MetaRegionOwners

ostd::specs::mm::frame::meta_region_owners

Struct MetaRegionOwners 

Source 
pub struct MetaRegionOwners {
    pub slots: Map<usize, PointsTo<MetaSlot>>,
    pub slot_owners: Map<usize, MetaSlotOwner>,
}
Expand description

Represents the ownership of the meta-frame memory region.

§Verification Design

§Slot owners

Every metadata slot has its owner (MetaSlotOwner) tracked by the slot_owners map at all times. This makes the MetaRegionOwners the one place that tracks every frame, whether or not it is in use.

§Slot permissions

We treat the slot permissions differently depending on how they are used. The permissions of unused slots are tracked in slots, as are those of frames that do not otherwise belong to any other data structure. This is necessary because those frames can have a new reference taken at any time via Frame::from_in_use. Unique frames and frames that are forgotten with into_raw have their permissions tracked by the owner of whatever object they belong to. Their permissions will be returned to slots when the object is dropped. Whether or not the frame has a permission in slots, it will always have an owner in slot_owners, which tracks information that needs to be globally visible.

§Safety

Forgetting a slot with into_raw or ManuallyDrop::new will leak the frame. Forgetting it multiple times without restoring it will likely result in a memory leak, but not double-free. Double-free happens when from_raw is called on a frame that is not forgotten, or that has been dropped with ManuallyDrop::drop instead of into_raw. All functions in the verified code that call from_raw have a precondition that the frame’s index is not a key in slots.

Fields§

§slots: Map<usize, PointsTo<MetaSlot>>§slot_owners: Map<usize, MetaSlotOwner>

Implementations§

Source§

impl MetaRegionOwners

Source

pub open spec fn ref_count(self, i: usize) -> res : u64

recommends
self.inv(),
i < max_meta_slots() as usize,
{ self.slot_owners[i].inner_perms.ref_count.value() }
Source

pub open spec fn paddr_range_in_region(self, range: Range<Paddr>) -> bool

recommends
self.inv(),
range.start < range.end < MAX_PADDR,
{
    forall |paddr: Paddr| {
        (range.start <= paddr < range.end && paddr % PAGE_SIZE == 0)
            ==> self.slots.contains_key(frame_to_index_spec(paddr))
    }
}
Source

pub open spec fn paddr_range_not_mapped(self, range: Range<Paddr>) -> bool

recommends
self.inv(),
range.start < range.end < MAX_PADDR,
{
    forall |paddr: Paddr| {
        (range.start <= paddr < range.end && paddr % PAGE_SIZE == 0)
            ==> self.slot_owners[frame_to_index_spec(paddr)].path_if_in_pt is None
    }
}
Source

pub open spec fn paddr_range_not_in_region(self, range: Range<Paddr>) -> bool

recommends
self.inv(),
range.start < range.end < MAX_PADDR,
{
    forall |paddr: Paddr| {
        (range.start <= paddr < range.end && paddr % PAGE_SIZE == 0)
            ==> !self.slots.contains_key(frame_to_index_spec(paddr))
    }
}
Source

pub proof fn inv_implies_correct_addr(self, paddr: usize)

requires
paddr < MAX_PADDR,
paddr % PAGE_SIZE == 0,
self.inv(),
ensures
self.slot_owners.contains_key(frame_to_index_spec(paddr) as usize),
Source

pub proof fn sync_perm<M: AnyFrameMeta + Repr<MetaSlotStorage>>(tracked &mut self, index: usize, perm: &MetaPerm<M>, )

ensures
self.slots == old(self).slots.insert(index, perm.points_to),
self.slot_owners == old(self).slot_owners,
Source

pub proof fn copy_perm<M: AnyFrameMeta + Repr<MetaSlotStorage>>(tracked &mut self, index: usize, ) -> tracked perm : MetaPerm<M>

requires
old(self).slots.contains_key(index),
ensures
perm.points_to == old(self).slots[index],
self.slots == old(self).slots.remove(index),
self.slot_owners == old(self).slot_owners,

Trait Implementations§

Source§

impl Inv for MetaRegionOwners

Source§

open spec fn inv(self) -> bool

{
    &&& self.slots.dom().finite()
    &&& {
        forall |i: usize| {
            i < max_meta_slots() <==> #[trigger] self.slot_owners.contains_key(i)
        }
    }
    &&& {
        forall |i: usize| #[trigger] self.slots.contains_key(i) ==> i < max_meta_slots()
    }
    &&& {
        forall |i: usize| {
            #[trigger] self.slots.contains_key(i)
                ==> {
                    &&& self.slot_owners.contains_key(i)
                    &&& self.slot_owners[i].inv()
                    &&& self.slots[i].is_init()
                    &&& self.slots[i].addr() == meta_addr(i)
                    &&& self.slots[i].value().wf(self.slot_owners[i])
                    &&& self.slot_owners.contains_key(i)
                    &&& self.slot_owners[i].self_addr == self.slots[i].addr()

                }
        }
    }
    &&& {
        forall |i: usize| {
            #[trigger] self.slot_owners.contains_key(i)
                ==> {
                    &&& self.slot_owners[i].inv()

                }
        }
    }

}
Source§

impl InvView for MetaRegionOwners

Source§

proof fn view_preserves_inv(self)

Source§

impl View for MetaRegionOwners

Source§

open spec fn view(&self) -> <Self as View>::V

{
    let slots = self.slot_owners.map_values(|s: MetaSlotOwner| s@);
    MetaRegionModel { slots }
}
Source§

type V = MetaRegionModel

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

§

impl<T, VERUS_SPEC__A> FromSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: From<T>,

§

fn obeys_from_spec() -> bool

§

fn from_spec(v: T) -> VERUS_SPEC__A

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

§

impl<T, VERUS_SPEC__A> IntoSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: Into<T>,

§

fn obeys_into_spec() -> bool

§

fn into_spec(self) -> T

§

impl<T, U> IntoSpecImpl<U> for T
where U: From<T>,

§

fn obeys_into_spec() -> bool

§

fn into_spec(self) -> U

Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
§

impl<T, VERUS_SPEC__A> TryFromSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: TryFrom<T>,

§

fn obeys_try_from_spec() -> bool

§

fn try_from_spec( v: T, ) -> Result<VERUS_SPEC__A, <VERUS_SPEC__A as TryFrom<T>>::Error>

Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
§

impl<T, VERUS_SPEC__A> TryIntoSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: TryInto<T>,

§

fn obeys_try_into_spec() -> bool

§

fn try_into_spec(self) -> Result<T, <VERUS_SPEC__A as TryInto<T>>::Error>

§

impl<T, U> TryIntoSpecImpl<U> for T
where U: TryFrom<T>,

§

fn obeys_try_into_spec() -> bool

§

fn try_into_spec(self) -> Result<U, <U as TryFrom<T>>::Error>