Conversation
josephlr
left a comment
There was a problem hiding this comment.
I did a quick look, while nothing seems wrong, there are two things I want to take a closer look at:
- How the Physical Address stuff interacts with the memory encryption bit. If the C-bit isn't bit 52 (it's usually bit 47), could a valid physical address underflow into an invalid physical address?
- how the
kani::proofstuff works.
No because |
We'll have very similar harnesses for PhysAddr, so let's use a module to avoid name conflicts.
The Step implementation uses unsafe. The kani harnesses should give us some confidence that the unsafe code is correct.
These harnesses check that PhysFrame behaves like PhysAddr with the steps scaled by the page size.
|
rebased |
With the right |
Hmm, yeah, you're right. Maybe a better solution would be not to allow any bits above the C-bit/S-bit to be set.
Technically, adding this restriction would be a breaking change, however, any address that that didn't satisfy this restriction would be unusable in practice anyway, so we could also consider this a non-breaking fix instead of a breaking change. |
This PR adds
Stepimplementations forPhysAddrandPhysFrame. This PR also adds kani harnesses to prove the correctness of these new implementations and the unsafe code within them.Closes #212