From 8ff01b8302c204cf904a2b455becbbec275955b4 Mon Sep 17 00:00:00 2001 From: Rafal Kolanski Date: Tue, 23 Jul 2024 12:31:15 +1000 Subject: [PATCH] [wip] gen+aarch64 ainvs: move requalifies to generic theories * prevent duplication between arches by moving requalifications from Arch theories to generic ones * this strategy is not available for new constants that are introduced in the Arch locale that need to be referenced in generic definitions or locale instantiations --- proof/invariant-abstract/AARCH64/ArchAInvsPre.thy | 6 ------ proof/invariant-abstract/AARCH64/ArchArch_AI.thy | 14 -------------- .../invariant-abstract/AARCH64/ArchBCorres_AI.thy | 5 ----- .../AARCH64/ArchCSpaceInv_AI.thy | 2 -- proof/invariant-abstract/AARCH64/ArchCSpace_AI.thy | 5 ----- proof/invariant-abstract/AARCH64/ArchTcb_AI.thy | 4 ---- proof/invariant-abstract/AARCH64/ArchVSpace_AI.thy | 4 ---- proof/invariant-abstract/AARCH64/Machine_AI.thy | 6 ------ proof/invariant-abstract/AInvs.thy | 5 +++++ proof/invariant-abstract/CSpacePre_AI.thy | 3 +++ proof/invariant-abstract/KHeapPre_AI.thy | 6 ++++++ proof/invariant-abstract/LevityCatch_AI.thy | 4 ++++ proof/invariant-abstract/Schedule_AI.thy | 11 ++++------- proof/invariant-abstract/Syscall_AI.thy | 12 ++++++++++++ proof/invariant-abstract/TcbAcc_AI.thy | 2 ++ proof/invariant-abstract/VSpace_AI.thy | 1 + 16 files changed, 37 insertions(+), 53 deletions(-) diff --git a/proof/invariant-abstract/AARCH64/ArchAInvsPre.thy b/proof/invariant-abstract/AARCH64/ArchAInvsPre.thy index 892bed850f..83ae5d2b58 100644 --- a/proof/invariant-abstract/AARCH64/ArchAInvsPre.thy +++ b/proof/invariant-abstract/AARCH64/ArchAInvsPre.thy @@ -140,10 +140,4 @@ proof goal_cases case 1 show ?case by (intro_locales; (unfold_locales; fact AInvsPre_assms)?) qed -(* FIXME arch_split: move to global theory *) -arch_requalify_facts - user_mem_dom_cong - device_mem_dom_cong - device_frame_in_device_region - end diff --git a/proof/invariant-abstract/AARCH64/ArchArch_AI.thy b/proof/invariant-abstract/AARCH64/ArchArch_AI.thy index 52643dfa1d..969da0e922 100644 --- a/proof/invariant-abstract/AARCH64/ArchArch_AI.thy +++ b/proof/invariant-abstract/AARCH64/ArchArch_AI.thy @@ -1726,18 +1726,4 @@ lemma arch_pinv_st_tcb_at: end -(* FIXME arch_split: move to global theory *) -arch_requalify_consts - valid_arch_inv - -arch_requalify_facts - invoke_arch_tcb - invoke_arch_invs - sts_valid_arch_inv - arch_decode_inv_wf - arch_pinv_st_tcb_at - -declare invoke_arch_invs[wp] -declare arch_decode_inv_wf[wp] - end diff --git a/proof/invariant-abstract/AARCH64/ArchBCorres_AI.thy b/proof/invariant-abstract/AARCH64/ArchBCorres_AI.thy index 97e040139b..1bb2fb31c9 100644 --- a/proof/invariant-abstract/AARCH64/ArchBCorres_AI.thy +++ b/proof/invariant-abstract/AARCH64/ArchBCorres_AI.thy @@ -45,9 +45,4 @@ crunch prepare_thread_delete end -(* FIXME arch_split: move to generic theory *) -arch_requalify_facts arch_finalise_cap_bcorres prepare_thread_delete_bcorres - -declare arch_finalise_cap_bcorres[wp] prepare_thread_delete_bcorres[wp] - end diff --git a/proof/invariant-abstract/AARCH64/ArchCSpaceInv_AI.thy b/proof/invariant-abstract/AARCH64/ArchCSpaceInv_AI.thy index ba702cde24..3ad84874c7 100644 --- a/proof/invariant-abstract/AARCH64/ArchCSpaceInv_AI.thy +++ b/proof/invariant-abstract/AARCH64/ArchCSpaceInv_AI.thy @@ -210,6 +210,4 @@ lemmas cap_vptr_simps [simp] = end -arch_requalify_facts replace_cap_invs - end diff --git a/proof/invariant-abstract/AARCH64/ArchCSpace_AI.thy b/proof/invariant-abstract/AARCH64/ArchCSpace_AI.thy index 05759f6b54..bc4db311ee 100644 --- a/proof/invariant-abstract/AARCH64/ArchCSpace_AI.thy +++ b/proof/invariant-abstract/AARCH64/ArchCSpace_AI.thy @@ -599,9 +599,4 @@ lemma set_cap_kernel_window_simple: end -(* FIXME arch_split: move to non-Arch theory? *) -arch_requalify_facts - set_cap_valid_arch_caps_simple - set_cap_kernel_window_simple - end diff --git a/proof/invariant-abstract/AARCH64/ArchTcb_AI.thy b/proof/invariant-abstract/AARCH64/ArchTcb_AI.thy index 6c37465baa..33d7d7f6ed 100644 --- a/proof/invariant-abstract/AARCH64/ArchTcb_AI.thy +++ b/proof/invariant-abstract/AARCH64/ArchTcb_AI.thy @@ -383,8 +383,4 @@ proof goal_cases case 1 show ?case by (unfold_locales; (fact Tcb_AI_assms)?) qed -(* FIXME arch_split: move to global theory *) -arch_requalify_consts is_cnode_or_valid_arch -arch_requalify_facts invoke_tcb_typ_at - end diff --git a/proof/invariant-abstract/AARCH64/ArchVSpace_AI.thy b/proof/invariant-abstract/AARCH64/ArchVSpace_AI.thy index 973d7e1ae6..48bb3f688a 100644 --- a/proof/invariant-abstract/AARCH64/ArchVSpace_AI.thy +++ b/proof/invariant-abstract/AARCH64/ArchVSpace_AI.thy @@ -3142,8 +3142,4 @@ crunch vcpu_switch end -(* FIXME arch_split: move to generic theory? *) -arch_requalify_facts - do_machine_op_valid_kernel_mappings - end diff --git a/proof/invariant-abstract/AARCH64/Machine_AI.thy b/proof/invariant-abstract/AARCH64/Machine_AI.thy index b6d2e48bce..793e63d832 100644 --- a/proof/invariant-abstract/AARCH64/Machine_AI.thy +++ b/proof/invariant-abstract/AARCH64/Machine_AI.thy @@ -423,10 +423,4 @@ lemma dmo_gets_inv[wp]: end -arch_requalify_facts - det_getRegister - det_setRegister - det_getRestartPC - det_setNextPC - end diff --git a/proof/invariant-abstract/AInvs.thy b/proof/invariant-abstract/AInvs.thy index c1e3aac714..dad6152d6a 100644 --- a/proof/invariant-abstract/AInvs.thy +++ b/proof/invariant-abstract/AInvs.thy @@ -12,6 +12,11 @@ theory AInvs imports ArchAInvsPre begin +arch_requalify_facts + user_mem_dom_cong + device_mem_dom_cong + device_frame_in_device_region + lemma st_tcb_at_nostate_upd: "\ get_tcb t s = Some y; tcb_state y = tcb_state y' \ \ st_tcb_at P t' (s \kheap := (kheap s)(t \ TCB y')\) = st_tcb_at P t' s" diff --git a/proof/invariant-abstract/CSpacePre_AI.thy b/proof/invariant-abstract/CSpacePre_AI.thy index 9cc07003ef..541227b0b3 100644 --- a/proof/invariant-abstract/CSpacePre_AI.thy +++ b/proof/invariant-abstract/CSpacePre_AI.thy @@ -20,6 +20,9 @@ arch_requalify_consts cap_asid_base cap_vptr +arch_requalify_facts + replace_cap_invs + lemma fun_upd_Some: "ms p = Some k \ (ms(a \ b)) p = Some (if a = p then b else k)" by auto diff --git a/proof/invariant-abstract/KHeapPre_AI.thy b/proof/invariant-abstract/KHeapPre_AI.thy index 9fca503d7c..06ff116b25 100644 --- a/proof/invariant-abstract/KHeapPre_AI.thy +++ b/proof/invariant-abstract/KHeapPre_AI.thy @@ -8,6 +8,12 @@ theory KHeapPre_AI imports Machine_AI begin +arch_requalify_facts + det_getRegister + det_setRegister + det_getRestartPC + det_setNextPC + primrec same_caps :: "Structures_A.kernel_object \ Structures_A.kernel_object \ bool" where diff --git a/proof/invariant-abstract/LevityCatch_AI.thy b/proof/invariant-abstract/LevityCatch_AI.thy index fa3f444e8a..6c7a9465b8 100644 --- a/proof/invariant-abstract/LevityCatch_AI.thy +++ b/proof/invariant-abstract/LevityCatch_AI.thy @@ -19,9 +19,13 @@ arch_requalify_consts arch_requalify_facts ptrFormPAddr_addFromPPtr aobj_ref_arch_cap + arch_finalise_cap_bcorres + prepare_thread_delete_bcorres lemmas aobj_ref_arch_cap_simps[simp] = aobj_ref_arch_cap +lemmas [wp] = arch_finalise_cap_bcorres prepare_thread_delete_bcorres + lemma detype_arch_state: "arch_state (detype S s) = arch_state s" by (simp add: detype_def) diff --git a/proof/invariant-abstract/Schedule_AI.thy b/proof/invariant-abstract/Schedule_AI.thy index ed0cdc3364..7f6e8cd564 100644 --- a/proof/invariant-abstract/Schedule_AI.thy +++ b/proof/invariant-abstract/Schedule_AI.thy @@ -8,10 +8,13 @@ theory Schedule_AI imports VSpace_AI begin +arch_requalify_facts + no_irq + no_irq_storeWord + abbreviation "activatable \ \st. runnable st \ idle st" - locale Schedule_AI = fixes state_ext :: "('a::state_ext) itself" assumes dmo_mapM_storeWord_0_invs[wp]: @@ -27,12 +30,6 @@ locale Schedule_AI = assumes stit_activatable: "\invs\ switch_to_idle_thread \\rv . (ct_in_state activatable :: 'a state \ bool)\" -(* FIXME arch_split: some of these could be moved to generic theories - so they don't need to be requalified. *) -arch_requalify_facts - no_irq - no_irq_storeWord - crunch schedule_switch_thread_fastfail for inv[wp]: P diff --git a/proof/invariant-abstract/Syscall_AI.thy b/proof/invariant-abstract/Syscall_AI.thy index a24240816f..960fa04707 100644 --- a/proof/invariant-abstract/Syscall_AI.thy +++ b/proof/invariant-abstract/Syscall_AI.thy @@ -22,16 +22,28 @@ begin arch_requalify_facts (A) data_to_cptr_def +arch_requalify_consts + is_cnode_or_valid_arch + valid_arch_inv + arch_requalify_facts resetTimer_device_state_inv arch_decode_invocation_inv arch_post_cap_deletion_cur_thread arch_post_cap_deletion_state_refs_of arch_invoke_irq_handler_typ_at + invoke_tcb_typ_at + invoke_arch_tcb + invoke_arch_invs + sts_valid_arch_inv + arch_decode_inv_wf + arch_pinv_st_tcb_at lemmas [wp] = arch_decode_invocation_inv lookup_cap_and_slot_inv + invoke_arch_invs + arch_decode_inv_wf lemmas [simp] = data_to_cptr_def diff --git a/proof/invariant-abstract/TcbAcc_AI.thy b/proof/invariant-abstract/TcbAcc_AI.thy index 7494233a23..57c2351394 100644 --- a/proof/invariant-abstract/TcbAcc_AI.thy +++ b/proof/invariant-abstract/TcbAcc_AI.thy @@ -13,6 +13,8 @@ arch_requalify_facts as_user_inv getRegister_inv user_getreg_inv + set_cap_valid_arch_caps_simple + set_cap_kernel_window_simple declare user_getreg_inv[wp] diff --git a/proof/invariant-abstract/VSpace_AI.thy b/proof/invariant-abstract/VSpace_AI.thy index 47cdba4606..c2c67f953f 100644 --- a/proof/invariant-abstract/VSpace_AI.thy +++ b/proof/invariant-abstract/VSpace_AI.thy @@ -13,6 +13,7 @@ imports ArchVSpace_AI begin arch_requalify_facts + do_machine_op_valid_kernel_mappings ackInterrupt_device_state_inv pspace_respects_device_region_dmo cap_refs_respects_device_region_dmo