pub proof fn lemma_idx_times_pow2_bound<C: PageTableConfig>(start: Vaddr, end: Vaddr)Expand description
requires
start as int
== (C::TOP_LEVEL_INDEX_RANGE_spec().start as int)
* (pow2(pte_index_bit_offset_spec::<C::C>(C::NR_LEVELS()) as nat) as int),end as int
== ((C::TOP_LEVEL_INDEX_RANGE_spec().end as int)
* (pow2(pte_index_bit_offset_spec::<C::C>(C::NR_LEVELS()) as nat) as int) - 1)
% 0x1_0000_0000_0000_0000int,(start as int) < (pow2(C::ADDRESS_WIDTH() as nat) as int),(end as int) < (pow2(C::ADDRESS_WIDTH() as nat) as int),end as int
== (C::TOP_LEVEL_INDEX_RANGE_spec().end as int)
* (pow2(pte_index_bit_offset_spec::<C::C>(C::NR_LEVELS()) as nat) as int) - 1,Two-in-one: start = idx.start * 2^off < 2^ADDRESS_WIDTH and
end = (idx.end * 2^off - 1) % 2^64 < 2^ADDRESS_WIDTH.
The first follows from idx.start < 2^(ADDRESS_WIDTH - off). The
second from idx.end <= 2^(ADDRESS_WIDTH - off) plus the no-wrap
condition: idx.end * 2^off <= 2^ADDRESS_WIDTH ≤ 2^64, so the % 2^64
is a no-op when the value is positive.