ endpoint)) Ptr (cendpoint_relation mp')"
 proof -
 from koat have koat': "ko_at' ep' epptr s'"
 by (clarsimp simp: obj_at'_def s'_def objBitsKO_def ps_clear_def projectKOs)
diff --git a/proof/crefine/ARM_HYP/Ipc_C.thy b/proof/crefine/ARM_HYP/Ipc_C.thy
index 8d4feddeff..8e8a9c706c 100644
--- a/proof/crefine/ARM_HYP/Ipc_C.thy
+++ b/proof/crefine/ARM_HYP/Ipc_C.thy
@@ -5078,12 +5078,12 @@ lemma sendIPC_enqueue_ccorres_helper:
 apply (simp add: cendpoint_relation_def Let_def)
 apply (case_tac ep, simp_all add: init_def valid_ep'_def)[1]
 apply (subgoal_tac "sym_refs (state_refs_of' (\\ksPSpace :=
- ksPSpace \(epptr \ KOEndpoint (SendEP queue))\))")
+ (ksPSpace \)(epptr \ KOEndpoint (SendEP queue))\))")
 prefer 2
 apply (clarsimp simp: state_refs_of'_upd ko_wp_at'_def obj_at'_def projectKOs objBitsKO_def)
 apply (subgoal_tac "ko_at' (SendEP queue) epptr (\\ksPSpace :=
- ksPSpace \(epptr \ KOEndpoint (SendEP queue))\)")
+ (ksPSpace \)(epptr \ KOEndpoint (SendEP queue))\)")
 prefer 2
 apply (clarsimp simp: obj_at'_def projectKOs objBitsKO_def ps_clear_upd)
 apply (intro conjI impI allI)
@@ -5473,12 +5473,12 @@ lemma receiveIPC_enqueue_ccorres_helper:
 apply (simp add: cendpoint_relation_def Let_def)
 apply (case_tac ep, simp_all add: init_def valid_ep'_def)[1]
 apply (subgoal_tac "sym_refs (state_refs_of' (\\ksPSpace :=
- ksPSpace \(epptr \ KOEndpoint (RecvEP queue))\))")
+ (ksPSpace \)(epptr \ KOEndpoint (RecvEP queue))\))")
 prefer 2
 apply (clarsimp simp: state_refs_of'_upd ko_wp_at'_def obj_at'_def projectKOs objBitsKO_def)
 apply (subgoal_tac "ko_at' (RecvEP queue) epptr (\\ksPSpace :=
- ksPSpace \(epptr \ KOEndpoint (RecvEP queue))\)")
+ (ksPSpace \)(epptr \ KOEndpoint (RecvEP queue))\)")
 prefer 2
 apply (clarsimp simp: obj_at'_def projectKOs objBitsKO_def ps_clear_upd)
 apply (intro conjI impI allI)
@@ -6475,16 +6475,17 @@ lemma cpspace_relation_ntfn_update_ntfn':
 fixes ntfn :: "Structures_H.notification" and ntfn' :: "Structures_H.notification" and ntfnptr :: "word32" and s :: "kernel_state"
 defines "qs \ if isWaitingNtfn (ntfnObj ntfn') then set (ntfnQueue (ntfnObj ntfn')) else {}"
- defines "s' \ s\ksPSpace := ksPSpace s(ntfnptr \ KONotification ntfn')\"
+ defines "s' \ s\ksPSpace := (ksPSpace s)(ntfnptr \ KONotification ntfn')\"
 assumes koat: "ko_at' ntfn ntfnptr s"
 and vp: "valid_pspace' s"
 and cp: "cmap_relation (map_to_ntfns (ksPSpace s)) (cslift t) Ptr (cnotification_relation (cslift t))"
 and srs: "sym_refs (state_refs_of' s')"
 and rel: "cnotification_relation (cslift t') ntfn' notification"
 and mpeq: "(cslift t' |` (- (tcb_ptr_to_ctcb_ptr ` qs))) = (cslift t |` (- (tcb_ptr_to_ctcb_ptr ` qs)))"
- shows "cmap_relation (map_to_ntfns (ksPSpace s(ntfnptr \ KONotification ntfn')))
- (cslift t(Ptr ntfnptr \ notification)) Ptr
- (cnotification_relation (cslift t'))"
+ shows "cmap_relation (map_to_ntfns ((ksPSpace s)(ntfnptr \ KONotification ntfn')))
+ ((cslift t)(Ptr ntfnptr \ notification))
+ Ptr
+ (cnotification_relation (cslift t'))"
 proof -
 from koat have koat': "ko_at' ntfn' ntfnptr s'"
 by (clarsimp simp: obj_at'_def s'_def objBitsKO_def ps_clear_def projectKOs)
@@ -6563,12 +6564,12 @@ lemma receiveSignal_enqueue_ccorres_helper:
 apply (simp add: cnotification_relation_def Let_def)
 apply (case_tac "ntfnObj ntfn", simp_all add: init_def valid_ntfn'_def)[1]
 apply (subgoal_tac "sym_refs (state_refs_of' (\\ksPSpace :=
- ksPSpace \(ntfnptr \ KONotification (NTFN (WaitingNtfn queue) (ntfnBoundTCB ntfn)))\))")
+ (ksPSpace \)(ntfnptr \ KONotification (NTFN (WaitingNtfn queue) (ntfnBoundTCB ntfn)))\))")
 prefer 2
 apply (clarsimp simp: state_refs_of'_upd ko_wp_at'_def ntfnBound_state_refs_equivalence obj_at'_def projectKOs objBitsKO_def)
 apply (subgoal_tac "ko_at' (NTFN (WaitingNtfn queue) (ntfnBoundTCB ntfn)) ntfnptr (\\ksPSpace :=
- ksPSpace \(ntfnptr \ KONotification (NTFN (WaitingNtfn queue) (ntfnBoundTCB ntfn)))\)")
+ (ksPSpace \)(ntfnptr \ KONotification (NTFN (WaitingNtfn queue) (ntfnBoundTCB ntfn)))\)")
 prefer 2
 apply (clarsimp simp: obj_at'_def projectKOs objBitsKO_def ps_clear_upd)
 apply (intro conjI impI allI)
diff --git a/proof/crefine/ARM_HYP/PSpace_C.thy b/proof/crefine/ARM_HYP/PSpace_C.thy
index 50d4aed6cd..97b7236e95 100644
--- a/proof/crefine/ARM_HYP/PSpace_C.thy
+++ b/proof/crefine/ARM_HYP/PSpace_C.thy
@@ -47,7 +47,7 @@ lemma setObject_ccorres_helper:
 fixes ko :: "'a :: pspace_storable"
 assumes valid: "\\ (ko' :: 'a). \ \ {s. (\, s) \ rf_sr \ P \ \ s \ P' \ ko_at' ko' p \}
- c {s. (\\ksPSpace := ksPSpace \ (p \ injectKO ko)\, s) \ rf_sr}"
+ c {s. (\\ksPSpace := (ksPSpace \)(p \ injectKO ko)\, s) \ rf_sr}"
 shows "\ \ko :: 'a. updateObject ko = updateObject_default ko; \ko :: 'a. (1 :: word32) < 2 ^ objBits ko \ \ ccorres dc xfdc P P' hs (setObject p ko) c"
diff --git a/proof/crefine/ARM_HYP/Recycle_C.thy b/proof/crefine/ARM_HYP/Recycle_C.thy
index 995f2129e6..ed2183467f 100644
--- a/proof/crefine/ARM_HYP/Recycle_C.thy
+++ b/proof/crefine/ARM_HYP/Recycle_C.thy
@@ -456,7 +456,7 @@ lemma mapM_x_store_memset_ccorres_assist:
 "\ko :: 'a. (1 :: word32) < 2 ^ objBits ko"
 assumes restr: "set slots \ S"
 assumes worker: "\ptr s s' (ko :: 'a). \ (s, s') \ rf_sr; ko_at' ko ptr s; ptr \ S \
- \ (s \ ksPSpace := ksPSpace s (ptr \ injectKO val)\,
+ \ (s \ ksPSpace := (ksPSpace s)(ptr \ injectKO val)\,
 globals_update (t_hrs_'_update (hrs_mem_update (heap_update_list ptr (replicateHider (2 ^ objBits val) (ucast c))))) s') \ rf_sr"
@@ -812,8 +812,8 @@ lemma cpspace_relation_ep_update_ep2:
 (cslift t) ep_Ptr (cendpoint_relation (cslift t)); cendpoint_relation (cslift t') ep' endpoint; (cslift t' :: tcb_C ptr \ tcb_C) = cslift t \
- \ cmap_relation (map_to_eps (ksPSpace s(epptr \ KOEndpoint ep')))
- (cslift t(ep_Ptr epptr \ endpoint))
+ \ cmap_relation (map_to_eps ((ksPSpace s)(epptr \ KOEndpoint ep')))
+ ((cslift t)(ep_Ptr epptr \ endpoint))
 ep_Ptr (cendpoint_relation (cslift t'))"
 apply (rule cmap_relationE1, assumption, erule ko_at_projectKO_opt)
 apply (rule_tac P="\a. cmap_relation a b c d" for b c d in rsubst,
diff --git a/proof/crefine/ARM_HYP/Retype_C.thy b/proof/crefine/ARM_HYP/Retype_C.thy
index 1e888203eb..767dcac4dc 100644
--- a/proof/crefine/ARM_HYP/Retype_C.thy
+++ b/proof/crefine/ARM_HYP/Retype_C.thy
@@ -5365,7 +5365,7 @@ lemma ptr_retyp_fromzeroVCPU:
 assumes cover: "range_cover p vcpu_bits vcpu_bits 1"
 assumes al: "is_aligned p vcpu_bits"
 assumes sr: "(\, \') \ rf_sr"
- shows "(\\ksPSpace := ksPSpace \(p \ ko_vcpu)\,
+ shows "(\\ksPSpace := (ksPSpace \)(p \ ko_vcpu)\,
 globals_update (t_hrs_'_update (hrs_htd_update (ptr_retyp (vcpu_Ptr p)))) \') \ rf_sr" (is "(\\ksPSpace := ?ks\, globals_update ?gs' \') \ rf_sr")
@@ -5436,8 +5436,8 @@ proof -
 have map_vcpus:
 "cmap_relation (map_to_vcpus (ksPSpace \)) (cslift \') vcpu_Ptr cvcpu_relation
- \ cmap_relation (map_to_vcpus (ksPSpace \)(p \ vcpu0))
- (cslift \'(vcpu_Ptr p \ ?zeros)) vcpu_Ptr cvcpu_relation"
+ \ cmap_relation ((map_to_vcpus (ksPSpace \))(p \ vcpu0))
+ ((cslift \')(vcpu_Ptr p \ ?zeros)) vcpu_Ptr cvcpu_relation"
 apply (erule cmap_vcpus)
 apply (simp add: vcpu0_def from_bytes_def)
 apply (simp add: typ_info_simps vcpu_C_tag_def)
@@ -5540,13 +5540,13 @@ proof -
 by (simp add: objBitsKO_def archObjSize_def vcpu_bits_def' vcpuBits_def')
 have rl_vcpu:
- "(projectKO_opt \\<^sub>m (ksPSpace \(p \ KOArch (KOVCPU vcpu0))) :: word32 \ vcpu option)
+ "(projectKO_opt \\<^sub>m ((ksPSpace \)(p \ KOArch (KOVCPU vcpu0))) :: word32 \ vcpu option)
 = (projectKO_opt \\<^sub>m ksPSpace \)(p \ vcpu0)"
 by (rule ext) (clarsimp simp: projectKOs map_comp_def vcpu0_def split: if_split)
 have ctes:
- "map_to_ctes (ksPSpace \(p \ KOArch (KOVCPU vcpu0))) = ctes_of \"
+ "map_to_ctes ((ksPSpace \)(p \ KOArch (KOVCPU vcpu0))) = ctes_of \"
 using pal pdst al pno
 apply (clarsimp simp: fun_upd_def)
 apply (frule (2) pspace_no_overlap_base')
@@ -5963,7 +5963,7 @@ lemma gsCNodes_update_ccorres:
 (* FIXME: move *)
 lemma map_to_tcbs_upd:
- "map_to_tcbs (ksPSpace s(t \ KOTCB tcb')) = map_to_tcbs (ksPSpace s)(t \ tcb')"
+ "map_to_tcbs ((ksPSpace s)(t \ KOTCB tcb')) = (map_to_tcbs (ksPSpace s))(t \ tcb')"
 apply (rule ext)
 apply (clarsimp simp: map_comp_def projectKOs split: option.splits if_splits)
 done
diff --git a/proof/crefine/ARM_HYP/SR_lemmas_C.thy b/proof/crefine/ARM_HYP/SR_lemmas_C.thy
index 9ea8c722d2..6a34b458be 100644
--- a/proof/crefine/ARM_HYP/SR_lemmas_C.thy
+++ b/proof/crefine/ARM_HYP/SR_lemmas_C.thy
@@ -324,21 +324,21 @@ lemma tcb_cte_cases_proj_eq [simp]:
 lemma map_to_ctes_upd_cte':
 "\ ksPSpace s p = Some (KOCTE cte'); is_aligned p cte_level_bits; ps_clear p cte_level_bits s \
- \ map_to_ctes (ksPSpace s(p |-> KOCTE cte)) = (map_to_ctes (ksPSpace s))(p |-> cte)"
+ \ map_to_ctes ((ksPSpace s)(p |-> KOCTE cte)) = (map_to_ctes (ksPSpace s))(p |-> cte)"
 apply (erule (1) map_to_ctes_upd_cte)
 apply (simp add: field_simps ps_clear_def3 cte_level_bits_def mask_def)
 done
 lemma map_to_ctes_upd_tcb':
- "[| ksPSpace s p = Some (KOTCB tcb'); is_aligned p tcbBlockSizeBits;
- ps_clear p tcbBlockSizeBits s |]
-==> map_to_ctes (ksPSpace s(p |-> KOTCB tcb)) =
- (%x. if EX getF setF.
+ "\ ksPSpace s p = Some (KOTCB tcb'); is_aligned p tcbBlockSizeBits;
+ ps_clear p tcbBlockSizeBits s \
+ \ map_to_ctes ((ksPSpace s)(p \ KOTCB tcb)) =
+ (\x. if EX getF setF.
 tcb_cte_cases (x - p) = Some (getF, setF) &
- getF tcb ~= getF tcb'
- then case tcb_cte_cases (x - p) of
- Some (getF, setF) => Some (getF tcb)
- else ctes_of s x)"
+ getF tcb \ getF tcb'
+ then case tcb_cte_cases (x - p) of
+ Some (getF, setF) \ Some (getF tcb)
+ else ctes_of s x)"
 apply (erule (1) map_to_ctes_upd_tcb)
 apply (simp add: field_simps ps_clear_def3 mask_def objBits_defs)
 done
@@ -459,7 +459,7 @@ lemma fst_setCTE:
 assumes ct: "cte_at' dest s"
 and rl: "\s'. \ ((), s') \ fst (setCTE dest cte s);
 (s' = s \ ksPSpace := ksPSpace s' \);
- (ctes_of s' = ctes_of s(dest \ cte));
+ (ctes_of s' = (ctes_of s)(dest \ cte));
 (map_to_eps (ksPSpace s) = map_to_eps (ksPSpace s'));
 (map_to_ntfns (ksPSpace s) = map_to_ntfns (ksPSpace s'));
 (map_to_pdes (ksPSpace s) = map_to_pdes (ksPSpace s'));
@@ -486,7 +486,7 @@ proof -
 by clarsimp
 note thms = this
- have ceq: "ctes_of s' = ctes_of s(dest \ cte)"
+ have ceq: "ctes_of s' = (ctes_of s)(dest \ cte)"
 by (rule use_valid [OF thms(1) setCTE_ctes_of_wp]) simp
 show ?thesis
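Review bot: The retyped statement of `map_to_ctes_upd_tcb'` stops half-way through the notation change: `[| |]`, `==>`, `%x.`, `~=` and `=>` are replaced by their symbolic forms on the `+` lines, but `EX getF setF.` and the `&` closing the unchanged `tcb_cte_cases (x - p) = Some (getF, setF) &` context line stay ASCII, and the sibling `map_to_ctes_upd_cte'` in the same hunk keeps `|->` where this lemma now uses the symbolic map update. Since both statements are being re-spelled anyway, finishing the conversion in one go keeps the two lemmas in one notation, e.g. `(\<lambda>x. if \<exists>getF setF. tcb_cte_cases (x - p) = Some (getF, setF) \<and> getF tcb \<noteq> getF tcb'` here and `(p \<mapsto> KOCTE cte)` / `(p \<mapsto> cte)` in `map_to_ctes_upd_cte'`. Both forms parse to the same terms and the `apply (erule (1) map_to_ctes_upd_tcb)` script below is unaffected, so this is style only, but it avoids a second pass over these lines should the remaining ASCII forms be flagged as legacy syntax later.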
@@ -1511,7 +1511,7 @@ lemma ntfnQueue_tail_mask_4 [simp]:
 lemma map_to_ctes_upd_tcb_no_ctes:
 "\ko_at' tcb thread s ; \x\ran tcb_cte_cases. (\(getF, setF). getF tcb' = getF tcb) x \
- \ map_to_ctes (ksPSpace s(thread \ KOTCB tcb')) = map_to_ctes (ksPSpace s)"
+ \ map_to_ctes ((ksPSpace s)(thread \ KOTCB tcb')) = map_to_ctes (ksPSpace s)"
 apply (erule obj_atE')
 apply (simp add: projectKOs objBits_simps)
 apply (subst map_to_ctes_upd_tcb')
@@ -1525,15 +1525,15 @@ lemma map_to_ctes_upd_tcb_no_ctes:
 lemma update_ntfn_map_tos:
 fixes P :: "Structures_H.notification \ bool"
 assumes at: "obj_at' P p s"
- shows "map_to_eps (ksPSpace s(p \ KONotification ko)) = map_to_eps (ksPSpace s)"
- and "map_to_tcbs (ksPSpace s(p \ KONotification ko)) = map_to_tcbs (ksPSpace s)"
- and "map_to_ctes (ksPSpace s(p \ KONotification ko)) = map_to_ctes (ksPSpace s)"
- and "map_to_pdes (ksPSpace s(p \ KONotification ko)) = map_to_pdes (ksPSpace s)"
- and "map_to_ptes (ksPSpace s(p \ KONotification ko)) = map_to_ptes (ksPSpace s)"
- and "map_to_asidpools (ksPSpace s(p \ KONotification ko)) = map_to_asidpools (ksPSpace s)"
- and "map_to_vcpus (ksPSpace s(p \ KONotification ko)) = map_to_vcpus (ksPSpace s)"
- and "map_to_user_data (ksPSpace s(p \ KONotification ko)) = map_to_user_data (ksPSpace s)"
- and "map_to_user_data_device (ksPSpace s(p \ KONotification ko)) = map_to_user_data_device (ksPSpace s)"
+ shows "map_to_eps ((ksPSpace s)(p \ KONotification ko)) = map_to_eps (ksPSpace s)"
+ and "map_to_tcbs ((ksPSpace s)(p \ KONotification ko)) = map_to_tcbs (ksPSpace s)"
+ and "map_to_ctes ((ksPSpace s)(p \ KONotification ko)) = map_to_ctes (ksPSpace s)"
+ and "map_to_pdes ((ksPSpace s)(p \ KONotification ko)) = map_to_pdes (ksPSpace s)"
+ and "map_to_ptes ((ksPSpace s)(p \ KONotification ko)) = map_to_ptes (ksPSpace s)"
+ and "map_to_asidpools ((ksPSpace s)(p \ KONotification ko)) = map_to_asidpools (ksPSpace s)"
+ and "map_to_vcpus ((ksPSpace s)(p \ KONotification ko)) = map_to_vcpus (ksPSpace s)"
+ and "map_to_user_data ((ksPSpace s)(p \ KONotification ko)) = map_to_user_data (ksPSpace s)"
+ and "map_to_user_data_device ((ksPSpace s)(p \ KONotification ko)) = map_to_user_data_device (ksPSpace s)"
 using at
 by (auto elim!: obj_atE' intro!: map_to_ctes_upd_other map_comp_eqI simp: projectKOs projectKO_opts_defs split: kernel_object.splits if_split_asm)+
@@ -1541,15 +1541,15 @@ lemma update_ntfn_map_tos:
 lemma update_ep_map_tos:
 fixes P :: "endpoint \ bool"
 assumes at: "obj_at' P p s"
- shows "map_to_ntfns (ksPSpace s(p \ KOEndpoint ko)) = map_to_ntfns (ksPSpace s)"
- and "map_to_tcbs (ksPSpace s(p \ KOEndpoint ko)) = map_to_tcbs (ksPSpace s)"
- and "map_to_ctes (ksPSpace s(p \ KOEndpoint ko)) = map_to_ctes (ksPSpace s)"
- and "map_to_pdes (ksPSpace s(p \ KOEndpoint ko)) = map_to_pdes (ksPSpace s)"
- and "map_to_ptes (ksPSpace s(p \ KOEndpoint ko)) = map_to_ptes (ksPSpace s)"
- and "map_to_asidpools (ksPSpace s(p \ KOEndpoint ko)) = map_to_asidpools (ksPSpace s)"
- and "map_to_vcpus (ksPSpace s(p \ KOEndpoint ko)) = map_to_vcpus (ksPSpace s)"
- and "map_to_user_data (ksPSpace s(p \ KOEndpoint ko)) = map_to_user_data (ksPSpace s)"
- and "map_to_user_data_device (ksPSpace s(p \ KOEndpoint ko)) = map_to_user_data_device (ksPSpace s)"
+ shows "map_to_ntfns ((ksPSpace s)(p \ KOEndpoint ko)) = map_to_ntfns (ksPSpace s)"
+ and "map_to_tcbs ((ksPSpace s)(p \ KOEndpoint ko)) = map_to_tcbs (ksPSpace s)"
+ and "map_to_ctes ((ksPSpace s)(p \ KOEndpoint ko)) = map_to_ctes (ksPSpace s)"
+ and "map_to_pdes ((ksPSpace s)(p \ KOEndpoint ko)) = map_to_pdes (ksPSpace s)"
+ and "map_to_ptes ((ksPSpace s)(p \ KOEndpoint ko)) = map_to_ptes (ksPSpace s)"
+ and "map_to_asidpools ((ksPSpace s)(p \ KOEndpoint ko)) = map_to_asidpools (ksPSpace s)"
+ and "map_to_vcpus ((ksPSpace s)(p \ KOEndpoint ko)) = map_to_vcpus (ksPSpace s)"
+ and "map_to_user_data ((ksPSpace s)(p \ KOEndpoint ko)) = map_to_user_data (ksPSpace s)"
+ and "map_to_user_data_device ((ksPSpace s)(p \ KOEndpoint ko)) = map_to_user_data_device (ksPSpace s)"
 using at
 by (auto elim!: obj_atE' intro!: map_to_ctes_upd_other map_comp_eqI simp: projectKOs projectKO_opts_defs split: kernel_object.splits if_split_asm)+
@@ -1557,14 +1557,14 @@ lemma update_ep_map_tos:
 lemma update_tcb_map_tos:
 fixes P :: "tcb \ bool"
 assumes at: "obj_at' P p s"
- shows "map_to_eps (ksPSpace s(p \ KOTCB ko)) = map_to_eps (ksPSpace s)"
- and "map_to_ntfns (ksPSpace s(p \ KOTCB ko)) = map_to_ntfns (ksPSpace s)"
- and "map_to_pdes (ksPSpace s(p \ KOTCB ko)) = map_to_pdes (ksPSpace s)"
- and "map_to_ptes (ksPSpace s(p \ KOTCB ko)) = map_to_ptes (ksPSpace s)"
- and "map_to_asidpools (ksPSpace s(p \ KOTCB ko)) = map_to_asidpools (ksPSpace s)"
- and "map_to_vcpus (ksPSpace s(p \ KOTCB ko)) = map_to_vcpus (ksPSpace s)"
- and "map_to_user_data (ksPSpace s(p \ KOTCB ko)) = map_to_user_data (ksPSpace s)"
- and "map_to_user_data_device (ksPSpace s(p \ KOTCB ko)) = map_to_user_data_device (ksPSpace s)"
+ shows "map_to_eps ((ksPSpace s)(p \ KOTCB ko)) = map_to_eps (ksPSpace s)"
+ and "map_to_ntfns ((ksPSpace s)(p \ KOTCB ko)) = map_to_ntfns (ksPSpace s)"
+ and "map_to_pdes ((ksPSpace s)(p \ KOTCB ko)) = map_to_pdes (ksPSpace s)"
+ and "map_to_ptes ((ksPSpace s)(p \ KOTCB ko)) = map_to_ptes (ksPSpace s)"
+ and "map_to_asidpools ((ksPSpace s)(p \ KOTCB ko)) = map_to_asidpools (ksPSpace s)"
+ and "map_to_vcpus ((ksPSpace s)(p \ KOTCB ko)) = map_to_vcpus (ksPSpace s)"
+ and "map_to_user_data ((ksPSpace s)(p \ KOTCB ko)) = map_to_user_data (ksPSpace s)"
+ and "map_to_user_data_device ((ksPSpace s)(p \ KOTCB ko)) = map_to_user_data_device (ksPSpace s)"
 using at
 by (auto elim!: obj_atE' intro!: map_to_ctes_upd_other map_comp_eqI simp: projectKOs projectKO_opts_defs split: kernel_object.splits if_split_asm)+
@@ -1572,15 +1572,15 @@ lemma update_tcb_map_tos:
 lemma update_asidpool_map_tos:
 fixes P :: "asidpool \ bool"
 assumes at: "obj_at' P p s"
- shows "map_to_ntfns (ksPSpace s(p \ KOArch (KOASIDPool ap))) = map_to_ntfns (ksPSpace s)"
- and "map_to_tcbs (ksPSpace s(p \ KOArch (KOASIDPool ap))) = map_to_tcbs (ksPSpace s)"
- and "map_to_ctes (ksPSpace s(p \ KOArch (KOASIDPool ap))) = map_to_ctes (ksPSpace s)"
- and "map_to_pdes (ksPSpace s(p \ KOArch (KOASIDPool ap))) = map_to_pdes (ksPSpace s)"
- and "map_to_ptes (ksPSpace s(p \ KOArch (KOASIDPool ap))) = map_to_ptes (ksPSpace s)"
- and "map_to_eps (ksPSpace s(p \ KOArch (KOASIDPool ap))) = map_to_eps (ksPSpace s)"
- and "map_to_vcpus (ksPSpace s(p \ KOArch (KOASIDPool ap))) = map_to_vcpus (ksPSpace s)"
- and "map_to_user_data (ksPSpace s(p \ KOArch (KOASIDPool ap))) = map_to_user_data (ksPSpace s)"
- and "map_to_user_data_device (ksPSpace s(p \ KOArch (KOASIDPool ap))) = map_to_user_data_device (ksPSpace s)"
+ shows "map_to_ntfns ((ksPSpace s)(p \ KOArch (KOASIDPool ap))) = map_to_ntfns (ksPSpace s)"
+ and "map_to_tcbs ((ksPSpace s)(p \ KOArch (KOASIDPool ap))) = map_to_tcbs (ksPSpace s)"
+ and "map_to_ctes ((ksPSpace s)(p \ KOArch (KOASIDPool ap))) = map_to_ctes (ksPSpace s)"
+ and "map_to_pdes ((ksPSpace s)(p \ KOArch (KOASIDPool ap))) = map_to_pdes (ksPSpace s)"
+ and "map_to_ptes ((ksPSpace s)(p \ KOArch (KOASIDPool ap))) = map_to_ptes (ksPSpace s)"
+ and "map_to_eps ((ksPSpace s)(p \ KOArch (KOASIDPool ap))) = map_to_eps (ksPSpace s)"
+ and "map_to_vcpus ((ksPSpace s)(p \ KOArch (KOASIDPool ap))) = map_to_vcpus (ksPSpace s)"
+ and "map_to_user_data ((ksPSpace s)(p \ KOArch (KOASIDPool ap))) = map_to_user_data (ksPSpace s)"
+ and "map_to_user_data_device ((ksPSpace s)(p \ KOArch (KOASIDPool ap))) = map_to_user_data_device (ksPSpace s)"
 using at
 by (auto elim!: obj_atE' intro!: map_to_ctes_upd_other map_comp_eqI
@@ -1589,27 +1589,27 @@ lemma update_asidpool_map_tos:
 arch_kernel_object.split_asm)
 lemma update_asidpool_map_to_asidpools:
- "map_to_asidpools (ksPSpace s(p \ KOArch (KOASIDPool ap)))
+ "map_to_asidpools ((ksPSpace s)(p \ KOArch (KOASIDPool ap)))
 = (map_to_asidpools (ksPSpace s))(p \ ap)"
 by (rule ext, clarsimp simp: projectKOs map_comp_def split: if_split)
 lemma update_pte_map_to_ptes:
- "map_to_ptes (ksPSpace s(p \ KOArch (KOPTE pte)))
+ "map_to_ptes ((ksPSpace s)(p \ KOArch (KOPTE pte)))
 = (map_to_ptes (ksPSpace s))(p \ pte)"
 by (rule ext, clarsimp simp: projectKOs map_comp_def split: if_split)
 lemma update_pte_map_tos:
 fixes P :: "pte \ bool"
 assumes at: "obj_at' P p s"
- shows "map_to_ntfns (ksPSpace s(p \ (KOArch (KOPTE pte)))) = map_to_ntfns (ksPSpace s)"
- and "map_to_tcbs (ksPSpace s(p \ (KOArch (KOPTE pte)))) = map_to_tcbs (ksPSpace s)"
- and "map_to_ctes (ksPSpace s(p \ (KOArch (KOPTE pte)))) = map_to_ctes (ksPSpace s)"
- and "map_to_pdes (ksPSpace s(p \ (KOArch (KOPTE pte)))) = map_to_pdes (ksPSpace s)"
- and "map_to_eps (ksPSpace s(p \ (KOArch (KOPTE pte)))) = map_to_eps (ksPSpace s)"
- and "map_to_asidpools (ksPSpace s(p \ (KOArch (KOPTE pte)))) = map_to_asidpools (ksPSpace s)"
- and "map_to_vcpus (ksPSpace s(p \ (KOArch (KOPTE pte)))) = map_to_vcpus (ksPSpace s)"
- and "map_to_user_data (ksPSpace s(p \ (KOArch (KOPTE pte)))) = map_to_user_data (ksPSpace s)"
- and "map_to_user_data_device (ksPSpace s(p \ (KOArch (KOPTE pte)))) = map_to_user_data_device (ksPSpace s)"
+ shows "map_to_ntfns ((ksPSpace s)(p \ (KOArch (KOPTE pte)))) = map_to_ntfns (ksPSpace s)"
+ and "map_to_tcbs ((ksPSpace s)(p \ (KOArch (KOPTE pte)))) = map_to_tcbs (ksPSpace s)"
+ and "map_to_ctes ((ksPSpace s)(p \ (KOArch (KOPTE pte)))) = map_to_ctes (ksPSpace s)"
+ and "map_to_pdes ((ksPSpace s)(p \ (KOArch (KOPTE pte)))) = map_to_pdes (ksPSpace s)"
+ and "map_to_eps ((ksPSpace s)(p \ (KOArch (KOPTE pte)))) = map_to_eps (ksPSpace s)"
+ and "map_to_asidpools ((ksPSpace s)(p \ (KOArch (KOPTE pte)))) = map_to_asidpools (ksPSpace s)"
+ and "map_to_vcpus ((ksPSpace s)(p \ (KOArch (KOPTE pte)))) = map_to_vcpus (ksPSpace s)"
+ and "map_to_user_data ((ksPSpace s)(p \ (KOArch (KOPTE pte)))) = map_to_user_data (ksPSpace s)"
+ and "map_to_user_data_device ((ksPSpace s)(p \ (KOArch (KOPTE pte)))) = map_to_user_data_device (ksPSpace s)"
 using at
 by (auto elim!: obj_atE' intro!: map_comp_eqI map_to_ctes_upd_other split: if_split_asm if_split
@@ -1617,22 +1617,22 @@ lemma update_pte_map_tos:
 auto simp: projectKO_opts_defs)
 lemma update_pde_map_to_pdes:
- "map_to_pdes (ksPSpace s(p \ KOArch (KOPDE pde)))
+ "map_to_pdes ((ksPSpace s)(p \ KOArch (KOPDE pde)))
 = (map_to_pdes (ksPSpace s))(p \ pde)"
 by (rule ext, clarsimp simp: projectKOs map_comp_def split: if_split)
 lemma update_pde_map_tos:
 fixes P :: "pde \ bool"
 assumes at: "obj_at' P p s"
- shows "map_to_ntfns (ksPSpace s(p \ (KOArch (KOPDE pde)))) = map_to_ntfns (ksPSpace s)"
- and "map_to_tcbs (ksPSpace s(p \ (KOArch (KOPDE pde)))) = map_to_tcbs (ksPSpace s)"
- and "map_to_ctes (ksPSpace s(p \ (KOArch (KOPDE pde)))) = map_to_ctes (ksPSpace s)"
- and "map_to_ptes (ksPSpace s(p \ (KOArch (KOPDE pde)))) = map_to_ptes (ksPSpace s)"
- and "map_to_eps (ksPSpace s(p \ (KOArch (KOPDE pde)))) = map_to_eps (ksPSpace s)"
- and "map_to_asidpools (ksPSpace s(p \ (KOArch (KOPDE pde)))) = map_to_asidpools (ksPSpace s)"
- and "map_to_vcpus (ksPSpace s(p \ (KOArch (KOPDE pde)))) = map_to_vcpus (ksPSpace s)"
- and "map_to_user_data (ksPSpace s(p \ (KOArch (KOPDE pde)))) = map_to_user_data (ksPSpace s)"
- and "map_to_user_data_device (ksPSpace s(p \ (KOArch (KOPDE pde)))) = map_to_user_data_device (ksPSpace s)"
+ shows "map_to_ntfns ((ksPSpace s)(p \ (KOArch (KOPDE pde)))) = map_to_ntfns (ksPSpace s)"
+ and "map_to_tcbs ((ksPSpace s)(p \ (KOArch (KOPDE pde)))) = map_to_tcbs (ksPSpace s)"
+ and "map_to_ctes ((ksPSpace s)(p \ (KOArch (KOPDE pde)))) = map_to_ctes (ksPSpace s)"
+ and "map_to_ptes ((ksPSpace s)(p \ (KOArch (KOPDE pde)))) = map_to_ptes (ksPSpace s)"
+ and "map_to_eps ((ksPSpace s)(p \ (KOArch (KOPDE pde)))) = map_to_eps (ksPSpace s)"
+ and "map_to_asidpools ((ksPSpace s)(p \ (KOArch (KOPDE pde)))) = map_to_asidpools (ksPSpace s)"
+ and "map_to_vcpus ((ksPSpace s)(p \ (KOArch (KOPDE pde)))) = map_to_vcpus (ksPSpace s)"
+ and "map_to_user_data ((ksPSpace s)(p \ (KOArch (KOPDE pde)))) = map_to_user_data (ksPSpace s)"
+ and "map_to_user_data_device ((ksPSpace s)(p \ (KOArch (KOPDE pde)))) = map_to_user_data_device (ksPSpace s)"
 using at
 by (auto elim!: obj_atE' intro!: map_comp_eqI map_to_ctes_upd_other split: if_split_asm if_split
@@ -1642,15 +1642,15 @@ lemma update_pde_map_tos:
 lemma update_vcpu_map_tos:
 fixes P :: "vcpu \ bool"
 assumes at: "obj_at' P p s"
- shows "map_to_ntfns (ksPSpace s(p \ (KOArch (KOVCPU vcpu)))) = map_to_ntfns (ksPSpace s)"
- and "map_to_tcbs (ksPSpace s(p \ (KOArch (KOVCPU vcpu)))) = map_to_tcbs (ksPSpace s)"
- and "map_to_ctes (ksPSpace s(p \ (KOArch (KOVCPU vcpu)))) = map_to_ctes (ksPSpace s)"
- and "map_to_ptes (ksPSpace s(p \ (KOArch (KOVCPU vcpu)))) = map_to_ptes (ksPSpace s)"
- and "map_to_pdes (ksPSpace s(p \ (KOArch (KOVCPU vcpu)))) = map_to_pdes (ksPSpace s)"
- and "map_to_eps (ksPSpace s(p \ (KOArch (KOVCPU vcpu)))) = map_to_eps (ksPSpace s)"
- and "map_to_asidpools (ksPSpace s(p \ (KOArch (KOVCPU vcpu)))) = map_to_asidpools (ksPSpace s)"
- and "map_to_user_data (ksPSpace s(p \ (KOArch (KOVCPU vcpu)))) = map_to_user_data (ksPSpace s)"
- and "map_to_user_data_device (ksPSpace s(p \ (KOArch (KOVCPU vcpu)))) = map_to_user_data_device (ksPSpace s)"
+ shows "map_to_ntfns ((ksPSpace s)(p \ (KOArch (KOVCPU vcpu)))) = map_to_ntfns (ksPSpace s)"
+ and "map_to_tcbs ((ksPSpace s)(p \ (KOArch (KOVCPU vcpu)))) = map_to_tcbs (ksPSpace s)"
+ and "map_to_ctes ((ksPSpace s)(p \ (KOArch (KOVCPU vcpu)))) = map_to_ctes (ksPSpace s)"
+ and "map_to_ptes ((ksPSpace s)(p \ (KOArch (KOVCPU vcpu)))) = map_to_ptes (ksPSpace s)"
+ and "map_to_pdes ((ksPSpace s)(p \ (KOArch (KOVCPU vcpu)))) = map_to_pdes (ksPSpace s)"
+ and "map_to_eps ((ksPSpace s)(p \ (KOArch (KOVCPU vcpu)))) = map_to_eps (ksPSpace s)"
+ and "map_to_asidpools ((ksPSpace s)(p \ (KOArch (KOVCPU vcpu)))) = map_to_asidpools (ksPSpace s)"
+ and "map_to_user_data ((ksPSpace s)(p \ (KOArch (KOVCPU vcpu)))) = map_to_user_data (ksPSpace s)"
+ and "map_to_user_data_device ((ksPSpace s)(p \ (KOArch (KOVCPU vcpu)))) = map_to_user_data_device (ksPSpace s)"
 using at
 by (auto elim!: obj_atE' intro!: map_comp_eqI map_to_ctes_upd_other split: if_split_asm if_split
@@ -2134,7 +2134,7 @@ lemma gs_set_assn_Delete_cstate_relation:
 lemma update_typ_at:
 assumes at: "obj_at' P p s"
 and tp: "\obj. P obj \ koTypeOf (injectKOS obj) = koTypeOf ko"
- shows "typ_at' T p' (s \ksPSpace := ksPSpace s(p \ ko)\) = typ_at' T p' s"
+ shows "typ_at' T p' (s \ksPSpace := (ksPSpace s)(p \ ko)\) = typ_at' T p' s"
 using at
 by (auto elim!: obj_atE' simp: typ_at'_def ko_wp_at'_def dest!: tp[rule_format]
@@ -2402,7 +2402,7 @@ lemma rf_sr_armKSGICVCPUNumListRegs:
 by (clarsimp simp: rf_sr_def cstate_relation_def carch_state_relation_def Let_def)
 lemma update_vcpu_map_to_vcpu:
- "map_to_vcpus (ksPSpace s(p \ KOArch (KOVCPU vcpu)))
+ "map_to_vcpus ((ksPSpace s)(p \ KOArch (KOVCPU vcpu)))
 = (map_to_vcpus (ksPSpace s))(p \ vcpu)"
 by (rule ext, clarsimp simp: projectKOs map_comp_def split: if_split)
diff --git a/proof/crefine/ARM_HYP/Schedule_C.thy b/proof/crefine/ARM_HYP/Schedule_C.thy
index 697ff77c8e..5e2a90cd7f 100644
--- a/proof/crefine/ARM_HYP/Schedule_C.thy
+++ b/proof/crefine/ARM_HYP/Schedule_C.thy
@@ -684,7 +684,7 @@ lemma schedule_ccorres:
 (* FIXME: move *)
 lemma map_to_tcbs_upd:
- "map_to_tcbs (ksPSpace s(t \ KOTCB tcb')) = map_to_tcbs (ksPSpace s)(t \ tcb')"
+ "map_to_tcbs ((ksPSpace s)(t \ KOTCB tcb')) = (map_to_tcbs (ksPSpace s))(t \ tcb')"
 apply (rule ext)
 apply (clarsimp simp: map_comp_def projectKOs split: option.splits if_splits)
 done
diff --git a/proof/crefine/ARM_HYP/TcbAcc_C.thy b/proof/crefine/ARM_HYP/TcbAcc_C.thy
index 73f1b5c191..1ea50d2157 100644
--- a/proof/crefine/ARM_HYP/TcbAcc_C.thy
+++ b/proof/crefine/ARM_HYP/TcbAcc_C.thy
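Review bot: `map_to_tcbs_upd` as re-spelled in the Schedule_C.thy hunk is character-for-character the same lemma, statement and proof, that the Retype_C.thy hunk at 5963 in this same patch also re-spells, both sitting under a `(* FIXME: move *)` marker, and `update_vcpu_map_to_vcpu` is likewise present in both SR_lemmas_C.thy (hunk at 2402) and Finalise_C.thy (hunk at 1799, marked `(* MOVE *)`). A patch that already has to touch every copy is the natural point to keep one copy in a theory the others import — SR_lemmas_C.thy looks like the candidate, assuming it sits below Retype_C, Schedule_C and Finalise_C in the import graph — and delete the rest, so that a later change to the statement cannot leave the copies out of step. If the duplicates are to stay for now, a comment such as `(* FIXME: move; duplicate of Retype_C.map_to_tcbs_upd *)` on this copy would at least record the relationship for whoever picks up the FIXME.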
@@ -178,7 +178,7 @@ lemma threadSet_corres_lemma: assumes spec: "\s. \\ \s. P s\ Call f {t. Q s t}" and mod: "modifies_heap_spec f" and rl: "\\ x t ko. \(\, x) \ rf_sr; Q x t; x \ P'; ko_at' ko thread \\ - \ (\\ksPSpace := ksPSpace \(thread \ KOTCB (g ko))\, + \ (\\ksPSpace := (ksPSpace \)(thread \ KOTCB (g ko))\, t\globals := globals x\t_hrs_' := t_hrs_' (globals t)\\) \ rf_sr" and g: "\s x. \tcb_at' thread s; x \ P'; (s, x) \ rf_sr\ \ P x" shows "ccorres dc xfdc (tcb_at' thread) P' [] (threadSet g thread) (Call f)" @@ -207,7 +207,7 @@ lemma threadSet_corres_lemma: lemma threadSet_ccorres_lemma4: - "\ \s tcb. \ \ (Q s tcb) c {s'. (s \ksPSpace := ksPSpace s(thread \ injectKOS (F tcb))\, s') \ rf_sr}; + "\ \s tcb. \ \ (Q s tcb) c {s'. (s \ksPSpace := (ksPSpace s)(thread \ injectKOS (F tcb))\, s') \ rf_sr}; \s s' tcb tcb'. \ (s, s') \ rf_sr; P tcb; ko_at' tcb thread s; cslift s' (tcb_ptr_to_ctcb_ptr thread) = Some tcb'; ctcb_relation tcb tcb'; P' s ; s' \ R\ \ s' \ Q s tcb \ diff --git a/proof/crefine/ARM_HYP/TcbQueue_C.thy b/proof/crefine/ARM_HYP/TcbQueue_C.thy index 3fb6ca79a9..853d4615e5 100644 --- a/proof/crefine/ARM_HYP/TcbQueue_C.thy +++ b/proof/crefine/ARM_HYP/TcbQueue_C.thy @@ -1017,8 +1017,8 @@ lemma cpspace_relation_ntfn_update_ntfn: and cp: "cpspace_ntfn_relation (ksPSpace s) (t_hrs_' (globals t))" and rel: "cnotification_relation (cslift t') ntfn' notification" and mpeq: "(cslift t' |` (- (tcb_ptr_to_ctcb_ptr ` qs))) = (cslift t |` (- (tcb_ptr_to_ctcb_ptr ` qs)))" - shows "cmap_relation (map_to_ntfns (ksPSpace s(ntfnptr \ KONotification ntfn'))) - (cslift t(Ptr ntfnptr \ notification)) Ptr (cnotification_relation (cslift t'))" + shows "cmap_relation (map_to_ntfns ((ksPSpace s)(ntfnptr \ KONotification ntfn'))) + ((cslift t)(Ptr ntfnptr \ notification)) Ptr (cnotification_relation (cslift t'))" using koat invs cp rel apply - apply (subst map_comp_update) 
@@ -1106,7 +1106,7 @@ lemma rf_sr_tcb_update_no_queue: (\x\ran tcb_cte_cases. (\(getF, setF). getF tcb' = getF tcb) x); ctcb_relation tcb' ctcb \ - \ (s\ksPSpace := ksPSpace s(thread \ KOTCB tcb')\, x\globals := globals s'\t_hrs_' := t_hrs_' (globals t)\\) \ rf_sr" + \ (s\ksPSpace := (ksPSpace s)(thread \ KOTCB tcb')\, x\globals := globals s'\t_hrs_' := t_hrs_' (globals t)\\) \ rf_sr" unfolding rf_sr_def state_relation_def cstate_relation_def cpspace_relation_def apply (clarsimp simp: Let_def update_tcb_map_tos map_to_ctes_upd_tcb_no_ctes heap_to_user_data_def) @@ -1155,7 +1155,7 @@ lemma rf_sr_tcb_update_not_in_queue: \ live' (KOTCB tcb); invs' s; (\x\ran tcb_cte_cases. (\(getF, setF). getF tcb' = getF tcb) x); ctcb_relation tcb' ctcb \ - \ (s\ksPSpace := ksPSpace s(thread \ KOTCB tcb')\, + \ (s\ksPSpace := (ksPSpace s)(thread \ KOTCB tcb')\, x\globals := globals s'\t_hrs_' := t_hrs_' (globals t)\\) \ rf_sr" unfolding rf_sr_def state_relation_def cstate_relation_def cpspace_relation_def apply (clarsimp simp: Let_def update_tcb_map_tos map_to_ctes_upd_tcb_no_ctes diff --git a/proof/crefine/ARM_HYP/Tcb_C.thy b/proof/crefine/ARM_HYP/Tcb_C.thy index cb45ff7215..b4b2fd819c 100644 --- a/proof/crefine/ARM_HYP/Tcb_C.thy +++ b/proof/crefine/ARM_HYP/Tcb_C.thy @@ -97,8 +97,8 @@ lemma getMRs_rel_sched: lemma getObject_state: " \(x, s') \ fst (getObject t' s); ko_at' ko t s\ \ (if t = t' then tcbState_update (\_. st) x else x, - s'\ksPSpace := ksPSpace s(t \ KOTCB (tcbState_update (\_. st) ko))\) - \ fst (getObject t' (s\ksPSpace := ksPSpace s(t \ KOTCB (tcbState_update (\_. st) ko))\))" + s'\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbState_update (\_. st) ko))\) + \ fst (getObject t' (s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbState_update (\_. st) ko))\))" apply (simp split: if_split) apply (rule conjI) apply clarsimp 
@@ -156,8 +156,8 @@ lemma getObject_state: lemma threadGet_state: "\ (uc, s') \ fst (threadGet (atcbContextGet o tcbArch) t' s); ko_at' ko t s \ \ - (uc, s'\ksPSpace := ksPSpace s(t \ KOTCB (tcbState_update (\_. st) ko))\) \ - fst (threadGet (atcbContextGet o tcbArch) t' (s\ksPSpace := ksPSpace s(t \ KOTCB (tcbState_update (\_. st) ko))\))" + (uc, s'\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbState_update (\_. st) ko))\) \ + fst (threadGet (atcbContextGet o tcbArch) t' (s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbState_update (\_. st) ko))\))" apply (clarsimp simp: threadGet_def liftM_def in_monad) apply (drule (1) getObject_state [where st=st]) apply (rule exI) @@ -167,8 +167,8 @@ lemma threadGet_state: lemma asUser_state: "\(x,s) \ fst (asUser t' f s); ko_at' ko t s; \s. \(=) s\ f \\_. (=) s\ \ \ - (x,s\ksPSpace := ksPSpace s(t \ KOTCB (tcbState_update (\_. st) ko))\) \ - fst (asUser t' f (s\ksPSpace := ksPSpace s(t \ KOTCB (tcbState_update (\_. st) ko))\))" + (x,s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbState_update (\_. st) ko))\) \ + fst (asUser t' f (s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbState_update (\_. st) ko))\))" apply (clarsimp simp: asUser_def in_monad select_f_def) apply (frule use_valid, rule threadGet_inv [where P="(=) s"], rule refl) apply (frule use_valid, assumption, rule refl) @@ -265,8 +265,8 @@ lemma asUser_state: lemma doMachineOp_state: "(rv,s') \ fst (doMachineOp f s) \ - (rv,s'\ksPSpace := ksPSpace s(t \ KOTCB (tcbState_update (\_. st) ko))\) - \ fst (doMachineOp f (s\ksPSpace := ksPSpace s(t \ KOTCB (tcbState_update (\_. st) ko))\))" + (rv,s'\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbState_update (\_. st) ko))\) + \ fst (doMachineOp f (s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbState_update (\_. st) ko))\))" apply (clarsimp simp: doMachineOp_def split_def in_monad select_f_def) apply fastforce done 
@@ -299,7 +299,7 @@ lemma getMRs_rel_state: "\getMRs_rel args buffer s; (cur_tcb' and case_option \ valid_ipc_buffer_ptr' buffer) s; ko_at' ko t s \ \ - getMRs_rel args buffer (s\ksPSpace := ksPSpace s(t \ KOTCB (tcbState_update (\_. st) ko))\)" + getMRs_rel args buffer (s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbState_update (\_. st) ko))\)" apply (clarsimp simp: getMRs_rel_def) apply (rule exI, erule conjI) apply (subst (asm) det_wp_use, rule det_wp_getMRs) @@ -1270,8 +1270,8 @@ lemma invokeTCB_WriteRegisters_ccorres_helper: lemma doMachineOp_context: "(rv,s') \ fst (doMachineOp f s) \ - (rv,s'\ksPSpace := ksPSpace s(t \ KOTCB (tcbContext_update (\_. st) ko))\) - \ fst (doMachineOp f (s\ksPSpace := ksPSpace s(t \ KOTCB (tcbContext_update (\_. st) ko))\))" + (rv,s'\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbContext_update (\_. st) ko))\) + \ fst (doMachineOp f (s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbContext_update (\_. st) ko))\))" apply (clarsimp simp: doMachineOp_def split_def in_monad select_f_def) apply fastforce done @@ -1280,8 +1280,8 @@ lemma doMachineOp_context: lemma getObject_context: " \(x, s') \ fst (getObject t' s); ko_at' ko t s\ \ (if t = t' then tcbContext_update (\_. st) x else x, - s'\ksPSpace := ksPSpace s(t \ KOTCB (tcbContext_update (\_. st) ko))\) - \ fst (getObject t' (s\ksPSpace := ksPSpace s(t \ KOTCB (tcbContext_update (\_. st) ko))\))" + s'\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbContext_update (\_. st) ko))\) + \ fst (getObject t' (s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbContext_update (\_. st) ko))\))" apply (simp split: if_split) apply (rule conjI) apply clarsimp 
@@ -1340,8 +1340,8 @@ lemma getObject_context: lemma threadGet_context: "\ (uc, s') \ fst (threadGet (atcbContextGet o tcbArch) (ksCurThread s) s); ko_at' ko t s; t \ ksCurThread s \ \ - (uc, s'\ksPSpace := ksPSpace s(t \ KOTCB (tcbArch_update (\_. atcbContextSet st (tcbArch ko)) ko))\) \ - fst (threadGet (atcbContextGet o tcbArch) (ksCurThread s) (s\ksPSpace := ksPSpace s(t \ KOTCB (tcbArch_update (\_. atcbContextSet st (tcbArch ko)) ko))\))" + (uc, s'\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbArch_update (\_. atcbContextSet st (tcbArch ko)) ko))\) \ + fst (threadGet (atcbContextGet o tcbArch) (ksCurThread s) (s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbArch_update (\_. atcbContextSet st (tcbArch ko)) ko))\))" apply (clarsimp simp: threadGet_def liftM_def in_monad) apply (drule (1) getObject_context [where st=st]) apply (rule exI) @@ -1353,8 +1353,8 @@ done lemma asUser_context: "\(x,s) \ fst (asUser (ksCurThread s) f s); ko_at' ko t s; \s. \(=) s\ f \\_. (=) s\ ; t \ ksCurThread s\ \ - (x,s\ksPSpace := ksPSpace s(t \ KOTCB (tcbArch_update (\_. atcbContextSet st (tcbArch ko)) ko))\) \ - fst (asUser (ksCurThread s) f (s\ksPSpace := ksPSpace s(t \ KOTCB (tcbArch_update (\_. atcbContextSet st (tcbArch ko)) ko))\))" + (x,s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbArch_update (\_. atcbContextSet st (tcbArch ko)) ko))\) \ + fst (asUser (ksCurThread s) f (s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbArch_update (\_. atcbContextSet st (tcbArch ko)) ko))\))" apply (clarsimp simp: asUser_def in_monad select_f_def) apply (frule use_valid, rule threadGet_inv [where P="(=) s"], rule refl) apply (frule use_valid, assumption, rule refl) 
@@ -1425,7 +1425,7 @@ lemma getMRs_rel_context: "\getMRs_rel args buffer s; (cur_tcb' and case_option \ valid_ipc_buffer_ptr' buffer) s; ko_at' ko t s ; t \ ksCurThread s\ \ - getMRs_rel args buffer (s\ksPSpace := ksPSpace s(t \ KOTCB (tcbArch_update (\_. atcbContextSet st (tcbArch ko)) ko))\)" + getMRs_rel args buffer (s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbArch_update (\_. atcbContextSet st (tcbArch ko)) ko))\)" apply (clarsimp simp: getMRs_rel_def) apply (rule exI, erule conjI) apply (subst (asm) det_wp_use, rule det_wp_getMRs) diff --git a/proof/crefine/Move_C.thy b/proof/crefine/Move_C.thy index 7f983d812d..3db339c08d 100644 --- a/proof/crefine/Move_C.thy +++ b/proof/crefine/Move_C.thy @@ -568,7 +568,7 @@ lemma map_to_ko_at_updI': \ (projectKO_opt \\<^sub>m (ksPSpace s)) x = Some y; valid_pspace' s; ko_at' y' x' s; objBitsKO (injectKO y') = objBitsKO y''; x \ x' \ \ - ko_at' y x (s\ksPSpace := ksPSpace s(x' \ y'')\)" + ko_at' y x (s\ksPSpace := (ksPSpace s)(x' \ y'')\)" by (fastforce simp: obj_at'_def projectKOs objBitsKO_def ps_clear_upd dest: map_to_ko_atI) @@ -903,7 +903,7 @@ lemma setNotification_tcb: lemma state_refs_of'_upd: "\ valid_pspace' s; ko_wp_at' (\ko. objBitsKO ko = objBitsKO ko') ptr s \ \ - state_refs_of' (s\ksPSpace := ksPSpace s(ptr \ ko')\) = + state_refs_of' (s\ksPSpace := (ksPSpace s)(ptr \ ko')\) = (state_refs_of' s)(ptr := refs_of' ko')" apply (rule ext) apply (clarsimp simp: ps_clear_upd valid_pspace'_def pspace_aligned'_def @@ -1463,7 +1463,7 @@ lemma asUser_obj_at': lemma update_ep_map_to_ctes: fixes P :: "endpoint \ bool" assumes at: "obj_at' P p s" - shows "map_to_ctes (ksPSpace s(p \ KOEndpoint ko)) = map_to_ctes (ksPSpace s)" + shows "map_to_ctes ((ksPSpace s)(p \ KOEndpoint ko)) = map_to_ctes (ksPSpace s)" using at by (auto elim!: obj_atE' intro!: map_to_ctes_upd_other map_comp_eqI simp: projectKOs projectKO_opts_defs split: kernel_object.splits if_split_asm) 
diff --git a/proof/crefine/RISCV64/Finalise_C.thy b/proof/crefine/RISCV64/Finalise_C.thy index 06ed79d48b..7456e4fd20 100644 --- a/proof/crefine/RISCV64/Finalise_C.thy +++ b/proof/crefine/RISCV64/Finalise_C.thy @@ -1152,7 +1152,7 @@ lemma deleteASID_ccorres: lemma setObject_ccorres_lemma: fixes val :: "'a :: pspace_storable" shows - "\ \s. \ \ (Q s) c {s'. (s \ ksPSpace := ksPSpace s (ptr \ injectKO val) \, s') \ rf_sr},{}; + "\ \s. \ \ (Q s) c {s'. (s \ ksPSpace := (ksPSpace s)(ptr \ injectKO val) \, s') \ rf_sr},{}; \s s' val'::'a. \ ko_at' val' ptr s; (s, s') \ rf_sr \ \ s' \ Q s; \val :: 'a. updateObject val = updateObject_default val; @@ -1667,7 +1667,7 @@ lemma option_to_ctcb_ptr_not_0: done lemma update_tcb_map_to_tcb: - "map_to_tcbs (ksPSpace s(p \ KOTCB tcb)) = (map_to_tcbs (ksPSpace s))(p \ tcb)" + "map_to_tcbs ((ksPSpace s)(p \ KOTCB tcb)) = (map_to_tcbs (ksPSpace s))(p \ tcb)" by (rule ext, clarsimp simp: map_comp_def split: if_split) lemma ep_queue_relation_shift2: @@ -1697,7 +1697,7 @@ lemma sched_queue_relation_shift: lemma cendpoint_relation_udpate_arch: "\ cslift x p = Some tcb ; cendpoint_relation (cslift x) v v' \ - \ cendpoint_relation (cslift x(p \ tcbArch_C_update f tcb)) v v'" + \ cendpoint_relation ((cslift x)(p \ tcbArch_C_update f tcb)) v v'" apply (clarsimp simp: cendpoint_relation_def Let_def tcb_queue_relation'_def split: endpoint.splits) apply (subst ep_queue_relation_shift2; simp add: fun_eq_iff) @@ -1708,7 +1708,7 @@ lemma cendpoint_relation_udpate_arch: lemma cnotification_relation_udpate_arch: "\ cslift x p = Some tcb ; cnotification_relation (cslift x) v v' \ - \ cnotification_relation (cslift x(p \ tcbArch_C_update f tcb)) v v'" + \ cnotification_relation ((cslift x)(p \ tcbArch_C_update f tcb)) v v'" apply (clarsimp simp: cnotification_relation_def Let_def tcb_queue_relation'_def split: notification.splits ntfn.splits) apply (subst ep_queue_relation_shift2; simp add: fun_eq_iff) 
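Review bot: The lemma names `cendpoint_relation_udpate_arch` and `cnotification_relation_udpate_arch` carry a typo (`udpate`) that survives this edit of their statements. A rename would touch every use site and so does not belong in a parenthesisation-only commit, but a follow-up renaming them to `cendpoint_relation_update_arch` / `cnotification_relation_update_arch` is worth filing, since the misspelling hides them from a search on `update`. Both lemma proofs continue outside the hunk.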
diff --git a/proof/crefine/RISCV64/IpcCancel_C.thy b/proof/crefine/RISCV64/IpcCancel_C.thy index 4ee693f639..f06b9d102c 100644 --- a/proof/crefine/RISCV64/IpcCancel_C.thy +++ b/proof/crefine/RISCV64/IpcCancel_C.thy @@ -2770,8 +2770,8 @@ lemma cpspace_relation_ep_update_an_ep: and pal: "pspace_aligned' s" "pspace_distinct' s" and others: "\epptr' ep'. \ ko_at' ep' epptr' s; epptr' \ epptr; ep' \ IdleEP \ \ set (epQueue ep') \ (ctcb_ptr_to_tcb_ptr ` S) = {}" - shows "cmap_relation (map_to_eps (ksPSpace s(epptr \ KOEndpoint ep'))) - (cslift t(Ptr epptr \ endpoint)) Ptr (cendpoint_relation mp')" + shows "cmap_relation (map_to_eps ((ksPSpace s)(epptr \ KOEndpoint ep'))) + ((cslift t)(Ptr epptr \ endpoint)) Ptr (cendpoint_relation mp')" using cp koat pal rel unfolding cmap_relation_def apply - apply (clarsimp elim!: obj_atE' simp: map_comp_update projectKO_opts_defs) @@ -2793,8 +2793,8 @@ lemma cpspace_relation_ep_update_ep: and cp: "cmap_relation (map_to_eps (ksPSpace s)) (cslift t) Ptr (cendpoint_relation mp)" and rel: "cendpoint_relation mp' ep' endpoint" and mpeq: "(mp' |` (- (tcb_ptr_to_ctcb_ptr ` qs))) = (mp |` (- (tcb_ptr_to_ctcb_ptr ` qs)))" - shows "cmap_relation (map_to_eps (ksPSpace s(epptr \ KOEndpoint ep'))) - (cslift t(Ptr epptr \ endpoint)) Ptr (cendpoint_relation mp')" + shows "cmap_relation (map_to_eps ((ksPSpace s)(epptr \ KOEndpoint ep'))) + ((cslift t)(Ptr epptr \ endpoint)) Ptr (cendpoint_relation mp')" using invs apply (intro cpspace_relation_ep_update_an_ep[OF koat cp rel mpeq]) apply clarsimp+ 
@@ -2806,15 +2806,15 @@ lemma cpspace_relation_ep_update_ep': fixes ep :: "endpoint" and ep' :: "endpoint" and epptr :: "machine_word" and s :: "kernel_state" defines "qs \ if (isSendEP ep' \ isRecvEP ep') then set (epQueue ep') else {}" - defines "s' \ s\ksPSpace := ksPSpace s(epptr \ KOEndpoint ep')\" + defines "s' \ s\ksPSpace := (ksPSpace s)(epptr \ KOEndpoint ep')\" assumes koat: "ko_at' ep epptr s" and vp: "valid_pspace' s" and cp: "cmap_relation (map_to_eps (ksPSpace s)) (cslift t) Ptr (cendpoint_relation mp)" and srs: "sym_refs (state_refs_of' s')" and rel: "cendpoint_relation mp' ep' endpoint" and mpeq: "(mp' |` (- (tcb_ptr_to_ctcb_ptr ` qs))) = (mp |` (- (tcb_ptr_to_ctcb_ptr ` qs)))" - shows "cmap_relation (map_to_eps (ksPSpace s(epptr \ KOEndpoint ep'))) - (cslift t(Ptr epptr \ endpoint)) Ptr (cendpoint_relation mp')" + shows "cmap_relation (map_to_eps ((ksPSpace s)(epptr \ KOEndpoint ep'))) + ((cslift t)(Ptr epptr \ endpoint)) Ptr (cendpoint_relation mp')" proof - from koat have koat': "ko_at' ep' epptr s'" by (clarsimp simp: obj_at'_def s'_def objBitsKO_def ps_clear_def projectKOs) diff --git a/proof/crefine/RISCV64/Ipc_C.thy b/proof/crefine/RISCV64/Ipc_C.thy index 030f7b34ac..c66872cdf3 100644 --- a/proof/crefine/RISCV64/Ipc_C.thy +++ b/proof/crefine/RISCV64/Ipc_C.thy 
@@ -4799,12 +4799,12 @@ lemma sendIPC_enqueue_ccorres_helper: apply (simp add: cendpoint_relation_def Let_def) apply (case_tac ep, simp_all add: init_def valid_ep'_def)[1] apply (subgoal_tac "sym_refs (state_refs_of' (\\ksPSpace := - ksPSpace \(epptr \ KOEndpoint (SendEP queue))\))") + (ksPSpace \)(epptr \ KOEndpoint (SendEP queue))\))") prefer 2 apply (clarsimp simp: state_refs_of'_upd ko_wp_at'_def obj_at'_def projectKOs objBitsKO_def) apply (subgoal_tac "ko_at' (SendEP queue) epptr (\\ksPSpace := - ksPSpace \(epptr \ KOEndpoint (SendEP queue))\)") + (ksPSpace \)(epptr \ KOEndpoint (SendEP queue))\)") prefer 2 apply (clarsimp simp: obj_at'_def projectKOs objBitsKO_def ps_clear_upd) apply (intro conjI impI allI) @@ -5216,12 +5216,12 @@ lemma receiveIPC_enqueue_ccorres_helper: apply (simp add: cendpoint_relation_def Let_def) apply (case_tac ep, simp_all add: init_def valid_ep'_def)[1] apply (subgoal_tac "sym_refs (state_refs_of' (\\ksPSpace := - ksPSpace \(epptr \ KOEndpoint (RecvEP queue))\))") + (ksPSpace \)(epptr \ KOEndpoint (RecvEP queue))\))") prefer 2 apply (clarsimp simp: state_refs_of'_upd ko_wp_at'_def obj_at'_def projectKOs objBitsKO_def) apply (subgoal_tac "ko_at' (RecvEP queue) epptr (\\ksPSpace := - ksPSpace \(epptr \ KOEndpoint (RecvEP queue))\)") + (ksPSpace \)(epptr \ KOEndpoint (RecvEP queue))\)") prefer 2 apply (clarsimp simp: obj_at'_def projectKOs objBitsKO_def ps_clear_upd) apply (intro conjI impI allI) 
@@ -6246,16 +6246,17 @@ lemma cpspace_relation_ntfn_update_ntfn': fixes ntfn :: "Structures_H.notification" and ntfn' :: "Structures_H.notification" and ntfnptr :: "machine_word" and s :: "kernel_state" defines "qs \ if isWaitingNtfn (ntfnObj ntfn') then set (ntfnQueue (ntfnObj ntfn')) else {}" - defines "s' \ s\ksPSpace := ksPSpace s(ntfnptr \ KONotification ntfn')\" + defines "s' \ s\ksPSpace := (ksPSpace s)(ntfnptr \ KONotification ntfn')\" assumes koat: "ko_at' ntfn ntfnptr s" and vp: "valid_pspace' s" and cp: "cmap_relation (map_to_ntfns (ksPSpace s)) (cslift t) Ptr (cnotification_relation (cslift t))" and srs: "sym_refs (state_refs_of' s')" and rel: "cnotification_relation (cslift t') ntfn' notification" and mpeq: "(cslift t' |` (- (tcb_ptr_to_ctcb_ptr ` qs))) = (cslift t |` (- (tcb_ptr_to_ctcb_ptr ` qs)))" - shows "cmap_relation (map_to_ntfns (ksPSpace s(ntfnptr \ KONotification ntfn'))) - (cslift t(Ptr ntfnptr \ notification)) Ptr - (cnotification_relation (cslift t'))" + shows "cmap_relation (map_to_ntfns ((ksPSpace s)(ntfnptr \ KONotification ntfn'))) + ((cslift t)(Ptr ntfnptr \ notification)) + Ptr + (cnotification_relation (cslift t'))" proof - from koat have koat': "ko_at' ntfn' ntfnptr s'" by (clarsimp simp: obj_at'_def s'_def objBitsKO_def ps_clear_def projectKOs) 
@@ -6331,12 +6332,12 @@ lemma receiveSignal_enqueue_ccorres_helper: apply (simp add: cnotification_relation_def Let_def) apply (case_tac "ntfnObj ntfn", simp_all add: init_def valid_ntfn'_def)[1] apply (subgoal_tac "sym_refs (state_refs_of' (\\ksPSpace := - ksPSpace \(ntfnptr \ KONotification (NTFN (WaitingNtfn queue) (ntfnBoundTCB ntfn)))\))") + (ksPSpace \)(ntfnptr \ KONotification (NTFN (WaitingNtfn queue) (ntfnBoundTCB ntfn)))\))") prefer 2 apply (clarsimp simp: state_refs_of'_upd ko_wp_at'_def ntfnBound_state_refs_equivalence obj_at'_def projectKOs objBitsKO_def) apply (subgoal_tac "ko_at' (NTFN (WaitingNtfn queue) (ntfnBoundTCB ntfn)) ntfnptr (\\ksPSpace := - ksPSpace \(ntfnptr \ KONotification (NTFN (WaitingNtfn queue) (ntfnBoundTCB ntfn)))\)") + (ksPSpace \)(ntfnptr \ KONotification (NTFN (WaitingNtfn queue) (ntfnBoundTCB ntfn)))\)") prefer 2 apply (clarsimp simp: obj_at'_def projectKOs objBitsKO_def ps_clear_upd) apply (intro conjI impI allI) diff --git a/proof/crefine/RISCV64/PSpace_C.thy b/proof/crefine/RISCV64/PSpace_C.thy index cbce98552a..a499d77aa6 100644 --- a/proof/crefine/RISCV64/PSpace_C.thy +++ b/proof/crefine/RISCV64/PSpace_C.thy @@ -43,7 +43,7 @@ lemma setObject_ccorres_helper: fixes ko :: "'a :: pspace_storable" assumes valid: "\\ (ko' :: 'a). \ \ {s. (\, s) \ rf_sr \ P \ \ s \ P' \ ko_at' ko' p \} - c {s. (\\ksPSpace := ksPSpace \ (p \ injectKO ko)\, s) \ rf_sr}" + c {s. (\\ksPSpace := (ksPSpace \)(p \ injectKO ko)\, s) \ rf_sr}" shows "\ \ko :: 'a. updateObject ko = updateObject_default ko; \ko :: 'a. (1 :: machine_word) < 2 ^ objBits ko \ \ ccorres dc xfdc P P' hs (setObject p ko) c" diff --git a/proof/crefine/RISCV64/Recycle_C.thy b/proof/crefine/RISCV64/Recycle_C.thy index e4d91a565d..d611410f77 100644 --- a/proof/crefine/RISCV64/Recycle_C.thy +++ b/proof/crefine/RISCV64/Recycle_C.thy 
@@ -419,7 +419,7 @@ lemma mapM_x_store_memset_ccorres_assist: "\ko :: 'a. (1 :: machine_word) < 2 ^ objBits ko" assumes restr: "set slots \ S" assumes worker: "\ptr s s' (ko :: 'a). \ (s, s') \ rf_sr; ko_at' ko ptr s; ptr \ S \ - \ (s \ ksPSpace := ksPSpace s (ptr \ injectKO val)\, + \ (s \ ksPSpace := (ksPSpace s)(ptr \ injectKO val)\, globals_update (t_hrs_'_update (hrs_mem_update (heap_update_list ptr (replicateHider (2 ^ objBits val) (ucast c))))) s') \ rf_sr" @@ -697,8 +697,8 @@ lemma cpspace_relation_ep_update_ep2: (cslift t) ep_Ptr (cendpoint_relation (cslift t)); cendpoint_relation (cslift t') ep' endpoint; (cslift t' :: tcb_C ptr \ tcb_C) = cslift t \ - \ cmap_relation (map_to_eps (ksPSpace s(epptr \ KOEndpoint ep'))) - (cslift t(ep_Ptr epptr \ endpoint)) + \ cmap_relation (map_to_eps ((ksPSpace s)(epptr \ KOEndpoint ep'))) + ((cslift t)(ep_Ptr epptr \ endpoint)) ep_Ptr (cendpoint_relation (cslift t'))" apply (rule cmap_relationE1, assumption, erule ko_at_projectKO_opt) apply (rule_tac P="\a. cmap_relation a b c d" for b c d in rsubst, diff --git a/proof/crefine/RISCV64/Retype_C.thy b/proof/crefine/RISCV64/Retype_C.thy index e0a9fcd24d..dfadb59a5e 100644 --- a/proof/crefine/RISCV64/Retype_C.thy +++ b/proof/crefine/RISCV64/Retype_C.thy @@ -5154,7 +5154,7 @@ lemma gsCNodes_update_ccorres: (* FIXME: move *) lemma map_to_tcbs_upd: - "map_to_tcbs (ksPSpace s(t \ KOTCB tcb')) = map_to_tcbs (ksPSpace s)(t \ tcb')" + "map_to_tcbs ((ksPSpace s)(t \ KOTCB tcb')) = (map_to_tcbs (ksPSpace s))(t \ tcb')" apply (rule ext) apply (clarsimp simp: map_comp_def projectKOs split: option.splits if_splits) done diff --git a/proof/crefine/RISCV64/SR_lemmas_C.thy b/proof/crefine/RISCV64/SR_lemmas_C.thy index 1dd0aa898d..bd30c0165a 100644 --- a/proof/crefine/RISCV64/SR_lemmas_C.thy +++ b/proof/crefine/RISCV64/SR_lemmas_C.thy 
@@ -319,7 +319,7 @@ lemma tcb_cte_cases_proj_eq [simp]: (* NOTE: 5 = cte_level_bits *) lemma map_to_ctes_upd_cte': "\ ksPSpace s p = Some (KOCTE cte'); is_aligned p cte_level_bits; ps_clear p cte_level_bits s \ - \ map_to_ctes (ksPSpace s(p |-> KOCTE cte)) = (map_to_ctes (ksPSpace s))(p |-> cte)" + \ map_to_ctes ((ksPSpace s)(p |-> KOCTE cte)) = (map_to_ctes (ksPSpace s))(p |-> cte)" apply (erule (1) map_to_ctes_upd_cte) apply (simp add: field_simps ps_clear_def3 cte_level_bits_def mask_def) done @@ -327,7 +327,7 @@ lemma map_to_ctes_upd_cte': lemma map_to_ctes_upd_tcb': "[| ksPSpace s p = Some (KOTCB tcb'); is_aligned p tcbBlockSizeBits; ps_clear p tcbBlockSizeBits s |] -==> map_to_ctes (ksPSpace s(p |-> KOTCB tcb)) = +==> map_to_ctes ((ksPSpace s)(p |-> KOTCB tcb)) = (%x. if EX getF setF. tcb_cte_cases (x - p) = Some (getF, setF) & getF tcb ~= getF tcb' @@ -454,7 +454,7 @@ lemma fst_setCTE: assumes ct: "cte_at' dest s" and rl: "\s'. \ ((), s') \ fst (setCTE dest cte s); (s' = s \ ksPSpace := ksPSpace s' \); - (ctes_of s' = ctes_of s(dest \ cte)); + (ctes_of s' = (ctes_of s)(dest \ cte)); (map_to_eps (ksPSpace s) = map_to_eps (ksPSpace s')); (map_to_ntfns (ksPSpace s) = map_to_ntfns (ksPSpace s')); (map_to_ptes (ksPSpace s) = map_to_ptes (ksPSpace s')); @@ -479,7 +479,7 @@ proof - by clarsimp note thms = this - have ceq: "ctes_of s' = ctes_of s(dest \ cte)" + have ceq: "ctes_of s' = (ctes_of s)(dest \ cte)" by (rule use_valid [OF thms(1) setCTE_ctes_of_wp]) simp show ?thesis @@ -1426,7 +1426,7 @@ lemma ctcb_relation_null_queue_ptrs: lemma map_to_ctes_upd_tcb_no_ctes: "\ko_at' tcb thread s ; \x\ran tcb_cte_cases. (\(getF, setF). getF tcb' = getF tcb) x \ - \ map_to_ctes (ksPSpace s(thread \ KOTCB tcb')) = map_to_ctes (ksPSpace s)" + \ map_to_ctes ((ksPSpace s)(thread \ KOTCB tcb')) = map_to_ctes (ksPSpace s)" apply (erule obj_atE') apply (simp add: projectKOs objBits_simps) apply (subst map_to_ctes_upd_tcb') 
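Review bot: `map_to_ctes_upd_cte'` and `map_to_ctes_upd_tcb'` keep legacy ASCII notation (`|->`, `[| ... |]`, `==>`, `%x.`, `EX`, `~=`) while the neighbouring lemmas in these hunks appear to use the symbol forms (`\<mapsto>`, `\<Longrightarrow>`, `\<lambda>`). Since the statement lines are already being rewritten for the new update syntax, normalising them in the same pass, e.g. `==> map_to_ctes ((ksPSpace s)(p |-> KOTCB tcb)) =` becoming `\<Longrightarrow> map_to_ctes ((ksPSpace s)(p \<mapsto> KOTCB tcb)) =`, would keep SR_lemmas_C.thy in one notation and avoid a second edit of these lines later. The `map_to_ctes_upd_tcb'` statement continues outside the hunk.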
@@ -1440,13 +1440,13 @@ lemma map_to_ctes_upd_tcb_no_ctes: lemma update_ntfn_map_tos: fixes P :: "Structures_H.notification \ bool" assumes at: "obj_at' P p s" - shows "map_to_eps (ksPSpace s(p \ KONotification ko)) = map_to_eps (ksPSpace s)" - and "map_to_tcbs (ksPSpace s(p \ KONotification ko)) = map_to_tcbs (ksPSpace s)" - and "map_to_ctes (ksPSpace s(p \ KONotification ko)) = map_to_ctes (ksPSpace s)" - and "map_to_ptes (ksPSpace s(p \ KONotification ko)) = map_to_ptes (ksPSpace s)" - and "map_to_asidpools (ksPSpace s(p \ KONotification ko)) = map_to_asidpools (ksPSpace s)" - and "map_to_user_data (ksPSpace s(p \ KONotification ko)) = map_to_user_data (ksPSpace s)" - and "map_to_user_data_device (ksPSpace s(p \ KONotification ko)) = map_to_user_data_device (ksPSpace s)" + shows "map_to_eps ((ksPSpace s)(p \ KONotification ko)) = map_to_eps (ksPSpace s)" + and "map_to_tcbs ((ksPSpace s)(p \ KONotification ko)) = map_to_tcbs (ksPSpace s)" + and "map_to_ctes ((ksPSpace s)(p \ KONotification ko)) = map_to_ctes (ksPSpace s)" + and "map_to_ptes ((ksPSpace s)(p \ KONotification ko)) = map_to_ptes (ksPSpace s)" + and "map_to_asidpools ((ksPSpace s)(p \ KONotification ko)) = map_to_asidpools (ksPSpace s)" + and "map_to_user_data ((ksPSpace s)(p \ KONotification ko)) = map_to_user_data (ksPSpace s)" + and "map_to_user_data_device ((ksPSpace s)(p \ KONotification ko)) = map_to_user_data_device (ksPSpace s)" using at by (auto elim!: obj_atE' intro!: map_to_ctes_upd_other map_comp_eqI simp: projectKOs projectKO_opts_defs split: kernel_object.splits if_split_asm)+ 
@@ -1454,13 +1454,13 @@ lemma update_ntfn_map_tos: lemma update_ep_map_tos: fixes P :: "endpoint \ bool" assumes at: "obj_at' P p s" - shows "map_to_ntfns (ksPSpace s(p \ KOEndpoint ko)) = map_to_ntfns (ksPSpace s)" - and "map_to_tcbs (ksPSpace s(p \ KOEndpoint ko)) = map_to_tcbs (ksPSpace s)" - and "map_to_ctes (ksPSpace s(p \ KOEndpoint ko)) = map_to_ctes (ksPSpace s)" - and "map_to_ptes (ksPSpace s(p \ KOEndpoint ko)) = map_to_ptes (ksPSpace s)" - and "map_to_asidpools (ksPSpace s(p \ KOEndpoint ko)) = map_to_asidpools (ksPSpace s)" - and "map_to_user_data (ksPSpace s(p \ KOEndpoint ko)) = map_to_user_data (ksPSpace s)" - and "map_to_user_data_device (ksPSpace s(p \ KOEndpoint ko)) = map_to_user_data_device (ksPSpace s)" + shows "map_to_ntfns ((ksPSpace s)(p \ KOEndpoint ko)) = map_to_ntfns (ksPSpace s)" + and "map_to_tcbs ((ksPSpace s)(p \ KOEndpoint ko)) = map_to_tcbs (ksPSpace s)" + and "map_to_ctes ((ksPSpace s)(p \ KOEndpoint ko)) = map_to_ctes (ksPSpace s)" + and "map_to_ptes ((ksPSpace s)(p \ KOEndpoint ko)) = map_to_ptes (ksPSpace s)" + and "map_to_asidpools ((ksPSpace s)(p \ KOEndpoint ko)) = map_to_asidpools (ksPSpace s)" + and "map_to_user_data ((ksPSpace s)(p \ KOEndpoint ko)) = map_to_user_data (ksPSpace s)" + and "map_to_user_data_device ((ksPSpace s)(p \ KOEndpoint ko)) = map_to_user_data_device (ksPSpace s)" using at by (auto elim!: obj_atE' intro!: map_to_ctes_upd_other map_comp_eqI simp: projectKOs projectKO_opts_defs split: kernel_object.splits if_split_asm)+ 
@@ -1468,12 +1468,12 @@ lemma update_ep_map_tos: lemma update_tcb_map_tos: fixes P :: "tcb \ bool" assumes at: "obj_at' P p s" - shows "map_to_eps (ksPSpace s(p \ KOTCB ko)) = map_to_eps (ksPSpace s)" - and "map_to_ntfns (ksPSpace s(p \ KOTCB ko)) = map_to_ntfns (ksPSpace s)" - and "map_to_ptes (ksPSpace s(p \ KOTCB ko)) = map_to_ptes (ksPSpace s)" - and "map_to_asidpools (ksPSpace s(p \ KOTCB ko)) = map_to_asidpools (ksPSpace s)" - and "map_to_user_data (ksPSpace s(p \ KOTCB ko)) = map_to_user_data (ksPSpace s)" - and "map_to_user_data_device (ksPSpace s(p \ KOTCB ko)) = map_to_user_data_device (ksPSpace s)" + shows "map_to_eps ((ksPSpace s)(p \ KOTCB ko)) = map_to_eps (ksPSpace s)" + and "map_to_ntfns ((ksPSpace s)(p \ KOTCB ko)) = map_to_ntfns (ksPSpace s)" + and "map_to_ptes ((ksPSpace s)(p \ KOTCB ko)) = map_to_ptes (ksPSpace s)" + and "map_to_asidpools ((ksPSpace s)(p \ KOTCB ko)) = map_to_asidpools (ksPSpace s)" + and "map_to_user_data ((ksPSpace s)(p \ KOTCB ko)) = map_to_user_data (ksPSpace s)" + and "map_to_user_data_device ((ksPSpace s)(p \ KOTCB ko)) = map_to_user_data_device (ksPSpace s)" using at by (auto elim!: obj_atE' intro!: map_to_ctes_upd_other map_comp_eqI simp: projectKOs projectKO_opts_defs split: kernel_object.splits if_split_asm)+ 
@@ -1481,13 +1481,13 @@ lemma update_tcb_map_tos: lemma update_asidpool_map_tos: fixes P :: "asidpool \ bool" assumes at: "obj_at' P p s" - shows "map_to_ntfns (ksPSpace s(p \ KOArch (KOASIDPool ap))) = map_to_ntfns (ksPSpace s)" - and "map_to_tcbs (ksPSpace s(p \ KOArch (KOASIDPool ap))) = map_to_tcbs (ksPSpace s)" - and "map_to_ctes (ksPSpace s(p \ KOArch (KOASIDPool ap))) = map_to_ctes (ksPSpace s)" - and "map_to_ptes (ksPSpace s(p \ KOArch (KOASIDPool ap))) = map_to_ptes (ksPSpace s)" - and "map_to_eps (ksPSpace s(p \ KOArch (KOASIDPool ap))) = map_to_eps (ksPSpace s)" - and "map_to_user_data (ksPSpace s(p \ KOArch (KOASIDPool ap))) = map_to_user_data (ksPSpace s)" - and "map_to_user_data_device (ksPSpace s(p \ KOArch (KOASIDPool ap))) = map_to_user_data_device (ksPSpace s)" + shows "map_to_ntfns ((ksPSpace s)(p \ KOArch (KOASIDPool ap))) = map_to_ntfns (ksPSpace s)" + and "map_to_tcbs ((ksPSpace s)(p \ KOArch (KOASIDPool ap))) = map_to_tcbs (ksPSpace s)" + and "map_to_ctes ((ksPSpace s)(p \ KOArch (KOASIDPool ap))) = map_to_ctes (ksPSpace s)" + and "map_to_ptes ((ksPSpace s)(p \ KOArch (KOASIDPool ap))) = map_to_ptes (ksPSpace s)" + and "map_to_eps ((ksPSpace s)(p \ KOArch (KOASIDPool ap))) = map_to_eps (ksPSpace s)" + and "map_to_user_data ((ksPSpace s)(p \ KOArch (KOASIDPool ap))) = map_to_user_data (ksPSpace s)" + and "map_to_user_data_device ((ksPSpace s)(p \ KOArch (KOASIDPool ap))) = map_to_user_data_device (ksPSpace s)" using at by (auto elim!: obj_atE' intro!: map_to_ctes_upd_other map_comp_eqI 
@@ -1496,25 +1496,25 @@ lemma update_asidpool_map_tos: arch_kernel_object.split_asm) lemma update_asidpool_map_to_asidpools: - "map_to_asidpools (ksPSpace s(p \ KOArch (KOASIDPool ap))) + "map_to_asidpools ((ksPSpace s)(p \ KOArch (KOASIDPool ap))) = (map_to_asidpools (ksPSpace s))(p \ ap)" by (rule ext, clarsimp simp: projectKOs map_comp_def split: if_split) lemma update_pte_map_to_ptes: - "map_to_ptes (ksPSpace s(p \ KOArch (KOPTE pte))) + "map_to_ptes ((ksPSpace s)(p \ KOArch (KOPTE pte))) = (map_to_ptes (ksPSpace s))(p \ pte)" by (rule ext, clarsimp simp: projectKOs map_comp_def split: if_split) lemma update_pte_map_tos: fixes P :: "pte \ bool" assumes at: "obj_at' P p s" - shows "map_to_ntfns (ksPSpace s(p \ (KOArch (KOPTE pte)))) = map_to_ntfns (ksPSpace s)" - and "map_to_tcbs (ksPSpace s(p \ (KOArch (KOPTE pte)))) = map_to_tcbs (ksPSpace s)" - and "map_to_ctes (ksPSpace s(p \ (KOArch (KOPTE pte)))) = map_to_ctes (ksPSpace s)" - and "map_to_eps (ksPSpace s(p \ (KOArch (KOPTE pte)))) = map_to_eps (ksPSpace s)" - and "map_to_asidpools (ksPSpace s(p \ (KOArch (KOPTE pte)))) = map_to_asidpools (ksPSpace s)" - and "map_to_user_data (ksPSpace s(p \ (KOArch (KOPTE pte)))) = map_to_user_data (ksPSpace s)" - and "map_to_user_data_device (ksPSpace s(p \ (KOArch (KOPTE pte)))) = map_to_user_data_device (ksPSpace s)" + shows "map_to_ntfns ((ksPSpace s)(p \ (KOArch (KOPTE pte)))) = map_to_ntfns (ksPSpace s)" + and "map_to_tcbs ((ksPSpace s)(p \ (KOArch (KOPTE pte)))) = map_to_tcbs (ksPSpace s)" + and "map_to_ctes ((ksPSpace s)(p \ (KOArch (KOPTE pte)))) = map_to_ctes (ksPSpace s)" + and "map_to_eps ((ksPSpace s)(p \ (KOArch (KOPTE pte)))) = map_to_eps (ksPSpace s)" + and "map_to_asidpools ((ksPSpace s)(p \ (KOArch (KOPTE pte)))) = map_to_asidpools (ksPSpace s)" + and "map_to_user_data ((ksPSpace s)(p \ (KOArch (KOPTE pte)))) = map_to_user_data (ksPSpace s)" + and "map_to_user_data_device ((ksPSpace s)(p \ (KOArch (KOPTE pte)))) = map_to_user_data_device (ksPSpace s)" 
using at by (auto elim!: obj_atE' intro!: map_comp_eqI map_to_ctes_upd_other split: if_split_asm if_split @@ -1909,7 +1909,7 @@ lemma gs_set_assn_Delete_cstate_relation: lemma update_typ_at: assumes at: "obj_at' P p s" and tp: "\obj. P obj \ koTypeOf (injectKOS obj) = koTypeOf ko" - shows "typ_at' T p' (s \ksPSpace := ksPSpace s(p \ ko)\) = typ_at' T p' s" + shows "typ_at' T p' (s \ksPSpace := (ksPSpace s)(p \ ko)\) = typ_at' T p' s" using at by (auto elim!: obj_atE' simp: typ_at'_def ko_wp_at'_def dest!: tp[rule_format] diff --git a/proof/crefine/RISCV64/Schedule_C.thy b/proof/crefine/RISCV64/Schedule_C.thy index e652c7132b..174c280acf 100644 --- a/proof/crefine/RISCV64/Schedule_C.thy +++ b/proof/crefine/RISCV64/Schedule_C.thy @@ -656,7 +656,7 @@ lemma schedule_ccorres: (* FIXME: move *) lemma map_to_tcbs_upd: - "map_to_tcbs (ksPSpace s(t \ KOTCB tcb')) = map_to_tcbs (ksPSpace s)(t \ tcb')" + "map_to_tcbs ((ksPSpace s)(t \ KOTCB tcb')) = (map_to_tcbs (ksPSpace s))(t \ tcb')" apply (rule ext) apply (clarsimp simp: map_comp_def projectKOs split: option.splits if_splits) done diff --git a/proof/crefine/RISCV64/TcbAcc_C.thy b/proof/crefine/RISCV64/TcbAcc_C.thy index 87af5af1f6..87ce07b8a8 100644 --- a/proof/crefine/RISCV64/TcbAcc_C.thy +++ b/proof/crefine/RISCV64/TcbAcc_C.thy @@ -176,7 +176,7 @@ lemma threadSet_corres_lemma: assumes spec: "\s. \\ \s. P s\ Call f {t. Q s t}" and mod: "modifies_heap_spec f" and rl: "\\ x t ko. \(\, x) \ rf_sr; Q x t; x \ P'; ko_at' ko thread \\ - \ (\\ksPSpace := ksPSpace \(thread \ KOTCB (g ko))\, + \ (\\ksPSpace := (ksPSpace \)(thread \ KOTCB (g ko))\, t\globals := globals x\t_hrs_' := t_hrs_' (globals t)\\) \ rf_sr" and g: "\s x. \tcb_at' thread s; x \ P'; (s, x) \ rf_sr\ \ P x" shows "ccorres dc xfdc (tcb_at' thread) P' [] (threadSet g thread) (Call f)" 
@@ -205,7 +205,7 @@ lemma threadSet_corres_lemma: lemma threadSet_ccorres_lemma4: - "\ \s tcb. \ \ (Q s tcb) c {s'. (s \ksPSpace := ksPSpace s(thread \ injectKOS (F tcb))\, s') \ rf_sr}; + "\ \s tcb. \ \ (Q s tcb) c {s'. (s \ksPSpace := (ksPSpace s)(thread \ injectKOS (F tcb))\, s') \ rf_sr}; \s s' tcb tcb'. \ (s, s') \ rf_sr; P tcb; ko_at' tcb thread s; cslift s' (tcb_ptr_to_ctcb_ptr thread) = Some tcb'; ctcb_relation tcb tcb'; P' s ; s' \ R\ \ s' \ Q s tcb \ diff --git a/proof/crefine/RISCV64/TcbQueue_C.thy b/proof/crefine/RISCV64/TcbQueue_C.thy index 5cc7952bb1..60ca67b668 100644 --- a/proof/crefine/RISCV64/TcbQueue_C.thy +++ b/proof/crefine/RISCV64/TcbQueue_C.thy @@ -1093,8 +1093,8 @@ lemma cpspace_relation_ntfn_update_ntfn: and cp: "cpspace_ntfn_relation (ksPSpace s) (t_hrs_' (globals t))" and rel: "cnotification_relation (cslift t') ntfn' notification" and mpeq: "(cslift t' |` (- (tcb_ptr_to_ctcb_ptr ` qs))) = (cslift t |` (- (tcb_ptr_to_ctcb_ptr ` qs)))" - shows "cmap_relation (map_to_ntfns (ksPSpace s(ntfnptr \ KONotification ntfn'))) - (cslift t(Ptr ntfnptr \ notification)) Ptr (cnotification_relation (cslift t'))" + shows "cmap_relation (map_to_ntfns ((ksPSpace s)(ntfnptr \ KONotification ntfn'))) + ((cslift t)(Ptr ntfnptr \ notification)) Ptr (cnotification_relation (cslift t'))" using koat invs cp rel apply - apply (subst map_comp_update) @@ -1381,7 +1381,7 @@ lemma rf_sr_tcb_update_no_queue: (\x\ran tcb_cte_cases. (\(getF, setF). getF tcb' = getF tcb) x); ctcb_relation tcb' ctcb \ - \ (s\ksPSpace := ksPSpace s(thread \ KOTCB tcb')\, + \ (s\ksPSpace := (ksPSpace s)(thread \ KOTCB tcb')\, x\globals := globals s'\t_hrs_' := t_hrs_' (globals t)\\) \ rf_sr" unfolding rf_sr_def state_relation_def cstate_relation_def cpspace_relation_def apply (clarsimp simp: Let_def update_tcb_map_tos map_to_ctes_upd_tcb_no_ctes 
@@ -1431,7 +1431,7 @@ lemma rf_sr_tcb_update_not_in_queue: \ live' (KOTCB tcb); invs' s; (\x\ran tcb_cte_cases. (\(getF, setF). getF tcb' = getF tcb) x); ctcb_relation tcb' ctcb \ - \ (s\ksPSpace := ksPSpace s(thread \ KOTCB tcb')\, + \ (s\ksPSpace := (ksPSpace s)(thread \ KOTCB tcb')\, x\globals := globals s'\t_hrs_' := t_hrs_' (globals t)\\) \ rf_sr" unfolding rf_sr_def state_relation_def cstate_relation_def cpspace_relation_def apply (clarsimp simp: Let_def update_tcb_map_tos map_to_ctes_upd_tcb_no_ctes diff --git a/proof/crefine/RISCV64/Tcb_C.thy b/proof/crefine/RISCV64/Tcb_C.thy index 16cc2e5a3c..fecb1947de 100644 --- a/proof/crefine/RISCV64/Tcb_C.thy +++ b/proof/crefine/RISCV64/Tcb_C.thy @@ -98,8 +98,8 @@ lemma getMRs_rel_sched: lemma getObject_state: " \(x, s') \ fst (getObject t' s); ko_at' ko t s\ \ (if t = t' then tcbState_update (\_. st) x else x, - s'\ksPSpace := ksPSpace s(t \ KOTCB (tcbState_update (\_. st) ko))\) - \ fst (getObject t' (s\ksPSpace := ksPSpace s(t \ KOTCB (tcbState_update (\_. st) ko))\))" + s'\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbState_update (\_. st) ko))\) + \ fst (getObject t' (s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbState_update (\_. st) ko))\))" apply (simp split: if_split) apply (rule conjI) apply clarsimp @@ -160,8 +160,8 @@ lemma getObject_state: lemma threadGet_state: "\ (uc, s') \ fst (threadGet (atcbContextGet o tcbArch) t' s); ko_at' ko t s \ \ - (uc, s'\ksPSpace := ksPSpace s(t \ KOTCB (tcbState_update (\_. st) ko))\) \ - fst (threadGet (atcbContextGet o tcbArch) t' (s\ksPSpace := ksPSpace s(t \ KOTCB (tcbState_update (\_. st) ko))\))" + (uc, s'\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbState_update (\_. st) ko))\) \ + fst (threadGet (atcbContextGet o tcbArch) t' (s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbState_update (\_. st) ko))\))" apply (clarsimp simp: threadGet_def liftM_def in_monad) apply (drule (1) getObject_state [where st=st]) apply (rule exI) 
@@ -171,8 +171,8 @@ lemma threadGet_state: lemma asUser_state: "\(x,s) \ fst (asUser t' f s); ko_at' ko t s; \s. \(=) s\ f \\_. (=) s\ \ \ - (x,s\ksPSpace := ksPSpace s(t \ KOTCB (tcbState_update (\_. st) ko))\) \ - fst (asUser t' f (s\ksPSpace := ksPSpace s(t \ KOTCB (tcbState_update (\_. st) ko))\))" + (x,s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbState_update (\_. st) ko))\) \ + fst (asUser t' f (s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbState_update (\_. st) ko))\))" apply (clarsimp simp: asUser_def in_monad select_f_def) apply (frule use_valid, rule threadGet_inv [where P="(=) s"], rule refl) apply (frule use_valid, assumption, rule refl) @@ -272,8 +272,8 @@ lemma asUser_state: lemma doMachineOp_state: "(rv,s') \ fst (doMachineOp f s) \ - (rv,s'\ksPSpace := ksPSpace s(t \ KOTCB (tcbState_update (\_. st) ko))\) - \ fst (doMachineOp f (s\ksPSpace := ksPSpace s(t \ KOTCB (tcbState_update (\_. st) ko))\))" + (rv,s'\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbState_update (\_. st) ko))\) + \ fst (doMachineOp f (s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbState_update (\_. st) ko))\))" apply (clarsimp simp: doMachineOp_def split_def in_monad select_f_def) apply fastforce done @@ -306,7 +306,7 @@ lemma getMRs_rel_state: "\getMRs_rel args buffer s; (cur_tcb' and case_option \ valid_ipc_buffer_ptr' buffer) s; ko_at' ko t s \ \ - getMRs_rel args buffer (s\ksPSpace := ksPSpace s(t \ KOTCB (tcbState_update (\_. st) ko))\)" + getMRs_rel args buffer (s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbState_update (\_. st) ko))\)" apply (clarsimp simp: getMRs_rel_def) apply (rule exI, erule conjI) apply (subst (asm) det_wp_use, rule det_wp_getMRs) 
@@ -1294,8 +1294,8 @@ lemma invokeTCB_WriteRegisters_ccorres_helper: lemma doMachineOp_context: "(rv,s') \ fst (doMachineOp f s) \ - (rv,s'\ksPSpace := ksPSpace s(t \ KOTCB (tcbContext_update (\_. st) ko))\) - \ fst (doMachineOp f (s\ksPSpace := ksPSpace s(t \ KOTCB (tcbContext_update (\_. st) ko))\))" + (rv,s'\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbContext_update (\_. st) ko))\) + \ fst (doMachineOp f (s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbContext_update (\_. st) ko))\))" apply (clarsimp simp: doMachineOp_def split_def in_monad select_f_def) apply fastforce done @@ -1304,8 +1304,8 @@ lemma doMachineOp_context: lemma getObject_context: " \(x, s') \ fst (getObject t' s); ko_at' ko t s\ \ (if t = t' then tcbContext_update (\_. st) x else x, - s'\ksPSpace := ksPSpace s(t \ KOTCB (tcbContext_update (\_. st) ko))\) - \ fst (getObject t' (s\ksPSpace := ksPSpace s(t \ KOTCB (tcbContext_update (\_. st) ko))\))" + s'\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbContext_update (\_. st) ko))\) + \ fst (getObject t' (s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbContext_update (\_. st) ko))\))" apply (simp split: if_split) apply (rule conjI) apply clarsimp @@ -1367,8 +1367,8 @@ lemma getObject_context: lemma threadGet_context: "\ (uc, s') \ fst (threadGet (atcbContextGet o tcbArch) (ksCurThread s) s); ko_at' ko t s; t \ ksCurThread s \ \ - (uc, s'\ksPSpace := ksPSpace s(t \ KOTCB (tcbArch_update (\_. atcbContextSet st (tcbArch ko)) ko))\) \ - fst (threadGet (atcbContextGet o tcbArch) (ksCurThread s) (s\ksPSpace := ksPSpace s(t \ KOTCB (tcbArch_update (\_. atcbContextSet st (tcbArch ko)) ko))\))" + (uc, s'\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbArch_update (\_. atcbContextSet st (tcbArch ko)) ko))\) \ + fst (threadGet (atcbContextGet o tcbArch) (ksCurThread s) (s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbArch_update (\_. atcbContextSet st (tcbArch ko)) ko))\))" apply (clarsimp simp: threadGet_def liftM_def in_monad) apply (drule (1) getObject_context [where st=st]) apply (rule exI) 
@@ -1380,8 +1380,8 @@ done lemma asUser_context: "\(x,s) \ fst (asUser (ksCurThread s) f s); ko_at' ko t s; \s. \(=) s\ f \\_. (=) s\ ; t \ ksCurThread s\ \ - (x,s\ksPSpace := ksPSpace s(t \ KOTCB (tcbArch_update (\_. atcbContextSet st (tcbArch ko)) ko))\) \ - fst (asUser (ksCurThread s) f (s\ksPSpace := ksPSpace s(t \ KOTCB (tcbArch_update (\_. atcbContextSet st (tcbArch ko)) ko))\))" + (x,s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbArch_update (\_. atcbContextSet st (tcbArch ko)) ko))\) \ + fst (asUser (ksCurThread s) f (s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbArch_update (\_. atcbContextSet st (tcbArch ko)) ko))\))" apply (clarsimp simp: asUser_def in_monad select_f_def) apply (frule use_valid, rule threadGet_inv [where P="(=) s"], rule refl) apply (frule use_valid, assumption, rule refl) @@ -1454,7 +1454,7 @@ lemma getMRs_rel_context: "\getMRs_rel args buffer s; (cur_tcb' and case_option \ valid_ipc_buffer_ptr' buffer) s; ko_at' ko t s ; t \ ksCurThread s\ \ - getMRs_rel args buffer (s\ksPSpace := ksPSpace s(t \ KOTCB (tcbArch_update (\_. atcbContextSet st (tcbArch ko)) ko))\)" + getMRs_rel args buffer (s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbArch_update (\_. atcbContextSet st (tcbArch ko)) ko))\)" apply (clarsimp simp: getMRs_rel_def) apply (rule exI, erule conjI) apply (subst (asm) det_wp_use, rule det_wp_getMRs) diff --git a/proof/crefine/X64/Finalise_C.thy b/proof/crefine/X64/Finalise_C.thy index 76c5bf9e67..7425df66fc 100644 --- a/proof/crefine/X64/Finalise_C.thy +++ b/proof/crefine/X64/Finalise_C.thy @@ -1283,7 +1283,7 @@ lemma deleteASID_ccorres: lemma setObject_ccorres_lemma: fixes val :: "'a :: pspace_storable" shows - "\ \s. \ \ (Q s) c {s'. (s \ ksPSpace := ksPSpace s (ptr \ injectKO val) \, s') \ rf_sr},{}; + "\ \s. \ \ (Q s) c {s'. (s \ ksPSpace := (ksPSpace s)(ptr \ injectKO val) \, s') \ rf_sr},{}; \s s' val (val' :: 'a). \ ko_at' val' ptr s; (s, s') \ rf_sr \ \ s' \ Q s; \val :: 'a. updateObject val = updateObject_default val; 
@@ -1730,7 +1730,7 @@ lemma option_to_ctcb_ptr_not_0: done lemma update_tcb_map_to_tcb: - "map_to_tcbs (ksPSpace s(p \ KOTCB tcb)) + "map_to_tcbs ((ksPSpace s)(p \ KOTCB tcb)) = (map_to_tcbs (ksPSpace s))(p \ tcb)" by (rule ext, clarsimp simp: projectKOs map_comp_def split: if_split) @@ -1770,7 +1770,7 @@ lemma sched_queue_relation_shift: lemma cendpoint_relation_udpate_arch: "\ cslift x p = Some tcb ; cendpoint_relation (cslift x) v v' \ - \ cendpoint_relation (cslift x(p \ tcbArch_C_update f tcb)) v v'" + \ cendpoint_relation ((cslift x)(p \ tcbArch_C_update f tcb)) v v'" apply (clarsimp simp: cendpoint_relation_def Let_def tcb_queue_relation'_def split: endpoint.splits) apply (subst ep_queue_relation_shift2; simp add: fun_eq_iff) @@ -1781,7 +1781,7 @@ lemma cendpoint_relation_udpate_arch: lemma cnotification_relation_udpate_arch: "\ cslift x p = Some tcb ; cnotification_relation (cslift x) v v' \ - \ cnotification_relation (cslift x(p \ tcbArch_C_update f tcb)) v v'" + \ cnotification_relation ((cslift x)(p \ tcbArch_C_update f tcb)) v v'" apply (clarsimp simp: cnotification_relation_def Let_def tcb_queue_relation'_def split: notification.splits ntfn.splits) apply (subst ep_queue_relation_shift2; simp add: fun_eq_iff) diff --git a/proof/crefine/X64/IpcCancel_C.thy b/proof/crefine/X64/IpcCancel_C.thy index adcd34e2ee..cca60bcadd 100644 --- a/proof/crefine/X64/IpcCancel_C.thy +++ b/proof/crefine/X64/IpcCancel_C.thy 
@@ -2824,8 +2824,8 @@ lemma cpspace_relation_ep_update_an_ep: and pal: "pspace_aligned' s" "pspace_distinct' s" and others: "\epptr' ep'. \ ko_at' ep' epptr' s; epptr' \ epptr; ep' \ IdleEP \ \ set (epQueue ep') \ (ctcb_ptr_to_tcb_ptr ` S) = {}" - shows "cmap_relation (map_to_eps (ksPSpace s(epptr \ KOEndpoint ep'))) - (cslift t(Ptr epptr \ endpoint)) Ptr (cendpoint_relation mp')" + shows "cmap_relation (map_to_eps ((ksPSpace s)(epptr \ KOEndpoint ep'))) + ((cslift t)(Ptr epptr \ endpoint)) Ptr (cendpoint_relation mp')" using cp koat pal rel unfolding cmap_relation_def apply - apply (clarsimp elim!: obj_atE' simp: map_comp_update projectKO_opts_defs) @@ -2847,8 +2847,8 @@ lemma cpspace_relation_ep_update_ep: and cp: "cmap_relation (map_to_eps (ksPSpace s)) (cslift t) Ptr (cendpoint_relation mp)" and rel: "cendpoint_relation mp' ep' endpoint" and mpeq: "(mp' |` (- (tcb_ptr_to_ctcb_ptr ` qs))) = (mp |` (- (tcb_ptr_to_ctcb_ptr ` qs)))" - shows "cmap_relation (map_to_eps (ksPSpace s(epptr \ KOEndpoint ep'))) - (cslift t(Ptr epptr \ endpoint)) Ptr (cendpoint_relation mp')" + shows "cmap_relation (map_to_eps ((ksPSpace s)(epptr \ KOEndpoint ep'))) + ((cslift t)(Ptr epptr \ endpoint)) Ptr (cendpoint_relation mp')" using invs apply (intro cpspace_relation_ep_update_an_ep[OF koat cp rel mpeq]) apply clarsimp+ 
@@ -2860,15 +2860,15 @@ lemma cpspace_relation_ep_update_ep': fixes ep :: "endpoint" and ep' :: "endpoint" and epptr :: "machine_word" and s :: "kernel_state" defines "qs \ if (isSendEP ep' \ isRecvEP ep') then set (epQueue ep') else {}" - defines "s' \ s\ksPSpace := ksPSpace s(epptr \ KOEndpoint ep')\" + defines "s' \ s\ksPSpace := (ksPSpace s)(epptr \ KOEndpoint ep')\" assumes koat: "ko_at' ep epptr s" and vp: "valid_pspace' s" and cp: "cmap_relation (map_to_eps (ksPSpace s)) (cslift t) Ptr (cendpoint_relation mp)" and srs: "sym_refs (state_refs_of' s')" and rel: "cendpoint_relation mp' ep' endpoint" and mpeq: "(mp' |` (- (tcb_ptr_to_ctcb_ptr ` qs))) = (mp |` (- (tcb_ptr_to_ctcb_ptr ` qs)))" - shows "cmap_relation (map_to_eps (ksPSpace s(epptr \ KOEndpoint ep'))) - (cslift t(Ptr epptr \ endpoint)) Ptr (cendpoint_relation mp')" + shows "cmap_relation (map_to_eps ((ksPSpace s)(epptr \ KOEndpoint ep'))) + ((cslift t)(Ptr epptr \ endpoint)) Ptr (cendpoint_relation mp')" proof - from koat have koat': "ko_at' ep' epptr s'" by (clarsimp simp: obj_at'_def s'_def objBitsKO_def ps_clear_def projectKOs) diff --git a/proof/crefine/X64/Ipc_C.thy b/proof/crefine/X64/Ipc_C.thy index 3d2bc76c34..2adbeff243 100644 --- a/proof/crefine/X64/Ipc_C.thy +++ b/proof/crefine/X64/Ipc_C.thy 
@@ -4820,12 +4820,12 @@ lemma sendIPC_enqueue_ccorres_helper: apply (simp add: cendpoint_relation_def Let_def) apply (case_tac ep, simp_all add: init_def valid_ep'_def)[1] apply (subgoal_tac "sym_refs (state_refs_of' (\\ksPSpace := - ksPSpace \(epptr \ KOEndpoint (SendEP queue))\))") + (ksPSpace \)(epptr \ KOEndpoint (SendEP queue))\))") prefer 2 apply (clarsimp simp: state_refs_of'_upd ko_wp_at'_def obj_at'_def projectKOs objBitsKO_def) apply (subgoal_tac "ko_at' (SendEP queue) epptr (\\ksPSpace := - ksPSpace \(epptr \ KOEndpoint (SendEP queue))\)") + (ksPSpace \)(epptr \ KOEndpoint (SendEP queue))\)") prefer 2 apply (clarsimp simp: obj_at'_def projectKOs objBitsKO_def ps_clear_upd) apply (intro conjI impI allI) @@ -5241,12 +5241,12 @@ lemma receiveIPC_enqueue_ccorres_helper: apply (simp add: cendpoint_relation_def Let_def) apply (case_tac ep, simp_all add: init_def valid_ep'_def)[1] apply (subgoal_tac "sym_refs (state_refs_of' (\\ksPSpace := - ksPSpace \(epptr \ KOEndpoint (RecvEP queue))\))") + (ksPSpace \)(epptr \ KOEndpoint (RecvEP queue))\))") prefer 2 apply (clarsimp simp: state_refs_of'_upd ko_wp_at'_def obj_at'_def projectKOs objBitsKO_def) apply (subgoal_tac "ko_at' (RecvEP queue) epptr (\\ksPSpace := - ksPSpace \(epptr \ KOEndpoint (RecvEP queue))\)") + (ksPSpace \)(epptr \ KOEndpoint (RecvEP queue))\)") prefer 2 apply (clarsimp simp: obj_at'_def projectKOs objBitsKO_def ps_clear_upd) apply (intro conjI impI allI) 
@@ -6291,16 +6291,17 @@ lemma cpspace_relation_ntfn_update_ntfn': fixes ntfn :: "Structures_H.notification" and ntfn' :: "Structures_H.notification" and ntfnptr :: "machine_word" and s :: "kernel_state" defines "qs \ if isWaitingNtfn (ntfnObj ntfn') then set (ntfnQueue (ntfnObj ntfn')) else {}" - defines "s' \ s\ksPSpace := ksPSpace s(ntfnptr \ KONotification ntfn')\" + defines "s' \ s\ksPSpace := (ksPSpace s)(ntfnptr \ KONotification ntfn')\" assumes koat: "ko_at' ntfn ntfnptr s" and vp: "valid_pspace' s" and cp: "cmap_relation (map_to_ntfns (ksPSpace s)) (cslift t) Ptr (cnotification_relation (cslift t))" and srs: "sym_refs (state_refs_of' s')" and rel: "cnotification_relation (cslift t') ntfn' notification" and mpeq: "(cslift t' |` (- (tcb_ptr_to_ctcb_ptr ` qs))) = (cslift t |` (- (tcb_ptr_to_ctcb_ptr ` qs)))" - shows "cmap_relation (map_to_ntfns (ksPSpace s(ntfnptr \ KONotification ntfn'))) - (cslift t(Ptr ntfnptr \ notification)) Ptr - (cnotification_relation (cslift t'))" + shows "cmap_relation (map_to_ntfns ((ksPSpace s)(ntfnptr \ KONotification ntfn'))) + ((cslift t)(Ptr ntfnptr \ notification)) + Ptr + (cnotification_relation (cslift t'))" proof - from koat have koat': "ko_at' ntfn' ntfnptr s'" by (clarsimp simp: obj_at'_def s'_def objBitsKO_def ps_clear_def projectKOs) 
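Review bot: cpspace_relation_ntfn_update_ntfn' ends up with `Ptr` on a line of its own on the new side, which is a layout change unrelated to the notation migration and the only one of its kind in this series (the hunk grows from 16 to 17 lines for that reason alone). The sibling statement cpspace_relation_ntfn_update_ntfn in TcbQueue_C.thy keeps `Ptr (cnotification_relation (cslift t'))` on one line, so the two lemmas are no longer textually parallel. Suggest keeping `((cslift t)(Ptr ntfnptr \<mapsto> notification)) Ptr (cnotification_relation (cslift t'))` on one line here so the commit stays purely mechanical. The lemma's proof continues outside the hunk.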
@@ -6376,12 +6377,12 @@ lemma receiveSignal_enqueue_ccorres_helper: apply (simp add: cnotification_relation_def Let_def) apply (case_tac "ntfnObj ntfn", simp_all add: init_def valid_ntfn'_def)[1] apply (subgoal_tac "sym_refs (state_refs_of' (\\ksPSpace := - ksPSpace \(ntfnptr \ KONotification (NTFN (WaitingNtfn queue) (ntfnBoundTCB ntfn)))\))") + (ksPSpace \)(ntfnptr \ KONotification (NTFN (WaitingNtfn queue) (ntfnBoundTCB ntfn)))\))") prefer 2 apply (clarsimp simp: state_refs_of'_upd ko_wp_at'_def ntfnBound_state_refs_equivalence obj_at'_def projectKOs objBitsKO_def) apply (subgoal_tac "ko_at' (NTFN (WaitingNtfn queue) (ntfnBoundTCB ntfn)) ntfnptr (\\ksPSpace := - ksPSpace \(ntfnptr \ KONotification (NTFN (WaitingNtfn queue) (ntfnBoundTCB ntfn)))\)") + (ksPSpace \)(ntfnptr \ KONotification (NTFN (WaitingNtfn queue) (ntfnBoundTCB ntfn)))\)") prefer 2 apply (clarsimp simp: obj_at'_def projectKOs objBitsKO_def ps_clear_upd) apply (intro conjI impI allI) diff --git a/proof/crefine/X64/PSpace_C.thy b/proof/crefine/X64/PSpace_C.thy index 14a69364ef..1c5b5ee0ba 100644 --- a/proof/crefine/X64/PSpace_C.thy +++ b/proof/crefine/X64/PSpace_C.thy @@ -47,7 +47,7 @@ lemma setObject_ccorres_helper: fixes ko :: "'a :: pspace_storable" assumes valid: "\\ (ko' :: 'a). \ \ {s. (\, s) \ rf_sr \ P \ \ s \ P' \ ko_at' ko' p \} - c {s. (\\ksPSpace := ksPSpace \ (p \ injectKO ko)\, s) \ rf_sr}" + c {s. (\\ksPSpace := (ksPSpace \)(p \ injectKO ko)\, s) \ rf_sr}" shows "\ \ko :: 'a. updateObject ko = updateObject_default ko; \ko :: 'a. (1 :: machine_word) < 2 ^ objBits ko \ \ ccorres dc xfdc P P' hs (setObject p ko) c" diff --git a/proof/crefine/X64/Recycle_C.thy b/proof/crefine/X64/Recycle_C.thy index e904218590..1ef25598af 100644 --- a/proof/crefine/X64/Recycle_C.thy +++ b/proof/crefine/X64/Recycle_C.thy 
@@ -454,7 +454,7 @@ lemma mapM_x_store_memset_ccorres_assist: "\ko :: 'a. (1 :: machine_word) < 2 ^ objBits ko" assumes restr: "set slots \ S" assumes worker: "\ptr s s' (ko :: 'a). \ (s, s') \ rf_sr; ko_at' ko ptr s; ptr \ S \ - \ (s \ ksPSpace := ksPSpace s (ptr \ injectKO val)\, + \ (s \ ksPSpace := (ksPSpace s)(ptr \ injectKO val)\, globals_update (t_hrs_'_update (hrs_mem_update (heap_update_list ptr (replicateHider (2 ^ objBits val) (ucast c))))) s') \ rf_sr" @@ -793,8 +793,8 @@ lemma cpspace_relation_ep_update_ep2: (cslift t) ep_Ptr (cendpoint_relation (cslift t)); cendpoint_relation (cslift t') ep' endpoint; (cslift t' :: tcb_C ptr \ tcb_C) = cslift t \ - \ cmap_relation (map_to_eps (ksPSpace s(epptr \ KOEndpoint ep'))) - (cslift t(ep_Ptr epptr \ endpoint)) + \ cmap_relation (map_to_eps ((ksPSpace s)(epptr \ KOEndpoint ep'))) + ((cslift t)(ep_Ptr epptr \ endpoint)) ep_Ptr (cendpoint_relation (cslift t'))" apply (rule cmap_relationE1, assumption, erule ko_at_projectKO_opt) apply (rule_tac P="\a. cmap_relation a b c d" for b c d in rsubst, diff --git a/proof/crefine/X64/Retype_C.thy b/proof/crefine/X64/Retype_C.thy index eec9e32085..4f37ce630d 100644 --- a/proof/crefine/X64/Retype_C.thy +++ b/proof/crefine/X64/Retype_C.thy @@ -6121,7 +6121,7 @@ lemma gsCNodes_update_ccorres: (* FIXME: move *) lemma map_to_tcbs_upd: - "map_to_tcbs (ksPSpace s(t \ KOTCB tcb')) = map_to_tcbs (ksPSpace s)(t \ tcb')" + "map_to_tcbs ((ksPSpace s)(t \ KOTCB tcb')) = (map_to_tcbs (ksPSpace s))(t \ tcb')" apply (rule ext) apply (clarsimp simp: map_comp_def projectKOs split: option.splits if_splits) done diff --git a/proof/crefine/X64/SR_lemmas_C.thy b/proof/crefine/X64/SR_lemmas_C.thy index 5d9028cacb..8263af60a8 100644 --- a/proof/crefine/X64/SR_lemmas_C.thy +++ b/proof/crefine/X64/SR_lemmas_C.thy 
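Review bot: map_to_tcbs_upd in Retype_C.thy is, on its new side, the same statement as update_tcb_map_to_tcb in Finalise_C.thy of the same X64 tree, and it still carries the `(* FIXME: move *)` tag; this commit now has to patch both copies for one notation change, which is exactly the cost that FIXME warns about. Consider lifting one copy into SR_lemmas_C.thy next to update_asidpool_map_to_asidpools and the other `update_*_map_to_*` lemmas and dropping the duplicate, so future syntax migrations touch one place. This is a follow-up suggestion rather than a blocker for a mechanical change.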
@@ -307,7 +307,7 @@ lemma tcb_cte_cases_proj_eq [simp]: (* NOTE: 5 = cte_level_bits *) lemma map_to_ctes_upd_cte': "\ ksPSpace s p = Some (KOCTE cte'); is_aligned p cte_level_bits; ps_clear p cte_level_bits s \ - \ map_to_ctes (ksPSpace s(p |-> KOCTE cte)) = (map_to_ctes (ksPSpace s))(p |-> cte)" + \ map_to_ctes ((ksPSpace s)(p |-> KOCTE cte)) = (map_to_ctes (ksPSpace s))(p |-> cte)" apply (erule (1) map_to_ctes_upd_cte) apply (simp add: field_simps ps_clear_def3 cte_level_bits_def mask_def) done @@ -315,7 +315,7 @@ lemma map_to_ctes_upd_cte': lemma map_to_ctes_upd_tcb': "[| ksPSpace s p = Some (KOTCB tcb'); is_aligned p tcbBlockSizeBits; ps_clear p tcbBlockSizeBits s |] -==> map_to_ctes (ksPSpace s(p |-> KOTCB tcb)) = +==> map_to_ctes ((ksPSpace s)(p |-> KOTCB tcb)) = (%x. if EX getF setF. tcb_cte_cases (x - p) = Some (getF, setF) & getF tcb ~= getF tcb' @@ -442,7 +442,7 @@ lemma fst_setCTE: assumes ct: "cte_at' dest s" and rl: "\s'. \ ((), s') \ fst (setCTE dest cte s); (s' = s \ ksPSpace := ksPSpace s' \); - (ctes_of s' = ctes_of s(dest \ cte)); + (ctes_of s' = (ctes_of s)(dest \ cte)); (map_to_eps (ksPSpace s) = map_to_eps (ksPSpace s')); (map_to_ntfns (ksPSpace s) = map_to_ntfns (ksPSpace s')); (map_to_pml4es (ksPSpace s) = map_to_pml4es (ksPSpace s')); @@ -470,7 +470,7 @@ proof - by clarsimp note thms = this - have ceq: "ctes_of s' = ctes_of s(dest \ cte)" + have ceq: "ctes_of s' = (ctes_of s)(dest \ cte)" by (rule use_valid [OF thms(1) setCTE_ctes_of_wp]) simp show ?thesis @@ -1493,7 +1493,7 @@ lemma ntfnQueue_tail_mask_4 [simp]: lemma map_to_ctes_upd_tcb_no_ctes: "\ko_at' tcb thread s ; \x\ran tcb_cte_cases. (\(getF, setF). getF tcb' = getF tcb) x \ - \ map_to_ctes (ksPSpace s(thread \ KOTCB tcb')) = map_to_ctes (ksPSpace s)" + \ map_to_ctes ((ksPSpace s)(thread \ KOTCB tcb')) = map_to_ctes (ksPSpace s)" apply (erule obj_atE') apply (simp add: projectKOs objBits_simps) apply (subst map_to_ctes_upd_tcb') 
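Review bot: The rewritten statement line of map_to_ctes_upd_tcb' keeps the ASCII notation `[| ... |]`, `==>`, `%x`, `EX`, `~=` and `|->`, while the neighbouring lemmas in this file (map_to_ctes_upd_tcb_no_ctes, update_ntfn_map_tos) use the symbol forms. Since this migration already rewrites that line, it is the natural moment to switch it to `\<lbrakk> ... \<rbrakk> \<Longrightarrow>`, `\<lambda>x`, `\<exists>`, `\<noteq>` and `\<mapsto>` so the file uses one notation; the same applies to `|->` in map_to_ctes_upd_cte' a few lines above. The proof of map_to_ctes_upd_tcb' continues outside the hunk.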
@@ -1507,16 +1507,16 @@ lemma map_to_ctes_upd_tcb_no_ctes: lemma update_ntfn_map_tos: fixes P :: "Structures_H.notification \ bool" assumes at: "obj_at' P p s" - shows "map_to_eps (ksPSpace s(p \ KONotification ko)) = map_to_eps (ksPSpace s)" - and "map_to_tcbs (ksPSpace s(p \ KONotification ko)) = map_to_tcbs (ksPSpace s)" - and "map_to_ctes (ksPSpace s(p \ KONotification ko)) = map_to_ctes (ksPSpace s)" - and "map_to_pml4es (ksPSpace s(p \ KONotification ko)) = map_to_pml4es (ksPSpace s)" - and "map_to_pdptes (ksPSpace s(p \ KONotification ko)) = map_to_pdptes (ksPSpace s)" - and "map_to_pdes (ksPSpace s(p \ KONotification ko)) = map_to_pdes (ksPSpace s)" - and "map_to_ptes (ksPSpace s(p \ KONotification ko)) = map_to_ptes (ksPSpace s)" - and "map_to_asidpools (ksPSpace s(p \ KONotification ko)) = map_to_asidpools (ksPSpace s)" - and "map_to_user_data (ksPSpace s(p \ KONotification ko)) = map_to_user_data (ksPSpace s)" - and "map_to_user_data_device (ksPSpace s(p \ KONotification ko)) = map_to_user_data_device (ksPSpace s)" + shows "map_to_eps ((ksPSpace s)(p \ KONotification ko)) = map_to_eps (ksPSpace s)" + and "map_to_tcbs ((ksPSpace s)(p \ KONotification ko)) = map_to_tcbs (ksPSpace s)" + and "map_to_ctes ((ksPSpace s)(p \ KONotification ko)) = map_to_ctes (ksPSpace s)" + and "map_to_pml4es ((ksPSpace s)(p \ KONotification ko)) = map_to_pml4es (ksPSpace s)" + and "map_to_pdptes ((ksPSpace s)(p \ KONotification ko)) = map_to_pdptes (ksPSpace s)" + and "map_to_pdes ((ksPSpace s)(p \ KONotification ko)) = map_to_pdes (ksPSpace s)" + and "map_to_ptes ((ksPSpace s)(p \ KONotification ko)) = map_to_ptes (ksPSpace s)" + and "map_to_asidpools ((ksPSpace s)(p \ KONotification ko)) = map_to_asidpools (ksPSpace s)" + and "map_to_user_data ((ksPSpace s)(p \ KONotification ko)) = map_to_user_data (ksPSpace s)" + and "map_to_user_data_device ((ksPSpace s)(p \ KONotification ko)) = map_to_user_data_device (ksPSpace s)" using at by (auto elim!: obj_atE' intro!: 
map_to_ctes_upd_other map_comp_eqI simp: projectKOs projectKO_opts_defs split: kernel_object.splits if_split_asm)+ 
@@ -1524,16 +1524,16 @@ lemma update_ntfn_map_tos: lemma update_ep_map_tos: fixes P :: "endpoint \ bool" assumes at: "obj_at' P p s" - shows "map_to_ntfns (ksPSpace s(p \ KOEndpoint ko)) = map_to_ntfns (ksPSpace s)" - and "map_to_tcbs (ksPSpace s(p \ KOEndpoint ko)) = map_to_tcbs (ksPSpace s)" - and "map_to_ctes (ksPSpace s(p \ KOEndpoint ko)) = map_to_ctes (ksPSpace s)" - and "map_to_pml4es (ksPSpace s(p \ KOEndpoint ko)) = map_to_pml4es (ksPSpace s)" - and "map_to_pdptes (ksPSpace s(p \ KOEndpoint ko)) = map_to_pdptes (ksPSpace s)" - and "map_to_pdes (ksPSpace s(p \ KOEndpoint ko)) = map_to_pdes (ksPSpace s)" - and "map_to_ptes (ksPSpace s(p \ KOEndpoint ko)) = map_to_ptes (ksPSpace s)" - and "map_to_asidpools (ksPSpace s(p \ KOEndpoint ko)) = map_to_asidpools (ksPSpace s)" - and "map_to_user_data (ksPSpace s(p \ KOEndpoint ko)) = map_to_user_data (ksPSpace s)" - and "map_to_user_data_device (ksPSpace s(p \ KOEndpoint ko)) = map_to_user_data_device (ksPSpace s)" + shows "map_to_ntfns ((ksPSpace s)(p \ KOEndpoint ko)) = map_to_ntfns (ksPSpace s)" + and "map_to_tcbs ((ksPSpace s)(p \ KOEndpoint ko)) = map_to_tcbs (ksPSpace s)" + and "map_to_ctes ((ksPSpace s)(p \ KOEndpoint ko)) = map_to_ctes (ksPSpace s)" + and "map_to_pml4es ((ksPSpace s)(p \ KOEndpoint ko)) = map_to_pml4es (ksPSpace s)" + and "map_to_pdptes ((ksPSpace s)(p \ KOEndpoint ko)) = map_to_pdptes (ksPSpace s)" + and "map_to_pdes ((ksPSpace s)(p \ KOEndpoint ko)) = map_to_pdes (ksPSpace s)" + and "map_to_ptes ((ksPSpace s)(p \ KOEndpoint ko)) = map_to_ptes (ksPSpace s)" + and "map_to_asidpools ((ksPSpace s)(p \ KOEndpoint ko)) = map_to_asidpools (ksPSpace s)" + and "map_to_user_data ((ksPSpace s)(p \ KOEndpoint ko)) = map_to_user_data (ksPSpace s)" + and "map_to_user_data_device ((ksPSpace s)(p \ KOEndpoint ko)) = map_to_user_data_device (ksPSpace s)" using at by (auto elim!: obj_atE' intro!: map_to_ctes_upd_other map_comp_eqI simp: projectKOs projectKO_opts_defs split: kernel_object.splits 
if_split_asm)+ @@ -1541,15 +1541,15 @@ lemma update_ep_map_tos: lemma update_tcb_map_tos: fixes P :: "tcb \ bool" assumes at: "obj_at' P p s" - shows "map_to_eps (ksPSpace s(p \ KOTCB ko)) = map_to_eps (ksPSpace s)" - and "map_to_ntfns (ksPSpace s(p \ KOTCB ko)) = map_to_ntfns (ksPSpace s)" - and "map_to_pml4es (ksPSpace s(p \ KOTCB ko)) = map_to_pml4es (ksPSpace s)" - and "map_to_pdptes (ksPSpace s(p \ KOTCB ko)) = map_to_pdptes (ksPSpace s)" - and "map_to_pdes (ksPSpace s(p \ KOTCB ko)) = map_to_pdes (ksPSpace s)" - and "map_to_ptes (ksPSpace s(p \ KOTCB ko)) = map_to_ptes (ksPSpace s)" - and "map_to_asidpools (ksPSpace s(p \ KOTCB ko)) = map_to_asidpools (ksPSpace s)" - and "map_to_user_data (ksPSpace s(p \ KOTCB ko)) = map_to_user_data (ksPSpace s)" - and "map_to_user_data_device (ksPSpace s(p \ KOTCB ko)) = map_to_user_data_device (ksPSpace s)" + shows "map_to_eps ((ksPSpace s)(p \ KOTCB ko)) = map_to_eps (ksPSpace s)" + and "map_to_ntfns ((ksPSpace s)(p \ KOTCB ko)) = map_to_ntfns (ksPSpace s)" + and "map_to_pml4es ((ksPSpace s)(p \ KOTCB ko)) = map_to_pml4es (ksPSpace s)" + and "map_to_pdptes ((ksPSpace s)(p \ KOTCB ko)) = map_to_pdptes (ksPSpace s)" + and "map_to_pdes ((ksPSpace s)(p \ KOTCB ko)) = map_to_pdes (ksPSpace s)" + and "map_to_ptes ((ksPSpace s)(p \ KOTCB ko)) = map_to_ptes (ksPSpace s)" + and "map_to_asidpools ((ksPSpace s)(p \ KOTCB ko)) = map_to_asidpools (ksPSpace s)" + and "map_to_user_data ((ksPSpace s)(p \ KOTCB ko)) = map_to_user_data (ksPSpace s)" + and "map_to_user_data_device ((ksPSpace s)(p \ KOTCB ko)) = map_to_user_data_device (ksPSpace s)" using at by (auto elim!: obj_atE' intro!: map_to_ctes_upd_other map_comp_eqI simp: projectKOs projectKO_opts_defs split: kernel_object.splits if_split_asm)+ 
@@ -1557,16 +1557,16 @@ lemma update_tcb_map_tos: lemma update_asidpool_map_tos: fixes P :: "asidpool \ bool" assumes at: "obj_at' P p s" - shows "map_to_ntfns (ksPSpace s(p \ KOArch (KOASIDPool ap))) = map_to_ntfns (ksPSpace s)" - and "map_to_tcbs (ksPSpace s(p \ KOArch (KOASIDPool ap))) = map_to_tcbs (ksPSpace s)" - and "map_to_ctes (ksPSpace s(p \ KOArch (KOASIDPool ap))) = map_to_ctes (ksPSpace s)" - and "map_to_pml4es (ksPSpace s(p \ KOArch (KOASIDPool ko))) = map_to_pml4es (ksPSpace s)" - and "map_to_pdptes (ksPSpace s(p \ KOArch (KOASIDPool ko))) = map_to_pdptes (ksPSpace s)" - and "map_to_pdes (ksPSpace s(p \ KOArch (KOASIDPool ap))) = map_to_pdes (ksPSpace s)" - and "map_to_ptes (ksPSpace s(p \ KOArch (KOASIDPool ap))) = map_to_ptes (ksPSpace s)" - and "map_to_eps (ksPSpace s(p \ KOArch (KOASIDPool ap))) = map_to_eps (ksPSpace s)" - and "map_to_user_data (ksPSpace s(p \ KOArch (KOASIDPool ap))) = map_to_user_data (ksPSpace s)" - and "map_to_user_data_device (ksPSpace s(p \ KOArch (KOASIDPool ap))) = map_to_user_data_device (ksPSpace s)" + shows "map_to_ntfns ((ksPSpace s)(p \ KOArch (KOASIDPool ap))) = map_to_ntfns (ksPSpace s)" + and "map_to_tcbs ((ksPSpace s)(p \ KOArch (KOASIDPool ap))) = map_to_tcbs (ksPSpace s)" + and "map_to_ctes ((ksPSpace s)(p \ KOArch (KOASIDPool ap))) = map_to_ctes (ksPSpace s)" + and "map_to_pml4es ((ksPSpace s)(p \ KOArch (KOASIDPool ko))) = map_to_pml4es (ksPSpace s)" + and "map_to_pdptes ((ksPSpace s)(p \ KOArch (KOASIDPool ko))) = map_to_pdptes (ksPSpace s)" + and "map_to_pdes ((ksPSpace s)(p \ KOArch (KOASIDPool ap))) = map_to_pdes (ksPSpace s)" + and "map_to_ptes ((ksPSpace s)(p \ KOArch (KOASIDPool ap))) = map_to_ptes (ksPSpace s)" + and "map_to_eps ((ksPSpace s)(p \ KOArch (KOASIDPool ap))) = map_to_eps (ksPSpace s)" + and "map_to_user_data ((ksPSpace s)(p \ KOArch (KOASIDPool ap))) = map_to_user_data (ksPSpace s)" + and "map_to_user_data_device ((ksPSpace s)(p \ KOArch (KOASIDPool ap))) = map_to_user_data_device 
(ksPSpace s)" using at by (auto elim!: obj_atE' intro!: map_to_ctes_upd_other map_comp_eqI 
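Review bot: In update_asidpool_map_tos the `map_to_pml4es` and `map_to_pdptes` conjuncts write the stored object as `KOASIDPool ko` while the other eight conjuncts use `KOASIDPool ap`, and the new parenthesised form carries that asymmetry forward. Since `ko` is not bound anywhere else in the lemma, those two facts are stated about an unrelated free variable; that is harmless for the proof but misleading to a reader checking the conjuncts against each other. Suggest `and "map_to_pml4es ((ksPSpace s)(p \<mapsto> KOArch (KOASIDPool ap))) = map_to_pml4es (ksPSpace s)"` and the same for `map_to_pdptes`; the `auto` proof presumably goes through unchanged, but that should be confirmed. The proof continues outside the hunk.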
@@ -1575,28 +1575,28 @@ lemma update_asidpool_map_tos: arch_kernel_object.split_asm) lemma update_asidpool_map_to_asidpools: - "map_to_asidpools (ksPSpace s(p \ KOArch (KOASIDPool ap))) + "map_to_asidpools ((ksPSpace s)(p \ KOArch (KOASIDPool ap))) = (map_to_asidpools (ksPSpace s))(p \ ap)" by (rule ext, clarsimp simp: projectKOs map_comp_def split: if_split) lemma update_pte_map_to_ptes: - "map_to_ptes (ksPSpace s(p \ KOArch (KOPTE pte))) + "map_to_ptes ((ksPSpace s)(p \ KOArch (KOPTE pte))) = (map_to_ptes (ksPSpace s))(p \ pte)" by (rule ext, clarsimp simp: projectKOs map_comp_def split: if_split) lemma update_pte_map_tos: fixes P :: "pte \ bool" assumes at: "obj_at' P p s" - shows "map_to_ntfns (ksPSpace s(p \ (KOArch (KOPTE pte)))) = map_to_ntfns (ksPSpace s)" - and "map_to_tcbs (ksPSpace s(p \ (KOArch (KOPTE pte)))) = map_to_tcbs (ksPSpace s)" - and "map_to_ctes (ksPSpace s(p \ (KOArch (KOPTE pte)))) = map_to_ctes (ksPSpace s)" - and "map_to_pml4es (ksPSpace s(p \ KOArch (KOPTE ko))) = map_to_pml4es (ksPSpace s)" - and "map_to_pdptes (ksPSpace s(p \ KOArch (KOPTE ko))) = map_to_pdptes (ksPSpace s)" - and "map_to_pdes (ksPSpace s(p \ (KOArch (KOPTE pte)))) = map_to_pdes (ksPSpace s)" - and "map_to_eps (ksPSpace s(p \ (KOArch (KOPTE pte)))) = map_to_eps (ksPSpace s)" - and "map_to_asidpools (ksPSpace s(p \ (KOArch (KOPTE pte)))) = map_to_asidpools (ksPSpace s)" - and "map_to_user_data (ksPSpace s(p \ (KOArch (KOPTE pte)))) = map_to_user_data (ksPSpace s)" - and "map_to_user_data_device (ksPSpace s(p \ (KOArch (KOPTE pte)))) = map_to_user_data_device (ksPSpace s)" + shows "map_to_ntfns ((ksPSpace s)(p \ (KOArch (KOPTE pte)))) = map_to_ntfns (ksPSpace s)" + and "map_to_tcbs ((ksPSpace s)(p \ (KOArch (KOPTE pte)))) = map_to_tcbs (ksPSpace s)" + and "map_to_ctes ((ksPSpace s)(p \ (KOArch (KOPTE pte)))) = map_to_ctes (ksPSpace s)" + and "map_to_pml4es ((ksPSpace s)(p \ KOArch (KOPTE ko))) = map_to_pml4es (ksPSpace s)" + and "map_to_pdptes ((ksPSpace s)(p \ KOArch 
(KOPTE ko))) = map_to_pdptes (ksPSpace s)" + and "map_to_pdes ((ksPSpace s)(p \ (KOArch (KOPTE pte)))) = map_to_pdes (ksPSpace s)" + and "map_to_eps ((ksPSpace s)(p \ (KOArch (KOPTE pte)))) = map_to_eps (ksPSpace s)" + and "map_to_asidpools ((ksPSpace s)(p \ (KOArch (KOPTE pte)))) = map_to_asidpools (ksPSpace s)" + and "map_to_user_data ((ksPSpace s)(p \ (KOArch (KOPTE pte)))) = map_to_user_data (ksPSpace s)" + and "map_to_user_data_device ((ksPSpace s)(p \ (KOArch (KOPTE pte)))) = map_to_user_data_device (ksPSpace s)" using at by (auto elim!: obj_atE' intro!: map_comp_eqI map_to_ctes_upd_other split: if_split_asm if_split 
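Review bot: update_pte_map_tos has the same naming inconsistency as update_asidpool_map_tos above it: the `map_to_pml4es` and `map_to_pdptes` conjuncts use `KOPTE ko` where every other conjunct uses `KOPTE pte`, and `ko` is otherwise unbound in the lemma. The parenthesisation preserves it, so a reader now sees two conjuncts about a different free variable for no reason. Suggest `and "map_to_pml4es ((ksPSpace s)(p \<mapsto> KOArch (KOPTE pte))) = map_to_pml4es (ksPSpace s)"` and the matching `map_to_pdptes` line; the `auto` proof should not depend on the variable name, but confirm. The proof continues outside the hunk.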
@@ -1604,23 +1604,23 @@ lemma update_pte_map_tos: auto simp: projectKO_opts_defs) lemma update_pde_map_to_pdes: - "map_to_pdes (ksPSpace s(p \ KOArch (KOPDE pde))) + "map_to_pdes ((ksPSpace s)(p \ KOArch (KOPDE pde))) = (map_to_pdes (ksPSpace s))(p \ pde)" by (rule ext, clarsimp simp: projectKOs map_comp_def split: if_split) lemma update_pde_map_tos: fixes P :: "pde \ bool" assumes at: "obj_at' P p s" - shows "map_to_ntfns (ksPSpace s(p \ (KOArch (KOPDE pde)))) = map_to_ntfns (ksPSpace s)" - and "map_to_tcbs (ksPSpace s(p \ (KOArch (KOPDE pde)))) = map_to_tcbs (ksPSpace s)" - and "map_to_ctes (ksPSpace s(p \ (KOArch (KOPDE pde)))) = map_to_ctes (ksPSpace s)" - and "map_to_pml4es (ksPSpace s(p \ KOArch (KOPDE ko))) = map_to_pml4es (ksPSpace s)" - and "map_to_pdptes (ksPSpace s(p \ KOArch (KOPDE ko))) = map_to_pdptes (ksPSpace s)" - and "map_to_ptes (ksPSpace s(p \ (KOArch (KOPDE pde)))) = map_to_ptes (ksPSpace s)" - and "map_to_eps (ksPSpace s(p \ (KOArch (KOPDE pde)))) = map_to_eps (ksPSpace s)" - and "map_to_asidpools (ksPSpace s(p \ (KOArch (KOPDE pde)))) = map_to_asidpools (ksPSpace s)" - and "map_to_user_data (ksPSpace s(p \ (KOArch (KOPDE pde)))) = map_to_user_data (ksPSpace s)" - and "map_to_user_data_device (ksPSpace s(p \ (KOArch (KOPDE pde)))) = map_to_user_data_device (ksPSpace s)" + shows "map_to_ntfns ((ksPSpace s)(p \ (KOArch (KOPDE pde)))) = map_to_ntfns (ksPSpace s)" + and "map_to_tcbs ((ksPSpace s)(p \ (KOArch (KOPDE pde)))) = map_to_tcbs (ksPSpace s)" + and "map_to_ctes ((ksPSpace s)(p \ (KOArch (KOPDE pde)))) = map_to_ctes (ksPSpace s)" + and "map_to_pml4es ((ksPSpace s)(p \ KOArch (KOPDE ko))) = map_to_pml4es (ksPSpace s)" + and "map_to_pdptes ((ksPSpace s)(p \ KOArch (KOPDE ko))) = map_to_pdptes (ksPSpace s)" + and "map_to_ptes ((ksPSpace s)(p \ (KOArch (KOPDE pde)))) = map_to_ptes (ksPSpace s)" + and "map_to_eps ((ksPSpace s)(p \ (KOArch (KOPDE pde)))) = map_to_eps (ksPSpace s)" + and "map_to_asidpools ((ksPSpace s)(p \ (KOArch (KOPDE pde)))) = 
map_to_asidpools (ksPSpace s)" + and "map_to_user_data ((ksPSpace s)(p \ (KOArch (KOPDE pde)))) = map_to_user_data (ksPSpace s)" + and "map_to_user_data_device ((ksPSpace s)(p \ (KOArch (KOPDE pde)))) = map_to_user_data_device (ksPSpace s)" using at by (auto elim!: obj_atE' intro!: map_comp_eqI map_to_ctes_upd_other split: if_split_asm if_split 
@@ -1628,23 +1628,23 @@ lemma update_pde_map_tos: auto simp: projectKO_opts_defs) lemma update_pdpte_map_to_pdptes: - "map_to_pdptes (ksPSpace s(p \ KOArch (KOPDPTE pdpte))) + "map_to_pdptes ((ksPSpace s)(p \ KOArch (KOPDPTE pdpte))) = (map_to_pdptes (ksPSpace s))(p \ pdpte)" by (rule ext, clarsimp simp: projectKOs map_comp_def split: if_split) lemma update_pdpte_map_tos: fixes P :: "pdpte \ bool" assumes at: "obj_at' P p s" - shows "map_to_ntfns (ksPSpace s(p \ (KOArch (KOPDPTE pdpte)))) = map_to_ntfns (ksPSpace s)" - and "map_to_tcbs (ksPSpace s(p \ (KOArch (KOPDPTE pdpte)))) = map_to_tcbs (ksPSpace s)" - and "map_to_ctes (ksPSpace s(p \ (KOArch (KOPDPTE pdpte)))) = map_to_ctes (ksPSpace s)" - and "map_to_pml4es (ksPSpace s(p \ KOArch (KOPDPTE ko))) = map_to_pml4es (ksPSpace s)" - and "map_to_pdes (ksPSpace s(p \ KOArch (KOPDPTE ko))) = map_to_pdes (ksPSpace s)" - and "map_to_ptes (ksPSpace s(p \ (KOArch (KOPDPTE pdpte)))) = map_to_ptes (ksPSpace s)" - and "map_to_eps (ksPSpace s(p \ (KOArch (KOPDPTE pdpte)))) = map_to_eps (ksPSpace s)" - and "map_to_asidpools (ksPSpace s(p \ (KOArch (KOPDPTE pdpte)))) = map_to_asidpools (ksPSpace s)" - and "map_to_user_data (ksPSpace s(p \ (KOArch (KOPDPTE pdpte)))) = map_to_user_data (ksPSpace s)" - and "map_to_user_data_device (ksPSpace s(p \ (KOArch (KOPDPTE pdpte)))) = map_to_user_data_device (ksPSpace s)" + shows "map_to_ntfns ((ksPSpace s)(p \ (KOArch (KOPDPTE pdpte)))) = map_to_ntfns (ksPSpace s)" + and "map_to_tcbs ((ksPSpace s)(p \ (KOArch (KOPDPTE pdpte)))) = map_to_tcbs (ksPSpace s)" + and "map_to_ctes ((ksPSpace s)(p \ (KOArch (KOPDPTE pdpte)))) = map_to_ctes (ksPSpace s)" + and "map_to_pml4es ((ksPSpace s)(p \ KOArch (KOPDPTE ko))) = map_to_pml4es (ksPSpace s)" + and "map_to_pdes ((ksPSpace s)(p \ KOArch (KOPDPTE ko))) = map_to_pdes (ksPSpace s)" + and "map_to_ptes ((ksPSpace s)(p \ (KOArch (KOPDPTE pdpte)))) = map_to_ptes (ksPSpace s)" + and "map_to_eps ((ksPSpace s)(p \ (KOArch (KOPDPTE pdpte)))) = map_to_eps 
(ksPSpace s)" + and "map_to_asidpools ((ksPSpace s)(p \ (KOArch (KOPDPTE pdpte)))) = map_to_asidpools (ksPSpace s)" + and "map_to_user_data ((ksPSpace s)(p \ (KOArch (KOPDPTE pdpte)))) = map_to_user_data (ksPSpace s)" + and "map_to_user_data_device ((ksPSpace s)(p \ (KOArch (KOPDPTE pdpte)))) = map_to_user_data_device (ksPSpace s)" using at by (auto elim!: obj_atE' intro!: map_comp_eqI map_to_ctes_upd_other split: if_split_asm if_split 
@@ -1652,23 +1652,23 @@ lemma update_pdpte_map_tos: auto simp: projectKO_opts_defs) lemma update_pml4e_map_to_pml4es: - "map_to_pml4es (ksPSpace s(p \ KOArch (KOPML4E pml4e))) + "map_to_pml4es ((ksPSpace s)(p \ KOArch (KOPML4E pml4e))) = (map_to_pml4es (ksPSpace s))(p \ pml4e)" by (rule ext, clarsimp simp: projectKOs map_comp_def split: if_split) lemma update_pml4e_map_tos: fixes P :: "pml4e \ bool" assumes at: "obj_at' P p s" - shows "map_to_ntfns (ksPSpace s(p \ (KOArch (KOPML4E pml4e)))) = map_to_ntfns (ksPSpace s)" - and "map_to_tcbs (ksPSpace s(p \ (KOArch (KOPML4E pml4e)))) = map_to_tcbs (ksPSpace s)" - and "map_to_ctes (ksPSpace s(p \ (KOArch (KOPML4E pml4e)))) = map_to_ctes (ksPSpace s)" - and "map_to_pdptes (ksPSpace s(p \ KOArch (KOPML4E ko))) = map_to_pdptes (ksPSpace s)" - and "map_to_pdes (ksPSpace s(p \ KOArch (KOPML4E ko))) = map_to_pdes (ksPSpace s)" - and "map_to_ptes (ksPSpace s(p \ (KOArch (KOPML4E pml4e)))) = map_to_ptes (ksPSpace s)" - and "map_to_eps (ksPSpace s(p \ (KOArch (KOPML4E pml4e)))) = map_to_eps (ksPSpace s)" - and "map_to_asidpools (ksPSpace s(p \ (KOArch (KOPML4E pml4e)))) = map_to_asidpools (ksPSpace s)" - and "map_to_user_data (ksPSpace s(p \ (KOArch (KOPML4E pml4e)))) = map_to_user_data (ksPSpace s)" - and "map_to_user_data_device (ksPSpace s(p \ (KOArch (KOPML4E pml4e)))) = map_to_user_data_device (ksPSpace s)" + shows "map_to_ntfns ((ksPSpace s)(p \ (KOArch (KOPML4E pml4e)))) = map_to_ntfns (ksPSpace s)" + and "map_to_tcbs ((ksPSpace s)(p \ (KOArch (KOPML4E pml4e)))) = map_to_tcbs (ksPSpace s)" + and "map_to_ctes ((ksPSpace s)(p \ (KOArch (KOPML4E pml4e)))) = map_to_ctes (ksPSpace s)" + and "map_to_pdptes ((ksPSpace s)(p \ KOArch (KOPML4E ko))) = map_to_pdptes (ksPSpace s)" + and "map_to_pdes ((ksPSpace s)(p \ KOArch (KOPML4E ko))) = map_to_pdes (ksPSpace s)" + and "map_to_ptes ((ksPSpace s)(p \ (KOArch (KOPML4E pml4e)))) = map_to_ptes (ksPSpace s)" + and "map_to_eps ((ksPSpace s)(p \ (KOArch (KOPML4E pml4e)))) = map_to_eps 
(ksPSpace s)" + and "map_to_asidpools ((ksPSpace s)(p \ (KOArch (KOPML4E pml4e)))) = map_to_asidpools (ksPSpace s)" + and "map_to_user_data ((ksPSpace s)(p \ (KOArch (KOPML4E pml4e)))) = map_to_user_data (ksPSpace s)" + and "map_to_user_data_device ((ksPSpace s)(p \ (KOArch (KOPML4E pml4e)))) = map_to_user_data_device (ksPSpace s)" using at by (auto elim!: obj_atE' intro!: map_comp_eqI map_to_ctes_upd_other split: if_split_asm if_split @@ -2167,7 +2167,7 @@ lemma gs_set_assn_Delete_cstate_relation: lemma update_typ_at: assumes at: "obj_at' P p s" and tp: "\obj. P obj \ koTypeOf (injectKOS obj) = koTypeOf ko" - shows "typ_at' T p' (s \ksPSpace := ksPSpace s(p \ ko)\) = typ_at' T p' s" + shows "typ_at' T p' (s \ksPSpace := (ksPSpace s)(p \ ko)\) = typ_at' T p' s" using at by (auto elim!: obj_atE' simp: typ_at'_def ko_wp_at'_def dest!: tp[rule_format] diff --git a/proof/crefine/X64/Schedule_C.thy b/proof/crefine/X64/Schedule_C.thy index 6b3e08eb3a..ec4adcf619 100644 --- a/proof/crefine/X64/Schedule_C.thy +++ b/proof/crefine/X64/Schedule_C.thy @@ -652,7 +652,7 @@ lemma schedule_ccorres: (* FIXME: move *) lemma map_to_tcbs_upd: - "map_to_tcbs (ksPSpace s(t \ KOTCB tcb')) = map_to_tcbs (ksPSpace s)(t \ tcb')" + "map_to_tcbs ((ksPSpace s)(t \ KOTCB tcb')) = (map_to_tcbs (ksPSpace s))(t \ tcb')" apply (rule ext) apply (clarsimp simp: map_comp_def projectKOs split: option.splits if_splits) done diff --git a/proof/crefine/X64/TcbAcc_C.thy b/proof/crefine/X64/TcbAcc_C.thy index 8dd61964ef..31ce2674f0 100644 --- a/proof/crefine/X64/TcbAcc_C.thy +++ b/proof/crefine/X64/TcbAcc_C.thy 
@@ -177,7 +177,7 @@ lemma threadSet_corres_lemma: assumes spec: "\s. \\ \s. P s\ Call f {t. Q s t}" and mod: "modifies_heap_spec f" and rl: "\\ x t ko. \(\, x) \ rf_sr; Q x t; x \ P'; ko_at' ko thread \\ - \ (\\ksPSpace := ksPSpace \(thread \ KOTCB (g ko))\, + \ (\\ksPSpace := (ksPSpace \)(thread \ KOTCB (g ko))\, t\globals := globals x\t_hrs_' := t_hrs_' (globals t)\\) \ rf_sr" and g: "\s x. \tcb_at' thread s; x \ P'; (s, x) \ rf_sr\ \ P x" shows "ccorres dc xfdc (tcb_at' thread) P' [] (threadSet g thread) (Call f)" @@ -206,7 +206,7 @@ lemma threadSet_corres_lemma: lemma threadSet_ccorres_lemma4: - "\ \s tcb. \ \ (Q s tcb) c {s'. (s \ksPSpace := ksPSpace s(thread \ injectKOS (F tcb))\, s') \ rf_sr}; + "\ \s tcb. \ \ (Q s tcb) c {s'. (s \ksPSpace := (ksPSpace s)(thread \ injectKOS (F tcb))\, s') \ rf_sr}; \s s' tcb tcb'. \ (s, s') \ rf_sr; P tcb; ko_at' tcb thread s; cslift s' (tcb_ptr_to_ctcb_ptr thread) = Some tcb'; ctcb_relation tcb tcb'; P' s ; s' \ R\ \ s' \ Q s tcb \ diff --git a/proof/crefine/X64/TcbQueue_C.thy b/proof/crefine/X64/TcbQueue_C.thy index e91e912be0..0e1843dd58 100644 --- a/proof/crefine/X64/TcbQueue_C.thy +++ b/proof/crefine/X64/TcbQueue_C.thy @@ -1090,8 +1090,8 @@ lemma cpspace_relation_ntfn_update_ntfn: and cp: "cpspace_ntfn_relation (ksPSpace s) (t_hrs_' (globals t))" and rel: "cnotification_relation (cslift t') ntfn' notification" and mpeq: "(cslift t' |` (- (tcb_ptr_to_ctcb_ptr ` qs))) = (cslift t |` (- (tcb_ptr_to_ctcb_ptr ` qs)))" - shows "cmap_relation (map_to_ntfns (ksPSpace s(ntfnptr \ KONotification ntfn'))) - (cslift t(Ptr ntfnptr \ notification)) Ptr (cnotification_relation (cslift t'))" + shows "cmap_relation (map_to_ntfns ((ksPSpace s)(ntfnptr \ KONotification ntfn'))) + ((cslift t)(Ptr ntfnptr \ notification)) Ptr (cnotification_relation (cslift t'))" using koat invs cp rel apply - apply (subst map_comp_update) 
@@ -1462,7 +1462,7 @@ lemma rf_sr_tcb_update_no_queue: (\x\ran tcb_cte_cases. (\(getF, setF). getF tcb' = getF tcb) x); ctcb_relation tcb' ctcb \ - \ (s\ksPSpace := ksPSpace s(thread \ KOTCB tcb')\, + \ (s\ksPSpace := (ksPSpace s)(thread \ KOTCB tcb')\, x\globals := globals s'\t_hrs_' := t_hrs_' (globals t)\\) \ rf_sr" unfolding rf_sr_def state_relation_def cstate_relation_def cpspace_relation_def apply (clarsimp simp: Let_def update_tcb_map_tos map_to_ctes_upd_tcb_no_ctes @@ -1512,7 +1512,7 @@ lemma rf_sr_tcb_update_not_in_queue: \ live' (KOTCB tcb); invs' s; (\x\ran tcb_cte_cases. (\(getF, setF). getF tcb' = getF tcb) x); ctcb_relation tcb' ctcb \ - \ (s\ksPSpace := ksPSpace s(thread \ KOTCB tcb')\, + \ (s\ksPSpace := (ksPSpace s)(thread \ KOTCB tcb')\, x\globals := globals s'\t_hrs_' := t_hrs_' (globals t)\\) \ rf_sr" unfolding rf_sr_def state_relation_def cstate_relation_def cpspace_relation_def apply (clarsimp simp: Let_def update_tcb_map_tos map_to_ctes_upd_tcb_no_ctes diff --git a/proof/crefine/X64/Tcb_C.thy b/proof/crefine/X64/Tcb_C.thy index 541b7494c2..2625d70415 100644 --- a/proof/crefine/X64/Tcb_C.thy +++ b/proof/crefine/X64/Tcb_C.thy @@ -97,8 +97,8 @@ lemma getMRs_rel_sched: lemma getObject_state: " \(x, s') \ fst (getObject t' s); ko_at' ko t s\ \ (if t = t' then tcbState_update (\_. st) x else x, - s'\ksPSpace := ksPSpace s(t \ KOTCB (tcbState_update (\_. st) ko))\) - \ fst (getObject t' (s\ksPSpace := ksPSpace s(t \ KOTCB (tcbState_update (\_. st) ko))\))" + s'\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbState_update (\_. st) ko))\) + \ fst (getObject t' (s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbState_update (\_. st) ko))\))" apply (simp split: if_split) apply (rule conjI) apply clarsimp 
@@ -156,8 +156,8 @@ lemma getObject_state: lemma threadGet_state: "\ (uc, s') \ fst (threadGet (atcbContextGet o tcbArch) t' s); ko_at' ko t s \ \ - (uc, s'\ksPSpace := ksPSpace s(t \ KOTCB (tcbState_update (\_. st) ko))\) \ - fst (threadGet (atcbContextGet o tcbArch) t' (s\ksPSpace := ksPSpace s(t \ KOTCB (tcbState_update (\_. st) ko))\))" + (uc, s'\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbState_update (\_. st) ko))\) \ + fst (threadGet (atcbContextGet o tcbArch) t' (s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbState_update (\_. st) ko))\))" apply (clarsimp simp: threadGet_def liftM_def in_monad) apply (drule (1) getObject_state [where st=st]) apply (rule exI) @@ -167,8 +167,8 @@ lemma threadGet_state: lemma asUser_state: "\(x,s) \ fst (asUser t' f s); ko_at' ko t s; \s. \(=) s\ f \\_. (=) s\ \ \ - (x,s\ksPSpace := ksPSpace s(t \ KOTCB (tcbState_update (\_. st) ko))\) \ - fst (asUser t' f (s\ksPSpace := ksPSpace s(t \ KOTCB (tcbState_update (\_. st) ko))\))" + (x,s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbState_update (\_. st) ko))\) \ + fst (asUser t' f (s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbState_update (\_. st) ko))\))" apply (clarsimp simp: asUser_def in_monad select_f_def) apply (frule use_valid, rule threadGet_inv [where P="(=) s"], rule refl) apply (frule use_valid, assumption, rule refl) @@ -265,8 +265,8 @@ lemma asUser_state: lemma doMachineOp_state: "(rv,s') \ fst (doMachineOp f s) \ - (rv,s'\ksPSpace := ksPSpace s(t \ KOTCB (tcbState_update (\_. st) ko))\) - \ fst (doMachineOp f (s\ksPSpace := ksPSpace s(t \ KOTCB (tcbState_update (\_. st) ko))\))" + (rv,s'\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbState_update (\_. st) ko))\) + \ fst (doMachineOp f (s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbState_update (\_. st) ko))\))" apply (clarsimp simp: doMachineOp_def split_def in_monad select_f_def) apply fastforce done 
@@ -299,7 +299,7 @@ lemma getMRs_rel_state: "\getMRs_rel args buffer s; (cur_tcb' and case_option \ valid_ipc_buffer_ptr' buffer) s; ko_at' ko t s \ \ - getMRs_rel args buffer (s\ksPSpace := ksPSpace s(t \ KOTCB (tcbState_update (\_. st) ko))\)" + getMRs_rel args buffer (s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbState_update (\_. st) ko))\)" apply (clarsimp simp: getMRs_rel_def) apply (rule exI, erule conjI) apply (subst (asm) det_wp_use, rule det_wp_getMRs) @@ -1289,8 +1289,8 @@ lemma invokeTCB_WriteRegisters_ccorres_helper: lemma doMachineOp_context: "(rv,s') \ fst (doMachineOp f s) \ - (rv,s'\ksPSpace := ksPSpace s(t \ KOTCB (tcbContext_update (\_. st) ko))\) - \ fst (doMachineOp f (s\ksPSpace := ksPSpace s(t \ KOTCB (tcbContext_update (\_. st) ko))\))" + (rv,s'\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbContext_update (\_. st) ko))\) + \ fst (doMachineOp f (s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbContext_update (\_. st) ko))\))" apply (clarsimp simp: doMachineOp_def split_def in_monad select_f_def) apply fastforce done @@ -1299,8 +1299,8 @@ lemma doMachineOp_context: lemma getObject_context: " \(x, s') \ fst (getObject t' s); ko_at' ko t s\ \ (if t = t' then tcbContext_update (\_. st) x else x, - s'\ksPSpace := ksPSpace s(t \ KOTCB (tcbContext_update (\_. st) ko))\) - \ fst (getObject t' (s\ksPSpace := ksPSpace s(t \ KOTCB (tcbContext_update (\_. st) ko))\))" + s'\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbContext_update (\_. st) ko))\) + \ fst (getObject t' (s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbContext_update (\_. st) ko))\))" apply (simp split: if_split) apply (rule conjI) apply clarsimp 
@@ -1359,8 +1359,8 @@ lemma getObject_context: lemma threadGet_context: "\ (uc, s') \ fst (threadGet (atcbContextGet o tcbArch) (ksCurThread s) s); ko_at' ko t s; t \ ksCurThread s \ \ - (uc, s'\ksPSpace := ksPSpace s(t \ KOTCB (tcbArch_update (\_. atcbContextSet st (tcbArch ko)) ko))\) \ - fst (threadGet (atcbContextGet o tcbArch) (ksCurThread s) (s\ksPSpace := ksPSpace s(t \ KOTCB (tcbArch_update (\_. atcbContextSet st (tcbArch ko)) ko))\))" + (uc, s'\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbArch_update (\_. atcbContextSet st (tcbArch ko)) ko))\) \ + fst (threadGet (atcbContextGet o tcbArch) (ksCurThread s) (s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbArch_update (\_. atcbContextSet st (tcbArch ko)) ko))\))" apply (clarsimp simp: threadGet_def liftM_def in_monad) apply (drule (1) getObject_context [where st=st]) apply (rule exI) @@ -1372,8 +1372,8 @@ done lemma asUser_context: "\(x,s) \ fst (asUser (ksCurThread s) f s); ko_at' ko t s; \s. \(=) s\ f \\_. (=) s\ ; t \ ksCurThread s\ \ - (x,s\ksPSpace := ksPSpace s(t \ KOTCB (tcbArch_update (\_. atcbContextSet st (tcbArch ko)) ko))\) \ - fst (asUser (ksCurThread s) f (s\ksPSpace := ksPSpace s(t \ KOTCB (tcbArch_update (\_. atcbContextSet st (tcbArch ko)) ko))\))" + (x,s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbArch_update (\_. atcbContextSet st (tcbArch ko)) ko))\) \ + fst (asUser (ksCurThread s) f (s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbArch_update (\_. atcbContextSet st (tcbArch ko)) ko))\))" apply (clarsimp simp: asUser_def in_monad select_f_def) apply (frule use_valid, rule threadGet_inv [where P="(=) s"], rule refl) apply (frule use_valid, assumption, rule refl) 
@@ -1444,7 +1444,7 @@ lemma getMRs_rel_context: "\getMRs_rel args buffer s; (cur_tcb' and case_option \ valid_ipc_buffer_ptr' buffer) s; ko_at' ko t s ; t \ ksCurThread s\ \ - getMRs_rel args buffer (s\ksPSpace := ksPSpace s(t \ KOTCB (tcbArch_update (\_. atcbContextSet st (tcbArch ko)) ko))\)" + getMRs_rel args buffer (s\ksPSpace := (ksPSpace s)(t \ KOTCB (tcbArch_update (\_. atcbContextSet st (tcbArch ko)) ko))\)" apply (clarsimp simp: getMRs_rel_def) apply (rule exI, erule conjI) apply (subst (asm) det_wp_use, rule det_wp_getMRs) diff --git a/proof/crefine/lib/AutoCorresModifiesProofs.thy b/proof/crefine/lib/AutoCorresModifiesProofs.thy index 1e10f1c320..bbd0fb16f4 100644 --- a/proof/crefine/lib/AutoCorresModifiesProofs.thy +++ b/proof/crefine/lib/AutoCorresModifiesProofs.thy @@ -413,7 +413,7 @@ fun modifies_call_tac (callee_modifies: incr_net) ctxt n = DETERM ( (* VCG for trivial state invariants, such as globals modifies specs. * Takes vcg rules from "valid_inv". *) -val valid_invN = Context.theory_name @{theory} ^ ".valid_inv" +val valid_invN = Context.theory_name { long=true } @{theory} ^ ".valid_inv" fun modifies_vcg_tac leaf_tac ctxt n = let val vcg_rules = Named_Theorems.get ctxt valid_invN |> Tactic.build_net; fun vcg n st = Seq.make (fn () => let diff --git a/proof/crefine/lib/Corres_C.thy b/proof/crefine/lib/Corres_C.thy index aaf74e4a17..b3dc183795 100644 --- a/proof/crefine/lib/Corres_C.thy +++ b/proof/crefine/lib/Corres_C.thy @@ -666,7 +666,7 @@ lemma cte_C_cap_C_update: fixes val :: "cap_C" and ptr :: "cte_C ptr" assumes cl: "clift hp ptr = Some z" shows "(clift (hrs_mem_update (heap_update (Ptr &(ptr\[''cap_C''])) val) hp)) = - clift hp(ptr \ cte_C.cap_C_update (\_. val) z)" + (clift hp)(ptr \ cte_C.cap_C_update (\_. val) z)" using cl by (simp add: clift_field_update) diff --git a/proof/drefine/Arch_DR.thy b/proof/drefine/Arch_DR.thy index 49d55c95a9..7ac7351dd6 100644 --- a/proof/drefine/Arch_DR.thy +++ b/proof/drefine/Arch_DR.thy 
@@ -1587,23 +1587,20 @@ lemma valid_etcbs_clear_um_detype: by (clarsimp simp: valid_etcbs_def st_tcb_at_def is_etcb_at_def st_tcb_at_kh_def obj_at_kh_def obj_at_def detype_def detype_ext_def clear_um_def) - lemma unat_map_upd: - "unat_map (Some \ transform_asid_table_entry \ arm_asid_table - as (asid_high_bits_of base \ frame)) = - unat_map (Some \ transform_asid_table_entry \ arm_asid_table as) - (unat (asid_high_bits_of base) \ AsidPoolCap frame 0)" + "unat_map (Some \ transform_asid_table_entry \ (asid_table as)(asid_high_bits_of base \ frame)) = + (unat_map (Some \ transform_asid_table_entry \ asid_table as)) + (unat (asid_high_bits_of base) \ AsidPoolCap frame 0)" apply (rule ext) - apply (clarsimp simp:unat_map_def asid_high_bits_of_def - transform_asid_table_entry_def) + apply (clarsimp simp:unat_map_def asid_high_bits_of_def transform_asid_table_entry_def) apply (intro impI conjI) apply (subgoal_tac "x<256") - apply (clarsimp simp:unat_map_def asid_high_bits_of_def asid_low_bits_def - transform_asid_table_entry_def transform_asid_def) + apply (clarsimp simp: unat_map_def asid_high_bits_of_def asid_low_bits_def + transform_asid_table_entry_def transform_asid_def) apply (drule_tac x="of_nat x" in unat_cong) apply (subst (asm) word_unat.Abs_inverse) apply (clarsimp simp:unats_def unat_ucast)+ -done + done declare descendants_of_empty[simp] diff --git a/proof/drefine/CNode_DR.thy b/proof/drefine/CNode_DR.thy index 5361f6ba10..f8bf527b4f 100644 --- a/proof/drefine/CNode_DR.thy +++ b/proof/drefine/CNode_DR.thy @@ -121,7 +121,7 @@ lemma dcorres_opt_parent_set_parent_helper: "dcorres dc \ P (gets (opt_parent (transform_cslot_ptr src)) >>= case_option (return ()) - (\parent. modify (\s. s\cdl_cdt := cdl_cdt s(transform_cslot_ptr child \ parent)\))) + (\parent. modify (\s. s\cdl_cdt := (cdl_cdt s)(transform_cslot_ptr child \ parent)\))) g \ dcorres dc \ (\s. cdt s child = None \ cte_at child s \ mdb_cte_at (swp (cte_wp_at ((\) cap.NullCap)) s) (cdt s) \ P s) 
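Review bot: The statement of `unat_map_upd` now reads `(asid_table as)(asid_high_bits_of base ↦ frame)` where it previously read `arm_asid_table as (...)`, which changes what the lemma says rather than only how the update is parenthesised; the proof script itself changes only in whitespace and the `done` indent. If `asid_table` is the abbreviation for the arch-state projection this is presumably equivalent, but a one-line remark in the commit description that the asid-table lemmas were also switched from `arm_asid_table` to `asid_table` would help anyone bisecting a later failure. The same switch appears in the `equiv_asids_arm_asid_table_update` hunk in `proof/infoflow/ARM/ArchArch_IF.thy` and the `equiv_asids_riscv_asid_table_update` hunk in `proof/infoflow/RISCV64/ArchArch_IF.thy`, where the record field being assigned is still `arm_asid_table`/`riscv_asid_table` while the value now comes from `asid_table s`.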
@@ -143,7 +143,7 @@ lemma dcorres_opt_parent_set_parent_helper: lemma dcorres_set_parent_helper: "dcorres dc \ P - (modify (\s. s\cdl_cdt := cdl_cdt s(transform_cslot_ptr child \ parent)\)) + (modify (\s. s\cdl_cdt := (cdl_cdt s)(transform_cslot_ptr child \ parent)\)) g \ dcorres dc \ (\s. cdt s child = None \ cte_at child s \ mdb_cte_at (swp (cte_wp_at ((\) cap.NullCap)) s) (cdt s) \ P s) @@ -878,21 +878,21 @@ lemma corres_mapM_to_mapM_x: by (simp add: mapM_x_mapM liftM_def[symmetric]) lemma ep_waiting_set_recv_upd_kh: - "ep_at epptr s \ (ep_waiting_set_recv epptr (update_kheap (kheap s(epptr \ kernel_object.Endpoint X)) s)) + "ep_at epptr s \ (ep_waiting_set_recv epptr (update_kheap ((kheap s)(epptr \ kernel_object.Endpoint X)) s)) = (ep_waiting_set_recv epptr s)" apply (rule set_eqI) apply (clarsimp simp:ep_waiting_set_recv_def obj_at_def is_ep_def) done lemma ep_waiting_set_send_upd_kh: - "ep_at epptr s \ (ep_waiting_set_send epptr (update_kheap (kheap s(epptr \ kernel_object.Endpoint X)) s)) + "ep_at epptr s \ (ep_waiting_set_send epptr (update_kheap ((kheap s)(epptr \ kernel_object.Endpoint X)) s)) = (ep_waiting_set_send epptr s)" apply (rule set_eqI) apply (clarsimp simp:ep_waiting_set_send_def obj_at_def is_ep_def) done lemma ntfn_waiting_set_upd_kh: - "ep_at epptr s \ (ntfn_waiting_set epptr (update_kheap (kheap s(epptr \ kernel_object.Endpoint X)) s)) + "ep_at epptr s \ (ntfn_waiting_set epptr (update_kheap ((kheap s)(epptr \ kernel_object.Endpoint X)) s)) = (ntfn_waiting_set epptr s)" apply (rule set_eqI) apply (clarsimp simp:ntfn_waiting_set_def obj_at_def is_ep_def) diff --git a/proof/drefine/Corres_D.thy b/proof/drefine/Corres_D.thy index ecc31e2647..db947dae27 100644 --- a/proof/drefine/Corres_D.thy +++ b/proof/drefine/Corres_D.thy 
@@ -84,7 +84,7 @@ lemma corres_free_return: lemma corres_free_set_object: "\ \ s s'. s = transform s' \ P s \ P' s' \ - s = transform ((\s. s \kheap := kheap s (ptr \ obj)\) s')\ \ + s = transform ((\s. s \kheap := (kheap s)(ptr \ obj)\) s')\ \ dcorres dc P P' (return a) (set_object ptr obj )" by (clarsimp simp: corres_underlying_def put_def return_def modify_def bind_def get_def set_object_def get_object_def in_monad) diff --git a/proof/drefine/Finalise_DR.thy b/proof/drefine/Finalise_DR.thy index fd7fdb63fd..4ce1997a8b 100644 --- a/proof/drefine/Finalise_DR.thy +++ b/proof/drefine/Finalise_DR.thy @@ -650,7 +650,7 @@ lemma opt_object_asid_pool: lemma transform_asid_pool_contents_upd: "transform_asid_pool_contents (pool(ucast asid := pd)) = - transform_asid_pool_contents pool(snd (transform_asid asid) \ transform_asid_pool_entry pd)" + (transform_asid_pool_contents pool)(snd (transform_asid asid) \ transform_asid_pool_entry pd)" apply (clarsimp simp:transform_asid_pool_contents_def transform_asid_def) apply (rule ext) apply (case_tac x) @@ -1148,7 +1148,7 @@ lemma dcorres_delete_cap_simple_set_pt: lemma transform_page_table_contents_upd: - "transform_page_table_contents fun(unat (y && mask pt_bits >> 2) \ transform_pte pte) = + "(transform_page_table_contents fun)(unat (y && mask pt_bits >> 2) \ transform_pte pte) = transform_page_table_contents (fun(ucast ((y::word32) && mask pt_bits >> 2) := pte))" apply (rule ext) apply (clarsimp simp: transform_page_table_contents_def unat_map_def) 
@@ -1167,7 +1167,7 @@ lemma transform_page_table_contents_upd: lemma transform_page_directory_contents_upd: "ucast ((ptr::word32) && mask pd_bits >> 2) \ kernel_mapping_slots - \ transform_page_directory_contents f(unat (ptr && mask pd_bits >> 2) \ transform_pde a_pde) + \ (transform_page_directory_contents f)(unat (ptr && mask pd_bits >> 2) \ transform_pde a_pde) = transform_page_directory_contents (f(ucast (ptr && mask pd_bits >> 2) := a_pde))" apply (rule ext) apply (simp (no_asm) add: transform_page_directory_contents_def unat_map_def) diff --git a/proof/drefine/KHeap_DR.thy b/proof/drefine/KHeap_DR.thy index e90af545b5..dbf6089e4c 100644 --- a/proof/drefine/KHeap_DR.thy +++ b/proof/drefine/KHeap_DR.thy @@ -601,7 +601,7 @@ lemma xf_cnode_contents: lemma transform_cnode_contents_upd: "\well_formed_cnode_n sz cn; cn sl' = Some ocap'\ \ - transform_cnode_contents sz cn(nat (bl_to_bin sl') \ transform_cap cap') = + (transform_cnode_contents sz cn)(nat (bl_to_bin sl') \ transform_cap cap') = transform_cnode_contents sz (cn(sl' \ cap'))" apply (rule ext) apply clarsimp @@ -620,7 +620,7 @@ lemma transform_cnode_contents_upd: lemma caps_of_state_cnode_upd: "\ kheap s p' = Some (CNode sz cn); well_formed_cnode_n sz cn; cn sl' = Some ocap' \ \ - caps_of_state (update_kheap (kheap s(p' \ CNode sz (cn(sl' \ cap')))) s) = + caps_of_state (update_kheap ((kheap s)(p' \ CNode sz (cn(sl' \ cap')))) s) = (caps_of_state s) ((p',sl') \ cap')" apply (rule ext) apply (auto simp: caps_of_state_cte_wp_at cte_wp_at_cases wf_cs_upd) 
@@ -2714,7 +2714,7 @@ lemma set_parent_corres: get_def set_cdt_def return_def bind_def) apply (simp add:transform_current_thread_def weak_valid_mdb_def) apply (rename_tac s') - apply (subgoal_tac "transform s'\cdl_cdt:=cdl_cdt(transform s') + apply (subgoal_tac "transform s'\cdl_cdt:=(cdl_cdt(transform s')) (transform_cslot_ptr slot' \ transform_cslot_ptr pslot')\ = cdl_cdt_single_update (transform s') (transform_cslot_ptr slot') (transform_cslot_ptr pslot')") apply (clarsimp simp:cdl_cdt_transform) @@ -2819,7 +2819,7 @@ done lemma transform_objects_update_kheap_simp: "\kheap s ptr = Some ko; ekheap s ptr = opt_etcb\ - \ transform_objects (update_kheap (kheap s(ptr \ obj)) s) = + \ transform_objects (update_kheap ((kheap s)(ptr \ obj)) s) = (\x. if x \ ptr then transform_objects s x else (if ptr = idle_thread s then None else Some (transform_object (machine_state s) ptr opt_etcb obj)))" diff --git a/proof/drefine/StateTranslationProofs_DR.thy b/proof/drefine/StateTranslationProofs_DR.thy index dfcd7e6a77..d2913c5452 100644 --- a/proof/drefine/StateTranslationProofs_DR.thy +++ b/proof/drefine/StateTranslationProofs_DR.thy @@ -66,7 +66,7 @@ abbreviation "update_tcb_boundntfn ntfn_opt tcb \ tcb \tcb_bound_notification := ntfn_opt\" abbreviation -"dupdate_cdl_object ptr obj s \ cdl_objects_update (\_. cdl_objects s(ptr \ obj)) s" +"dupdate_cdl_object ptr obj s \ cdl_objects_update (\_. (cdl_objects s)(ptr \ obj)) s" abbreviation "dupdate_tcb_intent intent tcb\ tcb \cdl_tcb_intent := intent\" diff --git a/proof/drefine/Tcb_DR.thy b/proof/drefine/Tcb_DR.thy index 5cfaa6ca65..6effc4ba93 100644 --- a/proof/drefine/Tcb_DR.thy +++ b/proof/drefine/Tcb_DR.thy 
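Review bot: In the `set_parent_corres` hunk the new text `(cdl_cdt(transform s'))` writes the application with no space, which is precisely the `f(x)` shape the rest of this commit is disambiguating from the update syntax; `(cdl_cdt (transform s'))` reads unambiguously and matches the spacing used in the other hunks. The enclosing `apply (subgoal_tac ...)` call continues on the following context line, so only that one token needs to change.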
@@ -427,7 +427,9 @@ lemma dcorres_idempotent_as_user: done lemma transform_full_intent_kheap_update_eq: - "\ q \ u' \ \ transform_full_intent (machine_state (s\kheap := kheap s(u' \ x')\)) q = transform_full_intent (machine_state s) q" + "q \ u' \ + transform_full_intent (machine_state (s\kheap := (kheap s)(u' \ x')\)) q = + transform_full_intent (machine_state s) q" by simp (* Suspend functions correspond. *) diff --git a/proof/drefine/Untyped_DR.thy b/proof/drefine/Untyped_DR.thy index dd40ff9e4d..ef6cb7d92f 100644 --- a/proof/drefine/Untyped_DR.thy +++ b/proof/drefine/Untyped_DR.thy @@ -736,7 +736,7 @@ lemma init_arch_objects_corres_noop: done lemma monad_commute_set_cap_cdt: - "monad_commute \ (KHeap_D.set_cap ptr cap) (modify (\s. s\cdl_cdt := cdl_cdt s(ptr2 \ ptr3)\))" + "monad_commute \ (KHeap_D.set_cap ptr cap) (modify (\s. s\cdl_cdt := (cdl_cdt s)(ptr2 \ ptr3)\))" apply (clarsimp simp:monad_commute_def) apply (rule sym) apply (subst bind_assoc[symmetric]) diff --git a/proof/infoflow/ARM/ArchArch_IF.thy b/proof/infoflow/ARM/ArchArch_IF.thy index f5c0527ab9..0f42093362 100644 --- a/proof/infoflow/ARM/ArchArch_IF.thy +++ b/proof/infoflow/ARM/ArchArch_IF.thy @@ -765,9 +765,9 @@ lemma perform_page_invocation_reads_respects: lemma equiv_asids_arm_asid_table_update: "\ equiv_asids R s t; kheap s pool_ptr = kheap t pool_ptr \ \ equiv_asids R - (s\arch_state := arch_state s\arm_asid_table := arm_asid_table (arch_state s) + (s\arch_state := arch_state s\arm_asid_table := (asid_table s) (asid_high_bits_of asid \ pool_ptr)\\) - (t\arch_state := arch_state t\arm_asid_table := arm_asid_table (arch_state t) + (t\arch_state := arch_state t\arm_asid_table := (asid_table t) (asid_high_bits_of asid \ pool_ptr)\\)" by (clarsimp simp: equiv_asids_def equiv_asid_def asid_pool_at_kheap) diff --git a/proof/infoflow/ARM/ArchNoninterference.thy b/proof/infoflow/ARM/ArchNoninterference.thy index ca5ab33ac2..b9958a3093 100644 --- a/proof/infoflow/ARM/ArchNoninterference.thy 
+++ b/proof/infoflow/ARM/ArchNoninterference.thy @@ -376,7 +376,7 @@ lemma dmo_getActive_IRQ_reads_respect_scheduler[Noninterference_assms]: lemma integrity_asids_update_reference_state[Noninterference_assms]: "is_subject aag t - \ integrity_asids aag {pasSubject aag} x asid s (s\kheap := kheap s(t \ blah)\)" + \ integrity_asids aag {pasSubject aag} x asid s (s\kheap := (kheap s)(t \ blah)\)" by clarsimp lemma getActiveIRQ_no_non_kernel_IRQs[Noninterference_assms]: diff --git a/proof/infoflow/ARM/ArchScheduler_IF.thy b/proof/infoflow/ARM/ArchScheduler_IF.thy index f2406c7032..54cc779509 100644 --- a/proof/infoflow/ARM/ArchScheduler_IF.thy +++ b/proof/infoflow/ARM/ArchScheduler_IF.thy @@ -131,12 +131,12 @@ lemma thread_set_context_globals_equiv[Scheduler_IF_assms]: lemma arch_scheduler_affects_equiv_update[Scheduler_IF_assms]: "arch_scheduler_affects_equiv st s - \ arch_scheduler_affects_equiv st (s\kheap := kheap s(x \ TCB y')\)" + \ arch_scheduler_affects_equiv st (s\kheap := (kheap s)(x \ TCB y')\)" by (clarsimp simp: arch_scheduler_affects_equiv_def) lemma equiv_asid_equiv_update[Scheduler_IF_assms]: "\ get_tcb x s = Some y; equiv_asid asid st s \ - \ equiv_asid asid st (s\kheap := kheap s(x \ TCB y')\)" + \ equiv_asid asid st (s\kheap := (kheap s)(x \ TCB y')\)" by (clarsimp simp: equiv_asid_def obj_at_def get_tcb_def) end @@ -434,7 +434,7 @@ lemma thread_set_scheduler_affects_equiv[Scheduler_IF_assms, wp]: split: option.splits kernel_object.splits) apply (subst arch_tcb_update_aux) apply simp - apply (subgoal_tac "s = (s\kheap := kheap s(idle_thread s \ TCB y)\)", simp) + apply (subgoal_tac "s = (s\kheap := (kheap s)(idle_thread s \ TCB y)\)", simp) apply (rule state.equality) apply (rule ext) apply simp+ diff --git a/proof/infoflow/FinalCaps.thy b/proof/infoflow/FinalCaps.thy index 1af9df37ec..c90d1c1e32 100644 --- a/proof/infoflow/FinalCaps.thy +++ b/proof/infoflow/FinalCaps.thy 
@@ -647,8 +647,7 @@ lemma set_cap_slots_holding_overlapping_caps_helper: obj_refs cap = {} \ cap_irqs cap \ {}; ko_at (TCB tcb) (fst slot) s; tcb_cap_cases (snd slot) = Some (getF, setF, blah) \ \ x \ slots_holding_overlapping_caps cap - (s\kheap := kheap s(fst slot \ - TCB (setF (\ x. capa) tcb))\)" + (s\kheap := (kheap s)(fst slot \ TCB (setF (\x. capa) tcb))\)" apply (clarsimp simp: slots_holding_overlapping_caps_def) apply (rule_tac x=cap' in exI) apply (clarsimp simp: get_cap_cte_wp_at') diff --git a/proof/infoflow/InfoFlow_IF.thy b/proof/infoflow/InfoFlow_IF.thy index 1b2e1eeb73..2de302236b 100644 --- a/proof/infoflow/InfoFlow_IF.thy +++ b/proof/infoflow/InfoFlow_IF.thy @@ -677,7 +677,7 @@ lemma requiv_wuc_eq[intro]: by (simp add: reads_equiv_def2) lemma update_object_noop: - "kheap s ptr = Some obj \ s\kheap := kheap s(ptr \ obj)\ = s" + "kheap s ptr = Some obj \ s\kheap := (kheap s)(ptr \ obj)\ = s" by (clarsimp simp: map_upd_triv) lemma set_object_rev: diff --git a/proof/infoflow/Ipc_IF.thy b/proof/infoflow/Ipc_IF.thy index 67a649d0a7..80f3d615df 100644 --- a/proof/infoflow/Ipc_IF.thy +++ b/proof/infoflow/Ipc_IF.thy @@ -332,7 +332,7 @@ lemma sts_noop: lemma sts_to_modify': "monadic_rewrite True True (tcb_at tcb and (\s :: det_state. tcb \ cur_thread s)) (set_thread_state tcb st) - (modify (\s. s\kheap := kheap s(tcb \ TCB (the (get_tcb tcb s)\tcb_state := st\))\))" + (modify (\s. s\kheap := (kheap s)(tcb \ TCB (the (get_tcb tcb s)\tcb_state := st\))\))" apply (clarsimp simp: set_thread_state_def set_object_def) apply (monadic_rewrite_l sts_noop \wpsimp wp: get_object_wp\) apply (simp add: bind_assoc) diff --git a/proof/infoflow/Noninterference.thy b/proof/infoflow/Noninterference.thy index b4435fc1a8..681fa56e8a 100644 --- a/proof/infoflow/Noninterference.thy +++ b/proof/infoflow/Noninterference.thy 
@@ -325,7 +325,7 @@ lemma prop_of_two_valid:
 by (rule hoare_pre, wps f g, wp, simp)
 lemma thread_set_tcb_context_update_wp:
- "\\s. P (s\kheap := kheap s(t \ TCB (tcb_arch_update f (the (get_tcb t s))))\)\
+ "\\s. P (s\kheap := (kheap s)(t \ TCB (tcb_arch_update f (the (get_tcb t s))))\)\
 thread_set (tcb_arch_update f) t
 \\_. P\"
 apply (simp add: thread_set_def)
@@ -631,7 +631,7 @@ locale Noninterference_1 =
 "reads_respects_g aag l \ (do_machine_op (storeWord ptr w))"
 and integrity_asids_update_reference_state:
 "is_subject aag t
- \ integrity_asids aag {pasSubject aag} x asid s (s\kheap := kheap s(t \ blah)\)"
+ \ integrity_asids aag {pasSubject aag} x asid s (s\kheap := (kheap s)(t \ blah)\)"
 and partitionIntegrity_subjectAffects_aobj:
 "\ partitionIntegrity aag s s'; kheap s x = Some (ArchObj ao); kheap s x \ kheap s' x; silc_inv aag st s; pas_refined aag s; pas_wellformed_noninterference aag \
@@ -685,7 +685,7 @@ locale Noninterference_1 =
 begin
 lemma integrity_update_reference_state:
- "\ is_subject aag t; integrity aag X st s; st = st'\kheap := kheap st'(t \ blah)\ \
+ "\ is_subject aag t; integrity aag X st s; st = st'\kheap := (kheap st')(t \ blah)\ \
 \ integrity (aag :: 'a subject_label PAS) X st' s"
 apply (erule integrity_trans[rotated])
 apply (clarsimp simp: integrity_def opt_map_def integrity_asids_update_reference_state)
diff --git a/proof/infoflow/RISCV64/ArchArch_IF.thy b/proof/infoflow/RISCV64/ArchArch_IF.thy
index a2f63f2769..46de768008 100644
--- a/proof/infoflow/RISCV64/ArchArch_IF.thy
+++ b/proof/infoflow/RISCV64/ArchArch_IF.thy
@@ -400,10 +400,10 @@ lemma perform_page_invocation_reads_respects:
 lemma equiv_asids_riscv_asid_table_update:
 "\ equiv_asids R s t; kheap s pool_ptr = kheap t pool_ptr \ \ equiv_asids R
- (s\arch_state := arch_state s\riscv_asid_table := riscv_asid_table (arch_state s)
- (asid_high_bits_of asid \ pool_ptr)\\)
- (t\arch_state := arch_state t\riscv_asid_table := riscv_asid_table (arch_state t)
- (asid_high_bits_of asid \ pool_ptr)\\)"
+ (s\arch_state := arch_state s\riscv_asid_table := (asid_table s)
+ (asid_high_bits_of asid \ pool_ptr)\\)
+ (t\arch_state := arch_state t\riscv_asid_table := (asid_table t)
+ (asid_high_bits_of asid \ pool_ptr)\\)"
 by (clarsimp simp: equiv_asids_def equiv_asid_def asid_pool_at_kheap opt_map_def)
 lemma riscv_asid_table_update_reads_respects:
diff --git a/proof/infoflow/RISCV64/ArchNoninterference.thy b/proof/infoflow/RISCV64/ArchNoninterference.thy
index 1ccab6450b..6ebdc9d167 100644
--- a/proof/infoflow/RISCV64/ArchNoninterference.thy
+++ b/proof/infoflow/RISCV64/ArchNoninterference.thy
@@ -94,7 +94,7 @@ lemma arch_globals_equiv_strengthener_thread_independent[Noninterference_assms]:
 lemma integrity_asids_update_reference_state[Noninterference_assms]:
 "is_subject aag t
- \ integrity_asids aag {pasSubject aag} x a s (s\kheap := kheap s(t \ blah)\)"
+ \ integrity_asids aag {pasSubject aag} x a s (s\kheap := (kheap s)(t \ blah)\)"
 by (clarsimp simp: opt_map_def)
 lemma inte_obj_arch:
diff --git a/proof/infoflow/RISCV64/ArchScheduler_IF.thy b/proof/infoflow/RISCV64/ArchScheduler_IF.thy
index f39e0482a4..28df9083df 100644
--- a/proof/infoflow/RISCV64/ArchScheduler_IF.thy
+++ b/proof/infoflow/RISCV64/ArchScheduler_IF.thy
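Review bot: The new lines of `equiv_asids_riscv_asid_table_update` replace `riscv_asid_table (arch_state s)` with `(asid_table s)` instead of only parenthesising the existing term, so unlike the rest of this patch they change the shape of the lemma statement; the same substitution appears in `cap_insert_simple_arch_caps_ap` and in the `asid_table_update` locale_abbrev of the AARCH64 files further down. This is a pure syntax update only if `asid_table` is an abbreviation that unfolds to exactly `riscv_asid_table (arch_state s)` (resp. `arm_asid_table (arch_state s)`); should it be a definition instead, callers that rely on the old term shape for simp or unification could stop matching, so it is worth confirming by a full build of all affected sessions rather than by the proofs in these hunks alone. A short comment on these lemmas, e.g. `(* asid_table s abbreviates riscv_asid_table (arch_state s) *)`, would make the intent clear to the next reader of this otherwise mechanical patch.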
@@ -130,12 +130,12 @@ lemma thread_set_context_globals_equiv[Scheduler_IF_assms]:
 lemma arch_scheduler_affects_equiv_update[Scheduler_IF_assms]:
 "arch_scheduler_affects_equiv st s
- \ arch_scheduler_affects_equiv st (s\kheap := kheap s(x \ TCB y')\)"
+ \ arch_scheduler_affects_equiv st (s\kheap := (kheap s)(x \ TCB y')\)"
 by (clarsimp simp: arch_scheduler_affects_equiv_def)
 lemma equiv_asid_equiv_update[Scheduler_IF_assms]:
 "\ get_tcb x s = Some y; equiv_asid asid st s \
- \ equiv_asid asid st (s\kheap := kheap s(x \ TCB y')\)"
+ \ equiv_asid asid st (s\kheap := (kheap s)(x \ TCB y')\)"
 by (clarsimp simp: equiv_asid_def obj_at_def get_tcb_def)
 end
@@ -363,7 +363,7 @@ lemma thread_set_scheduler_affects_equiv[Scheduler_IF_assms, wp]:
 split: option.splits kernel_object.splits)
 apply (subst arch_tcb_update_aux)
 apply simp
- apply (subgoal_tac "s = (s\kheap := kheap s(idle_thread s \ TCB y)\)", simp)
+ apply (subgoal_tac "s = (s\kheap := (kheap s)(idle_thread s \ TCB y)\)", simp)
 apply (rule state.equality)
 apply (rule ext)
 apply simp+
diff --git a/proof/infoflow/Scheduler_IF.thy b/proof/infoflow/Scheduler_IF.thy
index a1f0c91f38..de3d3aeaa4 100644
--- a/proof/infoflow/Scheduler_IF.thy
+++ b/proof/infoflow/Scheduler_IF.thy
@@ -60,7 +60,7 @@ locale Scheduler_IF_1 =
 "arch_scheduler_affects_equiv s s' \ arch_scheduler_affects_equiv s' s"
 and arch_scheduler_affects_equiv_update:
 "arch_scheduler_affects_equiv st s
- \ arch_scheduler_affects_equiv st (s\kheap := kheap s(x \ TCB y')\)"
+ \ arch_scheduler_affects_equiv st (s\kheap := (kheap s)(x \ TCB y')\)"
 and arch_scheduler_affects_equiv_sa_update[simp]:
 "\f. arch_scheduler_affects_equiv (scheduler_action_update f s) s' = arch_scheduler_affects_equiv s s'"
@@ -106,7 +106,7 @@ locale Scheduler_IF_1 =
 "\P. arch_switch_to_idle_thread \\s. P (work_units_completed s)\"
 and equiv_asid_equiv_update:
 "\ get_tcb x s = Some y; equiv_asid asid st s \
- \ equiv_asid asid st (s\kheap := kheap s(x \ TCB y')\)"
+ \ equiv_asid asid st (s\kheap := (kheap s)(x \ TCB y')\)"
 and equiv_asid_cur_thread_update[simp]:
 "\f. equiv_asid asid (cur_thread_update f s) s' = equiv_asid asid s s'"
 "\f. equiv_asid asid s (cur_thread_update f s') = equiv_asid asid s s'"
@@ -2221,7 +2221,7 @@ context Scheduler_IF_1 begin
 lemma scheduler_affects_equiv_update:
 "\ get_tcb x s = Some y; pasObjectAbs aag x \ reads_scheduler aag l; scheduler_affects_equiv aag l st s \
- \ scheduler_affects_equiv aag l st (s\kheap := kheap s(x \ TCB y')\)"
+ \ scheduler_affects_equiv aag l st (s\kheap := (kheap s)(x \ TCB y')\)"
 by (clarsimp simp: scheduler_affects_equiv_def equiv_for_def equiv_asids_def states_equiv_for_def scheduler_globals_frame_equiv_def arch_scheduler_affects_equiv_update equiv_asid_equiv_update)
diff --git a/proof/invariant-abstract/AARCH64/ArchAcc_AI.thy b/proof/invariant-abstract/AARCH64/ArchAcc_AI.thy
index a5c1e712b1..d87ce20c4c 100644
--- a/proof/invariant-abstract/AARCH64/ArchAcc_AI.thy
+++ b/proof/invariant-abstract/AARCH64/ArchAcc_AI.thy
@@ -1139,7 +1139,7 @@ lemma set_object_caps_of_state:
 done
 lemma set_pt_aobjs_of:
- "\\s. aobjs_of s p \ None \ P (aobjs_of s(p \ PageTable pt)) \ set_pt p pt \\_ s. P (aobjs_of s)\"
+ "\\s. aobjs_of s p \ None \ P ((aobjs_of s)(p \ PageTable pt)) \ set_pt p pt \\_ s. P (aobjs_of s)\"
 unfolding set_pt_def
 supply fun_upd_apply[simp del]
 by (wpsimp wp: set_object_wp)
@@ -1267,7 +1267,7 @@ lemma pt_walk_upd_idem:
 \ pt_walk top_level level' pt_ptr vptr (ptes_of s) = Some (level', pt_ptr') \ pt_ptr' \ obj_ref; is_aligned pt_ptr (pt_bits top_level); top_level \ max_pt_level \
- \ pt_walk top_level level pt_ptr vptr (ptes_of (s\kheap := kheap s(obj_ref \ ko)\))
+ \ pt_walk top_level level pt_ptr vptr (ptes_of (s\kheap := (kheap s)(obj_ref \ ko)\))
 = pt_walk top_level level pt_ptr vptr (ptes_of s)"
 by (rule pt_walk_eqI; simp split del: if_split) (clarsimp simp: opt_map_def split: option.splits)
@@ -1334,7 +1334,7 @@ lemma vs_lookup_table_upd_idem:
 \ vs_lookup_table level' asid vref s = Some (level', p') \ p' \ obj_ref; pspace_aligned s; valid_vspace_objs s; valid_asid_table s \
- \ vs_lookup_table level asid vref (s\kheap := kheap s(obj_ref \ ko)\)
+ \ vs_lookup_table level asid vref (s\kheap := (kheap s)(obj_ref \ ko)\)
 = vs_lookup_table level asid vref s"
 by (rule vs_lookup_table_eqI; simp split del: if_split) (clarsimp simp: opt_map_def split: option.splits)
@@ -1343,7 +1343,7 @@ lemma vs_lookup_table_Some_upd_idem:
 "\ vs_lookup_table level asid vref s = Some (level, obj_ref); vref \ user_region; pspace_aligned s; pspace_distinct s; valid_vspace_objs s; valid_asid_table s \
- \ vs_lookup_table level asid vref (s\kheap := kheap s(obj_ref \ ko)\)
+ \ vs_lookup_table level asid vref (s\kheap := (kheap s)(obj_ref \ ko)\)
 = vs_lookup_table level asid vref s"
 by (subst vs_lookup_table_upd_idem; simp?) (fastforce dest: no_loop_vs_lookup_table)
@@ -1352,7 +1352,7 @@ lemma ex_vs_lookup_upd_idem:
 "\ \\ (level, p) s; pspace_aligned s; pspace_distinct s; valid_vspace_objs s; valid_asid_table s; unique_table_refs s; valid_vs_lookup s; valid_caps (caps_of_state s) s \
- \ \\ (level, p) (s\kheap := kheap s(p \ ko)\) = \\ (level, p) s"
+ \ \\ (level, p) (s\kheap := (kheap s)(p \ ko)\) = \\ (level, p) s"
 apply (rule iffI; clarsimp)
 apply (rule_tac x=asid in exI)
 apply (rule_tac x=vref in exI)
@@ -1430,7 +1430,7 @@ lemma pt_lookup_target_pt_upd_eq:
 by (rule pt_lookup_target_pt_eqI; clarsimp)
 lemma kheap_pt_upd_simp[simp]:
- "(kheap s(p \ ArchObj (PageTable pt)) |> aobj_of |> pt_of)
+ "((kheap s)(p \ ArchObj (PageTable pt)) |> aobj_of |> pt_of)
 = (kheap s |> aobj_of |> pt_of)(p \ pt)"
 unfolding aobj_of_def opt_map_def
 by (auto split: kernel_object.split)
@@ -1510,7 +1510,7 @@ lemma valid_machine_stateE:
 lemma in_user_frame_same_type_upd:
 "\typ_at type p s; type = a_type obj; in_user_frame q s\
- \ in_user_frame q (s\kheap := kheap s(p \ obj)\)"
+ \ in_user_frame q (s\kheap := (kheap s)(p \ obj)\)"
 apply (clarsimp simp: in_user_frame_def obj_at_def)
 apply (rule_tac x=sz in exI)
 apply (auto simp: a_type_simps)
@@ -1518,7 +1518,7 @@ lemma in_user_frame_same_type_upd:
 lemma in_device_frame_same_type_upd:
 "\typ_at type p s; type = a_type obj ; in_device_frame q s\
- \ in_device_frame q (s\kheap := kheap s(p \ obj)\)"
+ \ in_device_frame q (s\kheap := (kheap s)(p \ obj)\)"
 apply (clarsimp simp: in_device_frame_def obj_at_def)
 apply (rule_tac x=sz in exI)
 apply (auto simp: a_type_simps)
@@ -1543,7 +1543,7 @@ lemma load_word_offs_in_user_frame[wp]:
 lemma valid_machine_state_heap_updI:
 "\ valid_machine_state s; typ_at type p s; a_type obj = type \
- \ valid_machine_state (s\kheap := kheap s(p \ obj)\)"
+ \ valid_machine_state (s\kheap := (kheap s)(p \ obj)\)"
 by (fastforce simp: valid_machine_state_def intro: in_user_frame_same_type_upd elim: valid_machine_stateE)
@@ -1664,7 +1664,7 @@ lemma set_asid_pool_valid_global [wp]:
 lemma vs_lookup_table_unreachable_upd_idem:
 "\ \level. vs_lookup_table level asid vref s \ Some (level, obj_ref); vref \ user_region; pspace_aligned s; valid_vspace_objs s; valid_asid_table s \
- \ vs_lookup_table level asid vref (s\kheap := kheap s(obj_ref \ ko)\)
+ \ vs_lookup_table level asid vref (s\kheap := (kheap s)(obj_ref \ ko)\)
 = vs_lookup_table level asid vref s"
 apply (subst vs_lookup_table_upd_idem; fastforce)
 done
@@ -1672,14 +1672,14 @@ lemma vs_lookup_table_unreachable_upd_idem:
 lemma vs_lookup_table_unreachable_upd_idem':
 "\ \(\level. \\ (level, obj_ref) s); vref \ user_region; pspace_aligned s; valid_vspace_objs s; valid_asid_table s \
- \ vs_lookup_table level asid vref (s\kheap := kheap s(obj_ref \ ko)\)
+ \ vs_lookup_table level asid vref (s\kheap := (kheap s)(obj_ref \ ko)\)
 = vs_lookup_table level asid vref s"
 by (rule vs_lookup_table_unreachable_upd_idem; fastforce)
 lemma vs_lookup_target_unreachable_upd_idem:
 "\ \level. vs_lookup_table level asid vref s \ Some (level, obj_ref); vref \ user_region; pspace_aligned s; valid_vspace_objs s; valid_asid_table s \
- \ vs_lookup_target level asid vref (s\kheap := kheap s(obj_ref \ ko)\)
+ \ vs_lookup_target level asid vref (s\kheap := (kheap s)(obj_ref \ ko)\)
 = vs_lookup_target level asid vref s"
 supply fun_upd_apply[simp del]
 apply (clarsimp simp: vs_lookup_target_def vs_lookup_slot_def obind_assoc)
@@ -1714,12 +1714,12 @@ lemma vs_lookup_target_unreachable_upd_idem:
 lemma vs_lookup_target_unreachable_upd_idem':
 "\ \(\level. \\ (level, obj_ref) s); vref \ user_region; pspace_aligned s; valid_vspace_objs s; valid_asid_table s \
- \ vs_lookup_target level asid vref (s\kheap := kheap s(obj_ref \ ko)\)
+ \ vs_lookup_target level asid vref (s\kheap := (kheap s)(obj_ref \ ko)\)
 = vs_lookup_target level asid vref s"
 by (rule vs_lookup_target_unreachable_upd_idem; fastforce)
 lemma vs_lookup_table_fun_upd_deep_idem:
- "\ vs_lookup_table level asid vref (s\kheap := kheap s(p \ ko)\) = Some (level, p');
+ "\ vs_lookup_table level asid vref (s\kheap := (kheap s)(p \ ko)\) = Some (level, p');
 vs_lookup_table level' asid vref s = Some (level', p); level' \ level; vref \ user_region; valid_vspace_objs s; valid_asid_table s; pspace_aligned s; pspace_distinct s \
@@ -1808,8 +1808,8 @@ lemma vs_lookup_target_pt_levelI:
 lemma vs_lookup_target_asid_pool_level_upd_helper:
 "\ graph_of ap \ graph_of ap'; kheap s p = Some (ArchObj (ASIDPool ap')); vref \ user_region;
- vspace_for_pool pool_ptr asid (asid_pools_of s(p \ ap)) = Some pt_ptr;
- pool_for_asid asid (s\kheap := kheap s(p \ ArchObj (ASIDPool ap))\) = Some pool_ptr\
+ vspace_for_pool pool_ptr asid ((asid_pools_of s)(p \ ap)) = Some pt_ptr;
+ pool_for_asid asid (s\kheap := (kheap s)(p \ ArchObj (ASIDPool ap))\) = Some pool_ptr\
 \ vs_lookup_target asid_pool_level asid vref s = Some (asid_pool_level, pt_ptr)"
 apply (clarsimp simp: pool_for_asid_vs_lookup vspace_for_pool_def entry_for_pool_def in_omonad)
 apply (clarsimp split: if_splits)
@@ -1820,7 +1820,7 @@ lemma vs_lookup_target_asid_pool_level_upd_helper:
 done
 lemma vs_lookup_target_None_upd_helper:
- "\ vs_lookup_table level asid vref (s\kheap := kheap s(p \ ArchObj (ASIDPool ap))\) =
+ "\ vs_lookup_table level asid vref (s\kheap := (kheap s)(p \ ArchObj (ASIDPool ap))\) =
 Some (level, table_ptr); ((\pa. level_pte_of (level_type level) pa ((pts_of s)(p := None))) |> pte_ref) (pt_slot_offset level table_ptr vref)
@@ -1912,7 +1912,7 @@ lemma set_asid_pool_equal_mappings[wp]:
 lemma translate_address_asid_pool_upd:
 "pts_of s p = None \ translate_address pt_ptr vref
- (\pt_t pa. level_pte_of pt_t pa (kheap s(p \ ArchObj (ASIDPool ap)) |> aobj_of |> pt_of))
+ (\pt_t pa. level_pte_of pt_t pa ((kheap s)(p \ ArchObj (ASIDPool ap)) |> aobj_of |> pt_of))
 = translate_address pt_ptr vref (ptes_of s)"
 by simp
@@ -2253,7 +2253,7 @@ lemma pt_walk_below_pt_upd_idem:
 pt_walk (level' - 1) level (pptr_from_pte (pt_apply (pt_upd pt (table_index (level_type level') p) pte) (pt_index level' vref))) vref
- (\pt_t pa. level_pte_of pt_t pa (pts_of s(table_base (level_type level') p \
+ (\pt_t pa. level_pte_of pt_t pa ((pts_of s)(table_base (level_type level') p \
 pt_upd pt (table_index (level_type level') p) pte))) = pt_walk (level' - 1) level (pptr_from_pte (pt_apply (pt_upd pt (table_index (level_type level') p) pte)
diff --git a/proof/invariant-abstract/AARCH64/ArchArch_AI.thy b/proof/invariant-abstract/AARCH64/ArchArch_AI.thy
index 6d5af8020e..0d9d21e69f 100644
--- a/proof/invariant-abstract/AARCH64/ArchArch_AI.thy
+++ b/proof/invariant-abstract/AARCH64/ArchArch_AI.thy
@@ -417,7 +417,7 @@ context Arch begin global_naming AARCH64
 lemma vmid_for_asid_empty_update:
 "\ asid_table s asid_high = None; asid_pools_of s ap = Some Map.empty \ \
- vmid_for_asid_2 asid (asid_table s(asid_high \ ap)) (asid_pools_of s) = vmid_for_asid s asid"
+ vmid_for_asid_2 asid ((asid_table s)(asid_high \ ap)) (asid_pools_of s) = vmid_for_asid s asid"
 by (clarsimp simp: vmid_for_asid_2_def obind_def entry_for_pool_def opt_map_def split: option.splits)
@@ -451,7 +451,7 @@ lemma valid_asid_pool_caps_upd_strg:
 (\ptr cap. caps_of_state s ptr = Some cap \ obj_refs cap = {ap} \ vs_cap_ref cap = Some (ucast asid << asid_low_bits, 0)) \
- valid_asid_pool_caps_2 (caps_of_state s) (asid_table s(asid \ ap))"
+ valid_asid_pool_caps_2 (caps_of_state s) ((asid_table s)(asid \ ap))"
 apply clarsimp
 apply (prop_tac "asid_update ap asid s", (unfold_locales; assumption))
 apply (fastforce dest: asid_update.valid_asid_pool_caps')
@@ -544,7 +544,7 @@ lemma cap_insert_simple_arch_caps_ap:
 and K (cap = ArchObjectCap (ASIDPoolCap ap asid) \ is_aligned asid asid_low_bits) \ cap_insert cap src dest \\rv s. valid_arch_caps (s\arch_state := arch_state s
- \arm_asid_table := arm_asid_table (arch_state s)(asid_high_bits_of asid \ ap)\\)\"
+ \arm_asid_table := (asid_table s)(asid_high_bits_of asid \ ap)\\)\"
 apply (simp add: cap_insert_def update_cdt_def set_cdt_def valid_arch_caps_def set_untyped_cap_as_full_def bind_assoc)
 apply (strengthen valid_vs_lookup_at_upd_strg valid_asid_pool_caps_upd_strg)
@@ -890,7 +890,8 @@ lemmas aci_invs[wp] = aci_invs'[where Q=\,simplified hoare_post_taut,
 OF refl refl refl TrueI TrueI TrueI,simplified]
 lemma obj_at_upd2:
- "obj_at P t' (s\kheap := kheap s(t \ v, x \ v')\) = (if t' = x then P v' else obj_at P t' (s\kheap := kheap s(t \ v)\))"
+ "obj_at P t' (s\kheap := (kheap s)(t \ v, x \ v')\) =
+ (if t' = x then P v' else obj_at P t' (s\kheap := (kheap s)(t \ v)\))"
 by (simp add: obj_at_update obj_at_def)
 lemma vcpu_invalidate_active_hyp_refs_empty[wp]:
@@ -964,7 +965,7 @@ lemma ex_nonz_cap_to_vcpu_udpate[simp]:
 by (simp add: ex_nonz_cap_to_def)
 lemma caps_of_state_VCPU_update:
- "vcpu_at a s \ caps_of_state (s\kheap := kheap s(a \ ArchObj (VCPU b))\) = caps_of_state s"
+ "vcpu_at a s \ caps_of_state (s\kheap := (kheap s)(a \ ArchObj (VCPU b))\) = caps_of_state s"
 by (rule ext) (auto simp: caps_of_state_cte_wp_at cte_wp_at_cases obj_at_def)
 lemma set_vcpu_ex_nonz_cap_to[wp]:
@@ -974,7 +975,7 @@ lemma set_vcpu_ex_nonz_cap_to[wp]:
 done
 lemma caps_of_state_tcb_arch_update:
- "ko_at (TCB y) t' s \ caps_of_state (s\kheap := kheap s(t' \ TCB (y\tcb_arch := f (tcb_arch y)\))\) = caps_of_state s"
+ "ko_at (TCB y) t' s \ caps_of_state (s\kheap := (kheap s)(t' \ TCB (y\tcb_arch := f (tcb_arch y)\))\) = caps_of_state s"
 by (rule ext) (auto simp: caps_of_state_cte_wp_at cte_wp_at_cases obj_at_def tcb_cap_cases_def)
 lemma arch_thread_set_ex_nonz_cap_to[wp]:
diff --git a/proof/invariant-abstract/AARCH64/ArchCNodeInv_AI.thy b/proof/invariant-abstract/AARCH64/ArchCNodeInv_AI.thy
index c192246603..0cbede9b26 100644
--- a/proof/invariant-abstract/AARCH64/ArchCNodeInv_AI.thy
+++ b/proof/invariant-abstract/AARCH64/ArchCNodeInv_AI.thy
@@ -540,7 +540,7 @@ context Arch begin global_naming AARCH64
 lemma post_cap_delete_pre_is_final_cap':
 "\valid_ioports s; caps_of_state s slot = Some cap; is_final_cap' cap s; cap_cleanup_opt cap \ NullCap\
- \ post_cap_delete_pre (cap_cleanup_opt cap) (caps_of_state s(slot \ NullCap))"
+ \ post_cap_delete_pre (cap_cleanup_opt cap) ((caps_of_state s)(slot \ NullCap))"
 apply (clarsimp simp: cap_cleanup_opt_def cte_wp_at_def post_cap_delete_pre_def split: cap.split_asm if_split_asm elim!: ranE dest!: caps_of_state_cteD)
diff --git a/proof/invariant-abstract/AARCH64/ArchCSpacePre_AI.thy b/proof/invariant-abstract/AARCH64/ArchCSpacePre_AI.thy
index 5f85806480..38a0a88e20 100644
--- a/proof/invariant-abstract/AARCH64/ArchCSpacePre_AI.thy
+++ b/proof/invariant-abstract/AARCH64/ArchCSpacePre_AI.thy
@@ -154,7 +154,7 @@ lemma arch_derived_is_device:
 lemma valid_arch_mdb_simple:
 "\ valid_arch_mdb (is_original_cap s) (caps_of_state s); is_simple_cap cap; caps_of_state s src = Some capa\ \
- valid_arch_mdb ((is_original_cap s) (dest := is_cap_revocable cap capa)) (caps_of_state s(dest \ cap))"
+ valid_arch_mdb ((is_original_cap s) (dest := is_cap_revocable cap capa)) ((caps_of_state s)(dest \ cap))"
 by (auto simp: valid_arch_mdb_def is_cap_revocable_def arch_is_cap_revocable_def is_simple_cap_def safe_parent_for_def is_cap_simps)
@@ -179,34 +179,34 @@ lemma set_untyped_cap_as_full_valid_arch_mdb:
 lemma valid_arch_mdb_not_arch_cap_update:
 "\s cap capa. \\is_arch_cap cap; valid_arch_mdb (is_original_cap s) (caps_of_state s)\ \ valid_arch_mdb ((is_original_cap s)(dest := True))
- (caps_of_state s(src \ cap, dest\capa))"
+ ((caps_of_state s)(src \ cap, dest\capa))"
 by (auto simp: valid_arch_mdb_def)
 lemma valid_arch_mdb_derived_cap_update:
 "\s capa. \valid_arch_mdb (is_original_cap s) (caps_of_state s); is_derived (cdt s) src cap capa\ \ valid_arch_mdb ((is_original_cap s)(dest := is_cap_revocable cap capa))
- (caps_of_state s(dest \ cap))"
+ ((caps_of_state s)(dest \ cap))"
 by (clarsimp simp: valid_arch_mdb_def)
 lemma valid_arch_mdb_free_index_update':
 "\s capa. \valid_arch_mdb (is_original_cap s) (caps_of_state s); caps_of_state s src = Some capa; is_untyped_cap cap\ \ valid_arch_mdb ((is_original_cap s) (dest := is_cap_revocable cap capa))
- (caps_of_state s(dest \ cap, src \ max_free_index_update capa))"
+ ((caps_of_state s)(dest \ cap, src \ max_free_index_update capa))"
 by (auto simp: valid_arch_mdb_def)
 lemma valid_arch_mdb_weak_derived_update:
 "\s capa. \valid_arch_mdb (is_original_cap s) (caps_of_state s); caps_of_state s src = Some capa; weak_derived cap capa\ \ valid_arch_mdb ((is_original_cap s) (dest := is_original_cap s src, src := False))
- (caps_of_state s(dest \ cap, src \ NullCap))"
+ ((caps_of_state s)(dest \ cap, src \ NullCap))"
 by (auto simp: valid_arch_mdb_def)
 lemma valid_arch_mdb_tcb_cnode_update:
 "valid_arch_mdb (is_original_cap s) (caps_of_state s) \ valid_arch_mdb ((is_original_cap s) ((t, tcb_cnode_index 2) := True))
- (caps_of_state s((t, tcb_cnode_index 2) \ ReplyCap t True canReplyGrant))"
+ ((caps_of_state s)((t, tcb_cnode_index 2) \ ReplyCap t True canReplyGrant))"
 by (clarsimp simp: valid_arch_mdb_def)
 lemmas valid_arch_mdb_updates = valid_arch_mdb_free_index_update valid_arch_mdb_not_arch_cap_update
@@ -239,10 +239,10 @@ lemma valid_arch_mdb_null_filter:
 lemma valid_arch_mdb_untypeds:
 "\s. valid_arch_mdb (is_original_cap s) (caps_of_state s) \ valid_arch_mdb (\x. x \ cref \ is_original_cap s x)
- (caps_of_state s(cref \ default_cap tp oref sz dev))"
+ ((caps_of_state s)(cref \ default_cap tp oref sz dev))"
 "\s. valid_arch_mdb (is_original_cap s) (caps_of_state s) \ valid_arch_mdb (is_original_cap s)
- (caps_of_state s(cref \ UntypedCap dev ptr sz idx))"
+ ((caps_of_state s)(cref \ UntypedCap dev ptr sz idx))"
 by (clarsimp simp: valid_arch_mdb_def)+
 end
diff --git a/proof/invariant-abstract/AARCH64/ArchCSpace_AI.thy b/proof/invariant-abstract/AARCH64/ArchCSpace_AI.thy
index 8e74745c27..99901c650d 100644
--- a/proof/invariant-abstract/AARCH64/ArchCSpace_AI.thy
+++ b/proof/invariant-abstract/AARCH64/ArchCSpace_AI.thy
@@ -175,7 +175,7 @@ lemma is_derived_is_cap:
 lemma vs_lookup_pages_non_aobj_upd:
 "\ kheap s p = Some ko; \ is_ArchObj ko; \ is_ArchObj ko' \
- \ vs_lookup_pages (s\kheap := kheap s(p \ ko')\) = vs_lookup_pages s"
+ \ vs_lookup_pages (s\kheap := (kheap s)(p \ ko')\) = vs_lookup_pages s"
 unfolding vs_lookup_target_def vs_lookup_slot_def
 apply (frule aobjs_of_non_aobj_upd[where ko'=ko'], simp+)
 apply (rule ext)+
@@ -190,7 +190,7 @@ lemma vs_lookup_pages_non_aobj_upd:
 lemma vs_lookup_target_non_aobj_upd:
 "\ kheap s p = Some ko; \ is_ArchObj ko; \ is_ArchObj ko' \
- \ vs_lookup_target level asid vref (s\kheap := kheap s(p \ ko')\)
+ \ vs_lookup_target level asid vref (s\kheap := (kheap s)(p \ ko')\)
 = vs_lookup_target level asid vref s"
 by (drule vs_lookup_pages_non_aobj_upd[where ko'=ko'], auto dest: fun_cong)
diff --git a/proof/invariant-abstract/AARCH64/ArchFinalise_AI.thy b/proof/invariant-abstract/AARCH64/ArchFinalise_AI.thy
index 4206c6c8fd..5bd5f26a34 100644
--- a/proof/invariant-abstract/AARCH64/ArchFinalise_AI.thy
+++ b/proof/invariant-abstract/AARCH64/ArchFinalise_AI.thy
@@ -469,7 +469,7 @@ lemma arch_thread_set_cur_tcb[wp]: "\cur_tcb\ arch_thread_set p
 lemma cte_wp_at_update_some_tcb:
 "\kheap s v = Some (TCB tcb) ; tcb_cnode_map tcb = tcb_cnode_map (f tcb)\
- \ cte_wp_at P p (s\kheap := kheap s (v \ TCB (f tcb))\) = cte_wp_at P p s"
+ \ cte_wp_at P p (s\kheap := (kheap s)(v \ TCB (f tcb))\) = cte_wp_at P p s"
 apply (clarsimp simp: cte_wp_at_cases2 dest!: get_tcb_SomeD)
 done
@@ -664,7 +664,7 @@ lemma arch_thread_set_valid_objs_vcpu_Some[wp]:
 lemma sym_refs_update_some_tcb:
 "\kheap s v = Some (TCB tcb) ; refs_of (TCB tcb) = refs_of (TCB (f tcb))\
- \ sym_refs (state_refs_of (s\kheap := kheap s (v \ TCB (f tcb))\)) = sym_refs (state_refs_of s)"
+ \ sym_refs (state_refs_of (s\kheap := (kheap s)(v \ TCB (f tcb))\)) = sym_refs (state_refs_of s)"
 apply (rule_tac f=sym_refs in arg_cong)
 apply (rule all_ext)
 apply (clarsimp simp: sym_refs_def state_refs_of_def)
@@ -705,7 +705,7 @@ lemma vcpu_invalidate_tcbs_inv[wp]:
 lemma sym_refs_vcpu_None:
 assumes sym_refs: "sym_refs (state_hyp_refs_of s)"
 assumes tcb: "ko_at (TCB tcb) t s" "tcb_vcpu (tcb_arch tcb) = Some vr"
- shows "sym_refs (state_hyp_refs_of (s\kheap := kheap s(t \ TCB (tcb\tcb_arch := tcb_vcpu_update Map.empty (tcb_arch tcb)\),
+ shows "sym_refs (state_hyp_refs_of (s\kheap := (kheap s)(t \ TCB (tcb\tcb_arch := tcb_vcpu_update Map.empty (tcb_arch tcb)\),
 vr \ ArchObj (VCPU (vcpu_tcb_update Map.empty v)))\))" (is "sym_refs (state_hyp_refs_of ?s')")
 proof -
@@ -739,7 +739,7 @@ proof -
 qed
 lemma arch_thread_set_wp:
- "\\s. get_tcb p s \ None \ Q (s\kheap := kheap s(p \ TCB (the (get_tcb p s)\tcb_arch := f (tcb_arch (the (get_tcb p s)))\))\) \
+ "\\s. get_tcb p s \ None \ Q (s\kheap := (kheap s)(p \ TCB (the (get_tcb p s)\tcb_arch := f (tcb_arch (the (get_tcb p s)))\))\) \
 arch_thread_set f p
 \\_. Q\"
 apply (simp add: arch_thread_set_def)
@@ -1908,7 +1908,7 @@ lemma set_asid_pool_obj_at_ptr:
 locale_abbrev
 "asid_table_update asid ap s \
- s\arch_state := arch_state s\arm_asid_table := arm_asid_table (arch_state s)(asid \ ap)\\"
+ s\arch_state := arch_state s\arm_asid_table := (asid_table s)(asid \ ap)\\"
 lemma valid_table_caps_table [simp]:
 "valid_table_caps (s\arch_state := arch_state s\arm_asid_table := table'\\) = valid_table_caps s"
diff --git a/proof/invariant-abstract/AARCH64/ArchInvariants_AI.thy b/proof/invariant-abstract/AARCH64/ArchInvariants_AI.thy
index 7b2b748002..9180267283 100644
--- a/proof/invariant-abstract/AARCH64/ArchInvariants_AI.thy
+++ b/proof/invariant-abstract/AARCH64/ArchInvariants_AI.thy
@@ -2896,7 +2896,7 @@ lemma vs_lookup_table_eq_lift:
 lemma aobjs_of_non_aobj_upd:
 "\ kheap s p = Some ko; \ is_ArchObj ko; \ is_ArchObj ko' \
- \ kheap s(p \ ko') |> aobj_of = aobjs_of s"
+ \ (kheap s)(p \ ko') |> aobj_of = aobjs_of s"
 by (rule ext) (auto simp: opt_map_def is_ArchObj_def aobj_of_def split: kernel_object.splits if_split_asm)
diff --git a/proof/invariant-abstract/AARCH64/ArchIpc_AI.thy b/proof/invariant-abstract/AARCH64/ArchIpc_AI.thy
index b71a087568..1896b217a4 100644
--- a/proof/invariant-abstract/AARCH64/ArchIpc_AI.thy
+++ b/proof/invariant-abstract/AARCH64/ArchIpc_AI.thy
@@ -511,7 +511,7 @@ lemma valid_arch_mdb_cap_swap:
 \ valid_arch_mdb ((is_original_cap s) (a := is_original_cap s b, b := is_original_cap s a))
- (caps_of_state s(a \ c', b \ c))"
+ ((caps_of_state s)(a \ c', b \ c))"
 by (auto simp: valid_arch_mdb_def)
 end
diff --git a/proof/invariant-abstract/AARCH64/ArchKHeap_AI.thy b/proof/invariant-abstract/AARCH64/ArchKHeap_AI.thy
index 55f4b83abb..dab8bd5aef 100644
--- a/proof/invariant-abstract/AARCH64/ArchKHeap_AI.thy
+++ b/proof/invariant-abstract/AARCH64/ArchKHeap_AI.thy
@@ -409,7 +409,7 @@ lemma valid_vspace_objs_lift_weak:
 by (intro valid_vspace_objs_lift vspace_obj_pred_vspace_objs assms)
 lemma set_pt_pts_of:
- "\\s. pts_of s p \ None \ P (pts_of s (p \ pt)) \ set_pt p pt \\_ s. P (pts_of s)\"
+ "\\s. pts_of s p \ None \ P ((pts_of s)(p \ pt)) \ set_pt p pt \\_ s. P (pts_of s)\"
 unfolding set_pt_def
 by (wpsimp wp: set_object_wp) (auto elim!: rsubst[where P=P] simp: opt_map_def split: option.splits)
@@ -458,7 +458,7 @@ lemma pt_apply_pt_upd_neq:
 lemma ptes_of_pts_of_upd:
 "\ is_aligned p pte_bits; pts_of s (table_base pt_t p) = Some pt; pt_t = pt_type pt \ \ (\pt_t' p'. level_pte_of pt_t' p'
- (pts_of s (table_base pt_t p \ pt_upd pt (table_index pt_t p) pte))) =
+ ((pts_of s)(table_base pt_t p \ pt_upd pt (table_index pt_t p) pte))) =
 ptes_of s (pt_t, p \ pte)"
 apply (rule ext)+
 apply (clarsimp simp: fun_upd2_def)
@@ -479,7 +479,7 @@ lemma store_pte_ptes_of_full:
 done
 lemma store_pte_ptes_of:
- "\\s. ptes_of s pt_t p \ None \ P (ptes_of s pt_t (p \ pte)) \
+ "\\s. ptes_of s pt_t p \ None \ P ((ptes_of s pt_t)(p \ pte)) \
 store_pte pt_t p pte
 \\_ s. P (ptes_of s pt_t)\"
 by (wpsimp wp: store_pte_ptes_of_full simp: fun_upd2_def simp_del: fun_upd_apply)
@@ -670,7 +670,7 @@ lemma store_pte_non_PageTablePTE_vs_lookup:
 lemma store_pte_not_ao:
 "\\s. \pt. aobjs_of s (table_base pt_t p) = Some (PageTable pt) \
- P (aobjs_of s (table_base pt_t p \ PageTable (pt_upd pt (table_index pt_t p) pte)))\
+ P ((aobjs_of s)(table_base pt_t p \ PageTable (pt_upd pt (table_index pt_t p) pte)))\
 store_pte pt_t p pte
 \\_ s. P (aobjs_of s)\"
 unfolding store_pte_def set_pt_def
@@ -956,20 +956,20 @@ crunch device_state_inv: storeWord "\ms. P (device_state ms)"
 (* some hyp_ref invariants *)
 lemma state_hyp_refs_of_ep_update:
 "\s ep val. typ_at AEndpoint ep s \
- state_hyp_refs_of (s\kheap := kheap s(ep \ Endpoint val)\) = state_hyp_refs_of s"
+ state_hyp_refs_of (s\kheap := (kheap s)(ep \ Endpoint val)\) = state_hyp_refs_of s"
 apply (rule all_ext)
 apply (clarsimp simp add: state_hyp_refs_of_def obj_at_def hyp_refs_of_def)
 done
 lemma state_hyp_refs_of_ntfn_update:
 "\s ep val. typ_at ANTFN ep s \
- state_hyp_refs_of (s\kheap := kheap s(ep \ Notification val)\) = state_hyp_refs_of s"
+ state_hyp_refs_of (s\kheap := (kheap s)(ep \ Notification val)\) = state_hyp_refs_of s"
 apply (rule all_ext)
 apply (clarsimp simp add: state_hyp_refs_of_def obj_at_def hyp_refs_of_def)
 done
 lemma state_hyp_refs_of_tcb_bound_ntfn_update:
 "kheap s t = Some (TCB tcb) \
- state_hyp_refs_of (s\kheap := kheap s(t \ TCB (tcb\tcb_bound_notification := ntfn\))\)
+ state_hyp_refs_of (s\kheap := (kheap s)(t \ TCB (tcb\tcb_bound_notification := ntfn\))\)
 = state_hyp_refs_of s"
 apply (rule all_ext)
 apply (clarsimp simp add: state_hyp_refs_of_def obj_at_def split: option.splits)
@@ -977,7 +977,7 @@ lemma state_hyp_refs_of_tcb_bound_ntfn_update:
 lemma state_hyp_refs_of_tcb_state_update:
 "kheap s t = Some (TCB tcb) \
- state_hyp_refs_of (s\kheap := kheap s(t \ TCB (tcb\tcb_state := ts\))\)
+ state_hyp_refs_of (s\kheap := (kheap s)(t \ TCB (tcb\tcb_state := ts\))\)
 = state_hyp_refs_of s"
 apply (rule all_ext)
 apply (clarsimp simp add: state_hyp_refs_of_def obj_at_def split: option.splits)
@@ -1001,12 +1001,12 @@ lemma default_tcb_not_live[simp]: "\ live (TCB default_tcb)"
 lemma valid_vcpu_same_type:
 "\ valid_vcpu v s; kheap s p = Some ko; a_type k = a_type ko \
- \ valid_vcpu v (s\kheap := kheap s(p \ k)\)"
+ \ valid_vcpu v (s\kheap := (kheap s)(p \ k)\)"
 by (cases v; case_tac vcpu_tcb; clarsimp simp: valid_vcpu_def typ_at_same_type)
 lemma valid_arch_tcb_same_type:
 "\ valid_arch_tcb t s; valid_obj p k s; kheap s p = Some ko; a_type k = a_type ko \
- \ valid_arch_tcb t (s\kheap := kheap s(p \ k)\)"
+ \ valid_arch_tcb t (s\kheap := (kheap s)(p \ k)\)"
 by (auto simp: valid_arch_tcb_def obj_at_def)
@@ -1027,14 +1027,14 @@ lemma valid_arch_mdb_lift:
 (* interface lemma *)
 lemma arch_valid_obj_same_type:
 "\ arch_valid_obj ao s; kheap s p = Some ko; a_type k = a_type ko \
- \ arch_valid_obj ao (s\kheap := kheap s(p \ k)\)"
+ \ arch_valid_obj ao (s\kheap := (kheap s)(p \ k)\)"
 apply (cases ao; simp)
 apply (fastforce simp: valid_vcpu_def obj_at_def split: option.splits)
 done
 lemma valid_vspace_obj_same_type:
 "\valid_vspace_obj l ao s; kheap s p = Some ko; a_type ko' = a_type ko\
- \ valid_vspace_obj l ao (s\kheap := kheap s(p \ ko')\)"
+ \ valid_vspace_obj l ao (s\kheap := (kheap s)(p \ ko')\)"
 apply (rule hoare_to_pure_kheap_upd[OF valid_vspace_obj_typ])
 by (auto simp: obj_at_def)
diff --git a/proof/invariant-abstract/AARCH64/ArchVCPU_AI.thy b/proof/invariant-abstract/AARCH64/ArchVCPU_AI.thy
index 91d376d8ff..d64c744f1c 100644
--- a/proof/invariant-abstract/AARCH64/ArchVCPU_AI.thy
+++ b/proof/invariant-abstract/AARCH64/ArchVCPU_AI.thy
@@ -76,7 +76,7 @@ crunches do_machine_op
 (wp: valid_cur_vcpu_lift_cur_thread_update valid_cur_vcpu_lift crunch_wps)
 lemma valid_cur_vcpu_vcpu_update[simp]:
- "vcpu_at v s \ valid_cur_vcpu (s\kheap := kheap s(v \ ArchObj (VCPU vcpu))\) = valid_cur_vcpu s"
+ "vcpu_at v s \ valid_cur_vcpu (s\kheap := (kheap s)(v \ ArchObj (VCPU vcpu))\) = valid_cur_vcpu s"
 by (clarsimp simp: valid_cur_vcpu_def active_cur_vcpu_of_def pred_tcb_at_def obj_at_def)
 crunches vcpu_save_reg, vcpu_write_reg, save_virt_timer, vgic_update, vcpu_disable
diff --git a/proof/invariant-abstract/AARCH64/ArchVSpace_AI.thy b/proof/invariant-abstract/AARCH64/ArchVSpace_AI.thy
index f2da935538..76d2dad7f1 100644
--- a/proof/invariant-abstract/AARCH64/ArchVSpace_AI.thy
+++ b/proof/invariant-abstract/AARCH64/ArchVSpace_AI.thy
@@ -250,14 +250,14 @@ crunches vgic_update_lr, vcpu_write_reg, vcpu_save_reg, vcpu_disable, vcpu_resto
 (ignore: vcpu_update simp: vcpu_update_def valid_vcpu_def wp: crunch_wps)
 lemma set_vcpu_wp:
- "\\s. vcpu_at p s \ Q (s\kheap := kheap s(p \ (ArchObj (VCPU vcpu))) \) \ set_vcpu p vcpu \\_. Q\"
+ "\\s. vcpu_at p s \ Q (s\kheap := (kheap s)(p \ (ArchObj (VCPU vcpu))) \) \ set_vcpu p vcpu \\_. Q\"
 unfolding set_vcpu_def
 apply (wp set_object_wp_strong)
 apply (clarsimp simp: obj_at_def split: kernel_object.splits arch_kernel_obj.splits)
 done
 lemma set_vcpu_vcpus_of[wp]:
- "\\s. vcpus_of s p \ None \ P (vcpus_of s (p \ vcpu)) \ set_vcpu p vcpu \\_ s. P (vcpus_of s)\"
+ "\\s. vcpus_of s p \ None \ P ((vcpus_of s)(p \ vcpu)) \ set_vcpu p vcpu \\_ s. P (vcpus_of s)\"
 by (wp set_vcpu_wp) (clarsimp simp: in_omonad obj_at_def)
 lemma get_vcpu_wp:
@@ -680,8 +680,8 @@ lemma vmid_for_asid_upd_eq: \ (\asid'. vmid_for_asid_2 asid' (asid_table s) - (asid_pools_of s(pool_ptr \ ap(asid_low_bits_of asid \ - ASIDPoolVSpace vmid vsp)))) + ((asid_pools_of s)(pool_ptr \ ap(asid_low_bits_of asid \ + ASIDPoolVSpace vmid vsp)))) = (vmid_for_asid s) (asid := vmid)" apply (rule ext) apply (clarsimp simp: vmid_for_asid_2_def entry_for_pool_def pool_for_asid_def obind_def @@ -2147,7 +2147,7 @@ end locale asid_pool_map = Arch + fixes s ap pool asid ptp pt and s' :: "'a::state_ext state" - defines "s' \ s\kheap := kheap s(ap \ ArchObj (ASIDPool (pool(asid_low_bits_of asid \ ptp))))\" + defines "s' \ s\kheap := (kheap s)(ap \ ArchObj (ASIDPool (pool(asid_low_bits_of asid \ ptp))))\" assumes ap: "asid_pools_of s ap = Some pool" assumes new: "pool (asid_low_bits_of asid) = None" assumes pt: "pts_of s (ap_vspace ptp) = Some pt" @@ -2386,7 +2386,7 @@ lemma vmid_for_asid_map_None: "\ asid_pools_of s ap = Some pool; pool_for_asid asid s = Some ap; pool (asid_low_bits_of asid) = None; ap_vmid ape = None \ \ (\asid'. vmid_for_asid_2 asid' (asid_table s) - (asid_pools_of s(ap \ pool(asid_low_bits_of asid \ ape)))) = + ((asid_pools_of s)(ap \ pool(asid_low_bits_of asid \ ape)))) = vmid_for_asid s" unfolding vmid_for_asid_def apply (rule ext) 
@@ -2765,12 +2765,12 @@ lemma set_vcpu_sym_refs[wp]: apply (clarsimp simp: obj_at_def) done -lemma state_hyp_refs_of_simp_neq: "\ a \ p \ \ state_hyp_refs_of (s\kheap := kheap s(p \ v) \) a = state_hyp_refs_of s a " +lemma state_hyp_refs_of_simp_neq: "\ a \ p \ \ state_hyp_refs_of (s\kheap := (kheap s)(p \ v) \) a = state_hyp_refs_of s a " by (simp add: state_hyp_refs_of_def) lemma state_hyp_refs_of_simp_eq: "obj_at (\ko'. hyp_refs_of ko' = hyp_refs_of v) p s - \ state_hyp_refs_of (s\kheap := kheap s(p \ v) \) p = state_hyp_refs_of s p" + \ state_hyp_refs_of (s\kheap := (kheap s)(p \ v) \) p = state_hyp_refs_of s p" by (clarsimp simp: state_hyp_refs_of_def obj_at_def) lemma set_object_vcpu_sym_refs_hyp: @@ -2809,11 +2809,11 @@ lemma set_vcpu_valid_pspace: done lemma vmid_inv_set_vcpu: - "vcpu_at p s \ vmid_inv (s\kheap := kheap s(p \ ArchObj (VCPU v))\) = vmid_inv s" + "vcpu_at p s \ vmid_inv (s\kheap := (kheap s)(p \ ArchObj (VCPU v))\) = vmid_inv s" by (simp add: vmid_inv_def asid_pools_of_vcpu_None_upd_idem) lemma pt_at_eq_set_vcpu: - "vcpu_at p s \ pt_at pt_t p' (s\kheap := kheap s(p \ ArchObj (VCPU v))\) = pt_at pt_t p' s" + "vcpu_at p s \ pt_at pt_t p' (s\kheap := (kheap s)(p \ ArchObj (VCPU v))\) = pt_at pt_t p' s" by (auto simp add: obj_at_def) lemma set_vcpu_valid_arch_eq_hyp: @@ -3030,7 +3030,7 @@ crunches save_virt_timer, vcpu_disable, vcpu_invalidate_active, vcpu_restore, vc lemma obj_at_hyp_live_vcpu_regs: "vcpus_of s vcpu_ptr = Some v \ - obj_at hyp_live p (s\kheap := kheap s(vcpu_ptr \ ArchObj (VCPU (v\vcpu_regs := x\)))\) = + obj_at hyp_live p (s\kheap := (kheap s)(vcpu_ptr \ ArchObj (VCPU (v\vcpu_regs := x\)))\) = obj_at hyp_live p s" by (clarsimp simp: in_omonad obj_at_def) diff --git a/proof/invariant-abstract/AInvs.thy b/proof/invariant-abstract/AInvs.thy index 89fdb035fd..b3475cbebd 100644 --- a/proof/invariant-abstract/AInvs.thy +++ b/proof/invariant-abstract/AInvs.thy 
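Review bot: In the `@@ -2765` hunk, `state_hyp_refs_of_simp_neq` keeps its whole statement on the `lemma` line, whereas its sibling `state_hyp_refs_of_simp_eq` directly below (and the other lemmas touched in this file) put the statement on its own indented line. Since the line is being rewritten anyway, it would be a cheap moment to split it as `lemma state_hyp_refs_of_simp_neq:` followed by `"⟦ a ≠ p ⟧ ⟹ state_hyp_refs_of (s⦇kheap := (kheap s)(p ↦ v) ⦈) a = state_hyp_refs_of s a"`. Purely a layout point; the parenthesisation change itself matches the pattern used everywhere else in the commit.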
@@ -14,7 +14,7 @@ begin lemma st_tcb_at_nostate_upd: "\ get_tcb t s = Some y; tcb_state y = tcb_state y' \ \ - st_tcb_at P t' (s \kheap := kheap s(t \ TCB y')\) = st_tcb_at P t' s" + st_tcb_at P t' (s \kheap := (kheap s)(t \ TCB y')\) = st_tcb_at P t' s" by (clarsimp simp add: pred_tcb_at_def obj_at_def dest!: get_tcb_SomeD) lemma pred_tcb_at_upd_apply: diff --git a/proof/invariant-abstract/ARM/ArchAcc_AI.thy b/proof/invariant-abstract/ARM/ArchAcc_AI.thy index f37223aaae..344ea952eb 100644 --- a/proof/invariant-abstract/ARM/ArchAcc_AI.thy +++ b/proof/invariant-abstract/ARM/ArchAcc_AI.thy @@ -1171,7 +1171,7 @@ lemma valid_objs_caps: lemma simpler_set_pt_def: "set_pt p pt = (\s. if \pt. kheap s p = Some (ArchObj (PageTable pt)) then - ({((), s\kheap := kheap s(p \ ArchObj (PageTable pt))\)}, False) + ({((), s\kheap := (kheap s)(p \ ArchObj (PageTable pt))\)}, False) else ({}, True))" apply (rule ext) apply (clarsimp simp: set_pt_def set_object_def get_object_def assert_def @@ -1188,7 +1188,7 @@ lemma simpler_set_pt_def: lemma valid_set_ptI: "(!!s opt. \P s; kheap s p = Some (ArchObj (PageTable opt))\ - \ Q () (s\kheap := kheap s(p \ ArchObj (PageTable pt))\)) + \ Q () (s\kheap := (kheap s)(p \ ArchObj (PageTable pt))\)) \ \P\ set_pt p pt \Q\" by (rule validI) (clarsimp simp: simpler_set_pt_def split: if_split_asm) @@ -1476,7 +1476,7 @@ lemma valid_machine_stateE: lemma in_user_frame_same_type_upd: "\typ_at type p s; type = a_type obj; in_user_frame q s\ - \ in_user_frame q (s\kheap := kheap s(p \ obj)\)" + \ in_user_frame q (s\kheap := (kheap s)(p \ obj)\)" apply (clarsimp simp: in_user_frame_def obj_at_def) apply (rule_tac x=sz in exI) apply (auto simp: a_type_simps) 
@@ -1484,7 +1484,7 @@ lemma in_user_frame_same_type_upd: lemma in_device_frame_same_type_upd: "\typ_at type p s; type = a_type obj ; in_device_frame q s\ - \ in_device_frame q (s\kheap := kheap s(p \ obj)\)" + \ in_device_frame q (s\kheap := (kheap s)(p \ obj)\)" apply (clarsimp simp: in_device_frame_def obj_at_def) apply (rule_tac x=sz in exI) apply (auto simp: a_type_simps) @@ -1522,7 +1522,7 @@ lemma valid_machine_state_heap_updI: assumes vm : "valid_machine_state s" assumes tyat : "typ_at type p s" shows - " a_type obj = type \ valid_machine_state (s\kheap := kheap s(p \ obj)\)" + " a_type obj = type \ valid_machine_state (s\kheap := (kheap s)(p \ obj)\)" apply (clarsimp simp: valid_machine_state_def) subgoal for p apply (rule valid_machine_stateE[OF vm,where p = p]) @@ -1861,7 +1861,7 @@ lemma valid_pde_typ_at: lemma valid_vspace_obj_same_type: "\valid_vspace_obj ao s; kheap s p = Some ko; a_type ko' = a_type ko\ - \ valid_vspace_obj ao (s\kheap := kheap s(p \ ko')\)" + \ valid_vspace_obj ao (s\kheap := (kheap s)(p \ ko')\)" apply (rule hoare_to_pure_kheap_upd[OF valid_vspace_obj_typ]) by (auto simp: obj_at_def) diff --git a/proof/invariant-abstract/ARM/ArchArch_AI.thy b/proof/invariant-abstract/ARM/ArchArch_AI.thy index c217b7e022..bb75b1b66f 100644 --- a/proof/invariant-abstract/ARM/ArchArch_AI.thy +++ b/proof/invariant-abstract/ARM/ArchArch_AI.thy @@ -19,7 +19,7 @@ definition cte_wp_at (\cap. \idx. cap = cap.UntypedCap False frame pageBits idx ) parent s \ descendants_of parent (cdt s) = {} \ is_aligned base asid_low_bits \ base \ 2^asid_bits - 1 \ - arm_asid_table (arch_state s) (asid_high_bits_of base) = None" + asid_table s (asid_high_bits_of base) = None" lemma safe_parent_strg: 
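Review bot: In the `ARM/ArchArch_AI.thy` hunk at `@@ -19,7 +19,7 @@ definition`, the definition body is changed from `arm_asid_table (arch_state s) (asid_high_bits_of base) = None` to `asid_table s (asid_high_bits_of base) = None`, which is more than the parenthesisation fix the rest of the commit applies. Whether this is purely cosmetic depends on whether `asid_table` is an abbreviation for `arm_asid_table ∘ arch_state` or a constant with its own defining equation; that is not visible here. If it is the latter, any proof that unfolds this definition and then rewrites with `arm_asid_table` facts may additionally need `asid_table_def`, so it is worth confirming the ARM session still builds with no extra simp rules. The definition starts outside the hunk.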
@@ -270,8 +270,8 @@ end locale asid_update = Arch + fixes ap asid s s' assumes ko: "ko_at (ArchObj (ASIDPool Map.empty)) ap s" - assumes empty: "arm_asid_table (arch_state s) asid = None" - defines "s' \ s\arch_state := arch_state s\arm_asid_table := arm_asid_table (arch_state s)(asid \ ap)\\" + assumes empty: "asid_table s asid = None" + defines "s' \ s\arch_state := arch_state s\arm_asid_table := (asid_table s)(asid \ ap)\\" begin lemma vs_lookup1' [simp]: @@ -286,7 +286,7 @@ lemma vs_lookup_pages1' [simp]: lemma vs_asid_refs' [simp]: "vs_asid_refs (arm_asid_table (arch_state s')) = - vs_asid_refs (arm_asid_table (arch_state s)) \ {([VSRef (ucast asid) None], ap)}" + vs_asid_refs (asid_table s) \ {([VSRef (ucast asid) None], ap)}" apply (simp add: s'_def) apply (rule set_eqI) apply (rule iffI) @@ -401,8 +401,8 @@ end context Arch begin global_naming ARM lemma valid_arch_state_strg: - "valid_arch_state s \ ap \ ran (arm_asid_table (arch_state s)) \ asid_pool_at ap s \ - valid_arch_state (s\arch_state := arch_state s\arm_asid_table := arm_asid_table (arch_state s)(asid \ ap)\\)" + "valid_arch_state s \ ap \ ran (asid_table s) \ asid_pool_at ap s \ + valid_arch_state (s\arch_state := arch_state s\arm_asid_table := (asid_table s)(asid \ ap)\\)" apply (clarsimp simp: valid_arch_state_def) apply (clarsimp simp: valid_asid_table_def ran_def) apply (fastforce intro!: inj_on_fun_updI) 
@@ -412,11 +412,11 @@ lemma valid_arch_state_strg: lemma valid_vs_lookup_at_upd_strg: "valid_vs_lookup s \ ko_at (ArchObj (ASIDPool Map.empty)) ap s \ - arm_asid_table (arch_state s) asid = None \ + asid_table s asid = None \ (\ptr cap. caps_of_state s ptr = Some cap \ ap \ obj_refs cap \ vs_cap_ref cap = Some [VSRef (ucast asid) None]) \ - valid_vs_lookup (s\arch_state := arch_state s\arm_asid_table := arm_asid_table (arch_state s)(asid \ ap)\\)" + valid_vs_lookup (s\arch_state := arch_state s\arm_asid_table := (asid_table s)(asid \ ap)\\)" apply clarsimp apply (subgoal_tac "asid_update ap asid s") prefer 2 @@ -489,7 +489,7 @@ lemma valid_table_caps_asid_upd [iff]: lemma vs_asid_ref_upd: "([VSRef (ucast (asid_high_bits_of asid')) None] \ ap') - (s\arch_state := arch_state s\arm_asid_table := arm_asid_table (arch_state s)(asid_high_bits_of asid \ ap)\\) + (s\arch_state := arch_state s\arm_asid_table := (asid_table s)(asid_high_bits_of asid \ ap)\\) = (if asid_high_bits_of asid' = asid_high_bits_of asid then ap' = ap else ([VSRef (ucast (asid_high_bits_of asid')) None] \ ap') s)" @@ -498,7 +498,7 @@ lemma vs_asid_ref_upd: lemma vs_asid_ref_eq: "([VSRef (ucast asid) None] \ ap) s - = (arm_asid_table (arch_state s) asid = Some ap)" + = (asid_table s asid = Some ap)" by (fastforce elim: vs_lookup_atE intro: vs_lookup_atI) 
@@ -510,12 +510,12 @@ lemma set_cap_reachable_pg_cap: lemma cap_insert_simple_arch_caps_ap: "\valid_arch_caps and (\s. cte_wp_at (safe_parent_for (cdt s) src cap) src s) and no_cap_to_obj_with_diff_ref cap {dest} - and (\s. arm_asid_table (arch_state s) (asid_high_bits_of asid) = None) + and (\s. asid_table s (asid_high_bits_of asid) = None) and ko_at (ArchObj (ASIDPool Map.empty)) ap and K (cap = ArchObjectCap (ASIDPoolCap ap asid)) \ cap_insert cap src dest \\rv s. valid_arch_caps (s\arch_state := arch_state s - \arm_asid_table := arm_asid_table (arch_state s)(asid_high_bits_of asid \ ap)\\)\" + \arm_asid_table := (asid_table s)(asid_high_bits_of asid \ ap)\\)\" apply (simp add: cap_insert_def update_cdt_def set_cdt_def valid_arch_caps_def set_untyped_cap_as_full_def bind_assoc) apply (strengthen valid_vs_lookup_at_upd_strg) @@ -547,8 +547,8 @@ lemma cap_insert_simple_arch_caps_ap: lemma valid_asid_map_asid_upd_strg: "valid_asid_map s \ ko_at (ArchObj (ASIDPool Map.empty)) ap s \ - arm_asid_table (arch_state s) asid = None \ - valid_asid_map (s\arch_state := arch_state s\arm_asid_table := arm_asid_table (arch_state s)(asid \ ap)\\)" + asid_table s asid = None \ + valid_asid_map (s\arch_state := arch_state s\arm_asid_table := (asid_table s)(asid \ ap)\\)" apply clarsimp apply (subgoal_tac "asid_update ap asid s") prefer 2 @@ -560,8 +560,8 @@ lemma valid_asid_map_asid_upd_strg: lemma valid_vspace_objs_asid_upd_strg: "valid_vspace_objs s \ ko_at (ArchObj (ASIDPool Map.empty)) ap s \ - arm_asid_table (arch_state s) asid = None \ - valid_vspace_objs (s\arch_state := arch_state s\arm_asid_table := arm_asid_table (arch_state s)(asid \ ap)\\)" + asid_table s asid = None \ + valid_vspace_objs (s\arch_state := arch_state s\arm_asid_table := (asid_table s)(asid \ ap)\\)" apply clarsimp apply (subgoal_tac "asid_update ap asid s") prefer 2 
@@ -573,8 +573,8 @@ lemma valid_vspace_objs_asid_upd_strg: lemma valid_global_objs_asid_upd_strg: "valid_global_objs s \ ko_at (ArchObj (arch_kernel_obj.ASIDPool Map.empty)) ap s \ - arm_asid_table (arch_state s) asid = None \ - valid_global_objs (s\arch_state := arch_state s\arm_asid_table := arm_asid_table (arch_state s)(asid \ ap)\\)" + asid_table s asid = None \ + valid_global_objs (s\arch_state := arch_state s\arm_asid_table := (asid_table s)(asid \ ap)\\)" by clarsimp @@ -591,11 +591,11 @@ lemma cap_insert_ap_invs: K (cap = cap.ArchObjectCap (arch_cap.ASIDPoolCap ap asid)) and (\s. \irq \ cap_irqs cap. irq_issued irq s) and ko_at (ArchObj (arch_kernel_obj.ASIDPool Map.empty)) ap and - (\s. ap \ ran (arm_asid_table (arch_state s)) \ - arm_asid_table (arch_state s) (asid_high_bits_of asid) = None)\ + (\s. ap \ ran (asid_table s) \ + asid_table s (asid_high_bits_of asid) = None)\ cap_insert cap src dest \\rv s. invs (s\arch_state := arch_state s - \arm_asid_table := (arm_asid_table \ arch_state) s(asid_high_bits_of asid \ ap)\\)\" + \arm_asid_table := ((arm_asid_table \ arch_state) s)(asid_high_bits_of asid \ ap)\\)\" apply (simp add: invs_def valid_state_def valid_pspace_def) apply (strengthen valid_arch_state_strg valid_asid_map_asid_upd_strg valid_vspace_objs_asid_upd_strg ) 
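Review bot: In `cap_insert_ap_invs` (hunk `@@ -591,11 +591,11`) the precondition is rewritten to `asid_table s`, but the postcondition's record update on the last changed line still spells the same function as `((arm_asid_table ∘ arch_state) s)(asid_high_bits_of asid ↦ ap)`, so one statement now uses both spellings; the `@@ -742,17 +742,17` hunk in the same file has the same mix. Since that line is already being rewritten, `⦇arm_asid_table := (asid_table s)(asid_high_bits_of asid ↦ ap)⦈` would match the form used in `valid_arch_state_strg` and `valid_vs_lookup_at_upd_strg` above, unless the composed form is what the `strengthen`/`simp` steps that follow (outside the hunk) match on, in which case a short comment saying so would save the next reader the same question.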
@@ -742,17 +742,17 @@ proof - K (cap = ArchObjectCap (ASIDPoolCap ap asid)) and (\s. \irq\cap_irqs cap. irq_issued irq s) and ko_at (ArchObj (ASIDPool Map.empty)) ap and - (\s. ap \ ran (arm_asid_table (arch_state s)) \ - arm_asid_table (arch_state s) (asid_high_bits_of asid) = None))\ + (\s. ap \ ran (asid_table s) \ + asid_table s (asid_high_bits_of asid) = None))\ cap_insert cap src dest \\rv s. invs (s\arch_state := arch_state s - \arm_asid_table := (arm_asid_table \ arch_state) s + \arm_asid_table := ((arm_asid_table \ arch_state) s) (asid_high_bits_of asid \ ap)\\) \ Q (s\arch_state := arch_state s - \arm_asid_table := (arm_asid_table \ arch_state) s + \arm_asid_table := ((arm_asid_table \ arch_state) s) (asid_high_bits_of asid \ ap)\\)\" apply (wp cap_insert_ap_invs) apply simp diff --git a/proof/invariant-abstract/ARM/ArchCNodeInv_AI.thy b/proof/invariant-abstract/ARM/ArchCNodeInv_AI.thy index 48e18ca421..bfa6e9deed 100644 --- a/proof/invariant-abstract/ARM/ArchCNodeInv_AI.thy +++ b/proof/invariant-abstract/ARM/ArchCNodeInv_AI.thy @@ -540,7 +540,7 @@ context Arch begin global_naming ARM lemma post_cap_delete_pre_is_final_cap': "\rv s'' rva s''a s. \valid_ioports s; caps_of_state s slot = Some cap; is_final_cap' cap s; cap_cleanup_opt cap \ NullCap\ - \ post_cap_delete_pre (cap_cleanup_opt cap) (caps_of_state s(slot \ NullCap))" + \ post_cap_delete_pre (cap_cleanup_opt cap) ((caps_of_state s)(slot \ NullCap))" apply (clarsimp simp: cap_cleanup_opt_def cte_wp_at_def post_cap_delete_pre_def arch_cap_cleanup_opt_def split: cap.split_asm if_split_asm elim!: ranE dest!: caps_of_state_cteD) diff --git a/proof/invariant-abstract/ARM/ArchCSpacePre_AI.thy b/proof/invariant-abstract/ARM/ArchCSpacePre_AI.thy index 651cda9600..60f531706b 100644 --- a/proof/invariant-abstract/ARM/ArchCSpacePre_AI.thy +++ b/proof/invariant-abstract/ARM/ArchCSpacePre_AI.thy 
@@ -165,7 +165,7 @@ lemma valid_arch_mdb_simple: "\s capa. \valid_arch_mdb (is_original_cap s) (caps_of_state s); is_simple_cap cap; caps_of_state s src = Some capa\ \ valid_arch_mdb ((is_original_cap s) (dest := is_cap_revocable cap capa)) - (caps_of_state s(dest \ cap))" + ((caps_of_state s)(dest \ cap))" by auto lemma valid_arch_mdb_free_index_update: 
@@ -189,34 +189,34 @@ lemma set_untyped_cap_as_full_valid_arch_mdb: lemma valid_arch_mdb_not_arch_cap_update: "\s cap capa. \\is_arch_cap cap; valid_arch_mdb (is_original_cap s) (caps_of_state s)\ \ valid_arch_mdb ((is_original_cap s)(dest := True)) - (caps_of_state s(src \ cap, dest\capa))" + ((caps_of_state s)(src \ cap, dest\capa))" by auto lemma valid_arch_mdb_derived_cap_update: "\s capa. \valid_arch_mdb (is_original_cap s) (caps_of_state s); is_derived (cdt s) src cap capa\ \ valid_arch_mdb ((is_original_cap s)(dest := is_cap_revocable cap capa)) - (caps_of_state s(dest \ cap))" + ((caps_of_state s)(dest \ cap))" by auto lemma valid_arch_mdb_free_index_update': "\s capa. \valid_arch_mdb (is_original_cap s) (caps_of_state s); caps_of_state s src = Some capa; is_untyped_cap cap\ \ valid_arch_mdb ((is_original_cap s) (dest := is_cap_revocable cap capa)) - (caps_of_state s(dest \ cap, src \ max_free_index_update capa))" + ((caps_of_state s)(dest \ cap, src \ max_free_index_update capa))" by auto lemma valid_arch_mdb_weak_derived_update: "\s capa. \valid_arch_mdb (is_original_cap s) (caps_of_state s); caps_of_state s src = Some capa; weak_derived cap capa\ \ valid_arch_mdb ((is_original_cap s) (dest := is_original_cap s src, src := False)) - (caps_of_state s(dest \ cap, src \ NullCap))" + ((caps_of_state s)(dest \ cap, src \ NullCap))" by auto lemma valid_arch_mdb_tcb_cnode_update: "valid_arch_mdb (is_original_cap s) (caps_of_state s) \ valid_arch_mdb ((is_original_cap s) ((t, tcb_cnode_index 2) := True)) - (caps_of_state s((t, tcb_cnode_index 2) \ ReplyCap t True r))" + ((caps_of_state s)((t, tcb_cnode_index 2) \ ReplyCap t True r))" by auto lemmas valid_arch_mdb_updates = valid_arch_mdb_free_index_update valid_arch_mdb_not_arch_cap_update 
@@ -249,10 +249,10 @@ lemma valid_arch_mdb_null_filter: lemma valid_arch_mdb_untypeds: "\s. valid_arch_mdb (is_original_cap s) (caps_of_state s) \ valid_arch_mdb (\x. x \ cref \ is_original_cap s x) - (caps_of_state s(cref \ default_cap tp oref sz dev))" + ((caps_of_state s)(cref \ default_cap tp oref sz dev))" "\s. valid_arch_mdb (is_original_cap s) (caps_of_state s) \ valid_arch_mdb (is_original_cap s) - (caps_of_state s(cref \ UntypedCap dev ptr sz idx))" + ((caps_of_state s)(cref \ UntypedCap dev ptr sz idx))" by auto end diff --git a/proof/invariant-abstract/ARM/ArchCSpace_AI.thy b/proof/invariant-abstract/ARM/ArchCSpace_AI.thy index a9d8aabf81..57dbba4c49 100644 --- a/proof/invariant-abstract/ARM/ArchCSpace_AI.thy +++ b/proof/invariant-abstract/ARM/ArchCSpace_AI.thy @@ -184,20 +184,20 @@ lemma is_derived_is_cap: (* FIXME: move to CSpace_I near lemma vs_lookup1_tcb_update *) lemma vs_lookup_pages1_tcb_update: "kheap s p = Some (TCB t) \ - vs_lookup_pages1 (s\kheap := kheap s(p \ TCB t')\) = vs_lookup_pages1 s" + vs_lookup_pages1 (s\kheap := (kheap s)(p \ TCB t')\) = vs_lookup_pages1 s" by (clarsimp simp: vs_lookup_pages1_def obj_at_def vs_refs_pages_def intro!: set_eqI) (* FIXME: move to CSpace_I near lemma vs_lookup_tcb_update *) lemma vs_lookup_pages_tcb_update: "kheap s p = Some (TCB t) \ - vs_lookup_pages (s\kheap := kheap s(p \ TCB t')\) = vs_lookup_pages s" + vs_lookup_pages (s\kheap := (kheap s)(p \ TCB t')\) = vs_lookup_pages s" by (clarsimp simp add: vs_lookup_pages_def vs_lookup_pages1_tcb_update) (* FIXME: move to CSpace_I near lemma vs_lookup1_cnode_update *) lemma vs_lookup_pages1_cnode_update: "kheap s p = Some (CNode n cs) \ - vs_lookup_pages1 (s\kheap := kheap s(p \ CNode m cs')\) = + vs_lookup_pages1 (s\kheap := (kheap s)(p \ CNode m cs')\) = vs_lookup_pages1 s" by (clarsimp simp: vs_lookup_pages1_def obj_at_def vs_refs_pages_def intro!: set_eqI) 
@@ -205,7 +205,7 @@ lemma vs_lookup_pages1_cnode_update: (* FIXME: move to CSpace_I near lemma vs_lookup_cnode_update *) lemma vs_lookup_pages_cnode_update: "kheap s p = Some (CNode n cs) \ - vs_lookup_pages (s\kheap := kheap s(p \ CNode n cs')\) = vs_lookup_pages s" + vs_lookup_pages (s\kheap := (kheap s)(p \ CNode n cs')\) = vs_lookup_pages s" by (clarsimp simp: vs_lookup_pages_def dest!: vs_lookup_pages1_cnode_update[where m=n and cs'=cs']) diff --git a/proof/invariant-abstract/ARM/ArchFinalise_AI.thy b/proof/invariant-abstract/ARM/ArchFinalise_AI.thy index 9a09ed053b..f0b9d7b2f6 100644 --- a/proof/invariant-abstract/ARM/ArchFinalise_AI.thy +++ b/proof/invariant-abstract/ARM/ArchFinalise_AI.thy @@ -1366,7 +1366,7 @@ lemma set_asid_pool_obj_at_ptr: lemma valid_arch_state_table_strg: "valid_arch_state s \ asid_pool_at p s \ Some p \ arm_asid_table (arch_state s) ` (dom (arm_asid_table (arch_state s)) - {x}) \ - valid_arch_state (s\arch_state := arch_state s\arm_asid_table := arm_asid_table (arch_state s)(x \ p)\\)" + valid_arch_state (s\arch_state := arch_state s\arm_asid_table := (arm_asid_table (arch_state s))(x \ p)\\)" apply (clarsimp simp: valid_arch_state_def valid_asid_table_def ran_def) apply (rule conjI, fastforce) apply (erule inj_on_fun_upd_strongerI) @@ -1399,8 +1399,8 @@ lemma vs_lookup1_arch [simp]: lemma vs_lookup_empty_table: "(rs \ q) - (s\kheap := kheap s(p \ ArchObj (ASIDPool Map.empty)), - arch_state := arch_state s\arm_asid_table := arm_asid_table (arch_state s)(x \ p)\\) \ + (s\kheap := (kheap s)(p \ ArchObj (ASIDPool Map.empty)), + arch_state := arch_state s\arm_asid_table := (arm_asid_table (arch_state s))(x \ p)\\) \ (rs \ q) s \ (rs = [VSRef (ucast x) None] \ q = p)" apply (erule vs_lookupE) apply clarsimp 
@@ -1432,8 +1432,8 @@ lemma vs_lookup_empty_table: lemma vs_lookup_pages_empty_table: "(rs \ q) - (s\kheap := kheap s(p \ ArchObj (ASIDPool Map.empty)), - arch_state := arch_state s\arm_asid_table := arm_asid_table (arch_state s)(x \ p)\\) \ + (s\kheap := (kheap s)(p \ ArchObj (ASIDPool Map.empty)), + arch_state := arch_state s\arm_asid_table := (arm_asid_table (arch_state s))(x \ p)\\) \ (rs \ q) s \ (rs = [VSRef (ucast x) None] \ q = p)" apply (subst (asm) vs_lookup_pages_def) apply (clarsimp simp: Image_def) @@ -1468,7 +1468,7 @@ lemma set_asid_pool_empty_table_objs: set_asid_pool p Map.empty \\rv s. valid_vspace_objs (s\arch_state := arch_state s\arm_asid_table := - arm_asid_table (arch_state s)(asid_high_bits_of word2 \ p)\\)\" + (arm_asid_table (arch_state s))(asid_high_bits_of word2 \ p)\\)\" apply (simp add: set_asid_pool_def set_object_def) apply (wp get_object_wp) apply (clarsimp simp: obj_at_def valid_vspace_objs_def @@ -1493,7 +1493,7 @@ lemma set_asid_pool_empty_table_lookup: set_asid_pool p Map.empty \\rv s. valid_vs_lookup (s\arch_state := arch_state s\arm_asid_table := - arm_asid_table (arch_state s)(asid_high_bits_of base \ p)\\)\" + (arm_asid_table (arch_state s))(asid_high_bits_of base \ p)\\)\" apply (simp add: set_asid_pool_def set_object_def) apply (wp get_object_wp) apply (clarsimp simp: obj_at_def valid_vs_lookup_def @@ -1515,7 +1515,7 @@ lemma set_asid_pool_empty_valid_asid_map: \ (\p'. \ ([VSRef (ucast (asid_high_bits_of base)) None] \ p') s)\ set_asid_pool p Map.empty \\rv s. valid_asid_map (s\arch_state := arch_state s\arm_asid_table := - arm_asid_table (arch_state s)(asid_high_bits_of base \ p)\\)\" + (arm_asid_table (arch_state s))(asid_high_bits_of base \ p)\\)\" apply (simp add: set_asid_pool_def set_object_def) apply (wp get_object_wp) apply (clarsimp simp: valid_asid_map_def vspace_at_asid_def 
@@ -1547,7 +1547,7 @@ lemma set_asid_pool_invs_table: \ (\p'. \ ([VSRef (ucast (asid_high_bits_of base)) None] \ p') s)\ set_asid_pool p Map.empty \\x s. invs (s\arch_state := arch_state s\arm_asid_table := - arm_asid_table (arch_state s)(asid_high_bits_of base \ p)\\)\" + (arm_asid_table (arch_state s))(asid_high_bits_of base \ p)\\)\" apply (simp add: invs_def valid_state_def valid_pspace_def valid_arch_caps_def) apply (rule hoare_pre) apply (wp valid_irq_node_typ set_asid_pool_typ_at diff --git a/proof/invariant-abstract/ARM/ArchIpc_AI.thy b/proof/invariant-abstract/ARM/ArchIpc_AI.thy index b9cd9eea53..dc384972b7 100644 --- a/proof/invariant-abstract/ARM/ArchIpc_AI.thy +++ b/proof/invariant-abstract/ARM/ArchIpc_AI.thy @@ -467,7 +467,7 @@ lemma valid_arch_mdb_cap_swap: \ valid_arch_mdb ((is_original_cap s) (a := is_original_cap s b, b := is_original_cap s a)) - (caps_of_state s(a \ c', b \ c))" + ((caps_of_state s)(a \ c', b \ c))" by auto end diff --git a/proof/invariant-abstract/ARM/ArchKHeap_AI.thy b/proof/invariant-abstract/ARM/ArchKHeap_AI.thy index 4ea13b4a35..6680999a50 100644 --- a/proof/invariant-abstract/ARM/ArchKHeap_AI.thy +++ b/proof/invariant-abstract/ARM/ArchKHeap_AI.thy 
@@ -800,20 +800,20 @@ crunch device_state_inv: storeWord "\ms. P (device_state ms)" (* some hyp_ref invariants *) lemma state_hyp_refs_of_ep_update: "\s ep val. typ_at AEndpoint ep s \ - state_hyp_refs_of (s\kheap := kheap s(ep \ Endpoint val)\) = state_hyp_refs_of s" + state_hyp_refs_of (s\kheap := (kheap s)(ep \ Endpoint val)\) = state_hyp_refs_of s" apply (rule all_ext) apply (clarsimp simp add: ARM.state_hyp_refs_of_def obj_at_def ARM.hyp_refs_of_def) done lemma state_hyp_refs_of_ntfn_update: "\s ep val. typ_at ANTFN ep s \ - state_hyp_refs_of (s\kheap := kheap s(ep \ Notification val)\) = state_hyp_refs_of s" + state_hyp_refs_of (s\kheap := (kheap s)(ep \ Notification val)\) = state_hyp_refs_of s" apply (rule all_ext) apply (clarsimp simp add: ARM.state_hyp_refs_of_def obj_at_def ARM.hyp_refs_of_def) done lemma state_hyp_refs_of_tcb_bound_ntfn_update: "kheap s t = Some (TCB tcb) \ - state_hyp_refs_of (s\kheap := kheap s(t \ TCB (tcb\tcb_bound_notification := ntfn\))\) + state_hyp_refs_of (s\kheap := (kheap s)(t \ TCB (tcb\tcb_bound_notification := ntfn\))\) = state_hyp_refs_of s" apply (rule all_ext) apply (clarsimp simp add: ARM.state_hyp_refs_of_def obj_at_def split: option.splits) @@ -821,7 +821,7 @@ lemma state_hyp_refs_of_tcb_bound_ntfn_update: lemma state_hyp_refs_of_tcb_state_update: "kheap s t = Some (TCB tcb) \ - state_hyp_refs_of (s\kheap := kheap s(t \ TCB (tcb\tcb_state := ts\))\) + state_hyp_refs_of (s\kheap := (kheap s)(t \ TCB (tcb\tcb_state := ts\))\) = state_hyp_refs_of s" apply (rule all_ext) apply (clarsimp simp add: ARM.state_hyp_refs_of_def obj_at_def split: option.splits) @@ -829,7 +829,7 @@ lemma state_hyp_refs_of_tcb_state_update: lemma arch_valid_obj_same_type: "\ arch_valid_obj ao s; kheap s p = Some ko; a_type k = a_type ko \ - \ arch_valid_obj ao (s\kheap := kheap s(p \ k)\)" + \ arch_valid_obj ao (s\kheap := (kheap s)(p \ k)\)" by (induction ao rule: arch_kernel_obj.induct; clarsimp simp: typ_at_same_type) 
@@ -843,7 +843,7 @@ lemma default_tcb_not_live: "\ live (TCB default_tcb)" lemma valid_arch_tcb_same_type: "\ valid_arch_tcb t s; valid_obj p k s; kheap s p = Some ko; a_type k = a_type ko \ - \ valid_arch_tcb t (s\kheap := kheap s(p \ k)\)" + \ valid_arch_tcb t (s\kheap := (kheap s)(p \ k)\)" by (auto simp: valid_arch_tcb_def obj_at_def) lemma valid_ioports_lift: diff --git a/proof/invariant-abstract/ARM/ArchUntyped_AI.thy b/proof/invariant-abstract/ARM/ArchUntyped_AI.thy index ffe81a3d02..b492162a06 100644 --- a/proof/invariant-abstract/ARM/ArchUntyped_AI.thy +++ b/proof/invariant-abstract/ARM/ArchUntyped_AI.thy @@ -421,7 +421,7 @@ proof - Some (ArchObj (PageDirectory pd))" let ?ko' = "ArchObj (PageDirectory (pd(ucast (pde_ptr && mask pd_bits >> 2) := pde)))" - let ?s' = "s\kheap := kheap s(pde_ptr && ~~ mask pd_bits \ ?ko')\" + let ?s' = "s\kheap := (kheap s)(pde_ptr && ~~ mask pd_bits \ ?ko')\" have typ_at: "\T p. typ_at T p s \ typ_at T p ?s'" using pd by (clarsimp simp: obj_at_def a_type_def) diff --git a/proof/invariant-abstract/ARM/ArchVSpace_AI.thy b/proof/invariant-abstract/ARM/ArchVSpace_AI.thy index c9b349a447..23b6cae611 100644 --- a/proof/invariant-abstract/ARM/ArchVSpace_AI.thy +++ b/proof/invariant-abstract/ARM/ArchVSpace_AI.thy @@ -1677,7 +1677,7 @@ end locale vs_lookup_map_some_pdes = Arch + fixes pd pdp s s' S T pd' - defines "s' \ s\kheap := kheap s(pdp \ ArchObj (PageDirectory pd'))\" + defines "s' \ s\kheap := (kheap s)(pdp \ ArchObj (PageDirectory pd'))\" assumes refs: "vs_refs (ArchObj (PageDirectory pd')) = (vs_refs (ArchObj (PageDirectory pd)) - T) \ S" assumes old: "kheap s pdp = Some (ArchObj (PageDirectory pd))" 
@@ -1790,7 +1790,7 @@ lemma set_pd_vspace_objs_map: lemma simpler_set_pd_def: "set_pd p pd = (\s. if \pd. kheap s p = Some (ArchObj (PageDirectory pd)) - then ({((), s\kheap := kheap s(p \ ArchObj (PageDirectory pd))\)}, + then ({((), s\kheap := (kheap s)(p \ ArchObj (PageDirectory pd))\)}, False) else ({}, True))" apply (rule ext) @@ -1847,7 +1847,7 @@ lemma set_pd_valid_vs_lookup_map: apply (drule vs_lookup_pages_apI) apply (simp split: if_split_asm) apply (simp+)[2] - apply (frule_tac s="s\kheap := kheap s(p \ ArchObj (PageDirectory pd))\" + apply (frule_tac s="s\kheap := (kheap s)(p \ ArchObj (PageDirectory pd))\" in vs_lookup_pages_pdI[rotated -1]) apply (simp del: fun_upd_apply)+ apply (frule vs_lookup_pages_apI) @@ -2760,8 +2760,8 @@ lemma simpler_store_pde_def: "store_pde p pde s = (case kheap s (p && ~~ mask pd_bits) of Some (ArchObj (PageDirectory pd)) => - ({((), s\kheap := (kheap s((p && ~~ mask pd_bits) \ - (ArchObj (PageDirectory (pd(ucast (p && mask pd_bits >> 2) := pde))))))\)}, False) + ({((), s\kheap := (kheap s)(p && ~~ mask pd_bits \ + ArchObj (PageDirectory (pd(ucast (p && mask pd_bits >> 2) := pde))))\)}, False) | _ => ({}, True))" by (auto simp: store_pde_def simpler_set_pd_def get_object_def simpler_gets_def assert_def return_def fail_def set_object_def get_def put_def bind_def get_pd_def @@ -2770,7 +2770,7 @@ lemma simpler_store_pde_def: lemma pde_update_valid_vspace_objs: "[|valid_vspace_objs s; valid_pde pde s; pde_ref pde = None; kheap s (p && ~~ mask pd_bits) = Some (ArchObj (PageDirectory pd))|] ==> valid_vspace_objs - (s\kheap := kheap s(p && ~~ mask pd_bits \ ArchObj (PageDirectory (pd(ucast (p && mask pd_bits >> 2) := pde))))\)" + (s\kheap := (kheap s)(p && ~~ mask pd_bits \ ArchObj (PageDirectory (pd(ucast (p && mask pd_bits >> 2) := pde))))\)" apply (cut_tac pde=pde and p=p in store_pde_vspace_objs_unmap) apply (clarsimp simp: valid_def) apply (erule allE[where x=s]) 
@@ -4547,8 +4547,7 @@ end locale asid_pool_map = Arch + fixes s ap pool asid pdp pd s' defines "(s' :: ('a::state_ext) state) \ - s\kheap := kheap s(ap \ ArchObj (ASIDPool - (pool(asid \ pdp))))\" + s\kheap := (kheap s)(ap \ ArchObj (ASIDPool (pool(asid \ pdp))))\" assumes ap: "kheap s ap = Some (ArchObj (ASIDPool pool))" assumes new: "pool asid = None" assumes pd: "kheap s pdp = Some (ArchObj (PageDirectory pd))" diff --git a/proof/invariant-abstract/ARM_HYP/ArchAcc_AI.thy b/proof/invariant-abstract/ARM_HYP/ArchAcc_AI.thy index e879c59a66..1bd1e8f52c 100644 --- a/proof/invariant-abstract/ARM_HYP/ArchAcc_AI.thy +++ b/proof/invariant-abstract/ARM_HYP/ArchAcc_AI.thy @@ -1259,7 +1259,7 @@ lemma valid_objs_caps: lemma simpler_set_pt_def: "set_pt p pt = (\s. if \pt. kheap s p = Some (ArchObj (PageTable pt)) then - ({((), s\kheap := kheap s(p \ ArchObj (PageTable pt))\)}, False) + ({((), s\kheap := (kheap s)(p \ ArchObj (PageTable pt))\)}, False) else ({}, True))" apply (rule ext) apply (clarsimp simp: set_pt_def set_object_def get_object_def assert_def @@ -1275,7 +1275,7 @@ lemma simpler_set_pt_def: lemma valid_set_ptI: "(!!s opt. \P s; kheap s p = Some (ArchObj (PageTable opt))\ - \ Q () (s\kheap := kheap s(p \ ArchObj (PageTable pt))\)) + \ Q () (s\kheap := (kheap s)(p \ ArchObj (PageTable pt))\)) \ \P\ set_pt p pt \Q\" by (rule validI) (clarsimp simp: simpler_set_pt_def split: if_split_asm) @@ -1582,7 +1582,7 @@ lemma valid_machine_stateE: lemma in_user_frame_same_type_upd: "\typ_at type p s; type = a_type obj; in_user_frame q s\ - \ in_user_frame q (s\kheap := kheap s(p \ obj)\)" + \ in_user_frame q (s\kheap := (kheap s)(p \ obj)\)" apply (clarsimp simp: in_user_frame_def obj_at_def) apply (rule_tac x=sz in exI) apply (auto simp: a_type_simps) 
@@ -1590,7 +1590,7 @@ lemma in_user_frame_same_type_upd: lemma in_device_frame_same_type_upd: "\typ_at type p s; type = a_type obj ; in_device_frame q s\ - \ in_device_frame q (s\kheap := kheap s(p \ obj)\)" + \ in_device_frame q (s\kheap := (kheap s)(p \ obj)\)" apply (clarsimp simp: in_device_frame_def obj_at_def) apply (rule_tac x=sz in exI) apply (auto simp: a_type_simps) @@ -1628,7 +1628,7 @@ lemma valid_machine_state_heap_updI: assumes vm : "valid_machine_state s" assumes tyat : "typ_at type p s" shows - " a_type obj = type \ valid_machine_state (s\kheap := kheap s(p \ obj)\)" + " a_type obj = type \ valid_machine_state (s\kheap := (kheap s)(p \ obj)\)" apply (clarsimp simp: valid_machine_state_def) subgoal for p apply (rule valid_machine_stateE[OF vm,where p = p]) @@ -1933,7 +1933,7 @@ lemma set_asid_pool_vspace_objs_unmap': lemma valid_vspace_obj_same_type: "\valid_vspace_obj ao s; kheap s p = Some ko; a_type ko' = a_type ko\ - \ valid_vspace_obj ao (s\kheap := kheap s(p \ ko')\)" + \ valid_vspace_obj ao (s\kheap := (kheap s)(p \ ko')\)" apply (rule hoare_to_pure_kheap_upd[OF valid_vspace_obj_typ]) by (auto simp: obj_at_def) diff --git a/proof/invariant-abstract/ARM_HYP/ArchArch_AI.thy b/proof/invariant-abstract/ARM_HYP/ArchArch_AI.thy index e3b292e5f8..fef2a435b3 100644 --- a/proof/invariant-abstract/ARM_HYP/ArchArch_AI.thy +++ b/proof/invariant-abstract/ARM_HYP/ArchArch_AI.thy @@ -295,7 +295,7 @@ locale asid_update = Arch + fixes ap asid s s' assumes ko: "ko_at (ArchObj (ASIDPool Map.empty)) ap s" assumes empty: "arm_asid_table (arch_state s) asid = None" - defines "s' \ s\arch_state := arch_state s\arm_asid_table := arm_asid_table (arch_state s)(asid \ ap)\\" + defines "s' \ s\arch_state := arch_state s\arm_asid_table := (arm_asid_table (arch_state s))(asid \ ap)\\" context asid_update begin 
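Review bot: In the `ARM_HYP/ArchArch_AI.thy` hunk for locale `asid_update`, the `defines` line keeps `arm_asid_table (arch_state s)`, whereas the otherwise identical locale in `ARM/ArchArch_AI.thy` earlier in this commit was switched to `asid_table s`; the `valid_arch_state_strg`, `valid_vs_lookup_at_upd_strg` and `vs_asid_ref_upd` hunks that follow for ARM_HYP diverge from their ARM counterparts in the same way. If ARM_HYP does not provide an `asid_table` abbreviation this is the only option, but if it does, applying the same spelling here would keep the two architectures' proof text aligned and make future cross-architecture diffs cleaner. The locale header is visible but its remaining assumptions continue outside the hunk.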
@@ -419,7 +419,7 @@ context Arch begin global_naming ARM_HYP lemma valid_arch_state_strg: "valid_arch_state s \ ap \ ran (arm_asid_table (arch_state s)) \ asid_pool_at ap s \ - valid_arch_state (s\arch_state := arch_state s\arm_asid_table := arm_asid_table (arch_state s)(asid \ ap)\\)" + valid_arch_state (s\arch_state := arch_state s\arm_asid_table := (arm_asid_table (arch_state s))(asid \ ap)\\)" apply (clarsimp simp: valid_arch_state_def split: option.split) apply (clarsimp simp: valid_asid_table_def ran_def) apply (fastforce intro!: inj_on_fun_updI) @@ -433,7 +433,7 @@ lemma valid_vs_lookup_at_upd_strg: (\ptr cap. caps_of_state s ptr = Some cap \ ap \ obj_refs cap \ vs_cap_ref cap = Some [VSRef (ucast asid) None]) \ - valid_vs_lookup (s\arch_state := arch_state s\arm_asid_table := arm_asid_table (arch_state s)(asid \ ap)\\)" + valid_vs_lookup (s\arch_state := arch_state s\arm_asid_table := (arm_asid_table (arch_state s))(asid \ ap)\\)" apply clarsimp apply (subgoal_tac "asid_update ap asid s") prefer 2 @@ -506,7 +506,7 @@ lemma valid_table_caps_asid_upd [iff]: lemma vs_asid_ref_upd: "([VSRef (ucast (asid_high_bits_of asid')) None] \ ap') - (s\arch_state := arch_state s\arm_asid_table := arm_asid_table (arch_state s)(asid_high_bits_of asid \ ap)\\) + (s\arch_state := arch_state s\arm_asid_table := (arm_asid_table (arch_state s))(asid_high_bits_of asid \ ap)\\) = (if asid_high_bits_of asid' = asid_high_bits_of asid then ap' = ap else ([VSRef (ucast (asid_high_bits_of asid')) None] \ ap') s)" 
@@ -532,7 +532,7 @@ lemma cap_insert_simple_arch_caps_ap: and K (cap = ArchObjectCap (ASIDPoolCap ap asid)) \ cap_insert cap src dest \\rv s. valid_arch_caps (s\arch_state := arch_state s - \arm_asid_table := arm_asid_table (arch_state s)(asid_high_bits_of asid \ ap)\\)\" + \arm_asid_table := (arm_asid_table (arch_state s))(asid_high_bits_of asid \ ap)\\)\" apply (simp add: cap_insert_def update_cdt_def set_cdt_def valid_arch_caps_def set_untyped_cap_as_full_def bind_assoc) apply (strengthen valid_vs_lookup_at_upd_strg) @@ -565,7 +565,7 @@ lemma valid_asid_map_asid_upd_strg: "valid_asid_map s \ ko_at (ArchObj (ASIDPool Map.empty)) ap s \ arm_asid_table (arch_state s) asid = None \ - valid_asid_map (s\arch_state := arch_state s\arm_asid_table := arm_asid_table (arch_state s)(asid \ ap)\\)" + valid_asid_map (s\arch_state := arch_state s\arm_asid_table := (arm_asid_table (arch_state s))(asid \ ap)\\)" apply clarsimp apply (subgoal_tac "asid_update ap asid s") prefer 2 @@ -578,7 +578,7 @@ lemma valid_vspace_objs_asid_upd_strg: "valid_vspace_objs s \ ko_at (ArchObj (ASIDPool Map.empty)) ap s \ arm_asid_table (arch_state s) asid = None \ - valid_vspace_objs (s\arch_state := arch_state s\arm_asid_table := arm_asid_table (arch_state s)(asid \ ap)\\)" + valid_vspace_objs (s\arch_state := arch_state s\arm_asid_table := (arm_asid_table (arch_state s))(asid \ ap)\\)" apply clarsimp apply (subgoal_tac "asid_update ap asid s") prefer 2 @@ -604,7 +604,7 @@ lemma cap_insert_ap_invs: arm_asid_table (arch_state s) (asid_high_bits_of asid) = None)\ cap_insert cap src dest \\rv s. invs (s\arch_state := arch_state s - \arm_asid_table := (arm_asid_table \ arch_state) s(asid_high_bits_of asid \ ap)\\)\" + \arm_asid_table := ((arm_asid_table \ arch_state) s)(asid_high_bits_of asid \ ap)\\)\" apply (simp add: invs_def valid_state_def valid_pspace_def) apply (strengthen valid_arch_state_strg valid_vspace_objs_asid_upd_strg 
@@ -755,11 +755,11 @@ proof - \\rv s. invs (s\arch_state := arch_state s - \arm_asid_table := (arm_asid_table \ arch_state) s + \arm_asid_table := ((arm_asid_table \ arch_state) s) (asid_high_bits_of asid \ ap)\\) \ Q (s\arch_state := arch_state s - \arm_asid_table := (arm_asid_table \ arch_state) s + \arm_asid_table := ((arm_asid_table \ arch_state) s) (asid_high_bits_of asid \ ap)\\)\" apply (wp cap_insert_ap_invs) apply simp @@ -872,7 +872,8 @@ qed lemmas aci_invs[wp] = aci_invs'[where Q=\,simplified hoare_post_taut, OF refl refl refl TrueI TrueI TrueI,simplified] lemma obj_at_upd2: - "obj_at P t' (s\kheap := kheap s(t \ v, x \ v')\) = (if t' = x then P v' else obj_at P t' (s\kheap := kheap s(t \ v)\))" + "obj_at P t' (s\kheap := (kheap s)(t \ v, x \ v')\) = + (if t' = x then P v' else obj_at P t' (s\kheap := (kheap s)(t \ v)\))" by (simp add: obj_at_update obj_at_def) lemma vcpu_invalidate_active_hyp_refs_empty[wp]: @@ -942,7 +943,7 @@ lemma ex_nonz_cap_to_vcpu_udpate[simp]: by (simp add: ex_nonz_cap_to_def) lemma caps_of_state_VCPU_update: - "vcpu_at a s \ caps_of_state (s\kheap := kheap s(a \ ArchObj (VCPU b))\) = caps_of_state s" + "vcpu_at a s \ caps_of_state (s\kheap := (kheap s)(a \ ArchObj (VCPU b))\) = caps_of_state s" by (rule ext) (auto simp: caps_of_state_cte_wp_at cte_wp_at_cases obj_at_def) lemma set_vcpu_ex_nonz_cap_to[wp]: @@ -952,7 +953,7 @@ lemma set_vcpu_ex_nonz_cap_to[wp]: done lemma caps_of_state_tcb_arch_update: - "ko_at (TCB y) t' s \ caps_of_state (s\kheap := kheap s(t' \ TCB (y\tcb_arch := f (tcb_arch y)\))\) = caps_of_state s" + "ko_at (TCB y) t' s \ caps_of_state (s\kheap := (kheap s)(t' \ TCB (y\tcb_arch := f (tcb_arch y)\))\) = caps_of_state s" by (rule ext) (auto simp: caps_of_state_cte_wp_at cte_wp_at_cases obj_at_def tcb_cap_cases_def) lemma arch_thread_set_ex_nonz_cap_to[wp]: diff --git a/proof/invariant-abstract/ARM_HYP/ArchCNodeInv_AI.thy b/proof/invariant-abstract/ARM_HYP/ArchCNodeInv_AI.thy index eaa223d09f..44ed01477f 100644 
--- a/proof/invariant-abstract/ARM_HYP/ArchCNodeInv_AI.thy +++ b/proof/invariant-abstract/ARM_HYP/ArchCNodeInv_AI.thy @@ -556,7 +556,7 @@ context Arch begin global_naming ARM_HYP lemma post_cap_delete_pre_is_final_cap': "\rv s'' rva s''a s. \valid_ioports s; caps_of_state s slot = Some cap; is_final_cap' cap s; cap_cleanup_opt cap \ NullCap\ - \ post_cap_delete_pre (cap_cleanup_opt cap) (caps_of_state s(slot \ NullCap))" + \ post_cap_delete_pre (cap_cleanup_opt cap) ((caps_of_state s)(slot \ NullCap))" apply (clarsimp simp: cap_cleanup_opt_def cte_wp_at_def post_cap_delete_pre_def arch_cap_cleanup_opt_def split: cap.split_asm if_split_asm elim!: ranE dest!: caps_of_state_cteD) diff --git a/proof/invariant-abstract/ARM_HYP/ArchCSpacePre_AI.thy b/proof/invariant-abstract/ARM_HYP/ArchCSpacePre_AI.thy index d7eff35935..117d79537e 100644 --- a/proof/invariant-abstract/ARM_HYP/ArchCSpacePre_AI.thy +++ b/proof/invariant-abstract/ARM_HYP/ArchCSpacePre_AI.thy @@ -171,7 +171,7 @@ lemma valid_arch_mdb_simple: "\s capa. \valid_arch_mdb (is_original_cap s) (caps_of_state s); is_simple_cap cap; caps_of_state s src = Some capa\ \ valid_arch_mdb ((is_original_cap s) (dest := is_cap_revocable cap capa)) - (caps_of_state s(dest \ cap))" + ((caps_of_state s)(dest \ cap))" by auto lemma valid_arch_mdb_free_index_update: 
@@ -195,34 +195,34 @@ lemma set_untyped_cap_as_full_valid_arch_mdb: lemma valid_arch_mdb_not_arch_cap_update: "\s cap capa. \\is_arch_cap cap; valid_arch_mdb (is_original_cap s) (caps_of_state s)\ \ valid_arch_mdb ((is_original_cap s)(dest := True)) - (caps_of_state s(src \ cap, dest\capa))" + ((caps_of_state s)(src \ cap, dest\capa))" by auto lemma valid_arch_mdb_derived_cap_update: "\s capa. \valid_arch_mdb (is_original_cap s) (caps_of_state s); is_derived (cdt s) src cap capa\ \ valid_arch_mdb ((is_original_cap s)(dest := is_cap_revocable cap capa)) - (caps_of_state s(dest \ cap))" + ((caps_of_state s)(dest \ cap))" by auto lemma valid_arch_mdb_free_index_update': "\s capa. \valid_arch_mdb (is_original_cap s) (caps_of_state s); caps_of_state s src = Some capa; is_untyped_cap cap\ \ valid_arch_mdb ((is_original_cap s) (dest := is_cap_revocable cap capa)) - (caps_of_state s(dest \ cap, src \ max_free_index_update capa))" + ((caps_of_state s)(dest \ cap, src \ max_free_index_update capa))" by auto lemma valid_arch_mdb_weak_derived_update: "\s capa. \valid_arch_mdb (is_original_cap s) (caps_of_state s); caps_of_state s src = Some capa; weak_derived cap capa\ \ valid_arch_mdb ((is_original_cap s) (dest := is_original_cap s src, src := False)) - (caps_of_state s(dest \ cap, src \ NullCap))" + ((caps_of_state s)(dest \ cap, src \ NullCap))" by auto lemma valid_arch_mdb_tcb_cnode_update: "valid_arch_mdb (is_original_cap s) (caps_of_state s) \ valid_arch_mdb ((is_original_cap s) ((t, tcb_cnode_index 2) := True)) - (caps_of_state s((t, tcb_cnode_index 2) \ ReplyCap t True r))" + ((caps_of_state s)((t, tcb_cnode_index 2) \ ReplyCap t True r))" by auto lemmas valid_arch_mdb_updates = valid_arch_mdb_free_index_update valid_arch_mdb_not_arch_cap_update 
@@ -255,10 +255,10 @@ lemma valid_arch_mdb_null_filter: lemma valid_arch_mdb_untypeds: "\s. valid_arch_mdb (is_original_cap s) (caps_of_state s) \ valid_arch_mdb (\x. x \ cref \ is_original_cap s x) - (caps_of_state s(cref \ default_cap tp oref sz dev))" + ((caps_of_state s)(cref \ default_cap tp oref sz dev))" "\s. valid_arch_mdb (is_original_cap s) (caps_of_state s) \ valid_arch_mdb (is_original_cap s) - (caps_of_state s(cref \ UntypedCap dev ptr sz idx))" + ((caps_of_state s)(cref \ UntypedCap dev ptr sz idx))" by auto diff --git a/proof/invariant-abstract/ARM_HYP/ArchCSpace_AI.thy b/proof/invariant-abstract/ARM_HYP/ArchCSpace_AI.thy index 211db78a86..b0d3ab04b2 100644 --- a/proof/invariant-abstract/ARM_HYP/ArchCSpace_AI.thy +++ b/proof/invariant-abstract/ARM_HYP/ArchCSpace_AI.thy @@ -183,20 +183,20 @@ lemma is_derived_is_cap: (* FIXME: move to CSpace_I near lemma vs_lookup1_tcb_update *) lemma vs_lookup_pages1_tcb_update: "kheap s p = Some (TCB t) \ - vs_lookup_pages1 (s\kheap := kheap s(p \ TCB t')\) = vs_lookup_pages1 s" + vs_lookup_pages1 (s\kheap := (kheap s)(p \ TCB t')\) = vs_lookup_pages1 s" by (clarsimp simp: vs_lookup_pages1_def obj_at_def vs_refs_pages_def intro!: set_eqI) (* FIXME: move to CSpace_I near lemma vs_lookup_tcb_update *) lemma vs_lookup_pages_tcb_update: "kheap s p = Some (TCB t) \ - vs_lookup_pages (s\kheap := kheap s(p \ TCB t')\) = vs_lookup_pages s" + vs_lookup_pages (s\kheap := (kheap s)(p \ TCB t')\) = vs_lookup_pages s" by (clarsimp simp add: vs_lookup_pages_def vs_lookup_pages1_tcb_update) (* FIXME: move to CSpace_I near lemma vs_lookup1_cnode_update *) lemma vs_lookup_pages1_cnode_update: "kheap s p = Some (CNode n cs) \ - vs_lookup_pages1 (s\kheap := kheap s(p \ CNode m cs')\) = + vs_lookup_pages1 (s\kheap := (kheap s)(p \ CNode m cs')\) = vs_lookup_pages1 s" by (clarsimp simp: vs_lookup_pages1_def obj_at_def vs_refs_pages_def intro!: set_eqI) 
@@ -204,7 +204,7 @@ lemma vs_lookup_pages1_cnode_update: (* FIXME: move to CSpace_I near lemma vs_lookup_cnode_update *) lemma vs_lookup_pages_cnode_update: "kheap s p = Some (CNode n cs) \ - vs_lookup_pages (s\kheap := kheap s(p \ CNode n cs')\) = vs_lookup_pages s" + vs_lookup_pages (s\kheap := (kheap s)(p \ CNode n cs')\) = vs_lookup_pages s" by (clarsimp simp: vs_lookup_pages_def dest!: vs_lookup_pages1_cnode_update[where m=n and cs'=cs']) diff --git a/proof/invariant-abstract/ARM_HYP/ArchFinalise_AI.thy b/proof/invariant-abstract/ARM_HYP/ArchFinalise_AI.thy index 71b98056fd..3f17be88cd 100644 --- a/proof/invariant-abstract/ARM_HYP/ArchFinalise_AI.thy +++ b/proof/invariant-abstract/ARM_HYP/ArchFinalise_AI.thy @@ -463,7 +463,7 @@ lemma arch_thread_set_cur_tcb[wp]: "\cur_tcb\ arch_thread_set p lemma cte_wp_at_update_some_tcb: "\kheap s v = Some (TCB tcb) ; tcb_cnode_map tcb = tcb_cnode_map (f tcb)\ - \ cte_wp_at P p (s\kheap := kheap s (v \ TCB (f tcb))\) = cte_wp_at P p s" + \ cte_wp_at P p (s\kheap := (kheap s)(v \ TCB (f tcb))\) = cte_wp_at P p s" apply (clarsimp simp: cte_wp_at_cases2 dest!: get_tcb_SomeD) done @@ -658,7 +658,7 @@ lemma arch_thread_set_valid_objs_vcpu_Some[wp]: lemma sym_refs_update_some_tcb: "\kheap s v = Some (TCB tcb) ; refs_of (TCB tcb) = refs_of (TCB (f tcb))\ - \ sym_refs (state_refs_of (s\kheap := kheap s (v \ TCB (f tcb))\)) = sym_refs (state_refs_of s)" + \ sym_refs (state_refs_of (s\kheap := (kheap s)(v \ TCB (f tcb))\)) = sym_refs (state_refs_of s)" apply (rule_tac f=sym_refs in arg_cong) apply (rule all_ext) apply (clarsimp simp: sym_refs_def state_refs_of_def) 
@@ -706,7 +706,7 @@ lemma vcpu_invalidate_tcbs_inv[wp]: lemma sym_refs_vcpu_None: assumes sym_refs: "sym_refs (state_hyp_refs_of s)" assumes tcb: "ko_at (TCB tcb) t s" "tcb_vcpu (tcb_arch tcb) = Some vr" - shows "sym_refs (state_hyp_refs_of (s\kheap := kheap s(t \ TCB (tcb\tcb_arch := tcb_vcpu_update Map.empty (tcb_arch tcb)\), + shows "sym_refs (state_hyp_refs_of (s\kheap := (kheap s)(t \ TCB (tcb\tcb_arch := tcb_vcpu_update Map.empty (tcb_arch tcb)\), vr \ ArchObj (VCPU (vcpu_tcb_update Map.empty v)))\))" (is "sym_refs (state_hyp_refs_of ?s')") proof - @@ -2109,7 +2109,7 @@ lemma set_asid_pool_obj_at_ptr: lemma valid_arch_state_table_strg: "valid_arch_state s \ asid_pool_at p s \ Some p \ arm_asid_table (arch_state s) ` (dom (arm_asid_table (arch_state s)) - {x}) \ - valid_arch_state (s\arch_state := arch_state s\arm_asid_table := arm_asid_table (arch_state s)(x \ p)\\)" + valid_arch_state (s\arch_state := arch_state s\arm_asid_table := (arm_asid_table (arch_state s))(x \ p)\\)" apply (clarsimp simp: valid_arch_state_def valid_asid_table_def ran_def split: option.split) apply (rule conjI; clarsimp) apply (rule conjI, fastforce) @@ -2142,8 +2142,8 @@ lemma vs_lookup1_arch [simp]: lemma vs_lookup_empty_table: "(rs \ q) - (s\kheap := kheap s(p \ ArchObj (ASIDPool Map.empty)), - arch_state := arch_state s\arm_asid_table := arm_asid_table (arch_state s)(x \ p)\\) \ + (s\kheap := (kheap s)(p \ ArchObj (ASIDPool Map.empty)), + arch_state := arch_state s\arm_asid_table := (arm_asid_table (arch_state s))(x \ p)\\) \ (rs \ q) s \ (rs = [VSRef (ucast x) None] \ q = p)" apply (erule vs_lookupE) apply clarsimp 
@@ -2175,8 +2175,8 @@ lemma vs_lookup_empty_table: lemma vs_lookup_pages_empty_table: "(rs \ q) - (s\kheap := kheap s(p \ ArchObj (ASIDPool Map.empty)), - arch_state := arch_state s\arm_asid_table := arm_asid_table (arch_state s)(x \ p)\\) \ + (s\kheap := (kheap s)(p \ ArchObj (ASIDPool Map.empty)), + arch_state := arch_state s\arm_asid_table := (arm_asid_table (arch_state s))(x \ p)\\) \ (rs \ q) s \ (rs = [VSRef (ucast x) None] \ q = p)" apply (subst (asm) vs_lookup_pages_def) apply (clarsimp simp: Image_def) @@ -2211,7 +2211,7 @@ lemma set_asid_pool_empty_table_objs: set_asid_pool p Map.empty \\rv s. valid_vspace_objs (s\arch_state := arch_state s\arm_asid_table := - arm_asid_table (arch_state s)(asid_high_bits_of word2 \ p)\\)\" + (arm_asid_table (arch_state s))(asid_high_bits_of word2 \ p)\\)\" apply (simp add: set_asid_pool_def set_object_def) apply (wp get_object_wp) apply (clarsimp simp: obj_at_def valid_vspace_objs_def @@ -2236,7 +2236,7 @@ lemma set_asid_pool_empty_table_lookup: set_asid_pool p Map.empty \\rv s. valid_vs_lookup (s\arch_state := arch_state s\arm_asid_table := - arm_asid_table (arch_state s)(asid_high_bits_of base \ p)\\)\" + (arm_asid_table (arch_state s))(asid_high_bits_of base \ p)\\)\" apply (simp add: set_asid_pool_def set_object_def) apply (wp get_object_wp) apply (clarsimp simp: obj_at_def valid_vs_lookup_def @@ -2258,7 +2258,7 @@ lemma set_asid_pool_empty_valid_asid_map: \ (\p'. \ ([VSRef (ucast (asid_high_bits_of base)) None] \ p') s)\ set_asid_pool p Map.empty \\rv s. valid_asid_map (s\arch_state := arch_state s\arm_asid_table := - arm_asid_table (arch_state s)(asid_high_bits_of base \ p)\\)\" + (arm_asid_table (arch_state s))(asid_high_bits_of base \ p)\\)\" apply (simp add: set_asid_pool_def set_object_def) apply (wp get_object_wp) apply (clarsimp simp: valid_asid_map_def vspace_at_asid_def 
@@ -2290,7 +2290,7 @@ lemma set_asid_pool_invs_table: \ (\p'. \ ([VSRef (ucast (asid_high_bits_of base)) None] \ p') s)\ set_asid_pool p Map.empty \\x s. invs (s\arch_state := arch_state s\arm_asid_table := - arm_asid_table (arch_state s)(asid_high_bits_of base \ p)\\)\" + (arm_asid_table (arch_state s))(asid_high_bits_of base \ p)\\)\" apply (simp add: invs_def valid_state_def valid_pspace_def valid_arch_caps_def) apply (rule hoare_pre) apply (wp valid_irq_node_typ set_asid_pool_typ_at diff --git a/proof/invariant-abstract/ARM_HYP/ArchIpc_AI.thy b/proof/invariant-abstract/ARM_HYP/ArchIpc_AI.thy index a893fa7a99..c3206fe5a9 100644 --- a/proof/invariant-abstract/ARM_HYP/ArchIpc_AI.thy +++ b/proof/invariant-abstract/ARM_HYP/ArchIpc_AI.thy @@ -521,7 +521,7 @@ lemma valid_arch_mdb_cap_swap: \ valid_arch_mdb ((is_original_cap s) (a := is_original_cap s b, b := is_original_cap s a)) - (caps_of_state s(a \ c', b \ c))" + ((caps_of_state s)(a \ c', b \ c))" by auto end diff --git a/proof/invariant-abstract/ARM_HYP/ArchKHeap_AI.thy b/proof/invariant-abstract/ARM_HYP/ArchKHeap_AI.thy index 587289b949..f320a301cc 100644 --- a/proof/invariant-abstract/ARM_HYP/ArchKHeap_AI.thy +++ b/proof/invariant-abstract/ARM_HYP/ArchKHeap_AI.thy 
@@ -674,20 +674,20 @@ crunch device_state_inv: storeWord "\ms. P (device_state ms)" (* some hyp_ref invariants *) lemma state_hyp_refs_of_ep_update: "\s ep val. typ_at AEndpoint ep s \ - state_hyp_refs_of (s\kheap := kheap s(ep \ Endpoint val)\) = state_hyp_refs_of s" + state_hyp_refs_of (s\kheap := (kheap s)(ep \ Endpoint val)\) = state_hyp_refs_of s" apply (rule all_ext) apply (clarsimp simp add: ARM_HYP.state_hyp_refs_of_def obj_at_def ARM_HYP.hyp_refs_of_def) done lemma state_hyp_refs_of_ntfn_update: "\s ep val. typ_at ANTFN ep s \ - state_hyp_refs_of (s\kheap := kheap s(ep \ Notification val)\) = state_hyp_refs_of s" + state_hyp_refs_of (s\kheap := (kheap s)(ep \ Notification val)\) = state_hyp_refs_of s" apply (rule all_ext) apply (clarsimp simp add: ARM_HYP.state_hyp_refs_of_def obj_at_def ARM_HYP.hyp_refs_of_def) done lemma state_hyp_refs_of_tcb_bound_ntfn_update: "kheap s t = Some (TCB tcb) \ - state_hyp_refs_of (s\kheap := kheap s(t \ TCB (tcb\tcb_bound_notification := ntfn\))\) + state_hyp_refs_of (s\kheap := (kheap s)(t \ TCB (tcb\tcb_bound_notification := ntfn\))\) = state_hyp_refs_of s" apply (rule all_ext) apply (clarsimp simp add: ARM_HYP.state_hyp_refs_of_def obj_at_def split: option.splits) @@ -695,7 +695,7 @@ lemma state_hyp_refs_of_tcb_bound_ntfn_update: lemma state_hyp_refs_of_tcb_state_update: "kheap s t = Some (TCB tcb) \ - state_hyp_refs_of (s\kheap := kheap s(t \ TCB (tcb\tcb_state := ts\))\) + state_hyp_refs_of (s\kheap := (kheap s)(t \ TCB (tcb\tcb_state := ts\))\) = state_hyp_refs_of s" apply (rule all_ext) apply (clarsimp simp add: ARM_HYP.state_hyp_refs_of_def obj_at_def split: option.splits) 
@@ -712,19 +712,19 @@ lemma valid_vcpu_lift: lemma valid_vcpu_update: "\s ep val. typ_at ANTFN ep s \ - state_hyp_refs_of (s\kheap := kheap s(ep \ Notification val)\) = state_hyp_refs_of s" + state_hyp_refs_of (s\kheap := (kheap s)(ep \ Notification val)\) = state_hyp_refs_of s" apply (rule all_ext) apply (clarsimp simp add: ARM_HYP.state_hyp_refs_of_def obj_at_def ARM_HYP.hyp_refs_of_def) done lemma valid_vcpu_same_type: "\ valid_vcpu v s; kheap s p = Some ko; a_type k = a_type ko \ - \ valid_vcpu v (s\kheap := kheap s(p \ k)\)" + \ valid_vcpu v (s\kheap := (kheap s)(p \ k)\)" by (cases v; case_tac vcpu_tcb; clarsimp simp: valid_vcpu_def typ_at_same_type) lemma arch_valid_obj_same_type: "\ arch_valid_obj ao s; kheap s p = Some ko; a_type k = a_type ko \ - \ arch_valid_obj ao (s\kheap := kheap s(p \ k)\)" + \ arch_valid_obj ao (s\kheap := (kheap s)(p \ k)\)" by (induction ao rule: arch_kernel_obj.induct; clarsimp simp: typ_at_same_type valid_vcpu_same_type) @@ -738,7 +738,7 @@ lemma default_tcb_not_live: "\ live (TCB default_tcb)" lemma valid_arch_tcb_same_type: "\ valid_arch_tcb t s; valid_obj p k s; kheap s p = Some ko; a_type k = a_type ko \ - \ valid_arch_tcb t (s\kheap := kheap s(p \ k)\)" + \ valid_arch_tcb t (s\kheap := (kheap s)(p \ k)\)" by (auto simp: valid_arch_tcb_def obj_at_def) lemma valid_ioports_lift: diff --git a/proof/invariant-abstract/ARM_HYP/ArchVCPU_AI.thy b/proof/invariant-abstract/ARM_HYP/ArchVCPU_AI.thy index 1273ab1fbf..c4dcb43011 100644 --- a/proof/invariant-abstract/ARM_HYP/ArchVCPU_AI.thy +++ b/proof/invariant-abstract/ARM_HYP/ArchVCPU_AI.thy 
@@ -75,7 +75,7 @@ crunches do_machine_op (wp: valid_cur_vcpu_lift_cur_thread_update valid_cur_vcpu_lift crunch_wps) lemma valid_cur_vcpu_vcpu_update[simp]: - "vcpu_at v s \ valid_cur_vcpu (s\kheap := kheap s(v \ ArchObj (VCPU vcpu))\) = valid_cur_vcpu s" + "vcpu_at v s \ valid_cur_vcpu (s\kheap := (kheap s)(v \ ArchObj (VCPU vcpu))\) = valid_cur_vcpu s" by (clarsimp simp: valid_cur_vcpu_def active_cur_vcpu_of_def pred_tcb_at_def obj_at_def) crunches vcpu_save_reg, vcpu_write_reg, save_virt_timer, vgic_update, vcpu_disable diff --git a/proof/invariant-abstract/ARM_HYP/ArchVSpace_AI.thy b/proof/invariant-abstract/ARM_HYP/ArchVSpace_AI.thy index 38ecc5c29a..4ab877c8a0 100644 --- a/proof/invariant-abstract/ARM_HYP/ArchVSpace_AI.thy +++ b/proof/invariant-abstract/ARM_HYP/ArchVSpace_AI.thy @@ -1218,7 +1218,7 @@ lemma arch_thread_set_caps_of_state [wp]: by (wpsimp wp: thread_set_caps_of_state_trivial2 simp: arch_thread_set_is_thread_set) lemma arch_thread_set_wp: - "\\s. get_tcb p s \ None \ Q (s\kheap := kheap s(p \ TCB (the (get_tcb p s)\tcb_arch := f (tcb_arch (the (get_tcb p s)))\))\) \ + "\\s. get_tcb p s \ None \ Q (s\kheap := (kheap s)(p \ TCB (the (get_tcb p s)\tcb_arch := f (tcb_arch (the (get_tcb p s)))\))\) \ arch_thread_set f p \\_. Q\" apply (simp add: arch_thread_set_def) @@ -1231,7 +1231,7 @@ lemma a_type_VCPU [simp]: by (simp add: a_type_def) lemma set_vcpu_wp: - "\\s. vcpu_at p s \ Q (s\kheap := kheap s(p \ (ArchObj (VCPU vcpu))) \) \ set_vcpu p vcpu \\_. Q\" + "\\s. vcpu_at p s \ Q (s\kheap := (kheap s)(p \ (ArchObj (VCPU vcpu))) \) \ set_vcpu p vcpu \\_. Q\" unfolding set_vcpu_def apply (wp set_object_wp_strong) apply (clarsimp simp: obj_at_def split: kernel_object.splits arch_kernel_obj.splits) 
@@ -2337,7 +2337,7 @@ lemma set_vcpu_if_live_then_nonz_cap_Some[wp]: (* FIXME: kind of ugly but hey! it works!! *) -lemma state_refs_of_simp: "\ a \ p \ \ state_refs_of (s\kheap := kheap s(p \ v) \) a = state_refs_of s a " +lemma state_refs_of_simp: "\ a \ p \ \ state_refs_of (s\kheap := (kheap s)(p \ v) \) a = state_refs_of s a " by (simp add: state_refs_of_def) lemma state_refs_of_vcpu_simp: "typ_at (AArch AVCPU) p s \ state_refs_of s p = {}" @@ -2363,12 +2363,12 @@ lemma set_vcpu_sym_refs[wp]: apply (clarsimp simp: obj_at_def) done -lemma state_hyp_refs_of_simp_neq: "\ a \ p \ \ state_hyp_refs_of (s\kheap := kheap s(p \ v) \) a = state_hyp_refs_of s a " +lemma state_hyp_refs_of_simp_neq: "\ a \ p \ \ state_hyp_refs_of (s\kheap := (kheap s)(p \ v) \) a = state_hyp_refs_of s a " by (simp add: state_hyp_refs_of_def) lemma state_hyp_refs_of_simp_eq: "obj_at (\ko'. hyp_refs_of ko' = hyp_refs_of v) p s - \ state_hyp_refs_of (s\kheap := kheap s(p \ v) \) p = state_hyp_refs_of s p" + \ state_hyp_refs_of (s\kheap := (kheap s)(p \ v) \) p = state_hyp_refs_of s p" by (clarsimp simp: state_hyp_refs_of_def obj_at_def) lemma set_object_vcpu_sym_refs_hyp: @@ -2729,7 +2729,7 @@ end locale vs_lookup_map_some_pdes = Arch + fixes pd pdp s s' S T pd' - defines "s' \ s\kheap := kheap s(pdp \ ArchObj (PageDirectory pd'))\" + defines "s' \ s\kheap := (kheap s)(pdp \ ArchObj (PageDirectory pd'))\" assumes refs: "vs_refs (ArchObj (PageDirectory pd')) = (vs_refs (ArchObj (PageDirectory pd)) - T) \ S" assumes old: "kheap s pdp = Some (ArchObj (PageDirectory pd))" @@ -2843,7 +2843,7 @@ lemma set_pd_vspace_objs_map: (* ARMHYP *) lemma simpler_set_pd_def: "set_pd p pd = (\s. if \pd. kheap s p = Some (ArchObj (PageDirectory pd)) - then ({((), s\kheap := kheap s(p \ ArchObj (PageDirectory pd))\)}, + then ({((), s\kheap := (kheap s)(p \ ArchObj (PageDirectory pd))\)}, False) else ({}, True))" apply (rule ext) 
@@ -2899,7 +2899,7 @@ lemma set_pd_valid_vs_lookup_map: (* ARMHYP *) apply (drule vs_lookup_pages_apI) apply (simp split: if_split_asm) apply (simp+)[2] - apply (frule_tac s="s\kheap := kheap s(p \ ArchObj (PageDirectory pd))\" + apply (frule_tac s="s\kheap := (kheap s)(p \ ArchObj (PageDirectory pd))\" in vs_lookup_pages_pdI[rotated -1]) apply (simp del: fun_upd_apply)+ apply (frule vs_lookup_pages_apI) @@ -3780,8 +3780,8 @@ lemma simpler_store_pde_def: "store_pde p pde s = (case kheap s (p && ~~ mask pd_bits) of Some (ArchObj (PageDirectory pd)) => - ({((), s\kheap := (kheap s((p && ~~ mask pd_bits) \ - (ArchObj (PageDirectory (pd(ucast (p && mask pd_bits >> 3) := pde))))))\)}, False) + ({((), s\kheap := (kheap s)(p && ~~ mask pd_bits \ + (ArchObj (PageDirectory (pd(ucast (p && mask pd_bits >> 3) := pde)))))\)}, False) | _ => ({}, True))" by (auto simp: store_pde_def simpler_set_pd_def get_object_def simpler_gets_def assert_def return_def fail_def set_object_def get_def put_def bind_def get_pd_def vspace_bits_defs @@ -3791,7 +3791,7 @@ lemma pde_update_valid_vspace_objs: "[|valid_vspace_objs s; valid_pde pde s; pde_ref pde = None; kheap s (p && ~~ mask pd_bits) = Some (ArchObj (PageDirectory pd))|] ==> valid_vspace_objs - (s\kheap := kheap s(p && ~~ mask pd_bits \ ArchObj (PageDirectory (pd(ucast (p && mask pd_bits >> 3) := pde))))\)" + (s\kheap := (kheap s)(p && ~~ mask pd_bits \ ArchObj (PageDirectory (pd(ucast (p && mask pd_bits >> 3) := pde))))\)" apply (cut_tac pde=pde and p=p in store_pde_arch_objs_unmap) apply (clarsimp simp: valid_def) apply (erule allE[where x=s]) 
@@ -5603,8 +5603,7 @@ end locale asid_pool_map = Arch + fixes s ap pool asid pdp pd s' defines "(s' :: ('a::state_ext) state) \ - s\kheap := kheap s(ap \ ArchObj (ASIDPool - (pool(asid \ pdp))))\" + s\kheap := (kheap s)(ap \ ArchObj (ASIDPool (pool(asid \ pdp))))\" assumes ap: "kheap s ap = Some (ArchObj (ASIDPool pool))" assumes new: "pool asid = None" assumes pd: "kheap s pdp = Some (ArchObj (PageDirectory pd))" diff --git a/proof/invariant-abstract/Bits_AI.thy b/proof/invariant-abstract/Bits_AI.thy index 06da5d09f6..fc5c25b318 100644 --- a/proof/invariant-abstract/Bits_AI.thy +++ b/proof/invariant-abstract/Bits_AI.thy @@ -14,7 +14,7 @@ lemmas crunch_simps = split_def whenE_def unlessE_def Let_def if_fun_split assertE_def zipWithM_mapM zipWithM_x_mapM lemma in_set_object: - "(rv, s') \ fst (set_object ptr obj s) \ s' = s \ kheap := kheap s (ptr \ obj) \" + "(rv, s') \ fst (set_object ptr obj s) \ s' = s \ kheap := (kheap s) (ptr \ obj) \" by (clarsimp simp: set_object_def get_object_def in_monad) lemma cap_fault_injection: diff --git a/proof/invariant-abstract/CSpaceInv_AI.thy b/proof/invariant-abstract/CSpaceInv_AI.thy index b15a6e4758..1c98336fcb 100644 --- a/proof/invariant-abstract/CSpaceInv_AI.thy +++ b/proof/invariant-abstract/CSpaceInv_AI.thy @@ -162,12 +162,12 @@ crunch inv [wp]: lookup_cap P lemma cte_at_tcb_update: - "tcb_at t s \ cte_at slot (s\kheap := kheap s(t \ TCB tcb)\) = cte_at slot s" + "tcb_at t s \ cte_at slot (s\kheap := (kheap s)(t \ TCB tcb)\) = cte_at slot s" by (clarsimp simp add: cte_at_cases obj_at_def is_tcb) lemma valid_cap_tcb_update [simp]: - "tcb_at t s \ (s\kheap := kheap s(t \ TCB tcb)\) \ cap = s \ cap" + "tcb_at t s \ (s\kheap := (kheap s)(t \ TCB tcb)\) \ cap = s \ cap" apply (clarsimp simp: is_tcb elim!: obj_atE) apply (subgoal_tac "a_type (TCB tcba) = a_type (TCB tcb)") apply (rule iffI) 
@@ -181,7 +181,7 @@ lemma valid_cap_tcb_update [simp]: lemma obj_at_tcb_update: "\ tcb_at t s; \x y. P (TCB x) = P (TCB y)\ \ - obj_at P t' (s\kheap := kheap s(t \ TCB tcb)\) = obj_at P t' s" + obj_at P t' (s\kheap := (kheap s)(t \ TCB tcb)\) = obj_at P t' s" apply (simp add: obj_at_def is_tcb_def) apply clarsimp apply (case_tac ko) @@ -191,7 +191,7 @@ lemma obj_at_tcb_update: lemma valid_thread_state_tcb_update: "\ tcb_at t s \ \ - valid_tcb_state ts (s\kheap := kheap s(t \ TCB tcb)\) = valid_tcb_state ts s" + valid_tcb_state ts (s\kheap := (kheap s)(t \ TCB tcb)\) = valid_tcb_state ts s" apply (unfold valid_tcb_state_def) apply (case_tac ts) apply (simp_all add: obj_at_tcb_update is_ep_def is_tcb_def is_ntfn_def) @@ -200,7 +200,7 @@ lemma valid_thread_state_tcb_update: lemma valid_objs_tcb_update: "\tcb_at t s; valid_tcb t tcb s; valid_objs s \ - \ valid_objs (s\kheap := kheap s(t \ TCB tcb)\)" + \ valid_objs (s\kheap := (kheap s)(t \ TCB tcb)\)" apply (clarsimp simp: valid_objs_def dom_def elim!: obj_atE) apply (intro conjI impI) @@ -217,7 +217,7 @@ lemma valid_objs_tcb_update: lemma obj_at_update: - "obj_at P t' (s \kheap := kheap s (t \ v)\) = + "obj_at P t' (s \kheap := (kheap s)(t \ v)\) = (if t = t' then P v else obj_at P t' s)" by (simp add: obj_at_def) @@ -225,7 +225,7 @@ lemma obj_at_update: lemma iflive_tcb_update: "\ if_live_then_nonz_cap s; live (TCB tcb) \ ex_nonz_cap_to t s; obj_at (same_caps (TCB tcb)) t s \ - \ if_live_then_nonz_cap (s\kheap := kheap s(t \ TCB tcb)\)" + \ if_live_then_nonz_cap (s\kheap := (kheap s)(t \ TCB tcb)\)" unfolding fun_upd_def apply (simp add: if_live_then_nonz_cap_def, erule allEI) apply safe 
@@ -236,7 +236,7 @@ lemma iflive_tcb_update: lemma ifunsafe_tcb_update: "\ if_unsafe_then_cap s; obj_at (same_caps (TCB tcb)) t s \ - \ if_unsafe_then_cap (s\kheap := kheap s(t \ TCB tcb)\)" + \ if_unsafe_then_cap (s\kheap := (kheap s)(t \ TCB tcb)\)" apply (simp add: if_unsafe_then_cap_def, elim allEI) apply (clarsimp dest!: caps_of_state_cteD simp: cte_wp_at_after_update fun_upd_def) @@ -247,7 +247,7 @@ lemma ifunsafe_tcb_update: lemma zombies_tcb_update: "\ zombies_final s; obj_at (same_caps (TCB tcb)) t s \ - \ zombies_final (s\kheap := kheap s(t \ TCB tcb)\)" + \ zombies_final (s\kheap := (kheap s)(t \ TCB tcb)\)" apply (simp add: zombies_final_def is_final_cap'_def2, elim allEI) apply (clarsimp simp: cte_wp_at_after_update fun_upd_def) done @@ -259,14 +259,14 @@ lemma valid_idle_tcb_update: tcb_state t = tcb_state t'; tcb_bound_notification t = tcb_bound_notification t'; tcb_iarch t = tcb_iarch t'; valid_tcb p t' s \ - \ valid_idle (s\kheap := kheap s(p \ TCB t')\)" + \ valid_idle (s\kheap := (kheap s)(p \ TCB t')\)" by (clarsimp simp: valid_idle_def pred_tcb_at_def obj_at_def) lemma valid_reply_caps_tcb_update: "\valid_reply_caps s; ko_at (TCB t) p s; tcb_state t = tcb_state t'; same_caps (TCB t) (TCB t') \ - \ valid_reply_caps (s\kheap := kheap s(p \ TCB t')\)" + \ valid_reply_caps (s\kheap := (kheap s)(p \ TCB t')\)" apply (frule_tac P'="same_caps (TCB t')" in obj_at_weakenE, simp) apply (fastforce simp: valid_reply_caps_def has_reply_cap_def pred_tcb_at_def obj_at_def fun_upd_def 
@@ -277,13 +277,13 @@ lemma valid_reply_caps_tcb_update: lemma valid_reply_masters_tcb_update: "\valid_reply_masters s; ko_at (TCB t) p s; tcb_state t = tcb_state t'; same_caps (TCB t) (TCB t') \ - \ valid_reply_masters (s\kheap := kheap s(p \ TCB t')\)" + \ valid_reply_masters (s\kheap := (kheap s)(p \ TCB t')\)" by (clarsimp simp: valid_reply_masters_def fun_upd_def is_tcb cte_wp_at_after_update obj_at_def) lemma tcb_state_same_cte_wp_at: "\ ko_at (TCB t) p s; \(getF, v) \ ran tcb_cap_cases. getF t = getF t' \ - \ \P p'. cte_wp_at P p' (s\kheap := kheap s(p \ TCB t')\) + \ \P p'. cte_wp_at P p' (s\kheap := (kheap s)(p \ TCB t')\) = cte_wp_at P p' s" apply (clarsimp simp add: cte_wp_at_cases obj_at_def) apply (case_tac "tcb_cap_cases b") @@ -1468,7 +1468,7 @@ lemma thread_set_mdb: done lemma set_cap_caps_of_state2: - "\\s. P (caps_of_state s (p \ cap)) (cdt s) (is_original_cap s)\ + "\\s. P ((caps_of_state s)(p \ cap)) (cdt s) (is_original_cap s)\ set_cap cap p \\rv s. P (caps_of_state s) (cdt s) (is_original_cap s)\" apply (rule_tac Q="\rv s. \m mr. P (caps_of_state s) m mr @@ -2069,7 +2069,7 @@ lemma cap_insert_obj_at_other: lemma only_idle_tcb_update: "\only_idle s; ko_at (TCB t) p s; tcb_state t = tcb_state t' \ \idle (tcb_state t') \ - \ only_idle (s\kheap := kheap s(p \ TCB t')\)" + \ only_idle (s\kheap := (kheap s)(p \ TCB t')\)" by (clarsimp simp: only_idle_def pred_tcb_at_def obj_at_def) lemma as_user_only_idle : diff --git a/proof/invariant-abstract/CSpace_AI.thy b/proof/invariant-abstract/CSpace_AI.thy index a064743d16..6b406a7f38 100644 --- a/proof/invariant-abstract/CSpace_AI.thy +++ b/proof/invariant-abstract/CSpace_AI.thy 
@@ -566,9 +566,9 @@ lemma no_True_set_nth: done lemma set_cap_caps_of_state_monad: - "(v, s') \ fst (set_cap cap p s) \ caps_of_state s' = (caps_of_state s (p \ cap))" + "(v, s') \ fst (set_cap cap p s) \ caps_of_state s' = (caps_of_state s)(p \ cap)" apply (drule use_valid) - apply (rule set_cap_caps_of_state [where P="(=) (caps_of_state s (p\cap))"]) + apply (rule set_cap_caps_of_state [where P="(=) ((caps_of_state s)(p\cap))"]) apply (rule refl) apply simp done @@ -1949,15 +1949,15 @@ lemma set_free_index_valid_mdb: proof(intro conjI impI) fix s bits f r dev assume mdb:"untyped_mdb (cdt s) (caps_of_state s)" - assume cstate:"caps_of_state s cref = Some (cap.UntypedCap dev r bits f)" (is "?m cref = Some ?srccap") - show "untyped_mdb (cdt s) (caps_of_state s(cref \ cap.UntypedCap dev r bits idx))" + assume cstate:"caps_of_state s cref = Some (UntypedCap dev r bits f)" (is "?m cref = Some ?srccap") + show "untyped_mdb (cdt s) ((caps_of_state s)(cref \ UntypedCap dev r bits idx))" apply (rule untyped_mdb_update_free_index [where capa = ?srccap and m = "caps_of_state s" and src = cref, unfolded free_index_update_def,simplified,THEN iffD2]) apply (simp add:cstate mdb)+ done assume arch_mdb:"valid_arch_mdb (is_original_cap s) (caps_of_state s)" - show "valid_arch_mdb (is_original_cap s) (caps_of_state s(cref \ UntypedCap dev r bits idx))" + show "valid_arch_mdb (is_original_cap s) ((caps_of_state s)(cref \ UntypedCap dev r bits idx))" apply (rule valid_arch_mdb_updates(1)[where capa = ?srccap and m="caps_of_state s" and src=cref, unfolded free_index_update_def, simplified, THEN iffD2]) @@ -1987,7 +1987,7 @@ lemma set_free_index_valid_mdb: done note blah[simp del] = untyped_range.simps usable_untyped_range.simps - show "untyped_inc (cdt s) (caps_of_state s(cref \ cap.UntypedCap dev r bits idx))" + show "untyped_inc (cdt s) ((caps_of_state s)(cref \ UntypedCap dev r bits idx))" using inc cstate apply (unfold untyped_inc_def) apply (intro allI impI) 
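Review bot: The `assume cstate:` and the `show` lines of `set_free_index_valid_mdb` in the `@@ -1949` hunk drop the `cap.` qualifier (`cap.UntypedCap` becomes `UntypedCap`) on top of the `(f)(x \<mapsto> y)` re-bracketing this commit is about, while the `cte:` and `mdb:` assumptions of the same proof (the `cap.UntypedCap dev r bits f` and `cap.NullCap` context lines of the `@@ -2051` hunk) keep it. Mixing the two makes it harder to confirm that the migration is purely syntactic, which is the property a reviewer wants to check for a syntax-compatibility pass over kernel invariant statements. Either apply the cleanup consistently within the proof, e.g. `and cte:"caps_of_state s cref = Some (UntypedCap dev r bits f)"`, or keep this commit to the parenthesization only and do the qualifier cleanup separately. The enclosing `proof(intro conjI impI)` block starts and ends outside these hunks.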
@@ -2023,11 +2023,11 @@ lemma set_free_index_valid_mdb: apply clarsimp+ done assume "ut_revocable (is_original_cap s) (caps_of_state s)" - thus "ut_revocable (is_original_cap s) (caps_of_state s(cref \ cap.UntypedCap dev r bits idx))" + thus "ut_revocable (is_original_cap s) ((caps_of_state s)(cref \ UntypedCap dev r bits idx))" using cstate by (fastforce simp:ut_revocable_def) assume "reply_caps_mdb (cdt s) (caps_of_state s)" - thus "reply_caps_mdb (cdt s) (caps_of_state s(cref \ cap.UntypedCap dev r bits idx))" + thus "reply_caps_mdb (cdt s) ((caps_of_state s)(cref \ UntypedCap dev r bits idx))" using cstate apply (simp add:reply_caps_mdb_def del:split_paired_All split_paired_Ex) apply (intro allI impI conjI) @@ -2039,7 +2039,7 @@ lemma set_free_index_valid_mdb: apply fastforce done assume "reply_masters_mdb (cdt s) (caps_of_state s)" - thus "reply_masters_mdb (cdt s) (caps_of_state s(cref \ cap.UntypedCap dev r bits idx))" + thus "reply_masters_mdb (cdt s) ((caps_of_state s)(cref \ UntypedCap dev r bits idx))" apply (simp add:reply_masters_mdb_def del:split_paired_All split_paired_Ex) apply (intro allI impI ballI) apply (erule exE) @@ -2051,7 +2051,7 @@ lemma set_free_index_valid_mdb: assume mdb:"mdb_cte_at (swp (cte_wp_at ((\) cap.NullCap)) s) (cdt s)" and desc_inc:"descendants_inc (cdt s) (caps_of_state s)" and cte:"caps_of_state s cref = Some (cap.UntypedCap dev r bits f)" - show "descendants_inc (cdt s) (caps_of_state s(cref \ cap.UntypedCap dev r bits idx))" + show "descendants_inc (cdt s) ((caps_of_state s)(cref \ UntypedCap dev r bits idx))" using mdb cte apply (clarsimp simp:swp_def cte_wp_at_caps_of_state) apply (erule descendants_inc_minor[OF desc_inc]) 
@@ -2147,10 +2147,10 @@ lemma cap_insert_mdb [wp]: apply (rule conjI) apply (simp add: no_mloop_def mdb_insert_abs.parency) apply (intro allI impI conjI) - apply (rule_tac m1 = "caps_of_state s(dest\ cap)" + apply (rule_tac m1 = "(caps_of_state s)(dest\ cap)" and src1 = src in iffD2[OF untyped_mdb_update_free_index,rotated,rotated]) apply (simp add:fun_upd_twist)+ - apply (drule_tac cs' = "caps_of_state s(src \ max_free_index_update capa)" in descendants_inc_minor) + apply (drule_tac cs' = "(caps_of_state s)(src \ max_free_index_update capa)" in descendants_inc_minor) apply (clarsimp simp:cte_wp_at_caps_of_state swp_def) apply clarsimp apply (subst upd_commute) @@ -2175,7 +2175,7 @@ lemma cap_insert_mdb [wp]: apply (clarsimp simp:is_cap_simps free_index_update_def)+ apply (clarsimp simp: reply_master_revocable_def is_derived_def is_master_reply_cap_def is_cap_revocable_def) apply clarsimp - apply (rule_tac m1 = "caps_of_state s(dest\ cap)" + apply (rule_tac m1 = "(caps_of_state s)(dest\ cap)" and src1 = src in reply_mdb_update_free_index[THEN iffD2]) apply ((simp add:fun_upd_twist)+)[3] apply (clarsimp simp:is_cap_simps is_cap_revocable_def) @@ -2200,11 +2200,11 @@ lemma cap_insert_mdb [wp]: apply (erule (1) valid_arch_mdb_updates) apply (clarsimp) apply (intro impI conjI allI) - apply (rule_tac m1 = "caps_of_state s(dest\ cap)" + apply (rule_tac m1 = "(caps_of_state s)(dest\ cap)" and src1 = src in iffD2[OF untyped_mdb_update_free_index,rotated,rotated]) apply (frule mdb_insert_abs_sib.untyped_mdb_sib) apply (simp add:fun_upd_twist)+ - apply (drule_tac cs' = "caps_of_state s(src \ max_free_index_update capa)" in descendants_inc_minor) + apply (drule_tac cs' = "(caps_of_state s)(src \ max_free_index_update capa)" in descendants_inc_minor) apply (clarsimp simp:cte_wp_at_caps_of_state swp_def) apply clarsimp apply (subst upd_commute) 
@@ -2215,7 +2215,7 @@ lemma cap_insert_mdb [wp]: apply (simp add: no_mloop_def) apply (simp add: mdb_insert_abs_sib.parent_n_eq) apply (simp add: mdb_insert_abs.dest_no_parent_trancl) - apply (rule_tac m = "caps_of_state s(dest\ cap)" and src = src in untyped_inc_update_free_index) + apply (rule_tac m = "(caps_of_state s)(dest\ cap)" and src = src in untyped_inc_update_free_index) apply (simp add:fun_upd_twist)+ apply (frule(3) mdb_insert_abs_sib.untyped_inc) apply (frule_tac p = src in caps_of_state_valid,assumption) @@ -2228,7 +2228,7 @@ lemma cap_insert_mdb [wp]: apply (intro impI conjI) apply (clarsimp simp:is_cap_simps free_index_update_def)+ apply (clarsimp simp: reply_master_revocable_def is_derived_def is_master_reply_cap_def is_cap_revocable_def) - apply (rule_tac m1 = "caps_of_state s(dest\ cap)" + apply (rule_tac m1 = "(caps_of_state s)(dest\ cap)" and src1 = src in iffD2[OF reply_mdb_update_free_index,rotated,rotated]) apply (frule mdb_insert_abs_sib.reply_mdb_sib,simp+) apply (clarsimp simp:ut_revocable_def,case_tac src,clarsimp,simp) diff --git a/proof/invariant-abstract/Deterministic_AI.thy b/proof/invariant-abstract/Deterministic_AI.thy index 90a38d0182..4eaad8a36b 100644 --- a/proof/invariant-abstract/Deterministic_AI.thy +++ b/proof/invariant-abstract/Deterministic_AI.thy @@ -1474,7 +1474,7 @@ end crunch exst[wp]: set_cap "(\s. P (exst s))" (wp: crunch_wps simp: crunch_simps) lemma set_cap_caps_of_state3: - "\\s. P (caps_of_state s (p \ cap)) (cdt s) (exst s) (is_original_cap s)\ + "\\s. P ((caps_of_state s) (p \ cap)) (cdt s) (exst s) (is_original_cap s)\ set_cap cap p \\rv s. P (caps_of_state s) (cdt s) (exst s) (is_original_cap s)\" apply (rule_tac Q="\rv s. \m mr t. P (caps_of_state s) m t mr diff --git a/proof/invariant-abstract/Ipc_AI.thy b/proof/invariant-abstract/Ipc_AI.thy index 576f36ae95..2db0f918cc 100644 --- a/proof/invariant-abstract/Ipc_AI.thy +++ b/proof/invariant-abstract/Ipc_AI.thy 
@@ -2270,7 +2270,7 @@ lemma pred_tcb_clear: lemma pred_tcb_upd_apply: - "pred_tcb_at proj P t (s\kheap := kheap s(r \ TCB v)\) = + "pred_tcb_at proj P t (s\kheap := (kheap s)(r \ TCB v)\) = (if t = r then P (proj (tcb_to_itcb v)) else pred_tcb_at proj P t s)" by (simp add: pred_tcb_at_def obj_at_def) diff --git a/proof/invariant-abstract/KHeapPre_AI.thy b/proof/invariant-abstract/KHeapPre_AI.thy index 14f9b8589f..fa1c73be88 100644 --- a/proof/invariant-abstract/KHeapPre_AI.thy +++ b/proof/invariant-abstract/KHeapPre_AI.thy @@ -136,7 +136,7 @@ lemma get_tcb_at: "tcb_at t s \ (\tcb. get_tcb t s = Som lemma typ_at_same_type: assumes "typ_at T p s" "a_type k = a_type ko" "kheap s p' = Some ko" - shows "typ_at T p (s\kheap := kheap s(p' \ k)\)" + shows "typ_at T p (s\kheap := (kheap s)(p' \ k)\)" using assms by (clarsimp simp: obj_at_def) @@ -148,12 +148,12 @@ lemma hoare_to_pure_kheap_upd: assumes typ_eq: "a_type k = a_type ko" assumes valid: "P (s :: ('z :: state_ext) state)" assumes at: "ko_at ko p s" - shows "P (s\kheap := kheap s(p \ k)\)" + shows "P (s\kheap := (kheap s)(p \ k)\)" apply (rule use_valid[where f=" do s' <- get; assert (s' = s); - (modify (\s. s\kheap := kheap s(p \ k)\)); + (modify (\s. s\kheap := (kheap s)(p \ k)\)); return undefined od", OF _ hoare valid]) apply (fastforce simp add: simpler_modify_def get_def bind_def @@ -165,7 +165,7 @@ lemma hoare_to_pure_kheap_upd: by (auto simp add: obj_at_def a_type_def split: kernel_object.splits if_splits) lemma set_object_wp: - "\\s. Q (s\ kheap := kheap s (p \ v)\) \ set_object p v \\_. Q\" + "\\s. Q (s\ kheap := (kheap s) (p \ v)\) \ set_object p v \\_. Q\" apply (simp add: set_object_def get_object_def) apply wp apply blast diff --git a/proof/invariant-abstract/KHeap_AI.thy b/proof/invariant-abstract/KHeap_AI.thy index 5df2a6c967..03fededbf5 100644 --- a/proof/invariant-abstract/KHeap_AI.thy +++ b/proof/invariant-abstract/KHeap_AI.thy 
@@ -103,7 +103,7 @@ lemma pspace_aligned_obj_update: assumes obj: "obj_at P t s" assumes pa: "pspace_aligned s" assumes R: "\k. P k \ a_type k = a_type k'" - shows "pspace_aligned (s\kheap := kheap s(t \ k')\)" + shows "pspace_aligned (s\kheap := (kheap s)(t \ k')\)" using pa obj apply (simp add: pspace_aligned_def cong: conj_cong) apply (clarsimp simp: obj_at_def obj_bits_T dest!: R) @@ -113,7 +113,7 @@ lemma pspace_aligned_obj_update: lemma cte_at_same_type: "\cte_at t s; a_type k = a_type ko; kheap s p = Some ko\ - \ cte_at t (s\kheap := kheap s(p \ k)\)" + \ cte_at t (s\kheap := (kheap s)(p \ k)\)" apply (clarsimp simp: cte_at_cases del: disjCI) apply (elim exE disjE) apply (clarsimp simp: a_type_def well_formed_cnode_n_def length_set_helper @@ -125,13 +125,13 @@ lemma cte_at_same_type: lemma untyped_same_type: "\valid_untyped (cap.UntypedCap dev r n f) s; a_type k = a_type ko; kheap s p = Some ko\ - \ valid_untyped (cap.UntypedCap dev r n f) (s\kheap := kheap s(p \ k)\)" + \ valid_untyped (cap.UntypedCap dev r n f) (s\kheap := (kheap s)(p \ k)\)" unfolding valid_untyped_def by (clarsimp simp: obj_range_def obj_bits_T) lemma valid_cap_same_type: "\ s \ cap; a_type k = a_type ko; kheap s p = Some ko \ - \ s\kheap := kheap s(p \ k)\ \ cap" + \ s\kheap := (kheap s)(p \ k)\ \ cap" apply (simp add: valid_cap_def split: cap.split) apply (auto elim!: typ_at_same_type untyped_same_type simp: ntfn_at_typ ep_at_typ tcb_at_typ cap_table_at_typ @@ -141,7 +141,7 @@ lemma valid_cap_same_type: lemma valid_obj_same_type: "\ valid_obj p' obj s; valid_obj p k s; kheap s p = Some ko; a_type k = a_type ko \ - \ valid_obj p' obj (s\kheap := kheap s(p \ k)\)" + \ valid_obj p' obj (s\kheap := (kheap s)(p \ k)\)" apply (cases obj; simp) apply (clarsimp simp add: valid_obj_def valid_cs_def) apply (drule (1) bspec) 
@@ -460,7 +460,7 @@ lemma set_ntfn_refs_of[wp]: lemma pspace_distinct_same_type: "\ kheap s t = Some ko; a_type ko = a_type ko'; pspace_distinct s\ - \ pspace_distinct (s\kheap := kheap s(t \ ko')\)" + \ pspace_distinct (s\kheap := (kheap s)(t \ ko')\)" apply (clarsimp simp add: pspace_distinct_def obj_bits_T) apply fastforce done @@ -573,7 +573,7 @@ lemma cte_wp_at_after_update: lemma cte_wp_at_after_update': "\ obj_at (same_caps val) p' s \ - \ cte_wp_at P p (s\kheap := kheap s(p' \ val)\) + \ cte_wp_at P p (s\kheap := (kheap s)(p' \ val)\) = cte_wp_at P p s" by (fastforce simp: obj_at_def cte_wp_at_cases split: if_split_asm dest: bspec [OF _ ranI]) @@ -584,7 +584,7 @@ lemma ex_cap_to_after_update: lemma ex_cap_to_after_update': "\ ex_nonz_cap_to p s; obj_at (same_caps val) p' s \ - \ ex_nonz_cap_to p (s\kheap := kheap s(p' \ val)\)" + \ ex_nonz_cap_to p (s\kheap := (kheap s)(p' \ val)\)" by (clarsimp simp: ex_nonz_cap_to_def cte_wp_at_after_update') lemma ex_cte_cap_to_after_update: @@ -772,7 +772,7 @@ lemma as_user_bind[wp]: apply clarsimp apply (rename_tac value_g s tcb fail_g value_f fail_f) apply (rule_tac x="value_f" in exI) - apply (rule_tac x="s\kheap := kheap s(t \ TCB (tcb\tcb_arch := arch_tcb_context_set fail_f (tcb_arch tcb)\))\" in exI) + apply (rule_tac x="s\kheap := (kheap s)(t \ TCB (tcb\tcb_arch := arch_tcb_context_set fail_f (tcb_arch tcb)\))\" in exI) apply fastforce apply clarsimp apply (rename_tac value_g ta s tcb value_f fail_g ko) diff --git a/proof/invariant-abstract/RISCV64/ArchAcc_AI.thy b/proof/invariant-abstract/RISCV64/ArchAcc_AI.thy index ac000a55c5..207f86410d 100644 --- a/proof/invariant-abstract/RISCV64/ArchAcc_AI.thy +++ b/proof/invariant-abstract/RISCV64/ArchAcc_AI.thy 
@@ -1018,7 +1018,7 @@ lemma set_object_caps_of_state: done lemma set_pt_aobjs_of: - "\\s. aobjs_of s p \ None \ P (aobjs_of s(p \ PageTable pt)) \ set_pt p pt \\_ s. P (aobjs_of s)\" + "\\s. aobjs_of s p \ None \ P ((aobjs_of s)(p \ PageTable pt)) \ set_pt p pt \\_ s. P (aobjs_of s)\" unfolding set_pt_def supply fun_upd_apply[simp del] by (wpsimp wp: set_object_wp) @@ -1142,7 +1142,7 @@ lemma pt_walk_upd_idem: \ pt_walk top_level level' pt_ptr vptr (ptes_of s) = Some (level', pt_ptr') \ pt_ptr' \ obj_ref; is_aligned pt_ptr pt_bits \ - \ pt_walk top_level level pt_ptr vptr (ptes_of (s\kheap := kheap s(obj_ref \ ko)\)) + \ pt_walk top_level level pt_ptr vptr (ptes_of (s\kheap := (kheap s)(obj_ref \ ko)\)) = pt_walk top_level level pt_ptr vptr (ptes_of s)" by (rule pt_walk_eqI; simp split del: if_split) (clarsimp simp: opt_map_def split: option.splits) @@ -1208,7 +1208,7 @@ lemma vs_lookup_table_upd_idem: \ vs_lookup_table level' asid vref s = Some (level', p') \ p' \ obj_ref; pspace_aligned s; valid_vspace_objs s; valid_asid_table s \ - \ vs_lookup_table level asid vref (s\kheap := kheap s(obj_ref \ ko)\) + \ vs_lookup_table level asid vref (s\kheap := (kheap s)(obj_ref \ ko)\) = vs_lookup_table level asid vref s" by (rule vs_lookup_table_eqI; simp split del: if_split) (clarsimp simp: opt_map_def split: option.splits) @@ -1217,7 +1217,7 @@ lemma vs_lookup_table_Some_upd_idem: "\ vs_lookup_table level asid vref s = Some (level, obj_ref); vref \ user_region; pspace_aligned s; valid_vspace_objs s; valid_asid_table s; unique_table_refs s; valid_vs_lookup s; valid_caps (caps_of_state s) s \ - \ vs_lookup_table level asid vref (s\kheap := kheap s(obj_ref \ ko)\) + \ vs_lookup_table level asid vref (s\kheap := (kheap s)(obj_ref \ ko)\) = vs_lookup_table level asid vref s" by (subst vs_lookup_table_upd_idem; simp?) (fastforce dest: no_loop_vs_lookup_table) 
@@ -1226,7 +1226,7 @@ lemma ex_vs_lookup_upd_idem: "\ \\ (level, p) s; pspace_aligned s; valid_vspace_objs s; valid_asid_table s; unique_table_refs s; valid_vs_lookup s; valid_caps (caps_of_state s) s \ - \ \\ (level, p) (s\kheap := kheap s(p \ ko)\) = \\ (level, p) s" + \ \\ (level, p) (s\kheap := (kheap s)(p \ ko)\) = \\ (level, p) s" apply (rule iffI; clarsimp) apply (rule_tac x=asid in exI) apply (rule_tac x=vref in exI) @@ -1303,7 +1303,7 @@ lemma pt_lookup_target_pt_upd_eq: by (rule pt_lookup_target_pt_eqI; clarsimp) lemma kheap_pt_upd_simp[simp]: - "(kheap s(p \ ArchObj (PageTable pt)) |> aobj_of |> pt_of) + "((kheap s)(p \ ArchObj (PageTable pt)) |> aobj_of |> pt_of) = (kheap s |> aobj_of |> pt_of)(p \ pt)" unfolding aobj_of_def opt_map_def by (auto split: kernel_object.split) @@ -1463,7 +1463,7 @@ lemma valid_machine_stateE: lemma in_user_frame_same_type_upd: "\typ_at type p s; type = a_type obj; in_user_frame q s\ - \ in_user_frame q (s\kheap := kheap s(p \ obj)\)" + \ in_user_frame q (s\kheap := (kheap s)(p \ obj)\)" apply (clarsimp simp: in_user_frame_def obj_at_def) apply (rule_tac x=sz in exI) apply (auto simp: a_type_simps) @@ -1471,7 +1471,7 @@ lemma in_user_frame_same_type_upd: lemma in_device_frame_same_type_upd: "\typ_at type p s; type = a_type obj ; in_device_frame q s\ - \ in_device_frame q (s\kheap := kheap s(p \ obj)\)" + \ in_device_frame q (s\kheap := (kheap s)(p \ obj)\)" apply (clarsimp simp: in_device_frame_def obj_at_def) apply (rule_tac x=sz in exI) apply (auto simp: a_type_simps) @@ -1509,7 +1509,7 @@ lemma valid_machine_state_heap_updI: assumes vm : "valid_machine_state s" assumes tyat : "typ_at type p s" shows - " a_type obj = type \ valid_machine_state (s\kheap := kheap s(p \ obj)\)" + " a_type obj = type \ valid_machine_state (s\kheap := (kheap s)(p \ obj)\)" apply (clarsimp simp: valid_machine_state_def) subgoal for p apply (rule valid_machine_stateE[OF vm,where p = p]) 
@@ -1668,7 +1668,7 @@ crunch interrupt_states[wp]: set_asid_pool "\s. P (interrupt_states s)" lemma vs_lookup_table_unreachable_upd_idem: "\ \level. vs_lookup_table level asid vref s \ Some (level, obj_ref); vref \ user_region; pspace_aligned s; valid_vspace_objs s; valid_asid_table s \ - \ vs_lookup_table level asid vref (s\kheap := kheap s(obj_ref \ ko)\) + \ vs_lookup_table level asid vref (s\kheap := (kheap s)(obj_ref \ ko)\) = vs_lookup_table level asid vref s" apply (subst vs_lookup_table_upd_idem; fastforce) done @@ -1676,14 +1676,14 @@ lemma vs_lookup_table_unreachable_upd_idem: lemma vs_lookup_table_unreachable_upd_idem': "\ \(\level. \\ (level, obj_ref) s); vref \ user_region; pspace_aligned s; valid_vspace_objs s; valid_asid_table s \ - \ vs_lookup_table level asid vref (s\kheap := kheap s(obj_ref \ ko)\) + \ vs_lookup_table level asid vref (s\kheap := (kheap s)(obj_ref \ ko)\) = vs_lookup_table level asid vref s" by (rule vs_lookup_table_unreachable_upd_idem; fastforce) lemma vs_lookup_target_unreachable_upd_idem: "\ \level. vs_lookup_table level asid vref s \ Some (level, obj_ref); vref \ user_region; pspace_aligned s; valid_vspace_objs s; valid_asid_table s \ - \ vs_lookup_target level asid vref (s\kheap := kheap s(obj_ref \ ko)\) + \ vs_lookup_target level asid vref (s\kheap := (kheap s)(obj_ref \ ko)\) = vs_lookup_target level asid vref s" supply fun_upd_apply[simp del] apply (clarsimp simp: vs_lookup_target_def vs_lookup_slot_def obind_assoc) 
@@ -1718,12 +1718,12 @@ lemma vs_lookup_target_unreachable_upd_idem: lemma vs_lookup_target_unreachable_upd_idem': "\ \(\level. \\ (level, obj_ref) s); vref \ user_region; pspace_aligned s; valid_vspace_objs s; valid_asid_table s \ - \ vs_lookup_target level asid vref (s\kheap := kheap s(obj_ref \ ko)\) + \ vs_lookup_target level asid vref (s\kheap := (kheap s)(obj_ref \ ko)\) = vs_lookup_target level asid vref s" by (rule vs_lookup_target_unreachable_upd_idem; fastforce) lemma vs_lookup_table_fun_upd_deep_idem: - "\ vs_lookup_table level asid vref (s\kheap := kheap s(p \ ko)\) = Some (level, p'); + "\ vs_lookup_table level asid vref (s\kheap := (kheap s)(p \ ko)\) = Some (level, p'); vs_lookup_table level' asid vref s = Some (level', p); level' \ level; vref \ user_region; unique_table_refs s; valid_vs_lookup s; valid_vspace_objs s; valid_asid_table s; pspace_aligned s; valid_caps (caps_of_state s) s \ @@ -1816,8 +1816,8 @@ lemma vs_lookup_target_pt_levelI: lemma vs_lookup_target_asid_pool_level_upd_helper: "\ graph_of ap \ graph_of ap'; kheap s p = Some (ArchObj (ASIDPool ap')); vref \ user_region; - vspace_for_pool pool_ptr asid (asid_pools_of s(p \ ap)) = Some pt_ptr; - pool_for_asid asid (s\kheap := kheap s(p \ ArchObj (ASIDPool ap))\) = Some pool_ptr\ + vspace_for_pool pool_ptr asid ((asid_pools_of s)(p \ ap)) = Some pt_ptr; + pool_for_asid asid (s\kheap := (kheap s)(p \ ArchObj (ASIDPool ap))\) = Some pool_ptr\ \ vs_lookup_target asid_pool_level asid vref s = Some (asid_pool_level, pt_ptr)" apply (clarsimp simp: pool_for_asid_vs_lookup vspace_for_pool_def in_omonad) apply (clarsimp split: if_splits) 
@@ -1828,7 +1828,7 @@ lemma vs_lookup_target_asid_pool_level_upd_helper: done lemma vs_lookup_target_None_upd_helper: - "\ vs_lookup_table level asid vref (s\kheap := kheap s(p \ ArchObj (ASIDPool ap))\) = + "\ vs_lookup_table level asid vref (s\kheap := (kheap s)(p \ ArchObj (ASIDPool ap))\) = Some (level, table_ptr); ((\pa. pte_of pa ((pts_of s)(p := None))) |> pte_ref) (pt_slot_offset level table_ptr vref) = Some target; @@ -1943,7 +1943,7 @@ lemma set_asid_pool_equal_mappings[wp]: lemma translate_address_asid_pool_upd: "pts_of s p = None \ translate_address pt_ptr vref - (\pa. pte_of pa (kheap s(p \ ArchObj (ASIDPool ap)) |> aobj_of |> pt_of)) + (\pa. pte_of pa ((kheap s)(p \ ArchObj (ASIDPool ap)) |> aobj_of |> pt_of)) = translate_address pt_ptr vref (ptes_of s)" by simp diff --git a/proof/invariant-abstract/RISCV64/ArchArch_AI.thy b/proof/invariant-abstract/RISCV64/ArchArch_AI.thy index 2ccb4b0b15..f20e00a577 100644 --- a/proof/invariant-abstract/RISCV64/ArchArch_AI.thy +++ b/proof/invariant-abstract/RISCV64/ArchArch_AI.thy @@ -442,7 +442,7 @@ context Arch begin global_naming RISCV64 lemma valid_arch_state_strg: "valid_arch_state s \ ap \ ran (asid_table s) \ asid_pool_at ap s \ - valid_arch_state (s\arch_state := arch_state s\riscv_asid_table := riscv_asid_table (arch_state s)(asid \ ap)\\)" + valid_arch_state (s\arch_state := arch_state s\riscv_asid_table := (asid_table s)(asid \ ap)\\)" apply (clarsimp simp: valid_arch_state_def) apply (clarsimp simp: valid_asid_table_def ran_def) apply (fastforce intro!: inj_on_fun_updI simp: asid_pools_at_eq) 
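Review bot: `valid_arch_state_strg` in the `@@ -442` hunk now states the updated table as `(asid_table s)(asid \<mapsto> ap)` instead of parenthesizing the original `riscv_asid_table (arch_state s)`, so this hunk changes the shape of the lemma statement rather than only its bracketing; presumably `asid_table` is an abbreviation for the same projection, but that is not visible here and should be confirmed. The `cap_insert_simple_arch_caps_ap` hunk makes the same substitution, whereas `cap_insert_ap_invs` and the `@@ -806` proof in the same file keep `((riscv_asid_table \<circ> arch_state) s)(asid_high_bits_of asid \<mapsto> ap)`, leaving the file with several spellings of one update. Pick one form for the file, `(asid_table s)(asid_high_bits_of asid \<mapsto> ap)` if the abbreviation is the intended canonical spelling, or leave the statement form untouched in this migration commit so the diff stays mechanically checkable. The proof of `valid_arch_state_strg` continues past the end of the hunk.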
@@ -467,7 +467,7 @@ lemma valid_asid_pool_caps_upd_strg: (\ptr cap. caps_of_state s ptr = Some cap \ obj_refs cap = {ap} \ vs_cap_ref cap = Some (ucast asid << asid_low_bits, 0)) \ - valid_asid_pool_caps_2 (caps_of_state s) (asid_table s(asid \ ap))" + valid_asid_pool_caps_2 (caps_of_state s) ((asid_table s)(asid \ ap))" apply clarsimp apply (prop_tac "asid_update ap asid s", (unfold_locales; assumption)) apply (fastforce dest: asid_update.valid_asid_pool_caps') @@ -560,7 +560,7 @@ lemma cap_insert_simple_arch_caps_ap: and K (cap = ArchObjectCap (ASIDPoolCap ap asid) \ is_aligned asid asid_low_bits) \ cap_insert cap src dest \\rv s. valid_arch_caps (s\arch_state := arch_state s - \riscv_asid_table := riscv_asid_table (arch_state s)(asid_high_bits_of asid \ ap)\\)\" + \riscv_asid_table := (asid_table s)(asid_high_bits_of asid \ ap)\\)\" apply (simp add: cap_insert_def update_cdt_def set_cdt_def valid_arch_caps_def set_untyped_cap_as_full_def bind_assoc) apply (strengthen valid_vs_lookup_at_upd_strg valid_asid_pool_caps_upd_strg) @@ -652,7 +652,7 @@ lemma cap_insert_ap_invs: asid_table s (asid_high_bits_of asid) = None)\ cap_insert cap src dest \\rv s. invs (s\arch_state := arch_state s - \riscv_asid_table := (riscv_asid_table \ arch_state) s(asid_high_bits_of asid \ ap)\\)\" + \riscv_asid_table := ((riscv_asid_table \ arch_state) s)(asid_high_bits_of asid \ ap)\\)\" apply (simp add: invs_def valid_state_def valid_pspace_def) apply (strengthen valid_arch_state_strg valid_vspace_objs_asid_upd_strg equal_kernel_mappings_asid_upd_strg valid_asid_map_asid_upd_strg 
@@ -806,11 +806,11 @@ proof - \\rv s. invs (s\arch_state := arch_state s - \riscv_asid_table := (riscv_asid_table \ arch_state) s + \riscv_asid_table := ((riscv_asid_table \ arch_state) s) (asid_high_bits_of asid \ ap)\\) \ Q (s\arch_state := arch_state s - \riscv_asid_table := (riscv_asid_table \ arch_state) s + \riscv_asid_table := ((riscv_asid_table \ arch_state) s) (asid_high_bits_of asid \ ap)\\)\" apply (wp cap_insert_ap_invs) apply simp diff --git a/proof/invariant-abstract/RISCV64/ArchCNodeInv_AI.thy b/proof/invariant-abstract/RISCV64/ArchCNodeInv_AI.thy index 689a352cd6..1cf7ddc90e 100644 --- a/proof/invariant-abstract/RISCV64/ArchCNodeInv_AI.thy +++ b/proof/invariant-abstract/RISCV64/ArchCNodeInv_AI.thy @@ -545,7 +545,7 @@ context Arch begin global_naming RISCV64 lemma post_cap_delete_pre_is_final_cap': "\s. \valid_ioports s; caps_of_state s slot = Some cap; is_final_cap' cap s; cap_cleanup_opt cap \ NullCap\ - \ post_cap_delete_pre (cap_cleanup_opt cap) (caps_of_state s(slot \ NullCap))" + \ post_cap_delete_pre (cap_cleanup_opt cap) ((caps_of_state s)(slot \ NullCap))" apply (clarsimp simp: cap_cleanup_opt_def cte_wp_at_def post_cap_delete_pre_def split: cap.split_asm if_split_asm elim!: ranE dest!: caps_of_state_cteD) diff --git a/proof/invariant-abstract/RISCV64/ArchCSpacePre_AI.thy b/proof/invariant-abstract/RISCV64/ArchCSpacePre_AI.thy index 168c983d2e..63fdd76207 100644 --- a/proof/invariant-abstract/RISCV64/ArchCSpacePre_AI.thy +++ b/proof/invariant-abstract/RISCV64/ArchCSpacePre_AI.thy 
@@ -152,7 +152,7 @@ lemma arch_derived_is_device: lemma valid_arch_mdb_simple: "\ valid_arch_mdb (is_original_cap s) (caps_of_state s); is_simple_cap cap; caps_of_state s src = Some capa\ \ - valid_arch_mdb ((is_original_cap s) (dest := is_cap_revocable cap capa)) (caps_of_state s(dest \ cap))" + valid_arch_mdb ((is_original_cap s) (dest := is_cap_revocable cap capa)) ((caps_of_state s)(dest \ cap))" by (auto simp: valid_arch_mdb_def is_cap_revocable_def arch_is_cap_revocable_def is_simple_cap_def safe_parent_for_def is_cap_simps) 
@@ -177,34 +177,34 @@ lemma set_untyped_cap_as_full_valid_arch_mdb: lemma valid_arch_mdb_not_arch_cap_update: "\s cap capa. \\is_arch_cap cap; valid_arch_mdb (is_original_cap s) (caps_of_state s)\ \ valid_arch_mdb ((is_original_cap s)(dest := True)) - (caps_of_state s(src \ cap, dest\capa))" + ((caps_of_state s)(src \ cap, dest\capa))" by (auto simp: valid_arch_mdb_def) lemma valid_arch_mdb_derived_cap_update: "\s capa. \valid_arch_mdb (is_original_cap s) (caps_of_state s); is_derived (cdt s) src cap capa\ \ valid_arch_mdb ((is_original_cap s)(dest := is_cap_revocable cap capa)) - (caps_of_state s(dest \ cap))" + ((caps_of_state s)(dest \ cap))" by (clarsimp simp: valid_arch_mdb_def) lemma valid_arch_mdb_free_index_update': "\s capa. \valid_arch_mdb (is_original_cap s) (caps_of_state s); caps_of_state s src = Some capa; is_untyped_cap cap\ \ valid_arch_mdb ((is_original_cap s) (dest := is_cap_revocable cap capa)) - (caps_of_state s(dest \ cap, src \ max_free_index_update capa))" + ((caps_of_state s)(dest \ cap, src \ max_free_index_update capa))" by (auto simp: valid_arch_mdb_def) lemma valid_arch_mdb_weak_derived_update: "\s capa. \valid_arch_mdb (is_original_cap s) (caps_of_state s); caps_of_state s src = Some capa; weak_derived cap capa\ \ valid_arch_mdb ((is_original_cap s) (dest := is_original_cap s src, src := False)) - (caps_of_state s(dest \ cap, src \ NullCap))" + ((caps_of_state s)(dest \ cap, src \ NullCap))" by (auto simp: valid_arch_mdb_def) lemma valid_arch_mdb_tcb_cnode_update: "valid_arch_mdb (is_original_cap s) (caps_of_state s) \ valid_arch_mdb ((is_original_cap s) ((t, tcb_cnode_index 2) := True)) - (caps_of_state s((t, tcb_cnode_index 2) \ ReplyCap t True canReplyGrant))" + ((caps_of_state s)((t, tcb_cnode_index 2) \ ReplyCap t True canReplyGrant))" by (clarsimp simp: valid_arch_mdb_def) lemmas valid_arch_mdb_updates = valid_arch_mdb_free_index_update valid_arch_mdb_not_arch_cap_update 
@@ -237,10 +237,10 @@ lemma valid_arch_mdb_null_filter: lemma valid_arch_mdb_untypeds: "\s. valid_arch_mdb (is_original_cap s) (caps_of_state s) \ valid_arch_mdb (\x. x \ cref \ is_original_cap s x) - (caps_of_state s(cref \ default_cap tp oref sz dev))" + ((caps_of_state s)(cref \ default_cap tp oref sz dev))" "\s. valid_arch_mdb (is_original_cap s) (caps_of_state s) \ valid_arch_mdb (is_original_cap s) - (caps_of_state s(cref \ UntypedCap dev ptr sz idx))" + ((caps_of_state s)(cref \ UntypedCap dev ptr sz idx))" by (clarsimp simp: valid_arch_mdb_def)+ end diff --git a/proof/invariant-abstract/RISCV64/ArchCSpace_AI.thy b/proof/invariant-abstract/RISCV64/ArchCSpace_AI.thy index c64dcdad81..5465278de5 100644 --- a/proof/invariant-abstract/RISCV64/ArchCSpace_AI.thy +++ b/proof/invariant-abstract/RISCV64/ArchCSpace_AI.thy @@ -175,7 +175,7 @@ lemma is_derived_is_cap: lemma vs_lookup_pages_non_aobj_upd: "\ kheap s p = Some ko; \ is_ArchObj ko; \ is_ArchObj ko' \ - \ vs_lookup_pages (s\kheap := kheap s(p \ ko')\) = vs_lookup_pages s" + \ vs_lookup_pages (s\kheap := (kheap s)(p \ ko')\) = vs_lookup_pages s" unfolding vs_lookup_target_def vs_lookup_slot_def apply (frule aobjs_of_non_aobj_upd[where ko'=ko'], simp+) apply (rule ext)+ @@ -190,7 +190,7 @@ lemma vs_lookup_pages_non_aobj_upd: lemma vs_lookup_target_non_aobj_upd: "\ kheap s p = Some ko; \ is_ArchObj ko; \ is_ArchObj ko' \ - \ vs_lookup_target level asid vref (s\kheap := kheap s(p \ ko')\) + \ vs_lookup_target level asid vref (s\kheap := (kheap s)(p \ ko')\) = vs_lookup_target level asid vref s" by (drule vs_lookup_pages_non_aobj_upd[where ko'=ko'], auto dest: fun_cong) diff --git a/proof/invariant-abstract/RISCV64/ArchFinalise_AI.thy b/proof/invariant-abstract/RISCV64/ArchFinalise_AI.thy index c8b3ec5785..b441746b16 100644 --- a/proof/invariant-abstract/RISCV64/ArchFinalise_AI.thy +++ b/proof/invariant-abstract/RISCV64/ArchFinalise_AI.thy 
@@ -390,7 +390,7 @@ lemma arch_thread_set_cur_tcb[wp]: "\cur_tcb\ arch_thread_set p lemma cte_wp_at_update_some_tcb: "\kheap s v = Some (TCB tcb) ; tcb_cnode_map tcb = tcb_cnode_map (f tcb)\ - \ cte_wp_at P p (s\kheap := kheap s (v \ TCB (f tcb))\) = cte_wp_at P p s" + \ cte_wp_at P p (s\kheap := (kheap s)(v \ TCB (f tcb))\) = cte_wp_at P p s" apply (clarsimp simp: cte_wp_at_cases2 dest!: get_tcb_SomeD) done @@ -551,7 +551,7 @@ lemma arch_thread_set_valid_objs_context[wp]: lemma sym_refs_update_some_tcb: "\kheap s v = Some (TCB tcb) ; refs_of (TCB tcb) = refs_of (TCB (f tcb))\ - \ sym_refs (state_refs_of (s\kheap := kheap s (v \ TCB (f tcb))\)) = sym_refs (state_refs_of s)" + \ sym_refs (state_refs_of (s\kheap := (kheap s)(v \ TCB (f tcb))\)) = sym_refs (state_refs_of s)" apply (rule_tac f=sym_refs in arg_cong) apply (rule all_ext) apply (clarsimp simp: sym_refs_def state_refs_of_def) @@ -707,7 +707,7 @@ lemmas reachable_frame_cap_simps = reachable_frame_cap_def[unfolded is_frame_cap_def arch_cap_fun_lift_def, split_simps cap.split] lemma vs_lookup_slot_non_PageTablePTE: - "\ ptes_of s p \ None; ptes_of s' = ptes_of s(p \ pte); \ is_PageTablePTE pte; + "\ ptes_of s p \ None; ptes_of s' = (ptes_of s)(p \ pte); \ is_PageTablePTE pte; asid_pools_of s' = asid_pools_of s; asid_table s' = asid_table s; valid_asid_table s; pspace_aligned s\ \ vs_lookup_slot level asid vref s' = @@ -1304,7 +1304,7 @@ lemma set_asid_pool_obj_at_ptr: locale_abbrev "asid_table_update asid ap s \ - s\arch_state := arch_state s\riscv_asid_table := riscv_asid_table (arch_state s)(asid \ ap)\\" + s\arch_state := arch_state s\riscv_asid_table := (asid_table s)(asid \ ap)\\" lemma valid_table_caps_table [simp]: "valid_table_caps (s\arch_state := arch_state s\riscv_asid_table := table'\\) = valid_table_caps s" diff --git a/proof/invariant-abstract/RISCV64/ArchInvariants_AI.thy b/proof/invariant-abstract/RISCV64/ArchInvariants_AI.thy index 1282e5da33..44ef380453 100644 
--- a/proof/invariant-abstract/RISCV64/ArchInvariants_AI.thy +++ b/proof/invariant-abstract/RISCV64/ArchInvariants_AI.thy @@ -2607,7 +2607,7 @@ lemma vs_lookup_table_eq_lift: lemma aobjs_of_non_aobj_upd: "\ kheap s p = Some ko; \ is_ArchObj ko; \ is_ArchObj ko' \ - \ kheap s(p \ ko') |> aobj_of = aobjs_of s" + \ (kheap s)(p \ ko') |> aobj_of = aobjs_of s" by (rule ext) (auto simp: opt_map_def is_ArchObj_def aobj_of_def split: kernel_object.splits if_split_asm) diff --git a/proof/invariant-abstract/RISCV64/ArchIpc_AI.thy b/proof/invariant-abstract/RISCV64/ArchIpc_AI.thy index 0eccce1718..c416daba7d 100644 --- a/proof/invariant-abstract/RISCV64/ArchIpc_AI.thy +++ b/proof/invariant-abstract/RISCV64/ArchIpc_AI.thy @@ -492,7 +492,7 @@ lemma valid_arch_mdb_cap_swap: \ valid_arch_mdb ((is_original_cap s) (a := is_original_cap s b, b := is_original_cap s a)) - (caps_of_state s(a \ c', b \ c))" + ((caps_of_state s)(a \ c', b \ c))" by (auto simp: valid_arch_mdb_def) end diff --git a/proof/invariant-abstract/RISCV64/ArchKHeap_AI.thy b/proof/invariant-abstract/RISCV64/ArchKHeap_AI.thy index 2a0ddb8847..5484dab712 100644 --- a/proof/invariant-abstract/RISCV64/ArchKHeap_AI.thy +++ b/proof/invariant-abstract/RISCV64/ArchKHeap_AI.thy @@ -288,7 +288,7 @@ lemma translate_address_lift_weak: done lemma set_pt_pts_of: - "\\s. pts_of s p \ None \ P (pts_of s (p \ pt)) \ set_pt p pt \\_ s. P (pts_of s)\" + "\\s. pts_of s p \ None \ P ((pts_of s)(p \ pt)) \ set_pt p pt \\_ s. P (pts_of s)\" unfolding set_pt_def by (wpsimp wp: set_object_wp) (auto elim!: rsubst[where P=P] simp: opt_map_def split: option.splits) 
@@ -310,7 +310,7 @@ lemma pte_ptr_eq: by (fastforce simp: not_le bit_simps) lemma store_pte_ptes_of: - "\\s. ptes_of s p \ None \ P (ptes_of s (p \ pte)) \ store_pte p pte \\_ s. P (ptes_of s)\" + "\\s. ptes_of s p \ None \ P ((ptes_of s)(p \ pte)) \ store_pte p pte \\_ s. P (ptes_of s)\" unfolding store_pte_def pte_of_def apply (wpsimp wp: set_pt_pts_of simp: in_omonad) by (auto simp: obind_def opt_map_def split: option.splits dest!: pte_ptr_eq elim!: rsubst[where P=P]) @@ -371,7 +371,7 @@ lemma vs_lookup_slot_no_asid: If performing a shallower lookup than the one requested results in p, then any deeper lookup in the updated state will return a higher level result along the original path. *) lemma vs_lookup_non_PageTablePTE: - "\ ptes_of s p \ None; ptes_of s' = ptes_of s (p \ pte); + "\ ptes_of s p \ None; ptes_of s' = (ptes_of s)(p \ pte); \ is_PageTablePTE pte; asid_pools_of s' = asid_pools_of s; asid_table s' = asid_table s; @@ -414,7 +414,7 @@ lemma vs_lookup_non_PageTablePTE: apply (subst pt_walk.simps) apply (subst (2) pt_walk.simps) apply (simp add: less_imp_le cong: if_cong) - apply (subgoal_tac "(ptes_of s(p \ pte)) (pt_slot_offset (x + 1) b vref) + apply (subgoal_tac "((ptes_of s)(p \ pte)) (pt_slot_offset (x + 1) b vref) = ptes_of s (pt_slot_offset (x + 1) b vref)") apply (simp add: obind_def split: option.splits) apply clarsimp @@ -453,7 +453,7 @@ lemma store_pte_non_PageTablePTE_vs_lookup: lemma store_pte_not_ao[wp]: "\\s. \pt. aobjs_of s (p && ~~mask pt_bits) = Some (PageTable pt) \ - P (aobjs_of s (p && ~~mask pt_bits \ + P ((aobjs_of s)(p && ~~mask pt_bits \ PageTable (pt (ucast (p && mask pt_bits >> pte_bits) := pte))))\ store_pte p pte \\_ s. P (aobjs_of s)\" 
@@ -725,20 +725,20 @@ crunch device_state_inv: storeWord "\ms. P (device_state ms)" (* some hyp_ref invariants *) lemma state_hyp_refs_of_ep_update: "\s ep val. typ_at AEndpoint ep s \ - state_hyp_refs_of (s\kheap := kheap s(ep \ Endpoint val)\) = state_hyp_refs_of s" + state_hyp_refs_of (s\kheap := (kheap s)(ep \ Endpoint val)\) = state_hyp_refs_of s" apply (rule all_ext) apply (clarsimp simp add: state_hyp_refs_of_def obj_at_def hyp_refs_of_def) done lemma state_hyp_refs_of_ntfn_update: "\s ep val. typ_at ANTFN ep s \ - state_hyp_refs_of (s\kheap := kheap s(ep \ Notification val)\) = state_hyp_refs_of s" + state_hyp_refs_of (s\kheap := (kheap s)(ep \ Notification val)\) = state_hyp_refs_of s" apply (rule all_ext) apply (clarsimp simp add: state_hyp_refs_of_def obj_at_def hyp_refs_of_def) done lemma state_hyp_refs_of_tcb_bound_ntfn_update: "kheap s t = Some (TCB tcb) \ - state_hyp_refs_of (s\kheap := kheap s(t \ TCB (tcb\tcb_bound_notification := ntfn\))\) + state_hyp_refs_of (s\kheap := (kheap s)(t \ TCB (tcb\tcb_bound_notification := ntfn\))\) = state_hyp_refs_of s" apply (rule all_ext) apply (clarsimp simp add: state_hyp_refs_of_def obj_at_def split: option.splits) @@ -746,7 +746,7 @@ lemma state_hyp_refs_of_tcb_bound_ntfn_update: lemma state_hyp_refs_of_tcb_state_update: "kheap s t = Some (TCB tcb) \ - state_hyp_refs_of (s\kheap := kheap s(t \ TCB (tcb\tcb_state := ts\))\) + state_hyp_refs_of (s\kheap := (kheap s)(t \ TCB (tcb\tcb_state := ts\))\) = state_hyp_refs_of s" apply (rule all_ext) apply (clarsimp simp add: state_hyp_refs_of_def obj_at_def split: option.splits) @@ -761,7 +761,7 @@ lemma default_tcb_not_live[simp]: "\ live (TCB default_tcb)" lemma valid_arch_tcb_same_type: "\ valid_arch_tcb t s; valid_obj p k s; kheap s p = Some ko; a_type k = a_type ko \ - \ valid_arch_tcb t (s\kheap := kheap s(p \ k)\)" + \ valid_arch_tcb t (s\kheap := (kheap s)(p \ k)\)" by (auto simp: valid_arch_tcb_def obj_at_def) 
@@ -782,12 +782,12 @@ lemma valid_arch_mdb_lift: (* interface lemma *) lemma arch_valid_obj_same_type: "\ arch_valid_obj ao s; kheap s p = Some ko; a_type k = a_type ko \ - \ arch_valid_obj ao (s\kheap := kheap s(p \ k)\)" + \ arch_valid_obj ao (s\kheap := (kheap s)(p \ k)\)" by simp lemma valid_vspace_obj_same_type: "\valid_vspace_obj l ao s; kheap s p = Some ko; a_type ko' = a_type ko\ - \ valid_vspace_obj l ao (s\kheap := kheap s(p \ ko')\)" + \ valid_vspace_obj l ao (s\kheap := (kheap s)(p \ ko')\)" apply (rule hoare_to_pure_kheap_upd[OF valid_vspace_obj_typ]) by (auto simp: obj_at_def) diff --git a/proof/invariant-abstract/RISCV64/ArchVSpace_AI.thy b/proof/invariant-abstract/RISCV64/ArchVSpace_AI.thy index 51085c42f8..1d9310f722 100644 --- a/proof/invariant-abstract/RISCV64/ArchVSpace_AI.thy +++ b/proof/invariant-abstract/RISCV64/ArchVSpace_AI.thy @@ -1446,7 +1446,7 @@ end locale asid_pool_map = Arch + fixes s ap pool asid ptp pt and s' :: "'a::state_ext state" - defines "s' \ s\kheap := kheap s(ap \ ArchObj (ASIDPool (pool(asid_low_bits_of asid \ ptp))))\" + defines "s' \ s\kheap := (kheap s)(ap \ ArchObj (ASIDPool (pool(asid_low_bits_of asid \ ptp))))\" assumes ap: "asid_pools_of s ap = Some pool" assumes new: "pool (asid_low_bits_of asid) = None" assumes pt: "pts_of s ptp = Some pt" diff --git a/proof/invariant-abstract/Retype_AI.thy b/proof/invariant-abstract/Retype_AI.thy index efbd4d9931..0aa287b830 100644 --- a/proof/invariant-abstract/Retype_AI.thy +++ b/proof/invariant-abstract/Retype_AI.thy @@ -979,7 +979,7 @@ lemma non_disjoing_subset: "\A \ B; A \ C \ {}\< lemma pspace_no_overlap_same_type: "\pspace_no_overlap S s; ko_at k p s; a_type ko = a_type k\ - \ pspace_no_overlap S (kheap_update (\_. (kheap s(p \ ko))) s)" + \ pspace_no_overlap S (kheap_update (\_. (kheap s)(p \ ko)) s)" unfolding pspace_no_overlap_def by (clarsimp simp: obj_at_def obj_bits_T) 
diff --git a/proof/invariant-abstract/Syscall_AI.thy b/proof/invariant-abstract/Syscall_AI.thy index 6be4682327..aa77e2d0ad 100644 --- a/proof/invariant-abstract/Syscall_AI.thy +++ b/proof/invariant-abstract/Syscall_AI.thy @@ -323,7 +323,7 @@ lemma (in Systemcall_AI_Pre) handle_fault_reply_cte_wp_at: done have NC: "\p' s tcb P nc. get_tcb p' s = Some tcb - \ cte_wp_at P p (s\kheap := kheap s(p' \ TCB (tcb\tcb_arch := arch_tcb_context_set nc (tcb_arch tcb)\))\) + \ cte_wp_at P p (s\kheap := (kheap s)(p' \ TCB (tcb\tcb_arch := arch_tcb_context_set nc (tcb_arch tcb)\))\) = cte_wp_at P p s" apply (drule_tac nc=nc in SC) apply (drule_tac P=P and p=p in cte_wp_at_after_update) diff --git a/proof/invariant-abstract/TcbAcc_AI.thy b/proof/invariant-abstract/TcbAcc_AI.thy index 5bf5055026..2c1782977a 100644 --- a/proof/invariant-abstract/TcbAcc_AI.thy +++ b/proof/invariant-abstract/TcbAcc_AI.thy @@ -72,7 +72,7 @@ lemma (in TcbAcc_AI_arch_tcb_context_set_eq) thread_get_as_user: apply (clarsimp simp: gets_the_member set_object_def get_object_def in_monad bind_assoc gets_def put_def bind_def get_def return_def select_f_def dest!: get_tcb_SomeD) - apply (subgoal_tac "kheap s(t \ TCB v) = kheap s", simp) + apply (subgoal_tac "(kheap s)(t \ TCB v) = kheap s", simp) apply fastforce done diff --git a/proof/invariant-abstract/Untyped_AI.thy b/proof/invariant-abstract/Untyped_AI.thy index fcecaf74f0..015e552c2a 100644 --- a/proof/invariant-abstract/Untyped_AI.thy +++ b/proof/invariant-abstract/Untyped_AI.thy @@ -36,7 +36,7 @@ primrec \ 'z::state_ext state \ bool" where "valid_untyped_inv_wcap (Retype slot reset ptr_base ptr ty us slots dev) - = (\co s. \sz idx. (cte_wp_at (\c. c = (cap.UntypedCap dev ptr_base sz idx) + = (\co s. \sz idx. (cte_wp_at (\c. c = (UntypedCap dev ptr_base sz idx) \ (co = None \ co = Some c)) slot s \ range_cover ptr sz (obj_bits_api ty us) (length slots) \ (idx \ unat (ptr - ptr_base) \ (reset \ ptr = ptr_base)) 
@@ -169,7 +169,7 @@ lemma compute_free_index_wp: lemma dui_inv[wp]: - "\P\ decode_untyped_invocation label args slot (cap.UntypedCap dev w n idx) cs \\rv. P\" + "\P\ decode_untyped_invocation label args slot (UntypedCap dev w n idx) cs \\rv. P\" apply (simp add: decode_untyped_invocation_def whenE_def split_def data_to_obj_type_def unlessE_def split del: if_split cong: if_cong) @@ -268,11 +268,11 @@ locale Untyped_AI_arch = assumes data_to_obj_type_sp: "\P x. \P\ data_to_obj_type x \\ts (s::'state_ext state). ts \ ArchObject ASIDPoolObj \ P s\, -" assumes dui_inv_wf[wp]: - "\w sz idx slot cs label args dev.\invs and cte_wp_at ((=) (cap.UntypedCap dev w sz idx)) slot + "\w sz idx slot cs label args dev.\invs and cte_wp_at ((=) (UntypedCap dev w sz idx)) slot and (\(s::'state_ext state). \cap \ set cs. is_cnode_cap cap \ (\r\cte_refs cap (interrupt_irq_node s). ex_cte_cap_wp_to is_cnode_cap r s)) and (\s. \x \ set cs. s \ x)\ - decode_untyped_invocation label args slot (cap.UntypedCap dev w sz idx) cs + decode_untyped_invocation label args slot (UntypedCap dev w sz idx) cs \valid_untyped_inv\,-" assumes retype_ret_valid_caps_captable: "\ptr sz dev us n s.\pspace_no_overlap_range_cover ptr sz (s::'state_ext state) \ 0 < us \ range_cover ptr sz (obj_bits_api CapTableObject us) n \ ptr \ 0 @@ -536,7 +536,7 @@ end lemma cte_wp_at_range_cover: "\bits < word_bits; rv\ 2^ sz; invs s; - cte_wp_at ((=) (cap.UntypedCap dev w sz idx)) p s; + cte_wp_at ((=) (UntypedCap dev w sz idx)) p s; 0 < n; n \ unat ((2::machine_word) ^ sz - of_nat rv >> bits)\ \ range_cover (alignUp (w + of_nat rv) bits) sz bits n" apply (clarsimp simp: cte_wp_at_caps_of_state) 
@@ -567,7 +567,7 @@ lemma diff_neg_mask[simp]: lemma cte_wp_at_caps_descendants_range_inI: - "\ invs s;cte_wp_at (\c. c = cap.UntypedCap dev (ptr && ~~ mask sz) sz idx) cref s; + "\ invs s;cte_wp_at (\c. c = UntypedCap dev (ptr && ~~ mask sz) sz idx) cref s; idx \ unat (ptr && mask sz);sz < word_bits \ \ descendants_range_in {ptr .. (ptr && ~~mask sz) + 2^sz - 1} cref s" apply (frule invs_mdb) apply (frule(1) le_mask_le_2p) @@ -717,15 +717,15 @@ lemma of_nat_shiftR: lemma valid_untypedD: - "\ s \ cap.UntypedCap dev ptr bits idx; kheap s p = Some ko; pspace_aligned s\ \ - obj_range p ko \ cap_range (cap.UntypedCap dev ptr bits idx) \ {} \ - obj_range p ko \ cap_range (cap.UntypedCap dev ptr bits idx) - \ obj_range p ko \ usable_untyped_range (cap.UntypedCap dev ptr bits idx) = {}" + "\ s \ UntypedCap dev ptr bits idx; kheap s p = Some ko; pspace_aligned s\ \ + obj_range p ko \ cap_range (UntypedCap dev ptr bits idx) \ {} \ + obj_range p ko \ cap_range (UntypedCap dev ptr bits idx) + \ obj_range p ko \ usable_untyped_range (UntypedCap dev ptr bits idx) = {}" by (clarsimp simp: valid_untyped_def valid_cap_def cap_range_def obj_range_def) (meson order_trans) lemma pspace_no_overlap_detype': - "\ s \ cap.UntypedCap dev ptr bits idx; pspace_aligned s; valid_objs s \ + "\ s \ UntypedCap dev ptr bits idx; pspace_aligned s; valid_objs s \ \ pspace_no_overlap {ptr .. ptr + 2 ^ bits - 1} (detype {ptr .. ptr + 2 ^ bits - 1} s)" apply (clarsimp simp del: atLeastAtMost_iff atLeastatMost_subset_iff atLeastLessThan_iff Int_atLeastAtMost atLeastatMost_empty_iff @@ -740,7 +740,7 @@ lemma pspace_no_overlap_detype': done lemma pspace_no_overlap_detype: - "\ s \ cap.UntypedCap dev ptr bits idx; pspace_aligned s; valid_objs s \ + "\ s \ UntypedCap dev ptr bits idx; pspace_aligned s; valid_objs s \ \ pspace_no_overlap_range_cover ptr bits (detype {ptr .. ptr + 2 ^ bits - 1} s)" apply (drule(2) pspace_no_overlap_detype'[rotated]) apply (drule valid_cap_aligned) 
@@ -1394,8 +1394,8 @@ lemma set_zip_helper: lemma ex_cte_cap_protects: - "\ ex_cte_cap_wp_to P p s; cte_wp_at ((=) (cap.UntypedCap dev ptr bits idx)) p' s; - descendants_range_in S p' s; untyped_children_in_mdb s; S\ untyped_range (cap.UntypedCap dev ptr bits idx); + "\ ex_cte_cap_wp_to P p s; cte_wp_at ((=) (UntypedCap dev ptr bits idx)) p' s; + descendants_range_in S p' s; untyped_children_in_mdb s; S\ untyped_range (UntypedCap dev ptr bits idx); valid_global_refs s \ \ fst p \ S" apply (drule ex_cte_cap_to_obj_ref_disj, erule disjE) @@ -1582,7 +1582,7 @@ crunch mdb[wp]: do_machine_op "\s. P (cdt s)" lemmas dmo_valid_cap[wp] = valid_cap_typ [OF do_machine_op_obj_at] lemma delete_objects_pspace_no_overlap[wp]: - "\\s. (\dev idx. s \ (cap.UntypedCap dev ptr bits idx)) + "\\s. (\dev idx. s \ (UntypedCap dev ptr bits idx)) \ pspace_aligned s \ valid_objs s \ (S = {ptr .. ptr + 2 ^ bits - 1})\ delete_objects ptr bits \\_. pspace_no_overlap S\" @@ -1667,7 +1667,7 @@ lemma caps_overlap_reserved_def2: lemma set_cap_valid_mdb_simple: "\\s. valid_objs s \ valid_mdb s \ descendants_range_in {ptr .. ptr+2^sz - 1} cref s \ cte_wp_at (\c. is_untyped_cap c \ cap_bits c = sz \ obj_ref_of c = ptr \ cap_is_device c = dev) cref s\ - set_cap (cap.UntypedCap dev ptr sz idx) cref + set_cap (UntypedCap dev ptr sz idx) cref \\rv s'. valid_mdb s'\" apply (simp add: valid_mdb_def) apply (rule hoare_pre) 
@@ -1682,8 +1682,8 @@ lemma set_cap_valid_mdb_simple: fix s f r bits dev assume obj:"valid_objs s" assume mdb:"untyped_mdb (cdt s) (caps_of_state s)" - assume cstate:"caps_of_state s cref = Some (cap.UntypedCap dev r bits f)" (is "?m cref = Some ?srccap") - show "untyped_mdb (cdt s) (caps_of_state s(cref \ cap.UntypedCap dev r bits idx))" + assume cstate:"caps_of_state s cref = Some (UntypedCap dev r bits f)" (is "?m cref = Some ?srccap") + show "untyped_mdb (cdt s) ((caps_of_state s)(cref \ UntypedCap dev r bits idx))" apply (rule untyped_mdb_update_free_index [where capa = ?srccap and m = "caps_of_state s" and src = cref, unfolded free_index_update_def,simplified,THEN iffD2]) @@ -1691,12 +1691,12 @@ lemma set_cap_valid_mdb_simple: done assume inc: "untyped_inc (cdt s) (caps_of_state s)" assume drange: "descendants_range_in {r..r + 2 ^ bits - 1} cref s" - have untyped_range_simp: "untyped_range (cap.UntypedCap dev r bits f) = untyped_range (cap.UntypedCap dev r bits idx)" + have untyped_range_simp: "untyped_range (UntypedCap dev r bits f) = untyped_range (UntypedCap dev r bits idx)" by simp note blah[simp del] = untyped_range.simps usable_untyped_range.simps atLeastAtMost_iff atLeastatMost_subset_iff atLeastLessThan_iff Int_atLeastAtMost atLeastatMost_empty_iff split_paired_Ex - show "untyped_inc (cdt s) (caps_of_state s(cref \ cap.UntypedCap dev r bits idx))" + show "untyped_inc (cdt s) ((caps_of_state s)(cref \ UntypedCap dev r bits idx))" using inc cstate drange apply (unfold untyped_inc_def) apply (intro allI impI) 
@@ -1763,15 +1763,15 @@ lemma set_cap_valid_mdb_simple: apply simp+ done assume "ut_revocable (is_original_cap s) (caps_of_state s)" - thus "ut_revocable (is_original_cap s) (caps_of_state s(cref \ cap.UntypedCap dev r bits idx))" + thus "ut_revocable (is_original_cap s) ((caps_of_state s)(cref \ UntypedCap dev r bits idx))" using cstate by (fastforce simp: ut_revocable_def) assume "valid_arch_mdb (is_original_cap s) (caps_of_state s)" - thus "valid_arch_mdb (is_original_cap s) (caps_of_state s(cref \ cap.UntypedCap dev r bits idx))" + thus "valid_arch_mdb (is_original_cap s) ((caps_of_state s)(cref \ UntypedCap dev r bits idx))" using cstate by (fastforce elim!: valid_arch_mdb_untypeds) assume "reply_caps_mdb (cdt s) (caps_of_state s)" - thus "reply_caps_mdb (cdt s) (caps_of_state s(cref \ cap.UntypedCap dev r bits idx))" + thus "reply_caps_mdb (cdt s) ((caps_of_state s)(cref \ UntypedCap dev r bits idx))" using cstate apply (simp add: reply_caps_mdb_def del: split_paired_All) apply (intro allI impI conjI) @@ -1782,7 +1782,7 @@ lemma set_cap_valid_mdb_simple: apply clarsimp done assume "reply_masters_mdb (cdt s) (caps_of_state s)" - thus "reply_masters_mdb (cdt s) (caps_of_state s(cref \ cap.UntypedCap dev r bits idx))" + thus "reply_masters_mdb (cdt s) ((caps_of_state s)(cref \ UntypedCap dev r bits idx))" apply (simp add: reply_masters_mdb_def del: split_paired_All) apply (intro allI impI ballI) apply (erule exE) 
@@ -1794,8 +1794,8 @@ lemma set_cap_valid_mdb_simple: assume misc: "mdb_cte_at (swp (cte_wp_at ((\) cap.NullCap)) s) (cdt s)" "descendants_inc (cdt s) (caps_of_state s)" - "caps_of_state s cref = Some (cap.UntypedCap dev r bits f)" - thus "descendants_inc (cdt s) (caps_of_state s(cref \ cap.UntypedCap dev r bits idx))" + "caps_of_state s cref = Some (UntypedCap dev r bits f)" + thus "descendants_inc (cdt s) ((caps_of_state s)(cref \ UntypedCap dev r bits idx))" apply - apply (erule descendants_inc_minor) apply (clarsimp simp: swp_def cte_wp_at_caps_of_state) @@ -1810,7 +1810,7 @@ lemma set_free_index_valid_pspace_simple: \ descendants_range_in {ptr .. ptr+2^sz - 1} cref s \ cte_wp_at (\c. is_untyped_cap c \ cap_bits c = sz \ obj_ref_of c = ptr) cref s \ idx \ 2^ sz\ - set_cap (cap.UntypedCap dev ptr sz idx) cref + set_cap (UntypedCap dev ptr sz idx) cref \\rv s'. valid_pspace s'\" apply (clarsimp simp: valid_pspace_def) apply (wp set_cap_valid_objs update_cap_iflive set_cap_zombies') @@ -1844,9 +1844,9 @@ lemma set_untyped_cap_refs_respects_device_simple: lemma set_untyped_cap_caps_overlap_reserved: "\\s. invs s \ S \ {ptr..ptr + 2 ^ sz - 1} \ - usable_untyped_range (cap.UntypedCap dev ptr sz idx') \ S = {} \ - descendants_range_in S cref s \ cte_wp_at ((=) (cap.UntypedCap dev ptr sz idx)) cref s\ - set_cap (cap.UntypedCap dev ptr sz idx') cref + usable_untyped_range (UntypedCap dev ptr sz idx') \ S = {} \ + descendants_range_in S cref s \ cte_wp_at ((=) (UntypedCap dev ptr sz idx)) cref s\ + set_cap (UntypedCap dev ptr sz idx') cref \\rv s. caps_overlap_reserved S s\" apply (unfold caps_overlap_reserved_def) apply wp 
@@ -1982,7 +1982,7 @@ lemma descendants_range_in_subseteq: lemma cte_wp_at_pspace_no_overlapI: "\invs s; - cte_wp_at (\c. c = cap.UntypedCap dev (ptr && ~~ mask sz) sz idx) cref s; + cte_wp_at (\c. c = UntypedCap dev (ptr && ~~ mask sz) sz idx) cref s; idx \ unat (ptr && mask sz); sz < word_bits\ \ pspace_no_overlap_range_cover ptr sz s" apply (clarsimp simp: cte_wp_at_caps_of_state) @@ -2016,7 +2016,7 @@ lemma cte_wp_at_pspace_no_overlapI: lemma descendants_range_caps_no_overlapI: - "\invs s; cte_wp_at ((=) (cap.UntypedCap dev (ptr && ~~ mask sz) sz idx)) cref s; + "\invs s; cte_wp_at ((=) (UntypedCap dev (ptr && ~~ mask sz) sz idx)) cref s; descendants_range_in {ptr .. (ptr && ~~ mask sz) +2^sz - 1} cref s\ \ caps_no_overlap ptr sz s" apply (frule invs_mdb) apply (clarsimp simp: valid_mdb_def cte_wp_at_caps_of_state) @@ -2055,7 +2055,7 @@ lemma shiftr_then_mask_commute: lemma cte_wp_at_caps_no_overlapI: - "\ invs s;cte_wp_at (\c. c = cap.UntypedCap dev (ptr && ~~ mask sz) sz idx) cref s; + "\ invs s;cte_wp_at (\c. c = UntypedCap dev (ptr && ~~ mask sz) sz idx) cref s; idx \ unat (ptr && mask sz);sz < word_bits \ \ caps_no_overlap ptr sz s" apply (frule invs_mdb) apply (frule(1) le_mask_le_2p) @@ -2177,7 +2177,7 @@ lemma subset_stuff[simp]: done lemma cte_wp_at: - "cte_wp_at ((=) (cap.UntypedCap dev (ptr && ~~ mask sz) sz idx)) cref s" + "cte_wp_at ((=) (UntypedCap dev (ptr && ~~ mask sz) sz idx)) cref s" using vui by (clarsimp simp: cte_wp_at_caps_of_state) @@ -2210,7 +2210,7 @@ proof - by (rule descendants_range_in_subseteq[OF _ subset_stuff]) qed -lemma vc[simp] : "s \cap.UntypedCap dev (ptr && ~~ mask sz) sz idx" +lemma vc[simp] : "s \UntypedCap dev (ptr && ~~ mask sz) sz idx" using misc cte_wp_at apply (clarsimp simp: cte_wp_at_caps_of_state) apply (erule caps_of_state_valid) 
@@ -2291,7 +2291,7 @@ lemma slots_invD: "\x. x \ set slots \ done lemma usable_range_disjoint: - "usable_untyped_range (cap.UntypedCap dev (ptr && ~~ mask sz) sz + "usable_untyped_range (UntypedCap dev (ptr && ~~ mask sz) sz (unat ((ptr && mask sz) + of_nat (length slots) * 2 ^ obj_bits_api tp us))) \ {ptr..ptr + of_nat (length slots) * 2 ^ obj_bits_api tp us - 1} = {}" proof - @@ -2313,7 +2313,7 @@ lemma usable_range_disjoint: qed lemma detype_locale:"ptr && ~~ mask sz = ptr - \ detype_locale (cap.UntypedCap dev (ptr && ~~ mask sz) sz idx) cref s" + \ detype_locale (UntypedCap dev (ptr && ~~ mask sz) sz idx) cref s" using cte_wp_at descendants_range misc by (simp add:detype_locale_def descendants_range_def2 blah invs_untyped_children) @@ -2392,9 +2392,9 @@ crunch tcb[wp]: create_cap "tcb_at t" lemma valid_untyped_cap_inc: - "\s \ cap.UntypedCap dev (ptr&&~~ mask sz) sz idx; + "\s \ UntypedCap dev (ptr&&~~ mask sz) sz idx; idx \ unat (ptr && mask sz); range_cover ptr sz sb n\ - \ s \ cap.UntypedCap dev (ptr && ~~ mask sz) sz + \ s \ UntypedCap dev (ptr && ~~ mask sz) sz (unat ((ptr && mask sz) + of_nat n * 2 ^ sb))" apply (clarsimp simp: valid_cap_def cap_aligned_def valid_untyped_def simp del: usable_untyped_range.simps) apply (intro conjI allI impI) @@ -2417,8 +2417,8 @@ lemma valid_untyped_cap_inc: (* FIXME: move maybe *) lemma tcb_cap_valid_untyped_cong: - "tcb_cap_valid (cap.UntypedCap dev1 a1 b1 c) = - tcb_cap_valid (cap.UntypedCap dev2 a2 b2 c2)" + "tcb_cap_valid (UntypedCap dev1 a1 b1 c) = + tcb_cap_valid (UntypedCap dev2 a2 b2 c2)" apply (rule ext)+ apply (clarsimp simp:tcb_cap_valid_def valid_ipc_buffer_cap_def split:option.splits) apply (simp add: tcb_cap_cases_def 
@@ -2427,7 +2427,7 @@ lemma tcb_cap_valid_untyped_cong: done lemma tcb_cap_valid_untyped_to_thread: - "tcb_cap_valid (cap.UntypedCap dev a1 b1 c) = + "tcb_cap_valid (UntypedCap dev a1 b1 c) = tcb_cap_valid (cap.ThreadCap 0)" apply (rule ext)+ apply (clarsimp simp:tcb_cap_valid_def valid_ipc_buffer_cap_def split:option.splits) @@ -2457,9 +2457,9 @@ lemma ex_nonz_cap_to_overlap: lemma detype_valid_untyped: - "\invs s; detype S s \ cap.UntypedCap dev ptr sz idx1; + "\invs s; detype S s \ UntypedCap dev ptr sz idx1; {ptr .. ptr + 2 ^ sz - 1} \ S; idx2 \ 2 ^ sz\ - \ detype S s \ cap.UntypedCap dev ptr sz idx2" + \ detype S s \ UntypedCap dev ptr sz idx2" apply (clarsimp simp: detype_def valid_cap_def valid_untyped_def cap_aligned_def) apply (drule_tac x = p in spec) apply clarsimp @@ -2672,7 +2672,7 @@ lemmas unat_of_nat_word_bits = unat_of_nat_eq[where 'a = machine_word_len, unfolded word_bits_len_of, simplified] lemma caps_of_state_pspace_no_overlapD: - "\ caps_of_state s cref = Some (cap.UntypedCap dev ptr sz idx); invs s; + "\ caps_of_state s cref = Some (UntypedCap dev ptr sz idx); invs s; idx < 2 ^ sz \ \ pspace_no_overlap_range_cover (ptr + of_nat idx) sz s" apply (frule(1) caps_of_state_valid) @@ -2693,7 +2693,7 @@ lemma set_untyped_cap_invs_simple: \ pspace_no_overlap_range_cover ptr sz s \ invs s \ cte_wp_at (\c. is_untyped_cap c \ cap_bits c = sz \ cap_is_device c = dev\ obj_ref_of c = ptr) cref s \ idx \ 2^ sz\ - set_cap (cap.UntypedCap dev ptr sz idx) cref + set_cap (UntypedCap dev ptr sz idx) cref \\rv s. invs s\" apply (rule hoare_name_pre_state) apply (clarsimp simp:cte_wp_at_caps_of_state invs_def valid_state_def) 
@@ -3364,8 +3364,8 @@ lemma retype_region_refs_distinct[wp]: lemma unsafe_protected: - "\ cte_wp_at P p s; cte_wp_at ((=) (cap.UntypedCap dev ptr bits idx)) p' s; - descendants_range_in S p' s; invs s; S \ untyped_range (cap.UntypedCap dev ptr bits idx); + "\ cte_wp_at P p s; cte_wp_at ((=) (UntypedCap dev ptr bits idx)) p' s; + descendants_range_in S p' s; invs s; S \ untyped_range (UntypedCap dev ptr bits idx); \cap. P cap \ cap \ cap.NullCap \ \ fst p \ S" apply (rule ex_cte_cap_protects) @@ -3377,8 +3377,8 @@ lemma unsafe_protected: done lemma cap_to_protected: - "\ ex_cte_cap_wp_to P p s; cte_wp_at ((=) (cap.UntypedCap dev ptr bits idx)) p' s; - descendants_range (cap.UntypedCap dev ptr bits idx) p' s; invs s \ + "\ ex_cte_cap_wp_to P p s; cte_wp_at ((=) (UntypedCap dev ptr bits idx)) p' s; + descendants_range (UntypedCap dev ptr bits idx) p' s; invs s \ \ ex_cte_cap_wp_to P p (detype {ptr .. ptr + 2 ^ bits - 1} s)" apply (clarsimp simp: ex_cte_cap_wp_to_def, simp add: detype_def descendants_range_def2) apply (intro exI conjI, assumption) 
@@ -3603,14 +3603,14 @@ lemma invoke_untyp_invs': assumes init_arch_Q: "\tp slot reset sz slots ptr n us refs dev. ui = Invocations_A.Retype slot reset (ptr && ~~ mask sz) ptr tp us slots dev \ \Q and post_retype_invs tp refs - and cte_wp_at (\c. \idx. c = cap.UntypedCap dev (ptr && ~~ mask sz) sz idx) slot + and cte_wp_at (\c. \idx. c = UntypedCap dev (ptr && ~~ mask sz) sz idx) slot and K (refs = retype_addrs ptr tp n us \ range_cover ptr sz (obj_bits_api tp us) n)\ init_arch_objects tp ptr n us refs \\_. Q\" assumes retype_region_Q: "\ptr us tp slot reset sz slots dev. ui = Invocations_A.Retype slot reset (ptr && ~~ mask sz) ptr tp us slots dev \ \\s. invs s \ Q s - \ cte_wp_at (\c. \idx. c = cap.UntypedCap dev (ptr && ~~ mask sz) sz idx) slot s + \ cte_wp_at (\c. \idx. c = UntypedCap dev (ptr && ~~ mask sz) sz idx) slot s \ pspace_no_overlap {ptr..(ptr && ~~ mask sz) + (2 ^ sz - 1)} s \ range_cover ptr sz (obj_bits_api tp us) (length slots) \ (tp = CapTableObject \ 0 < us) @@ -3623,7 +3623,7 @@ lemma invoke_untyp_invs': \ (case ui of Invocations_A.Retype slot reset ptr' ptr tp us slots dev' \ cref = slot \ dev' = dev) \ idx \ 2^ sz\ - set_cap (cap.UntypedCap dev ptr sz idx) cref + set_cap (UntypedCap dev ptr sz idx) cref \\rv. Q\" assumes reset_Q: "\Q'\ reset_untyped_cap (case ui of Retype src_slot _ _ _ _ _ _ _ \ src_slot) \\_. Q\" shows @@ -3667,7 +3667,7 @@ lemma invoke_untyp_invs': note neg_mask_add_mask = word_plus_and_or_coroll2[symmetric,where w = "mask sz" and t = ptr,symmetric] note set_cap_free_index_invs_spec = set_free_index_invs[where - cap = "cap.UntypedCap dev (ptr && ~~ mask sz) sz (if reset then 0 else idx)", + cap = "UntypedCap dev (ptr && ~~ mask sz) sz (if reset then 0 else idx)", unfolded free_index_update_def free_index_of_def,simplified] have slot_not_in: "(cref, oref) \ set slots" 
@@ -3906,7 +3906,7 @@ lemma update_untyped_cap_valid_objs: lemma valid_untyped_pspace_no_overlap: "pspace_no_overlap {ptr .. ptr + 2 ^ sz - 1} s - \ valid_untyped (cap.UntypedCap dev ptr sz idx) s" + \ valid_untyped (UntypedCap dev ptr sz idx) s" apply (clarsimp simp: valid_untyped_def split del: if_split) apply (drule(1) pspace_no_overlap_obj_range) apply simp diff --git a/proof/invariant-abstract/X64/ArchAcc_AI.thy b/proof/invariant-abstract/X64/ArchAcc_AI.thy index 0184ca9c61..1a1745e2f2 100644 --- a/proof/invariant-abstract/X64/ArchAcc_AI.thy +++ b/proof/invariant-abstract/X64/ArchAcc_AI.thy @@ -1210,17 +1210,16 @@ lemma valid_machine_stateE: lemma in_user_frame_same_type_upd: "\typ_at type p s; type = a_type obj; in_user_frame q s\ - \ in_user_frame q (s\kheap := kheap s(p \ obj)\)" + \ in_user_frame q (s\kheap := (kheap s)(p \ obj)\)" apply (clarsimp simp: in_user_frame_def obj_at_def) apply (rule_tac x=sz in exI) apply (auto simp: a_type_simps) done lemma valid_machine_state_heap_updI: -assumes vm : "valid_machine_state s" -assumes tyat : "typ_at type p s" -shows - " a_type obj = type \ valid_machine_state (s\kheap := kheap s(p \ obj)\)" + assumes vm : "valid_machine_state s" + assumes tyat : "typ_at type p s" + shows "a_type obj = type \ valid_machine_state (s\kheap := (kheap s)(p \ obj)\)" apply (clarsimp simp: valid_machine_state_def) subgoal for p apply (rule valid_machine_stateE[OF vm,where p = p]) @@ -1355,7 +1354,7 @@ lemma vs_ref_lvl_obj_same_type: lemma valid_vspace_obj_kheap_upd: "\typ_at (a_type (ArchObj obj)) ptr s; valid_vspace_obj ao s\ - \ valid_vspace_obj ao (s\kheap := kheap s(ptr \ ArchObj obj)\)" + \ valid_vspace_obj ao (s\kheap := (kheap s)(ptr \ ArchObj obj)\)" apply (cases ao, simp_all) apply (fastforce simp: a_type_simps obj_at_def valid_pte_def)+ apply (clarsimp) 
@@ -1421,7 +1420,7 @@ lemma set_object_valid_vspace_objs[wp]: apply simp apply simp apply (rule vs_lookup1_wellformed.wellformed_lookup_axioms - [where s = "s\kheap := kheap s(ptr \ ArchObj obj)\" for s,simplified]) + [where s = "s\kheap := (kheap s)(ptr \ ArchObj obj)\" for s,simplified]) apply (clarsimp simp: obj_at_def cong:vs_ref_lvl_obj_same_type) apply clarsimp apply (rule valid_vspace_obj_kheap_upd) @@ -1486,7 +1485,7 @@ lemma set_object_valid_vs_lookup[wp]: apply simp apply simp apply (rule vs_lookup_pages1_wellformed.wellformed_lookup_axioms - [where s = "s\kheap := kheap s(ptr \ ArchObj obj)\" for s, simplified]) + [where s = "s\kheap := (kheap s)(ptr \ ArchObj obj)\" for s, simplified]) apply (clarsimp simp: obj_at_def cong:vs_ref_lvl_obj_same_type) apply (clarsimp simp: fun_upd_def) apply (subst caps_of_state_after_update) @@ -1591,7 +1590,7 @@ lemma valid_global_refsD: lemma in_device_frame_same_type_upd: "\typ_at type p s; type = a_type obj ; in_device_frame q s\ - \ in_device_frame q (s\kheap := kheap s(p \ obj)\)" + \ in_device_frame q (s\kheap := (kheap s)(p \ obj)\)" apply (clarsimp simp: in_device_frame_def obj_at_def) apply (rule_tac x=sz in exI) apply (auto simp: a_type_simps) @@ -1642,7 +1641,7 @@ lemma vs_lookup_pages_pt_eq: lemma valid_vspace_obj_same_type: "\valid_vspace_obj ao s; kheap s p = Some ko; a_type ko' = a_type ko\ - \ valid_vspace_obj ao (s\kheap := kheap s(p \ ko')\)" + \ valid_vspace_obj ao (s\kheap := (kheap s)(p \ ko')\)" apply (rule hoare_to_pure_kheap_upd[OF valid_vspace_obj_typ]) by (auto simp: obj_at_def) diff --git a/proof/invariant-abstract/X64/ArchArch_AI.thy b/proof/invariant-abstract/X64/ArchArch_AI.thy index 4f0cce3de3..1a19b99356 100644 --- a/proof/invariant-abstract/X64/ArchArch_AI.thy +++ b/proof/invariant-abstract/X64/ArchArch_AI.thy 
@@ -286,7 +286,7 @@ locale asid_update = Arch + fixes ap asid s s' assumes ko: "ko_at (ArchObj (ASIDPool Map.empty)) ap s" assumes empty: "x64_asid_table (arch_state s) asid = None" - defines "s' \ s\arch_state := arch_state s\x64_asid_table := x64_asid_table (arch_state s)(asid \ ap)\\" + defines "s' \ s\arch_state := arch_state s\x64_asid_table := (x64_asid_table (arch_state s))(asid \ ap)\\" context asid_update begin @@ -402,7 +402,7 @@ context Arch begin global_naming X64 lemma valid_arch_state_strg: "valid_arch_state s \ ap \ ran (x64_asid_table (arch_state s)) \ asid_pool_at ap s \ - valid_arch_state (s\arch_state := arch_state s\x64_asid_table := x64_asid_table (arch_state s)(asid \ ap)\\)" + valid_arch_state (s\arch_state := arch_state s\x64_asid_table := (x64_asid_table (arch_state s))(asid \ ap)\\)" apply (clarsimp simp: valid_arch_state_def) apply (clarsimp simp: valid_asid_table_def ran_def) apply (fastforce intro!: inj_on_fun_updI) @@ -416,7 +416,7 @@ lemma valid_vs_lookup_at_upd_strg: (\ptr cap. caps_of_state s ptr = Some cap \ ap \ obj_refs cap \ vs_cap_ref cap = Some [VSRef (ucast asid) None]) \ - valid_vs_lookup (s\arch_state := arch_state s\x64_asid_table := x64_asid_table (arch_state s)(asid \ ap)\\)" + valid_vs_lookup (s\arch_state := arch_state s\x64_asid_table := (x64_asid_table (arch_state s))(asid \ ap)\\)" apply clarsimp apply (subgoal_tac "asid_update ap asid s") prefer 2 @@ -489,7 +489,7 @@ lemma valid_table_caps_asid_upd [iff]: lemma vs_asid_ref_upd: "([VSRef (ucast (asid_high_bits_of asid')) None] \ ap') - (s\arch_state := arch_state s\x64_asid_table := x64_asid_table (arch_state s)(asid_high_bits_of asid \ ap)\\) + (s\arch_state := arch_state s\x64_asid_table := (x64_asid_table (arch_state s))(asid_high_bits_of asid \ ap)\\) = (if asid_high_bits_of asid' = asid_high_bits_of asid then ap' = ap else ([VSRef (ucast (asid_high_bits_of asid')) None] \ ap') s)" 
@@ -514,7 +514,7 @@ lemma cap_insert_simple_arch_caps_ap: and K (cap = ArchObjectCap (ASIDPoolCap ap asid)) \ cap_insert cap src dest \\rv s. valid_arch_caps (s\arch_state := arch_state s - \x64_asid_table := x64_asid_table (arch_state s)(asid_high_bits_of asid \ ap)\\)\" + \x64_asid_table := (x64_asid_table (arch_state s))(asid_high_bits_of asid \ ap)\\)\" apply (simp add: cap_insert_def update_cdt_def set_cdt_def valid_arch_caps_def set_untyped_cap_as_full_def bind_assoc) apply (strengthen valid_vs_lookup_at_upd_strg) @@ -547,7 +547,7 @@ lemma valid_asid_map_asid_upd_strg: "valid_asid_map s \ ko_at (ArchObj (ASIDPool Map.empty)) ap s \ x64_asid_table (arch_state s) asid = None \ - valid_asid_map (s\arch_state := arch_state s\x64_asid_table := x64_asid_table (arch_state s)(asid \ ap)\\)" + valid_asid_map (s\arch_state := arch_state s\x64_asid_table := (x64_asid_table (arch_state s))(asid \ ap)\\)" apply clarsimp apply (subgoal_tac "asid_update ap asid s") prefer 2 @@ -560,7 +560,7 @@ lemma valid_vspace_objs_asid_upd_strg: "valid_vspace_objs s \ ko_at (ArchObj (ASIDPool Map.empty)) ap s \ x64_asid_table (arch_state s) asid = None \ - valid_vspace_objs (s\arch_state := arch_state s\x64_asid_table := x64_asid_table (arch_state s)(asid \ ap)\\)" + valid_vspace_objs (s\arch_state := arch_state s\x64_asid_table := (x64_asid_table (arch_state s))(asid \ ap)\\)" apply clarsimp apply (subgoal_tac "asid_update ap asid s") prefer 2 @@ -573,7 +573,7 @@ lemma valid_global_objs_asid_upd_strg: "valid_global_objs s \ ko_at (ArchObj (arch_kernel_obj.ASIDPool Map.empty)) ap s \ x64_asid_table (arch_state s) asid = None \ - valid_global_objs (s\arch_state := arch_state s\x64_asid_table := x64_asid_table (arch_state s)(asid \ ap)\\)" + valid_global_objs (s\arch_state := arch_state s\x64_asid_table := (x64_asid_table (arch_state s))(asid \ ap)\\)" by clarsimp lemma safe_parent_cap_is_device: 
@@ -604,7 +604,7 @@ lemma cap_insert_ap_invs: x64_asid_table (arch_state s) (asid_high_bits_of asid) = None)\ cap_insert cap src dest \\rv s. invs (s\arch_state := arch_state s - \x64_asid_table := (x64_asid_table \ arch_state) s(asid_high_bits_of asid \ ap)\\)\" + \x64_asid_table := ((x64_asid_table \ arch_state) s)(asid_high_bits_of asid \ ap)\\)\" apply (simp add: invs_def valid_state_def valid_pspace_def) apply (strengthen valid_arch_state_strg valid_vspace_objs_asid_upd_strg valid_asid_map_asid_upd_strg ) @@ -758,11 +758,11 @@ proof - \\rv s. invs (s\arch_state := arch_state s - \x64_asid_table := (x64_asid_table \ arch_state) s + \x64_asid_table := ((x64_asid_table \ arch_state) s) (asid_high_bits_of asid \ ap)\\) \ Q (s\arch_state := arch_state s - \x64_asid_table := (x64_asid_table \ arch_state) s + \x64_asid_table := ((x64_asid_table \ arch_state) s) (asid_high_bits_of asid \ ap)\\)\" apply (wp cap_insert_ap_invs) apply simp diff --git a/proof/invariant-abstract/X64/ArchCNodeInv_AI.thy b/proof/invariant-abstract/X64/ArchCNodeInv_AI.thy index a6a4987054..3beca7cd06 100644 --- a/proof/invariant-abstract/X64/ArchCNodeInv_AI.thy +++ b/proof/invariant-abstract/X64/ArchCNodeInv_AI.thy @@ -556,7 +556,7 @@ context Arch begin global_naming X64 lemma post_cap_delete_pre_is_final_cap': "\rv s'' rva s''a s. \valid_ioports s; caps_of_state s slot = Some cap; is_final_cap' cap s; cap_cleanup_opt cap \ NullCap\ - \ post_cap_delete_pre (cap_cleanup_opt cap) (caps_of_state s(slot \ NullCap))" + \ post_cap_delete_pre (cap_cleanup_opt cap) ((caps_of_state s)(slot \ NullCap))" apply (clarsimp simp: cap_cleanup_opt_def cte_wp_at_def post_cap_delete_pre_def split: cap.split_asm if_split_asm elim!: ranE dest!: caps_of_state_cteD) diff --git a/proof/invariant-abstract/X64/ArchCSpacePre_AI.thy b/proof/invariant-abstract/X64/ArchCSpacePre_AI.thy index bee60b2a66..2353cdb6d8 100644 --- a/proof/invariant-abstract/X64/ArchCSpacePre_AI.thy 
+++ b/proof/invariant-abstract/X64/ArchCSpacePre_AI.thy @@ -127,7 +127,7 @@ lemma masked_as_full_test_function_stuff[simp]: lemma same_aobject_as_commute: "same_aobject_as x y \ same_aobject_as y x" - by (cases x; cases y; clarsimp simp: same_aobject_as_def) + by (cases x; cases y; clarsimp) lemmas wellformed_cap_simps = wellformed_cap_def [simplified wellformed_acap_def, split_simps cap.split arch_cap.split] @@ -175,7 +175,7 @@ lemma valid_arch_mdb_simple: "\s capa. \valid_arch_mdb (is_original_cap s) (caps_of_state s); is_simple_cap cap; caps_of_state s src = Some capa\ \ valid_arch_mdb ((is_original_cap s) (dest := is_cap_revocable cap capa)) - (caps_of_state s(dest \ cap))" + ((caps_of_state s)(dest \ cap))" by (auto simp: valid_arch_mdb_def ioport_revocable_def is_cap_revocable_def arch_is_cap_revocable_def is_simple_cap_def safe_parent_for_def is_cap_simps) @@ -217,14 +217,14 @@ lemma set_untyped_cap_as_full_valid_arch_mdb: lemma valid_arch_mdb_not_arch_cap_update: "\s cap capa. \\is_arch_cap cap; valid_arch_mdb (is_original_cap s) (caps_of_state s)\ \ valid_arch_mdb ((is_original_cap s)(dest := True)) - (caps_of_state s(src \ cap, dest\capa))" + ((caps_of_state s)(src \ cap, dest\capa))" by (auto simp: valid_arch_mdb_def ioport_revocable_def is_cap_simps) lemma valid_arch_mdb_derived_cap_update: "\s capa. \valid_arch_mdb (is_original_cap s) (caps_of_state s); is_derived (cdt s) src cap capa\ \ valid_arch_mdb ((is_original_cap s)(dest := is_cap_revocable cap capa)) - (caps_of_state s(dest \ cap))" + ((caps_of_state s)(dest \ cap))" apply (clarsimp simp: valid_arch_mdb_def ioport_revocable_def is_cap_simps is_cap_revocable_def arch_is_cap_revocable_def) by (clarsimp simp: is_derived_def is_cap_simps is_derived_arch_def split: if_split_asm) 
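Review bot: The proof of `same_aobject_as_commute` now drops `same_aobject_as_def` from the simp set (`by (cases x; cases y; clarsimp)`), so it relies on `same_aobject_as` being unfolded by the default simp set, which nothing in this diff shows. This is the only hunk in the commit that changes a proof rather than parenthesising a map update, so if the definition became a default simp rule (or was turned into equations) that is worth one line, e.g. `(* same_aobject_as_def no longer needed: unfolded by the default simp set *)`. If the reason is different, stating it in the commit message would keep this change from being lost among the syntax edits. The lemma is complete within the hunk.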
@@ -233,7 +233,7 @@ lemma valid_arch_mdb_free_index_update': "\s capa. \valid_arch_mdb (is_original_cap s) (caps_of_state s); caps_of_state s src = Some capa; is_untyped_cap cap\ \ valid_arch_mdb ((is_original_cap s) (dest := is_cap_revocable cap capa)) - (caps_of_state s(dest \ cap, src \ max_free_index_update capa))" + ((caps_of_state s)(dest \ cap, src \ max_free_index_update capa))" by (auto simp: valid_arch_mdb_def ioport_revocable_def is_cap_simps is_cap_revocable_def arch_is_cap_revocable_def free_index_update_def split: cap.splits) @@ -247,7 +247,7 @@ lemma valid_arch_mdb_weak_derived_update: "\s capa. \valid_arch_mdb (is_original_cap s) (caps_of_state s); caps_of_state s src = Some capa; weak_derived cap capa\ \ valid_arch_mdb ((is_original_cap s) (dest := is_original_cap s src, src := False)) - (caps_of_state s(dest \ cap, src \ NullCap))" + ((caps_of_state s)(dest \ cap, src \ NullCap))" by (auto simp: valid_arch_mdb_def ioport_revocable_def split: if_split_asm simp del: split_paired_All) @@ -255,7 +255,7 @@ lemma valid_arch_mdb_weak_derived_update: lemma valid_arch_mdb_tcb_cnode_update: "valid_arch_mdb (is_original_cap s) (caps_of_state s) \ valid_arch_mdb ((is_original_cap s) ((t, tcb_cnode_index 2) := True)) - (caps_of_state s((t, tcb_cnode_index 2) \ ReplyCap t True canReplyGrant))" + ((caps_of_state s)((t, tcb_cnode_index 2) \ ReplyCap t True canReplyGrant))" by (clarsimp simp: valid_arch_mdb_def ioport_revocable_def) lemmas valid_arch_mdb_updates = valid_arch_mdb_free_index_update valid_arch_mdb_not_arch_cap_update 
@@ -295,10 +295,10 @@ lemma valid_arch_mdb_null_filter: lemma valid_arch_mdb_untypeds: "\s. valid_arch_mdb (is_original_cap s) (caps_of_state s) \ valid_arch_mdb (\x. x \ cref \ is_original_cap s x) - (caps_of_state s(cref \ default_cap tp oref sz dev))" + ((caps_of_state s)(cref \ default_cap tp oref sz dev))" "\s. valid_arch_mdb (is_original_cap s) (caps_of_state s) \ valid_arch_mdb (is_original_cap s) - (caps_of_state s(cref \ UntypedCap dev ptr sz idx))" + ((caps_of_state s)(cref \ UntypedCap dev ptr sz idx))" by (clarsimp simp: valid_arch_mdb_def ioport_revocable_def)+ lemma same_object_as_ioports: diff --git a/proof/invariant-abstract/X64/ArchCSpace_AI.thy b/proof/invariant-abstract/X64/ArchCSpace_AI.thy index bbfa3ce641..a42d297b63 100644 --- a/proof/invariant-abstract/X64/ArchCSpace_AI.thy +++ b/proof/invariant-abstract/X64/ArchCSpace_AI.thy @@ -186,20 +186,20 @@ lemma is_derived_is_cap: (* FIXME: move to CSpace_I near lemma vs_lookup1_tcb_update *) lemma vs_lookup_pages1_tcb_update: "kheap s p = Some (TCB t) \ - vs_lookup_pages1 (s\kheap := kheap s(p \ TCB t')\) = vs_lookup_pages1 s" + vs_lookup_pages1 (s\kheap := (kheap s)(p \ TCB t')\) = vs_lookup_pages1 s" by (clarsimp simp: vs_lookup_pages1_def obj_at_def vs_refs_pages_def intro!: set_eqI) (* FIXME: move to CSpace_I near lemma vs_lookup_tcb_update *) lemma vs_lookup_pages_tcb_update: "kheap s p = Some (TCB t) \ - vs_lookup_pages (s\kheap := kheap s(p \ TCB t')\) = vs_lookup_pages s" + vs_lookup_pages (s\kheap := (kheap s)(p \ TCB t')\) = vs_lookup_pages s" by (clarsimp simp add: vs_lookup_pages_def vs_lookup_pages1_tcb_update) (* FIXME: move to CSpace_I near lemma vs_lookup1_cnode_update *) lemma vs_lookup_pages1_cnode_update: "kheap s p = Some (CNode n cs) \ - vs_lookup_pages1 (s\kheap := kheap s(p \ CNode m cs')\) = + vs_lookup_pages1 (s\kheap := (kheap s)(p \ CNode m cs')\) = vs_lookup_pages1 s" by (clarsimp simp: vs_lookup_pages1_def obj_at_def vs_refs_pages_def intro!: set_eqI) 
@@ -207,7 +207,7 @@ lemma vs_lookup_pages1_cnode_update: (* FIXME: move to CSpace_I near lemma vs_lookup_cnode_update *) lemma vs_lookup_pages_cnode_update: "kheap s p = Some (CNode n cs) \ - vs_lookup_pages (s\kheap := kheap s(p \ CNode n cs')\) = vs_lookup_pages s" + vs_lookup_pages (s\kheap := (kheap s)(p \ CNode n cs')\) = vs_lookup_pages s" by (clarsimp simp: vs_lookup_pages_def dest!: vs_lookup_pages1_cnode_update[where m=n and cs'=cs']) diff --git a/proof/invariant-abstract/X64/ArchFinalise_AI.thy b/proof/invariant-abstract/X64/ArchFinalise_AI.thy index 5d612a2ed2..9a1b9f1cb5 100644 --- a/proof/invariant-abstract/X64/ArchFinalise_AI.thy +++ b/proof/invariant-abstract/X64/ArchFinalise_AI.thy @@ -1379,7 +1379,7 @@ lemma set_asid_pool_obj_at_ptr: lemma valid_arch_state_table_strg: "valid_arch_state s \ asid_pool_at p s \ Some p \ x64_asid_table (arch_state s) ` (dom (x64_asid_table (arch_state s)) - {x}) \ - valid_arch_state (s\arch_state := arch_state s\x64_asid_table := x64_asid_table (arch_state s)(x \ p)\\)" + valid_arch_state (s\arch_state := arch_state s\x64_asid_table := (x64_asid_table (arch_state s))(x \ p)\\)" apply (clarsimp simp: valid_arch_state_def valid_asid_table_def ran_def) apply (rule conjI, fastforce) apply (erule inj_on_fun_upd_strongerI) @@ -1412,8 +1412,8 @@ lemma vs_lookup1_arch [simp]: lemma vs_lookup_empty_table: "(rs \ q) - (s\kheap := kheap s(p \ ArchObj (ASIDPool Map.empty)), - arch_state := arch_state s\x64_asid_table := x64_asid_table (arch_state s)(x \ p)\\) \ + (s\kheap := (kheap s)(p \ ArchObj (ASIDPool Map.empty)), + arch_state := arch_state s\x64_asid_table := (x64_asid_table (arch_state s))(x \ p)\\) \ (rs \ q) s \ (rs = [VSRef (ucast x) None] \ q = p)" apply (erule vs_lookupE) apply clarsimp 
@@ -1445,8 +1445,8 @@ lemma vs_lookup_empty_table: lemma vs_lookup_pages_empty_table: "(rs \ q) - (s\kheap := kheap s(p \ ArchObj (ASIDPool Map.empty)), - arch_state := arch_state s\x64_asid_table := x64_asid_table (arch_state s)(x \ p)\\) \ + (s\kheap := (kheap s)(p \ ArchObj (ASIDPool Map.empty)), + arch_state := arch_state s\x64_asid_table := (x64_asid_table (arch_state s))(x \ p)\\) \ (rs \ q) s \ (rs = [VSRef (ucast x) None] \ q = p)" apply (subst (asm) vs_lookup_pages_def) apply (clarsimp simp: Image_def) @@ -1481,7 +1481,7 @@ lemma set_asid_pool_empty_table_objs: set_asid_pool p Map.empty \\rv s. valid_vspace_objs (s\arch_state := arch_state s\x64_asid_table := - x64_asid_table (arch_state s)(asid_high_bits_of word2 \ p)\\)\" + (x64_asid_table (arch_state s))(asid_high_bits_of word2 \ p)\\)\" apply (simp add: set_asid_pool_def set_object_def) apply (wp get_object_wp) apply (clarsimp simp: obj_at_def valid_vspace_objs_def @@ -1506,7 +1506,7 @@ lemma set_asid_pool_empty_table_lookup: set_asid_pool p Map.empty \\rv s. valid_vs_lookup (s\arch_state := arch_state s\x64_asid_table := - x64_asid_table (arch_state s)(asid_high_bits_of base \ p)\\)\" + (x64_asid_table (arch_state s))(asid_high_bits_of base \ p)\\)\" apply (simp add: set_asid_pool_def set_object_def) apply (wp get_object_wp) apply (clarsimp simp: obj_at_def valid_vs_lookup_def @@ -1525,7 +1525,7 @@ lemma set_asid_pool_empty_table_lookup: lemma valid_ioports_asid_table_upd[iff]: "valid_ioports (s\arch_state := arch_state s - \x64_asid_table := x64_asid_table (arch_state s) + \x64_asid_table := (x64_asid_table (arch_state s)) (asid_high_bits_of base \ p)\\) = valid_ioports s" by (clarsimp simp: valid_ioports_def all_ioports_issued_def issued_ioports_def) 
@@ -1536,7 +1536,7 @@ lemma set_asid_pool_invs_table: \ (\p'. \ ([VSRef (ucast (asid_high_bits_of base)) None] \ p') s)\ set_asid_pool p Map.empty \\x s. invs (s\arch_state := arch_state s\x64_asid_table := - x64_asid_table (arch_state s)(asid_high_bits_of base \ p)\\)\" + (x64_asid_table (arch_state s))(asid_high_bits_of base \ p)\\)\" apply (simp add: invs_def valid_state_def valid_pspace_def valid_arch_caps_def valid_asid_map_def) apply (wp valid_irq_node_typ set_asid_pool_typ_at set_asid_pool_empty_table_objs valid_ioports_lift diff --git a/proof/invariant-abstract/X64/ArchIpc_AI.thy b/proof/invariant-abstract/X64/ArchIpc_AI.thy index 4174c8ddf3..cbbebda211 100644 --- a/proof/invariant-abstract/X64/ArchIpc_AI.thy +++ b/proof/invariant-abstract/X64/ArchIpc_AI.thy @@ -465,7 +465,7 @@ lemma valid_arch_mdb_cap_swap: \ valid_arch_mdb ((is_original_cap s) (a := is_original_cap s b, b := is_original_cap s a)) - (caps_of_state s(a \ c', b \ c))" + ((caps_of_state s)(a \ c', b \ c))" apply (clarsimp simp: valid_arch_mdb_def ioport_revocable_def simp del: split_paired_All) apply (intro conjI impI allI) apply (simp del: split_paired_All) diff --git a/proof/invariant-abstract/X64/ArchKHeap_AI.thy b/proof/invariant-abstract/X64/ArchKHeap_AI.thy index 80aabdb69c..8536e57d88 100644 --- a/proof/invariant-abstract/X64/ArchKHeap_AI.thy +++ b/proof/invariant-abstract/X64/ArchKHeap_AI.thy 
@@ -835,20 +835,20 @@ crunch device_state_inv: storeWord "\ms. P (device_state ms)" (* some hyp_ref invariants *) lemma state_hyp_refs_of_ep_update: "\s ep val. typ_at AEndpoint ep s \ - state_hyp_refs_of (s\kheap := kheap s(ep \ Endpoint val)\) = state_hyp_refs_of s" + state_hyp_refs_of (s\kheap := (kheap s)(ep \ Endpoint val)\) = state_hyp_refs_of s" apply (rule all_ext) apply (clarsimp simp add: state_hyp_refs_of_def obj_at_def hyp_refs_of_def) done lemma state_hyp_refs_of_ntfn_update: "\s ep val. typ_at ANTFN ep s \ - state_hyp_refs_of (s\kheap := kheap s(ep \ Notification val)\) = state_hyp_refs_of s" + state_hyp_refs_of (s\kheap := (kheap s)(ep \ Notification val)\) = state_hyp_refs_of s" apply (rule all_ext) apply (clarsimp simp add: state_hyp_refs_of_def obj_at_def hyp_refs_of_def) done lemma state_hyp_refs_of_tcb_bound_ntfn_update: "kheap s t = Some (TCB tcb) \ - state_hyp_refs_of (s\kheap := kheap s(t \ TCB (tcb\tcb_bound_notification := ntfn\))\) + state_hyp_refs_of (s\kheap := (kheap s)(t \ TCB (tcb\tcb_bound_notification := ntfn\))\) = state_hyp_refs_of s" apply (rule all_ext) apply (clarsimp simp add: state_hyp_refs_of_def obj_at_def split: option.splits) @@ -856,7 +856,7 @@ lemma state_hyp_refs_of_tcb_bound_ntfn_update: lemma state_hyp_refs_of_tcb_state_update: "kheap s t = Some (TCB tcb) \ - state_hyp_refs_of (s\kheap := kheap s(t \ TCB (tcb\tcb_state := ts\))\) + state_hyp_refs_of (s\kheap := (kheap s)(t \ TCB (tcb\tcb_state := ts\))\) = state_hyp_refs_of s" apply (rule all_ext) apply (clarsimp simp add: state_hyp_refs_of_def obj_at_def split: option.splits) @@ -864,7 +864,7 @@ lemma state_hyp_refs_of_tcb_state_update: lemma arch_valid_obj_same_type: "\ arch_valid_obj ao s; kheap s p = Some ko; a_type k = a_type ko \ - \ arch_valid_obj ao (s\kheap := kheap s(p \ k)\)" + \ arch_valid_obj ao (s\kheap := (kheap s)(p \ k)\)" by (induction ao rule: arch_kernel_obj.induct; clarsimp simp: typ_at_same_type) 
@@ -878,7 +878,7 @@ lemma default_tcb_not_live: "\ live (TCB default_tcb)" lemma valid_arch_tcb_same_type: "\ valid_arch_tcb t s; valid_obj p k s; kheap s p = Some ko; a_type k = a_type ko \ - \ valid_arch_tcb t (s\kheap := kheap s(p \ k)\)" + \ valid_arch_tcb t (s\kheap := (kheap s)(p \ k)\)" by (auto simp: valid_arch_tcb_def obj_at_def) lemma valid_ioports_lift: diff --git a/proof/invariant-abstract/X64/ArchUntyped_AI.thy b/proof/invariant-abstract/X64/ArchUntyped_AI.thy index c619f5257c..2606255a45 100644 --- a/proof/invariant-abstract/X64/ArchUntyped_AI.thy +++ b/proof/invariant-abstract/X64/ArchUntyped_AI.thy @@ -389,10 +389,10 @@ lemma create_cap_ioports[wp, Untyped_AI_assms]: (* FIXME: move *) lemma simpler_store_pml4e_def: "store_pml4e p pde s = - (case kheap s (p && ~~ mask pml4_bits) of + (case (kheap s)(p && ~~ mask pml4_bits) of Some (ArchObj (PageMapL4 pml4)) => - ({((), s\kheap := (kheap s((p && ~~ mask pml4_bits) \ - (ArchObj (PageMapL4 (pml4(ucast (p && mask pml4_bits >> word_size_bits) := pde))))))\)}, False) + ({((), s\kheap := (kheap s)(p && ~~ mask pml4_bits \ + (ArchObj (PageMapL4 (pml4(ucast (p && mask pml4_bits >> word_size_bits) := pde)))))\)}, False) | _ => ({}, True))" apply (auto simp: store_pml4e_def set_object_def get_object_def simpler_gets_def assert_def a_type_simps return_def fail_def set_object_def get_def put_def bind_def get_pml4_def aa_type_simps diff --git a/proof/invariant-abstract/X64/ArchVSpace_AI.thy b/proof/invariant-abstract/X64/ArchVSpace_AI.thy index 77cb57e10c..7827e8e199 100644 --- a/proof/invariant-abstract/X64/ArchVSpace_AI.thy +++ b/proof/invariant-abstract/X64/ArchVSpace_AI.thy 
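Review bot: In `simpler_store_pml4e_def` the new `case` scrutinee `(case (kheap s)(p && ~~ mask pml4_bits) of` is plain application (no `\<mapsto>` or `:=` inside the parentheses), yet the added parentheses around `kheap s` make it look like the function-update form introduced on the `+` lines two lines below. Writing it as `(case kheap s (p && ~~ mask pml4_bits) of` keeps the lookup visually distinct from the update `(kheap s)(p && ~~ mask pml4_bits \<mapsto> ...)` and matches how every other unchanged application in this commit is written. The lemma's proof continues outside the hunk.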
@@ -1627,7 +1627,7 @@ lemma update_aobj_not_reachable: apply (rule_tac x = "(aa, baa)" in bexI[rotated]) apply assumption apply (simp add: fun_upd_def[symmetric]) - apply (rule_tac s4 = s in vs_lookup_pages1_is_wellformed_lookup[where s = "s\kheap := kheap s(p \ ArchObj aobj)\" for s + apply (rule_tac s4 = s in vs_lookup_pages1_is_wellformed_lookup[where s = "s\kheap := (kheap s)(p \ ArchObj aobj)\" for s ,simplified]) apply (clarsimp simp: lookup_refs_def vs_lookup_pages1_on_heap_obj_def vs_refs_pages_def image_def obj_at_def graph_of_def pde_ref_pages_def Image_def split: if_split_asm pde.split_asm) @@ -2838,7 +2838,7 @@ lemma lookup_pages_shrink_store_pdpte: apply (simp add: vs_lookup_pages_def) apply (drule_tac s1 = s in lookup_bound_estimate[OF vs_lookup_pages1_is_wellformed_lookup, rotated -1]) apply (simp add: fun_upd_def[symmetric]) - apply (rule vs_lookup_pages1_is_wellformed_lookup[where s = "s\kheap := kheap s(ptr \ ArchObj obj)\" for s ptr obj + apply (rule vs_lookup_pages1_is_wellformed_lookup[where s = "s\kheap := (kheap s)(ptr \ ArchObj obj)\" for s ptr obj ,simplified]) apply (clarsimp simp: lookup_refs_def vs_lookup_pages1_on_heap_obj_def vs_refs_pages_def image_def obj_at_def graph_of_def pdpte_ref_pages_def split: if_split_asm pde.split_asm) @@ -2852,7 +2852,7 @@ lemma lookup_pages_shrink_store_pde: apply (simp add: vs_lookup_pages_def) apply (drule_tac s1 = s in lookup_bound_estimate[OF vs_lookup_pages1_is_wellformed_lookup, rotated -1]) apply (simp add: fun_upd_def[symmetric]) - apply (rule vs_lookup_pages1_is_wellformed_lookup[where s = "s\kheap := kheap s(ptr \ ArchObj obj)\" for s ptr obj + apply (rule vs_lookup_pages1_is_wellformed_lookup[where s = "s\kheap := (kheap s)(ptr \ ArchObj obj)\" for s ptr obj ,simplified]) apply (clarsimp simp: lookup_refs_def vs_lookup_pages1_on_heap_obj_def vs_refs_pages_def image_def obj_at_def graph_of_def pde_ref_pages_def split: if_split_asm pde.split_asm) 
@@ -2866,7 +2866,7 @@ lemma lookup_pages_shrink_store_pte: apply (simp add: vs_lookup_pages_def) apply (drule_tac s1 = s in lookup_bound_estimate[OF vs_lookup_pages1_is_wellformed_lookup, rotated -1]) apply (simp add: fun_upd_def[symmetric]) - apply (rule vs_lookup_pages1_is_wellformed_lookup[where s = "s\kheap := kheap s(ptr \ ArchObj obj)\" for s ptr obj + apply (rule vs_lookup_pages1_is_wellformed_lookup[where s = "s\kheap := (kheap s)(ptr \ ArchObj obj)\" for s ptr obj ,simplified]) apply (clarsimp simp: lookup_refs_def vs_lookup_pages1_on_heap_obj_def vs_refs_pages_def image_def obj_at_def graph_of_def pde_ref_pages_def split: if_split_asm pde.split_asm) diff --git a/proof/refine/AARCH64/Arch_R.thy b/proof/refine/AARCH64/Arch_R.thy index bb55328489..4512ce955c 100644 --- a/proof/refine/AARCH64/Arch_R.thy +++ b/proof/refine/AARCH64/Arch_R.thy @@ -1903,7 +1903,7 @@ lemma performARMVCPUInvocation_invs'[wp]: lemma invs_asid_table_strengthen': "invs' s \ asid_pool_at' ap s \ asid \ 2 ^ asid_high_bits - 1 \ invs' (s\ksArchState := - armKSASIDTable_update (\_. (armKSASIDTable \ ksArchState) s(asid \ ap)) (ksArchState s)\)" + armKSASIDTable_update (\_. ((armKSASIDTable \ ksArchState) s)(asid \ ap)) (ksArchState s)\)" apply (clarsimp simp: invs'_def valid_state'_def) apply (rule conjI) apply (clarsimp simp: valid_global_refs'_def global_refs'_def) diff --git a/proof/refine/AARCH64/CSpace1_R.thy b/proof/refine/AARCH64/CSpace1_R.thy index 07e74b4e3d..d9c1fb277c 100644 --- a/proof/refine/AARCH64/CSpace1_R.thy +++ b/proof/refine/AARCH64/CSpace1_R.thy @@ -830,7 +830,7 @@ lemma setCTE_tcb_in_cur_domain': done lemma setCTE_ctes_of_wp [wp]: - "\\s. P (ctes_of s (p \ cte))\ + "\\s. P ((ctes_of s) (p \ cte))\ setCTE p cte \\rv s. P (ctes_of s)\" by (simp add: setCTE_def ctes_of_setObject_cte) diff --git a/proof/refine/AARCH64/CSpace_R.thy b/proof/refine/AARCH64/CSpace_R.thy index bfc0511156..0e53eb1ff7 100644 --- a/proof/refine/AARCH64/CSpace_R.thy 
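Review bot: The new precondition of `setCTE_ctes_of_wp` in proof/refine/AARCH64/CSpace1_R.thy, `P ((ctes_of s) (p \<mapsto> cte))`, keeps a space between the parenthesised map and its update, while the sibling `setCTE_arch_ctes_of_wp` in CSpace_R.thy and every other hunk of this commit write it without one, e.g. `P ((ctes_of s)(p \<mapsto> cte))`. The same spacing appears in the ARM and ARM_HYP copies of `setCTE_ctes_of_wp` in proof/refine/ARM/CSpace1_R.thy and proof/refine/ARM_HYP/CSpace1_R.thy. Making the three consistent with the rest of the commit avoids the update reading like an application. Each of these lemmas is complete within its hunk.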
+++ b/proof/refine/AARCH64/CSpace_R.thy @@ -2227,7 +2227,7 @@ proof - let ?c2 = "(CTE capability.NullCap (MDB 0 0 bool1 bool2))" let ?C = "(modify_map (modify_map - (modify_map (ctes_of s(dest \ CTE cap (MDB 0 0 bool1 bool2))) dest + (modify_map ((ctes_of s)(dest \ CTE cap (MDB 0 0 bool1 bool2))) dest (cteMDBNode_update (\a. MDB word1 src (isCapRevocable cap src_cap) (isCapRevocable cap src_cap)))) src (cteMDBNode_update (mdbNext_update (\_. dest)))) word1 (cteMDBNode_update (mdbPrev_update (\_. dest))))" @@ -2937,7 +2937,7 @@ lemma cteInsert_valid_irq_handlers'[wp]: done lemma setCTE_arch_ctes_of_wp [wp]: - "\\s. P (ksArchState s) (ctes_of s (p \ cte))\ + "\\s. P (ksArchState s) ((ctes_of s)(p \ cte))\ setCTE p cte \\rv s. P (ksArchState s) (ctes_of s)\" apply (simp add: setCTE_def ctes_of_setObject_cte) diff --git a/proof/refine/AARCH64/Detype_R.thy b/proof/refine/AARCH64/Detype_R.thy index 0a46a4ecf0..0a4130fecd 100644 --- a/proof/refine/AARCH64/Detype_R.thy +++ b/proof/refine/AARCH64/Detype_R.thy @@ -2591,7 +2591,7 @@ lemma setCTE_pte_at': lemma storePTE_det: "ko_wp_at' ((=) (KOArch (KOPTE pte))) ptr s \ storePTE ptr (new_pte::pte) s = - modify (ksPSpace_update (\_. ksPSpace s(ptr \ KOArch (KOPTE new_pte)))) s" + modify (ksPSpace_update (\_. (ksPSpace s)(ptr \ KOArch (KOPTE new_pte)))) s" apply (clarsimp simp:ko_wp_at'_def storePTE_def split_def bind_def gets_def return_def get_def setObject_def diff --git a/proof/refine/AARCH64/Finalise_R.thy b/proof/refine/AARCH64/Finalise_R.thy index b8bfb3320d..363adae063 100644 --- a/proof/refine/AARCH64/Finalise_R.thy +++ b/proof/refine/AARCH64/Finalise_R.thy @@ -1278,7 +1278,7 @@ crunch gsMaxObjectSize[wp]: emptySlot "\s. P (gsMaxObjectSize s)" end lemma emptySlot_cteCaps_of: - "\\s. P (cteCaps_of s(p \ NullCap))\ + "\\s. P ((cteCaps_of s)(p \ NullCap))\ emptySlot p opt \\rv s. P (cteCaps_of s)\" apply (simp add: emptySlot_def case_Null_If) 
@@ -2762,7 +2762,7 @@ crunches finaliseCapTrue_standin, unbindNotification lemma cteDeleteOne_cteCaps_of: "\\s. (cte_wp_at' (\cte. \final. finaliseCap (cteCap cte) final True \ fail) p s \ - P (cteCaps_of s(p \ NullCap)))\ + P ((cteCaps_of s)(p \ NullCap)))\ cteDeleteOne p \\rv s. P (cteCaps_of s)\" apply (simp add: cteDeleteOne_def unless_def split_def) @@ -3195,7 +3195,7 @@ crunch ctes_of[wp]: cancelSignal "\s. P (ctes_of s)" lemma cancelIPC_cteCaps_of: "\\s. (\p. cte_wp_at' (\cte. \final. finaliseCap (cteCap cte) final True \ fail) p s \ - P (cteCaps_of s(p \ NullCap))) \ + P ((cteCaps_of s)(p \ NullCap))) \ P (cteCaps_of s)\ cancelIPC t \\rv s. P (cteCaps_of s)\" @@ -4117,7 +4117,7 @@ definition set_thread_all :: "obj_ref \ Structures_A.tcb \ unit det_ext_monad" where "set_thread_all ptr tcb etcb \ do s \ get; - kh \ return $ kheap s(ptr \ (TCB tcb)); + kh \ return $ (kheap s)(ptr \ (TCB tcb)); ekh \ return $ (ekheap s)(ptr \ etcb); put (s\kheap := kh, ekheap := ekh\) od" diff --git a/proof/refine/AARCH64/InvariantUpdates_H.thy b/proof/refine/AARCH64/InvariantUpdates_H.thy index cda86ad7cd..3c307580e2 100644 --- a/proof/refine/AARCH64/InvariantUpdates_H.thy +++ b/proof/refine/AARCH64/InvariantUpdates_H.thy @@ -16,7 +16,7 @@ lemma ps_clear_domE[elim?]: lemma ps_clear_upd: "ksPSpace s y = Some v \ - ps_clear x n (ksPSpace_update (\a. ksPSpace s(y \ v')) s') = ps_clear x n s" + ps_clear x n (ksPSpace_update (\a. (ksPSpace s)(y \ v')) s') = ps_clear x n s" by (rule iffI | clarsimp elim!: ps_clear_domE | fastforce)+ lemmas ps_clear_updE[elim] = iffD2[OF ps_clear_upd, rotated] diff --git a/proof/refine/AARCH64/Schedule_R.thy b/proof/refine/AARCH64/Schedule_R.thy index fa8bbb3d93..ec6dffbdf6 100644 --- a/proof/refine/AARCH64/Schedule_R.thy +++ b/proof/refine/AARCH64/Schedule_R.thy 
@@ -69,7 +69,7 @@ declare objBitsT_koTypeOf [simp] lemma vs_lookup_pages_vcpu_update: "typ_at (AArch AVCPU) vcpuPtr s \ - vs_lookup_target level asid vref (s\kheap := kheap s(vcpuPtr \ ArchObj (VCPU vcpu))\) = + vs_lookup_target level asid vref (s\kheap := (kheap s)(vcpuPtr \ ArchObj (VCPU vcpu))\) = vs_lookup_target level asid vref s" unfolding vs_lookup_target_def vs_lookup_slot_def vs_lookup_table_def apply (prop_tac "asid_pools_of s vcpuPtr = None", clarsimp simp: opt_map_def obj_at_def) @@ -79,7 +79,7 @@ lemma vs_lookup_pages_vcpu_update: lemma valid_vs_lookup_vcpu_update: "typ_at (AArch AVCPU) vcpuPtr s \ - valid_vs_lookup (s\kheap := kheap s(vcpuPtr \ ArchObj (VCPU vcpu))\) = valid_vs_lookup s" + valid_vs_lookup (s\kheap := (kheap s)(vcpuPtr \ ArchObj (VCPU vcpu))\) = valid_vs_lookup s" by (clarsimp simp: valid_vs_lookup_def caps_of_state_VCPU_update vs_lookup_pages_vcpu_update) lemma set_vpcu_valid_vs_lookup[wp]: diff --git a/proof/refine/AARCH64/TcbAcc_R.thy b/proof/refine/AARCH64/TcbAcc_R.thy index 950f7950b0..2ae604d46e 100644 --- a/proof/refine/AARCH64/TcbAcc_R.thy +++ b/proof/refine/AARCH64/TcbAcc_R.thy @@ -423,7 +423,7 @@ proof - apply (simp add: return_def thread_set_def gets_the_def assert_def assert_opt_def simpler_gets_def set_object_def get_object_def put_def get_def bind_def) - apply (subgoal_tac "kheap s(t \ TCB tcb) = kheap s", simp) + apply (subgoal_tac "(kheap s)(t \ TCB tcb) = kheap s", simp) apply (simp add: map_upd_triv get_tcb_SomeD)+ done show ?thesis diff --git a/proof/refine/AARCH64/Untyped_R.thy b/proof/refine/AARCH64/Untyped_R.thy index 97a6606520..091f209b24 100644 --- a/proof/refine/AARCH64/Untyped_R.thy +++ b/proof/refine/AARCH64/Untyped_R.thy 
@@ -3505,7 +3505,7 @@ lemma updateFreeIndex_mdb_simple': and cte_wp_at' :"ctes_of s src = Some cte" "cteCap cte = capability.UntypedCap d ptr sz idx'" and unt_inc' :"untyped_inc' (ctes_of s)" and valid_objs' :"valid_objs' s" - and invp: "mdb_inv_preserve (ctes_of s) (ctes_of s(src \ cteCap_update (\_. capability.UntypedCap d ptr sz idx) cte))" + and invp: "mdb_inv_preserve (ctes_of s) ((ctes_of s)(src \ cteCap_update (\_. UntypedCap d ptr sz idx) cte))" (is "mdb_inv_preserve (ctes_of s) ?ctes") show "untyped_inc' ?ctes" diff --git a/proof/refine/ARM/Arch_R.thy b/proof/refine/ARM/Arch_R.thy index 99153796fb..e3410084ae 100644 --- a/proof/refine/ARM/Arch_R.thy +++ b/proof/refine/ARM/Arch_R.thy @@ -1778,7 +1778,7 @@ crunch st_tcb_at' [wp]: "Arch.finaliseCap" "st_tcb_at' P t" lemma invs_asid_table_strengthen': "invs' s \ asid_pool_at' ap s \ asid \ 2 ^ asid_high_bits - 1 \ invs' (s\ksArchState := - armKSASIDTable_update (\_. (armKSASIDTable \ ksArchState) s(asid \ ap)) (ksArchState s)\)" + armKSASIDTable_update (\_. ((armKSASIDTable \ ksArchState) s)(asid \ ap)) (ksArchState s)\)" apply (clarsimp simp: invs'_def valid_state'_def) apply (rule conjI) apply (clarsimp simp: valid_global_refs'_def global_refs'_def) diff --git a/proof/refine/ARM/CSpace1_R.thy b/proof/refine/ARM/CSpace1_R.thy index 8e10bb1125..f60dd64bc3 100644 --- a/proof/refine/ARM/CSpace1_R.thy +++ b/proof/refine/ARM/CSpace1_R.thy @@ -810,7 +810,7 @@ lemma setCTE_tcb_in_cur_domain': done lemma setCTE_ctes_of_wp [wp]: - "\\s. P (ctes_of s (p \ cte))\ + "\\s. P ((ctes_of s) (p \ cte))\ setCTE p cte \\rv s. P (ctes_of s)\" by (simp add: setCTE_def ctes_of_setObject_cte) diff --git a/proof/refine/ARM/CSpace_R.thy b/proof/refine/ARM/CSpace_R.thy index ba40e62b14..3e438cadef 100644 --- a/proof/refine/ARM/CSpace_R.thy +++ b/proof/refine/ARM/CSpace_R.thy 
@@ -2227,7 +2227,7 @@ proof - let ?c2 = "(CTE capability.NullCap (MDB 0 0 bool1 bool2))" let ?C = "(modify_map (modify_map - (modify_map (ctes_of s(dest \ CTE cap (MDB 0 0 bool1 bool2))) dest + (modify_map ((ctes_of s)(dest \ CTE cap (MDB 0 0 bool1 bool2))) dest (cteMDBNode_update (\a. MDB word1 src (revokable' src_cap cap) (revokable' src_cap cap)))) src (cteMDBNode_update (mdbNext_update (\_. dest)))) word1 (cteMDBNode_update (mdbPrev_update (\_. dest))))" diff --git a/proof/refine/ARM/Detype_R.thy b/proof/refine/ARM/Detype_R.thy index a6ee0813ae..e6e2289b0d 100644 --- a/proof/refine/ARM/Detype_R.thy +++ b/proof/refine/ARM/Detype_R.thy @@ -2702,7 +2702,7 @@ lemma storePDE_det: "ko_wp_at' ((=) (KOArch (KOPDE pde))) ptr s \ storePDE ptr (new_pde::ARM_H.pde) s = modify - (ksPSpace_update (\_. ksPSpace s(ptr \ KOArch (KOPDE new_pde)))) s" + (ksPSpace_update (\_. (ksPSpace s)(ptr \ KOArch (KOPDE new_pde)))) s" apply (clarsimp simp:ko_wp_at'_def storePDE_def split_def bind_def gets_def return_def get_def setObject_def @@ -2950,7 +2950,7 @@ lemma cte_wp_at_modify_pde: atLeastAtMost_iff shows "\ksPSpace s ptr' = Some (KOArch (KOPDE pde)); pspace_aligned' s;cte_wp_at' \ ptr s\ - \ cte_wp_at' \ ptr (s\ksPSpace := ksPSpace s(ptr' \ (KOArch (KOPDE pde')))\)" + \ cte_wp_at' \ ptr (s\ksPSpace := (ksPSpace s)(ptr' \ (KOArch (KOPDE pde')))\)" apply (simp add:cte_wp_at_obj_cases_mask obj_at'_real_def) apply (frule(1) pspace_alignedD') apply (elim disjE) diff --git a/proof/refine/ARM/Finalise_R.thy b/proof/refine/ARM/Finalise_R.thy index d9e5c3fd04..58eb7048a8 100644 --- a/proof/refine/ARM/Finalise_R.thy +++ b/proof/refine/ARM/Finalise_R.thy @@ -1279,7 +1279,7 @@ crunch gsMaxObjectSize[wp]: emptySlot "\s. P (gsMaxObjectSize s)" end lemma emptySlot_cteCaps_of: - "\\s. P (cteCaps_of s(p \ NullCap))\ + "\\s. P ((cteCaps_of s)(p \ NullCap))\ emptySlot p opt \\rv s. P (cteCaps_of s)\" apply (simp add: emptySlot_def case_Null_If) 
@@ -2448,10 +2448,7 @@ lemma prepares_delete_helper'': apply (clarsimp simp: removeable'_def) done -lemma ctes_of_cteCaps_of_lift: - "\ \P. \\s. P (ctes_of s)\ f \\rv s. P (ctes_of s)\ \ - \ \\s. P (cteCaps_of s)\ f \\rv s. P (cteCaps_of s)\" - by (wp | simp add: cteCaps_of_def)+ +lemmas ctes_of_cteCaps_of_lift = cteCaps_of_ctes_of_lift crunches finaliseCapTrue_standin, unbindNotification for ctes_of[wp]: "\s. P (ctes_of s)" @@ -2459,7 +2456,7 @@ crunches finaliseCapTrue_standin, unbindNotification lemma cteDeleteOne_cteCaps_of: "\\s. (cte_wp_at' (\cte. \final. finaliseCap (cteCap cte) final True \ fail) p s \ - P (cteCaps_of s(p \ NullCap)))\ + P ((cteCaps_of s)(p \ NullCap)))\ cteDeleteOne p \\rv s. P (cteCaps_of s)\" apply (simp add: cteDeleteOne_def unless_def split_def) @@ -2800,7 +2797,7 @@ crunch ctes_of[wp]: cancelSignal "\s. P (ctes_of s)" lemma cancelIPC_cteCaps_of: "\\s. (\p. cte_wp_at' (\cte. \final. finaliseCap (cteCap cte) final True \ fail) p s \ - P (cteCaps_of s(p \ NullCap))) \ + P ((cteCaps_of s)(p \ NullCap))) \ P (cteCaps_of s)\ cancelIPC t \\rv s. P (cteCaps_of s)\" @@ -3679,7 +3676,7 @@ definition set_thread_all :: "obj_ref \ Structures_A.tcb \ unit det_ext_monad" where "set_thread_all ptr tcb etcb \ do s \ get; - kh \ return $ kheap s(ptr \ (TCB tcb)); + kh \ return $ (kheap s)(ptr \ (TCB tcb)); ekh \ return $ (ekheap s)(ptr \ etcb); put (s\kheap := kh, ekheap := ekh\) od" diff --git a/proof/refine/ARM/InvariantUpdates_H.thy b/proof/refine/ARM/InvariantUpdates_H.thy index 377bda1525..938a45b494 100644 --- a/proof/refine/ARM/InvariantUpdates_H.thy +++ b/proof/refine/ARM/InvariantUpdates_H.thy 
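Review bot: `lemmas ctes_of_cteCaps_of_lift = cteCaps_of_ctes_of_lift` replaces a proved lemma with an alias of `cteCaps_of_ctes_of_lift`, which is defined nowhere in this diff, so the name now depends on that lemma being in scope with the same statement, presumably from a parent theory. A one-line comment would spare the next reader the lookup, e.g. `(* alias: keeps the old name for proofs that still refer to ctes_of_cteCaps_of_lift *)`. Only the ARM Finalise_R copy is changed here; the AARCH64 and ARM_HYP Finalise_R files in this commit touch neighbouring lemmas without a corresponding change, which may be intentional if they never had the duplicate.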
@@ -16,7 +16,7 @@ lemma ps_clear_domE[elim?]: lemma ps_clear_upd: "ksPSpace s y = Some v \ - ps_clear x n (ksPSpace_update (\a. ksPSpace s(y \ v')) s') = ps_clear x n s" + ps_clear x n (ksPSpace_update (\a. (ksPSpace s)(y \ v')) s') = ps_clear x n s" by (rule iffI | clarsimp elim!: ps_clear_domE | fastforce)+ lemmas ps_clear_updE[elim] = iffD2[OF ps_clear_upd, rotated] diff --git a/proof/refine/ARM/TcbAcc_R.thy b/proof/refine/ARM/TcbAcc_R.thy index 877aa4285b..b697dafd55 100644 --- a/proof/refine/ARM/TcbAcc_R.thy +++ b/proof/refine/ARM/TcbAcc_R.thy @@ -369,7 +369,7 @@ proof - apply (simp add: return_def thread_set_def gets_the_def assert_opt_def simpler_gets_def set_object_def get_object_def put_def get_def bind_def assert_def a_type_def[split_simps kernel_object.split arch_kernel_obj.split]) - apply (subgoal_tac "kheap s(t \ TCB tcb) = kheap s", simp) + apply (subgoal_tac "(kheap s)(t \ TCB tcb) = kheap s", simp) apply (simp add: map_upd_triv get_tcb_SomeD) apply (simp add: get_tcb_SomeD map_upd_triv) done diff --git a/proof/refine/ARM/Untyped_R.thy b/proof/refine/ARM/Untyped_R.thy index 09e2b5e352..fc4f37995c 100644 --- a/proof/refine/ARM/Untyped_R.thy +++ b/proof/refine/ARM/Untyped_R.thy @@ -3505,7 +3505,7 @@ lemma updateFreeIndex_mdb_simple': and cte_wp_at' :"ctes_of s src = Some cte" "cteCap cte = capability.UntypedCap d ptr sz idx'" and unt_inc' :"untyped_inc' (ctes_of s)" and valid_objs' :"valid_objs' s" - and invp: "mdb_inv_preserve (ctes_of s) (ctes_of s(src \ cteCap_update (\_. capability.UntypedCap d ptr sz idx) cte))" + and invp: "mdb_inv_preserve (ctes_of s) ((ctes_of s)(src \ cteCap_update (\_. UntypedCap d ptr sz idx) cte))" (is "mdb_inv_preserve (ctes_of s) ?ctes") show "untyped_inc' ?ctes" diff --git a/proof/refine/ARM/VSpace_R.thy b/proof/refine/ARM/VSpace_R.thy index 588807b5ef..87707612c3 100644 --- a/proof/refine/ARM/VSpace_R.thy +++ b/proof/refine/ARM/VSpace_R.thy 
@@ -1976,7 +1976,7 @@ lemma duplicate_address_set_simp: lemma valid_duplicates'_non_pd_pt_I: "\koTypeOf ko \ ArchT PDET; koTypeOf ko \ ArchT PTET; vs_valid_duplicates' (ksPSpace s) ; ksPSpace s p = Some ko; koTypeOf ko = koTypeOf m\ - \ vs_valid_duplicates' (ksPSpace s(p \ m))" + \ vs_valid_duplicates' ((ksPSpace s)(p \ m))" apply (subst vs_valid_duplicates'_def) apply (intro allI impI) apply (clarsimp split:if_splits simp:duplicate_address_set_simp option.splits) diff --git a/proof/refine/ARM_HYP/Arch_R.thy b/proof/refine/ARM_HYP/Arch_R.thy index 65dc8de207..342ea2cffb 100644 --- a/proof/refine/ARM_HYP/Arch_R.thy +++ b/proof/refine/ARM_HYP/Arch_R.thy @@ -2093,7 +2093,7 @@ crunch cte_wp_at': "Arch.finaliseCap" "cte_wp_at' P p" lemma invs_asid_table_strengthen': "invs' s \ asid_pool_at' ap s \ asid \ 2 ^ asid_high_bits - 1 \ invs' (s\ksArchState := - armKSASIDTable_update (\_. (armKSASIDTable \ ksArchState) s(asid \ ap)) (ksArchState s)\)" + armKSASIDTable_update (\_. ((armKSASIDTable \ ksArchState) s)(asid \ ap)) (ksArchState s)\)" apply (clarsimp simp: invs'_def valid_state'_def) apply (rule conjI) apply (clarsimp simp: valid_global_refs'_def global_refs'_def) diff --git a/proof/refine/ARM_HYP/CSpace1_R.thy b/proof/refine/ARM_HYP/CSpace1_R.thy index 6a82520a9c..d6e54b253a 100644 --- a/proof/refine/ARM_HYP/CSpace1_R.thy +++ b/proof/refine/ARM_HYP/CSpace1_R.thy @@ -823,7 +823,7 @@ lemma tcbVTable_upd_simp [simp]: by (cases tcb) simp lemma setCTE_ctes_of_wp [wp]: - "\\s. P (ctes_of s (p \ cte))\ + "\\s. P ((ctes_of s) (p \ cte))\ setCTE p cte \\rv s. P (ctes_of s)\" by (simp add: setCTE_def ctes_of_setObject_cte) diff --git a/proof/refine/ARM_HYP/CSpace_R.thy b/proof/refine/ARM_HYP/CSpace_R.thy index 356b58ea29..e56496a8d4 100644 --- a/proof/refine/ARM_HYP/CSpace_R.thy +++ b/proof/refine/ARM_HYP/CSpace_R.thy 
@@ -2227,7 +2227,7 @@ proof - let ?c2 = "(CTE capability.NullCap (MDB 0 0 bool1 bool2))" let ?C = "(modify_map (modify_map - (modify_map (ctes_of s(dest \ CTE cap (MDB 0 0 bool1 bool2))) dest + (modify_map ((ctes_of s)(dest \ CTE cap (MDB 0 0 bool1 bool2))) dest (cteMDBNode_update (\a. MDB word1 src (revokable' src_cap cap) (revokable' src_cap cap)))) src (cteMDBNode_update (mdbNext_update (\_. dest)))) word1 (cteMDBNode_update (mdbPrev_update (\_. dest))))" diff --git a/proof/refine/ARM_HYP/Detype_R.thy b/proof/refine/ARM_HYP/Detype_R.thy index 2ad9254d39..680aabb2e3 100644 --- a/proof/refine/ARM_HYP/Detype_R.thy +++ b/proof/refine/ARM_HYP/Detype_R.thy @@ -2740,7 +2740,7 @@ lemma storePDE_det: "ko_wp_at' ((=) (KOArch (KOPDE pde))) ptr s \ storePDE ptr (new_pde::ARM_HYP_H.pde) s = modify - (ksPSpace_update (\_. ksPSpace s(ptr \ KOArch (KOPDE new_pde)))) s" + (ksPSpace_update (\_. (ksPSpace s)(ptr \ KOArch (KOPDE new_pde)))) s" apply (clarsimp simp:ko_wp_at'_def storePDE_def split_def bind_def gets_def return_def wordsFromPDE_def get_def setObject_def headM_def tailM_def @@ -2988,7 +2988,7 @@ lemma cte_wp_at_modify_pde: atLeastAtMost_iff shows "\ksPSpace s ptr' = Some (KOArch (KOPDE pde)); pspace_aligned' s;cte_wp_at' \ ptr s\ - \ cte_wp_at' \ ptr (s\ksPSpace := ksPSpace s(ptr' \ (KOArch (KOPDE pde')))\)" + \ cte_wp_at' \ ptr (s\ksPSpace := (ksPSpace s)(ptr' \ (KOArch (KOPDE pde')))\)" apply (simp add:cte_wp_at_obj_cases_mask obj_at'_real_def) apply (frule(1) pspace_alignedD') apply (elim disjE) diff --git a/proof/refine/ARM_HYP/Finalise_R.thy b/proof/refine/ARM_HYP/Finalise_R.thy index 536280436e..51064db0a5 100644 --- a/proof/refine/ARM_HYP/Finalise_R.thy +++ b/proof/refine/ARM_HYP/Finalise_R.thy 
@@ -1283,7 +1283,7 @@ crunch gsMaxObjectSize[wp]: emptySlot "\s. P (gsMaxObjectSize s)" end lemma emptySlot_cteCaps_of: - "\\s. P (cteCaps_of s(p \ NullCap))\ + "\\s. P ((cteCaps_of s)(p \ NullCap))\ emptySlot p opt \\rv s. P (cteCaps_of s)\" apply (simp add: emptySlot_def case_Null_If) @@ -2769,10 +2769,7 @@ lemma prepares_delete_helper'': apply (clarsimp simp: removeable'_def) done -lemma ctes_of_cteCaps_of_lift: - "\ \P. \\s. P (ctes_of s)\ f \\rv s. P (ctes_of s)\ \ - \ \\s. P (cteCaps_of s)\ f \\rv s. P (cteCaps_of s)\" - by (wp | simp add: cteCaps_of_def)+ +lemmas ctes_of_cteCaps_of_lift = cteCaps_of_ctes_of_lift crunches finaliseCapTrue_standin, unbindNotification for ctes_of[wp]: "\s. P (ctes_of s)" @@ -2780,7 +2777,7 @@ crunches finaliseCapTrue_standin, unbindNotification lemma cteDeleteOne_cteCaps_of: "\\s. (cte_wp_at' (\cte. \final. finaliseCap (cteCap cte) final True \ fail) p s \ - P (cteCaps_of s(p \ NullCap)))\ + P ((cteCaps_of s)(p \ NullCap)))\ cteDeleteOne p \\rv s. P (cteCaps_of s)\" apply (simp add: cteDeleteOne_def unless_def split_def) @@ -3225,7 +3222,7 @@ crunch ctes_of[wp]: cancelSignal "\s. P (ctes_of s)" lemma cancelIPC_cteCaps_of: "\\s. (\p. cte_wp_at' (\cte. \final. finaliseCap (cteCap cte) final True \ fail) p s \ - P (cteCaps_of s(p \ NullCap))) \ + P ((cteCaps_of s)(p \ NullCap))) \ P (cteCaps_of s)\ cancelIPC t \\rv s. P (cteCaps_of s)\" @@ -4217,7 +4214,7 @@ definition set_thread_all :: "obj_ref \ Structures_A.tcb \ unit det_ext_monad" where "set_thread_all ptr tcb etcb \ do s \ get; - kh \ return $ kheap s(ptr \ (TCB tcb)); + kh \ return $ (kheap s)(ptr \ (TCB tcb)); ekh \ return $ (ekheap s)(ptr \ etcb); put (s\kheap := kh, ekheap := ekh\) od" diff --git a/proof/refine/ARM_HYP/InvariantUpdates_H.thy b/proof/refine/ARM_HYP/InvariantUpdates_H.thy index 29ef82a6b5..c15fac0053 100644 --- a/proof/refine/ARM_HYP/InvariantUpdates_H.thy +++ b/proof/refine/ARM_HYP/InvariantUpdates_H.thy 
@@ -16,7 +16,7 @@ lemma ps_clear_domE[elim?]: lemma ps_clear_upd: "ksPSpace s y = Some v \ - ps_clear x n (ksPSpace_update (\a. ksPSpace s(y \ v')) s') = ps_clear x n s" + ps_clear x n (ksPSpace_update (\a. (ksPSpace s)(y \ v')) s') = ps_clear x n s" by (rule iffI | clarsimp elim!: ps_clear_domE | fastforce)+ lemmas ps_clear_updE[elim] = iffD2[OF ps_clear_upd, rotated] diff --git a/proof/refine/ARM_HYP/Invariants_H.thy b/proof/refine/ARM_HYP/Invariants_H.thy index 24fad7bcb9..7d3acef6cc 100644 --- a/proof/refine/ARM_HYP/Invariants_H.thy +++ b/proof/refine/ARM_HYP/Invariants_H.thy @@ -1529,7 +1529,7 @@ lemmas valid_duplicates'_D = valid_duplicates'_pdeD valid_duplicates'_pteD lemma valid_duplicates'_non_pd_pt_I: "\koTypeOf ko \ ArchT PDET; koTypeOf ko \ ArchT PTET; vs_valid_duplicates' (ksPSpace s) ; ksPSpace s p = Some ko; koTypeOf ko = koTypeOf m\ - \ vs_valid_duplicates' (ksPSpace s(p \ m))" + \ vs_valid_duplicates' ((ksPSpace s)(p \ m))" apply (subst vs_valid_duplicates'_def) apply (rule allI) apply (clarsimp simp: option.splits kernel_object.splits arch_kernel_object.splits) diff --git a/proof/refine/ARM_HYP/Schedule_R.thy b/proof/refine/ARM_HYP/Schedule_R.thy index 92162ab7e0..0b6d59bdc9 100644 --- a/proof/refine/ARM_HYP/Schedule_R.thy +++ b/proof/refine/ARM_HYP/Schedule_R.thy 
@@ -76,17 +76,17 @@ lemma vs_refs_pages_vcpu: by (simp add: vs_refs_pages_def) lemma vs_lookup_pages1_vcpu_update: - "typ_at (AArch AVCPU) vcpuPtr s \ vs_lookup_pages1 (s\kheap := kheap s(vcpuPtr \ ArchObj (VCPU vcpu))\) + "typ_at (AArch AVCPU) vcpuPtr s \ vs_lookup_pages1 (s\kheap := (kheap s)(vcpuPtr \ ArchObj (VCPU vcpu))\) = vs_lookup_pages1 s" by (clarsimp intro!: set_eqI simp: vs_lookup_pages1_def vs_refs_pages_vcpu obj_at_def) lemma vs_lookup_pages_vcpu_update: - "typ_at (AArch AVCPU) vcpuPtr s \ vs_lookup_pages (s\kheap := kheap s(vcpuPtr \ ArchObj (VCPU vcpu))\) + "typ_at (AArch AVCPU) vcpuPtr s \ vs_lookup_pages (s\kheap := (kheap s)(vcpuPtr \ ArchObj (VCPU vcpu))\) = vs_lookup_pages s" by (clarsimp simp: vs_lookup_pages_def vs_lookup_pages1_vcpu_update) lemma valid_vs_lookup_vcpu_update: - "typ_at (AArch AVCPU) vcpuPtr s \ valid_vs_lookup (s\kheap := kheap s(vcpuPtr \ ArchObj (VCPU vcpu))\) + "typ_at (AArch AVCPU) vcpuPtr s \ valid_vs_lookup (s\kheap := (kheap s)(vcpuPtr \ ArchObj (VCPU vcpu))\) = valid_vs_lookup s" apply (clarsimp simp: valid_vs_lookup_def caps_of_state_VCPU_update) apply (rule all_cong1) @@ -769,12 +769,12 @@ lemma valid_vs_lookup_arm_current_vcpu_inv[simp]: "valid_vs_lookup (s\arc lemma vs_lookup_pages1_vcpu_update': "kheap s p = Some (ArchObj (VCPU x)) \ - vs_lookup_pages1 (s\kheap := kheap s(p \ ArchObj (VCPU x'))\) = vs_lookup_pages1 s" + vs_lookup_pages1 (s\kheap := (kheap s)(p \ ArchObj (VCPU x'))\) = vs_lookup_pages1 s" by (clarsimp simp: vs_lookup_pages1_def obj_at_def vs_refs_pages_def intro!: set_eqI) lemma vs_lookup_pages_vcpu_update': "kheap s y = Some (ArchObj (VCPU x)) \ - (ref \ p) s = (ref \ p) (s\kheap := kheap s(y \ ArchObj (VCPU x'))\)" + (ref \ p) s = (ref \ p) (s\kheap := (kheap s)(y \ ArchObj (VCPU x'))\)" by (clarsimp simp: vs_lookup_pages_def vs_lookup_pages1_vcpu_update') lemma tcb_at'_ksIdleThread_lift: 
diff --git a/proof/refine/ARM_HYP/TcbAcc_R.thy b/proof/refine/ARM_HYP/TcbAcc_R.thy index 2eb81e8d9f..409f3d5673 100644 --- a/proof/refine/ARM_HYP/TcbAcc_R.thy +++ b/proof/refine/ARM_HYP/TcbAcc_R.thy @@ -383,7 +383,7 @@ proof - apply (simp add: return_def thread_set_def gets_the_def assert_def assert_opt_def simpler_gets_def set_object_def get_object_def put_def get_def bind_def) - apply (subgoal_tac "kheap s(t \ TCB tcb) = kheap s") + apply (subgoal_tac "(kheap s)(t \ TCB tcb) = kheap s") apply (simp add: map_upd_triv get_tcb_SomeD)+ done show ?thesis diff --git a/proof/refine/ARM_HYP/Untyped_R.thy b/proof/refine/ARM_HYP/Untyped_R.thy index 721aaea69f..1a2f984f24 100644 --- a/proof/refine/ARM_HYP/Untyped_R.thy +++ b/proof/refine/ARM_HYP/Untyped_R.thy @@ -3556,7 +3556,7 @@ lemma updateFreeIndex_mdb_simple': and cte_wp_at' :"ctes_of s src = Some cte" "cteCap cte = capability.UntypedCap d ptr sz idx'" and unt_inc' :"untyped_inc' (ctes_of s)" and valid_objs' :"valid_objs' s" - and invp: "mdb_inv_preserve (ctes_of s) (ctes_of s(src \ cteCap_update (\_. capability.UntypedCap d ptr sz idx) cte))" + and invp: "mdb_inv_preserve (ctes_of s) ((ctes_of s)(src \ cteCap_update (\_. UntypedCap d ptr sz idx) cte))" (is "mdb_inv_preserve (ctes_of s) ?ctes") show "untyped_inc' ?ctes" diff --git a/proof/refine/RISCV64/Arch_R.thy b/proof/refine/RISCV64/Arch_R.thy index 753aad7b41..0a0d28d318 100644 --- a/proof/refine/RISCV64/Arch_R.thy +++ b/proof/refine/RISCV64/Arch_R.thy 
@@ -1256,7 +1256,7 @@ crunch st_tcb_at' [wp]: "Arch.finaliseCap" "st_tcb_at' P t" lemma invs_asid_table_strengthen': "invs' s \ asid_pool_at' ap s \ asid \ 2 ^ asid_high_bits - 1 \ invs' (s\ksArchState := - riscvKSASIDTable_update (\_. (riscvKSASIDTable \ ksArchState) s(asid \ ap)) (ksArchState s)\)" + riscvKSASIDTable_update (\_. ((riscvKSASIDTable \ ksArchState) s)(asid \ ap)) (ksArchState s)\)" apply (clarsimp simp: invs'_def valid_state'_def) apply (rule conjI) apply (clarsimp simp: valid_global_refs'_def global_refs'_def) diff --git a/proof/refine/RISCV64/CSpace1_R.thy b/proof/refine/RISCV64/CSpace1_R.thy index b2ea3e319b..437285321d 100644 --- a/proof/refine/RISCV64/CSpace1_R.thy +++ b/proof/refine/RISCV64/CSpace1_R.thy @@ -829,7 +829,7 @@ lemma setCTE_tcb_in_cur_domain': done lemma setCTE_ctes_of_wp [wp]: - "\\s. P (ctes_of s (p \ cte))\ + "\\s. P ((ctes_of s) (p \ cte))\ setCTE p cte \\rv s. P (ctes_of s)\" by (simp add: setCTE_def ctes_of_setObject_cte) diff --git a/proof/refine/RISCV64/CSpace_R.thy b/proof/refine/RISCV64/CSpace_R.thy index 96aace7137..797bc486ce 100644 --- a/proof/refine/RISCV64/CSpace_R.thy +++ b/proof/refine/RISCV64/CSpace_R.thy @@ -2226,7 +2226,7 @@ proof - let ?c2 = "(CTE capability.NullCap (MDB 0 0 bool1 bool2))" let ?C = "(modify_map (modify_map - (modify_map (ctes_of s(dest \ CTE cap (MDB 0 0 bool1 bool2))) dest + (modify_map ((ctes_of s)(dest \ CTE cap (MDB 0 0 bool1 bool2))) dest (cteMDBNode_update (\a. MDB word1 src (isCapRevocable cap src_cap) (isCapRevocable cap src_cap)))) src (cteMDBNode_update (mdbNext_update (\_. dest)))) word1 (cteMDBNode_update (mdbPrev_update (\_. dest))))" @@ -2921,7 +2921,7 @@ lemma cteInsert_valid_irq_handlers'[wp]: done lemma setCTE_arch_ctes_of_wp [wp]: - "\\s. P (ksArchState s) (ctes_of s (p \ cte))\ + "\\s. P (ksArchState s) ((ctes_of s)(p \ cte))\ setCTE p cte \\rv s. P (ksArchState s) (ctes_of s)\" apply (simp add: setCTE_def ctes_of_setObject_cte) 
diff --git a/proof/refine/RISCV64/Detype_R.thy b/proof/refine/RISCV64/Detype_R.thy index 27b02533be..b0ec6c2aba 100644 --- a/proof/refine/RISCV64/Detype_R.thy +++ b/proof/refine/RISCV64/Detype_R.thy @@ -2514,7 +2514,7 @@ lemma setCTE_pte_at': lemma storePTE_det: "ko_wp_at' ((=) (KOArch (KOPTE pte))) ptr s \ storePTE ptr (new_pte::pte) s = - modify (ksPSpace_update (\_. ksPSpace s(ptr \ KOArch (KOPTE new_pte)))) s" + modify (ksPSpace_update (\_. (ksPSpace s)(ptr \ KOArch (KOPTE new_pte)))) s" apply (clarsimp simp:ko_wp_at'_def storePTE_def split_def bind_def gets_def return_def get_def setObject_def diff --git a/proof/refine/RISCV64/Finalise_R.thy b/proof/refine/RISCV64/Finalise_R.thy index ca005a3037..2c2b684e63 100644 --- a/proof/refine/RISCV64/Finalise_R.thy +++ b/proof/refine/RISCV64/Finalise_R.thy @@ -1291,7 +1291,7 @@ crunch gsMaxObjectSize[wp]: emptySlot "\s. P (gsMaxObjectSize s)" end lemma emptySlot_cteCaps_of: - "\\s. P (cteCaps_of s(p \ NullCap))\ + "\\s. P ((cteCaps_of s)(p \ NullCap))\ emptySlot p opt \\rv s. P (cteCaps_of s)\" apply (simp add: emptySlot_def case_Null_If) @@ -2465,7 +2465,7 @@ crunches finaliseCapTrue_standin, unbindNotification lemma cteDeleteOne_cteCaps_of: "\\s. (cte_wp_at' (\cte. \final. finaliseCap (cteCap cte) final True \ fail) p s \ - P (cteCaps_of s(p \ NullCap)))\ + P ((cteCaps_of s)(p \ NullCap)))\ cteDeleteOne p \\rv s. P (cteCaps_of s)\" apply (simp add: cteDeleteOne_def unless_def split_def) @@ -2823,7 +2823,7 @@ crunch ctes_of[wp]: cancelSignal "\s. P (ctes_of s)" lemma cancelIPC_cteCaps_of: "\\s. (\p. cte_wp_at' (\cte. \final. finaliseCap (cteCap cte) final True \ fail) p s \ - P (cteCaps_of s(p \ NullCap))) \ + P ((cteCaps_of s)(p \ NullCap))) \ P (cteCaps_of s)\ cancelIPC t \\rv s. P (cteCaps_of s)\" 
@@ -3707,7 +3707,7 @@ definition set_thread_all :: "obj_ref \ Structures_A.tcb \ unit det_ext_monad" where "set_thread_all ptr tcb etcb \ do s \ get; - kh \ return $ kheap s(ptr \ (TCB tcb)); + kh \ return $ (kheap s)(ptr \ (TCB tcb)); ekh \ return $ (ekheap s)(ptr \ etcb); put (s\kheap := kh, ekheap := ekh\) od" diff --git a/proof/refine/RISCV64/InvariantUpdates_H.thy b/proof/refine/RISCV64/InvariantUpdates_H.thy index 377bda1525..938a45b494 100644 --- a/proof/refine/RISCV64/InvariantUpdates_H.thy +++ b/proof/refine/RISCV64/InvariantUpdates_H.thy @@ -16,7 +16,7 @@ lemma ps_clear_domE[elim?]: lemma ps_clear_upd: "ksPSpace s y = Some v \ - ps_clear x n (ksPSpace_update (\a. ksPSpace s(y \ v')) s') = ps_clear x n s" + ps_clear x n (ksPSpace_update (\a. (ksPSpace s)(y \ v')) s') = ps_clear x n s" by (rule iffI | clarsimp elim!: ps_clear_domE | fastforce)+ lemmas ps_clear_updE[elim] = iffD2[OF ps_clear_upd, rotated] diff --git a/proof/refine/RISCV64/TcbAcc_R.thy b/proof/refine/RISCV64/TcbAcc_R.thy index 472d75b3ea..708fdaedcc 100644 --- a/proof/refine/RISCV64/TcbAcc_R.thy +++ b/proof/refine/RISCV64/TcbAcc_R.thy @@ -422,7 +422,7 @@ proof - apply (simp add: return_def thread_set_def gets_the_def assert_def assert_opt_def simpler_gets_def set_object_def get_object_def put_def get_def bind_def) - apply (subgoal_tac "kheap s(t \ TCB tcb) = kheap s", simp) + apply (subgoal_tac "(kheap s)(t \ TCB tcb) = kheap s", simp) apply (simp add: map_upd_triv get_tcb_SomeD)+ done show ?thesis diff --git a/proof/refine/RISCV64/Untyped_R.thy b/proof/refine/RISCV64/Untyped_R.thy index 0cba959861..2cec6691c7 100644 --- a/proof/refine/RISCV64/Untyped_R.thy +++ b/proof/refine/RISCV64/Untyped_R.thy 
@@ -3524,7 +3524,7 @@ lemma updateFreeIndex_mdb_simple': and cte_wp_at' :"ctes_of s src = Some cte" "cteCap cte = capability.UntypedCap d ptr sz idx'" and unt_inc' :"untyped_inc' (ctes_of s)" and valid_objs' :"valid_objs' s" - and invp: "mdb_inv_preserve (ctes_of s) (ctes_of s(src \ cteCap_update (\_. capability.UntypedCap d ptr sz idx) cte))" + and invp: "mdb_inv_preserve (ctes_of s) ((ctes_of s)(src \ cteCap_update (\_. UntypedCap d ptr sz idx) cte))" (is "mdb_inv_preserve (ctes_of s) ?ctes") show "untyped_inc' ?ctes" diff --git a/proof/refine/X64/Arch_R.thy b/proof/refine/X64/Arch_R.thy index 242ff6183c..395b554113 100644 --- a/proof/refine/X64/Arch_R.thy +++ b/proof/refine/X64/Arch_R.thy @@ -1950,7 +1950,7 @@ crunch cte_wp_at': "Arch.finaliseCap" "cte_wp_at' P p" lemma invs_asid_table_strengthen': "invs' s \ asid_pool_at' ap s \ asid \ 2 ^ asid_high_bits - 1 \ invs' (s\ksArchState := - x64KSASIDTable_update (\_. (x64KSASIDTable \ ksArchState) s(asid \ ap)) (ksArchState s)\)" + x64KSASIDTable_update (\_. ((x64KSASIDTable \ ksArchState) s)(asid \ ap)) (ksArchState s)\)" apply (clarsimp simp: invs'_def valid_state'_def) apply (rule conjI) apply (clarsimp simp: valid_global_refs'_def global_refs'_def) diff --git a/proof/refine/X64/CSpace1_R.thy b/proof/refine/X64/CSpace1_R.thy index 72c6e7ce40..9d060788b7 100644 --- a/proof/refine/X64/CSpace1_R.thy +++ b/proof/refine/X64/CSpace1_R.thy @@ -833,7 +833,7 @@ lemma setCTE_tcb_in_cur_domain': done lemma setCTE_ctes_of_wp [wp]: - "\\s. P (ctes_of s (p \ cte))\ + "\\s. P ((ctes_of s) (p \ cte))\ setCTE p cte \\rv s. P (ctes_of s)\" by (simp add: setCTE_def ctes_of_setObject_cte) diff --git a/proof/refine/X64/CSpace_R.thy b/proof/refine/X64/CSpace_R.thy index eb02e8ac8c..8917fedb54 100644 --- a/proof/refine/X64/CSpace_R.thy +++ b/proof/refine/X64/CSpace_R.thy 
@@ -2319,7 +2319,7 @@ proof - let ?c2 = "(CTE capability.NullCap (MDB 0 0 bool1 bool2))" let ?C = "(modify_map (modify_map - (modify_map (ctes_of s(dest \ CTE cap (MDB 0 0 bool1 bool2))) dest + (modify_map ((ctes_of s)(dest \ CTE cap (MDB 0 0 bool1 bool2))) dest (cteMDBNode_update (\a. MDB word1 src (isCapRevocable cap src_cap) (isCapRevocable cap src_cap)))) src (cteMDBNode_update (mdbNext_update (\_. dest)))) word1 (cteMDBNode_update (mdbPrev_update (\_. dest))))" @@ -3044,7 +3044,7 @@ definition cap_ioports' newcap - cap_ioports' oldcap \ issued_ioports' (ksArchState s)" lemma setCTE_arch_ctes_of_wp [wp]: - "\\s. P (ksArchState s) (ctes_of s (p \ cte))\ + "\\s. P (ksArchState s) ((ctes_of s)(p \ cte))\ setCTE p cte \\rv s. P (ksArchState s) (ctes_of s)\" apply (simp add: setCTE_def ctes_of_setObject_cte) diff --git a/proof/refine/X64/Detype_R.thy b/proof/refine/X64/Detype_R.thy index fd4f2c0b28..61d12ae49b 100644 --- a/proof/refine/X64/Detype_R.thy +++ b/proof/refine/X64/Detype_R.thy @@ -2643,7 +2643,7 @@ lemma storePDE_det: "ko_wp_at' ((=) (KOArch (KOPDE pde))) ptr s \ storePDE ptr (new_pde::X64_H.pde) s = modify - (ksPSpace_update (\_. ksPSpace s(ptr \ KOArch (KOPDE new_pde)))) s" + (ksPSpace_update (\_. (ksPSpace s)(ptr \ KOArch (KOPDE new_pde)))) s" apply (clarsimp simp:ko_wp_at'_def storePDE_def split_def bind_def gets_def return_def get_def setObject_def @@ -2796,7 +2796,7 @@ lemma cte_wp_at_modify_pde: atLeastAtMost_iff shows "\ksPSpace s ptr' = Some (KOArch (KOPDE pde)); pspace_aligned' s;cte_wp_at' \ ptr s\ - \ cte_wp_at' \ ptr (s\ksPSpace := ksPSpace s(ptr' \ (KOArch (KOPDE pde')))\)" + \ cte_wp_at' \ ptr (s\ksPSpace := (ksPSpace s)(ptr' \ (KOArch (KOPDE pde')))\)" apply (simp add:cte_wp_at_obj_cases_mask obj_at'_real_def) apply (frule(1) pspace_alignedD') apply (elim disjE) 
@@ -3006,7 +3006,7 @@ lemma storePML4E_det: "ko_wp_at' ((=) (KOArch (KOPML4E pml4e))) ptr s \ storePML4E ptr (new_pml4e::X64_H.pml4e) s = modify - (ksPSpace_update (\_. ksPSpace s(ptr \ KOArch (KOPML4E new_pml4e)))) s" + (ksPSpace_update (\_. (ksPSpace s)(ptr \ KOArch (KOPML4E new_pml4e)))) s" apply (clarsimp simp:ko_wp_at'_def storePML4E_def split_def bind_def gets_def return_def get_def setObject_def @@ -3208,7 +3208,7 @@ lemma cte_wp_at_modify_pml4e: atLeastAtMost_iff shows "\ksPSpace s ptr' = Some (KOArch (KOPML4E pml4e)); pspace_aligned' s;cte_wp_at' \ ptr s\ - \ cte_wp_at' \ ptr (s\ksPSpace := ksPSpace s(ptr' \ (KOArch (KOPML4E pml4e')))\)" + \ cte_wp_at' \ ptr (s\ksPSpace := (ksPSpace s)(ptr' \ (KOArch (KOPML4E pml4e')))\)" apply (simp add:cte_wp_at_obj_cases_mask obj_at'_real_def) apply (frule(1) pspace_alignedD') apply (elim disjE) diff --git a/proof/refine/X64/Finalise_R.thy b/proof/refine/X64/Finalise_R.thy index 12db176ef9..733a72db45 100644 --- a/proof/refine/X64/Finalise_R.thy +++ b/proof/refine/X64/Finalise_R.thy @@ -1296,7 +1296,7 @@ crunches deletedIRQHandler, getSlotCap, clearUntypedFreeIndex, updateMDB, getCTE end lemma emptySlot_cteCaps_of: - "\\s. P (cteCaps_of s(p \ NullCap))\ + "\\s. P ((cteCaps_of s)(p \ NullCap))\ emptySlot p opt \\rv s. P (cteCaps_of s)\" apply (simp add: emptySlot_def case_Null_If) @@ -2622,7 +2622,7 @@ crunches finaliseCapTrue_standin, unbindNotification lemma cteDeleteOne_cteCaps_of: "\\s. (cte_wp_at' (\cte. \final. finaliseCap (cteCap cte) final True \ fail) p s \ - P (cteCaps_of s(p \ NullCap)))\ + P ((cteCaps_of s)(p \ NullCap)))\ cteDeleteOne p \\rv s. P (cteCaps_of s)\" apply (simp add: cteDeleteOne_def unless_def split_def) 
@@ -2994,7 +2994,7 @@ crunch ctes_of[wp]: cancelSignal "\s. P (ctes_of s)" lemma cancelIPC_cteCaps_of: "\\s. (\p. cte_wp_at' (\cte. \final. finaliseCap (cteCap cte) final True \ fail) p s \ - P (cteCaps_of s(p \ NullCap))) \ + P ((cteCaps_of s)(p \ NullCap))) \ P (cteCaps_of s)\ cancelIPC t \\rv s. P (cteCaps_of s)\" @@ -3923,7 +3923,7 @@ definition set_thread_all :: "obj_ref \ Structures_A.tcb \ unit det_ext_monad" where "set_thread_all ptr tcb etcb \ do s \ get; - kh \ return $ kheap s(ptr \ (TCB tcb)); + kh \ return $ (kheap s)(ptr \ (TCB tcb)); ekh \ return $ (ekheap s)(ptr \ etcb); put (s\kheap := kh, ekheap := ekh\) od" diff --git a/proof/refine/X64/InvariantUpdates_H.thy b/proof/refine/X64/InvariantUpdates_H.thy index 523019315d..25a95f3d15 100644 --- a/proof/refine/X64/InvariantUpdates_H.thy +++ b/proof/refine/X64/InvariantUpdates_H.thy @@ -16,7 +16,7 @@ lemma ps_clear_domE[elim?]: lemma ps_clear_upd: "ksPSpace s y = Some v \ - ps_clear x n (ksPSpace_update (\a. ksPSpace s(y \ v')) s') = ps_clear x n s" + ps_clear x n (ksPSpace_update (\a. (ksPSpace s)(y \ v')) s') = ps_clear x n s" by (rule iffI | clarsimp elim!: ps_clear_domE | fastforce)+ lemmas ps_clear_updE[elim] = iffD2[OF ps_clear_upd, rotated] diff --git a/proof/refine/X64/TcbAcc_R.thy b/proof/refine/X64/TcbAcc_R.thy index a1e2648535..d4a9418bee 100644 --- a/proof/refine/X64/TcbAcc_R.thy +++ b/proof/refine/X64/TcbAcc_R.thy @@ -398,7 +398,7 @@ proof - apply (simp add: return_def thread_set_def gets_the_def assert_def assert_opt_def simpler_gets_def set_object_def get_object_def put_def get_def bind_def) - apply (subgoal_tac "kheap s(t \ TCB tcb) = kheap s", simp) + apply (subgoal_tac "(kheap s)(t \ TCB tcb) = kheap s", simp) apply (simp add: map_upd_triv get_tcb_SomeD)+ done show ?thesis diff --git a/proof/refine/X64/Untyped_R.thy b/proof/refine/X64/Untyped_R.thy index 01734b8b21..475c6f089e 100644 --- a/proof/refine/X64/Untyped_R.thy +++ b/proof/refine/X64/Untyped_R.thy 
@@ -3616,7 +3616,7 @@ lemma updateFreeIndex_mdb_simple': and cte_wp_at' :"ctes_of s src = Some cte" "cteCap cte = capability.UntypedCap d ptr sz idx'" and unt_inc' :"untyped_inc' (ctes_of s)" and valid_objs' :"valid_objs' s" - and invp: "mdb_inv_preserve (ctes_of s) (ctes_of s(src \ cteCap_update (\_. capability.UntypedCap d ptr sz idx) cte))" + and invp: "mdb_inv_preserve (ctes_of s) ((ctes_of s)(src \ cteCap_update (\_. UntypedCap d ptr sz idx) cte))" (is "mdb_inv_preserve (ctes_of s) ?ctes") show "untyped_inc' ?ctes" diff --git a/proof/sep-capDL/Frame_SD.thy b/proof/sep-capDL/Frame_SD.thy index 30ab6b796f..3c7937e4ad 100644 --- a/proof/sep-capDL/Frame_SD.thy +++ b/proof/sep-capDL/Frame_SD.thy @@ -85,13 +85,13 @@ lemma disjoint_union_diff: by auto lemma intent_reset_update_slots_single: - "intent_reset (update_slots (object_slots obj(slot \ cap)) obj) - = update_slots (object_slots (intent_reset obj)(slot \ cap)) (intent_reset obj)" + "intent_reset (update_slots ((object_slots obj)(slot \ cap)) obj) + = update_slots ((object_slots (intent_reset obj))(slot \ cap)) (intent_reset obj)" by simp lemma object_clean_update_slots_single: - "object_clean (update_slots (object_slots obj(slot \ cap)) obj) - = update_slots (object_slots (object_clean obj)(slot \ reset_cap_asid cap)) (object_clean obj)" + "object_clean (update_slots ((object_slots obj)(slot \ cap)) obj) + = update_slots ((object_slots (object_clean obj))(slot \ reset_cap_asid cap)) (object_clean obj)" by (auto simp: object_clean_def intent_reset_def asid_reset_def update_slots_def object_slots_def fun_eq_iff split: cdl_object.splits) 
@@ -203,7 +203,7 @@ lemma object_clean_has_slots: lemma set_object_slot_wp_helper: "\\s. <(obj_id, slot) \c - \* R> s \ cdl_objects s obj_id = Some obj \ object_clean obj = object_clean obj'\ - set_object obj_id (update_slots (object_slots obj' (slot \ cap)) obj') + set_object obj_id (update_slots ((object_slots obj') (slot \ cap)) obj') \\rv. <(obj_id, slot) \c cap \* R>\" apply (clarsimp simp: set_object_def sep_any_def) apply wp @@ -230,7 +230,7 @@ lemma set_object_slot_wp: "\\s. <(obj_id, slot) \c - \* R> s \ cdl_objects s obj_id = Some obj \ (\obj'. object_clean obj = object_clean obj' \ - nobj = (update_slots (object_slots obj' (slot \ cap)) obj'))\ + nobj = (update_slots ((object_slots obj') (slot \ cap)) obj'))\ set_object obj_id nobj \\rv. <(obj_id, slot) \c cap \* R>\" apply (rule hoare_name_pre_state) diff --git a/spec/abstract/ARM_HYP/Init_A.thy b/spec/abstract/ARM_HYP/Init_A.thy index a737025ba8..0d25ded079 100644 --- a/spec/abstract/ARM_HYP/Init_A.thy +++ b/spec/abstract/ARM_HYP/Init_A.thy @@ -77,8 +77,8 @@ definition tcb_bound_notification = None, tcb_mcpriority = minBound, tcb_arch = init_arch_tcb - \) - (us_global_pd_ptr \ us_global_pd)" + \, + us_global_pd_ptr \ us_global_pd)" definition "init_cdt \ Map.empty" diff --git a/spec/abstract/Deterministic_A.thy b/spec/abstract/Deterministic_A.thy index 6da11444d7..f84aa166b8 100644 --- a/spec/abstract/Deterministic_A.thy +++ b/spec/abstract/Deterministic_A.thy @@ -244,7 +244,7 @@ definition set_eobject :: "obj_ref \ etcb \ unit det_ext where "set_eobject ptr obj \ do es \ get; - ekh \ return $ ekheap es(ptr \ obj); + ekh \ return $ (ekheap es)(ptr \ obj); put (es\ekheap := ekh\) od" diff --git a/spec/abstract/KHeap_A.thy b/spec/abstract/KHeap_A.thy index dff81ee501..3d9a4542e1 100644 --- a/spec/abstract/KHeap_A.thy +++ b/spec/abstract/KHeap_A.thy 
@@ -35,7 +35,7 @@ where kobj <- get_object ptr; assert (a_type kobj = a_type obj); s \ get; - put (s\kheap := kheap s(ptr \ obj)\) + put (s\kheap := (kheap s)(ptr \ obj)\) od" diff --git a/tools/autocorres/TypHeapSimple.thy b/tools/autocorres/TypHeapSimple.thy index 074ec1932c..d5e303c10a 100644 --- a/tools/autocorres/TypHeapSimple.thy +++ b/tools/autocorres/TypHeapSimple.thy @@ -512,7 +512,7 @@ lemma simple_lift_field_update': and xf_xfu: "fg_cons xf xfu" and cl: "simple_lift hp ptr = Some z" shows "(simple_lift (hrs_mem_update (heap_update (Ptr &(ptr\f)) val) hp)) = - simple_lift hp(ptr \ xfu val z)" + (simple_lift hp)(ptr \ xfu val z)" (is "?LHS = ?RHS") proof (rule ext) fix p @@ -581,7 +581,7 @@ lemma simple_lift_field_update: and xf_xfu: "fg_cons xf (xfu o (\x _. x))" and cl: "simple_lift hp ptr = Some z" shows "(simple_lift (hrs_mem_update (heap_update (Ptr &(ptr\f)) val) hp)) = - simple_lift hp(ptr \ xfu (\_. val) z)" + (simple_lift hp)(ptr \ xfu (\_. val) z)" (is "?LHS = ?RHS") apply (insert fl [unfolded field_ti_def]) apply (clarsimp split: option.splits) diff --git a/tools/autocorres/utils.ML b/tools/autocorres/utils.ML index 6059cb8055..cdb45d5394 100644 --- a/tools/autocorres/utils.ML +++ b/tools/autocorres/utils.ML @@ -459,7 +459,7 @@ fun term_fold_map_top f x = *) fun simp_map f = Context.map_proof ( - Local_Theory.declaration {syntax = false, pervasive = false} ( + Local_Theory.declaration {syntax = false, pervasive = false, pos = @{here}} ( K (Simplifier.map_ss f))) |> Context.proof_map diff --git a/tools/c-parser/Simpl/AlternativeSmallStep.thy b/tools/c-parser/Simpl/AlternativeSmallStep.thy index dfc7cfcfd1..c06998995b 100644 --- a/tools/c-parser/Simpl/AlternativeSmallStep.thy +++ b/tools/c-parser/Simpl/AlternativeSmallStep.thy 
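Review bot: The new `pos = @{here}` field in `simp_map` (tools/autocorres/utils.ML) spells the position antiquotation differently from the otherwise identical additions in tools/c-parser/Simpl/hoare.ML, which use the control-symbol form `\<^here>`; both denote the position of the antiquotation itself, so the patch now carries two spellings for one thing. Writing `pos = \<^here>` here as well keeps the declarations uniform. Note that the recorded position is that of this line in utils.ML, not of whatever later calls `simp_map`, which is presumably intended but worth a short comment if not.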
@@ -33,7 +33,7 @@ begin text \ -This is the small-step semantics, which is described and used in my PhD-thesis \cite{Schirmer-PhD}. +This is the small-step semantics, which is described and used in my PhD-thesis \<^cite>\"Schirmer-PhD"\. It decomposes the statement into a list of statements and finally executes the head. So the redex is always the head of the list. The equivalence between termination (based on the big-step semantics) and the absence of infinite computations in diff --git a/tools/c-parser/Simpl/ROOT b/tools/c-parser/Simpl/ROOT index 9bcdd6de64..404fb59db6 100644 --- a/tools/c-parser/Simpl/ROOT +++ b/tools/c-parser/Simpl/ROOT @@ -1,6 +1,6 @@ chapter AFP -session Simpl (AFP) = HOL + +session Simpl = HOL + options [timeout = 600] sessions "HOL-Library" diff --git a/tools/c-parser/Simpl/UserGuide.thy b/tools/c-parser/Simpl/UserGuide.thy index 82b629d2f5..cfeb2e1a08 100644 --- a/tools/c-parser/Simpl/UserGuide.thy +++ b/tools/c-parser/Simpl/UserGuide.thy @@ -222,7 +222,7 @@ for procedure calls (that creates the proper @{term init}, @{term return} and @{term result} functions on the fly) and creates locales and statespaces to reason about the procedure. The purpose of locales is to set up logical contexts to support modular reasoning. Locales can be seen as freeze-dried proof contexts that -get alive as you setup a new lemma or theorem (\cite{Ballarin-04-locales}). +get alive as you setup a new lemma or theorem (\<^cite>\"Ballarin-04-locales"\). The locale the user deals with is named \Square_impl\. It defines the procedure name (internally @{term "Square_'proc"}), the procedure body (named \Square_body\) and the statespaces for parameters and local and 
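Review bot: Dropping the group from `session Simpl = HOL +` in tools/c-parser/Simpl/ROOT means the session is no longer selected by session group (`isabelle build -g AFP`), yet the `chapter AFP` line directly above it is kept, so the file still presents Simpl as an AFP entry without belonging to the group. If the intent is that this vendored copy is built by name only, a comment next to the session line, `(* vendored copy of the AFP entry; not a member of the AFP session group *)`, would record that; otherwise the chapter line probably wants revisiting in the same change.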
@@ -537,7 +537,7 @@ the lookup of variable \x\ in the state \\\. The approach to specify procedures on lists -basically follows \cite{MehtaN-CADE03}. From the pointer structure +basically follows \<^cite>\"MehtaN-CADE03"\. From the pointer structure in the heap we (relationally) abstract to HOL lists of references. Then we can specify further properties on the level of HOL lists, rather then on the heap. The basic abstractions are: @@ -795,7 +795,7 @@ since the lists are already uniquely determined by the relational abstraction: \ text \ -The next contrived example is taken from \cite{Homeier-95-vcg}, to illustrate +The next contrived example is taken from \<^cite>\"Homeier-95-vcg"\, to illustrate a more complex termination criterion for mutually recursive procedures. The procedures do not calculate anything useful. @@ -1534,7 +1534,7 @@ procedures init' (|p) = subsubsection \Extending State Spaces\ text \ The records in Isabelle are -extensible \cite{Nipkow-02-hol,NaraschewskiW-TPHOLs98}. In principle this can be exploited +extensible \<^cite>\"Nipkow-02-hol" and "NaraschewskiW-TPHOLs98"\. In principle this can be exploited during verification. The state space can be extended while we we add procedures. But there is one major drawback: \begin{itemize} diff --git a/tools/c-parser/Simpl/hoare.ML b/tools/c-parser/Simpl/hoare.ML index 0fb153d5af..e69f5545d0 100644 --- a/tools/c-parser/Simpl/hoare.ML +++ b/tools/c-parser/Simpl/hoare.ML @@ -540,7 +540,7 @@ fun dest_Guard (Const (@{const_name Language.com.Guard},_)$f$g$c) = (f,g,c,false fun add_declaration name decl thy = thy |> Named_Target.init [] name - |> Local_Theory.declaration {syntax = false, pervasive = false} decl + |> Local_Theory.declaration {syntax = false, pervasive = false, pos = \<^here>} decl |> Local_Theory.exit |> Proof_Context.theory_of; 
@@ -939,7 +939,7 @@ fun procedures_definition locname procs thy = val context = Context.Theory thy |> fold (add_parameter_info Morphism.identity (unsuffix proc_deco)) name_pars - |> StateSpace.set_silent true + |> Config.put_generic StateSpace.silent true fun read_body (_, body) = Syntax.read_term (Context.proof_of context) body; @@ -1058,7 +1058,7 @@ fun procedures_definition locname procs thy = ctxt |> Proof_Context.theory_of |> Named_Target.init [] lname - |> Local_Theory.declaration {syntax = false, pervasive = false} parameter_info_decl + |> Local_Theory.declaration {syntax = false, pervasive = false, pos = \<^here>} parameter_info_decl |> (fn lthy => if has_body name then snd (Local_Theory.define (def lthy) lthy) else lthy) diff --git a/tools/c-parser/Simpl/hoare_syntax.ML b/tools/c-parser/Simpl/hoare_syntax.ML index 81906c78de..db3f4046f5 100644 --- a/tools/c-parser/Simpl/hoare_syntax.ML +++ b/tools/c-parser/Simpl/hoare_syntax.ML @@ -880,7 +880,7 @@ fun mk_call_tr ctxt grd Call formals pn pt actuals has_args cont = (lookup_comp ctxt [] name (Bound 1)) arg end; - val _ = if not (StateSpace.get_silent (Context.Proof ctxt)) andalso + val _ = if not (Config.get ctxt StateSpace.silent) andalso ((not fcall andalso length formals <> length actuals) orelse (fcall andalso length formals <> length actuals + 1)) @@ -932,7 +932,7 @@ fun mk_call_tr ctxt grd Call formals pn pt actuals has_args cont = (case res_formals of [(_, n)] => Abs ("s", dummyT, lookup_comp ctxt [] n (Bound 0)) | _ => - if StateSpace.get_silent (Context.Proof ctxt) + if Config.get ctxt StateSpace.silent then Abs ("s", dummyT, lookup_comp ctxt [] "dummy" (Bound 0)) else raise TERM ("call_tr: function " ^ pn ^ "may only have one result parameter", [])); in Call $ init $ pt $ ret $ res $ c end) 
@@ -999,7 +999,7 @@ fun gen_call_tr prfx dyn grd ctxt p actuals has_args cont = SOME formals => mk_call_tr ctxt grd (Call dyn has_args cont) formals pn pt actuals has_args cont | NONE =>
- if StateSpace.get_silent (Context.Proof ctxt)
+ if Config.get ctxt StateSpace.silent
 then mk_call_tr ctxt grd (Call dyn has_args cont) [] pn pt [] has_args cont else raise TERM ("gen_call_tr: procedure " ^ quote pn ^ " not defined", [])) end;
diff --git a/tools/c-parser/TypHeapLib.thy b/tools/c-parser/TypHeapLib.thy
index ae9f3569a5..06f9232880 100644
--- a/tools/c-parser/TypHeapLib.thy
+++ b/tools/c-parser/TypHeapLib.thy
@@ -37,7 +37,7 @@ lemma c_guard_clift: lemma clift_heap_update: fixes p :: "'a :: mem_type ptr"
- shows "hrs_htd hp \\<^sub>t p \ clift (hrs_mem_update (heap_update p v) hp) = clift hp(p \ v)"
+ shows "hrs_htd hp \\<^sub>t p \ clift (hrs_mem_update (heap_update p v) hp) = (clift hp)(p \ v)"
 unfolding hrs_mem_update_def apply (cases hp) apply (simp add: split_def hrs_htd_def)
@@ -172,7 +172,7 @@ lemma clift_field_update: and eu: "export_uinfo t = export_uinfo (typ_info_t TYPE('b))" and cl: "clift hp ptr = Some z" shows "(clift (hrs_mem_update (heap_update (Ptr &(ptr\f)) val) hp)) =
- clift hp(ptr \ field_update (field_desc t) (to_bytes_p val) z)"
+ (clift hp)(ptr \ field_update (field_desc t) (to_bytes_p val) z)"
 (is "?LHS = ?RHS") proof - have cl': "clift (fst hp, snd hp) ptr = Some z" using cl by simp
diff --git a/tools/c-parser/standalone-parser/basics.sml b/tools/c-parser/standalone-parser/basics.sml
index ab2f9ca988..2f2a5491d6 100644
--- a/tools/c-parser/standalone-parser/basics.sml
+++ b/tools/c-parser/standalone-parser/basics.sml
@@ -72,6 +72,9 @@ struct fun K x y = x fun I x = x
+ fun the_default x (SOME y) = y
+ | the_default x NONE = x;
+
 end open Basics
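Review bot: The new `the_default` in basics.sml ends with a `;` while its neighbours `K` and `I` in the same structure do not, so the block now mixes both terminator styles. Either drop it, `| the_default x NONE = x`, or terminate the neighbouring bindings the same way. The enclosing `struct` starts before the hunk.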
@@ -145,9 +148,6 @@ struct fun uncurry f (x,y) = f x y
- (*union of sets represented as lists: no repetitions*)
- fun union eq = List.foldl (uncurry (insert eq))
-
 fun single x = [x] fun get_first f l =
@@ -164,6 +164,4 @@ struct end
-infix union
-
 open Library
diff --git a/tools/c-parser/standalone-parser/c-parser.mlb b/tools/c-parser/standalone-parser/c-parser.mlb
index 18d5e68264..1aa358895a 100644
--- a/tools/c-parser/standalone-parser/c-parser.mlb
+++ b/tools/c-parser/standalone-parser/c-parser.mlb
@@ -12,6 +12,8 @@ in ../Feedback.ML ../Binaryset.ML basics.sml
+ library.ML
+ unsynchronized.ML
 ../topo_sort.ML ann "nonexhaustiveMatch ignore"
diff --git a/tools/c-parser/standalone-parser/library.ML b/tools/c-parser/standalone-parser/library.ML
index 378c57d883..f4a4f9b44f 100644
--- a/tools/c-parser/standalone-parser/library.ML
+++ b/tools/c-parser/standalone-parser/library.ML
@@ -7,13 +7,28 @@ signature LIBRARY = sig
+ val is_equal: order -> bool
+
+ val build: ('a list -> 'a list) -> 'a list
 val sort : ('a * 'a -> order) -> 'a list -> 'a list
+ val foldl: ('a * 'b -> 'a) -> 'a * 'b list -> 'a
+
+ val insert: ('a * 'a -> bool) -> 'a -> 'a list -> 'a list
+ val remove: ('b * 'a -> bool) -> 'b -> 'a list -> 'a list
+ val update: ('a * 'a -> bool) -> 'a -> 'a list -> 'a list
+ val union: ('a * 'a -> bool) -> 'a list -> 'a list -> 'a list
+ val merge: ('a * 'a -> bool) -> 'a list * 'a list -> 'a list
+
 end structure Library : LIBRARY = struct
+fun is_equal ord = ord = EQUAL;
+
+fun build (f: 'a list -> 'a list) = f [];
+
 (*stable mergesort -- preserves order of equal elements*) fun mergesort unique ord = let
@@ -63,4 +78,31 @@ fun mergesort unique ord = fun sort ord = mergesort false ord;
+(* (op @) (e, [x1, ..., xn]) ===> ((e @ x1) @ x2) ... @ xn
+ for operators that associate to the left (TAIL RECURSIVE)*)
+fun foldl (f: 'a * 'b -> 'a) : 'a * 'b list -> 'a =
+ let fun itl (e, []) = e
+ | itl (e, a::l) = itl (f(e, a), l)
+ in itl end;
+
+fun insert eq x xs = if member eq xs x then xs else x :: xs;
+
+fun remove eq x xs = if member eq xs x then filter_out (fn y => eq (x, y)) xs else xs;
+
+fun update eq x list =
+ (case list of
+ [] => [x]
+ | y :: rest =>
+ if member eq rest x then x :: remove eq x list
+ else if eq (x, y) then list else x :: list);
+
+fun union eq = fold (insert eq);
+
+fun merge eq (xs, ys) =
+ if pointer_eq (xs, ys) then xs
+ else if null xs then ys
+ else fold_rev (insert eq) ys xs;
+
 end
+
+val is_equal = Library.is_equal
diff --git a/tools/c-parser/standalone-parser/tokenizer.mlb b/tools/c-parser/standalone-parser/tokenizer.mlb
index 51e7dd06db..a7f01a43bc 100644
--- a/tools/c-parser/standalone-parser/tokenizer.mlb
+++ b/tools/c-parser/standalone-parser/tokenizer.mlb
@@ -9,6 +9,8 @@ $(SML_LIB)/basis/mlton.mlb (* for pointer equality *) ../Feedback.ML ../Binaryset.ML basics.sml
+library.ML
+unsynchronized.ML
 ../topo_sort.ML ann "nonexhaustiveMatch ignore"
diff --git a/tools/c-parser/standalone-parser/unsynchronized.ML b/tools/c-parser/standalone-parser/unsynchronized.ML
new file mode 100644
index 0000000000..114cec177e
--- /dev/null
+++ b/tools/c-parser/standalone-parser/unsynchronized.ML
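Review bot: The new `union` in library.ML folds its first list into its second (`fold (insert eq) xs ys` inserts the elements of `xs` into `ys`, assuming `fold` is the usual left fold), whereas the `union` removed from basics.sml in the @@ -145 hunk, `List.foldl (uncurry (insert eq))`, inserted the elements of its second argument into its first. The two agree as sets but differ in element order and in which of two `eq`-related elements survives, so a caller that depended on the old order may change behaviour; either keep the old argument order here or check each call site. `insert`, `remove`, `update` and `merge` also rely on `member`, `filter_out`, `fold`, `fold_rev` and `pointer_eq`, none of which is declared in LIBRARY or defined in this hunk, so the load order in the `.mlb` files must already provide them; a one-line comment naming where they come from would help. Finally, this `foldl` has the tupled Isabelle type, so after `open Library` it shadows the Basis `foldl` for every file loaded later — a compile error rather than a silent change, but worth stating in the comment.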
@@ -0,0 +1,36 @@
+(* SPDX-License-Identifier: BSD-3-Clause *)
+(* SPDX-FileCopyrightText: Markus Wenzel, TU Muenchen *)
+
+(* Extracted from Isabelle sources (src/Pure/Concurrent/unsynchronized.ML),
+ reduced to work for mlton *)
+
+signature UNSYNCHRONIZED =
+sig
+ datatype ref = datatype ref
+ val := : 'a ref * 'a -> unit
+ val ! : 'a ref -> 'a
+ val change: 'a ref -> ('a -> 'a) -> unit
+ val change_result: 'a ref -> ('a -> 'b * 'a) -> 'b
+ val inc: int ref -> int
+ val dec: int ref -> int
+ val add: int ref -> int -> int
+end;
+
+structure Unsynchronized: UNSYNCHRONIZED =
+struct
+
+(* regular references *)
+
+datatype ref = datatype ref;
+
+val op := = op :=;
+val ! = !;
+
+fun change r f = r := f (! r);
+fun change_result r f = let val (x, y) = f (! r) in r := y; x end;
+
+fun inc i = (i := ! i + (1: int); ! i);
+fun dec i = (i := ! i - (1: int); ! i);
+fun add i n = (i := ! i + (n: int); ! i);
+
+end;
diff --git a/tools/c-parser/umm_heap/StructSupport.thy b/tools/c-parser/umm_heap/StructSupport.thy
index 1eff974eb8..a18f00d3b6 100644
--- a/tools/c-parser/umm_heap/StructSupport.thy
+++ b/tools/c-parser/umm_heap/StructSupport.thy
@@ -541,8 +541,8 @@ lemma lift_t_hrs_mem_update_fld: Some (adjust_ti (typ_info_t TYPE('b)) xf (xfu \ (\x _. x)), m')" and xf_xfu: "fg_cons xf (xfu \ (\x _. x))" and cl: "lift_t g hp ptr = Some z"
- shows "(lift_t g (hrs_mem_update (heap_update (Ptr &(ptr\f)) val) hp)) =
- lift_t g hp(ptr \ xfu (\_. val) z)"
+ shows "((lift_t g) (hrs_mem_update (heap_update (Ptr &(ptr\f)) val) hp)) =
+ (lift_t g hp)(ptr \ xfu (\_. val) z)"
 (is "?LHS = ?RHS") proof - let ?ati = "adjust_ti (typ_info_t TYPE('b)) xf (xfu \ (\x _. x))"
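Review bot: The header comment of the new unsynchronized.ML says it was extracted and reduced from Isabelle's `src/Pure/Concurrent/unsynchronized.ML` but not from which Isabelle release or what was left out, so whoever next syncs this vendored copy cannot diff it against its origin. Record that in the comment, e.g. `(* Extracted from Isabelle <version> sources (src/Pure/Concurrent/unsynchronized.ML), reduced to the operations above to work for mlton *)` with the version filled in. As the structure name says, `change`, `change_result`, `inc`, `dec` and `add` read and then write the ref without any synchronisation; if the standalone parser only ever runs single-threaded under mlton that is fine, but a one-line comment stating that assumption next to `(* regular references *)` would make it explicit.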
@@ -566,8 +566,8 @@ proof - qed also
- have "\ = lift_t g hp(ptr \ update_ti_t (adjust_ti (typ_info_t TYPE('b)) xf (xfu \ (\x _. x)))
- (to_bytes_p val) z)"
+ have "\ = (lift_t g hp)(ptr \ update_ti_t (adjust_ti (typ_info_t TYPE('b)) xf (xfu \ (\x _. x)))
+ (to_bytes_p val) z)"
 by (simp add: cl eui fl super_field_update_lookup) also have "\ = ?RHS" using xf_xfu
diff --git a/tools/c-parser/umm_heap/TypHeap.thy b/tools/c-parser/umm_heap/TypHeap.thy
index 9bd4fa5c62..1378b095db 100644
--- a/tools/c-parser/umm_heap/TypHeap.thy
+++ b/tools/c-parser/umm_heap/TypHeap.thy
@@ -1799,7 +1799,7 @@ lemma field_names_same: lemma lift_t_heap_update: "d,g \\<^sub>t p \ lift_t g (heap_update p v h,d) =
- (lift_t g (h,d) (p \ (v::'a::mem_type)))"
+ ((lift_t g (h,d)) (p \ (v::'a::mem_type)))"
 apply(subst lift_t_sub_field_update) apply fast apply(simp add: sub_typ_proper_def)