Skip to main content

UniqueFrameOwner

ostd::specs::mm::frame::unique

Struct UniqueFrameOwner 

Source 
pub struct UniqueFrameOwner<M: AnyFrameMeta + Repr<MetaSlotStorage> + OwnerOf> {
    pub meta_own: M::Owner,
    pub slot_index: usize,
}

Fields§

§meta_own: M::Owner§slot_index: usize

Implementations§

Source§

impl<M: AnyFrameMeta + Repr<MetaSlotSmall>> UniqueFrameOwner<Link<M>>

{
    &&& self.meta_perm_of(regions).value().metadata.prev is None
    &&& self.meta_perm_of(regions).value().metadata.next is None
    &&& self.meta_own.paddr == self.meta_perm_of(regions).addr()

}
Source§

impl<M: AnyFrameMeta + Repr<MetaSlotStorage> + OwnerOf> UniqueFrameOwner<M>

Source

pub open spec fn meta_perm_of( self, regions: MetaRegionOwners, ) -> PointsTo<MetaSlot, Metadata<M>>

{
    PointsTo::new_spec(
        regions.slots[self.slot_index],
        regions.slot_owners[self.slot_index].inner_perms,
    )
}

The typed permission for this frame, reconstructed from the region: the outer pointer-perm regions.slots[slot_index] paired with the inner perms regions.slot_owners[slot_index].inner_perms. Borrow-model analog of the owned meta_perm field; meaningful where slots.contains_key.

Source

pub open spec fn perm_inv(self, perm: PointsTo<MetaSlot>) -> bool

{
    &&& perm.is_init()
    &&& perm.addr() == meta_addr(self.slot_index)

}
Source

pub open spec fn global_inv(self, regions: MetaRegionOwners) -> bool

{
    let perm = self.meta_perm_of(regions);
    &&& regions.slots.contains_key(self.slot_index)
    &&& regions.slot_owners.contains_key(self.slot_index)
    &&& perm.is_init()
    &&& perm.wf(&perm.inner_perms)
    &&& perm.addr() == meta_addr(self.slot_index)
    &&& perm.addr() == perm.points_to.addr()
    &&& perm.value().metadata.wf(self.meta_own)
    &&& regions.slot_owners[self.slot_index].self_addr == meta_addr(self.slot_index)
    &&& regions.slot_owners[self.slot_index].inner_perms.ref_count.value()
        == REF_COUNT_UNIQUE
    &&& regions.frame_obligations.count(self.slot_index) > 0

}

Borrow-model global invariant: the frame’s permission is parked in regions.slots[slot_index] (NOT owned by the frame), and the reconstructed meta_perm_of is well-formed and decodes to metadata matching meta_own. A UniqueFrame is the sole live reference to its slot, so the slot sits at REF_COUNT_UNIQUE — the unique-frame analog of the segment’s 0 < ref_count <= REF_COUNT_MAX regime in [SegmentOwner::relate_regions]. Being live, it also owes a pending-Drop obligation in frame_obligations (minted at from_unused/from_raw, consumed by drop/into_raw).

Source

pub proof fn from_raw_owner(owner: M::Owner, index: Ghost<usize>) -> Self

Source

pub open spec fn from_unused_owner( old_regions: MetaRegionOwners, paddr: Paddr, metadata: M, res: Self, regions: MetaRegionOwners, ) -> bool

{
    &&& <M as OwnerOf>::wf(metadata, res.meta_own)
    &&& res.slot_index == frame_to_index(paddr)
    &&& res.meta_perm_of(regions).addr() == frame_to_meta(paddr)
    &&& res.meta_perm_of(regions).value().metadata == metadata
    &&& regions.slots == old_regions.slots
    &&& regions.slot_owners[frame_to_index(paddr)].inner_perms
        == old_regions.slot_owners[frame_to_index(paddr)].inner_perms
    &&& regions.slot_owners[frame_to_index(paddr)].usage
        == old_regions.slot_owners[frame_to_index(paddr)].usage
    &&& regions.slot_owners[frame_to_index(paddr)].paths_in_pt
        == old_regions.slot_owners[frame_to_index(paddr)].paths_in_pt
    &&& forall |i: usize| {
        i != frame_to_index(paddr)
            ==> regions.slot_owners[i] == old_regions.slot_owners[i]
    }
    &&& regions.frame_obligations == old_regions.frame_obligations
    &&& regions.inv()

