Trait PageTableConfig Copy item path

The index range at the top level (C::NR_LEVELS()) page table.

When configured with this value, the PageTable instance will only be allowed to manage the virtual address range that is covered by this range. The range can be smaller than the actual allowed range specified by the hardware MMU (limited by C::ADDRESS_WIDTH).

Consumes the item and returns the physical address, the paging level, and the page property.

The ownership of the item will be consumed, i.e., the item will be forgotten after this function is called.

Restores the item from the physical address and the paging level.

There could be transformations after PageTableConfig::item_into_raw and before PageTableConfig::item_from_raw, which include:

• splitting and coalescing the items, for example, splitting one item into 512 level - 1 items with and contiguous physical addresses;
• protecting the items, for example, changing the page property.

Splitting and coalescing maintains ownership rules, i.e., if one physical address is within the range of one item, after splitting/ coalescing, there should be exactly one item that contains the address.

§Safety

The caller must ensure that:

• the physical address and the paging level represent a page table item or part of it (as described above);
• either the ownership of the item is properly transferred to the return value, or the return value is wrapped in a core::mem::ManuallyDrop that won’t outlive the original item.

A concrete trait implementation may require the caller to ensure that

• the [super::PageFlags::AVAIL1] flag is the same as that returned from PageTableConfig::item_into_raw.

item.clone_ensures(old_regions, new_regions, res),

Self::item_into_raw_spec(item).0 == pa,

res == item,

new_regions.inv(),

new_regions.slots =~= old_regions.slots,

new_regions.slot_owners.dom() =~= old_regions.slot_owners.dom(),

forall |i: usize| {
    i != frame_to_index(pa)
        ==> (#[trigger] new_regions.slot_owners[i] == old_regions.slot_owners[i])
},

new_regions.slot_owners[frame_to_index(pa)].inner_perms.ref_count.value()
    == old_regions.slot_owners[frame_to_index(pa)].inner_perms.ref_count.value() + 1,

new_regions.slot_owners[frame_to_index(pa)].inner_perms.ref_count.id()
    == old_regions.slot_owners[frame_to_index(pa)].inner_perms.ref_count.id(),

new_regions.slot_owners[frame_to_index(pa)].inner_perms.storage
    == old_regions.slot_owners[frame_to_index(pa)].inner_perms.storage,

new_regions.slot_owners[frame_to_index(pa)].inner_perms.vtable_ptr
    == old_regions.slot_owners[frame_to_index(pa)].inner_perms.vtable_ptr,

new_regions.slot_owners[frame_to_index(pa)].inner_perms.in_list
    == old_regions.slot_owners[frame_to_index(pa)].inner_perms.in_list,

new_regions.slot_owners[frame_to_index(pa)].paths_in_pt
    == old_regions.slot_owners[frame_to_index(pa)].paths_in_pt,

new_regions.slot_owners[frame_to_index(pa)].self_addr
    == old_regions.slot_owners[frame_to_index(pa)].self_addr,

new_regions.slot_owners[frame_to_index(pa)].raw_count
    == old_regions.slot_owners[frame_to_index(pa)].raw_count,

new_regions.slot_owners[frame_to_index(pa)].usage
    == old_regions.slot_owners[frame_to_index(pa)].usage,

Proves that clone_ensures for Self::Item implies concrete per-field properties on MetaRegionOwners. Each PageTableConfig implementor proves this by unfolding its MappedItem::clone_ensures → Frame::clone_ensures. Proves that after clone, the slot at frame_to_index(pa) has the expected per-field properties. Implementors unfold their MappedItem::clone_ensures to Frame::clone_ensures and connect pa to the frame’s internal pointer address.

regions.inv(),

Self::item_from_raw_spec(pa, level, prop) == item,

crate::mm::frame::meta::has_safe_slot(pa),

regions.slots.contains_key(frame_to_index(pa)),

regions.slot_owners.contains_key(frame_to_index(pa)),

regions.slot_owners[frame_to_index(pa)].inner_perms.ref_count.value() > 0,

regions.slot_owners[frame_to_index(pa)].inner_perms.ref_count.value() + 1
    < crate::specs::mm::frame::meta_owners::REF_COUNT_MAX,

item.clone_requires(regions),

Proves item.clone_requires(regions) from the concrete frame-slot facts delivered by metaregion_sound plus the non-saturation bound propagated from Cursor::query. Implementors unfold their MappedItem::clone_requires to Frame::clone_requires and connect pa to the frame’s internal pointer address.

{ 0 }

The leading bits [48, 64) of every virtual address managed by this config.

Concretely, a mapping m in this page table has m.va_range.start / 2^48 == LEADING_BITS_spec(). For non-sign-extended configurations (e.g. UserPtConfig) this is 0. For x86-64 kernel PT it is 0xffff (sign-extended high half). The type is wide enough to carry arbitrary bit patterns, so the model can accommodate future configurations that place their managed range at a non-canonical fixed offset.

Combined with TOP_LEVEL_INDEX_RANGE_spec, this fully determines the managed VA range, computed as vaddr_range_bounds_spec::<Self>. Callers that previously used VADDR_RANGE_spec() should use vaddr_range_bounds_spec::<C>() directly — the inclusive (start, end_inclusive) form avoids the end == usize::MAX + 1 overflow that plagues Range<Vaddr> for sign-extended kernel configurations.

{ true }

If we can remove the top-level page table entries.

This is for the kernel page table, whose second-top-level page tables need 'static lifetime to be shared with user page tables. Other page tables do not need to set this to false.