-
Notifications
You must be signed in to change notification settings - Fork 108
/
Copy pathExampleSpec_SI.thy
365 lines (322 loc) · 15.9 KB
/
ExampleSpec_SI.thy
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
(*
* Copyright 2020, Data61, CSIRO (ABN 41 687 119 230)
*
* SPDX-License-Identifier: GPL-2.0-only
*)
(*
* This file contains an example spec, and shows it obeys the well_formed constraints
*
* This file contains the invariants of the user-space initialiser,
* the well-formed conditions of the input capDL specification,
* and the predicates describing the initial state.
*)
theory ExampleSpec_SI
imports SysInit.WellFormed_SI
begin
context begin interpretation Arch . (*FIXME: arch-split*)
lemma object_slots_empty_object [simp]:
"object_slots (Frame \<lparr>cdl_frame_size_bits = small_frame_size\<rparr>) slot = Some cap \<Longrightarrow> cap = NullCap"
"object_slots (PageDirectory \<lparr>cdl_page_directory_caps = empty_cap_map pd_size\<rparr>) slot = Some cap \<Longrightarrow> cap = NullCap"
"empty_cap_map obj_id slot = Some cap \<Longrightarrow> cap = NullCap"
by (clarsimp simp: object_slots_def empty_cap_map_def
split: if_split_asm)+
lemma object_type_simps [simp]:
"object_type (Tcb t) = TcbType"
"object_type (CNode c) = CNodeType"
"object_type (PageDirectory pd) = PageDirectoryType"
"object_type (PageTable pt) = PageTableType"
"object_type (Frame f) = FrameType (cdl_frame_size_bits f)"
by (clarsimp simp: object_type_def)+
lemma well_formed_empty:
"well_formed \<lparr>
cdl_arch = undefined,
cdl_objects = Map.empty,
cdl_cdt = undefined,
cdl_current_thread = undefined,
cdl_irq_node = ucast,
cdl_asid_table = undefined,
cdl_current_domain = undefined
\<rparr>"
by (clarsimp simp: well_formed_def well_formed_orig_caps_unique_def cap_at_def
well_formed_irqhandler_caps_unique_def well_formed_irqhandler_caps_def
well_formed_irq_table_def down_ucast_inj is_down
well_formed_fake_pt_caps_unique_def irq_nodes_def object_at_def
opt_cap_def slots_of_def bound_irqs_def)
definition "tcb_id = 2000"
definition "cnode_id = 2001"
definition "pd_id = 2002"
definition "frame_id = 2003"
lemmas object_id_defs = tcb_id_def cnode_id_def pd_id_def frame_id_def
definition
"example_tcb =
\<lparr>cdl_tcb_caps = [tcb_cspace_slot \<mapsto> CNodeCap cnode_id 0 1 2,
tcb_vspace_slot \<mapsto> PageDirectoryCap pd_id Real None,
tcb_replycap_slot \<mapsto> NullCap,
tcb_caller_slot \<mapsto> NullCap,
tcb_ipcbuffer_slot \<mapsto> FrameCap False frame_id {AllowRead, AllowWrite} small_frame_size Real None,
tcb_pending_op_slot \<mapsto> NullCap,
tcb_boundntfn_slot \<mapsto> NullCap],
cdl_tcb_fault_endpoint = 0,
cdl_tcb_intent = \<lparr>cdl_intent_op = None,
cdl_intent_error = False,
cdl_intent_cap = 0,
cdl_intent_extras = [],
cdl_intent_recv_slot = None\<rparr>,
cdl_tcb_has_fault = False,
cdl_tcb_domain = minBound\<rparr>"
definition
example_irq_node :: "cdl_irq \<Rightarrow> cdl_object_id"
where
"example_irq_node = ucast"
definition
example_irq_node2 :: "cdl_irq \<Rightarrow> cdl_object_id"
where
"example_irq_node2 = (\<lambda>irq. ucast irq + 100)"
lemma example_irq_node_def2:
"example_irq_node2 = (\<lambda>irq. word_of_int (uint irq + 100))"
unfolding example_irq_node2_def
by (metis (opaque_lifting) ucast_def wi_hom_add word_of_int_numeral)
definition
"example_spec =
\<lparr>cdl_arch = undefined,
cdl_objects = [tcb_id \<mapsto> Tcb example_tcb,
cnode_id \<mapsto> CNode (\<lparr>cdl_cnode_caps = (empty_cap_map 2) ++
[0 \<mapsto> TcbCap tcb_id,
1 \<mapsto> CNodeCap cnode_id 0 0 2,
2 \<mapsto> PageDirectoryCap pd_id Real None,
