Trait PageTableConfig Copy item path

The index range at the top level (C::NR_LEVELS()) page table.

When configured with this value, the PageTable instance will only be allowed to manage the virtual address range that is covered by this range. The range can be smaller than the actual allowed range specified by the hardware MMU (limited by C::ADDRESS_WIDTH).

core::mem::size_of::<Self::E>() == Self::C::PTE_SIZE_spec(),

Layout identity: the PTE type’s Rust size_of matches the config’s PTE_SIZE_spec. Concrete impls satisfy this via their global layout declaration. Exposed for generic code that calls core::mem::size_of::<Self::E>().

NR_ENTRIES * core::mem::size_of::<Self::E>() == crate::specs::arch::mm::PAGE_SIZE,

A full PT-node’s worth of PTEs fills exactly one base page. NR_ENTRIES * size_of::<E>() == PAGE_SIZE. Bundles the pow2-divides-pow2 ⇒ mul-equals-div arithmetic Verus doesn’t auto-derive from axiom_nr_subpage_per_huge + axiom_pte_size.

Self::TOP_LEVEL_INDEX_RANGE_spec().end <= NR_ENTRIES,

The top-level index range fits within a single PT-node. Concretely 0..256 (UserPtConfig) or 256..512 (KernelPtConfig); both have end <= NR_ENTRIES. Used by PT-node on_drop to bound range.start * size_of::<C::E>() <= PAGE_SIZE.

core::mem::size_of::<Self::E>() % core::mem::align_of::<Self::E>() == 0,

core::mem::align_of::<Self::E>() > 0,

align_of::<E>() divides size_of::<E>(). True for any sized Rust type (the alignment divides the size by the layout rules), but Verus’s size_of/align_of are uninterpreted so we expose it as an axiom. Used by PT-node on_drop to prove cursor alignment is preserved across read_once iterations.

Consumes the item and returns the physical address, the paging level, and the page property.

The ownership of the item will be consumed, i.e., the item will be forgotten after this function is called.

Restores the item from the physical address and the paging level.

There could be transformations after PageTableConfig::item_into_raw and before PageTableConfig::item_from_raw, which include:

• splitting and coalescing the items, for example, splitting one item into 512 level - 1 items with and contiguous physical addresses;
• protecting the items, for example, changing the page property.

Splitting and coalescing maintains ownership rules, i.e., if one physical address is within the range of one item, after splitting/ coalescing, there should be exactly one item that contains the address.

§Safety

The caller must ensure that:

• the physical address and the paging level represent a page table item or part of it (as described above);
• either the ownership of the item is properly transferred to the return value, or the return value is wrapped in a core::mem::ManuallyDrop that won’t outlive the original item.

A concrete trait implementation may require the caller to ensure that

• the [super::PageFlags::AVAIL1] flag is the same as that returned from PageTableConfig::item_into_raw.

Whether cloning this item bumps a slot’s refcount. For ref-counted items (e.g. MappedItem::Tracked), true; for items where clone is a no-op (e.g. MappedItem::Untracked for kernel MMIO frames), false.

Per-config predicate that captures the structural well-formedness an item reconstructed via item_from_raw_spec must satisfy. Typically: the Frame::inv() of the tracked-frame component (if any).

KernelPtConfig defines this as match item { Tracked(f, _) => f.inv(), Untracked => true }. UserPtConfig defines it as item.frame.inv().

crate::mm::frame::meta::has_safe_slot(pa),

Self::item_well_formed(Self::item_from_raw_spec(pa, level, prop)),

The item produced by item_from_raw_spec is structurally well-formed (see item_well_formed).

item.clone_ensures(old_regions, new_regions, res),

Self::item_into_raw_spec(item).0 == pa,

res == item,

new_regions.inv(),

new_regions.slots =~= old_regions.slots,

new_regions.slot_owners.dom() =~= old_regions.slot_owners.dom(),

forall |i: usize| {
    i != frame_to_index(pa)
        ==> (#[trigger] new_regions.slot_owners[i] == old_regions.slot_owners[i])
},

