Isabelle2018: new "op x" syntax; now is "(x)"

(result of "isabelle update_op -m <dir>")

globally use session-qualified imports; add Lib session

Session-qualified imports will be required for Isabelle2018 and help clarify
the structure of sessions in the build tree.

This commit mainly adds a new set of sessions for lib/, including a Lib
session that includes most theories in lib/ and a few separate sessions for
parts that have dependencies beyond CParser or are separate AFP sessions.
The group "lib" collects all lib/ sessions.

As a consequence, other theories should use lib/ theories by session name,
not by path, which in turns means spec and proof sessions should also refer
to each other by session name, not path, to avoid duplicate theory errors in
theory merges later.

arm-hyp: update proofs for SELFOUR-584: running multiple VMs on ARM

As requested by verification, hypervisor registers are now an
enumeration-indexed array rather than individual fields. This cleans up
some of the proof. Additionally, we sweep some non-complexity under the
machine op rug: vcpu_hw_write/read_reg_ccorres is as deep as we go,
rather than specifying every operation and proving that
vcpu_hw_write seL4_VCPUReg_REG calls set_REG for every REG

I took this opportunity to clean up some arm-hyp definitions and proofs,
so some whitespace cleanup got tangled in.

Genericise deletion actions that occur after empty_slot

This patch adds a generic "post_cap_deletion" step that is called by
finalise_slot. Previous to this, the only caps which had actions
required at this stage were IRQHandlerCaps -- it was required that the
IRQ bitmap be updated after the cap itself was removed (as the
invariants state that for any existing IRQHandlerCap, the corresponding
bit in the IRQ bitmap must be set).

By genericising this, we add the capacity for new, arch-specific post
cap deletion actions to occur in the future.

arm-hyp: revise scheduler / fastpath / scheduler bitmaps (SELFOUR-242)

Apply "invert-fastpath" changes to arm-hyp (ainvs, refine, crefine).
See main commit for arm for more context.

update object and field widths for x64, and remove some magic numbers

In X64 update the following to match the C kernel:
- TCB size-bits (11).
- Endpoint size-bits (4).
- Guard bits (58).
- Message registers.

For all architectures, replace magic numbers with defined constants in
specifications, and as far as possible in proofs:
- tcb_bits in abstract spec.
- tcbBlockSizeBits, cteSizeBits, ntfnSizeBits, epSizeBits in Haskell
spec, Haskell and C refinement proofs.

arm-hyp crefine: VSpace_C sorry-free, vcpu_(save|restore)_ccorres done

arm-hyp crefine: update IsolatedThreadActions for vcpuSave change

arm-hyp refine: new vs_valid_duplicates

The Haskell invariant now describes the page mappings necessary for LargePage
and SuperSection. Updates to refine/* to repair the corresponding fallout.

This commit moves some of the largePagePTEOffset et al lemmas from CRefine up
into Refine.

A small number of small but fiddly word lemmas are currently still sorried.

arm-hyp crefine: IsolatedThreadAction sorry-free

arm-hyp crefine: one sorry left in IsolatedThreadAction

arm-hyp crefine: trivial: rename after refine changes

arm-hyp crefine: sorry Invoke_C and IsolatedThreadAction

arm-hyp crefine: update ARM*. with ARM_HYP*. qualification

Found three quantification flavours styles: ARM. ARM_A. ARM_H.

Via find|sed on entire folder.

arm-hyp crefine: copy from ARM