3 \<mapsto> FrameCap False frame_id {AllowRead, AllowWrite} small_frame_size Real None],
cdl_cnode_size_bits = 2\<rparr>),
pd_id \<mapsto> PageDirectory \<lparr>cdl_page_directory_caps = empty_cap_map pd_size\<rparr>,
frame_id \<mapsto> Frame \<lparr>cdl_frame_size_bits = small_frame_size\<rparr>],
cdl_cdt = Map.empty, \<comment> \<open>All caps are orig caps.\<close>
cdl_current_thread = undefined,
cdl_irq_node = example_irq_node,
cdl_asid_table = undefined,
cdl_current_domain = undefined\<rparr>"
lemma cdl_irq_node_example_spec [simp]:
"cdl_irq_node example_spec = example_irq_node"
by (clarsimp simp: example_spec_def)
lemma cnode_id_not_in_irq_cnodes:
"cnode_id \<notin> irq_nodes example_spec"
by (clarsimp simp: irq_nodes_def example_spec_def object_at_def
is_irq_node_def object_id_defs)
lemma example_spec_is_tcb:
"\<lbrakk>cdl_objects example_spec obj_id = Some obj; is_tcb obj\<rbrakk>
\<Longrightarrow> obj_id = tcb_id \<and> obj = Tcb example_tcb"
by (clarsimp simp: example_spec_def is_tcb_def
split: cdl_object.splits if_split_asm)
lemma well_formed_tcb_example:
"cdl_objects example_spec obj_id = Some obj
\<Longrightarrow> well_formed_tcb example_spec obj_id obj"
apply (clarsimp simp: well_formed_tcb_def)
apply (drule (1) example_spec_is_tcb, clarsimp)
apply (clarsimp simp: example_tcb_def tcb_has_fault_def tcb_domain_def minBound_word
object_slots_def tcb_slot_defs cnode_id_not_in_irq_cnodes
is_default_cap_def cap_type_def default_cap_def
split: if_split_asm)
done
lemma well_formed_orig_caps_unique_example:
"well_formed_orig_caps_unique example_spec"
by (auto simp: well_formed_orig_caps_unique_def example_spec_def
object_at_def is_cnode_def opt_cap_def
slots_of_def object_slots_def
empty_cap_map_def cap_object_def cap_has_object_def
update_slots_def object_id_defs
split: if_split_asm option.splits)
lemma well_formed_irqhandler_caps_unique_example:
"well_formed_irqhandler_caps_unique example_spec"
apply (clarsimp simp: well_formed_irqhandler_caps_unique_def cap_irq_def cap_type_def
split: cdl_cap.splits)
apply (clarsimp simp: example_spec_def opt_cap_def slots_of_def
object_slots_def empty_cap_map_def example_tcb_def
split: if_split_asm option.splits)
done
lemma well_formed_fake_pt_caps_unique_example:
"well_formed_fake_pt_caps_unique example_spec"
by (auto simp: well_formed_fake_pt_caps_unique_def example_spec_def
object_at_def opt_cap_def
slots_of_def object_slots_def
empty_cap_map_def is_pd_def
split: if_split_asm option.splits)
lemma well_formed_orig_cap_tcb [simp]:
"well_formed_orig_cap (TcbCap obj_id)"
by (clarsimp simp: well_formed_orig_cap_def default_cap_def cap_type_def
cap_rights_def ep_related_cap_def)
lemma well_formed_cap_ex [simp]:
"well_formed_cap (CNodeCap a 0 0 2)"
"well_formed_cap (TcbCap 0)"
by (clarsimp simp: well_formed_cap_def guard_bits_def)+
lemma cap_at_has_no_parents_in_cdt_example_spec [simp]:
"cap_at_has_no_parents_in_cdt cap_ref example_spec"
by (clarsimp simp: cap_at_has_no_parents_in_cdt_def example_spec_def opt_parent_def)
lemma irqhandler_cap_at_example_spec [simp]:
"\<not> irqhandler_cap_at cap_ref example_spec"
by (clarsimp simp: example_spec_def cap_at_def object_id_defs split_beta'
opt_cap_def slots_of_def object_slots_def
example_tcb_def tcb_slot_defs empty_cap_map_def
split: if_split_asm)
lemma original_cap_at_example_spec [simp]:
"original_cap_at cap_ref example_spec"
by (clarsimp simp: original_cap_at_def)
lemma well_formed_cap_example [simp]:
"\<lbrakk>cdl_objects example_spec obj_id = Some obj;
