From 647fa1273ceca9ff971a43b19080930dea4dd14c Mon Sep 17 00:00:00 2001 From: Rafal Kolanski Date: Tue, 9 Jul 2024 13:06:33 +1000 Subject: [PATCH 1/9] ainvs: use "assms" in name for arch locales i.e. 's/AI_asms/AI_assms/g' and same for Pre_asms ("asms" is rarely expected outside of ML code) 
Signed-off-by: Rafal Kolanski
---
 .../AARCH64/ArchAInvsPre.thy | 6 +-
 .../AARCH64/ArchDetype_AI.thy | 14 +--
 .../AARCH64/ArchFinalise_AI.thy | 88 +++++++++----------
 .../AARCH64/ArchInterrupt_AI.thy | 34 +++----
 .../AARCH64/ArchIpcCancel_AI.thy | 8 +-
 .../AARCH64/ArchSchedule_AI.thy | 24 ++---
 .../invariant-abstract/AARCH64/ArchTcb_AI.thy | 36 ++++----
 proof/invariant-abstract/ARM/ArchAInvsPre.thy | 6 +-
 .../invariant-abstract/ARM/ArchDetype_AI.thy | 14 +--
 .../ARM/ArchFinalise_AI.thy | 84 +++++++++--------
 .../ARM/ArchInterrupt_AI.thy | 34 +++----
 .../ARM/ArchIpcCancel_AI.thy | 8 +-
 .../ARM/ArchSchedule_AI.thy | 24 ++---
 proof/invariant-abstract/ARM/ArchTcb_AI.thy | 36 ++++----
 .../ARM_HYP/ArchAInvsPre.thy | 6 +-
 .../ARM_HYP/ArchDetype_AI.thy | 14 +--
 .../ARM_HYP/ArchFinalise_AI.thy | 88 +++++++++----------
 .../ARM_HYP/ArchInterrupt_AI.thy | 34 +++----
 .../ARM_HYP/ArchIpcCancel_AI.thy | 8 +-
 .../ARM_HYP/ArchSchedule_AI.thy | 24 ++---
 .../invariant-abstract/ARM_HYP/ArchTcb_AI.thy | 36 ++++----
 .../RISCV64/ArchAInvsPre.thy | 6 +-
 .../RISCV64/ArchDetype_AI.thy | 14 +--
 .../RISCV64/ArchFinalise_AI.thy | 84 +++++++++--------
 .../RISCV64/ArchInterrupt_AI.thy | 34 +++----
 .../RISCV64/ArchIpcCancel_AI.thy | 8 +-
 .../RISCV64/ArchSchedule_AI.thy | 24 ++---
 .../invariant-abstract/RISCV64/ArchTcb_AI.thy | 36 ++++----
 proof/invariant-abstract/X64/ArchAInvsPre.thy | 6 +-
 .../invariant-abstract/X64/ArchDetype_AI.thy | 14 +--
 .../X64/ArchFinalise_AI.thy | 84 +++++++++--------
 .../X64/ArchInterrupt_AI.thy | 34 +++----
 .../X64/ArchIpcCancel_AI.thy | 12 +--
 .../X64/ArchSchedule_AI.thy | 24 ++---
 proof/invariant-abstract/X64/ArchTcb_AI.thy | 36 ++++----
 35 files changed, 521 insertions(+), 521 deletions(-)
diff --git a/proof/invariant-abstract/AARCH64/ArchAInvsPre.thy b/proof/invariant-abstract/AARCH64/ArchAInvsPre.thy
index 5f77c0be35..5dce18b02c 100644
--- a/proof/invariant-abstract/AARCH64/ArchAInvsPre.thy
+++ b/proof/invariant-abstract/AARCH64/ArchAInvsPre.thy
@@ -82,7 +82,7 @@ lemma device_frame_in_device_region: by (auto simp add: pspace_respects_device_region_def dom_def device_mem_def) global_naming Arch -named_theorems AInvsPre_asms +named_theorems AInvsPre_assms lemma get_vspace_of_thread_asid_or_global_pt: "(\asid. vspace_for_asid asid s = Some (get_vspace_of_thread (kheap s) (arch_state s) t))
@@ -102,7 +102,7 @@ lemma get_page_info_gpd_kmaps: table_base_pt_slot_offset[where level=max_pt_level, simplified]) done -lemma ptable_rights_imp_frame[AInvsPre_asms]: +lemma ptable_rights_imp_frame[AInvsPre_assms]: assumes "valid_state s" shows "\ ptable_rights t s vptr \ {}; ptable_lift t s vptr = Some (addrFromPPtr p) \ \ in_user_frame p s \ in_device_frame p s"
@@ -140,7 +140,7 @@ end interpretation AInvsPre?: AInvsPre proof goal_cases interpret Arch . - case 1 show ?case by (intro_locales; (unfold_locales; fact AInvsPre_asms)?) + case 1 show ?case by (intro_locales; (unfold_locales; fact AInvsPre_assms)?) qed requalify_facts
diff --git a/proof/invariant-abstract/AARCH64/ArchDetype_AI.thy b/proof/invariant-abstract/AARCH64/ArchDetype_AI.thy
index f448888f1d..d00dbc5846 100644
--- a/proof/invariant-abstract/AARCH64/ArchDetype_AI.thy
+++ b/proof/invariant-abstract/AARCH64/ArchDetype_AI.thy
@@ -11,16 +11,16 @@ begin context Arch begin global_naming AARCH64 -named_theorems Detype_AI_asms +named_theorems Detype_AI_assms -lemma valid_globals_irq_node[Detype_AI_asms]: +lemma valid_globals_irq_node[Detype_AI_assms]: "\ valid_global_refs s; cte_wp_at ((=) cap) ptr s \ \ interrupt_irq_node s irq \ cap_range cap" apply (erule(1) valid_global_refsD) apply (simp add: global_refs_def) done -lemma caps_of_state_ko[Detype_AI_asms]: +lemma caps_of_state_ko[Detype_AI_assms]: "valid_cap cap s \ is_untyped_cap cap \ cap_range cap = {} \
@@ -34,7 +34,7 @@ lemma caps_of_state_ko[Detype_AI_asms]: split: option.splits if_splits)+ done -lemma mapM_x_storeWord[Detype_AI_asms]: +lemma mapM_x_storeWord[Detype_AI_assms]: (* FIXME: taken from Retype_C.thy and adapted wrt. the missing intvl syntax. *) assumes al: "is_aligned ptr word_size_bits" shows "mapM_x (\x. storeWord (ptr + of_nat x * word_size) 0) [0..x. if x \ S then {} else state_hyp_refs_of s x)" by (rule ext, simp add: state_hyp_refs_of_def detype_def) -lemma valid_ioports_detype[Detype_AI_asms]: +lemma valid_ioports_detype[Detype_AI_assms]: "valid_ioports s \ valid_ioports (detype (untyped_range cap) s)" by simp
@@ -118,7 +118,7 @@ interpretation Detype_AI?: Detype_AI proof goal_cases interpret Arch . case 1 show ?case - by (intro_locales; (unfold_locales; fact Detype_AI_asms)?) + by (intro_locales; (unfold_locales; fact Detype_AI_assms)?) qed context detype_locale_arch begin
diff --git a/proof/invariant-abstract/AARCH64/ArchFinalise_AI.thy b/proof/invariant-abstract/AARCH64/ArchFinalise_AI.thy
index 91241010b0..1390c0a215 100644
--- a/proof/invariant-abstract/AARCH64/ArchFinalise_AI.thy
+++ b/proof/invariant-abstract/AARCH64/ArchFinalise_AI.thy
@@ -11,7 +11,7 @@ begin context Arch begin -named_theorems Finalise_AI_asms +named_theorems Finalise_AI_assms global_naming AARCH64
@@ -221,17 +221,17 @@ lemma unmap_page_tcb_cap_valid: global_naming Arch -lemma (* replaceable_cdt_update *)[simp,Finalise_AI_asms]: +lemma (* replaceable_cdt_update *)[simp,Finalise_AI_assms]: "replaceable (cdt_update f s) = replaceable s" by (fastforce simp: replaceable_def tcb_cap_valid_def reachable_frame_cap_def reachable_target_def) -lemma (* replaceable_revokable_update *)[simp,Finalise_AI_asms]: +lemma (* replaceable_revokable_update *)[simp,Finalise_AI_assms]: "replaceable (is_original_cap_update f s) = replaceable s" by (fastforce simp: replaceable_def is_final_cap'_def2 tcb_cap_valid_def reachable_frame_cap_def reachable_target_def) -lemma (* replaceable_more_update *) [simp,Finalise_AI_asms]: +lemma (* replaceable_more_update *) [simp,Finalise_AI_assms]: "replaceable (trans_state f s) sl cap cap' = replaceable s sl cap cap'" by (simp add: replaceable_def reachable_frame_cap_def reachable_target_def)
@@ -243,9 +243,9 @@ lemma reachable_frame_cap_trans_state[simp]: "reachable_frame_cap cap (trans_state f s) = reachable_frame_cap cap s" by (simp add: reachable_frame_cap_def) -lemmas [Finalise_AI_asms] = obj_refs_obj_ref_of (* used under name obj_ref_ofI *) +lemmas [Finalise_AI_assms] = obj_refs_obj_ref_of (* used under name obj_ref_ofI *) -lemma (* empty_slot_invs *) [Finalise_AI_asms]: +lemma (* empty_slot_invs *) [Finalise_AI_assms]: "\\s. invs s \ cte_wp_at (replaceable s sl cap.NullCap) sl s \ emptyable sl s \ (info \ NullCap \ post_cap_delete_pre info ((caps_of_state s) (sl \ NullCap)))\
@@ -325,7 +325,7 @@ lemma (* empty_slot_invs *) [Finalise_AI_asms]: apply (simp add: is_final_cap'_def2 cte_wp_at_caps_of_state) by fastforce -lemma dom_tcb_cap_cases_lt_ARCH [Finalise_AI_asms]: +lemma dom_tcb_cap_cases_lt_ARCH [Finalise_AI_assms]: "dom tcb_cap_cases = {xs. length xs = 3 \ unat (of_bl xs :: machine_word) < 5}" apply (rule set_eqI, rule iffI) apply clarsimp
@@ -335,7 +335,7 @@ lemma dom_tcb_cap_cases_lt_ARCH [Finalise_AI_asms]: apply (clarsimp simp: nat_to_cref_unat_of_bl') done -lemma (* unbind_notification_final *) [wp,Finalise_AI_asms]: +lemma (* unbind_notification_final *) [wp,Finalise_AI_assms]: "\is_final_cap' cap\ unbind_notification t \ \rv. is_final_cap' cap\" unfolding unbind_notification_def apply (wp final_cap_lift thread_set_caps_of_state_trivial hoare_drop_imps
@@ -364,7 +364,7 @@ crunch prepare_thread_delete for caps_of_state[wp]: "\s. P (caps_of_state s)" (wp: crunch_wps ignore: do_machine_op) -declare prepare_thread_delete_caps_of_state [Finalise_AI_asms] +declare prepare_thread_delete_caps_of_state [Finalise_AI_assms] lemma dissociate_vcpu_tcb_final_cap[wp]: "\is_final_cap' cap\ dissociate_vcpu_tcb v t \\rv. is_final_cap' cap\"
@@ -378,7 +378,7 @@ lemma length_and_unat_of_bl_length: "(length xs = x \ unat (of_bl xs :: 'a::len word) < 2 ^ x) = (length xs = x)" by (auto simp: unat_of_bl_length) -lemma (* finalise_cap_cases1 *)[Finalise_AI_asms]: +lemma (* finalise_cap_cases1 *)[Finalise_AI_assms]: "\\s. final \ is_final_cap' cap s \ cte_wp_at ((=) cap) slot s\ finalise_cap cap final
@@ -417,12 +417,12 @@ crunch dissociate_vcpu_tcb ignore: do_machine_op set_object) crunch arch_finalise_cap - for typ_at[wp,Finalise_AI_asms]: "\s. P (typ_at T p s)" + for typ_at[wp,Finalise_AI_assms]: "\s. P (typ_at T p s)" (wp: crunch_wps simp: crunch_simps unless_def assertE_def ignore: maskInterrupt set_object) crunch prepare_thread_delete - for typ_at[wp,Finalise_AI_asms]: "\s. P (typ_at T p s)" + for typ_at[wp,Finalise_AI_assms]: "\s. P (typ_at T p s)" crunch arch_thread_set for tcb_at[wp]: "\s. tcb_at p s"
@@ -441,7 +441,7 @@ crunch dissociate_vcpu_tcb crunch prepare_thread_delete for tcb_at[wp]: "\s. tcb_at p s" -lemma (* finalise_cap_new_valid_cap *)[wp,Finalise_AI_asms]: +lemma (* finalise_cap_new_valid_cap *)[wp,Finalise_AI_assms]: "\valid_cap cap\ finalise_cap cap x \\rv. valid_cap (fst rv)\" apply (cases cap; simp) apply (wp suspend_valid_cap prepare_thread_delete_typ_at
@@ -1080,7 +1080,7 @@ crunch vcpu_finalise for invs[wp]: invs (ignore: dissociate_vcpu_tcb) -lemma arch_finalise_cap_invs' [wp,Finalise_AI_asms]: +lemma arch_finalise_cap_invs' [wp,Finalise_AI_assms]: "\invs and valid_cap (ArchObjectCap cap)\ arch_finalise_cap cap final \\rv. invs\"
@@ -1140,14 +1140,14 @@ lemma arch_finalise_cap_vcpu: apply (wpsimp wp: wps simp: simps reachable_frame_cap_def | strengthen strg)+ done -lemma obj_at_not_live_valid_arch_cap_strg [Finalise_AI_asms]: +lemma obj_at_not_live_valid_arch_cap_strg [Finalise_AI_assms]: "(s \ ArchObjectCap cap \ aobj_ref cap = Some r \ \ typ_at (AArch AVCPU) r s) \ obj_at (\ko. \ live ko) r s" by (clarsimp simp: live_def valid_cap_def valid_arch_cap_ref_def obj_at_def a_type_arch_live valid_cap_simps hyp_live_def arch_live_def split: arch_cap.split_asm if_splits) -lemma obj_at_not_live_valid_arch_cap_strg' [Finalise_AI_asms]: +lemma obj_at_not_live_valid_arch_cap_strg' [Finalise_AI_assms]: "(s \ ArchObjectCap cap \ aobj_ref cap = Some r \ cap \ VCPUCap r) \ obj_at (\ko. \ live ko) r s" by (clarsimp simp: live_def valid_cap_def valid_arch_cap_ref_def obj_at_def
@@ -1403,7 +1403,7 @@ lemma arch_finalise_cap_replaceable: done global_naming Arch -lemma (* deleting_irq_handler_slot_not_irq_node *)[Finalise_AI_asms]: +lemma (* deleting_irq_handler_slot_not_irq_node *)[Finalise_AI_assms]: "\if_unsafe_then_cap and valid_global_refs and cte_wp_at (\cp. cap_irqs cp \ {}) sl\ deleting_irq_handler irq
@@ -1424,7 +1424,7 @@ lemma (* deleting_irq_handler_slot_not_irq_node *)[Finalise_AI_asms]: apply (clarsimp simp: appropriate_cte_cap_def split: cap.split_asm) done -lemma no_cap_to_obj_with_diff_ref_finalI_ARCH[Finalise_AI_asms]: +lemma no_cap_to_obj_with_diff_ref_finalI_ARCH[Finalise_AI_assms]: "\ cte_wp_at ((=) cap) p s; is_final_cap' cap s; obj_refs cap' = obj_refs cap \ \ no_cap_to_obj_with_diff_ref cap' {p} s"
@@ -1446,7 +1446,7 @@ lemma no_cap_to_obj_with_diff_ref_finalI_ARCH[Finalise_AI_asms]: gen_obj_refs_Int) done -lemma (* suspend_no_cap_to_obj_ref *)[wp,Finalise_AI_asms]: +lemma (* suspend_no_cap_to_obj_ref *)[wp,Finalise_AI_assms]: "\no_cap_to_obj_with_diff_ref cap S\ suspend t \\rv. no_cap_to_obj_with_diff_ref cap S\"
@@ -1490,7 +1490,7 @@ lemma prepare_thread_delete_unlive[wp]: apply (clarsimp simp: obj_at_def, case_tac ko, simp_all add: is_tcb_def live_def) done -lemma finalise_cap_replaceable [Finalise_AI_asms]: +lemma finalise_cap_replaceable [Finalise_AI_assms]: "\\s. s \ cap \ x = is_final_cap' cap s \ valid_mdb s \ cte_wp_at ((=) cap) sl s \ valid_objs s \ sym_refs (state_refs_of s) \ (cap_irqs cap \ {} \ if_unsafe_then_cap s \ valid_global_refs s)
@@ -1542,7 +1542,7 @@ lemma finalise_cap_replaceable [Finalise_AI_asms]: | simp add: valid_cap_simps is_nondevice_page_cap_simps)+)) done -lemma (* deleting_irq_handler_cte_preserved *)[Finalise_AI_asms]: +lemma (* deleting_irq_handler_cte_preserved *)[Finalise_AI_assms]: assumes x: "\cap. P cap \ \ can_fast_finalise cap" shows "\cte_wp_at P p\ deleting_irq_handler irq \\rv. cte_wp_at P p\" apply (simp add: deleting_irq_handler_def)
@@ -1561,15 +1561,15 @@ lemma arch_thread_set_cte_wp_at[wp]: done crunch dissociate_vcpu_tcb - for cte_wp_at[wp,Finalise_AI_asms]: "\s. P (cte_wp_at P' p s)" + for cte_wp_at[wp,Finalise_AI_assms]: "\s. P (cte_wp_at P' p s)" (simp: crunch_simps assertE_def wp: crunch_wps set_object_cte_at ignore: arch_thread_set) crunch prepare_thread_delete - for cte_wp_at[wp,Finalise_AI_asms]: "\s. P (cte_wp_at P' p s)" + for cte_wp_at[wp,Finalise_AI_assms]: "\s. P (cte_wp_at P' p s)" (simp: crunch_simps assertE_def wp: crunch_wps set_object_cte_at ignore: arch_thread_set) crunch arch_finalise_cap - for cte_wp_at[wp,Finalise_AI_asms]: "\s. P (cte_wp_at P' p s)" + for cte_wp_at[wp,Finalise_AI_assms]: "\s. P (cte_wp_at P' p s)" (simp: crunch_simps assertE_def wp: crunch_wps set_object_cte_at ignore: arch_thread_set) end
@@ -1578,7 +1578,7 @@ interpretation Finalise_AI_1?: Finalise_AI_1 proof goal_cases interpret Arch . case 1 show ?case - by (intro_locales; (unfold_locales; fact Finalise_AI_asms)?) + by (intro_locales; (unfold_locales; fact Finalise_AI_assms)?) qed context Arch begin global_naming AARCH64
@@ -1603,7 +1603,7 @@ lemma fast_finalise_replaceable[wp]: done global_naming Arch -lemma (* cap_delete_one_invs *) [Finalise_AI_asms,wp]: +lemma (* cap_delete_one_invs *) [Finalise_AI_assms,wp]: "\invs and emptyable ptr\ cap_delete_one ptr \\rv. invs\" apply (simp add: cap_delete_one_def unless_def is_final_cap_def) apply (rule hoare_pre)
@@ -1617,7 +1617,7 @@ end interpretation Finalise_AI_2?: Finalise_AI_2 proof goal_cases interpret Arch . - case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_asms)?) + case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_assms)?) qed context Arch begin global_naming AARCH64
@@ -1629,7 +1629,7 @@ crunch (wp: crunch_wps subset_refl) crunch prepare_thread_delete - for irq_node[Finalise_AI_asms,wp]: "\s. P (interrupt_irq_node s)" + for irq_node[Finalise_AI_assms,wp]: "\s. P (interrupt_irq_node s)" (wp: crunch_wps simp: crunch_simps) crunch arch_finalise_cap
@@ -1780,7 +1780,7 @@ crunch prepare_thread_delete for invs[wp]: invs (ignore: set_object do_machine_op wp: dmo_invs_lift) -lemma (* finalise_cap_invs *)[Finalise_AI_asms]: +lemma (* finalise_cap_invs *)[Finalise_AI_assms]: shows "\invs and cte_wp_at ((=) cap) slot\ finalise_cap cap x \\rv. invs\" apply (cases cap, simp_all split del: if_split) apply (wp cancel_all_ipc_invs cancel_all_signals_invs unbind_notification_invs
@@ -1797,14 +1797,14 @@ lemma (* finalise_cap_invs *)[Finalise_AI_asms]: apply (auto dest: cte_wp_at_valid_objs_valid_cap) done -lemma (* finalise_cap_irq_node *)[Finalise_AI_asms]: +lemma (* finalise_cap_irq_node *)[Finalise_AI_assms]: "\\s. P (interrupt_irq_node s)\ finalise_cap a b \\_ s. P (interrupt_irq_node s)\" by (case_tac a, wpsimp+) -lemmas (*arch_finalise_cte_irq_node *) [wp,Finalise_AI_asms] +lemmas (*arch_finalise_cte_irq_node *) [wp,Finalise_AI_assms] = hoare_use_eq_irq_node [OF arch_finalise_cap_irq_node arch_finalise_cap_cte_wp_at] -lemma (* deleting_irq_handler_st_tcb_at *) [Finalise_AI_asms]: +lemma (* deleting_irq_handler_st_tcb_at *) [Finalise_AI_assms]: "\st_tcb_at P t and K (\st. simple st \ P st)\ deleting_irq_handler irq \\rv. st_tcb_at P t\"
@@ -1813,11 +1813,11 @@ lemma (* deleting_irq_handler_st_tcb_at *) [Finalise_AI_asms]: apply simp done -lemma irq_node_global_refs_ARCH [Finalise_AI_asms]: +lemma irq_node_global_refs_ARCH [Finalise_AI_assms]: "interrupt_irq_node s irq \ global_refs s" by (simp add: global_refs_def) -lemma (* get_irq_slot_fast_finalisable *)[wp,Finalise_AI_asms]: +lemma (* get_irq_slot_fast_finalisable *)[wp,Finalise_AI_assms]: "\invs\ get_irq_slot irq \cte_wp_at can_fast_finalise\" apply (simp add: get_irq_slot_def) apply wp
@@ -1839,12 +1839,12 @@ lemma (* get_irq_slot_fast_finalisable *)[wp,Finalise_AI_asms]: apply (clarsimp simp: cap_range_def) done -lemma (* replaceable_or_arch_update_same *) [Finalise_AI_asms]: +lemma (* replaceable_or_arch_update_same *) [Finalise_AI_assms]: "replaceable_or_arch_update s slot cap cap" by (clarsimp simp: replaceable_or_arch_update_def replaceable_def is_arch_update_def is_cap_simps) -lemma (* replace_cap_invs_arch_update *)[Finalise_AI_asms]: +lemma (* replace_cap_invs_arch_update *)[Finalise_AI_assms]: "\\s. cte_wp_at (replaceable_or_arch_update s p cap) p s \ invs s \ cap \ cap.NullCap
@@ -1869,7 +1869,7 @@ lemma dmo_pred_tcb_at[wp]: apply (clarsimp simp: pred_tcb_at_def obj_at_def) done -lemma dmo_tcb_cap_valid_ARCH [Finalise_AI_asms]: +lemma dmo_tcb_cap_valid_ARCH [Finalise_AI_assms]: "do_machine_op mop \\s. P (tcb_cap_valid cap ptr s)\" apply (simp add: tcb_cap_valid_def no_cap_to_obj_with_diff_ref_def) apply (wp_pre, wps, rule hoare_vcg_prop)
@@ -1887,7 +1887,7 @@ lemma dmo_reachable_target[wp]: apply simp done -lemma (* dmo_replaceable_or_arch_update *) [Finalise_AI_asms,wp]: +lemma (* dmo_replaceable_or_arch_update *) [Finalise_AI_assms,wp]: "\\s. replaceable_or_arch_update s slot cap cap'\ do_machine_op mo \\r s. replaceable_or_arch_update s slot cap cap'\"
@@ -1909,7 +1909,7 @@ interpretation Finalise_AI_3?: Finalise_AI_3 proof goal_cases interpret Arch . case 1 show ?case - by (intro_locales; (unfold_locales; fact Finalise_AI_asms)?) + by (intro_locales; (unfold_locales; fact Finalise_AI_assms)?) qed context Arch begin global_naming AARCH64
@@ -1927,7 +1927,7 @@ interpretation Finalise_AI_4?: Finalise_AI_4 where replaceable_or_arch_update = replaceable_or_arch_update proof goal_cases interpret Arch . - case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_asms)?) + case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_assms)?) qed context Arch begin global_naming AARCH64
@@ -1967,9 +1967,9 @@ lemma arch_finalise_cap_valid_cap[wp]: global_naming Arch -lemmas clearMemory_invs[wp,Finalise_AI_asms] = clearMemory_invs +lemmas clearMemory_invs[wp,Finalise_AI_assms] = clearMemory_invs -lemma valid_idle_has_null_cap_ARCH[Finalise_AI_asms]: +lemma valid_idle_has_null_cap_ARCH[Finalise_AI_assms]: "\ if_unsafe_then_cap s; valid_global_refs s; valid_idle s; valid_irq_node s; caps_of_state s (idle_thread s, v) = Some cap \ \ cap = NullCap"
@@ -1985,7 +1985,7 @@ lemma valid_idle_has_null_cap_ARCH[Finalise_AI_asms]: apply (drule_tac x=word in spec, simp) done -lemma (* zombie_cap_two_nonidles *)[Finalise_AI_asms]: +lemma (* zombie_cap_two_nonidles *)[Finalise_AI_assms]: "\ caps_of_state s ptr = Some (Zombie ptr' zbits n); invs s \ \ fst ptr \ idle_thread s \ ptr' \ idle_thread s" apply (frule valid_global_refsD2, clarsimp+)
@@ -2011,7 +2011,7 @@ interpretation Finalise_AI_5?: Finalise_AI_5 where replaceable_or_arch_update = replaceable_or_arch_update proof goal_cases interpret Arch . - case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_asms)?) + case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_assms)?) qed end
diff --git a/proof/invariant-abstract/AARCH64/ArchInterrupt_AI.thy b/proof/invariant-abstract/AARCH64/ArchInterrupt_AI.thy
index 4ef745e647..7a880be79a 100644
--- a/proof/invariant-abstract/AARCH64/ArchInterrupt_AI.thy
+++ b/proof/invariant-abstract/AARCH64/ArchInterrupt_AI.thy
@@ -24,16 +24,16 @@ primrec arch_irq_control_inv_valid_real :: defs arch_irq_control_inv_valid_def: "arch_irq_control_inv_valid \ arch_irq_control_inv_valid_real" -named_theorems Interrupt_AI_asms +named_theorems Interrupt_AI_assms -lemma (* decode_irq_control_invocation_inv *)[Interrupt_AI_asms]: +lemma (* decode_irq_control_invocation_inv *)[Interrupt_AI_assms]: "\P\ decode_irq_control_invocation label args slot caps \\rv. P\" apply (simp add: decode_irq_control_invocation_def Let_def arch_check_irq_def arch_decode_irq_control_invocation_def whenE_def, safe) apply (wp | simp)+ done -lemma decode_irq_control_valid [Interrupt_AI_asms]: +lemma decode_irq_control_valid [Interrupt_AI_assms]: "\\s. invs s \ (\cap \ set caps. s \ cap) \ (\cap \ set caps. is_cnode_cap cap \ (\r \ cte_refs cap (interrupt_irq_node s). ex_cte_cap_wp_to is_cnode_cap r s))
@@ -51,7 +51,7 @@ lemma decode_irq_control_valid [Interrupt_AI_asms]: apply (intro conjI impI; clarsimp) done -lemma get_irq_slot_different_ARCH[Interrupt_AI_asms]: +lemma get_irq_slot_different_ARCH[Interrupt_AI_assms]: "\\s. valid_global_refs s \ ex_cte_cap_wp_to is_cnode_cap ptr s\ get_irq_slot irq \\rv s. rv \ ptr\"
@@ -63,7 +63,7 @@ lemma get_irq_slot_different_ARCH[Interrupt_AI_asms]: apply (clarsimp simp: global_refs_def is_cap_simps cap_range_def) done -lemma is_derived_use_interrupt_ARCH[Interrupt_AI_asms]: +lemma is_derived_use_interrupt_ARCH[Interrupt_AI_assms]: "(is_ntfn_cap cap \ interrupt_derived cap cap') \ (is_derived m p cap cap')" apply (clarsimp simp: is_cap_simps) apply (clarsimp simp: interrupt_derived_def is_derived_def)
@@ -71,7 +71,7 @@ lemma is_derived_use_interrupt_ARCH[Interrupt_AI_asms]: apply (simp add: is_cap_simps is_pt_cap_def vs_cap_ref_def) done -lemma maskInterrupt_invs_ARCH[Interrupt_AI_asms]: +lemma maskInterrupt_invs_ARCH[Interrupt_AI_assms]: "\invs and (\s. \b \ interrupt_states s irq \ IRQInactive)\ do_machine_op (maskInterrupt b irq) \\rv. invs\"
@@ -91,13 +91,13 @@ lemma dmo_plic_complete_claim[wp]: apply (auto simp: plic_complete_claim_def machine_op_lift_def machine_rest_lift_def in_monad select_f_def) done -lemma no_cap_to_obj_with_diff_IRQHandler_ARCH[Interrupt_AI_asms]: +lemma no_cap_to_obj_with_diff_IRQHandler_ARCH[Interrupt_AI_assms]: "no_cap_to_obj_with_diff_ref (IRQHandlerCap irq) S = \" by (rule ext, simp add: no_cap_to_obj_with_diff_ref_def cte_wp_at_caps_of_state obj_ref_none_no_asid) -lemma (* set_irq_state_valid_cap *)[Interrupt_AI_asms]: +lemma (* set_irq_state_valid_cap *)[Interrupt_AI_assms]: "\valid_cap cap\ set_irq_state IRQSignal irq \\rv. valid_cap cap\" apply (clarsimp simp: set_irq_state_def) apply (wp do_machine_op_valid_cap)
@@ -107,9 +107,9 @@ lemma (* set_irq_state_valid_cap *)[Interrupt_AI_asms]: done crunch set_irq_state - for valid_global_refs[Interrupt_AI_asms]: "valid_global_refs" + for valid_global_refs[Interrupt_AI_assms]: "valid_global_refs" -lemma invoke_irq_handler_invs'[Interrupt_AI_asms]: +lemma invoke_irq_handler_invs'[Interrupt_AI_assms]: assumes dmo_ex_inv[wp]: "\f. \invs and ex_inv\ do_machine_op f \\rv::unit. ex_inv\" assumes cap_insert_ex_inv[wp]: "\cap src dest. \ex_inv and invs and K (src \ dest)\
@@ -165,7 +165,7 @@ lemma invoke_irq_handler_invs'[Interrupt_AI_asms]: done qed -lemma (* invoke_irq_control_invs *) [Interrupt_AI_asms]: +lemma (* invoke_irq_control_invs *) [Interrupt_AI_assms]: "\invs and irq_control_inv_valid i\ invoke_irq_control i \\rv. invs\" apply (cases i, simp_all) apply (wp cap_insert_simple_invs
@@ -189,7 +189,7 @@ lemma (* invoke_irq_control_invs *) [Interrupt_AI_asms]: crunch resetTimer for device_state_inv[wp]: "\ms. P (device_state ms)" -lemma resetTimer_invs_ARCH[Interrupt_AI_asms]: +lemma resetTimer_invs_ARCH[Interrupt_AI_assms]: "\invs\ do_machine_op resetTimer \\_. invs\" apply (wp dmo_invs) apply safe
@@ -202,11 +202,11 @@ lemma resetTimer_invs_ARCH[Interrupt_AI_asms]: apply(erule use_valid, wp no_irq_resetTimer no_irq, assumption) done -lemma empty_fail_ackInterrupt_ARCH[Interrupt_AI_asms]: +lemma empty_fail_ackInterrupt_ARCH[Interrupt_AI_assms]: "empty_fail (ackInterrupt irq)" by (wp | simp add: ackInterrupt_def)+ -lemma empty_fail_maskInterrupt_ARCH[Interrupt_AI_asms]: +lemma empty_fail_maskInterrupt_ARCH[Interrupt_AI_assms]: "empty_fail (maskInterrupt f irq)" by (wp | simp add: maskInterrupt_def)+
@@ -269,7 +269,7 @@ lemma handle_reserved_irq_invs[wp]: "\invs\ handle_reserved_irq irq \\_. invs\" unfolding handle_reserved_irq_def by (wpsimp simp: non_kernel_IRQs_def) -lemma (* handle_interrupt_invs *) [Interrupt_AI_asms]: +lemma (* handle_interrupt_invs *) [Interrupt_AI_assms]: "\invs\ handle_interrupt irq \\_. invs\" apply (simp add: handle_interrupt_def) apply (rule conjI; rule impI)
@@ -286,7 +286,7 @@ lemma (* handle_interrupt_invs *) [Interrupt_AI_asms]: | rule conjI)+ done -lemma sts_arch_irq_control_inv_valid[wp, Interrupt_AI_asms]: +lemma sts_arch_irq_control_inv_valid[wp, Interrupt_AI_assms]: "\arch_irq_control_inv_valid i\ set_thread_state t st \\rv. arch_irq_control_inv_valid i\"
@@ -303,7 +303,7 @@ end interpretation Interrupt_AI?: Interrupt_AI proof goal_cases interpret Arch . - case 1 show ?case by (intro_locales; (unfold_locales, simp_all add: Interrupt_AI_asms)?) + case 1 show ?case by (intro_locales; (unfold_locales, simp_all add: Interrupt_AI_assms)?) qed end
diff --git a/proof/invariant-abstract/AARCH64/ArchIpcCancel_AI.thy b/proof/invariant-abstract/AARCH64/ArchIpcCancel_AI.thy
index 40371a827a..fe7b74429a 100644
--- a/proof/invariant-abstract/AARCH64/ArchIpcCancel_AI.thy
+++ b/proof/invariant-abstract/AARCH64/ArchIpcCancel_AI.thy
@@ -10,11 +10,11 @@ begin context Arch begin global_naming AARCH64 -named_theorems IpcCancel_AI_asms +named_theorems IpcCancel_AI_assms crunch arch_post_cap_deletion - for typ_at[wp, IpcCancel_AI_asms]: "\s. P (typ_at T p s)" - and idle_thread[wp, IpcCancel_AI_asms]: "\s. P (idle_thread s)" + for typ_at[wp, IpcCancel_AI_assms]: "\s. P (typ_at T p s)" + and idle_thread[wp, IpcCancel_AI_assms]: "\s. P (idle_thread s)" end
@@ -22,7 +22,7 @@ interpretation IpcCancel_AI?: IpcCancel_AI proof goal_cases interpret Arch . case 1 show ?case - by (intro_locales; (unfold_locales; fact IpcCancel_AI_asms)?) + by (intro_locales; (unfold_locales; fact IpcCancel_AI_assms)?) qed
diff --git a/proof/invariant-abstract/AARCH64/ArchSchedule_AI.thy b/proof/invariant-abstract/AARCH64/ArchSchedule_AI.thy
index b482dcb70f..29af15a82c 100644
--- a/proof/invariant-abstract/AARCH64/ArchSchedule_AI.thy
+++ b/proof/invariant-abstract/AARCH64/ArchSchedule_AI.thy
@@ -11,9 +11,9 @@ begin context Arch begin global_naming AARCH64 -named_theorems Schedule_AI_asms +named_theorems Schedule_AI_assms -lemma dmo_mapM_storeWord_0_invs[wp,Schedule_AI_asms]: +lemma dmo_mapM_storeWord_0_invs[wp,Schedule_AI_assms]: "do_machine_op (mapM (\p. storeWord p 0) S) \invs\" apply (simp add: dom_mapM) apply (rule mapM_UNIV_wp)
@@ -30,16 +30,16 @@ lemma dmo_mapM_storeWord_0_invs[wp,Schedule_AI_asms]: global_naming Arch -lemma arch_stt_invs [wp,Schedule_AI_asms]: +lemma arch_stt_invs [wp,Schedule_AI_assms]: "arch_switch_to_thread t' \invs\" apply (wpsimp simp: arch_switch_to_thread_def) by (rule sym_refs_VCPU_hyp_live; fastforce) -lemma arch_stt_tcb [wp,Schedule_AI_asms]: +lemma arch_stt_tcb [wp,Schedule_AI_assms]: "arch_switch_to_thread t' \tcb_at t'\" by (wpsimp simp: arch_switch_to_thread_def wp: tcb_at_typ_at) -lemma arch_stt_runnable[Schedule_AI_asms]: +lemma arch_stt_runnable[Schedule_AI_assms]: "arch_switch_to_thread t \st_tcb_at runnable t\" by (wpsimp simp: arch_switch_to_thread_def)
@@ -55,7 +55,7 @@ crunch and ct[wp]: "\s. P (cur_thread s)" (wp: mapM_x_wp mapM_wp subset_refl) -lemma arch_stit_invs[wp, Schedule_AI_asms]: +lemma arch_stit_invs[wp, Schedule_AI_assms]: "arch_switch_to_idle_thread \invs\" by (wpsimp simp: arch_switch_to_idle_thread_def)
@@ -68,19 +68,19 @@ crunch set_vm_root and it[wp]: "\s. P (idle_thread s)" (simp: crunch_simps wp: hoare_drop_imps) -lemma arch_stit_activatable[wp, Schedule_AI_asms]: +lemma arch_stit_activatable[wp, Schedule_AI_assms]: "arch_switch_to_idle_thread \ct_in_state activatable\" apply (clarsimp simp: arch_switch_to_idle_thread_def) apply (wpsimp simp: ct_in_state_def wp: ct_in_state_thread_state_lift) done -lemma stit_invs [wp,Schedule_AI_asms]: +lemma stit_invs [wp,Schedule_AI_assms]: "switch_to_idle_thread \invs\" apply (simp add: switch_to_idle_thread_def arch_switch_to_idle_thread_def) apply (wpsimp|strengthen idle_strg)+ done -lemma stit_activatable[Schedule_AI_asms]: +lemma stit_activatable[Schedule_AI_assms]: "\invs\ switch_to_idle_thread \\_. ct_in_state activatable\" apply (simp add: switch_to_idle_thread_def arch_switch_to_idle_thread_def) apply (wpsimp simp: ct_in_state_def)
@@ -88,7 +88,7 @@ lemma stit_activatable[Schedule_AI_asms]: elim!: pred_tcb_weaken_strongerE) done -lemma stt_invs [wp,Schedule_AI_asms]: +lemma stt_invs [wp,Schedule_AI_assms]: "switch_to_thread t' \invs\" apply (simp add: switch_to_thread_def) apply wp
@@ -108,14 +108,14 @@ interpretation Schedule_AI_U?: Schedule_AI_U proof goal_cases interpret Arch . case 1 show ?case - by (intro_locales; (unfold_locales; fact Schedule_AI_asms)?) + by (intro_locales; (unfold_locales; fact Schedule_AI_assms)?) qed interpretation Schedule_AI?: Schedule_AI proof goal_cases interpret Arch . case 1 show ?case - by (intro_locales; (unfold_locales; fact Schedule_AI_asms)?) + by (intro_locales; (unfold_locales; fact Schedule_AI_assms)?) qed end
diff --git a/proof/invariant-abstract/AARCH64/ArchTcb_AI.thy b/proof/invariant-abstract/AARCH64/ArchTcb_AI.thy
index 70765d9317..5ad151b3e7 100644
--- a/proof/invariant-abstract/AARCH64/ArchTcb_AI.thy
+++ b/proof/invariant-abstract/AARCH64/ArchTcb_AI.thy
@@ -11,17 +11,17 @@ begin context Arch begin global_naming AARCH64 -named_theorems Tcb_AI_asms +named_theorems Tcb_AI_assms -lemma activate_idle_invs[Tcb_AI_asms]: +lemma activate_idle_invs[Tcb_AI_assms]: "\invs and ct_idle\ arch_activate_idle_thread thread \\rv. invs and ct_idle\" by (simp add: arch_activate_idle_thread_def) -declare getRegister_empty_fail [Tcb_AI_asms] +declare getRegister_empty_fail [Tcb_AI_assms] lemma same_object_also_valid: (* arch specific *) "\ same_object_as cap cap'; s \ cap'; wellformed_cap cap;
@@ -35,7 +35,7 @@ lemma same_object_also_valid: (* arch specific *) split: cap.split_asm arch_cap.split_asm option.splits)+) done -lemma same_object_obj_refs[Tcb_AI_asms]: +lemma same_object_obj_refs[Tcb_AI_assms]: "\ same_object_as cap cap' \ \ obj_refs cap = obj_refs cap'" apply (cases cap, simp_all add: same_object_as_def)
@@ -122,13 +122,13 @@ lemma checked_insert_tcb_invs[wp]: (* arch specific *) done crunch arch_get_sanitise_register_info, arch_post_modify_registers - for tcb_at[wp, Tcb_AI_asms]: "tcb_at a" + for tcb_at[wp, Tcb_AI_assms]: "tcb_at a" crunch arch_get_sanitise_register_info, arch_post_modify_registers - for invs[wp, Tcb_AI_asms]: "invs" + for invs[wp, Tcb_AI_assms]: "invs" crunch arch_get_sanitise_register_info, arch_post_modify_registers - for ex_nonz_cap_to[wp, Tcb_AI_asms]: "ex_nonz_cap_to a" + for ex_nonz_cap_to[wp, Tcb_AI_assms]: "ex_nonz_cap_to a" -lemma finalise_cap_not_cte_wp_at[Tcb_AI_asms]: +lemma finalise_cap_not_cte_wp_at[Tcb_AI_assms]: assumes x: "P cap.NullCap" shows "\\s. \cp \ ran (caps_of_state s). P cp\ finalise_cap cap fin
@@ -145,7 +145,7 @@ lemma finalise_cap_not_cte_wp_at[Tcb_AI_asms]: done -lemma table_cap_ref_max_free_index_upd[simp,Tcb_AI_asms]: +lemma table_cap_ref_max_free_index_upd[simp,Tcb_AI_assms]: "table_cap_ref (max_free_index_update cap) = table_cap_ref cap" by (simp add:free_index_update_def table_cap_ref_def split:cap.splits)
@@ -156,7 +156,7 @@ global_interpretation Tcb_AI_1?: Tcb_AI_1 and is_cnode_or_valid_arch = is_cnode_or_valid_arch proof goal_cases interpret Arch . - case 1 show ?case by (unfold_locales; (fact Tcb_AI_asms)?) + case 1 show ?case by (unfold_locales; (fact Tcb_AI_assms)?) qed context Arch begin global_naming AARCH64
@@ -175,7 +175,7 @@ lemma use_no_cap_to_obj_asid_strg: (* arch specific *) by (fastforce simp: table_cap_ref_def vspace_asid_def valid_cap_simps obj_at_def split: cap.splits arch_cap.splits option.splits prod.splits) -lemma cap_delete_no_cap_to_obj_asid[wp, Tcb_AI_asms]: +lemma cap_delete_no_cap_to_obj_asid[wp, Tcb_AI_assms]: "\no_cap_to_obj_dr_emp cap\ cap_delete slot \\rv. no_cap_to_obj_dr_emp cap\"
@@ -209,7 +209,7 @@ lemma option_case_eq_None: "((case m of None \ None | Some (a,b) \ Some a) = None) = (m = None)" by (clarsimp split: option.splits) -lemma tc_invs[Tcb_AI_asms]: +lemma tc_invs[Tcb_AI_assms]: "\invs and tcb_at a and (case_option \ (valid_cap o fst) e) and (case_option \ (valid_cap o fst) f) @@ -285,7 +285,7 @@ lemma check_valid_ipc_buffer_inv: (* arch_specific *) apply (wp | simp add: if_apply_def2 split del: if_split | wpcw)+ done -lemma check_valid_ipc_buffer_wp[Tcb_AI_asms]: +lemma check_valid_ipc_buffer_wp[Tcb_AI_assms]: "\\(s::'state_ext::state_ext state). is_arch_cap cap \ is_cnode_or_valid_arch cap \ valid_ipc_buffer_cap cap vptr \ is_aligned vptr msg_align_bits @@ -301,7 +301,7 @@ lemma check_valid_ipc_buffer_wp[Tcb_AI_asms]: valid_ipc_buffer_cap_def) done -lemma derive_no_cap_asid[wp,Tcb_AI_asms]: +lemma derive_no_cap_asid[wp,Tcb_AI_assms]: "\(no_cap_to_obj_with_diff_ref cap S)::'state_ext::state_ext state\bool\ derive_cap slot cap \\rv. no_cap_to_obj_with_diff_ref rv S\,-" @@ -315,7 +315,7 @@ lemma derive_no_cap_asid[wp,Tcb_AI_asms]: done -lemma decode_set_ipc_inv[wp,Tcb_AI_asms]: +lemma decode_set_ipc_inv[wp,Tcb_AI_assms]: "\P::'state_ext::state_ext state \ bool\ decode_set_ipc_buffer args cap slot excaps \\rv. P\" apply (simp add: decode_set_ipc_buffer_def whenE_def split_def @@ -324,7 +324,7 @@ lemma decode_set_ipc_inv[wp,Tcb_AI_asms]: apply simp done -lemma no_cap_to_obj_with_diff_ref_update_cap_data[Tcb_AI_asms]: +lemma no_cap_to_obj_with_diff_ref_update_cap_data[Tcb_AI_assms]: "no_cap_to_obj_with_diff_ref c S s \ no_cap_to_obj_with_diff_ref (update_cap_data P x c) S s" apply (case_tac "update_cap_data P x c = NullCap") @@ -341,7 +341,7 @@ lemma no_cap_to_obj_with_diff_ref_update_cap_data[Tcb_AI_asms]: done -lemma update_cap_valid[Tcb_AI_asms]: +lemma update_cap_valid[Tcb_AI_assms]: "valid_cap cap (s::'state_ext::state_ext state) \ valid_cap (case capdata of None \ cap_rights_update rs cap 
@@ -385,7 +385,7 @@ global_interpretation Tcb_AI?: Tcb_AI where is_cnode_or_valid_arch = AARCH64.is_cnode_or_valid_arch proof goal_cases interpret Arch . - case 1 show ?case by (unfold_locales; (fact Tcb_AI_asms)?) + case 1 show ?case by (unfold_locales; (fact Tcb_AI_assms)?) qed end diff --git a/proof/invariant-abstract/ARM/ArchAInvsPre.thy b/proof/invariant-abstract/ARM/ArchAInvsPre.thy index 97956e008c..b2fe17307a 100644 --- a/proof/invariant-abstract/ARM/ArchAInvsPre.thy +++ b/proof/invariant-abstract/ARM/ArchAInvsPre.thy @@ -178,11 +178,11 @@ lemma device_frame_in_device_region: global_naming Arch -named_theorems AInvsPre_asms +named_theorems AInvsPre_assms -lemma (* ptable_rights_imp_frame *)[AInvsPre_asms]: +lemma (* ptable_rights_imp_frame *)[AInvsPre_assms]: assumes "valid_state s" shows "ptable_rights t s x \ {} \ ptable_lift t s x = Some (addrFromPPtr y) \ @@ -225,7 +225,7 @@ end global_interpretation AInvsPre?: AInvsPre proof goal_cases interpret Arch . - case 1 show ?case by (intro_locales; (unfold_locales, fact AInvsPre_asms)?) + case 1 show ?case by (intro_locales; (unfold_locales, fact AInvsPre_assms)?) qed requalify_facts diff --git a/proof/invariant-abstract/ARM/ArchDetype_AI.thy b/proof/invariant-abstract/ARM/ArchDetype_AI.thy index 4d902bae2c..2588299497 100644 --- a/proof/invariant-abstract/ARM/ArchDetype_AI.thy +++ b/proof/invariant-abstract/ARM/ArchDetype_AI.thy @@ -10,16 +10,16 @@ begin context Arch begin global_naming ARM -named_theorems Detype_AI_asms +named_theorems Detype_AI_assms -lemma valid_globals_irq_node[Detype_AI_asms]: +lemma valid_globals_irq_node[Detype_AI_assms]: "\ valid_global_refs s; cte_wp_at ((=) cap) ptr s \ \ interrupt_irq_node s irq \ cap_range cap" apply (erule(1) valid_global_refsD) apply (simp add: global_refs_def) done -lemma caps_of_state_ko[Detype_AI_asms]: +lemma caps_of_state_ko[Detype_AI_assms]: "valid_cap cap s \ is_untyped_cap cap \ cap_range cap = {} \ 
@@ -34,7 +34,7 @@ lemma caps_of_state_ko[Detype_AI_asms]: done -lemma mapM_x_storeWord[Detype_AI_asms]: +lemma mapM_x_storeWord[Detype_AI_assms]: (* FIXME: taken from Retype_C.thy and adapted wrt. the missing intvl syntax. *) assumes al: "is_aligned ptr word_size_bits" shows "mapM_x (\x. storeWord (ptr + of_nat x * word_size) 0) [0..x. if x \ S then {} else state_hyp_refs_of s x)" by (rule ext, simp add: state_hyp_refs_of_def detype_def) -lemma valid_ioports_detype[Detype_AI_asms]: +lemma valid_ioports_detype[Detype_AI_assms]: "valid_ioports s \ valid_ioports (detype (untyped_range cap) s)" by auto @@ -124,7 +124,7 @@ interpretation Detype_AI?: Detype_AI proof goal_cases interpret Arch . case 1 show ?case - by (intro_locales; (unfold_locales; fact Detype_AI_asms)?) + by (intro_locales; (unfold_locales; fact Detype_AI_assms)?) qed context detype_locale_arch begin diff --git a/proof/invariant-abstract/ARM/ArchFinalise_AI.thy b/proof/invariant-abstract/ARM/ArchFinalise_AI.thy index a4b9752fde..c7a2201c31 100644 --- a/proof/invariant-abstract/ARM/ArchFinalise_AI.thy +++ b/proof/invariant-abstract/ARM/ArchFinalise_AI.thy @@ -10,9 +10,9 @@ begin context Arch begin -named_theorems Finalise_AI_asms +named_theorems Finalise_AI_assms -lemma (* obj_at_not_live_valid_arch_cap_strg *) [Finalise_AI_asms]: +lemma (* obj_at_not_live_valid_arch_cap_strg *) [Finalise_AI_assms]: "(s \ ArchObjectCap cap \ aobj_ref cap = Some r) \ obj_at (\ko. \ live ko) r s" by (clarsimp simp: valid_cap_def obj_at_def @@ -20,7 +20,7 @@ lemma (* obj_at_not_live_valid_arch_cap_strg *) [Finalise_AI_asms]: split: arch_cap.split_asm if_splits) crunch prepare_thread_delete - for caps_of_state[wp,Finalise_AI_asms]: "\s. P (caps_of_state s)" + for caps_of_state[wp,Finalise_AI_assms]: "\s. P (caps_of_state s)" global_naming ARM 
@@ -234,22 +234,22 @@ lemma unmap_page_tcb_cap_valid: global_naming Arch -lemma (* replaceable_cdt_update *)[simp,Finalise_AI_asms]: +lemma (* replaceable_cdt_update *)[simp,Finalise_AI_assms]: "replaceable (cdt_update f s) = replaceable s" by (fastforce simp: replaceable_def tcb_cap_valid_def) -lemma (* replaceable_revokable_update *)[simp,Finalise_AI_asms]: +lemma (* replaceable_revokable_update *)[simp,Finalise_AI_assms]: "replaceable (is_original_cap_update f s) = replaceable s" by (fastforce simp: replaceable_def is_final_cap'_def2 tcb_cap_valid_def) -lemma (* replaceable_more_update *) [simp,Finalise_AI_asms]: +lemma (* replaceable_more_update *) [simp,Finalise_AI_assms]: "replaceable (trans_state f s) sl cap cap' = replaceable s sl cap cap'" by (simp add: replaceable_def) -lemma (* obj_ref_ofI *) [Finalise_AI_asms]: "obj_refs cap = {x} \ obj_ref_of cap = x" +lemma (* obj_ref_ofI *) [Finalise_AI_assms]: "obj_refs cap = {x} \ obj_ref_of cap = x" by (case_tac cap, simp_all) (rename_tac arch_cap, case_tac arch_cap, simp_all) -lemma (* empty_slot_invs *) [Finalise_AI_asms]: +lemma (* empty_slot_invs *) [Finalise_AI_assms]: "\\s. invs s \ cte_wp_at (replaceable s sl cap.NullCap) sl s \ emptyable sl s \ (info \ NullCap \ post_cap_delete_pre info ((caps_of_state s) (sl \ NullCap)))\ @@ -325,7 +325,7 @@ lemma (* empty_slot_invs *) [Finalise_AI_asms]: apply (simp add: is_final_cap'_def2 cte_wp_at_caps_of_state) done -lemma dom_tcb_cap_cases_lt_ARCH [Finalise_AI_asms]: +lemma dom_tcb_cap_cases_lt_ARCH [Finalise_AI_assms]: "dom tcb_cap_cases = {xs. length xs = 3 \ unat (of_bl xs :: machine_word) < 5}" apply (rule set_eqI, rule iffI) apply clarsimp 
@@ -335,7 +335,7 @@ lemma dom_tcb_cap_cases_lt_ARCH [Finalise_AI_asms]: apply (clarsimp simp: nat_to_cref_unat_of_bl') done -lemma (* unbind_notification_final *) [wp,Finalise_AI_asms]: +lemma (* unbind_notification_final *) [wp,Finalise_AI_assms]: "\is_final_cap' cap\ unbind_notification t \ \rv. is_final_cap' cap\" unfolding unbind_notification_def apply (wp final_cap_lift thread_set_caps_of_state_trivial hoare_drop_imps @@ -345,7 +345,7 @@ lemma (* unbind_notification_final *) [wp,Finalise_AI_asms]: crunch prepare_thread_delete for is_final_cap'[wp]: "is_final_cap' cap" -lemma (* finalise_cap_cases1 *)[Finalise_AI_asms]: +lemma (* finalise_cap_cases1 *)[Finalise_AI_assms]: "\\s. final \ is_final_cap' cap s \ cte_wp_at ((=) cap) slot s\ finalise_cap cap final @@ -376,14 +376,14 @@ lemma (* finalise_cap_cases1 *)[Finalise_AI_asms]: done crunch arch_finalise_cap,prepare_thread_delete - for typ_at_arch[wp,Finalise_AI_asms]: "\s. P (typ_at T p s)" + for typ_at_arch[wp,Finalise_AI_assms]: "\s. P (typ_at T p s)" (wp: crunch_wps simp: crunch_simps unless_def assertE_def ignore: maskInterrupt ) crunch prepare_thread_delete for tcb_at[wp]: "\s. tcb_at p s" -lemma (* finalise_cap_new_valid_cap *)[wp,Finalise_AI_asms]: +lemma (* finalise_cap_new_valid_cap *)[wp,Finalise_AI_assms]: "\valid_cap cap\ finalise_cap cap x \\rv. valid_cap (fst rv)\" apply (cases cap, simp_all) apply (wp suspend_valid_cap @@ -397,7 +397,7 @@ lemma (* finalise_cap_new_valid_cap *)[wp,Finalise_AI_asms]: split del: if_split|clarsimp|wpc)+ done -lemma (* arch_finalise_cap_invs *)[wp,Finalise_AI_asms]: +lemma (* arch_finalise_cap_invs *)[wp,Finalise_AI_assms]: "\invs and valid_cap (ArchObjectCap cap)\ arch_finalise_cap cap final \\rv. invs\" 
@@ -408,7 +408,7 @@ lemma (* arch_finalise_cap_invs *)[wp,Finalise_AI_asms]: apply (auto simp: mask_def vmsz_aligned_def) done -lemma obj_at_not_live_valid_arch_cap_strg [Finalise_AI_asms]: +lemma obj_at_not_live_valid_arch_cap_strg [Finalise_AI_assms]: "(s \ ArchObjectCap cap \ aobj_ref cap = Some r) \ obj_at (\ko. \ live ko) r s" by (clarsimp simp: valid_cap_def obj_at_def @@ -457,7 +457,7 @@ lemma arch_finalise_cap_replaceable[wp]: done global_naming Arch -lemma (* deleting_irq_handler_slot_not_irq_node *)[Finalise_AI_asms]: +lemma (* deleting_irq_handler_slot_not_irq_node *)[Finalise_AI_assms]: "\if_unsafe_then_cap and valid_global_refs and cte_wp_at (\cp. cap_irqs cp \ {}) sl\ deleting_irq_handler irq @@ -478,7 +478,7 @@ lemma (* deleting_irq_handler_slot_not_irq_node *)[Finalise_AI_asms]: apply (clarsimp simp: appropriate_cte_cap_def split: cap.split_asm) done -lemma no_cap_to_obj_with_diff_ref_finalI_ARCH[Finalise_AI_asms]: +lemma no_cap_to_obj_with_diff_ref_finalI_ARCH[Finalise_AI_assms]: "\ cte_wp_at ((=) cap) p s; is_final_cap' cap s; obj_refs cap' = obj_refs cap \ \ no_cap_to_obj_with_diff_ref cap' {p} s" @@ -500,7 +500,7 @@ lemma no_cap_to_obj_with_diff_ref_finalI_ARCH[Finalise_AI_asms]: gen_obj_refs_Int) done -lemma (* suspend_no_cap_to_obj_ref *)[wp,Finalise_AI_asms]: +lemma (* suspend_no_cap_to_obj_ref *)[wp,Finalise_AI_assms]: "\no_cap_to_obj_with_diff_ref cap S\ suspend t \\rv. no_cap_to_obj_with_diff_ref cap S\" @@ -529,7 +529,7 @@ lemma suspend_unlive': apply simp done -lemma finalise_cap_replaceable [Finalise_AI_asms]: +lemma finalise_cap_replaceable [Finalise_AI_assms]: "\\s. s \ cap \ x = is_final_cap' cap s \ valid_mdb s \ cte_wp_at ((=) cap) sl s \ valid_objs s \ sym_refs (state_refs_of s) \ (cap_irqs cap \ {} \ if_unsafe_then_cap s \ valid_global_refs s) 
@@ -581,7 +581,7 @@ lemma finalise_cap_replaceable [Finalise_AI_asms]: | simp add: valid_cap_simps is_nondevice_page_cap_simps)+) done -lemma (* deleting_irq_handler_cte_preserved *)[Finalise_AI_asms]: +lemma (* deleting_irq_handler_cte_preserved *)[Finalise_AI_assms]: assumes x: "\cap. P cap \ \ can_fast_finalise cap" shows "\cte_wp_at P p\ deleting_irq_handler irq \\rv. cte_wp_at P p\" apply (simp add: deleting_irq_handler_def) @@ -590,11 +590,11 @@ lemma (* deleting_irq_handler_cte_preserved *)[Finalise_AI_asms]: crunch arch_finalise_cap - for cte_wp_at[wp,Finalise_AI_asms]: "\s. P (cte_wp_at P' p s)" + for cte_wp_at[wp,Finalise_AI_assms]: "\s. P (cte_wp_at P' p s)" (simp: crunch_simps assertE_def wp: crunch_wps set_object_cte_at) crunch prepare_thread_delete - for cte_wp_at[wp,Finalise_AI_asms]: "\s. P (cte_wp_at P' p s)" + for cte_wp_at[wp,Finalise_AI_assms]: "\s. P (cte_wp_at P' p s)" (simp: crunch_simps assertE_def wp: crunch_wps set_object_cte_at) end @@ -602,7 +602,7 @@ end interpretation Finalise_AI_1?: Finalise_AI_1 proof goal_cases interpret Arch . - case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_asms)?) + case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_assms)?) qed context Arch begin global_naming ARM @@ -627,7 +627,7 @@ lemma fast_finalise_replaceable[wp]: done global_naming Arch -lemma (* cap_delete_one_invs *) [Finalise_AI_asms,wp]: +lemma (* cap_delete_one_invs *) [Finalise_AI_assms,wp]: "\invs and emptyable ptr\ cap_delete_one ptr \\rv. invs\" apply (simp add: cap_delete_one_def unless_def is_final_cap_def) apply (rule hoare_pre) @@ -641,7 +641,7 @@ end interpretation Finalise_AI_2?: Finalise_AI_2 proof goal_cases interpret Arch . - case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_asms)?) + case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_assms)?) qed context Arch begin global_naming ARM 
@@ -651,7 +651,7 @@ crunch arch_finalise_cap (wp: crunch_wps simp: crunch_simps) crunch prepare_thread_delete - for irq_node[wp,Finalise_AI_asms]: "\s. P (interrupt_irq_node s)" + for irq_node[wp,Finalise_AI_assms]: "\s. P (interrupt_irq_node s)" crunch arch_finalise_cap for pred_tcb_at[wp]: "pred_tcb_at proj P t" @@ -1233,7 +1233,7 @@ global_naming Arch crunch prepare_thread_delete for invs[wp]: invs -lemma (* finalise_cap_invs *)[Finalise_AI_asms]: +lemma (* finalise_cap_invs *)[Finalise_AI_assms]: shows "\invs and cte_wp_at ((=) cap) slot\ finalise_cap cap x \\rv. invs\" apply (cases cap, simp_all split del: if_split) apply (wp cancel_all_ipc_invs cancel_all_signals_invs unbind_notification_invs @@ -1250,16 +1250,16 @@ lemma (* finalise_cap_invs *)[Finalise_AI_asms]: apply (auto dest: cte_wp_at_valid_objs_valid_cap) done -lemma (* finalise_cap_irq_node *)[Finalise_AI_asms]: +lemma (* finalise_cap_irq_node *)[Finalise_AI_assms]: "\\s. P (interrupt_irq_node s)\ finalise_cap a b \\_ s. P (interrupt_irq_node s)\" apply (case_tac a,simp_all) apply (wp | clarsimp)+ done -lemmas (*arch_finalise_cte_irq_node *) [wp,Finalise_AI_asms] +lemmas (*arch_finalise_cte_irq_node *) [wp,Finalise_AI_assms] = hoare_use_eq_irq_node [OF arch_finalise_cap_irq_node arch_finalise_cap_cte_wp_at] -lemma (* deleting_irq_handler_st_tcb_at *) [Finalise_AI_asms]: +lemma (* deleting_irq_handler_st_tcb_at *) [Finalise_AI_assms]: "\st_tcb_at P t and K (\st. simple st \ P st)\ deleting_irq_handler irq \\rv. st_tcb_at P t\" 
@@ -1268,11 +1268,11 @@ lemma (* deleting_irq_handler_st_tcb_at *) [Finalise_AI_asms]: apply simp done -lemma irq_node_global_refs_ARCH [Finalise_AI_asms]: +lemma irq_node_global_refs_ARCH [Finalise_AI_assms]: "interrupt_irq_node s irq \ global_refs s" by (simp add: global_refs_def) -lemma (* get_irq_slot_fast_finalisable *)[wp,Finalise_AI_asms]: +lemma (* get_irq_slot_fast_finalisable *)[wp,Finalise_AI_assms]: "\invs\ get_irq_slot irq \cte_wp_at can_fast_finalise\" apply (simp add: get_irq_slot_def) apply wp @@ -1294,12 +1294,12 @@ lemma (* get_irq_slot_fast_finalisable *)[wp,Finalise_AI_asms]: apply (clarsimp simp: cap_range_def) done -lemma (* replaceable_or_arch_update_same *) [Finalise_AI_asms]: +lemma (* replaceable_or_arch_update_same *) [Finalise_AI_assms]: "replaceable_or_arch_update s slot cap cap" by (clarsimp simp: replaceable_or_arch_update_def replaceable_def is_arch_update_def is_cap_simps) -lemma (* replace_cap_invs_arch_update *)[Finalise_AI_asms]: +lemma (* replace_cap_invs_arch_update *)[Finalise_AI_assms]: "\\s. cte_wp_at (replaceable_or_arch_update s p cap) p s \ invs s \ cap \ cap.NullCap @@ -1317,7 +1317,7 @@ lemma (* replace_cap_invs_arch_update *)[Finalise_AI_asms]: apply simp done -lemma dmo_tcb_cap_valid_ARCH [Finalise_AI_asms]: +lemma dmo_tcb_cap_valid_ARCH [Finalise_AI_assms]: "\\s. P (tcb_cap_valid cap ptr s)\ do_machine_op mop \\_ s. P (tcb_cap_valid cap ptr s)\" apply (simp add: tcb_cap_valid_def no_cap_to_obj_with_diff_ref_def) apply (rule hoare_pre) @@ -1326,7 +1326,7 @@ lemma dmo_tcb_cap_valid_ARCH [Finalise_AI_asms]: apply simp done -lemma (* dmo_replaceable_or_arch_update *) [Finalise_AI_asms,wp]: +lemma (* dmo_replaceable_or_arch_update *) [Finalise_AI_assms,wp]: "\\s. replaceable_or_arch_update s slot cap cap'\ do_machine_op mo \\r s. replaceable_or_arch_update s slot cap cap'\" 
@@ -1348,7 +1348,7 @@ interpretation Finalise_AI_3?: Finalise_AI_3 where replaceable_or_arch_update = replaceable_or_arch_update proof goal_cases interpret Arch . - case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_asms)?) + case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_assms)?) qed context Arch begin global_naming ARM @@ -1366,7 +1366,7 @@ interpretation Finalise_AI_4?: Finalise_AI_4 where replaceable_or_arch_update = replaceable_or_arch_update proof goal_cases interpret Arch . - case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_asms)?) + case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_assms)?) qed context Arch begin global_naming ARM @@ -1661,10 +1661,10 @@ crunch unmap_page_table, invalidate_tlb_by_asid, global_naming Arch -lemmas clearMemory_invs [wp,Finalise_AI_asms] +lemmas clearMemory_invs [wp,Finalise_AI_assms] = clearMemory_invs -lemma valid_idle_has_null_cap_ARCH[Finalise_AI_asms]: +lemma valid_idle_has_null_cap_ARCH[Finalise_AI_assms]: "\ if_unsafe_then_cap s; valid_global_refs s; valid_idle s; valid_irq_node s\ \ caps_of_state s (idle_thread s, v) = Some cap \ cap = NullCap" @@ -1680,7 +1680,7 @@ lemma valid_idle_has_null_cap_ARCH[Finalise_AI_asms]: apply (drule_tac x=word in spec, simp) done -lemma (* zombie_cap_two_nonidles *)[Finalise_AI_asms]: +lemma (* zombie_cap_two_nonidles *)[Finalise_AI_assms]: "\ caps_of_state s ptr = Some (Zombie ptr' zbits n); invs s \ \ fst ptr \ idle_thread s \ ptr' \ idle_thread s" apply (frule valid_global_refsD2, clarsimp+) @@ -1706,7 +1706,7 @@ interpretation Finalise_AI_5?: Finalise_AI_5 where replaceable_or_arch_update = replaceable_or_arch_update proof goal_cases interpret Arch . - case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_asms)?) + case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_assms)?) qed end 
diff --git a/proof/invariant-abstract/ARM/ArchInterrupt_AI.thy b/proof/invariant-abstract/ARM/ArchInterrupt_AI.thy index 61058a2bf9..51cc82cb0c 100644 --- a/proof/invariant-abstract/ARM/ArchInterrupt_AI.thy +++ b/proof/invariant-abstract/ARM/ArchInterrupt_AI.thy @@ -23,16 +23,16 @@ primrec arch_irq_control_inv_valid_real :: defs arch_irq_control_inv_valid_def: "arch_irq_control_inv_valid \ arch_irq_control_inv_valid_real" -named_theorems Interrupt_AI_asms +named_theorems Interrupt_AI_assms -lemma (* decode_irq_control_invocation_inv *)[Interrupt_AI_asms]: +lemma (* decode_irq_control_invocation_inv *)[Interrupt_AI_assms]: "\P\ decode_irq_control_invocation label args slot caps \\rv. P\" apply (simp add: decode_irq_control_invocation_def Let_def arch_check_irq_def arch_decode_irq_control_invocation_def whenE_def, safe) apply (wp | simp)+ done -lemma decode_irq_control_valid [Interrupt_AI_asms]: +lemma decode_irq_control_valid [Interrupt_AI_assms]: "\\s. invs s \ (\cap \ set caps. s \ cap) \ (\cap \ set caps. is_cnode_cap cap \ (\r \ cte_refs cap (interrupt_irq_node s). ex_cte_cap_wp_to is_cnode_cap r s)) @@ -49,7 +49,7 @@ lemma decode_irq_control_valid [Interrupt_AI_asms]: apply (cases caps ; fastforce simp: cte_wp_at_eq_simp) done -lemma get_irq_slot_different_ARCH[Interrupt_AI_asms]: +lemma get_irq_slot_different_ARCH[Interrupt_AI_assms]: "\\s. valid_global_refs s \ ex_cte_cap_wp_to is_cnode_cap ptr s\ get_irq_slot irq \\rv s. rv \ ptr\" @@ -61,7 +61,7 @@ lemma get_irq_slot_different_ARCH[Interrupt_AI_asms]: apply (clarsimp simp: global_refs_def is_cap_simps cap_range_def) done -lemma is_derived_use_interrupt_ARCH[Interrupt_AI_asms]: +lemma is_derived_use_interrupt_ARCH[Interrupt_AI_assms]: "(is_ntfn_cap cap \ interrupt_derived cap cap') \ (is_derived m p cap cap')" apply (clarsimp simp: is_cap_simps) apply (clarsimp simp: interrupt_derived_def is_derived_def) 
@@ -69,7 +69,7 @@ lemma is_derived_use_interrupt_ARCH[Interrupt_AI_asms]: apply (simp add: is_cap_simps is_pt_cap_def vs_cap_ref_def) done -lemma maskInterrupt_invs_ARCH[Interrupt_AI_asms]: +lemma maskInterrupt_invs_ARCH[Interrupt_AI_assms]: "\invs and (\s. \b \ interrupt_states s irq \ IRQInactive)\ do_machine_op (maskInterrupt b irq) \\rv. invs\" @@ -79,13 +79,13 @@ lemma maskInterrupt_invs_ARCH[Interrupt_AI_asms]: valid_irq_states_but_def valid_irq_masks_but_def valid_machine_state_def cur_tcb_def valid_irq_states_def valid_irq_masks_def) done -lemma no_cap_to_obj_with_diff_IRQHandler_ARCH[Interrupt_AI_asms]: +lemma no_cap_to_obj_with_diff_IRQHandler_ARCH[Interrupt_AI_assms]: "no_cap_to_obj_with_diff_ref (IRQHandlerCap irq) S = \" by (rule ext, simp add: no_cap_to_obj_with_diff_ref_def cte_wp_at_caps_of_state obj_ref_none_no_asid) -lemma (* set_irq_state_valid_cap *)[Interrupt_AI_asms]: +lemma (* set_irq_state_valid_cap *)[Interrupt_AI_assms]: "\valid_cap cap\ set_irq_state IRQSignal irq \\rv. valid_cap cap\" apply (clarsimp simp: set_irq_state_def) apply (wp do_machine_op_valid_cap) @@ -95,12 +95,12 @@ lemma (* set_irq_state_valid_cap *)[Interrupt_AI_asms]: done crunch set_irq_state - for valid_global_refs[Interrupt_AI_asms]: "valid_global_refs" + for valid_global_refs[Interrupt_AI_assms]: "valid_global_refs" crunch arch_invoke_irq_handler for typ_at[wp]: "\s. P (typ_at T p s)" -lemma invoke_irq_handler_invs'[Interrupt_AI_asms]: +lemma invoke_irq_handler_invs'[Interrupt_AI_assms]: assumes dmo_ex_inv[wp]: "\f. \invs and ex_inv\ do_machine_op f \\rv::unit. ex_inv\" assumes cap_insert_ex_inv[wp]: "\cap src dest. \ex_inv and invs and K (src \ dest)\ 
@@ -156,7 +156,7 @@ lemma invoke_irq_handler_invs'[Interrupt_AI_asms]: done qed -lemma (* invoke_irq_control_invs *) [Interrupt_AI_asms]: +lemma (* invoke_irq_control_invs *) [Interrupt_AI_assms]: "\invs and irq_control_inv_valid i\ invoke_irq_control i \\rv. invs\" apply (cases i, simp_all) apply (wp cap_insert_simple_invs @@ -180,7 +180,7 @@ lemma (* invoke_irq_control_invs *) [Interrupt_AI_asms]: crunch resetTimer for device_state_inv[wp]: "\ms. P (device_state ms)" -lemma resetTimer_invs_ARCH[Interrupt_AI_asms]: +lemma resetTimer_invs_ARCH[Interrupt_AI_assms]: "\invs\ do_machine_op resetTimer \\_. invs\" apply (wp dmo_invs) apply safe @@ -193,15 +193,15 @@ lemma resetTimer_invs_ARCH[Interrupt_AI_asms]: apply(erule use_valid, wp no_irq_resetTimer no_irq, assumption) done -lemma empty_fail_ackInterrupt_ARCH[Interrupt_AI_asms]: +lemma empty_fail_ackInterrupt_ARCH[Interrupt_AI_assms]: "empty_fail (ackInterrupt irq)" by (wp | simp add: ackInterrupt_def)+ -lemma empty_fail_maskInterrupt_ARCH[Interrupt_AI_asms]: +lemma empty_fail_maskInterrupt_ARCH[Interrupt_AI_assms]: "empty_fail (maskInterrupt f irq)" by (wp | simp add: maskInterrupt_def)+ -lemma (* handle_interrupt_invs *) [Interrupt_AI_asms]: +lemma (* handle_interrupt_invs *) [Interrupt_AI_assms]: "\invs\ handle_interrupt irq \\_. invs\" apply (simp add: handle_interrupt_def) apply (rule conjI; rule impI) @@ -217,7 +217,7 @@ lemma (* handle_interrupt_invs *) [Interrupt_AI_asms]: | simp add: get_irq_state_def handle_reserved_irq_def)+ done -lemma sts_arch_irq_control_inv_valid[wp, Interrupt_AI_asms]: +lemma sts_arch_irq_control_inv_valid[wp, Interrupt_AI_assms]: "\arch_irq_control_inv_valid i\ set_thread_state t st \\rv. arch_irq_control_inv_valid i\" 
@@ -232,7 +232,7 @@ end interpretation Interrupt_AI?: Interrupt_AI proof goal_cases interpret Arch . - case 1 show ?case by (intro_locales; (unfold_locales, simp_all add: Interrupt_AI_asms)?) + case 1 show ?case by (intro_locales; (unfold_locales, simp_all add: Interrupt_AI_assms)?) qed end diff --git a/proof/invariant-abstract/ARM/ArchIpcCancel_AI.thy b/proof/invariant-abstract/ARM/ArchIpcCancel_AI.thy index 8f0e8b96a3..ca35fa7912 100644 --- a/proof/invariant-abstract/ARM/ArchIpcCancel_AI.thy +++ b/proof/invariant-abstract/ARM/ArchIpcCancel_AI.thy @@ -10,11 +10,11 @@ begin context Arch begin global_naming ARM -named_theorems IpcCancel_AI_asms +named_theorems IpcCancel_AI_assms crunch arch_post_cap_deletion - for typ_at[wp, IpcCancel_AI_asms]: "\s. P (typ_at T p s)" - and idle_thread[wp, IpcCancel_AI_asms]: "\s. P (idle_thread s)" + for typ_at[wp, IpcCancel_AI_assms]: "\s. P (typ_at T p s)" + and idle_thread[wp, IpcCancel_AI_assms]: "\s. P (idle_thread s)" end @@ -22,7 +22,7 @@ interpretation IpcCancel_AI?: IpcCancel_AI proof goal_cases interpret Arch . case 1 show ?case - by (intro_locales; (unfold_locales; fact IpcCancel_AI_asms)?) + by (intro_locales; (unfold_locales; fact IpcCancel_AI_assms)?) qed diff --git a/proof/invariant-abstract/ARM/ArchSchedule_AI.thy b/proof/invariant-abstract/ARM/ArchSchedule_AI.thy index 713560f6b5..72f9324db3 100644 --- a/proof/invariant-abstract/ARM/ArchSchedule_AI.thy +++ b/proof/invariant-abstract/ARM/ArchSchedule_AI.thy @@ -10,9 +10,9 @@ begin context Arch begin global_naming ARM -named_theorems Schedule_AI_asms +named_theorems Schedule_AI_assms -lemma dmo_mapM_storeWord_0_invs[wp,Schedule_AI_asms]: +lemma dmo_mapM_storeWord_0_invs[wp,Schedule_AI_assms]: "valid invs (do_machine_op (mapM (\p. storeWord p 0) S)) (\_. invs)" apply (simp add: dom_mapM ef_storeWord) apply (rule mapM_UNIV_wp) 
@@ -40,25 +40,25 @@ lemma clearExMonitor_invs [wp]: global_naming Arch -lemma arch_stt_invs [wp,Schedule_AI_asms]: +lemma arch_stt_invs [wp,Schedule_AI_assms]: "\invs\ arch_switch_to_thread t' \\_. invs\" apply (simp add: arch_switch_to_thread_def) apply wp done -lemma arch_stt_tcb [wp,Schedule_AI_asms]: +lemma arch_stt_tcb [wp,Schedule_AI_assms]: "\tcb_at t'\ arch_switch_to_thread t' \\_. tcb_at t'\" apply (simp add: arch_switch_to_thread_def) apply (wp) done -lemma arch_stt_runnable[Schedule_AI_asms]: +lemma arch_stt_runnable[Schedule_AI_assms]: "\st_tcb_at runnable t\ arch_switch_to_thread t \\r . st_tcb_at runnable t\" apply (simp add: arch_switch_to_thread_def) apply wp done -lemma arch_stit_invs[wp, Schedule_AI_asms]: +lemma arch_stit_invs[wp, Schedule_AI_assms]: "\invs\ arch_switch_to_idle_thread \\r. invs\" by (wpsimp wp: svr_invs simp: arch_switch_to_idle_thread_def) @@ -72,20 +72,20 @@ crunch set_vm_root for ct[wp]: "\s. P (cur_thread s)" (wp: crunch_wps simp: crunch_simps) -lemma arch_stit_activatable[wp, Schedule_AI_asms]: +lemma arch_stit_activatable[wp, Schedule_AI_assms]: "\ct_in_state activatable\ arch_switch_to_idle_thread \\rv . ct_in_state activatable\" apply (clarsimp simp: arch_switch_to_idle_thread_def) apply (wpsimp simp: ct_in_state_def wp: ct_in_state_thread_state_lift) done -lemma stit_invs [wp,Schedule_AI_asms]: +lemma stit_invs [wp,Schedule_AI_assms]: "\invs\ switch_to_idle_thread \\rv. invs\" apply (simp add: switch_to_idle_thread_def) apply (wp sct_invs) by (clarsimp simp: invs_def valid_state_def valid_idle_def cur_tcb_def pred_tcb_at_def valid_machine_state_def obj_at_def is_tcb_def) -lemma stit_activatable[Schedule_AI_asms]: +lemma stit_activatable[Schedule_AI_assms]: "\invs\ switch_to_idle_thread \\rv . ct_in_state activatable\" apply (simp add: switch_to_idle_thread_def arch_switch_to_idle_thread_def) apply (wp | simp add: ct_in_state_def)+ 
@@ -93,7 +93,7 @@ lemma stit_activatable[Schedule_AI_asms]: elim!: pred_tcb_weaken_strongerE) done -lemma stt_invs [wp,Schedule_AI_asms]: +lemma stt_invs [wp,Schedule_AI_assms]: "\invs\ switch_to_thread t' \\_. invs\" apply (simp add: switch_to_thread_def) apply wp @@ -113,14 +113,14 @@ interpretation Schedule_AI_U?: Schedule_AI_U proof goal_cases interpret Arch . case 1 show ?case - by (intro_locales; (unfold_locales; fact Schedule_AI_asms)?) + by (intro_locales; (unfold_locales; fact Schedule_AI_assms)?) qed interpretation Schedule_AI?: Schedule_AI proof goal_cases interpret Arch . case 1 show ?case - by (intro_locales; (unfold_locales; fact Schedule_AI_asms)?) + by (intro_locales; (unfold_locales; fact Schedule_AI_assms)?) qed end diff --git a/proof/invariant-abstract/ARM/ArchTcb_AI.thy b/proof/invariant-abstract/ARM/ArchTcb_AI.thy index 3fbd5199e5..a9bb4e3b8a 100644 --- a/proof/invariant-abstract/ARM/ArchTcb_AI.thy +++ b/proof/invariant-abstract/ARM/ArchTcb_AI.thy @@ -10,17 +10,17 @@ begin context Arch begin global_naming ARM -named_theorems Tcb_AI_asms +named_theorems Tcb_AI_assms -lemma activate_idle_invs[Tcb_AI_asms]: +lemma activate_idle_invs[Tcb_AI_assms]: "\invs and ct_idle\ arch_activate_idle_thread thread \\rv. invs and ct_idle\" by (simp add: arch_activate_idle_thread_def) -lemma empty_fail_getRegister [intro!, simp, Tcb_AI_asms]: +lemma empty_fail_getRegister [intro!, simp, Tcb_AI_assms]: "empty_fail (getRegister r)" by (simp add: getRegister_def) @@ -37,7 +37,7 @@ lemma same_object_also_valid: (* arch specific *) split: cap.split_asm arch_cap.split_asm option.splits)+) done -lemma same_object_obj_refs[Tcb_AI_asms]: +lemma same_object_obj_refs[Tcb_AI_assms]: "\ same_object_as cap cap' \ \ obj_refs cap = obj_refs cap'" apply (cases cap, simp_all add: same_object_as_def) 
@@ -135,13 +135,13 @@ lemma checked_insert_tcb_invs[wp]: (* arch specific *) done crunch arch_get_sanitise_register_info, arch_post_modify_registers - for tcb_at[wp, Tcb_AI_asms]: "tcb_at a" + for tcb_at[wp, Tcb_AI_assms]: "tcb_at a" crunch arch_get_sanitise_register_info, arch_post_modify_registers - for invs[wp, Tcb_AI_asms]: "invs" + for invs[wp, Tcb_AI_assms]: "invs" crunch arch_get_sanitise_register_info, arch_post_modify_registers - for ex_nonz_cap_to[wp, Tcb_AI_asms]: "ex_nonz_cap_to a" + for ex_nonz_cap_to[wp, Tcb_AI_assms]: "ex_nonz_cap_to a" -lemma finalise_cap_not_cte_wp_at[Tcb_AI_asms]: +lemma finalise_cap_not_cte_wp_at[Tcb_AI_assms]: assumes x: "P cap.NullCap" shows "\\s. \cp \ ran (caps_of_state s). P cp\ finalise_cap cap fin @@ -158,7 +158,7 @@ lemma finalise_cap_not_cte_wp_at[Tcb_AI_asms]: done -lemma table_cap_ref_max_free_index_upd[simp,Tcb_AI_asms]: +lemma table_cap_ref_max_free_index_upd[simp,Tcb_AI_assms]: "table_cap_ref (max_free_index_update cap) = table_cap_ref cap" by (simp add: free_index_update_def table_cap_ref_def split: cap.splits) @@ -166,7 +166,7 @@ lemma table_cap_ref_max_free_index_upd[simp,Tcb_AI_asms]: interpretation Tcb_AI_1? : Tcb_AI_1 where state_ext_t = state_ext_t and is_cnode_or_valid_arch = is_cnode_or_valid_arch -by (unfold_locales; fact Tcb_AI_asms) +by (unfold_locales; fact Tcb_AI_assms) lemma use_no_cap_to_obj_asid_strg: (* arch specific *) @@ -183,7 +183,7 @@ lemma use_no_cap_to_obj_asid_strg: (* arch specific *) apply (fastforce simp: table_cap_ref_def valid_cap_simps elim!: asid_low_high_bits)+ done -lemma cap_delete_no_cap_to_obj_asid[wp, Tcb_AI_asms]: +lemma cap_delete_no_cap_to_obj_asid[wp, Tcb_AI_assms]: "\no_cap_to_obj_dr_emp cap\ cap_delete slot \\rv. no_cap_to_obj_dr_emp cap\" 
@@ -212,7 +212,7 @@ lemma as_user_ipc_tcb_cap_valid4[wp]: apply (clarsimp simp: get_tcb_def) done -lemma tc_invs[Tcb_AI_asms]: +lemma tc_invs[Tcb_AI_assms]: "\invs and tcb_at a and (case_option \ (valid_cap o fst) e) and (case_option \ (valid_cap o fst) f) @@ -291,7 +291,7 @@ lemma check_valid_ipc_buffer_inv: apply (wp | simp add: whenE_def if_apply_def2 | wpcw)+ done -lemma check_valid_ipc_buffer_wp[Tcb_AI_asms]: +lemma check_valid_ipc_buffer_wp[Tcb_AI_assms]: "\\(s::'state_ext::state_ext state). is_arch_cap cap \ is_cnode_or_valid_arch cap \ valid_ipc_buffer_cap cap vptr \ is_aligned vptr msg_align_bits @@ -307,7 +307,7 @@ lemma check_valid_ipc_buffer_wp[Tcb_AI_asms]: valid_ipc_buffer_cap_def) done -lemma derive_no_cap_asid[wp,Tcb_AI_asms]: +lemma derive_no_cap_asid[wp,Tcb_AI_assms]: "\(no_cap_to_obj_with_diff_ref cap S)::'state_ext::state_ext state\bool\ derive_cap slot cap \\rv. no_cap_to_obj_with_diff_ref rv S\,-" @@ -321,7 +321,7 @@ lemma derive_no_cap_asid[wp,Tcb_AI_asms]: done -lemma decode_set_ipc_inv[wp,Tcb_AI_asms]: +lemma decode_set_ipc_inv[wp,Tcb_AI_assms]: "\P::'state_ext::state_ext state \ bool\ decode_set_ipc_buffer args cap slot excaps \\rv. P\" apply (simp add: decode_set_ipc_buffer_def whenE_def split_def @@ -330,7 +330,7 @@ lemma decode_set_ipc_inv[wp,Tcb_AI_asms]: apply simp done -lemma no_cap_to_obj_with_diff_ref_update_cap_data[Tcb_AI_asms]: +lemma no_cap_to_obj_with_diff_ref_update_cap_data[Tcb_AI_assms]: "no_cap_to_obj_with_diff_ref c S s \ no_cap_to_obj_with_diff_ref (update_cap_data P x c) S s" apply (case_tac "update_cap_data P x c = NullCap") @@ -347,7 +347,7 @@ lemma no_cap_to_obj_with_diff_ref_update_cap_data[Tcb_AI_asms]: done -lemma update_cap_valid[Tcb_AI_asms]: +lemma update_cap_valid[Tcb_AI_assms]: "valid_cap cap (s::'state_ext::state_ext state) \ valid_cap (case capdata of None \ cap_rights_update rs cap 
@@ -389,7 +389,7 @@ global_interpretation Tcb_AI?: Tcb_AI proof goal_cases interpret Arch . case 1 show ?case
- by (unfold_locales; fact Tcb_AI_asms)
+ by (unfold_locales; fact Tcb_AI_assms)
 qed end
diff --git a/proof/invariant-abstract/ARM_HYP/ArchAInvsPre.thy b/proof/invariant-abstract/ARM_HYP/ArchAInvsPre.thy
index 102cd05218..f4d3214e53 100644
--- a/proof/invariant-abstract/ARM_HYP/ArchAInvsPre.thy
+++ b/proof/invariant-abstract/ARM_HYP/ArchAInvsPre.thy
@@ -98,13 +98,13 @@ lemma device_frame_in_device_region: global_naming Arch
-named_theorems AInvsPre_asms
+named_theorems AInvsPre_assms
 lemma get_page_info_0[simp]: "get_page_info (\obj. get_arch_obj (kheap s obj)) 0 x = None" by (simp add: get_page_info_def)
-lemma (* ptable_rights_imp_frame *)[AInvsPre_asms]:
+lemma (* ptable_rights_imp_frame *)[AInvsPre_assms]:
 assumes "valid_state s" shows "ptable_rights t s x \ {} \ ptable_lift t s x = Some (addrFromPPtr y) \
@@ -138,7 +138,7 @@ end global_interpretation AInvsPre?: AInvsPre proof goal_cases interpret Arch .
- case 1 show ?case by (intro_locales; (unfold_locales, fact AInvsPre_asms)?)
+ case 1 show ?case by (intro_locales; (unfold_locales, fact AInvsPre_assms)?)
 qed requalify_facts
diff --git a/proof/invariant-abstract/ARM_HYP/ArchDetype_AI.thy b/proof/invariant-abstract/ARM_HYP/ArchDetype_AI.thy
index ae44dac57a..5400266d68 100644
--- a/proof/invariant-abstract/ARM_HYP/ArchDetype_AI.thy
+++ b/proof/invariant-abstract/ARM_HYP/ArchDetype_AI.thy
@@ -10,16 +10,16 @@ begin context Arch begin global_naming ARM_HYP -named_theorems Detype_AI_asms +named_theorems Detype_AI_assms -lemma valid_globals_irq_node[Detype_AI_asms]: +lemma valid_globals_irq_node[Detype_AI_assms]: "\ valid_global_refs s; cte_wp_at ((=) cap) ptr s \ \ interrupt_irq_node s irq \ cap_range cap" apply (erule(1) valid_global_refsD) apply (simp add: global_refs_def) done -lemma caps_of_state_ko[Detype_AI_asms]: +lemma caps_of_state_ko[Detype_AI_assms]: "valid_cap cap s \ is_untyped_cap cap \ cap_range cap = {} \ @@ -38,7 +38,7 @@ lemma caps_of_state_ko[Detype_AI_asms]: is_cap_simps )+ done -lemma mapM_x_storeWord[Detype_AI_asms]: +lemma mapM_x_storeWord[Detype_AI_assms]: (* FIXME: taken from Retype_C.thy and adapted wrt. the missing intvl syntax. *) assumes al: "is_aligned ptr word_size_bits" shows "mapM_x (\x. storeWord (ptr + of_nat x * word_size) 0) [0..x. if x \ S then {} else state_hyp_refs_of s x)" by (rule ext, simp add: state_hyp_refs_of_def detype_def) -lemma valid_ioports_detype[Detype_AI_asms]: +lemma valid_ioports_detype[Detype_AI_assms]: "valid_ioports s \ valid_ioports (detype (untyped_range cap) s)" by auto @@ -128,7 +128,7 @@ interpretation Detype_AI?: Detype_AI proof goal_cases interpret Arch . case 1 show ?case - by (intro_locales; (unfold_locales; fact Detype_AI_asms)?) + by (intro_locales; (unfold_locales; fact Detype_AI_assms)?) qed context detype_locale_arch begin diff --git a/proof/invariant-abstract/ARM_HYP/ArchFinalise_AI.thy b/proof/invariant-abstract/ARM_HYP/ArchFinalise_AI.thy index 9ca314bcf0..ff6033c15f 100644 --- a/proof/invariant-abstract/ARM_HYP/ArchFinalise_AI.thy +++ b/proof/invariant-abstract/ARM_HYP/ArchFinalise_AI.thy 
@@ -11,13 +11,13 @@ begin context Arch begin
-named_theorems Finalise_AI_asms
+named_theorems Finalise_AI_assms
 crunch prepare_thread_delete for caps_of_state[wp]: "\s. P (caps_of_state s)" (wp: crunch_wps)
-declare prepare_thread_delete_caps_of_state [Finalise_AI_asms]
+declare prepare_thread_delete_caps_of_state [Finalise_AI_assms]
 global_naming ARM_HYP
@@ -242,22 +242,22 @@ lemma unmap_page_tcb_cap_valid: global_naming Arch
-lemma (* replaceable_cdt_update *)[simp,Finalise_AI_asms]:
+lemma (* replaceable_cdt_update *)[simp,Finalise_AI_assms]:
 "replaceable (cdt_update f s) = replaceable s" by (fastforce simp: replaceable_def tcb_cap_valid_def)
-lemma (* replaceable_revokable_update *)[simp,Finalise_AI_asms]:
+lemma (* replaceable_revokable_update *)[simp,Finalise_AI_assms]:
 "replaceable (is_original_cap_update f s) = replaceable s" by (fastforce simp: replaceable_def is_final_cap'_def2 tcb_cap_valid_def)
-lemma (* replaceable_more_update *) [simp,Finalise_AI_asms]:
+lemma (* replaceable_more_update *) [simp,Finalise_AI_assms]:
 "replaceable (trans_state f s) sl cap cap' = replaceable s sl cap cap'" by (simp add: replaceable_def)
-lemma (* obj_ref_ofI *) [Finalise_AI_asms]: "obj_refs cap = {x} \ obj_ref_of cap = x"
+lemma (* obj_ref_ofI *) [Finalise_AI_assms]: "obj_refs cap = {x} \ obj_ref_of cap = x"
 by (case_tac cap, simp_all) (rename_tac arch_cap, case_tac arch_cap, simp_all)
-lemma (* empty_slot_invs *) [Finalise_AI_asms]:
+lemma (* empty_slot_invs *) [Finalise_AI_assms]:
 "\\s. invs s \ cte_wp_at (replaceable s sl cap.NullCap) sl s \ emptyable sl s \ (info \ NullCap \ post_cap_delete_pre info ((caps_of_state s) (sl \ NullCap)))\
@@ -333,7 +333,7 @@ lemma (* empty_slot_invs *) [Finalise_AI_asms]: apply (simp add: is_final_cap'_def2 cte_wp_at_caps_of_state) done -lemma dom_tcb_cap_cases_lt_ARCH [Finalise_AI_asms]: +lemma dom_tcb_cap_cases_lt_ARCH [Finalise_AI_assms]: "dom tcb_cap_cases = {xs. length xs = 3 \ unat (of_bl xs :: machine_word) < 5}" apply (rule set_eqI, rule iffI) apply clarsimp @@ -343,7 +343,7 @@ lemma dom_tcb_cap_cases_lt_ARCH [Finalise_AI_asms]: apply (clarsimp simp: nat_to_cref_unat_of_bl') done -lemma (* unbind_notification_final *) [wp,Finalise_AI_asms]: +lemma (* unbind_notification_final *) [wp,Finalise_AI_assms]: "\is_final_cap' cap\ unbind_notification t \ \rv. is_final_cap' cap\" unfolding unbind_notification_def apply (wp final_cap_lift thread_set_caps_of_state_trivial hoare_drop_imps @@ -371,7 +371,7 @@ lemma prepare_thread_delete_final[wp]: | wpc | clarsimp simp add: tcb_cap_cases_def)+ done -lemma (* finalise_cap_cases1 *)[Finalise_AI_asms]: +lemma (* finalise_cap_cases1 *)[Finalise_AI_assms]: "\\s. final \ is_final_cap' cap s \ cte_wp_at ((=) cap) slot s\ finalise_cap cap final @@ -411,12 +411,12 @@ crunch dissociate_vcpu_tcb ignore: do_machine_op set_object) (* ARMHYP fix *) crunch arch_finalise_cap - for typ_at[wp,Finalise_AI_asms]: "\s. P (typ_at T p s)" + for typ_at[wp,Finalise_AI_assms]: "\s. P (typ_at T p s)" (wp: crunch_wps simp: crunch_simps unless_def assertE_def ignore: maskInterrupt set_object) (* ARMHYP fix *) crunch prepare_thread_delete - for typ_at[wp,Finalise_AI_asms]: "\s. P (typ_at T p s)" + for typ_at[wp,Finalise_AI_assms]: "\s. P (typ_at T p s)" crunch arch_thread_set for tcb_at[wp]: "\s. tcb_at p s" 
@@ -437,7 +437,7 @@ crunch dissociate_vcpu_tcb crunch prepare_thread_delete for tcb_at[wp]: "\s. tcb_at p s" -lemma (* finalise_cap_new_valid_cap *)[wp,Finalise_AI_asms]: +lemma (* finalise_cap_new_valid_cap *)[wp,Finalise_AI_assms]: "\valid_cap cap\ finalise_cap cap x \\rv. valid_cap (fst rv)\" apply (cases cap, simp_all) apply (wp suspend_valid_cap prepare_thread_delete_typ_at @@ -1076,7 +1076,7 @@ crunch vcpu_finalise for invs[wp]: invs (ignore: dissociate_vcpu_tcb) -lemma arch_finalise_cap_invs' [wp,Finalise_AI_asms]: +lemma arch_finalise_cap_invs' [wp,Finalise_AI_assms]: "\invs and valid_cap (ArchObjectCap cap)\ arch_finalise_cap cap final \\rv. invs\" @@ -1139,14 +1139,14 @@ lemma arch_finalise_cap_vcpu: done -lemma obj_at_not_live_valid_arch_cap_strg [Finalise_AI_asms]: +lemma obj_at_not_live_valid_arch_cap_strg [Finalise_AI_assms]: "(s \ ArchObjectCap cap \ aobj_ref cap = Some r \ \ typ_at (AArch AVCPU) r s) \ obj_at (\ko. \ live ko) r s" by (clarsimp simp: live_def valid_cap_def obj_at_def a_type_arch_live valid_cap_simps hyp_live_def arch_live_def split: arch_cap.split_asm if_splits) -lemma obj_at_not_live_valid_arch_cap_strg' [Finalise_AI_asms]: +lemma obj_at_not_live_valid_arch_cap_strg' [Finalise_AI_assms]: "(s \ ArchObjectCap cap \ aobj_ref cap = Some r \ cap \ VCPUCap r) \ obj_at (\ko. \ live ko) r s" by (clarsimp simp: live_def valid_cap_def obj_at_def @@ -1197,7 +1197,7 @@ lemma arch_finalise_cap_replaceable1: global_naming Arch -lemma (* deleting_irq_handler_slot_not_irq_node *)[Finalise_AI_asms]: +lemma (* deleting_irq_handler_slot_not_irq_node *)[Finalise_AI_assms]: "\if_unsafe_then_cap and valid_global_refs and cte_wp_at (\cp. cap_irqs cp \ {}) sl\ deleting_irq_handler irq 
@@ -1218,7 +1218,7 @@ lemma (* deleting_irq_handler_slot_not_irq_node *)[Finalise_AI_asms]: apply (clarsimp simp: appropriate_cte_cap_def split: cap.split_asm) done -lemma no_cap_to_obj_with_diff_ref_finalI_ARCH[Finalise_AI_asms]: +lemma no_cap_to_obj_with_diff_ref_finalI_ARCH[Finalise_AI_assms]: "\ cte_wp_at ((=) cap) p s; is_final_cap' cap s; obj_refs cap' = obj_refs cap \ \ no_cap_to_obj_with_diff_ref cap' {p} s" @@ -1240,7 +1240,7 @@ lemma no_cap_to_obj_with_diff_ref_finalI_ARCH[Finalise_AI_asms]: gen_obj_refs_Int) done -lemma (* suspend_no_cap_to_obj_ref *)[wp,Finalise_AI_asms]: +lemma (* suspend_no_cap_to_obj_ref *)[wp,Finalise_AI_assms]: "\no_cap_to_obj_with_diff_ref cap S\ suspend t \\rv. no_cap_to_obj_with_diff_ref cap S\" @@ -1293,7 +1293,7 @@ lemma arch_finalise_cap_replaceable: \\rv s. replaceable s sl (fst rv) (cap.ArchObjectCap cap)\" by (cases cap; simp add: arch_finalise_cap_vcpu arch_finalise_cap_replaceable1) -lemma finalise_cap_replaceable [Finalise_AI_asms]: +lemma finalise_cap_replaceable [Finalise_AI_assms]: "\\s. s \ cap \ x = is_final_cap' cap s \ valid_mdb s \ cte_wp_at ((=) cap) sl s \ valid_objs s \ sym_refs (state_refs_of s) \ (cap_irqs cap \ {} \ if_unsafe_then_cap s \ valid_global_refs s) @@ -1347,7 +1347,7 @@ lemma finalise_cap_replaceable [Finalise_AI_asms]: | simp add: valid_cap_simps is_nondevice_page_cap_simps)+) done -lemma (* deleting_irq_handler_cte_preserved *)[Finalise_AI_asms]: +lemma (* deleting_irq_handler_cte_preserved *)[Finalise_AI_assms]: assumes x: "\cap. P cap \ \ can_fast_finalise cap" shows "\cte_wp_at P p\ deleting_irq_handler irq \\rv. cte_wp_at P p\" apply (simp add: deleting_irq_handler_def) 
@@ -1366,22 +1366,22 @@ lemma arch_thread_set_cte_wp_at[wp]: done crunch dissociate_vcpu_tcb - for cte_wp_at[wp,Finalise_AI_asms]: "\s. P (cte_wp_at P' p s)" + for cte_wp_at[wp,Finalise_AI_assms]: "\s. P (cte_wp_at P' p s)" (simp: crunch_simps assertE_def wp: crunch_wps set_object_cte_at ignore: arch_thread_set) crunch prepare_thread_delete - for cte_wp_at[wp,Finalise_AI_asms]: "\s. P (cte_wp_at P' p s)" + for cte_wp_at[wp,Finalise_AI_assms]: "\s. P (cte_wp_at P' p s)" (simp: crunch_simps assertE_def wp: crunch_wps set_object_cte_at ignore: arch_thread_set) crunch arch_finalise_cap - for cte_wp_at[wp,Finalise_AI_asms]: "\s. P (cte_wp_at P' p s)" + for cte_wp_at[wp,Finalise_AI_assms]: "\s. P (cte_wp_at P' p s)" (simp: crunch_simps assertE_def wp: crunch_wps set_object_cte_at ignore: arch_thread_set) end interpretation Finalise_AI_1?: Finalise_AI_1 proof goal_cases interpret Arch . - case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_asms)?) + case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_assms)?) qed context Arch begin global_naming ARM_HYP @@ -1406,7 +1406,7 @@ lemma fast_finalise_replaceable[wp]: done global_naming Arch -lemma (* cap_delete_one_invs *) [Finalise_AI_asms,wp]: +lemma (* cap_delete_one_invs *) [Finalise_AI_assms,wp]: "\invs and emptyable ptr\ cap_delete_one ptr \\rv. invs\" apply (simp add: cap_delete_one_def unless_def is_final_cap_def) apply (rule hoare_pre) @@ -1420,7 +1420,7 @@ end interpretation Finalise_AI_2?: Finalise_AI_2 proof goal_cases interpret Arch . - case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_asms)?) + case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_assms)?) qed context Arch begin global_naming ARM_HYP 
@@ -1432,7 +1432,7 @@ crunch (wp: crunch_wps subset_refl) crunch prepare_thread_delete - for irq_node[Finalise_AI_asms,wp]: "\s. P (interrupt_irq_node s)" + for irq_node[Finalise_AI_assms,wp]: "\s. P (interrupt_irq_node s)" (wp: crunch_wps simp: crunch_simps) crunch arch_finalise_cap @@ -2001,7 +2001,7 @@ crunch prepare_thread_delete for invs[wp]: invs (ignore: set_object) -lemma (* finalise_cap_invs *)[Finalise_AI_asms]: +lemma (* finalise_cap_invs *)[Finalise_AI_assms]: shows "\invs and cte_wp_at ((=) cap) slot\ finalise_cap cap x \\rv. invs\" apply (cases cap, simp_all split del: if_split) apply (wp cancel_all_ipc_invs cancel_all_signals_invs unbind_notification_invs @@ -2018,16 +2018,16 @@ lemma (* finalise_cap_invs *)[Finalise_AI_asms]: apply (auto dest: cte_wp_at_valid_objs_valid_cap) done -lemma (* finalise_cap_irq_node *)[Finalise_AI_asms]: +lemma (* finalise_cap_irq_node *)[Finalise_AI_assms]: "\\s. P (interrupt_irq_node s)\ finalise_cap a b \\_ s. P (interrupt_irq_node s)\" apply (case_tac a,simp_all) apply (wp | clarsimp)+ done -lemmas (*arch_finalise_cte_irq_node *) [wp,Finalise_AI_asms] +lemmas (*arch_finalise_cte_irq_node *) [wp,Finalise_AI_assms] = hoare_use_eq_irq_node [OF arch_finalise_cap_irq_node arch_finalise_cap_cte_wp_at] -lemma (* deleting_irq_handler_st_tcb_at *) [Finalise_AI_asms]: +lemma (* deleting_irq_handler_st_tcb_at *) [Finalise_AI_assms]: "\st_tcb_at P t and K (\st. simple st \ P st)\ deleting_irq_handler irq \\rv. st_tcb_at P t\" 
@@ -2036,11 +2036,11 @@ lemma (* deleting_irq_handler_st_tcb_at *) [Finalise_AI_asms]: apply simp done -lemma irq_node_global_refs_ARCH [Finalise_AI_asms]: +lemma irq_node_global_refs_ARCH [Finalise_AI_assms]: "interrupt_irq_node s irq \ global_refs s" by (simp add: global_refs_def) -lemma (* get_irq_slot_fast_finalisable *)[wp,Finalise_AI_asms]: +lemma (* get_irq_slot_fast_finalisable *)[wp,Finalise_AI_assms]: "\invs\ get_irq_slot irq \cte_wp_at can_fast_finalise\" apply (simp add: get_irq_slot_def) apply wp @@ -2062,12 +2062,12 @@ lemma (* get_irq_slot_fast_finalisable *)[wp,Finalise_AI_asms]: apply (clarsimp simp: cap_range_def) done -lemma (* replaceable_or_arch_update_same *) [Finalise_AI_asms]: +lemma (* replaceable_or_arch_update_same *) [Finalise_AI_assms]: "replaceable_or_arch_update s slot cap cap" by (clarsimp simp: replaceable_or_arch_update_def replaceable_def is_arch_update_def is_cap_simps) -lemma (* replace_cap_invs_arch_update *)[Finalise_AI_asms]: +lemma (* replace_cap_invs_arch_update *)[Finalise_AI_assms]: "\\s. cte_wp_at (replaceable_or_arch_update s p cap) p s \ invs s \ cap \ cap.NullCap @@ -2085,7 +2085,7 @@ lemma (* replace_cap_invs_arch_update *)[Finalise_AI_asms]: apply simp done -lemma dmo_tcb_cap_valid_ARCH [Finalise_AI_asms]: +lemma dmo_tcb_cap_valid_ARCH [Finalise_AI_assms]: "\\s. P (tcb_cap_valid cap ptr s)\ do_machine_op mop \\_ s. P (tcb_cap_valid cap ptr s)\" apply (simp add: tcb_cap_valid_def no_cap_to_obj_with_diff_ref_def) apply (rule hoare_pre) @@ -2094,7 +2094,7 @@ lemma dmo_tcb_cap_valid_ARCH [Finalise_AI_asms]: apply simp done -lemma (* dmo_replaceable_or_arch_update *) [Finalise_AI_asms,wp]: +lemma (* dmo_replaceable_or_arch_update *) [Finalise_AI_assms,wp]: "\\s. replaceable_or_arch_update s slot cap cap'\ do_machine_op mo \\r s. replaceable_or_arch_update s slot cap cap'\" 
@@ -2116,7 +2116,7 @@ interpretation Finalise_AI_3?: Finalise_AI_3 where replaceable_or_arch_update = replaceable_or_arch_update proof goal_cases interpret Arch . - case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_asms)?) + case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_assms)?) qed context Arch begin global_naming ARM_HYP @@ -2134,7 +2134,7 @@ interpretation Finalise_AI_4?: Finalise_AI_4 where replaceable_or_arch_update = replaceable_or_arch_update proof goal_cases interpret Arch . - case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_asms)?) + case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_assms)?) qed context Arch begin global_naming ARM_HYP @@ -2428,10 +2428,10 @@ lemma arch_finalise_cap_valid_cap [wp]: global_naming Arch -lemmas clearMemory_invs [wp,Finalise_AI_asms] +lemmas clearMemory_invs [wp,Finalise_AI_assms] = clearMemory_invs -lemma valid_idle_has_null_cap_ARCH[Finalise_AI_asms]: +lemma valid_idle_has_null_cap_ARCH[Finalise_AI_assms]: "\ if_unsafe_then_cap s; valid_global_refs s; valid_idle s; valid_irq_node s\ \ caps_of_state s (idle_thread s, v) = Some cap \ cap = NullCap" @@ -2447,7 +2447,7 @@ lemma valid_idle_has_null_cap_ARCH[Finalise_AI_asms]: apply (drule_tac x=word in spec, simp) done -lemma (* zombie_cap_two_nonidles *)[Finalise_AI_asms]: +lemma (* zombie_cap_two_nonidles *)[Finalise_AI_assms]: "\ caps_of_state s ptr = Some (Zombie ptr' zbits n); invs s \ \ fst ptr \ idle_thread s \ ptr' \ idle_thread s" apply (frule valid_global_refsD2, clarsimp+) @@ -2473,7 +2473,7 @@ interpretation Finalise_AI_5?: Finalise_AI_5 where replaceable_or_arch_update = replaceable_or_arch_update proof goal_cases interpret Arch . - case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_asms)?) + case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_assms)?) qed end 
diff --git a/proof/invariant-abstract/ARM_HYP/ArchInterrupt_AI.thy b/proof/invariant-abstract/ARM_HYP/ArchInterrupt_AI.thy index d193d18e47..45fa392485 100644 --- a/proof/invariant-abstract/ARM_HYP/ArchInterrupt_AI.thy +++ b/proof/invariant-abstract/ARM_HYP/ArchInterrupt_AI.thy @@ -23,16 +23,16 @@ primrec arch_irq_control_inv_valid_real :: defs arch_irq_control_inv_valid_def: "arch_irq_control_inv_valid \ arch_irq_control_inv_valid_real" -named_theorems Interrupt_AI_asms +named_theorems Interrupt_AI_assms -lemma (* decode_irq_control_invocation_inv *)[Interrupt_AI_asms]: +lemma (* decode_irq_control_invocation_inv *)[Interrupt_AI_assms]: "\P\ decode_irq_control_invocation label args slot caps \\rv. P\" apply (simp add: decode_irq_control_invocation_def Let_def arch_check_irq_def arch_decode_irq_control_invocation_def whenE_def, safe) apply (wp | simp)+ done -lemma decode_irq_control_valid [Interrupt_AI_asms]: +lemma decode_irq_control_valid [Interrupt_AI_assms]: "\\s. invs s \ (\cap \ set caps. s \ cap) \ (\cap \ set caps. is_cnode_cap cap \ (\r \ cte_refs cap (interrupt_irq_node s). ex_cte_cap_wp_to is_cnode_cap r s)) @@ -49,7 +49,7 @@ lemma decode_irq_control_valid [Interrupt_AI_asms]: apply (cases caps ; fastforce simp: cte_wp_at_eq_simp) done -lemma get_irq_slot_different_ARCH[Interrupt_AI_asms]: +lemma get_irq_slot_different_ARCH[Interrupt_AI_assms]: "\\s. valid_global_refs s \ ex_cte_cap_wp_to is_cnode_cap ptr s\ get_irq_slot irq \\rv s. rv \ ptr\" @@ -61,7 +61,7 @@ lemma get_irq_slot_different_ARCH[Interrupt_AI_asms]: apply (clarsimp simp: global_refs_def is_cap_simps cap_range_def) done -lemma is_derived_use_interrupt_ARCH[Interrupt_AI_asms]: +lemma is_derived_use_interrupt_ARCH[Interrupt_AI_assms]: "(is_ntfn_cap cap \ interrupt_derived cap cap') \ (is_derived m p cap cap')" apply (clarsimp simp: is_cap_simps) apply (clarsimp simp: interrupt_derived_def is_derived_def) 
@@ -69,15 +69,15 @@ lemma is_derived_use_interrupt_ARCH[Interrupt_AI_asms]: apply (simp add: is_cap_simps is_pt_cap_def vs_cap_ref_def) done -lemmas maskInterrupt_invs_ARCH[Interrupt_AI_asms] = maskInterrupt_invs +lemmas maskInterrupt_invs_ARCH[Interrupt_AI_assms] = maskInterrupt_invs -lemma no_cap_to_obj_with_diff_IRQHandler_ARCH[Interrupt_AI_asms]: +lemma no_cap_to_obj_with_diff_IRQHandler_ARCH[Interrupt_AI_assms]: "no_cap_to_obj_with_diff_ref (IRQHandlerCap irq) S = \" by (rule ext, simp add: no_cap_to_obj_with_diff_ref_def cte_wp_at_caps_of_state obj_ref_none_no_asid) -lemma (* set_irq_state_valid_cap *)[Interrupt_AI_asms]: +lemma (* set_irq_state_valid_cap *)[Interrupt_AI_assms]: "\valid_cap cap\ set_irq_state IRQSignal irq \\rv. valid_cap cap\" apply (clarsimp simp: set_irq_state_def) apply (wp do_machine_op_valid_cap) @@ -87,13 +87,13 @@ lemma (* set_irq_state_valid_cap *)[Interrupt_AI_asms]: done crunch set_irq_state - for valid_global_refs[Interrupt_AI_asms]: "valid_global_refs" + for valid_global_refs[Interrupt_AI_assms]: "valid_global_refs" crunch arch_invoke_irq_handler for typ_at[wp]: "\s. P (typ_at T p s)" and valid_list[wp]: valid_list -lemma invoke_irq_handler_invs'[Interrupt_AI_asms]: +lemma invoke_irq_handler_invs'[Interrupt_AI_assms]: assumes dmo_ex_inv[wp]: "\f. \invs and ex_inv\ do_machine_op f \\rv::unit. ex_inv\" assumes cap_insert_ex_inv[wp]: "\cap src dest. \ex_inv and invs and K (src \ dest)\ @@ -149,7 +149,7 @@ lemma invoke_irq_handler_invs'[Interrupt_AI_asms]: done qed -lemma (* invoke_irq_control_invs *) [Interrupt_AI_asms]: +lemma (* invoke_irq_control_invs *) [Interrupt_AI_assms]: "\invs and irq_control_inv_valid i\ invoke_irq_control i \\rv. invs\" apply (cases i, simp_all) apply (wp cap_insert_simple_invs 
@@ -174,7 +174,7 @@ lemma (* invoke_irq_control_invs *) [Interrupt_AI_asms]: crunch resetTimer for device_state_inv[wp]: "\ms. P (device_state ms)" -lemma resetTimer_invs_ARCH[Interrupt_AI_asms]: +lemma resetTimer_invs_ARCH[Interrupt_AI_assms]: "\invs\ do_machine_op resetTimer \\_. invs\" apply (wp dmo_invs) apply safe @@ -187,11 +187,11 @@ lemma resetTimer_invs_ARCH[Interrupt_AI_asms]: apply(erule use_valid, wp no_irq_resetTimer no_irq, assumption) done -lemma empty_fail_ackInterrupt_ARCH[Interrupt_AI_asms]: +lemma empty_fail_ackInterrupt_ARCH[Interrupt_AI_assms]: "empty_fail (ackInterrupt irq)" by (wp | simp add: ackInterrupt_def)+ -lemma empty_fail_maskInterrupt_ARCH[Interrupt_AI_asms]: +lemma empty_fail_maskInterrupt_ARCH[Interrupt_AI_assms]: "empty_fail (maskInterrupt f irq)" by (wp | simp add: maskInterrupt_def)+ @@ -254,7 +254,7 @@ lemma handle_reserved_irq_invs[wp]: "\invs\ handle_reserved_irq irq \\_. invs\" unfolding handle_reserved_irq_def by (wpsimp simp: non_kernel_IRQs_def) -lemma (* handle_interrupt_invs *) [Interrupt_AI_asms]: +lemma (* handle_interrupt_invs *) [Interrupt_AI_assms]: "\invs\ handle_interrupt irq \\_. invs\" apply (simp add: handle_interrupt_def) apply (rule conjI; rule impI) @@ -271,7 +271,7 @@ lemma (* handle_interrupt_invs *) [Interrupt_AI_asms]: | rule conjI)+ done -lemma sts_arch_irq_control_inv_valid[wp, Interrupt_AI_asms]: +lemma sts_arch_irq_control_inv_valid[wp, Interrupt_AI_assms]: "\arch_irq_control_inv_valid i\ set_thread_state t st \\rv. arch_irq_control_inv_valid i\" @@ -286,7 +286,7 @@ end interpretation Interrupt_AI?: Interrupt_AI proof goal_cases interpret Arch . - case 1 show ?case by (intro_locales; (unfold_locales, simp_all add: Interrupt_AI_asms)?) + case 1 show ?case by (intro_locales; (unfold_locales, simp_all add: Interrupt_AI_assms)?) qed end diff --git a/proof/invariant-abstract/ARM_HYP/ArchIpcCancel_AI.thy b/proof/invariant-abstract/ARM_HYP/ArchIpcCancel_AI.thy index 658ec7663e..04dc01db01 100644 
--- a/proof/invariant-abstract/ARM_HYP/ArchIpcCancel_AI.thy
+++ b/proof/invariant-abstract/ARM_HYP/ArchIpcCancel_AI.thy
@@ -10,11 +10,11 @@ begin context Arch begin global_naming ARM_HYP
-named_theorems IpcCancel_AI_asms
+named_theorems IpcCancel_AI_assms
 crunch arch_post_cap_deletion
- for typ_at[wp, IpcCancel_AI_asms]: "\s. P (typ_at T p s)"
- and idle_thread[wp, IpcCancel_AI_asms]: "\s. P (idle_thread s)"
+ for typ_at[wp, IpcCancel_AI_assms]: "\s. P (typ_at T p s)"
+ and idle_thread[wp, IpcCancel_AI_assms]: "\s. P (idle_thread s)"
 end
@@ -22,7 +22,7 @@ interpretation IpcCancel_AI?: IpcCancel_AI proof goal_cases interpret Arch . case 1 show ?case
- by (intro_locales; (unfold_locales; fact IpcCancel_AI_asms)?)
+ by (intro_locales; (unfold_locales; fact IpcCancel_AI_assms)?)
 qed
diff --git a/proof/invariant-abstract/ARM_HYP/ArchSchedule_AI.thy b/proof/invariant-abstract/ARM_HYP/ArchSchedule_AI.thy
index 296b00e0bf..f93a31d494 100644
--- a/proof/invariant-abstract/ARM_HYP/ArchSchedule_AI.thy
+++ b/proof/invariant-abstract/ARM_HYP/ArchSchedule_AI.thy
@@ -10,9 +10,9 @@ begin context Arch begin global_naming ARM_HYP
-named_theorems Schedule_AI_asms
+named_theorems Schedule_AI_assms
-lemma dmo_mapM_storeWord_0_invs[wp,Schedule_AI_asms]:
+lemma dmo_mapM_storeWord_0_invs[wp,Schedule_AI_assms]:
 "valid invs (do_machine_op (mapM (\p. storeWord p 0) S)) (\_. invs)" apply (simp add: dom_mapM ef_storeWord) apply (rule mapM_UNIV_wp)
@@ -41,17 +41,17 @@ lemma clearExMonitor_invs [wp]: global_naming Arch -lemma arch_stt_invs [wp,Schedule_AI_asms]: +lemma arch_stt_invs [wp,Schedule_AI_assms]: "\invs\ arch_switch_to_thread t' \\_. invs\" apply (wpsimp simp: arch_switch_to_thread_def) by (rule sym_refs_VCPU_hyp_live; fastforce) -lemma arch_stt_tcb [wp,Schedule_AI_asms]: +lemma arch_stt_tcb [wp,Schedule_AI_assms]: "\tcb_at t'\ arch_switch_to_thread t' \\_. tcb_at t'\" by (wpsimp simp: arch_switch_to_thread_def wp: tcb_at_typ_at) -lemma arch_stt_runnable[Schedule_AI_asms]: +lemma arch_stt_runnable[Schedule_AI_assms]: "\st_tcb_at runnable t\ arch_switch_to_thread t \\r. st_tcb_at runnable t\" by (wpsimp simp: arch_switch_to_thread_def) @@ -71,7 +71,7 @@ crunch and ct[wp]: "\s. P (cur_thread s)" (wp: mapM_x_wp mapM_wp subset_refl) -lemma arch_stit_invs[wp, Schedule_AI_asms]: +lemma arch_stit_invs[wp, Schedule_AI_assms]: "\invs\ arch_switch_to_idle_thread \\r. invs\" by (wpsimp wp: svr_invs simp: arch_switch_to_idle_thread_def) @@ -86,19 +86,19 @@ crunch set_vm_root and it[wp]: "\s. P (idle_thread s)" (simp: crunch_simps wp: hoare_drop_imps) -lemma arch_stit_activatable[wp, Schedule_AI_asms]: +lemma arch_stit_activatable[wp, Schedule_AI_assms]: "\ct_in_state activatable\ arch_switch_to_idle_thread \\rv . ct_in_state activatable\" apply (clarsimp simp: arch_switch_to_idle_thread_def) apply (wpsimp simp: ct_in_state_def wp: ct_in_state_thread_state_lift) done -lemma stit_invs [wp,Schedule_AI_asms]: +lemma stit_invs [wp,Schedule_AI_assms]: "\invs\ switch_to_idle_thread \\rv. invs\" apply (simp add: switch_to_idle_thread_def arch_switch_to_idle_thread_def) apply (wpsimp|strengthen idle_strg)+ done -lemma stit_activatable[Schedule_AI_asms]: +lemma stit_activatable[Schedule_AI_assms]: "\invs\ switch_to_idle_thread \\rv . ct_in_state activatable\" apply (simp add: switch_to_idle_thread_def arch_switch_to_idle_thread_def) apply (wp | simp add: ct_in_state_def)+ 
@@ -106,7 +106,7 @@ lemma stit_activatable[Schedule_AI_asms]: elim!: pred_tcb_weaken_strongerE) done
-lemma stt_invs [wp,Schedule_AI_asms]:
+lemma stt_invs [wp,Schedule_AI_assms]:
 "\invs\ switch_to_thread t' \\_. invs\" apply (simp add: switch_to_thread_def) apply wp
@@ -126,14 +126,14 @@ interpretation Schedule_AI_U?: Schedule_AI_U proof goal_cases interpret Arch . case 1 show ?case
- by (intro_locales; (unfold_locales; fact Schedule_AI_asms)?)
+ by (intro_locales; (unfold_locales; fact Schedule_AI_assms)?)
 qed interpretation Schedule_AI?: Schedule_AI proof goal_cases interpret Arch . case 1 show ?case
- by (intro_locales; (unfold_locales; fact Schedule_AI_asms)?)
+ by (intro_locales; (unfold_locales; fact Schedule_AI_assms)?)
 qed end
diff --git a/proof/invariant-abstract/ARM_HYP/ArchTcb_AI.thy b/proof/invariant-abstract/ARM_HYP/ArchTcb_AI.thy
index e6a5abc176..2fed220f2a 100644
--- a/proof/invariant-abstract/ARM_HYP/ArchTcb_AI.thy
+++ b/proof/invariant-abstract/ARM_HYP/ArchTcb_AI.thy
@@ -10,17 +10,17 @@ begin context Arch begin global_naming ARM_HYP
-named_theorems Tcb_AI_asms
+named_theorems Tcb_AI_assms
-lemma activate_idle_invs[Tcb_AI_asms]:
+lemma activate_idle_invs[Tcb_AI_assms]:
 "\invs and ct_idle\ arch_activate_idle_thread thread \\rv. invs and ct_idle\" by (simp add: arch_activate_idle_thread_def)
-lemma empty_fail_getRegister [intro!, simp, Tcb_AI_asms]:
+lemma empty_fail_getRegister [intro!, simp, Tcb_AI_assms]:
 "empty_fail (getRegister r)" by (simp add: getRegister_def)
@@ -37,7 +37,7 @@ lemma same_object_also_valid: (* arch specific *) split: cap.split_asm arch_cap.split_asm option.splits)+) done
-lemma same_object_obj_refs[Tcb_AI_asms]:
+lemma same_object_obj_refs[Tcb_AI_assms]:
 "\ same_object_as cap cap' \ \ obj_refs cap = obj_refs cap'" apply (cases cap, simp_all add: same_object_as_def)
@@ -135,13 +135,13 @@ lemma checked_insert_tcb_invs[wp]: (* arch specific *) done crunch arch_get_sanitise_register_info, arch_post_modify_registers - for tcb_at[wp, Tcb_AI_asms]: "tcb_at a" + for tcb_at[wp, Tcb_AI_assms]: "tcb_at a" crunch arch_get_sanitise_register_info, arch_post_modify_registers - for invs[wp, Tcb_AI_asms]: "invs" + for invs[wp, Tcb_AI_assms]: "invs" crunch arch_get_sanitise_register_info, arch_post_modify_registers - for ex_nonz_cap_to[wp, Tcb_AI_asms]: "ex_nonz_cap_to a" + for ex_nonz_cap_to[wp, Tcb_AI_assms]: "ex_nonz_cap_to a" -lemma finalise_cap_not_cte_wp_at[Tcb_AI_asms]: +lemma finalise_cap_not_cte_wp_at[Tcb_AI_assms]: assumes x: "P cap.NullCap" shows "\\s. \cp \ ran (caps_of_state s). P cp\ finalise_cap cap fin @@ -159,7 +159,7 @@ lemma finalise_cap_not_cte_wp_at[Tcb_AI_asms]: done -lemma table_cap_ref_max_free_index_upd[simp,Tcb_AI_asms]: +lemma table_cap_ref_max_free_index_upd[simp,Tcb_AI_assms]: "table_cap_ref (max_free_index_update cap) = table_cap_ref cap" by (simp add:free_index_update_def table_cap_ref_def split:cap.splits) @@ -167,7 +167,7 @@ lemma table_cap_ref_max_free_index_upd[simp,Tcb_AI_asms]: interpretation Tcb_AI_1? : Tcb_AI_1 where state_ext_t = state_ext_t and is_cnode_or_valid_arch = is_cnode_or_valid_arch -by (unfold_locales; fact Tcb_AI_asms) +by (unfold_locales; fact Tcb_AI_assms) lemma use_no_cap_to_obj_asid_strg: (* arch specific *) @@ -185,7 +185,7 @@ lemma use_no_cap_to_obj_asid_strg: (* arch specific *) done declare arch_cap_fun_lift_simps [simp del] -lemma cap_delete_no_cap_to_obj_asid[wp, Tcb_AI_asms]: +lemma cap_delete_no_cap_to_obj_asid[wp, Tcb_AI_assms]: "\no_cap_to_obj_dr_emp cap\ cap_delete slot \\rv. no_cap_to_obj_dr_emp cap\" @@ -214,7 +214,7 @@ lemma as_user_ipc_tcb_cap_valid4[wp]: apply (clarsimp simp: get_tcb_def) done -lemma tc_invs[Tcb_AI_asms]: +lemma tc_invs[Tcb_AI_assms]: "\invs and tcb_at a and (case_option \ (valid_cap o fst) e) and (case_option \ (valid_cap o fst) f) 
@@ -292,7 +292,7 @@ lemma check_valid_ipc_buffer_inv: (* arch_specific *) apply (wp | simp add: if_apply_def2 split del: if_split | wpcw)+ done -lemma check_valid_ipc_buffer_wp[Tcb_AI_asms]: +lemma check_valid_ipc_buffer_wp[Tcb_AI_assms]: "\\(s::'state_ext::state_ext state). is_arch_cap cap \ is_cnode_or_valid_arch cap \ valid_ipc_buffer_cap cap vptr \ is_aligned vptr msg_align_bits @@ -308,7 +308,7 @@ lemma check_valid_ipc_buffer_wp[Tcb_AI_asms]: valid_ipc_buffer_cap_def) done -lemma derive_no_cap_asid[wp,Tcb_AI_asms]: +lemma derive_no_cap_asid[wp,Tcb_AI_assms]: "\(no_cap_to_obj_with_diff_ref cap S)::'state_ext::state_ext state\bool\ derive_cap slot cap \\rv. no_cap_to_obj_with_diff_ref rv S\,-" @@ -322,7 +322,7 @@ lemma derive_no_cap_asid[wp,Tcb_AI_asms]: done -lemma decode_set_ipc_inv[wp,Tcb_AI_asms]: +lemma decode_set_ipc_inv[wp,Tcb_AI_assms]: "\P::'state_ext::state_ext state \ bool\ decode_set_ipc_buffer args cap slot excaps \\rv. P\" apply (simp add: decode_set_ipc_buffer_def whenE_def split_def @@ -331,7 +331,7 @@ lemma decode_set_ipc_inv[wp,Tcb_AI_asms]: apply simp done -lemma no_cap_to_obj_with_diff_ref_update_cap_data[Tcb_AI_asms]: +lemma no_cap_to_obj_with_diff_ref_update_cap_data[Tcb_AI_assms]: "no_cap_to_obj_with_diff_ref c S s \ no_cap_to_obj_with_diff_ref (update_cap_data P x c) S s" apply (case_tac "update_cap_data P x c = NullCap") @@ -348,7 +348,7 @@ lemma no_cap_to_obj_with_diff_ref_update_cap_data[Tcb_AI_asms]: done -lemma update_cap_valid[Tcb_AI_asms]: +lemma update_cap_valid[Tcb_AI_assms]: "valid_cap cap (s::'state_ext::state_ext state) \ valid_cap (case capdata of None \ cap_rights_update rs cap @@ -390,7 +390,7 @@ global_interpretation Tcb_AI?: Tcb_AI proof goal_cases interpret Arch . case 1 show ?case - by (unfold_locales; fact Tcb_AI_asms) + by (unfold_locales; fact Tcb_AI_assms) qed end diff --git a/proof/invariant-abstract/RISCV64/ArchAInvsPre.thy b/proof/invariant-abstract/RISCV64/ArchAInvsPre.thy index b9609db770..20e3ccdf61 100644 
--- a/proof/invariant-abstract/RISCV64/ArchAInvsPre.thy +++ b/proof/invariant-abstract/RISCV64/ArchAInvsPre.thy @@ -214,7 +214,7 @@ lemma device_frame_in_device_region: by (auto simp add: pspace_respects_device_region_def dom_def device_mem_def) global_naming Arch -named_theorems AInvsPre_asms +named_theorems AInvsPre_assms lemma get_vspace_of_thread_asid_or_global_pt: "(\asid. vspace_for_asid asid s = Some (get_vspace_of_thread (kheap s) (arch_state s) t)) @@ -222,7 +222,7 @@ lemma get_vspace_of_thread_asid_or_global_pt: by (auto simp: get_vspace_of_thread_def split: option.split kernel_object.split cap.split arch_cap.split) -lemma ptable_rights_imp_frame[AInvsPre_asms]: +lemma ptable_rights_imp_frame[AInvsPre_assms]: assumes "valid_state s" shows "\ ptable_rights t s x \ {}; ptable_lift t s x = Some (addrFromPPtr y) \ \ in_user_frame y s \ in_device_frame y s" @@ -264,7 +264,7 @@ end interpretation AInvsPre?: AInvsPre proof goal_cases interpret Arch . - case 1 show ?case by (intro_locales; (unfold_locales; fact AInvsPre_asms)?) + case 1 show ?case by (intro_locales; (unfold_locales; fact AInvsPre_assms)?) qed requalify_facts diff --git a/proof/invariant-abstract/RISCV64/ArchDetype_AI.thy b/proof/invariant-abstract/RISCV64/ArchDetype_AI.thy index c8dc4f125b..38b49ffa7e 100644 --- a/proof/invariant-abstract/RISCV64/ArchDetype_AI.thy +++ b/proof/invariant-abstract/RISCV64/ArchDetype_AI.thy @@ -10,16 +10,16 @@ begin context Arch begin global_naming RISCV64 -named_theorems Detype_AI_asms +named_theorems Detype_AI_assms -lemma valid_globals_irq_node[Detype_AI_asms]: +lemma valid_globals_irq_node[Detype_AI_assms]: "\ valid_global_refs s; cte_wp_at ((=) cap) ptr s \ \ interrupt_irq_node s irq \ cap_range cap" apply (erule(1) valid_global_refsD) apply (simp add: global_refs_def) done -lemma caps_of_state_ko[Detype_AI_asms]: +lemma caps_of_state_ko[Detype_AI_assms]: "valid_cap cap s \ is_untyped_cap cap \ cap_range cap = {} \ 
@@ -33,7 +33,7 @@ lemma caps_of_state_ko[Detype_AI_asms]: split: option.splits if_splits)+ done -lemma mapM_x_storeWord[Detype_AI_asms]: +lemma mapM_x_storeWord[Detype_AI_assms]: (* FIXME: taken from Retype_C.thy and adapted wrt. the missing intvl syntax. *) assumes al: "is_aligned ptr word_size_bits" shows "mapM_x (\x. storeWord (ptr + of_nat x * word_size) 0) [0..x. if x \ S then {} else state_hyp_refs_of s x)" by (rule ext, simp add: state_hyp_refs_of_def detype_def) -lemma valid_ioports_detype[Detype_AI_asms]: +lemma valid_ioports_detype[Detype_AI_assms]: "valid_ioports s \ valid_ioports (detype (untyped_range cap) s)" by simp @@ -117,7 +117,7 @@ interpretation Detype_AI?: Detype_AI proof goal_cases interpret Arch . case 1 show ?case - by (intro_locales; (unfold_locales; fact Detype_AI_asms)?) + by (intro_locales; (unfold_locales; fact Detype_AI_assms)?) qed context detype_locale_arch begin diff --git a/proof/invariant-abstract/RISCV64/ArchFinalise_AI.thy b/proof/invariant-abstract/RISCV64/ArchFinalise_AI.thy index 655652f695..24f036acec 100644 --- a/proof/invariant-abstract/RISCV64/ArchFinalise_AI.thy +++ b/proof/invariant-abstract/RISCV64/ArchFinalise_AI.thy @@ -10,13 +10,13 @@ begin context Arch begin -named_theorems Finalise_AI_asms +named_theorems Finalise_AI_assms crunch prepare_thread_delete for caps_of_state[wp]: "\s. P (caps_of_state s)" (wp: crunch_wps) -declare prepare_thread_delete_caps_of_state [Finalise_AI_asms] +declare prepare_thread_delete_caps_of_state [Finalise_AI_assms] global_naming RISCV64 
@@ -162,17 +162,17 @@ lemma unmap_page_tcb_cap_valid: global_naming Arch -lemma (* replaceable_cdt_update *)[simp,Finalise_AI_asms]: +lemma (* replaceable_cdt_update *)[simp,Finalise_AI_assms]: "replaceable (cdt_update f s) = replaceable s" by (fastforce simp: replaceable_def tcb_cap_valid_def reachable_frame_cap_def reachable_target_def) -lemma (* replaceable_revokable_update *)[simp,Finalise_AI_asms]: +lemma (* replaceable_revokable_update *)[simp,Finalise_AI_assms]: "replaceable (is_original_cap_update f s) = replaceable s" by (fastforce simp: replaceable_def is_final_cap'_def2 tcb_cap_valid_def reachable_frame_cap_def reachable_target_def) -lemma (* replaceable_more_update *) [simp,Finalise_AI_asms]: +lemma (* replaceable_more_update *) [simp,Finalise_AI_assms]: "replaceable (trans_state f s) sl cap cap' = replaceable s sl cap cap'" by (simp add: replaceable_def reachable_frame_cap_def reachable_target_def) @@ -184,9 +184,9 @@ lemma reachable_frame_cap_trans_state[simp]: "reachable_frame_cap cap (trans_state f s) = reachable_frame_cap cap s" by (simp add: reachable_frame_cap_def) -lemmas [Finalise_AI_asms] = obj_refs_obj_ref_of (* used under name obj_ref_ofI *) +lemmas [Finalise_AI_assms] = obj_refs_obj_ref_of (* used under name obj_ref_ofI *) -lemma (* empty_slot_invs *) [Finalise_AI_asms]: +lemma (* empty_slot_invs *) [Finalise_AI_assms]: "\\s. invs s \ cte_wp_at (replaceable s sl cap.NullCap) sl s \ emptyable sl s \ (info \ NullCap \ post_cap_delete_pre info ((caps_of_state s) (sl \ NullCap)))\ @@ -266,7 +266,7 @@ lemma (* empty_slot_invs *) [Finalise_AI_asms]: apply (simp add: is_final_cap'_def2 cte_wp_at_caps_of_state) by fastforce -lemma dom_tcb_cap_cases_lt_ARCH [Finalise_AI_asms]: +lemma dom_tcb_cap_cases_lt_ARCH [Finalise_AI_assms]: "dom tcb_cap_cases = {xs. length xs = 3 \ unat (of_bl xs :: machine_word) < 5}" apply (rule set_eqI, rule iffI) apply clarsimp 
@@ -276,7 +276,7 @@ lemma dom_tcb_cap_cases_lt_ARCH [Finalise_AI_asms]: apply (clarsimp simp: nat_to_cref_unat_of_bl') done -lemma (* unbind_notification_final *) [wp,Finalise_AI_asms]: +lemma (* unbind_notification_final *) [wp,Finalise_AI_assms]: "\is_final_cap' cap\ unbind_notification t \ \rv. is_final_cap' cap\" unfolding unbind_notification_def apply (wp final_cap_lift thread_set_caps_of_state_trivial hoare_drop_imps @@ -309,7 +309,7 @@ lemma length_and_unat_of_bl_length: "(length xs = x \ unat (of_bl xs :: 'a::len word) < 2 ^ x) = (length xs = x)" by (auto simp: unat_of_bl_length) -lemma (* finalise_cap_cases1 *)[Finalise_AI_asms]: +lemma (* finalise_cap_cases1 *)[Finalise_AI_assms]: "\\s. final \ is_final_cap' cap s \ cte_wp_at ((=) cap) slot s\ finalise_cap cap final @@ -343,12 +343,12 @@ crunch arch_thread_set (wp: crunch_wps set_object_typ_at) crunch arch_finalise_cap - for typ_at[wp,Finalise_AI_asms]: "\s. P (typ_at T p s)" + for typ_at[wp,Finalise_AI_assms]: "\s. P (typ_at T p s)" (wp: crunch_wps simp: crunch_simps unless_def assertE_def ignore: maskInterrupt set_object) crunch prepare_thread_delete - for typ_at[wp,Finalise_AI_asms]: "\s. P (typ_at T p s)" + for typ_at[wp,Finalise_AI_assms]: "\s. P (typ_at T p s)" crunch arch_thread_set for tcb_at[wp]: "\s. tcb_at p s" @@ -360,7 +360,7 @@ crunch arch_thread_get crunch prepare_thread_delete for tcb_at[wp]: "\s. tcb_at p s" -lemma (* finalise_cap_new_valid_cap *)[wp,Finalise_AI_asms]: +lemma (* finalise_cap_new_valid_cap *)[wp,Finalise_AI_assms]: "\valid_cap cap\ finalise_cap cap x \\rv. valid_cap (fst rv)\" apply (cases cap; simp) apply (wp suspend_valid_cap prepare_thread_delete_typ_at 
@@ -639,7 +639,7 @@ lemma as_user_valid_ioc[wp]: "\valid_ioc\ as_user t f \\rv. valid_ioc\" unfolding valid_ioc_def by (wpsimp wp: hoare_vcg_imp_lift hoare_vcg_all_lift) -lemma arch_finalise_cap_invs' [wp,Finalise_AI_asms]: +lemma arch_finalise_cap_invs' [wp,Finalise_AI_assms]: "\invs and valid_cap (ArchObjectCap cap)\ arch_finalise_cap cap final \\rv. invs\" @@ -656,7 +656,7 @@ lemma as_user_unlive[wp]: apply (wpsimp wp: set_object_wp) by (clarsimp simp: obj_at_def live_def hyp_live_def arch_tcb_context_set_def dest!: get_tcb_SomeD) -lemma obj_at_not_live_valid_arch_cap_strg [Finalise_AI_asms]: +lemma obj_at_not_live_valid_arch_cap_strg [Finalise_AI_assms]: "(s \ ArchObjectCap cap \ aobj_ref cap = Some r) \ obj_at (\ko. \ live ko) r s" by (clarsimp simp: valid_cap_def obj_at_def valid_arch_cap_ref_def @@ -826,7 +826,7 @@ lemma arch_finalise_cap_replaceable: global_naming Arch -lemma (* deleting_irq_handler_slot_not_irq_node *)[Finalise_AI_asms]: +lemma (* deleting_irq_handler_slot_not_irq_node *)[Finalise_AI_assms]: "\if_unsafe_then_cap and valid_global_refs and cte_wp_at (\cp. cap_irqs cp \ {}) sl\ deleting_irq_handler irq @@ -847,7 +847,7 @@ lemma (* deleting_irq_handler_slot_not_irq_node *)[Finalise_AI_asms]: apply (clarsimp simp: appropriate_cte_cap_def split: cap.split_asm) done -lemma no_cap_to_obj_with_diff_ref_finalI_ARCH[Finalise_AI_asms]: +lemma no_cap_to_obj_with_diff_ref_finalI_ARCH[Finalise_AI_assms]: "\ cte_wp_at ((=) cap) p s; is_final_cap' cap s; obj_refs cap' = obj_refs cap \ \ no_cap_to_obj_with_diff_ref cap' {p} s" @@ -869,7 +869,7 @@ lemma no_cap_to_obj_with_diff_ref_finalI_ARCH[Finalise_AI_asms]: gen_obj_refs_Int) done -lemma (* suspend_no_cap_to_obj_ref *)[wp,Finalise_AI_asms]: +lemma (* suspend_no_cap_to_obj_ref *)[wp,Finalise_AI_assms]: "\no_cap_to_obj_with_diff_ref cap S\ suspend t \\rv. no_cap_to_obj_with_diff_ref cap S\" 
@@ -903,7 +903,7 @@ lemma prepare_thread_delete_unlive[wp]: apply (clarsimp simp: obj_at_def, case_tac ko, simp_all add: is_tcb_def live_def) done -lemma finalise_cap_replaceable [Finalise_AI_asms]: +lemma finalise_cap_replaceable [Finalise_AI_assms]: "\\s. s \ cap \ x = is_final_cap' cap s \ valid_mdb s \ cte_wp_at ((=) cap) sl s \ valid_objs s \ sym_refs (state_refs_of s) \ (cap_irqs cap \ {} \ if_unsafe_then_cap s \ valid_global_refs s) @@ -954,7 +954,7 @@ lemma finalise_cap_replaceable [Finalise_AI_asms]: | simp add: valid_cap_simps is_nondevice_page_cap_simps)+)) done -lemma (* deleting_irq_handler_cte_preserved *)[Finalise_AI_asms]: +lemma (* deleting_irq_handler_cte_preserved *)[Finalise_AI_assms]: assumes x: "\cap. P cap \ \ can_fast_finalise cap" shows "\cte_wp_at P p\ deleting_irq_handler irq \\rv. cte_wp_at P p\" apply (simp add: deleting_irq_handler_def) @@ -973,10 +973,10 @@ lemma arch_thread_set_cte_wp_at[wp]: done crunch prepare_thread_delete - for cte_wp_at[wp,Finalise_AI_asms]: "\s. P (cte_wp_at P' p s)" + for cte_wp_at[wp,Finalise_AI_assms]: "\s. P (cte_wp_at P' p s)" crunch arch_finalise_cap - for cte_wp_at[wp,Finalise_AI_asms]: "\s. P (cte_wp_at P' p s)" + for cte_wp_at[wp,Finalise_AI_assms]: "\s. P (cte_wp_at P' p s)" (simp: crunch_simps assertE_def wp: crunch_wps set_object_cte_at ignore: arch_thread_set) end @@ -984,7 +984,7 @@ end interpretation Finalise_AI_1?: Finalise_AI_1 proof goal_cases interpret Arch . - case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_asms)?) + case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_assms)?) qed context Arch begin global_naming RISCV64 
@@ -1009,7 +1009,7 @@ lemma fast_finalise_replaceable[wp]: done global_naming Arch -lemma (* cap_delete_one_invs *) [Finalise_AI_asms,wp]: +lemma (* cap_delete_one_invs *) [Finalise_AI_assms,wp]: "\invs and emptyable ptr\ cap_delete_one ptr \\rv. invs\" apply (simp add: cap_delete_one_def unless_def is_final_cap_def) apply (rule hoare_pre) @@ -1023,13 +1023,13 @@ end interpretation Finalise_AI_2?: Finalise_AI_2 proof goal_cases interpret Arch . - case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_asms)?) + case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_assms)?) qed context Arch begin global_naming RISCV64 crunch prepare_thread_delete - for irq_node[Finalise_AI_asms,wp]: "\s. P (interrupt_irq_node s)" + for irq_node[Finalise_AI_assms,wp]: "\s. P (interrupt_irq_node s)" crunch arch_finalise_cap for irq_node[wp]: "\s. P (interrupt_irq_node s)" @@ -1160,7 +1160,7 @@ crunch prepare_thread_delete for invs[wp]: invs (ignore: set_object) -lemma (* finalise_cap_invs *)[Finalise_AI_asms]: +lemma (* finalise_cap_invs *)[Finalise_AI_assms]: shows "\invs and cte_wp_at ((=) cap) slot\ finalise_cap cap x \\rv. invs\" apply (cases cap, simp_all split del: if_split) apply (wp cancel_all_ipc_invs cancel_all_signals_invs unbind_notification_invs 
@@ -1177,16 +1177,16 @@ lemma (* finalise_cap_invs *)[Finalise_AI_asms]: apply (auto dest: cte_wp_at_valid_objs_valid_cap) done -lemma (* finalise_cap_irq_node *)[Finalise_AI_asms]: +lemma (* finalise_cap_irq_node *)[Finalise_AI_assms]: "\\s. P (interrupt_irq_node s)\ finalise_cap a b \\_ s. P (interrupt_irq_node s)\" apply (case_tac a,simp_all) apply (wp | clarsimp)+ done -lemmas (*arch_finalise_cte_irq_node *) [wp,Finalise_AI_asms] +lemmas (*arch_finalise_cte_irq_node *) [wp,Finalise_AI_assms] = hoare_use_eq_irq_node [OF arch_finalise_cap_irq_node arch_finalise_cap_cte_wp_at] -lemma (* deleting_irq_handler_st_tcb_at *) [Finalise_AI_asms]: +lemma (* deleting_irq_handler_st_tcb_at *) [Finalise_AI_assms]: "\st_tcb_at P t and K (\st. simple st \ P st)\ deleting_irq_handler irq \\rv. st_tcb_at P t\" @@ -1195,11 +1195,11 @@ lemma (* deleting_irq_handler_st_tcb_at *) [Finalise_AI_asms]: apply simp done -lemma irq_node_global_refs_ARCH [Finalise_AI_asms]: +lemma irq_node_global_refs_ARCH [Finalise_AI_assms]: "interrupt_irq_node s irq \ global_refs s" by (simp add: global_refs_def) -lemma (* get_irq_slot_fast_finalisable *)[wp,Finalise_AI_asms]: +lemma (* get_irq_slot_fast_finalisable *)[wp,Finalise_AI_assms]: "\invs\ get_irq_slot irq \cte_wp_at can_fast_finalise\" apply (simp add: get_irq_slot_def) apply wp @@ -1221,12 +1221,12 @@ lemma (* get_irq_slot_fast_finalisable *)[wp,Finalise_AI_asms]: apply (clarsimp simp: cap_range_def) done -lemma (* replaceable_or_arch_update_same *) [Finalise_AI_asms]: +lemma (* replaceable_or_arch_update_same *) [Finalise_AI_assms]: "replaceable_or_arch_update s slot cap cap" by (clarsimp simp: replaceable_or_arch_update_def replaceable_def is_arch_update_def is_cap_simps) -lemma (* replace_cap_invs_arch_update *)[Finalise_AI_asms]: +lemma (* replace_cap_invs_arch_update *)[Finalise_AI_assms]: "\\s. cte_wp_at (replaceable_or_arch_update s p cap) p s \ invs s \ cap \ cap.NullCap 
@@ -1251,7 +1251,7 @@ lemma dmo_pred_tcb_at[wp]: apply (clarsimp simp: pred_tcb_at_def obj_at_def) done -lemma dmo_tcb_cap_valid_ARCH [Finalise_AI_asms]: +lemma dmo_tcb_cap_valid_ARCH [Finalise_AI_assms]: "do_machine_op mop \\s. P (tcb_cap_valid cap ptr s)\" apply (simp add: tcb_cap_valid_def no_cap_to_obj_with_diff_ref_def) apply (wp_pre, wps, rule hoare_vcg_prop) @@ -1269,7 +1269,7 @@ lemma dmo_reachable_target[wp]: apply simp done -lemma (* dmo_replaceable_or_arch_update *) [Finalise_AI_asms,wp]: +lemma (* dmo_replaceable_or_arch_update *) [Finalise_AI_assms,wp]: "\\s. replaceable_or_arch_update s slot cap cap'\ do_machine_op mo \\r s. replaceable_or_arch_update s slot cap cap'\" @@ -1290,7 +1290,7 @@ interpretation Finalise_AI_3?: Finalise_AI_3 where replaceable_or_arch_update = replaceable_or_arch_update proof goal_cases interpret Arch . - case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_asms)?) + case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_assms)?) qed context Arch begin global_naming RISCV64 @@ -1308,7 +1308,7 @@ interpretation Finalise_AI_4?: Finalise_AI_4 where replaceable_or_arch_update = replaceable_or_arch_update proof goal_cases interpret Arch . - case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_asms)?) + case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_assms)?) qed context Arch begin global_naming RISCV64 @@ -1347,9 +1347,9 @@ lemma arch_finalise_cap_valid_cap[wp]: global_naming Arch -lemmas clearMemory_invs[wp,Finalise_AI_asms] = clearMemory_invs +lemmas clearMemory_invs[wp,Finalise_AI_assms] = clearMemory_invs -lemma valid_idle_has_null_cap_ARCH[Finalise_AI_asms]: +lemma valid_idle_has_null_cap_ARCH[Finalise_AI_assms]: "\ if_unsafe_then_cap s; valid_global_refs s; valid_idle s; valid_irq_node s; caps_of_state s (idle_thread s, v) = Some cap \ \ cap = NullCap" 
@@ -1365,7 +1365,7 @@ lemma valid_idle_has_null_cap_ARCH[Finalise_AI_asms]: apply (drule_tac x=word in spec, simp) done -lemma (* zombie_cap_two_nonidles *)[Finalise_AI_asms]: +lemma (* zombie_cap_two_nonidles *)[Finalise_AI_assms]: "\ caps_of_state s ptr = Some (Zombie ptr' zbits n); invs s \ \ fst ptr \ idle_thread s \ ptr' \ idle_thread s" apply (frule valid_global_refsD2, clarsimp+) @@ -1391,7 +1391,7 @@ interpretation Finalise_AI_5?: Finalise_AI_5 where replaceable_or_arch_update = replaceable_or_arch_update proof goal_cases interpret Arch . - case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_asms)?) + case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_assms)?) qed end diff --git a/proof/invariant-abstract/RISCV64/ArchInterrupt_AI.thy b/proof/invariant-abstract/RISCV64/ArchInterrupt_AI.thy index 62e1bc469d..818c7c6062 100644 --- a/proof/invariant-abstract/RISCV64/ArchInterrupt_AI.thy +++ b/proof/invariant-abstract/RISCV64/ArchInterrupt_AI.thy @@ -23,16 +23,16 @@ primrec arch_irq_control_inv_valid_real :: defs arch_irq_control_inv_valid_def: "arch_irq_control_inv_valid \ arch_irq_control_inv_valid_real" -named_theorems Interrupt_AI_asms +named_theorems Interrupt_AI_assms -lemma (* decode_irq_control_invocation_inv *)[Interrupt_AI_asms]: +lemma (* decode_irq_control_invocation_inv *)[Interrupt_AI_assms]: "\P\ decode_irq_control_invocation label args slot caps \\rv. P\" apply (simp add: decode_irq_control_invocation_def Let_def arch_check_irq_def arch_decode_irq_control_invocation_def whenE_def, safe) apply (wp | simp)+ done -lemma decode_irq_control_valid [Interrupt_AI_asms]: +lemma decode_irq_control_valid [Interrupt_AI_assms]: "\\s. invs s \ (\cap \ set caps. s \ cap) \ (\cap \ set caps. is_cnode_cap cap \ (\r \ cte_refs cap (interrupt_irq_node s). ex_cte_cap_wp_to is_cnode_cap r s)) 
@@ -54,7 +54,7 @@ lemma decode_irq_control_valid [Interrupt_AI_asms]: apply fast done -lemma get_irq_slot_different_ARCH[Interrupt_AI_asms]: +lemma get_irq_slot_different_ARCH[Interrupt_AI_assms]: "\\s. valid_global_refs s \ ex_cte_cap_wp_to is_cnode_cap ptr s\ get_irq_slot irq \\rv s. rv \ ptr\" @@ -66,7 +66,7 @@ lemma get_irq_slot_different_ARCH[Interrupt_AI_asms]: apply (clarsimp simp: global_refs_def is_cap_simps cap_range_def) done -lemma is_derived_use_interrupt_ARCH[Interrupt_AI_asms]: +lemma is_derived_use_interrupt_ARCH[Interrupt_AI_assms]: "(is_ntfn_cap cap \ interrupt_derived cap cap') \ (is_derived m p cap cap')" apply (clarsimp simp: is_cap_simps) apply (clarsimp simp: interrupt_derived_def is_derived_def) @@ -74,7 +74,7 @@ lemma is_derived_use_interrupt_ARCH[Interrupt_AI_asms]: apply (simp add: is_cap_simps is_pt_cap_def vs_cap_ref_def) done -lemma maskInterrupt_invs_ARCH[Interrupt_AI_asms]: +lemma maskInterrupt_invs_ARCH[Interrupt_AI_assms]: "\invs and (\s. \b \ interrupt_states s irq \ IRQInactive)\ do_machine_op (maskInterrupt b irq) \\rv. invs\" @@ -94,13 +94,13 @@ lemma dmo_plic_complete_claim[wp]: apply (auto simp: plic_complete_claim_def machine_op_lift_def machine_rest_lift_def in_monad select_f_def) done -lemma no_cap_to_obj_with_diff_IRQHandler_ARCH[Interrupt_AI_asms]: +lemma no_cap_to_obj_with_diff_IRQHandler_ARCH[Interrupt_AI_assms]: "no_cap_to_obj_with_diff_ref (IRQHandlerCap irq) S = \" by (rule ext, simp add: no_cap_to_obj_with_diff_ref_def cte_wp_at_caps_of_state obj_ref_none_no_asid) -lemma (* set_irq_state_valid_cap *)[Interrupt_AI_asms]: +lemma (* set_irq_state_valid_cap *)[Interrupt_AI_assms]: "\valid_cap cap\ set_irq_state IRQSignal irq \\rv. valid_cap cap\" apply (clarsimp simp: set_irq_state_def) apply (wp do_machine_op_valid_cap) 
@@ -110,9 +110,9 @@ lemma (* set_irq_state_valid_cap *)[Interrupt_AI_asms]: done crunch set_irq_state - for valid_global_refs[Interrupt_AI_asms]: "valid_global_refs" + for valid_global_refs[Interrupt_AI_assms]: "valid_global_refs" -lemma invoke_irq_handler_invs'[Interrupt_AI_asms]: +lemma invoke_irq_handler_invs'[Interrupt_AI_assms]: assumes dmo_ex_inv[wp]: "\f. \invs and ex_inv\ do_machine_op f \\rv::unit. ex_inv\" assumes cap_insert_ex_inv[wp]: "\cap src dest. \ex_inv and invs and K (src \ dest)\ @@ -168,7 +168,7 @@ lemma invoke_irq_handler_invs'[Interrupt_AI_asms]: done qed -lemma (* invoke_irq_control_invs *) [Interrupt_AI_asms]: +lemma (* invoke_irq_control_invs *) [Interrupt_AI_assms]: "\invs and irq_control_inv_valid i\ invoke_irq_control i \\rv. invs\" apply (cases i, simp_all) apply (wp cap_insert_simple_invs @@ -192,7 +192,7 @@ lemma (* invoke_irq_control_invs *) [Interrupt_AI_asms]: crunch resetTimer for device_state_inv[wp]: "\ms. P (device_state ms)" -lemma resetTimer_invs_ARCH[Interrupt_AI_asms]: +lemma resetTimer_invs_ARCH[Interrupt_AI_assms]: "\invs\ do_machine_op resetTimer \\_. invs\" apply (wp dmo_invs) apply safe @@ -205,11 +205,11 @@ lemma resetTimer_invs_ARCH[Interrupt_AI_asms]: apply(erule use_valid, wp no_irq_resetTimer no_irq, assumption) done -lemma empty_fail_ackInterrupt_ARCH[Interrupt_AI_asms]: +lemma empty_fail_ackInterrupt_ARCH[Interrupt_AI_assms]: "empty_fail (ackInterrupt irq)" by (wp | simp add: ackInterrupt_def)+ -lemma empty_fail_maskInterrupt_ARCH[Interrupt_AI_asms]: +lemma empty_fail_maskInterrupt_ARCH[Interrupt_AI_assms]: "empty_fail (maskInterrupt f irq)" by (wp | simp add: maskInterrupt_def)+ 
@@ -236,7 +236,7 @@ lemma handle_reserved_irq_invs[wp]: "\invs\ handle_reserved_irq irq \\_. invs\" unfolding handle_reserved_irq_def by (wpsimp simp: non_kernel_IRQs_def) -lemma (* handle_interrupt_invs *) [Interrupt_AI_asms]: +lemma (* handle_interrupt_invs *) [Interrupt_AI_assms]: "\invs\ handle_interrupt irq \\_. invs\" apply (simp add: handle_interrupt_def) apply (rule conjI; rule impI) @@ -253,7 +253,7 @@ lemma (* handle_interrupt_invs *) [Interrupt_AI_asms]: | rule conjI)+ done -lemma sts_arch_irq_control_inv_valid[wp, Interrupt_AI_asms]: +lemma sts_arch_irq_control_inv_valid[wp, Interrupt_AI_assms]: "\arch_irq_control_inv_valid i\ set_thread_state t st \\rv. arch_irq_control_inv_valid i\" @@ -270,7 +270,7 @@ end interpretation Interrupt_AI?: Interrupt_AI proof goal_cases interpret Arch . - case 1 show ?case by (intro_locales; (unfold_locales, simp_all add: Interrupt_AI_asms)?) + case 1 show ?case by (intro_locales; (unfold_locales, simp_all add: Interrupt_AI_assms)?) qed end diff --git a/proof/invariant-abstract/RISCV64/ArchIpcCancel_AI.thy b/proof/invariant-abstract/RISCV64/ArchIpcCancel_AI.thy index 84a5cdca86..d8d0f9b2c7 100644 --- a/proof/invariant-abstract/RISCV64/ArchIpcCancel_AI.thy +++ b/proof/invariant-abstract/RISCV64/ArchIpcCancel_AI.thy @@ -10,11 +10,11 @@ begin context Arch begin global_naming RISCV64 -named_theorems IpcCancel_AI_asms +named_theorems IpcCancel_AI_assms crunch arch_post_cap_deletion - for typ_at[wp, IpcCancel_AI_asms]: "\s. P (typ_at T p s)" - and idle_thread[wp, IpcCancel_AI_asms]: "\s. P (idle_thread s)" + for typ_at[wp, IpcCancel_AI_assms]: "\s. P (typ_at T p s)" + and idle_thread[wp, IpcCancel_AI_assms]: "\s. P (idle_thread s)" end @@ -22,7 +22,7 @@ interpretation IpcCancel_AI?: IpcCancel_AI proof goal_cases interpret Arch . case 1 show ?case - by (intro_locales; (unfold_locales; fact IpcCancel_AI_asms)?) + by (intro_locales; (unfold_locales; fact IpcCancel_AI_assms)?) qed 
diff --git a/proof/invariant-abstract/RISCV64/ArchSchedule_AI.thy b/proof/invariant-abstract/RISCV64/ArchSchedule_AI.thy index 24d12b1b3f..d7e6e25eb2 100644 --- a/proof/invariant-abstract/RISCV64/ArchSchedule_AI.thy +++ b/proof/invariant-abstract/RISCV64/ArchSchedule_AI.thy @@ -10,9 +10,9 @@ begin context Arch begin global_naming RISCV64 -named_theorems Schedule_AI_asms +named_theorems Schedule_AI_assms -lemma dmo_mapM_storeWord_0_invs[wp,Schedule_AI_asms]: +lemma dmo_mapM_storeWord_0_invs[wp,Schedule_AI_assms]: "do_machine_op (mapM (\p. storeWord p 0) S) \invs\" apply (simp add: dom_mapM ef_storeWord) apply (rule mapM_UNIV_wp) @@ -29,19 +29,19 @@ lemma dmo_mapM_storeWord_0_invs[wp,Schedule_AI_asms]: global_naming Arch -lemma arch_stt_invs [wp,Schedule_AI_asms]: +lemma arch_stt_invs [wp,Schedule_AI_assms]: "\invs\ arch_switch_to_thread t' \\_. invs\" apply (simp add: arch_switch_to_thread_def) apply wp done -lemma arch_stt_tcb [wp,Schedule_AI_asms]: +lemma arch_stt_tcb [wp,Schedule_AI_assms]: "\tcb_at t'\ arch_switch_to_thread t' \\_. tcb_at t'\" apply (simp add: arch_switch_to_thread_def) apply (wp) done -lemma arch_stt_runnable[Schedule_AI_asms]: +lemma arch_stt_runnable[Schedule_AI_assms]: "\st_tcb_at runnable t\ arch_switch_to_thread t \\r . st_tcb_at runnable t\" apply (simp add: arch_switch_to_thread_def) apply wp @@ -52,7 +52,7 @@ lemma idle_strg: by (clarsimp simp: invs_def valid_state_def valid_idle_def cur_tcb_def pred_tcb_at_def valid_machine_state_def obj_at_def is_tcb_def) -lemma arch_stit_invs[wp, Schedule_AI_asms]: +lemma arch_stit_invs[wp, Schedule_AI_assms]: "\invs\ arch_switch_to_idle_thread \\r. invs\" by (wpsimp simp: arch_switch_to_idle_thread_def) 
@@ -67,19 +67,19 @@ crunch set_vm_root and it[wp]: "\s. P (idle_thread s)" (simp: crunch_simps wp: hoare_drop_imps) -lemma arch_stit_activatable[wp, Schedule_AI_asms]: +lemma arch_stit_activatable[wp, Schedule_AI_assms]: "\ct_in_state activatable\ arch_switch_to_idle_thread \\rv . ct_in_state activatable\" apply (clarsimp simp: arch_switch_to_idle_thread_def) apply (wpsimp simp: ct_in_state_def wp: ct_in_state_thread_state_lift) done -lemma stit_invs [wp,Schedule_AI_asms]: +lemma stit_invs [wp,Schedule_AI_assms]: "\invs\ switch_to_idle_thread \\rv. invs\" apply (simp add: switch_to_idle_thread_def arch_switch_to_idle_thread_def) apply (wpsimp|strengthen idle_strg)+ done -lemma stit_activatable[Schedule_AI_asms]: +lemma stit_activatable[Schedule_AI_assms]: "\invs\ switch_to_idle_thread \\rv . ct_in_state activatable\" apply (simp add: switch_to_idle_thread_def arch_switch_to_idle_thread_def) apply (wp | simp add: ct_in_state_def)+ @@ -87,7 +87,7 @@ lemma stit_activatable[Schedule_AI_asms]: elim!: pred_tcb_weaken_strongerE) done -lemma stt_invs [wp,Schedule_AI_asms]: +lemma stt_invs [wp,Schedule_AI_assms]: "\invs\ switch_to_thread t' \\_. invs\" apply (simp add: switch_to_thread_def) apply wp @@ -107,14 +107,14 @@ interpretation Schedule_AI_U?: Schedule_AI_U proof goal_cases interpret Arch . case 1 show ?case - by (intro_locales; (unfold_locales; fact Schedule_AI_asms)?) + by (intro_locales; (unfold_locales; fact Schedule_AI_assms)?) qed interpretation Schedule_AI?: Schedule_AI proof goal_cases interpret Arch . case 1 show ?case - by (intro_locales; (unfold_locales; fact Schedule_AI_asms)?) + by (intro_locales; (unfold_locales; fact Schedule_AI_assms)?) qed end diff --git a/proof/invariant-abstract/RISCV64/ArchTcb_AI.thy b/proof/invariant-abstract/RISCV64/ArchTcb_AI.thy index 3760f53e18..3e989e415f 100644 --- a/proof/invariant-abstract/RISCV64/ArchTcb_AI.thy +++ b/proof/invariant-abstract/RISCV64/ArchTcb_AI.thy 
@@ -10,17 +10,17 @@ begin context Arch begin global_naming RISCV64 -named_theorems Tcb_AI_asms +named_theorems Tcb_AI_assms -lemma activate_idle_invs[Tcb_AI_asms]: +lemma activate_idle_invs[Tcb_AI_assms]: "\invs and ct_idle\ arch_activate_idle_thread thread \\rv. invs and ct_idle\" by (simp add: arch_activate_idle_thread_def) -lemma empty_fail_getRegister [intro!, simp, Tcb_AI_asms]: +lemma empty_fail_getRegister [intro!, simp, Tcb_AI_assms]: "empty_fail (getRegister r)" by (simp add: getRegister_def) @@ -37,7 +37,7 @@ lemma same_object_also_valid: (* arch specific *) split: cap.split_asm arch_cap.split_asm option.splits)+) done -lemma same_object_obj_refs[Tcb_AI_asms]: +lemma same_object_obj_refs[Tcb_AI_assms]: "\ same_object_as cap cap' \ \ obj_refs cap = obj_refs cap'" apply (cases cap, simp_all add: same_object_as_def) @@ -124,13 +124,13 @@ lemma checked_insert_tcb_invs[wp]: (* arch specific *) done crunch arch_get_sanitise_register_info, arch_post_modify_registers - for tcb_at[wp, Tcb_AI_asms]: "tcb_at a" + for tcb_at[wp, Tcb_AI_assms]: "tcb_at a" crunch arch_get_sanitise_register_info, arch_post_modify_registers - for invs[wp, Tcb_AI_asms]: "invs" + for invs[wp, Tcb_AI_assms]: "invs" crunch arch_get_sanitise_register_info, arch_post_modify_registers - for ex_nonz_cap_to[wp, Tcb_AI_asms]: "ex_nonz_cap_to a" + for ex_nonz_cap_to[wp, Tcb_AI_assms]: "ex_nonz_cap_to a" -lemma finalise_cap_not_cte_wp_at[Tcb_AI_asms]: +lemma finalise_cap_not_cte_wp_at[Tcb_AI_assms]: assumes x: "P cap.NullCap" shows "\\s. \cp \ ran (caps_of_state s). P cp\ finalise_cap cap fin @@ -147,7 +147,7 @@ lemma finalise_cap_not_cte_wp_at[Tcb_AI_asms]: done -lemma table_cap_ref_max_free_index_upd[simp,Tcb_AI_asms]: +lemma table_cap_ref_max_free_index_upd[simp,Tcb_AI_assms]: "table_cap_ref (max_free_index_update cap) = table_cap_ref cap" by (simp add:free_index_update_def table_cap_ref_def split:cap.splits) 
@@ -158,7 +158,7 @@ global_interpretation Tcb_AI_1?: Tcb_AI_1 and is_cnode_or_valid_arch = is_cnode_or_valid_arch proof goal_cases interpret Arch . - case 1 show ?case by (unfold_locales; (fact Tcb_AI_asms)?) + case 1 show ?case by (unfold_locales; (fact Tcb_AI_assms)?) qed context Arch begin global_naming RISVB64 @@ -177,7 +177,7 @@ lemma use_no_cap_to_obj_asid_strg: (* arch specific *) by (fastforce simp: table_cap_ref_def vspace_asid_def valid_cap_simps obj_at_def split: cap.splits arch_cap.splits option.splits prod.splits) -lemma cap_delete_no_cap_to_obj_asid[wp, Tcb_AI_asms]: +lemma cap_delete_no_cap_to_obj_asid[wp, Tcb_AI_assms]: "\no_cap_to_obj_dr_emp cap\ cap_delete slot \\rv. no_cap_to_obj_dr_emp cap\" @@ -211,7 +211,7 @@ lemma option_case_eq_None: "((case m of None \ None | Some (a,b) \ Some a) = None) = (m = None)" by (clarsimp split: option.splits) -lemma tc_invs[Tcb_AI_asms]: +lemma tc_invs[Tcb_AI_assms]: "\invs and tcb_at a and (case_option \ (valid_cap o fst) e) and (case_option \ (valid_cap o fst) f) @@ -289,7 +289,7 @@ lemma check_valid_ipc_buffer_inv: (* arch_specific *) apply (wp | simp add: if_apply_def2 split del: if_split | wpcw)+ done -lemma check_valid_ipc_buffer_wp[Tcb_AI_asms]: +lemma check_valid_ipc_buffer_wp[Tcb_AI_assms]: "\\(s::'state_ext::state_ext state). is_arch_cap cap \ is_cnode_or_valid_arch cap \ valid_ipc_buffer_cap cap vptr \ is_aligned vptr msg_align_bits @@ -305,7 +305,7 @@ lemma check_valid_ipc_buffer_wp[Tcb_AI_asms]: valid_ipc_buffer_cap_def) done -lemma derive_no_cap_asid[wp,Tcb_AI_asms]: +lemma derive_no_cap_asid[wp,Tcb_AI_assms]: "\(no_cap_to_obj_with_diff_ref cap S)::'state_ext::state_ext state\bool\ derive_cap slot cap \\rv. no_cap_to_obj_with_diff_ref rv S\,-" 
@@ -319,7 +319,7 @@ lemma derive_no_cap_asid[wp,Tcb_AI_asms]: done -lemma decode_set_ipc_inv[wp,Tcb_AI_asms]: +lemma decode_set_ipc_inv[wp,Tcb_AI_assms]: "\P::'state_ext::state_ext state \ bool\ decode_set_ipc_buffer args cap slot excaps \\rv. P\" apply (simp add: decode_set_ipc_buffer_def whenE_def split_def @@ -328,7 +328,7 @@ lemma decode_set_ipc_inv[wp,Tcb_AI_asms]: apply simp done -lemma no_cap_to_obj_with_diff_ref_update_cap_data[Tcb_AI_asms]: +lemma no_cap_to_obj_with_diff_ref_update_cap_data[Tcb_AI_assms]: "no_cap_to_obj_with_diff_ref c S s \ no_cap_to_obj_with_diff_ref (update_cap_data P x c) S s" apply (case_tac "update_cap_data P x c = NullCap") @@ -345,7 +345,7 @@ lemma no_cap_to_obj_with_diff_ref_update_cap_data[Tcb_AI_asms]: done -lemma update_cap_valid[Tcb_AI_asms]: +lemma update_cap_valid[Tcb_AI_assms]: "valid_cap cap (s::'state_ext::state_ext state) \ valid_cap (case capdata of None \ cap_rights_update rs cap @@ -389,7 +389,7 @@ global_interpretation Tcb_AI?: Tcb_AI where is_cnode_or_valid_arch = RISCV64.is_cnode_or_valid_arch proof goal_cases interpret Arch . - case 1 show ?case by (unfold_locales; (fact Tcb_AI_asms)?) + case 1 show ?case by (unfold_locales; (fact Tcb_AI_assms)?) qed end diff --git a/proof/invariant-abstract/X64/ArchAInvsPre.thy b/proof/invariant-abstract/X64/ArchAInvsPre.thy index f345647dda..0c3249c888 100644 --- a/proof/invariant-abstract/X64/ArchAInvsPre.thy +++ b/proof/invariant-abstract/X64/ArchAInvsPre.thy @@ -179,9 +179,9 @@ lemma device_frame_in_device_region: by (auto simp add: pspace_respects_device_region_def dom_def device_mem_def) global_naming Arch -named_theorems AInvsPre_asms +named_theorems AInvsPre_assms -lemma ptable_rights_imp_frame[AInvsPre_asms]: +lemma ptable_rights_imp_frame[AInvsPre_assms]: assumes "valid_state s" shows "ptable_rights t s x \ {} \ ptable_lift t s x = Some (addrFromPPtr y) \ 
@@ -223,7 +223,7 @@ end interpretation AInvsPre?: AInvsPre proof goal_cases interpret Arch . - case 1 show ?case by (intro_locales; (unfold_locales; fact AInvsPre_asms)?) + case 1 show ?case by (intro_locales; (unfold_locales; fact AInvsPre_assms)?) qed requalify_facts diff --git a/proof/invariant-abstract/X64/ArchDetype_AI.thy b/proof/invariant-abstract/X64/ArchDetype_AI.thy index 17a3f8a37b..b236706142 100644 --- a/proof/invariant-abstract/X64/ArchDetype_AI.thy +++ b/proof/invariant-abstract/X64/ArchDetype_AI.thy @@ -10,16 +10,16 @@ begin context Arch begin global_naming X64 -named_theorems Detype_AI_asms +named_theorems Detype_AI_assms -lemma valid_globals_irq_node[Detype_AI_asms]: +lemma valid_globals_irq_node[Detype_AI_assms]: "\ valid_global_refs s; cte_wp_at ((=) cap) ptr s \ \ interrupt_irq_node s irq \ cap_range cap" apply (erule(1) valid_global_refsD) apply (simp add: global_refs_def) done -lemma caps_of_state_ko[Detype_AI_asms]: +lemma caps_of_state_ko[Detype_AI_assms]: "valid_cap cap s \ is_untyped_cap cap \ cap_range cap = {} \ @@ -33,7 +33,7 @@ lemma caps_of_state_ko[Detype_AI_asms]: split: option.splits if_splits)+ done -lemma mapM_x_storeWord[Detype_AI_asms]: +lemma mapM_x_storeWord[Detype_AI_assms]: (* FIXME: taken from Retype_C.thy and adapted wrt. the missing intvl syntax. *) assumes al: "is_aligned ptr word_size_bits" shows "mapM_x (\x. storeWord (ptr + of_nat x * word_size) 0) [0..x. if x \ S then {} else state_hyp_refs_of s x)" by (rule ext, simp add: state_hyp_refs_of_def detype_def) -lemma valid_ioports_detype[Detype_AI_asms]: +lemma valid_ioports_detype[Detype_AI_assms]: "valid_ioports s \ valid_ioports (detype (untyped_range cap) s)" apply (clarsimp simp: valid_ioports_def all_ioports_issued_def ioports_no_overlap_def issued_ioports_def more_update.caps_of_state_update) apply (clarsimp simp: detype_def cap_ioports_def ran_def elim!: ranE split: if_splits cap.splits arch_cap.splits) 
@@ -121,7 +121,7 @@ interpretation Detype_AI?: Detype_AI proof goal_cases interpret Arch . case 1 show ?case - by (intro_locales; (unfold_locales; fact Detype_AI_asms)?) + by (intro_locales; (unfold_locales; fact Detype_AI_assms)?) qed context detype_locale_arch begin diff --git a/proof/invariant-abstract/X64/ArchFinalise_AI.thy b/proof/invariant-abstract/X64/ArchFinalise_AI.thy index c0282a4598..989b824bb4 100644 --- a/proof/invariant-abstract/X64/ArchFinalise_AI.thy +++ b/proof/invariant-abstract/X64/ArchFinalise_AI.thy @@ -10,9 +10,9 @@ begin context Arch begin -named_theorems Finalise_AI_asms +named_theorems Finalise_AI_assms -lemma obj_at_not_live_valid_arch_cap_strg [Finalise_AI_asms]: +lemma obj_at_not_live_valid_arch_cap_strg [Finalise_AI_assms]: "(s \ ArchObjectCap cap \ aobj_ref cap = Some r) \ obj_at (\ko. \ live ko) r s" by (clarsimp simp: valid_cap_def obj_at_def 
@@ -205,22 +205,22 @@ lemma unmap_page_tcb_cap_valid: global_naming Arch -lemma (* replaceable_cdt_update *)[simp,Finalise_AI_asms]: +lemma (* replaceable_cdt_update *)[simp,Finalise_AI_assms]: "replaceable (cdt_update f s) = replaceable s" by (fastforce simp: replaceable_def tcb_cap_valid_def) -lemma (* replaceable_revokable_update *)[simp,Finalise_AI_asms]: +lemma (* replaceable_revokable_update *)[simp,Finalise_AI_assms]: "replaceable (is_original_cap_update f s) = replaceable s" by (fastforce simp: replaceable_def is_final_cap'_def2 tcb_cap_valid_def) -lemma (* replaceable_more_update *) [simp,Finalise_AI_asms]: +lemma (* replaceable_more_update *) [simp,Finalise_AI_assms]: "replaceable (trans_state f s) sl cap cap' = replaceable s sl cap cap'" by (simp add: replaceable_def) -lemma (* obj_ref_ofI *) [Finalise_AI_asms]: "obj_refs cap = {x} \ obj_ref_of cap = x" +lemma (* obj_ref_ofI *) [Finalise_AI_assms]: "obj_refs cap = {x} \ obj_ref_of cap = x" by (case_tac cap, simp_all) (rename_tac arch_cap, case_tac arch_cap, simp_all) -lemma (* empty_slot_invs *) [Finalise_AI_asms]: +lemma (* empty_slot_invs *) [Finalise_AI_assms]: "\\s. invs s \ cte_wp_at (replaceable s sl cap.NullCap) sl s \ emptyable sl s \ (info \ NullCap \ post_cap_delete_pre info ((caps_of_state s) (sl \ NullCap)))\ @@ -301,7 +301,7 @@ lemma (* empty_slot_invs *) [Finalise_AI_asms]: apply (simp add: is_final_cap'_def2 cte_wp_at_caps_of_state) done -lemma dom_tcb_cap_cases_lt_ARCH [Finalise_AI_asms]: +lemma dom_tcb_cap_cases_lt_ARCH [Finalise_AI_assms]: "dom tcb_cap_cases = {xs. length xs = 3 \ unat (of_bl xs :: machine_word) < 5}" apply (rule set_eqI, rule iffI) apply clarsimp 
@@ -311,7 +311,7 @@ lemma dom_tcb_cap_cases_lt_ARCH [Finalise_AI_asms]: apply (clarsimp simp: nat_to_cref_unat_of_bl'[simplified word_bits_def]) done -lemma (* unbind_notification_final *) [wp,Finalise_AI_asms]: +lemma (* unbind_notification_final *) [wp,Finalise_AI_assms]: "\is_final_cap' cap\ unbind_notification t \ \rv. is_final_cap' cap\" unfolding unbind_notification_def apply (wp final_cap_lift thread_set_caps_of_state_trivial hoare_drop_imps @@ -321,7 +321,7 @@ lemma (* unbind_notification_final *) [wp,Finalise_AI_asms]: crunch prepare_thread_delete for is_final_cap'[wp]: "is_final_cap' cap" -lemma (* finalise_cap_cases1 *)[Finalise_AI_asms]: +lemma (* finalise_cap_cases1 *)[Finalise_AI_assms]: "\\s. final \ is_final_cap' cap s \ cte_wp_at ((=) cap) slot s\ finalise_cap cap final @@ -353,7 +353,7 @@ lemma (* finalise_cap_cases1 *)[Finalise_AI_asms]: done crunch arch_finalise_cap, prepare_thread_delete - for typ_at_arch[wp,Finalise_AI_asms]: "\s. P (typ_at T p s)" + for typ_at_arch[wp,Finalise_AI_assms]: "\s. P (typ_at T p s)" (wp: crunch_wps simp: crunch_simps unless_def assertE_def ignore: maskInterrupt ) @@ -362,11 +362,11 @@ crunch prepare_thread_delete crunch prepare_thread_delete for tcb_at[wp]: "tcb_at p" crunch prepare_thread_delete - for cte_wp_at[wp, Finalise_AI_asms]: "\s. P (cte_wp_at P' p s)" + for cte_wp_at[wp, Finalise_AI_assms]: "\s. P (cte_wp_at P' p s)" crunch prepare_thread_delete - for irq_node[wp, Finalise_AI_asms]: "\s. P (interrupt_irq_node s)" + for irq_node[wp, Finalise_AI_assms]: "\s. P (interrupt_irq_node s)" crunch prepare_thread_delete - for caps_of_state[wp, Finalise_AI_asms]: "\s. P (caps_of_state s)" + for caps_of_state[wp, Finalise_AI_assms]: "\s. P (caps_of_state s)" crunch nativeThreadUsingFPU, switchFpuOwner for device_state_inv[wp]: "\ms. P (device_state ms)" 
@@ -395,7 +395,7 @@ crunch prepare_thread_delete for invs[wp]: invs (ignore: do_machine_op) -lemma (* finalise_cap_new_valid_cap *)[wp,Finalise_AI_asms]: +lemma (* finalise_cap_new_valid_cap *)[wp,Finalise_AI_assms]: "\valid_cap cap\ finalise_cap cap x \\rv. valid_cap (fst rv)\" apply (cases cap, simp_all) apply (wp suspend_valid_cap @@ -409,7 +409,7 @@ lemma (* finalise_cap_new_valid_cap *)[wp,Finalise_AI_asms]: split del: if_split|clarsimp|wpc)+ done -lemma (* arch_finalise_cap_invs *)[wp,Finalise_AI_asms]: +lemma (* arch_finalise_cap_invs *)[wp,Finalise_AI_assms]: "\invs and valid_cap (ArchObjectCap cap)\ arch_finalise_cap cap final \\rv. invs\" @@ -461,7 +461,7 @@ lemma arch_finalise_cap_replaceable[wp]: done global_naming Arch -lemma (* deleting_irq_handler_slot_not_irq_node *)[Finalise_AI_asms]: +lemma (* deleting_irq_handler_slot_not_irq_node *)[Finalise_AI_assms]: "\if_unsafe_then_cap and valid_global_refs and cte_wp_at (\cp. cap_irqs cp \ {}) sl\ deleting_irq_handler irq @@ -482,7 +482,7 @@ lemma (* deleting_irq_handler_slot_not_irq_node *)[Finalise_AI_asms]: apply (clarsimp simp: appropriate_cte_cap_def split: cap.split_asm) done -lemma no_cap_to_obj_with_diff_ref_finalI_ARCH[Finalise_AI_asms]: +lemma no_cap_to_obj_with_diff_ref_finalI_ARCH[Finalise_AI_assms]: "\ cte_wp_at ((=) cap) p s; is_final_cap' cap s; obj_refs cap' = obj_refs cap \ \ no_cap_to_obj_with_diff_ref cap' {p} s" @@ -504,7 +504,7 @@ lemma no_cap_to_obj_with_diff_ref_finalI_ARCH[Finalise_AI_asms]: gen_obj_refs_Int) done -lemma (* suspend_no_cap_to_obj_ref *)[wp,Finalise_AI_asms]: +lemma (* suspend_no_cap_to_obj_ref *)[wp,Finalise_AI_assms]: "\no_cap_to_obj_with_diff_ref cap S\ suspend t \\rv. no_cap_to_obj_with_diff_ref cap S\" 
@@ -535,13 +535,13 @@ crunch fpu_thread_delete for obj_at[wp]: "\s. P' (obj_at P p s)" (wp: whenE_wp simp: crunch_simps) -lemma (* fpu_thread_delete_no_cap_to_obj_ref *)[wp,Finalise_AI_asms]: +lemma (* fpu_thread_delete_no_cap_to_obj_ref *)[wp,Finalise_AI_assms]: "\no_cap_to_obj_with_diff_ref cap S\ fpu_thread_delete thread \\rv. no_cap_to_obj_with_diff_ref cap S\" by (wpsimp simp: no_cap_to_obj_with_diff_ref_def cte_wp_at_caps_of_state) -lemma finalise_cap_replaceable [Finalise_AI_asms]: +lemma finalise_cap_replaceable [Finalise_AI_assms]: "\\s. s \ cap \ x = is_final_cap' cap s \ valid_mdb s \ cte_wp_at ((=) cap) sl s \ valid_objs s \ sym_refs (state_refs_of s) \ (cap_irqs cap \ {} \ if_unsafe_then_cap s \ valid_global_refs s) @@ -594,7 +594,7 @@ lemma finalise_cap_replaceable [Finalise_AI_asms]: | simp add: valid_cap_simps is_nondevice_page_cap_simps)+) done -lemma (* deleting_irq_handler_cte_preserved *)[Finalise_AI_asms]: +lemma (* deleting_irq_handler_cte_preserved *)[Finalise_AI_assms]: assumes x: "\cap. P cap \ \ can_fast_finalise cap" shows "\cte_wp_at P p\ deleting_irq_handler irq \\rv. cte_wp_at P p\" apply (simp add: deleting_irq_handler_def) @@ -613,7 +613,7 @@ lemma set_asid_pool_cte_wp_at: crunch arch_finalise_cap - for cte_wp_at[wp,Finalise_AI_asms]: "\s. P (cte_wp_at P' p s)" + for cte_wp_at[wp,Finalise_AI_assms]: "\s. P (cte_wp_at P' p s)" (simp: crunch_simps assertE_def set_arch_obj_simps wp: set_aobject_cte_wp_at crunch_wps set_object_cte_at ignore: set_object) @@ -623,7 +623,7 @@ end interpretation Finalise_AI_1?: Finalise_AI_1 proof goal_cases interpret Arch . - case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_asms)?) + case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_assms)?) qed context Arch begin global_naming X64 
@@ -648,7 +648,7 @@ lemma fast_finalise_replaceable[wp]: done global_naming Arch -lemma (* cap_delete_one_invs *) [Finalise_AI_asms,wp]: +lemma (* cap_delete_one_invs *) [Finalise_AI_assms,wp]: "\invs and emptyable ptr\ cap_delete_one ptr \\rv. invs\" apply (simp add: cap_delete_one_def unless_def is_final_cap_def) apply (rule hoare_pre) @@ -662,7 +662,7 @@ end interpretation Finalise_AI_2?: Finalise_AI_2 proof goal_cases interpret Arch . - case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_asms)?) + case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_assms)?) qed context Arch begin global_naming X64 @@ -1254,7 +1254,7 @@ crunch do_machine_op global_naming Arch -lemma (* finalise_cap_invs *)[Finalise_AI_asms]: +lemma (* finalise_cap_invs *)[Finalise_AI_assms]: shows "\invs and cte_wp_at ((=) cap) slot\ finalise_cap cap x \\rv. invs\" apply (cases cap, simp_all split del: if_split) apply (wp cancel_all_ipc_invs cancel_all_signals_invs unbind_notification_invs @@ -1271,16 +1271,16 @@ lemma (* finalise_cap_invs *)[Finalise_AI_asms]: apply (auto dest: cte_wp_at_valid_objs_valid_cap) done -lemma (* finalise_cap_irq_node *)[Finalise_AI_asms]: +lemma (* finalise_cap_irq_node *)[Finalise_AI_assms]: "\\s. P (interrupt_irq_node s)\ finalise_cap a b \\_ s. P (interrupt_irq_node s)\" apply (case_tac a,simp_all) apply (wp | clarsimp)+ done -lemmas (*arch_finalise_cte_irq_node *) [wp,Finalise_AI_asms] +lemmas (*arch_finalise_cte_irq_node *) [wp,Finalise_AI_assms] = hoare_use_eq_irq_node [OF arch_finalise_cap_irq_node arch_finalise_cap_cte_wp_at] -lemma (* deleting_irq_handler_st_tcb_at *) [Finalise_AI_asms]: +lemma (* deleting_irq_handler_st_tcb_at *) [Finalise_AI_assms]: "\st_tcb_at P t and K (\st. simple st \ P st)\ deleting_irq_handler irq \\rv. st_tcb_at P t\" 
@@ -1289,11 +1289,11 @@ lemma (* deleting_irq_handler_st_tcb_at *) [Finalise_AI_asms]: apply simp done -lemma irq_node_global_refs_ARCH [Finalise_AI_asms]: +lemma irq_node_global_refs_ARCH [Finalise_AI_assms]: "interrupt_irq_node s irq \ global_refs s" by (simp add: global_refs_def) -lemma (* get_irq_slot_fast_finalisable *)[wp,Finalise_AI_asms]: +lemma (* get_irq_slot_fast_finalisable *)[wp,Finalise_AI_assms]: "\invs\ get_irq_slot irq \cte_wp_at can_fast_finalise\" apply (simp add: get_irq_slot_def) apply wp @@ -1315,12 +1315,12 @@ lemma (* get_irq_slot_fast_finalisable *)[wp,Finalise_AI_asms]: apply (clarsimp simp: cap_range_def) done -lemma (* replaceable_or_arch_update_same *) [Finalise_AI_asms]: +lemma (* replaceable_or_arch_update_same *) [Finalise_AI_assms]: "replaceable_or_arch_update s slot cap cap" by (clarsimp simp: replaceable_or_arch_update_def replaceable_def is_arch_update_def is_cap_simps) -lemma (* replace_cap_invs_arch_update *)[Finalise_AI_asms]: +lemma (* replace_cap_invs_arch_update *)[Finalise_AI_assms]: "\\s. cte_wp_at (replaceable_or_arch_update s p cap) p s \ invs s \ cap \ cap.NullCap @@ -1341,7 +1341,7 @@ lemma (* replace_cap_invs_arch_update *)[Finalise_AI_asms]: crunch hw_asid_invalidate for pred_tcb_at_P[wp]: "\s. P (pred_tcb_at proj Q p s)" -lemma dmo_tcb_cap_valid_ARCH [Finalise_AI_asms]: +lemma dmo_tcb_cap_valid_ARCH [Finalise_AI_assms]: "\\s. P (tcb_cap_valid cap ptr s)\ do_machine_op mop \\_ s. P (tcb_cap_valid cap ptr s)\" apply (simp add: tcb_cap_valid_def no_cap_to_obj_with_diff_ref_def) apply (rule hoare_pre) @@ -1350,7 +1350,7 @@ lemma dmo_tcb_cap_valid_ARCH [Finalise_AI_asms]: apply simp done -lemma (* dmo_replaceable_or_arch_update *) [Finalise_AI_asms,wp]: +lemma (* dmo_replaceable_or_arch_update *) [Finalise_AI_assms,wp]: "\\s. replaceable_or_arch_update s slot cap cap'\ do_machine_op mo \\r s. replaceable_or_arch_update s slot cap cap'\" 
@@ -1372,14 +1372,14 @@ interpretation Finalise_AI_3?: Finalise_AI_3 where replaceable_or_arch_update = replaceable_or_arch_update proof goal_cases interpret Arch . - case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_asms)?) + case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_assms)?) qed interpretation Finalise_AI_4?: Finalise_AI_4 where replaceable_or_arch_update = replaceable_or_arch_update proof goal_cases interpret Arch . - case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_asms)?) + case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_assms)?) qed context Arch begin global_naming X64 @@ -1617,9 +1617,9 @@ crunch unmap_page_table, (wp: mapM_wp_inv mapM_x_wp' crunch_wps simp: crunch_simps set_arch_obj_simps ignore: set_object) -lemmas clearMemory_invs[wp, Finalise_AI_asms] = clearMemory_invs +lemmas clearMemory_invs[wp, Finalise_AI_assms] = clearMemory_invs -lemma valid_idle_has_null_cap_ARCH[Finalise_AI_asms]: +lemma valid_idle_has_null_cap_ARCH[Finalise_AI_assms]: "\ if_unsafe_then_cap s; valid_global_refs s; valid_idle s; valid_irq_node s\ \ caps_of_state s (idle_thread s, v) = Some cap \ cap = NullCap" @@ -1635,7 +1635,7 @@ lemma valid_idle_has_null_cap_ARCH[Finalise_AI_asms]: apply (drule_tac x=word in spec, simp) done -lemma (* zombie_cap_two_nonidles *)[Finalise_AI_asms]: +lemma (* zombie_cap_two_nonidles *)[Finalise_AI_assms]: "\ caps_of_state s ptr = Some (Zombie ptr' zbits n); invs s \ \ fst ptr \ idle_thread s \ ptr' \ idle_thread s" apply (frule valid_global_refsD2, clarsimp+) @@ -1684,7 +1684,7 @@ interpretation Finalise_AI_5?: Finalise_AI_5 where replaceable_or_arch_update = replaceable_or_arch_update proof goal_cases interpret Arch . - case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_asms)?) + case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_assms)?) qed end 
diff --git a/proof/invariant-abstract/X64/ArchInterrupt_AI.thy b/proof/invariant-abstract/X64/ArchInterrupt_AI.thy index 25468596be..2572c3e91d 100644 --- a/proof/invariant-abstract/X64/ArchInterrupt_AI.thy +++ b/proof/invariant-abstract/X64/ArchInterrupt_AI.thy @@ -32,9 +32,9 @@ where defs arch_irq_control_inv_valid_def: "arch_irq_control_inv_valid \ arch_irq_control_inv_valid_real" -named_theorems Interrupt_AI_asms +named_theorems Interrupt_AI_assms -lemma (* decode_irq_control_invocation_inv *)[Interrupt_AI_asms]: +lemma (* decode_irq_control_invocation_inv *)[Interrupt_AI_assms]: "\P\ decode_irq_control_invocation label args slot caps \\rv. P\" apply (simp add: decode_irq_control_invocation_def Let_def arch_check_irq_def arch_decode_irq_control_invocation_def whenE_def split del: if_split) @@ -129,7 +129,7 @@ lemma arch_decode_irq_control_valid[wp]: done end -lemma (* decode_irq_control_valid *)[Interrupt_AI_asms]: +lemma (* decode_irq_control_valid *)[Interrupt_AI_assms]: "\\s. invs s \ (\cap \ set caps. s \ cap) \ (\cap \ set caps. is_cnode_cap cap \ (\r \ cte_refs cap (interrupt_irq_node s). ex_cte_cap_wp_to is_cnode_cap r s)) @@ -144,7 +144,7 @@ lemma (* decode_irq_control_valid *)[Interrupt_AI_asms]: | wp (once) hoare_drop_imps)+ done -lemma get_irq_slot_different_ARCH[Interrupt_AI_asms]: +lemma get_irq_slot_different_ARCH[Interrupt_AI_assms]: "\\s. valid_global_refs s \ ex_cte_cap_wp_to is_cnode_cap ptr s\ get_irq_slot irq \\rv s. rv \ ptr\" @@ -156,7 +156,7 @@ lemma get_irq_slot_different_ARCH[Interrupt_AI_asms]: apply (clarsimp simp: global_refs_def is_cap_simps cap_range_def) done -lemma is_derived_use_interrupt_ARCH[Interrupt_AI_asms]: +lemma is_derived_use_interrupt_ARCH[Interrupt_AI_assms]: "(is_ntfn_cap cap \ interrupt_derived cap cap') \ (is_derived m p cap cap')" apply (clarsimp simp: is_cap_simps) apply (clarsimp simp: interrupt_derived_def is_derived_def) 
@@ -164,7 +164,7 @@ lemma is_derived_use_interrupt_ARCH[Interrupt_AI_asms]: apply (simp add: is_cap_simps is_pt_cap_def vs_cap_ref_def) done -lemma maskInterrupt_invs_ARCH[Interrupt_AI_asms]: +lemma maskInterrupt_invs_ARCH[Interrupt_AI_assms]: "\invs and (\s. \b \ interrupt_states s irq \ IRQInactive)\ do_machine_op (maskInterrupt b irq) \\rv. invs\" @@ -174,7 +174,7 @@ lemma maskInterrupt_invs_ARCH[Interrupt_AI_asms]: valid_irq_states_but_def valid_irq_masks_but_def valid_machine_state_def cur_tcb_def valid_irq_states_def valid_irq_masks_def) done -lemma no_cap_to_obj_with_diff_IRQHandler_ARCH[Interrupt_AI_asms]: +lemma no_cap_to_obj_with_diff_IRQHandler_ARCH[Interrupt_AI_assms]: "no_cap_to_obj_with_diff_ref (IRQHandlerCap irq) S = \" by (rule ext, simp add: no_cap_to_obj_with_diff_ref_def cte_wp_at_caps_of_state @@ -183,7 +183,7 @@ lemma no_cap_to_obj_with_diff_IRQHandler_ARCH[Interrupt_AI_asms]: crunch do_machine_op for valid_cap: "valid_cap cap" -lemma (* set_irq_state_valid_cap *)[Interrupt_AI_asms]: +lemma (* set_irq_state_valid_cap *)[Interrupt_AI_assms]: "\valid_cap cap\ set_irq_state IRQSignal irq \\rv. valid_cap cap\" apply (clarsimp simp: set_irq_state_def) apply (wp do_machine_op_valid_cap) @@ -193,12 +193,12 @@ lemma (* set_irq_state_valid_cap *)[Interrupt_AI_asms]: done crunch set_irq_state - for valid_global_refs[Interrupt_AI_asms]: "valid_global_refs" + for valid_global_refs[Interrupt_AI_assms]: "valid_global_refs" crunch arch_invoke_irq_handler for typ_at[wp]: "\s. P (typ_at T p s)" -lemma invoke_irq_handler_invs'[Interrupt_AI_asms]: +lemma invoke_irq_handler_invs'[Interrupt_AI_assms]: assumes dmo_ex_inv[wp]: "\f. \invs and ex_inv\ do_machine_op f \\rv::unit. ex_inv\" assumes cap_insert_ex_inv[wp]: "\cap src dest. \ex_inv and invs and K (src \ dest)\ 
@@ -314,7 +314,7 @@ lemma arch_invoke_irq_control_invs[wp]: maxUserIRQ_def maxIRQ_def order.trans ex_cte_cap_to_cnode_always_appropriate_strg) -lemma (* invoke_irq_control_invs *) [Interrupt_AI_asms]: +lemma (* invoke_irq_control_invs *) [Interrupt_AI_assms]: "\invs and irq_control_inv_valid i\ invoke_irq_control i \\rv. invs\" apply (cases i, simp_all) apply (rule hoare_pre) @@ -331,7 +331,7 @@ lemma (* invoke_irq_control_invs *) [Interrupt_AI_asms]: crunch resetTimer for device_state_inv[wp]: "\ms. P (device_state ms)" -lemma resetTimer_invs_ARCH[Interrupt_AI_asms]: +lemma resetTimer_invs_ARCH[Interrupt_AI_assms]: "\invs\ do_machine_op resetTimer \\_. invs\" apply (wp dmo_invs) apply safe @@ -344,15 +344,15 @@ lemma resetTimer_invs_ARCH[Interrupt_AI_asms]: apply(erule use_valid, wp no_irq_resetTimer no_irq, assumption) done -lemma empty_fail_ackInterrupt_ARCH[Interrupt_AI_asms]: +lemma empty_fail_ackInterrupt_ARCH[Interrupt_AI_assms]: "empty_fail (ackInterrupt irq)" by (wp | simp add: ackInterrupt_def)+ -lemma empty_fail_maskInterrupt_ARCH[Interrupt_AI_asms]: +lemma empty_fail_maskInterrupt_ARCH[Interrupt_AI_assms]: "empty_fail (maskInterrupt f irq)" by (wp | simp add: maskInterrupt_def)+ -lemma (* handle_interrupt_invs *) [Interrupt_AI_asms]: +lemma (* handle_interrupt_invs *) [Interrupt_AI_assms]: "\invs\ handle_interrupt irq \\_. invs\" apply (simp add: handle_interrupt_def ) apply (rule conjI; rule impI) @@ -367,7 +367,7 @@ lemma (* handle_interrupt_invs *) [Interrupt_AI_asms]: apply (wp hoare_drop_imps resetTimer_invs_ARCH | simp add: get_irq_state_def handle_reserved_irq_def)+ done -lemma sts_arch_irq_control_inv_valid[wp, Interrupt_AI_asms]: +lemma sts_arch_irq_control_inv_valid[wp, Interrupt_AI_assms]: "\arch_irq_control_inv_valid i\ set_thread_state t st \\rv. arch_irq_control_inv_valid i\" 
@@ -387,7 +387,7 @@ end interpretation Interrupt_AI?: Interrupt_AI proof goal_cases interpret Arch . - case 1 show ?case by (intro_locales; (unfold_locales, simp_all add: Interrupt_AI_asms)?) + case 1 show ?case by (intro_locales; (unfold_locales, simp_all add: Interrupt_AI_assms)?) qed end diff --git a/proof/invariant-abstract/X64/ArchIpcCancel_AI.thy b/proof/invariant-abstract/X64/ArchIpcCancel_AI.thy index a9a291e562..dff61cc619 100644 --- a/proof/invariant-abstract/X64/ArchIpcCancel_AI.thy +++ b/proof/invariant-abstract/X64/ArchIpcCancel_AI.thy @@ -10,26 +10,26 @@ begin context Arch begin global_naming X64 -named_theorems IpcCancel_AI_asms +named_theorems IpcCancel_AI_assms crunch set_endpoint - for v_ker_map[wp,IpcCancel_AI_asms]: "valid_kernel_mappings" + for v_ker_map[wp,IpcCancel_AI_assms]: "valid_kernel_mappings" (ignore: set_object wp: set_object_v_ker_map crunch_wps) crunch set_endpoint - for eq_ker_map[wp,IpcCancel_AI_asms]: "equal_kernel_mappings" + for eq_ker_map[wp,IpcCancel_AI_assms]: "equal_kernel_mappings" (ignore: set_object wp: set_object_equal_mappings crunch_wps) crunch arch_post_cap_deletion - for typ_at[wp, IpcCancel_AI_asms]: "\s. P (typ_at T p s)" - and idle_thread[wp, IpcCancel_AI_asms]: "\s. P (idle_thread s)" + for typ_at[wp, IpcCancel_AI_assms]: "\s. P (typ_at T p s)" + and idle_thread[wp, IpcCancel_AI_assms]: "\s. P (idle_thread s)" end interpretation IpcCancel_AI?: IpcCancel_AI proof goal_cases interpret Arch . - case 1 show ?case by (intro_locales; (unfold_locales; fact IpcCancel_AI_asms)?) + case 1 show ?case by (intro_locales; (unfold_locales; fact IpcCancel_AI_assms)?) qed end diff --git a/proof/invariant-abstract/X64/ArchSchedule_AI.thy b/proof/invariant-abstract/X64/ArchSchedule_AI.thy index 09ba73456b..29e13fc0c8 100644 --- a/proof/invariant-abstract/X64/ArchSchedule_AI.thy +++ b/proof/invariant-abstract/X64/ArchSchedule_AI.thy 
@@ -10,9 +10,9 @@ begin context Arch begin global_naming X64 -named_theorems Schedule_AI_asms +named_theorems Schedule_AI_assms -lemma dmo_mapM_storeWord_0_invs[wp,Schedule_AI_asms]: +lemma dmo_mapM_storeWord_0_invs[wp,Schedule_AI_assms]: "valid invs (do_machine_op (mapM (\p. storeWord p 0) S)) (\_. invs)" apply (simp add: dom_mapM ef_storeWord) apply (rule mapM_UNIV_wp) @@ -30,25 +30,25 @@ lemma dmo_mapM_storeWord_0_invs[wp,Schedule_AI_asms]: global_naming Arch -lemma arch_stt_invs [wp,Schedule_AI_asms]: +lemma arch_stt_invs [wp,Schedule_AI_assms]: "\invs\ arch_switch_to_thread t' \\_. invs\" apply (simp add: arch_switch_to_thread_def) apply wp done -lemma arch_stt_tcb [wp,Schedule_AI_asms]: +lemma arch_stt_tcb [wp,Schedule_AI_assms]: "\tcb_at t'\ arch_switch_to_thread t' \\_. tcb_at t'\" apply (simp add: arch_switch_to_thread_def) apply (wp) done -lemma arch_stt_runnable[Schedule_AI_asms]: +lemma arch_stt_runnable[Schedule_AI_assms]: "\st_tcb_at runnable t\ arch_switch_to_thread t \\r . st_tcb_at runnable t\" apply (simp add: arch_switch_to_thread_def) apply wp done -lemma arch_stit_invs[wp, Schedule_AI_asms]: +lemma arch_stit_invs[wp, Schedule_AI_assms]: "\invs\ arch_switch_to_idle_thread \\r. invs\" by (wpsimp wp: svr_invs simp: arch_switch_to_idle_thread_def) 
@@ -66,20 +66,20 @@ crunch set_vm_root for ct[wp]: "\s. P (cur_thread s)" (wp: crunch_wps simp: crunch_simps) -lemma arch_stit_activatable[wp, Schedule_AI_asms]: +lemma arch_stit_activatable[wp, Schedule_AI_assms]: "\ct_in_state activatable\ arch_switch_to_idle_thread \\rv . ct_in_state activatable\" apply (clarsimp simp: arch_switch_to_idle_thread_def) apply (wpsimp simp: ct_in_state_def wp: ct_in_state_thread_state_lift) done -lemma stit_invs [wp,Schedule_AI_asms]: +lemma stit_invs [wp,Schedule_AI_assms]: "\invs\ switch_to_idle_thread \\rv. invs\" apply (simp add: switch_to_idle_thread_def) apply (wp sct_invs) apply (clarsimp simp: invs_def valid_state_def valid_idle_def pred_tcb_at_tcb_at) done -lemma stit_activatable[Schedule_AI_asms]: +lemma stit_activatable[Schedule_AI_assms]: "\invs\ switch_to_idle_thread \\rv . ct_in_state activatable\" apply (simp add: switch_to_idle_thread_def arch_switch_to_idle_thread_def) apply (wp | simp add: ct_in_state_def)+ @@ -87,7 +87,7 @@ lemma stit_activatable[Schedule_AI_asms]: elim!: pred_tcb_weaken_strongerE) done -lemma stt_invs [wp,Schedule_AI_asms]: +lemma stt_invs [wp,Schedule_AI_assms]: "\invs\ switch_to_thread t' \\_. invs\" apply (simp add: switch_to_thread_def) apply wp @@ -107,14 +107,14 @@ interpretation Schedule_AI_U?: Schedule_AI_U proof goal_cases interpret Arch . case 1 show ?case - by (intro_locales; (unfold_locales; fact Schedule_AI_asms)?) + by (intro_locales; (unfold_locales; fact Schedule_AI_assms)?) qed interpretation Schedule_AI?: Schedule_AI proof goal_cases interpret Arch . case 1 show ?case - by (intro_locales; (unfold_locales; fact Schedule_AI_asms)?) + by (intro_locales; (unfold_locales; fact Schedule_AI_assms)?) qed end diff --git a/proof/invariant-abstract/X64/ArchTcb_AI.thy b/proof/invariant-abstract/X64/ArchTcb_AI.thy index f1b0533036..947de34676 100644 --- a/proof/invariant-abstract/X64/ArchTcb_AI.thy +++ b/proof/invariant-abstract/X64/ArchTcb_AI.thy 
@@ -10,17 +10,17 @@ begin context Arch begin global_naming X64 -named_theorems Tcb_AI_asms +named_theorems Tcb_AI_assms -lemma activate_idle_invs[Tcb_AI_asms]: +lemma activate_idle_invs[Tcb_AI_assms]: "\invs and ct_idle\ arch_activate_idle_thread thread \\rv. invs and ct_idle\" by (simp add: arch_activate_idle_thread_def) -lemma empty_fail_getRegister [intro!, simp, Tcb_AI_asms]: +lemma empty_fail_getRegister [intro!, simp, Tcb_AI_assms]: "empty_fail (getRegister r)" by (simp add: getRegister_def) @@ -37,7 +37,7 @@ lemma same_object_also_valid: (* arch specific *) split: cap.split_asm arch_cap.split_asm option.splits)+) done -lemma same_object_obj_refs[Tcb_AI_asms]: +lemma same_object_obj_refs[Tcb_AI_assms]: "\ same_object_as cap cap' \ \ obj_refs cap = obj_refs cap'" apply (cases cap, simp_all add: same_object_as_def) @@ -141,13 +141,13 @@ lemma checked_insert_tcb_invs[wp]: (* arch specific *) done crunch arch_get_sanitise_register_info, arch_post_modify_registers - for tcb_at[wp, Tcb_AI_asms]: "tcb_at a" + for tcb_at[wp, Tcb_AI_assms]: "tcb_at a" crunch arch_get_sanitise_register_info, arch_post_modify_registers - for invs[wp, Tcb_AI_asms]: "invs" + for invs[wp, Tcb_AI_assms]: "invs" crunch arch_get_sanitise_register_info, arch_post_modify_registers - for ex_nonz_cap_to[wp, Tcb_AI_asms]: "ex_nonz_cap_to a" + for ex_nonz_cap_to[wp, Tcb_AI_assms]: "ex_nonz_cap_to a" -lemma finalise_cap_not_cte_wp_at[Tcb_AI_asms]: +lemma finalise_cap_not_cte_wp_at[Tcb_AI_assms]: assumes x: "P cap.NullCap" shows "\\s. \cp \ ran (caps_of_state s). P cp\ finalise_cap cap fin @@ -164,7 +164,7 @@ lemma finalise_cap_not_cte_wp_at[Tcb_AI_asms]: done -lemma table_cap_ref_max_free_index_upd[simp,Tcb_AI_asms]: +lemma table_cap_ref_max_free_index_upd[simp,Tcb_AI_assms]: "table_cap_ref (max_free_index_update cap) = table_cap_ref cap" by (simp add:free_index_update_def table_cap_ref_def split:cap.splits) 
@@ -175,7 +175,7 @@ global_interpretation Tcb_AI_1?: Tcb_AI_1 and is_cnode_or_valid_arch = is_cnode_or_valid_arch proof goal_cases interpret Arch . - case 1 show ?case by (unfold_locales; (fact Tcb_AI_asms)?) + case 1 show ?case by (unfold_locales; (fact Tcb_AI_assms)?) qed context Arch begin global_naming X64 @@ -194,7 +194,7 @@ lemma use_no_cap_to_obj_asid_strg: (* arch specific *) apply (fastforce simp: table_cap_ref_def valid_cap_simps wellformed_mapdata_def elim!: asid_low_high_bits)+ done -lemma cap_delete_no_cap_to_obj_asid[wp, Tcb_AI_asms]: +lemma cap_delete_no_cap_to_obj_asid[wp, Tcb_AI_assms]: "\no_cap_to_obj_dr_emp cap\ cap_delete slot \\rv. no_cap_to_obj_dr_emp cap\" @@ -207,7 +207,7 @@ lemma cap_delete_no_cap_to_obj_asid[wp, Tcb_AI_asms]: | rule obj_ref_none_no_asid)+ done -lemma tc_invs[Tcb_AI_asms]: +lemma tc_invs[Tcb_AI_assms]: "\invs and tcb_at a and (case_option \ (valid_cap o fst) e) and (case_option \ (valid_cap o fst) f) @@ -286,7 +286,7 @@ lemma check_valid_ipc_buffer_inv: (* arch_specific *) apply (wp | simp add: if_apply_def2 split del: if_split | wpcw)+ done -lemma check_valid_ipc_buffer_wp[Tcb_AI_asms]: +lemma check_valid_ipc_buffer_wp[Tcb_AI_assms]: "\\(s::'state_ext::state_ext state). is_arch_cap cap \ is_cnode_or_valid_arch cap \ valid_ipc_buffer_cap cap vptr \ is_aligned vptr msg_align_bits @@ -302,7 +302,7 @@ lemma check_valid_ipc_buffer_wp[Tcb_AI_asms]: valid_ipc_buffer_cap_def) done -lemma derive_no_cap_asid[wp,Tcb_AI_asms]: +lemma derive_no_cap_asid[wp,Tcb_AI_assms]: "\(no_cap_to_obj_with_diff_ref cap S)::'state_ext::state_ext state\bool\ derive_cap slot cap \\rv. no_cap_to_obj_with_diff_ref rv S\,-" @@ -316,7 +316,7 @@ lemma derive_no_cap_asid[wp,Tcb_AI_asms]: done -lemma decode_set_ipc_inv[wp,Tcb_AI_asms]: +lemma decode_set_ipc_inv[wp,Tcb_AI_assms]: "\P::'state_ext::state_ext state \ bool\ decode_set_ipc_buffer args cap slot excaps \\rv. P\" apply (simp add: decode_set_ipc_buffer_def whenE_def split_def 
@@ -325,7 +325,7 @@ lemma decode_set_ipc_inv[wp,Tcb_AI_asms]: apply simp done -lemma no_cap_to_obj_with_diff_ref_update_cap_data[Tcb_AI_asms]: +lemma no_cap_to_obj_with_diff_ref_update_cap_data[Tcb_AI_assms]: "no_cap_to_obj_with_diff_ref c S s \ no_cap_to_obj_with_diff_ref (update_cap_data P x c) S s" apply (case_tac "update_cap_data P x c = NullCap") @@ -342,7 +342,7 @@ lemma no_cap_to_obj_with_diff_ref_update_cap_data[Tcb_AI_asms]: done -lemma update_cap_valid[Tcb_AI_asms]: +lemma update_cap_valid[Tcb_AI_assms]: "valid_cap cap (s::'state_ext::state_ext state) \ valid_cap (case capdata of None \ cap_rights_update rs cap @@ -386,7 +386,7 @@ global_interpretation Tcb_AI?: Tcb_AI where is_cnode_or_valid_arch = X64.is_cnode_or_valid_arch proof goal_cases interpret Arch . - case 1 show ?case by (unfold_locales; (fact Tcb_AI_asms)?) + case 1 show ?case by (unfold_locales; (fact Tcb_AI_assms)?) qed end From d4f5564866207771561d54997bef30c7e59c1bee Mon Sep 17 00:00:00 2001 From: Rafal Kolanski Date: Thu, 11 Jul 2024 13:13:59 +1000 Subject: [PATCH 2/9] lib: overhaul Requalify, add arch variants * add warnings when exporting a name that already exists in theory context, suppressable by `(aliasing)` option * add `arch` variants of requalify commands that implicitly add the value of L4V_ARCH before whatever you give them, with optional suffixes for abstract (A) and Haskell (H) spec global naming. * write hopefully-understandable documentation with commented examples Signed-off-by: Rafal Kolanski --- lib/Requalify.thy | 460 ++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 408 insertions(+), 52 deletions(-) diff --git a/lib/Requalify.thy b/lib/Requalify.thy index b06fdb3719..01e71af48e 100644 --- a/lib/Requalify.thy +++ b/lib/Requalify.thy 
@@ -1,82 +1,132 @@ (* + * Copyright 2024, Proofcraft Pty Ltd * Copyright 2020, Data61, CSIRO (ABN 41 687 119 230) * * SPDX-License-Identifier: BSD-2-Clause *) (* - Requalify constants, types and facts into the current naming + Requalify constants, types and facts into the current naming. + Includes command variants that support implicitly using the L4V_ARCH environment variable. *) theory Requalify imports Main -keywords "requalify_facts" :: thy_decl and "requalify_types" :: thy_decl and "requalify_consts" :: thy_decl and - "global_naming" :: thy_decl +keywords "requalify_facts" :: thy_decl + and "requalify_types" :: thy_decl + and "requalify_consts" :: thy_decl + and "global_naming" :: thy_decl + and "arch_requalify_facts" :: thy_decl + and "arch_requalify_types" :: thy_decl + and "arch_requalify_consts" :: thy_decl + and "arch_global_naming" :: thy_decl begin ML \ local - fun all_facts_of ctxt = - let - val thy = Proof_Context.theory_of ctxt; - val global_facts = Global_Theory.facts_of thy; - in - Facts.dest_static false [] global_facts - end; + Proof_Context.theory_of ctxt + |> Global_Theory.facts_of + |> Facts.dest_static false []; + +fun tl' (_ :: xs) = xs + | tl' _ = [] + +(* Alias binding to fully-qualified name "name" in both global and local context *) +fun bind_alias global_alias_fn local_alias_fn binding (name : string) = + Local_Theory.declaration {syntax = false, pos = Position.none, pervasive = true} (fn phi => + let val binding' = Morphism.binding phi binding; + in Context.mapping (global_alias_fn binding' name) (local_alias_fn binding' name) end); + +(* Instantiate global and local aliasing functions for consts, types and facts *) +val const_alias = bind_alias Sign.const_alias Proof_Context.const_alias; +val type_alias = bind_alias Sign.type_alias Proof_Context.type_alias; +val alias_fact = bind_alias Global_Theory.alias_fact Proof_Context.alias_fact; + +(* Locate global fact matching supplied name. 
+ When we specify a fact name that resolves to a global name, return the normal fact lookup result. + Note: Locale_Name.fact_name outside the locale resolves to a global name. + + When we are inside a locale, the lookup is more interesting. Supplying "short_name" will result + in "local.short_name", which we then need to match to some name in the global context. We do + this by going through *all* the fact names in the current context, searching for matches + of the form "X.Y.short_name", where we hope X is some theory, and Y is some locale. + Since "X.Y.short_name" is not sufficiently unique, we must also check that the theorems under + the discovered name match the ones under "local.short_name". *) fun global_fact ctxt nm = let val facts = Proof_Context.facts_of ctxt; val {name, thms, ...} = (Facts.retrieve (Context.Proof ctxt) facts (nm, Position.none)); - fun tl' (_ :: xs) = xs - | tl' _ = [] - - fun matches suf (gnm, gthms) = - let - val gsuf = Long_Name.explode gnm |> tl' |> tl' |> Long_Name.implode; - - in suf = gsuf andalso eq_list (Thm.equiv_thm (Proof_Context.theory_of ctxt)) (thms, gthms) - end + fun matches suffix (global_name, global_thms) = + suffix = (Long_Name.explode global_name |> tl' |> tl' |> Long_Name.implode) + andalso eq_list (Thm.equiv_thm (Proof_Context.theory_of ctxt)) (thms, global_thms) in - case Long_Name.dest_local name of NONE => (name, thms) | SOME suf => - (case (find_first (matches suf) (all_facts_of ctxt)) of - SOME x => x - | NONE => raise Fail ("Couldn't find global equivalent of local fact: " ^ nm)) + case Long_Name.dest_local name of + NONE => (name, thms) + | SOME suffix => + (case (find_first (matches suffix) (all_facts_of ctxt)) of + SOME x => x + | NONE => raise Fail ("Couldn't find global equivalent of local fact: " ^ nm)) end -fun syntax_alias global_alias local_alias b (name : string) = - Local_Theory.declaration {syntax = false, pos = Position.none, pervasive = true} (fn phi => - let val b' = Morphism.binding phi b - 
in Context.mapping (global_alias b' name) (local_alias b' name) end); +val alias = Parse.reserved "aliasing" >> K true +val alias_default = false -val alias_fact = syntax_alias Global_Theory.alias_fact Proof_Context.alias_fact; -val const_alias = syntax_alias Sign.const_alias Proof_Context.const_alias; -val type_alias = syntax_alias Sign.type_alias Proof_Context.type_alias; +(* (aliasing) only *) +val generic_options = Scan.optional (Args.parens alias >> (fn x => (x, ""))) (alias_default, "") -in +(* e.g. ARM, ARM_A, ARM_H *) +val arch_suffix = ((Parse.reserved "A" || Parse.reserved "H") >> (fn s => "_" ^ s)) +fun arch_prefix suffix = getenv_strict "L4V_ARCH" ^ suffix -fun gen_requalify get_proper_nm parse_nm check_nm alias = - (Parse.opt_target -- Scan.repeat1 (Parse.position (Scan.ahead parse_nm -- Parse.name)) - >> (fn (target,bs) => - Toplevel.local_theory NONE target (fn lthy => - let +(* ([aliasing][,] [A|H]) in that order *) +val arch_options = + Scan.optional ( + Args.parens ( + (alias --| Parse.$$$ "," -- arch_suffix) + || (alias >> (fn x => (x, ""))) + || (arch_suffix >> (fn x => (alias_default, x))) + )) (alias_default, "") - fun read_entry ((entry, t), pos) lthy = - let - val local_nm = get_proper_nm lthy t; - val _ = check_nm lthy (entry, (local_nm, pos)); - val b = Binding.make (Long_Name.base_name t, pos) +val arch_global_opts = Scan.optional (Args.parens arch_suffix) "" - val lthy' = lthy - |> alias b local_nm - - in lthy' end +in - in fold read_entry bs lthy end))) +fun gen_requalify get_proper_nm parse_nm check_parsed_nm alias_fn arch = +let + val options = if arch then arch_options else generic_options +in + (Parse.opt_target -- options -- Scan.repeat1 (Parse.position (Scan.ahead parse_nm -- Parse.name)) + >> (fn ((target, (aliasing, arch_suffix)), names) => + Toplevel.local_theory NONE target (fn lthy => + let + val global_ctxt = Proof_Context.theory_of lthy |> Proof_Context.init_global + + fun requalify_entry ((entry, orig_name), pos) lthy = + 
let + val name = if arch then arch_prefix arch_suffix ^ "." ^ orig_name else orig_name + val local_name = get_proper_nm lthy name; + val _ = check_parsed_nm lthy (entry, (local_name, pos)); + + (* Check whether the short (base) name is already available in theory context if no + locale target is supplied and the "aliasing" option is not supplied. + Note: currently no name collision warning when exporting into locale *) + val base_name = Long_Name.base_name name; + val global_base = try (get_proper_nm global_ctxt) (Long_Name.base_name name); + val _ = (case (global_base, target, aliasing) of + (SOME _, NONE, false) => warning ("Name \"" ^ base_name + ^ "\" already exists in theory context") + | _ => ()) + + val b = Binding.make (base_name, pos) + val lthy' = lthy |> alias_fn b local_name + in lthy' end + in fold requalify_entry names lthy end))) +end local 
@@ -84,34 +134,341 @@ val get_const_nm = ((fst o dest_Const) oo (Proof_Context.read_const {proper = tr val get_type_nm = ((fst o dest_Type) oo (Proof_Context.read_type_name {proper = true, strict = false})) val get_fact_nm = (fst oo global_fact) +(* For a theorem name, we want to additionally make sure that global fact names found by + global_fact are accessible in the current context. *) fun check_fact lthy (_, (nm, pos)) = Proof_Context.get_fact lthy (Facts.Named ((nm,pos), NONE)) in val _ = Outer_Syntax.command @{command_keyword requalify_consts} "alias const with current naming" - (gen_requalify get_const_nm Parse.const (fn lthy => fn (e, _) => get_const_nm lthy e) const_alias) + (gen_requalify get_const_nm Parse.const (fn lthy => fn (e, _) => get_const_nm lthy e) const_alias + false) val _ = Outer_Syntax.command @{command_keyword requalify_types} "alias type with current naming" - (gen_requalify get_type_nm Parse.typ (fn lthy => fn (e, _) => get_type_nm lthy e) type_alias) + (gen_requalify get_type_nm Parse.typ (fn lthy => fn (e, _) => get_type_nm lthy e) type_alias + false) val _ = Outer_Syntax.command @{command_keyword requalify_facts} "alias fact with current naming" - (gen_requalify get_fact_nm Parse.thm check_fact alias_fact) + (gen_requalify get_fact_nm Parse.thm check_fact alias_fact false) val _ = Outer_Syntax.command @{command_keyword global_naming} "change global naming of context block" (Parse.binding >> (fn naming => Toplevel.local_theory NONE NONE - (Local_Theory.map_background_naming (Name_Space.parent_path #> Name_Space.qualified_path true naming)))) + (Local_Theory.map_background_naming (Name_Space.parent_path + #> Name_Space.qualified_path true naming)))) + +(* Arch variants use the L4V_ARCH variable and an additional A/H option, so that when L4V_ARCH=ARM + "arch_requalify_consts (H) const" becomes "requalify_consts ARM_H.const" + This allows them to be used in a architecture-generic theory. 
+ + For consts and types, we don't perform extra checking on the results of Parse.const and Parse.typ + because their "strings" contain embedded syntax, which means prepending a normal string to them + causes malformed syntax and YXML exceptions. It shouldn't matter, we are looking up the name and + checking it's a constant/type anyway. *) + +val _ = + Outer_Syntax.command @{command_keyword arch_requalify_consts} + "alias const with current naming, but prepend \"($L4V_ARCH)_[A|H].\" using env. variable" + (gen_requalify get_const_nm Parse.const (fn _ => fn (_, _) => ()) const_alias + true) + +val _ = + Outer_Syntax.command @{command_keyword arch_requalify_types} + "alias type with current naming, but prepend \"($L4V_ARCH)_[A|H].\" using env. variable" + (gen_requalify get_type_nm Parse.typ (fn _ => fn (_, _) => ()) type_alias + true) + +val _ = + Outer_Syntax.command @{command_keyword arch_requalify_facts} + "alias fact with current naming, but prepend \"($L4V_ARCH)_[A|H].\" using env. variable" + (gen_requalify get_fact_nm Parse.thm check_fact alias_fact true) + +val _ = + Outer_Syntax.command @{command_keyword arch_global_naming} + "change global naming of context block to \"($L4V_ARCH)_[A|H]\" using env. 
variable" + (arch_global_opts >> (fn arch_suffix => + Toplevel.local_theory NONE NONE + (Local_Theory.map_background_naming + (Name_Space.parent_path + #> Name_Space.qualified_path true (Binding.make (arch_prefix arch_suffix, @{here})))))) end end \ -(*Tests and examples *) +section \Tests and examples\ + +subsection \Generic\ + +subsubsection \Exporting types, constants and facts from a locale into the theory context\ + +locale Requalify_Example1 + +context Requalify_Example1 begin +typedecl ex1_type +definition "ex1_const \ undefined :: ex1_type" +end + +(* these will all generate errors: +typ ex1_type +term "ex1_const :: ex1_type" +thm ex1_const_def +*) + +typ Requalify_Example1.ex1_type +term "Requalify_Example1.ex1_const :: Requalify_Example1.ex1_type" +thm Requalify_Example1.ex1_const_def + +(* exporting will make types/consts/facts available *) + +requalify_types Requalify_Example1.ex1_type +typ ex1_type + +requalify_consts Requalify_Example1.ex1_const +term "ex1_const :: ex1_type" + +requalify_facts Requalify_Example1.ex1_const_def +thm ex1_const_def + +(* trying to export into theory context that already has that name will result in warnings *) +requalify_types Requalify_Example1.ex1_type +requalify_consts Requalify_Example1.ex1_const +requalify_facts Requalify_Example1.ex1_const_def + +(* warnings can be suppressed if naming collision is on purpose, but see caveats in next sections *) +requalify_types (aliasing) Requalify_Example1.ex1_type +requalify_consts (aliasing) Requalify_Example1.ex1_const +requalify_facts (aliasing) Requalify_Example1.ex1_const_def + +(* requalification can also occur via interpretation, using internal names, but this is slower *) +context begin interpretation Requalify_Example1 . 
+requalify_types ex1_type +requalify_consts ex1_const +requalify_facts ex1_const_def +end + + +subsubsection \Exporting types, constants and facts from a locale into a locale context\ + +locale Requalify_Example2 + +(* the target of the export can be a locale (this mode cannot be used from an interpretation) *) + +requalify_types (in Requalify_Example2) Requalify_Example1.ex1_type +requalify_consts (in Requalify_Example2) Requalify_Example1.ex1_const +requalify_facts (in Requalify_Example2) Requalify_Example1.ex1_const_def + +(* this is equivalent to doing the requalifications in the locale context *) +context Requalify_Example2 begin +requalify_types (in Requalify_Example2) Requalify_Example1.ex1_type +requalify_consts (in Requalify_Example2) Requalify_Example1.ex1_const +requalify_facts (in Requalify_Example2) Requalify_Example1.ex1_const_def +end + +typ Requalify_Example2.ex1_type +term "Requalify_Example2.ex1_const :: Requalify_Example2.ex1_type" +thm Requalify_Example2.ex1_const_def + +(* unfortunately, there is currently no warning on name collisions into locales *) +requalify_types (in Requalify_Example2) Requalify_Example1.ex1_type (* no warning *) +requalify_consts (in Requalify_Example2) Requalify_Example1.ex1_const (* no warning *) +requalify_facts (in Requalify_Example2) Requalify_Example1.ex1_const_def (* no warning *) + + +subsubsection \Using global naming to ensure a name prefix within a locale\ + +locale Requalify_Example_G + +context Requalify_Example_G begin global_naming EXAMPLE1 +typedecl ex_g_type +definition "ex_g_const \ undefined :: ex_g_type" +end + +(* note the prefixed names in the global context *) +typ EXAMPLE1.ex_g_type +term "EXAMPLE1.ex_g_const :: EXAMPLE1.ex_g_type" +thm EXAMPLE1.ex_g_const_def + +(* the locale names will not work, these will all generate errors: +typ Requalify_Example_G.ex_g_type +term "Requalify_Example_G.ex_g_const :: Requalify_Example_G.ex_g_type" +thm Requalify_Example_G.ex_g_const_def +*) + +(* Looking up the 
local unprefixed name inside the locale will work as expected *) +context Requalify_Example_G begin +thm ex_g_const_def +end + +(* using the new name, we can export as usual: *) +requalify_types EXAMPLE1.ex_g_type +requalify_consts EXAMPLE1.ex_g_const +requalify_facts EXAMPLE1.ex_g_const_def + +(* inside a locale interpretation, the names can be accessed without a prefix *) +context begin interpretation Requalify_Example_G . +requalify_types ex_g_type +requalify_consts ex_g_const +requalify_facts ex_g_const_def +end + +(* We can also re-export the name to the same locale in order to make an un-prefixed alias *) +requalify_types (in Requalify_Example_G) EXAMPLE1.ex_g_type +requalify_consts (in Requalify_Example_G) EXAMPLE1.ex_g_const +requalify_facts (in Requalify_Example_G) EXAMPLE1.ex_g_const_def + +(* This makes the names available via the locale name as well *) +typ Requalify_Example_G.ex_g_type +term "Requalify_Example_G.ex_g_const :: Requalify_Example_G.ex_g_type" +thm Requalify_Example_G.ex_g_const_def + + +subsubsection \Managing collisions and global naming\ + +(* In previous sections we generated collisions by repeatedly exporting the same thing. + Generally, exporting the same name from a locale into the global context is not advised, + as it will only cause confusion. + + However, a more realistic example is when global_naming is involved. Let's say we have a + Fake_Arch locale that's supposed to hide some architecture-specific details, and a name + prefix of FAKE_BOARD for a specific architecture. It makes more sense with constants and types, + but those are harder to tell apart in a demo. 
+*) + +lemma requalify_collision: + "False = False" + by simp + +locale Fake_Arch + +context Fake_Arch begin global_naming FAKE_BOARD +lemma requalify_collision: + "True = True" + by simp +end + +(* If we access the name, we get what we expect: *) +thm requalify_collision (* False = False *) + +(* Exporting requalify_collision to the theory context would now be ill-advised, as it would + make the global name inconvenient to access. What makes more sense is to export it such + that we can access the architecture specific name under Fake_Arch (and not talk about the + specific board), while maintaining access to the global name. Let's try: *) + +requalify_facts (in Fake_Arch) FAKE_BOARD.requalify_collision + +(* global context: good *) +thm requalify_collision (* False = False *) +thm Fake_Arch.requalify_collision (* True = True *) + +(* context post-interpretation: we don't have convenient access to the global name anymore *) +context begin interpretation Fake_Arch . +thm requalify_collision (* True = True *) +thm Fake_Arch.requalify_collision (* True = True *) +end + +(* This is because whatever name was last interpreted takes precedence. If we want to fix this, we + need to re-export the global name *from* the Fake_Arch locale. + By convention we also give it a "global." prefix: *) +context Fake_Arch begin + context begin global_naming global + requalify_facts (aliasing) Requalify.requalify_collision + end +end + +(* After this convolution, the names are now consistently available: *) + +(* globally *) +thm requalify_collision (* False = False *) +thm global.requalify_collision (* False = False *) +thm Fake_Arch.requalify_collision (* True = True *) + +(* when interpreted *) +context begin interpretation Fake_Arch . 
+thm requalify_collision (* False = False *) +thm global.requalify_collision (* False = False *) +thm Fake_Arch.requalify_collision (* True = True *) +end + +(* and in the locale context *) +context Fake_Arch begin +thm requalify_collision (* False = False *) +thm global.requalify_collision (* False = False *) +thm Fake_Arch.requalify_collision (* True = True *) +end + + +subsection \Architecture-specific (requires L4V_ARCH environment variable set to work)\ + +(* The above documentation and examples attempted to be somewhat generic. In the seL4 verification + repository, we have a specific setup: + + * A number of architectures (e.g. ARM, ARM_HYP, RISCV64, X64, AARCH64) parametrised by the + L4V_ARCH environment variable. + * An Arch locale for containing architecture-specific definitions, types and proofs, wherein + global naming wraps the architecture as follows: + * ($L4V_ARCH)_A for the Abstract spec (e.g. ARM_A) + * ($L4V_ARCH)_H for the Haskell spec (e.g. ARM_H) + * as per L4V_ARCH for everything else (e.g. ARM) (though other namespaces may appear in future) + + The arch_requalify and arch_global_naming variants lean on this, by being able to generically + say something about a requirement each specific architecture needs to fulfill. 
+*) + +context Fake_Arch begin + arch_global_naming (* equivalent to "global_naming ARM" on ARM *) + typedecl arch_specific_type + definition "arch_specific_const \ undefined :: arch_specific_type" + lemma arch_specific_lemma: "arch_specific_const = arch_specific_const" by simp + + arch_global_naming (A) (* equivalent to "global_naming ARM_A" on ARM *) + definition "arch_specific_const_a \ undefined :: arch_specific_type" + + arch_global_naming (H) (* equivalent to "global_naming ARM_A" on ARM *) + definition "arch_specific_const_h \ undefined :: arch_specific_type" +end + +(* confirm these are the ARM, ARM_A, and ARM_H prefixes respectively: *) +find_theorems name:arch_specific_const + +(* we requalify these prefixed constants without knowing what arch we are on: *) +arch_requalify_types arch_specific_type +arch_requalify_consts arch_specific_const +arch_requalify_facts arch_specific_lemma +arch_requalify_consts (A) arch_specific_const_a +arch_requalify_consts (H) arch_specific_const_h +arch_requalify_consts (H) arch_specific_const_h (* warnings work as usual *) +arch_requalify_consts (aliasing, H) arch_specific_const_h (* warnings suppression *) + +(* this has placed all names into the global context *) +typ arch_specific_type +thm arch_specific_lemma +term "arch_specific_const :: arch_specific_type" +term "arch_specific_const_a :: arch_specific_type" +term "arch_specific_const_h :: arch_specific_type" + +(* If we wish to create a generic name that does not compete with a global name, we need to export + into the Arch locale, then fix up the interpretation order of any collisions as described in + "Managing collisions and global naming" *) +arch_requalify_consts (in Fake_Arch) (A) arch_specific_const_a + +(* this now works *) +term Fake_Arch.arch_specific_const_a + +(* FIXME: this is dumping a bit much into the global context, might best be moved to a test file. + Moving to a test file would also allow us to use Arch locale for Arch examples. 
*) + +section "WUT" +(* FIXME: what do I do with these? I understand what they do, but they aren't conducive to + understanding anything. *) + +(* Extra Tests and examples *) + locale Requalify_Locale begin @@ -221,5 +578,4 @@ lemma "(requalify_const2 :: requalify_type2) = undefined" end - end From e1ff4641999be686e9a2dfe9b71b75ee854125f0 Mon Sep 17 00:00:00 2001 From: Rafal Kolanski Date: Tue, 9 Jul 2024 21:28:28 +1000 Subject: [PATCH 3/9] docs: arch-split: requalifying into Arch locale Also document that requalify commands will issue warnings. Signed-off-by: Rafal Kolanski --- docs/arch-split.md | 40 +++++++++++++++++++++++++++++++++++++++- 1 file changed, 39 insertions(+), 1 deletion(-) diff --git a/docs/arch-split.md b/docs/arch-split.md index 39705dd083..70331aeb85 100644 --- a/docs/arch-split.md +++ b/docs/arch-split.md @@ -220,6 +220,10 @@ done for any type, constant or fact: type, constant or fact, so that the unqualified name unambiguously denotes the architecture-specific concept for the current architecture. +Note: the `requalify_*` commands will warn when the unqualified name is already +available in the global context (see: Dealing with name clashes). To suppress +this warning, pass `(aliasing)` as the first parameter. + We do this in a generic theory: - `l4v/proof/invariant-abstract/ADT_AI.thy` 
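Review bot: The example comment on the `arch_global_naming (H)` line in the "Architecture-specific" test subsection reads `(* equivalent to "global_naming ARM_A" on ARM *)`, but by the definition of `arch_suffix` earlier in this file the `(H)` option yields the `_H` suffix, so it should read `(* equivalent to "global_naming ARM_H" on ARM *)`. The `(A)` line two lines above already carries the correct `ARM_A` text, so this looks like a copy-paste slip in the commentary rather than a behavioural issue; the `find_theorems name:arch_specific_const` check that follows will still show the `_H` prefix. If these examples are later relocated to a separate test theory, the corrected wording should presumably travel with them.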
@@ -298,6 +302,40 @@ This disparity will only get worse as the Arch context grows bigger, and might indicate the need for some alternative functionality. +### Requalifying into the Arch locale + +The `requalify` commands support a target parameter, e.g. + +```isabelle +requalify_facts (in Arch) user_mem_dom_cong +``` + +Which prevents exporting the name into the global theory context, exporting it +under `Arch.` instead: + +```isabelle +thm user_mem_dom_cong (* ERROR *) +thm ARM.user_mem_dom_cong (* ok *) +thm Arch.user_mem_dom_cong (* ok *) +``` + +This functionality can be useful when we want to give an architecture-specific +constant/type/fact a generic name, but not mix it with generic namespace (see +also Dealing with name clashes, as this affects lookup order inside +interpretations). + +One can target any locale in this fashion, although the usefulness to arch-split +is then decreased, since short names might not be visible past a naming prefix: + +```isabelle +requalify_facts (in Some_Locale) ARM.user_mem_dom_cong + +thm user_mem_dom_cong (* ERROR *) +thm ARM.user_mem_dom_cong (* ok *) +thm Some_Locale.user_mem_dom_cong (* ok *) +``` + + ### Dealing with name clashes Things are a bit more complicated when a generic theory needs to refer to an @@ -327,7 +365,7 @@ term deriveCap (* In the Arch context, this is the deriveCap funct term RetypeDecls_H.deriveCap (* This is the arch-generic deriveCap function. *) (* The following makes Arch.deriveCap refer to the architecture-specific constant. *) -requalify_consts deriveCap +requalify_consts deriveCap (* Warning: Name "deriveCap" already exists in theory context *) (* Unfortunately, the above also means that in a context in which Arch is interpreted, `deriveCap` unqualified would refer to the arch-specific constant, which may break existing proofs. From 705a73b6dc063ab032d11f68ac5db019dc0d4cdb Mon Sep 17 00:00:00 2001 
From: Rafal Kolanski Date: Thu, 11 Jul 2024 19:25:54 +1000 Subject: [PATCH 4/9] lib: migrate Requalify tests into test/ Stops namespace pollution, allows us to use Arch locale as example. Signed-off-by: Rafal Kolanski --- lib/ROOT | 1 + lib/Requalify.thy | 380 +---------------------------------- lib/test/Requalify_Test.thy | 382 ++++++++++++++++++++++++++++++++++++ 3 files changed, 386 insertions(+), 377 deletions(-) create mode 100644 lib/test/Requalify_Test.thy diff --git a/lib/ROOT b/lib/ROOT index 10c3726175..84a5431195 100644 --- a/lib/ROOT +++ b/lib/ROOT @@ -127,6 +127,7 @@ session LibTest (lib) in test = Refine + Named_Eta_Test Rules_Tac_Test MonadicRewrite_Test + Requalify_Test (* use virtual memory function as an example, only makes sense on ARM: *) theories [condition = "L4V_ARCH_IS_ARM"] CorresK_Test diff --git a/lib/Requalify.thy b/lib/Requalify.thy index 01e71af48e..84dffdc8b5 100644 --- a/lib/Requalify.thy +++ b/lib/Requalify.thy @@ -8,8 +8,11 @@ (* Requalify constants, types and facts into the current naming. Includes command variants that support implicitly using the L4V_ARCH environment variable. + *) +text \See theory @{text "test/Requalify_Test.thy"} for commented examples and usage scenarios.\ + theory Requalify imports Main keywords "requalify_facts" :: thy_decl 
@@ -201,381 +204,4 @@ end end \ -section \Tests and examples\ - -subsection \Generic\ - -subsubsection \Exporting types, constants and facts from a locale into the theory context\ - -locale Requalify_Example1 - -context Requalify_Example1 begin -typedecl ex1_type -definition "ex1_const \ undefined :: ex1_type" -end - -(* these will all generate errors: -typ ex1_type -term "ex1_const :: ex1_type" -thm ex1_const_def -*) - -typ Requalify_Example1.ex1_type -term "Requalify_Example1.ex1_const :: Requalify_Example1.ex1_type" -thm Requalify_Example1.ex1_const_def - -(* exporting will make types/consts/facts available *) - -requalify_types Requalify_Example1.ex1_type -typ ex1_type - -requalify_consts Requalify_Example1.ex1_const -term "ex1_const :: ex1_type" - -requalify_facts Requalify_Example1.ex1_const_def -thm ex1_const_def - -(* trying to export into theory context that already has that name will result in warnings *) -requalify_types Requalify_Example1.ex1_type -requalify_consts Requalify_Example1.ex1_const -requalify_facts Requalify_Example1.ex1_const_def - -(* warnings can be suppressed if naming collision is on purpose, but see caveats in next sections *) -requalify_types (aliasing) Requalify_Example1.ex1_type -requalify_consts (aliasing) Requalify_Example1.ex1_const -requalify_facts (aliasing) Requalify_Example1.ex1_const_def - -(* requalification can also occur via interpretation, using internal names, but this is slower *) -context begin interpretation Requalify_Example1 . 
-requalify_types ex1_type -requalify_consts ex1_const -requalify_facts ex1_const_def -end - - -subsubsection \Exporting types, constants and facts from a locale into a locale context\ - -locale Requalify_Example2 - -(* the target of the export can be a locale (this mode cannot be used from an interpretation) *) - -requalify_types (in Requalify_Example2) Requalify_Example1.ex1_type -requalify_consts (in Requalify_Example2) Requalify_Example1.ex1_const -requalify_facts (in Requalify_Example2) Requalify_Example1.ex1_const_def - -(* this is equivalent to doing the requalifications in the locale context *) -context Requalify_Example2 begin -requalify_types (in Requalify_Example2) Requalify_Example1.ex1_type -requalify_consts (in Requalify_Example2) Requalify_Example1.ex1_const -requalify_facts (in Requalify_Example2) Requalify_Example1.ex1_const_def -end - -typ Requalify_Example2.ex1_type -term "Requalify_Example2.ex1_const :: Requalify_Example2.ex1_type" -thm Requalify_Example2.ex1_const_def - -(* unfortunately, there is currently no warning on name collisions into locales *) -requalify_types (in Requalify_Example2) Requalify_Example1.ex1_type (* no warning *) -requalify_consts (in Requalify_Example2) Requalify_Example1.ex1_const (* no warning *) -requalify_facts (in Requalify_Example2) Requalify_Example1.ex1_const_def (* no warning *) - - -subsubsection \Using global naming to ensure a name prefix within a locale\ - -locale Requalify_Example_G - -context Requalify_Example_G begin global_naming EXAMPLE1 -typedecl ex_g_type -definition "ex_g_const \ undefined :: ex_g_type" -end - -(* note the prefixed names in the global context *) -typ EXAMPLE1.ex_g_type -term "EXAMPLE1.ex_g_const :: EXAMPLE1.ex_g_type" -thm EXAMPLE1.ex_g_const_def - -(* the locale names will not work, these will all generate errors: -typ Requalify_Example_G.ex_g_type -term "Requalify_Example_G.ex_g_const :: Requalify_Example_G.ex_g_type" -thm Requalify_Example_G.ex_g_const_def -*) - -(* Looking up the 
local unprefixed name inside the locale will work as expected *) -context Requalify_Example_G begin -thm ex_g_const_def -end - -(* using the new name, we can export as usual: *) -requalify_types EXAMPLE1.ex_g_type -requalify_consts EXAMPLE1.ex_g_const -requalify_facts EXAMPLE1.ex_g_const_def - -(* inside a locale interpretation, the names can be accessed without a prefix *) -context begin interpretation Requalify_Example_G . -requalify_types ex_g_type -requalify_consts ex_g_const -requalify_facts ex_g_const_def -end - -(* We can also re-export the name to the same locale in order to make an un-prefixed alias *) -requalify_types (in Requalify_Example_G) EXAMPLE1.ex_g_type -requalify_consts (in Requalify_Example_G) EXAMPLE1.ex_g_const -requalify_facts (in Requalify_Example_G) EXAMPLE1.ex_g_const_def - -(* This makes the names available via the locale name as well *) -typ Requalify_Example_G.ex_g_type -term "Requalify_Example_G.ex_g_const :: Requalify_Example_G.ex_g_type" -thm Requalify_Example_G.ex_g_const_def - - -subsubsection \Managing collisions and global naming\ - -(* In previous sections we generated collisions by repeatedly exporting the same thing. - Generally, exporting the same name from a locale into the global context is not advised, - as it will only cause confusion. - - However, a more realistic example is when global_naming is involved. Let's say we have a - Fake_Arch locale that's supposed to hide some architecture-specific details, and a name - prefix of FAKE_BOARD for a specific architecture. It makes more sense with constants and types, - but those are harder to tell apart in a demo. 
-*) - -lemma requalify_collision: - "False = False" - by simp - -locale Fake_Arch - -context Fake_Arch begin global_naming FAKE_BOARD -lemma requalify_collision: - "True = True" - by simp -end - -(* If we access the name, we get what we expect: *) -thm requalify_collision (* False = False *) - -(* Exporting requalify_collision to the theory context would now be ill-advised, as it would - make the global name inconvenient to access. What makes more sense is to export it such - that we can access the architecture specific name under Fake_Arch (and not talk about the - specific board), while maintaining access to the global name. Let's try: *) - -requalify_facts (in Fake_Arch) FAKE_BOARD.requalify_collision - -(* global context: good *) -thm requalify_collision (* False = False *) -thm Fake_Arch.requalify_collision (* True = True *) - -(* context post-interpretation: we don't have convenient access to the global name anymore *) -context begin interpretation Fake_Arch . -thm requalify_collision (* True = True *) -thm Fake_Arch.requalify_collision (* True = True *) -end - -(* This is because whatever name was last interpreted takes precedence. If we want to fix this, we - need to re-export the global name *from* the Fake_Arch locale. - By convention we also give it a "global." prefix: *) -context Fake_Arch begin - context begin global_naming global - requalify_facts (aliasing) Requalify.requalify_collision - end -end - -(* After this convolution, the names are now consistently available: *) - -(* globally *) -thm requalify_collision (* False = False *) -thm global.requalify_collision (* False = False *) -thm Fake_Arch.requalify_collision (* True = True *) - -(* when interpreted *) -context begin interpretation Fake_Arch . 
-thm requalify_collision (* False = False *) -thm global.requalify_collision (* False = False *) -thm Fake_Arch.requalify_collision (* True = True *) -end - -(* and in the locale context *) -context Fake_Arch begin -thm requalify_collision (* False = False *) -thm global.requalify_collision (* False = False *) -thm Fake_Arch.requalify_collision (* True = True *) -end - - -subsection \Architecture-specific (requires L4V_ARCH environment variable set to work)\ - -(* The above documentation and examples attempted to be somewhat generic. In the seL4 verification - repository, we have a specific setup: - - * A number of architectures (e.g. ARM, ARM_HYP, RISCV64, X64, AARCH64) parametrised by the - L4V_ARCH environment variable. - * An Arch locale for containing architecture-specific definitions, types and proofs, wherein - global naming wraps the architecture as follows: - * ($L4V_ARCH)_A for the Abstract spec (e.g. ARM_A) - * ($L4V_ARCH)_H for the Haskell spec (e.g. ARM_H) - * as per L4V_ARCH for everything else (e.g. ARM) (though other namespaces may appear in future) - - The arch_requalify and arch_global_naming variants lean on this, by being able to generically - say something about a requirement each specific architecture needs to fulfill. 
-*) - -context Fake_Arch begin - arch_global_naming (* equivalent to "global_naming ARM" on ARM *) - typedecl arch_specific_type - definition "arch_specific_const \ undefined :: arch_specific_type" - lemma arch_specific_lemma: "arch_specific_const = arch_specific_const" by simp - - arch_global_naming (A) (* equivalent to "global_naming ARM_A" on ARM *) - definition "arch_specific_const_a \ undefined :: arch_specific_type" - - arch_global_naming (H) (* equivalent to "global_naming ARM_A" on ARM *) - definition "arch_specific_const_h \ undefined :: arch_specific_type" -end - -(* confirm these are the ARM, ARM_A, and ARM_H prefixes respectively: *) -find_theorems name:arch_specific_const - -(* we requalify these prefixed constants without knowing what arch we are on: *) -arch_requalify_types arch_specific_type -arch_requalify_consts arch_specific_const -arch_requalify_facts arch_specific_lemma -arch_requalify_consts (A) arch_specific_const_a -arch_requalify_consts (H) arch_specific_const_h -arch_requalify_consts (H) arch_specific_const_h (* warnings work as usual *) -arch_requalify_consts (aliasing, H) arch_specific_const_h (* warnings suppression *) - -(* this has placed all names into the global context *) -typ arch_specific_type -thm arch_specific_lemma -term "arch_specific_const :: arch_specific_type" -term "arch_specific_const_a :: arch_specific_type" -term "arch_specific_const_h :: arch_specific_type" - -(* If we wish to create a generic name that does not compete with a global name, we need to export - into the Arch locale, then fix up the interpretation order of any collisions as described in - "Managing collisions and global naming" *) -arch_requalify_consts (in Fake_Arch) (A) arch_specific_const_a - -(* this now works *) -term Fake_Arch.arch_specific_const_a - -(* FIXME: this is dumping a bit much into the global context, might best be moved to a test file. - Moving to a test file would also allow us to use Arch locale for Arch examples. 
*) - -section "WUT" -(* FIXME: what do I do with these? I understand what they do, but they aren't conducive to - understanding anything. *) - -(* Extra Tests and examples *) - - -locale Requalify_Locale -begin - -typedecl requalify_type - -definition "requalify_const == (undefined :: requalify_type)" - - -end - -typedecl requalify_type -definition "requalify_const == (undefined :: requalify_type)" - -context Requalify_Locale begin global_naming Requalify_Locale2 - -requalify_consts requalify_const -requalify_types requalify_type -requalify_facts requalify_const_def - -end - -term "requalify_const :: requalify_type" -term "Requalify_Locale2.requalify_const :: Requalify_Locale2.requalify_type" -lemma "Requalify_Locale2.requalify_const = (undefined :: Requalify_Locale2.requalify_type)" - by (simp add: Requalify_Locale2.requalify_const_def) - -consts requalify_test_f :: "'a \ 'b \ bool" - -lemma - assumes f1: "requalify_test_f requalify_const Requalify_Locale2.requalify_const" - and f2: "requalify_test_f Requalify_Locale2.requalify_const Requalify.requalify_const" - shows "requalify_test_f Requalify_Locale2.requalify_const requalify_const" "requalify_const = undefined" - apply (rule f1)? - apply (rule f2) - apply (simp add: requalify_const_def) - done - -context Requalify_Locale begin - -lemma - assumes f1: "requalify_test_f requalify_const Requalify_Locale2.requalify_const" - and f2: "requalify_test_f Requalify_Locale2.requalify_const Requalify.requalify_const" - shows "requalify_test_f Requalify_Locale2.requalify_const requalify_const" "requalify_const = undefined" - apply (rule f2)? 
- apply (rule f1) - apply (simp add: requalify_const_def) - done - -end - -context Requalify_Locale begin global_naming global - -requalify_consts Requalify.requalify_const -requalify_types Requalify.requalify_type -requalify_facts Requalify.requalify_const_def - -end - -context Requalify_Locale begin - -lemma - assumes f1: "requalify_test_f requalify_const Requalify_Locale2.requalify_const" - and f2: "requalify_test_f Requalify_Locale2.requalify_const global.requalify_const" - shows "requalify_test_f Requalify_Locale2.requalify_const requalify_const" "requalify_const = undefined" - apply (rule f1)? - apply (rule f2) - apply (simp add: requalify_const_def) - done -end - -context begin interpretation Requalify_Locale . - -lemma - assumes f1: "requalify_test_f requalify_const Requalify_Locale2.requalify_const" - and f2: "requalify_test_f Requalify_Locale2.requalify_const global.requalify_const" - shows "requalify_test_f Requalify_Locale2.requalify_const requalify_const" "requalify_const = undefined" - apply (rule f1)? - apply (rule f2) - apply (simp add: requalify_const_def) - done -end - -locale Requalify_Locale3 -begin - -typedecl requalify_type2 -definition "requalify_const2 == (undefined :: requalify_type2)" - -end - -context begin interpretation Requalify_Locale3 . - -requalify_consts requalify_const2 -requalify_types requalify_type2 -requalify_facts requalify_const2_def - -end - -lemma "(requalify_const2 :: requalify_type2) = undefined" - by (simp add: requalify_const2_def) - -context Requalify_Locale3 begin - -lemma "(requalify_const2 :: requalify_type2) = undefined" - by (simp add: requalify_const2_def) - -end - end diff --git a/lib/test/Requalify_Test.thy b/lib/test/Requalify_Test.thy new file mode 100644 index 0000000000..009eea83da --- /dev/null +++ b/lib/test/Requalify_Test.thy 
@@ -0,0 +1,382 @@
+(*
+ * Copyright 2024, Proofcraft Pty Ltd
+ * Copyright 2020, Data61, CSIRO (ABN 41 687 119 230)
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ *)
+
+theory Requalify_Test
+imports Lib.Requalify
+begin
+
+section \Tests and examples for requalify commands\
+
+subsection \Generic\
+
+subsubsection \Exporting types, constants and facts from a locale into the theory context\
+
+locale Requalify_Example1
+
+context Requalify_Example1 begin
+typedecl ex1_type
+definition "ex1_const \ undefined :: ex1_type"
+end
+
+(* these will all generate errors:
+typ ex1_type
+term "ex1_const :: ex1_type"
+thm ex1_const_def
+*)
+
+typ Requalify_Example1.ex1_type
+term "Requalify_Example1.ex1_const :: Requalify_Example1.ex1_type"
+thm Requalify_Example1.ex1_const_def
+
+(* exporting will make types/consts/facts available *)
+
+requalify_types Requalify_Example1.ex1_type
+typ ex1_type
+
+requalify_consts Requalify_Example1.ex1_const
+term "ex1_const :: ex1_type"
+
+requalify_facts Requalify_Example1.ex1_const_def
+thm ex1_const_def
+
+(* trying to export into theory context that already has that name will result in warnings *)
+requalify_types Requalify_Example1.ex1_type
+requalify_consts Requalify_Example1.ex1_const
+requalify_facts Requalify_Example1.ex1_const_def
+
+(* warnings can be suppressed if naming collision is on purpose, but see caveats in next sections *)
+requalify_types (aliasing) Requalify_Example1.ex1_type
+requalify_consts (aliasing) Requalify_Example1.ex1_const
+requalify_facts (aliasing) Requalify_Example1.ex1_const_def
+
+(* requalification can also occur via interpretation, using internal names, but this is slower *)
+context begin interpretation Requalify_Example1 .
+requalify_types ex1_type
+requalify_consts ex1_const
+requalify_facts ex1_const_def
+end
+
+
+subsubsection \Exporting types, constants and facts from a locale into a locale context\
+
+locale Requalify_Example2
+
+(* the target of the export can be a locale (this mode cannot be used from an interpretation) *)
+
+requalify_types (in Requalify_Example2) Requalify_Example1.ex1_type
+requalify_consts (in Requalify_Example2) Requalify_Example1.ex1_const
+requalify_facts (in Requalify_Example2) Requalify_Example1.ex1_const_def
+
+(* this is equivalent to doing the requalifications in the original locale context *)
+context Requalify_Example1 begin
+requalify_types (in Requalify_Example2) ex1_type
+requalify_consts (in Requalify_Example2) ex1_const
+requalify_facts (in Requalify_Example2) ex1_const_def
+end
+
+typ Requalify_Example2.ex1_type
+term "Requalify_Example2.ex1_const :: Requalify_Example2.ex1_type"
+thm Requalify_Example2.ex1_const_def
+
+(* unfortunately, there is currently no warning on name collisions into locales *)
+requalify_types (in Requalify_Example2) Requalify_Example1.ex1_type (* no warning *)
+requalify_consts (in Requalify_Example2) Requalify_Example1.ex1_const (* no warning *)
+requalify_facts (in Requalify_Example2) Requalify_Example1.ex1_const_def (* no warning *)
+
+
+subsubsection \Using global naming to ensure a name prefix within a locale\
+
+locale Requalify_Example_G
+
+context Requalify_Example_G begin global_naming EXAMPLE1
+typedecl ex_g_type
+definition "ex_g_const \ undefined :: ex_g_type"
+end
+
+(* note the prefixed names in the global context *)
+typ EXAMPLE1.ex_g_type
+term "EXAMPLE1.ex_g_const :: EXAMPLE1.ex_g_type"
+thm EXAMPLE1.ex_g_const_def
+
+(* the locale names will not work, these will all generate errors:
+typ Requalify_Example_G.ex_g_type
+term "Requalify_Example_G.ex_g_const :: Requalify_Example_G.ex_g_type"
+thm Requalify_Example_G.ex_g_const_def
+*)
+
+(* Looking up the local unprefixed name inside the locale will
work as expected *)
+context Requalify_Example_G begin
+thm ex_g_const_def
+end
+
+(* using the new name, we can export as usual: *)
+requalify_types EXAMPLE1.ex_g_type
+requalify_consts EXAMPLE1.ex_g_const
+requalify_facts EXAMPLE1.ex_g_const_def
+
+(* inside a locale interpretation, the names can be accessed without a prefix *)
+context begin interpretation Requalify_Example_G .
+requalify_types ex_g_type
+requalify_consts ex_g_const
+requalify_facts ex_g_const_def
+end
+
+(* We can also re-export the name to the same locale in order to make an un-prefixed alias *)
+requalify_types (in Requalify_Example_G) EXAMPLE1.ex_g_type
+requalify_consts (in Requalify_Example_G) EXAMPLE1.ex_g_const
+requalify_facts (in Requalify_Example_G) EXAMPLE1.ex_g_const_def
+
+(* This makes the names available via the locale name as well *)
+typ Requalify_Example_G.ex_g_type
+term "Requalify_Example_G.ex_g_const :: Requalify_Example_G.ex_g_type"
+thm Requalify_Example_G.ex_g_const_def
+
+
+subsubsection \Managing collisions and global naming\
+
+(* In previous sections we generated collisions by repeatedly exporting the same thing.
+ Generally, exporting the same name from a locale into the global context is not advised,
+ as it will only cause confusion.
+
+ However, a more realistic example is when global_naming is involved. Let's say we have a
+ Arch locale that's supposed to hide some architecture-specific details, and a name
+ prefix of BOARD for a specific architecture. It makes more sense with constants and types,
+ but those are harder to tell apart in a demo.
+*)
+
+lemma requalify_collision:
+ "False = False"
+ by simp
+
+locale Arch
+
+context Arch begin global_naming BOARD
+lemma requalify_collision:
+ "True = True"
+ by simp
+end
+
+(* If we access the name, we get what we expect: *)
+thm requalify_collision (* False = False *)
+
+(* Exporting requalify_collision to the theory context would now be ill-advised, as it would
+ make the global name inconvenient to access.
What makes more sense is to export it such
+ that we can access the architecture specific name under Fake_Arch (and not talk about the
+ specific board), while maintaining access to the global name. Let's try: *)
+
+requalify_facts (in Arch) BOARD.requalify_collision
+
+(* global context: good *)
+thm requalify_collision (* False = False *)
+thm Arch.requalify_collision (* True = True *)
+
+(* context post-interpretation: we don't have convenient access to the global name anymore *)
+context begin interpretation Arch .
+thm requalify_collision (* True = True *)
+thm Arch.requalify_collision (* True = True *)
+end
+
+(* This is because whatever name was last interpreted takes precedence. If we want to fix this, we
+ need to re-export the global name *from* the Fake_Arch locale.
+ By convention we also give it a "global." prefix: *)
+context Arch begin
+ context begin global_naming global
+ requalify_facts (aliasing) Requalify_Test.requalify_collision
+ end
+end
+
+(* After this convolution, the names are now consistently available: *)
+
+(* globally *)
+thm requalify_collision (* False = False *)
+thm global.requalify_collision (* False = False *)
+thm Arch.requalify_collision (* True = True *)
+
+(* when interpreted *)
+context begin interpretation Arch .
+thm requalify_collision (* False = False *)
+thm global.requalify_collision (* False = False *)
+thm Arch.requalify_collision (* True = True *)
+end
+
+(* and in the locale context *)
+context Arch begin
+thm requalify_collision (* False = False *)
+thm global.requalify_collision (* False = False *)
+thm Arch.requalify_collision (* True = True *)
+end
+
+
+subsection \Architecture-specific (requires L4V_ARCH environment variable set to work)\
+
+(* The above documentation and examples attempted to be somewhat generic. In the seL4 verification
+ repository, we have a specific setup:
+
+ * A number of architectures (e.g. ARM, ARM_HYP, RISCV64, X64, AARCH64) parametrised by the
+ L4V_ARCH environment variable.
+ * An Arch locale for containing architecture-specific definitions, types and proofs, wherein
+ global naming wraps the architecture as follows:
+ * ($L4V_ARCH)_A for the Abstract spec (e.g. ARM_A)
+ * ($L4V_ARCH)_H for the Haskell spec (e.g. ARM_H)
+ * as per L4V_ARCH for everything else (e.g. ARM) (though other namespaces may appear in future)
+
+ The arch_requalify and arch_global_naming variants lean on this, by being able to generically
+ say something about a requirement each specific architecture needs to fulfill.
+*)
+
+context Arch begin
+ arch_global_naming (* equivalent to "global_naming ARM" on ARM *)
+ typedecl arch_specific_type
+ definition "arch_specific_const \ undefined :: arch_specific_type"
+ lemma arch_specific_lemma: "arch_specific_const = arch_specific_const" by simp
+
+ arch_global_naming (A) (* equivalent to "global_naming ARM_A" on ARM *)
+ definition "arch_specific_const_a \ undefined :: arch_specific_type"
+
+ arch_global_naming (H) (* equivalent to "global_naming ARM_A" on ARM *)
+ definition "arch_specific_const_h \ undefined :: arch_specific_type"
+end
+
+(* confirm these are the ARM, ARM_A, and ARM_H prefixes respectively: *)
+find_theorems name:arch_specific_const
+
+(* we requalify these prefixed constants without knowing what arch we are on: *)
+arch_requalify_types arch_specific_type
+arch_requalify_consts arch_specific_const
+arch_requalify_facts arch_specific_lemma
+arch_requalify_consts (A) arch_specific_const_a
+arch_requalify_consts (H) arch_specific_const_h
+arch_requalify_consts (H) arch_specific_const_h (* warnings work as usual *)
+arch_requalify_consts (aliasing, H) arch_specific_const_h (* warnings suppression *)
+
+(* this has placed all names into the global context *)
+typ arch_specific_type
+thm arch_specific_lemma
+term "arch_specific_const :: arch_specific_type"
+term "arch_specific_const_a :: arch_specific_type"
+term "arch_specific_const_h :: arch_specific_type"
+
+(* If we wish to create a generic name that
does not compete with a global name, we need to export
+ into the Arch locale, then fix up the interpretation order of any collisions as described in
+ "Managing collisions and global naming" *)
+arch_requalify_consts (in Arch) (A) arch_specific_const_a
+
+(* this now works *)
+term Arch.arch_specific_const_a
+
+
+section "Misc tests / usage examples"
+
+locale Requalify_Locale
+begin
+
+typedecl requalify_type
+
+definition "requalify_const == (undefined :: requalify_type)"
+
+
+end
+
+typedecl requalify_type
+definition "requalify_const == (undefined :: requalify_type)"
+
+context Requalify_Locale begin global_naming Requalify_Locale2
+
+requalify_consts requalify_const
+requalify_types requalify_type
+requalify_facts requalify_const_def
+
+end
+
+term "requalify_const :: requalify_type"
+term "Requalify_Locale2.requalify_const :: Requalify_Locale2.requalify_type"
+lemma "Requalify_Locale2.requalify_const = (undefined :: Requalify_Locale2.requalify_type)"
+ by (simp add: Requalify_Locale2.requalify_const_def)
+
+consts requalify_test_f :: "'a \ 'b \ bool"
+
+lemma
+ assumes f1: "requalify_test_f requalify_const Requalify_Locale2.requalify_const"
+ and f2: "requalify_test_f Requalify_Locale2.requalify_const Requalify_Test.requalify_const"
+ shows "requalify_test_f Requalify_Locale2.requalify_const requalify_const" "requalify_const = undefined"
+ apply (rule f1)?
+ apply (rule f2)
+ apply (simp add: requalify_const_def)
+ done
+
+context Requalify_Locale begin
+
+lemma
+ assumes f1: "requalify_test_f requalify_const Requalify_Locale2.requalify_const"
+ and f2: "requalify_test_f Requalify_Locale2.requalify_const Requalify_Test.requalify_const"
+ shows "requalify_test_f Requalify_Locale2.requalify_const requalify_const" "requalify_const = undefined"
+ apply (rule f2)?
+ apply (rule f1)
+ apply (simp add: requalify_const_def)
+ done
+
+end
+
+context Requalify_Locale begin global_naming global
+
+requalify_consts Requalify_Test.requalify_const
+requalify_types Requalify_Test.requalify_type
+requalify_facts Requalify_Test.requalify_const_def
+
+end
+
+context Requalify_Locale begin
+
+lemma
+ assumes f1: "requalify_test_f requalify_const Requalify_Locale2.requalify_const"
+ and f2: "requalify_test_f Requalify_Locale2.requalify_const global.requalify_const"
+ shows "requalify_test_f Requalify_Locale2.requalify_const requalify_const" "requalify_const = undefined"
+ apply (rule f1)?
+ apply (rule f2)
+ apply (simp add: requalify_const_def)
+ done
+end
+
+context begin interpretation Requalify_Locale .
+
+lemma
+ assumes f1: "requalify_test_f requalify_const Requalify_Locale2.requalify_const"
+ and f2: "requalify_test_f Requalify_Locale2.requalify_const global.requalify_const"
+ shows "requalify_test_f Requalify_Locale2.requalify_const requalify_const" "requalify_const = undefined"
+ apply (rule f1)?
+ apply (rule f2)
+ apply (simp add: requalify_const_def)
+ done
+end
+
+locale Requalify_Locale3
+begin
+
+typedecl requalify_type2
+definition "requalify_const2 == (undefined :: requalify_type2)"
+
+end
+
+context begin interpretation Requalify_Locale3 .
+
+requalify_consts requalify_const2
+requalify_types requalify_type2
+requalify_facts requalify_const2_def
+
+end
+
+lemma "(requalify_const2 :: requalify_type2) = undefined"
+ by (simp add: requalify_const2_def)
+
+context Requalify_Locale3 begin
+
+lemma "(requalify_const2 :: requalify_type2) = undefined"
+ by (simp add: requalify_const2_def)
+
+end
+
+end
From c248d3128745da6b81390bb4da23b0b9d61cc986 Mon Sep 17 00:00:00 2001
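Review bot: The comment on the third naming block inside `context Arch begin` says `(* equivalent to "global_naming ARM_A" on ARM *)` although that block uses `arch_global_naming (H)`; the `(A)` block directly above carries the same text, so this one should read `(* equivalent to "global_naming ARM_H" on ARM *)`. The "Managing collisions and global naming" prose refers twice to a `Fake_Arch` locale while the locale declared and used in that example is `Arch`, so the explanation and the code it explains disagree; and "we have a Arch locale" should be "an Arch locale". Since this theory is meant to double as documentation of the requalify commands, the names in the prose should match the names in the code.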
From: Rafal Kolanski Date: Thu, 11 Jul 2024 17:29:53 +1000 Subject: [PATCH 5/9] [wip] gen+aarch64 ainvs: deploy requalify infrastructure Temporarily only dealing with AARCH64; want feedback before applying to other arches. * global_naming AARCH64 -> arch_global_naming * try to get rid of `interpretation Arch .` (slow) in lieu of `(in Arch)` (faster) or proper requalifying (nearly instant) * get rid of requalifications that were already requalified, or were global (thanks to new warnings) TODO: some of these will turn out to be broken because they're not actually global/exported on other arches * put arch_global_naming on same line as `context Arch begin` * annotate requalifications in Arch theories that can be moved to generic * put FIXMEs on unusual global_naming practices
Signed-off-by: Rafal Kolanski --- .../invariant-abstract/AARCH64/ArchADT_AI.thy | 2 +- .../AARCH64/ArchAInvsPre.thy | 13 +++-- .../invariant-abstract/AARCH64/ArchAcc_AI.thy | 2 +- .../AARCH64/ArchArch_AI.thy | 14 ++--- .../AARCH64/ArchBCorres2_AI.thy | 4 +- .../AARCH64/ArchBCorres_AI.thy | 4 +- .../AARCH64/ArchBits_AI.thy | 2 +- .../AARCH64/ArchCNodeInv_AI.thy | 10 ++-- .../AARCH64/ArchCSpaceInvPre_AI.thy | 2 +- .../AARCH64/ArchCSpaceInv_AI.thy | 6 +-- .../AARCH64/ArchCSpacePre_AI.thy | 2 +- .../AARCH64/ArchCSpace_AI.thy | 13 ++--- .../AARCH64/ArchCrunchSetup_AI.thy | 2 +- .../AARCH64/ArchDetSchedAux_AI.thy | 2 +- .../AARCH64/ArchDetSchedDomainTime_AI.thy | 4 +- .../AARCH64/ArchDetSchedSchedule_AI.thy | 4 +- .../AARCH64/ArchDeterministic_AI.thy | 4 +- .../AARCH64/ArchDetype_AI.thy | 10 ++-- .../AARCH64/ArchEmptyFail_AI.thy | 10 ++-- .../AARCH64/ArchFinalise_AI.thy | 18 +++---- .../AARCH64/ArchInterruptAcc_AI.thy | 2 +- .../AARCH64/ArchInterrupt_AI.thy | 2 +- .../AARCH64/ArchInvariants_AI.thy | 4 +- .../AARCH64/ArchIpcCancel_AI.thy | 2 +- .../invariant-abstract/AARCH64/ArchIpc_AI.thy | 4 +- .../AARCH64/ArchKHeap_AI.thy | 4 +- .../AARCH64/ArchKernelInit_AI.thy | 2 +- .../AARCH64/ArchLevityCatch_AI.thy | 2 +- .../AARCH64/ArchRetype_AI.thy | 22 ++++---- .../AARCH64/ArchSchedule_AI.thy | 3 +- .../AARCH64/ArchSyscall_AI.thy | 2 +- .../AARCH64/ArchTcbAcc_AI.thy | 2 +- .../invariant-abstract/AARCH64/ArchTcb_AI.thy | 13 +++-- .../AARCH64/ArchUntyped_AI.thy | 2 +- .../AARCH64/ArchVCPU_AI.thy | 2 +- .../AARCH64/ArchVSpaceEntries_AI.thy | 2 +- .../AARCH64/ArchVSpace_AI.thy | 9 ++-- .../invariant-abstract/AARCH64/Machine_AI.thy | 13 ++--- proof/invariant-abstract/ADT_AI.thy | 10 ++-- proof/invariant-abstract/BCorres_AI.thy | 20 ++++---- proof/invariant-abstract/CNodeInv_AI.thy | 6 +-- proof/invariant-abstract/CSpaceInvPre_AI.thy | 19 ++++--- proof/invariant-abstract/CSpaceInv_AI.thy | 22 ++++---- proof/invariant-abstract/CSpacePre_AI.thy | 4 +- 
proof/invariant-abstract/CSpace_AI.thy | 15 +++--- proof/invariant-abstract/DetSchedAux_AI.thy | 5 +- proof/invariant-abstract/Deterministic_AI.thy | 4 +- proof/invariant-abstract/Detype_AI.thy | 6 +-- proof/invariant-abstract/EmptyFail_AI.thy | 5 +- proof/invariant-abstract/Finalise_AI.thy | 15 +++--- proof/invariant-abstract/Interrupt_AI.thy | 8 +-- proof/invariant-abstract/InvariantsPre_AI.thy | 11 ++-- proof/invariant-abstract/Invariants_AI.thy | 51 ++++++++++--------- proof/invariant-abstract/IpcCancel_AI.thy | 9 ++-- proof/invariant-abstract/Ipc_AI.thy | 27 +++++----- proof/invariant-abstract/KHeap_AI.thy | 14 +++-- proof/invariant-abstract/LevityCatch_AI.thy | 10 ++-- proof/invariant-abstract/Retype_AI.thy | 8 ++- proof/invariant-abstract/Schedule_AI.thy | 6 +-- proof/invariant-abstract/Syscall_AI.thy | 12 +++-- proof/invariant-abstract/TcbAcc_AI.thy | 7 +-- proof/invariant-abstract/Tcb_AI.thy | 6 +-- proof/invariant-abstract/Untyped_AI.thy | 17 +------ proof/invariant-abstract/VSpacePre_AI.thy | 6 +-- proof/invariant-abstract/VSpace_AI.thy | 10 ++-- 65 files changed, 235 insertions(+), 318 deletions(-)
diff --git a/proof/invariant-abstract/AARCH64/ArchADT_AI.thy b/proof/invariant-abstract/AARCH64/ArchADT_AI.thy
index c0376b854c..753c5e8949 100644
--- a/proof/invariant-abstract/AARCH64/ArchADT_AI.thy
+++ b/proof/invariant-abstract/AARCH64/ArchADT_AI.thy
@@ -12,7 +12,7 @@ imports
 "Lib.Simulation"
 Invariants_AI
 begin
-context Arch begin global_naming AARCH64
+context Arch begin arch_global_naming
 subsection \Constructing a virtual-memory view\
diff --git a/proof/invariant-abstract/AARCH64/ArchAInvsPre.thy b/proof/invariant-abstract/AARCH64/ArchAInvsPre.thy
index 5dce18b02c..4bb6bc441e 100644
--- a/proof/invariant-abstract/AARCH64/ArchAInvsPre.thy
+++ b/proof/invariant-abstract/AARCH64/ArchAInvsPre.thy
@@ -11,9 +11,7 @@ begin
 unbundle l4v_word_context
-context Arch begin
-
-global_naming AARCH64
+context Arch begin arch_global_naming
 lemma ucast_ucast_mask_low:
 "(ucast (x && mask asid_low_bits) :: asid_low_index) = ucast x"
 by (rule ucast_mask_drop, simp add: asid_low_bits_def)
@@ -143,9 +141,10 @@ proof goal_cases
 case 1 show ?case by (intro_locales; (unfold_locales; fact AInvsPre_assms)?)
 qed
-requalify_facts
- AARCH64.user_mem_dom_cong
- AARCH64.device_mem_dom_cong
- AARCH64.device_frame_in_device_region
+(* FIXME arch_split: move to global theory *)
+arch_requalify_facts
+ user_mem_dom_cong
+ device_mem_dom_cong
+ device_frame_in_device_region
 end
diff --git a/proof/invariant-abstract/AARCH64/ArchAcc_AI.thy b/proof/invariant-abstract/AARCH64/ArchAcc_AI.thy
index df5aa1ef06..7ff2c2d231 100644
--- a/proof/invariant-abstract/AARCH64/ArchAcc_AI.thy
+++ b/proof/invariant-abstract/AARCH64/ArchAcc_AI.thy
@@ -17,7 +17,7 @@ lemma valid_vso_at[wp]:"\valid_vso_at level p\ f \\ case aci of MakePool frame slot parent base \
@@ -414,7 +414,7 @@ lemma equal_kernel_mappings:
 end
-context Arch begin global_naming AARCH64
+context Arch begin arch_global_naming
 lemma vmid_for_asid_empty_update:
 "\ asid_table s asid_high = None; asid_pools_of s ap = Some Map.empty \ \
@@ -1726,21 +1726,17 @@ lemma arch_pinv_st_tcb_at:
 end
-
-context begin interpretation Arch .
-
-requalify_consts
+(* FIXME arch_split: move to global theory *)
+arch_requalify_consts
 valid_arch_inv
-requalify_facts
+arch_requalify_facts
 invoke_arch_tcb
 invoke_arch_invs
 sts_valid_arch_inv
 arch_decode_inv_wf
 arch_pinv_st_tcb_at
-end
-
 declare invoke_arch_invs[wp]
 declare arch_decode_inv_wf[wp]
diff --git a/proof/invariant-abstract/AARCH64/ArchBCorres2_AI.thy b/proof/invariant-abstract/AARCH64/ArchBCorres2_AI.thy
index 94caa7b577..6259833c46 100644
--- a/proof/invariant-abstract/AARCH64/ArchBCorres2_AI.thy
+++ b/proof/invariant-abstract/AARCH64/ArchBCorres2_AI.thy
@@ -10,7 +10,7 @@ imports
 BCorres2_AI
 begin
-context Arch begin global_naming AARCH64
+context Arch begin arch_global_naming
 named_theorems BCorres2_AI_assms
@@ -89,7 +89,7 @@ interpretation BCorres2_AI?: BCorres2_AI
 lemmas schedule_bcorres[wp] = schedule_bcorres1[OF BCorres2_AI_axioms]
-context Arch begin global_naming AARCH64
+context Arch begin arch_global_naming
 crunch send_ipc,send_signal,do_reply_transfer,arch_perform_invocation
 for (bcorres) bcorres[wp]: truncate_state
diff --git a/proof/invariant-abstract/AARCH64/ArchBCorres_AI.thy b/proof/invariant-abstract/AARCH64/ArchBCorres_AI.thy
index 41388b855a..8364a914dd 100644
--- a/proof/invariant-abstract/AARCH64/ArchBCorres_AI.thy
+++ b/proof/invariant-abstract/AARCH64/ArchBCorres_AI.thy
@@ -11,7 +11,7 @@ imports
 ArchBitSetup_AI
 begin
-context Arch begin global_naming AARCH64
+context Arch begin arch_global_naming
 lemma entry_for_asid_truncate[simp]:
 "entry_for_asid asid (truncate_state s) = entry_for_asid asid s"
@@ -45,7 +45,7 @@ crunch prepare_thread_delete
 end
-requalify_facts AARCH64.arch_finalise_cap_bcorres AARCH64.prepare_thread_delete_bcorres
+arch_requalify_facts arch_finalise_cap_bcorres prepare_thread_delete_bcorres
 declare arch_finalise_cap_bcorres[wp] prepare_thread_delete_bcorres[wp]
diff --git a/proof/invariant-abstract/AARCH64/ArchBits_AI.thy b/proof/invariant-abstract/AARCH64/ArchBits_AI.thy
index f5afcbc3fb..ff173a2570 100644
--- a/proof/invariant-abstract/AARCH64/ArchBits_AI.thy
+++ b/proof/invariant-abstract/AARCH64/ArchBits_AI.thy
@@ -9,7 +9,7 @@ theory ArchBits_AI
 imports Invariants_AI
 begin
-context Arch begin global_naming AARCH64
+context Arch begin arch_global_naming
 (* arch-specific interpretations of update locales: *)
diff --git a/proof/invariant-abstract/AARCH64/ArchCNodeInv_AI.thy b/proof/invariant-abstract/AARCH64/ArchCNodeInv_AI.thy
index 04467df833..2a9184bd13 100644
--- a/proof/invariant-abstract/AARCH64/ArchCNodeInv_AI.thy
+++ b/proof/invariant-abstract/AARCH64/ArchCNodeInv_AI.thy
@@ -9,7 +9,7 @@ theory ArchCNodeInv_AI
 imports CNodeInv_AI
 begin
-context Arch begin global_naming AARCH64
+context Arch begin arch_global_naming
 named_theorems CNodeInv_AI_assms
@@ -538,7 +538,7 @@ qed
 termination rec_del
 by (rule rec_del_termination)
-context Arch begin global_naming AARCH64
+context Arch begin arch_global_naming
 lemma post_cap_delete_pre_is_final_cap':
 "\valid_ioports s; caps_of_state s slot = Some cap; is_final_cap' cap s; cap_cleanup_opt cap \ NullCap\
@@ -800,7 +800,7 @@ global_interpretation CNodeInv_AI_2?: CNodeInv_AI_2
 qed
-context Arch begin global_naming AARCH64
+context Arch begin arch_global_naming
 lemma finalise_cap_rvk_prog [CNodeInv_AI_assms]:
 "finalise_cap cap f \\s. revoke_progress_ord m (\x. map_option cap_to_rpo (caps_of_state s x))\"
@@ -905,7 +905,7 @@ termination cap_revoke
 by (rule cap_revoke_termination)
 declare cap_revoke.simps[simp del]
-context Arch begin global_naming AARCH64
+context Arch begin arch_global_naming
 crunch finalise_slot
 for typ_at[wp, CNodeInv_AI_assms]: "\s. P (typ_at T p s)"
@@ -930,7 +930,7 @@ global_interpretation CNodeInv_AI_4?: CNodeInv_AI_4
 qed
-context Arch begin global_naming AARCH64
+context Arch begin arch_global_naming
 lemma cap_move_ioports:
 "\valid_ioports and cte_wp_at ((=) cap.NullCap) ptr'
diff --git a/proof/invariant-abstract/AARCH64/ArchCSpaceInvPre_AI.thy b/proof/invariant-abstract/AARCH64/ArchCSpaceInvPre_AI.thy
index 3e3e165547..9be7754f33 100644
--- a/proof/invariant-abstract/AARCH64/ArchCSpaceInvPre_AI.thy
+++ b/proof/invariant-abstract/AARCH64/ArchCSpaceInvPre_AI.thy
@@ -14,7 +14,7 @@ imports
 CSpaceInvPre_AI
 begin
-context Arch begin global_naming AARCH64
+context Arch begin arch_global_naming
 lemma aobj_ref_acap_rights_update[simp]:
 "aobj_ref (acap_rights_update f x) = aobj_ref x"
diff --git a/proof/invariant-abstract/AARCH64/ArchCSpaceInv_AI.thy b/proof/invariant-abstract/AARCH64/ArchCSpaceInv_AI.thy
index b2c600a167..ba702cde24 100644
--- a/proof/invariant-abstract/AARCH64/ArchCSpaceInv_AI.thy
+++ b/proof/invariant-abstract/AARCH64/ArchCSpaceInv_AI.thy
@@ -12,7 +12,7 @@ theory ArchCSpaceInv_AI
 imports CSpaceInv_AI
 begin
-context Arch begin global_naming AARCH64
+context Arch begin arch_global_naming
 definition safe_ioport_insert :: "cap \ cap \ 'a::state_ext state \ bool"
@@ -210,8 +210,6 @@ lemmas cap_vptr_simps [simp] =
 end
-context begin interpretation Arch .
-requalify_facts replace_cap_invs
-end
+arch_requalify_facts replace_cap_invs
 end
diff --git a/proof/invariant-abstract/AARCH64/ArchCSpacePre_AI.thy b/proof/invariant-abstract/AARCH64/ArchCSpacePre_AI.thy
index 7fdac5a929..2080df6b50 100644
--- a/proof/invariant-abstract/AARCH64/ArchCSpacePre_AI.thy
+++ b/proof/invariant-abstract/AARCH64/ArchCSpacePre_AI.thy
@@ -13,7 +13,7 @@ theory ArchCSpacePre_AI
 imports CSpacePre_AI
 begin
-context Arch begin global_naming AARCH64
+context Arch begin arch_global_naming
 lemmas typ_at_eq_kheap_obj = typ_at_eq_kheap_obj atyp_at_eq_kheap_obj
diff --git a/proof/invariant-abstract/AARCH64/ArchCSpace_AI.thy b/proof/invariant-abstract/AARCH64/ArchCSpace_AI.thy
index 42b0e4cfff..05759f6b54 100644
--- a/proof/invariant-abstract/AARCH64/ArchCSpace_AI.thy
+++ b/proof/invariant-abstract/AARCH64/ArchCSpace_AI.thy
@@ -12,7 +12,7 @@ theory ArchCSpace_AI
 imports CSpace_AI
 begin
-context Arch begin global_naming AARCH64
+context Arch begin arch_global_naming
 named_theorems CSpace_AI_assms
@@ -304,7 +304,7 @@ end
 global_interpretation cap_insert_crunches?: cap_insert_crunches .
-context Arch begin global_naming AARCH64
+context Arch begin arch_global_naming
 lemma cap_insert_cap_refs_in_kernel_window[wp, CSpace_AI_assms]:
 "\cap_refs_in_kernel_window
@@ -496,7 +496,7 @@ proof goal_cases
 qed
-context Arch begin global_naming AARCH64
+context Arch begin arch_global_naming
 lemma is_cap_simps':
 "is_cnode_cap cap = (\r bits g. cap = cap.CNodeCap r bits g)"
@@ -599,12 +599,9 @@ lemma set_cap_kernel_window_simple:
 end
-context begin interpretation Arch .
-
-requalify_facts
+(* FIXME arch_split: move to non-Arch theory? *)
+arch_requalify_facts
 set_cap_valid_arch_caps_simple
 set_cap_kernel_window_simple
 end
-
-end
diff --git a/proof/invariant-abstract/AARCH64/ArchCrunchSetup_AI.thy b/proof/invariant-abstract/AARCH64/ArchCrunchSetup_AI.thy
index 0f783df33d..5cc6c4d7d3 100644
--- a/proof/invariant-abstract/AARCH64/ArchCrunchSetup_AI.thy
+++ b/proof/invariant-abstract/AARCH64/ArchCrunchSetup_AI.thy
@@ -10,7 +10,7 @@ imports
 "Lib.Crunch_Instances_NonDet"
 begin
-context Arch begin global_naming AARCH64
+context Arch begin arch_global_naming
 crunch_ignore (add: debugPrint clearMemory pt_lookup_from_level)
diff --git a/proof/invariant-abstract/AARCH64/ArchDetSchedAux_AI.thy b/proof/invariant-abstract/AARCH64/ArchDetSchedAux_AI.thy
index 8d56752005..2439b153b8 100644
--- a/proof/invariant-abstract/AARCH64/ArchDetSchedAux_AI.thy
+++ b/proof/invariant-abstract/AARCH64/ArchDetSchedAux_AI.thy
@@ -9,7 +9,7 @@ theory ArchDetSchedAux_AI
 imports DetSchedAux_AI
 begin
-context Arch begin global_naming AARCH64
+context Arch begin arch_global_naming
 named_theorems DetSchedAux_AI_assms
diff --git a/proof/invariant-abstract/AARCH64/ArchDetSchedDomainTime_AI.thy b/proof/invariant-abstract/AARCH64/ArchDetSchedDomainTime_AI.thy
index 949773c328..44790fee8d 100644
--- a/proof/invariant-abstract/AARCH64/ArchDetSchedDomainTime_AI.thy
+++ b/proof/invariant-abstract/AARCH64/ArchDetSchedDomainTime_AI.thy
@@ -9,7 +9,7 @@ theory ArchDetSchedDomainTime_AI
 imports DetSchedDomainTime_AI
 begin
-context Arch begin global_naming AARCH64
+context Arch begin arch_global_naming
 named_theorems DetSchedDomainTime_AI_assms
@@ -62,7 +62,7 @@ proof goal_cases
 case 1 show ?case by (unfold_locales; (fact DetSchedDomainTime_AI_assms)?)
 qed
-context Arch begin global_naming AARCH64
+context Arch begin arch_global_naming
 crunch arch_perform_invocation
 for domain_time_inv[wp, DetSchedDomainTime_AI_assms]: "\s. P (domain_time s)"
diff --git a/proof/invariant-abstract/AARCH64/ArchDetSchedSchedule_AI.thy b/proof/invariant-abstract/AARCH64/ArchDetSchedSchedule_AI.thy
index 84f6d9fb1b..b168ce488f 100644
--- a/proof/invariant-abstract/AARCH64/ArchDetSchedSchedule_AI.thy
+++ b/proof/invariant-abstract/AARCH64/ArchDetSchedSchedule_AI.thy
@@ -9,7 +9,7 @@ theory ArchDetSchedSchedule_AI
 imports DetSchedSchedule_AI
 begin
-context Arch begin global_naming AARCH64
+context Arch begin arch_global_naming
 named_theorems DetSchedSchedule_AI_assms
@@ -498,7 +498,7 @@ proof goal_cases
 case 1 show ?case by (unfold_locales; (fact DetSchedSchedule_AI_assms)?)
 qed
-context Arch begin global_naming AARCH64
+context Arch begin arch_global_naming
 lemma dmo_scheduler_act_sane[wp]:
 "\scheduler_act_sane\ do_machine_op f \\rv. scheduler_act_sane\"
diff --git a/proof/invariant-abstract/AARCH64/ArchDeterministic_AI.thy b/proof/invariant-abstract/AARCH64/ArchDeterministic_AI.thy
index 360d38f0f7..72360b387e 100644
--- a/proof/invariant-abstract/AARCH64/ArchDeterministic_AI.thy
+++ b/proof/invariant-abstract/AARCH64/ArchDeterministic_AI.thy
@@ -11,7 +11,7 @@ begin
 declare dxo_wp_weak[wp del]
-context Arch begin global_naming AARCH64
+context Arch begin arch_global_naming
 named_theorems Deterministic_AI_assms
@@ -40,7 +40,7 @@ proof goal_cases
 case 1 show ?case by (unfold_locales; (fact Deterministic_AI_assms)?)
 qed
-context Arch begin global_naming AARCH64
+context Arch begin arch_global_naming
 crunch arch_invoke_irq_handler
 for valid_list[wp,Deterministic_AI_assms]: valid_list
diff --git a/proof/invariant-abstract/AARCH64/ArchDetype_AI.thy b/proof/invariant-abstract/AARCH64/ArchDetype_AI.thy
index d00dbc5846..b7a66c2305 100644
--- a/proof/invariant-abstract/AARCH64/ArchDetype_AI.thy
+++ b/proof/invariant-abstract/AARCH64/ArchDetype_AI.thy
@@ -9,7 +9,7 @@ theory ArchDetype_AI
 imports Detype_AI
 begin
-context Arch begin global_naming AARCH64
+context Arch begin arch_global_naming
 named_theorems Detype_AI_assms
@@ -636,8 +636,8 @@ interpretation Detype_AI_2
 Detype_AI_2.intro by blast
-context begin interpretation Arch .
-lemma delete_objects_invs[wp]:
+(* generic consequence of architecture-specific details *)
+lemma (in Arch) delete_objects_invs[wp]:
 "\(\s. \slot. cte_wp_at ((=) (cap.UntypedCap dev ptr bits f)) slot s \ descendants_range (cap.UntypedCap dev ptr bits f) slot s) and invs and ct_active\
@@ -657,6 +657,8 @@ lemma delete_objects_invs[wp]:
 apply (drule (1) cte_wp_valid_cap)
 apply (simp add: valid_cap_def cap_aligned_def word_size_bits_def untyped_min_bits_def)
 done
-end
+
+requalify_facts Arch.delete_objects_invs
+lemmas [wp] = delete_objects_invs
 end
diff --git a/proof/invariant-abstract/AARCH64/ArchEmptyFail_AI.thy b/proof/invariant-abstract/AARCH64/ArchEmptyFail_AI.thy
index 3d8fc10556..8e229505a0 100644
--- a/proof/invariant-abstract/AARCH64/ArchEmptyFail_AI.thy
+++ b/proof/invariant-abstract/AARCH64/ArchEmptyFail_AI.thy
@@ -9,7 +9,7 @@ theory ArchEmptyFail_AI
 imports EmptyFail_AI
 begin
-context Arch begin global_naming AARCH64
+context Arch begin arch_global_naming
 named_theorems EmptyFail_AI_assms
@@ -30,7 +30,7 @@ global_interpretation EmptyFail_AI_load_word?: EmptyFail_AI_load_word
 case 1 show ?case by (unfold_locales; (fact EmptyFail_AI_assms)?)
 qed
-context Arch begin global_naming AARCH64
+context Arch begin arch_global_naming
 crunch handle_fault
 for (empty_fail) empty_fail[wp, EmptyFail_AI_assms]
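Review bot: In the second ArchDetype_AI hunk, `lemmas [wp] = delete_objects_invs` registers the rule at theory level immediately after `requalify_facts Arch.delete_objects_invs`, while the first hunk already attaches `[wp]` to the lemma itself via `lemma (in Arch) delete_objects_invs[wp]`; if the locale-level attribute only takes effect where Arch is active, the second registration is deliberate and deserves a line such as `(* [wp] declared inside Arch is not visible at theory level; re-add it on the requalified name *)`, otherwise one of the two is redundant. The other hunks in this patch that requalify a fact and then register it use `declare name[wp]` (the ArchBCorres_AI hunk and the hunk ending in `declare invoke_arch_invs[wp]`), so `declare delete_objects_invs[wp]` would also keep the style uniform across the series. The proof body of `delete_objects_invs` lies between the two hunks and is not visible here.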
@@ -128,7 +128,7 @@ proof goal_cases
 case 1 show ?case by (unfold_locales; (fact EmptyFail_AI_assms)?)
 qed
-context Arch begin global_naming AARCH64
+context Arch begin arch_global_naming
 lemma empty_fail_pt_lookup_from_level[wp]:
 "empty_fail (pt_lookup_from_level level pt_ptr vptr target_pt_ptr)"
@@ -158,7 +158,7 @@ proof goal_cases
 case 1 show ?case by (unfold_locales; (fact EmptyFail_AI_assms)?)
 qed
-context Arch begin global_naming AARCH64
+context Arch begin arch_global_naming
 crunch cap_delete, choose_thread
 for (empty_fail) empty_fail[wp, EmptyFail_AI_assms]
@@ -182,7 +182,7 @@ proof goal_cases
 case 1 show ?case by (unfold_locales; (fact EmptyFail_AI_assms)?)
 qed
-context Arch begin global_naming AARCH64
+context Arch begin arch_global_naming
 lemma plic_complete_claim_empty_fail[wp, EmptyFail_AI_assms]:
 "empty_fail (plic_complete_claim irq)"
diff --git a/proof/invariant-abstract/AARCH64/ArchFinalise_AI.thy b/proof/invariant-abstract/AARCH64/ArchFinalise_AI.thy
index 1390c0a215..f45618a637 100644
--- a/proof/invariant-abstract/AARCH64/ArchFinalise_AI.thy
+++ b/proof/invariant-abstract/AARCH64/ArchFinalise_AI.thy
@@ -9,12 +9,10 @@ theory ArchFinalise_AI
 imports Finalise_AI
 begin
-context Arch begin
+context Arch begin arch_global_naming
 named_theorems Finalise_AI_assms
-global_naming AARCH64
-
 lemma valid_global_refs_asid_table_udapte [iff]:
 "valid_global_refs (s\arch_state := arm_asid_table_update f (arch_state s)\) = valid_global_refs s"
@@ -1581,7 +1579,7 @@ interpretation Finalise_AI_1?: Finalise_AI_1
 by (intro_locales; (unfold_locales; fact Finalise_AI_assms)?)
 qed
-context Arch begin global_naming AARCH64
+context Arch begin arch_global_naming
 lemma fast_finalise_replaceable[wp]:
 "\\s. s \ cap \ x = is_final_cap' cap s
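Review bot: In the first ArchFinalise_AI hunk, `named_theorems Finalise_AI_assms` used to be declared between `context Arch begin` and `global_naming AARCH64`, i.e. before the arch prefix was in force, and after this change it sits below `context Arch begin arch_global_naming`, so the collection is now declared under the prefix; that is a change to the qualified name the collection gets outside the locale, not just to layout. The later hunks only use the bare name inside `interpretation Finalise_AI_n?:` proofs, which presumably still resolve if Arch is interpreted there, but any other reference by qualified name would need checking. Since the sibling files in this patch all declare their `*_assms` collection after the naming command, the move looks intentional; a short remark in the commit message, or `(* now declared under the arch prefix, matching the other Arch*_AI theories *)` on the line, would make it clear that the rename is accepted rather than accidental.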
@@ -1620,7 +1618,7 @@ interpretation Finalise_AI_2?: Finalise_AI_2 case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_assms)?) qed -context Arch begin global_naming AARCH64 +context Arch begin arch_global_naming crunch vcpu_update, vgic_update, vcpu_disable, vcpu_restore, vcpu_save_reg_range, vgic_update_lr, @@ -1753,7 +1751,7 @@ lemma invs_valid_arch_capsI: "invs s \ valid_arch_caps s" by (simp add: invs_def valid_state_def) -context Arch begin global_naming AARCH64 (*FIXME: arch_split*) +context Arch begin arch_global_naming (*FIXME: arch_split*) lemma do_machine_op_reachable_pg_cap[wp]: "\\s. P (reachable_frame_cap cap s)\ @@ -1900,9 +1898,7 @@ lemma (* dmo_replaceable_or_arch_update *) [Finalise_AI_assms,wp]: end -context begin interpretation Arch . -requalify_consts replaceable_or_arch_update -end +arch_requalify_consts replaceable_or_arch_update interpretation Finalise_AI_3?: Finalise_AI_3 where replaceable_or_arch_update = replaceable_or_arch_update @@ -1912,7 +1908,7 @@ interpretation Finalise_AI_3?: Finalise_AI_3 by (intro_locales; (unfold_locales; fact Finalise_AI_assms)?) qed -context Arch begin global_naming AARCH64 +context Arch begin arch_global_naming lemma typ_at_data_at_wp: assumes typ_wp: "\a.\typ_at a p \ g \\s. typ_at a p\" @@ -1930,7 +1926,7 @@ interpretation Finalise_AI_4?: Finalise_AI_4 case 1 show ?case by (intro_locales; (unfold_locales; fact Finalise_AI_assms)?) qed -context Arch begin global_naming AARCH64 +context Arch begin arch_global_naming lemma set_asid_pool_obj_at_ptr: "\\s. P (ArchObj (arch_kernel_obj.ASIDPool mp))\ diff --git a/proof/invariant-abstract/AARCH64/ArchInterruptAcc_AI.thy b/proof/invariant-abstract/AARCH64/ArchInterruptAcc_AI.thy index 89d96eedf9..b1ad88de5d 100644 --- a/proof/invariant-abstract/AARCH64/ArchInterruptAcc_AI.thy +++ b/proof/invariant-abstract/AARCH64/ArchInterruptAcc_AI.thy 
@@ -12,7 +12,7 @@ theory ArchInterruptAcc_AI imports InterruptAcc_AI begin -context Arch begin global_naming AARCH64 +context Arch begin arch_global_naming named_theorems InterruptAcc_AI_assms diff --git a/proof/invariant-abstract/AARCH64/ArchInterrupt_AI.thy b/proof/invariant-abstract/AARCH64/ArchInterrupt_AI.thy index 7a880be79a..d3948582f8 100644 --- a/proof/invariant-abstract/AARCH64/ArchInterrupt_AI.thy +++ b/proof/invariant-abstract/AARCH64/ArchInterrupt_AI.thy @@ -9,7 +9,7 @@ theory ArchInterrupt_AI imports Interrupt_AI begin -context Arch begin global_naming AARCH64 +context Arch begin arch_global_naming primrec arch_irq_control_inv_valid_real :: "arch_irq_control_invocation \ 'a::state_ext state \ bool" diff --git a/proof/invariant-abstract/AARCH64/ArchInvariants_AI.thy b/proof/invariant-abstract/AARCH64/ArchInvariants_AI.thy index a9f92a1061..75d8ba5d37 100644 --- a/proof/invariant-abstract/AARCH64/ArchInvariants_AI.thy +++ b/proof/invariant-abstract/AARCH64/ArchInvariants_AI.thy @@ -9,7 +9,7 @@ theory ArchInvariants_AI imports InvariantsPre_AI "Eisbach_Tools.Apply_Trace_Cmd" begin -context Arch begin global_naming AARCH64 +context Arch begin arch_global_naming (* compatibility with other architectures, input only *) abbreviation @@ -29,7 +29,7 @@ record iarch_tcb = itcb_vcpu :: "obj_ref option" end_qualify -context Arch begin global_naming AARCH64 +context Arch begin arch_global_naming definition arch_tcb_to_iarch_tcb :: "arch_tcb \ iarch_tcb" where "arch_tcb_to_iarch_tcb arch_tcb \ \ itcb_vcpu = tcb_vcpu arch_tcb \" diff --git a/proof/invariant-abstract/AARCH64/ArchIpcCancel_AI.thy b/proof/invariant-abstract/AARCH64/ArchIpcCancel_AI.thy index fe7b74429a..1a33884511 100644 --- a/proof/invariant-abstract/AARCH64/ArchIpcCancel_AI.thy +++ b/proof/invariant-abstract/AARCH64/ArchIpcCancel_AI.thy 
@@ -8,7 +8,7 @@ theory ArchIpcCancel_AI imports IpcCancel_AI begin -context Arch begin global_naming AARCH64 +context Arch begin arch_global_naming named_theorems IpcCancel_AI_assms diff --git a/proof/invariant-abstract/AARCH64/ArchIpc_AI.thy b/proof/invariant-abstract/AARCH64/ArchIpc_AI.thy index 448c7690d0..0c3835fe49 100644 --- a/proof/invariant-abstract/AARCH64/ArchIpc_AI.thy +++ b/proof/invariant-abstract/AARCH64/ArchIpc_AI.thy @@ -9,7 +9,7 @@ theory ArchIpc_AI imports Ipc_AI begin -context Arch begin global_naming AARCH64 +context Arch begin arch_global_naming named_theorems Ipc_AI_assms @@ -499,7 +499,7 @@ proof goal_cases case 1 show ?case by (unfold_locales; (fact Ipc_AI_assms)?) qed -context Arch begin global_naming AARCH64 +context Arch begin arch_global_naming named_theorems Ipc_AI_cont_assms diff --git a/proof/invariant-abstract/AARCH64/ArchKHeap_AI.thy b/proof/invariant-abstract/AARCH64/ArchKHeap_AI.thy index 4ec61c00b0..bcd7840fc9 100644 --- a/proof/invariant-abstract/AARCH64/ArchKHeap_AI.thy +++ b/proof/invariant-abstract/AARCH64/ArchKHeap_AI.thy @@ -9,7 +9,7 @@ theory ArchKHeap_AI imports KHeapPre_AI begin -context Arch begin global_naming AARCH64 +context Arch begin arch_global_naming definition non_vspace_obj :: "kernel_object \ bool" where "non_vspace_obj ko \ case ko of @@ -129,7 +129,7 @@ locale vspace_only_obj_pred = Arch + sublocale vspace_only_obj_pred < arch_only_obj_pred using vspace_pred_imp[OF vspace_only] by unfold_locales -context Arch begin global_naming AARCH64 +context Arch begin arch_global_naming lemma valid_vspace_obj_lift: assumes "\T p. T \ AVCPU \ f \typ_at (AArch T) p\" diff --git a/proof/invariant-abstract/AARCH64/ArchKernelInit_AI.thy b/proof/invariant-abstract/AARCH64/ArchKernelInit_AI.thy index 5b0a5e6c44..c9e7d1dfc1 100644 --- a/proof/invariant-abstract/AARCH64/ArchKernelInit_AI.thy +++ b/proof/invariant-abstract/AARCH64/ArchKernelInit_AI.thy 
@@ -12,7 +12,7 @@ imports Arch_AI begin -context Arch begin global_naming AARCH64 +context Arch begin arch_global_naming text \ Showing that there is a state that satisfies the abstract invariants. diff --git a/proof/invariant-abstract/AARCH64/ArchLevityCatch_AI.thy b/proof/invariant-abstract/AARCH64/ArchLevityCatch_AI.thy index 925b19f736..8b22b3fd86 100644 --- a/proof/invariant-abstract/AARCH64/ArchLevityCatch_AI.thy +++ b/proof/invariant-abstract/AARCH64/ArchLevityCatch_AI.thy @@ -12,7 +12,7 @@ imports "Lib.SplitRule" begin -context Arch begin global_naming AARCH64 +context Arch begin arch_global_naming lemma asid_high_bits_of_shift[simp]: "asid_high_bits_of (ucast x << asid_low_bits) = x" diff --git a/proof/invariant-abstract/AARCH64/ArchRetype_AI.thy b/proof/invariant-abstract/AARCH64/ArchRetype_AI.thy index 1ed3288e1f..f8497bb8ad 100644 --- a/proof/invariant-abstract/AARCH64/ArchRetype_AI.thy +++ b/proof/invariant-abstract/AARCH64/ArchRetype_AI.thy @@ -13,7 +13,7 @@ theory ArchRetype_AI imports Retype_AI begin -context Arch begin global_naming AARCH64 +context Arch begin arch_global_naming named_theorems Retype_AI_assms @@ -125,10 +125,7 @@ declare post_retype_invs_check_def[simp] end - -context begin interpretation Arch . -requalify_consts post_retype_invs_check -end +arch_requalify_consts post_retype_invs_check definition post_retype_invs :: "apiobject_type \ obj_ref list \ 'z::state_ext state \ bool" @@ -144,7 +141,7 @@ global_interpretation Retype_AI_post_retype_invs?: Retype_AI_post_retype_invs by (unfold_locales; fact post_retype_invs_def) -context Arch begin global_naming AARCH64 +context Arch begin arch_global_naming lemma init_arch_objects_invs_from_restricted: "\post_retype_invs new_type refs @@ -177,7 +174,7 @@ global_interpretation Retype_AI_slot_bits?: Retype_AI_slot_bits qed -context Arch begin global_naming AARCH64 +context Arch begin arch_global_naming lemma valid_untyped_helper [Retype_AI_assms]: assumes valid_c : "s \ c" 
@@ -274,6 +271,7 @@ locale retype_region_proofs_arch context retype_region_proofs begin +(* FIXME arch_split: is there any way to optimise this interpretation out? we can't nest contexts *) interpretation Arch . lemma valid_cap: @@ -580,7 +578,7 @@ sublocale retype_region_proofs_gen?: retype_region_proofs_gen end -context Arch begin global_naming AARCH64 +context Arch begin arch_global_naming lemma unique_table_caps_null: "unique_table_caps_2 (null_filter caps) @@ -683,9 +681,7 @@ lemma cap_range_respects_device_region_cong[cong]: by (clarsimp simp: cap_range_respects_device_region_def) -context begin interpretation Arch . -requalify_consts region_in_kernel_window -end +arch_requalify_consts region_in_kernel_window context retype_region_proofs_arch begin @@ -875,7 +871,7 @@ lemmas post_retype_invs_axioms = retype_region_proofs_invs_axioms end -context Arch begin global_naming AARCH64 +context Arch begin arch_global_naming named_theorems Retype_AI_assms' @@ -905,7 +901,7 @@ global_interpretation Retype_AI?: Retype_AI qed -context Arch begin global_naming AARCH64 +context Arch begin arch_global_naming lemma retype_region_plain_invs: "\invs and caps_no_overlap ptr sz and pspace_no_overlap_range_cover ptr sz diff --git a/proof/invariant-abstract/AARCH64/ArchSchedule_AI.thy b/proof/invariant-abstract/AARCH64/ArchSchedule_AI.thy index 29af15a82c..61c7cee033 100644 --- a/proof/invariant-abstract/AARCH64/ArchSchedule_AI.thy +++ b/proof/invariant-abstract/AARCH64/ArchSchedule_AI.thy @@ -9,7 +9,7 @@ theory ArchSchedule_AI imports Schedule_AI begin -context Arch begin global_naming AARCH64 +context Arch begin arch_global_naming named_theorems Schedule_AI_assms @@ -28,6 +28,7 @@ lemma dmo_mapM_storeWord_0_invs[wp,Schedule_AI_assms]: apply wp by (simp add: upto.simps word_bits_def) +(* FIXME arch_split: why not arch global naming? this doesn't make sense *) global_naming Arch lemma arch_stt_invs [wp,Schedule_AI_assms]: 
diff --git a/proof/invariant-abstract/AARCH64/ArchSyscall_AI.thy b/proof/invariant-abstract/AARCH64/ArchSyscall_AI.thy index 4293491321..6c673e874c 100644 --- a/proof/invariant-abstract/AARCH64/ArchSyscall_AI.thy +++ b/proof/invariant-abstract/AARCH64/ArchSyscall_AI.thy @@ -14,7 +14,7 @@ imports Syscall_AI begin -context Arch begin global_naming AARCH64 +context Arch begin arch_global_naming named_theorems Syscall_AI_assms diff --git a/proof/invariant-abstract/AARCH64/ArchTcbAcc_AI.thy b/proof/invariant-abstract/AARCH64/ArchTcbAcc_AI.thy index 71494de427..99ad83388e 100644 --- a/proof/invariant-abstract/AARCH64/ArchTcbAcc_AI.thy +++ b/proof/invariant-abstract/AARCH64/ArchTcbAcc_AI.thy @@ -8,7 +8,7 @@ theory ArchTcbAcc_AI imports TcbAcc_AI begin -context Arch begin global_naming AARCH64 +context Arch begin arch_global_naming named_theorems TcbAcc_AI_assms diff --git a/proof/invariant-abstract/AARCH64/ArchTcb_AI.thy b/proof/invariant-abstract/AARCH64/ArchTcb_AI.thy index 5ad151b3e7..6c37465baa 100644 --- a/proof/invariant-abstract/AARCH64/ArchTcb_AI.thy +++ b/proof/invariant-abstract/AARCH64/ArchTcb_AI.thy @@ -9,7 +9,7 @@ theory ArchTcb_AI imports Tcb_AI begin -context Arch begin global_naming AARCH64 +context Arch begin arch_global_naming named_theorems Tcb_AI_assms @@ -159,7 +159,7 @@ proof goal_cases case 1 show ?case by (unfold_locales; (fact Tcb_AI_assms)?) qed -context Arch begin global_naming AARCH64 +context Arch begin arch_global_naming lemma use_no_cap_to_obj_asid_strg: (* arch specific *) "(cte_at p s \ no_cap_to_obj_dr_emp cap s \ valid_cap cap s \ invs s) @@ -376,11 +376,6 @@ crunch invoke_tcb end -context begin interpretation Arch . -requalify_consts is_cnode_or_valid_arch -requalify_facts invoke_tcb_typ_at -end - global_interpretation Tcb_AI?: Tcb_AI where is_cnode_or_valid_arch = AARCH64.is_cnode_or_valid_arch proof goal_cases 
@@ -388,4 +383,8 @@ proof goal_cases case 1 show ?case by (unfold_locales; (fact Tcb_AI_assms)?) qed +(* FIXME arch_split: move to global theory *) +arch_requalify_consts is_cnode_or_valid_arch +arch_requalify_facts invoke_tcb_typ_at + end diff --git a/proof/invariant-abstract/AARCH64/ArchUntyped_AI.thy b/proof/invariant-abstract/AARCH64/ArchUntyped_AI.thy index 3a046586e8..4c92fcba10 100644 --- a/proof/invariant-abstract/AARCH64/ArchUntyped_AI.thy +++ b/proof/invariant-abstract/AARCH64/ArchUntyped_AI.thy @@ -9,7 +9,7 @@ theory ArchUntyped_AI imports Untyped_AI begin -context Arch begin global_naming AARCH64 +context Arch begin arch_global_naming named_theorems Untyped_AI_assms diff --git a/proof/invariant-abstract/AARCH64/ArchVCPU_AI.thy b/proof/invariant-abstract/AARCH64/ArchVCPU_AI.thy index 85de8526a7..aaeac4a458 100644 --- a/proof/invariant-abstract/AARCH64/ArchVCPU_AI.thy +++ b/proof/invariant-abstract/AARCH64/ArchVCPU_AI.thy @@ -9,7 +9,7 @@ theory ArchVCPU_AI imports AInvs begin -context Arch begin global_naming AARCH64 (*FIXME: arch_split*) +context Arch begin arch_global_naming (*FIXME: arch_split*) (* This is similar to cur_vcpu_2, but not close enough to reuse. *) definition active_cur_vcpu_of :: "'z state \ obj_ref option" where diff --git a/proof/invariant-abstract/AARCH64/ArchVSpaceEntries_AI.thy b/proof/invariant-abstract/AARCH64/ArchVSpaceEntries_AI.thy index f03ba67b39..816b92285f 100644 --- a/proof/invariant-abstract/AARCH64/ArchVSpaceEntries_AI.thy +++ b/proof/invariant-abstract/AARCH64/ArchVSpaceEntries_AI.thy @@ -9,7 +9,7 @@ theory ArchVSpaceEntries_AI imports VSpaceEntries_AI begin -context Arch begin global_naming AARCH64 +context Arch begin arch_global_naming (* Since we're not doing anything with the index apart from returning it, this definition works for both, NormalPTs and VSRootPTs *) diff --git a/proof/invariant-abstract/AARCH64/ArchVSpace_AI.thy b/proof/invariant-abstract/AARCH64/ArchVSpace_AI.thy index d1fc5e4588..973d7e1ae6 100644 
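Review bot: The `arch_requalify_consts is_cnode_or_valid_arch` now comes after the `global_interpretation Tcb_AI?: Tcb_AI where is_cnode_or_valid_arch = AARCH64.is_cnode_or_valid_arch` that the previous hunk leaves in place, whereas the old `requalify_consts` preceded it. This only holds together because the interpretation names `AARCH64.is_cnode_or_valid_arch` in full, and the new FIXME does not say that. Consider extending it to `(* FIXME arch_split: move to global theory; placing this after the interpretation above is fine only because that interpretation refers to AARCH64.is_cnode_or_valid_arch explicitly *)`. The interpretation and its proof start in the previous hunk.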
--- a/proof/invariant-abstract/AARCH64/ArchVSpace_AI.thy +++ b/proof/invariant-abstract/AARCH64/ArchVSpace_AI.thy @@ -21,7 +21,7 @@ lemma valid_asid_map_upd[simp]: end -context Arch begin global_naming AARCH64 +context Arch begin arch_global_naming sublocale set_vcpu: non_vspace_non_cap_non_mem_op "set_vcpu p vcpu" + @@ -2324,7 +2324,7 @@ lemma valid_vspace_obj: end -context Arch begin global_naming AARCH64 +context Arch begin arch_global_naming lemma set_asid_pool_arch_objs_map: "\valid_vspace_objs and valid_arch_state and valid_global_objs and @@ -3142,9 +3142,8 @@ crunch vcpu_switch end -context begin interpretation Arch . -requalify_facts +(* FIXME arch_split: move to generic theory? *) +arch_requalify_facts do_machine_op_valid_kernel_mappings -end end diff --git a/proof/invariant-abstract/AARCH64/Machine_AI.thy b/proof/invariant-abstract/AARCH64/Machine_AI.thy index 7fb8d8b961..200404b0ea 100644 --- a/proof/invariant-abstract/AARCH64/Machine_AI.thy +++ b/proof/invariant-abstract/AARCH64/Machine_AI.thy @@ -69,6 +69,7 @@ crunch_ignore (no_irq) (add: handleE' handleE handle_elseE forM forM_x zipWithM ignore_failure) +(* FIXME arch_split: no global_naming? *) context Arch begin text \Deterministic\ @@ -423,14 +424,10 @@ lemma dmo_gets_inv[wp]: end -context begin interpretation Arch . - requalify_facts - det_getRegister - det_setRegister - det_getRestartPC - det_setNextPC - -end + Arch.det_getRegister + Arch.det_setRegister + Arch.det_getRestartPC + Arch.det_setNextPC end diff --git a/proof/invariant-abstract/ADT_AI.thy b/proof/invariant-abstract/ADT_AI.thy index 2a898cbba6..9ae0cf8f98 100644 --- a/proof/invariant-abstract/ADT_AI.thy +++ b/proof/invariant-abstract/ADT_AI.thy 
@@ -11,17 +11,13 @@ imports ArchADT_AI begin -context begin interpretation Arch . - -requalify_consts +arch_requalify_consts (A) empty_context init_A_st + +arch_requalify_consts ptable_lift ptable_rights - addrFromPPtr - ptrFromPAddr - -end text \ The general refinement calculus (see theory Simulation) requires diff --git a/proof/invariant-abstract/BCorres_AI.thy b/proof/invariant-abstract/BCorres_AI.thy index 2649bf34c4..66a525cbad 100644 --- a/proof/invariant-abstract/BCorres_AI.thy +++ b/proof/invariant-abstract/BCorres_AI.thy @@ -16,6 +16,16 @@ abbreviation "bcorres \ bcorres_underlying truncate_state" abbreviation "s_bcorres \ s_bcorres_underlying truncate_state" +context Arch begin arch_global_naming + +crunch arch_post_cap_deletion + for (bcorres) bcorres[wp]: truncate_state + +end + +arch_requalify_facts + arch_post_cap_deletion_bcorres + lemma dxo_bcorres[wp]: "bcorres (do_extended_op f) (do_extended_op f)" apply (simp add: do_extended_op_def) @@ -63,16 +73,6 @@ lemma bcorres_select_ext[wp]: by (clarsimp simp: select_ext_def bind_def gets_def return_def select_def assert_def get_def select_switch_unit_def bcorres_underlying_def s_bcorres_underlying_def fail_def) -context Arch begin - -crunch arch_post_cap_deletion - for (bcorres) bcorres[wp]: truncate_state - -end - -requalify_facts - Arch.arch_post_cap_deletion_bcorres - crunch set_original, set_object, set_cap, set_irq_state, deleted_irq_handler, get_cap,set_cdt, empty_slot for (bcorres) bcorres[wp]: truncate_state diff --git a/proof/invariant-abstract/CNodeInv_AI.thy b/proof/invariant-abstract/CNodeInv_AI.thy index ac470e88d1..c41336582f 100644 --- a/proof/invariant-abstract/CNodeInv_AI.thy +++ b/proof/invariant-abstract/CNodeInv_AI.thy @@ -13,14 +13,10 @@ theory CNodeInv_AI imports ArchIpc_AI begin - -context begin interpretation Arch . -requalify_facts - set_cap_arch +arch_requalify_facts cte_at_length_limit arch_derive_cap_untyped valid_arch_mdb_cap_swap -end declare set_cap_arch[wp] 
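Review bot: In the CNodeInv_AI.thy hunk `set_cap_arch` is dropped from the requalification list, yet the unchanged `declare set_cap_arch[wp]` immediately below still refers to it by its unqualified name, so the theory now relies on `set_cap_arch` already being visible in the generic context through some earlier theory, and nothing in the hunk says where. Other hunks silently drop names the same way: `valid_validate_vm_rights` in CSpaceInv_AI.thy, `clearMemory` and `valid_global_refsD2` in Finalise_AI.thy, `maxIRQ` in Interrupt_AI.thy, `clearMemory` in Retype_AI.thy, and `addrFromPPtr`/`ptrFromPAddr` in the ADT_AI.thy hunk above (those two are also requalified in the LevityCatch_AI.thy hunk, which is presumably why they can go here). A short comment at each drop, e.g. `(* set_cap_arch is already exported by <earlier theory> *)`, would let a reader verify that the removal is not a latent name-resolution failure on another architecture.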
diff --git a/proof/invariant-abstract/CSpaceInvPre_AI.thy b/proof/invariant-abstract/CSpaceInvPre_AI.thy index 3af1af7515..5e7956ee72 100644 --- a/proof/invariant-abstract/CSpaceInvPre_AI.thy +++ b/proof/invariant-abstract/CSpaceInvPre_AI.thy @@ -8,18 +8,13 @@ theory CSpaceInvPre_AI imports ArchAcc_AI begin -context begin interpretation Arch . - -requalify_consts +arch_requalify_consts table_cap_ref empty_table -requalify_facts +arch_requalify_facts empty_table_def -end - - lemma set_cap_caps_of_state[wp]: "\\s. P ((caps_of_state s) (ptr \ cap))\ set_cap cap ptr \\rv s. P (caps_of_state s)\" apply (cases ptr) @@ -141,8 +136,9 @@ lemma empty_table_caps_of: "empty_table S ko \ caps_of ko = {}" by (cases ko, simp_all add: empty_table_def caps_of_def cap_of_def) -context begin interpretation Arch . -lemma free_index_update_test_function_stuff[simp]: +(* FIXME arch_split: exports properties of functions that are not necessarily in global context, + and then they get placed in the global simpset *) +lemma (in Arch) free_index_update_test_function_stuff[simp]: "cap_asid (src_cap\free_index := a\) = cap_asid src_cap" "gen_obj_refs (src_cap\free_index := a\) = gen_obj_refs src_cap" "vs_cap_ref (src_cap\free_index := a\) = vs_cap_ref src_cap" @@ -152,6 +148,9 @@ lemma free_index_update_test_function_stuff[simp]: by (auto simp: cap_asid_def free_index_update_def vs_cap_ref_def is_cap_simps gen_obj_refs_def split: cap.splits arch_cap.splits) -end + +requalify_facts Arch.free_index_update_test_function_stuff + +lemmas [simp] = free_index_update_test_function_stuff end diff --git a/proof/invariant-abstract/CSpaceInv_AI.thy b/proof/invariant-abstract/CSpaceInv_AI.thy index 538d6d0a7f..3596331e20 100644 --- a/proof/invariant-abstract/CSpaceInv_AI.thy +++ b/proof/invariant-abstract/CSpaceInv_AI.thy 
@@ -12,31 +12,31 @@ theory CSpaceInv_AI imports ArchCSpaceInvPre_AI begin -context begin interpretation Arch . - -requalify_consts +arch_requalify_consts cap_master_arch_cap replaceable_final_arch_cap replaceable_non_final_arch_cap unique_table_refs -requalify_facts +(* There are multiple arch-dependent acap_rights_update_id, one for wellformed_acap, + one for valid_arch_cap. Prefer the latter. *) +arch_requalify_facts (aliasing) + acap_rights_update_id + +arch_requalify_facts aobj_ref_acap_rights_update arch_obj_size_acap_rights_update valid_arch_cap_acap_rights_update - valid_validate_vm_rights cap_master_arch_inv unique_table_refs_def valid_ipc_buffer_cap_def acap_rights_update_idem cap_master_arch_cap_rights - acap_rights_update_id is_nondevice_page_cap_simps set_cap_hyp_refs_of state_hyp_refs_of_revokable set_cap_hyp_refs_of is_valid_vtable_root_is_arch_cap -end lemma is_valid_vtable_root_simps[simp]: "\ is_valid_vtable_root (UntypedCap a b c d)" @@ -1053,17 +1053,15 @@ lemma get_cap_caps_of_state: "(fst (get_cap p s) = {(cap, s)}) = (Some cap = caps_of_state s p)" by (clarsimp simp: caps_of_state_def eq_commute) -context Arch begin - -lemma abj_ref_none_no_refs: +(* generic consequence of architecture-specific details *) +(* FIXME arch_split: no global naming? *) +lemma (in Arch) abj_ref_none_no_refs: "obj_refs c = {} \ table_cap_ref c = None" unfolding table_cap_ref_def apply (cases c; simp) subgoal for ac by (cases ac; simp) done -end - requalify_facts Arch.abj_ref_none_no_refs lemma no_cap_to_obj_with_diff_ref_Null: diff --git a/proof/invariant-abstract/CSpacePre_AI.thy b/proof/invariant-abstract/CSpacePre_AI.thy index f94098cb0d..9cc07003ef 100644 --- a/proof/invariant-abstract/CSpacePre_AI.thy +++ b/proof/invariant-abstract/CSpacePre_AI.thy 
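Review bot: The comment above `arch_requalify_facts (aliasing) acap_rights_update_id` says two arch-dependent facts share that name and that the `valid_arch_cap` one is preferred, but it does not say how the `(aliasing)` form brings that about or what becomes of the other fact, which is exactly what the next person editing these lists will need to know. If `(aliasing)` means the export is allowed to re-bind a name that is already global, say so: `(* Two arch-level facts are named acap_rights_update_id (one about wellformed_acap, one about valid_arch_cap). (aliasing) permits re-binding an already exported name; confirm the valid_arch_cap version is the one that resolves. *)`. The hunk also drops `valid_validate_vm_rights` from the list without replacement, which deserves its own one-line justification.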
@@ -12,15 +12,13 @@ theory CSpacePre_AI imports ArchCSpaceInv_AI begin -context begin interpretation Arch . -requalify_consts +arch_requalify_consts cap_asid is_simple_cap_arch is_derived_arch safe_parent_for_arch cap_asid_base cap_vptr -end lemma fun_upd_Some: "ms p = Some k \ (ms(a \ b)) p = Some (if a = p then b else k)" diff --git a/proof/invariant-abstract/CSpace_AI.thy b/proof/invariant-abstract/CSpace_AI.thy index 5d043c1782..9f9d26a088 100644 --- a/proof/invariant-abstract/CSpace_AI.thy +++ b/proof/invariant-abstract/CSpace_AI.thy @@ -12,25 +12,28 @@ theory CSpace_AI imports ArchCSpacePre_AI begin -context begin interpretation Arch . - -requalify_consts +arch_requalify_consts irq_state_update irq_state final_matters_arch ups_of_heap +(* FIXME arch_split: this should maybe have a global_naming *) requalify_facts + Arch.loadWord_inv + +arch_requalify_facts (A) + update_cnode_cap_data_def + +arch_requalify_facts is_derived_arch_non_arch ups_of_heap_non_arch_upd master_arch_cap_obj_refs master_arch_cap_cap_class same_aobject_as_commute arch_derive_cap_inv - loadWord_inv valid_global_refsD2 arch_derived_is_device - update_cnode_cap_data_def safe_parent_for_arch_not_arch safe_parent_cap_range_arch valid_arch_mdb_simple @@ -44,8 +47,6 @@ requalify_facts valid_arch_mdb_null_filter valid_arch_mdb_untypeds -end - declare set_cap_update_free_index_valid_arch_mdb[wp] (* Proofs don't want to see these details. *) diff --git a/proof/invariant-abstract/DetSchedAux_AI.thy b/proof/invariant-abstract/DetSchedAux_AI.thy index 2223ed31cf..046b794ec7 100644 --- a/proof/invariant-abstract/DetSchedAux_AI.thy +++ b/proof/invariant-abstract/DetSchedAux_AI.thy 
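Review bot: `arch_requalify_facts (A) update_cnode_cap_data_def` introduces the `(A)` option next to a plain `arch_requalify_facts` list with no indication of what it changes, and the same unexplained split appears in ADT_AI.thy (`empty_context`, `init_A_st`), Finalise_AI.thy (`unmap_page`) and Invariants_AI.thy (`arch_cap_is_device`, `ASIDPoolObj`, the `*_bits_def` facts). Since the difference is presumably in how the exported name is qualified, a one-line comment at the first use in each theory would save readers a trip to the command's definition, e.g. `(* (A): <one-line description of how this variant qualifies the exported name> *)`. The adjacent `(* FIXME arch_split: this should maybe have a global_naming *)` on `requalify_facts Arch.loadWord_inv` is phrased as a doubt; if the observation is that `loadWord_inv` is only reachable as `Arch.loadWord_inv`, say that, so the FIXME states what to change.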
@@ -8,10 +8,9 @@ theory DetSchedAux_AI imports DetSchedInvs_AI begin -context begin interpretation Arch . +(* (* FIXME arch_split: check it's global on other arches *) requalify_facts - invoke_untyped_st_tcb_at -end + invoke_untyped_st_tcb_at *) crunch_ignore (del: cap_swap_ext cap_move_ext cap_insert_ext empty_slot_ext create_cap_ext tcb_sched_action diff --git a/proof/invariant-abstract/Deterministic_AI.thy b/proof/invariant-abstract/Deterministic_AI.thy index f9452d06bf..c4db9f5153 100644 --- a/proof/invariant-abstract/Deterministic_AI.thy +++ b/proof/invariant-abstract/Deterministic_AI.thy @@ -8,14 +8,12 @@ theory Deterministic_AI imports AInvs begin -context begin interpretation Arch . -requalify_facts +arch_requalify_facts update_work_units_empty_fail reset_work_units_empty_fail set_domain_empty_fail thread_set_domain_empty_fail arch_post_cap_deletion_valid_list -end lemmas [wp] = update_work_units_empty_fail diff --git a/proof/invariant-abstract/Detype_AI.thy b/proof/invariant-abstract/Detype_AI.thy index 0e61737e84..6fe4089048 100644 --- a/proof/invariant-abstract/Detype_AI.thy +++ b/proof/invariant-abstract/Detype_AI.thy @@ -8,9 +8,7 @@ theory Detype_AI imports ArchRetype_AI begin -context begin interpretation Arch . - -requalify_facts +arch_requalify_facts valid_arch_mdb_detype clearMemory_invs invs_irq_state_independent @@ -18,8 +16,6 @@ requalify_facts caps_region_kernel_window_imp init_arch_objects_wps -end - declare clearMemory_invs[wp] declare invs_irq_state_independent[intro!, simp] diff --git a/proof/invariant-abstract/EmptyFail_AI.thy b/proof/invariant-abstract/EmptyFail_AI.thy index 126a8d275e..744447a57f 100644 --- a/proof/invariant-abstract/EmptyFail_AI.thy +++ b/proof/invariant-abstract/EmptyFail_AI.thy 
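Review bot: The old requalification of `invoke_untyped_st_tcb_at` is not deleted but wrapped in a comment, with a nested `(* FIXME arch_split: check it's global on other arches *)` inside it, so the commit ships dead code carrying an assumption that has not been verified; the InvariantsPre_AI.thy hunk does the same for `aa_type` under `(* FIXME RAF: ... *)`. If the fact is already global on every architecture the block can simply go (history keeps it), and if that is not yet known the check belongs before the merge rather than in a comment. Should a reminder be wanted anyway, a single line reads better: `(* FIXME arch_split: invoke_untyped_st_tcb_at used to be requalified here; confirm it is global on all arches, then drop this note *)`. The `FIXME RAF` tag in InvariantsPre_AI.thy also departs from the `FIXME arch_split` tag every other new comment in this patch uses.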
@@ -8,10 +8,9 @@ theory EmptyFail_AI imports ArchTcb_AI begin -context begin interpretation Arch . +(* FIXME arch_split: no global_naming *) requalify_facts - ef_machine_op_lift -end + Arch.ef_machine_op_lift lemmas [wp] = ef_ignore_failure ef_machine_op_lift diff --git a/proof/invariant-abstract/Finalise_AI.thy b/proof/invariant-abstract/Finalise_AI.thy index 9361002b75..b1fcf80039 100644 --- a/proof/invariant-abstract/Finalise_AI.thy +++ b/proof/invariant-abstract/Finalise_AI.thy @@ -20,27 +20,26 @@ where | cap.Zombie r zb n \ {(r, replicate (zombie_cte_bits zb) False)} | _ \ {})" -context begin interpretation Arch . +arch_requalify_consts (A) + unmap_page -requalify_consts +arch_requalify_consts vs_cap_ref - unmap_page - clearMemory arch_post_cap_delete_pre +(* FIXME arch_split: no global_naming *) requalify_facts + Arch.no_irq_clearMemory + +arch_requalify_facts final_cap_lift - no_irq_clearMemory valid_global_refsD - valid_global_refsD2 arch_post_cap_deletion_valid_objs arch_post_cap_deletion_cte_wp_at arch_post_cap_deletion_caps_of_state arch_post_cap_deletion_irq_node arch_post_cap_deletion_invs -end - definition "post_cap_delete_pre cap cs \ case cap of IRQHandlerCap irq \ cap \ ran cs diff --git a/proof/invariant-abstract/Interrupt_AI.thy b/proof/invariant-abstract/Interrupt_AI.thy index 2b94ccc0d0..9400285444 100644 --- a/proof/invariant-abstract/Interrupt_AI.thy +++ b/proof/invariant-abstract/Interrupt_AI.thy @@ -12,14 +12,8 @@ theory Interrupt_AI imports ArchIpc_AI begin - -context begin interpretation Arch . -requalify_consts - maxIRQ - -requalify_facts +arch_requalify_facts arch_post_cap_deletion_mdb_inv -end definition interrupt_derived :: "cap \ cap \ bool" diff --git a/proof/invariant-abstract/InvariantsPre_AI.thy b/proof/invariant-abstract/InvariantsPre_AI.thy index 0201647a67..3fc6876f9e 100644 --- a/proof/invariant-abstract/InvariantsPre_AI.thy +++ b/proof/invariant-abstract/InvariantsPre_AI.thy 
@@ -8,15 +8,12 @@ theory InvariantsPre_AI imports LevityCatch_AI begin -context begin interpretation Arch . - -requalify_types - aa_type - -requalify_consts +(* FIXME RAF: these already appear exported to global context?! +arch_requalify_types (A) aa_type -end +arch_requalify_consts (A) + aa_type *) (* FIXME: move *) declare ranI [intro] diff --git a/proof/invariant-abstract/Invariants_AI.thy b/proof/invariant-abstract/Invariants_AI.thy index 09fbb5a5d3..845908d66b 100644 --- a/proof/invariant-abstract/Invariants_AI.thy +++ b/proof/invariant-abstract/Invariants_AI.thy @@ -9,16 +9,24 @@ theory Invariants_AI imports ArchInvariants_AI begin -context begin interpretation Arch . - -requalify_types +arch_requalify_types iarch_tcb -requalify_consts +arch_requalify_consts (A) + arch_cap_is_device + ASIDPoolObj + +(* we need to know the sizes of arch objects in the generic context *) +arch_requalify_facts (A) + cte_level_bits_def + tcb_bits_def + endpoint_bits_def + ntfn_bits_def + +arch_requalify_consts not_kernel_window global_refs arch_obj_bits_type - arch_cap_is_device is_nondevice_page_cap state_hyp_refs_of hyp_refs_of @@ -45,8 +53,6 @@ requalify_consts valid_global_vspace_mappings pspace_in_kernel_window - ASIDPoolObj - valid_vs_lookup user_mem device_mem @@ -59,7 +65,7 @@ requalify_consts vs_lookup vs_lookup_pages -requalify_facts +arch_requalify_facts valid_arch_sizes aobj_bits_T valid_arch_cap_def2 @@ -93,12 +99,13 @@ requalify_facts wellformed_arch_typ valid_arch_tcb_pspaceI valid_arch_tcb_lift - cte_level_bits_def obj_ref_not_arch_gen_ref arch_gen_ref_not_obj_ref arch_gen_obj_refs_inD same_aobject_same_arch_gen_refs valid_arch_mdb_eqI + iarch_tcb_context_set + iarch_tcb_set_registers lemmas [simp] = tcb_bits_def 
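Review bot: The new comment `(* we need to know the sizes of arch objects in the generic context *)` in the Invariants_AI.thy hunk sits above `cte_level_bits_def`, `tcb_bits_def`, `endpoint_bits_def` and `ntfn_bits_def`, which judging by their names are the sizes of generic kernel objects (CTE, TCB, endpoint, notification) whose values happen to be fixed per architecture, not sizes of arch objects. Suggested wording: `(* the sizes of the generic kernel objects are fixed per architecture; export their definitions so the generic context can unfold them *)`. The `cte_level_bits_def` entry is moved here from the plain list further down in the same file, so the list order change is intentional and could be mentioned in that comment too.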
@@ -107,12 +114,10 @@ lemmas [simp] = iarch_tcb_context_set iarch_tcb_set_registers -end - -lemmas [intro!] = idle_global acap_rights_update_id +lemmas [intro!] = idle_global acap_rights_update_id -lemmas [simp] = acap_rights_update_id state_hyp_refs_update - tcb_arch_ref_simps hyp_live_tcb_simps hyp_refs_of_simps +lemmas [simp] = acap_rights_update_id state_hyp_refs_update + tcb_arch_ref_simps hyp_live_tcb_simps hyp_refs_of_simps \ \---------------------------------------------------------------------------\ @@ -1686,17 +1691,13 @@ lemma cte_wp_at_pspaceI: "\ cte_wp_at P slot s; kheap s = kheap s' \ \ cte_wp_at P slot s'" by (simp add: cte_wp_at_cases) -context Arch begin -lemma valid_arch_cap_pspaceI: +(* generic consequence of architecture-specific details *) +lemma (in Arch) valid_arch_cap_pspaceI: "\ valid_arch_cap acap s; kheap s = kheap s' \ \ valid_arch_cap acap s'" unfolding valid_arch_cap_def by (auto intro: obj_at_pspaceI split: arch_cap.split) -end -context begin interpretation Arch . -requalify_facts - valid_arch_cap_pspaceI -end +requalify_facts Arch.valid_arch_cap_pspaceI lemma valid_cap_pspaceI: "\ s \ cap; kheap s = kheap s' \ \ s' \ cap" @@ -2953,11 +2954,11 @@ lemma valid_idle_lift: lemmas caps_of_state_valid_cap = cte_wp_valid_cap [OF caps_of_state_cteD] - +(* generic consequence of architecture-specific details *) lemma (in Arch) obj_ref_is_arch: "\aobj_ref c = Some r; valid_arch_cap c s\ \ \ ako. kheap s r = Some (ArchObj ako)" -by (auto simp add: valid_arch_cap_def obj_at_def valid_arch_cap_ref_def split: arch_cap.splits if_splits) - + by (auto simp: valid_arch_cap_def obj_at_def valid_arch_cap_ref_def + split: arch_cap.splits if_splits) requalify_facts Arch.obj_ref_is_arch 
@@ -3264,7 +3265,7 @@ lemma invs_sym_refs [elim!]: "invs s \ sym_refs (state_refs_of s)" by (simp add: invs_def valid_state_def valid_pspace_def) -lemma invs_hyp_sym_refs [elim!]: (* ARMHYP move and requalify *) +lemma invs_hyp_sym_refs [elim!]: "invs s \ sym_refs (state_hyp_refs_of s)" by (simp add: invs_def valid_state_def valid_pspace_def) diff --git a/proof/invariant-abstract/IpcCancel_AI.thy b/proof/invariant-abstract/IpcCancel_AI.thy index 613971c5c1..fbd43920f4 100644 --- a/proof/invariant-abstract/IpcCancel_AI.thy +++ b/proof/invariant-abstract/IpcCancel_AI.thy @@ -8,13 +8,12 @@ theory IpcCancel_AI imports ArchSchedule_AI begin -context begin interpretation Arch . - +(* FIXME arch_split: strange global_naming *) requalify_facts - arch_stit_invs - arch_post_cap_deletion_pred_tcb_at + Arch.arch_stit_invs -end +arch_requalify_facts + arch_post_cap_deletion_pred_tcb_at declare arch_post_cap_deletion_pred_tcb_at[wp] diff --git a/proof/invariant-abstract/Ipc_AI.thy b/proof/invariant-abstract/Ipc_AI.thy index d47d10b33d..af16acb055 100644 --- a/proof/invariant-abstract/Ipc_AI.thy +++ b/proof/invariant-abstract/Ipc_AI.thy 
@@ -10,25 +10,26 @@ imports "Monads.WPBang" begin -context begin interpretation Arch . -requalify_consts +arch_requalify_consts in_device_frame + +(* FIXME arch_split: unclear why not arch global_naming *) requalify_facts + Arch.setup_caller_cap_ioports + Arch.set_mrs_ioports + Arch.as_user_ioports + Arch.set_message_info_ioports + Arch.copy_mrs_ioports + Arch.store_word_offs_ioports + Arch.make_arch_fault_msg_ioports + Arch.arch_derive_cap_notzombie + Arch.arch_derive_cap_notIRQ + +arch_requalify_facts lookup_ipc_buffer_inv set_mi_invs as_user_hyp_refs_of valid_arch_arch_tcb_set_registers - setup_caller_cap_ioports - set_mrs_ioports - as_user_ioports - set_message_info_ioports - copy_mrs_ioports - store_word_offs_ioports - make_arch_fault_msg_ioports - arch_derive_cap_notzombie - arch_derive_cap_notIRQ - -end declare lookup_ipc_buffer_inv[wp] declare set_mi_invs[wp] diff --git a/proof/invariant-abstract/KHeap_AI.thy b/proof/invariant-abstract/KHeap_AI.thy index 937070e540..9294d03014 100644 --- a/proof/invariant-abstract/KHeap_AI.thy +++ b/proof/invariant-abstract/KHeap_AI.thy @@ -8,15 +8,18 @@ theory KHeap_AI imports ArchKHeap_AI begin -context begin interpretation Arch . - -requalify_consts +arch_requalify_consts obj_is_device valid_vso_at non_vspace_obj vspace_obj_pred +(* FIXME arch_split: these should probably be in an arch-named context *) requalify_facts + Arch.getActiveIRQ_neq_non_kernel + Arch.dmo_getActiveIRQ_non_kernel + +arch_requalify_facts pspace_in_kernel_window_atyp_lift valid_vspace_objs_lift_weak vs_lookup_vspace_obj_at_lift @@ -57,15 +60,10 @@ requalify_facts default_arch_object_not_live default_tcb_not_live - getActiveIRQ_neq_non_kernel - dmo_getActiveIRQ_non_kernel - valid_arch_tcb_same_type valid_arch_tcb_typ_at valid_tcb_arch_ref_lift -end - lemmas cap_is_device_obj_is_device[simp] = cap_is_device_obj_is_device lemmas storeWord_device_state_hoare[wp] = storeWord_device_state_inv 
diff --git a/proof/invariant-abstract/LevityCatch_AI.thy b/proof/invariant-abstract/LevityCatch_AI.thy index 10b229f813..fa3f444e8a 100644 --- a/proof/invariant-abstract/LevityCatch_AI.thy +++ b/proof/invariant-abstract/LevityCatch_AI.thy @@ -13,16 +13,13 @@ begin (* FIXME: eliminate mapM_UNIV_wp, use mapM_wp' directly *) lemmas mapM_UNIV_wp = mapM_wp' -context begin interpretation Arch . - -requalify_consts +arch_requalify_consts ptrFromPAddr addrFromPPtr -requalify_facts + +arch_requalify_facts ptrFormPAddr_addFromPPtr aobj_ref_arch_cap -end - lemmas aobj_ref_arch_cap_simps[simp] = aobj_ref_arch_cap lemma detype_arch_state: @@ -46,7 +43,6 @@ lemmas cap_irqs_simps[simp] = declare liftE_wp[wp] declare case_sum_True[simp] -declare select_singleton[simp] crunch_ignore (add: do_extended_op) diff --git a/proof/invariant-abstract/Retype_AI.thy b/proof/invariant-abstract/Retype_AI.thy index 08fb0e5487..6091a83335 100644 --- a/proof/invariant-abstract/Retype_AI.thy +++ b/proof/invariant-abstract/Retype_AI.thy @@ -15,14 +15,12 @@ begin abbreviation "up_aligned_area ptr sz \ {ptr..(ptr && ~~ mask sz) + (2 ^ sz - 1)}" abbreviation "down_aligned_area ptr sz \ {(ptr && ~~ mask sz) + (2 ^ sz - 1) .. ptr}" -context begin interpretation Arch . -requalify_facts +arch_requalify_facts global_refs_kheap valid_vspace_obj_default -requalify_consts - clearMemory + +arch_requalify_consts clearMemoryVM -end declare global_refs_kheap[simp] diff --git a/proof/invariant-abstract/Schedule_AI.thy b/proof/invariant-abstract/Schedule_AI.thy index f471e9a01f..b3e4be88fd 100644 --- a/proof/invariant-abstract/Schedule_AI.thy +++ b/proof/invariant-abstract/Schedule_AI.thy 
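Review bot: The second LevityCatch_AI.thy hunk (`@@ -46,7 +43,6 @@`) drops `declare select_singleton[simp]`, which is a change to the global simpset inherited by every theory importing LevityCatch_AI, whereas the rest of this hunk series only rewrites requalification boilerplate. If the rule is known to be redundant (for example already declared `[simp]` where `select_singleton` is proved), that should be stated, either in the patch description (outside this view) or with a one-line note at the site such as `(* select_singleton is already a simp rule upstream; no local declaration needed *)`. If it is not redundant, this belongs in its own commit so that a downstream proof breaking on a missing rewrite can be bisected to it.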
@@ -27,13 +27,11 @@ locale Schedule_AI = assumes stit_activatable: "\invs\ switch_to_idle_thread \\rv . (ct_in_state activatable :: 'a state \ bool)\" -context begin interpretation Arch . (* FIXME arch_split: some of these could be moved to generic theories so they don't need to be unqualified. *) requalify_facts - no_irq - no_irq_storeWord -end + Arch.no_irq + Arch.no_irq_storeWord crunch schedule_switch_thread_fastfail for inv[wp]: P diff --git a/proof/invariant-abstract/Syscall_AI.thy b/proof/invariant-abstract/Syscall_AI.thy index 22715346a5..71e4197069 100644 --- a/proof/invariant-abstract/Syscall_AI.thy +++ b/proof/invariant-abstract/Syscall_AI.thy @@ -16,16 +16,18 @@ imports ArchInterrupt_AI begin -context begin interpretation Arch . requalify_facts - arch_decode_invocation_inv - lookup_cap_and_slot_inv + (* lookup_cap_and_slot_inv (* FIXME arch_split: check other arches to make sure this is global *) *) + Arch.resetTimer_device_state_inv + +arch_requalify_facts (A) data_to_cptr_def + +arch_requalify_facts + arch_decode_invocation_inv arch_post_cap_deletion_cur_thread arch_post_cap_deletion_state_refs_of arch_invoke_irq_handler_typ_at - resetTimer_device_state_inv -end lemmas [wp] = arch_decode_invocation_inv diff --git a/proof/invariant-abstract/TcbAcc_AI.thy b/proof/invariant-abstract/TcbAcc_AI.thy index 85c17f7675..7494233a23 100644 --- a/proof/invariant-abstract/TcbAcc_AI.thy +++ b/proof/invariant-abstract/TcbAcc_AI.thy @@ -8,9 +8,7 @@ theory TcbAcc_AI imports ArchCSpace_AI begin -context begin interpretation Arch . - -requalify_facts +arch_requalify_facts valid_arch_arch_tcb_context_set as_user_inv getRegister_inv @@ -18,8 +16,6 @@ requalify_facts declare user_getreg_inv[wp] -end - locale TcbAcc_AI_storeWord_invs = fixes state_ext_t :: "'state_ext::state_ext itself" assumes storeWord_invs[wp]: 
@@ -1130,7 +1126,6 @@ lemma kheap_Some_state_hyp_refs_ofD: "kheap s p = Some ko \ state_hyp_refs_of s p = hyp_refs_of ko" by (rule ko_at_state_hyp_refs_ofD; simp add: obj_at_def) -(* FIXME should be able to prove this in the generic context *) lemma sts_hyp_refs_of[wp]: "\\s. P (state_hyp_refs_of s)\ set_thread_state t st diff --git a/proof/invariant-abstract/Tcb_AI.thy b/proof/invariant-abstract/Tcb_AI.thy index 55406a0718..bb98806023 100644 --- a/proof/invariant-abstract/Tcb_AI.thy +++ b/proof/invariant-abstract/Tcb_AI.thy @@ -8,13 +8,9 @@ theory Tcb_AI imports ArchCNodeInv_AI begin -context begin interpretation Arch . - -requalify_facts +arch_requalify_facts arch_derive_is_arch -end - locale Tcb_AI_1 = fixes state_ext_t :: "('state_ext::state_ext) itself" fixes is_cnode_or_valid_arch :: "cap \ bool" diff --git a/proof/invariant-abstract/Untyped_AI.thy b/proof/invariant-abstract/Untyped_AI.thy index c832c114c6..8ba8f5ebef 100644 --- a/proof/invariant-abstract/Untyped_AI.thy +++ b/proof/invariant-abstract/Untyped_AI.thy @@ -15,22 +15,14 @@ begin unbundle l4v_word_context (* because of Lib.MonadicRewrite *) -context begin interpretation Arch . - -requalify_consts - region_in_kernel_window - arch_default_cap +arch_requalify_consts second_level_tables safe_ioport_insert -requalify_facts - set_cap_valid_arch_caps_simple - set_cap_kernel_window_simple +arch_requalify_facts set_cap_ioports' safe_ioport_insert_triv -end - primrec valid_untyped_inv_wcap :: "Invocations_A.untyped_invocation \ cap option \ 'z::state_ext state \ bool" @@ -528,11 +520,6 @@ lemma range_cover_stuff: done qed (simp add: word_bits_def) -context Arch begin - (*FIXME: generify proof that uses this *) - lemmas range_cover_stuff_arch = range_cover_stuff[unfolded word_bits_def, simplified] -end - lemma cte_wp_at_range_cover: "\bits < word_bits; rv\ 2^ sz; invs s; diff --git a/proof/invariant-abstract/VSpacePre_AI.thy b/proof/invariant-abstract/VSpacePre_AI.thy index e4e17075f3..bec3a0b40c 100644 
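Review bot: The Untyped_AI.thy hunk at `@@ -528,11 +520,6 @@` removes `range_cover_stuff_arch` together with its `(*FIXME: generify proof that uses this *)` marker, so the record that some arch-specific proof depends on a `word_bits`-specialised form of `range_cover_stuff` is lost. If that consumer has been generified the deletion is complete; if the lemma was merely relocated into the arch theories, the FIXME should travel with it, e.g. `(* FIXME: generify the proof that uses range_cover_stuff_arch *)` at the new site. Which of the two happened is not visible here and is worth a line in the patch description.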
--- a/proof/invariant-abstract/VSpacePre_AI.thy +++ b/proof/invariant-abstract/VSpacePre_AI.thy @@ -12,13 +12,9 @@ theory VSpacePre_AI imports ArchTcbAcc_AI begin -context begin interpretation Arch . - -requalify_facts +arch_requalify_facts cap_master_cap_tcb_cap_valid_arch -end - lemma throw_on_false_wp[wp]: "\P\ f \\rv s. (rv \ Q () s) \ (\ rv \ E x s)\ \ \P\ throw_on_false x f \Q\,\E\" diff --git a/proof/invariant-abstract/VSpace_AI.thy b/proof/invariant-abstract/VSpace_AI.thy index 2e8513cb81..54a7294310 100644 --- a/proof/invariant-abstract/VSpace_AI.thy +++ b/proof/invariant-abstract/VSpace_AI.thy @@ -11,14 +11,14 @@ Architecture-independent VSpace invariant proofs theory VSpace_AI imports ArchVSpace_AI begin -context begin interpretation Arch . +(* FIXME arch_split: this should maybe have global_naming *) requalify_facts - pspace_respects_device_region_dmo - cap_refs_respects_device_region_dmo - ackInterrupt_device_state_inv + Arch.ackInterrupt_device_state_inv -end +arch_requalify_facts + pspace_respects_device_region_dmo + cap_refs_respects_device_region_dmo lemmas device_region_dmos = pspace_respects_device_region_dmo From 54473b246eaed3b478061887944947e001d0546b Mon Sep 17 00:00:00 2001 
From: Rafal Kolanski Date: Tue, 23 Jul 2024 11:16:46 +1000 Subject: [PATCH 6/9] [wip] gen+aarch64 ainvs: add missing arch_global_naming * get rid of `global_naming Arch`, this is no longer needed since we can requalify directly from `arch_global_naming` with `arch_requalify` commands * add missing `arch_global_naming` for `context Arch`, for consistency --- .../AARCH64/ArchAInvsPre.thy | 1 - .../AARCH64/ArchBCorres_AI.thy | 1 + .../AARCH64/ArchDetype_AI.thy | 1 + .../AARCH64/ArchFinalise_AI.thy | 9 -------- .../AARCH64/ArchSchedule_AI.thy | 3 --- .../AARCH64/ArchVCPU_AI.thy | 2 +- .../invariant-abstract/AARCH64/Machine_AI.thy | 13 ++++++------ proof/invariant-abstract/CSpaceInv_AI.thy | 2 +- proof/invariant-abstract/CSpace_AI.thy | 5 +---- proof/invariant-abstract/EmptyFail_AI.thy | 5 ++--- proof/invariant-abstract/Finalise_AI.thy | 5 +---- proof/invariant-abstract/InvariantsPre_AI.thy | 7 ------- proof/invariant-abstract/IpcCancel_AI.thy | 5 +---- proof/invariant-abstract/Ipc_AI.thy | 21 ++++++++----------- proof/invariant-abstract/KHeap_AI.thy | 7 ++----- proof/invariant-abstract/Schedule_AI.thy | 8 +++---- proof/invariant-abstract/Syscall_AI.thy | 6 +++--- proof/invariant-abstract/VSpace_AI.thy | 5 +---- 18 files changed, 34 insertions(+), 72 deletions(-) diff --git a/proof/invariant-abstract/AARCH64/ArchAInvsPre.thy b/proof/invariant-abstract/AARCH64/ArchAInvsPre.thy index 4bb6bc441e..892bed850f 100644 --- a/proof/invariant-abstract/AARCH64/ArchAInvsPre.thy +++ b/proof/invariant-abstract/AARCH64/ArchAInvsPre.thy @@ -79,7 +79,6 @@ lemma device_frame_in_device_region: \ device_state (machine_state s) p \ None" by (auto simp add: pspace_respects_device_region_def dom_def device_mem_def) -global_naming Arch named_theorems AInvsPre_assms lemma get_vspace_of_thread_asid_or_global_pt: diff --git a/proof/invariant-abstract/AARCH64/ArchBCorres_AI.thy b/proof/invariant-abstract/AARCH64/ArchBCorres_AI.thy index 8364a914dd..97e040139b 100644 
--- a/proof/invariant-abstract/AARCH64/ArchBCorres_AI.thy +++ b/proof/invariant-abstract/AARCH64/ArchBCorres_AI.thy @@ -45,6 +45,7 @@ crunch prepare_thread_delete end +(* FIXME arch_split: move to generic theory *) arch_requalify_facts arch_finalise_cap_bcorres prepare_thread_delete_bcorres declare arch_finalise_cap_bcorres[wp] prepare_thread_delete_bcorres[wp] diff --git a/proof/invariant-abstract/AARCH64/ArchDetype_AI.thy b/proof/invariant-abstract/AARCH64/ArchDetype_AI.thy index b7a66c2305..5a7106fd59 100644 --- a/proof/invariant-abstract/AARCH64/ArchDetype_AI.thy +++ b/proof/invariant-abstract/AARCH64/ArchDetype_AI.thy @@ -637,6 +637,7 @@ interpretation Detype_AI_2 by blast (* generic consequence of architecture-specific details *) +(* FIXME arch-split: can't this be done without this strange requalification? *) lemma (in Arch) delete_objects_invs[wp]: "\(\s. \slot. cte_wp_at ((=) (cap.UntypedCap dev ptr bits f)) slot s \ descendants_range (cap.UntypedCap dev ptr bits f) slot s) and diff --git a/proof/invariant-abstract/AARCH64/ArchFinalise_AI.thy b/proof/invariant-abstract/AARCH64/ArchFinalise_AI.thy index f45618a637..d609d7ca97 100644 --- a/proof/invariant-abstract/AARCH64/ArchFinalise_AI.thy +++ b/proof/invariant-abstract/AARCH64/ArchFinalise_AI.thy @@ -217,8 +217,6 @@ lemma unmap_page_tcb_cap_valid: done -global_naming Arch - lemma (* replaceable_cdt_update *)[simp,Finalise_AI_assms]: "replaceable (cdt_update f s) = replaceable s" by (fastforce simp: replaceable_def tcb_cap_valid_def @@ -1400,7 +1398,6 @@ lemma arch_finalise_cap_replaceable: apply (clarsimp simp: valid_cap_def wellformed_mapdata_def cap_aligned_def obj_at_def) done -global_naming Arch lemma (* deleting_irq_handler_slot_not_irq_node *)[Finalise_AI_assms]: "\if_unsafe_then_cap and valid_global_refs and cte_wp_at (\cp. cap_irqs cp \ {}) sl\ 
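Review bot: The new comment on `delete_objects_invs` in the ArchDetype_AI.thy hunk is tagged `FIXME arch-split`, while every other marker in this series (ArchBCorres_AI.thy in the same patch, Syscall_AI.thy, Schedule_AI.thy, CSpaceInv_AI.thy) uses `FIXME arch_split`; a grep for the tag used to sweep these up once the split is finished will miss this one. Suggest `(* FIXME arch_split: can't this be done without this strange requalification? *)`. The lemma's statement and proof continue outside the hunk.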
@@ -1600,7 +1597,6 @@ lemma fast_finalise_replaceable[wp]: apply (clarsimp simp: cap_irqs_def cap_irq_opt_def split: cap.split_asm) done -global_naming Arch lemma (* cap_delete_one_invs *) [Finalise_AI_assms,wp]: "\invs and emptyable ptr\ cap_delete_one ptr \\rv. invs\" apply (simp add: cap_delete_one_def unless_def is_final_cap_def) @@ -1771,9 +1767,6 @@ lemma replaceable_or_arch_update_pg: apply (auto simp: is_cap_simps is_arch_update_def cap_master_cap_simps) done - -global_naming Arch - crunch prepare_thread_delete for invs[wp]: invs (ignore: set_object do_machine_op wp: dmo_invs_lift) @@ -1961,8 +1954,6 @@ lemma arch_finalise_cap_valid_cap[wp]: unfolding arch_finalise_cap_def by (wpsimp split: arch_cap.split option.split bool.split) -global_naming Arch - lemmas clearMemory_invs[wp,Finalise_AI_assms] = clearMemory_invs lemma valid_idle_has_null_cap_ARCH[Finalise_AI_assms]: diff --git a/proof/invariant-abstract/AARCH64/ArchSchedule_AI.thy b/proof/invariant-abstract/AARCH64/ArchSchedule_AI.thy index 61c7cee033..01d12ad001 100644 --- a/proof/invariant-abstract/AARCH64/ArchSchedule_AI.thy +++ b/proof/invariant-abstract/AARCH64/ArchSchedule_AI.thy @@ -28,9 +28,6 @@ lemma dmo_mapM_storeWord_0_invs[wp,Schedule_AI_assms]: apply wp by (simp add: upto.simps word_bits_def) -(* FIXME arch_split: why not arch global naming? this doesn't make sense *) -global_naming Arch - lemma arch_stt_invs [wp,Schedule_AI_assms]: "arch_switch_to_thread t' \invs\" apply (wpsimp simp: arch_switch_to_thread_def) diff --git a/proof/invariant-abstract/AARCH64/ArchVCPU_AI.thy b/proof/invariant-abstract/AARCH64/ArchVCPU_AI.thy index aaeac4a458..35dc4a38bc 100644 --- a/proof/invariant-abstract/AARCH64/ArchVCPU_AI.thy +++ b/proof/invariant-abstract/AARCH64/ArchVCPU_AI.thy 
@@ -9,7 +9,7 @@ theory ArchVCPU_AI imports AInvs begin -context Arch begin arch_global_naming (*FIXME: arch_split*) +context Arch begin arch_global_naming (* This is similar to cur_vcpu_2, but not close enough to reuse. *) definition active_cur_vcpu_of :: "'z state \ obj_ref option" where diff --git a/proof/invariant-abstract/AARCH64/Machine_AI.thy b/proof/invariant-abstract/AARCH64/Machine_AI.thy index 200404b0ea..b6d2e48bce 100644 --- a/proof/invariant-abstract/AARCH64/Machine_AI.thy +++ b/proof/invariant-abstract/AARCH64/Machine_AI.thy @@ -69,8 +69,7 @@ crunch_ignore (no_irq) (add: handleE' handleE handle_elseE forM forM_x zipWithM ignore_failure) -(* FIXME arch_split: no global_naming? *) -context Arch begin +context Arch begin arch_global_naming text \Deterministic\ @@ -424,10 +423,10 @@ lemma dmo_gets_inv[wp]: end -requalify_facts - Arch.det_getRegister - Arch.det_setRegister - Arch.det_getRestartPC - Arch.det_setNextPC +arch_requalify_facts + det_getRegister + det_setRegister + det_getRestartPC + det_setNextPC end diff --git a/proof/invariant-abstract/CSpaceInv_AI.thy b/proof/invariant-abstract/CSpaceInv_AI.thy index 3596331e20..a7145640a6 100644 --- a/proof/invariant-abstract/CSpaceInv_AI.thy +++ b/proof/invariant-abstract/CSpaceInv_AI.thy @@ -1054,7 +1054,7 @@ lemma get_cap_caps_of_state: by (clarsimp simp: caps_of_state_def eq_commute) (* generic consequence of architecture-specific details *) -(* FIXME arch_split: no global naming? *) +(* FIXME arch_split: no global naming, immediately requalified *) lemma (in Arch) abj_ref_none_no_refs: "obj_refs c = {} \ table_cap_ref c = None" unfolding table_cap_ref_def diff --git a/proof/invariant-abstract/CSpace_AI.thy b/proof/invariant-abstract/CSpace_AI.thy index 9f9d26a088..bd116c14c2 100644 --- a/proof/invariant-abstract/CSpace_AI.thy +++ b/proof/invariant-abstract/CSpace_AI.thy 
@@ -18,14 +18,11 @@ arch_requalify_consts final_matters_arch ups_of_heap -(* FIXME arch_split: this should maybe have a global_naming *) -requalify_facts - Arch.loadWord_inv - arch_requalify_facts (A) update_cnode_cap_data_def arch_requalify_facts + loadWord_inv is_derived_arch_non_arch ups_of_heap_non_arch_upd master_arch_cap_obj_refs diff --git a/proof/invariant-abstract/EmptyFail_AI.thy b/proof/invariant-abstract/EmptyFail_AI.thy index 744447a57f..8ccf6bfa90 100644 --- a/proof/invariant-abstract/EmptyFail_AI.thy +++ b/proof/invariant-abstract/EmptyFail_AI.thy @@ -8,9 +8,8 @@ theory EmptyFail_AI imports ArchTcb_AI begin -(* FIXME arch_split: no global_naming *) -requalify_facts - Arch.ef_machine_op_lift +arch_requalify_facts + ef_machine_op_lift lemmas [wp] = ef_ignore_failure ef_machine_op_lift diff --git a/proof/invariant-abstract/Finalise_AI.thy b/proof/invariant-abstract/Finalise_AI.thy index b1fcf80039..310653546c 100644 --- a/proof/invariant-abstract/Finalise_AI.thy +++ b/proof/invariant-abstract/Finalise_AI.thy @@ -27,11 +27,8 @@ arch_requalify_consts vs_cap_ref arch_post_cap_delete_pre -(* FIXME arch_split: no global_naming *) -requalify_facts - Arch.no_irq_clearMemory - arch_requalify_facts + no_irq_clearMemory final_cap_lift valid_global_refsD arch_post_cap_deletion_valid_objs diff --git a/proof/invariant-abstract/InvariantsPre_AI.thy b/proof/invariant-abstract/InvariantsPre_AI.thy index 3fc6876f9e..4020592d02 100644 --- a/proof/invariant-abstract/InvariantsPre_AI.thy +++ b/proof/invariant-abstract/InvariantsPre_AI.thy @@ -8,13 +8,6 @@ theory InvariantsPre_AI imports LevityCatch_AI begin -(* FIXME RAF: these already appear exported to global context?! -arch_requalify_types (A) - aa_type - -arch_requalify_consts (A) - aa_type *) - (* FIXME: move *) declare ranI [intro] diff --git a/proof/invariant-abstract/IpcCancel_AI.thy b/proof/invariant-abstract/IpcCancel_AI.thy index fbd43920f4..30c49f0710 100644 --- a/proof/invariant-abstract/IpcCancel_AI.thy 
+++ b/proof/invariant-abstract/IpcCancel_AI.thy @@ -8,11 +8,8 @@ theory IpcCancel_AI imports ArchSchedule_AI begin -(* FIXME arch_split: strange global_naming *) -requalify_facts - Arch.arch_stit_invs - arch_requalify_facts + arch_stit_invs arch_post_cap_deletion_pred_tcb_at declare arch_post_cap_deletion_pred_tcb_at[wp] diff --git a/proof/invariant-abstract/Ipc_AI.thy b/proof/invariant-abstract/Ipc_AI.thy index af16acb055..1db26a08b9 100644 --- a/proof/invariant-abstract/Ipc_AI.thy +++ b/proof/invariant-abstract/Ipc_AI.thy @@ -13,19 +13,16 @@ begin arch_requalify_consts in_device_frame -(* FIXME arch_split: unclear why not arch global_naming *) -requalify_facts - Arch.setup_caller_cap_ioports - Arch.set_mrs_ioports - Arch.as_user_ioports - Arch.set_message_info_ioports - Arch.copy_mrs_ioports - Arch.store_word_offs_ioports - Arch.make_arch_fault_msg_ioports - Arch.arch_derive_cap_notzombie - Arch.arch_derive_cap_notIRQ - arch_requalify_facts + setup_caller_cap_ioports + set_mrs_ioports + as_user_ioports + set_message_info_ioports + copy_mrs_ioports + store_word_offs_ioports + make_arch_fault_msg_ioports + arch_derive_cap_notzombie + arch_derive_cap_notIRQ lookup_ipc_buffer_inv set_mi_invs as_user_hyp_refs_of diff --git a/proof/invariant-abstract/KHeap_AI.thy b/proof/invariant-abstract/KHeap_AI.thy index 9294d03014..81f0520c59 100644 --- a/proof/invariant-abstract/KHeap_AI.thy +++ b/proof/invariant-abstract/KHeap_AI.thy @@ -14,12 +14,9 @@ arch_requalify_consts non_vspace_obj vspace_obj_pred -(* FIXME arch_split: these should probably be in an arch-named context *) -requalify_facts - Arch.getActiveIRQ_neq_non_kernel - Arch.dmo_getActiveIRQ_non_kernel - arch_requalify_facts + getActiveIRQ_neq_non_kernel + dmo_getActiveIRQ_non_kernel pspace_in_kernel_window_atyp_lift valid_vspace_objs_lift_weak vs_lookup_vspace_obj_at_lift diff --git a/proof/invariant-abstract/Schedule_AI.thy b/proof/invariant-abstract/Schedule_AI.thy index b3e4be88fd..ed0cdc3364 100644 
--- a/proof/invariant-abstract/Schedule_AI.thy +++ b/proof/invariant-abstract/Schedule_AI.thy @@ -28,10 +28,10 @@ locale Schedule_AI = "\invs\ switch_to_idle_thread \\rv . (ct_in_state activatable :: 'a state \ bool)\" (* FIXME arch_split: some of these could be moved to generic theories - so they don't need to be unqualified. *) -requalify_facts - Arch.no_irq - Arch.no_irq_storeWord + so they don't need to be requalified. *) +arch_requalify_facts + no_irq + no_irq_storeWord crunch schedule_switch_thread_fastfail for inv[wp]: P diff --git a/proof/invariant-abstract/Syscall_AI.thy b/proof/invariant-abstract/Syscall_AI.thy index 71e4197069..a24240816f 100644 --- a/proof/invariant-abstract/Syscall_AI.thy +++ b/proof/invariant-abstract/Syscall_AI.thy @@ -16,14 +16,14 @@ imports ArchInterrupt_AI begin -requalify_facts - (* lookup_cap_and_slot_inv (* FIXME arch_split: check other arches to make sure this is global *) *) - Arch.resetTimer_device_state_inv +(* requalify_facts + lookup_cap_and_slot_inv (* FIXME arch_split: check other arches to make sure this is global *) *) arch_requalify_facts (A) data_to_cptr_def arch_requalify_facts + resetTimer_device_state_inv arch_decode_invocation_inv arch_post_cap_deletion_cur_thread arch_post_cap_deletion_state_refs_of diff --git a/proof/invariant-abstract/VSpace_AI.thy b/proof/invariant-abstract/VSpace_AI.thy index 54a7294310..47cdba4606 100644 --- a/proof/invariant-abstract/VSpace_AI.thy +++ b/proof/invariant-abstract/VSpace_AI.thy @@ -12,11 +12,8 @@ theory VSpace_AI imports ArchVSpace_AI begin -(* FIXME arch_split: this should maybe have global_naming *) -requalify_facts - Arch.ackInterrupt_device_state_inv - arch_requalify_facts + ackInterrupt_device_state_inv pspace_respects_device_region_dmo cap_refs_respects_device_region_dmo From 22cccb33b5d79ca8ea5ac20e023ce125370fdbb9 Mon Sep 17 00:00:00 2001 
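Review bot: In the Syscall_AI.thy hunk the `lookup_cap_and_slot_inv` requalification is kept as commented-out proof script wrapping a nested `(* FIXME ... *)`; commented-out code rots silently, and Isabelle's nested comments make it easy to overlook that this was once live. If the fact really is already global on this architecture (the theory would fail to process otherwise), drop the dead requalify and keep a plain marker, e.g. `(* FIXME arch_split: lookup_cap_and_slot_inv is global here; check other arches before deleting this note *)`; if it is not global on some arch, reinstate it under `arch_requalify_facts`. Since patch 6 is still marked `[wip]` in its subject, this is worth settling before the series is squashed.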
From: Rafal Kolanski Date: Tue, 23 Jul 2024 11:33:44 +1000 Subject: [PATCH 7/9] ainvs: disambiguate acap_rights_update_id Rename the wellformed_acap version to wf_acap_rights_update_id, and the valid_arch_cap version to valid_acap_rights_update_id. Signed-off-by: Rafal Kolanski --- .../invariant-abstract/AARCH64/ArchCSpaceInvPre_AI.thy | 2 +- proof/invariant-abstract/AARCH64/ArchInvariants_AI.thy | 2 +- proof/invariant-abstract/ARM/ArchCSpaceInvPre_AI.thy | 2 +- proof/invariant-abstract/ARM/ArchInvariants_AI.thy | 2 +- .../invariant-abstract/ARM_HYP/ArchCSpaceInvPre_AI.thy | 2 +- proof/invariant-abstract/ARM_HYP/ArchInvariants_AI.thy | 2 +- proof/invariant-abstract/CSpaceInv_AI.thy | 10 +++------- proof/invariant-abstract/Invariants_AI.thy | 6 +++--- .../invariant-abstract/RISCV64/ArchCSpaceInvPre_AI.thy | 2 +- proof/invariant-abstract/RISCV64/ArchInvariants_AI.thy | 2 +- proof/invariant-abstract/X64/ArchCSpaceInvPre_AI.thy | 2 +- proof/invariant-abstract/X64/ArchInvariants_AI.thy | 2 +- 12 files changed, 16 insertions(+), 20 deletions(-) diff --git a/proof/invariant-abstract/AARCH64/ArchCSpaceInvPre_AI.thy b/proof/invariant-abstract/AARCH64/ArchCSpaceInvPre_AI.thy index 9be7754f33..44df5b80cd 100644 --- a/proof/invariant-abstract/AARCH64/ArchCSpaceInvPre_AI.thy +++ b/proof/invariant-abstract/AARCH64/ArchCSpaceInvPre_AI.thy @@ -363,7 +363,7 @@ lemma cap_master_arch_cap_rights [simp]: by (simp add: cap_master_arch_cap_def acap_rights_update_def split: arch_cap.splits) -lemma acap_rights_update_id [intro!, simp]: +lemma valid_acap_rights_update_id [intro!, simp]: "valid_arch_cap ac s \ acap_rights_update (acap_rights ac) ac = ac" unfolding acap_rights_update_def acap_rights_def valid_arch_cap_def by (cases ac; simp) diff --git a/proof/invariant-abstract/AARCH64/ArchInvariants_AI.thy b/proof/invariant-abstract/AARCH64/ArchInvariants_AI.thy index 75d8ba5d37..ee66eb7045 100644 --- a/proof/invariant-abstract/AARCH64/ArchInvariants_AI.thy 
+++ b/proof/invariant-abstract/AARCH64/ArchInvariants_AI.thy @@ -1272,7 +1272,7 @@ lemma aobj_at_default_arch_cap_valid: lemmas aobj_ref_default = aobj_ref_arch_cap -lemma acap_rights_update_id [intro!, simp]: +lemma wf_acap_rights_update_id [intro!, simp]: "wellformed_acap cap \ acap_rights_update (acap_rights cap) cap = cap" unfolding acap_rights_update_def by (auto split: arch_cap.splits option.splits) diff --git a/proof/invariant-abstract/ARM/ArchCSpaceInvPre_AI.thy b/proof/invariant-abstract/ARM/ArchCSpaceInvPre_AI.thy index a5a4220129..d298ea7f7a 100644 --- a/proof/invariant-abstract/ARM/ArchCSpaceInvPre_AI.thy +++ b/proof/invariant-abstract/ARM/ArchCSpaceInvPre_AI.thy @@ -293,7 +293,7 @@ lemma cap_master_arch_cap_rights [simp]: by (simp add: cap_master_arch_cap_def acap_rights_update_def split: arch_cap.splits) -lemma acap_rights_update_id [intro!, simp]: +lemma valid_acap_rights_update_id [intro!, simp]: "valid_arch_cap ac s \ acap_rights_update (acap_rights ac) ac = ac" unfolding acap_rights_update_def acap_rights_def valid_arch_cap_def by (cases ac; simp) diff --git a/proof/invariant-abstract/ARM/ArchInvariants_AI.thy b/proof/invariant-abstract/ARM/ArchInvariants_AI.thy index d3efceb2c4..c30b47f8d9 100644 --- a/proof/invariant-abstract/ARM/ArchInvariants_AI.thy +++ b/proof/invariant-abstract/ARM/ArchInvariants_AI.thy @@ -2153,7 +2153,7 @@ lemma vs_cap_ref_eq_imp_table_cap_ref_eq: arch_cap_fun_lift_def split: cap.splits arch_cap.splits vmpage_size.splits option.splits) -lemma acap_rights_update_id [intro!, simp]: +lemma wf_acap_rights_update_id [intro!, simp]: "\wellformed_acap cap\ \ acap_rights_update (acap_rights cap) cap = cap" unfolding wellformed_acap_def acap_rights_update_def by (auto split: arch_cap.splits) diff --git a/proof/invariant-abstract/ARM_HYP/ArchCSpaceInvPre_AI.thy b/proof/invariant-abstract/ARM_HYP/ArchCSpaceInvPre_AI.thy index 16024bb9e6..c694bb7881 100644 --- a/proof/invariant-abstract/ARM_HYP/ArchCSpaceInvPre_AI.thy 
+++ b/proof/invariant-abstract/ARM_HYP/ArchCSpaceInvPre_AI.thy @@ -293,7 +293,7 @@ lemma cap_master_arch_cap_rights [simp]: by (simp add: cap_master_arch_cap_def acap_rights_update_def split: arch_cap.splits) -lemma acap_rights_update_id [intro!, simp]: +lemma valid_acap_rights_update_id [intro!, simp]: "valid_arch_cap ac s \ acap_rights_update (acap_rights ac) ac = ac" unfolding acap_rights_update_def acap_rights_def valid_arch_cap_def by (cases ac; simp) diff --git a/proof/invariant-abstract/ARM_HYP/ArchInvariants_AI.thy b/proof/invariant-abstract/ARM_HYP/ArchInvariants_AI.thy index c8b7c5586a..4f23c783f9 100644 --- a/proof/invariant-abstract/ARM_HYP/ArchInvariants_AI.thy +++ b/proof/invariant-abstract/ARM_HYP/ArchInvariants_AI.thy @@ -2162,7 +2162,7 @@ lemma valid_vspace_objs_lift: apply (rule valid_vspace_obj_typ [OF z], auto) done -lemma acap_rights_update_id [intro!, simp]: +lemma wf_acap_rights_update_id [intro!, simp]: "\wellformed_acap cap\ \ acap_rights_update (acap_rights cap) cap = cap" unfolding wellformed_acap_def acap_rights_update_def by (auto split: arch_cap.splits) diff --git a/proof/invariant-abstract/CSpaceInv_AI.thy b/proof/invariant-abstract/CSpaceInv_AI.thy index a7145640a6..9d86e52b46 100644 --- a/proof/invariant-abstract/CSpaceInv_AI.thy +++ b/proof/invariant-abstract/CSpaceInv_AI.thy @@ -18,11 +18,6 @@ arch_requalify_consts replaceable_non_final_arch_cap unique_table_refs -(* There are multiple arch-dependent acap_rights_update_id, one for wellformed_acap, - one for valid_arch_cap. Prefer the latter. *) -arch_requalify_facts (aliasing) - acap_rights_update_id - arch_requalify_facts aobj_ref_acap_rights_update arch_obj_size_acap_rights_update @@ -31,6 +26,7 @@ arch_requalify_facts unique_table_refs_def valid_ipc_buffer_cap_def acap_rights_update_idem + valid_acap_rights_update_id cap_master_arch_cap_rights is_nondevice_page_cap_simps set_cap_hyp_refs_of 
@@ -52,10 +48,10 @@ lemma is_valid_vtable_root_simps[simp]: lemmas [simp] = aobj_ref_acap_rights_update arch_obj_size_acap_rights_update valid_validate_vm_rights cap_master_arch_inv acap_rights_update_idem - cap_master_arch_cap_rights acap_rights_update_id state_hyp_refs_of_revokable + cap_master_arch_cap_rights valid_acap_rights_update_id state_hyp_refs_of_revokable lemmas [intro] = valid_arch_cap_acap_rights_update -lemmas [intro!] = acap_rights_update_id +lemmas [intro!] = valid_acap_rights_update_id lemmas [wp] = set_cap_hyp_refs_of lemma remove_rights_cap_valid[simp]: diff --git a/proof/invariant-abstract/Invariants_AI.thy b/proof/invariant-abstract/Invariants_AI.thy index 845908d66b..005db58cf7 100644 --- a/proof/invariant-abstract/Invariants_AI.thy +++ b/proof/invariant-abstract/Invariants_AI.thy @@ -78,7 +78,7 @@ arch_requalify_facts valid_arch_state_lift aobj_at_default_arch_cap_valid aobj_ref_default - acap_rights_update_id + wf_acap_rights_update_id physical_arch_cap_has_ref wellformed_arch_default valid_vspace_obj_default' @@ -114,9 +114,9 @@ lemmas [simp] = iarch_tcb_context_set iarch_tcb_set_registers -lemmas [intro!] = idle_global acap_rights_update_id +lemmas [intro!] = idle_global wf_acap_rights_update_id -lemmas [simp] = acap_rights_update_id state_hyp_refs_update +lemmas [simp] = wf_acap_rights_update_id state_hyp_refs_update tcb_arch_ref_simps hyp_live_tcb_simps hyp_refs_of_simps diff --git a/proof/invariant-abstract/RISCV64/ArchCSpaceInvPre_AI.thy b/proof/invariant-abstract/RISCV64/ArchCSpaceInvPre_AI.thy index 26c89dc4e8..26355d6fb4 100644 --- a/proof/invariant-abstract/RISCV64/ArchCSpaceInvPre_AI.thy +++ b/proof/invariant-abstract/RISCV64/ArchCSpaceInvPre_AI.thy 
@@ -368,7 +368,7 @@ lemma cap_master_arch_cap_rights [simp]: by (simp add: cap_master_arch_cap_def acap_rights_update_def split: arch_cap.splits) -lemma acap_rights_update_id [intro!, simp]: +lemma valid_acap_rights_update_id [intro!, simp]: "valid_arch_cap ac s \ acap_rights_update (acap_rights ac) ac = ac" unfolding acap_rights_update_def acap_rights_def valid_arch_cap_def by (cases ac; simp) diff --git a/proof/invariant-abstract/RISCV64/ArchInvariants_AI.thy b/proof/invariant-abstract/RISCV64/ArchInvariants_AI.thy index 44ef380453..b2132a49b9 100644 --- a/proof/invariant-abstract/RISCV64/ArchInvariants_AI.thy +++ b/proof/invariant-abstract/RISCV64/ArchInvariants_AI.thy @@ -1082,7 +1082,7 @@ lemma aobj_at_default_arch_cap_valid: lemmas aobj_ref_default = aobj_ref_arch_cap -lemma acap_rights_update_id [intro!, simp]: +lemma wf_acap_rights_update_id [intro!, simp]: "wellformed_acap cap \ acap_rights_update (acap_rights cap) cap = cap" unfolding acap_rights_update_def by (auto split: arch_cap.splits option.splits) diff --git a/proof/invariant-abstract/X64/ArchCSpaceInvPre_AI.thy b/proof/invariant-abstract/X64/ArchCSpaceInvPre_AI.thy index 1f6b81000c..7f7cbfb122 100644 --- a/proof/invariant-abstract/X64/ArchCSpaceInvPre_AI.thy +++ b/proof/invariant-abstract/X64/ArchCSpaceInvPre_AI.thy @@ -320,7 +320,7 @@ lemma cap_master_arch_cap_rights [simp]: by (simp add: cap_master_arch_cap_def acap_rights_update_def split: arch_cap.splits) -lemma acap_rights_update_id [intro!, simp]: +lemma valid_acap_rights_update_id [intro!, simp]: "valid_arch_cap ac s \ acap_rights_update (acap_rights ac) ac = ac" unfolding acap_rights_update_def acap_rights_def valid_arch_cap_def by (cases ac; simp) diff --git a/proof/invariant-abstract/X64/ArchInvariants_AI.thy b/proof/invariant-abstract/X64/ArchInvariants_AI.thy index 884b521be6..228740a7cf 100644 --- a/proof/invariant-abstract/X64/ArchInvariants_AI.thy +++ b/proof/invariant-abstract/X64/ArchInvariants_AI.thy 
@@ -3030,7 +3030,7 @@ lemma vs_cap_ref_eq_imp_table_cap_ref_eq: arch_cap_fun_lift_def split: cap.splits arch_cap.splits vmpage_size.splits option.splits) -lemma acap_rights_update_id [intro!, simp]: +lemma wf_acap_rights_update_id [intro!, simp]: "\wellformed_acap cap\ \ acap_rights_update (acap_rights cap) cap = cap" unfolding wellformed_acap_def acap_rights_update_def by (auto split: arch_cap.splits) From 9a10755abd1e4654193ffb59b90fd9a86ea67833 Mon Sep 17 00:00:00 2001 From: Rafal Kolanski Date: Tue, 23 Jul 2024 12:31:15 +1000 Subject: [PATCH 8/9] [wip] gen+aarch64 ainvs: move requalifies to generic theories * prevent duplication between arches by moving requalifications from Arch theories to generic ones * this strategy is not available for new constants that are introduced in the Arch locale that need to be referenced in generic definitions or locale instantiations --- proof/invariant-abstract/AARCH64/ArchAInvsPre.thy | 6 ------ proof/invariant-abstract/AARCH64/ArchArch_AI.thy | 14 -------------- .../invariant-abstract/AARCH64/ArchBCorres_AI.thy | 5 ----- .../AARCH64/ArchCSpaceInv_AI.thy | 2 -- proof/invariant-abstract/AARCH64/ArchCSpace_AI.thy | 5 ----- proof/invariant-abstract/AARCH64/ArchTcb_AI.thy | 4 ---- proof/invariant-abstract/AARCH64/ArchVSpace_AI.thy | 4 ---- proof/invariant-abstract/AARCH64/Machine_AI.thy | 6 ------ proof/invariant-abstract/AInvs.thy | 5 +++++ proof/invariant-abstract/CSpacePre_AI.thy | 3 +++ proof/invariant-abstract/KHeapPre_AI.thy | 6 ++++++ proof/invariant-abstract/LevityCatch_AI.thy | 4 ++++ proof/invariant-abstract/Schedule_AI.thy | 11 ++++------- proof/invariant-abstract/Syscall_AI.thy | 12 ++++++++++++ proof/invariant-abstract/TcbAcc_AI.thy | 2 ++ proof/invariant-abstract/VSpace_AI.thy | 1 + 16 files changed, 37 insertions(+), 53 deletions(-) diff --git a/proof/invariant-abstract/AARCH64/ArchAInvsPre.thy b/proof/invariant-abstract/AARCH64/ArchAInvsPre.thy index 892bed850f..83ae5d2b58 100644 
--- a/proof/invariant-abstract/AARCH64/ArchAInvsPre.thy +++ b/proof/invariant-abstract/AARCH64/ArchAInvsPre.thy @@ -140,10 +140,4 @@ proof goal_cases case 1 show ?case by (intro_locales; (unfold_locales; fact AInvsPre_assms)?) qed -(* FIXME arch_split: move to global theory *) -arch_requalify_facts - user_mem_dom_cong - device_mem_dom_cong - device_frame_in_device_region - end diff --git a/proof/invariant-abstract/AARCH64/ArchArch_AI.thy b/proof/invariant-abstract/AARCH64/ArchArch_AI.thy index 52643dfa1d..969da0e922 100644 --- a/proof/invariant-abstract/AARCH64/ArchArch_AI.thy +++ b/proof/invariant-abstract/AARCH64/ArchArch_AI.thy @@ -1726,18 +1726,4 @@ lemma arch_pinv_st_tcb_at: end -(* FIXME arch_split: move to global theory *) -arch_requalify_consts - valid_arch_inv - -arch_requalify_facts - invoke_arch_tcb - invoke_arch_invs - sts_valid_arch_inv - arch_decode_inv_wf - arch_pinv_st_tcb_at - -declare invoke_arch_invs[wp] -declare arch_decode_inv_wf[wp] - end diff --git a/proof/invariant-abstract/AARCH64/ArchBCorres_AI.thy b/proof/invariant-abstract/AARCH64/ArchBCorres_AI.thy index 97e040139b..1bb2fb31c9 100644 --- a/proof/invariant-abstract/AARCH64/ArchBCorres_AI.thy +++ b/proof/invariant-abstract/AARCH64/ArchBCorres_AI.thy @@ -45,9 +45,4 @@ crunch prepare_thread_delete end -(* FIXME arch_split: move to generic theory *) -arch_requalify_facts arch_finalise_cap_bcorres prepare_thread_delete_bcorres - -declare arch_finalise_cap_bcorres[wp] prepare_thread_delete_bcorres[wp] - end diff --git a/proof/invariant-abstract/AARCH64/ArchCSpaceInv_AI.thy b/proof/invariant-abstract/AARCH64/ArchCSpaceInv_AI.thy index ba702cde24..3ad84874c7 100644 --- a/proof/invariant-abstract/AARCH64/ArchCSpaceInv_AI.thy +++ b/proof/invariant-abstract/AARCH64/ArchCSpaceInv_AI.thy @@ -210,6 +210,4 @@ lemmas cap_vptr_simps [simp] = end -arch_requalify_facts replace_cap_invs - end 
diff --git a/proof/invariant-abstract/AARCH64/ArchCSpace_AI.thy b/proof/invariant-abstract/AARCH64/ArchCSpace_AI.thy index 05759f6b54..bc4db311ee 100644 --- a/proof/invariant-abstract/AARCH64/ArchCSpace_AI.thy +++ b/proof/invariant-abstract/AARCH64/ArchCSpace_AI.thy @@ -599,9 +599,4 @@ lemma set_cap_kernel_window_simple: end -(* FIXME arch_split: move to non-Arch theory? *) -arch_requalify_facts - set_cap_valid_arch_caps_simple - set_cap_kernel_window_simple - end diff --git a/proof/invariant-abstract/AARCH64/ArchTcb_AI.thy b/proof/invariant-abstract/AARCH64/ArchTcb_AI.thy index 6c37465baa..33d7d7f6ed 100644 --- a/proof/invariant-abstract/AARCH64/ArchTcb_AI.thy +++ b/proof/invariant-abstract/AARCH64/ArchTcb_AI.thy @@ -383,8 +383,4 @@ proof goal_cases case 1 show ?case by (unfold_locales; (fact Tcb_AI_assms)?) qed -(* FIXME arch_split: move to global theory *) -arch_requalify_consts is_cnode_or_valid_arch -arch_requalify_facts invoke_tcb_typ_at - end diff --git a/proof/invariant-abstract/AARCH64/ArchVSpace_AI.thy b/proof/invariant-abstract/AARCH64/ArchVSpace_AI.thy index 973d7e1ae6..48bb3f688a 100644 --- a/proof/invariant-abstract/AARCH64/ArchVSpace_AI.thy +++ b/proof/invariant-abstract/AARCH64/ArchVSpace_AI.thy @@ -3142,8 +3142,4 @@ crunch vcpu_switch end -(* FIXME arch_split: move to generic theory? *) -arch_requalify_facts - do_machine_op_valid_kernel_mappings - end diff --git a/proof/invariant-abstract/AARCH64/Machine_AI.thy b/proof/invariant-abstract/AARCH64/Machine_AI.thy index b6d2e48bce..793e63d832 100644 --- a/proof/invariant-abstract/AARCH64/Machine_AI.thy +++ b/proof/invariant-abstract/AARCH64/Machine_AI.thy @@ -423,10 +423,4 @@ lemma dmo_gets_inv[wp]: end -arch_requalify_facts - det_getRegister - det_setRegister - det_getRestartPC - det_setNextPC - end diff --git a/proof/invariant-abstract/AInvs.thy b/proof/invariant-abstract/AInvs.thy index c1e3aac714..dad6152d6a 100644 --- a/proof/invariant-abstract/AInvs.thy +++ b/proof/invariant-abstract/AInvs.thy 
@@ -12,6 +12,11 @@ theory AInvs imports ArchAInvsPre begin +arch_requalify_facts + user_mem_dom_cong + device_mem_dom_cong + device_frame_in_device_region + lemma st_tcb_at_nostate_upd: "\ get_tcb t s = Some y; tcb_state y = tcb_state y' \ \ st_tcb_at P t' (s \kheap := (kheap s)(t \ TCB y')\) = st_tcb_at P t' s" diff --git a/proof/invariant-abstract/CSpacePre_AI.thy b/proof/invariant-abstract/CSpacePre_AI.thy index 9cc07003ef..541227b0b3 100644 --- a/proof/invariant-abstract/CSpacePre_AI.thy +++ b/proof/invariant-abstract/CSpacePre_AI.thy @@ -20,6 +20,9 @@ arch_requalify_consts cap_asid_base cap_vptr +arch_requalify_facts + replace_cap_invs + lemma fun_upd_Some: "ms p = Some k \ (ms(a \ b)) p = Some (if a = p then b else k)" by auto diff --git a/proof/invariant-abstract/KHeapPre_AI.thy b/proof/invariant-abstract/KHeapPre_AI.thy index 9fca503d7c..06ff116b25 100644 --- a/proof/invariant-abstract/KHeapPre_AI.thy +++ b/proof/invariant-abstract/KHeapPre_AI.thy @@ -8,6 +8,12 @@ theory KHeapPre_AI imports Machine_AI begin +arch_requalify_facts + det_getRegister + det_setRegister + det_getRestartPC + det_setNextPC + primrec same_caps :: "Structures_A.kernel_object \ Structures_A.kernel_object \ bool" where diff --git a/proof/invariant-abstract/LevityCatch_AI.thy b/proof/invariant-abstract/LevityCatch_AI.thy index fa3f444e8a..6c7a9465b8 100644 --- a/proof/invariant-abstract/LevityCatch_AI.thy +++ b/proof/invariant-abstract/LevityCatch_AI.thy @@ -19,9 +19,13 @@ arch_requalify_consts arch_requalify_facts ptrFormPAddr_addFromPPtr aobj_ref_arch_cap + arch_finalise_cap_bcorres + prepare_thread_delete_bcorres lemmas aobj_ref_arch_cap_simps[simp] = aobj_ref_arch_cap +lemmas [wp] = arch_finalise_cap_bcorres prepare_thread_delete_bcorres + lemma detype_arch_state: "arch_state (detype S s) = arch_state s" by (simp add: detype_def) diff --git a/proof/invariant-abstract/Schedule_AI.thy b/proof/invariant-abstract/Schedule_AI.thy index ed0cdc3364..7f6e8cd564 100644 
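Review bot: The `arch_requalify_facts` block added at the top of `AInvs.thy` (and likewise the ones added in `CSpacePre_AI.thy`, `KHeapPre_AI.thy`, `LevityCatch_AI.thy`, `Schedule_AI.thy`, `Syscall_AI.thy`, `TcbAcc_AI.thy` and `VSpace_AI.thy`) runs on every architecture, but this patch only drops the matching requalifications from the AARCH64 Arch theories, so on the other architectures the same names are presumably requalified twice — once in the still-unchanged Arch theory that the generic theory imports, and again here. Per the project's own documentation, `requalify_*` warns when the unqualified name is already present in the global context unless `(aliasing)` is passed, so the intermediate state likely produces a warning per fact on ARM, ARM_HYP, RISCV64 and X64 until their Arch theories get the same cleanup. If the remaining architectures are meant to land in a follow-up, a one-line note in the commit message or a `(* FIXME arch_split: remove duplicate requalification from other arches *)` above the first such block would make the intended end state visible to the next reader.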
--- a/proof/invariant-abstract/Schedule_AI.thy +++ b/proof/invariant-abstract/Schedule_AI.thy @@ -8,10 +8,13 @@ theory Schedule_AI imports VSpace_AI begin +arch_requalify_facts + no_irq + no_irq_storeWord + abbreviation "activatable \ \st. runnable st \ idle st" - locale Schedule_AI = fixes state_ext :: "('a::state_ext) itself" assumes dmo_mapM_storeWord_0_invs[wp]: @@ -27,12 +30,6 @@ locale Schedule_AI = assumes stit_activatable: "\invs\ switch_to_idle_thread \\rv . (ct_in_state activatable :: 'a state \ bool)\" -(* FIXME arch_split: some of these could be moved to generic theories - so they don't need to be requalified. *) -arch_requalify_facts - no_irq - no_irq_storeWord - crunch schedule_switch_thread_fastfail for inv[wp]: P diff --git a/proof/invariant-abstract/Syscall_AI.thy b/proof/invariant-abstract/Syscall_AI.thy index a24240816f..960fa04707 100644 --- a/proof/invariant-abstract/Syscall_AI.thy +++ b/proof/invariant-abstract/Syscall_AI.thy @@ -22,16 +22,28 @@ begin arch_requalify_facts (A) data_to_cptr_def +arch_requalify_consts + is_cnode_or_valid_arch + valid_arch_inv + arch_requalify_facts resetTimer_device_state_inv arch_decode_invocation_inv arch_post_cap_deletion_cur_thread arch_post_cap_deletion_state_refs_of arch_invoke_irq_handler_typ_at + invoke_tcb_typ_at + invoke_arch_tcb + invoke_arch_invs + sts_valid_arch_inv + arch_decode_inv_wf + arch_pinv_st_tcb_at lemmas [wp] = arch_decode_invocation_inv lookup_cap_and_slot_inv + invoke_arch_invs + arch_decode_inv_wf lemmas [simp] = data_to_cptr_def diff --git a/proof/invariant-abstract/TcbAcc_AI.thy b/proof/invariant-abstract/TcbAcc_AI.thy index 7494233a23..57c2351394 100644 --- a/proof/invariant-abstract/TcbAcc_AI.thy +++ b/proof/invariant-abstract/TcbAcc_AI.thy @@ -13,6 +13,8 @@ arch_requalify_facts as_user_inv getRegister_inv user_getreg_inv + set_cap_valid_arch_caps_simple + set_cap_kernel_window_simple declare user_getreg_inv[wp] 
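Review bot: The `Schedule_AI.thy` hunk removes the `FIXME arch_split` comment that said `no_irq`/`no_irq_storeWord` could be moved to generic theories so they would not need requalifying at all, yet the new code keeps requalifying exactly those two facts, just earlier in the theory. The outstanding suggestion is therefore lost without being acted on; consider keeping a shortened form above the relocated block, e.g. `(* FIXME arch_split: no_irq facts could be proven generically instead of requalified *)`. The relocation also deletes the blank line that separated `abbreviation "activatable ..."` from `locale Schedule_AI`, which reads as an accidental whitespace change rather than part of the move.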
diff --git a/proof/invariant-abstract/VSpace_AI.thy b/proof/invariant-abstract/VSpace_AI.thy index 47cdba4606..c2c67f953f 100644 --- a/proof/invariant-abstract/VSpace_AI.thy +++ b/proof/invariant-abstract/VSpace_AI.thy @@ -13,6 +13,7 @@ imports ArchVSpace_AI begin arch_requalify_facts + do_machine_op_valid_kernel_mappings ackInterrupt_device_state_inv pspace_respects_device_region_dmo cap_refs_respects_device_region_dmo From f1270aaa5e5997dcc40f08eeea92420c6d327dd7 Mon Sep 17 00:00:00 2001 From: Rafal Kolanski Date: Tue, 23 Jul 2024 15:07:01 +1000 Subject: [PATCH 9/9] [wip] docs: arch-split.md: more overhaul * prefer arch_global_naming * prefer arch_requalify commands over interpretation * indicate consts might need to be requalified in Arch theories * explain (in Arch) + requalify pattern for generic consequences of arch-specific properties --- docs/arch-split.md | 190 +++++++++++++++++++++++++++++++++------------ 1 file changed, 141 insertions(+), 49 deletions(-) diff --git a/docs/arch-split.md b/docs/arch-split.md index 70331aeb85..82ab05943f 100644 --- a/docs/arch-split.md +++ b/docs/arch-split.md 
@@ -151,11 +151,12 @@ want to prevent, however, inadvertent references to types, constants and facts which are only internal to a particular architecture (e.g. definitions of constants). -To help achieve this hiding, we provide a custom command, **global_naming**, -that modifies the way qualified names are generated. The primary use of -`global_naming` is in architecture-specific theories, to ensure that by default, -types, constants and lemmas are given an architecture-specific qualified name, -even though they are part of the Arch locale. +To help achieve this hiding, we provide the custom commands **global_naming** +and **arch_global_naming**, which modify the way qualified names are generated. +The primary use of these commands is in architecture-specific theories, to +ensure that by default, types, constants and lemmas are given an +architecture-specific qualified name, even though they are part of the Arch +locale. - `l4v/proof/invariant-abstract/ARM/ArchADT_AI.thy` @@ -171,6 +172,12 @@ context Arch begin global_naming ARM definition "get_pd_of_thread ≡ ..." end +(* the more convenient and preferred way to achieve the above when L4V_ARCH=ARM + is to use arch_global_naming, spiritually equivalent to `global_naming $L4V_ARCH` *) +context Arch begin arch_global_naming +(* ... *) +end + (* Back in the global context, we can't refer to these names without naming a particular architecture! *) term get_pd_of_thread (* Free variable *) term Arch.get_pd_of_thread (* Free variable *) 
@@ -192,8 +199,8 @@ architecture. If we saw such a reference in a generic theory, we would immediately recognise that something was wrong. The convention is that in architecture-specific theories, we initially -give *all* types, constants and lemmas with an architecture-specific -`global_naming` scheme. Then, in generic theories, we use +give *all* types, constants and lemmas with the architecture-specific +`arch_global_naming` scheme. Then, in generic theories, we use *requalification* to selectively extract just those types, constants and facts which are expected to exist on all architectures. @@ -204,8 +211,13 @@ We provide three custom commands for giving existing names new bindings in the global namespace: **requalify_types**, **requalify_consts**, **requalify_facts**, for types, constants and facts respectively. The new name is based on the context in which the requalification command is -executed. We use requalification in various ways, depending on the -situation. +executed. As with `global_naming`, we provide `L4V_ARCH`-aware versions of +these commands: **arch_requalify_types**, **arch_requalify_consts** and +**arch_requalify_types**. + +To understand how these commands function, see `lib/test/Requalify_Test.thy`. + +We use requalification in various ways, depending on the situation. The most basic use is to take a name from the Arch context and make it available in the global context without qualification. This should be 
@@ -220,11 +232,73 @@ done for any type, constant or fact: type, constant or fact, so that the unqualified name unambiguously denotes the architecture-specific concept for the current architecture. -Note: the `requalify_*` commands will warn when the unqualified name is already -available in the global context (see: Dealing with name clashes). To suppress -this warning, pass `(aliasing)` as the first parameter. +Note: the `[arch_]requalify_*` commands will warn when the unqualified name is +already available in the global context (see: Dealing with name clashes). To +suppress this warning, pass `(aliasing)` as the first parameter. + + +### Requalifying in practice + +Let's use the generic theory `l4v/proof/invariant-abstract/ADT_AI.thy` as an +example: + +```isabelle +theory ADT_AI +imports + "./$L4V_ARCH/ArchADT_AI" +begin + +term empty_context (* Free variable. *) +``` + +The constant `empty_context` is not visible in the theory scope, as it was +defined inside the Arch locale, likely with `arch_global_naming`, thus visible +as (for example) `ARM.empty_context`. We want to make this constant available +to generic proofs. The obvious way to do this is: + +```isabelle +requalify_consts ARM.empty_context (* avoid: can only be done in Arch theories *) +``` + +Unfortunately, on another platforms such as RISCV64, the constant will have a +different qualified name. We can instead appeal to `L4V_ARCH` again, since we +already rely on it to select the correct theories for the current architecture: + +```isabelle +arch_requalify_consts empty_context (* preferred *) + +(* The requalified constant is now available unqualified in the global context. *) +term empty_context + +(* However, its definition is not. *) +thm empty_context_def (* ERROR *) +``` + +In some cases, consts/types/facts may be thrown into the `Arch` context without +further qualification. 
In such cases, normal requalification may be used: + +```isabelle +requalify_consts Arch.empty_context (* standard locale version, likely due to missing global_naming *) +``` + + +### Requalifying inside "Arch" theories + +While requalifying inside `Arch*` theories is possible, as seen above, it +requires duplicating the requalify command(s) on every architecture, and so +should be avoided. However, it is not always possible to conveniently do so, +particularly when defining constants inside `Arch`, then having to use those +constants to instantiate locales, before heading back into the `Arch` context. -We do this in a generic theory: + +### Requalifying via interpretation (slow) + +Using `arch_requalify_*` commands still implicitly appeals to the name of the +architecture while in a generic theory. This has the advantage of being fast and +thus is preferred, but we describe the old interpretation method here for +reference (for dealing with older theories or older repository versions). + +We can do this in a generic theory: - `l4v/proof/invariant-abstract/ADT_AI.thy` 
@@ -268,38 +342,12 @@ the only purpose of the anonymous context block is to limit the scope of this Note: It is critical to the success of arch_split that we *never* interpret the Arch locale, *except* inside an appropriate context block. -In a generic theory, we typically only interpret the Arch locale: - -- to requalify names with no qualifier, or +In a generic theory, we typically only interpret the Arch locale to keep +existing proofs checking until we find time to factor out the +architecture-dependent parts. The `.` in `context begin interpretation Arch .` +in the middle of AInvs takes 7.5s, so repeated use of this technique should be +avoided when possible. -- to keep existing proofs checking until we find time to factor out the - architecture-dependent parts. - - -### Unconventional requalification shortcut - -While the expected convention is to perform requalify commands in the generic -theory as described above, there exists a shortcut for doing so in -architecture-specific theories when outside the Arch context: - -```isabelle -requalify_facts - ARM.user_mem_dom_cong - -thm user_mem_dom_cong (* ok *) -thm ARM.user_mem_dom_cong (* ok *) -thm Arch.user_mem_dom_cong (* ERROR *) -``` - -This immediately makes the fact available in the global context. While it is a -violation of expected conventions and needs to be repeated in every -arch-specific theory file, there is one important difference: -* the `.` in `context begin interpretation Arch .` in the middle of AInvs takes 7.5s -* `requalify_facts` in the global context is nearly instant (even for -multiple facts). - -This disparity will only get worse as the Arch context grows bigger, and -might indicate the need for some alternative functionality. ### Requalifying into the Arch locale 
@@ -319,10 +367,12 @@ thm ARM.user_mem_dom_cong (* ok *) thm Arch.user_mem_dom_cong (* ok *) ``` -This functionality can be useful when we want to give an architecture-specific -constant/type/fact a generic name, but not mix it with generic namespace (see -also Dealing with name clashes, as this affects lookup order inside -interpretations). +Generally, we want to avoid unprefixed names in the Arch locale, preferring to +use a `global_naming` to generate a prefix instead. However, when the generic +and arch-specific short names are identical, this functionality allows giving +an architecture-specific constant/type/fact a generic name while not mixing it +with generic namespace (see also "Dealing with name clashes", as this affects +lookup order inside interpretations). One can target any locale in this fashion, although the usefulness to arch-split is then decreased, since short names might not be visible past a naming prefix: @@ -444,7 +494,16 @@ Haskell specs. We use `ARM` everywhere else. This means that the arch-specific references only require either an `ARM_A` or `ARM_H` qualifier. No theory qualifier is required, and the result is more robust to theory reorganisation. -In the future, when we are properly splitting the refinement proofs, we will may +Requalification of consts/types/facts from these prefixes should be done as +follows: + +```isabelle +arch_requalify_const some_const (* requalifies ARM.some_const *) +arch_requalify_const (A) some_const (* requalifies ARM_A.some_const *) +arch_requalify_const (H) some_const (* requalifies ARM_H.some_const *) +``` + +In the future, when we are properly splitting the refinement proofs, we may want to extend this approach by introducing `Arch_A` and `Arch_H` `global_naming` schemes to disambiguate overloaded requalified names. 
@@ -687,6 +746,39 @@ generates limited duplication: a fact from `Foo_AI_1` will be duplicated in `Foo_AI_2`, but not in `Foo_AI_3+`. +### Temporarily proving a fact in the Arch locale + +The concept of "generic consequences of architecture-specific properties" shows +up in a few places. Normally, as outlined above, we prefer either exporting +enough facts to prove the property in the generic context or requiring the +property as a locale assumption. However, sometimes we end up in a situation +where the same proof will work on all architectures and spelling it out with +locale assumptions is inconvenient. For example (from `Invariants_AI`): + +```isabelle +(* generic consequence of architecture-specific details *) +lemma (in Arch) valid_arch_cap_pspaceI: + "⟦ valid_arch_cap acap s; kheap s = kheap s' ⟧ ⟹ valid_arch_cap acap s'" + unfolding valid_arch_cap_def + by (auto intro: obj_at_pspaceI split: arch_cap.split) + +requalify_facts Arch.valid_arch_cap_pspaceI +``` + +In this case, no matter what the architecture, the `valid_arch_cap` function +will only ever look at the heap, so this proof will always work. + +There are some considerations when using this strategy: + +1. We use the Arch locale without a `global_naming`, as its performance better + than entering the Arch locale and proving the lemma there. This means its + qualified name will be `Arch.valid_arch_cap_pspaceI`, but this is acceptable + since: +2. The lemma is immediately requalified into the generic context, so we never + really want to use its qualified name again. +3. This technique is rarely used, *use sparingly*! + + ## Qualifying non-locale-compatible commands Generally speaking, architecture-specific definitions and lemmas should