Child

ostd::mm::page_table

Enum Child 

Source 
pub enum Child<C: PageTableConfig> {
    PageTable(PageTableNode<C>),
    Frame(Paddr, PagingLevel, PageProperty),
    None,
}
Expand description

A page table entry that owns the child of a page table node if present.

Variants§

§

PageTable(PageTableNode<C>)

A child page table node.

§

Frame(Paddr, PagingLevel, PageProperty)

Physical address of a mapped physical frame.

It is associated with the virtual page property and the level of the mapping node, which decides the size of the frame.

§

None

Implementations§

Source§

impl<C: PageTableConfig> Child<C>

Source

pub fn arrow_1(self) -> PagingLevel

Source

pub fn arrow_2(self) -> PageProperty

Source

pub fn arrow_PageTable_0(self) -> PageTableNode<C>

Source

pub fn arrow_Frame_0(self) -> Paddr

Source

pub fn arrow_Frame_1(self) -> PagingLevel

Source

pub fn arrow_Frame_2(self) -> PageProperty

Source§

impl<C: PageTableConfig> Child<C>

Source

pub exec fn into_pte(self) -> res : C::E

with
Tracked(owner): Tracked<&mut EntryOwner<C>>,
Tracked(regions): Tracked<&mut MetaRegionOwners>,
requires
self.invariants(*old(owner), *old(regions)),
old(owner).in_scope,
ensures
owner.pte_invariants(res, *regions),
*regions == old(owner).into_pte_regions_spec(*old(regions)),
*owner == old(owner).into_pte_owner_spec(),
old(owner).node is Some
    ==> res
        == C::E::new_pt_spec(meta_to_frame(old(owner).node.unwrap().meta_perm.addr())),

Converts the child to a raw PTE value.

§Verified Properties
§Preconditions
  • Safety Invariants: all safety invariants must hold on the child.
  • Safety: the entry’s must be marked as a child, which implies that it has a raw_count of 0.
§Postconditions
  • Safety Invariants: the PTE’s safety invariants are preserved.
  • Safety: the entry’s raw count is incremented by 1.
  • Safety: No frame other than the target entry’s (if applicable) is impacted by the call.
  • Correctness: the PTE is equivalent to the original Child.
§Safety

The PTE safety invariants ensure that the raw pointer to the entry is tracked correctly so that we can guarantee the safety condition on from_pte.

Source

pub exec fn from_pte(pte: C::E, level: PagingLevel) -> res : Self

with
Tracked(regions): Tracked<&mut MetaRegionOwners>,
Tracked(entry_own): Tracked<&mut EntryOwner<C>>,
requires
old(entry_own).pte_invariants(pte, *old(regions)),
level == old(entry_own).parent_level,
ensures
res.invariants(*entry_own, *regions),
res == Child::<C>::from_pte_spec(pte, level, *regions),
*entry_own == old(entry_own).from_pte_owner_spec(),
*regions == entry_own.from_pte_regions_spec(*old(regions)),

Converts a PTE to a Child.

§Verified Properties
§Preconditions
  • Safety Invariants: the PTE’s safety invariants must hold.
  • Safety: level must match the original level of the child.
§Postconditions
  • Safety Invariants: the safety invariants are preserved.
  • Safety: the EntryOwner is aware that it is tracking an entry in Child form.
  • Safety: No frame other than the target entry’s (if applicable) is impacted by the call.
  • Correctness: the Child is equivalent to the original PTE.
§Safety

The PTE safety invariants require that the PTE was previously obtained using Self::into_pte (or another function that calls ManuallyDrop::new, which is sufficient for safety).