object_slots obj slot = Some cap; cap \<noteq> NullCap\<rbrakk>
\<Longrightarrow> well_formed_cap cap"
by (clarsimp simp: well_formed_cap_def example_spec_def example_tcb_def
object_slots_def empty_cap_map_def guard_bits_def
tcb_slot_defs vm_read_write_def
split: cdl_cap.splits if_split_asm)
lemma range_example_irq_node:
"range example_irq_node = {x. x \<le> mask irq_len}"
apply (clarsimp simp: irq_nodes_def example_spec_def example_irq_node_def irq_len_val mask_def)
apply (subst ucast_range_less, simp+)
apply (subst word_less_sub_le [where 'a = 32 and n=irq_len, unfolded irq_len_val, simplified])
apply simp
done
lemma irq_cnodes_example_spec [simp]:
"irq_nodes example_spec = {}"
by (clarsimp simp: irq_nodes_def range_example_irq_node
object_at_def is_irq_node_def example_spec_def)
lemma example_irq_node_less_mask_irq_len:
"example_irq_node irq = obj_id \<Longrightarrow> obj_id \<le> mask irq_len"
apply (insert range_example_irq_node)
apply (auto simp: image_def)
done
lemma well_formed_irqhandler_caps_example:
"well_formed_irqhandler_caps example_spec"
apply (clarsimp simp: well_formed_irqhandler_caps_def bound_irqs_def)
apply (clarsimp simp: example_spec_def object_id_defs object_slots_def
empty_cap_map_def opt_cap_def slots_of_def
example_tcb_def
split: if_split_asm)
apply (drule example_irq_node_less_mask_irq_len, simp add: irq_len_val mask_def)+
done
lemma well_formed_cdt_example [simp]:
"\<lbrakk>cdl_objects example_spec obj_id = Some obj;
object_slots obj slot = Some cap; cap \<noteq> NullCap\<rbrakk>
\<Longrightarrow> well_formed_cdt example_spec (obj_id, slot) cap"
apply (clarsimp simp: well_formed_cdt_def)
apply (rule_tac x=cnode_id in exI)
apply (fastforce simp: well_formed_cdt_def example_spec_def object_id_defs
object_slots_def object_at_def is_cnode_def
opt_cap_def slots_of_def
empty_cap_map_def
split: if_split_asm)
done
lemma well_formed_orig_cap_example [simp]:
"\<lbrakk>cdl_objects example_spec obj_id = Some obj;
object_slots obj slot = Some cap; cap \<noteq> NullCap\<rbrakk>
\<Longrightarrow> well_formed_orig_cap cap"
by (clarsimp simp: well_formed_orig_cap_def example_spec_def
object_slots_def example_tcb_def empty_cap_map_def
cap_type_def default_cap_def cap_rights_def
tcb_slot_defs ep_related_cap_def
split: if_split_asm)
lemma well_formed_cap_to_real_object_example [simp]:
"\<lbrakk>cdl_objects example_spec obj_id = Some obj; object_slots obj slot = Some cap\<rbrakk>
\<Longrightarrow> well_formed_cap_to_real_object example_spec cap"
apply (clarsimp simp: well_formed_cap_to_real_object_def real_object_at_def)
apply (clarsimp simp: example_spec_def object_id_defs empty_cap_map_def
object_slots_def example_tcb_def
split: if_split_asm)
done
lemma well_formed_cap_types_match_example [simp]:
"\<lbrakk>cdl_objects example_spec obj_id = Some obj; object_slots obj slot = Some cap; cap \<noteq> NullCap\<rbrakk>
\<Longrightarrow> well_formed_cap_types_match example_spec cap"
apply (clarsimp simp: well_formed_cap_types_match_def example_spec_def object_id_defs
split: if_split_asm)
apply (clarsimp simp: object_slots_def example_tcb_def object_id_defs
split: if_split_asm)
apply (clarsimp simp: object_slots_def example_tcb_def object_id_defs
split: if_split_asm)
done
lemma well_formed_caps_example [simp]:
"cdl_objects example_spec obj_id = Some obj \<Longrightarrow>
well_formed_caps example_spec obj_id obj"
apply (clarsimp simp: well_formed_caps_def)
apply (clarsimp simp: example_spec_def empty_cap_map_def object_slots_def example_tcb_def is_fake_vm_cap_def
split: if_split_asm)
done
