From f436f34ff6b34f53581c7b75546ce34a5a6e04e3 Mon Sep 17 00:00:00 2001 From: Corey Lewis Date: Fri, 18 Aug 2023 12:40:52 +1000 Subject: [PATCH] proof: update for changes to nondet monad 
Signed-off-by: Corey Lewis --- proof/access-control/ARM/ArchArch_AC.thy | 8 ++-- proof/access-control/ARM/ArchDomainSepInv.thy | 4 +- proof/access-control/ARM/ArchTcb_AC.thy | 2 +- proof/access-control/DomainSepInv.thy | 6 +-- proof/access-control/Finalise_AC.thy | 24 +++++------ proof/access-control/Ipc_AC.thy | 18 ++++---- proof/access-control/RISCV64/ArchArch_AC.thy | 8 ++-- .../RISCV64/ArchDomainSepInv.thy | 4 +- proof/access-control/RISCV64/ArchTcb_AC.thy | 2 +- proof/access-control/Retype_AC.thy | 4 +- proof/access-control/Tcb_AC.thy | 4 +- proof/crefine/ARM/CSpace_C.thy | 6 +-- proof/crefine/ARM/Delete_C.thy | 4 +- proof/crefine/ARM/Detype_C.thy | 2 +- proof/crefine/ARM/Fastpath_Equiv.thy | 12 +++--- proof/crefine/ARM/Invoke_C.thy | 10 ++--- proof/crefine/ARM/Ipc_C.thy | 6 +-- proof/crefine/ARM/Refine_C.thy | 2 +- proof/crefine/ARM/Retype_C.thy | 6 +-- proof/crefine/ARM/SyscallArgs_C.thy | 6 +-- proof/crefine/ARM/Tcb_C.thy | 30 ++++++------- proof/crefine/ARM/VSpace_C.thy | 2 +- proof/crefine/ARM_HYP/CSpace_C.thy | 6 +-- proof/crefine/ARM_HYP/Delete_C.thy | 4 +- proof/crefine/ARM_HYP/Detype_C.thy | 2 +- proof/crefine/ARM_HYP/Fastpath_Equiv.thy | 12 +++--- proof/crefine/ARM_HYP/Invoke_C.thy | 10 ++--- proof/crefine/ARM_HYP/Ipc_C.thy | 8 ++-- proof/crefine/ARM_HYP/Refine_C.thy | 2 +- proof/crefine/ARM_HYP/Retype_C.thy | 6 +-- proof/crefine/ARM_HYP/SyscallArgs_C.thy | 6 +-- proof/crefine/ARM_HYP/Tcb_C.thy | 32 +++++++------- proof/crefine/ARM_HYP/VSpace_C.thy | 2 +- proof/crefine/Move_C.thy | 2 +- proof/crefine/RISCV64/CSpace_C.thy | 6 +-- proof/crefine/RISCV64/Delete_C.thy | 4 +- proof/crefine/RISCV64/Detype_C.thy | 2 +- proof/crefine/RISCV64/Invoke_C.thy | 10 ++--- proof/crefine/RISCV64/Ipc_C.thy | 8 ++-- proof/crefine/RISCV64/Refine_C.thy | 2 +- proof/crefine/RISCV64/Retype_C.thy | 6 +-- proof/crefine/RISCV64/SyscallArgs_C.thy | 6 +-- proof/crefine/RISCV64/Tcb_C.thy | 32 +++++++------- proof/crefine/X64/CSpace_C.thy | 6 +-- proof/crefine/X64/Delete_C.thy | 4 
+- proof/crefine/X64/Detype_C.thy | 2 +- proof/crefine/X64/Invoke_C.thy | 10 ++--- proof/crefine/X64/Ipc_C.thy | 8 ++-- proof/crefine/X64/Refine_C.thy | 2 +- proof/crefine/X64/Retype_C.thy | 6 +-- proof/crefine/X64/SyscallArgs_C.thy | 6 +-- proof/crefine/X64/Tcb_C.thy | 32 +++++++------- proof/drefine/CNode_DR.thy | 10 ++--- proof/drefine/Finalise_DR.thy | 4 +- proof/drefine/Ipc_DR.thy | 2 +- proof/drefine/Untyped_DR.thy | 2 +- proof/infoflow/ADT_IF.thy | 14 +++---- proof/infoflow/ARM/ArchADT_IF.thy | 2 +- proof/infoflow/ARM/ArchArch_IF.thy | 8 ++-- proof/infoflow/ARM/ArchFinalCaps.thy | 10 ++--- proof/infoflow/ARM/ArchIRQMasks_IF.thy | 4 +- proof/infoflow/ARM/ArchIpc_IF.thy | 2 +- proof/infoflow/ARM/ArchTcb_IF.thy | 6 +-- proof/infoflow/FinalCaps.thy | 28 ++++++------- proof/infoflow/Finalise_IF.thy | 4 +- proof/infoflow/IRQMasks_IF.thy | 2 +- proof/infoflow/Interrupt_IF.thy | 2 +- proof/infoflow/Ipc_IF.thy | 8 ++-- proof/infoflow/RISCV64/ArchArch_IF.thy | 10 ++--- proof/infoflow/RISCV64/ArchFinalCaps.thy | 10 ++--- proof/infoflow/RISCV64/ArchIRQMasks_IF.thy | 4 +- proof/infoflow/RISCV64/ArchIpc_IF.thy | 2 +- proof/infoflow/RISCV64/ArchTcb_IF.thy | 6 +-- proof/infoflow/Scheduler_IF.thy | 6 +-- proof/infoflow/Tcb_IF.thy | 4 +- .../infoflow/refine/ARM/ArchADT_IF_Refine.thy | 4 +- .../refine/RISCV64/ArchADT_IF_Refine.thy | 4 +- .../AARCH64/ArchArch_AI.thy | 2 +- .../AARCH64/ArchCNodeInv_AI.thy | 2 +- .../AARCH64/ArchDetSchedAux_AI.thy | 2 +- .../invariant-abstract/AARCH64/ArchIpc_AI.thy | 4 +- .../invariant-abstract/AARCH64/ArchTcb_AI.thy | 2 +- .../AARCH64/ArchVSpaceEntries_AI.thy | 2 +- proof/invariant-abstract/AInvs.thy | 2 +- proof/invariant-abstract/ARM/ArchArch_AI.thy | 6 +-- .../ARM/ArchCNodeInv_AI.thy | 2 +- .../ARM/ArchDetSchedAux_AI.thy | 4 +- .../ARM/ArchFinalise_AI.thy | 2 +- proof/invariant-abstract/ARM/ArchIpc_AI.thy | 4 +- .../invariant-abstract/ARM/ArchRetype_AI.thy | 2 +- proof/invariant-abstract/ARM/ArchTcb_AI.thy | 2 +- 
.../ARM/ArchVSpaceEntries_AI.thy | 2 +- .../ARM_HYP/ArchArch_AI.thy | 6 +-- .../ARM_HYP/ArchCNodeInv_AI.thy | 2 +- .../ARM_HYP/ArchDetSchedAux_AI.thy | 4 +- .../ARM_HYP/ArchFinalise_AI.thy | 2 +- .../invariant-abstract/ARM_HYP/ArchIpc_AI.thy | 4 +- .../invariant-abstract/ARM_HYP/ArchTcb_AI.thy | 2 +- .../ARM_HYP/ArchVSpaceEntries_AI.thy | 4 +- proof/invariant-abstract/CNodeInv_AI.thy | 4 +- proof/invariant-abstract/DetSchedInvs_AI.thy | 8 ++-- .../DetSchedSchedule_AI.thy | 4 +- proof/invariant-abstract/Deterministic_AI.thy | 2 +- proof/invariant-abstract/Finalise_AI.thy | 2 +- proof/invariant-abstract/IpcCancel_AI.thy | 4 +- proof/invariant-abstract/Ipc_AI.thy | 16 +++---- .../RISCV64/ArchArch_AI.thy | 2 +- .../RISCV64/ArchCNodeInv_AI.thy | 2 +- .../RISCV64/ArchDetSchedAux_AI.thy | 4 +- .../invariant-abstract/RISCV64/ArchIpc_AI.thy | 4 +- .../invariant-abstract/RISCV64/ArchTcb_AI.thy | 2 +- .../RISCV64/ArchVSpaceEntries_AI.thy | 2 +- proof/invariant-abstract/Tcb_AI.thy | 2 +- proof/invariant-abstract/X64/ArchArch_AI.thy | 2 +- .../X64/ArchCNodeInv_AI.thy | 2 +- .../X64/ArchDetSchedAux_AI.thy | 4 +- proof/invariant-abstract/X64/ArchIpc_AI.thy | 4 +- .../invariant-abstract/X64/ArchRetype_AI.thy | 2 +- proof/invariant-abstract/X64/ArchTcb_AI.thy | 2 +- .../X64/ArchVSpaceEntries_AI.thy | 2 +- proof/refine/AARCH64/Arch_R.thy | 10 ++--- proof/refine/AARCH64/CNodeInv_R.thy | 20 ++++----- proof/refine/AARCH64/CSpace1_R.thy | 2 +- proof/refine/AARCH64/Detype_R.thy | 4 +- proof/refine/AARCH64/Finalise_R.thy | 4 +- proof/refine/AARCH64/Interrupt_R.thy | 2 +- proof/refine/AARCH64/Ipc_R.thy | 42 +++++++++---------- proof/refine/AARCH64/Refine.thy | 6 +-- proof/refine/AARCH64/Retype_R.thy | 3 +- proof/refine/AARCH64/Schedule_R.thy | 6 +-- proof/refine/AARCH64/Syscall_R.thy | 14 +++---- proof/refine/AARCH64/TcbAcc_R.thy | 11 +++-- proof/refine/AARCH64/Tcb_R.thy | 28 ++++++------- proof/refine/AARCH64/orphanage/Orphanage.thy | 30 ++++++------- proof/refine/ARM/Arch_R.thy | 8 ++-- 
proof/refine/ARM/CNodeInv_R.thy | 22 +++++----- proof/refine/ARM/CSpace1_R.thy | 2 +- proof/refine/ARM/Detype_R.thy | 4 +- proof/refine/ARM/Finalise_R.thy | 4 +- proof/refine/ARM/Interrupt_R.thy | 2 +- proof/refine/ARM/Ipc_R.thy | 42 +++++++++---------- proof/refine/ARM/PageTableDuplicates.thy | 10 ++--- proof/refine/ARM/Refine.thy | 6 +-- proof/refine/ARM/Retype_R.thy | 3 +- proof/refine/ARM/Schedule_R.thy | 6 +-- proof/refine/ARM/Syscall_R.thy | 14 +++---- proof/refine/ARM/TcbAcc_R.thy | 11 +++-- proof/refine/ARM/Tcb_R.thy | 32 +++++++------- proof/refine/ARM/orphanage/Orphanage.thy | 28 ++++++------- proof/refine/ARM_HYP/Arch_R.thy | 10 ++--- proof/refine/ARM_HYP/CNodeInv_R.thy | 20 ++++----- proof/refine/ARM_HYP/CSpace1_R.thy | 2 +- proof/refine/ARM_HYP/Detype_R.thy | 4 +- proof/refine/ARM_HYP/Finalise_R.thy | 4 +- proof/refine/ARM_HYP/Interrupt_R.thy | 2 +- proof/refine/ARM_HYP/Ipc_R.thy | 42 +++++++++---------- proof/refine/ARM_HYP/PageTableDuplicates.thy | 8 ++-- proof/refine/ARM_HYP/Refine.thy | 8 ++-- proof/refine/ARM_HYP/Retype_R.thy | 3 +- proof/refine/ARM_HYP/Schedule_R.thy | 6 +-- proof/refine/ARM_HYP/Syscall_R.thy | 14 +++---- proof/refine/ARM_HYP/TcbAcc_R.thy | 11 +++-- proof/refine/ARM_HYP/Tcb_R.thy | 32 +++++++------- proof/refine/RISCV64/Arch_R.thy | 10 ++--- proof/refine/RISCV64/CNodeInv_R.thy | 20 ++++----- proof/refine/RISCV64/CSpace1_R.thy | 2 +- proof/refine/RISCV64/Detype_R.thy | 4 +- proof/refine/RISCV64/Finalise_R.thy | 4 +- proof/refine/RISCV64/Interrupt_R.thy | 2 +- proof/refine/RISCV64/Ipc_R.thy | 42 +++++++++---------- proof/refine/RISCV64/Refine.thy | 6 +-- proof/refine/RISCV64/Retype_R.thy | 3 +- proof/refine/RISCV64/Schedule_R.thy | 6 +-- proof/refine/RISCV64/Syscall_R.thy | 14 +++---- proof/refine/RISCV64/TcbAcc_R.thy | 11 +++-- proof/refine/RISCV64/Tcb_R.thy | 28 ++++++------- proof/refine/RISCV64/orphanage/Orphanage.thy | 28 ++++++------- proof/refine/X64/Arch_R.thy | 10 ++--- proof/refine/X64/CNodeInv_R.thy | 20 ++++----- 
proof/refine/X64/CSpace1_R.thy | 2 +- proof/refine/X64/Detype_R.thy | 4 +- proof/refine/X64/Finalise_R.thy | 4 +- proof/refine/X64/Interrupt_R.thy | 2 +- proof/refine/X64/Ipc_R.thy | 42 +++++++++---------- proof/refine/X64/Refine.thy | 6 +-- proof/refine/X64/Retype_R.thy | 3 +- proof/refine/X64/Schedule_R.thy | 6 +-- proof/refine/X64/Syscall_R.thy | 14 +++---- proof/refine/X64/TcbAcc_R.thy | 11 +++-- proof/refine/X64/Tcb_R.thy | 30 ++++++------- 190 files changed, 789 insertions(+), 799 deletions(-) diff --git a/proof/access-control/ARM/ArchArch_AC.thy b/proof/access-control/ARM/ArchArch_AC.thy index cd183bec17..4f24903648 100644 --- a/proof/access-control/ARM/ArchArch_AC.thy +++ b/proof/access-control/ARM/ArchArch_AC.thy @@ -549,7 +549,7 @@ lemma perform_asid_control_invocation_respects: apply (rule hoare_pre) apply (wpc, simp) apply (wpsimp wp: set_cap_integrity_autarch cap_insert_integrity_autarch - retype_region_integrity[where sz=12] static_imp_wp) + retype_region_integrity[where sz=12] hoare_weak_lift_imp) apply (clarsimp simp: authorised_asid_control_inv_def ptr_range_def page_bits_def add.commute range_cover_def obj_bits_api_def default_arch_object_def @@ -576,12 +576,12 @@ lemma perform_asid_control_invocation_pas_refined [wp]: \\_. pas_refined aag\" apply (simp add: perform_asid_control_invocation_def) apply (rule hoare_pre) - apply (wp cap_insert_pas_refined' static_imp_wp + apply (wp cap_insert_pas_refined' hoare_weak_lift_imp | strengthen pas_refined_set_asid_strg | wpc | simp add: delete_objects_def2 fun_upd_def[symmetric])+ apply (wp retype_region_pas_refined'[where sz=pageBits] - hoare_vcg_ex_lift hoare_vcg_all_lift static_imp_wp hoare_wp_combs hoare_drop_imp + hoare_vcg_ex_lift hoare_vcg_all_lift hoare_weak_lift_imp hoare_wp_combs hoare_drop_imp retype_region_invs_extras(1)[where sz = pageBits] retype_region_invs_extras(4)[where sz = pageBits] retype_region_invs_extras(6)[where sz = pageBits] 
@@ -591,7 +591,7 @@ lemma perform_asid_control_invocation_pas_refined [wp]: max_index_upd_invs_simple max_index_upd_caps_overlap_reserved hoare_vcg_ex_lift set_cap_cte_wp_at hoare_vcg_disj_lift set_free_index_valid_pspace set_cap_descendants_range_in set_cap_no_overlap get_cap_wp set_cap_caps_no_overlap - hoare_vcg_all_lift static_imp_wp retype_region_invs_extras + hoare_vcg_all_lift hoare_weak_lift_imp retype_region_invs_extras set_cap_pas_refined_not_transferable | simp add: do_machine_op_def split_def cte_wp_at_neg2 region_in_kernel_window_def)+ apply (rename_tac frame slot parent base cap) diff --git a/proof/access-control/ARM/ArchDomainSepInv.thy b/proof/access-control/ARM/ArchDomainSepInv.thy index 73e9df6bee..eb3ac5ab85 100644 --- a/proof/access-control/ARM/ArchDomainSepInv.thy +++ b/proof/access-control/ARM/ArchDomainSepInv.thy @@ -49,7 +49,7 @@ lemma perform_page_invocation_domain_sep_inv: \\_. domain_sep_inv irqs st\" apply (rule hoare_pre) apply (wp mapM_wp[OF _ subset_refl] set_cap_domain_sep_inv mapM_x_wp[OF _ subset_refl] - perform_page_invocation_domain_sep_inv_get_cap_helper static_imp_wp + perform_page_invocation_domain_sep_inv_get_cap_helper hoare_weak_lift_imp | simp add: perform_page_invocation_def o_def | wpc)+ apply (clarsimp simp: valid_page_inv_def) apply (case_tac xa, simp_all add: domain_sep_inv_cap_def is_pg_cap_def) @@ -79,7 +79,7 @@ lemma perform_asid_control_invocation_domain_sep_inv: unfolding perform_asid_control_invocation_def apply (rule hoare_pre) apply (wp modify_wp cap_insert_domain_sep_inv' set_cap_domain_sep_inv - get_cap_domain_sep_inv_cap[where st=st] static_imp_wp + get_cap_domain_sep_inv_cap[where st=st] hoare_weak_lift_imp | wpc | simp )+ done diff --git a/proof/access-control/ARM/ArchTcb_AC.thy b/proof/access-control/ARM/ArchTcb_AC.thy index dd78504af0..1619cbdb92 100644 --- a/proof/access-control/ARM/ArchTcb_AC.thy +++ b/proof/access-control/ARM/ArchTcb_AC.thy 
@@ -45,7 +45,7 @@ lemma invoke_tcb_tc_respects_aag[Tcb_AC_assms]: | wp restart_integrity_autarch set_mcpriority_integrity_autarch as_user_integrity_autarch thread_set_integrity_autarch option_update_thread_integrity_autarch - opt_update_thread_valid_sched static_imp_wp + opt_update_thread_valid_sched hoare_weak_lift_imp cap_insert_integrity_autarch checked_insert_pas_refined cap_delete_respects' cap_delete_pas_refined' check_cap_inv2[where Q="\_. integrity aag X st"] diff --git a/proof/access-control/DomainSepInv.thy b/proof/access-control/DomainSepInv.thy index d9ecb7131e..9dd12f51f8 100644 --- a/proof/access-control/DomainSepInv.thy +++ b/proof/access-control/DomainSepInv.thy @@ -336,7 +336,7 @@ lemma empty_slot_domain_sep_inv: \\_ s. domain_sep_inv irqs (st :: 'state_ext state) (s :: det_ext state)\" unfolding empty_slot_def post_cap_deletion_def by (wpsimp wp: get_cap_wp set_cap_domain_sep_inv set_original_wp dxo_wp_weak - static_imp_wp deleted_irq_handler_domain_sep_inv) + hoare_weak_lift_imp deleted_irq_handler_domain_sep_inv) end @@ -568,7 +568,7 @@ lemma cap_move_cte_wp_at_other: cap_move cap src_slot dest_slot \\_. cte_wp_at P slot\" unfolding cap_move_def - by (wpsimp wp: set_cdt_cte_wp_at set_cap_cte_wp_at' dxo_wp_weak static_imp_wp set_original_wp) + by (wpsimp wp: set_cdt_cte_wp_at set_cap_cte_wp_at' dxo_wp_weak hoare_weak_lift_imp set_original_wp) lemma cte_wp_at_weak_derived_ReplyCap: "cte_wp_at ((=) (ReplyCap x False R)) slot s @@ -1042,7 +1042,7 @@ lemma invoke_tcb_domain_sep_inv: apply (simp add: split_def cong: option.case_cong) apply (wp checked_cap_insert_domain_sep_inv hoare_vcg_all_lift_R hoare_vcg_all_lift hoare_vcg_const_imp_lift_R cap_delete_domain_sep_inv cap_delete_deletes - dxo_wp_weak cap_delete_valid_cap cap_delete_cte_at static_imp_wp + dxo_wp_weak cap_delete_valid_cap cap_delete_cte_at hoare_weak_lift_imp | wpc | strengthen | simp add: option_update_thread_def emptyable_def tcb_cap_cases_def tcb_cap_valid_def tcb_at_st_tcb_at 
diff --git a/proof/access-control/Finalise_AC.thy b/proof/access-control/Finalise_AC.thy index ca1ccb5d7c..6910643e74 100644 --- a/proof/access-control/Finalise_AC.thy +++ b/proof/access-control/Finalise_AC.thy @@ -533,7 +533,7 @@ lemma reply_cancel_ipc_respects[wp]: apply (rule hoare_lift_Pf2[where f="cdt"]) apply (wpsimp wp: hoare_vcg_const_Ball_lift thread_set_integrity_autarch thread_set_invs_trivial[OF ball_tcb_cap_casesI] thread_set_tcb_state_trivial - thread_set_not_state_valid_sched static_imp_wp thread_set_cte_wp_at_trivial + thread_set_not_state_valid_sched hoare_weak_lift_imp thread_set_cte_wp_at_trivial thread_set_pas_refined simp: ran_tcb_cap_cases)+ apply (strengthen invs_psp_aligned invs_vspace_objs invs_arch_state, clarsimp) @@ -799,7 +799,7 @@ proof (induct arbitrary: st rule: rec_del.induct, simp_all only: rec_del_fails) apply (simp only: split_def) apply (rule hoare_pre_spec_validE) apply (rule split_spec_bindE) - apply (wp static_imp_wp) + apply (wp hoare_weak_lift_imp) apply (rule spec_strengthen_postE) apply (rule spec_valid_conj_liftE1) apply (rule valid_validE_R, rule rec_del_valid_list, rule preemption_point_inv'; @@ -816,7 +816,7 @@ next apply (subst rec_del.simps) apply (simp only: split_def) apply (rule hoare_pre_spec_validE) - apply (wp set_cap_integrity_autarch set_cap_pas_refined_not_transferable "2.hyps" static_imp_wp) + apply (wp set_cap_integrity_autarch set_cap_pas_refined_not_transferable "2.hyps" hoare_weak_lift_imp) apply ((wp preemption_point_inv' | simp add: integrity_subjects_def pas_refined_def)+)[1] apply (simp(no_asm)) apply (rule spec_strengthen_postE) 
@@ -833,7 +833,7 @@ next apply (simp add: conj_comms) apply (wp set_cap_integrity_autarch set_cap_pas_refined_not_transferable replace_cap_invs final_cap_same_objrefs set_cap_cte_cap_wp_to - set_cap_cte_wp_at hoare_vcg_const_Ball_lift static_imp_wp + set_cap_cte_wp_at hoare_vcg_const_Ball_lift hoare_weak_lift_imp | rule finalise_cap_not_reply_master | simp add: in_monad)+ apply (rule hoare_strengthen_post) @@ -848,7 +848,7 @@ next apply (wp finalise_cap_invs[where slot=slot] finalise_cap_replaceable[where sl=slot] finalise_cap_makes_halted[where slot=slot] - finalise_cap_auth' static_imp_wp)[1] + finalise_cap_auth' hoare_weak_lift_imp)[1] apply (rule finalise_cap_cases[where slot=slot]) apply (clarsimp simp: cte_wp_at_caps_of_state) apply (erule disjE) @@ -871,7 +871,7 @@ next case (3 ptr bits n slot s) show ?case apply (simp add: spec_validE_def) - apply (wp static_imp_wp) + apply (wp hoare_weak_lift_imp) apply clarsimp done next @@ -889,7 +889,7 @@ next apply (wpsimp wp: rec_del_invs) apply (rule "4.hyps", assumption+) apply (wpsimp wp: set_cap_integrity_autarch set_cap_pas_refined_not_transferable - get_cap_wp static_imp_wp)+ + get_cap_wp hoare_weak_lift_imp)+ apply (clarsimp simp: invs_psp_aligned invs_vspace_objs invs_arch_state cte_wp_at_caps_of_state clas_no_asid cli_no_irqs aag_cap_auth_def) apply (drule_tac auth=auth in sta_caps, simp+) 
@@ -958,13 +958,13 @@ lemma rec_del_respects_CTEDelete_transferable': apply (wp rec_del_respects'') apply (solves \simp\) apply (subst rec_del.simps[abs_def]) - apply (wp add: hoare_K_bind without_preemption_wp static_imp_wp wp_transferable + apply (wp add: hoare_K_bind without_preemption_wp hoare_weak_lift_imp wp_transferable rec_del_Finalise_transferable del: wp_not_transferable | wpc)+ apply (rule hoare_post_impErr,rule rec_del_Finalise_transferable) apply simp apply (elim conjE) apply simp apply simp - apply (wp add: hoare_K_bind without_preemption_wp static_imp_wp wp_transferable + apply (wp add: hoare_K_bind without_preemption_wp hoare_weak_lift_imp wp_transferable rec_del_Finalise_transferable del: wp_not_transferable | wpc)+ @@ -1144,7 +1144,7 @@ proof (induct rule: rec_del.induct, simp_all only: rec_del_fails) apply (insert P_Null) apply (subst rec_del.simps) apply (simp only: split_def) - apply (wp static_imp_wp | simp)+ + apply (wp hoare_weak_lift_imp | simp)+ apply (wp empty_slot_cte_wp_at)[1] apply (rule spec_strengthen_postE) apply (rule hoare_pre_spec_validE) @@ -1160,7 +1160,7 @@ next apply (subst rec_del.simps) apply (simp only: split_def without_preemption_def rec_del_call.simps) - apply (wp static_imp_wp) + apply (wp hoare_weak_lift_imp) apply (wp set_cap_cte_wp_at')[1] apply (wp "2.hyps"[simplified without_preemption_def rec_del_call.simps]) apply ((wp preemption_point_inv | simp)+)[1] @@ -1172,7 +1172,7 @@ next apply (rule_tac Q = "\rv' s. (slot \ p \ exposed \ cte_wp_at P p s) \ P (fst rv') \ cte_at slot s" in hoare_post_imp) apply (clarsimp simp: cte_wp_at_caps_of_state) - apply (wp static_imp_wp set_cap_cte_wp_at' finalise_cap_cte_wp_at_nullinv + apply (wp hoare_weak_lift_imp set_cap_cte_wp_at' finalise_cap_cte_wp_at_nullinv finalise_cap_fst_ret get_cap_wp | simp add: is_final_cap_def)+ apply (clarsimp simp add: P_Zombie is_cap_simps cte_wp_at_caps_of_state)+ 
diff --git a/proof/access-control/Ipc_AC.thy b/proof/access-control/Ipc_AC.thy index 675f430a10..08b05b44d6 100644 --- a/proof/access-control/Ipc_AC.thy +++ b/proof/access-control/Ipc_AC.thy @@ -31,7 +31,7 @@ lemma send_signal_caps_of_state[wp]: "send_signal ntfnptr badge \\s. P (caps_of_state s)\" apply (clarsimp simp: send_signal_def) apply (rule hoare_seq_ext[OF _ get_simple_ko_sp]) - apply (wpsimp wp: dxo_wp_weak cancel_ipc_receive_blocked_caps_of_state gts_wp static_imp_wp + apply (wpsimp wp: dxo_wp_weak cancel_ipc_receive_blocked_caps_of_state gts_wp hoare_weak_lift_imp simp: update_waiting_ntfn_def) apply (clarsimp simp: fun_upd_def[symmetric] st_tcb_def2) done @@ -423,7 +423,7 @@ lemma send_signal_respects: apply (rule hoare_pre) apply (wp set_notification_respects[where auth=Notify] as_user_set_register_respects_indirect[where ntfnptr=ntfnptr] - set_thread_state_integrity' sts_st_tcb_at' static_imp_wp + set_thread_state_integrity' sts_st_tcb_at' hoare_weak_lift_imp cancel_ipc_receive_blocked_respects[where ntfnptr=ntfnptr] gts_wp | wpc | simp)+ @@ -451,7 +451,7 @@ lemma send_signal_respects: sts_st_tcb_at' as_user_set_register_respects set_thread_state_pas_refined set_simple_ko_pas_refined set_thread_state_respects_in_signalling [where ntfnptr = ntfnptr] - set_ntfn_valid_objs_at hoare_vcg_disj_lift static_imp_wp + set_ntfn_valid_objs_at hoare_vcg_disj_lift hoare_weak_lift_imp | wpc | simp add: update_waiting_ntfn_def)+ apply clarsimp 
@@ -756,10 +756,10 @@ lemma transfer_caps_loop_presM_extended: apply (clarsimp simp add: Let_def split_def whenE_def cong: if_cong list.case_cong split del: if_split) apply (rule hoare_pre) - apply (wp eb hoare_vcg_const_imp_lift hoare_vcg_const_Ball_lift static_imp_wp + apply (wp eb hoare_vcg_const_imp_lift hoare_vcg_const_Ball_lift hoare_weak_lift_imp | assumption | simp split del: if_split)+ apply (rule cap_insert_assume_null) - apply (wp x hoare_vcg_const_Ball_lift cap_insert_cte_wp_at static_imp_wp)+ + apply (wp x hoare_vcg_const_Ball_lift cap_insert_cte_wp_at hoare_weak_lift_imp)+ apply (rule hoare_vcg_conj_liftE_R) apply (rule derive_cap_is_derived_foo') apply (rule_tac Q' ="\cap' s. (vo \ cap'\ NullCap \ @@ -1061,7 +1061,7 @@ lemma send_ipc_pas_refined: (pasObjectAbs aag x21, Reply, pasSubject aag) \ pasPolicy aag)" in hoare_strengthen_post[rotated]) apply simp - apply (wp set_thread_state_pas_refined do_ipc_transfer_pas_refined static_imp_wp gts_wp + apply (wp set_thread_state_pas_refined do_ipc_transfer_pas_refined hoare_weak_lift_imp gts_wp | wpc | simp add: hoare_if_r_and)+ apply (wp hoare_vcg_all_lift hoare_imp_lift_something | simp add: st_tcb_at_tcb_states_of_state_eq)+ @@ -1206,7 +1206,7 @@ lemma receive_ipc_base_pas_refined: aag_has_auth_to aag Reply (hd list))" in hoare_strengthen_post[rotated]) apply (fastforce simp: pas_refined_refl) - apply (wp static_imp_wp do_ipc_transfer_pas_refined set_simple_ko_pas_refined + apply (wp hoare_weak_lift_imp do_ipc_transfer_pas_refined set_simple_ko_pas_refined set_thread_state_pas_refined get_simple_ko_wp hoare_vcg_all_lift hoare_vcg_imp_lift [OF set_simple_ko_get_tcb, unfolded disj_not1] | wpc 
@@ -1365,7 +1365,7 @@ lemma do_normal_transfer_send_integrity_autarch: by (wpsimp wp: as_user_integrity_autarch set_message_info_integrity_autarch copy_mrs_pas_refined copy_mrs_integrity_autarch transfer_caps_integrity_autarch lookup_extra_caps_authorised lookup_extra_caps_length get_mi_length get_mi_valid' - static_imp_wp hoare_vcg_conj_lift hoare_vcg_ball_lift lec_valid_cap') + hoare_weak_lift_imp hoare_vcg_conj_lift hoare_vcg_ball_lift lec_valid_cap') crunch integrity_autarch: setup_caller_cap "integrity aag X st" @@ -2365,7 +2365,7 @@ lemma send_ipc_integrity_autarch: apply (fastforce dest!: integrity_tcb_in_ipc_final elim!: integrity_trans) apply (wp setup_caller_cap_respects_in_ipc_reply set_thread_state_respects_in_ipc_autarch[where param_b = Inactive] - hoare_vcg_if_lift static_imp_wp possible_switch_to_respects_in_ipc_autarch + hoare_vcg_if_lift hoare_weak_lift_imp possible_switch_to_respects_in_ipc_autarch set_thread_state_running_respects_in_ipc do_ipc_transfer_respects_in_ipc thread_get_inv set_endpoint_integrity_in_ipc | wpc diff --git a/proof/access-control/RISCV64/ArchArch_AC.thy b/proof/access-control/RISCV64/ArchArch_AC.thy index bfa6a3dd3d..6bf14bae47 100644 --- a/proof/access-control/RISCV64/ArchArch_AC.thy +++ b/proof/access-control/RISCV64/ArchArch_AC.thy @@ -1237,7 +1237,7 @@ lemma perform_asid_control_invocation_respects: apply (wpc, simp) apply (wpsimp wp: set_cap_integrity_autarch cap_insert_integrity_autarch asid_table_entry_update_integrity retype_region_integrity[where sz=12] - static_imp_wp delete_objects_valid_vspace_objs delete_objects_valid_arch_state) + hoare_weak_lift_imp delete_objects_valid_vspace_objs delete_objects_valid_arch_state) apply (clarsimp simp: authorised_asid_control_inv_def ptr_range_def add.commute range_cover_def obj_bits_api_def default_arch_object_def pageBits_def word_bits_def) apply (subst is_aligned_neg_mask_eq[THEN sym], assumption) 
@@ -1318,9 +1318,9 @@ lemma perform_asid_control_invocation_pas_refined: apply (simp add: perform_asid_control_invocation_def ) apply wpc apply (rule pas_refined_asid_control_helper hoare_seq_ext hoare_K_bind)+ - apply (wp cap_insert_pas_refined' static_imp_wp | simp)+ + apply (wp cap_insert_pas_refined' hoare_weak_lift_imp | simp)+ apply ((wp retype_region_pas_refined'[where sz=pageBits] - hoare_vcg_ex_lift hoare_vcg_all_lift static_imp_wp hoare_wp_combs hoare_drop_imp + hoare_vcg_ex_lift hoare_vcg_all_lift hoare_weak_lift_imp hoare_wp_combs hoare_drop_imp retype_region_invs_extras(1)[where sz = pageBits] retype_region_invs_extras(4)[where sz = pageBits] retype_region_invs_extras(6)[where sz = pageBits] @@ -1329,7 +1329,7 @@ lemma perform_asid_control_invocation_pas_refined: max_index_upd_invs_simple max_index_upd_caps_overlap_reserved hoare_vcg_ex_lift set_cap_cte_wp_at hoare_vcg_disj_lift set_free_index_valid_pspace set_cap_descendants_range_in set_cap_no_overlap get_cap_wp set_cap_caps_no_overlap - hoare_vcg_all_lift static_imp_wp retype_region_invs_extras + hoare_vcg_all_lift hoare_weak_lift_imp retype_region_invs_extras set_cap_pas_refined_not_transferable arch_update_cap_valid_mdb | simp add: do_machine_op_def region_in_kernel_window_def cte_wp_at_neg2)+)[3] apply (rename_tac frame slot parent base ) diff --git a/proof/access-control/RISCV64/ArchDomainSepInv.thy b/proof/access-control/RISCV64/ArchDomainSepInv.thy index 9c20d3ae96..442b1f0946 100644 --- a/proof/access-control/RISCV64/ArchDomainSepInv.thy +++ b/proof/access-control/RISCV64/ArchDomainSepInv.thy 
@@ -52,7 +52,7 @@ lemma perform_page_invocation_domain_sep_inv: \\_. domain_sep_inv irqs st\" apply (rule hoare_pre) apply (wp mapM_wp[OF _ subset_refl] set_cap_domain_sep_inv mapM_x_wp[OF _ subset_refl] - perform_page_invocation_domain_sep_inv_get_cap_helper static_imp_wp + perform_page_invocation_domain_sep_inv_get_cap_helper hoare_weak_lift_imp | simp add: perform_page_invocation_def o_def | wpc)+ done @@ -72,7 +72,7 @@ lemma perform_asid_control_invocation_domain_sep_inv: unfolding perform_asid_control_invocation_def apply (rule hoare_pre) apply (wp modify_wp cap_insert_domain_sep_inv' set_cap_domain_sep_inv - get_cap_domain_sep_inv_cap[where st=st] static_imp_wp + get_cap_domain_sep_inv_cap[where st=st] hoare_weak_lift_imp | wpc | simp )+ done diff --git a/proof/access-control/RISCV64/ArchTcb_AC.thy b/proof/access-control/RISCV64/ArchTcb_AC.thy index 703a1ae1f6..5a8b7a0f0b 100644 --- a/proof/access-control/RISCV64/ArchTcb_AC.thy +++ b/proof/access-control/RISCV64/ArchTcb_AC.thy @@ -45,7 +45,7 @@ lemma invoke_tcb_tc_respects_aag[Tcb_AC_assms]: | wp restart_integrity_autarch set_mcpriority_integrity_autarch as_user_integrity_autarch thread_set_integrity_autarch option_update_thread_integrity_autarch - opt_update_thread_valid_sched static_imp_wp + opt_update_thread_valid_sched hoare_weak_lift_imp cap_insert_integrity_autarch checked_insert_pas_refined cap_delete_respects' cap_delete_pas_refined' check_cap_inv2[where Q="\_. integrity aag X st"] diff --git a/proof/access-control/Retype_AC.thy b/proof/access-control/Retype_AC.thy index 70428e3ede..de013d7d0c 100644 --- a/proof/access-control/Retype_AC.thy +++ b/proof/access-control/Retype_AC.thy 
@@ -970,7 +970,7 @@ lemma reset_untyped_cap_valid_vspace_objs: \\_. valid_vspace_objs\" unfolding reset_untyped_cap_def apply (wpsimp wp: mapME_x_inv_wp preemption_point_inv) - apply (wp static_imp_wp delete_objects_valid_vspace_objs) + apply (wp hoare_weak_lift_imp delete_objects_valid_vspace_objs) apply (wpsimp wp: get_cap_wp)+ apply (cases src_slot) apply (auto simp: cte_wp_at_caps_of_state) @@ -1008,7 +1008,7 @@ lemma reset_untyped_cap_valid_arch_state: \\_. valid_arch_state\" unfolding reset_untyped_cap_def apply (wpsimp wp: mapME_x_inv_wp preemption_point_inv) - apply (wp static_imp_wp delete_objects_valid_arch_state) + apply (wp hoare_weak_lift_imp delete_objects_valid_arch_state) apply (wpsimp wp: get_cap_wp)+ apply (cases src_slot) apply (auto simp: cte_wp_at_caps_of_state) diff --git a/proof/access-control/Tcb_AC.thy b/proof/access-control/Tcb_AC.thy index d581b91d46..c57ff1efc8 100644 --- a/proof/access-control/Tcb_AC.thy +++ b/proof/access-control/Tcb_AC.thy @@ -60,7 +60,7 @@ lemmas itr_wps = restart_integrity_autarch as_user_integrity_autarch thread_set_integrity_autarch option_update_thread_integrity_autarch thread_set_pas_refined cap_insert_integrity_autarch cap_insert_pas_refined - hoare_vcg_all_liftE wp_throw_const_impE hoare_weak_lift_imp hoare_vcg_all_lift + hoare_vcg_all_liftE hoare_weak_lift_impE hoare_weak_lift_imp hoare_vcg_all_lift check_cap_inv[where P="valid_cap c" for c] check_cap_inv[where P="tcb_cap_valid c p" for c p] check_cap_inv[where P="cte_at p0" for p0] @@ -322,7 +322,7 @@ subsubsection\@{term "pas_refined"}\ lemmas ita_wps = as_user_pas_refined restart_pas_refined cap_insert_pas_refined thread_set_pas_refined cap_delete_pas_refined' check_cap_inv2 hoare_vcg_all_liftE - wp_throw_const_impE hoare_weak_lift_imp hoare_vcg_all_lift + hoare_weak_lift_impE hoare_weak_lift_imp hoare_vcg_all_lift lemma hoare_st_refl: "\ \st. \P st\ f \Q st\; \r s st. Q st r s \ Q' r s \ \ \\s. P s s\ f \Q'\" 
diff --git a/proof/crefine/ARM/CSpace_C.thy b/proof/crefine/ARM/CSpace_C.thy index a928638687..607f475755 100644 --- a/proof/crefine/ARM/CSpace_C.thy +++ b/proof/crefine/ARM/CSpace_C.thy @@ -1033,14 +1033,14 @@ lemma cteInsert_ccorres: apply (rule ccorres_move_c_guard_cte) apply (ctac ccorres:ccorres_updateMDB_set_mdbPrev) apply (ctac ccorres: ccorres_updateMDB_skip) - apply (wp static_imp_wp)+ + apply (wp hoare_weak_lift_imp)+ apply (clarsimp simp: Collect_const_mem split del: if_split) apply vcg - apply (wp static_imp_wp) + apply (wp hoare_weak_lift_imp) apply (clarsimp simp: Collect_const_mem split del: if_split) apply vcg apply (clarsimp simp:cmdb_node_relation_mdbNext) - apply (wp setUntypedCapAsFull_cte_at_wp static_imp_wp) + apply (wp setUntypedCapAsFull_cte_at_wp hoare_weak_lift_imp) apply (clarsimp simp: Collect_const_mem split del: if_split) apply (vcg exspec=setUntypedCapAsFull_modifies) apply wp diff --git a/proof/crefine/ARM/Delete_C.thy b/proof/crefine/ARM/Delete_C.thy index 4ed4c4563c..2d74008235 100644 --- a/proof/crefine/ARM/Delete_C.thy +++ b/proof/crefine/ARM/Delete_C.thy @@ -826,7 +826,7 @@ lemma finaliseSlot_ccorres: apply (simp add: guard_is_UNIV_def) apply (simp add: conj_comms) apply (wp make_zombie_invs' updateCap_cte_wp_at_cases - updateCap_cap_to' hoare_vcg_disj_lift static_imp_wp)+ + updateCap_cap_to' hoare_vcg_disj_lift hoare_weak_lift_imp)+ apply (simp add: guard_is_UNIV_def) apply wp apply (simp add: guard_is_UNIV_def) @@ -855,7 +855,7 @@ lemma finaliseSlot_ccorres: apply (erule(1) cmap_relationE1 [OF cmap_relation_cte]) apply (frule valid_global_refsD_with_objSize, clarsimp) apply (auto simp: typ_heap_simps dest!: ccte_relation_ccap_relation)[1] - apply (wp isFinalCapability_inv static_imp_wp | wp (once) isFinal[where x=slot'])+ + apply (wp isFinalCapability_inv hoare_weak_lift_imp | wp (once) isFinal[where x=slot'])+ apply vcg apply (rule conseqPre, vcg) apply clarsimp 
diff --git a/proof/crefine/ARM/Detype_C.thy b/proof/crefine/ARM/Detype_C.thy index 38f0623b5e..97b3c51563 100644 --- a/proof/crefine/ARM/Detype_C.thy +++ b/proof/crefine/ARM/Detype_C.thy @@ -1434,7 +1434,7 @@ lemma deleteObjects_ccorres': apply (rule allI, rule conseqPre, vcg) apply (clarsimp simp: in_monad) apply (rule bexI [rotated]) - apply (rule iffD2 [OF in_monad(20)]) + apply (rule iffD2 [OF in_monad(21)]) apply (rule conjI [OF refl refl]) apply (clarsimp simp: simpler_modify_def) proof - diff --git a/proof/crefine/ARM/Fastpath_Equiv.thy b/proof/crefine/ARM/Fastpath_Equiv.thy index ef3621d4bb..fcb1e1e8e7 100644 --- a/proof/crefine/ARM/Fastpath_Equiv.thy +++ b/proof/crefine/ARM/Fastpath_Equiv.thy @@ -1559,8 +1559,8 @@ lemma fastpath_callKernel_SysReplyRecv_corres: setThreadState_no_sch_change setThreadState_obj_at_unchanged sts_st_tcb_at'_cases sts_bound_tcb_at' fastpathBestSwitchCandidate_lift[where f="setThreadState s t" for s t] - static_imp_wp hoare_vcg_all_lift hoare_vcg_imp_lift - static_imp_wp cnode_caps_gsCNodes_lift + hoare_weak_lift_imp hoare_vcg_all_lift hoare_vcg_imp_lift + hoare_weak_lift_imp cnode_caps_gsCNodes_lift hoare_vcg_ex_lift | wps)+ apply (strengthen imp_consequent[where Q="tcb_at' t s" for t s]) @@ -1573,8 +1573,8 @@ lemma fastpath_callKernel_SysReplyRecv_corres: emptySlot_cnode_caps user_getreg_inv asUser_typ_ats asUser_obj_at_not_queued asUser_obj_at' mapM_x_wp' - static_imp_wp hoare_vcg_all_lift hoare_vcg_imp_lift - static_imp_wp cnode_caps_gsCNodes_lift + hoare_weak_lift_imp hoare_vcg_all_lift hoare_vcg_imp_lift + hoare_weak_lift_imp cnode_caps_gsCNodes_lift hoare_vcg_ex_lift fastpathBestSwitchCandidate_lift[where f="emptySlot a b" for a b] | simp del: comp_apply 
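Review bot: The rule reference `in_monad(21)` in deleteObjects_ccorres' selects a member of the `in_monad` lemma collection by position, and this hunk exists only because that position shifted from 20 to 21 with the monad-library change; the next lemma added to the collection will break it again in the same silent way. Prefer naming the specific lemma the index stands for (the in-monad rule for the statement being matched here, which cannot be identified from the hunk alone) in place of `in_monad(21)`, or at least mark the line with `(* positional reference into in_monad; re-check whenever the collection changes *)`. The enclosing lemma deleteObjects_ccorres' starts before and continues after the hunk.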
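Review bot: In the wp rule list of fastpath_callKernel_SysReplyRecv_corres the rename keeps `hoare_weak_lift_imp` listed twice two lines apart (`hoare_weak_lift_imp hoare_vcg_all_lift hoare_vcg_imp_lift` followed by `hoare_weak_lift_imp cnode_caps_gsCNodes_lift`); the duplicate was already there as `static_imp_wp` and is harmless, but since these lines are being touched anyway, dropping the second occurrence keeps the list easier to read. The same carried-over duplicate appears in the two following hunks of this file (@@ -1573 and @@ -1585). The enclosing lemma starts before and ends after each of these hunks.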
@@ -1585,8 +1585,8 @@ lemma fastpath_callKernel_SysReplyRecv_corres: apply (clarsimp cong: conj_cong) apply ((wp user_getreg_inv asUser_typ_ats asUser_obj_at_not_queued asUser_obj_at' mapM_x_wp' - static_imp_wp hoare_vcg_all_lift hoare_vcg_imp_lift - static_imp_wp cnode_caps_gsCNodes_lift + hoare_weak_lift_imp hoare_vcg_all_lift hoare_vcg_imp_lift + hoare_weak_lift_imp cnode_caps_gsCNodes_lift hoare_vcg_ex_lift | clarsimp simp: obj_at'_weakenE[OF _ TrueI] | solves \ diff --git a/proof/crefine/ARM/Invoke_C.thy b/proof/crefine/ARM/Invoke_C.thy index 1d4e0ff3eb..73061fed5e 100644 --- a/proof/crefine/ARM/Invoke_C.thy +++ b/proof/crefine/ARM/Invoke_C.thy @@ -1238,7 +1238,7 @@ lemma decodeCNodeInvocation_ccorres: apply (rule ccorres_return_C_errorE, simp+)[1] apply wp apply (vcg exspec=invokeCNodeRotate_modifies) - apply (wp static_imp_wp)+ + apply (wp hoare_weak_lift_imp)+ apply (simp add: Collect_const_mem) apply (vcg exspec=setThreadState_modifies) apply (simp add: Collect_const_mem) @@ -1302,16 +1302,16 @@ lemma decodeCNodeInvocation_ccorres: apply wp apply simp apply (vcg exspec=getSyscallArg_modifies) - apply (wp static_imp_wp) + apply (wp hoare_weak_lift_imp) apply simp apply (vcg exspec=getSyscallArg_modifies) apply wp apply simp apply (vcg exspec=getSyscallArg_modifies) - apply (wp static_imp_wp) + apply (wp hoare_weak_lift_imp) apply simp apply (vcg exspec=getSyscallArg_modifies) - apply (wp static_imp_wp) + apply (wp hoare_weak_lift_imp) apply simp apply (vcg exspec=getSyscallArg_modifies) apply wp @@ -1326,7 +1326,7 @@ lemma decodeCNodeInvocation_ccorres: apply vcg apply simp apply (wp injection_wp_E[OF refl] hoare_vcg_const_imp_lift_R - hoare_vcg_all_lift_R lsfco_cte_at' static_imp_wp + hoare_vcg_all_lift_R lsfco_cte_at' hoare_weak_lift_imp | simp add: hasCancelSendRights_not_Null ctes_of_valid_strengthen cong: conj_cong | wp (once) hoare_drop_imps)+ diff --git a/proof/crefine/ARM/Ipc_C.thy b/proof/crefine/ARM/Ipc_C.thy index 2867a8d91c..1b6c7a07ab 100644 
--- a/proof/crefine/ARM/Ipc_C.thy +++ b/proof/crefine/ARM/Ipc_C.thy @@ -3176,7 +3176,7 @@ proof - apply (clarsimp simp: guard_is_UNIV_def Collect_const_mem) apply (clarsimp simp: seL4_MessageInfo_lift_def message_info_to_H_def mask_def msgLengthBits_def word_bw_assocs) - apply (wp getMessageInfo_le3 getMessageInfo_msgLength[unfolded K_def] static_imp_wp + apply (wp getMessageInfo_le3 getMessageInfo_msgLength[unfolded K_def] hoare_weak_lift_imp | simp)+ apply (simp add: Collect_const_mem) apply (auto simp: excaps_in_mem_def valid_ipc_buffer_ptr'_def @@ -3843,7 +3843,7 @@ lemma cteDeleteOne_tcbFault: apply (wp emptySlot_tcbFault cancelAllIPC_tcbFault getCTE_wp' cancelAllSignals_tcbFault unbindNotification_tcbFault isFinalCapability_inv unbindMaybeNotification_tcbFault - static_imp_wp + hoare_weak_lift_imp | wpc | simp add: Let_def)+ apply (clarsimp split: if_split) done @@ -4017,7 +4017,7 @@ proof - apply (wp sts_running_valid_queues setThreadState_st_tcb | simp)+ apply (ctac add: setThreadState_ccorres_valid_queues'_simple) apply wp - apply ((wp threadSet_valid_queues threadSet_sch_act threadSet_valid_queues' static_imp_wp + apply ((wp threadSet_valid_queues threadSet_sch_act threadSet_valid_queues' hoare_weak_lift_imp threadSet_valid_objs' threadSet_weak_sch_act_wf | simp add: valid_tcb_state'_def)+)[1] apply (clarsimp simp: guard_is_UNIV_def ThreadState_Restart_def diff --git a/proof/crefine/ARM/Refine_C.thy b/proof/crefine/ARM/Refine_C.thy index 8b51f7be0b..bc01eeafb9 100644 --- a/proof/crefine/ARM/Refine_C.thy +++ b/proof/crefine/ARM/Refine_C.thy 
@@ -663,7 +663,7 @@ lemma threadSet_all_invs_triv': apply (simp add: tcb_cte_cases_def) apply (simp add: exst_same_def) apply (wp thread_set_invs_trivial thread_set_ct_running thread_set_not_state_valid_sched - threadSet_invs_trivial threadSet_ct_running' static_imp_wp + threadSet_invs_trivial threadSet_ct_running' hoare_weak_lift_imp thread_set_ct_in_state | simp add: tcb_cap_cases_def tcb_arch_ref_def | rule threadSet_ct_in_state' diff --git a/proof/crefine/ARM/Retype_C.thy b/proof/crefine/ARM/Retype_C.thy index 7b30384e0c..1c4f15978b 100644 --- a/proof/crefine/ARM/Retype_C.thy +++ b/proof/crefine/ARM/Retype_C.thy @@ -6947,9 +6947,9 @@ shows "ccorres dc xfdc including no_pre apply (wp insertNewCap_invs' insertNewCap_valid_pspace' insertNewCap_caps_overlap_reserved' insertNewCap_pspace_no_overlap' insertNewCap_caps_no_overlap'' insertNewCap_descendants_range_in' - insertNewCap_untypedRange hoare_vcg_all_lift insertNewCap_cte_at static_imp_wp) + insertNewCap_untypedRange hoare_vcg_all_lift insertNewCap_cte_at hoare_weak_lift_imp) apply (wp insertNewCap_cte_wp_at_other) - apply (wp hoare_vcg_all_lift static_imp_wp insertNewCap_cte_at) + apply (wp hoare_vcg_all_lift hoare_weak_lift_imp insertNewCap_cte_at) apply (clarsimp simp:conj_comms | strengthen invs_valid_pspace' invs_pspace_aligned' invs_pspace_distinct')+ @@ -6983,7 +6983,7 @@ shows "ccorres dc xfdc hoare_vcg_prop createObject_gsCNodes_p createObject_cnodes_have_size) apply (rule hoare_vcg_conj_lift[OF createObject_capRange_helper]) apply (wp createObject_cte_wp_at' createObject_ex_cte_cap_wp_to - createObject_no_inter[where sz = sz] hoare_vcg_all_lift static_imp_wp)+ + createObject_no_inter[where sz = sz] hoare_vcg_all_lift hoare_weak_lift_imp)+ apply (clarsimp simp:invs_pspace_aligned' invs_pspace_distinct' invs_valid_pspace' field_simps range_cover.sz conj_comms range_cover.aligned range_cover_sz' is_aligned_shiftl_self aligned_add_aligned[OF range_cover.aligned]) 
diff --git a/proof/crefine/ARM/SyscallArgs_C.thy b/proof/crefine/ARM/SyscallArgs_C.thy index 2b2013a989..ac977cc863 100644 --- a/proof/crefine/ARM/SyscallArgs_C.thy +++ b/proof/crefine/ARM/SyscallArgs_C.thy @@ -47,7 +47,7 @@ lemma replyOnRestart_invs'[wp]: "\invs'\ replyOnRestart thread reply isCall \\rv. invs'\" including no_pre apply (simp add: replyOnRestart_def) - apply (wp setThreadState_nonqueued_state_update rfk_invs' static_imp_wp) + apply (wp setThreadState_nonqueued_state_update rfk_invs' hoare_weak_lift_imp) apply (rule hoare_vcg_all_lift) apply (wp setThreadState_nonqueued_state_update rfk_invs' hoare_vcg_all_lift rfk_ksQ) apply (rule hoare_strengthen_post, rule gts_sp') @@ -631,7 +631,7 @@ lemma getMRs_tcbContext: apply (wp|wpc)+ apply (rule_tac P="n < length x" in hoare_gen_asm) apply (clarsimp simp: nth_append) - apply (wp mapM_wp' static_imp_wp)+ + apply (wp mapM_wp' hoare_weak_lift_imp)+ apply simp apply (rule asUser_cur_obj_at') apply (simp add: getRegister_def msgRegisters_unfold) @@ -1051,7 +1051,7 @@ lemma getMRs_rel: getMRs thread buffer mi \\args. getMRs_rel args buffer\" apply (simp add: getMRs_rel_def) apply (rule hoare_pre) - apply (rule_tac x=mi in hoare_vcg_exI) + apply (rule_tac x=mi in hoare_exI) apply wp apply (rule_tac Q="\rv s. thread = ksCurThread s \ fst (getMRs thread buffer mi s) = {(rv,s)}" in hoare_strengthen_post) apply (wp det_result det_wp_getMRs) diff --git a/proof/crefine/ARM/Tcb_C.thy b/proof/crefine/ARM/Tcb_C.thy index d69234ed5b..e1cf49fd0c 100644 --- a/proof/crefine/ARM/Tcb_C.thy +++ b/proof/crefine/ARM/Tcb_C.thy @@ -606,7 +606,7 @@ lemma invokeTCB_ThreadControl_ccorres: apply (rule ccorres_return_CE, simp+)[1] apply (wp (once)) apply (clarsimp simp: guard_is_UNIV_def) - apply (wpsimp wp: when_def static_imp_wp) + apply (wpsimp wp: when_def hoare_weak_lift_imp) apply (strengthen sch_act_wf_weak, wp) apply clarsimp apply wp 
@@ -620,7 +620,7 @@ lemma invokeTCB_ThreadControl_ccorres: tcb_at' target s \ ksCurDomain s \ maxDomain \ valid_queues' s \ fst (the priority) \ maxPriority)"]) apply (strengthen sch_act_wf_weak) - apply (wp static_imp_wp) + apply (wp hoare_weak_lift_imp) apply (clarsimp split: if_splits) apply (wp empty_fail_stateAssert hoare_case_option_wp | simp del: Collect_const)+ apply csymbr @@ -645,7 +645,7 @@ lemma invokeTCB_ThreadControl_ccorres: apply wp apply (clarsimp simp: guard_is_UNIV_def) apply (simp add: when_def) - apply (wp hoare_vcg_if_lift2(1) static_imp_wp, strengthen sch_act_wf_weak; wp) + apply (wp hoare_vcg_if_lift2(1) hoare_weak_lift_imp, strengthen sch_act_wf_weak; wp) apply (clarsimp simp: guard_is_UNIV_def Collect_const_mem) apply (clarsimp simp: guard_is_UNIV_def Collect_const_mem tcbBuffer_def size_of_def cte_level_bits_def @@ -671,7 +671,7 @@ lemma invokeTCB_ThreadControl_ccorres: apply (rule ccorres_return_CE, simp+) apply wp apply (clarsimp simp: guard_is_UNIV_def) - apply (wp hoare_vcg_if_lift2(1) static_imp_wp, strengthen sch_act_wf_weak; wp) + apply (wp hoare_vcg_if_lift2(1) hoare_weak_lift_imp, strengthen sch_act_wf_weak; wp) apply (clarsimp simp: guard_is_UNIV_def Collect_const_mem) apply (simp add: guard_is_UNIV_def Collect_const_mem) apply (clarsimp simp: ccap_relation_def cap_thread_cap_lift cap_to_H_def) @@ -698,7 +698,7 @@ lemma invokeTCB_ThreadControl_ccorres: apply wp apply (clarsimp simp: guard_is_UNIV_def) apply wpsimp - apply (wp static_imp_wp, strengthen sch_act_wf_weak, wp ) + apply (wp hoare_weak_lift_imp, strengthen sch_act_wf_weak, wp ) apply wp apply (clarsimp simp: guard_is_UNIV_def Collect_const_mem) apply (simp cong: conj_cong) 
@@ -736,7 +736,7 @@ lemma invokeTCB_ThreadControl_ccorres: simp add: o_def) apply (rule_tac P="is_aligned (fst (the buf)) msg_align_bits" in hoare_gen_asm) - apply (wp threadSet_ipcbuffer_trivial static_imp_wp + apply (wp threadSet_ipcbuffer_trivial hoare_weak_lift_imp | simp | strengthen invs_sch_act_wf' invs_valid_objs' invs_weak_sch_act_wf invs_queues invs_valid_queues' | wp hoare_drop_imps)+ @@ -893,13 +893,13 @@ lemma invokeTCB_ThreadControl_ccorres: apply (simp add: conj_comms) apply (wp hoare_case_option_wp threadSet_invs_trivial setMCPriority_invs' typ_at_lifts[OF setMCPriority_typ_at'] - threadSet_cap_to' static_imp_wp | simp)+ + threadSet_cap_to' hoare_weak_lift_imp | simp)+ apply (clarsimp simp: guard_is_UNIV_def tcbCTableSlot_def Kernel_C.tcbCTable_def cte_level_bits_def size_of_def word_sle_def option_to_0_def cintr_def Collect_const_mem) apply (simp add: conj_comms) apply (wp hoare_case_option_wp threadSet_invs_trivial - threadSet_cap_to' static_imp_wp | simp)+ + threadSet_cap_to' hoare_weak_lift_imp | simp)+ apply (clarsimp simp: guard_is_UNIV_def Collect_const_mem) apply (clarsimp simp: inQ_def) apply (subst is_aligned_neg_mask_eq) @@ -1439,7 +1439,7 @@ lemma threadSet_same: by (wpsimp wp: setObject_tcb_strongest getObject_tcb_wp) fastforce lemma invokeTCB_WriteRegisters_ccorres[where S=UNIV]: - notes static_imp_wp [wp] + notes hoare_weak_lift_imp [wp] shows "ccorres (cintr \ (\rv rv'. rv = [])) (liftxf errstate id (K ()) ret__unsigned_long_') (invs' and tcb_at' dst and ex_nonz_cap_to' dst and sch_act_simple 
@@ -2020,14 +2020,14 @@ shows word_less_nat_alt split: if_split_asm dest!: word_unat.Rep_inverse') apply (simp add: pred_conj_def) - apply (wp mapM_x_wp' sch_act_wf_lift valid_queues_lift static_imp_wp + apply (wp mapM_x_wp' sch_act_wf_lift valid_queues_lift hoare_weak_lift_imp tcb_in_cur_domain'_lift) apply (simp add: n_frameRegisters_def n_msgRegisters_def guard_is_UNIV_def) apply simp apply (rule mapM_x_wp') apply (rule hoare_pre) - apply (wp asUser_obj_at'[where t'=target] static_imp_wp + apply (wp asUser_obj_at'[where t'=target] hoare_weak_lift_imp asUser_valid_ipc_buffer_ptr') apply clarsimp apply (clarsimp simp: guard_is_UNIV_def Collect_const_mem @@ -2036,7 +2036,7 @@ shows msgMaxLength_def msgLengthBits_def word_less_nat_alt unat_of_nat) apply (wp (once) hoare_drop_imps) - apply (wp asUser_obj_at'[where t'=target] static_imp_wp + apply (wp asUser_obj_at'[where t'=target] hoare_weak_lift_imp asUser_valid_ipc_buffer_ptr') apply (vcg exspec=setRegister_modifies) apply simp @@ -2056,12 +2056,12 @@ shows apply (simp cong: rev_conj_cong) apply wp apply (wp asUser_inv mapM_wp' getRegister_inv - asUser_get_registers[simplified] static_imp_wp)+ + asUser_get_registers[simplified] hoare_weak_lift_imp)+ apply (rule hoare_strengthen_post, rule asUser_get_registers) apply (clarsimp simp: obj_at'_def genericTake_def frame_gp_registers_convs) apply arith - apply (wp static_imp_wp) + apply (wp hoare_weak_lift_imp) apply simp apply (rule ccorres_inst[where P=\ and P'=UNIV], simp) apply (simp add: performTransfer_def) @@ -4338,7 +4338,7 @@ lemma decodeSetSpace_ccorres: done lemma invokeTCB_SetTLSBase_ccorres: - notes static_imp_wp [wp] + notes hoare_weak_lift_imp [wp] shows "ccorres (cintr \ (\rv rv'. rv = [])) (liftxf errstate id (K ()) ret__unsigned_long_') (invs') diff --git a/proof/crefine/ARM/VSpace_C.thy b/proof/crefine/ARM/VSpace_C.thy index 46cee37131..725ae72eea 100644 --- a/proof/crefine/ARM/VSpace_C.thy +++ b/proof/crefine/ARM/VSpace_C.thy 
@@ -3012,7 +3012,7 @@ lemma flushTable_ccorres: apply (rule ccorres_pre_getCurThread) apply (ctac (no_vcg) add: setVMRoot_ccorres) apply (rule ccorres_return_Skip) - apply (wp static_imp_wp) + apply (wp hoare_weak_lift_imp) apply clarsimp apply (rule_tac Q="\_ s. invs' s \ cur_tcb' s" in hoare_post_imp) apply (simp add: invs'_invs_no_cicd cur_tcb'_def) diff --git a/proof/crefine/ARM_HYP/CSpace_C.thy b/proof/crefine/ARM_HYP/CSpace_C.thy index 071f24ae7d..7e5f0ed9ec 100644 --- a/proof/crefine/ARM_HYP/CSpace_C.thy +++ b/proof/crefine/ARM_HYP/CSpace_C.thy @@ -1073,14 +1073,14 @@ lemma cteInsert_ccorres: apply (rule ccorres_move_c_guard_cte) apply (ctac ccorres:ccorres_updateMDB_set_mdbPrev) apply (ctac ccorres: ccorres_updateMDB_skip) - apply (wp static_imp_wp)+ + apply (wp hoare_weak_lift_imp)+ apply (clarsimp simp: Collect_const_mem split del: if_split) apply vcg - apply (wp static_imp_wp) + apply (wp hoare_weak_lift_imp) apply (clarsimp simp: Collect_const_mem split del: if_split) apply vcg apply (clarsimp simp:cmdb_node_relation_mdbNext) - apply (wp setUntypedCapAsFull_cte_at_wp static_imp_wp) + apply (wp setUntypedCapAsFull_cte_at_wp hoare_weak_lift_imp) apply (clarsimp simp: Collect_const_mem split del: if_split) apply (vcg exspec=setUntypedCapAsFull_modifies) apply wp diff --git a/proof/crefine/ARM_HYP/Delete_C.thy b/proof/crefine/ARM_HYP/Delete_C.thy index a4607ce083..e51026d0f5 100644 --- a/proof/crefine/ARM_HYP/Delete_C.thy +++ b/proof/crefine/ARM_HYP/Delete_C.thy @@ -867,7 +867,7 @@ lemma finaliseSlot_ccorres: apply (simp add: guard_is_UNIV_def) apply (simp add: conj_comms) apply (wp make_zombie_invs' updateCap_cte_wp_at_cases - updateCap_cap_to' hoare_vcg_disj_lift static_imp_wp)+ + updateCap_cap_to' hoare_vcg_disj_lift hoare_weak_lift_imp)+ apply (simp add: guard_is_UNIV_def) apply wp apply (simp add: guard_is_UNIV_def) 
@@ -896,7 +896,7 @@ lemma finaliseSlot_ccorres: apply (erule(1) cmap_relationE1 [OF cmap_relation_cte]) apply (frule valid_global_refsD_with_objSize, clarsimp) apply (auto simp: typ_heap_simps dest!: ccte_relation_ccap_relation)[1] - apply (wp isFinalCapability_inv static_imp_wp | wp (once) isFinal[where x=slot'])+ + apply (wp isFinalCapability_inv hoare_weak_lift_imp | wp (once) isFinal[where x=slot'])+ apply vcg apply (rule conseqPre, vcg) apply clarsimp diff --git a/proof/crefine/ARM_HYP/Detype_C.thy b/proof/crefine/ARM_HYP/Detype_C.thy index 015982cacc..697df03bf8 100644 --- a/proof/crefine/ARM_HYP/Detype_C.thy +++ b/proof/crefine/ARM_HYP/Detype_C.thy @@ -1541,7 +1541,7 @@ lemma deleteObjects_ccorres': apply (rule allI, rule conseqPre, vcg) apply (clarsimp simp: in_monad) apply (rule bexI [rotated]) - apply (rule iffD2 [OF in_monad(20)]) + apply (rule iffD2 [OF in_monad(21)]) apply (rule conjI [OF refl refl]) apply (clarsimp simp: simpler_modify_def) proof - diff --git a/proof/crefine/ARM_HYP/Fastpath_Equiv.thy b/proof/crefine/ARM_HYP/Fastpath_Equiv.thy index 2e92bda31f..9a015a7f92 100644 --- a/proof/crefine/ARM_HYP/Fastpath_Equiv.thy +++ b/proof/crefine/ARM_HYP/Fastpath_Equiv.thy @@ -1562,8 +1562,8 @@ lemma fastpath_callKernel_SysReplyRecv_corres: setThreadState_no_sch_change setThreadState_obj_at_unchanged sts_st_tcb_at'_cases sts_bound_tcb_at' fastpathBestSwitchCandidate_lift[where f="setThreadState s t" for s t] - static_imp_wp hoare_vcg_all_lift hoare_vcg_imp_lift - static_imp_wp cnode_caps_gsCNodes_lift + hoare_weak_lift_imp hoare_vcg_all_lift hoare_vcg_imp_lift + hoare_weak_lift_imp cnode_caps_gsCNodes_lift hoare_vcg_ex_lift | wps)+ apply (strengthen imp_consequent[where Q="tcb_at' t s" for t s]) 
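Review bot: The ARM_HYP `deleteObjects_ccorres'` step `apply (rule iffD2 [OF in_monad(21)])` picks a lemma out of `in_monad` by index, which is exactly what forced this otherwise content-free edit when the collection grew by one entry. Given the next steps (`conjI [OF refl refl]`, then `simpler_modify_def`), the rule in use is presumably the `modify` membership lemma (`in_modify`, to be confirmed), and referencing it by name, `apply (rule iffD2 [OF in_modify])`, would decouple this proof from the ordering of `in_monad`. Because the same step appears in the ARM, ARM_HYP and RISCV64 copies of `Detype_C.thy`, fixing the reference once per copy would avoid repeating this three-way index bump the next time the collection changes. The enclosing lemma starts and ends outside the hunk.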
@@ -1576,8 +1576,8 @@ lemma fastpath_callKernel_SysReplyRecv_corres: emptySlot_cnode_caps user_getreg_inv asUser_typ_ats asUser_obj_at_not_queued asUser_obj_at' mapM_x_wp' - static_imp_wp hoare_vcg_all_lift hoare_vcg_imp_lift - static_imp_wp cnode_caps_gsCNodes_lift + hoare_weak_lift_imp hoare_vcg_all_lift hoare_vcg_imp_lift + hoare_weak_lift_imp cnode_caps_gsCNodes_lift hoare_vcg_ex_lift fastpathBestSwitchCandidate_lift[where f="emptySlot a b" for a b] | simp del: comp_apply @@ -1588,8 +1588,8 @@ lemma fastpath_callKernel_SysReplyRecv_corres: apply (clarsimp cong: conj_cong) apply ((wp user_getreg_inv asUser_typ_ats asUser_obj_at_not_queued asUser_obj_at' mapM_x_wp' - static_imp_wp hoare_vcg_all_lift hoare_vcg_imp_lift - static_imp_wp cnode_caps_gsCNodes_lift + hoare_weak_lift_imp hoare_vcg_all_lift hoare_vcg_imp_lift + hoare_weak_lift_imp cnode_caps_gsCNodes_lift hoare_vcg_ex_lift | clarsimp simp: obj_at'_weakenE[OF _ TrueI] | solves \ diff --git a/proof/crefine/ARM_HYP/Invoke_C.thy b/proof/crefine/ARM_HYP/Invoke_C.thy index 7b2e2fb0cd..e9b38cf4ee 100644 --- a/proof/crefine/ARM_HYP/Invoke_C.thy +++ b/proof/crefine/ARM_HYP/Invoke_C.thy @@ -1256,7 +1256,7 @@ lemma decodeCNodeInvocation_ccorres: apply (rule ccorres_return_C_errorE, simp+)[1] apply wp apply (vcg exspec=invokeCNodeRotate_modifies) - apply (wp static_imp_wp)+ + apply (wp hoare_weak_lift_imp)+ apply (simp add: Collect_const_mem) apply (vcg exspec=setThreadState_modifies) apply (simp add: Collect_const_mem) 
@@ -1320,16 +1320,16 @@ lemma decodeCNodeInvocation_ccorres: apply wp apply simp apply (vcg exspec=getSyscallArg_modifies) - apply (wp static_imp_wp) + apply (wp hoare_weak_lift_imp) apply simp apply (vcg exspec=getSyscallArg_modifies) apply wp apply simp apply (vcg exspec=getSyscallArg_modifies) - apply (wp static_imp_wp) + apply (wp hoare_weak_lift_imp) apply simp apply (vcg exspec=getSyscallArg_modifies) - apply (wp static_imp_wp) + apply (wp hoare_weak_lift_imp) apply simp apply (vcg exspec=getSyscallArg_modifies) apply wp @@ -1344,7 +1344,7 @@ lemma decodeCNodeInvocation_ccorres: apply vcg apply simp apply (wp injection_wp_E[OF refl] hoare_vcg_const_imp_lift_R - hoare_vcg_all_lift_R lsfco_cte_at' static_imp_wp + hoare_vcg_all_lift_R lsfco_cte_at' hoare_weak_lift_imp | simp add: hasCancelSendRights_not_Null ctes_of_valid_strengthen cong: conj_cong | wp (once) hoare_drop_imps)+ diff --git a/proof/crefine/ARM_HYP/Ipc_C.thy b/proof/crefine/ARM_HYP/Ipc_C.thy index 0b14957378..8d4feddeff 100644 --- a/proof/crefine/ARM_HYP/Ipc_C.thy +++ b/proof/crefine/ARM_HYP/Ipc_C.thy @@ -1810,7 +1810,7 @@ proof - apply (simp add: zip_upt_Cons guard_is_UNIVI seL4_VMFault_FSR_def split: list.split_asm) apply (simp split: list.split) apply (wp setMR_tcbFault_obj_at asUser_inv[OF getRestartPC_inv] - hoare_case_option_wp static_imp_wp + hoare_case_option_wp hoare_weak_lift_imp | simp add: option_to_ptr_def guard_is_UNIVI seL4_VMFault_PrefetchFault_def seL4_VMFault_Addr_def @@ -3641,7 +3641,7 @@ proof - apply (clarsimp simp: guard_is_UNIV_def Collect_const_mem) apply (clarsimp simp: seL4_MessageInfo_lift_def message_info_to_H_def mask_def msgLengthBits_def word_bw_assocs) - apply (wp getMessageInfo_le3 getMessageInfo_msgLength[unfolded K_def] static_imp_wp + apply (wp getMessageInfo_le3 getMessageInfo_msgLength[unfolded K_def] hoare_weak_lift_imp | simp)+ apply (simp add: Collect_const_mem) apply (auto simp: excaps_in_mem_def valid_ipc_buffer_ptr'_def 
@@ -4371,7 +4371,7 @@ lemma cteDeleteOne_tcbFault: apply (wp emptySlot_tcbFault cancelAllIPC_tcbFault getCTE_wp' cancelAllSignals_tcbFault unbindNotification_tcbFault isFinalCapability_inv unbindMaybeNotification_tcbFault - static_imp_wp + hoare_weak_lift_imp | wpc | simp add: Let_def)+ apply (clarsimp split: if_split) done @@ -4545,7 +4545,7 @@ proof - apply (wp sts_running_valid_queues setThreadState_st_tcb | simp)+ apply (ctac add: setThreadState_ccorres_valid_queues'_simple) apply wp - apply ((wp threadSet_valid_queues threadSet_sch_act threadSet_valid_queues' static_imp_wp + apply ((wp threadSet_valid_queues threadSet_sch_act threadSet_valid_queues' hoare_weak_lift_imp threadSet_valid_objs' threadSet_weak_sch_act_wf | simp add: valid_tcb_state'_def)+)[1] apply (clarsimp simp: guard_is_UNIV_def ThreadState_Restart_def diff --git a/proof/crefine/ARM_HYP/Refine_C.thy b/proof/crefine/ARM_HYP/Refine_C.thy index 12797423de..b0a29d0f9b 100644 --- a/proof/crefine/ARM_HYP/Refine_C.thy +++ b/proof/crefine/ARM_HYP/Refine_C.thy @@ -677,7 +677,7 @@ lemma threadSet_all_invs_triv': apply (simp add: tcb_cte_cases_def) apply (simp add: exst_same_def) apply (wp thread_set_invs_trivial thread_set_ct_running thread_set_not_state_valid_sched - threadSet_invs_trivial threadSet_ct_running' static_imp_wp + threadSet_invs_trivial threadSet_ct_running' hoare_weak_lift_imp thread_set_ct_in_state | simp add: tcb_cap_cases_def | rule threadSet_ct_in_state' diff --git a/proof/crefine/ARM_HYP/Retype_C.thy b/proof/crefine/ARM_HYP/Retype_C.thy index 088a5ba965..1e888203eb 100644 --- a/proof/crefine/ARM_HYP/Retype_C.thy +++ b/proof/crefine/ARM_HYP/Retype_C.thy 
@@ -8307,9 +8307,9 @@ shows "ccorres dc xfdc including no_pre apply (wp insertNewCap_invs' insertNewCap_valid_pspace' insertNewCap_caps_overlap_reserved' insertNewCap_pspace_no_overlap' insertNewCap_caps_no_overlap'' insertNewCap_descendants_range_in' - insertNewCap_untypedRange hoare_vcg_all_lift insertNewCap_cte_at static_imp_wp) + insertNewCap_untypedRange hoare_vcg_all_lift insertNewCap_cte_at hoare_weak_lift_imp) apply (wp insertNewCap_cte_wp_at_other) - apply (wp hoare_vcg_all_lift static_imp_wp insertNewCap_cte_at) + apply (wp hoare_vcg_all_lift hoare_weak_lift_imp insertNewCap_cte_at) apply (clarsimp simp:conj_comms | strengthen invs_valid_pspace' invs_pspace_aligned' invs_pspace_distinct')+ @@ -8343,7 +8343,7 @@ shows "ccorres dc xfdc hoare_vcg_prop createObject_gsCNodes_p createObject_cnodes_have_size) apply (rule hoare_vcg_conj_lift[OF createObject_capRange_helper]) apply (wp createObject_cte_wp_at' createObject_ex_cte_cap_wp_to - createObject_no_inter[where sz = sz] hoare_vcg_all_lift static_imp_wp)+ + createObject_no_inter[where sz = sz] hoare_vcg_all_lift hoare_weak_lift_imp)+ apply (clarsimp simp:invs_pspace_aligned' invs_pspace_distinct' invs_valid_pspace' field_simps range_cover.sz conj_comms range_cover.aligned range_cover_sz' is_aligned_shiftl_self aligned_add_aligned[OF range_cover.aligned]) diff --git a/proof/crefine/ARM_HYP/SyscallArgs_C.thy b/proof/crefine/ARM_HYP/SyscallArgs_C.thy index 47ff210395..101cce83fd 100644 --- a/proof/crefine/ARM_HYP/SyscallArgs_C.thy +++ b/proof/crefine/ARM_HYP/SyscallArgs_C.thy 
@@ -47,7 +47,7 @@ lemma replyOnRestart_invs'[wp]: "\invs'\ replyOnRestart thread reply isCall \\rv. invs'\" including no_pre apply (simp add: replyOnRestart_def) - apply (wp setThreadState_nonqueued_state_update rfk_invs' static_imp_wp) + apply (wp setThreadState_nonqueued_state_update rfk_invs' hoare_weak_lift_imp) apply (rule hoare_vcg_all_lift) apply (wp setThreadState_nonqueued_state_update rfk_invs' hoare_vcg_all_lift rfk_ksQ) apply (rule hoare_strengthen_post, rule gts_sp') @@ -655,7 +655,7 @@ lemma getMRs_tcbContext: apply (wp|wpc)+ apply (rule_tac P="n < length x" in hoare_gen_asm) apply (clarsimp simp: nth_append) - apply (wp mapM_wp' static_imp_wp)+ + apply (wp mapM_wp' hoare_weak_lift_imp)+ apply simp apply (rule asUser_cur_obj_at') apply (simp add: getRegister_def msgRegisters_unfold) @@ -1085,7 +1085,7 @@ lemma getMRs_rel: getMRs thread buffer mi \\args. getMRs_rel args buffer\" apply (simp add: getMRs_rel_def) apply (rule hoare_pre) - apply (rule_tac x=mi in hoare_vcg_exI) + apply (rule_tac x=mi in hoare_exI) apply wp apply (rule_tac Q="\rv s. thread = ksCurThread s \ fst (getMRs thread buffer mi s) = {(rv,s)}" in hoare_strengthen_post) apply (wp det_result det_wp_getMRs) diff --git a/proof/crefine/ARM_HYP/Tcb_C.thy b/proof/crefine/ARM_HYP/Tcb_C.thy index b2e8f2066e..cb45ff7215 100644 --- a/proof/crefine/ARM_HYP/Tcb_C.thy +++ b/proof/crefine/ARM_HYP/Tcb_C.thy @@ -518,7 +518,7 @@ lemma cteInsert_cap_to'2: apply (simp add: cteInsert_def ex_nonz_cap_to'_def setUntypedCapAsFull_def) apply (rule hoare_vcg_ex_lift) apply (wp updateMDB_weak_cte_wp_at - updateCap_cte_wp_at_cases getCTE_wp' static_imp_wp) + updateCap_cte_wp_at_cases getCTE_wp' hoare_weak_lift_imp) apply (clarsimp simp: cte_wp_at_ctes_of) apply auto done 
@@ -667,7 +667,7 @@ lemma invokeTCB_ThreadControl_ccorres: apply (rule ccorres_return_CE, simp+)[1] apply (wp (once)) apply (clarsimp simp: guard_is_UNIV_def) - apply (wpsimp wp: when_def static_imp_wp) + apply (wpsimp wp: when_def hoare_weak_lift_imp) apply (strengthen sch_act_wf_weak, wp) apply clarsimp apply wp @@ -681,7 +681,7 @@ lemma invokeTCB_ThreadControl_ccorres: tcb_at' target s \ ksCurDomain s \ maxDomain \ valid_queues' s \ fst (the priority) \ maxPriority)"]) apply (strengthen sch_act_wf_weak) - apply (wp static_imp_wp) + apply (wp hoare_weak_lift_imp) apply (clarsimp split: if_splits) apply (wp empty_fail_stateAssert hoare_case_option_wp | simp del: Collect_const)+ apply csymbr @@ -706,7 +706,7 @@ lemma invokeTCB_ThreadControl_ccorres: apply wp apply (clarsimp simp: guard_is_UNIV_def) apply (simp add: when_def) - apply (wp hoare_vcg_if_lift2(1) static_imp_wp, strengthen sch_act_wf_weak; wp) + apply (wp hoare_vcg_if_lift2(1) hoare_weak_lift_imp, strengthen sch_act_wf_weak; wp) apply (clarsimp simp: guard_is_UNIV_def Collect_const_mem) apply (clarsimp simp: guard_is_UNIV_def Collect_const_mem tcbBuffer_def size_of_def cte_level_bits_def @@ -732,7 +732,7 @@ lemma invokeTCB_ThreadControl_ccorres: apply (rule ccorres_return_CE, simp+) apply wp apply (clarsimp simp: guard_is_UNIV_def) - apply (wp hoare_vcg_if_lift2(1) static_imp_wp, strengthen sch_act_wf_weak; wp) + apply (wp hoare_vcg_if_lift2(1) hoare_weak_lift_imp, strengthen sch_act_wf_weak; wp) apply (clarsimp simp: guard_is_UNIV_def Collect_const_mem) apply (simp add: guard_is_UNIV_def Collect_const_mem) apply (clarsimp simp: ccap_relation_def cap_thread_cap_lift cap_to_H_def) 
@@ -759,7 +759,7 @@ lemma invokeTCB_ThreadControl_ccorres: apply wp apply (clarsimp simp: guard_is_UNIV_def) apply wpsimp - apply (wp static_imp_wp, strengthen sch_act_wf_weak, wp ) + apply (wp hoare_weak_lift_imp, strengthen sch_act_wf_weak, wp ) apply wp apply (clarsimp simp: guard_is_UNIV_def Collect_const_mem) apply (simp cong: conj_cong) @@ -797,7 +797,7 @@ lemma invokeTCB_ThreadControl_ccorres: simp add: o_def) apply (rule_tac P="is_aligned (fst (the buf)) msg_align_bits" in hoare_gen_asm) - apply (wp threadSet_ipcbuffer_trivial static_imp_wp + apply (wp threadSet_ipcbuffer_trivial hoare_weak_lift_imp | simp | strengthen invs_sch_act_wf' invs_valid_objs' invs_weak_sch_act_wf invs_queues invs_valid_queues' | wp hoare_drop_imps)+ @@ -954,13 +954,13 @@ lemma invokeTCB_ThreadControl_ccorres: apply (simp add: conj_comms) apply (wp hoare_case_option_wp threadSet_invs_trivial setMCPriority_invs' typ_at_lifts[OF setMCPriority_typ_at'] - threadSet_cap_to' static_imp_wp | simp)+ + threadSet_cap_to' hoare_weak_lift_imp | simp)+ apply (clarsimp simp: guard_is_UNIV_def tcbCTableSlot_def Kernel_C.tcbCTable_def cte_level_bits_def size_of_def word_sle_def option_to_0_def cintr_def Collect_const_mem) apply (simp add: conj_comms) apply (wp hoare_case_option_wp threadSet_invs_trivial - threadSet_cap_to' static_imp_wp | simp)+ + threadSet_cap_to' hoare_weak_lift_imp | simp)+ apply (clarsimp simp: guard_is_UNIV_def Collect_const_mem) apply (clarsimp simp: inQ_def) apply (subst is_aligned_neg_mask_eq) @@ -1510,7 +1510,7 @@ lemma asUser_setRegister_ko_at': done lemma invokeTCB_WriteRegisters_ccorres[where S=UNIV]: - notes static_imp_wp [wp] + notes hoare_weak_lift_imp [wp] shows "ccorres (cintr \ (\rv rv'. rv = [])) (liftxf errstate id (K ()) ret__unsigned_long_') (invs' and tcb_at' dst and ex_nonz_cap_to' dst and sch_act_simple 
@@ -2100,14 +2100,14 @@ shows word_less_nat_alt split: if_split_asm dest!: word_unat.Rep_inverse') apply (simp add: pred_conj_def) - apply (wp mapM_x_wp' sch_act_wf_lift valid_queues_lift static_imp_wp + apply (wp mapM_x_wp' sch_act_wf_lift valid_queues_lift hoare_weak_lift_imp tcb_in_cur_domain'_lift) apply (simp add: n_frameRegisters_def n_msgRegisters_def guard_is_UNIV_def) apply simp apply (rule mapM_x_wp') apply (rule hoare_pre) - apply (wp asUser_obj_at'[where t'=target] static_imp_wp + apply (wp asUser_obj_at'[where t'=target] hoare_weak_lift_imp asUser_valid_ipc_buffer_ptr') apply clarsimp apply (clarsimp simp: guard_is_UNIV_def Collect_const_mem @@ -2116,7 +2116,7 @@ shows msgMaxLength_def msgLengthBits_def word_less_nat_alt unat_of_nat) apply (wp (once) hoare_drop_imps) - apply (wp asUser_obj_at'[where t'=target] static_imp_wp + apply (wp asUser_obj_at'[where t'=target] hoare_weak_lift_imp asUser_valid_ipc_buffer_ptr') apply (vcg exspec=setRegister_modifies) apply simp @@ -2136,12 +2136,12 @@ shows apply (simp cong: rev_conj_cong) apply wp apply (wp asUser_inv mapM_wp' getRegister_inv - asUser_get_registers[simplified] static_imp_wp)+ + asUser_get_registers[simplified] hoare_weak_lift_imp)+ apply (rule hoare_strengthen_post, rule asUser_get_registers) apply (clarsimp simp: obj_at'_def genericTake_def frame_gp_registers_convs) apply arith - apply (wp static_imp_wp) + apply (wp hoare_weak_lift_imp) apply simp apply (rule ccorres_inst[where P=\ and P'=UNIV], simp) apply (simp add: performTransfer_def) @@ -4429,7 +4429,7 @@ lemma decodeSetSpace_ccorres: done lemma invokeTCB_SetTLSBase_ccorres: - notes static_imp_wp [wp] + notes hoare_weak_lift_imp [wp] shows "ccorres (cintr \ (\rv rv'. rv = [])) (liftxf errstate id (K ()) ret__unsigned_long_') (invs') diff --git a/proof/crefine/ARM_HYP/VSpace_C.thy b/proof/crefine/ARM_HYP/VSpace_C.thy index 74702150d0..16f86c76cc 100644 --- a/proof/crefine/ARM_HYP/VSpace_C.thy +++ b/proof/crefine/ARM_HYP/VSpace_C.thy 
@@ -4185,7 +4185,7 @@ lemma flushTable_ccorres:
 apply (rule ccorres_pre_getCurThread)
 apply (ctac (no_vcg) add: setVMRoot_ccorres)
 apply (rule ccorres_return_Skip)
- apply (wp static_imp_wp)
+ apply (wp hoare_weak_lift_imp)
 apply clarsimp
 apply (rule_tac Q="\_ s. invs' s \ cur_tcb' s" in hoare_post_imp)
 apply (simp add: invs'_invs_no_cicd cur_tcb'_def)
diff --git a/proof/crefine/Move_C.thy b/proof/crefine/Move_C.thy
index f94e983ff6..7f983d812d 100644
--- a/proof/crefine/Move_C.thy
+++ b/proof/crefine/Move_C.thy
@@ -873,7 +873,7 @@ lemma cteDeleteOne_sch_act_wf:
 apply (simp add: finaliseCapTrue_standin_def Let_def)
 apply (rule hoare_pre)
 apply (wp isFinalCapability_inv cancelAllSignals_sch_act_wf
- cancelAllIPC_sch_act_wf getCTE_wp' static_imp_wp
+ cancelAllIPC_sch_act_wf getCTE_wp' hoare_weak_lift_imp
 | wpc | simp add: Let_def split: if_split)+
 done
diff --git a/proof/crefine/RISCV64/CSpace_C.thy b/proof/crefine/RISCV64/CSpace_C.thy
index 66e1663641..aca185a59c 100644
--- a/proof/crefine/RISCV64/CSpace_C.thy
+++ b/proof/crefine/RISCV64/CSpace_C.thy
@@ -1019,14 +1019,14 @@ lemma cteInsert_ccorres:
 apply (rule ccorres_move_c_guard_cte)
 apply (ctac ccorres:ccorres_updateMDB_set_mdbPrev)
 apply (ctac ccorres: ccorres_updateMDB_skip)
- apply (wp static_imp_wp)+
+ apply (wp hoare_weak_lift_imp)+
 apply (clarsimp simp: Collect_const_mem split del: if_split)
 apply vcg
- apply (wp static_imp_wp)
+ apply (wp hoare_weak_lift_imp)
 apply (clarsimp simp: Collect_const_mem split del: if_split)
 apply vcg
 apply (clarsimp simp:cmdb_node_relation_mdbNext)
- apply (wp setUntypedCapAsFull_cte_at_wp static_imp_wp)
+ apply (wp setUntypedCapAsFull_cte_at_wp hoare_weak_lift_imp)
 apply (clarsimp simp: Collect_const_mem split del: if_split)
 apply (vcg exspec=setUntypedCapAsFull_modifies)
 apply wp
diff --git a/proof/crefine/RISCV64/Delete_C.thy b/proof/crefine/RISCV64/Delete_C.thy
index b1e52aa8f1..ae87bc4098 100644
--- a/proof/crefine/RISCV64/Delete_C.thy
+++ b/proof/crefine/RISCV64/Delete_C.thy
@@ -878,7 +878,7 @@ lemma finaliseSlot_ccorres:
 apply (simp add: guard_is_UNIV_def)
 apply (simp add: conj_comms)
 apply (wp make_zombie_invs' updateCap_cte_wp_at_cases
- updateCap_cap_to' hoare_vcg_disj_lift static_imp_wp)+
+ updateCap_cap_to' hoare_vcg_disj_lift hoare_weak_lift_imp)+
 apply (simp add: guard_is_UNIV_def)
 apply wp
 apply (simp add: guard_is_UNIV_def)
@@ -906,7 +906,7 @@ lemma finaliseSlot_ccorres:
 apply (erule(1) cmap_relationE1 [OF cmap_relation_cte])
 apply (frule valid_global_refsD_with_objSize, clarsimp)
 apply (auto simp: typ_heap_simps dest!: ccte_relation_ccap_relation)[1]
- apply (wp isFinalCapability_inv static_imp_wp | wp (once) isFinal[where x=slot'])+
+ apply (wp isFinalCapability_inv hoare_weak_lift_imp | wp (once) isFinal[where x=slot'])+
 apply vcg
 apply (rule conseqPre, vcg)
 apply clarsimp
diff --git a/proof/crefine/RISCV64/Detype_C.thy b/proof/crefine/RISCV64/Detype_C.thy
index 07ff868629..6b4080632b 100644
--- a/proof/crefine/RISCV64/Detype_C.thy
+++ b/proof/crefine/RISCV64/Detype_C.thy
@@ -1550,7 +1550,7 @@ lemma deleteObjects_ccorres':
 apply (rule allI, rule conseqPre, vcg)
 apply (clarsimp simp: in_monad)
 apply (rule bexI [rotated])
- apply (rule iffD2 [OF in_monad(20)])
+ apply (rule iffD2 [OF in_monad(21)])
 apply (rule conjI [OF refl refl])
 apply (clarsimp simp: simpler_modify_def)
 proof -
diff --git a/proof/crefine/RISCV64/Invoke_C.thy b/proof/crefine/RISCV64/Invoke_C.thy
index 64886ca41d..751013cb68 100644
--- a/proof/crefine/RISCV64/Invoke_C.thy
+++ b/proof/crefine/RISCV64/Invoke_C.thy
@@ -1248,7 +1248,7 @@ lemma decodeCNodeInvocation_ccorres:
 apply (rule ccorres_return_C_errorE, simp+)[1]
 apply wp
 apply (vcg exspec=invokeCNodeRotate_modifies)
- apply (wp static_imp_wp)+
+ apply (wp hoare_weak_lift_imp)+
 apply (simp add: Collect_const_mem)
 apply (vcg exspec=setThreadState_modifies)
 apply (simp add: Collect_const_mem)
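Review bot: The positional reference `apply (rule iffD2 [OF in_monad(21)])` in deleteObjects_ccorres' selects a member of the `in_monad` lemma collection by index, and the (20)→(21) shift this commit has to make here, and again at the same step in proof/crefine/X64/Detype_C.thy, shows how brittle that is: the next lemma added to `in_monad` will silently re-point the line at a different rule and surface only as a failing proof deep inside the ccorres goal. Citing the intended member by its own name, `apply (rule iffD2 [OF <NAME_OF_IN_MONAD_MEMBER>])` with the real lemma name substituted, would make the step independent of the collection's ordering. If that member is not available under its own name, a comment on the line recording what the index is meant to select (presumably the modify rule, given the `simpler_modify_def` unfolding on the following line — confirm) would at least make the next renumbering a deliberate edit rather than a guess. The enclosing proof of deleteObjects_ccorres' begins and ends outside this hunk.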
@@ -1312,16 +1312,16 @@ lemma decodeCNodeInvocation_ccorres:
 apply wp
 apply simp
 apply (vcg exspec=getSyscallArg_modifies)
- apply (wp static_imp_wp)
+ apply (wp hoare_weak_lift_imp)
 apply simp
 apply (vcg exspec=getSyscallArg_modifies)
 apply wp
 apply simp
 apply (vcg exspec=getSyscallArg_modifies)
- apply (wp static_imp_wp)
+ apply (wp hoare_weak_lift_imp)
 apply simp
 apply (vcg exspec=getSyscallArg_modifies)
- apply (wp static_imp_wp)
+ apply (wp hoare_weak_lift_imp)
 apply simp
 apply (vcg exspec=getSyscallArg_modifies)
 apply wp
@@ -1336,7 +1336,7 @@ lemma decodeCNodeInvocation_ccorres:
 apply vcg
 apply simp
 apply (wp injection_wp_E[OF refl] hoare_vcg_const_imp_lift_R
- hoare_vcg_all_lift_R lsfco_cte_at' static_imp_wp
+ hoare_vcg_all_lift_R lsfco_cte_at' hoare_weak_lift_imp
 | simp add: hasCancelSendRights_not_Null ctes_of_valid_strengthen cong: conj_cong | wp (once) hoare_drop_imps)+
diff --git a/proof/crefine/RISCV64/Ipc_C.thy b/proof/crefine/RISCV64/Ipc_C.thy
index e420debed1..030f7b34ac 100644
--- a/proof/crefine/RISCV64/Ipc_C.thy
+++ b/proof/crefine/RISCV64/Ipc_C.thy
@@ -1733,7 +1733,7 @@ proof -
 split: list.split_asm)
 apply (simp split: list.split)
 apply (wp setMR_tcbFault_obj_at asUser_inv[OF getRestartPC_inv]
- hoare_case_option_wp static_imp_wp
+ hoare_case_option_wp hoare_weak_lift_imp
 | simp add: option_to_ptr_def guard_is_UNIVI seL4_VMFault_PrefetchFault_def seL4_VMFault_Addr_def
@@ -3395,7 +3395,7 @@ proof -
 apply (clarsimp simp: guard_is_UNIV_def Collect_const_mem)
 apply (clarsimp simp: seL4_MessageInfo_lift_def message_info_to_H_def mask_def msgLengthBits_def word_bw_assocs)
- apply (wp getMessageInfo_le3 getMessageInfo_msgLength[unfolded K_def] static_imp_wp
+ apply (wp getMessageInfo_le3 getMessageInfo_msgLength[unfolded K_def] hoare_weak_lift_imp
 | simp)+
 apply (auto simp: excaps_in_mem_def valid_ipc_buffer_ptr'_def option_to_0_def option_to_ptr_def
@@ -4080,7 +4080,7 @@ lemma cteDeleteOne_tcbFault:
 apply (wp emptySlot_tcbFault cancelAllIPC_tcbFault getCTE_wp' cancelAllSignals_tcbFault unbindNotification_tcbFault isFinalCapability_inv unbindMaybeNotification_tcbFault
- static_imp_wp
+ hoare_weak_lift_imp
 | wpc | simp add: Let_def)+
 apply (clarsimp split: if_split)
 done
@@ -4257,7 +4257,7 @@ proof -
 apply (wp sts_running_valid_queues setThreadState_st_tcb | simp)+
 apply (ctac add: setThreadState_ccorres_valid_queues'_simple)
 apply wp
- apply ((wp threadSet_valid_queues threadSet_sch_act threadSet_valid_queues' static_imp_wp
+ apply ((wp threadSet_valid_queues threadSet_sch_act threadSet_valid_queues' hoare_weak_lift_imp
 threadSet_valid_objs' threadSet_weak_sch_act_wf | simp add: valid_tcb_state'_def)+)[1]
 apply (clarsimp simp: guard_is_UNIV_def ThreadState_Restart_def
diff --git a/proof/crefine/RISCV64/Refine_C.thy b/proof/crefine/RISCV64/Refine_C.thy
index 5d1f75c3ff..1b4d2b1a04 100644
--- a/proof/crefine/RISCV64/Refine_C.thy
+++ b/proof/crefine/RISCV64/Refine_C.thy
@@ -639,7 +639,7 @@ lemma threadSet_all_invs_triv':
 apply (simp add: tcb_cte_cases_def cteSizeBits_def)
 apply (simp add: exst_same_def)
 apply (wp thread_set_invs_trivial thread_set_ct_running thread_set_not_state_valid_sched
- threadSet_invs_trivial threadSet_ct_running' static_imp_wp
+ threadSet_invs_trivial threadSet_ct_running' hoare_weak_lift_imp
 thread_set_ct_in_state | simp add: tcb_cap_cases_def tcb_arch_ref_def | rule threadSet_ct_in_state'
diff --git a/proof/crefine/RISCV64/Retype_C.thy b/proof/crefine/RISCV64/Retype_C.thy
index 09a2f24008..e0a9fcd24d 100644
--- a/proof/crefine/RISCV64/Retype_C.thy
+++ b/proof/crefine/RISCV64/Retype_C.thy
@@ -7429,9 +7429,9 @@ shows "ccorres dc xfdc
 including no_pre
 apply (wp insertNewCap_invs' insertNewCap_valid_pspace' insertNewCap_caps_overlap_reserved' insertNewCap_pspace_no_overlap' insertNewCap_caps_no_overlap'' insertNewCap_descendants_range_in'
- insertNewCap_untypedRange hoare_vcg_all_lift insertNewCap_cte_at static_imp_wp)
+ insertNewCap_untypedRange hoare_vcg_all_lift insertNewCap_cte_at hoare_weak_lift_imp)
 apply (wp insertNewCap_cte_wp_at_other)
- apply (wp hoare_vcg_all_lift static_imp_wp insertNewCap_cte_at)
+ apply (wp hoare_vcg_all_lift hoare_weak_lift_imp insertNewCap_cte_at)
 apply (clarsimp simp:conj_comms | strengthen invs_valid_pspace' invs_pspace_aligned' invs_pspace_distinct')+
@@ -7465,7 +7465,7 @@ shows "ccorres dc xfdc
 hoare_vcg_prop createObject_gsCNodes_p createObject_cnodes_have_size)
 apply (rule hoare_vcg_conj_lift[OF createObject_capRange_helper])
 apply (wp createObject_cte_wp_at' createObject_ex_cte_cap_wp_to
- createObject_no_inter[where sz = sz] hoare_vcg_all_lift static_imp_wp)+
+ createObject_no_inter[where sz = sz] hoare_vcg_all_lift hoare_weak_lift_imp)+
 apply (clarsimp simp:invs_pspace_aligned' invs_pspace_distinct' invs_valid_pspace' field_simps range_cover.sz conj_comms range_cover.aligned range_cover_sz' is_aligned_shiftl_self aligned_add_aligned[OF range_cover.aligned])
diff --git a/proof/crefine/RISCV64/SyscallArgs_C.thy b/proof/crefine/RISCV64/SyscallArgs_C.thy
index b1b7124999..5882cccc7a 100644
--- a/proof/crefine/RISCV64/SyscallArgs_C.thy
+++ b/proof/crefine/RISCV64/SyscallArgs_C.thy
@@ -48,7 +48,7 @@ lemma replyOnRestart_invs'[wp]:
 "\invs'\ replyOnRestart thread reply isCall \\rv. invs'\"
 including no_pre
 apply (simp add: replyOnRestart_def)
- apply (wp setThreadState_nonqueued_state_update rfk_invs' static_imp_wp)
+ apply (wp setThreadState_nonqueued_state_update rfk_invs' hoare_weak_lift_imp)
 apply (rule hoare_vcg_all_lift)
 apply (wp setThreadState_nonqueued_state_update rfk_invs' hoare_vcg_all_lift rfk_ksQ)
 apply (rule hoare_strengthen_post, rule gts_sp')
@@ -651,7 +651,7 @@ lemma getMRs_tcbContext:
 apply (wp|wpc)+
 apply (rule_tac P="n < length x" in hoare_gen_asm)
 apply (clarsimp simp: nth_append)
- apply (wp mapM_wp' static_imp_wp)+
+ apply (wp mapM_wp' hoare_weak_lift_imp)+
 apply simp
 apply (rule asUser_cur_obj_at')
 apply (simp add: getRegister_def msgRegisters_unfold)
@@ -988,7 +988,7 @@ lemma getMRs_rel:
 getMRs thread buffer mi \\args. getMRs_rel args buffer\"
 apply (simp add: getMRs_rel_def)
 apply (rule hoare_pre)
- apply (rule_tac x=mi in hoare_vcg_exI)
+ apply (rule_tac x=mi in hoare_exI)
 apply wp
 apply (rule_tac Q="\rv s. thread = ksCurThread s \ fst (getMRs thread buffer mi s) = {(rv,s)}" in hoare_strengthen_post)
 apply (wp det_result det_wp_getMRs)
diff --git a/proof/crefine/RISCV64/Tcb_C.thy b/proof/crefine/RISCV64/Tcb_C.thy
index e10874cbd5..16cc2e5a3c 100644
--- a/proof/crefine/RISCV64/Tcb_C.thy
+++ b/proof/crefine/RISCV64/Tcb_C.thy
@@ -525,7 +525,7 @@ lemma cteInsert_cap_to'2:
 apply (simp add: cteInsert_def ex_nonz_cap_to'_def setUntypedCapAsFull_def)
 apply (rule hoare_vcg_ex_lift)
 apply (wp updateMDB_weak_cte_wp_at
- updateCap_cte_wp_at_cases getCTE_wp' static_imp_wp)
+ updateCap_cte_wp_at_cases getCTE_wp' hoare_weak_lift_imp)
 apply (clarsimp simp: cte_wp_at_ctes_of)
 apply auto
 done
@@ -681,7 +681,7 @@ lemma invokeTCB_ThreadControl_ccorres:
 apply (rule ccorres_return_CE, simp+)[1]
 apply (wp (once))
 apply (clarsimp simp: guard_is_UNIV_def)
- apply (wpsimp wp: when_def static_imp_wp)
+ apply (wpsimp wp: when_def hoare_weak_lift_imp)
 apply (strengthen sch_act_wf_weak, wp)
 apply clarsimp
 apply wp
@@ -695,7 +695,7 @@ lemma invokeTCB_ThreadControl_ccorres:
 tcb_at' target s \ ksCurDomain s \ maxDomain \ valid_queues' s \ fst (the priority) \ maxPriority)"])
 apply (strengthen sch_act_wf_weak)
- apply (wp static_imp_wp)
+ apply (wp hoare_weak_lift_imp)
 apply (clarsimp split: if_splits)
 apply (wp empty_fail_stateAssert hoare_case_option_wp | simp del: Collect_const)+
 apply csymbr
@@ -720,7 +720,7 @@ lemma invokeTCB_ThreadControl_ccorres:
 apply wp
 apply (clarsimp simp: guard_is_UNIV_def)
 apply (simp add: when_def)
- apply (wp hoare_vcg_if_lift2(1) static_imp_wp, strengthen sch_act_wf_weak; wp)
+ apply (wp hoare_vcg_if_lift2(1) hoare_weak_lift_imp, strengthen sch_act_wf_weak; wp)
 apply (clarsimp simp : guard_is_UNIV_def Collect_const_mem)
 apply (clarsimp simp: guard_is_UNIV_def Collect_const_mem tcbBuffer_def size_of_def cte_level_bits_def
@@ -748,7 +748,7 @@ lemma invokeTCB_ThreadControl_ccorres:
 apply (rule ccorres_return_CE, simp+)
 apply wp
 apply (clarsimp simp: guard_is_UNIV_def)
- apply (wp hoare_vcg_if_lift2(1) static_imp_wp, strengthen sch_act_wf_weak; wp)
+ apply (wp hoare_vcg_if_lift2(1) hoare_weak_lift_imp, strengthen sch_act_wf_weak; wp)
 apply (clarsimp simp : guard_is_UNIV_def Collect_const_mem)
 apply (simp add: guard_is_UNIV_def Collect_const_mem flip: canonical_bit_def)
@@ -777,7 +777,7 @@ lemma invokeTCB_ThreadControl_ccorres:
 apply wp
 apply (clarsimp simp: guard_is_UNIV_def)
 apply wpsimp
- apply (wp static_imp_wp, strengthen sch_act_wf_weak, wp )
+ apply (wp hoare_weak_lift_imp, strengthen sch_act_wf_weak, wp )
 apply wp
 apply (clarsimp simp : guard_is_UNIV_def Collect_const_mem)
 apply (simp cong: conj_cong)
@@ -814,7 +814,7 @@ lemma invokeTCB_ThreadControl_ccorres:
 simp add: o_def)
 apply (rule_tac P="is_aligned (fst (the buf)) msg_align_bits" in hoare_gen_asm)
- apply (wp threadSet_ipcbuffer_trivial static_imp_wp
+ apply (wp threadSet_ipcbuffer_trivial hoare_weak_lift_imp
 | simp | strengthen invs_sch_act_wf' invs_valid_objs' invs_weak_sch_act_wf invs_queues invs_valid_queues' | wp hoare_drop_imps)+
@@ -981,13 +981,13 @@ lemma invokeTCB_ThreadControl_ccorres:
 apply (simp add: conj_comms)
 apply (wp hoare_case_option_wp threadSet_invs_trivial setMCPriority_invs' typ_at_lifts[OF setMCPriority_typ_at']
- threadSet_cap_to' static_imp_wp | simp)+
+ threadSet_cap_to' hoare_weak_lift_imp | simp)+
 apply (clarsimp simp: guard_is_UNIV_def tcbCTableSlot_def Kernel_C.tcbCTable_def cte_level_bits_def size_of_def word_sle_def option_to_0_def cintr_def objBits_defs mask_def)
 apply (simp add: conj_comms)
 apply (wp hoare_case_option_wp threadSet_invs_trivial
- threadSet_cap_to' static_imp_wp | simp)+
+ threadSet_cap_to' hoare_weak_lift_imp | simp)+
 apply (clarsimp simp: guard_is_UNIV_def Collect_const_mem)
 apply (clarsimp simp: inQ_def)
 apply (subst is_aligned_neg_mask_eq)
@@ -1539,7 +1539,7 @@ lemma asUser_setRegister_ko_at':
 done
 lemma invokeTCB_WriteRegisters_ccorres[where S=UNIV]:
- notes static_imp_wp [wp] word_less_1[simp del]
+ notes hoare_weak_lift_imp [wp] word_less_1[simp del]
 shows "ccorres (cintr \ (\rv rv'. rv = [])) (liftxf errstate id (K ()) ret__unsigned_long_') (invs' and tcb_at' dst and ex_nonz_cap_to' dst and sch_act_simple
@@ -2131,14 +2131,14 @@ shows
 word_less_nat_alt split: if_split_asm dest!: word_unat.Rep_inverse')
 apply (simp add: pred_conj_def)
- apply (wp mapM_x_wp' sch_act_wf_lift valid_queues_lift static_imp_wp
+ apply (wp mapM_x_wp' sch_act_wf_lift valid_queues_lift hoare_weak_lift_imp
 tcb_in_cur_domain'_lift)
 apply (simp add: n_frameRegisters_def n_msgRegisters_def guard_is_UNIV_def)
 apply simp
 apply (rule mapM_x_wp')
 apply (rule hoare_pre)
- apply (wp asUser_obj_at'[where t'=target] static_imp_wp
+ apply (wp asUser_obj_at'[where t'=target] hoare_weak_lift_imp
 asUser_valid_ipc_buffer_ptr')
 apply clarsimp
 apply (clarsimp simp: guard_is_UNIV_def Collect_const_mem
@@ -2147,7 +2147,7 @@ shows
 msgMaxLength_def msgLengthBits_def word_less_nat_alt unat_of_nat)
 apply (wp (once) hoare_drop_imps)
- apply (wp asUser_obj_at'[where t'=target] static_imp_wp
+ apply (wp asUser_obj_at'[where t'=target] hoare_weak_lift_imp
 asUser_valid_ipc_buffer_ptr')
 apply (vcg exspec=setRegister_modifies)
 apply simp
@@ -2167,12 +2167,12 @@ shows
 apply (simp cong: rev_conj_cong)
 apply wp
 apply (wp asUser_inv mapM_wp' getRegister_inv
- asUser_get_registers[simplified] static_imp_wp)+
+ asUser_get_registers[simplified] hoare_weak_lift_imp)+
 apply (rule hoare_strengthen_post, rule asUser_get_registers)
 apply (clarsimp simp: obj_at'_def genericTake_def frame_gp_registers_convs)
 apply arith
- apply (wp static_imp_wp)
+ apply (wp hoare_weak_lift_imp)
 apply simp
 apply (rule ccorres_inst[where P=\ and P'=UNIV], simp)
 apply (simp add: performTransfer_def)
@@ -4440,7 +4440,7 @@ lemma decodeSetSpace_ccorres:
 done
 lemma invokeTCB_SetTLSBase_ccorres:
- notes static_imp_wp [wp]
+ notes hoare_weak_lift_imp [wp]
 shows "ccorres (cintr \ (\rv rv'. rv = [])) (liftxf errstate id (K ()) ret__unsigned_long_') (invs')
diff --git a/proof/crefine/X64/CSpace_C.thy b/proof/crefine/X64/CSpace_C.thy
index 191859d975..e8b39a5233 100644
--- a/proof/crefine/X64/CSpace_C.thy
+++ b/proof/crefine/X64/CSpace_C.thy
@@ -1045,14 +1045,14 @@ lemma cteInsert_ccorres:
 apply (rule ccorres_move_c_guard_cte)
 apply (ctac ccorres:ccorres_updateMDB_set_mdbPrev)
 apply (ctac ccorres: ccorres_updateMDB_skip)
- apply (wp static_imp_wp)+
+ apply (wp hoare_weak_lift_imp)+
 apply (clarsimp simp: Collect_const_mem split del: if_split)
 apply vcg
- apply (wp static_imp_wp)
+ apply (wp hoare_weak_lift_imp)
 apply (clarsimp simp: Collect_const_mem split del: if_split)
 apply vcg
 apply (clarsimp simp:cmdb_node_relation_mdbNext)
- apply (wp setUntypedCapAsFull_cte_at_wp static_imp_wp)
+ apply (wp setUntypedCapAsFull_cte_at_wp hoare_weak_lift_imp)
 apply (clarsimp simp: Collect_const_mem split del: if_split)
 apply (vcg exspec=setUntypedCapAsFull_modifies)
 apply wp
diff --git a/proof/crefine/X64/Delete_C.thy b/proof/crefine/X64/Delete_C.thy
index 7db06f6cb9..fa30db71c0 100644
--- a/proof/crefine/X64/Delete_C.thy
+++ b/proof/crefine/X64/Delete_C.thy
@@ -878,7 +878,7 @@ lemma finaliseSlot_ccorres:
 apply (simp add: guard_is_UNIV_def)
 apply (simp add: conj_comms)
 apply (wp make_zombie_invs' updateCap_cte_wp_at_cases
- updateCap_cap_to' hoare_vcg_disj_lift static_imp_wp)+
+ updateCap_cap_to' hoare_vcg_disj_lift hoare_weak_lift_imp)+
 apply (simp add: guard_is_UNIV_def)
 apply wp
 apply (simp add: guard_is_UNIV_def)
@@ -912,7 +912,7 @@ lemma finaliseSlot_ccorres:
 apply (erule(1) cmap_relationE1 [OF cmap_relation_cte])
 apply (frule valid_global_refsD_with_objSize, clarsimp)
 apply (auto simp: typ_heap_simps dest!: ccte_relation_ccap_relation)[1]
- apply (wp isFinalCapability_inv static_imp_wp | wp (once) isFinal[where x=slot'])+
+ apply (wp isFinalCapability_inv hoare_weak_lift_imp | wp (once) isFinal[where x=slot'])+
 apply vcg
 apply (rule conseqPre, vcg)
 apply clarsimp
diff --git a/proof/crefine/X64/Detype_C.thy b/proof/crefine/X64/Detype_C.thy
index 898306d688..bd677c7ffa 100644
--- a/proof/crefine/X64/Detype_C.thy
+++ b/proof/crefine/X64/Detype_C.thy
@@ -1548,7 +1548,7 @@ lemma deleteObjects_ccorres':
 apply (rule allI, rule conseqPre, vcg)
 apply (clarsimp simp: in_monad)
 apply (rule bexI [rotated])
- apply (rule iffD2 [OF in_monad(20)])
+ apply (rule iffD2 [OF in_monad(21)])
 apply (rule conjI [OF refl refl])
 apply (clarsimp simp: simpler_modify_def)
 proof -
diff --git a/proof/crefine/X64/Invoke_C.thy b/proof/crefine/X64/Invoke_C.thy
index 2800a857e9..ac13823e21 100644
--- a/proof/crefine/X64/Invoke_C.thy
+++ b/proof/crefine/X64/Invoke_C.thy
@@ -1246,7 +1246,7 @@ lemma decodeCNodeInvocation_ccorres:
 apply (rule ccorres_return_C_errorE, simp+)[1]
 apply wp
 apply (vcg exspec=invokeCNodeRotate_modifies)
- apply (wp static_imp_wp)+
+ apply (wp hoare_weak_lift_imp)+
 apply (simp add: Collect_const_mem)
 apply (vcg exspec=setThreadState_modifies)
 apply (simp add: Collect_const_mem)
@@ -1310,16 +1310,16 @@ lemma decodeCNodeInvocation_ccorres:
 apply wp
 apply simp
 apply (vcg exspec=getSyscallArg_modifies)
- apply (wp static_imp_wp)
+ apply (wp hoare_weak_lift_imp)
 apply simp
 apply (vcg exspec=getSyscallArg_modifies)
 apply wp
 apply simp
 apply (vcg exspec=getSyscallArg_modifies)
- apply (wp static_imp_wp)
+ apply (wp hoare_weak_lift_imp)
 apply simp
 apply (vcg exspec=getSyscallArg_modifies)
- apply (wp static_imp_wp)
+ apply (wp hoare_weak_lift_imp)
 apply simp
 apply (vcg exspec=getSyscallArg_modifies)
 apply wp
@@ -1334,7 +1334,7 @@ lemma decodeCNodeInvocation_ccorres:
 apply vcg
 apply simp
 apply (wp injection_wp_E[OF refl] hoare_vcg_const_imp_lift_R
- hoare_vcg_all_lift_R lsfco_cte_at' static_imp_wp
+ hoare_vcg_all_lift_R lsfco_cte_at' hoare_weak_lift_imp
 | simp add: hasCancelSendRights_not_Null ctes_of_valid_strengthen cong: conj_cong | wp (once) hoare_drop_imps)+
diff --git a/proof/crefine/X64/Ipc_C.thy b/proof/crefine/X64/Ipc_C.thy
index 45eecea7bb..3d2bc76c34 100644
--- a/proof/crefine/X64/Ipc_C.thy
+++ b/proof/crefine/X64/Ipc_C.thy
@@ -1742,7 +1742,7 @@ proof -
 split: list.split_asm)
 apply (simp split: list.split)
 apply (wp setMR_tcbFault_obj_at asUser_inv[OF getRestartPC_inv]
- hoare_case_option_wp static_imp_wp
+ hoare_case_option_wp hoare_weak_lift_imp
 | simp add: option_to_ptr_def guard_is_UNIVI seL4_VMFault_PrefetchFault_def seL4_VMFault_Addr_def
@@ -3407,7 +3407,7 @@ proof -
 apply (clarsimp simp: guard_is_UNIV_def Collect_const_mem)
 apply (clarsimp simp: seL4_MessageInfo_lift_def message_info_to_H_def mask_def msgLengthBits_def word_bw_assocs)
- apply (wp getMessageInfo_le3 getMessageInfo_msgLength[unfolded K_def] static_imp_wp
+ apply (wp getMessageInfo_le3 getMessageInfo_msgLength[unfolded K_def] hoare_weak_lift_imp
 | simp)+
 apply (auto simp: excaps_in_mem_def valid_ipc_buffer_ptr'_def option_to_0_def option_to_ptr_def
@@ -4092,7 +4092,7 @@ lemma cteDeleteOne_tcbFault:
 apply (wp emptySlot_tcbFault cancelAllIPC_tcbFault getCTE_wp' cancelAllSignals_tcbFault unbindNotification_tcbFault isFinalCapability_inv unbindMaybeNotification_tcbFault
- static_imp_wp
+ hoare_weak_lift_imp
 | wpc | simp add: Let_def)+
 apply (clarsimp split: if_split)
 done
@@ -4269,7 +4269,7 @@ proof -
 apply (wp sts_running_valid_queues setThreadState_st_tcb | simp)+
 apply (ctac add: setThreadState_ccorres_valid_queues'_simple)
 apply wp
- apply ((wp threadSet_valid_queues threadSet_sch_act threadSet_valid_queues' static_imp_wp
+ apply ((wp threadSet_valid_queues threadSet_sch_act threadSet_valid_queues' hoare_weak_lift_imp
 threadSet_valid_objs' threadSet_weak_sch_act_wf | simp add: valid_tcb_state'_def)+)[1]
 apply (clarsimp simp: guard_is_UNIV_def ThreadState_Restart_def
diff --git a/proof/crefine/X64/Refine_C.thy b/proof/crefine/X64/Refine_C.thy
index d258ccf71f..31e09c289e 100644
--- a/proof/crefine/X64/Refine_C.thy
+++ b/proof/crefine/X64/Refine_C.thy
@@ -642,7 +642,7 @@ lemma threadSet_all_invs_triv':
 apply (simp add: tcb_cte_cases_def)
 apply (simp add: exst_same_def)
 apply (wp thread_set_invs_trivial thread_set_ct_running thread_set_not_state_valid_sched
- threadSet_invs_trivial threadSet_ct_running' static_imp_wp
+ threadSet_invs_trivial threadSet_ct_running' hoare_weak_lift_imp
 thread_set_ct_in_state | simp add: tcb_cap_cases_def tcb_arch_ref_def | rule threadSet_ct_in_state'
diff --git a/proof/crefine/X64/Retype_C.thy b/proof/crefine/X64/Retype_C.thy
index 1e2ddbc450..eec9e32085 100644
--- a/proof/crefine/X64/Retype_C.thy
+++ b/proof/crefine/X64/Retype_C.thy
@@ -8567,9 +8567,9 @@ shows "ccorres dc xfdc
 including no_pre
 apply (wp insertNewCap_invs' insertNewCap_valid_pspace' insertNewCap_caps_overlap_reserved' insertNewCap_pspace_no_overlap' insertNewCap_caps_no_overlap'' insertNewCap_descendants_range_in'
- insertNewCap_untypedRange hoare_vcg_all_lift insertNewCap_cte_at static_imp_wp)
+ insertNewCap_untypedRange hoare_vcg_all_lift insertNewCap_cte_at hoare_weak_lift_imp)
 apply (wp insertNewCap_cte_wp_at_other)
- apply (wp hoare_vcg_all_lift static_imp_wp insertNewCap_cte_at)
+ apply (wp hoare_vcg_all_lift hoare_weak_lift_imp insertNewCap_cte_at)
 apply (clarsimp simp:conj_comms | strengthen invs_valid_pspace' invs_pspace_aligned' invs_pspace_distinct')+
@@ -8603,7 +8603,7 @@ shows "ccorres dc xfdc
 hoare_vcg_prop createObject_gsCNodes_p createObject_cnodes_have_size)
 apply (rule hoare_vcg_conj_lift[OF createObject_capRange_helper])
 apply (wp createObject_cte_wp_at' createObject_ex_cte_cap_wp_to
- createObject_no_inter[where sz = sz] hoare_vcg_all_lift static_imp_wp)+
+ createObject_no_inter[where sz = sz] hoare_vcg_all_lift hoare_weak_lift_imp)+
 apply (clarsimp simp:invs_pspace_aligned' invs_pspace_distinct' invs_valid_pspace' field_simps range_cover.sz conj_comms range_cover.aligned range_cover_sz' is_aligned_shiftl_self aligned_add_aligned[OF range_cover.aligned])
diff --git a/proof/crefine/X64/SyscallArgs_C.thy b/proof/crefine/X64/SyscallArgs_C.thy
index a01433a8bb..4be2242bd4 100644
--- a/proof/crefine/X64/SyscallArgs_C.thy
+++ b/proof/crefine/X64/SyscallArgs_C.thy
@@ -47,7 +47,7 @@ lemma replyOnRestart_invs'[wp]:
 "\invs'\ replyOnRestart thread reply isCall \\rv. invs'\"
 including no_pre
 apply (simp add: replyOnRestart_def)
- apply (wp setThreadState_nonqueued_state_update rfk_invs' static_imp_wp)
+ apply (wp setThreadState_nonqueued_state_update rfk_invs' hoare_weak_lift_imp)
 apply (rule hoare_vcg_all_lift)
 apply (wp setThreadState_nonqueued_state_update rfk_invs' hoare_vcg_all_lift rfk_ksQ)
 apply (rule hoare_strengthen_post, rule gts_sp')
@@ -657,7 +657,7 @@ lemma getMRs_tcbContext:
 apply (wp|wpc)+
 apply (rule_tac P="n < length x" in hoare_gen_asm)
 apply (clarsimp simp: nth_append)
- apply (wp mapM_wp' static_imp_wp)+
+ apply (wp mapM_wp' hoare_weak_lift_imp)+
 apply simp
 apply (rule asUser_cur_obj_at')
 apply (simp add: getRegister_def msgRegisters_unfold)
@@ -994,7 +994,7 @@ lemma getMRs_rel:
 getMRs thread buffer mi \\args. getMRs_rel args buffer\"
 apply (simp add: getMRs_rel_def)
 apply (rule hoare_pre)
- apply (rule_tac x=mi in hoare_vcg_exI)
+ apply (rule_tac x=mi in hoare_exI)
 apply wp
 apply (rule_tac Q="\rv s. thread = ksCurThread s \ fst (getMRs thread buffer mi s) = {(rv,s)}" in hoare_strengthen_post)
 apply (wp det_result det_wp_getMRs)
diff --git a/proof/crefine/X64/Tcb_C.thy b/proof/crefine/X64/Tcb_C.thy
index 1e13a4f9bd..541b7494c2 100644
--- a/proof/crefine/X64/Tcb_C.thy
+++ b/proof/crefine/X64/Tcb_C.thy
@@ -518,7 +518,7 @@ lemma cteInsert_cap_to'2:
 apply (simp add: cteInsert_def ex_nonz_cap_to'_def setUntypedCapAsFull_def)
 apply (rule hoare_vcg_ex_lift)
 apply (wp updateMDB_weak_cte_wp_at
- updateCap_cte_wp_at_cases getCTE_wp' static_imp_wp)
+ updateCap_cte_wp_at_cases getCTE_wp' hoare_weak_lift_imp)
 apply (clarsimp simp: cte_wp_at_ctes_of)
 apply auto
 done
@@ -674,7 +674,7 @@ lemma invokeTCB_ThreadControl_ccorres:
 apply (rule ccorres_return_CE, simp+)[1]
 apply (wp (once))
 apply (clarsimp simp: guard_is_UNIV_def)
- apply (wpsimp wp: when_def static_imp_wp)
+ apply (wpsimp wp: when_def hoare_weak_lift_imp)
 apply (strengthen sch_act_wf_weak, wp)
 apply clarsimp
 apply wp
@@ -688,7 +688,7 @@ lemma invokeTCB_ThreadControl_ccorres:
 tcb_at' target s \ ksCurDomain s \ maxDomain \ valid_queues' s \ fst (the priority) \ maxPriority)"])
 apply (strengthen sch_act_wf_weak)
- apply (wp static_imp_wp)
+ apply (wp hoare_weak_lift_imp)
 apply (clarsimp split: if_splits)
 apply (wp empty_fail_stateAssert hoare_case_option_wp | simp del: Collect_const)+
 apply csymbr
@@ -713,7 +713,7 @@ lemma invokeTCB_ThreadControl_ccorres:
 apply wp
 apply (clarsimp simp: guard_is_UNIV_def)
 apply (simp add: when_def)
- apply (wp hoare_vcg_if_lift2(1) static_imp_wp, strengthen sch_act_wf_weak; wp)
+ apply (wp hoare_vcg_if_lift2(1) hoare_weak_lift_imp, strengthen sch_act_wf_weak; wp)
 apply (clarsimp simp : guard_is_UNIV_def Collect_const_mem)
 apply (clarsimp simp: guard_is_UNIV_def Collect_const_mem tcbBuffer_def size_of_def cte_level_bits_def
@@ -741,7 +741,7 @@ lemma invokeTCB_ThreadControl_ccorres:
 apply (rule ccorres_return_CE, simp+)
 apply wp
 apply (clarsimp simp: guard_is_UNIV_def)
- apply (wp hoare_vcg_if_lift2(1) static_imp_wp, strengthen sch_act_wf_weak; wp)
+ apply (wp hoare_vcg_if_lift2(1) hoare_weak_lift_imp, strengthen sch_act_wf_weak; wp)
 apply (clarsimp simp : guard_is_UNIV_def Collect_const_mem)
 apply (simp add: guard_is_UNIV_def Collect_const_mem)
 apply (clarsimp simp: ccap_relation_def cap_thread_cap_lift cap_to_H_def canonical_address_bitfield_extract_tcb)
@@ -769,7 +769,7 @@ lemma invokeTCB_ThreadControl_ccorres:
 apply wp
 apply (clarsimp simp: guard_is_UNIV_def)
 apply wpsimp
- apply (wp static_imp_wp, strengthen sch_act_wf_weak, wp )
+ apply (wp hoare_weak_lift_imp, strengthen sch_act_wf_weak, wp )
 apply wp
 apply (clarsimp simp : guard_is_UNIV_def Collect_const_mem)
 apply (simp cong: conj_cong)
@@ -806,7 +806,7 @@ lemma invokeTCB_ThreadControl_ccorres:
 simp add: o_def)
 apply (rule_tac P="is_aligned (fst (the buf)) msg_align_bits" in hoare_gen_asm)
- apply (wp threadSet_ipcbuffer_trivial static_imp_wp
+ apply (wp threadSet_ipcbuffer_trivial hoare_weak_lift_imp
 | simp | strengthen invs_sch_act_wf' invs_valid_objs' invs_weak_sch_act_wf invs_queues invs_valid_queues' | wp hoare_drop_imps)+
@@ -965,13 +965,13 @@ lemma invokeTCB_ThreadControl_ccorres:
 apply (simp add: conj_comms)
 apply (wp hoare_case_option_wp threadSet_invs_trivial setMCPriority_invs' typ_at_lifts[OF setMCPriority_typ_at']
- threadSet_cap_to' static_imp_wp | simp)+
+ threadSet_cap_to' hoare_weak_lift_imp | simp)+
 apply (clarsimp simp: guard_is_UNIV_def tcbCTableSlot_def Kernel_C.tcbCTable_def cte_level_bits_def size_of_def word_sle_def option_to_0_def cintr_def objBits_defs mask_def)
 apply (simp add: conj_comms)
 apply (wp hoare_case_option_wp threadSet_invs_trivial
- threadSet_cap_to' static_imp_wp | simp)+
+ threadSet_cap_to' hoare_weak_lift_imp | simp)+
 apply (clarsimp simp: guard_is_UNIV_def Collect_const_mem)
 apply (clarsimp simp: inQ_def)
 apply (subst is_aligned_neg_mask_eq)
@@ -1529,7 +1529,7 @@ lemma asUser_setRegister_ko_at':
 done
 lemma invokeTCB_WriteRegisters_ccorres[where S=UNIV]:
- notes static_imp_wp [wp] word_less_1[simp del]
+ notes hoare_weak_lift_imp [wp] word_less_1[simp del]
 shows "ccorres (cintr \ (\rv rv'. rv = [])) (liftxf errstate id (K ()) ret__unsigned_long_') (invs' and tcb_at' dst and ex_nonz_cap_to' dst and sch_act_simple
@@ -2121,14 +2121,14 @@ shows
 word_less_nat_alt split: if_split_asm dest!: word_unat.Rep_inverse')
 apply (simp add: pred_conj_def)
- apply (wp mapM_x_wp' sch_act_wf_lift valid_queues_lift static_imp_wp
+ apply (wp mapM_x_wp' sch_act_wf_lift valid_queues_lift hoare_weak_lift_imp
 tcb_in_cur_domain'_lift)
 apply (simp add: n_frameRegisters_def n_msgRegisters_def guard_is_UNIV_def)
 apply simp
 apply (rule mapM_x_wp')
 apply (rule hoare_pre)
- apply (wp asUser_obj_at'[where t'=target] static_imp_wp
+ apply (wp asUser_obj_at'[where t'=target] hoare_weak_lift_imp
 asUser_valid_ipc_buffer_ptr')
 apply clarsimp
 apply (clarsimp simp: guard_is_UNIV_def Collect_const_mem
@@ -2137,7 +2137,7 @@ shows
 msgMaxLength_def msgLengthBits_def word_less_nat_alt unat_of_nat)
 apply (wp (once) hoare_drop_imps)
- apply (wp asUser_obj_at'[where t'=target] static_imp_wp
+ apply (wp asUser_obj_at'[where t'=target] hoare_weak_lift_imp
 asUser_valid_ipc_buffer_ptr')
 apply (vcg exspec=setRegister_modifies)
 apply simp
@@ -2157,12 +2157,12 @@ shows
 apply (simp cong: rev_conj_cong)
 apply wp
 apply (wp asUser_inv mapM_wp' getRegister_inv
- asUser_get_registers[simplified] static_imp_wp)+
+ asUser_get_registers[simplified] hoare_weak_lift_imp)+
 apply (rule hoare_strengthen_post, rule asUser_get_registers)
 apply (clarsimp simp: obj_at'_def genericTake_def frame_gp_registers_convs)
 apply arith
- apply (wp static_imp_wp)
+ apply (wp hoare_weak_lift_imp)
 apply simp
 apply (rule ccorres_inst[where P=\ and P'=UNIV], simp)
 apply (simp add: performTransfer_def)
@@ -4429,7 +4429,7 @@ lemma decodeSetSpace_ccorres:
 done
 lemma invokeTCB_SetTLSBase_ccorres:
- notes static_imp_wp [wp]
+ notes hoare_weak_lift_imp [wp]
 shows "ccorres (cintr \ (\rv rv'. rv = [])) (liftxf errstate id (K ()) ret__unsigned_long_') (invs')
diff --git a/proof/drefine/CNode_DR.thy b/proof/drefine/CNode_DR.thy
index fdb277d77f..5361f6ba10 100644
--- a/proof/drefine/CNode_DR.thy
+++ b/proof/drefine/CNode_DR.thy
@@ -218,7 +218,7 @@ lemma insert_cap_sibling_corres:
 apply (rule_tac s=s' in transform_cdt_slot_inj_on_cte_at[where P=\])
 apply (auto simp: swp_def dest: mdb_cte_atD elim!: ranE)[1]
- apply ((wp set_cap_caps_of_state2 get_cap_wp static_imp_wp
+ apply ((wp set_cap_caps_of_state2 get_cap_wp hoare_weak_lift_imp
 | simp add: swp_def cte_wp_at_caps_of_state)+)
 apply (wp set_cap_idle | simp add:set_untyped_cap_as_full_def split del: if_split)+
@@ -231,7 +231,7 @@ lemma insert_cap_sibling_corres:
 cte_wp_at_caps_of_state has_parent_cte_at is_physical_def dest!:is_untyped_cap_eqD)
 apply fastforce
- apply (wp get_cap_wp set_cap_idle static_imp_wp
+ apply (wp get_cap_wp set_cap_idle hoare_weak_lift_imp
 | simp add:set_untyped_cap_as_full_def split del: if_split)+
 apply (rule_tac Q = "\r s. cdt s sibling = None
@@ -303,7 +303,7 @@ lemma insert_cap_child_corres:
 apply (rule_tac s=s' in transform_cdt_slot_inj_on_cte_at[where P=\])
 apply (auto simp: swp_def dest: mdb_cte_atD elim!: ranE)[1]
- apply (wp set_cap_caps_of_state2 get_cap_wp static_imp_wp
+ apply (wp set_cap_caps_of_state2 get_cap_wp hoare_weak_lift_imp
 | simp add: swp_def cte_wp_at_caps_of_state)+
 apply (wp set_cap_idle | simp add:set_untyped_cap_as_full_def split del:if_split)+
@@ -314,14 +314,14 @@ lemma insert_cap_child_corres: apply (wp set_cap_mdb_cte_at | simp add:not_idle_thread_def)+ apply (clarsimp simp:mdb_cte_at_def cte_wp_at_caps_of_state) apply fastforce - apply (wp get_cap_wp set_cap_idle static_imp_wp + apply (wp get_cap_wp set_cap_idle hoare_weak_lift_imp | simp split del:if_split add:set_untyped_cap_as_full_def)+ apply (rule_tac Q = "\r s. not_idle_thread (fst child) s \ (\cap. caps_of_state s src = Some cap) \ should_be_parent_of src_capa (is_original_cap s src) cap (cap_insert_dest_original cap src_capa) \ mdb_cte_at (swp (cte_wp_at ((\) cap.NullCap)) s) (cdt s)" in hoare_strengthen_post) - apply (wp set_cap_mdb_cte_at static_imp_wp | simp add:not_idle_thread_def)+ + apply (wp set_cap_mdb_cte_at hoare_weak_lift_imp | simp add:not_idle_thread_def)+ apply (clarsimp simp:mdb_cte_at_def cte_wp_at_caps_of_state) apply fastforce apply clarsimp diff --git a/proof/drefine/Finalise_DR.thy b/proof/drefine/Finalise_DR.thy index 415e0c9180..fd7fdb63fd 100644 --- a/proof/drefine/Finalise_DR.thy +++ b/proof/drefine/Finalise_DR.thy @@ -542,7 +542,7 @@ lemma flush_space_dwp[wp]: apply (clarsimp split:option.splits) apply (rule do_machine_op_wp) apply clarsimp - apply (wp static_imp_wp)+ + apply (wp hoare_weak_lift_imp)+ apply (rule do_machine_op_wp) apply clarsimp apply wp @@ -3602,7 +3602,7 @@ next | simp add: not_idle_thread_def del: gets_to_return)+ apply (simp add: conj_comms) apply (wp replace_cap_invs final_cap_same_objrefs set_cap_cte_wp_at - hoare_vcg_const_Ball_lift set_cap_cte_cap_wp_to static_imp_wp + hoare_vcg_const_Ball_lift set_cap_cte_cap_wp_to hoare_weak_lift_imp | erule finalise_cap_not_reply_master[simplified in_monad, simplified] | simp only: not_idle_thread_def pred_conj_def simp_thms)+ apply (rule hoare_strengthen_post) diff --git a/proof/drefine/Ipc_DR.thy b/proof/drefine/Ipc_DR.thy index 2023071ac2..7e753044d2 100644 --- a/proof/drefine/Ipc_DR.thy +++ b/proof/drefine/Ipc_DR.thy 
@@ -1233,7 +1233,7 @@ lemma cap_insert_cte_wp_at_masked_as_full: shows "\\s. if slot = dest then P cap else cte_wp_at P slot s\ cap_insert cap src dest \\uu. cte_wp_at P slot\" apply (simp add:cap_insert_def set_untyped_cap_as_full_def) - apply (wp set_cap_cte_wp_at hoare_vcg_if_lift get_cap_wp static_imp_wp dxo_wp_weak + apply (wp set_cap_cte_wp_at hoare_vcg_if_lift get_cap_wp hoare_weak_lift_imp dxo_wp_weak | simp split del:if_split)+ apply (intro conjI impI allI | clarsimp simp:cte_wp_at_caps_of_state)+ diff --git a/proof/drefine/Untyped_DR.thy b/proof/drefine/Untyped_DR.thy index 2d56b66389..dd40ff9e4d 100644 --- a/proof/drefine/Untyped_DR.thy +++ b/proof/drefine/Untyped_DR.thy @@ -865,7 +865,7 @@ lemma create_cap_mdb_cte_at: \ cte_wp_at ((\)cap.NullCap) parent s \ cte_at (fst tup) s\ create_cap type sz parent dev tup \\rv s. mdb_cte_at (swp (cte_wp_at ((\)cap.NullCap)) s) (cdt s)\" apply (simp add: create_cap_def split_def mdb_cte_at_def) - apply (wp hoare_vcg_all_lift set_cap_default_not_none set_cdt_cte_wp_at static_imp_wp dxo_wp_weak + apply (wp hoare_vcg_all_lift set_cap_default_not_none set_cdt_cte_wp_at hoare_weak_lift_imp dxo_wp_weak | simp | wps)+ apply (fastforce simp: cte_wp_at_caps_of_state) done diff --git a/proof/infoflow/ADT_IF.thy b/proof/infoflow/ADT_IF.thy index 63ef7b2f48..bb7d5fd295 100644 --- a/proof/infoflow/ADT_IF.thy +++ b/proof/infoflow/ADT_IF.thy @@ -787,7 +787,7 @@ lemma kernel_entry_if_invs: kernel_entry_if e tc \\_. invs\" unfolding kernel_entry_if_def - by (wpsimp wp: thread_set_invs_trivial static_imp_wp + by (wpsimp wp: thread_set_invs_trivial hoare_weak_lift_imp simp: arch_tcb_update_aux2 ran_tcb_cap_cases)+ lemma kernel_entry_if_globals_equiv: 
@@ -796,7 +796,7 @@ lemma kernel_entry_if_globals_equiv: kernel_entry_if e tc \\_. globals_equiv st\" apply (simp add: kernel_entry_if_def) - apply (wp static_imp_wp handle_event_globals_equiv + apply (wp hoare_weak_lift_imp handle_event_globals_equiv thread_set_invs_trivial thread_set_context_globals_equiv | simp add: ran_tcb_cap_cases arch_tcb_update_aux2)+ apply (clarsimp simp: cur_thread_idle) @@ -831,7 +831,7 @@ lemma kernel_entry_silc_inv[wp]: \\_. silc_inv aag st\" unfolding kernel_entry_if_def by (wpsimp simp: ran_tcb_cap_cases arch_tcb_update_aux2 - wp: static_imp_wp handle_event_silc_inv thread_set_silc_inv thread_set_invs_trivial + wp: hoare_weak_lift_imp handle_event_silc_inv thread_set_silc_inv thread_set_invs_trivial thread_set_not_state_valid_sched thread_set_pas_refined | wp (once) hoare_vcg_imp_lift | force)+ @@ -1016,7 +1016,7 @@ lemma kernel_entry_pas_refined[wp]: \\_. pas_refined aag\" unfolding kernel_entry_if_def by (wpsimp simp: ran_tcb_cap_cases schact_is_rct_def arch_tcb_update_aux2 - wp: static_imp_wp handle_event_pas_refined thread_set_pas_refined + wp: hoare_weak_lift_imp handle_event_pas_refined thread_set_pas_refined guarded_pas_domain_lift thread_set_invs_trivial thread_set_not_state_valid_sched | force)+ @@ -1026,7 +1026,7 @@ lemma kernel_entry_if_domain_sep_inv: \\_. domain_sep_inv irqs st\" unfolding kernel_entry_if_def by (wpsimp simp: ran_tcb_cap_cases arch_tcb_update_aux2 - wp: handle_event_domain_sep_inv static_imp_wp + wp: handle_event_domain_sep_inv hoare_weak_lift_imp thread_set_invs_trivial thread_set_not_state_valid_sched)+ lemma kernel_entry_if_valid_sched: 
@@ -1037,7 +1037,7 @@ lemma kernel_entry_if_valid_sched: by (wpsimp simp: kernel_entry_if_def ran_tcb_cap_cases arch_tcb_update_aux2 wp: handle_event_valid_sched thread_set_invs_trivial hoare_vcg_disj_lift thread_set_no_change_tcb_state ct_in_state_thread_state_lift - thread_set_not_state_valid_sched static_imp_wp)+ + thread_set_not_state_valid_sched hoare_weak_lift_imp)+ lemma kernel_entry_if_irq_masks: "\(\s. P (irq_masks_of_state s)) and domain_sep_inv False st and invs\ @@ -2643,7 +2643,7 @@ lemma handle_invocation_irq_state_inv: split del: if_split) apply (wp syscall_valid) apply ((wp irq_state_inv_triv | wpc | simp)+)[2] - apply (wp static_imp_wp perform_invocation_irq_state_inv hoare_vcg_all_lift + apply (wp hoare_weak_lift_imp perform_invocation_irq_state_inv hoare_vcg_all_lift hoare_vcg_ex_lift decode_invocation_IRQHandlerCap | wpc | wp (once) hoare_drop_imps diff --git a/proof/infoflow/ARM/ArchADT_IF.thy b/proof/infoflow/ARM/ArchADT_IF.thy index 6e0e34eb9a..e0438c9dec 100644 --- a/proof/infoflow/ARM/ArchADT_IF.thy +++ b/proof/infoflow/ARM/ArchADT_IF.thy @@ -254,7 +254,7 @@ lemma kernel_entry_if_valid_pdpt_objs[wp]: apply (simp add: kernel_entry_if_def) apply (wp | wpc | simp add: kernel_entry_if_def)+ apply (wpsimp simp: ran_tcb_cap_cases arch_tcb_update_aux2 - wp: static_imp_wp thread_set_invs_trivial)+ + wp: hoare_weak_lift_imp thread_set_invs_trivial)+ done lemma kernel_entry_if_valid_vspace_objs_if[ADT_IF_assms, wp]: diff --git a/proof/infoflow/ARM/ArchArch_IF.thy b/proof/infoflow/ARM/ArchArch_IF.thy index 872256754b..f5c0527ab9 100644 --- a/proof/infoflow/ARM/ArchArch_IF.thy +++ b/proof/infoflow/ARM/ArchArch_IF.thy 
@@ -1428,8 +1428,8 @@ lemma set_mrs_globals_equiv: apply (clarsimp) apply (insert length_msg_lt_msg_max) apply (simp) - apply (wp set_object_globals_equiv static_imp_wp) - apply (wp hoare_vcg_all_lift set_object_globals_equiv static_imp_wp)+ + apply (wp set_object_globals_equiv hoare_weak_lift_imp) + apply (wp hoare_vcg_all_lift set_object_globals_equiv hoare_weak_lift_imp)+ apply (clarsimp simp:arm_global_pd_not_tcb)+ done @@ -1444,7 +1444,7 @@ lemma perform_page_invocation_globals_equiv: apply (wp mapM_swp_store_pte_globals_equiv hoare_vcg_all_lift dmo_cacheRangeOp_lift mapM_swp_store_pde_globals_equiv mapM_x_swp_store_pte_globals_equiv mapM_x_swp_store_pde_globals_equiv set_cap_globals_equiv'' - unmap_page_globals_equiv store_pte_globals_equiv store_pde_globals_equiv static_imp_wp + unmap_page_globals_equiv store_pte_globals_equiv store_pde_globals_equiv hoare_weak_lift_imp do_flush_globals_equiv set_mrs_globals_equiv set_message_info_globals_equiv | wpc | simp add: do_machine_op_bind cleanByVA_PoU_def)+ by (auto simp: cte_wp_parent_not_global_pd authorised_for_globals_page_inv_def valid_page_inv_def @@ -1479,7 +1479,7 @@ lemma perform_asid_control_invocation_globals_equiv: max_index_upd_invs_simple set_cap_no_overlap set_cap_caps_no_overlap max_index_upd_caps_overlap_reserved region_in_kernel_window_preserved - hoare_vcg_all_lift get_cap_wp static_imp_wp + hoare_vcg_all_lift get_cap_wp hoare_weak_lift_imp set_cap_idx_up_aligned_area[where dev = False,simplified] | simp)+ (* factor out the implication -- we know what the relevant components of the diff --git a/proof/infoflow/ARM/ArchFinalCaps.thy b/proof/infoflow/ARM/ArchFinalCaps.thy index 261ac95d0c..63ffbffb7c 100644 --- a/proof/infoflow/ARM/ArchFinalCaps.thy +++ b/proof/infoflow/ARM/ArchFinalCaps.thy 
@@ -181,7 +181,7 @@ lemma perform_page_invocation_silc_inv: apply (wp mapM_wp[OF _ subset_refl] set_cap_silc_inv mapM_x_wp[OF _ subset_refl] perform_page_table_invocation_silc_inv_get_cap_helper'[where st=st] - hoare_vcg_all_lift hoare_vcg_if_lift static_imp_wp + hoare_vcg_all_lift hoare_vcg_if_lift hoare_weak_lift_imp | wpc | simp only: swp_def o_def fun_app_def K_def | wp (once) hoare_drop_imps)+ @@ -212,7 +212,7 @@ lemma perform_asid_control_invocation_silc_inv: apply (rule hoare_pre) apply (wp modify_wp cap_insert_silc_inv' retype_region_silc_inv[where sz=pageBits] set_cap_silc_inv get_cap_slots_holding_overlapping_caps[where st=st] - delete_objects_silc_inv static_imp_wp + delete_objects_silc_inv hoare_weak_lift_imp | wpc | simp )+ apply (clarsimp simp: authorised_asid_control_inv_def silc_inv_def valid_aci_def ptr_range_def page_bits_def) apply (rule conjI) @@ -275,15 +275,15 @@ lemma arch_invoke_irq_control_silc_inv[FinalCaps_assms]: done lemma invoke_tcb_silc_inv[FinalCaps_assms]: - notes static_imp_wp [wp] - static_imp_conj_wp [wp] + notes hoare_weak_lift_imp [wp] + hoare_weak_lift_imp_conj [wp] shows "\silc_inv aag st and einvs and simple_sched_action and pas_refined aag and tcb_inv_wf tinv and K (authorised_tcb_inv aag tinv)\ invoke_tcb tinv \\_. silc_inv aag st\" apply (case_tac tinv) apply ((wp restart_silc_inv hoare_vcg_if_lift suspend_silc_inv mapM_x_wp[OF _ subset_refl] - static_imp_wp + hoare_weak_lift_imp | wpc | simp split del: if_split add: authorised_tcb_inv_def check_cap_at_def | clarsimp diff --git a/proof/infoflow/ARM/ArchIRQMasks_IF.thy b/proof/infoflow/ARM/ArchIRQMasks_IF.thy index 0b3761e134..b9819e009f 100644 --- a/proof/infoflow/ARM/ArchIRQMasks_IF.thy +++ b/proof/infoflow/ARM/ArchIRQMasks_IF.thy 
@@ -139,13 +139,13 @@ lemma invoke_tcb_irq_masks[IRQMasks_IF_assms]: apply (wp hoare_vcg_conj_liftE1 cap_delete_irq_masks) apply fastforce apply blast - apply (wpsimp wp: static_imp_wp hoare_vcg_all_lift checked_cap_insert_domain_sep_inv)+ + apply (wpsimp wp: hoare_weak_lift_imp hoare_vcg_all_lift checked_cap_insert_domain_sep_inv)+ apply (rule_tac Q="\ r s. domain_sep_inv False st s \ P (irq_masks_of_state s)" and E="\_ s. P (irq_masks_of_state s)" in hoare_post_impErr) apply (wp hoare_vcg_conj_liftE1 cap_delete_irq_masks) apply fastforce apply blast - apply (simp add: option_update_thread_def | wp static_imp_wp hoare_vcg_all_lift | wpc)+ + apply (simp add: option_update_thread_def | wp hoare_weak_lift_imp hoare_vcg_all_lift | wpc)+ by fastforce+ end diff --git a/proof/infoflow/ARM/ArchIpc_IF.thy b/proof/infoflow/ARM/ArchIpc_IF.thy index 1f1c607746..00429cf5e8 100644 --- a/proof/infoflow/ARM/ArchIpc_IF.thy +++ b/proof/infoflow/ARM/ArchIpc_IF.thy @@ -420,7 +420,7 @@ lemma set_mrs_equiv_but_for_labels[Ipc_IF_assms]: apply (simp add: word_size_def) apply (erule is_aligned_no_overflow') apply simp - apply (wp set_object_equiv_but_for_labels hoare_vcg_all_lift static_imp_wp | simp)+ + apply (wp set_object_equiv_but_for_labels hoare_vcg_all_lift hoare_weak_lift_imp | simp)+ apply (fastforce dest: get_tcb_not_asid_pool_at)+ done diff --git a/proof/infoflow/ARM/ArchTcb_IF.thy b/proof/infoflow/ARM/ArchTcb_IF.thy index 2d068493a0..b5800ea077 100644 --- a/proof/infoflow/ARM/ArchTcb_IF.thy +++ b/proof/infoflow/ARM/ArchTcb_IF.thy @@ -121,7 +121,7 @@ lemma invoke_tcb_thread_preservation[Tcb_IF_assms]: out_no_cap_to_trivial[OF ball_tcb_cap_casesI] thread_set_ipc_tcb_cap_valid check_cap_inv2[where Q="\_. P"] cap_delete_P cap_insert_P thread_set_P thread_set_P' set_mcpriority_P set_mcpriority_idle_thread - dxo_wp_weak static_imp_wp) + dxo_wp_weak hoare_weak_lift_imp) | simp add: ran_tcb_cap_cases dom_tcb_cap_cases[simplified] emptyable_def del: hoare_True_E_R | wpc 
@@ -144,7 +144,7 @@ lemma invoke_tcb_thread_preservation[Tcb_IF_assms]: lemma tc_reads_respects_f[Tcb_IF_assms]: assumes domains_distinct[wp]: "pas_domains_distinct aag" and tc[simp]: "ti = ThreadControl x41 x42 x43 x44 x45 x46 x47 x48" - notes validE_valid[wp del] static_imp_wp [wp] + notes validE_valid[wp del] hoare_weak_lift_imp [wp] shows "reads_respects_f aag l (silc_inv aag st and only_timer_irq_inv irq st' and einvs and simple_sched_action @@ -221,7 +221,7 @@ lemma tc_reads_respects_f[Tcb_IF_assms]: invs_psp_aligned invs_vspace_objs invs_arch_state | wp (once) hoare_drop_imp)+ apply (simp add: option_update_thread_def tcb_cap_cases_def - | wp static_imp_wp static_imp_conj_wp thread_set_pas_refined + | wp hoare_weak_lift_imp hoare_weak_lift_imp_conj thread_set_pas_refined reads_respects_f[OF thread_set_reads_respects, where st=st and Q="\"] | wpc)+ apply (wp hoare_vcg_all_lift thread_set_tcb_fault_handler_update_invs diff --git a/proof/infoflow/FinalCaps.thy b/proof/infoflow/FinalCaps.thy index 5e954e5f8f..1af9df37ec 100644 --- a/proof/infoflow/FinalCaps.thy +++ b/proof/infoflow/FinalCaps.thy @@ -741,7 +741,7 @@ lemma set_cap_silc_inv: apply (rule equiv_forI) apply (erule use_valid) unfolding set_cap_def - apply (wp set_object_wp get_object_wp static_imp_wp | simp add: split_def | wpc)+ + apply (wp set_object_wp get_object_wp hoare_weak_lift_imp | simp add: split_def | wpc)+ apply clarsimp apply (rule conjI) apply fastforce @@ -919,7 +919,7 @@ lemma cap_swap_silc_inv: apply (rule hoare_gen_asm) unfolding cap_swap_def apply (rule hoare_pre) - apply (wp set_cap_silc_inv hoare_vcg_ex_lift static_imp_wp + apply (wp set_cap_silc_inv hoare_vcg_ex_lift hoare_weak_lift_imp set_cap_slots_holding_overlapping_caps_other[where aag=aag] set_cdt_silc_inv | simp split del: if_split)+ apply (rule conjI) 
@@ -955,7 +955,7 @@ lemma cap_move_silc_inv: apply (rule hoare_pre) apply (wp set_cap_silc_inv hoare_vcg_ex_lift set_cap_slots_holding_overlapping_caps_other[where aag=aag] - set_cdt_silc_inv static_imp_wp + set_cdt_silc_inv hoare_weak_lift_imp | simp)+ apply (rule conjI) apply (fastforce simp: cap_points_to_label_def) @@ -985,7 +985,7 @@ lemma cap_insert_silc_inv: \\_. silc_inv aag st\" unfolding cap_insert_def (* The order here matters. The first two need to be first. *) - apply (wp assert_wp static_imp_conj_wp set_cap_silc_inv hoare_vcg_ex_lift + apply (wp assert_wp hoare_weak_lift_imp_conj set_cap_silc_inv hoare_vcg_ex_lift set_untyped_cap_as_full_slots_holding_overlapping_caps_other[where aag=aag] get_cap_wp update_cdt_silc_inv | simp | wp (once) hoare_drop_imps)+ apply clarsimp @@ -1210,7 +1210,7 @@ lemma reply_cancel_ipc_silc_inv: unfolding reply_cancel_ipc_def apply (wp cap_delete_one_silc_inv hoare_vcg_if_lift | simp)+ apply wps - apply (wp static_imp_wp hoare_vcg_all_lift hoare_vcg_ball_lift) + apply (wp hoare_weak_lift_imp hoare_vcg_all_lift hoare_vcg_ball_lift) apply clarsimp apply (rename_tac b a) apply (frule(1) descendants_of_owned_or_transferable, force, force, elim disjE) @@ -1569,7 +1569,7 @@ lemma rec_del_silc_inv': valid_validE_R[OF rec_del_respects(2)[simplified]] "2.hyps" drop_spec_validE[OF liftE_wp] set_cap_silc_inv set_cap_pas_refined replace_cap_invs final_cap_same_objrefs set_cap_cte_cap_wp_to - set_cap_cte_wp_at static_imp_wp hoare_vcg_ball_lift + set_cap_cte_wp_at hoare_weak_lift_imp hoare_vcg_ball_lift | simp add: finalise_cap_not_reply_master_unlifted split del: if_split)+ (* where the action is *) apply (simp cong: conj_cong add: conj_comms) 
@@ -1608,7 +1608,7 @@ lemma rec_del_silc_inv': finalise_cap_invs[where slot=slot] finalise_cap_replaceable[where sl=slot] finalise_cap_makes_halted[where slot=slot] - finalise_cap_auth' static_imp_wp) + finalise_cap_auth' hoare_weak_lift_imp) apply (wp drop_spec_validE[OF liftE_wp] get_cap_auth_wp[where aag=aag] | simp add: is_final_cap_def)+ @@ -1719,7 +1719,7 @@ lemma rec_del_silc_inv_CTEDelete_transferable': apply (wp rec_del_silc_inv_not_transferable) apply simp apply (subst rec_del.simps[abs_def]) - apply (wp add: hoare_K_bind without_preemption_wp empty_slot_silc_inv static_imp_wp wp_transferable + apply (wp add: hoare_K_bind without_preemption_wp empty_slot_silc_inv hoare_weak_lift_imp wp_transferable rec_del_Finalise_transferable del: wp_not_transferable | wpc)+ @@ -2161,7 +2161,7 @@ lemma cap_insert_silc_inv': apply (wp set_cap_silc_inv hoare_vcg_ex_lift set_untyped_cap_as_full_slots_holding_overlapping_caps_other[where aag=aag] get_cap_wp update_cdt_silc_inv set_cap_caps_of_state2 - set_untyped_cap_as_full_cdt_is_original_cap static_imp_wp + set_untyped_cap_as_full_cdt_is_original_cap hoare_weak_lift_imp | simp split del: if_split)+ apply (intro allI impI conjI) apply clarsimp @@ -2284,7 +2284,7 @@ lemma cap_insert_silc_inv''': apply (wp set_cap_silc_inv hoare_vcg_ex_lift set_untyped_cap_as_full_slots_holding_overlapping_caps_other[where aag=aag] get_cap_wp update_cdt_silc_inv set_cap_caps_of_state2 - set_untyped_cap_as_full_cdt_is_original_cap static_imp_wp + set_untyped_cap_as_full_cdt_is_original_cap hoare_weak_lift_imp | simp split del: if_split)+ apply (intro impI conjI allI) apply clarsimp 
@@ -2321,7 +2321,7 @@ lemma invoke_irq_handler_silc_inv: apply (rule hoare_gen_asm) apply (case_tac hi) apply (wp cap_insert_silc_inv'' cap_delete_one_silc_inv_subject cap_delete_one_cte_wp_at_other - static_imp_wp hoare_vcg_ex_lift + hoare_weak_lift_imp hoare_vcg_ex_lift slots_holding_overlapping_caps_from_silc_inv[where aag=aag and st=st] | simp add: authorised_irq_hdl_inv_def get_irq_slot_def conj_comms)+ apply (clarsimp simp: pas_refined_def irq_map_wellformed_aux_def) @@ -2489,7 +2489,7 @@ lemma send_ipc_silc_inv: send_ipc block call badge can_grant can_grant_reply thread epptr \\_. silc_inv aag st\" unfolding send_ipc_def - apply (wp setup_caller_cap_silc_inv static_imp_wp do_ipc_transfer_silc_inv gts_wp + apply (wp setup_caller_cap_silc_inv hoare_weak_lift_imp do_ipc_transfer_silc_inv gts_wp | wpc | simp add:st_tcb_at_tcb_states_of_state_eq | rule conjI impI @@ -2544,7 +2544,7 @@ lemma receive_ipc_base_silc_inv: \\_. silc_inv aag st\" apply (clarsimp simp: thread_get_def get_thread_state_def cong: endpoint.case_cong) apply (rule hoare_pre) - apply (wp setup_caller_cap_silc_inv static_imp_wp do_ipc_transfer_silc_inv + apply (wp setup_caller_cap_silc_inv hoare_weak_lift_imp do_ipc_transfer_silc_inv | wpc | simp split del: if_split)+ apply (wp hoare_vcg_all_lift hoare_vcg_imp_lift set_simple_ko_get_tcb | wpc | simp split del: if_split)+ @@ -2632,7 +2632,7 @@ lemma setup_reply_master_silc_inv: unfolding setup_reply_master_def apply (wp set_cap_silc_inv hoare_vcg_ex_lift slots_holding_overlapping_caps_from_silc_inv[where aag=aag and st=st and P="\"] - get_cap_wp static_imp_wp + get_cap_wp hoare_weak_lift_imp | simp)+ apply (clarsimp simp: cap_points_to_label_def silc_inv_def) done diff --git a/proof/infoflow/Finalise_IF.thy b/proof/infoflow/Finalise_IF.thy index de0818eeee..232c643622 100644 --- a/proof/infoflow/Finalise_IF.thy +++ b/proof/infoflow/Finalise_IF.thy 
@@ -601,7 +601,7 @@ lemma possible_switch_to_reads_respects: (possible_switch_to tptr)" apply (simp add: possible_switch_to_def ethread_get_def) apply (case_tac "aag_can_read aag tptr \ aag_can_affect aag l tptr") - apply (wp static_imp_wp tcb_sched_action_reads_respects | wpc | simp)+ + apply (wp hoare_weak_lift_imp tcb_sched_action_reads_respects | wpc | simp)+ apply (clarsimp simp: get_etcb_def) apply ((intro conjI impI allI | elim aag_can_read_self reads_equivE affects_equivE equiv_forE conjE disjE @@ -1208,7 +1208,7 @@ next apply (wp drop_spec_ev[OF liftE_ev] set_cap_reads_respects_f[where st=st] set_cap_silc_inv[where st=st] | simp)+ apply (wp replace_cap_invs set_cap_cte_wp_at set_cap_sets final_cap_same_objrefs - set_cap_cte_cap_wp_to hoare_vcg_const_Ball_lift static_imp_wp + set_cap_cte_cap_wp_to hoare_vcg_const_Ball_lift hoare_weak_lift_imp drop_spec_ev[OF liftE_ev] finalise_cap_reads_respects set_cap_silc_inv set_cap_only_timer_irq_inv set_cap_pas_refined_not_transferable | simp add: cte_wp_at_eq_simp diff --git a/proof/infoflow/IRQMasks_IF.thy b/proof/infoflow/IRQMasks_IF.thy index b4eb9daa34..026a172a59 100644 --- a/proof/infoflow/IRQMasks_IF.thy +++ b/proof/infoflow/IRQMasks_IF.thy @@ -306,7 +306,7 @@ lemma handle_invocation_irq_masks: \\rv s. P (irq_masks_of_state s)\" apply (simp add: handle_invocation_def ts_Restart_case_helper split_def liftE_liftM_liftME liftME_def bindE_assoc) - apply (wp static_imp_wp syscall_valid perform_invocation_irq_masks[where st=st] + apply (wp hoare_weak_lift_imp syscall_valid perform_invocation_irq_masks[where st=st] hoare_vcg_all_lift hoare_vcg_ex_lift decode_invocation_IRQHandlerCap | simp add: invs_valid_objs)+ done diff --git a/proof/infoflow/Interrupt_IF.thy b/proof/infoflow/Interrupt_IF.thy index be97fd3eca..862c1b8d81 100644 --- a/proof/infoflow/Interrupt_IF.thy +++ b/proof/infoflow/Interrupt_IF.thy 
@@ -44,7 +44,7 @@ lemma invoke_irq_handler_reads_respects_f: cap_delete_one_reads_respects_f[where st=st] reads_respects_f[OF get_irq_slot_reads_respects, where Q="\"] cap_insert_silc_inv'' cap_delete_one_silc_inv_subject - cap_delete_one_cte_wp_at_other static_imp_wp + cap_delete_one_cte_wp_at_other hoare_weak_lift_imp hoare_vcg_ex_lift slots_holding_overlapping_caps_from_silc_inv[where aag=aag and st=st] | simp | simp add: get_irq_slot_def)+ apply (clarsimp simp: pas_refined_def irq_map_wellformed_aux_def) diff --git a/proof/infoflow/Ipc_IF.thy b/proof/infoflow/Ipc_IF.thy index eef53e0502..67a649d0a7 100644 --- a/proof/infoflow/Ipc_IF.thy +++ b/proof/infoflow/Ipc_IF.thy @@ -218,7 +218,7 @@ lemma update_waiting_ntfn_equiv_but_for_labels: update_waiting_ntfn nptr list boundtcb badge \\_. equiv_but_for_labels aag L st\" unfolding update_waiting_ntfn_def - apply (wp static_imp_wp as_user_equiv_but_for_labels set_thread_state_runnable_equiv_but_for_labels + apply (wp hoare_weak_lift_imp as_user_equiv_but_for_labels set_thread_state_runnable_equiv_but_for_labels set_thread_state_pas_refined set_notification_equiv_but_for_labels set_simple_ko_pred_tcb_at set_simple_ko_pas_refined hoare_vcg_disj_lift possible_switch_to_equiv_but_for_labels @@ -1136,7 +1136,7 @@ lemma transfer_caps_reads_respects: (transfer_caps mi caps endpoint receiver receive_buffer)" unfolding transfer_caps_def fun_app_def by (wp transfer_caps_loop_reads_respects get_receive_slots_rev - get_receive_slots_authorised hoare_vcg_all_lift static_imp_wp + get_receive_slots_authorised hoare_vcg_all_lift hoare_weak_lift_imp | wpc | simp add: ball_conj_distrib)+ lemma aag_has_auth_to_read_mrs: 
@@ -1360,7 +1360,7 @@ lemma receive_ipc_base_reads_respects: as_user_set_register_reads_respects' | simp | intro allI impI | rule pre_ev, wpc)+)[2] apply (intro allI impI) - apply (wp static_imp_wp set_simple_ko_reads_respects set_thread_state_reads_respects + apply (wp hoare_weak_lift_imp set_simple_ko_reads_respects set_thread_state_reads_respects setup_caller_cap_reads_respects do_ipc_transfer_reads_respects possible_switch_to_reads_respects gets_cur_thread_ev set_thread_state_pas_refined set_simple_ko_reads_respects hoare_vcg_all_lift @@ -1398,7 +1398,7 @@ lemma receive_ipc_reads_respects: apply (rename_tac epptr badge rights) apply (wp receive_ipc_base_reads_respects complete_signal_reads_respects - static_imp_wp set_simple_ko_reads_respects set_thread_state_reads_respects + hoare_weak_lift_imp set_simple_ko_reads_respects set_thread_state_reads_respects setup_caller_cap_reads_respects complete_signal_reads_respects thread_get_reads_respects get_thread_state_reads_respects diff --git a/proof/infoflow/RISCV64/ArchArch_IF.thy b/proof/infoflow/RISCV64/ArchArch_IF.thy index 5f2f165870..a2f63f2769 100644 --- a/proof/infoflow/RISCV64/ArchArch_IF.thy +++ b/proof/infoflow/RISCV64/ArchArch_IF.thy @@ -943,8 +943,8 @@ lemma set_mrs_globals_equiv: apply (clarsimp) apply (insert length_msg_lt_msg_max) apply (simp) - apply (wp set_object_globals_equiv static_imp_wp) - apply (wp hoare_vcg_all_lift set_object_globals_equiv static_imp_wp)+ + apply (wp set_object_globals_equiv hoare_weak_lift_imp) + apply (wp hoare_vcg_all_lift set_object_globals_equiv hoare_weak_lift_imp)+ apply (fastforce simp: valid_arch_state_def obj_at_def get_tcb_def dest: valid_global_arch_objs_pt_at) done 
@@ -981,7 +981,7 @@ lemma perform_pg_inv_unmap_globals_equiv: apply (rule hoare_weaken_pre) apply (wp mapM_swp_store_pte_globals_equiv hoare_vcg_all_lift mapM_x_swp_store_pte_globals_equiv set_cap_globals_equiv'' unmap_page_globals_equiv store_pte_globals_equiv - store_pte_globals_equiv static_imp_wp set_message_info_globals_equiv + store_pte_globals_equiv hoare_weak_lift_imp set_message_info_globals_equiv unmap_page_valid_arch_state perform_pg_inv_get_addr_globals_equiv | wpc | simp add: do_machine_op_bind sfence_def)+ apply (clarsimp simp: acap_map_data_def) @@ -998,7 +998,7 @@ lemma perform_pg_inv_map_globals_equiv: unfolding perform_pg_inv_map_def by (wp mapM_swp_store_pte_globals_equiv hoare_vcg_all_lift mapM_x_swp_store_pte_globals_equiv set_cap_globals_equiv'' unmap_page_globals_equiv store_pte_globals_equiv - store_pte_globals_equiv static_imp_wp set_message_info_globals_equiv + store_pte_globals_equiv hoare_weak_lift_imp set_message_info_globals_equiv unmap_page_valid_arch_state perform_pg_inv_get_addr_globals_equiv | wpc | simp add: do_machine_op_bind sfence_def | fastforce)+ @@ -1049,7 +1049,7 @@ lemma perform_asid_control_invocation_globals_equiv: max_index_upd_invs_simple set_cap_no_overlap set_cap_caps_no_overlap max_index_upd_caps_overlap_reserved region_in_kernel_window_preserved - hoare_vcg_all_lift get_cap_wp static_imp_wp + hoare_vcg_all_lift get_cap_wp hoare_weak_lift_imp set_cap_idx_up_aligned_area[where dev = False,simplified] | simp)+ (* factor out the implication -- we know what the relevant components of the diff --git a/proof/infoflow/RISCV64/ArchFinalCaps.thy b/proof/infoflow/RISCV64/ArchFinalCaps.thy index 4dd9854b4e..f10001e11f 100644 --- a/proof/infoflow/RISCV64/ArchFinalCaps.thy +++ b/proof/infoflow/RISCV64/ArchFinalCaps.thy 
@@ -160,7 +160,7 @@ lemma perform_page_invocation_silc_inv: apply (wp mapM_wp[OF _ subset_refl] set_cap_silc_inv mapM_x_wp[OF _ subset_refl] perform_page_table_invocation_silc_inv_get_cap_helper'[where st=st] - hoare_vcg_all_lift hoare_vcg_if_lift static_imp_wp + hoare_vcg_all_lift hoare_vcg_if_lift hoare_weak_lift_imp | wpc | simp only: swp_def o_def fun_app_def K_def | wp (once) hoare_drop_imps)+ @@ -186,7 +186,7 @@ lemma perform_asid_control_invocation_silc_inv: apply (rule hoare_pre) apply (wp modify_wp cap_insert_silc_inv' retype_region_silc_inv[where sz=pageBits] set_cap_silc_inv get_cap_slots_holding_overlapping_caps[where st=st] - delete_objects_silc_inv static_imp_wp + delete_objects_silc_inv hoare_weak_lift_imp | wpc | simp )+ apply (clarsimp simp: authorised_asid_control_inv_def silc_inv_def valid_aci_def ptr_range_def page_bits_def) apply (rule conjI) @@ -250,15 +250,15 @@ lemma arch_invoke_irq_control_silc_inv[FinalCaps_assms]: done lemma invoke_tcb_silc_inv[FinalCaps_assms]: - notes static_imp_wp [wp] - static_imp_conj_wp [wp] + notes hoare_weak_lift_imp [wp] + hoare_weak_lift_imp_conj [wp] shows "\silc_inv aag st and einvs and simple_sched_action and pas_refined aag and tcb_inv_wf tinv and K (authorised_tcb_inv aag tinv)\ invoke_tcb tinv \\_. silc_inv aag st\" apply (case_tac tinv) apply ((wp restart_silc_inv hoare_vcg_if_lift suspend_silc_inv mapM_x_wp[OF _ subset_refl] - static_imp_wp + hoare_weak_lift_imp | wpc | simp split del: if_split add: authorised_tcb_inv_def check_cap_at_def | clarsimp diff --git a/proof/infoflow/RISCV64/ArchIRQMasks_IF.thy b/proof/infoflow/RISCV64/ArchIRQMasks_IF.thy index e0c3ed7a98..bd11499548 100644 --- a/proof/infoflow/RISCV64/ArchIRQMasks_IF.thy +++ b/proof/infoflow/RISCV64/ArchIRQMasks_IF.thy 
@@ -135,13 +135,13 @@ lemma invoke_tcb_irq_masks[IRQMasks_IF_assms]: apply (wp hoare_vcg_conj_liftE1 cap_delete_irq_masks) apply fastforce apply blast - apply (wpsimp wp: static_imp_wp hoare_vcg_all_lift checked_cap_insert_domain_sep_inv)+ + apply (wpsimp wp: hoare_weak_lift_imp hoare_vcg_all_lift checked_cap_insert_domain_sep_inv)+ apply (rule_tac Q="\ r s. domain_sep_inv False st s \ P (irq_masks_of_state s)" and E="\_ s. P (irq_masks_of_state s)" in hoare_post_impErr) apply (wp hoare_vcg_conj_liftE1 cap_delete_irq_masks) apply fastforce apply blast - apply (simp add: option_update_thread_def | wp static_imp_wp hoare_vcg_all_lift | wpc)+ + apply (simp add: option_update_thread_def | wp hoare_weak_lift_imp hoare_vcg_all_lift | wpc)+ by fastforce+ lemma init_arch_objects_irq_masks: diff --git a/proof/infoflow/RISCV64/ArchIpc_IF.thy b/proof/infoflow/RISCV64/ArchIpc_IF.thy index 7898354887..9e2e734276 100644 --- a/proof/infoflow/RISCV64/ArchIpc_IF.thy +++ b/proof/infoflow/RISCV64/ArchIpc_IF.thy @@ -419,7 +419,7 @@ lemma set_mrs_equiv_but_for_labels[Ipc_IF_assms]: apply (simp add: word_size_def) apply (erule is_aligned_no_overflow') apply simp - apply (wp set_object_equiv_but_for_labels hoare_vcg_all_lift static_imp_wp | simp)+ + apply (wp set_object_equiv_but_for_labels hoare_vcg_all_lift hoare_weak_lift_imp | simp)+ apply (fastforce dest: get_tcb_not_asid_pool_at)+ done diff --git a/proof/infoflow/RISCV64/ArchTcb_IF.thy b/proof/infoflow/RISCV64/ArchTcb_IF.thy index 1e17e1d882..2602fcb8f4 100644 --- a/proof/infoflow/RISCV64/ArchTcb_IF.thy +++ b/proof/infoflow/RISCV64/ArchTcb_IF.thy 
@@ -123,7 +123,7 @@ lemma invoke_tcb_thread_preservation[Tcb_IF_assms]: out_no_cap_to_trivial[OF ball_tcb_cap_casesI] thread_set_ipc_tcb_cap_valid check_cap_inv2[where Q="\_. P"] cap_delete_P cap_insert_P thread_set_P thread_set_P' set_mcpriority_P set_mcpriority_idle_thread - dxo_wp_weak static_imp_wp) + dxo_wp_weak hoare_weak_lift_imp) | simp add: ran_tcb_cap_cases dom_tcb_cap_cases[simplified] emptyable_def option_update_thread_def del: hoare_True_E_R | wpc)+) (*slow*) @@ -140,7 +140,7 @@ lemma invoke_tcb_thread_preservation[Tcb_IF_assms]: lemma tc_reads_respects_f[Tcb_IF_assms]: assumes domains_distinct[wp]: "pas_domains_distinct aag" and tc[simp]: "ti = ThreadControl x41 x42 x43 x44 x45 x46 x47 x48" - notes validE_valid[wp del] static_imp_wp [wp] + notes validE_valid[wp del] hoare_weak_lift_imp [wp] shows "reads_respects_f aag l (silc_inv aag st and only_timer_irq_inv irq st' and einvs and simple_sched_action @@ -217,7 +217,7 @@ lemma tc_reads_respects_f[Tcb_IF_assms]: invs_psp_aligned invs_vspace_objs invs_arch_state | wp (once) hoare_drop_imp)+ apply (simp add: option_update_thread_def tcb_cap_cases_def - | wp static_imp_wp static_imp_conj_wp thread_set_pas_refined + | wp hoare_weak_lift_imp hoare_weak_lift_imp_conj thread_set_pas_refined reads_respects_f[OF thread_set_reads_respects, where st=st and Q="\"] | wpc)+ apply (wp hoare_vcg_all_lift thread_set_tcb_fault_handler_update_invs diff --git a/proof/infoflow/Scheduler_IF.thy b/proof/infoflow/Scheduler_IF.thy index 0e55b21e0c..a1f0c91f38 100644 --- a/proof/infoflow/Scheduler_IF.thy +++ b/proof/infoflow/Scheduler_IF.thy @@ -605,7 +605,7 @@ proof - apply (simp add: scheduler_affects_equiv_def[abs_def]) apply (rule hoare_pre) apply (wps c) - apply (wp static_imp_wp a silc_dom_equiv_states_equiv_lift d e s w i x hoare_vcg_imp_lift) + apply (wp hoare_weak_lift_imp a silc_dom_equiv_states_equiv_lift d e s w i x hoare_vcg_imp_lift) apply fastforce done qed 
@@ -671,7 +671,7 @@ proof - apply (simp add: asahi_scheduler_affects_equiv_def[abs_def]) apply (rule hoare_pre) apply (wps c) - apply (wp static_imp_wp a silc_dom_equiv_states_equiv_lift d w) + apply (wp hoare_weak_lift_imp a silc_dom_equiv_states_equiv_lift d w) apply clarsimp done qed @@ -731,7 +731,7 @@ proof - apply (simp add: asahi_ex_scheduler_affects_equiv_def[abs_def]) apply (rule hoare_pre) apply (wps c) - apply (wp static_imp_wp a silc_dom_equiv_states_equiv_lift d w x hoare_vcg_imp_lift') + apply (wp hoare_weak_lift_imp a silc_dom_equiv_states_equiv_lift d w x hoare_vcg_imp_lift') apply clarsimp done qed diff --git a/proof/infoflow/Tcb_IF.thy b/proof/infoflow/Tcb_IF.thy index ad90ae59c8..7fb3dc8dba 100644 --- a/proof/infoflow/Tcb_IF.thy +++ b/proof/infoflow/Tcb_IF.thy @@ -90,7 +90,7 @@ next apply (simp add: conj_comms) apply (wp set_cap_P set_cap_Q replace_cap_invs final_cap_same_objrefs set_cap_cte_cap_wp_to - set_cap_cte_wp_at hoare_vcg_const_Ball_lift static_imp_wp + set_cap_cte_wp_at hoare_vcg_const_Ball_lift hoare_weak_lift_imp | rule finalise_cap_not_reply_master | simp add: in_monad)+ apply (rule hoare_strengthen_post) @@ -486,7 +486,7 @@ context Tcb_IF_2 begin lemma invoke_tcb_reads_respects_f: assumes domains_distinct[wp]: "pas_domains_distinct aag" - notes validE_valid[wp del] static_imp_wp [wp] + notes validE_valid[wp del] hoare_weak_lift_imp [wp] shows "reads_respects_f aag l (silc_inv aag st and only_timer_irq_inv irq st' and einvs diff --git a/proof/infoflow/refine/ARM/ArchADT_IF_Refine.thy b/proof/infoflow/refine/ARM/ArchADT_IF_Refine.thy index 14f0275927..09a27e4a9c 100644 --- a/proof/infoflow/refine/ARM/ArchADT_IF_Refine.thy +++ b/proof/infoflow/refine/ARM/ArchADT_IF_Refine.thy 
@@ -24,7 +24,7 @@ lemma kernelEntry_invs'[ADT_IF_Refine_assms, wp]:
 kernelEntry_if e tc \\_. invs'\"
 apply (simp add: kernelEntry_if_def)
- apply (wp threadSet_invs_trivial threadSet_ct_running' static_imp_wp
+ apply (wp threadSet_invs_trivial threadSet_ct_running' hoare_weak_lift_imp
 | wp (once) hoare_drop_imps | clarsimp)+
 done
@@ -36,7 +36,7 @@ lemma kernelEntry_arch_extras[ADT_IF_Refine_assms, wp]:
 kernelEntry_if e tc \\_. arch_extras\"
 apply (simp add: kernelEntry_if_def)
- apply (wp handleEvent_valid_duplicates' threadSet_invs_trivial threadSet_ct_running' static_imp_wp
+ apply (wp handleEvent_valid_duplicates' threadSet_invs_trivial threadSet_ct_running' hoare_weak_lift_imp
 | wp (once) hoare_drop_imps | clarsimp)+
 done
diff --git a/proof/infoflow/refine/RISCV64/ArchADT_IF_Refine.thy b/proof/infoflow/refine/RISCV64/ArchADT_IF_Refine.thy
index 23e74cf71a..56b80b2ac3 100644
--- a/proof/infoflow/refine/RISCV64/ArchADT_IF_Refine.thy
+++ b/proof/infoflow/refine/RISCV64/ArchADT_IF_Refine.thy
@@ -24,7 +24,7 @@ lemma kernelEntry_invs'[ADT_IF_Refine_assms, wp]:
 kernelEntry_if e tc \\_. invs'\"
 apply (simp add: kernelEntry_if_def)
- apply (wp threadSet_invs_trivial threadSet_ct_running' static_imp_wp
+ apply (wp threadSet_invs_trivial threadSet_ct_running' hoare_weak_lift_imp
 | wp (once) hoare_drop_imps | clarsimp)+
 done
@@ -36,7 +36,7 @@ lemma kernelEntry_arch_extras[ADT_IF_Refine_assms, wp]:
 kernelEntry_if e tc \\_. arch_extras\"
 apply (simp add: kernelEntry_if_def)
- apply (wp threadSet_invs_trivial threadSet_ct_running' static_imp_wp
+ apply (wp threadSet_invs_trivial threadSet_ct_running' hoare_weak_lift_imp
 | wp (once) hoare_drop_imps | clarsimp)+
 done
diff --git a/proof/invariant-abstract/AARCH64/ArchArch_AI.thy b/proof/invariant-abstract/AARCH64/ArchArch_AI.thy
index 21def6855b..6d5af8020e 100644
--- a/proof/invariant-abstract/AARCH64/ArchArch_AI.thy
+++ b/proof/invariant-abstract/AARCH64/ArchArch_AI.thy
@@ -557,7 +557,7 @@ lemma cap_insert_simple_arch_caps_ap:
 hoare_vcg_disj_lift set_cap_reachable_pg_cap set_cap.vs_lookup_pages | clarsimp)+
 apply (wp set_cap_arch_obj set_cap_valid_table_caps hoare_vcg_ball_lift
- get_cap_wp static_imp_wp)+
+ get_cap_wp hoare_weak_lift_imp)+
 apply (clarsimp simp: cte_wp_at_caps_of_state is_cap_simps)
 apply (rule conjI)
 apply (clarsimp simp: vs_cap_ref_def)
diff --git a/proof/invariant-abstract/AARCH64/ArchCNodeInv_AI.thy b/proof/invariant-abstract/AARCH64/ArchCNodeInv_AI.thy
index 049391739a..c192246603 100644
--- a/proof/invariant-abstract/AARCH64/ArchCNodeInv_AI.thy
+++ b/proof/invariant-abstract/AARCH64/ArchCNodeInv_AI.thy
@@ -617,7 +617,7 @@ next
 apply (rule "2.hyps"[simplified rec_del_call.simps slot_rdcall.simps conj_assoc], assumption+)
 apply (simp add: cte_wp_at_eq_simp | wp replace_cap_invs set_cap_sets final_cap_same_objrefs
- set_cap_cte_cap_wp_to static_imp_wp
+ set_cap_cte_cap_wp_to hoare_weak_lift_imp
 | erule finalise_cap_not_reply_master)+
 apply (wp hoare_vcg_const_Ball_lift)+
 apply (rule hoare_strengthen_post)
diff --git a/proof/invariant-abstract/AARCH64/ArchDetSchedAux_AI.thy b/proof/invariant-abstract/AARCH64/ArchDetSchedAux_AI.thy
index e2eff8d130..d500ad97dc 100644
--- a/proof/invariant-abstract/AARCH64/ArchDetSchedAux_AI.thy
+++ b/proof/invariant-abstract/AARCH64/ArchDetSchedAux_AI.thy
@@ -92,7 +92,7 @@ crunches perform_asid_control_invocation
 and schedact[wp]: "\s. P (scheduler_action s)"
 and ready_queues[wp]: "\s. P (ready_queues s)"
 and cur_domain[wp]: "\s. P (cur_domain s)"
- (wp: static_imp_wp)
+ (wp: hoare_weak_lift_imp)
 lemma perform_asid_control_invocation_valid_sched:
 "\ct_active and invs and valid_aci aci and valid_sched and valid_idle\
diff --git a/proof/invariant-abstract/AARCH64/ArchIpc_AI.thy b/proof/invariant-abstract/AARCH64/ArchIpc_AI.thy
index c08556317a..b71a087568 100644
--- a/proof/invariant-abstract/AARCH64/ArchIpc_AI.thy
+++ b/proof/invariant-abstract/AARCH64/ArchIpc_AI.thy
@@ -308,7 +308,7 @@ lemma transfer_caps_non_null_cte_wp_at:
 unfolding transfer_caps_def
 apply simp
 apply (rule hoare_pre)
- apply (wp hoare_vcg_ball_lift transfer_caps_loop_cte_wp_at static_imp_wp
+ apply (wp hoare_vcg_ball_lift transfer_caps_loop_cte_wp_at hoare_weak_lift_imp
 | wpc | clarsimp simp:imp)+
 apply (rule hoare_strengthen_post [where Q="\rv s'. (cte_wp_at ((\) cap.NullCap) ptr) s'
@@ -483,7 +483,7 @@ lemma do_ipc_transfer_respects_device_region[Ipc_AI_cont_assms]:
 apply (wpsimp simp: do_ipc_transfer_def do_normal_transfer_def transfer_caps_def bind_assoc wp: hoare_vcg_all_lift hoare_drop_imps)+
 apply (simp only: ball_conj_distrib[where P="\x. real_cte_at x s" for s])
- apply (wpsimp wp: get_rs_cte_at2 thread_get_wp static_imp_wp grs_distinct
+ apply (wpsimp wp: get_rs_cte_at2 thread_get_wp hoare_weak_lift_imp grs_distinct
 hoare_vcg_ball_lift hoare_vcg_all_lift hoare_vcg_conj_lift simp: obj_at_def is_tcb_def)+
 apply (simp split: kernel_object.split_asm)
diff --git a/proof/invariant-abstract/AARCH64/ArchTcb_AI.thy b/proof/invariant-abstract/AARCH64/ArchTcb_AI.thy
index 98b24a3eff..aa1043de05 100644
--- a/proof/invariant-abstract/AARCH64/ArchTcb_AI.thy
+++ b/proof/invariant-abstract/AARCH64/ArchTcb_AI.thy
@@ -258,7 +258,7 @@ lemma tc_invs[Tcb_AI_asms]:
 checked_insert_no_cap_to out_no_cap_to_trivial[OF ball_tcb_cap_casesI] thread_set_ipc_tcb_cap_valid
- static_imp_wp static_imp_conj_wp)[1]
+ hoare_weak_lift_imp hoare_weak_lift_imp_conj)[1]
 | simp add: ran_tcb_cap_cases dom_tcb_cap_cases[simplified] emptyable_def del: hoare_True_E_R
diff --git a/proof/invariant-abstract/AARCH64/ArchVSpaceEntries_AI.thy b/proof/invariant-abstract/AARCH64/ArchVSpaceEntries_AI.thy
index 23f9d53a59..862bfb4c09 100644
--- a/proof/invariant-abstract/AARCH64/ArchVSpaceEntries_AI.thy
+++ b/proof/invariant-abstract/AARCH64/ArchVSpaceEntries_AI.thy
@@ -213,7 +213,7 @@ lemma perform_asid_pool_invocation_valid_vspace_objs'[wp]:
 crunch valid_vspace_objs'[wp]: perform_asid_pool_invocation, perform_asid_control_invocation "valid_vspace_objs'"
 (ignore: delete_objects set_object
- wp: static_imp_wp crunch_wps
+ wp: hoare_weak_lift_imp crunch_wps
 simp: crunch_simps unless_def)
 lemma perform_page_valid_vspace_objs'[wp]:
diff --git a/proof/invariant-abstract/AInvs.thy b/proof/invariant-abstract/AInvs.thy
index 1310a21a9f..89fdb035fd 100644
--- a/proof/invariant-abstract/AInvs.thy
+++ b/proof/invariant-abstract/AInvs.thy
@@ -45,7 +45,7 @@ lemma kernel_entry_invs:
 \\rv. invs and (\s. ct_running s \ ct_idle s)\"
 apply (simp add: kernel_entry_def)
 apply (wp akernel_invs thread_set_invs_trivial thread_set_ct_in_state
- do_machine_op_ct_in_state static_imp_wp hoare_vcg_disj_lift
+ do_machine_op_ct_in_state hoare_weak_lift_imp hoare_vcg_disj_lift
 | clarsimp simp add: tcb_cap_cases_def)+
 done
diff --git a/proof/invariant-abstract/ARM/ArchArch_AI.thy b/proof/invariant-abstract/ARM/ArchArch_AI.thy
index 72950eb1e9..c217b7e022 100644
--- a/proof/invariant-abstract/ARM/ArchArch_AI.thy
+++ b/proof/invariant-abstract/ARM/ArchArch_AI.thy
@@ -527,7 +527,7 @@ lemma cap_insert_simple_arch_caps_ap:
 hoare_vcg_disj_lift set_cap_reachable_pg_cap set_cap.vs_lookup_pages | clarsimp)+
 apply (wp set_cap_arch_obj set_cap_valid_table_caps hoare_vcg_ball_lift
- get_cap_wp static_imp_wp)+
+ get_cap_wp hoare_weak_lift_imp)+
 apply (clarsimp simp: cte_wp_at_caps_of_state is_cap_simps)
 apply (rule conjI)
 apply (clarsimp simp: vs_cap_ref_def)
@@ -1386,7 +1386,7 @@ lemma arch_decode_inv_wf[wp]:
 apply (cases "isPageFlushLabel (invocation_type label)")
 apply (rule hoare_pre)
 apply simp
- apply (wp whenE_throwError_wp static_imp_wp hoare_drop_imps)
+ apply (wp whenE_throwError_wp hoare_weak_lift_imp hoare_drop_imps)
 apply (simp add: valid_arch_inv_def valid_page_inv_def)
 apply (wp find_pd_for_asid_pd_at_asid | wpc)+
 apply (clarsimp simp: valid_cap_def mask_def)
@@ -1468,7 +1468,7 @@ lemma arch_decode_inv_wf[wp]:
 apply (cases "isPDFlushLabel (invocation_type label)")
 apply simp
 apply (rule hoare_pre)
- apply (wpsimp wp: whenE_throwError_wp static_imp_wp hoare_drop_imp get_master_pte_wp
+ apply (wpsimp wp: whenE_throwError_wp hoare_weak_lift_imp hoare_drop_imp get_master_pte_wp
 get_master_pde_wp whenE_throwError_wp simp: resolve_vaddr_def valid_arch_inv_def valid_pdi_def Let_def)
 apply (rule_tac Q'="\pd' s. vspace_at_asid x2 pd' s \ x2 \ mask asid_bits \ x2 \ 0"
diff --git a/proof/invariant-abstract/ARM/ArchCNodeInv_AI.thy b/proof/invariant-abstract/ARM/ArchCNodeInv_AI.thy
index f384a3e349..48e18ca421 100644
--- a/proof/invariant-abstract/ARM/ArchCNodeInv_AI.thy
+++ b/proof/invariant-abstract/ARM/ArchCNodeInv_AI.thy
@@ -617,7 +617,7 @@ next
 apply (rule "2.hyps"[simplified rec_del_call.simps slot_rdcall.simps conj_assoc], assumption+)
 apply (simp add: cte_wp_at_eq_simp | wp replace_cap_invs set_cap_sets final_cap_same_objrefs
- set_cap_cte_cap_wp_to static_imp_wp
+ set_cap_cte_cap_wp_to hoare_weak_lift_imp
 | erule finalise_cap_not_reply_master)+
 apply (wp hoare_vcg_const_Ball_lift)+
 apply (rule hoare_strengthen_post)
diff --git a/proof/invariant-abstract/ARM/ArchDetSchedAux_AI.thy b/proof/invariant-abstract/ARM/ArchDetSchedAux_AI.thy
index 41909a4c4d..3b16580690 100644
--- a/proof/invariant-abstract/ARM/ArchDetSchedAux_AI.thy
+++ b/proof/invariant-abstract/ARM/ArchDetSchedAux_AI.thy
@@ -100,9 +100,9 @@ crunch ct[wp]: perform_asid_control_invocation "\s. P (cur_thread s)"
 crunch idle_thread[wp]: perform_asid_control_invocation "\s. P (idle_thread s)"
-crunch valid_etcbs[wp]: perform_asid_control_invocation valid_etcbs (wp: static_imp_wp)
+crunch valid_etcbs[wp]: perform_asid_control_invocation valid_etcbs (wp: hoare_weak_lift_imp)
-crunch valid_blocked[wp]: perform_asid_control_invocation valid_blocked (wp: static_imp_wp)
+crunch valid_blocked[wp]: perform_asid_control_invocation valid_blocked (wp: hoare_weak_lift_imp)
 crunch schedact[wp]: perform_asid_control_invocation "\s :: det_ext state. P (scheduler_action s)"
 (wp: crunch_wps simp: detype_def detype_ext_def wrap_ext_det_ext_ext_def cap_insert_ext_def ignore: freeMemory)
diff --git a/proof/invariant-abstract/ARM/ArchFinalise_AI.thy b/proof/invariant-abstract/ARM/ArchFinalise_AI.thy
index a0dd0c82af..9a09ed053b 100644
--- a/proof/invariant-abstract/ARM/ArchFinalise_AI.thy
+++ b/proof/invariant-abstract/ARM/ArchFinalise_AI.thy
@@ -1137,7 +1137,7 @@ lemma arch_finalise_case_no_lookup:
 | simp add: vs_cap_ref_simps vs_lookup_pages_eq_at[THEN fun_cong, symmetric] vs_lookup_pages_eq_ap[THEN fun_cong, symmetric])+
- apply (wp hoare_vcg_all_lift unmap_page_unmapped static_imp_wp)
+ apply (wp hoare_vcg_all_lift unmap_page_unmapped hoare_weak_lift_imp)
 apply (wpc|wp unmap_page_table_unmapped3 delete_asid_unmapped |simp add:vs_cap_ref_def vs_lookup_pages_eq_at[THEN fun_cong,symmetric]
diff --git a/proof/invariant-abstract/ARM/ArchIpc_AI.thy b/proof/invariant-abstract/ARM/ArchIpc_AI.thy
index 6b5b69b525..b9cd9eea53 100644
--- a/proof/invariant-abstract/ARM/ArchIpc_AI.thy
+++ b/proof/invariant-abstract/ARM/ArchIpc_AI.thy
@@ -319,7 +319,7 @@ lemma transfer_caps_non_null_cte_wp_at:
 unfolding transfer_caps_def
 apply simp
 apply (rule hoare_pre)
- apply (wp hoare_vcg_ball_lift transfer_caps_loop_cte_wp_at static_imp_wp
+ apply (wp hoare_vcg_ball_lift transfer_caps_loop_cte_wp_at hoare_weak_lift_imp
 | wpc | clarsimp simp:imp)+
 apply (rule hoare_strengthen_post [where Q="\rv s'. (cte_wp_at ((\) cap.NullCap) ptr) s'
@@ -441,7 +441,7 @@ lemma do_ipc_transfer_respects_device_region[Ipc_AI_cont_assms]:
 apply (wpsimp simp: do_ipc_transfer_def do_normal_transfer_def transfer_caps_def bind_assoc wp: hoare_vcg_all_lift hoare_drop_imps)+
 apply (subst ball_conj_distrib)
- apply (wpsimp wp: get_rs_cte_at2 thread_get_wp static_imp_wp grs_distinct
+ apply (wpsimp wp: get_rs_cte_at2 thread_get_wp hoare_weak_lift_imp grs_distinct
 hoare_vcg_ball_lift hoare_vcg_all_lift hoare_vcg_conj_lift simp: obj_at_def is_tcb_def)+
 apply (simp split: kernel_object.split_asm)
diff --git a/proof/invariant-abstract/ARM/ArchRetype_AI.thy b/proof/invariant-abstract/ARM/ArchRetype_AI.thy
index cbabced693..239be82228 100644
--- a/proof/invariant-abstract/ARM/ArchRetype_AI.thy
+++ b/proof/invariant-abstract/ARM/ArchRetype_AI.thy
@@ -448,7 +448,7 @@ lemma copy_global_invs_mappings_restricted:
 apply (simp add: valid_pspace_def pred_conj_def)
 apply (rule hoare_conjI, wp copy_global_equal_kernel_mappings_restricted)
 apply (clarsimp simp: global_refs_def)
- apply (rule valid_prove_more, rule hoare_vcg_conj_lift, rule hoare_TrueI)
+ apply (rule hoare_post_add, rule hoare_vcg_conj_lift, rule hoare_TrueI)
 apply (simp add: copy_global_mappings_def valid_pspace_def)
 apply (rule hoare_seq_ext [OF _ gets_sp])
 apply (rule hoare_strengthen_post)
diff --git a/proof/invariant-abstract/ARM/ArchTcb_AI.thy b/proof/invariant-abstract/ARM/ArchTcb_AI.thy
index e1f7dcaf97..9daed244f1 100644
--- a/proof/invariant-abstract/ARM/ArchTcb_AI.thy
+++ b/proof/invariant-abstract/ARM/ArchTcb_AI.thy
@@ -261,7 +261,7 @@ lemma tc_invs[Tcb_AI_asms]:
 checked_insert_no_cap_to out_no_cap_to_trivial[OF ball_tcb_cap_casesI] thread_set_ipc_tcb_cap_valid
- static_imp_wp static_imp_conj_wp)[1]
+ hoare_weak_lift_imp hoare_weak_lift_imp_conj)[1]
 | simp add: ran_tcb_cap_cases dom_tcb_cap_cases[simplified] emptyable_def del: hoare_True_E_R
diff --git a/proof/invariant-abstract/ARM/ArchVSpaceEntries_AI.thy b/proof/invariant-abstract/ARM/ArchVSpaceEntries_AI.thy
index 3ed467cc85..6ec2baf64a 100644
--- a/proof/invariant-abstract/ARM/ArchVSpaceEntries_AI.thy
+++ b/proof/invariant-abstract/ARM/ArchVSpaceEntries_AI.thy
@@ -699,7 +699,7 @@ lemma invoke_untyped_valid_pdpt[wp]:
 crunch valid_pdpt_objs[wp]: perform_asid_pool_invocation, perform_asid_control_invocation "valid_pdpt_objs"
- (ignore: delete_objects wp: delete_objects_valid_pdpt static_imp_wp)
+ (ignore: delete_objects wp: delete_objects_valid_pdpt hoare_weak_lift_imp)
 abbreviation (input) "safe_pt_range \ \slots s. obj_at (\ko. \pt. ko = ArchObj (PageTable pt)
diff --git a/proof/invariant-abstract/ARM_HYP/ArchArch_AI.thy b/proof/invariant-abstract/ARM_HYP/ArchArch_AI.thy
index bff5414bd4..e3b292e5f8 100644
--- a/proof/invariant-abstract/ARM_HYP/ArchArch_AI.thy
+++ b/proof/invariant-abstract/ARM_HYP/ArchArch_AI.thy
@@ -544,7 +544,7 @@ lemma cap_insert_simple_arch_caps_ap:
 hoare_vcg_disj_lift set_cap_reachable_pg_cap set_cap.vs_lookup_pages | clarsimp)+
 apply (wp set_cap_arch_obj set_cap_valid_table_caps hoare_vcg_ball_lift
- get_cap_wp static_imp_wp set_cap_empty_tables[simplified second_level_tables_def, simplified])+
+ get_cap_wp hoare_weak_lift_imp set_cap_empty_tables[simplified second_level_tables_def, simplified])+
 apply (clarsimp simp: cte_wp_at_caps_of_state is_cap_simps)
 apply (rule conjI)
 apply (clarsimp simp: vs_cap_ref_def)
@@ -1712,7 +1712,7 @@ lemma arch_decode_inv_wf[wp]:
 apply (cases "isPageFlushLabel (invocation_type label)")
 apply simp
 apply (rule hoare_pre)
- apply (wp whenE_throwError_wp static_imp_wp hoare_drop_imps)
+ apply (wp whenE_throwError_wp hoare_weak_lift_imp hoare_drop_imps)
 apply (simp add: valid_arch_inv_def valid_page_inv_def)
 apply (wp find_pd_for_asid_pd_at_asid | wpc)+
 apply (clarsimp simp: valid_cap_def mask_def)
@@ -1795,7 +1795,7 @@ lemma arch_decode_inv_wf[wp]:
 apply (cases "isPDFlushLabel (invocation_type label)")
 apply simp
 apply (rule hoare_pre)
- apply (wp whenE_throwError_wp static_imp_wp hoare_drop_imp | wpc | simp)+
+ apply (wp whenE_throwError_wp hoare_weak_lift_imp hoare_drop_imp | wpc | simp)+
 apply (simp add: resolve_vaddr_def)
 apply (wp get_master_pte_wp get_master_pde_wp whenE_throwError_wp | wpc | simp)+
 apply (clarsimp simp: valid_arch_inv_def valid_pdi_def)+
diff --git a/proof/invariant-abstract/ARM_HYP/ArchCNodeInv_AI.thy b/proof/invariant-abstract/ARM_HYP/ArchCNodeInv_AI.thy
index ffe0163e0b..eaa223d09f 100644
--- a/proof/invariant-abstract/ARM_HYP/ArchCNodeInv_AI.thy
+++ b/proof/invariant-abstract/ARM_HYP/ArchCNodeInv_AI.thy
@@ -633,7 +633,7 @@ next
 apply (rule "2.hyps"[simplified rec_del_call.simps slot_rdcall.simps conj_assoc], assumption+)
 apply (simp add: cte_wp_at_eq_simp | wp replace_cap_invs set_cap_sets final_cap_same_objrefs
- set_cap_cte_cap_wp_to static_imp_wp
+ set_cap_cte_cap_wp_to hoare_weak_lift_imp
 | erule finalise_cap_not_reply_master)+
 apply (wp hoare_vcg_const_Ball_lift)+
 apply (rule hoare_strengthen_post)
diff --git a/proof/invariant-abstract/ARM_HYP/ArchDetSchedAux_AI.thy b/proof/invariant-abstract/ARM_HYP/ArchDetSchedAux_AI.thy
index 9829850062..35d493914d 100644
--- a/proof/invariant-abstract/ARM_HYP/ArchDetSchedAux_AI.thy
+++ b/proof/invariant-abstract/ARM_HYP/ArchDetSchedAux_AI.thy
@@ -102,9 +102,9 @@ crunch ct[wp]: perform_asid_control_invocation "\s. P (cur_thread s)"
 crunch idle_thread[wp]: perform_asid_control_invocation "\s. P (idle_thread s)"
-crunch valid_etcbs[wp]: perform_asid_control_invocation valid_etcbs (wp: static_imp_wp)
+crunch valid_etcbs[wp]: perform_asid_control_invocation valid_etcbs (wp: hoare_weak_lift_imp)
-crunch valid_blocked[wp]: perform_asid_control_invocation valid_blocked (wp: static_imp_wp)
+crunch valid_blocked[wp]: perform_asid_control_invocation valid_blocked (wp: hoare_weak_lift_imp)
 crunch schedact[wp]: perform_asid_control_invocation "\s :: det_ext state. P (scheduler_action s)"
 (wp: crunch_wps simp: detype_def detype_ext_def wrap_ext_det_ext_ext_def cap_insert_ext_def ignore: freeMemory)
diff --git a/proof/invariant-abstract/ARM_HYP/ArchFinalise_AI.thy b/proof/invariant-abstract/ARM_HYP/ArchFinalise_AI.thy
index 2d14aaba13..71b98056fd 100644
--- a/proof/invariant-abstract/ARM_HYP/ArchFinalise_AI.thy
+++ b/proof/invariant-abstract/ARM_HYP/ArchFinalise_AI.thy
@@ -1879,7 +1879,7 @@ lemma arch_finalise_case_no_lookup:
 | simp add: vs_cap_ref_simps vs_lookup_pages_eq_at[THEN fun_cong, symmetric] vs_lookup_pages_eq_ap[THEN fun_cong, symmetric])+
- apply (wp hoare_vcg_all_lift unmap_page_unmapped static_imp_wp)
+ apply (wp hoare_vcg_all_lift unmap_page_unmapped hoare_weak_lift_imp)
 apply (wpc|wp unmap_page_table_unmapped3 delete_asid_unmapped |simp add:vs_cap_ref_def vs_lookup_pages_eq_at[THEN fun_cong,symmetric]
diff --git a/proof/invariant-abstract/ARM_HYP/ArchIpc_AI.thy b/proof/invariant-abstract/ARM_HYP/ArchIpc_AI.thy
index da5902ddaf..a893fa7a99 100644
--- a/proof/invariant-abstract/ARM_HYP/ArchIpc_AI.thy
+++ b/proof/invariant-abstract/ARM_HYP/ArchIpc_AI.thy
@@ -321,7 +321,7 @@ lemma transfer_caps_non_null_cte_wp_at:
 unfolding transfer_caps_def
 apply simp
 apply (rule hoare_pre)
- apply (wp hoare_vcg_ball_lift transfer_caps_loop_cte_wp_at static_imp_wp
+ apply (wp hoare_vcg_ball_lift transfer_caps_loop_cte_wp_at hoare_weak_lift_imp
 | wpc | clarsimp simp:imp)+
 apply (rule hoare_strengthen_post [where Q="\rv s'. (cte_wp_at ((\) cap.NullCap) ptr) s'
@@ -495,7 +495,7 @@ lemma do_ipc_transfer_respects_device_region[Ipc_AI_cont_assms]:
 apply (wpsimp simp: do_ipc_transfer_def do_normal_transfer_def transfer_caps_def bind_assoc wp: hoare_vcg_all_lift hoare_drop_imps)+
 apply (simp only: ball_conj_distrib[where P="\x. real_cte_at x s" for s])
- apply (wpsimp wp: get_rs_cte_at2 thread_get_wp static_imp_wp grs_distinct
+ apply (wpsimp wp: get_rs_cte_at2 thread_get_wp hoare_weak_lift_imp grs_distinct
 hoare_vcg_ball_lift hoare_vcg_all_lift hoare_vcg_conj_lift simp: obj_at_def is_tcb_def)+
 apply (simp split: kernel_object.split_asm)
diff --git a/proof/invariant-abstract/ARM_HYP/ArchTcb_AI.thy b/proof/invariant-abstract/ARM_HYP/ArchTcb_AI.thy
index c5a940f2bb..700af03901 100644
--- a/proof/invariant-abstract/ARM_HYP/ArchTcb_AI.thy
+++ b/proof/invariant-abstract/ARM_HYP/ArchTcb_AI.thy
@@ -263,7 +263,7 @@ lemma tc_invs[Tcb_AI_asms]:
 checked_insert_no_cap_to out_no_cap_to_trivial[OF ball_tcb_cap_casesI] thread_set_ipc_tcb_cap_valid
- static_imp_wp static_imp_conj_wp)[1]
+ hoare_weak_lift_imp hoare_weak_lift_imp_conj)[1]
 | simp add: ran_tcb_cap_cases dom_tcb_cap_cases[simplified] emptyable_def del: hoare_True_E_R
diff --git a/proof/invariant-abstract/ARM_HYP/ArchVSpaceEntries_AI.thy b/proof/invariant-abstract/ARM_HYP/ArchVSpaceEntries_AI.thy
index 6de970f90f..28812e081c 100644
--- a/proof/invariant-abstract/ARM_HYP/ArchVSpaceEntries_AI.thy
+++ b/proof/invariant-abstract/ARM_HYP/ArchVSpaceEntries_AI.thy
@@ -631,7 +631,7 @@ lemma invoke_untyped_valid_pdpt[wp]:
 crunch valid_pdpt_objs[wp]: perform_asid_pool_invocation, perform_asid_control_invocation "valid_pdpt_objs"
- (ignore: delete_objects wp: delete_objects_valid_pdpt static_imp_wp)
+ (ignore: delete_objects wp: delete_objects_valid_pdpt hoare_weak_lift_imp)
 abbreviation (input) "safe_pt_range \ \slots s. obj_at (\ko. \pt. ko = ArchObj (PageTable pt)
@@ -1023,7 +1023,7 @@ lemma perform_page_directory_valid_pdpt[wp]:
 done
 crunch valid_pdpt_objs[wp]: perform_vcpu_invocation "valid_pdpt_objs"
- (ignore: delete_objects wp: delete_objects_valid_pdpt static_imp_wp)
+ (ignore: delete_objects wp: delete_objects_valid_pdpt hoare_weak_lift_imp)
 lemma perform_invocation_valid_pdpt[wp]:
diff --git a/proof/invariant-abstract/CNodeInv_AI.thy b/proof/invariant-abstract/CNodeInv_AI.thy
index ae2857d1a5..802f1c3c7f 100644
--- a/proof/invariant-abstract/CNodeInv_AI.thy
+++ b/proof/invariant-abstract/CNodeInv_AI.thy
@@ -2371,10 +2371,10 @@ lemma empty_slot_emptyable[wp]:
 crunch emptyable[wp]: blocked_cancel_ipc "emptyable sl"
- (ignore: set_thread_state wp: emptyable_lift sts_st_tcb_at_cases static_imp_wp)
+ (ignore: set_thread_state wp: emptyable_lift sts_st_tcb_at_cases hoare_weak_lift_imp)
 crunch emptyable[wp]: cancel_signal "emptyable sl"
- (ignore: set_thread_state wp: emptyable_lift sts_st_tcb_at_cases static_imp_wp)
+ (ignore: set_thread_state wp: emptyable_lift sts_st_tcb_at_cases hoare_weak_lift_imp)
 lemma cap_delete_one_emptyable[wp]:
diff --git a/proof/invariant-abstract/DetSchedInvs_AI.thy b/proof/invariant-abstract/DetSchedInvs_AI.thy
index e80655d124..b89890f632 100644
--- a/proof/invariant-abstract/DetSchedInvs_AI.thy
+++ b/proof/invariant-abstract/DetSchedInvs_AI.thy
@@ -317,7 +317,7 @@ lemma valid_blocked_lift:
 apply (rule hoare_pre)
 apply (wps c e d)
 apply (simp add: valid_blocked_def)
- apply (wp hoare_vcg_ball_lift hoare_vcg_all_lift hoare_vcg_conj_lift static_imp_wp a)
+ apply (wp hoare_vcg_ball_lift hoare_vcg_all_lift hoare_vcg_conj_lift hoare_weak_lift_imp a)
 apply (rule hoare_convert_imp)
 apply (rule typ_at_st_tcb_at_lift)
 apply (wp a t)+
@@ -356,7 +356,7 @@ lemma weak_valid_sched_action_lift:
 shows "\weak_valid_sched_action\ f \\rv. weak_valid_sched_action\"
 apply (rule hoare_lift_Pf[where f="\s. scheduler_action s", OF _ c])
 apply (simp add: weak_valid_sched_action_def)
- apply (wp hoare_vcg_all_lift static_imp_wp a)
+ apply (wp hoare_vcg_all_lift hoare_weak_lift_imp a)
 done
 lemma switch_in_cur_domain_lift:
@@ -367,7 +367,7 @@ lemma switch_in_cur_domain_lift:
 apply (rule hoare_lift_Pf[where f="\s. scheduler_action s", OF _ b])
 apply (rule hoare_lift_Pf[where f="\s. cur_domain s", OF _ c])
 apply (simp add: switch_in_cur_domain_def in_cur_domain_def)
- apply (wp hoare_vcg_all_lift static_imp_wp a c)
+ apply (wp hoare_vcg_all_lift hoare_weak_lift_imp a c)
 done
 lemma valid_sched_action_lift:
@@ -382,7 +382,7 @@ lemma valid_sched_action_lift:
 apply (rule hoare_vcg_conj_lift)
 apply (rule hoare_lift_Pf[where f="\s. scheduler_action s", OF _ c])
 apply (simp add: is_activatable_def)
- apply (wp weak_valid_sched_action_lift switch_in_cur_domain_lift static_imp_wp a b c d e)+
+ apply (wp weak_valid_sched_action_lift switch_in_cur_domain_lift hoare_weak_lift_imp a b c d e)+
 done
 lemma valid_sched_lift:
diff --git a/proof/invariant-abstract/DetSchedSchedule_AI.thy b/proof/invariant-abstract/DetSchedSchedule_AI.thy
index ebb5e8681a..50b7648932 100644
--- a/proof/invariant-abstract/DetSchedSchedule_AI.thy
+++ b/proof/invariant-abstract/DetSchedSchedule_AI.thy
@@ -2131,7 +2131,7 @@ lemma valid_blocked_except_lift:
 apply (rule hoare_pre)
 apply (wps c e d)
 apply (simp add: valid_blocked_except_def)
- apply (wp static_imp_wp hoare_vcg_ball_lift hoare_vcg_all_lift hoare_vcg_conj_lift a)
+ apply (wp hoare_weak_lift_imp hoare_vcg_ball_lift hoare_vcg_all_lift hoare_vcg_conj_lift a)
 apply (rule hoare_convert_imp)
 apply (rule typ_at_st_tcb_at_lift)
 apply (wp a t)+
@@ -3192,7 +3192,7 @@ lemma invoke_domain_valid_sched[wp]:
 ethread_set_valid_blocked ethread_set_ssa_valid_sched_action ethread_set_not_cur_ct_in_cur_domain ethread_set_not_idle_valid_sched ethread_set_not_idle_valid_idle_etcb)
- apply (wp static_imp_wp static_imp_conj_wp tcb_dequeue_not_queued tcb_sched_action_dequeue_valid_blocked_except)
+ apply (wp hoare_weak_lift_imp hoare_weak_lift_imp_conj tcb_dequeue_not_queued tcb_sched_action_dequeue_valid_blocked_except)
 apply simp
 apply (wp hoare_vcg_disj_lift)
 apply (rule_tac Q="\_. valid_sched and not_queued t and valid_idle and (\s. t \ idle_thread s)" in hoare_strengthen_post)
diff --git a/proof/invariant-abstract/Deterministic_AI.thy b/proof/invariant-abstract/Deterministic_AI.thy
index c46775a01b..90a38d0182 100644
--- a/proof/invariant-abstract/Deterministic_AI.thy
+++ b/proof/invariant-abstract/Deterministic_AI.thy
@@ -3122,7 +3122,7 @@ lemma empty_slot_valid_list[wp]:
 apply (simp add: empty_slot_def)
 apply (simp add: set_cdt_def update_cdt_list_def set_cdt_list_def empty_slot_ext_def bind_assoc cong: if_cong)
- apply (wp get_cap_wp static_imp_wp | wpc | wp (once) hoare_vcg_all_lift)+
+ apply (wp get_cap_wp hoare_weak_lift_imp | wpc | wp (once) hoare_vcg_all_lift)+
 apply (clarsimp simp del: fun_upd_apply)
 apply (frule mdb_empty_abs_simple.intro)
 apply(case_tac "cdt s sl")
diff --git a/proof/invariant-abstract/Finalise_AI.thy b/proof/invariant-abstract/Finalise_AI.thy
index d542fd4ae1..88e85c3824 100644
--- a/proof/invariant-abstract/Finalise_AI.thy
+++ b/proof/invariant-abstract/Finalise_AI.thy
@@ -935,7 +935,7 @@ lemma cap_delete_one_deletes_reply:
 split: if_split_asm elim!: allEI)
 apply (rule hoare_vcg_all_lift)
 apply simp
- apply (wp static_imp_wp empty_slot_deletes empty_slot_caps_of_state get_cap_wp)+
+ apply (wp hoare_weak_lift_imp empty_slot_deletes empty_slot_caps_of_state get_cap_wp)+
 apply (fastforce simp: cte_wp_at_caps_of_state valid_reply_caps_def is_cap_simps unique_reply_caps_def is_reply_cap_to_def simp del: split_paired_All)
diff --git a/proof/invariant-abstract/IpcCancel_AI.thy b/proof/invariant-abstract/IpcCancel_AI.thy
index 05e86eb7ff..31eec542cf 100644
--- a/proof/invariant-abstract/IpcCancel_AI.thy
+++ b/proof/invariant-abstract/IpcCancel_AI.thy
@@ -154,7 +154,7 @@ lemma blocked_ipc_st_tcb_at_general:
 blocked_cancel_ipc st t \\rv. st_tcb_at P t'\"
 apply (simp add: blocked_cancel_ipc_def)
- apply (wp sts_st_tcb_at_cases static_imp_wp, simp+)
+ apply (wp sts_st_tcb_at_cases hoare_weak_lift_imp, simp+)
 done
@@ -163,7 +163,7 @@ lemma cancel_signal_st_tcb_at_general:
 cancel_signal t ntfn \\rv. st_tcb_at P t'\"
 apply (simp add: cancel_signal_def)
- apply (wp sts_st_tcb_at_cases ntfn_cases_weak_wp static_imp_wp)
+ apply (wp sts_st_tcb_at_cases ntfn_cases_weak_wp hoare_weak_lift_imp)
 apply simp
 done
diff --git a/proof/invariant-abstract/Ipc_AI.thy b/proof/invariant-abstract/Ipc_AI.thy
index d78d399685..576f36ae95 100644
--- a/proof/invariant-abstract/Ipc_AI.thy
+++ b/proof/invariant-abstract/Ipc_AI.thy
@@ -517,7 +517,7 @@ lemma cap_insert_weak_cte_wp_at2:
 cap_insert cap src dest \\uu. cte_wp_at P p\"
 unfolding cap_insert_def
- by (wp set_cap_cte_wp_at get_cap_wp static_imp_wp
+ by (wp set_cap_cte_wp_at get_cap_wp hoare_weak_lift_imp
 | simp add: cap_insert_def | unfold set_untyped_cap_as_full_def | auto simp: cte_wp_at_def dest!:imp)+
@@ -603,10 +603,10 @@ lemma transfer_caps_loop_presM:
 apply (clarsimp simp add: Let_def split_def whenE_def cong: if_cong list.case_cong split del: if_split)
 apply (rule hoare_pre)
- apply (wp eb hoare_vcg_const_imp_lift hoare_vcg_const_Ball_lift static_imp_wp
+ apply (wp eb hoare_vcg_const_imp_lift hoare_vcg_const_Ball_lift hoare_weak_lift_imp
 | assumption | simp split del: if_split)+
 apply (rule cap_insert_assume_null)
- apply (wp x hoare_vcg_const_Ball_lift cap_insert_cte_wp_at static_imp_wp)+
+ apply (wp x hoare_vcg_const_Ball_lift cap_insert_cte_wp_at hoare_weak_lift_imp)+
 apply (rule hoare_vcg_conj_liftE_R)
 apply (rule derive_cap_is_derived_foo)
 apply (rule_tac Q' ="\cap' s. (vo \ cap'\ cap.NullCap \
@@ -1830,7 +1830,7 @@ lemma set_mrs_valid_ioc[wp]:
 apply (simp add: set_mrs_def)
 apply (wp | wpc)+
 apply (simp only: zipWithM_x_mapM_x split_def)
- apply (wp mapM_x_wp' set_object_valid_ioc_caps static_imp_wp
+ apply (wp mapM_x_wp' set_object_valid_ioc_caps hoare_weak_lift_imp
 | simp)+
 apply (clarsimp simp: obj_at_def get_tcb_def valid_ioc_def split: option.splits Structures_A.kernel_object.splits)
@@ -2627,7 +2627,7 @@ lemma complete_signal_invs:
 \ (\T. typ_at T ntfnptr s) \ valid_ntfn (ntfn_set_obj ntfn IdleNtfn) s \ ((\y. ntfn_bound_tcb ntfn = Some y) \ ex_nonz_cap_to ntfnptr s)" in hoare_strengthen_post)
- apply (wp hoare_vcg_all_lift static_imp_wp hoare_vcg_ex_lift | wpc
+ apply (wp hoare_vcg_all_lift hoare_weak_lift_imp hoare_vcg_ex_lift | wpc
 | simp add: live_def valid_ntfn_def valid_bound_tcb_def split: option.splits)+
 apply ((clarsimp simp: obj_at_def state_refs_of_def)+)[2]
 apply (rule_tac obj_at_valid_objsE[OF _ invs_valid_objs]; clarsimp)
@@ -2818,7 +2818,7 @@ lemma valid_bound_tcb_typ_at:
 "(\p. \\s. typ_at ATCB p s\ f \\_ s. typ_at ATCB p s\) \ \\s. valid_bound_tcb tcb s\ f \\_ s. valid_bound_tcb tcb s\"
 apply (clarsimp simp: valid_bound_tcb_def split: option.splits)
- apply (wpsimp wp: hoare_vcg_all_lift tcb_at_typ_at static_imp_wp)
+ apply (wpsimp wp: hoare_vcg_all_lift tcb_at_typ_at hoare_weak_lift_imp)
 done
 crunch bound_tcb[wp]: set_thread_state, set_message_info, set_mrs, as_user "valid_bound_tcb t"
@@ -2902,7 +2902,7 @@ lemma rai_invs':
 apply (rule hoare_pre)
 apply (wp set_simple_ko_valid_objs hoare_vcg_const_Ball_lift valid_ioports_lift as_user_no_del_ntfn[simplified ntfn_at_def2, simplified]
- valid_irq_node_typ ball_tcb_cap_casesI static_imp_wp
+ valid_irq_node_typ ball_tcb_cap_casesI hoare_weak_lift_imp
 valid_bound_tcb_typ_at[rule_format] | simp add: valid_ntfn_def)+
 apply clarsimp
@@ -3052,7 +3052,7 @@ lemma si_invs':
 | clarsimp simp:is_cap_simps | wpc | strengthen reply_cap_doesnt_exist_strg disjI2_strg[where Q="cte_wp_at (\cp. is_master_reply_cap cp \ R cp) p s"]
- | (wp hoare_vcg_conj_lift static_imp_wp | wp dxo_wp_weak | simp)+
+ | (wp hoare_vcg_conj_lift hoare_weak_lift_imp | wp dxo_wp_weak | simp)+
 | wp valid_ioports_lift)+
 apply (clarsimp simp: ep_redux_simps conj_ac cong: list.case_cong if_cong)
 apply (frule(1) sym_refs_ko_atD)
diff --git a/proof/invariant-abstract/RISCV64/ArchArch_AI.thy b/proof/invariant-abstract/RISCV64/ArchArch_AI.thy
index a9f5859b29..2ccb4b0b15 100644
--- a/proof/invariant-abstract/RISCV64/ArchArch_AI.thy
+++ b/proof/invariant-abstract/RISCV64/ArchArch_AI.thy
@@ -573,7 +573,7 @@ lemma cap_insert_simple_arch_caps_ap:
 hoare_vcg_disj_lift set_cap_reachable_pg_cap set_cap.vs_lookup_pages | clarsimp)+
 apply (wp set_cap_arch_obj set_cap_valid_table_caps hoare_vcg_ball_lift
- get_cap_wp static_imp_wp)+
+ get_cap_wp hoare_weak_lift_imp)+
 apply (clarsimp simp: cte_wp_at_caps_of_state is_cap_simps)
 apply (rule conjI)
 apply (clarsimp simp: vs_cap_ref_def)
diff --git a/proof/invariant-abstract/RISCV64/ArchCNodeInv_AI.thy b/proof/invariant-abstract/RISCV64/ArchCNodeInv_AI.thy
index ef1acc9af6..689a352cd6 100644
--- a/proof/invariant-abstract/RISCV64/ArchCNodeInv_AI.thy
+++ b/proof/invariant-abstract/RISCV64/ArchCNodeInv_AI.thy
@@ -622,7 +622,7 @@ next
 apply (rule "2.hyps"[simplified rec_del_call.simps slot_rdcall.simps conj_assoc], assumption+)
 apply (simp add: cte_wp_at_eq_simp | wp replace_cap_invs set_cap_sets final_cap_same_objrefs
- set_cap_cte_cap_wp_to static_imp_wp
+ set_cap_cte_cap_wp_to hoare_weak_lift_imp
 | erule finalise_cap_not_reply_master)+
 apply (wp hoare_vcg_const_Ball_lift)+
 apply (rule hoare_strengthen_post)
diff --git a/proof/invariant-abstract/RISCV64/ArchDetSchedAux_AI.thy b/proof/invariant-abstract/RISCV64/ArchDetSchedAux_AI.thy
index 07c38ebe92..20b9604f77 100644
--- a/proof/invariant-abstract/RISCV64/ArchDetSchedAux_AI.thy
+++ b/proof/invariant-abstract/RISCV64/ArchDetSchedAux_AI.thy
@@ -101,9 +101,9 @@ crunch ct[wp]: perform_asid_control_invocation "\s. P (cur_thread s)"
 crunch idle_thread[wp]: perform_asid_control_invocation "\s. P (idle_thread s)"
-crunch valid_etcbs[wp]: perform_asid_control_invocation valid_etcbs (wp: static_imp_wp)
+crunch valid_etcbs[wp]: perform_asid_control_invocation valid_etcbs (wp: hoare_weak_lift_imp)
-crunch valid_blocked[wp]: perform_asid_control_invocation valid_blocked (wp: static_imp_wp)
+crunch valid_blocked[wp]: perform_asid_control_invocation valid_blocked (wp: hoare_weak_lift_imp)
 crunch schedact[wp]: perform_asid_control_invocation "\s :: det_ext state. P (scheduler_action s)"
 (wp: crunch_wps simp: detype_def detype_ext_def wrap_ext_det_ext_ext_def cap_insert_ext_def ignore: freeMemory)
diff --git a/proof/invariant-abstract/RISCV64/ArchIpc_AI.thy b/proof/invariant-abstract/RISCV64/ArchIpc_AI.thy
index 0ddc6a1845..0eccce1718 100644
--- a/proof/invariant-abstract/RISCV64/ArchIpc_AI.thy
+++ b/proof/invariant-abstract/RISCV64/ArchIpc_AI.thy
@@ -307,7 +307,7 @@ lemma transfer_caps_non_null_cte_wp_at: unfolding transfer_caps_def apply simp apply (rule hoare_pre) - apply (wp hoare_vcg_ball_lift transfer_caps_loop_cte_wp_at static_imp_wp + apply (wp hoare_vcg_ball_lift transfer_caps_loop_cte_wp_at hoare_weak_lift_imp | wpc | clarsimp simp:imp)+ apply (rule hoare_strengthen_post [where Q="\rv s'. (cte_wp_at ((\) cap.NullCap) ptr) s' @@ -464,7 +464,7 @@ lemma do_ipc_transfer_respects_device_region[Ipc_AI_cont_assms]: apply (wpsimp simp: do_ipc_transfer_def do_normal_transfer_def transfer_caps_def bind_assoc wp: hoare_vcg_all_lift hoare_drop_imps)+ apply (simp only: ball_conj_distrib[where P="\x. real_cte_at x s" for s]) - apply (wpsimp wp: get_rs_cte_at2 thread_get_wp static_imp_wp grs_distinct + apply (wpsimp wp: get_rs_cte_at2 thread_get_wp hoare_weak_lift_imp grs_distinct hoare_vcg_ball_lift hoare_vcg_all_lift hoare_vcg_conj_lift simp: obj_at_def is_tcb_def)+ apply (simp split: kernel_object.split_asm) diff --git a/proof/invariant-abstract/RISCV64/ArchTcb_AI.thy b/proof/invariant-abstract/RISCV64/ArchTcb_AI.thy index 2256385a7d..f1a0fa79c8 100644 --- a/proof/invariant-abstract/RISCV64/ArchTcb_AI.thy +++ b/proof/invariant-abstract/RISCV64/ArchTcb_AI.thy @@ -260,7 +260,7 @@ lemma tc_invs[Tcb_AI_asms]: checked_insert_no_cap_to out_no_cap_to_trivial[OF ball_tcb_cap_casesI] thread_set_ipc_tcb_cap_valid - static_imp_wp static_imp_conj_wp)[1] + hoare_weak_lift_imp hoare_weak_lift_imp_conj)[1] | simp add: ran_tcb_cap_cases dom_tcb_cap_cases[simplified] emptyable_def del: hoare_True_E_R diff --git a/proof/invariant-abstract/RISCV64/ArchVSpaceEntries_AI.thy b/proof/invariant-abstract/RISCV64/ArchVSpaceEntries_AI.thy index ec72a6be23..aa2e6e58f5 100644 --- a/proof/invariant-abstract/RISCV64/ArchVSpaceEntries_AI.thy +++ b/proof/invariant-abstract/RISCV64/ArchVSpaceEntries_AI.thy 
@@ -233,7 +233,7 @@ lemma perform_asid_pool_invocation_valid_vspace_objs'[wp]: crunch valid_vspace_objs'[wp]: perform_asid_pool_invocation, perform_asid_control_invocation "valid_vspace_objs'" (ignore: delete_objects set_object - wp: static_imp_wp crunch_wps + wp: hoare_weak_lift_imp crunch_wps simp: crunch_simps unless_def) lemma pte_range_interD: diff --git a/proof/invariant-abstract/Tcb_AI.thy b/proof/invariant-abstract/Tcb_AI.thy index d20c73f832..6ec13c139e 100644 --- a/proof/invariant-abstract/Tcb_AI.thy +++ b/proof/invariant-abstract/Tcb_AI.thy @@ -175,7 +175,7 @@ lemma (in Tcb_AI_1) copyreg_invs: invoke_tcb (tcb_invocation.CopyRegisters dest src susp resume frames ints arch) \\rv. invs\" apply (wpsimp simp: if_apply_def2 - wp: mapM_x_wp' suspend_nonz_cap_to_tcb static_imp_wp) + wp: mapM_x_wp' suspend_nonz_cap_to_tcb hoare_weak_lift_imp) apply (clarsimp simp: invs_def valid_state_def valid_pspace_def suspend_def dest!: idle_no_ex_cap) done diff --git a/proof/invariant-abstract/X64/ArchArch_AI.thy b/proof/invariant-abstract/X64/ArchArch_AI.thy index a5020d6de0..4f0cce3de3 100644 --- a/proof/invariant-abstract/X64/ArchArch_AI.thy +++ b/proof/invariant-abstract/X64/ArchArch_AI.thy @@ -526,7 +526,7 @@ lemma cap_insert_simple_arch_caps_ap: hoare_vcg_disj_lift set_cap_reachable_pg_cap set_cap.vs_lookup_pages | clarsimp)+ apply (wp set_cap_arch_obj set_cap_valid_table_caps hoare_vcg_ball_lift - get_cap_wp static_imp_wp)+ + get_cap_wp hoare_weak_lift_imp)+ apply (clarsimp simp: cte_wp_at_caps_of_state is_cap_simps) apply (rule conjI) apply (clarsimp simp: vs_cap_ref_def) diff --git a/proof/invariant-abstract/X64/ArchCNodeInv_AI.thy b/proof/invariant-abstract/X64/ArchCNodeInv_AI.thy index 8b9ae68c45..a6a4987054 100644 --- a/proof/invariant-abstract/X64/ArchCNodeInv_AI.thy +++ b/proof/invariant-abstract/X64/ArchCNodeInv_AI.thy 
@@ -646,7 +646,7 @@ next apply (rule "2.hyps"[simplified rec_del_call.simps slot_rdcall.simps conj_assoc], assumption+) apply (simp add: cte_wp_at_eq_simp | wp replace_cap_invs set_cap_sets final_cap_same_objrefs - set_cap_cte_cap_wp_to static_imp_wp + set_cap_cte_cap_wp_to hoare_weak_lift_imp | erule finalise_cap_not_reply_master)+ apply (wp hoare_vcg_const_Ball_lift)+ apply (rule hoare_strengthen_post) diff --git a/proof/invariant-abstract/X64/ArchDetSchedAux_AI.thy b/proof/invariant-abstract/X64/ArchDetSchedAux_AI.thy index 30f448c6a4..760b927c57 100644 --- a/proof/invariant-abstract/X64/ArchDetSchedAux_AI.thy +++ b/proof/invariant-abstract/X64/ArchDetSchedAux_AI.thy @@ -99,9 +99,9 @@ crunch ct[wp]: perform_asid_control_invocation "\s. P (cur_thread s)" crunch idle_thread[wp]: perform_asid_control_invocation "\s. P (idle_thread s)" -crunch valid_etcbs[wp]: perform_asid_control_invocation valid_etcbs (wp: static_imp_wp) +crunch valid_etcbs[wp]: perform_asid_control_invocation valid_etcbs (wp: hoare_weak_lift_imp) -crunch valid_blocked[wp]: perform_asid_control_invocation valid_blocked (wp: static_imp_wp) +crunch valid_blocked[wp]: perform_asid_control_invocation valid_blocked (wp: hoare_weak_lift_imp) crunch schedact[wp]: perform_asid_control_invocation "\s :: det_ext state. P (scheduler_action s)" (wp: crunch_wps simp: detype_def detype_ext_def wrap_ext_det_ext_ext_def cap_insert_ext_def ignore: freeMemory) diff --git a/proof/invariant-abstract/X64/ArchIpc_AI.thy b/proof/invariant-abstract/X64/ArchIpc_AI.thy index ea5bd40c0d..4174c8ddf3 100644 --- a/proof/invariant-abstract/X64/ArchIpc_AI.thy +++ b/proof/invariant-abstract/X64/ArchIpc_AI.thy 
@@ -319,7 +319,7 @@ lemma transfer_caps_non_null_cte_wp_at: unfolding transfer_caps_def apply simp apply (rule hoare_pre) - apply (wp hoare_vcg_ball_lift transfer_caps_loop_cte_wp_at static_imp_wp + apply (wp hoare_vcg_ball_lift transfer_caps_loop_cte_wp_at hoare_weak_lift_imp | wpc | clarsimp simp:imp)+ apply (rule hoare_strengthen_post [where Q="\rv s'. (cte_wp_at ((\) cap.NullCap) ptr) s' @@ -435,7 +435,7 @@ lemma do_ipc_transfer_respects_device_region[Ipc_AI_cont_assms]: apply (rule hoare_drop_imps) apply wp apply (subst ball_conj_distrib) - apply (wp get_rs_cte_at2 thread_get_wp static_imp_wp grs_distinct + apply (wp get_rs_cte_at2 thread_get_wp hoare_weak_lift_imp grs_distinct hoare_vcg_ball_lift hoare_vcg_all_lift hoare_vcg_conj_lift | simp)+ apply (rule hoare_strengthen_post[where Q = "\r s. cap_refs_respects_device_region s \ valid_objs s \ valid_mdb s \ obj_at (\ko. \tcb. ko = TCB tcb) t s"]) diff --git a/proof/invariant-abstract/X64/ArchRetype_AI.thy b/proof/invariant-abstract/X64/ArchRetype_AI.thy index 2f53f9f341..454d18cb9b 100644 --- a/proof/invariant-abstract/X64/ArchRetype_AI.thy +++ b/proof/invariant-abstract/X64/ArchRetype_AI.thy @@ -389,7 +389,7 @@ lemma copy_global_invs_mappings_restricted: apply (simp add: valid_pspace_def pred_conj_def) apply (rule hoare_conjI, wp copy_global_equal_kernel_mappings_restricted) apply (clarsimp simp: global_refs_def) - apply (rule valid_prove_more, rule hoare_vcg_conj_lift, rule hoare_TrueI) + apply (rule hoare_post_add, rule hoare_vcg_conj_lift, rule hoare_TrueI) apply (simp add: copy_global_mappings_def valid_pspace_def) apply (rule hoare_seq_ext [OF _ gets_sp]) apply (rule hoare_strengthen_post) diff --git a/proof/invariant-abstract/X64/ArchTcb_AI.thy b/proof/invariant-abstract/X64/ArchTcb_AI.thy index 9320999dfc..463f9a4081 100644 --- a/proof/invariant-abstract/X64/ArchTcb_AI.thy +++ b/proof/invariant-abstract/X64/ArchTcb_AI.thy 
@@ -257,7 +257,7 @@ lemma tc_invs[Tcb_AI_asms]: checked_insert_no_cap_to out_no_cap_to_trivial[OF ball_tcb_cap_casesI] thread_set_ipc_tcb_cap_valid - static_imp_wp static_imp_conj_wp)[1] + hoare_weak_lift_imp hoare_weak_lift_imp_conj)[1] | simp add: ran_tcb_cap_cases dom_tcb_cap_cases[simplified] emptyable_def del: hoare_True_E_R diff --git a/proof/invariant-abstract/X64/ArchVSpaceEntries_AI.thy b/proof/invariant-abstract/X64/ArchVSpaceEntries_AI.thy index 6aebdc7877..77720c0a6a 100644 --- a/proof/invariant-abstract/X64/ArchVSpaceEntries_AI.thy +++ b/proof/invariant-abstract/X64/ArchVSpaceEntries_AI.thy @@ -556,7 +556,7 @@ lemma invoke_untyped_valid_vspace_objs'[wp]: crunch valid_vspace_objs'[wp]: perform_asid_pool_invocation, perform_asid_control_invocation "valid_vspace_objs'" (ignore: delete_objects set_object - wp: static_imp_wp crunch_wps + wp: hoare_weak_lift_imp crunch_wps simp: crunch_simps unless_def) lemma pte_range_interD: diff --git a/proof/refine/AARCH64/Arch_R.thy b/proof/refine/AARCH64/Arch_R.thy index 619e28f81b..bb55328489 100644 --- a/proof/refine/AARCH64/Arch_R.thy +++ b/proof/refine/AARCH64/Arch_R.thy 
@@ -1377,13 +1377,13 @@ lemma performASIDControlInvocation_tcb_at': apply (rule hoare_name_pre_state) apply (clarsimp simp: performASIDControlInvocation_def split: asidcontrol_invocation.splits) apply (clarsimp simp: valid_aci'_def cte_wp_at_ctes_of cong: conj_cong) - apply (wp static_imp_wp |simp add:placeNewObject_def2)+ - apply (wp createObjects_orig_obj_at2' updateFreeIndex_pspace_no_overlap' getSlotCap_wp static_imp_wp)+ + apply (wp hoare_weak_lift_imp |simp add:placeNewObject_def2)+ + apply (wp createObjects_orig_obj_at2' updateFreeIndex_pspace_no_overlap' getSlotCap_wp hoare_weak_lift_imp)+ apply (clarsimp simp: projectKO_opts_defs) apply (strengthen st_tcb_strg' [where P=\]) apply (wp deleteObjects_invs_derivatives[where p="makePoolParent aci"] hoare_vcg_ex_lift deleteObjects_cte_wp_at'[where d=False] - deleteObjects_st_tcb_at'[where p="makePoolParent aci"] static_imp_wp + deleteObjects_st_tcb_at'[where p="makePoolParent aci"] hoare_weak_lift_imp updateFreeIndex_pspace_no_overlap' deleteObject_no_overlap[where d=False])+ apply (case_tac ctea) apply (clarsimp) @@ -1707,7 +1707,7 @@ lemma performASIDControlInvocation_st_tcb_at': hoare_vcg_ex_lift deleteObjects_cte_wp_at' deleteObjects_invs_derivatives deleteObjects_st_tcb_at' - static_imp_wp + hoare_weak_lift_imp | simp add: placeNewObject_def2)+ apply (case_tac ctea) apply (clarsimp) @@ -1986,7 +1986,7 @@ lemma performASIDControlInvocation_invs' [wp]: updateFreeIndex_caps_no_overlap'' updateFreeIndex_descendants_of2 updateFreeIndex_caps_overlap_reserved - updateCap_cte_wp_at_cases static_imp_wp + updateCap_cte_wp_at_cases hoare_weak_lift_imp getSlotCap_wp)+ apply (clarsimp simp:conj_comms ex_disj_distrib is_aligned_mask | strengthen invs_valid_pspace' invs_pspace_aligned' diff --git a/proof/refine/AARCH64/CNodeInv_R.thy b/proof/refine/AARCH64/CNodeInv_R.thy index 61a240b21c..f724a14ba8 100644 --- a/proof/refine/AARCH64/CNodeInv_R.thy +++ b/proof/refine/AARCH64/CNodeInv_R.thy 
@@ -4862,7 +4862,7 @@ lemma cteSwap_iflive'[wp]: simp only: if_live_then_nonz_cap'_def imp_conv_disj ex_nonz_cap_to'_def) apply (wp hoare_vcg_all_lift hoare_vcg_disj_lift - hoare_vcg_ex_lift updateCap_cte_wp_at_cases static_imp_wp)+ + hoare_vcg_ex_lift updateCap_cte_wp_at_cases hoare_weak_lift_imp)+ apply (clarsimp simp: cte_wp_at_ctes_of) apply (drule(1) if_live_then_nonz_capE') apply (clarsimp simp: ex_nonz_cap_to'_def cte_wp_at_ctes_of) @@ -5724,7 +5724,7 @@ lemma cteSwap_cte_wp_cteCap: apply simp apply (wp hoare_drop_imps)[1] apply (wp updateMDB_weak_cte_wp_at updateCap_cte_wp_at_cases - getCTE_wp' hoare_vcg_all_lift static_imp_wp)+ + getCTE_wp' hoare_vcg_all_lift hoare_weak_lift_imp)+ apply simp apply (clarsimp simp: o_def) done @@ -5738,7 +5738,7 @@ lemma capSwap_cte_wp_cteCap: apply(simp add: capSwapForDelete_def) apply(wp) apply(rule cteSwap_cte_wp_cteCap) - apply(wp getCTE_wp getCTE_cte_wp_at static_imp_wp)+ + apply(wp getCTE_wp getCTE_cte_wp_at hoare_weak_lift_imp)+ apply(clarsimp) apply(rule conjI) apply(simp add: cte_at_cte_wp_atD) @@ -6247,7 +6247,7 @@ proof (induct arbitrary: P p rule: finalise_spec_induct2) apply clarsimp apply (case_tac "cteCap rv", simp_all add: isCap_simps final_matters'_def)[1] - apply (wp isFinalCapability_inv static_imp_wp | simp | wp (once) isFinal[where x=sl])+ + apply (wp isFinalCapability_inv hoare_weak_lift_imp | simp | wp (once) isFinal[where x=sl])+ apply (wp getCTE_wp') apply (clarsimp simp: cte_wp_at_ctes_of) apply (rule conjI, clarsimp simp: removeable'_def) 
@@ -7046,14 +7046,14 @@ next apply simp apply (wp replace_cap_invs final_cap_same_objrefs set_cap_cte_wp_at set_cap_cte_cap_wp_to - hoare_vcg_const_Ball_lift static_imp_wp + hoare_vcg_const_Ball_lift hoare_weak_lift_imp | simp add: conj_comms | erule finalise_cap_not_reply_master [simplified])+ apply (elim conjE, strengthen exI[mk_strg I], strengthen asm_rl[where psi="(cap_relation cap cap')" for cap cap', mk_strg I E]) apply (wp make_zombie_invs' updateCap_cap_to' updateCap_cte_wp_at_cases - hoare_vcg_ex_lift static_imp_wp) + hoare_vcg_ex_lift hoare_weak_lift_imp) apply clarsimp apply (drule_tac cap=a in cap_relation_removables, clarsimp, assumption+) @@ -7095,7 +7095,7 @@ next apply (clarsimp dest!: isCapDs simp: cte_wp_at_ctes_of) apply (case_tac "cteCap rv'", auto simp add: isCap_simps is_cap_simps final_matters'_def)[1] - apply (wp isFinalCapability_inv static_imp_wp + apply (wp isFinalCapability_inv hoare_weak_lift_imp | simp add: is_final_cap_def conj_comms cte_wp_at_eq_simp)+ apply (rule isFinal[where x="cte_map slot"]) apply (wp get_cap_wp| simp add: conj_comms)+ @@ -7236,7 +7236,7 @@ next apply (rule updateCap_corres) apply simp apply (simp add: is_cap_simps) - apply (rule_tac Q="\rv. cte_at' (cte_map ?target)" in valid_prove_more) + apply (rule_tac R="\rv. cte_at' (cte_map ?target)" in hoare_post_add) apply (wp, (wp getCTE_wp)+) apply (clarsimp simp: cte_wp_at_ctes_of) apply (rule no_fail_pre, wp, simp) @@ -8393,7 +8393,7 @@ lemma cteMove_iflive'[wp]: ex_nonz_cap_to'_def) apply (wp hoare_vcg_all_lift hoare_vcg_disj_lift hoare_vcg_ex_lift updateCap_cte_wp_at_cases - getCTE_wp static_imp_wp)+ + getCTE_wp hoare_weak_lift_imp)+ apply (clarsimp simp: cte_wp_at_ctes_of) apply (drule(1) if_live_then_nonz_capE') apply (clarsimp simp: ex_nonz_cap_to'_def cte_wp_at_ctes_of) 
@@ -8574,7 +8574,7 @@ lemma cteMove_cte_wp_at: \\_ s. cte_wp_at' (\c. Q (cteCap c)) ptr s\" unfolding cteMove_def apply (fold o_def) - apply (wp updateCap_cte_wp_at_cases updateMDB_weak_cte_wp_at getCTE_wp static_imp_wp|simp add: o_def)+ + apply (wp updateCap_cte_wp_at_cases updateMDB_weak_cte_wp_at getCTE_wp hoare_weak_lift_imp|simp add: o_def)+ apply (clarsimp simp: cte_wp_at_ctes_of) done diff --git a/proof/refine/AARCH64/CSpace1_R.thy b/proof/refine/AARCH64/CSpace1_R.thy index 2566da1438..07e74b4e3d 100644 --- a/proof/refine/AARCH64/CSpace1_R.thy +++ b/proof/refine/AARCH64/CSpace1_R.thy @@ -935,7 +935,7 @@ lemma cteInsert_weak_cte_wp_at: \\uu. cte_wp_at'(\c. P (cteCap c)) p\" unfolding cteInsert_def error_def updateCap_def setUntypedCapAsFull_def apply (simp add: bind_assoc split del: if_split) - apply (wp setCTE_weak_cte_wp_at updateMDB_weak_cte_wp_at static_imp_wp | simp)+ + apply (wp setCTE_weak_cte_wp_at updateMDB_weak_cte_wp_at hoare_weak_lift_imp | simp)+ apply (wp getCTE_ctes_wp)+ apply (clarsimp simp: isCap_simps split:if_split_asm| rule conjI)+ done diff --git a/proof/refine/AARCH64/Detype_R.thy b/proof/refine/AARCH64/Detype_R.thy index c52bc2d2ce..0a46a4ecf0 100644 --- a/proof/refine/AARCH64/Detype_R.thy +++ b/proof/refine/AARCH64/Detype_R.thy 
@@ -1968,12 +1968,12 @@ lemma cte_wp_at_top: tcbReplySlot_def tcbCTableSlot_def tcbVTableSlot_def objBits_simps cteSizeBits_def) apply (simp add: alignCheck_def bind_def alignError_def fail_def return_def objBits_simps - magnitudeCheck_def in_monad is_aligned_mask when_def + magnitudeCheck_def in_monad is_aligned_mask when_def unless_def split: option.splits) apply (intro conjI impI allI; simp add: not_le) apply (clarsimp simp:cte_check_def) apply (simp add: alignCheck_def bind_def alignError_def fail_def return_def objBits_simps - magnitudeCheck_def in_monad is_aligned_mask when_def + magnitudeCheck_def in_monad is_aligned_mask when_def unless_def split: option.splits) apply (intro conjI impI allI; simp add:not_le) apply (simp add: typeError_def fail_def cte_check_def split: Structures_H.kernel_object.splits) diff --git a/proof/refine/AARCH64/Finalise_R.thy b/proof/refine/AARCH64/Finalise_R.thy index 90095ef30a..b8bfb3320d 100644 --- a/proof/refine/AARCH64/Finalise_R.thy +++ b/proof/refine/AARCH64/Finalise_R.thy @@ -1573,7 +1573,7 @@ lemma emptySlot_corres: defer apply wpsimp+ apply (rule corres_no_failI) - apply (rule no_fail_pre, wp static_imp_wp) + apply (rule no_fail_pre, wp hoare_weak_lift_imp) apply (clarsimp simp: cte_wp_at_ctes_of valid_pspace'_def) apply (clarsimp simp: valid_mdb'_def valid_mdb_ctes_def) apply (rule conjI, clarsimp) @@ -3634,7 +3634,7 @@ lemma cteDeleteOne_invs[wp]: subgoal by auto subgoal by (auto dest!: isCapDs simp: pred_tcb_at'_def obj_at'_def live'_def hyp_live'_def ko_wp_at'_def) - apply (wp isFinalCapability_inv getCTE_wp' static_imp_wp + apply (wp isFinalCapability_inv getCTE_wp' hoare_weak_lift_imp | wp (once) isFinal[where x=ptr])+ apply (fastforce simp: cte_wp_at_ctes_of) done diff --git a/proof/refine/AARCH64/Interrupt_R.thy b/proof/refine/AARCH64/Interrupt_R.thy index 7c3a18e259..c93c7b9f24 100644 --- a/proof/refine/AARCH64/Interrupt_R.thy +++ b/proof/refine/AARCH64/Interrupt_R.thy 
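Review bot: The two `simp add:` calls in this hunk carry the same unfolding set, and the commit has to extend both with `unless_def` by hand, which is exactly the kind of duplication that drifts apart the next time the monad library changes. I would factor the set into one named collection declared before the lemma, e.g. `lemmas cte_check_unfold_simps = alignCheck_def bind_def alignError_def fail_def return_def objBits_simps magnitudeCheck_def in_monad is_aligned_mask when_def unless_def` (name is a suggestion), and have both sites read `apply (simp add: cte_check_unfold_simps split: option.splits)`. The two follow-up lines `simp add: not_le` and `simp add:not_le` could then also be written identically. The proof of cte_wp_at_top starts before the hunk, so the declaration would sit above the lemma outside the visible lines.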
@@ -673,7 +673,7 @@ lemma timerTick_corres: apply wp+ apply (simp add:decDomainTime_def) apply wp - apply (wpsimp wp: static_imp_wp threadSet_timeslice_invs threadSet_valid_queues + apply (wpsimp wp: hoare_weak_lift_imp threadSet_timeslice_invs threadSet_valid_queues threadSet_valid_queues' tcbSchedAppend_valid_objs' threadSet_pred_tcb_at_state threadSet_weak_sch_act_wf rescheduleRequired_weak_sch_act_wf tcbSchedAppend_valid_queues)+ diff --git a/proof/refine/AARCH64/Ipc_R.thy b/proof/refine/AARCH64/Ipc_R.thy index 0cfdd63a7d..3bc8c3bac1 100644 --- a/proof/refine/AARCH64/Ipc_R.thy +++ b/proof/refine/AARCH64/Ipc_R.thy @@ -321,7 +321,7 @@ lemma cteInsert_cte_wp_at: cteInsert cap src dest \\uu. cte_wp_at' (\c. P (cteCap c)) p\" apply (simp add: cteInsert_def) - apply (wp updateMDB_weak_cte_wp_at updateCap_cte_wp_at_cases getCTE_wp static_imp_wp + apply (wp updateMDB_weak_cte_wp_at updateCap_cte_wp_at_cases getCTE_wp hoare_weak_lift_imp | clarsimp simp: comp_def | unfold setUntypedCapAsFull_def)+ apply (drule cte_at_cte_wp_atD) @@ -365,7 +365,7 @@ lemma cteInsert_weak_cte_wp_at3: else cte_wp_at' (\c. P (cteCap c)) p s\ cteInsert cap src dest \\uu. cte_wp_at' (\c. P (cteCap c)) p\" - by (wp updateMDB_weak_cte_wp_at updateCap_cte_wp_at_cases getCTE_wp' static_imp_wp + by (wp updateMDB_weak_cte_wp_at updateCap_cte_wp_at_cases getCTE_wp' hoare_weak_lift_imp | clarsimp simp: comp_def cteInsert_def | unfold setUntypedCapAsFull_def | auto simp: cte_wp_at'_def dest!: imp)+ @@ -585,7 +585,7 @@ lemma cteInsert_cte_cap_to': apply (rule hoare_use_eq_irq_node' [OF cteInsert_ksInterruptState]) apply (clarsimp simp:cteInsert_def) apply (wp hoare_vcg_ex_lift updateMDB_weak_cte_wp_at updateCap_cte_wp_at_cases - setUntypedCapAsFull_cte_wp_at getCTE_wp static_imp_wp) + setUntypedCapAsFull_cte_wp_at getCTE_wp hoare_weak_lift_imp) apply (clarsimp simp:cte_wp_at_ctes_of) apply (rule_tac x = "cref" in exI) apply (rule conjI) 
@@ -628,7 +628,7 @@ lemma cteInsert_weak_cte_wp_at2: apply (rule hoare_use_eq_irq_node' [OF cteInsert_ksInterruptState]) apply (clarsimp simp:cteInsert_def) apply (wp hoare_vcg_ex_lift updateMDB_weak_cte_wp_at updateCap_cte_wp_at_cases - setUntypedCapAsFull_cte_wp_at getCTE_wp static_imp_wp) + setUntypedCapAsFull_cte_wp_at getCTE_wp hoare_weak_lift_imp) apply (clarsimp simp:cte_wp_at_ctes_of weak) apply auto done @@ -661,11 +661,11 @@ lemma transferCapsToSlots_presM: apply (wp eb hoare_vcg_const_Ball_lift hoare_vcg_const_imp_lift | assumption | wpc)+ apply (rule cteInsert_assume_Null) - apply (wp x hoare_vcg_const_Ball_lift cteInsert_cte_cap_to' static_imp_wp) + apply (wp x hoare_vcg_const_Ball_lift cteInsert_cte_cap_to' hoare_weak_lift_imp) apply (rule cteInsert_weak_cte_wp_at2,clarsimp) - apply (wp hoare_vcg_const_Ball_lift static_imp_wp)+ + apply (wp hoare_vcg_const_Ball_lift hoare_weak_lift_imp)+ apply (rule cteInsert_weak_cte_wp_at2,clarsimp) - apply (wp hoare_vcg_const_Ball_lift cteInsert_cte_wp_at static_imp_wp + apply (wp hoare_vcg_const_Ball_lift cteInsert_cte_wp_at hoare_weak_lift_imp deriveCap_derived_foo)+ apply (thin_tac "\slots. PROP P slots" for P) apply (clarsimp simp: cte_wp_at_ctes_of remove_rights_def @@ -1039,7 +1039,7 @@ lemma transferCaps_corres: apply (rule corres_rel_imp, rule transferCapsToSlots_corres, simp_all add: split_def)[1] apply (case_tac info, simp) - apply (wp hoare_vcg_all_lift get_rs_cte_at static_imp_wp + apply (wp hoare_vcg_all_lift get_rs_cte_at hoare_weak_lift_imp | simp only: ball_conj_distrib)+ apply (simp add: cte_map_def tcb_cnode_index_def split_def) apply (clarsimp simp: valid_pspace'_def valid_ipc_buffer_ptr'_def2 
@@ -1441,7 +1441,7 @@ lemma doNormalTransfer_corres: hoare_valid_ipc_buffer_ptr_typ_at' copyMRs_typ_at' hoare_vcg_const_Ball_lift lookupExtraCaps_length | simp add: if_apply_def2)+) - apply (wp static_imp_wp | strengthen valid_msg_length_strengthen)+ + apply (wp hoare_weak_lift_imp | strengthen valid_msg_length_strengthen)+ apply clarsimp apply auto done @@ -2184,7 +2184,7 @@ lemma doReplyTransfer_corres: apply (clarsimp simp: tcb_relation_def) apply (fold dc_def, rule possibleSwitchTo_corres) apply simp - apply (wp static_imp_wp static_imp_conj_wp set_thread_state_runnable_weak_valid_sched_action sts_st_tcb_at' + apply (wp hoare_weak_lift_imp hoare_weak_lift_imp_conj set_thread_state_runnable_weak_valid_sched_action sts_st_tcb_at' sts_st_tcb' sts_valid_queues | force simp: valid_sched_def valid_sched_action_def valid_tcb_state'_def)+ apply (rule corres_guard_imp) @@ -2282,15 +2282,15 @@ lemma setupCallerCap_corres: tcb_cnode_index_def cte_level_bits_def) apply (simp add: cte_map_def tcbCallerSlot_def tcb_cnode_index_def cte_level_bits_def) - apply (rule_tac Q="\rv. cte_at' (receiver + 2 ^ cte_level_bits * tcbCallerSlot)" - in valid_prove_more) + apply (rule_tac R="\rv. cte_at' (receiver + 2 ^ cte_level_bits * tcbCallerSlot)" + in hoare_post_add) apply (wp, (wp getSlotCap_wp)+) apply blast apply (rule no_fail_pre, wp) apply (clarsimp simp: cte_wp_at'_def cte_at'_def) - apply (rule_tac Q="\rv. cte_at' (sender + 2 ^ cte_level_bits * tcbReplySlot)" - in valid_prove_more) + apply (rule_tac R="\rv. cte_at' (sender + 2 ^ cte_level_bits * tcbReplySlot)" + in hoare_post_add) apply (wp, (wp getCTE_wp')+) apply blast apply (rule no_fail_pre, wp) 
@@ -2347,7 +2347,7 @@ lemma possibleSwitchTo_weak_sch_act_wf[wp]: bitmap_fun_defs) apply (wp rescheduleRequired_weak_sch_act_wf weak_sch_act_wf_lift_linear[where f="tcbSchedEnqueue t"] - getObject_tcb_wp static_imp_wp + getObject_tcb_wp hoare_weak_lift_imp | wpc)+ apply (clarsimp simp: obj_at'_def weak_sch_act_wf_def ps_clear_def tcb_in_cur_domain'_def) done @@ -2710,7 +2710,7 @@ lemma possibleSwitchTo_sch_act[wp]: possibleSwitchTo t \\rv s. sch_act_wf (ksSchedulerAction s) s\" apply (simp add: possibleSwitchTo_def curDomain_def bitmap_fun_defs) - apply (wp static_imp_wp threadSet_sch_act setQueue_sch_act threadGet_wp + apply (wp hoare_weak_lift_imp threadSet_sch_act setQueue_sch_act threadGet_wp | simp add: unless_def | wpc)+ apply (auto simp: obj_at'_def tcb_in_cur_domain'_def) done @@ -2731,7 +2731,7 @@ lemma possibleSwitchTo_ksQ': possibleSwitchTo t \\_ s. t' \ set (ksReadyQueues s p)\" apply (simp add: possibleSwitchTo_def curDomain_def bitmap_fun_defs) - apply (wp static_imp_wp rescheduleRequired_ksQ' tcbSchedEnqueue_ksQ threadGet_wp + apply (wp hoare_weak_lift_imp rescheduleRequired_ksQ' tcbSchedEnqueue_ksQ threadGet_wp | wpc | simp split del: if_split)+ apply (auto simp: obj_at'_def) @@ -2743,7 +2743,7 @@ lemma possibleSwitchTo_valid_queues'[wp]: possibleSwitchTo t \\rv. valid_queues'\" apply (simp add: possibleSwitchTo_def curDomain_def bitmap_fun_defs) - apply (wp static_imp_wp threadGet_wp | wpc | simp)+ + apply (wp hoare_weak_lift_imp threadGet_wp | wpc | simp)+ apply (auto simp: obj_at'_def) done 
@@ -3698,7 +3698,7 @@ lemma completeSignal_invs: \ ((\y. ntfnBoundTCB ntfn = Some y) \ ex_nonz_cap_to' ntfnptr s) \ ntfnptr \ ksIdleThread s" in hoare_strengthen_post) - apply ((wp hoare_vcg_ex_lift static_imp_wp | wpc | simp add: valid_ntfn'_def)+)[1] + apply ((wp hoare_vcg_ex_lift hoare_weak_lift_imp | wpc | simp add: valid_ntfn'_def)+)[1] apply (clarsimp simp: obj_at'_def state_refs_of'_def typ_at'_def ko_wp_at'_def live'_def split: option.splits) apply (blast dest: ntfn_q_refs_no_bound_refs') @@ -3914,7 +3914,7 @@ lemma rai_invs'[wp]: \ \ep = ActiveNtfn\ apply (simp add: invs'_def valid_state'_def) apply (rule hoare_pre) - apply (wp valid_irq_node_lift sts_valid_objs' typ_at_lifts static_imp_wp + apply (wp valid_irq_node_lift sts_valid_objs' typ_at_lifts hoare_weak_lift_imp asUser_urz | simp add: valid_ntfn'_def)+ apply (clarsimp simp: pred_tcb_at' valid_pspace'_def) @@ -4357,7 +4357,7 @@ lemma sendSignal_st_tcb'_Running: sendSignal ntfnptr bdg \\_. st_tcb_at' (\st. st = Running \ P st) t\" apply (simp add: sendSignal_def) - apply (wp sts_st_tcb_at'_cases cancelIPC_st_tcb_at' gts_wp' getNotification_wp static_imp_wp + apply (wp sts_st_tcb_at'_cases cancelIPC_st_tcb_at' gts_wp' getNotification_wp hoare_weak_lift_imp | wpc | clarsimp simp: pred_tcb_at')+ done diff --git a/proof/refine/AARCH64/Refine.thy b/proof/refine/AARCH64/Refine.thy index 564a2a4d7c..ab4825d870 100644 --- a/proof/refine/AARCH64/Refine.thy +++ b/proof/refine/AARCH64/Refine.thy @@ -275,7 +275,7 @@ lemma kernel_entry_invs: thread_set_ct_running thread_set_not_state_valid_sched hoare_vcg_disj_lift ct_in_state_thread_state_lift thread_set_no_change_tcb_state call_kernel_domain_time_inv_det_ext call_kernel_domain_list_inv_det_ext - static_imp_wp + hoare_weak_lift_imp | clarsimp simp add: tcb_cap_cases_def active_from_running)+ done 
@@ -432,7 +432,7 @@ lemma kernelEntry_invs': apply (simp add: kernelEntry_def) apply (wp ckernel_invs callKernel_domain_time_left threadSet_invs_trivial threadSet_ct_running' - TcbAcc_R.dmo_invs' static_imp_wp + TcbAcc_R.dmo_invs' hoare_weak_lift_imp doMachineOp_ct_in_state' doMachineOp_sch_act_simple callKernel_domain_time_left | clarsimp simp: user_memory_update_def no_irq_def tcb_at_invs' @@ -657,7 +657,7 @@ lemma entry_corres: apply (rule hoare_strengthen_post, rule ckernel_invs, simp add: invs'_def cur_tcb'_def) apply (wp thread_set_invs_trivial thread_set_ct_running threadSet_invs_trivial threadSet_ct_running' - thread_set_not_state_valid_sched static_imp_wp + thread_set_not_state_valid_sched hoare_weak_lift_imp hoare_vcg_disj_lift ct_in_state_thread_state_lift | simp add: tcb_cap_cases_def ct_in_state'_def thread_set_no_change_tcb_state | (wps, wp threadSet_st_tcb_at2) )+ diff --git a/proof/refine/AARCH64/Retype_R.thy b/proof/refine/AARCH64/Retype_R.thy index 35c0ce4632..0df5280d1d 100644 --- a/proof/refine/AARCH64/Retype_R.thy +++ b/proof/refine/AARCH64/Retype_R.thy @@ -2586,7 +2586,6 @@ lemmas object_splits = declare hoare_in_monad_post[wp del] declare univ_get_wp[wp del] -declare result_in_set_wp[wp del] lemma nullPointer_0_simp[simp]: "(nullPointer = 0) = True" @@ -4375,7 +4374,7 @@ proof - apply (simp add: ct_idle_or_in_cur_domain'_def tcb_in_cur_domain'_def) apply (rule hoare_pre) apply (wps a b c d) - apply (wp static_imp_wp e' hoare_vcg_disj_lift) + apply (wp hoare_weak_lift_imp e' hoare_vcg_disj_lift) apply (auto simp: obj_at'_def ct_in_state'_def st_tcb_at'_def) done qed diff --git a/proof/refine/AARCH64/Schedule_R.thy b/proof/refine/AARCH64/Schedule_R.thy index 0baefd716c..fa8bbb3d93 100644 --- a/proof/refine/AARCH64/Schedule_R.thy +++ b/proof/refine/AARCH64/Schedule_R.thy 
@@ -11,7 +11,7 @@ begin context begin interpretation Arch . (*FIXME: arch_split*) -declare static_imp_wp[wp_split del] +declare hoare_weak_lift_imp[wp_split del] (* Levity: added (20090713 10:04:12) *) declare sts_rel_idle [simp] @@ -505,7 +505,7 @@ lemma ct_idle_or_in_cur_domain'_lift2: apply (rule hoare_lift_Pf2[where f=ksCurThread]) apply (rule hoare_lift_Pf2[where f=ksSchedulerAction]) including no_pre - apply (wp static_imp_wp hoare_vcg_disj_lift) + apply (wp hoare_weak_lift_imp hoare_vcg_disj_lift) apply simp+ done @@ -1517,7 +1517,7 @@ lemma switchToIdleThread_invs_no_cicd': crunch obj_at'[wp]: "Arch.switchToIdleThread" "obj_at' (P :: ('a :: no_vcpu) \ bool) t" -declare static_imp_conj_wp[wp_split del] +declare hoare_weak_lift_imp_conj[wp_split del] lemma setCurThread_const: "\\_. P t \ setCurThread t \\_ s. P (ksCurThread s) \" diff --git a/proof/refine/AARCH64/Syscall_R.thy b/proof/refine/AARCH64/Syscall_R.thy index 742259a699..bbfb69b6bf 100644 --- a/proof/refine/AARCH64/Syscall_R.thy +++ b/proof/refine/AARCH64/Syscall_R.thy @@ -338,7 +338,7 @@ lemma threadSet_tcbDomain_update_sch_act_wf[wp]: apply (simp add: threadSet_def) apply wp apply (wps setObject_sa_unchanged) - apply (wp static_imp_wp getObject_tcb_wp hoare_vcg_all_lift)+ + apply (wp hoare_weak_lift_imp getObject_tcb_wp hoare_vcg_all_lift)+ apply (rename_tac word) apply (rule_tac Q="\_ s. ksSchedulerAction s = SwitchToThread word \ st_tcb_at' runnable' word s \ tcb_in_cur_domain' word s \ word \ t" @@ -683,7 +683,7 @@ proof - apply (rule hoare_weaken_pre [OF cteInsert_weak_cte_wp_at3]) apply (rule PUC,simp) apply (clarsimp simp: cte_wp_at_ctes_of) - apply (wp hoare_vcg_all_lift static_imp_wp | simp add:ball_conj_distrib)+ + apply (wp hoare_vcg_all_lift hoare_weak_lift_imp | simp add:ball_conj_distrib)+ done qed 
@@ -802,7 +802,7 @@ lemma doReply_invs[wp]: apply assumption apply (erule cte_wp_at_weakenE') apply (fastforce) - apply (wp sts_invs_minor'' sts_st_tcb' static_imp_wp) + apply (wp sts_invs_minor'' sts_st_tcb' hoare_weak_lift_imp) apply (rule_tac Q="\rv s. invs' s \ sch_act_simple s \ st_tcb_at' awaiting_reply' t s \ t \ ksIdleThread s" @@ -820,7 +820,7 @@ lemma doReply_invs[wp]: apply (erule_tac P="\st. awaiting_reply' st \ activatable' st" in pred_tcb'_weakenE) apply (case_tac st, clarsimp+) - apply (wp threadSet_invs_trivial threadSet_st_tcb_at2 static_imp_wp + apply (wp threadSet_invs_trivial threadSet_st_tcb_at2 hoare_weak_lift_imp | clarsimp simp add: inQ_def)+ apply (rule_tac Q="\_. invs' and tcb_at' t and sch_act_simple and st_tcb_at' awaiting_reply' t" @@ -976,7 +976,7 @@ lemma setDomain_invs': (\y. domain \ maxDomain))\ setDomain ptr domain \\y. invs'\" apply (simp add:setDomain_def ) - apply (wp add: when_wp static_imp_wp static_imp_conj_wp rescheduleRequired_all_invs_but_extra + apply (wp add: when_wp hoare_weak_lift_imp hoare_weak_lift_imp_conj rescheduleRequired_all_invs_but_extra tcbSchedEnqueue_valid_action hoare_vcg_if_lift2) apply (rule_tac Q = "\r s. all_invs_but_sch_extra s \ curThread = ksCurThread s \ (ptr \ curThread \ ct_not_inQ s \ sch_act_wf (ksSchedulerAction s) s \ ct_idle_or_in_cur_domain' s)" @@ -990,7 +990,7 @@ lemma setDomain_invs': prefer 2 apply clarsimp apply assumption - apply (wp static_imp_wp threadSet_pred_tcb_no_state threadSet_not_curthread_ct_domain + apply (wp hoare_weak_lift_imp threadSet_pred_tcb_no_state threadSet_not_curthread_ct_domain threadSet_tcbDomain_update_ct_not_inQ | simp)+ apply (rule_tac Q = "\r s. invs' s \ curThread = ksCurThread s \ sch_act_simple s \ domain \ maxDomain 
@@ -1302,7 +1302,7 @@ lemma hinv_invs'[wp]: apply (simp add: handleInvocation_def split_def ts_Restart_case_helper') apply (wp syscall_valid' setThreadState_nonqueued_state_update rfk_invs' - hoare_vcg_all_lift static_imp_wp) + hoare_vcg_all_lift hoare_weak_lift_imp) apply simp apply (intro conjI impI) apply (wp gts_imp' | simp)+ diff --git a/proof/refine/AARCH64/TcbAcc_R.thy b/proof/refine/AARCH64/TcbAcc_R.thy index b502f9c5c7..950f7950b0 100644 --- a/proof/refine/AARCH64/TcbAcc_R.thy +++ b/proof/refine/AARCH64/TcbAcc_R.thy @@ -12,7 +12,6 @@ begin context begin interpretation Arch . (*FIXME: arch_split*) declare if_weak_cong [cong] -declare result_in_set_wp[wp] declare hoare_in_monad_post[wp] declare trans_state_update'[symmetric,simp] declare storeWordUser_typ_at' [wp] @@ -2394,9 +2393,9 @@ lemma threadSet_queued_sch_act_wf[wp]: split: scheduler_action.split) apply (wp hoare_vcg_conj_lift) apply (simp add: threadSet_def) - apply (wp static_imp_wp) + apply (wp hoare_weak_lift_imp) apply (wps setObject_sa_unchanged) - apply (wp static_imp_wp getObject_tcb_wp)+ + apply (wp hoare_weak_lift_imp getObject_tcb_wp)+ apply (clarsimp simp: obj_at'_def) apply (wp hoare_vcg_all_lift hoare_vcg_conj_lift hoare_convert_imp)+ apply (simp add: threadSet_def) @@ -4173,7 +4172,7 @@ lemma possibleSwitchTo_ct_not_inQ: possibleSwitchTo t \\_. ct_not_inQ\" (is "\?PRE\ _ \_\") apply (simp add: possibleSwitchTo_def curDomain_def) - apply (wpsimp wp: static_imp_wp rescheduleRequired_ct_not_inQ tcbSchedEnqueue_ct_not_inQ + apply (wpsimp wp: hoare_weak_lift_imp rescheduleRequired_ct_not_inQ tcbSchedEnqueue_ct_not_inQ threadGet_wp | (rule hoare_post_imp[OF _ rescheduleRequired_sa_cnt], fastforce))+ apply (fastforce simp: obj_at'_def) 
@@ -4192,7 +4191,7 @@ lemma threadSet_tcbState_update_ct_not_inQ[wp]: apply (clarsimp) apply (rule hoare_conjI) apply (rule hoare_weaken_pre) - apply (wps, wp static_imp_wp) + apply (wps, wp hoare_weak_lift_imp) apply (wp OMG_getObject_tcb)+ apply (clarsimp simp: comp_def) apply (wp hoare_drop_imp) @@ -4212,7 +4211,7 @@ lemma threadSet_tcbBoundNotification_update_ct_not_inQ[wp]: apply (rule hoare_conjI) apply (rule hoare_weaken_pre) apply wps - apply (wp static_imp_wp) + apply (wp hoare_weak_lift_imp) apply (wp OMG_getObject_tcb) apply (clarsimp simp: comp_def) apply (wp hoare_drop_imp) diff --git a/proof/refine/AARCH64/Tcb_R.thy b/proof/refine/AARCH64/Tcb_R.thy index 13b188f743..0c2df3888a 100644 --- a/proof/refine/AARCH64/Tcb_R.thy +++ b/proof/refine/AARCH64/Tcb_R.thy @@ -340,7 +340,7 @@ lemma invokeTCB_WriteRegisters_corres: apply (rule_tac P=\ and P'=\ in corres_inst) apply simp apply (wp+)[2] - apply ((wp static_imp_wp restart_invs' + apply ((wp hoare_weak_lift_imp restart_invs' | strengthen valid_sched_weak_strg einvs_valid_etcbs invs_valid_queues' invs_queues invs_weak_sch_act_wf | clarsimp simp: invs_def valid_state_def valid_sched_def invs'_def valid_state'_def 
@@ -450,15 +450,15 @@ proof - apply (rule corres_split[OF corres_when[OF refl rescheduleRequired_corres]]) apply (rule_tac P=\ and P'=\ in corres_inst) apply simp - apply (solves \wp static_imp_wp\)+ + apply (solves \wp hoare_weak_lift_imp\)+ apply (rule_tac Q="\_. einvs and tcb_at dest" in hoare_post_imp) apply (clarsimp simp: invs_def valid_state_def valid_pspace_def valid_sched_weak_strg valid_sched_def) prefer 2 apply (rule_tac Q="\_. invs' and tcb_at' dest" in hoare_post_imp) apply (clarsimp simp: invs'_def valid_state'_def invs_weak_sch_act_wf cur_tcb'_def) - apply ((wp mapM_x_wp' static_imp_wp | simp+)+)[4] - apply ((wp static_imp_wp restart_invs' | wpc | clarsimp simp: if_apply_def2)+)[2] - apply (wp suspend_nonz_cap_to_tcb static_imp_wp | simp add: if_apply_def2)+ + apply ((wp mapM_x_wp' hoare_weak_lift_imp | simp+)+)[4] + apply ((wp hoare_weak_lift_imp restart_invs' | wpc | clarsimp simp: if_apply_def2)+)[2] + apply (wp suspend_nonz_cap_to_tcb hoare_weak_lift_imp | simp add: if_apply_def2)+ apply (fastforce simp: invs_def valid_state_def valid_pspace_def dest!: idle_no_ex_cap) by (fastforce simp: invs'_def valid_state'_def dest!: global'_no_ex_cap) @@ -632,7 +632,7 @@ lemma sp_corres2: apply (rule rescheduleRequired_corres) apply (rule possibleSwitchTo_corres) apply ((clarsimp - | wp static_imp_wp hoare_vcg_if_lift hoare_wp_combs gts_wp + | wp hoare_weak_lift_imp hoare_vcg_if_lift hoare_wp_combs gts_wp isRunnable_wp)+)[4] apply (wp hoare_vcg_imp_lift' hoare_vcg_if_lift hoare_vcg_all_lift) apply clarsimp 
@@ -1617,30 +1617,30 @@ lemma tc_invs': apply (simp only: eq_commute[where a="a"]) apply (rule hoare_walk_assmsE) apply (clarsimp simp: pred_conj_def option.splits [where P="\x. x s" for s]) - apply ((wp case_option_wp threadSet_invs_trivial static_imp_wp + apply ((wp case_option_wp threadSet_invs_trivial hoare_weak_lift_imp hoare_vcg_all_lift threadSet_cap_to' | clarsimp simp: inQ_def)+)[2] apply (rule hoare_walk_assmsE) apply (clarsimp simp: pred_conj_def option.splits [where P="\x. x s" for s]) - apply ((wp case_option_wp threadSet_invs_trivial static_imp_wp setMCPriority_invs' + apply ((wp case_option_wp threadSet_invs_trivial hoare_weak_lift_imp setMCPriority_invs' typ_at_lifts[OF setMCPriority_typ_at'] hoare_vcg_all_lift threadSet_cap_to' | clarsimp simp: inQ_def)+)[2] - apply (wp add: setP_invs' static_imp_wp hoare_vcg_all_lift)+ + apply (wp add: setP_invs' hoare_weak_lift_imp hoare_vcg_all_lift)+ apply (rule case_option_wp_None_return[OF setP_invs'[simplified pred_conj_assoc]]) apply clarsimp apply wpfix apply assumption apply (rule case_option_wp_None_returnOk) - apply (wpsimp wp: static_imp_wp hoare_vcg_all_lift + apply (wpsimp wp: hoare_weak_lift_imp hoare_vcg_all_lift checkCap_inv[where P="tcb_at' t" for t] assertDerived_wp_weak threadSet_invs_trivial2 threadSet_tcb' hoare_vcg_all_lift threadSet_cte_wp_at')+ - apply (wpsimp wp: static_imp_wpE cteDelete_deletes + apply (wpsimp wp: hoare_weak_lift_imp_R cteDelete_deletes hoare_vcg_all_lift_R hoare_vcg_conj_liftE1 hoare_vcg_const_imp_lift_R hoare_vcg_propE_R cteDelete_invs' cteDelete_invs' cteDelete_typ_at'_lifts)+ apply (assumption | clarsimp cong: conj_cong imp_cong | (rule case_option_wp_None_returnOk) - | wpsimp wp: static_imp_wp hoare_vcg_all_lift checkCap_inv[where P="tcb_at' t" for t] assertDerived_wp_weak + | wpsimp wp: hoare_weak_lift_imp hoare_vcg_all_lift checkCap_inv[where P="tcb_at' t" for t] assertDerived_wp_weak hoare_vcg_imp_lift' hoare_vcg_all_lift checkCap_inv[where P="tcb_at' t" for t] 
checkCap_inv[where P="valid_cap' c" for c] checkCap_inv[where P=sch_act_simple] - hoare_vcg_const_imp_lift_R assertDerived_wp_weak static_imp_wpE cteDelete_deletes + hoare_vcg_const_imp_lift_R assertDerived_wp_weak hoare_weak_lift_imp_R cteDelete_deletes hoare_vcg_all_lift_R hoare_vcg_conj_liftE1 hoare_vcg_const_imp_lift_R hoare_vcg_propE_R cteDelete_invs' cteDelete_typ_at'_lifts cteDelete_sch_act_simple)+ apply (clarsimp simp: tcb_cte_cases_def cte_level_bits_def objBits_defs tcbIPCBufferSlot_def) @@ -2670,7 +2670,7 @@ lemma restart_makes_simple': \\rv. st_tcb_at' simple' t\" apply (simp add: restart_def) apply (wp sts_st_tcb_at'_cases cancelIPC_simple - cancelIPC_st_tcb_at static_imp_wp | simp)+ + cancelIPC_st_tcb_at hoare_weak_lift_imp | simp)+ apply (rule hoare_strengthen_post [OF isStopped_inv]) prefer 2 apply assumption diff --git a/proof/refine/AARCH64/orphanage/Orphanage.thy b/proof/refine/AARCH64/orphanage/Orphanage.thy index ef571c05b1..ec109368d7 100644 --- a/proof/refine/AARCH64/orphanage/Orphanage.thy +++ b/proof/refine/AARCH64/orphanage/Orphanage.thy @@ -446,7 +446,7 @@ lemma rescheduleRequired_no_orphans [wp]: \ \rv s. no_orphans s \" unfolding rescheduleRequired_def apply (wp tcbSchedEnqueue_no_orphans hoare_vcg_all_lift ssa_no_orphans | wpc | clarsimp)+ - apply (wps tcbSchedEnqueue_nosch, wp static_imp_wp) + apply (wps tcbSchedEnqueue_nosch, wp hoare_weak_lift_imp) apply (rename_tac word t p) apply (rule_tac P="word = t" in hoare_gen_asm) apply (wp hoare_disjI1 | clarsimp)+ @@ -458,7 +458,7 @@ lemma rescheduleRequired_almost_no_orphans [wp]: \ \rv s. almost_no_orphans tcb_ptr s \" unfolding rescheduleRequired_def apply (wp tcbSchedEnqueue_almost_no_orphans_lift hoare_vcg_all_lift | wpc | clarsimp)+ - apply (wps tcbSchedEnqueue_nosch, wp static_imp_wp) + apply (wps tcbSchedEnqueue_nosch, wp hoare_weak_lift_imp) apply (rename_tac word t p) apply (rule_tac P="word = t" in hoare_gen_asm) apply (wp hoare_disjI1 | clarsimp)+ 
@@ -1078,7 +1078,7 @@ proof - apply (rule_tac Q="\_ s. (t = candidate \ ksCurThread s = candidate) \ (t \ candidate \ sch_act_not t s)" in hoare_post_imp) - apply (wpsimp wp: stt_nosch static_imp_wp)+ + apply (wpsimp wp: stt_nosch hoare_weak_lift_imp)+ apply (fastforce dest!: in_all_active_tcb_ptrsD simp: all_queued_tcb_ptrs_def comp_def) done @@ -1207,7 +1207,7 @@ lemma possibleSwitchTo_almost_no_orphans [wp]: \ \rv s. no_orphans s \" unfolding possibleSwitchTo_def by (wp rescheduleRequired_valid_queues'_weak tcbSchedEnqueue_almost_no_orphans - ssa_almost_no_orphans static_imp_wp + ssa_almost_no_orphans hoare_weak_lift_imp | wpc | clarsimp | wp (once) hoare_drop_imp)+ @@ -1967,7 +1967,7 @@ lemma writereg_no_orphans: unfolding invokeTCB_def performTransfer_def postModifyRegisters_def apply simp apply (rule hoare_pre) - by (wp hoare_vcg_if_lift hoare_vcg_conj_lift restart_invs' static_imp_wp + by (wp hoare_vcg_if_lift hoare_vcg_conj_lift restart_invs' hoare_weak_lift_imp | strengthen invs_valid_queues' | clarsimp simp: invs'_def valid_state'_def dest!: global'_no_ex_cap )+ lemma copyreg_no_orphans: @@ -1977,8 +1977,8 @@ lemma copyreg_no_orphans: \ \rv s. no_orphans s \" unfolding invokeTCB_def performTransfer_def postModifyRegisters_def apply simp - apply (wp hoare_vcg_if_lift static_imp_wp) - apply (wp static_imp_wp hoare_vcg_conj_lift hoare_drop_imp mapM_x_wp' restart_invs' + apply (wp hoare_vcg_if_lift hoare_weak_lift_imp) + apply (wp hoare_weak_lift_imp hoare_vcg_conj_lift hoare_drop_imp mapM_x_wp' restart_invs' restart_no_orphans asUser_no_orphans suspend_nonz_cap_to_tcb | strengthen invs_valid_queues' | wpc | simp add: if_apply_def2)+ apply (fastforce simp: invs'_def valid_state'_def dest!: global'_no_ex_cap) 
@@ -1990,7 +1990,7 @@ lemma settlsbase_no_orphans: \ \rv s. no_orphans s \" unfolding invokeTCB_def performTransfer_def apply simp - apply (wp hoare_vcg_if_lift static_imp_wp) + apply (wp hoare_vcg_if_lift hoare_weak_lift_imp) apply (wpsimp wp: hoare_vcg_imp_lift' mapM_x_wp' asUser_no_orphans)+ done @@ -2056,19 +2056,19 @@ lemma tc_no_orphans: apply (rule hoare_walk_assmsE) apply (clarsimp simp: pred_conj_def option.splits[where P="\x. x s" for s]) apply ((wp case_option_wp threadSet_no_orphans threadSet_invs_trivial - threadSet_cap_to' hoare_vcg_all_lift static_imp_wp | clarsimp simp: inQ_def)+)[2] + threadSet_cap_to' hoare_vcg_all_lift hoare_weak_lift_imp | clarsimp simp: inQ_def)+)[2] apply (rule hoare_walk_assmsE) apply (cases mcp; clarsimp simp: pred_conj_def option.splits[where P="\x. x s" for s]) apply ((wp case_option_wp threadSet_no_orphans threadSet_invs_trivial setMCPriority_invs' typ_at_lifts[OF setMCPriority_typ_at'] - threadSet_cap_to' hoare_vcg_all_lift static_imp_wp | clarsimp simp: inQ_def)+)[3] + threadSet_cap_to' hoare_vcg_all_lift hoare_weak_lift_imp | clarsimp simp: inQ_def)+)[3] apply ((simp only: simp_thms cong: conj_cong | wp cteDelete_deletes cteDelete_invs' cteDelete_sch_act_simple case_option_wp[where m'="return ()", OF setPriority_no_orphans return_inv,simplified] checkCap_inv[where P="valid_cap' c" for c] checkCap_inv[where P=sch_act_simple] checkCap_inv[where P=no_orphans] checkCap_inv[where P="tcb_at' a"] threadSet_cte_wp_at' hoare_vcg_all_lift_R hoare_vcg_all_lift threadSet_no_orphans - hoare_vcg_const_imp_lift_R static_imp_wp hoare_drop_imp threadSet_ipcbuffer_invs + hoare_vcg_const_imp_lift_R hoare_weak_lift_imp hoare_drop_imp threadSet_ipcbuffer_invs | strengthen invs_valid_queues' | (simp add: locateSlotTCB_def locateSlotBasic_def objBits_def objBitsKO_def tcbIPCBufferSlot_def tcb_cte_cases_def, 
@@ -2152,7 +2152,7 @@ lemma performPageInvocation_no_orphans [wp]: apply (simp add: performPageInvocation_def cong: page_invocation.case_cong) apply (rule hoare_pre) - apply (wp mapM_x_wp' mapM_wp' static_imp_wp | wpc | clarsimp)+ + apply (wp mapM_x_wp' mapM_wp' hoare_weak_lift_imp | wpc | clarsimp)+ done crunch no_orphans [wp]: handleVMFault "no_orphans" @@ -2178,7 +2178,7 @@ lemma performARMVCPUInvocation_no_orphans [wp]: apply (simp add: performARMVCPUInvocation_def cong: page_invocation.case_cong) apply (rule hoare_pre) - apply (wp mapM_x_wp' mapM_wp' static_imp_wp | wpc | clarsimp)+ + apply (wp mapM_x_wp' mapM_wp' hoare_weak_lift_imp | wpc | clarsimp)+ done lemma performASIDControlInvocation_no_orphans [wp]: @@ -2232,13 +2232,13 @@ lemma performASIDControlInvocation_no_orphans [wp]: \\reply. no_orphans\" apply (clarsimp simp: performASIDControlInvocation_def split: asidcontrol_invocation.splits) - apply (wp static_imp_wp | clarsimp)+ + apply (wp hoare_weak_lift_imp | clarsimp)+ apply (rule_tac Q="\rv s. no_orphans s" in hoare_post_imp) apply (clarsimp simp: no_orphans_def all_active_tcb_ptrs_def is_active_tcb_ptr_def all_queued_tcb_ptrs_def) apply (wp | clarsimp simp:placeNewObject_def2)+ apply (wp createObjects'_wp_subst)+ - apply (wp static_imp_wp updateFreeIndex_pspace_no_overlap'[where sz= pageBits] getSlotCap_wp | simp)+ + apply (wp hoare_weak_lift_imp updateFreeIndex_pspace_no_overlap'[where sz= pageBits] getSlotCap_wp | simp)+ apply (strengthen invs_pspace_aligned' invs_pspace_distinct' invs_valid_pspace') apply (clarsimp simp:conj_comms) apply (wp deleteObjects_invs'[where idx = idx and d=False] diff --git a/proof/refine/ARM/Arch_R.thy b/proof/refine/ARM/Arch_R.thy index 675d47d274..99153796fb 100644 --- a/proof/refine/ARM/Arch_R.thy +++ b/proof/refine/ARM/Arch_R.thy 
@@ -1183,13 +1183,13 @@ lemma performASIDControlInvocation_tcb_at': apply (rule hoare_name_pre_state) apply (clarsimp simp: performASIDControlInvocation_def split: asidcontrol_invocation.splits) apply (clarsimp simp: valid_aci'_def cte_wp_at_ctes_of cong: conj_cong) - apply (wp static_imp_wp |simp add:placeNewObject_def2)+ - apply (wp createObjects_orig_obj_at2' updateFreeIndex_pspace_no_overlap' getSlotCap_wp static_imp_wp)+ + apply (wp hoare_weak_lift_imp |simp add:placeNewObject_def2)+ + apply (wp createObjects_orig_obj_at2' updateFreeIndex_pspace_no_overlap' getSlotCap_wp hoare_weak_lift_imp)+ apply (clarsimp simp: projectKO_opts_defs) apply (strengthen st_tcb_strg' [where P=\]) apply (wp deleteObjects_invs_derivatives[where p="makePoolParent aci"] hoare_vcg_ex_lift deleteObjects_cte_wp_at'[where d=False] - deleteObjects_st_tcb_at'[where p="makePoolParent aci"] static_imp_wp + deleteObjects_st_tcb_at'[where p="makePoolParent aci"] hoare_weak_lift_imp updateFreeIndex_pspace_no_overlap' deleteObject_no_overlap[where d=False])+ apply (case_tac ctea) apply (clarsimp) @@ -1853,7 +1853,7 @@ lemma performASIDControlInvocation_invs' [wp]: updateFreeIndex_caps_no_overlap'' updateFreeIndex_descendants_of2 updateFreeIndex_caps_overlap_reserved - updateCap_cte_wp_at_cases static_imp_wp + updateCap_cte_wp_at_cases hoare_weak_lift_imp getSlotCap_wp)+ apply (clarsimp simp:conj_comms ex_disj_distrib is_aligned_mask | strengthen invs_valid_pspace' invs_pspace_aligned' diff --git a/proof/refine/ARM/CNodeInv_R.thy b/proof/refine/ARM/CNodeInv_R.thy index 7ff554587a..3459ade0a2 100644 --- a/proof/refine/ARM/CNodeInv_R.thy +++ b/proof/refine/ARM/CNodeInv_R.thy 
@@ -4862,7 +4862,7 @@ lemma cteSwap_iflive'[wp]: simp only: if_live_then_nonz_cap'_def imp_conv_disj ex_nonz_cap_to'_def) apply (wp hoare_vcg_all_lift hoare_vcg_disj_lift - hoare_vcg_ex_lift updateCap_cte_wp_at_cases static_imp_wp)+ + hoare_vcg_ex_lift updateCap_cte_wp_at_cases hoare_weak_lift_imp)+ apply (clarsimp simp: cte_wp_at_ctes_of) apply (drule(1) if_live_then_nonz_capE') apply (clarsimp simp: ex_nonz_cap_to'_def cte_wp_at_ctes_of) @@ -5741,7 +5741,7 @@ lemma cteSwap_cte_wp_cteCap: apply simp apply (wp hoare_drop_imps)[1] apply (wp updateMDB_weak_cte_wp_at updateCap_cte_wp_at_cases - getCTE_wp' hoare_vcg_all_lift static_imp_wp)+ + getCTE_wp' hoare_vcg_all_lift hoare_weak_lift_imp)+ apply simp apply (clarsimp simp: o_def) done @@ -5755,7 +5755,7 @@ lemma capSwap_cte_wp_cteCap: apply(simp add: capSwapForDelete_def) apply(wp) apply(rule cteSwap_cte_wp_cteCap) - apply(wp getCTE_wp getCTE_cte_wp_at static_imp_wp)+ + apply(wp getCTE_wp getCTE_cte_wp_at hoare_weak_lift_imp)+ apply(clarsimp) apply(rule conjI) apply(simp add: cte_at_cte_wp_atD) @@ -6233,7 +6233,7 @@ proof (induct arbitrary: P p rule: finalise_spec_induct2) apply clarsimp apply (case_tac "cteCap rv", simp_all add: isCap_simps final_matters'_def)[1] - apply (wp isFinalCapability_inv static_imp_wp | simp | wp (once) isFinal[where x=sl])+ + apply (wp isFinalCapability_inv hoare_weak_lift_imp | simp | wp (once) isFinal[where x=sl])+ apply (wp getCTE_wp') apply (clarsimp simp: cte_wp_at_ctes_of) apply (rule conjI, clarsimp simp: removeable'_def) 
@@ -7016,18 +7016,18 @@ next apply simp apply ((wp replace_cap_invs final_cap_same_objrefs set_cap_cte_wp_at set_cap_cte_cap_wp_to - hoare_vcg_const_Ball_lift static_imp_wp + hoare_vcg_const_Ball_lift hoare_weak_lift_imp | simp add: conj_comms | erule finalise_cap_not_reply_master [simplified])+)[1] apply (simp(no_asm_use)) apply (wp make_zombie_invs' updateCap_cap_to' updateCap_cte_wp_at_cases - static_imp_wp)+ + hoare_weak_lift_imp)+ apply (elim conjE, strengthen subst[where P="cap_relation cap" for cap, mk_strg I _ E]) apply simp apply (wp make_zombie_invs' updateCap_cap_to' updateCap_cte_wp_at_cases - static_imp_wp)+ + hoare_weak_lift_imp)+ apply clarsimp apply (drule_tac cap=a in cap_relation_removables, clarsimp, assumption+) @@ -7069,7 +7069,7 @@ next apply (clarsimp dest!: isCapDs simp: cte_wp_at_ctes_of) apply (case_tac "cteCap rv'", auto simp add: isCap_simps is_cap_simps final_matters'_def)[1] - apply (wp isFinalCapability_inv static_imp_wp + apply (wp isFinalCapability_inv hoare_weak_lift_imp | simp add: is_final_cap_def conj_comms cte_wp_at_eq_simp)+ apply (rule isFinal[where x="cte_map slot"]) apply (wp get_cap_wp| simp add: conj_comms)+ @@ -7210,7 +7210,7 @@ next apply (rule updateCap_corres) apply simp apply (simp add: is_cap_simps) - apply (rule_tac Q="\rv. cte_at' (cte_map ?target)" in valid_prove_more) + apply (rule_tac R="\rv. cte_at' (cte_map ?target)" in hoare_post_add) apply (wp, (wp getCTE_wp)+) apply (clarsimp simp: cte_wp_at_ctes_of) apply (rule no_fail_pre, wp, simp) @@ -8345,7 +8345,7 @@ lemma cteMove_iflive'[wp]: ex_nonz_cap_to'_def) apply (wp hoare_vcg_all_lift hoare_vcg_disj_lift hoare_vcg_ex_lift updateCap_cte_wp_at_cases - getCTE_wp static_imp_wp)+ + getCTE_wp hoare_weak_lift_imp)+ apply (clarsimp simp: cte_wp_at_ctes_of) apply (drule(1) if_live_then_nonz_capE') apply (clarsimp simp: ex_nonz_cap_to'_def cte_wp_at_ctes_of) 
@@ -8523,7 +8523,7 @@ lemma cteMove_cte_wp_at: \\_ s. cte_wp_at' (\c. Q (cteCap c)) ptr s\" unfolding cteMove_def apply (fold o_def) - apply (wp updateCap_cte_wp_at_cases updateMDB_weak_cte_wp_at getCTE_wp static_imp_wp|simp add: o_def)+ + apply (wp updateCap_cte_wp_at_cases updateMDB_weak_cte_wp_at getCTE_wp hoare_weak_lift_imp|simp add: o_def)+ apply (clarsimp simp: cte_wp_at_ctes_of) done diff --git a/proof/refine/ARM/CSpace1_R.thy b/proof/refine/ARM/CSpace1_R.thy index 8302a3c9fe..8e10bb1125 100644 --- a/proof/refine/ARM/CSpace1_R.thy +++ b/proof/refine/ARM/CSpace1_R.thy @@ -911,7 +911,7 @@ lemma cteInsert_weak_cte_wp_at: \\uu. cte_wp_at'(\c. P (cteCap c)) p\" unfolding cteInsert_def error_def updateCap_def setUntypedCapAsFull_def apply (simp add: bind_assoc split del: if_split) - apply (wp setCTE_weak_cte_wp_at updateMDB_weak_cte_wp_at static_imp_wp | simp)+ + apply (wp setCTE_weak_cte_wp_at updateMDB_weak_cte_wp_at hoare_weak_lift_imp | simp)+ apply (wp getCTE_ctes_wp)+ apply (clarsimp simp: isCap_simps split:if_split_asm| rule conjI)+ done diff --git a/proof/refine/ARM/Detype_R.thy b/proof/refine/ARM/Detype_R.thy index d5fefed2cf..a6ee0813ae 100644 --- a/proof/refine/ARM/Detype_R.thy +++ b/proof/refine/ARM/Detype_R.thy @@ -1982,13 +1982,13 @@ lemma cte_wp_at_top: apply (simp add:alignCheck_def bind_def alignError_def fail_def return_def objBits_simps magnitudeCheck_def in_monad is_aligned_mask - when_def split:option.splits) + when_def unless_def split:option.splits) apply (intro conjI impI allI,simp_all add:not_le) apply (clarsimp simp:cte_check_def) apply (simp add:alignCheck_def bind_def alignError_def fail_def return_def objBits_simps magnitudeCheck_def in_monad is_aligned_mask - when_def split:option.splits) + when_def unless_def split:option.splits) apply (intro conjI impI allI,simp_all add:not_le) apply (simp add:typeError_def fail_def cte_check_def split:Structures_H.kernel_object.splits)+ 
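Review bot: The `unless_def` added to both simp sets in cte_wp_at_top (proof/refine/ARM/Detype_R.thy, `@@ -1982,13 +1982,13 @@`) is the one change in this chunk that is not a lemma rename, and nothing in the hunk says which definition now unfolds through `unless`; presumably `alignCheck`, `magnitudeCheck` or a helper they call was restated in the monad library. Naming that definition in the commit description, or in a short comment above the first `apply (simp add:alignCheck_def ...)` such as `(* unless_def: <DEFINITION-THAT-CHANGED> is now stated with unless after the nondet-monad update *)`, would keep the proof readable the next time the monad changes. The lemma statement and the start of this proof lie outside the hunk.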
diff --git a/proof/refine/ARM/Finalise_R.thy b/proof/refine/ARM/Finalise_R.thy index f14abde014..d9e5c3fd04 100644 --- a/proof/refine/ARM/Finalise_R.thy +++ b/proof/refine/ARM/Finalise_R.thy @@ -1533,7 +1533,7 @@ lemma emptySlot_corres: defer apply wpsimp+ apply (rule corres_no_failI) - apply (rule no_fail_pre, wp static_imp_wp) + apply (rule no_fail_pre, wp hoare_weak_lift_imp) apply (clarsimp simp: cte_wp_at_ctes_of valid_pspace'_def) apply (clarsimp simp: valid_mdb'_def valid_mdb_ctes_def) apply (rule conjI, clarsimp) @@ -3240,7 +3240,7 @@ lemma cteDeleteOne_invs[wp]: subgoal by auto subgoal by (auto dest!: isCapDs simp: pred_tcb_at'_def obj_at'_def projectKOs ko_wp_at'_def) - apply (wp isFinalCapability_inv getCTE_wp' static_imp_wp + apply (wp isFinalCapability_inv getCTE_wp' hoare_weak_lift_imp | wp (once) isFinal[where x=ptr])+ apply (fastforce simp: cte_wp_at_ctes_of) done diff --git a/proof/refine/ARM/Interrupt_R.thy b/proof/refine/ARM/Interrupt_R.thy index 202bf76367..7394b96018 100644 --- a/proof/refine/ARM/Interrupt_R.thy +++ b/proof/refine/ARM/Interrupt_R.thy @@ -696,7 +696,7 @@ lemma timerTick_corres: apply (simp add:decDomainTime_def) apply wp apply (wp|wpc|unfold Let_def|simp)+ - apply (wp static_imp_wp threadSet_timeslice_invs threadSet_valid_queues threadSet_valid_queues' + apply (wp hoare_weak_lift_imp threadSet_timeslice_invs threadSet_valid_queues threadSet_valid_queues' threadSet_pred_tcb_at_state threadSet_weak_sch_act_wf tcbSchedAppend_valid_objs' rescheduleRequired_weak_sch_act_wf tcbSchedAppend_valid_queues| simp)+ apply (strengthen sch_act_wf_weak) diff --git a/proof/refine/ARM/Ipc_R.thy b/proof/refine/ARM/Ipc_R.thy index 7b973a8134..bbbdfc219c 100644 --- a/proof/refine/ARM/Ipc_R.thy +++ b/proof/refine/ARM/Ipc_R.thy 
@@ -306,7 +306,7 @@ lemma cteInsert_cte_wp_at: cteInsert cap src dest \\uu. cte_wp_at' (\c. P (cteCap c)) p\" apply (simp add: cteInsert_def) - apply (wp updateMDB_weak_cte_wp_at updateCap_cte_wp_at_cases getCTE_wp static_imp_wp + apply (wp updateMDB_weak_cte_wp_at updateCap_cte_wp_at_cases getCTE_wp hoare_weak_lift_imp | clarsimp simp: comp_def | unfold setUntypedCapAsFull_def)+ apply (drule cte_at_cte_wp_atD) @@ -350,7 +350,7 @@ lemma cteInsert_weak_cte_wp_at3: else cte_wp_at' (\c. P (cteCap c)) p s\ cteInsert cap src dest \\uu. cte_wp_at' (\c. P (cteCap c)) p\" - by (wp updateMDB_weak_cte_wp_at updateCap_cte_wp_at_cases getCTE_wp' static_imp_wp + by (wp updateMDB_weak_cte_wp_at updateCap_cte_wp_at_cases getCTE_wp' hoare_weak_lift_imp | clarsimp simp: comp_def cteInsert_def | unfold setUntypedCapAsFull_def | auto simp: cte_wp_at'_def dest!: imp)+ @@ -570,7 +570,7 @@ lemma cteInsert_cte_cap_to': apply (rule hoare_use_eq_irq_node' [OF cteInsert_ksInterruptState]) apply (clarsimp simp:cteInsert_def) apply (wp hoare_vcg_ex_lift updateMDB_weak_cte_wp_at updateCap_cte_wp_at_cases - setUntypedCapAsFull_cte_wp_at getCTE_wp static_imp_wp) + setUntypedCapAsFull_cte_wp_at getCTE_wp hoare_weak_lift_imp) apply (clarsimp simp:cte_wp_at_ctes_of) apply (rule_tac x = "cref" in exI) apply (rule conjI) @@ -613,7 +613,7 @@ lemma cteInsert_weak_cte_wp_at2: apply (rule hoare_use_eq_irq_node' [OF cteInsert_ksInterruptState]) apply (clarsimp simp:cteInsert_def) apply (wp hoare_vcg_ex_lift updateMDB_weak_cte_wp_at updateCap_cte_wp_at_cases - setUntypedCapAsFull_cte_wp_at getCTE_wp static_imp_wp) + setUntypedCapAsFull_cte_wp_at getCTE_wp hoare_weak_lift_imp) apply (clarsimp simp:cte_wp_at_ctes_of weak) apply auto done 
@@ -646,11 +646,11 @@ lemma transferCapsToSlots_presM: apply (wp eb hoare_vcg_const_Ball_lift hoare_vcg_const_imp_lift | assumption | wpc)+ apply (rule cteInsert_assume_Null) - apply (wp x hoare_vcg_const_Ball_lift cteInsert_cte_cap_to' static_imp_wp) + apply (wp x hoare_vcg_const_Ball_lift cteInsert_cte_cap_to' hoare_weak_lift_imp) apply (rule cteInsert_weak_cte_wp_at2,clarsimp) - apply (wp hoare_vcg_const_Ball_lift static_imp_wp)+ + apply (wp hoare_vcg_const_Ball_lift hoare_weak_lift_imp)+ apply (rule cteInsert_weak_cte_wp_at2,clarsimp) - apply (wp hoare_vcg_const_Ball_lift cteInsert_cte_wp_at static_imp_wp + apply (wp hoare_vcg_const_Ball_lift cteInsert_cte_wp_at hoare_weak_lift_imp deriveCap_derived_foo)+ apply (thin_tac "\slots. PROP P slots" for P) apply (clarsimp simp: cte_wp_at_ctes_of remove_rights_def @@ -1034,7 +1034,7 @@ lemma transferCaps_corres: apply (rule corres_rel_imp, rule transferCapsToSlots_corres, simp_all add: split_def)[1] apply (case_tac info, simp) - apply (wp hoare_vcg_all_lift get_rs_cte_at static_imp_wp + apply (wp hoare_vcg_all_lift get_rs_cte_at hoare_weak_lift_imp | simp only: ball_conj_distrib)+ apply (simp add: cte_map_def tcb_cnode_index_def split_def) apply (clarsimp simp: valid_pspace'_def valid_ipc_buffer_ptr'_def2 @@ -1407,7 +1407,7 @@ lemma doNormalTransfer_corres: hoare_valid_ipc_buffer_ptr_typ_at' copyMRs_typ_at' hoare_vcg_const_Ball_lift lookupExtraCaps_length | simp add: if_apply_def2)+) - apply (wp static_imp_wp | strengthen valid_msg_length_strengthen)+ + apply (wp hoare_weak_lift_imp | strengthen valid_msg_length_strengthen)+ apply clarsimp apply auto done 
@@ -2130,7 +2130,7 @@ lemma doReplyTransfer_corres: apply simp apply (fold dc_def, rule possibleSwitchTo_corres) apply simp - apply (wp static_imp_wp static_imp_conj_wp set_thread_state_runnable_weak_valid_sched_action sts_st_tcb_at' + apply (wp hoare_weak_lift_imp hoare_weak_lift_imp_conj set_thread_state_runnable_weak_valid_sched_action sts_st_tcb_at' sts_st_tcb' sts_valid_queues | simp | force simp: valid_sched_def valid_sched_action_def valid_tcb_state'_def)+ apply (rule corres_guard_imp) apply (rule setThreadState_corres) @@ -2231,15 +2231,15 @@ lemma setupCallerCap_corres: tcb_cnode_index_def cte_level_bits_def) apply (simp add: cte_map_def tcbCallerSlot_def tcb_cnode_index_def cte_level_bits_def) - apply (rule_tac Q="\rv. cte_at' (receiver + 2 ^ cte_level_bits * tcbCallerSlot)" - in valid_prove_more) + apply (rule_tac R="\rv. cte_at' (receiver + 2 ^ cte_level_bits * tcbCallerSlot)" + in hoare_post_add) apply (wp, (wp getSlotCap_wp)+) apply blast apply (rule no_fail_pre, wp) apply (clarsimp simp: cte_wp_at'_def cte_at'_def) - apply (rule_tac Q="\rv. cte_at' (sender + 2 ^ cte_level_bits * tcbReplySlot)" - in valid_prove_more) + apply (rule_tac R="\rv. cte_at' (sender + 2 ^ cte_level_bits * tcbReplySlot)" + in hoare_post_add) apply (wp, (wp getCTE_wp')+) apply blast apply (rule no_fail_pre, wp) @@ -2296,7 +2296,7 @@ lemma possibleSwitchTo_weak_sch_act_wf[wp]: bitmap_fun_defs) apply (wp rescheduleRequired_weak_sch_act_wf weak_sch_act_wf_lift_linear[where f="tcbSchedEnqueue t"] - getObject_tcb_wp static_imp_wp + getObject_tcb_wp hoare_weak_lift_imp | wpc)+ apply (clarsimp simp: obj_at'_def projectKOs weak_sch_act_wf_def ps_clear_def tcb_in_cur_domain'_def) done 
@@ -2663,7 +2663,7 @@ lemma possibleSwitchTo_sch_act[wp]: possibleSwitchTo t \\rv s. sch_act_wf (ksSchedulerAction s) s\" apply (simp add: possibleSwitchTo_def curDomain_def bitmap_fun_defs) - apply (wp static_imp_wp threadSet_sch_act setQueue_sch_act threadGet_wp + apply (wp hoare_weak_lift_imp threadSet_sch_act setQueue_sch_act threadGet_wp | simp add: unless_def | wpc)+ apply (auto simp: obj_at'_def projectKOs tcb_in_cur_domain'_def) done @@ -2684,7 +2684,7 @@ lemma possibleSwitchTo_ksQ': possibleSwitchTo t \\_ s. t' \ set (ksReadyQueues s p)\" apply (simp add: possibleSwitchTo_def curDomain_def bitmap_fun_defs) - apply (wp static_imp_wp rescheduleRequired_ksQ' tcbSchedEnqueue_ksQ threadGet_wp + apply (wp hoare_weak_lift_imp rescheduleRequired_ksQ' tcbSchedEnqueue_ksQ threadGet_wp | wpc | simp split del: if_split)+ apply (auto simp: obj_at'_def) @@ -2696,7 +2696,7 @@ lemma possibleSwitchTo_valid_queues'[wp]: possibleSwitchTo t \\rv. valid_queues'\" apply (simp add: possibleSwitchTo_def curDomain_def bitmap_fun_defs) - apply (wp static_imp_wp threadGet_wp | wpc | simp)+ + apply (wp hoare_weak_lift_imp threadGet_wp | wpc | simp)+ apply (auto simp: obj_at'_def) done @@ -3660,7 +3660,7 @@ lemma completeSignal_invs: \ ((\y. ntfnBoundTCB ntfn = Some y) \ ex_nonz_cap_to' ntfnptr s) \ ntfnptr \ ksIdleThread s" in hoare_strengthen_post) - apply ((wp hoare_vcg_ex_lift static_imp_wp | wpc | simp add: valid_ntfn'_def)+)[1] + apply ((wp hoare_vcg_ex_lift hoare_weak_lift_imp | wpc | simp add: valid_ntfn'_def)+)[1] apply (clarsimp simp: obj_at'_def state_refs_of'_def typ_at'_def ko_wp_at'_def projectKOs split: option.splits) apply (blast dest: ntfn_q_refs_no_bound_refs') apply wp 
@@ -3878,7 +3878,7 @@ lemma rai_invs'[wp]: \ \ep = ActiveNtfn\ apply (simp add: invs'_def valid_state'_def) apply (rule hoare_pre) - apply (wp valid_irq_node_lift sts_valid_objs' typ_at_lifts static_imp_wp + apply (wp valid_irq_node_lift sts_valid_objs' typ_at_lifts hoare_weak_lift_imp asUser_urz | simp add: valid_ntfn'_def)+ apply (clarsimp simp: pred_tcb_at' valid_pspace'_def) @@ -4270,7 +4270,7 @@ lemma sendSignal_st_tcb'_Running: sendSignal ntfnptr bdg \\_. st_tcb_at' (\st. st = Running \ P st) t\" apply (simp add: sendSignal_def) - apply (wp sts_st_tcb_at'_cases cancelIPC_st_tcb_at' gts_wp' getNotification_wp static_imp_wp + apply (wp sts_st_tcb_at'_cases cancelIPC_st_tcb_at' gts_wp' getNotification_wp hoare_weak_lift_imp | wpc | clarsimp simp: pred_tcb_at')+ done diff --git a/proof/refine/ARM/PageTableDuplicates.thy b/proof/refine/ARM/PageTableDuplicates.thy index c9301f170e..2180d5e21e 100644 --- a/proof/refine/ARM/PageTableDuplicates.thy +++ b/proof/refine/ARM/PageTableDuplicates.thy @@ -1613,7 +1613,7 @@ lemma unmapPage_valid_duplicates'[wp]: in mapM_x_storePDE_update_helper[where sz = 6]) apply wp+ apply (clarsimp simp:conj_comms) - apply (wp checkMappingPPtr_inv static_imp_wp)+ + apply (wp checkMappingPPtr_inv hoare_weak_lift_imp)+ apply (clarsimp simp:conj_comms) apply (rule hoare_post_imp_R[where Q'= "\r. pspace_aligned' and (\s. vs_valid_duplicates' (ksPSpace s)) and @@ -1981,7 +1981,7 @@ lemma performArchInvocation_valid_duplicates': apply (clarsimp simp:cte_wp_at_ctes_of) apply (case_tac ctea,clarsimp) apply (frule(1) ctes_of_valid_cap'[OF _ invs_valid_objs']) - apply (wp static_imp_wp|simp)+ + apply (wp hoare_weak_lift_imp|simp)+ apply (simp add:placeNewObject_def) apply (wp |simp add:alignError_def unless_def|wpc)+ apply (wp updateFreeIndex_pspace_no_overlap' hoare_drop_imp 
@@ -2033,11 +2033,11 @@ lemma tc_valid_duplicates': apply (simp only: eq_commute[where a="a"]) apply (rule hoare_walk_assmsE) apply (clarsimp simp: pred_conj_def option.splits [where P="\x. x s" for s]) - apply ((wp case_option_wp threadSet_invs_trivial static_imp_wp + apply ((wp case_option_wp threadSet_invs_trivial hoare_weak_lift_imp hoare_vcg_all_lift threadSet_cap_to' | clarsimp simp: inQ_def)+)[2] apply (rule hoare_walk_assmsE) apply (clarsimp simp: pred_conj_def option.splits [where P="\x. x s" for s]) - apply ((wp case_option_wp threadSet_invs_trivial static_imp_wp setMCPriority_invs' + apply ((wp case_option_wp threadSet_invs_trivial hoare_weak_lift_imp setMCPriority_invs' typ_at_lifts[OF setMCPriority_typ_at'] hoare_vcg_all_lift threadSet_cap_to' | clarsimp simp: inQ_def)+)[2] apply ((simp only: simp_thms cases_simp cong: conj_cong @@ -2051,7 +2051,7 @@ lemma tc_valid_duplicates': checkCap_inv[where P="\s. vs_valid_duplicates' (ksPSpace s)"] checkCap_inv[where P=sch_act_simple] cteDelete_valid_duplicates' hoare_vcg_const_imp_lift_R typ_at_lifts[OF setPriority_typ_at'] assertDerived_wp threadSet_cte_wp_at' - hoare_vcg_all_lift_R hoare_vcg_all_lift static_imp_wp)[1] + hoare_vcg_all_lift_R hoare_vcg_all_lift hoare_weak_lift_imp)[1] | wpc | simp add: inQ_def | wp hoare_vcg_conj_liftE1 cteDelete_invs' cteDelete_deletes hoare_vcg_const_imp_lift)+) diff --git a/proof/refine/ARM/Refine.thy b/proof/refine/ARM/Refine.thy index c94879f165..479aa1e32d 100644 --- a/proof/refine/ARM/Refine.thy +++ b/proof/refine/ARM/Refine.thy @@ -280,7 +280,7 @@ lemma kernel_entry_invs: thread_set_ct_running thread_set_not_state_valid_sched hoare_vcg_disj_lift ct_in_state_thread_state_lift thread_set_no_change_tcb_state call_kernel_domain_time_inv_det_ext call_kernel_domain_list_inv_det_ext - static_imp_wp + hoare_weak_lift_imp | clarsimp simp add: tcb_cap_cases_def active_from_running)+ done 
@@ -422,7 +422,7 @@ lemma kernelEntry_invs': apply (simp add: kernelEntry_def) apply (wp ckernel_invs callKernel_valid_duplicates' callKernel_domain_time_left threadSet_invs_trivial threadSet_ct_running' - TcbAcc_R.dmo_invs' static_imp_wp + TcbAcc_R.dmo_invs' hoare_weak_lift_imp callKernel_domain_time_left | clarsimp simp: user_memory_update_def no_irq_def tcb_at_invs' valid_domain_list'_def)+ @@ -644,7 +644,7 @@ lemma entry_corres: apply (rule hoare_strengthen_post, rule ckernel_invs, simp add: invs'_def cur_tcb'_def) apply (wp thread_set_invs_trivial thread_set_ct_running threadSet_invs_trivial threadSet_ct_running' - thread_set_not_state_valid_sched static_imp_wp + thread_set_not_state_valid_sched hoare_weak_lift_imp hoare_vcg_disj_lift ct_in_state_thread_state_lift | simp add: tcb_cap_cases_def ct_in_state'_def thread_set_no_change_tcb_state | (wps, wp threadSet_st_tcb_at2) )+ diff --git a/proof/refine/ARM/Retype_R.thy b/proof/refine/ARM/Retype_R.thy index 4e2fea3ea0..8888942ed0 100644 --- a/proof/refine/ARM/Retype_R.thy +++ b/proof/refine/ARM/Retype_R.thy @@ -2587,7 +2587,6 @@ lemmas object_splits = declare hoare_in_monad_post[wp del] declare univ_get_wp[wp del] -declare result_in_set_wp[wp del] crunch valid_arch_state'[wp]: copyGlobalMappings "valid_arch_state'" (wp: crunch_wps) @@ -4530,7 +4529,7 @@ proof - apply (simp add: ct_idle_or_in_cur_domain'_def tcb_in_cur_domain'_def) apply (rule hoare_pre) apply (wps a b c d) - apply (wp static_imp_wp e' hoare_vcg_disj_lift) + apply (wp hoare_weak_lift_imp e' hoare_vcg_disj_lift) apply (auto simp: obj_at'_def ct_in_state'_def projectKOs st_tcb_at'_def) done qed diff --git a/proof/refine/ARM/Schedule_R.thy b/proof/refine/ARM/Schedule_R.thy index 8622fbfcf9..1eeb7b4351 100644 --- a/proof/refine/ARM/Schedule_R.thy +++ b/proof/refine/ARM/Schedule_R.thy 
@@ -10,7 +10,7 @@ begin
 context begin interpretation Arch . (*FIXME: arch_split*)
-declare static_imp_wp[wp_split del]
+declare hoare_weak_lift_imp[wp_split del]
 (* Levity: added (20090713 10:04:12) *)
 declare sts_rel_idle [simp]
@@ -466,7 +466,7 @@ lemma ct_idle_or_in_cur_domain'_lift2:
 apply (unfold ct_idle_or_in_cur_domain'_def)
 apply (rule hoare_lift_Pf2[where f=ksCurThread])
 apply (rule hoare_lift_Pf2[where f=ksSchedulerAction])
- apply (wp static_imp_wp hoare_vcg_disj_lift | assumption)+
+ apply (wp hoare_weak_lift_imp hoare_vcg_disj_lift | assumption)+
 done
 lemma tcbSchedEnqueue_invs'[wp]:
@@ -1395,7 +1395,7 @@ lemma switchToIdleThread_invs_no_cicd':
 crunch obj_at'[wp]: "Arch.switchToIdleThread" "\s. obj_at' P t s"
-declare static_imp_conj_wp[wp_split del]
+declare hoare_weak_lift_imp_conj[wp_split del]
 lemma setCurThread_const:
 "\\_. P t \ setCurThread t \\_ s. P (ksCurThread s) \"
diff --git a/proof/refine/ARM/Syscall_R.thy b/proof/refine/ARM/Syscall_R.thy
index cd9070df3a..3f35fa5c05 100644
--- a/proof/refine/ARM/Syscall_R.thy
+++ b/proof/refine/ARM/Syscall_R.thy
@@ -328,7 +328,7 @@ lemma threadSet_tcbDomain_update_sch_act_wf[wp]:
 apply (simp add: threadSet_def)
 apply wp
 apply (wps setObject_sa_unchanged)
- apply (wp static_imp_wp getObject_tcb_wp hoare_vcg_all_lift)+
+ apply (wp hoare_weak_lift_imp getObject_tcb_wp hoare_vcg_all_lift)+
 apply (rename_tac word)
 apply (rule_tac Q="\_ s. ksSchedulerAction s = SwitchToThread word \ st_tcb_at' runnable' word s \ tcb_in_cur_domain' word s \ word \ t"
@@ -679,7 +679,7 @@ proof -
 apply (rule hoare_weaken_pre [OF cteInsert_weak_cte_wp_at3])
 apply (rule PUC,simp)
 apply (clarsimp simp: cte_wp_at_ctes_of)
- apply (wp hoare_vcg_all_lift static_imp_wp | simp add:ball_conj_distrib)+
+ apply (wp hoare_vcg_all_lift hoare_weak_lift_imp | simp add:ball_conj_distrib)+
 done
qed
@@ -798,7 +798,7 @@ lemma doReply_invs[wp]:
 apply assumption
 apply (erule cte_wp_at_weakenE')
 apply (fastforce)
- apply (wp sts_invs_minor'' sts_st_tcb' static_imp_wp)
+ apply (wp sts_invs_minor'' sts_st_tcb' hoare_weak_lift_imp)
 apply (rule_tac Q="\rv s. invs' s \ sch_act_simple s \ st_tcb_at' awaiting_reply' t s \ t \ ksIdleThread s"
@@ -816,7 +816,7 @@ lemma doReply_invs[wp]:
 apply (erule_tac P="\st. awaiting_reply' st \ activatable' st" in pred_tcb'_weakenE)
 apply (case_tac st, clarsimp+)
- apply (wp threadSet_invs_trivial threadSet_st_tcb_at2 static_imp_wp
+ apply (wp threadSet_invs_trivial threadSet_st_tcb_at2 hoare_weak_lift_imp
 | clarsimp simp add: inQ_def)+
 apply (rule_tac Q="\_. invs' and tcb_at' t and sch_act_simple and st_tcb_at' awaiting_reply' t"
@@ -971,7 +971,7 @@ lemma setDomain_invs':
 (\y. domain \ maxDomain))\ setDomain ptr domain \\y. invs'\"
 apply (simp add:setDomain_def )
- apply (wp add: when_wp static_imp_wp static_imp_conj_wp rescheduleRequired_all_invs_but_extra
+ apply (wp add: when_wp hoare_weak_lift_imp hoare_weak_lift_imp_conj rescheduleRequired_all_invs_but_extra
 tcbSchedEnqueue_valid_action hoare_vcg_if_lift2)
 apply (rule_tac Q = "\r s. all_invs_but_sch_extra s \ curThread = ksCurThread s \ (ptr \ curThread \ ct_not_inQ s \ sch_act_wf (ksSchedulerAction s) s \ ct_idle_or_in_cur_domain' s)"
@@ -985,7 +985,7 @@ lemma setDomain_invs':
 prefer 2
 apply clarsimp
 apply assumption
- apply (wp static_imp_wp threadSet_pred_tcb_no_state threadSet_not_curthread_ct_domain
+ apply (wp hoare_weak_lift_imp threadSet_pred_tcb_no_state threadSet_not_curthread_ct_domain
 threadSet_tcbDomain_update_ct_not_inQ | simp)+
 apply (rule_tac Q = "\r s. invs' s \ curThread = ksCurThread s \ sch_act_simple s \ domain \ maxDomain
@@ -1332,7 +1332,7 @@ lemma hinv_invs'[wp]:
 apply (simp add: handleInvocation_def split_def ts_Restart_case_helper')
 apply (wp syscall_valid' setThreadState_nonqueued_state_update rfk_invs'
- hoare_vcg_all_lift static_imp_wp)
+ hoare_vcg_all_lift hoare_weak_lift_imp)
 apply simp
 apply (intro conjI impI)
 apply (wp gts_imp' | simp)+
diff --git a/proof/refine/ARM/TcbAcc_R.thy b/proof/refine/ARM/TcbAcc_R.thy
index 904b4b1162..877aa4285b 100644
--- a/proof/refine/ARM/TcbAcc_R.thy
+++ b/proof/refine/ARM/TcbAcc_R.thy
@@ -11,7 +11,6 @@ begin
 context begin interpretation Arch . (*FIXME: arch_split*)
 declare if_weak_cong [cong]
-declare result_in_set_wp[wp]
 declare hoare_in_monad_post[wp]
 declare trans_state_update'[symmetric,simp]
 declare storeWordUser_typ_at' [wp]
@@ -2318,9 +2317,9 @@ lemma threadSet_queued_sch_act_wf[wp]:
 split: scheduler_action.split)
 apply (wp hoare_vcg_conj_lift)
 apply (simp add: threadSet_def)
- apply (wp static_imp_wp)
+ apply (wp hoare_weak_lift_imp)
 apply (wps setObject_sa_unchanged)
- apply (wp static_imp_wp getObject_tcb_wp)+
+ apply (wp hoare_weak_lift_imp getObject_tcb_wp)+
 apply (clarsimp simp: obj_at'_def)
 apply (wp hoare_vcg_all_lift hoare_vcg_conj_lift hoare_convert_imp)+
 apply (simp add: threadSet_def)
@@ -4023,7 +4022,7 @@ lemma possibleSwitchTo_ct_not_inQ:
 possibleSwitchTo t \\_. ct_not_inQ\" (is "\?PRE\ _ \_\")
 apply (simp add: possibleSwitchTo_def curDomain_def)
- apply (wpsimp wp: static_imp_wp rescheduleRequired_ct_not_inQ tcbSchedEnqueue_ct_not_inQ
+ apply (wpsimp wp: hoare_weak_lift_imp rescheduleRequired_ct_not_inQ tcbSchedEnqueue_ct_not_inQ
 threadGet_wp | (rule hoare_post_imp[OF _ rescheduleRequired_sa_cnt], fastforce))+
 apply (fastforce simp: obj_at'_def)
@@ -4042,7 +4041,7 @@ lemma threadSet_tcbState_update_ct_not_inQ[wp]:
 apply (clarsimp)
 apply (rule hoare_conjI)
 apply (rule hoare_weaken_pre)
- apply (wps, wp static_imp_wp)
+ apply (wps, wp hoare_weak_lift_imp)
 apply (wp OMG_getObject_tcb)+
 apply (clarsimp simp: comp_def)
 apply (wp hoare_drop_imp)
@@ -4062,7 +4061,7 @@ lemma threadSet_tcbBoundNotification_update_ct_not_inQ[wp]:
 apply (rule hoare_conjI)
 apply (rule hoare_weaken_pre)
 apply wps
- apply (wp static_imp_wp)
+ apply (wp hoare_weak_lift_imp)
 apply (wp OMG_getObject_tcb)
 apply (clarsimp simp: comp_def)
 apply (wp hoare_drop_imp)
diff --git a/proof/refine/ARM/Tcb_R.thy b/proof/refine/ARM/Tcb_R.thy
index 4ba774444c..6ca57825eb 100644
--- a/proof/refine/ARM/Tcb_R.thy
+++ b/proof/refine/ARM/Tcb_R.thy
@@ -350,7 +350,7 @@ lemma invokeTCB_WriteRegisters_corres:
 apply (rule_tac P=\ and P'=\ in corres_inst)
 apply simp
 apply (wp+)[2]
- apply ((wp static_imp_wp restart_invs'
+ apply ((wp hoare_weak_lift_imp restart_invs'
 | strengthen valid_sched_weak_strg einvs_valid_etcbs invs_valid_queues' invs_queues invs_weak_sch_act_wf | clarsimp simp: invs_def valid_state_def valid_sched_def invs'_def valid_state'_def
@@ -449,7 +449,7 @@ proof -
 apply (simp add: frame_registers_def frameRegisters_def)
 apply (simp add: getRestartPC_def setNextPC_def dc_def[symmetric])
 apply (rule Q[OF refl refl])
- apply ((wp mapM_x_wp' static_imp_wp | simp)+)[2]
+ apply ((wp mapM_x_wp' hoare_weak_lift_imp | simp)+)[2]
 apply (rule corres_split_nor)
 apply (rule corres_when[OF refl])
 apply (rule R[OF refl refl])
@@ -459,17 +459,17 @@ proof -
 apply (rule corres_split[OF corres_when[OF refl rescheduleRequired_corres]])
 apply (rule_tac P=\ and P'=\ in corres_inst)
 apply simp
- apply ((wp static_imp_wp)+)[6]
+ apply ((wp hoare_weak_lift_imp)+)[6]
 apply (rule_tac Q="\_. einvs and tcb_at dest" in hoare_strengthen_post[rotated])
 apply (clarsimp simp: invs_def valid_sched_weak_strg valid_sched_def)
 prefer 2
 apply (rule_tac Q="\_. invs' and tcb_at' dest" in hoare_strengthen_post[rotated])
 apply (clarsimp simp: invs'_def valid_state'_def invs_weak_sch_act_wf)
- apply ((wp mapM_x_wp' static_imp_wp | simp)+)[2]
- apply ((wp mapM_x_wp' static_imp_wp | simp)+)[1]
- apply (wp mapM_x_wp' static_imp_wp | simp)+
- apply ((wp mapM_x_wp' static_imp_wp restart_invs' | wpc | clarsimp simp add: if_apply_def2)+)[2]
- apply (wp suspend_nonz_cap_to_tcb static_imp_wp | simp add: if_apply_def2)+
+ apply ((wp mapM_x_wp' hoare_weak_lift_imp | simp)+)[2]
+ apply ((wp mapM_x_wp' hoare_weak_lift_imp | simp)+)[1]
+ apply (wp mapM_x_wp' hoare_weak_lift_imp | simp)+
+ apply ((wp mapM_x_wp' hoare_weak_lift_imp restart_invs' | wpc | clarsimp simp add: if_apply_def2)+)[2]
+ apply (wp suspend_nonz_cap_to_tcb hoare_weak_lift_imp | simp add: if_apply_def2)+
 apply (fastforce simp: invs_def valid_state_def valid_pspace_def dest!: idle_no_ex_cap)
 apply (fastforce simp: invs'_def valid_state'_def dest!: global'_no_ex_cap)
@@ -644,7 +644,7 @@ lemma sp_corres2:
 apply (rule rescheduleRequired_corres)
 apply (rule possibleSwitchTo_corres)
 apply ((clarsimp
- | wp static_imp_wp hoare_vcg_if_lift hoare_wp_combs gts_wp
+ | wp hoare_weak_lift_imp hoare_vcg_if_lift hoare_wp_combs gts_wp
 isRunnable_wp)+)[4]
 apply (wp hoare_vcg_imp_lift' hoare_vcg_if_lift hoare_vcg_all_lift)
 apply clarsimp
@@ -1697,30 +1697,30 @@ lemma tc_invs':
 apply (simp only: eq_commute[where a="a"])
 apply (rule hoare_walk_assmsE)
 apply (clarsimp simp: pred_conj_def option.splits [where P="\x. x s" for s])
- apply ((wp case_option_wp threadSet_invs_trivial static_imp_wp
+ apply ((wp case_option_wp threadSet_invs_trivial hoare_weak_lift_imp
 hoare_vcg_all_lift threadSet_cap_to' | clarsimp simp: inQ_def)+)[2]
 apply (rule hoare_walk_assmsE)
 apply (clarsimp simp: pred_conj_def option.splits [where P="\x. x s" for s])
- apply ((wp case_option_wp threadSet_invs_trivial static_imp_wp setMCPriority_invs'
+ apply ((wp case_option_wp threadSet_invs_trivial hoare_weak_lift_imp setMCPriority_invs'
 typ_at_lifts[OF setMCPriority_typ_at'] hoare_vcg_all_lift threadSet_cap_to' | clarsimp simp: inQ_def)+)[2]
- apply (wp add: setP_invs' static_imp_wp hoare_vcg_all_lift)+
+ apply (wp add: setP_invs' hoare_weak_lift_imp hoare_vcg_all_lift)+
 apply (rule case_option_wp_None_return[OF setP_invs'[simplified pred_conj_assoc]])
 apply clarsimp
 apply wpfix
 apply assumption
 apply (rule case_option_wp_None_returnOk)
- apply (wpsimp wp: static_imp_wp hoare_vcg_all_lift
+ apply (wpsimp wp: hoare_weak_lift_imp hoare_vcg_all_lift
 checkCap_inv[where P="tcb_at' t" for t] assertDerived_wp_weak threadSet_invs_trivial2 threadSet_tcb' hoare_vcg_all_lift threadSet_cte_wp_at')+
- apply (wpsimp wp: static_imp_wpE cteDelete_deletes
+ apply (wpsimp wp: hoare_weak_lift_imp_R cteDelete_deletes
 hoare_vcg_all_lift_R hoare_vcg_conj_liftE1 hoare_vcg_const_imp_lift_R hoare_vcg_propE_R cteDelete_invs' cteDelete_invs' cteDelete_typ_at'_lifts)+
 apply (assumption | clarsimp cong: conj_cong imp_cong | (rule case_option_wp_None_returnOk)
- | wpsimp wp: static_imp_wp hoare_vcg_all_lift checkCap_inv[where P="tcb_at' t" for t] assertDerived_wp_weak
+ | wpsimp wp: hoare_weak_lift_imp hoare_vcg_all_lift checkCap_inv[where P="tcb_at' t" for t] assertDerived_wp_weak
 hoare_vcg_imp_lift' hoare_vcg_all_lift checkCap_inv[where P="tcb_at' t" for t]
 checkCap_inv[where P="valid_cap' c" for c] checkCap_inv[where P=sch_act_simple]
- hoare_vcg_const_imp_lift_R assertDerived_wp_weak static_imp_wpE cteDelete_deletes
+ hoare_vcg_const_imp_lift_R assertDerived_wp_weak hoare_weak_lift_imp_R cteDelete_deletes
 hoare_vcg_all_lift_R hoare_vcg_conj_liftE1 hoare_vcg_const_imp_lift_R hoare_vcg_propE_R cteDelete_invs' cteDelete_typ_at'_lifts cteDelete_sch_act_simple)+
 apply (clarsimp simp: tcb_cte_cases_def cte_level_bits_def objBits_defs tcbIPCBufferSlot_def)
diff --git a/proof/refine/ARM/orphanage/Orphanage.thy b/proof/refine/ARM/orphanage/Orphanage.thy
index bc19088f44..4c8554f5ec 100644
--- a/proof/refine/ARM/orphanage/Orphanage.thy
+++ b/proof/refine/ARM/orphanage/Orphanage.thy
@@ -458,7 +458,7 @@ lemma rescheduleRequired_no_orphans [wp]:
 \ \rv s. no_orphans s \"
 unfolding rescheduleRequired_def
 apply (wp tcbSchedEnqueue_no_orphans hoare_vcg_all_lift ssa_no_orphans | wpc | clarsimp)+
- apply (wps tcbSchedEnqueue_nosch, wp static_imp_wp)
+ apply (wps tcbSchedEnqueue_nosch, wp hoare_weak_lift_imp)
 apply (rename_tac word t p)
 apply (rule_tac P="word = t" in hoare_gen_asm)
 apply (wp hoare_disjI1 | clarsimp)+
@@ -470,7 +470,7 @@ lemma rescheduleRequired_almost_no_orphans [wp]:
 \ \rv s. almost_no_orphans tcb_ptr s \"
 unfolding rescheduleRequired_def
 apply (wp tcbSchedEnqueue_almost_no_orphans_lift hoare_vcg_all_lift | wpc | clarsimp)+
- apply (wps tcbSchedEnqueue_nosch, wp static_imp_wp)
+ apply (wps tcbSchedEnqueue_nosch, wp hoare_weak_lift_imp)
 apply (rename_tac word t p)
 apply (rule_tac P="word = t" in hoare_gen_asm)
 apply (wp hoare_disjI1 | clarsimp)+
@@ -1048,7 +1048,7 @@ proof -
 apply (rule_tac Q="\_ s. (t = candidate \ ksCurThread s = candidate) \ (t \ candidate \ sch_act_not t s)" in hoare_post_imp)
- apply (wpsimp wp: stt_nosch static_imp_wp)+
+ apply (wpsimp wp: stt_nosch hoare_weak_lift_imp)+
 apply (fastforce dest!: in_all_active_tcb_ptrsD simp: all_queued_tcb_ptrs_def comp_def)
 done
@@ -1178,7 +1178,7 @@ lemma possibleSwitchTo_almost_no_orphans [wp]:
 \ \rv s. no_orphans s \"
 unfolding possibleSwitchTo_def
 by (wp rescheduleRequired_valid_queues'_weak tcbSchedEnqueue_almost_no_orphans
- ssa_almost_no_orphans static_imp_wp
+ ssa_almost_no_orphans hoare_weak_lift_imp
 | wpc | clarsimp | wp (once) hoare_drop_imp)+
@@ -1954,7 +1954,7 @@ lemma writereg_no_orphans:
 unfolding invokeTCB_def performTransfer_def postModifyRegisters_def
 apply simp
 apply (rule hoare_pre)
- by (wp hoare_vcg_if_lift hoare_vcg_conj_lift restart_invs' static_imp_wp
+ by (wp hoare_vcg_if_lift hoare_vcg_conj_lift restart_invs' hoare_weak_lift_imp
 | strengthen invs_valid_queues' | clarsimp simp: invs'_def valid_state'_def dest!: global'_no_ex_cap )+
@@ -1966,10 +1966,10 @@ lemma copyreg_no_orphans:
 unfolding invokeTCB_def performTransfer_def postModifyRegisters_def
 supply if_weak_cong[cong]
 apply simp
- apply (wp hoare_vcg_if_lift static_imp_wp)
+ apply (wp hoare_vcg_if_lift hoare_weak_lift_imp)
 apply (wp hoare_vcg_imp_lift' mapM_x_wp' asUser_no_orphans | wpc | clarsimp split del: if_splits)+
- apply (wp static_imp_wp hoare_vcg_conj_lift hoare_drop_imp mapM_x_wp' restart_invs'
+ apply (wp hoare_weak_lift_imp hoare_vcg_conj_lift hoare_drop_imp mapM_x_wp' restart_invs'
 restart_no_orphans asUser_no_orphans suspend_nonz_cap_to_tcb | strengthen invs_valid_queues' | wpc | simp add: if_apply_def2)+
 apply (fastforce simp: invs'_def valid_state'_def dest!: global'_no_ex_cap)
@@ -1981,7 +1981,7 @@ lemma settlsbase_no_orphans:
 \ \rv s. no_orphans s \"
 unfolding invokeTCB_def performTransfer_def
 apply simp
- apply (wp hoare_vcg_if_lift static_imp_wp)
+ apply (wp hoare_vcg_if_lift hoare_weak_lift_imp)
 apply (wpsimp wp: hoare_vcg_imp_lift' mapM_x_wp' asUser_no_orphans)+
 done
@@ -2047,19 +2047,19 @@ lemma tc_no_orphans:
 apply (rule hoare_walk_assmsE)
 apply (clarsimp simp: pred_conj_def option.splits[where P="\x. x s" for s])
 apply ((wp case_option_wp threadSet_no_orphans threadSet_invs_trivial
- threadSet_cap_to' hoare_vcg_all_lift static_imp_wp | clarsimp simp: inQ_def)+)[2]
+ threadSet_cap_to' hoare_vcg_all_lift hoare_weak_lift_imp | clarsimp simp: inQ_def)+)[2]
 apply (rule hoare_walk_assmsE)
 apply (cases mcp; clarsimp simp: pred_conj_def option.splits[where P="\x. x s" for s])
 apply ((wp case_option_wp threadSet_no_orphans threadSet_invs_trivial setMCPriority_invs' typ_at_lifts[OF setMCPriority_typ_at']
- threadSet_cap_to' hoare_vcg_all_lift static_imp_wp | clarsimp simp: inQ_def)+)[3]
+ threadSet_cap_to' hoare_vcg_all_lift hoare_weak_lift_imp | clarsimp simp: inQ_def)+)[3]
 apply ((simp only: simp_thms cong: conj_cong | wp cteDelete_deletes cteDelete_invs' cteDelete_sch_act_simple case_option_wp[where m'="return ()", OF setPriority_no_orphans return_inv,simplified] checkCap_inv[where P="valid_cap' c" for c] checkCap_inv[where P=sch_act_simple] checkCap_inv[where P=no_orphans] checkCap_inv[where P="tcb_at' a"] threadSet_cte_wp_at' hoare_vcg_all_lift_R hoare_vcg_all_lift threadSet_no_orphans
- hoare_vcg_const_imp_lift_R static_imp_wp hoare_drop_imp threadSet_ipcbuffer_invs
+ hoare_vcg_const_imp_lift_R hoare_weak_lift_imp hoare_drop_imp threadSet_ipcbuffer_invs
 | strengthen invs_valid_queues' | (simp add: locateSlotTCB_def locateSlotBasic_def objBits_def objBitsKO_def tcbIPCBufferSlot_def tcb_cte_cases_def,
@@ -2137,7 +2137,7 @@ lemma performPageInvocation_no_orphans [wp]:
 apply (simp add: performPageInvocation_def cong: page_invocation.case_cong)
 apply (rule hoare_pre)
- apply (wp mapM_x_wp' mapM_wp' static_imp_wp | wpc | clarsimp simp: pdeCheckIfMapped_def pteCheckIfMapped_def)+
+ apply (wp mapM_x_wp' mapM_wp' hoare_weak_lift_imp | wpc | clarsimp simp: pdeCheckIfMapped_def pteCheckIfMapped_def)+
 done
 lemma performASIDControlInvocation_no_orphans [wp]:
@@ -2190,13 +2190,13 @@ lemma performASIDControlInvocation_no_orphans [wp]:
 \\reply. no_orphans\"
 apply (clarsimp simp: performASIDControlInvocation_def split: asidcontrol_invocation.splits)
- apply (wp static_imp_wp | clarsimp)+
+ apply (wp hoare_weak_lift_imp | clarsimp)+
 apply (rule_tac Q="\rv s. no_orphans s" in hoare_post_imp)
 apply (clarsimp simp: no_orphans_def all_active_tcb_ptrs_def is_active_tcb_ptr_def all_queued_tcb_ptrs_def)
 apply (wp | clarsimp simp:placeNewObject_def2)+
 apply (wp createObjects'_wp_subst)+
- apply (wp static_imp_wp updateFreeIndex_pspace_no_overlap'[where sz= pageBits] getSlotCap_wp | simp)+
+ apply (wp hoare_weak_lift_imp updateFreeIndex_pspace_no_overlap'[where sz= pageBits] getSlotCap_wp | simp)+
 apply (strengthen invs_pspace_aligned' invs_pspace_distinct' invs_valid_pspace')
 apply (clarsimp simp:conj_comms)
 apply (wp deleteObjects_invs'[where idx = idx and d=False]
diff --git a/proof/refine/ARM_HYP/Arch_R.thy b/proof/refine/ARM_HYP/Arch_R.thy
index 1fe4c1e9da..65dc8de207 100644
--- a/proof/refine/ARM_HYP/Arch_R.thy
+++ b/proof/refine/ARM_HYP/Arch_R.thy
@@ -1413,13 +1413,13 @@ lemma performASIDControlInvocation_tcb_at':
 apply (rule hoare_name_pre_state)
 apply (clarsimp simp: performASIDControlInvocation_def split: asidcontrol_invocation.splits)
 apply (clarsimp simp: valid_aci'_def cte_wp_at_ctes_of cong: conj_cong)
- apply (wp static_imp_wp |simp add:placeNewObject_def2)+
- apply (wp createObjects_orig_obj_at2' updateFreeIndex_pspace_no_overlap' getSlotCap_wp static_imp_wp)+
+ apply (wp hoare_weak_lift_imp |simp add:placeNewObject_def2)+
+ apply (wp createObjects_orig_obj_at2' updateFreeIndex_pspace_no_overlap' getSlotCap_wp hoare_weak_lift_imp)+
 apply (clarsimp simp: projectKO_opts_defs)
 apply (strengthen st_tcb_strg' [where P=\])
 apply (wp deleteObjects_invs_derivatives[where p="makePoolParent aci"] hoare_vcg_ex_lift deleteObjects_cte_wp_at'[where d=False]
- deleteObjects_st_tcb_at'[where p="makePoolParent aci"] static_imp_wp
+ deleteObjects_st_tcb_at'[where p="makePoolParent aci"] hoare_weak_lift_imp
 updateFreeIndex_pspace_no_overlap' deleteObject_no_overlap[where d=False])+
 apply (case_tac ctea)
 apply (clarsimp)
@@ -2038,7 +2038,7 @@ lemma performASIDControlInvocation_st_tcb_at':
 hoare_vcg_ex_lift deleteObjects_cte_wp_at' deleteObjects_invs_derivatives deleteObjects_st_tcb_at'
- static_imp_wp
+ hoare_weak_lift_imp
 | simp add: placeNewObject_def2)+
 apply (case_tac ctea)
 apply (clarsimp)
@@ -2168,7 +2168,7 @@ lemma performASIDControlInvocation_invs' [wp]:
 updateFreeIndex_caps_no_overlap'' updateFreeIndex_descendants_of2 updateFreeIndex_caps_overlap_reserved
- updateCap_cte_wp_at_cases static_imp_wp
+ updateCap_cte_wp_at_cases hoare_weak_lift_imp
 getSlotCap_wp)+
 apply (clarsimp simp:conj_comms ex_disj_distrib is_aligned_mask | strengthen invs_valid_pspace' invs_pspace_aligned'
diff --git a/proof/refine/ARM_HYP/CNodeInv_R.thy b/proof/refine/ARM_HYP/CNodeInv_R.thy
index d2a6e3ffca..efa6b06484 100644
--- a/proof/refine/ARM_HYP/CNodeInv_R.thy
+++ b/proof/refine/ARM_HYP/CNodeInv_R.thy
@@ -4880,7 +4880,7 @@ lemma cteSwap_iflive'[wp]:
 simp only: if_live_then_nonz_cap'_def imp_conv_disj ex_nonz_cap_to'_def)
 apply (wp hoare_vcg_all_lift hoare_vcg_disj_lift
- hoare_vcg_ex_lift updateCap_cte_wp_at_cases static_imp_wp)+
+ hoare_vcg_ex_lift updateCap_cte_wp_at_cases hoare_weak_lift_imp)+
 apply (clarsimp simp: cte_wp_at_ctes_of)
 apply (drule(1) if_live_then_nonz_capE')
 apply (clarsimp simp: ex_nonz_cap_to'_def cte_wp_at_ctes_of)
@@ -5780,7 +5780,7 @@ lemma cteSwap_cte_wp_cteCap:
 apply simp
 apply (wp hoare_drop_imps)[1]
 apply (wp updateMDB_weak_cte_wp_at updateCap_cte_wp_at_cases
- getCTE_wp' hoare_vcg_all_lift static_imp_wp)+
+ getCTE_wp' hoare_vcg_all_lift hoare_weak_lift_imp)+
 apply simp
 apply (clarsimp simp: o_def)
 done
@@ -5794,7 +5794,7 @@ lemma capSwap_cte_wp_cteCap:
 apply(simp add: capSwapForDelete_def)
 apply(wp)
 apply(rule cteSwap_cte_wp_cteCap)
- apply(wp getCTE_wp getCTE_cte_wp_at static_imp_wp)+
+ apply(wp getCTE_wp getCTE_cte_wp_at hoare_weak_lift_imp)+
 apply(clarsimp)
 apply(rule conjI)
 apply(simp add: cte_at_cte_wp_atD)
@@ -6297,7 +6297,7 @@ proof (induct arbitrary: P p rule: finalise_spec_induct2)
 apply clarsimp
 apply (case_tac "cteCap rv", simp_all add: isCap_simps final_matters'_def)[1]
- apply (wp isFinalCapability_inv static_imp_wp | simp | wp (once) isFinal[where x=sl])+
+ apply (wp isFinalCapability_inv hoare_weak_lift_imp | simp | wp (once) isFinal[where x=sl])+
 apply (wp getCTE_wp')
 apply (clarsimp simp: cte_wp_at_ctes_of disj_ac)
 apply (rule conjI, clarsimp simp: removeable'_def)
@@ -7094,14 +7094,14 @@ next
 apply simp
 apply ((wp replace_cap_invs final_cap_same_objrefs set_cap_cte_wp_at set_cap_cte_cap_wp_to
- hoare_vcg_const_Ball_lift static_imp_wp
+ hoare_vcg_const_Ball_lift hoare_weak_lift_imp
 | simp add: conj_comms | erule finalise_cap_not_reply_master [simplified])+)
 apply (elim conjE, strengthen exI[mk_strg I], strengthen asm_rl[where psi="(cap_relation cap cap')" for cap cap', mk_strg I E])
 apply (wp make_zombie_invs' updateCap_cap_to' updateCap_cte_wp_at_cases
- hoare_vcg_ex_lift static_imp_wp)
+ hoare_vcg_ex_lift hoare_weak_lift_imp)
 apply clarsimp
 apply (drule_tac cap=a in cap_relation_removables, clarsimp, assumption+)
@@ -7143,7 +7143,7 @@ next
 apply (clarsimp dest!: isCapDs simp: cte_wp_at_ctes_of)
 apply (case_tac "cteCap rv'", auto simp add: isCap_simps is_cap_simps final_matters'_def)[1]
- apply (wp isFinalCapability_inv static_imp_wp
+ apply (wp isFinalCapability_inv hoare_weak_lift_imp
 | simp add: is_final_cap_def conj_comms cte_wp_at_eq_simp)+
 apply (rule isFinal[where x="cte_map slot"])
 apply (wp get_cap_wp| simp add: conj_comms)+
@@ -7284,7 +7284,7 @@ next
 apply (rule updateCap_corres)
 apply simp
 apply (simp add: is_cap_simps)
- apply (rule_tac Q="\rv. cte_at' (cte_map ?target)" in valid_prove_more)
+ apply (rule_tac R="\rv. cte_at' (cte_map ?target)" in hoare_post_add)
 apply (wp, (wp getCTE_wp)+)
 apply (clarsimp simp: cte_wp_at_ctes_of)
 apply (rule no_fail_pre, wp, simp)
@@ -8437,7 +8437,7 @@ lemma cteMove_iflive'[wp]:
 ex_nonz_cap_to'_def)
 apply (wp hoare_vcg_all_lift hoare_vcg_disj_lift hoare_vcg_ex_lift updateCap_cte_wp_at_cases
- getCTE_wp static_imp_wp)+
+ getCTE_wp hoare_weak_lift_imp)+
 apply (clarsimp simp: cte_wp_at_ctes_of)
 apply (drule(1) if_live_then_nonz_capE')
 apply (clarsimp simp: ex_nonz_cap_to'_def cte_wp_at_ctes_of)
@@ -8615,7 +8615,7 @@ lemma cteMove_cte_wp_at:
 \\_ s. cte_wp_at' (\c. Q (cteCap c)) ptr s\"
 unfolding cteMove_def
 apply (fold o_def)
- apply (wp updateCap_cte_wp_at_cases updateMDB_weak_cte_wp_at getCTE_wp static_imp_wp|simp add: o_def)+
+ apply (wp updateCap_cte_wp_at_cases updateMDB_weak_cte_wp_at getCTE_wp hoare_weak_lift_imp|simp add: o_def)+
 apply (clarsimp simp: cte_wp_at_ctes_of)
 done
diff --git a/proof/refine/ARM_HYP/CSpace1_R.thy b/proof/refine/ARM_HYP/CSpace1_R.thy
index 647efaa166..6a82520a9c 100644
--- a/proof/refine/ARM_HYP/CSpace1_R.thy
+++ b/proof/refine/ARM_HYP/CSpace1_R.thy
@@ -928,7 +928,7 @@ lemma cteInsert_weak_cte_wp_at:
 \\uu. cte_wp_at'(\c. P (cteCap c)) p\"
 unfolding cteInsert_def error_def updateCap_def setUntypedCapAsFull_def
 apply (simp add: bind_assoc split del: if_split)
- apply (wp setCTE_weak_cte_wp_at updateMDB_weak_cte_wp_at static_imp_wp | simp)+
+ apply (wp setCTE_weak_cte_wp_at updateMDB_weak_cte_wp_at hoare_weak_lift_imp | simp)+
 apply (wp getCTE_ctes_wp)+
 apply (clarsimp simp: isCap_simps split:if_split_asm| rule conjI)+
 done
diff --git a/proof/refine/ARM_HYP/Detype_R.thy b/proof/refine/ARM_HYP/Detype_R.thy
index b6612efc6d..2ad9254d39 100644
--- a/proof/refine/ARM_HYP/Detype_R.thy
+++ b/proof/refine/ARM_HYP/Detype_R.thy
@@ -2044,13 +2044,13 @@ lemma cte_wp_at_top:
 apply (simp add:alignCheck_def bind_def alignError_def fail_def return_def objBits_simps magnitudeCheck_def in_monad is_aligned_mask
- when_def split:option.splits)
+ when_def unless_def split:option.splits)
 apply (intro conjI impI allI,simp_all add:not_le)
 apply (clarsimp simp:cte_check_def)
 apply (simp add:alignCheck_def bind_def alignError_def fail_def return_def objBits_simps magnitudeCheck_def in_monad is_aligned_mask
- when_def split:option.splits)
+ when_def unless_def split:option.splits)
 apply (intro conjI impI allI,simp_all add:not_le)
 apply (simp add:typeError_def fail_def cte_check_def split:Structures_H.kernel_object.splits)+
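Review bot: The simp set in `cte_wp_at_top` is repeated verbatim in the two `apply (simp add:alignCheck_def bind_def ... when_def unless_def split:option.splits)` calls, which is why this change has to patch both copies. A single `lemmas` collection declared before the lemma (for example `lemmas cte_wp_at_top_simps = alignCheck_def bind_def alignError_def fail_def return_def objBits_simps magnitudeCheck_def in_monad is_aligned_mask when_def unless_def`, then `apply (simp add: cte_wp_at_top_simps split:option.splits)` at both sites) would keep the two call sites from drifting apart the next time the monad definitions change. The added `unless_def` presumably tracks the reworked nondet monad definitions named in the commit message; the hunk alone does not show which unfolded definition now introduces `unless`. The body of `cte_wp_at_top` starts before and ends after this hunk.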
diff --git a/proof/refine/ARM_HYP/Finalise_R.thy b/proof/refine/ARM_HYP/Finalise_R.thy
index 89ad60a06e..536280436e 100644
--- a/proof/refine/ARM_HYP/Finalise_R.thy
+++ b/proof/refine/ARM_HYP/Finalise_R.thy
@@ -1539,7 +1539,7 @@ lemma emptySlot_corres:
 defer
 apply wpsimp+
 apply (rule corres_no_failI)
- apply (rule no_fail_pre, wp static_imp_wp)
+ apply (rule no_fail_pre, wp hoare_weak_lift_imp)
 apply (clarsimp simp: cte_wp_at_ctes_of valid_pspace'_def)
 apply (clarsimp simp: valid_mdb'_def valid_mdb_ctes_def)
 apply (rule conjI, clarsimp)
@@ -3667,7 +3667,7 @@ lemma cteDeleteOne_invs[wp]:
 subgoal by auto
 subgoal by (auto dest!: isCapDs simp: pred_tcb_at'_def obj_at'_def projectKOs live'_def hyp_live'_def ko_wp_at'_def)
- apply (wp isFinalCapability_inv getCTE_wp' static_imp_wp
+ apply (wp isFinalCapability_inv getCTE_wp' hoare_weak_lift_imp
 | wp (once) isFinal[where x=ptr])+
 apply (fastforce simp: cte_wp_at_ctes_of)
 done
diff --git a/proof/refine/ARM_HYP/Interrupt_R.thy b/proof/refine/ARM_HYP/Interrupt_R.thy
index 861aae22ae..b2007e80ef 100644
--- a/proof/refine/ARM_HYP/Interrupt_R.thy
+++ b/proof/refine/ARM_HYP/Interrupt_R.thy
@@ -683,7 +683,7 @@ lemma timerTick_corres:
 apply (simp add:decDomainTime_def)
 apply wp
 apply (wp|wpc|unfold Let_def|simp)+
- apply (wp static_imp_wp threadSet_timeslice_invs threadSet_valid_queues threadSet_valid_queues'
+ apply (wp hoare_weak_lift_imp threadSet_timeslice_invs threadSet_valid_queues threadSet_valid_queues'
 threadSet_pred_tcb_at_state threadSet_weak_sch_act_wf tcbSchedAppend_valid_objs' rescheduleRequired_weak_sch_act_wf tcbSchedAppend_valid_queues| simp)+
 apply (strengthen sch_act_wf_weak)
diff --git a/proof/refine/ARM_HYP/Ipc_R.thy b/proof/refine/ARM_HYP/Ipc_R.thy
index ce53168398..48c77e4072 100644
--- a/proof/refine/ARM_HYP/Ipc_R.thy
+++ b/proof/refine/ARM_HYP/Ipc_R.thy
@@ -317,7 +317,7 @@ lemma cteInsert_cte_wp_at:
 cteInsert cap src dest \\uu. cte_wp_at' (\c. P (cteCap c)) p\"
 apply (simp add: cteInsert_def)
- apply (wp updateMDB_weak_cte_wp_at updateCap_cte_wp_at_cases getCTE_wp static_imp_wp
+ apply (wp updateMDB_weak_cte_wp_at updateCap_cte_wp_at_cases getCTE_wp hoare_weak_lift_imp
 | clarsimp simp: comp_def | unfold setUntypedCapAsFull_def)+
 apply (drule cte_at_cte_wp_atD)
@@ -361,7 +361,7 @@ lemma cteInsert_weak_cte_wp_at3:
 else cte_wp_at' (\c. P (cteCap c)) p s\ cteInsert cap src dest \\uu. cte_wp_at' (\c. P (cteCap c)) p\"
- by (wp updateMDB_weak_cte_wp_at updateCap_cte_wp_at_cases getCTE_wp' static_imp_wp
+ by (wp updateMDB_weak_cte_wp_at updateCap_cte_wp_at_cases getCTE_wp' hoare_weak_lift_imp
 | clarsimp simp: comp_def cteInsert_def | unfold setUntypedCapAsFull_def | auto simp: cte_wp_at'_def dest!: imp)+
@@ -581,7 +581,7 @@ lemma cteInsert_cte_cap_to':
 apply (rule hoare_use_eq_irq_node' [OF cteInsert_ksInterruptState])
 apply (clarsimp simp:cteInsert_def)
 apply (wp hoare_vcg_ex_lift updateMDB_weak_cte_wp_at updateCap_cte_wp_at_cases
- setUntypedCapAsFull_cte_wp_at getCTE_wp static_imp_wp)
+ setUntypedCapAsFull_cte_wp_at getCTE_wp hoare_weak_lift_imp)
 apply (clarsimp simp:cte_wp_at_ctes_of)
 apply (rule_tac x = "cref" in exI)
 apply (rule conjI)
@@ -624,7 +624,7 @@ lemma cteInsert_weak_cte_wp_at2:
 apply (rule hoare_use_eq_irq_node' [OF cteInsert_ksInterruptState])
 apply (clarsimp simp:cteInsert_def)
 apply (wp hoare_vcg_ex_lift updateMDB_weak_cte_wp_at updateCap_cte_wp_at_cases
- setUntypedCapAsFull_cte_wp_at getCTE_wp static_imp_wp)
+ setUntypedCapAsFull_cte_wp_at getCTE_wp hoare_weak_lift_imp)
 apply (clarsimp simp:cte_wp_at_ctes_of weak)
 apply auto
 done
@@ -657,11 +657,11 @@ lemma transferCapsToSlots_presM:
 apply (wp eb hoare_vcg_const_Ball_lift hoare_vcg_const_imp_lift | assumption | wpc)+
 apply (rule cteInsert_assume_Null)
- apply (wp x hoare_vcg_const_Ball_lift cteInsert_cte_cap_to' static_imp_wp)
+ apply (wp x hoare_vcg_const_Ball_lift cteInsert_cte_cap_to' hoare_weak_lift_imp)
 apply (rule cteInsert_weak_cte_wp_at2,clarsimp)
- apply (wp hoare_vcg_const_Ball_lift static_imp_wp)+
+ apply (wp hoare_vcg_const_Ball_lift hoare_weak_lift_imp)+
 apply (rule cteInsert_weak_cte_wp_at2,clarsimp)
- apply (wp hoare_vcg_const_Ball_lift cteInsert_cte_wp_at static_imp_wp
+ apply (wp hoare_vcg_const_Ball_lift cteInsert_cte_wp_at hoare_weak_lift_imp
 deriveCap_derived_foo)+
 apply (thin_tac "\slots. PROP P slots" for P)
 apply (clarsimp simp: cte_wp_at_ctes_of remove_rights_def
@@ -1053,7 +1053,7 @@ lemma transferCaps_corres:
 apply (rule corres_rel_imp, rule transferCapsToSlots_corres, simp_all add: split_def)[1]
 apply (case_tac info, simp)
- apply (wp hoare_vcg_all_lift get_rs_cte_at static_imp_wp
+ apply (wp hoare_vcg_all_lift get_rs_cte_at hoare_weak_lift_imp
 | simp only: ball_conj_distrib)+
 apply (simp add: cte_map_def tcb_cnode_index_def split_def)
 apply (clarsimp simp: valid_pspace'_def valid_ipc_buffer_ptr'_def2
@@ -1471,7 +1471,7 @@ lemma doNormalTransfer_corres:
 hoare_valid_ipc_buffer_ptr_typ_at' copyMRs_typ_at' hoare_vcg_const_Ball_lift lookupExtraCaps_length | simp add: if_apply_def2)+)
- apply (wp static_imp_wp | strengthen valid_msg_length_strengthen)+
+ apply (wp hoare_weak_lift_imp | strengthen valid_msg_length_strengthen)+
 apply clarsimp
 apply auto
 done
@@ -2256,7 +2256,7 @@ lemma doReplyTransfer_corres:
 apply simp
 apply (fold dc_def, rule possibleSwitchTo_corres)
 apply simp
- apply (wp static_imp_wp static_imp_conj_wp set_thread_state_runnable_weak_valid_sched_action sts_st_tcb_at'
+ apply (wp hoare_weak_lift_imp hoare_weak_lift_imp_conj set_thread_state_runnable_weak_valid_sched_action sts_st_tcb_at'
 sts_st_tcb' sts_valid_queues | simp | force simp: valid_sched_def valid_sched_action_def valid_tcb_state'_def)+
 apply (rule corres_guard_imp)
 apply (rule setThreadState_corres)
@@ -2357,15 +2357,15 @@ lemma setupCallerCap_corres:
 tcb_cnode_index_def cte_level_bits_def)
 apply (simp add: cte_map_def tcbCallerSlot_def tcb_cnode_index_def cte_level_bits_def)
- apply (rule_tac Q="\rv. cte_at' (receiver + 2 ^ cte_level_bits * tcbCallerSlot)"
- in valid_prove_more)
+ apply (rule_tac R="\rv. cte_at' (receiver + 2 ^ cte_level_bits * tcbCallerSlot)"
+ in hoare_post_add)
 apply (wp, (wp getSlotCap_wp)+)
 apply blast
 apply (rule no_fail_pre, wp)
 apply (clarsimp simp: cte_wp_at'_def cte_at'_def)
- apply (rule_tac Q="\rv. cte_at' (sender + 2 ^ cte_level_bits * tcbReplySlot)"
- in valid_prove_more)
+ apply (rule_tac R="\rv. cte_at' (sender + 2 ^ cte_level_bits * tcbReplySlot)"
+ in hoare_post_add)
 apply (wp, (wp getCTE_wp')+)
 apply blast
 apply (rule no_fail_pre, wp)
@@ -2422,7 +2422,7 @@ lemma possibleSwitchTo_weak_sch_act_wf[wp]:
 bitmap_fun_defs)
 apply (wp rescheduleRequired_weak_sch_act_wf weak_sch_act_wf_lift_linear[where f="tcbSchedEnqueue t"]
- getObject_tcb_wp static_imp_wp
+ getObject_tcb_wp hoare_weak_lift_imp
 | wpc)+
 apply (clarsimp simp: obj_at'_def projectKOs weak_sch_act_wf_def ps_clear_def tcb_in_cur_domain'_def)
 done
@@ -2790,7 +2790,7 @@ lemma possibleSwitchTo_sch_act[wp]:
 possibleSwitchTo t \\rv s. sch_act_wf (ksSchedulerAction s) s\"
 apply (simp add: possibleSwitchTo_def curDomain_def bitmap_fun_defs)
- apply (wp static_imp_wp threadSet_sch_act setQueue_sch_act threadGet_wp
+ apply (wp hoare_weak_lift_imp threadSet_sch_act setQueue_sch_act threadGet_wp
 | simp add: unless_def | wpc)+
 apply (auto simp: obj_at'_def projectKOs tcb_in_cur_domain'_def)
 done
@@ -2811,7 +2811,7 @@ lemma possibleSwitchTo_ksQ':
 possibleSwitchTo t \\_ s. t' \ set (ksReadyQueues s p)\"
 apply (simp add: possibleSwitchTo_def curDomain_def bitmap_fun_defs)
- apply (wp static_imp_wp rescheduleRequired_ksQ' tcbSchedEnqueue_ksQ threadGet_wp
+ apply (wp hoare_weak_lift_imp rescheduleRequired_ksQ' tcbSchedEnqueue_ksQ threadGet_wp
 | wpc | simp split del: if_split)+
 apply (auto simp: obj_at'_def)
@@ -2823,7 +2823,7 @@ lemma possibleSwitchTo_valid_queues'[wp]:
 possibleSwitchTo t \\rv. valid_queues'\"
 apply (simp add: possibleSwitchTo_def curDomain_def)
- apply (wp static_imp_wp threadGet_wp | wpc | simp)+
+ apply (wp hoare_weak_lift_imp threadGet_wp | wpc | simp)+
 apply (auto simp: obj_at'_def)
 done
@@ -3806,7 +3806,7 @@ lemma completeSignal_invs:
 \ ((\y. ntfnBoundTCB ntfn = Some y) \ ex_nonz_cap_to' ntfnptr s) \ ntfnptr \ ksIdleThread s" in hoare_strengthen_post)
- apply ((wp hoare_vcg_ex_lift static_imp_wp | wpc | simp add: valid_ntfn'_def)+)[1]
+ apply ((wp hoare_vcg_ex_lift hoare_weak_lift_imp | wpc | simp add: valid_ntfn'_def)+)[1]
 apply (clarsimp simp: obj_at'_def state_refs_of'_def typ_at'_def ko_wp_at'_def live'_def projectKOs split: option.splits)
 apply (blast dest: ntfn_q_refs_no_bound_refs')
 apply wp
@@ -4027,7 +4027,7 @@ lemma rai_invs'[wp]: \ \ep = ActiveNtfn\ apply (simp add: invs'_def valid_state'_def) apply (rule hoare_pre) - apply (wp valid_irq_node_lift sts_valid_objs' typ_at_lifts static_imp_wp + apply (wp valid_irq_node_lift sts_valid_objs' typ_at_lifts hoare_weak_lift_imp asUser_urz | simp add: valid_ntfn'_def)+ apply (clarsimp simp: pred_tcb_at' valid_pspace'_def) @@ -4507,7 +4507,7 @@ lemma sendSignal_st_tcb'_Running: sendSignal ntfnptr bdg \\_. st_tcb_at' (\st. st = Running \ P st) t\" apply (simp add: sendSignal_def) - apply (wp sts_st_tcb_at'_cases cancelIPC_st_tcb_at' gts_wp' getNotification_wp static_imp_wp + apply (wp sts_st_tcb_at'_cases cancelIPC_st_tcb_at' gts_wp' getNotification_wp hoare_weak_lift_imp | wpc | clarsimp simp: pred_tcb_at')+ done diff --git a/proof/refine/ARM_HYP/PageTableDuplicates.thy b/proof/refine/ARM_HYP/PageTableDuplicates.thy index 6dd3471595..c15aa27a38 100644 --- a/proof/refine/ARM_HYP/PageTableDuplicates.thy +++ b/proof/refine/ARM_HYP/PageTableDuplicates.thy @@ -1898,7 +1898,7 @@ lemma performArchInvocation_valid_duplicates': apply (clarsimp simp:cte_wp_at_ctes_of) apply (case_tac ctea,clarsimp) apply (frule(1) ctes_of_valid_cap'[OF _ invs_valid_objs']) - apply (wp static_imp_wp|simp)+ + apply (wp hoare_weak_lift_imp|simp)+ apply (simp add:placeNewObject_def) apply (wp |simp add:alignError_def unless_def|wpc)+ apply (wp updateFreeIndex_pspace_no_overlap' hoare_drop_imp 
@@ -1948,10 +1948,10 @@ lemma tc_valid_duplicates': apply (rule hoare_walk_assmsE) apply (clarsimp simp: pred_conj_def option.splits [where P="\x. x s" for s]) apply ((wp case_option_wp threadSet_invs_trivial - hoare_vcg_all_lift threadSet_cap_to' static_imp_wp | simp add: inQ_def | fastforce)+)[2] + hoare_vcg_all_lift threadSet_cap_to' hoare_weak_lift_imp | simp add: inQ_def | fastforce)+)[2] apply (rule hoare_walk_assmsE) apply (clarsimp simp: pred_conj_def option.splits [where P="\x. x s" for s]) - apply ((wp case_option_wp setMCPriority_invs' static_imp_wp + apply ((wp case_option_wp setMCPriority_invs' hoare_weak_lift_imp typ_at_lifts[OF setMCPriority_typ_at'] hoare_vcg_all_lift threadSet_cap_to' | simp add: inQ_def | fastforce)+)[2] apply ((simp only: simp_thms cases_simp cong: conj_cong @@ -1970,7 +1970,7 @@ lemma tc_valid_duplicates': threadSet_cte_wp_at' hoare_vcg_all_lift_R hoare_vcg_all_lift - static_imp_wp + hoare_weak_lift_imp )[1] | wpc | simp add: inQ_def diff --git a/proof/refine/ARM_HYP/Refine.thy b/proof/refine/ARM_HYP/Refine.thy index 92a68a54c8..5fc38d5121 100644 --- a/proof/refine/ARM_HYP/Refine.thy +++ b/proof/refine/ARM_HYP/Refine.thy @@ -280,7 +280,7 @@ lemma kernel_entry_invs: thread_set_ct_running thread_set_not_state_valid_sched hoare_vcg_disj_lift ct_in_state_thread_state_lift thread_set_no_change_tcb_state call_kernel_domain_time_inv_det_ext call_kernel_domain_list_inv_det_ext - static_imp_wp + hoare_weak_lift_imp | clarsimp simp add: tcb_cap_cases_def active_from_running)+ done @@ -424,7 +424,7 @@ lemma kernelEntry_invs': apply (wp ckernel_invs callKernel_valid_duplicates' callKernel_domain_time_left threadSet_invs_trivial threadSet_ct_running' TcbAcc_R.dmo_invs' callKernel_domain_time_left - static_imp_wp + hoare_weak_lift_imp | clarsimp simp: user_memory_update_def no_irq_def tcb_at_invs' atcbContextSet_def valid_domain_list'_def)+ done 
@@ -656,12 +656,12 @@ lemma entry_corres: apply (rule hoare_strengthen_post, rule akernel_invs_det_ext, simp add: invs_def cur_tcb_def) apply (rule hoare_strengthen_post, rule ckernel_invs, simp add: invs'_def cur_tcb'_def) apply ((wp thread_set_invs_trivial thread_set_ct_running - thread_set_not_state_valid_sched static_imp_wp + thread_set_not_state_valid_sched hoare_weak_lift_imp hoare_vcg_disj_lift ct_in_state_thread_state_lift | simp add: tcb_cap_cases_def thread_set_no_change_tcb_state)+)[1] apply (simp add: pred_conj_def cong: conj_cong) apply (wp threadSet_invs_trivial threadSet_ct_running' - static_imp_wp hoare_vcg_disj_lift + hoare_weak_lift_imp hoare_vcg_disj_lift | simp add: ct_in_state'_def atcbContextSet_def | (wps, wp threadSet_st_tcb_at2))+ apply (clarsimp simp: invs_def cur_tcb_def) diff --git a/proof/refine/ARM_HYP/Retype_R.thy b/proof/refine/ARM_HYP/Retype_R.thy index 00628e6c4a..7be836f8b7 100644 --- a/proof/refine/ARM_HYP/Retype_R.thy +++ b/proof/refine/ARM_HYP/Retype_R.thy @@ -2584,7 +2584,6 @@ lemma update_gs_ksMachineState_update_swap: declare hoare_in_monad_post[wp del] declare univ_get_wp[wp del] -declare result_in_set_wp[wp del] crunch valid_arch_state'[wp]: copyGlobalMappings "valid_arch_state'" (wp: crunch_wps) @@ -4553,7 +4552,7 @@ proof - apply (simp add: ct_idle_or_in_cur_domain'_def tcb_in_cur_domain'_def) apply (rule hoare_pre) apply (wps a b c d) - apply (wp static_imp_wp e' hoare_vcg_disj_lift) + apply (wp hoare_weak_lift_imp e' hoare_vcg_disj_lift) apply (auto simp: obj_at'_def ct_in_state'_def projectKOs st_tcb_at'_def) done qed diff --git a/proof/refine/ARM_HYP/Schedule_R.thy b/proof/refine/ARM_HYP/Schedule_R.thy index 8be4b8e1e1..92162ab7e0 100644 --- a/proof/refine/ARM_HYP/Schedule_R.thy +++ b/proof/refine/ARM_HYP/Schedule_R.thy 
@@ -10,7 +10,7 @@ begin context begin interpretation Arch . (*FIXME: arch_split*) -declare static_imp_wp[wp_split del] +declare hoare_weak_lift_imp[wp_split del] (* Levity: added (20090713 10:04:12) *) declare sts_rel_idle [simp] @@ -516,7 +516,7 @@ lemma ct_idle_or_in_cur_domain'_lift2: apply (rule hoare_lift_Pf2[where f=ksCurThread]) apply (rule hoare_lift_Pf2[where f=ksSchedulerAction]) including no_pre - apply (wp static_imp_wp hoare_vcg_disj_lift) + apply (wp hoare_weak_lift_imp hoare_vcg_disj_lift) apply simp+ done @@ -1490,7 +1490,7 @@ lemma switchToIdleThread_invs_no_cicd': crunch obj_at'[wp]: "Arch.switchToIdleThread" "obj_at' (P :: ('a :: no_vcpu) \ bool) t" -declare static_imp_conj_wp[wp_split del] +declare hoare_weak_lift_imp_conj[wp_split del] lemma setCurThread_const: "\\_. P t \ setCurThread t \\_ s. P (ksCurThread s) \" diff --git a/proof/refine/ARM_HYP/Syscall_R.thy b/proof/refine/ARM_HYP/Syscall_R.thy index b1b980194c..231e0ea580 100644 --- a/proof/refine/ARM_HYP/Syscall_R.thy +++ b/proof/refine/ARM_HYP/Syscall_R.thy @@ -338,7 +338,7 @@ lemma threadSet_tcbDomain_update_sch_act_wf[wp]: apply (simp add: threadSet_def) apply wp apply (wps setObject_sa_unchanged) - apply (wp static_imp_wp getObject_tcb_wp hoare_vcg_all_lift)+ + apply (wp hoare_weak_lift_imp getObject_tcb_wp hoare_vcg_all_lift)+ apply (rename_tac word) apply (rule_tac Q="\_ s. ksSchedulerAction s = SwitchToThread word \ st_tcb_at' runnable' word s \ tcb_in_cur_domain' word s \ word \ t" @@ -689,7 +689,7 @@ proof - apply (rule hoare_weaken_pre [OF cteInsert_weak_cte_wp_at3]) apply (rule PUC,simp) apply (clarsimp simp: cte_wp_at_ctes_of) - apply (wp hoare_vcg_all_lift static_imp_wp | simp add:ball_conj_distrib)+ + apply (wp hoare_vcg_all_lift hoare_weak_lift_imp | simp add:ball_conj_distrib)+ done qed 
@@ -811,7 +811,7 @@ lemma doReply_invs[wp]: apply assumption apply (erule cte_wp_at_weakenE') apply (fastforce) - apply (wp sts_invs_minor'' sts_st_tcb' static_imp_wp) + apply (wp sts_invs_minor'' sts_st_tcb' hoare_weak_lift_imp) apply (rule_tac Q="\rv s. invs' s \ sch_act_simple s \ st_tcb_at' awaiting_reply' t s \ t \ ksIdleThread s" @@ -829,7 +829,7 @@ lemma doReply_invs[wp]: apply (erule_tac P="\st. awaiting_reply' st \ activatable' st" in pred_tcb'_weakenE) apply (case_tac st, clarsimp+) - apply (wp threadSet_invs_trivial threadSet_st_tcb_at2 static_imp_wp + apply (wp threadSet_invs_trivial threadSet_st_tcb_at2 hoare_weak_lift_imp | clarsimp simp add: inQ_def)+ apply (rule_tac Q="\_. invs' and tcb_at' t and sch_act_simple and st_tcb_at' awaiting_reply' t" @@ -987,7 +987,7 @@ lemma setDomain_invs': (\y. domain \ maxDomain))\ setDomain ptr domain \\y. invs'\" apply (simp add:setDomain_def ) - apply (wp add: when_wp static_imp_wp static_imp_conj_wp rescheduleRequired_all_invs_but_extra + apply (wp add: when_wp hoare_weak_lift_imp hoare_weak_lift_imp_conj rescheduleRequired_all_invs_but_extra tcbSchedEnqueue_valid_action hoare_vcg_if_lift2) apply (rule_tac Q = "\r s. all_invs_but_sch_extra s \ curThread = ksCurThread s \ (ptr \ curThread \ ct_not_inQ s \ sch_act_wf (ksSchedulerAction s) s \ ct_idle_or_in_cur_domain' s)" @@ -1001,7 +1001,7 @@ lemma setDomain_invs': prefer 2 apply clarsimp apply assumption - apply (wp static_imp_wp threadSet_pred_tcb_no_state threadSet_not_curthread_ct_domain + apply (wp hoare_weak_lift_imp threadSet_pred_tcb_no_state threadSet_not_curthread_ct_domain threadSet_tcbDomain_update_ct_not_inQ | simp)+ apply (rule_tac Q = "\r s. invs' s \ curThread = ksCurThread s \ sch_act_simple s \ domain \ maxDomain 
@@ -1349,7 +1349,7 @@ lemma hinv_invs'[wp]: apply (simp add: handleInvocation_def split_def ts_Restart_case_helper') apply (wp syscall_valid' setThreadState_nonqueued_state_update rfk_invs' - hoare_vcg_all_lift static_imp_wp) + hoare_vcg_all_lift hoare_weak_lift_imp) apply (simp add: if_apply_def2) apply (wp gts_imp' | simp)+ apply (rule_tac Q'="\rv. invs'" in hoare_post_imp_R[rotated]) diff --git a/proof/refine/ARM_HYP/TcbAcc_R.thy b/proof/refine/ARM_HYP/TcbAcc_R.thy index 4797861d15..2eb81e8d9f 100644 --- a/proof/refine/ARM_HYP/TcbAcc_R.thy +++ b/proof/refine/ARM_HYP/TcbAcc_R.thy @@ -11,7 +11,6 @@ begin context begin interpretation Arch . (*FIXME: arch_split*) declare if_weak_cong [cong] -declare result_in_set_wp[wp] declare hoare_in_monad_post[wp] declare trans_state_update'[symmetric,simp] declare storeWordUser_typ_at' [wp] @@ -2397,9 +2396,9 @@ lemma threadSet_queued_sch_act_wf[wp]: split: scheduler_action.split) apply (wp hoare_vcg_conj_lift) apply (simp add: threadSet_def) - apply (wp static_imp_wp) + apply (wp hoare_weak_lift_imp) apply (wps setObject_sa_unchanged) - apply (wp static_imp_wp getObject_tcb_wp)+ + apply (wp hoare_weak_lift_imp getObject_tcb_wp)+ apply (clarsimp simp: obj_at'_def) apply (wp hoare_vcg_all_lift hoare_vcg_conj_lift hoare_convert_imp)+ apply (simp add: threadSet_def) @@ -4141,7 +4140,7 @@ lemma possibleSwitchTo_ct_not_inQ: possibleSwitchTo t \\_. ct_not_inQ\" (is "\?PRE\ _ \_\") apply (simp add: possibleSwitchTo_def curDomain_def) - apply (wpsimp wp: static_imp_wp rescheduleRequired_ct_not_inQ tcbSchedEnqueue_ct_not_inQ + apply (wpsimp wp: hoare_weak_lift_imp rescheduleRequired_ct_not_inQ tcbSchedEnqueue_ct_not_inQ threadGet_wp | (rule hoare_post_imp[OF _ rescheduleRequired_sa_cnt], fastforce))+ apply (fastforce simp: obj_at'_def) 
@@ -4160,7 +4159,7 @@ lemma threadSet_tcbState_update_ct_not_inQ[wp]: apply (clarsimp) apply (rule hoare_conjI) apply (rule hoare_weaken_pre) - apply (wps, wp static_imp_wp) + apply (wps, wp hoare_weak_lift_imp) apply (wp OMG_getObject_tcb)+ apply (clarsimp simp: comp_def) apply (wp hoare_drop_imp) @@ -4180,7 +4179,7 @@ lemma threadSet_tcbBoundNotification_update_ct_not_inQ[wp]: apply (rule hoare_conjI) apply (rule hoare_weaken_pre) apply wps - apply (wp static_imp_wp) + apply (wp hoare_weak_lift_imp) apply (wp OMG_getObject_tcb) apply (clarsimp simp: comp_def) apply (wp hoare_drop_imp) diff --git a/proof/refine/ARM_HYP/Tcb_R.thy b/proof/refine/ARM_HYP/Tcb_R.thy index 109319ac5a..92fb4a22f0 100644 --- a/proof/refine/ARM_HYP/Tcb_R.thy +++ b/proof/refine/ARM_HYP/Tcb_R.thy @@ -347,7 +347,7 @@ lemma invokeTCB_WriteRegisters_corres: apply (rule_tac P=\ and P'=\ in corres_inst) apply simp apply (wp+)[2] - apply ((wp static_imp_wp restart_invs' + apply ((wp hoare_weak_lift_imp restart_invs' | strengthen valid_sched_weak_strg einvs_valid_etcbs invs_valid_queues' invs_queues invs_weak_sch_act_wf | clarsimp simp: invs_def valid_state_def valid_sched_def invs'_def valid_state'_def @@ -446,7 +446,7 @@ proof - apply (simp add: frame_registers_def frameRegisters_def) apply (simp add: getRestartPC_def setNextPC_def dc_def[symmetric]) apply (rule Q[OF refl refl]) - apply (wp mapM_x_wp' static_imp_wp | simp)+ + apply (wp mapM_x_wp' hoare_weak_lift_imp | simp)+ apply (rule corres_split_nor) apply (rule corres_when[OF refl]) apply (rule R[OF refl refl]) 
@@ -456,15 +456,15 @@ proof - apply (rule corres_split[OF corres_when[OF refl rescheduleRequired_corres]]) apply (rule_tac P=\ and P'=\ in corres_inst) apply simp - apply (solves \wp static_imp_wp\)+ + apply (solves \wp hoare_weak_lift_imp\)+ apply (rule_tac Q="\_. einvs and tcb_at dest" in hoare_strengthen_post[rotated]) apply (clarsimp simp: invs_def valid_sched_weak_strg valid_sched_def) prefer 2 apply (rule_tac Q="\_. invs' and tcb_at' dest" in hoare_strengthen_post[rotated]) apply (clarsimp simp: invs'_def valid_state'_def invs_weak_sch_act_wf) - apply ((wp mapM_x_wp' static_imp_wp | simp)+)[4] - apply ((wp static_imp_wp restart_invs' | wpc | clarsimp simp add: if_apply_def2)+)[2] - apply (wp suspend_nonz_cap_to_tcb static_imp_wp | simp add: if_apply_def2)+ + apply ((wp mapM_x_wp' hoare_weak_lift_imp | simp)+)[4] + apply ((wp hoare_weak_lift_imp restart_invs' | wpc | clarsimp simp add: if_apply_def2)+)[2] + apply (wp suspend_nonz_cap_to_tcb hoare_weak_lift_imp | simp add: if_apply_def2)+ apply (fastforce simp: invs_def valid_state_def valid_pspace_def dest!: idle_no_ex_cap) apply (fastforce simp: invs'_def valid_state'_def dest!: global'_no_ex_cap) @@ -636,9 +636,9 @@ lemma sp_corres2: apply wp apply wp apply clarsimp - apply (wp static_imp_wp hoare_vcg_if_lift hoare_wp_combs gts_wp) + apply (wp hoare_weak_lift_imp hoare_vcg_if_lift hoare_wp_combs gts_wp) apply clarsimp - apply (wp hoare_vcg_if_lift static_imp_wp hoare_wp_combs isRunnable_wp) + apply (wp hoare_vcg_if_lift hoare_weak_lift_imp hoare_wp_combs isRunnable_wp) apply (wp hoare_vcg_imp_lift' hoare_vcg_if_lift hoare_vcg_all_lift) apply clarsimp apply (wp hoare_drop_imps) 
@@ -1673,30 +1673,30 @@ lemma tc_invs': apply (simp only: eq_commute[where a="a"]) apply (rule hoare_walk_assmsE) apply (clarsimp simp: pred_conj_def option.splits [where P="\x. x s" for s]) - apply ((wp case_option_wp threadSet_invs_trivial static_imp_wp + apply ((wp case_option_wp threadSet_invs_trivial hoare_weak_lift_imp hoare_vcg_all_lift threadSet_cap_to' | clarsimp simp: inQ_def)+)[2] apply (rule hoare_walk_assmsE) apply (clarsimp simp: pred_conj_def option.splits [where P="\x. x s" for s]) - apply ((wp case_option_wp threadSet_invs_trivial static_imp_wp setMCPriority_invs' + apply ((wp case_option_wp threadSet_invs_trivial hoare_weak_lift_imp setMCPriority_invs' typ_at_lifts[OF setMCPriority_typ_at'] hoare_vcg_all_lift threadSet_cap_to' | clarsimp simp: inQ_def)+)[2] - apply (wp add: setP_invs' static_imp_wp hoare_vcg_all_lift)+ + apply (wp add: setP_invs' hoare_weak_lift_imp hoare_vcg_all_lift)+ apply (rule case_option_wp_None_return[OF setP_invs'[simplified pred_conj_assoc]]) apply clarsimp apply wpfix apply assumption apply (rule case_option_wp_None_returnOk) - apply (wpsimp wp: static_imp_wp hoare_vcg_all_lift + apply (wpsimp wp: hoare_weak_lift_imp hoare_vcg_all_lift checkCap_inv[where P="tcb_at' t" for t] assertDerived_wp_weak threadSet_invs_trivial2 threadSet_tcb' hoare_vcg_all_lift threadSet_cte_wp_at')+ - apply (wpsimp wp: static_imp_wpE cteDelete_deletes + apply (wpsimp wp: hoare_weak_lift_imp_R cteDelete_deletes hoare_vcg_all_lift_R hoare_vcg_conj_liftE1 hoare_vcg_const_imp_lift_R hoare_vcg_propE_R cteDelete_invs' cteDelete_invs' cteDelete_typ_at'_lifts)+ apply (assumption | clarsimp cong: conj_cong imp_cong | (rule case_option_wp_None_returnOk) - | wpsimp wp: static_imp_wp hoare_vcg_all_lift checkCap_inv[where P="tcb_at' t" for t] assertDerived_wp_weak + | wpsimp wp: hoare_weak_lift_imp hoare_vcg_all_lift checkCap_inv[where P="tcb_at' t" for t] assertDerived_wp_weak hoare_vcg_imp_lift' hoare_vcg_all_lift checkCap_inv[where P="tcb_at' t" for t] 
checkCap_inv[where P="valid_cap' c" for c] checkCap_inv[where P=sch_act_simple] - hoare_vcg_const_imp_lift_R assertDerived_wp_weak static_imp_wpE cteDelete_deletes + hoare_vcg_const_imp_lift_R assertDerived_wp_weak hoare_weak_lift_imp_R cteDelete_deletes hoare_vcg_all_lift_R hoare_vcg_conj_liftE1 hoare_vcg_const_imp_lift_R hoare_vcg_propE_R cteDelete_invs' cteDelete_typ_at'_lifts cteDelete_sch_act_simple)+ apply (clarsimp simp: tcb_cte_cases_def cte_level_bits_def objBits_defs @@ -2749,7 +2749,7 @@ lemma restart_makes_simple': \\rv. st_tcb_at' simple' t\" apply (simp add: restart_def) apply (wp sts_st_tcb_at'_cases cancelIPC_simple - cancelIPC_st_tcb_at static_imp_wp | simp)+ + cancelIPC_st_tcb_at hoare_weak_lift_imp | simp)+ apply (rule hoare_strengthen_post [OF isStopped_inv]) prefer 2 apply assumption diff --git a/proof/refine/RISCV64/Arch_R.thy b/proof/refine/RISCV64/Arch_R.thy index 223f87637a..753aad7b41 100644 --- a/proof/refine/RISCV64/Arch_R.thy +++ b/proof/refine/RISCV64/Arch_R.thy 
@@ -970,13 +970,13 @@ lemma performASIDControlInvocation_tcb_at': apply (rule hoare_name_pre_state) apply (clarsimp simp: performASIDControlInvocation_def split: asidcontrol_invocation.splits) apply (clarsimp simp: valid_aci'_def cte_wp_at_ctes_of cong: conj_cong) - apply (wp static_imp_wp |simp add:placeNewObject_def2)+ - apply (wp createObjects_orig_obj_at2' updateFreeIndex_pspace_no_overlap' getSlotCap_wp static_imp_wp)+ + apply (wp hoare_weak_lift_imp |simp add:placeNewObject_def2)+ + apply (wp createObjects_orig_obj_at2' updateFreeIndex_pspace_no_overlap' getSlotCap_wp hoare_weak_lift_imp)+ apply (clarsimp simp: projectKO_opts_defs) apply (strengthen st_tcb_strg' [where P=\]) apply (wp deleteObjects_invs_derivatives[where p="makePoolParent aci"] hoare_vcg_ex_lift deleteObjects_cte_wp_at'[where d=False] - deleteObjects_st_tcb_at'[where p="makePoolParent aci"] static_imp_wp + deleteObjects_st_tcb_at'[where p="makePoolParent aci"] hoare_weak_lift_imp updateFreeIndex_pspace_no_overlap' deleteObject_no_overlap[where d=False])+ apply (case_tac ctea) apply (clarsimp) @@ -1216,7 +1216,7 @@ lemma performASIDControlInvocation_st_tcb_at': hoare_vcg_ex_lift deleteObjects_cte_wp_at' deleteObjects_invs_derivatives deleteObjects_st_tcb_at' - static_imp_wp + hoare_weak_lift_imp | simp add: placeNewObject_def2)+ apply (case_tac ctea) apply (clarsimp) @@ -1342,7 +1342,7 @@ lemma performASIDControlInvocation_invs' [wp]: updateFreeIndex_caps_no_overlap'' updateFreeIndex_descendants_of2 updateFreeIndex_caps_overlap_reserved - updateCap_cte_wp_at_cases static_imp_wp + updateCap_cte_wp_at_cases hoare_weak_lift_imp getSlotCap_wp)+ apply (clarsimp simp:conj_comms ex_disj_distrib is_aligned_mask | strengthen invs_valid_pspace' invs_pspace_aligned' diff --git a/proof/refine/RISCV64/CNodeInv_R.thy b/proof/refine/RISCV64/CNodeInv_R.thy index 87d955c784..d4feda068b 100644 --- a/proof/refine/RISCV64/CNodeInv_R.thy +++ b/proof/refine/RISCV64/CNodeInv_R.thy 
@@ -4861,7 +4861,7 @@ lemma cteSwap_iflive'[wp]: simp only: if_live_then_nonz_cap'_def imp_conv_disj ex_nonz_cap_to'_def) apply (wp hoare_vcg_all_lift hoare_vcg_disj_lift - hoare_vcg_ex_lift updateCap_cte_wp_at_cases static_imp_wp)+ + hoare_vcg_ex_lift updateCap_cte_wp_at_cases hoare_weak_lift_imp)+ apply (clarsimp simp: cte_wp_at_ctes_of) apply (drule(1) if_live_then_nonz_capE') apply (clarsimp simp: ex_nonz_cap_to'_def cte_wp_at_ctes_of) @@ -5727,7 +5727,7 @@ lemma cteSwap_cte_wp_cteCap: apply simp apply (wp hoare_drop_imps)[1] apply (wp updateMDB_weak_cte_wp_at updateCap_cte_wp_at_cases - getCTE_wp' hoare_vcg_all_lift static_imp_wp)+ + getCTE_wp' hoare_vcg_all_lift hoare_weak_lift_imp)+ apply simp apply (clarsimp simp: o_def) done @@ -5741,7 +5741,7 @@ lemma capSwap_cte_wp_cteCap: apply(simp add: capSwapForDelete_def) apply(wp) apply(rule cteSwap_cte_wp_cteCap) - apply(wp getCTE_wp getCTE_cte_wp_at static_imp_wp)+ + apply(wp getCTE_wp getCTE_cte_wp_at hoare_weak_lift_imp)+ apply(clarsimp) apply(rule conjI) apply(simp add: cte_at_cte_wp_atD) @@ -6250,7 +6250,7 @@ proof (induct arbitrary: P p rule: finalise_spec_induct2) apply clarsimp apply (case_tac "cteCap rv", simp_all add: isCap_simps final_matters'_def)[1] - apply (wp isFinalCapability_inv static_imp_wp | simp | wp (once) isFinal[where x=sl])+ + apply (wp isFinalCapability_inv hoare_weak_lift_imp | simp | wp (once) isFinal[where x=sl])+ apply (wp getCTE_wp') apply (clarsimp simp: cte_wp_at_ctes_of) apply (rule conjI, clarsimp simp: removeable'_def) 
@@ -7025,14 +7025,14 @@ next apply simp apply (wp replace_cap_invs final_cap_same_objrefs set_cap_cte_wp_at set_cap_cte_cap_wp_to - hoare_vcg_const_Ball_lift static_imp_wp + hoare_vcg_const_Ball_lift hoare_weak_lift_imp | simp add: conj_comms | erule finalise_cap_not_reply_master [simplified])+ apply (elim conjE, strengthen exI[mk_strg I], strengthen asm_rl[where psi="(cap_relation cap cap')" for cap cap', mk_strg I E]) apply (wp make_zombie_invs' updateCap_cap_to' updateCap_cte_wp_at_cases - hoare_vcg_ex_lift static_imp_wp) + hoare_vcg_ex_lift hoare_weak_lift_imp) apply clarsimp apply (drule_tac cap=a in cap_relation_removables, clarsimp, assumption+) @@ -7074,7 +7074,7 @@ next apply (clarsimp dest!: isCapDs simp: cte_wp_at_ctes_of) apply (case_tac "cteCap rv'", auto simp add: isCap_simps is_cap_simps final_matters'_def)[1] - apply (wp isFinalCapability_inv static_imp_wp + apply (wp isFinalCapability_inv hoare_weak_lift_imp | simp add: is_final_cap_def conj_comms cte_wp_at_eq_simp)+ apply (rule isFinal[where x="cte_map slot"]) apply (wp get_cap_wp| simp add: conj_comms)+ @@ -7215,7 +7215,7 @@ next apply (rule updateCap_corres) apply simp apply (simp add: is_cap_simps) - apply (rule_tac Q="\rv. cte_at' (cte_map ?target)" in valid_prove_more) + apply (rule_tac R="\rv. cte_at' (cte_map ?target)" in hoare_post_add) apply (wp, (wp getCTE_wp)+) apply (clarsimp simp: cte_wp_at_ctes_of) apply (rule no_fail_pre, wp, simp) @@ -8372,7 +8372,7 @@ lemma cteMove_iflive'[wp]: ex_nonz_cap_to'_def) apply (wp hoare_vcg_all_lift hoare_vcg_disj_lift hoare_vcg_ex_lift updateCap_cte_wp_at_cases - getCTE_wp static_imp_wp)+ + getCTE_wp hoare_weak_lift_imp)+ apply (clarsimp simp: cte_wp_at_ctes_of) apply (drule(1) if_live_then_nonz_capE') apply (clarsimp simp: ex_nonz_cap_to'_def cte_wp_at_ctes_of) 
@@ -8553,7 +8553,7 @@ lemma cteMove_cte_wp_at: \\_ s. cte_wp_at' (\c. Q (cteCap c)) ptr s\" unfolding cteMove_def apply (fold o_def) - apply (wp updateCap_cte_wp_at_cases updateMDB_weak_cte_wp_at getCTE_wp static_imp_wp|simp add: o_def)+ + apply (wp updateCap_cte_wp_at_cases updateMDB_weak_cte_wp_at getCTE_wp hoare_weak_lift_imp|simp add: o_def)+ apply (clarsimp simp: cte_wp_at_ctes_of) done diff --git a/proof/refine/RISCV64/CSpace1_R.thy b/proof/refine/RISCV64/CSpace1_R.thy index 2c73fde839..b2ea3e319b 100644 --- a/proof/refine/RISCV64/CSpace1_R.thy +++ b/proof/refine/RISCV64/CSpace1_R.thy @@ -934,7 +934,7 @@ lemma cteInsert_weak_cte_wp_at: \\uu. cte_wp_at'(\c. P (cteCap c)) p\" unfolding cteInsert_def error_def updateCap_def setUntypedCapAsFull_def apply (simp add: bind_assoc split del: if_split) - apply (wp setCTE_weak_cte_wp_at updateMDB_weak_cte_wp_at static_imp_wp | simp)+ + apply (wp setCTE_weak_cte_wp_at updateMDB_weak_cte_wp_at hoare_weak_lift_imp | simp)+ apply (wp getCTE_ctes_wp)+ apply (clarsimp simp: isCap_simps split:if_split_asm| rule conjI)+ done diff --git a/proof/refine/RISCV64/Detype_R.thy b/proof/refine/RISCV64/Detype_R.thy index 6b570a3582..27b02533be 100644 --- a/proof/refine/RISCV64/Detype_R.thy +++ b/proof/refine/RISCV64/Detype_R.thy 
@@ -1891,12 +1891,12 @@ lemma cte_wp_at_top: tcbReplySlot_def tcbCTableSlot_def tcbVTableSlot_def objBits_simps cteSizeBits_def) apply (simp add: alignCheck_def bind_def alignError_def fail_def return_def objBits_simps - magnitudeCheck_def in_monad is_aligned_mask when_def + magnitudeCheck_def in_monad is_aligned_mask when_def unless_def split: option.splits) apply (intro conjI impI allI; simp add: not_le) apply (clarsimp simp:cte_check_def) apply (simp add: alignCheck_def bind_def alignError_def fail_def return_def objBits_simps - magnitudeCheck_def in_monad is_aligned_mask when_def + magnitudeCheck_def in_monad is_aligned_mask when_def unless_def split: option.splits) apply (intro conjI impI allI; simp add:not_le) apply (simp add: typeError_def fail_def cte_check_def split: Structures_H.kernel_object.splits) diff --git a/proof/refine/RISCV64/Finalise_R.thy b/proof/refine/RISCV64/Finalise_R.thy index 448be8bf04..ca005a3037 100644 --- a/proof/refine/RISCV64/Finalise_R.thy +++ b/proof/refine/RISCV64/Finalise_R.thy @@ -1588,7 +1588,7 @@ lemma emptySlot_corres: defer apply wpsimp+ apply (rule corres_no_failI) - apply (rule no_fail_pre, wp static_imp_wp) + apply (rule no_fail_pre, wp hoare_weak_lift_imp) apply (clarsimp simp: cte_wp_at_ctes_of valid_pspace'_def) apply (clarsimp simp: valid_mdb'_def valid_mdb_ctes_def) apply (rule conjI, clarsimp) @@ -3259,7 +3259,7 @@ lemma cteDeleteOne_invs[wp]: subgoal by auto subgoal by (auto dest!: isCapDs simp: pred_tcb_at'_def obj_at'_def projectKOs ko_wp_at'_def) - apply (wp isFinalCapability_inv getCTE_wp' static_imp_wp + apply (wp isFinalCapability_inv getCTE_wp' hoare_weak_lift_imp | wp (once) isFinal[where x=ptr])+ apply (fastforce simp: cte_wp_at_ctes_of) done diff --git a/proof/refine/RISCV64/Interrupt_R.thy b/proof/refine/RISCV64/Interrupt_R.thy index 18d758713c..fffa216df0 100644 --- a/proof/refine/RISCV64/Interrupt_R.thy +++ b/proof/refine/RISCV64/Interrupt_R.thy 
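Review bot: The same eleven-name simp set (`alignCheck_def bind_def alignError_def fail_def return_def objBits_simps magnitudeCheck_def in_monad is_aligned_mask when_def unless_def`) is now maintained in two places in `cte_wp_at_top`, and this commit had to extend both copies in lock-step to add `unless_def`. Naming it once, e.g. `lemmas cte_check_unfold_simps = alignCheck_def bind_def alignError_def fail_def return_def objBits_simps magnitudeCheck_def in_monad is_aligned_mask when_def unless_def`, and using `simp add: cte_check_unfold_simps split: option.splits` at both sites would make the next monad-definition change a one-line edit. A short comment on the `lemmas` line saying that these unfold the monadic checks in `cte_check` would help readers see why `when_def`/`unless_def` belong together. The `cte_wp_at_top` proof begins before this hunk.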
@@ -683,7 +683,7 @@ lemma timerTick_corres: apply wp+ apply (simp add:decDomainTime_def) apply wp - apply (wpsimp wp: static_imp_wp threadSet_timeslice_invs threadSet_valid_queues + apply (wpsimp wp: hoare_weak_lift_imp threadSet_timeslice_invs threadSet_valid_queues threadSet_valid_queues' tcbSchedAppend_valid_objs' threadSet_pred_tcb_at_state threadSet_weak_sch_act_wf rescheduleRequired_weak_sch_act_wf tcbSchedAppend_valid_queues)+ diff --git a/proof/refine/RISCV64/Ipc_R.thy b/proof/refine/RISCV64/Ipc_R.thy index 5147b576c8..8eb0ed05f3 100644 --- a/proof/refine/RISCV64/Ipc_R.thy +++ b/proof/refine/RISCV64/Ipc_R.thy @@ -320,7 +320,7 @@ lemma cteInsert_cte_wp_at: cteInsert cap src dest \\uu. cte_wp_at' (\c. P (cteCap c)) p\" apply (simp add: cteInsert_def) - apply (wp updateMDB_weak_cte_wp_at updateCap_cte_wp_at_cases getCTE_wp static_imp_wp + apply (wp updateMDB_weak_cte_wp_at updateCap_cte_wp_at_cases getCTE_wp hoare_weak_lift_imp | clarsimp simp: comp_def | unfold setUntypedCapAsFull_def)+ apply (drule cte_at_cte_wp_atD) @@ -364,7 +364,7 @@ lemma cteInsert_weak_cte_wp_at3: else cte_wp_at' (\c. P (cteCap c)) p s\ cteInsert cap src dest \\uu. cte_wp_at' (\c. P (cteCap c)) p\" - by (wp updateMDB_weak_cte_wp_at updateCap_cte_wp_at_cases getCTE_wp' static_imp_wp + by (wp updateMDB_weak_cte_wp_at updateCap_cte_wp_at_cases getCTE_wp' hoare_weak_lift_imp | clarsimp simp: comp_def cteInsert_def | unfold setUntypedCapAsFull_def | auto simp: cte_wp_at'_def dest!: imp)+ @@ -584,7 +584,7 @@ lemma cteInsert_cte_cap_to': apply (rule hoare_use_eq_irq_node' [OF cteInsert_ksInterruptState]) apply (clarsimp simp:cteInsert_def) apply (wp hoare_vcg_ex_lift updateMDB_weak_cte_wp_at updateCap_cte_wp_at_cases - setUntypedCapAsFull_cte_wp_at getCTE_wp static_imp_wp) + setUntypedCapAsFull_cte_wp_at getCTE_wp hoare_weak_lift_imp) apply (clarsimp simp:cte_wp_at_ctes_of) apply (rule_tac x = "cref" in exI) apply (rule conjI) 
@@ -627,7 +627,7 @@ lemma cteInsert_weak_cte_wp_at2: apply (rule hoare_use_eq_irq_node' [OF cteInsert_ksInterruptState]) apply (clarsimp simp:cteInsert_def) apply (wp hoare_vcg_ex_lift updateMDB_weak_cte_wp_at updateCap_cte_wp_at_cases - setUntypedCapAsFull_cte_wp_at getCTE_wp static_imp_wp) + setUntypedCapAsFull_cte_wp_at getCTE_wp hoare_weak_lift_imp) apply (clarsimp simp:cte_wp_at_ctes_of weak) apply auto done @@ -660,11 +660,11 @@ lemma transferCapsToSlots_presM: apply (wp eb hoare_vcg_const_Ball_lift hoare_vcg_const_imp_lift | assumption | wpc)+ apply (rule cteInsert_assume_Null) - apply (wp x hoare_vcg_const_Ball_lift cteInsert_cte_cap_to' static_imp_wp) + apply (wp x hoare_vcg_const_Ball_lift cteInsert_cte_cap_to' hoare_weak_lift_imp) apply (rule cteInsert_weak_cte_wp_at2,clarsimp) - apply (wp hoare_vcg_const_Ball_lift static_imp_wp)+ + apply (wp hoare_vcg_const_Ball_lift hoare_weak_lift_imp)+ apply (rule cteInsert_weak_cte_wp_at2,clarsimp) - apply (wp hoare_vcg_const_Ball_lift cteInsert_cte_wp_at static_imp_wp + apply (wp hoare_vcg_const_Ball_lift cteInsert_cte_wp_at hoare_weak_lift_imp deriveCap_derived_foo)+ apply (thin_tac "\slots. PROP P slots" for P) apply (clarsimp simp: cte_wp_at_ctes_of remove_rights_def @@ -1038,7 +1038,7 @@ lemma transferCaps_corres: apply (rule corres_rel_imp, rule transferCapsToSlots_corres, simp_all add: split_def)[1] apply (case_tac info, simp) - apply (wp hoare_vcg_all_lift get_rs_cte_at static_imp_wp + apply (wp hoare_vcg_all_lift get_rs_cte_at hoare_weak_lift_imp | simp only: ball_conj_distrib)+ apply (simp add: cte_map_def tcb_cnode_index_def split_def) apply (clarsimp simp: valid_pspace'_def valid_ipc_buffer_ptr'_def2 
@@ -1453,7 +1453,7 @@ lemma doNormalTransfer_corres: hoare_valid_ipc_buffer_ptr_typ_at' copyMRs_typ_at' hoare_vcg_const_Ball_lift lookupExtraCaps_length | simp add: if_apply_def2)+) - apply (wp static_imp_wp | strengthen valid_msg_length_strengthen)+ + apply (wp hoare_weak_lift_imp | strengthen valid_msg_length_strengthen)+ apply clarsimp apply auto done @@ -2195,7 +2195,7 @@ lemma doReplyTransfer_corres: apply (clarsimp simp: tcb_relation_def) apply (fold dc_def, rule possibleSwitchTo_corres) apply simp - apply (wp static_imp_wp static_imp_conj_wp set_thread_state_runnable_weak_valid_sched_action sts_st_tcb_at' + apply (wp hoare_weak_lift_imp hoare_weak_lift_imp_conj set_thread_state_runnable_weak_valid_sched_action sts_st_tcb_at' sts_st_tcb' sts_valid_queues | force simp: valid_sched_def valid_sched_action_def valid_tcb_state'_def)+ apply (rule corres_guard_imp) @@ -2297,15 +2297,15 @@ lemma setupCallerCap_corres: tcb_cnode_index_def cte_level_bits_def) apply (simp add: cte_map_def tcbCallerSlot_def tcb_cnode_index_def cte_level_bits_def) - apply (rule_tac Q="\rv. cte_at' (receiver + 2 ^ cte_level_bits * tcbCallerSlot)" - in valid_prove_more) + apply (rule_tac R="\rv. cte_at' (receiver + 2 ^ cte_level_bits * tcbCallerSlot)" + in hoare_post_add) apply (wp, (wp getSlotCap_wp)+) apply blast apply (rule no_fail_pre, wp) apply (clarsimp simp: cte_wp_at'_def cte_at'_def) - apply (rule_tac Q="\rv. cte_at' (sender + 2 ^ cte_level_bits * tcbReplySlot)" - in valid_prove_more) + apply (rule_tac R="\rv. cte_at' (sender + 2 ^ cte_level_bits * tcbReplySlot)" + in hoare_post_add) apply (wp, (wp getCTE_wp')+) apply blast apply (rule no_fail_pre, wp) 
@@ -2362,7 +2362,7 @@ lemma possibleSwitchTo_weak_sch_act_wf[wp]: bitmap_fun_defs) apply (wp rescheduleRequired_weak_sch_act_wf weak_sch_act_wf_lift_linear[where f="tcbSchedEnqueue t"] - getObject_tcb_wp static_imp_wp + getObject_tcb_wp hoare_weak_lift_imp | wpc)+ apply (clarsimp simp: obj_at'_def projectKOs weak_sch_act_wf_def ps_clear_def tcb_in_cur_domain'_def) done @@ -2725,7 +2725,7 @@ lemma possibleSwitchTo_sch_act[wp]: possibleSwitchTo t \\rv s. sch_act_wf (ksSchedulerAction s) s\" apply (simp add: possibleSwitchTo_def curDomain_def bitmap_fun_defs) - apply (wp static_imp_wp threadSet_sch_act setQueue_sch_act threadGet_wp + apply (wp hoare_weak_lift_imp threadSet_sch_act setQueue_sch_act threadGet_wp | simp add: unless_def | wpc)+ apply (auto simp: obj_at'_def projectKOs tcb_in_cur_domain'_def) done @@ -2746,7 +2746,7 @@ lemma possibleSwitchTo_ksQ': possibleSwitchTo t \\_ s. t' \ set (ksReadyQueues s p)\" apply (simp add: possibleSwitchTo_def curDomain_def bitmap_fun_defs) - apply (wp static_imp_wp rescheduleRequired_ksQ' tcbSchedEnqueue_ksQ threadGet_wp + apply (wp hoare_weak_lift_imp rescheduleRequired_ksQ' tcbSchedEnqueue_ksQ threadGet_wp | wpc | simp split del: if_split)+ apply (auto simp: obj_at'_def) @@ -2758,7 +2758,7 @@ lemma possibleSwitchTo_valid_queues'[wp]: possibleSwitchTo t \\rv. valid_queues'\" apply (simp add: possibleSwitchTo_def curDomain_def bitmap_fun_defs) - apply (wp static_imp_wp threadGet_wp | wpc | simp)+ + apply (wp hoare_weak_lift_imp threadGet_wp | wpc | simp)+ apply (auto simp: obj_at'_def) done 
@@ -3710,7 +3710,7 @@ lemma completeSignal_invs: \ ((\y. ntfnBoundTCB ntfn = Some y) \ ex_nonz_cap_to' ntfnptr s) \ ntfnptr \ ksIdleThread s" in hoare_strengthen_post) - apply ((wp hoare_vcg_ex_lift static_imp_wp | wpc | simp add: valid_ntfn'_def)+)[1] + apply ((wp hoare_vcg_ex_lift hoare_weak_lift_imp | wpc | simp add: valid_ntfn'_def)+)[1] apply (clarsimp simp: obj_at'_def state_refs_of'_def typ_at'_def ko_wp_at'_def split: option.splits) apply (blast dest: ntfn_q_refs_no_bound_refs') apply wp @@ -3928,7 +3928,7 @@ lemma rai_invs'[wp]: \ \ep = ActiveNtfn\ apply (simp add: invs'_def valid_state'_def) apply (rule hoare_pre) - apply (wp valid_irq_node_lift sts_valid_objs' typ_at_lifts static_imp_wp + apply (wp valid_irq_node_lift sts_valid_objs' typ_at_lifts hoare_weak_lift_imp asUser_urz | simp add: valid_ntfn'_def)+ apply (clarsimp simp: pred_tcb_at' valid_pspace'_def) @@ -4384,7 +4384,7 @@ lemma sendSignal_st_tcb'_Running: sendSignal ntfnptr bdg \\_. st_tcb_at' (\st. st = Running \ P st) t\" apply (simp add: sendSignal_def) - apply (wp sts_st_tcb_at'_cases cancelIPC_st_tcb_at' gts_wp' getNotification_wp static_imp_wp + apply (wp sts_st_tcb_at'_cases cancelIPC_st_tcb_at' gts_wp' getNotification_wp hoare_weak_lift_imp | wpc | clarsimp simp: pred_tcb_at')+ done diff --git a/proof/refine/RISCV64/Refine.thy b/proof/refine/RISCV64/Refine.thy index 9f54720fce..5e970bf65e 100644 --- a/proof/refine/RISCV64/Refine.thy +++ b/proof/refine/RISCV64/Refine.thy @@ -274,7 +274,7 @@ lemma kernel_entry_invs: thread_set_ct_running thread_set_not_state_valid_sched hoare_vcg_disj_lift ct_in_state_thread_state_lift thread_set_no_change_tcb_state call_kernel_domain_time_inv_det_ext call_kernel_domain_list_inv_det_ext - static_imp_wp + hoare_weak_lift_imp | clarsimp simp add: tcb_cap_cases_def active_from_running)+ done 
@@ -420,7 +420,7 @@ lemma kernelEntry_invs': apply (simp add: kernelEntry_def) apply (wp ckernel_invs callKernel_domain_time_left threadSet_invs_trivial threadSet_ct_running' - TcbAcc_R.dmo_invs' static_imp_wp + TcbAcc_R.dmo_invs' hoare_weak_lift_imp doMachineOp_ct_in_state' doMachineOp_sch_act_simple callKernel_domain_time_left | clarsimp simp: user_memory_update_def no_irq_def tcb_at_invs' @@ -633,7 +633,7 @@ lemma entry_corres: apply (rule hoare_strengthen_post, rule ckernel_invs, simp add: invs'_def cur_tcb'_def) apply (wp thread_set_invs_trivial thread_set_ct_running threadSet_invs_trivial threadSet_ct_running' - thread_set_not_state_valid_sched static_imp_wp + thread_set_not_state_valid_sched hoare_weak_lift_imp hoare_vcg_disj_lift ct_in_state_thread_state_lift | simp add: tcb_cap_cases_def ct_in_state'_def thread_set_no_change_tcb_state | (wps, wp threadSet_st_tcb_at2) )+ diff --git a/proof/refine/RISCV64/Retype_R.thy b/proof/refine/RISCV64/Retype_R.thy index b717396aa9..cd55719ec1 100644 --- a/proof/refine/RISCV64/Retype_R.thy +++ b/proof/refine/RISCV64/Retype_R.thy @@ -2487,7 +2487,6 @@ lemmas object_splits = declare hoare_in_monad_post[wp del] declare univ_get_wp[wp del] -declare result_in_set_wp[wp del] crunch valid_arch_state'[wp]: copyGlobalMappings "valid_arch_state'" (wp: crunch_wps) @@ -4351,7 +4350,7 @@ proof - apply (simp add: ct_idle_or_in_cur_domain'_def tcb_in_cur_domain'_def) apply (rule hoare_pre) apply (wps a b c d) - apply (wp static_imp_wp e' hoare_vcg_disj_lift) + apply (wp hoare_weak_lift_imp e' hoare_vcg_disj_lift) apply (auto simp: obj_at'_def ct_in_state'_def st_tcb_at'_def) done qed diff --git a/proof/refine/RISCV64/Schedule_R.thy b/proof/refine/RISCV64/Schedule_R.thy index 800d5399b9..8524d6bdd5 100644 --- a/proof/refine/RISCV64/Schedule_R.thy +++ b/proof/refine/RISCV64/Schedule_R.thy 
@@ -10,7 +10,7 @@ begin context begin interpretation Arch . (*FIXME: arch_split*) -declare static_imp_wp[wp_split del] +declare hoare_weak_lift_imp[wp_split del] (* Levity: added (20090713 10:04:12) *) declare sts_rel_idle [simp] @@ -399,7 +399,7 @@ lemma ct_idle_or_in_cur_domain'_lift2: apply (rule hoare_lift_Pf2[where f=ksCurThread]) apply (rule hoare_lift_Pf2[where f=ksSchedulerAction]) including no_pre - apply (wp static_imp_wp hoare_vcg_disj_lift) + apply (wp hoare_weak_lift_imp hoare_vcg_disj_lift) apply simp+ done @@ -1361,7 +1361,7 @@ lemma switchToIdleThread_invs_no_cicd': crunch obj_at'[wp]: "Arch.switchToIdleThread" "\s. obj_at' P t s" -declare static_imp_conj_wp[wp_split del] +declare hoare_weak_lift_imp_conj[wp_split del] lemma setCurThread_const: "\\_. P t \ setCurThread t \\_ s. P (ksCurThread s) \" diff --git a/proof/refine/RISCV64/Syscall_R.thy b/proof/refine/RISCV64/Syscall_R.thy index eed6658629..21253a4474 100644 --- a/proof/refine/RISCV64/Syscall_R.thy +++ b/proof/refine/RISCV64/Syscall_R.thy @@ -337,7 +337,7 @@ lemma threadSet_tcbDomain_update_sch_act_wf[wp]: apply (simp add: threadSet_def) apply wp apply (wps setObject_sa_unchanged) - apply (wp static_imp_wp getObject_tcb_wp hoare_vcg_all_lift)+ + apply (wp hoare_weak_lift_imp getObject_tcb_wp hoare_vcg_all_lift)+ apply (rename_tac word) apply (rule_tac Q="\_ s. ksSchedulerAction s = SwitchToThread word \ st_tcb_at' runnable' word s \ tcb_in_cur_domain' word s \ word \ t" @@ -684,7 +684,7 @@ proof - apply (rule hoare_weaken_pre [OF cteInsert_weak_cte_wp_at3]) apply (rule PUC,simp) apply (clarsimp simp: cte_wp_at_ctes_of) - apply (wp hoare_vcg_all_lift static_imp_wp | simp add:ball_conj_distrib)+ + apply (wp hoare_vcg_all_lift hoare_weak_lift_imp | simp add:ball_conj_distrib)+ done qed 
@@ -803,7 +803,7 @@ lemma doReply_invs[wp]: apply assumption apply (erule cte_wp_at_weakenE') apply (fastforce) - apply (wp sts_invs_minor'' sts_st_tcb' static_imp_wp) + apply (wp sts_invs_minor'' sts_st_tcb' hoare_weak_lift_imp) apply (rule_tac Q="\rv s. invs' s \ sch_act_simple s \ st_tcb_at' awaiting_reply' t s \ t \ ksIdleThread s" @@ -821,7 +821,7 @@ lemma doReply_invs[wp]: apply (erule_tac P="\st. awaiting_reply' st \ activatable' st" in pred_tcb'_weakenE) apply (case_tac st, clarsimp+) - apply (wp threadSet_invs_trivial threadSet_st_tcb_at2 static_imp_wp + apply (wp threadSet_invs_trivial threadSet_st_tcb_at2 hoare_weak_lift_imp | clarsimp simp add: inQ_def)+ apply (rule_tac Q="\_. invs' and tcb_at' t and sch_act_simple and st_tcb_at' awaiting_reply' t" @@ -976,7 +976,7 @@ lemma setDomain_invs': (\y. domain \ maxDomain))\ setDomain ptr domain \\y. invs'\" apply (simp add:setDomain_def ) - apply (wp add: when_wp static_imp_wp static_imp_conj_wp rescheduleRequired_all_invs_but_extra + apply (wp add: when_wp hoare_weak_lift_imp hoare_weak_lift_imp_conj rescheduleRequired_all_invs_but_extra tcbSchedEnqueue_valid_action hoare_vcg_if_lift2) apply (rule_tac Q = "\r s. all_invs_but_sch_extra s \ curThread = ksCurThread s \ (ptr \ curThread \ ct_not_inQ s \ sch_act_wf (ksSchedulerAction s) s \ ct_idle_or_in_cur_domain' s)" @@ -990,7 +990,7 @@ lemma setDomain_invs': prefer 2 apply clarsimp apply assumption - apply (wp static_imp_wp threadSet_pred_tcb_no_state threadSet_not_curthread_ct_domain + apply (wp hoare_weak_lift_imp threadSet_pred_tcb_no_state threadSet_not_curthread_ct_domain threadSet_tcbDomain_update_ct_not_inQ | simp)+ apply (rule_tac Q = "\r s. invs' s \ curThread = ksCurThread s \ sch_act_simple s \ domain \ maxDomain 
@@ -1302,7 +1302,7 @@ lemma hinv_invs'[wp]: apply (simp add: handleInvocation_def split_def ts_Restart_case_helper') apply (wp syscall_valid' setThreadState_nonqueued_state_update rfk_invs' - hoare_vcg_all_lift static_imp_wp) + hoare_vcg_all_lift hoare_weak_lift_imp) apply simp apply (intro conjI impI) apply (wp gts_imp' | simp)+ diff --git a/proof/refine/RISCV64/TcbAcc_R.thy b/proof/refine/RISCV64/TcbAcc_R.thy index 49c0678017..472d75b3ea 100644 --- a/proof/refine/RISCV64/TcbAcc_R.thy +++ b/proof/refine/RISCV64/TcbAcc_R.thy @@ -11,7 +11,6 @@ begin context begin interpretation Arch . (*FIXME: arch_split*) declare if_weak_cong [cong] -declare result_in_set_wp[wp] declare hoare_in_monad_post[wp] declare trans_state_update'[symmetric,simp] declare storeWordUser_typ_at' [wp] @@ -2365,9 +2364,9 @@ lemma threadSet_queued_sch_act_wf[wp]: split: scheduler_action.split) apply (wp hoare_vcg_conj_lift) apply (simp add: threadSet_def) - apply (wp static_imp_wp) + apply (wp hoare_weak_lift_imp) apply (wps setObject_sa_unchanged) - apply (wp static_imp_wp getObject_tcb_wp)+ + apply (wp hoare_weak_lift_imp getObject_tcb_wp)+ apply (clarsimp simp: obj_at'_def) apply (wp hoare_vcg_all_lift hoare_vcg_conj_lift hoare_convert_imp)+ apply (simp add: threadSet_def) @@ -4125,7 +4124,7 @@ lemma possibleSwitchTo_ct_not_inQ: possibleSwitchTo t \\_. ct_not_inQ\" (is "\?PRE\ _ \_\") apply (simp add: possibleSwitchTo_def curDomain_def) - apply (wpsimp wp: static_imp_wp rescheduleRequired_ct_not_inQ tcbSchedEnqueue_ct_not_inQ + apply (wpsimp wp: hoare_weak_lift_imp rescheduleRequired_ct_not_inQ tcbSchedEnqueue_ct_not_inQ threadGet_wp | (rule hoare_post_imp[OF _ rescheduleRequired_sa_cnt], fastforce))+ apply (fastforce simp: obj_at'_def) 
@@ -4144,7 +4143,7 @@ lemma threadSet_tcbState_update_ct_not_inQ[wp]: apply (clarsimp) apply (rule hoare_conjI) apply (rule hoare_weaken_pre) - apply (wps, wp static_imp_wp) + apply (wps, wp hoare_weak_lift_imp) apply (wp OMG_getObject_tcb)+ apply (clarsimp simp: comp_def) apply (wp hoare_drop_imp) @@ -4164,7 +4163,7 @@ lemma threadSet_tcbBoundNotification_update_ct_not_inQ[wp]: apply (rule hoare_conjI) apply (rule hoare_weaken_pre) apply wps - apply (wp static_imp_wp) + apply (wp hoare_weak_lift_imp) apply (wp OMG_getObject_tcb) apply (clarsimp simp: comp_def) apply (wp hoare_drop_imp) diff --git a/proof/refine/RISCV64/Tcb_R.thy b/proof/refine/RISCV64/Tcb_R.thy index 93a5c96ef9..c4f071c007 100644 --- a/proof/refine/RISCV64/Tcb_R.thy +++ b/proof/refine/RISCV64/Tcb_R.thy @@ -337,7 +337,7 @@ lemma invokeTCB_WriteRegisters_corres: apply (rule_tac P=\ and P'=\ in corres_inst) apply simp apply (wp+)[2] - apply ((wp static_imp_wp restart_invs' + apply ((wp hoare_weak_lift_imp restart_invs' | strengthen valid_sched_weak_strg einvs_valid_etcbs invs_valid_queues' invs_queues invs_weak_sch_act_wf | clarsimp simp: invs_def valid_state_def valid_sched_def invs'_def valid_state'_def 
@@ -444,15 +444,15 @@ proof - apply (rule corres_split[OF corres_when[OF refl rescheduleRequired_corres]]) apply (rule_tac P=\ and P'=\ in corres_inst) apply simp - apply (solves \wp static_imp_wp\)+ + apply (solves \wp hoare_weak_lift_imp\)+ apply (rule_tac Q="\_. einvs and tcb_at dest" in hoare_post_imp) apply (clarsimp simp: invs_def valid_state_def valid_pspace_def valid_sched_weak_strg valid_sched_def) prefer 2 apply (rule_tac Q="\_. invs' and tcb_at' dest" in hoare_post_imp) apply (clarsimp simp: invs'_def valid_state'_def invs_weak_sch_act_wf cur_tcb'_def) - apply ((wp mapM_x_wp' static_imp_wp | simp+)+)[4] - apply ((wp static_imp_wp restart_invs' | wpc | clarsimp simp: if_apply_def2)+)[2] - apply (wp suspend_nonz_cap_to_tcb static_imp_wp | simp add: if_apply_def2)+ + apply ((wp mapM_x_wp' hoare_weak_lift_imp | simp+)+)[4] + apply ((wp hoare_weak_lift_imp restart_invs' | wpc | clarsimp simp: if_apply_def2)+)[2] + apply (wp suspend_nonz_cap_to_tcb hoare_weak_lift_imp | simp add: if_apply_def2)+ apply (fastforce simp: invs_def valid_state_def valid_pspace_def dest!: idle_no_ex_cap) by (fastforce simp: invs'_def valid_state'_def dest!: global'_no_ex_cap) @@ -627,7 +627,7 @@ lemma sp_corres2: apply (rule rescheduleRequired_corres) apply (rule possibleSwitchTo_corres) apply ((clarsimp - | wp static_imp_wp hoare_vcg_if_lift hoare_wp_combs gts_wp + | wp hoare_weak_lift_imp hoare_vcg_if_lift hoare_wp_combs gts_wp isRunnable_wp)+)[4] apply (wp hoare_vcg_imp_lift' hoare_vcg_if_lift hoare_vcg_all_lift) apply clarsimp 
@@ -1609,30 +1609,30 @@ lemma tc_invs': apply (simp only: eq_commute[where a="a"]) apply (rule hoare_walk_assmsE) apply (clarsimp simp: pred_conj_def option.splits [where P="\x. x s" for s]) - apply ((wp case_option_wp threadSet_invs_trivial static_imp_wp + apply ((wp case_option_wp threadSet_invs_trivial hoare_weak_lift_imp hoare_vcg_all_lift threadSet_cap_to' | clarsimp simp: inQ_def)+)[2] apply (rule hoare_walk_assmsE) apply (clarsimp simp: pred_conj_def option.splits [where P="\x. x s" for s]) - apply ((wp case_option_wp threadSet_invs_trivial static_imp_wp setMCPriority_invs' + apply ((wp case_option_wp threadSet_invs_trivial hoare_weak_lift_imp setMCPriority_invs' typ_at_lifts[OF setMCPriority_typ_at'] hoare_vcg_all_lift threadSet_cap_to' | clarsimp simp: inQ_def)+)[2] - apply (wp add: setP_invs' static_imp_wp hoare_vcg_all_lift)+ + apply (wp add: setP_invs' hoare_weak_lift_imp hoare_vcg_all_lift)+ apply (rule case_option_wp_None_return[OF setP_invs'[simplified pred_conj_assoc]]) apply clarsimp apply wpfix apply assumption apply (rule case_option_wp_None_returnOk) - apply (wpsimp wp: static_imp_wp hoare_vcg_all_lift + apply (wpsimp wp: hoare_weak_lift_imp hoare_vcg_all_lift checkCap_inv[where P="tcb_at' t" for t] assertDerived_wp_weak threadSet_invs_trivial2 threadSet_tcb' hoare_vcg_all_lift threadSet_cte_wp_at')+ - apply (wpsimp wp: static_imp_wpE cteDelete_deletes + apply (wpsimp wp: hoare_weak_lift_imp_R cteDelete_deletes hoare_vcg_all_lift_R hoare_vcg_conj_liftE1 hoare_vcg_const_imp_lift_R hoare_vcg_propE_R cteDelete_invs' cteDelete_invs' cteDelete_typ_at'_lifts)+ apply (assumption | clarsimp cong: conj_cong imp_cong | (rule case_option_wp_None_returnOk) - | wpsimp wp: static_imp_wp hoare_vcg_all_lift checkCap_inv[where P="tcb_at' t" for t] assertDerived_wp_weak + | wpsimp wp: hoare_weak_lift_imp hoare_vcg_all_lift checkCap_inv[where P="tcb_at' t" for t] assertDerived_wp_weak hoare_vcg_imp_lift' hoare_vcg_all_lift checkCap_inv[where P="tcb_at' t" for t] 
checkCap_inv[where P="valid_cap' c" for c] checkCap_inv[where P=sch_act_simple] - hoare_vcg_const_imp_lift_R assertDerived_wp_weak static_imp_wpE cteDelete_deletes + hoare_vcg_const_imp_lift_R assertDerived_wp_weak hoare_weak_lift_imp_R cteDelete_deletes hoare_vcg_all_lift_R hoare_vcg_conj_liftE1 hoare_vcg_const_imp_lift_R hoare_vcg_propE_R cteDelete_invs' cteDelete_typ_at'_lifts cteDelete_sch_act_simple)+ apply (clarsimp simp: tcb_cte_cases_def cte_level_bits_def objBits_defs tcbIPCBufferSlot_def) @@ -2673,7 +2673,7 @@ lemma restart_makes_simple': \\rv. st_tcb_at' simple' t\" apply (simp add: restart_def) apply (wp sts_st_tcb_at'_cases cancelIPC_simple - cancelIPC_st_tcb_at static_imp_wp | simp)+ + cancelIPC_st_tcb_at hoare_weak_lift_imp | simp)+ apply (rule hoare_strengthen_post [OF isStopped_inv]) prefer 2 apply assumption diff --git a/proof/refine/RISCV64/orphanage/Orphanage.thy b/proof/refine/RISCV64/orphanage/Orphanage.thy index 1307c892db..46f6622f12 100644 --- a/proof/refine/RISCV64/orphanage/Orphanage.thy +++ b/proof/refine/RISCV64/orphanage/Orphanage.thy @@ -449,7 +449,7 @@ lemma rescheduleRequired_no_orphans [wp]: \ \rv s. no_orphans s \" unfolding rescheduleRequired_def apply (wp tcbSchedEnqueue_no_orphans hoare_vcg_all_lift ssa_no_orphans | wpc | clarsimp)+ - apply (wps tcbSchedEnqueue_nosch, wp static_imp_wp) + apply (wps tcbSchedEnqueue_nosch, wp hoare_weak_lift_imp) apply (rename_tac word t p) apply (rule_tac P="word = t" in hoare_gen_asm) apply (wp hoare_disjI1 | clarsimp)+ @@ -461,7 +461,7 @@ lemma rescheduleRequired_almost_no_orphans [wp]: \ \rv s. almost_no_orphans tcb_ptr s \" unfolding rescheduleRequired_def apply (wp tcbSchedEnqueue_almost_no_orphans_lift hoare_vcg_all_lift | wpc | clarsimp)+ - apply (wps tcbSchedEnqueue_nosch, wp static_imp_wp) + apply (wps tcbSchedEnqueue_nosch, wp hoare_weak_lift_imp) apply (rename_tac word t p) apply (rule_tac P="word = t" in hoare_gen_asm) apply (wp hoare_disjI1 | clarsimp)+ 
@@ -1078,7 +1078,7 @@ proof - apply (rule_tac Q="\_ s. (t = candidate \ ksCurThread s = candidate) \ (t \ candidate \ sch_act_not t s)" in hoare_post_imp) - apply (wpsimp wp: stt_nosch static_imp_wp)+ + apply (wpsimp wp: stt_nosch hoare_weak_lift_imp)+ apply (fastforce dest!: in_all_active_tcb_ptrsD simp: all_queued_tcb_ptrs_def comp_def) done @@ -1207,7 +1207,7 @@ lemma possibleSwitchTo_almost_no_orphans [wp]: \ \rv s. no_orphans s \" unfolding possibleSwitchTo_def by (wp rescheduleRequired_valid_queues'_weak tcbSchedEnqueue_almost_no_orphans - ssa_almost_no_orphans static_imp_wp + ssa_almost_no_orphans hoare_weak_lift_imp | wpc | clarsimp | wp (once) hoare_drop_imp)+ @@ -1920,7 +1920,7 @@ lemma writereg_no_orphans: unfolding invokeTCB_def performTransfer_def postModifyRegisters_def apply simp apply (rule hoare_pre) - by (wp hoare_vcg_if_lift hoare_vcg_conj_lift restart_invs' static_imp_wp + by (wp hoare_vcg_if_lift hoare_vcg_conj_lift restart_invs' hoare_weak_lift_imp | strengthen invs_valid_queues' | clarsimp simp: invs'_def valid_state'_def dest!: global'_no_ex_cap )+ lemma copyreg_no_orphans: @@ -1930,8 +1930,8 @@ lemma copyreg_no_orphans: \ \rv s. no_orphans s \" unfolding invokeTCB_def performTransfer_def postModifyRegisters_def apply simp - apply (wp hoare_vcg_if_lift static_imp_wp) - apply (wp static_imp_wp hoare_vcg_conj_lift hoare_drop_imp mapM_x_wp' restart_invs' + apply (wp hoare_vcg_if_lift hoare_weak_lift_imp) + apply (wp hoare_weak_lift_imp hoare_vcg_conj_lift hoare_drop_imp mapM_x_wp' restart_invs' restart_no_orphans asUser_no_orphans suspend_nonz_cap_to_tcb | strengthen invs_valid_queues' | wpc | simp add: if_apply_def2)+ apply (fastforce simp: invs'_def valid_state'_def dest!: global'_no_ex_cap) 
@@ -1943,7 +1943,7 @@ lemma settlsbase_no_orphans: \ \rv s. no_orphans s \" unfolding invokeTCB_def performTransfer_def apply simp - apply (wp hoare_vcg_if_lift static_imp_wp) + apply (wp hoare_vcg_if_lift hoare_weak_lift_imp) apply (wpsimp wp: hoare_vcg_imp_lift' mapM_x_wp' asUser_no_orphans)+ done @@ -2009,19 +2009,19 @@ lemma tc_no_orphans: apply (rule hoare_walk_assmsE) apply (clarsimp simp: pred_conj_def option.splits[where P="\x. x s" for s]) apply ((wp case_option_wp threadSet_no_orphans threadSet_invs_trivial - threadSet_cap_to' hoare_vcg_all_lift static_imp_wp | clarsimp simp: inQ_def)+)[2] + threadSet_cap_to' hoare_vcg_all_lift hoare_weak_lift_imp | clarsimp simp: inQ_def)+)[2] apply (rule hoare_walk_assmsE) apply (cases mcp; clarsimp simp: pred_conj_def option.splits[where P="\x. x s" for s]) apply ((wp case_option_wp threadSet_no_orphans threadSet_invs_trivial setMCPriority_invs' typ_at_lifts[OF setMCPriority_typ_at'] - threadSet_cap_to' hoare_vcg_all_lift static_imp_wp | clarsimp simp: inQ_def)+)[3] + threadSet_cap_to' hoare_vcg_all_lift hoare_weak_lift_imp | clarsimp simp: inQ_def)+)[3] apply ((simp only: simp_thms cong: conj_cong | wp cteDelete_deletes cteDelete_invs' cteDelete_sch_act_simple case_option_wp[where m'="return ()", OF setPriority_no_orphans return_inv,simplified] checkCap_inv[where P="valid_cap' c" for c] checkCap_inv[where P=sch_act_simple] checkCap_inv[where P=no_orphans] checkCap_inv[where P="tcb_at' a"] threadSet_cte_wp_at' hoare_vcg_all_lift_R hoare_vcg_all_lift threadSet_no_orphans - hoare_vcg_const_imp_lift_R static_imp_wp hoare_drop_imp threadSet_ipcbuffer_invs + hoare_vcg_const_imp_lift_R hoare_weak_lift_imp hoare_drop_imp threadSet_ipcbuffer_invs | strengthen invs_valid_queues' | (simp add: locateSlotTCB_def locateSlotBasic_def objBits_def objBitsKO_def tcbIPCBufferSlot_def tcb_cte_cases_def, 
@@ -2096,7 +2096,7 @@ lemma performPageInvocation_no_orphans [wp]: apply (simp add: performPageInvocation_def cong: page_invocation.case_cong) apply (rule hoare_pre) - apply (wp mapM_x_wp' mapM_wp' static_imp_wp | wpc | clarsimp)+ + apply (wp mapM_x_wp' mapM_wp' hoare_weak_lift_imp | wpc | clarsimp)+ done lemma performASIDControlInvocation_no_orphans [wp]: @@ -2150,13 +2150,13 @@ lemma performASIDControlInvocation_no_orphans [wp]: \\reply. no_orphans\" apply (clarsimp simp: performASIDControlInvocation_def split: asidcontrol_invocation.splits) - apply (wp static_imp_wp | clarsimp)+ + apply (wp hoare_weak_lift_imp | clarsimp)+ apply (rule_tac Q="\rv s. no_orphans s" in hoare_post_imp) apply (clarsimp simp: no_orphans_def all_active_tcb_ptrs_def is_active_tcb_ptr_def all_queued_tcb_ptrs_def) apply (wp | clarsimp simp:placeNewObject_def2)+ apply (wp createObjects'_wp_subst)+ - apply (wp static_imp_wp updateFreeIndex_pspace_no_overlap'[where sz= pageBits] getSlotCap_wp | simp)+ + apply (wp hoare_weak_lift_imp updateFreeIndex_pspace_no_overlap'[where sz= pageBits] getSlotCap_wp | simp)+ apply (strengthen invs_pspace_aligned' invs_pspace_distinct' invs_valid_pspace') apply (clarsimp simp:conj_comms) apply (wp deleteObjects_invs'[where idx = idx and d=False] diff --git a/proof/refine/X64/Arch_R.thy b/proof/refine/X64/Arch_R.thy index 9083c6fdd2..242ff6183c 100644 --- a/proof/refine/X64/Arch_R.thy +++ b/proof/refine/X64/Arch_R.thy 
@@ -1480,13 +1480,13 @@ lemma performASIDControlInvocation_tcb_at': apply (rule hoare_name_pre_state) apply (clarsimp simp: performASIDControlInvocation_def split: asidcontrol_invocation.splits) apply (clarsimp simp: valid_aci'_def cte_wp_at_ctes_of cong: conj_cong) - apply (wp static_imp_wp |simp add:placeNewObject_def2)+ - apply (wp createObjects_orig_obj_at2' updateFreeIndex_pspace_no_overlap' getSlotCap_wp static_imp_wp)+ + apply (wp hoare_weak_lift_imp |simp add:placeNewObject_def2)+ + apply (wp createObjects_orig_obj_at2' updateFreeIndex_pspace_no_overlap' getSlotCap_wp hoare_weak_lift_imp)+ apply (clarsimp simp: projectKO_opts_defs) apply (strengthen st_tcb_strg' [where P=\]) apply (wp deleteObjects_invs_derivatives[where p="makePoolParent aci"] hoare_vcg_ex_lift deleteObjects_cte_wp_at'[where d=False] - deleteObjects_st_tcb_at'[where p="makePoolParent aci"] static_imp_wp + deleteObjects_st_tcb_at'[where p="makePoolParent aci"] hoare_weak_lift_imp updateFreeIndex_pspace_no_overlap' deleteObject_no_overlap[where d=False])+ apply (case_tac ctea) apply (clarsimp) @@ -1894,7 +1894,7 @@ lemma performASIDControlInvocation_st_tcb_at': hoare_vcg_ex_lift deleteObjects_cte_wp_at' deleteObjects_invs_derivatives deleteObjects_st_tcb_at' - static_imp_wp + hoare_weak_lift_imp | simp add: placeNewObject_def2)+ apply (case_tac ctea) apply (clarsimp) @@ -2041,7 +2041,7 @@ lemma performASIDControlInvocation_invs' [wp]: updateFreeIndex_caps_no_overlap'' updateFreeIndex_descendants_of2 updateFreeIndex_caps_overlap_reserved - updateCap_cte_wp_at_cases static_imp_wp + updateCap_cte_wp_at_cases hoare_weak_lift_imp getSlotCap_wp)+ apply (clarsimp simp:conj_comms ex_disj_distrib is_aligned_mask | strengthen invs_valid_pspace' invs_pspace_aligned' diff --git a/proof/refine/X64/CNodeInv_R.thy b/proof/refine/X64/CNodeInv_R.thy index e15856b5ac..7e73232588 100644 --- a/proof/refine/X64/CNodeInv_R.thy +++ b/proof/refine/X64/CNodeInv_R.thy 
@@ -4906,7 +4906,7 @@ lemma cteSwap_iflive'[wp]: simp only: if_live_then_nonz_cap'_def imp_conv_disj ex_nonz_cap_to'_def) apply (wp hoare_vcg_all_lift hoare_vcg_disj_lift - hoare_vcg_ex_lift updateCap_cte_wp_at_cases static_imp_wp)+ + hoare_vcg_ex_lift updateCap_cte_wp_at_cases hoare_weak_lift_imp)+ apply (clarsimp simp: cte_wp_at_ctes_of) apply (drule(1) if_live_then_nonz_capE') apply (clarsimp simp: ex_nonz_cap_to'_def cte_wp_at_ctes_of) @@ -5831,7 +5831,7 @@ lemma cteSwap_cte_wp_cteCap: apply simp apply (wp hoare_drop_imps)[1] apply (wp updateMDB_weak_cte_wp_at updateCap_cte_wp_at_cases - getCTE_wp' hoare_vcg_all_lift static_imp_wp)+ + getCTE_wp' hoare_vcg_all_lift hoare_weak_lift_imp)+ apply simp apply (clarsimp simp: o_def) done @@ -5845,7 +5845,7 @@ lemma capSwap_cte_wp_cteCap: apply(simp add: capSwapForDelete_def) apply(wp) apply(rule cteSwap_cte_wp_cteCap) - apply(wp getCTE_wp getCTE_cte_wp_at static_imp_wp)+ + apply(wp getCTE_wp getCTE_cte_wp_at hoare_weak_lift_imp)+ apply(clarsimp) apply(rule conjI) apply(simp add: cte_at_cte_wp_atD) @@ -6383,7 +6383,7 @@ proof (induct arbitrary: P p rule: finalise_spec_induct2) apply clarsimp apply (case_tac "cteCap rv", simp_all add: isCap_simps final_matters'_def)[1] - apply (wp isFinalCapability_inv static_imp_wp | simp | wp (once) isFinal[where x=sl])+ + apply (wp isFinalCapability_inv hoare_weak_lift_imp | simp | wp (once) isFinal[where x=sl])+ apply (wp getCTE_wp') apply (clarsimp simp: cte_wp_at_ctes_of) apply (rule conjI, clarsimp simp: removeable'_def) 
@@ -7167,14 +7167,14 @@ next apply simp apply (wp replace_cap_invs final_cap_same_objrefs set_cap_cte_wp_at set_cap_cte_cap_wp_to - hoare_vcg_const_Ball_lift static_imp_wp + hoare_vcg_const_Ball_lift hoare_weak_lift_imp | simp add: conj_comms | erule finalise_cap_not_reply_master [simplified])+ apply (elim conjE, strengthen exI[mk_strg I], strengthen asm_rl[where psi="(cap_relation cap cap')" for cap cap', mk_strg I E]) apply (wp make_zombie_invs' updateCap_cap_to' updateCap_cte_wp_at_cases - hoare_vcg_ex_lift static_imp_wp) + hoare_vcg_ex_lift hoare_weak_lift_imp) apply clarsimp apply (drule_tac cap=a in cap_relation_removables, clarsimp, assumption+) @@ -7216,7 +7216,7 @@ next apply (clarsimp dest!: isCapDs simp: cte_wp_at_ctes_of) apply (case_tac "cteCap rv'", auto simp add: isCap_simps is_cap_simps final_matters'_def)[1] - apply (wp isFinalCapability_inv static_imp_wp + apply (wp isFinalCapability_inv hoare_weak_lift_imp | simp add: is_final_cap_def conj_comms cte_wp_at_eq_simp)+ apply (rule isFinal[where x="cte_map slot"]) apply (wp get_cap_wp| simp add: conj_comms)+ @@ -7357,7 +7357,7 @@ next apply (rule updateCap_corres) apply simp apply (simp add: is_cap_simps) - apply (rule_tac Q="\rv. cte_at' (cte_map ?target)" in valid_prove_more) + apply (rule_tac R="\rv. cte_at' (cte_map ?target)" in hoare_post_add) apply (wp, (wp getCTE_wp)+) apply (clarsimp simp: cte_wp_at_ctes_of) apply (rule no_fail_pre, wp, simp) @@ -8537,7 +8537,7 @@ lemma cteMove_iflive'[wp]: ex_nonz_cap_to'_def) apply (wp hoare_vcg_all_lift hoare_vcg_disj_lift hoare_vcg_ex_lift updateCap_cte_wp_at_cases - getCTE_wp static_imp_wp)+ + getCTE_wp hoare_weak_lift_imp)+ apply (clarsimp simp: cte_wp_at_ctes_of) apply (drule(1) if_live_then_nonz_capE') apply (clarsimp simp: ex_nonz_cap_to'_def cte_wp_at_ctes_of) 
@@ -8742,7 +8742,7 @@ lemma cteMove_cte_wp_at: \\_ s. cte_wp_at' (\c. Q (cteCap c)) ptr s\" unfolding cteMove_def apply (fold o_def) - apply (wp updateCap_cte_wp_at_cases updateMDB_weak_cte_wp_at getCTE_wp static_imp_wp|simp add: o_def)+ + apply (wp updateCap_cte_wp_at_cases updateMDB_weak_cte_wp_at getCTE_wp hoare_weak_lift_imp|simp add: o_def)+ apply (clarsimp simp: cte_wp_at_ctes_of) done diff --git a/proof/refine/X64/CSpace1_R.thy b/proof/refine/X64/CSpace1_R.thy index 6f751f138d..72c6e7ce40 100644 --- a/proof/refine/X64/CSpace1_R.thy +++ b/proof/refine/X64/CSpace1_R.thy @@ -938,7 +938,7 @@ lemma cteInsert_weak_cte_wp_at: \\uu. cte_wp_at'(\c. P (cteCap c)) p\" unfolding cteInsert_def error_def updateCap_def setUntypedCapAsFull_def apply (simp add: bind_assoc split del: if_split) - apply (wp setCTE_weak_cte_wp_at updateMDB_weak_cte_wp_at static_imp_wp | simp)+ + apply (wp setCTE_weak_cte_wp_at updateMDB_weak_cte_wp_at hoare_weak_lift_imp | simp)+ apply (wp getCTE_ctes_wp)+ apply (clarsimp simp: isCap_simps split:if_split_asm| rule conjI)+ done diff --git a/proof/refine/X64/Detype_R.thy b/proof/refine/X64/Detype_R.thy index 5e397be610..fd4f2c0b28 100644 --- a/proof/refine/X64/Detype_R.thy +++ b/proof/refine/X64/Detype_R.thy @@ -2002,13 +2002,13 @@ lemma cte_wp_at_top: apply (simp add:alignCheck_def bind_def alignError_def fail_def return_def objBits_simps magnitudeCheck_def in_monad is_aligned_mask - when_def split:option.splits) + when_def unless_def split:option.splits) apply (intro conjI impI allI,simp_all add:not_le) apply (clarsimp simp:cte_check_def) apply (simp add:alignCheck_def bind_def alignError_def fail_def return_def objBits_simps magnitudeCheck_def in_monad is_aligned_mask - when_def split:option.splits) + when_def unless_def split:option.splits) apply (intro conjI impI allI,simp_all add:not_le) apply (simp add:typeError_def fail_def cte_check_def split:Structures_H.kernel_object.splits)+ 
diff --git a/proof/refine/X64/Finalise_R.thy b/proof/refine/X64/Finalise_R.thy index 55b5d053ea..12db176ef9 100644 --- a/proof/refine/X64/Finalise_R.thy +++ b/proof/refine/X64/Finalise_R.thy @@ -1707,7 +1707,7 @@ lemma emptySlot_corres: defer apply wpsimp+ apply (rule corres_no_failI) - apply (rule no_fail_pre, wp static_imp_wp) + apply (rule no_fail_pre, wp hoare_weak_lift_imp) apply (clarsimp simp: cte_wp_at_ctes_of valid_pspace'_def) apply (clarsimp simp: valid_mdb'_def valid_mdb_ctes_def) apply (rule conjI, clarsimp) @@ -3434,7 +3434,7 @@ lemma cteDeleteOne_invs[wp]: subgoal by auto subgoal by (auto dest!: isCapDs simp: pred_tcb_at'_def obj_at'_def projectKOs ko_wp_at'_def) - apply (wp isFinalCapability_inv getCTE_wp' static_imp_wp + apply (wp isFinalCapability_inv getCTE_wp' hoare_weak_lift_imp | wp (once) isFinal[where x=ptr])+ apply (fastforce simp: cte_wp_at_ctes_of) done diff --git a/proof/refine/X64/Interrupt_R.thy b/proof/refine/X64/Interrupt_R.thy index d10b498e03..843dd43c89 100644 --- a/proof/refine/X64/Interrupt_R.thy +++ b/proof/refine/X64/Interrupt_R.thy @@ -743,7 +743,7 @@ lemma timerTick_corres: apply (simp add:decDomainTime_def) apply wp apply (wp|wpc|unfold Let_def|simp)+ - apply (wp static_imp_wp threadSet_timeslice_invs threadSet_valid_queues threadSet_valid_queues' + apply (wp hoare_weak_lift_imp threadSet_timeslice_invs threadSet_valid_queues threadSet_valid_queues' threadSet_pred_tcb_at_state threadSet_weak_sch_act_wf tcbSchedAppend_valid_objs' rescheduleRequired_weak_sch_act_wf tcbSchedAppend_valid_queues| simp)+ apply (strengthen sch_act_wf_weak) diff --git a/proof/refine/X64/Ipc_R.thy b/proof/refine/X64/Ipc_R.thy index a2eac7b8cd..4c31d2ec32 100644 --- a/proof/refine/X64/Ipc_R.thy +++ b/proof/refine/X64/Ipc_R.thy 
@@ -320,7 +320,7 @@ lemma cteInsert_cte_wp_at: cteInsert cap src dest \\uu. cte_wp_at' (\c. P (cteCap c)) p\" apply (simp add: cteInsert_def) - apply (wp updateMDB_weak_cte_wp_at updateCap_cte_wp_at_cases getCTE_wp static_imp_wp + apply (wp updateMDB_weak_cte_wp_at updateCap_cte_wp_at_cases getCTE_wp hoare_weak_lift_imp | clarsimp simp: comp_def | unfold setUntypedCapAsFull_def)+ apply (drule cte_at_cte_wp_atD) @@ -364,7 +364,7 @@ lemma cteInsert_weak_cte_wp_at3: else cte_wp_at' (\c. P (cteCap c)) p s\ cteInsert cap src dest \\uu. cte_wp_at' (\c. P (cteCap c)) p\" - by (wp updateMDB_weak_cte_wp_at updateCap_cte_wp_at_cases getCTE_wp' static_imp_wp + by (wp updateMDB_weak_cte_wp_at updateCap_cte_wp_at_cases getCTE_wp' hoare_weak_lift_imp | clarsimp simp: comp_def cteInsert_def | unfold setUntypedCapAsFull_def | auto simp: cte_wp_at'_def dest!: imp)+ @@ -584,7 +584,7 @@ lemma cteInsert_cte_cap_to': apply (rule hoare_use_eq_irq_node' [OF cteInsert_ksInterruptState]) apply (clarsimp simp:cteInsert_def) apply (wp hoare_vcg_ex_lift updateMDB_weak_cte_wp_at updateCap_cte_wp_at_cases - setUntypedCapAsFull_cte_wp_at getCTE_wp static_imp_wp) + setUntypedCapAsFull_cte_wp_at getCTE_wp hoare_weak_lift_imp) apply (clarsimp simp:cte_wp_at_ctes_of) apply (rule_tac x = "cref" in exI) apply (rule conjI) @@ -627,7 +627,7 @@ lemma cteInsert_weak_cte_wp_at2: apply (rule hoare_use_eq_irq_node' [OF cteInsert_ksInterruptState]) apply (clarsimp simp:cteInsert_def) apply (wp hoare_vcg_ex_lift updateMDB_weak_cte_wp_at updateCap_cte_wp_at_cases - setUntypedCapAsFull_cte_wp_at getCTE_wp static_imp_wp) + setUntypedCapAsFull_cte_wp_at getCTE_wp hoare_weak_lift_imp) apply (clarsimp simp:cte_wp_at_ctes_of weak) apply auto done 
@@ -660,11 +660,11 @@ lemma transferCapsToSlots_presM: apply (wp eb hoare_vcg_const_Ball_lift hoare_vcg_const_imp_lift | assumption | wpc)+ apply (rule cteInsert_assume_Null) - apply (wp x hoare_vcg_const_Ball_lift cteInsert_cte_cap_to' static_imp_wp) + apply (wp x hoare_vcg_const_Ball_lift cteInsert_cte_cap_to' hoare_weak_lift_imp) apply (rule cteInsert_weak_cte_wp_at2,clarsimp) - apply (wp hoare_vcg_const_Ball_lift static_imp_wp)+ + apply (wp hoare_vcg_const_Ball_lift hoare_weak_lift_imp)+ apply (rule cteInsert_weak_cte_wp_at2,clarsimp) - apply (wp hoare_vcg_const_Ball_lift cteInsert_cte_wp_at static_imp_wp + apply (wp hoare_vcg_const_Ball_lift cteInsert_cte_wp_at hoare_weak_lift_imp deriveCap_derived_foo)+ apply (thin_tac "\slots. PROP P slots" for P) apply (clarsimp simp: cte_wp_at_ctes_of remove_rights_def @@ -1069,7 +1069,7 @@ lemma transferCaps_corres: apply (rule corres_rel_imp, rule transferCapsToSlots_corres, simp_all add: split_def)[1] apply (case_tac info, simp) - apply (wp hoare_vcg_all_lift get_rs_cte_at static_imp_wp + apply (wp hoare_vcg_all_lift get_rs_cte_at hoare_weak_lift_imp | simp only: ball_conj_distrib)+ apply (simp add: cte_map_def tcb_cnode_index_def split_def) apply (clarsimp simp: valid_pspace'_def valid_ipc_buffer_ptr'_def2 @@ -1502,7 +1502,7 @@ lemma doNormalTransfer_corres: hoare_valid_ipc_buffer_ptr_typ_at' copyMRs_typ_at' hoare_vcg_const_Ball_lift lookupExtraCaps_length | simp add: if_apply_def2)+) - apply (wp static_imp_wp | strengthen valid_msg_length_strengthen)+ + apply (wp hoare_weak_lift_imp | strengthen valid_msg_length_strengthen)+ apply clarsimp apply auto done 
@@ -2244,7 +2244,7 @@ lemma doReplyTransfer_corres:
 apply simp
 apply (fold dc_def, rule possibleSwitchTo_corres)
 apply simp
- apply (wp static_imp_wp static_imp_conj_wp set_thread_state_runnable_weak_valid_sched_action sts_st_tcb_at'
+ apply (wp hoare_weak_lift_imp hoare_weak_lift_imp_conj set_thread_state_runnable_weak_valid_sched_action sts_st_tcb_at'
 sts_st_tcb' sts_valid_queues | simp | force simp: valid_sched_def valid_sched_action_def valid_tcb_state'_def)+
 apply (rule corres_guard_imp)
 apply (rule setThreadState_corres)
@@ -2344,15 +2344,15 @@ lemma setupCallerCap_corres:
 tcb_cnode_index_def cte_level_bits_def)
 apply (simp add: cte_map_def tcbCallerSlot_def tcb_cnode_index_def cte_level_bits_def)
- apply (rule_tac Q="\rv. cte_at' (receiver + 2 ^ cte_level_bits * tcbCallerSlot)"
- in valid_prove_more)
+ apply (rule_tac R="\rv. cte_at' (receiver + 2 ^ cte_level_bits * tcbCallerSlot)"
+ in hoare_post_add)
 apply (wp, (wp getSlotCap_wp)+)
 apply blast
 apply (rule no_fail_pre, wp)
 apply (clarsimp simp: cte_wp_at'_def cte_at'_def)
- apply (rule_tac Q="\rv. cte_at' (sender + 2 ^ cte_level_bits * tcbReplySlot)"
- in valid_prove_more)
+ apply (rule_tac R="\rv. cte_at' (sender + 2 ^ cte_level_bits * tcbReplySlot)"
+ in hoare_post_add)
 apply (wp, (wp getCTE_wp')+)
 apply blast
 apply (rule no_fail_pre, wp)
@@ -2409,7 +2409,7 @@ lemma possibleSwitchTo_weak_sch_act_wf[wp]:
 bitmap_fun_defs)
 apply (wp rescheduleRequired_weak_sch_act_wf weak_sch_act_wf_lift_linear[where f="tcbSchedEnqueue t"]
- getObject_tcb_wp static_imp_wp
+ getObject_tcb_wp hoare_weak_lift_imp
 | wpc)+
 apply (clarsimp simp: obj_at'_def projectKOs weak_sch_act_wf_def ps_clear_def tcb_in_cur_domain'_def)
 done
@@ -2777,7 +2777,7 @@ lemma possibleSwitchTo_sch_act[wp]:
 possibleSwitchTo t \\rv s. sch_act_wf (ksSchedulerAction s) s\"
 apply (simp add: possibleSwitchTo_def curDomain_def bitmap_fun_defs)
- apply (wp static_imp_wp threadSet_sch_act setQueue_sch_act threadGet_wp
+ apply (wp hoare_weak_lift_imp threadSet_sch_act setQueue_sch_act threadGet_wp
 | simp add: unless_def | wpc)+
 apply (auto simp: obj_at'_def projectKOs tcb_in_cur_domain'_def)
 done
@@ -2798,7 +2798,7 @@ lemma possibleSwitchTo_ksQ':
 possibleSwitchTo t \\_ s. t' \ set (ksReadyQueues s p)\"
 apply (simp add: possibleSwitchTo_def curDomain_def bitmap_fun_defs)
- apply (wp static_imp_wp rescheduleRequired_ksQ' tcbSchedEnqueue_ksQ threadGet_wp
+ apply (wp hoare_weak_lift_imp rescheduleRequired_ksQ' tcbSchedEnqueue_ksQ threadGet_wp
 | wpc | simp split del: if_split)+
 apply (auto simp: obj_at'_def)
@@ -2810,7 +2810,7 @@ lemma possibleSwitchTo_valid_queues'[wp]:
 possibleSwitchTo t \\rv. valid_queues'\"
 apply (simp add: possibleSwitchTo_def curDomain_def bitmap_fun_defs)
- apply (wp static_imp_wp threadGet_wp | wpc | simp)+
+ apply (wp hoare_weak_lift_imp threadGet_wp | wpc | simp)+
 apply (auto simp: obj_at'_def)
 done
@@ -3771,7 +3771,7 @@ lemma completeSignal_invs:
 \ ((\y. ntfnBoundTCB ntfn = Some y) \ ex_nonz_cap_to' ntfnptr s) \ ntfnptr \ ksIdleThread s" in hoare_strengthen_post)
- apply ((wp hoare_vcg_ex_lift static_imp_wp | wpc | simp add: valid_ntfn'_def)+)[1]
+ apply ((wp hoare_vcg_ex_lift hoare_weak_lift_imp | wpc | simp add: valid_ntfn'_def)+)[1]
 apply (clarsimp simp: obj_at'_def state_refs_of'_def typ_at'_def ko_wp_at'_def projectKOs split: option.splits)
 apply (blast dest: ntfn_q_refs_no_bound_refs')
 apply wp
@@ -3990,7 +3990,7 @@ lemma rai_invs'[wp]:
 \ \ep = ActiveNtfn\
 apply (simp add: invs'_def valid_state'_def)
 apply (rule hoare_pre)
- apply (wp valid_irq_node_lift sts_valid_objs' typ_at_lifts static_imp_wp
+ apply (wp valid_irq_node_lift sts_valid_objs' typ_at_lifts hoare_weak_lift_imp
 asUser_urz | simp add: valid_ntfn'_def)+
 apply (clarsimp simp: pred_tcb_at' valid_pspace'_def)
@@ -4455,7 +4455,7 @@ lemma sendSignal_st_tcb'_Running:
 sendSignal ntfnptr bdg \\_. st_tcb_at' (\st. st = Running \ P st) t\"
 apply (simp add: sendSignal_def)
- apply (wp sts_st_tcb_at'_cases cancelIPC_st_tcb_at' gts_wp' getNotification_wp static_imp_wp
+ apply (wp sts_st_tcb_at'_cases cancelIPC_st_tcb_at' gts_wp' getNotification_wp hoare_weak_lift_imp
 | wpc | clarsimp simp: pred_tcb_at')+
 done
diff --git a/proof/refine/X64/Refine.thy b/proof/refine/X64/Refine.thy
index b80b9b6ea8..ddce64cc1c 100644
--- a/proof/refine/X64/Refine.thy
+++ b/proof/refine/X64/Refine.thy
@@ -280,7 +280,7 @@ lemma kernel_entry_invs:
 thread_set_ct_running thread_set_not_state_valid_sched hoare_vcg_disj_lift ct_in_state_thread_state_lift thread_set_no_change_tcb_state call_kernel_domain_time_inv_det_ext call_kernel_domain_list_inv_det_ext
- static_imp_wp
+ hoare_weak_lift_imp
 | clarsimp simp add: tcb_cap_cases_def active_from_running)+
 done
@@ -420,7 +420,7 @@ lemma kernelEntry_invs':
 apply (simp add: kernelEntry_def)
 apply (wp ckernel_invs callKernel_domain_time_left threadSet_invs_trivial threadSet_ct_running'
- TcbAcc_R.dmo_invs' static_imp_wp
+ TcbAcc_R.dmo_invs' hoare_weak_lift_imp
 doMachineOp_sch_act_simple callKernel_domain_time_left | clarsimp simp: user_memory_update_def no_irq_def tcb_at_invs'
@@ -632,7 +632,7 @@ lemma entry_corres:
 apply (rule hoare_strengthen_post, rule ckernel_invs, simp add: invs'_def cur_tcb'_def)
 apply (wp thread_set_invs_trivial thread_set_ct_running threadSet_invs_trivial threadSet_ct_running'
- thread_set_not_state_valid_sched static_imp_wp
+ thread_set_not_state_valid_sched hoare_weak_lift_imp
 hoare_vcg_disj_lift ct_in_state_thread_state_lift | simp add: tcb_cap_cases_def ct_in_state'_def thread_set_no_change_tcb_state | (wps, wp threadSet_st_tcb_at2) )+
diff --git a/proof/refine/X64/Retype_R.thy b/proof/refine/X64/Retype_R.thy
index 1e1ee2dc65..83f9357b2e 100644
--- a/proof/refine/X64/Retype_R.thy
+++ b/proof/refine/X64/Retype_R.thy
@@ -2603,7 +2603,6 @@ lemma update_gs_ksMachineState_update_swap:
 declare hoare_in_monad_post[wp del]
 declare univ_get_wp[wp del]
-declare result_in_set_wp[wp del]
 crunch valid_arch_state'[wp]: copyGlobalMappings "valid_arch_state'" (wp: crunch_wps)
@@ -4555,7 +4554,7 @@ proof -
 apply (simp add: ct_idle_or_in_cur_domain'_def tcb_in_cur_domain'_def)
 apply (rule hoare_pre)
 apply (wps a b c d)
- apply (wp static_imp_wp e' hoare_vcg_disj_lift)
+ apply (wp hoare_weak_lift_imp e' hoare_vcg_disj_lift)
 apply (auto simp: obj_at'_def ct_in_state'_def projectKOs st_tcb_at'_def)
 done
 qed
diff --git a/proof/refine/X64/Schedule_R.thy b/proof/refine/X64/Schedule_R.thy
index b1eb3a6820..c1827abcf3 100644
--- a/proof/refine/X64/Schedule_R.thy
+++ b/proof/refine/X64/Schedule_R.thy
@@ -10,7 +10,7 @@ begin
 context begin interpretation Arch . (*FIXME: arch_split*)
-declare static_imp_wp[wp_split del]
+declare hoare_weak_lift_imp[wp_split del]
 (* Levity: added (20090713 10:04:12) *)
 declare sts_rel_idle [simp]
@@ -448,7 +448,7 @@ lemma ct_idle_or_in_cur_domain'_lift2:
 apply (rule hoare_lift_Pf2[where f=ksCurThread])
 apply (rule hoare_lift_Pf2[where f=ksSchedulerAction])
 including no_pre
- apply (wp static_imp_wp hoare_vcg_disj_lift)
+ apply (wp hoare_weak_lift_imp hoare_vcg_disj_lift)
 apply simp+
 done
@@ -1360,7 +1360,7 @@ lemma switchToIdleThread_invs_no_cicd':
 crunch obj_at'[wp]: "Arch.switchToIdleThread" "\s. obj_at' P t s"
-declare static_imp_conj_wp[wp_split del]
+declare hoare_weak_lift_imp_conj[wp_split del]
 lemma setCurThread_const: "\\_. P t \ setCurThread t \\_ s. P (ksCurThread s) \"
diff --git a/proof/refine/X64/Syscall_R.thy b/proof/refine/X64/Syscall_R.thy
index bd12f45043..78aaf0ddcc 100644
--- a/proof/refine/X64/Syscall_R.thy
+++ b/proof/refine/X64/Syscall_R.thy
@@ -337,7 +337,7 @@ lemma threadSet_tcbDomain_update_sch_act_wf[wp]:
 apply (simp add: threadSet_def)
 apply wp
 apply (wps setObject_sa_unchanged)
- apply (wp static_imp_wp getObject_tcb_wp hoare_vcg_all_lift)+
+ apply (wp hoare_weak_lift_imp getObject_tcb_wp hoare_vcg_all_lift)+
 apply (rename_tac word)
 apply (rule_tac Q="\_ s. ksSchedulerAction s = SwitchToThread word \ st_tcb_at' runnable' word s \ tcb_in_cur_domain' word s \ word \ t"
@@ -688,7 +688,7 @@ proof -
 apply (rule hoare_weaken_pre [OF cteInsert_weak_cte_wp_at3])
 apply (rule PUC,simp)
 apply (clarsimp simp: cte_wp_at_ctes_of)
- apply (wp hoare_vcg_all_lift static_imp_wp | simp add:ball_conj_distrib)+
+ apply (wp hoare_vcg_all_lift hoare_weak_lift_imp | simp add:ball_conj_distrib)+
 done
 qed
@@ -807,7 +807,7 @@ lemma doReply_invs[wp]:
 apply assumption
 apply (erule cte_wp_at_weakenE')
 apply (fastforce)
- apply (wp sts_invs_minor'' sts_st_tcb' static_imp_wp)
+ apply (wp sts_invs_minor'' sts_st_tcb' hoare_weak_lift_imp)
 apply (rule_tac Q="\rv s. invs' s \ sch_act_simple s \ st_tcb_at' awaiting_reply' t s \ t \ ksIdleThread s"
@@ -825,7 +825,7 @@ lemma doReply_invs[wp]:
 apply (erule_tac P="\st. awaiting_reply' st \ activatable' st" in pred_tcb'_weakenE)
 apply (case_tac st, clarsimp+)
- apply (wp threadSet_invs_trivial threadSet_st_tcb_at2 static_imp_wp
+ apply (wp threadSet_invs_trivial threadSet_st_tcb_at2 hoare_weak_lift_imp
 | clarsimp simp add: inQ_def)+
 apply (rule_tac Q="\_. invs' and tcb_at' t and sch_act_simple and st_tcb_at' awaiting_reply' t"
@@ -982,7 +982,7 @@ lemma setDomain_invs':
 (\y. domain \ maxDomain))\ setDomain ptr domain \\y. invs'\"
 apply (simp add:setDomain_def )
- apply (wp add: when_wp static_imp_wp static_imp_conj_wp rescheduleRequired_all_invs_but_extra
+ apply (wp add: when_wp hoare_weak_lift_imp hoare_weak_lift_imp_conj rescheduleRequired_all_invs_but_extra
 tcbSchedEnqueue_valid_action hoare_vcg_if_lift2)
 apply (rule_tac Q = "\r s. all_invs_but_sch_extra s \ curThread = ksCurThread s \ (ptr \ curThread \ ct_not_inQ s \ sch_act_wf (ksSchedulerAction s) s \ ct_idle_or_in_cur_domain' s)"
@@ -996,7 +996,7 @@ lemma setDomain_invs':
 prefer 2
 apply clarsimp
 apply assumption
- apply (wp static_imp_wp threadSet_pred_tcb_no_state threadSet_not_curthread_ct_domain
+ apply (wp hoare_weak_lift_imp threadSet_pred_tcb_no_state threadSet_not_curthread_ct_domain
 threadSet_tcbDomain_update_ct_not_inQ | simp)+
 apply (rule_tac Q = "\r s. invs' s \ curThread = ksCurThread s \ sch_act_simple s \ domain \ maxDomain
@@ -1311,7 +1311,7 @@ lemma hinv_invs'[wp]:
 apply (simp add: handleInvocation_def split_def ts_Restart_case_helper')
 apply (wp syscall_valid' setThreadState_nonqueued_state_update rfk_invs'
- hoare_vcg_all_lift static_imp_wp)
+ hoare_vcg_all_lift hoare_weak_lift_imp)
 apply simp
 apply (intro conjI impI)
 apply (wp gts_imp' | simp)+
diff --git a/proof/refine/X64/TcbAcc_R.thy b/proof/refine/X64/TcbAcc_R.thy
index e62bed56bb..a1e2648535 100644
--- a/proof/refine/X64/TcbAcc_R.thy
+++ b/proof/refine/X64/TcbAcc_R.thy
@@ -11,7 +11,6 @@ begin
 context begin interpretation Arch . (*FIXME: arch_split*)
 declare if_weak_cong [cong]
-declare result_in_set_wp[wp]
 declare hoare_in_monad_post[wp]
 declare trans_state_update'[symmetric,simp]
 declare storeWordUser_typ_at' [wp]
@@ -2352,9 +2351,9 @@ lemma threadSet_queued_sch_act_wf[wp]:
 split: scheduler_action.split)
 apply (wp hoare_vcg_conj_lift)
 apply (simp add: threadSet_def)
- apply (wp static_imp_wp)
+ apply (wp hoare_weak_lift_imp)
 apply (wps setObject_sa_unchanged)
- apply (wp static_imp_wp getObject_tcb_wp)+
+ apply (wp hoare_weak_lift_imp getObject_tcb_wp)+
 apply (clarsimp simp: obj_at'_def)
 apply (wp hoare_vcg_all_lift hoare_vcg_conj_lift hoare_convert_imp)+
 apply (simp add: threadSet_def)
@@ -4111,7 +4110,7 @@ lemma possibleSwitchTo_ct_not_inQ:
 possibleSwitchTo t \\_. ct_not_inQ\" (is "\?PRE\ _ \_\")
 apply (simp add: possibleSwitchTo_def curDomain_def)
- apply (wpsimp wp: static_imp_wp rescheduleRequired_ct_not_inQ tcbSchedEnqueue_ct_not_inQ
+ apply (wpsimp wp: hoare_weak_lift_imp rescheduleRequired_ct_not_inQ tcbSchedEnqueue_ct_not_inQ
 threadGet_wp | (rule hoare_post_imp[OF _ rescheduleRequired_sa_cnt], fastforce))+
 apply (fastforce simp: obj_at'_def)
@@ -4130,7 +4129,7 @@ lemma threadSet_tcbState_update_ct_not_inQ[wp]:
 apply (clarsimp)
 apply (rule hoare_conjI)
 apply (rule hoare_weaken_pre)
- apply (wps, wp static_imp_wp)
+ apply (wps, wp hoare_weak_lift_imp)
 apply (wp OMG_getObject_tcb)+
 apply (clarsimp simp: comp_def)
 apply (wp hoare_drop_imp)
@@ -4150,7 +4149,7 @@ lemma threadSet_tcbBoundNotification_update_ct_not_inQ[wp]:
 apply (rule hoare_conjI)
 apply (rule hoare_weaken_pre)
 apply wps
- apply (wp static_imp_wp)
+ apply (wp hoare_weak_lift_imp)
 apply (wp OMG_getObject_tcb)
 apply (clarsimp simp: comp_def)
 apply (wp hoare_drop_imp)
diff --git a/proof/refine/X64/Tcb_R.thy b/proof/refine/X64/Tcb_R.thy
index 1c783b16cf..5d33d79026 100644
--- a/proof/refine/X64/Tcb_R.thy
+++ b/proof/refine/X64/Tcb_R.thy
@@ -353,7 +353,7 @@ lemma invokeTCB_WriteRegisters_corres:
 apply (rule_tac P=\ and P'=\ in corres_inst)
 apply simp
 apply (wp+)[2]
- apply ((wp static_imp_wp restart_invs'
+ apply ((wp hoare_weak_lift_imp restart_invs'
 | strengthen valid_sched_weak_strg einvs_valid_etcbs invs_valid_queues' invs_queues invs_weak_sch_act_wf | clarsimp simp: invs_def valid_state_def valid_sched_def invs'_def valid_state'_def
@@ -452,7 +452,7 @@ proof -
 apply (simp add: frame_registers_def frameRegisters_def)
 apply (simp add: getRestartPC_def setNextPC_def dc_def[symmetric])
 apply (rule Q[OF refl refl])
- apply (wpsimp wp: mapM_x_wp' static_imp_wp)+
+ apply (wpsimp wp: mapM_x_wp' hoare_weak_lift_imp)+
 apply (rule corres_split_nor)
 apply (rule corres_when[OF refl])
 apply (rule R[OF refl refl])
@@ -462,15 +462,15 @@ proof -
 apply (rule corres_split[OF corres_when[OF refl rescheduleRequired_corres]])
 apply (rule_tac P=\ and P'=\ in corres_inst)
 apply simp
- apply ((solves \wp static_imp_wp\)+)
+ apply ((solves \wp hoare_weak_lift_imp\)+)
 apply (rule_tac Q="\_. einvs and tcb_at dest" in hoare_post_imp)
 apply (clarsimp simp: invs_def valid_sched_weak_strg valid_sched_def)
 prefer 2
 apply (rule_tac Q="\_. invs' and tcb_at' dest" in hoare_post_imp)
 apply (clarsimp simp: invs'_def valid_state'_def invs_weak_sch_act_wf cur_tcb'_def)
- apply (wp mapM_x_wp' static_imp_wp | simp)+
- apply ((wp static_imp_wp restart_invs' | wpc | clarsimp simp: if_apply_def2)+)[2]
- apply (wp suspend_nonz_cap_to_tcb static_imp_wp | simp add: if_apply_def2)+
+ apply (wp mapM_x_wp' hoare_weak_lift_imp | simp)+
+ apply ((wp hoare_weak_lift_imp restart_invs' | wpc | clarsimp simp: if_apply_def2)+)[2]
+ apply (wp suspend_nonz_cap_to_tcb hoare_weak_lift_imp | simp add: if_apply_def2)+
 apply (fastforce simp: invs_def valid_state_def valid_pspace_def dest!: idle_no_ex_cap)
 apply (fastforce simp: invs'_def valid_state'_def dest!: global'_no_ex_cap)
@@ -640,7 +640,7 @@ lemma sp_corres2:
 apply (rule rescheduleRequired_corres)
 apply (rule possibleSwitchTo_corres)
 apply ((clarsimp
- | wp static_imp_wp hoare_vcg_if_lift hoare_wp_combs gts_wp
+ | wp hoare_weak_lift_imp hoare_vcg_if_lift hoare_wp_combs gts_wp
 isRunnable_wp)+)[4]
 apply (wp hoare_vcg_imp_lift' hoare_vcg_if_lift hoare_vcg_all_lift)
 apply clarsimp
@@ -1635,30 +1635,30 @@ lemma tc_invs':
 apply (simp only: eq_commute[where a="a"])
 apply (rule hoare_walk_assmsE)
 apply (clarsimp simp: pred_conj_def option.splits [where P="\x. x s" for s])
- apply ((wp case_option_wp threadSet_invs_trivial static_imp_wp
+ apply ((wp case_option_wp threadSet_invs_trivial hoare_weak_lift_imp
 hoare_vcg_all_lift threadSet_cap_to' | clarsimp simp: inQ_def)+)[2]
 apply (rule hoare_walk_assmsE)
 apply (clarsimp simp: pred_conj_def option.splits [where P="\x. x s" for s])
- apply ((wp case_option_wp threadSet_invs_trivial static_imp_wp setMCPriority_invs'
+ apply ((wp case_option_wp threadSet_invs_trivial hoare_weak_lift_imp setMCPriority_invs'
 typ_at_lifts[OF setMCPriority_typ_at'] hoare_vcg_all_lift threadSet_cap_to' | clarsimp simp: inQ_def)+)[2]
- apply (wp add: setP_invs' static_imp_wp hoare_vcg_all_lift)+
+ apply (wp add: setP_invs' hoare_weak_lift_imp hoare_vcg_all_lift)+
 apply (rule case_option_wp_None_return[OF setP_invs'[simplified pred_conj_assoc]])
 apply clarsimp
 apply wpfix
 apply assumption
 apply (rule case_option_wp_None_returnOk)
- apply (wpsimp wp: static_imp_wp hoare_vcg_all_lift
+ apply (wpsimp wp: hoare_weak_lift_imp hoare_vcg_all_lift
 checkCap_inv[where P="tcb_at' t" for t] assertDerived_wp_weak threadSet_invs_trivial2 threadSet_tcb' hoare_vcg_all_lift threadSet_cte_wp_at')+
- apply (wpsimp wp: static_imp_wpE cteDelete_deletes
+ apply (wpsimp wp: hoare_weak_lift_imp_R cteDelete_deletes
 hoare_vcg_all_lift_R hoare_vcg_conj_liftE1 hoare_vcg_const_imp_lift_R hoare_vcg_propE_R cteDelete_invs' cteDelete_invs' cteDelete_typ_at'_lifts)+
 apply (assumption | clarsimp cong: conj_cong imp_cong | (rule case_option_wp_None_returnOk)
- | wpsimp wp: static_imp_wp hoare_vcg_all_lift checkCap_inv[where P="tcb_at' t" for t] assertDerived_wp_weak
+ | wpsimp wp: hoare_weak_lift_imp hoare_vcg_all_lift checkCap_inv[where P="tcb_at' t" for t] assertDerived_wp_weak
 hoare_vcg_imp_lift' hoare_vcg_all_lift checkCap_inv[where P="tcb_at' t" for t]
checkCap_inv[where P="valid_cap' c" for c] checkCap_inv[where P=sch_act_simple]
- hoare_vcg_const_imp_lift_R assertDerived_wp_weak static_imp_wpE cteDelete_deletes
+ hoare_vcg_const_imp_lift_R assertDerived_wp_weak hoare_weak_lift_imp_R cteDelete_deletes
 hoare_vcg_all_lift_R hoare_vcg_conj_liftE1 hoare_vcg_const_imp_lift_R hoare_vcg_propE_R cteDelete_invs' cteDelete_typ_at'_lifts cteDelete_sch_act_simple)+
 apply (clarsimp simp: tcb_cte_cases_def cte_level_bits_def objBits_defs tcbIPCBufferSlot_def)
@@ -2705,7 +2705,7 @@ lemma restart_makes_simple':
 \\rv. st_tcb_at' simple' t\"
 apply (simp add: restart_def)
 apply (wp sts_st_tcb_at'_cases cancelIPC_simple
- cancelIPC_st_tcb_at static_imp_wp | simp)+
+ cancelIPC_st_tcb_at hoare_weak_lift_imp | simp)+
 apply (rule hoare_strengthen_post [OF isStopped_inv])
 prefer 2
 apply assumption