}
Source

pub proof fn tracked_from_unused_owner(tracked regions: &mut MetaRegionOwners, paddr: Paddr, ) -> tracked res : Self

ensures
Self::from_unused_owner(
    *old(regions),
    paddr,
    res.meta_perm_of(*final(regions)).value().metadata,
    res,
    *final(regions),
),

Trait Implementations§

Source§

impl<M: AnyFrameMeta + Repr<MetaSlotStorage> + OwnerOf> Inv for UniqueFrameOwner<M>

Source§

open spec fn inv(self) -> bool

{
    &&& self.slot_index < MAX_NR_PAGES
    &&& self.slot_index < max_meta_slots()

}
Source§

impl<M: AnyFrameMeta + Repr<MetaSlotStorage> + OwnerOf> InvView for UniqueFrameOwner<M>

Source§

proof fn view_preserves_inv(self)

Source§

impl<M: AnyFrameMeta + Repr<MetaSlotStorage> + OwnerOf> View for UniqueFrameOwner<M>

Source§

open spec fn view(&self) -> Self::V

{
    UniqueFrameModel {
        meta: self.meta_own@,
    }
}
Source§

type V = UniqueFrameModel<M>

Auto Trait Implementations§

§

impl<M> Freeze for UniqueFrameOwner<M>
where <M as OwnerOf>::Owner: Freeze,

§

impl<M> RefUnwindSafe for UniqueFrameOwner<M>
where <M as OwnerOf>::Owner: RefUnwindSafe,

§

impl<M> Send for UniqueFrameOwner<M>
where <M as OwnerOf>::Owner: Send,

§

impl<M> Sync for UniqueFrameOwner<M>
where <M as OwnerOf>::Owner: Sync,

§

impl<M> Unpin for UniqueFrameOwner<M>
where <M as OwnerOf>::Owner: Unpin,

§

impl<M> UnsafeUnpin for UniqueFrameOwner<M>
where <M as OwnerOf>::Owner: UnsafeUnpin,

§

impl<M> UnwindSafe for UniqueFrameOwner<M>
where <M as OwnerOf>::Owner: UnwindSafe,

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

§

impl<T, VERUS_SPEC__A> FromSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: From<T>,

§

fn obeys_from_spec() -> bool

§

fn from_spec(v: T) -> VERUS_SPEC__A

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

§

impl<T, VERUS_SPEC__A> IntoSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: Into<T>,

§

fn obeys_into_spec() -> bool

§

fn into_spec(self) -> T

§

impl<T, U> IntoSpecImpl<U> for T
where U: From<T>,

§

fn obeys_into_spec() -> bool

§

fn into_spec(self) -> U

Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
§

impl<T, VERUS_SPEC__A> TryFromSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: TryFrom<T>,

§

fn obeys_try_from_spec() -> bool

§

fn try_from_spec( v: T, ) -> Result<VERUS_SPEC__A, <VERUS_SPEC__A as TryFrom<T>>::Error>

Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
§

impl<T, VERUS_SPEC__A> TryIntoSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: TryInto<T>,

§

fn obeys_try_into_spec() -> bool

§

fn try_into_spec(self) -> Result<T, <VERUS_SPEC__A as TryInto<T>>::Error>

§

impl<T, U> TryIntoSpecImpl<U> for T
where U: TryFrom<T>,

§

fn obeys_try_into_spec() -> bool

§

fn try_into_spec(self) -> Result<U, <U as TryFrom<T>>::Error>

§

impl<A> SpecEq<&A> for A
where A: ?Sized,

§

impl<A> SpecEq<&mut A> for A
where A: ?Sized,

§

impl<A> SpecEq<A> for A
where A: ?Sized,

§

impl<A> SpecEq<Ghost<A>> for A

§

impl<A> SpecEq<Tracked<A>> for A