lemma well_formed_cap_to_object_example:
"cdl_objects example_spec obj_id = Some obj
\<Longrightarrow> well_formed_cap_to_object example_spec obj_id obj"
apply (clarsimp simp: well_formed_cap_to_object_def)
apply (clarsimp simp: example_spec_def example_tcb_def)
apply (intro conjI)
apply (rule_tac x=cnode_id in exI)
apply (fastforce simp: example_spec_def example_tcb_def object_id_defs
opt_cap_def slots_of_def object_slots_def
opt_parent_def object_at_def
is_cnode_def cap_object_def cap_has_object_def
real_object_at_def irq_nodes_def
range_example_irq_node is_irq_node_def
split: if_split_asm)
apply (clarsimp simp: cap_type_def split:cdl_cap.splits)
apply (clarsimp simp: example_spec_def example_tcb_def object_id_defs
opt_cap_def slots_of_def object_slots_def
opt_parent_def object_at_def
is_cnode_def cap_object_def cap_has_object_def
cap_type_def cnode_cap_size_def
empty_cap_map_def object_size_bits_def
split: if_split_asm)
done
lemma well_formed_cap_to_non_empty_pt_example:
"cdl_objects example_spec obj_id = Some obj \<Longrightarrow>
well_formed_cap_to_non_empty_pt example_spec obj_id obj"
by (clarsimp simp: well_formed_cap_to_non_empty_pt_def example_spec_def
object_at_def is_pt_def
split: if_split_asm)
lemma well_formed_vspace_example:
"cdl_objects example_spec obj_id = Some obj
\<Longrightarrow> well_formed_vspace example_spec obj_id obj"
apply (clarsimp simp: well_formed_vspace_def well_formed_cap_to_non_empty_pt_example)
apply (clarsimp simp: example_spec_def is_pt_def is_pd_def object_slots_def empty_cap_map_def
split: if_split_asm)
done
lemma well_formed_irq_node_example:
"cdl_objects example_spec obj_id = Some obj
\<Longrightarrow> well_formed_irq_node example_spec obj_id obj"
by (clarsimp simp: well_formed_irq_node_def)
lemma well_formed_irq_table_example [simp]:
"well_formed_irq_table example_spec"
apply (clarsimp simp: well_formed_irq_table_def)
apply (rule conjI)
apply (clarsimp simp: well_formed_irq_table_def example_irq_node_def down_ucast_inj is_down)
apply clarsimp
apply (cut_tac irq=irq in example_irq_node_less_mask_irq_len, simp add: irq_len_val mask_def)
apply (clarsimp simp: example_spec_def object_id_defs irq_len_val mask_def split: if_split_asm)
done
lemma well_formed_example:
"well_formed example_spec"
apply (clarsimp simp: well_formed_def)
apply (intro conjI)
apply (rule well_formed_orig_caps_unique_example)
apply (rule well_formed_irqhandler_caps_unique_example)
apply (rule well_formed_fake_pt_caps_unique_example)
apply (rule well_formed_irqhandler_caps_example)
apply (clarsimp split: option.splits, rename_tac obj)
apply (clarsimp simp: well_formed_cap_to_object_example
well_formed_orig_caps_unique_example)
apply (rule conjI)
apply (erule well_formed_tcb_example)
apply (rule conjI)
apply (fact well_formed_vspace_example)
apply (rule conjI)
apply (fact well_formed_irq_node_example)
apply (fastforce simp: example_spec_def object_size_bits_def object_default_state_def2
pd_size_def word_bits_def empty_cnode_def is_cnode_def
object_slots_def empty_cap_map_def tcb_slot_defs
default_tcb_def example_tcb_def
small_frame_size_def object_at_def
irq_nodes_def range_example_irq_node
split: if_split_asm)
apply (clarsimp simp: example_spec_def object_size_bits_def object_default_state_def2
pd_size_def word_bits_def empty_cnode_def is_cnode_def
object_slots_def empty_cap_map_def tcb_slot_defs
default_tcb_def example_tcb_def cap_at_def opt_cap_def slots_of_def
small_frame_size_def object_at_def
irq_nodes_def range_example_irq_node
split: if_split_asm)
done
end
end