ChildRef

ostd::mm::page_table

Enum ChildRef 

Source 
pub enum ChildRef<'a, C: PageTableConfig> {
    PageTable(PageTableNodeRef<'a, C>),
    Frame(Paddr, PagingLevel, PageProperty),
    None,
}
Expand description

A reference to the child of a page table node.

§Verification Design

If the child is itself a page table node, it is represented by a PageTableNodeRef, because a reference to it must be treated as a potentially shared reference of the appropriate lifetime. By contrast, a mapped frame can be referenced by just carrying its values, and an absent one is just a simple tag.

Variants§

§

PageTable(PageTableNodeRef<'a, C>)

A child page table node.

§

Frame(Paddr, PagingLevel, PageProperty)

Physical address of a mapped physical frame.

It is associated with the virtual page property and the level of the mapping node, which decides the size of the frame.

§

None

Implementations§

Source§

impl<'a, C: PageTableConfig> ChildRef<'a, C>

Source

pub fn arrow_1(self) -> PagingLevel

Source

pub fn arrow_2(self) -> PageProperty

Source

pub fn arrow_PageTable_0(self) -> PageTableNodeRef<'a, C>

Source

pub fn arrow_Frame_0(self) -> Paddr

Source

pub fn arrow_Frame_1(self) -> PagingLevel

Source

pub fn arrow_Frame_2(self) -> PageProperty

Source§

impl<C: PageTableConfig> ChildRef<'_, C>

Source

pub exec fn from_pte(pte: &C::E, level: PagingLevel) -> res : Self

with
Tracked(regions): Tracked<&mut MetaRegionOwners>,
Tracked(entry_owner): Tracked<&EntryOwner<C>>,
requires
entry_owner.pte_invariants(*pte, *old(regions)),
level == entry_owner.parent_level,
ensures
res.invariants(*entry_owner, *regions),
*regions =~= *old(regions),

Converts a PTE to a reference to a child.

§Verified Properties
§Preconditions
  • Safety Invariants: the PTE’s safety invariants must hold.
  • Safety: level must match the original level of the child.
§Postconditions
  • Safety Invariants: the safety invariants are preserved.
  • Correctness: the ChildRef is equivalent to the original PTE.
  • Safety: No frame other than the target entry’s (if applicable) is impacted by the call.
§Safety
  • The PTE safety invariants require that the PTE was previously obtained using Self::from_pte
  • The soundness of using the resulting ChildRef as a reference follows from FrameRef safety.
Source§

impl<C: PageTableConfig> ChildRef<'_, C>

Source

pub open spec fn invariants(self, owner: EntryOwner<C>, regions: MetaRegionOwners) -> bool

{
    &&& owner.inv()
    &&& regions.inv()
    &&& self.wf(owner)
    &&& owner.relate_region(regions)
    &&& !owner.in_scope

}

Trait Implementations§

Source§

impl<'a, C: PageTableConfig> OwnerOf for ChildRef<'a, C>

Source§

open spec fn wf(self, owner: Self::Owner) -> bool

{
    match self {
        Self::PageTable(node) => (
            &&& owner.is_node()
            &&& node.inner.0.ptr.addr() == owner.node.unwrap().meta_perm.addr()

        ),
        Self::Frame(paddr, level, prop) => (
            &&& owner.is_frame()
            &&& owner.frame.unwrap().mapped_pa == paddr
            &&& owner.frame.unwrap().prop == prop

        ),
        Self::None => owner.is_absent(),
    }
}
Source§

type Owner = EntryOwner<C>

The owner of the concrete type. The Owner must implement Inv, indicating that it must has a consistent state.

Auto Trait Implementations§

§

impl<'a, C> Freeze for ChildRef<'a, C>

§

impl<'a, C> !RefUnwindSafe for ChildRef<'a, C>

§

impl<'a, C> Send for ChildRef<'a, C>

§

impl<'a, C> Sync for ChildRef<'a, C>

§

impl<'a, C> Unpin for ChildRef<'a, C>
where C: Unpin,

§

impl<'a, C> !UnwindSafe for ChildRef<'a, C>

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

§

impl<T, VERUS_SPEC__A> FromSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: From<T>,

§

fn obeys_from_spec() -> bool

§

fn from_spec(v: T) -> VERUS_SPEC__A

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

§

impl<T, VERUS_SPEC__A> IntoSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: Into<T>,

§

fn obeys_into_spec() -> bool

§

fn into_spec(self) -> T

§

impl<T, U> IntoSpecImpl<U> for T
where U: From<T>,

§

fn obeys_into_spec() -> bool

§

fn into_spec(self) -> U

Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
§

impl<T, VERUS_SPEC__A> TryFromSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: TryFrom<T>,

§

fn obeys_try_from_spec() -> bool

§

fn try_from_spec( v: T, ) -> Result<VERUS_SPEC__A, <VERUS_SPEC__A as TryFrom<T>>::Error>

Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
§

impl<T, VERUS_SPEC__A> TryIntoSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: TryInto<T>,

§

fn obeys_try_into_spec() -> bool

§

fn try_into_spec(self) -> Result<T, <VERUS_SPEC__A as TryInto<T>>::Error>

§

impl<T, U> TryIntoSpecImpl<U> for T
where U: TryFrom<T>,

§

fn obeys_try_into_spec() -> bool

§

fn try_into_spec(self) -> Result<U, <U as TryFrom<T>>::Error>