Expand description
Embedding of UniqueFrame lifecycle operations: allocate
(unique_from_unused_embedded) and drop
(unique_drop_embedded).
A UniqueFrame handle in the embedding is a paddr-bearing
super::UniqueEntry in super::VmStore::unique_frames. Unlike a
shared super::FrameEntry, a unique handle drives its slot’s
ref_count to the REF_COUNT_UNIQUE sentinel (u64::MAX - 1),
which is not a participant in the rc == H + P + cover_count
accounting equation. Exclusivity (rc == REF_COUNT_UNIQUE ⟹ no shared users: handle_count == 0, paths_in_pt empty,
segment_cover_count == 0) needs no dedicated invariant clause:
it is implied by the equation itself — a user at a usage == Frame
slot fires the equation’s antecedent and demands rc != UNIQUE,
contradicting rc == UNIQUE. So unique_drop_embedded’s caller
recovers the “no users” facts by deriving that contradiction.
§Methods modeled
UniqueFrame::from_unused: allocate a fresh exclusive handle on a previously-unused slot. The slot transitionsusage == Unused, rc == UNUSED→usage == Frame, rc == UNIQUE.UniqueFramedrop: tear down the exclusive handle. The slot transitionsrc == UNIQUE→rc == UNUSED(last-ref teardown, uninitialising storage), withusage/paths_in_pt(empty) /in_listpreserved — the same shape asFrame’s last-ref teardown.Frame::from_unique(from_unique_embedded): convert the exclusive handle to a shared one —rcdropsUNIQUE → 1, consuming thesuper::UniqueEntryand minting asuper::FrameEntry(H: 0 → 1).UniqueFrame::try_from_shared(try_from_shared_embedded): convert a sole-reference shared handle (rc == 1) back to an exclusive one —rcrises1 → UNIQUE, consuming theFrameEntryand minting aUniqueEntry. Fallible: if the slot is not the sole reference (rc != 1) the CAS fails and the step is a no-op (the shared handle is returned unchanged).
§Model gaps
into_raw/from_raw(pub(crate)-only) and the accessors (meta/meta_mut/repurpose/transmute/start_paddr): no embedding state change / not surfaced.