Isabelle2018: new "op x" syntax; now is "(x)"

(result of "isabelle update_op -m <dir>")

Isabelle2018: new comment syntax

(result of "isabelle update_comments <dirs>")

Proof update for crunch changes

ARM bisim: proof update for user_context refactor

Genericise deletion actions that occur after empty_slot

This patch adds a generic "post_cap_deletion" step that is called by
finalise_slot. Previous to this, the only caps which had actions
required at this stage were IRQHandlerCaps -- it was required that the
IRQ bitmap be updated after the cap itself was removed (as the
invariants state that for any existing IRQHandlerCap, the corresponding
bit in the IRQ bitmap must be set).

By genericising this, we add the capacity for new, arch-specific post
cap deletion actions to occur in the future.

arm: update for simple_ko getter/setter

Removes all trailing whitespaces

wp: update the proofs for the new wp/wpc/wpsimp

Bisim / Access / InfoFlow: updates for Hypervisor stub

wp_cleanup: update proofs for new wp behaviour

The things that usually go wrong:
- wp fall through: add +, e.g.
apply (wp select_wp) -> apply (wp select_wp)+

- precondition: you can remove most hoare_pre, but wpc still needs it, and
sometimes the wp instance relies on being able to fit a rule to the
current non-schematic precondition. In that case, use "including no_pre"
to switch off the automatic hoare_pre application.

- very rarely there is a schematic postcondition that interferes with the
new trivial cleanup rules, because the rest of the script assumes some
specific state afterwards (shouldn't happen in a reasonable proof, but
not all proofs are reasonable..). In that case, (wp_once ...)+ should
emulate the old behaviour precisely.

Isabelle2016-1: fix some proofs broken by abs_def normalisation

Unfolding now automatically converts definitional rules to abs_def
normal form before rewriting.

Isabelle2016-1: update references to renamed constants and facts

trivial: remove some redundant uses of split_if rule

Updating remaining proofs for tcb_arch reserved_irq and arch_fault changes

* tcb_context rephrasing to (tcb_context o tcb_arch) and respectively
for set operations

* unfolding of reserved_irq for trivially solving most lemmas

* Changes to the inductive definition of integrity_obj to account for
tcb_arch and tcb_context new location

* Changes to the tcb examples in ExampleSystem to include tcb_arch

* Rephrasing of domain_sep_inv to accommodate the ReservedIRQ case

* Mostly rephrasing of tcb_context to (some form of) (tcb_context o tcb_arch)

* Trivial unfolding of handle_reserved_irq for hoare rules

* Examples in Example_Valid_State.thy were updated

* Nothing remarkable, mostly rephrasing of tcb_context and ReservedIRQ
handling

* Fun fact, some proofs are now shorter

tags: [VER-623][SELFOUR-413]

arch_split: requalify abstract theories

arch_split: Bisim checking

l4v-sabre: proof fix upto InfoFlowC

Wait -> Recv: update proofs

add arch_tcb object to C, rename aep -> ntfn

poll: Added new syscall for polling async endpoints (non-blocking wait)

aep-binding: finish Bisim

with help from Dan

aep-binding: attempted progress on Bisim, 1 sorry remains

assumptions include aep_obj aep = IdleAEP and aep_bound_tcb aep = Some
x, which I guess is probably a contradiction, but I don't know how to
prove that.

SELFOUR-220: When calling handleWait, only delete the
TCB's ReplyCap when actually waiting on a synchronous
endpoint.

fewer warnings

Isabelle2015 update: Bisim

remove even arch calls from separation kernel setup

(patch by Simon Winwood)

bisim: Isabelle 2014 changes.

github import of static cap config proofs