diff --git a/lib/CorresK_Method.thy b/lib/CorresK_Method.thy index 30b494b903..50308a124e 100644 --- a/lib/CorresK_Method.thy +++ b/lib/CorresK_Method.thy @@ -981,13 +981,13 @@ lemma corres_inst_conj_lift[corresKwp_wp_comb]: lemmas [corresKwp_wp_comb] = corresKwp_wp_comb_del[# \-\ \atomize (full), rule allI, rule corres_inst_eq_imp\] valid_validE_R - hoare_vcg_R_conj[OF valid_validE_R] - hoare_vcg_E_elim[OF valid_validE_E] - hoare_vcg_E_conj[OF valid_validE_E] + hoare_vcg_conj_liftE_R[OF valid_validE_R] + hoare_vcg_conj_elimE[OF valid_validE_E] + hoare_vcg_conj_liftE_E[OF valid_validE_E] validE_validE_R - hoare_vcg_R_conj - hoare_vcg_E_elim - hoare_vcg_E_conj + hoare_vcg_conj_liftE_R + hoare_vcg_conj_elimE + hoare_vcg_conj_liftE_E hoare_vcg_conj_lift declare hoare_post_comb_imp_conj[corresKwp_wp_comb_del] diff --git a/lib/ExtraCorres.thy b/lib/ExtraCorres.thy index 30dfd05ab5..15e7138e99 100644 --- a/lib/ExtraCorres.thy +++ b/lib/ExtraCorres.thy @@ -464,14 +464,14 @@ lemma corres_whileLoop_abs_ret: apply (clarsimp simp: validNF_def) apply (rule conjI) apply (intro hoare_vcg_conj_lift_pre_fix; (solves wpsimp)?) - apply (rule_tac Q="\s'. \rv s. (s, s') \ srel \ rrel rv conc_r + apply (rule_tac P'="\s'. \rv s. (s, s') \ srel \ rrel rv conc_r \ P rv s \ (P' conc_r s' \ C' conc_r s') \ s' = new_s" in hoare_weaken_pre[rotated]) apply clarsimp apply (rule hoare_ex_pre) apply (rename_tac abs_r) apply (rule hoare_weaken_pre) - apply (rule_tac G="rrel abs_r conc_r" in hoare_grab_asm) + apply (rule_tac P'="rrel abs_r conc_r" in hoare_grab_asm) apply (wpsimp wp: wp_from_corres_u[OF body_corres] body_inv) apply (fastforce dest: nf) apply (fastforce dest: cond) diff --git a/lib/Monad_Lists.thy b/lib/Monad_Lists.thy index 176101e3d2..832f7bb9bb 100644 --- a/lib/Monad_Lists.thy +++ b/lib/Monad_Lists.thy 
@@ -482,7 +482,7 @@ lemma filterM_subset: lemma filterM_all: "\ \x y. \ x \ set xs; y \ set xs \ \ \P y\ m x \\rv. P y\ \ \ \\s. \x \ set xs. P x s\ filterM m xs \\rv s. \x \ set rv. P x s\" - apply (rule_tac Q="\rv s. set rv \ set xs \ (\x \ set xs. P x s)" + apply (rule_tac Q'="\rv s. set rv \ set xs \ (\x \ set xs. P x s)" in hoare_strengthen_post) apply (wp filterM_subset hoare_vcg_const_Ball_lift filterM_preserved) apply simp+ diff --git a/lib/Monads/nondet/Nondet_More_VCG.thy b/lib/Monads/nondet/Nondet_More_VCG.thy index 664efd4d99..6740e78210 100644 --- a/lib/Monads/nondet/Nondet_More_VCG.thy +++ b/lib/Monads/nondet/Nondet_More_VCG.thy @@ -20,20 +20,20 @@ lemma hoare_take_disjunct: by (erule hoare_strengthen_post, simp) lemma hoare_post_add: - "\P\ S \\r s. R r s \ Q r s\ \ \P\ S \Q\" + "\P\ f \\r s. Q' r s \ Q r s\ \ \P\ f \Q\" by (erule hoare_strengthen_post, simp) lemma hoare_post_addE: - "\P\ f \\_ s. R s \ Q s\, \T\ \ \P\ f \\_ s. Q s\, \T\" + "\P\ f \\_ s. Q' s \ Q s\,\E\ \ \P\ f \\_ s. Q s\,\E\" by (erule hoare_strengthen_postE; simp) lemma hoare_pre_add: - "(\s. P s \ R s) \ (\P\ f \Q\ \ \P and R\ f \Q\)" + "(\s. P s \ P' s) \ \P\ f \Q\ \ \P and P'\ f \Q\" apply (subst iff_conv_conj_imp) by(intro conjI impI; rule hoare_weaken_pre, assumption, clarsimp) lemma hoare_pre_addE: - "(\s. P s \ R s) \ (\P\ f \Q\, \S\ \ \P and R\ f \Q\, \S\)" + "(\s. P s \ P' s) \ \P\ f \Q\,\E\ \ \P and P'\ f \Q\,\E\" apply (subst iff_conv_conj_imp) by(intro conjI impI; rule hoare_weaken_preE, assumption, clarsimp) 
@@ -46,15 +46,15 @@ lemma hoare_name_pre_stateE: by (clarsimp simp: validE_def2) lemma hoare_vcg_if_lift_strong: - "\ \P'\ f \P\; \\s. \ P' s\ f \\rv s. \ P rv s\; \Q'\ f \Q\; \R'\ f \R\ \ \ - \\s. if P' s then Q' s else R' s\ f \\rv s. if P rv s then Q rv s else R rv s\" + "\ \P'\ f \P\; \\s. \ P' s\ f \\rv s. \ P rv s\; \Q'\ f \Q\; \S'\ f \S\ \ \ + \\s. if P' s then Q' s else S' s\ f \\rv s. if P rv s then Q rv s else S rv s\" - "\ \P'\ f \P\; \\s. \ P' s\ f \\rv s. \ P rv s\; \Q'\ f \ Q\; \R'\ f \R\ \ \ - \\s. if P' s then Q' s else R' s\ f \\rv s. (if P rv s then Q rv else R rv) s\" + "\ \P'\ f \P\; \\s. \ P' s\ f \\rv s. \ P rv s\; \Q'\ f \ Q\; \S'\ f \S\ \ \ + \\s. if P' s then Q' s else S' s\ f \\rv s. (if P rv s then Q rv else S rv) s\" by (wpsimp wp: hoare_vcg_imp_lift' | assumption | fastforce)+ lemma hoare_vcg_imp_lift_pre_add: - "\ \P and Q\ f \\rv s. R rv s\; f \\s. \ Q s\ \ \ \P\ f \\rv s. Q s \ R rv s\" + "\ \P and Q\ f \\rv s. Q' rv s\; f \\s. \ Q s\ \ \ \P\ f \\rv s. Q s \ Q' rv s\" apply (rule hoare_weaken_pre) apply (rule hoare_vcg_imp_lift') apply fastforce 
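Review bot: The fourth hypothesis of hoare_vcg_if_lift_strong now names its extra pre/postcondition pair `S'`/`S`, while the same role is named `P''`/`Q''` in hoare_weak_lift_imp_conj (`@@ -365` hunk), `T`/`T'` in handy_prop_divs (`@@ -421` hunk) and `S` in hoare_weaken_imp (Nondet_VCG `@@ -652` hunk). Since the rest of the diff moves the library to a P/P'/Q/Q' scheme, a third predicate pair should follow one rule everywhere, e.g. `S'`→`P''` and `S`→`Q''` here, so that `where P''=…` instantiations read the same across files. This is naming only; the proofs are unaffected.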
@@ -66,16 +66,17 @@ lemma hoare_pre_tautI: "\ \A and P\ a \B\; \A and not P\ a \B\ \ \ \A\ a \B\" by (fastforce simp: valid_def split_def pred_conj_def pred_neg_def) +\ \FIXME: swap P and Q in these rules?\ lemma hoare_lift_Pf_pre_conj: assumes P: "\x. \\s. Q x s\ m \P x\" - assumes f: "\P. \\s. P (g s) \ R s\ m \\_ s. P (f s)\" - shows "\\s. Q (g s) s \ R s\ m \\rv s. P (f s) rv s\" + assumes f: "\P. \\s. P (g s) \ P' s\ m \\_ s. P (f s)\" + shows "\\s. Q (g s) s \ P' s\ m \\rv s. P (f s) rv s\" apply (clarsimp simp: valid_def) apply (rule use_valid [OF _ P], simp) apply (rule use_valid [OF _ f], simp, simp) done -lemmas hoare_lift_Pf4 = hoare_lift_Pf_pre_conj[where R=\, simplified] +lemmas hoare_lift_Pf4 = hoare_lift_Pf_pre_conj[where P'=\, simplified] lemmas hoare_lift_Pf3 = hoare_lift_Pf4[where f=f and g=f for f] lemmas hoare_lift_Pf2 = hoare_lift_Pf3[where P="\f _. P f" for P] lemmas hoare_lift_Pf = hoare_lift_Pf2[where Q=P and P=P for P] @@ -85,13 +86,13 @@ lemmas hoare_lift_Pf2_pre_conj = hoare_lift_Pf3_pre_conj[where P="\f _. lemmas hoare_lift_Pf_pre_conj' = hoare_lift_Pf2_pre_conj[where Q=P and P=P for P] lemma hoare_if_r_and: - "\P\ f \\r. if R r then Q r else Q' r\ - = \P\ f \\r s. (R r \ Q r s) \ (\R r \ Q' r s)\" + "\P\ f \\r. if P' r then Q r else Q' r\ + = \P\ f \\r s. (P' r \ Q r s) \ (\P' r \ Q' r s)\" by (fastforce simp: valid_def) lemma hoare_convert_imp: - "\ \\s. \ P s\ f \\rv s. \ Q s\; \R\ f \S\ \ - \ \\s. P s \ R s\ f \\rv s. Q s \ S rv s\" + "\ \\s. \ P s\ f \\rv s. \ Q s\; \P'\ f \S\ \ + \ \\s. P s \ P' s\ f \\rv s. Q s \ S rv s\" apply (simp only: imp_conv_disj) apply (erule(1) hoare_vcg_disj_lift) done 
@@ -108,12 +109,6 @@ lemma hoare_case_option_wpR: \ \case_option P P' v\ f v \\rv. case v of None \ Q rv | Some x \ Q' x rv\,-" by (cases v) auto -lemma hoare_vcg_conj_liftE_R: - "\ \P\ f \P'\,-; \Q\ f \Q'\,- \ \ \P and Q\ f \\rv s. P' rv s \ Q' rv s\, -" - apply (simp add: validE_R_def validE_def valid_def split: sum.splits) - apply blast - done - lemma K_valid[wp]: "\K P\ f \\_. K P\" by (simp add: valid_def) @@ -133,18 +128,18 @@ lemma hoare_imp_eq_substR: by (fastforce simp add: valid_def validE_R_def validE_def split: sum.splits) lemma hoare_split_bind_case_sum: - assumes x: "\rv. \R rv\ g rv \Q\" - "\rv. \S rv\ h rv \Q\" - assumes y: "\P\ f \S\,\R\" + assumes x: "\rv. \E rv\ g rv \Q\" + "\rv. \Q' rv\ h rv \Q\" + assumes y: "\P\ f \Q'\,\E\" shows "\P\ f >>= case_sum g h \Q\" apply (rule bind_wp[OF _ y[unfolded validE_def]]) apply (wpsimp wp: x split: sum.splits) done lemma hoare_split_bind_case_sumE: - assumes x: "\rv. \R rv\ g rv \Q\,\E\" - "\rv. \S rv\ h rv \Q\,\E\" - assumes y: "\P\ f \S\,\R\" + assumes x: "\rv. \E' rv\ g rv \Q\,\E\" + "\rv. \Q' rv\ h rv \Q\,\E\" + assumes y: "\P\ f \Q'\,\E'\" shows "\P\ f >>= case_sum g h \Q\,\E\" apply (unfold validE_def) apply (rule bind_wp[OF _ y[unfolded validE_def]]) @@ -167,13 +162,13 @@ lemma select_inv: "\ P \ select S \ \r. P \" by wpsimp -lemmas return_inv = hoare_return_drop_var - -lemma assert_inv: "\P\ assert Q \\r. P\" +lemma assert_inv: + "\P\ assert Q \\r. P\" unfolding assert_def by (cases Q) simp+ -lemma assert_opt_inv: "\P\ assert_opt Q \\r. P\" +lemma assert_opt_inv: + "\P\ assert_opt Q \\r. P\" unfolding assert_opt_def by (cases Q) simp+ @@ -181,7 +176,7 @@ lemma case_options_weak_wp: "\ \P\ f \Q\; \x. \P'\ g x \Q\ \ \ \P and P'\ case opt of None \ f | Some x \ g x \Q\" apply (cases opt) apply (clarsimp elim!: hoare_weaken_pre) - apply (rule hoare_weaken_pre [where Q=P']) + apply (rule hoare_weaken_pre[where P'=P']) apply simp+ done 
@@ -217,19 +212,19 @@ lemma list_cases_weak_wp: lemmas hoare_FalseE_R = hoare_FalseE[where E="\\", folded validE_R_def] lemma hoare_vcg_if_lift2: - "\R\ f \\rv s. (P rv s \ X rv s) \ (\ P rv s \ Y rv s)\ \ - \R\ f \\rv s. if P rv s then X rv s else Y rv s\" + "\P\ f \\rv s. (Q rv s \ X rv s) \ (\ Q rv s \ Y rv s)\ \ + \P\ f \\rv s. if Q rv s then X rv s else Y rv s\" - "\R\ f \\rv s. (P' rv \ X rv s) \ (\ P' rv \ Y rv s)\ \ - \R\ f \\rv. if P' rv then X rv else Y rv\" + "\P\ f \\rv s. (Q' rv \ X rv s) \ (\ Q' rv \ Y rv s)\ \ + \P\ f \\rv. if Q' rv then X rv else Y rv\" by (auto simp: valid_def split_def) lemma hoare_vcg_if_lift_ER: (* Required because of lack of rv in lifting rules *) - "\R\ f \\rv s. (P rv s \ X rv s) \ (\ P rv s \ Y rv s)\, - \ - \R\ f \\rv s. if P rv s then X rv s else Y rv s\, -" + "\P\ f \\rv s. (Q rv s \ X rv s) \ (\ Q rv s \ Y rv s)\, - \ + \P\ f \\rv s. if Q rv s then X rv s else Y rv s\, -" - "\R\ f \\rv s. (P' rv \ X rv s) \ (\ P' rv \ Y rv s)\, - \ - \R\ f \\rv. if P' rv then X rv else Y rv\, -" + "\P\ f \\rv s. (Q' rv \ X rv s) \ (\ Q' rv \ Y rv s)\, - \ + \P\ f \\rv. if Q' rv then X rv else Y rv\, -" by (auto simp: valid_def validE_R_def validE_def split_def) lemma hoare_list_all_lift: @@ -365,8 +360,8 @@ lemma valid_return_unit: by (auto simp: valid_def in_bind in_return Ball_def) lemma hoare_weak_lift_imp_conj: - "\ \Q\ m \Q'\; \R\ m \R'\ \ - \ \\s. (P \ Q s) \ R s\ m \\rv s. (P \ Q' rv s) \ R' rv s\" + "\ \P'\ m \Q'\; \P''\ m \Q''\ \ + \ \\s. (P \ P' s) \ P'' s\ m \\rv s. (P \ Q' rv s) \ Q'' rv s\" apply (rule hoare_vcg_conj_lift) apply (rule hoare_weak_lift_imp) apply assumption+ @@ -378,7 +373,7 @@ lemma hoare_eq_P: by (rule assms) lemma hoare_validE_R_conj: - "\\P\ f \Q\, -; \P\ f \R\, -\ \ \P\ f \Q and R\, -" + "\\P\ f \Q\, -; \P\ f \Q'\, -\ \ \P\ f \Q and Q'\, -" by (simp add: valid_def validE_def validE_R_def Let_def split_def split: sum.splits) lemmas throwError_validE_R = throwError_wp [where E="\\", folded validE_R_def] 
@@ -421,9 +416,9 @@ lemma hoare_Ball_helper: lemma handy_prop_divs: assumes x: "\P. \\s. P (Q s) \ S s\ f \\rv s. P (Q' rv s)\" - "\P. \\s. P (R s) \ S s\ f \\rv s. P (R' rv s)\" - shows "\\s. P (Q s \ R s) \ S s\ f \\rv s. P (Q' rv s \ R' rv s)\" - "\\s. P (Q s \ R s) \ S s\ f \\rv s. P (Q' rv s \ R' rv s)\" + "\P. \\s. P (T s) \ S s\ f \\rv s. P (T' rv s)\" + shows "\\s. P (Q s \ T s) \ S s\ f \\rv s. P (Q' rv s \ T' rv s)\" + "\\s. P (Q s \ T s) \ S s\ f \\rv s. P (Q' rv s \ T' rv s)\" apply (clarsimp simp: valid_def elim!: subst[rotated, where P=P]) apply (rule use_valid [OF _ x(1)], assumption) 
@@ -517,36 +512,26 @@ lemma weaker_hoare_ifE: lemma wp_split_const_if: assumes x: "\P\ f \Q\" assumes y: "\P'\ f \Q'\" - shows "\\s. (G \ P s) \ (\ G \ P' s)\ f \\rv s. (G \ Q rv s) \ (\ G \ Q' rv s)\" - by (cases G; simp add: x y) + shows "\\s. (S \ P s) \ (\ S \ P' s)\ f \\rv s. (S \ Q rv s) \ (\ S \ Q' rv s)\" + by (cases S; simp add: x y) lemma wp_split_const_if_R: assumes x: "\P\ f \Q\,-" assumes y: "\P'\ f \Q'\,-" - shows "\\s. (G \ P s) \ (\ G \ P' s)\ f \\rv s. (G \ Q rv s) \ (\ G \ Q' rv s)\,-" - by (cases G; simp add: x y) + shows "\\s. (S \ P s) \ (\ S \ P' s)\ f \\rv s. (S \ Q rv s) \ (\ S \ Q' rv s)\,-" + by (cases S; simp add: x y) lemma hoare_disj_division: - "\ P \ Q; P \ \R\ f \S\; Q \ \T\ f \S\ \ - \ \\s. (P \ R s) \ (Q \ T s)\ f \S\" - apply safe - apply (rule hoare_pre_imp) - prefer 2 - apply simp - apply simp - apply (rule hoare_pre_imp) - prefer 2 - apply simp - apply simp - done + "\ P \ P'; P \ \S\ f \Q\; P' \ \T\ f \Q\ \ + \ \\s. (P \ S s) \ (P' \ T s)\ f \Q\" + by (fastforce intro: hoare_weaken_pre) lemma hoare_grab_asm: - "\ G \ \P\ f \Q\ \ \ \\s. G \ P s\ f \Q\" - by (cases G, simp+) + "\ P' \ \P\ f \Q\ \ \ \\s. P' \ P s\ f \Q\" + by (cases P', simp+) lemma hoare_grab_asm2: - "\P' \ \\s. P s \ R s\ f \Q\\ - \ \\s. P s \ P' \ R s\ f \Q\" + "\P' \ \\s. P s \ P'' s\ f \Q\\ \ \\s. P s \ P' \ P'' s\ f \Q\" by (fastforce simp: valid_def) lemma hoare_grab_exs: @@ -560,15 +545,6 @@ lemma hoare_prop_E: "\\rv. P\ f -,\\rv s unfolding validE_E_def by (rule hoare_pre, wp, simp) -lemma hoare_vcg_conj_lift_R: - "\ \P\ f \Q\,-; \R\ f \S\,- \ - \ \\s. P s \ R s\ f \\rv s. Q rv s \ S rv s\,-" - apply (simp add: validE_R_def validE_def) - apply (drule(1) hoare_vcg_conj_lift) - apply (erule hoare_strengthen_post) - apply (clarsimp split: sum.splits) - done - lemma hoare_walk_assmsE: assumes x: "\P\ f \\rv. P\" and y: "\s. P s \ Q s" and z: "\P\ g \\rv. Q\" shows "\P\ doE x \ f; g odE \\rv. Q\" 
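Review bot: wp_split_const_if and wp_split_const_if_R rename the Boolean guard `G` to `S`, but hoare_grab_asm in the same hunk renames its guard `G` to `P'`, hoare_if (Nondet_VCG `@@ -218` hunk) also uses `P'`, and hoare_pre_cases (`@@ -1252` hunk) uses `C` for its state-dependent condition. `S` is what this library already uses for sets (hoare_vcg_const_Ball_lift) and for postconditions (ifM_wp), so reusing it for a plain bool reads as a predicate. Keeping `G` for a plain Boolean guard, as the old statements did, would avoid the clash with the `P'` already used for the second precondition here and make `where` instantiations predictable.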
@@ -622,8 +598,8 @@ lemma weak_if_wp': by (auto simp add: valid_def split_def) lemma bindE_split_recursive_asm: - assumes x: "\x s'. \ (Inr x, s') \ fst (f s) \ \ \\s. B x s \ s = s'\ g x \C\, \E\" - shows "\A\ f \B\, \E\ \ \\st. A st \ st = s\ f >>=E g \C\, \E\" + assumes x: "\x s'. \ (Inr x, s') \ fst (f s) \ \ \\s. Q' x s \ s = s'\ g x \Q\,\E\" + shows "\P\ f \Q'\, \E\ \ \\st. P st \ st = s\ f >>=E g \Q\,\E\" apply (clarsimp simp: validE_def valid_def bindE_def in_bind lift_def) apply (erule allE, erule(1) impE) apply (drule(1) bspec, simp) @@ -708,7 +684,7 @@ lemma valid_pre_satisfies_post: by (clarsimp simp: valid_def) lemma validE_pre_satisfies_post: - "\ \s r' s'. P s \ Q r' s'; \s r' s'. P s \ R r' s' \ \ \ P \ m \ Q \,\ R \" + "\ \s r' s'. P s \ Q r' s'; \s r' s'. P s \ E r' s' \ \ \ P \ m \ Q \,\ E \" by (clarsimp simp: validE_def2 split: sum.splits) lemma hoare_validE_R_conjI: @@ -720,11 +696,11 @@ lemma hoare_validE_E_conjI: by (clarsimp simp: Ball_def validE_E_def validE_def valid_def split: sum.splits) lemma validE_R_post_conjD1: - "\P\ f \\r s. Q r s \ R r s\,- \ \P\ f \Q\,-" + "\P\ f \\r s. Q r s \ Q' r s\,- \ \P\ f \Q\,-" by (fastforce simp: validE_R_def validE_def valid_def split: sum.splits) lemma validE_R_post_conjD2: - "\P\ f \\r s. Q r s \ R r s\,- \ \P\ f \R\,-" + "\P\ f \\r s. Q r s \ Q' r s\,- \ \P\ f \Q'\,-" by (fastforce simp: validE_R_def validE_def valid_def split: sum.splits) lemma throw_opt_wp[wp]: @@ -735,10 +711,12 @@ lemma hoare_name_pre_state2: "(\s. \P and ((=) s)\ f \Q\) \ \P\ f \Q\" by (auto simp: valid_def intro: hoare_name_pre_state) -lemma returnOk_E': "\P\ returnOk r -,\E\" +lemma returnOk_E': + "\P\ returnOk r -,\E\" by wpsimp -lemma throwError_R': "\P\ throwError e \Q\,-" +lemma throwError_R': + "\P\ throwError e \Q\,-" by wpsimp end \ No newline at end of file diff --git a/lib/Monads/nondet/Nondet_VCG.thy b/lib/Monads/nondet/Nondet_VCG.thy index b6ff25d648..9e0a7199d7 100644 --- a/lib/Monads/nondet/Nondet_VCG.thy 
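Review bot: Nondet_More_VCG.thy still ends without a trailing newline — the `\ No newline at end of file` marker follows the unchanged `end` — and this commit already reformats the two lemmas immediately before it (returnOk_E', throwError_R'). Adding the newline in the same hunk would avoid a later whitespace-only diff against this file.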
+++ b/lib/Monads/nondet/Nondet_VCG.thy @@ -91,13 +91,13 @@ lemma validE_make_schematic_post: section \Pre Lemmas\ lemma hoare_pre_imp: - "\ \s. P s \ Q s; \Q\ a \R\ \ \ \P\ a \R\" + "\ \s. P s \ P' s; \P'\ f \Q\ \ \ \P\ f \Q\" by (fastforce simp: valid_def) lemmas hoare_weaken_pre = hoare_pre_imp[rotated] lemma hoare_weaken_preE: - "\ \Q\ f \R\,\E\; \s. P s \ Q s \ \ \P\ f \R\,\E\" + "\ \P'\ f \Q\,\E\; \s. P s \ P' s \ \ \P\ f \Q\,\E\" by (fastforce simp: validE_def2) lemma hoare_weaken_preE_R: @@ -202,11 +202,11 @@ lemmas wp_post_tautE_E = hoareE_E_TrueI[where P=\] lemmas wp_post_tauts[intro] = wp_post_taut wp_post_tautE wp_post_tautE_R wp_post_tautE_E lemma hoare_post_conj[intro]: - "\ \P\ f \Q\; \P\ f \R\ \ \ \P\ f \Q and R\" + "\ \P\ f \Q\; \P\ f \Q'\ \ \ \P\ f \Q and Q'\" by (fastforce simp: valid_def) lemma hoare_pre_disj[intro]: - "\ \P\ f \R\; \Q\ f \R\ \ \ \P or Q\ f \R\" + "\ \P\ f \Q\; \P'\ f \Q\ \ \ \P or P'\ f \Q\" by (simp add:valid_def pred_disj_def) lemma hoare_conj: 
@@ -218,46 +218,35 @@ lemma hoare_pre_cont[simp]: by (simp add:valid_def) lemma hoare_FalseE[simp]: - "\\\ f \Q\, \E\" + "\\\ f \Q\,\E\" by (simp add: valid_def validE_def) -\ \FIXME: remove?\ -lemma hoare_return_drop_var[iff]: +lemma return_inv[iff]: "\Q\ return x \\r. Q\" by (simp add: valid_def return_def) -\ \FIXME: remove?\ -lemma hoare_gets[intro]: - "\ \s. P s \ Q (f s) s \ \ \P\ gets f \Q\" - by (simp add:valid_def gets_def get_def bind_def return_def) - -\ \FIXME: remove?\ lemma hoare_modifyE_var: "\ \s. P s \ Q (f s) \ \ \P\ modify f \\_ s. Q s\" by(simp add: valid_def modify_def put_def get_def bind_def) -\ \FIXME: remove?\ lemma hoare_if: - "\ P \ \Q\ a \R\; \ P \ \Q\ b \R\ \ \ \Q\ if P then a else b \R\" + "\ P' \ \P\ f \Q\; \ P' \ \P\ g \Q\ \ \ \P\ if P' then f else g \Q\" by (simp add: valid_def) -\ \FIXME: remove?\ lemma hoare_pre_subst: - "\ A = B; \A\ a \C\ \ \ \B\ a \C\" + "\ P = P'; \P\ f \Q\ \ \ \P'\ f \Q\" by (erule subst) -\ \FIXME: remove?\ lemma hoare_post_subst: - "\ B = C; \A\ a \B\ \ \ \A\ a \C\" + "\ Q = Q'; \P\ f \Q\ \ \ \P\ f \Q'\" by (erule subst) -\ \FIXME: change R to Q and Q to Q'\ lemma hoare_post_imp: - "\ \rv s. Q rv s \ R rv s; \P\ a \Q\ \ \ \P\ a \R\" - by(fastforce simp:valid_def split_def) + "\ \rv s. Q' rv s \ Q rv s; \P\ f \Q'\ \ \ \P\ f \Q\" + by(fastforce simp: valid_def split_def) lemma hoare_post_impE: - "\ \rv s. Q rv s \ R rv s; \e s. E e s \ F e s; \P\ a \Q\,\E\ \ \ \P\ a \R\,\F\" + "\ \rv s. Q' rv s \ Q rv s; \e s. E' e s \ E e s; \P\ f \Q'\,\E'\ \ \ \P\ f \Q\,\E\" by(fastforce simp: validE_def2 split: sum.splits) lemmas hoare_strengthen_post = hoare_post_imp[rotated] 
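Review bot: Dropping hoare_gets removes a rule that carried the `[intro]` attribute, so downstream proofs that used it implicitly through `auto`, `blast` or `intro` lose it with no name to grep for, unlike hoare_return_drop_var, which survives as return_inv. Nothing in this diff shows a replacement; the removed `FIXME: remove?` marker only records that removal was being considered, and whether a wp rule for gets covers the same uses cannot be checked from here. Naming the replacement in the commit description, or keeping a transitional alias such as `lemmas hoare_gets = <replacement lemma>`, would make the removal traceable.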
@@ -269,48 +258,48 @@ lemma hoare_strengthen_postE_R: by (erule hoare_post_impE) lemma hoare_strengthen_postE_E: - "\ \P\ f -,\Q'\; \rv s. Q' rv s \ Q rv s \ \ \P\ f -,\Q\" + "\ \P\ f -,\E'\; \rv s. E' rv s \ E rv s \ \ \P\ f -,\E\" unfolding validE_E_def by (rule hoare_post_impE) lemma hoare_validE_cases: - "\ \P\ f \Q\, \\_ _. True\; \P\ f \\_ _. True\, \R\ \ \ \P\ f \Q\, \R\" + "\ \P\ f \Q\,\\_ _. True\; \P\ f \\_ _. True\,\E\ \ \ \P\ f \Q\,\E\" by (fastforce simp: validE_def valid_def split: sum.splits) -lemma hoare_post_imp_dc: - "\\P\ a \\_. Q\; \s. Q s \ R s\ \ \P\ a \\_. R\, \\_. R\" +lemma hoare_post_impE_dc: + "\\P\ f \\_. Q'\; \s. Q' s \ Q s\ \ \P\ f \\_. Q\, \\_. Q\" by (fastforce simp: validE_def valid_def split: sum.splits) -lemma hoare_post_imp_dc2: - "\\P\ a \\_. Q\; \s. Q s \ R s\ \ \P\ a \\_. R\, \\_. \\" +lemma hoare_post_impE_R_dc: + "\\P\ f \\_. Q'\; \s. Q' s \ Q s\ \ \P\ f \\_. Q\, \\_. \\" by (fastforce simp: validE_def valid_def split: sum.splits) -lemma hoare_post_imp_dc2E: - "\\P\ a \\_. Q\; \s. Q s \ R s\ \ \P\ a \\_. \\, \\_. R\" +lemma hoare_post_impE_E_dc: + "\\P\ f \\_. Q'\; \s. Q' s \ Q s\ \ \P\ f \\_. \\, \\_. Q\" by (fastforce simp: validE_def valid_def split: sum.splits) -lemma hoare_post_imp_dc2_actual: - "\P\ a \\_. R\ \ \P\ a \\_. R\, \\_. \\" - by (rule hoare_post_imp_dc2) +lemma hoare_post_impE_R_dc_actual: + "\P\ f \\_. Q\ \ \P\ f \\_. Q\, \\_. \\" + by (rule hoare_post_impE_R_dc) -lemma hoare_post_imp_dc2E_actual: - "\P\ a \\_. R\ \ \P\ a \\_. \\, \\_. R\" - by (rule hoare_post_imp_dc2E) +lemma hoare_post_impE_E_dc_actual: + "\P\ f \\_. Q\ \ \P\ f \\_. \\, \\_. Q\" + by (rule hoare_post_impE_E_dc) lemma hoare_conjD1: - "\P\ f \\rv. Q rv and R rv\ \ \P\ f \\rv. Q rv\" + "\P\ f \\rv. Q rv and Q' rv\ \ \P\ f \\rv. Q rv\" unfolding valid_def by auto lemma hoare_conjD2: - "\P\ f \\rv. Q rv and R rv\ \ \P\ f \\rv. R rv\" + "\P\ f \\rv. Q rv and Q' rv\ \ \P\ f \\rv. 
Q' rv\" unfolding valid_def by auto lemma hoare_post_disjI1: - "\P\ f \\rv. Q rv\ \ \P\ f \\rv. Q rv or R rv\" + "\P\ f \\rv. Q rv\ \ \P\ f \\rv. Q rv or Q' rv\" unfolding valid_def by auto lemma hoare_post_disjI2: - "\P\ f \\rv. R rv\ \ \P\ f \\rv. Q rv or R rv\" + "\P\ f \\rv. Q' rv\ \ \P\ f \\rv. Q rv or Q' rv\" unfolding valid_def by auto lemma use_valid: @@ -326,11 +315,11 @@ lemma use_valid_inv: using use_valid[where f=f, OF step pres[where N="\p. p = P s"]] by simp lemma use_validE_norm: - "\ (Inr r', s') \ fst (B s); \ P \ B \ Q \,\ E \; P s \ \ Q r' s'" + "\ (Inr r', s') \ fst (f s); \ P \ f \ Q \,\ E \; P s \ \ Q r' s'" unfolding validE_def valid_def by force lemma use_validE_except: - "\ (Inl r', s') \ fst (B s); \ P \ B \ Q \,\ E \; P s \ \ E r' s'" + "\ (Inl r', s') \ fst (f s); \ P \ f \ Q \,\ E \; P s \ \ E r' s'" unfolding validE_def valid_def by force lemma in_inv_by_hoareD: @@ -353,23 +342,23 @@ lemma hoare_gen_asm_lk: \ \Useful for forward reasoning, when P is known. The first version allows weakening the precondition.\ lemma hoare_gen_asm_spec': - "\ \s. P s \ S \ R s; S \ \R\ f \Q\ \ \ \P\ f \Q\" + "\ \s. P s \ S \ P' s; S \ \P'\ f \Q\ \ \ \P\ f \Q\" by (fastforce simp: valid_def) lemma hoare_gen_asm_spec: "\ \s. P s \ S; S \ \P\ f \Q\ \ \ \P\ f \Q\" - by (rule hoare_gen_asm_spec'[where S=S and R=P]) simp + by (rule hoare_gen_asm_spec'[where S=S and P'=P]) simp lemma hoare_conjI: - "\ \P\ f \Q\; \P\ f \R\ \ \ \P\ f \\r s. Q r s \ R r s\" + "\ \P\ f \Q\; \P\ f \Q'\ \ \ \P\ f \\r s. Q r s \ Q' r s\" unfolding valid_def by blast lemma hoare_disjI1: - "\ \P\ f \Q\ \ \ \P\ f \\rv s. Q rv s \ R rv s \" + "\ \P\ f \Q\ \ \ \P\ f \\rv s. Q rv s \ Q' rv s \" unfolding valid_def by blast lemma hoare_disjI2: - "\ \P\ f \R\ \ \ \P\ f \\rv s. Q rv s \ R rv s \" + "\ \P\ f \Q'\ \ \ \P\ f \\rv s. Q rv s \ Q' rv s \" unfolding valid_def by blast lemma hoare_assume_pre: 
@@ -377,7 +366,7 @@ lemma hoare_assume_pre: by (auto simp: valid_def) lemma hoare_assume_preE: - "(\s. P s \ \P\ f \Q\,\R\) \ \P\ f \Q\,\R\" + "(\s. P s \ \P\ f \Q\,\E\) \ \P\ f \Q\,\E\" by (auto simp: valid_def validE_def) lemma hoare_allI: @@ -393,7 +382,7 @@ lemma hoare_exI: by (simp add: valid_def) blast lemma hoare_impI: - "(R \ \P\ f \Q\) \ \P\ f \\rv s. R \ Q rv s\" + "(P' \ \P\ f \Q\) \ \P\ f \\rv s. P' \ Q rv s\" by (simp add: valid_def) blast lemma validE_impI: @@ -425,7 +414,7 @@ subsection \@{const valid} and @{const validE}, @{const validE_R}, @{const lemma valid_validE: "\P\ f \\_. Q\ \ \P\ f \\_. Q\, \\_. Q\" - by (rule hoare_post_imp_dc) + by (rule hoare_post_impE_dc) lemma valid_validE2: "\ \P\ f \\_. Q'\; \s. Q' s \ Q s; \s. Q' s \ E s \ \ \P\ f \\_. Q\, \\_. E\" 
@@ -486,33 +475,33 @@ lemma liftE_validE[simp]: subsection \Operator lifting/splitting\ lemma hoare_vcg_if_split: - "\ P \ \Q\ f \S\; \P \ \R\ g \S\ \ \ \\s. (P \ Q s) \ (\P \ R s)\ if P then f else g \S\" + "\ P \ \P'\ f \Q\; \P \ \P''\ g \Q\ \ \ \\s. (P \ P' s) \ (\P \ P'' s)\ if P then f else g \Q\" by simp lemma hoare_vcg_if_splitE: - "\ P \ \Q\ f \S\,\E\; \P \ \R\ g \S\,\E\ \ \ - \\s. (P \ Q s) \ (\P \ R s)\ if P then f else g \S\,\E\" + "\ P \ \P'\ f \Q\,\E\; \P \ \P''\ g \Q\,\E\ \ \ + \\s. (P \ P' s) \ (\P \ P'' s)\ if P then f else g \Q\,\E\" by simp lemma hoare_vcg_split_case_option: - "\ \x. x = None \ \P x\ f x \R x\; \x y. x = Some y \ \Q x y\ g x y \R x\ \ - \ \\s. (x = None \ P x s) \ (\y. x = Some y \ Q x y s)\ + "\ \x. x = None \ \P x\ f x \Q x\; \x y. x = Some y \ \P' x y\ g x y \Q x\ \ + \ \\s. (x = None \ P x s) \ (\y. x = Some y \ P' x y s)\ case x of None \ f x | Some y \ g x y - \R x\" + \Q x\" by (cases x; simp) lemma hoare_vcg_split_case_optionE: - "\ \x. x = None \ \P x\ f x \R x\,\E x\; \x y. x = Some y \ \Q x y\ g x y \R x\,\E x\ \ - \ \\s. (x = None \ P x s) \ (\y. x = Some y \ Q x y s)\ + "\ \x. x = None \ \P x\ f x \Q x\,\E x\; \x y. x = Some y \ \P' x y\ g x y \Q x\,\E x\ \ + \ \\s. (x = None \ P x s) \ (\y. x = Some y \ P' x y s)\ case x of None \ f x | Some y \ g x y - \R x\, \E x\" + \Q x\, \E x\" by (cases x; simp) lemma hoare_vcg_split_case_sum: - "\ \x a. x = Inl a \ \P x a\ f x a \R x\; \x b. x = Inr b \ \Q x b\ g x b \R x\ \ - \ \\s. (\a. x = Inl a \ P x a s) \ (\b. x = Inr b \ Q x b s)\ + "\ \x a. x = Inl a \ \P x a\ f x a \Q x\; \x b. x = Inr b \ \P' x b\ g x b \Q x\ \ + \ \\s. (\a. x = Inl a \ P x a s) \ (\b. x = Inr b \ P' x b s)\ case x of Inl a \ f x a | Inr b \ g x b - \R x\" + \Q x\" by (cases x; simp) lemma bind_wp_nobind: 
@@ -526,7 +515,7 @@ lemma bindE_wp_nobind: lemmas bind_wp_skip = bind_wp[where Q=Q and Q'=Q for Q] lemma hoare_chain: - "\ \P\ f \Q\; \s. R s \ P s; \rv s. Q rv s \ S rv s \ \ \R\ f \S\" + "\ \P'\ f \Q'\; \s. P s \ P' s; \rv s. Q' rv s \ Q rv s \ \ \P\ f \Q\" by (wp_pre, rule hoare_post_imp) lemma hoare_chainE: @@ -540,7 +529,7 @@ lemma hoare_vcg_conj_lift: by fastforce \ \A variant which works nicely with subgoals that do not contain schematics\ -lemmas hoare_vcg_conj_lift_pre_fix = hoare_vcg_conj_lift[where P=R and P'=R for R, simplified] +lemmas hoare_vcg_conj_lift_pre_fix = hoare_vcg_conj_lift[where P=P and P'=P for P, simplified] lemma hoare_vcg_conj_liftE1: "\ \P\ f \Q\,-; \P'\ f \Q'\,\E\ \ \ \P and P'\ f \\rv s. Q rv s \ Q' rv s\,\E\" @@ -581,13 +570,13 @@ lemma hoare_vcg_const_Ball_liftE: "\ \x. x \ S \ \P x\ f \Q x\,\E\; \\s. True\ f \\r s. True\, \E\ \ \ \\s. \x\S. P x s\ f \\rv s. \x\S. Q x rv s\,\E\" by (fastforce simp: validE_def valid_def split: sum.splits) -lemma hoare_vcg_const_Ball_lift_R: +lemma hoare_vcg_const_Ball_liftE_R: "\ \x. x \ S \ \P x\ f \Q x\,- \ \ \\s. \x \ S. P x s\ f \\rv s. \x \ S. Q x rv s\,-" unfolding validE_R_def validE_def by (rule hoare_strengthen_post) (fastforce intro!: hoare_vcg_const_Ball_lift split: sum.splits)+ -lemma hoare_vcg_const_Ball_lift_E_E: +lemma hoare_vcg_const_Ball_liftE_E: "(\x. x \ S \ \P x\ f -,\Q x\) \ \\s. \x \ S. P x s\ f -,\\rv s. \x \ S. Q x rv s\" unfolding validE_E_def validE_def valid_def by (fastforce split: sum.splits) 
@@ -602,11 +591,11 @@ lemma hoare_vcg_all_liftE: lemma hoare_vcg_all_liftE_R: "(\x. \P x\ f \Q x\, -) \ \\s. \x. P x s\ f \\rv s. \x. Q x rv s\, -" - by (rule hoare_vcg_const_Ball_lift_R[where S=UNIV, simplified]) + by (rule hoare_vcg_const_Ball_liftE_R[where S=UNIV, simplified]) lemma hoare_vcg_all_liftE_E: - "(\x. \P x\ f -, \Q x\) \ \\s. \x. P x s\ f -,\\rv s. \x. Q x rv s\" - by (rule hoare_vcg_const_Ball_lift_E_E[where S=UNIV, simplified]) + "(\x. \P x\ f -, \E x\) \ \\s. \x. P x s\ f -,\\rv s. \x. E x rv s\" + by (rule hoare_vcg_const_Ball_liftE_E[where S=UNIV, simplified]) lemma hoare_vcg_imp_lift: "\ \P'\ f \\rv s. \ P rv s\; \Q'\ f \Q\ \ \ \\s. P' s \ Q' s\ f \\rv s. P rv s \ Q rv s\" @@ -626,11 +615,11 @@ lemma hoare_vcg_imp_liftE': \ \\s. \ P' s \ Q' s\ f \\rv s. P rv s \ Q rv s\, \E\" by (fastforce simp: validE_def valid_def split: sum.splits) -lemma hoare_vcg_imp_lift_R: +lemma hoare_vcg_imp_liftE_R: "\ \P'\ f \\rv s. \ P rv s\, -; \Q'\ f \Q\, - \ \ \\s. P' s \ Q' s\ f \\rv s. P rv s \ Q rv s\, -" by (auto simp add: valid_def validE_R_def validE_def split_def split: sum.splits) -lemma hoare_vcg_imp_lift_R': +lemma hoare_vcg_imp_liftE_R': "\ \P'\ f \\rv s. \ P rv s\, -; \Q'\ f \Q\, - \ \ \\s. \P' s \ Q' s\ f \\rv s. P rv s \ Q rv s\, -" by (auto simp add: valid_def validE_R_def validE_def split_def split: sum.splits) 
@@ -652,24 +641,24 @@ lemma hoare_vcg_imp_conj_lift[wp_comb]: lemmas hoare_vcg_imp_conj_lift'[wp_unsafe] = hoare_vcg_imp_conj_lift[where Q'''="\\", simplified] lemma hoare_absorb_imp: - "\ P \ f \\rv s. Q rv s \ R rv s\ \ \ P \ f \\rv s. Q rv s \ R rv s\" + "\ P \ f \\rv s. Q rv s \ Q' rv s\ \ \ P \ f \\rv s. Q rv s \ Q' rv s\" by (erule hoare_post_imp[rotated], blast) lemma hoare_weaken_imp: - "\ \rv s. Q rv s \ Q' rv s ; \P\ f \\rv s. Q' rv s \ R rv s\ \ - \ \P\ f \\rv s. Q rv s \ R rv s\" + "\ \rv s. Q rv s \ Q' rv s ; \P\ f \\rv s. Q' rv s \ S rv s\ \ + \ \P\ f \\rv s. Q rv s \ S rv s\" by (clarsimp simp: valid_def split_def) lemma hoare_vcg_const_imp_lift: - "\ P \ \Q\ m \R\ \ \ \\s. P \ Q s\ m \\rv s. P \ R rv s\" + "\ P \ \P'\ m \Q\ \ \ \\s. P \ P' s\ m \\rv s. P \ Q rv s\" by (cases P, simp_all add: hoare_vcg_prop) -lemma hoare_vcg_const_imp_lift_E: - "(P \ \Q\ f -, \R\) \ \\s. P \ Q s\ f -, \\rv s. P \ R rv s\" +lemma hoare_vcg_const_imp_liftE_E: + "(P \ \P'\ f -, \E\) \ \\s. P \ P' s\ f -, \\rv s. P \ E rv s\" by (fastforce simp: validE_E_def validE_def valid_def split_def split: sum.splits) -lemma hoare_vcg_const_imp_lift_R: - "(P \ \Q\ m \R\,-) \ \\s. P \ Q s\ m \\rv s. P \ R rv s\,-" +lemma hoare_vcg_const_imp_liftE_R: + "(P \ \P'\ m \Q\,-) \ \\s. P \ P' s\ m \\rv s. P \ Q rv s\,-" by (fastforce simp: validE_R_def validE_def valid_def split_def split: sum.splits) lemma hoare_weak_lift_imp: @@ -677,11 +666,11 @@ lemma hoare_weak_lift_imp: by (auto simp add: valid_def split_def) lemma hoare_weak_lift_impE: - "\Q\ m \R\,\E\ \ \\s. P \ Q s\ m \\rv s. P \ R rv s\,\\rv s. P \ E rv s\" + "\P'\ m \Q\,\E\ \ \\s. P \ P' s\ m \\rv s. P \ Q rv s\,\\rv s. P \ E rv s\" by (cases P; simp add: validE_def hoare_vcg_prop) -lemma hoare_weak_lift_imp_R: - "\Q\ m \R\,- \ \\s. P \ Q s\ m \\rv s. P \ R rv s\,-" +lemma hoare_weak_lift_impE_R: + "\P'\ m \Q\,- \ \\s. P \ P' s\ m \\rv s. P \ Q rv s\,-" by (cases P; wpsimp wp: wp_post_tautE_R) lemma hoare_vcg_ex_lift: 
@@ -712,25 +701,31 @@ lemma hoare_liftP_ext: done (* for instantiations *) -lemma hoare_triv: "\P\f\Q\ \ \P\f\Q\" . +lemma hoare_triv: "\P\ f \Q\ \ \P\ f \Q\" . lemma hoare_trivE: "\P\ f \Q\,\E\ \ \P\ f \Q\,\E\" . lemma hoare_trivE_R: "\P\ f \Q\,- \ \P\ f \Q\,-" . lemma hoare_trivR_R: "\P\ f -,\E\ \ \P\ f -,\E\" . -lemma hoare_vcg_E_conj: +lemma hoare_vcg_conj_liftE_E: "\ \P\ f -,\E\; \P'\ f \Q'\,\E'\ \ \ \\s. P s \ P' s\ f \Q'\, \\rv s. E rv s \ E' rv s\" unfolding validE_def validE_E_def by (rule hoare_post_imp[OF _ hoare_vcg_conj_lift]; simp split: sum.splits) -lemma hoare_vcg_E_elim: +lemma hoare_vcg_conj_elimE: "\ \P\ f -,\E\; \P'\ f \Q\,- \ \ \\s. P s \ P' s\ f \Q\,\E\" - by (rule hoare_strengthen_postE[OF hoare_vcg_E_conj]) (simp add: validE_R_def)+ + by (rule hoare_strengthen_postE[OF hoare_vcg_conj_liftE_E]) (simp add: validE_R_def)+ -lemma hoare_vcg_R_conj: +lemma hoare_vcg_conj_liftE_R: "\ \P\ f \Q\,-; \P'\ f \Q'\,- \ \ \\s. P s \ P' s\ f \\rv s. Q rv s \ Q' rv s\,-" unfolding validE_R_def validE_def by (rule hoare_post_imp[OF _ hoare_vcg_conj_lift]; simp split: sum.splits) +lemma hoare_vcg_conj_liftE_R': + "\ \P\ f \Q\,-; \P'\ f \Q'\,- \ \ \P and P'\ f \\rv s. Q rv s \ Q' rv s\, -" + apply (simp add: validE_R_def validE_def valid_def split: sum.splits) + apply blast + done + lemma hoare_lift_Pf_E_R: "\ \x. \P x\ m \\_. P x\, -; \P. \\s. P (f s)\ m \\_ s. P (f s)\, - \ \ \\s. P (f s) s\ m \\_ s. P (f s) s\, -" 
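Review bot: The name hoare_vcg_conj_liftE_R now denotes the former hoare_vcg_R_conj, whose precondition is `λs. P s ∧ P' s`, while the lemma that previously bore that name (removed from Nondet_More_VCG in its `@@ -108` hunk) stated it as `P and Q` and survives here as hoare_vcg_conj_liftE_R'. A proof elsewhere that applied the old hoare_vcg_conj_liftE_R by name will still find a lemma but obtain a differently shaped precondition, which matters when `wp` or `simp` later matches on `and`; this diff does not show the callers, so I cannot confirm whether any exist. A comment on the primed variant would make the distinction explicit, e.g. `\<comment> \<open>As hoare_vcg_conj_liftE_R, but with the precondition written as P and P'\<close>`.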
@@ -746,11 +741,11 @@ lemma hoare_post_comb_imp_conj: by (wpsimp wp: hoare_vcg_conj_lift) lemma hoare_vcg_if_lift: - "\R\ f \\rv s. (P \ X rv s) \ (\P \ Y rv s)\ \ - \R\ f \\rv s. if P then X rv s else Y rv s\" + "\P\ f \\rv s. (P' \ X rv s) \ (\P' \ Y rv s)\ \ + \P\ f \\rv s. if P' then X rv s else Y rv s\" - "\R\ f \\rv s. (P \ X rv s) \ (\P \ Y rv s)\ \ - \R\ f \\rv. if P then X rv else Y rv\" + "\P\ f \\rv s. (P' \ X rv s) \ (\P' \ Y rv s)\ \ + \P\ f \\rv. if P' then X rv else Y rv\" by (auto simp: valid_def split_def) lemma hoare_vcg_split_lift[wp]: @@ -760,8 +755,8 @@ lemma hoare_vcg_split_lift[wp]: named_theorems hoare_vcg_op_lift lemmas [hoare_vcg_op_lift] = hoare_vcg_const_imp_lift - hoare_vcg_const_imp_lift_E - hoare_vcg_const_imp_lift_R + hoare_vcg_const_imp_liftE_E + hoare_vcg_const_imp_liftE_R (* leaving out hoare_vcg_conj_lift*, because that is built into wp *) hoare_vcg_disj_lift hoare_vcg_disj_lift_R @@ -774,13 +769,13 @@ lemmas [hoare_vcg_op_lift] = hoare_vcg_all_liftE_R hoare_vcg_const_Ball_lift hoare_vcg_const_Ball_liftE - hoare_vcg_const_Ball_lift_R - hoare_vcg_const_Ball_lift_E_E + hoare_vcg_const_Ball_liftE_R + hoare_vcg_const_Ball_liftE_E hoare_vcg_split_lift hoare_vcg_if_lift hoare_vcg_imp_lift' hoare_vcg_imp_liftE' - hoare_vcg_imp_lift_R' + hoare_vcg_imp_liftE_R' hoare_vcg_imp_liftE_E' @@ -867,8 +862,8 @@ lemma list_cases_wp: by (cases ts, auto simp: a b) lemma hoare_vcg_handle_elseE: - "\ \P\ f \Q\,\E\; \e. \E e\ g e \R\,\F\; \x. \Q x\ h x \R\,\F\ \ \ - \P\ f g h \R\,\F\" + "\ \P\ f \Q'\,\E'\; \e. \E' e\ g e \Q\,\E\; \x. \Q' x\ h x \Q\,\E\ \ \ + \P\ f g h \Q\,\E\" unfolding handle_elseE_def validE_def by (wpsimp wp: bind_wp_fwd | assumption | rule conjI)+ 
@@ -911,11 +906,11 @@ lemma state_select_wp: by (wpsimp wp: put_wp select_wp return_wp get_wp assert_wp) lemma condition_wp: - "\ \Q\ A \P\; \R\ B \P\ \ \ \\s. if C s then Q s else R s\ condition C A B \P\" + "\ \P\ f \Q\; \P'\ g \Q\ \ \ \\s. if C s then P s else P' s\ condition C f g \Q\" by (clarsimp simp: condition_def valid_def) lemma conditionE_wp: - "\ \P\ A \Q\,\R\; \P'\ B \Q\,\R\ \ \ \\s. if C s then P s else P' s\ condition C A B \Q\,\R\" + "\ \P\ f \Q\,\E\; \P'\ g \Q\,\E\ \ \ \\s. if C s then P s else P' s\ condition C f g \Q\,\E\" by (clarsimp simp: condition_def validE_def valid_def) lemma state_assert_wp: @@ -924,19 +919,19 @@ lemma state_assert_wp: by (wp bind_wp_fwd get_wp assert_wp) lemma when_wp[wp_split]: - "\ P \ \Q\ f \R\ \ \ \if P then Q else R ()\ when P f \R\" + "\ P \ \P'\ f \Q\ \ \ \if P then P' else Q ()\ when P f \Q\" by (clarsimp simp: when_def valid_def return_def) lemma unless_wp[wp_split]: - "(\P \ \Q\ f \R\) \ \if P then R () else Q\ unless P f \R\" + "(\P \ \P'\ f \Q\) \ \if P then Q () else P'\ unless P f \Q\" unfolding unless_def by wp auto lemma whenE_wp: - "(P \ \Q\ f \R\, \E\) \ \if P then Q else R ()\ whenE P f \R\, \E\" + "(P \ \P'\ f \Q\,\E\) \ \if P then P' else Q ()\ whenE P f \Q\,\E\" unfolding whenE_def by clarsimp (wp returnOk_wp) lemma unlessE_wp: - "(\ P \ \Q\ f \R\, \E\) \ \if P then R () else Q\ unlessE P f \R\, \E\" + "(\ P \ \P'\ f \Q\,\E\) \ \if P then Q () else P'\ unlessE P f \Q\,\E\" unfolding unlessE_def by (wpsimp wp: returnOk_wp) @@ -950,8 +945,8 @@ lemma notM_wp: unfolding notM_def by (wpsimp wp: return_wp) lemma ifM_wp: - assumes [wp]: "\Q\ f \S\" "\R\ g \S\" - assumes [wp]: "\A\ P \\c s. c \ Q s\" "\B\ P \\c s. \c \ R s\" + assumes [wp]: "\Q\ f \S\" "\Q'\ g \S\" + assumes [wp]: "\A\ P \\c s. c \ Q s\" "\B\ P \\c s. \c \ Q' s\" shows "\A and B\ ifM P f g \S\" unfolding ifM_def by (wpsimp wp: hoare_vcg_if_split hoare_vcg_conj_lift) 
@@ -1072,15 +1067,16 @@ lemmas hoare_wp_combs = hoare_vcg_conj_lift lemmas hoare_wp_combsE = validE_validE_R - hoare_vcg_R_conj - hoare_vcg_E_elim - hoare_vcg_E_conj + validE_validE_E + hoare_vcg_conj_liftE_R + hoare_vcg_conj_elimE + hoare_vcg_conj_liftE_E lemmas hoare_wp_state_combsE = valid_validE_R - hoare_vcg_R_conj[OF valid_validE_R] - hoare_vcg_E_elim[OF valid_validE_E] - hoare_vcg_E_conj[OF valid_validE_E] + hoare_vcg_conj_liftE_R[OF valid_validE_R] + hoare_vcg_conj_elimE[OF valid_validE_E] + hoare_vcg_conj_liftE_E[OF valid_validE_E] lemmas hoare_classic_wp_combs = hoare_post_comb_imp_conj hoare_weaken_pre hoare_wp_combs lemmas hoare_classic_wp_combsE = hoare_weaken_preE hoare_weaken_preE_R hoare_wp_combsE @@ -1153,9 +1149,9 @@ lemmas [wp] = wp_post_tauts lemmas [wp_trip] = valid_is_triple validE_is_triple validE_E_is_triple validE_R_is_triple lemmas validE_E_combs[wp_comb] = - hoare_vcg_E_conj[where Q'="\\", folded validE_E_def] + hoare_vcg_conj_liftE_E[where Q'="\\", folded validE_E_def] valid_validE_E - hoare_vcg_E_conj[where Q'="\\", folded validE_E_def, OF valid_validE_E] + hoare_vcg_conj_liftE_E[where Q'="\\", folded validE_E_def, OF valid_validE_E] subsection \Simplifications on conjunction\ @@ -1252,7 +1248,7 @@ bundle classic_wp_pre = hoare_pre [wp_pre del] text \Miscellaneous lemmas on hoare triples\ lemma hoare_pre_cases: - "\ \\s. R s \ P s\ f \Q\; \\s. \R s \ P' s\ f \Q\ \ \ \P and P'\ f \Q\" + "\ \\s. C s \ P s\ f \Q\; \\s. \C s \ P' s\ f \Q\ \ \ \P and P'\ f \Q\" unfolding valid_def by fastforce lemma hoare_vcg_mp: @@ -1286,7 +1282,7 @@ lemma hoare_use_eq: assumes "\P. \\s. P (f s)\ m \\_ s. P (f s)\" assumes "\f. \\s. P f s\ m \\_ s. Q f s\" shows "\\s. P (f s) s\ m \\_ s. Q (f s) s \" - apply (rule hoare_post_imp[where Q="\_ s. \y. y = f s \ Q y s"], simp) + apply (rule hoare_post_imp[where Q'="\_ s. \y. y = f s \ Q y s"], simp) apply (wpsimp wp: hoare_vcg_ex_lift assms) done 
@@ -1299,39 +1295,37 @@ lemma hoare_failE[simp]: by wp lemma hoare_validE_pred_conj: - "\ \P\ f \Q\, \E\; \P\ f \R\, \E\ \ \ \P\ f \Q and R\, \E\" + "\ \P\ f \Q\,\E\; \P\ f \Q'\,\E\ \ \ \P\ f \Q and Q'\,\E\" unfolding valid_def validE_def by (simp add: split_def split: sum.splits) lemma hoare_validE_conj: - "\ \P\ f \Q\, \E\; \P\ f \R\, \E\ \ \ \P\ f \\rv s. Q rv s \ R rv s\, \E\" + "\ \P\ f \Q\,\E\; \P\ f \Q'\,\E\ \ \ \P\ f \\rv s. Q rv s \ Q' rv s\,\E\" unfolding valid_def validE_def by (simp add: split_def split: sum.splits) -lemmas hoare_valid_validE = valid_validE (* FIXME lib: eliminate one *) - -declare validE_validE_E[wp_comb] - lemmas if_validE_E[wp_split] = validE_validE_E[OF hoare_vcg_if_splitE[OF validE_E_validE validE_E_validE]] lemma hoare_drop_imp: - "\P\ f \Q\ \ \P\ f \\rv s. R rv s \ Q rv s\" + "\P\ f \Q\ \ \P\ f \\rv s. Q' rv s \ Q rv s\" by (auto simp: valid_def) lemma hoare_drop_impE: - "\\P\ f \\r. Q\, \E\\ \ \P\ f \\rv s. R rv s \ Q s\, \E\" + "\\P\ f \Q\, \E\\ \ \P\ f \\rv s. Q' rv s \ Q rv s\, \E\" by (simp add: hoare_chainE) lemma hoare_drop_impE_R: - "\P\ f \Q\,- \ \P\ f \\rv s. R rv s \ Q rv s\, -" + "\P\ f \Q\,- \ \P\ f \\rv s. Q' rv s \ Q rv s\, -" by (auto simp: validE_R_def validE_def valid_def split_def split: sum.splits) +(*Q is used instead of E so that hoare_drop_imps can be instantiated, which requires that all of its + thms have the same variables.*) lemma hoare_drop_impE_E: - "\P\ f -,\Q\ \ \P\ f -, \\rv s. R rv s \ Q rv s\" + "\P\ f -,\Q\ \ \P\ f -, \\rv s. Q' rv s \ Q rv s\" by (auto simp: validE_E_def validE_def valid_def split_def split: sum.splits) -lemmas hoare_drop_imps = hoare_drop_imp hoare_drop_impE_R hoare_drop_impE_E +lemmas hoare_drop_imps = hoare_drop_imp hoare_drop_impE hoare_drop_impE_R hoare_drop_impE_E (*This is unsafe, but can be very useful when supplied as a comb rule.*) lemma hoare_drop_imp_conj[wp_unsafe]: 
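Review bot: The comment added above `hoare_drop_impE_E` overstates the requirement: `hoare_drop_impE`, which this hunk also adds to `hoare_drop_imps`, still carries an `E` variable that the other three members lack, so the members do not "have the same variables"; what `hoare_drop_imps[where Q'=…]` actually needs is that the instantiated variable occurs in every member. Suggest `(* The error post is named Q rather than E so that Q' (and Q) occur in every member of hoare_drop_imps, which a [where ...] instantiation of the collection requires. *)`, which also adds the missing space after `(*` used by the other comments in these files. Relocating `validE_validE_E` from the removed `declare ...[wp_comb]` into `hoare_wp_combsE` (the `@@ -1072` hunk) changes its position relative to the other comb rules; if wp tries comb rules in declaration order, it is worth confirming that no proof depended on the old precedence.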
diff --git a/lib/Monads/nondet/Nondet_While_Loop_Rules.thy b/lib/Monads/nondet/Nondet_While_Loop_Rules.thy index 8cd774ab7d..84a9ede9e1 100644 --- a/lib/Monads/nondet/Nondet_While_Loop_Rules.thy +++ b/lib/Monads/nondet/Nondet_While_Loop_Rules.thy @@ -867,6 +867,6 @@ lemma whileM_inv: by (fastforce intro: whileM_wp_gen) lemmas whileM_post_inv - = hoare_strengthen_post[where R="\_. Q" for Q, OF whileM_inv[where P=C for C], rotated -1] + = hoare_strengthen_post[where Q'="\_. Q" for Q, OF whileM_inv[where P=C for C], rotated -1] end diff --git a/lib/Monads/trace/Trace_More_RG.thy b/lib/Monads/trace/Trace_More_RG.thy index e868b46f05..d75e92433e 100644 --- a/lib/Monads/trace/Trace_More_RG.thy +++ b/lib/Monads/trace/Trace_More_RG.thy @@ -19,11 +19,11 @@ lemma rg_take_disjunct: by (erule rg_strengthen_post, simp) lemma rg_post_add: - "\P\,\R\ S \G\,\\r s0 s. Q' r s0 s \ Q r s0 s\ \ \P\,\R\ S \G\,\Q\" + "\P\,\R\ f \G\,\\r s0 s. Q' r s0 s \ Q r s0 s\ \ \P\,\R\ f \G\,\Q\" by (erule rg_strengthen_post, simp) lemma rg_post_addE: - "\P\,\R\ f \G\,\\_ s0 s. R s0 s \ Q s0 s\,\T\ \ \P\,\R\ f \G\,\\_ s0 s. Q s0 s\,\T\" + "\P\,\R\ f \G\,\\_ s0 s. R s0 s \ Q s0 s\,\E\ \ \P\,\R\ f \G\,\\_ s0 s. Q s0 s\,\E\" by (erule rg_strengthen_postE; simp) lemma rg_pre_add: @@ -32,7 +32,7 @@ lemma rg_pre_add: by(intro conjI impI; rule rg_weaken_pre, assumption, clarsimp) lemma rg_pre_addE: - "(\s0 s. P s0 s \ R s0 s) \ \P\,\R\ f \G\,\Q\,\S\ \ \P and R\,\R\ f \G\,\Q\,\S\" + "(\s0 s. P s0 s \ R s0 s) \ \P\,\R\ f \G\,\Q\,\E\ \ \P and R\,\R\ f \G\,\Q\,\E\" apply (subst iff_conv_conj_imp) by(intro conjI impI; rule rg_weaken_preE, assumption, clarsimp) 
@@ -85,8 +85,8 @@ lemmas rg_lift_Pf2_pre_conj = rg_lift_Pf3_pre_conj[where P="\f _. P f" f lemmas rg_lift_Pf_pre_conj' = rg_lift_Pf2_pre_conj[where Q=P and P=P for P] lemma rg_if_r_and: - "\P\,\R'\ f \G\,\\r. if R r then Q r else Q' r\ - = \P\,\R'\ f \G\,\\r s0 s. (R r \ Q r s0 s) \ (\R r \ Q' r s0 s)\" + "\P\,\R\ f \G\,\\r. if P' r then Q r else Q' r\ + = \P\,\R\ f \G\,\\r s0 s. (P' r \ Q r s0 s) \ (\P' r \ Q' r s0 s)\" by (fastforce simp: validI_def) lemma rg_convert_imp: @@ -117,8 +117,8 @@ lemma rg_imp_eq_substR: lemma rg_split_bind_case_sum: assumes x: "\rv. \E rv\,\R\ g rv \G\,\Q\" - "\rv. \S rv\,\R\ h rv \G\,\Q\" - assumes y: "\P\,\R\ f \G\,\S\,\E\" + "\rv. \Q' rv\,\R\ h rv \G\,\Q\" + assumes y: "\P\,\R\ f \G\,\Q'\,\E\" shows "\P\,\R\ f >>= case_sum g h \G\,\Q\" apply (rule bind_twp[OF _ y[unfolded validIE_def]]) apply (wpsimp wp: x split: sum.splits) @@ -324,8 +324,8 @@ lemma opt_return_pres_lift_rg: by (wpsimp wp: x) lemma rg_weak_lift_imp_conj: - "\ \Q\,\R\ m -,\Q'\; \R\,\R\ m -,\R'\; \S\,\R\ m \G\,\\\\\ \ - \ \\s0 s. (P \ Q s0 s) \ R s0 s \ S s0 s\,\R\ m \G\,\\rv s0 s. (P \ Q' rv s0 s) \ R' rv s0 s\" + "\ \P'\,\R\ m -,\Q'\; \P''\,\R\ m -,\Q''\; \S\,\R\ m \G\,\\\\\ \ + \ \\s0 s. (P \ P' s0 s) \ P'' s0 s \ S s0 s\,\R\ m \G\,\\rv s0 s. (P \ Q' rv s0 s) \ Q'' rv s0 s\" apply wp_pre apply (rule rg_vcg_conj_lift) apply (rule rg_weak_lift_imp; assumption) 
@@ -379,9 +379,9 @@ lemma rg_Ball_helper: lemma handy_prop_divs_rg: assumes x: "\P. \\s0 s. P (Q s0 s) \ S s0 s\,\R\ f -,\\rv s0 s. P (Q' rv s0 s)\" - "\P. \\s0 s. P (R s0 s) \ S s0 s\,\R\ f -,\\rv s0 s. P (R' rv s0 s)\" - shows "\\s0 s. P (Q s0 s \ R s0 s) \ S s0 s\,\R\ f -,\\rv s0 s. P (Q' rv s0 s \ R' rv s0 s)\" - "\\s0 s. P (Q s0 s \ R s0 s) \ S s0 s\,\R\ f -,\\rv s0 s. P (Q' rv s0 s \ R' rv s0 s)\" + "\P. \\s0 s. P (T s0 s) \ S s0 s\,\R\ f -,\\rv s0 s. P (T' rv s0 s)\" + shows "\\s0 s. P (Q s0 s \ T s0 s) \ S s0 s\,\R\ f -,\\rv s0 s. P (Q' rv s0 s \ T' rv s0 s)\" + "\\s0 s. P (Q s0 s \ T s0 s) \ S s0 s\,\R\ f -,\\rv s0 s. P (Q' rv s0 s \ T' rv s0 s)\" apply (clarsimp simp: validI_def validI_prefix_closed[OF x(1)] elim!: subst[rotated, where P=P]) apply (rule use_validI [OF _ x(1)], assumption) @@ -481,8 +481,8 @@ lemma twp_split_const_ifE_R: by (cases S, simp_all add: x y) lemma rg_disj_division: - "\ P \ Q; P \ \R\,\R\ f \G\,\S\; Q \ \T\,\R\ f \G\,\S\ \ - \ \\s0 s. (P \ R s0 s) \ (Q \ T s0 s)\,\R\ f \G\,\S\" + "\ P \ P'; P \ \S\,\R\ f \G\,\Q\; P' \ \T\,\R\ f \G\,\Q\ \ + \ \\s0 s. (P \ S s0 s) \ (P' \ T s0 s)\,\R\ f \G\,\Q\" by (fastforce intro: rg_weaken_pre) lemma rg_grab_asm: diff --git a/lib/Monads/trace/Trace_More_VCG.thy b/lib/Monads/trace/Trace_More_VCG.thy index 425738765d..b3f0fa9992 100644 --- a/lib/Monads/trace/Trace_More_VCG.thy +++ b/lib/Monads/trace/Trace_More_VCG.thy 
@@ -20,20 +20,20 @@ lemma hoare_take_disjunct: by (erule hoare_strengthen_post, simp) lemma hoare_post_add: - "\P\ S \\r s. R r s \ Q r s\ \ \P\ S \Q\" + "\P\ f \\r s. Q' r s \ Q r s\ \ \P\ f \Q\" by (erule hoare_strengthen_post, simp) lemma hoare_post_addE: - "\P\ f \\_ s. R s \ Q s\, \T\ \ \P\ f \\_ s. Q s\, \T\" + "\P\ f \\_ s. Q' s \ Q s\,\E\ \ \P\ f \\_ s. Q s\,\E\" by (erule hoare_strengthen_postE; simp) lemma hoare_pre_add: - "(\s. P s \ R s) \ (\P\ f \Q\ \ \P and R\ f \Q\)" + "(\s. P s \ P' s) \ \P\ f \Q\ \ \P and P'\ f \Q\" apply (subst iff_conv_conj_imp) by(intro conjI impI; rule hoare_weaken_pre, assumption, clarsimp) lemma hoare_pre_addE: - "(\s. P s \ R s) \ (\P\ f \Q\, \S\ \ \P and R\ f \Q\, \S\)" + "(\s. P s \ P' s) \ \P\ f \Q\,\E\ \ \P and P'\ f \Q\,\E\" apply (subst iff_conv_conj_imp) by(intro conjI impI; rule hoare_weaken_preE, assumption, clarsimp) @@ -46,15 +46,15 @@ lemma hoare_name_pre_stateE: by (clarsimp simp: validE_def2) lemma hoare_vcg_if_lift_strong: - "\ \P'\ f \P\; \\s. \ P' s\ f \\rv s. \ P rv s\; \Q'\ f \Q\; \R'\ f \R\ \ \ - \\s. if P' s then Q' s else R' s\ f \\rv s. if P rv s then Q rv s else R rv s\" + "\ \P'\ f \P\; \\s. \ P' s\ f \\rv s. \ P rv s\; \Q'\ f \Q\; \S'\ f \S\ \ \ + \\s. if P' s then Q' s else S' s\ f \\rv s. if P rv s then Q rv s else S rv s\" - "\ \P'\ f \P\; \\s. \ P' s\ f \\rv s. \ P rv s\; \Q'\ f \ Q\; \R'\ f \R\ \ \ - \\s. if P' s then Q' s else R' s\ f \\rv s. (if P rv s then Q rv else R rv) s\" + "\ \P'\ f \P\; \\s. \ P' s\ f \\rv s. \ P rv s\; \Q'\ f \ Q\; \S'\ f \S\ \ \ + \\s. if P' s then Q' s else S' s\ f \\rv s. (if P rv s then Q rv else S rv) s\" by (wpsimp wp: hoare_vcg_imp_lift' | assumption | fastforce)+ lemma hoare_vcg_imp_lift_pre_add: - "\ \P and Q\ f \\rv s. R rv s\; f \\s. \ Q s\ \ \ \P\ f \\rv s. Q s \ R rv s\" + "\ \P and Q\ f \\rv s. Q' rv s\; f \\s. \ Q s\ \ \ \P\ f \\rv s. Q s \ Q' rv s\" apply (rule hoare_weaken_pre) apply (rule hoare_vcg_imp_lift') apply fastforce 
@@ -66,16 +66,17 @@ lemma hoare_pre_tautI: "\ \A and P\ a \B\; \A and not P\ a \B\ \ \ \A\ a \B\" by (fastforce simp: valid_def split_def pred_conj_def pred_neg_def) +\ \FIXME: swap P and Q in these rules?\ lemma hoare_lift_Pf_pre_conj: assumes P: "\x. \\s. Q x s\ m \P x\" - assumes f: "\P. \\s. P (g s) \ R s\ m \\_ s. P (f s)\" - shows "\\s. Q (g s) s \ R s\ m \\rv s. P (f s) rv s\" + assumes f: "\P. \\s. P (g s) \ P' s\ m \\_ s. P (f s)\" + shows "\\s. Q (g s) s \ P' s\ m \\rv s. P (f s) rv s\" apply (clarsimp simp: valid_def) apply (rule use_valid [OF _ P], simp) apply (rule use_valid [OF _ f], simp, simp) done -lemmas hoare_lift_Pf4 = hoare_lift_Pf_pre_conj[where R=\, simplified] +lemmas hoare_lift_Pf4 = hoare_lift_Pf_pre_conj[where P'=\, simplified] lemmas hoare_lift_Pf3 = hoare_lift_Pf4[where f=f and g=f for f] lemmas hoare_lift_Pf2 = hoare_lift_Pf3[where P="\f _. P f" for P] lemmas hoare_lift_Pf = hoare_lift_Pf2[where Q=P and P=P for P] @@ -85,13 +86,13 @@ lemmas hoare_lift_Pf2_pre_conj = hoare_lift_Pf3_pre_conj[where P="\f _. lemmas hoare_lift_Pf_pre_conj' = hoare_lift_Pf2_pre_conj[where Q=P and P=P for P] lemma hoare_if_r_and: - "\P\ f \\r. if R r then Q r else Q' r\ - = \P\ f \\r s. (R r \ Q r s) \ (\R r \ Q' r s)\" + "\P\ f \\r. if P' r then Q r else Q' r\ + = \P\ f \\r s. (P' r \ Q r s) \ (\P' r \ Q' r s)\" by (fastforce simp: valid_def) lemma hoare_convert_imp: - "\ \\s. \ P s\ f \\rv s. \ Q s\; \R\ f \S\ \ - \ \\s. P s \ R s\ f \\rv s. Q s \ S rv s\" + "\ \\s. \ P s\ f \\rv s. \ Q s\; \P'\ f \S\ \ + \ \\s. P s \ P' s\ f \\rv s. Q s \ S rv s\" apply (simp only: imp_conv_disj) apply (erule(1) hoare_vcg_disj_lift) done 
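Review bot: The new `FIXME: swap P and Q in these rules?` does not say which rules or what is wrong with them; from the hunk the issue appears to be that the premise `P` of `hoare_lift_Pf_pre_conj` uses `Q x` as the precondition and `P x` as the postcondition, the reverse of the P-pre/Q-post convention the rest of this commit adopts, and the `hoare_lift_Pf*` lemmas derived from it just below inherit that. Suggest `FIXME: hoare_lift_Pf_pre_conj and the hoare_lift_Pf* lemmas derived from it use Q as the pre and P as the post, opposite to the convention elsewhere; consider swapping them.` so the TODO is actionable without re-deriving it.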
@@ -108,12 +109,6 @@ lemma hoare_case_option_wpR: \ \case_option P P' v\ f v \\rv. case v of None \ Q rv | Some x \ Q' x rv\,-" by (cases v) auto -lemma hoare_vcg_conj_liftE_R: - "\ \P\ f \P'\,-; \Q\ f \Q'\,- \ \ \P and Q\ f \\rv s. P' rv s \ Q' rv s\, -" - apply (simp add: validE_R_def validE_def valid_def split: sum.splits) - apply blast - done - lemma K_valid[wp]: "\K P\ f \\_. K P\" by (simp add: valid_def) @@ -133,18 +128,18 @@ lemma hoare_imp_eq_substR: by (fastforce simp add: valid_def validE_R_def validE_def split: sum.splits) lemma hoare_split_bind_case_sum: - assumes x: "\rv. \R rv\ g rv \Q\" - "\rv. \S rv\ h rv \Q\" - assumes y: "\P\ f \S\,\R\" + assumes x: "\rv. \E rv\ g rv \Q\" + "\rv. \Q' rv\ h rv \Q\" + assumes y: "\P\ f \Q'\,\E\" shows "\P\ f >>= case_sum g h \Q\" apply (rule bind_wp[OF _ y[unfolded validE_def]]) apply (wpsimp wp: x split: sum.splits) done lemma hoare_split_bind_case_sumE: - assumes x: "\rv. \R rv\ g rv \Q\,\E\" - "\rv. \S rv\ h rv \Q\,\E\" - assumes y: "\P\ f \S\,\R\" + assumes x: "\rv. \E' rv\ g rv \Q\,\E\" + "\rv. \Q' rv\ h rv \Q\,\E\" + assumes y: "\P\ f \Q'\,\E'\" shows "\P\ f >>= case_sum g h \Q\,\E\" apply (unfold validE_def) apply (rule bind_wp[OF _ y[unfolded validE_def]]) @@ -167,13 +162,13 @@ lemma select_inv: "\ P \ select S \ \r. P \" by wpsimp -lemmas return_inv = hoare_return_drop_var - -lemma assert_inv: "\P\ assert Q \\r. P\" +lemma assert_inv: + "\P\ assert Q \\r. P\" unfolding assert_def by (cases Q) simp+ -lemma assert_opt_inv: "\P\ assert_opt Q \\r. P\" +lemma assert_opt_inv: + "\P\ assert_opt Q \\r. P\" unfolding assert_opt_def by (cases Q) simp+ @@ -181,7 +176,7 @@ lemma case_options_weak_wp: "\ \P\ f \Q\; \x. \P'\ g x \Q\ \ \ \P and P'\ case opt of None \ f | Some x \ g x \Q\" apply (cases opt) apply (clarsimp elim!: hoare_weaken_pre) - apply (rule hoare_weaken_pre [where Q=P']) + apply (rule hoare_weaken_pre[where P'=P']) apply simp+ done 
@@ -217,19 +212,19 @@ lemma list_cases_weak_wp: lemmas hoare_FalseE_R = hoare_FalseE[where E="\\", folded validE_R_def] lemma hoare_vcg_if_lift2: - "\R\ f \\rv s. (P rv s \ X rv s) \ (\ P rv s \ Y rv s)\ \ - \R\ f \\rv s. if P rv s then X rv s else Y rv s\" + "\P\ f \\rv s. (Q rv s \ X rv s) \ (\ Q rv s \ Y rv s)\ \ + \P\ f \\rv s. if Q rv s then X rv s else Y rv s\" - "\R\ f \\rv s. (P' rv \ X rv s) \ (\ P' rv \ Y rv s)\ \ - \R\ f \\rv. if P' rv then X rv else Y rv\" + "\P\ f \\rv s. (Q' rv \ X rv s) \ (\ Q' rv \ Y rv s)\ \ + \P\ f \\rv. if Q' rv then X rv else Y rv\" by (auto simp: valid_def split_def) lemma hoare_vcg_if_lift_ER: (* Required because of lack of rv in lifting rules *) - "\R\ f \\rv s. (P rv s \ X rv s) \ (\ P rv s \ Y rv s)\, - \ - \R\ f \\rv s. if P rv s then X rv s else Y rv s\, -" + "\P\ f \\rv s. (Q rv s \ X rv s) \ (\ Q rv s \ Y rv s)\, - \ + \P\ f \\rv s. if Q rv s then X rv s else Y rv s\, -" - "\R\ f \\rv s. (P' rv \ X rv s) \ (\ P' rv \ Y rv s)\, - \ - \R\ f \\rv. if P' rv then X rv else Y rv\, -" + "\P\ f \\rv s. (Q' rv \ X rv s) \ (\ Q' rv \ Y rv s)\, - \ + \P\ f \\rv. if Q' rv then X rv else Y rv\, -" by (auto simp: valid_def validE_R_def validE_def split_def) lemma hoare_list_all_lift: @@ -361,8 +356,8 @@ lemma valid_return_unit: by (auto simp: valid_def in_bind in_return Ball_def) lemma hoare_weak_lift_imp_conj: - "\ \Q\ m \Q'\; \R\ m \R'\ \ - \ \\s. (P \ Q s) \ R s\ m \\rv s. (P \ Q' rv s) \ R' rv s\" + "\ \P'\ m \Q'\; \P''\ m \Q''\ \ + \ \\s. (P \ P' s) \ P'' s\ m \\rv s. (P \ Q' rv s) \ Q'' rv s\" apply (rule hoare_vcg_conj_lift) apply (rule hoare_weak_lift_imp) apply assumption+ @@ -374,7 +369,7 @@ lemma hoare_eq_P: by (rule assms) lemma hoare_validE_R_conj: - "\\P\ f \Q\, -; \P\ f \R\, -\ \ \P\ f \Q and R\, -" + "\\P\ f \Q\, -; \P\ f \Q'\, -\ \ \P\ f \Q and Q'\, -" by (simp add: valid_def validE_def validE_R_def Let_def split_def split: sum.splits) lemmas throwError_validE_R = throwError_wp [where E="\\", folded validE_R_def] 
@@ -404,10 +399,6 @@ lemmas fail_inv = hoare_fail_any[where Q="\_. P" and P=P for P] lemma gets_sp: "\P\ gets f \\rv. P and (\s. f s = rv)\" by (wp, simp) -lemma post_by_hoare2: - "\ \P\ f \Q\; (r, s') \ mres (f s); P s \ \ Q r s'" - by (rule post_by_hoare, assumption+) - lemma hoare_Ball_helper: assumes x: "\x. \P x\ f \Q x\" assumes y: "\P. \\s. P (S s)\ f \\rv s. P (S s)\" @@ -421,9 +412,9 @@ lemma hoare_Ball_helper: lemma handy_prop_divs: assumes x: "\P. \\s. P (Q s) \ S s\ f \\rv s. P (Q' rv s)\" - "\P. \\s. P (R s) \ S s\ f \\rv s. P (R' rv s)\" - shows "\\s. P (Q s \ R s) \ S s\ f \\rv s. P (Q' rv s \ R' rv s)\" - "\\s. P (Q s \ R s) \ S s\ f \\rv s. P (Q' rv s \ R' rv s)\" + "\P. \\s. P (T s) \ S s\ f \\rv s. P (T' rv s)\" + shows "\\s. P (Q s \ T s) \ S s\ f \\rv s. P (Q' rv s \ T' rv s)\" + "\\s. P (Q s \ T s) \ S s\ f \\rv s. P (Q' rv s \ T' rv s)\" apply (clarsimp simp: valid_def elim!: subst[rotated, where P=P]) apply (rule use_valid [OF _ x(1)], assumption) 
@@ -517,36 +508,26 @@ lemma weaker_hoare_ifE: lemma wp_split_const_if: assumes x: "\P\ f \Q\" assumes y: "\P'\ f \Q'\" - shows "\\s. (G \ P s) \ (\ G \ P' s)\ f \\rv s. (G \ Q rv s) \ (\ G \ Q' rv s)\" - by (cases G, simp_all add: x y) + shows "\\s. (S \ P s) \ (\ S \ P' s)\ f \\rv s. (S \ Q rv s) \ (\ S \ Q' rv s)\" + by (cases S; simp add: x y) lemma wp_split_const_if_R: assumes x: "\P\ f \Q\,-" assumes y: "\P'\ f \Q'\,-" - shows "\\s. (G \ P s) \ (\ G \ P' s)\ f \\rv s. (G \ Q rv s) \ (\ G \ Q' rv s)\,-" - by (cases G, simp_all add: x y) + shows "\\s. (S \ P s) \ (\ S \ P' s)\ f \\rv s. (S \ Q rv s) \ (\ S \ Q' rv s)\,-" + by (cases S; simp add: x y) lemma hoare_disj_division: - "\ P \ Q; P \ \R\ f \S\; Q \ \T\ f \S\ \ - \ \\s. (P \ R s) \ (Q \ T s)\ f \S\" - apply safe - apply (rule hoare_pre_imp) - prefer 2 - apply simp - apply simp - apply (rule hoare_pre_imp) - prefer 2 - apply simp - apply simp - done + "\ P \ P'; P \ \S\ f \Q\; P' \ \T\ f \Q\ \ + \ \\s. (P \ S s) \ (P' \ T s)\ f \Q\" + by (fastforce intro: hoare_weaken_pre) lemma hoare_grab_asm: - "\ G \ \P\ f \Q\ \ \ \\s. G \ P s\ f \Q\" - by (cases G, simp+) + "\ P' \ \P\ f \Q\ \ \ \\s. P' \ P s\ f \Q\" + by (cases P', simp+) lemma hoare_grab_asm2: - "\P' \ \\s. P s \ R s\ f \Q\\ - \ \\s. P s \ P' \ R s\ f \Q\" + "\P' \ \\s. P s \ P'' s\ f \Q\\ \ \\s. P s \ P' \ P'' s\ f \Q\" by (fastforce simp: valid_def) lemma hoare_grab_exs: @@ -560,15 +541,6 @@ lemma hoare_prop_E: "\\rv. P\ f -,\\rv s unfolding validE_E_def by (rule hoare_pre, wp, simp) -lemma hoare_vcg_conj_lift_R: - "\ \P\ f \Q\,-; \R\ f \S\,- \ - \ \\s. P s \ R s\ f \\rv s. Q rv s \ S rv s\,-" - apply (simp add: validE_R_def validE_def) - apply (drule(1) hoare_vcg_conj_lift) - apply (erule hoare_strengthen_post) - apply (clarsimp split: sum.splits) - done - lemma hoare_walk_assmsE: assumes x: "\P\ f \\rv. P\" and y: "\s. P s \ Q s" and z: "\P\ g \\rv. Q\" shows "\P\ doE x \ f; g odE \\rv. Q\" 
@@ -622,8 +594,8 @@ lemma weak_if_wp': by (auto simp add: valid_def split_def) lemma bindE_split_recursive_asm: - assumes x: "\x s'. \ (Inr x, s') \ mres (f s) \ \ \\s. B x s \ s = s'\ g x \C\, \E\" - shows "\A\ f \B\, \E\ \ \\st. A st \ st = s\ f >>=E g \C\, \E\" + assumes x: "\x s'. \ (Inr x, s') \ mres (f s) \ \ \\s. Q' x s \ s = s'\ g x \Q\,\E\" + shows "\P\ f \Q'\, \E\ \ \\st. P st \ st = s\ f >>=E g \Q\,\E\" apply (clarsimp simp: validE_def valid_def bindE_def in_bind lift_def) apply (erule allE, erule(1) impE) apply (drule(1) bspec, simp) @@ -708,23 +680,23 @@ lemma valid_pre_satisfies_post: by (clarsimp simp: valid_def) lemma validE_pre_satisfies_post: - "\ \s r' s'. P s \ Q r' s'; \s r' s'. P s \ R r' s' \ \ \ P \ m \ Q \,\ R \" + "\ \s r' s'. P s \ Q r' s'; \s r' s'. P s \ E r' s' \ \ \ P \ m \ Q \,\ E \" by (clarsimp simp: validE_def2 split: sum.splits) lemma hoare_validE_R_conjI: "\ \P\ f \Q\, - ; \P\ f \Q'\, - \ \ \P\ f \\rv s. Q rv s \ Q' rv s\, -" - by (fastforce simp: Ball_def validE_R_def validE_def valid_def split: sum.splits) + by (clarsimp simp: Ball_def validE_R_def validE_def valid_def split: sum.splits) lemma hoare_validE_E_conjI: "\ \P\ f -, \Q\ ; \P\ f -, \Q'\ \ \ \P\ f -, \\rv s. Q rv s \ Q' rv s\" - by (fastforce simp: Ball_def validE_E_def validE_def valid_def split: sum.splits) + by (clarsimp simp: Ball_def validE_E_def validE_def valid_def split: sum.splits) lemma validE_R_post_conjD1: - "\P\ f \\r s. Q r s \ R r s\,- \ \P\ f \Q\,-" + "\P\ f \\r s. Q r s \ Q' r s\,- \ \P\ f \Q\,-" by (fastforce simp: validE_R_def validE_def valid_def split: sum.splits) lemma validE_R_post_conjD2: - "\P\ f \\r s. Q r s \ R r s\,- \ \P\ f \R\,-" + "\P\ f \\r s. Q r s \ Q' r s\,- \ \P\ f \Q'\,-" by (fastforce simp: validE_R_def validE_def valid_def split: sum.splits) lemma throw_opt_wp[wp]: 
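Review bot: In `bindE_split_recursive_asm` the new text mixes `⦃Q⦄,⦃E⦄` (in assumption `x`) with `⦃Q'⦄, ⦃E⦄` (in the `shows`) within one lemma, while the rest of the commit normalises to no space after the comma (e.g. `hoare_post_addE`, `hoare_validE_cases`); `hoare_drop_impE` and `rg_drop_impE` keep the spaced form as well. Suggest `shows "⦃P⦄ f ⦃Q'⦄,⦃E⦄ ⟹ ⦃λst. P st ∧ st = s⦄ f >>=E g ⦃Q⦄,⦃E⦄"` for consistency, since this statement is being rewritten anyway.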
@@ -735,10 +707,12 @@ lemma hoare_name_pre_state2: "(\s. \P and ((=) s)\ f \Q\) \ \P\ f \Q\" by (auto simp: valid_def intro: hoare_name_pre_state) -lemma returnOk_E': "\P\ returnOk r -,\E\" +lemma returnOk_E': + "\P\ returnOk r -,\E\" by wpsimp -lemma throwError_R': "\P\ throwError e \Q\,-" +lemma throwError_R': + "\P\ throwError e \Q\,-" by wpsimp end \ No newline at end of file diff --git a/lib/Monads/trace/Trace_RG.thy b/lib/Monads/trace/Trace_RG.thy index e462485b84..42889d9236 100644 --- a/lib/Monads/trace/Trace_RG.thy +++ b/lib/Monads/trace/Trace_RG.thy @@ -363,8 +363,7 @@ lemma rg_FalseE[simp]: by (simp add: validI_def validIE_def) lemma rg_post_imp: - "\\v s0 s. Q' v s0 s \ Q v s0 s; \P\,\R\ f \G\,\Q'\\ - \ \P\,\R\ f \G\,\Q\" + "\\v s0 s. Q' v s0 s \ Q v s0 s; \P\,\R\ f \G\,\Q'\\ \ \P\,\R\ f \G\,\Q\" by (simp add: validI_def) lemma rg_post_impE: 
@@ -375,16 +374,24 @@ lemma rg_post_impE: lemmas rg_strengthen_post = rg_post_imp[rotated] lemmas rg_strengthen_postE = rg_post_impE[rotated 2] -lemma rg_post_imp_dc: - "\\P\,\R\ a \G\,\\_. Q'\; \s0 s. Q' s0 s \ Q s0 s\ \ \P\,\R\ a \G\,\\_. Q\,\\_. Q\" +lemma rg_strengthen_postE_R: + "\ \P\,\R\ f \G\,\Q'\,-; \rv s0 s. Q' rv s0 s \ Q rv s0 s \ \ \P\,\R\ f \G\,\Q\,-" + by (erule rg_post_impE) + +lemma rg_strengthen_postE_E: + "\ \P\,\R\ f \G\,-,\E'\; \rv s0 s. E' rv s0 s \ E rv s0 s \ \ \P\,\R\ f \G\,-,\E\" + by (rule rg_post_impE) + +lemma rg_post_impE_dc: + "\\P\,\R\ f \G\,\\_. Q'\; \s0 s. Q' s0 s \ Q s0 s\ \ \P\,\R\ f \G\,\\_. Q\,\\_. Q\" by (fastforce simp: validIE_def validI_def split: sum.splits) -lemma rg_post_imp_dc2: - "\\P\,\R\ a \G\,\\_. Q'\; \s0 s. Q' s0 s \ Q s0 s\ \ \P\,\R\ a \G\,\\_. Q\,-" +lemma rg_post_impE_R_dc: + "\\P\,\R\ f \G\,\\_. Q'\; \s0 s. Q' s0 s \ Q s0 s\ \ \P\,\R\ f \G\,\\_. Q\,-" by (fastforce simp: validIE_def validI_def split: sum.splits) -lemma rg_post_imp_dc2E: - "\\P\,\R\ a \G\,\\_. Q'\; \s0 s. Q' s0 s \ Q s0 s\ \ \P\,\R\ a \G\,-,\\_. Q\" +lemma rg_post_impE_E_dc: + "\\P\,\R\ f \G\,\\_. Q'\; \s0 s. Q' s0 s \ Q s0 s\ \ \P\,\R\ f \G\,-,\\_. Q\" by (fastforce simp: validIE_def validI_def split: sum.splits) lemma rg_guar_imp: @@ -778,7 +785,7 @@ subsection \@{const validI} and @{const validIE}, @{const validIE_R}, @{co lemma validI_validIE: "\P\,\R\ f \G\,\\_. Q\ \ \P\,\R\ f \G\,\\_. Q\,\\_. Q\" - by (rule rg_post_imp_dc) + by (rule rg_post_impE_dc) lemma validI_validIE2: "\\P\,\R\ f \G\,\\_. Q'\; \s0 s. Q' s0 s \ Q s0 s; \s0 s. Q' s0 s \ E s0 s\ @@ -793,11 +800,11 @@ lemma validIE_validI: lemma validI_validIE_R: "\P\,\R\ f \G\,\\_. Q\ \ \P\,\R\ f \G\,\\_. Q\,-" - by (rule rg_post_imp_dc2) + by (rule rg_post_impE_R_dc) lemma validI_validIE_E: "\P\,\R\ f \G\,\\_. Q\ \ \P\,\R\ f \G\,-,\\_. Q\" - by (rule rg_post_imp_dc2E) + by (rule rg_post_impE_E_dc) lemma validIE_eq_validI: "\P\,\R\ f \G\,\\rv. Q\,\\rv. Q\ = \P\,\R\ f \G\,\\rv. Q\" 
@@ -875,8 +882,8 @@ lemma bindE_twp_nobind: lemmas bind_twp_skip = bind_twp[where Q=Q and Q'=Q for Q] lemma rg_chain: - "\\P\,\R\ f \G\,\Q\; \s0 s. P' s0 s \ P s0 s; \rv s0 s. Q rv s0 s \ S rv s0 s\ - \ \P'\,\R\ f \G\,\S\" + "\\P'\,\R\ f \G\,\Q'\; \s0 s. P s0 s \ P' s0 s; \rv s0 s. Q' rv s0 s \ Q rv s0 s\ + \ \P'\,\R\ f \G\,\Q\" by (wp_pre, rule rg_post_imp) lemma rg_chainE: @@ -1005,7 +1012,7 @@ lemma rg_absorb_imp: by (erule rg_post_imp[rotated], blast) lemma rg_weaken_imp: - "\\rv s0 s. Q rv s0 s \ Q' rv s0 s ; \P\,\R\ f \G\,\\rv s0 s. Q' rv s0 s \ S rv s0 s\\ + "\\rv s0 s. Q rv s0 s \ Q' rv s0 s ; \P\,\R\ f \G\,\\rv s0 s. Q' rv s0 s \ S rv s0 s\\ \ \P\,\R\ f \G\,\\rv s0 s. Q rv s0 s \ S rv s0 s\" by (clarsimp simp: validI_def split_def) @@ -1099,23 +1106,15 @@ lemma rg_trivE: "\P\,\R\ f \G\ lemma rg_trivE_R: "\P\,\R\ f \G\,\Q\,- \ \P\,\R\ f \G\,\Q\,-" . lemma rg_trivR_R: "\P\,\R\ f \G\,-,\E\ \ \P\,\R\ f \G\,-,\E\" . -lemma rg_vcg_E_conj: +lemma rg_vcg_conj_liftE_E: "\\P\,\R\ f \G\,-,\E\; \P'\,\R\ f \G\,\Q\,\E'\\ \ \\s0 s. P s0 s \ P' s0 s\,\R\ f \G\,\Q\,\\rv s0 s. E rv s0 s \ E' rv s0 s\" unfolding validIE_def by (rule rg_post_imp[OF _ rg_vcg_conj_lift]; simp split: sum.splits) -lemma rg_vcg_E_elim: +lemma rg_vcg_conj_elimE: "\\P\,\R\ f \G\,-,\E\; \P'\,\R\ f \G\,\Q\,-\ \ \\s0 s. P s0 s \ P' s0 s\,\R\ f \G\,\Q\,\E\" - by (rule rg_strengthen_postE[OF rg_vcg_E_conj]) simp+ - -lemma rg_strengthen_post_R: - "\ \P\,\R\ f \G\,\Q'\,-; \rv s0 s. Q' rv s0 s \ Q rv s0 s \ \ \P\,\R\ f \G\,\Q\,-" - by (erule rg_post_impE) - -lemma rg_strengthen_post_E: - "\ \P\,\R\ f \G\,-,\Q'\; \rv s0 s. Q' rv s0 s \ Q rv s0 s \ \ \P\,\R\ f \G\,-,\Q\" - by (rule rg_post_impE) + by (rule rg_strengthen_postE[OF rg_vcg_conj_liftE_E]) simp+ lemma rg_post_comb_imp_conj: "\\P'\,\R\ f \G\,\Q\; \P\,\R\ f \G\,\Q'\; \s0 s. P s0 s \ P' s0 s\ 
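Review bot: As rendered, the new statement of `rg_chain` concludes `⦃P'⦄,⦃R⦄ f ⦃G⦄,⦃Q⦄` although its premises are the triple for `P'` and the weakening `P s0 s ⟹ P' s0 s`; with that conclusion the weakening premise is unused and the lemma no longer chains the precondition, whereas the old statement did conclude for the weaker predicate. The conclusion should be `⟹ ⦃P⦄,⦃R⦄ f ⦃G⦄,⦃Q⦄`. If the page rendering dropped a character here, disregard; otherwise note that `by (wp_pre, rule rg_post_imp)` may still succeed on the weaker statement, so the build would not catch it.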
@@ -1123,11 +1122,11 @@ lemma rg_post_comb_imp_conj: by (wpsimp wp: rg_vcg_conj_lift) lemma rg_vcg_if_lift: - "\R\,\R\ f \G\,\\rv s0 s. (P \ X rv s0 s) \ (\P \ Y rv s0 s)\ \ - \R\,\R\ f \G\,\\rv s0 s. if P then X rv s0 s else Y rv s0 s\" + "\P\,\R\ f \G\,\\rv s0 s. (P' \ X rv s0 s) \ (\P' \ Y rv s0 s)\ \ + \P\,\R\ f \G\,\\rv s0 s. if P' then X rv s0 s else Y rv s0 s\" - "\R\,\R\ f \G\,\\rv s0 s. (P \ X rv s0 s) \ (\P \ Y rv s0 s)\ \ - \R\,\R\ f \G\,\\rv. if P then X rv else Y rv\" + "\P\,\R\ f \G\,\\rv s0 s. (P' \ X rv s0 s) \ (\P' \ Y rv s0 s)\ \ + \P\,\R\ f \G\,\\rv. if P' then X rv else Y rv\" by (auto simp: validI_def split_def) lemma rg_vcg_split_lift[wp]: @@ -1398,12 +1397,12 @@ lemmas rg_wp_combs = rg_vcg_conj_lift lemmas rg_wp_combsE = rg_vcg_conj_liftE1 rg_vcg_conj_liftE2 - rg_vcg_E_elim + rg_vcg_conj_elimE lemmas rg_wp_state_combsE = validI_validIE_R rg_vcg_conj_liftE1[OF validI_validIE_R] - rg_vcg_E_elim[OF validI_validIE_E] + rg_vcg_conj_elimE[OF validI_validIE_E] rg_vcg_conj_liftE2[OF validI_validIE_E] lemmas rg_classic_wp_combs = rg_post_comb_imp_conj rg_weaken_pre rg_wp_combs @@ -1578,11 +1577,13 @@ lemma rg_drop_imp: by (auto simp: validI_def) lemma rg_drop_impE: - "\\P\,\R\ f \G\,\\r. Q\, \E\\ \ \P\,\R\ f \G\,\\rv s0 s. Q' rv s0 s \ Q s0 s\, \E\" + "\\P\,\R\ f \G\,\Q\, \E\\ \ \P\,\R\ f \G\,\\rv s0 s. Q' rv s0 s \ Q rv s0 s\, \E\" by (simp add: rg_chainE) +(*Q is used instead of E so that hoare_drop_imps can be instantiated, which requires that all of its + thms have the same variables.*) lemma rg_drop_impE_E: - "\P\,\R\ f \G\,\Q\,\E\ \ \P\,\R\ f \G\,\Q\, \\rv s0 s. E' rv s0 s \ E rv s0 s\" + "\P\,\R\ f \G\,\Q''\,\Q\ \ \P\,\R\ f \G\,\Q''\, \\rv s0 s. Q' rv s0 s \ Q rv s0 s\" by (auto simp: validIE_def validI_def split: sum.splits) lemmas rg_drop_imps = rg_drop_imp rg_drop_impE rg_drop_impE_E diff --git a/lib/Monads/trace/Trace_VCG.thy b/lib/Monads/trace/Trace_VCG.thy index 25bd787b85..4b8170b5d3 100644 --- a/lib/Monads/trace/Trace_VCG.thy 
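Review bot: The comment copied above `rg_drop_impE_E` in the `@@ -1578` hunk names `hoare_drop_imps`, but the collection this lemma belongs to in Trace_RG.thy is `rg_drop_imps`, defined two lines below it; suggest `(* Q is used instead of E so that rg_drop_imps can be instantiated, which requires that the instantiated variable occurs in every member. *)`. As with the Nondet copy, `rg_drop_impE` keeps an `E` variable the other members lack, so "the same variables" is stronger than what actually holds. A space after `(*` would match the comment style elsewhere in these files (e.g. `(* leaving out hoare_vcg_conj_lift*, ... *)`).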
+++ b/lib/Monads/trace/Trace_VCG.thy @@ -87,16 +87,16 @@ lemma validE_make_schematic_post: section \Pre Lemmas\ lemma hoare_pre_imp: - "\ \s. P s \ Q s; \Q\ a \R\ \ \ \P\ a \R\" + "\ \s. P s \ P' s; \P'\ f \Q\ \ \ \P\ f \Q\" by (fastforce simp: valid_def) lemmas hoare_weaken_pre = hoare_pre_imp[rotated] lemma hoare_weaken_preE: - "\ \Q\ f \R\,\E\; \s. P s \ Q s \ \ \P\ f \R\,\E\" + "\ \P'\ f \Q\,\E\; \s. P s \ P' s \ \ \P\ f \Q\,\E\" by (fastforce simp: validE_def2) -lemma hoare_weaken_preE_R: (* FIXME lib: rename to hoare_weaken_preE_R *) +lemma hoare_weaken_preE_R: "\ \P'\ f \Q\,-; \s. P s \ P' s \ \ \P\ f \Q\,-" unfolding validE_R_def by (rule hoare_weaken_preE) @@ -130,7 +130,6 @@ lemma wpc_helper_validR_R: "\Q\ f -,\E\ \ wpc_helper (P, P', P'') (Q, Q', Q'') \P\ f -,\E\" by (clarsimp simp: wpc_helper_def elim!: hoare_pre) - wpc_setup "\m. \P\ m \Q\" wpc_helper_valid wpc_setup "\m. \P\ m \Q\,\E\" wpc_helper_validE wpc_setup "\m. \P\ m \Q\,-" wpc_helper_validE_R 
@@ -140,21 +139,21 @@ wpc_setup "\m. \P\ m -,\E\" wpc_helper_v subsection "Hoare Logic Rules" lemma bind_wp[wp_split]: - "\ \r. \Q' r\ g r \Q\; \P\ f \Q'\ \ \ \P\ f >>= (\rv. g rv) \Q\" + "\\rv. \Q' rv\ g rv \Q\; \P\ f \Q'\\ \ \P\ f >>= (\rv. g rv) \Q\" by (fastforce simp: valid_def bind_def' mres_def intro: image_eqI[rotated]) lemma bindE_wp[wp_split]: - "\ \r. \Q' r\ g r \Q\,\E\; \P\ f \Q'\,\E\ \ \ \P\ f >>=E (\rv. g rv) \Q\,\E\" + "\\rv. \Q' rv\ g rv \Q\,\E\; \P\ f \Q'\,\E\\ \ \P\ f >>=E (\rv. g rv) \Q\,\E\" by (fastforce simp: validE_def2 bindE_def bind_def throwError_def return_def lift_def mres_def image_def split: sum.splits tmres.splits) lemma bindE_R_wp: - "\\r. \Q' r\ g r \Q\,-; \P\ f \Q'\,-\ \ \P\ f >>=E (\rv. g rv) \Q\,-" + "\\rv. \Q' rv\ g rv \Q\,-; \P\ f \Q'\,-\ \ \P\ f >>=E (\rv. g rv) \Q\,-" apply (clarsimp simp: validE_R_def) by (wp | assumption)+ lemma bindE_E_wp: - "\\r. \Q' r\ g r -,\E\; \P\ f \Q'\,\E\\ \ \P\ f >>=E (\rv. g rv) -,\E\" + "\\rv. \Q' rv\ g rv -,\E\; \P\ f \Q'\,\E\\ \ \P\ f >>=E (\rv. g rv) -,\E\" apply (clarsimp simp: validE_E_def) by (wp | assumption)+ @@ -162,17 +161,17 @@ lemmas bind_wp_fwd = bind_wp[rotated] lemmas bindE_wp_fwd = bindE_wp[rotated] lemma bind_wpE_R: - "\\x. \Q' x\ g x \Q\,-; \P\ f \Q'\\ \ \P\ f >>= g \Q\,-" + "\\rv. \Q' rv\ g rv \Q\,-; \P\ f \Q'\\ \ \P\ f >>= (\rv. g rv) \Q\,-" apply (clarsimp simp: validE_R_def validE_def) by (wp | assumption)+ lemma bind_wpE_E: - "\\x. \Q' x\ g x -,\E\; \P\ f \Q'\\ \ \P\ f >>= g -,\E\" + "\\rv. \Q' rv\ g rv -,\E\; \P\ f \Q'\\ \ \P\ f >>= (\rv. g rv) -,\E\" apply (clarsimp simp: validE_E_def validE_def) by (wp | assumption)+ lemma bind_wpE: - "\\x. \Q' x\ g x \Q\,\E\; \P\ f \Q'\\ \ \P\ f >>= g \Q\,\E\" + "\\rv. \Q' rv\ g rv \Q\,\E\; \P\ f \Q'\\ \ \P\ f >>= (\rv. g rv) \Q\,\E\" apply (clarsimp simp: validE_def) by (wp | assumption)+ 
@@ -199,11 +198,11 @@ lemmas wp_post_tautE_E = hoareE_E_TrueI[where P=\] lemmas wp_post_tauts[intro] = wp_post_taut wp_post_tautE wp_post_tautE_R wp_post_tautE_E lemma hoare_post_conj[intro]: - "\ \P\ f \Q\; \P\ f \R\ \ \ \P\ f \Q and R\" + "\ \P\ f \Q\; \P\ f \Q'\ \ \ \P\ f \Q and Q'\" by (fastforce simp: valid_def) lemma hoare_pre_disj[intro]: - "\ \P\ f \R\; \Q\ f \R\ \ \ \P or Q\ f \R\" + "\ \P\ f \Q\; \P'\ f \Q\ \ \ \P or P'\ f \Q\" by (simp add:valid_def pred_disj_def) lemma hoare_conj: @@ -215,39 +214,35 @@ lemma hoare_pre_cont[simp]: by (simp add:valid_def) lemma hoare_FalseE[simp]: - "\\\ f \Q\, \E\" + "\\\ f \Q\,\E\" by (simp add: valid_def validE_def) -lemma hoare_return_drop_var[iff]: +lemma return_inv[iff]: "\Q\ return x \\r. Q\" by (simp add: valid_def return_def mres_def) -lemma hoare_gets[intro]: - "\ \s. P s \ Q (f s) s \ \ \P\ gets f \Q\" - by (simp add:valid_def gets_def get_def bind_def return_def mres_def) - lemma hoare_modifyE_var: "\ \s. P s \ Q (f s) \ \ \P\ modify f \\_ s. Q s\" by(simp add: valid_def modify_def put_def get_def bind_def mres_def) lemma hoare_if: - "\ P \ \Q\ a \R\; \ P \ \Q\ b \R\ \ \ \Q\ if P then a else b \R\" + "\ P' \ \P\ f \Q\; \ P' \ \P\ g \Q\ \ \ \P\ if P' then f else g \Q\" by (simp add: valid_def) lemma hoare_pre_subst: - "\ A = B; \A\ a \C\ \ \ \B\ a \C\" + "\ P = P'; \P\ f \Q\ \ \ \P'\ f \Q\" by (erule subst) lemma hoare_post_subst: - "\ B = C; \A\ a \B\ \ \ \A\ a \C\" + "\ Q = Q'; \P\ f \Q\ \ \ \P\ f \Q'\" by (erule subst) lemma hoare_post_imp: - "\ \rv s. Q rv s \ R rv s; \P\ a \Q\ \ \ \P\ a \R\" + "\ \rv s. Q' rv s \ Q rv s; \P\ f \Q'\ \ \ \P\ f \Q\" by(fastforce simp:valid_def split_def) lemma hoare_post_impE: - "\ \rv s. Q rv s \ R rv s; \e s. E e s \ F e s; \P\ a \Q\,\E\ \ \ \P\ a \R\,\F\" + "\ \rv s. Q' rv s \ Q rv s; \e s. E' e s \ E e s; \P\ f \Q'\,\E'\ \ \ \P\ f \Q\,\E\" by(fastforce simp: validE_def2 split: sum.splits) lemmas hoare_strengthen_post = hoare_post_imp[rotated] 
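Review bot: `hoare_gets[intro]` is deleted outright in the `@@ -215` hunk, and unlike `hoare_return_drop_var`, which the same hunk renames to `return_inv`, nothing visible replaces it; because it carried `[intro]`, any `auto`/`blast`/`fastforce` call in an importing theory that closed a `gets` goal through the classical reasoner loses that rule. Presumably a `wp` rule for `gets` covers the wp-based proofs, but it is worth confirming the deletion builds downstream, or keeping the lemma without the `[intro]` attribute if some proof still needs it by name.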
@@ -259,48 +254,48 @@ lemma hoare_strengthen_postE_R: by (erule hoare_post_impE) lemma hoare_strengthen_postE_E: - "\ \P\ f -,\Q'\; \rv s. Q' rv s \ Q rv s \ \ \P\ f -,\Q\" + "\ \P\ f -,\E'\; \rv s. E' rv s \ E rv s \ \ \P\ f -,\E\" unfolding validE_E_def by (rule hoare_post_impE) lemma hoare_validE_cases: - "\ \P\ f \Q\, \\_ _. True\; \P\ f \\_ _. True\, \R\ \ \ \P\ f \Q\, \R\" + "\ \P\ f \Q\,\\_ _. True\; \P\ f \\_ _. True\,\E\ \ \ \P\ f \Q\,\E\" by (fastforce simp: validE_def valid_def split: sum.splits) -lemma hoare_post_imp_dc: - "\\P\ a \\_. Q\; \s. Q s \ R s\ \ \P\ a \\_. R\, \\_. R\" +lemma hoare_post_impE_dc: + "\\P\ f \\_. Q'\; \s. Q' s \ Q s\ \ \P\ f \\_. Q\, \\_. Q\" by (fastforce simp: validE_def valid_def split: sum.splits) -lemma hoare_post_imp_dc2: - "\\P\ a \\_. Q\; \s. Q s \ R s\ \ \P\ a \\_. R\, \\_. \\" +lemma hoare_post_impE_R_dc: + "\\P\ f \\_. Q'\; \s. Q' s \ Q s\ \ \P\ f \\_. Q\, \\_. \\" by (fastforce simp: validE_def valid_def split: sum.splits) -lemma hoare_post_imp_dc2E: - "\\P\ a \\_. Q\; \s. Q s \ R s\ \ \P\ a \\_. \\, \\_. R\" +lemma hoare_post_impE_E_dc: + "\\P\ f \\_. Q'\; \s. Q' s \ Q s\ \ \P\ f \\_. \\, \\_. Q\" by (fastforce simp: validE_def valid_def split: sum.splits) -lemma hoare_post_imp_dc2_actual: - "\P\ a \\_. R\ \ \P\ a \\_. R\, \\_. \\" - by (rule hoare_post_imp_dc2) +lemma hoare_post_impE_R_dc_actual: + "\P\ f \\_. Q\ \ \P\ f \\_. Q\, \\_. \\" + by (rule hoare_post_impE_R_dc) -lemma hoare_post_imp_dc2E_actual: - "\P\ a \\_. R\ \ \P\ a \\_. \\, \\_. R\" - by (rule hoare_post_imp_dc2E) +lemma hoare_post_impE_E_dc_actual: + "\P\ f \\_. Q\ \ \P\ f \\_. \\, \\_. Q\" + by (rule hoare_post_impE_E_dc) lemma hoare_conjD1: - "\P\ f \\rv. Q rv and R rv\ \ \P\ f \\rv. Q rv\" + "\P\ f \\rv. Q rv and Q' rv\ \ \P\ f \\rv. Q rv\" unfolding valid_def by auto lemma hoare_conjD2: - "\P\ f \\rv. Q rv and R rv\ \ \P\ f \\rv. R rv\" + "\P\ f \\rv. Q rv and Q' rv\ \ \P\ f \\rv. 
Q' rv\" unfolding valid_def by auto lemma hoare_post_disjI1: - "\P\ f \\rv. Q rv\ \ \P\ f \\rv. Q rv or R rv\" + "\P\ f \\rv. Q rv\ \ \P\ f \\rv. Q rv or Q' rv\" unfolding valid_def by auto lemma hoare_post_disjI2: - "\P\ f \\rv. R rv\ \ \P\ f \\rv. Q rv or R rv\" + "\P\ f \\rv. Q' rv\ \ \P\ f \\rv. Q rv or Q' rv\" unfolding valid_def by auto lemma use_valid: @@ -316,11 +311,11 @@ lemma use_valid_inv: using use_valid[where f=f, OF step pres[where N="\p. p = P s"]] by simp lemma use_validE_norm: - "\ (Inr r', s') \ mres (B s); \P\ B \Q\,\ E \; P s \ \ Q r' s'" + "\ (Inr r', s') \ mres (f s); \P\ f \Q\,\E\; P s \ \ Q r' s'" unfolding validE_def valid_def by force lemma use_validE_except: - "\ (Inl r', s') \ mres (B s); \P\ B \Q\,\ E \; P s \ \ E r' s'" + "\ (Inl r', s') \ mres (f s); \P\ f \Q\,\E\; P s \ \ E r' s'" unfolding validE_def valid_def by force lemma in_inv_by_hoareD: @@ -343,23 +338,23 @@ lemma hoare_gen_asm_lk: \ \Useful for forward reasoning, when P is known. The first version allows weakening the precondition.\ lemma hoare_gen_asm_spec': - "\ \s. P s \ S \ R s; S \ \R\ f \Q\ \ \ \P\ f \Q\" + "\ \s. P s \ S \ P' s; S \ \P'\ f \Q\ \ \ \P\ f \Q\" by (fastforce simp: valid_def) lemma hoare_gen_asm_spec: "\ \s. P s \ S; S \ \P\ f \Q\ \ \ \P\ f \Q\" - by (rule hoare_gen_asm_spec'[where S=S and R=P]) simp + by (rule hoare_gen_asm_spec'[where S=S and P'=P]) simp lemma hoare_conjI: - "\ \P\ f \Q\; \P\ f \R\ \ \ \P\ f \\r s. Q r s \ R r s\" + "\ \P\ f \Q\; \P\ f \Q'\ \ \ \P\ f \\r s. Q r s \ Q' r s\" unfolding valid_def by blast lemma hoare_disjI1: - "\ \P\ f \Q\ \ \ \P\ f \\rv s. Q rv s \ R rv s \" + "\ \P\ f \Q\ \ \ \P\ f \\rv s. Q rv s \ Q' rv s \" unfolding valid_def by blast lemma hoare_disjI2: - "\ \P\ f \R\ \ \ \P\ f \\rv s. Q rv s \ R rv s \" + "\ \P\ f \Q'\ \ \ \P\ f \\rv s. Q rv s \ Q' rv s \" unfolding valid_def by blast lemma hoare_assume_pre: 
@@ -367,7 +362,7 @@ lemma hoare_assume_pre: by (auto simp: valid_def) lemma hoare_assume_preE: - "(\s. P s \ \P\ f \Q\,\R\) \ \P\ f \Q\,\R\" + "(\s. P s \ \P\ f \Q\,\E\) \ \P\ f \Q\,\E\" by (auto simp: valid_def validE_def) lemma hoare_allI: @@ -383,7 +378,7 @@ lemma hoare_exI: by (simp add: valid_def) blast lemma hoare_impI: - "(R \ \P\ f \Q\) \ \P\ f \\rv s. R \ Q rv s\" + "(P' \ \P\ f \Q\) \ \P\ f \\rv s. P' \ Q rv s\" by (simp add: valid_def) blast lemma validE_impI: @@ -415,7 +410,7 @@ subsection \@{const valid} and @{const validE}, @{const validE_R}, @{const lemma valid_validE: "\P\ f \\_. Q\ \ \P\ f \\_. Q\, \\_. Q\" - by (rule hoare_post_imp_dc) + by (rule hoare_post_impE_dc) lemma valid_validE2: "\ \P\ f \\_. Q'\; \s. Q' s \ Q s; \s. Q' s \ E s \ \ \P\ f \\_. Q\, \\_. E\" 
@@ -483,33 +478,33 @@ lemma liftE_validE[simp]: subsection \Operator lifting/splitting\ lemma hoare_vcg_if_split: - "\ P \ \Q\ f \S\; \P \ \R\ g \S\ \ \ \\s. (P \ Q s) \ (\P \ R s)\ if P then f else g \S\" + "\ P \ \P'\ f \Q\; \P \ \P''\ g \Q\ \ \ \\s. (P \ P' s) \ (\P \ P'' s)\ if P then f else g \Q\" by simp lemma hoare_vcg_if_splitE: - "\ P \ \Q\ f \S\,\E\; \P \ \R\ g \S\,\E\ \ \ - \\s. (P \ Q s) \ (\P \ R s)\ if P then f else g \S\,\E\" + "\ P \ \P'\ f \Q\,\E\; \P \ \P''\ g \Q\,\E\ \ \ + \\s. (P \ P' s) \ (\P \ P'' s)\ if P then f else g \Q\,\E\" by simp lemma hoare_vcg_split_case_option: - "\ \x. x = None \ \P x\ f x \R x\; \x y. x = Some y \ \Q x y\ g x y \R x\ \ - \ \\s. (x = None \ P x s) \ (\y. x = Some y \ Q x y s)\ + "\ \x. x = None \ \P x\ f x \Q x\; \x y. x = Some y \ \P' x y\ g x y \Q x\ \ + \ \\s. (x = None \ P x s) \ (\y. x = Some y \ P' x y s)\ case x of None \ f x | Some y \ g x y - \R x\" + \Q x\" by (cases x; simp) lemma hoare_vcg_split_case_optionE: - "\ \x. x = None \ \P x\ f x \R x\,\E x\; \x y. x = Some y \ \Q x y\ g x y \R x\,\E x\ \ - \ \\s. (x = None \ P x s) \ (\y. x = Some y \ Q x y s)\ + "\ \x. x = None \ \P x\ f x \Q x\,\E x\; \x y. x = Some y \ \P' x y\ g x y \Q x\,\E x\ \ + \ \\s. (x = None \ P x s) \ (\y. x = Some y \ P' x y s)\ case x of None \ f x | Some y \ g x y - \R x\, \E x\" + \Q x\, \E x\" by (cases x; simp) lemma hoare_vcg_split_case_sum: - "\ \x a. x = Inl a \ \P x a\ f x a \R x\; \x b. x = Inr b \ \Q x b\ g x b \R x\ \ - \ \\s. (\a. x = Inl a \ P x a s) \ (\b. x = Inr b \ Q x b s)\ + "\ \x a. x = Inl a \ \P x a\ f x a \Q x\; \x b. x = Inr b \ \P' x b\ g x b \Q x\ \ + \ \\s. (\a. x = Inl a \ P x a s) \ (\b. x = Inr b \ P' x b s)\ case x of Inl a \ f x a | Inr b \ g x b - \R x\" + \Q x\" by (cases x; simp) lemma bind_wp_nobind: 
@@ -523,7 +518,7 @@ lemma bindE_wp_nobind: lemmas bind_wp_skip = bind_wp[where Q=Q and Q'=Q for Q] lemma hoare_chain: - "\ \P\ f \Q\; \s. R s \ P s; \rv s. Q rv s \ S rv s \ \ \R\ f \S\" + "\ \P'\ f \Q'\; \s. P s \ P' s; \rv s. Q' rv s \ Q rv s \ \ \P\ f \Q\" by (wp_pre, rule hoare_post_imp) lemma hoare_chainE: @@ -537,7 +532,7 @@ lemma hoare_vcg_conj_lift: by fastforce \ \A variant which works nicely with subgoals that do not contain schematics\ -lemmas hoare_vcg_conj_lift_pre_fix = hoare_vcg_conj_lift[where P=R and P'=R for R, simplified] +lemmas hoare_vcg_conj_lift_pre_fix = hoare_vcg_conj_lift[where P=P and P'=P for P, simplified] lemma hoare_vcg_conj_liftE1: "\ \P\ f \Q\,-; \P'\ f \Q'\,\E\ \ \ \P and P'\ f \\rv s. Q rv s \ Q' rv s\,\E\" @@ -578,13 +573,13 @@ lemma hoare_vcg_const_Ball_liftE: "\ \x. x \ S \ \P x\ f \Q x\,\E\; \\s. True\ f \\r s. True\, \E\ \ \ \\s. \x\S. P x s\ f \\rv s. \x\S. Q x rv s\,\E\" by (fastforce simp: validE_def valid_def split: sum.splits) -lemma hoare_vcg_const_Ball_lift_R: +lemma hoare_vcg_const_Ball_liftE_R: "\ \x. x \ S \ \P x\ f \Q x\,- \ \ \\s. \x \ S. P x s\ f \\rv s. \x \ S. Q x rv s\,-" unfolding validE_R_def validE_def by (rule hoare_strengthen_post) (fastforce intro!: hoare_vcg_const_Ball_lift split: sum.splits)+ -lemma hoare_vcg_const_Ball_lift_E_E: +lemma hoare_vcg_const_Ball_liftE_E: "(\x. x \ S \ \P x\ f -,\Q x\) \ \\s. \x \ S. P x s\ f -,\\rv s. \x \ S. Q x rv s\" unfolding validE_E_def validE_def valid_def by (fastforce split: sum.splits) 
@@ -599,11 +594,11 @@ lemma hoare_vcg_all_liftE: lemma hoare_vcg_all_liftE_R: "(\x. \P x\ f \Q x\, -) \ \\s. \x. P x s\ f \\rv s. \x. Q x rv s\, -" - by (rule hoare_vcg_const_Ball_lift_R[where S=UNIV, simplified]) + by (rule hoare_vcg_const_Ball_liftE_R[where S=UNIV, simplified]) lemma hoare_vcg_all_liftE_E: "(\x. \P x\ f -, \Q x\) \ \\s. \x. P x s\ f -,\\rv s. \x. Q x rv s\" - by (rule hoare_vcg_const_Ball_lift_E_E[where S=UNIV, simplified]) + by (rule hoare_vcg_const_Ball_liftE_E[where S=UNIV, simplified]) lemma hoare_vcg_imp_lift: "\ \P'\ f \\rv s. \ P rv s\; \Q'\ f \Q\ \ \ \\s. P' s \ Q' s\ f \\rv s. P rv s \ Q rv s\" @@ -623,11 +618,11 @@ lemma hoare_vcg_imp_liftE': \ \\s. \ P' s \ Q' s\ f \\rv s. P rv s \ Q rv s\, \E\" by (fastforce simp: validE_def valid_def split: sum.splits) -lemma hoare_vcg_imp_lift_R: +lemma hoare_vcg_imp_liftE_R: "\ \P'\ f \\rv s. \ P rv s\, -; \Q'\ f \Q\, - \ \ \\s. P' s \ Q' s\ f \\rv s. P rv s \ Q rv s\, -" by (auto simp add: valid_def validE_R_def validE_def split_def split: sum.splits) -lemma hoare_vcg_imp_lift_R': +lemma hoare_vcg_imp_liftE_R': "\ \P'\ f \\rv s. \ P rv s\, -; \Q'\ f \Q\, - \ \ \\s. \P' s \ Q' s\ f \\rv s. P rv s \ Q rv s\, -" by (auto simp add: valid_def validE_R_def validE_def split_def split: sum.splits) 
@@ -649,24 +644,24 @@ lemma hoare_vcg_imp_conj_lift[wp_comb]: lemmas hoare_vcg_imp_conj_lift'[wp_unsafe] = hoare_vcg_imp_conj_lift[where Q'''="\\", simplified] lemma hoare_absorb_imp: - "\ P \ f \\rv s. Q rv s \ R rv s\ \ \ P \ f \\rv s. Q rv s \ R rv s\" + "\ P \ f \\rv s. Q rv s \ Q' rv s\ \ \ P \ f \\rv s. Q rv s \ Q' rv s\" by (erule hoare_post_imp[rotated], blast) lemma hoare_weaken_imp: - "\ \rv s. Q rv s \ Q' rv s ; \P\ f \\rv s. Q' rv s \ R rv s\ \ - \ \P\ f \\rv s. Q rv s \ R rv s\" + "\ \rv s. Q rv s \ Q' rv s ; \P\ f \\rv s. Q' rv s \ S rv s\ \ + \ \P\ f \\rv s. Q rv s \ S rv s\" by (clarsimp simp: valid_def split_def) lemma hoare_vcg_const_imp_lift: - "\ P \ \Q\ m \R\ \ \ \\s. P \ Q s\ m \\rv s. P \ R rv s\" + "\ P \ \P'\ m \Q\ \ \ \\s. P \ P' s\ m \\rv s. P \ Q rv s\" by (cases P, simp_all add: hoare_vcg_prop) -lemma hoare_vcg_const_imp_lift_E: - "(P \ \Q\ f -, \R\) \ \\s. P \ Q s\ f -, \\rv s. P \ R rv s\" +lemma hoare_vcg_const_imp_liftE_E: + "(P \ \P'\ f -, \E\) \ \\s. P \ P' s\ f -, \\rv s. P \ E rv s\" by (fastforce simp: validE_E_def validE_def valid_def split_def split: sum.splits) -lemma hoare_vcg_const_imp_lift_R: - "(P \ \Q\ m \R\,-) \ \\s. P \ Q s\ m \\rv s. P \ R rv s\,-" +lemma hoare_vcg_const_imp_liftE_R: + "(P \ \P'\ m \Q\,-) \ \\s. P \ P' s\ m \\rv s. P \ Q rv s\,-" by (fastforce simp: validE_R_def validE_def valid_def split_def split: sum.splits) lemma hoare_weak_lift_imp: @@ -674,11 +669,11 @@ lemma hoare_weak_lift_imp: by (auto simp add: valid_def split_def) lemma hoare_weak_lift_impE: - "\Q\ m \R\,\E\ \ \\s. P \ Q s\ m \\rv s. P \ R rv s\,\\rv s. P \ E rv s\" + "\P'\ m \Q\,\E\ \ \\s. P \ P' s\ m \\rv s. P \ Q rv s\,\\rv s. P \ E rv s\" by (cases P; simp add: validE_def hoare_vcg_prop) -lemma hoare_weak_lift_imp_R: - "\Q\ m \R\,- \ \\s. P \ Q s\ m \\rv s. P \ R rv s\,-" +lemma hoare_weak_lift_impE_R: + "\P'\ m \Q\,- \ \\s. P \ P' s\ m \\rv s. P \ Q rv s\,-" by (cases P; wpsimp wp: wp_post_tautE_R) lemma hoare_vcg_ex_lift: 
@@ -709,25 +704,31 @@ lemma hoare_liftP_ext: done (* for instantiations *) -lemma hoare_triv: "\P\f\Q\ \ \P\f\Q\" . +lemma hoare_triv: "\P\ f \Q\ \ \P\ f \Q\" . lemma hoare_trivE: "\P\ f \Q\,\E\ \ \P\ f \Q\,\E\" . lemma hoare_trivE_R: "\P\ f \Q\,- \ \P\ f \Q\,-" . lemma hoare_trivR_R: "\P\ f -,\E\ \ \P\ f -,\E\" . -lemma hoare_vcg_E_conj: +lemma hoare_vcg_conj_liftE_E: "\ \P\ f -,\E\; \P'\ f \Q'\,\E'\ \ \ \\s. P s \ P' s\ f \Q'\, \\rv s. E rv s \ E' rv s\" unfolding validE_def validE_E_def by (rule hoare_post_imp[OF _ hoare_vcg_conj_lift]; simp split: sum.splits) -lemma hoare_vcg_E_elim: +lemma hoare_vcg_conj_elimE: "\ \P\ f -,\E\; \P'\ f \Q\,- \ \ \\s. P s \ P' s\ f \Q\,\E\" - by (rule hoare_strengthen_postE[OF hoare_vcg_E_conj]) (simp add: validE_R_def)+ + by (rule hoare_strengthen_postE[OF hoare_vcg_conj_liftE_E]) (simp add: validE_R_def)+ -lemma hoare_vcg_R_conj: +lemma hoare_vcg_conj_liftE_R: "\ \P\ f \Q\,-; \P'\ f \Q'\,- \ \ \\s. P s \ P' s\ f \\rv s. Q rv s \ Q' rv s\,-" unfolding validE_R_def validE_def by (rule hoare_post_imp[OF _ hoare_vcg_conj_lift]; simp split: sum.splits) +lemma hoare_vcg_conj_liftE_R': + "\ \P\ f \Q\,-; \P'\ f \Q'\,- \ \ \P and P'\ f \\rv s. Q rv s \ Q' rv s\, -" + apply (simp add: validE_R_def validE_def valid_def split: sum.splits) + apply blast + done + lemma hoare_lift_Pf_E_R: "\ \x. \P x\ m \\_. P x\, -; \P. \\s. P (f s)\ m \\_ s. P (f s)\, - \ \ \\s. P (f s) s\ m \\_ s. P (f s) s\, -" 
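Review bot: The new `hoare_vcg_conj_liftE_R'` differs from `hoare_vcg_conj_liftE_R` directly above it only in stating the precondition as `P and P'`, but nothing says why a second copy is needed, and its proof re-unfolds `validE_R_def validE_def valid_def` and calls `blast` instead of reusing the unprimed rule. A one-line comment in the file's existing style would save the next reader the comparison, e.g. `\<comment> \<open>As hoare_vcg_conj_liftE_R, but with the precondition as a pred_conj, for goals whose precondition is not schematic\<close>`; the motivation is presumably the same as for `hoare_vcg_conj_lift_pre_fix`, so adjust the wording if not. Deriving it as `unfolding pred_conj_def by (rule hoare_vcg_conj_liftE_R)` should also work and would tie the two statements together so they cannot drift apart.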
@@ -743,11 +744,11 @@ lemma hoare_post_comb_imp_conj: by (wpsimp wp: hoare_vcg_conj_lift) lemma hoare_vcg_if_lift: - "\R\ f \\rv s. (P \ X rv s) \ (\P \ Y rv s)\ \ - \R\ f \\rv s. if P then X rv s else Y rv s\" + "\P\ f \\rv s. (P' \ X rv s) \ (\P' \ Y rv s)\ \ + \P\ f \\rv s. if P' then X rv s else Y rv s\" - "\R\ f \\rv s. (P \ X rv s) \ (\P \ Y rv s)\ \ - \R\ f \\rv. if P then X rv else Y rv\" + "\P\ f \\rv s. (P' \ X rv s) \ (\P' \ Y rv s)\ \ + \P\ f \\rv. if P' then X rv else Y rv\" by (auto simp: valid_def split_def) lemma hoare_vcg_split_lift[wp]: @@ -757,8 +758,8 @@ lemma hoare_vcg_split_lift[wp]: named_theorems hoare_vcg_op_lift lemmas [hoare_vcg_op_lift] = hoare_vcg_const_imp_lift - hoare_vcg_const_imp_lift_E - hoare_vcg_const_imp_lift_R + hoare_vcg_const_imp_liftE_E + hoare_vcg_const_imp_liftE_R (* leaving out hoare_vcg_conj_lift*, because that is built into wp *) hoare_vcg_disj_lift hoare_vcg_disj_lift_R @@ -771,13 +772,13 @@ lemmas [hoare_vcg_op_lift] = hoare_vcg_all_liftE_R hoare_vcg_const_Ball_lift hoare_vcg_const_Ball_liftE - hoare_vcg_const_Ball_lift_R - hoare_vcg_const_Ball_lift_E_E + hoare_vcg_const_Ball_liftE_R + hoare_vcg_const_Ball_liftE_E hoare_vcg_split_lift hoare_vcg_if_lift hoare_vcg_imp_lift' hoare_vcg_imp_liftE' - hoare_vcg_imp_lift_R' + hoare_vcg_imp_liftE_R' hoare_vcg_imp_liftE_E' @@ -864,8 +865,8 @@ lemma list_cases_wp: by (cases ts, auto simp: a b) lemma hoare_vcg_handle_elseE: - "\ \P\ f \Q\,\E\; \e. \E e\ g e \R\,\F\; \x. \Q x\ h x \R\,\F\ \ \ - \P\ f g h \R\,\F\" + "\ \P\ f \Q'\,\E'\; \e. \E' e\ g e \Q\,\E\; \x. \Q' x\ h x \Q\,\E\ \ \ + \P\ f g h \Q\,\E\" unfolding handle_elseE_def validE_def by (wpsimp wp: bind_wp_fwd | assumption | rule conjI)+ 
@@ -904,11 +905,11 @@ lemma state_select_wp: by (wpsimp wp: put_wp select_wp return_wp get_wp assert_wp) lemma condition_wp: - "\ \Q\ A \P\; \R\ B \P\ \ \ \\s. if C s then Q s else R s\ condition C A B \P\" + "\ \P\ f \Q\; \P'\ g \Q\ \ \ \\s. if C s then P s else P' s\ condition C f g \Q\" by (clarsimp simp: condition_def valid_def) lemma conditionE_wp: - "\ \P\ A \Q\,\R\; \P'\ B \Q\,\R\ \ \ \\s. if C s then P s else P' s\ condition C A B \Q\,\R\" + "\ \P\ f \Q\,\E\; \P'\ g \Q\,\E\ \ \ \\s. if C s then P s else P' s\ condition C f g \Q\,\E\" by (clarsimp simp: condition_def validE_def valid_def) lemma state_assert_wp: @@ -917,19 +918,19 @@ lemma state_assert_wp: by (wp bind_wp_fwd get_wp assert_wp) lemma when_wp[wp_split]: - "\ P \ \Q\ f \R\ \ \ \if P then Q else R ()\ when P f \R\" + "\ P \ \P'\ f \Q\ \ \ \if P then P' else Q ()\ when P f \Q\" by (clarsimp simp: when_def valid_def return_def mres_def) lemma unless_wp[wp_split]: - "(\P \ \Q\ f \R\) \ \if P then R () else Q\ unless P f \R\" + "(\P \ \P'\ f \Q\) \ \if P then Q () else P'\ unless P f \Q\" unfolding unless_def by wp auto lemma whenE_wp: - "(P \ \Q\ f \R\, \E\) \ \if P then Q else R ()\ whenE P f \R\, \E\" + "(P \ \P'\ f \Q\,\E\) \ \if P then P' else Q ()\ whenE P f \Q\,\E\" unfolding whenE_def by clarsimp (wp returnOk_wp) lemma unlessE_wp: - "(\ P \ \Q\ f \R\, \E\) \ \if P then R () else Q\ unlessE P f \R\, \E\" + "(\ P \ \P'\ f \Q\,\E\) \ \if P then Q () else P'\ unlessE P f \Q\,\E\" unfolding unlessE_def by (wpsimp wp: returnOk_wp) @@ -943,8 +944,8 @@ lemma notM_wp: unfolding notM_def by (wpsimp wp: return_wp) lemma ifM_wp: - assumes [wp]: "\Q\ f \S\" "\R\ g \S\" - assumes [wp]: "\A\ P \\c s. c \ Q s\" "\B\ P \\c s. \c \ R s\" + assumes [wp]: "\Q\ f \S\" "\Q'\ g \S\" + assumes [wp]: "\A\ P \\c s. c \ Q s\" "\B\ P \\c s. \c \ Q' s\" shows "\A and B\ ifM P f g \S\" unfolding ifM_def by (wpsimp wp: hoare_vcg_if_split hoare_vcg_conj_lift) 
@@ -1067,15 +1068,16 @@ lemmas hoare_wp_combs = hoare_vcg_conj_lift lemmas hoare_wp_combsE = validE_validE_R - hoare_vcg_R_conj - hoare_vcg_E_elim - hoare_vcg_E_conj + validE_validE_E + hoare_vcg_conj_liftE_R + hoare_vcg_conj_elimE + hoare_vcg_conj_liftE_E lemmas hoare_wp_state_combsE = valid_validE_R - hoare_vcg_R_conj[OF valid_validE_R] - hoare_vcg_E_elim[OF valid_validE_E] - hoare_vcg_E_conj[OF valid_validE_E] + hoare_vcg_conj_liftE_R[OF valid_validE_R] + hoare_vcg_conj_elimE[OF valid_validE_E] + hoare_vcg_conj_liftE_E[OF valid_validE_E] lemmas hoare_classic_wp_combs = hoare_post_comb_imp_conj hoare_weaken_pre hoare_wp_combs lemmas hoare_classic_wp_combsE = hoare_weaken_preE hoare_weaken_preE_R hoare_wp_combsE @@ -1147,9 +1149,9 @@ lemmas [wp] = wp_post_tauts lemmas [wp_trip] = valid_is_triple validE_is_triple validE_E_is_triple validE_R_is_triple lemmas validE_E_combs[wp_comb] = - hoare_vcg_E_conj[where Q'="\\", folded validE_E_def] + hoare_vcg_conj_liftE_E[where Q'="\\", folded validE_E_def] valid_validE_E - hoare_vcg_E_conj[where Q'="\\", folded validE_E_def, OF valid_validE_E] + hoare_vcg_conj_liftE_E[where Q'="\\", folded validE_E_def, OF valid_validE_E] subsection \Simplifications on conjunction\ @@ -1246,7 +1248,7 @@ bundle classic_wp_pre = hoare_pre [wp_pre del] text \Miscellaneous lemmas on hoare triples\ lemma hoare_pre_cases: - "\ \\s. R s \ P s\ f \Q\; \\s. \R s \ P' s\ f \Q\ \ \ \P and P'\ f \Q\" + "\ \\s. C s \ P s\ f \Q\; \\s. \C s \ P' s\ f \Q\ \ \ \P and P'\ f \Q\" unfolding valid_def by fastforce lemma hoare_vcg_mp: @@ -1280,7 +1282,7 @@ lemma hoare_use_eq: assumes "\P. \\s. P (f s)\ m \\_ s. P (f s)\" assumes "\f. \\s. P f s\ m \\_ s. Q f s\" shows "\\s. P (f s) s\ m \\_ s. Q (f s) s \" - apply (rule hoare_post_imp[where Q="\_ s. \y. y = f s \ Q y s"], simp) + apply (rule hoare_post_imp[where Q'="\_ s. \y. y = f s \ Q y s"], simp) apply (wpsimp wp: hoare_vcg_ex_lift assms) done 
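Review bot: `validE_validE_E` is added to `hoare_wp_combsE` here while a later hunk in this file drops the standalone `declare validE_validE_E[wp_comb]`; whether `hoare_wp_combsE` is itself declared `[wp_comb]` is outside this hunk, so confirm it, otherwise `wp` silently stops lifting `-,\<lbrace>E\<rbrace>` goals to `validE` and proofs that relied on the global declaration break far from this change. Since `hoare_wp_combsE` is also re-exported through `hoare_classic_wp_combsE` on the next line, the rule now reaches that bundle via the list rather than the declaration; a short comment at the list, e.g. `(* validE_validE_E is a comb rule via this list, not via a separate declare *)`, would record that the move is intentional.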
@@ -1293,39 +1295,37 @@ lemma hoare_failE[simp]: by wp lemma hoare_validE_pred_conj: - "\ \P\ f \Q\, \E\; \P\ f \R\, \E\ \ \ \P\ f \Q and R\, \E\" + "\ \P\ f \Q\,\E\; \P\ f \Q'\,\E\ \ \ \P\ f \Q and Q'\,\E\" unfolding valid_def validE_def by (simp add: split_def split: sum.splits) lemma hoare_validE_conj: - "\ \P\ f \Q\, \E\; \P\ f \R\, \E\ \ \ \P\ f \\rv s. Q rv s \ R rv s\, \E\" + "\ \P\ f \Q\,\E\; \P\ f \Q'\,\E\ \ \ \P\ f \\rv s. Q rv s \ Q' rv s\,\E\" unfolding valid_def validE_def by (simp add: split_def split: sum.splits) -lemmas hoare_valid_validE = valid_validE (* FIXME lib: eliminate one *) - -declare validE_validE_E[wp_comb] - lemmas if_validE_E[wp_split] = validE_validE_E[OF hoare_vcg_if_splitE[OF validE_E_validE validE_E_validE]] lemma hoare_drop_imp: - "\P\ f \Q\ \ \P\ f \\rv s. R rv s \ Q rv s\" + "\P\ f \Q\ \ \P\ f \\rv s. Q' rv s \ Q rv s\" by (auto simp: valid_def) lemma hoare_drop_impE: - "\\P\ f \\r. Q\, \E\\ \ \P\ f \\rv s. R rv s \ Q s\, \E\" + "\\P\ f \Q\, \E\\ \ \P\ f \\rv s. Q' rv s \ Q rv s\, \E\" by (simp add: hoare_chainE) lemma hoare_drop_impE_R: - "\P\ f \Q\,- \ \P\ f \\rv s. R rv s \ Q rv s\, -" + "\P\ f \Q\,- \ \P\ f \\rv s. Q' rv s \ Q rv s\, -" by (auto simp: validE_R_def validE_def valid_def split_def split: sum.splits) +(*Q is used instead of E so that hoare_drop_imps can be instantiated, which requires that all of its + thms have the same variables.*) lemma hoare_drop_impE_E: - "\P\ f -,\Q\ \ \P\ f -, \\rv s. R rv s \ Q rv s\" + "\P\ f -,\Q\ \ \P\ f -, \\rv s. Q' rv s \ Q rv s\" by (auto simp: validE_E_def validE_def valid_def split_def split: sum.splits) -lemmas hoare_drop_imps = hoare_drop_imp hoare_drop_impE_R hoare_drop_impE_E +lemmas hoare_drop_imps = hoare_drop_imp hoare_drop_impE hoare_drop_impE_R hoare_drop_impE_E (*This is unsafe, but can be very useful when supplied as a comb rule.*) lemma hoare_drop_imp_conj[wp_unsafe]: 
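Review bot: `hoare_drop_imps` now also bundles `hoare_drop_impE`, whose statement is simultaneously generalised from a constant `\<lambda>r. Q` postcondition to an arbitrary `Q`, so a `wp hoare_drop_imps` or `wp (once) hoare_drop_imps` in an existing proof will now fire on plain `\<lbrace>P\<rbrace> f \<lbrace>Q\<rbrace>,\<lbrace>E\<rbrace>` goals where it previously matched only `valid`, `validE_R` and `validE_E`; proofs that relied on it not applying there (the `wp (once) hoare_drop_imps` in DomainSepInv later in this diff is one candidate) may drop a different implication than before, and rule order inside the `lemmas` list decides which one `wp` tries first. The added comment also sits only above `hoare_drop_impE_E` and does not say which instantiation it protects; something like `(* All four hoare_drop_imp* rules use the variables P, f, Q, Q' so that hoare_drop_imps can be instantiated with "where Q'=..."; hence Q rather than E here. *)` makes the constraint checkable when the next rule is added. The removal of the `hoare_valid_validE` alias is fine given its FIXME, but it is a third independent API change hidden in a rename hunk and deserves a line in the commit message.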
@@ -1393,7 +1393,7 @@ lemma hoare_return_sp: (* FIXME lib: eliminate *) by (simp add: valid_def return_def mres_def) lemma assert_sp: - "\P\ assert Q \\_ s. P s \ Q \" + "\P\ assert Q \\_ s. P s \ Q\" by (simp add: assert_def fail_def return_def valid_def mres_def) lemma hoare_gets_sp: diff --git a/lib/Monads/wp/WPBang.thy b/lib/Monads/wp/WPBang.thy index dcb57538f4..e7f21e2d3a 100644 --- a/lib/Monads/wp/WPBang.thy +++ b/lib/Monads/wp/WPBang.thy @@ -24,7 +24,7 @@ fun check_has_frees_tac Ps (_ : int) thm = let in if null fs then Seq.empty else Seq.single thm end fun wp_bang wp_safe_rules ctxt = let - val wp_safe_rules_conj = ((wp_safe_rules RL @{thms hoare_vcg_conj_lift hoare_vcg_R_conj}) + val wp_safe_rules_conj = ((wp_safe_rules RL @{thms hoare_vcg_conj_lift hoare_vcg_conj_liftE_R}) RL @{thms hoare_strengthen_post hoare_strengthen_postE_R hoare_strengthen_postE_E}) |> map (rotate_prems 1) in diff --git a/lib/sep_algebra/MonadSep.thy b/lib/sep_algebra/MonadSep.thy index 26abb4d128..40f23963fc 100644 --- a/lib/sep_algebra/MonadSep.thy +++ b/lib/sep_algebra/MonadSep.thy @@ -134,8 +134,8 @@ lemma foldM_set_sep: lemma sep_list_conj_map_singleton_wp: "\x \ set xs; \R. \

* I x \* R>\ f \\_. * I x \* R>\\ \ \

* \* map I xs \* R>\ f \\_. * \* map I xs \* R>\" - apply (rule hoare_chain [where P="

* I x \* \* map I (remove1 x xs) \* R>" and - Q="\_. * I x \* \* map I (remove1 x xs) \* R>"]) + apply (rule hoare_chain[where P'="

* I x \* \* map I (remove1 x xs) \* R>" and + Q'="\_. * I x \* \* map I (remove1 x xs) \* R>"]) apply fastforce apply (subst (asm) sep_list_conj_map_remove1, assumption) apply (sep_select_asm 3) @@ -146,8 +146,8 @@ lemma sep_list_conj_map_singleton_wp: lemma sep_set_conj_map_singleton_wp: "\finite xs; x \ xs; \R. \

* I x \* R>\ f \\_. * I x \* R>\\ \ \

* (\* x\xs. I x) \* R>\ f \\_. * (\* x\xs. I x) \* R>\" - apply (rule hoare_chain [where P="

* I x \* (\* x\xs - {x}. I x) \* R>" and - Q="\_. * I x \* (\* x\xs - {x}. I x) \* R>"], assumption) + apply (rule hoare_chain[where P'="

* I x \* (\* x\xs - {x}. I x) \* R>" and + Q'="\_. * I x \* (\* x\xs - {x}. I x) \* R>"], assumption) apply (subst (asm) sep.prod.remove, assumption+) apply sep_solve apply (subst sep.prod.remove, assumption+) diff --git a/proof/access-control/ARM/ArchArch_AC.thy b/proof/access-control/ARM/ArchArch_AC.thy index f2f23fa780..93c3edfaa9 100644 --- a/proof/access-control/ARM/ArchArch_AC.thy +++ b/proof/access-control/ARM/ArchArch_AC.thy @@ -427,7 +427,7 @@ lemma unmap_page_respects: mapM_set''[where f="(\a. store_pde a InvalidPDE)" and I="\x s. is_subject aag (x && ~~ mask pd_bits)" and Q="integrity aag X st"] - | wp (once) hoare_drop_imps[where R="\rv s. rv"])+ + | wp (once) hoare_drop_imps[where Q'="\rv s. rv"])+ done (* FIXME: CLAG *) @@ -609,7 +609,7 @@ lemma perform_asid_control_invocation_pas_refined [wp]: apply (rename_tac frame slot parent base cap) apply (case_tac slot, rename_tac slot_ptr slot_idx) apply (case_tac parent, rename_tac parent_ptr parent_idx) - apply (rule_tac Q="\rv s. + apply (rule_tac Q'="\rv s. (\idx. cte_wp_at ((=) (UntypedCap False frame pageBits idx)) parent s) \ (\x\ptr_range frame pageBits. is_subject aag x) \ pas_refined aag s \ @@ -963,7 +963,7 @@ lemma delete_asid_pool_pas_refined [wp]: "delete_asid_pool param_a param_b \pas_refined aag\" unfolding delete_asid_pool_def apply (wp | wpc | simp)+ - apply (rule_tac Q = "\_ s. pas_refined aag s \ + apply (rule_tac Q'="\_ s. pas_refined aag s \ asid_table = arm_asid_table (arch_state s)" in hoare_post_imp) apply clarsimp apply (erule pas_refined_clear_asid) diff --git a/proof/access-control/ARM/ArchDomainSepInv.thy b/proof/access-control/ARM/ArchDomainSepInv.thy index a624d1642e..a71f853432 100644 --- a/proof/access-control/ARM/ArchDomainSepInv.thy +++ b/proof/access-control/ARM/ArchDomainSepInv.thy 
@@ -114,7 +114,7 @@ lemma arch_invoke_irq_control_domain_sep_inv[DomainSepInv_assms]: \\_. domain_sep_inv irqs st\" apply (cases ivk) apply (wpsimp wp: cap_insert_domain_sep_inv' simp: set_irq_state_def) - apply (rule_tac Q="\_. domain_sep_inv irqs st and arch_irq_control_inv_valid ivk" + apply (rule_tac Q'="\_. domain_sep_inv irqs st and arch_irq_control_inv_valid ivk" in hoare_strengthen_post[rotated]) apply (fastforce simp: domain_sep_inv_def domain_sep_inv_cap_def arch_irq_control_inv_valid_def) apply (wpsimp wp: do_machine_op_domain_sep_inv simp: arch_irq_control_inv_valid_def)+ diff --git a/proof/access-control/ARM/ArchRetype_AC.thy b/proof/access-control/ARM/ArchRetype_AC.thy index 61d3058826..63deb8b9a8 100644 --- a/proof/access-control/ARM/ArchRetype_AC.thy +++ b/proof/access-control/ARM/ArchRetype_AC.thy @@ -169,7 +169,7 @@ lemma copy_global_mappings_pas_refined: apply wp (* Use \ to avoid wp filtering out the global_pd condition here TODO: see if we can clean this up *) - apply (rule_tac Q="\rv s. is_aligned global_pd pd_bits \ + apply (rule_tac Q'="\rv s. is_aligned global_pd pd_bits \ (global_pd = (arm_global_pd \ arch_state) s \ valid_kernel_mappings s \ valid_arch_state s \ valid_global_objs s \ valid_global_refs s \ pas_refined aag s)" @@ -219,7 +219,7 @@ lemma init_arch_objects_pas_refined[Retype_AC_assms]: apply (case_tac aobject_type, simp_all) apply ((simp | wp)+)[5] apply wp - apply (rule_tac Q="\rv. pas_refined aag and + apply (rule_tac Q'="\rv. pas_refined aag and all_invs_but_equal_kernel_mappings_restricted (set refs) and (\s. \x \ set refs. x \ global_refs s)" in hoare_strengthen_post) apply (wp mapM_x_wp[OF _ subset_refl]) diff --git a/proof/access-control/ARM/ArchTcb_AC.thy b/proof/access-control/ARM/ArchTcb_AC.thy index 47b8afb247..ac6be4cc0a 100644 --- a/proof/access-control/ARM/ArchTcb_AC.thy +++ b/proof/access-control/ARM/ArchTcb_AC.thy 
@@ -41,7 +41,7 @@ lemma invoke_tcb_tc_respects_aag[Tcb_AC_assms]: strengthen imp_consequent[where Q="x = None" for x], simp cong: conj_cong) | strengthen invs_psp_aligned invs_vspace_objs invs_arch_state | rule wp_split_const_if wp_split_const_if_R hoare_vcg_all_liftE_R - hoare_vcg_E_elim hoare_vcg_const_imp_lift_R hoare_vcg_R_conj + hoare_vcg_conj_elimE hoare_vcg_const_imp_liftE_R hoare_vcg_conj_liftE_R | wp restart_integrity_autarch set_mcpriority_integrity_autarch as_user_integrity_autarch thread_set_integrity_autarch option_update_thread_integrity_autarch @@ -54,7 +54,7 @@ lemma invoke_tcb_tc_respects_aag[Tcb_AC_assms]: out_invs_trivial case_option_wpE cap_delete_deletes cap_delete_valid_cap cap_insert_valid_cap out_cte_at cap_insert_cte_at cap_delete_cte_at out_valid_cap out_tcb_valid - hoare_vcg_const_imp_lift_R hoare_vcg_all_liftE_R + hoare_vcg_const_imp_liftE_R hoare_vcg_all_liftE_R thread_set_tcb_ipc_buffer_cap_cleared_invs thread_set_invs_trivial[OF ball_tcb_cap_casesI] hoare_vcg_all_lift thread_set_valid_cap out_emptyable diff --git a/proof/access-control/Access_AC.thy b/proof/access-control/Access_AC.thy index 81a175c0ce..1205f16c3e 100644 --- a/proof/access-control/Access_AC.thy +++ b/proof/access-control/Access_AC.thy @@ -1301,7 +1301,7 @@ lemma hoare_gen_asm2: lemma hoare_vcg_all_liftE: "(\x. \P x\ f \Q x\, \Q' x\) \ \\s. \x. P x s\ f \\rv s. \x. Q x rv s\, \\rv s. \x. Q' x rv s\" unfolding validE_def - apply (rule hoare_post_imp [where Q = "\v s. \x. case v of Inl e \ Q' x e s | Inr r \ Q x r s"]) + apply (rule hoare_post_imp[where Q'="\v s. \x. case v of Inl e \ Q' x e s | Inr r \ Q x r s"]) apply (clarsimp split: sum.splits) apply (erule hoare_vcg_all_lift) done diff --git a/proof/access-control/CNode_AC.thy b/proof/access-control/CNode_AC.thy index 19455001cd..383935f0bf 100644 --- a/proof/access-control/CNode_AC.thy +++ b/proof/access-control/CNode_AC.thy 
@@ -246,7 +246,7 @@ lemma decode_cnode_inv_authorised: apply (simp add: authorised_cnode_inv_def decode_cnode_invocation_def split_def whenE_def unlessE_def set_eq_iff cong: if_cong Invocations_A.cnode_invocation.case_cong split del: if_split) - apply (wpsimp wp: hoare_vcg_all_lift hoare_vcg_const_imp_lift_R hoare_vcg_all_liftE_R lsfco_cte_at + apply (wpsimp wp: hoare_vcg_all_lift hoare_vcg_const_imp_liftE_R hoare_vcg_all_liftE_R lsfco_cte_at | wp (once) get_cap_cur_auth)+ apply (subgoal_tac "\n. n < length excaps \ (is_cnode_cap (excaps ! n) @@ -866,7 +866,7 @@ lemma empty_slot_integrity_transferable[wp_transferable]: apply (simp add: set_cdt_def) apply (wp set_original_wp) apply (rename_tac cdtv x) - apply (rule_tac Q = "\_ s'. integrity aag X s s'\ cdtv = cdt s \ + apply (rule_tac Q'="\_ s'. integrity aag X s s'\ cdtv = cdt s \ is_original_cap s = is_original_cap s'" in hoare_post_imp) apply (clarsimp simp add: integrity_def) diff --git a/proof/access-control/DomainSepInv.thy b/proof/access-control/DomainSepInv.thy index 93a6d85ff3..6f33d347fd 100644 --- a/proof/access-control/DomainSepInv.thy +++ b/proof/access-control/DomainSepInv.thy @@ -878,7 +878,7 @@ lemma send_ipc_domain_sep_inv: \\_ s. domain_sep_inv irqs (st :: 'state_ext state) (s :: det_ext state)\" unfolding send_ipc_def apply (wp setup_caller_cap_domain_sep_inv hoare_vcg_if_lift | wpc | simp split del:if_split)+ - apply (rule_tac Q="\ r s. domain_sep_inv irqs st s" in hoare_strengthen_post) + apply (rule_tac Q'="\ r s. domain_sep_inv irqs st s" in hoare_strengthen_post) apply (wp do_ipc_transfer_domain_sep_inv dxo_wp_weak | wpc | simp)+ apply (wp (once) hoare_drop_imps) apply (wp get_simple_ko_wp)+ 
@@ -895,7 +895,7 @@ lemma receive_ipc_base_domain_sep_inv: \\_ s. domain_sep_inv irqs (st :: 'state_ext state) (s :: det_ext state)\" apply (clarsimp cong: endpoint.case_cong thread_get_def get_thread_state_def) apply (wp setup_caller_cap_domain_sep_inv dxo_wp_weak | wpc | simp split del: if_split)+ - apply (rule_tac Q="\ r s. domain_sep_inv irqs st s" in hoare_strengthen_post) + apply (rule_tac Q'="\ r s. domain_sep_inv irqs st s" in hoare_strengthen_post) apply (wp do_ipc_transfer_domain_sep_inv hoare_vcg_all_lift | wpc | simp)+ apply (wpsimp wp: hoare_vcg_imp_lift[OF set_simple_ko_get_tcb, unfolded disj_not1] hoare_vcg_all_lift get_simple_ko_wp @@ -1052,7 +1052,7 @@ lemma invoke_tcb_domain_sep_inv: apply ((wp | simp)+)[1] apply (simp add: split_def cong: option.case_cong) apply (wp checked_cap_insert_domain_sep_inv hoare_vcg_all_liftE_R hoare_vcg_all_lift - hoare_vcg_const_imp_lift_R cap_delete_domain_sep_inv cap_delete_deletes + hoare_vcg_const_imp_liftE_R cap_delete_domain_sep_inv cap_delete_deletes dxo_wp_weak cap_delete_valid_cap cap_delete_cte_at hoare_weak_lift_imp | wpc | strengthen | simp add: option_update_thread_def emptyable_def tcb_cap_cases_def 
@@ -1089,13 +1089,15 @@ lemma handle_invocation_domain_sep_inv: split_def liftE_liftM_liftME liftME_def bindE_assoc) apply (wp syscall_valid perform_invocation_domain_sep_inv set_thread_state_runnable_valid_sched | simp split del: if_split)+ - apply (rule_tac E="\ft. domain_sep_inv irqs st and valid_objs and sym_refs \ state_refs_of - and valid_mdb and (\y. valid_fault ft)" - and R="Q" and Q=Q for Q in hoare_strengthen_postE) + apply (rule_tac E'="\ft. domain_sep_inv irqs st and valid_objs and sym_refs \ state_refs_of + and valid_mdb and (\y. valid_fault ft)" + and Q="Q" and Q'=Q for Q + in hoare_strengthen_postE) apply (wp | simp | clarsimp)+ - apply (rule_tac E="\ft. domain_sep_inv irqs st and valid_objs and sym_refs \ state_refs_of and - valid_mdb and (\y. valid_fault (CapFault x False ft))" - and R="Q" and Q=Q for Q in hoare_strengthen_postE) + apply (rule_tac E'="\ft. domain_sep_inv irqs st and valid_objs and sym_refs \ state_refs_of and + valid_mdb and (\y. valid_fault (CapFault x False ft))" + and Q="Q" and Q'=Q for Q + in hoare_strengthen_postE) apply (wp lcs_ex_cap_to2 | clarsimp)+ apply (auto intro: st_tcb_ex_cap simp: ct_in_state_def) done @@ -1158,7 +1160,7 @@ lemma handle_recv_domain_sep_inv: apply (wp hoare_vcg_all_lift lookup_slot_for_thread_cap_fault receive_ipc_domain_sep_inv delete_caller_cap_domain_sep_inv get_cap_wp get_simple_ko_wp | wpc | simp - | (rule_tac Q="\rv. invs and (\s. cur_thread s = thread)" in hoare_strengthen_post, wp, + | (rule_tac Q'="\rv. invs and (\s. cur_thread s = thread)" in hoare_strengthen_post, wp, clarsimp simp: invs_valid_objs invs_sym_refs))+ apply (rule_tac Q'="\r s. domain_sep_inv irqs st s \ invs s \ tcb_at thread s \ thread = cur_thread s" in hoare_strengthen_postE_R) 
@@ -1184,8 +1186,10 @@ lemma handle_event_domain_sep_inv: apply (wpsimp wp: handle_send_domain_sep_inv handle_call_domain_sep_inv handle_recv_domain_sep_inv handle_reply_domain_sep_inv hy_inv | simp add: invs_valid_objs invs_mdb invs_sym_refs valid_fault_def)+ - apply (rule_tac E="\rv s. domain_sep_inv irqs (st :: 'state_ext state) (s :: det_ext state) \ - invs s \ valid_fault rv" and R="Q" and Q=Q for Q in hoare_strengthen_postE) + apply (rule_tac E'="\rv s. domain_sep_inv irqs (st :: 'state_ext state) (s :: det_ext state) \ + invs s \ valid_fault rv" + and Q="Q" and Q'=Q for Q + in hoare_strengthen_postE) apply (wp | simp add: invs_valid_objs invs_mdb invs_sym_refs valid_fault_def | auto)+ done diff --git a/proof/access-control/Finalise_AC.thy b/proof/access-control/Finalise_AC.thy index 518d55ceef..465471bb1f 100644 --- a/proof/access-control/Finalise_AC.thy +++ b/proof/access-control/Finalise_AC.thy @@ -283,7 +283,7 @@ lemma cancel_all_ipc_pas_refined[wp]: cancel_all_ipc epptr \\_. pas_refined aag\" apply (clarsimp simp: cancel_all_ipc_def get_ep_queue_def cong: endpoint.case_cong) - apply (rule_tac Q="\_. pas_refined aag and pspace_aligned + apply (rule_tac Q'="\_. pas_refined aag and pspace_aligned and valid_vspace_objs and valid_arch_state" in hoare_strengthen_post) @@ -296,7 +296,7 @@ lemma cancel_all_signals_pas_refined[wp]: cancel_all_signals ntfnptr \\_. pas_refined aag\" apply (clarsimp simp: cancel_all_signals_def cong: ntfn.case_cong) - apply (rule_tac Q="\_. pas_refined aag and pspace_aligned + apply (rule_tac Q'="\_. pas_refined aag and pspace_aligned and valid_vspace_objs and valid_arch_state" in hoare_strengthen_post) 
@@ -352,7 +352,7 @@ lemma reply_cancel_ipc_pas_refined[wp]: apply (rule hoare_gen_asm) apply (simp add: reply_cancel_ipc_def) apply (wp add: wp_transferable del: wp_not_transferable) - apply (rule hoare_strengthen_post[where Q="\_. invs and tcb_at t and pas_refined aag"]) + apply (rule hoare_strengthen_post[where Q'="\_. invs and tcb_at t and pas_refined aag"]) apply (wpsimp wp: hoare_wp_combs thread_set_tcb_fault_reset_invs thread_set_pas_refined)+ apply (frule(1) reply_cap_descends_from_master0) apply (fastforce simp: cte_wp_at_caps_of_state intro:it_Reply) @@ -1167,7 +1167,7 @@ next simp_thms disj_not1], simp_all)[1] apply (simp add: cte_wp_at_caps_of_state) apply wp+ - apply (rule_tac Q = "\rv' s. (slot \ p \ exposed \ cte_wp_at P p s) \ P (fst rv') + apply (rule_tac Q'="\rv' s. (slot \ p \ exposed \ cte_wp_at P p s) \ P (fst rv') \ cte_at slot s" in hoare_post_imp) apply (clarsimp simp: cte_wp_at_caps_of_state) apply (wp hoare_weak_lift_imp set_cap_cte_wp_at' finalise_cap_cte_wp_at_nullinv diff --git a/proof/access-control/Interrupt_AC.thy b/proof/access-control/Interrupt_AC.thy index 7fc6003aab..42dee66806 100644 --- a/proof/access-control/Interrupt_AC.thy +++ b/proof/access-control/Interrupt_AC.thy @@ -84,7 +84,7 @@ lemma invoke_irq_handler_pas_refined: apply (wp cap_insert_pas_refined_not_transferable delete_one_caps_of_state | strengthen invs_mdb | simp add: cte_wp_at_caps_of_state)+ apply (rename_tac irq cap slot) - apply (rule_tac Q = + apply (rule_tac Q'= "\ irq_slot. K(irq_slot \ slot) and invs and emptyable irq_slot and cte_wp_at can_fast_finalise irq_slot and not cte_wp_at is_transferable_cap slot diff --git a/proof/access-control/Ipc_AC.thy b/proof/access-control/Ipc_AC.thy index f77d6de78f..aec0b47790 100644 --- a/proof/access-control/Ipc_AC.thy +++ b/proof/access-control/Ipc_AC.thy 
@@ -540,7 +540,7 @@ next and solve this using derived_cap_is_derived, and then solve the rest using derive_cap_is_derived_foo *) apply (rule_tac Q'="\r s. S r s \ Q r s" for S Q in hoare_strengthen_postE_R) - apply (rule hoare_vcg_conj_lift_R) + apply (rule hoare_vcg_conj_liftE_R) apply (rule derive_cap_is_derived) prefer 2 apply clarsimp @@ -765,7 +765,7 @@ lemma transfer_caps_loop_presM_extended: | assumption | simp split del: if_split)+ apply (rule cap_insert_assume_null) apply (wp x hoare_vcg_const_Ball_lift cap_insert_cte_wp_at hoare_weak_lift_imp)+ - apply (rule hoare_vcg_conj_liftE_R) + apply (rule hoare_vcg_conj_liftE_R') apply (rule derive_cap_is_derived_foo') apply (rule_tac Q' ="\cap' s. (vo \ cap'\ NullCap \ cte_wp_at (is_derived (cdt s) (aa, b) cap') (aa, b) s) \ @@ -773,8 +773,8 @@ lemma transfer_caps_loop_presM_extended: prefer 2 apply clarsimp apply assumption - apply (rule hoare_vcg_conj_liftE_R) - apply (rule hoare_vcg_const_imp_lift_R) + apply (rule hoare_vcg_conj_liftE_R') + apply (rule hoare_vcg_const_imp_liftE_R) apply (rule derive_cap_is_derived) apply (wp derive_cap_is_derived_foo')+ apply (clarsimp simp: cte_wp_at_caps_of_state @@ -850,7 +850,7 @@ lemma copy_mrs_pas_refined: copy_mrs sender sbuf receiver rbuf n \\_. pas_refined aag\" unfolding copy_mrs_def - apply (rule_tac Q="\_. pas_refined aag and pspace_aligned + apply (rule_tac Q'="\_. pas_refined aag and pspace_aligned and valid_vspace_objs and valid_arch_state" in hoare_strengthen_post[rotated], clarsimp) @@ -1059,7 +1059,7 @@ lemma send_ipc_pas_refined: apply (simp add: hoare_if_r_and split del:if_split) apply (wp setup_caller_cap_pas_refined set_thread_state_pas_refined)+ apply (simp split del:if_split) - apply (rule_tac Q="\rv. pas_refined aag and pspace_aligned and valid_vspace_objs and + apply (rule_tac Q'="\rv. pas_refined aag and pspace_aligned and valid_vspace_objs and valid_arch_state and valid_mdb and K (can_grant \ can_grant_reply \ (reply_can_grant \ is_subject aag x21) \ 
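Review bot: The name `hoare_vcg_conj_liftE_R` appears to change meaning within this file: in the @@ -540 and @@ -2080 hunks it replaces `hoare_vcg_conj_lift_R`, while in the @@ -765 and @@ -773 hunks the lemma that was previously referred to as `hoare_vcg_conj_liftE_R` becomes `hoare_vcg_conj_liftE_R'`. Reusing an existing lemma name for a different lemma means any theory not touched by this commit (a downstream or out-of-tree proof, for instance) that still cites `hoare_vcg_conj_liftE_R` will silently resolve to the other lemma; because Isabelle rechecks every proof this can only surface as a proof failure rather than an unsound result, but the failure will be hard to diagnose without knowing about the swap. The lemma definitions are not in this diff, so I cannot tell how the two variants differ; it would help to record the old-name/new-name mapping, including this swap, in the commit description and to add a one-line comment next to the primed/unprimed definitions saying how they differ.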
@@ -1203,7 +1203,7 @@ lemma receive_ipc_base_pas_refined: apply (wp set_thread_state_pas_refined get_simple_ko_wp setup_caller_cap_pas_refined | wpc | simp add: thread_get_def do_nbrecv_failed_transfer_def split del: if_split)+ apply (rename_tac list sss data) - apply (rule_tac Q="\rv s. pas_refined aag s \ pspace_aligned s \ valid_vspace_objs s \ + apply (rule_tac Q'="\rv s. pas_refined aag s \ pspace_aligned s \ valid_vspace_objs s \ valid_arch_state s \ valid_mdb s \ (sender_can_grant data \ is_subject aag (hd list)) \ (sender_can_grant_reply data \ @@ -1529,7 +1529,7 @@ lemma receive_ipc_base_integrity: sts_receive_Inactive_respects[where ep = epptr] as_user_integrity_autarch) apply (rename_tac list tcb data) - apply (rule_tac Q="\rv s. integrity aag X st s + apply (rule_tac Q'="\rv s. integrity aag X st s \ valid_mdb s \ is_subject aag receiver \ (sender_can_call data \ AllowGrant \ rights @@ -2080,7 +2080,7 @@ valid_objs and valid_mdb and st_tcb_at can_receive_ipc receiver and apply (wpsimp wp: as_user_respects_in_ipc set_message_info_respects_in_ipc copy_mrs_pas_refined copy_mrs_respects_in_ipc transfer_caps_respects_in_ipc get_mi_length lookup_extra_caps_authorised lookup_extra_caps_length hoare_vcg_const_Ball_lift - hoare_vcg_conj_lift_R hoare_vcg_const_imp_lift lec_valid_cap' + hoare_vcg_conj_liftE_R hoare_vcg_const_imp_lift lec_valid_cap' | rule hoare_drop_imps)+ apply (auto simp: null_def intro: st_tcb_at_tcb_at) done @@ -2353,7 +2353,7 @@ lemma send_ipc_integrity_autarch: apply (rule hoare_pre) apply (wp setup_caller_cap_integrity_autarch set_thread_state_integrity_autarch thread_get_wp' | wpc)+ - apply (rule_tac Q="\rv s. integrity aag X st s \ (can_grant \ is_subject aag (hd list))" + apply (rule_tac Q'="\rv s. integrity aag X st s \ (can_grant \ is_subject aag (hd list))" in hoare_strengthen_post[rotated]) apply simp+ apply (wp set_thread_state_integrity_autarch thread_get_wp' 
@@ -2368,7 +2368,7 @@ lemma send_ipc_integrity_autarch: apply (rule hoare_pre) apply (wpc, wp) apply (rename_tac list s receiver queue) - apply (rule_tac Q="\_ s'. integrity aag X st s \ + apply (rule_tac Q'="\_ s'. integrity aag X st s \ integrity_tcb_in_ipc aag X receiver epptr TRFinal s s'" in hoare_post_imp) apply (fastforce dest!: integrity_tcb_in_ipc_final elim!: integrity_trans) apply (wp setup_caller_cap_respects_in_ipc_reply @@ -2437,11 +2437,11 @@ lemma handle_fault_pas_refined: handle_fault thread fault \\_. pas_refined aag\" apply (wpsimp wp: set_thread_state_pas_refined simp: handle_fault_def handle_double_fault_def) - apply (rule hoare_vcg_E_elim) + apply (rule hoare_vcg_conj_elimE) apply (clarsimp simp: send_fault_ipc_def Let_def) apply wp apply wpsimp - apply (rule hoare_strengthen_postE[where E=E and F=E for E]) + apply (rule hoare_strengthen_postE[where E'=E and E=E for E]) apply (rule valid_validE) apply (wpsimp wp: send_fault_ipc_pas_refined)+ apply fastforce @@ -2478,7 +2478,7 @@ lemma send_fault_ipc_integrity_autarch: | wpc | simp add: is_obj_defs)+ (* 14 subgoals *) apply (rename_tac word1 word2 set) - apply (rule_tac R="\rv s. ep_at word1 s" in hoare_post_add) + apply (rule_tac Q'="\rv s. ep_at word1 s" in hoare_post_add) apply (simp only: obj_at_conj_distrib[symmetric] flip: conj_assoc) apply (wp thread_set_obj_at_impossible thread_set_tcb_fault_set_invs get_cap_auth_wp[where aag=aag] @@ -2812,7 +2812,7 @@ lemma do_reply_transfer_respects: \ \receiver is not a subject\ apply (rule use_spec') \ \Name initial state\ apply (simp add: spec_valid_def) \ \no imp rule?\ - apply (rule_tac Q="\_ s'. integrity aag X st s \ + apply (rule_tac Q'="\_ s'. integrity aag X st s \ integrity_tcb_in_ipc aag X receiver _ TRFinal s s'" in hoare_post_imp) apply (fastforce dest!: integrity_tcb_in_ipc_final elim!: integrity_trans) apply ((wp possible_switch_to_respects_in_ipc_autarch 
@@ -2835,7 +2835,7 @@ lemma do_reply_transfer_respects: apply (rule use_spec') \ \Name initial state\ apply (simp add: spec_valid_def) \ \no imp rule?\ apply wp - apply (rule_tac Q="\_ s'. integrity aag X st s \ + apply (rule_tac Q'="\_ s'. integrity aag X st s \ integrity_tcb_in_fault_reply aag X receiver TRFFinal s s'" in hoare_post_imp) apply (fastforce dest!: integrity_tcb_in_fault_reply_final elim!: integrity_trans) diff --git a/proof/access-control/RISCV64/ArchArch_AC.thy b/proof/access-control/RISCV64/ArchArch_AC.thy index e93408f877..4519236a7b 100644 --- a/proof/access-control/RISCV64/ArchArch_AC.thy +++ b/proof/access-control/RISCV64/ArchArch_AC.thy @@ -918,7 +918,7 @@ lemma unmap_page_table_respects: apply (simp add: unmap_page_table_def sfence_def) apply (wpsimp wp: pt_lookup_from_level_is_subject dmo_mol_respects hoare_vcg_conj_liftE_weaker store_pte_respects pt_lookup_from_level_wrp[where Q="\_. integrity aag X st"] - | wp (once) hoare_drop_imps hoare_vcg_E_elim)+ + | wp (once) hoare_drop_imps hoare_vcg_conj_elimE)+ apply (intro conjI; clarsimp) apply fastforce apply (rule aag_Control_into_owns[rotated], assumption) @@ -1070,7 +1070,7 @@ lemma perform_pg_inv_map_pas_refined: apply (rule hoare_vcg_conj_lift, wpsimp) apply wps apply (rule state_vrefs_store_NonPageTablePTE_wp) - apply (rule_tac Q="\_. invs and pas_refined aag and K (\ is_PageTablePTE pte) + apply (rule_tac Q'="\_. invs and pas_refined aag and K (\ is_PageTablePTE pte) and authorised_page_inv aag (PageMap cap ct_slot (pte,slot)) and same_ref (pte,slot) (ArchObjectCap cap)" in hoare_strengthen_post[rotated]) 
@@ -1152,7 +1152,7 @@ lemma unmap_page_respects: mapM_set''[where f="(\a. store_pte a InvalidPTE)" and I="\x s. is_subject aag (x && ~~ mask pt_bits)" and Q="integrity aag X st"] - | wp (once) hoare_drop_imps[where R="\rv s. rv"])+ + | wp (once) hoare_drop_imps[where Q'="\rv s. rv"])+ apply (clarsimp simp: pt_lookup_slot_def) apply (frule pt_lookup_slot_from_level_is_subject) apply (fastforce simp: valid_arch_state_asid_table @@ -1336,7 +1336,7 @@ lemma perform_asid_control_invocation_pas_refined: apply (rename_tac frame slot parent base ) apply (case_tac slot, rename_tac slot_ptr slot_idx) apply (case_tac parent, rename_tac parent_ptr parent_idx) - apply (rule_tac Q="\rv s. + apply (rule_tac Q'="\rv s. (\idx. cte_wp_at ((=) (UntypedCap False frame pageBits idx)) parent s) \ (\x\ptr_range frame pageBits. is_subject aag x) \ pas_refined aag s \ pas_cur_domain aag s \ @@ -1467,7 +1467,7 @@ lemma copy_global_mappings_state_vrefs: unfolding copy_global_mappings_def apply clarsimp apply wp - apply (rule_tac Q="\_ s. P (state_vrefs s) \ pspace_aligned s \ valid_vspace_objs s \ + apply (rule_tac Q'="\_ s. P (state_vrefs s) \ pspace_aligned s \ valid_vspace_objs s \ valid_asid_table s \ unique_table_refs s \ valid_vs_lookup s \ valid_objs s \ is_aligned pt_ptr pt_bits \ is_aligned global_pt pt_bits \ (\level. \ \\ (level, table_base (pt_ptr)) s) \ @@ -1672,7 +1672,7 @@ lemma copy_global_mappings_vs_lookup_table_noteq: unfolding copy_global_mappings_def apply clarsimp apply wp - apply (rule_tac Q="\_. pspace_aligned and valid_vspace_objs and valid_asid_table and + apply (rule_tac Q'="\_. pspace_aligned and valid_vspace_objs and valid_asid_table and unique_table_refs and valid_vs_lookup and valid_objs and (\s. vs_lookup_table level asid vref s \ Some (level, pt_ptr) \ vref \ user_region \ is_aligned pt_ptr pt_bits \ diff --git a/proof/access-control/RISCV64/ArchDomainSepInv.thy b/proof/access-control/RISCV64/ArchDomainSepInv.thy index 642025ca8c..6d295b84e4 100644 
--- a/proof/access-control/RISCV64/ArchDomainSepInv.thy +++ b/proof/access-control/RISCV64/ArchDomainSepInv.thy @@ -106,7 +106,7 @@ lemma arch_invoke_irq_control_domain_sep_inv[DomainSepInv_assms]: \\_. domain_sep_inv irqs st\" apply (cases ivk) apply (wpsimp wp: cap_insert_domain_sep_inv' simp: set_irq_state_def) - apply (rule_tac Q="\_. domain_sep_inv irqs st and arch_irq_control_inv_valid ivk" + apply (rule_tac Q'="\_. domain_sep_inv irqs st and arch_irq_control_inv_valid ivk" in hoare_strengthen_post[rotated]) apply (fastforce simp: domain_sep_inv_def domain_sep_inv_cap_def arch_irq_control_inv_valid_def) apply (wpsimp wp: do_machine_op_domain_sep_inv simp: arch_irq_control_inv_valid_def)+ diff --git a/proof/access-control/RISCV64/ArchFinalise_AC.thy b/proof/access-control/RISCV64/ArchFinalise_AC.thy index 0485264899..c523ccf513 100644 --- a/proof/access-control/RISCV64/ArchFinalise_AC.thy +++ b/proof/access-control/RISCV64/ArchFinalise_AC.thy @@ -70,7 +70,7 @@ lemma delete_asid_pas_refined[wp]: unfolding delete_asid_def apply (rule bind_wp) apply (wpsimp simp: set_asid_pool_def wp: set_object_wp hoare_vcg_imp_lift' hoare_vcg_all_lift) - apply (rule_tac Q="\_ s. riscv_asid_table (arch_state s) = asid_table \ + apply (rule_tac Q'="\_ s. riscv_asid_table (arch_state s) = asid_table \ ako_at (ASIDPool pool) x2 s \ pas_refined aag s" in hoare_strengthen_post[rotated]) defer diff --git a/proof/access-control/RISCV64/ArchTcb_AC.thy b/proof/access-control/RISCV64/ArchTcb_AC.thy index 2ffd9ef907..800f889a7e 100644 --- a/proof/access-control/RISCV64/ArchTcb_AC.thy +++ b/proof/access-control/RISCV64/ArchTcb_AC.thy 
@@ -41,7 +41,7 @@ lemma invoke_tcb_tc_respects_aag[Tcb_AC_assms]: strengthen imp_consequent[where Q="x = None" for x], simp cong: conj_cong) | strengthen invs_psp_aligned invs_vspace_objs invs_arch_state | rule wp_split_const_if wp_split_const_if_R hoare_vcg_all_liftE_R - hoare_vcg_E_elim hoare_vcg_const_imp_lift_R hoare_vcg_R_conj + hoare_vcg_conj_elimE hoare_vcg_const_imp_liftE_R hoare_vcg_conj_liftE_R | wp restart_integrity_autarch set_mcpriority_integrity_autarch as_user_integrity_autarch thread_set_integrity_autarch option_update_thread_integrity_autarch @@ -54,7 +54,7 @@ lemma invoke_tcb_tc_respects_aag[Tcb_AC_assms]: out_invs_trivial case_option_wpE cap_delete_deletes cap_delete_valid_cap cap_insert_valid_cap out_cte_at cap_insert_cte_at cap_delete_cte_at out_valid_cap out_tcb_valid - hoare_vcg_const_imp_lift_R hoare_vcg_all_liftE_R + hoare_vcg_const_imp_liftE_R hoare_vcg_all_liftE_R thread_set_tcb_ipc_buffer_cap_cleared_invs thread_set_invs_trivial[OF ball_tcb_cap_casesI] hoare_vcg_all_lift thread_set_valid_cap out_emptyable diff --git a/proof/access-control/Retype_AC.thy b/proof/access-control/Retype_AC.thy index 86d29cd81e..dbda41be06 100644 --- a/proof/access-control/Retype_AC.thy +++ b/proof/access-control/Retype_AC.thy @@ -1028,7 +1028,7 @@ lemma reset_untyped_cap_pas_refined[wp]: apply (wps | wp set_cap_pas_refined_not_transferable | simp add: unless_def)+ apply (rule valid_validE) apply (rule_tac P="is_untyped_cap cap \ pas_cap_cur_auth aag cap" in hoare_gen_asm) - apply (rule_tac Q="\_. cte_wp_at (\ c. \ is_transferable (Some c)) slot and pas_refined aag and + apply (rule_tac Q'="\_. cte_wp_at (\ c. \ is_transferable (Some c)) slot and pas_refined aag and pspace_aligned and valid_vspace_objs and valid_arch_state" in hoare_strengthen_post) apply (rule validE_valid, rule mapME_x_inv_wp) 
@@ -1056,7 +1056,7 @@ lemma invoke_untyped_pas_refined: \\_. pas_refined aag\" apply (rule hoare_gen_asm) apply (rule hoare_pre) - apply (rule_tac Q="\_. pas_refined aag and pspace_aligned and valid_vspace_objs + apply (rule_tac Q'="\_. pas_refined aag and pspace_aligned and valid_vspace_objs and valid_arch_state and pas_cur_domain aag" in hoare_strengthen_post) apply (rule invoke_untyped_Q) apply (rule hoare_pre, wp create_cap_pas_refined) @@ -1084,7 +1084,7 @@ lemma invoke_untyped_pas_refined: apply blast apply (rule hoare_name_pre_state, clarsimp) apply (rule hoare_pre, wp retype_region_pas_refined) - apply (rule_tac Q="\rv. post_retype_invs tp rv and pas_cur_domain aag" in hoare_strengthen_post) + apply (rule_tac Q'="\rv. post_retype_invs tp rv and pas_cur_domain aag" in hoare_strengthen_post) apply (wp retype_region_post_retype_invs_spec) apply (clarsimp simp: post_retype_invs_def invs_def valid_state_def valid_pspace_def split: if_splits) apply (clarsimp simp: authorised_untyped_inv_def) @@ -1173,7 +1173,7 @@ lemma decode_untyped_invocation_authorised: apply (wp whenE_throwError_wp hoare_vcg_all_lift mapME_x_inv_wp | simp split: untyped_invocation.splits | (auto)[1])+ - apply (rule_tac Q="\node_cap s. + apply (rule_tac Q'="\node_cap s. (is_cnode_cap node_cap \ is_subject aag (obj_ref_of node_cap)) \ is_subject aag (fst slot) \ new_type \ ArchObject ASIDPoolObj \ (\cap. cte_wp_at ((=) cap) slot s diff --git a/proof/access-control/Syscall_AC.thy b/proof/access-control/Syscall_AC.thy index ce793138f0..b505d09d9c 100644 --- a/proof/access-control/Syscall_AC.thy +++ b/proof/access-control/Syscall_AC.thy 
@@ -203,7 +203,7 @@ lemma lcs_reply_owns: \\rv _. \ep. (\m R. fst rv = ReplyCap ep m R \ AllowGrant \ R) \ is_subject aag ep\, -" apply (rule hoare_strengthen_postE_R) apply (rule hoare_pre) - apply (rule hoare_vcg_conj_lift_R [where S = "K (pas_refined aag)"]) + apply (rule hoare_vcg_conj_liftE_R[where Q'="K (pas_refined aag)"]) apply (rule lookup_cap_and_slot_cur_auth) apply (simp | wp lookup_cap_and_slot_inv)+ apply (force simp: aag_cap_auth_def cap_auth_conferred_def reply_cap_rights_to_auth_def @@ -283,7 +283,7 @@ lemma handle_invocation_pas_refined: | simp add: if_apply_def2 conj_comms split del: if_split)+, (wp lookup_extra_caps_auth lookup_extra_caps_authorised decode_invocation_authorised lookup_cap_and_slot_authorised lookup_cap_and_slot_cur_auth as_user_pas_refined - lookup_cap_and_slot_valid_fault3 hoare_vcg_const_imp_lift_R + lookup_cap_and_slot_valid_fault3 hoare_vcg_const_imp_liftE_R | simp add: comp_def runnable_eq_active split del: if_split)+, fastforce intro: guarded_to_cur_domain if_live_then_nonz_capD simp: ct_in_state_def st_tcb_at_def live_def)+ @@ -317,7 +317,7 @@ lemma handle_invocation_respects: set_thread_state_integrity_autarch lookup_cap_and_slot_cur_auth lookup_cap_and_slot_authorised hoare_vcg_const_imp_lift perform_invocation_pas_refined - set_thread_state_ct_st hoare_vcg_const_imp_lift_R + set_thread_state_ct_st hoare_vcg_const_imp_liftE_R lookup_cap_and_slot_valid_fault3 | (rule valid_validE, strengthen invs_vobjs_strgs))+ by (fastforce intro: st_tcb_ex_cap' guarded_to_cur_domain 
@@ -336,7 +336,7 @@ lemma handle_recv_pas_refined: lookup_slot_for_thread_authorised lookup_slot_for_thread_cap_fault hoare_vcg_all_liftE_R get_simple_ko_wp | wpc | simp - | (rule_tac Q="\rv s. invs s \ is_subject aag thread \ aag_has_auth_to aag Receive thread" + | (rule_tac Q'="\rv s. invs s \ is_subject aag thread \ aag_has_auth_to aag Receive thread" in hoare_strengthen_post, wp, clarsimp simp: invs_valid_objs invs_sym_refs))+ apply (rule_tac Q'="\rv s. pas_refined aag s \ invs s \ tcb_at thread s @@ -363,7 +363,7 @@ lemma handle_recv_integrity: lookup_slot_for_thread_cap_fault get_cap_auth_wp [where aag=aag] get_simple_ko_wp | wpc | simp - | rule_tac Q="\rv s. invs s \ is_subject aag thread \ aag_has_auth_to aag Receive thread" + | rule_tac Q'="\rv s. invs s \ is_subject aag thread \ aag_has_auth_to aag Receive thread" in hoare_strengthen_post, wp, clarsimp simp: invs_valid_objs invs_sym_refs)+ apply (rule_tac Q'="\rv s. pas_refined aag s \ einvs s \ is_subject aag (cur_thread s) \ tcb_at thread s \ cur_thread s = thread \ is_subject aag thread @@ -705,7 +705,7 @@ lemma handle_event_integrity: handle_reply_valid_sched hoare_vcg_conj_lift hoare_vcg_all_lift hoare_drop_imps simp: domain_sep_inv_def - | rule dmo_wp hoare_vcg_E_elim + | rule dmo_wp hoare_vcg_conj_elimE | fastforce | (rule hoare_vcg_conj_lift)?, wpsimp wp: getActiveIRQ_inv)+ 
@@ -1155,11 +1155,11 @@ lemma call_kernel_integrity': apply (wpsimp wp: activate_thread_respects schedule_integrity_pasMayEditReadyQueues handle_interrupt_integrity dmo_wp handle_interrupt_pas_refined) apply (clarsimp simp: if_fun_split) - apply (rule_tac Q="\rv ms. (rv \ None \ the rv \ non_kernel_IRQs) \ - R True (domain_sep_inv (pasMaySendIrqs aag) st' s) rv ms" - and R="\rv ms. R (the rv \ non_kernel_IRQs \ scheduler_act_sane s \ ct_not_queued s) + apply (rule_tac Q'="\rv ms. (rv \ None \ the rv \ non_kernel_IRQs) \ + Q True (domain_sep_inv (pasMaySendIrqs aag) st' s) rv ms" + and Q="\rv ms. Q (the rv \ non_kernel_IRQs \ scheduler_act_sane s \ ct_not_queued s) (pasMaySendIrqs aag \ interrupt_states s (the rv) \ IRQSignal) rv ms" - for R in hoare_strengthen_post[rotated], fastforce simp: domain_sep_inv_def) + for Q in hoare_strengthen_post[rotated], fastforce simp: domain_sep_inv_def) apply (wpsimp wp: getActiveIRQ_rv_None hoare_drop_imps getActiveIRQ_inv) apply (rule hoare_strengthen_postE, rule_tac Q="integrity aag X st and pas_refined aag and einvs and guarded_pas_domain aag diff --git a/proof/access-control/Tcb_AC.thy b/proof/access-control/Tcb_AC.thy index 6b9ebade6b..9555729fdf 100644 --- a/proof/access-control/Tcb_AC.thy +++ b/proof/access-control/Tcb_AC.thy @@ -383,7 +383,7 @@ lemma invoke_tcb_pas_refined: apply (rule hoare_gen_asm) apply (cases ti, simp_all add: authorised_tcb_inv_def) apply (wp ita_wps hoare_drop_imps - hoare_strengthen_post[where Q="\_. pas_refined aag and pspace_aligned + hoare_strengthen_post[where Q'="\_. pas_refined aag and pspace_aligned and valid_vspace_objs and valid_arch_state", OF mapM_x_wp'] 
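Review bot: In the @@ -1155 hunk of Syscall_AC.thy the `for`-bound variable is renamed from `R` to `Q`, so the bound `Q` used inside the two quoted postconditions now shares its name with the lemma parameter `Q` that the same `rule_tac` instantiates. Isabelle resolves this correctly, since the `for` binder scopes only over the quoted terms, and the old `for R` had the same collision with the old `R` parameter, but the new line is harder to read and easy to mis-edit later. A distinct bound name, e.g. `for Qf` with the two occurrences inside the terms renamed to `Qf` accordingly, keeps the meaning while making the instantiation target and the bound predicate visibly different.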
@@ -440,7 +440,7 @@ lemma decode_set_space_authorised: apply (simp cong: list.case_cong split del: if_split) apply (clarsimp simp: ball_Un split del: if_split | wp (once) derive_cap_obj_refs_auth derive_cap_untyped_range_subset derive_cap_clas - derive_cap_cli hoare_vcg_const_imp_lift_R hoare_vcg_all_liftE_R + derive_cap_cli hoare_vcg_const_imp_liftE_R hoare_vcg_all_liftE_R whenE_throwError_wp slot_long_running_inv)+ apply (clarsimp simp: not_less all_set_conv_all_nth dest!: P_0_1_spec) apply (auto simp: aag_cap_auth_def update_cap_cli diff --git a/proof/capDL-api/Arch_DP.thy b/proof/capDL-api/Arch_DP.thy index f08e6c7293..032f63e90e 100644 --- a/proof/capDL-api/Arch_DP.thy +++ b/proof/capDL-api/Arch_DP.thy @@ -224,7 +224,7 @@ lemma seL4_Page_Table_Map: in hoare_gen_asmEx) apply (elim conjE exE) apply simp - apply (rule_tac Q = "\iv s. cdl_current_thread s = Some root_tcb_id \ + apply (rule_tac Q'="\iv s. cdl_current_thread s = Some root_tcb_id \ cdl_current_domain s = minBound \ <(root_tcb_id, tcb_pending_op_slot) \c RunningCap \* (root_tcb_id, tcb_cspace_slot) \c cnode_cap @@ -238,7 +238,7 @@ lemma seL4_Page_Table_Map: in hoare_strengthen_postE[rotated -1]) apply assumption apply clarsimp - apply (rule hoare_vcg_E_elim) + apply (rule hoare_vcg_conj_elimE) apply wp apply wp apply (rule validE_validE_R) @@ -353,7 +353,7 @@ lemma seL4_Section_Map_wp: in hoare_gen_asmEx) apply (elim exE)+ apply simp - apply (rule_tac Q = "\iv s. cdl_current_thread s = Some root_tcb_id \ + apply (rule_tac Q'="\iv s. cdl_current_thread s = Some root_tcb_id \ cdl_current_domain s = minBound \ <(root_tcb_id, tcb_pending_op_slot) \c RunningCap \* (root_tcb_id, tcb_cspace_slot) \c cnode_cap @@ -367,7 +367,7 @@ lemma seL4_Section_Map_wp: [cdl_lookup_pd_slot pd_ptr vaddr])" in hoare_strengthen_postE[rotated -1]) apply assumption - apply (rule hoare_vcg_E_elim) + apply (rule hoare_vcg_conj_elimE) apply wp apply wp apply (rule validE_validE_R) 
@@ -492,7 +492,7 @@ lemma seL4_Page_Map_wp: in hoare_gen_asmEx) apply (elim exE)+ apply simp - apply (rule_tac Q = "\iv s. cdl_current_thread s = Some root_tcb_id \ + apply (rule_tac Q'="\iv s. cdl_current_thread s = Some root_tcb_id \ cdl_current_domain s = minBound \ <(root_tcb_id, tcb_pending_op_slot) \c RunningCap \* (root_tcb_id, tcb_cspace_slot) \c cnode_cap @@ -508,7 +508,7 @@ lemma seL4_Page_Map_wp: (cnode_id,frame_offset) [ (pt_ptr, unat ((vaddr >> 12) && 0xFF))] )" in hoare_strengthen_postE[rotated -1]) apply assumption - apply (rule hoare_vcg_E_elim) + apply (rule hoare_vcg_conj_elimE) apply wp apply wp apply (rule validE_validE_R) diff --git a/proof/capDL-api/CNode_DP.thy b/proof/capDL-api/CNode_DP.thy index 9f19df9f55..70da008a81 100644 --- a/proof/capDL-api/CNode_DP.thy +++ b/proof/capDL-api/CNode_DP.thy @@ -189,7 +189,7 @@ lemma seL4_CNode_Mint_sep: apply (sep_solve) apply sep_solve apply (assumption) - apply (rule_tac Q = "\r. (\s. cdl_current_thread s = Some root_tcb_id \ + apply (rule_tac Q'="\r. (\s. cdl_current_thread s = Some root_tcb_id \ cdl_current_domain s = minBound) and < (root_tcb_id, tcb_pending_op_slot) \c RestartCap \* Q > and K (\cap''. reset_cap_asid cap'' = reset_cap_asid cap' \ iv = InvokeCNode @@ -354,7 +354,7 @@ lemma seL4_CNode_Mutate_sep: apply (sep_solve) apply sep_solve apply (assumption) - apply (rule_tac Q = "\r. < (root_tcb_id, tcb_pending_op_slot) \c RestartCap \* Q > + apply (rule_tac Q'="\r. < (root_tcb_id, tcb_pending_op_slot) \c RestartCap \* Q > and (\a. cdl_current_thread a = Some root_tcb_id \ cdl_current_domain a = minBound) and K(\dcap. reset_cap_asid dcap = reset_cap_asid src_cap \ 
@@ -513,7 +513,7 @@ lemma seL4_CNode_Move_sep: apply (sep_solve) apply sep_solve apply (assumption) - apply (rule_tac Q = "\r. < (root_tcb_id, tcb_pending_op_slot) \c RestartCap \* Q> + apply (rule_tac Q'="\r. < (root_tcb_id, tcb_pending_op_slot) \c RestartCap \* Q> and (\a. cdl_current_thread a = Some root_tcb_id \ cdl_current_domain a = minBound) and K(\dcap. reset_cap_asid dcap = reset_cap_asid src_cap \ @@ -670,7 +670,7 @@ lemma seL4_CNode_Copy_sep: apply (sep_solve) apply sep_solve apply (assumption) - apply (rule_tac Q = "\r. (\s. cdl_current_thread s = Some root_tcb_id + apply (rule_tac Q'="\r. (\s. cdl_current_thread s = Some root_tcb_id \ cdl_current_domain s = minBound) and < (root_tcb_id, tcb_pending_op_slot) \c RestartCap \* Q> and K (\cap''. reset_cap_asid cap'' = reset_cap_asid src_cap \ iv = InvokeCNode diff --git a/proof/capDL-api/Invocation_DP.thy b/proof/capDL-api/Invocation_DP.thy index 484b006285..7013f148e3 100644 --- a/proof/capDL-api/Invocation_DP.thy +++ b/proof/capDL-api/Invocation_DP.thy @@ -569,7 +569,7 @@ lemma call_kernel_with_intent_no_fault_helper: apply wp apply (rule_tac P = "thread_ptr = root_tcb_id" in hoare_gen_asm) apply (simp add:call_kernel_loop_def) - apply (rule_tac Q = "\r s. cdl_current_thread s = Some root_tcb_id + apply (rule_tac Q'="\r s. cdl_current_thread s = Some root_tcb_id \ cdl_current_domain s = minBound \ Q s " in hoare_strengthen_post[rotated]) apply fastforce @@ -580,7 +580,7 @@ lemma call_kernel_with_intent_no_fault_helper: apply (rule hoare_pre_cont) apply (wp has_restart_cap_sep_wp[where cap = RunningCap])[1] apply wp - apply (rule_tac Q = "\r s. cdl_current_thread s = Some root_tcb_id + apply (rule_tac Q'="\r s. cdl_current_thread s = Some root_tcb_id \ cdl_current_domain s = minBound \ (Q s \ <(root_tcb_id, tcb_pending_op_slot) \c RunningCap \* (\s. True)> s)" in hoare_strengthen_post) 
@@ -870,8 +870,7 @@ lemma tcb_has_error_set_cap: \\ya s. P (tcb_has_error p s)\" apply (rule hoare_name_pre_state) apply clarsimp - apply (rule_tac Q = "\r s'. tcb_has_error p s' = tcb_has_error p s" in - hoare_strengthen_post) + apply (rule_tac Q'="\r s'. tcb_has_error p s' = tcb_has_error p s" in hoare_strengthen_post) apply (simp add:set_cap_def gets_the_def set_object_def split_def) @@ -1049,7 +1048,7 @@ lemma call_kernel_with_intent_allow_error_helper: apply (wp thread_has_error_wp) apply (simp add:call_kernel_loop_def) apply (rule_tac P = "thread_ptr = root_tcb_id" in hoare_gen_asm) - apply (rule_tac Q = "\r s. (cdl_current_thread s = Some root_tcb_id + apply (rule_tac Q'="\r s. (cdl_current_thread s = Some root_tcb_id \ cdl_current_domain s = minBound) \ (\tcb_has_error (the (cdl_current_thread s)) s \ Q s) \ (tcb_has_error (the (cdl_current_thread s)) s \ Perror s)" @@ -1067,7 +1066,7 @@ lemma call_kernel_with_intent_allow_error_helper: hoare_strengthen_post[OF schedule_no_choice_wp]) apply (clarsimp, assumption) apply clarsimp - apply (rule_tac Q = + apply (rule_tac Q'= "\r a. (\ tcb_has_error root_tcb_id a \ (Q a \ cdl_current_thread a = Some root_tcb_id \ cdl_current_domain a = minBound diff --git a/proof/capDL-api/Retype_DP.thy b/proof/capDL-api/Retype_DP.thy index bee27bb3c6..3286b4742c 100644 --- a/proof/capDL-api/Retype_DP.thy +++ b/proof/capDL-api/Retype_DP.thy @@ -613,9 +613,9 @@ lemma seL4_Untyped_Retype_sep: has_kids 1)" in hoare_gen_asmEx) apply clarsimp - apply (rule hoare_vcg_E_elim[where P = P and P' = P for P,simplified,rotated]) + apply (rule hoare_vcg_conj_elimE[where P = P and P' = P for P,simplified,rotated]) apply wp - apply (rule hoare_strengthen_postE_R[OF hoare_vcg_conj_lift_R]) + apply (rule hoare_strengthen_postE_R[OF hoare_vcg_conj_liftE_R]) apply (rule invoke_untyped_one_has_children) apply fastforce apply (rule_tac P = "P1 \* P2" for P1 P2 in 
@@ -714,7 +714,6 @@ lemma unify_failure_cdt_lift: including no_pre apply (wp hoare_drop_imps) apply (clarsimp simp:validE_def valid_def) - apply (case_tac a,fastforce+) done lemma validE_def2: @@ -792,7 +791,7 @@ lemma invoke_untyped_cdt_inc[wp]: apply (wp set_parent_other unless_wp unlessE_wp | wpc | simp)+ apply (simp add: reset_untyped_cap_def validE_def sum.case_eq_if) - apply (rule_tac Q = "\r s. cdl_cdt s child = Some parent" in hoare_post_imp) + apply (rule_tac Q'="\r s. cdl_cdt s child = Some parent" in hoare_post_imp) apply simp apply (wp whenE_wp mapME_x_inv_wp | simp)+ apply (clarsimp simp:detype_def) @@ -960,7 +959,7 @@ lemma invoke_untyped_preempt: apply (wp unlessE_wp) apply (simp add: reset_untyped_cap_def whenE_liftE | wp whenE_wp)+ apply (rule_tac P = "\a. cap = UntypedCap dev obj_range a" in hoare_gen_asmEx) - apply (rule hoare_strengthen_postE[where E = E and F = E for E]) + apply (rule hoare_strengthen_postE[where E'=E and E=E for E]) apply (rule mapME_x_inv_wp[where P = P and E = "\r. P" for P]) apply wp apply simp @@ -1237,9 +1236,9 @@ lemma seL4_Untyped_Retype_inc_no_preempt: has_kids 1)" in hoare_gen_asmEx) apply clarsimp - apply (rule hoare_vcg_E_elim[where P = P and P' = P for P,simplified,rotated]) + apply (rule hoare_vcg_conj_elimE[where P = P and P' = P for P,simplified,rotated]) apply wp - apply (rule hoare_strengthen_postE_R[OF hoare_vcg_conj_lift_R]) + apply (rule hoare_strengthen_postE_R[OF hoare_vcg_conj_liftE_R]) apply (rule valid_validE_R) apply (rule invoke_untyped_cdt_inc) apply (rule_tac P = "P1 \* P2" for P1 P2 in diff --git a/proof/capDL-api/TCB_DP.thy b/proof/capDL-api/TCB_DP.thy index edfcd78008..e2906b1820 100644 --- a/proof/capDL-api/TCB_DP.thy +++ b/proof/capDL-api/TCB_DP.thy 
@@ -220,8 +220,8 @@ lemma tcb_update_cspace_root_wp: apply (wpsimp wp: whenE_wp tcb_update_thread_slot_wp[sep_wand_side_wpE] get_cap_rv hoare_vcg_conj_liftE1) apply (wpsimp wp: tcb_empty_thread_slot_wpE[sep_wand_wpE] simp: sep_conj_assoc) - apply (wpsimp wp: hoare_vcg_all_liftE_R[THEN hoare_vcg_E_elim[rotated]] - hoare_vcg_const_imp_lift_R + apply (wpsimp wp: hoare_vcg_all_liftE_R[THEN hoare_vcg_conj_elimE[rotated]] + hoare_vcg_const_imp_liftE_R tcb_empty_thread_slot_wpE[sep_wand_wpE] split_del: if_split simp: if_apply_def2) apply (clarsimp) @@ -534,7 +534,7 @@ lemma invoke_tcb_ThreadControl_cur_thread: apply (rule hoare_post_imp[OF _ insert_cap_sibling_wp]) apply (sep_erule_concl refl_imp sep_any_imp)+ apply (assumption) - apply (rule_tac Q = "\r s. P (cdl_current_thread s) + apply (rule_tac Q'="\r s. P (cdl_current_thread s) \ (<(target_tcb, tcb_vspace_slot) \c - \* (target_tcb, tcb_cspace_slot) \c - \* (target_tcb, tcb_ipcbuffer_slot) \c NullCap @@ -542,7 +542,7 @@ lemma invoke_tcb_ThreadControl_cur_thread: " in hoare_post_imp) apply (clarsimp simp:sep_conj_ac) apply wp+ - apply (rule_tac Q = "\r s. P (cdl_current_thread s) + apply (rule_tac Q'="\r s. P (cdl_current_thread s) \ (<(target_tcb, tcb_vspace_slot) \c - \* (target_tcb,tcb_cspace_slot) \c - \* (target_tcb, tcb_ipcbuffer_slot) \c NullCap @@ -563,7 +563,7 @@ lemma invoke_tcb_ThreadControl_cur_thread: apply (sep_select 2) apply (drule sep_map_c_any) apply assumption - apply (rule_tac Q = "\r s. P (cdl_current_thread s) + apply (rule_tac Q'="\r s. P (cdl_current_thread s) \ (<(target_tcb, tcb_vspace_slot) \c - \* (target_tcb,tcb_cspace_slot) \c - \* (target_tcb, tcb_ipcbuffer_slot) \c NullCap 
@@ -572,7 +572,7 @@ lemma invoke_tcb_ThreadControl_cur_thread: " in hoare_post_imp) apply (clarsimp simp:sep_conj_ac) apply wp+
- apply (rule_tac Q = "\r s. P (cdl_current_thread s)
+ apply (rule_tac Q'="\r s. P (cdl_current_thread s)
 \ (<(target_tcb, tcb_vspace_slot) \c - \* (target_tcb, tcb_cspace_slot) \c - \* (target_tcb, tcb_ipcbuffer_slot) \c NullCap
@@ -582,7 +582,7 @@ lemma invoke_tcb_ThreadControl_cur_thread: apply (wp tcb_empty_thread_slot_wp_inv) apply clarsimp apply sep_solve
- apply (rule_tac Q = "\r s. P (cdl_current_thread s)
+ apply (rule_tac Q'="\r s. P (cdl_current_thread s)
 \ (<(target_tcb, tcb_vspace_slot) \c NullCap \* (target_tcb,tcb_cspace_slot) \c - \* (target_tcb, tcb_ipcbuffer_slot) \c NullCap
@@ -596,7 +596,7 @@ lemma invoke_tcb_ThreadControl_cur_thread: apply (sep_schem) apply wp apply (rule hoare_post_imp[OF _ insert_cap_sibling_wp], sep_schem)
- apply (rule_tac Q = "\r s. P (cdl_current_thread s)
+ apply (rule_tac Q'="\r s. P (cdl_current_thread s)
 \ (<(target_tcb, tcb_vspace_slot) \c NullCap \* (target_tcb,tcb_cspace_slot) \c - \* (target_tcb, tcb_ipcbuffer_slot) \c NullCap
@@ -605,7 +605,7 @@ lemma invoke_tcb_ThreadControl_cur_thread: apply (clarsimp simp:sep_conj_ac, sep_solve) apply wp+ apply (rule_tac P = "cap_type (fst x2) \ Some UntypedType" in hoare_gen_asmEx)
- apply (rule_tac Q = "\r s. P (cdl_current_thread s)
+ apply (rule_tac Q'="\r s. P (cdl_current_thread s)
 \ (<(target_tcb, tcb_vspace_slot) \c NullCap \* (target_tcb, tcb_cspace_slot) \c - \* (target_tcb, tcb_ipcbuffer_slot) \c NullCap
@@ -620,7 +620,7 @@ lemma invoke_tcb_ThreadControl_cur_thread: apply sep_solve+ apply (rule hoare_pre) apply (wp|wpc|simp)+
- apply (rule_tac Q = "\r s. P (cdl_current_thread s)
+ apply (rule_tac Q'="\r s. P (cdl_current_thread s)
 \ (<(target_tcb, tcb_vspace_slot) \c NullCap \* (target_tcb,tcb_cspace_slot) \c NullCap \* (target_tcb, tcb_ipcbuffer_slot) \c NullCap
@@ -799,7 +799,7 @@ lemma invoke_tcb_ThreadControl_cdl_current_domain: apply wp apply (rule hoare_post_imp[OF _ insert_cap_sibling_wp]) apply (sep_schem)
- apply (rule_tac Q = "\r s. P (cdl_current_domain s)
+ apply (rule_tac Q'="\r s. P (cdl_current_domain s)
 \ (<(target_tcb, tcb_vspace_slot) \c - \* (target_tcb, tcb_cspace_slot) \c - \* (target_tcb, tcb_ipcbuffer_slot) \c NullCap
@@ -807,7 +807,7 @@ lemma invoke_tcb_ThreadControl_cdl_current_domain: " in hoare_post_imp) apply (clarsimp simp: sep_conj_ac, sep_solve) apply wp+
- apply (rule_tac Q = "\r s. P (cdl_current_domain s)
+ apply (rule_tac Q'="\r s. P (cdl_current_domain s)
 \ (<(target_tcb, tcb_vspace_slot) \c - \* (target_tcb,tcb_cspace_slot) \c - \* (target_tcb, tcb_ipcbuffer_slot) \c NullCap
@@ -828,7 +828,7 @@ lemma invoke_tcb_ThreadControl_cdl_current_domain: apply (sep_select 2) apply (drule sep_map_c_any) apply assumption
- apply (rule_tac Q = "\r s. P (cdl_current_domain s)
+ apply (rule_tac Q'="\r s. P (cdl_current_domain s)
 \ (<(target_tcb, tcb_vspace_slot) \c - \* (target_tcb,tcb_cspace_slot) \c - \* (target_tcb, tcb_ipcbuffer_slot) \c NullCap
@@ -837,7 +837,7 @@ lemma invoke_tcb_ThreadControl_cdl_current_domain: " in hoare_post_imp) apply (clarsimp simp:sep_conj_ac) apply wp+
- apply (rule_tac Q = "\r s. P (cdl_current_domain s)
+ apply (rule_tac Q'="\r s. P (cdl_current_domain s)
 \ (<(target_tcb, tcb_vspace_slot) \c - \* (target_tcb, tcb_cspace_slot) \c - \* (target_tcb, tcb_ipcbuffer_slot) \c NullCap
@@ -847,7 +847,7 @@ lemma invoke_tcb_ThreadControl_cdl_current_domain: apply (wp tcb_empty_thread_slot_wp_inv) apply clarsimp apply sep_solve
- apply (rule_tac Q = "\r s. P (cdl_current_domain s)
+ apply (rule_tac Q'="\r s. P (cdl_current_domain s)
 \ (<(target_tcb, tcb_vspace_slot) \c NullCap \* (target_tcb,tcb_cspace_slot) \c - \* (target_tcb, tcb_ipcbuffer_slot) \c NullCap
@@ -866,7 +866,7 @@ lemma invoke_tcb_ThreadControl_cdl_current_domain: apply (sep_select 2) apply (drule sep_map_c_any) apply assumption
- apply (rule_tac Q = "\r s. P (cdl_current_domain s)
+ apply (rule_tac Q'="\r s. P (cdl_current_domain s)
 \ (<(target_tcb, tcb_vspace_slot) \c NullCap \* (target_tcb,tcb_cspace_slot) \c - \* (target_tcb, tcb_ipcbuffer_slot) \c NullCap
@@ -875,7 +875,7 @@ lemma invoke_tcb_ThreadControl_cdl_current_domain: apply (clarsimp simp:sep_conj_ac) apply wp+ apply (rule_tac P = "cap_type (fst x2) \ Some UntypedType" in hoare_gen_asmEx)
- apply (rule_tac Q = "\r s. P (cdl_current_domain s)
+ apply (rule_tac Q'="\r s. P (cdl_current_domain s)
 \ (<(target_tcb, tcb_vspace_slot) \c NullCap \* (target_tcb, tcb_cspace_slot) \c - \* (target_tcb, tcb_ipcbuffer_slot) \c NullCap
@@ -890,7 +890,7 @@ lemma invoke_tcb_ThreadControl_cdl_current_domain: apply sep_solve+ apply (rule hoare_pre) apply (wp|wpc|simp)+
- apply (rule_tac Q = "\r s. P (cdl_current_domain s)
+ apply (rule_tac Q'="\r s. P (cdl_current_domain s)
 \ (<(target_tcb, tcb_vspace_slot) \c NullCap \* (target_tcb,tcb_cspace_slot) \c NullCap \* (target_tcb, tcb_ipcbuffer_slot) \c NullCap
@@ -1060,7 +1060,7 @@ shows apply (sep_schem) apply sep_solve apply assumption
- apply (rule_tac Q = "\r s. cdl_current_thread s = Some root_tcb_id \
+ apply (rule_tac Q'="\r s. cdl_current_thread s = Some root_tcb_id \
 cdl_current_domain s = minBound \ (\cspace_cap' vspace_cap' buffer_frame_cap'. iv = (InvokeTcb $
@@ -1082,7 +1082,7 @@ shows root_tcb_id \f Tcb cdl_tcb \* cap_object cnode_cap \f CNode (empty_cnode root_size) \* (root_tcb_id, tcb_cspace_slot) \c cnode_cap \* (cap_object cnode_cap, cnode_cap_slot) \c cnode_cap' \* R> s"
- in hoare_strengthen_post)
+ in hoare_strengthen_post)
 apply wp apply clarsimp apply (rule hoare_strengthen_post[OF set_cap_wp])
diff --git a/proof/crefine/AARCH64/Arch_C.thy b/proof/crefine/AARCH64/Arch_C.thy
index c20fee73d1..be910a494d 100644
--- a/proof/crefine/AARCH64/Arch_C.thy
+++ b/proof/crefine/AARCH64/Arch_C.thy
@@ -588,7 +588,7 @@ shows apply clarsimp apply (wp getSlotCap_wp) apply clarsimp
- apply (rule_tac Q="\_. cte_wp_at' ((=) (UntypedCap isdev frame pageBits idx) o cteCap) parent
+ apply (rule_tac Q'="\_. cte_wp_at' ((=) (UntypedCap isdev frame pageBits idx) o cteCap) parent
 and (\s. descendants_range_in' {frame..frame + (2::machine_word) ^ pageBits - (1::machine_word)} parent (ctes_of s)) and pspace_no_overlap' frame pageBits and invs'
diff --git a/proof/crefine/AARCH64/DetWP.thy b/proof/crefine/AARCH64/DetWP.thy
index 222fe22aa5..200baa7eaf 100644
--- a/proof/crefine/AARCH64/DetWP.thy
+++ b/proof/crefine/AARCH64/DetWP.thy
@@ -120,7 +120,7 @@ lemma det_wp_asUser [wp]: apply (drule det_wp_det) apply (erule det_wp_select_f) apply wp+
- apply (rule_tac Q="\_. tcb_at' t" in hoare_post_imp)
+ apply (rule_tac Q'="\_. tcb_at' t" in hoare_post_imp)
 apply simp apply wp apply simp
diff --git a/proof/crefine/AARCH64/Fastpath_C.thy b/proof/crefine/AARCH64/Fastpath_C.thy
index beb302d285..47eac532e3 100644
--- a/proof/crefine/AARCH64/Fastpath_C.thy
+++ b/proof/crefine/AARCH64/Fastpath_C.thy
@@ -1580,7 +1580,7 @@ lemma user_getreg_wp: "\\s. tcb_at' t s \ (\rv. obj_at' (\tcb. (user_regs \ atcbContextGet \ tcbArch) tcb r = rv) t s \ Q rv s)\ asUser t (getRegister r) \Q\"
- apply (rule_tac Q="\rv s. \rv'. rv' = rv \ Q rv' s" in hoare_post_imp)
+ apply (rule_tac Q'="\rv s. \rv'. rv' = rv \ Q rv' s" in hoare_post_imp)
 apply simp apply (rule hoare_pre, wp hoare_vcg_ex_lift user_getreg_rv) apply (clarsimp simp: obj_at'_def)
@@ -2468,7 +2468,7 @@ proof - set_ep_valid_objs' asid_has_vmid_lift setObject_no_0_obj'[where 'a=endpoint, folded setEndpoint_def] | strengthen not_obj_at'_strengthen)+
- apply (rule_tac Q="\_ s. hd (epQueue send_ep) \ curThread
+ apply (rule_tac Q'="\_ s. hd (epQueue send_ep) \ curThread
 \ pred_tcb_at' itcbState ((=) (tcbState xa)) (hd (epQueue send_ep)) s" in hoare_post_imp) apply fastforce
diff --git a/proof/crefine/AARCH64/Fastpath_Equiv.thy b/proof/crefine/AARCH64/Fastpath_Equiv.thy
index 722ed730fc..e68c67d1be 100644
--- a/proof/crefine/AARCH64/Fastpath_Equiv.thy
+++ b/proof/crefine/AARCH64/Fastpath_Equiv.thy
@@ -243,7 +243,7 @@ lemma ctes_of_Some_cte_wp_at: lemma user_getreg_wp: "\\s. tcb_at' t s \ (\rv. obj_at' (\tcb. (user_regs \ atcbContextGet o tcbArch) tcb r = rv) t s \ Q rv s)\ asUser t (getRegister r) \Q\"
- apply (rule_tac Q="\rv s. \rv'. rv' = rv \ Q rv' s" in hoare_post_imp)
+ apply (rule_tac Q'="\rv s. \rv'. rv' = rv \ Q rv' s" in hoare_post_imp)
 apply simp apply (rule hoare_pre, wp hoare_vcg_ex_lift user_getreg_rv) apply (clarsimp simp: obj_at'_def)
diff --git a/proof/crefine/AARCH64/Finalise_C.thy b/proof/crefine/AARCH64/Finalise_C.thy
index ce4715ef54..ce4a38f214 100644
--- a/proof/crefine/AARCH64/Finalise_C.thy
+++ b/proof/crefine/AARCH64/Finalise_C.thy
@@ -757,7 +757,7 @@ lemma suspend_ccorres: apply ceqv apply (ctac(no_vcg) add: setThreadState_ccorres_simple) apply (ctac add: tcbSchedDequeue_ccorres)
- apply (rule_tac Q="\_. valid_objs' and tcb_at' thread and pspace_aligned' and pspace_distinct'"
+ apply (rule_tac Q'="\_. valid_objs' and tcb_at' thread and pspace_aligned' and pspace_distinct'"
 in hoare_post_imp) apply clarsimp apply (wp sts_valid_objs')[1]
@@ -2394,7 +2394,7 @@ lemma associateVCPUTCB_ccorres: apply ((wpsimp wp: hoare_vcg_all_lift hoare_drop_imps | strengthen invs_valid_objs' invs_arch_state')+)[1] apply (vcg exspec=dissociateVCPUTCB_modifies)
- apply (rule_tac Q="\_. invs' and vcpu_at' vcpuptr and tcb_at' tptr" in hoare_post_imp)
+ apply (rule_tac Q'="\_. invs' and vcpu_at' vcpuptr and tcb_at' tptr" in hoare_post_imp)
 apply (clarsimp simp: typ_at_tcb' obj_at'_def) apply (rename_tac vcpu obj, case_tac vcpu) apply (fastforce simp: valid_arch_tcb'_def valid_vcpu'_def objBits_simps)
diff --git a/proof/crefine/AARCH64/Invoke_C.thy b/proof/crefine/AARCH64/Invoke_C.thy
index 296bcb3cd1..3a9fbeed08 100644
--- a/proof/crefine/AARCH64/Invoke_C.thy
+++ b/proof/crefine/AARCH64/Invoke_C.thy
@@ -76,7 +76,7 @@ lemma setDomain_ccorres: apply (simp add: guard_is_UNIV_def) apply simp apply wp
- apply (rule_tac Q="\_. all_invs_but_sch_extra and tcb_at' t and sch_act_simple
+ apply (rule_tac Q'="\_. all_invs_but_sch_extra and tcb_at' t and sch_act_simple
 and (\s. curThread = ksCurThread s)" in hoare_strengthen_post) apply (wp threadSet_all_invs_but_sch_extra)
@@ -84,7 +84,7 @@ lemma setDomain_ccorres: sch_act_simple_def st_tcb_at'_def weak_sch_act_wf_def split: if_splits) apply (simp add: guard_is_UNIV_def)
- apply (rule_tac Q="\_. invs' and tcb_at' t and sch_act_simple and (\s. curThread = ksCurThread s)"
+ apply (rule_tac Q'="\_. invs' and tcb_at' t and sch_act_simple and (\s. curThread = ksCurThread s)"
 in hoare_strengthen_post) apply (wp weak_sch_act_wf_lift_linear tcbSchedDequeue_not_queued hoare_vcg_imp_lift hoare_vcg_all_lift)
@@ -762,7 +762,7 @@ lemma decodeCNodeInvocation_ccorres: apply (rule_tac Q'="\rv. valid_pspace' and valid_cap' rv and valid_objs' and tcb_at' thread and (\s. sch_act_wf (ksSchedulerAction s) s)"
- in hoare_vcg_R_conj)
+ in hoare_vcg_conj_liftE_R)
 apply (rule deriveCap_Null_helper[OF deriveCap_derived]) apply wp apply (clarsimp simp: cte_wp_at_ctes_of)
@@ -838,7 +838,7 @@ lemma decodeCNodeInvocation_ccorres: apply (rule_tac Q'="\rv. valid_pspace' and valid_cap' rv and valid_objs' and tcb_at' thread and (\s. sch_act_wf (ksSchedulerAction s) s)"
- in hoare_vcg_R_conj)
+ in hoare_vcg_conj_liftE_R)
 apply (rule deriveCap_Null_helper [OF deriveCap_derived]) apply wp apply (clarsimp simp: cte_wp_at_ctes_of)
@@ -959,7 +959,7 @@ lemma decodeCNodeInvocation_ccorres: apply (clarsimp simp:valid_updateCapDataI invs_valid_objs' invs_valid_pspace') apply assumption apply (wp hoare_vcg_all_liftE_R injection_wp_E[OF refl]
- lsfco_cte_at' hoare_vcg_const_imp_lift_R
+ lsfco_cte_at' hoare_vcg_const_imp_liftE_R
 )+ apply (simp add: Collect_const_mem word_sle_def word_sless_def all_ex_eq_helper)
@@ -1336,7 +1336,7 @@ lemma decodeCNodeInvocation_ccorres: apply (rule ccorres_return_C_errorE, simp+)[1] apply vcg apply simp
- apply (wp injection_wp_E[OF refl] hoare_vcg_const_imp_lift_R
+ apply (wp injection_wp_E[OF refl] hoare_vcg_const_imp_liftE_R
 hoare_vcg_all_liftE_R lsfco_cte_at' hoare_weak_lift_imp | simp add: hasCancelSendRights_not_Null ctes_of_valid_strengthen cong: conj_cong
diff --git a/proof/crefine/AARCH64/IpcCancel_C.thy b/proof/crefine/AARCH64/IpcCancel_C.thy
index e8b850c010..c38f0f859d 100644
--- a/proof/crefine/AARCH64/IpcCancel_C.thy
+++ b/proof/crefine/AARCH64/IpcCancel_C.thy
@@ -2774,7 +2774,7 @@ lemma cancelIPC_ccorres1: ghost_assertion_data_set_def cap_tag_defs) apply (simp add: locateSlot_conv, wp) apply vcg
- apply (rule_tac Q="\rv. tcb_at' thread and invs'" in hoare_post_imp)
+ apply (rule_tac Q'="\rv. tcb_at' thread and invs'" in hoare_post_imp)
 apply (clarsimp simp: cte_wp_at_ctes_of capHasProperty_def cap_get_tag_isCap ucast_id) apply (wp threadSet_invs_trivial | simp)+
diff --git a/proof/crefine/AARCH64/Ipc_C.thy b/proof/crefine/AARCH64/Ipc_C.thy
index 24eb43ab77..3c5a995444 100644
--- a/proof/crefine/AARCH64/Ipc_C.thy
+++ b/proof/crefine/AARCH64/Ipc_C.thy
@@ -1406,7 +1406,7 @@ lemma asUser_atcbContext_obj_at: lemma asUser_tcbFault_inv: "\\s. \t. ko_at' t p' s \ tcbFault t = f\ asUser p m \\rv s. \t. ko_at' t p' s \ tcbFault t = f\"
- apply (rule_tac Q="\rv. obj_at' (\t. tcbFault t = f) p'"
+ apply (rule_tac Q'="\rv. obj_at' (\t. tcbFault t = f) p'"
 in hoare_strengthen_post) apply (wp asUser_tcbFault_obj_at) apply (clarsimp simp: obj_at'_def)+
@@ -3719,7 +3719,7 @@ lemma doIPCTransfer_ccorres [corres]: fault_to_fault_tag_nonzero) apply ctac apply (clarsimp simp: guard_is_UNIV_def option_to_ptr_def split: option.splits)
- apply (rule_tac Q="\rv. valid_pspace' and cur_tcb' and tcb_at' sender
+ apply (rule_tac Q'="\rv. valid_pspace' and cur_tcb' and tcb_at' sender
 and tcb_at' receiver and K (rv \ Some 0) and (case_option \ valid_ipc_buffer_ptr' rv) and K (receiver \ sender \ endpoint \ Some 0)"
@@ -4487,7 +4487,7 @@ lemma doReplyTransfer_ccorres [corres]: | simp add: valid_tcb_state'_def)+)[1] apply (clarsimp simp: guard_is_UNIV_def ThreadState_defs mask_def option_to_ctcb_ptr_def)
- apply (rule_tac Q="\rv. tcb_at' receiver and
+ apply (rule_tac Q'="\rv. tcb_at' receiver and
 valid_objs' and sch_act_simple and (\s. ksCurDomain s \ maxDomain) and (\s. sch_act_wf (ksSchedulerAction s) s) and pspace_aligned' and pspace_distinct'" in hoare_post_imp)
@@ -4586,7 +4586,7 @@ lemma setupCallerCap_ccorres [corres]: ptr_add_assertion_positive Collect_const_mem tcb_cnode_index_defs) apply simp
- apply (rule_tac Q="\rv. valid_pspace' and tcb_at' receiver" in hoare_post_imp)
+ apply (rule_tac Q'="\rv. valid_pspace' and tcb_at' receiver" in hoare_post_imp)
 apply (auto simp: cte_wp_at_ctes_of isCap_simps valid_pspace'_def tcbSlots Kernel_C.tcbCaller_def size_of_def cte_level_bits_def)[1]
@@ -6000,7 +6000,7 @@ lemma receiveIPC_ccorres [corres]: apply (fastforce simp: guard_is_UNIV_def ThreadState_defs mask_def cap_get_tag_isCap ccap_relation_ep_helpers) apply (clarsimp simp: valid_tcb_state'_def)
- apply (rule_tac Q="\_. valid_pspace'
+ apply (rule_tac Q'="\_. valid_pspace'
 and st_tcb_at' ((=) sendState) sender and tcb_at' thread and (\s. sch_act_wf (ksSchedulerAction s) s) and sch_act_not sender and K (thread \ sender)
@@ -6008,7 +6008,7 @@ lemma receiveIPC_ccorres [corres]: apply (fastforce simp: valid_pspace_valid_objs' pred_tcb_at'_def sch_act_wf_weak obj_at'_def) apply (wpsimp simp: guard_is_UNIV_def option_to_ptr_def option_to_0_def conj_ac)+
- apply (rule_tac Q="\rv. valid_pspace'
+ apply (rule_tac Q'="\rv. valid_pspace'
 and cur_tcb' and tcb_at' sender and tcb_at' thread and sch_act_not sender and K (thread \ sender) and ep_at' (capEPPtr cap)
@@ -6302,7 +6302,7 @@ lemma sendSignal_ccorres [corres]: apply (ctac add: possibleSwitchTo_ccorres) apply (wp sts_valid_objs' sts_st_tcb_at'_cases | simp add: option_to_ctcb_ptr_def split del: if_split)+
- apply (rule_tac Q="\_. tcb_at' (the (ntfnBoundTCB ntfn)) and invs'"
+ apply (rule_tac Q'="\_. tcb_at' (the (ntfnBoundTCB ntfn)) and invs'"
 in hoare_post_imp) apply auto[1] apply wp
@@ -6691,7 +6691,7 @@ lemma receiveSignal_ccorres [corres]: apply (rule receiveSignal_enqueue_ccorres_helper[simplified]) apply (simp add: valid_ntfn'_def) apply (wp sts_st_tcb')
- apply (rule_tac Q="\rv. ko_wp_at' (\x. projectKO_opt x = Some ntfn
+ apply (rule_tac Q'="\rv. ko_wp_at' (\x. projectKO_opt x = Some ntfn
 \ projectKO_opt x = (None::tcb option)) (capNtfnPtr cap)" in hoare_post_imp)
@@ -6758,7 +6758,7 @@ lemma receiveSignal_ccorres [corres]: apply (rule_tac ntfn="ntfn" in receiveSignal_enqueue_ccorres_helper[simplified]) apply (simp add: valid_ntfn'_def) apply (wp sts_st_tcb')
- apply (rule_tac Q="\rv. ko_wp_at' (\x. projectKO_opt x = Some ntfn
+ apply (rule_tac Q'="\rv. ko_wp_at' (\x. projectKO_opt x = Some ntfn
 \ projectKO_opt x = (None::tcb option)) (capNtfnPtr cap) and K (thread \ set list)"
diff --git a/proof/crefine/AARCH64/IsolatedThreadAction.thy b/proof/crefine/AARCH64/IsolatedThreadAction.thy
index 3c163928ec..d8c1d0cf50 100644
--- a/proof/crefine/AARCH64/IsolatedThreadAction.thy
+++ b/proof/crefine/AARCH64/IsolatedThreadAction.thy
@@ -602,7 +602,7 @@ lemma select_f_isolatable: lemma doMachineOp_isolatable: "thread_actions_isolatable idx (doMachineOp m)" apply (simp add: doMachineOp_def split_def)
- apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)]
+ apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre]
 gets_isolatable thread_actions_isolatable_returns modify_isolatable select_f_isolatable) apply (simp | wp)+
@@ -622,8 +622,8 @@ lemma getASIDPoolEntry_isolatable: case_option_If2 assertE_def liftE_def checkPTAt_def stateAssert_def2 assert_def liftM_def cong: if_cong)
- apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)]
- thread_actions_isolatable_bindE[OF _ _ hoare_pre(1)]
+ apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre]
+ thread_actions_isolatable_bindE[OF _ _ hoare_weaken_pre]
 thread_actions_isolatable_if thread_actions_isolatable_returns thread_actions_isolatable_fail gets_isolatable getObject_isolatable)
@@ -638,8 +638,8 @@ lemma findVSpaceForASID_isolatable: case_option_If2 assertE_def liftE_def checkPTAt_def stateAssert_def2 cong: if_cong)
- apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)]
- thread_actions_isolatable_bindE[OF _ _ hoare_pre(1)]
+ apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre]
+ thread_actions_isolatable_bindE[OF _ _ hoare_weaken_pre]
 thread_actions_isolatable_if thread_actions_isolatable_returns thread_actions_isolatable_fail gets_isolatable getObject_isolatable getASIDPoolEntry_isolatable
@@ -738,7 +738,7 @@ lemma setASIDPool_isolatable: lemma vcpuUpdate_isolatable: "thread_actions_isolatable idx (vcpuUpdate p f)" apply (clarsimp simp: vcpuUpdate_def)
- apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)]
+ apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre]
 getVCPU_isolatable setVCPU_isolatable |wp|assumption|clarsimp)+ done
@@ -754,7 +754,7 @@ lemma vgicUpdateLR_isolatable: lemma vcpuWriteReg_isolatable: "thread_actions_isolatable idx (vcpuWriteReg v p val)" apply (clarsimp simp: vcpuWriteReg_def)
- apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)]
+ apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre]
 vcpuUpdate_isolatable doMachineOp_isolatable | wpsimp)+ done
@@ -762,7 +762,7 @@ lemma vcpuWriteReg_isolatable: lemma vcpuReadReg_isolatable: "thread_actions_isolatable idx (vcpuReadReg v p)" apply (clarsimp simp: vcpuReadReg_def)
- apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)]
+ apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre]
 vcpuUpdate_isolatable getVCPU_isolatable thread_actions_isolatable_return | wpsimp)+ done
@@ -770,7 +770,7 @@ lemma vcpuReadReg_isolatable: lemma vcpuSaveReg_isolatable: "thread_actions_isolatable idx (vcpuSaveReg p v)" apply (clarsimp simp: vcpuSaveReg_def)
- apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)]
+ apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre]
 vcpuUpdate_isolatable doMachineOp_isolatable | wpsimp)+ done
@@ -778,7 +778,7 @@ lemma vcpuSaveReg_isolatable: lemma vcpuRestoreReg_isolatable: "thread_actions_isolatable idx (vcpuRestoreReg p v)" apply (clarsimp simp: vcpuRestoreReg_def)
- apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)]
+ apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre]
 vcpuUpdate_isolatable doMachineOp_isolatable getVCPU_isolatable | wpsimp)+ done
@@ -787,14 +787,14 @@ lemma thread_actions_isolatable_mapM_x: "\ \x. thread_actions_isolatable idx (f x); \x t. f x \tcb_at' t\ \ \ thread_actions_isolatable idx (mapM_x f xs)" apply (induct xs; clarsimp simp: mapM_x_Nil mapM_x_Cons thread_actions_isolatable_returns)
- apply (rule thread_actions_isolatable_bind[OF _ _ hoare_pre(1)]; clarsimp?)
+ apply (rule thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre]; clarsimp?)
 apply assumption+ done lemma vcpuSaveRegRange_isolatable: "thread_actions_isolatable idx (vcpuSaveRegRange p r rt)" apply (clarsimp simp: vcpuSaveRegRange_def)
- apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)]
+ apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre]
 vcpuSaveReg_isolatable thread_actions_isolatable_mapM_x | wpsimp)+ done
@@ -802,7 +802,7 @@ lemma vcpuSaveRegRange_isolatable: lemma vcpuRestoreRegRange_isolatable: "thread_actions_isolatable idx (vcpuRestoreRegRange p r rt)" apply (clarsimp simp: vcpuRestoreRegRange_def)
- apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)]
+ apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre]
 vcpuRestoreReg_isolatable thread_actions_isolatable_mapM_x | wpsimp)+ done
@@ -810,7 +810,7 @@ lemma vcpuRestoreRegRange_isolatable: lemma saveVirtTimer_isolatable: "thread_actions_isolatable idx (saveVirtTimer v)" apply (clarsimp simp: saveVirtTimer_def)
- apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)]
+ apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre]
 thread_actions_isolatable_if thread_actions_isolatable_returns thread_actions_isolatable_fail gets_isolatable doMachineOp_isolatable vcpuSaveReg_isolatable
@@ -821,7 +821,7 @@ lemma saveVirtTimer_isolatable: lemma getIRQState_isolatable: "thread_actions_isolatable idx (getIRQState irq)" apply (clarsimp simp: getIRQState_def liftM_def getInterruptState_def)
- apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)]
+ apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre]
 thread_actions_isolatable_returns gets_isolatable | wpsimp | fastforce)+ done
@@ -829,7 +829,7 @@ lemma getIRQState_isolatable: lemma restoreVirtTimer_isolatable: "thread_actions_isolatable idx (restoreVirtTimer v)" apply (clarsimp simp: restoreVirtTimer_def when_def isIRQActive_def liftM_bind)
- apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)]
+ apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre]
 thread_actions_isolatable_if thread_actions_isolatable_returns thread_actions_isolatable_fail gets_isolatable doMachineOp_isolatable vcpuSaveReg_isolatable
@@ -843,7 +843,7 @@ lemma vcpuSave_isolatable: supply if_split[split del] apply (clarsimp simp: vcpuSave_def armvVCPUSave_def thread_actions_isolatable_fail when_def split: option.splits)
- apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)]
+ apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre]
 thread_actions_isolatable_if thread_actions_isolatable_returns thread_actions_isolatable_fail gets_isolatable doMachineOp_isolatable vcpuSaveReg_isolatable
@@ -856,7 +856,7 @@ lemma vcpuSave_isolatable: lemma vcpuEnable_isolatable: "thread_actions_isolatable idx (vcpuEnable v)" apply (clarsimp simp: vcpuEnable_def)
- apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)]
+ apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre]
 vcpuRestoreReg_isolatable doMachineOp_isolatable getVCPU_isolatable restoreVirtTimer_isolatable | wpsimp)+
@@ -865,7 +865,7 @@ lemma vcpuEnable_isolatable: lemma vcpuRestore_isolatable: "thread_actions_isolatable idx (vcpuRestore v)" apply (clarsimp simp: vcpuRestore_def)
- apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)]
+ apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre]
 getVCPU_isolatable gets_isolatable doMachineOp_isolatable vcpuEnable_isolatable vcpuRestoreRegRange_isolatable | wpsimp)+
@@ -874,7 +874,7 @@ lemma vcpuRestore_isolatable: lemma vcpuDisable_isolatable: "thread_actions_isolatable idx (vcpuDisable v)" apply (clarsimp simp: vcpuDisable_def split: option.splits, intro conjI)
- apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)]
+ apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre]
 doMachineOp_isolatable vcpuEnable_isolatable vgicUpdate_isolatable vcpuSaveReg_isolatable saveVirtTimer_isolatable | wpsimp)+
@@ -885,16 +885,16 @@ lemma vcpuSwitch_isolatable: supply if_cong[cong] option.case_cong[cong] apply (clarsimp simp: vcpuSwitch_def when_def split: option.splits) apply (safe intro!:
- thread_actions_isolatable_bind[OF _ _ hoare_pre(1)]
- thread_actions_isolatable_bindE[OF _ _ hoare_pre(1)]
- thread_actions_isolatable_catch[OF _ _ hoare_pre(1)]
+ thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre]
+ thread_actions_isolatable_bindE[OF _ _ hoare_weaken_pre]
+ thread_actions_isolatable_catch[OF _ _ hoare_weaken_pre]
 thread_actions_isolatable_if thread_actions_isolatable_returns thread_actions_isolatable_fail gets_isolatable) apply (clarsimp simp: thread_actions_isolatable_returns split: option.splits |intro thread_actions_isolatable_if thread_actions_isolatable_returns
- thread_actions_isolatable_bind[OF _ _ hoare_pre(1)]
+ thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre]
 vcpuSave_isolatable vcpuRestore_isolatable vcpuDisable_isolatable vcpuEnable_isolatable modifyArchState_isolatable conjI doMachineOp_isolatable
@@ -965,9 +965,9 @@ lemma armContextSwitch_isolatable: "thread_actions_isolatable idx (armContextSwitch p asid)" supply if_split[split del] apply (simp add: armContextSwitch_def getVMID_def loadVMID_def getASIDPoolEntry_def getPoolPtr_def)
- apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)]
- thread_actions_isolatable_bindE[OF _ _ hoare_pre(1)]
- thread_actions_isolatable_catch[OF _ _ hoare_pre(1)]
+ apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre]
+ thread_actions_isolatable_bindE[OF _ _ hoare_weaken_pre]
+ thread_actions_isolatable_catch[OF _ _ hoare_weaken_pre]
 thread_actions_isolatable_if thread_actions_isolatable_returns thread_actions_isolatable_fail gets_isolatable getASIDPool_isolatable setASIDPool_isolatable doMachineOp_isolatable
@@ -988,9 +988,9 @@ lemma setVMRoot_isolatable: whenE_def liftE_def stateAssert_def2 cong: if_cong)
- apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)]
- thread_actions_isolatable_bindE[OF _ _ hoare_pre(1)]
- thread_actions_isolatable_catch[OF _ _ hoare_pre(1)]
+ apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre]
+ thread_actions_isolatable_bindE[OF _ _ hoare_weaken_pre]
+ thread_actions_isolatable_catch[OF _ _ hoare_weaken_pre]
 thread_actions_isolatable_if thread_actions_isolatable_returns thread_actions_isolatable_fail gets_isolatable getCTE_isolatable
@@ -1325,7 +1325,7 @@ lemma setThreadState_no_sch_change: (is "Nondet_VCG.valid ?P ?f ?Q") apply (simp add: setThreadState_def setSchedulerAction_def) apply (wp hoare_pre_cont[where f=rescheduleRequired])
- apply (rule_tac Q="\_. ?P and st_tcb_at' ((=) st) t" in hoare_post_imp)
+ apply (rule_tac Q'="\_. ?P and st_tcb_at' ((=) st) t" in hoare_post_imp)
 apply (clarsimp split: if_split) apply (clarsimp simp: obj_at'_def st_tcb_at'_def projectKOs) apply (wp threadSet_pred_tcb_at_state)
@@ -1387,7 +1387,7 @@ lemma setEndpoint_isolatable: apply (simp add: obj_at_partial_overwrite_id2) apply (drule_tac x=x in spec) apply (clarsimp simp: obj_at'_def projectKOs select_f_asserts)
- apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)]
+ apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre]
 thread_actions_isolatable_if thread_actions_isolatable_return thread_actions_isolatable_fail)
@@ -1533,7 +1533,7 @@ lemma cteInsert_isolatable: supply if_split[split del] if_cong[cong] apply (simp add: cteInsert_def updateCap_def updateMDB_def Let_def setUntypedCapAsFull_def)
- apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)]
+ apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre]
 thread_actions_isolatable_if thread_actions_isolatable_returns getCTE_isolatable setCTE_isolatable)
@@ -1619,7 +1619,7 @@ lemma switchToThread_isolatable: "thread_actions_isolatable idx (Arch.switchToThread t)" apply (simp add: switchToThread_def getTCB_threadGet storeWordUser_def stateAssert_def2)
- apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)]
+ apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre]
 gets_isolatable setVMRoot_isolatable thread_actions_isolatable_if doMachineOp_isolatable
@@ -1640,7 +1640,7 @@ lemma tcbQueued_put_tcb_state_regs_tcb: lemma idleThreadNotQueued_isolatable: "thread_actions_isolatable idx (stateAssert idleThreadNotQueued [])" apply (simp add: stateAssert_def2 stateAssert_def)
- apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)]
+ apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre]
 gets_isolatable thread_actions_isolatable_if thread_actions_isolatable_returns
@@ -1858,7 +1858,7 @@ lemma updateMDB_isolatable: "thread_actions_isolatable idx (updateMDB slot f)" apply (simp add: updateMDB_def thread_actions_isolatable_return split: if_split)
- apply (intro impI thread_actions_isolatable_bind[OF _ _ hoare_pre(1)]
+ apply (intro impI thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre]
 getCTE_isolatable setCTE_isolatable, (wp | simp)+) done
@@ -1880,7 +1880,7 @@ lemma emptySlot_isolatable: "thread_actions_isolatable idx (emptySlot slot NullCap)" apply (simp add: emptySlot_def updateCap_def case_Null_If Retype_H.postCapDeletion_def cong: if_cong)
- apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)]
+ apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre]
 clearUntypedFreeIndex_isolatable thread_actions_isolatable_if getCTE_isolatable setCTE_isolatable
diff --git a/proof/crefine/AARCH64/Refine_C.thy b/proof/crefine/AARCH64/Refine_C.thy
index d81647f9a1..aadd023227 100644
--- a/proof/crefine/AARCH64/Refine_C.thy
+++ b/proof/crefine/AARCH64/Refine_C.thy
@@ -75,7 +75,7 @@ proof - apply (wp schedule_sch_act_wf schedule_invs' | strengthen invs_valid_objs_strengthen invs_pspace_aligned' invs_pspace_distinct')+ apply simp
- apply (rule_tac Q="\rv s. invs' s \ (\x. rv = Some x \ x \ Kernel_Config.maxIRQ) \
+ apply (rule_tac Q'="\rv s. invs' s \ (\x. rv = Some x \ x \ Kernel_Config.maxIRQ) \
 sch_act_not (ksCurThread s) s" in hoare_post_imp) apply (solves clarsimp) apply (wp getActiveIRQ_le_maxIRQ | simp)+
@@ -363,7 +363,7 @@ lemma handleSyscall_ccorres: apply wp[1] apply clarsimp apply wp
- apply (rule_tac Q="\rv s. ct_in_state' simple' s \ sch_act_sane s"
+ apply (rule_tac Q'="\rv s. ct_in_state' simple' s \ sch_act_sane s"
 in hoare_post_imp) apply (simp add: ct_in_state'_def) apply (wp handleReply_sane)
@@ -401,15 +401,15 @@ lemma handleSyscall_ccorres: | wpc | wp hoare_drop_imp handleReply_sane handleReply_nonz_cap_to_ct schedule_invs' | strengthen ct_active_not_idle'_strengthen invs_valid_objs_strengthen)+
- apply (rule_tac Q="\rv. invs' and ct_active'" in hoare_post_imp, simp)
+ apply (rule_tac Q'="\rv. invs' and ct_active'" in hoare_post_imp, simp)
 apply (wp hy_invs') apply (clarsimp simp add: liftE_def) apply wp
- apply (rule_tac Q="\rv. invs' and ct_active'" in hoare_post_imp, simp)
+ apply (rule_tac Q'="\rv. invs' and ct_active'" in hoare_post_imp, simp)
 apply (wp hy_invs') apply (clarsimp simp: liftE_def) apply (wp)
- apply (rule_tac Q="\_. invs'" in hoare_post_imp, simp)
+ apply (rule_tac Q'="\_. invs'" in hoare_post_imp, simp)
 apply (wp hw_invs') apply (simp add: guard_is_UNIV_def) apply clarsimp
diff --git a/proof/crefine/AARCH64/Retype_C.thy b/proof/crefine/AARCH64/Retype_C.thy
index fcdc49585c..448703ed1e 100644
--- a/proof/crefine/AARCH64/Retype_C.thy
+++ b/proof/crefine/AARCH64/Retype_C.thy
@@ -7337,7 +7337,7 @@ lemma createObject_valid_cap':
   apply (simp add:createObject_def3)
   apply (rule hoare_pre)
   apply wp
-  apply (rule_tac Q = "\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post)
+  apply (rule_tac Q'="\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post)
   apply (rule hoare_vcg_conj_lift)
   apply (rule hoare_strengthen_post[OF createNewCaps_ret_len])
   apply clarsimp
@@ -7412,7 +7412,7 @@ lemma createObject_caps_overlap_reserved_ret':
   apply (simp add:createObject_def3)
   apply (rule hoare_pre)
   apply wp
-  apply (rule_tac Q = "\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post)
+  apply (rule_tac Q'="\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post)
   apply (rule hoare_vcg_conj_lift)
   apply (rule hoare_strengthen_post[OF createNewCaps_ret_len])
   apply clarsimp
@@ -7435,7 +7435,7 @@ lemma createObject_descendants_range':
   apply (simp add:createObject_def3)
   apply (rule hoare_pre)
   apply wp
-  apply (rule_tac Q = "\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post)
+  apply (rule_tac Q'="\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post)
   apply (rule hoare_vcg_conj_lift)
   apply (rule hoare_strengthen_post[OF createNewCaps_ret_len])
   apply clarsimp
@@ -7466,7 +7466,7 @@ lemma createObject_idlethread_range:
   apply (simp add:createObject_def3)
   apply (rule hoare_pre)
   apply wp
-  apply (rule_tac Q = "\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post)
+  apply (rule_tac Q'="\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post)
   apply (rule hoare_vcg_conj_lift)
   apply (rule hoare_strengthen_post[OF createNewCaps_ret_len])
   apply clarsimp
@@ -7486,7 +7486,7 @@ lemma createObject_IRQHandler:
   apply (simp add:createObject_def3)
   apply (rule hoare_pre)
   apply wp
-  apply (rule_tac Q = "\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post)
+  apply (rule_tac Q'="\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post)
   apply (rule hoare_vcg_conj_lift)
   apply (rule hoare_strengthen_post[OF createNewCaps_ret_len])
   apply clarsimp
@@ -7504,7 +7504,7 @@ lemma createObject_capClass[wp]: apply (simp add:createObject_def3) apply (rule hoare_pre) apply wp - apply (rule_tac Q = "\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) + apply (rule_tac Q'="\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) apply (rule hoare_vcg_conj_lift) apply (rule hoare_strengthen_post[OF createNewCaps_ret_len]) apply clarsimp @@ -7551,7 +7551,7 @@ lemma createObject_parent_helper: \ createObject ty ptr us dev \\rv. cte_wp_at' (\cte. isUntypedCap (cteCap cte) \ (sameRegionAs (cteCap cte) rv)) p\" - apply (rule hoare_post_imp [where Q="\rv s. \cte. cte_wp_at' ((=) cte) p s + apply (rule hoare_post_imp[where Q'="\rv s. \cte. cte_wp_at' ((=) cte) p s \ isUntypedCap (cteCap cte) \ sameRegionAs (cteCap cte) rv"]) apply (clarsimp simp:cte_wp_at_ctes_of) @@ -8334,7 +8334,7 @@ shows "ccorres dc xfdc (cnodeptr + (of_nat k * 0x20 + start * 0x20 + of_nat n * 0x20)) s) \ descendants_range_in' {(of_nat n << APIType_capBits newType userSize) + ptr.. (ptr && ~~ mask sz) + 2 ^ sz - 1} srcSlot (ctes_of s)" - in hoare_pre(1)) + in hoare_weaken_pre) apply wp apply (clarsimp simp:createObject_hs_preconds_def conj_comms add.commute[where b=ptr] invs_valid_pspace' invs_pspace_distinct' invs_pspace_aligned' diff --git a/proof/crefine/AARCH64/Schedule_C.thy b/proof/crefine/AARCH64/Schedule_C.thy index 37e01bd880..1f613ac14a 100644 --- a/proof/crefine/AARCH64/Schedule_C.thy +++ b/proof/crefine/AARCH64/Schedule_C.thy @@ -90,7 +90,7 @@ lemma Arch_switchToThread_ccorres: apply wpsimp apply (vcg exspec=vcpu_switch_modifies) apply wpsimp+ - apply (rule_tac Q="\rv s. all_invs_but_ct_idle_or_in_cur_domain' s + apply (rule_tac Q'="\rv s. all_invs_but_ct_idle_or_in_cur_domain' s \ case_option \ (ko_wp_at' (is_vcpu' and hyp_live')) (atcbVCPUPtr (tcbArch rv)) s \ obj_at' (\t::tcb. True) t s" in hoare_strengthen_post[rotated]) apply (clarsimp simp: vcpu_at_is_vcpu' invs_no_cicd'_def valid_state'_def valid_pspace'_def 
@@ -717,7 +717,7 @@ lemma schedule_ccorres: apply wp apply clarsimp (* when runnable tcbSchedEnqueue curThread *) - apply (rule_tac Q="\rv s. invs' s \ ksCurThread s = curThread + apply (rule_tac Q'="\rv s. invs' s \ ksCurThread s = curThread \ ksSchedulerAction s = SwitchToThread candidate" in hoare_post_imp) apply (clarsimp simp: invs'_bitmapQ_no_L1_orphans invs_ksCurDomain_maxDomain') apply (fastforce dest: invs_sch_act_wf') diff --git a/proof/crefine/AARCH64/SyscallArgs_C.thy b/proof/crefine/AARCH64/SyscallArgs_C.thy index 896502b2a3..daec411010 100644 --- a/proof/crefine/AARCH64/SyscallArgs_C.thy +++ b/proof/crefine/AARCH64/SyscallArgs_C.thy @@ -952,7 +952,7 @@ lemma getMRs_user_word: linorder_not_less [symmetric]) apply (wp mapM_loadWordUser_user_words_at) apply (wp hoare_vcg_all_lift) - apply (rule_tac Q="\_. \" in hoare_strengthen_post) + apply (rule_tac Q'="\_. \" in hoare_strengthen_post) apply wp apply clarsimp defer @@ -1008,7 +1008,7 @@ lemma getMRs_rel: apply (rule hoare_pre) apply (rule_tac x=mi in hoare_exI) apply wp - apply (rule_tac Q="\rv s. thread = ksCurThread s \ fst (getMRs thread buffer mi s) = {(rv,s)}" in hoare_strengthen_post) + apply (rule_tac Q'="\rv s. thread = ksCurThread s \ fst (getMRs thread buffer mi s) = {(rv,s)}" in hoare_strengthen_post) apply (wp det_result det_wp_getMRs) apply clarsimp apply (clarsimp simp: cur_tcb'_def) @@ -1175,7 +1175,7 @@ lemma getSyscallArg_ccorres_foo: apply (clarsimp simp: option_to_ptr_def option_to_0_def) apply (rule_tac P="\s. valid_ipc_buffer_ptr' (ptr_val (Ptr b)) s \ i < msgLength mi \ msgLength mi \ msgMaxLength \ scast n_msgRegisters \ i" - in hoare_pre(1)) + in hoare_weaken_pre) apply (wp getMRs_user_word) apply (clarsimp simp: msgMaxLength_def unat_less_helper) apply fastforce diff --git a/proof/crefine/AARCH64/Syscall_C.thy b/proof/crefine/AARCH64/Syscall_C.thy index 7eb4719daf..aa8f96bf94 100644 --- a/proof/crefine/AARCH64/Syscall_C.thy +++ b/proof/crefine/AARCH64/Syscall_C.thy 
@@ -259,7 +259,7 @@ lemma decodeInvocation_ccorres: apply simp apply (vcg exspec=performInvocation_Reply_modifies) apply (simp add: cur_tcb'_def[symmetric]) - apply (rule_tac R="\rv s. ksCurThread s = thread" in hoare_post_add) + apply (rule_tac Q'="\rv s. ksCurThread s = thread" in hoare_post_add) apply (simp cong: conj_cong) apply (strengthen imp_consequent) apply (wp sts_invs_minor' sts_st_tcb_at'_cases) @@ -682,9 +682,9 @@ lemma sendFaultIPC_ccorres: , assumption) apply vcg apply (clarsimp simp: inQ_def) - apply (rule_tac Q="\a b. invs' b \ st_tcb_at' simple' tptr b + apply (rule_tac Q'="\a b. invs' b \ st_tcb_at' simple' tptr b \ sch_act_not tptr b \ valid_cap' a b" - and E="\ _. \" + and E'="\ _. \" in hoare_strengthen_postE) apply (wp) apply (clarsimp simp: isCap_simps) @@ -884,8 +884,8 @@ lemma handleInvocation_ccorres: apply (rule ccorres_return_C_errorE, simp+)[1] apply vcg apply (simp add: invocationCatch_def o_def) - apply (rule_tac Q="\rv'. invs' and tcb_at' rv" - and E="\ft. invs' and tcb_at' rv" + apply (rule_tac Q'="\rv'. invs' and tcb_at' rv" + and E'="\ft. invs' and tcb_at' rv" in hoare_strengthen_postE) apply (wp hoare_split_bind_case_sumE hoare_drop_imps setThreadState_nonqueued_state_update @@ -2014,7 +2014,7 @@ proof - (* clean up get_gic_vcpu_ctrl_misr postcondition *) apply (wp hoare_vcg_all_lift) - apply (rule_tac Q="\_ s. ?PRE s \ armHSCurVCPU (ksArchState s) = Some (vcpuPtr, active)" in hoare_post_imp) + apply (rule_tac Q'="\_ s. ?PRE s \ armHSCurVCPU (ksArchState s) = Some (vcpuPtr, active)" in hoare_post_imp) apply clarsimp subgoal for _ _ eisr0 eisr1 apply (clarsimp simp: invs'_HScurVCPU_vcpu_at' valid_arch_state'_def max_armKSGICVCPUNumListRegs_def dest!: invs_arch_state') diff --git a/proof/crefine/AARCH64/Tcb_C.thy b/proof/crefine/AARCH64/Tcb_C.thy index 1e11db317f..bc4b2fb7ba 100644 --- a/proof/crefine/AARCH64/Tcb_C.thy +++ b/proof/crefine/AARCH64/Tcb_C.thy 
@@ -428,7 +428,7 @@ lemma setPriority_ccorres: simp: st_tcb_at'_def o_def split: if_splits) apply (simp add: guard_is_UNIV_def) apply (rule hoare_strengthen_post[ - where Q="\rv s. + where Q'="\rv s. obj_at' (\_. True) t s \ priority \ maxPriority \ ksCurDomain s \ maxDomain \ @@ -675,7 +675,7 @@ lemma invokeTCB_ThreadControl_ccorres: apply wp apply (clarsimp simp : guard_is_UNIV_def Collect_const_mem) apply (rule hoare_strengthen_post[ - where Q= "\rv s. + where Q'="\rv s. valid_objs' s \ weak_sch_act_wf (ksSchedulerAction s) s \ ((\a b. priority = Some (a, b)) \ @@ -771,7 +771,7 @@ lemma invokeTCB_ThreadControl_ccorres: apply (clarsimp simp : guard_is_UNIV_def Collect_const_mem) apply (simp cong: conj_cong) apply (rule hoare_strengthen_post[ - where Q="\a b. (valid_objs' b \ + where Q'="\a b. (valid_objs' b \ sch_act_wf (ksSchedulerAction b) b \ pspace_aligned' b \ pspace_distinct' b \ ((\a b. priority = Some (a, b)) \ @@ -816,7 +816,7 @@ lemma invokeTCB_ThreadControl_ccorres: apply vcg apply (simp add: conj_comms cong: conj_cong) apply (strengthen invs_ksCurDomain_maxDomain' invs_pspace_distinct') - apply (wp hoare_vcg_const_imp_lift_R cteDelete_invs') + apply (wp hoare_vcg_const_imp_liftE_R cteDelete_invs') apply simp apply (rule ccorres_split_nothrow_novcg_dc) apply (rule ccorres_cond2[where R=\], simp add: Collect_const_mem) 
@@ -1234,13 +1234,13 @@ lemma invokeTCB_CopyRegisters_ccorres: apply (simp add: pred_conj_def guard_is_UNIV_def cong: if_cong | wp mapM_x_wp_inv hoare_drop_imp)+ apply clarsimp - apply (rule_tac Q="\rv. invs' and tcb_at' destn" in hoare_strengthen_post[rotated]) + apply (rule_tac Q'="\rv. invs' and tcb_at' destn" in hoare_strengthen_post[rotated]) apply (fastforce simp: sch_act_wf_weak) apply (wpsimp wp: hoare_drop_imp restart_invs')+ apply (clarsimp simp add: guard_is_UNIV_def) apply (wp hoare_drop_imp hoare_vcg_if_lift)+ apply simp - apply (rule_tac Q="\rv. invs' and tcb_at' destn" in hoare_strengthen_post[rotated]) + apply (rule_tac Q'="\rv. invs' and tcb_at' destn" in hoare_strengthen_post[rotated]) apply (fastforce simp: sch_act_wf_weak) apply (wpsimp wp: hoare_drop_imp)+ apply (clarsimp simp add: guard_is_UNIV_def) @@ -1649,7 +1649,7 @@ lemma invokeTCB_WriteRegisters_ccorres[where S=UNIV]: apply wp apply (simp add: guard_is_UNIV_def) apply (wp hoare_drop_imp) - apply (rule_tac Q="\rv. invs' and tcb_at' dst" in hoare_strengthen_post[rotated]) + apply (rule_tac Q'="\rv. invs' and tcb_at' dst" in hoare_strengthen_post[rotated]) apply (fastforce simp: sch_act_wf_weak) apply (wpsimp wp: restart_invs')+ apply (clarsimp simp add: guard_is_UNIV_def) @@ -2165,7 +2165,7 @@ shows apply wp apply (simp add: Collect_const_mem ThreadState_defs mask_def) apply vcg - apply (rule_tac Q="\rv. invs' and st_tcb_at' ((=) Restart) thread + apply (rule_tac Q'="\rv. invs' and st_tcb_at' ((=) Restart) thread and tcb_at' target" in hoare_post_imp) apply (clarsimp simp: pred_tcb_at') apply (auto elim!: pred_tcb'_weakenE)[1] diff --git a/proof/crefine/AARCH64/VSpace_C.thy b/proof/crefine/AARCH64/VSpace_C.thy index e58b1de61f..ad5c870cc5 100644 --- a/proof/crefine/AARCH64/VSpace_C.thy +++ b/proof/crefine/AARCH64/VSpace_C.thy 
@@ -2134,7 +2134,7 @@ lemma performASIDPoolInvocation_ccorres: apply wp apply simp apply vcg - apply (rule hoare_strengthen_post[where Q="\_. \"], wp) + apply (rule hoare_strengthen_post[where Q'="\_. \"], wp) apply (clarsimp simp: typ_at'_def ko_wp_at'_def obj_at'_def) apply simp apply vcg @@ -2741,7 +2741,7 @@ lemma vcpu_enable_ccorres: apply wpsimp apply (vcg exspec=set_gic_vcpu_ctrl_hcr_modifies) apply wpsimp+ - apply (rule_tac Q="\_. vcpu_at' v" in hoare_post_imp, fastforce) + apply (rule_tac Q'="\_. vcpu_at' v" in hoare_post_imp, fastforce) apply wpsimp apply (clarsimp simp: typ_heap_simps' Collect_const_mem cvcpu_relation_def cvcpu_regs_relation_def Let_def cvgic_relation_def hcrVCPU_def diff --git a/proof/crefine/ARM/Arch_C.thy b/proof/crefine/ARM/Arch_C.thy index df640d4bba..a1ae08610c 100644 --- a/proof/crefine/ARM/Arch_C.thy +++ b/proof/crefine/ARM/Arch_C.thy @@ -475,7 +475,7 @@ shows apply clarsimp apply (wp getSlotCap_wp) apply clarsimp - apply (rule_tac Q="\_. cte_wp_at' ((=) (UntypedCap isdev frame pageBits idx) o cteCap) parent + apply (rule_tac Q'="\_. cte_wp_at' ((=) (UntypedCap isdev frame pageBits idx) o cteCap) parent and (\s. descendants_range_in' {frame..frame + (2::word32) ^ pageBits - (1::word32)} parent (ctes_of s)) and pspace_no_overlap' frame pageBits and invs' diff --git a/proof/crefine/ARM/DetWP.thy b/proof/crefine/ARM/DetWP.thy index ebd0aef2fe..82163aafb2 100644 --- a/proof/crefine/ARM/DetWP.thy +++ b/proof/crefine/ARM/DetWP.thy @@ -120,7 +120,7 @@ lemma det_wp_asUser [wp]: apply (drule det_wp_det) apply (erule det_wp_select_f) apply wp+ - apply (rule_tac Q="\_. tcb_at' t" in hoare_post_imp) + apply (rule_tac Q'="\_. tcb_at' t" in hoare_post_imp) apply simp apply wp apply simp diff --git a/proof/crefine/ARM/Fastpath_C.thy b/proof/crefine/ARM/Fastpath_C.thy index 8e64ebfeca..76f516b983 100644 --- a/proof/crefine/ARM/Fastpath_C.thy +++ b/proof/crefine/ARM/Fastpath_C.thy 
@@ -1571,7 +1571,7 @@ lemma ctes_of_Some_cte_wp_at: lemma user_getreg_wp: "\\s. tcb_at' t s \ (\rv. obj_at' (\tcb. (user_regs o atcbContextGet o tcbArch) tcb r = rv) t s \ Q rv s)\ asUser t (getRegister r) \Q\" - apply (rule_tac Q="\rv s. \rv'. rv' = rv \ Q rv' s" in hoare_post_imp) + apply (rule_tac Q'="\rv s. \rv'. rv' = rv \ Q rv' s" in hoare_post_imp) apply simp apply (rule hoare_pre, wp hoare_vcg_ex_lift user_getreg_rv) apply (clarsimp simp: obj_at'_def) @@ -2266,7 +2266,7 @@ proof - set_ep_valid_objs' setObject_no_0_obj'[where 'a=endpoint, folded setEndpoint_def] | strengthen not_obj_at'_strengthen)+ - apply (rule_tac Q="\_ s. hd (epQueue send_ep) \ curThread + apply (rule_tac Q'="\_ s. hd (epQueue send_ep) \ curThread \ pred_tcb_at' itcbState ((=) (tcbState xa)) (hd (epQueue send_ep)) s" in hoare_post_imp) apply fastforce diff --git a/proof/crefine/ARM/Fastpath_Equiv.thy b/proof/crefine/ARM/Fastpath_Equiv.thy index 3aa5d2e4c0..0d2e4b88a2 100644 --- a/proof/crefine/ARM/Fastpath_Equiv.thy +++ b/proof/crefine/ARM/Fastpath_Equiv.thy @@ -250,7 +250,7 @@ lemma ctes_of_Some_cte_wp_at: lemma user_getreg_wp: "\\s. tcb_at' t s \ (\rv. obj_at' (\tcb. (user_regs o atcbContextGet o tcbArch) tcb r = rv) t s \ Q rv s)\ asUser t (getRegister r) \Q\" - apply (rule_tac Q="\rv s. \rv'. rv' = rv \ Q rv' s" in hoare_post_imp) + apply (rule_tac Q'="\rv s. \rv'. rv' = rv \ Q rv' s" in hoare_post_imp) apply simp apply (rule hoare_pre, wp hoare_vcg_ex_lift user_getreg_rv) apply (clarsimp simp: obj_at'_def) diff --git a/proof/crefine/ARM/Finalise_C.thy b/proof/crefine/ARM/Finalise_C.thy index 1dc29d3be6..6756444dd3 100644 --- a/proof/crefine/ARM/Finalise_C.thy +++ b/proof/crefine/ARM/Finalise_C.thy 
@@ -720,7 +720,7 @@ lemma suspend_ccorres: apply ceqv apply (ctac(no_vcg) add: setThreadState_ccorres_simple) apply (ctac add: tcbSchedDequeue_ccorres) - apply (rule_tac Q="\_. valid_objs' and tcb_at' thread and pspace_aligned' and pspace_distinct'" + apply (rule_tac Q'="\_. valid_objs' and tcb_at' thread and pspace_aligned' and pspace_distinct'" in hoare_post_imp) apply clarsimp apply (wp sts_valid_objs')[1] @@ -1519,7 +1519,7 @@ lemma unmapPageTable_ccorres: apply wp apply (fastforce simp: guard_is_UNIV_def Collect_const_mem Let_def shiftl_t2n field_simps lookup_pd_slot_def) - apply (rule_tac Q="\rv s. (case rv of Some pd \ page_directory_at' pd s | _ \ True) \ invs' s" + apply (rule_tac Q'="\rv s. (case rv of Some pd \ page_directory_at' pd s | _ \ True) \ invs' s" in hoare_post_imp) apply (clarsimp simp: lookup_pd_slot_def Let_def mask_add_aligned less_pptrBase_valid_pde_offset'' diff --git a/proof/crefine/ARM/Invoke_C.thy b/proof/crefine/ARM/Invoke_C.thy index 9fd4f72463..34ac785154 100644 --- a/proof/crefine/ARM/Invoke_C.thy +++ b/proof/crefine/ARM/Invoke_C.thy @@ -75,7 +75,7 @@ lemma setDomain_ccorres: apply (simp add: guard_is_UNIV_def) apply simp apply wp - apply (rule_tac Q="\_. all_invs_but_sch_extra and tcb_at' t and sch_act_simple + apply (rule_tac Q'="\_. all_invs_but_sch_extra and tcb_at' t and sch_act_simple and (\s. curThread = ksCurThread s)" in hoare_strengthen_post) apply (wp threadSet_all_invs_but_sch_extra) @@ -83,7 +83,7 @@ lemma setDomain_ccorres: sch_act_simple_def st_tcb_at'_def weak_sch_act_wf_def split: if_splits) apply (simp add: guard_is_UNIV_def) - apply (rule_tac Q="\_. invs' and tcb_at' t and sch_act_simple and (\s. curThread = ksCurThread s)" + apply (rule_tac Q'="\_. invs' and tcb_at' t and sch_act_simple and (\s. curThread = ksCurThread s)" in hoare_strengthen_post) apply (wp weak_sch_act_wf_lift_linear tcbSchedDequeue_not_queued hoare_vcg_imp_lift hoare_vcg_all_lift) 
@@ -752,7 +752,7 @@ lemma decodeCNodeInvocation_ccorres: apply (rule_tac Q'="\rv. valid_pspace' and valid_cap' rv and valid_objs' and tcb_at' thread and (\s. sch_act_wf (ksSchedulerAction s) s)" - in hoare_vcg_R_conj) + in hoare_vcg_conj_liftE_R) apply (rule deriveCap_Null_helper[OF deriveCap_derived]) apply wp apply (clarsimp simp: cte_wp_at_ctes_of) @@ -828,7 +828,7 @@ lemma decodeCNodeInvocation_ccorres: apply (rule_tac Q'="\rv. valid_pspace' and valid_cap' rv and valid_objs' and tcb_at' thread and (\s. sch_act_wf (ksSchedulerAction s) s)" - in hoare_vcg_R_conj) + in hoare_vcg_conj_liftE_R) apply (rule deriveCap_Null_helper [OF deriveCap_derived]) apply wp apply (clarsimp simp: cte_wp_at_ctes_of) @@ -949,7 +949,7 @@ lemma decodeCNodeInvocation_ccorres: apply (clarsimp simp:valid_updateCapDataI invs_valid_objs' invs_valid_pspace') apply assumption apply (wp hoare_vcg_all_liftE_R injection_wp_E[OF refl] - lsfco_cte_at' hoare_vcg_const_imp_lift_R + lsfco_cte_at' hoare_vcg_const_imp_liftE_R )+ apply (simp add: Collect_const_mem word_sle_def word_sless_def all_ex_eq_helper) @@ -1326,7 +1326,7 @@ lemma decodeCNodeInvocation_ccorres: apply (rule ccorres_return_C_errorE, simp+)[1] apply vcg apply simp - apply (wp injection_wp_E[OF refl] hoare_vcg_const_imp_lift_R + apply (wp injection_wp_E[OF refl] hoare_vcg_const_imp_liftE_R hoare_vcg_all_liftE_R lsfco_cte_at' hoare_weak_lift_imp | simp add: hasCancelSendRights_not_Null ctes_of_valid_strengthen cong: conj_cong diff --git a/proof/crefine/ARM/IpcCancel_C.thy b/proof/crefine/ARM/IpcCancel_C.thy index 2d81df1fda..e1bf300dee 100644 --- a/proof/crefine/ARM/IpcCancel_C.thy +++ b/proof/crefine/ARM/IpcCancel_C.thy 
@@ -2733,7 +2733,7 @@ lemma cancelIPC_ccorres1: ghost_assertion_data_set_def cap_tag_defs) apply (simp add: locateSlot_conv, wp) apply vcg - apply (rule_tac Q="\rv. tcb_at' thread and invs'" in hoare_post_imp) + apply (rule_tac Q'="\rv. tcb_at' thread and invs'" in hoare_post_imp) apply (clarsimp simp: cte_wp_at_ctes_of capHasProperty_def cap_get_tag_isCap ucast_id) apply (wp threadSet_invs_trivial | simp)+ diff --git a/proof/crefine/ARM/Ipc_C.thy b/proof/crefine/ARM/Ipc_C.thy index 4614237fa1..e484a4a691 100644 --- a/proof/crefine/ARM/Ipc_C.thy +++ b/proof/crefine/ARM/Ipc_C.thy @@ -3305,7 +3305,7 @@ lemma doIPCTransfer_ccorres [corres]: fault_to_fault_tag_nonzero) apply ctac apply (clarsimp simp: guard_is_UNIV_def option_to_ptr_def split: option.splits) - apply (rule_tac Q="\rv. valid_pspace' and cur_tcb' and tcb_at' sender + apply (rule_tac Q'="\rv. valid_pspace' and cur_tcb' and tcb_at' sender and tcb_at' receiver and K (rv \ Some 0) and (case_option \ valid_ipc_buffer_ptr' rv) and K (receiver \ sender \ endpoint \ Some 0)" @@ -4020,7 +4020,7 @@ lemma doReplyTransfer_ccorres [corres]: | simp add: valid_tcb_state'_def)+)[1] apply (clarsimp simp: guard_is_UNIV_def ThreadState_defs mask_def option_to_ctcb_ptr_def) - apply (rule_tac Q="\rv. tcb_at' receiver and + apply (rule_tac Q'="\rv. tcb_at' receiver and valid_objs' and sch_act_simple and (\s. ksCurDomain s \ maxDomain) and (\s. sch_act_wf (ksSchedulerAction s) s) and pspace_aligned' and pspace_distinct'" in hoare_post_imp) @@ -4119,7 +4119,7 @@ lemma setupCallerCap_ccorres [corres]: ptr_add_assertion_positive Collect_const_mem tcb_cnode_index_defs) apply simp - apply (rule_tac Q="\rv. valid_pspace' and tcb_at' receiver" in hoare_post_imp) + apply (rule_tac Q'="\rv. valid_pspace' and tcb_at' receiver" in hoare_post_imp) apply (auto simp: cte_wp_at_ctes_of isCap_simps tcbSlots Kernel_C.tcbCaller_def size_of_def cte_level_bits_def)[1] 
@@ -5479,7 +5479,7 @@ lemma receiveIPC_ccorres [corres]: apply (fastforce simp: guard_is_UNIV_def ThreadState_defs mask_def cap_get_tag_isCap ccap_relation_ep_helpers) apply (clarsimp simp: valid_tcb_state'_def) - apply (rule_tac Q="\_. valid_pspace' + apply (rule_tac Q'="\_. valid_pspace' and st_tcb_at' ((=) sendState) sender and tcb_at' thread and (\s. sch_act_wf (ksSchedulerAction s) s) and sch_act_not sender and K (thread \ sender) @@ -5487,7 +5487,7 @@ lemma receiveIPC_ccorres [corres]: apply (fastforce simp: valid_pspace_valid_objs' pred_tcb_at'_def sch_act_wf_weak obj_at'_def) apply (wpsimp simp: guard_is_UNIV_def option_to_ptr_def option_to_0_def conj_ac)+ - apply (rule_tac Q="\rv. valid_pspace' + apply (rule_tac Q'="\rv. valid_pspace' and cur_tcb' and tcb_at' sender and tcb_at' thread and sch_act_not sender and K (thread \ sender) and ep_at' (capEPPtr cap) @@ -5774,7 +5774,7 @@ lemma sendSignal_ccorres [corres]: apply (ctac add: possibleSwitchTo_ccorres) apply (wp sts_valid_objs' sts_st_tcb_at'_cases | simp add: option_to_ctcb_ptr_def split del: if_split)+ - apply (rule_tac Q="\_. tcb_at' (the (ntfnBoundTCB ntfn)) and invs'" + apply (rule_tac Q'="\_. tcb_at' (the (ntfnBoundTCB ntfn)) and invs'" in hoare_post_imp) apply auto[1] apply wp @@ -6139,7 +6139,7 @@ lemma receiveSignal_ccorres [corres]: apply (rule receiveSignal_enqueue_ccorres_helper[simplified]) apply (simp add: valid_ntfn'_def) apply (wp sts_st_tcb') - apply (rule_tac Q="\rv. ko_wp_at' (\x. projectKO_opt x = Some ntfn + apply (rule_tac Q'="\rv. ko_wp_at' (\x. projectKO_opt x = Some ntfn \ projectKO_opt x = (None::tcb option)) (capNtfnPtr cap)" in hoare_post_imp) 
@@ -6206,7 +6206,7 @@ lemma receiveSignal_ccorres [corres]: apply (rule_tac ntfn="ntfn" in receiveSignal_enqueue_ccorres_helper[simplified]) apply (simp add: valid_ntfn'_def) apply (wp sts_st_tcb') - apply (rule_tac Q="\rv. ko_wp_at' (\x. projectKO_opt x = Some ntfn + apply (rule_tac Q'="\rv. ko_wp_at' (\x. projectKO_opt x = Some ntfn \ projectKO_opt x = (None::tcb option)) (capNtfnPtr cap) and K (thread \ set list)" diff --git a/proof/crefine/ARM/IsolatedThreadAction.thy b/proof/crefine/ARM/IsolatedThreadAction.thy index 8f886167ea..d8e5757393 100644 --- a/proof/crefine/ARM/IsolatedThreadAction.thy +++ b/proof/crefine/ARM/IsolatedThreadAction.thy @@ -610,7 +610,7 @@ lemma select_f_isolatable: lemma doMachineOp_isolatable: "thread_actions_isolatable idx (doMachineOp m)" apply (simp add: doMachineOp_def split_def) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] gets_isolatable thread_actions_isolatable_returns modify_isolatable select_f_isolatable) apply (simp | wp)+ @@ -630,8 +630,8 @@ lemma findPDForASID_isolatable: case_option_If2 assertE_def liftE_def checkPDAt_def stateAssert_def2 cong: if_cong) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] - thread_actions_isolatable_bindE[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] + thread_actions_isolatable_bindE[OF _ _ hoare_weaken_pre] thread_actions_isolatable_if thread_actions_isolatable_returns thread_actions_isolatable_fail gets_isolatable getObject_isolatable) 
@@ -652,9 +652,9 @@ lemma getHWASID_isolatable: invalidateHWASIDEntry_def storeHWASID_def cong: if_cong) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] - thread_actions_isolatable_bindE[OF _ _ hoare_pre(1)] - thread_actions_isolatable_catch[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] + thread_actions_isolatable_bindE[OF _ _ hoare_weaken_pre] + thread_actions_isolatable_catch[OF _ _ hoare_weaken_pre] thread_actions_isolatable_if thread_actions_isolatable_returns thread_actions_isolatable_fail gets_isolatable modify_isolatable @@ -673,9 +673,9 @@ lemma setVMRoot_isolatable: checkPDNotInASIDMap_def stateAssert_def2 checkPDASIDMapMembership_def armv_contextSwitch_def cong: if_cong) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] - thread_actions_isolatable_bindE[OF _ _ hoare_pre(1)] - thread_actions_isolatable_catch[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] + thread_actions_isolatable_bindE[OF _ _ hoare_weaken_pre] + thread_actions_isolatable_catch[OF _ _ hoare_weaken_pre] thread_actions_isolatable_if thread_actions_isolatable_returns thread_actions_isolatable_fail gets_isolatable getCTE_isolatable getHWASID_isolatable @@ -936,7 +936,7 @@ lemma setThreadState_no_sch_change: (is "Nondet_VCG.valid ?P ?f ?Q") apply (simp add: setThreadState_def setSchedulerAction_def) apply (wp hoare_pre_cont[where f=rescheduleRequired]) - apply (rule_tac Q="\_. ?P and st_tcb_at' ((=) st) t" in hoare_post_imp) + apply (rule_tac Q'="\_. ?P and st_tcb_at' ((=) st) t" in hoare_post_imp) apply (clarsimp split: if_split) apply (clarsimp simp: obj_at'_def st_tcb_at'_def projectKOs) apply (wp threadSet_pred_tcb_at_state) 
@@ -998,7 +998,7 @@ lemma setEndpoint_isolatable: apply (simp add: obj_at_partial_overwrite_id2) apply (drule_tac x=x in spec) apply (clarsimp simp: obj_at'_def projectKOs select_f_asserts) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] thread_actions_isolatable_if thread_actions_isolatable_return thread_actions_isolatable_fail) @@ -1146,7 +1146,7 @@ lemma cteInsert_isolatable: supply if_split[split del] if_cong[cong] apply (simp add: cteInsert_def updateCap_def updateMDB_def Let_def setUntypedCapAsFull_def) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] thread_actions_isolatable_if thread_actions_isolatable_returns assert_isolatable getCTE_isolatable setCTE_isolatable) @@ -1232,7 +1232,7 @@ lemma threadGet_isolatable: "thread_actions_isolatable idx (Arch.switchToThread t)" apply (simp add: switchToThread_def storeWordUser_def stateAssert_def2) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] gets_isolatable setVMRoot_isolatable thread_actions_isolatable_if doMachineOp_isolatable @@ -1255,7 +1255,7 @@ lemma tcbQueued_put_tcb_state_regs_tcb: lemma idleThreadNotQueued_isolatable: "thread_actions_isolatable idx (stateAssert idleThreadNotQueued [])" apply (simp add: stateAssert_def2 stateAssert_def) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] gets_isolatable thread_actions_isolatable_if thread_actions_isolatable_returns 
@@ -1441,7 +1441,7 @@ lemma updateMDB_isolatable: "thread_actions_isolatable idx (updateMDB slot f)" apply (simp add: updateMDB_def thread_actions_isolatable_return split: if_split) - apply (intro impI thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] + apply (intro impI thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] getCTE_isolatable setCTE_isolatable, (wp | simp)+) done @@ -1463,7 +1463,7 @@ lemma emptySlot_isolatable: "thread_actions_isolatable idx (emptySlot slot NullCap)" apply (simp add: emptySlot_def updateCap_def case_Null_If Retype_H.postCapDeletion_def cong: if_cong) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] clearUntypedFreeIndex_isolatable thread_actions_isolatable_if getCTE_isolatable setCTE_isolatable diff --git a/proof/crefine/ARM/Refine_C.thy b/proof/crefine/ARM/Refine_C.thy index b8dae22123..425b40c3ea 100644 --- a/proof/crefine/ARM/Refine_C.thy +++ b/proof/crefine/ARM/Refine_C.thy @@ -84,7 +84,7 @@ proof - apply (clarsimp simp: return_def) apply (wp schedule_sch_act_wf schedule_invs' | strengthen invs_valid_objs_strengthen invs_pspace_aligned' invs_pspace_distinct')+ - apply (rule_tac Q="\rv s. invs' s \ (\x. rv = Some x \ x \ Kernel_Config.maxIRQ)" in hoare_post_imp) + apply (rule_tac Q'="\rv s. invs' s \ (\x. rv = Some x \ x \ Kernel_Config.maxIRQ)" in hoare_post_imp) apply (solves clarsimp) apply (wp getActiveIRQ_le_maxIRQ | simp)+ apply (clarsimp simp: invs'_def valid_state'_def) 
@@ -267,12 +267,12 @@ lemma handleSyscall_ccorres: apply wp apply (simp add: guard_is_UNIV_def) apply clarsimp - apply (rule_tac Q="\rv s. invs' s \ + apply (rule_tac Q'="\rv s. invs' s \ (\x. rv = Some x \ x \ Kernel_Config.maxIRQ)" in hoare_post_imp) apply (solves clarsimp) apply (wp getActiveIRQ_le_maxIRQ | simp)+ - apply (rule_tac Q=" invs' " in hoare_post_imp_dc2E, wp) + apply (rule_tac Q'=" invs' " in hoare_post_impE_E_dc, wp) apply (simp add: invs'_def valid_state'_def) apply clarsimp apply (vcg exspec=handleInvocation_modifies) @@ -301,12 +301,12 @@ lemma handleSyscall_ccorres: apply wp apply (simp add: guard_is_UNIV_def) apply clarsimp - apply (rule_tac Q="\rv s. invs' s \ + apply (rule_tac Q'="\rv s. invs' s \ (\x. rv = Some x \ x \ Kernel_Config.maxIRQ)" in hoare_post_imp) apply (solves clarsimp) apply (wp getActiveIRQ_le_maxIRQ | simp)+ - apply (rule_tac Q=" invs' " in hoare_post_imp_dc2E, wp) + apply (rule_tac Q'=" invs' " in hoare_post_impE_E_dc, wp) apply (simp add: invs'_def valid_state'_def) apply clarsimp apply (vcg exspec=handleInvocation_modifies) @@ -335,12 +335,12 @@ lemma handleSyscall_ccorres: apply wp apply (simp add: guard_is_UNIV_def) apply clarsimp - apply (rule_tac Q="\rv s. invs' s \ + apply (rule_tac Q'="\rv s. invs' s \ (\x. rv = Some x \ x \ Kernel_Config.maxIRQ)" in hoare_post_imp) apply (solves clarsimp) apply (wp getActiveIRQ_le_maxIRQ | simp)+ - apply (rule_tac Q=" invs'" in hoare_post_imp_dc2E, wp) + apply (rule_tac Q'=" invs'" in hoare_post_impE_E_dc, wp) apply (simp add: invs'_def valid_state'_def) apply clarsimp apply (vcg exspec=handleInvocation_modifies) @@ -373,7 +373,7 @@ lemma handleSyscall_ccorres: apply wp[1] apply clarsimp apply wp - apply (rule_tac Q="\rv s. ct_in_state' simple' s \ sch_act_sane s" + apply (rule_tac Q'="\rv s. ct_in_state' simple' s \ sch_act_sane s" in hoare_post_imp) apply (simp add: ct_in_state'_def) apply (wp handleReply_sane) 
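Review bot: The instantiation `Q'=" invs' "` in the hunks at @@ -267, @@ -301 and @@ -335 keeps stray spaces inside the quoted term, and the third one (`" invs'"`) differs from the first two, so the three rewritten lines are no longer consistent with each other or with the other `Q'="…"` instantiations in the same lemma. Since these lines are already being rewritten for the `Q'`/`hoare_post_impE_E_dc` rename, I'd normalise all three to `apply (rule_tac Q'="invs'" in hoare_post_impE_E_dc, wp)`. handleSyscall_ccorres begins and ends outside these hunks.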
@@ -408,15 +408,15 @@ lemma handleSyscall_ccorres: | wpc | wp hoare_drop_imp handleReply_sane handleReply_nonz_cap_to_ct schedule_invs' | strengthen ct_active_not_idle'_strengthen invs_valid_objs_strengthen)+ - apply (rule_tac Q="\rv. invs' and ct_active'" in hoare_post_imp, simp) + apply (rule_tac Q'="\rv. invs' and ct_active'" in hoare_post_imp, simp) apply (wp hy_invs') apply (clarsimp simp add: liftE_def) apply wp - apply (rule_tac Q="\rv. invs' and ct_active'" in hoare_post_imp, simp) + apply (rule_tac Q'="\rv. invs' and ct_active'" in hoare_post_imp, simp) apply (wp hy_invs') apply (clarsimp simp: liftE_def) apply (wp) - apply (rule_tac Q="\_. invs'" in hoare_post_imp, simp) + apply (rule_tac Q'="\_. invs'" in hoare_post_imp, simp) apply (wp hw_invs') apply (simp add: guard_is_UNIV_def) apply clarsimp diff --git a/proof/crefine/ARM/Retype_C.thy b/proof/crefine/ARM/Retype_C.thy index 53a4f7d339..688272dac9 100644 --- a/proof/crefine/ARM/Retype_C.thy +++ b/proof/crefine/ARM/Retype_C.thy @@ -5894,7 +5894,7 @@ lemma createObject_valid_cap': apply (simp add:createObject_def3) apply (rule hoare_pre) apply wp - apply (rule_tac Q = "\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) + apply (rule_tac Q'="\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) apply (rule hoare_vcg_conj_lift) apply (rule hoare_strengthen_post[OF createNewCaps_ret_len]) apply clarsimp @@ -5966,7 +5966,7 @@ lemma createObject_caps_overlap_reserved_ret': apply (simp add:createObject_def3) apply (rule hoare_pre) apply wp - apply (rule_tac Q = "\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) + apply (rule_tac Q'="\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) apply (rule hoare_vcg_conj_lift) apply (rule hoare_strengthen_post[OF createNewCaps_ret_len]) apply clarsimp 
@@ -5989,7 +5989,7 @@ lemma createObject_descendants_range': apply (simp add:createObject_def3) apply (rule hoare_pre) apply wp - apply (rule_tac Q = "\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) + apply (rule_tac Q'="\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) apply (rule hoare_vcg_conj_lift) apply (rule hoare_strengthen_post[OF createNewCaps_ret_len]) apply clarsimp @@ -6020,7 +6020,7 @@ lemma createObject_idlethread_range: apply (simp add:createObject_def3) apply (rule hoare_pre) apply wp - apply (rule_tac Q = "\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) + apply (rule_tac Q'="\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) apply (rule hoare_vcg_conj_lift) apply (rule hoare_strengthen_post[OF createNewCaps_ret_len]) apply clarsimp @@ -6036,7 +6036,7 @@ lemma createObject_IRQHandler: apply (simp add:createObject_def3) apply (rule hoare_pre) apply wp - apply (rule_tac Q = "\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) + apply (rule_tac Q'="\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) apply (rule hoare_vcg_conj_lift) apply (rule hoare_strengthen_post[OF createNewCaps_ret_len]) apply clarsimp @@ -6054,7 +6054,7 @@ lemma createObject_capClass[wp]: apply (simp add:createObject_def3) apply (rule hoare_pre) apply wp - apply (rule_tac Q = "\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) + apply (rule_tac Q'="\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) apply (rule hoare_vcg_conj_lift) apply (rule hoare_strengthen_post[OF createNewCaps_ret_len]) apply clarsimp @@ -6099,7 +6099,7 @@ lemma createObject_parent_helper: \ createObject ty ptr us dev \\rv. cte_wp_at' (\cte. isUntypedCap (cteCap cte) \ (sameRegionAs (cteCap cte) rv)) p\" - apply (rule hoare_post_imp [where Q="\rv s. \cte. cte_wp_at' ((=) cte) p s + apply (rule hoare_post_imp[where Q'="\rv s. \cte. cte_wp_at' ((=) cte) p s \ isUntypedCap (cteCap cte) \ sameRegionAs (cteCap cte) rv"]) apply (clarsimp simp:cte_wp_at_ctes_of) 
@@ -6808,7 +6808,7 @@ shows "ccorres dc xfdc (cnodeptr + (of_nat k * 0x10 + start * 0x10 + of_nat n * 0x10)) s) \ descendants_range_in' {(of_nat n << APIType_capBits newType userSize) + ptr.. (ptr && ~~ mask sz) + 2 ^ sz - 1} srcSlot (ctes_of s)" - in hoare_pre(1)) + in hoare_weaken_pre) apply wp apply (clarsimp simp:createObject_hs_preconds_def conj_comms invs_valid_pspace' invs_pspace_distinct' invs_pspace_aligned' diff --git a/proof/crefine/ARM/Schedule_C.thy b/proof/crefine/ARM/Schedule_C.thy index c9a827f206..4e3aac750b 100644 --- a/proof/crefine/ARM/Schedule_C.thy +++ b/proof/crefine/ARM/Schedule_C.thy @@ -636,7 +636,7 @@ lemma schedule_ccorres: apply wp apply clarsimp (* when runnable tcbSchedEnqueue curThread *) - apply (rule_tac Q="\rv s. invs' s \ ksCurThread s = curThread + apply (rule_tac Q'="\rv s. invs' s \ ksCurThread s = curThread \ ksSchedulerAction s = SwitchToThread candidate" in hoare_post_imp) apply (clarsimp simp: invs'_bitmapQ_no_L1_orphans invs_ksCurDomain_maxDomain') apply (fastforce dest: invs_sch_act_wf') diff --git a/proof/crefine/ARM/SyscallArgs_C.thy b/proof/crefine/ARM/SyscallArgs_C.thy index 4f5e657ee8..2cac960a08 100644 --- a/proof/crefine/ARM/SyscallArgs_C.thy +++ b/proof/crefine/ARM/SyscallArgs_C.thy @@ -1006,7 +1006,7 @@ lemma getMRs_user_word: linorder_not_less [symmetric]) apply (wp mapM_loadWordUser_user_words_at) apply (wp hoare_vcg_all_lift) - apply (rule_tac Q="\_. \" in hoare_strengthen_post) + apply (rule_tac Q'="\_. \" in hoare_strengthen_post) apply wp apply clarsimp defer @@ -1062,7 +1062,7 @@ lemma getMRs_rel: apply (rule hoare_pre) apply (rule_tac x=mi in hoare_exI) apply wp - apply (rule_tac Q="\rv s. thread = ksCurThread s \ fst (getMRs thread buffer mi s) = {(rv,s)}" in hoare_strengthen_post) + apply (rule_tac Q'="\rv s. thread = ksCurThread s \ fst (getMRs thread buffer mi s) = {(rv,s)}" in hoare_strengthen_post) apply (wp det_result det_wp_getMRs) apply clarsimp apply (clarsimp simp: cur_tcb'_def) 
@@ -1230,7 +1230,7 @@ lemma getSyscallArg_ccorres_foo: apply (clarsimp simp: option_to_ptr_def option_to_0_def) apply (rule_tac P="\s. valid_ipc_buffer_ptr' (ptr_val (Ptr b)) s \ i < msgLength mi \ msgLength mi \ msgMaxLength \ scast n_msgRegisters \ i" - in hoare_pre(1)) + in hoare_weaken_pre) apply (wp getMRs_user_word) apply (clarsimp simp: msgMaxLength_def unat_less_helper) apply fastforce diff --git a/proof/crefine/ARM/Syscall_C.thy b/proof/crefine/ARM/Syscall_C.thy index 5165426c18..801b4c6ceb 100644 --- a/proof/crefine/ARM/Syscall_C.thy +++ b/proof/crefine/ARM/Syscall_C.thy @@ -253,7 +253,7 @@ lemma decodeInvocation_ccorres: apply simp apply (vcg exspec=performInvocation_Reply_modifies) apply (simp add: cur_tcb'_def[symmetric]) - apply (rule_tac R="\rv s. ksCurThread s = thread" in hoare_post_add) + apply (rule_tac Q'="\rv s. ksCurThread s = thread" in hoare_post_add) apply (simp cong: conj_cong) apply (strengthen imp_consequent) apply (wp sts_invs_minor' sts_st_tcb_at'_cases) @@ -627,9 +627,9 @@ lemma sendFaultIPC_ccorres: , assumption) apply vcg apply (clarsimp simp: inQ_def) - apply (rule_tac Q="\a b. invs' b \ st_tcb_at' simple' tptr b + apply (rule_tac Q'="\a b. invs' b \ st_tcb_at' simple' tptr b \ sch_act_not tptr b \ valid_cap' a b" - and E="\ _. \" + and E'="\ _. \" in hoare_strengthen_postE) apply (wp) apply (clarsimp simp: isCap_simps) @@ -847,8 +847,8 @@ lemma handleInvocation_ccorres: apply (rule ccorres_return_C_errorE, simp+)[1] apply vcg apply (simp add: invocationCatch_def o_def) - apply (rule_tac Q="\rv'. invs' and tcb_at' rv" - and E="\ft. invs' and tcb_at' rv" + apply (rule_tac Q'="\rv'. invs' and tcb_at' rv" + and E'="\ft. invs' and tcb_at' rv" in hoare_strengthen_postE) apply (wp hoare_split_bind_case_sumE hoare_drop_imps setThreadState_nonqueued_state_update diff --git a/proof/crefine/ARM/Tcb_C.thy b/proof/crefine/ARM/Tcb_C.thy index 217095f7a8..264da21d5b 100644 --- a/proof/crefine/ARM/Tcb_C.thy +++ b/proof/crefine/ARM/Tcb_C.thy 
@@ -384,7 +384,7 @@ lemma setPriority_ccorres: simp: st_tcb_at'_def o_def split: if_splits) apply (simp add: guard_is_UNIV_def) apply (rule hoare_strengthen_post[ - where Q="\rv s. + where Q'="\rv s. obj_at' (\_. True) t s \ priority \ maxPriority \ ksCurDomain s \ maxDomain \ @@ -607,7 +607,7 @@ lemma invokeTCB_ThreadControl_ccorres: apply wp apply (clarsimp simp: guard_is_UNIV_def Collect_const_mem) apply (rule hoare_strengthen_post[ - where Q= "\rv s. + where Q'="\rv s. valid_objs' s \ weak_sch_act_wf (ksSchedulerAction s) s \ ((\a b. priority = Some (a, b)) \ @@ -698,7 +698,7 @@ lemma invokeTCB_ThreadControl_ccorres: apply (clarsimp simp: guard_is_UNIV_def Collect_const_mem) apply (simp cong: conj_cong) apply (rule hoare_strengthen_post[ - where Q="\a b. (valid_objs' b \ + where Q'="\a b. (valid_objs' b \ sch_act_wf (ksSchedulerAction b) b \ pspace_aligned' b \ pspace_distinct' b \ ((\a b. priority = Some (a, b)) \ @@ -745,7 +745,7 @@ lemma invokeTCB_ThreadControl_ccorres: apply vcg apply (simp add: conj_comms cong: conj_cong) apply (strengthen invs_ksCurDomain_maxDomain' invs_pspace_distinct') - apply (wp hoare_vcg_const_imp_lift_R cteDelete_invs') + apply (wp hoare_vcg_const_imp_liftE_R cteDelete_invs') apply simp apply (rule ccorres_split_nothrow_novcg_dc) apply (rule ccorres_cond2[where R=\], simp add: Collect_const_mem) 
@@ -1156,13 +1156,13 @@ lemma invokeTCB_CopyRegisters_ccorres: apply (simp add: pred_conj_def guard_is_UNIV_def cong: if_cong | wp mapM_x_wp_inv hoare_drop_imp)+ apply clarsimp - apply (rule_tac Q="\rv. invs' and tcb_at' destn" in hoare_strengthen_post[rotated]) + apply (rule_tac Q'="\rv. invs' and tcb_at' destn" in hoare_strengthen_post[rotated]) apply (fastforce simp: sch_act_wf_weak) apply (wpsimp wp: hoare_drop_imp restart_invs')+ apply (clarsimp simp add: guard_is_UNIV_def) apply (wp hoare_drop_imp hoare_vcg_if_lift)+ apply simp - apply (rule_tac Q="\rv. invs' and tcb_at' destn" in hoare_strengthen_post[rotated]) + apply (rule_tac Q'="\rv. invs' and tcb_at' destn" in hoare_strengthen_post[rotated]) apply (fastforce simp: sch_act_wf_weak) apply (wpsimp wp: hoare_drop_imp)+ apply (clarsimp simp add: guard_is_UNIV_def) @@ -1553,7 +1553,7 @@ lemma invokeTCB_WriteRegisters_ccorres[where S=UNIV]: apply wp apply (simp add: guard_is_UNIV_def) apply (wp hoare_drop_imp) - apply (rule_tac Q="\rv. invs' and tcb_at' dst" in hoare_strengthen_post[rotated]) + apply (rule_tac Q'="\rv. invs' and tcb_at' dst" in hoare_strengthen_post[rotated]) apply (fastforce simp: sch_act_wf_weak) apply (wpsimp wp: restart_invs')+ apply (clarsimp simp add: guard_is_UNIV_def) @@ -2062,7 +2062,7 @@ shows apply wp apply (simp add: Collect_const_mem ThreadState_defs mask_def) apply vcg - apply (rule_tac Q="\rv. invs' and st_tcb_at' ((=) Restart) thread + apply (rule_tac Q'="\rv. invs' and st_tcb_at' ((=) Restart) thread and tcb_at' target" in hoare_post_imp) apply (clarsimp simp: pred_tcb_at') apply (auto elim!: pred_tcb'_weakenE)[1] diff --git a/proof/crefine/ARM/VSpace_C.thy b/proof/crefine/ARM/VSpace_C.thy index a452d50196..03bea4c91a 100644 --- a/proof/crefine/ARM/VSpace_C.thy +++ b/proof/crefine/ARM/VSpace_C.thy 
@@ -1648,7 +1648,7 @@ lemma performPageFlush_ccorres: apply (ctac add: setVMRoot_ccorres) apply (rule ccorres_return_Skip) apply (simp add: cur_tcb'_def[symmetric]) - apply (rule_tac Q="\_ s. invs' s \ cur_tcb' s" in hoare_post_imp) + apply (rule_tac Q'="\_ s. invs' s \ cur_tcb' s" in hoare_post_imp) apply (simp add: invs'_invs_no_cicd) apply wp+ apply (rule ccorres_return_Skip) @@ -1786,7 +1786,7 @@ lemma performPageDirectoryInvocationFlush_ccorres: apply wp apply (simp add: guard_is_UNIV_def) apply (simp add: cur_tcb'_def[symmetric]) - apply (rule_tac Q="\_ s. invs' s \ cur_tcb' s" in hoare_post_imp) + apply (rule_tac Q'="\_ s. invs' s \ cur_tcb' s" in hoare_post_imp) apply (simp add: invs'_invs_no_cicd) apply wp+ apply (simp) @@ -1840,7 +1840,7 @@ lemma flushPage_ccorres: apply (ctac add: setVMRoot_ccorres) apply (rule ccorres_return_Skip) apply (wp | simp add: cur_tcb'_def[symmetric])+ - apply (rule_tac Q="\_ s. invs' s \ cur_tcb' s" in hoare_post_imp) + apply (rule_tac Q'="\_ s. invs' s \ cur_tcb' s" in hoare_post_imp) apply (simp add: invs'_invs_no_cicd) apply (wp | simp add: cur_tcb'_def[symmetric])+ apply (rule ccorres_return_Skip) @@ -2371,7 +2371,7 @@ lemma unmapPage_ccorres: apply (rule ccorres_return_void_C) apply vcg apply (simp add: lookup_pd_slot_def Let_def) - apply (wp hoare_vcg_const_imp_lift_R) + apply (wp hoare_vcg_const_imp_liftE_R) apply (simp add: Collect_const_mem) apply (vcg exspec=findPDForASID_modifies) apply (clarsimp simp: invs_arch_state' invs_no_0_obj' invs_valid_objs' @@ -3016,7 +3016,7 @@ lemma flushTable_ccorres: apply (rule ccorres_return_Skip) apply (wp hoare_weak_lift_imp) apply clarsimp - apply (rule_tac Q="\_ s. invs' s \ cur_tcb' s" in hoare_post_imp) + apply (rule_tac Q'="\_ s. invs' s \ cur_tcb' s" in hoare_post_imp) apply (simp add: invs'_invs_no_cicd cur_tcb'_def) apply (wp mapM_x_wp_inv getPTE_wp | wpc)+ apply (rule ccorres_return_Skip) 
diff --git a/proof/crefine/ARM_HYP/Arch_C.thy b/proof/crefine/ARM_HYP/Arch_C.thy index 8003df0845..a464729ab9 100644 --- a/proof/crefine/ARM_HYP/Arch_C.thy +++ b/proof/crefine/ARM_HYP/Arch_C.thy @@ -517,7 +517,7 @@ shows apply clarsimp apply (wp getSlotCap_wp) apply clarsimp - apply (rule_tac Q="\_. cte_wp_at' ((=) (UntypedCap isdev frame pageBits idx) o cteCap) parent + apply (rule_tac Q'="\_. cte_wp_at' ((=) (UntypedCap isdev frame pageBits idx) o cteCap) parent and (\s. descendants_range_in' {frame..frame + (2::word32) ^ pageBits - (1::word32)} parent (ctes_of s)) and pspace_no_overlap' frame pageBits and invs' diff --git a/proof/crefine/ARM_HYP/DetWP.thy b/proof/crefine/ARM_HYP/DetWP.thy index ebd0aef2fe..82163aafb2 100644 --- a/proof/crefine/ARM_HYP/DetWP.thy +++ b/proof/crefine/ARM_HYP/DetWP.thy @@ -120,7 +120,7 @@ lemma det_wp_asUser [wp]: apply (drule det_wp_det) apply (erule det_wp_select_f) apply wp+ - apply (rule_tac Q="\_. tcb_at' t" in hoare_post_imp) + apply (rule_tac Q'="\_. tcb_at' t" in hoare_post_imp) apply simp apply wp apply simp diff --git a/proof/crefine/ARM_HYP/Fastpath_C.thy b/proof/crefine/ARM_HYP/Fastpath_C.thy index 8109106551..6052add3d7 100644 --- a/proof/crefine/ARM_HYP/Fastpath_C.thy +++ b/proof/crefine/ARM_HYP/Fastpath_C.thy @@ -790,7 +790,7 @@ lemma switchToThread_fp_ccorres: apply (rule ccorres_False[where P'=UNIV]) apply simp apply (wp findPDForASID_pd_at_wp)[1] - apply (rule_tac Q= + apply (rule_tac Q'= "\r s. \cte. map_to_ctes (ksPSpace s) (thread + 2 ^ cte_level_bits * tcbVTableSlot) = Some cte \ pd \ ran (\a. map_option snd (armKSASIDMap (ksArchState s) a)) \ page_directory_at' pd s 
@@ -1617,7 +1617,7 @@ lemma ctes_of_Some_cte_wp_at: lemma user_getreg_wp: "\\s. tcb_at' t s \ (\rv. obj_at' (\tcb. (user_regs o atcbContextGet o tcbArch) tcb r = rv) t s \ Q rv s)\ asUser t (getRegister r) \Q\" - apply (rule_tac Q="\rv s. \rv'. rv' = rv \ Q rv' s" in hoare_post_imp) + apply (rule_tac Q'="\rv s. \rv'. rv' = rv \ Q rv' s" in hoare_post_imp) apply simp apply (rule hoare_pre, wp hoare_vcg_ex_lift user_getreg_rv) apply (clarsimp simp: obj_at'_def) @@ -2309,7 +2309,7 @@ proof - set_ep_valid_objs' setObject_no_0_obj'[where 'a=endpoint, folded setEndpoint_def] | strengthen not_obj_at'_strengthen)+ - apply (rule_tac Q="\_ s. hd (epQueue send_ep) \ curThread + apply (rule_tac Q'="\_ s. hd (epQueue send_ep) \ curThread \ pred_tcb_at' itcbState ((=) (tcbState xa)) (hd (epQueue send_ep)) s" in hoare_post_imp) apply fastforce diff --git a/proof/crefine/ARM_HYP/Fastpath_Equiv.thy b/proof/crefine/ARM_HYP/Fastpath_Equiv.thy index 03a8f009b0..99b1e043df 100644 --- a/proof/crefine/ARM_HYP/Fastpath_Equiv.thy +++ b/proof/crefine/ARM_HYP/Fastpath_Equiv.thy @@ -250,7 +250,7 @@ lemma ctes_of_Some_cte_wp_at: lemma user_getreg_wp: "\\s. tcb_at' t s \ (\rv. obj_at' (\tcb. (user_regs o atcbContextGet o tcbArch) tcb r = rv) t s \ Q rv s)\ asUser t (getRegister r) \Q\" - apply (rule_tac Q="\rv s. \rv'. rv' = rv \ Q rv' s" in hoare_post_imp) + apply (rule_tac Q'="\rv s. \rv'. rv' = rv \ Q rv' s" in hoare_post_imp) apply simp apply (rule hoare_pre, wp hoare_vcg_ex_lift user_getreg_rv) apply (clarsimp simp: obj_at'_def) diff --git a/proof/crefine/ARM_HYP/Finalise_C.thy b/proof/crefine/ARM_HYP/Finalise_C.thy index c8511b29c0..2172eadadf 100644 --- a/proof/crefine/ARM_HYP/Finalise_C.thy +++ b/proof/crefine/ARM_HYP/Finalise_C.thy 
@@ -754,7 +754,7 @@ lemma suspend_ccorres: apply ceqv apply (ctac(no_vcg) add: setThreadState_ccorres_simple) apply (ctac add: tcbSchedDequeue_ccorres) - apply (rule_tac Q="\_. valid_objs' and tcb_at' thread and pspace_aligned' and pspace_distinct'" + apply (rule_tac Q'="\_. valid_objs' and tcb_at' thread and pspace_aligned' and pspace_distinct'" in hoare_post_imp) apply clarsimp apply (wp sts_valid_objs')[1] @@ -1592,7 +1592,7 @@ lemma unmapPageTable_ccorres: apply wp apply (fastforce simp: guard_is_UNIV_def Collect_const_mem Let_def shiftl_t2n field_simps lookup_pd_slot_def table_bits_defs) - apply (rule_tac Q="\rv s. (case rv of Some pd \ page_directory_at' pd s | _ \ True) \ invs' s" + apply (rule_tac Q'="\rv s. (case rv of Some pd \ page_directory_at' pd s | _ \ True) \ invs' s" in hoare_post_imp) apply (clarsimp simp: lookup_pd_slot_def Let_def mask_add_aligned less_pptrBase_valid_pde_offset'' @@ -2259,7 +2259,7 @@ lemma associateVCPUTCB_ccorres: apply ((wpsimp wp: hoare_vcg_all_lift hoare_drop_imps | strengthen invs_valid_objs' invs_arch_state')+)[1] apply (vcg exspec=dissociateVCPUTCB_modifies) - apply (rule_tac Q="\_. invs' and vcpu_at' vcpuptr and tcb_at' tptr" in hoare_post_imp) + apply (rule_tac Q'="\_. invs' and vcpu_at' vcpuptr and tcb_at' tptr" in hoare_post_imp) apply (clarsimp simp: valid_vcpu'_def typ_at_tcb' obj_at'_def projectKOs) apply (rename_tac vcpu obj, case_tac vcpu) apply (fastforce simp: valid_arch_tcb'_def) diff --git a/proof/crefine/ARM_HYP/Invoke_C.thy b/proof/crefine/ARM_HYP/Invoke_C.thy index ad276e5036..78502779c2 100644 --- a/proof/crefine/ARM_HYP/Invoke_C.thy +++ b/proof/crefine/ARM_HYP/Invoke_C.thy 
@@ -75,7 +75,7 @@ lemma setDomain_ccorres: apply (simp add: guard_is_UNIV_def) apply simp apply wp - apply (rule_tac Q="\_. all_invs_but_sch_extra and tcb_at' t and sch_act_simple + apply (rule_tac Q'="\_. all_invs_but_sch_extra and tcb_at' t and sch_act_simple and (\s. curThread = ksCurThread s)" in hoare_strengthen_post) apply (wp threadSet_all_invs_but_sch_extra) @@ -83,7 +83,7 @@ lemma setDomain_ccorres: sch_act_simple_def st_tcb_at'_def weak_sch_act_wf_def split: if_splits) apply (simp add: guard_is_UNIV_def) - apply (rule_tac Q="\_. invs' and tcb_at' t and sch_act_simple and (\s. curThread = ksCurThread s)" + apply (rule_tac Q'="\_. invs' and tcb_at' t and sch_act_simple and (\s. curThread = ksCurThread s)" in hoare_strengthen_post) apply (wp weak_sch_act_wf_lift_linear tcbSchedDequeue_not_queued hoare_vcg_imp_lift hoare_vcg_all_lift) @@ -770,7 +770,7 @@ lemma decodeCNodeInvocation_ccorres: apply (rule_tac Q'="\rv. valid_pspace' and valid_cap' rv and valid_objs' and tcb_at' thread and (\s. sch_act_wf (ksSchedulerAction s) s)" - in hoare_vcg_R_conj) + in hoare_vcg_conj_liftE_R) apply (rule deriveCap_Null_helper[OF deriveCap_derived]) apply wp apply (clarsimp simp: cte_wp_at_ctes_of) @@ -846,7 +846,7 @@ lemma decodeCNodeInvocation_ccorres: apply (rule_tac Q'="\rv. valid_pspace' and valid_cap' rv and valid_objs' and tcb_at' thread and (\s. sch_act_wf (ksSchedulerAction s) s)" - in hoare_vcg_R_conj) + in hoare_vcg_conj_liftE_R) apply (rule deriveCap_Null_helper [OF deriveCap_derived]) apply wp apply (clarsimp simp: cte_wp_at_ctes_of) @@ -967,7 +967,7 @@ lemma decodeCNodeInvocation_ccorres: apply (clarsimp simp:valid_updateCapDataI invs_valid_objs' invs_valid_pspace') apply assumption apply (wp hoare_vcg_all_liftE_R injection_wp_E[OF refl] - lsfco_cte_at' hoare_vcg_const_imp_lift_R + lsfco_cte_at' hoare_vcg_const_imp_liftE_R )+ apply (simp add: Collect_const_mem word_sle_def word_sless_def all_ex_eq_helper) 
@@ -1344,7 +1344,7 @@ lemma decodeCNodeInvocation_ccorres: apply (rule ccorres_return_C_errorE, simp+)[1] apply vcg apply simp - apply (wp injection_wp_E[OF refl] hoare_vcg_const_imp_lift_R + apply (wp injection_wp_E[OF refl] hoare_vcg_const_imp_liftE_R hoare_vcg_all_liftE_R lsfco_cte_at' hoare_weak_lift_imp | simp add: hasCancelSendRights_not_Null ctes_of_valid_strengthen cong: conj_cong diff --git a/proof/crefine/ARM_HYP/IpcCancel_C.thy b/proof/crefine/ARM_HYP/IpcCancel_C.thy index 6e37692e84..876185269a 100644 --- a/proof/crefine/ARM_HYP/IpcCancel_C.thy +++ b/proof/crefine/ARM_HYP/IpcCancel_C.thy @@ -2804,7 +2804,7 @@ lemma cancelIPC_ccorres1: ghost_assertion_data_set_def cap_tag_defs) apply (simp add: locateSlot_conv, wp) apply vcg - apply (rule_tac Q="\rv. tcb_at' thread and invs'" in hoare_post_imp) + apply (rule_tac Q'="\rv. tcb_at' thread and invs'" in hoare_post_imp) apply (clarsimp simp: cte_wp_at_ctes_of capHasProperty_def cap_get_tag_isCap ucast_id) apply (wp threadSet_invs_trivial | simp)+ diff --git a/proof/crefine/ARM_HYP/Ipc_C.thy b/proof/crefine/ARM_HYP/Ipc_C.thy index 349347e86d..376139a7dc 100644 --- a/proof/crefine/ARM_HYP/Ipc_C.thy +++ b/proof/crefine/ARM_HYP/Ipc_C.thy @@ -1455,7 +1455,7 @@ lemma asUser_atcbContext_obj_at: lemma asUser_tcbFault_inv: "\\s. \t. ko_at' t p' s \ tcbFault t = f\ asUser p m \\rv s. \t. ko_at' t p' s \ tcbFault t = f\" - apply (rule_tac Q="\rv. obj_at' (\t. tcbFault t = f) p'" + apply (rule_tac Q'="\rv. obj_at' (\t. tcbFault t = f) p'" in hoare_strengthen_post) apply (wp asUser_tcbFault_obj_at) apply (clarsimp simp: obj_at'_def)+ 
@@ -3782,7 +3782,7 @@ lemma doIPCTransfer_ccorres [corres]: fault_to_fault_tag_nonzero) apply ctac apply (clarsimp simp: guard_is_UNIV_def option_to_ptr_def split: option.splits) - apply (rule_tac Q="\rv. valid_pspace' and cur_tcb' and tcb_at' sender + apply (rule_tac Q'="\rv. valid_pspace' and cur_tcb' and tcb_at' sender and tcb_at' receiver and K (rv \ Some 0) and (case_option \ valid_ipc_buffer_ptr' rv) and K (receiver \ sender \ endpoint \ Some 0)" @@ -4549,7 +4549,7 @@ lemma doReplyTransfer_ccorres [corres]: | simp add: valid_tcb_state'_def)+)[1] apply (clarsimp simp: guard_is_UNIV_def ThreadState_defs mask_def option_to_ctcb_ptr_def) - apply (rule_tac Q="\rv. tcb_at' receiver and + apply (rule_tac Q'="\rv. tcb_at' receiver and valid_objs' and sch_act_simple and (\s. ksCurDomain s \ maxDomain) and (\s. sch_act_wf (ksSchedulerAction s) s) and pspace_aligned' and pspace_distinct'" in hoare_post_imp) @@ -4647,7 +4647,7 @@ lemma setupCallerCap_ccorres [corres]: ptr_add_assertion_positive Collect_const_mem tcb_cnode_index_defs) apply simp - apply (rule_tac Q="\rv. valid_pspace' and tcb_at' receiver" in hoare_post_imp) + apply (rule_tac Q'="\rv. valid_pspace' and tcb_at' receiver" in hoare_post_imp) apply (auto simp: cte_wp_at_ctes_of isCap_simps tcbSlots Kernel_C.tcbCaller_def size_of_def cte_level_bits_def)[1] @@ -6004,7 +6004,7 @@ lemma receiveIPC_ccorres [corres]: apply (fastforce simp: guard_is_UNIV_def ThreadState_defs mask_def cap_get_tag_isCap ccap_relation_ep_helpers) apply (clarsimp simp: valid_tcb_state'_def) - apply (rule_tac Q="\_. valid_pspace' + apply (rule_tac Q'="\_. valid_pspace' and st_tcb_at' ((=) sendState) sender and tcb_at' thread and (\s. sch_act_wf (ksSchedulerAction s) s) and sch_act_not sender and K (thread \ sender) 
@@ -6012,7 +6012,7 @@ lemma receiveIPC_ccorres [corres]: apply (fastforce simp: valid_pspace_valid_objs' pred_tcb_at'_def sch_act_wf_weak obj_at'_def) apply (wpsimp simp: guard_is_UNIV_def option_to_ptr_def option_to_0_def conj_ac)+ - apply (rule_tac Q="\rv. valid_pspace' + apply (rule_tac Q'="\rv. valid_pspace' and cur_tcb' and tcb_at' sender and tcb_at' thread and sch_act_not sender and K (thread \ sender) and ep_at' (capEPPtr cap) @@ -6302,7 +6302,7 @@ lemma sendSignal_ccorres [corres]: apply (ctac add: possibleSwitchTo_ccorres) apply (wp sts_valid_objs' sts_st_tcb_at'_cases | simp add: option_to_ctcb_ptr_def split del: if_split)+ - apply (rule_tac Q="\_. tcb_at' (the (ntfnBoundTCB ntfn)) and invs'" + apply (rule_tac Q'="\_. tcb_at' (the (ntfnBoundTCB ntfn)) and invs'" in hoare_post_imp) apply auto[1] apply wp @@ -6668,7 +6668,7 @@ lemma receiveSignal_ccorres [corres]: apply (rule receiveSignal_enqueue_ccorres_helper[simplified]) apply (simp add: valid_ntfn'_def) apply (wp sts_st_tcb') - apply (rule_tac Q="\rv. ko_wp_at' (\x. projectKO_opt x = Some ntfn + apply (rule_tac Q'="\rv. ko_wp_at' (\x. projectKO_opt x = Some ntfn \ projectKO_opt x = (None::tcb option)) (capNtfnPtr cap)" in hoare_post_imp) @@ -6735,7 +6735,7 @@ lemma receiveSignal_ccorres [corres]: apply (rule_tac ntfn="ntfn" in receiveSignal_enqueue_ccorres_helper[simplified]) apply (simp add: valid_ntfn'_def) apply (wp sts_st_tcb') - apply (rule_tac Q="\rv. ko_wp_at' (\x. projectKO_opt x = Some ntfn + apply (rule_tac Q'="\rv. ko_wp_at' (\x. projectKO_opt x = Some ntfn \ projectKO_opt x = (None::tcb option)) (capNtfnPtr cap) and K (thread \ set list)" diff --git a/proof/crefine/ARM_HYP/IsolatedThreadAction.thy b/proof/crefine/ARM_HYP/IsolatedThreadAction.thy index c8d92d2af5..4fad3331b4 100644 --- a/proof/crefine/ARM_HYP/IsolatedThreadAction.thy +++ b/proof/crefine/ARM_HYP/IsolatedThreadAction.thy 
@@ -573,7 +573,7 @@ lemma thread_actions_isolatable_assert[simp]: lemma doMachineOp_isolatable: "thread_actions_isolatable idx (doMachineOp m)" apply (simp add: doMachineOp_def split_def) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] gets_isolatable thread_actions_isolatable_returns modify_isolatable select_f_isolatable) apply (simp | wp)+ @@ -593,8 +593,8 @@ lemma findPDForASID_isolatable: case_option_If2 assertE_def liftE_def checkPDAt_def stateAssert_def2 cong: if_cong) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] - thread_actions_isolatable_bindE[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] + thread_actions_isolatable_bindE[OF _ _ hoare_weaken_pre] thread_actions_isolatable_if thread_actions_isolatable_returns thread_actions_isolatable_fail gets_isolatable getObject_isolatable) @@ -615,9 +615,9 @@ lemma getHWASID_isolatable: invalidateHWASIDEntry_def storeHWASID_def cong: if_cong) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] - thread_actions_isolatable_bindE[OF _ _ hoare_pre(1)] - thread_actions_isolatable_catch[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] + thread_actions_isolatable_bindE[OF _ _ hoare_weaken_pre] + thread_actions_isolatable_catch[OF _ _ hoare_weaken_pre] thread_actions_isolatable_if thread_actions_isolatable_returns thread_actions_isolatable_fail gets_isolatable modify_isolatable @@ -683,7 +683,7 @@ lemma setVCPU_isolatable: lemma vcpuUpdate_isolatable: "thread_actions_isolatable idx (vcpuUpdate p f)" apply (clarsimp simp: vcpuUpdate_def) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] getVCPU_isolatable setVCPU_isolatable |wp|assumption|clarsimp)+ done 
@@ -699,7 +699,7 @@ lemma vgicUpdateLR_isolatable: lemma vcpuWriteReg_isolatable: "thread_actions_isolatable idx (vcpuWriteReg v p val)" apply (clarsimp simp: vcpuWriteReg_def) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] vcpuUpdate_isolatable doMachineOp_isolatable | wpsimp)+ done @@ -707,7 +707,7 @@ lemma vcpuWriteReg_isolatable: lemma vcpuReadReg_isolatable: "thread_actions_isolatable idx (vcpuReadReg v p)" apply (clarsimp simp: vcpuReadReg_def) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] vcpuUpdate_isolatable getVCPU_isolatable thread_actions_isolatable_return | wpsimp)+ done @@ -715,7 +715,7 @@ lemma vcpuReadReg_isolatable: lemma vcpuSaveReg_isolatable: "thread_actions_isolatable idx (vcpuSaveReg p v)" apply (clarsimp simp: vcpuSaveReg_def) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] vcpuUpdate_isolatable doMachineOp_isolatable |wpsimp)+ done @@ -723,7 +723,7 @@ lemma vcpuSaveReg_isolatable: lemma vcpuRestoreReg_isolatable: "thread_actions_isolatable idx (vcpuRestoreReg p v)" apply (clarsimp simp: vcpuRestoreReg_def) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] vcpuUpdate_isolatable doMachineOp_isolatable getVCPU_isolatable |wpsimp)+ done 
@@ -732,14 +732,14 @@ lemma thread_actions_isolatable_mapM_x: "\ \x. thread_actions_isolatable idx (f x); \x t. f x \tcb_at' t\ \ \ thread_actions_isolatable idx (mapM_x f xs)" apply (induct xs; clarsimp simp: mapM_x_Nil mapM_x_Cons thread_actions_isolatable_returns) - apply (rule thread_actions_isolatable_bind[OF _ _ hoare_pre(1)]; clarsimp?) + apply (rule thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre]; clarsimp?) apply assumption+ done lemma vcpuSaveRegRange_isolatable: "thread_actions_isolatable idx (vcpuSaveRegRange p r rt)" apply (clarsimp simp: vcpuSaveRegRange_def) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] vcpuSaveReg_isolatable thread_actions_isolatable_mapM_x | wpsimp)+ done @@ -747,7 +747,7 @@ lemma vcpuSaveRegRange_isolatable: lemma vcpuRestoreRegRange_isolatable: "thread_actions_isolatable idx (vcpuRestoreRegRange p r rt)" apply (clarsimp simp: vcpuRestoreRegRange_def) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] vcpuRestoreReg_isolatable thread_actions_isolatable_mapM_x | wpsimp)+ done @@ -755,7 +755,7 @@ lemma vcpuRestoreRegRange_isolatable: lemma saveVirtTimer_isolatable: "thread_actions_isolatable idx (saveVirtTimer v)" apply (clarsimp simp: saveVirtTimer_def) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] thread_actions_isolatable_if thread_actions_isolatable_returns thread_actions_isolatable_fail gets_isolatable doMachineOp_isolatable vcpuSaveReg_isolatable 
@@ -766,7 +766,7 @@ lemma saveVirtTimer_isolatable: lemma getIRQState_isolatable: "thread_actions_isolatable idx (getIRQState irq)" apply (clarsimp simp: getIRQState_def liftM_def getInterruptState_def) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] thread_actions_isolatable_returns gets_isolatable | wpsimp | fastforce)+ done @@ -774,7 +774,7 @@ lemma getIRQState_isolatable: lemma restoreVirtTimer_isolatable: "thread_actions_isolatable idx (restoreVirtTimer v)" apply (clarsimp simp: restoreVirtTimer_def when_def isIRQActive_def liftM_bind) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] thread_actions_isolatable_if thread_actions_isolatable_returns thread_actions_isolatable_fail gets_isolatable doMachineOp_isolatable vcpuSaveReg_isolatable @@ -788,7 +788,7 @@ lemma vcpuSave_isolatable: supply if_split[split del] apply (clarsimp simp: vcpuSave_def armvVCPUSave_def thread_actions_isolatable_fail when_def split: option.splits) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] thread_actions_isolatable_if thread_actions_isolatable_returns thread_actions_isolatable_fail gets_isolatable doMachineOp_isolatable vcpuSaveReg_isolatable @@ -801,7 +801,7 @@ lemma vcpuSave_isolatable: lemma vcpuEnable_isolatable: "thread_actions_isolatable idx (vcpuEnable v)" apply (clarsimp simp: vcpuEnable_def) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] vcpuRestoreReg_isolatable doMachineOp_isolatable getVCPU_isolatable restoreVirtTimer_isolatable | wpsimp)+ 
@@ -810,7 +810,7 @@ lemma vcpuEnable_isolatable: lemma vcpuRestore_isolatable: "thread_actions_isolatable idx (vcpuRestore v)" apply (clarsimp simp: vcpuRestore_def) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] getVCPU_isolatable gets_isolatable doMachineOp_isolatable vcpuEnable_isolatable vcpuRestoreRegRange_isolatable | wpsimp)+ @@ -819,7 +819,7 @@ lemma vcpuRestore_isolatable: lemma vcpuDisable_isolatable: "thread_actions_isolatable idx (vcpuDisable v)" apply (clarsimp simp: vcpuDisable_def split: option.splits, intro conjI) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] doMachineOp_isolatable vcpuEnable_isolatable vgicUpdate_isolatable vcpuSaveReg_isolatable saveVirtTimer_isolatable | wpsimp)+ @@ -830,16 +830,16 @@ lemma vcpuSwitch_isolatable: supply if_cong[cong] option.case_cong[cong] apply (clarsimp simp: vcpuSwitch_def when_def split: option.splits) apply (safe intro!: - thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] - thread_actions_isolatable_bindE[OF _ _ hoare_pre(1)] - thread_actions_isolatable_catch[OF _ _ hoare_pre(1)] + thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] + thread_actions_isolatable_bindE[OF _ _ hoare_weaken_pre] + thread_actions_isolatable_catch[OF _ _ hoare_weaken_pre] thread_actions_isolatable_if thread_actions_isolatable_returns thread_actions_isolatable_fail gets_isolatable) apply (clarsimp simp: thread_actions_isolatable_returns split: option.splits |intro thread_actions_isolatable_if thread_actions_isolatable_returns - thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] + thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] vcpuSave_isolatable vcpuRestore_isolatable vcpuDisable_isolatable vcpuEnable_isolatable modifyArchState_isolatable conjI doMachineOp_isolatable 
@@ -901,9 +901,9 @@ lemma setVMRoot_isolatable: checkPDNotInASIDMap_def stateAssert_def2 checkPDASIDMapMembership_def armv_contextSwitch_def cong: if_cong) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] - thread_actions_isolatable_bindE[OF _ _ hoare_pre(1)] - thread_actions_isolatable_catch[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] + thread_actions_isolatable_bindE[OF _ _ hoare_weaken_pre] + thread_actions_isolatable_catch[OF _ _ hoare_weaken_pre] thread_actions_isolatable_if thread_actions_isolatable_returns thread_actions_isolatable_fail gets_isolatable getCTE_isolatable getHWASID_isolatable @@ -1211,7 +1211,7 @@ lemma setThreadState_no_sch_change: (is "Nondet_VCG.valid ?P ?f ?Q") apply (simp add: setThreadState_def setSchedulerAction_def) apply (wp hoare_pre_cont[where f=rescheduleRequired]) - apply (rule_tac Q="\_. ?P and st_tcb_at' ((=) st) t" in hoare_post_imp) + apply (rule_tac Q'="\_. ?P and st_tcb_at' ((=) st) t" in hoare_post_imp) apply (clarsimp split: if_split) apply (clarsimp simp: obj_at'_def st_tcb_at'_def projectKOs) apply (wp threadSet_pred_tcb_at_state) @@ -1273,7 +1273,7 @@ lemma setEndpoint_isolatable: apply (simp add: obj_at_partial_overwrite_id2) apply (drule_tac x=x in spec) apply (clarsimp simp: obj_at'_def projectKOs select_f_asserts) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] thread_actions_isolatable_if thread_actions_isolatable_return thread_actions_isolatable_fail) 
@@ -1421,7 +1421,7 @@ lemma cteInsert_isolatable: supply if_split[split del] if_cong[cong] apply (simp add: cteInsert_def updateCap_def updateMDB_def Let_def setUntypedCapAsFull_def) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] thread_actions_isolatable_if thread_actions_isolatable_returns assert_isolatable getCTE_isolatable setCTE_isolatable) @@ -1507,7 +1507,7 @@ lemma switchToThread_isolatable: "thread_actions_isolatable idx (Arch.switchToThread t)" apply (simp add: switchToThread_def getTCB_threadGet storeWordUser_def stateAssert_def2) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] gets_isolatable setVMRoot_isolatable thread_actions_isolatable_if doMachineOp_isolatable @@ -1528,7 +1528,7 @@ lemma tcbQueued_put_tcb_state_regs_tcb: lemma idleThreadNotQueued_isolatable: "thread_actions_isolatable idx (stateAssert idleThreadNotQueued [])" apply (simp add: stateAssert_def2 stateAssert_def) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] gets_isolatable thread_actions_isolatable_if thread_actions_isolatable_returns @@ -1745,7 +1745,7 @@ lemma updateMDB_isolatable: "thread_actions_isolatable idx (updateMDB slot f)" apply (simp add: updateMDB_def thread_actions_isolatable_return split: if_split) - apply (intro impI thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] + apply (intro impI thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] getCTE_isolatable setCTE_isolatable, (wp | simp)+) done 
@@ -1767,7 +1767,7 @@ lemma emptySlot_isolatable: "thread_actions_isolatable idx (emptySlot slot NullCap)" apply (simp add: emptySlot_def updateCap_def case_Null_If Retype_H.postCapDeletion_def cong: if_cong) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] clearUntypedFreeIndex_isolatable thread_actions_isolatable_if getCTE_isolatable setCTE_isolatable diff --git a/proof/crefine/ARM_HYP/Refine_C.thy b/proof/crefine/ARM_HYP/Refine_C.thy index 7db89fdaf7..d54fc1d452 100644 --- a/proof/crefine/ARM_HYP/Refine_C.thy +++ b/proof/crefine/ARM_HYP/Refine_C.thy @@ -80,7 +80,7 @@ proof - apply (wp schedule_sch_act_wf schedule_invs' | strengthen invs_valid_objs_strengthen invs_pspace_aligned' invs_pspace_distinct')+ apply simp - apply (rule_tac Q="\rv s. invs' s \ (\x. rv = Some x \ x \ Kernel_Config.maxIRQ) \ + apply (rule_tac Q'="\rv s. invs' s \ (\x. rv = Some x \ x \ Kernel_Config.maxIRQ) \ sch_act_not (ksCurThread s) s" in hoare_post_imp) apply (solves clarsimp) @@ -370,7 +370,7 @@ lemma handleSyscall_ccorres: apply wp[1] apply clarsimp apply wp - apply (rule_tac Q="\rv s. ct_in_state' simple' s \ sch_act_sane s" + apply (rule_tac Q'="\rv s. ct_in_state' simple' s \ sch_act_sane s" in hoare_post_imp) apply (simp add: ct_in_state'_def) apply (wp handleReply_sane) 
@@ -408,15 +408,15 @@ lemma handleSyscall_ccorres: | wpc | wp hoare_drop_imp handleReply_sane handleReply_nonz_cap_to_ct schedule_invs' | strengthen ct_active_not_idle'_strengthen invs_valid_objs_strengthen)+ - apply (rule_tac Q="\rv. invs' and ct_active'" in hoare_post_imp, simp) + apply (rule_tac Q'="\rv. invs' and ct_active'" in hoare_post_imp, simp) apply (wp hy_invs') apply (clarsimp simp add: liftE_def) apply wp - apply (rule_tac Q="\rv. invs' and ct_active'" in hoare_post_imp, simp) + apply (rule_tac Q'="\rv. invs' and ct_active'" in hoare_post_imp, simp) apply (wp hy_invs') apply (clarsimp simp: liftE_def) apply (wp) - apply (rule_tac Q="\_. invs'" in hoare_post_imp, simp) + apply (rule_tac Q'="\_. invs'" in hoare_post_imp, simp) apply (wp hw_invs') apply (simp add: guard_is_UNIV_def) apply clarsimp diff --git a/proof/crefine/ARM_HYP/Retype_C.thy b/proof/crefine/ARM_HYP/Retype_C.thy index 37edfdae5d..53b9ab7c7a 100644 --- a/proof/crefine/ARM_HYP/Retype_C.thy +++ b/proof/crefine/ARM_HYP/Retype_C.thy @@ -7196,7 +7196,7 @@ lemma createObject_valid_cap': apply (simp add:createObject_def3) apply (rule hoare_pre) apply wp - apply (rule_tac Q = "\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) + apply (rule_tac Q'="\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) apply (rule hoare_vcg_conj_lift) apply (rule hoare_strengthen_post[OF createNewCaps_ret_len]) apply clarsimp @@ -7268,7 +7268,7 @@ lemma createObject_caps_overlap_reserved_ret': apply (simp add:createObject_def3) apply (rule hoare_pre) apply wp - apply (rule_tac Q = "\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) + apply (rule_tac Q'="\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) apply (rule hoare_vcg_conj_lift) apply (rule hoare_strengthen_post[OF createNewCaps_ret_len]) apply clarsimp 
@@ -7291,7 +7291,7 @@ lemma createObject_descendants_range': apply (simp add:createObject_def3) apply (rule hoare_pre) apply wp - apply (rule_tac Q = "\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) + apply (rule_tac Q'="\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) apply (rule hoare_vcg_conj_lift) apply (rule hoare_strengthen_post[OF createNewCaps_ret_len]) apply clarsimp @@ -7322,7 +7322,7 @@ lemma createObject_idlethread_range: apply (simp add:createObject_def3) apply (rule hoare_pre) apply wp - apply (rule_tac Q = "\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) + apply (rule_tac Q'="\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) apply (rule hoare_vcg_conj_lift) apply (rule hoare_strengthen_post[OF createNewCaps_ret_len]) apply clarsimp @@ -7342,7 +7342,7 @@ lemma createObject_IRQHandler: apply (simp add:createObject_def3) apply (rule hoare_pre) apply wp - apply (rule_tac Q = "\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) + apply (rule_tac Q'="\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) apply (rule hoare_vcg_conj_lift) apply (rule hoare_strengthen_post[OF createNewCaps_ret_len]) apply clarsimp @@ -7360,7 +7360,7 @@ lemma createObject_capClass[wp]: apply (simp add:createObject_def3) apply (rule hoare_pre) apply wp - apply (rule_tac Q = "\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) + apply (rule_tac Q'="\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) apply (rule hoare_vcg_conj_lift) apply (rule hoare_strengthen_post[OF createNewCaps_ret_len]) apply clarsimp @@ -7407,7 +7407,7 @@ lemma createObject_parent_helper: \ createObject ty ptr us dev \\rv. cte_wp_at' (\cte. isUntypedCap (cteCap cte) \ (sameRegionAs (cteCap cte) rv)) p\" - apply (rule hoare_post_imp [where Q="\rv s. \cte. cte_wp_at' ((=) cte) p s + apply (rule hoare_post_imp[where Q'="\rv s. \cte. cte_wp_at' ((=) cte) p s \ isUntypedCap (cteCap cte) \ sameRegionAs (cteCap cte) rv"]) apply (clarsimp simp:cte_wp_at_ctes_of) 
@@ -8152,7 +8152,7 @@ shows "ccorres dc xfdc (cnodeptr + (of_nat k * 0x10 + start * 0x10 + of_nat n * 0x10)) s) \ descendants_range_in' {(of_nat n << APIType_capBits newType userSize) + ptr.. (ptr && ~~ mask sz) + 2 ^ sz - 1} srcSlot (ctes_of s)" - in hoare_pre(1)) + in hoare_weaken_pre) apply wp apply (clarsimp simp:createObject_hs_preconds_def conj_comms invs_valid_pspace' invs_pspace_distinct' invs_pspace_aligned' diff --git a/proof/crefine/ARM_HYP/Schedule_C.thy b/proof/crefine/ARM_HYP/Schedule_C.thy index 4c0ca2714c..858e21009b 100644 --- a/proof/crefine/ARM_HYP/Schedule_C.thy +++ b/proof/crefine/ARM_HYP/Schedule_C.thy @@ -70,7 +70,7 @@ lemma Arch_switchToThread_ccorres: apply wpsimp+ apply (vcg exspec=vcpu_switch_modifies) apply wpsimp+ - apply (rule_tac Q="\rv s. all_invs_but_ct_idle_or_in_cur_domain' s + apply (rule_tac Q'="\rv s. all_invs_but_ct_idle_or_in_cur_domain' s \ case_option (\_. True) (ko_wp_at' (is_vcpu' and hyp_live')) (atcbVCPUPtr (tcbArch rv)) s \ obj_at' (\t::tcb. True) t s" in hoare_strengthen_post[rotated]) apply (clarsimp simp: vcpu_at_is_vcpu' elim!: ko_wp_at'_weakenE split: option.splits) @@ -677,7 +677,7 @@ lemma schedule_ccorres: apply wp apply clarsimp (* when runnable tcbSchedEnqueue curThread *) - apply (rule_tac Q="\rv s. invs' s \ ksCurThread s = curThread + apply (rule_tac Q'="\rv s. invs' s \ ksCurThread s = curThread \ ksSchedulerAction s = SwitchToThread candidate" in hoare_post_imp) apply (clarsimp simp: invs'_bitmapQ_no_L1_orphans invs_ksCurDomain_maxDomain') apply (fastforce dest: invs_sch_act_wf') diff --git a/proof/crefine/ARM_HYP/SyscallArgs_C.thy b/proof/crefine/ARM_HYP/SyscallArgs_C.thy index f8b79a93ac..f94d5c2bd8 100644 --- a/proof/crefine/ARM_HYP/SyscallArgs_C.thy +++ b/proof/crefine/ARM_HYP/SyscallArgs_C.thy 
@@ -1039,7 +1039,7 @@ lemma getMRs_user_word: linorder_not_less [symmetric]) apply (wp mapM_loadWordUser_user_words_at) apply (wp hoare_vcg_all_lift) - apply (rule_tac Q="\_. \" in hoare_strengthen_post) + apply (rule_tac Q'="\_. \" in hoare_strengthen_post) apply wp apply clarsimp defer @@ -1095,7 +1095,7 @@ lemma getMRs_rel: apply (rule hoare_pre) apply (rule_tac x=mi in hoare_exI) apply wp - apply (rule_tac Q="\rv s. thread = ksCurThread s \ fst (getMRs thread buffer mi s) = {(rv,s)}" in hoare_strengthen_post) + apply (rule_tac Q'="\rv s. thread = ksCurThread s \ fst (getMRs thread buffer mi s) = {(rv,s)}" in hoare_strengthen_post) apply (wp det_result det_wp_getMRs) apply clarsimp apply (clarsimp simp: cur_tcb'_def) @@ -1263,7 +1263,7 @@ lemma getSyscallArg_ccorres_foo: apply (clarsimp simp: option_to_ptr_def option_to_0_def) apply (rule_tac P="\s. valid_ipc_buffer_ptr' (ptr_val (Ptr b)) s \ i < msgLength mi \ msgLength mi \ msgMaxLength \ scast n_msgRegisters \ i" - in hoare_pre(1)) + in hoare_weaken_pre) apply (wp getMRs_user_word) apply (clarsimp simp: msgMaxLength_def unat_less_helper) apply fastforce diff --git a/proof/crefine/ARM_HYP/Syscall_C.thy b/proof/crefine/ARM_HYP/Syscall_C.thy index 3c0c5f044e..3476c56537 100644 --- a/proof/crefine/ARM_HYP/Syscall_C.thy +++ b/proof/crefine/ARM_HYP/Syscall_C.thy @@ -259,7 +259,7 @@ lemma decodeInvocation_ccorres: apply simp apply (vcg exspec=performInvocation_Reply_modifies) apply (simp add: cur_tcb'_def[symmetric]) - apply (rule_tac R="\rv s. ksCurThread s = thread" in hoare_post_add) + apply (rule_tac Q'="\rv s. ksCurThread s = thread" in hoare_post_add) apply (simp cong: conj_cong) apply (strengthen imp_consequent) apply (wp sts_invs_minor' sts_st_tcb_at'_cases) 
@@ -712,9 +712,9 @@ lemma sendFaultIPC_ccorres: , assumption) apply vcg apply (clarsimp simp: inQ_def) - apply (rule_tac Q="\a b. invs' b \ st_tcb_at' simple' tptr b + apply (rule_tac Q'="\a b. invs' b \ st_tcb_at' simple' tptr b \ sch_act_not tptr b \ valid_cap' a b" - and E="\ _. \" + and E'="\ _. \" in hoare_strengthen_postE) apply (wp) apply (clarsimp simp: isCap_simps) @@ -944,8 +944,8 @@ lemma handleInvocation_ccorres: apply (rule ccorres_return_C_errorE, simp+)[1] apply vcg apply (simp add: invocationCatch_def o_def) - apply (rule_tac Q="\rv'. invs' and tcb_at' rv" - and E="\ft. invs' and tcb_at' rv" + apply (rule_tac Q'="\rv'. invs' and tcb_at' rv" + and E'="\ft. invs' and tcb_at' rv" in hoare_strengthen_postE) apply (wp hoare_split_bind_case_sumE hoare_drop_imps setThreadState_nonqueued_state_update @@ -1997,7 +1997,7 @@ proof - (* clean up get_gic_vcpu_ctrl_misr postcondition *) apply (wp hoare_vcg_all_lift) - apply (rule_tac Q="\_ s. ?PRE s \ armHSCurVCPU (ksArchState s) = Some (vcpuPtr, active)" in hoare_post_imp) + apply (rule_tac Q'="\_ s. ?PRE s \ armHSCurVCPU (ksArchState s) = Some (vcpuPtr, active)" in hoare_post_imp) apply clarsimp apply (clarsimp simp: invs'_HScurVCPU_vcpu_at' valid_arch_state'_def max_armKSGICVCPUNumListRegs_def dest!: invs_arch_state') apply (erule eisr_calc_signed_limits) diff --git a/proof/crefine/ARM_HYP/Tcb_C.thy b/proof/crefine/ARM_HYP/Tcb_C.thy index 379b114362..761e00e61f 100644 --- a/proof/crefine/ARM_HYP/Tcb_C.thy +++ b/proof/crefine/ARM_HYP/Tcb_C.thy @@ -422,7 +422,7 @@ lemma setPriority_ccorres: simp: st_tcb_at'_def o_def split: if_splits) apply (simp add: guard_is_UNIV_def) apply (rule hoare_strengthen_post[ - where Q="\rv s. + where Q'="\rv s. obj_at' (\_. True) t s \ priority \ maxPriority \ ksCurDomain s \ maxDomain \ 
@@ -667,8 +667,8 @@ lemma invokeTCB_ThreadControl_ccorres: apply clarsimp apply wp apply (clarsimp simp: guard_is_UNIV_def Collect_const_mem) - apply (rule hoare_strengthen_post [ - where Q= "\rv s. + apply (rule hoare_strengthen_post[ + where Q'="\rv s. valid_objs' s \ weak_sch_act_wf (ksSchedulerAction s) s \ ((\a b. priority = Some (a, b)) \ @@ -759,7 +759,7 @@ lemma invokeTCB_ThreadControl_ccorres: apply (clarsimp simp: guard_is_UNIV_def Collect_const_mem) apply (simp cong: conj_cong) apply (rule hoare_strengthen_post[ - where Q="\a b. (valid_objs' b \ + where Q'="\a b. (valid_objs' b \ sch_act_wf (ksSchedulerAction b) b \ pspace_aligned' b \ pspace_distinct' b \ ((\a b. priority = Some (a, b)) \ @@ -806,7 +806,7 @@ lemma invokeTCB_ThreadControl_ccorres: apply vcg apply (simp add: conj_comms cong: conj_cong) apply (strengthen invs_ksCurDomain_maxDomain' invs_pspace_distinct') - apply (wp hoare_vcg_const_imp_lift_R cteDelete_invs') + apply (wp hoare_vcg_const_imp_liftE_R cteDelete_invs') apply simp apply (rule ccorres_split_nothrow_novcg_dc) apply (rule ccorres_cond2[where R=\], simp add: Collect_const_mem) @@ -1217,13 +1217,13 @@ lemma invokeTCB_CopyRegisters_ccorres: apply (simp add: pred_conj_def guard_is_UNIV_def cong: if_cong | wp mapM_x_wp_inv hoare_drop_imp)+ apply clarsimp - apply (rule_tac Q="\rv. invs' and tcb_at' destn" in hoare_strengthen_post[rotated]) + apply (rule_tac Q'="\rv. invs' and tcb_at' destn" in hoare_strengthen_post[rotated]) apply (fastforce simp: sch_act_wf_weak) apply (wpsimp wp: hoare_drop_imp restart_invs')+ apply (clarsimp simp add: guard_is_UNIV_def) apply (wp hoare_drop_imp hoare_vcg_if_lift)+ apply simp - apply (rule_tac Q="\rv. invs' and tcb_at' destn" in hoare_strengthen_post[rotated]) + apply (rule_tac Q'="\rv. invs' and tcb_at' destn" in hoare_strengthen_post[rotated]) apply (fastforce simp: sch_act_wf_weak) apply (wpsimp wp: hoare_drop_imp)+ apply (clarsimp simp add: guard_is_UNIV_def) 
@@ -1627,7 +1627,7 @@ lemma invokeTCB_WriteRegisters_ccorres[where S=UNIV]: apply wp apply (simp add: guard_is_UNIV_def) apply (wp hoare_drop_imp) - apply (rule_tac Q="\rv. invs' and tcb_at' dst" in hoare_strengthen_post[rotated]) + apply (rule_tac Q'="\rv. invs' and tcb_at' dst" in hoare_strengthen_post[rotated]) apply (fastforce simp: sch_act_wf_weak) apply (wpsimp wp: restart_invs')+ apply (clarsimp simp add: guard_is_UNIV_def) @@ -2142,7 +2142,7 @@ shows apply wp apply (simp add: Collect_const_mem ThreadState_defs mask_def) apply vcg - apply (rule_tac Q="\rv. invs' and st_tcb_at' ((=) Restart) thread + apply (rule_tac Q'="\rv. invs' and st_tcb_at' ((=) Restart) thread and tcb_at' target" in hoare_post_imp) apply (clarsimp simp: pred_tcb_at') apply (auto elim!: pred_tcb'_weakenE)[1] diff --git a/proof/crefine/ARM_HYP/VSpace_C.thy b/proof/crefine/ARM_HYP/VSpace_C.thy index 29920f4016..37006652dd 100644 --- a/proof/crefine/ARM_HYP/VSpace_C.thy +++ b/proof/crefine/ARM_HYP/VSpace_C.thy @@ -2081,7 +2081,7 @@ lemma vcpu_enable_ccorres: apply wpsimp apply (vcg exspec=set_gic_vcpu_ctrl_hcr_modifies) apply wpsimp+ - apply (rule_tac Q="\_. vcpu_at' v" in hoare_post_imp, fastforce) + apply (rule_tac Q'="\_. vcpu_at' v" in hoare_post_imp, fastforce) apply wpsimp apply (clarsimp simp: typ_heap_simps' Collect_const_mem cvcpu_relation_def cvcpu_regs_relation_def Let_def cvgic_relation_def hcrVCPU_def @@ -2761,7 +2761,7 @@ lemma performPageFlush_ccorres: apply (ctac add: setVMRoot_ccorres) apply (rule ccorres_return_Skip) apply (simp add: cur_tcb'_def[symmetric]) - apply (rule_tac Q="\_ s. invs' s \ cur_tcb' s" in hoare_post_imp) + apply (rule_tac Q'="\_ s. invs' s \ cur_tcb' s" in hoare_post_imp) apply (simp add: invs'_invs_no_cicd) apply wp+ apply (rule ccorres_return_Skip) 
@@ -2941,7 +2941,7 @@ lemma performPageDirectoryInvocationFlush_ccorres: apply wp apply (simp add: guard_is_UNIV_def) apply (simp add: cur_tcb'_def[symmetric]) - apply (rule_tac Q="\_ s. invs' s \ cur_tcb' s" in hoare_post_imp) + apply (rule_tac Q'="\_ s. invs' s \ cur_tcb' s" in hoare_post_imp) apply (simp add: invs'_invs_no_cicd) apply wp+ apply (simp) @@ -2995,7 +2995,7 @@ lemma flushPage_ccorres: apply (ctac add: setVMRoot_ccorres) apply (rule ccorres_return_Skip) apply (wp | simp add: cur_tcb'_def[symmetric])+ - apply (rule_tac Q="\_ s. invs' s \ cur_tcb' s" in hoare_post_imp) + apply (rule_tac Q'="\_ s. invs' s \ cur_tcb' s" in hoare_post_imp) apply (simp add: invs'_invs_no_cicd) apply (wp | simp add: cur_tcb'_def[symmetric])+ apply (rule ccorres_return_Skip) @@ -3541,7 +3541,7 @@ lemma unmapPage_ccorres: apply (rule ccorres_return_void_C) apply vcg apply (simp add: lookup_pd_slot_def Let_def table_bits_defs) - apply (wp hoare_vcg_const_imp_lift_R findPDForASID_valid_offset'[simplified table_bits_defs] + apply (wp hoare_vcg_const_imp_liftE_R findPDForASID_valid_offset'[simplified table_bits_defs] findPDForASID_aligned[simplified table_bits_defs]) apply (simp add: Collect_const_mem) apply (vcg exspec=findPDForASID_modifies) @@ -4183,7 +4183,7 @@ lemma flushTable_ccorres: apply (rule ccorres_return_Skip) apply (wp hoare_weak_lift_imp) apply clarsimp - apply (rule_tac Q="\_ s. invs' s \ cur_tcb' s" in hoare_post_imp) + apply (rule_tac Q'="\_ s. invs' s \ cur_tcb' s" in hoare_post_imp) apply (simp add: invs'_invs_no_cicd cur_tcb'_def) apply (wp mapM_x_wp_inv getPTE_wp | wpc)+ apply (rule ccorres_return_Skip) diff --git a/proof/crefine/Move_C.thy b/proof/crefine/Move_C.thy index 330b38bce3..7377cd1bfc 100644 --- a/proof/crefine/Move_C.thy +++ b/proof/crefine/Move_C.thy 
@@ -124,10 +124,6 @@ lemma option_to_0_simps [simp]: lemma of_bool_from_bool: "of_bool = from_bool" by (rule ext, simp add: from_bool_def split: bool.split) -lemma hoare_vcg_imp_lift_R: - "\ \P'\ f \\rv s. \ P rv s\, -; \Q'\ f \Q\, - \ \ \\s. P' s \ Q' s\ f \\rv s. P rv s \ Q rv s\, -" - by (auto simp add: valid_def validE_R_def validE_def split_def split: sum.splits) - (* FIXME: move to Lib *) lemma length_Suc_0_conv: "length x = Suc 0 = (\y. x = [y])" @@ -642,7 +638,7 @@ lemma getMessageInfo_le3: including no_pre apply (simp add: getMessageInfo_def) apply wp - apply (rule_tac Q="\_. \" in hoare_strengthen_post) + apply (rule_tac Q'="\_. \" in hoare_strengthen_post) apply wp apply (rename_tac rv s) apply (simp add: messageInfoFromWord_def Let_def msgExtraCapBits_def) @@ -655,7 +651,7 @@ lemma getMessageInfo_msgLength: including no_pre apply (simp add: getMessageInfo_def) apply wp - apply (rule_tac Q="\_. \" in hoare_strengthen_post) + apply (rule_tac Q'="\_. \" in hoare_strengthen_post) apply wp apply (simp add: messageInfoFromWord_def Let_def not_less msgMaxLength_def msgLengthBits_def split: if_split) @@ -993,7 +989,7 @@ lemma cancelIPC_st_tcb_at': "\\s. t\t' \ st_tcb_at' P t' s\ cancelIPC t \\_. st_tcb_at' P t'\" apply (simp add: cancelIPC_def Let_def getThreadReplySlot_def locateSlot_conv) apply (wp sts_pred_tcb_neq' getEndpoint_wp cteDeleteOne_Reply getCTE_wp' | wpc)+ - apply (rule hoare_strengthen_post [where Q="\_. st_tcb_at' P t'"]) + apply (rule hoare_strengthen_post[where Q'="\_. st_tcb_at' P t'"]) apply (wp threadSet_st_tcb_at2) apply simp apply (clarsimp simp: cte_wp_at_ctes_of capHasProperty_def) diff --git a/proof/crefine/RISCV64/Arch_C.thy b/proof/crefine/RISCV64/Arch_C.thy index 6b050db08e..c31d485244 100644 --- a/proof/crefine/RISCV64/Arch_C.thy +++ b/proof/crefine/RISCV64/Arch_C.thy 
@@ -521,7 +521,7 @@ shows apply clarsimp apply (wp getSlotCap_wp) apply clarsimp - apply (rule_tac Q="\_. cte_wp_at' ((=) (UntypedCap isdev frame pageBits idx) o cteCap) parent + apply (rule_tac Q'="\_. cte_wp_at' ((=) (UntypedCap isdev frame pageBits idx) o cteCap) parent and (\s. descendants_range_in' {frame..frame + (2::machine_word) ^ pageBits - (1::machine_word)} parent (ctes_of s)) and pspace_no_overlap' frame pageBits and invs' diff --git a/proof/crefine/RISCV64/DetWP.thy b/proof/crefine/RISCV64/DetWP.thy index 222fe22aa5..200baa7eaf 100644 --- a/proof/crefine/RISCV64/DetWP.thy +++ b/proof/crefine/RISCV64/DetWP.thy @@ -120,7 +120,7 @@ lemma det_wp_asUser [wp]: apply (drule det_wp_det) apply (erule det_wp_select_f) apply wp+ - apply (rule_tac Q="\_. tcb_at' t" in hoare_post_imp) + apply (rule_tac Q'="\_. tcb_at' t" in hoare_post_imp) apply simp apply wp apply simp diff --git a/proof/crefine/RISCV64/Finalise_C.thy b/proof/crefine/RISCV64/Finalise_C.thy index b478c7ce45..359a0b2c59 100644 --- a/proof/crefine/RISCV64/Finalise_C.thy +++ b/proof/crefine/RISCV64/Finalise_C.thy @@ -774,7 +774,7 @@ lemma suspend_ccorres: apply ceqv apply (ctac(no_vcg) add: setThreadState_ccorres_simple) apply (ctac add: tcbSchedDequeue_ccorres) - apply (rule_tac Q="\_. valid_objs' and tcb_at' thread and pspace_aligned' and pspace_distinct'" + apply (rule_tac Q'="\_. valid_objs' and tcb_at' thread and pspace_aligned' and pspace_distinct'" in hoare_post_imp) apply clarsimp apply (wp sts_valid_objs')[1] diff --git a/proof/crefine/RISCV64/Invoke_C.thy b/proof/crefine/RISCV64/Invoke_C.thy index e02cf94321..bdf8dcadcf 100644 --- a/proof/crefine/RISCV64/Invoke_C.thy +++ b/proof/crefine/RISCV64/Invoke_C.thy 
@@ -76,7 +76,7 @@ lemma setDomain_ccorres: apply (simp add: guard_is_UNIV_def) apply simp apply wp - apply (rule_tac Q="\_. all_invs_but_sch_extra and tcb_at' t and sch_act_simple + apply (rule_tac Q'="\_. all_invs_but_sch_extra and tcb_at' t and sch_act_simple and (\s. curThread = ksCurThread s)" in hoare_strengthen_post) apply (wp threadSet_all_invs_but_sch_extra) @@ -84,7 +84,7 @@ lemma setDomain_ccorres: sch_act_simple_def st_tcb_at'_def weak_sch_act_wf_def split: if_splits) apply (simp add: guard_is_UNIV_def) - apply (rule_tac Q="\_. invs' and tcb_at' t and sch_act_simple and (\s. curThread = ksCurThread s)" + apply (rule_tac Q'="\_. invs' and tcb_at' t and sch_act_simple and (\s. curThread = ksCurThread s)" in hoare_strengthen_post) apply (wp weak_sch_act_wf_lift_linear tcbSchedDequeue_not_queued hoare_vcg_imp_lift hoare_vcg_all_lift) @@ -762,7 +762,7 @@ lemma decodeCNodeInvocation_ccorres: apply (rule_tac Q'="\rv. valid_pspace' and valid_cap' rv and valid_objs' and tcb_at' thread and (\s. sch_act_wf (ksSchedulerAction s) s)" - in hoare_vcg_R_conj) + in hoare_vcg_conj_liftE_R) apply (rule deriveCap_Null_helper[OF deriveCap_derived]) apply wp apply (clarsimp simp: cte_wp_at_ctes_of) @@ -838,7 +838,7 @@ lemma decodeCNodeInvocation_ccorres: apply (rule_tac Q'="\rv. valid_pspace' and valid_cap' rv and valid_objs' and tcb_at' thread and (\s. sch_act_wf (ksSchedulerAction s) s)" - in hoare_vcg_R_conj) + in hoare_vcg_conj_liftE_R) apply (rule deriveCap_Null_helper [OF deriveCap_derived]) apply wp apply (clarsimp simp: cte_wp_at_ctes_of) @@ -959,7 +959,7 @@ lemma decodeCNodeInvocation_ccorres: apply (clarsimp simp:valid_updateCapDataI invs_valid_objs' invs_valid_pspace') apply assumption apply (wp hoare_vcg_all_liftE_R injection_wp_E[OF refl] - lsfco_cte_at' hoare_vcg_const_imp_lift_R + lsfco_cte_at' hoare_vcg_const_imp_liftE_R )+ apply (simp add: Collect_const_mem word_sle_def word_sless_def all_ex_eq_helper) 
@@ -1336,7 +1336,7 @@ lemma decodeCNodeInvocation_ccorres: apply (rule ccorres_return_C_errorE, simp+)[1] apply vcg apply simp - apply (wp injection_wp_E[OF refl] hoare_vcg_const_imp_lift_R + apply (wp injection_wp_E[OF refl] hoare_vcg_const_imp_liftE_R hoare_vcg_all_liftE_R lsfco_cte_at' hoare_weak_lift_imp | simp add: hasCancelSendRights_not_Null ctes_of_valid_strengthen cong: conj_cong diff --git a/proof/crefine/RISCV64/IpcCancel_C.thy b/proof/crefine/RISCV64/IpcCancel_C.thy index 5317a35e45..1949d3c631 100644 --- a/proof/crefine/RISCV64/IpcCancel_C.thy +++ b/proof/crefine/RISCV64/IpcCancel_C.thy @@ -2759,7 +2759,7 @@ lemma cancelIPC_ccorres1: ghost_assertion_data_set_def cap_tag_defs) apply (simp add: locateSlot_conv, wp) apply vcg - apply (rule_tac Q="\rv. tcb_at' thread and invs'" in hoare_post_imp) + apply (rule_tac Q'="\rv. tcb_at' thread and invs'" in hoare_post_imp) apply (clarsimp simp: cte_wp_at_ctes_of capHasProperty_def cap_get_tag_isCap ucast_id) apply (wp threadSet_invs_trivial | simp)+ diff --git a/proof/crefine/RISCV64/Ipc_C.thy b/proof/crefine/RISCV64/Ipc_C.thy index c2e177a725..cf52e6112d 100644 --- a/proof/crefine/RISCV64/Ipc_C.thy +++ b/proof/crefine/RISCV64/Ipc_C.thy @@ -1380,7 +1380,7 @@ lemma asUser_atcbContext_obj_at: lemma asUser_tcbFault_inv: "\\s. \t. ko_at' t p' s \ tcbFault t = f\ asUser p m \\rv s. \t. ko_at' t p' s \ tcbFault t = f\" - apply (rule_tac Q="\rv. obj_at' (\t. tcbFault t = f) p'" + apply (rule_tac Q'="\rv. obj_at' (\t. tcbFault t = f) p'" in hoare_strengthen_post) apply (wp asUser_tcbFault_obj_at) apply (clarsimp simp: obj_at'_def)+ 
@@ -3533,7 +3533,7 @@ lemma doIPCTransfer_ccorres [corres]: fault_to_fault_tag_nonzero) apply ctac apply (clarsimp simp: guard_is_UNIV_def option_to_ptr_def split: option.splits) - apply (rule_tac Q="\rv. valid_pspace' and cur_tcb' and tcb_at' sender + apply (rule_tac Q'="\rv. valid_pspace' and cur_tcb' and tcb_at' sender and tcb_at' receiver and K (rv \ Some 0) and (case_option \ valid_ipc_buffer_ptr' rv) and K (receiver \ sender \ endpoint \ Some 0)" @@ -4259,7 +4259,7 @@ lemma doReplyTransfer_ccorres [corres]: | simp add: valid_tcb_state'_def)+)[1] apply (clarsimp simp: guard_is_UNIV_def ThreadState_defs mask_def option_to_ctcb_ptr_def) - apply (rule_tac Q="\rv. tcb_at' receiver and + apply (rule_tac Q'="\rv. tcb_at' receiver and valid_objs' and sch_act_simple and (\s. ksCurDomain s \ maxDomain) and (\s. sch_act_wf (ksSchedulerAction s) s) and pspace_aligned' and pspace_distinct'" in hoare_post_imp) @@ -4358,7 +4358,7 @@ lemma setupCallerCap_ccorres [corres]: ptr_add_assertion_positive Collect_const_mem tcb_cnode_index_defs) apply simp - apply (rule_tac Q="\rv. valid_pspace' and tcb_at' receiver" in hoare_post_imp) + apply (rule_tac Q'="\rv. valid_pspace' and tcb_at' receiver" in hoare_post_imp) apply (auto simp: cte_wp_at_ctes_of isCap_simps valid_pspace'_def tcbSlots Kernel_C.tcbCaller_def size_of_def cte_level_bits_def)[1] @@ -5766,7 +5766,7 @@ lemma receiveIPC_ccorres [corres]: apply (fastforce simp: guard_is_UNIV_def ThreadState_defs mask_def cap_get_tag_isCap ccap_relation_ep_helpers) apply (clarsimp simp: valid_tcb_state'_def) - apply (rule_tac Q="\_. valid_pspace' + apply (rule_tac Q'="\_. valid_pspace' and st_tcb_at' ((=) sendState) sender and tcb_at' thread and (\s. sch_act_wf (ksSchedulerAction s) s) and sch_act_not sender and K (thread \ sender) 
@@ -5774,7 +5774,7 @@ lemma receiveIPC_ccorres [corres]: apply (fastforce simp: valid_pspace_valid_objs' pred_tcb_at'_def sch_act_wf_weak obj_at'_def) apply (wpsimp simp: guard_is_UNIV_def option_to_ptr_def option_to_0_def conj_ac)+ - apply (rule_tac Q="\rv. valid_pspace' + apply (rule_tac Q'="\rv. valid_pspace' and cur_tcb' and tcb_at' sender and tcb_at' thread and sch_act_not sender and K (thread \ sender) and ep_at' (capEPPtr cap) @@ -6068,7 +6068,7 @@ lemma sendSignal_ccorres [corres]: apply (ctac add: possibleSwitchTo_ccorres) apply (wp sts_valid_objs' sts_st_tcb_at'_cases | simp add: option_to_ctcb_ptr_def split del: if_split)+ - apply (rule_tac Q="\_. tcb_at' (the (ntfnBoundTCB ntfn)) and invs'" + apply (rule_tac Q'="\_. tcb_at' (the (ntfnBoundTCB ntfn)) and invs'" in hoare_post_imp) apply auto[1] apply wp @@ -6460,7 +6460,7 @@ lemma receiveSignal_ccorres [corres]: apply (rule receiveSignal_enqueue_ccorres_helper[simplified]) apply (simp add: valid_ntfn'_def) apply (wp sts_st_tcb') - apply (rule_tac Q="\rv. ko_wp_at' (\x. projectKO_opt x = Some ntfn + apply (rule_tac Q'="\rv. ko_wp_at' (\x. projectKO_opt x = Some ntfn \ projectKO_opt x = (None::tcb option)) (capNtfnPtr cap)" in hoare_post_imp) @@ -6527,7 +6527,7 @@ lemma receiveSignal_ccorres [corres]: apply (rule_tac ntfn="ntfn" in receiveSignal_enqueue_ccorres_helper[simplified]) apply (simp add: valid_ntfn'_def) apply (wp sts_st_tcb') - apply (rule_tac Q="\rv. ko_wp_at' (\x. projectKO_opt x = Some ntfn + apply (rule_tac Q'="\rv. ko_wp_at' (\x. projectKO_opt x = Some ntfn \ projectKO_opt x = (None::tcb option)) (capNtfnPtr cap) and K (thread \ set list)" diff --git a/proof/crefine/RISCV64/IsolatedThreadAction.thy b/proof/crefine/RISCV64/IsolatedThreadAction.thy index f307e46a88..33832f8596 100644 --- a/proof/crefine/RISCV64/IsolatedThreadAction.thy +++ b/proof/crefine/RISCV64/IsolatedThreadAction.thy 
@@ -601,7 +601,7 @@ lemma select_f_isolatable: lemma doMachineOp_isolatable: "thread_actions_isolatable idx (doMachineOp m)" apply (simp add: doMachineOp_def split_def) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] gets_isolatable thread_actions_isolatable_returns modify_isolatable select_f_isolatable) apply (simp | wp)+ @@ -621,8 +621,8 @@ lemma findVSpaceForASID_isolatable: case_option_If2 assertE_def liftE_def checkPTAt_def stateAssert_def2 cong: if_cong) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] - thread_actions_isolatable_bindE[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] + thread_actions_isolatable_bindE[OF _ _ hoare_weaken_pre] thread_actions_isolatable_if thread_actions_isolatable_returns thread_actions_isolatable_fail gets_isolatable getObject_isolatable) @@ -657,7 +657,7 @@ lemma thread_actions_isolatable_mapM_x: "\ \x. thread_actions_isolatable idx (f x); \x t. f x \tcb_at' t\ \ \ thread_actions_isolatable idx (mapM_x f xs)" apply (induct xs; clarsimp simp: mapM_x_Nil mapM_x_Cons thread_actions_isolatable_returns) - apply (rule thread_actions_isolatable_bind[OF _ _ hoare_pre(1)]; clarsimp?) + apply (rule thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre]; clarsimp?) apply assumption+ done @@ -687,9 +687,9 @@ lemma setVMRoot_isolatable: whenE_def liftE_def stateAssert_def2 assert_def cong: if_cong) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] - thread_actions_isolatable_bindE[OF _ _ hoare_pre(1)] - thread_actions_isolatable_catch[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] + thread_actions_isolatable_bindE[OF _ _ hoare_weaken_pre] + thread_actions_isolatable_catch[OF _ _ hoare_weaken_pre] thread_actions_isolatable_if thread_actions_isolatable_returns thread_actions_isolatable_fail gets_isolatable getCTE_isolatable 
@@ -970,7 +970,7 @@ lemma setThreadState_no_sch_change: (is "Nondet_VCG.valid ?P ?f ?Q") apply (simp add: setThreadState_def setSchedulerAction_def) apply (wp hoare_pre_cont[where f=rescheduleRequired]) - apply (rule_tac Q="\_. ?P and st_tcb_at' ((=) st) t" in hoare_post_imp) + apply (rule_tac Q'="\_. ?P and st_tcb_at' ((=) st) t" in hoare_post_imp) apply (clarsimp split: if_split) apply (clarsimp simp: obj_at'_def st_tcb_at'_def projectKOs) apply (wp threadSet_pred_tcb_at_state) @@ -1032,7 +1032,7 @@ lemma setEndpoint_isolatable: apply (simp add: obj_at_partial_overwrite_id2) apply (drule_tac x=x in spec) apply (clarsimp simp: obj_at'_def projectKOs select_f_asserts) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] thread_actions_isolatable_if thread_actions_isolatable_return thread_actions_isolatable_fail) @@ -1182,7 +1182,7 @@ lemma cteInsert_isolatable: supply if_split[split del] if_cong[cong] apply (simp add: cteInsert_def updateCap_def updateMDB_def Let_def setUntypedCapAsFull_def) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] thread_actions_isolatable_if thread_actions_isolatable_returns assert_isolatable getCTE_isolatable setCTE_isolatable) @@ -1268,7 +1268,7 @@ lemma threadGet_isolatable: "thread_actions_isolatable idx (Arch.switchToThread t)" apply (simp add: switchToThread_def storeWordUser_def stateAssert_def2) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] gets_isolatable setVMRoot_isolatable thread_actions_isolatable_if doMachineOp_isolatable 
@@ -1285,7 +1285,7 @@ lemma tcbQueued_put_tcb_state_regs_tcb: lemma idleThreadNotQueued_isolatable: "thread_actions_isolatable idx (stateAssert idleThreadNotQueued [])" apply (simp add: stateAssert_def2 stateAssert_def) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] gets_isolatable thread_actions_isolatable_if thread_actions_isolatable_returns @@ -1503,7 +1503,7 @@ lemma updateMDB_isolatable: "thread_actions_isolatable idx (updateMDB slot f)" apply (simp add: updateMDB_def thread_actions_isolatable_return split: if_split) - apply (intro impI thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] + apply (intro impI thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] getCTE_isolatable setCTE_isolatable, (wp | simp)+) done @@ -1525,7 +1525,7 @@ lemma emptySlot_isolatable: "thread_actions_isolatable idx (emptySlot slot NullCap)" apply (simp add: emptySlot_def updateCap_def case_Null_If Retype_H.postCapDeletion_def cong: if_cong) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] clearUntypedFreeIndex_isolatable thread_actions_isolatable_if getCTE_isolatable setCTE_isolatable diff --git a/proof/crefine/RISCV64/Refine_C.thy b/proof/crefine/RISCV64/Refine_C.thy index 9221faee95..afb6849fdc 100644 --- a/proof/crefine/RISCV64/Refine_C.thy +++ b/proof/crefine/RISCV64/Refine_C.thy 
@@ -79,7 +79,7 @@ proof - apply (clarsimp simp: return_def) apply (wp schedule_sch_act_wf schedule_invs' | strengthen invs_valid_objs_strengthen invs_pspace_aligned' invs_pspace_distinct')+ - apply (rule_tac Q="\rv s. invs' s \ (\x. rv = Some x \ x \ RISCV64.maxIRQ) \ rv \ Some 0x3FF" in hoare_post_imp) + apply (rule_tac Q'="\rv s. invs' s \ (\x. rv = Some x \ x \ RISCV64.maxIRQ) \ rv \ Some 0x3FF" in hoare_post_imp) apply (clarsimp simp: non_kernel_IRQs_def) apply (wp getActiveIRQ_le_maxIRQ getActiveIRQ_neq_Some0x3FF | simp)+ apply (clarsimp simp: invs'_def valid_state'_def) @@ -265,12 +265,12 @@ lemma handleSyscall_ccorres: apply wp apply (simp add: guard_is_UNIV_def) apply clarsimp - apply (rule_tac Q="\rv s. invs' s \ + apply (rule_tac Q'="\rv s. invs' s \ (\x. rv = Some x \ x \ RISCV64.maxIRQ) \ rv \ Some 0x3FF" in hoare_post_imp) apply (clarsimp simp: non_kernel_IRQs_def) apply (wp getActiveIRQ_le_maxIRQ getActiveIRQ_neq_Some0x3FF | simp)+ - apply (rule_tac Q=" invs' " in hoare_post_imp_dc2E, wp) + apply (rule_tac Q'=" invs' " in hoare_post_impE_E_dc, wp) apply (simp add: invs'_def valid_state'_def) apply clarsimp apply (vcg exspec=handleInvocation_modifies) @@ -301,12 +301,12 @@ lemma handleSyscall_ccorres: apply wp apply (simp add: guard_is_UNIV_def) apply clarsimp - apply (rule_tac Q="\rv s. invs' s \ + apply (rule_tac Q'="\rv s. invs' s \ (\x. rv = Some x \ x \ RISCV64.maxIRQ) \ rv \ Some 0x3FF" in hoare_post_imp) apply (clarsimp simp: non_kernel_IRQs_def) apply (wp getActiveIRQ_le_maxIRQ getActiveIRQ_neq_Some0x3FF | simp)+ - apply (rule_tac Q=" invs' " in hoare_post_imp_dc2E, wp) + apply (rule_tac Q'=" invs' " in hoare_post_impE_E_dc, wp) apply (simp add: invs'_def valid_state'_def) apply clarsimp apply (vcg exspec=handleInvocation_modifies) 
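Review bot: The five-line getActiveIRQ fragment (`rule_tac Q'="λrv s. invs' s ∧ (∀x. rv = Some x ⟶ x ≤ RISCV64.maxIRQ) ∧ rv ≠ Some 0x3FF" in hoare_post_imp` through `hoare_post_impE_E_dc`) is written out identically in the hunks at 265 and 301 and a third time at 336 on the following line, so the `Q'` rename had to be applied to every copy. Stating it once as a wp lemma about getActiveIRQ under `invs'` (its exact form depends on `non_kernel_IRQs_def`, which is outside this view) would leave a single site to maintain. While these lines are being rewritten, `Q'=" invs' "` could also drop the stray padding inside the quotes: `Q'="invs'"`. The enclosing handleSyscall_ccorres proof extends beyond each hunk.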
@@ -336,12 +336,12 @@ lemma handleSyscall_ccorres: apply wp apply (simp add: guard_is_UNIV_def) apply clarsimp - apply (rule_tac Q="\rv s. invs' s \ + apply (rule_tac Q'="\rv s. invs' s \ (\x. rv = Some x \ x \ RISCV64.maxIRQ) \ rv \ Some 0x3FF" in hoare_post_imp) apply (clarsimp simp: non_kernel_IRQs_def) apply (wp getActiveIRQ_le_maxIRQ getActiveIRQ_neq_Some0x3FF | simp)+ - apply (rule_tac Q=" invs' " in hoare_post_imp_dc2E, wp) + apply (rule_tac Q'=" invs' " in hoare_post_impE_E_dc, wp) apply (simp add: invs'_def valid_state'_def) apply clarsimp apply (vcg exspec=handleInvocation_modifies) @@ -374,7 +374,7 @@ lemma handleSyscall_ccorres: apply wp[1] apply clarsimp apply wp - apply (rule_tac Q="\rv s. ct_in_state' simple' s \ sch_act_sane s" + apply (rule_tac Q'="\rv s. ct_in_state' simple' s \ sch_act_sane s" in hoare_post_imp) apply (simp add: ct_in_state'_def) apply (wp handleReply_sane) @@ -409,15 +409,15 @@ lemma handleSyscall_ccorres: | wpc | wp hoare_drop_imp handleReply_sane handleReply_nonz_cap_to_ct schedule_invs' | strengthen ct_active_not_idle'_strengthen invs_valid_objs_strengthen)+ - apply (rule_tac Q="\rv. invs' and ct_active'" in hoare_post_imp, simp) + apply (rule_tac Q'="\rv. invs' and ct_active'" in hoare_post_imp, simp) apply (wp hy_invs') apply (clarsimp simp add: liftE_def) apply wp - apply (rule_tac Q="\rv. invs' and ct_active'" in hoare_post_imp, simp) + apply (rule_tac Q'="\rv. invs' and ct_active'" in hoare_post_imp, simp) apply (wp hy_invs') apply (clarsimp simp: liftE_def) apply (wp) - apply (rule_tac Q="\_. invs'" in hoare_post_imp, simp) + apply (rule_tac Q'="\_. invs'" in hoare_post_imp, simp) apply (wp hw_invs') apply (simp add: guard_is_UNIV_def) apply clarsimp diff --git a/proof/crefine/RISCV64/Retype_C.thy b/proof/crefine/RISCV64/Retype_C.thy index fe6c583ee4..0c4366d6c6 100644 --- a/proof/crefine/RISCV64/Retype_C.thy +++ b/proof/crefine/RISCV64/Retype_C.thy 
@@ -6302,7 +6302,7 @@ lemma createObject_valid_cap': apply (simp add:createObject_def3) apply (rule hoare_pre) apply wp - apply (rule_tac Q = "\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) + apply (rule_tac Q'="\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) apply (rule hoare_vcg_conj_lift) apply (rule hoare_strengthen_post[OF createNewCaps_ret_len]) apply clarsimp @@ -6376,7 +6376,7 @@ lemma createObject_caps_overlap_reserved_ret': apply (simp add:createObject_def3) apply (rule hoare_pre) apply wp - apply (rule_tac Q = "\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) + apply (rule_tac Q'="\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) apply (rule hoare_vcg_conj_lift) apply (rule hoare_strengthen_post[OF createNewCaps_ret_len]) apply clarsimp @@ -6399,7 +6399,7 @@ lemma createObject_descendants_range': apply (simp add:createObject_def3) apply (rule hoare_pre) apply wp - apply (rule_tac Q = "\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) + apply (rule_tac Q'="\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) apply (rule hoare_vcg_conj_lift) apply (rule hoare_strengthen_post[OF createNewCaps_ret_len]) apply clarsimp @@ -6430,7 +6430,7 @@ lemma createObject_idlethread_range: apply (simp add:createObject_def3) apply (rule hoare_pre) apply wp - apply (rule_tac Q = "\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) + apply (rule_tac Q'="\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) apply (rule hoare_vcg_conj_lift) apply (rule hoare_strengthen_post[OF createNewCaps_ret_len]) apply clarsimp @@ -6450,7 +6450,7 @@ lemma createObject_IRQHandler: apply (simp add:createObject_def3) apply (rule hoare_pre) apply wp - apply (rule_tac Q = "\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) + apply (rule_tac Q'="\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) apply (rule hoare_vcg_conj_lift) apply (rule hoare_strengthen_post[OF createNewCaps_ret_len]) apply clarsimp 
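Review bot: The prelude `apply (rule_tac Q'="λr s. r ≠ [] ∧ Q r s" for Q in hoare_strengthen_post)` followed by `hoare_vcg_conj_lift` and `hoare_strengthen_post[OF createNewCaps_ret_len]` is repeated verbatim in the five hunks here (6302, 6376, 6399, 6430, 6450) and once more at 6468 on the next line, so every library rename must be replayed six times. A single helper that packages the two strengthen steps—either a derived rule combining createNewCaps_ret_len with an arbitrary wp rule for createNewCaps, or a named `lemmas` composition—would reduce each site to one `rule`. The new spelling at least separates the instantiated variable `Q'` from the schematic bound by `for Q`, which the old `Q = … for Q` form made easy to misread; a short comment at the first site saying that `Q` is the per-lemma post-condition would help the next reader if no helper is introduced. Each createObject_* proof continues outside its hunk.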
@@ -6468,7 +6468,7 @@ lemma createObject_capClass[wp]: apply (simp add:createObject_def3) apply (rule hoare_pre) apply wp - apply (rule_tac Q = "\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) + apply (rule_tac Q'="\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) apply (rule hoare_vcg_conj_lift) apply (rule hoare_strengthen_post[OF createNewCaps_ret_len]) apply clarsimp @@ -6515,7 +6515,7 @@ lemma createObject_parent_helper: \ createObject ty ptr us dev \\rv. cte_wp_at' (\cte. isUntypedCap (cteCap cte) \ (sameRegionAs (cteCap cte) rv)) p\" - apply (rule hoare_post_imp [where Q="\rv s. \cte. cte_wp_at' ((=) cte) p s + apply (rule hoare_post_imp[where Q'="\rv s. \cte. cte_wp_at' ((=) cte) p s \ isUntypedCap (cteCap cte) \ sameRegionAs (cteCap cte) rv"]) apply (clarsimp simp:cte_wp_at_ctes_of) @@ -7285,7 +7285,7 @@ shows "ccorres dc xfdc (cnodeptr + (of_nat k * 0x20 + start * 0x20 + of_nat n * 0x20)) s) \ descendants_range_in' {(of_nat n << APIType_capBits newType userSize) + ptr.. (ptr && ~~ mask sz) + 2 ^ sz - 1} srcSlot (ctes_of s)" - in hoare_pre(1)) + in hoare_weaken_pre) apply wp apply (clarsimp simp:createObject_hs_preconds_def conj_comms add.commute[where b=ptr] invs_valid_pspace' invs_pspace_distinct' invs_pspace_aligned' diff --git a/proof/crefine/RISCV64/Schedule_C.thy b/proof/crefine/RISCV64/Schedule_C.thy index 5d97c3c95b..4edbc93860 100644 --- a/proof/crefine/RISCV64/Schedule_C.thy +++ b/proof/crefine/RISCV64/Schedule_C.thy @@ -679,7 +679,7 @@ lemma schedule_ccorres: apply wp apply clarsimp (* when runnable tcbSchedEnqueue curThread *) - apply (rule_tac Q="\rv s. invs' s \ ksCurThread s = curThread + apply (rule_tac Q'="\rv s. invs' s \ ksCurThread s = curThread \ ksSchedulerAction s = SwitchToThread candidate" in hoare_post_imp) apply (clarsimp simp: invs'_bitmapQ_no_L1_orphans invs_ksCurDomain_maxDomain') apply (fastforce dest: invs_sch_act_wf') 
diff --git a/proof/crefine/RISCV64/SyscallArgs_C.thy b/proof/crefine/RISCV64/SyscallArgs_C.thy index ac54b61437..d18a4884a7 100644 --- a/proof/crefine/RISCV64/SyscallArgs_C.thy +++ b/proof/crefine/RISCV64/SyscallArgs_C.thy @@ -942,7 +942,7 @@ lemma getMRs_user_word: linorder_not_less [symmetric]) apply (wp mapM_loadWordUser_user_words_at) apply (wp hoare_vcg_all_lift) - apply (rule_tac Q="\_. \" in hoare_strengthen_post) + apply (rule_tac Q'="\_. \" in hoare_strengthen_post) apply wp apply clarsimp defer @@ -998,7 +998,7 @@ lemma getMRs_rel: apply (rule hoare_pre) apply (rule_tac x=mi in hoare_exI) apply wp - apply (rule_tac Q="\rv s. thread = ksCurThread s \ fst (getMRs thread buffer mi s) = {(rv,s)}" in hoare_strengthen_post) + apply (rule_tac Q'="\rv s. thread = ksCurThread s \ fst (getMRs thread buffer mi s) = {(rv,s)}" in hoare_strengthen_post) apply (wp det_result det_wp_getMRs) apply clarsimp apply (clarsimp simp: cur_tcb'_def) @@ -1164,7 +1164,7 @@ lemma getSyscallArg_ccorres_foo: apply (clarsimp simp: option_to_ptr_def option_to_0_def) apply (rule_tac P="\s. valid_ipc_buffer_ptr' (ptr_val (Ptr b)) s \ i < msgLength mi \ msgLength mi \ msgMaxLength \ scast n_msgRegisters \ i" - in hoare_pre(1)) + in hoare_weaken_pre) apply (wp getMRs_user_word) apply (clarsimp simp: msgMaxLength_def unat_less_helper) apply fastforce diff --git a/proof/crefine/RISCV64/Syscall_C.thy b/proof/crefine/RISCV64/Syscall_C.thy index 9872d83a0f..ac1155ee5a 100644 --- a/proof/crefine/RISCV64/Syscall_C.thy +++ b/proof/crefine/RISCV64/Syscall_C.thy @@ -259,7 +259,7 @@ lemma decodeInvocation_ccorres: apply simp apply (vcg exspec=performInvocation_Reply_modifies) apply (simp add: cur_tcb'_def[symmetric]) - apply (rule_tac R="\rv s. ksCurThread s = thread" in hoare_post_add) + apply (rule_tac Q'="\rv s. ksCurThread s = thread" in hoare_post_add) apply (simp cong: conj_cong) apply (strengthen imp_consequent) apply (wp sts_invs_minor' sts_st_tcb_at'_cases) 
@@ -683,9 +683,9 @@ lemma sendFaultIPC_ccorres: , assumption) apply vcg apply (clarsimp simp: inQ_def) - apply (rule_tac Q="\a b. invs' b \ st_tcb_at' simple' tptr b + apply (rule_tac Q'="\a b. invs' b \ st_tcb_at' simple' tptr b \ sch_act_not tptr b \ valid_cap' a b" - and E="\ _. \" + and E'="\ _. \" in hoare_strengthen_postE) apply (wp) apply (clarsimp simp: isCap_simps) @@ -885,8 +885,8 @@ lemma handleInvocation_ccorres: apply (rule ccorres_return_C_errorE, simp+)[1] apply vcg apply (simp add: invocationCatch_def o_def) - apply (rule_tac Q="\rv'. invs' and tcb_at' rv" - and E="\ft. invs' and tcb_at' rv" + apply (rule_tac Q'="\rv'. invs' and tcb_at' rv" + and E'="\ft. invs' and tcb_at' rv" in hoare_strengthen_postE) apply (wp hoare_split_bind_case_sumE hoare_drop_imps setThreadState_nonqueued_state_update diff --git a/proof/crefine/RISCV64/Tcb_C.thy b/proof/crefine/RISCV64/Tcb_C.thy index b5163fbabb..0276c84f55 100644 --- a/proof/crefine/RISCV64/Tcb_C.thy +++ b/proof/crefine/RISCV64/Tcb_C.thy @@ -429,7 +429,7 @@ lemma setPriority_ccorres: simp: st_tcb_at'_def o_def split: if_splits) apply (simp add: guard_is_UNIV_def) apply (rule hoare_strengthen_post[ - where Q="\rv s. + where Q'="\rv s. obj_at' (\_. True) t s \ priority \ maxPriority \ ksCurDomain s \ maxDomain \ @@ -682,7 +682,7 @@ lemma invokeTCB_ThreadControl_ccorres: apply wp apply (clarsimp simp : guard_is_UNIV_def Collect_const_mem) apply (rule hoare_strengthen_post[ - where Q= "\rv s. + where Q'="\rv s. valid_objs' s \ weak_sch_act_wf (ksSchedulerAction s) s \ ((\a b. priority = Some (a, b)) \ @@ -777,7 +777,7 @@ lemma invokeTCB_ThreadControl_ccorres: apply (clarsimp simp : guard_is_UNIV_def Collect_const_mem) apply (simp cong: conj_cong) apply (rule hoare_strengthen_post[ - where Q="\a b. (valid_objs' b \ + where Q'="\a b. (valid_objs' b \ sch_act_wf (ksSchedulerAction b) b \ pspace_aligned' b \ pspace_distinct' b \ ((\a b. priority = Some (a, b)) \ 
@@ -822,7 +822,7 @@ lemma invokeTCB_ThreadControl_ccorres: apply vcg apply (simp add: conj_comms cong: conj_cong) apply (strengthen invs_ksCurDomain_maxDomain' invs_pspace_distinct') - apply (wp hoare_vcg_const_imp_lift_R cteDelete_invs') + apply (wp hoare_vcg_const_imp_liftE_R cteDelete_invs') apply simp apply (rule ccorres_split_nothrow_novcg_dc) apply (rule ccorres_cond2[where R=\], simp add: Collect_const_mem) @@ -1242,13 +1242,13 @@ lemma invokeTCB_CopyRegisters_ccorres: apply (simp add: pred_conj_def guard_is_UNIV_def cong: if_cong | wp mapM_x_wp_inv hoare_drop_imp)+ apply clarsimp - apply (rule_tac Q="\rv. invs' and tcb_at' destn" in hoare_strengthen_post[rotated]) + apply (rule_tac Q'="\rv. invs' and tcb_at' destn" in hoare_strengthen_post[rotated]) apply (fastforce simp: sch_act_wf_weak) apply (wpsimp wp: hoare_drop_imp restart_invs')+ apply (clarsimp simp add: guard_is_UNIV_def) apply (wp hoare_drop_imp hoare_vcg_if_lift)+ apply simp - apply (rule_tac Q="\rv. invs' and tcb_at' destn" in hoare_strengthen_post[rotated]) + apply (rule_tac Q'="\rv. invs' and tcb_at' destn" in hoare_strengthen_post[rotated]) apply (fastforce simp: sch_act_wf_weak) apply (wpsimp wp: hoare_drop_imp)+ apply (clarsimp simp add: guard_is_UNIV_def) @@ -1657,7 +1657,7 @@ lemma invokeTCB_WriteRegisters_ccorres[where S=UNIV]: apply wp apply (simp add: guard_is_UNIV_def) apply (wp hoare_drop_imp) - apply (rule_tac Q="\rv. invs' and tcb_at' dst" in hoare_strengthen_post[rotated]) + apply (rule_tac Q'="\rv. invs' and tcb_at' dst" in hoare_strengthen_post[rotated]) apply (fastforce simp: sch_act_wf_weak) apply (wpsimp wp: restart_invs')+ apply (clarsimp simp add: guard_is_UNIV_def) 
@@ -2173,7 +2173,7 @@ shows apply wp apply (simp add: Collect_const_mem ThreadState_defs mask_def) apply vcg - apply (rule_tac Q="\rv. invs' and st_tcb_at' ((=) Restart) thread + apply (rule_tac Q'="\rv. invs' and st_tcb_at' ((=) Restart) thread and tcb_at' target" in hoare_post_imp) apply (clarsimp simp: pred_tcb_at') apply (auto elim!: pred_tcb'_weakenE)[1] diff --git a/proof/crefine/RISCV64/VSpace_C.thy b/proof/crefine/RISCV64/VSpace_C.thy index 88666c56e4..bde407edbf 100644 --- a/proof/crefine/RISCV64/VSpace_C.thy +++ b/proof/crefine/RISCV64/VSpace_C.thy @@ -1750,7 +1750,7 @@ lemma performASIDPoolInvocation_ccorres: apply wp apply simp apply vcg - apply (rule hoare_strengthen_post[where Q="\_. \"], wp) + apply (rule hoare_strengthen_post[where Q'="\_. \"], wp) apply (clarsimp simp: typ_at'_def ko_wp_at'_def obj_at'_def) apply wp apply simp diff --git a/proof/crefine/X64/Arch_C.thy b/proof/crefine/X64/Arch_C.thy index 7b7de39cca..668b7aa5bc 100644 --- a/proof/crefine/X64/Arch_C.thy +++ b/proof/crefine/X64/Arch_C.thy @@ -826,7 +826,7 @@ shows apply clarsimp apply (wp getSlotCap_wp) apply clarsimp - apply (rule_tac Q="\_. cte_wp_at' ((=) (UntypedCap isdev frame pageBits idx) o cteCap) parent + apply (rule_tac Q'="\_. cte_wp_at' ((=) (UntypedCap isdev frame pageBits idx) o cteCap) parent and (\s. descendants_range_in' {frame..frame + (2::machine_word) ^ pageBits - (1::machine_word)} parent (ctes_of s)) and pspace_no_overlap' frame pageBits and invs' @@ -1243,7 +1243,7 @@ lemma decodeX64PageTableInvocation_ccorres: apply simp apply (vcg exspec=findVSpaceForASID_modifies) apply simp - apply (rule_tac Q="\a b. invs' b \ valid_cap' (fst (extraCaps ! 0)) b \ tcb_at' thread b \ + apply (rule_tac Q'="\a b. invs' b \ valid_cap' (fst (extraCaps ! 0)) b \ tcb_at' thread b \ sch_act_wf (ksSchedulerAction b) b \ cte_wp_at' (\_. True) slot b" in hoare_strengthen_post) apply wp 
@@ -3232,7 +3232,7 @@ lemma decodeX64PageDirectoryInvocation_ccorres: apply simp apply (vcg exspec=findVSpaceForASID_modifies) apply simp - apply (rule_tac Q="\a b. invs' b \ valid_cap' (fst (extraCaps ! 0)) b \ tcb_at' thread b \ + apply (rule_tac Q'="\a b. invs' b \ valid_cap' (fst (extraCaps ! 0)) b \ tcb_at' thread b \ sch_act_wf (ksSchedulerAction b) b \ cte_wp_at' (\_. True) slot b" in hoare_strengthen_post) apply wp @@ -5362,7 +5362,7 @@ proof - apply (simp add: all_ex_eq_helper) apply (vcg exspec=lookupTargetSlot_modifies) apply (wpsimp wp: isIOPortRangeFree_wp) - apply (rule_tac Q="\rv. invs' and valid_cap' a and st_tcb_at' runnable' thread + apply (rule_tac Q'="\rv. invs' and valid_cap' a and st_tcb_at' runnable' thread and sch_act_simple and cte_wp_at' \ slot and (\s. thread = ksCurThread s)" in hoare_strengthen_post) apply (wpsimp wp: getSlotCap_wp) @@ -5382,7 +5382,7 @@ proof - apply (simp add: all_ex_eq_helper, vcg exspec=getSyscallArg_modifies) apply wp apply (simp add: all_ex_eq_helper, vcg exspec=getSyscallArg_modifies) - apply (rule_tac Q="\rv. ?apre" in hoare_strengthen_post) + apply (rule_tac Q'="\rv. ?apre" in hoare_strengthen_post) apply wp apply (clarsimp simp: sysargs_rel_to_n excaps_in_mem_def slotcap_in_mem_def cte_wp_at_ctes_of interpret_excaps_eq diff --git a/proof/crefine/X64/DetWP.thy b/proof/crefine/X64/DetWP.thy index 7e4f8297f8..116016144b 100644 --- a/proof/crefine/X64/DetWP.thy +++ b/proof/crefine/X64/DetWP.thy @@ -121,7 +121,7 @@ lemma det_wp_asUser [wp]: apply (drule det_wp_det) apply (erule det_wp_select_f) apply wp+ - apply (rule_tac Q="\_. tcb_at' t" in hoare_post_imp) + apply (rule_tac Q'="\_. tcb_at' t" in hoare_post_imp) apply simp apply wp apply simp diff --git a/proof/crefine/X64/Finalise_C.thy b/proof/crefine/X64/Finalise_C.thy index 580bee81f3..0c878db8ed 100644 --- a/proof/crefine/X64/Finalise_C.thy +++ b/proof/crefine/X64/Finalise_C.thy 
@@ -759,7 +759,7 @@ lemma suspend_ccorres: apply ceqv apply (ctac(no_vcg) add: setThreadState_ccorres_simple) apply (ctac add: tcbSchedDequeue_ccorres) - apply (rule_tac Q="\_. valid_objs' and tcb_at' thread and pspace_aligned' and pspace_distinct'" + apply (rule_tac Q'="\_. valid_objs' and tcb_at' thread and pspace_aligned' and pspace_distinct'" in hoare_post_imp) apply clarsimp apply (wp sts_valid_objs')[1] diff --git a/proof/crefine/X64/Invoke_C.thy b/proof/crefine/X64/Invoke_C.thy index f5820fb9e7..d60019524b 100644 --- a/proof/crefine/X64/Invoke_C.thy +++ b/proof/crefine/X64/Invoke_C.thy @@ -75,7 +75,7 @@ lemma setDomain_ccorres: apply (simp add: guard_is_UNIV_def) apply simp apply wp - apply (rule_tac Q="\_. all_invs_but_sch_extra and tcb_at' t and sch_act_simple + apply (rule_tac Q'="\_. all_invs_but_sch_extra and tcb_at' t and sch_act_simple and (\s. curThread = ksCurThread s)" in hoare_strengthen_post) apply (wp threadSet_all_invs_but_sch_extra) @@ -83,7 +83,7 @@ lemma setDomain_ccorres: sch_act_simple_def st_tcb_at'_def weak_sch_act_wf_def split: if_splits) apply (simp add: guard_is_UNIV_def) - apply (rule_tac Q="\_. invs' and tcb_at' t and sch_act_simple and (\s. curThread = ksCurThread s)" + apply (rule_tac Q'="\_. invs' and tcb_at' t and sch_act_simple and (\s. curThread = ksCurThread s)" in hoare_strengthen_post) apply (wp weak_sch_act_wf_lift_linear tcbSchedDequeue_not_queued hoare_vcg_imp_lift hoare_vcg_all_lift) @@ -760,7 +760,7 @@ lemma decodeCNodeInvocation_ccorres: apply (rule_tac Q'="\rv. valid_pspace' and valid_cap' rv and valid_objs' and tcb_at' thread and (\s. sch_act_wf (ksSchedulerAction s) s)" - in hoare_vcg_R_conj) + in hoare_vcg_conj_liftE_R) apply (rule deriveCap_Null_helper[OF deriveCap_derived]) apply wp apply (clarsimp simp: cte_wp_at_ctes_of) 
@@ -836,7 +836,7 @@ lemma decodeCNodeInvocation_ccorres: apply (rule_tac Q'="\rv. valid_pspace' and valid_cap' rv and valid_objs' and tcb_at' thread and (\s. sch_act_wf (ksSchedulerAction s) s)" - in hoare_vcg_R_conj) + in hoare_vcg_conj_liftE_R) apply (rule deriveCap_Null_helper [OF deriveCap_derived]) apply wp apply (clarsimp simp: cte_wp_at_ctes_of) @@ -957,7 +957,7 @@ lemma decodeCNodeInvocation_ccorres: apply (clarsimp simp:valid_updateCapDataI invs_valid_objs' invs_valid_pspace') apply assumption apply (wp hoare_vcg_all_liftE_R injection_wp_E[OF refl] - lsfco_cte_at' hoare_vcg_const_imp_lift_R + lsfco_cte_at' hoare_vcg_const_imp_liftE_R )+ apply (simp add: Collect_const_mem word_sle_def word_sless_def all_ex_eq_helper) @@ -1334,7 +1334,7 @@ lemma decodeCNodeInvocation_ccorres: apply (rule ccorres_return_C_errorE, simp+)[1] apply vcg apply simp - apply (wp injection_wp_E[OF refl] hoare_vcg_const_imp_lift_R + apply (wp injection_wp_E[OF refl] hoare_vcg_const_imp_liftE_R hoare_vcg_all_liftE_R lsfco_cte_at' hoare_weak_lift_imp | simp add: hasCancelSendRights_not_Null ctes_of_valid_strengthen cong: conj_cong diff --git a/proof/crefine/X64/IpcCancel_C.thy b/proof/crefine/X64/IpcCancel_C.thy index c8940571d2..9f1f5e1ded 100644 --- a/proof/crefine/X64/IpcCancel_C.thy +++ b/proof/crefine/X64/IpcCancel_C.thy @@ -2816,7 +2816,7 @@ lemma cancelIPC_ccorres1: ghost_assertion_data_set_def cap_tag_defs) apply (simp add: locateSlot_conv, wp) apply vcg - apply (rule_tac Q="\rv. tcb_at' thread and invs'" in hoare_post_imp) + apply (rule_tac Q'="\rv. tcb_at' thread and invs'" in hoare_post_imp) apply (clarsimp simp: cte_wp_at_ctes_of capHasProperty_def cap_get_tag_isCap ucast_id) apply (wp threadSet_invs_trivial | simp)+ diff --git a/proof/crefine/X64/Ipc_C.thy b/proof/crefine/X64/Ipc_C.thy index bb049bfeea..cd1102418f 100644 --- a/proof/crefine/X64/Ipc_C.thy +++ b/proof/crefine/X64/Ipc_C.thy 
@@ -1383,7 +1383,7 @@ lemma asUser_atcbContext_obj_at: lemma asUser_tcbFault_inv: "\\s. \t. ko_at' t p' s \ tcbFault t = f\ asUser p m \\rv s. \t. ko_at' t p' s \ tcbFault t = f\" - apply (rule_tac Q="\rv. obj_at' (\t. tcbFault t = f) p'" + apply (rule_tac Q'="\rv. obj_at' (\t. tcbFault t = f) p'" in hoare_strengthen_post) apply (wp asUser_tcbFault_obj_at) apply (clarsimp simp: obj_at'_def)+ @@ -3541,7 +3541,7 @@ lemma doIPCTransfer_ccorres [corres]: fault_to_fault_tag_nonzero) apply ctac apply (clarsimp simp: guard_is_UNIV_def option_to_ptr_def split: option.splits) - apply (rule_tac Q="\rv. valid_pspace' and cur_tcb' and tcb_at' sender + apply (rule_tac Q'="\rv. valid_pspace' and cur_tcb' and tcb_at' sender and tcb_at' receiver and K (rv \ Some 0) and (case_option \ valid_ipc_buffer_ptr' rv) and K (receiver \ sender \ endpoint \ Some 0)" @@ -4267,7 +4267,7 @@ lemma doReplyTransfer_ccorres [corres]: | simp add: valid_tcb_state'_def)+)[1] apply (clarsimp simp: guard_is_UNIV_def ThreadState_defs mask_def option_to_ctcb_ptr_def) - apply (rule_tac Q="\rv. tcb_at' receiver and + apply (rule_tac Q'="\rv. tcb_at' receiver and valid_objs' and sch_act_simple and (\s. ksCurDomain s \ maxDomain) and (\s. sch_act_wf (ksSchedulerAction s) s) and pspace_aligned' and pspace_distinct'" in hoare_post_imp) @@ -4366,7 +4366,7 @@ lemma setupCallerCap_ccorres [corres]: ptr_add_assertion_positive Collect_const_mem tcb_cnode_index_defs) apply simp - apply (rule_tac Q="\rv. valid_pspace' and tcb_at' receiver" in hoare_post_imp) + apply (rule_tac Q'="\rv. valid_pspace' and tcb_at' receiver" in hoare_post_imp) apply (auto simp: cte_wp_at_ctes_of isCap_simps valid_pspace'_def tcbSlots Kernel_C.tcbCaller_def size_of_def cte_level_bits_def)[1] 
@@ -5785,7 +5785,7 @@ lemma receiveIPC_ccorres [corres]: apply (fastforce simp: guard_is_UNIV_def ThreadState_defs mask_def cap_get_tag_isCap ccap_relation_ep_helpers) apply (clarsimp simp: valid_tcb_state'_def) - apply (rule_tac Q="\_. valid_pspace' + apply (rule_tac Q'="\_. valid_pspace' and st_tcb_at' ((=) sendState) sender and tcb_at' thread and (\s. sch_act_wf (ksSchedulerAction s) s) and sch_act_not sender and K (thread \ sender) @@ -5793,7 +5793,7 @@ lemma receiveIPC_ccorres [corres]: apply (fastforce simp: valid_pspace_valid_objs' pred_tcb_at'_def sch_act_wf_weak obj_at'_def) apply (wpsimp simp: guard_is_UNIV_def option_to_ptr_def option_to_0_def conj_ac)+ - apply (rule_tac Q="\rv. valid_pspace' + apply (rule_tac Q'="\rv. valid_pspace' and cur_tcb' and tcb_at' sender and tcb_at' thread and sch_act_not sender and K (thread \ sender) and ep_at' (capEPPtr cap) @@ -6094,7 +6094,7 @@ lemma sendSignal_ccorres [corres]: apply (ctac add: possibleSwitchTo_ccorres) apply (wp sts_valid_objs' sts_st_tcb_at'_cases | simp add: option_to_ctcb_ptr_def split del: if_split)+ - apply (rule_tac Q="\_. tcb_at' (the (ntfnBoundTCB ntfn)) and invs'" + apply (rule_tac Q'="\_. tcb_at' (the (ntfnBoundTCB ntfn)) and invs'" in hoare_post_imp) apply auto[1] apply wp @@ -6492,7 +6492,7 @@ lemma receiveSignal_ccorres [corres]: apply (rule receiveSignal_enqueue_ccorres_helper[simplified]) apply (simp add: valid_ntfn'_def) apply (wp sts_st_tcb') - apply (rule_tac Q="\rv. ko_wp_at' (\x. projectKO_opt x = Some ntfn + apply (rule_tac Q'="\rv. ko_wp_at' (\x. projectKO_opt x = Some ntfn \ projectKO_opt x = (None::tcb option)) (capNtfnPtr cap)" in hoare_post_imp) 
@@ -6560,7 +6560,7 @@ lemma receiveSignal_ccorres [corres]: apply (rule_tac ntfn="ntfn" in receiveSignal_enqueue_ccorres_helper[simplified]) apply (simp add: valid_ntfn'_def) apply (wp sts_st_tcb') - apply (rule_tac Q="\rv. ko_wp_at' (\x. projectKO_opt x = Some ntfn + apply (rule_tac Q'="\rv. ko_wp_at' (\x. projectKO_opt x = Some ntfn \ projectKO_opt x = (None::tcb option)) (capNtfnPtr cap) and K (thread \ set list)" diff --git a/proof/crefine/X64/IsolatedThreadAction.thy b/proof/crefine/X64/IsolatedThreadAction.thy index a9a2b58a84..d7caf73cbd 100644 --- a/proof/crefine/X64/IsolatedThreadAction.thy +++ b/proof/crefine/X64/IsolatedThreadAction.thy @@ -602,7 +602,7 @@ lemma select_f_isolatable: lemma doMachineOp_isolatable: "thread_actions_isolatable idx (doMachineOp m)" apply (simp add: doMachineOp_def split_def) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] gets_isolatable thread_actions_isolatable_returns modify_isolatable select_f_isolatable) apply (simp | wp)+ @@ -622,8 +622,8 @@ lemma findVSpaceForASID_isolatable: case_option_If2 assertE_def liftE_def checkPML4At_def stateAssert_def2 cong: if_cong) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] - thread_actions_isolatable_bindE[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] + thread_actions_isolatable_bindE[OF _ _ hoare_weaken_pre] thread_actions_isolatable_if thread_actions_isolatable_returns thread_actions_isolatable_fail gets_isolatable getObject_isolatable) 
@@ -658,7 +658,7 @@ lemma thread_actions_isolatable_mapM_x: "\ \x. thread_actions_isolatable idx (f x); \x t. f x \tcb_at' t\ \ \ thread_actions_isolatable idx (mapM_x f xs)" apply (induct xs; clarsimp simp: mapM_x_Nil mapM_x_Cons thread_actions_isolatable_returns) - apply (rule thread_actions_isolatable_bind[OF _ _ hoare_pre(1)]; clarsimp?) + apply (rule thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre]; clarsimp?) apply assumption+ done @@ -674,7 +674,7 @@ lemma setCurrentUserCR3_isolatable: "thread_actions_isolatable idx (setCurrentUserCR3 f)" apply (clarsimp simp: setCurrentUserCR3_def) apply (intro modify_isolatable doMachineOp_isolatable - thread_actions_isolatable_bind[OF _ _ hoare_pre(1)]) + thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre]) apply wpsimp+ done @@ -691,9 +691,9 @@ lemma setVMRoot_isolatable: whenE_def liftE_def stateAssert_def2 cong: if_cong) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] - thread_actions_isolatable_bindE[OF _ _ hoare_pre(1)] - thread_actions_isolatable_catch[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] + thread_actions_isolatable_bindE[OF _ _ hoare_weaken_pre] + thread_actions_isolatable_catch[OF _ _ hoare_weaken_pre] thread_actions_isolatable_if thread_actions_isolatable_returns thread_actions_isolatable_fail getCurrentUserCR3_isolatable setCurrentUserCR3_isolatable @@ -958,7 +958,7 @@ lemma setThreadState_no_sch_change: (is "Nondet_VCG.valid ?P ?f ?Q") apply (simp add: setThreadState_def setSchedulerAction_def) apply (wp hoare_pre_cont[where f=rescheduleRequired]) - apply (rule_tac Q="\_. ?P and st_tcb_at' ((=) st) t" in hoare_post_imp) + apply (rule_tac Q'="\_. ?P and st_tcb_at' ((=) st) t" in hoare_post_imp) apply (clarsimp split: if_split) apply (clarsimp simp: obj_at'_def st_tcb_at'_def projectKOs) apply (wp threadSet_pred_tcb_at_state) 
@@ -1020,7 +1020,7 @@ lemma setEndpoint_isolatable: apply (simp add: obj_at_partial_overwrite_id2) apply (drule_tac x=x in spec) apply (clarsimp simp: obj_at'_def projectKOs select_f_asserts) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] thread_actions_isolatable_if thread_actions_isolatable_return thread_actions_isolatable_fail) @@ -1172,7 +1172,7 @@ lemma cteInsert_isolatable: supply if_split[split del] if_cong[cong] apply (simp add: cteInsert_def updateCap_def updateMDB_def Let_def setUntypedCapAsFull_def) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] thread_actions_isolatable_if thread_actions_isolatable_returns assert_isolatable getCTE_isolatable setCTE_isolatable) @@ -1258,7 +1258,7 @@ lemma threadGet_isolatable: "thread_actions_isolatable idx (Arch.switchToThread t)" apply (simp add: switchToThread_def storeWordUser_def stateAssert_def2) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] gets_isolatable setVMRoot_isolatable thread_actions_isolatable_if doMachineOp_isolatable @@ -1275,7 +1275,7 @@ lemma tcbQueued_put_tcb_state_regs_tcb: lemma idleThreadNotQueued_isolatable: "thread_actions_isolatable idx (stateAssert idleThreadNotQueued [])" apply (simp add: stateAssert_def2 stateAssert_def) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] gets_isolatable thread_actions_isolatable_if thread_actions_isolatable_returns 
@@ -1493,7 +1493,7 @@ lemma updateMDB_isolatable: "thread_actions_isolatable idx (updateMDB slot f)" apply (simp add: updateMDB_def thread_actions_isolatable_return split: if_split) - apply (intro impI thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] + apply (intro impI thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] getCTE_isolatable setCTE_isolatable, (wp | simp)+) done @@ -1515,7 +1515,7 @@ lemma emptySlot_isolatable: "thread_actions_isolatable idx (emptySlot slot NullCap)" apply (simp add: emptySlot_def updateCap_def case_Null_If Retype_H.postCapDeletion_def cong: if_cong) - apply (intro thread_actions_isolatable_bind[OF _ _ hoare_pre(1)] + apply (intro thread_actions_isolatable_bind[OF _ _ hoare_weaken_pre] clearUntypedFreeIndex_isolatable thread_actions_isolatable_if getCTE_isolatable setCTE_isolatable diff --git a/proof/crefine/X64/Refine_C.thy b/proof/crefine/X64/Refine_C.thy index c18eed69cb..9b68fde3d7 100644 --- a/proof/crefine/X64/Refine_C.thy +++ b/proof/crefine/X64/Refine_C.thy @@ -79,7 +79,7 @@ proof - apply (clarsimp simp: return_def) apply (wp schedule_sch_act_wf schedule_invs' | strengthen invs_valid_objs_strengthen invs_pspace_aligned' invs_pspace_distinct')+ - apply (rule_tac Q="\rv s. invs' s \ (\x. rv = Some x \ x \ X64.maxIRQ) \ rv \ Some 0x3FF" in hoare_post_imp) + apply (rule_tac Q'="\rv s. invs' s \ (\x. rv = Some x \ x \ X64.maxIRQ) \ rv \ Some 0x3FF" in hoare_post_imp) apply (clarsimp simp: non_kernel_IRQs_def) apply (wp getActiveIRQ_le_maxIRQ getActiveIRQ_neq_Some0xFF | simp)+ apply (clarsimp simp: invs'_def valid_state'_def) 
@@ -264,12 +264,12 @@ lemma handleSyscall_ccorres: apply wp apply (simp add: guard_is_UNIV_def) apply clarsimp - apply (rule_tac Q="\rv s. invs' s \ + apply (rule_tac Q'="\rv s. invs' s \ (\x. rv = Some x \ x \ X64.maxIRQ) \ rv \ Some 0x3FF" in hoare_post_imp) apply (clarsimp simp: non_kernel_IRQs_def) apply (wp getActiveIRQ_le_maxIRQ getActiveIRQ_neq_Some0xFF | simp)+ - apply (rule_tac Q=" invs' " in hoare_post_imp_dc2E, wp) + apply (rule_tac Q'=" invs' " in hoare_post_impE_E_dc, wp) apply (simp add: invs'_def valid_state'_def) apply clarsimp apply (vcg exspec=handleInvocation_modifies) @@ -300,12 +300,12 @@ lemma handleSyscall_ccorres: apply wp apply (simp add: guard_is_UNIV_def) apply clarsimp - apply (rule_tac Q="\rv s. invs' s \ + apply (rule_tac Q'="\rv s. invs' s \ (\x. rv = Some x \ x \ X64.maxIRQ) \ rv \ Some 0x3FF" in hoare_post_imp) apply (clarsimp simp: non_kernel_IRQs_def) apply (wp getActiveIRQ_le_maxIRQ getActiveIRQ_neq_Some0xFF | simp)+ - apply (rule_tac Q=" invs' " in hoare_post_imp_dc2E, wp) + apply (rule_tac Q'=" invs' " in hoare_post_impE_E_dc, wp) apply (simp add: invs'_def valid_state'_def) apply clarsimp apply (vcg exspec=handleInvocation_modifies) @@ -337,12 +337,12 @@ lemma handleSyscall_ccorres: apply wp apply (simp add: guard_is_UNIV_def) apply clarsimp - apply (rule_tac Q="\rv s. invs' s \ + apply (rule_tac Q'="\rv s. invs' s \ (\x. rv = Some x \ x \ X64.maxIRQ) \ rv \ Some 0x3FF" in hoare_post_imp) apply (clarsimp simp: non_kernel_IRQs_def) apply (wp getActiveIRQ_le_maxIRQ getActiveIRQ_neq_Some0xFF | simp)+ - apply (rule_tac Q=" invs' " in hoare_post_imp_dc2E, wp) + apply (rule_tac Q'=" invs' " in hoare_post_impE_E_dc, wp) apply (simp add: invs'_def valid_state'_def) apply clarsimp apply (vcg exspec=handleInvocation_modifies) 
@@ -375,7 +375,7 @@ lemma handleSyscall_ccorres: apply wp[1] apply clarsimp apply wp - apply (rule_tac Q="\rv s. ct_in_state' simple' s \ sch_act_sane s" + apply (rule_tac Q'="\rv s. ct_in_state' simple' s \ sch_act_sane s" in hoare_post_imp) apply (simp add: ct_in_state'_def) apply (wp handleReply_sane) @@ -410,15 +410,15 @@ lemma handleSyscall_ccorres: | wpc | wp hoare_drop_imp handleReply_sane handleReply_nonz_cap_to_ct schedule_invs' | strengthen ct_active_not_idle'_strengthen invs_valid_objs_strengthen)+ - apply (rule_tac Q="\rv. invs' and ct_active'" in hoare_post_imp, simp) + apply (rule_tac Q'="\rv. invs' and ct_active'" in hoare_post_imp, simp) apply (wp hy_invs') apply (clarsimp simp add: liftE_def) apply wp - apply (rule_tac Q="\rv. invs' and ct_active'" in hoare_post_imp, simp) + apply (rule_tac Q'="\rv. invs' and ct_active'" in hoare_post_imp, simp) apply (wp hy_invs') apply (clarsimp simp: liftE_def) apply (wp) - apply (rule_tac Q="\_. invs'" in hoare_post_imp, simp) + apply (rule_tac Q'="\_. invs'" in hoare_post_imp, simp) apply (wp hw_invs') apply (simp add: guard_is_UNIV_def) apply clarsimp diff --git a/proof/crefine/X64/Retype_C.thy b/proof/crefine/X64/Retype_C.thy index f3ba86dab7..5f4bdf4f46 100644 --- a/proof/crefine/X64/Retype_C.thy +++ b/proof/crefine/X64/Retype_C.thy @@ -7412,7 +7412,7 @@ lemma createObject_valid_cap': apply (simp add:createObject_def3) apply (rule hoare_pre) apply wp - apply (rule_tac Q = "\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) + apply (rule_tac Q'="\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) apply (rule hoare_vcg_conj_lift) apply (rule hoare_strengthen_post[OF createNewCaps_ret_len]) apply clarsimp 
@@ -7486,7 +7486,7 @@ lemma createObject_caps_overlap_reserved_ret': apply (simp add:createObject_def3) apply (rule hoare_pre) apply wp - apply (rule_tac Q = "\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) + apply (rule_tac Q'="\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) apply (rule hoare_vcg_conj_lift) apply (rule hoare_strengthen_post[OF createNewCaps_ret_len]) apply clarsimp @@ -7509,7 +7509,7 @@ lemma createObject_descendants_range': apply (simp add:createObject_def3) apply (rule hoare_pre) apply wp - apply (rule_tac Q = "\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) + apply (rule_tac Q'="\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) apply (rule hoare_vcg_conj_lift) apply (rule hoare_strengthen_post[OF createNewCaps_ret_len]) apply clarsimp @@ -7540,7 +7540,7 @@ lemma createObject_idlethread_range: apply (simp add:createObject_def3) apply (rule hoare_pre) apply wp - apply (rule_tac Q = "\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) + apply (rule_tac Q'="\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) apply (rule hoare_vcg_conj_lift) apply (rule hoare_strengthen_post[OF createNewCaps_ret_len]) apply clarsimp @@ -7560,7 +7560,7 @@ lemma createObject_IRQHandler: apply (simp add:createObject_def3) apply (rule hoare_pre) apply wp - apply (rule_tac Q = "\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) + apply (rule_tac Q'="\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) apply (rule hoare_vcg_conj_lift) apply (rule hoare_strengthen_post[OF createNewCaps_ret_len]) apply clarsimp @@ -7578,7 +7578,7 @@ lemma createObject_capClass[wp]: apply (simp add:createObject_def3) apply (rule hoare_pre) apply wp - apply (rule_tac Q = "\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) + apply (rule_tac Q'="\r s. r \ [] \ Q r s" for Q in hoare_strengthen_post) apply (rule hoare_vcg_conj_lift) apply (rule hoare_strengthen_post[OF createNewCaps_ret_len]) apply clarsimp 
@@ -7626,7 +7626,7 @@ lemma createObject_parent_helper: \ createObject ty ptr us dev \\rv. cte_wp_at' (\cte. isUntypedCap (cteCap cte) \ (sameRegionAs (cteCap cte) rv)) p\" - apply (rule hoare_post_imp [where Q="\rv s. \cte. cte_wp_at' ((=) cte) p s + apply (rule hoare_post_imp[where Q'="\rv s. \cte. cte_wp_at' ((=) cte) p s \ isUntypedCap (cteCap cte) \ sameRegionAs (cteCap cte) rv"]) apply (clarsimp simp:cte_wp_at_ctes_of) @@ -8415,7 +8415,7 @@ shows "ccorres dc xfdc (cnodeptr + (of_nat k * 0x20 + start * 0x20 + of_nat n * 0x20)) s) \ descendants_range_in' {(of_nat n << APIType_capBits newType userSize) + ptr.. (ptr && ~~ mask sz) + 2 ^ sz - 1} srcSlot (ctes_of s)" - in hoare_pre(1)) + in hoare_weaken_pre) apply wp apply (clarsimp simp:createObject_hs_preconds_def conj_comms add.commute[where b=ptr] invs_valid_pspace' invs_pspace_distinct' invs_pspace_aligned' diff --git a/proof/crefine/X64/Schedule_C.thy b/proof/crefine/X64/Schedule_C.thy index e0b618e692..72020d91bb 100644 --- a/proof/crefine/X64/Schedule_C.thy +++ b/proof/crefine/X64/Schedule_C.thy @@ -678,7 +678,7 @@ lemma schedule_ccorres: apply wp apply clarsimp (* when runnable tcbSchedEnqueue curThread *) - apply (rule_tac Q="\rv s. invs' s \ ksCurThread s = curThread + apply (rule_tac Q'="\rv s. invs' s \ ksCurThread s = curThread \ ksSchedulerAction s = SwitchToThread candidate" in hoare_post_imp) apply (clarsimp simp: invs'_bitmapQ_no_L1_orphans invs_ksCurDomain_maxDomain') apply (fastforce dest: invs_sch_act_wf') diff --git a/proof/crefine/X64/SyscallArgs_C.thy b/proof/crefine/X64/SyscallArgs_C.thy index 34626e3585..6cf0b08990 100644 --- a/proof/crefine/X64/SyscallArgs_C.thy +++ b/proof/crefine/X64/SyscallArgs_C.thy @@ -948,7 +948,7 @@ lemma getMRs_user_word: linorder_not_less [symmetric]) apply (wp mapM_loadWordUser_user_words_at) apply (wp hoare_vcg_all_lift) - apply (rule_tac Q="\_. \" in hoare_strengthen_post) + apply (rule_tac Q'="\_. \" in hoare_strengthen_post) apply wp apply clarsimp defer 
@@ -1004,7 +1004,7 @@ lemma getMRs_rel: apply (rule hoare_pre) apply (rule_tac x=mi in hoare_exI) apply wp - apply (rule_tac Q="\rv s. thread = ksCurThread s \ fst (getMRs thread buffer mi s) = {(rv,s)}" in hoare_strengthen_post) + apply (rule_tac Q'="\rv s. thread = ksCurThread s \ fst (getMRs thread buffer mi s) = {(rv,s)}" in hoare_strengthen_post) apply (wp det_result det_wp_getMRs) apply clarsimp apply (clarsimp simp: cur_tcb'_def) @@ -1170,7 +1170,7 @@ lemma getSyscallArg_ccorres_foo: apply (clarsimp simp: option_to_ptr_def option_to_0_def) apply (rule_tac P="\s. valid_ipc_buffer_ptr' (ptr_val (Ptr b)) s \ i < msgLength mi \ msgLength mi \ msgMaxLength \ scast n_msgRegisters \ i" - in hoare_pre(1)) + in hoare_weaken_pre) apply (wp getMRs_user_word) apply (clarsimp simp: msgMaxLength_def unat_less_helper) apply fastforce diff --git a/proof/crefine/X64/Syscall_C.thy b/proof/crefine/X64/Syscall_C.thy index 1f7a8c3977..1deddeb2bf 100644 --- a/proof/crefine/X64/Syscall_C.thy +++ b/proof/crefine/X64/Syscall_C.thy @@ -257,7 +257,7 @@ lemma decodeInvocation_ccorres: apply simp apply (vcg exspec=performInvocation_Reply_modifies) apply (simp add: cur_tcb'_def[symmetric]) - apply (rule_tac R="\rv s. ksCurThread s = thread" in hoare_post_add) + apply (rule_tac Q'="\rv s. ksCurThread s = thread" in hoare_post_add) apply (simp cong: conj_cong) apply (strengthen imp_consequent) apply (wp sts_invs_minor' sts_st_tcb_at'_cases) @@ -680,9 +680,9 @@ lemma sendFaultIPC_ccorres: , assumption) apply vcg apply (clarsimp simp: inQ_def) - apply (rule_tac Q="\a b. invs' b \ st_tcb_at' simple' tptr b + apply (rule_tac Q'="\a b. invs' b \ st_tcb_at' simple' tptr b \ sch_act_not tptr b \ valid_cap' a b" - and E="\ _. \" + and E'="\ _. \" in hoare_strengthen_postE) apply (wp) apply (clarsimp simp: isCap_simps) 
@@ -882,8 +882,8 @@ lemma handleInvocation_ccorres: apply (rule ccorres_return_C_errorE, simp+)[1] apply vcg apply (simp add: invocationCatch_def o_def) - apply (rule_tac Q="\rv'. invs' and tcb_at' rv" - and E="\ft. invs' and tcb_at' rv" + apply (rule_tac Q'="\rv'. invs' and tcb_at' rv" + and E'="\ft. invs' and tcb_at' rv" in hoare_strengthen_postE) apply (wp hoare_split_bind_case_sumE hoare_drop_imps setThreadState_nonqueued_state_update diff --git a/proof/crefine/X64/Tcb_C.thy b/proof/crefine/X64/Tcb_C.thy index 738644df8e..aa55b64626 100644 --- a/proof/crefine/X64/Tcb_C.thy +++ b/proof/crefine/X64/Tcb_C.thy @@ -422,7 +422,7 @@ lemma setPriority_ccorres: simp: st_tcb_at'_def o_def split: if_splits) apply (simp add: guard_is_UNIV_def) apply (rule hoare_strengthen_post[ - where Q="\rv s. + where Q'="\rv s. obj_at' (\_. True) t s \ priority \ maxPriority \ ksCurDomain s \ maxDomain \ @@ -675,7 +675,7 @@ lemma invokeTCB_ThreadControl_ccorres: apply wp apply (clarsimp simp : guard_is_UNIV_def Collect_const_mem) apply (rule hoare_strengthen_post[ - where Q= "\rv s. + where Q'="\rv s. valid_objs' s \ weak_sch_act_wf (ksSchedulerAction s) s \ ((\a b. priority = Some (a, b)) \ @@ -769,7 +769,7 @@ lemma invokeTCB_ThreadControl_ccorres: apply (clarsimp simp : guard_is_UNIV_def Collect_const_mem) apply (simp cong: conj_cong) apply (rule hoare_strengthen_post[ - where Q="\a b. (valid_objs' b \ + where Q'="\a b. (valid_objs' b \ sch_act_wf (ksSchedulerAction b) b \ pspace_aligned' b \ pspace_distinct' b \ ((\a b. priority = Some (a, b)) \ @@ -814,7 +814,7 @@ lemma invokeTCB_ThreadControl_ccorres: apply vcg apply (simp add: conj_comms cong: conj_cong) apply (strengthen invs_ksCurDomain_maxDomain' invs_pspace_distinct') - apply (wp hoare_vcg_const_imp_lift_R cteDelete_invs') + apply (wp hoare_vcg_const_imp_liftE_R cteDelete_invs') apply simp apply (rule ccorres_split_nothrow_novcg_dc) apply (rule ccorres_cond2[where R=\], simp add: Collect_const_mem) 
@@ -1237,13 +1237,13 @@ lemma invokeTCB_CopyRegisters_ccorres: apply (simp add: pred_conj_def guard_is_UNIV_def cong: if_cong | wp mapM_x_wp_inv hoare_drop_imp)+ apply clarsimp - apply (rule_tac Q="\rv. invs' and tcb_at' destn" in hoare_strengthen_post[rotated]) + apply (rule_tac Q'="\rv. invs' and tcb_at' destn" in hoare_strengthen_post[rotated]) apply (fastforce simp: sch_act_wf_weak) apply (wpsimp wp: hoare_drop_imp restart_invs')+ apply (clarsimp simp add: guard_is_UNIV_def) apply (wp hoare_drop_imp hoare_vcg_if_lift)+ apply simp - apply (rule_tac Q="\rv. invs' and tcb_at' destn" in hoare_strengthen_post[rotated]) + apply (rule_tac Q'="\rv. invs' and tcb_at' destn" in hoare_strengthen_post[rotated]) apply (fastforce simp: sch_act_wf_weak) apply (wpsimp wp: hoare_drop_imp)+ apply (clarsimp simp add: guard_is_UNIV_def) @@ -1647,7 +1647,7 @@ lemma invokeTCB_WriteRegisters_ccorres[where S=UNIV]: apply wp apply (simp add: guard_is_UNIV_def) apply (wp hoare_drop_imp) - apply (rule_tac Q="\rv. invs' and tcb_at' dst" in hoare_strengthen_post[rotated]) + apply (rule_tac Q'="\rv. invs' and tcb_at' dst" in hoare_strengthen_post[rotated]) apply (fastforce simp: sch_act_wf_weak) apply (wpsimp wp: restart_invs')+ apply (clarsimp simp add: guard_is_UNIV_def) @@ -2163,7 +2163,7 @@ shows apply wp apply (simp add: Collect_const_mem ThreadState_defs mask_def) apply vcg - apply (rule_tac Q="\rv. invs' and st_tcb_at' ((=) Restart) thread + apply (rule_tac Q'="\rv. invs' and st_tcb_at' ((=) Restart) thread and tcb_at' target" in hoare_post_imp) apply (clarsimp simp: pred_tcb_at') apply (auto elim!: pred_tcb'_weakenE)[1] diff --git a/proof/crefine/lib/Ctac.thy b/proof/crefine/lib/Ctac.thy index e5b71f8994..2ffa6f2023 100644 --- a/proof/crefine/lib/Ctac.thy +++ b/proof/crefine/lib/Ctac.thy 
@@ -1770,7 +1770,7 @@ next apply assumption apply (clarsimp elim!: inl_inrE) apply simp - apply (rule hoare_vcg_const_imp_lift_R) + apply (rule hoare_vcg_const_imp_liftE_R) apply (rule hoare_gen_asmE) apply (erule Cons.prems(3)[where n=0, simplified]) apply (rule_tac P="Q \ {s. \\. P \ \ (\, s) \ sr}" diff --git a/proof/drefine/Arch_DR.thy b/proof/drefine/Arch_DR.thy index bd92646ddb..b0450bbbd3 100644 --- a/proof/drefine/Arch_DR.thy +++ b/proof/drefine/Arch_DR.thy @@ -166,7 +166,7 @@ lemma dcorres_lookup_pt_slot: apply simp apply simp apply (simp add: transform_pde_def)+ - apply (rule hoare_strengthen_post[where Q = "\r. valid_pde r and pspace_aligned"] ) + apply (rule hoare_strengthen_post[where Q'="\r. valid_pde r and pspace_aligned"] ) apply (wp get_pde_valid) apply (clarsimp simp:valid_pde_def dest!:pt_aligned split:ARM_A.pde.splits) @@ -184,7 +184,7 @@ lemma lookup_pt_slot_aligned_6': apply (simp add:lookup_pt_slot_def) apply (wp|wpc)+ apply clarsimp - apply (rule hoare_strengthen_post[where Q = "\r. valid_pde r and pspace_aligned"] ) + apply (rule hoare_strengthen_post[where Q'="\r. valid_pde r and pspace_aligned"] ) apply wp apply simp+ apply (clarsimp simp:valid_pde_def dest!:pt_aligned split:ARM_A.pde.splits) @@ -1207,7 +1207,7 @@ lemma invoke_page_table_corres: apply (wp store_pte_cte_wp_at) apply fastforce apply wpsimp+ - apply (rule_tac Q="\rv s. invs s \ valid_etcbs s \ a \ idle_thread s \ cte_wp_at \ (a,b) s \ + apply (rule_tac Q'="\rv s. invs s \ valid_etcbs s \ a \ idle_thread s \ cte_wp_at \ (a,b) s \ caps_of_state s' = caps_of_state s" in hoare_strengthen_post) apply wp apply (clarsimp simp:invs_def valid_state_def) 
@@ -1235,7 +1235,7 @@ lemma set_vm_root_for_flush_dwp[wp]: apply (rule hoare_conjI,rule hoare_drop_imp) apply (wp do_machine_op_wp|clarsimp simp:load_hw_asid_def)+ apply (wpc|wp)+ - apply (rule_tac Q="\rv s. transform s = cs" in hoare_strengthen_post) + apply (rule_tac Q'="\rv s. transform s = cs" in hoare_strengthen_post) apply (wp|clarsimp)+ done @@ -1548,7 +1548,7 @@ lemma invoke_page_corres: apply (clarsimp simp: transform_mapping_def update_map_data_def) apply (wp get_cap_cte_wp_at_rv unmap_page_pred_tcb_at | clarsimp simp:valid_idle_def not_idle_thread_def)+ - apply (rule_tac Q="\rv s. valid_etcbs s \ + apply (rule_tac Q'="\rv s. valid_etcbs s \ idle_tcb_at (\(st, ntfn, arch). idle st \ ntfn = None \ valid_arch_idle arch) (idle_thread s) s \ a \ idle_thread s \ idle_thread s = idle_thread_ptr \ cte_wp_at \ (a,b) s \ @@ -1683,7 +1683,7 @@ proof - apply (clarsimp simp: transform_asid_table_def transform_asid_def fun_upd_def[symmetric] unat_map_upd) apply wp+ - apply (rule_tac Q="\rv s. cte_wp_at (\c. \idx. c = (cap.UntypedCap False frame pageBits idx)) cref s + apply (rule_tac Q'="\rv s. cte_wp_at (\c. \idx. c = (cap.UntypedCap False frame pageBits idx)) cref s \ asid_pool_at frame s \ cte_wp_at ((=) cap.NullCap) cnode_ref s \ ex_cte_cap_to cnode_ref s \ invs s \ valid_etcbs s" @@ -1719,7 +1719,7 @@ proof - apply (rule_tac P = "is_aligned frame page_bits \ page_bits \ word_bits \ 2 \ page_bits" in hoare_gen_asm) apply (simp add: delete_objects_rewrite[unfolded word_size_bits_def] is_aligned_neg_mask_eq) - apply (rule_tac Q="\_ s. + apply (rule_tac Q'="\_ s. invs s \ valid_etcbs s \ pspace_no_overlap_range_cover frame pageBits s \ descendants_range_in (untyped_range (cap.UntypedCap False frame pageBits idx)) cref s \ cte_wp_at ((=) (cap.UntypedCap False frame pageBits idx)) cref s \ diff --git a/proof/drefine/CNode_DR.thy b/proof/drefine/CNode_DR.thy index e60d2346aa..147442a785 100644 --- a/proof/drefine/CNode_DR.thy +++ b/proof/drefine/CNode_DR.thy 
@@ -222,7 +222,7 @@ lemma insert_cap_sibling_corres: | simp add: swp_def cte_wp_at_caps_of_state)+) apply (wp set_cap_idle | simp add:set_untyped_cap_as_full_def split del: if_split)+ - apply (rule_tac Q = "\r s. cdt s sibling = None + apply (rule_tac Q'="\r s. cdt s sibling = None \ \ should_be_parent_of src_capa (is_original_cap s sibling) cap (cap_insert_dest_original cap src_capa) \ mdb_cte_at (swp (cte_wp_at ((\) cap.NullCap)) s) (cdt s)" in hoare_strengthen_post) @@ -234,7 +234,7 @@ lemma insert_cap_sibling_corres: apply (wp get_cap_wp set_cap_idle hoare_weak_lift_imp | simp add:set_untyped_cap_as_full_def split del: if_split)+ - apply (rule_tac Q = "\r s. cdt s sibling = None + apply (rule_tac Q'="\r s. cdt s sibling = None \ (\cap. caps_of_state s src = Some cap) \ \ should_be_parent_of src_capa (is_original_cap s src) cap (cap_insert_dest_original cap src_capa) \ mdb_cte_at (swp (cte_wp_at ((\) cap.NullCap)) s) (cdt s)" @@ -306,7 +306,7 @@ lemma insert_cap_child_corres: | simp add: swp_def cte_wp_at_caps_of_state)+ apply (wp set_cap_idle | simp add:set_untyped_cap_as_full_def split del:if_split)+ - apply (rule_tac Q = "\r s. not_idle_thread (fst child) s + apply (rule_tac Q'="\r s. not_idle_thread (fst child) s \ should_be_parent_of src_capa (is_original_cap s child) cap (cap_insert_dest_original cap src_capa) \ mdb_cte_at (swp (cte_wp_at ((\) cap.NullCap)) s) (cdt s)" in hoare_strengthen_post) @@ -315,7 +315,7 @@ lemma insert_cap_child_corres: apply fastforce apply (wp get_cap_wp set_cap_idle hoare_weak_lift_imp | simp split del:if_split add:set_untyped_cap_as_full_def)+ - apply (rule_tac Q = "\r s. not_idle_thread (fst child) s + apply (rule_tac Q'="\r s. not_idle_thread (fst child) s \ (\cap. caps_of_state s src = Some cap) \ should_be_parent_of src_capa (is_original_cap s src) cap (cap_insert_dest_original cap src_capa) \ mdb_cte_at (swp (cte_wp_at ((\) cap.NullCap)) s) (cdt s)" 
@@ -521,7 +521,7 @@ lemma delete_cap_corres: apply (rule validE_validE_R) apply (simp add:validE_def weak_valid_mdb_def) apply (rule hoare_drop_imp) - apply (rule_tac Q = "\r. invs and not_idle_thread a and valid_etcbs" in hoare_strengthen_post) + apply (rule_tac Q'="\r. invs and not_idle_thread a and valid_etcbs" in hoare_strengthen_post) apply (wp rec_del_invs) apply (simp add:not_idle_thread_def validE_def) apply wp @@ -550,7 +550,7 @@ lemma delete_cap_corres': apply (rule validE_validE_R) apply (simp add:validE_def weak_valid_mdb_def) apply (rule hoare_drop_imp) - apply (rule_tac Q = "\r. invs and not_idle_thread a and valid_etcbs" in hoare_strengthen_post) + apply (rule_tac Q'="\r. invs and not_idle_thread a and valid_etcbs" in hoare_strengthen_post) apply (wp rec_del_invs) apply (simp add:not_idle_thread_def validE_def) apply wp @@ -1004,7 +1004,7 @@ lemma dcorres_ep_cancel_badge_sends: apply simp+ apply (clarsimp simp:bind_assoc not_idle_thread_def) apply (wp sts_st_tcb_at_neq) - apply (rule_tac Q="\r a. valid_idle a \ idle_thread a = idle_thread s' \ + apply (rule_tac Q'="\r a. valid_idle a \ idle_thread a = idle_thread s' \ st_tcb_at (\ts. \pl. ts = Structures_A.thread_state.BlockedOnSend epptr pl) y a \ y \ idle_thread a \ valid_etcbs a" in hoare_strengthen_post) apply wp @@ -1524,7 +1524,7 @@ lemma store_pte_ct: apply wp apply (simp add:set_pt_def) apply wp - apply (rule_tac Q = "\r s. P (cur_thread s)" in hoare_strengthen_post) + apply (rule_tac Q'="\r s. P (cur_thread s)" in hoare_strengthen_post) apply (wp|clarsimp)+ done @@ -1535,7 +1535,7 @@ lemma invalidate_tlb_by_asid_dwp: apply (wp do_machine_op_wp|wpc)+ apply clarsimp apply (wp) - apply (rule_tac Q = "\r s. transform s = cs" in hoare_strengthen_post) + apply (rule_tac Q'="\r s. transform s = cs" in hoare_strengthen_post) apply (simp add:load_hw_asid_def) apply (wp|clarsimp)+ done 
@@ -1569,10 +1569,10 @@ lemma copy_global_mappings_dwp: "is_aligned word pd_bits\ \\ps. valid_idle (ps :: det_state) \ transform ps = cs\ copy_global_mappings word \\r s. transform s = cs\" apply (simp add:copy_global_mappings_def) apply wp - apply (rule_tac Q = "\r s. valid_idle s \ transform s = cs" in hoare_strengthen_post) + apply (rule_tac Q'="\r s. valid_idle s \ transform s = cs" in hoare_strengthen_post) apply (rule mapM_x_wp') apply wp - apply (rule_tac Q="\s. valid_idle s \ transform s = cs" in hoare_weaken_pre) + apply (rule_tac P'="\s. valid_idle s \ transform s = cs" in hoare_weaken_pre) apply (rule dcorres_to_wp) apply (rule corres_guard_imp[OF store_pde_set_cap_corres]) apply (clarsimp simp:kernel_mapping_slots_def) @@ -1782,7 +1782,7 @@ lemma thread_set_valid_idle: apply (simp add: thread_set_def not_idle_thread_def) apply (simp add: gets_the_def valid_idle_def) apply wp - apply (rule_tac Q="not_idle_thread thread and valid_idle" in hoare_weaken_pre) + apply (rule_tac P'="not_idle_thread thread and valid_idle" in hoare_weaken_pre) apply (clarsimp simp: KHeap_A.set_object_def get_object_def in_monad get_def put_def bind_def obj_at_def return_def valid_def not_idle_thread_def valid_idle_def pred_tcb_at_def) apply simp+ diff --git a/proof/drefine/Finalise_DR.thy b/proof/drefine/Finalise_DR.thy index 288b5d876a..142c3f39f7 100644 --- a/proof/drefine/Finalise_DR.thy +++ b/proof/drefine/Finalise_DR.thy 
@@ -214,10 +214,10 @@ lemma delete_cap_one_shrink_descendants: apply (rule_tac P="\s. valid_mdb s \ cdt s = cdt' \ cdt pres = cdt' \ slot \ CSpaceAcc_A.descendants_of p (cdt s) \ mdb_cte_at (swp (cte_wp_at ((\) cap.NullCap)) s) (cdt s)" in hoare_weaken_pre) - apply (rule_tac Q ="\r s. Q r s \ (mdb_cte_at (swp (cte_wp_at ((\) cap.NullCap)) s) (cdt s))" for Q in hoare_strengthen_post) + apply (rule_tac Q'="\r s. Q r s \ (mdb_cte_at (swp (cte_wp_at ((\) cap.NullCap)) s) (cdt s))" for Q in hoare_strengthen_post) apply (rule hoare_vcg_conj_lift) apply (rule delete_cdt_slot_shrink_descendants[where y= "cdt pres" and p = p]) - apply (rule_tac Q="\s. mdb_cte_at (swp (cte_wp_at ((\)cap.NullCap)) s ) cdt'" in hoare_weaken_pre) + apply (rule_tac P'="\s. mdb_cte_at (swp (cte_wp_at ((\)cap.NullCap)) s ) cdt'" in hoare_weaken_pre) apply (case_tac slot) apply (clarsimp simp:set_cdt_def get_def put_def bind_def valid_def mdb_cte_at_def) apply (assumption) @@ -486,7 +486,7 @@ lemma dcorres_deleting_irq_handler: apply (rule corres_guard_imp) apply (rule corres_split[OF dcorres_get_irq_slot]) apply (simp, rule delete_cap_simple_corres,simp) - apply (rule hoare_weaken_pre [where Q="invs and valid_etcbs"]) + apply (rule hoare_weaken_pre[where P'="invs and valid_etcbs"]) including classic_wp_pre apply (wpsimp simp:get_irq_slot_def)+ apply (rule irq_node_image_not_idle) @@ -697,7 +697,7 @@ lemma dcorres_set_vm_root: apply wp+ apply wpc apply (wp do_machine_op_wp | clarsimp)+ - apply (rule_tac Q = "\_ s. transform s = cs" in hoare_post_imp) + apply (rule_tac Q'="\_ s. transform s = cs" in hoare_post_imp) apply simp apply (wpsimp wp: whenE_wp do_machine_op_wp [OF allI] hoare_drop_imps find_pd_for_asid_inv simp: arm_context_switch_def get_hw_asid_def load_hw_asid_def if_apply_def2)+ 
@@ -796,7 +796,7 @@ lemma dcorres_flush_page: apply (rule hoare_conjI,rule hoare_drop_imp) apply (wp do_machine_op_wp|clarsimp simp:load_hw_asid_def)+ apply (wpc|wp)+ - apply (rule_tac Q="\rv s. transform s = cs" in hoare_strengthen_post) + apply (rule_tac Q'="\rv s. transform s = cs" in hoare_strengthen_post) apply (wp|clarsimp)+ done @@ -821,7 +821,7 @@ lemma dcorres_flush_table: apply (rule hoare_conjI,rule hoare_drop_imp) apply (wp do_machine_op_wp|clarsimp simp:load_hw_asid_def)+ apply (wpc|wp)+ - apply (rule_tac Q="\rv s. transform s = cs" in hoare_strengthen_post) + apply (rule_tac Q'="\rv s. transform s = cs" in hoare_strengthen_post) apply (wp|clarsimp)+ done @@ -1403,10 +1403,10 @@ lemma remain_pt_pd_relation: apply (subgoal_tac "ptr\ y") apply (simp add: store_pte_def) apply wp - apply (rule_tac Q = "ko_at (ArchObj (arch_kernel_obj.PageTable rv)) (ptr && ~~ mask pt_bits) + apply (rule_tac P'="ko_at (ArchObj (arch_kernel_obj.PageTable rv)) (ptr && ~~ mask pt_bits) and pt_page_relation (y && ~~ mask pt_bits) pg_id y S" in hoare_weaken_pre) apply (clarsimp simp: set_pt_def) - apply (rule_tac Q = "ko_at (ArchObj (arch_kernel_obj.PageTable rv)) (ptr && ~~ mask pt_bits) + apply (rule_tac P'="ko_at (ArchObj (arch_kernel_obj.PageTable rv)) (ptr && ~~ mask pt_bits) and pt_page_relation (y && ~~ mask pt_bits) pg_id y S" in hoare_weaken_pre) apply (clarsimp simp: valid_def set_object_def get_object_def in_monad) apply (drule_tac x= y in bspec,simp) 
@@ -1427,10 +1427,10 @@ lemma remain_pd_section_relation: \\r s. pd_section_relation (y && ~~ mask pd_bits) sid y s\" apply (simp add: store_pde_def) apply wp - apply (rule_tac Q = "ko_at (ArchObj (arch_kernel_obj.PageDirectory rv)) (ptr && ~~ mask pd_bits) + apply (rule_tac P'="ko_at (ArchObj (arch_kernel_obj.PageDirectory rv)) (ptr && ~~ mask pd_bits) and pd_section_relation (y && ~~ mask pd_bits) sid y " in hoare_weaken_pre) apply (clarsimp simp: set_pd_def) - apply (rule_tac Q = "ko_at (ArchObj (arch_kernel_obj.PageDirectory rv)) (ptr && ~~ mask pd_bits) + apply (rule_tac P'="ko_at (ArchObj (arch_kernel_obj.PageDirectory rv)) (ptr && ~~ mask pd_bits) and pd_section_relation (y && ~~ mask pd_bits) sid y " in hoare_weaken_pre) apply (clarsimp simp: valid_def set_object_def get_object_def in_monad) apply (clarsimp simp: pd_section_relation_def dest!: ucast_inj_mask | rule conjI)+ @@ -1449,10 +1449,10 @@ lemma remain_pd_super_section_relation: \\r s. pd_super_section_relation (y && ~~ mask pd_bits) sid y s\" apply (simp add: store_pde_def) apply wp - apply (rule_tac Q = "ko_at (ArchObj (arch_kernel_obj.PageDirectory rv)) (ptr && ~~ mask pd_bits) + apply (rule_tac P'="ko_at (ArchObj (arch_kernel_obj.PageDirectory rv)) (ptr && ~~ mask pd_bits) and pd_super_section_relation (y && ~~ mask pd_bits) sid y " in hoare_weaken_pre) apply (clarsimp simp: set_pd_def) - apply (rule_tac Q = "ko_at (ArchObj (arch_kernel_obj.PageDirectory rv)) (ptr && ~~ mask pd_bits) + apply (rule_tac P'="ko_at (ArchObj (arch_kernel_obj.PageDirectory rv)) (ptr && ~~ mask pd_bits) and pd_super_section_relation (y && ~~ mask pd_bits) sid y " in hoare_weaken_pre) apply (clarsimp simp: valid_def set_object_def get_object_def in_monad) apply (clarsimp simp: pd_super_section_relation_def dest!: ucast_inj_mask | rule conjI)+ 
@@ -2040,7 +2040,7 @@ lemma pd_pt_relation_page_table_mapped_wp: apply (simp add:get_pde_def) apply wp apply (simp add:validE_def) - apply (rule hoare_strengthen_post[where Q="\rv. page_table_at w"]) + apply (rule hoare_strengthen_post[where Q'="\rv. page_table_at w"]) apply wp apply (clarsimp simp:pd_pt_relation_def obj_at_def)+ done @@ -3416,7 +3416,7 @@ proof (induct arbitrary: S rule: rec_del.induct, apply (wp cutMon_validE_R_drop rec_del_invs | simp add: not_idle_thread_def | strengthen invs_weak_valid_mdb invs_valid_idle_strg - | rule hoare_vcg_E_elim[rotated])+ + | rule hoare_vcg_conj_elimE[rotated])+ done next diff --git a/proof/drefine/Intent_DR.thy b/proof/drefine/Intent_DR.thy index 14696e0c51..3ffe0157c2 100644 --- a/proof/drefine/Intent_DR.thy +++ b/proof/drefine/Intent_DR.thy @@ -1091,7 +1091,7 @@ lemma get_tcb_mrs_wp: apply (rule_tac P = "tcb = obj" in hoare_gen_asm) apply (clarsimp simp: get_tcb_mrs_def Let_def get_tcb_message_info_def Suc_leI[OF msg_registers_lt_msg_max_length] split del:if_split) - apply (rule_tac Q="\buf_mrs s. buf_mrs = + apply (rule_tac Q'="\buf_mrs s. buf_mrs = (get_ipc_buffer_words (machine_state sa) obj ([Suc (length msg_registers)..r s. cte_wp_at ((=) cap.IRQControlCap) (aa,ba) s \ is_original_cap s (aa, ba)" in hoare_strengthen_post) apply (wp set_irq_state_cte_wp_at set_irq_state_original) apply (simp add:cte_wp_at_def should_be_parent_of_def) @@ -578,7 +578,7 @@ lemma cte_wp_at_neq_slot_cap_delete_one: apply (wp dxo_wp_weak | simp)+ apply (clarsimp simp:set_cdt_def) apply (wp | clarsimp)+ - apply (rule_tac Q = "\r s. cte_wp_at P slot s \ cte_at slot' s" in hoare_strengthen_post) + apply (rule_tac Q'="\r s. cte_wp_at P slot s \ cte_at slot' s" in hoare_strengthen_post) apply (rule hoare_vcg_conj_lift) apply wp apply (wp get_cap_cte) diff --git a/proof/drefine/Ipc_DR.thy b/proof/drefine/Ipc_DR.thy index 8c75345b2c..58212777d7 100644 --- a/proof/drefine/Ipc_DR.thy +++ b/proof/drefine/Ipc_DR.thy 
@@ -581,7 +581,7 @@ lemma recv_signal_corres: apply (rule corres_dummy_return_l) apply (rule corres_split[OF set_register_corres corres_dummy_set_notification]) apply (wp |clarsimp)+ - apply (rule_tac Q="\r. ko_at (kernel_object.Notification r) word1 and valid_state" in hoare_strengthen_post) + apply (rule_tac Q'="\r. ko_at (kernel_object.Notification r) word1 and valid_state" in hoare_strengthen_post) apply (wp get_simple_ko_ko_at | clarsimp)+ apply (rule valid_objs_valid_ntfn_simp) apply (clarsimp simp:valid_objs_valid_ntfn_simp valid_state_def valid_pspace_def) @@ -815,7 +815,7 @@ lemma cancel_ipc_valid_idle: apply (clarsimp simp: cancel_ipc_def) apply (wp not_idle_after_blocked_cancel_ipc not_idle_after_reply_cancel_ipc not_idle_thread_cancel_signal | wpc | simp)+ - apply (rule hoare_strengthen_post[where Q="\r. st_tcb_at ((=) r) obj_id' + apply (rule hoare_strengthen_post[where Q'="\r. st_tcb_at ((=) r) obj_id' and not_idle_thread obj_id' and invs"]) apply (wp gts_sp) apply (clarsimp simp: invs_def valid_state_def valid_pspace_def not_idle_thread_def | rule conjI)+ @@ -1207,7 +1207,7 @@ lemma ipc_buffer_wp_at_cap_insert[wp]: "\ipc_buffer_wp_at buf t :: det_state \ bool \ cap_insert cap' (slot_ptr, slot_idx) a \\r. ipc_buffer_wp_at buf t\" apply (simp add:cap_insert_def set_untyped_cap_as_full_def) apply (wp|simp split del:if_split)+ - apply (rule_tac Q = "\r. ipc_buffer_wp_at buf t" in hoare_strengthen_post) + apply (rule_tac Q'="\r. ipc_buffer_wp_at buf t" in hoare_strengthen_post) apply wp apply (clarsimp simp:ipc_buffer_wp_at_def) apply (wp get_cap_inv hoare_drop_imp)+ @@ -1355,7 +1355,7 @@ next apply simp apply (clarsimp simp:cte_wp_at_caps_of_state) apply (subst imp_conjR) - apply (rule hoare_vcg_conj_liftE_R) + apply (rule hoare_vcg_conj_liftE_R') apply (rule derive_cap_is_derived) apply (rule derive_cap_is_derived_foo) apply wp+ 
@@ -1870,7 +1870,7 @@ lemma ipc_buffer_wp_at_copy_mrs[wp]:
 prefer 2
 apply fastforce
 apply (clarsimp simp:ipc_buffer_wp_at_def)
- apply (rule_tac Q="\rv. ipc_buffer_wp_at buf t" in hoare_strengthen_post)
+ apply (rule_tac Q'="\rv. ipc_buffer_wp_at buf t" in hoare_strengthen_post)
 apply (wp mapM_wp)
 apply fastforce
 apply (clarsimp)
@@ -1936,7 +1936,7 @@ lemma corres_complete_ipc_transfer:
 apply (rule hoare_strengthen_postE_R)
 apply (rule validE_validE_R)
 apply (rule hoare_vcg_conj_liftE1[OF lookup_extra_caps_srcs])
- apply (rule hoare_post_imp_dc2_actual[OF lookup_extra_caps_inv[where P=valid_objs]])
+ apply (rule hoare_post_impE_R_dc_actual[OF lookup_extra_caps_inv[where P=valid_objs]])
 apply clarsimp
 apply (drule(1) bspec)
 apply (clarsimp simp:cte_wp_at_caps_of_state)
@@ -2236,9 +2236,9 @@ lemma do_reply_transfer_corres:
 hoare_drop_imps thread_set_cur_thread_idle_thread thread_set_valid_idle | simp add:not_idle_thread_def)+
- apply (rule_tac Q = "\r s. invs s \ not_idle_thread recver s \ valid_etcbs s
+ apply (rule_tac Q'="\r s. invs s \ not_idle_thread recver s \ valid_etcbs s
 \ tcb_at recver s "
- in hoare_strengthen_post)
+ in hoare_strengthen_post)
 apply (clarsimp simp:not_idle_thread_def)
 apply (wp cap_delete_one_reply_st_tcb_at)+
 apply (clarsimp simp:not_idle_thread_def invs_valid_idle st_tcb_at_tcb_at)
@@ -2261,7 +2261,7 @@ lemma set_endpoint_valid_irq_node[wp]:
 apply wp
 apply (simp add:set_simple_ko_def)
 apply (wp hoare_vcg_all_lift)
- apply (rule_tac Q="\s. \irq. cap_table_at 0 (interrupt_irq_node s irq) s \ ep_at w s" in hoare_weaken_pre)
+ apply (rule_tac P'="\s. \irq. cap_table_at 0 (interrupt_irq_node s irq) s \ ep_at w s" in hoare_weaken_pre)
 apply (clarsimp simp: set_object_def get_object_def in_monad get_def put_def bind_def return_def valid_def obj_at_def)
 apply (drule_tac x = irq in spec)
@@ -2397,7 +2397,7 @@ lemma dcorres_receive_sync:
 apply (rule set_thread_state_corres[unfolded tcb_slots])
 apply wp
 apply (wp hoare_drop_imps gts_st_tcb_at | simp add:not_idle_thread_def)+
- apply (rule_tac Q="\fault. valid_mdb and valid_objs and pspace_aligned
+ apply (rule_tac Q'="\fault. valid_mdb and valid_objs and pspace_aligned
 and pspace_distinct and not_idle_thread t and not_idle_thread thread and valid_idle and valid_irq_node and (\s. cur_thread s \ idle_thread s) and tcb_at t and tcb_at thread
@@ -2651,7 +2651,7 @@ lemma send_sync_ipc_corres:
 apply (rule corres_alternate2)
 apply (rule corres_return_trivial)
 apply wp
- apply (rule_tac Q="\r. valid_mdb and valid_idle and valid_objs
+ apply (rule_tac Q'="\r. valid_mdb and valid_idle and valid_objs
 and not_idle_thread thread and not_idle_thread y and tcb_at thread and tcb_at y and st_tcb_at runnable thread and valid_etcbs" in hoare_strengthen_post[rotated])
@@ -2692,8 +2692,8 @@ lemma not_idle_thread_resolve_address_bits:
 apply (rule validE_R_validE)
 apply (rule_tac hoare_weaken_preE_R)
 apply (rule validE_validE_R)
- apply (rule_tac Q="\r. valid_global_refs and valid_objs and valid_idle and valid_irq_node and ex_cte_cap_to (fst r)"
- in hoare_strengthen_postE[where E="\x y. True"])
+ apply (rule_tac Q'="\r. valid_global_refs and valid_objs and valid_idle and valid_irq_node and ex_cte_cap_to (fst r)"
+ in hoare_strengthen_postE[where E'="\x y. True"])
 apply (wp rab_cte_cap_to)
 apply clarsimp
 apply (drule ex_cte_cap_to_not_idle, auto simp: not_idle_thread_def)[1]
diff --git a/proof/drefine/KHeap_DR.thy b/proof/drefine/KHeap_DR.thy
index be1037241a..7dc895aa79 100644
--- a/proof/drefine/KHeap_DR.thy
+++ b/proof/drefine/KHeap_DR.thy
@@ -1384,10 +1384,10 @@ lemma valid_idle_fast_finalise[wp]:
 apply (case_tac p)
 apply simp_all
 apply (wp,simp add:valid_state_def invs_def)
- apply (rule hoare_post_imp[where Q="%r. invs"])
+ apply (rule hoare_post_imp[where Q'="%r. invs"])
 apply (clarsimp simp:valid_state_def invs_def,wp cancel_all_ipc_invs)
 apply clarsimp
- apply (rule hoare_post_imp[where Q="%r. invs"])
+ apply (rule hoare_post_imp[where Q'="%r. invs"])
 apply (clarsimp simp:valid_state_def invs_def,wp unbind_maybe_notification_invs cancel_all_signals_invs)
 apply clarsimp
 apply wp
@@ -1398,10 +1398,10 @@ lemma valid_irq_node_fast_finalise[wp]:
 "\invs\ IpcCancel_A.fast_finalise p q \%r. valid_irq_node\"
 apply (case_tac p; simp)
 apply (wp,simp add:valid_state_def invs_def)
- apply (rule hoare_post_imp[where Q="%r. invs"])
+ apply (rule hoare_post_imp[where Q'="%r. invs"])
 apply (clarsimp simp:valid_state_def invs_def,wp cancel_all_ipc_invs)
 apply clarsimp
- apply (rule hoare_post_imp[where Q="%r. invs"])
+ apply (rule hoare_post_imp[where Q'="%r. invs"])
 apply (clarsimp simp:valid_state_def invs_def,wp unbind_maybe_notification_invs cancel_all_signals_invs)
 apply clarsimp
 apply wp
@@ -1412,10 +1412,10 @@ lemma invs_mdb_fast_finalise[wp]:
 "\invs\ IpcCancel_A.fast_finalise p q \%r. valid_mdb\"
 apply (case_tac p; simp)
 apply (wp,simp add:valid_state_def invs_def)
- apply (rule hoare_post_imp[where Q="%r. invs"])
+ apply (rule hoare_post_imp[where Q'="%r. invs"])
 apply (clarsimp simp:valid_state_def invs_def,wp cancel_all_ipc_invs)
 apply clarsimp
- apply (rule hoare_post_imp[where Q="%r. invs"])
+ apply (rule hoare_post_imp[where Q'="%r. invs"])
 apply (clarsimp simp:valid_state_def invs_def,wp unbind_maybe_notification_invs cancel_all_signals_invs)
 apply clarsimp
 apply wp
@@ -2745,7 +2745,7 @@ lemma get_tcb_reply_cap_wp_cte_at:
 "\tcb_at sid and valid_objs and cte_wp_at ((\) cap.NullCap) (sid, tcb_cnode_index 2)\ CSpaceAcc_A.get_cap (sid, tcb_cnode_index 2) \\rv. cte_wp_at ((\) cap.NullCap) (obj_ref_of rv, tcb_cnode_index 2)\"
 apply (rule hoare_post_imp
- [where Q="\r. cte_wp_at (\c. r \ cap.NullCap) (sid,tcb_cnode_index 2)
+ [where Q'="\r. cte_wp_at (\c. r \ cap.NullCap) (sid,tcb_cnode_index 2)
 and tcb_at sid and valid_objs and cte_wp_at ((=) r) (sid,tcb_cnode_index 2)"])
 apply clarsimp
 apply (frule cte_wp_tcb_cap_valid)
@@ -2759,7 +2759,7 @@ lemma get_tcb_reply_cap_wp_master_cap:
 "\tcb_at sid and valid_objs and cte_wp_at ((\) cap.NullCap) (sid,tcb_cnode_index 2) \ CSpaceAcc_A.get_cap (sid, tcb_cnode_index 2) \\rv s. (is_master_reply_cap rv) \"
 apply (rule hoare_post_imp
- [where Q="\r. cte_wp_at (\c. r \ cap.NullCap) (sid,tcb_cnode_index 2)
+ [where Q'="\r. cte_wp_at (\c. r \ cap.NullCap) (sid,tcb_cnode_index 2)
 and tcb_at sid and valid_objs and cte_wp_at ((=) r) (sid,tcb_cnode_index 2)"])
 apply clarsimp
 apply (frule cte_wp_tcb_cap_valid)
@@ -2773,7 +2773,7 @@ lemma get_tcb_reply_cap_wp_original_cap:
 "\tcb_at sid and valid_objs and cte_wp_at ((\) cap.NullCap) (sid,tcb_cnode_index 2) and valid_mdb \ CSpaceAcc_A.get_cap (sid, tcb_cnode_index 2) \\rv s. is_original_cap s (obj_ref_of rv, tcb_cnode_index 2)\"
 apply (rule hoare_post_imp
- [where Q="\r. cte_wp_at (\c. r \ cap.NullCap) (sid,tcb_cnode_index 2) and valid_mdb
+ [where Q'="\r. cte_wp_at (\c. r \ cap.NullCap) (sid,tcb_cnode_index 2) and valid_mdb
 and tcb_at sid and valid_objs and cte_wp_at ((=) r) (sid,tcb_cnode_index 2)"])
 apply (rename_tac rv s)
 apply clarsimp
@@ -2797,7 +2797,7 @@ lemma get_tcb_reply_cap_wp_obj_ref:
 "\tcb_at sid and valid_objs and cte_wp_at ((\) cap.NullCap) (sid,tcb_cnode_index 2) \ CSpaceAcc_A.get_cap (sid, tcb_cnode_index 2) \\rv s. (obj_ref_of rv = sid) \"
 apply (rule hoare_post_imp
- [where Q="\r. cte_wp_at (\c. r \ cap.NullCap) (sid,tcb_cnode_index 2)
+ [where Q'="\r. cte_wp_at (\c. r \ cap.NullCap) (sid,tcb_cnode_index 2)
 and tcb_at sid and valid_objs and cte_wp_at ((=) r) (sid,tcb_cnode_index 2)"])
 apply clarsimp
 apply (frule cte_wp_tcb_cap_valid)
@@ -2944,7 +2944,7 @@ lemma delete_cap_simple_corres:
 apply (rule always_empty_slot_corres)
 apply simp
 apply wp
- apply (rule hoare_post_imp [where Q="\r. valid_mdb and valid_idle
+ apply (rule hoare_post_imp[where Q'="\r. valid_mdb and valid_idle
 and not_idle_thread (fst slot) and valid_etcbs"])
 apply (simp add:valid_mdb_def weak_valid_mdb_def)
 apply wp
@@ -2956,7 +2956,7 @@ lemma delete_cap_simple_corres:
 lemma cap_delete_one_valid_mdb[wp]:
 "\invs and emptyable slot\ cap_delete_one slot \\yc. valid_mdb\"
- apply (rule hoare_post_imp [where Q="%x. invs"])
+ apply (rule hoare_post_imp[where Q'="%x. invs"])
 apply (simp add:invs_def valid_state_def valid_pspace_def)
 apply (rule delete_one_invs)
 done
@@ -3375,9 +3375,9 @@ lemma not_idle_thread_resolve_address_bits:
 apply (rule validE_R_validE)
 apply (rule_tac hoare_weaken_preE_R)
 apply (rule validE_validE_R)
- apply (rule_tac Q="\r. valid_etcbs and valid_global_refs and valid_objs and valid_idle and
+ apply (rule_tac Q'="\r. valid_etcbs and valid_global_refs and valid_objs and valid_idle and
 valid_irq_node and ex_cte_cap_to (fst r)"
- in hoare_strengthen_postE[where E="\x y. True"])
+ in hoare_strengthen_postE[where E'="\x y. True"])
 apply (wp rab_cte_cap_to)
 apply (auto intro: ex_cte_cap_wp_to_not_idle)[2]
 apply (clarsimp simp:ex_cte_cap_to_def)
diff --git a/proof/drefine/Refine_D.thy b/proof/drefine/Refine_D.thy
index d1801ef625..d3337e6846 100644
--- a/proof/drefine/Refine_D.thy
+++ b/proof/drefine/Refine_D.thy
@@ -48,7 +48,7 @@ lemma dcorres_call_kernel:
 apply (clarsimp simp: when_def split: option.splits)
 apply (rule handle_interrupt_corres[simplified dc_def])
 apply ((wp | simp)+)[3]
- apply (rule hoare_post_imp_dc2E, rule handle_event_invs_and_valid_sched)
+ apply (rule hoare_post_impE_E_dc, rule handle_event_invs_and_valid_sched)
 apply (clarsimp simp: invs_def valid_state_def)
 apply (simp add: conj_comms if_apply_def2 non_kernel_IRQs_def | wp | strengthen valid_etcbs_sched valid_idle_invs_strg)+
diff --git a/proof/drefine/Syscall_DR.thy b/proof/drefine/Syscall_DR.thy
index fd55c4a479..e8f9877fc9 100644
--- a/proof/drefine/Syscall_DR.thy
+++ b/proof/drefine/Syscall_DR.thy
@@ -858,7 +858,7 @@ lemma get_tcb_mrs_wp:
 apply (clarsimp simp: get_tcb_mrs_def Let_def get_tcb_message_info_def Suc_leI[OF msg_registers_lt_msg_max_length] arch_tcb_context_get_def split del:if_split)
- apply (rule_tac Q="\buf_mrs s. buf_mrs =
+ apply (rule_tac Q'="\buf_mrs s. buf_mrs =
 (get_ipc_buffer_words (machine_state sa) obj ([Suc (length msg_registers)..cap. cte_wp_at (\x. x = cap) (fst rv) and real_cte_at (fst rv) and valid_reply_masters and valid_objs" in hoare_strengthen_post)
 apply (wp get_cap_cte_wp_at)
 apply clarify
@@ -1344,7 +1344,7 @@ lemma handle_invocation_corres:
 apply (wp sts_Restart_invs set_thread_state_ct_active)+
 apply (simp add: split_def msg_from_syscall_error_simp)
 apply (wp | simp add: split_def)+
- apply (rule_tac Q="\r s. s = s'a \
+ apply (rule_tac Q'="\r s. s = s'a \
 evalMonad (lookup_ipc_buffer False (cur_thread s'a)) s'a = Some r \ cte_wp_at (Not \ is_master_reply_cap) (snd rv) s \ cte_wp_at ((=) (fst rv)) (snd rv) s \
@@ -1377,17 +1377,17 @@ lemma receive_ipc_cur_thread:
 apply (wp|wpc|clarsimp)+
 apply (simp add:setup_caller_cap_def)
 apply (wp dxo_wp_weak | simp)+
- apply (rule_tac Q="\r s. P (cur_thread s)" in hoare_strengthen_post)
+ apply (rule_tac Q'="\r s. P (cur_thread s)" in hoare_strengthen_post)
 apply clarsimp
 apply (wp|wpc)+
 apply clarsimp
 apply (clarsimp simp:neq_Nil_conv)
 apply (rename_tac list queue sender)
- apply (rule_tac Q="\r s. P (cur_thread s) \ tcb_at (hd list) s" in hoare_strengthen_post)
+ apply (rule_tac Q'="\r s. P (cur_thread s) \ tcb_at (hd list) s" in hoare_strengthen_post)
 apply wp
 apply (clarsimp simp:st_tcb_at_def tcb_at_def)
 apply (wp get_simple_ko_wp[where f=Notification] gbn_wp | wpc | simp add: Ipc_A.isActive_def)+
- apply (rule_tac Q="\r s. valid_ep r s \ P (cur_thread s)" in hoare_strengthen_post)
+ apply (rule_tac Q'="\r s. valid_ep r s \ P (cur_thread s)" in hoare_strengthen_post)
 apply (wp get_simple_ko_valid[where f=Endpoint, simplified valid_ep_def2[symmetric]])
 apply (clarsimp simp:valid_ep_def)
 apply auto[1]
@@ -1446,7 +1446,7 @@ lemma handle_recv_corres:
 apply (rule hoare_vcg_conj_lift)
 apply (rule_tac t1="cur_thread s'" in hoare_post_imp[OF _ cap_delete_one_st_tcb_at_and_valid_etcbs])
 apply (fastforce simp: obj_at_def generates_pending_def st_tcb_at_def)
- apply (rule_tac Q="\rv. invs and valid_etcbs" in hoare_strengthen_post)
+ apply (rule_tac Q'="\rv. invs and valid_etcbs" in hoare_strengthen_post)
 apply wp
 apply (clarsimp simp: invs_def)
 apply clarsimp
@@ -1454,7 +1454,7 @@ lemma handle_recv_corres:
 defer(* NEED RECEIVE ASYNC IPC *)
 apply clarsimp
 apply wp+
- apply (rule hoare_vcg_conj_liftE_R)
+ apply (rule hoare_vcg_conj_liftE_R')
 apply (rule hoare_strengthen_postE_R, rule lookup_cap_valid)
 apply (clarsimp simp: valid_cap_def)
 apply wp+
@@ -1462,7 +1462,7 @@ lemma handle_recv_corres:
 apply (wp get_simple_ko_wp |wpc)+
 apply (simp only: conj_ac)
 apply wp
- apply (rule hoare_vcg_E_elim)
+ apply (rule hoare_vcg_conj_elimE)
 apply (simp add: lookup_cap_def lookup_slot_for_thread_def split_def)
 apply wp
 apply (rule hoare_strengthen_postE[OF resolve_address_bits_valid_fault])
@@ -1471,7 +1471,7 @@ lemma handle_recv_corres:
 apply wp
 apply (rule validE_validE_R)
 apply (clarsimp simp:validE_def)
- apply (rule_tac Q = "\r s. cur_thread s = cur_thread s' \
+ apply (rule_tac Q'="\r s. cur_thread s = cur_thread s' \
 not_idle_thread (cur_thread s) s \ st_tcb_at active (cur_thread s) s \ invs s \ valid_etcbs s \
@@ -1645,9 +1645,9 @@ lemma handle_event_corres:
 apply wp[1]
 apply clarsimp
 apply (frule (1) ct_running_not_idle_etc)
- apply (fastforce simp: st_tcb_at_def obj_at_def generates_pending_def gets_def get_def
- valid_fault_def
- split: Structures_A.thread_state.splits)+
+ apply (fastforce simp: st_tcb_at_def obj_at_def generates_pending_def valid_fault_def
+ split: Structures_A.thread_state.splits)
+ apply wpsimp+
 apply (rule corres_symb_exec_r[OF handle_fault_corres])
 apply wp[1]
 apply clarsimp
@@ -1664,8 +1664,8 @@ lemma handle_event_corres:
 apply (rule corres_symb_exec_catch_r)
 apply (rule handle_fault_corres)
 apply (simp only: conj_comms)
- apply (rule hoare_vcg_E_conj)
- apply (wp handle_vm_fault_wp | rule hoare_vcg_E_conj)+
+ apply (rule hoare_vcg_conj_liftE_E)
+ apply (wp handle_vm_fault_wp | rule hoare_vcg_conj_liftE_E)+
 apply (simp add:no_fail_def)
 apply wp
 apply clarsimp
diff --git a/proof/drefine/Tcb_DR.thy b/proof/drefine/Tcb_DR.thy
index 0aae25db59..6fa7a6be13 100644
--- a/proof/drefine/Tcb_DR.thy
+++ b/proof/drefine/Tcb_DR.thy
@@ -568,9 +568,9 @@ lemma restart_corres:
 apply wp
 apply (simp add:not_idle_thread_def)
 apply ((wp|wps)+)[2]
- apply (rule_tac Q="(=) s' and invs" in hoare_weaken_pre)
+ apply (rule_tac P'="(=) s' and invs" in hoare_weaken_pre)
 apply (rule hoare_strengthen_post
- [where Q="\r. invs and tcb_at obj_id and not_idle_thread obj_id and valid_etcbs"])
+ [where Q'="\r. invs and tcb_at obj_id and not_idle_thread obj_id and valid_etcbs"])
 apply (simp add:not_idle_thread_def)
 apply (wp)
 apply (clarsimp simp:invs_def valid_state_def valid_pspace_def
@@ -701,7 +701,7 @@ lemma not_idle_after_restart [wp]:
 apply (simp add:cancel_ipc_def)
 apply (wp not_idle_after_blocked_cancel_ipc not_idle_after_reply_cancel_ipc not_idle_thread_cancel_signal | wpc)+
- apply (rule hoare_strengthen_post[where Q="\r. st_tcb_at ((=) r) obj_id'
+ apply (rule hoare_strengthen_post[where Q'="\r. st_tcb_at ((=) r) obj_id'
 and not_idle_thread obj_id' and invs"])
 apply (wp gts_sp)
 apply (clarsimp simp: invs_def valid_state_def valid_pspace_def not_idle_thread_def | rule conjI)+
@@ -788,7 +788,7 @@ lemma cnode_cap_unique_bits:
 CSpaceAcc_A.get_cap (ba, c) \\rv s. (Structures_A.is_cnode_cap rv \ obj_refs rv = obj_refs cap) \ (bits_of rv = bits_of cap)\"
 apply (rule hoare_pre)
- apply (rule_tac Q="\r s. (\a b. \ cte_wp_at (\c. obj_refs c = obj_refs cap \
+ apply (rule_tac Q'="\r s. (\a b. \ cte_wp_at (\c. obj_refs c = obj_refs cap \
 table_cap_ref c \ table_cap_ref cap) (a, b) s) \ valid_cap cap s \ valid_objs s \ valid_objs s \ cte_wp_at (\x. x = r) (ba,c) s"
@@ -1057,8 +1057,8 @@ lemma dcorres_tcb_update_ipc_buffer:
 apply simp
 apply wpsimp+
 apply (rule validE_validE_R)
- apply (rule_tac Q = "\r s. invs s \ valid_etcbs s \ not_idle_thread obj_id' s \ tcb_at obj_id' s"
- in hoare_strengthen_postE[where E="\x. \"])
+ apply (rule_tac Q'="\r s. invs s \ valid_etcbs s \ not_idle_thread obj_id' s \ tcb_at obj_id' s"
+ in hoare_strengthen_postE[where E'="\x. \"])
 apply (simp add:not_idle_thread_def)
 apply (wp cap_delete_cte_at cap_delete_deletes)
 apply (clarsimp simp:invs_def valid_state_def not_idle_thread_def)
@@ -1100,7 +1100,7 @@ lemma dcorres_tcb_update_ipc_buffer:
 apply (rule dcorres_insert_cap_combine)
 apply clarsimp
 apply wp
- apply (rule_tac Q = "\r s. cte_wp_at ((=) cap.NullCap) (obj_id', tcb_cnode_index 4) s
+ apply (rule_tac Q'="\r s. cte_wp_at ((=) cap.NullCap) (obj_id', tcb_cnode_index 4) s
 \ cte_wp_at (\_. True) (ab, ba) s \ valid_global_refs s \ valid_idle s \ valid_irq_node s \ valid_mdb s \ valid_objs s\ not_idle_thread ab s \ valid_etcbs s
@@ -1139,10 +1139,10 @@ lemma dcorres_tcb_update_ipc_buffer:
 apply (simp add: transform_tcb_slot_4)
 apply (rule hoare_strengthen_postE[OF validE_R_validE[OF hoareE_R_TrueI]])
 apply simp+
- apply (rule_tac Q = "\r s. invs s \ valid_etcbs s \ not_idle_thread (fst a') s \ tcb_at obj_id' s
+ apply (rule_tac Q'="\r s. invs s \ valid_etcbs s \ not_idle_thread (fst a') s \ tcb_at obj_id' s
 \ not_idle_thread obj_id' s \ not_idle_thread ab s \ cte_wp_at (\a. True) (ab,ba) s \ cte_wp_at (\c. c = cap.NullCap) (obj_id', tcb_cnode_index 4) s \ is_aligned a msg_align_bits"
- in hoare_strengthen_postE[where E="\x. \"])
+ in hoare_strengthen_postE[where E'="\x. \"])
 apply (simp add:not_idle_thread_def)
 apply (wp cap_delete_cte_at cap_delete_deletes cap_delete_valid_cap)
 apply (clarsimp simp:invs_valid_objs invs_mdb invs_valid_idle)
@@ -1207,7 +1207,7 @@ lemma dcorres_tcb_update_vspace_root:
 apply (simp add: transform_cap_def)
 apply wp
 apply (simp add: same_object_as_def)
- apply (rule_tac Q = "\r s. cte_wp_at ((=) cap.NullCap) (obj_id', tcb_cnode_index (Suc 0)) s \ cte_wp_at (\_. True) (ba, c) s
+ apply (rule_tac Q'="\r s. cte_wp_at ((=) cap.NullCap) (obj_id', tcb_cnode_index (Suc 0)) s \ cte_wp_at (\_. True) (ba, c) s
 \ valid_global_refs s \ valid_idle s \ valid_irq_node s \ valid_mdb s \ not_idle_thread ba s \ valid_objs s \ valid_etcbs s \ ((is_thread_cap r \ obj_ref_of r = obj_id') \ ex_cte_cap_wp_to (\_. True) (obj_id', tcb_cnode_index (Suc 0)) s)" in hoare_strengthen_post)
@@ -1224,10 +1224,10 @@ lemma dcorres_tcb_update_vspace_root:
 apply (rule hoare_drop_imp)
 apply (wp | simp)+
 apply (rule validE_validE_R)
- apply (rule_tac Q = "\r s. invs s \ valid_etcbs s \ not_idle_thread ba s \
+ apply (rule_tac Q'="\r s. invs s \ valid_etcbs s \ not_idle_thread ba s \
 not_idle_thread (fst a') s \ cte_wp_at (\_. True) (ba, c) s \ cte_wp_at (\c. c = cap.NullCap) (obj_id', tcb_cnode_index (Suc 0)) s"
- in hoare_strengthen_postE[where E="\x. \"])
+ in hoare_strengthen_postE[where E'="\x. \"])
 apply (simp add: not_idle_thread_def)
 apply (wp cap_delete_cte_at cap_delete_deletes)
 apply (clarsimp simp: invs_def valid_state_def valid_pspace_def)
@@ -1293,7 +1293,7 @@ lemma dcorres_tcb_update_cspace_root:
 apply (rule dcorres_insert_cap_combine[folded alternative_com])
 apply (clarsimp simp:is_cap_simps)
 apply wp
- apply (rule_tac Q = "\r s. cte_wp_at ((=) cap.NullCap) (obj_id', tcb_cnode_index 0) s \ cte_wp_at (\_. True) (ba, c) s
+ apply (rule_tac Q'="\r s. cte_wp_at ((=) cap.NullCap) (obj_id', tcb_cnode_index 0) s \ cte_wp_at (\_. True) (ba, c) s
 \ valid_global_refs s \ valid_idle s \ valid_irq_node s \ valid_mdb s \ not_idle_thread ba s \ valid_objs s \ valid_etcbs s \ ((is_thread_cap r \ obj_ref_of r = obj_id') \ ex_cte_cap_wp_to (\_. True) (obj_id', tcb_cnode_index 0) s)" in hoare_strengthen_post)
@@ -1316,11 +1316,11 @@ lemma dcorres_tcb_update_cspace_root:
 apply clarsimp
 apply wp
 apply (clarsimp simp:conj_comms)
- apply (rule_tac Q = "\r s. invs s \ valid_etcbs s \ not_idle_thread ba s \ valid_cap aaa s \
+ apply (rule_tac Q'="\r s. invs s \ valid_etcbs s \ not_idle_thread ba s \ valid_cap aaa s \
 not_idle_thread (fst a') s \ cte_wp_at (\_. True) (ba, c) s \ cte_wp_at (\c. c = cap.NullCap) (obj_id', tcb_cnode_index 0) s \ no_cap_to_obj_dr_emp aaa s"
- in hoare_strengthen_postE[where E = "\r. \"])
+ in hoare_strengthen_postE[where E'="\r. \"])
 apply (simp add:not_idle_thread_def)
 apply (wp cap_delete_cte_at cap_delete_deletes cap_delete_valid_cap)
 apply (simp add:invs_valid_objs)
@@ -1623,7 +1623,7 @@ lemma dcorres_thread_control:
 | intro conjI allI impI | clarsimp split: option.split)+
 apply (wp case_option_wpE)+
- apply (rule_tac Q="\_. ?P" in hoare_strengthen_post[rotated])
+ apply (rule_tac Q'="\_. ?P" in hoare_strengthen_post[rotated])
 apply (clarsimp simp: is_valid_vtable_root_def is_cnode_or_valid_arch_def is_arch_cap_def not_idle_thread_def emptyable_def split: option.splits)
diff --git a/proof/drefine/Untyped_DR.thy b/proof/drefine/Untyped_DR.thy
index 25232789b5..f3f602537c 100644
--- a/proof/drefine/Untyped_DR.thy
+++ b/proof/drefine/Untyped_DR.thy
@@ -1500,7 +1500,7 @@ lemma invoke_untyped_corres:
 retype_region_obj_at[THEN hoare_vcg_const_imp_lift] retype_region_caps_of[where sza = "\_. sz"] | simp add: misc)+
- apply (rule_tac Q="\rv s. cte_wp_at ((\) cap.NullCap) cref s
+ apply (rule_tac Q'="\rv s. cte_wp_at ((\) cap.NullCap) cref s
 \ post_retype_invs tp rv s \ idle_thread s \ fst ` set slots \ untyped_is_device (transform_cap cap) = dev
@@ -1516,7 +1516,7 @@ lemma invoke_untyped_corres:
 retype_region_post_retype_invs[where sz = sz] hoare_vcg_const_Ball_lift retype_region_aligned_for_init)+
 apply (clarsimp simp:conj_comms misc cover)
- apply (rule_tac Q="\r s.
+ apply (rule_tac Q'="\r s.
 cte_wp_at (\cp. \idx. cp = (cap.UntypedCap dev ptr' sz idx)) cref s \ invs s \ pspace_no_overlap_range_cover ptr sz s \ caps_no_overlap ptr sz s \ region_in_kernel_window {ptr..(ptr && ~~ mask sz) + 2 ^ sz - 1} s \
@@ -1558,8 +1558,8 @@ lemma invoke_untyped_corres:
 apply (wp (once) hoare_drop_imps)
 apply wp
 apply ((rule validE_validE_R)?,
- rule_tac E="\\" and
- Q="\_. valid_etcbs and invs and valid_untyped_inv_wcap untyped_invocation
+ rule_tac E'="\\" and
+ Q'="\_. valid_etcbs and invs and valid_untyped_inv_wcap untyped_invocation
 (Some (cap.UntypedCap dev ptr' sz (if reset then 0 else idx))) and ct_active and (\s. reset \ pspace_no_overlap {ptr' .. ptr' + 2 ^ sz - 1} s)" in hoare_strengthen_postE)
diff --git a/proof/infoflow/ADT_IF.thy b/proof/infoflow/ADT_IF.thy
index b3447308d2..c7a5213ab9 100644
--- a/proof/infoflow/ADT_IF.thy
+++ b/proof/infoflow/ADT_IF.thy
@@ -1124,7 +1124,7 @@ lemma handle_preemption_if_irq_masks:
 handle_preemption_if tc \\_ s. P (irq_masks_of_state s)\"
 apply (simp add: handle_preemption_if_def | wp handle_interrupt_irq_masks[where st=st])+
- apply (rule_tac Q="\rv s. P (irq_masks_of_state s) \ domain_sep_inv False st s \
+ apply (rule_tac Q'="\rv s. P (irq_masks_of_state s) \ domain_sep_inv False st s \
 (\x. rv = Some x \ x \ maxIRQ)" in hoare_strengthen_post)
 by (wp | simp)+
@@ -1607,7 +1607,7 @@ lemma kernel_entry_if_domain_time_sched_action:
 apply (case_tac "e = Interrupt")
 apply (simp add: kernel_entry_if_def)
 apply (wp handle_interrupt_valid_domain_time| wpc | simp)+
- apply (rule_tac Q="\r s. domain_time s > 0" in hoare_strengthen_post)
+ apply (rule_tac Q'="\r s. domain_time s > 0" in hoare_strengthen_post)
 apply (wp | simp)+
 apply (wp hoare_false_imp kernel_entry_if_domain_fields | fastforce)+
 done
@@ -1623,7 +1623,7 @@ lemma handle_preemption_if_domain_time_sched_action:
 \\_ s. domain_time s = 0 \ scheduler_action s = choose_new_thread\"
 apply (simp add: handle_preemption_if_def)
 apply (wp handle_interrupt_valid_domain_time| wpc | simp)+
- apply (rule_tac Q="\r s. domain_time s > 0" in hoare_strengthen_post)
+ apply (rule_tac Q'="\r s. domain_time s > 0" in hoare_strengthen_post)
 apply wpsimp+
 done
@@ -1945,7 +1945,7 @@ lemma handle_preemption_if_valid_sched[wp]:
 handle_preemption_if irq \\_. valid_sched\"
 apply (wpsimp simp: handle_preemption_if_def cong: if_cong)
- apply (rule_tac Q="\rv. valid_sched and invs and K (rv \ Some ` non_kernel_IRQs)"
+ apply (rule_tac Q'="\rv. valid_sched and invs and K (rv \ Some ` non_kernel_IRQs)"
 in hoare_strengthen_post[rotated])
 apply clarsimp
 apply (wpsimp wp: getActiveIRQ_neq_non_kernel)+
@@ -2049,7 +2049,7 @@ lemma invs_if_Step_ADT_A_if:
 apply simp
 apply simp
 apply (erule use_valid, erule use_valid[OF _ check_active_irq_if_wp])
- apply (rule_tac Q="\a. (invs and ct_running) and
+ apply (rule_tac Q'="\a. (invs and ct_running) and
 (\b. valid_vspace_objs_if b \ valid_list b \ valid_sched b \ only_timer_irq_inv timer_irq s0_internal b \ silc_inv initial_aag s0_internal b \
@@ -2071,7 +2071,7 @@ lemma invs_if_Step_ADT_A_if:
 apply simp
 apply simp
 apply (erule use_valid, erule use_valid[OF _ check_active_irq_if_wp])
- apply (rule_tac Q="\a. (invs and ct_running) and
+ apply (rule_tac Q'="\a. (invs and ct_running) and
 (\b. valid_vspace_objs_if b \ valid_list b \ valid_sched b \ only_timer_irq_inv timer_irq s0_internal b \ silc_inv initial_aag s0_internal b \
@@ -2822,7 +2822,7 @@ lemma schedule_if_irq_measure_if:
 lemma schedule_if_next_irq_state_of_state:
 "(r, b) \ fst (schedule_if uc i_s) \ next_irq_state_of_state b = next_irq_state_of_state i_s"
 apply (erule use_valid)
- apply (rule_tac Q="\_. irq_state_inv i_s" in hoare_strengthen_post)
+ apply (rule_tac Q'="\_. irq_state_inv i_s" in hoare_strengthen_post)
 apply (wp schedule_if_irq_state_inv)
 apply (auto simp: irq_state_inv_def)
 done
diff --git a/proof/infoflow/ARM/ArchADT_IF.thy b/proof/infoflow/ARM/ArchADT_IF.thy
index f46d04e49b..0f94f7ae05 100644
--- a/proof/infoflow/ARM/ArchADT_IF.thy
+++ b/proof/infoflow/ARM/ArchADT_IF.thy
@@ -320,7 +320,7 @@ lemma invoke_tcb_irq_state_inv[ADT_IF_assms]:
 apply ((wp irq_state_inv_triv | simp)+)[2] (* just ThreadControl left *)
 apply (simp add: split_def cong: option.case_cong)
- by (wp hoare_vcg_all_liftE_R hoare_vcg_all_lift hoare_vcg_const_imp_lift_R
+ by (wp hoare_vcg_all_liftE_R hoare_vcg_all_lift hoare_vcg_const_imp_liftE_R
 checked_cap_insert_domain_sep_inv cap_delete_deletes cap_delete_irq_state_inv[where st=st and sta=sta and irq=irq] cap_delete_irq_state_next[where st=st and sta=sta and irq=irq]
diff --git a/proof/infoflow/ARM/ArchArch_IF.thy b/proof/infoflow/ARM/ArchArch_IF.thy
index c8fee2409a..f0eb76ce4a 100644
--- a/proof/infoflow/ARM/ArchArch_IF.thy
+++ b/proof/infoflow/ARM/ArchArch_IF.thy
@@ -771,7 +771,7 @@ lemma perform_page_invocation_reads_respects:
 invalidate_tlb_by_asid_reads_respects get_master_pte_reads_respects get_master_pde_reads_respects set_mrs_reads_respects set_message_info_reads_respects | simp add: cleanByVA_PoU_def pte_check_if_mapped_def pde_check_if_mapped_def
- | wpc | wp (once) hoare_drop_imps[where R="\r s. r"])+
+ | wpc | wp (once) hoare_drop_imps[where Q'="\r s. r"])+
 apply (clarsimp simp: authorised_page_inv_def valid_page_inv_def)
 apply (auto simp: cte_wp_at_caps_of_state valid_slots_def cap_auth_conferred_def update_map_data_def is_page_cap_def authorised_slots_def valid_page_inv_def
@@ -804,9 +804,10 @@ lemma arm_asid_table_update_reads_respects:
 apply (rule modify_ev2)
 apply clarsimp
 apply (drule (1) is_subject_kheap_eq[rotated])
- apply (auto simp: reads_equiv_def2 affects_equiv_def2 states_equiv_for_def equiv_for_def
- intro!: equiv_asids_arm_asid_table_update)
- done
+ apply (fastforce simp: reads_equiv_def2 affects_equiv_def2 states_equiv_for_def equiv_for_def
+ intro!: equiv_asids_arm_asid_table_update)
+ apply wpsimp
+ done
 lemma perform_asid_control_invocation_reads_respects:
 notes K_bind_ev[wp del]
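Review bot: The new `apply wpsimp` before `done` in the @@ -804 hunk closes a goal that the previous `auto` call absorbed without trace, and nothing in the hunk says what that goal is. Since `fastforce` works on the first subgoal only while `auto` ran over all of them, this presumably is a side goal left over from the `rule modify_ev2` step earlier in the proof rather than something the `Q'` renames introduced, but a reader cannot confirm that from the diff alone. A one-line comment above the new step, for example `(* side goal remaining after modify_ev2 -- confirm *)`, would make the goal split explicit and would make a later failure of that `wpsimp` easier to diagnose. The lemma statement and the earlier proof steps start outside the hunk.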
@@ -1260,17 +1261,17 @@ lemma unmap_page_table_globals_equiv:
 \\rv. globals_equiv st\"
 unfolding unmap_page_table_def page_table_mapped_def
 apply (wp store_pde_globals_equiv | wpc | simp add: cleanByVA_PoU_def)+
- apply (rule_tac Q="\_. globals_equiv st and (\sa. lookup_pd_slot pd vaddr &&
+ apply (rule_tac Q'="\_. globals_equiv st and (\sa. lookup_pd_slot pd vaddr &&
 ~~ mask pd_bits \ arm_global_pd (arch_state sa))" in hoare_strengthen_post)
- apply (wp find_pd_for_asid_not_arm_global_pd hoare_post_imp_dc2E_actual | simp)+
+ apply (wp find_pd_for_asid_not_arm_global_pd hoare_post_impE_E_dc_actual | simp)+
 done
 lemma mapM_x_swp_store_pte_globals_equiv:
 "\globals_equiv s and valid_arch_state\ mapM_x (swp store_pte A) slots \\_. globals_equiv s\"
- apply (rule_tac Q="\_. globals_equiv s and valid_arch_state" in hoare_strengthen_post)
+ apply (rule_tac Q'="\_. globals_equiv s and valid_arch_state" in hoare_strengthen_post)
 apply (wp mapM_x_wp' store_pte_globals_equiv | simp)+
 done
@@ -1333,7 +1334,7 @@ lemma mapM_swp_store_pte_globals_equiv:
 "\globals_equiv st and valid_arch_state\ mapM (swp store_pte A) slots \\_. globals_equiv st\"
- apply (rule_tac Q="\ _. globals_equiv st and valid_arch_state"
+ apply (rule_tac Q'="\ _. globals_equiv st and valid_arch_state"
 in hoare_strengthen_post)
 apply (wp mapM_wp' store_pte_globals_equiv | simp)+
 done
@@ -1342,7 +1343,7 @@ lemma mapM_swp_store_pde_globals_equiv:
 "\globals_equiv st and (\s. \x \ set slots. x && ~~ mask pd_bits \ arm_global_pd (arch_state s))\ mapM (swp store_pde A) slots \\_. globals_equiv st\"
- apply (rule_tac Q="\_. globals_equiv st and
+ apply (rule_tac Q'="\_. globals_equiv st and
 (\s. \x \ set slots. x && ~~ mask pd_bits \ arm_global_pd (arch_state s))" in hoare_strengthen_post)
 apply (wp mapM_wp' store_pde_globals_equiv | simp)+
@@ -1356,7 +1357,7 @@ lemma mapM_x_swp_store_pde_globals_equiv :
 "\globals_equiv st and (\s. \x \ set slots. x && ~~ mask pd_bits \ arm_global_pd (arch_state s))\ mapM_x (swp store_pde A) slots \\_. globals_equiv st\"
- apply (rule_tac Q="\_. globals_equiv st and
+ apply (rule_tac Q'="\_. globals_equiv st and
 (\s. \x \ set slots. x && ~~ mask pd_bits \ arm_global_pd (arch_state s))" in hoare_strengthen_post)
 apply (wp mapM_x_wp' store_pde_globals_equiv | simp)+
@@ -1378,12 +1379,12 @@ lemma unmap_page_globals_equiv:
 apply (rule hoare_drop_imps)
 apply (wp)+
 apply (rule hoare_pre)
- apply (rule_tac Q="\x. globals_equiv st and
+ apply (rule_tac Q'="\x. globals_equiv st and
 (\sa. lookup_pd_slot x vptr && mask 6 = 0 \ (\xa\set [0 , 4 .e. 0x3C]. xa + lookup_pd_slot x vptr && ~~ mask pd_bits \ arm_global_pd (arch_state sa)))"
- and E="\_. globals_equiv st" in hoare_strengthen_postE)
+ and E'="\_. globals_equiv st" in hoare_strengthen_postE)
 apply (wp find_pd_for_asid_not_arm_global_pd_large_page)
 apply simp
 apply simp
@@ -1451,7 +1452,7 @@ lemma set_mrs_globals_equiv:
 apply (simp add: zipWithM_x_mapM_x)
 apply (rule conjI)
 apply (rule impI)
- apply (rule_tac Q="\_. globals_equiv s"
+ apply (rule_tac Q'="\_. globals_equiv s"
 in hoare_strengthen_post)
 apply (wp mapM_x_wp')
 apply (simp add: split_def)
@@ -1517,7 +1518,7 @@ lemma perform_asid_control_invocation_globals_equiv:
 (* factor out the implication -- we know what the relevant components of the cap referred to in the cte_wp_at are anyway from valid_aci, so just use those directly to simplify the reasoning later on *)
- apply (rule_tac Q="\a b. globals_equiv s b \ invs b \
+ apply (rule_tac Q'="\a b. globals_equiv s b \ invs b \
 word1 \ arm_global_pd (arch_state b) \ word1 \ idle_thread b \ (\idx. cte_wp_at ((=) (UntypedCap False word1 pageBits idx)) cslot_ptr2 b) \ descendants_of cslot_ptr2 (cdt b) = {} \
diff --git a/proof/infoflow/ARM/ArchFinalCaps.thy b/proof/infoflow/ARM/ArchFinalCaps.thy
index 84dc52b1ce..68e8655af1 100644
--- a/proof/infoflow/ARM/ArchFinalCaps.thy
+++ b/proof/infoflow/ARM/ArchFinalCaps.thy
@@ -302,7 +302,7 @@ lemma invoke_tcb_silc_inv[FinalCaps_assms]:
 (* slow, ~2 mins *)
 apply (simp only: conj_ac cong: conj_cong imp_cong | wp checked_insert_pas_refined checked_cap_insert_silc_inv hoare_vcg_all_liftE_R
- hoare_vcg_all_lift hoare_vcg_const_imp_lift_R
+ hoare_vcg_all_lift hoare_vcg_const_imp_liftE_R
 cap_delete_silc_inv_not_transferable cap_delete_pas_refined' cap_delete_deletes cap_delete_valid_cap cap_delete_cte_at
diff --git a/proof/infoflow/ARM/ArchIRQMasks_IF.thy b/proof/infoflow/ARM/ArchIRQMasks_IF.thy
index b9fec7e5d4..72b2eb96fc 100644
--- a/proof/infoflow/ARM/ArchIRQMasks_IF.thy
+++ b/proof/infoflow/ARM/ArchIRQMasks_IF.thy
@@ -139,16 +139,16 @@ lemma invoke_tcb_irq_masks[IRQMasks_IF_assms]: apply (rule hoare_strengthen_postE[OF cap_delete_irq_masks[where P=P]]) apply blast apply blast - apply (wpsimp wp: hoare_vcg_all_liftE_R hoare_vcg_const_imp_lift_R hoare_vcg_all_lift hoare_drop_imps + apply (wpsimp wp: hoare_vcg_all_liftE_R hoare_vcg_const_imp_liftE_R hoare_vcg_all_lift hoare_drop_imps checked_cap_insert_domain_sep_inv)+ - apply (rule_tac Q="\ r s. domain_sep_inv False st s \ P (irq_masks_of_state s)" - and E="\_ s. P (irq_masks_of_state s)" in hoare_strengthen_postE) + apply (rule_tac Q'="\ r s. domain_sep_inv False st s \ P (irq_masks_of_state s)" + and E'="\_ s. P (irq_masks_of_state s)" in hoare_strengthen_postE) apply (wp hoare_vcg_conj_liftE1 cap_delete_irq_masks) apply fastforce apply blast apply (wpsimp wp: hoare_weak_lift_imp hoare_vcg_all_lift checked_cap_insert_domain_sep_inv)+ - apply (rule_tac Q="\ r s. domain_sep_inv False st s \ P (irq_masks_of_state s)" - and E="\_ s. P (irq_masks_of_state s)" in hoare_strengthen_postE) + apply (rule_tac Q'="\ r s. domain_sep_inv False st s \ P (irq_masks_of_state s)" + and E'="\_ s. P (irq_masks_of_state s)" in hoare_strengthen_postE) apply (wp hoare_vcg_conj_liftE1 cap_delete_irq_masks) apply fastforce apply blast diff --git a/proof/infoflow/ARM/ArchIpc_IF.thy b/proof/infoflow/ARM/ArchIpc_IF.thy index 45caca8237..558ca6ca80 100644 --- a/proof/infoflow/ARM/ArchIpc_IF.thy +++ b/proof/infoflow/ARM/ArchIpc_IF.thy @@ -382,7 +382,7 @@ lemma set_mrs_equiv_but_for_labels[Ipc_IF_assms]: unfolding set_mrs_def apply (wp | wpc)+ apply (subst zipWithM_x_mapM_x) - apply (rule_tac Q="\_. equiv_but_for_labels aag L st and K (pasObjectAbs aag thread \ L \ + apply (rule_tac Q'="\_. equiv_but_for_labels aag L st and K (pasObjectAbs aag thread \ L \ (case buf of (Some buf') \ is_aligned buf' msg_align_bits \ (\x \ ptr_range buf' msg_align_bits. pasObjectAbs aag x \ L) 
diff --git a/proof/infoflow/ARM/ArchNoninterference.thy b/proof/infoflow/ARM/ArchNoninterference.thy index 8178cc6113..717015907a 100644 --- a/proof/infoflow/ARM/ArchNoninterference.thy +++ b/proof/infoflow/ARM/ArchNoninterference.thy @@ -82,7 +82,7 @@ lemma do_user_op_if_partitionIntegrity[Noninterference_assms]: "\partitionIntegrity aag st and pas_refined aag and invs and is_subject aag \ cur_thread\ do_user_op_if tc uop \\_. partitionIntegrity aag st\" - apply (rule_tac Q="\rv s. integrity (aag\pasMayActivate := False, pasMayEditReadyQueues := False\) + apply (rule_tac Q'="\rv s. integrity (aag\pasMayActivate := False, pasMayEditReadyQueues := False\) (scheduler_affects_globals_frame st) st s \ domain_fields_equiv st s \ idle_thread s = idle_thread st \ globals_equiv_scheduler st s \ silc_dom_equiv aag st s" diff --git a/proof/infoflow/ARM/ArchRetype_IF.thy b/proof/infoflow/ARM/ArchRetype_IF.thy index 27f4b2a653..4c50f20ad7 100644 --- a/proof/infoflow/ARM/ArchRetype_IF.thy +++ b/proof/infoflow/ARM/ArchRetype_IF.thy @@ -171,7 +171,7 @@ lemma copy_global_mappings_reads_respects_g: apply simp apply (rule bind_ev_pre) prefer 3 - apply (rule_tac Q="\s. is_subject aag x \ x \ arm_global_pd (arch_state s) \ + apply (rule_tac P'="\s. is_subject aag x \ x \ arm_global_pd (arch_state s) \ pspace_aligned s \ valid_arch_state s" in hoare_weaken_pre) apply (rule gets_sp) apply (assumption) @@ -283,7 +283,7 @@ lemma copy_global_mappings_globals_equiv: unfolding copy_global_mappings_def including classic_wp_pre apply simp apply wp - apply (rule_tac Q="\_. globals_equiv s and (\s. x \ arm_global_pd (arch_state s) \ + apply (rule_tac Q'="\_. globals_equiv s and (\s. x \ arm_global_pd (arch_state s) \ is_aligned x pd_bits)" in hoare_strengthen_post) apply (wp mapM_x_wp[OF _ subset_refl] store_pde_globals_equiv) apply (fastforce dest: subsetD[OF copy_global_mappings_index_subset] simp: pd_shifting') 
@@ -301,7 +301,7 @@ lemma init_arch_objects_globals_equiv: apply (subst do_machine_op_mapM_x[OF empty_fail_cleanCacheRange_PoU])+ apply (rule hoare_pre) apply (wpc | wp mapM_x_wp[OF dmo_cleanCacheRange_PoU_globals_equiv subset_refl])+ - apply (rule_tac Q="\_. globals_equiv s and (\ s. arm_global_pd (arch_state s) \ set refs)" + apply (rule_tac Q'="\_. globals_equiv s and (\ s. arm_global_pd (arch_state s) \ set refs)" in hoare_strengthen_post) apply (wp mapM_x_wp[OF _ subset_refl] copy_global_mappings_globals_equiv dmo_cleanCacheRange_PoU_globals_equiv @@ -542,11 +542,11 @@ lemma invoke_untyped_reads_respects_g_wcap[Retype_IF_assms]: apply (simp add: invoke_untyped_def mapM_x_def[symmetric]) apply (wpsimp wp: mapM_x_ev'' create_cap_reads_respects_g hoare_vcg_ball_lift init_arch_objects_reads_respects_g)+ - apply (rule_tac Q="\_. invs" in hoare_strengthen_post) + apply (rule_tac Q'="\_. invs" in hoare_strengthen_post) apply (wp init_arch_objects_invs_from_restricted) apply (fastforce simp: invs_def) apply (wp retype_region_reads_respects_g[where sz=sz and slot="slot_of_untyped_inv ui"]) - apply (rule_tac Q="\rvc s. (\x\set rvc. is_subject aag x) \ + apply (rule_tac Q'="\rvc s. (\x\set rvc. is_subject aag x) \ (\x\set rvc. is_aligned x (obj_bits_api apiobject_type nat)) \ ((0::obj_ref) < of_nat (length list)) \ post_retype_invs apiobject_type rvc s \ @@ -582,8 +582,8 @@ lemma invoke_untyped_reads_respects_g_wcap[Retype_IF_assms]: apply (rule_tac P="authorised_untyped_inv aag ui \ (\p \ ptr_range ptr sz. is_subject aag p)" in hoare_gen_asmE) apply (rule validE_validE_R, - rule_tac E="\\" - and Q="\_. invs and valid_untyped_inv_wcap ui (Some (UntypedCap dev ptr sz (If reset 0 idx))) + rule_tac E'="\\" + and Q'="\_. invs and valid_untyped_inv_wcap ui (Some (UntypedCap dev ptr sz (If reset 0 idx))) and ct_active and (\s. reset \ pspace_no_overlap {ptr .. ptr + 2 ^ sz - 1} s)" in hoare_strengthen_postE) 
@@ -658,7 +658,7 @@ lemma reset_untyped_cap_globals_equiv: preemption_point_inv | simp add: unless_def)+ apply (rule valid_validE) apply (rule_tac P="cap_aligned cap \ is_untyped_cap cap" in hoare_gen_asm) - apply (rule_tac Q="\_ s. valid_global_objs s \ valid_arch_state s \ globals_equiv st s" + apply (rule_tac Q'="\_ s. valid_global_objs s \ valid_arch_state s \ globals_equiv st s" in hoare_strengthen_post) apply (rule validE_valid, rule mapME_x_wp') apply (rule hoare_pre) diff --git a/proof/infoflow/ARM/ArchScheduler_IF.thy b/proof/infoflow/ARM/ArchScheduler_IF.thy index 518d1c8ff3..4556f7f054 100644 --- a/proof/infoflow/ARM/ArchScheduler_IF.thy +++ b/proof/infoflow/ARM/ArchScheduler_IF.thy @@ -178,7 +178,7 @@ lemma globals_equiv_scheduler_inv'[Scheduler_IF_assms]: apply (rule use_spec) apply (simp add: spec_valid_def) apply (erule_tac x="(swap_things sa s)" in allE) - apply (rule_tac Q="\r st. globals_equiv (swap_things sa s) st" in hoare_strengthen_post) + apply (rule_tac Q'="\r st. globals_equiv (swap_things sa s) st" in hoare_strengthen_post) apply (rule hoare_pre) apply assumption apply (clarsimp simp: globals_equiv_def swap_things_def globals_equiv_scheduler_def diff --git a/proof/infoflow/ARM/ArchTcb_IF.thy b/proof/infoflow/ARM/ArchTcb_IF.thy index 93de65eca9..44dd1df9c1 100644 --- a/proof/infoflow/ARM/ArchTcb_IF.thy +++ b/proof/infoflow/ARM/ArchTcb_IF.thy 
@@ -103,13 +103,13 @@ lemma invoke_tcb_thread_preservation[Tcb_IF_assms]: apply wp apply ((simp add: conj_comms(1, 2) | rule wp_split_const_if wp_split_const_if_R hoare_vcg_all_liftE_R - hoare_vcg_E_elim hoare_vcg_const_imp_lift_R hoare_vcg_R_conj + hoare_vcg_conj_elimE hoare_vcg_const_imp_liftE_R hoare_vcg_conj_liftE_R | (wp check_cap_inv2[where Q="\_. pas_refined aag"] check_cap_inv2[where Q="\_ s. t \ idle_thread s"] out_invs_trivial case_option_wpE cap_delete_deletes cap_delete_valid_cap cap_insert_valid_cap out_cte_at cap_insert_cte_at cap_delete_cte_at out_valid_cap out_tcb_valid - hoare_vcg_const_imp_lift_R hoare_vcg_all_liftE_R + hoare_vcg_const_imp_liftE_R hoare_vcg_all_liftE_R thread_set_tcb_ipc_buffer_cap_cleared_invs thread_set_invs_trivial[OF ball_tcb_cap_casesI] hoare_vcg_all_lift thread_set_valid_cap out_emptyable @@ -155,7 +155,7 @@ lemma tc_reads_respects_f[Tcb_IF_assms]: (invoke_tcb ti)" apply (simp add: split_def cong: option.case_cong) apply (wpsimp wp: set_priority_reads_respects[THEN reads_respects_f[where st=st and Q=\]]) - apply (wpsimp wp: hoare_vcg_const_imp_lift_R simp: when_def | wpc)+ + apply (wpsimp wp: hoare_vcg_const_imp_liftE_R simp: when_def | wpc)+ apply (rule conjI) apply ((wpsimp wp: reschedule_required_reads_respects_f)+)[4] apply ((wp reads_respects_f[OF cap_insert_reads_respects, where st=st] @@ -183,7 +183,7 @@ lemma tc_reads_respects_f[Tcb_IF_assms]: set_mcpriority_only_timer_irq_inv[where st=st' and irq=irq] cap_delete_deletes cap_delete_valid_cap cap_delete_cte_at cap_delete_pas_refined' itr_wps(12) itr_wps(14) cap_insert_cte_at - checked_insert_no_cap_to hoare_vcg_const_imp_lift_R hoare_vcg_conj_lift + checked_insert_no_cap_to hoare_vcg_const_imp_liftE_R hoare_vcg_conj_lift as_user_reads_respects_f thread_set_mdb cap_delete_invs | wpc | simp add: emptyable_def tcb_cap_cases_def tcb_cap_valid_def 
@@ -214,7 +214,7 @@ lemma tc_reads_respects_f[Tcb_IF_assms]: set_mcpriority_only_timer_irq_inv[where st=st' and irq=irq] cap_delete_deletes cap_delete_valid_cap cap_delete_cte_at cap_delete_pas_refined' itr_wps(12) itr_wps(14) cap_insert_cte_at - checked_insert_no_cap_to hoare_vcg_const_imp_lift_R + checked_insert_no_cap_to hoare_vcg_const_imp_liftE_R as_user_reads_respects_f cap_delete_invs | wpc | simp add: emptyable_def tcb_cap_cases_def tcb_cap_valid_def when_def st_tcb_at_triv diff --git a/proof/infoflow/Decode_IF.thy b/proof/infoflow/Decode_IF.thy index 0e70187967..59fa1a67ce 100644 --- a/proof/infoflow/Decode_IF.thy +++ b/proof/infoflow/Decode_IF.thy @@ -51,7 +51,7 @@ lemma expand_len_gr_Suc_0: by fastforce (* FIXME: remove *) -lemmas hoare_vcg_imp_lift_R = hoare_vcg_const_imp_lift_R +lemmas hoare_vcg_imp_liftE_R = hoare_vcg_const_imp_liftE_R lemma decode_cnode_invocation_rev: "reads_equiv_valid_inv A (aag :: 'a subject_label PAS) @@ -61,7 +61,7 @@ lemma decode_cnode_invocation_rev: apply (rule equiv_valid_guard_imp) apply (simp add: unlessE_whenE) apply wp - apply (wp if_apply_ev derive_cap_rev whenE_inv hoare_vcg_imp_lift_R + apply (wp if_apply_ev derive_cap_rev whenE_inv hoare_vcg_imp_liftE_R lookup_slot_for_cnode_op_rev hoare_vcg_all_liftE_R lookup_slot_for_cnode_op_authorised ensure_empty_rev get_cap_rev | simp add: split_def unlessE_whenE split del: if_split @@ -201,7 +201,7 @@ lemma decode_untyped_invocation_rev: | simp | rule validE_R_validE | strengthen aag_can_read_self)+ apply (rule hoare_strengthen_post[ - where Q="\ rv s. (is_cnode_cap rv + where Q'="\ rv s. (is_cnode_cap rv \ is_subject aag (obj_ref_of rv)) \ pas_refined aag s"]) apply (wp (once) whenE_throwError_wp diff --git a/proof/infoflow/FinalCaps.thy b/proof/infoflow/FinalCaps.thy index 94edeb3ded..63a099ae1a 100644 --- a/proof/infoflow/FinalCaps.thy +++ b/proof/infoflow/FinalCaps.thy 
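Review bot: In the Decode_IF hunk at `@@ -51,7`, the alias marked `(* FIXME: remove *)` is renamed to `hoare_vcg_imp_liftE_R` instead of being dropped, so the FIXME survives the rename with a new name. The only use visible in this diff is in the `@@ -61,7` hunk of the same file, where the `wp` call could name the real lemma directly: `apply (wp if_apply_ev derive_cap_rev whenE_inv hoare_vcg_const_imp_liftE_R`. If no other theory refers to the alias (not verifiable from this diff), deleting the `lemmas` line together with the FIXME would finish what the comment asks for.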
@@ -1983,7 +1983,7 @@ lemma reset_untyped_cap_untyped_cap: apply (rule hoare_pre) apply (wp set_cap_cte_wp_at | simp add: unless_def)+ apply (rule valid_validE, - rule_tac Q="\rv. cte_wp_at (\cp. is_untyped_cap cp \ is_untyped_cap cap \ + rule_tac Q'="\rv. cte_wp_at (\cp. is_untyped_cap cp \ is_untyped_cap cap \ untyped_range cp = untyped_range cap \ P True (untyped_range cp)) slot" in hoare_strengthen_post) @@ -2108,7 +2108,7 @@ lemma reset_untyped_cap_silc_inv: apply (simp add: reset_untyped_cap_def cong: if_cong) apply (rule validE_valid, rule hoare_pre) apply (wp set_cap_silc_inv_simple | simp add: unless_def)+ - apply (rule valid_validE, rule_tac Q="\_. cte_wp_at is_untyped_cap slot and + apply (rule valid_validE, rule_tac Q'="\_. cte_wp_at is_untyped_cap slot and silc_inv aag st" in hoare_strengthen_post) apply (rule validE_valid, rule mapME_x_inv_wp, rule hoare_pre) apply (wp mapME_x_inv_wp preemption_point_inv set_cap_cte_wp_at @@ -2135,7 +2135,7 @@ lemma invoke_untyped_silc_inv: \\_. silc_inv aag st\" apply (rule hoare_gen_asm) apply (rule hoare_pre) - apply (rule_tac Q="\_. silc_inv aag st and + apply (rule_tac Q'="\_. silc_inv aag st and cte_wp_at (\cp. is_untyped_cap cp \ (\x \ untyped_range cp. is_subject aag x)) (case ui of Retype src_slot _ _ _ _ _ _ _ \ src_slot)" 
@@ -2794,15 +2794,17 @@ lemma handle_invocation_silc_inv: apply (wp syscall_valid perform_invocation_silc_inv set_thread_state_runnable_valid_sched set_thread_state_pas_refined decode_invocation_authorised | simp split del: if_split)+ - apply (rule_tac E="\ft. silc_inv aag st and pas_refined aag and - is_subject aag \ cur_thread and invs and - (\_. valid_fault ft \ is_subject aag thread)" - and R="Q" and Q=Q for Q in hoare_strengthen_postE) + apply (rule_tac E'="\ft. silc_inv aag st and pas_refined aag and + is_subject aag \ cur_thread and invs and + (\_. valid_fault ft \ is_subject aag thread)" + and Q="Q" and Q'=Q for Q + in hoare_strengthen_postE) apply (wp lookup_extra_caps_authorised lookup_extra_caps_auth | simp)+ - apply (rule_tac E="\ft. silc_inv aag st and pas_refined aag and - is_subject aag \ cur_thread and invs and - (\_. valid_fault (CapFault x False ft) \ is_subject aag thread)" - and R="Q" and Q=Q for Q in hoare_strengthen_postE) + apply (rule_tac E'="\ft. silc_inv aag st and pas_refined aag and + is_subject aag \ cur_thread and invs and + (\_. valid_fault (CapFault x False ft) \ is_subject aag thread)" + and Q="Q" and Q'=Q for Q + in hoare_strengthen_postE) apply (wp lookup_cap_and_slot_authorised lookup_cap_and_slot_cur_auth | simp)+ apply (auto intro: st_tcb_ex_cap simp: ct_in_state_def runnable_eq_active) done @@ -2840,7 +2842,7 @@ lemma handle_recv_silc_inv: receive_ipc_silc_inv lookup_slot_for_thread_authorised lookup_slot_for_thread_cap_fault get_cap_auth_wp[where aag=aag] | wpc | simp - | rule_tac Q="\rv s. invs s \ pas_refined aag s \ is_subject aag thread \ + | rule_tac Q'="\rv s. invs s \ pas_refined aag s \ is_subject aag thread \ (pasSubject aag, Receive, pasObjectAbs aag x31) \ pasPolicy aag" in hoare_strengthen_post, wp, clarsimp simp: invs_valid_objs invs_sym_refs)+ apply (rule_tac Q'="\r s. silc_inv aag st s \ invs s \ pas_refined aag s \ 
diff --git a/proof/infoflow/Finalise_IF.thy b/proof/infoflow/Finalise_IF.thy index f30e168a36..476a7a8062 100644 --- a/proof/infoflow/Finalise_IF.thy +++ b/proof/infoflow/Finalise_IF.thy @@ -643,7 +643,7 @@ lemma cancel_all_ipc_reads_respects: | rule subset_refl | wp (once) hoare_drop_imps | assumption - | rule hoare_strengthen_post[where Q="\_. pas_refined aag and pspace_aligned + | rule hoare_strengthen_post[where Q'="\_. pas_refined aag and pspace_aligned and valid_vspace_objs and valid_arch_state", OF mapM_x_wp])+ @@ -777,7 +777,7 @@ lemma cancel_all_signals_reads_respects: | rule subset_refl | wp (once) hoare_drop_imps | simp - | rule hoare_strengthen_post[where Q="\_. pas_refined aag and pspace_aligned + | rule hoare_strengthen_post[where Q'="\_. pas_refined aag and pspace_aligned and valid_vspace_objs and valid_arch_state", OF mapM_x_wp])+ @@ -824,7 +824,7 @@ lemma cap_delete_one_reads_respects_f: reads_respects_f[OF fast_finalise_reads_respects, where st=st] empty_slot_silc_inv | simp | elim conjE)+ - apply (rule_tac Q="\rva s. rva = is_final_cap' rv s \ + apply (rule_tac Q'="\rva s. rva = is_final_cap' rv s \ cte_wp_at ((=) rv) slot s \ silc_inv aag st s \ is_subject aag (fst slot) \ @@ -856,7 +856,7 @@ lemma cap_delete_one_reads_respects_f_transferable: reads_respects_f[OF empty_slot_reads_respects, where st=st] reads_respects_f[OF fast_finalise_reads_respects, where st=st] | simp | elim conjE)+ - apply (rule_tac Q="\rva s. rva = is_final_cap' rv s \ + apply (rule_tac Q'="\rva s. rva = is_final_cap' rv s \ cte_wp_at ((=) rv) slot s \ silc_inv aag st s \ is_transferable_in slot s \ 
@@ -1001,7 +1001,7 @@ lemma reply_cancel_ipc_reads_respects_f: reads_respects_f[OF thread_set_reads_respects, where st=st] reads_respects_f[OF gets_descendants_of_revrv[folded equiv_valid_def2]] | simp add: when_def split del: if_split | elim conjE)+ - apply (rule_tac Q="\ rv s. silc_inv aag st s \ invs s \ pas_refined aag s + apply (rule_tac Q'="\ rv s. silc_inv aag st s \ invs s \ pas_refined aag s \ tcb_at tptr s \ is_subject aag tptr" in hoare_strengthen_post) apply (wp thread_set_tcb_fault_update_silc_inv hoare_vcg_imp_lift hoare_vcg_ball_lift @@ -1262,7 +1262,7 @@ next apply (clarsimp simp: appropriate_cte_cap_def split: cap.splits) apply (clarsimp cong: conj_cong simp: conj_comms) apply (wp drop_spec_ev[OF liftE_ev] is_final_cap_reads_respects | simp)+ - apply (rule_tac Q="\rva s. rva = is_final_cap' rv s \ cte_wp_at ((=) rv) slot s \ + apply (rule_tac Q'="\rva s. rva = is_final_cap' rv s \ cte_wp_at ((=) rv) slot s \ only_timer_irq_inv irq st' s \ silc_inv aag st s \ pas_refined aag s \ pas_cap_cur_auth aag rv \ invs s \ valid_list s \ valid_sched s \ simple_sched_action s \ diff --git a/proof/infoflow/IRQMasks_IF.thy b/proof/infoflow/IRQMasks_IF.thy index 9d81ea120d..12d66f9571 100644 --- a/proof/infoflow/IRQMasks_IF.thy +++ b/proof/infoflow/IRQMasks_IF.thy @@ -345,7 +345,7 @@ lemma handle_event_irq_masks: | wp (once) hoare_drop_imps)+\)?) apply simp apply (wp handle_interrupt_irq_masks[where st=st] | wpc | simp)+ - apply (rule_tac Q="\rv s. P (irq_masks_of_state s) \ domain_sep_inv False st s \ + apply (rule_tac Q'="\rv s. P (irq_masks_of_state s) \ domain_sep_inv False st s \ (\x. rv = Some x \ x \ maxIRQ)" in hoare_strengthen_post) apply wpsimp+ done 
@@ -357,11 +357,11 @@ lemma call_kernel_irq_masks: \\rv s. P (irq_masks_of_state s)\" apply (simp add: call_kernel_def) apply (wp handle_interrupt_irq_masks[where st=st])+ - apply (rule_tac Q="\rv s. P (irq_masks_of_state s) \ domain_sep_inv False st s \ + apply (rule_tac Q'="\rv s. P (irq_masks_of_state s) \ domain_sep_inv False st s \ (\x. rv = Some x \ x \ maxIRQ)" in hoare_strengthen_post) apply (wp | simp)+ - apply (rule_tac Q="\x s. P (irq_masks_of_state s) \ domain_sep_inv False st s" - and F="E" for E in hoare_strengthen_postE) + apply (rule_tac Q'="\x s. P (irq_masks_of_state s) \ domain_sep_inv False st s" + and E="E" for E in hoare_strengthen_postE) apply (rule valid_validE) apply (wp handle_event_irq_masks[where st=st] valid_validE[OF handle_event_domain_sep_inv] | simp)+ diff --git a/proof/infoflow/InfoFlow_IF.thy b/proof/infoflow/InfoFlow_IF.thy index 2de302236b..05a68a466b 100644 --- a/proof/infoflow/InfoFlow_IF.thy +++ b/proof/infoflow/InfoFlow_IF.thy @@ -957,8 +957,9 @@ lemma do_machine_op_rev: apply (clarsimp simp: select_f_def equiv_valid_2_def) apply (insert equiv_dmo, clarsimp simp: equiv_valid_def2 equiv_valid_2_def)[1] apply blast - apply (wp select_f_inv)+ + apply (wpsimp wp: select_f_inv)+ apply (fastforce simp: select_f_def dest: state_unchanged[OF mo_inv])+ + apply wpsimp done end diff --git a/proof/infoflow/Ipc_IF.thy b/proof/infoflow/Ipc_IF.thy index eccc55962e..11865a8ea3 100644 --- a/proof/infoflow/Ipc_IF.thy +++ b/proof/infoflow/Ipc_IF.thy @@ -907,7 +907,7 @@ lemma transfer_caps_loop_reads_respects': prefer 2 apply (clarsimp simp: cte_wp_at_caps_of_state split del: if_split) apply (strengthen is_derived_is_transferable[mk_strg I' O], assumption, solves\simp\) - apply (rule hoare_vcg_conj_liftE_R) + apply (rule hoare_vcg_conj_liftE_R') apply (rule derive_cap_is_derived) apply (wp derive_cap_is_derived_foo') apply wp 
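Review bot: In the do_machine_op_rev hunk (`@@ -957,8 +957,9`) a bare `apply wpsimp` is appended after the `fastforce ...+` chain, so the new proof has one more subgoal than the old one, and nothing in the hunk shows where it comes from; the same pattern appears in the riscv_asid_table_update_reads_respects hunk (`@@ -425,8 +425,9` in ArchArch_IF.thy), where `auto` is narrowed to `fastforce` and a trailing `apply wpsimp` is added. Presumably the switch from `wp` to `wpsimp` (and from `auto` to `fastforce`) leaves a side condition that the final `wpsimp` discharges, but that is inferred, not visible. A short comment next to the added line, e.g. `(* remaining side condition from wpsimp above *)`, would save the next maintainer from re-deriving why the extra step is needed.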
@@ -1606,7 +1606,7 @@ lemma do_reply_transfer_reads_respects_f: | wp (once) reads_respects_f[where aag=aag and st=st] | elim conjE | wp (once) hoare_drop_imps)+ - apply (rule_tac Q="\ rv s. pas_refined aag s \ pas_cur_domain aag s \ invs s + apply (rule_tac Q'="\ rv s. pas_refined aag s \ pas_cur_domain aag s \ invs s \ is_subject aag (cur_thread s) \ silc_inv aag st s" in hoare_strengthen_post[rotated]) @@ -1703,8 +1703,8 @@ next apply (rule Cons.hyps) apply (simp) apply (wp cap_insert_globals_equiv'') - apply (rule_tac Q="\_. globals_equiv st and valid_arch_state and valid_global_objs" - and E="\_. globals_equiv st and valid_arch_state and valid_global_objs" + apply (rule_tac Q'="\_. globals_equiv st and valid_arch_state and valid_global_objs" + and E'="\_. globals_equiv st and valid_arch_state and valid_global_objs" in hoare_strengthen_postE) apply (simp add: whenE_def, rule conjI) apply (rule impI, wp)+ @@ -1727,12 +1727,12 @@ lemma copy_mrs_globals_equiv: \\_. globals_equiv s\" unfolding copy_mrs_def including classic_wp_pre apply (wp | wpc)+ - apply (rule_tac Q="\_. globals_equiv s" in hoare_strengthen_post) + apply (rule_tac Q'="\_. globals_equiv s" in hoare_strengthen_post) apply (wp mapM_wp' | wpc)+ apply (wp store_word_offs_globals_equiv)+ apply fastforce apply simp - apply (rule_tac Q="\_. globals_equiv s and valid_arch_state and (\sa. receiver \ idle_thread sa)" + apply (rule_tac Q'="\_. globals_equiv s and valid_arch_state and (\sa. receiver \ idle_thread sa)" in hoare_strengthen_post) apply (wp mapM_wp' as_user_globals_equiv) apply (simp) 
@@ -1803,7 +1803,7 @@ lemma do_ipc_transfer_globals_equiv: \\_. globals_equiv st\" unfolding do_ipc_transfer_def apply (wp do_normal_transfer_globals_equiv do_fault_transfer_globals_equiv | wpc)+ - apply (rule_tac Q="\_. globals_equiv st and valid_arch_state and valid_global_objs and + apply (rule_tac Q'="\_. globals_equiv st and valid_arch_state and valid_global_objs and (\sa. receiver \ idle_thread sa) and (\sa. (\rb. recv_buffer = Some rb \ auth_ipc_buffers sa receiver = ptr_range rb msg_align_bits) \ @@ -1823,7 +1823,7 @@ lemma send_ipc_globals_equiv: unfolding send_ipc_def apply (wp set_simple_ko_globals_equiv set_thread_state_globals_equiv setup_caller_cap_globals_equiv | wpc)+ - apply (rule_tac Q="\_. globals_equiv st and valid_arch_state and valid_global_objs" + apply (rule_tac Q'="\_. globals_equiv st and valid_arch_state and valid_global_objs" in hoare_strengthen_post[rotated]) apply (fastforce) apply (wp set_thread_state_globals_equiv dxo_wp_weak | simp)+ @@ -1832,7 +1832,7 @@ lemma send_ipc_globals_equiv: apply (clarsimp) apply (rule hoare_drop_imps) apply (wp set_simple_ko_globals_equiv)+ - apply (rule_tac Q="\ep. ko_at (Endpoint ep) epptr and globals_equiv st and valid_objs and + apply (rule_tac Q'="\ep. ko_at (Endpoint ep) epptr and globals_equiv st and valid_objs and valid_arch_state and valid_global_refs and pspace_distinct and pspace_aligned and valid_global_objs and (\s. sym_refs (state_refs_of s)) and valid_idle" @@ -1859,7 +1859,7 @@ lemma receive_ipc_globals_equiv: setup_caller_cap_globals_equiv dxo_wp_weak as_user_globals_equiv | wpc | simp split del: if_split)+ - apply (rule hoare_strengthen_post[where Q= "\_. globals_equiv st and valid_arch_state + apply (rule hoare_strengthen_post[where Q'="\_. globals_equiv st and valid_arch_state and valid_global_objs"]) apply (wp do_ipc_transfer_globals_equiv as_user_globals_equiv) apply clarsimp 
@@ -2011,8 +2011,8 @@ lemma handle_fault_globals_equiv: \\_. globals_equiv st\" unfolding handle_fault_def apply (wp handle_double_fault_globals_equiv) - apply (rule_tac Q="\_. globals_equiv st and valid_arch_state" and - E="\_. globals_equiv st and valid_arch_state" in hoare_strengthen_postE) + apply (rule_tac Q'="\_. globals_equiv st and valid_arch_state" and + E'="\_. globals_equiv st and valid_arch_state" in hoare_strengthen_postE) apply (wp send_fault_ipc_globals_equiv | simp)+ done @@ -2034,7 +2034,7 @@ lemma do_reply_transfer_globals_equiv: apply (wp set_thread_state_globals_equiv cap_delete_one_globals_equiv do_ipc_transfer_globals_equiv thread_set_globals_equiv handle_fault_reply_globals_equiv dxo_wp_weak | wpc | simp split del: if_split)+ - apply (rule_tac Q="\_. globals_equiv st and valid_arch_state and valid_objs and valid_arch_state + apply (rule_tac Q'="\_. globals_equiv st and valid_arch_state and valid_objs and valid_arch_state and valid_global_refs and pspace_distinct and pspace_aligned and valid_global_objs and (\s. receiver \ idle_thread s) and valid_idle" @@ -2049,7 +2049,7 @@ lemma handle_reply_globals_equiv: \\_. globals_equiv st\" unfolding handle_reply_def apply (wp do_reply_transfer_globals_equiv | wpc)+ - apply (rule_tac Q="\_. globals_equiv st and valid_objs and valid_arch_state and valid_global_refs + apply (rule_tac Q'="\_. globals_equiv st and valid_objs and valid_arch_state and valid_global_refs and pspace_distinct and pspace_aligned and valid_global_objs and valid_idle" in hoare_strengthen_post) diff --git a/proof/infoflow/Noninterference.thy b/proof/infoflow/Noninterference.thy index 30267b9772..199b47364e 100644 --- a/proof/infoflow/Noninterference.thy +++ b/proof/infoflow/Noninterference.thy 
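Review bot: The new `Q'` postcondition in the do_reply_transfer_globals_equiv hunk (`@@ -2034,7 +2034,7`) lists `valid_arch_state` twice: `globals_equiv st and valid_arch_state and valid_objs and valid_arch_state and valid_global_refs ...`. Since the commit already rewrites this line for the rename, it is the natural moment to drop the duplicate conjunct; the instantiation should read `apply (rule_tac Q'="\_. globals_equiv st and valid_arch_state and valid_objs` with the second `valid_arch_state` removed. The duplicate is harmless for the proof but makes the postcondition harder to compare against the sibling `hoare_strengthen_post` instantiations in this file.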
@@ -462,11 +462,11 @@ lemma schedule_cur_domain: supply hoare_pre_cont[where f=next_domain, wp add] ethread_get_wp[wp del] if_split[split del] if_cong[cong] apply (simp add: schedule_def schedule_choose_new_thread_def | wp | wpc)+ - apply (rule_tac Q="\_. ?PRE" in hoare_strengthen_post) + apply (rule_tac Q'="\_. ?PRE" in hoare_strengthen_post) apply (simp | wp gts_wp | wp (once) hoare_drop_imps)+ - apply (rule_tac Q="\_. ?PRE" in hoare_strengthen_post) + apply (rule_tac Q'="\_. ?PRE" in hoare_strengthen_post) apply (simp | wp gts_wp | wp (once) hoare_drop_imps)+ - apply (rule_tac Q="\_. ?PRE" in hoare_strengthen_post) + apply (rule_tac Q'="\_. ?PRE" in hoare_strengthen_post) apply (simp | wp gts_wp | wp (once) hoare_drop_imps)+ apply (clarsimp split: if_split) done @@ -479,11 +479,11 @@ lemma schedule_domain_fields: supply hoare_pre_cont[where f=next_domain, wp add] ethread_get_wp[wp del] if_split[split del] if_cong[cong] apply (simp add: schedule_def schedule_choose_new_thread_def | wp | wpc)+ - apply (rule_tac Q="\_. ?PRE" in hoare_strengthen_post) + apply (rule_tac Q'="\_. ?PRE" in hoare_strengthen_post) apply (simp | wp gts_wp | wp (once) hoare_drop_imps)+ - apply (rule_tac Q="\_. ?PRE" in hoare_strengthen_post) + apply (rule_tac Q'="\_. ?PRE" in hoare_strengthen_post) apply (simp | wp gts_wp | wp (once) hoare_drop_imps)+ - apply (rule_tac Q="\_. ?PRE" in hoare_strengthen_post) + apply (rule_tac Q'="\_. ?PRE" in hoare_strengthen_post) apply (simp | wp gts_wp | wp (once) hoare_drop_imps)+ apply (clarsimp split: if_split) done 
@@ -495,7 +495,7 @@ lemma schedule_if_partitionIntegrity: schedule_if tc \\_. partitionIntegrity aag st\" apply (simp add: schedule_if_def) - apply (rule_tac Q="\rv s. integrity (aag\pasMayActivate := False, pasMayEditReadyQueues := False\) + apply (rule_tac Q'="\rv s. integrity (aag\pasMayActivate := False, pasMayEditReadyQueues := False\) (scheduler_affects_globals_frame st) st s \ domain_fields_equiv st s \ idle_thread s = idle_thread st \ globals_equiv_scheduler st s \ silc_dom_equiv aag st s" @@ -503,7 +503,7 @@ lemma schedule_if_partitionIntegrity: apply (wpsimp wp: activate_thread_integrity activate_thread_globals_equiv_scheduler silc_dom_equiv_from_silc_inv_valid'[where P="\"] schedule_integrity hoare_vcg_all_lift domain_fields_equiv_lift[where Q="\" and R="\"]) - apply (rule_tac Q="\r s. guarded_pas_domain aag s \ pas_cur_domain aag s \ + apply (rule_tac Q'="\r s. guarded_pas_domain aag s \ pas_cur_domain aag s \ domain_fields_equiv st s \ idle_thread s = idle_thread st \ globals_equiv_scheduler st s \ silc_inv aag st s \ silc_dom_equiv aag st s \ invs s" in hoare_strengthen_post) @@ -702,7 +702,7 @@ lemma kernel_entry_if_integrity: unfolding kernel_entry_if_def apply wp apply (rule valid_validE) - apply (rule_tac Q="\_ s. integrity aag X (st\kheap := + apply (rule_tac Q'="\_ s. integrity aag X (st\kheap := (kheap st)(cur_thread st \ TCB (tcb_arch_update (arch_tcb_context_set tc) (the (get_tcb (cur_thread st) st))))\) s \ is_subject aag (cur_thread s) 
@@ -737,7 +737,7 @@ lemma kernel_entry_if_partitionIntegrity: and guarded_pas_domain aag and (\s. ev \ Interrupt \ ct_active s) and (=) st\ kernel_entry_if ev tc \\_. partitionIntegrity (aag :: 'a subject_label PAS) st\" - apply (rule_tac Q="\rv s. (\X. integrity (aag\pasMayActivate := False, + apply (rule_tac Q'="\rv s. (\X. integrity (aag\pasMayActivate := False, pasMayEditReadyQueues := False\) X st s) \ domain_fields_equiv st s \ globals_equiv_scheduler st s \ idle_thread s = idle_thread st \ silc_dom_equiv aag st s" @@ -2330,7 +2330,7 @@ lemma schedule_if_reads_respects_g: and (\s. domain_time s > 0) and pas_refined pas) (schedule_if tc)" apply (simp add: schedule_if_def) apply (wp schedule_reads_respects_g activate_thread_reads_respects_g) - apply (rule_tac Q="\rv s. guarded_pas_domain pas s \ invs s \ pas_cur_domain pas s" + apply (rule_tac Q'="\rv s. guarded_pas_domain pas s \ invs s \ pas_cur_domain pas s" in hoare_strengthen_post) apply (wp schedule_guarded_pas_domain schedule_cur_domain | simp add: guarded_pas_domain_def diff --git a/proof/infoflow/RISCV64/ArchADT_IF.thy b/proof/infoflow/RISCV64/ArchADT_IF.thy index 5052a04576..98c0bdff7a 100644 --- a/proof/infoflow/RISCV64/ArchADT_IF.thy +++ b/proof/infoflow/RISCV64/ArchADT_IF.thy @@ -249,7 +249,7 @@ lemma invoke_tcb_irq_state_inv[ADT_IF_assms]: defer apply ((wp irq_state_inv_triv | simp)+)[2] apply (simp add: split_def cong: option.case_cong) - by (wp hoare_vcg_all_liftE_R hoare_vcg_all_lift hoare_vcg_const_imp_lift_R + by (wp hoare_vcg_all_liftE_R hoare_vcg_all_lift hoare_vcg_const_imp_liftE_R checked_cap_insert_domain_sep_inv cap_delete_deletes cap_delete_irq_state_inv[where st=st and sta=sta and irq=irq] cap_delete_irq_state_next[where st=st and sta=sta and irq=irq] diff --git a/proof/infoflow/RISCV64/ArchArch_IF.thy b/proof/infoflow/RISCV64/ArchArch_IF.thy index 1fbfeb01f2..7ac7890e19 100644 --- a/proof/infoflow/RISCV64/ArchArch_IF.thy +++ b/proof/infoflow/RISCV64/ArchArch_IF.thy 
@@ -394,7 +394,7 @@ lemma perform_page_invocation_reads_respects: mapM_ev'' store_pte_reads_respects unmap_page_reads_respects dmo_mol_2_reads_respects get_cap_rev set_mrs_reads_respects set_message_info_reads_respects | simp add: sfence_def - | wpc | wp (once) hoare_drop_imps[where R="\r s. r"])+ + | wpc | wp (once) hoare_drop_imps[where Q'="\r s. r"])+ apply (clarsimp simp: authorised_page_inv_def valid_page_inv_def) apply (auto simp: cte_wp_at_caps_of_state authorised_slots_def cap_links_asid_slot_def label_owns_asid_slot_def valid_arch_cap_def wellformed_mapdata_def @@ -425,8 +425,9 @@ lemma riscv_asid_table_update_reads_respects: apply (rule modify_ev2) apply clarsimp apply (drule (1) is_subject_kheap_eq[rotated]) - apply (auto simp: reads_equiv_def2 affects_equiv_def2 states_equiv_for_def equiv_for_def - intro!: equiv_asids_riscv_asid_table_update) + apply (fastforce simp: reads_equiv_def2 affects_equiv_def2 states_equiv_for_def equiv_for_def + intro!: equiv_asids_riscv_asid_table_update) + apply wpsimp done lemma perform_asid_control_invocation_reads_respects: @@ -471,7 +472,7 @@ lemma copy_global_mappings_valid_arch_state: unfolding copy_global_mappings_def including classic_wp_pre apply simp apply wp - apply (rule_tac Q="\_. valid_arch_state and valid_global_vspace_mappings and pspace_aligned + apply (rule_tac Q'="\_. valid_arch_state and valid_global_vspace_mappings and pspace_aligned and (\s. x \ global_refs s \ is_aligned x pt_bits)" in hoare_strengthen_post) apply (wp mapM_x_wp[OF _ subset_refl] @@ -769,7 +770,7 @@ lemma mapM_x_swp_store_pte_globals_equiv: and (\s. \x \ set slots. table_base x \ global_refs s)\ mapM_x (swp store_pte pte) slots \\_. globals_equiv s\" - apply (rule_tac Q="\_. pspace_aligned and globals_equiv s and valid_arch_state + apply (rule_tac Q'="\_. pspace_aligned and globals_equiv s and valid_arch_state and valid_global_vspace_mappings and (\s. \x \ set slots. table_base x \ global_refs s)" in hoare_strengthen_post) 
@@ -785,7 +786,7 @@ lemma mapM_x_swp_store_pte_valid_ko_at_arch[wp]: and (\s. \x \ set slots. table_base x \ global_refs s)\ mapM_x (swp store_pte A) slots \\_. valid_arch_state\" - apply (rule_tac Q="\_. pspace_aligned and valid_arch_state and valid_global_vspace_mappings + apply (rule_tac Q'="\_. pspace_aligned and valid_arch_state and valid_global_vspace_mappings and (\s. \x \ set slots. table_base x \ global_refs s)" in hoare_strengthen_post) apply (wp mapM_x_wp' store_pte_valid_arch_state_unreachable @@ -856,7 +857,7 @@ lemma mapM_swp_store_pte_globals_equiv: and (\s. \x \ set slots. table_base x \ global_refs s)\ mapM (swp store_pte pte) slots \\_. globals_equiv s\" - apply (rule_tac Q="\_. pspace_aligned and globals_equiv s and valid_arch_state + apply (rule_tac Q'="\_. pspace_aligned and globals_equiv s and valid_arch_state and valid_global_vspace_mappings and (\s. \x \ set slots. table_base x \ global_refs s)" in hoare_strengthen_post) @@ -872,7 +873,7 @@ lemma mapM_swp_store_pte_valid_ko_at_arch[wp]: and (\s. \x \ set slots. table_base x \ global_refs s)\ mapM (swp store_pte pte) slots \\_. valid_arch_state\" - apply (rule_tac Q="\_. pspace_aligned and globals_equiv s and valid_arch_state + apply (rule_tac Q'="\_. pspace_aligned and globals_equiv s and valid_arch_state and valid_global_vspace_mappings and (\s. \x \ set slots. table_base x \ global_refs s)" in hoare_strengthen_post) @@ -939,7 +940,7 @@ lemma set_mrs_globals_equiv: apply (simp add: zipWithM_x_mapM_x) apply (rule conjI) apply (rule impI) - apply (rule_tac Q="\_. globals_equiv s" in hoare_strengthen_post) + apply (rule_tac Q'="\_. globals_equiv s" in hoare_strengthen_post) apply (wp mapM_x_wp') apply (simp add: split_def) apply (wp store_word_offs_globals_equiv) 
@@ -1059,7 +1060,7 @@ lemma perform_asid_control_invocation_globals_equiv: (* factor out the implication -- we know what the relevant components of the cap referred to in the cte_wp_at are anyway from valid_aci, so just use those directly to simplify the reasoning later on *) - apply (rule_tac Q="\a b. globals_equiv s b \ invs b \ + apply (rule_tac Q'="\a b. globals_equiv s b \ invs b \ word1 \ riscv_global_pt (arch_state b) \ word1 \ idle_thread b \ (\idx. cte_wp_at ((=) (UntypedCap False word1 pageBits idx)) cslot_ptr2 b) \ descendants_of cslot_ptr2 (cdt b) = {} \ diff --git a/proof/infoflow/RISCV64/ArchFinalCaps.thy b/proof/infoflow/RISCV64/ArchFinalCaps.thy index 13c35a43af..a2557ae4c0 100644 --- a/proof/infoflow/RISCV64/ArchFinalCaps.thy +++ b/proof/infoflow/RISCV64/ArchFinalCaps.thy @@ -278,7 +278,7 @@ lemma invoke_tcb_silc_inv[FinalCaps_assms]: | clarsimp | simp only: conj_ac cong: conj_cong imp_cong | wp checked_insert_pas_refined checked_cap_insert_silc_inv hoare_vcg_all_liftE_R - hoare_vcg_all_lift hoare_vcg_const_imp_lift_R + hoare_vcg_all_lift hoare_vcg_const_imp_liftE_R cap_delete_silc_inv_not_transferable cap_delete_pas_refined' cap_delete_deletes cap_delete_valid_cap cap_delete_cte_at diff --git a/proof/infoflow/RISCV64/ArchIRQMasks_IF.thy b/proof/infoflow/RISCV64/ArchIRQMasks_IF.thy index 633311b23e..17cd0a26a7 100644 --- a/proof/infoflow/RISCV64/ArchIRQMasks_IF.thy +++ b/proof/infoflow/RISCV64/ArchIRQMasks_IF.thy 
@@ -135,16 +135,16 @@ lemma invoke_tcb_irq_masks[IRQMasks_IF_assms]: apply (rule hoare_strengthen_postE[OF cap_delete_irq_masks[where P=P]]) apply blast apply blast - apply (wpsimp wp: hoare_vcg_all_liftE_R hoare_vcg_const_imp_lift_R hoare_vcg_all_lift hoare_drop_imps + apply (wpsimp wp: hoare_vcg_all_liftE_R hoare_vcg_const_imp_liftE_R hoare_vcg_all_lift hoare_drop_imps checked_cap_insert_domain_sep_inv)+ - apply (rule_tac Q="\ r s. domain_sep_inv False st s \ P (irq_masks_of_state s)" - and E="\_ s. P (irq_masks_of_state s)" in hoare_strengthen_postE) + apply (rule_tac Q'="\ r s. domain_sep_inv False st s \ P (irq_masks_of_state s)" + and E'="\_ s. P (irq_masks_of_state s)" in hoare_strengthen_postE) apply (wp hoare_vcg_conj_liftE1 cap_delete_irq_masks) apply fastforce apply blast apply (wpsimp wp: hoare_weak_lift_imp hoare_vcg_all_lift checked_cap_insert_domain_sep_inv)+ - apply (rule_tac Q="\ r s. domain_sep_inv False st s \ P (irq_masks_of_state s)" - and E="\_ s. P (irq_masks_of_state s)" in hoare_strengthen_postE) + apply (rule_tac Q'="\ r s. domain_sep_inv False st s \ P (irq_masks_of_state s)" + and E'="\_ s. P (irq_masks_of_state s)" in hoare_strengthen_postE) apply (wp hoare_vcg_conj_liftE1 cap_delete_irq_masks) apply fastforce apply blast diff --git a/proof/infoflow/RISCV64/ArchIpc_IF.thy b/proof/infoflow/RISCV64/ArchIpc_IF.thy index 168462fd66..fa6af54cfa 100644 --- a/proof/infoflow/RISCV64/ArchIpc_IF.thy +++ b/proof/infoflow/RISCV64/ArchIpc_IF.thy @@ -381,7 +381,7 @@ lemma set_mrs_equiv_but_for_labels[Ipc_IF_assms]: unfolding set_mrs_def apply (wp | wpc)+ apply (subst zipWithM_x_mapM_x) - apply (rule_tac Q="\_. equiv_but_for_labels aag L st and K (pasObjectAbs aag thread \ L \ + apply (rule_tac Q'="\_. equiv_but_for_labels aag L st and K (pasObjectAbs aag thread \ L \ (case buf of (Some buf') \ is_aligned buf' msg_align_bits \ (\x \ ptr_range buf' msg_align_bits. pasObjectAbs aag x \ L) 
diff --git a/proof/infoflow/RISCV64/ArchNoninterference.thy b/proof/infoflow/RISCV64/ArchNoninterference.thy index 596e8a380d..c4fe4fc7a3 100644 --- a/proof/infoflow/RISCV64/ArchNoninterference.thy +++ b/proof/infoflow/RISCV64/ArchNoninterference.thy @@ -66,7 +66,7 @@ lemma do_user_op_if_partitionIntegrity[Noninterference_assms]: "\partitionIntegrity aag st and pas_refined aag and invs and is_subject aag \ cur_thread\ do_user_op_if tc uop \\_. partitionIntegrity aag st\" - apply (rule_tac Q="\rv s. integrity (aag\pasMayActivate := False, pasMayEditReadyQueues := False\) + apply (rule_tac Q'="\rv s. integrity (aag\pasMayActivate := False, pasMayEditReadyQueues := False\) (scheduler_affects_globals_frame st) st s \ domain_fields_equiv st s \ idle_thread s = idle_thread st \ globals_equiv_scheduler st s \ silc_dom_equiv aag st s" diff --git a/proof/infoflow/RISCV64/ArchRetype_IF.thy b/proof/infoflow/RISCV64/ArchRetype_IF.thy index c55d9673b5..13f9d1e402 100644 --- a/proof/infoflow/RISCV64/ArchRetype_IF.thy +++ b/proof/infoflow/RISCV64/ArchRetype_IF.thy @@ -154,7 +154,7 @@ lemma copy_global_mappings_reads_respects_g: apply clarsimp apply (rule bind_ev_pre) prefer 3 - apply (rule_tac Q="\s. is_subject aag x \ x \ riscv_global_pt (arch_state s) \ + apply (rule_tac P'="\s. is_subject aag x \ x \ riscv_global_pt (arch_state s) \ pspace_aligned s \ valid_global_arch_objs s" in hoare_weaken_pre) apply (rule gets_sp) apply (assumption) @@ -237,7 +237,7 @@ lemma copy_global_mappings_globals_equiv: unfolding copy_global_mappings_def including classic_wp_pre apply simp apply wp - apply (rule_tac Q="\_. globals_equiv s and (\s. x \ riscv_global_pt (arch_state s) \ + apply (rule_tac Q'="\_. globals_equiv s and (\s. x \ riscv_global_pt (arch_state s) \ is_aligned x pt_bits)" in hoare_strengthen_post) apply (wp mapM_x_wp[OF _ subset_refl] store_pte_globals_equiv) apply (simp only: pt_index_def) 
@@ -490,7 +490,7 @@ lemma invoke_untyped_reads_respects_g_wcap[Retype_IF_assms]: apply (wpsimp wp: mapM_x_ev'' create_cap_reads_respects_g hoare_vcg_ball_lift init_arch_objects_reads_respects_g)+ apply (wp retype_region_reads_respects_g[where sz=sz and slot="slot_of_untyped_inv ui"]) - apply (rule_tac Q="\rvc s. (\x\set rvc. is_subject aag x) \ + apply (rule_tac Q'="\rvc s. (\x\set rvc. is_subject aag x) \ (\x\set rvc. is_aligned x (obj_bits_api apiobject_type nat)) \ ((0::obj_ref) < of_nat (length list)) \ post_retype_invs apiobject_type rvc s \ @@ -529,8 +529,8 @@ lemma invoke_untyped_reads_respects_g_wcap[Retype_IF_assms]: apply (rule_tac P="authorised_untyped_inv aag ui \ (\p \ ptr_range ptr sz. is_subject aag p)" in hoare_gen_asmE) apply (rule validE_validE_R, - rule_tac E="\\" - and Q="\_. invs and valid_untyped_inv_wcap ui (Some (UntypedCap dev ptr sz (If reset 0 idx))) + rule_tac E'="\\" + and Q'="\_. invs and valid_untyped_inv_wcap ui (Some (UntypedCap dev ptr sz (If reset 0 idx))) and ct_active and (\s. reset \ pspace_no_overlap {ptr .. ptr + 2 ^ sz - 1} s)" in hoare_strengthen_postE) @@ -605,7 +605,7 @@ lemma reset_untyped_cap_globals_equiv: preemption_point_inv | simp add: unless_def)+ apply (rule valid_validE) apply (rule_tac P="cap_aligned cap \ is_untyped_cap cap" in hoare_gen_asm) - apply (rule_tac Q="\_ s. valid_global_objs s \ valid_arch_state s \ globals_equiv st s" + apply (rule_tac Q'="\_ s. valid_global_objs s \ valid_arch_state s \ globals_equiv st s" in hoare_strengthen_post) apply (rule validE_valid, rule mapME_x_wp') apply (rule hoare_pre) diff --git a/proof/infoflow/RISCV64/ArchScheduler_IF.thy b/proof/infoflow/RISCV64/ArchScheduler_IF.thy index bbb313c199..4f0741d388 100644 --- a/proof/infoflow/RISCV64/ArchScheduler_IF.thy +++ b/proof/infoflow/RISCV64/ArchScheduler_IF.thy 
@@ -173,7 +173,7 @@ lemma globals_equiv_scheduler_inv'[Scheduler_IF_assms]: apply (rule use_spec) apply (simp add: spec_valid_def) apply (erule_tac x="(swap_things sa s)" in allE) - apply (rule_tac Q="\r st. globals_equiv (swap_things sa s) st" in hoare_strengthen_post) + apply (rule_tac Q'="\r st. globals_equiv (swap_things sa s) st" in hoare_strengthen_post) apply (rule hoare_pre) apply assumption apply (clarsimp simp: globals_equiv_def swap_things_def globals_equiv_scheduler_def diff --git a/proof/infoflow/RISCV64/ArchTcb_IF.thy b/proof/infoflow/RISCV64/ArchTcb_IF.thy index 28494fcbfa..56830a0004 100644 --- a/proof/infoflow/RISCV64/ArchTcb_IF.thy +++ b/proof/infoflow/RISCV64/ArchTcb_IF.thy @@ -105,13 +105,13 @@ lemma invoke_tcb_thread_preservation[Tcb_IF_assms]: tcb_cap_always_valid_strg[where p="tcb_cnode_index (Suc 0)"] | simp add: conj_comms(1, 2) | rule wp_split_const_if wp_split_const_if_R hoare_vcg_all_liftE_R - hoare_vcg_E_elim hoare_vcg_const_imp_lift_R hoare_vcg_R_conj + hoare_vcg_conj_elimE hoare_vcg_const_imp_liftE_R hoare_vcg_conj_liftE_R | (wp check_cap_inv2[where Q="\_. pas_refined aag"] check_cap_inv2[where Q="\_ s. t \ idle_thread s"] out_invs_trivial case_option_wpE cap_delete_deletes cap_delete_valid_cap cap_insert_valid_cap out_cte_at cap_insert_cte_at cap_delete_cte_at out_valid_cap out_tcb_valid - hoare_vcg_const_imp_lift_R hoare_vcg_all_liftE_R + hoare_vcg_const_imp_liftE_R hoare_vcg_all_liftE_R thread_set_tcb_ipc_buffer_cap_cleared_invs thread_set_invs_trivial[OF ball_tcb_cap_casesI] hoare_vcg_all_lift thread_set_valid_cap out_emptyable 
@@ -151,7 +151,7 @@ lemma tc_reads_respects_f[Tcb_IF_assms]: (invoke_tcb ti)" apply (simp add: split_def cong: option.case_cong) apply (wpsimp wp: set_priority_reads_respects[THEN reads_respects_f[where st=st and Q=\]]) - apply (wpsimp wp: hoare_vcg_const_imp_lift_R simp: when_def | wpc)+ + apply (wpsimp wp: hoare_vcg_const_imp_liftE_R simp: when_def | wpc)+ apply (rule conjI) apply ((wpsimp wp: reschedule_required_reads_respects_f)+)[4] apply ((wp reads_respects_f[OF cap_insert_reads_respects, where st=st] @@ -179,7 +179,7 @@ lemma tc_reads_respects_f[Tcb_IF_assms]: set_mcpriority_only_timer_irq_inv[where st=st' and irq=irq] cap_delete_deletes cap_delete_valid_cap cap_delete_cte_at cap_delete_pas_refined' itr_wps(12) itr_wps(14) cap_insert_cte_at - checked_insert_no_cap_to hoare_vcg_const_imp_lift_R hoare_vcg_conj_lift + checked_insert_no_cap_to hoare_vcg_const_imp_liftE_R hoare_vcg_conj_lift as_user_reads_respects_f thread_set_mdb cap_delete_invs | wpc | simp add: emptyable_def tcb_cap_cases_def tcb_cap_valid_def @@ -210,7 +210,7 @@ lemma tc_reads_respects_f[Tcb_IF_assms]: set_mcpriority_only_timer_irq_inv[where st=st' and irq=irq] cap_delete_deletes cap_delete_valid_cap cap_delete_cte_at cap_delete_pas_refined' itr_wps(12) itr_wps(14) cap_insert_cte_at - checked_insert_no_cap_to hoare_vcg_const_imp_lift_R + checked_insert_no_cap_to hoare_vcg_const_imp_liftE_R as_user_reads_respects_f cap_delete_invs | wpc | simp add: emptyable_def tcb_cap_cases_def tcb_cap_valid_def when_def st_tcb_at_triv diff --git a/proof/infoflow/Syscall_IF.thy b/proof/infoflow/Syscall_IF.thy index ade7ea40bb..6260ef01db 100644 --- a/proof/infoflow/Syscall_IF.thy +++ b/proof/infoflow/Syscall_IF.thy 
@@ -705,10 +705,10 @@ lemma handle_recv_reads_respects_f: simp: aag_cap_auth_def cap_auth_conferred_def cap_rights_to_auth_def)[1] apply (wp reads_respects_f[OF handle_fault_reads_respects,where st=st]) apply (wpsimp wp: get_simple_ko_wp get_cap_wp)+ - apply (rule_tac Q="\r s. silc_inv aag st s \ einvs s \ pas_refined aag s \ + apply (rule_tac Q'="\r s. silc_inv aag st s \ einvs s \ pas_refined aag s \ tcb_at rv s \ pas_cur_domain aag s \ is_subject aag rv \ is_subject aag (cur_thread s) \ is_subject aag (fst (fst r))" - and E=E and F=E for E in hoare_strengthen_postE) + and E'=E and E=E for E in hoare_strengthen_postE) apply (wp lookup_slot_for_thread_authorised lookup_slot_for_thread_cap_fault) apply ((fastforce simp add:valid_fault_def)+)[3] apply (wp reads_respects_f[OF as_user_reads_respects,where st=st and Q=\]) @@ -723,16 +723,16 @@ lemma handle_recv_globals_equiv: unfolding handle_recv_def apply (wp handle_fault_globals_equiv get_simple_ko_wp | wpc | simp add: Let_def)+ - apply (rule_tac Q="\r s. invs s \ globals_equiv st s" and - E = "\r s. valid_fault (CapFault (of_bl ep_cptr) True r)" + apply (rule_tac Q'="\r s. invs s \ globals_equiv st s" and + E'="\r s. valid_fault (CapFault (of_bl ep_cptr) True r)" in hoare_strengthen_postE) - apply (rule hoare_vcg_E_elim) + apply (rule hoare_vcg_conj_elimE) apply (wp lookup_cap_cap_fault receive_ipc_globals_equiv receive_signal_globals_equiv delete_caller_cap_invs delete_caller_cap_globals_equiv | wpc | simp add: Let_def invs_imps invs_valid_idle valid_fault_def - | rule_tac Q="\rv s. invs s \ thread \ idle_thread s \ globals_equiv st s" + | rule_tac Q'="\rv s. invs s \ thread \ idle_thread s \ globals_equiv st s" in hoare_strengthen_post, wp, clarsimp simp: invs_valid_objs invs_valid_global_objs invs_arch_state invs_distinct)+ 
@@ -907,11 +907,11 @@ lemma handle_event_reads_respects_f_g: apply ((wp reads_respects_f_g'[OF handle_fault_reads_respects_g, where st=st] | simp)+)[1] prefer 2 apply (simp add: validE_E_def) - apply (rule_tac E="\r s. invs s \ is_subject aag rv \ is_subject aag (cur_thread s) + apply (rule_tac E'="\r s. invs s \ is_subject aag rv \ is_subject aag (cur_thread s) \ valid_fault r \ pas_refined aag s \ pas_cur_domain aag s \ silc_inv aag st s \ rv \ idle_thread s" - and Q="\\" in hoare_strengthen_postE) - apply (rule hoare_vcg_E_conj) + and Q'="\\" in hoare_strengthen_postE) + apply (rule hoare_vcg_conj_liftE_E) apply (wp hv_invs handle_vm_fault_silc_inv)+ apply (simp add: invs_imps invs_mdb invs_valid_idle)+ apply wp+ @@ -987,8 +987,8 @@ lemma handle_invocation_globals_equiv: set_thread_state_globals_equiv hoare_vcg_all_lift | simp split del: if_split | wp (once) hoare_drop_imps)+ - apply (rule_tac Q="\r. invs and globals_equiv st and (\s. thread \ idle_thread s)" - and E="\_. globals_equiv st" in hoare_strengthen_postE) + apply (rule_tac Q'="\r. invs and globals_equiv st and (\s. thread \ idle_thread s)" + and E'="\_. globals_equiv st" in hoare_strengthen_postE) apply (wp pinv_invs perform_invocation_globals_equiv requiv_get_tcb_eq' set_thread_state_globals_equiv sts_authorised_for_globals_inv diff --git a/proof/infoflow/Tcb_IF.thy b/proof/infoflow/Tcb_IF.thy index d59af1f5b9..16cfd1f855 100644 --- a/proof/infoflow/Tcb_IF.thy +++ b/proof/infoflow/Tcb_IF.thy @@ -165,11 +165,11 @@ lemma rec_del_preservation2: rec_del call \\r. P\" apply (insert assms) - apply (rule_tac Q="\s. invs s \ P s \ Q s + apply (rule_tac P'="\s. invs s \ P s \ Q s \ emptyable (slot_rdcall call) s \ valid_rec_del_call call s" in hoare_pre_imp) apply simp - apply (rule_tac Q="\rv s. P s \ Q s" in hoare_strengthen_post) + apply (rule_tac Q'="\rv s. P s \ Q s" in hoare_strengthen_post) apply (rule validE_valid) apply (rule use_spec) apply (rule rec_del_preservation2' [where R=R],simp+) 
@@ -306,7 +306,7 @@ lemma invoke_tcb_globals_equiv: | clarsimp simp: no_cap_to_idle_thread)+\)?) apply wpsimp apply (rename_tac word1 word2 bool1 bool2 bool3 bool4 arch_copy_register_sets) - apply (rule_tac Q="\_. valid_arch_state and globals_equiv st and + apply (rule_tac Q'="\_. valid_arch_state and globals_equiv st and (\s. word1 \ idle_thread s) and (\s. word2 \ idle_thread s)" in hoare_strengthen_post) apply (wpsimp wp: mapM_x_wp' as_user_globals_equiv invoke_tcb_NotificationControl_globals_equiv @@ -500,7 +500,7 @@ lemma invoke_tcb_reads_respects_f: apply (strengthen invs_mdb | wpsimp wp: when_ev restart_reads_respects_f reschedule_required_reads_respects_f as_user_reads_respects_f restart_silc_inv restart_pas_refined hoare_vcg_if_lift)+ - apply (rule hoare_strengthen_post[where Q="\_ s. \rv. R rv s" and R=R for R, rotated]) + apply (rule hoare_strengthen_post[where Q'="\_ s. \rv. Q rv s" and Q=Q for Q, rotated]) apply (rename_tac rv s) apply (erule_tac x=rv in allE, assumption) apply wpsimp+ @@ -518,7 +518,7 @@ lemma invoke_tcb_reads_respects_f: restart_silc_inv restart_pas_refined | simp split del: if_split add: det_setRegister det_setNextPC | strengthen invs_mdb - | (rule hoare_strengthen_post[where Q="\_. silc_inv aag st and pas_refined aag + | (rule hoare_strengthen_post[where Q'="\_. silc_inv aag st and pas_refined aag and pspace_aligned and valid_vspace_objs and valid_arch_state", diff --git a/proof/infoflow/refine/ADT_IF_Refine.thy b/proof/infoflow/refine/ADT_IF_Refine.thy index b2e8811faf..efd3b4a376 100644 --- a/proof/infoflow/refine/ADT_IF_Refine.thy +++ b/proof/infoflow/refine/ADT_IF_Refine.thy 
@@ -132,7 +132,7 @@ lemma kernel_entry_if_valid_domain_time: apply (wp handle_interrupt_valid_domain_time | clarsimp | wpc)+ \ \strengthen post of do_machine_op; we know interrupt occurred\ - apply (rule_tac Q="\_ s. 0 < domain_time s" in hoare_post_imp, fastforce) + apply (rule_tac Q'="\_ s. 0 < domain_time s" in hoare_post_imp, fastforce) apply (wp+, simp) done @@ -362,7 +362,7 @@ lemma doUserOp_if_ex_abs[wp]: \\_. ex_abs (einvs)\" apply (rule hoare_pre) apply (rule corres_ex_abs_lift'[OF do_user_op_if_corres']) - apply (rule_tac Q="\a. invs and ct_running and valid_list and valid_sched" in hoare_strengthen_post) + apply (rule_tac Q'="\a. invs and ct_running and valid_list and valid_sched" in hoare_strengthen_post) apply (wp do_user_op_if_invs) apply clarsimp apply (clarsimp simp: ex_abs_def) @@ -433,7 +433,7 @@ lemma handle_preemption_if_valid_domain_time: unfolding handle_preemption_if_def apply (rule hoare_pre) apply (wp handle_interrupt_valid_domain_time) - apply (rule_tac Q="\_ s. 0 < domain_time s" in hoare_post_imp, fastforce) + apply (rule_tac Q'="\_ s. 0 < domain_time s" in hoare_post_imp, fastforce) apply (wp, simp) done @@ -772,7 +772,7 @@ lemma abstract_invs: apply (rule preserves_lifts | wp check_active_irq_if_wp do_user_op_if_invs | clarsimp simp add: full_invs_if_def)+ - apply (rule_tac Q="\r s'. (invs and ct_running) s' \ + apply (rule_tac Q'="\r s'. (invs and ct_running) s' \ valid_list s' \ valid_sched s' \ scheduler_action s' = resume_cur_thread \ valid_domain_list s' \ @@ -782,7 +782,7 @@ lemma abstract_invs: apply clarsimp+ apply (rule preserves_lifts) apply (simp add: full_invs_if_def) - apply (rule_tac Q="\r s'. (invs and ct_running) s' \ + apply (rule_tac Q'="\r s'. (invs and ct_running) s' \ valid_list s' \ valid_domain_list s' \ domain_time s' \ 0 \ diff --git a/proof/infoflow/refine/ADT_IF_Refine_C.thy b/proof/infoflow/refine/ADT_IF_Refine_C.thy index 0825f25e61..0858d60809 100644 --- a/proof/infoflow/refine/ADT_IF_Refine_C.thy 
+++ b/proof/infoflow/refine/ADT_IF_Refine_C.thy @@ -197,7 +197,7 @@ lemma handleEvent_Interrupt_no_fail: "no_fail (invs' and ex_abs einvs) (handleEv apply wp apply (rule handleInterrupt_no_fail) apply (simp add: crunch_simps) - apply (rule_tac Q="\r s. ex_abs (einvs) s \ invs' s \ + apply (rule_tac Q'="\r s. ex_abs (einvs) s \ invs' s \ (\irq. r = Some irq \ intStateIRQTable (ksInterruptState s) irq \ irqstate.IRQInactive)" in hoare_strengthen_post) @@ -269,7 +269,7 @@ lemma handleEvent_ccorres: apply wp[1] apply clarsimp apply wp - apply (rule_tac Q="\rv s. ct_in_state' simple' s \ sch_act_sane s" + apply (rule_tac Q'="\rv s. ct_in_state' simple' s \ sch_act_sane s" in hoare_post_imp) apply (simp add: ct_in_state'_def) apply (wp handleReply_sane) @@ -510,7 +510,7 @@ lemma schedule_if_corres_C: apply simp apply simp apply (rule wp_post_taut)+ - apply (rule_tac Q="\r. ct_in_state' activatable' and invs' and + apply (rule_tac Q'="\r. ct_in_state' activatable' and invs' and ex_abs (invs and ct_in_state activatable)" in hoare_strengthen_post) apply (wp schedule_invs' corres_ex_abs_lift) apply (rule schedule_corres) diff --git a/proof/infoflow/refine/ARM/ArchADT_IF_Refine_C.thy b/proof/infoflow/refine/ARM/ArchADT_IF_Refine_C.thy index 9feaab8189..c81cd92068 100644 --- a/proof/infoflow/refine/ARM/ArchADT_IF_Refine_C.thy +++ b/proof/infoflow/refine/ARM/ArchADT_IF_Refine_C.thy @@ -38,7 +38,7 @@ proof - apply (rule allI, rule conseqPre, vcg) apply (clarsimp simp: return_def) apply wp - apply (rule_tac Q="\rv s. invs' s \ (\x. rv = Some x \ x \ maxIRQ)" in hoare_post_imp) + apply (rule_tac Q'="\rv s. invs' s \ (\x. rv = Some x \ x \ maxIRQ)" in hoare_post_imp) apply (solves clarsimp) apply (wp getActiveIRQ_le_maxIRQ | simp)+ apply (clarsimp simp: invs'_def valid_state'_def) diff --git a/proof/infoflow/refine/RISCV64/ArchADT_IF_Refine_C.thy b/proof/infoflow/refine/RISCV64/ArchADT_IF_Refine_C.thy index 62a5a61064..d4d0dea8da 100644 
--- a/proof/infoflow/refine/RISCV64/ArchADT_IF_Refine_C.thy +++ b/proof/infoflow/refine/RISCV64/ArchADT_IF_Refine_C.thy @@ -38,7 +38,7 @@ proof - apply (rule allI, rule conseqPre, vcg) apply (clarsimp simp: return_def) apply wp - apply (rule_tac Q="\rv s. invs' s \ (\x. rv = Some x \ x \ maxIRQ)" in hoare_post_imp) + apply (rule_tac Q'="\rv s. invs' s \ (\x. rv = Some x \ x \ maxIRQ)" in hoare_post_imp) apply (clarsimp simp: non_kernel_IRQs_def) apply (wp getActiveIRQ_le_maxIRQ | simp)+ apply (clarsimp simp: invs'_def valid_state'_def) diff --git a/proof/invariant-abstract/AARCH64/ArchArch_AI.thy b/proof/invariant-abstract/AARCH64/ArchArch_AI.thy index fd3250c002..ab1bdbbdd6 100644 --- a/proof/invariant-abstract/AARCH64/ArchArch_AI.thy +++ b/proof/invariant-abstract/AARCH64/ArchArch_AI.thy @@ -932,7 +932,7 @@ lemma associate_vcpu_tcb_sym_refs_hyp[wp]: obj_at (\ko. hyp_refs_of ko = {} ) t s \ sym_refs (state_hyp_refs_of s)" in hoare_triv) - apply (rule_tac Q="\rv s. obj_at (\ko. hyp_refs_of ko = {} ) vr s \ + apply (rule_tac Q'="\rv s. obj_at (\ko. hyp_refs_of ko = {} ) vr s \ obj_at (\ko. hyp_refs_of ko = {} ) t s \ sym_refs (state_hyp_refs_of s)" in hoare_post_imp) @@ -945,7 +945,7 @@ lemma associate_vcpu_tcb_sym_refs_hyp[wp]: apply (wp | wpc | clarsimp)+ apply (simp add: obj_at_def vcpu_tcb_refs_def) apply (wp get_vcpu_ko | wpc | clarsimp)+ - apply (rule_tac Q="\rv s. (\t'. obj_at (\tcb. tcb = TCB t' \ rv = tcb_vcpu (tcb_arch t')) t s) \ + apply (rule_tac Q'="\rv s. (\t'. obj_at (\tcb. tcb = TCB t' \ rv = tcb_vcpu (tcb_arch t')) t s) \ sym_refs (state_hyp_refs_of s)" in hoare_post_imp) apply (clarsimp simp: obj_at_def) 
@@ -1137,7 +1137,7 @@ lemma associate_vcpu_tcb_valid_arch_state[wp]: supply fun_upd_apply[simp del] apply (clarsimp simp: associate_vcpu_tcb_def) apply (wpsimp wp: vcpu_switch_valid_arch) - apply (rule_tac Q="\_ s. valid_arch_state s \ vcpu_hyp_live_of s vcpu" in hoare_post_imp) + apply (rule_tac Q'="\_ s. valid_arch_state s \ vcpu_hyp_live_of s vcpu" in hoare_post_imp) apply fastforce apply wpsimp+ done diff --git a/proof/invariant-abstract/AARCH64/ArchCNodeInv_AI.thy b/proof/invariant-abstract/AARCH64/ArchCNodeInv_AI.thy index 88b4688206..04467df833 100644 --- a/proof/invariant-abstract/AARCH64/ArchCNodeInv_AI.thy +++ b/proof/invariant-abstract/AARCH64/ArchCNodeInv_AI.thy @@ -714,7 +714,7 @@ next apply simp apply (rule hoare_pre_spec_validE) apply (wp replace_cap_invs | simp add: is_cap_simps)+ - apply (rule_tac Q="\rv s. Q s \ invs s \ cte_wp_at (\cap. cap = rv) slot s + apply (rule_tac Q'="\rv s. Q s \ invs s \ cte_wp_at (\cap. cap = rv) slot s \ cte_wp_at (\cap. cap = cap.NullCap \ \ False \ is_zombie cap \ (ptr, nat_to_cref (zombie_cte_bits bits) n) diff --git a/proof/invariant-abstract/AARCH64/ArchDetSchedDomainTime_AI.thy b/proof/invariant-abstract/AARCH64/ArchDetSchedDomainTime_AI.thy index 6aa3188668..949773c328 100644 --- a/proof/invariant-abstract/AARCH64/ArchDetSchedDomainTime_AI.thy +++ b/proof/invariant-abstract/AARCH64/ArchDetSchedDomainTime_AI.thy @@ -76,7 +76,7 @@ lemma vgic_maintenance_valid_domain_time: "\\s. 0 < domain_time s\ vgic_maintenance \\y s. domain_time s = 0 \ scheduler_action s = choose_new_thread\" unfolding vgic_maintenance_def - apply (rule hoare_strengthen_post [where Q="\_ s. 0 < domain_time s"]) + apply (rule hoare_strengthen_post[where Q'="\_ s. 0 < domain_time s"]) apply (wpsimp wp: handle_fault_domain_time_inv hoare_drop_imps) apply clarsimp done 
@@ -85,7 +85,7 @@ lemma vppi_event_valid_domain_time: "\\s :: det_ext state. 0 < domain_time s\ vppi_event irq \\y s. domain_time s = 0 \ scheduler_action s = choose_new_thread\" unfolding vppi_event_def - apply (rule hoare_strengthen_post [where Q="\_ s. 0 < domain_time s"]) + apply (rule hoare_strengthen_post[where Q'="\_ s. 0 < domain_time s"]) apply (wpsimp wp: handle_fault_domain_time_inv hoare_drop_imps) apply clarsimp done @@ -112,8 +112,8 @@ lemma timer_tick_valid_domain_time: wp: reschedule_required_valid_domain_time hoare_vcg_const_imp_lift gts_wp (* unless we hit dec_domain_time we know ?dtnot0 holds on the state, so clean up the postcondition once we hit thread_set_time_slice *) - hoare_post_imp[where Q="\_. ?dtnot0" and R="\_ s. domain_time s = 0 \ X s" - and a="thread_set_time_slice t ts" for X t ts] + hoare_post_imp[where Q'="\_. ?dtnot0" and Q="\_ s. domain_time s = 0 \ X s" + and f="thread_set_time_slice t ts" for X t ts] hoare_drop_imp[where f="ethread_get t f" for t f]) apply fastforce done 
@@ -128,15 +128,15 @@ lemma handle_interrupt_valid_domain_time [DetSchedDomainTime_AI_assms]: apply (case_tac "maxIRQ < i", solves \wpsimp wp: hoare_false_imp\) apply clarsimp apply (wpsimp simp: arch_mask_irq_signal_def) - apply (rule hoare_post_imp[where Q="\_. ?dtnot0" and a="send_signal p c" for p c], fastforce) + apply (rule hoare_post_imp[where Q'="\_. ?dtnot0" and f="send_signal p c" for p c], fastforce) apply wpsimp - apply (rule hoare_post_imp[where Q="\_. ?dtnot0" and a="get_cap p" for p], fastforce) + apply (rule hoare_post_imp[where Q'="\_. ?dtnot0" and f="get_cap p" for p], fastforce) apply (wpsimp wp: timer_tick_valid_domain_time simp: handle_reserved_irq_def)+ - apply (rule hoare_post_imp[where Q="\_. ?dtnot0" and a="vppi_event i" for i], fastforce) + apply (rule hoare_post_imp[where Q'="\_. ?dtnot0" and f="vppi_event i" for i], fastforce) apply wpsimp+ - apply (rule hoare_post_imp[where Q="\_. ?dtnot0" and a="vgic_maintenance"], fastforce) + apply (rule hoare_post_imp[where Q'="\_. ?dtnot0" and f="vgic_maintenance"], fastforce) apply wpsimp+ - apply (rule hoare_post_imp[where Q="\_. ?dtnot0" and a="get_irq_state i" for i], fastforce) + apply (rule hoare_post_imp[where Q'="\_. ?dtnot0" and f="get_irq_state i" for i], fastforce) apply wpsimp+ done diff --git a/proof/invariant-abstract/AARCH64/ArchDetype_AI.thy b/proof/invariant-abstract/AARCH64/ArchDetype_AI.thy index 899b51d9d1..f448888f1d 100644 --- a/proof/invariant-abstract/AARCH64/ArchDetype_AI.thy +++ b/proof/invariant-abstract/AARCH64/ArchDetype_AI.thy 
@@ -645,7 +645,7 @@ lemma delete_objects_invs[wp]: apply (simp add: delete_objects_def) apply (simp add: freeMemory_def word_size_def bind_assoc) apply (rule hoare_pre) - apply (rule_tac G="is_aligned ptr bits \ word_size_bits \ bits \ bits \ word_bits" + apply (rule_tac P'="is_aligned ptr bits \ word_size_bits \ bits \ bits \ word_bits" in hoare_grab_asm) apply (simp add: mapM_storeWord_clear_um[unfolded word_size_def] intvl_range_conv[where 'a=machine_word_len, folded word_bits_def]) diff --git a/proof/invariant-abstract/AARCH64/ArchFinalise_AI.thy b/proof/invariant-abstract/AARCH64/ArchFinalise_AI.thy index d88a0c209a..91241010b0 100644 --- a/proof/invariant-abstract/AARCH64/ArchFinalise_AI.thy +++ b/proof/invariant-abstract/AARCH64/ArchFinalise_AI.thy @@ -115,7 +115,7 @@ lemma delete_asid_pool_invs[wp]: apply wpsimp apply (strengthen invs_arm_asid_table_unmap) apply (rename_tac table pool) - apply (rule_tac Q="\_ s. (invs s \ is_aligned base asid_low_bits \ table = asid_table s \ + apply (rule_tac Q'="\_ s. (invs s \ is_aligned base asid_low_bits \ table = asid_table s \ (\ap. asid_pools_of s pptr = Some ap \ (\asid_low. ap asid_low \ None \ pool asid_low \ None))) \ (\x \ set [0 .e. mask asid_low_bits]. @@ -782,7 +782,7 @@ lemma dissociate_vcpu_tcb_sym_refs_hyp[wp]: "\\s. sym_refs (state_hyp_refs_of s)\ dissociate_vcpu_tcb vr t \\rv s. sym_refs (state_hyp_refs_of s)\" apply (simp add: dissociate_vcpu_tcb_def arch_get_sanitise_register_info_def) apply (wp arch_thread_set_wp set_vcpu_wp) - apply (rule_tac Q="\_ s. obj_at (\ko. \tcb. ko = TCB tcb \ tcb_vcpu (tcb_arch tcb) = Some vr) t s + apply (rule_tac Q'="\_ s. obj_at (\ko. \tcb. ko = TCB tcb \ tcb_vcpu (tcb_arch tcb) = Some vr) t s \ sym_refs (state_hyp_refs_of s)" in hoare_post_imp) apply clarsimp apply (clarsimp simp: get_tcb_Some_ko_at obj_at_def sym_refs_vcpu_None split: if_splits) 
@@ -1127,7 +1127,7 @@ lemma arch_finalise_cap_vcpu: notes simps = replaceable_def is_cap_simps vs_cap_ref_def no_cap_to_obj_with_diff_ref_Null o_def - notes wps = hoare_drop_imp[where R="%_. is_final_cap' cap" for cap] + notes wps = hoare_drop_imp[where Q'="%_. is_final_cap' cap" for cap] valid_cap_typ shows "cap = VCPUCap r \ \\s. s \ cap.ArchObjectCap cap \ @@ -1324,7 +1324,7 @@ lemma delete_asid_no_vs_lookup_target_no_vspace: \\rv s. vs_lookup_target level asid vref s \ Some (level, pt)\" unfolding delete_asid_def (* We know we are in the case where delete_asid does not do anything *) - apply (wpsimp wp: when_wp[where Q="\_. False", simplified]) + apply (wpsimp wp: when_wp[where P'="\_. False", simplified]) apply (rule conjI, fastforce simp: vs_lookup_target_def vs_lookup_slot_def vs_lookup_table_def) (* pool_for_asid asid s \ None *) apply clarsimp @@ -1370,7 +1370,7 @@ lemma arch_finalise_cap_replaceable: is_cap_simps vs_cap_ref_def no_cap_to_obj_with_diff_ref_Null o_def reachable_frame_cap_simps - notes wps = hoare_drop_imp[where R="%_. is_final_cap' cap" for cap] + notes wps = hoare_drop_imp[where Q'="%_. is_final_cap' cap" for cap] valid_cap_typ unmap_page_unreachable unmap_page_table_unreachable delete_asid_unreachable vcpu_finalise_unlive[simplified o_def] @@ -1484,7 +1484,7 @@ lemma prepare_thread_delete_unlive0: lemma prepare_thread_delete_unlive[wp]: "\obj_at (Not \ live0) ptr\ prepare_thread_delete ptr \\rv. obj_at (Not \ live) ptr\" - apply (rule_tac Q="\rv. obj_at (Not \ live0) ptr and obj_at (Not \ hyp_live) ptr" in hoare_strengthen_post) + apply (rule_tac Q'="\rv. obj_at (Not \ live0) ptr and obj_at (Not \ hyp_live) ptr" in hoare_strengthen_post) apply (wpsimp wp: hoare_vcg_conj_lift prepare_thread_delete_unlive_hyp prepare_thread_delete_unlive0) apply (clarsimp simp: obj_at_def) apply (clarsimp simp: obj_at_def, case_tac ko, simp_all add: is_tcb_def live_def) 
diff --git a/proof/invariant-abstract/AARCH64/ArchInterrupt_AI.thy b/proof/invariant-abstract/AARCH64/ArchInterrupt_AI.thy index 9870475204..4ef745e647 100644 --- a/proof/invariant-abstract/AARCH64/ArchInterrupt_AI.thy +++ b/proof/invariant-abstract/AARCH64/ArchInterrupt_AI.thy @@ -146,7 +146,7 @@ lemma invoke_irq_handler_invs'[Interrupt_AI_asms]: apply (wp valid_cap_typ [OF cap_delete_one_typ_at]) apply (strengthen real_cte_tcb_valid) apply (wp real_cte_at_typ_valid [OF cap_delete_one_typ_at]) - apply (rule_tac Q="\rv s. is_ntfn_cap cap \ invs s + apply (rule_tac Q'="\rv s. is_ntfn_cap cap \ invs s \ cte_wp_at (is_derived (cdt s) prod cap) prod s" in hoare_post_imp) apply (clarsimp simp: is_cap_simps is_derived_def cte_wp_at_caps_of_state) @@ -277,7 +277,7 @@ lemma (* handle_interrupt_invs *) [Interrupt_AI_asms]: apply (wpsimp wp: dmo_maskInterrupt_invs maskInterrupt_invs_ARCH dmo_ackInterrupt send_signal_interrupt_states simp: arch_mask_irq_signal_def)+ apply (wp get_cap_wp send_signal_interrupt_states ) - apply (rule_tac Q="\rv. invs and (\s. st = interrupt_states s irq)" in hoare_post_imp) + apply (rule_tac Q'="\rv. invs and (\s. st = interrupt_states s irq)" in hoare_post_imp) apply (clarsimp simp: ex_nonz_cap_to_def invs_valid_objs) apply (intro allI exI, erule cte_wp_at_weakenE) apply (clarsimp simp: is_cap_simps) diff --git a/proof/invariant-abstract/AARCH64/ArchIpc_AI.thy b/proof/invariant-abstract/AARCH64/ArchIpc_AI.thy index 5849d6e007..448c7690d0 100644 --- a/proof/invariant-abstract/AARCH64/ArchIpc_AI.thy +++ b/proof/invariant-abstract/AARCH64/ArchIpc_AI.thy 
@@ -56,8 +56,7 @@ lemma derive_cap_is_derived [Ipc_AI_assms]:
 | fold validE_R_def
 | erule cte_wp_at_weakenE
 | simp split: cap.split_asm)+)[11]
- including no_pre
- apply(rule hoare_pre, wp hoare_drop_imps arch_derive_cap_is_derived)
+ apply(wp hoare_drop_imps arch_derive_cap_is_derived)
 apply(clarify, drule cte_wp_at_norm, clarify)
 apply(frule(1) cte_wp_at_valid_objs_valid_cap)
 apply(erule cte_wp_at_weakenE)
@@ -288,7 +287,7 @@ lemma transfer_caps_tcb_caps:
 | wpc | simp)+
 apply (erule imp)
 apply (wp hoare_vcg_conj_lift hoare_vcg_const_imp_lift hoare_vcg_all_lift)
- apply (rule_tac Q = "\rv s. (\x\set rv. real_cte_at x s) \ cte_wp_at P (t, ref) s \ tcb_at t s"
+ apply (rule_tac Q'="\rv s. (\x\set rv. real_cte_at x s) \ cte_wp_at P (t, ref) s \ tcb_at t s"
 in hoare_strengthen_post)
 apply (wp get_rs_real_cte_at)
 apply clarsimp
@@ -312,7 +311,7 @@ lemma transfer_caps_non_null_cte_wp_at:
 apply (wp hoare_vcg_ball_lift transfer_caps_loop_cte_wp_at hoare_weak_lift_imp | wpc | clarsimp simp:imp)+
 apply (rule hoare_strengthen_post
- [where Q="\rv s'. (cte_wp_at ((\) cap.NullCap) ptr) s'
+ [where Q'="\rv s'. (cte_wp_at ((\) cap.NullCap) ptr) s'
 \ (\x\set rv. cte_wp_at ((=) cap.NullCap) x s')", rotated])
 apply (clarsimp)
diff --git a/proof/invariant-abstract/AARCH64/ArchSchedule_AI.thy b/proof/invariant-abstract/AARCH64/ArchSchedule_AI.thy
index 8459bf26ad..b482dcb70f 100644
--- a/proof/invariant-abstract/AARCH64/ArchSchedule_AI.thy
+++ b/proof/invariant-abstract/AARCH64/ArchSchedule_AI.thy
@@ -93,7 +93,7 @@ lemma stt_invs [wp,Schedule_AI_asms]:
 apply (simp add: switch_to_thread_def)
 apply wp
 apply (simp add: trans_state_update[symmetric] del: trans_state_update)
- apply (rule_tac Q="\_. invs and tcb_at t'" in hoare_strengthen_post, wp)
+ apply (rule_tac Q'="\_. invs and tcb_at t'" in hoare_strengthen_post, wp)
 apply (clarsimp simp: invs_def valid_state_def valid_idle_def valid_irq_node_def valid_machine_state_def)
 apply (fastforce simp: cur_tcb_def obj_at_def
diff --git a/proof/invariant-abstract/AARCH64/ArchTcb_AI.thy b/proof/invariant-abstract/AARCH64/ArchTcb_AI.thy
index cdc20b542b..70765d9317 100644
--- a/proof/invariant-abstract/AARCH64/ArchTcb_AI.thy
+++ b/proof/invariant-abstract/AARCH64/ArchTcb_AI.thy
@@ -242,12 +242,12 @@ lemma tc_invs[Tcb_AI_asms]:
 strengthen imp_consequent[where Q="x = None" for x], simp cong: conj_cong)
 | rule wp_split_const_if wp_split_const_if_R hoare_vcg_all_liftE_R
- hoare_vcg_E_elim hoare_vcg_const_imp_lift_R
- hoare_vcg_R_conj
+ hoare_vcg_conj_elimE hoare_vcg_const_imp_liftE_R
+ hoare_vcg_conj_liftE_R
 | (wp out_invs_trivial case_option_wpE cap_delete_deletes cap_delete_valid_cap cap_insert_valid_cap out_cte_at cap_insert_cte_at cap_delete_cte_at out_valid_cap
- hoare_vcg_const_imp_lift_R hoare_vcg_all_liftE_R
+ hoare_vcg_const_imp_liftE_R hoare_vcg_all_liftE_R
 thread_set_tcb_ipc_buffer_cap_cleared_invs thread_set_invs_trivial[OF ball_tcb_cap_casesI] hoare_vcg_all_lift thread_set_valid_cap out_emptyable
diff --git a/proof/invariant-abstract/AARCH64/ArchVCPU_AI.thy b/proof/invariant-abstract/AARCH64/ArchVCPU_AI.thy
index fd22fa7196..85de8526a7 100644
--- a/proof/invariant-abstract/AARCH64/ArchVCPU_AI.thy
+++ b/proof/invariant-abstract/AARCH64/ArchVCPU_AI.thy
@@ -211,7 +211,7 @@ lemma associate_vcpu_tcb_valid_cur_vcpu:
 apply (wpsimp wp: hoare_vcg_imp_lift')
 apply (wpsimp wp: arch_thread_set_wp)
 apply (wpsimp wp: arch_thread_set_wp)
- apply (rule_tac Q="\_ s. valid_cur_vcpu s \ sym_refs (state_hyp_refs_of s)" in hoare_post_imp)
+ apply (rule_tac Q'="\_ s. valid_cur_vcpu s \ sym_refs (state_hyp_refs_of s)" in hoare_post_imp)
 apply (clarsimp simp: pred_tcb_at_def obj_at_def valid_cur_vcpu_def active_cur_vcpu_of_def)
 by (wpsimp wp: get_vcpu_wp hoare_drop_imps)+
@@ -448,7 +448,7 @@ lemma rec_del_valid_cur_vcpu[wp]:
 rec_del call
 \\_. valid_cur_vcpu\"
 (is "\?pre\ _ \_\")
- apply (rule_tac Q="\_. ?pre" in hoare_post_imp, fastforce)
+ apply (rule_tac Q'="\_. ?pre" in hoare_post_imp, fastforce)
 by (rule rec_del_preservation; wpsimp)
 crunch cap_delete
@@ -459,7 +459,7 @@ lemma cap_revoke_valid_cur_vcpu[wp]:
 cap_revoke slot
 \\_. valid_cur_vcpu\"
 (is "\?pre\ _ \_\")
- apply (rule_tac Q="\_. ?pre" in hoare_post_imp, fastforce)
+ apply (rule_tac Q'="\_. ?pre" in hoare_post_imp, fastforce)
 by (wpsimp wp: cap_revoke_preservation)
 crunch cancel_badged_sends, invoke_irq_control, invoke_irq_handler
diff --git a/proof/invariant-abstract/ARM/ArchArch_AI.thy b/proof/invariant-abstract/ARM/ArchArch_AI.thy
index 6de41f7193..7533ce0475 100644
--- a/proof/invariant-abstract/ARM/ArchArch_AI.thy
+++ b/proof/invariant-abstract/ARM/ArchArch_AI.thy
@@ -1237,9 +1237,9 @@ lemma find_pd_for_asid_lookup_pd_wp:
 "\ \s. valid_vspace_objs s \ (\pd. vspace_at_asid asid pd s \ page_directory_at pd s \ (\\ pd) s \ Q pd s) \ find_pd_for_asid asid \ Q \, -"
 apply (rule hoare_strengthen_postE_R)
- apply (rule hoare_vcg_conj_lift_R[OF find_pd_for_asid_page_directory])
- apply (rule hoare_vcg_conj_lift_R[OF find_pd_for_asid_lookup, simplified])
- apply (rule hoare_vcg_conj_lift_R[OF find_pd_for_asid_pd_at_asid, simplified])
+ apply (rule hoare_vcg_conj_liftE_R[OF find_pd_for_asid_page_directory])
+ apply (rule hoare_vcg_conj_liftE_R[OF find_pd_for_asid_lookup, simplified])
+ apply (rule hoare_vcg_conj_liftE_R[OF find_pd_for_asid_pd_at_asid, simplified])
 apply (wp (once) find_pd_for_asid_inv)
 apply auto
 done
@@ -1352,7 +1352,7 @@ lemma arch_decode_inv_wf[wp]:
 apply (cases "invocation_type label = ArchInvocationLabel ARMPageMap")
 apply (rename_tac dev word rights vmpage_size option)
 apply (rule hoare_pre)
- apply (wp whenE_throwError_wp check_vp_wpR hoare_vcg_const_imp_lift_R
+ apply (wp whenE_throwError_wp check_vp_wpR hoare_vcg_const_imp_liftE_R
 create_mapping_entries_parent_for_refs find_pd_for_asid_pd_at_asid create_mapping_entries_valid_slots create_mapping_entries_same_refs_ex find_pd_for_asid_lookup_pd_wp hoare_vcg_disj_lift_R
diff --git a/proof/invariant-abstract/ARM/ArchCNodeInv_AI.thy b/proof/invariant-abstract/ARM/ArchCNodeInv_AI.thy
index 5767c7a513..b5d29d2ee1 100644
--- a/proof/invariant-abstract/ARM/ArchCNodeInv_AI.thy
+++ b/proof/invariant-abstract/ARM/ArchCNodeInv_AI.thy
@@ -712,7 +712,7 @@ next
 apply simp
 apply (rule hoare_pre_spec_validE)
 apply (wp replace_cap_invs | simp add: is_cap_simps)+
- apply (rule_tac Q="\rv s. Q s \ invs s \ cte_wp_at (\cap. cap = rv) slot s
+ apply (rule_tac Q'="\rv s. Q s \ invs s \ cte_wp_at (\cap. cap = rv) slot s
 \ cte_wp_at (\cap. cap = cap.NullCap \ \ False \ is_zombie cap \ (ptr, nat_to_cref (zombie_cte_bits bits) n)
diff --git a/proof/invariant-abstract/ARM/ArchDetSchedDomainTime_AI.thy b/proof/invariant-abstract/ARM/ArchDetSchedDomainTime_AI.thy
index 064c7ec736..c13ed48e94 100644
--- a/proof/invariant-abstract/ARM/ArchDetSchedDomainTime_AI.thy
+++ b/proof/invariant-abstract/ARM/ArchDetSchedDomainTime_AI.thy
@@ -74,8 +74,8 @@ lemma timer_tick_valid_domain_time:
 wp: reschedule_required_valid_domain_time hoare_vcg_const_imp_lift gts_wp
 (* unless we hit dec_domain_time we know ?dtnot0 holds on the state, so clean up the postcondition once we hit thread_set_time_slice *)
- hoare_post_imp[where Q="\_. ?dtnot0" and R="\_ s. domain_time s = 0 \ X s"
- and a="thread_set_time_slice t ts" for X t ts]
+ hoare_post_imp[where Q'="\_. ?dtnot0" and Q="\_ s. domain_time s = 0 \ X s"
+ and f="thread_set_time_slice t ts" for X t ts]
 hoare_drop_imp[where f="ethread_get t f" for t f])
 apply fastforce
 done
@@ -88,11 +88,11 @@ lemma handle_interrupt_valid_domain_time [DetSchedDomainTime_AI_assms]:
 apply (case_tac "maxIRQ < i", solves \wpsimp wp: hoare_false_imp\)
 apply clarsimp
 apply (wpsimp simp: arch_mask_irq_signal_def)
- apply (rule hoare_post_imp[where Q="\_. ?dtnot0" and a="send_signal p c" for p c], fastforce)
+ apply (rule hoare_post_imp[where Q'="\_. ?dtnot0" and f="send_signal p c" for p c], fastforce)
 apply wpsimp
- apply (rule hoare_post_imp[where Q="\_. ?dtnot0" and a="get_cap p" for p], fastforce)
+ apply (rule hoare_post_imp[where Q'="\_. ?dtnot0" and f="get_cap p" for p], fastforce)
 apply (wpsimp wp: timer_tick_valid_domain_time simp: handle_reserved_irq_def)+
- apply (rule hoare_post_imp[where Q="\_. ?dtnot0" and a="get_irq_state i" for i], fastforce)
+ apply (rule hoare_post_imp[where Q'="\_. ?dtnot0" and f="get_irq_state i" for i], fastforce)
 apply wpsimp+
 done
diff --git a/proof/invariant-abstract/ARM/ArchDetype_AI.thy b/proof/invariant-abstract/ARM/ArchDetype_AI.thy
index 7224372b96..4d902bae2c 100644
--- a/proof/invariant-abstract/ARM/ArchDetype_AI.thy
+++ b/proof/invariant-abstract/ARM/ArchDetype_AI.thy
@@ -572,7 +572,7 @@ lemma delete_objects_invs[wp]:
 apply (simp add: freeMemory_def word_size_def bind_assoc empty_fail_mapM_x ef_storeWord)
 apply (rule hoare_pre)
- apply (rule_tac G="is_aligned ptr bits \ word_size_bits \ bits \ bits \ word_bits"
+ apply (rule_tac P'="is_aligned ptr bits \ word_size_bits \ bits \ bits \ word_bits"
 in hoare_grab_asm)
 apply (simp add: mapM_storeWord_clear_um[unfolded word_size_def] intvl_range_conv[where 'a=machine_word_len, folded word_bits_def])
diff --git a/proof/invariant-abstract/ARM/ArchFinalise_AI.thy b/proof/invariant-abstract/ARM/ArchFinalise_AI.thy
index 1dfa9ba1f9..a4b9752fde 100644
--- a/proof/invariant-abstract/ARM/ArchFinalise_AI.thy
+++ b/proof/invariant-abstract/ARM/ArchFinalise_AI.thy
@@ -147,7 +147,7 @@ lemma delete_asid_pool_unmapped[wp]:
 \\rv s. \ ([VSRef (ucast (asid_high_bits_of asid)) None] \ poolptr) s\"
 apply (simp add: delete_asid_pool_def)
 apply wp
- apply (rule hoare_strengthen_post [where Q="\_. \"])
+ apply (rule hoare_strengthen_post[where Q'="\_. \"])
 apply wp+
 defer
 apply wp+
@@ -423,7 +423,7 @@ lemma arch_finalise_cap_replaceable[wp]:
 vs_lookup_pages_eq_ap[THEN fun_cong, symmetric]
 is_cap_simps vs_cap_ref_def
 no_cap_to_obj_with_diff_ref_Null o_def
- notes wps = hoare_drop_imp[where R="%_. is_final_cap' cap" for cap]
+ notes wps = hoare_drop_imp[where Q'="%_. is_final_cap' cap" for cap]
 unmap_page_table_unmapped3 valid_cap_typ
 shows "\\s. s \ cap.ArchObjectCap cap \
@@ -519,7 +519,7 @@ lemma suspend_unlive':
 supply hoare_vcg_if_split[wp_split del] if_split[split del]
 apply (wp | simp only: obj_at_exst_update)+
 apply (simp add: obj_at_def live_def hyp_live_def)
- apply (rule_tac Q="\_. bound_tcb_at ((=) None) t" in hoare_strengthen_post)
+ apply (rule_tac Q'="\_. bound_tcb_at ((=) None) t" in hoare_strengthen_post)
 supply hoare_vcg_if_split[wp_split]
 apply wp
 apply (auto simp: pred_tcb_def2)[1]
@@ -728,9 +728,8 @@ lemma flush_table_empty:
 apply (wp find_pd_for_asid_inv mapM_wp
 | simp
 | wpc
- | rule_tac
- Q="\_ s. obj_at (empty_table (set (arm_global_pts (arch_state s)))) word s"
- in hoare_strengthen_post)+
+ | rule_tac Q'="\_ s. obj_at (empty_table (set (arm_global_pts (arch_state s)))) word s"
+ in hoare_strengthen_post)+
 done
 lemma unmap_page_table_empty:
@@ -1601,7 +1600,7 @@ lemma delete_asid_pool_unmapped2:
 apply (wp delete_asid_pool_unmapped)
 apply (simp add: delete_asid_pool_def)
 apply wp
- apply (rule_tac Q="\rv s. ?Q s \ asid_table = arm_asid_table (arch_state s)"
+ apply (rule_tac Q'="\rv s. ?Q s \ asid_table = arm_asid_table (arch_state s)"
 in hoare_post_imp)
 apply (clarsimp simp: fun_upd_def[symmetric])
 apply (drule vs_lookup_clear_asid_table[rule_format])
diff --git a/proof/invariant-abstract/ARM/ArchInterrupt_AI.thy b/proof/invariant-abstract/ARM/ArchInterrupt_AI.thy
index 6dd40fbbdf..61058a2bf9 100644
--- a/proof/invariant-abstract/ARM/ArchInterrupt_AI.thy
+++ b/proof/invariant-abstract/ARM/ArchInterrupt_AI.thy
@@ -137,7 +137,7 @@ lemma invoke_irq_handler_invs'[Interrupt_AI_asms]:
 apply (wp valid_cap_typ [OF cap_delete_one_typ_at])
 apply (strengthen real_cte_tcb_valid)
 apply (wp real_cte_at_typ_valid [OF cap_delete_one_typ_at])
- apply (rule_tac Q="\rv s. is_ntfn_cap cap \ invs s
+ apply (rule_tac Q'="\rv s. is_ntfn_cap cap \ invs s
 \ cte_wp_at (is_derived (cdt s) prod cap) prod s"
 in hoare_post_imp)
 apply (clarsimp simp: is_cap_simps is_derived_def cte_wp_at_caps_of_state)
@@ -209,7 +209,7 @@ lemma (* handle_interrupt_invs *) [Interrupt_AI_asms]:
 apply (wp dmo_maskInterrupt_invs maskInterrupt_invs_ARCH dmo_ackInterrupt send_signal_interrupt_states | wpc | simp add: arch_mask_irq_signal_def)+
 apply (wp get_cap_wp send_signal_interrupt_states)
- apply (rule_tac Q="\rv. invs and (\s. st = interrupt_states s irq)" in hoare_post_imp)
+ apply (rule_tac Q'="\rv. invs and (\s. st = interrupt_states s irq)" in hoare_post_imp)
 apply (clarsimp simp: ex_nonz_cap_to_def invs_valid_objs)
 apply (intro allI exI, erule cte_wp_at_weakenE)
 apply (clarsimp simp: is_cap_simps)
diff --git a/proof/invariant-abstract/ARM/ArchIpc_AI.thy b/proof/invariant-abstract/ARM/ArchIpc_AI.thy
index 09f90d7de0..96848987bf 100644
--- a/proof/invariant-abstract/ARM/ArchIpc_AI.thy
+++ b/proof/invariant-abstract/ARM/ArchIpc_AI.thy
@@ -297,7 +297,7 @@ lemma transfer_caps_tcb_caps:
 apply (erule imp)
 apply (wp hoare_vcg_conj_lift hoare_vcg_const_imp_lift hoare_vcg_all_lift )
- apply (rule_tac Q = "\rv s. ( \x\set rv. real_cte_at x s )
+ apply (rule_tac Q'="\rv s. ( \x\set rv. real_cte_at x s )
 \ cte_wp_at P (t, ref) s \ tcb_at t s"
 in hoare_strengthen_post)
 apply (wp get_rs_real_cte_at)
@@ -322,7 +322,7 @@ lemma transfer_caps_non_null_cte_wp_at:
 apply (wp hoare_vcg_ball_lift transfer_caps_loop_cte_wp_at hoare_weak_lift_imp | wpc | clarsimp simp:imp)+
 apply (rule hoare_strengthen_post
- [where Q="\rv s'. (cte_wp_at ((\) cap.NullCap) ptr) s'
+ [where Q'="\rv s'. (cte_wp_at ((\) cap.NullCap) ptr) s'
 \ (\x\set rv. cte_wp_at ((=) cap.NullCap) x s')", rotated])
 apply (clarsimp)
diff --git a/proof/invariant-abstract/ARM/ArchSchedule_AI.thy b/proof/invariant-abstract/ARM/ArchSchedule_AI.thy
index 5ac31d8efd..713560f6b5 100644
--- a/proof/invariant-abstract/ARM/ArchSchedule_AI.thy
+++ b/proof/invariant-abstract/ARM/ArchSchedule_AI.thy
@@ -98,7 +98,7 @@ lemma stt_invs [wp,Schedule_AI_asms]:
 apply (simp add: switch_to_thread_def)
 apply wp
 apply (simp add: trans_state_update[symmetric] del: trans_state_update)
- apply (rule_tac Q="\_. invs and tcb_at t'" in hoare_strengthen_post, wp)
+ apply (rule_tac Q'="\_. invs and tcb_at t'" in hoare_strengthen_post, wp)
 apply (clarsimp simp: invs_def valid_state_def valid_idle_def valid_irq_node_def valid_machine_state_def)
 apply (fastforce simp: cur_tcb_def obj_at_def
diff --git a/proof/invariant-abstract/ARM/ArchTcb_AI.thy b/proof/invariant-abstract/ARM/ArchTcb_AI.thy
index e2ec4fe2f3..3fbd5199e5 100644
--- a/proof/invariant-abstract/ARM/ArchTcb_AI.thy
+++ b/proof/invariant-abstract/ARM/ArchTcb_AI.thy
@@ -245,12 +245,12 @@ lemma tc_invs[Tcb_AI_asms]:
 | (strengthen invs_strengthen)+
 | rule wp_split_const_if wp_split_const_if_R hoare_vcg_all_liftE_R
- hoare_vcg_E_elim hoare_vcg_const_imp_lift_R
- hoare_vcg_R_conj
+ hoare_vcg_conj_elimE hoare_vcg_const_imp_liftE_R
+ hoare_vcg_conj_liftE_R
 | (wp out_invs_trivial case_option_wpE cap_delete_deletes cap_delete_valid_cap cap_insert_valid_cap out_cte_at cap_insert_cte_at cap_delete_cte_at out_valid_cap
- hoare_vcg_const_imp_lift_R hoare_vcg_all_liftE_R
+ hoare_vcg_const_imp_liftE_R hoare_vcg_all_liftE_R
 thread_set_tcb_ipc_buffer_cap_cleared_invs thread_set_invs_trivial[OF ball_tcb_cap_casesI] hoare_vcg_all_lift thread_set_valid_cap out_emptyable
diff --git a/proof/invariant-abstract/ARM/ArchVSpaceEntries_AI.thy b/proof/invariant-abstract/ARM/ArchVSpaceEntries_AI.thy
index c6d38cba56..d3f429a8eb 100644
--- a/proof/invariant-abstract/ARM/ArchVSpaceEntries_AI.thy
+++ b/proof/invariant-abstract/ARM/ArchVSpaceEntries_AI.thy
@@ -675,7 +675,7 @@ lemma init_arch_objects_valid_pdpt:
 split del: if_split)
 apply (rule hoare_pre)
 apply (wp | wpc)+
- apply (rule_tac Q="\rv. valid_pdpt_objs and pspace_aligned and valid_arch_state"
+ apply (rule_tac Q'="\rv. valid_pdpt_objs and pspace_aligned and valid_arch_state"
 in hoare_post_imp, simp)
 apply (rule mapM_x_wp')
 apply (rule hoare_pre, wp copy_global_mappings_valid_pdpt_objs)
diff --git a/proof/invariant-abstract/ARM/ArchVSpace_AI.thy b/proof/invariant-abstract/ARM/ArchVSpace_AI.thy
index 4dade2db4e..8d136dd38b 100644
--- a/proof/invariant-abstract/ARM/ArchVSpace_AI.thy
+++ b/proof/invariant-abstract/ARM/ArchVSpace_AI.thy
@@ -354,7 +354,7 @@ lemma load_hw_asid_invs[wp]: "\invs\ load_hw_asid asid \
 lemma invalidate_tlb_by_asid_invs[wp]: "\invs\ invalidate_tlb_by_asid asid \\_. invs\"
 apply (clarsimp simp: invalidate_tlb_by_asid_def | wp | wpc)+
- apply (rule_tac Q="K invs" in hoare_post_imp)
+ apply (rule_tac Q'="K invs" in hoare_post_imp)
 apply (clarsimp|wp load_hw_asid_invs)+
 done
@@ -414,14 +414,14 @@ lemma invalidate_asid_entry_arch_state [wp]:
 lemma flush_space_asid_map[wp]: "\valid_asid_map\ flush_space space \\rv. valid_asid_map\"
 apply (simp add: flush_space_def)
- apply (wp load_hw_asid_wp | wpc | simp | rule_tac Q="\_. valid_asid_map" in hoare_strengthen_post)+
+ apply (wp load_hw_asid_wp | wpc | simp | rule_tac Q'="\_. valid_asid_map" in hoare_strengthen_post)+
 done
 lemma flush_space_arch_objs[wp]: "\valid_vspace_objs\ flush_space space \\rv. valid_vspace_objs\"
 apply (simp add: flush_space_def)
- apply (wp load_hw_asid_wp | wpc | simp | rule_tac Q="\_. valid_vspace_objs" in hoare_strengthen_post)+
+ apply (wp load_hw_asid_wp | wpc | simp | rule_tac Q'="\_. valid_vspace_objs" in hoare_strengthen_post)+
 done
@@ -490,7 +490,7 @@ crunch invalidate_asid_entry
 lemma flush_space_pd_at_asid [wp]: "\vspace_at_asid a pd\ flush_space asid \\_. vspace_at_asid a pd\"
 apply (simp add: flush_space_def)
- apply (wp load_hw_asid_wp|wpc|rule_tac Q="\_. vspace_at_asid a pd" in hoare_strengthen_post|simp)+
+ apply (wp load_hw_asid_wp|wpc|rule_tac Q'="\_. vspace_at_asid a pd" in hoare_strengthen_post|simp)+
 done
@@ -592,7 +592,7 @@ lemma dmo_cleanCaches_PoU_invs[wp]: "\invs\ do_machine_op cleanC
 lemma flush_space_invs[wp]: "\invs\ flush_space asid \\_. invs\"
 apply (simp add: flush_space_def | wp | wpc)+
- apply (rule_tac Q="K invs" in hoare_post_imp, (simp|wp)+)
+ apply (rule_tac Q'="K invs" in hoare_post_imp, (simp|wp)+)
 done
 crunch flush_space
@@ -993,7 +993,7 @@ lemma set_vm_root_for_flush_asid_map [wp]:
 apply (simp add: set_vm_root_for_flush_def)
 apply (wp|wpc|simp)+
 apply (rule hoare_strengthen_post [where
- Q="\_. valid_asid_map and K (asid \ mask asid_bits)"])
+ Q'="\_. valid_asid_map and K (asid \ mask asid_bits)"])
 apply wp
 apply simp
 apply wp
@@ -1706,7 +1706,7 @@ lemma svr_invs [wp]:
 apply simp
 apply (rule valid_validE_R)
 apply (wp find_pd_for_asid_inv | simp add: split_def)+
- apply (rule_tac Q="\c s. invs s \ s \ c" in hoare_strengthen_post)
+ apply (rule_tac Q'="\c s. invs s \ s \ c" in hoare_strengthen_post)
 apply wp
 apply (clarsimp simp: valid_cap_def mask_def)
 apply(simp add: invs_valid_objs)
@@ -3132,7 +3132,7 @@ lemma unmap_page_table_invs[wp]:
 apply (simp add: unmap_page_table_def)
 apply (rule hoare_pre)
 apply (wp dmo_invs | wpc | simp)+
- apply (rule_tac Q="\_. invs and K (asid \ mask asid_bits)" in hoare_post_imp)
+ apply (rule_tac Q'="\_. invs and K (asid \ mask asid_bits)" in hoare_post_imp)
 apply safe
 apply (drule_tac Q="\_ m'. underlying_memory m' p = underlying_memory m p" in use_valid)
@@ -3566,7 +3566,7 @@ lemma perform_page_table_invocation_invs[wp]:
 apply (cases pti)
 apply (clarsimp simp: valid_pti_def perform_page_table_invocation_def)
 apply (wp dmo_invs)
- apply (rule_tac Q="\_. invs" in hoare_post_imp)
+ apply (rule_tac Q'="\_. invs" in hoare_post_imp)
 apply safe
 apply (drule_tac Q="\_ m'. underlying_memory m' p = underlying_memory m p" in use_valid)
@@ -3686,7 +3686,7 @@ lemma find_pd_for_asid_lookup_slot [wp]:
 \\rv. \\ (lookup_pd_slot rv vptr && ~~ mask pd_bits)\, -"
 apply (rule hoare_pre)
 apply (rule hoare_strengthen_postE_R)
- apply (rule hoare_vcg_R_conj)
+ apply (rule hoare_vcg_conj_liftE_R)
 apply (rule find_pd_for_asid_lookup)
 apply (rule find_pd_for_asid_aligned_pd)
 apply (simp add: pd_shifting lookup_pd_slot_def Let_def)
@@ -3699,8 +3699,8 @@ lemma find_pd_for_asid_lookup_slot_large_page [wp]:
 \\rv. \\ (x + lookup_pd_slot rv vptr && ~~ mask pd_bits)\, -"
 apply (rule hoare_pre)
 apply (rule hoare_strengthen_postE_R)
- apply (rule hoare_vcg_R_conj)
- apply (rule hoare_vcg_R_conj)
+ apply (rule hoare_vcg_conj_liftE_R)
+ apply (rule hoare_vcg_conj_liftE_R)
 apply (rule find_pd_for_asid_inv [where P="K (x \ set [0, 4 .e. 0x3C] \ is_aligned vptr 24)", THEN valid_validE_R])
 apply (rule find_pd_for_asid_lookup)
 apply (rule find_pd_for_asid_aligned_pd)
@@ -3713,7 +3713,7 @@ lemma find_pd_for_asid_pde_at_add [wp]:
 find_pd_for_asid asid \\rv. pde_at (x + lookup_pd_slot rv vptr)\, -"
 apply (rule hoare_pre)
 apply (rule hoare_strengthen_postE_R)
- apply (rule hoare_vcg_R_conj)
+ apply (rule hoare_vcg_conj_liftE_R)
 apply (rule find_pd_for_asid_inv [where P= "K (x \ set [0, 4 .e. 0x3C] \ is_aligned vptr 24) and pspace_aligned", THEN valid_validE_R])
 apply (rule find_pd_for_asid_page_directory)
@@ -3997,7 +3997,7 @@ lemma unmap_page_invs:
 apply (rule hoare_pre)
 apply (wp flush_page_invs hoare_vcg_const_imp_lift)
 apply (wp hoare_drop_imp[where f="check_mapping_pptr a b c" for a b c]
- hoare_drop_impE_R[where R="\x y. x && mask b = c" for b c]
+ hoare_drop_impE_R[where Q'="\x y. x && mask b = c" for b c]
 lookup_pt_slot_inv lookup_pt_slot_cap_to2' lookup_pt_slot_cap_to_multiple2 store_pde_invs_unmap mapM_swp_store_pde_invs_unmap
@@ -4009,7 +4009,7 @@ lemma unmap_page_invs:
 page_directory_at_lookup_mask_aligned_strg page_directory_at_lookup_mask_add_aligned_strg)+
 apply (wp find_pd_for_asid_page_directory
- hoare_vcg_const_imp_lift_R hoare_vcg_const_Ball_lift_R
+ hoare_vcg_const_imp_liftE_R hoare_vcg_const_Ball_liftE_R
 | wp (once) hoare_drop_imps)+
 apply (auto simp: vmsz_aligned_def)
 done
@@ -4306,7 +4306,7 @@ lemma unmap_page_unmapped:
 (* Establish that pptr reachable, otherwise trivial *)
 apply (rule hoare_name_pre_state2)
 apply (case_tac "\ (ref \ p) s")
- apply (rule hoare_pre(1)[OF unmap_page_no_lookup_pages])
+ apply (rule hoare_weaken_pre[OF unmap_page_no_lookup_pages])
 apply clarsimp+
 (* This should be somewhere else but isn't *)
@@ -4594,7 +4594,7 @@ lemma perform_page_invs [wp]:
 apply (rule hoare_pre)
 apply (wp dmo_invs arch_update_cap_invs_unmap_page get_cap_wp hoare_vcg_const_imp_lift | wpc | simp)+
- apply (rule_tac Q="\_ s. invs s \
+ apply (rule_tac Q'="\_ s. invs s \
 cte_wp_at (\c. is_pg_cap c \ (\ref. vs_cap_ref c = Some ref \ \ (ref \ obj_ref_of c) s)) cslot_ptr s"
diff --git a/proof/invariant-abstract/ARM_HYP/ArchArch_AI.thy b/proof/invariant-abstract/ARM_HYP/ArchArch_AI.thy
index a67896ed86..1a97ba31fe 100644
--- a/proof/invariant-abstract/ARM_HYP/ArchArch_AI.thy
+++ b/proof/invariant-abstract/ARM_HYP/ArchArch_AI.thy
@@ -911,7 +911,7 @@ lemma associate_vcpu_tcb_sym_refs_hyp[wp]:
 obj_at (\ko. hyp_refs_of ko = {} ) t s \
 sym_refs (state_hyp_refs_of s)"
 in hoare_triv)
- apply (rule_tac Q="\rv s. obj_at (\ko. hyp_refs_of ko = {} ) vr s \
+ apply (rule_tac Q'="\rv s. obj_at (\ko. hyp_refs_of ko = {} ) vr s \
 obj_at (\ko. hyp_refs_of ko = {} ) t s \
 sym_refs (state_hyp_refs_of s)"
 in hoare_post_imp)
@@ -924,7 +924,7 @@ lemma associate_vcpu_tcb_sym_refs_hyp[wp]:
 apply (wp | wpc | clarsimp)+
 apply (simp add: obj_at_def)
 apply (wp get_vcpu_ko | wpc | clarsimp)+
- apply (rule_tac Q="\rv s. (\t'. obj_at (\tcb. tcb = TCB t' \ rv = tcb_vcpu (tcb_arch t')) t s) \
+ apply (rule_tac Q'="\rv s. (\t'. obj_at (\tcb. tcb = TCB t' \ rv = tcb_vcpu (tcb_arch t')) t s) \
 sym_refs (state_hyp_refs_of s)"
 in hoare_post_imp)
 apply (clarsimp simp: obj_at_def)
@@ -1109,7 +1109,7 @@ lemma associate_vcpu_tcb_valid_arch_state[wp]:
 "associate_vcpu_tcb vcpu tcb \valid_arch_state\"
 apply (clarsimp simp: associate_vcpu_tcb_def)
 apply (wpsimp wp: vcpu_switch_valid_arch)
- apply (rule_tac Q="\_. valid_arch_state and obj_at hyp_live vcpu" in hoare_post_imp)
+ apply (rule_tac Q'="\_. valid_arch_state and obj_at hyp_live vcpu" in hoare_post_imp)
 apply fastforce
 apply wpsimp
 apply (wpsimp wp: arch_thread_set.valid_arch_state)
@@ -1561,9 +1561,9 @@ lemma find_pd_for_asid_lookup_pd_wp:
 "\ \s. valid_vspace_objs s \ (\pd. vspace_at_asid asid pd s \ page_directory_at pd s \ (\\ pd) s \ Q pd s) \ find_pd_for_asid asid \ Q \, -"
 apply (rule hoare_strengthen_postE_R)
- apply (rule hoare_vcg_conj_lift_R[OF find_pd_for_asid_page_directory])
- apply (rule hoare_vcg_conj_lift_R[OF find_pd_for_asid_lookup, simplified])
- apply (rule hoare_vcg_conj_lift_R[OF find_pd_for_asid_pd_at_asid, simplified])
+ apply (rule hoare_vcg_conj_liftE_R[OF find_pd_for_asid_page_directory])
+ apply (rule hoare_vcg_conj_liftE_R[OF find_pd_for_asid_lookup, simplified])
+ apply (rule hoare_vcg_conj_liftE_R[OF find_pd_for_asid_pd_at_asid, simplified])
 apply (wp (once) find_pd_for_asid_inv)
 apply auto
 done
@@ -1688,7 +1688,7 @@ lemma arch_decode_inv_wf[wp]:
 apply (wpsimp wp: whenE_throwError_wp check_vp_wpR create_mapping_entries_parent_for_refs find_pd_for_asid_pd_at_asid create_mapping_entries_valid_slots create_mapping_entries_same_refs_ex hoare_vcg_ex_lift_R hoare_vcg_disj_lift_R
- hoare_vcg_const_imp_lift_R find_pd_for_asid_lookup_pd_wp
+ hoare_vcg_const_imp_liftE_R find_pd_for_asid_lookup_pd_wp
 simp: valid_arch_inv_def valid_page_inv_def is_pg_cap_def cte_wp_at_caps_of_state[where P="\c. same_refs rv c s" for rv s])
 apply (clarsimp simp: neq_Nil_conv)
diff --git a/proof/invariant-abstract/ARM_HYP/ArchCNodeInv_AI.thy b/proof/invariant-abstract/ARM_HYP/ArchCNodeInv_AI.thy
index bc167f994e..2ddeb83c9d 100644
--- a/proof/invariant-abstract/ARM_HYP/ArchCNodeInv_AI.thy
+++ b/proof/invariant-abstract/ARM_HYP/ArchCNodeInv_AI.thy
@@ -728,7 +728,7 @@ next
 apply simp
 apply (rule hoare_pre_spec_validE)
 apply (wp replace_cap_invs | simp add: is_cap_simps)+
- apply (rule_tac Q="\rv s. Q s \ invs s \ cte_wp_at (\cap. cap = rv) slot s
+ apply (rule_tac Q'="\rv s. Q s \ invs s \ cte_wp_at (\cap. cap = rv) slot s
 \ cte_wp_at (\cap. cap = cap.NullCap \ \ False \ is_zombie cap \ (ptr, nat_to_cref (zombie_cte_bits bits) n)
diff --git a/proof/invariant-abstract/ARM_HYP/ArchDetSchedDomainTime_AI.thy b/proof/invariant-abstract/ARM_HYP/ArchDetSchedDomainTime_AI.thy
index fc97c0e73d..3dc7a909db 100644
--- a/proof/invariant-abstract/ARM_HYP/ArchDetSchedDomainTime_AI.thy
+++ b/proof/invariant-abstract/ARM_HYP/ArchDetSchedDomainTime_AI.thy
@@ -95,7 +95,7 @@ lemma vgic_maintenance_valid_domain_time:
 "\\s. 0 < domain_time s\ vgic_maintenance \\y s. domain_time s = 0 \ scheduler_action s = choose_new_thread\"
 unfolding vgic_maintenance_def
- apply (rule hoare_strengthen_post [where Q="\_ s. 0 < domain_time s"])
+ apply (rule hoare_strengthen_post[where Q'="\_ s. 0 < domain_time s"])
 apply (wpsimp wp: handle_fault_domain_time_inv hoare_drop_imps)
 apply clarsimp
 done
@@ -104,7 +104,7 @@ lemma vppi_event_valid_domain_time:
 "\\s. 0 < domain_time s\ vppi_event irq \\y s. domain_time s = 0 \ scheduler_action s = choose_new_thread\"
 unfolding vppi_event_def
- apply (rule hoare_strengthen_post [where Q="\_ s. 0 < domain_time s"])
+ apply (rule hoare_strengthen_post[where Q'="\_ s. 0 < domain_time s"])
 apply (wpsimp wp: handle_fault_domain_time_inv hoare_drop_imps)
 apply clarsimp
 done
@@ -127,8 +127,8 @@ lemma timer_tick_valid_domain_time:
 wp: reschedule_required_valid_domain_time hoare_vcg_const_imp_lift gts_wp
 (* unless we hit dec_domain_time we know ?dtnot0 holds on the state, so clean up the postcondition once we hit thread_set_time_slice *)
- hoare_post_imp[where Q="\_. ?dtnot0" and R="\_ s. domain_time s = 0 \ X s"
- and a="thread_set_time_slice t ts" for X t ts]
+ hoare_post_imp[where Q'="\_. ?dtnot0" and Q="\_ s. domain_time s = 0 \ X s"
+ and f="thread_set_time_slice t ts" for X t ts]
 hoare_drop_imp[where f="ethread_get t f" for t f])
 apply fastforce
 done
@@ -143,15 +143,15 @@ lemma handle_interrupt_valid_domain_time [DetSchedDomainTime_AI_assms]:
 apply (case_tac "maxIRQ < i", solves \wpsimp wp: hoare_false_imp\)
 apply clarsimp
 apply (wpsimp simp: arch_mask_irq_signal_def)
- apply (rule hoare_post_imp[where Q="\_. ?dtnot0" and a="send_signal p c" for p c], fastforce)
+ apply (rule hoare_post_imp[where Q'="\_. ?dtnot0" and f="send_signal p c" for p c], fastforce)
 apply wpsimp
- apply (rule hoare_post_imp[where Q="\_. ?dtnot0" and a="get_cap p" for p], fastforce)
+ apply (rule hoare_post_imp[where Q'="\_. ?dtnot0" and f="get_cap p" for p], fastforce)
 apply (wpsimp wp: timer_tick_valid_domain_time simp: handle_reserved_irq_def)+
- apply (rule hoare_post_imp[where Q="\_. ?dtnot0" and a="vgic_maintenance"], fastforce)
+ apply (rule hoare_post_imp[where Q'="\_. ?dtnot0" and f="vgic_maintenance"], fastforce)
 apply wpsimp+
- apply (rule hoare_post_imp[where Q="\_. ?dtnot0" and a="vppi_event i" for i], fastforce)
+ apply (rule hoare_post_imp[where Q'="\_. ?dtnot0" and f="vppi_event i" for i], fastforce)
 apply wpsimp+
- apply (rule hoare_post_imp[where Q="\_. ?dtnot0" and a="get_irq_state i" for i], fastforce)
+ apply (rule hoare_post_imp[where Q'="\_. ?dtnot0" and f="get_irq_state i" for i], fastforce)
 apply wpsimp+
 done
diff --git a/proof/invariant-abstract/ARM_HYP/ArchDetype_AI.thy b/proof/invariant-abstract/ARM_HYP/ArchDetype_AI.thy
index e1bd9515bf..ae44dac57a 100644
--- a/proof/invariant-abstract/ARM_HYP/ArchDetype_AI.thy
+++ b/proof/invariant-abstract/ARM_HYP/ArchDetype_AI.thy
@@ -645,7 +645,7 @@ lemma delete_objects_invs[wp]:
 apply (simp add: delete_objects_def)
 apply (simp add: freeMemory_def word_size_def bind_assoc ef_storeWord)
 apply (rule hoare_pre)
- apply (rule_tac G="is_aligned ptr bits \ word_size_bits \ bits \ bits \ word_bits"
+ apply (rule_tac P'="is_aligned ptr bits \ word_size_bits \ bits \ bits \ word_bits"
 in hoare_grab_asm)
 apply (simp add: mapM_storeWord_clear_um[unfolded word_size_def] intvl_range_conv[where 'a=machine_word_len, folded word_bits_def])
diff --git a/proof/invariant-abstract/ARM_HYP/ArchFinalise_AI.thy b/proof/invariant-abstract/ARM_HYP/ArchFinalise_AI.thy
index 3a25275d32..9ca314bcf0 100644
--- a/proof/invariant-abstract/ARM_HYP/ArchFinalise_AI.thy
+++ b/proof/invariant-abstract/ARM_HYP/ArchFinalise_AI.thy
@@ -143,7 +143,7 @@ lemma delete_asid_pool_unmapped[wp]:
 \\rv s. \ ([VSRef (ucast (asid_high_bits_of asid)) None] \ poolptr) s\"
 apply (simp add: delete_asid_pool_def)
 apply wp
- apply (rule hoare_strengthen_post [where Q="\_. \"])
+ apply (rule hoare_strengthen_post[where Q'="\_. \"])
 apply wp
 defer
 apply wp+
@@ -760,7 +760,7 @@ lemma dissociate_vcpu_tcb_sym_refs_hyp[wp]:
 "\\s. sym_refs (state_hyp_refs_of s)\ dissociate_vcpu_tcb vr t \\rv s. sym_refs (state_hyp_refs_of s)\"
 apply (simp add: dissociate_vcpu_tcb_def arch_get_sanitise_register_info_def)
 apply (wp arch_thread_set_wp set_vcpu_wp)
- apply (rule_tac Q="\_ s. obj_at (\ko. \tcb. ko = TCB tcb \ tcb_vcpu (tcb_arch tcb) = Some vr) t s
+ apply (rule_tac Q'="\_ s. obj_at (\ko. \tcb. ko = TCB tcb \ tcb_vcpu (tcb_arch tcb) = Some vr) t s
 \ sym_refs (state_hyp_refs_of s)" in hoare_post_imp)
 apply clarsimp
 apply (clarsimp simp: get_tcb_Some_ko_at obj_at_def sym_refs_vcpu_None split: if_splits)
@@ -1124,7 +1124,7 @@ lemma arch_finalise_cap_vcpu:
 notes simps = replaceable_def
 is_cap_simps vs_cap_ref_def
 no_cap_to_obj_with_diff_ref_Null o_def
- notes wps = hoare_drop_imp[where R="%_. is_final_cap' cap" for cap]
+ notes wps = hoare_drop_imp[where Q'="%_. is_final_cap' cap" for cap]
 valid_cap_typ
 shows "cap = VCPUCap r \ \\s. s \ cap.ArchObjectCap cap \
@@ -1161,7 +1161,7 @@ lemma arch_finalise_cap_replaceable1:
 vs_lookup_pages_eq_ap[THEN fun_cong, symmetric]
 is_cap_simps vs_cap_ref_def
 no_cap_to_obj_with_diff_ref_Null o_def
- notes wps = hoare_drop_imp[where R="%_. is_final_cap' cap" for cap]
+ notes wps = hoare_drop_imp[where Q'="%_. is_final_cap' cap" for cap]
 unmap_page_table_unmapped3 valid_cap_typ
 assumes X: "\r. cap \ VCPUCap r"
 shows
@@ -1278,7 +1278,7 @@ lemma prepare_thread_delete_unlive0:
 lemma prepare_thread_delete_unlive[wp]:
 "\obj_at (Not \ live0) ptr\ prepare_thread_delete ptr \\rv. obj_at (Not \ live) ptr\"
- apply (rule_tac Q="\rv. obj_at (Not \ live0) ptr and obj_at (Not \ hyp_live) ptr" in hoare_strengthen_post)
+ apply (rule_tac Q'="\rv. obj_at (Not \ live0) ptr and obj_at (Not \ hyp_live) ptr" in hoare_strengthen_post)
 apply (wpsimp wp: hoare_vcg_conj_lift prepare_thread_delete_unlive_hyp prepare_thread_delete_unlive0)+
 apply (clarsimp simp: obj_at_def, case_tac ko, simp_all add: is_tcb_def live_def)
 done
@@ -1531,9 +1531,7 @@ lemma flush_table_empty:
 apply (wp find_pd_for_asid_inv mapM_wp
 | simp
 | wpc
- | rule_tac
- Q="\_ s. obj_at (empty_table {}) word s"
- in hoare_strengthen_post)+
+ | rule_tac Q'="\_ s. obj_at (empty_table {}) word s" in hoare_strengthen_post)+
 done
 lemma unmap_page_table_empty:
@@ -2371,7 +2369,7 @@ lemma delete_asid_pool_unmapped2:
 apply (wp delete_asid_pool_unmapped)
 apply (simp add: delete_asid_pool_def)
 apply wp
- apply (rule_tac Q="\rv s. ?Q s \ asid_table = arm_asid_table (arch_state s)"
+ apply (rule_tac Q'="\rv s. ?Q s \ asid_table = arm_asid_table (arch_state s)"
 in hoare_post_imp)
 apply (clarsimp simp: fun_upd_def[symmetric])
 apply (drule vs_lookup_clear_asid_table[rule_format])
diff --git a/proof/invariant-abstract/ARM_HYP/ArchInterrupt_AI.thy b/proof/invariant-abstract/ARM_HYP/ArchInterrupt_AI.thy
index 3f542a61a5..d193d18e47 100644
--- a/proof/invariant-abstract/ARM_HYP/ArchInterrupt_AI.thy
+++ b/proof/invariant-abstract/ARM_HYP/ArchInterrupt_AI.thy
@@ -130,7 +130,7 @@ lemma invoke_irq_handler_invs'[Interrupt_AI_asms]:
 apply (wp valid_cap_typ [OF cap_delete_one_typ_at])
 apply (strengthen real_cte_tcb_valid)
 apply (wp real_cte_at_typ_valid [OF cap_delete_one_typ_at])
- apply (rule_tac Q="\rv s. is_ntfn_cap cap \ invs s
+ apply (rule_tac Q'="\rv s. is_ntfn_cap cap \ invs s
 \ cte_wp_at (is_derived (cdt s) prod cap) prod s" in hoare_post_imp)
 apply (clarsimp simp: is_cap_simps is_derived_def cte_wp_at_caps_of_state)
@@ -262,7 +262,7 @@ lemma (* handle_interrupt_invs *) [Interrupt_AI_asms]:
 apply (wp dmo_maskInterrupt_invs maskInterrupt_invs_ARCH dmo_ackInterrupt send_signal_interrupt_states | wpc | simp add: arch_mask_irq_signal_def)+
 apply (wp get_cap_wp send_signal_interrupt_states )
- apply (rule_tac Q="\rv. invs and (\s. st = interrupt_states s irq)" in hoare_post_imp)
+ apply (rule_tac Q'="\rv. invs and (\s. st = interrupt_states s irq)" in hoare_post_imp)
 apply (clarsimp simp: ex_nonz_cap_to_def invs_valid_objs)
 apply (intro allI exI, erule cte_wp_at_weakenE)
 apply (clarsimp simp: is_cap_simps)
diff --git a/proof/invariant-abstract/ARM_HYP/ArchIpc_AI.thy b/proof/invariant-abstract/ARM_HYP/ArchIpc_AI.thy
index 55e0d4368e..3a452518ea 100644
--- a/proof/invariant-abstract/ARM_HYP/ArchIpc_AI.thy
+++ b/proof/invariant-abstract/ARM_HYP/ArchIpc_AI.thy
@@ -55,8 +55,7 @@ lemma derive_cap_is_derived [Ipc_AI_assms]:
 | fold validE_R_def | erule cte_wp_at_weakenE | simp split: cap.split_asm)+)[11]
- including no_pre
- apply(rule hoare_pre, wp hoare_drop_imps arch_derive_cap_is_derived)
+ apply(wp hoare_drop_imps arch_derive_cap_is_derived)
 apply(clarify, drule cte_wp_at_norm, clarify)
 apply(frule(1) cte_wp_at_valid_objs_valid_cap)
 apply(erule cte_wp_at_weakenE)
@@ -300,7 +299,7 @@ lemma transfer_caps_tcb_caps:
 apply (erule imp)
 apply (wp hoare_vcg_conj_lift hoare_vcg_const_imp_lift hoare_vcg_all_lift )
- apply (rule_tac Q = "\rv s. ( \x\set rv. real_cte_at x s )
+ apply (rule_tac Q'="\rv s. ( \x\set rv. real_cte_at x s )
 \ cte_wp_at P (t, ref) s \ tcb_at t s" in hoare_strengthen_post)
 apply (wp get_rs_real_cte_at)
@@ -325,7 +324,7 @@ lemma transfer_caps_non_null_cte_wp_at:
 apply (wp hoare_vcg_ball_lift transfer_caps_loop_cte_wp_at hoare_weak_lift_imp | wpc | clarsimp simp:imp)+
 apply (rule hoare_strengthen_post
- [where Q="\rv s'. (cte_wp_at ((\) cap.NullCap) ptr) s'
+ [where Q'="\rv s'. (cte_wp_at ((\) cap.NullCap) ptr) s'
 \ (\x\set rv. cte_wp_at ((=) cap.NullCap) x s')", rotated])
 apply (clarsimp)
diff --git a/proof/invariant-abstract/ARM_HYP/ArchSchedule_AI.thy b/proof/invariant-abstract/ARM_HYP/ArchSchedule_AI.thy
index 30c78f1fd6..296b00e0bf 100644
--- a/proof/invariant-abstract/ARM_HYP/ArchSchedule_AI.thy
+++ b/proof/invariant-abstract/ARM_HYP/ArchSchedule_AI.thy
@@ -111,7 +111,7 @@ lemma stt_invs [wp,Schedule_AI_asms]:
 apply (simp add: switch_to_thread_def)
 apply wp
 apply (simp add: trans_state_update[symmetric] del: trans_state_update)
- apply (rule_tac Q="\_. invs and tcb_at t'" in hoare_strengthen_post, wp)
+ apply (rule_tac Q'="\_. invs and tcb_at t'" in hoare_strengthen_post, wp)
 apply (clarsimp simp: invs_def valid_state_def valid_idle_def valid_irq_node_def valid_machine_state_def)
 apply (fastforce simp: cur_tcb_def obj_at_def
diff --git a/proof/invariant-abstract/ARM_HYP/ArchTcb_AI.thy b/proof/invariant-abstract/ARM_HYP/ArchTcb_AI.thy
index fbb71acf87..e6a5abc176 100644
--- a/proof/invariant-abstract/ARM_HYP/ArchTcb_AI.thy
+++ b/proof/invariant-abstract/ARM_HYP/ArchTcb_AI.thy
@@ -247,12 +247,12 @@ lemma tc_invs[Tcb_AI_asms]:
 | (strengthen invs_strengthen)+ | rule wp_split_const_if wp_split_const_if_R hoare_vcg_all_liftE_R
- hoare_vcg_E_elim hoare_vcg_const_imp_lift_R
- hoare_vcg_R_conj
+ hoare_vcg_conj_elimE hoare_vcg_const_imp_liftE_R
+ hoare_vcg_conj_liftE_R
 | (wp out_invs_trivial case_option_wpE cap_delete_deletes cap_delete_valid_cap cap_insert_valid_cap out_cte_at cap_insert_cte_at cap_delete_cte_at out_valid_cap
- hoare_vcg_const_imp_lift_R hoare_vcg_all_liftE_R
+ hoare_vcg_const_imp_liftE_R hoare_vcg_all_liftE_R
 thread_set_tcb_ipc_buffer_cap_cleared_invs thread_set_invs_trivial[OF ball_tcb_cap_casesI] hoare_vcg_all_lift thread_set_valid_cap out_emptyable
diff --git a/proof/invariant-abstract/ARM_HYP/ArchVCPU_AI.thy b/proof/invariant-abstract/ARM_HYP/ArchVCPU_AI.thy
index f0d43be4a3..019acf8bad 100644
--- a/proof/invariant-abstract/ARM_HYP/ArchVCPU_AI.thy
+++ b/proof/invariant-abstract/ARM_HYP/ArchVCPU_AI.thy
@@ -214,7 +214,7 @@ lemma associate_vcpu_tcb_valid_cur_vcpu:
 apply (wpsimp wp: hoare_vcg_imp_lift')
 apply (wpsimp wp: arch_thread_set_wp)
 apply (wpsimp wp: arch_thread_set_wp)
- apply (rule_tac Q="\_ s. valid_cur_vcpu s \ sym_refs (state_hyp_refs_of s)" in hoare_post_imp)
+ apply (rule_tac Q'="\_ s. valid_cur_vcpu s \ sym_refs (state_hyp_refs_of s)" in hoare_post_imp)
 apply (clarsimp simp: pred_tcb_at_def obj_at_def valid_cur_vcpu_def active_cur_vcpu_of_def)
 by (wpsimp wp: get_vcpu_wp hoare_drop_imps)+
@@ -458,7 +458,7 @@ lemma rec_del_valid_cur_vcpu[wp]:
 rec_del call \\_. valid_cur_vcpu\" (is "\?pre\ _ \_\")
- apply (rule_tac Q="\_. ?pre" in hoare_post_imp, fastforce)
+ apply (rule_tac Q'="\_. ?pre" in hoare_post_imp, fastforce)
 by (rule rec_del_preservation; wpsimp)
 crunch cap_delete
@@ -469,7 +469,7 @@ lemma cap_revoke_valid_cur_vcpu[wp]:
 cap_revoke slot \\_. valid_cur_vcpu\" (is "\?pre\ _ \_\")
- apply (rule_tac Q="\_. ?pre" in hoare_post_imp, fastforce)
+ apply (rule_tac Q'="\_. ?pre" in hoare_post_imp, fastforce)
 by (wpsimp wp: cap_revoke_preservation)
 crunch cancel_badged_sends, invoke_irq_control, invoke_irq_handler
diff --git a/proof/invariant-abstract/ARM_HYP/ArchVSpaceEntries_AI.thy b/proof/invariant-abstract/ARM_HYP/ArchVSpaceEntries_AI.thy
index efdcf8dd6d..caafa1c4e1 100644
--- a/proof/invariant-abstract/ARM_HYP/ArchVSpaceEntries_AI.thy
+++ b/proof/invariant-abstract/ARM_HYP/ArchVSpaceEntries_AI.thy
@@ -607,7 +607,7 @@ lemma init_arch_objects_valid_pdpt:
 split del: if_split)
 apply (rule hoare_pre)
 apply (wp | wpc)+
- apply (rule_tac Q="\rv. valid_pdpt_objs and pspace_aligned and valid_arch_state"
+ apply (rule_tac Q'="\rv. valid_pdpt_objs and pspace_aligned and valid_arch_state"
 in hoare_post_imp, simp)
 apply (rule mapM_x_wp')
 apply (rule hoare_pre, wp copy_global_mappings_valid_pdpt_objs)
diff --git a/proof/invariant-abstract/ARM_HYP/ArchVSpace_AI.thy b/proof/invariant-abstract/ARM_HYP/ArchVSpace_AI.thy
index fbac0db1a3..60680d4ab9 100644
--- a/proof/invariant-abstract/ARM_HYP/ArchVSpace_AI.thy
+++ b/proof/invariant-abstract/ARM_HYP/ArchVSpace_AI.thy
@@ -465,7 +465,7 @@ lemma load_hw_asid_invs[wp]: "\invs\ load_hw_asid asid \
 lemma invalidate_tlb_by_asid_invs[wp]:
 "\invs\ invalidate_tlb_by_asid asid \\_. invs\"
 apply (wpsimp simp: invalidate_tlb_by_asid_def)+
- apply (rule_tac Q="K invs" in hoare_post_imp)
+ apply (rule_tac Q'="K invs" in hoare_post_imp)
 apply (wpsimp simp: load_hw_asid_invs)+
 done
@@ -527,7 +527,7 @@ lemma invalidate_asid_entry_arch_state [wp]:
 lemma flush_space_asid_map[wp]:
 "\valid_asid_map\ flush_space space \\rv. valid_asid_map\"
 apply (simp add: flush_space_def)
- apply (wp load_hw_asid_wp | wpc | simp | rule_tac Q="\_. valid_asid_map" in hoare_strengthen_post)+
+ apply (wp load_hw_asid_wp | wpc | simp | rule_tac Q'="\_. valid_asid_map" in hoare_strengthen_post)+
 done
@@ -595,7 +595,7 @@ crunch invalidate_asid_entry
 lemma flush_space_pd_at_asid [wp]:
 "\vspace_at_asid a pd\ flush_space asid \\_. vspace_at_asid a pd\"
 apply (simp add: flush_space_def)
- apply (wp load_hw_asid_wp|wpc|rule_tac Q="\_. vspace_at_asid a pd" in hoare_strengthen_post|simp)+
+ apply (wp load_hw_asid_wp|wpc|rule_tac Q'="\_. vspace_at_asid a pd" in hoare_strengthen_post|simp)+
 done
@@ -703,7 +703,7 @@ lemma dmo_cleanCaches_PoU_invs[wp]: "\invs\ do_machine_op cleanC
 lemma flush_space_invs[wp]:
 "\invs\ flush_space asid \\_. invs\"
 apply (wpsimp simp: flush_space_def)
- apply (rule_tac Q="K invs" in hoare_post_imp, wpsimp+)
+ apply (rule_tac Q'="K invs" in hoare_post_imp, wpsimp+)
 done
 crunch flush_space
@@ -1095,7 +1095,7 @@ lemma set_vm_root_for_flush_asid_map [wp]:
 apply (simp add: set_vm_root_for_flush_def)
 apply (wp|wpc|simp)+
 apply (rule hoare_strengthen_post [where
- Q="\_. valid_asid_map and K (asid \ mask asid_bits)"])
+ Q'="\_. valid_asid_map and K (asid \ mask asid_bits)"])
 apply wp
 apply simp
 apply wp
@@ -4185,7 +4185,7 @@ lemma unmap_page_table_invs[wp]:
 apply (simp add: unmap_page_table_def)
 apply (rule hoare_pre)
 apply (wp dmo_invs | wpc | simp)+
- apply (rule_tac Q="\_. invs and K (asid \ mask asid_bits)" in hoare_post_imp)
+ apply (rule_tac Q'="\_. invs and K (asid \ mask asid_bits)" in hoare_post_imp)
 apply safe
 apply (drule_tac Q="\_ m'. underlying_memory m' p = underlying_memory m p" in use_valid)
@@ -4658,7 +4658,7 @@ lemma perform_page_table_invocation_invs[wp]:
 apply (cases pti)
 apply (clarsimp simp: valid_pti_def perform_page_table_invocation_def)
 apply (wp dmo_invs)
- apply (rule_tac Q="\_. invs" in hoare_post_imp)
+ apply (rule_tac Q'="\_. invs" in hoare_post_imp)
 apply safe
 apply (drule_tac Q="\_ m'. underlying_memory m' p = underlying_memory m p" in use_valid)
@@ -4777,7 +4777,7 @@ lemma find_pd_for_asid_lookup_slot [wp]:
 \\rv. \\ (lookup_pd_slot rv vptr && ~~ mask pd_bits)\, -"
 apply (rule hoare_pre)
 apply (rule hoare_strengthen_postE_R)
- apply (rule hoare_vcg_R_conj)
+ apply (rule hoare_vcg_conj_liftE_R)
 apply (rule find_pd_for_asid_lookup)
 apply (rule find_pd_for_asid_aligned_pd)
 apply (simp add: pd_shifting lookup_pd_slot_def Let_def)
@@ -4790,8 +4790,8 @@ lemma find_pd_for_asid_lookup_slot_large_page [wp]:
 \\rv. \\ (x + lookup_pd_slot rv vptr && ~~ mask pd_bits)\, -"
 apply (rule hoare_pre)
 apply (rule hoare_strengthen_postE_R)
- apply (rule hoare_vcg_R_conj)
- apply (rule hoare_vcg_R_conj)
+ apply (rule hoare_vcg_conj_liftE_R)
+ apply (rule hoare_vcg_conj_liftE_R)
 apply (rule find_pd_for_asid_inv [where P="K (x \ set [0, 8 .e. 0x78] \ is_aligned vptr 25)", THEN valid_validE_R])
 apply (rule find_pd_for_asid_lookup)
 apply (rule find_pd_for_asid_aligned_pd)
@@ -4804,7 +4804,7 @@ lemma find_pd_for_asid_pde_at_add [wp]:
 find_pd_for_asid asid \\rv. pde_at (x + lookup_pd_slot rv vptr)\, -"
 apply (rule hoare_pre)
 apply (rule hoare_strengthen_postE_R)
- apply (rule hoare_vcg_R_conj)
+ apply (rule hoare_vcg_conj_liftE_R)
 apply (rule find_pd_for_asid_inv [where P= "K (x \ set [0, 8 .e. 0x78] \ is_aligned vptr 25) and pspace_aligned", THEN valid_validE_R])
 apply (rule find_pd_for_asid_page_directory)
@@ -5073,7 +5073,7 @@ lemma unmap_page_invs:
 apply (rule hoare_pre)
 apply (wp flush_page_invs hoare_vcg_const_imp_lift)
 apply (wp hoare_drop_imp[where f="check_mapping_pptr a b c" for a b c]
- hoare_drop_impE_R[where R="\x y. x && mask b = c" for b c]
+ hoare_drop_impE_R[where Q'="\x y. x && mask b = c" for b c]
 store_pde_invs_unmap lookup_pt_slot_inv lookup_pt_slot_cap_to2' lookup_pt_slot_cap_to_multiple2 store_pde_invs_unmap mapM_swp_store_pde_invs_unmap
@@ -5083,7 +5083,7 @@ lemma unmap_page_invs:
 page_directory_at_lookup_mask_aligned_strg page_directory_at_lookup_mask_add_aligned_strg)+
 apply (wp find_pd_for_asid_page_directory
- hoare_vcg_const_imp_lift_R hoare_vcg_const_Ball_lift_R
+ hoare_vcg_const_imp_liftE_R hoare_vcg_const_Ball_liftE_R
 | wp (once) hoare_drop_imps)+
 apply (auto simp: vmsz_aligned_def)
 done
@@ -5357,7 +5357,7 @@ lemma unmap_page_unmapped:
 (* Establish that pptr reachable, otherwise trivial *)
 apply (rule hoare_name_pre_state2)
 apply (case_tac "\ (ref \ p) s")
- apply (rule hoare_pre(1)[OF unmap_page_no_lookup_pages])
+ apply (rule hoare_weaken_pre[OF unmap_page_no_lookup_pages])
 apply clarsimp+
 (* This should be somewhere else but isn't *)
@@ -5666,7 +5666,7 @@ lemma perform_page_invs [wp]:
 apply (rule hoare_pre)
 apply (wp dmo_invs arch_update_cap_invs_unmap_page get_cap_wp hoare_vcg_const_imp_lift | wpc | simp)+
- apply (rule_tac Q="\_ s. invs s \
+ apply (rule_tac Q'="\_ s. invs s \
 cte_wp_at (\c. is_pg_cap c \ (\ref. vs_cap_ref c = Some ref \ \ (ref \ obj_ref_of c) s)) cslot_ptr s"
diff --git a/proof/invariant-abstract/CNodeInv_AI.thy b/proof/invariant-abstract/CNodeInv_AI.thy
index 36fae1e676..ac470e88d1 100644
--- a/proof/invariant-abstract/CNodeInv_AI.thy
+++ b/proof/invariant-abstract/CNodeInv_AI.thy
@@ -443,7 +443,7 @@ lemma decode_cnode_inv_wf[wp]:
 apply (wp whenE_throwError_wp | wpcw)+
 apply (rename_tac dest_slot y src_slot)
 apply simp
- apply (rule_tac Q="\src_cap. valid_cap src_cap and ex_cte_cap_wp_to is_cnode_cap dest_slot
+ apply (rule_tac Q'="\src_cap. valid_cap src_cap and ex_cte_cap_wp_to is_cnode_cap dest_slot
 and zombies_final and valid_objs and real_cte_at src_slot and real_cte_at dest_slot and cte_wp_at (\c. c = src_cap) src_slot
@@ -3129,7 +3129,7 @@ lemma duplicate_creation:
 set_cap cap p' \\rv s. cte_wp_at (\cap. \ is_final_cap' cap s) p s\"
 apply (rule hoare_gen_asm)
- apply (rule hoare_post_imp [where Q="\rv. cte_wp_at (\c. gen_obj_refs c = gen_obj_refs cap) p
+ apply (rule hoare_post_imp[where Q'="\rv. cte_wp_at (\c. gen_obj_refs c = gen_obj_refs cap) p
 and cte_wp_at ((=) cap) p'"])
 apply (clarsimp simp: cte_wp_at_def)
 apply (case_tac "\x. x \ obj_refs cap \ x \ obj_refs capa")
diff --git a/proof/invariant-abstract/CSpaceInv_AI.thy b/proof/invariant-abstract/CSpaceInv_AI.thy
index 1216d08f9f..538d6d0a7f 100644
--- a/proof/invariant-abstract/CSpaceInv_AI.thy
+++ b/proof/invariant-abstract/CSpaceInv_AI.thy
@@ -1477,7 +1477,7 @@ lemma set_cap_caps_of_state2:
 "\\s. P ((caps_of_state s)(p \ cap)) (cdt s) (is_original_cap s)\ set_cap cap p \\rv s. P (caps_of_state s) (cdt s) (is_original_cap s)\"
- apply (rule_tac Q="\rv s. \m mr. P (caps_of_state s) m mr
+ apply (rule_tac Q'="\rv s. \m mr. P (caps_of_state s) m mr
 \ (cdt s = m) \ (is_original_cap s = mr)" in hoare_post_imp)
 apply simp
diff --git a/proof/invariant-abstract/CSpace_AI.thy b/proof/invariant-abstract/CSpace_AI.thy
index 67acca465a..5d043c1782 100644
--- a/proof/invariant-abstract/CSpace_AI.thy
+++ b/proof/invariant-abstract/CSpace_AI.thy
@@ -4174,7 +4174,7 @@ lemma ensure_empty_inv[wp]:
 lemma get_cap_cte_wp_at3:
 "\not cte_wp_at (not P) p\ get_cap p \\rv s. P rv\"
- apply (rule hoare_post_imp [where Q="\rv. cte_wp_at (\c. c = rv) p and not cte_wp_at (not P) p"])
+ apply (rule hoare_post_imp[where Q'="\rv. cte_wp_at (\c. c = rv) p and not cte_wp_at (not P) p"])
 apply (clarsimp simp: cte_wp_at_def pred_neg_def)
 apply (wp get_cap_cte_wp_at)
 done
diff --git a/proof/invariant-abstract/DetSchedDomainTime_AI.thy b/proof/invariant-abstract/DetSchedDomainTime_AI.thy
index 6ec4f077a5..5a65db9c90 100644
--- a/proof/invariant-abstract/DetSchedDomainTime_AI.thy
+++ b/proof/invariant-abstract/DetSchedDomainTime_AI.thy
@@ -472,12 +472,12 @@ lemma call_kernel_domain_time_inv_det_ext:
 apply (rule hoare_pre)
 apply ((wp schedule_domain_time_left handle_interrupt_valid_domain_time | wpc | simp)+)[1]
- apply (rule_tac Q="\_ s. 0 < domain_time s \ valid_domain_list s" in hoare_strengthen_post)
+ apply (rule_tac Q'="\_ s. 0 < domain_time s \ valid_domain_list s" in hoare_strengthen_post)
 apply wp
 apply fastforce+
 (* now non-interrupt case; may throw but does not touch domain_time in handle_event *)
 apply (wp schedule_domain_time_left without_preemption_wp handle_interrupt_valid_domain_time)
- apply (rule_tac Q="\_ s. 0 < domain_time s \ valid_domain_list s" in hoare_post_imp)
+ apply (rule_tac Q'="\_ s. 0 < domain_time s \ valid_domain_list s" in hoare_post_imp)
 apply fastforce
 apply (wp handle_event_domain_time_inv)+
 apply (rule_tac Q'="\_ s. 0 < domain_time s" in hoare_strengthen_postE_R)
diff --git a/proof/invariant-abstract/DetSchedSchedule_AI.thy b/proof/invariant-abstract/DetSchedSchedule_AI.thy
index 7696149a21..315dabcbb7 100644
--- a/proof/invariant-abstract/DetSchedSchedule_AI.thy
+++ b/proof/invariant-abstract/DetSchedSchedule_AI.thy
@@ -2093,7 +2093,7 @@ lemma restart_valid_sched[wp]:
 set_thread_state_valid_blocked_except sts_st_tcb_at' cancel_ipc_simple2 possible_switch_to_valid_sched)+
- apply (rule_tac Q="\_. valid_sched and not_cur_thread thread and (\s. thread \ idle_thread s)" in hoare_strengthen_post)
+ apply (rule_tac Q'="\_. valid_sched and not_cur_thread thread and (\s. thread \ idle_thread s)" in hoare_strengthen_post)
 apply wp
 apply (simp add: valid_sched_def)
 apply (simp add: if_fun_split)
@@ -2595,7 +2595,7 @@ lemma do_reply_transfer_valid_sched[wp]:
 apply (wp set_thread_state_runnable_valid_queues set_thread_state_runnable_valid_sched_action set_thread_state_valid_blocked_except sts_st_tcb_at')[1]
- apply (rule_tac Q="\_. valid_sched and not_cur_thread receiver
+ apply (rule_tac Q'="\_. valid_sched and not_cur_thread receiver
 and (\s. receiver \ idle_thread s)" in hoare_strengthen_post)
 apply wp
@@ -2750,7 +2750,7 @@ lemma send_ipc_valid_sched:
 set_thread_state_valid_blocked_except sts_st_tcb_at')
 apply (clarsimp simp: conj.commute eq_commute)
 apply (rename_tac recvr q recv_state)
- apply (rule_tac Q="\_. valid_sched and scheduler_act_not thread and not_queued thread
+ apply (rule_tac Q'="\_. valid_sched and scheduler_act_not thread and not_queued thread
 and (\s. recvr \ cur_thread s) and (\s. recvr \ idle_thread s \ recvr \ thread)" in hoare_strengthen_post)
@@ -2878,7 +2878,7 @@ lemma send_signal_valid_sched[wp]:
 set_thread_state_runnable_valid_queues set_thread_state_runnable_valid_sched_action set_thread_state_valid_blocked_except sts_st_tcb_at' gts_wp | wpc | clarsimp)+
 apply (rename_tac ntfn a st)
- apply (rule_tac Q="\rv s. valid_sched s \ a \ idle_thread s \ not_cur_thread a s" in hoare_strengthen_post)
+ apply (rule_tac Q'="\rv s. valid_sched s \ a \ idle_thread s \ not_cur_thread a s" in hoare_strengthen_post)
 apply (wp gts_wp get_simple_ko_wp | simp add: valid_sched_def)+
 apply (clarsimp)
 apply (rule conjI, clarsimp, rule conjI)
@@ -2928,7 +2928,7 @@ lemma receive_ipc_valid_sched:
 set_thread_state_runnable_valid_queues set_thread_state_runnable_valid_sched_action set_thread_state_valid_blocked_except | simp | wpc)+)[3]
- apply (rule_tac Q="\_. valid_sched and scheduler_act_not (sender) and not_queued (sender)
+ apply (rule_tac Q'="\_. valid_sched and scheduler_act_not (sender) and not_queued (sender)
 and not_cur_thread (sender) and (\s. sender \ idle_thread s)" in hoare_strengthen_post)
 apply wp
@@ -3208,7 +3208,7 @@ lemma handle_recv_valid_sched:
 cong: if_cong)
 apply (wp get_simple_ko_wp handle_fault_valid_sched delete_caller_cap_not_queued receive_ipc_valid_sched receive_signal_valid_sched | simp)+
- apply (rule hoare_vcg_E_elim)
+ apply (rule hoare_vcg_conj_elimE)
 apply (wpsimp simp: lookup_cap_def lookup_slot_for_thread_def)
 apply (wp resolve_address_bits_valid_fault2)+
 apply (simp add: valid_fault_def)
@@ -3327,7 +3327,7 @@ lemma invoke_domain_valid_sched[wp]:
 apply (wp hoare_weak_lift_imp hoare_weak_lift_imp_conj tcb_dequeue_not_queued tcb_sched_action_dequeue_valid_blocked_except)
 apply simp
 apply (wp hoare_vcg_disj_lift)
- apply (rule_tac Q="\_. valid_sched and not_queued t and valid_idle and (\s. t \ idle_thread s)" in hoare_strengthen_post)
+ apply (rule_tac Q'="\_. valid_sched and not_queued t and valid_idle and (\s. t \ idle_thread s)" in hoare_strengthen_post)
 apply (wp tcb_sched_action_dequeue_valid_sched_not_runnable tcb_dequeue_not_queued)
 apply (simp add: valid_sched_def valid_sched_action_def)
 apply simp
@@ -3385,7 +3385,7 @@ lemma handle_invocation_valid_sched:
 apply (wp set_thread_state_runnable_valid_sched)[1]
 apply wp+
 apply (wp gts_wp hoare_vcg_all_lift)
- apply (rule_tac Q="\_. valid_sched" and E="\_. valid_sched" in hoare_strengthen_postE)
+ apply (rule_tac Q'="\_. valid_sched" and E'="\_. valid_sched" in hoare_strengthen_postE)
 apply wp
 apply ((clarsimp simp: st_tcb_at_def obj_at_def)+)[2]
 apply (wp ct_in_state_set set_thread_state_runnable_valid_sched
@@ -3626,14 +3626,14 @@ lemma call_kernel_valid_sched:
 \\_. valid_sched\"
 apply (simp add: call_kernel_def)
 apply (wp schedule_valid_sched activate_thread_valid_sched | simp)+
- apply (rule_tac Q="\rv. invs" in hoare_strengthen_post)
+ apply (rule_tac Q'="\rv. invs" in hoare_strengthen_post)
 apply wp
 apply (erule invs_valid_idle)
- apply (rule hoare_strengthen_post [where Q="\irq s. irq \ Some ` non_kernel_IRQs \ valid_sched s \ invs s"])
+ apply (rule hoare_strengthen_post[where Q'="\irq s. irq \ Some ` non_kernel_IRQs \ valid_sched s \ invs s"])
 apply (wpsimp wp: getActiveIRQ_neq_non_kernel)
 apply auto[1]
- apply (rule_tac Q="\rv. valid_sched and invs" and
- E="\rv. valid_sched and invs" in hoare_strengthen_postE)
+ apply (rule_tac Q'="\rv. valid_sched and invs" and
+ E'="\rv. valid_sched and invs" in hoare_strengthen_postE)
 apply (rule valid_validE)
 apply (wp handle_event_valid_sched)
 apply (force intro: active_from_running)+
diff --git a/proof/invariant-abstract/Deterministic_AI.thy b/proof/invariant-abstract/Deterministic_AI.thy
index 8b9ef40d10..f9452d06bf 100644
--- a/proof/invariant-abstract/Deterministic_AI.thy
+++ b/proof/invariant-abstract/Deterministic_AI.thy
@@ -1478,7 +1478,7 @@ lemma set_cap_caps_of_state3:
 "\\s. P ((caps_of_state s) (p \ cap)) (cdt s) (exst s) (is_original_cap s)\ set_cap cap p \\rv s. P (caps_of_state s) (cdt s) (exst s) (is_original_cap s)\"
- apply (rule_tac Q="\rv s. \m mr t. P (caps_of_state s) m t mr
+ apply (rule_tac Q'="\rv s. \m mr t. P (caps_of_state s) m t mr
 \ (cdt s = m) \ (exst s = t) \ (is_original_cap s = mr)" in hoare_post_imp)
 apply simp
diff --git a/proof/invariant-abstract/Finalise_AI.thy b/proof/invariant-abstract/Finalise_AI.thy
index 3ddca3ef69..9361002b75 100644
--- a/proof/invariant-abstract/Finalise_AI.thy
+++ b/proof/invariant-abstract/Finalise_AI.thy
@@ -493,7 +493,7 @@ lemma cancel_ipc_caps_of_state:
 apply (simp add: cancel_ipc_def reply_cancel_ipc_def cong: Structures_A.thread_state.case_cong)
 apply (wpsimp wp: cap_delete_one_caps_of_state)
- apply (rule_tac Q="\_ s. (\p. cte_wp_at can_fast_finalise p s
+ apply (rule_tac Q'="\_ s. (\p. cte_wp_at can_fast_finalise p s
 \ P ((caps_of_state s) (p \ cap.NullCap))) \ P (caps_of_state s)" in hoare_post_imp)
@@ -941,7 +941,7 @@ lemma cap_delete_one_deletes_reply:
 \\rv s. \ has_reply_cap t s\"
 apply (simp add: cap_delete_one_def unless_def is_final_cap_def)
 apply wp
- apply (rule_tac Q="\rv s. \sl' R. if (sl' = slot)
+ apply (rule_tac Q'="\rv s. \sl' R. if (sl' = slot)
 then cte_wp_at (\c. c = cap.NullCap) sl' s else caps_of_state s sl' \ Some (cap.ReplyCap t False R)" in hoare_post_imp)
diff --git a/proof/invariant-abstract/IpcCancel_AI.thy b/proof/invariant-abstract/IpcCancel_AI.thy
index b47a615781..613971c5c1 100644
--- a/proof/invariant-abstract/IpcCancel_AI.thy
+++ b/proof/invariant-abstract/IpcCancel_AI.thy
@@ -441,7 +441,7 @@ lemma reply_cancel_ipc_invs:
 shows "\invs\ (reply_cancel_ipc t :: (unit,'z::state_ext) s_monad) \\rv. invs\"
 apply (simp add: reply_cancel_ipc_def)
 apply (wp delete)
- apply (rule_tac Q="\rv. invs" in hoare_post_imp)
+ apply (rule_tac Q'="\rv. invs" in hoare_post_imp)
 apply (fastforce simp: emptyable_def dest: reply_slot_not_descendant)
 apply (wp thread_set_invs_trivial)
 apply (auto simp: tcb_cap_cases_def)+
@@ -574,7 +574,7 @@ lemma (in delete_one_abs) reply_cancel_ipc_no_reply_cap[wp]:
 shows "\invs and tcb_at t\ (reply_cancel_ipc t :: (unit,'a) s_monad) \\rv s. \ has_reply_cap t s\"
 apply (simp add: reply_cancel_ipc_def)
 apply wp
- apply (rule_tac Q="\rvp s. cte_wp_at (\c. c = cap.NullCap) rv s \
+ apply (rule_tac Q'="\rvp s. cte_wp_at (\c. c = cap.NullCap) rv s \
 (\sl R. sl \ rv \ caps_of_state s sl \ Some (cap.ReplyCap t False R))" in hoare_strengthen_post)
@@ -583,7 +583,7 @@ lemma (in delete_one_abs) reply_cancel_ipc_no_reply_cap[wp]:
 apply (clarsimp simp: has_reply_cap_def cte_wp_at_caps_of_state is_reply_cap_to_def)
 apply (case_tac "(aa, ba) = (a, b)",simp_all)[1]
 apply (wp hoare_vcg_all_lift | simp del: split_paired_All)+
- apply (rule_tac Q="\_ s. invs s \ tcb_at t s" in hoare_post_imp)
+ apply (rule_tac Q'="\_ s. invs s \ tcb_at t s" in hoare_post_imp)
 apply (erule conjE)
 apply (frule(1) reply_cap_descends_from_master)
 apply (auto dest: reply_master_no_descendants_no_reply[rotated -1])[1]
@@ -599,7 +599,7 @@ lemma (in delete_one_abs) cancel_ipc_no_reply_cap[wp]:
 cancel_signal_invs cancel_signal_st_tcb_at_general blocked_cancel_ipc_invs blocked_ipc_st_tcb_at_general | strengthen reply_cap_doesnt_exist_strg)+
- apply (rule_tac Q="\rv. st_tcb_at ((=) rv) t and invs" in hoare_strengthen_post)
+ apply (rule_tac Q'="\rv. st_tcb_at ((=) rv) t and invs" in hoare_strengthen_post)
 apply (wpsimp wp: gts_st_tcb)
 apply (fastforce simp: invs_def valid_state_def st_tcb_at_tcb_at elim!: pred_tcb_weakenE)+
@@ -651,7 +651,7 @@ lemma (in delete_one_pre) reply_cancel_ipc_cte_wp_at_preserved:
 \cte_wp_at P p\ (reply_cancel_ipc t :: (unit,'a) s_monad) \\rv. cte_wp_at P p\"
 unfolding reply_cancel_ipc_def
 apply (wpsimp wp: delete_one_cte_wp_at_preserved)
- apply (rule_tac Q="\_. cte_wp_at P p" in hoare_post_imp, clarsimp)
+ apply (rule_tac Q'="\_. cte_wp_at P p" in hoare_post_imp, clarsimp)
 apply (wpsimp wp: thread_set_cte_wp_at_trivial simp: ran_tcb_cap_cases)
 apply assumption
 done
@@ -746,7 +746,7 @@ lemma reply_cancel_ipc_bound_tcb_at[wp]:
 \\_. bound_tcb_at P t\"
 unfolding reply_cancel_ipc_def
 apply (wpsimp wp: cap_delete_one_bound_tcb_at select_inv)
- apply (rule_tac Q="\_. bound_tcb_at P t and valid_mdb and valid_objs and tcb_at p" in hoare_strengthen_post)
+ apply (rule_tac Q'="\_. bound_tcb_at P t and valid_mdb and valid_objs and tcb_at p" in hoare_strengthen_post)
 apply (wpsimp wp: thread_set_no_change_tcb_pred thread_set_mdb)
 apply (fastforce simp:tcb_cap_cases_def)
 apply (wpsimp wp: thread_set_valid_objs_triv simp: ran_tcb_cap_cases)
@@ -786,7 +786,7 @@ lemma suspend_unlive:
 supply hoare_vcg_if_split[wp_split del] if_split[split del]
 apply (wp | simp only: obj_at_exst_update)+
 apply (simp add: obj_at_def)
- apply (rule_tac Q="\_. bound_tcb_at ((=) None) t" in hoare_strengthen_post)
+ apply (rule_tac Q'="\_. bound_tcb_at ((=) None) t" in hoare_strengthen_post)
 supply hoare_vcg_if_split[wp_split]
 apply wp
 apply (auto simp: pred_tcb_def2)[1]
@@ -1113,7 +1113,7 @@ lemma cancel_all_signals_unlive[wp]:
 apply (wp | wpc | simp add: unbind_maybe_notification_def)+
- apply (rule_tac Q="\_. obj_at (is_ntfn and Not \ live) ntfnptr" in hoare_post_imp)
+ apply (rule_tac Q'="\_. obj_at (is_ntfn and Not \ live) ntfnptr" in hoare_post_imp)
 apply (fastforce elim: obj_at_weakenE)
 apply (wp mapM_x_wp' sts_obj_at_impossible | simp add: is_ntfn)+
diff --git a/proof/invariant-abstract/Ipc_AI.thy b/proof/invariant-abstract/Ipc_AI.thy
index 1b254920a9..d47d10b33d 100644
--- a/proof/invariant-abstract/Ipc_AI.thy
+++ b/proof/invariant-abstract/Ipc_AI.thy
@@ -584,7 +584,7 @@ lemma cap_insert_assume_null:
 apply (rule bind_wp[OF _ get_cap_sp])+
 apply (clarsimp simp: valid_def cte_wp_at_caps_of_state in_monad split del: if_split)
- apply (erule hoare_pre(1))
+ apply (erule hoare_weaken_pre)
 apply simp
 done
@@ -618,7 +618,7 @@ lemma transfer_caps_loop_presM:
 | assumption | simp split del: if_split)+
 apply (rule cap_insert_assume_null)
 apply (wp x hoare_vcg_const_Ball_lift cap_insert_cte_wp_at hoare_weak_lift_imp)+
- apply (rule hoare_vcg_conj_liftE_R)
+ apply (rule hoare_vcg_conj_liftE_R')
 apply (rule derive_cap_is_derived_foo)
 apply (rule_tac Q' ="\cap' s. (vo \ cap'\ cap.NullCap \ cte_wp_at (is_derived (cdt s) (aa, b) cap') (aa, b) s)
@@ -627,8 +627,8 @@ lemma transfer_caps_loop_presM:
 prefer 2
 apply clarsimp
 apply assumption
- apply (rule hoare_vcg_conj_liftE_R)
- apply (rule hoare_vcg_const_imp_lift_R)
+ apply (rule hoare_vcg_conj_liftE_R')
+ apply (rule hoare_vcg_const_imp_liftE_R)
 apply (rule derive_cap_is_derived)
 apply (wp derive_cap_is_derived_foo)+
 apply (clarsimp simp: cte_wp_at_caps_of_state
@@ -948,11 +948,11 @@ lemma tcl_reply':
 done
 lemmas tcl_reply[wp] = tcl_reply' [THEN hoare_strengthen_post
- [where R="\_. valid_reply_caps"],
+ [where Q="\_. valid_reply_caps"],
 simplified]
 lemmas tcl_reply_masters[wp] = tcl_reply' [THEN hoare_strengthen_post
- [where R="\_. valid_reply_masters"],
+ [where Q="\_. valid_reply_masters"],
 simplified]
 lemma transfer_caps_loop_irq_node[wp]:
@@ -2543,7 +2543,7 @@ lemma setup_caller_cap_reply[wp]:
 \\rv. valid_reply_caps\"
 unfolding setup_caller_cap_def
 apply wp
- apply (rule_tac Q="\rv s. pspace_aligned s \ tcb_at st s \
+ apply (rule_tac Q'="\rv s. pspace_aligned s \ tcb_at st s \
 st_tcb_at (\ts. ts = Structures_A.thread_state.BlockedOnReply) st s \ \ has_reply_cap st s" in hoare_post_imp)
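Review bot: The unprimed name `hoare_vcg_conj_liftE_R` is reused with a different meaning: in this hunk (and the -627 hunk below it) the existing reference is renamed to `hoare_vcg_conj_liftE_R'`, while the ArchTcb_AI and ArchVSpace_AI hunks rename `hoare_vcg_R_conj` to `hoare_vcg_conj_liftE_R`, so the two are presumably distinct statements that have swapped a name. Any theory outside this sweep that still cites `hoare_vcg_conj_liftE_R` expecting the old statement will not get an undefined-name error; it will silently pick up the former `hoare_vcg_R_conj` and fail, if at all, with an unrelated unification error at the use site. It would help downstream proof repositories to call this swap out explicitly in the commit message, or to stage it through a fresh name for the old statement so stale references fail loudly. The enclosing lemma `transfer_caps_loop_presM` starts and ends outside the hunk.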
@@ -2735,7 +2735,7 @@ lemma complete_signal_invs: apply (rule bind_wp[OF _ get_simple_ko_sp]) apply (rule hoare_pre) apply (wp set_ntfn_minor_invs | wpc | simp)+ - apply (rule_tac Q="\_ s. (state_refs_of s ntfnptr = ntfn_bound_refs (ntfn_bound_tcb ntfn)) + apply (rule_tac Q'="\_ s. (state_refs_of s ntfnptr = ntfn_bound_refs (ntfn_bound_tcb ntfn)) \ (\T. typ_at T ntfnptr s) \ valid_ntfn (ntfn_set_obj ntfn IdleNtfn) s \ ((\y. ntfn_bound_tcb ntfn = Some y) \ ex_nonz_cap_to ntfnptr s)" in hoare_strengthen_post) @@ -2775,7 +2775,7 @@ lemma ri_invs': apply (rule bind_wp[OF _ gbn_sp]) apply (rule bind_wp) (* set up precondition for old proof *) - apply (rule_tac R="ko_at (Endpoint rv) ep and ?pre" in hoare_vcg_if_split) + apply (rule_tac P''="ko_at (Endpoint rv) ep and ?pre" in hoare_vcg_if_split) apply (wp complete_signal_invs) apply (case_tac rv) apply (wp | rule hoare_pre, wpc | simp)+ @@ -3385,7 +3385,7 @@ lemma ri_makes_simple: apply (rule bind_wp [OF _ gbn_sp]) apply (rule bind_wp) apply (rename_tac ep I DO rv CARE NOT) - apply (rule_tac R="ko_at (Endpoint rv) ep and ?pre" in hoare_vcg_if_split) + apply (rule_tac P''="ko_at (Endpoint rv) ep and ?pre" in hoare_vcg_if_split) apply (wp complete_signal_invs) apply (case_tac rv, simp_all) apply (rule hoare_pre, wpc) diff --git a/proof/invariant-abstract/RISCV64/ArchCNodeInv_AI.thy b/proof/invariant-abstract/RISCV64/ArchCNodeInv_AI.thy index 990ce365d5..8f4a1fb28a 100644 --- a/proof/invariant-abstract/RISCV64/ArchCNodeInv_AI.thy +++ b/proof/invariant-abstract/RISCV64/ArchCNodeInv_AI.thy @@ -719,7 +719,7 @@ next apply simp apply (rule hoare_pre_spec_validE) apply (wp replace_cap_invs | simp add: is_cap_simps)+ - apply (rule_tac Q="\rv s. Q s \ invs s \ cte_wp_at (\cap. cap = rv) slot s + apply (rule_tac Q'="\rv s. Q s \ invs s \ cte_wp_at (\cap. cap = rv) slot s \ cte_wp_at (\cap. cap = cap.NullCap \ \ False \ is_zombie cap \ (ptr, nat_to_cref (zombie_cte_bits bits) n) 
diff --git a/proof/invariant-abstract/RISCV64/ArchDetSchedDomainTime_AI.thy b/proof/invariant-abstract/RISCV64/ArchDetSchedDomainTime_AI.thy index 41d56637ef..2c9204f950 100644 --- a/proof/invariant-abstract/RISCV64/ArchDetSchedDomainTime_AI.thy +++ b/proof/invariant-abstract/RISCV64/ArchDetSchedDomainTime_AI.thy @@ -75,8 +75,8 @@ lemma timer_tick_valid_domain_time: wp: reschedule_required_valid_domain_time hoare_vcg_const_imp_lift gts_wp (* unless we hit dec_domain_time we know ?dtnot0 holds on the state, so clean up the postcondition once we hit thread_set_time_slice *) - hoare_post_imp[where Q="\_. ?dtnot0" and R="\_ s. domain_time s = 0 \ X s" - and a="thread_set_time_slice t ts" for X t ts] + hoare_post_imp[where Q'="\_. ?dtnot0" and Q="\_ s. domain_time s = 0 \ X s" + and f="thread_set_time_slice t ts" for X t ts] hoare_drop_imp[where f="ethread_get t f" for t f]) apply fastforce done @@ -89,11 +89,11 @@ lemma handle_interrupt_valid_domain_time [DetSchedDomainTime_AI_assms]: apply (case_tac "maxIRQ < i", solves \wpsimp wp: hoare_false_imp\) apply clarsimp apply (wpsimp simp: arch_mask_irq_signal_def) - apply (rule hoare_post_imp[where Q="\_. ?dtnot0" and a="send_signal p c" for p c], fastforce) + apply (rule hoare_post_imp[where Q'="\_. ?dtnot0" and f="send_signal p c" for p c], fastforce) apply wpsimp - apply (rule hoare_post_imp[where Q="\_. ?dtnot0" and a="get_cap p" for p], fastforce) + apply (rule hoare_post_imp[where Q'="\_. ?dtnot0" and f="get_cap p" for p], fastforce) apply (wpsimp wp: timer_tick_valid_domain_time simp: handle_reserved_irq_def)+ - apply (rule hoare_post_imp[where Q="\_. ?dtnot0" and a="get_irq_state i" for i], fastforce) + apply (rule hoare_post_imp[where Q'="\_. ?dtnot0" and f="get_irq_state i" for i], fastforce) apply wpsimp+ done diff --git a/proof/invariant-abstract/RISCV64/ArchDetype_AI.thy b/proof/invariant-abstract/RISCV64/ArchDetype_AI.thy index ff5c24d729..c8dc4f125b 100644 
--- a/proof/invariant-abstract/RISCV64/ArchDetype_AI.thy +++ b/proof/invariant-abstract/RISCV64/ArchDetype_AI.thy @@ -616,7 +616,7 @@ lemma delete_objects_invs[wp]: apply (simp add: delete_objects_def) apply (simp add: freeMemory_def word_size_def bind_assoc ef_storeWord) apply (rule hoare_pre) - apply (rule_tac G="is_aligned ptr bits \ word_size_bits \ bits \ bits \ word_bits" + apply (rule_tac P'="is_aligned ptr bits \ word_size_bits \ bits \ bits \ word_bits" in hoare_grab_asm) apply (simp add: mapM_storeWord_clear_um[unfolded word_size_def] intvl_range_conv[where 'a=machine_word_len, folded word_bits_def]) diff --git a/proof/invariant-abstract/RISCV64/ArchFinalise_AI.thy b/proof/invariant-abstract/RISCV64/ArchFinalise_AI.thy index eb72e668bf..655652f695 100644 --- a/proof/invariant-abstract/RISCV64/ArchFinalise_AI.thy +++ b/proof/invariant-abstract/RISCV64/ArchFinalise_AI.thy @@ -803,7 +803,7 @@ lemma arch_finalise_cap_replaceable: is_cap_simps vs_cap_ref_def no_cap_to_obj_with_diff_ref_Null o_def reachable_frame_cap_simps - notes wps = hoare_drop_imp[where R="%_. is_final_cap' cap" for cap] + notes wps = hoare_drop_imp[where Q'="%_. is_final_cap' cap" for cap] valid_cap_typ unmap_page_unreachable unmap_page_table_unreachable delete_asid_unreachable @@ -897,7 +897,7 @@ lemma prepare_thread_delete_unlive0: lemma prepare_thread_delete_unlive[wp]: "\obj_at (Not \ live0) ptr\ prepare_thread_delete ptr \\rv. obj_at (Not \ live) ptr\" - apply (rule_tac Q="\rv. obj_at (Not \ live0) ptr and obj_at (Not \ hyp_live) ptr" in hoare_strengthen_post) + apply (rule_tac Q'="\rv. obj_at (Not \ live0) ptr and obj_at (Not \ hyp_live) ptr" in hoare_strengthen_post) apply (wpsimp wp: hoare_vcg_conj_lift prepare_thread_delete_unlive_hyp prepare_thread_delete_unlive0) apply (clarsimp simp: obj_at_def) apply (clarsimp simp: obj_at_def, case_tac ko, simp_all add: is_tcb_def live_def) 
diff --git a/proof/invariant-abstract/RISCV64/ArchInterrupt_AI.thy b/proof/invariant-abstract/RISCV64/ArchInterrupt_AI.thy index c218f4ef6c..62e1bc469d 100644 --- a/proof/invariant-abstract/RISCV64/ArchInterrupt_AI.thy +++ b/proof/invariant-abstract/RISCV64/ArchInterrupt_AI.thy @@ -149,7 +149,7 @@ lemma invoke_irq_handler_invs'[Interrupt_AI_asms]: apply (wp valid_cap_typ [OF cap_delete_one_typ_at]) apply (strengthen real_cte_tcb_valid) apply (wp real_cte_at_typ_valid [OF cap_delete_one_typ_at]) - apply (rule_tac Q="\rv s. is_ntfn_cap cap \ invs s + apply (rule_tac Q'="\rv s. is_ntfn_cap cap \ invs s \ cte_wp_at (is_derived (cdt s) prod cap) prod s" in hoare_post_imp) apply (clarsimp simp: is_cap_simps is_derived_def cte_wp_at_caps_of_state) @@ -244,7 +244,7 @@ lemma (* handle_interrupt_invs *) [Interrupt_AI_asms]: apply (wpsimp wp: dmo_maskInterrupt_invs maskInterrupt_invs_ARCH dmo_ackInterrupt send_signal_interrupt_states simp: arch_mask_irq_signal_def)+ apply (wp get_cap_wp send_signal_interrupt_states ) - apply (rule_tac Q="\rv. invs and (\s. st = interrupt_states s irq)" in hoare_post_imp) + apply (rule_tac Q'="\rv. invs and (\s. st = interrupt_states s irq)" in hoare_post_imp) apply (clarsimp simp: ex_nonz_cap_to_def invs_valid_objs) apply (intro allI exI, erule cte_wp_at_weakenE) apply (clarsimp simp: is_cap_simps) diff --git a/proof/invariant-abstract/RISCV64/ArchIpc_AI.thy b/proof/invariant-abstract/RISCV64/ArchIpc_AI.thy index a17f62759c..47cdc4fce8 100644 --- a/proof/invariant-abstract/RISCV64/ArchIpc_AI.thy +++ b/proof/invariant-abstract/RISCV64/ArchIpc_AI.thy 
@@ -55,8 +55,7 @@ lemma derive_cap_is_derived [Ipc_AI_assms]: | fold validE_R_def | erule cte_wp_at_weakenE | simp split: cap.split_asm)+)[11] - including no_pre - apply(rule hoare_pre, wp hoare_drop_imps arch_derive_cap_is_derived) + apply(wp hoare_drop_imps arch_derive_cap_is_derived) apply(clarify, drule cte_wp_at_norm, clarify) apply(frule(1) cte_wp_at_valid_objs_valid_cap) apply(erule cte_wp_at_weakenE) @@ -287,7 +286,7 @@ lemma transfer_caps_tcb_caps: | wpc | simp)+ apply (erule imp) apply (wp hoare_vcg_conj_lift hoare_vcg_const_imp_lift hoare_vcg_all_lift) - apply (rule_tac Q = "\rv s. (\x\set rv. real_cte_at x s) \ cte_wp_at P (t, ref) s \ tcb_at t s" + apply (rule_tac Q'="\rv s. (\x\set rv. real_cte_at x s) \ cte_wp_at P (t, ref) s \ tcb_at t s" in hoare_strengthen_post) apply (wp get_rs_real_cte_at) apply clarsimp @@ -311,7 +310,7 @@ lemma transfer_caps_non_null_cte_wp_at: apply (wp hoare_vcg_ball_lift transfer_caps_loop_cte_wp_at hoare_weak_lift_imp | wpc | clarsimp simp:imp)+ apply (rule hoare_strengthen_post - [where Q="\rv s'. (cte_wp_at ((\) cap.NullCap) ptr) s' + [where Q'="\rv s'. (cte_wp_at ((\) cap.NullCap) ptr) s' \ (\x\set rv. cte_wp_at ((=) cap.NullCap) x s')", rotated]) apply (clarsimp) diff --git a/proof/invariant-abstract/RISCV64/ArchSchedule_AI.thy b/proof/invariant-abstract/RISCV64/ArchSchedule_AI.thy index a872f20bd7..24d12b1b3f 100644 --- a/proof/invariant-abstract/RISCV64/ArchSchedule_AI.thy +++ b/proof/invariant-abstract/RISCV64/ArchSchedule_AI.thy @@ -92,7 +92,7 @@ lemma stt_invs [wp,Schedule_AI_asms]: apply (simp add: switch_to_thread_def) apply wp apply (simp add: trans_state_update[symmetric] del: trans_state_update) - apply (rule_tac Q="\_. invs and tcb_at t'" in hoare_strengthen_post, wp) + apply (rule_tac Q'="\_. invs and tcb_at t'" in hoare_strengthen_post, wp) apply (clarsimp simp: invs_def valid_state_def valid_idle_def valid_irq_node_def valid_machine_state_def) apply (fastforce simp: cur_tcb_def obj_at_def 
diff --git a/proof/invariant-abstract/RISCV64/ArchTcb_AI.thy b/proof/invariant-abstract/RISCV64/ArchTcb_AI.thy index 7cc6b66e02..3760f53e18 100644 --- a/proof/invariant-abstract/RISCV64/ArchTcb_AI.thy +++ b/proof/invariant-abstract/RISCV64/ArchTcb_AI.thy @@ -244,12 +244,12 @@ lemma tc_invs[Tcb_AI_asms]: strengthen imp_consequent[where Q="x = None" for x], simp cong: conj_cong) | rule wp_split_const_if wp_split_const_if_R hoare_vcg_all_liftE_R - hoare_vcg_E_elim hoare_vcg_const_imp_lift_R - hoare_vcg_R_conj + hoare_vcg_conj_elimE hoare_vcg_const_imp_liftE_R + hoare_vcg_conj_liftE_R | (wp out_invs_trivial case_option_wpE cap_delete_deletes cap_delete_valid_cap cap_insert_valid_cap out_cte_at cap_insert_cte_at cap_delete_cte_at out_valid_cap - hoare_vcg_const_imp_lift_R hoare_vcg_all_liftE_R + hoare_vcg_const_imp_liftE_R hoare_vcg_all_liftE_R thread_set_tcb_ipc_buffer_cap_cleared_invs thread_set_invs_trivial[OF ball_tcb_cap_casesI] hoare_vcg_all_lift thread_set_valid_cap out_emptyable diff --git a/proof/invariant-abstract/RISCV64/ArchVSpace_AI.thy b/proof/invariant-abstract/RISCV64/ArchVSpace_AI.thy index ca95f61ead..b7688d857a 100644 --- a/proof/invariant-abstract/RISCV64/ArchVSpace_AI.thy +++ b/proof/invariant-abstract/RISCV64/ArchVSpace_AI.thy @@ -688,7 +688,7 @@ lemma unmap_page_table_invs[wp]: apply (simp add: unmap_page_table_def) apply (rule hoare_pre) apply (wp dmo_invs | wpc | simp)+ - apply (rule_tac Q="\_. invs" in hoare_post_imp) + apply (rule_tac Q'="\_. invs" in hoare_post_imp) apply safe apply (drule_tac Q="\_ m'. underlying_memory m' p = underlying_memory m p" in use_valid) diff --git a/proof/invariant-abstract/Retype_AI.thy b/proof/invariant-abstract/Retype_AI.thy index 192ccf0470..08fb0e5487 100644 --- a/proof/invariant-abstract/Retype_AI.thy +++ b/proof/invariant-abstract/Retype_AI.thy 
@@ -1228,7 +1228,7 @@ lemma retype_region_cur_tcb[wp]: supply is_aligned_neg_mask_eq[simp del] is_aligned_neg_mask_weaken[simp del] - apply (rule hoare_post_imp [where Q="\rv s. \tp. tcb_at tp s \ cur_thread s = tp"]) + apply (rule hoare_post_imp[where Q'="\rv s. \tp. tcb_at tp s \ cur_thread s = tp"]) apply (simp add: cur_tcb_def) apply (wpsimp wp: hoare_vcg_ex_lift retype_region_obj_at_other3 simp: retype_region_def) apply (auto simp: cur_tcb_def cong: if_cong) diff --git a/proof/invariant-abstract/Schedule_AI.thy b/proof/invariant-abstract/Schedule_AI.thy index 46a94289d5..f471e9a01f 100644 --- a/proof/invariant-abstract/Schedule_AI.thy +++ b/proof/invariant-abstract/Schedule_AI.thy @@ -133,7 +133,7 @@ lemma (in Schedule_AI) stt_invs [wp]: apply (simp add: switch_to_thread_def) apply wp apply (simp add: trans_state_update[symmetric] del: trans_state_update) - apply (rule_tac Q="\_. invs and tcb_at t'" in hoare_strengthen_post, wp) + apply (rule_tac Q'="\_. invs and tcb_at t'" in hoare_strengthen_post, wp) apply (clarsimp simp: invs_def valid_state_def valid_idle_def valid_irq_node_def valid_machine_state_def) apply (fastforce simp: cur_tcb_def obj_at_def diff --git a/proof/invariant-abstract/Syscall_AI.thy b/proof/invariant-abstract/Syscall_AI.thy index c53127fcd4..22715346a5 100644 --- a/proof/invariant-abstract/Syscall_AI.thy +++ b/proof/invariant-abstract/Syscall_AI.thy @@ -364,10 +364,10 @@ lemma (in Systemcall_AI_Pre2) do_reply_invs[wp]: apply (wp sts_invs_minor) apply (clarsimp) apply (wp cap_delete_one_st_tcb_at) - apply (rule_tac Q = "\_. invs and if_live_then_nonz_cap and + apply (rule_tac Q'="\_. invs and if_live_then_nonz_cap and st_tcb_at awaiting_reply t and - (\s. \has_reply_cap t s)" in - hoare_strengthen_post[rotated]) + (\s. \has_reply_cap t s)" + in hoare_strengthen_post[rotated]) apply (clarsimp) apply (rule conjI, erule(1) st_tcb_ex_cap, clarsimp) apply (rule conjI) 
@@ -377,13 +377,11 @@ lemma (in Systemcall_AI_Pre2) do_reply_invs[wp]: apply (rule disjI1) apply (erule pred_tcb_weakenE) apply (clarsimp) - apply (rule_tac Q = "\_. invs and st_tcb_at awaiting_reply t and - (\s. \has_reply_cap t s)" in - hoare_strengthen_post[rotated], clarsimp) + apply (rule_tac Q'="\_. invs and st_tcb_at awaiting_reply t and (\s. \has_reply_cap t s)" + in hoare_strengthen_post[rotated], clarsimp) apply (wp cap_delete_one_reply_st_tcb_at cap_delete_one_deletes_reply | simp)+ - apply (rule_tac Q = "\_. valid_reply_caps and - cte_wp_at (is_reply_cap_to t) slot" in - hoare_strengthen_post[rotated], clarsimp) + apply (rule_tac Q'="\_. valid_reply_caps and cte_wp_at (is_reply_cap_to t) slot" + in hoare_strengthen_post[rotated], clarsimp) apply (erule cte_wp_at_weakenE, simp) apply (wp) apply (rule do_ipc_transfer_non_null_cte_wp_at2, clarsimp simp add: is_reply_cap_to_def) @@ -396,17 +394,16 @@ lemma (in Systemcall_AI_Pre2) do_reply_invs[wp]: apply (clarsimp) apply (wp thread_set_cap_to thread_set_it | clarsimp simp add: tcb_cap_cases_def)+ - apply (rule_tac Q = "\_. invs and st_tcb_at awaiting_reply t and - (\s. \has_reply_cap t s)" in - hoare_strengthen_post[rotated]) + apply (rule_tac Q'="\_. invs and st_tcb_at awaiting_reply t and (\s. \has_reply_cap t s)" + in hoare_strengthen_post[rotated]) apply (clarsimp) apply (erule pred_tcb_weakenE) apply (clarsimp) apply (wp thread_set_invs_trivial thread_set_no_change_tcb_state thread_set_has_no_reply_cap | clarsimp simp add: tcb_cap_cases_def)+ - apply (rule_tac Q = "\_. st_tcb_at (\s. tcb_st_refs_of s = {}) t and invs and - st_tcb_at awaiting_reply t and (\s. \has_reply_cap t s)" in - hoare_strengthen_post[rotated]) + apply (rule_tac Q'="\_. st_tcb_at (\s. tcb_st_refs_of s = {}) t and invs and + st_tcb_at awaiting_reply t and (\s. \has_reply_cap t s)" + in hoare_strengthen_post[rotated]) apply (clarsimp) apply (rule conjI) apply (erule(1) st_tcb_ex_cap'[where P=awaiting_reply]) 
@@ -415,7 +412,7 @@ lemma (in Systemcall_AI_Pre2) do_reply_invs[wp]: apply (drule st_tcb_at_eq, erule pred_tcb_weaken_strongerE, simp) apply clarsimp apply (wp handle_fault_reply_has_no_reply_cap) - apply (rule_tac Q = "\_. st_tcb_at awaiting_reply t and invs and + apply (rule_tac Q'="\_. st_tcb_at awaiting_reply t and invs and (\s. \has_reply_cap t s)" in hoare_strengthen_post[rotated]) apply (clarsimp) apply (erule pred_tcb_weakenE) @@ -425,10 +422,9 @@ lemma (in Systemcall_AI_Pre2) do_reply_invs[wp]: apply (wp hoare_drop_imp hoare_allI)[1] apply (wp assert_wp) apply (clarsimp) - apply (rule_tac Q = "\rv. st_tcb_at ((=) rv) t and tcb_at t' and invs and - emptyable slot and - cte_wp_at (is_reply_cap_to t) slot" in - hoare_strengthen_post[rotated]) + apply (rule_tac Q'="\rv. st_tcb_at ((=) rv) t and tcb_at t' and invs and + emptyable slot and cte_wp_at (is_reply_cap_to t) slot" + in hoare_strengthen_post[rotated]) apply (clarsimp simp add: st_tcb_at_tcb_at) apply (rule conjI, erule pred_tcb_weakenE, clarsimp)+ apply (clarsimp simp add: invs_def valid_state_def valid_pspace_def) @@ -953,7 +949,7 @@ lemma lcs_ex_cap_to2[wp]: done (* FIXME AARCH64: this should really not be wp *) -declare hoare_vcg_const_imp_lift_E[wp] +declare hoare_vcg_const_imp_liftE_E[wp] context Syscall_AI begin @@ -980,8 +976,7 @@ lemma hinv_invs': apply (wp syscall_valid sts_invs_minor2 rfk_invs hoare_vcg_all_lift hoare_vcg_disj_lift | simp split del: if_split)+ - apply (rule_tac Q = "\st. st_tcb_at ((=) st) thread and (invs and Q)" in - hoare_post_imp) + apply (rule_tac Q'="\st. st_tcb_at ((=) st) thread and (invs and Q)" in hoare_post_imp) apply (auto elim!: pred_tcb_weakenE st_tcb_ex_cap dest: st_tcb_at_idle_thread simp: st_tcb_at_tcb_at)[1] 
@@ -989,12 +984,11 @@ lemma hinv_invs': apply wp apply (simp add: ct_in_state_def conj_commute conj_left_commute) apply wp - apply (rule_tac Q = "\rv s. st_tcb_at active thread s \ cur_thread s = thread" in - hoare_post_imp) + apply (rule_tac Q'="\rv s. st_tcb_at active thread s \ cur_thread s = thread" in hoare_post_imp) apply simp apply (wp sts_st_tcb_at') apply (simp only: simp_thms K_def if_apply_def2) - apply (rule hoare_vcg_E_elim) + apply (rule hoare_vcg_conj_elimE) apply (wp | simp add: if_apply_def2)+ apply (auto simp: ct_in_state_def elim: st_tcb_ex_cap) done @@ -1089,7 +1083,7 @@ lemma delete_caller_cap_simple[wp]: lemma delete_caller_deletes_caller[wp]: "\\\ delete_caller_cap t \\rv. cte_wp_at ((=) cap.NullCap) (t, tcb_cnode_index 3)\" - apply (rule_tac Q="\rv. cte_wp_at (\c. c = cap.NullCap) (t, tcb_cnode_index 3)" + apply (rule_tac Q'="\rv. cte_wp_at (\c. c = cap.NullCap) (t, tcb_cnode_index 3)" in hoare_post_imp, clarsimp elim!: cte_wp_at_weakenE) apply (simp add: delete_caller_cap_def cap_delete_one_def unless_def, wp) @@ -1111,7 +1105,7 @@ lemma hw_invs[wp]: "\invs and ct_active\ handle_recv is_blocking cong: if_cong) apply (wp get_simple_ko_wp | clarsimp)+ apply (wp delete_caller_cap_nonz_cap get_simple_ko_wp hoare_vcg_ball_lift | simp)+ - apply (rule hoare_vcg_E_elim) + apply (rule hoare_vcg_conj_elimE) apply (simp add: lookup_cap_def lookup_slot_for_thread_def) apply wp apply (simp add: split_def) @@ -1274,7 +1268,7 @@ lemma handle_reply_nonz_cap_to_ct: "\\s. ex_nonz_cap_to (cur_thread s) s \ valid_objs s \ valid_mdb s \ tcb_at (cur_thread s) s\ handle_reply \\rv s :: 'state_ext state. ex_nonz_cap_to (cur_thread s) s\" - apply (rule_tac Q="\rv s. \ct. (ct = cur_thread s) \ ex_nonz_cap_to ct s" + apply (rule_tac Q'="\rv s. \ct. (ct = cur_thread s) \ ex_nonz_cap_to ct s" in hoare_post_imp) apply simp apply (wp hoare_vcg_ex_lift handle_reply_nonz_cap) 
diff --git a/proof/invariant-abstract/TcbAcc_AI.thy b/proof/invariant-abstract/TcbAcc_AI.thy index 97366ec27d..85c17f7675 100644 --- a/proof/invariant-abstract/TcbAcc_AI.thy +++ b/proof/invariant-abstract/TcbAcc_AI.thy @@ -962,7 +962,7 @@ lemma ct_in_state_decomp: assumes x: "\\s. t = (cur_thread s)\ f \\rv s. t = (cur_thread s)\" assumes y: "\Pre\ f \\rv. st_tcb_at Prop t\" shows "\\s. Pre s \ t = (cur_thread s)\ f \\rv. ct_in_state Prop\" - apply (rule hoare_post_imp [where Q="\rv s. t = cur_thread s \ st_tcb_at Prop t s"]) + apply (rule hoare_post_imp[where Q'="\rv s. t = cur_thread s \ st_tcb_at Prop t s"]) apply (clarsimp simp add: ct_in_state_def) apply (rule hoare_weaken_pre) apply (wp x y) diff --git a/proof/invariant-abstract/Tcb_AI.thy b/proof/invariant-abstract/Tcb_AI.thy index 2d7c2b5205..55406a0718 100644 --- a/proof/invariant-abstract/Tcb_AI.thy +++ b/proof/invariant-abstract/Tcb_AI.thy @@ -76,7 +76,7 @@ lemma (in Tcb_AI_1) activate_invs: apply wp apply (clarsimp elim!: pred_tcb_weakenE simp: ct_in_state_def) - apply (rule_tac Q="\rv. invs and ct_running" in hoare_post_imp, simp) + apply (rule_tac Q'="\rv. invs and ct_running" in hoare_post_imp, simp) apply (rule hoare_pre) apply (wp sts_invs_minor ct_in_state_set) apply simp @@ -88,7 +88,7 @@ lemma (in Tcb_AI_1) activate_invs: valid_idle_def valid_pspace_def elim: st_tcb_ex_cap pred_tcb_weakenE, auto simp: st_tcb_def2 pred_tcb_at_def obj_at_def)[1] - apply (rule_tac Q="\rv. invs and ct_idle" in hoare_post_imp, simp) + apply (rule_tac Q'="\rv. invs and ct_idle" in hoare_post_imp, simp) apply (wp activate_idle_invs hoare_post_imp [OF disjI2]) apply (clarsimp simp: ct_in_state_def elim!: pred_tcb_weakenE) done diff --git a/proof/invariant-abstract/X64/ArchArch_AI.thy b/proof/invariant-abstract/X64/ArchArch_AI.thy index ecc37756b9..422d02d6f1 100644 --- a/proof/invariant-abstract/X64/ArchArch_AI.thy +++ b/proof/invariant-abstract/X64/ArchArch_AI.thy 
@@ -1351,8 +1351,8 @@ lemma decode_page_invocation_wf[wp]: apply (cases "invocation_type label = ArchInvocationLabel X64PageMap") apply (simp split del: if_split) apply (rule hoare_pre) - apply (wpsimp wp: whenE_throwError_wp check_vp_wpR hoare_vcg_const_imp_lift_R - hoare_vcg_disj_lift_R hoare_vcg_conj_lift_R create_mapping_entries_parent_for_refs + apply (wpsimp wp: whenE_throwError_wp check_vp_wpR hoare_vcg_const_imp_liftE_R + hoare_vcg_disj_lift_R hoare_vcg_conj_liftE_R create_mapping_entries_parent_for_refs hoare_vcg_ex_lift_R find_vspace_for_asid_vspace_at_asid create_mapping_entries_valid_slots create_mapping_entries_same_refs_ex find_vspace_for_asid_lookup_vspace_wp @@ -1555,7 +1555,7 @@ lemma decode_ioport_control_inv_wf[wp]: split del: if_split cong: if_cong) apply (rule hoare_pre) - apply (wp ensure_empty_stronger hoare_vcg_const_imp_lift_R hoare_vcg_const_imp_lift + apply (wp ensure_empty_stronger hoare_vcg_const_imp_liftE_R hoare_vcg_const_imp_lift is_ioport_range_free_wp | simp add: cte_wp_at_eq_simp valid_iocontrol_inv_def valid_arch_inv_def split del: if_split diff --git a/proof/invariant-abstract/X64/ArchCNodeInv_AI.thy b/proof/invariant-abstract/X64/ArchCNodeInv_AI.thy index 731afdab73..e8f9400091 100644 --- a/proof/invariant-abstract/X64/ArchCNodeInv_AI.thy +++ b/proof/invariant-abstract/X64/ArchCNodeInv_AI.thy @@ -743,7 +743,7 @@ next apply simp apply (rule hoare_pre_spec_validE) apply (wp replace_cap_invs | simp add: is_cap_simps)+ - apply (rule_tac Q="\rv s. Q s \ invs s \ cte_wp_at (\cap. cap = rv) slot s + apply (rule_tac Q'="\rv s. Q s \ invs s \ cte_wp_at (\cap. cap = rv) slot s \ cte_wp_at (\cap. cap = cap.NullCap \ \ False \ is_zombie cap \ (ptr, nat_to_cref (zombie_cte_bits bits) n) diff --git a/proof/invariant-abstract/X64/ArchDetSchedDomainTime_AI.thy b/proof/invariant-abstract/X64/ArchDetSchedDomainTime_AI.thy index 623f48502c..dc583a270a 100644 --- a/proof/invariant-abstract/X64/ArchDetSchedDomainTime_AI.thy 
+++ b/proof/invariant-abstract/X64/ArchDetSchedDomainTime_AI.thy @@ -89,8 +89,8 @@ lemma timer_tick_valid_domain_time: wp: reschedule_required_valid_domain_time hoare_vcg_const_imp_lift gts_wp (* unless we hit dec_domain_time we know ?dtnot0 holds on the state, so clean up the postcondition once we hit thread_set_time_slice *) - hoare_post_imp[where Q="\_. ?dtnot0" and R="\_ s. domain_time s = 0 \ X s" - and a="thread_set_time_slice t ts" for X t ts] + hoare_post_imp[where Q'="\_. ?dtnot0" and Q="\_ s. domain_time s = 0 \ X s" + and f="thread_set_time_slice t ts" for X t ts] hoare_drop_imp[where f="ethread_get t f" for t f]) apply fastforce done @@ -103,11 +103,11 @@ lemma handle_interrupt_valid_domain_time [DetSchedDomainTime_AI_assms]: apply (case_tac "maxIRQ < i", solves \wpsimp wp: hoare_false_imp\) apply clarsimp apply (wpsimp simp: arch_mask_irq_signal_def) - apply (rule hoare_post_imp[where Q="\_. ?dtnot0" and a="send_signal p c" for p c], fastforce) + apply (rule hoare_post_imp[where Q'="\_. ?dtnot0" and f="send_signal p c" for p c], fastforce) apply wpsimp - apply (rule hoare_post_imp[where Q="\_. ?dtnot0" and a="get_cap p" for p], fastforce) + apply (rule hoare_post_imp[where Q'="\_. ?dtnot0" and f="get_cap p" for p], fastforce) apply (wpsimp wp: timer_tick_valid_domain_time simp: handle_reserved_irq_def)+ - apply (rule hoare_post_imp[where Q="\_. ?dtnot0" and a="get_irq_state i" for i], fastforce) + apply (rule hoare_post_imp[where Q'="\_. ?dtnot0" and f="get_irq_state i" for i], fastforce) apply wpsimp+ done diff --git a/proof/invariant-abstract/X64/ArchDetype_AI.thy b/proof/invariant-abstract/X64/ArchDetype_AI.thy index f1b28872b2..17a3f8a37b 100644 --- a/proof/invariant-abstract/X64/ArchDetype_AI.thy +++ b/proof/invariant-abstract/X64/ArchDetype_AI.thy 
@@ -568,7 +568,7 @@ lemma delete_objects_invs[wp]: apply (simp add: delete_objects_def) apply (simp add: freeMemory_def word_size_def bind_assoc ef_storeWord) apply (rule hoare_pre) - apply (rule_tac G="is_aligned ptr bits \ word_size_bits \ bits \ bits \ word_bits" + apply (rule_tac P'="is_aligned ptr bits \ word_size_bits \ bits \ bits \ word_bits" in hoare_grab_asm) apply (simp add: mapM_storeWord_clear_um[unfolded word_size_def] intvl_range_conv[where 'a=machine_word_len, folded word_bits_def]) diff --git a/proof/invariant-abstract/X64/ArchFinalise_AI.thy b/proof/invariant-abstract/X64/ArchFinalise_AI.thy index 08e996ed1f..c0282a4598 100644 --- a/proof/invariant-abstract/X64/ArchFinalise_AI.thy +++ b/proof/invariant-abstract/X64/ArchFinalise_AI.thy @@ -108,7 +108,7 @@ lemma delete_asid_pool_unmapped[wp]: \\rv s. \ ([VSRef (ucast (asid_high_bits_of asid)) None] \ poolptr) s\" apply (simp add: delete_asid_pool_def) apply wp - apply (rule hoare_strengthen_post [where Q="\_. \"]) + apply (rule hoare_strengthen_post[where Q'="\_. \"]) apply wp+ defer apply wp+ @@ -428,7 +428,7 @@ lemma arch_finalise_cap_replaceable[wp]: vs_lookup_pages_eq_ap[THEN fun_cong, symmetric] is_cap_simps vs_cap_ref_def no_cap_to_obj_with_diff_ref_Null o_def - notes wps = hoare_drop_imp[where R="%_. is_final_cap' cap" for cap] + notes wps = hoare_drop_imp[where Q'="%_. is_final_cap' cap" for cap] valid_cap_typ unmap_page_vs_lookup_pages_small unmap_page_vs_lookup_pages_large unmap_page_vs_lookup_pages_huge shows @@ -523,7 +523,7 @@ lemma suspend_unlive': supply hoare_vcg_if_split[wp_split del] if_split[split del] apply (wp | simp only: obj_at_exst_update)+ apply (simp add: obj_at_def live_def hyp_live_def) - apply (rule_tac Q="\_. bound_tcb_at ((=) None) t" in hoare_strengthen_post) + apply (rule_tac Q'="\_. bound_tcb_at ((=) None) t" in hoare_strengthen_post) supply hoare_vcg_if_split[wp_split] apply wp apply (auto simp: pred_tcb_def2)[1] 
@@ -1583,7 +1583,7 @@ lemma delete_asid_pool_unmapped2: apply (wp delete_asid_pool_unmapped) apply (simp add: delete_asid_pool_def) apply wp - apply (rule_tac Q="\rv s. ?Q s \ asid_table = x64_asid_table (arch_state s)" + apply (rule_tac Q'="\rv s. ?Q s \ asid_table = x64_asid_table (arch_state s)" in hoare_post_imp) apply (clarsimp simp: fun_upd_def[symmetric]) apply (drule vs_lookup_clear_asid_table[rule_format]) diff --git a/proof/invariant-abstract/X64/ArchInterrupt_AI.thy b/proof/invariant-abstract/X64/ArchInterrupt_AI.thy index 66267044e2..25468596be 100644 --- a/proof/invariant-abstract/X64/ArchInterrupt_AI.thy +++ b/proof/invariant-abstract/X64/ArchInterrupt_AI.thy @@ -115,11 +115,11 @@ lemma arch_decode_irq_control_valid[wp]: split del: if_split cong: if_cong) apply (rule hoare_pre) - apply (wp ensure_empty_stronger hoare_vcg_const_imp_lift_R hoare_vcg_const_imp_lift + apply (wp ensure_empty_stronger hoare_vcg_const_imp_liftE_R hoare_vcg_const_imp_lift | simp add: cte_wp_at_eq_simp split del: if_split | wpc - | wp hoare_vcg_imp_lift_R[where P="\rv s. \ x64_num_ioapics (arch_state s) - 1 < args ! 2"] - | wp hoare_vcg_imp_lift_R[where P="\rv s. x64_num_ioapics (arch_state s) \ 0"] + | wp hoare_vcg_imp_liftE_R[where P="\rv s. \ x64_num_ioapics (arch_state s) - 1 < args ! 2"] + | wp hoare_vcg_imp_liftE_R[where P="\rv s. x64_num_ioapics (arch_state s) \ 0"] | wp (once) hoare_drop_imps)+ apply ( safe; auto simp: word_le_not_less[symmetric] word_leq_minus_one_le irq_plus_min_ge_min irq_plus_min_le_max ioapicIRQLines_def 
@@ -235,7 +235,7 @@ lemma invoke_irq_handler_invs'[Interrupt_AI_asms]: apply (wp valid_cap_typ [OF cap_delete_one_typ_at]) apply (strengthen real_cte_tcb_valid) apply (wp real_cte_at_typ_valid [OF cap_delete_one_typ_at]) - apply (rule_tac Q="\rv s. is_ntfn_cap cap \ invs s + apply (rule_tac Q'="\rv s. is_ntfn_cap cap \ invs s \ cte_wp_at (is_derived (cdt s) prod cap) prod s" in hoare_post_imp) apply (clarsimp simp: is_cap_simps is_derived_def cte_wp_at_caps_of_state) @@ -360,7 +360,7 @@ lemma (* handle_interrupt_invs *) [Interrupt_AI_asms]: apply (wp dmo_maskInterrupt_invs maskInterrupt_invs_ARCH dmo_ackInterrupt | wpc | simp add: arch_mask_irq_signal_def)+ apply (wp get_cap_wp send_signal_interrupt_states) - apply (rule_tac Q="\rv. invs and (\s. st = interrupt_states s irq)" in hoare_post_imp) + apply (rule_tac Q'="\rv. invs and (\s. st = interrupt_states s irq)" in hoare_post_imp) apply (clarsimp simp: ex_nonz_cap_to_def invs_valid_objs) apply (intro allI exI, erule cte_wp_at_weakenE) apply (clarsimp simp: is_cap_simps) diff --git a/proof/invariant-abstract/X64/ArchIpc_AI.thy b/proof/invariant-abstract/X64/ArchIpc_AI.thy index 9dd4e7786c..1a2c34122c 100644 --- a/proof/invariant-abstract/X64/ArchIpc_AI.thy +++ b/proof/invariant-abstract/X64/ArchIpc_AI.thy @@ -297,7 +297,7 @@ lemma transfer_caps_tcb_caps: apply (erule imp) apply (wp hoare_vcg_conj_lift hoare_vcg_const_imp_lift hoare_vcg_all_lift ) - apply (rule_tac Q = "\rv s. ( \x\set rv. real_cte_at x s ) + apply (rule_tac Q'="\rv s. ( \x\set rv. real_cte_at x s ) \ cte_wp_at P (t, ref) s \ tcb_at t s" in hoare_strengthen_post) apply (wp get_rs_real_cte_at) 
@@ -322,7 +322,7 @@ lemma transfer_caps_non_null_cte_wp_at: apply (wp hoare_vcg_ball_lift transfer_caps_loop_cte_wp_at hoare_weak_lift_imp | wpc | clarsimp simp:imp)+ apply (rule hoare_strengthen_post - [where Q="\rv s'. (cte_wp_at ((\) cap.NullCap) ptr) s' + [where Q'="\rv s'. (cte_wp_at ((\) cap.NullCap) ptr) s' \ (\x\set rv. cte_wp_at ((=) cap.NullCap) x s')", rotated]) apply (clarsimp) @@ -440,7 +440,7 @@ lemma do_ipc_transfer_respects_device_region[Ipc_AI_cont_assms]: apply (subst ball_conj_distrib) apply (wp get_rs_cte_at2 thread_get_wp hoare_weak_lift_imp grs_distinct hoare_vcg_ball_lift hoare_vcg_all_lift hoare_vcg_conj_lift | simp)+ - apply (rule hoare_strengthen_post[where Q = "\r s. cap_refs_respects_device_region s + apply (rule hoare_strengthen_post[where Q'="\r s. cap_refs_respects_device_region s \ valid_objs s \ valid_mdb s \ obj_at (\ko. \tcb. ko = TCB tcb) t s"]) apply wp apply auto[1] diff --git a/proof/invariant-abstract/X64/ArchSchedule_AI.thy b/proof/invariant-abstract/X64/ArchSchedule_AI.thy index 7a117ae942..09ba73456b 100644 --- a/proof/invariant-abstract/X64/ArchSchedule_AI.thy +++ b/proof/invariant-abstract/X64/ArchSchedule_AI.thy @@ -92,7 +92,7 @@ lemma stt_invs [wp,Schedule_AI_asms]: apply (simp add: switch_to_thread_def) apply wp apply (simp add: trans_state_update[symmetric] del: trans_state_update) - apply (rule_tac Q="\_. invs and tcb_at t'" in hoare_strengthen_post, wp) + apply (rule_tac Q'="\_. invs and tcb_at t'" in hoare_strengthen_post, wp) apply (clarsimp simp: invs_def valid_state_def valid_idle_def valid_irq_node_def valid_machine_state_def) apply (fastforce simp: cur_tcb_def obj_at_def diff --git a/proof/invariant-abstract/X64/ArchTcb_AI.thy b/proof/invariant-abstract/X64/ArchTcb_AI.thy index ed08ab6b66..f1b0533036 100644 --- a/proof/invariant-abstract/X64/ArchTcb_AI.thy +++ b/proof/invariant-abstract/X64/ArchTcb_AI.thy 
@@ -241,12 +241,12 @@ lemma tc_invs[Tcb_AI_asms]: strengthen imp_consequent[where Q="x = None" for x], simp cong: conj_cong) | rule wp_split_const_if wp_split_const_if_R hoare_vcg_all_liftE_R - hoare_vcg_E_elim hoare_vcg_const_imp_lift_R - hoare_vcg_R_conj + hoare_vcg_conj_elimE hoare_vcg_const_imp_liftE_R + hoare_vcg_conj_liftE_R | (wp out_invs_trivial case_option_wpE cap_delete_deletes cap_delete_valid_cap cap_insert_valid_cap out_cte_at cap_insert_cte_at cap_delete_cte_at out_valid_cap - hoare_vcg_const_imp_lift_R hoare_vcg_all_liftE_R + hoare_vcg_const_imp_liftE_R hoare_vcg_all_liftE_R thread_set_tcb_ipc_buffer_cap_cleared_invs thread_set_invs_trivial[OF ball_tcb_cap_casesI] hoare_vcg_all_lift thread_set_valid_cap out_emptyable diff --git a/proof/invariant-abstract/X64/ArchVSpaceEntries_AI.thy b/proof/invariant-abstract/X64/ArchVSpaceEntries_AI.thy index 0f2963ee59..cd4e27b7e1 100644 --- a/proof/invariant-abstract/X64/ArchVSpaceEntries_AI.thy +++ b/proof/invariant-abstract/X64/ArchVSpaceEntries_AI.thy @@ -534,7 +534,7 @@ lemma init_arch_objects_valid_vspace: apply (simp add: init_arch_objects_def) apply (rule hoare_pre) apply (wp | wpc)+ - apply (rule_tac Q="\rv. valid_vspace_objs' and pspace_aligned and valid_arch_state" + apply (rule_tac Q'="\rv. valid_vspace_objs' and pspace_aligned and valid_arch_state" in hoare_post_imp, simp) apply (rule mapM_x_wp') apply (rule hoare_pre, wp copy_global_mappings_valid_vspace_objs') diff --git a/proof/invariant-abstract/X64/ArchVSpace_AI.thy b/proof/invariant-abstract/X64/ArchVSpace_AI.thy index 6dcc8588c2..c9b61a60c6 100644 --- a/proof/invariant-abstract/X64/ArchVSpace_AI.thy +++ b/proof/invariant-abstract/X64/ArchVSpace_AI.thy 
@@ -3051,7 +3051,7 @@ lemma perform_page_directory_invocation_invs[wp]: apply (rule hoare_pre) apply (wpc | clarsimp simp: cte_wp_at_caps_of_state | wp arch_update_cap_invs_unmap_page_directory get_cap_wp)+ apply (rule_tac P = "is_pd_cap (ArchObjectCap (PageDirectoryCap p (Some (x1, x2a))))" in hoare_gen_asm) - apply (rule_tac Q = "\r. cte_wp_at ((=) (ArchObjectCap (PageDirectoryCap p (Some (x1, x2a))))) (a,b) + apply (rule_tac Q'="\r. cte_wp_at ((=) (ArchObjectCap (PageDirectoryCap p (Some (x1, x2a))))) (a,b) and invs and is_final_cap' (ArchObjectCap (PageDirectoryCap p (Some (x1, x2a)))) and (\s. (the (vs_cap_ref (ArchObjectCap (PageDirectoryCap p (Some (x1, x2a))))), p) \ vs_lookup_pages s) and obj_at (empty_table {}) (the (aobj_ref (update_map_data
@@ -3133,7 +3133,7 @@ lemma perform_page_table_invocation_invs[wp]: apply (rule hoare_pre) apply (wpc | clarsimp simp: cte_wp_at_caps_of_state | wp arch_update_cap_invs_unmap_page_table get_cap_wp)+ apply (rule_tac P = "is_pt_cap (ArchObjectCap (PageTableCap p (Some (x1, x2a))))" in hoare_gen_asm) - apply (rule_tac Q = "\r. cte_wp_at ((=) (ArchObjectCap (PageTableCap p (Some (x1, x2a))))) (a,b) + apply (rule_tac Q'="\r. cte_wp_at ((=) (ArchObjectCap (PageTableCap p (Some (x1, x2a))))) (a,b) and invs and is_final_cap' (ArchObjectCap (PageTableCap p (Some (x1, x2a)))) and (\s. (the (vs_cap_ref (ArchObjectCap (PageTableCap p (Some (x1, x2a))))), p) \ vs_lookup_pages s) and obj_at (empty_table {}) (the (aobj_ref (update_map_data
@@ -3245,7 +3245,7 @@ lemma perform_pdpt_invocation_invs[wp]: apply (rule hoare_pre) apply (wpc | clarsimp simp: cte_wp_at_caps_of_state | wp arch_update_cap_invs_unmap_pd_pointer_table get_cap_wp)+ apply (rule_tac P = "is_pdpt_cap (ArchObjectCap (PDPointerTableCap p (Some (x1, x2a))))" in hoare_gen_asm) - apply (rule_tac Q = "\r. cte_wp_at ((=) (ArchObjectCap (PDPointerTableCap p (Some (x1, x2a))))) (a,b) + apply (rule_tac Q'="\r. cte_wp_at ((=) (ArchObjectCap (PDPointerTableCap p (Some (x1, x2a))))) (a,b) and invs and is_final_cap' (ArchObjectCap (PDPointerTableCap p (Some (x1, x2a)))) and (\s. (the (vs_cap_ref (ArchObjectCap (PDPointerTableCap p (Some (x1, x2a))))), p) \ vs_lookup_pages s) and obj_at (empty_table {}) (the (aobj_ref (update_map_data
@@ -3548,7 +3548,7 @@ lemma perform_page_invs [wp]: apply (rule hoare_pre) apply (wp dmo_invs arch_update_cap_invs_unmap_page get_cap_wp | wpc | simp add: perform_page_invocation_unmap_def)+ - apply (rule_tac Q="\_ s. invs s \ + apply (rule_tac Q'="\_ s. invs s \ cte_wp_at (\c. is_pg_cap c \ (\ref. vs_cap_ref c = Some ref \ \ (ref \ obj_ref_of c) s)) cslot_ptr s"
diff --git a/proof/refine/AARCH64/Arch_R.thy b/proof/refine/AARCH64/Arch_R.thy
index aedabdb2d3..e7998f0d9e 100644
--- a/proof/refine/AARCH64/Arch_R.thy
+++ b/proof/refine/AARCH64/Arch_R.thy
@@ -1331,7 +1331,7 @@ lemma associateVCPUTCB_corres: corres: getObject_vcpu_corres setObject_VCPU_corres vcpuSwitch_corres'' wp: hoare_drop_imps get_vcpu_wp getVCPU_wp | corres_cases_both simp: vcpu_relation_def)+ - apply (rule_tac Q="\_. invs and tcb_at t" in hoare_strengthen_post) + apply (rule_tac Q'="\_. invs and tcb_at t" in hoare_strengthen_post) apply wp apply clarsimp apply (rule conjI)
@@ -1339,7 +1339,7 @@ lemma associateVCPUTCB_corres: apply (clarsimp simp: obj_at_def in_omonad) apply (fastforce simp: obj_at_def in_omonad) apply wpsimp+ - apply (rule_tac Q="\_. invs' and tcb_at' t and vcpu_at' v" in hoare_strengthen_post) + apply (rule_tac Q'="\_. invs' and tcb_at' t and vcpu_at' v" in hoare_strengthen_post) apply wpsimp apply fastforce apply (wpsimp wp: arch_thread_get_wp archThreadGet_wp)+
@@ -1947,14 +1947,14 @@ lemma associateVCPUTCB_invs'[wp]: apply (clarsimp simp: associateVCPUTCB_def) apply (subst bind_assoc[symmetric], fold associateVCPUTCB_helper_def) apply wpsimp - apply (rule_tac Q="\_ s. invs' s \ ko_wp_at' (is_vcpu' and hyp_live') vcpu s" in hoare_post_imp) + apply (rule_tac Q'="\_ s. invs' s \ ko_wp_at' (is_vcpu' and hyp_live') vcpu s" in hoare_post_imp) apply simp apply (rule hoare_vcg_conj_lift) apply (wpsimp wp: assoc_invs'[folded associateVCPUTCB_helper_def]) apply (clarsimp simp: associateVCPUTCB_helper_def) apply (wpsimp simp: vcpu_at_is_vcpu'[symmetric])+ apply (wpsimp wp: getVCPU_wp) - apply (rule_tac Q="\_. invs' and obj_at' (\tcb. atcbVCPUPtr (tcbArch tcb) = None) tcb and + apply (rule_tac Q'="\_. invs' and obj_at' (\tcb. atcbVCPUPtr (tcbArch tcb) = None) tcb and ex_nonz_cap_to' vcpu and ex_nonz_cap_to' tcb and vcpu_at' vcpu" in hoare_strengthen_post) apply wpsimp
diff --git a/proof/refine/AARCH64/CNodeInv_R.thy b/proof/refine/AARCH64/CNodeInv_R.thy
index b2f9f41855..a94e19d200 100644
--- a/proof/refine/AARCH64/CNodeInv_R.thy
+++ b/proof/refine/AARCH64/CNodeInv_R.thy
@@ -208,7 +208,7 @@ lemma decodeCNodeInvocation_corres: apply (rule corres_trivial) subgoal by (auto simp add: whenE_def, auto simp add: returnOk_def) apply (wp | wpc | simp(no_asm))+ - apply (wp hoare_vcg_const_imp_lift_R hoare_vcg_const_imp_lift + apply (wp hoare_vcg_const_imp_liftE_R hoare_vcg_const_imp_lift hoare_vcg_all_liftE_R hoare_vcg_all_lift lsfco_cte_at' hoare_drop_imps | clarsimp)+ subgoal by (auto elim!: valid_cnode_capI)
@@ -6110,7 +6110,7 @@ lemma reduceZombie_invs'': apply (wp | simp)+ apply (rule getCTE_wp) apply (wp | simp)+ - apply (rule_tac Q="\cte s. rv = capZombiePtr cap + + apply (rule_tac Q'="\cte s. rv = capZombiePtr cap + of_nat (capZombieNumber cap) * 2^cteSizeBits - 2^cteSizeBits \ cte_wp_at' (\c. c = cte) slot s \ invs' s \ no_cte_prop Q s \ sch_act_simple s"
@@ -6436,8 +6436,8 @@ lemmas cteDelete_typ_at'_lifts [wp] = typ_at_lifts [OF cteDelete_typ_at'] lemma cteDelete_cte_at: "\\\ cteDelete slot bool \\rv. cte_at' slot\" - apply (rule_tac Q="\s. cte_at' slot s \ \ cte_at' slot s" - in hoare_pre(1)) + apply (rule_tac P'="\s. cte_at' slot s \ \ cte_at' slot s" + in hoare_weaken_pre) apply (rule hoare_strengthen_post) apply (rule hoare_vcg_disj_lift) apply (rule typ_at_lifts, rule cteDelete_typ_at')
@@ -6476,7 +6476,7 @@ lemma cteDelete_cte_wp_at_invs: apply (clarsimp simp: cte_wp_at_ctes_of) apply wp apply (simp add: imp_conjR conj_comms) - apply (rule_tac Q="\rv s. invs' s \ sch_act_simple s \ + apply (rule_tac Q'="\rv s. invs' s \ sch_act_simple s \ (fst rv \ cte_wp_at' (\cte. removeable' slot s (cteCap cte)) slot s) \ (fst rv \
@@ -6486,9 +6486,9 @@ lemma cteDelete_cte_wp_at_invs: cteCap cte = NullCap \ (\zb n. cteCap cte = Zombie slot zb n)) slot s)" - and E="\rv. \" in hoare_strengthen_postE) + and E'="\rv. \" in hoare_strengthen_postE) apply (wp finaliseSlot_invs finaliseSlot_removeable finaliseSlot_sch_act_simple - hoare_drop_imps(2)[OF finaliseSlot_irqs]) + hoare_drop_impE_R[OF finaliseSlot_irqs]) apply (rule hoare_strengthen_postE_R, rule finaliseSlot_abort_cases) apply (clarsimp simp: cte_wp_at_ctes_of dest!: isCapDs) apply simp
@@ -6509,7 +6509,7 @@ lemma cteDelete_cte_wp_at_invs: p s" in hoare_strengthen_postE_R) apply (wp finaliseSlot_invs finaliseSlot_removeable finaliseSlot_sch_act_simple - hoare_drop_imps(2)[OF finaliseSlot_irqs]) + hoare_drop_impE_R[OF finaliseSlot_irqs]) apply (rule hoare_strengthen_postE_R [OF finaliseSlot_cte_wp_at[where p=p and P=P]]) apply simp+ apply (clarsimp simp: cte_wp_at_ctes_of)
@@ -6523,8 +6523,8 @@ lemma cteDelete_sch_act_simple: cteDelete slot exposed \\rv. sch_act_simple\" apply (simp add: cteDelete_def whenE_def split_def) apply (wp hoare_drop_imps | simp)+ - apply (rule_tac hoare_strengthen_postE [where Q="\rv. sch_act_simple" - and E="\rv. sch_act_simple"]) + apply (rule_tac hoare_strengthen_postE [where Q'="\rv. sch_act_simple" + and E'="\rv. sch_act_simple"]) apply (rule valid_validE) apply (wp finaliseSlot_sch_act_simple) apply simp+
@@ -6711,7 +6711,7 @@ proof (induct rule: finalise_induct3) apply ((wp | simp add: locateSlot_conv)+)[2] apply (rule drop_spec_validE) apply simp - apply (rule_tac Q="\rv s. revoke_progress_ord m (option_map capToRPO \ cteCaps_of s) + apply (rule_tac Q'="\rv s. revoke_progress_ord m (option_map capToRPO \ cteCaps_of s) \ cte_wp_at' (\cte. cteCap cte = fst rvb) sl s" in hoare_post_imp) apply (clarsimp simp: o_def cte_wp_at_ctes_of capToRPO_def
@@ -7282,7 +7282,7 @@ next apply (rule updateCap_corres) apply simp apply (simp add: is_cap_simps) - apply (rule_tac R="\rv. cte_at' (cte_map ?target)" in hoare_post_add) + apply (rule_tac Q'="\rv. cte_at' (cte_map ?target)" in hoare_post_add) apply (wp, (wp getCTE_wp)+) apply (clarsimp simp: cte_wp_at_ctes_of) apply (rule no_fail_pre, wp, simp)
@@ -7444,7 +7444,7 @@ lemma cteRevoke_typ_at': lemma cteRevoke_invs': "\invs' and sch_act_simple\ cteRevoke ptr \\rv. invs'\" - apply (rule_tac Q="\rv. invs' and sch_act_simple" in hoare_strengthen_post) + apply (rule_tac Q'="\rv. invs' and sch_act_simple" in hoare_strengthen_post) apply (wp cteRevoke_preservation cteDelete_invs' cteDelete_sch_act_simple)+ apply simp_all done
@@ -9018,7 +9018,7 @@ proof (induct rule: finalise_spec_induct) apply (unfold Let_def split_def fst_conv snd_conv case_Zombie_assert_fold haskell_fail_def) apply (wp getCTE_wp' preemptionPoint_invR| simp add: o_def irq_state_independent_HI)+ - apply (rule hoare_post_imp [where Q="\_. valid_irq_states'"]) + apply (rule hoare_post_imp[where Q'="\_. valid_irq_states'"]) apply simp apply wp[1] apply (rule spec_strengthen_postE)
@@ -9061,7 +9061,7 @@ lemma cteDelete_irq_states': apply (simp add: cteDelete_def split_def) apply (wp whenE_wp) apply (rule hoare_strengthen_postE) - apply (rule hoare_valid_validE) + apply (rule valid_validE) apply (rule finaliseSlot_irq_states') apply simp apply simp
diff --git a/proof/refine/AARCH64/CSpace_R.thy b/proof/refine/AARCH64/CSpace_R.thy
index df604359a7..8fb8c5a2fc 100644
--- a/proof/refine/AARCH64/CSpace_R.thy
+++ b/proof/refine/AARCH64/CSpace_R.thy
@@ -2147,7 +2147,7 @@ lemma cteInsert_mdb' [wp]: cteInsert cap src dest \\_. valid_mdb'\" apply (simp add:valid_mdb'_def valid_mdb_ctes_def) - apply (rule_tac Q = "\r s. valid_dlist (ctes_of s) \ irq_control (ctes_of s) \ + apply (rule_tac Q'="\r s. valid_dlist (ctes_of s) \ irq_control (ctes_of s) \ no_0 (ctes_of s) \ mdb_chain_0 (ctes_of s) \ mdb_chunked (ctes_of s) \ untyped_mdb' (ctes_of s) \ untyped_inc' (ctes_of s) \ Q s" for Q
@@ -3963,12 +3963,12 @@ lemma setupReplyMaster_corres: apply (fastforce dest: pspace_relation_no_reply_caps state_relation_pspace_relation) apply (clarsimp simp: cte_map_def tcb_cnode_index_def cte_wp_at_ctes_of) - apply (rule_tac Q="\rv. einvs and tcb_at t and + apply (rule_tac Q'="\rv. einvs and tcb_at t and cte_wp_at ((=) rv) (t, tcb_cnode_index 2)" in hoare_strengthen_post) apply (wp hoare_drop_imps get_cap_wp) apply (clarsimp simp: invs_def valid_state_def elim!: cte_wp_at_weakenE) - apply (rule_tac Q="\rv. valid_pspace' and valid_mdb' and + apply (rule_tac Q'="\rv. valid_pspace' and valid_mdb' and cte_wp_at' ((=) rv) (cte_map (t, tcb_cnode_index 2))" in hoare_strengthen_post) apply (wp hoare_drop_imps getCTE_wp')
diff --git a/proof/refine/AARCH64/Detype_R.thy b/proof/refine/AARCH64/Detype_R.thy
index 1913cd8d62..79d19372a7 100644
--- a/proof/refine/AARCH64/Detype_R.thy
+++ b/proof/refine/AARCH64/Detype_R.thy
@@ -65,7 +65,7 @@ lemma descendants_range_in_lift': apply (simp only: Ball_def[unfolded imp_conv_disj]) apply (rule hoare_pre) apply (wp hoare_vcg_all_lift hoare_vcg_disj_lift st cap_range) - apply (rule_tac Q = "\r s. cte_wp_at' (\c. capRange (cteCap c) \ S = {}) x s" + apply (rule_tac Q'="\r s. cte_wp_at' (\c. capRange (cteCap c) \ S = {}) x s" in hoare_strengthen_post) apply (wp cap_range) apply (clarsimp simp:cte_wp_at_ctes_of null_filter'_def)
@@ -1830,7 +1830,7 @@ lemma deleteObjects_invs': proof - show ?thesis apply (rule hoare_pre) - apply (rule_tac G="is_aligned ptr bits \ 3 \ bits \ bits \ word_bits" in hoare_grab_asm) + apply (rule_tac P'="is_aligned ptr bits \ 3 \ bits \ bits \ word_bits" in hoare_grab_asm) apply (clarsimp simp add: deleteObjects_def2) apply (simp add: freeMemory_def bind_assoc doMachineOp_bind) apply (simp add: bind_assoc[where f="\_. modify f" for f, symmetric])
@@ -3798,7 +3798,7 @@ lemma createNewCaps_pspace_no_overlap': apply simp+ apply (simp add:range_cover_def) apply (simp add:range_cover.sz(1)[where 'a=machine_word_len, folded word_bits_def]) - apply (rule_tac Q = "\r. pspace_no_overlap' (ptr + (1 + of_nat n << Types_H.getObjectSize ty us)) + apply (rule_tac Q'="\r. pspace_no_overlap' (ptr + (1 + of_nat n << Types_H.getObjectSize ty us)) (Types_H.getObjectSize ty us) and pspace_aligned' and pspace_distinct'" in hoare_strengthen_post) apply (case_tac ty)
diff --git a/proof/refine/AARCH64/Finalise_R.thy b/proof/refine/AARCH64/Finalise_R.thy
index 8995d0e0fb..3cdb22b01a 100644
--- a/proof/refine/AARCH64/Finalise_R.thy
+++ b/proof/refine/AARCH64/Finalise_R.thy
@@ -1823,7 +1823,7 @@ lemma isFinalCapability_inv: apply (simp add: isFinalCapability_def Let_def split del: if_split cong: if_cong) apply (rule hoare_pre, wp) - apply (rule hoare_post_imp [where Q="\s. P"], simp) + apply (rule hoare_post_imp[where Q'="\s. P"], simp) apply wp apply simp done
@@ -3087,7 +3087,7 @@ lemma cancelIPC_bound_tcb_at'[wp]: apply (simp add: getThreadReplySlot_def locateSlot_conv liftM_def) apply (rule hoare_pre) apply (wp capDeleteOne_bound_tcb_at' getCTE_ctes_of) - apply (rule_tac Q="\_. bound_tcb_at' P tptr" in hoare_post_imp) + apply (rule_tac Q'="\_. bound_tcb_at' P tptr" in hoare_post_imp) apply (clarsimp simp: capHasProperty_def cte_wp_at_ctes_of) apply (wp threadSet_pred_tcb_no_state | simp)+ done
@@ -3712,7 +3712,7 @@ lemma no_idle_thread_cap: lemmas getCTE_no_0_obj'_helper = getCTE_inv - hoare_strengthen_post[where Q="\_. no_0_obj'" and P=no_0_obj' and a="getCTE slot" for slot] + hoare_strengthen_post[where Q'="\_. no_0_obj'" and P=no_0_obj' and f="getCTE slot" for slot] context begin interpretation Arch . (*FIXME: arch_split*)
diff --git a/proof/refine/AARCH64/Interrupt_R.thy b/proof/refine/AARCH64/Interrupt_R.thy
index 3f9107f45a..cc5585adab 100644
--- a/proof/refine/AARCH64/Interrupt_R.thy
+++ b/proof/refine/AARCH64/Interrupt_R.thy
@@ -363,7 +363,7 @@ lemma invokeIRQHandler_corres: apply simp apply (rule corres_split_nor[OF cap_delete_one_corres]) apply (rule cteInsert_corres, simp+) - apply (rule_tac Q="\rv s. einvs s \ cte_wp_at (\c. c = cap.NullCap) irq_slot s + apply (rule_tac Q'="\rv s. einvs s \ cte_wp_at (\c. c = cap.NullCap) irq_slot s \ (a, b) \ irq_slot \ cte_wp_at (is_derived (cdt s) (a, b) cap) (a, b) s" in hoare_post_imp)
@@ -808,7 +808,7 @@ proof - apply (wp gts_wp) apply (wp gts_wp') apply (rule_tac - Q="\rv. tcb_at rv and einvs + Q'="\rv. tcb_at rv and einvs and (\_. valid_fault (ExceptionTypes_A.fault.ArchFault rva))" in hoare_post_imp) apply (clarsimp cong: imp_cong conj_cong simp: not_pred_tcb runnable_eq pred_conj_def)
@@ -816,7 +816,7 @@ proof - apply (fastforce simp: pred_tcb_at_def obj_at_def) apply wp apply clarsimp - apply (rule_tac Q="\rv x. tcb_at' rv x + apply (rule_tac Q'="\rv x. tcb_at' rv x \ invs' x \ sch_act_not rv x" in hoare_post_imp)
@@ -881,7 +881,7 @@ lemma vppiEvent_corres: is runnable directly afterwards, which is obvious and should not propagate further; clean up the postconditions of the thread_get and threadGet *) apply (rule_tac - Q="\rv. tcb_at rv and einvs + Q'="\rv. tcb_at rv and einvs and (\_. valid_fault (ExceptionTypes_A.fault.ArchFault (AARCH64_A.VPPIEvent irq)))" in hoare_post_imp)
@@ -889,7 +889,7 @@ lemma vppiEvent_corres: apply (strengthen st_tcb_ex_cap'[where P=active], fastforce) apply wp apply (clarsimp cong: imp_cong conj_cong simp: pred_conj_def) - apply (rule_tac Q="\rv x. tcb_at' rv x + apply (rule_tac Q'="\rv x. tcb_at' rv x \ invs' x \ sch_act_not rv x" in hoare_post_imp) apply (rename_tac rv s)
@@ -1025,7 +1025,7 @@ lemma timerTick_invs'[wp]: apply (wpsimp wp: threadSet_invs_trivial threadSet_pred_tcb_no_state rescheduleRequired_all_invs_but_ct_not_inQ simp: tcb_cte_cases_def) - apply (rule_tac Q="\rv. invs'" in hoare_post_imp) + apply (rule_tac Q'="\rv. invs'" in hoare_post_imp) apply (clarsimp simp: invs'_def valid_state'_def) apply (simp add: decDomainTime_def) apply wp
@@ -1036,7 +1036,7 @@ lemma timerTick_invs'[wp]: hoare_vcg_imp_lift threadSet_ct_idle_or_in_cur_domain')+ apply (rule hoare_strengthen_post[OF tcbSchedAppend_all_invs_but_ct_not_inQ']) apply (wpsimp simp: invs'_def valid_state'_def valid_pspace'_def sch_act_wf_weak)+ - apply (rule_tac Q="\_. invs'" in hoare_strengthen_post) + apply (rule_tac Q'="\_. invs'" in hoare_strengthen_post) apply (wpsimp wp: threadSet_pred_tcb_no_state threadSet_tcbDomain_triv threadSet_valid_objs' threadSet_timeslice_invs)+ apply (clarsimp simp: invs'_def valid_state'_def valid_pspace'_def)
@@ -1083,7 +1083,7 @@ lemma vgicMaintenance_invs'[wp]: apply (strengthen st_tcb_ex_cap''[where P=active']) apply (strengthen invs_iflive') apply (clarsimp cong: imp_cong conj_cong simp: pred_conj_def) - apply (rule_tac Q="\_ s. tcb_at' (ksCurThread s) s + apply (rule_tac Q'="\_ s. tcb_at' (ksCurThread s) s \ invs' s \ sch_act_not (ksCurThread s) s" in hoare_post_imp)
@@ -1117,7 +1117,7 @@ lemma vppiEvent_invs'[wp]: apply (strengthen st_tcb_ex_cap''[where P=active']) apply (strengthen invs_iflive') apply (clarsimp cong: imp_cong conj_cong simp: pred_conj_def) - apply (rule_tac Q="\_ s. tcb_at' (ksCurThread s) s + apply (rule_tac Q'="\_ s. tcb_at' (ksCurThread s) s \ invs' s \ sch_act_not (ksCurThread s) s" in hoare_post_imp)
@@ -1139,7 +1139,7 @@ lemma hint_invs[wp]: apply (simp add: handleInterrupt_def getSlotCap_def cong: irqstate.case_cong) apply (rule conjI; rule impI) apply (wp dmo_maskInterrupt_True getCTE_wp' | wpc | simp add: doMachineOp_bind maskIrqSignal_def)+ - apply (rule_tac Q="\rv. invs'" in hoare_post_imp) + apply (rule_tac Q'="\rv. invs'" in hoare_post_imp) apply (clarsimp simp: cte_wp_at_ctes_of ex_nonz_cap_to'_def) apply fastforce apply (wpsimp wp: threadSet_invs_trivial getIRQState_wp
diff --git a/proof/refine/AARCH64/IpcCancel_R.thy b/proof/refine/AARCH64/IpcCancel_R.thy
index 2a3df08600..3321c4a9aa 100644
--- a/proof/refine/AARCH64/IpcCancel_R.thy
+++ b/proof/refine/AARCH64/IpcCancel_R.thy
@@ -900,7 +900,7 @@ lemma (in delete_one_conc_pre) cancelIPC_sch_act_simple[wp]: apply (wp hoare_drop_imps delete_one_sch_act_simple | simp add: getThreadReplySlot_def | wpcw | rule sch_act_simple_lift - | (rule_tac Q="\rv. sch_act_simple" in hoare_post_imp, simp))+ + | (rule_tac Q'="\rv. sch_act_simple" in hoare_post_imp, simp))+ done lemma cancelSignal_st_tcb_at:
@@ -910,7 +910,7 @@ lemma cancelSignal_st_tcb_at: \\rv. st_tcb_at' P t\" apply (simp add: cancelSignal_def Let_def list_case_If) apply (wp sts_st_tcb_at'_cases hoare_vcg_const_imp_lift - hoare_drop_imp[where R="%rv s. P' rv" for P']) + hoare_drop_imp[where Q'="%rv s. P' rv" for P']) apply clarsimp+ done
@@ -999,7 +999,7 @@ lemma (in delete_one_conc_pre) cancelIPC_tcb_at_runnable': apply (case_tac rv; simp) apply (wp sts_pred_tcb_neq' | simp | wpc)+ apply (clarsimp) - apply (rule_tac Q="\rv. ?PRE" in hoare_post_imp, fastforce) + apply (rule_tac Q'="\rv. ?PRE" in hoare_post_imp, fastforce) apply (wp cteDeleteOne_tcb_at_runnable' threadSet_pred_tcb_no_state cancelSignal_tcb_at_runnable'
@@ -1098,7 +1098,7 @@ lemma sts_weak_sch_act_wf[wp]: including classic_wp_pre apply (simp add: setThreadState_def) apply (wp rescheduleRequired_weak_sch_act_wf) - apply (rule_tac Q="\_ s. weak_sch_act_wf (ksSchedulerAction s) s" in hoare_post_imp, simp) + apply (rule_tac Q'="\_ s. weak_sch_act_wf (ksSchedulerAction s) s" in hoare_post_imp, simp) apply (simp add: weak_sch_act_wf_def) apply (wp hoare_vcg_all_lift) apply (wps threadSet_nosch)
@@ -1226,11 +1226,11 @@ lemma (in delete_one) suspend_corres: apply wp apply (wpsimp wp: sts_valid_objs') apply (wpsimp simp: update_restart_pc_def updateRestartPC_def valid_tcb_state'_def)+ - apply (rule hoare_post_imp[where Q = "\rv s. einvs s \ tcb_at t s"]) + apply (rule hoare_post_imp[where Q'="\rv s. einvs s \ tcb_at t s"]) apply (simp add: invs_implies invs_strgs valid_queues_in_correct_ready_q valid_queues_ready_qs_distinct valid_sched_def) apply wp - apply (rule hoare_post_imp[where Q = "\_ s. invs' s \ tcb_at' t s"]) + apply (rule hoare_post_imp[where Q'="\_ s. invs' s \ tcb_at' t s"]) apply (fastforce simp: invs'_def valid_tcb_state'_def) apply (wpsimp simp: update_restart_pc_def updateRestartPC_def)+ apply fastforce+
@@ -1425,7 +1425,7 @@ lemma (in delete_one_conc) suspend_invs'[wp]: apply (simp add: suspend_def) apply (wpsimp wp: sts_invs_minor' gts_wp' simp: updateRestartPC_def | strengthen no_refs_simple_strg')+ - apply (rule_tac Q="\_. invs' and sch_act_simple and st_tcb_at' simple' t + apply (rule_tac Q'="\_. invs' and sch_act_simple and st_tcb_at' simple' t and (\s. t \ ksIdleThread s)" in hoare_post_imp) apply clarsimp
@@ -1453,7 +1453,7 @@ lemma (in delete_one_conc_pre) suspend_sch_act_simple[wp]: lemma (in delete_one_conc) suspend_objs': "\invs' and sch_act_simple and tcb_at' t and (\s. t \ ksIdleThread s)\ suspend t \\rv. valid_objs'\" - apply (rule_tac Q="\_. invs'" in hoare_strengthen_post) + apply (rule_tac Q'="\_. invs'" in hoare_strengthen_post) apply (wp suspend_invs') apply fastforce done
@@ -1567,7 +1567,7 @@ proof - apply (rule ep_cancel_corres_helper) apply (rule mapM_x_wp') apply (wp weak_sch_act_wf_lift_linear set_thread_state_runnable_weak_valid_sched_action | simp)+ - apply (rule_tac R="\_ s. \x\set list. tcb_at' x s \ valid_objs' s \ pspace_aligned' s \ pspace_distinct' s" + apply (rule_tac Q'="\_ s. \x\set list. tcb_at' x s \ valid_objs' s \ pspace_aligned' s \ pspace_distinct' s" in hoare_post_add) apply (rule mapM_x_wp') apply ((wpsimp wp: hoare_vcg_const_Ball_lift mapM_x_wp' sts_st_tcb' sts_valid_objs'
@@ -1627,7 +1627,7 @@ lemma cancelAllSignals_corres: set_thread_state_runnable_weak_valid_sched_action | simp)+ apply (rename_tac list) - apply (rule_tac R="\_ s. (\x\set list. tcb_at' x s) \ valid_objs' s + apply (rule_tac Q'="\_ s. (\x\set list. tcb_at' x s) \ valid_objs' s \ sym_heap_sched_pointers s \ valid_sched_pointers s \ valid_objs' s \ pspace_aligned' s \ pspace_distinct' s" in hoare_post_add)
@@ -1675,7 +1675,7 @@ proof - show ?thesis apply (simp add: setThreadState_def) apply (wpsimp wp: hoare_vcg_imp_lift [OF nrct]) - apply (rule_tac Q="\_. ?PRE" in hoare_post_imp) + apply (rule_tac Q'="\_. ?PRE" in hoare_post_imp) apply (clarsimp) apply (rule hoare_convert_imp [OF threadSet_nosch threadSet_ct]) apply assumption
@@ -1927,7 +1927,7 @@ lemma cancelAllIPC_valid_objs'[wp]: apply (rule bind_wp [OF _ get_ep_sp']) apply (rule hoare_pre) apply (wp set_ep_valid_objs' setSchedulerAction_valid_objs') - apply (rule_tac Q="\_ s. valid_objs' s \ pspace_aligned' s \ pspace_distinct' s + apply (rule_tac Q'="\_ s. valid_objs' s \ pspace_aligned' s \ pspace_distinct' s \ (\x\set (epQueue ep). tcb_at' x s)" in hoare_post_imp) apply simp
@@ -1953,7 +1953,7 @@ lemma cancelAllSignals_valid_objs'[wp]: apply (wp, simp) apply (wp, simp) apply (rename_tac list) - apply (rule_tac Q="\rv s. valid_objs' s \ (\x\set list. tcb_at' x s)" + apply (rule_tac Q'="\rv s. valid_objs' s \ (\x\set list. tcb_at' x s)" in hoare_post_imp) apply (simp add: valid_ntfn'_def) apply (simp add: Ball_def)
@@ -2257,7 +2257,7 @@ lemma cancelBadgedSends_corres: apply (rule corres_split_nor[OF setEndpoint_corres]) apply (simp add: ep_relation_def) apply (rule corres_split_eqr[OF _ _ _ hoare_post_add - [where R="\_. valid_objs' and pspace_aligned' + [where Q'="\_. valid_objs' and pspace_aligned' and pspace_distinct'"]]) apply (rule_tac S="(=)" and Q="\xs s. (\x \ set xs. (epptr, TCBBlockedSend) \ state_refs_of s x) \
diff --git a/proof/refine/AARCH64/Ipc_R.thy b/proof/refine/AARCH64/Ipc_R.thy
index 3e045f61b2..6d1f0ba0f0 100644
--- a/proof/refine/AARCH64/Ipc_R.thy
+++ b/proof/refine/AARCH64/Ipc_R.thy
@@ -53,7 +53,7 @@ lemma lsfco_cte_at': apply (wp) apply (clarsimp simp: split_def unlessE_def split del: if_split) - apply (wp hoare_drop_imps throwE_R) + apply (wpsimp wp: hoare_drop_imps throwE_R) done declare unifyFailure_wp [wp]
@@ -493,7 +493,7 @@ next apply clarsimp apply assumption apply (subst imp_conjR) - apply (rule hoare_vcg_conj_liftE_R) + apply (rule hoare_vcg_conj_liftE_R') apply (rule derive_cap_is_derived) apply (wp derive_cap_is_derived_foo)+ apply (simp split del: if_split)
@@ -505,7 +505,7 @@ next apply clarsimp apply assumption apply (subst imp_conjR) - apply (rule hoare_vcg_conj_liftE_R) + apply (rule hoare_vcg_conj_liftE_R') apply (rule hoare_strengthen_postE_R[OF deriveCap_derived]) apply (clarsimp simp:cte_wp_at_ctes_of) apply (wp deriveCap_derived_foo)
@@ -617,7 +617,7 @@ lemma cteInsert_assume_Null: apply (rule bind_wp[OF _ getCTE_sp])+ apply (rule hoare_name_pre_state) apply (clarsimp simp: cte_wp_at_ctes_of) - apply (erule hoare_pre(1)) + apply (erule hoare_weaken_pre) apply simp done
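Review bot: The fact name `hoare_vcg_conj_liftE_R` appears to change meaning rather than disappear: the two `rule` calls in the @@ -493 and @@ -505 hunks move off it onto `hoare_vcg_conj_liftE_R'`, while the `lec_valid_cap'` hunk that follows moves `hoare_vcg_conj_lift_R` onto `hoare_vcg_conj_liftE_R` with new `P'`/`Q'` variable names. If that reading is right, any proof outside this commit that still cites `hoare_vcg_conj_liftE_R` will resolve to a different statement and fail at an unrelated step instead of on an unknown fact, which is harder to diagnose; naming the swap explicitly in the commit message, or keeping the old statement reachable under a transitional alias until callers are migrated, would make it visible. The @@ -53 hunk also replaces `apply (wp hoare_drop_imps throwE_R)` with `apply (wpsimp wp: hoare_drop_imps throwE_R)` in `lsfco_cte_at'` without saying why the added simplification is now needed; a one-line comment there would spare the next reader from re-deriving it.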
@@ -1779,7 +1779,7 @@ declare asUser_global_refs' [wp] lemma lec_valid_cap' [wp]: "\valid_objs'\ lookupExtraCaps thread xa mi \\rv s. (\x\set rv. s \' fst x)\, -" apply (rule hoare_pre, rule hoare_strengthen_postE_R) - apply (rule hoare_vcg_conj_lift_R[where R=valid_objs' and S="\_. valid_objs'"]) + apply (rule hoare_vcg_conj_liftE_R[where P'=valid_objs' and Q'="\_. valid_objs'"]) apply (rule lookupExtraCaps_srcs) apply wp apply (clarsimp simp: cte_wp_at_ctes_of)
@@ -2160,7 +2160,7 @@ lemma doReplyTransfer_corres: apply (fastforce) apply (clarsimp simp:is_cap_simps) apply (wp weak_valid_sched_action_lift)+ - apply (rule_tac Q="\_ s. valid_objs' s \ cur_tcb' s \ tcb_at' receiver s + apply (rule_tac Q'="\_ s. valid_objs' s \ cur_tcb' s \ tcb_at' receiver s \ sch_act_wf (ksSchedulerAction s) s \ sym_heap_sched_pointers s \ valid_sched_pointers s \ pspace_aligned' s \ pspace_distinct' s"
@@ -2217,7 +2217,7 @@ lemma doReplyTransfer_corres: threadSet_tcbDomain_triv threadSet_valid_objs' threadSet_sched_pointers threadSet_valid_sched_pointers | simp add: valid_tcb_state'_def)+ - apply (rule_tac Q="\_. valid_sched and cur_tcb and tcb_at sender and tcb_at receiver and + apply (rule_tac Q'="\_. valid_sched and cur_tcb and tcb_at sender and tcb_at receiver and valid_objs and pspace_aligned and pspace_distinct" in hoare_strengthen_post [rotated], clarsimp) apply (wp)
@@ -2225,7 +2225,7 @@ lemma doReplyTransfer_corres: apply (assumption) apply (rule conjI, clarsimp) apply (clarsimp simp add: invs_def valid_state_def valid_pspace_def) - apply (rule_tac Q="\_. tcb_at' sender and tcb_at' receiver and invs'" + apply (rule_tac Q'="\_. tcb_at' sender and tcb_at' receiver and invs'" in hoare_strengthen_post [rotated]) apply (solves\auto simp: invs'_def valid_state'_def\) apply wp
@@ -2303,14 +2303,14 @@ lemma setupCallerCap_corres: tcb_cnode_index_def cte_level_bits_def) apply (simp add: cte_map_def tcbCallerSlot_def tcb_cnode_index_def cte_level_bits_def) - apply (rule_tac R="\rv. cte_at' (receiver + 2 ^ cte_level_bits * tcbCallerSlot)" + apply (rule_tac Q'="\rv. cte_at' (receiver + 2 ^ cte_level_bits * tcbCallerSlot)" in hoare_post_add) apply (wp, (wp getSlotCap_wp)+) apply blast apply (rule no_fail_pre, wp) apply (clarsimp simp: cte_wp_at'_def cte_at'_def) - apply (rule_tac R="\rv. cte_at' (sender + 2 ^ cte_level_bits * tcbReplySlot)" + apply (rule_tac Q'="\rv. cte_at' (sender + 2 ^ cte_level_bits * tcbReplySlot)" in hoare_post_add) apply (wp, (wp getCTE_wp')+) apply blast
@@ -2645,7 +2645,7 @@ lemma sendSignal_corres: valid_queues_in_correct_ready_q valid_queues_ready_qs_distinct valid_sched_valid_queues | simp add: valid_tcb_state_def)+ - apply (rule_tac Q="\rv. invs' and tcb_at' a" in hoare_strengthen_post) + apply (rule_tac Q'="\rv. invs' and tcb_at' a" in hoare_strengthen_post) apply wp apply (fastforce simp: invs'_def valid_state'_def sch_act_wf_weak valid_tcb_state'_def) apply (rule setNotification_corres)
@@ -2673,7 +2673,7 @@ lemma sendSignal_corres: apply (rule corres_split[OF asUser_setRegister_corres]) apply (rule possibleSwitchTo_corres) apply ((wp | simp)+)[1] - apply (rule_tac Q="\_. (\s. sch_act_wf (ksSchedulerAction s) s) and + apply (rule_tac Q'="\_. (\s. sch_act_wf (ksSchedulerAction s) s) and cur_tcb' and st_tcb_at' runnable' (hd list) and valid_objs' and sym_heap_sched_pointers and valid_sched_pointers and
@@ -2872,7 +2872,7 @@ lemma cancelIPC_nonz_cap_to'[wp]: | wpc | simp | clarsimp elim!: cte_wp_at_weakenE' - | rule hoare_post_imp[where Q="\rv. ex_nonz_cap_to' p"])+ + | rule hoare_post_imp[where Q'="\rv. ex_nonz_cap_to' p"])+ done
@@ -2952,7 +2952,7 @@ proof - apply (wpc) apply (wp | simp)+ apply (wpc, wp+) - apply (rule_tac Q="\_. ?PRE t'" in hoare_post_imp, clarsimp) + apply (rule_tac Q'="\_. ?PRE t'" in hoare_post_imp, clarsimp) apply (wp) apply simp done
@@ -2964,7 +2964,7 @@ proof - apply (wp) apply (wp hoare_convert_imp)[1] apply (wp) - apply (rule_tac Q="\_. ?PRE t'" in hoare_post_imp, clarsimp) + apply (rule_tac Q'="\_. ?PRE t'" in hoare_post_imp, clarsimp) apply (wp hoare_convert_imp | simp)+ done show ?thesis
@@ -2977,16 +2977,16 @@ proof - apply (wp)+ apply (wp hoare_convert_imp)[1] apply (wpc, wp+) - apply (rule_tac Q="\_. ?PRE t'" in hoare_post_imp, clarsimp) + apply (rule_tac Q'="\_. ?PRE t'" in hoare_post_imp, clarsimp) apply (wp cdo)+ - apply (rule_tac Q="\_. ?PRE t'" in hoare_post_imp, clarsimp) + apply (rule_tac Q'="\_. ?PRE t'" in hoare_post_imp, clarsimp) apply ((wp aipc hoare_convert_imp)+)[6] apply (wp) apply (wp hoare_convert_imp)[1] apply (wpc, wp+) - apply (rule_tac Q="\_. ?PRE t'" in hoare_post_imp, clarsimp) + apply (rule_tac Q'="\_. ?PRE t'" in hoare_post_imp, clarsimp) apply (wp) - apply (rule_tac Q="\_. ?PRE t'" in hoare_post_imp, clarsimp) + apply (rule_tac Q'="\_. ?PRE t'" in hoare_post_imp, clarsimp) apply (wp) apply simp done
@@ -3241,7 +3241,7 @@ lemma receiveIPC_corres: valid_sched_action_def) apply (clarsimp split: if_split_asm) apply (clarsimp | wp do_ipc_transfer_tcb_caps)+ - apply (rule_tac Q="\_ s. sch_act_wf (ksSchedulerAction s) s + apply (rule_tac Q'="\_ s. sch_act_wf (ksSchedulerAction s) s \ sym_heap_sched_pointers s \ valid_sched_pointers s \ pspace_aligned' s \ pspace_distinct' s" in hoare_post_imp)
@@ -3504,7 +3504,7 @@ lemma setupCallerCap_vp[wp]: apply (simp add: valid_pspace'_def setupCallerCap_def getThreadCallerSlot_def getThreadReplySlot_def locateSlot_conv getSlotCap_def) apply (wp getCTE_wp) - apply (rule_tac Q="\_. valid_pspace' and + apply (rule_tac Q'="\_. valid_pspace' and tcb_at' sender and tcb_at' rcvr" in hoare_post_imp) apply (clarsimp simp: valid_cap'_def o_def cte_wp_at_ctes_of isCap_simps
@@ -3537,7 +3537,7 @@ lemma setupCallerCap_ifunsafe[wp]: apply (wp getSlotCap_cte_wp_at | simp add: unique_master_reply_cap' | strengthen eq_imp_strg | wp (once) hoare_drop_imp[where f="getCTE rs" for rs])+ - apply (rule_tac Q="\rv. valid_objs' and tcb_at' rcvr and ex_nonz_cap_to' rcvr" + apply (rule_tac Q'="\rv. valid_objs' and tcb_at' rcvr and ex_nonz_cap_to' rcvr" in hoare_post_imp) apply (clarsimp simp: ex_nonz_tcb_cte_caps' tcbCallerSlot_def objBits_def objBitsKO_def dom_def cte_level_bits_def)
@@ -3694,7 +3694,7 @@ lemma completeSignal_invs: apply (rule bind_wp[OF _ get_ntfn_sp']) apply (rule hoare_pre) apply (wp set_ntfn_minor_invs' | wpc | simp)+ - apply (rule_tac Q="\_ s. (state_refs_of' s ntfnptr = ntfn_bound_refs' (ntfnBoundTCB ntfn)) + apply (rule_tac Q'="\_ s. (state_refs_of' s ntfnptr = ntfn_bound_refs' (ntfnBoundTCB ntfn)) \ ntfn_at' ntfnptr s \ valid_ntfn' (ntfnObj_update (\_. Structures_H.ntfn.IdleNtfn) ntfn) s \ ((\y. ntfnBoundTCB ntfn = Some y) \ ex_nonz_cap_to' ntfnptr s)
@@ -3723,7 +3723,7 @@ lemma setupCallerCap_urz[wp]: getThreadCallerSlot_def getThreadReplySlot_def locateSlot_conv) apply (wp getCTE_wp') - apply (rule_tac Q="\_. untyped_ranges_zero' and valid_mdb' and valid_objs'" in hoare_post_imp) + apply (rule_tac Q'="\_. untyped_ranges_zero' and valid_mdb' and valid_objs'" in hoare_post_imp) apply (clarsimp simp: cte_wp_at_ctes_of cteCaps_of_def untyped_derived_eq_def isCap_simps) apply (wp sts_valid_pspace_hangers)
@@ -3775,7 +3775,7 @@ lemma ri_invs' [wp]: apply (rule bind_wp [OF _ gbn_sp']) apply (rule bind_wp) (* set up precondition for old proof *) - apply (rule_tac R="ko_at' ep (capEPPtr cap) and ?pre" in hoare_vcg_if_split) + apply (rule_tac P''="ko_at' ep (capEPPtr cap) and ?pre" in hoare_vcg_if_split) apply (wp completeSignal_invs) apply (case_tac ep) \ \endpoint = RecvEP\
@@ -4037,9 +4037,9 @@ lemma si_invs'[wp]: hoare_convert_imp [OF setEndpoint_nosch setEndpoint_ct'] hoare_drop_imp [where f="threadGet tcbFault t"] | rule_tac f="getThreadState a" in hoare_drop_imp - | wp (once) hoare_drop_imp[where R="\_ _. call"] - hoare_drop_imp[where R="\_ _. \ call"] - hoare_drop_imp[where R="\_ _. cg"] + | wp (once) hoare_drop_imp[where Q'="\_ _. call"] + hoare_drop_imp[where Q'="\_ _. \ call"] + hoare_drop_imp[where Q'="\_ _. cg"] | simp add: valid_tcb_state'_def case_bool_If case_option_If cong: if_cong
diff --git a/proof/refine/AARCH64/Refine.thy b/proof/refine/AARCH64/Refine.thy
index 0504e3f14a..ea34ea6b8f 100644
--- a/proof/refine/AARCH64/Refine.thy
+++ b/proof/refine/AARCH64/Refine.thy
@@ -221,12 +221,12 @@ lemma set_thread_state_sched_act: apply (simp add: set_thread_state_ext_def) apply wp apply (rule hoare_pre_cont) - apply (rule_tac Q="\rv. (\s. runnable ts) and (\s. P (scheduler_action s))" + apply (rule_tac Q'="\rv. (\s. runnable ts) and (\s. P (scheduler_action s))" in hoare_strengthen_post) apply wp apply force apply (wp gts_st_tcb_at)+ - apply (rule_tac Q="\rv. st_tcb_at ((=) state) thread and (\s. runnable state) and (\s. P (scheduler_action s))" in hoare_strengthen_post) + apply (rule_tac Q'="\rv. st_tcb_at ((=) state) thread and (\s. runnable state) and (\s. P (scheduler_action s))" in hoare_strengthen_post) apply (simp add: st_tcb_at_def) apply (wp obj_set_prop_at)+ apply (force simp: st_tcb_at_def obj_at_def)
@@ -265,7 +265,7 @@ lemma kernel_entry_invs: \\rv. einvs and (\s. ct_running s \ ct_idle s) and (\s. 0 < domain_time s) and valid_domain_list and (\s. scheduler_action s = resume_cur_thread)\" - apply (rule_tac Q="\rv. invs and (\s. ct_running s \ ct_idle s) and valid_sched and + apply (rule_tac Q'="\rv. invs and (\s. ct_running s \ ct_idle s) and valid_sched and (\s. 0 < domain_time s) and valid_domain_list and valid_list and (\s. scheduler_action s = resume_cur_thread)" in hoare_post_imp) @@ -311,7 +311,7 @@ lemma do_user_op_invs2: do_user_op f tc \\_. (einvs and ct_running and (\s. scheduler_action s = resume_cur_thread)) and (\s. 0 < domain_time s) and valid_domain_list \" - apply (rule_tac Q="\_. valid_list and valid_sched and + apply (rule_tac Q'="\_. valid_list and valid_sched and (\s. scheduler_action s = resume_cur_thread) and (invs and ct_running) and (\s. 0 < domain_time s) and valid_domain_list" in hoare_strengthen_post) @@ -398,7 +398,7 @@ lemma ckernel_invs: apply (rule hoare_pre) apply (wp activate_invs' activate_sch_act schedule_sch schedule_sch_act_simple he_invs' schedule_invs' hoare_vcg_if_lift3 - hoare_drop_imp[where R="\_. kernelExitAssertions"] + hoare_drop_imp[where Q'="\_. kernelExitAssertions"] | simp add: no_irq_getActiveIRQ | strengthen non_kernel_IRQs_strg[where Q=True, simplified], simp cong: conj_cong)+ done 
@@ -591,22 +591,22 @@ lemma kernel_corres': apply simp apply (wpsimp wp: hoare_drop_imps hoare_vcg_all_lift simp: schact_is_rct_def)[1] apply simp - apply (rule_tac Q="\irq s. invs' s \ + apply (rule_tac Q'="\irq s. invs' s \ (\irq'. irq = Some irq' \ intStateIRQTable (ksInterruptState s ) irq' \ IRQInactive)" in hoare_post_imp) apply simp apply (wp doMachineOp_getActiveIRQ_IRQ_active handle_event_valid_sched | simp)+ - apply (rule_tac Q="\_. \" and E="\_. invs'" in hoare_strengthen_postE) + apply (rule_tac Q'="\_. \" and E'="\_. invs'" in hoare_strengthen_postE) apply wpsimp+ apply (simp add: invs'_def valid_state'_def) apply (rule corres_split[OF schedule_corres]) apply (rule activateThread_corres) apply (wp schedule_invs' hoare_vcg_if_lift2 dmo_getActiveIRQ_non_kernel | simp cong: rev_conj_cong | strengthen None_drop | subst Ex_Some_conv)+ - apply (rule_tac Q="\_. valid_sched and invs and valid_list" and - E="\_. valid_sched and invs and valid_list" + apply (rule_tac Q'="\_. valid_sched and invs and valid_list" and + E'="\_. valid_sched and invs and valid_list" in hoare_strengthen_postE) apply (wp handle_event_valid_sched hoare_vcg_imp_lift' |simp)+ apply (wp handle_event_valid_sched hoare_vcg_if_lift3 diff --git a/proof/refine/AARCH64/Retype_R.thy b/proof/refine/AARCH64/Retype_R.thy index 8f568ea723..9d642869eb 100644 --- a/proof/refine/AARCH64/Retype_R.thy +++ b/proof/refine/AARCH64/Retype_R.thy @@ -4222,7 +4222,7 @@ lemma createNewCaps_cur: cur_tcb' s\ createNewCaps ty ptr n us d \\rv. cur_tcb'\" - apply (rule hoare_post_imp [where Q="\rv s. \t. ksCurThread s = t \ tcb_at' t s"]) + apply (rule hoare_post_imp[where Q'="\rv s. \t. ksCurThread s = t \ tcb_at' t s"]) apply (simp add: cur_tcb'_def) apply (wp hoare_vcg_ex_lift createNewCaps_obj_at') apply (clarsimp simp: pspace_no_overlap'_def cur_tcb'_def valid_pspace'_def) 
@@ -4296,20 +4296,21 @@ lemma createNewCaps_idle'[wp]: split del: if_split) apply (cases ty, simp_all add: Arch_createNewCaps_def split del: if_split) - apply (rename_tac apiobject_type) - apply (case_tac apiobject_type, simp_all split del: if_split)[1] - apply (wp, simp) + apply (rename_tac apiobject_type) + apply (case_tac apiobject_type, simp_all split del: if_split)[1] + apply wpsimp + (* The following step does not use wpsimp to avoid clarsimp_no_cond, which for some reason + leads to a failed proof state. If this could be fixed then the inclusion of + classic_wp_pre could also be removed. *) including classic_wp_pre - apply (wp mapM_x_wp' - createObjects_idle' - threadSet_idle' - | simp add: projectKO_opt_tcb projectKO_opt_cte mult_2 - makeObject_cte makeObject_tcb archObjSize_def - tcb_cte_cases_def objBitsKO_def APIType_capBits_def - objBits_def createObjects_def cteSizeBits_def - | simp add: field_simps - | intro conjI impI - | fastforce simp: curDomain_def)+ + apply (wp mapM_x_wp' createObjects_idle' threadSet_idle' + | simp add: projectKO_opt_tcb projectKO_opt_cte mult_2 + makeObject_cte makeObject_tcb archObjSize_def + tcb_cte_cases_def objBitsKO_def APIType_capBits_def + objBits_def createObjects_def cteSizeBits_def + | simp add: field_simps + | intro conjI impI + | clarsimp simp: curDomain_def)+ done crunch createNewCaps @@ -4329,7 +4330,7 @@ lemma createNewCaps_global_refs': createNewCaps ty ptr n us d \\rv. valid_global_refs'\" apply (simp add: valid_global_refs'_def valid_cap_sizes'_def valid_refs'_def) - apply (rule_tac Q="\rv s. \ptr. \ cte_wp_at' (\cte. (kernel_data_refs \ capRange (cteCap cte) \ {} + apply (rule_tac Q'="\rv s. \ptr. \ cte_wp_at' (\cte. (kernel_data_refs \ capRange (cteCap cte) \ {} \ 2 ^ capBits (cteCap cte) > gsMaxObjectSize s)) ptr s \ global_refs' s \ kernel_data_refs" in hoare_post_imp) apply (auto simp: cte_wp_at_ctes_of linorder_not_less elim!: ranE)[1] 
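Review bot: The new comment before `including classic_wp_pre` documents a workaround without saying what actually fails — "for some reason leads to a failed proof state" gives the next maintainer nothing to reproduce or to retire the workaround against. I would replace it with the observed symptom and a pointer to the tracking item, e.g. `(* Workaround: wpsimp's clarsimp_no_cond leaves a goal here that the remaining alternatives cannot close (record the goal or an issue reference). Once wpsimp handles this step, drop classic_wp_pre and this wp/simp chain. *)`. Separately, the last alternative of the `wp ... | ...)+` loop changes from `fastforce simp: curDomain_def` to `clarsimp simp: curDomain_def`, which is a behavioural change to the tactic that the comment does not mention; if it was needed to make the step go through it deserves a clause in the same comment, and if it was only a cleanup it is safer to say so. The `lemma createNewCaps_idle'[wp]` statement and the start of its proof are outside the hunk.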
@@ -4880,7 +4881,7 @@ proof (rule hoare_gen_asm, elim conjE) "\ct_not_inQ and valid_pspace' and pspace_no_overlap' ptr sz\ createNewCaps ty ptr n us dev \\_. ct_not_inQ\" unfolding ct_not_inQ_def - apply (rule_tac Q="\s. ksSchedulerAction s = ResumeCurrentThread + apply (rule_tac P'="\s. ksSchedulerAction s = ResumeCurrentThread \ (obj_at' (Not \ tcbQueued) (ksCurThread s) s \ valid_pspace' s \ pspace_no_overlap' ptr sz s)" in hoare_pre_imp, clarsimp) @@ -5019,7 +5020,7 @@ lemma createObjects_no_cte_valid_global: createObjects ptr n val gbits \\rv s. valid_global_refs' s\" apply (simp add: valid_global_refs'_def valid_cap_sizes'_def valid_refs'_def) - apply (rule_tac Q="\rv s. \ptr. \ cte_wp_at' (\cte. (kernel_data_refs \ capRange (cteCap cte) \ {} + apply (rule_tac Q'="\rv s. \ptr. \ cte_wp_at' (\cte. (kernel_data_refs \ capRange (cteCap cte) \ {} \ 2 ^ capBits (cteCap cte) > gsMaxObjectSize s)) ptr s \ global_refs' s \ kernel_data_refs" in hoare_post_imp) apply (auto simp: cte_wp_at_ctes_of linorder_not_less elim!: ranE)[1] @@ -5124,7 +5125,7 @@ lemma createObjects_cur': cur_tcb' s\ createObjects ptr n val gbits \\rv s. cur_tcb' s\" - apply (rule hoare_post_imp [where Q="\rv s. \t. ksCurThread s = t \ tcb_at' t s"]) + apply (rule hoare_post_imp[where Q'="\rv s. \t. ksCurThread s = t \ tcb_at' t s"]) apply (simp add: cur_tcb'_def) apply (wp hoare_vcg_ex_lift createObjects_orig_obj_at3) apply (clarsimp simp: cur_tcb'_def) @@ -5210,7 +5211,7 @@ proof - createObjects ptr n val gbits \\_. ct_not_inQ\" (is "\ _; _ \ \ \\s. ct_not_inQ s \ ?REST s\ _ \_\") apply (simp add: ct_not_inQ_def) - apply (rule_tac Q="\s. (ksSchedulerAction s = ResumeCurrentThread) \ + apply (rule_tac P'="\s. (ksSchedulerAction s = ResumeCurrentThread) \ (obj_at' (Not \ tcbQueued) (ksCurThread s) s \ ?REST s)" in hoare_pre_imp, clarsimp) apply (rule hoare_convert_imp [OF createObjects_nosch]) 
diff --git a/proof/refine/AARCH64/Schedule_R.thy b/proof/refine/AARCH64/Schedule_R.thy index 818866bec1..0f31f50b4b 100644 --- a/proof/refine/AARCH64/Schedule_R.thy +++ b/proof/refine/AARCH64/Schedule_R.thy @@ -754,7 +754,7 @@ lemma tcbSchedDequeue_valid_mdb'[wp]: "\valid_mdb' and valid_objs'\ tcbSchedDequeue tcbPtr \\_. valid_mdb'\" unfolding tcbSchedDequeue_def apply (wpsimp simp: bitmap_fun_defs setQueue_def wp: threadSet_mdb' tcbQueueRemove_valid_mdb') - apply (rule_tac Q="\_. tcb_at' tcbPtr" in hoare_post_imp) + apply (rule_tac Q'="\_. tcb_at' tcbPtr" in hoare_post_imp) apply (fastforce simp: tcb_cte_cases_def cteSizeBits_def) apply (wpsimp wp: threadGet_wp)+ apply (fastforce simp: obj_at'_def) @@ -1078,7 +1078,7 @@ lemma tcbSchedDequeue_not_tcbQueued: "\\\ tcbSchedDequeue t \\_. obj_at' (\x. \ tcbQueued x) t\" apply (simp add: tcbSchedDequeue_def) apply (wp|clarsimp)+ - apply (rule_tac Q="\queued. obj_at' (\x. tcbQueued x = queued) t" in hoare_post_imp) + apply (rule_tac Q'="\queued. obj_at' (\x. tcbQueued x = queued) t" in hoare_post_imp) apply (clarsimp simp: obj_at'_def) apply (wpsimp wp: threadGet_wp)+ apply (clarsimp simp: obj_at'_def) @@ -2118,13 +2118,13 @@ lemma schedule_corres: apply (clarsimp simp: conj_ac cong: conj_cong) apply wp - apply (rule_tac Q="\_ s. valid_blocked_except t s \ scheduler_action s = switch_thread t" + apply (rule_tac Q'="\_ s. valid_blocked_except t s \ scheduler_action s = switch_thread t" in hoare_post_imp, fastforce) apply (wp add: tcb_sched_action_enqueue_valid_blocked_except tcbSchedEnqueue_invs'_not_ResumeCurrentThread thread_get_wp del: gets_wp | strengthen valid_objs'_valid_tcbs')+ - apply (clarsimp simp: conj_ac if_apply_def2 cong: imp_cong conj_cong del: hoare_gets) + apply (clarsimp simp: conj_ac if_apply_def2 cong: imp_cong conj_cong) apply (wp gets_wp)+ (* abstract final subgoal *) 
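Review bot: In the `schedule_corres` hunk the `del: hoare_gets` modifier is dropped from the `clarsimp` call, and that is the one change in this file that is not a mechanical `Q` to `Q'` rename. `hoare_gets` appears to be a wp rule rather than a simp rule, so deleting it from the simpset was presumably a no-op and its removal harmless, but that is an inference from the name only; bundling it with the rename hides it, so a one-line mention in the commit description (or keeping the modifier until it is removed in its own change) would make the proof-diff review cleaner. The enclosing `schedule_corres` proof begins and ends outside the hunk.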
@@ -2387,7 +2387,7 @@ lemma schedule_invs': apply (wpsimp wp: scheduleChooseNewThread_invs' ssa_invs' chooseThread_invs_no_cicd' setSchedulerAction_invs' setSchedulerAction_direct switchToThread_tcb_in_cur_domain' switchToThread_ct_not_queued_2 - | wp hoare_disjI2[where R="\_ s. tcb_in_cur_domain' (ksCurThread s) s"] + | wp hoare_disjI2[where Q'="\_ s. tcb_in_cur_domain' (ksCurThread s) s"] | wp hoare_drop_imp[where f="isHighestPrio d p" for d p] | simp only: obj_at'_activatable_st_tcb_at'[simplified comp_def] | strengthen invs'_invs_no_cicd diff --git a/proof/refine/AARCH64/SubMonad_R.thy b/proof/refine/AARCH64/SubMonad_R.thy index de45a90d91..985284603c 100644 --- a/proof/refine/AARCH64/SubMonad_R.thy +++ b/proof/refine/AARCH64/SubMonad_R.thy @@ -76,7 +76,7 @@ lemma threadSet_modify_asUser: apply (clarsimp simp: threadSet_def setObject_def split_def updateObject_default_def) apply wp - apply (rule_tac Q="\rv. obj_at' ((=) rv) t and ((=) st)" in hoare_post_imp) + apply (rule_tac Q'="\rv. obj_at' ((=) rv) t and ((=) st)" in hoare_post_imp) apply (clarsimp simp: asUser_replace_def Let_def obj_at'_def fun_upd_def split: option.split kernel_object.split) apply (wp getObject_obj_at' | clarsimp simp: objBits_simps' atcbContextSet_def)+ diff --git a/proof/refine/AARCH64/Syscall_R.thy b/proof/refine/AARCH64/Syscall_R.thy index eb1f4395d5..92b31ca04f 100644 --- a/proof/refine/AARCH64/Syscall_R.thy +++ b/proof/refine/AARCH64/Syscall_R.thy @@ -340,7 +340,7 @@ lemma threadSet_tcbDomain_update_sch_act_wf[wp]: apply (wps setObject_sa_unchanged) apply (wp hoare_weak_lift_imp getObject_tcb_wp hoare_vcg_all_lift)+ apply (rename_tac word) - apply (rule_tac Q="\_ s. ksSchedulerAction s = SwitchToThread word \ + apply (rule_tac Q'="\_ s. ksSchedulerAction s = SwitchToThread word \ st_tcb_at' runnable' word s \ tcb_in_cur_domain' word s \ word \ t" in hoare_strengthen_post) apply (wp hoare_vcg_all_lift hoare_vcg_conj_lift hoare_vcg_imp_lift)+ 
@@ -377,20 +377,20 @@ lemma setDomain_corres: apply ((wpsimp wp: hoare_vcg_imp_lift' ethread_set_not_queued_valid_queues hoare_vcg_all_lift | strengthen valid_objs'_valid_tcbs' valid_queues_in_correct_ready_q valid_queues_ready_qs_distinct)+)[1] - apply (rule_tac Q="\_. valid_objs' and sym_heap_sched_pointers and valid_sched_pointers + apply (rule_tac Q'="\_. valid_objs' and sym_heap_sched_pointers and valid_sched_pointers and pspace_aligned' and pspace_distinct' and (\s. sch_act_wf (ksSchedulerAction s) s) and tcb_at' tptr" in hoare_strengthen_post[rotated]) apply (fastforce simp: invs'_def valid_state'_def sch_act_wf_weak st_tcb_at'_def o_def) apply (wpsimp wp: threadSet_valid_objs' threadSet_sched_pointers threadSet_valid_sched_pointers)+ - apply (rule_tac Q="\_ s. valid_queues s \ not_queued tptr s + apply (rule_tac Q'="\_ s. valid_queues s \ not_queued tptr s \ pspace_aligned s \ pspace_distinct s \ valid_etcbs s \ weak_valid_sched_action s" in hoare_post_imp) apply (fastforce simp: pred_tcb_at_def obj_at_def) apply (wpsimp wp: tcb_dequeue_not_queued) - apply (rule_tac Q = "\_ s. invs' s \ obj_at' (Not \ tcbQueued) tptr s \ sch_act_simple s + apply (rule_tac Q'="\_ s. invs' s \ obj_at' (Not \ tcbQueued) tptr s \ sch_act_simple s \ tcb_at' tptr s" in hoare_strengthen_post[rotated]) apply (clarsimp simp: invs'_def valid_state'_def valid_pspace'_def sch_act_simple_def) @@ -792,7 +792,7 @@ lemma doReply_invs[wp]: apply simp apply (wp (once) sts_st_tcb') apply wp - apply (rule_tac Q="\_ s. invs' s \ t \ ksIdleThread s \ st_tcb_at' awaiting_reply' t s" + apply (rule_tac Q'="\_ s. invs' s \ t \ ksIdleThread s \ st_tcb_at' awaiting_reply' t s" in hoare_post_imp) apply clarsimp apply (rule conjI, erule pred_tcb'_weakenE, case_tac st, clarsimp+) 
@@ -805,7 +805,7 @@ lemma doReply_invs[wp]: apply (case_tac st, clarsimp+) apply (wp cteDeleteOne_reply_pred_tcb_at)+ apply clarsimp - apply (rule_tac Q="\_. (\s. t \ ksIdleThread s) + apply (rule_tac Q'="\_. (\s. t \ ksIdleThread s) and cte_wp_at' (\cte. \grant. cteCap cte = capability.ReplyCap t False grant) slot" in hoare_strengthen_post [rotated]) @@ -817,7 +817,7 @@ lemma doReply_invs[wp]: apply (erule cte_wp_at_weakenE') apply (fastforce) apply (wp sts_invs_minor'' sts_st_tcb' hoare_weak_lift_imp) - apply (rule_tac Q="\_ s. invs' s \ sch_act_simple s + apply (rule_tac Q'="\_ s. invs' s \ sch_act_simple s \ st_tcb_at' awaiting_reply' t s \ t \ ksIdleThread s" in hoare_post_imp) @@ -832,7 +832,7 @@ lemma doReply_invs[wp]: apply (case_tac st, clarsimp+) apply (wp threadSet_invs_trivial threadSet_st_tcb_at2 hoare_weak_lift_imp | clarsimp simp add: inQ_def)+ - apply (rule_tac Q="\_. invs' and tcb_at' t + apply (rule_tac Q'="\_. invs' and tcb_at' t and sch_act_simple and st_tcb_at' awaiting_reply' t" in hoare_strengthen_post [rotated]) apply clarsimp @@ -949,7 +949,7 @@ lemma setDomain_invs': apply (simp add:setDomain_def ) apply (wp add: when_wp hoare_weak_lift_imp hoare_weak_lift_imp_conj rescheduleRequired_all_invs_but_extra tcbSchedEnqueue_valid_action hoare_vcg_if_lift2) - apply (rule_tac Q = "\r s. all_invs_but_sch_extra s \ curThread = ksCurThread s + apply (rule_tac Q'="\r s. all_invs_but_sch_extra s \ curThread = ksCurThread s \ (ptr \ curThread \ ct_not_inQ s \ sch_act_wf (ksSchedulerAction s) s \ ct_idle_or_in_cur_domain' s)" in hoare_strengthen_post[rotated]) apply (clarsimp simp:invs'_def valid_state'_def st_tcb_at'_def[symmetric] valid_pspace'_def) 
@@ -961,7 +961,7 @@ lemma setDomain_invs': apply assumption apply (wp hoare_weak_lift_imp threadSet_pred_tcb_no_state threadSet_not_curthread_ct_domain threadSet_tcbDomain_update_ct_not_inQ | simp)+ - apply (rule_tac Q = "\r s. invs' s \ curThread = ksCurThread s \ sch_act_simple s + apply (rule_tac Q'="\r s. invs' s \ curThread = ksCurThread s \ sch_act_simple s \ domain \ maxDomain \ (ptr \ curThread \ ct_not_inQ s \ sch_act_not ptr s)" in hoare_strengthen_post[rotated]) @@ -1193,7 +1193,7 @@ lemma handleInvocation_corres: apply (wp reply_from_kernel_tcb_at) apply (rule impI, wp+) apply (wpsimp wp: hoare_drop_imps|strengthen invs_distinct invs_psp_aligned)+ - apply (rule_tac Q="\rv. einvs and schact_is_rct and valid_invocation rve + apply (rule_tac Q'="\rv. einvs and schact_is_rct and valid_invocation rve and (\s. thread = cur_thread s) and st_tcb_at active thread" in hoare_post_imp) @@ -1201,7 +1201,7 @@ lemma handleInvocation_corres: elim!: st_tcb_weakenE) apply (wp sts_st_tcb_at' set_thread_state_simple_sched_action set_thread_state_schact_is_rct set_thread_state_active_valid_sched) - apply (rule_tac Q="\rv. invs' and valid_invocation' rve' + apply (rule_tac Q'="\rv. invs' and valid_invocation' rve' and (\s. thread = ksCurThread s) and st_tcb_at' active' thread and (\s. ksSchedulerAction s = ResumeCurrentThread)" @@ -1213,7 +1213,7 @@ lemma handleInvocation_corres: apply (wp lec_caps_to lsft_ex_cte_cap_to | simp add: split_def liftE_bindE[symmetric] ct_in_state'_def ball_conj_distrib - | rule hoare_vcg_E_elim)+ + | rule hoare_vcg_conj_elimE)+ apply (clarsimp simp: tcb_at_invs invs_valid_objs valid_tcb_state_def ct_in_state_def simple_from_active invs_mdb 
@@ -1282,7 +1282,7 @@ lemma hinv_invs'[wp]: apply (clarsimp simp: valid_idle'_def valid_state'_def invs'_def pred_tcb_at'_def obj_at'_def idle_tcb'_def) apply wp+ - apply (rule_tac Q="\rv'. invs' and valid_invocation' rv + apply (rule_tac Q'="\rv'. invs' and valid_invocation' rv and (\s. ksSchedulerAction s = ResumeCurrentThread) and (\s. ksCurThread s = thread) and st_tcb_at' active' thread" @@ -1484,7 +1484,7 @@ lemma handleRecv_isBlocking_corres': apply (rule handleFault_corres) apply simp apply (wp get_simple_ko_wp | wpcw | simp)+ - apply (rule hoare_vcg_E_elim) + apply (rule hoare_vcg_conj_elimE) apply (simp add: lookup_cap_def lookup_slot_for_thread_def) apply wp apply (simp add: split_def) @@ -1532,14 +1532,14 @@ lemma hw_invs'[wp]: deleteCallerCap_ct'] | wpc | simp add: ct_in_state'_def whenE_def split del: if_split)+ apply (rule validE_validE_R) - apply (rule_tac Q="\rv s. invs' s + apply (rule_tac Q'="\rv s. invs' s \ sch_act_sane s \ thread = ksCurThread s \ ct_in_state' simple' s \ ex_nonz_cap_to' thread s \ thread \ ksIdleThread s \ (\x \ zobj_refs' rv. ex_nonz_cap_to' x s)" - and E="\_ _. True" + and E'="\_ _. True" in hoare_strengthen_postE[rotated]) apply (clarsimp simp: isCap_simps ct_in_state'_def pred_tcb_at' invs_valid_objs' sch_act_sane_not obj_at'_def pred_tcb_at'_def) @@ -1588,7 +1588,7 @@ lemma hy_invs': "\invs' and ct_active'\ handleYield \\r. invs' and ct_active'\" apply (simp add: handleYield_def) apply (wpsimp wp: ct_in_state_thread_state_lift' rescheduleRequired_all_invs_but_ct_not_inQ) - apply (rule_tac Q="\_. all_invs_but_ct_not_inQ' and ct_active'" in hoare_post_imp) + apply (rule_tac Q'="\_. all_invs_but_ct_not_inQ' and ct_active'" in hoare_post_imp) apply clarsimp apply (subst pred_conj_def) apply (rule hoare_vcg_conj_lift) 
@@ -1812,7 +1812,7 @@ lemma handleReply_nonz_cap_to_ct: "\ct_active' and invs' and sch_act_simple\ handleReply \\rv s. ex_nonz_cap_to' (ksCurThread s) s\" - apply (rule_tac Q="\rv. ct_active' and invs'" + apply (rule_tac Q'="\rv. ct_active' and invs'" in hoare_post_imp) apply (auto simp: ct_in_state'_def elim: st_tcb_ex_cap'')[1] apply (wp | simp)+ diff --git a/proof/refine/AARCH64/TcbAcc_R.thy b/proof/refine/AARCH64/TcbAcc_R.thy index c7b00e02f3..ee1063afae 100644 --- a/proof/refine/AARCH64/TcbAcc_R.thy +++ b/proof/refine/AARCH64/TcbAcc_R.thy @@ -1093,7 +1093,7 @@ lemma threadSet_obj_at'_really_strongest: apply (simp add: threadSet_def) apply (wp setObject_tcb_strongest) apply (subst simp_thms(32)[symmetric], rule hoare_vcg_disj_lift) - apply (rule hoare_post_imp [where Q="\rv s. \ tcb_at' t s \ tcb_at' t s"]) + apply (rule hoare_post_imp[where Q'="\rv s. \ tcb_at' t s \ tcb_at' t s"]) apply simp apply (subst simp_thms(21)[symmetric], rule hoare_vcg_conj_lift) apply (rule getObject_inv_tcb) @@ -1179,7 +1179,7 @@ proof - show ?thesis apply (rule_tac P=P in P_bool_lift) apply (rule pos) - apply (rule_tac Q="\_ s. \ tcb_at' t' s \ pred_tcb_at' proj (\tcb. \ P' tcb) t' s" + apply (rule_tac Q'="\_ s. \ tcb_at' t' s \ pred_tcb_at' proj (\tcb. \ P' tcb) t' s" in hoare_post_imp) apply (erule disjE) apply (clarsimp dest!: pred_tcb_at') @@ -3344,7 +3344,7 @@ lemma sts_valid_objs': setThreadState st t \\_. valid_objs'\" apply (wpsimp simp: setThreadState_def wp: threadSet_valid_objs') - apply (rule_tac Q="\_. valid_objs' and pspace_aligned' and pspace_distinct'" in hoare_post_imp) + apply (rule_tac Q'="\_. valid_objs' and pspace_aligned' and pspace_distinct'" in hoare_post_imp) apply fastforce apply (wpsimp wp: threadSet_valid_objs') apply (simp add: valid_tcb'_def tcb_cte_cases_def cteSizeBits_def) 
@@ -3608,7 +3608,7 @@ lemma sts_sch_act': apply assumption apply (case_tac "runnable' st") apply ((wp threadSet_runnable_sch_act hoare_drop_imps | simp)+)[1] - apply (rule_tac Q="\rv s. st_tcb_at' (Not \ runnable') t s \ + apply (rule_tac Q'="\rv s. st_tcb_at' (Not \ runnable') t s \ (ksCurThread s \ t \ ksSchedulerAction s \ ResumeCurrentThread \ sch_act_wf (ksSchedulerAction s) s)" in hoare_post_imp) @@ -3628,10 +3628,10 @@ lemma sts_sch_act[wp]: prefer 2 apply assumption apply (case_tac "runnable' st") - apply (rule_tac Q="\s. sch_act_wf (ksSchedulerAction s) s" + apply (rule_tac P'="\s. sch_act_wf (ksSchedulerAction s) s" in hoare_pre_imp, simp) apply ((wp hoare_drop_imps threadSet_runnable_sch_act | simp)+)[1] - apply (rule_tac Q="\rv s. st_tcb_at' (Not \ runnable') t s \ + apply (rule_tac Q'="\rv s. st_tcb_at' (Not \ runnable') t s \ (ksCurThread s \ t \ ksSchedulerAction s \ ResumeCurrentThread \ sch_act_wf (ksSchedulerAction s) s)" in hoare_post_imp) @@ -3907,7 +3907,7 @@ lemma addToBitmap_valid_bitmapQ: addToBitmap d p \\_. valid_bitmapQ\" (is "\?pre\ _ \_\") - apply (rule_tac Q="\_ s. ?pre s \ bitmapQ d p s" in hoare_strengthen_post) + apply (rule_tac Q'="\_ s. ?pre s \ bitmapQ d p s" in hoare_strengthen_post) apply (wpsimp wp: addToBitmap_valid_bitmapQ_except addToBitmap_bitmapQ) apply (fastforce elim: valid_bitmap_valid_bitmapQ_exceptE) done @@ -4603,7 +4603,7 @@ lemma ct_in_state'_decomp: assumes x: "\\s. t = (ksCurThread s)\ f \\rv s. t = (ksCurThread s)\" assumes y: "\Pre\ f \\rv. st_tcb_at' Prop t\" shows "\\s. Pre s \ t = (ksCurThread s)\ f \\rv. ct_in_state' Prop\" - apply (rule hoare_post_imp [where Q="\rv s. t = ksCurThread s \ st_tcb_at' Prop t s"]) + apply (rule hoare_post_imp[where Q'="\rv s. t = ksCurThread s \ st_tcb_at' Prop t s"]) apply (clarsimp simp add: ct_in_state'_def) apply (rule hoare_weaken_pre) apply (wp x y) 
@@ -4674,7 +4674,7 @@ lemma setQueue_pred_tcb_at[wp]: unfolding pred_tcb_at'_def apply (rule_tac P=P' in P_bool_lift) apply (rule setQueue_obj_at) - apply (rule_tac Q="\_ s. \typ_at' TCBT t s \ obj_at' (Not \ (P \ proj \ tcb_to_itcb')) t s" + apply (rule_tac Q'="\_ s. \typ_at' TCBT t s \ obj_at' (Not \ (P \ proj \ tcb_to_itcb')) t s" in hoare_post_imp, simp add: not_obj_at' o_def) apply (wp hoare_vcg_disj_lift) apply (clarsimp simp: not_obj_at' o_def) @@ -4953,7 +4953,7 @@ lemma sts_iflive'[wp]: \\rv. if_live_then_nonz_cap'\" apply (simp add: setThreadState_def setQueue_def) apply wpsimp - apply (rule_tac Q="\rv. if_live_then_nonz_cap' and pspace_aligned' and pspace_distinct'" + apply (rule_tac Q'="\rv. if_live_then_nonz_cap' and pspace_aligned' and pspace_distinct'" in hoare_post_imp) apply clarsimp apply (wpsimp wp: threadSet_iflive') @@ -5097,7 +5097,7 @@ lemma tcbSchedEnqueue_ct_not_inQ: proof - have ts: "\?PRE\ threadSet (tcbQueued_update (\_. True)) t \\_. ct_not_inQ\" apply (simp add: ct_not_inQ_def) - apply (rule_tac Q="\s. ksSchedulerAction s = ResumeCurrentThread + apply (rule_tac P'="\s. ksSchedulerAction s = ResumeCurrentThread \ obj_at' (Not \ tcbQueued) (ksCurThread s) s \ ksCurThread s \ t" in hoare_pre_imp, clarsimp) apply (rule hoare_convert_imp [OF threadSet_nosch]) @@ -5124,7 +5124,7 @@ lemma tcbSchedAppend_ct_not_inQ: proof - have ts: "\?PRE\ threadSet (tcbQueued_update (\_. True)) t \\_. ct_not_inQ\" apply (simp add: ct_not_inQ_def) - apply (rule_tac Q="\s. ksSchedulerAction s = ResumeCurrentThread + apply (rule_tac P'="\s. ksSchedulerAction s = ResumeCurrentThread \ obj_at' (Not \ tcbQueued) (ksCurThread s) s \ ksCurThread s \ t" in hoare_pre_imp, clarsimp) apply (rule hoare_convert_imp [OF threadSet_nosch]) 
@@ -5151,7 +5151,7 @@ lemma setSchedulerAction_direct: lemma rescheduleRequired_ct_not_inQ: "\\\ rescheduleRequired \\_. ct_not_inQ\" apply (simp add: rescheduleRequired_def ct_not_inQ_def) - apply (rule_tac Q="\_ s. ksSchedulerAction s = ChooseNewThread" + apply (rule_tac Q'="\_ s. ksSchedulerAction s = ChooseNewThread" in hoare_post_imp, clarsimp) apply (wp setSchedulerAction_direct) done @@ -5222,7 +5222,7 @@ lemma setThreadState_ct_not_inQ: including no_pre apply (simp add: setThreadState_def) apply (wp rescheduleRequired_ct_not_inQ) - apply (rule_tac Q="\_. ?PRE" in hoare_post_imp, clarsimp) + apply (rule_tac Q'="\_. ?PRE" in hoare_post_imp, clarsimp) apply (wp) done @@ -5379,7 +5379,7 @@ lemma removeFromBitmap_valid_bitmapQ[wp]: removeFromBitmap d p \\_. valid_bitmapQ\" (is "\?pre\ _ \_\") - apply (rule_tac Q="\_ s. ?pre s \ \ bitmapQ d p s" in hoare_strengthen_post) + apply (rule_tac Q'="\_ s. ?pre s \ \ bitmapQ d p s" in hoare_strengthen_post) apply (wpsimp wp: removeFromBitmap_valid_bitmapQ_except removeFromBitmap_bitmapQ) apply (fastforce elim: valid_bitmap_valid_bitmapQ_exceptE) done diff --git a/proof/refine/AARCH64/Tcb_R.thy b/proof/refine/AARCH64/Tcb_R.thy index 1a78ef01fd..506b267cf8 100644 --- a/proof/refine/AARCH64/Tcb_R.thy +++ b/proof/refine/AARCH64/Tcb_R.thy @@ -82,7 +82,7 @@ abbreviation lemma gts_st_tcb': "\tcb_at' t\ getThreadState t \\rv. st_tcb_at' (\st. st = rv) t\" apply (rule hoare_weaken_pre) - apply (rule hoare_post_imp[where Q="\rv s. \rv'. rv = rv' \ st_tcb_at' (\st. st = rv') t s"]) + apply (rule hoare_post_imp[where Q'="\rv s. \rv'. rv = rv' \ st_tcb_at' (\st. st = rv') t s"]) apply simp apply (wp hoare_vcg_ex_lift) apply (clarsimp simp add: pred_tcb_at'_def obj_at'_def) 
@@ -107,15 +107,15 @@ lemma activate_invs': apply (case_tac rv; simp add: isTS_defs split del: if_split cong: if_cong) apply (wp) apply (clarsimp simp: ct_in_state'_def) - apply (rule_tac Q="\rv. invs' and ct_idle'" in hoare_post_imp, simp) + apply (rule_tac Q'="\rv. invs' and ct_idle'" in hoare_post_imp, simp) apply (wp activateIdle_invs) apply (clarsimp simp: ct_in_state'_def) - apply (rule_tac Q="\rv. invs' and ct_running' and sch_act_simple" + apply (rule_tac Q'="\rv. invs' and ct_running' and sch_act_simple" in hoare_post_imp, simp) apply (rule hoare_weaken_pre) apply (wp ct_in_state'_set asUser_ct sts_invs_minor' | wp (once) sch_act_simple_lift)+ - apply (rule_tac Q="\_. st_tcb_at' runnable' thread + apply (rule_tac Q'="\_. st_tcb_at' runnable' thread and sch_act_simple and invs' and (\s. thread = ksCurThread s)" in hoare_post_imp, clarsimp) @@ -185,7 +185,7 @@ lemma setupReplyMaster_weak_sch_act_wf[wp]: \\rv s. weak_sch_act_wf (ksSchedulerAction s) s\" apply (simp add: setupReplyMaster_def) apply (wp) - apply (rule_tac Q="\_ s. weak_sch_act_wf (ksSchedulerAction s) s" + apply (rule_tac Q'="\_ s. weak_sch_act_wf (ksSchedulerAction s) s" in hoare_post_imp, clarsimp) apply (wp)+ apply assumption @@ -211,11 +211,11 @@ lemma restart_corres: apply (wp set_thread_state_runnable_weak_valid_sched_action sts_st_tcb_at' sts_st_tcb' sts_valid_objs' | clarsimp simp: valid_tcb_state'_def | strengthen valid_objs'_valid_tcbs')+ - apply (rule_tac Q="\rv. valid_sched and cur_tcb and pspace_aligned and pspace_distinct" + apply (rule_tac Q'="\rv. valid_sched and cur_tcb and pspace_aligned and pspace_distinct" in hoare_strengthen_post) apply wp apply (fastforce simp: valid_sched_def valid_sched_action_def) - apply (rule_tac Q="\rv. invs' and ex_nonz_cap_to' t" in hoare_strengthen_post) + apply (rule_tac Q'="\rv. invs' and ex_nonz_cap_to' t" in hoare_strengthen_post) apply wp apply (clarsimp simp: invs'_def valid_state'_def sch_act_wf_weak valid_pspace'_def valid_tcb_state'_def) 
@@ -347,11 +347,11 @@ lemma invokeTCB_WriteRegisters_corres: valid_sched_valid_queues valid_objs'_valid_tcbs' invs_valid_objs' | clarsimp simp: invs_def valid_state_def valid_sched_def invs'_def valid_state'_def dest!: global'_no_ex_cap idle_no_ex_cap)+)[2] - apply (rule_tac Q="\_. einvs and tcb_at dest and ex_nonz_cap_to dest" in hoare_post_imp) + apply (rule_tac Q'="\_. einvs and tcb_at dest and ex_nonz_cap_to dest" in hoare_post_imp) apply (fastforce simp: invs_def valid_sched_weak_strg valid_sched_def valid_state_def dest!: idle_no_ex_cap) prefer 2 - apply (rule_tac Q="\_. invs' and tcb_at' dest and ex_nonz_cap_to' dest" in hoare_post_imp) + apply (rule_tac Q'="\_. invs' and tcb_at' dest and ex_nonz_cap_to' dest" in hoare_post_imp) apply (fastforce simp: sch_act_wf_weak invs'_def valid_state'_def dest!: global'_no_ex_cap) apply (wpsimp simp: archThreadGet_def)+ apply fastforce @@ -457,10 +457,10 @@ proof - apply (rule_tac P=\ and P'=\ in corres_inst) apply simp apply (solves \wp hoare_weak_lift_imp\)+ - apply (rule_tac Q="\_. einvs and tcb_at dest" in hoare_post_imp) + apply (rule_tac Q'="\_. einvs and tcb_at dest" in hoare_post_imp) apply (fastforce simp: invs_def valid_state_def valid_pspace_def valid_sched_weak_strg valid_sched_def) prefer 2 - apply (rule_tac Q="\_. invs' and tcb_at' dest" in hoare_post_imp) + apply (rule_tac Q'="\_. invs' and tcb_at' dest" in hoare_post_imp) apply (fastforce simp: invs'_def valid_state'_def invs_weak_sch_act_wf cur_tcb'_def) apply ((wp mapM_x_wp' hoare_weak_lift_imp | (simp add: cur_tcb'_def[symmetric])+)+)[8] apply ((wp hoare_weak_lift_imp restart_invs' | wpc | clarsimp simp: if_apply_def2)+)[2] 
@@ -528,7 +528,7 @@ lemma tcbSchedDequeue_not_queued: \\rv. obj_at' (Not \ tcbQueued) t\" apply (simp add: tcbSchedDequeue_def) apply (wp | simp)+ - apply (rule_tac Q="\rv. obj_at' (\obj. tcbQueued obj = rv) t" + apply (rule_tac Q'="\rv. obj_at' (\obj. tcbQueued obj = rv) t" in hoare_post_imp) apply (clarsimp simp: obj_at'_def) apply (wp tg_sp' [where P=\, simplified] | simp)+ @@ -1401,7 +1401,7 @@ proof - have B: "\t v. \invs' and tcb_at' t\ threadSet (tcbFaultHandler_update v) t \\rv. invs'\" by (wp threadSet_invs_trivial | clarsimp simp: inQ_def)+ note stuff = Z B out_invs_trivial hoare_case_option_wp - hoare_vcg_const_Ball_lift hoare_vcg_const_Ball_lift_R + hoare_vcg_const_Ball_lift hoare_vcg_const_Ball_liftE_R cap_delete_deletes cap_delete_valid_cap out_valid_objs cap_insert_objs cteDelete_deletes cteDelete_sch_act_simple @@ -1436,7 +1436,7 @@ proof - apply (rule corres_returnOkTT, simp) apply wp apply wp - apply (wpsimp wp: hoare_vcg_const_imp_lift_R hoare_vcg_const_imp_lift + apply (wpsimp wp: hoare_vcg_const_imp_liftE_R hoare_vcg_const_imp_lift hoare_vcg_all_liftE_R hoare_vcg_all_lift as_user_invs thread_set_ipc_tcb_cap_valid thread_set_tcb_ipc_buffer_cap_cleared_invs @@ -1457,7 +1457,7 @@ proof - threadSet_invs_tcbIPCBuffer_update threadSet_cte_wp_at' | strengthen simple_sched_action_sched_act_not)+ apply ((wpsimp wp: stuff hoare_vcg_all_liftE_R hoare_vcg_all_lift - hoare_vcg_const_imp_lift_R hoare_vcg_const_imp_lift + hoare_vcg_const_imp_liftE_R hoare_vcg_const_imp_lift threadSet_valid_objs' thread_set_not_state_valid_sched thread_set_tcb_ipc_buffer_cap_cleared_invs thread_set_cte_wp_at_trivial thread_set_no_cap_to_trivial getThreadBufferSlot_dom_tcb_cte_cases 
@@ -1492,7 +1492,7 @@ proof - in hoare_strengthen_postE_R[simplified validE_R_def, rotated]) apply (case_tac g'; clarsimp simp: isCap_simps ; clarsimp cong:imp_cong) apply (wp add: stuff hoare_vcg_all_liftE_R hoare_vcg_all_lift - hoare_vcg_const_imp_lift_R hoare_vcg_const_imp_lift setMCPriority_invs' + hoare_vcg_const_imp_liftE_R hoare_vcg_const_imp_lift setMCPriority_invs' threadSet_valid_objs' thread_set_not_state_valid_sched setP_invs' typ_at_lifts [OF setPriority_typ_at'] typ_at_lifts [OF setMCPriority_typ_at'] 
@@ -1570,15 +1570,15 @@ lemma tc_invs':
 apply (wpsimp wp: hoare_weak_lift_imp hoare_vcg_all_lift checkCap_inv[where P="tcb_at' t" for t]
 assertDerived_wp_weak threadSet_invs_trivial2 threadSet_tcb' hoare_vcg_all_lift
 threadSet_cte_wp_at')+
- apply (wpsimp wp: hoare_weak_lift_imp_R cteDelete_deletes
- hoare_vcg_all_liftE_R hoare_vcg_conj_liftE1 hoare_vcg_const_imp_lift_R hoare_vcg_propE_R
+ apply (wpsimp wp: hoare_weak_lift_impE_R cteDelete_deletes
+ hoare_vcg_all_liftE_R hoare_vcg_conj_liftE1 hoare_vcg_const_imp_liftE_R hoare_vcg_propE_R
 cteDelete_invs' cteDelete_invs' cteDelete_typ_at'_lifts)+
 apply (assumption | clarsimp cong: conj_cong imp_cong | (rule case_option_wp_None_returnOk)
 | wpsimp wp: hoare_weak_lift_imp hoare_vcg_all_lift checkCap_inv[where P="tcb_at' t" for t]
 assertDerived_wp_weak hoare_vcg_imp_lift' hoare_vcg_all_lift checkCap_inv[where P="tcb_at' t" for t]
 checkCap_inv[where P="valid_cap' c" for c] checkCap_inv[where P=sch_act_simple]
- hoare_vcg_const_imp_lift_R assertDerived_wp_weak hoare_weak_lift_imp_R cteDelete_deletes
- hoare_vcg_all_liftE_R hoare_vcg_conj_liftE1 hoare_vcg_const_imp_lift_R hoare_vcg_propE_R
+ hoare_vcg_const_imp_liftE_R assertDerived_wp_weak hoare_weak_lift_impE_R cteDelete_deletes
+ hoare_vcg_all_liftE_R hoare_vcg_conj_liftE1 hoare_vcg_const_imp_liftE_R hoare_vcg_propE_R
 cteDelete_invs' cteDelete_typ_at'_lifts cteDelete_sch_act_simple)+
 apply (clarsimp simp: tcb_cte_cases_def cte_level_bits_def objBits_defs tcbIPCBufferSlot_def)
 by (auto dest!: isCapDs isReplyCapD isValidVTableRootD simp: isCap_simps)
@@ -2641,7 +2641,7 @@ lemma inv_tcb_IRQInactive:
 apply (rule hoare_pre)
 apply (wpc | wp withoutPreemption_R cteDelete_IRQInactive checkCap_inv
- hoare_vcg_const_imp_lift_R cteDelete_irq_states'
+ hoare_vcg_const_imp_liftE_R cteDelete_irq_states'
 hoare_vcg_const_imp_lift
 | simp add: split_def)+
 done
diff --git a/proof/refine/AARCH64/Untyped_R.thy b/proof/refine/AARCH64/Untyped_R.thy
index 69ae323abb..5ab6f6043a 100644
--- a/proof/refine/AARCH64/Untyped_R.thy
+++ b/proof/refine/AARCH64/Untyped_R.thy
@@ -400,7 +400,7 @@ next
 apply (simp add: word_le_nat_alt)
 apply (simp add: unat_arith_simps)
 apply wpsimp+
- apply (rule hoare_strengthen_post [where Q = "\r. invs and valid_cap r and cte_at slot"])
+ apply (rule hoare_strengthen_post[where Q'="\r. invs and valid_cap r and cte_at slot"])
 apply wp+
 apply (clarsimp simp: is_cap_simps bits_of_def cap_aligned_def valid_cap_def
 word_bits_def)
@@ -408,7 +408,7 @@ next
 apply (strengthen refl exI[mk_strg I E] exI[where x=d])+
 apply simp
 apply wp+
- apply (rule hoare_strengthen_post [where Q = "\r. invs' and cte_at' (cte_map slot)"])
+ apply (rule hoare_strengthen_post[where Q'="\r. invs' and cte_at' (cte_map slot)"])
 apply wp+
 apply (clarsimp simp:invs_pspace_aligned' invs_pspace_distinct')
 apply (wp whenE_throwError_wp | wp (once) hoare_drop_imps)+
@@ -3167,7 +3167,7 @@ lemma createNewCaps_parent_helper:
 (\tup\set (zip (xs rv) rv).
 sameRegionAs (cteCap cte) (snd tup))) p\"
- apply (rule hoare_post_imp [where Q="\rv s. \cte. cte_wp_at' ((=) cte) p s
+ apply (rule hoare_post_imp[where Q'="\rv s. \cte. cte_wp_at' ((=) cte) p s
 \ isUntypedCap (cteCap cte)
 \ (\tup\set (zip (xs rv) rv).
 sameRegionAs (cteCap cte) (snd tup))"])
@@ -4564,7 +4564,7 @@ lemma resetUntypedCap_invs_etc:
 | strengthen invs_pspace_aligned' invs_pspace_distinct'
 | simp add: ct_in_state'_def sch_act_simple_def
- | rule hoare_vcg_conj_lift_R
+ | rule hoare_vcg_conj_liftE_R
 | wp (once) preemptionPoint_inv
 | wps
 | wp (once) ex_cte_cap_to'_pres)+
@@ -5240,7 +5240,7 @@ lemma insertNewCap_valid_irq_handlers:
 lemma insertNewCap_ct_idle_or_in_cur_domain'[wp]:
 "\ct_idle_or_in_cur_domain' and ct_active'\ insertNewCap parent slot cap \\_. ct_idle_or_in_cur_domain'\"
 apply (wp ct_idle_or_in_cur_domain'_lift_futz[where Q=\])
-apply (rule_tac Q="\_. obj_at' (\tcb. tcbState tcb \ Structures_H.thread_state.Inactive) t and obj_at' (\tcb. d = tcbDomain tcb) t"
+apply (rule_tac Q'="\_. obj_at' (\tcb. tcbState tcb \ Structures_H.thread_state.Inactive) t and obj_at' (\tcb. d = tcbDomain tcb) t"
 in hoare_strengthen_post)
 apply (wp | clarsimp elim: obj_at'_weakenE)+
 apply (auto simp: obj_at'_def)
diff --git a/proof/refine/AARCH64/VSpace_R.thy b/proof/refine/AARCH64/VSpace_R.thy
index 5a11965cf1..8c9711ad8b 100644
--- a/proof/refine/AARCH64/VSpace_R.thy
+++ b/proof/refine/AARCH64/VSpace_R.thy
@@ -907,7 +907,7 @@ lemma setVCPU_valid_arch':
 lemma setObject_vcpu_no_tcb_update:
 "\ vcpuTCBPtr (f vcpu) = vcpuTCBPtr vcpu \ \ \ valid_objs' and ko_at' (vcpu :: vcpu) p\ setObject p (f vcpu) \ \_. valid_objs' \"
- apply (rule_tac Q="valid_objs' and (ko_at' vcpu p and valid_obj' (KOArch (KOVCPU vcpu)))" in hoare_pre_imp)
+ apply (rule_tac P'="valid_objs' and (ko_at' vcpu p and valid_obj' (KOArch (KOVCPU vcpu)))" in hoare_pre_imp)
 apply (clarsimp)
 apply (simp add: valid_obj'_def)
 apply (drule (1) ko_at_valid_objs', simp)
@@ -1843,7 +1843,7 @@ lemma deleteASID_corres [corres]:
 wp: set_asid_pool_None_vmid_inv set_asid_pool_vspace_objs_unmap_single)
 apply (wp getASID_wp)+
 apply (rename_tac p pool pool' a b)
- apply (rule_tac Q="\_ s. invs s \
+ apply (rule_tac Q'="\_ s. invs s \
 (\high. asid_table s high = Some p \
 vmid_for_asid s (asid_of high (asid_low_bits_of asid)) = None)"
 in hoare_strengthen_post)
diff --git a/proof/refine/AARCH64/orphanage/Orphanage.thy b/proof/refine/AARCH64/orphanage/Orphanage.thy
index d8c025312b..ad6b472205 100644
--- a/proof/refine/AARCH64/orphanage/Orphanage.thy
+++ b/proof/refine/AARCH64/orphanage/Orphanage.thy
@@ -558,7 +558,7 @@ lemma tcbSchedDequeue_no_orphans[wp]:
 apply (rule hoare_allI)
 apply (rename_tac tcb_ptr)
 apply (case_tac "tcb_ptr = tcbPtr")
- apply (rule_tac Q="\_ s. st_tcb_at' (\state. \ is_active_thread_state state) tcbPtr s"
+ apply (rule_tac Q'="\_ s. st_tcb_at' (\state. \ is_active_thread_state state) tcbPtr s"
 in hoare_post_imp)
 apply fastforce
 apply wpsimp
@@ -575,7 +575,7 @@ lemma switchToIdleThread_no_orphans' [wp]:
 apply (clarsimp simp: switchToIdleThread_def setCurThread_def AARCH64_H.switchToIdleThread_def)
 apply (simp add: no_orphans_disj all_queued_tcb_ptrs_def)
 apply (wpsimp wp: hoare_vcg_all_lift hoare_vcg_disj_lift
- hoare_drop_imp[where R="\_. idleThreadNotQueued"] hoare_vcg_imp_lift')
+ hoare_drop_imp[where Q'="\_. idleThreadNotQueued"] hoare_vcg_imp_lift')
 apply (force simp: is_active_tcb_ptr_def st_tcb_at_neg' typ_at_tcb')
 done
@@ -862,7 +862,7 @@ proof -
 \\_. no_orphans\"
 apply (wpsimp wp: scheduleChooseNewThread_no_orphans ssa_no_orphans
 hoare_vcg_all_lift ThreadDecls_H_switchToThread_no_orphans)+
- apply (rule_tac Q="\_ s. (t = candidate \ ksCurThread s = candidate) \
+ apply (rule_tac Q'="\_ s. (t = candidate \ ksCurThread s = candidate) \
 (t \ candidate \ sch_act_not t s)"
 in hoare_post_imp)
 apply (wpsimp wp: stt_nosch hoare_weak_lift_imp)+
@@ -1072,7 +1072,7 @@ lemma sendIPC_no_orphans [wp]:
 possibleSwitchTo_almost_no_orphans'
 | wpc | clarsimp simp: is_active_thread_state_def isRestart_def isRunning_def)+
- apply (rule_tac Q="\rv. no_orphans and valid_objs' and ko_at' rv epptr
+ apply (rule_tac Q'="\rv. no_orphans and valid_objs' and ko_at' rv epptr
 and (\s. sch_act_wf (ksSchedulerAction s) s)" in hoare_post_imp)
 apply (fastforce simp: valid_objs'_def valid_obj'_def valid_ep'_def obj_at'_def)
 apply (wp get_ep_sp' | clarsimp)+
@@ -1277,7 +1277,7 @@ lemma cancelAllIPC_no_orphans [wp]:
 and I="no_orphans and (\s. \t\set list. tcb_at' t s)"
 in mapM_x_inv_wp2
 | clarsimp simp: valid_tcb_state'_def)+
- apply (rule_tac Q="\rv. no_orphans and valid_objs' and pspace_aligned' and pspace_distinct' and
+ apply (rule_tac Q'="\rv. no_orphans and valid_objs' and pspace_aligned' and pspace_distinct' and
 ko_at' rv epptr"
 in hoare_post_imp)
 apply (fastforce simp: valid_obj'_def valid_ep'_def obj_at'_def)
@@ -1301,7 +1301,7 @@ lemma cancelAllSignals_no_orphans [wp]:
 apply (wp sts_valid_objs' set_ntfn_valid_objs' sts_st_tcb' hoare_vcg_const_Ball_lift
 tcbSchedEnqueue_almost_no_orphans| clarsimp simp: valid_tcb_state'_def)+
- apply (rule_tac Q="\rv. no_orphans and valid_objs' and pspace_aligned' and pspace_distinct' and
+ apply (rule_tac Q'="\rv. no_orphans and valid_objs' and pspace_aligned' and pspace_distinct' and
 ko_at' rv ntfn"
 in hoare_post_imp)
 apply (fastforce simp: valid_obj'_def valid_ntfn'_def obj_at'_def)
@@ -1442,7 +1442,7 @@ lemma deleteASIDPool_no_orphans [wp]:
 \ \rv s. no_orphans s \"
 unfolding deleteASIDPool_def
 apply (wp | clarsimp)+
- apply (rule_tac Q="\rv s. no_orphans s" in hoare_post_imp)
+ apply (rule_tac Q'="\rv s. no_orphans s" in hoare_post_imp)
 apply (clarsimp simp: no_orphans_def all_queued_tcb_ptrs_def all_active_tcb_ptrs_def
 is_active_tcb_ptr_def)
 apply (wp mapM_wp_inv getObject_inv loadObject_default_inv | clarsimp)+
@@ -1541,7 +1541,7 @@ lemma cteRevoke_no_orphans [wp]:
 "\ \s. no_orphans s \ invs' s \ sch_act_simple s \
 cteRevoke ptr
 \ \rv s. no_orphans s \"
- apply (rule_tac Q="\rv s. no_orphans s \ invs' s \ sch_act_simple s" in hoare_strengthen_post)
+ apply (rule_tac Q'="\rv s. no_orphans s \ invs' s \ sch_act_simple s" in hoare_strengthen_post)
 apply (wpsimp wp: cteRevoke_preservation cteDelete_invs' cteDelete_sch_act_simple)+
 done
@@ -1564,7 +1564,7 @@ lemma doReplyTransfer_no_orphans[wp]:
 | wpc | clarsimp simp: is_active_thread_state_def isRunning_def isRestart_def
 | wp (once) hoare_drop_imps | strengthen sch_act_wf_weak)+
- apply (rule_tac Q="\rv. invs' and no_orphans" in hoare_post_imp)
+ apply (rule_tac Q'="\rv. invs' and no_orphans" in hoare_post_imp)
 apply (fastforce simp: inQ_def)
 apply (wp hoare_drop_imps | clarsimp)+
 apply (clarsimp simp:invs'_def valid_state'_def valid_pspace'_def)
@@ -1638,7 +1638,7 @@ lemma setPriority_no_orphans[wp]:
 \\_. no_orphans\"
 unfolding setPriority_def
 apply wpsimp
- apply (rule_tac Q="\_ s. almost_no_orphans tptr s \ weak_sch_act_wf (ksSchedulerAction s) s" in hoare_post_imp)
+ apply (rule_tac Q'="\_ s. almost_no_orphans tptr s \ weak_sch_act_wf (ksSchedulerAction s) s" in hoare_post_imp)
 apply clarsimp
 apply (clarsimp simp: is_active_tcb_ptr_runnable' pred_tcb_at'_def obj_at'_def almost_no_orphans_no_orphans
 elim!: almost_no_orphans_no_orphans')
@@ -1690,7 +1690,7 @@ lemma tc_no_orphans:
 checkCap_inv[where P="valid_cap' c" for c] checkCap_inv[where P=sch_act_simple]
 checkCap_inv[where P=no_orphans] checkCap_inv[where P="tcb_at' a"]
 threadSet_cte_wp_at' hoare_vcg_all_liftE_R hoare_vcg_all_lift threadSet_no_orphans
- hoare_vcg_const_imp_lift_R hoare_weak_lift_imp hoare_drop_imp threadSet_ipcbuffer_invs
+ hoare_vcg_const_imp_liftE_R hoare_weak_lift_imp hoare_drop_imp threadSet_ipcbuffer_invs
 | (simp add: locateSlotTCB_def locateSlotBasic_def objBits_def objBitsKO_def
 tcbIPCBufferSlot_def tcb_cte_cases_def, wp hoare_return_sp)
@@ -1791,7 +1791,7 @@ lemma performASIDControlInvocation_no_orphans [wp]:
 apply (clarsimp simp: performASIDControlInvocation_def
 split: asidcontrol_invocation.splits)
 apply (wp hoare_weak_lift_imp | clarsimp)+
- apply (rule_tac Q="\rv s. no_orphans s" in hoare_post_imp)
+ apply (rule_tac Q'="\rv s. no_orphans s" in hoare_post_imp)
 apply (clarsimp simp: no_orphans_def all_active_tcb_ptrs_def is_active_tcb_ptr_def
 all_queued_tcb_ptrs_def)
 apply (wp | clarsimp simp:placeNewObject_def2)+
@@ -1860,7 +1860,7 @@ lemma handleInvocation_no_orphans [wp]:
 unfolding handleInvocation_def
 apply (rule hoare_pre)
 apply (wp syscall_valid' setThreadState_isRestart_no_orphans | wpc | clarsimp)+
- apply (rule_tac Q="\state s. no_orphans s \ invs' s \
+ apply (rule_tac Q'="\state s. no_orphans s \ invs' s \
 (state = Structures_H.thread_state.Restart \
 st_tcb_at' isRestart thread s)"
 in hoare_post_imp)
@@ -1919,7 +1919,7 @@ notes if_cong[cong] shows
 apply (clarsimp simp: whenE_def split del: if_split | wp hoare_drop_imps getNotification_wp | wpc )+ (*takes a while*)
 apply (rule_tac Q'="\rv s. no_orphans s \ invs' s" in hoare_strengthen_postE_R)
 apply (wp, fastforce)
- apply (rule_tac Q="\rv s. no_orphans s \ invs' s" in hoare_post_imp)
+ apply (rule_tac Q'="\rv s. no_orphans s \ invs' s" in hoare_post_imp)
 apply (wp | clarsimp | fastforce)+
 done
@@ -1931,7 +1931,7 @@ lemma handleReply_no_orphans [wp]:
 unfolding handleReply_def
 apply (wpsimp wp: hoare_drop_imps)
 apply (wp (once) hoare_vcg_all_lift)
- apply (rule_tac Q="\rv s. no_orphans s \ invs' s \ tcb_at' thread s \
+ apply (rule_tac Q'="\rv s. no_orphans s \ invs' s \ tcb_at' thread s \
 valid_cap' rv s" in hoare_post_imp)
 apply (wpsimp wp: hoare_drop_imps simp: valid_cap'_def invs'_def cur_tcb'_def valid_state'_def)+
@@ -1985,8 +1985,8 @@ theorem callKernel_no_orphans[wp]:
 apply (wpsimp wp: hoare_drop_imp[where f=activateThread] schedule_invs'
 (* getActiveIRQ can't return a non-kernel IRQ *)
 | wp (once) hoare_post_imp[
- where a="doMachineOp (getActiveIRQ True)"
- and Q="\rv s. no_orphans s \ invs' s \ rv \ Some ` non_kernel_IRQs"])+
+ where f="doMachineOp (getActiveIRQ True)"
+ and Q'="\rv s. no_orphans s \ invs' s \ rv \ Some ` non_kernel_IRQs"])+
 done
 end
diff --git a/proof/refine/ARM/Arch_R.thy b/proof/refine/ARM/Arch_R.thy
index 4aaa4f12e8..8cf7c26e96 100644
--- a/proof/refine/ARM/Arch_R.thy
+++ b/proof/refine/ARM/Arch_R.thy
@@ -1659,8 +1659,8 @@ lemma arch_decodeInvocation_wf[wp]:
 cong: list.case_cong prod.case_cong)
 apply (rule hoare_pre)
 apply (wpsimp simp: valid_arch_inv'_def valid_page_inv'_def)
- apply (rule hoare_vcg_conj_lift_R,(wp ensureSafeMapping_inv)[1])+
- apply (wpsimp wp: whenE_throwError_wp checkVP_wpR hoare_vcg_const_imp_lift_R
+ apply (rule hoare_vcg_conj_liftE_R,(wp ensureSafeMapping_inv)[1])+
+ apply (wpsimp wp: whenE_throwError_wp checkVP_wpR hoare_vcg_const_imp_liftE_R
 hoare_drop_impE_R ensureSafeMapping_valid_slots_duplicated'
 createMappingEntries_valid_pde_slots' findPDForASID_page_directory_at'
 simp: valid_arch_inv'_def valid_page_inv'_def)+
diff --git a/proof/refine/ARM/CNodeInv_R.thy b/proof/refine/ARM/CNodeInv_R.thy
index f61e8f6fe7..ea9acc2e68 100644
--- a/proof/refine/ARM/CNodeInv_R.thy
+++ b/proof/refine/ARM/CNodeInv_R.thy
@@ -206,7 +206,7 @@ lemma decodeCNodeInvocation_corres:
 apply (rule corres_trivial)
 subgoal by (auto simp add: whenE_def, auto simp add: returnOk_def)
 apply (wp | wpc | simp(no_asm))+
- apply (wp hoare_vcg_const_imp_lift_R hoare_vcg_const_imp_lift
+ apply (wp hoare_vcg_const_imp_liftE_R hoare_vcg_const_imp_lift
 hoare_vcg_all_liftE_R hoare_vcg_all_lift lsfco_cte_at'
 hoare_drop_imps | clarsimp)+
 subgoal by (auto elim!: valid_cnode_capI)
@@ -6101,7 +6101,7 @@ lemma reduceZombie_invs'':
 apply (wp | simp)+
 apply (rule getCTE_wp)
 apply (wp | simp)+
- apply (rule_tac Q="\cte s. rv = capZombiePtr cap +
+ apply (rule_tac Q'="\cte s. rv = capZombiePtr cap +
 of_nat (capZombieNumber cap) * 2^cteSizeBits - 2^cteSizeBits
 \ cte_wp_at' (\c. c = cte) slot s \ invs' s \ no_cte_prop Q s
 \ sch_act_simple s"
@@ -6424,8 +6424,8 @@ lemmas cteDelete_typ_at'_lifts [wp] = typ_at_lifts [OF cteDelete_typ_at']
 lemma cteDelete_cte_at:
 "\\\ cteDelete slot bool \\rv. cte_at' slot\"
- apply (rule_tac Q="\s. cte_at' slot s \ \ cte_at' slot s"
- in hoare_pre(1))
+ apply (rule_tac P'="\s. cte_at' slot s \ \ cte_at' slot s"
+ in hoare_weaken_pre)
 apply (rule hoare_strengthen_post)
 apply (rule hoare_vcg_disj_lift)
 apply (rule typ_at_lifts, rule cteDelete_typ_at')
@@ -6464,7 +6464,7 @@ lemma cteDelete_cte_wp_at_invs:
 apply (clarsimp simp: cte_wp_at_ctes_of)
 apply wp
 apply (simp add: imp_conjR conj_comms)
- apply (rule_tac Q="\rv s. invs' s \ sch_act_simple s \
+ apply (rule_tac Q'="\rv s. invs' s \ sch_act_simple s \
 (fst rv \ cte_wp_at' (\cte. removeable' slot s (cteCap cte)) slot s)
 \ (fst rv \
@@ -6475,9 +6475,9 @@ lemma cteDelete_cte_wp_at_invs:
 cteCap cte = NullCap \
 (\zb n. cteCap cte = Zombie slot zb n))
 slot s)"
- and E="\rv. \" in hoare_strengthen_postE)
+ and E'="\rv. \" in hoare_strengthen_postE)
 apply (wp finaliseSlot_invs finaliseSlot_removeable finaliseSlot_sch_act_simple
- hoare_drop_imps(2)[OF finaliseSlot_irqs])
+ hoare_drop_impE_R[OF finaliseSlot_irqs])
 apply (rule hoare_strengthen_postE_R, rule finaliseSlot_abort_cases)
 apply (clarsimp simp: cte_wp_at_ctes_of dest!: isCapDs)
 apply simp
@@ -6499,7 +6499,7 @@ lemma cteDelete_cte_wp_at_invs:
 p s" in hoare_strengthen_postE_R)
 apply (wp finaliseSlot_invs finaliseSlot_removeable finaliseSlot_sch_act_simple
- hoare_drop_imps(2)[OF finaliseSlot_irqs])
+ hoare_drop_impE_R[OF finaliseSlot_irqs])
 apply (rule hoare_strengthen_postE_R [OF finaliseSlot_cte_wp_at[where p=p and P=P]])
 apply simp+
 apply (clarsimp simp: cte_wp_at_ctes_of)
@@ -6513,8 +6513,8 @@ lemma cteDelete_sch_act_simple:
 cteDelete slot exposed \\rv. sch_act_simple\"
 apply (simp add: cteDelete_def whenE_def split_def)
 apply (wp hoare_drop_imps | simp)+
- apply (rule_tac hoare_strengthen_postE [where Q="\rv. sch_act_simple"
- and E="\rv. sch_act_simple"])
+ apply (rule_tac hoare_strengthen_postE [where Q'="\rv. sch_act_simple"
+ and E'="\rv. sch_act_simple"])
 apply (rule valid_validE)
 apply (wp finaliseSlot_sch_act_simple)
 apply simp+
@@ -6684,7 +6684,7 @@ proof (induct rule: finalise_induct3)
 apply ((wp | simp add: locateSlot_conv)+)[2]
 apply (rule drop_spec_validE)
 apply simp
- apply (rule_tac Q="\rv s. revoke_progress_ord m (option_map capToRPO \ cteCaps_of s)
+ apply (rule_tac Q'="\rv s. revoke_progress_ord m (option_map capToRPO \ cteCaps_of s)
 \ cte_wp_at' (\cte. cteCap cte = fst rvb) sl s"
 in hoare_post_imp)
 apply (clarsimp simp: o_def cte_wp_at_ctes_of capToRPO_def
@@ -7259,7 +7259,7 @@ next
 apply (rule updateCap_corres)
 apply simp
 apply (simp add: is_cap_simps)
- apply (rule_tac R="\rv. cte_at' (cte_map ?target)" in hoare_post_add)
+ apply (rule_tac Q'="\rv. cte_at' (cte_map ?target)" in hoare_post_add)
 apply (wp, (wp getCTE_wp)+)
 apply (clarsimp simp: cte_wp_at_ctes_of)
 apply (rule no_fail_pre, wp, simp)
@@ -7421,7 +7421,7 @@ lemma cteRevoke_typ_at':
 lemma cteRevoke_invs':
 "\invs' and sch_act_simple\ cteRevoke ptr \\rv. invs'\"
- apply (rule_tac Q="\rv. invs' and sch_act_simple" in hoare_strengthen_post)
+ apply (rule_tac Q'="\rv. invs' and sch_act_simple" in hoare_strengthen_post)
 apply (wpsimp wp: cteRevoke_preservation cteDelete_invs' cteDelete_sch_act_simple)+
 done
@@ -8869,7 +8869,7 @@ proof (induct rule: finalise_spec_induct)
 apply (unfold Let_def split_def fst_conv snd_conv case_Zombie_assert_fold haskell_fail_def)
 apply (wp getCTE_wp' preemptionPoint_invR| simp add: o_def irq_state_independent_HI)+
- apply (rule hoare_post_imp [where Q="\_. valid_irq_states'"])
+ apply (rule hoare_post_imp[where Q'="\_. valid_irq_states'"])
 apply simp
 apply wp[1]
 apply (rule spec_strengthen_postE)
@@ -8912,7 +8912,7 @@ lemma cteDelete_irq_states':
 apply (simp add: cteDelete_def split_def)
 apply (wp whenE_wp)
 apply (rule hoare_strengthen_postE)
- apply (rule hoare_valid_validE)
+ apply (rule valid_validE)
 apply (rule finaliseSlot_irq_states')
 apply simp
 apply simp
diff --git a/proof/refine/ARM/CSpace_R.thy b/proof/refine/ARM/CSpace_R.thy
index 5ccf916290..c7d6831f50 100644
--- a/proof/refine/ARM/CSpace_R.thy
+++ b/proof/refine/ARM/CSpace_R.thy
@@ -2147,7 +2147,7 @@ lemma cteInsert_mdb' [wp]:
 cteInsert cap src dest
 \\_. valid_mdb'\"
 apply (simp add:valid_mdb'_def valid_mdb_ctes_def)
- apply (rule_tac Q = "\r s. valid_dlist (ctes_of s) \ irq_control (ctes_of s) \
+ apply (rule_tac Q'="\r s. valid_dlist (ctes_of s) \ irq_control (ctes_of s) \
 no_0 (ctes_of s) \ mdb_chain_0 (ctes_of s) \ mdb_chunked (ctes_of s) \
 untyped_mdb' (ctes_of s) \ untyped_inc' (ctes_of s) \ Q s" for Q
@@ -3963,12 +3963,12 @@ lemma setupReplyMaster_corres:
 apply (fastforce dest: pspace_relation_no_reply_caps
 state_relation_pspace_relation)
 apply (clarsimp simp: cte_map_def tcb_cnode_index_def cte_wp_at_ctes_of)
- apply (rule_tac Q="\rv. einvs and tcb_at t and
+ apply (rule_tac Q'="\rv. einvs and tcb_at t and
 cte_wp_at ((=) rv) (t, tcb_cnode_index 2)"
 in hoare_strengthen_post)
 apply (wp hoare_drop_imps get_cap_wp)
 apply (clarsimp simp: invs_def valid_state_def elim!: cte_wp_at_weakenE)
- apply (rule_tac Q="\rv. valid_pspace' and valid_mdb' and
+ apply (rule_tac Q'="\rv. valid_pspace' and valid_mdb' and
 cte_wp_at' ((=) rv) (cte_map (t, tcb_cnode_index 2))"
 in hoare_strengthen_post)
 apply (wp hoare_drop_imps getCTE_wp')
diff --git a/proof/refine/ARM/Detype_R.thy b/proof/refine/ARM/Detype_R.thy
index 9f397037b1..84a1e00ec9 100644
--- a/proof/refine/ARM/Detype_R.thy
+++ b/proof/refine/ARM/Detype_R.thy
@@ -64,7 +64,7 @@ lemma descendants_range_in_lift':
 apply (simp only: Ball_def[unfolded imp_conv_disj])
 apply (rule hoare_pre)
 apply (wp hoare_vcg_all_lift hoare_vcg_disj_lift st cap_range)
- apply (rule_tac Q = "\r s. cte_wp_at' (\c. capRange (cteCap c) \ S = {}) x s"
+ apply (rule_tac Q'="\r s. cte_wp_at' (\c. capRange (cteCap c) \ S = {}) x s"
 in hoare_strengthen_post)
 apply (wp cap_range)
 apply (clarsimp simp:cte_wp_at_ctes_of null_filter'_def)
@@ -1766,7 +1766,7 @@ lemma deleteObjects_invs':
 proof -
 show ?thesis
 apply (rule hoare_pre)
- apply (rule_tac G="is_aligned ptr bits \ 2 \ bits \ bits \ word_bits" in hoare_grab_asm)
+ apply (rule_tac P'="is_aligned ptr bits \ 2 \ bits \ bits \ word_bits" in hoare_grab_asm)
 apply (clarsimp simp add: deleteObjects_def2)
 apply (simp add: freeMemory_def bind_assoc doMachineOp_bind ef_storeWord)
 apply (simp add: bind_assoc[where f="\_. modify f" for f, symmetric])
@@ -4138,7 +4138,7 @@ lemma createNewCaps_pspace_no_overlap':
 apply simp+
 apply (simp add:range_cover_def)
 apply (simp add:range_cover.sz(1)[where 'a=32, folded word_bits_def])
- apply (rule_tac Q = "\r. pspace_no_overlap' (ptr + (1 + of_nat n << Types_H.getObjectSize ty us))
+ apply (rule_tac Q'="\r. pspace_no_overlap' (ptr + (1 + of_nat n << Types_H.getObjectSize ty us))
 (Types_H.getObjectSize ty us) and pspace_aligned' and pspace_distinct'"
 in hoare_strengthen_post)
 apply (case_tac ty)
diff --git a/proof/refine/ARM/Finalise_R.thy b/proof/refine/ARM/Finalise_R.thy
index 8a6347c01e..c00ef6ca73 100644
--- a/proof/refine/ARM/Finalise_R.thy
+++ b/proof/refine/ARM/Finalise_R.thy
@@ -1787,7 +1787,7 @@ lemma isFinalCapability_inv:
 apply (simp add: isFinalCapability_def Let_def
 split del: if_split cong: if_cong)
 apply (rule hoare_pre, wp)
- apply (rule hoare_post_imp [where Q="\s. P"], simp)
+ apply (rule hoare_post_imp[where Q'="\s. P"], simp)
 apply wp
 apply simp
 done
@@ -2445,7 +2445,7 @@ lemma deleteASID_invs'[wp]:
 apply (simp add: deleteASID_def cong: option.case_cong)
 apply (rule hoare_pre)
 apply (wp | wpc)+
- apply (rule_tac Q="\rv. valid_obj' (injectKO rv) and invs'"
+ apply (rule_tac Q'="\rv. valid_obj' (injectKO rv) and invs'"
 in hoare_post_imp)
 apply (rename_tac rv s)
 apply (clarsimp split: if_split_asm del: subsetI)
@@ -2727,7 +2727,7 @@ lemma cancelIPC_bound_tcb_at'[wp]:
 apply (simp add: getThreadReplySlot_def locateSlot_conv liftM_def)
 apply (rule hoare_pre)
 apply (wp capDeleteOne_bound_tcb_at' getCTE_ctes_of)
- apply (rule_tac Q="\_. bound_tcb_at' P tptr" in hoare_post_imp)
+ apply (rule_tac Q'="\_. bound_tcb_at' P tptr" in hoare_post_imp)
 apply (clarsimp simp: capHasProperty_def cte_wp_at_ctes_of)
 apply (wp threadSet_pred_tcb_no_state | simp)+
 done
diff --git a/proof/refine/ARM/Interrupt_R.thy b/proof/refine/ARM/Interrupt_R.thy
index d0876f76e1..22dcf3c661 100644
--- a/proof/refine/ARM/Interrupt_R.thy
+++ b/proof/refine/ARM/Interrupt_R.thy
@@ -391,7 +391,7 @@ lemma invokeIRQHandler_corres:
 apply simp
 apply (rule corres_split_nor[OF cap_delete_one_corres])
 apply (rule cteInsert_corres, simp+)
- apply (rule_tac Q="\rv s. einvs s \ cte_wp_at (\c. c = cap.NullCap) irq_slot s
+ apply (rule_tac Q'="\rv s. einvs s \ cte_wp_at (\c. c = cap.NullCap) irq_slot s
 \ (a, b) \ irq_slot \ cte_wp_at (is_derived (cdt s) (a, b) cap) (a, b) s"
 in hoare_post_imp)
@@ -805,7 +805,7 @@ lemma timerTick_invs'[wp]:
 apply (wpsimp wp: threadSet_invs_trivial threadSet_pred_tcb_no_state
 rescheduleRequired_all_invs_but_ct_not_inQ simp: tcb_cte_cases_def)
- apply (rule_tac Q="\rv. invs'" in hoare_post_imp)
+ apply (rule_tac Q'="\rv. invs'" in hoare_post_imp)
 apply (clarsimp simp: invs'_def valid_state'_def)
 apply (simp add: decDomainTime_def)
 apply wp
@@ -816,7 +816,7 @@ lemma timerTick_invs'[wp]:
 hoare_vcg_imp_lift threadSet_ct_idle_or_in_cur_domain')+
 apply (rule hoare_strengthen_post[OF tcbSchedAppend_all_invs_but_ct_not_inQ'])
 apply (wpsimp simp: invs'_def valid_state'_def valid_pspace'_def sch_act_wf_weak)+
- apply (rule_tac Q="\_. invs'" in hoare_strengthen_post)
+ apply (rule_tac Q'="\_. invs'" in hoare_strengthen_post)
 apply (wpsimp wp: threadSet_pred_tcb_no_state threadSet_tcbDomain_triv threadSet_valid_objs'
 threadSet_timeslice_invs)+
 apply (clarsimp simp: invs'_def valid_state'_def valid_pspace'_def)
@@ -854,7 +854,7 @@ lemma hint_invs[wp]:
 apply (rule conjI; rule impI)
 apply (wp dmo_maskInterrupt_True getCTE_wp'
 | wpc | simp add: doMachineOp_bind maskIrqSignal_def )+
- apply (rule_tac Q="\rv. invs'" in hoare_post_imp)
+ apply (rule_tac Q'="\rv. invs'" in hoare_post_imp)
 apply (clarsimp simp: cte_wp_at_ctes_of ex_nonz_cap_to'_def)
 apply fastforce
 apply (wp threadSet_invs_trivial | simp add: inQ_def handleReservedIRQ_def)+
diff --git a/proof/refine/ARM/IpcCancel_R.thy b/proof/refine/ARM/IpcCancel_R.thy
index 6ef67138c4..ccf26057b2 100644
--- a/proof/refine/ARM/IpcCancel_R.thy
+++ b/proof/refine/ARM/IpcCancel_R.thy
@@ -927,7 +927,7 @@ lemma (in delete_one_conc_pre) cancelIPC_sch_act_simple[wp]:
 apply (wp hoare_drop_imps delete_one_sch_act_simple
 | simp add: getThreadReplySlot_def | wpcw
 | rule sch_act_simple_lift
- | (rule_tac Q="\rv. sch_act_simple" in hoare_post_imp, simp))+
+ | (rule_tac Q'="\rv. sch_act_simple" in hoare_post_imp, simp))+
 done
 lemma cancelSignal_st_tcb_at:
@@ -937,7 +937,7 @@ lemma cancelSignal_st_tcb_at:
 \\rv. st_tcb_at' P t\"
 apply (simp add: cancelSignal_def Let_def list_case_If)
 apply (wp sts_st_tcb_at'_cases hoare_vcg_const_imp_lift
- hoare_drop_imp[where R="%rv s. P' rv" for P'])
+ hoare_drop_imp[where Q'="%rv s. P' rv" for P'])
 apply clarsimp+
 done
@@ -1026,7 +1026,7 @@ lemma (in delete_one_conc_pre) cancelIPC_tcb_at_runnable':
 in bind_wp)
 apply(case_tac rv; simp)
 apply (wpsimp wp: sts_pred_tcb_neq')+
- apply (rule_tac Q="\rv. ?PRE" in hoare_post_imp, fastforce)
+ apply (rule_tac Q'="\rv. ?PRE" in hoare_post_imp, fastforce)
 apply (wp cteDeleteOne_tcb_at_runnable'
 threadSet_pred_tcb_no_state
 cancelSignal_tcb_at_runnable'
@@ -1129,7 +1129,7 @@ lemma sts_weak_sch_act_wf[wp]:
 including classic_wp_pre
 apply (simp add: setThreadState_def)
 apply (wp rescheduleRequired_weak_sch_act_wf)
- apply (rule_tac Q="\_ s. weak_sch_act_wf (ksSchedulerAction s) s" in hoare_post_imp, simp)
+ apply (rule_tac Q'="\_ s. weak_sch_act_wf (ksSchedulerAction s) s" in hoare_post_imp, simp)
 apply (simp add: weak_sch_act_wf_def)
 apply (wp hoare_vcg_all_lift)
 apply (wps threadSet_nosch)
@@ -1257,11 +1257,11 @@ lemma (in delete_one) suspend_corres:
 apply wp
 apply (wpsimp wp: sts_valid_objs')
 apply (wpsimp simp: update_restart_pc_def updateRestartPC_def valid_tcb_state'_def)+
- apply (rule hoare_post_imp[where Q = "\rv s. einvs s \ tcb_at t s"])
+ apply (rule hoare_post_imp[where Q'="\rv s. einvs s \ tcb_at t s"])
 apply (simp add: invs_implies invs_strgs valid_queues_in_correct_ready_q
 valid_queues_ready_qs_distinct valid_sched_def)
 apply wp
- apply (rule hoare_post_imp[where Q = "\_ s. invs' s \ tcb_at' t s"])
+ apply (rule hoare_post_imp[where Q'="\_ s. invs' s \ tcb_at' t s"])
 apply (fastforce simp: invs'_def valid_tcb_state'_def)
 apply (wpsimp simp: update_restart_pc_def updateRestartPC_def)+
 apply fastforce+
@@ -1307,7 +1307,7 @@ lemma (in delete_one_conc) suspend_invs'[wp]:
 apply (simp add: suspend_def)
 apply (wpsimp wp: sts_invs_minor' gts_wp' simp: updateRestartPC_def
 | strengthen no_refs_simple_strg')+
- apply (rule_tac Q="\_. invs' and sch_act_simple and st_tcb_at' simple' t
+ apply (rule_tac Q'="\_. invs' and sch_act_simple and st_tcb_at' simple' t
 and (\s. t \ ksIdleThread s)"
 in hoare_post_imp)
 apply clarsimp
@@ -1337,7 +1337,7 @@ lemma (in delete_one_conc_pre) suspend_sch_act_simple[wp]:
 lemma (in delete_one_conc) suspend_objs':
 "\invs' and sch_act_simple and tcb_at' t and (\s. t \ ksIdleThread s)\
 suspend t \\rv. valid_objs'\"
- apply (rule_tac Q="\_. invs'" in hoare_strengthen_post)
+ apply (rule_tac Q'="\_. invs'" in hoare_strengthen_post)
 apply (wp suspend_invs')
 apply fastforce
 done
@@ -1450,7 +1450,7 @@ proof -
 apply (rule ep_cancel_corres_helper)
 apply (rule mapM_x_wp')
 apply (wp weak_sch_act_wf_lift_linear set_thread_state_runnable_weak_valid_sched_action | simp)+
- apply (rule_tac R="\_ s. \x\set list. tcb_at' x s \ valid_objs' s \ pspace_aligned' s \ pspace_distinct' s"
+ apply (rule_tac Q'="\_ s. \x\set list. tcb_at' x s \ valid_objs' s \ pspace_aligned' s \ pspace_distinct' s"
 in hoare_post_add)
 apply (rule mapM_x_wp')
 apply ((wpsimp wp: hoare_vcg_const_Ball_lift mapM_x_wp' sts_st_tcb' sts_valid_objs'
@@ -1510,7 +1510,7 @@ lemma cancelAllSignals_corres:
 set_thread_state_runnable_weak_valid_sched_action
 | simp)+
 apply (rename_tac list)
- apply (rule_tac R="\_ s. (\x\set list. tcb_at' x s) \ valid_objs' s
+ apply (rule_tac Q'="\_ s. (\x\set list. tcb_at' x s) \ valid_objs' s
 \ sym_heap_sched_pointers s \ valid_sched_pointers s
 \ valid_objs' s \ pspace_aligned' s \ pspace_distinct' s"
 in hoare_post_add)
@@ -1557,7 +1557,7 @@ proof -
 show ?thesis
 apply (simp add: setThreadState_def)
 apply (wpsimp wp: hoare_vcg_imp_lift [OF nrct])
- apply (rule_tac Q="\_. ?PRE" in hoare_post_imp)
+ apply (rule_tac Q'="\_. ?PRE" in hoare_post_imp)
 apply (clarsimp)
 apply (rule hoare_convert_imp [OF threadSet_nosch threadSet_ct])
 apply assumption
@@ -1825,7 +1825,7 @@ lemma cancelAllIPC_valid_objs'[wp]:
 apply (rule bind_wp [OF _ get_ep_sp'])
 apply (rule hoare_pre)
 apply (wp set_ep_valid_objs' setSchedulerAction_valid_objs')
- apply (rule_tac Q="\_ s. valid_objs' s \ pspace_aligned' s \ pspace_distinct' s
+ apply (rule_tac Q'="\_ s. valid_objs' s \ pspace_aligned' s \ pspace_distinct' s
 \ (\x\set (epQueue ep). tcb_at' x s)"
 in hoare_post_imp)
 apply simp
@@ -1851,7 +1851,7 @@ lemma cancelAllSignals_valid_objs'[wp]:
 apply (wp, simp)
 apply (wp, simp)
 apply (rename_tac list)
- apply (rule_tac Q="\rv s. valid_objs' s \ (\x\set list. tcb_at' x s)"
+ apply (rule_tac Q'="\rv s. valid_objs' s \ (\x\set list. tcb_at' x s)"
 in hoare_post_imp)
 apply (simp add: valid_ntfn'_def)
 apply (simp add: Ball_def)
@@ -2155,7 +2155,7 @@ lemma cancelBadgedSends_corres:
 apply (rule corres_split_nor[OF setEndpoint_corres])
 apply (simp add: ep_relation_def)
 apply (rule corres_split_eqr[OF _ _ _ hoare_post_add
- [where R="\_. valid_objs' and pspace_aligned'
+ [where Q'="\_. valid_objs' and pspace_aligned'
 and pspace_distinct'"]])
 apply (rule_tac S="(=)"
 and Q="\xs s. (\x \ set xs. (epptr, TCBBlockedSend) \ state_refs_of s x) \
diff --git a/proof/refine/ARM/Ipc_R.thy b/proof/refine/ARM/Ipc_R.thy
index 95dba8e05f..97c78c7503 100644
--- a/proof/refine/ARM/Ipc_R.thy
+++ b/proof/refine/ARM/Ipc_R.thy
@@ -52,7 +52,7 @@ lemma lsfco_cte_at':
 apply (wp)
 apply (clarsimp simp: split_def unlessE_def
 split del: if_split)
- apply (wp hoare_drop_imps throwE_R)
+ apply (wpsimp wp: hoare_drop_imps throwE_R)
 done
 declare unifyFailure_wp [wp]
@@ -478,7 +478,7 @@ next
 apply clarsimp
 apply assumption
 apply (subst imp_conjR)
- apply (rule hoare_vcg_conj_liftE_R)
+ apply (rule hoare_vcg_conj_liftE_R')
 apply (rule derive_cap_is_derived)
 apply (wp derive_cap_is_derived_foo)+
 apply (simp split del: if_split)
@@ -490,7 +490,7 @@ next
 apply clarsimp
 apply assumption
 apply (subst imp_conjR)
- apply (rule hoare_vcg_conj_liftE_R)
+ apply (rule hoare_vcg_conj_liftE_R')
 apply (rule hoare_strengthen_postE_R[OF deriveCap_derived])
 apply (clarsimp simp:cte_wp_at_ctes_of)
 apply (wp deriveCap_derived_foo)
@@ -602,7 +602,7 @@ lemma cteInsert_assume_Null:
 apply (rule bind_wp[OF _ getCTE_sp])+
 apply (rule hoare_name_pre_state)
 apply (clarsimp simp: cte_wp_at_ctes_of)
- apply (erule hoare_pre(1))
+ apply (erule hoare_weaken_pre)
 apply simp
 done
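Review bot: The `wp` → `wpsimp wp:` switch in lsfco_cte_at' (hunk -52) and the two `hoare_vcg_conj_liftE_R` → `hoare_vcg_conj_liftE_R'` swaps in the -478 and -490 hunks of Ipc_R.thy change which method or lemma discharges the goal, unlike the surrounding hunks, which only rename bound variables (`Q`→`Q'`, `R`→`Q'`) or lemma names. A name-only sweep is easy to audit by grepping, but these three sites are not, and nothing in the diff says why the unprimed lemma no longer fits (presumably its statement changed shape in this series, as the HEAD hunks do for the `_R_conj` family — to be confirmed). I would either split them into their own commit or add a one-line comment at the first use, e.g. `(* hoare_vcg_conj_liftE_R' keeps the conjunct order this goal needs *)`, so a later reader does not mistake the primed variant for a typo. The enclosing proof of the -478/-490 hunks starts outside the hunks.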
@@ -1759,7 +1759,7 @@ declare asUser_global_refs' [wp]
 lemma lec_valid_cap' [wp]:
 "\valid_objs'\ lookupExtraCaps thread xa mi \\rv s. (\x\set rv. s \' fst x)\, -"
 apply (rule hoare_pre, rule hoare_strengthen_postE_R)
- apply (rule hoare_vcg_conj_lift_R[where R=valid_objs' and S="\_. valid_objs'"])
+ apply (rule hoare_vcg_conj_liftE_R[where P'=valid_objs' and Q'="\_. valid_objs'"])
 apply (rule lookupExtraCaps_srcs)
 apply wp
 apply (clarsimp simp: cte_wp_at_ctes_of)
@@ -2134,7 +2134,7 @@ lemma doReplyTransfer_corres:
 apply (fastforce)
 apply (clarsimp simp:is_cap_simps)
 apply (wp weak_valid_sched_action_lift)+
- apply (rule_tac Q="\_ s. valid_objs' s \ cur_tcb' s \ tcb_at' receiver s
+ apply (rule_tac Q'="\_ s. valid_objs' s \ cur_tcb' s \ tcb_at' receiver s
 \ sch_act_wf (ksSchedulerAction s) s
 \ sym_heap_sched_pointers s \ valid_sched_pointers s
 \ pspace_aligned' s \ pspace_distinct' s"
@@ -2191,7 +2191,7 @@ lemma doReplyTransfer_corres:
 threadSet_tcbDomain_triv threadSet_valid_objs'
 threadSet_sched_pointers threadSet_valid_sched_pointers
 | simp add: valid_tcb_state'_def)+
- apply (rule_tac Q="\_. valid_sched and cur_tcb and tcb_at sender and tcb_at receiver and
+ apply (rule_tac Q'="\_. valid_sched and cur_tcb and tcb_at sender and tcb_at receiver and
 valid_objs and pspace_aligned and pspace_distinct"
 in hoare_strengthen_post [rotated], clarsimp)
 apply (wp)
@@ -2199,7 +2199,7 @@ lemma doReplyTransfer_corres:
 apply (assumption)
 apply (rule conjI, clarsimp)
 apply (clarsimp simp add: invs_def valid_state_def valid_pspace_def)
- apply (rule_tac Q="\_. tcb_at' sender and tcb_at' receiver and invs'"
+ apply (rule_tac Q'="\_. tcb_at' sender and tcb_at' receiver and invs'"
 in hoare_strengthen_post [rotated])
 apply (solves\auto simp: invs'_def valid_state'_def\)
 apply wp
@@ -2281,14 +2281,14 @@ lemma setupCallerCap_corres: tcb_cnode_index_def cte_level_bits_def) apply (simp add: cte_map_def tcbCallerSlot_def tcb_cnode_index_def cte_level_bits_def) - apply (rule_tac R="\rv. cte_at' (receiver + 2 ^ cte_level_bits * tcbCallerSlot)" + apply (rule_tac Q'="\rv. cte_at' (receiver + 2 ^ cte_level_bits * tcbCallerSlot)" in hoare_post_add) apply (wp, (wp getSlotCap_wp)+) apply blast apply (rule no_fail_pre, wp) apply (clarsimp simp: cte_wp_at'_def cte_at'_def) - apply (rule_tac R="\rv. cte_at' (sender + 2 ^ cte_level_bits * tcbReplySlot)" + apply (rule_tac Q'="\rv. cte_at' (sender + 2 ^ cte_level_bits * tcbReplySlot)" in hoare_post_add) apply (wp, (wp getCTE_wp')+) apply blast @@ -2628,7 +2628,7 @@ lemma sendSignal_corres: valid_queues_in_correct_ready_q valid_queues_ready_qs_distinct valid_sched_valid_queues | simp add: valid_tcb_state_def)+ - apply (rule_tac Q="\rv. invs' and tcb_at' a" in hoare_strengthen_post) + apply (rule_tac Q'="\rv. invs' and tcb_at' a" in hoare_strengthen_post) apply wp apply (fastforce simp: invs'_def valid_state'_def sch_act_wf_weak valid_tcb_state'_def) apply (rule setNotification_corres) @@ -2656,7 +2656,7 @@ lemma sendSignal_corres: apply (rule corres_split[OF asUser_setRegister_corres]) apply (rule possibleSwitchTo_corres) apply ((wp | simp)+)[1] - apply (rule_tac Q="\_. (\s. sch_act_wf (ksSchedulerAction s) s) and + apply (rule_tac Q'="\_. (\s. sch_act_wf (ksSchedulerAction s) s) and cur_tcb' and st_tcb_at' runnable' (hd list) and valid_objs' and sym_heap_sched_pointers and valid_sched_pointers and @@ -2843,7 +2843,7 @@ lemma cancelIPC_nonz_cap_to'[wp]: | wpc | simp | clarsimp elim!: cte_wp_at_weakenE' - | rule hoare_post_imp[where Q="\rv. ex_nonz_cap_to' p"])+ + | rule hoare_post_imp[where Q'="\rv. ex_nonz_cap_to' p"])+ done 
@@ -2923,7 +2923,7 @@ proof - apply (wpc) apply (wp | simp)+ apply (wpc, wp+) - apply (rule_tac Q="\_. ?PRE t'" in hoare_post_imp, clarsimp) + apply (rule_tac Q'="\_. ?PRE t'" in hoare_post_imp, clarsimp) apply (wp) apply simp done @@ -2935,7 +2935,7 @@ proof - apply (wp) apply (wp hoare_convert_imp)[1] apply (wp) - apply (rule_tac Q="\_. ?PRE t'" in hoare_post_imp, clarsimp) + apply (rule_tac Q'="\_. ?PRE t'" in hoare_post_imp, clarsimp) apply (wp hoare_convert_imp | simp)+ done show ?thesis @@ -2948,16 +2948,16 @@ proof - apply (wp)+ apply (wp hoare_convert_imp)[1] apply (wpc, wp+) - apply (rule_tac Q="\_. ?PRE t'" in hoare_post_imp, clarsimp) + apply (rule_tac Q'="\_. ?PRE t'" in hoare_post_imp, clarsimp) apply (wp cdo)+ - apply (rule_tac Q="\_. ?PRE t'" in hoare_post_imp, clarsimp) + apply (rule_tac Q'="\_. ?PRE t'" in hoare_post_imp, clarsimp) apply ((wp aipc hoare_convert_imp)+)[6] apply (wp) apply (wp hoare_convert_imp)[1] apply (wpc, wp+) - apply (rule_tac Q="\_. ?PRE t'" in hoare_post_imp, clarsimp) + apply (rule_tac Q'="\_. ?PRE t'" in hoare_post_imp, clarsimp) apply (wp) - apply (rule_tac Q="\_. ?PRE t'" in hoare_post_imp, clarsimp) + apply (rule_tac Q'="\_. ?PRE t'" in hoare_post_imp, clarsimp) apply (wp) apply simp done @@ -3221,7 +3221,7 @@ lemma receiveIPC_corres: valid_sched_action_def) apply (clarsimp split: if_split_asm) apply (clarsimp | wp do_ipc_transfer_tcb_caps)+ - apply (rule_tac Q="\_ s. sch_act_wf (ksSchedulerAction s) s + apply (rule_tac Q'="\_ s. sch_act_wf (ksSchedulerAction s) s \ sym_heap_sched_pointers s \ valid_sched_pointers s \ pspace_aligned' s \ pspace_distinct' s" in hoare_post_imp) 
@@ -3484,7 +3484,7 @@ lemma setupCallerCap_vp[wp]: apply (simp add: valid_pspace'_def setupCallerCap_def getThreadCallerSlot_def getThreadReplySlot_def locateSlot_conv getSlotCap_def) apply (wp getCTE_wp) - apply (rule_tac Q="\_. valid_pspace' and + apply (rule_tac Q'="\_. valid_pspace' and tcb_at' sender and tcb_at' rcvr" in hoare_post_imp) apply (clarsimp simp: valid_cap'_def o_def cte_wp_at_ctes_of isCap_simps @@ -3517,7 +3517,7 @@ lemma setupCallerCap_ifunsafe[wp]: apply (wp getSlotCap_cte_wp_at | simp add: unique_master_reply_cap' | strengthen eq_imp_strg | wp (once) hoare_drop_imp[where f="getCTE rs" for rs])+ - apply (rule_tac Q="\rv. valid_objs' and tcb_at' rcvr and ex_nonz_cap_to' rcvr" + apply (rule_tac Q'="\rv. valid_objs' and tcb_at' rcvr and ex_nonz_cap_to' rcvr" in hoare_post_imp) apply (clarsimp simp: ex_nonz_tcb_cte_caps' tcbCallerSlot_def objBits_def objBitsKO_def dom_def cte_level_bits_def) @@ -3685,7 +3685,7 @@ lemma completeSignal_invs: apply (rule bind_wp[OF _ get_ntfn_sp']) apply (rule hoare_pre) apply (wp set_ntfn_minor_invs' | wpc | simp)+ - apply (rule_tac Q="\_ s. (state_refs_of' s ntfnptr = ntfn_bound_refs' (ntfnBoundTCB ntfn)) + apply (rule_tac Q'="\_ s. (state_refs_of' s ntfnptr = ntfn_bound_refs' (ntfnBoundTCB ntfn)) \ ntfn_at' ntfnptr s \ valid_ntfn' (ntfnObj_update (\_. Structures_H.ntfn.IdleNtfn) ntfn) s \ ((\y. ntfnBoundTCB ntfn = Some y) \ ex_nonz_cap_to' ntfnptr s) @@ -3715,7 +3715,7 @@ lemma setupCallerCap_urz[wp]: getThreadCallerSlot_def getThreadReplySlot_def locateSlot_conv) apply (wp getCTE_wp') - apply (rule_tac Q="\_. untyped_ranges_zero' and valid_mdb' and valid_objs'" in hoare_post_imp) + apply (rule_tac Q'="\_. untyped_ranges_zero' and valid_mdb' and valid_objs'" in hoare_post_imp) apply (clarsimp simp: cte_wp_at_ctes_of cteCaps_of_def untyped_derived_eq_def isCap_simps) apply (wp sts_valid_pspace_hangers) 
@@ -3762,7 +3762,7 @@ lemma ri_invs' [wp]: apply (rule bind_wp [OF _ gbn_sp']) apply (rule bind_wp) (* set up precondition for old proof *) - apply (rule_tac R="ko_at' ep (capEPPtr cap) and ?pre" in hoare_vcg_if_split) + apply (rule_tac P''="ko_at' ep (capEPPtr cap) and ?pre" in hoare_vcg_if_split) apply (wp completeSignal_invs) apply (case_tac ep) \ \endpoint = RecvEP\ @@ -4049,9 +4049,9 @@ lemma si_invs'[wp]: hoare_convert_imp [OF setEndpoint_nosch setEndpoint_ct'] hoare_drop_imp [where f="threadGet tcbFault t"] | rule_tac f="getThreadState a" in hoare_drop_imp - | wp (once) hoare_drop_imp[where R="\_ _. call"] - hoare_drop_imp[where R="\_ _. \ call"] - hoare_drop_imp[where R="\_ _. cg"] + | wp (once) hoare_drop_imp[where Q'="\_ _. call"] + hoare_drop_imp[where Q'="\_ _. \ call"] + hoare_drop_imp[where Q'="\_ _. cg"] | simp add: valid_tcb_state'_def case_bool_If case_option_If cong: if_cong diff --git a/proof/refine/ARM/PageTableDuplicates.thy b/proof/refine/ARM/PageTableDuplicates.thy index bc2d5e51fe..395285ee92 100644 --- a/proof/refine/ARM/PageTableDuplicates.thy +++ b/proof/refine/ARM/PageTableDuplicates.thy @@ -635,7 +635,7 @@ lemma copyGlobalMappings_ksPSpace_stable: apply (case_tac "\ is_aligned x 2") apply (rule hoare_name_pre_state) apply (clarsimp) - apply (rule_tac Q = "\r s. is_aligned (armKSGlobalPD (ksArchState s)) 2 + apply (rule_tac Q'="\r s. is_aligned (armKSGlobalPD (ksArchState s)) 2 \ pspace_aligned' s" in hoare_post_imp) apply (frule_tac x = x in not_aligned_eq_None) apply simp @@ -726,7 +726,7 @@ lemma copyGlobalMappings_ksPSpace_stable: apply (rule hoare_pre) apply (rule hoare_vcg_const_imp_lift) apply wp - apply (rule_tac Q = "\r s'. ksPSpace s' x = ksPSpace s x \ globalPD = armKSGlobalPD (ksArchState s)" + apply (rule_tac Q'="\r s'. ksPSpace s' x = ksPSpace s x \ globalPD = armKSGlobalPD (ksArchState s)" in hoare_post_imp) apply (wp hoare_vcg_all_lift getPDE_wp mapM_x_wp' | simp add: storePDE_def setObject_def split_def 
@@ -753,7 +753,7 @@ lemma copyGlobalMappings_ksPSpace_same: apply clarsimp apply (rule hoare_pre) apply wp - apply (rule_tac Q = "\r s'. ksPSpace s' x = ksPSpace s x \ globalPD = armKSGlobalPD (ksArchState s)" + apply (rule_tac Q'="\r s'. ksPSpace s' x = ksPSpace s x \ globalPD = armKSGlobalPD (ksArchState s)" in hoare_post_imp) apply simp apply (wp hoare_vcg_all_lift getPDE_wp mapM_x_wp' @@ -1045,10 +1045,10 @@ lemma createObject_valid_duplicates'[wp]: apply (wpc | wp| simp add: ARM_H.createObject_def split del: if_split)+ apply (simp add: placeNewObject_def placeNewDataObject_def placeNewObject'_def split_def split del: if_split - | wp unless_wp[where P="d"] unless_wp[where Q=\] + | wp unless_wp[where P="d"] unless_wp[where P'=\] | wpc | simp add: alignError_def split del: if_split)+ apply (rule copyGlobalMappings_valid_duplicates') - apply ((wp unless_wp[where P="d"] unless_wp[where Q=\] | wpc + apply ((wp unless_wp[where P="d"] unless_wp[where P'=\] | wpc | simp add: alignError_def placeNewObject_def placeNewObject'_def split_def split del: if_split)+)[2] apply (intro conjI impI) @@ -2076,7 +2076,7 @@ lemma tc_valid_duplicates': checkCap_inv[where P="valid_cap' c" for c] checkCap_inv[where P="\s. P (ksReadyQueues s)" for P] checkCap_inv[where P="\s. vs_valid_duplicates' (ksPSpace s)"] - checkCap_inv[where P=sch_act_simple] cteDelete_valid_duplicates' hoare_vcg_const_imp_lift_R + checkCap_inv[where P=sch_act_simple] cteDelete_valid_duplicates' hoare_vcg_const_imp_liftE_R typ_at_lifts[OF setPriority_typ_at'] assertDerived_wp threadSet_cte_wp_at' hoare_vcg_all_liftE_R hoare_vcg_all_lift hoare_weak_lift_imp)[1] | wpc @@ -2244,7 +2244,7 @@ lemma handleRecv_valid_duplicates'[wp]: apply wp apply ((wp getNotification_wp | wpc | simp add: whenE_def split del: if_split)+)[1] - apply (rule_tac Q="\rv s. vs_valid_duplicates' (ksPSpace s)" + apply (rule_tac Q'="\rv s. vs_valid_duplicates' (ksPSpace s)" in hoare_strengthen_postE[rotated]) 
diff --git a/proof/refine/ARM/Refine.thy b/proof/refine/ARM/Refine.thy index 699381f43a..67c403257c 100644 --- a/proof/refine/ARM/Refine.thy +++ b/proof/refine/ARM/Refine.thy @@ -226,12 +226,12 @@ lemma set_thread_state_sched_act: apply (simp add: set_thread_state_ext_def) apply wp apply (rule hoare_pre_cont) - apply (rule_tac Q="\rv. (\s. runnable ts) and (\s. P (scheduler_action s))" + apply (rule_tac Q'="\rv. (\s. runnable ts) and (\s. P (scheduler_action s))" in hoare_strengthen_post) apply wp apply force apply (wp gts_st_tcb_at)+ - apply (rule_tac Q="\rv. st_tcb_at ((=) state) thread and (\s. runnable state) and (\s. P (scheduler_action s))" in hoare_strengthen_post) + apply (rule_tac Q'="\rv. st_tcb_at ((=) state) thread and (\s. runnable state) and (\s. P (scheduler_action s))" in hoare_strengthen_post) apply (simp add: st_tcb_at_def) apply (wp obj_set_prop_at)+ apply (force simp: st_tcb_at_def obj_at_def) @@ -270,7 +270,7 @@ lemma kernel_entry_invs: \\rv. einvs and (\s. ct_running s \ ct_idle s) and (\s. 0 < domain_time s) and valid_domain_list and (\s. scheduler_action s = resume_cur_thread)\" - apply (rule_tac Q="\rv. invs and (\s. ct_running s \ ct_idle s) and valid_sched and + apply (rule_tac Q'="\rv. invs and (\s. ct_running s \ ct_idle s) and valid_sched and (\s. 0 < domain_time s) and valid_domain_list and valid_list and (\s. scheduler_action s = resume_cur_thread)" in hoare_post_imp) @@ -316,7 +316,7 @@ lemma do_user_op_invs2: do_user_op f tc \\_. (einvs and ct_running and (\s. scheduler_action s = resume_cur_thread)) and (\s. 0 < domain_time s) and valid_domain_list \" - apply (rule_tac Q="\_. valid_list and valid_sched and + apply (rule_tac Q'="\_. valid_list and valid_sched and (\s. scheduler_action s = resume_cur_thread) and (invs and ct_running) and (\s. 0 < domain_time s) and valid_domain_list" in hoare_strengthen_post) 
@@ -391,7 +391,7 @@ lemma ckernel_invs: apply (rule hoare_pre) apply (wp activate_invs' activate_sch_act schedule_sch schedule_sch_act_simple he_invs' schedule_invs' - hoare_drop_imp[where R="\_. kernelExitAssertions"] + hoare_drop_imp[where Q'="\_. kernelExitAssertions"] | simp add: no_irq_getActiveIRQ)+ done @@ -567,22 +567,22 @@ lemma kernel_corres': apply simp apply (wpsimp wp: hoare_drop_imps hoare_vcg_all_lift simp: schact_is_rct_def)[1] apply simp - apply (rule_tac Q="\irq s. invs' s \ + apply (rule_tac Q'="\irq s. invs' s \ (\irq'. irq = Some irq' \ intStateIRQTable (ksInterruptState s ) irq' \ IRQInactive)" in hoare_post_imp) apply simp apply (wp doMachineOp_getActiveIRQ_IRQ_active handle_event_valid_sched | simp)+ - apply (rule_tac Q="\_. \" and E="\_. invs'" in hoare_strengthen_postE) + apply (rule_tac Q'="\_. \" and E'="\_. invs'" in hoare_strengthen_postE) apply wpsimp+ apply (simp add: invs'_def valid_state'_def) apply (rule corres_split[OF schedule_corres]) apply (rule activateThread_corres) apply (wp handle_interrupt_valid_sched[unfolded non_kernel_IRQs_def, simplified] schedule_invs' hoare_vcg_if_lift2 hoare_drop_imps |simp)+ - apply (rule_tac Q="\_. valid_sched and invs and valid_list" and - E="\_. valid_sched and invs and valid_list" + apply (rule_tac Q'="\_. valid_sched and invs and valid_list" and + E'="\_. valid_sched and invs and valid_list" in hoare_strengthen_postE) apply (wp handle_event_valid_sched hoare_vcg_imp_lift' |simp)+ apply (clarsimp simp: active_from_running schact_is_rct_def) diff --git a/proof/refine/ARM/Retype_R.thy b/proof/refine/ARM/Retype_R.thy index f50bd14a82..cd24cc2b06 100644 --- a/proof/refine/ARM/Retype_R.thy +++ b/proof/refine/ARM/Retype_R.thy 
@@ -4202,7 +4202,7 @@ lemma createNewCaps_cur: cur_tcb' s\ createNewCaps ty ptr n us d \\rv. cur_tcb'\" - apply (rule hoare_post_imp [where Q="\rv s. \t. ksCurThread s = t \ tcb_at' t s"]) + apply (rule hoare_post_imp[where Q'="\rv s. \t. ksCurThread s = t \ tcb_at' t s"]) apply (simp add: cur_tcb'_def) apply (wp hoare_vcg_ex_lift createNewCaps_obj_at') apply (clarsimp simp: pspace_no_overlap'_def cur_tcb'_def valid_pspace'_def) @@ -4277,20 +4277,17 @@ lemma createNewCaps_idle'[wp]: split del: if_split) apply (cases ty, simp_all add: Arch_createNewCaps_def split del: if_split) - apply (rename_tac apiobject_type) - apply (case_tac apiobject_type, simp_all split del: if_split)[1] - apply (wp, simp) - including classic_wp_pre - apply (wp mapM_x_wp' - createObjects_idle' - threadSet_idle' - | simp add: projectKO_opt_tcb projectKO_opt_cte - makeObject_cte makeObject_tcb archObjSize_def - tcb_cte_cases_def objBitsKO_def APIType_capBits_def - ptBits_def pdBits_def pageBits_def objBits_def - createObjects_def pteBits_def pdeBits_def - | intro conjI impI - | fastforce simp: curDomain_def)+ + apply (rename_tac apiobject_type) + apply (case_tac apiobject_type, simp_all split del: if_split)[1] + apply wpsimp + apply (wpsimp wp: mapM_x_wp' createObjects_idle' threadSet_idle' + | simp add: projectKO_opt_tcb projectKO_opt_cte + makeObject_cte makeObject_tcb archObjSize_def + tcb_cte_cases_def objBitsKO_def APIType_capBits_def + ptBits_def pdBits_def pageBits_def objBits_def + createObjects_def pteBits_def pdeBits_def + | intro conjI impI + | clarsimp simp: curDomain_def)+ done crunch createNewCaps 
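Review bot: The closing alternative of the rewritten combinator in `createNewCaps_idle'` goes from `fastforce simp: curDomain_def` to `clarsimp simp: curDomain_def`, which is a strictly weaker finisher; a subgoal that previously relied on fastforce's search would now be left for the `+` loop and surface as a failure at `done`, so presumably the whole proof was rechecked, but the deliberate weakening deserves a word in the commit description. On style, the `| simp add: projectKO_opt_tcb ...` alternative sits beside a `wpsimp wp: ...`, which already accepts a `simp:` argument, so the rule list could be folded into `apply (wpsimp wp: mapM_x_wp' createObjects_idle' threadSet_idle' simp: projectKO_opt_tcb projectKO_opt_cte ...)`; this changes when the rules fire inside the wp loop, so it needs the same recheck. The enclosing lemma starts before the hunk.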
@@ -4311,7 +4308,7 @@ lemma createNewCaps_global_refs': createNewCaps ty ptr n us d \\rv. valid_global_refs'\" apply (simp add: valid_global_refs'_def valid_cap_sizes'_def valid_refs'_def) - apply (rule_tac Q="\rv s. \ptr. \ cte_wp_at' (\cte. (kernel_data_refs \ capRange (cteCap cte) \ {} + apply (rule_tac Q'="\rv s. \ptr. \ cte_wp_at' (\cte. (kernel_data_refs \ capRange (cteCap cte) \ {} \ 2 ^ capBits (cteCap cte) > gsMaxObjectSize s)) ptr s \ global_refs' s \ kernel_data_refs" in hoare_post_imp) apply (auto simp: cte_wp_at_ctes_of linorder_not_less elim!: ranE)[1] @@ -5030,7 +5027,7 @@ proof (rule hoare_gen_asm, erule conjE) "\ct_not_inQ and valid_pspace' and pspace_no_overlap' ptr sz\ createNewCaps ty ptr n us dev \\_. ct_not_inQ\" unfolding ct_not_inQ_def - apply (rule_tac Q="\s. ksSchedulerAction s = ResumeCurrentThread + apply (rule_tac P'="\s. ksSchedulerAction s = ResumeCurrentThread \ (obj_at' (Not \ tcbQueued) (ksCurThread s) s \ valid_pspace' s \ pspace_no_overlap' ptr sz s)" in hoare_pre_imp, clarsimp) @@ -5141,7 +5138,7 @@ lemma createObjects_no_cte_valid_global: createObjects ptr n val gbits \\rv s. valid_global_refs' s\" apply (simp add: valid_global_refs'_def valid_cap_sizes'_def valid_refs'_def) - apply (rule_tac Q="\rv s. \ptr. \ cte_wp_at' (\cte. (kernel_data_refs \ capRange (cteCap cte) \ {} + apply (rule_tac Q'="\rv s. \ptr. \ cte_wp_at' (\cte. (kernel_data_refs \ capRange (cteCap cte) \ {} \ 2 ^ capBits (cteCap cte) > gsMaxObjectSize s)) ptr s \ global_refs' s \ kernel_data_refs" in hoare_post_imp) apply (auto simp: cte_wp_at_ctes_of linorder_not_less elim!: ranE)[1] 
@@ -5252,7 +5249,7 @@ lemma createObjects_cur': cur_tcb' s\ createObjects ptr n val gbits \\rv s. cur_tcb' s\" - apply (rule hoare_post_imp [where Q="\rv s. \t. ksCurThread s = t \ tcb_at' t s"]) + apply (rule hoare_post_imp[where Q'="\rv s. \t. ksCurThread s = t \ tcb_at' t s"]) apply (simp add: cur_tcb'_def) apply (wp hoare_vcg_ex_lift createObjects_orig_obj_at3) apply (clarsimp simp: cur_tcb'_def) @@ -5342,7 +5339,7 @@ proof - createObjects ptr n val gbits \\_. ct_not_inQ\" (is "\ _; _ \ \ \\s. ct_not_inQ s \ ?REST s\ _ \_\") apply (simp add: ct_not_inQ_def) - apply (rule_tac Q="\s. (ksSchedulerAction s = ResumeCurrentThread) \ + apply (rule_tac P'="\s. (ksSchedulerAction s = ResumeCurrentThread) \ (obj_at' (Not \ tcbQueued) (ksCurThread s) s \ ?REST s)" in hoare_pre_imp, clarsimp) apply (rule hoare_convert_imp [OF createObjects_nosch]) diff --git a/proof/refine/ARM/Schedule_R.thy b/proof/refine/ARM/Schedule_R.thy index 61350df138..ef40db58db 100644 --- a/proof/refine/ARM/Schedule_R.thy +++ b/proof/refine/ARM/Schedule_R.thy @@ -645,7 +645,7 @@ lemma tcbSchedDequeue_valid_mdb'[wp]: "\valid_mdb' and valid_objs'\ tcbSchedDequeue tcbPtr \\_. valid_mdb'\" unfolding tcbSchedDequeue_def apply (wpsimp simp: bitmap_fun_defs setQueue_def wp: threadSet_mdb' tcbQueueRemove_valid_mdb') - apply (rule_tac Q="\_. tcb_at' tcbPtr" in hoare_post_imp) + apply (rule_tac Q'="\_. tcb_at' tcbPtr" in hoare_post_imp) apply (fastforce simp: tcb_cte_cases_def cteSizeBits_def) apply (wpsimp wp: threadGet_wp)+ apply (fastforce simp: obj_at'_def) @@ -954,7 +954,7 @@ lemma tcbSchedDequeue_not_tcbQueued: "\\\ tcbSchedDequeue t \\_. obj_at' (\x. \ tcbQueued x) t\" apply (simp add: tcbSchedDequeue_def) apply (wp|clarsimp)+ - apply (rule_tac Q="\queued. obj_at' (\x. tcbQueued x = queued) t" in hoare_post_imp) + apply (rule_tac Q'="\queued. obj_at' (\x. tcbQueued x = queued) t" in hoare_post_imp) apply (clarsimp simp: obj_at'_def) apply (wpsimp wp: threadGet_wp)+ apply (clarsimp simp: obj_at'_def) 
@@ -1904,13 +1904,13 @@ lemma schedule_corres: apply (clarsimp simp: conj_ac cong: conj_cong) apply wp - apply (rule_tac Q="\_ s. valid_blocked_except t s \ scheduler_action s = switch_thread t" + apply (rule_tac Q'="\_ s. valid_blocked_except t s \ scheduler_action s = switch_thread t" in hoare_post_imp, fastforce) apply (wp add: tcb_sched_action_enqueue_valid_blocked_except tcbSchedEnqueue_invs'_not_ResumeCurrentThread thread_get_wp del: gets_wp | strengthen valid_objs'_valid_tcbs')+ - apply (clarsimp simp: conj_ac if_apply_def2 cong: imp_cong conj_cong del: hoare_gets) + apply (clarsimp simp: conj_ac if_apply_def2 cong: imp_cong conj_cong) apply (wp gets_wp)+ (* abstract final subgoal *) @@ -2173,7 +2173,7 @@ lemma schedule_invs': apply (wpsimp wp: scheduleChooseNewThread_invs' ssa_invs' chooseThread_invs_no_cicd' setSchedulerAction_invs' setSchedulerAction_direct switchToThread_tcb_in_cur_domain' switchToThread_ct_not_queued_2 - | wp hoare_disjI2[where R="\_ s. tcb_in_cur_domain' (ksCurThread s) s"] + | wp hoare_disjI2[where Q'="\_ s. tcb_in_cur_domain' (ksCurThread s) s"] | wp hoare_drop_imp[where f="isHighestPrio d p" for d p] | simp only: obj_at'_activatable_st_tcb_at'[simplified comp_def] | strengthen invs'_invs_no_cicd diff --git a/proof/refine/ARM/SubMonad_R.thy b/proof/refine/ARM/SubMonad_R.thy index f43e222dd3..d1879c6f1f 100644 --- a/proof/refine/ARM/SubMonad_R.thy +++ b/proof/refine/ARM/SubMonad_R.thy @@ -79,7 +79,7 @@ lemma threadSet_modify_asUser: apply (clarsimp simp: threadSet_def setObject_def split_def updateObject_default_def) apply wp - apply (rule_tac Q="\rv. obj_at' ((=) rv) t and ((=) st)" in hoare_post_imp) + apply (rule_tac Q'="\rv. obj_at' ((=) rv) t and ((=) st)" in hoare_post_imp) apply (clarsimp simp: asUser_replace_def Let_def obj_at'_def projectKOs fun_upd_def split: option.split kernel_object.split) diff --git a/proof/refine/ARM/Syscall_R.thy b/proof/refine/ARM/Syscall_R.thy index b2d7ab5185..e2b5b5c8fb 100644 
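Review bot: Dropping `del: hoare_gets` from the `clarsimp` call in `schedule_corres` is the one change in this hunk that is not a variable rename, and nothing visible explains why it is safe; presumably `hoare_gets` is no longer a default simp rule, in which case the `del:` was a no-op, but if it is still declared [simp] the following `apply (wp gets_wp)+` would now see a goal that clarsimp has rewritten with it. A brief remark in the commit description, or a comment such as `(* hoare_gets is no longer in the default simpset, so no del: needed *)` next to the call, would make the intent explicit. The enclosing lemma starts before the hunk.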
--- a/proof/refine/ARM/Syscall_R.thy +++ b/proof/refine/ARM/Syscall_R.thy @@ -330,7 +330,7 @@ lemma threadSet_tcbDomain_update_sch_act_wf[wp]: apply (wps setObject_sa_unchanged) apply (wp hoare_weak_lift_imp getObject_tcb_wp hoare_vcg_all_lift)+ apply (rename_tac word) - apply (rule_tac Q="\_ s. ksSchedulerAction s = SwitchToThread word \ + apply (rule_tac Q'="\_ s. ksSchedulerAction s = SwitchToThread word \ st_tcb_at' runnable' word s \ tcb_in_cur_domain' word s \ word \ t" in hoare_strengthen_post) apply (wp hoare_vcg_all_lift hoare_vcg_conj_lift hoare_vcg_imp_lift)+ @@ -367,20 +367,20 @@ lemma setDomain_corres: apply ((wpsimp wp: hoare_vcg_imp_lift' ethread_set_not_queued_valid_queues hoare_vcg_all_lift | strengthen valid_objs'_valid_tcbs' valid_queues_in_correct_ready_q valid_queues_ready_qs_distinct)+)[1] - apply (rule_tac Q="\_. valid_objs' and sym_heap_sched_pointers and valid_sched_pointers + apply (rule_tac Q'="\_. valid_objs' and sym_heap_sched_pointers and valid_sched_pointers and pspace_aligned' and pspace_distinct' and (\s. sch_act_wf (ksSchedulerAction s) s) and tcb_at' tptr" in hoare_strengthen_post[rotated]) apply (fastforce simp: invs'_def valid_state'_def sch_act_wf_weak st_tcb_at'_def o_def) apply (wpsimp wp: threadSet_valid_objs' threadSet_sched_pointers threadSet_valid_sched_pointers)+ - apply (rule_tac Q="\_ s. valid_queues s \ not_queued tptr s + apply (rule_tac Q'="\_ s. valid_queues s \ not_queued tptr s \ pspace_aligned s \ pspace_distinct s \ valid_etcbs s \ weak_valid_sched_action s" in hoare_post_imp) apply (fastforce simp: pred_tcb_at_def obj_at_def) apply (wpsimp wp: tcb_dequeue_not_queued) - apply (rule_tac Q = "\_ s. invs' s \ obj_at' (Not \ tcbQueued) tptr s \ sch_act_simple s + apply (rule_tac Q'="\_ s. invs' s \ obj_at' (Not \ tcbQueued) tptr s \ sch_act_simple s \ tcb_at' tptr s" in hoare_strengthen_post[rotated]) apply (clarsimp simp: invs'_def valid_state'_def valid_pspace'_def sch_act_simple_def) 
@@ -788,7 +788,7 @@ lemma doReply_invs[wp]: apply simp apply (wp (once) sts_st_tcb') apply wp - apply (rule_tac Q="\_ s. invs' s \ t \ ksIdleThread s \ st_tcb_at' awaiting_reply' t s" + apply (rule_tac Q'="\_ s. invs' s \ t \ ksIdleThread s \ st_tcb_at' awaiting_reply' t s" in hoare_post_imp) apply clarsimp apply (rule conjI, erule pred_tcb'_weakenE, case_tac st, clarsimp+) @@ -801,7 +801,7 @@ lemma doReply_invs[wp]: apply (case_tac st, clarsimp+) apply (wp cteDeleteOne_reply_pred_tcb_at)+ apply clarsimp - apply (rule_tac Q="\_. (\s. t \ ksIdleThread s) + apply (rule_tac Q'="\_. (\s. t \ ksIdleThread s) and cte_wp_at' (\cte. \grant. cteCap cte = capability.ReplyCap t False grant) slot" in hoare_strengthen_post [rotated]) @@ -813,7 +813,7 @@ lemma doReply_invs[wp]: apply (erule cte_wp_at_weakenE') apply (fastforce) apply (wp sts_invs_minor'' sts_st_tcb' hoare_weak_lift_imp) - apply (rule_tac Q="\_ s. invs' s \ sch_act_simple s + apply (rule_tac Q'="\_ s. invs' s \ sch_act_simple s \ st_tcb_at' awaiting_reply' t s \ t \ ksIdleThread s" in hoare_post_imp) @@ -828,7 +828,7 @@ lemma doReply_invs[wp]: apply (case_tac st, clarsimp+) apply (wp threadSet_invs_trivial threadSet_st_tcb_at2 hoare_weak_lift_imp | clarsimp simp add: inQ_def)+ - apply (rule_tac Q="\_. invs' and tcb_at' t + apply (rule_tac Q'="\_. invs' and tcb_at' t and sch_act_simple and st_tcb_at' awaiting_reply' t" in hoare_strengthen_post [rotated]) apply clarsimp 
@@ -940,7 +940,7 @@ lemma setDomain_invs': apply (simp add:setDomain_def ) apply (wp add: when_wp hoare_weak_lift_imp hoare_weak_lift_imp_conj rescheduleRequired_all_invs_but_extra tcbSchedEnqueue_valid_action hoare_vcg_if_lift2) - apply (rule_tac Q = "\r s. all_invs_but_sch_extra s \ curThread = ksCurThread s + apply (rule_tac Q'="\r s. all_invs_but_sch_extra s \ curThread = ksCurThread s \ (ptr \ curThread \ ct_not_inQ s \ sch_act_wf (ksSchedulerAction s) s \ ct_idle_or_in_cur_domain' s)" in hoare_strengthen_post[rotated]) apply (clarsimp simp:invs'_def valid_state'_def st_tcb_at'_def[symmetric] valid_pspace'_def) @@ -952,7 +952,7 @@ lemma setDomain_invs': apply assumption apply (wp hoare_weak_lift_imp threadSet_pred_tcb_no_state threadSet_not_curthread_ct_domain threadSet_tcbDomain_update_ct_not_inQ | simp)+ - apply (rule_tac Q = "\r s. invs' s \ curThread = ksCurThread s \ sch_act_simple s + apply (rule_tac Q'="\r s. invs' s \ curThread = ksCurThread s \ sch_act_simple s \ domain \ maxDomain \ (ptr \ curThread \ ct_not_inQ s \ sch_act_not ptr s)" in hoare_strengthen_post[rotated]) @@ -1218,7 +1218,7 @@ lemma handleInvocation_corres: apply (wp reply_from_kernel_tcb_at) apply (rule impI, wp+) apply (wpsimp wp: hoare_drop_imps|strengthen invs_distinct invs_psp_aligned)+ - apply (rule_tac Q="\rv. einvs and schact_is_rct and valid_invocation rve + apply (rule_tac Q'="\rv. einvs and schact_is_rct and valid_invocation rve and (\s. thread = cur_thread s) and st_tcb_at active thread" in hoare_post_imp) @@ -1226,7 +1226,7 @@ lemma handleInvocation_corres: elim!: st_tcb_weakenE) apply (wp sts_st_tcb_at' set_thread_state_schact_is_rct set_thread_state_active_valid_sched) - apply (rule_tac Q="\rv. invs' and valid_invocation' rve' + apply (rule_tac Q'="\rv. invs' and valid_invocation' rve' and (\s. thread = ksCurThread s) and st_tcb_at' active' thread and (\s. ksSchedulerAction s = ResumeCurrentThread) 
@@ -1239,7 +1239,7 @@ lemma handleInvocation_corres: apply (wp lec_caps_to lsft_ex_cte_cap_to | simp add: split_def liftE_bindE[symmetric] ct_in_state'_def ball_conj_distrib - | rule hoare_vcg_E_elim)+ + | rule hoare_vcg_conj_elimE)+ apply (clarsimp simp: tcb_at_invs invs_valid_objs valid_tcb_state_def ct_in_state_def simple_from_active invs_mdb @@ -1309,7 +1309,7 @@ lemma hinv_invs'[wp]: apply (clarsimp simp: valid_idle'_def valid_state'_def invs'_def pred_tcb_at'_def obj_at'_def idle_tcb'_def) apply wp+ - apply (rule_tac Q="\rv'. invs' and valid_invocation' rv + apply (rule_tac Q'="\rv'. invs' and valid_invocation' rv and (\s. ksSchedulerAction s = ResumeCurrentThread) and (\s. ksCurThread s = thread) and st_tcb_at' active' thread" @@ -1512,7 +1512,7 @@ lemma handleRecv_isBlocking_corres': apply (rule handleFault_corres) apply simp apply (wp get_simple_ko_wp | wpcw | simp)+ - apply (rule hoare_vcg_E_elim) + apply (rule hoare_vcg_conj_elimE) apply (simp add: lookup_cap_def lookup_slot_for_thread_def) apply wp apply (simp add: split_def) @@ -1560,14 +1560,14 @@ lemma hw_invs'[wp]: deleteCallerCap_ct'] | wpc | simp add: ct_in_state'_def whenE_def split del: if_split)+ apply (rule validE_validE_R) - apply (rule_tac Q="\rv s. invs' s + apply (rule_tac Q'="\rv s. invs' s \ sch_act_sane s \ thread = ksCurThread s \ ct_in_state' simple' s \ ex_nonz_cap_to' thread s \ thread \ ksIdleThread s \ (\x \ zobj_refs' rv. ex_nonz_cap_to' x s)" - and E="\_ _. True" + and E'="\_ _. True" in hoare_strengthen_postE[rotated]) apply (clarsimp simp: isCap_simps ct_in_state'_def pred_tcb_at' invs_valid_objs' sch_act_sane_not obj_at'_def projectKOs pred_tcb_at'_def) 
@@ -1616,7 +1616,7 @@ lemma hy_invs': "\invs' and ct_active'\ handleYield \\r. invs' and ct_active'\" apply (simp add: handleYield_def) apply (wpsimp wp: ct_in_state_thread_state_lift' rescheduleRequired_all_invs_but_ct_not_inQ) - apply (rule_tac Q="\_. all_invs_but_ct_not_inQ' and ct_active'" in hoare_post_imp) + apply (rule_tac Q'="\_. all_invs_but_ct_not_inQ' and ct_active'" in hoare_post_imp) apply clarsimp apply (subst pred_conj_def) apply (rule hoare_vcg_conj_lift) @@ -1841,7 +1841,7 @@ lemma handleReply_nonz_cap_to_ct: "\ct_active' and invs' and sch_act_simple\ handleReply \\rv s. ex_nonz_cap_to' (ksCurThread s) s\" - apply (rule_tac Q="\rv. ct_active' and invs'" + apply (rule_tac Q'="\rv. ct_active' and invs'" in hoare_post_imp) apply (auto simp: ct_in_state'_def elim: st_tcb_ex_cap'')[1] apply (wp | simp)+ @@ -1957,7 +1957,7 @@ proof - apply (rule handleVMFault_corres) apply (erule handleFault_corres) apply (rule hoare_elim_pred_conjE2) - apply (rule hoare_vcg_E_conj, rule valid_validE_E, wp) + apply (rule hoare_vcg_conj_liftE_E, rule valid_validE_E, wp) apply (wp handle_vm_fault_valid_fault) apply (rule hv_inv_ex') apply wp diff --git a/proof/refine/ARM/TcbAcc_R.thy b/proof/refine/ARM/TcbAcc_R.thy index bddf600a7a..4f4329403a 100644 --- a/proof/refine/ARM/TcbAcc_R.thy +++ b/proof/refine/ARM/TcbAcc_R.thy @@ -1083,7 +1083,7 @@ lemma threadSet_obj_at'_really_strongest: apply (simp add: threadSet_def) apply (wp setObject_tcb_strongest) apply (subst simp_thms(32)[symmetric], rule hoare_vcg_disj_lift) - apply (rule hoare_post_imp [where Q="\rv s. \ tcb_at' t s \ tcb_at' t s"]) + apply (rule hoare_post_imp[where Q'="\rv s. \ tcb_at' t s \ tcb_at' t s"]) apply simp apply (subst simp_thms(21)[symmetric], rule hoare_vcg_conj_lift) apply (rule getObject_inv_tcb) 
@@ -1170,7 +1170,7 @@ proof - show ?thesis apply (rule_tac P=P in P_bool_lift) apply (rule pos) - apply (rule_tac Q="\_ s. \ tcb_at' t' s \ pred_tcb_at' proj (\tcb. \ P' tcb) t' s" + apply (rule_tac Q'="\_ s. \ tcb_at' t' s \ pred_tcb_at' proj (\tcb. \ P' tcb) t' s" in hoare_post_imp) apply (erule disjE) apply (clarsimp dest!: pred_tcb_at') @@ -3320,7 +3320,7 @@ lemma sts_valid_objs': setThreadState st t \\_. valid_objs'\" apply (wpsimp simp: setThreadState_def wp: threadSet_valid_objs') - apply (rule_tac Q="\_. valid_objs' and pspace_aligned' and pspace_distinct'" in hoare_post_imp) + apply (rule_tac Q'="\_. valid_objs' and pspace_aligned' and pspace_distinct'" in hoare_post_imp) apply fastforce apply (wpsimp wp: threadSet_valid_objs') apply (simp add: valid_tcb'_def tcb_cte_cases_def cteSizeBits_def) @@ -3585,7 +3585,7 @@ lemma sts_sch_act': apply assumption apply (case_tac "runnable' st") apply ((wp threadSet_runnable_sch_act hoare_drop_imps | simp)+)[1] - apply (rule_tac Q="\rv s. st_tcb_at' (Not \ runnable') t s \ + apply (rule_tac Q'="\rv s. st_tcb_at' (Not \ runnable') t s \ (ksCurThread s \ t \ ksSchedulerAction s \ ResumeCurrentThread \ sch_act_wf (ksSchedulerAction s) s)" in hoare_post_imp) @@ -3605,10 +3605,10 @@ lemma sts_sch_act[wp]: prefer 2 apply assumption apply (case_tac "runnable' st") - apply (rule_tac Q="\s. sch_act_wf (ksSchedulerAction s) s" + apply (rule_tac P'="\s. sch_act_wf (ksSchedulerAction s) s" in hoare_pre_imp, simp) apply ((wp hoare_drop_imps threadSet_runnable_sch_act | simp)+)[1] - apply (rule_tac Q="\rv s. st_tcb_at' (Not \ runnable') t s \ + apply (rule_tac Q'="\rv s. st_tcb_at' (Not \ runnable') t s \ (ksCurThread s \ t \ ksSchedulerAction s \ ResumeCurrentThread \ sch_act_wf (ksSchedulerAction s) s)" in hoare_post_imp) 
@@ -3879,7 +3879,7 @@ lemma addToBitmap_valid_bitmapQ: addToBitmap d p \\_. valid_bitmapQ\" (is "\?pre\ _ \_\") - apply (rule_tac Q="\_ s. ?pre s \ bitmapQ d p s" in hoare_strengthen_post) + apply (rule_tac Q'="\_ s. ?pre s \ bitmapQ d p s" in hoare_strengthen_post) apply (wpsimp wp: addToBitmap_valid_bitmapQ_except addToBitmap_bitmapQ) apply (fastforce elim: valid_bitmap_valid_bitmapQ_exceptE) done @@ -4576,7 +4576,7 @@ lemma ct_in_state'_decomp: assumes x: "\\s. t = (ksCurThread s)\ f \\rv s. t = (ksCurThread s)\" assumes y: "\Pre\ f \\rv. st_tcb_at' Prop t\" shows "\\s. Pre s \ t = (ksCurThread s)\ f \\rv. ct_in_state' Prop\" - apply (rule hoare_post_imp [where Q="\rv s. t = ksCurThread s \ st_tcb_at' Prop t s"]) + apply (rule hoare_post_imp[where Q'="\rv s. t = ksCurThread s \ st_tcb_at' Prop t s"]) apply (clarsimp simp add: ct_in_state'_def) apply (rule hoare_weaken_pre) apply (wp x y) @@ -4647,7 +4647,7 @@ lemma setQueue_pred_tcb_at[wp]: unfolding pred_tcb_at'_def apply (rule_tac P=P' in P_bool_lift) apply (rule setQueue_obj_at) - apply (rule_tac Q="\_ s. \typ_at' TCBT t s \ obj_at' (Not \ (P \ proj \ tcb_to_itcb')) t s" + apply (rule_tac Q'="\_ s. \typ_at' TCBT t s \ obj_at' (Not \ (P \ proj \ tcb_to_itcb')) t s" in hoare_post_imp, simp add: not_obj_at' o_def) apply (wp hoare_vcg_disj_lift) apply (clarsimp simp: not_obj_at' o_def) @@ -4898,7 +4898,7 @@ lemma sts_iflive'[wp]: \\rv. if_live_then_nonz_cap'\" apply (simp add: setThreadState_def setQueue_def) apply wpsimp - apply (rule_tac Q="\rv. if_live_then_nonz_cap' and pspace_aligned' and pspace_distinct'" + apply (rule_tac Q'="\rv. if_live_then_nonz_cap' and pspace_aligned' and pspace_distinct'" in hoare_post_imp) apply clarsimp apply (wpsimp wp: threadSet_iflive') 
@@ -5037,7 +5037,7 @@ lemma tcbSchedEnqueue_ct_not_inQ: proof - have ts: "\?PRE\ threadSet (tcbQueued_update (\_. True)) t \\_. ct_not_inQ\" apply (simp add: ct_not_inQ_def) - apply (rule_tac Q="\s. ksSchedulerAction s = ResumeCurrentThread + apply (rule_tac P'="\s. ksSchedulerAction s = ResumeCurrentThread \ obj_at' (Not \ tcbQueued) (ksCurThread s) s \ ksCurThread s \ t" in hoare_pre_imp, clarsimp) apply (rule hoare_convert_imp [OF threadSet_nosch]) @@ -5064,7 +5064,7 @@ lemma tcbSchedAppend_ct_not_inQ: proof - have ts: "\?PRE\ threadSet (tcbQueued_update (\_. True)) t \\_. ct_not_inQ\" apply (simp add: ct_not_inQ_def) - apply (rule_tac Q="\s. ksSchedulerAction s = ResumeCurrentThread + apply (rule_tac P'="\s. ksSchedulerAction s = ResumeCurrentThread \ obj_at' (Not \ tcbQueued) (ksCurThread s) s \ ksCurThread s \ t" in hoare_pre_imp, clarsimp) apply (rule hoare_convert_imp [OF threadSet_nosch]) @@ -5091,7 +5091,7 @@ lemma setSchedulerAction_direct: lemma rescheduleRequired_ct_not_inQ: "\\\ rescheduleRequired \\_. ct_not_inQ\" apply (simp add: rescheduleRequired_def ct_not_inQ_def) - apply (rule_tac Q="\_ s. ksSchedulerAction s = ChooseNewThread" + apply (rule_tac Q'="\_ s. ksSchedulerAction s = ChooseNewThread" in hoare_post_imp, clarsimp) apply (wp setSchedulerAction_direct) done @@ -5162,7 +5162,7 @@ lemma setThreadState_ct_not_inQ: including no_pre apply (simp add: setThreadState_def) apply (wp rescheduleRequired_ct_not_inQ) - apply (rule_tac Q="\_. ?PRE" in hoare_post_imp, clarsimp) + apply (rule_tac Q'="\_. ?PRE" in hoare_post_imp, clarsimp) apply (wp) done 
@@ -5319,7 +5319,7 @@ lemma removeFromBitmap_valid_bitmapQ[wp]: removeFromBitmap d p \\_. valid_bitmapQ\" (is "\?pre\ _ \_\") - apply (rule_tac Q="\_ s. ?pre s \ \ bitmapQ d p s" in hoare_strengthen_post) + apply (rule_tac Q'="\_ s. ?pre s \ \ bitmapQ d p s" in hoare_strengthen_post) apply (wpsimp wp: removeFromBitmap_valid_bitmapQ_except removeFromBitmap_bitmapQ) apply (fastforce elim: valid_bitmap_valid_bitmapQ_exceptE) done diff --git a/proof/refine/ARM/Tcb_R.thy b/proof/refine/ARM/Tcb_R.thy index 8a2a164e83..2fb6160a1d 100644 --- a/proof/refine/ARM/Tcb_R.thy +++ b/proof/refine/ARM/Tcb_R.thy @@ -81,7 +81,7 @@ abbreviation lemma gts_st_tcb': "\tcb_at' t\ getThreadState t \\rv. st_tcb_at' (\st. st = rv) t\" apply (rule hoare_weaken_pre) - apply (rule hoare_post_imp[where Q="\rv s. \rv'. rv = rv' \ st_tcb_at' (\st. st = rv') t s"]) + apply (rule hoare_post_imp[where Q'="\rv s. \rv'. rv = rv' \ st_tcb_at' (\st. st = rv') t s"]) apply simp apply (wp hoare_vcg_ex_lift) apply (clarsimp simp add: pred_tcb_at'_def obj_at'_def) @@ -107,15 +107,15 @@ lemma activate_invs': split del: if_splits cong: if_cong) apply (wp) apply (clarsimp simp: ct_in_state'_def) - apply (rule_tac Q="\rv. invs' and ct_idle'" in hoare_post_imp, simp) + apply (rule_tac Q'="\rv. invs' and ct_idle'" in hoare_post_imp, simp) apply (wp activateIdle_invs) apply (clarsimp simp: ct_in_state'_def) - apply (rule_tac Q="\rv. invs' and ct_running' and sch_act_simple" + apply (rule_tac Q'="\rv. invs' and ct_running' and sch_act_simple" in hoare_post_imp, simp) apply (rule hoare_weaken_pre) apply (wp ct_in_state'_set asUser_ct sts_invs_minor' | wp (once) sch_act_simple_lift)+ - apply (rule_tac Q="\_. st_tcb_at' runnable' thread + apply (rule_tac Q'="\_. st_tcb_at' runnable' thread and sch_act_simple and invs' and (\s. thread = ksCurThread s)" in hoare_post_imp, clarsimp) 
@@ -194,7 +194,7 @@ lemma setupReplyMaster_weak_sch_act_wf[wp]: \\rv s. weak_sch_act_wf (ksSchedulerAction s) s\" apply (simp add: setupReplyMaster_def) apply (wp) - apply (rule_tac Q="\_ s. weak_sch_act_wf (ksSchedulerAction s) s" + apply (rule_tac Q'="\_ s. weak_sch_act_wf (ksSchedulerAction s) s" in hoare_post_imp, clarsimp) apply (wp)+ apply assumption @@ -220,11 +220,11 @@ lemma restart_corres: apply (wp set_thread_state_runnable_weak_valid_sched_action sts_st_tcb_at' sts_st_tcb' sts_valid_objs' | clarsimp simp: valid_tcb_state'_def | strengthen valid_objs'_valid_tcbs')+ - apply (rule_tac Q="\rv. valid_sched and cur_tcb and pspace_aligned and pspace_distinct" + apply (rule_tac Q'="\rv. valid_sched and cur_tcb and pspace_aligned and pspace_distinct" in hoare_strengthen_post) apply wp apply (fastforce simp: valid_sched_def valid_sched_action_def) - apply (rule_tac Q="\rv. invs' and ex_nonz_cap_to' t" in hoare_strengthen_post) + apply (rule_tac Q'="\rv. invs' and ex_nonz_cap_to' t" in hoare_strengthen_post) apply wp apply (clarsimp simp: invs'_def valid_state'_def sch_act_wf_weak valid_pspace'_def valid_tcb_state'_def) 
@@ -360,10 +360,10 @@ lemma invokeTCB_WriteRegisters_corres: valid_sched_valid_queues valid_objs'_valid_tcbs' invs_valid_objs' | clarsimp simp: invs_def valid_state_def valid_sched_def invs'_def valid_state'_def dest!: global'_no_ex_cap idle_no_ex_cap)+)[2] - apply (rule_tac Q="\_. einvs and tcb_at dest and ex_nonz_cap_to dest" in hoare_strengthen_post[rotated]) + apply (rule_tac Q'="\_. einvs and tcb_at dest and ex_nonz_cap_to dest" in hoare_strengthen_post[rotated]) apply (fastforce simp: invs_def valid_sched_weak_strg valid_sched_def valid_state_def dest!: idle_no_ex_cap) prefer 2 - apply (rule_tac Q="\_. invs' and tcb_at' dest and ex_nonz_cap_to' dest" in hoare_strengthen_post[rotated]) + apply (rule_tac Q'="\_. invs' and tcb_at' dest and ex_nonz_cap_to' dest" in hoare_strengthen_post[rotated]) apply (fastforce simp: sch_act_wf_weak invs'_def valid_state'_def dest!: global'_no_ex_cap) apply (wp | clarsimp)+ done @@ -471,10 +471,10 @@ proof - apply (rule_tac P=\ and P'=\ in corres_inst) apply simp apply (solves \wp hoare_weak_lift_imp\)+ - apply (rule_tac Q="\_. einvs and tcb_at dest" in hoare_post_imp) + apply (rule_tac Q'="\_. einvs and tcb_at dest" in hoare_post_imp) apply (fastforce simp: invs_def valid_state_def valid_pspace_def valid_sched_weak_strg valid_sched_def) prefer 2 - apply (rule_tac Q="\_. invs' and tcb_at' dest" in hoare_post_imp) + apply (rule_tac Q'="\_. invs' and tcb_at' dest" in hoare_post_imp) apply (fastforce simp: invs'_def valid_state'_def invs_weak_sch_act_wf cur_tcb'_def) apply ((wp mapM_x_wp' hoare_weak_lift_imp | (simp add: cur_tcb'_def[symmetric])+)+)[8] apply ((wp hoare_weak_lift_imp restart_invs' | wpc | clarsimp simp: if_apply_def2)+)[2] 
@@ -546,7 +546,7 @@ lemma tcbSchedDequeue_not_queued: \\rv. obj_at' (Not \ tcbQueued) t\" apply (simp add: tcbSchedDequeue_def) apply (wp | simp)+ - apply (rule_tac Q="\rv. obj_at' (\obj. tcbQueued obj = rv) t" + apply (rule_tac Q'="\rv. obj_at' (\obj. tcbQueued obj = rv) t" in hoare_post_imp) apply (clarsimp simp: obj_at'_def) apply (wp tg_sp' [where P=\, simplified] | simp)+ @@ -1436,7 +1436,7 @@ proof - have B: "\t v. \invs' and tcb_at' t\ threadSet (tcbFaultHandler_update v) t \\rv. invs'\" by (wp threadSet_invs_trivial | clarsimp simp: inQ_def)+ note stuff = Z B out_invs_trivial hoare_case_option_wp - hoare_vcg_const_Ball_lift hoare_vcg_const_Ball_lift_R + hoare_vcg_const_Ball_lift hoare_vcg_const_Ball_liftE_R cap_delete_deletes cap_delete_valid_cap out_valid_objs cap_insert_objs cteDelete_deletes cteDelete_sch_act_simple @@ -1471,7 +1471,7 @@ proof - apply (rule corres_returnOkTT, simp) apply wp apply wp - apply (wpsimp wp: hoare_vcg_const_imp_lift_R hoare_vcg_const_imp_lift + apply (wpsimp wp: hoare_vcg_const_imp_liftE_R hoare_vcg_const_imp_lift hoare_vcg_all_liftE_R hoare_vcg_all_lift as_user_invs thread_set_ipc_tcb_cap_valid thread_set_tcb_ipc_buffer_cap_cleared_invs @@ -1492,7 +1492,7 @@ proof - threadSet_invs_tcbIPCBuffer_update threadSet_cte_wp_at' | strengthen simple_sched_action_sched_act_not)+ apply ((wpsimp wp: stuff hoare_vcg_all_liftE_R hoare_vcg_all_lift - hoare_vcg_const_imp_lift_R hoare_vcg_const_imp_lift + hoare_vcg_const_imp_liftE_R hoare_vcg_const_imp_lift threadSet_valid_objs' thread_set_not_state_valid_sched thread_set_tcb_ipc_buffer_cap_cleared_invs thread_set_cte_wp_at_trivial thread_set_no_cap_to_trivial getThreadBufferSlot_dom_tcb_cte_cases 
@@ -1528,7 +1528,7 @@ proof - in hoare_strengthen_postE_R[simplified validE_R_def, rotated]) apply (case_tac g'; clarsimp simp: isCap_simps ; clarsimp elim: invs_valid_objs' cong:imp_cong) apply (wp add: stuff hoare_vcg_all_liftE_R hoare_vcg_all_lift - hoare_vcg_const_imp_lift_R hoare_vcg_const_imp_lift setMCPriority_invs' + hoare_vcg_const_imp_liftE_R hoare_vcg_const_imp_lift setMCPriority_invs' threadSet_valid_objs' thread_set_not_state_valid_sched setP_invs' typ_at_lifts [OF setPriority_typ_at'] typ_at_lifts [OF setMCPriority_typ_at'] 
@@ -1605,15 +1605,15 @@ lemma tc_invs': apply (wpsimp wp: hoare_weak_lift_imp hoare_vcg_all_lift checkCap_inv[where P="tcb_at' t" for t] assertDerived_wp_weak threadSet_invs_trivial2 threadSet_tcb' hoare_vcg_all_lift threadSet_cte_wp_at')+ - apply (wpsimp wp: hoare_weak_lift_imp_R cteDelete_deletes - hoare_vcg_all_liftE_R hoare_vcg_conj_liftE1 hoare_vcg_const_imp_lift_R hoare_vcg_propE_R + apply (wpsimp wp: hoare_weak_lift_impE_R cteDelete_deletes + hoare_vcg_all_liftE_R hoare_vcg_conj_liftE1 hoare_vcg_const_imp_liftE_R hoare_vcg_propE_R cteDelete_invs' cteDelete_invs' cteDelete_typ_at'_lifts)+ apply (assumption | clarsimp cong: conj_cong imp_cong | (rule case_option_wp_None_returnOk) | wpsimp wp: hoare_weak_lift_imp hoare_vcg_all_lift checkCap_inv[where P="tcb_at' t" for t] assertDerived_wp_weak hoare_vcg_imp_lift' hoare_vcg_all_lift checkCap_inv[where P="tcb_at' t" for t] checkCap_inv[where P="valid_cap' c" for c] checkCap_inv[where P=sch_act_simple] - hoare_vcg_const_imp_lift_R assertDerived_wp_weak hoare_weak_lift_imp_R cteDelete_deletes - hoare_vcg_all_liftE_R hoare_vcg_conj_liftE1 hoare_vcg_const_imp_lift_R hoare_vcg_propE_R + hoare_vcg_const_imp_liftE_R assertDerived_wp_weak hoare_weak_lift_impE_R cteDelete_deletes + hoare_vcg_all_liftE_R hoare_vcg_conj_liftE1 hoare_vcg_const_imp_liftE_R hoare_vcg_propE_R cteDelete_invs' cteDelete_typ_at'_lifts cteDelete_sch_act_simple)+ apply (clarsimp simp: tcb_cte_cases_def cte_level_bits_def objBits_defs tcbIPCBufferSlot_def) by (auto dest!: isCapDs isReplyCapD isValidVTableRootD simp: isCap_simps) @@ -2654,7 +2654,7 @@ lemma inv_tcb_IRQInactive: apply (rule hoare_pre) apply (wpc | wp withoutPreemption_R cteDelete_IRQInactive checkCap_inv - hoare_vcg_const_imp_lift_R cteDelete_irq_states' + hoare_vcg_const_imp_liftE_R cteDelete_irq_states' hoare_vcg_const_imp_lift | simp add: split_def)+ done diff --git a/proof/refine/ARM/Untyped_R.thy b/proof/refine/ARM/Untyped_R.thy index a514c2b531..bafa0f2651 100644 
--- a/proof/refine/ARM/Untyped_R.thy +++ b/proof/refine/ARM/Untyped_R.thy @@ -399,7 +399,7 @@ next apply (simp add: unat_arith_simps) apply wp+ apply simp - apply (rule hoare_strengthen_post [where Q = "\r. invs and valid_cap r and cte_at slot"]) + apply (rule hoare_strengthen_post[where Q'="\r. invs and valid_cap r and cte_at slot"]) apply wp+ apply (clarsimp simp: is_cap_simps bits_of_def cap_aligned_def valid_cap_def word_bits_def) @@ -407,7 +407,7 @@ next apply (strengthen refl exI[mk_strg I E] exI[where x=d])+ apply simp apply wp+ - apply (rule hoare_strengthen_post [where Q = "\r. invs' and cte_at' (cte_map slot)"]) + apply (rule hoare_strengthen_post[where Q'="\r. invs' and cte_at' (cte_map slot)"]) apply wp+ apply (clarsimp simp:invs_pspace_aligned' invs_pspace_distinct') apply auto[1] @@ -3149,7 +3149,7 @@ lemma createNewCaps_parent_helper: (\tup\set (zip (xs rv) rv). sameRegionAs (cteCap cte) (snd tup))) p\" - apply (rule hoare_post_imp [where Q="\rv s. \cte. cte_wp_at' ((=) cte) p s + apply (rule hoare_post_imp[where Q'="\rv s. \cte. cte_wp_at' ((=) cte) p s \ isUntypedCap (cteCap cte) \ (\tup\set (zip (xs rv) rv). sameRegionAs (cteCap cte) (snd tup))"]) @@ -4516,7 +4516,7 @@ lemma resetUntypedCap_invs_etc: | strengthen invs_pspace_aligned' invs_pspace_distinct' | simp add: ct_in_state'_def sch_act_simple_def - | rule hoare_vcg_conj_lift_R + | rule hoare_vcg_conj_liftE_R | wp (once) preemptionPoint_inv | wps | wp (once) ex_cte_cap_to'_pres)+ 
@@ -5228,7 +5228,7 @@ crunch insertNewCap
 lemma insertNewCap_ct_idle_or_in_cur_domain'[wp]:
 "\ct_idle_or_in_cur_domain' and ct_active'\ insertNewCap parent slot cap \\_. ct_idle_or_in_cur_domain'\"
 apply (wp ct_idle_or_in_cur_domain'_lift_futz[where Q=\])
-apply (rule_tac Q="\_. obj_at' (\tcb. tcbState tcb \ Structures_H.thread_state.Inactive) t and obj_at' (\tcb. d = tcbDomain tcb) t"
+apply (rule_tac Q'="\_. obj_at' (\tcb. tcbState tcb \ Structures_H.thread_state.Inactive) t and obj_at' (\tcb. d = tcbDomain tcb) t"
 in hoare_strengthen_post)
 apply (wp | clarsimp elim: obj_at'_weakenE)+
 apply (auto simp: obj_at'_def)
diff --git a/proof/refine/ARM/VSpace_R.thy b/proof/refine/ARM/VSpace_R.thy
index 56efaaa772..bd48b95cf9 100644
--- a/proof/refine/ARM/VSpace_R.thy
+++ b/proof/refine/ARM/VSpace_R.thy
@@ -612,12 +612,12 @@ lemma find_pd_for_asid_pd_at_asid_again:
 apply (unfold validE_def, rule hoare_name_pre_state, fold validE_def)
 apply (case_tac "\pd. vspace_at_asid asid pd s")
 apply clarsimp
- apply (rule_tac Q="\rv s'. s' = s \ rv = pd" and E="\\" in hoare_strengthen_postE)
+ apply (rule_tac Q'="\rv s'. s' = s \ rv = pd" and E'="\\" in hoare_strengthen_postE)
 apply (rule hoare_pre, wp find_pd_for_asid_valids)
 apply fastforce
 apply simp+
- apply (rule_tac Q="\rv s'. s' = s \ vspace_at_asid asid rv s'"
- and E="\rv s'. s' = s" in hoare_strengthen_postE)
+ apply (rule_tac Q'="\rv s'. s' = s \ vspace_at_asid asid rv s'"
+ and E'="\rv s'. s' = s" in hoare_strengthen_postE)
 apply (rule hoare_pre, wp)
 apply clarsimp+
 done
@@ -1021,7 +1021,7 @@ lemma deleteASIDPool_corres:
 apply (simp only:)
 apply (rule setVMRoot_corres)
 apply wp+
- apply (rule_tac R="\_ s. rv = arm_asid_table (arch_state s)"
+ apply (rule_tac Q'="\_ s. rv = arm_asid_table (arch_state s)"
 in hoare_post_add)
 apply (drule sym, simp only: )
 apply (drule sym, simp only: )
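Review bot: The rewritten `+apply (rule_tac Q'="\_. obj_at' ...` line in the insertNewCap_ct_idle_or_in_cur_domain' hunk keeps the old line's column-0 placement (the marker is immediately followed by `apply`), while every neighbouring proof line in the same hunk, `apply (wp ct_idle_or_in_cur_domain'_lift_futz[where Q=\])`, `in hoare_strengthen_post)` and `apply (wp | clarsimp elim: obj_at'_weakenE)+`, carries the usual proof indentation. Since the line is being touched for the Q to Q' rename anyway, indenting it to match its neighbours would keep the script uniform at no extra cost. The closing lines of this lemma's proof are outside the hunk.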
@@ -1037,7 +1037,7 @@ lemma deleteASIDPool_corres: apply (rule hoare_vcg_conj_lift, (rule mapM_invalidate[where ptr=ptr])?, ((wp mapM_wp' | simp)+)[1])+ - apply (rule_tac R="\_ s. rv' = armKSASIDTable (ksArchState s)" + apply (rule_tac Q'="\_ s. rv' = armKSASIDTable (ksArchState s)" in hoare_post_add) apply (simp only: pred_conj_def cong: conj_cong) apply simp @@ -1629,11 +1629,11 @@ lemma unmapPage_corres: | wp mapM_wp')+ apply (fastforce simp: invs_vspace_objs[simplified]) apply (wp lookupPTSlot_inv mapM_wp' | wpc | clarsimp)+ - apply (wp hoare_vcg_const_imp_lift_R + apply (wp hoare_vcg_const_imp_liftE_R | strengthen lookup_pd_slot_kernel_mappings_strg not_in_global_refs_vs_lookup page_directory_at_lookup_mask_aligned_strg lookup_pd_slot_kernel_mappings_set_strg page_directory_at_lookup_mask_add_aligned_strg - | wp hoare_vcg_const_Ball_lift_R + | wp hoare_vcg_const_Ball_liftE_R | simp)+ apply (clarsimp simp add: valid_unmap_def valid_asid_def) apply (case_tac sz) @@ -2142,7 +2142,7 @@ proof - apply (clarsimp simp add: when_def) apply (rule invalidate_tlb_by_asid_corres_ex) apply (wp hoare_vcg_ex_lift)+ - apply (rule_tac Q="\_. K (word \ mask asid_bits \ word \ 0) and invs + apply (rule_tac Q'="\_. K (word \ mask asid_bits \ word \ 0) and invs and (\s. \pd. vspace_at_asid word pd s)" in hoare_strengthen_post) prefer 2 @@ -2194,7 +2194,7 @@ proof - apply (clarsimp simp: when_def) apply (rule invalidate_tlb_by_asid_corres_ex) apply (wp hoare_vcg_ex_lift)+ - apply (rule_tac Q="\_. K (word \ mask asid_bits \ word \ 0) and invs + apply (rule_tac Q'="\_. K (word \ mask asid_bits \ word \ 0) and invs and (\s. \pd. vspace_at_asid word pd s)" in hoare_strengthen_post) prefer 2 apply (auto simp: invs_vspace_objs[simplified])[1] 
@@ -3488,7 +3488,7 @@ lemma perform_pt_invs [wp]: apply clarsimp apply (wp arch_update_updateCap_invs unmapPage_cte_wp_at' getSlotCap_wp|wpc)+ apply (rename_tac acap word a b) - apply (rule_tac Q="\_. invs' and cte_wp_at' (\cte. \d r R sz m. cteCap cte = + apply (rule_tac Q'="\_. invs' and cte_wp_at' (\cte. \d r R sz m. cteCap cte = ArchObjectCap (PageCap d r R sz m)) word" in hoare_strengthen_post) apply (wp unmapPage_cte_wp_at') diff --git a/proof/refine/ARM/orphanage/Orphanage.thy b/proof/refine/ARM/orphanage/Orphanage.thy index 3263418c7b..694806b1d1 100644 --- a/proof/refine/ARM/orphanage/Orphanage.thy +++ b/proof/refine/ARM/orphanage/Orphanage.thy @@ -575,7 +575,7 @@ lemma tcbSchedDequeue_no_orphans[wp]: apply (rule hoare_allI) apply (rename_tac tcb_ptr) apply (case_tac "tcb_ptr = tcbPtr") - apply (rule_tac Q="\_ s. st_tcb_at' (\state. \ is_active_thread_state state) tcbPtr s" + apply (rule_tac Q'="\_ s. st_tcb_at' (\state. \ is_active_thread_state state) tcbPtr s" in hoare_post_imp) apply fastforce apply wpsimp @@ -863,7 +863,7 @@ proof - \\_. no_orphans\" apply (wpsimp wp: scheduleChooseNewThread_no_orphans ssa_no_orphans hoare_vcg_all_lift ThreadDecls_H_switchToThread_no_orphans)+ - apply (rule_tac Q="\_ s. (t = candidate \ ksCurThread s = candidate) \ + apply (rule_tac Q'="\_ s. (t = candidate \ ksCurThread s = candidate) \ (t \ candidate \ sch_act_not t s)" in hoare_post_imp) apply (wpsimp wp: stt_nosch hoare_weak_lift_imp)+ @@ -1069,7 +1069,7 @@ lemma sendIPC_no_orphans [wp]: possibleSwitchTo_almost_no_orphans' | wpc | clarsimp simp: is_active_thread_state_def isRestart_def isRunning_def)+ - apply (rule_tac Q="\rv. no_orphans and valid_objs' and ko_at' rv epptr + apply (rule_tac Q'="\rv. no_orphans and valid_objs' and ko_at' rv epptr and (\s. sch_act_wf (ksSchedulerAction s) s)" in hoare_post_imp) apply (fastforce simp: valid_objs'_def valid_obj'_def valid_ep'_def obj_at'_def projectKOs) apply (wp get_ep_sp' | clarsimp)+ 
@@ -1294,7 +1294,7 @@ lemma cancelAllIPC_no_orphans[wp]: and I="no_orphans and (\s. \t\set list. tcb_at' t s)" in mapM_x_inv_wp2 | clarsimp simp: valid_tcb_state'_def)+ - apply (rule_tac Q="\rv. no_orphans and valid_objs' and pspace_aligned' and pspace_distinct' + apply (rule_tac Q'="\rv. no_orphans and valid_objs' and pspace_aligned' and pspace_distinct' and ko_at' rv epptr" in hoare_post_imp) apply (fastforce simp: valid_obj'_def valid_ep'_def obj_at'_def projectKOs) @@ -1318,7 +1318,7 @@ lemma cancelAllSignals_no_orphans[wp]: apply (wp sts_valid_objs' set_ntfn_valid_objs' sts_st_tcb' hoare_vcg_const_Ball_lift tcbSchedEnqueue_almost_no_orphans| clarsimp simp: valid_tcb_state'_def)+ - apply (rule_tac Q="\rv. no_orphans and valid_objs' and pspace_aligned' and pspace_distinct' + apply (rule_tac Q'="\rv. no_orphans and valid_objs' and pspace_aligned' and pspace_distinct' and ko_at' rv ntfn" in hoare_post_imp) apply (fastforce simp: valid_obj'_def valid_ntfn'_def obj_at'_def projectKOs) @@ -1464,7 +1464,7 @@ lemma deleteASIDPool_no_orphans [wp]: \ \rv s. no_orphans s \" unfolding deleteASIDPool_def apply (wp | clarsimp)+ - apply (rule_tac Q="\rv s. no_orphans s" in hoare_post_imp) + apply (rule_tac Q'="\rv s. no_orphans s" in hoare_post_imp) apply (clarsimp simp: no_orphans_def all_queued_tcb_ptrs_def all_active_tcb_ptrs_def is_active_tcb_ptr_def) apply (wp mapM_wp_inv getObject_inv loadObject_default_inv | clarsimp)+ @@ -1580,7 +1580,7 @@ lemma cteRevoke_no_orphans [wp]: "\ \s. no_orphans s \ invs' s \ sch_act_simple s \ cteRevoke ptr \ \rv s. no_orphans s \" - apply (rule_tac Q="\rv s. no_orphans s \ invs' s \ sch_act_simple s" + apply (rule_tac Q'="\rv s. no_orphans s \ invs' s \ sch_act_simple s" in hoare_strengthen_post) apply (wp cteRevoke_preservation cteDelete_invs' cteDelete_sch_act_simple)+ apply auto 
@@ -1609,7 +1609,7 @@ lemma doReplyTransfer_no_orphans[wp]: | wpc | clarsimp simp: is_active_thread_state_def isRunning_def isRestart_def | wp (once) hoare_drop_imps | strengthen sch_act_wf_weak)+ - apply (rule_tac Q="\rv. invs' and no_orphans" in hoare_post_imp) + apply (rule_tac Q'="\rv. invs' and no_orphans" in hoare_post_imp) apply (fastforce simp: inQ_def) apply (wp hoare_drop_imps | clarsimp)+ apply (clarsimp simp:invs'_def valid_state'_def valid_pspace'_def) @@ -1691,7 +1691,7 @@ lemma setPriority_no_orphans[wp]: \\_. no_orphans\" unfolding setPriority_def apply wpsimp - apply (rule_tac Q="\_ s. almost_no_orphans tptr s \ weak_sch_act_wf (ksSchedulerAction s) s" in hoare_post_imp) + apply (rule_tac Q'="\_ s. almost_no_orphans tptr s \ weak_sch_act_wf (ksSchedulerAction s) s" in hoare_post_imp) apply clarsimp apply (clarsimp simp: is_active_tcb_ptr_runnable' pred_tcb_at'_def obj_at'_def almost_no_orphans_no_orphans elim!: almost_no_orphans_no_orphans') @@ -1748,7 +1748,7 @@ lemma tc_no_orphans: checkCap_inv[where P="valid_cap' c" for c] checkCap_inv[where P=sch_act_simple] checkCap_inv[where P=no_orphans] checkCap_inv[where P="tcb_at' a"] threadSet_cte_wp_at' hoare_vcg_all_liftE_R hoare_vcg_all_lift threadSet_no_orphans - hoare_vcg_const_imp_lift_R hoare_weak_lift_imp hoare_drop_imp threadSet_ipcbuffer_invs + hoare_vcg_const_imp_liftE_R hoare_weak_lift_imp hoare_drop_imp threadSet_ipcbuffer_invs | (simp add: locateSlotTCB_def locateSlotBasic_def objBits_def objBitsKO_def tcbIPCBufferSlot_def tcb_cte_cases_def, wp hoare_return_sp) 
@@ -1879,7 +1879,7 @@ lemma performASIDControlInvocation_no_orphans [wp]: apply (clarsimp simp: performASIDControlInvocation_def split: asidcontrol_invocation.splits) apply (wp hoare_weak_lift_imp | clarsimp)+ - apply (rule_tac Q="\rv s. no_orphans s" in hoare_post_imp) + apply (rule_tac Q'="\rv s. no_orphans s" in hoare_post_imp) apply (clarsimp simp: no_orphans_def all_active_tcb_ptrs_def is_active_tcb_ptr_def all_queued_tcb_ptrs_def) apply (wp | clarsimp simp:placeNewObject_def2)+ @@ -1974,7 +1974,7 @@ lemma handleInvocation_no_orphans [wp]: unfolding handleInvocation_def apply (rule hoare_pre) apply (wp syscall_valid' setThreadState_isRestart_no_orphans | wpc | clarsimp)+ - apply (rule_tac Q="\state s. no_orphans s \ invs' s \ + apply (rule_tac Q'="\state s. no_orphans s \ invs' s \ (state = Structures_H.thread_state.Restart \ st_tcb_at' isRestart thread s)" in hoare_post_imp) @@ -2033,7 +2033,7 @@ notes if_cong[cong] shows apply (clarsimp simp: whenE_def split del: if_split | wp hoare_drop_imps getNotification_wp | wpc )+ (*takes a while*) apply (rule_tac Q'="\rv s. no_orphans s \ invs' s" in hoare_strengthen_postE_R) apply (wp, fastforce) - apply (rule_tac Q="\rv s. no_orphans s \ invs' s" in hoare_post_imp) + apply (rule_tac Q'="\rv s. no_orphans s \ invs' s" in hoare_post_imp) apply (wp | clarsimp | fastforce)+ done @@ -2046,7 +2046,7 @@ lemma handleReply_no_orphans [wp]: apply (rule hoare_pre) apply (wp hoare_drop_imps | wpc | clarsimp)+ apply (wp hoare_vcg_all_lift) - apply (rule_tac Q="\rv s. no_orphans s \ invs' s \ tcb_at' thread s \ + apply (rule_tac Q'="\rv s. no_orphans s \ invs' s \ tcb_at' thread s \ valid_cap' rv s" in hoare_post_imp) apply (wp hoare_drop_imps | clarsimp simp: valid_cap'_def | clarsimp simp: invs'_def cur_tcb'_def valid_state'_def)+ diff --git a/proof/refine/ARM_HYP/Arch_R.thy b/proof/refine/ARM_HYP/Arch_R.thy index 0273f4d317..7e4d1f4092 100644 --- a/proof/refine/ARM_HYP/Arch_R.thy +++ b/proof/refine/ARM_HYP/Arch_R.thy 
@@ -1320,7 +1320,7 @@ lemma associateVCPUTCB_corres: apply (corresKsimp search: getObject_vcpu_corres setObject_VCPU_corres vcpuSwitch_corres'' wp: get_vcpu_wp getVCPU_wp hoare_vcg_imp_lift' simp: vcpu_relation_def) - apply (rule_tac Q="\_. invs and tcb_at t" in hoare_strengthen_post) + apply (rule_tac Q'="\_. invs and tcb_at t" in hoare_strengthen_post) apply wp apply clarsimp apply (rule conjI) @@ -1329,7 +1329,7 @@ lemma associateVCPUTCB_corres: apply (frule (1) sym_refs_vcpu_tcb, fastforce) apply (fastforce simp: obj_at_def)+ apply (wpsimp)+ - apply (rule_tac Q="\_. invs' and tcb_at' t" in hoare_strengthen_post) + apply (rule_tac Q'="\_. invs' and tcb_at' t" in hoare_strengthen_post) apply wpsimp apply clarsimp apply (rule conjI) @@ -1891,8 +1891,8 @@ lemma arch_decodeInvocation_wf[wp]: cong: list.case_cong prod.case_cong) apply (rule hoare_pre) apply (wpsimp simp: valid_arch_inv'_def valid_page_inv'_def)+ - apply (rule hoare_vcg_conj_lift_R,(wp ensureSafeMapping_inv)[1])+ - apply (wpsimp wp: whenE_throwError_wp checkVP_wpR hoare_vcg_const_imp_lift_R hoare_drop_impE_R + apply (rule hoare_vcg_conj_liftE_R,(wp ensureSafeMapping_inv)[1])+ + apply (wpsimp wp: whenE_throwError_wp checkVP_wpR hoare_vcg_const_imp_liftE_R hoare_drop_impE_R ensureSafeMapping_valid_slots_duplicated' createMappingEntries_valid_pde_slots' findPDForASID_page_directory_at' simp: valid_arch_inv'_def valid_page_inv'_def)+ 
@@ -2354,14 +2354,14 @@ lemma associateVCPUTCB_invs'[wp]: apply (clarsimp simp: associateVCPUTCB_def) apply (subst bind_assoc[symmetric], fold associateVCPUTCB_helper_def) apply wpsimp - apply (rule_tac Q="\_ s. invs' s \ ko_wp_at' (is_vcpu' and hyp_live') vcpu s" in hoare_post_imp) + apply (rule_tac Q'="\_ s. invs' s \ ko_wp_at' (is_vcpu' and hyp_live') vcpu s" in hoare_post_imp) apply simp apply (rule hoare_vcg_conj_lift) apply (wpsimp wp: assoc_invs'[folded associateVCPUTCB_helper_def]) apply (clarsimp simp: associateVCPUTCB_helper_def) apply (wpsimp simp: vcpu_at_is_vcpu'[symmetric])+ apply (wpsimp wp: getVCPU_wp) - apply (rule_tac Q="\_. invs' and obj_at' (\tcb. atcbVCPUPtr (tcbArch tcb) = None) tcb and + apply (rule_tac Q'="\_. invs' and obj_at' (\tcb. atcbVCPUPtr (tcbArch tcb) = None) tcb and ex_nonz_cap_to' vcpu and ex_nonz_cap_to' tcb and vcpu_at' vcpu" in hoare_strengthen_post) apply wpsimp diff --git a/proof/refine/ARM_HYP/CNodeInv_R.thy b/proof/refine/ARM_HYP/CNodeInv_R.thy index f996140d28..71577bf880 100644 --- a/proof/refine/ARM_HYP/CNodeInv_R.thy +++ b/proof/refine/ARM_HYP/CNodeInv_R.thy @@ -206,7 +206,7 @@ lemma decodeCNodeInvocation_corres: apply (rule corres_trivial) subgoal by (auto simp add: whenE_def, auto simp add: returnOk_def) apply (wp | wpc | simp(no_asm))+ - apply (wp hoare_vcg_const_imp_lift_R hoare_vcg_const_imp_lift + apply (wp hoare_vcg_const_imp_liftE_R hoare_vcg_const_imp_lift hoare_vcg_all_liftE_R hoare_vcg_all_lift lsfco_cte_at' hoare_drop_imps | clarsimp)+ subgoal by (auto elim!: valid_cnode_capI) @@ -6166,7 +6166,7 @@ lemma reduceZombie_invs'': apply (wp | simp)+ apply (rule getCTE_wp) apply (wp | simp)+ - apply (rule_tac Q="\cte s. rv = capZombiePtr cap + + apply (rule_tac Q'="\cte s. rv = capZombiePtr cap + of_nat (capZombieNumber cap) * 2^cteSizeBits - 2^cteSizeBits \ cte_wp_at' (\c. c = cte) slot s \ invs' s \ no_cte_prop Q s \ sch_act_simple s" 
@@ -6489,8 +6489,8 @@ lemmas cteDelete_typ_at'_lifts [wp] = typ_at_lifts [OF cteDelete_typ_at'] lemma cteDelete_cte_at: "\\\ cteDelete slot bool \\rv. cte_at' slot\" - apply (rule_tac Q="\s. cte_at' slot s \ \ cte_at' slot s" - in hoare_pre(1)) + apply (rule_tac P'="\s. cte_at' slot s \ \ cte_at' slot s" + in hoare_weaken_pre) apply (rule hoare_strengthen_post) apply (rule hoare_vcg_disj_lift) apply (rule typ_at_lifts, rule cteDelete_typ_at') @@ -6529,7 +6529,7 @@ lemma cteDelete_cte_wp_at_invs: apply (clarsimp simp: cte_wp_at_ctes_of) apply wp apply (simp add: imp_conjR conj_comms) - apply (rule_tac Q="\rv s. invs' s \ sch_act_simple s \ + apply (rule_tac Q'="\rv s. invs' s \ sch_act_simple s \ (fst rv \ cte_wp_at' (\cte. removeable' slot s (cteCap cte)) slot s) \ (fst rv \ @@ -6540,9 +6540,9 @@ lemma cteDelete_cte_wp_at_invs: cteCap cte = NullCap \ (\zb n. cteCap cte = Zombie slot zb n)) slot s)" - and E="\rv. \" in hoare_strengthen_postE) + and E'="\rv. \" in hoare_strengthen_postE) apply (wp finaliseSlot_invs finaliseSlot_removeable finaliseSlot_sch_act_simple - hoare_drop_imps(2)[OF finaliseSlot_irqs]) + hoare_drop_impE_R[OF finaliseSlot_irqs]) apply (rule hoare_strengthen_postE_R, rule finaliseSlot_abort_cases) apply (clarsimp simp: cte_wp_at_ctes_of dest!: isCapDs) apply simp @@ -6564,7 +6564,7 @@ lemma cteDelete_cte_wp_at_invs: p s" in hoare_strengthen_postE_R) apply (wp finaliseSlot_invs finaliseSlot_removeable finaliseSlot_sch_act_simple - hoare_drop_imps(2)[OF finaliseSlot_irqs]) + hoare_drop_impE_R[OF finaliseSlot_irqs]) apply (rule hoare_strengthen_postE_R [OF finaliseSlot_cte_wp_at[where p=p and P=P]]) apply simp+ apply (clarsimp simp: cte_wp_at_ctes_of) 
@@ -6578,8 +6578,8 @@ lemma cteDelete_sch_act_simple: cteDelete slot exposed \\rv. sch_act_simple\" apply (simp add: cteDelete_def whenE_def split_def) apply (wp hoare_drop_imps | simp)+ - apply (rule_tac hoare_strengthen_postE [where Q="\rv. sch_act_simple" - and E="\rv. sch_act_simple"]) + apply (rule_tac hoare_strengthen_postE [where Q'="\rv. sch_act_simple" + and E'="\rv. sch_act_simple"]) apply (rule valid_validE) apply (wp finaliseSlot_sch_act_simple) apply simp+ @@ -6765,7 +6765,7 @@ proof (induct rule: finalise_induct3) apply ((wp | simp add: locateSlot_conv)+)[2] apply (rule drop_spec_validE) apply simp - apply (rule_tac Q="\rv s. revoke_progress_ord m (option_map capToRPO \ cteCaps_of s) + apply (rule_tac Q'="\rv s. revoke_progress_ord m (option_map capToRPO \ cteCaps_of s) \ cte_wp_at' (\cte. cteCap cte = fst rvb) sl s" in hoare_post_imp) apply (clarsimp simp: o_def cte_wp_at_ctes_of capToRPO_def @@ -7336,7 +7336,7 @@ next apply (rule updateCap_corres) apply simp apply (simp add: is_cap_simps) - apply (rule_tac R="\rv. cte_at' (cte_map ?target)" in hoare_post_add) + apply (rule_tac Q'="\rv. cte_at' (cte_map ?target)" in hoare_post_add) apply (wp, (wp getCTE_wp)+) apply (clarsimp simp: cte_wp_at_ctes_of) apply (rule no_fail_pre, wp, simp) @@ -7498,7 +7498,7 @@ lemma cteRevoke_typ_at': lemma cteRevoke_invs': "\invs' and sch_act_simple\ cteRevoke ptr \\rv. invs'\" - apply (rule_tac Q="\rv. invs' and sch_act_simple" in hoare_strengthen_post) + apply (rule_tac Q'="\rv. invs' and sch_act_simple" in hoare_strengthen_post) apply (wp cteRevoke_preservation cteDelete_invs' cteDelete_sch_act_simple)+ apply simp_all done 
@@ -9067,7 +9067,7 @@ proof (induct rule: finalise_spec_induct) apply (unfold Let_def split_def fst_conv snd_conv case_Zombie_assert_fold haskell_fail_def) apply (wp getCTE_wp' preemptionPoint_invR| simp add: o_def irq_state_independent_HI)+ - apply (rule hoare_post_imp [where Q="\_. valid_irq_states'"]) + apply (rule hoare_post_imp[where Q'="\_. valid_irq_states'"]) apply simp apply wp[1] apply (rule spec_strengthen_postE) @@ -9110,7 +9110,7 @@ lemma cteDelete_irq_states': apply (simp add: cteDelete_def split_def) apply (wp whenE_wp) apply (rule hoare_strengthen_postE) - apply (rule hoare_valid_validE) + apply (rule valid_validE) apply (rule finaliseSlot_irq_states') apply simp apply simp diff --git a/proof/refine/ARM_HYP/CSpace_R.thy b/proof/refine/ARM_HYP/CSpace_R.thy index 4d3630ce36..35de818ba2 100644 --- a/proof/refine/ARM_HYP/CSpace_R.thy +++ b/proof/refine/ARM_HYP/CSpace_R.thy @@ -2147,7 +2147,7 @@ lemma cteInsert_mdb' [wp]: cteInsert cap src dest \\_. valid_mdb'\" apply (simp add:valid_mdb'_def valid_mdb_ctes_def) - apply (rule_tac Q = "\r s. valid_dlist (ctes_of s) \ irq_control (ctes_of s) \ + apply (rule_tac Q'="\r s. valid_dlist (ctes_of s) \ irq_control (ctes_of s) \ no_0 (ctes_of s) \ mdb_chain_0 (ctes_of s) \ mdb_chunked (ctes_of s) \ untyped_mdb' (ctes_of s) \ untyped_inc' (ctes_of s) \ Q s" for Q 
@@ -4013,12 +4013,12 @@ lemma setupReplyMaster_corres: apply (fastforce dest: pspace_relation_no_reply_caps state_relation_pspace_relation) apply (clarsimp simp: cte_map_def tcb_cnode_index_def cte_wp_at_ctes_of) - apply (rule_tac Q="\rv. einvs and tcb_at t and + apply (rule_tac Q'="\rv. einvs and tcb_at t and cte_wp_at ((=) rv) (t, tcb_cnode_index 2)" in hoare_strengthen_post) apply (wp hoare_drop_imps get_cap_wp) apply (clarsimp simp: invs_def valid_state_def elim!: cte_wp_at_weakenE) - apply (rule_tac Q="\rv. valid_pspace' and valid_mdb' and + apply (rule_tac Q'="\rv. valid_pspace' and valid_mdb' and cte_wp_at' ((=) rv) (cte_map (t, tcb_cnode_index 2))" in hoare_strengthen_post) apply (wp hoare_drop_imps getCTE_wp') diff --git a/proof/refine/ARM_HYP/Detype_R.thy b/proof/refine/ARM_HYP/Detype_R.thy index c5792172e4..c8a29f1ab9 100644 --- a/proof/refine/ARM_HYP/Detype_R.thy +++ b/proof/refine/ARM_HYP/Detype_R.thy @@ -64,7 +64,7 @@ lemma descendants_range_in_lift': apply (simp only: Ball_def[unfolded imp_conv_disj]) apply (rule hoare_pre) apply (wp hoare_vcg_all_lift hoare_vcg_disj_lift st cap_range) - apply (rule_tac Q = "\r s. cte_wp_at' (\c. capRange (cteCap c) \ S = {}) x s" + apply (rule_tac Q'="\r s. cte_wp_at' (\c. capRange (cteCap c) \ S = {}) x s" in hoare_strengthen_post) apply (wp cap_range) apply (clarsimp simp:cte_wp_at_ctes_of null_filter'_def) @@ -1834,7 +1834,7 @@ lemma deleteObjects_invs': proof - show ?thesis apply (rule hoare_pre) - apply (rule_tac G="is_aligned ptr bits \ 2 \ bits \ bits \ word_bits" in hoare_grab_asm) + apply (rule_tac P'="is_aligned ptr bits \ 2 \ bits \ bits \ word_bits" in hoare_grab_asm) apply (clarsimp simp add: deleteObjects_def2) apply (simp add: freeMemory_def bind_assoc doMachineOp_bind ef_storeWord) apply (simp add: bind_assoc[where f="\_. modify f" for f, symmetric]) 
@@ -4084,7 +4084,7 @@ lemma createNewCaps_pspace_no_overlap':
 apply simp+
 apply (simp add:range_cover_def)
 apply (simp add:range_cover.sz(1)[where 'a=32, folded word_bits_def])
- apply (rule_tac Q = "\r. pspace_no_overlap' (ptr + (1 + of_nat n << Types_H.getObjectSize ty us))
+ apply (rule_tac Q'="\r. pspace_no_overlap' (ptr + (1 + of_nat n << Types_H.getObjectSize ty us))
 (Types_H.getObjectSize ty us) and pspace_aligned' and pspace_distinct'"
 in hoare_strengthen_post)
 apply (case_tac ty)
diff --git a/proof/refine/ARM_HYP/Finalise_R.thy b/proof/refine/ARM_HYP/Finalise_R.thy
index f83fc8906a..6a29f383d0 100644
--- a/proof/refine/ARM_HYP/Finalise_R.thy
+++ b/proof/refine/ARM_HYP/Finalise_R.thy
@@ -1796,7 +1796,7 @@ lemma isFinalCapability_inv:
 apply (simp add: isFinalCapability_def Let_def split del: if_split cong: if_cong)
 apply (rule hoare_pre, wp)
- apply (rule hoare_post_imp [where Q="\s. P"], simp)
+ apply (rule hoare_post_imp[where Q'="\s. P"], simp)
 apply wp
 apply simp
 done
@@ -2452,7 +2452,7 @@ lemma deleteASID_invs'[wp]:
 apply (simp add: deleteASID_def cong: option.case_cong)
 apply (rule hoare_pre)
 apply (wp | wpc)+
- apply (rule_tac Q="\rv. valid_obj' (injectKO rv) and invs'"
+ apply (rule_tac Q'="\rv. valid_obj' (injectKO rv) and invs'"
 in hoare_post_imp)
 apply (rename_tac rv s)
 apply (clarsimp split: if_split_asm del: subsetI)
@@ -3134,7 +3134,7 @@ lemma cancelIPC_bound_tcb_at'[wp]:
 apply (simp add: getThreadReplySlot_def locateSlot_conv liftM_def)
 apply (rule hoare_pre)
 apply (wp capDeleteOne_bound_tcb_at' getCTE_ctes_of)
- apply (rule_tac Q="\_. bound_tcb_at' P tptr" in hoare_post_imp)
+ apply (rule_tac Q'="\_. bound_tcb_at' P tptr" in hoare_post_imp)
 apply (clarsimp simp: capHasProperty_def cte_wp_at_ctes_of)
 apply (wp threadSet_pred_tcb_no_state | simp)+
 done
@@ -4013,7 +4013,7 @@ lemma no_idle_thread_cap:
 lemmas getCTE_no_0_obj'_helper = getCTE_inv
- hoare_strengthen_post[where Q="\_. no_0_obj'" and P=no_0_obj' and a="getCTE slot" for slot]
+ hoare_strengthen_post[where Q'="\_. no_0_obj'" and P=no_0_obj' and f="getCTE slot" for slot]
 context begin interpretation Arch . (*FIXME: arch_split*)
 context
diff --git a/proof/refine/ARM_HYP/Interrupt_R.thy b/proof/refine/ARM_HYP/Interrupt_R.thy
index c9524a40a2..91a901b911 100644
--- a/proof/refine/ARM_HYP/Interrupt_R.thy
+++ b/proof/refine/ARM_HYP/Interrupt_R.thy
@@ -381,7 +381,7 @@ lemma invokeIRQHandler_corres:
 apply simp
 apply (rule corres_split_nor[OF cap_delete_one_corres])
 apply (rule cteInsert_corres, simp+)
- apply (rule_tac Q="\rv s. einvs s \ cte_wp_at (\c. c = cap.NullCap) irq_slot s
+ apply (rule_tac Q'="\rv s. einvs s \ cte_wp_at (\c. c = cap.NullCap) irq_slot s
 \ (a, b) \ irq_slot \ cte_wp_at (is_derived (cdt s) (a, b) cap) (a, b) s"
 in hoare_post_imp)
@@ -848,7 +848,7 @@ proof -
 apply (wp gts_wp)
 apply (wp gts_wp')
 apply (rule_tac
- Q="\rv. tcb_at rv and einvs
+ Q'="\rv. tcb_at rv and einvs
 and (\_. valid_fault (ExceptionTypes_A.fault.ArchFault rva))"
 in hoare_post_imp)
 apply (clarsimp cong: imp_cong conj_cong simp: not_pred_tcb runnable_eq pred_conj_def)
@@ -856,7 +856,7 @@ proof -
 apply (clarsimp simp: pred_tcb_at_def obj_at_def invs_psp_aligned invs_distinct)
 apply wp
 apply clarsimp
- apply (rule_tac Q="\rv x. tcb_at' rv x
+ apply (rule_tac Q'="\rv x. tcb_at' rv x
 \ invs' x \ sch_act_not rv x"
 in hoare_post_imp)
@@ -921,7 +921,7 @@ lemma vppiEvent_corres:
 is runnable directly afterwards, which is obvious and should not propagate further; clean up the postconditions of the thread_get and threadGet *)
 apply (rule_tac
- Q="\rv. tcb_at rv and einvs
+ Q'="\rv. tcb_at rv and einvs
 and (\_. valid_fault (ExceptionTypes_A.fault.ArchFault (ARM_A.VPPIEvent irq)))"
 in hoare_post_imp)
@@ -930,7 +930,7 @@ lemma vppiEvent_corres:
 clarsimp simp: invs_psp_aligned invs_distinct)
 apply wp
 apply (clarsimp cong: imp_cong conj_cong simp: pred_conj_def)
- apply (rule_tac Q="\rv x. tcb_at' rv x
+ apply (rule_tac Q'="\rv x. tcb_at' rv x
 \ invs' x \ sch_act_not rv x"
 in hoare_post_imp)
 apply (rename_tac rv s)
@@ -1078,7 +1078,7 @@ lemma timerTick_invs'[wp]:
 apply (wpsimp wp: threadSet_invs_trivial threadSet_pred_tcb_no_state rescheduleRequired_all_invs_but_ct_not_inQ simp: tcb_cte_cases_def)
- apply (rule_tac Q="\rv. invs'" in hoare_post_imp)
+ apply (rule_tac Q'="\rv. invs'" in hoare_post_imp)
 apply (clarsimp simp: invs'_def valid_state'_def)
 apply (simp add: decDomainTime_def)
 apply wp
@@ -1089,7 +1089,7 @@ lemma timerTick_invs'[wp]:
 hoare_vcg_imp_lift threadSet_ct_idle_or_in_cur_domain')+
 apply (rule hoare_strengthen_post[OF tcbSchedAppend_all_invs_but_ct_not_inQ'])
 apply (wpsimp simp: invs'_def valid_state'_def valid_pspace'_def sch_act_wf_weak)+
- apply (rule_tac Q="\_. invs'" in hoare_strengthen_post)
+ apply (rule_tac Q'="\_. invs'" in hoare_strengthen_post)
 apply (wpsimp wp: threadSet_pred_tcb_no_state threadSet_tcbDomain_triv threadSet_valid_objs' threadSet_timeslice_invs)+
 apply (clarsimp simp: invs'_def valid_state'_def valid_pspace'_def)
@@ -1136,7 +1136,7 @@ lemma vgicMaintenance_invs'[wp]:
 apply (strengthen st_tcb_ex_cap''[where P=active'])
 apply (strengthen invs_iflive')
 apply (clarsimp cong: imp_cong conj_cong simp: pred_conj_def)
- apply (rule_tac Q="\_ s. tcb_at' (ksCurThread s) s
+ apply (rule_tac Q'="\_ s. tcb_at' (ksCurThread s) s
 \ invs' s \ sch_act_not (ksCurThread s) s"
 in hoare_post_imp)
@@ -1169,7 +1169,7 @@ lemma vppiEvent_invs'[wp]:
 apply (strengthen st_tcb_ex_cap''[where P=active'])
 apply (strengthen invs_iflive')
 apply (clarsimp cong: imp_cong conj_cong simp: pred_conj_def)
- apply (rule_tac Q="\_ s. tcb_at' (ksCurThread s) s
+ apply (rule_tac Q'="\_ s. tcb_at' (ksCurThread s) s
 \ invs' s \ sch_act_not (ksCurThread s) s"
 in hoare_post_imp)
@@ -1191,7 +1191,7 @@ lemma hint_invs[wp]:
 apply (simp add: handleInterrupt_def getSlotCap_def cong: irqstate.case_cong)
 apply (rule conjI; rule impI)
 apply (wp dmo_maskInterrupt_True getCTE_wp' | wpc | simp add: doMachineOp_bind maskIrqSignal_def)+
- apply (rule_tac Q="\rv. invs'" in hoare_post_imp)
+ apply (rule_tac Q'="\rv. invs'" in hoare_post_imp)
 apply (clarsimp simp: cte_wp_at_ctes_of ex_nonz_cap_to'_def)
 apply fastforce
 apply (wpsimp wp: threadSet_invs_trivial getIRQState_wp
diff --git a/proof/refine/ARM_HYP/IpcCancel_R.thy b/proof/refine/ARM_HYP/IpcCancel_R.thy
index 8a9b144248..4c780afdf5 100644
--- a/proof/refine/ARM_HYP/IpcCancel_R.thy
+++ b/proof/refine/ARM_HYP/IpcCancel_R.thy
@@ -935,7 +935,7 @@ lemma (in delete_one_conc_pre) cancelIPC_sch_act_simple[wp]:
 apply (wp hoare_drop_imps delete_one_sch_act_simple | simp add: getThreadReplySlot_def | wpcw | rule sch_act_simple_lift
- | (rule_tac Q="\rv. sch_act_simple" in hoare_post_imp, simp))+
+ | (rule_tac Q'="\rv. sch_act_simple" in hoare_post_imp, simp))+
 done
 lemma cancelSignal_st_tcb_at:
@@ -945,7 +945,7 @@ lemma cancelSignal_st_tcb_at:
 \\rv. st_tcb_at' P t\"
 apply (simp add: cancelSignal_def Let_def list_case_If)
 apply (wp sts_st_tcb_at'_cases hoare_vcg_const_imp_lift
- hoare_drop_imp[where R="%rv s. P' rv" for P'])
+ hoare_drop_imp[where Q'="%rv s. P' rv" for P'])
 apply clarsimp+
 done
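Review bot: The rewritten `hoare_drop_imp[where Q'="%rv s. P' rv" for P']` line in `cancelSignal_st_tcb_at` keeps the ASCII `%` binder, while every other instantiation touched by this change appears to use the `\<lambda>` symbol (rendered as a bare backslash in this view). Since the line is being edited anyway, I would write it as `hoare_drop_imp[where Q'="\<lambda>rv s. P' rv" for P'])` so the file stays uniform. This is purely a point of style; the term is identical either way, and the lemma's statement starts outside the hunk.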
@@ -1033,7 +1033,7 @@ lemma (in delete_one_conc_pre) cancelIPC_tcb_at_runnable':
 apply (rule_tac Q'="\st. st_tcb_at' runnable' t and K (runnable' st)" in bind_wp)
 apply(case_tac rv; simp)
 apply (wpsimp wp: sts_pred_tcb_neq')+
- apply (rule_tac Q="\rv. ?PRE" in hoare_post_imp, fastforce)
+ apply (rule_tac Q'="\rv. ?PRE" in hoare_post_imp, fastforce)
 apply (wp cteDeleteOne_tcb_at_runnable' threadSet_pred_tcb_no_state cancelSignal_tcb_at_runnable'
@@ -1133,7 +1133,7 @@ lemma sts_weak_sch_act_wf[wp]:
 including classic_wp_pre
 apply (simp add: setThreadState_def)
 apply (wp rescheduleRequired_weak_sch_act_wf)
- apply (rule_tac Q="\_ s. weak_sch_act_wf (ksSchedulerAction s) s" in hoare_post_imp, simp)
+ apply (rule_tac Q'="\_ s. weak_sch_act_wf (ksSchedulerAction s) s" in hoare_post_imp, simp)
 apply (simp add: weak_sch_act_wf_def)
 apply (wp hoare_vcg_all_lift)
 apply (wps threadSet_nosch)
@@ -1259,11 +1259,11 @@ lemma (in delete_one) suspend_corres:
 apply (wpsimp simp: update_restart_pc_def updateRestartPC_def)+
 apply (wpsimp wp: sts_valid_objs')
 apply (wpsimp simp: update_restart_pc_def updateRestartPC_def valid_tcb_state'_def)+
- apply (rule hoare_post_imp[where Q = "\_ s. einvs s \ tcb_at t s"])
+ apply (rule hoare_post_imp[where Q'="\_ s. einvs s \ tcb_at t s"])
 apply (simp add: invs_implies invs_strgs valid_queues_in_correct_ready_q valid_queues_ready_qs_distinct valid_sched_def)
 apply wp
- apply (rule hoare_post_imp[where Q = "\_ s. invs' s \ tcb_at' t s"])
+ apply (rule hoare_post_imp[where Q'="\_ s. invs' s \ tcb_at' t s"])
 apply (fastforce simp: invs'_def valid_tcb_state'_def)
 apply (wpsimp simp: update_restart_pc_def updateRestartPC_def)+
 apply fastforce+
@@ -1458,7 +1458,7 @@ lemma (in delete_one_conc) suspend_invs'[wp]:
 apply (simp add: suspend_def)
 apply (wpsimp wp: sts_invs_minor' gts_wp' simp: updateRestartPC_def | strengthen no_refs_simple_strg')+
- apply (rule_tac Q="\_. invs' and sch_act_simple and st_tcb_at' simple' t
+ apply (rule_tac Q'="\_. invs' and sch_act_simple and st_tcb_at' simple' t
 and (\s. t \ ksIdleThread s)"
 in hoare_post_imp)
 apply clarsimp
@@ -1488,7 +1488,7 @@ lemma (in delete_one_conc_pre) suspend_sch_act_simple[wp]:
 lemma (in delete_one_conc) suspend_objs':
 "\invs' and sch_act_simple and tcb_at' t and (\s. t \ ksIdleThread s)\ suspend t \\rv. valid_objs'\"
- apply (rule_tac Q="\_. invs'" in hoare_strengthen_post)
+ apply (rule_tac Q'="\_. invs'" in hoare_strengthen_post)
 apply (wp suspend_invs')
 apply fastforce
 done
@@ -1601,7 +1601,7 @@ proof -
 apply (rule ep_cancel_corres_helper)
 apply (rule mapM_x_wp')
 apply (wp weak_sch_act_wf_lift_linear set_thread_state_runnable_weak_valid_sched_action | simp)+
- apply (rule_tac R="\_ s. \x\set list. tcb_at' x s \ valid_objs' s \ pspace_aligned' s \ pspace_distinct' s"
+ apply (rule_tac Q'="\_ s. \x\set list. tcb_at' x s \ valid_objs' s \ pspace_aligned' s \ pspace_distinct' s"
 in hoare_post_add)
 apply (rule mapM_x_wp')
 apply ((wpsimp wp: hoare_vcg_const_Ball_lift mapM_x_wp' sts_st_tcb' sts_valid_objs'
@@ -1662,7 +1662,7 @@ lemma cancelAllSignals_corres:
 set_thread_state_runnable_weak_valid_sched_action | simp)+
 apply (rename_tac list)
- apply (rule_tac R="\_ s. (\x\set list. tcb_at' x s) \ valid_objs' s
+ apply (rule_tac Q'="\_ s. (\x\set list. tcb_at' x s) \ valid_objs' s
 \ sym_heap_sched_pointers s \ valid_sched_pointers s \ valid_objs' s \ pspace_aligned' s \ pspace_distinct' s"
 in hoare_post_add)
@@ -1710,7 +1710,7 @@ proof -
 show ?thesis
 apply (simp add: setThreadState_def)
 apply (wpsimp wp: hoare_vcg_imp_lift [OF nrct])
- apply (rule_tac Q="\_. ?PRE" in hoare_post_imp)
+ apply (rule_tac Q'="\_. ?PRE" in hoare_post_imp)
 apply (clarsimp)
 apply (rule hoare_convert_imp [OF threadSet_nosch threadSet_ct])
 apply assumption
@@ -1961,7 +1961,7 @@ lemma cancelAllIPC_valid_objs'[wp]:
 apply (rule bind_wp [OF _ get_ep_sp'])
 apply (rule hoare_pre)
 apply (wp set_ep_valid_objs' setSchedulerAction_valid_objs')
- apply (rule_tac Q="\_ s. valid_objs' s \ pspace_aligned' s \ pspace_distinct' s
+ apply (rule_tac Q'="\_ s. valid_objs' s \ pspace_aligned' s \ pspace_distinct' s
 \ (\x\set (epQueue ep). tcb_at' x s)"
 in hoare_post_imp)
 apply simp
@@ -1987,7 +1987,7 @@ lemma cancelAllSignals_valid_objs'[wp]:
 apply (wp, simp)
 apply (wp, simp)
 apply (rename_tac list)
- apply (rule_tac Q="\rv s. valid_objs' s \ (\x\set list. tcb_at' x s)"
+ apply (rule_tac Q'="\rv s. valid_objs' s \ (\x\set list. tcb_at' x s)"
 in hoare_post_imp)
 apply (simp add: valid_ntfn'_def)
 apply (simp add: Ball_def)
@@ -2296,7 +2296,7 @@ lemma cancelBadgedSends_corres:
 apply (rule corres_split_nor[OF setEndpoint_corres])
 apply (simp add: ep_relation_def)
 apply (rule corres_split_eqr[OF _ _ _ hoare_post_add
- [where R="\_. valid_objs' and pspace_aligned'
+ [where Q'="\_. valid_objs' and pspace_aligned'
 and pspace_distinct'"]])
 apply (rule_tac S="(=)" and Q="\xs s. (\x \ set xs. (epptr, TCBBlockedSend) \ state_refs_of s x) \
diff --git a/proof/refine/ARM_HYP/Ipc_R.thy b/proof/refine/ARM_HYP/Ipc_R.thy
index 1632e98f5c..8c9671f1a8 100644
--- a/proof/refine/ARM_HYP/Ipc_R.thy
+++ b/proof/refine/ARM_HYP/Ipc_R.thy
@@ -52,7 +52,7 @@ lemma lsfco_cte_at':
 apply (wp)
 apply (clarsimp simp: split_def unlessE_def split del: if_split)
- apply (wp hoare_drop_imps)
+ apply (wpsimp wp: hoare_drop_imps)
 done
 declare unifyFailure_wp [wp]
@@ -489,7 +489,7 @@ next
 apply clarsimp
 apply assumption
 apply (subst imp_conjR)
- apply (rule hoare_vcg_conj_liftE_R)
+ apply (rule hoare_vcg_conj_liftE_R')
 apply (rule derive_cap_is_derived)
 apply (wp derive_cap_is_derived_foo)+
 apply (simp split del: if_split)
@@ -501,7 +501,7 @@ next
 apply clarsimp
 apply assumption
 apply (subst imp_conjR)
- apply (rule hoare_vcg_conj_liftE_R)
+ apply (rule hoare_vcg_conj_liftE_R')
 apply (rule hoare_strengthen_postE_R[OF deriveCap_derived])
 apply (clarsimp simp:cte_wp_at_ctes_of)
 apply (wp deriveCap_derived_foo)
@@ -613,7 +613,7 @@ lemma cteInsert_assume_Null:
 apply (rule bind_wp[OF _ getCTE_sp])+
 apply (rule hoare_name_pre_state)
 apply (clarsimp simp: cte_wp_at_ctes_of)
- apply (erule hoare_pre(1))
+ apply (erule hoare_weaken_pre)
 apply simp
 done
@@ -1860,7 +1860,7 @@ declare asUser_global_refs' [wp]
 lemma lec_valid_cap' [wp]:
 "\valid_objs'\ lookupExtraCaps thread xa mi \\rv s. (\x\set rv. s \' fst x)\, -"
 apply (rule hoare_pre, rule hoare_strengthen_postE_R)
- apply (rule hoare_vcg_conj_lift_R[where R=valid_objs' and S="\_. valid_objs'"])
+ apply (rule hoare_vcg_conj_liftE_R[where P'=valid_objs' and Q'="\_. valid_objs'"])
 apply (rule lookupExtraCaps_srcs)
 apply wp
 apply (clarsimp simp: cte_wp_at_ctes_of)
@@ -2263,7 +2263,7 @@ lemma doReplyTransfer_corres:
 apply (fastforce)
 apply (clarsimp simp:is_cap_simps)
 apply (wp weak_valid_sched_action_lift)+
- apply (rule_tac Q="\_ s. valid_objs' s \ cur_tcb' s \ tcb_at' receiver s
+ apply (rule_tac Q'="\_ s. valid_objs' s \ cur_tcb' s \ tcb_at' receiver s
 \ sch_act_wf (ksSchedulerAction s) s \ sym_heap_sched_pointers s \ valid_sched_pointers s \ pspace_aligned' s \ pspace_distinct' s"
@@ -2320,7 +2320,7 @@ lemma doReplyTransfer_corres:
 threadSet_tcbDomain_triv threadSet_valid_objs' threadSet_sched_pointers threadSet_valid_sched_pointers | simp add: valid_tcb_state'_def)+
- apply (rule_tac Q="\_. valid_sched and cur_tcb and tcb_at sender and tcb_at receiver and
+ apply (rule_tac Q'="\_. valid_sched and cur_tcb and tcb_at sender and tcb_at receiver and
 valid_objs and pspace_aligned and pspace_distinct"
 in hoare_strengthen_post [rotated], clarsimp)
 apply (wp)
@@ -2328,7 +2328,7 @@ lemma doReplyTransfer_corres:
 apply (assumption)
 apply (rule conjI, clarsimp)
 apply (clarsimp simp add: invs_def valid_state_def valid_pspace_def)
- apply (rule_tac Q="\_. tcb_at' sender and tcb_at' receiver and invs'"
+ apply (rule_tac Q'="\_. tcb_at' sender and tcb_at' receiver and invs'"
 in hoare_strengthen_post [rotated])
 apply (solves\auto simp: invs'_def valid_state'_def\)
 apply wp
@@ -2410,14 +2410,14 @@ lemma setupCallerCap_corres:
 tcb_cnode_index_def cte_level_bits_def)
 apply (simp add: cte_map_def tcbCallerSlot_def tcb_cnode_index_def cte_level_bits_def)
- apply (rule_tac R="\rv. cte_at' (receiver + 2 ^ cte_level_bits * tcbCallerSlot)"
+ apply (rule_tac Q'="\rv. cte_at' (receiver + 2 ^ cte_level_bits * tcbCallerSlot)"
 in hoare_post_add)
 apply (wp, (wp getSlotCap_wp)+)
 apply blast
 apply (rule no_fail_pre, wp)
 apply (clarsimp simp: cte_wp_at'_def cte_at'_def)
- apply (rule_tac R="\rv. cte_at' (sender + 2 ^ cte_level_bits * tcbReplySlot)"
+ apply (rule_tac Q'="\rv. cte_at' (sender + 2 ^ cte_level_bits * tcbReplySlot)"
 in hoare_post_add)
 apply (wp, (wp getCTE_wp')+)
 apply blast
@@ -2760,7 +2760,7 @@ lemma sendSignal_corres:
 valid_queues_in_correct_ready_q valid_queues_ready_qs_distinct valid_sched_valid_queues | simp add: valid_tcb_state_def)+
- apply (rule_tac Q="\rv. invs' and tcb_at' a" in hoare_strengthen_post)
+ apply (rule_tac Q'="\rv. invs' and tcb_at' a" in hoare_strengthen_post)
 apply wp
 apply (fastforce simp: invs'_def valid_state'_def sch_act_wf_weak valid_tcb_state'_def)
 apply (rule setNotification_corres)
@@ -2788,7 +2788,7 @@ lemma sendSignal_corres:
 apply (rule corres_split[OF asUser_setRegister_corres])
 apply (rule possibleSwitchTo_corres)
 apply ((wp | simp)+)[1]
- apply (rule_tac Q="\_. (\s. sch_act_wf (ksSchedulerAction s) s) and
+ apply (rule_tac Q'="\_. (\s. sch_act_wf (ksSchedulerAction s) s) and
 cur_tcb' and st_tcb_at' runnable' (hd list) and valid_objs' and sym_heap_sched_pointers and valid_sched_pointers and
@@ -2983,7 +2983,7 @@ lemma cancelIPC_nonz_cap_to'[wp]:
 | wpc | simp | clarsimp elim!: cte_wp_at_weakenE'
- | rule hoare_post_imp[where Q="\rv. ex_nonz_cap_to' p"])+
+ | rule hoare_post_imp[where Q'="\rv. ex_nonz_cap_to' p"])+
 done
@@ -3063,7 +3063,7 @@ proof -
 apply (wpc)
 apply (wp | simp)+
 apply (wpc, wp+)
- apply (rule_tac Q="\_. ?PRE t'" in hoare_post_imp, clarsimp)
+ apply (rule_tac Q'="\_. ?PRE t'" in hoare_post_imp, clarsimp)
 apply (wp)
 apply simp
 done
@@ -3075,7 +3075,7 @@ proof -
 apply (wp)
 apply (wp hoare_convert_imp)[1]
 apply (wp)
- apply (rule_tac Q="\_. ?PRE t'" in hoare_post_imp, clarsimp)
+ apply (rule_tac Q'="\_. ?PRE t'" in hoare_post_imp, clarsimp)
 apply (wp hoare_convert_imp | simp)+
 done
 show ?thesis
@@ -3088,16 +3088,16 @@ proof -
 apply (wp)+
 apply (wp hoare_convert_imp)[1]
 apply (wpc, wp+)
- apply (rule_tac Q="\_. ?PRE t'" in hoare_post_imp, clarsimp)
+ apply (rule_tac Q'="\_. ?PRE t'" in hoare_post_imp, clarsimp)
 apply (wp cdo)+
- apply (rule_tac Q="\_. ?PRE t'" in hoare_post_imp, clarsimp)
+ apply (rule_tac Q'="\_. ?PRE t'" in hoare_post_imp, clarsimp)
 apply ((wp aipc hoare_convert_imp)+)[6]
 apply (wp)
 apply (wp hoare_convert_imp)[1]
 apply (wpc, wp+)
- apply (rule_tac Q="\_. ?PRE t'" in hoare_post_imp, clarsimp)
+ apply (rule_tac Q'="\_. ?PRE t'" in hoare_post_imp, clarsimp)
 apply (wp)
- apply (rule_tac Q="\_. ?PRE t'" in hoare_post_imp, clarsimp)
+ apply (rule_tac Q'="\_. ?PRE t'" in hoare_post_imp, clarsimp)
 apply (wp)
 apply simp
 done
@@ -3356,7 +3356,7 @@ lemma receiveIPC_corres:
 valid_sched_action_def)
 apply (clarsimp split: if_split_asm)
 apply (clarsimp | wp do_ipc_transfer_tcb_caps)+
- apply (rule_tac Q="\_ s. sch_act_wf (ksSchedulerAction s) s
+ apply (rule_tac Q'="\_ s. sch_act_wf (ksSchedulerAction s) s
 \ sym_heap_sched_pointers s \ valid_sched_pointers s \ pspace_aligned' s \ pspace_distinct' s"
 in hoare_post_imp)
@@ -3632,7 +3632,7 @@ lemma setupCallerCap_vp[wp]:
 apply (simp add: valid_pspace'_def setupCallerCap_def getThreadCallerSlot_def getThreadReplySlot_def locateSlot_conv getSlotCap_def)
 apply (wp getCTE_wp)
- apply (rule_tac Q="\_. valid_pspace' and
+ apply (rule_tac Q'="\_. valid_pspace' and
 tcb_at' sender and tcb_at' rcvr"
 in hoare_post_imp)
 apply (clarsimp simp: valid_cap'_def o_def cte_wp_at_ctes_of isCap_simps
@@ -3665,7 +3665,7 @@ lemma setupCallerCap_ifunsafe[wp]:
 apply (wp getSlotCap_cte_wp_at | simp add: unique_master_reply_cap' | strengthen eq_imp_strg | wp (once) hoare_drop_imp[where f="getCTE rs" for rs])+
- apply (rule_tac Q="\rv. valid_objs' and tcb_at' rcvr and ex_nonz_cap_to' rcvr"
+ apply (rule_tac Q'="\rv. valid_objs' and tcb_at' rcvr and ex_nonz_cap_to' rcvr"
 in hoare_post_imp)
 apply (clarsimp simp: ex_nonz_tcb_cte_caps' tcbCallerSlot_def objBits_def objBitsKO_def dom_def cte_level_bits_def)
@@ -3833,7 +3833,7 @@ lemma completeSignal_invs:
 apply (rule bind_wp[OF _ get_ntfn_sp'])
 apply (rule hoare_pre)
 apply (wp set_ntfn_minor_invs' | wpc | simp)+
- apply (rule_tac Q="\_ s. (state_refs_of' s ntfnptr = ntfn_bound_refs' (ntfnBoundTCB ntfn))
+ apply (rule_tac Q'="\_ s. (state_refs_of' s ntfnptr = ntfn_bound_refs' (ntfnBoundTCB ntfn))
 \ ntfn_at' ntfnptr s \ valid_ntfn' (ntfnObj_update (\_. Structures_H.ntfn.IdleNtfn) ntfn) s \ ((\y. ntfnBoundTCB ntfn = Some y) \ ex_nonz_cap_to' ntfnptr s)
@@ -3863,7 +3863,7 @@ lemma setupCallerCap_urz[wp]:
 getThreadCallerSlot_def getThreadReplySlot_def locateSlot_conv)
 apply (wp getCTE_wp')
- apply (rule_tac Q="\_. untyped_ranges_zero' and valid_mdb' and valid_objs'" in hoare_post_imp)
+ apply (rule_tac Q'="\_. untyped_ranges_zero' and valid_mdb' and valid_objs'" in hoare_post_imp)
 apply (clarsimp simp: cte_wp_at_ctes_of cteCaps_of_def untyped_derived_eq_def isCap_simps)
 apply (wp sts_valid_pspace_hangers)
@@ -3913,7 +3913,7 @@ lemma ri_invs' [wp]:
 apply (rule bind_wp [OF _ gbn_sp'])
 apply (rule bind_wp)
 (* set up precondition for old proof *)
- apply (rule_tac R="ko_at' ep (capEPPtr cap) and ?pre" in hoare_vcg_if_split)
+ apply (rule_tac P''="ko_at' ep (capEPPtr cap) and ?pre" in hoare_vcg_if_split)
 apply (wp completeSignal_invs)
 apply (case_tac ep)
 \ \endpoint = RecvEP\
@@ -4155,7 +4155,7 @@ lemma setupCallerCap_cap_to' [wp]:
 "\ex_nonz_cap_to' p\ setupCallerCap a b c \\rv. ex_nonz_cap_to' p\"
 apply (simp add: setupCallerCap_def getThreadCallerSlot_def getThreadReplySlot_def)
 apply (wp cteInsert_cap_to')
- apply (rule_tac Q="\rv. ex_nonz_cap_to' p
+ apply (rule_tac Q'="\rv. ex_nonz_cap_to' p
 and cte_wp_at' (\c. (cteCap c) = rv) callerSlot"
 in hoare_post_imp)
 apply (clarsimp simp: cte_wp_at_ctes_of)
@@ -4216,9 +4216,9 @@ lemma si_invs'[wp]:
 hoare_convert_imp [OF setEndpoint_nosch setEndpoint_ct']
 hoare_drop_imp [where f="threadGet tcbFault t"]
 | rule_tac f="getThreadState a" in hoare_drop_imp
- | wp (once) hoare_drop_imp[where R="\_ _. call"]
- hoare_drop_imp[where R="\_ _. \ call"]
- hoare_drop_imp[where R="\_ _. cg"]
+ | wp (once) hoare_drop_imp[where Q'="\_ _. call"]
+ hoare_drop_imp[where Q'="\_ _. \ call"]
+ hoare_drop_imp[where Q'="\_ _. cg"]
 | simp add: valid_tcb_state'_def case_bool_If case_option_If cong: if_cong
diff --git a/proof/refine/ARM_HYP/PageTableDuplicates.thy b/proof/refine/ARM_HYP/PageTableDuplicates.thy
index ab683806bd..7752065a32 100644
--- a/proof/refine/ARM_HYP/PageTableDuplicates.thy
+++ b/proof/refine/ARM_HYP/PageTableDuplicates.thy
@@ -650,7 +650,7 @@ lemma createObject_valid_duplicates'[wp]:
 apply (simp add: placeNewObject_def placeNewDataObject_def placeNewObject'_def split_def copyGlobalMappings_def split del: if_split
- | wp unless_wp[where P="d"] unless_wp[where Q=\]
+ | wp unless_wp[where P="d"] unless_wp[where P'=\]
 | wpc | simp add: alignError_def split del: if_split)+
 apply (intro conjI impI)
 apply clarsimp+
@@ -1999,7 +1999,7 @@ lemma tc_valid_duplicates':
 checkCap_inv[where P="\s. vs_valid_duplicates' (ksPSpace s)"]
 checkCap_inv[where P=sch_act_simple]
 cteDelete_valid_duplicates'
- hoare_vcg_const_imp_lift_R
+ hoare_vcg_const_imp_liftE_R
 typ_at_lifts [OF setPriority_typ_at']
 assertDerived_wp
 threadSet_cte_wp_at'
@@ -2185,7 +2185,7 @@ lemma handleRecv_valid_duplicates'[wp]:
 apply wp
 apply ((wp getNotification_wp | wpc | simp add: whenE_def split del: if_split)+)[1]
- apply (rule_tac Q="\rv s. vs_valid_duplicates' (ksPSpace s)"
+ apply (rule_tac Q'="\rv s. vs_valid_duplicates' (ksPSpace s)"
 in hoare_strengthen_postE[rotated])
@@ -2234,7 +2234,7 @@ lemma callKernel_valid_duplicates':
 apply (simp add: callKernel_def fastpathKernelAssertions_def)
 apply (rule hoare_pre)
 apply (wp activate_invs' activate_sch_act schedule_sch
- hoare_drop_imp[where R="\_. kernelExitAssertions"]
+ hoare_drop_imp[where Q'="\_. kernelExitAssertions"]
 schedule_sch_act_simple he_invs' hoare_vcg_if_lift3
 | simp add: no_irq_getActiveIRQ
 | strengthen non_kernel_IRQs_strg, simp cong: conj_cong)+
diff --git a/proof/refine/ARM_HYP/Refine.thy b/proof/refine/ARM_HYP/Refine.thy
index 788f7db190..4767fe0de3 100644
--- a/proof/refine/ARM_HYP/Refine.thy
+++ b/proof/refine/ARM_HYP/Refine.thy
@@ -226,12 +226,12 @@ lemma set_thread_state_sched_act:
 apply (simp add: set_thread_state_ext_def)
 apply wp
 apply (rule hoare_pre_cont)
- apply (rule_tac Q="\rv. (\s. runnable ts) and (\s. P (scheduler_action s))"
+ apply (rule_tac Q'="\rv. (\s. runnable ts) and (\s. P (scheduler_action s))"
 in hoare_strengthen_post)
 apply wp
 apply force
 apply (wp gts_st_tcb_at)+
- apply (rule_tac Q="\rv. st_tcb_at ((=) state) thread and (\s. runnable state) and (\s. P (scheduler_action s))" in hoare_strengthen_post)
+ apply (rule_tac Q'="\rv. st_tcb_at ((=) state) thread and (\s. runnable state) and (\s. P (scheduler_action s))" in hoare_strengthen_post)
 apply (simp add: st_tcb_at_def)
 apply (wp obj_set_prop_at)+
 apply (force simp: st_tcb_at_def obj_at_def)
@@ -270,7 +270,7 @@ lemma kernel_entry_invs:
 \\rv. einvs and (\s. ct_running s \ ct_idle s) and (\s. 0 < domain_time s) and valid_domain_list and (\s. scheduler_action s = resume_cur_thread)\"
- apply (rule_tac Q="\rv. invs and (\s. ct_running s \ ct_idle s) and valid_sched and
+ apply (rule_tac Q'="\rv. invs and (\s. ct_running s \ ct_idle s) and valid_sched and
 (\s. 0 < domain_time s) and valid_domain_list and valid_list and (\s. scheduler_action s = resume_cur_thread)"
 in hoare_post_imp)
@@ -316,7 +316,7 @@ lemma do_user_op_invs2:
 do_user_op f tc \\_. (einvs and ct_running and (\s. scheduler_action s = resume_cur_thread)) and (\s. 0 < domain_time s) and valid_domain_list \"
- apply (rule_tac Q="\_. valid_list and valid_sched and
+ apply (rule_tac Q'="\_. valid_list and valid_sched and
 (\s. scheduler_action s = resume_cur_thread) and (invs and ct_running) and (\s. 0 < domain_time s) and valid_domain_list"
 in hoare_strengthen_post)
@@ -391,7 +391,7 @@ lemma ckernel_invs:
 apply (rule hoare_pre)
 apply (wp activate_invs' activate_sch_act schedule_sch schedule_sch_act_simple he_invs' schedule_invs' hoare_vcg_if_lift3
- hoare_drop_imp[where R="\_. kernelExitAssertions"]
+ hoare_drop_imp[where Q'="\_. kernelExitAssertions"]
 | simp add: no_irq_getActiveIRQ
 | strengthen non_kernel_IRQs_strg[where Q=True, simplified], simp cong: conj_cong)+
 done
@@ -580,20 +580,20 @@ lemma kernel_corres':
 apply simp
 apply (wpsimp wp: hoare_drop_imps hoare_vcg_all_lift simp: schact_is_rct_def)[1]
 apply simp
- apply (rule_tac Q="\irq s. irq \ Some ` non_kernel_IRQs \ invs' s \
+ apply (rule_tac Q'="\irq s. irq \ Some ` non_kernel_IRQs \ invs' s \
 (\irq'. irq = Some irq' \ intStateIRQTable (ksInterruptState s ) irq' \ IRQInactive)"
 in hoare_post_imp)
 apply clarsimp
 apply (wp doMachineOp_getActiveIRQ_IRQ_active handle_event_valid_sched | simp)+
- apply (rule_tac Q="\_. \" and E="\_. invs'" in hoare_strengthen_postE)
+ apply (rule_tac Q'="\_. \" and E'="\_. invs'" in hoare_strengthen_postE)
 apply wpsimp+
 apply (simp add: invs'_def valid_state'_def)
 apply (rule corres_split[OF schedule_corres])
 apply (rule activateThread_corres)
 apply (wp schedule_invs' hoare_vcg_if_lift2 dmo_getActiveIRQ_non_kernel | simp cong: rev_conj_cong | strengthen None_drop | subst Ex_Some_conv)+
- apply (rule_tac Q="\_. valid_sched and invs and valid_list" and E="\_. valid_sched and invs and valid_list"
+ apply (rule_tac Q'="\_. valid_sched and invs and valid_list" and E'="\_. valid_sched and invs and valid_list"
 in hoare_strengthen_postE)
 apply (wp handle_event_valid_sched hoare_vcg_if_lift3
 | simp
diff --git a/proof/refine/ARM_HYP/Retype_R.thy b/proof/refine/ARM_HYP/Retype_R.thy
index 0bb394a295..82698e8920 100644
--- a/proof/refine/ARM_HYP/Retype_R.thy
+++ b/proof/refine/ARM_HYP/Retype_R.thy
@@ -4273,7 +4273,7 @@ lemma createNewCaps_cur:
 cur_tcb' s\
 createNewCaps ty ptr n us d
 \\rv. cur_tcb'\"
- apply (rule hoare_post_imp [where Q="\rv s. \t. ksCurThread s = t \ tcb_at' t s"])
+ apply (rule hoare_post_imp[where Q'="\rv s. \t. ksCurThread s = t \ tcb_at' t s"])
 apply (simp add: cur_tcb'_def)
 apply (wp hoare_vcg_ex_lift createNewCaps_obj_at')
 apply (clarsimp simp: pspace_no_overlap'_def cur_tcb'_def valid_pspace'_def)
@@ -4351,18 +4351,19 @@ lemma createNewCaps_idle'[wp]:
 split del: if_split)
 apply (rename_tac apiobject_type)
 apply (case_tac apiobject_type, simp_all split del: if_split)[1]
- apply (wp, simp)
- including classic_wp_pre
- apply (wp mapM_x_wp'
- createObjects_idle'
- threadSet_idle'
+ apply wpsimp
+ (* The following step does not use wpsimp to avoid clarsimp_no_cond, which for some reason
+ leads to a failed proof state. If this could be fixed then the inclusion of
+ classic_wp_pre could also be removed. *)
+ including classic_wp_pre
+ apply (wp mapM_x_wp' createObjects_idle' threadSet_idle'
 | simp add: projectKO_opt_tcb projectKO_opt_cte makeObject_cte makeObject_tcb archObjSize_def tcb_cte_cases_def objBitsKO_def APIType_capBits_def vspace_bits_defs objBits_def createObjects_def
 | intro conjI impI
- | fastforce simp: curDomain_def)+
+ | clarsimp simp: curDomain_def)+
 done
 crunch createNewCaps
@@ -4383,7 +4384,7 @@ lemma createNewCaps_global_refs':
 createNewCaps ty ptr n us d
 \\rv. valid_global_refs'\"
 apply (simp add: valid_global_refs'_def valid_cap_sizes'_def valid_refs'_def)
- apply (rule_tac Q="\rv s. \ptr. \ cte_wp_at' (\cte. (kernel_data_refs \ capRange (cteCap cte) \ {}
+ apply (rule_tac Q'="\rv s. \ptr. \ cte_wp_at' (\cte. (kernel_data_refs \ capRange (cteCap cte) \ {}
 \ 2 ^ capBits (cteCap cte) > gsMaxObjectSize s)) ptr s \ global_refs' s \ kernel_data_refs" in hoare_post_imp)
 apply (auto simp: cte_wp_at_ctes_of linorder_not_less elim!: ranE)[1]
@@ -5050,7 +5051,7 @@ proof (rule hoare_gen_asm, erule conjE)
 "\ct_not_inQ and valid_pspace' and pspace_no_overlap' ptr sz\ createNewCaps ty ptr n us dev \\_. ct_not_inQ\"
 unfolding ct_not_inQ_def
- apply (rule_tac Q="\s. ksSchedulerAction s = ResumeCurrentThread
+ apply (rule_tac P'="\s. ksSchedulerAction s = ResumeCurrentThread
 \ (obj_at' (Not \ tcbQueued) (ksCurThread s) s \ valid_pspace' s \ pspace_no_overlap' ptr sz s)"
 in hoare_pre_imp, clarsimp)
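Review bot: The new comment in `createNewCaps_idle'` records a workaround whose cause is unknown ("for some reason leads to a failed proof state") but carries no marker that would let someone find it again; this tree already uses `(*FIXME: ...*)` for exactly that (the `arch_split` FIXME in the Finalise_R hunk), so I would open it as `(* FIXME: the following step does not use wpsimp because clarsimp_no_cond leads to a failed proof state; if fixed, the `including classic_wp_pre` can go too. *)`. Separately, the last alternative of the `(wp ... | ...)+` loop changed from `fastforce simp: curDomain_def` to `clarsimp simp: curDomain_def`: `fastforce` either closes a goal or fails, whereas `clarsimp` also succeeds on partial progress, so the repetition can now stop in a state it previously backtracked out of — the proof still ends in `done`, so this only deserves a word in the same comment if it was deliberate rather than incidental. The lemma's statement and the start of its proof lie outside the hunk.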
@@ -5189,7 +5190,7 @@ lemma createObjects_no_cte_valid_global:
 createObjects ptr n val gbits
 \\rv s. valid_global_refs' s\"
 apply (simp add: valid_global_refs'_def valid_cap_sizes'_def valid_refs'_def)
- apply (rule_tac Q="\rv s. \ptr. \ cte_wp_at' (\cte. (kernel_data_refs \ capRange (cteCap cte) \ {}
+ apply (rule_tac Q'="\rv s. \ptr. \ cte_wp_at' (\cte. (kernel_data_refs \ capRange (cteCap cte) \ {}
 \ 2 ^ capBits (cteCap cte) > gsMaxObjectSize s)) ptr s \ global_refs' s \ kernel_data_refs" in hoare_post_imp)
 apply (auto simp: cte_wp_at_ctes_of linorder_not_less elim!: ranE)[1]
@@ -5296,7 +5297,7 @@ lemma createObjects_cur':
 cur_tcb' s\
 createObjects ptr n val gbits
 \\rv s. cur_tcb' s\"
- apply (rule hoare_post_imp [where Q="\rv s. \t. ksCurThread s = t \ tcb_at' t s"])
+ apply (rule hoare_post_imp[where Q'="\rv s. \t. ksCurThread s = t \ tcb_at' t s"])
 apply (simp add: cur_tcb'_def)
 apply (wp hoare_vcg_ex_lift createObjects_orig_obj_at3)
 apply (clarsimp simp: cur_tcb'_def)
@@ -5386,7 +5387,7 @@ proof -
 createObjects ptr n val gbits \\_. ct_not_inQ\" (is "\ _; _ \ \ \\s. ct_not_inQ s \ ?REST s\ _ \_\")
 apply (simp add: ct_not_inQ_def)
- apply (rule_tac Q="\s. (ksSchedulerAction s = ResumeCurrentThread) \
+ apply (rule_tac P'="\s. (ksSchedulerAction s = ResumeCurrentThread) \
 (obj_at' (Not \ tcbQueued) (ksCurThread s) s \ ?REST s)"
 in hoare_pre_imp, clarsimp)
 apply (rule hoare_convert_imp [OF createObjects_nosch])
diff --git a/proof/refine/ARM_HYP/Schedule_R.thy b/proof/refine/ARM_HYP/Schedule_R.thy
index e92a2795d3..ee340f2f7e 100644
--- a/proof/refine/ARM_HYP/Schedule_R.thy
+++ b/proof/refine/ARM_HYP/Schedule_R.thy
@@ -729,7 +729,7 @@ lemma tcbSchedDequeue_valid_mdb'[wp]:
 "\valid_mdb' and valid_objs'\ tcbSchedDequeue tcbPtr \\_. valid_mdb'\"
 unfolding tcbSchedDequeue_def
 apply (wpsimp simp: bitmap_fun_defs setQueue_def wp: threadSet_mdb' tcbQueueRemove_valid_mdb')
- apply (rule_tac Q="\_. tcb_at' tcbPtr" in hoare_post_imp)
+ apply (rule_tac Q'="\_. tcb_at' tcbPtr" in hoare_post_imp)
 apply (fastforce simp: tcb_cte_cases_def cteSizeBits_def)
 apply (wpsimp wp: threadGet_wp)+
 apply (fastforce simp: obj_at'_def)
@@ -1057,7 +1057,7 @@ lemma tcbSchedDequeue_not_tcbQueued:
 "\\\ tcbSchedDequeue t \\_. obj_at' (\x. \ tcbQueued x) t\"
 apply (simp add: tcbSchedDequeue_def)
 apply (wp|clarsimp)+
- apply (rule_tac Q="\queued. obj_at' (\x. tcbQueued x = queued) t" in hoare_post_imp)
+ apply (rule_tac Q'="\queued. obj_at' (\x. tcbQueued x = queued) t" in hoare_post_imp)
 apply (clarsimp simp: obj_at'_def)
 apply (wpsimp wp: threadGet_wp)+
 apply (clarsimp simp: obj_at'_def)
@@ -2103,13 +2103,13 @@ lemma schedule_corres:
 apply wpsimp+
 apply (clarsimp simp: conj_ac cong: conj_cong)
 apply wp
- apply (rule_tac Q="\_ s. valid_blocked_except t s \ scheduler_action s = switch_thread t"
+ apply (rule_tac Q'="\_ s. valid_blocked_except t s \ scheduler_action s = switch_thread t"
 in hoare_post_imp, fastforce)
 apply (wp add: tcb_sched_action_enqueue_valid_blocked_except tcbSchedEnqueue_invs'_not_ResumeCurrentThread thread_get_wp del: gets_wp | strengthen valid_objs'_valid_tcbs' invs_valid_pspace')+
- apply (clarsimp simp: conj_ac if_apply_def2 cong: imp_cong conj_cong del: hoare_gets)
+ apply (clarsimp simp: conj_ac if_apply_def2 cong: imp_cong conj_cong)
 apply (wp gets_wp)+
 (* abstract final subgoal *)
@@ -2375,7 +2375,7 @@ lemma schedule_invs':
apply (wpsimp wp: scheduleChooseNewThread_invs' ssa_invs' chooseThread_invs_no_cicd' setSchedulerAction_invs' setSchedulerAction_direct switchToThread_tcb_in_cur_domain' switchToThread_ct_not_queued_2
- | wp hoare_disjI2[where R="\_ s. tcb_in_cur_domain' (ksCurThread s) s"]
+ | wp hoare_disjI2[where Q'="\_ s. tcb_in_cur_domain' (ksCurThread s) s"] | wp hoare_drop_imp[where f="isHighestPrio d p" for d p] | simp only: obj_at'_activatable_st_tcb_at'[simplified comp_def] | strengthen invs'_invs_no_cicd
diff --git a/proof/refine/ARM_HYP/SubMonad_R.thy b/proof/refine/ARM_HYP/SubMonad_R.thy
index f57d7ad94d..dffd4ded32 100644
--- a/proof/refine/ARM_HYP/SubMonad_R.thy
+++ b/proof/refine/ARM_HYP/SubMonad_R.thy
@@ -79,7 +79,7 @@ lemma threadSet_modify_asUser:
apply (clarsimp simp: threadSet_def setObject_def split_def updateObject_default_def) apply wp
- apply (rule_tac Q="\rv. obj_at' ((=) rv) t and ((=) st)" in hoare_post_imp)
+ apply (rule_tac Q'="\rv. obj_at' ((=) rv) t and ((=) st)" in hoare_post_imp) apply (clarsimp simp: asUser_replace_def Let_def obj_at'_def projectKOs fun_upd_def split: option.split kernel_object.split)
diff --git a/proof/refine/ARM_HYP/Syscall_R.thy b/proof/refine/ARM_HYP/Syscall_R.thy
index 206a66a918..4e22f87935 100644
--- a/proof/refine/ARM_HYP/Syscall_R.thy
+++ b/proof/refine/ARM_HYP/Syscall_R.thy
@@ -340,7 +340,7 @@ lemma threadSet_tcbDomain_update_sch_act_wf[wp]:
apply (wps setObject_sa_unchanged) apply (wp hoare_weak_lift_imp getObject_tcb_wp hoare_vcg_all_lift)+ apply (rename_tac word)
- apply (rule_tac Q="\_ s. ksSchedulerAction s = SwitchToThread word \
+ apply (rule_tac Q'="\_ s. ksSchedulerAction s = SwitchToThread word \ st_tcb_at' runnable' word s \ tcb_in_cur_domain' word s \ word \ t" in hoare_strengthen_post) apply (wp hoare_vcg_all_lift hoare_vcg_conj_lift hoare_vcg_imp_lift)+
@@ -377,20 +377,20 @@ lemma setDomain_corres:
apply ((wpsimp wp: hoare_vcg_imp_lift' ethread_set_not_queued_valid_queues hoare_vcg_all_lift | strengthen valid_objs'_valid_tcbs' valid_queues_in_correct_ready_q valid_queues_ready_qs_distinct)+)[1]
- apply (rule_tac Q="\_. valid_objs' and sym_heap_sched_pointers and valid_sched_pointers
+ apply (rule_tac Q'="\_. valid_objs' and sym_heap_sched_pointers and valid_sched_pointers and pspace_aligned' and pspace_distinct' and (\s. sch_act_wf (ksSchedulerAction s) s) and tcb_at' tptr" in hoare_strengthen_post[rotated]) apply (fastforce simp: invs'_def valid_state'_def sch_act_wf_weak st_tcb_at'_def o_def) apply (wpsimp wp: threadSet_valid_objs' threadSet_sched_pointers threadSet_valid_sched_pointers)+
- apply (rule_tac Q="\_ s. valid_queues s \ not_queued tptr s
+ apply (rule_tac Q'="\_ s. valid_queues s \ not_queued tptr s \ pspace_aligned s \ pspace_distinct s \ valid_etcbs s \ weak_valid_sched_action s" in hoare_post_imp) apply (fastforce simp: pred_tcb_at_def obj_at_def) apply (wpsimp wp: tcb_dequeue_not_queued)
- apply (rule_tac Q = "\_ s. invs' s \ obj_at' (Not \ tcbQueued) tptr s \ sch_act_simple s
+ apply (rule_tac Q'="\_ s. invs' s \ obj_at' (Not \ tcbQueued) tptr s \ sch_act_simple s \ tcb_at' tptr s" in hoare_strengthen_post[rotated]) apply (clarsimp simp: invs'_def valid_state'_def valid_pspace'_def sch_act_simple_def)
@@ -804,7 +804,7 @@ lemma doReply_invs[wp]:
apply simp apply (wp (once) sts_st_tcb') apply wp
- apply (rule_tac Q="\_ s. invs' s \ t \ ksIdleThread s \ st_tcb_at' awaiting_reply' t s"
+ apply (rule_tac Q'="\_ s. invs' s \ t \ ksIdleThread s \ st_tcb_at' awaiting_reply' t s" in hoare_post_imp) apply clarsimp apply (rule conjI, erule pred_tcb'_weakenE, case_tac st, clarsimp+)
@@ -817,7 +817,7 @@ lemma doReply_invs[wp]:
apply (case_tac st, clarsimp+) apply (wp cteDeleteOne_reply_pred_tcb_at)+ apply clarsimp
- apply (rule_tac Q="\_. (\s. t \ ksIdleThread s)
+ apply (rule_tac Q'="\_. (\s. t \ ksIdleThread s) and cte_wp_at' (\cte. \grant. cteCap cte = capability.ReplyCap t False grant) slot" in hoare_strengthen_post [rotated])
@@ -829,7 +829,7 @@ lemma doReply_invs[wp]:
apply (erule cte_wp_at_weakenE') apply (fastforce) apply (wp sts_invs_minor'' sts_st_tcb' hoare_weak_lift_imp)
- apply (rule_tac Q="\_ s. invs' s \ sch_act_simple s
+ apply (rule_tac Q'="\_ s. invs' s \ sch_act_simple s \ st_tcb_at' awaiting_reply' t s \ t \ ksIdleThread s" in hoare_post_imp)
@@ -844,7 +844,7 @@ lemma doReply_invs[wp]:
apply (case_tac st, clarsimp+) apply (wp threadSet_invs_trivial threadSet_st_tcb_at2 hoare_weak_lift_imp | clarsimp simp add: inQ_def)+
- apply (rule_tac Q="\_. invs' and tcb_at' t
+ apply (rule_tac Q'="\_. invs' and tcb_at' t and sch_act_simple and st_tcb_at' awaiting_reply' t" in hoare_strengthen_post [rotated]) apply clarsimp
@@ -962,7 +962,7 @@ lemma setDomain_invs':
apply (simp add:setDomain_def ) apply (wp add: when_wp hoare_weak_lift_imp hoare_weak_lift_imp_conj rescheduleRequired_all_invs_but_extra tcbSchedEnqueue_valid_action hoare_vcg_if_lift2)
- apply (rule_tac Q = "\r s. all_invs_but_sch_extra s \ curThread = ksCurThread s
+ apply (rule_tac Q'="\r s. all_invs_but_sch_extra s \ curThread = ksCurThread s \ (ptr \ curThread \ ct_not_inQ s \ sch_act_wf (ksSchedulerAction s) s \ ct_idle_or_in_cur_domain' s)" in hoare_strengthen_post[rotated]) apply (clarsimp simp:invs'_def valid_state'_def st_tcb_at'_def[symmetric] valid_pspace'_def)
@@ -974,7 +974,7 @@ lemma setDomain_invs':
apply assumption apply (wp hoare_weak_lift_imp threadSet_pred_tcb_no_state threadSet_not_curthread_ct_domain threadSet_tcbDomain_update_ct_not_inQ | simp)+
- apply (rule_tac Q = "\r s. invs' s \ curThread = ksCurThread s \ sch_act_simple s
+ apply (rule_tac Q'="\r s. invs' s \ curThread = ksCurThread s \ sch_act_simple s \ domain \ maxDomain \ (ptr \ curThread \ ct_not_inQ s \ sch_act_not ptr s)" in hoare_strengthen_post[rotated])
@@ -1244,7 +1244,7 @@ lemma handleInvocation_corres:
apply (wp reply_from_kernel_tcb_at) apply (rule impI, wp+) apply (wpsimp wp: hoare_drop_imps|strengthen invs_distinct invs_psp_aligned)+
- apply (rule_tac Q="\rv. einvs and schact_is_rct and valid_invocation rve
+ apply (rule_tac Q'="\rv. einvs and schact_is_rct and valid_invocation rve and (\s. thread = cur_thread s) and st_tcb_at active thread" in hoare_post_imp)
@@ -1252,7 +1252,7 @@ lemma handleInvocation_corres:
elim!: st_tcb_weakenE) apply (wp sts_st_tcb_at' set_thread_state_schact_is_rct set_thread_state_active_valid_sched)
- apply (rule_tac Q="\rv. invs' and valid_invocation' rve'
+ apply (rule_tac Q'="\rv. invs' and valid_invocation' rve' and (\s. thread = ksCurThread s) and st_tcb_at' active' thread and (\s. ksSchedulerAction s = ResumeCurrentThread)
@@ -1265,7 +1265,7 @@ lemma handleInvocation_corres:
apply (wp lec_caps_to lsft_ex_cte_cap_to | simp add: split_def liftE_bindE[symmetric] ct_in_state'_def ball_conj_distrib
- | rule hoare_vcg_E_elim)+
+ | rule hoare_vcg_conj_elimE)+ apply (clarsimp simp: tcb_at_invs invs_valid_objs valid_tcb_state_def ct_in_state_def simple_from_active invs_mdb
@@ -1536,7 +1536,7 @@ lemma handleRecv_isBlocking_corres':
apply (rule handleFault_corres) apply simp apply (wp get_simple_ko_wp | wpcw | simp)+
- apply (rule hoare_vcg_E_elim)
+ apply (rule hoare_vcg_conj_elimE) apply (simp add: lookup_cap_def lookup_slot_for_thread_def) apply wp apply (simp add: split_def)
@@ -1584,14 +1584,14 @@ lemma hw_invs'[wp]:
deleteCallerCap_ct'] | wpc | simp add: ct_in_state'_def whenE_def split del: if_split)+ apply (rule validE_validE_R)
- apply (rule_tac Q="\rv s. invs' s
+ apply (rule_tac Q'="\rv s. invs' s \ sch_act_sane s \ thread = ksCurThread s \ ct_in_state' simple' s \ ex_nonz_cap_to' thread s \ thread \ ksIdleThread s \ (\x \ zobj_refs' rv. ex_nonz_cap_to' x s)"
- and E="\_ _. True"
+ and E'="\_ _. True" in hoare_strengthen_postE[rotated]) apply (clarsimp simp: isCap_simps ct_in_state'_def pred_tcb_at' invs_valid_objs' sch_act_sane_not obj_at'_def projectKOs pred_tcb_at'_def)
@@ -1640,7 +1640,7 @@ lemma hy_invs':
"\invs' and ct_active'\ handleYield \\r. invs' and ct_active'\" apply (simp add: handleYield_def) apply (wpsimp wp: ct_in_state_thread_state_lift' rescheduleRequired_all_invs_but_ct_not_inQ)
- apply (rule_tac Q="\_. all_invs_but_ct_not_inQ' and ct_active'" in hoare_post_imp)
+ apply (rule_tac Q'="\_. all_invs_but_ct_not_inQ' and ct_active'" in hoare_post_imp) apply clarsimp apply (subst pred_conj_def) apply (rule hoare_vcg_conj_lift)
@@ -1850,7 +1850,7 @@ lemma handleReply_nonz_cap_to_ct:
"\ct_active' and invs' and sch_act_simple\ handleReply \\rv s. ex_nonz_cap_to' (ksCurThread s) s\"
- apply (rule_tac Q="\rv. ct_active' and invs'"
+ apply (rule_tac Q'="\rv. ct_active' and invs'" in hoare_post_imp) apply (auto simp: ct_in_state'_def elim: st_tcb_ex_cap'')[1] apply (wp | simp)+
diff --git a/proof/refine/ARM_HYP/TcbAcc_R.thy b/proof/refine/ARM_HYP/TcbAcc_R.thy
index 4ca95b09a8..9cfa6322ae 100644
--- a/proof/refine/ARM_HYP/TcbAcc_R.thy
+++ b/proof/refine/ARM_HYP/TcbAcc_R.thy
@@ -1100,7 +1100,7 @@ lemma threadSet_obj_at'_really_strongest:
apply (simp add: threadSet_def) apply (wp setObject_tcb_strongest) apply (subst simp_thms(32)[symmetric], rule hoare_vcg_disj_lift)
- apply (rule hoare_post_imp [where Q="\rv s. \ tcb_at' t s \ tcb_at' t s"])
+ apply (rule hoare_post_imp[where Q'="\rv s. \ tcb_at' t s \ tcb_at' t s"]) apply simp apply (subst simp_thms(21)[symmetric], rule hoare_vcg_conj_lift) apply (rule getObject_inv_tcb)
@@ -1187,7 +1187,7 @@ proof -
show ?thesis apply (rule_tac P=P in P_bool_lift) apply (rule pos)
- apply (rule_tac Q="\_ s. \ tcb_at' t' s \ pred_tcb_at' proj (\tcb. \ P' tcb) t' s"
+ apply (rule_tac Q'="\_ s. \ tcb_at' t' s \ pred_tcb_at' proj (\tcb. \ P' tcb) t' s" in hoare_post_imp) apply (erule disjE) apply (clarsimp dest!: pred_tcb_at')
@@ -3363,7 +3363,7 @@ lemma sts_valid_objs':
setThreadState st t \\_. valid_objs'\" apply (wpsimp simp: setThreadState_def wp: threadSet_valid_objs')
- apply (rule_tac Q="\_. valid_objs' and pspace_aligned' and pspace_distinct'" in hoare_post_imp)
+ apply (rule_tac Q'="\_. valid_objs' and pspace_aligned' and pspace_distinct'" in hoare_post_imp) apply fastforce apply (wpsimp wp: threadSet_valid_objs') apply (simp add: valid_tcb'_def tcb_cte_cases_def cteSizeBits_def)
@@ -3628,7 +3628,7 @@ lemma sts_sch_act':
apply assumption apply (case_tac "runnable' st") apply ((wp threadSet_runnable_sch_act hoare_drop_imps | simp)+)[1]
- apply (rule_tac Q="\rv s. st_tcb_at' (Not \ runnable') t s \
+ apply (rule_tac Q'="\rv s. st_tcb_at' (Not \ runnable') t s \ (ksCurThread s \ t \ ksSchedulerAction s \ ResumeCurrentThread \ sch_act_wf (ksSchedulerAction s) s)" in hoare_post_imp)
@@ -3648,10 +3648,10 @@ lemma sts_sch_act[wp]:
prefer 2 apply assumption apply (case_tac "runnable' st")
- apply (rule_tac Q="\s. sch_act_wf (ksSchedulerAction s) s"
+ apply (rule_tac P'="\s. sch_act_wf (ksSchedulerAction s) s" in hoare_pre_imp, simp) apply ((wp hoare_drop_imps threadSet_runnable_sch_act | simp)+)[1]
- apply (rule_tac Q="\rv s. st_tcb_at' (Not \ runnable') t s \
+ apply (rule_tac Q'="\rv s. st_tcb_at' (Not \ runnable') t s \ (ksCurThread s \ t \ ksSchedulerAction s \ ResumeCurrentThread \ sch_act_wf (ksSchedulerAction s) s)" in hoare_post_imp)
@@ -3932,7 +3932,7 @@ lemma addToBitmap_valid_bitmapQ:
addToBitmap d p \\_. valid_bitmapQ\" (is "\?pre\ _ \_\")
- apply (rule_tac Q="\_ s. ?pre s \ bitmapQ d p s" in hoare_strengthen_post)
+ apply (rule_tac Q'="\_ s. ?pre s \ bitmapQ d p s" in hoare_strengthen_post) apply (wpsimp wp: addToBitmap_valid_bitmapQ_except addToBitmap_bitmapQ) apply (fastforce elim: valid_bitmap_valid_bitmapQ_exceptE) done
@@ -4628,7 +4628,7 @@ lemma ct_in_state'_decomp:
assumes x: "\\s. t = (ksCurThread s)\ f \\rv s. t = (ksCurThread s)\" assumes y: "\Pre\ f \\rv. st_tcb_at' Prop t\" shows "\\s. Pre s \ t = (ksCurThread s)\ f \\rv. ct_in_state' Prop\"
- apply (rule hoare_post_imp [where Q="\rv s. t = ksCurThread s \ st_tcb_at' Prop t s"])
+ apply (rule hoare_post_imp[where Q'="\rv s. t = ksCurThread s \ st_tcb_at' Prop t s"]) apply (clarsimp simp add: ct_in_state'_def) apply (rule hoare_weaken_pre) apply (wp x y)
@@ -4699,7 +4699,7 @@ lemma setQueue_pred_tcb_at[wp]:
unfolding pred_tcb_at'_def apply (rule_tac P=P' in P_bool_lift) apply (rule setQueue_obj_at)
- apply (rule_tac Q="\_ s. \typ_at' TCBT t s \ obj_at' (Not \ (P \ proj \ tcb_to_itcb')) t s"
+ apply (rule_tac Q'="\_ s. \typ_at' TCBT t s \ obj_at' (Not \ (P \ proj \ tcb_to_itcb')) t s" in hoare_post_imp, simp add: not_obj_at' o_def) apply (wp hoare_vcg_disj_lift) apply (clarsimp simp: not_obj_at' o_def)
@@ -4981,7 +4981,7 @@ lemma sts_iflive'[wp]:
\\rv. if_live_then_nonz_cap'\" apply (simp add: setThreadState_def setQueue_def) apply wpsimp
- apply (rule_tac Q="\rv. if_live_then_nonz_cap' and pspace_aligned' and pspace_distinct'"
+ apply (rule_tac Q'="\rv. if_live_then_nonz_cap' and pspace_aligned' and pspace_distinct'" in hoare_post_imp) apply clarsimp apply (wpsimp wp: threadSet_iflive')
@@ -5125,7 +5125,7 @@ lemma tcbSchedEnqueue_ct_not_inQ:
proof - have ts: "\?PRE\ threadSet (tcbQueued_update (\_. True)) t \\_. ct_not_inQ\" apply (simp add: ct_not_inQ_def)
- apply (rule_tac Q="\s. ksSchedulerAction s = ResumeCurrentThread
+ apply (rule_tac P'="\s. ksSchedulerAction s = ResumeCurrentThread \ obj_at' (Not \ tcbQueued) (ksCurThread s) s \ ksCurThread s \ t" in hoare_pre_imp, clarsimp) apply (rule hoare_convert_imp [OF threadSet_nosch])
@@ -5152,7 +5152,7 @@ lemma tcbSchedAppend_ct_not_inQ:
proof - have ts: "\?PRE\ threadSet (tcbQueued_update (\_. True)) t \\_. ct_not_inQ\" apply (simp add: ct_not_inQ_def)
- apply (rule_tac Q="\s. ksSchedulerAction s = ResumeCurrentThread
+ apply (rule_tac P'="\s. ksSchedulerAction s = ResumeCurrentThread \ obj_at' (Not \ tcbQueued) (ksCurThread s) s \ ksCurThread s \ t" in hoare_pre_imp, clarsimp) apply (rule hoare_convert_imp [OF threadSet_nosch])
@@ -5179,7 +5179,7 @@ lemma setSchedulerAction_direct:
lemma rescheduleRequired_ct_not_inQ: "\\\ rescheduleRequired \\_. ct_not_inQ\" apply (simp add: rescheduleRequired_def ct_not_inQ_def)
- apply (rule_tac Q="\_ s. ksSchedulerAction s = ChooseNewThread"
+ apply (rule_tac Q'="\_ s. ksSchedulerAction s = ChooseNewThread" in hoare_post_imp, clarsimp) apply (wp setSchedulerAction_direct) done
@@ -5250,7 +5250,7 @@ lemma setThreadState_ct_not_inQ:
including no_pre apply (simp add: setThreadState_def) apply (wp rescheduleRequired_ct_not_inQ)
- apply (rule_tac Q="\_. ?PRE" in hoare_post_imp, clarsimp)
+ apply (rule_tac Q'="\_. ?PRE" in hoare_post_imp, clarsimp) apply (wp) done
@@ -5407,7 +5407,7 @@ lemma removeFromBitmap_valid_bitmapQ[wp]:
removeFromBitmap d p \\_. valid_bitmapQ\" (is "\?pre\ _ \_\")
- apply (rule_tac Q="\_ s. ?pre s \ \ bitmapQ d p s" in hoare_strengthen_post)
+ apply (rule_tac Q'="\_ s. ?pre s \ \ bitmapQ d p s" in hoare_strengthen_post) apply (wpsimp wp: removeFromBitmap_valid_bitmapQ_except removeFromBitmap_bitmapQ) apply (fastforce elim: valid_bitmap_valid_bitmapQ_exceptE) done
diff --git a/proof/refine/ARM_HYP/Tcb_R.thy b/proof/refine/ARM_HYP/Tcb_R.thy
index bdbf45857d..3f3b13a5ab 100644
--- a/proof/refine/ARM_HYP/Tcb_R.thy
+++ b/proof/refine/ARM_HYP/Tcb_R.thy
@@ -81,7 +81,7 @@ abbreviation
lemma gts_st_tcb': "\tcb_at' t\ getThreadState t \\rv. st_tcb_at' (\st. st = rv) t\" apply (rule hoare_weaken_pre)
- apply (rule hoare_post_imp[where Q="\rv s. \rv'. rv = rv' \ st_tcb_at' (\st. st = rv') t s"])
+ apply (rule hoare_post_imp[where Q'="\rv s. \rv'. rv = rv' \ st_tcb_at' (\st. st = rv') t s"]) apply simp apply (wp hoare_vcg_ex_lift) apply (clarsimp simp add: pred_tcb_at'_def obj_at'_def)
@@ -108,15 +108,15 @@ lemma activate_invs':
split del: if_splits cong: if_cong) apply (wp) apply (clarsimp simp: ct_in_state'_def)
- apply (rule_tac Q="\rv. invs' and ct_idle'" in hoare_post_imp, simp)
+ apply (rule_tac Q'="\rv. invs' and ct_idle'" in hoare_post_imp, simp) apply (wp activateIdle_invs) apply (clarsimp simp: ct_in_state'_def)
- apply (rule_tac Q="\rv. invs' and ct_running' and sch_act_simple"
+ apply (rule_tac Q'="\rv. invs' and ct_running' and sch_act_simple" in hoare_post_imp, simp) apply (rule hoare_weaken_pre) apply (wp ct_in_state'_set asUser_ct sts_invs_minor' | wp (once) sch_act_simple_lift)+
- apply (rule_tac Q="\_. st_tcb_at' runnable' thread
+ apply (rule_tac Q'="\_. st_tcb_at' runnable' thread and sch_act_simple and invs' and (\s. thread = ksCurThread s)" in hoare_post_imp, clarsimp)
@@ -194,7 +194,7 @@ lemma setupReplyMaster_weak_sch_act_wf[wp]:
\\rv s. weak_sch_act_wf (ksSchedulerAction s) s\" apply (simp add: setupReplyMaster_def) apply (wp)
- apply (rule_tac Q="\_ s. weak_sch_act_wf (ksSchedulerAction s) s"
+ apply (rule_tac Q'="\_ s. weak_sch_act_wf (ksSchedulerAction s) s" in hoare_post_imp, clarsimp) apply (wp)+ apply assumption
@@ -220,11 +220,11 @@ lemma restart_corres:
apply (wp set_thread_state_runnable_weak_valid_sched_action sts_st_tcb_at' sts_st_tcb' sts_valid_objs' | clarsimp simp: valid_tcb_state'_def | strengthen valid_objs'_valid_tcbs')+
- apply (rule_tac Q="\rv. valid_sched and cur_tcb and pspace_aligned and pspace_distinct"
+ apply (rule_tac Q'="\rv. valid_sched and cur_tcb and pspace_aligned and pspace_distinct" in hoare_strengthen_post) apply wp apply (fastforce simp: valid_sched_def valid_sched_action_def)
- apply (rule_tac Q="\rv. invs' and ex_nonz_cap_to' t" in hoare_strengthen_post)
+ apply (rule_tac Q'="\rv. invs' and ex_nonz_cap_to' t" in hoare_strengthen_post) apply wp apply (clarsimp simp: invs'_def valid_state'_def sch_act_wf_weak valid_pspace'_def valid_tcb_state'_def)
@@ -360,10 +360,10 @@ lemma invokeTCB_WriteRegisters_corres:
valid_sched_valid_queues valid_objs'_valid_tcbs' invs_valid_objs' | clarsimp simp: invs_def valid_state_def valid_sched_def invs'_def valid_state'_def dest!: global'_no_ex_cap idle_no_ex_cap)+)[2]
- apply (rule_tac Q="\_. einvs and tcb_at dest and ex_nonz_cap_to dest" in hoare_strengthen_post[rotated])
+ apply (rule_tac Q'="\_. einvs and tcb_at dest and ex_nonz_cap_to dest" in hoare_strengthen_post[rotated]) apply (fastforce simp: invs_def valid_sched_weak_strg valid_sched_def valid_state_def dest!: idle_no_ex_cap) prefer 2
- apply (rule_tac Q="\_. invs' and tcb_at' dest and ex_nonz_cap_to' dest" in hoare_strengthen_post[rotated])
+ apply (rule_tac Q'="\_. invs' and tcb_at' dest and ex_nonz_cap_to' dest" in hoare_strengthen_post[rotated]) apply (fastforce simp: sch_act_wf_weak invs'_def valid_state'_def dest!: global'_no_ex_cap) apply (wpsimp simp: getSanitiseRegisterInfo_def)+ apply fastforce
@@ -472,10 +472,10 @@ proof -
apply (rule_tac P=\ and P'=\ in corres_inst) apply simp apply (solves \wp hoare_weak_lift_imp\)+
- apply (rule_tac Q="\_. einvs and tcb_at dest" in hoare_strengthen_post[rotated])
+ apply (rule_tac Q'="\_. einvs and tcb_at dest" in hoare_strengthen_post[rotated]) apply (fastforce simp: invs_def valid_state_def valid_pspace_def valid_sched_weak_strg valid_sched_def) prefer 2
- apply (rule_tac Q="\_. invs' and tcb_at' dest" in hoare_strengthen_post[rotated])
+ apply (rule_tac Q'="\_. invs' and tcb_at' dest" in hoare_strengthen_post[rotated]) apply (fastforce simp: invs'_def valid_state'_def invs_weak_sch_act_wf cur_tcb'_def) apply ((wp mapM_x_wp' hoare_weak_lift_imp | (simp add: cur_tcb'_def[symmetric])+)+)[8] apply ((wp hoare_weak_lift_imp restart_invs' | wpc | clarsimp simp add: if_apply_def2)+)[2]
@@ -544,7 +544,7 @@ lemma tcbSchedDequeue_not_queued:
\\rv. obj_at' (Not \ tcbQueued) t\" apply (simp add: tcbSchedDequeue_def) apply (wp | simp)+
- apply (rule_tac Q="\rv. obj_at' (\obj. tcbQueued obj = rv) t"
+ apply (rule_tac Q'="\rv. obj_at' (\obj. tcbQueued obj = rv) t" in hoare_post_imp) apply (clarsimp simp: obj_at'_def) apply (wp tg_sp' [where P=\, simplified] | simp)+
@@ -1422,7 +1422,7 @@ proof -
have B: "\t v. \invs' and tcb_at' t\ threadSet (tcbFaultHandler_update v) t \\rv. invs'\" by (wp threadSet_invs_trivial | clarsimp simp: inQ_def)+ note stuff = Z B out_invs_trivial hoare_case_option_wp
- hoare_vcg_const_Ball_lift hoare_vcg_const_Ball_lift_R
+ hoare_vcg_const_Ball_lift hoare_vcg_const_Ball_liftE_R cap_delete_deletes cap_delete_valid_cap out_valid_objs cap_insert_objs cteDelete_deletes cteDelete_sch_act_simple
@@ -1457,7 +1457,7 @@ proof -
apply (rule corres_returnOkTT, simp) apply wp apply wp
- apply (wpsimp wp: hoare_vcg_const_imp_lift_R hoare_vcg_const_imp_lift
+ apply (wpsimp wp: hoare_vcg_const_imp_liftE_R hoare_vcg_const_imp_lift hoare_vcg_all_liftE_R hoare_vcg_all_lift as_user_invs thread_set_ipc_tcb_cap_valid thread_set_tcb_ipc_buffer_cap_cleared_invs
@@ -1478,7 +1478,7 @@ proof -
threadSet_invs_tcbIPCBuffer_update threadSet_cte_wp_at' | strengthen simple_sched_action_sched_act_not)+ apply ((wpsimp wp: stuff hoare_vcg_all_liftE_R hoare_vcg_all_lift
- hoare_vcg_const_imp_lift_R hoare_vcg_const_imp_lift
+ hoare_vcg_const_imp_liftE_R hoare_vcg_const_imp_lift threadSet_valid_objs' thread_set_not_state_valid_sched thread_set_tcb_ipc_buffer_cap_cleared_invs thread_set_cte_wp_at_trivial thread_set_no_cap_to_trivial getThreadBufferSlot_dom_tcb_cte_cases
@@ -1514,7 +1514,7 @@ proof -
in hoare_strengthen_postE_R[simplified validE_R_def, rotated]) apply (case_tac g'; clarsimp simp: isCap_simps ; clarsimp elim: invs_valid_objs' cong:imp_cong) apply (wp add: stuff hoare_vcg_all_liftE_R hoare_vcg_all_lift
- hoare_vcg_const_imp_lift_R hoare_vcg_const_imp_lift setMCPriority_invs'
+ hoare_vcg_const_imp_liftE_R hoare_vcg_const_imp_lift setMCPriority_invs' threadSet_valid_objs' thread_set_not_state_valid_sched setP_invs' typ_at_lifts [OF setPriority_typ_at'] typ_at_lifts [OF setMCPriority_typ_at']
@@ -1595,15 +1595,15 @@ lemma tc_invs':
apply (wpsimp wp: hoare_weak_lift_imp hoare_vcg_all_lift checkCap_inv[where P="tcb_at' t" for t] assertDerived_wp_weak threadSet_invs_trivial2 threadSet_tcb' hoare_vcg_all_lift threadSet_cte_wp_at')+
- apply (wpsimp wp: hoare_weak_lift_imp_R cteDelete_deletes
- hoare_vcg_all_liftE_R hoare_vcg_conj_liftE1 hoare_vcg_const_imp_lift_R hoare_vcg_propE_R
+ apply (wpsimp wp: hoare_weak_lift_impE_R cteDelete_deletes
+ hoare_vcg_all_liftE_R hoare_vcg_conj_liftE1 hoare_vcg_const_imp_liftE_R hoare_vcg_propE_R cteDelete_invs' cteDelete_invs' cteDelete_typ_at'_lifts)+ apply (assumption | clarsimp cong: conj_cong imp_cong | (rule case_option_wp_None_returnOk) | wpsimp wp: hoare_weak_lift_imp hoare_vcg_all_lift checkCap_inv[where P="tcb_at' t" for t] assertDerived_wp_weak hoare_vcg_imp_lift' hoare_vcg_all_lift checkCap_inv[where P="tcb_at' t" for t] checkCap_inv[where P="valid_cap' c" for c] checkCap_inv[where P=sch_act_simple]
- hoare_vcg_const_imp_lift_R assertDerived_wp_weak hoare_weak_lift_imp_R cteDelete_deletes
- hoare_vcg_all_liftE_R hoare_vcg_conj_liftE1 hoare_vcg_const_imp_lift_R hoare_vcg_propE_R
+ hoare_vcg_const_imp_liftE_R assertDerived_wp_weak hoare_weak_lift_impE_R cteDelete_deletes
+ hoare_vcg_all_liftE_R hoare_vcg_conj_liftE1 hoare_vcg_const_imp_liftE_R hoare_vcg_propE_R cteDelete_invs' cteDelete_typ_at'_lifts cteDelete_sch_act_simple)+ apply (clarsimp simp: tcb_cte_cases_def cte_level_bits_def objBits_defs tcbIPCBufferSlot_def)
@@ -2687,7 +2687,7 @@ lemma inv_tcb_IRQInactive:
apply (rule hoare_pre) apply (wpc | wp withoutPreemption_R cteDelete_IRQInactive checkCap_inv
- hoare_vcg_const_imp_lift_R cteDelete_irq_states'
+ hoare_vcg_const_imp_liftE_R cteDelete_irq_states' hoare_vcg_const_imp_lift | simp add: split_def)+ done
diff --git a/proof/refine/ARM_HYP/Untyped_R.thy b/proof/refine/ARM_HYP/Untyped_R.thy
index c3f49e3a0e..f43a553319 100644
--- a/proof/refine/ARM_HYP/Untyped_R.thy
+++ b/proof/refine/ARM_HYP/Untyped_R.thy
@@ -398,7 +398,7 @@ next
apply wp+ apply (wp hoare_drop_impE_R hoare_vcg_all_liftE_R | clarsimp)+
- apply (rule hoare_strengthen_post [where Q = "\r. invs and valid_cap r and cte_at slot"])
+ apply (rule hoare_strengthen_post[where Q'="\r. invs and valid_cap r and cte_at slot"]) apply wp+ apply (clarsimp simp: is_cap_simps bits_of_def cap_aligned_def valid_cap_def word_bits_def)
@@ -406,7 +406,7 @@ next
apply (strengthen refl exI[mk_strg I E] exI[where x=d])+ apply simp apply wp+
- apply (rule hoare_strengthen_post [where Q = "\r. invs' and cte_at' (cte_map slot)"])
+ apply (rule hoare_strengthen_post[where Q'="\r. invs' and cte_at' (cte_map slot)"]) apply wp+ apply (clarsimp simp:invs_pspace_aligned' invs_pspace_distinct') apply auto[1]
@@ -3206,7 +3206,7 @@ lemma createNewCaps_parent_helper:
(\tup\set (zip (xs rv) rv). sameRegionAs (cteCap cte) (snd tup))) p\"
- apply (rule hoare_post_imp [where Q="\rv s. \cte. cte_wp_at' ((=) cte) p s
+ apply (rule hoare_post_imp[where Q'="\rv s. \cte. cte_wp_at' ((=) cte) p s \ isUntypedCap (cteCap cte) \ (\tup\set (zip (xs rv) rv). sameRegionAs (cteCap cte) (snd tup))"])
@@ -4571,7 +4571,7 @@ lemma resetUntypedCap_invs_etc:
| strengthen invs_pspace_aligned' invs_pspace_distinct' | simp add: ct_in_state'_def sch_act_simple_def
- | rule hoare_vcg_conj_lift_R
+ | rule hoare_vcg_conj_liftE_R | wp (once) preemptionPoint_inv | wps | wp (once) ex_cte_cap_to'_pres)+
@@ -5289,7 +5289,7 @@ crunch insertNewCap
lemma insertNewCap_ct_idle_or_in_cur_domain'[wp]: "\ct_idle_or_in_cur_domain' and ct_active'\ insertNewCap parent slot cap \\_. ct_idle_or_in_cur_domain'\" apply (wp ct_idle_or_in_cur_domain'_lift_futz[where Q=\])
-apply (rule_tac Q="\_. obj_at' (\tcb. tcbState tcb \ Structures_H.thread_state.Inactive) t and obj_at' (\tcb. d = tcbDomain tcb) t"
+apply (rule_tac Q'="\_. obj_at' (\tcb. tcbState tcb \ Structures_H.thread_state.Inactive) t and obj_at' (\tcb. d = tcbDomain tcb) t" in hoare_strengthen_post) apply (wp | clarsimp elim: obj_at'_weakenE)+ apply (auto simp: obj_at'_def)
diff --git a/proof/refine/ARM_HYP/VSpace_R.thy b/proof/refine/ARM_HYP/VSpace_R.thy
index 8bf4e02748..7438273404 100644
--- a/proof/refine/ARM_HYP/VSpace_R.thy
+++ b/proof/refine/ARM_HYP/VSpace_R.thy
@@ -739,12 +739,12 @@ lemma find_pd_for_asid_pd_at_asid_again:
apply (unfold validE_def, rule hoare_name_pre_state, fold validE_def) apply (case_tac "\pd. vspace_at_asid asid pd s") apply clarsimp
- apply (rule_tac Q="\rv s'. s' = s \ rv = pd" and E="\\" in hoare_strengthen_postE)
+ apply (rule_tac Q'="\rv s'. s' = s \ rv = pd" and E'="\\" in hoare_strengthen_postE) apply (rule hoare_pre, wp find_pd_for_asid_valids) apply fastforce apply simp+
- apply (rule_tac Q="\rv s'. s' = s \ vspace_at_asid asid rv s'"
- and E="\rv s'. s' = s" in hoare_strengthen_postE)
+ apply (rule_tac Q'="\rv s'. s' = s \ vspace_at_asid asid rv s'"
+ and E'="\rv s'. s' = s" in hoare_strengthen_postE) apply (rule hoare_pre, wp) apply clarsimp+ done
@@ -1563,7 +1563,7 @@ lemma deleteASIDPool_corres:
apply (simp only:) apply (rule setVMRoot_corres) apply wp+
- apply (rule_tac R="\_ s. rv = arm_asid_table (arch_state s)"
+ apply (rule_tac Q'="\_ s. rv = arm_asid_table (arch_state s)" in hoare_post_add) apply (drule sym, simp only: ) apply (drule sym, simp only: )
@@ -1578,7 +1578,7 @@ lemma deleteASIDPool_corres:
apply (rule hoare_vcg_conj_lift, (rule mapM_invalidate[where ptr=ptr])?, ((wp mapM_wp' | simp)+)[1])+
- apply (rule_tac R="\_ s. rv' = armKSASIDTable (ksArchState s)"
+ apply (rule_tac Q'="\_ s. rv' = armKSASIDTable (ksArchState s)" in hoare_post_add) apply (simp only: pred_conj_def cong: conj_cong) apply simp
@@ -2052,7 +2052,7 @@ lemma valid_objs_valid_vcpu': "\ valid_objs' s ; ko_at' (t :: vcpu) p s
lemma setObject_vcpu_no_tcb_update: "\ vcpuTCBPtr (f vcpu) = vcpuTCBPtr vcpu \ \ \ valid_objs' and ko_at' (vcpu :: vcpu) p\ setObject p (f vcpu) \ \_. valid_objs' \"
- apply (rule_tac Q="valid_objs' and (ko_at' vcpu p and valid_obj' (KOArch (KOVCPU vcpu)))" in hoare_pre_imp)
+ apply (rule_tac P'="valid_objs' and (ko_at' vcpu p and valid_obj' (KOArch (KOVCPU vcpu)))" in hoare_pre_imp) apply (clarsimp) apply (frule valid_objs_valid_vcpu') apply assumption+
@@ -2299,11 +2299,11 @@ lemma unmapPage_corres:
| wp hoare_drop_imps | wp mapM_wp' | assumption)+ apply auto[1]
- apply (wpsimp wp: hoare_vcg_const_imp_lift_R lookupPTSlot_inv
+ apply (wpsimp wp: hoare_vcg_const_imp_liftE_R lookupPTSlot_inv | strengthen not_in_global_refs_vs_lookup page_directory_at_lookup_mask_aligned_strg page_directory_at_lookup_mask_add_aligned_strg
- | wp hoare_vcg_const_Ball_lift_R mapM_wp')+
+ | wp hoare_vcg_const_Ball_liftE_R mapM_wp')+ apply (clarsimp simp add: valid_unmap_def valid_asid_def) apply (case_tac sz) apply (auto simp: invs_def valid_state_def
@@ -2868,7 +2868,7 @@ proof -
apply wp apply (wpsimp, safe; wpsimp wp: hoare_vcg_ex_lift) apply wpsimp
- apply (rule_tac Q="\_. K (word \ mask asid_bits \ word \ 0) and invs
+ apply (rule_tac Q'="\_. K (word \ mask asid_bits \ word \ 0) and invs and (\s. \pd. vspace_at_asid word pd s)" in hoare_strengthen_post) prefer 2 apply auto[1]
@@ -2928,7 +2928,7 @@ proof -
apply wp apply (wpsimp, safe ; wpsimp wp: hoare_vcg_ex_lift) apply wpsimp
- apply (rule_tac Q="\_. K (word \ mask asid_bits \ word \ 0) and invs
+ apply (rule_tac Q'="\_. K (word \ mask asid_bits \ word \ 0) and invs and (\s. \pd. vspace_at_asid word pd s)" in hoare_strengthen_post) prefer 2 apply auto[1]
@@ -5323,7 +5323,7 @@ lemma perform_pt_invs [wp]:
apply clarsimp apply (wp arch_update_updateCap_invs unmapPage_cte_wp_at' getSlotCap_wp|wpc)+ apply (rename_tac acap word a b)
- apply (rule_tac Q="\_. invs' and cte_wp_at' (\cte. \d r R sz m. cteCap cte =
+ apply (rule_tac Q'="\_. invs' and cte_wp_at' (\cte. \d r R sz m. cteCap cte = ArchObjectCap (PageCap d r R sz m)) word" in hoare_strengthen_post) apply (wp unmapPage_cte_wp_at')
diff --git a/proof/refine/Move_R.thy b/proof/refine/Move_R.thy
index 0c75573e99..5fe79b1b0a 100644
--- a/proof/refine/Move_R.thy
+++ b/proof/refine/Move_R.thy
@@ -69,7 +69,7 @@ lemma hoare_vcg_if_lift3:
\R\ f \\rv s. (if P rv s then X rv else Y rv) s\" by auto
-lemmas hoare_pre_post = hoare_pre_imp[where R="\_. Q" and Q=Q for Q]
+lemmas hoare_pre_post = hoare_pre_imp[where Q="\_. Q" and P'=Q for Q] lemmas corres_underlying_gets_pre_rhs = corres_symb_exec_r[OF _ _ gets_inv no_fail_pre[OF no_fail_gets TrueI]]
diff --git a/proof/refine/RISCV64/CNodeInv_R.thy b/proof/refine/RISCV64/CNodeInv_R.thy
index 2db4cd4681..565d219c54 100644
--- a/proof/refine/RISCV64/CNodeInv_R.thy
+++ b/proof/refine/RISCV64/CNodeInv_R.thy
@@ -207,7 +207,7 @@ lemma decodeCNodeInvocation_corres:
apply (rule corres_trivial) subgoal by (auto simp add: whenE_def, auto simp add: returnOk_def) apply (wp | wpc | simp(no_asm))+
- apply (wp hoare_vcg_const_imp_lift_R hoare_vcg_const_imp_lift
+ apply (wp hoare_vcg_const_imp_liftE_R hoare_vcg_const_imp_lift hoare_vcg_all_liftE_R hoare_vcg_all_lift lsfco_cte_at' hoare_drop_imps | clarsimp)+ subgoal by (auto elim!: valid_cnode_capI)
@@ -6112,7 +6112,7 @@ lemma reduceZombie_invs'':
apply (wp | simp)+ apply (rule getCTE_wp) apply (wp | simp)+
- apply (rule_tac Q="\cte s. rv = capZombiePtr cap +
+ apply (rule_tac Q'="\cte s. rv = capZombiePtr cap + of_nat (capZombieNumber cap) * 2^cteSizeBits - 2^cteSizeBits \ cte_wp_at' (\c. c = cte) slot s \ invs' s \ no_cte_prop Q s \ sch_act_simple s"
@@ -6438,8 +6438,8 @@ lemmas cteDelete_typ_at'_lifts [wp] = typ_at_lifts [OF cteDelete_typ_at']
lemma cteDelete_cte_at: "\\\ cteDelete slot bool \\rv. cte_at' slot\"
- apply (rule_tac Q="\s. cte_at' slot s \ \ cte_at' slot s"
- in hoare_pre(1))
+ apply (rule_tac P'="\s. cte_at' slot s \ \ cte_at' slot s"
+ in hoare_weaken_pre) apply (rule hoare_strengthen_post) apply (rule hoare_vcg_disj_lift) apply (rule typ_at_lifts, rule cteDelete_typ_at')
@@ -6478,7 +6478,7 @@ lemma cteDelete_cte_wp_at_invs:
apply (clarsimp simp: cte_wp_at_ctes_of) apply wp apply (simp add: imp_conjR conj_comms)
- apply (rule_tac Q="\rv s. invs' s \ sch_act_simple s \
+ apply (rule_tac Q'="\rv s. invs' s \ sch_act_simple s \ (fst rv \ cte_wp_at' (\cte. removeable' slot s (cteCap cte)) slot s) \ (fst rv \
@@ -6488,9 +6488,9 @@ lemma cteDelete_cte_wp_at_invs:
cteCap cte = NullCap \ (\zb n. cteCap cte = Zombie slot zb n)) slot s)"
- and E="\rv. \" in hoare_strengthen_postE)
+ and E'="\rv. \" in hoare_strengthen_postE) apply (wp finaliseSlot_invs finaliseSlot_removeable finaliseSlot_sch_act_simple
- hoare_drop_imps(2)[OF finaliseSlot_irqs])
+ hoare_drop_impE_R[OF finaliseSlot_irqs]) apply (rule hoare_strengthen_postE_R, rule finaliseSlot_abort_cases) apply (clarsimp simp: cte_wp_at_ctes_of dest!: isCapDs) apply simp
@@ -6511,7 +6511,7 @@ lemma cteDelete_cte_wp_at_invs: p s" in hoare_strengthen_postE_R) apply (wp finaliseSlot_invs finaliseSlot_removeable finaliseSlot_sch_act_simple - hoare_drop_imps(2)[OF finaliseSlot_irqs]) + hoare_drop_impE_R[OF finaliseSlot_irqs]) apply (rule hoare_strengthen_postE_R [OF finaliseSlot_cte_wp_at[where p=p and P=P]]) apply simp+ apply (clarsimp simp: cte_wp_at_ctes_of) @@ -6525,8 +6525,8 @@ lemma cteDelete_sch_act_simple: cteDelete slot exposed \\rv. sch_act_simple\" apply (simp add: cteDelete_def whenE_def split_def) apply (wp hoare_drop_imps | simp)+ - apply (rule_tac hoare_strengthen_postE [where Q="\rv. sch_act_simple" - and E="\rv. sch_act_simple"]) + apply (rule_tac hoare_strengthen_postE [where Q'="\rv. sch_act_simple" + and E'="\rv. sch_act_simple"]) apply (rule valid_validE) apply (wp finaliseSlot_sch_act_simple) apply simp+ @@ -6689,7 +6689,7 @@ proof (induct rule: finalise_induct3) apply ((wp | simp add: locateSlot_conv)+)[2] apply (rule drop_spec_validE) apply simp - apply (rule_tac Q="\rv s. revoke_progress_ord m (option_map capToRPO \ cteCaps_of s) + apply (rule_tac Q'="\rv s. revoke_progress_ord m (option_map capToRPO \ cteCaps_of s) \ cte_wp_at' (\cte. cteCap cte = fst rvb) sl s" in hoare_post_imp) apply (clarsimp simp: o_def cte_wp_at_ctes_of capToRPO_def @@ -7260,7 +7260,7 @@ next apply (rule updateCap_corres) apply simp apply (simp add: is_cap_simps) - apply (rule_tac R="\rv. cte_at' (cte_map ?target)" in hoare_post_add) + apply (rule_tac Q'="\rv. cte_at' (cte_map ?target)" in hoare_post_add) apply (wp, (wp getCTE_wp)+) apply (clarsimp simp: cte_wp_at_ctes_of) apply (rule no_fail_pre, wp, simp) 
@@ -7422,7 +7422,7 @@ lemma cteRevoke_typ_at': lemma cteRevoke_invs': "\invs' and sch_act_simple\ cteRevoke ptr \\rv. invs'\" - apply (rule_tac Q="\rv. invs' and sch_act_simple" in hoare_strengthen_post) + apply (rule_tac Q'="\rv. invs' and sch_act_simple" in hoare_strengthen_post) apply (wp cteRevoke_preservation cteDelete_invs' cteDelete_sch_act_simple)+ apply simp_all done @@ -8957,7 +8957,7 @@ proof (induct rule: finalise_spec_induct) apply (unfold Let_def split_def fst_conv snd_conv case_Zombie_assert_fold haskell_fail_def) apply (wp getCTE_wp' preemptionPoint_invR| simp add: o_def irq_state_independent_HI)+ - apply (rule hoare_post_imp [where Q="\_. valid_irq_states'"]) + apply (rule hoare_post_imp[where Q'="\_. valid_irq_states'"]) apply simp apply wp[1] apply (rule spec_strengthen_postE) @@ -9000,7 +9000,7 @@ lemma cteDelete_irq_states': apply (simp add: cteDelete_def split_def) apply (wp whenE_wp) apply (rule hoare_strengthen_postE) - apply (rule hoare_valid_validE) + apply (rule valid_validE) apply (rule finaliseSlot_irq_states') apply simp apply simp diff --git a/proof/refine/RISCV64/CSpace_R.thy b/proof/refine/RISCV64/CSpace_R.thy index 3053fdb972..5c738b5552 100644 --- a/proof/refine/RISCV64/CSpace_R.thy +++ b/proof/refine/RISCV64/CSpace_R.thy @@ -2146,7 +2146,7 @@ lemma cteInsert_mdb' [wp]: cteInsert cap src dest \\_. valid_mdb'\" apply (simp add:valid_mdb'_def valid_mdb_ctes_def) - apply (rule_tac Q = "\r s. valid_dlist (ctes_of s) \ irq_control (ctes_of s) \ + apply (rule_tac Q'="\r s. valid_dlist (ctes_of s) \ irq_control (ctes_of s) \ no_0 (ctes_of s) \ mdb_chain_0 (ctes_of s) \ mdb_chunked (ctes_of s) \ untyped_mdb' (ctes_of s) \ untyped_inc' (ctes_of s) \ Q s" for Q 
@@ -3957,12 +3957,12 @@ lemma setupReplyMaster_corres: apply (fastforce dest: pspace_relation_no_reply_caps state_relation_pspace_relation) apply (clarsimp simp: cte_map_def tcb_cnode_index_def cte_wp_at_ctes_of) - apply (rule_tac Q="\rv. einvs and tcb_at t and + apply (rule_tac Q'="\rv. einvs and tcb_at t and cte_wp_at ((=) rv) (t, tcb_cnode_index 2)" in hoare_strengthen_post) apply (wp hoare_drop_imps get_cap_wp) apply (clarsimp simp: invs_def valid_state_def elim!: cte_wp_at_weakenE) - apply (rule_tac Q="\rv. valid_pspace' and valid_mdb' and + apply (rule_tac Q'="\rv. valid_pspace' and valid_mdb' and cte_wp_at' ((=) rv) (cte_map (t, tcb_cnode_index 2))" in hoare_strengthen_post) apply (wp hoare_drop_imps getCTE_wp') diff --git a/proof/refine/RISCV64/Detype_R.thy b/proof/refine/RISCV64/Detype_R.thy index 8dfb98384f..addc819a28 100644 --- a/proof/refine/RISCV64/Detype_R.thy +++ b/proof/refine/RISCV64/Detype_R.thy @@ -64,7 +64,7 @@ lemma descendants_range_in_lift': apply (simp only: Ball_def[unfolded imp_conv_disj]) apply (rule hoare_pre) apply (wp hoare_vcg_all_lift hoare_vcg_disj_lift st cap_range) - apply (rule_tac Q = "\r s. cte_wp_at' (\c. capRange (cteCap c) \ S = {}) x s" + apply (rule_tac Q'="\r s. cte_wp_at' (\c. capRange (cteCap c) \ S = {}) x s" in hoare_strengthen_post) apply (wp cap_range) apply (clarsimp simp:cte_wp_at_ctes_of null_filter'_def) @@ -1687,7 +1687,7 @@ lemma deleteObjects_invs': proof - show ?thesis apply (rule hoare_pre) - apply (rule_tac G="is_aligned ptr bits \ 3 \ bits \ bits \ word_bits" in hoare_grab_asm) + apply (rule_tac P'="is_aligned ptr bits \ 3 \ bits \ bits \ word_bits" in hoare_grab_asm) apply (clarsimp simp add: deleteObjects_def2) apply (simp add: freeMemory_def bind_assoc doMachineOp_bind ef_storeWord) apply (simp add: bind_assoc[where f="\_. modify f" for f, symmetric]) 
@@ -3643,7 +3643,7 @@ lemma createNewCaps_pspace_no_overlap': apply simp+ apply (simp add:range_cover_def) apply (simp add:range_cover.sz(1)[where 'a=machine_word_len, folded word_bits_def]) - apply (rule_tac Q = "\r. pspace_no_overlap' (ptr + (1 + of_nat n << Types_H.getObjectSize ty us)) + apply (rule_tac Q'="\r. pspace_no_overlap' (ptr + (1 + of_nat n << Types_H.getObjectSize ty us)) (Types_H.getObjectSize ty us) and pspace_aligned' and pspace_distinct'" in hoare_strengthen_post) apply (case_tac ty) diff --git a/proof/refine/RISCV64/Finalise_R.thy b/proof/refine/RISCV64/Finalise_R.thy index 7c0b7039e2..b14004c493 100644 --- a/proof/refine/RISCV64/Finalise_R.thy +++ b/proof/refine/RISCV64/Finalise_R.thy @@ -1832,7 +1832,7 @@ lemma isFinalCapability_inv: apply (simp add: isFinalCapability_def Let_def split del: if_split cong: if_cong) apply (rule hoare_pre, wp) - apply (rule hoare_post_imp [where Q="\s. P"], simp) + apply (rule hoare_post_imp[where Q'="\s. P"], simp) apply wp apply simp done @@ -2738,7 +2738,7 @@ lemma cancelIPC_bound_tcb_at'[wp]: apply (simp add: getThreadReplySlot_def locateSlot_conv liftM_def) apply (rule hoare_pre) apply (wp capDeleteOne_bound_tcb_at' getCTE_ctes_of) - apply (rule_tac Q="\_. bound_tcb_at' P tptr" in hoare_post_imp) + apply (rule_tac Q'="\_. bound_tcb_at' P tptr" in hoare_post_imp) apply (clarsimp simp: capHasProperty_def cte_wp_at_ctes_of) apply (wp threadSet_pred_tcb_no_state | simp)+ done diff --git a/proof/refine/RISCV64/Interrupt_R.thy b/proof/refine/RISCV64/Interrupt_R.thy index 61396aca78..39f6067c88 100644 --- a/proof/refine/RISCV64/Interrupt_R.thy +++ b/proof/refine/RISCV64/Interrupt_R.thy 
@@ -380,7 +380,7 @@ lemma invokeIRQHandler_corres: apply simp apply (rule corres_split_nor[OF cap_delete_one_corres]) apply (rule cteInsert_corres, simp+) - apply (rule_tac Q="\rv s. einvs s \ cte_wp_at (\c. c = cap.NullCap) irq_slot s + apply (rule_tac Q'="\rv s. einvs s \ cte_wp_at (\c. c = cap.NullCap) irq_slot s \ (a, b) \ irq_slot \ cte_wp_at (is_derived (cdt s) (a, b) cap) (a, b) s" in hoare_post_imp) @@ -787,7 +787,7 @@ lemma timerTick_invs'[wp]: apply (wpsimp wp: threadSet_invs_trivial threadSet_pred_tcb_no_state rescheduleRequired_all_invs_but_ct_not_inQ simp: tcb_cte_cases_def) - apply (rule_tac Q="\rv. invs'" in hoare_post_imp) + apply (rule_tac Q'="\rv. invs'" in hoare_post_imp) apply (clarsimp simp: invs'_def valid_state'_def) apply (simp add: decDomainTime_def) apply wp @@ -798,7 +798,7 @@ lemma timerTick_invs'[wp]: hoare_vcg_imp_lift threadSet_ct_idle_or_in_cur_domain')+ apply (rule hoare_strengthen_post[OF tcbSchedAppend_all_invs_but_ct_not_inQ']) apply (wpsimp simp: invs'_def valid_state'_def valid_pspace'_def sch_act_wf_weak)+ - apply (rule_tac Q="\_. invs'" in hoare_strengthen_post) + apply (rule_tac Q'="\_. invs'" in hoare_strengthen_post) apply (wpsimp wp: threadSet_pred_tcb_no_state threadSet_tcbDomain_triv threadSet_valid_objs' threadSet_timeslice_invs)+ apply (clarsimp simp: invs'_def valid_state'_def valid_pspace'_def) @@ -837,7 +837,7 @@ lemma hint_invs[wp]: apply (wp dmo_maskInterrupt_True getCTE_wp' | wpc | simp add: doMachineOp_bind maskIrqSignal_def )+ - apply (rule_tac Q="\rv. invs'" in hoare_post_imp) + apply (rule_tac Q'="\rv. invs'" in hoare_post_imp) apply (clarsimp simp: cte_wp_at_ctes_of ex_nonz_cap_to'_def) apply fastforce apply (wp threadSet_invs_trivial | simp add: inQ_def handleReservedIRQ_def)+ diff --git a/proof/refine/RISCV64/IpcCancel_R.thy b/proof/refine/RISCV64/IpcCancel_R.thy index 199eeb227f..1544db9f75 100644 --- a/proof/refine/RISCV64/IpcCancel_R.thy +++ b/proof/refine/RISCV64/IpcCancel_R.thy 
@@ -906,7 +906,7 @@ lemma (in delete_one_conc_pre) cancelIPC_sch_act_simple[wp]: apply (wp hoare_drop_imps delete_one_sch_act_simple | simp add: getThreadReplySlot_def | wpcw | rule sch_act_simple_lift - | (rule_tac Q="\rv. sch_act_simple" in hoare_post_imp, simp))+ + | (rule_tac Q'="\rv. sch_act_simple" in hoare_post_imp, simp))+ done lemma cancelSignal_st_tcb_at: @@ -916,7 +916,7 @@ lemma cancelSignal_st_tcb_at: \\rv. st_tcb_at' P t\" apply (simp add: cancelSignal_def Let_def list_case_If) apply (wp sts_st_tcb_at'_cases hoare_vcg_const_imp_lift - hoare_drop_imp[where R="%rv s. P' rv" for P']) + hoare_drop_imp[where Q'="%rv s. P' rv" for P']) apply clarsimp+ done @@ -1005,7 +1005,7 @@ lemma (in delete_one_conc_pre) cancelIPC_tcb_at_runnable': apply (case_tac rv; simp) apply (wp sts_pred_tcb_neq' | simp | wpc)+ apply (clarsimp) - apply (rule_tac Q="\rv. ?PRE" in hoare_post_imp, fastforce) + apply (rule_tac Q'="\rv. ?PRE" in hoare_post_imp, fastforce) apply (wp cteDeleteOne_tcb_at_runnable' threadSet_pred_tcb_no_state cancelSignal_tcb_at_runnable' @@ -1104,7 +1104,7 @@ lemma sts_weak_sch_act_wf[wp]: including classic_wp_pre apply (simp add: setThreadState_def) apply (wp rescheduleRequired_weak_sch_act_wf) - apply (rule_tac Q="\_ s. weak_sch_act_wf (ksSchedulerAction s) s" in hoare_post_imp, simp) + apply (rule_tac Q'="\_ s. weak_sch_act_wf (ksSchedulerAction s) s" in hoare_post_imp, simp) apply (simp add: weak_sch_act_wf_def) apply (wp hoare_vcg_all_lift) apply (wps threadSet_nosch) 
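Review bot: In cancelSignal_st_tcb_at the rewritten `hoare_drop_imp[where Q'="%rv s. P' rv" for P']` generalises a variable named `P'`, which after this commit's renaming reads like a Hoare-triple precondition rather than the arbitrary return-value predicate it is. If hoare_drop_imp itself carries a `P'` parameter the two names only coincide textually, but the line is harder to read than it needs to be. `hoare_drop_imp[where Q'="%rv s. R rv" for R]` says the same thing with a neutral name. The remaining hunks on this line are plain `Q` to `Q'` renames.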
@@ -1232,11 +1232,11 @@ lemma (in delete_one) suspend_corres: apply wp apply (wpsimp wp: sts_valid_objs') apply (wpsimp simp: update_restart_pc_def updateRestartPC_def valid_tcb_state'_def)+ - apply (rule hoare_post_imp[where Q = "\rv s. einvs s \ tcb_at t s"]) + apply (rule hoare_post_imp[where Q'="\rv s. einvs s \ tcb_at t s"]) apply (simp add: invs_implies invs_strgs valid_queues_in_correct_ready_q valid_queues_ready_qs_distinct valid_sched_def) apply wp - apply (rule hoare_post_imp[where Q = "\_ s. invs' s \ tcb_at' t s"]) + apply (rule hoare_post_imp[where Q'="\_ s. invs' s \ tcb_at' t s"]) apply (fastforce simp: invs'_def valid_tcb_state'_def) apply (wpsimp simp: update_restart_pc_def updateRestartPC_def)+ apply fastforce+ @@ -1279,7 +1279,7 @@ lemma (in delete_one_conc) suspend_invs'[wp]: apply (simp add: suspend_def) apply (wpsimp wp: sts_invs_minor' gts_wp' simp: updateRestartPC_def | strengthen no_refs_simple_strg')+ - apply (rule_tac Q="\_. invs' and sch_act_simple and st_tcb_at' simple' t + apply (rule_tac Q'="\_. invs' and sch_act_simple and st_tcb_at' simple' t and (\s. t \ ksIdleThread s)" in hoare_post_imp) apply clarsimp @@ -1307,7 +1307,7 @@ lemma (in delete_one_conc_pre) suspend_sch_act_simple[wp]: lemma (in delete_one_conc) suspend_objs': "\invs' and sch_act_simple and tcb_at' t and (\s. t \ ksIdleThread s)\ suspend t \\rv. valid_objs'\" - apply (rule_tac Q="\_. invs'" in hoare_strengthen_post) + apply (rule_tac Q'="\_. invs'" in hoare_strengthen_post) apply (wp suspend_invs') apply fastforce done 
@@ -1421,7 +1421,7 @@ proof - apply (rule ep_cancel_corres_helper) apply (rule mapM_x_wp') apply (wp weak_sch_act_wf_lift_linear set_thread_state_runnable_weak_valid_sched_action | simp)+ - apply (rule_tac R="\_ s. \x\set list. tcb_at' x s \ valid_objs' s \ pspace_aligned' s \ pspace_distinct' s" + apply (rule_tac Q'="\_ s. \x\set list. tcb_at' x s \ valid_objs' s \ pspace_aligned' s \ pspace_distinct' s" in hoare_post_add) apply (rule mapM_x_wp') apply ((wpsimp wp: hoare_vcg_const_Ball_lift mapM_x_wp' sts_st_tcb' sts_valid_objs' @@ -1481,7 +1481,7 @@ lemma cancelAllSignals_corres: set_thread_state_runnable_weak_valid_sched_action | simp)+ apply (rename_tac list) - apply (rule_tac R="\_ s. (\x\set list. tcb_at' x s) \ valid_objs' s + apply (rule_tac Q'="\_ s. (\x\set list. tcb_at' x s) \ valid_objs' s \ sym_heap_sched_pointers s \ valid_sched_pointers s \ valid_objs' s \ pspace_aligned' s \ pspace_distinct' s" in hoare_post_add) @@ -1529,7 +1529,7 @@ proof - show ?thesis apply (simp add: setThreadState_def) apply (wpsimp wp: hoare_vcg_imp_lift [OF nrct]) - apply (rule_tac Q="\_. ?PRE" in hoare_post_imp) + apply (rule_tac Q'="\_. ?PRE" in hoare_post_imp) apply (clarsimp) apply (rule hoare_convert_imp [OF threadSet_nosch threadSet_ct]) apply assumption @@ -1780,7 +1780,7 @@ lemma cancelAllIPC_valid_objs'[wp]: apply (rule bind_wp [OF _ get_ep_sp']) apply (rule hoare_pre) apply (wp set_ep_valid_objs' setSchedulerAction_valid_objs') - apply (rule_tac Q="\_ s. valid_objs' s \ pspace_aligned' s \ pspace_distinct' s + apply (rule_tac Q'="\_ s. valid_objs' s \ pspace_aligned' s \ pspace_distinct' s \ (\x\set (epQueue ep). tcb_at' x s)" in hoare_post_imp) apply simp 
@@ -1806,7 +1806,7 @@ lemma cancelAllSignals_valid_objs'[wp]: apply (wp, simp) apply (wp, simp) apply (rename_tac list) - apply (rule_tac Q="\rv s. valid_objs' s \ (\x\set list. tcb_at' x s)" + apply (rule_tac Q'="\rv s. valid_objs' s \ (\x\set list. tcb_at' x s)" in hoare_post_imp) apply (simp add: valid_ntfn'_def) apply (simp add: Ball_def) @@ -2107,7 +2107,7 @@ lemma cancelBadgedSends_corres: apply (rule corres_split_nor[OF setEndpoint_corres]) apply (simp add: ep_relation_def) apply (rule corres_split_eqr[OF _ _ _ hoare_post_add - [where R="\_. valid_objs' and pspace_aligned' + [where Q'="\_. valid_objs' and pspace_aligned' and pspace_distinct'"]]) apply (rule_tac S="(=)" and Q="\xs s. (\x \ set xs. (epptr, TCBBlockedSend) \ state_refs_of s x) \ diff --git a/proof/refine/RISCV64/Ipc_R.thy b/proof/refine/RISCV64/Ipc_R.thy index a0bca357e1..68750d37ac 100644 --- a/proof/refine/RISCV64/Ipc_R.thy +++ b/proof/refine/RISCV64/Ipc_R.thy @@ -52,7 +52,7 @@ lemma lsfco_cte_at': apply (wp) apply (clarsimp simp: split_def unlessE_def split del: if_split) - apply (wp hoare_drop_imps throwE_R) + apply (wpsimp wp: hoare_drop_imps throwE_R) done declare unifyFailure_wp [wp] @@ -492,7 +492,7 @@ next apply clarsimp apply assumption apply (subst imp_conjR) - apply (rule hoare_vcg_conj_liftE_R) + apply (rule hoare_vcg_conj_liftE_R') apply (rule derive_cap_is_derived) apply (wp derive_cap_is_derived_foo)+ apply (simp split del: if_split) @@ -504,7 +504,7 @@ next apply clarsimp apply assumption apply (subst imp_conjR) - apply (rule hoare_vcg_conj_liftE_R) + apply (rule hoare_vcg_conj_liftE_R') apply (rule hoare_strengthen_postE_R[OF deriveCap_derived]) apply (clarsimp simp:cte_wp_at_ctes_of) apply (wp deriveCap_derived_foo) @@ -616,7 +616,7 @@ lemma cteInsert_assume_Null: apply (rule bind_wp[OF _ getCTE_sp])+ apply (rule hoare_name_pre_state) apply (clarsimp simp: cte_wp_at_ctes_of) - apply (erule hoare_pre(1)) + apply (erule hoare_weaken_pre) apply simp done 
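Review bot: The two `subst imp_conjR` steps in Ipc_R.thy now apply `hoare_vcg_conj_liftE_R'`, while this same commit uses the unprimed `hoare_vcg_conj_liftE_R` elsewhere, and nothing at either site says how the primed variant differs or why it is the one needed here. A one-line comment at the first use naming the difference, presumably the shape of the precondition it expects, would save the next maintainer a lookup. In lsfco_cte_at' the step `apply (wp hoare_drop_imps throwE_R)` becoming `apply (wpsimp wp: hoare_drop_imps throwE_R)` is a tactic change rather than a rename, so the reason the extra simplification is now required is worth recording alongside the rename.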
@@ -1816,7 +1816,7 @@ declare asUser_global_refs' [wp] lemma lec_valid_cap' [wp]: "\valid_objs'\ lookupExtraCaps thread xa mi \\rv s. (\x\set rv. s \' fst x)\, -" apply (rule hoare_pre, rule hoare_strengthen_postE_R) - apply (rule hoare_vcg_conj_lift_R[where R=valid_objs' and S="\_. valid_objs'"]) + apply (rule hoare_vcg_conj_liftE_R[where P'=valid_objs' and Q'="\_. valid_objs'"]) apply (rule lookupExtraCaps_srcs) apply wp apply (clarsimp simp: cte_wp_at_ctes_of) @@ -2195,7 +2195,7 @@ lemma doReplyTransfer_corres: apply (fastforce) apply (clarsimp simp:is_cap_simps) apply (wp weak_valid_sched_action_lift)+ - apply (rule_tac Q="\_ s. valid_objs' s \ cur_tcb' s \ tcb_at' receiver s + apply (rule_tac Q'="\_ s. valid_objs' s \ cur_tcb' s \ tcb_at' receiver s \ sch_act_wf (ksSchedulerAction s) s \ sym_heap_sched_pointers s \ valid_sched_pointers s \ pspace_aligned' s \ pspace_distinct' s" @@ -2252,7 +2252,7 @@ lemma doReplyTransfer_corres: threadSet_tcbDomain_triv threadSet_valid_objs' threadSet_sched_pointers threadSet_valid_sched_pointers | simp add: valid_tcb_state'_def)+ - apply (rule_tac Q="\_. valid_sched and cur_tcb and tcb_at sender and tcb_at receiver and + apply (rule_tac Q'="\_. valid_sched and cur_tcb and tcb_at sender and tcb_at receiver and valid_objs and pspace_aligned and pspace_distinct" in hoare_strengthen_post [rotated], clarsimp) apply (wp) @@ -2260,7 +2260,7 @@ lemma doReplyTransfer_corres: apply (assumption) apply (rule conjI, clarsimp) apply (clarsimp simp add: invs_def valid_state_def valid_pspace_def) - apply (rule_tac Q="\_. tcb_at' sender and tcb_at' receiver and invs'" + apply (rule_tac Q'="\_. tcb_at' sender and tcb_at' receiver and invs'" in hoare_strengthen_post [rotated]) apply (solves\auto simp: invs'_def valid_state'_def\) apply wp 
@@ -2341,14 +2341,14 @@ lemma setupCallerCap_corres: tcb_cnode_index_def cte_level_bits_def) apply (simp add: cte_map_def tcbCallerSlot_def tcb_cnode_index_def cte_level_bits_def) - apply (rule_tac R="\rv. cte_at' (receiver + 2 ^ cte_level_bits * tcbCallerSlot)" + apply (rule_tac Q'="\rv. cte_at' (receiver + 2 ^ cte_level_bits * tcbCallerSlot)" in hoare_post_add) apply (wp, (wp getSlotCap_wp)+) apply blast apply (rule no_fail_pre, wp) apply (clarsimp simp: cte_wp_at'_def cte_at'_def) - apply (rule_tac R="\rv. cte_at' (sender + 2 ^ cte_level_bits * tcbReplySlot)" + apply (rule_tac Q'="\rv. cte_at' (sender + 2 ^ cte_level_bits * tcbReplySlot)" in hoare_post_add) apply (wp, (wp getCTE_wp')+) apply blast @@ -2683,7 +2683,7 @@ lemma sendSignal_corres: valid_queues_in_correct_ready_q valid_queues_ready_qs_distinct valid_sched_valid_queues | simp add: valid_tcb_state_def)+ - apply (rule_tac Q="\rv. invs' and tcb_at' a" in hoare_strengthen_post) + apply (rule_tac Q'="\rv. invs' and tcb_at' a" in hoare_strengthen_post) apply wp apply (fastforce simp: invs'_def valid_state'_def sch_act_wf_weak valid_tcb_state'_def) apply (rule setNotification_corres) @@ -2711,7 +2711,7 @@ lemma sendSignal_corres: apply (rule corres_split[OF asUser_setRegister_corres]) apply (rule possibleSwitchTo_corres) apply ((wp | simp)+)[1] - apply (rule_tac Q="\_. (\s. sch_act_wf (ksSchedulerAction s) s) and + apply (rule_tac Q'="\_. (\s. sch_act_wf (ksSchedulerAction s) s) and cur_tcb' and st_tcb_at' runnable' (hd list) and valid_objs' and sym_heap_sched_pointers and valid_sched_pointers and @@ -2912,7 +2912,7 @@ lemma cancelIPC_nonz_cap_to'[wp]: | wpc | simp | clarsimp elim!: cte_wp_at_weakenE' - | rule hoare_post_imp[where Q="\rv. ex_nonz_cap_to' p"])+ + | rule hoare_post_imp[where Q'="\rv. ex_nonz_cap_to' p"])+ done 
@@ -2992,7 +2992,7 @@ proof - apply (wpc) apply (wp | simp)+ apply (wpc, wp+) - apply (rule_tac Q="\_. ?PRE t'" in hoare_post_imp, clarsimp) + apply (rule_tac Q'="\_. ?PRE t'" in hoare_post_imp, clarsimp) apply (wp) apply simp done @@ -3004,7 +3004,7 @@ proof - apply (wp) apply (wp hoare_convert_imp)[1] apply (wp) - apply (rule_tac Q="\_. ?PRE t'" in hoare_post_imp, clarsimp) + apply (rule_tac Q'="\_. ?PRE t'" in hoare_post_imp, clarsimp) apply (wp hoare_convert_imp | simp)+ done show ?thesis @@ -3017,16 +3017,16 @@ proof - apply (wp)+ apply (wp hoare_convert_imp)[1] apply (wpc, wp+) - apply (rule_tac Q="\_. ?PRE t'" in hoare_post_imp, clarsimp) + apply (rule_tac Q'="\_. ?PRE t'" in hoare_post_imp, clarsimp) apply (wp cdo)+ - apply (rule_tac Q="\_. ?PRE t'" in hoare_post_imp, clarsimp) + apply (rule_tac Q'="\_. ?PRE t'" in hoare_post_imp, clarsimp) apply ((wp aipc hoare_convert_imp)+)[6] apply (wp) apply (wp hoare_convert_imp)[1] apply (wpc, wp+) - apply (rule_tac Q="\_. ?PRE t'" in hoare_post_imp, clarsimp) + apply (rule_tac Q'="\_. ?PRE t'" in hoare_post_imp, clarsimp) apply (wp) - apply (rule_tac Q="\_. ?PRE t'" in hoare_post_imp, clarsimp) + apply (rule_tac Q'="\_. ?PRE t'" in hoare_post_imp, clarsimp) apply (wp) apply simp done @@ -3284,7 +3284,7 @@ lemma receiveIPC_corres: valid_sched_action_def) apply (clarsimp split: if_split_asm) apply (clarsimp | wp do_ipc_transfer_tcb_caps)+ - apply (rule_tac Q="\_ s. sch_act_wf (ksSchedulerAction s) s + apply (rule_tac Q'="\_ s. sch_act_wf (ksSchedulerAction s) s \ sym_heap_sched_pointers s \ valid_sched_pointers s \ pspace_aligned' s \ pspace_distinct' s" in hoare_post_imp) 
@@ -3544,7 +3544,7 @@ lemma setupCallerCap_vp[wp]: apply (simp add: valid_pspace'_def setupCallerCap_def getThreadCallerSlot_def getThreadReplySlot_def locateSlot_conv getSlotCap_def) apply (wp getCTE_wp) - apply (rule_tac Q="\_. valid_pspace' and + apply (rule_tac Q'="\_. valid_pspace' and tcb_at' sender and tcb_at' rcvr" in hoare_post_imp) apply (clarsimp simp: valid_cap'_def o_def cte_wp_at_ctes_of isCap_simps @@ -3575,7 +3575,7 @@ lemma setupCallerCap_ifunsafe[wp]: apply (wp getSlotCap_cte_wp_at | simp add: unique_master_reply_cap' | strengthen eq_imp_strg | wp (once) hoare_drop_imp[where f="getCTE rs" for rs])+ - apply (rule_tac Q="\rv. valid_objs' and tcb_at' rcvr and ex_nonz_cap_to' rcvr" + apply (rule_tac Q'="\rv. valid_objs' and tcb_at' rcvr and ex_nonz_cap_to' rcvr" in hoare_post_imp) apply (clarsimp simp: ex_nonz_tcb_cte_caps' tcbCallerSlot_def objBits_def objBitsKO_def dom_def cte_level_bits_def) @@ -3732,7 +3732,7 @@ lemma completeSignal_invs: apply (rule bind_wp[OF _ get_ntfn_sp']) apply (rule hoare_pre) apply (wp set_ntfn_minor_invs' | wpc | simp)+ - apply (rule_tac Q="\_ s. (state_refs_of' s ntfnptr = ntfn_bound_refs' (ntfnBoundTCB ntfn)) + apply (rule_tac Q'="\_ s. (state_refs_of' s ntfnptr = ntfn_bound_refs' (ntfnBoundTCB ntfn)) \ ntfn_at' ntfnptr s \ valid_ntfn' (ntfnObj_update (\_. Structures_H.ntfn.IdleNtfn) ntfn) s \ ((\y. ntfnBoundTCB ntfn = Some y) \ ex_nonz_cap_to' ntfnptr s) @@ -3762,7 +3762,7 @@ lemma setupCallerCap_urz[wp]: getThreadCallerSlot_def getThreadReplySlot_def locateSlot_conv) apply (wp getCTE_wp') - apply (rule_tac Q="\_. untyped_ranges_zero' and valid_mdb' and valid_objs'" in hoare_post_imp) + apply (rule_tac Q'="\_. untyped_ranges_zero' and valid_mdb' and valid_objs'" in hoare_post_imp) apply (clarsimp simp: cte_wp_at_ctes_of cteCaps_of_def untyped_derived_eq_def isCap_simps) apply (wp sts_valid_pspace_hangers) 
@@ -3814,7 +3814,7 @@ lemma ri_invs' [wp]: apply (rule bind_wp [OF _ gbn_sp']) apply (rule bind_wp) (* set up precondition for old proof *) - apply (rule_tac R="ko_at' ep (capEPPtr cap) and ?pre" in hoare_vcg_if_split) + apply (rule_tac P''="ko_at' ep (capEPPtr cap) and ?pre" in hoare_vcg_if_split) apply (wp completeSignal_invs) apply (case_tac ep) \ \endpoint = RecvEP\ @@ -4088,9 +4088,9 @@ lemma si_invs'[wp]: hoare_convert_imp [OF setEndpoint_nosch setEndpoint_ct'] hoare_drop_imp [where f="threadGet tcbFault t"] | rule_tac f="getThreadState a" in hoare_drop_imp - | wp (once) hoare_drop_imp[where R="\_ _. call"] - hoare_drop_imp[where R="\_ _. \ call"] - hoare_drop_imp[where R="\_ _. cg"] + | wp (once) hoare_drop_imp[where Q'="\_ _. call"] + hoare_drop_imp[where Q'="\_ _. \ call"] + hoare_drop_imp[where Q'="\_ _. cg"] | simp add: valid_tcb_state'_def case_bool_If case_option_If cong: if_cong diff --git a/proof/refine/RISCV64/Refine.thy b/proof/refine/RISCV64/Refine.thy index 1e0f664dd3..2714ae0496 100644 --- a/proof/refine/RISCV64/Refine.thy +++ b/proof/refine/RISCV64/Refine.thy @@ -220,12 +220,12 @@ lemma set_thread_state_sched_act: apply (simp add: set_thread_state_ext_def) apply wp apply (rule hoare_pre_cont) - apply (rule_tac Q="\rv. (\s. runnable ts) and (\s. P (scheduler_action s))" + apply (rule_tac Q'="\rv. (\s. runnable ts) and (\s. P (scheduler_action s))" in hoare_strengthen_post) apply wp apply force apply (wp gts_st_tcb_at)+ - apply (rule_tac Q="\rv. st_tcb_at ((=) state) thread and (\s. runnable state) and (\s. P (scheduler_action s))" in hoare_strengthen_post) + apply (rule_tac Q'="\rv. st_tcb_at ((=) state) thread and (\s. runnable state) and (\s. P (scheduler_action s))" in hoare_strengthen_post) apply (simp add: st_tcb_at_def) apply (wp obj_set_prop_at)+ apply (force simp: st_tcb_at_def obj_at_def) 
@@ -264,7 +264,7 @@ lemma kernel_entry_invs: \\rv. einvs and (\s. ct_running s \ ct_idle s) and (\s. 0 < domain_time s) and valid_domain_list and (\s. scheduler_action s = resume_cur_thread)\" - apply (rule_tac Q="\rv. invs and (\s. ct_running s \ ct_idle s) and valid_sched and + apply (rule_tac Q'="\rv. invs and (\s. ct_running s \ ct_idle s) and valid_sched and (\s. 0 < domain_time s) and valid_domain_list and valid_list and (\s. scheduler_action s = resume_cur_thread)" in hoare_post_imp) @@ -310,7 +310,7 @@ lemma do_user_op_invs2: do_user_op f tc \\_. (einvs and ct_running and (\s. scheduler_action s = resume_cur_thread)) and (\s. 0 < domain_time s) and valid_domain_list \" - apply (rule_tac Q="\_. valid_list and valid_sched and + apply (rule_tac Q'="\_. valid_list and valid_sched and (\s. scheduler_action s = resume_cur_thread) and (invs and ct_running) and (\s. 0 < domain_time s) and valid_domain_list" in hoare_strengthen_post) 
@@ -565,22 +565,22 @@ lemma kernel_corres': apply simp apply (wpsimp wp: hoare_drop_imps hoare_vcg_all_lift simp: schact_is_rct_def)[1] apply simp - apply (rule_tac Q="\irq s. invs' s \ + apply (rule_tac Q'="\irq s. invs' s \ (\irq'. irq = Some irq' \ intStateIRQTable (ksInterruptState s ) irq' \ IRQInactive)" in hoare_post_imp) apply simp apply (wp doMachineOp_getActiveIRQ_IRQ_active handle_event_valid_sched | simp)+ - apply (rule_tac Q="\_. \" and E="\_. invs'" in hoare_strengthen_postE) + apply (rule_tac Q'="\_. \" and E'="\_. invs'" in hoare_strengthen_postE) apply wpsimp+ apply (simp add: invs'_def valid_state'_def) apply (rule corres_split[OF schedule_corres]) apply (rule activateThread_corres) apply (wp handle_interrupt_valid_sched[unfolded non_kernel_IRQs_def, simplified] schedule_invs' hoare_vcg_if_lift2 hoare_drop_imps |simp)+ - apply (rule_tac Q="\_. valid_sched and invs and valid_list" and - E="\_. valid_sched and invs and valid_list" + apply (rule_tac Q'="\_. valid_sched and invs and valid_list" and + E'="\_. valid_sched and invs and valid_list" in hoare_strengthen_postE) apply (wp handle_event_valid_sched hoare_vcg_imp_lift' |simp)+ apply (clarsimp simp: active_from_running schact_is_rct_def) diff --git a/proof/refine/RISCV64/Retype_R.thy b/proof/refine/RISCV64/Retype_R.thy index 63da0e957c..1efd013312 100644 --- a/proof/refine/RISCV64/Retype_R.thy +++ b/proof/refine/RISCV64/Retype_R.thy @@ -4145,7 +4145,7 @@ lemma createNewCaps_cur: cur_tcb' s\ createNewCaps ty ptr n us d \\rv. cur_tcb'\" - apply (rule hoare_post_imp [where Q="\rv s. \t. ksCurThread s = t \ tcb_at' t s"]) + apply (rule hoare_post_imp[where Q'="\rv s. \t. ksCurThread s = t \ tcb_at' t s"]) apply (simp add: cur_tcb'_def) apply (wp hoare_vcg_ex_lift createNewCaps_obj_at') apply (clarsimp simp: pspace_no_overlap'_def cur_tcb'_def valid_pspace'_def) 
@@ -4223,19 +4223,16 @@ lemma createNewCaps_idle'[wp]: split del: if_split) apply (cases ty, simp_all add: Arch_createNewCaps_def split del: if_split) - apply (rename_tac apiobject_type) - apply (case_tac apiobject_type, simp_all split del: if_split)[1] - apply (wp, simp) - including classic_wp_pre - apply (wp mapM_x_wp' - createObjects_idle' - threadSet_idle' - | simp add: projectKO_opt_tcb projectKO_opt_cte - makeObject_cte makeObject_tcb archObjSize_def - tcb_cte_cases_def objBitsKO_def APIType_capBits_def - objBits_def createObjects_def bit_simps cteSizeBits_def - | intro conjI impI - | fastforce simp: curDomain_def)+ + apply (rename_tac apiobject_type) + apply (case_tac apiobject_type, simp_all split del: if_split)[1] + apply wpsimp + apply (wpsimp wp: mapM_x_wp' createObjects_idle' threadSet_idle' + | simp add: projectKO_opt_tcb projectKO_opt_cte + makeObject_cte makeObject_tcb archObjSize_def + tcb_cte_cases_def objBitsKO_def APIType_capBits_def + objBits_def createObjects_def bit_simps cteSizeBits_def + | intro conjI impI + | clarsimp simp: curDomain_def)+ done crunch createNewCaps @@ -4253,7 +4250,7 @@ lemma createNewCaps_global_refs': createNewCaps ty ptr n us d \\rv. valid_global_refs'\" apply (simp add: valid_global_refs'_def valid_cap_sizes'_def valid_refs'_def) - apply (rule_tac Q="\rv s. \ptr. \ cte_wp_at' (\cte. (kernel_data_refs \ capRange (cteCap cte) \ {} + apply (rule_tac Q'="\rv s. \ptr. \ cte_wp_at' (\cte. (kernel_data_refs \ capRange (cteCap cte) \ {} \ 2 ^ capBits (cteCap cte) > gsMaxObjectSize s)) ptr s \ global_refs' s \ kernel_data_refs" in hoare_post_imp) apply (auto simp: cte_wp_at_ctes_of linorder_not_less elim!: ranE)[1] 
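Review bot: In createNewCaps_idle' the rewritten loop keeps a `| simp add: projectKO_opt_tcb projectKO_opt_cte ...` alternative next to `wpsimp`, which already takes the same set through its `simp:` argument (as `wpsimp simp:` is used elsewhere in this diff), so the two alternatives appear to overlap and the simpset is spelled out in a separate clause. Folding it in as `apply (wpsimp wp: mapM_x_wp' createObjects_idle' threadSet_idle' simp: projectKO_opt_tcb projectKO_opt_cte ...` and keeping only the `| intro conjI impI` and `| clarsimp simp: curDomain_def` alternatives would make the intent clearer. Replacing the final `fastforce` with `clarsimp` also changes which residual goals the `+` loop consumes, which the diff cannot show; that is only confirmed by re-running the theory. The hunk additionally re-indents the unchanged `rename_tac` and `case_tac` lines together with the tactic change, so the diff does not separate whitespace from substance. The lemma statement itself begins outside the hunk.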
@@ -4846,7 +4843,7 @@ proof (rule hoare_gen_asm, elim conjE) "\ct_not_inQ and valid_pspace' and pspace_no_overlap' ptr sz\ createNewCaps ty ptr n us dev \\_. ct_not_inQ\" unfolding ct_not_inQ_def - apply (rule_tac Q="\s. ksSchedulerAction s = ResumeCurrentThread + apply (rule_tac P'="\s. ksSchedulerAction s = ResumeCurrentThread \ (obj_at' (Not \ tcbQueued) (ksCurThread s) s \ valid_pspace' s \ pspace_no_overlap' ptr sz s)" in hoare_pre_imp, clarsimp) @@ -4984,7 +4981,7 @@ lemma createObjects_no_cte_valid_global: createObjects ptr n val gbits \\rv s. valid_global_refs' s\" apply (simp add: valid_global_refs'_def valid_cap_sizes'_def valid_refs'_def) - apply (rule_tac Q="\rv s. \ptr. \ cte_wp_at' (\cte. (kernel_data_refs \ capRange (cteCap cte) \ {} + apply (rule_tac Q'="\rv s. \ptr. \ cte_wp_at' (\cte. (kernel_data_refs \ capRange (cteCap cte) \ {} \ 2 ^ capBits (cteCap cte) > gsMaxObjectSize s)) ptr s \ global_refs' s \ kernel_data_refs" in hoare_post_imp) apply (auto simp: cte_wp_at_ctes_of linorder_not_less elim!: ranE)[1] @@ -5093,7 +5090,7 @@ lemma createObjects_cur': cur_tcb' s\ createObjects ptr n val gbits \\rv s. cur_tcb' s\" - apply (rule hoare_post_imp [where Q="\rv s. \t. ksCurThread s = t \ tcb_at' t s"]) + apply (rule hoare_post_imp[where Q'="\rv s. \t. ksCurThread s = t \ tcb_at' t s"]) apply (simp add: cur_tcb'_def) apply (wp hoare_vcg_ex_lift createObjects_orig_obj_at3) apply (clarsimp simp: cur_tcb'_def) @@ -5180,7 +5177,7 @@ proof - createObjects ptr n val gbits \\_. ct_not_inQ\" (is "\ _; _ \ \ \\s. ct_not_inQ s \ ?REST s\ _ \_\") apply (simp add: ct_not_inQ_def) - apply (rule_tac Q="\s. (ksSchedulerAction s = ResumeCurrentThread) \ + apply (rule_tac P'="\s. (ksSchedulerAction s = ResumeCurrentThread) \ (obj_at' (Not \ tcbQueued) (ksCurThread s) s \ ?REST s)" in hoare_pre_imp, clarsimp) apply (rule hoare_convert_imp [OF createObjects_nosch]) 
diff --git a/proof/refine/RISCV64/Schedule_R.thy b/proof/refine/RISCV64/Schedule_R.thy index 8b981774fc..822ea514a9 100644 --- a/proof/refine/RISCV64/Schedule_R.thy +++ b/proof/refine/RISCV64/Schedule_R.thy @@ -647,7 +647,7 @@ lemma tcbSchedDequeue_valid_mdb'[wp]: "\valid_mdb' and valid_objs'\ tcbSchedDequeue tcbPtr \\_. valid_mdb'\" unfolding tcbSchedDequeue_def apply (wpsimp simp: bitmap_fun_defs setQueue_def wp: threadSet_mdb' tcbQueueRemove_valid_mdb') - apply (rule_tac Q="\_. tcb_at' tcbPtr" in hoare_post_imp) + apply (rule_tac Q'="\_. tcb_at' tcbPtr" in hoare_post_imp) apply (fastforce simp: tcb_cte_cases_def cteSizeBits_def) apply (wpsimp wp: threadGet_wp)+ apply (fastforce simp: obj_at'_def) @@ -930,7 +930,7 @@ lemma tcbSchedDequeue_not_tcbQueued: "\\\ tcbSchedDequeue t \\_. obj_at' (\x. \ tcbQueued x) t\" apply (simp add: tcbSchedDequeue_def) apply (wp|clarsimp)+ - apply (rule_tac Q="\queued. obj_at' (\x. tcbQueued x = queued) t" in hoare_post_imp) + apply (rule_tac Q'="\queued. obj_at' (\x. tcbQueued x = queued) t" in hoare_post_imp) apply (clarsimp simp: obj_at'_def) apply (wpsimp wp: threadGet_wp)+ apply (clarsimp simp: obj_at'_def) @@ -1961,13 +1961,13 @@ lemma schedule_corres: apply (clarsimp simp: conj_ac cong: conj_cong) apply wp - apply (rule_tac Q="\_ s. valid_blocked_except t s \ scheduler_action s = switch_thread t" + apply (rule_tac Q'="\_ s. valid_blocked_except t s \ scheduler_action s = switch_thread t" in hoare_post_imp, fastforce) apply (wp add: tcb_sched_action_enqueue_valid_blocked_except tcbSchedEnqueue_invs'_not_ResumeCurrentThread thread_get_wp del: gets_wp | strengthen valid_objs'_valid_tcbs')+ - apply (clarsimp simp: conj_ac if_apply_def2 cong: imp_cong conj_cong del: hoare_gets) + apply (clarsimp simp: conj_ac if_apply_def2 cong: imp_cong conj_cong) apply (wp gets_wp)+ (* abstract final subgoal *) 
@@ -2232,7 +2232,7 @@ lemma schedule_invs': apply (wpsimp wp: scheduleChooseNewThread_invs' ssa_invs' chooseThread_invs_no_cicd' setSchedulerAction_invs' setSchedulerAction_direct switchToThread_tcb_in_cur_domain' switchToThread_ct_not_queued_2 - | wp hoare_disjI2[where R="\_ s. tcb_in_cur_domain' (ksCurThread s) s"] + | wp hoare_disjI2[where Q'="\_ s. tcb_in_cur_domain' (ksCurThread s) s"] | wp hoare_drop_imp[where f="isHighestPrio d p" for d p] | simp only: obj_at'_activatable_st_tcb_at'[simplified comp_def] | strengthen invs'_invs_no_cicd diff --git a/proof/refine/RISCV64/SubMonad_R.thy b/proof/refine/RISCV64/SubMonad_R.thy index 70af5a5e61..37e1d7825a 100644 --- a/proof/refine/RISCV64/SubMonad_R.thy +++ b/proof/refine/RISCV64/SubMonad_R.thy @@ -80,7 +80,7 @@ lemma threadSet_modify_asUser: apply (clarsimp simp: threadSet_def setObject_def split_def updateObject_default_def) apply wp - apply (rule_tac Q="\rv. obj_at' ((=) rv) t and ((=) st)" in hoare_post_imp) + apply (rule_tac Q'="\rv. obj_at' ((=) rv) t and ((=) st)" in hoare_post_imp) apply (clarsimp simp: asUser_replace_def Let_def obj_at'_def fun_upd_def split: option.split kernel_object.split) apply (wp getObject_obj_at' | clarsimp simp: objBits_simps' atcbContextSet_def)+ diff --git a/proof/refine/RISCV64/Syscall_R.thy b/proof/refine/RISCV64/Syscall_R.thy index 845a007692..4e48900a1f 100644 --- a/proof/refine/RISCV64/Syscall_R.thy +++ b/proof/refine/RISCV64/Syscall_R.thy @@ -339,7 +339,7 @@ lemma threadSet_tcbDomain_update_sch_act_wf[wp]: apply (wps setObject_sa_unchanged) apply (wp hoare_weak_lift_imp getObject_tcb_wp hoare_vcg_all_lift)+ apply (rename_tac word) - apply (rule_tac Q="\_ s. ksSchedulerAction s = SwitchToThread word \ + apply (rule_tac Q'="\_ s. ksSchedulerAction s = SwitchToThread word \ st_tcb_at' runnable' word s \ tcb_in_cur_domain' word s \ word \ t" in hoare_strengthen_post) apply (wp hoare_vcg_all_lift hoare_vcg_conj_lift hoare_vcg_imp_lift)+ 
@@ -376,20 +376,20 @@ lemma setDomain_corres: apply ((wpsimp wp: hoare_vcg_imp_lift' ethread_set_not_queued_valid_queues hoare_vcg_all_lift | strengthen valid_objs'_valid_tcbs' valid_queues_in_correct_ready_q valid_queues_ready_qs_distinct)+)[1] - apply (rule_tac Q="\_. valid_objs' and sym_heap_sched_pointers and valid_sched_pointers + apply (rule_tac Q'="\_. valid_objs' and sym_heap_sched_pointers and valid_sched_pointers and pspace_aligned' and pspace_distinct' and (\s. sch_act_wf (ksSchedulerAction s) s) and tcb_at' tptr" in hoare_strengthen_post[rotated]) apply (fastforce simp: invs'_def valid_state'_def sch_act_wf_weak st_tcb_at'_def o_def) apply (wpsimp wp: threadSet_valid_objs' threadSet_sched_pointers threadSet_valid_sched_pointers)+ - apply (rule_tac Q="\_ s. valid_queues s \ not_queued tptr s + apply (rule_tac Q'="\_ s. valid_queues s \ not_queued tptr s \ pspace_aligned s \ pspace_distinct s \ valid_etcbs s \ weak_valid_sched_action s" in hoare_post_imp) apply (fastforce simp: pred_tcb_at_def obj_at_def) apply (wpsimp wp: tcb_dequeue_not_queued) - apply (rule_tac Q = "\_ s. invs' s \ obj_at' (Not \ tcbQueued) tptr s \ sch_act_simple s + apply (rule_tac Q'="\_ s. invs' s \ obj_at' (Not \ tcbQueued) tptr s \ sch_act_simple s \ tcb_at' tptr s" in hoare_strengthen_post[rotated]) apply (clarsimp simp: invs'_def valid_state'_def valid_pspace'_def sch_act_simple_def) @@ -793,7 +793,7 @@ lemma doReply_invs[wp]: apply simp apply (wp (once) sts_st_tcb') apply wp - apply (rule_tac Q="\_ s. invs' s \ t \ ksIdleThread s \ st_tcb_at' awaiting_reply' t s" + apply (rule_tac Q'="\_ s. invs' s \ t \ ksIdleThread s \ st_tcb_at' awaiting_reply' t s" in hoare_post_imp) apply clarsimp apply (rule conjI, erule pred_tcb'_weakenE, case_tac st, clarsimp+) 
@@ -806,7 +806,7 @@ lemma doReply_invs[wp]: apply (case_tac st, clarsimp+) apply (wp cteDeleteOne_reply_pred_tcb_at)+ apply clarsimp - apply (rule_tac Q="\_. (\s. t \ ksIdleThread s) + apply (rule_tac Q'="\_. (\s. t \ ksIdleThread s) and cte_wp_at' (\cte. \grant. cteCap cte = capability.ReplyCap t False grant) slot" in hoare_strengthen_post [rotated]) @@ -818,7 +818,7 @@ lemma doReply_invs[wp]: apply (erule cte_wp_at_weakenE') apply (fastforce) apply (wp sts_invs_minor'' sts_st_tcb' hoare_weak_lift_imp) - apply (rule_tac Q="\_ s. invs' s \ sch_act_simple s + apply (rule_tac Q'="\_ s. invs' s \ sch_act_simple s \ st_tcb_at' awaiting_reply' t s \ t \ ksIdleThread s" in hoare_post_imp) @@ -833,7 +833,7 @@ lemma doReply_invs[wp]: apply (case_tac st, clarsimp+) apply (wp threadSet_invs_trivial threadSet_st_tcb_at2 hoare_weak_lift_imp | clarsimp simp add: inQ_def)+ - apply (rule_tac Q="\_. invs' and tcb_at' t + apply (rule_tac Q'="\_. invs' and tcb_at' t and sch_act_simple and st_tcb_at' awaiting_reply' t" in hoare_strengthen_post [rotated]) apply clarsimp @@ -946,7 +946,7 @@ lemma setDomain_invs': apply (simp add:setDomain_def ) apply (wp add: when_wp hoare_weak_lift_imp hoare_weak_lift_imp_conj rescheduleRequired_all_invs_but_extra tcbSchedEnqueue_valid_action hoare_vcg_if_lift2) - apply (rule_tac Q = "\r s. all_invs_but_sch_extra s \ curThread = ksCurThread s + apply (rule_tac Q'="\r s. all_invs_but_sch_extra s \ curThread = ksCurThread s \ (ptr \ curThread \ ct_not_inQ s \ sch_act_wf (ksSchedulerAction s) s \ ct_idle_or_in_cur_domain' s)" in hoare_strengthen_post[rotated]) apply (clarsimp simp:invs'_def valid_state'_def st_tcb_at'_def[symmetric] valid_pspace'_def) 
@@ -958,7 +958,7 @@ lemma setDomain_invs': apply assumption apply (wp hoare_weak_lift_imp threadSet_pred_tcb_no_state threadSet_not_curthread_ct_domain threadSet_tcbDomain_update_ct_not_inQ | simp)+ - apply (rule_tac Q = "\r s. invs' s \ curThread = ksCurThread s \ sch_act_simple s + apply (rule_tac Q'="\r s. invs' s \ curThread = ksCurThread s \ sch_act_simple s \ domain \ maxDomain \ (ptr \ curThread \ ct_not_inQ s \ sch_act_not ptr s)" in hoare_strengthen_post[rotated]) @@ -1190,7 +1190,7 @@ lemma handleInvocation_corres: apply (wp reply_from_kernel_tcb_at) apply (rule impI, wp+) apply (wpsimp wp: hoare_drop_imps|strengthen invs_distinct invs_psp_aligned)+ - apply (rule_tac Q="\rv. einvs and schact_is_rct and valid_invocation rve + apply (rule_tac Q'="\rv. einvs and schact_is_rct and valid_invocation rve and (\s. thread = cur_thread s) and st_tcb_at active thread" in hoare_post_imp) @@ -1198,7 +1198,7 @@ lemma handleInvocation_corres: elim!: st_tcb_weakenE) apply (wp sts_st_tcb_at' set_thread_state_schact_is_rct set_thread_state_active_valid_sched) - apply (rule_tac Q="\rv. invs' and valid_invocation' rve' + apply (rule_tac Q'="\rv. invs' and valid_invocation' rve' and (\s. thread = ksCurThread s) and st_tcb_at' active' thread and (\s. ksSchedulerAction s = ResumeCurrentThread)" @@ -1210,7 +1210,7 @@ lemma handleInvocation_corres: apply (wp lec_caps_to lsft_ex_cte_cap_to | simp add: split_def liftE_bindE[symmetric] ct_in_state'_def ball_conj_distrib - | rule hoare_vcg_E_elim)+ + | rule hoare_vcg_conj_elimE)+ apply (clarsimp simp: tcb_at_invs invs_valid_objs valid_tcb_state_def ct_in_state_def simple_from_active invs_mdb 
@@ -1279,7 +1279,7 @@ lemma hinv_invs'[wp]: apply (clarsimp simp: valid_idle'_def valid_state'_def invs'_def pred_tcb_at'_def obj_at'_def idle_tcb'_def) apply wp+ - apply (rule_tac Q="\rv'. invs' and valid_invocation' rv + apply (rule_tac Q'="\rv'. invs' and valid_invocation' rv and (\s. ksSchedulerAction s = ResumeCurrentThread) and (\s. ksCurThread s = thread) and st_tcb_at' active' thread" @@ -1481,7 +1481,7 @@ lemma handleRecv_isBlocking_corres': apply (rule handleFault_corres) apply simp apply (wp get_simple_ko_wp | wpcw | simp)+ - apply (rule hoare_vcg_E_elim) + apply (rule hoare_vcg_conj_elimE) apply (simp add: lookup_cap_def lookup_slot_for_thread_def) apply wp apply (simp add: split_def) @@ -1529,14 +1529,14 @@ lemma hw_invs'[wp]: deleteCallerCap_ct'] | wpc | simp add: ct_in_state'_def whenE_def split del: if_split)+ apply (rule validE_validE_R) - apply (rule_tac Q="\rv s. invs' s + apply (rule_tac Q'="\rv s. invs' s \ sch_act_sane s \ thread = ksCurThread s \ ct_in_state' simple' s \ ex_nonz_cap_to' thread s \ thread \ ksIdleThread s \ (\x \ zobj_refs' rv. ex_nonz_cap_to' x s)" - and E="\_ _. True" + and E'="\_ _. True" in hoare_strengthen_postE[rotated]) apply (clarsimp simp: isCap_simps ct_in_state'_def pred_tcb_at' invs_valid_objs' sch_act_sane_not obj_at'_def pred_tcb_at'_def) @@ -1585,7 +1585,7 @@ lemma hy_invs': "\invs' and ct_active'\ handleYield \\r. invs' and ct_active'\" apply (simp add: handleYield_def) apply (wpsimp wp: ct_in_state_thread_state_lift' rescheduleRequired_all_invs_but_ct_not_inQ) - apply (rule_tac Q="\_. all_invs_but_ct_not_inQ' and ct_active'" in hoare_post_imp) + apply (rule_tac Q'="\_. all_invs_but_ct_not_inQ' and ct_active'" in hoare_post_imp) apply clarsimp apply (subst pred_conj_def) apply (rule hoare_vcg_conj_lift) 
@@ -1803,7 +1803,7 @@ lemma handleReply_nonz_cap_to_ct: "\ct_active' and invs' and sch_act_simple\ handleReply \\rv s. ex_nonz_cap_to' (ksCurThread s) s\" - apply (rule_tac Q="\rv. ct_active' and invs'" + apply (rule_tac Q'="\rv. ct_active' and invs'" in hoare_post_imp) apply (auto simp: ct_in_state'_def elim: st_tcb_ex_cap'')[1] apply (wp | simp)+ @@ -1917,7 +1917,7 @@ proof - apply (rule handleVMFault_corres) apply (erule handleFault_corres) apply (rule hoare_elim_pred_conjE2) - apply (rule hoare_vcg_E_conj, rule valid_validE_E, wp) + apply (rule hoare_vcg_conj_liftE_E, rule valid_validE_E, wp) apply (wp handle_vm_fault_valid_fault) apply (rule hv_inv_ex') apply wp diff --git a/proof/refine/RISCV64/TcbAcc_R.thy b/proof/refine/RISCV64/TcbAcc_R.thy index 4de414248a..597a272ce9 100644 --- a/proof/refine/RISCV64/TcbAcc_R.thy +++ b/proof/refine/RISCV64/TcbAcc_R.thy @@ -1075,7 +1075,7 @@ lemma threadSet_obj_at'_really_strongest: apply (simp add: threadSet_def) apply (wp setObject_tcb_strongest) apply (subst simp_thms(32)[symmetric], rule hoare_vcg_disj_lift) - apply (rule hoare_post_imp [where Q="\rv s. \ tcb_at' t s \ tcb_at' t s"]) + apply (rule hoare_post_imp[where Q'="\rv s. \ tcb_at' t s \ tcb_at' t s"]) apply simp apply (subst simp_thms(21)[symmetric], rule hoare_vcg_conj_lift) apply (rule getObject_inv_tcb) @@ -1161,7 +1161,7 @@ proof - show ?thesis apply (rule_tac P=P in P_bool_lift) apply (rule pos) - apply (rule_tac Q="\_ s. \ tcb_at' t' s \ pred_tcb_at' proj (\tcb. \ P' tcb) t' s" + apply (rule_tac Q'="\_ s. \ tcb_at' t' s \ pred_tcb_at' proj (\tcb. \ P' tcb) t' s" in hoare_post_imp) apply (erule disjE) apply (clarsimp dest!: pred_tcb_at') 
@@ -3311,7 +3311,7 @@ lemma sts_valid_objs': setThreadState st t \\_. valid_objs'\" apply (wpsimp simp: setThreadState_def wp: threadSet_valid_objs') - apply (rule_tac Q="\_. valid_objs' and pspace_aligned' and pspace_distinct'" in hoare_post_imp) + apply (rule_tac Q'="\_. valid_objs' and pspace_aligned' and pspace_distinct'" in hoare_post_imp) apply fastforce apply (wpsimp wp: threadSet_valid_objs') apply (simp add: valid_tcb'_def tcb_cte_cases_def cteSizeBits_def) @@ -3578,7 +3578,7 @@ lemma sts_sch_act': apply assumption apply (case_tac "runnable' st") apply ((wp threadSet_runnable_sch_act hoare_drop_imps | simp)+)[1] - apply (rule_tac Q="\rv s. st_tcb_at' (Not \ runnable') t s \ + apply (rule_tac Q'="\rv s. st_tcb_at' (Not \ runnable') t s \ (ksCurThread s \ t \ ksSchedulerAction s \ ResumeCurrentThread \ sch_act_wf (ksSchedulerAction s) s)" in hoare_post_imp) @@ -3598,10 +3598,10 @@ lemma sts_sch_act[wp]: prefer 2 apply assumption apply (case_tac "runnable' st") - apply (rule_tac Q="\s. sch_act_wf (ksSchedulerAction s) s" + apply (rule_tac P'="\s. sch_act_wf (ksSchedulerAction s) s" in hoare_pre_imp, simp) apply ((wp hoare_drop_imps threadSet_runnable_sch_act | simp)+)[1] - apply (rule_tac Q="\rv s. st_tcb_at' (Not \ runnable') t s \ + apply (rule_tac Q'="\rv s. st_tcb_at' (Not \ runnable') t s \ (ksCurThread s \ t \ ksSchedulerAction s \ ResumeCurrentThread \ sch_act_wf (ksSchedulerAction s) s)" in hoare_post_imp) @@ -3877,7 +3877,7 @@ lemma addToBitmap_valid_bitmapQ: addToBitmap d p \\_. valid_bitmapQ\" (is "\?pre\ _ \_\") - apply (rule_tac Q="\_ s. ?pre s \ bitmapQ d p s" in hoare_strengthen_post) + apply (rule_tac Q'="\_ s. ?pre s \ bitmapQ d p s" in hoare_strengthen_post) apply (wpsimp wp: addToBitmap_valid_bitmapQ_except addToBitmap_bitmapQ) apply (fastforce elim: valid_bitmap_valid_bitmapQ_exceptE) done 
@@ -4572,7 +4572,7 @@ lemma ct_in_state'_decomp: assumes x: "\\s. t = (ksCurThread s)\ f \\rv s. t = (ksCurThread s)\" assumes y: "\Pre\ f \\rv. st_tcb_at' Prop t\" shows "\\s. Pre s \ t = (ksCurThread s)\ f \\rv. ct_in_state' Prop\" - apply (rule hoare_post_imp [where Q="\rv s. t = ksCurThread s \ st_tcb_at' Prop t s"]) + apply (rule hoare_post_imp[where Q'="\rv s. t = ksCurThread s \ st_tcb_at' Prop t s"]) apply (clarsimp simp add: ct_in_state'_def) apply (rule hoare_weaken_pre) apply (wp x y) @@ -4643,7 +4643,7 @@ lemma setQueue_pred_tcb_at[wp]: unfolding pred_tcb_at'_def apply (rule_tac P=P' in P_bool_lift) apply (rule setQueue_obj_at) - apply (rule_tac Q="\_ s. \typ_at' TCBT t s \ obj_at' (Not \ (P \ proj \ tcb_to_itcb')) t s" + apply (rule_tac Q'="\_ s. \typ_at' TCBT t s \ obj_at' (Not \ (P \ proj \ tcb_to_itcb')) t s" in hoare_post_imp, simp add: not_obj_at' o_def) apply (wp hoare_vcg_disj_lift) apply (clarsimp simp: not_obj_at' o_def) @@ -4904,7 +4904,7 @@ lemma sts_iflive'[wp]: \\rv. if_live_then_nonz_cap'\" apply (simp add: setThreadState_def setQueue_def) apply wpsimp - apply (rule_tac Q="\rv. if_live_then_nonz_cap' and pspace_aligned' and pspace_distinct'" + apply (rule_tac Q'="\rv. if_live_then_nonz_cap' and pspace_aligned' and pspace_distinct'" in hoare_post_imp) apply clarsimp apply (wpsimp wp: threadSet_iflive') @@ -5048,7 +5048,7 @@ lemma tcbSchedEnqueue_ct_not_inQ: proof - have ts: "\?PRE\ threadSet (tcbQueued_update (\_. True)) t \\_. ct_not_inQ\" apply (simp add: ct_not_inQ_def) - apply (rule_tac Q="\s. ksSchedulerAction s = ResumeCurrentThread + apply (rule_tac P'="\s. ksSchedulerAction s = ResumeCurrentThread \ obj_at' (Not \ tcbQueued) (ksCurThread s) s \ ksCurThread s \ t" in hoare_pre_imp, clarsimp) apply (rule hoare_convert_imp [OF threadSet_nosch]) 
@@ -5075,7 +5075,7 @@ lemma tcbSchedAppend_ct_not_inQ: proof - have ts: "\?PRE\ threadSet (tcbQueued_update (\_. True)) t \\_. ct_not_inQ\" apply (simp add: ct_not_inQ_def) - apply (rule_tac Q="\s. ksSchedulerAction s = ResumeCurrentThread + apply (rule_tac P'="\s. ksSchedulerAction s = ResumeCurrentThread \ obj_at' (Not \ tcbQueued) (ksCurThread s) s \ ksCurThread s \ t" in hoare_pre_imp, clarsimp) apply (rule hoare_convert_imp [OF threadSet_nosch]) @@ -5102,7 +5102,7 @@ lemma setSchedulerAction_direct: lemma rescheduleRequired_ct_not_inQ: "\\\ rescheduleRequired \\_. ct_not_inQ\" apply (simp add: rescheduleRequired_def ct_not_inQ_def) - apply (rule_tac Q="\_ s. ksSchedulerAction s = ChooseNewThread" + apply (rule_tac Q'="\_ s. ksSchedulerAction s = ChooseNewThread" in hoare_post_imp, clarsimp) apply (wp setSchedulerAction_direct) done @@ -5173,7 +5173,7 @@ lemma setThreadState_ct_not_inQ: including no_pre apply (simp add: setThreadState_def) apply (wp rescheduleRequired_ct_not_inQ) - apply (rule_tac Q="\_. ?PRE" in hoare_post_imp, clarsimp) + apply (rule_tac Q'="\_. ?PRE" in hoare_post_imp, clarsimp) apply (wp) done @@ -5330,7 +5330,7 @@ lemma removeFromBitmap_valid_bitmapQ[wp]: removeFromBitmap d p \\_. valid_bitmapQ\" (is "\?pre\ _ \_\") - apply (rule_tac Q="\_ s. ?pre s \ \ bitmapQ d p s" in hoare_strengthen_post) + apply (rule_tac Q'="\_ s. ?pre s \ \ bitmapQ d p s" in hoare_strengthen_post) apply (wpsimp wp: removeFromBitmap_valid_bitmapQ_except removeFromBitmap_bitmapQ) apply (fastforce elim: valid_bitmap_valid_bitmapQ_exceptE) done diff --git a/proof/refine/RISCV64/Tcb_R.thy b/proof/refine/RISCV64/Tcb_R.thy index cb9fb41ed6..55b7a543fa 100644 --- a/proof/refine/RISCV64/Tcb_R.thy +++ b/proof/refine/RISCV64/Tcb_R.thy 
@@ -81,7 +81,7 @@ abbreviation lemma gts_st_tcb': "\tcb_at' t\ getThreadState t \\rv. st_tcb_at' (\st. st = rv) t\" apply (rule hoare_weaken_pre) - apply (rule hoare_post_imp[where Q="\rv s. \rv'. rv = rv' \ st_tcb_at' (\st. st = rv') t s"]) + apply (rule hoare_post_imp[where Q'="\rv s. \rv'. rv = rv' \ st_tcb_at' (\st. st = rv') t s"]) apply simp apply (wp hoare_vcg_ex_lift) apply (clarsimp simp add: pred_tcb_at'_def obj_at'_def) @@ -106,15 +106,15 @@ lemma activate_invs': apply (case_tac rv; simp add: isTS_defs split del: if_split cong: if_cong) apply (wp) apply (clarsimp simp: ct_in_state'_def) - apply (rule_tac Q="\rv. invs' and ct_idle'" in hoare_post_imp, simp) + apply (rule_tac Q'="\rv. invs' and ct_idle'" in hoare_post_imp, simp) apply (wp activateIdle_invs) apply (clarsimp simp: ct_in_state'_def) - apply (rule_tac Q="\rv. invs' and ct_running' and sch_act_simple" + apply (rule_tac Q'="\rv. invs' and ct_running' and sch_act_simple" in hoare_post_imp, simp) apply (rule hoare_weaken_pre) apply (wp ct_in_state'_set asUser_ct sts_invs_minor' | wp (once) sch_act_simple_lift)+ - apply (rule_tac Q="\_. st_tcb_at' runnable' thread + apply (rule_tac Q'="\_. st_tcb_at' runnable' thread and sch_act_simple and invs' and (\s. thread = ksCurThread s)" in hoare_post_imp, clarsimp) @@ -184,7 +184,7 @@ lemma setupReplyMaster_weak_sch_act_wf[wp]: \\rv s. weak_sch_act_wf (ksSchedulerAction s) s\" apply (simp add: setupReplyMaster_def) apply (wp) - apply (rule_tac Q="\_ s. weak_sch_act_wf (ksSchedulerAction s) s" + apply (rule_tac Q'="\_ s. weak_sch_act_wf (ksSchedulerAction s) s" in hoare_post_imp, clarsimp) apply (wp)+ apply assumption 
@@ -210,11 +210,11 @@ lemma restart_corres: apply (wp set_thread_state_runnable_weak_valid_sched_action sts_st_tcb_at' sts_st_tcb' sts_valid_objs' | clarsimp simp: valid_tcb_state'_def | strengthen valid_objs'_valid_tcbs')+ - apply (rule_tac Q="\rv. valid_sched and cur_tcb and pspace_aligned and pspace_distinct" + apply (rule_tac Q'="\rv. valid_sched and cur_tcb and pspace_aligned and pspace_distinct" in hoare_strengthen_post) apply wp apply (fastforce simp: valid_sched_def valid_sched_action_def) - apply (rule_tac Q="\rv. invs' and ex_nonz_cap_to' t" in hoare_strengthen_post) + apply (rule_tac Q'="\rv. invs' and ex_nonz_cap_to' t" in hoare_strengthen_post) apply wp apply (clarsimp simp: invs'_def valid_state'_def sch_act_wf_weak valid_pspace'_def valid_tcb_state'_def) @@ -344,10 +344,10 @@ lemma invokeTCB_WriteRegisters_corres: valid_sched_valid_queues valid_objs'_valid_tcbs' invs_valid_objs' | clarsimp simp: invs_def valid_state_def valid_sched_def invs'_def valid_state'_def dest!: global'_no_ex_cap idle_no_ex_cap)+)[2] - apply (rule_tac Q="\_. einvs and tcb_at dest and ex_nonz_cap_to dest" in hoare_post_imp) + apply (rule_tac Q'="\_. einvs and tcb_at dest and ex_nonz_cap_to dest" in hoare_post_imp) apply (fastforce simp: invs_def valid_sched_weak_strg valid_sched_def valid_state_def dest!: idle_no_ex_cap) prefer 2 - apply (rule_tac Q="\_. invs' and tcb_at' dest and ex_nonz_cap_to' dest" in hoare_post_imp) + apply (rule_tac Q'="\_. invs' and tcb_at' dest and ex_nonz_cap_to' dest" in hoare_post_imp) apply (fastforce simp: sch_act_wf_weak invs'_def valid_state'_def dest!: global'_no_ex_cap) apply wpsimp+ done 
@@ -451,10 +451,10 @@ proof - apply (rule_tac P=\ and P'=\ in corres_inst) apply simp apply (solves \wp hoare_weak_lift_imp\)+ - apply (rule_tac Q="\_. einvs and tcb_at dest" in hoare_post_imp) + apply (rule_tac Q'="\_. einvs and tcb_at dest" in hoare_post_imp) apply (fastforce simp: invs_def valid_state_def valid_pspace_def valid_sched_weak_strg valid_sched_def) prefer 2 - apply (rule_tac Q="\_. invs' and tcb_at' dest" in hoare_post_imp) + apply (rule_tac Q'="\_. invs' and tcb_at' dest" in hoare_post_imp) apply (fastforce simp: invs'_def valid_state'_def invs_weak_sch_act_wf cur_tcb'_def) apply ((wp mapM_x_wp' hoare_weak_lift_imp | (simp add: cur_tcb'_def[symmetric])+)+)[8] apply ((wp hoare_weak_lift_imp restart_invs' | wpc | clarsimp simp: if_apply_def2)+)[2] @@ -523,7 +523,7 @@ lemma tcbSchedDequeue_not_queued: \\rv. obj_at' (Not \ tcbQueued) t\" apply (simp add: tcbSchedDequeue_def) apply (wp | simp)+ - apply (rule_tac Q="\rv. obj_at' (\obj. tcbQueued obj = rv) t" + apply (rule_tac Q'="\rv. obj_at' (\obj. tcbQueued obj = rv) t" in hoare_post_imp) apply (clarsimp simp: obj_at'_def) apply (wp tg_sp' [where P=\, simplified] | simp)+ @@ -1398,7 +1398,7 @@ proof - have B: "\t v. \invs' and tcb_at' t\ threadSet (tcbFaultHandler_update v) t \\rv. invs'\" by (wp threadSet_invs_trivial | clarsimp simp: inQ_def)+ note stuff = Z B out_invs_trivial hoare_case_option_wp - hoare_vcg_const_Ball_lift hoare_vcg_const_Ball_lift_R + hoare_vcg_const_Ball_lift hoare_vcg_const_Ball_liftE_R cap_delete_deletes cap_delete_valid_cap out_valid_objs cap_insert_objs cteDelete_deletes cteDelete_sch_act_simple @@ -1433,7 +1433,7 @@ proof - apply (rule corres_returnOkTT, simp) apply wp apply wp - apply (wpsimp wp: hoare_vcg_const_imp_lift_R hoare_vcg_const_imp_lift + apply (wpsimp wp: hoare_vcg_const_imp_liftE_R hoare_vcg_const_imp_lift hoare_vcg_all_liftE_R hoare_vcg_all_lift as_user_invs thread_set_ipc_tcb_cap_valid thread_set_tcb_ipc_buffer_cap_cleared_invs 
@@ -1454,7 +1454,7 @@ proof - threadSet_invs_tcbIPCBuffer_update threadSet_cte_wp_at' | strengthen simple_sched_action_sched_act_not)+ apply ((wpsimp wp: stuff hoare_vcg_all_liftE_R hoare_vcg_all_lift - hoare_vcg_const_imp_lift_R hoare_vcg_const_imp_lift + hoare_vcg_const_imp_liftE_R hoare_vcg_const_imp_lift threadSet_valid_objs' thread_set_not_state_valid_sched thread_set_tcb_ipc_buffer_cap_cleared_invs thread_set_cte_wp_at_trivial thread_set_no_cap_to_trivial getThreadBufferSlot_dom_tcb_cte_cases @@ -1489,7 +1489,7 @@ proof - in hoare_strengthen_postE_R[simplified validE_R_def, rotated]) apply (case_tac g'; clarsimp simp: isCap_simps ; clarsimp cong:imp_cong) apply (wp add: stuff hoare_vcg_all_liftE_R hoare_vcg_all_lift - hoare_vcg_const_imp_lift_R hoare_vcg_const_imp_lift setMCPriority_invs' + hoare_vcg_const_imp_liftE_R hoare_vcg_const_imp_lift setMCPriority_invs' threadSet_valid_objs' thread_set_not_state_valid_sched setP_invs' typ_at_lifts [OF setPriority_typ_at'] typ_at_lifts [OF setMCPriority_typ_at'] 
@@ -1567,15 +1567,15 @@ lemma tc_invs': apply (wpsimp wp: hoare_weak_lift_imp hoare_vcg_all_lift checkCap_inv[where P="tcb_at' t" for t] assertDerived_wp_weak threadSet_invs_trivial2 threadSet_tcb' hoare_vcg_all_lift threadSet_cte_wp_at')+ - apply (wpsimp wp: hoare_weak_lift_imp_R cteDelete_deletes - hoare_vcg_all_liftE_R hoare_vcg_conj_liftE1 hoare_vcg_const_imp_lift_R hoare_vcg_propE_R + apply (wpsimp wp: hoare_weak_lift_impE_R cteDelete_deletes + hoare_vcg_all_liftE_R hoare_vcg_conj_liftE1 hoare_vcg_const_imp_liftE_R hoare_vcg_propE_R cteDelete_invs' cteDelete_invs' cteDelete_typ_at'_lifts)+ apply (assumption | clarsimp cong: conj_cong imp_cong | (rule case_option_wp_None_returnOk) | wpsimp wp: hoare_weak_lift_imp hoare_vcg_all_lift checkCap_inv[where P="tcb_at' t" for t] assertDerived_wp_weak hoare_vcg_imp_lift' hoare_vcg_all_lift checkCap_inv[where P="tcb_at' t" for t] checkCap_inv[where P="valid_cap' c" for c] checkCap_inv[where P=sch_act_simple] - hoare_vcg_const_imp_lift_R assertDerived_wp_weak hoare_weak_lift_imp_R cteDelete_deletes - hoare_vcg_all_liftE_R hoare_vcg_conj_liftE1 hoare_vcg_const_imp_lift_R hoare_vcg_propE_R + hoare_vcg_const_imp_liftE_R assertDerived_wp_weak hoare_weak_lift_impE_R cteDelete_deletes + hoare_vcg_all_liftE_R hoare_vcg_conj_liftE1 hoare_vcg_const_imp_liftE_R hoare_vcg_propE_R cteDelete_invs' cteDelete_typ_at'_lifts cteDelete_sch_act_simple)+ apply (clarsimp simp: tcb_cte_cases_def cte_level_bits_def objBits_defs tcbIPCBufferSlot_def) by (auto dest!: isCapDs isReplyCapD isValidVTableRootD simp: isCap_simps) @@ -2649,7 +2649,7 @@ lemma inv_tcb_IRQInactive: apply (rule hoare_pre) apply (wpc | wp withoutPreemption_R cteDelete_IRQInactive checkCap_inv - hoare_vcg_const_imp_lift_R cteDelete_irq_states' + hoare_vcg_const_imp_liftE_R cteDelete_irq_states' hoare_vcg_const_imp_lift | simp add: split_def)+ done diff --git a/proof/refine/RISCV64/Untyped_R.thy b/proof/refine/RISCV64/Untyped_R.thy index 6d421bf111..2ba0827379 100644 
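Review bot: The `wp:` lists the rename rewrites in `tc_invs'` carry duplicate entries: `cteDelete_invs' cteDelete_invs'` on the first changed line, and in the second list `hoare_vcg_all_lift`, `checkCap_inv[where P="tcb_at' t" for t]`, `assertDerived_wp_weak` and the newly named `hoare_vcg_const_imp_liftE_R` each appear twice. Repeated rules in a `wp` list are harmless as far as I can tell, but since these lines are being rewritten anyway, dropping the repeats keeps the rule lists readable and makes later renames of this kind less error-prone. Separately, `hoare_vcg_conj_liftE1` survives next to the renamed `..._liftE_R`/`..._liftE_E` family; if it is part of the same family it may be worth folding into this sweep, otherwise ignore.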
--- a/proof/refine/RISCV64/Untyped_R.thy +++ b/proof/refine/RISCV64/Untyped_R.thy @@ -398,7 +398,7 @@ next apply (simp add: word_le_nat_alt) apply (simp add: unat_arith_simps) apply wpsimp+ - apply (rule hoare_strengthen_post [where Q = "\r. invs and valid_cap r and cte_at slot"]) + apply (rule hoare_strengthen_post[where Q'="\r. invs and valid_cap r and cte_at slot"]) apply wp+ apply (clarsimp simp: is_cap_simps bits_of_def cap_aligned_def valid_cap_def word_bits_def) @@ -406,7 +406,7 @@ next apply (strengthen refl exI[mk_strg I E] exI[where x=d])+ apply simp apply wp+ - apply (rule hoare_strengthen_post [where Q = "\r. invs' and cte_at' (cte_map slot)"]) + apply (rule hoare_strengthen_post[where Q'="\r. invs' and cte_at' (cte_map slot)"]) apply wp+ apply (clarsimp simp:invs_pspace_aligned' invs_pspace_distinct') apply (wp whenE_throwError_wp | wp (once) hoare_drop_imps)+ @@ -3171,7 +3171,7 @@ lemma createNewCaps_parent_helper: (\tup\set (zip (xs rv) rv). sameRegionAs (cteCap cte) (snd tup))) p\" - apply (rule hoare_post_imp [where Q="\rv s. \cte. cte_wp_at' ((=) cte) p s + apply (rule hoare_post_imp[where Q'="\rv s. \cte. cte_wp_at' ((=) cte) p s \ isUntypedCap (cteCap cte) \ (\tup\set (zip (xs rv) rv). sameRegionAs (cteCap cte) (snd tup))"]) @@ -4542,7 +4542,7 @@ lemma resetUntypedCap_invs_etc: | strengthen invs_pspace_aligned' invs_pspace_distinct' | simp add: ct_in_state'_def sch_act_simple_def - | rule hoare_vcg_conj_lift_R + | rule hoare_vcg_conj_liftE_R | wp (once) preemptionPoint_inv | wps | wp (once) ex_cte_cap_to'_pres)+ 
@@ -5222,7 +5222,7 @@ lemma insertNewCap_valid_irq_handlers: lemma insertNewCap_ct_idle_or_in_cur_domain'[wp]: "\ct_idle_or_in_cur_domain' and ct_active'\ insertNewCap parent slot cap \\_. ct_idle_or_in_cur_domain'\" apply (wp ct_idle_or_in_cur_domain'_lift_futz[where Q=\]) -apply (rule_tac Q="\_. obj_at' (\tcb. tcbState tcb \ Structures_H.thread_state.Inactive) t and obj_at' (\tcb. d = tcbDomain tcb) t" +apply (rule_tac Q'="\_. obj_at' (\tcb. tcbState tcb \ Structures_H.thread_state.Inactive) t and obj_at' (\tcb. d = tcbDomain tcb) t" in hoare_strengthen_post) apply (wp | clarsimp elim: obj_at'_weakenE)+ apply (auto simp: obj_at'_def) diff --git a/proof/refine/RISCV64/orphanage/Orphanage.thy b/proof/refine/RISCV64/orphanage/Orphanage.thy index 5bd91def55..b1bc552e9e 100644 --- a/proof/refine/RISCV64/orphanage/Orphanage.thy +++ b/proof/refine/RISCV64/orphanage/Orphanage.thy @@ -562,7 +562,7 @@ lemma tcbSchedDequeue_no_orphans[wp]: apply (rule hoare_allI) apply (rename_tac tcb_ptr) apply (case_tac "tcb_ptr = tcbPtr") - apply (rule_tac Q="\_ s. st_tcb_at' (\state. \ is_active_thread_state state) tcbPtr s" + apply (rule_tac Q'="\_ s. st_tcb_at' (\state. \ is_active_thread_state state) tcbPtr s" in hoare_post_imp) apply fastforce apply wpsimp @@ -851,7 +851,7 @@ proof - \\_. no_orphans\" apply (wpsimp wp: scheduleChooseNewThread_no_orphans ssa_no_orphans hoare_vcg_all_lift ThreadDecls_H_switchToThread_no_orphans)+ - apply (rule_tac Q="\_ s. (t = candidate \ ksCurThread s = candidate) \ + apply (rule_tac Q'="\_ s. (t = candidate \ ksCurThread s = candidate) \ (t \ candidate \ sch_act_not t s)" in hoare_post_imp) apply (wpsimp wp: stt_nosch hoare_weak_lift_imp)+ 
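Review bot: The rewritten `apply (rule_tac Q'=…` line in `insertNewCap_ct_idle_or_in_cur_domain'[wp]` sits at column 0 while every other `apply` in the proof is indented, so the proof structure is hard to read at a glance. Since the commit already touches this line, indenting it by the same two spaces as the surrounding `apply (wp …)` lines costs nothing and keeps the file's layout consistent. The `done` closing this lemma is past the end of the hunk.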
@@ -1077,7 +1077,7 @@ lemma sendIPC_no_orphans [wp]: possibleSwitchTo_almost_no_orphans' | wpc | clarsimp simp: is_active_thread_state_def isRestart_def isRunning_def)+ - apply (rule_tac Q="\rv. no_orphans and valid_objs' and ko_at' rv epptr + apply (rule_tac Q'="\rv. no_orphans and valid_objs' and ko_at' rv epptr and (\s. sch_act_wf (ksSchedulerAction s) s)" in hoare_post_imp) apply (fastforce simp: valid_objs'_def valid_obj'_def valid_ep'_def obj_at'_def) apply (wp get_ep_sp' | clarsimp)+ @@ -1293,7 +1293,7 @@ lemma cancelAllIPC_no_orphans [wp]: and I="no_orphans and (\s. \t\set list. tcb_at' t s)" in mapM_x_inv_wp2 | clarsimp simp: valid_tcb_state'_def)+ - apply (rule_tac Q="\rv. no_orphans and valid_objs' and pspace_aligned' and pspace_distinct' and + apply (rule_tac Q'="\rv. no_orphans and valid_objs' and pspace_aligned' and pspace_distinct' and ko_at' rv epptr" in hoare_post_imp) apply (fastforce simp: valid_obj'_def valid_ep'_def obj_at'_def) @@ -1317,7 +1317,7 @@ lemma cancelAllSignals_no_orphans [wp]: apply (wp sts_valid_objs' set_ntfn_valid_objs' sts_st_tcb' hoare_vcg_const_Ball_lift tcbSchedEnqueue_almost_no_orphans| clarsimp simp: valid_tcb_state'_def)+ - apply (rule_tac Q="\rv. no_orphans and valid_objs' and pspace_aligned' and pspace_distinct' and + apply (rule_tac Q'="\rv. no_orphans and valid_objs' and pspace_aligned' and pspace_distinct' and ko_at' rv ntfn" in hoare_post_imp) apply (fastforce simp: valid_obj'_def valid_ntfn'_def obj_at'_def) @@ -1430,7 +1430,7 @@ lemma deleteASIDPool_no_orphans [wp]: \ \rv s. no_orphans s \" unfolding deleteASIDPool_def apply (wp | clarsimp)+ - apply (rule_tac Q="\rv s. no_orphans s" in hoare_post_imp) + apply (rule_tac Q'="\rv s. no_orphans s" in hoare_post_imp) apply (clarsimp simp: no_orphans_def all_queued_tcb_ptrs_def all_active_tcb_ptrs_def is_active_tcb_ptr_def) apply (wp mapM_wp_inv getObject_inv loadObject_default_inv | clarsimp)+ 
@@ -1536,7 +1536,7 @@ lemma cteRevoke_no_orphans [wp]: "\ \s. no_orphans s \ invs' s \ sch_act_simple s \ cteRevoke ptr \ \rv s. no_orphans s \" - apply (rule_tac Q="\rv s. no_orphans s \ invs' s \ sch_act_simple s" + apply (rule_tac Q'="\rv s. no_orphans s \ invs' s \ sch_act_simple s" in hoare_strengthen_post) apply (wp cteRevoke_preservation cteDelete_invs' cteDelete_sch_act_simple)+ apply auto @@ -1562,7 +1562,7 @@ lemma doReplyTransfer_no_orphans[wp]: | wpc | clarsimp simp: is_active_thread_state_def isRunning_def isRestart_def | wp (once) hoare_drop_imps | strengthen sch_act_wf_weak)+ - apply (rule_tac Q="\rv. invs' and no_orphans" in hoare_post_imp) + apply (rule_tac Q'="\rv. invs' and no_orphans" in hoare_post_imp) apply (fastforce simp: inQ_def) apply (wp hoare_drop_imps | clarsimp)+ apply (clarsimp simp:invs'_def valid_state'_def valid_pspace'_def) @@ -1638,7 +1638,7 @@ lemma setPriority_no_orphans[wp]: \\_. no_orphans\" unfolding setPriority_def apply wpsimp - apply (rule_tac Q="\_ s. almost_no_orphans tptr s \ weak_sch_act_wf (ksSchedulerAction s) s" in hoare_post_imp) + apply (rule_tac Q'="\_ s. almost_no_orphans tptr s \ weak_sch_act_wf (ksSchedulerAction s) s" in hoare_post_imp) apply clarsimp apply (clarsimp simp: is_active_tcb_ptr_runnable' pred_tcb_at'_def obj_at'_def almost_no_orphans_no_orphans elim!: almost_no_orphans_no_orphans') @@ -1695,7 +1695,7 @@ lemma tc_no_orphans: checkCap_inv[where P="valid_cap' c" for c] checkCap_inv[where P=sch_act_simple] checkCap_inv[where P=no_orphans] checkCap_inv[where P="tcb_at' a"] threadSet_cte_wp_at' hoare_vcg_all_liftE_R hoare_vcg_all_lift threadSet_no_orphans - hoare_vcg_const_imp_lift_R hoare_weak_lift_imp hoare_drop_imp threadSet_ipcbuffer_invs + hoare_vcg_const_imp_liftE_R hoare_weak_lift_imp hoare_drop_imp threadSet_ipcbuffer_invs | (simp add: locateSlotTCB_def locateSlotBasic_def objBits_def objBitsKO_def tcbIPCBufferSlot_def tcb_cte_cases_def, wp hoare_return_sp) 
@@ -1823,7 +1823,7 @@ lemma performASIDControlInvocation_no_orphans [wp]: apply (clarsimp simp: performASIDControlInvocation_def split: asidcontrol_invocation.splits) apply (wp hoare_weak_lift_imp | clarsimp)+ - apply (rule_tac Q="\rv s. no_orphans s" in hoare_post_imp) + apply (rule_tac Q'="\rv s. no_orphans s" in hoare_post_imp) apply (clarsimp simp: no_orphans_def all_active_tcb_ptrs_def is_active_tcb_ptr_def all_queued_tcb_ptrs_def) apply (wp | clarsimp simp:placeNewObject_def2)+ @@ -1907,7 +1907,7 @@ lemma handleInvocation_no_orphans [wp]: unfolding handleInvocation_def apply (rule hoare_pre) apply (wp syscall_valid' setThreadState_isRestart_no_orphans | wpc | clarsimp)+ - apply (rule_tac Q="\state s. no_orphans s \ invs' s \ + apply (rule_tac Q'="\state s. no_orphans s \ invs' s \ (state = Structures_H.thread_state.Restart \ st_tcb_at' isRestart thread s)" in hoare_post_imp) @@ -1966,7 +1966,7 @@ notes if_cong[cong] shows apply (clarsimp simp: whenE_def split del: if_split | wp hoare_drop_imps getNotification_wp | wpc )+ (*takes a while*) apply (rule_tac Q'="\rv s. no_orphans s \ invs' s" in hoare_strengthen_postE_R) apply (wp, fastforce) - apply (rule_tac Q="\rv s. no_orphans s \ invs' s" in hoare_post_imp) + apply (rule_tac Q'="\rv s. no_orphans s \ invs' s" in hoare_post_imp) apply (wp | clarsimp | fastforce)+ done @@ -1979,7 +1979,7 @@ lemma handleReply_no_orphans [wp]: apply (rule hoare_pre) apply (wp hoare_drop_imps | wpc | clarsimp)+ apply (wp hoare_vcg_all_lift) - apply (rule_tac Q="\rv s. no_orphans s \ invs' s \ tcb_at' thread s \ + apply (rule_tac Q'="\rv s. no_orphans s \ invs' s \ tcb_at' thread s \ valid_cap' rv s" in hoare_post_imp) apply (wp hoare_drop_imps | clarsimp simp: valid_cap'_def | clarsimp simp: invs'_def cur_tcb'_def valid_state'_def)+ diff --git a/proof/refine/X64/Arch_R.thy b/proof/refine/X64/Arch_R.thy index 46cae04aa4..303974819c 100644 --- a/proof/refine/X64/Arch_R.thy +++ b/proof/refine/X64/Arch_R.thy 
@@ -541,8 +541,8 @@ lemma find_vspace_for_asid_lookup_slot [wp]: \\rv. \\ (lookup_pml4_slot rv vptr && ~~ mask pml4_bits)\, -" apply (rule hoare_pre) apply (rule hoare_strengthen_postE_R) - apply (rule hoare_vcg_R_conj) - apply (rule hoare_vcg_R_conj) + apply (rule hoare_vcg_conj_liftE_R) + apply (rule hoare_vcg_conj_liftE_R) apply (rule find_vspace_for_asid_inv [where P="\", THEN valid_validE_R]) apply (rule find_vspace_for_asid_lookup) apply (rule find_vspace_for_asid_aligned_pm) @@ -1612,7 +1612,7 @@ lemma decode_page_inv_wf[wp]: apply (simp add: split_def split del: if_split cong: list.case_cong prod.case_cong) apply (rule hoare_pre) - apply (wp createMappingEntries_wf checkVP_wpR whenE_throwError_wp hoare_vcg_const_imp_lift_R + apply (wp createMappingEntries_wf checkVP_wpR whenE_throwError_wp hoare_vcg_const_imp_liftE_R | wpc | simp add: valid_arch_inv'_def valid_page_inv'_def | wp (once) hoare_drop_imps)+ apply (clarsimp simp: neq_Nil_conv invs_valid_objs' linorder_not_le cte_wp_at_ctes_of) diff --git a/proof/refine/X64/CNodeInv_R.thy b/proof/refine/X64/CNodeInv_R.thy index 517735b4e7..308d4e2dd3 100644 --- a/proof/refine/X64/CNodeInv_R.thy +++ b/proof/refine/X64/CNodeInv_R.thy @@ -207,7 +207,7 @@ lemma decodeCNodeInvocation_corres: apply (rule corres_trivial) subgoal by (auto simp add: whenE_def, auto simp add: returnOk_def) apply (wp | wpc | simp(no_asm))+ - apply (wp hoare_vcg_const_imp_lift_R hoare_vcg_const_imp_lift + apply (wp hoare_vcg_const_imp_liftE_R hoare_vcg_const_imp_lift hoare_vcg_all_liftE_R hoare_vcg_all_lift lsfco_cte_at' hoare_drop_imps | clarsimp)+ subgoal by (auto elim!: valid_cnode_capI) 
@@ -6229,7 +6229,7 @@ lemma reduceZombie_invs'': apply (wp | simp)+ apply (rule getCTE_wp) apply (wp | simp)+ - apply (rule_tac Q="\cte s. rv = capZombiePtr cap + + apply (rule_tac Q'="\cte s. rv = capZombiePtr cap + of_nat (capZombieNumber cap) * 2^cteSizeBits - 2^cteSizeBits \ cte_wp_at' (\c. c = cte) slot s \ invs' s \ no_cte_prop Q s \ sch_act_simple s" @@ -6571,8 +6571,8 @@ lemmas cteDelete_typ_at'_lifts [wp] = typ_at_lifts [OF cteDelete_typ_at'] lemma cteDelete_cte_at: "\\\ cteDelete slot bool \\rv. cte_at' slot\" - apply (rule_tac Q="\s. cte_at' slot s \ \ cte_at' slot s" - in hoare_pre(1)) + apply (rule_tac P'="\s. cte_at' slot s \ \ cte_at' slot s" + in hoare_weaken_pre) apply (rule hoare_strengthen_post) apply (rule hoare_vcg_disj_lift) apply (rule typ_at_lifts, rule cteDelete_typ_at') @@ -6611,7 +6611,7 @@ lemma cteDelete_cte_wp_at_invs: apply (clarsimp simp: cte_wp_at_ctes_of) apply wp apply (simp add: imp_conjR conj_comms) - apply (rule_tac Q="\rv s. invs' s \ sch_act_simple s \ + apply (rule_tac Q'="\rv s. invs' s \ sch_act_simple s \ (fst rv \ cte_wp_at' (\cte. removeable' slot s (cteCap cte)) slot s) \ (fst rv \ @@ -6621,9 +6621,9 @@ lemma cteDelete_cte_wp_at_invs: cteCap cte = NullCap \ (\zb n. cteCap cte = Zombie slot zb n)) slot s)" - and E="\rv. \" in hoare_strengthen_postE) + and E'="\rv. \" in hoare_strengthen_postE) apply (wp finaliseSlot_invs finaliseSlot_removeable finaliseSlot_sch_act_simple - hoare_drop_imps(2)[OF finaliseSlot_irqs]) + hoare_drop_impE_R[OF finaliseSlot_irqs]) apply (rule hoare_strengthen_postE_R, rule finaliseSlot_abort_cases) apply (clarsimp simp: cte_wp_at_ctes_of dest!: isCapDs) apply simp 
@@ -6644,7 +6644,7 @@ lemma cteDelete_cte_wp_at_invs: p s" in hoare_strengthen_postE_R) apply (wp finaliseSlot_invs finaliseSlot_removeable finaliseSlot_sch_act_simple - hoare_drop_imps(2)[OF finaliseSlot_irqs]) + hoare_drop_impE_R[OF finaliseSlot_irqs]) apply (rule hoare_strengthen_postE_R [OF finaliseSlot_cte_wp_at[where p=p and P=P]]) apply simp+ apply (clarsimp simp: cte_wp_at_ctes_of) @@ -6658,8 +6658,8 @@ lemma cteDelete_sch_act_simple: cteDelete slot exposed \\rv. sch_act_simple\" apply (simp add: cteDelete_def whenE_def split_def) apply (wp hoare_drop_imps | simp)+ - apply (rule_tac hoare_strengthen_postE [where Q="\rv. sch_act_simple" - and E="\rv. sch_act_simple"]) + apply (rule_tac hoare_strengthen_postE [where Q'="\rv. sch_act_simple" + and E'="\rv. sch_act_simple"]) apply (rule valid_validE) apply (wp finaliseSlot_sch_act_simple) apply simp+ @@ -6832,7 +6832,7 @@ proof (induct rule: finalise_induct3) apply ((wp | simp add: locateSlot_conv)+)[2] apply (rule drop_spec_validE) apply simp - apply (rule_tac Q="\rv s. revoke_progress_ord m (option_map capToRPO \ cteCaps_of s) + apply (rule_tac Q'="\rv s. revoke_progress_ord m (option_map capToRPO \ cteCaps_of s) \ cte_wp_at' (\cte. cteCap cte = fst rvb) sl s" in hoare_post_imp) apply (clarsimp simp: o_def cte_wp_at_ctes_of capToRPO_def @@ -7403,7 +7403,7 @@ next apply (rule updateCap_corres) apply simp apply (simp add: is_cap_simps) - apply (rule_tac R="\rv. cte_at' (cte_map ?target)" in hoare_post_add) + apply (rule_tac Q'="\rv. cte_at' (cte_map ?target)" in hoare_post_add) apply (wp, (wp getCTE_wp)+) apply (clarsimp simp: cte_wp_at_ctes_of) apply (rule no_fail_pre, wp, simp) 
@@ -7565,7 +7565,7 @@ lemma cteRevoke_typ_at': lemma cteRevoke_invs': "\invs' and sch_act_simple\ cteRevoke ptr \\rv. invs'\" - apply (rule_tac Q="\rv. invs' and sch_act_simple" in hoare_strengthen_post) + apply (rule_tac Q'="\rv. invs' and sch_act_simple" in hoare_strengthen_post) apply (wp cteRevoke_preservation cteDelete_invs' cteDelete_sch_act_simple)+ apply simp_all done @@ -9167,7 +9167,7 @@ proof (induct rule: finalise_spec_induct) apply (unfold Let_def split_def fst_conv snd_conv case_Zombie_assert_fold haskell_fail_def) apply (wp getCTE_wp' preemptionPoint_invR| simp add: o_def irq_state_independent_HI)+ - apply (rule hoare_post_imp [where Q="\_. valid_irq_states'"]) + apply (rule hoare_post_imp[where Q'="\_. valid_irq_states'"]) apply simp apply wp[1] apply (rule spec_strengthen_postE) @@ -9210,7 +9210,7 @@ lemma cteDelete_irq_states': apply (simp add: cteDelete_def split_def) apply (wp whenE_wp) apply (rule hoare_strengthen_postE) - apply (rule hoare_valid_validE) + apply (rule valid_validE) apply (rule finaliseSlot_irq_states') apply simp apply simp diff --git a/proof/refine/X64/CSpace_R.thy b/proof/refine/X64/CSpace_R.thy index 293c0222ea..95b31abac5 100644 --- a/proof/refine/X64/CSpace_R.thy +++ b/proof/refine/X64/CSpace_R.thy @@ -2239,7 +2239,7 @@ lemma cteInsert_mdb' [wp]: cteInsert cap src dest \\_. valid_mdb'\" apply (simp add:valid_mdb'_def valid_mdb_ctes_def) - apply (rule_tac Q = "\r s. valid_dlist (ctes_of s) \ irq_control (ctes_of s) \ + apply (rule_tac Q'="\r s. valid_dlist (ctes_of s) \ irq_control (ctes_of s) \ no_0 (ctes_of s) \ mdb_chain_0 (ctes_of s) \ ioport_control (ctes_of s) \ mdb_chunked (ctes_of s) \ untyped_mdb' (ctes_of s) \ untyped_inc' (ctes_of s) \ Q s" for Q 
@@ -4162,12 +4162,12 @@ lemma setupReplyMaster_corres: apply (fastforce dest: pspace_relation_no_reply_caps state_relation_pspace_relation) apply (clarsimp simp: cte_map_def tcb_cnode_index_def cte_wp_at_ctes_of) - apply (rule_tac Q="\rv. einvs and tcb_at t and + apply (rule_tac Q'="\rv. einvs and tcb_at t and cte_wp_at ((=) rv) (t, tcb_cnode_index 2)" in hoare_strengthen_post) apply (wp hoare_drop_imps get_cap_wp) apply (clarsimp simp: invs_def valid_state_def elim!: cte_wp_at_weakenE) - apply (rule_tac Q="\rv. valid_pspace' and valid_mdb' and + apply (rule_tac Q'="\rv. valid_pspace' and valid_mdb' and cte_wp_at' ((=) rv) (cte_map (t, tcb_cnode_index 2))" in hoare_strengthen_post) apply (wp hoare_drop_imps getCTE_wp') diff --git a/proof/refine/X64/Detype_R.thy b/proof/refine/X64/Detype_R.thy index 7b0e60ddd2..50ef5a6753 100644 --- a/proof/refine/X64/Detype_R.thy +++ b/proof/refine/X64/Detype_R.thy @@ -64,7 +64,7 @@ lemma descendants_range_in_lift': apply (simp only: Ball_def[unfolded imp_conv_disj]) apply (rule hoare_pre) apply (wp hoare_vcg_all_lift hoare_vcg_disj_lift st cap_range) - apply (rule_tac Q = "\r s. cte_wp_at' (\c. capRange (cteCap c) \ S = {}) x s" + apply (rule_tac Q'="\r s. cte_wp_at' (\c. capRange (cteCap c) \ S = {}) x s" in hoare_strengthen_post) apply (wp cap_range) apply (clarsimp simp:cte_wp_at_ctes_of null_filter'_def) @@ -1801,7 +1801,7 @@ lemma deleteObjects_invs': proof - show ?thesis apply (rule hoare_pre) - apply (rule_tac G="is_aligned ptr bits \ 3 \ bits \ bits \ word_bits" in hoare_grab_asm) + apply (rule_tac P'="is_aligned ptr bits \ 3 \ bits \ bits \ word_bits" in hoare_grab_asm) apply (clarsimp simp add: deleteObjects_def2) apply (simp add: freeMemory_def bind_assoc doMachineOp_bind ef_storeWord) apply (simp add: bind_assoc[where f="\_. modify f" for f, symmetric]) 
@@ -4360,7 +4360,7 @@ lemma createNewCaps_pspace_no_overlap': apply simp+ apply (simp add:range_cover_def) apply (simp add:range_cover.sz(1)[where 'a=machine_word_len, folded word_bits_def]) - apply (rule_tac Q = "\r. pspace_no_overlap' (ptr + (1 + of_nat n << Types_H.getObjectSize ty us)) + apply (rule_tac Q'="\r. pspace_no_overlap' (ptr + (1 + of_nat n << Types_H.getObjectSize ty us)) (Types_H.getObjectSize ty us) and pspace_aligned' and pspace_distinct'" in hoare_strengthen_post) apply (case_tac ty) diff --git a/proof/refine/X64/Finalise_R.thy b/proof/refine/X64/Finalise_R.thy index 2e6172c9d1..546ebcc0a1 100644 --- a/proof/refine/X64/Finalise_R.thy +++ b/proof/refine/X64/Finalise_R.thy @@ -1955,7 +1955,7 @@ lemma isFinalCapability_inv: apply (simp add: isFinalCapability_def Let_def split del: if_split cong: if_cong) apply (rule hoare_pre, wp) - apply (rule hoare_post_imp [where Q="\s. P"], simp) + apply (rule hoare_post_imp[where Q'="\s. P"], simp) apply wp apply simp done @@ -2586,7 +2586,7 @@ lemma deleteASID_invs'[wp]: apply (simp add: deleteASID_def cong: option.case_cong) apply (rule hoare_pre) apply (wp | wpc)+ - apply (rule_tac Q="\rv. valid_obj' (injectKO rv) and invs'" + apply (rule_tac Q'="\rv. valid_obj' (injectKO rv) and invs'" in hoare_post_imp) apply (rename_tac rv s) apply (clarsimp split: if_split_asm del: subsetI) @@ -2895,7 +2895,7 @@ lemma cancelIPC_bound_tcb_at'[wp]: apply (simp add: getThreadReplySlot_def locateSlot_conv liftM_def) apply (rule hoare_pre) apply (wp capDeleteOne_bound_tcb_at' getCTE_ctes_of) - apply (rule_tac Q="\_. bound_tcb_at' P tptr" in hoare_post_imp) + apply (rule_tac Q'="\_. bound_tcb_at' P tptr" in hoare_post_imp) apply (clarsimp simp: capHasProperty_def cte_wp_at_ctes_of) apply (wp threadSet_pred_tcb_no_state | simp)+ done diff --git a/proof/refine/X64/Interrupt_R.thy b/proof/refine/X64/Interrupt_R.thy index 6f3104d79a..fc38160e56 100644 --- a/proof/refine/X64/Interrupt_R.thy +++ b/proof/refine/X64/Interrupt_R.thy 
@@ -388,7 +388,7 @@ lemma invokeIRQHandler_corres: apply simp apply (rule corres_split_nor[OF cap_delete_one_corres]) apply (rule cteInsert_corres, simp+) - apply (rule_tac Q="\rv s. einvs s \ cte_wp_at (\c. c = cap.NullCap) irq_slot s + apply (rule_tac Q'="\rv s. einvs s \ cte_wp_at (\c. c = cap.NullCap) irq_slot s \ (a, b) \ irq_slot \ cte_wp_at (is_derived (cdt s) (a, b) cap) (a, b) s" in hoare_post_imp) @@ -855,7 +855,7 @@ lemma timerTick_invs'[wp]: apply (wpsimp wp: threadSet_invs_trivial threadSet_pred_tcb_no_state rescheduleRequired_all_invs_but_ct_not_inQ simp: tcb_cte_cases_def) - apply (rule_tac Q="\rv. invs'" in hoare_post_imp) + apply (rule_tac Q'="\rv. invs'" in hoare_post_imp) apply (clarsimp simp: invs'_def valid_state'_def) apply (simp add: decDomainTime_def) apply wp @@ -866,7 +866,7 @@ lemma timerTick_invs'[wp]: hoare_vcg_imp_lift threadSet_ct_idle_or_in_cur_domain')+ apply (rule hoare_strengthen_post[OF tcbSchedAppend_all_invs_but_ct_not_inQ']) apply (wpsimp simp: invs'_def valid_state'_def valid_pspace'_def sch_act_wf_weak)+ - apply (rule_tac Q="\_. invs'" in hoare_strengthen_post) + apply (rule_tac Q'="\_. invs'" in hoare_strengthen_post) apply (wpsimp wp: threadSet_pred_tcb_no_state threadSet_tcbDomain_triv threadSet_valid_objs' threadSet_timeslice_invs)+ apply (clarsimp simp: invs'_def valid_state'_def valid_pspace'_def) @@ -905,7 +905,7 @@ lemma hint_invs[wp]: apply (wp dmo_maskInterrupt_True getCTE_wp' | wpc | simp add: doMachineOp_bind maskIrqSignal_def)+ - apply (rule_tac Q="\rv. invs'" in hoare_post_imp) + apply (rule_tac Q'="\rv. invs'" in hoare_post_imp) apply (clarsimp simp: cte_wp_at_ctes_of ex_nonz_cap_to'_def) apply fastforce apply (wp threadSet_invs_trivial | simp add: inQ_def handleReservedIRQ_def)+ diff --git a/proof/refine/X64/IpcCancel_R.thy b/proof/refine/X64/IpcCancel_R.thy index 70c1e8d1ad..45bf872c51 100644 --- a/proof/refine/X64/IpcCancel_R.thy +++ b/proof/refine/X64/IpcCancel_R.thy 
@@ -915,7 +915,7 @@ lemma (in delete_one_conc_pre) cancelIPC_sch_act_simple[wp]: apply (wp hoare_drop_imps delete_one_sch_act_simple | simp add: getThreadReplySlot_def | wpcw | rule sch_act_simple_lift - | (rule_tac Q="\rv. sch_act_simple" in hoare_post_imp, simp))+ + | (rule_tac Q'="\rv. sch_act_simple" in hoare_post_imp, simp))+ done lemma cancelSignal_st_tcb_at: @@ -925,7 +925,7 @@ lemma cancelSignal_st_tcb_at: \\rv. st_tcb_at' P t\" apply (simp add: cancelSignal_def Let_def list_case_If) apply (wp sts_st_tcb_at'_cases hoare_vcg_const_imp_lift - hoare_drop_imp[where R="%rv s. P' rv" for P']) + hoare_drop_imp[where Q'="%rv s. P' rv" for P']) apply clarsimp+ done @@ -1015,7 +1015,7 @@ lemma (in delete_one_conc_pre) cancelIPC_tcb_at_runnable': apply (case_tac rv; simp) apply (wp sts_pred_tcb_neq' | simp | wpc)+ apply (clarsimp) - apply (rule_tac Q="\rv. ?PRE" in hoare_post_imp, fastforce) + apply (rule_tac Q'="\rv. ?PRE" in hoare_post_imp, fastforce) apply (wp cteDeleteOne_tcb_at_runnable' threadSet_pred_tcb_no_state cancelSignal_tcb_at_runnable' @@ -1117,7 +1117,7 @@ lemma sts_weak_sch_act_wf[wp]: including classic_wp_pre apply (simp add: setThreadState_def) apply (wp rescheduleRequired_weak_sch_act_wf) - apply (rule_tac Q="\_ s. weak_sch_act_wf (ksSchedulerAction s) s" in hoare_post_imp, simp) + apply (rule_tac Q'="\_ s. weak_sch_act_wf (ksSchedulerAction s) s" in hoare_post_imp, simp) apply (simp add: weak_sch_act_wf_def) apply (wp hoare_vcg_all_lift) apply (wps threadSet_nosch) 
@@ -1256,11 +1256,11 @@ lemma (in delete_one) suspend_corres: apply wpsimp apply (wpsimp wp: sts_valid_objs') apply (wpsimp simp: update_restart_pc_def updateRestartPC_def valid_tcb_state'_def)+ - apply (rule hoare_post_imp[where Q = "\rv s. einvs s \ tcb_at t s"]) + apply (rule hoare_post_imp[where Q'="\rv s. einvs s \ tcb_at t s"]) apply (simp add: invs_implies invs_strgs valid_queues_in_correct_ready_q valid_queues_ready_qs_distinct valid_sched_def) apply wp - apply (rule hoare_post_imp[where Q = "\_ s. invs' s \ tcb_at' t s"]) + apply (rule hoare_post_imp[where Q'="\_ s. invs' s \ tcb_at' t s"]) apply (fastforce simp: invs'_def valid_tcb_state'_def) apply (wpsimp simp: update_restart_pc_def updateRestartPC_def)+ apply fastforce @@ -1342,7 +1342,7 @@ lemma setThreadState_oa_queued: apply (simp add: setThreadState_def) apply (wp rescheduleRequired_oa_queued) apply (simp add: sch_act_simple_def) - apply (rule_tac Q="\_. ?Q R" in hoare_post_imp, clarsimp) + apply (rule_tac Q'="\_. ?Q R" in hoare_post_imp, clarsimp) apply (wp threadSet_obj_at'_strongish) apply (clarsimp) done @@ -1382,7 +1382,7 @@ lemma (in delete_one_conc) suspend_invs'[wp]: apply (simp add: suspend_def) apply (wpsimp wp: sts_invs_minor' gts_wp' simp: updateRestartPC_def | strengthen no_refs_simple_strg')+ - apply (rule_tac Q="\_. invs' and sch_act_simple and st_tcb_at' simple' t + apply (rule_tac Q'="\_. invs' and sch_act_simple and st_tcb_at' simple' t and (\s. t \ ksIdleThread s)" in hoare_post_imp) apply clarsimp @@ -1410,7 +1410,7 @@ lemma (in delete_one_conc_pre) suspend_sch_act_simple[wp]: lemma (in delete_one_conc) suspend_objs': "\invs' and sch_act_simple and tcb_at' t and (\s. t \ ksIdleThread s)\ suspend t \\rv. valid_objs'\" - apply (rule_tac Q="\_. invs'" in hoare_strengthen_post) + apply (rule_tac Q'="\_. invs'" in hoare_strengthen_post) apply (wp suspend_invs') apply fastforce done 
@@ -1526,7 +1526,7 @@ proof - apply (rule ep_cancel_corres_helper) apply (rule mapM_x_wp') apply (wp weak_sch_act_wf_lift_linear set_thread_state_runnable_weak_valid_sched_action | simp)+ - apply (rule_tac R="\_ s. \x\set list. tcb_at' x s \ valid_objs' s \ pspace_aligned' s \ pspace_distinct' s" + apply (rule_tac Q'="\_ s. \x\set list. tcb_at' x s \ valid_objs' s \ pspace_aligned' s \ pspace_distinct' s" in hoare_post_add) apply (rule mapM_x_wp') apply ((wpsimp wp: hoare_vcg_const_Ball_lift mapM_x_wp' sts_st_tcb' sts_valid_objs' @@ -1587,7 +1587,7 @@ lemma cancelAllSignals_corres: set_thread_state_runnable_weak_valid_sched_action | simp)+ apply (rename_tac list) - apply (rule_tac R="\_ s. (\x\set list. tcb_at' x s) \ valid_objs' s + apply (rule_tac Q'="\_ s. (\x\set list. tcb_at' x s) \ valid_objs' s \ sym_heap_sched_pointers s \ valid_sched_pointers s \ valid_objs' s \ pspace_aligned' s \ pspace_distinct' s" in hoare_post_add) @@ -1635,7 +1635,7 @@ proof - show ?thesis apply (simp add: setThreadState_def) apply (wpsimp wp: hoare_vcg_imp_lift [OF nrct]) - apply (rule_tac Q="\_. ?PRE" in hoare_post_imp) + apply (rule_tac Q'="\_. ?PRE" in hoare_post_imp) apply (clarsimp) apply (rule hoare_convert_imp [OF threadSet_nosch threadSet_ct]) apply assumption @@ -1885,7 +1885,7 @@ lemma cancelAllIPC_valid_objs'[wp]: apply (rule bind_wp [OF _ get_ep_sp']) apply (rule hoare_pre) apply (wp set_ep_valid_objs' setSchedulerAction_valid_objs') - apply (rule_tac Q="\_ s. valid_objs' s \ pspace_aligned' s \ pspace_distinct' s + apply (rule_tac Q'="\_ s. valid_objs' s \ pspace_aligned' s \ pspace_distinct' s \ (\x\set (epQueue ep). tcb_at' x s)" in hoare_post_imp) apply simp 
@@ -1911,7 +1911,7 @@ lemma cancelAllSignals_valid_objs'[wp]: apply (wp, simp) apply (wp, simp) apply (rename_tac list) - apply (rule_tac Q="\rv s. valid_objs' s \ (\x\set list. tcb_at' x s)" + apply (rule_tac Q'="\rv s. valid_objs' s \ (\x\set list. tcb_at' x s)" in hoare_post_imp) apply (simp add: valid_ntfn'_def) apply (simp add: Ball_def) @@ -2217,7 +2217,7 @@ lemma cancelBadgedSends_corres: apply (rule corres_guard_imp) apply (rule corres_split_nor[OF setEndpoint_corres]) apply (simp add: ep_relation_def) - apply (rule corres_split_eqr[OF _ _ _ hoare_post_add[where R="\_. valid_objs'"]]) + apply (rule corres_split_eqr[OF _ _ _ hoare_post_add[where Q'="\_. valid_objs'"]]) apply (rule_tac S="(=)" and Q="\xs s. (\x \ set xs. (epptr, TCBBlockedSend) \ state_refs_of s x) \ distinct xs \ valid_etcbs s \ diff --git a/proof/refine/X64/Ipc_R.thy b/proof/refine/X64/Ipc_R.thy index 0722425a93..665b14d5b3 100644 --- a/proof/refine/X64/Ipc_R.thy +++ b/proof/refine/X64/Ipc_R.thy @@ -53,7 +53,7 @@ lemma lsfco_cte_at': apply (wp) apply (clarsimp simp: split_def unlessE_def split del: if_split) - apply (wp hoare_drop_imps throwE_R) + apply (wpsimp wp: hoare_drop_imps throwE_R) done declare unifyFailure_wp [wp] @@ -493,7 +493,7 @@ next apply clarsimp apply assumption apply (subst imp_conjR) - apply (rule hoare_vcg_conj_liftE_R) + apply (rule hoare_vcg_conj_liftE_R') apply (rule derive_cap_is_derived) apply (wp derive_cap_is_derived_foo)+ apply (simp split del: if_split) @@ -505,7 +505,7 @@ next apply clarsimp apply assumption apply (subst imp_conjR) - apply (rule hoare_vcg_conj_liftE_R) + apply (rule hoare_vcg_conj_liftE_R') apply (rule hoare_strengthen_postE_R[OF deriveCap_derived]) apply (clarsimp simp:cte_wp_at_ctes_of) apply (wp deriveCap_derived_foo) 
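Review bot: The two `apply (rule hoare_vcg_conj_liftE_R')` lines in Ipc_R.thy (hunks @@ -493 and @@ -505, each directly after `subst imp_conjR`) show that a lemma named `hoare_vcg_conj_liftE_R` already existed before this change, while the Arch_R.thy hunk (@@ -541) rebinds that same name to the former `hoare_vcg_R_conj`. If that reading is right, an existing lemma name has been reassigned a different statement, so any downstream proof still citing `hoare_vcg_conj_liftE_R` will silently pick up the other lemma and either fail or go through only because the new statement happens to unify at that site. A comment at the primed lemma's definition, or a deprecated alias for the old binding, would make the swap visible, e.g. `(* hoare_vcg_conj_liftE_R' is the former hoare_vcg_conj_liftE_R; the unprimed name now denotes the former hoare_vcg_R_conj *)`. Both hunks sit inside `next` cases whose proof blocks begin and end outside the hunks.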
@@ -617,7 +617,7 @@ lemma cteInsert_assume_Null: apply (rule bind_wp[OF _ getCTE_sp])+ apply (rule hoare_name_pre_state) apply (clarsimp simp: cte_wp_at_ctes_of) - apply (erule hoare_pre(1)) + apply (erule hoare_weaken_pre) apply simp done @@ -1851,7 +1851,7 @@ declare asUser_global_refs' [wp] lemma lec_valid_cap' [wp]: "\valid_objs'\ lookupExtraCaps thread xa mi \\rv s. (\x\set rv. s \' fst x)\, -" apply (rule hoare_pre, rule hoare_strengthen_postE_R) - apply (rule hoare_vcg_conj_lift_R[where R=valid_objs' and S="\_. valid_objs'"]) + apply (rule hoare_vcg_conj_liftE_R[where P'=valid_objs' and Q'="\_. valid_objs'"]) apply (rule lookupExtraCaps_srcs) apply wp apply (clarsimp simp: cte_wp_at_ctes_of) @@ -2242,7 +2242,7 @@ lemma doReplyTransfer_corres: apply (fastforce) apply (clarsimp simp:is_cap_simps) apply (wp weak_valid_sched_action_lift)+ - apply (rule_tac Q="\_ s. valid_objs' s \ cur_tcb' s \ tcb_at' receiver s + apply (rule_tac Q'="\_ s. valid_objs' s \ cur_tcb' s \ tcb_at' receiver s \ sch_act_wf (ksSchedulerAction s) s \ sym_heap_sched_pointers s \ valid_sched_pointers s \ pspace_aligned' s \ pspace_distinct' s" @@ -2303,14 +2303,14 @@ lemma doReplyTransfer_corres: threadSet_tcbDomain_triv threadSet_valid_objs' threadSet_sched_pointers threadSet_valid_sched_pointers | simp add: valid_tcb_state'_def)+ - apply (rule_tac Q="\_. valid_sched and cur_tcb and tcb_at sender and tcb_at receiver and + apply (rule_tac Q'="\_. valid_sched and cur_tcb and tcb_at sender and tcb_at receiver and valid_objs and pspace_aligned and pspace_distinct" in hoare_strengthen_post [rotated], clarsimp) apply (wp) apply (rule hoare_chain [OF cap_delete_one_invs]) apply (assumption) apply fastforce - apply (rule_tac Q="\_. tcb_at' sender and tcb_at' receiver and invs'" + apply (rule_tac Q'="\_. tcb_at' sender and tcb_at' receiver and invs'" in hoare_strengthen_post [rotated]) apply (solves\auto simp: invs'_def valid_state'_def\) apply wp 
@@ -2391,14 +2391,14 @@ lemma setupCallerCap_corres: tcb_cnode_index_def cte_level_bits_def) apply (simp add: cte_map_def tcbCallerSlot_def tcb_cnode_index_def cte_level_bits_def) - apply (rule_tac R="\rv. cte_at' (receiver + 2 ^ cte_level_bits * tcbCallerSlot)" + apply (rule_tac Q'="\rv. cte_at' (receiver + 2 ^ cte_level_bits * tcbCallerSlot)" in hoare_post_add) apply (wp, (wp getSlotCap_wp)+) apply blast apply (rule no_fail_pre, wp) apply (clarsimp simp: cte_wp_at'_def cte_at'_def) - apply (rule_tac R="\rv. cte_at' (sender + 2 ^ cte_level_bits * tcbReplySlot)" + apply (rule_tac Q'="\rv. cte_at' (sender + 2 ^ cte_level_bits * tcbReplySlot)" in hoare_post_add) apply (wp, (wp getCTE_wp')+) apply blast @@ -2731,7 +2731,7 @@ lemma sendSignal_corres: valid_queues_in_correct_ready_q valid_queues_ready_qs_distinct valid_sched_valid_queues | simp add: valid_tcb_state_def)+ - apply (rule_tac Q="\rv. invs' and tcb_at' a" in hoare_strengthen_post) + apply (rule_tac Q'="\rv. invs' and tcb_at' a" in hoare_strengthen_post) apply wp apply (fastforce simp: invs'_def valid_state'_def sch_act_wf_weak valid_tcb_state'_def) apply (rule setNotification_corres) @@ -2759,7 +2759,7 @@ lemma sendSignal_corres: apply (rule corres_split[OF asUser_setRegister_corres]) apply (rule possibleSwitchTo_corres) apply ((wp | simp)+)[1] - apply (rule_tac Q="\_. (\s. sch_act_wf (ksSchedulerAction s) s) and + apply (rule_tac Q'="\_. (\s. sch_act_wf (ksSchedulerAction s) s) and cur_tcb' and st_tcb_at' runnable' (hd list) and valid_objs' and sym_heap_sched_pointers and valid_sched_pointers and @@ -2937,7 +2937,7 @@ lemma cancelIPC_nonz_cap_to'[wp]: | wpc | simp | clarsimp elim!: cte_wp_at_weakenE' - | rule hoare_post_imp[where Q="\rv. ex_nonz_cap_to' p"])+ + | rule hoare_post_imp[where Q'="\rv. ex_nonz_cap_to' p"])+ done 
@@ -3017,7 +3017,7 @@ proof - apply (wpc) apply (wp | simp)+ apply (wpc, wp+) - apply (rule_tac Q="\_. ?PRE t'" in hoare_post_imp, clarsimp) + apply (rule_tac Q'="\_. ?PRE t'" in hoare_post_imp, clarsimp) apply (wp) apply simp done @@ -3029,7 +3029,7 @@ proof - apply (wp) apply (wp hoare_convert_imp)[1] apply (wp) - apply (rule_tac Q="\_. ?PRE t'" in hoare_post_imp, clarsimp) + apply (rule_tac Q'="\_. ?PRE t'" in hoare_post_imp, clarsimp) apply (wp hoare_convert_imp | simp)+ done show ?thesis @@ -3042,16 +3042,16 @@ proof - apply (wp)+ apply (wp hoare_convert_imp)[1] apply (wpc, wp+) - apply (rule_tac Q="\_. ?PRE t'" in hoare_post_imp, clarsimp) + apply (rule_tac Q'="\_. ?PRE t'" in hoare_post_imp, clarsimp) apply (wp cdo)+ - apply (rule_tac Q="\_. ?PRE t'" in hoare_post_imp, clarsimp) + apply (rule_tac Q'="\_. ?PRE t'" in hoare_post_imp, clarsimp) apply ((wp aipc hoare_convert_imp)+)[6] apply (wp) apply (wp hoare_convert_imp)[1] apply (wpc, wp+) - apply (rule_tac Q="\_. ?PRE t'" in hoare_post_imp, clarsimp) + apply (rule_tac Q'="\_. ?PRE t'" in hoare_post_imp, clarsimp) apply (wp) - apply (rule_tac Q="\_. ?PRE t'" in hoare_post_imp, clarsimp) + apply (rule_tac Q'="\_. ?PRE t'" in hoare_post_imp, clarsimp) apply (wp) apply simp done @@ -3310,7 +3310,7 @@ lemma receiveIPC_corres: valid_sched_action_def) apply (clarsimp split: if_split_asm) apply (clarsimp | wp do_ipc_transfer_tcb_caps)+ - apply (rule_tac Q="\_ s. sch_act_wf (ksSchedulerAction s) s + apply (rule_tac Q'="\_ s. sch_act_wf (ksSchedulerAction s) s \ sym_heap_sched_pointers s \ valid_sched_pointers s \ pspace_aligned' s \ pspace_distinct' s" in hoare_post_imp) 
@@ -3563,7 +3563,7 @@ lemma setupCallerCap_vp[wp]: apply (simp add: valid_pspace'_def setupCallerCap_def getThreadCallerSlot_def getThreadReplySlot_def locateSlot_conv getSlotCap_def) apply (wp getCTE_wp) - apply (rule_tac Q="\_. valid_pspace' and + apply (rule_tac Q'="\_. valid_pspace' and tcb_at' sender and tcb_at' rcvr" in hoare_post_imp) apply (clarsimp simp: valid_cap'_def o_def cte_wp_at_ctes_of isCap_simps @@ -3596,7 +3596,7 @@ lemma setupCallerCap_ifunsafe[wp]: apply (wp getSlotCap_cte_wp_at | simp add: unique_master_reply_cap' | strengthen eq_imp_strg | wp (once) hoare_drop_imp[where f="getCTE rs" for rs])+ - apply (rule_tac Q="\rv. valid_objs' and tcb_at' rcvr and ex_nonz_cap_to' rcvr" + apply (rule_tac Q'="\rv. valid_objs' and tcb_at' rcvr and ex_nonz_cap_to' rcvr" in hoare_post_imp) apply (clarsimp simp: ex_nonz_tcb_cte_caps' tcbCallerSlot_def objBits_def objBitsKO_def dom_def cte_level_bits_def) @@ -3768,7 +3768,7 @@ lemma completeSignal_invs: apply (rule bind_wp[OF _ get_ntfn_sp']) apply (rule hoare_pre) apply (wp set_ntfn_minor_invs' | wpc | simp)+ - apply (rule_tac Q="\_ s. (state_refs_of' s ntfnptr = ntfn_bound_refs' (ntfnBoundTCB ntfn)) + apply (rule_tac Q'="\_ s. (state_refs_of' s ntfnptr = ntfn_bound_refs' (ntfnBoundTCB ntfn)) \ ntfn_at' ntfnptr s \ valid_ntfn' (ntfnObj_update (\_. Structures_H.ntfn.IdleNtfn) ntfn) s \ ((\y. ntfnBoundTCB ntfn = Some y) \ ex_nonz_cap_to' ntfnptr s) @@ -3798,7 +3798,7 @@ lemma setupCallerCap_urz[wp]: getThreadCallerSlot_def getThreadReplySlot_def locateSlot_conv) apply (wp getCTE_wp') - apply (rule_tac Q="\_. untyped_ranges_zero' and valid_mdb' and valid_objs'" in hoare_post_imp) + apply (rule_tac Q'="\_. untyped_ranges_zero' and valid_mdb' and valid_objs'" in hoare_post_imp) apply (clarsimp simp: cte_wp_at_ctes_of cteCaps_of_def untyped_derived_eq_def isCap_simps) apply (wp sts_valid_pspace_hangers) 
@@ -3851,7 +3851,7 @@ lemma ri_invs' [wp]: apply (rule bind_wp [OF _ gbn_sp']) apply (rule bind_wp) (* set up precondition for old proof *) - apply (rule_tac R="ko_at' ep (capEPPtr cap) and ?pre" in hoare_vcg_if_split) + apply (rule_tac P''="ko_at' ep (capEPPtr cap) and ?pre" in hoare_vcg_if_split) apply (wp completeSignal_invs) apply (case_tac ep) \ \endpoint = RecvEP\ @@ -4138,9 +4138,9 @@ lemma si_invs'[wp]: hoare_convert_imp [OF setEndpoint_nosch setEndpoint_ct'] hoare_drop_imp [where f="threadGet tcbFault t"] | rule_tac f="getThreadState a" in hoare_drop_imp - | wp (once) hoare_drop_imp[where R="\_ _. call"] - hoare_drop_imp[where R="\_ _. \ call"] - hoare_drop_imp[where R="\_ _. cg"] + | wp (once) hoare_drop_imp[where Q'="\_ _. call"] + hoare_drop_imp[where Q'="\_ _. \ call"] + hoare_drop_imp[where Q'="\_ _. cg"] | simp add: valid_tcb_state'_def case_bool_If case_option_If cong: if_cong diff --git a/proof/refine/X64/Refine.thy b/proof/refine/X64/Refine.thy index f5c68d514f..c263007517 100644 --- a/proof/refine/X64/Refine.thy +++ b/proof/refine/X64/Refine.thy @@ -226,12 +226,12 @@ lemma set_thread_state_sched_act: apply (simp add: set_thread_state_ext_def) apply wp apply (rule hoare_pre_cont) - apply (rule_tac Q="\rv. (\s. runnable ts) and (\s. P (scheduler_action s))" + apply (rule_tac Q'="\rv. (\s. runnable ts) and (\s. P (scheduler_action s))" in hoare_strengthen_post) apply wp apply force apply (wp gts_st_tcb_at)+ - apply (rule_tac Q="\rv. st_tcb_at ((=) state) thread and (\s. runnable state) and (\s. P (scheduler_action s))" in hoare_strengthen_post) + apply (rule_tac Q'="\rv. st_tcb_at ((=) state) thread and (\s. runnable state) and (\s. P (scheduler_action s))" in hoare_strengthen_post) apply (simp add: st_tcb_at_def) apply (wp obj_set_prop_at)+ apply (force simp: st_tcb_at_def obj_at_def) 
@@ -270,7 +270,7 @@ lemma kernel_entry_invs: \\rv. einvs and (\s. ct_running s \ ct_idle s) and (\s. 0 < domain_time s) and valid_domain_list and (\s. scheduler_action s = resume_cur_thread)\" - apply (rule_tac Q="\rv. invs and (\s. ct_running s \ ct_idle s) and valid_sched and + apply (rule_tac Q'="\rv. invs and (\s. ct_running s \ ct_idle s) and valid_sched and (\s. 0 < domain_time s) and valid_domain_list and valid_list and (\s. scheduler_action s = resume_cur_thread)" in hoare_post_imp) @@ -316,7 +316,7 @@ lemma do_user_op_invs2: do_user_op f tc \\_. (einvs and ct_running and (\s. scheduler_action s = resume_cur_thread)) and (\s. 0 < domain_time s) and valid_domain_list \" - apply (rule_tac Q="\_. valid_list and valid_sched and + apply (rule_tac Q'="\_. valid_list and valid_sched and (\s. scheduler_action s = resume_cur_thread) and (invs and ct_running) and (\s. 0 < domain_time s) and valid_domain_list" in hoare_strengthen_post) @@ -391,7 +391,7 @@ lemma ckernel_invs: apply (rule hoare_pre) apply (wp activate_invs' activate_sch_act schedule_sch schedule_sch_act_simple he_invs' schedule_invs' - hoare_drop_imp[where R="\_. kernelExitAssertions"] + hoare_drop_imp[where Q'="\_. kernelExitAssertions"] | simp add: no_irq_getActiveIRQ)+ done 
@@ -560,21 +560,21 @@ lemma kernel_corres': apply simp apply (wpsimp wp: hoare_drop_imps hoare_vcg_all_lift simp: schact_is_rct_def)[1] apply simp - apply (rule_tac Q="\irq s. invs' s \ + apply (rule_tac Q'="\irq s. invs' s \ (\irq'. irq = Some irq' \ intStateIRQTable (ksInterruptState s ) irq' \ IRQInactive)" in hoare_post_imp) apply simp apply (wp doMachineOp_getActiveIRQ_IRQ_active handle_event_valid_sched | simp)+ - apply (rule_tac Q="\_. \" and E="\_. invs'" in hoare_strengthen_postE) + apply (rule_tac Q'="\_. \" and E'="\_. invs'" in hoare_strengthen_postE) apply wpsimp+ apply (simp add: invs'_def valid_state'_def) apply (rule corres_split[OF schedule_corres]) apply (rule activateThread_corres) apply (wp schedule_invs' hoare_vcg_if_lift2 hoare_drop_imps handle_interrupt_valid_sched[unfolded non_kernel_IRQs_def, simplified] |simp)+ - apply (rule_tac Q="\_. valid_sched and invs and valid_list" and E="\_. valid_sched and invs and valid_list" + apply (rule_tac Q'="\_. valid_sched and invs and valid_list" and E'="\_. valid_sched and invs and valid_list" in hoare_strengthen_postE) apply (wp handle_event_valid_sched |simp)+ apply (clarsimp simp: active_from_running schact_is_rct_def) diff --git a/proof/refine/X64/Retype_R.thy b/proof/refine/X64/Retype_R.thy index 3cbfd38f92..b20f6dbf23 100644 --- a/proof/refine/X64/Retype_R.thy +++ b/proof/refine/X64/Retype_R.thy @@ -4312,7 +4312,7 @@ lemma createNewCaps_cur: cur_tcb' s\ createNewCaps ty ptr n us d \\rv. cur_tcb'\" - apply (rule hoare_post_imp [where Q="\rv s. \t. ksCurThread s = t \ tcb_at' t s"]) + apply (rule hoare_post_imp[where Q'="\rv s. \t. ksCurThread s = t \ tcb_at' t s"]) apply (simp add: cur_tcb'_def) apply (wp hoare_vcg_ex_lift createNewCaps_obj_at') apply (clarsimp simp: pspace_no_overlap'_def cur_tcb'_def valid_pspace'_def) 
@@ -4396,17 +4396,14 @@ lemma createNewCaps_idle'[wp]: split del: if_split) apply (rename_tac apiobject_type) apply (case_tac apiobject_type, simp_all split del: if_split)[1] - apply (wp, simp) - including classic_wp_pre - apply (wp mapM_x_wp' - createObjects_idle' - threadSet_idle' + apply wpsimp + apply (wpsimp wp: mapM_x_wp' createObjects_idle' threadSet_idle' | simp add: projectKO_opt_tcb projectKO_opt_cte makeObject_cte makeObject_tcb archObjSize_def tcb_cte_cases_def objBitsKO_def APIType_capBits_def objBits_def createObjects_def bit_simps | intro conjI impI - | fastforce simp: curDomain_def)+ + | clarsimp simp: curDomain_def)+ done crunch createNewCaps @@ -4427,7 +4424,7 @@ lemma createNewCaps_global_refs': createNewCaps ty ptr n us d \\rv. valid_global_refs'\" apply (simp add: valid_global_refs'_def valid_cap_sizes'_def valid_refs'_def) - apply (rule_tac Q="\rv s. \ptr. \ cte_wp_at' (\cte. (kernel_data_refs \ capRange (cteCap cte) \ {} + apply (rule_tac Q'="\rv s. \ptr. \ cte_wp_at' (\cte. (kernel_data_refs \ capRange (cteCap cte) \ {} \ 2 ^ capBits (cteCap cte) > gsMaxObjectSize s)) ptr s \ global_refs' s \ kernel_data_refs" in hoare_post_imp) apply (auto simp: cte_wp_at_ctes_of linorder_not_less elim!: ranE)[1] @@ -5062,7 +5059,7 @@ proof (rule hoare_gen_asm, elim conjE) "\ct_not_inQ and valid_pspace' and pspace_no_overlap' ptr sz\ createNewCaps ty ptr n us dev \\_. ct_not_inQ\" unfolding ct_not_inQ_def - apply (rule_tac Q="\s. ksSchedulerAction s = ResumeCurrentThread + apply (rule_tac P'="\s. ksSchedulerAction s = ResumeCurrentThread \ (obj_at' (Not \ tcbQueued) (ksCurThread s) s \ valid_pspace' s \ pspace_no_overlap' ptr sz s)" in hoare_pre_imp, clarsimp) 
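Review bot: In createNewCaps_idle' the last alternative of the repeated method changes from `fastforce simp: curDomain_def` to `clarsimp simp: curDomain_def`, which alters what the `( ... )+` loop accepts: `fastforce` only succeeds by closing a subgoal, whereas `clarsimp` succeeds on any simplification, so the loop can now make partial progress on a subgoal it does not close and leave a transformed residue for `done` to reject. The proof is still checked end to end, so this is not a soundness concern, but a future breakage will surface as an unrelated leftover goal rather than at the alternative that used to discharge it. Dropping `including classic_wp_pre` together with the `wp` → `wpsimp` switch is a separate change that presumably relies on wpsimp's own precondition weakening; a one-line comment such as `(* wpsimp performs the precondition weakening that classic_wp_pre used to provide *)`, or a sentence in the commit message, would record why the two moved together. The enclosing proof of createNewCaps_idle' starts before the hunk.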
@@ -5200,7 +5197,7 @@ lemma createObjects_no_cte_valid_global: createObjects ptr n val gbits \\rv s. valid_global_refs' s\" apply (simp add: valid_global_refs'_def valid_cap_sizes'_def valid_refs'_def) - apply (rule_tac Q="\rv s. \ptr. \ cte_wp_at' (\cte. (kernel_data_refs \ capRange (cteCap cte) \ {} + apply (rule_tac Q'="\rv s. \ptr. \ cte_wp_at' (\cte. (kernel_data_refs \ capRange (cteCap cte) \ {} \ 2 ^ capBits (cteCap cte) > gsMaxObjectSize s)) ptr s \ global_refs' s \ kernel_data_refs" in hoare_post_imp) apply (auto simp: cte_wp_at_ctes_of linorder_not_less elim!: ranE)[1] @@ -5331,7 +5328,7 @@ lemma createObjects_cur': cur_tcb' s\ createObjects ptr n val gbits \\rv s. cur_tcb' s\" - apply (rule hoare_post_imp [where Q="\rv s. \t. ksCurThread s = t \ tcb_at' t s"]) + apply (rule hoare_post_imp[where Q'="\rv s. \t. ksCurThread s = t \ tcb_at' t s"]) apply (simp add: cur_tcb'_def) apply (wp hoare_vcg_ex_lift createObjects_orig_obj_at3) apply (clarsimp simp: cur_tcb'_def) @@ -5424,7 +5421,7 @@ proof - createObjects ptr n val gbits \\_. ct_not_inQ\" (is "\ _; _ \ \ \\s. ct_not_inQ s \ ?REST s\ _ \_\") apply (simp add: ct_not_inQ_def) - apply (rule_tac Q="\s. (ksSchedulerAction s = ResumeCurrentThread) \ + apply (rule_tac P'="\s. (ksSchedulerAction s = ResumeCurrentThread) \ (obj_at' (Not \ tcbQueued) (ksCurThread s) s \ ?REST s)" in hoare_pre_imp, clarsimp) apply (rule hoare_convert_imp [OF createObjects_nosch]) diff --git a/proof/refine/X64/Schedule_R.thy b/proof/refine/X64/Schedule_R.thy index ddd108b9b7..fb37c1c16b 100644 --- a/proof/refine/X64/Schedule_R.thy +++ b/proof/refine/X64/Schedule_R.thy 
@@ -597,7 +597,7 @@ lemma tcbSchedDequeue_valid_mdb'[wp]: "\valid_mdb' and valid_objs'\ tcbSchedDequeue tcbPtr \\_. valid_mdb'\" unfolding tcbSchedDequeue_def apply (wpsimp simp: bitmap_fun_defs setQueue_def wp: threadSet_mdb' tcbQueueRemove_valid_mdb') - apply (rule_tac Q="\_. tcb_at' tcbPtr" in hoare_post_imp) + apply (rule_tac Q'="\_. tcb_at' tcbPtr" in hoare_post_imp) apply (fastforce simp: tcb_cte_cases_def cteSizeBits_def) apply (wpsimp wp: threadGet_wp)+ apply (fastforce simp: obj_at'_def) @@ -903,7 +903,7 @@ lemma tcbSchedDequeue_not_tcbQueued: "\\\ tcbSchedDequeue t \\_. obj_at' (\x. \ tcbQueued x) t\" apply (simp add: tcbSchedDequeue_def) apply (wp|clarsimp)+ - apply (rule_tac Q="\queued. obj_at' (\x. tcbQueued x = queued) t" in hoare_post_imp) + apply (rule_tac Q'="\queued. obj_at' (\x. tcbQueued x = queued) t" in hoare_post_imp) apply (clarsimp simp: obj_at'_def) apply (wpsimp wp: threadGet_wp)+ apply (clarsimp simp: obj_at'_def) @@ -1905,13 +1905,13 @@ lemma schedule_corres: apply (clarsimp simp: conj_ac cong: conj_cong) apply wp - apply (rule_tac Q="\_ s. valid_blocked_except t s \ scheduler_action s = switch_thread t" + apply (rule_tac Q'="\_ s. valid_blocked_except t s \ scheduler_action s = switch_thread t" in hoare_post_imp, fastforce) apply (wp add: tcb_sched_action_enqueue_valid_blocked_except tcbSchedEnqueue_invs'_not_ResumeCurrentThread thread_get_wp del: gets_wp | strengthen valid_objs'_valid_tcbs')+ - apply (clarsimp simp: conj_ac if_apply_def2 cong: imp_cong conj_cong del: hoare_gets) + apply (clarsimp simp: conj_ac if_apply_def2 cong: imp_cong conj_cong) apply (wp gets_wp)+ (* abstract final subgoal *) 
@@ -2173,7 +2173,7 @@ lemma schedule_invs': apply (wpsimp wp: scheduleChooseNewThread_invs' ssa_invs' chooseThread_invs_no_cicd' setSchedulerAction_invs' setSchedulerAction_direct switchToThread_tcb_in_cur_domain' switchToThread_ct_not_queued_2 - | wp hoare_disjI2[where R="\_ s. tcb_in_cur_domain' (ksCurThread s) s"] + | wp hoare_disjI2[where Q'="\_ s. tcb_in_cur_domain' (ksCurThread s) s"] | wp hoare_drop_imp[where f="isHighestPrio d p" for d p] | simp only: obj_at'_activatable_st_tcb_at'[simplified comp_def] | strengthen invs'_invs_no_cicd diff --git a/proof/refine/X64/SubMonad_R.thy b/proof/refine/X64/SubMonad_R.thy index f7398e8eac..a591ba5320 100644 --- a/proof/refine/X64/SubMonad_R.thy +++ b/proof/refine/X64/SubMonad_R.thy @@ -76,7 +76,7 @@ lemma threadSet_modify_asUser: apply (clarsimp simp: threadSet_def setObject_def split_def updateObject_default_def) apply wp - apply (rule_tac Q="\rv. obj_at' ((=) rv) t and ((=) st)" in hoare_post_imp) + apply (rule_tac Q'="\rv. obj_at' ((=) rv) t and ((=) st)" in hoare_post_imp) apply (clarsimp simp: asUser_replace_def Let_def obj_at'_def projectKOs fun_upd_def split: option.split kernel_object.split) diff --git a/proof/refine/X64/Syscall_R.thy b/proof/refine/X64/Syscall_R.thy index ebc110e4cc..bc54db1691 100644 --- a/proof/refine/X64/Syscall_R.thy +++ b/proof/refine/X64/Syscall_R.thy @@ -339,7 +339,7 @@ lemma threadSet_tcbDomain_update_sch_act_wf[wp]: apply (wps setObject_sa_unchanged) apply (wp hoare_weak_lift_imp getObject_tcb_wp hoare_vcg_all_lift)+ apply (rename_tac word) - apply (rule_tac Q="\_ s. ksSchedulerAction s = SwitchToThread word \ + apply (rule_tac Q'="\_ s. ksSchedulerAction s = SwitchToThread word \ st_tcb_at' runnable' word s \ tcb_in_cur_domain' word s \ word \ t" in hoare_strengthen_post) apply (wp hoare_vcg_all_lift hoare_vcg_conj_lift hoare_vcg_imp_lift)+ 
@@ -376,20 +376,20 @@ lemma setDomain_corres: apply ((wpsimp wp: hoare_vcg_imp_lift' ethread_set_not_queued_valid_queues hoare_vcg_all_lift | strengthen valid_objs'_valid_tcbs' valid_queues_in_correct_ready_q valid_queues_ready_qs_distinct)+)[1] - apply (rule_tac Q="\_. valid_objs' and sym_heap_sched_pointers and valid_sched_pointers + apply (rule_tac Q'="\_. valid_objs' and sym_heap_sched_pointers and valid_sched_pointers and pspace_aligned' and pspace_distinct' and (\s. sch_act_wf (ksSchedulerAction s) s) and tcb_at' tptr" in hoare_strengthen_post[rotated]) apply (fastforce simp: invs'_def valid_state'_def sch_act_wf_weak st_tcb_at'_def o_def) apply (wpsimp wp: threadSet_valid_objs' threadSet_sched_pointers threadSet_valid_sched_pointers)+ - apply (rule_tac Q="\_ s. valid_queues s \ not_queued tptr s + apply (rule_tac Q'="\_ s. valid_queues s \ not_queued tptr s \ pspace_aligned s \ pspace_distinct s \ valid_etcbs s \ weak_valid_sched_action s" in hoare_post_imp) apply (fastforce simp: pred_tcb_at_def obj_at_def) apply (wpsimp wp: tcb_dequeue_not_queued) - apply (rule_tac Q = "\_ s. invs' s \ obj_at' (Not \ tcbQueued) tptr s \ sch_act_simple s + apply (rule_tac Q'="\_ s. invs' s \ obj_at' (Not \ tcbQueued) tptr s \ sch_act_simple s \ tcb_at' tptr s" in hoare_strengthen_post[rotated]) apply (clarsimp simp: invs'_def valid_state'_def valid_pspace'_def sch_act_simple_def) @@ -796,7 +796,7 @@ lemma doReply_invs[wp]: apply simp apply (wp (once) sts_st_tcb') apply wp - apply (rule_tac Q="\_ s. invs' s \ t \ ksIdleThread s \ st_tcb_at' awaiting_reply' t s" + apply (rule_tac Q'="\_ s. invs' s \ t \ ksIdleThread s \ st_tcb_at' awaiting_reply' t s" in hoare_post_imp) apply clarsimp apply (rule conjI, erule pred_tcb'_weakenE, case_tac st, clarsimp+) 
@@ -809,7 +809,7 @@ lemma doReply_invs[wp]: apply (case_tac st, clarsimp+) apply (wp cteDeleteOne_reply_pred_tcb_at)+ apply clarsimp - apply (rule_tac Q="\_. (\s. t \ ksIdleThread s) + apply (rule_tac Q'="\_. (\s. t \ ksIdleThread s) and cte_wp_at' (\cte. \grant. cteCap cte = capability.ReplyCap t False grant) slot" in hoare_strengthen_post [rotated]) @@ -821,7 +821,7 @@ lemma doReply_invs[wp]: apply (erule cte_wp_at_weakenE') apply (fastforce) apply (wp sts_invs_minor'' sts_st_tcb' hoare_weak_lift_imp) - apply (rule_tac Q="\_ s. invs' s \ sch_act_simple s + apply (rule_tac Q'="\_ s. invs' s \ sch_act_simple s \ st_tcb_at' awaiting_reply' t s \ t \ ksIdleThread s" in hoare_post_imp) @@ -836,7 +836,7 @@ lemma doReply_invs[wp]: apply (case_tac st, clarsimp+) apply (wp threadSet_invs_trivial threadSet_st_tcb_at2 hoare_weak_lift_imp | clarsimp simp add: inQ_def)+ - apply (rule_tac Q="\_. invs' and tcb_at' t + apply (rule_tac Q'="\_. invs' and tcb_at' t and sch_act_simple and st_tcb_at' awaiting_reply' t" in hoare_strengthen_post [rotated]) apply clarsimp @@ -946,7 +946,7 @@ lemma setDomain_invs': apply (simp add:setDomain_def ) apply (wp add: when_wp hoare_weak_lift_imp hoare_weak_lift_imp_conj rescheduleRequired_all_invs_but_extra tcbSchedEnqueue_valid_action hoare_vcg_if_lift2) - apply (rule_tac Q = "\r s. all_invs_but_sch_extra s \ curThread = ksCurThread s + apply (rule_tac Q'="\r s. all_invs_but_sch_extra s \ curThread = ksCurThread s \ (ptr \ curThread \ ct_not_inQ s \ sch_act_wf (ksSchedulerAction s) s \ ct_idle_or_in_cur_domain' s)" in hoare_strengthen_post[rotated]) apply (clarsimp simp:invs'_def valid_state'_def st_tcb_at'_def[symmetric] valid_pspace'_def) 
@@ -958,7 +958,7 @@ lemma setDomain_invs': apply assumption apply (wp hoare_weak_lift_imp threadSet_pred_tcb_no_state threadSet_not_curthread_ct_domain threadSet_tcbDomain_update_ct_not_inQ | simp)+ - apply (rule_tac Q = "\r s. invs' s \ curThread = ksCurThread s \ sch_act_simple s + apply (rule_tac Q'="\r s. invs' s \ curThread = ksCurThread s \ sch_act_simple s \ domain \ maxDomain \ (ptr \ curThread \ ct_not_inQ s \ sch_act_not ptr s)" in hoare_strengthen_post[rotated]) @@ -1198,7 +1198,7 @@ lemma handleInvocation_corres: apply (simp cong: conj_cong) apply (simp cong: rev_conj_cong) apply (wpsimp wp: hoare_drop_imps)+ - apply (rule_tac Q="\rv. einvs and schact_is_rct and valid_invocation rve + apply (rule_tac Q'="\rv. einvs and schact_is_rct and valid_invocation rve and (\s. thread = cur_thread s) and st_tcb_at active thread" in hoare_post_imp) @@ -1206,7 +1206,7 @@ lemma handleInvocation_corres: elim!: st_tcb_weakenE) apply (wp sts_st_tcb_at' set_thread_state_schact_is_rct set_thread_state_active_valid_sched) - apply (rule_tac Q="\rv. invs' and valid_invocation' rve' + apply (rule_tac Q'="\rv. invs' and valid_invocation' rve' and (\s. thread = ksCurThread s) and st_tcb_at' active' thread and (\s. ksSchedulerAction s = ResumeCurrentThread)" @@ -1218,7 +1218,7 @@ lemma handleInvocation_corres: apply (wp lec_caps_to lsft_ex_cte_cap_to | simp add: split_def liftE_bindE[symmetric] ct_in_state'_def ball_conj_distrib - | rule hoare_vcg_E_elim)+ + | rule hoare_vcg_conj_elimE)+ apply (clarsimp simp: tcb_at_invs invs_valid_objs valid_tcb_state_def ct_in_state_def simple_from_active invs_mdb) 
@@ -1287,7 +1287,7 @@ lemma hinv_invs'[wp]: apply (clarsimp simp: valid_idle'_def valid_state'_def invs'_def pred_tcb_at'_def obj_at'_def idle_tcb'_def) apply wp+ - apply (rule_tac Q="\rv'. invs' and valid_invocation' rv + apply (rule_tac Q'="\rv'. invs' and valid_invocation' rv and (\s. ksSchedulerAction s = ResumeCurrentThread) and (\s. ksCurThread s = thread) and st_tcb_at' active' thread" @@ -1489,7 +1489,7 @@ lemma handleRecv_isBlocking_corres': apply (rule handleFault_corres) apply simp apply (wp get_simple_ko_wp | wpcw | simp)+ - apply (rule hoare_vcg_E_elim) + apply (rule hoare_vcg_conj_elimE) apply (simp add: lookup_cap_def lookup_slot_for_thread_def) apply wp apply (simp add: split_def) @@ -1537,14 +1537,14 @@ lemma hw_invs'[wp]: deleteCallerCap_ct'] | wpc | simp add: ct_in_state'_def whenE_def split del: if_split)+ apply (rule validE_validE_R) - apply (rule_tac Q="\rv s. invs' s + apply (rule_tac Q'="\rv s. invs' s \ sch_act_sane s \ thread = ksCurThread s \ ct_in_state' simple' s \ ex_nonz_cap_to' thread s \ thread \ ksIdleThread s \ (\x \ zobj_refs' rv. ex_nonz_cap_to' x s)" - and E="\_ _. True" + and E'="\_ _. True" in hoare_strengthen_postE[rotated]) apply (clarsimp simp: isCap_simps ct_in_state'_def pred_tcb_at' invs_valid_objs' sch_act_sane_not obj_at'_def projectKOs pred_tcb_at'_def) @@ -1593,7 +1593,7 @@ lemma hy_invs': "\invs' and ct_active'\ handleYield \\r. invs' and ct_active'\" apply (simp add: handleYield_def) apply (wpsimp wp: ct_in_state_thread_state_lift' rescheduleRequired_all_invs_but_ct_not_inQ) - apply (rule_tac Q="\_. all_invs_but_ct_not_inQ' and ct_active'" in hoare_post_imp) + apply (rule_tac Q'="\_. all_invs_but_ct_not_inQ' and ct_active'" in hoare_post_imp) apply clarsimp apply (subst pred_conj_def) apply (rule hoare_vcg_conj_lift) 
@@ -1810,7 +1810,7 @@ lemma handleReply_nonz_cap_to_ct: "\ct_active' and invs' and sch_act_simple\ handleReply \\rv s. ex_nonz_cap_to' (ksCurThread s) s\" - apply (rule_tac Q="\rv. ct_active' and invs'" + apply (rule_tac Q'="\rv. ct_active' and invs'" in hoare_post_imp) apply (auto simp: ct_in_state'_def elim: st_tcb_ex_cap'')[1] apply (wp | simp)+ @@ -1924,7 +1924,7 @@ proof - apply (rule handleVMFault_corres) apply (erule handleFault_corres) apply (rule hoare_elim_pred_conjE2) - apply (rule hoare_vcg_E_conj, rule valid_validE_E, wp) + apply (rule hoare_vcg_conj_liftE_E, rule valid_validE_E, wp) apply (wp handle_vm_fault_valid_fault) apply (rule hv_inv_ex') apply wp diff --git a/proof/refine/X64/TcbAcc_R.thy b/proof/refine/X64/TcbAcc_R.thy index 08a7a21bd0..9bba6cdaea 100644 --- a/proof/refine/X64/TcbAcc_R.thy +++ b/proof/refine/X64/TcbAcc_R.thy @@ -1039,7 +1039,7 @@ lemma threadSet_obj_at'_really_strongest: apply (simp add: threadSet_def) apply (wp setObject_tcb_strongest) apply (subst simp_thms(32)[symmetric], rule hoare_vcg_disj_lift) - apply (rule hoare_post_imp [where Q="\rv s. \ tcb_at' t s \ tcb_at' t s"]) + apply (rule hoare_post_imp[where Q'="\rv s. \ tcb_at' t s \ tcb_at' t s"]) apply simp apply (subst simp_thms(21)[symmetric], rule hoare_vcg_conj_lift) apply (rule getObject_inv_tcb) @@ -1126,7 +1126,7 @@ proof - show ?thesis apply (rule_tac P=P in P_bool_lift) apply (rule pos) - apply (rule_tac Q="\_ s. \ tcb_at' t' s \ pred_tcb_at' proj (\tcb. \ P' tcb) t' s" + apply (rule_tac Q'="\_ s. \ tcb_at' t' s \ pred_tcb_at' proj (\tcb. \ P' tcb) t' s" in hoare_post_imp) apply (erule disjE) apply (clarsimp dest!: pred_tcb_at') 
@@ -3271,7 +3271,7 @@ lemma sts_valid_objs': setThreadState st t \\_. valid_objs'\" apply (wpsimp simp: setThreadState_def wp: threadSet_valid_objs') - apply (rule_tac Q="\_. valid_objs' and pspace_aligned' and pspace_distinct'" in hoare_post_imp) + apply (rule_tac Q'="\_. valid_objs' and pspace_aligned' and pspace_distinct'" in hoare_post_imp) apply fastforce apply (wpsimp wp: threadSet_valid_objs') apply (simp add: valid_tcb'_def tcb_cte_cases_def cteSizeBits_def) @@ -3527,7 +3527,7 @@ lemma sts_sch_act': apply assumption apply (case_tac "runnable' st") apply ((wp threadSet_runnable_sch_act hoare_drop_imps | simp)+)[1] - apply (rule_tac Q="\rv s. st_tcb_at' (Not \ runnable') t s \ + apply (rule_tac Q'="\rv s. st_tcb_at' (Not \ runnable') t s \ (ksCurThread s \ t \ ksSchedulerAction s \ ResumeCurrentThread \ sch_act_wf (ksSchedulerAction s) s)" in hoare_post_imp) @@ -3547,10 +3547,10 @@ lemma sts_sch_act[wp]: prefer 2 apply assumption apply (case_tac "runnable' st") - apply (rule_tac Q="\s. sch_act_wf (ksSchedulerAction s) s" + apply (rule_tac P'="\s. sch_act_wf (ksSchedulerAction s) s" in hoare_pre_imp, simp) apply ((wp hoare_drop_imps threadSet_runnable_sch_act | simp)+)[1] - apply (rule_tac Q="\rv s. st_tcb_at' (Not \ runnable') t s \ + apply (rule_tac Q'="\rv s. st_tcb_at' (Not \ runnable') t s \ (ksCurThread s \ t \ ksSchedulerAction s \ ResumeCurrentThread \ sch_act_wf (ksSchedulerAction s) s)" in hoare_post_imp) @@ -3826,7 +3826,7 @@ lemma addToBitmap_valid_bitmapQ: addToBitmap d p \\_. valid_bitmapQ\" (is "\?pre\ _ \_\") - apply (rule_tac Q="\_ s. ?pre s \ bitmapQ d p s" in hoare_strengthen_post) + apply (rule_tac Q'="\_ s. ?pre s \ bitmapQ d p s" in hoare_strengthen_post) apply (wpsimp wp: addToBitmap_valid_bitmapQ_except addToBitmap_bitmapQ) apply (fastforce elim: valid_bitmap_valid_bitmapQ_exceptE) done 
@@ -4535,7 +4535,7 @@ lemma ct_in_state'_decomp: assumes x: "\\s. t = (ksCurThread s)\ f \\rv s. t = (ksCurThread s)\" assumes y: "\Pre\ f \\rv. st_tcb_at' Prop t\" shows "\\s. Pre s \ t = (ksCurThread s)\ f \\rv. ct_in_state' Prop\" - apply (rule hoare_post_imp [where Q="\rv s. t = ksCurThread s \ st_tcb_at' Prop t s"]) + apply (rule hoare_post_imp[where Q'="\rv s. t = ksCurThread s \ st_tcb_at' Prop t s"]) apply (clarsimp simp add: ct_in_state'_def) apply (rule hoare_weaken_pre) apply (wp x y) @@ -4606,7 +4606,7 @@ lemma setQueue_pred_tcb_at[wp]: unfolding pred_tcb_at'_def apply (rule_tac P=P' in P_bool_lift) apply (rule setQueue_obj_at) - apply (rule_tac Q="\_ s. \typ_at' TCBT t s \ obj_at' (Not \ (P \ proj \ tcb_to_itcb')) t s" + apply (rule_tac Q'="\_ s. \typ_at' TCBT t s \ obj_at' (Not \ (P \ proj \ tcb_to_itcb')) t s" in hoare_post_imp, simp add: not_obj_at' o_def) apply (wp hoare_vcg_disj_lift) apply (clarsimp simp: not_obj_at' o_def) @@ -4870,7 +4870,7 @@ lemma sts_iflive'[wp]: \\rv. if_live_then_nonz_cap'\" apply (simp add: setThreadState_def setQueue_def) apply wpsimp - apply (rule_tac Q="\rv. if_live_then_nonz_cap' and pspace_aligned' and pspace_distinct'" + apply (rule_tac Q'="\rv. if_live_then_nonz_cap' and pspace_aligned' and pspace_distinct'" in hoare_post_imp) apply clarsimp apply (wpsimp wp: threadSet_iflive') @@ -5015,7 +5015,7 @@ lemma tcbSchedEnqueue_ct_not_inQ: proof - have ts: "\?PRE\ threadSet (tcbQueued_update (\_. True)) t \\_. ct_not_inQ\" apply (simp add: ct_not_inQ_def) - apply (rule_tac Q="\s. ksSchedulerAction s = ResumeCurrentThread + apply (rule_tac P'="\s. ksSchedulerAction s = ResumeCurrentThread \ obj_at' (Not \ tcbQueued) (ksCurThread s) s \ ksCurThread s \ t" in hoare_pre_imp, clarsimp) apply (rule hoare_convert_imp [OF threadSet_nosch]) 
@@ -5042,7 +5042,7 @@ lemma tcbSchedAppend_ct_not_inQ: proof - have ts: "\?PRE\ threadSet (tcbQueued_update (\_. True)) t \\_. ct_not_inQ\" apply (simp add: ct_not_inQ_def) - apply (rule_tac Q="\s. ksSchedulerAction s = ResumeCurrentThread + apply (rule_tac P'="\s. ksSchedulerAction s = ResumeCurrentThread \ obj_at' (Not \ tcbQueued) (ksCurThread s) s \ ksCurThread s \ t" in hoare_pre_imp, clarsimp) apply (rule hoare_convert_imp [OF threadSet_nosch]) @@ -5069,7 +5069,7 @@ lemma setSchedulerAction_direct: lemma rescheduleRequired_ct_not_inQ: "\\\ rescheduleRequired \\_. ct_not_inQ\" apply (simp add: rescheduleRequired_def ct_not_inQ_def) - apply (rule_tac Q="\_ s. ksSchedulerAction s = ChooseNewThread" + apply (rule_tac Q'="\_ s. ksSchedulerAction s = ChooseNewThread" in hoare_post_imp, clarsimp) apply (wp setSchedulerAction_direct) done @@ -5133,7 +5133,7 @@ lemma setThreadState_ct_not_inQ: including no_pre apply (simp add: setThreadState_def) apply (wp rescheduleRequired_ct_not_inQ) - apply (rule_tac Q="\_. ?PRE" in hoare_post_imp, clarsimp) + apply (rule_tac Q'="\_. ?PRE" in hoare_post_imp, clarsimp) apply (wp) done @@ -5292,7 +5292,7 @@ lemma removeFromBitmap_valid_bitmapQ[wp]: removeFromBitmap d p \\_. valid_bitmapQ\" (is "\?pre\ _ \_\") - apply (rule_tac Q="\_ s. ?pre s \ \ bitmapQ d p s" in hoare_strengthen_post) + apply (rule_tac Q'="\_ s. ?pre s \ \ bitmapQ d p s" in hoare_strengthen_post) apply (wpsimp wp: removeFromBitmap_valid_bitmapQ_except removeFromBitmap_bitmapQ) apply (fastforce elim: valid_bitmap_valid_bitmapQ_exceptE) done diff --git a/proof/refine/X64/Tcb_R.thy b/proof/refine/X64/Tcb_R.thy index bfeb3d01da..0c29dad57c 100644 --- a/proof/refine/X64/Tcb_R.thy +++ b/proof/refine/X64/Tcb_R.thy 
@@ -81,7 +81,7 @@ abbreviation lemma gts_st_tcb': "\tcb_at' t\ getThreadState t \\rv. st_tcb_at' (\st. st = rv) t\" apply (rule hoare_weaken_pre) - apply (rule hoare_post_imp[where Q="\rv s. \rv'. rv = rv' \ st_tcb_at' (\st. st = rv') t s"]) + apply (rule hoare_post_imp[where Q'="\rv s. \rv'. rv = rv' \ st_tcb_at' (\st. st = rv') t s"]) apply simp apply (wp hoare_vcg_ex_lift) apply (clarsimp simp add: pred_tcb_at'_def obj_at'_def) @@ -107,15 +107,15 @@ lemma activate_invs': apply (case_tac rv, simp_all add: isTS_defs) apply (wp) apply (clarsimp simp: ct_in_state'_def) - apply (rule_tac Q="\rv. invs' and ct_idle'" in hoare_post_imp, simp) + apply (rule_tac Q'="\rv. invs' and ct_idle'" in hoare_post_imp, simp) apply (wp activateIdle_invs) apply (clarsimp simp: ct_in_state'_def) - apply (rule_tac Q="\rv. invs' and ct_running' and sch_act_simple" + apply (rule_tac Q'="\rv. invs' and ct_running' and sch_act_simple" in hoare_post_imp, simp) apply (rule hoare_weaken_pre) apply (wp ct_in_state'_set asUser_ct sts_invs_minor' | wp (once) sch_act_simple_lift)+ - apply (rule_tac Q="\_. st_tcb_at' runnable' thread + apply (rule_tac Q'="\_. st_tcb_at' runnable' thread and sch_act_simple and invs' and (\s. thread = ksCurThread s)" in hoare_post_imp, clarsimp) @@ -193,7 +193,7 @@ lemma setupReplyMaster_weak_sch_act_wf[wp]: \\rv s. weak_sch_act_wf (ksSchedulerAction s) s\" apply (simp add: setupReplyMaster_def) apply (wp) - apply (rule_tac Q="\_ s. weak_sch_act_wf (ksSchedulerAction s) s" + apply (rule_tac Q'="\_ s. weak_sch_act_wf (ksSchedulerAction s) s" in hoare_post_imp, clarsimp) apply (wp)+ apply assumption 
@@ -219,11 +219,11 @@ lemma restart_corres: apply (wp set_thread_state_runnable_weak_valid_sched_action sts_st_tcb_at' sts_st_tcb' sts_valid_objs' | clarsimp simp: valid_tcb_state'_def | strengthen valid_objs'_valid_tcbs')+ - apply (rule_tac Q="\rv. valid_sched and cur_tcb and pspace_aligned and pspace_distinct" + apply (rule_tac Q'="\rv. valid_sched and cur_tcb and pspace_aligned and pspace_distinct" in hoare_strengthen_post) apply wp apply (fastforce simp: valid_sched_def valid_sched_action_def) - apply (rule_tac Q="\rv. invs' and ex_nonz_cap_to' t" in hoare_strengthen_post) + apply (rule_tac Q'="\rv. invs' and ex_nonz_cap_to' t" in hoare_strengthen_post) apply wp apply (clarsimp simp: invs'_def valid_state'_def sch_act_wf_weak valid_pspace'_def valid_tcb_state'_def) @@ -365,10 +365,10 @@ lemma invokeTCB_WriteRegisters_corres: valid_sched_valid_queues valid_objs'_valid_tcbs' invs_valid_objs' | clarsimp simp: invs_def valid_state_def valid_sched_def invs'_def valid_state'_def dest!: global'_no_ex_cap idle_no_ex_cap)+)[2] - apply (rule_tac Q="\_. einvs and tcb_at dest and ex_nonz_cap_to dest" in hoare_post_imp) + apply (rule_tac Q'="\_. einvs and tcb_at dest and ex_nonz_cap_to dest" in hoare_post_imp) apply (fastforce simp: invs_def valid_sched_weak_strg valid_sched_def valid_state_def dest!: idle_no_ex_cap) prefer 2 - apply (rule_tac Q="\_. invs' and tcb_at' dest and ex_nonz_cap_to' dest" in hoare_post_imp) + apply (rule_tac Q'="\_. invs' and tcb_at' dest and ex_nonz_cap_to' dest" in hoare_post_imp) apply (fastforce simp: sch_act_wf_weak invs'_def valid_state'_def dest!: global'_no_ex_cap) apply wpsimp+ apply fastforce 
@@ -476,10 +476,10 @@ proof - apply (rule_tac P=\ and P'=\ in corres_inst) apply simp apply ((solves \wpsimp wp: hoare_weak_lift_imp\)+) - apply (rule_tac Q="\_. einvs and tcb_at dest" in hoare_post_imp) + apply (rule_tac Q'="\_. einvs and tcb_at dest" in hoare_post_imp) apply (fastforce simp: invs_def valid_sched_weak_strg valid_sched_def) prefer 2 - apply (rule_tac Q="\_. invs' and tcb_at' dest" in hoare_post_imp) + apply (rule_tac Q'="\_. invs' and tcb_at' dest" in hoare_post_imp) apply (fastforce simp: invs'_def valid_state'_def invs_weak_sch_act_wf cur_tcb'_def) apply ((wp mapM_x_wp' hoare_weak_lift_imp | simp flip: cur_tcb'_def)+)[8] apply ((wp hoare_weak_lift_imp restart_invs' | wpc | @@ -552,7 +552,7 @@ lemma tcbSchedDequeue_not_queued: \\rv. obj_at' (Not \ tcbQueued) t\" apply (simp add: tcbSchedDequeue_def) apply (wp | simp)+ - apply (rule_tac Q="\rv. obj_at' (\obj. tcbQueued obj = rv) t" + apply (rule_tac Q'="\rv. obj_at' (\obj. tcbQueued obj = rv) t" in hoare_post_imp) apply (clarsimp simp: obj_at'_def) apply (wp tg_sp' [where P=\, simplified] | simp)+ @@ -1467,7 +1467,7 @@ proof - have B: "\t v. \invs' and tcb_at' t\ threadSet (tcbFaultHandler_update v) t \\rv. invs'\" by (wp threadSet_invs_trivial | clarsimp simp: inQ_def)+ note stuff = Z B out_invs_trivial hoare_case_option_wp - hoare_vcg_const_Ball_lift hoare_vcg_const_Ball_lift_R + hoare_vcg_const_Ball_lift hoare_vcg_const_Ball_liftE_R cap_delete_deletes cap_delete_valid_cap out_valid_objs cap_insert_objs cteDelete_deletes cteDelete_sch_act_simple @@ -1502,7 +1502,7 @@ proof - apply (rule corres_returnOkTT, simp) apply wp apply wp - apply (wpsimp wp: hoare_vcg_const_imp_lift_R hoare_vcg_const_imp_lift + apply (wpsimp wp: hoare_vcg_const_imp_liftE_R hoare_vcg_const_imp_lift hoare_vcg_all_liftE_R hoare_vcg_all_lift as_user_invs thread_set_ipc_tcb_cap_valid thread_set_tcb_ipc_buffer_cap_cleared_invs 
@@ -1523,7 +1523,7 @@ proof - threadSet_invs_tcbIPCBuffer_update threadSet_cte_wp_at' | strengthen simple_sched_action_sched_act_not)+ apply ((wpsimp wp: stuff hoare_vcg_all_liftE_R hoare_vcg_all_lift - hoare_vcg_const_imp_lift_R hoare_vcg_const_imp_lift + hoare_vcg_const_imp_liftE_R hoare_vcg_const_imp_lift threadSet_valid_objs' thread_set_not_state_valid_sched thread_set_tcb_ipc_buffer_cap_cleared_invs thread_set_cte_wp_at_trivial thread_set_no_cap_to_trivial getThreadBufferSlot_dom_tcb_cte_cases @@ -1559,7 +1559,7 @@ proof - in hoare_strengthen_postE_R[simplified validE_R_def, rotated]) apply (case_tac g'; clarsimp simp: isCap_simps ; clarsimp elim: invs_valid_objs' cong:imp_cong) apply (wp add: stuff hoare_vcg_all_liftE_R hoare_vcg_all_lift - hoare_vcg_const_imp_lift_R hoare_vcg_const_imp_lift setMCPriority_invs' + hoare_vcg_const_imp_liftE_R hoare_vcg_const_imp_lift setMCPriority_invs' threadSet_valid_objs' thread_set_not_state_valid_sched setP_invs' typ_at_lifts [OF setPriority_typ_at'] typ_at_lifts [OF setMCPriority_typ_at'] 
@@ -1637,15 +1637,15 @@ lemma tc_invs': apply (wpsimp wp: hoare_weak_lift_imp hoare_vcg_all_lift checkCap_inv[where P="tcb_at' t" for t] assertDerived_wp_weak threadSet_invs_trivial2 threadSet_tcb' hoare_vcg_all_lift threadSet_cte_wp_at')+ - apply (wpsimp wp: hoare_weak_lift_imp_R cteDelete_deletes - hoare_vcg_all_liftE_R hoare_vcg_conj_liftE1 hoare_vcg_const_imp_lift_R hoare_vcg_propE_R + apply (wpsimp wp: hoare_weak_lift_impE_R cteDelete_deletes + hoare_vcg_all_liftE_R hoare_vcg_conj_liftE1 hoare_vcg_const_imp_liftE_R hoare_vcg_propE_R cteDelete_invs' cteDelete_invs' cteDelete_typ_at'_lifts)+ apply (assumption | clarsimp cong: conj_cong imp_cong | (rule case_option_wp_None_returnOk) | wpsimp wp: hoare_weak_lift_imp hoare_vcg_all_lift checkCap_inv[where P="tcb_at' t" for t] assertDerived_wp_weak hoare_vcg_imp_lift' hoare_vcg_all_lift checkCap_inv[where P="tcb_at' t" for t] checkCap_inv[where P="valid_cap' c" for c] checkCap_inv[where P=sch_act_simple] - hoare_vcg_const_imp_lift_R assertDerived_wp_weak hoare_weak_lift_imp_R cteDelete_deletes - hoare_vcg_all_liftE_R hoare_vcg_conj_liftE1 hoare_vcg_const_imp_lift_R hoare_vcg_propE_R + hoare_vcg_const_imp_liftE_R assertDerived_wp_weak hoare_weak_lift_impE_R cteDelete_deletes + hoare_vcg_all_liftE_R hoare_vcg_conj_liftE1 hoare_vcg_const_imp_liftE_R hoare_vcg_propE_R cteDelete_invs' cteDelete_typ_at'_lifts cteDelete_sch_act_simple)+ apply (clarsimp simp: tcb_cte_cases_def cte_level_bits_def objBits_defs tcbIPCBufferSlot_def) by (auto dest!: isCapDs isReplyCapD isValidVTableRootD simp: isCap_simps) @@ -2727,7 +2727,7 @@ lemma inv_tcb_IRQInactive: apply (rule hoare_pre) apply (wpc | wp withoutPreemption_R cteDelete_IRQInactive checkCap_inv - hoare_vcg_const_imp_lift_R cteDelete_irq_states' + hoare_vcg_const_imp_liftE_R cteDelete_irq_states' hoare_vcg_const_imp_lift | simp add: split_def)+ done diff --git a/proof/refine/X64/Untyped_R.thy b/proof/refine/X64/Untyped_R.thy index a8ff388f96..0102c32122 100644 
--- a/proof/refine/X64/Untyped_R.thy +++ b/proof/refine/X64/Untyped_R.thy @@ -397,7 +397,7 @@ next apply (simp add: unat_arith_simps) apply wp+ apply clarsimp - apply (rule hoare_strengthen_post [where Q = "\r. invs and valid_cap r and cte_at slot"]) + apply (rule hoare_strengthen_post[where Q'="\r. invs and valid_cap r and cte_at slot"]) apply wp+ apply (clarsimp simp: is_cap_simps bits_of_def cap_aligned_def valid_cap_def word_bits_def) @@ -405,7 +405,7 @@ next apply (strengthen refl exI[mk_strg I E] exI[where x=d])+ apply simp apply wp+ - apply (rule hoare_strengthen_post [where Q = "\r. invs' and cte_at' (cte_map slot)"]) + apply (rule hoare_strengthen_post[where Q'="\r. invs' and cte_at' (cte_map slot)"]) apply wp+ apply (clarsimp simp:invs_pspace_aligned' invs_pspace_distinct') apply (wp whenE_throwError_wp | wp (once) hoare_drop_imps)+ @@ -3261,7 +3261,7 @@ lemma createNewCaps_parent_helper: (\tup\set (zip (xs rv) rv). sameRegionAs (cteCap cte) (snd tup))) p\" - apply (rule hoare_post_imp [where Q="\rv s. \cte. cte_wp_at' ((=) cte) p s + apply (rule hoare_post_imp[where Q'="\rv s. \cte. cte_wp_at' ((=) cte) p s \ isUntypedCap (cteCap cte) \ (\tup\set (zip (xs rv) rv). sameRegionAs (cteCap cte) (snd tup))"]) @@ -4647,7 +4647,7 @@ lemma resetUntypedCap_invs_etc: | strengthen invs_pspace_aligned' invs_pspace_distinct' | simp add: ct_in_state'_def sch_act_simple_def - | rule hoare_vcg_conj_lift_R + | rule hoare_vcg_conj_liftE_R | wp (once) preemptionPoint_inv | wps | wp (once) ex_cte_cap_to'_pres)+ 
@@ -5349,7 +5349,7 @@ crunch insertNewCap lemma insertNewCap_ct_idle_or_in_cur_domain'[wp]: "\ct_idle_or_in_cur_domain' and ct_active'\ insertNewCap parent slot cap \\_. ct_idle_or_in_cur_domain'\" apply (wp ct_idle_or_in_cur_domain'_lift_futz[where Q=\]) - apply (rule_tac Q="\_. obj_at' (\tcb. tcbState tcb \ Structures_H.thread_state.Inactive) t and + apply (rule_tac Q'="\_. obj_at' (\tcb. tcbState tcb \ Structures_H.thread_state.Inactive) t and obj_at' (\tcb. d = tcbDomain tcb) t" in hoare_strengthen_post) apply (wp | clarsimp elim: obj_at'_weakenE)+ diff --git a/proof/refine/X64/VSpace_R.thy b/proof/refine/X64/VSpace_R.thy index 0f97844716..b8acf56e7a 100644 --- a/proof/refine/X64/VSpace_R.thy +++ b/proof/refine/X64/VSpace_R.thy @@ -423,7 +423,7 @@ lemma deleteASIDPool_corres: apply (simp only:) apply (rule setVMRoot_corres[OF refl]) apply wp+ - apply (rule_tac R="\_ s. rv = x64_asid_table (arch_state s)" + apply (rule_tac Q'="\_ s. rv = x64_asid_table (arch_state s)" in hoare_post_add) apply (drule sym, simp only: ) apply (drule sym, simp only: ) @@ -436,7 +436,7 @@ lemma deleteASIDPool_corres: valid_vs_lookup_unmap_strg) apply (wp mapM_wp')+ apply simp - apply (rule_tac R="\_ s. rv' = x64KSASIDTable (ksArchState s)" + apply (rule_tac Q'="\_ s. rv' = x64KSASIDTable (ksArchState s)" in hoare_post_add) apply (simp only: pred_conj_def cong: conj_cong) apply simp @@ -2601,7 +2601,7 @@ lemma perform_page_invs [wp]: | wpc | clarsimp simp: performPageInvocationUnmap_def)+ apply (rename_tac acap word a b) - apply (rule_tac Q="\_. invs' and cte_wp_at' (\cte. \r R mt sz d m. cteCap cte = + apply (rule_tac Q'="\_. invs' and cte_wp_at' (\cte. \r R mt sz d m. cteCap cte = ArchObjectCap (PageCap r R mt sz d m)) word" in hoare_strengthen_post) apply (wp unmapPage_cte_wp_at') diff --git a/sys-init/DuplicateCaps_SI.thy b/sys-init/DuplicateCaps_SI.thy index 24737e6ba6..37abbb3887 100644 --- a/sys-init/DuplicateCaps_SI.thy +++ b/sys-init/DuplicateCaps_SI.thy 
@@ -189,10 +189,10 @@ lemma duplicate_cap_sep_general: apply clarsimp apply (frule well_formed_finite [where obj_id=obj_id]) apply (clarsimp simp: si_caps_at_def) - apply (rule hoare_chain [where - P="\((si_cnode_id, unat free_cptr) \c NullCap \* si_objects) \* + apply (rule hoare_chain[where + P'="\((si_cnode_id, unat free_cptr) \c NullCap \* si_objects) \* (\* obj_id \ {obj_id. real_object_at obj_id spec}. si_cap_at t orig_caps spec dev obj_id) \* R\" and - Q="\rv.\(si_cap_at t (map_of (zip [obj\obj_ids. obj_filter obj spec] + Q'="\rv.\(si_cap_at t (map_of (zip [obj\obj_ids. obj_filter obj spec] free_cptrs)) spec dev obj_id \* si_objects) \* (\* obj_id \ {obj_id. real_object_at obj_id spec}. si_cap_at t orig_caps spec dev obj_id) \* R\"]) apply (rule sep_set_conj_map_singleton_wp [where x=obj_id]) diff --git a/sys-init/InitCSpace_SI.thy b/sys-init/InitCSpace_SI.thy index 132d1325dc..7fca65fe39 100644 --- a/sys-init/InitCSpace_SI.thy +++ b/sys-init/InitCSpace_SI.thy @@ -1538,12 +1538,12 @@ lemma init_cnode_slot_copy_not_original_sep: apply (clarsimp simp: cap_at_def) apply (rename_tac cap) (* Rearrange to work with the sep_list_conj_map_singleton_wp rule. *) - apply (rule hoare_chain [where P="\(object_slot_empty spec t obj_id slot \* + apply (rule hoare_chain[where P'="\(object_slot_empty spec t obj_id slot \* si_cap_at t dup_caps spec dev obj_id \* object_fields_empty spec t obj_id \* si_objects) \* si_objs_caps_at t orig_caps spec dev {obj_id. cnode_at obj_id spec} \* R\" - and Q="\_. \(object_slot_initialised spec t obj_id slot \* + and Q'="\_. \(object_slot_initialised spec t obj_id slot \* si_cap_at t dup_caps spec dev obj_id \* object_fields_empty spec t obj_id \* si_objects) \*