MemView

ostd::specs::mm::virt_mem_newer

Struct MemView 

Source 
pub struct MemView {
    pub mappings: Set<Mapping>,
    pub memory: Map<Paddr, FrameContents>,
}

Fields§

§mappings: Set<Mapping>§memory: Map<Paddr, FrameContents>

Implementations§

Source§

impl MemView

Source

pub open spec fn addr_transl(self, va: usize) -> Option<(usize, usize)>

{
    let mappings = self
        .mappings
        .filter(|m: Mapping| m.va_range.start <= va < m.va_range.end);
    if 0 < mappings.len() {
        let m = mappings.choose();
        let off = va - m.va_range.start;
        Some((m.pa_range.start, off as usize))
    } else {
        None
    }
}
Source

pub open spec fn read(self, va: usize) -> MemContents<u8>

{
    let (pa, off) = self.addr_transl(va).unwrap();
    self.memory[pa].contents[off as int]
}
Source

pub open spec fn write(self, va: usize, x: u8) -> Self

{
    let (pa, off) = self.addr_transl(va).unwrap();
    MemView {
        memory: self
            .memory
            .insert(
                pa,
                FrameContents {
                    contents: self
                        .memory[pa]
                        .contents
                        .update(off as int, raw_ptr::MemContents::Init(x)),
                    size: self.memory[pa].size,
                    range: self.memory[pa].range,
                },
            ),
        ..self
    }
}
Source

pub open spec fn eq_at(self, va1: usize, va2: usize) -> bool

{
    let (pa1, off1) = self.addr_transl(va1).unwrap();
    let (pa2, off2) = self.addr_transl(va2).unwrap();
    self.memory[pa1].contents[off1 as int] == self.memory[pa2].contents[off2 as int]
}
Source

pub open spec fn is_mapped(self, va: usize, pa: usize) -> bool

{ self.addr_transl(va) is Some && self.addr_transl(va).unwrap().0 == pa }
Source

pub open spec fn borrow_at_spec(&self, vaddr: usize, len: usize) -> MemView

{
    let range_end = vaddr + len;
    let valid_pas = Set::new(|pa: usize| {
        exists |va: usize| vaddr <= va < range_end && #[trigger] self.is_mapped(va, pa)
    });
    MemView {
        mappings: self
            .mappings
            .filter(|m: Mapping| m.va_range.start < range_end && m.va_range.end > vaddr),
        memory: self.memory.restrict(valid_pas),
    }
}
Source

pub open spec fn mappings_are_disjoint(self) -> bool

{
    forall |m1: Mapping, m2: Mapping| {
        self.mappings.contains(m1) && self.mappings.contains(m2) && m1 != m2
            ==> {
                m1.va_range.end <= m2.va_range.start
                    || m2.va_range.end <= m1.va_range.start
            }
    }
}
Source

pub open spec fn split_spec(self, vaddr: usize, len: usize) -> (MemView, MemView)

{
    let split_end = vaddr + len;
    let left_mappings = self
        .mappings
        .filter(|m: Mapping| m.va_range.start < split_end && m.va_range.end > vaddr);
    let right_mappings = self.mappings.filter(|m: Mapping| m.va_range.end > split_end);
    let left_pas = Set::new(|pa: usize| {
        exists |va: usize| vaddr <= va < split_end && self.is_mapped(va, pa)
    });
    let right_pas = Set::new(|pa: usize| {
        exists |va: usize| va >= split_end && self.is_mapped(va, pa)
    });
    (
        MemView {
            mappings: left_mappings,
            memory: self.memory.restrict(left_pas),
        },
        MemView {
            mappings: right_mappings,
            memory: self.memory.restrict(right_pas),
        },
    )
}
Source

pub proof fn borrow_at(tracked &self, vaddr: usize, len: usize) -> tracked r : &MemView

ensures
r == self.borrow_at_spec(vaddr, len),

Borrows a memory view for a sub-range.

Source

pub proof fn split(tracked self, vaddr: usize, len: usize) -> tracked r : (Self, Self)

ensures
r == self.split_spec(vaddr, len),

Splits the memory view into two disjoint views.

Returns the split memory views where the first is for [vaddr, vaddr + len) and the second is for the rest.

Source

pub proof fn lemma_split_preserves_transl( original: MemView, vaddr: usize, len: usize, left: MemView, right: MemView, )

requires
original.split_spec(vaddr, len) == (left, right),
ensures
right.memory.dom().subset_of(original.memory.dom()),
forall |va: usize| {
    vaddr <= va < vaddr + len
        ==> { #[trigger] original.addr_transl(va) == left.addr_transl(va) }
},
forall |va: usize| {
    va >= vaddr + len
        ==> { #[trigger] original.addr_transl(va) == right.addr_transl(va) }
},

This proves that if split is performed and we have (lhs, rhs) = self.split(vaddr, len), then we have all translations preserved in lhs and rhs.

Source

pub open spec fn join_spec(self, other: MemView) -> MemView

{
    MemView {
        mappings: self.mappings.union(other.mappings),
        memory: self.memory.union_prefer_right(other.memory),
    }
}
Source

pub proof fn join(tracked &mut self, tracked other: Self)

requires
old(self).mappings.disjoint(other.mappings),
ensures
*self == old(self).join_spec(other),

Merges two disjoint memory views back into one.

Source

pub proof fn lemma_split_join_identity( this: MemView, lhs: MemView, rhs: MemView, vaddr: usize, len: usize, )

requires
this.split_spec(vaddr, len) == (lhs, rhs),
ensures
this == lhs.join_spec(rhs),

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

§

impl<T, VERUS_SPEC__A> FromSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: From<T>,

§

fn obeys_from_spec() -> bool

§

fn from_spec(v: T) -> VERUS_SPEC__A

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

§

impl<T, VERUS_SPEC__A> IntoSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: Into<T>,

§

fn obeys_into_spec() -> bool

§

fn into_spec(self) -> T

§

impl<T, U> IntoSpecImpl<U> for T
where U: From<T>,

§

fn obeys_into_spec() -> bool

§

fn into_spec(self) -> U

Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
§

impl<T, VERUS_SPEC__A> TryFromSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: TryFrom<T>,

§

fn obeys_try_from_spec() -> bool

§

fn try_from_spec( v: T, ) -> Result<VERUS_SPEC__A, <VERUS_SPEC__A as TryFrom<T>>::Error>

Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
§

impl<T, VERUS_SPEC__A> TryIntoSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: TryInto<T>,

§

fn obeys_try_into_spec() -> bool

§

fn try_into_spec(self) -> Result<T, <VERUS_SPEC__A as TryInto<T>>::Error>

§

impl<T, U> TryIntoSpecImpl<U> for T
where U: TryFrom<T>,

§

fn obeys_try_into_spec() -> bool

§

fn try_into_spec(self) -> Result<U, <U as TryFrom<T>>::Error>