Expand description
Self-contained one-step-soundness harness for the frame LinkedList
(crate::mm::frame::LinkedList) — the embedding’s companion to
super::VmStore, specialised to linked-list operations.
§Why a separate, generic store
Unlike VmStore (which fixes concrete configs such as
UserPtConfig), ListStore<M> is generic over the link metadata
M. The kernel’s LinkedList<M> is a generic library with no
canonical concrete instantiation in ostd, and LinkedListOwner<M>
cannot be type-erased to dyn: its per-link permission is the
associated type <M as Repr<MetaSlotSmall>>::Perm, embedded in
LinkInnerPerms<M>, so the trait is not object-safe (cf.
Frame<dyn AnyFrameMeta>, which works only because it exposes no
associated type post-erasure).
§Why in_list is a non-issue here
ListStore<M> requires only regions.inv()
(MetaRegionOwners::inv), which — unlike
VmStore::structural_inv — does not constrain in_list. A
listed frame sits at rc == REF_COUNT_UNIQUE with
in_list == list_id != 0; the UNIQUE branch of MetaSlotOwner::inv
pins only storage/vtable_ptr init, leaving in_list free. So
listed frames are admitted with no invariant weakening — the
in_list == 0 constraint is purely a VmStore concern and does not
arise in this harness.
§State
regions: the shared metadata-region ownership.lists: heldLinkedListOwners. Each link is a forgottenUniqueFrame<Link<M>>(its drop-obligation was consumed byinto_rawon push); the owner’sLinkedListOwner::relate_regionties every link to its UNIQUE region slot and pins thenext/prevpointer wiring.loose: held-but-unlistedUniqueFrameOwners — liveUniqueFrame<Link<M>>handles (drop-obligation present) eligible to be pushed.pushmoves one fromlooseinto a list;popmoves a list’s end link out intoloose.
§Roadmap
Landed: the store + invariant, the front/back
allocate-build-teardown suite (new, push_front / pop_front,
push_back / pop_back), the general cursor surgery —
insert_before / take_current at an arbitrary index
(ListStore::step_insert_before_at / ListStore::step_take_at),
which subsume the front/back ops — the read-only accessors
(ListStore::step_size / ListStore::step_is_empty), and the
full persistent cursor lifecycle: a cursor checks its list out of
lists into cursors (ListStore::step_cursor_front_mut /
step_cursor_back_mut / step_cursor_mut_at), walks it
(step_move_next / step_move_prev / step_current_meta), mutates
through it (step_cursor_insert_before / step_cursor_take_current),
and checks it back in on drop (ListStore::step_cursor_drop).
Structs§
- List
Store - One-step-soundness store for the frame
LinkedList. Holds the sharedregions, the set of held lists, the pool of loose (push-eligible)UniqueFrame<Link<M>>handles, and the live cursors.
Functions§
- axiom_
empty_ list_ owner - fresh_
list_ id - fresh_
loose_ id - insert_
before_ at_ embedded - lemma_
fresh_ list_ id_ not_ in_ dom - lemma_
fresh_ loose_ id_ not_ in_ dom - list_
drop_ embedded - list_
registry_ ok - pop_
back_ embedded - pop_
front_ embedded - push_
back_ embedded - push_
front_ embedded - take_
at_ embedded
Type Aliases§
- Cursor
Id - Logical identifier for a live
CursorOwnerin the store. A cursor is keyed by the homeListIdwhose list it checked out, so a list is cursored iff its id is incursors(and then absent fromlists). - ListId
- Logical identifier for a held
LinkedListOwnerin the store. - LooseId
- Logical identifier for a loose (held-but-unlisted)
UniqueFrame<Link<M>>in the store.