Skip to main content

KVmStore

Struct KVmStore 

Source
pub struct KVmStore {
    pub regions: MetaRegionOwners,
    pub kernel_pt: PageTableOwner<KernelPtConfig>,
    pub kvirt_areas: Map<KVirtId, Range<Vaddr>>,
}
Expand description

One-step-soundness store for the kernel virtual area API. Holds the shared regions, the single global kernel page table kernel_pt, and the set of allocated kernel virtual areas (each a Range<Vaddr> handle — see the module docs).

The kernel analog of super::VmStore; see the module documentation for how it differs (one global PT vs. a map of user VmSpaces).

Fields§

§regions: MetaRegionOwners§kernel_pt: PageTableOwner<KernelPtConfig>§kvirt_areas: Map<KVirtId, Range<Vaddr>>

Implementations§

Source§

impl KVmStore

Source

pub open spec fn inv(self) -> bool

{
    &&& self.regions.inv()
    &&& self.kernel_pt.inv()
    &&& self.kernel_pt.metaregion_sound(self.regions)
    &&& forall |id: KVirtId| {
        #[trigger] self.kvirt_areas.dom().contains(id)
            ==> {
                let r = self.kvirt_areas[id];
                &&& KERNEL_BASE_VADDR <= r.start
                &&& r.end <= FRAME_METADATA_BASE_VADDR
                &&& r.start % PAGE_SIZE == 0
                &&& r.end % PAGE_SIZE == 0
                &&& r.start <= r.end

            }
    }

}

The store’s top-level invariant.

Mirrors the page-table-soundness portion of super::VmStore::structural_inv (the kernel PT relates to the region map via PageTableOwner::metaregion_sound) and adds the per-area range well-formedness that [KVirtArea::inv] enforces at the handle level (within the kernel VMALLOC bounds, page-aligned, ordered).

Source§

impl KVmStore

Source

pub proof fn step_query<'rcu>(tracked &mut self, id: KVirtId, addr: Vaddr, tracked guards: &mut Guards<'rcu>, root_guard: PageTableGuard<'rcu, KernelPtConfig>, ) -> res : Option<MappedItem>

requires
old(self).inv(),
old(self).kvirt_areas.dom().contains(id),
old(self).kvirt_areas[id].start <= addr < old(self).kvirt_areas[id].end,
!(KVirtArea {
    range: old(self).kvirt_areas[id],
})
    .query_panic_condition(
        KVirtAreaOwner {
            pt_owner: old(self).kernel_pt,
        },
        addr,
        old(self).regions,
    ),
ensures
final(self).inv(),
final(self).kvirt_areas == old(self).kvirt_areas,
({
    let area = KVirtArea {
        range: old(self).kvirt_areas[id],
    };
    let owner = KVirtAreaOwner {
        pt_owner: old(self).kernel_pt,
    };
    &&& area.query_some_condition(owner, addr)
        ==> area.query_some_ensures(owner, addr, res)
    &&& !area.query_some_condition(owner, addr) ==> KVirtArea::query_none_ensures(res)

}),

KVirtArea::query: read the mapped item at the page containing addr in area id. Checks the kernel PT out into a cursor, queries (cloning the resolved leaf — regions refcount bump), and checks it back in, so the store keeps a sound kernel_pt. The caller supplies the ambient lock state (guards / root_guard), as the exec does.

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

§

impl<T, VERUS_SPEC__A> FromSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: From<T>,

§

fn obeys_from_spec() -> bool

§

fn from_spec(v: T) -> VERUS_SPEC__A

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

§

impl<T, VERUS_SPEC__A> IntoSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: Into<T>,

§

fn obeys_into_spec() -> bool

§

fn into_spec(self) -> T

§

impl<T, U> IntoSpecImpl<U> for T
where U: From<T>,

§

fn obeys_into_spec() -> bool

§

fn into_spec(self) -> U

Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
§

impl<T, VERUS_SPEC__A> TryFromSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: TryFrom<T>,

§

fn obeys_try_from_spec() -> bool

§

fn try_from_spec( v: T, ) -> Result<VERUS_SPEC__A, <VERUS_SPEC__A as TryFrom<T>>::Error>

Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
§

impl<T, VERUS_SPEC__A> TryIntoSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: TryInto<T>,

§

fn obeys_try_into_spec() -> bool

§

fn try_into_spec(self) -> Result<T, <VERUS_SPEC__A as TryInto<T>>::Error>

§

impl<T, U> TryIntoSpecImpl<U> for T
where U: TryFrom<T>,

§

fn obeys_try_into_spec() -> bool

§

fn try_into_spec(self) -> Result<U, <U as TryFrom<T>>::Error>

§

impl<A> SpecEq<&A> for A
where A: ?Sized,

§

impl<A> SpecEq<&mut A> for A
where A: ?Sized,

§

impl<A> SpecEq<A> for A
where A: ?Sized,

§

impl<A> SpecEq<Ghost<A>> for A

§

impl<A> SpecEq<Tracked<A>> for A