Self::tracked(item)
    ==> {
        &&& new_regions.slot_owners[frame_to_index(pa)].inner_perms.ref_count.value()
            == old_regions.slot_owners[frame_to_index(pa)].inner_perms.ref_count.value()
                + 1
        &&& new_regions.slot_owners[frame_to_index(pa)].inner_perms.ref_count.id()
            == old_regions.slot_owners[frame_to_index(pa)].inner_perms.ref_count.id()
        &&& new_regions.slot_owners[frame_to_index(pa)].inner_perms.storage
            == old_regions.slot_owners[frame_to_index(pa)].inner_perms.storage
        &&& new_regions.slot_owners[frame_to_index(pa)].inner_perms.vtable_ptr
            == old_regions.slot_owners[frame_to_index(pa)].inner_perms.vtable_ptr
        &&& new_regions.slot_owners[frame_to_index(pa)].inner_perms.in_list
            == old_regions.slot_owners[frame_to_index(pa)].inner_perms.in_list
        &&& new_regions.slot_owners[frame_to_index(pa)].paths_in_pt
            == old_regions.slot_owners[frame_to_index(pa)].paths_in_pt
        &&& new_regions.slot_owners[frame_to_index(pa)].self_addr
            == old_regions.slot_owners[frame_to_index(pa)].self_addr
        &&& new_regions.slot_owners[frame_to_index(pa)].usage
            == old_regions.slot_owners[frame_to_index(pa)].usage

    },

!Self::tracked(item)
    ==> new_regions.slot_owners[frame_to_index(pa)]
        == old_regions.slot_owners[frame_to_index(pa)],

Self::tracked(item)
    ==> (new_regions.frame_obligations
        =~= old_regions.frame_obligations.insert(frame_to_index(pa))),

!Self::tracked(item)
    ==> (new_regions.frame_obligations =~= old_regions.frame_obligations),

Proves that clone_ensures for Self::Item implies concrete per-field properties on MetaRegionOwners. Each PageTableConfig implementor proves this by unfolding its MappedItem::clone_ensures → Frame::clone_ensures. Proves that after clone, the slot at frame_to_index(pa) has the expected per-field properties. Implementors unfold their MappedItem::clone_ensures to Frame::clone_ensures and connect pa to the frame’s internal pointer address.

regions.inv(),

Self::item_from_raw_spec(pa, level, prop) == item,

crate::mm::frame::meta::has_safe_slot(pa),

regions.slots.contains_key(frame_to_index(pa)),

regions.slot_owners.contains_key(frame_to_index(pa)),

Self::tracked(item)
    ==> regions.slot_owners[frame_to_index(pa)].inner_perms.ref_count.value() > 0,

Self::tracked(item)
    ==> regions.slot_owners[frame_to_index(pa)].inner_perms.ref_count.value()
        != crate::specs::mm::frame::meta_owners::REF_COUNT_UNUSED,

Self::tracked(item)
    ==> (regions.slot_owners[frame_to_index(pa)].inner_perms.ref_count.value()
        < crate::specs::mm::frame::meta_owners::REF_COUNT_MAX || may_panic()),

item.clone_requires(regions),

Proves item.clone_requires(regions) from the concrete frame-slot facts delivered by metaregion_sound plus the non-saturation bound propagated from Cursor::query. Implementors unfold their MappedItem::clone_requires to Frame::clone_requires and connect pa to the frame’s internal pointer address.

{ 0 }

The leading bits [48, 64) of every virtual address managed by this config.

Concretely, a mapping m in this page table has m.va_range.start / 2^48 == LEADING_BITS_spec(). For non-sign-extended configurations (e.g. UserPtConfig) this is 0. For x86-64 kernel PT it is 0xffff (sign-extended high half). The type is wide enough to carry arbitrary bit patterns, so the model can accommodate future configurations that place their managed range at a non-canonical fixed offset.

Combined with TOP_LEVEL_INDEX_RANGE_spec, this fully determines the managed VA range, computed as vaddr_range_bounds_spec::<Self>. Callers that previously used VADDR_RANGE_spec() should use vaddr_range_bounds_spec::<C>() directly — the inclusive (start, end_inclusive) form avoids the end == usize::MAX + 1 overflow that plagues Range<Vaddr> for sign-extended kernel configurations.

{ true }

If we can remove the top-level page table entries.

This is for the kernel page table, whose second-top-level page tables need 'static lifetime to be shared with user page tables. Other page tables do not need to set this to false.

{ 0x1_0000_0000_0000_0000int }

Upper bound on locked_range().end as int for cursors of this config.

May be tighter than the structural vaddr_range_bounds_spec().1 + 1 when the actual sources of cursor ranges (e.g. the kvirt allocator for KernelPtConfig) draw from a sub-window of the configured VA range. KernelPtConfig overrides this to FRAME_METADATA_BASE_VADDR, which the kvirt_alloc_range_bounds axiom enforces. This bound is what allows the cursor’s move_forward proof to discharge prefix.idx[NR_LEVELS - 1] + 1 < NR_ENTRIES at the top-level boundary — the structural bound only gives <= NR_ENTRIES for configurations whose TOP_LEVEL_INDEX_RANGE.end == NR_ENTRIES.

Default: usize::MAX + 1 (no tightening over the structural bound).