Source§

impl<C: PageTableConfig> Child<C>

Source

pub open spec fn get_node(self) -> Option<PageTableNode<C>>

{
    match self {
        Self::PageTable(node) => Some(node),
        _ => None,
    }
}
Source

pub open spec fn get_frame_tuple(self) -> Option<(Paddr, PagingLevel, PageProperty)>

{
    match self {
        Self::Frame(paddr, level, prop) => Some((paddr, level, prop)),
        _ => None,
    }
}
Source

pub open spec fn into_pte_frame_spec( self, tuple: (Paddr, PagingLevel, PageProperty), ) -> C::E

{
    let (paddr, level, prop) = tuple;
    C::E::new_page_spec(paddr, level, prop)
}
Source

pub open spec fn into_pte_none_spec(self) -> C::E

{ C::E::new_absent_spec() }
Source

pub open spec fn from_pte_spec( pte: C::E, level: PagingLevel, regions: MetaRegionOwners, ) -> Self

{
    if !pte.is_present() {
        Self::None
    } else if pte.is_last(level) {
        Self::Frame(pte.paddr(), level, pte.prop())
    } else {
        Self::PageTable(PageTableNode::from_raw_spec(pte.paddr()))
    }
}
Source

pub open spec fn from_pte_frame_spec(pte: C::E, level: PagingLevel) -> Self

{ Self::Frame(pte.paddr(), level, pte.prop()) }
Source

pub open spec fn from_pte_pt_spec(paddr: Paddr, regions: MetaRegionOwners) -> Self

{ Self::PageTable(PageTableNode::from_raw_spec(paddr)) }
Source

pub open spec fn invariants(self, owner: EntryOwner<C>, regions: MetaRegionOwners) -> bool

{
    &&& owner.inv()
    &&& regions.inv()
    &&& self.wf(owner)
    &&& owner.relate_region(regions)
    &&& owner.in_scope

}

Trait Implementations§

Source§

impl<C: PageTableConfig> OwnerOf for Child<C>

Source§

open spec fn wf(self, owner: Self::Owner) -> bool

{
    match self {
        Self::PageTable(node) => (
            &&& owner.is_node()
            &&& node.ptr.addr() == owner.node.unwrap().meta_perm.addr()
            &&& node.index() == frame_to_index(meta_to_frame(node.ptr.addr()))

        ),
        Self::Frame(paddr, level, prop) => (
            &&& owner.is_frame()
            &&& owner.frame.unwrap().mapped_pa == paddr
            &&& owner.frame.unwrap().prop == prop
            &&& level == owner.parent_level

        ),
        Self::None => owner.is_absent(),
    }
}
Source§

type Owner = EntryOwner<C>

The owner of the concrete type. The Owner must implement Inv, indicating that it must has a consistent state.

Auto Trait Implementations§

§

impl<C> Freeze for Child<C>

§

impl<C> !RefUnwindSafe for Child<C>

§

impl<C> Send for Child<C>

§

impl<C> Sync for Child<C>

§

impl<C> Unpin for Child<C>
where C: Unpin,

§

impl<C> UnwindSafe for Child<C>
where C: UnwindSafe,

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

§

impl<T, VERUS_SPEC__A> FromSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: From<T>,

§

fn obeys_from_spec() -> bool

§

fn from_spec(v: T) -> VERUS_SPEC__A

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

§

impl<T, VERUS_SPEC__A> IntoSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: Into<T>,

§

fn obeys_into_spec() -> bool

§

fn into_spec(self) -> T

§

impl<T, U> IntoSpecImpl<U> for T
where U: From<T>,

§

fn obeys_into_spec() -> bool

§

fn into_spec(self) -> U

Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
§

impl<T, VERUS_SPEC__A> TryFromSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: TryFrom<T>,

§

fn obeys_try_from_spec() -> bool

§

fn try_from_spec( v: T, ) -> Result<VERUS_SPEC__A, <VERUS_SPEC__A as TryFrom<T>>::Error>

Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
§

impl<T, VERUS_SPEC__A> TryIntoSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: TryInto<T>,

§

fn obeys_try_into_spec() -> bool

§

fn try_into_spec(self) -> Result<T, <VERUS_SPEC__A as TryInto<T>>::Error>

§

impl<T, U> TryIntoSpecImpl<U> for T
where U: TryFrom<T>,

§

fn obeys_try_into_spec() -> bool

§

fn try_into_spec(self) -> Result<U, <U as TryFrom<T>>::Error>