Skip to main content

SegmentOwner

ostd::mm::frame::segment

Struct SegmentOwner 

Source 
pub struct SegmentOwner<M: AnyFrameMeta + ?Sized> {
    pub perms: Seq<MetaPerm<M>>,
}
Expand description

A SegmentOwner<M> holds the permission tokens for all frames in the Segment<M> for verification purposes.

Fields§

§perms: Seq<MetaPerm<M>>

The permissions for all frames in the segment, which must be well-formed and valid.

Implementations§

Source§

impl<M: AnyFrameMeta + ?Sized> SegmentOwner<M>

Source

pub proof fn produce_kernel_mem_view(tracked &self, segment: Segment<M>) -> tracked view : MemView

requires
self.inv(),
segment.inv_with(self),
ensures
segment.kernel_mem_view_covers(&view),

Produces a kernel direct-mapping memory view for the segment.

This is a proof bridge from segment ownership to the VM I/O memory-view model. It should eventually be justified by a real frame-content owner instead of metadata permissions alone.

Source

pub proof fn borrow_kernel_mem_view<'a>(tracked &'a self, segment: Segment<M>) -> tracked view : &'a MemView

requires
self.inv(),
segment.inv_with(self),
ensures
segment.kernel_mem_view_covers(view),

Borrows a kernel direct-mapping memory view for the segment.

This is the read-side counterpart of Self::produce_kernel_mem_view, used when the VM I/O owner only needs a shared read view.

Trait Implementations§

Source§

impl<M: AnyFrameMeta + ?Sized> Inv for SegmentOwner<M>

Source§

open spec fn inv(self) -> bool

{
    &&& forall |i: int| {
        0 <= i < self.perms.len() as int
            ==> {
                &&& self.perms[i].addr() % PAGE_SIZE == 0
                &&& self.perms[i].addr() < MAX_PADDR
                &&& self.perms[i].wf(&self.perms[i].inner_perms)
                &&& self.perms[i].is_init()

            }
    }

}

The invariant of a Segment:

  • the permissions are well-formed and valid;
  • the physical addresses of the permissions are aligned and within bounds.

Auto Trait Implementations§

§

impl<M> Freeze for SegmentOwner<M>

§

impl<M> !RefUnwindSafe for SegmentOwner<M>

§

impl<M> Send for SegmentOwner<M>
where M: Send,

§

impl<M> Sync for SegmentOwner<M>
where M: Sync,

§

impl<M> Unpin for SegmentOwner<M>
where M: Unpin,

§

impl<M> UnsafeUnpin for SegmentOwner<M>

§

impl<M> UnwindSafe for SegmentOwner<M>
where M: UnwindSafe,

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

§

impl<T, VERUS_SPEC__A> FromSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: From<T>,

§

fn obeys_from_spec() -> bool

§

fn from_spec(v: T) -> VERUS_SPEC__A

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

§

impl<T, VERUS_SPEC__A> IntoSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: Into<T>,

§

fn obeys_into_spec() -> bool

§

fn into_spec(self) -> T

§

impl<T, U> IntoSpecImpl<U> for T
where U: From<T>,

§

fn obeys_into_spec() -> bool

§

fn into_spec(self) -> U

Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
§

impl<T, VERUS_SPEC__A> TryFromSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: TryFrom<T>,

§

fn obeys_try_from_spec() -> bool

§

fn try_from_spec( v: T, ) -> Result<VERUS_SPEC__A, <VERUS_SPEC__A as TryFrom<T>>::Error>

Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
§

impl<T, VERUS_SPEC__A> TryIntoSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: TryInto<T>,

§

fn obeys_try_into_spec() -> bool

§

fn try_into_spec(self) -> Result<T, <VERUS_SPEC__A as TryInto<T>>::Error>

§

impl<T, U> TryIntoSpecImpl<U> for T
where U: TryFrom<T>,

§

fn obeys_try_into_spec() -> bool

§

fn try_into_spec(self) -> Result<U, <U as TryFrom<T>>::Error>