From ed37589b34ab0e7bb24ca6ec0a672571f732b013 Mon Sep 17 00:00:00 2001 From: Evan Johnson Date: Wed, 31 Jul 2024 14:33:15 -0700 Subject: [PATCH] many less trusted/ignored --- kernel/src/deferred_call.rs | 3 +++ kernel/src/grant.rs | 18 ++++++++++++++++++ kernel/src/ipc.rs | 13 ++++--------- kernel/src/lib.rs | 3 --- kernel/src/process_printer.rs | 2 +- kernel/src/utilities/binary_write.rs | 1 + 6 files changed, 27 insertions(+), 13 deletions(-) diff --git a/kernel/src/deferred_call.rs b/kernel/src/deferred_call.rs index e7fa023154c..6d7e05871fd 100644 --- a/kernel/src/deferred_call.rs +++ b/kernel/src/deferred_call.rs @@ -95,6 +95,7 @@ impl<'a> DynDefCallRef<'a> { // are identical, making this zero-cost, but saving us from having to trust // that `fn(*const ())` and `fn handle_deferred_call(&self)` will always have the same calling // convention for any type. + #[flux::trusted] fn new(x: &'a T) -> Self { Self { data: x as *const _ as *const (), @@ -106,6 +107,7 @@ impl<'a> DynDefCallRef<'a> { impl DynDefCallRef<'_> { // more efficient pass by `self` if we don't have to implement `DeferredCallClient` directly + #[flux::trusted] fn handle_deferred_call(self) { (self.callback)(self.data) } @@ -139,6 +141,7 @@ pub struct DeferredCall { idx: usize, } +#[flux::trusted] impl DeferredCall { /// Creates a new deferred call with a unique ID. pub fn new() -> Self { diff --git a/kernel/src/grant.rs b/kernel/src/grant.rs index 8e630da8b58..94bac50d1f1 100644 --- a/kernel/src/grant.rs +++ b/kernel/src/grant.rs @@ -272,6 +272,7 @@ impl<'a> EnteredGrantKernelManagedLayout<'a> { /// `EnteredGrantKernelManagedLayout` for the given `base_ptr` at the same /// time, otherwise multiple mutable references to the same upcall/allow /// slices could be created. + #[flux::trusted] unsafe fn read_from_base( base_ptr: NonNull, process: &'a dyn Process, @@ -309,6 +310,7 @@ impl<'a> EnteredGrantKernelManagedLayout<'a> { /// not be any other `EnteredGrantKernelManagedLayout` for /// the given `base_ptr` at the same time, otherwise multiple mutable /// references to the same upcall/allow slices could be created. + #[flux::trusted] unsafe fn initialize_from_counts( base_ptr: NonNull, upcalls_num_val: UpcallItems, @@ -347,6 +349,7 @@ impl<'a> EnteredGrantKernelManagedLayout<'a> { /// Returns the entire grant size including the kernel owned memory, /// padding, and data for T. Requires that grant_t_align be a power of 2, /// which is guaranteed from align_of rust calls. + #[flux::trusted] fn grant_size( upcalls_num: UpcallItems, allow_ro_num: AllowRoItems, @@ -394,6 +397,7 @@ impl<'a> EnteredGrantKernelManagedLayout<'a> { // grant region. Caller must verify that memory is accessible and well // aligned to T. let grant_t_size_usize: usize = grant_t_size.0; + assume(grant_size > grant_t_size_usize); NonNull::new_unchecked(base_ptr.as_ptr().add(grant_size - grant_t_size_usize)) } @@ -571,6 +575,7 @@ pub struct GrantKernelData<'a> { impl<'a> GrantKernelData<'a> { /// Create a `GrantKernelData` object to provide a handle for capsules to /// call Upcalls. + #[flux::trusted] fn new( upcalls: &'a [SavedUpcall], allow_ro: &'a [SavedAllowRo], @@ -634,6 +639,7 @@ impl<'a> GrantKernelData<'a> { /// be returned. This returns a process::Error to allow for easy chaining of /// this function with the ReadOnlyProcessBuffer::enter function with /// `and_then`. + #[flux::trusted] pub fn get_readonly_processbuffer( &self, allow_ro_num: usize, @@ -673,6 +679,7 @@ impl<'a> GrantKernelData<'a> { /// be return. This returns a process::Error to allow for easy chaining of /// this function with the `ReadWriteProcessBuffer::enter()` function with /// `and_then`. + #[flux::trusted] pub fn get_readwrite_processbuffer( &self, allow_rw_num: usize, @@ -1199,6 +1206,7 @@ impl<'a, T: Default, Upcalls: UpcallSize, AllowROs: AllowRoSize, AllowRWs: Allow /// Note, a grant can only be entered once at a time. Attempting to call /// `.enter()` on a grant while it is already entered will result in a /// panic!()`. See the comment in `access_grant()` for more information. + #[flux::trusted] pub fn enter(self, fun: F) -> R where F: FnOnce(&mut GrantData, &GrantKernelData) -> R, @@ -1264,6 +1272,7 @@ impl<'a, T: Default, Upcalls: UpcallSize, AllowROs: AllowRoSize, AllowRWs: Allow /// /// Returns `None` if the grant is already entered. Otherwise returns /// `Some(fun())`. + #[flux::trusted] pub fn try_enter(self, fun: F) -> Option where F: FnOnce(&mut GrantData, &GrantKernelData) -> R, @@ -1282,6 +1291,7 @@ impl<'a, T: Default, Upcalls: UpcallSize, AllowROs: AllowRoSize, AllowRWs: Allow /// Note, a grant can only be entered once at a time. Attempting to call /// `.enter()` on a grant while it is already entered will result in a /// panic!()`. See the comment in `access_grant()` for more information. + #[flux::trusted] pub fn enter_with_allocator(self, fun: F) -> R where F: FnOnce(&mut GrantData, &GrantKernelData, &mut GrantRegionAllocator) -> R, @@ -1300,6 +1310,7 @@ impl<'a, T: Default, Upcalls: UpcallSize, AllowROs: AllowRoSize, AllowRWs: Allow /// If `panic_on_reenter` is `true`, this will panic if the grant region is /// already currently entered. If `panic_on_reenter` is `false`, this will /// return `None` if the grant region is entered and do nothing. + #[flux::trusted] fn access_grant(self, fun: F, panic_on_reenter: bool) -> Option where F: FnOnce(&mut GrantData, &GrantKernelData) -> R, @@ -1316,6 +1327,7 @@ impl<'a, T: Default, Upcalls: UpcallSize, AllowROs: AllowRoSize, AllowRWs: Allow /// If `panic_on_reenter` is `true`, this will panic if the grant region is /// already currently entered. If `panic_on_reenter` is `false`, this will /// return `None` if the grant region is entered and do nothing. + #[flux::trusted] fn access_grant_with_allocator(self, fun: F, panic_on_reenter: bool) -> Option where F: FnOnce(&mut GrantData, &GrantKernelData, &mut GrantRegionAllocator) -> R, @@ -1498,6 +1510,7 @@ impl CustomGrant { /// Because this function requires `&mut self`, it should be impossible to /// access the inner data of a given `CustomGrant` reentrantly. Thus the /// reentrance detection we use for non-custom grants is not needed here. + #[flux::trusted] pub fn enter(&mut self, fun: F) -> Result where F: FnOnce(GrantData<'_, T>) -> R, @@ -1550,6 +1563,7 @@ impl GrantRegionAllocator { /// # Panic Safety /// /// If `init` panics, the freshly allocated memory may leak. + #[flux::trusted] pub fn alloc_with(&mut self, init: F) -> Result, Error> where F: FnOnce() -> T, @@ -1579,6 +1593,7 @@ impl GrantRegionAllocator { /// /// If `val_func` panics, the freshly allocated memory and any values /// already written will be leaked. + #[flux::trusted] pub fn alloc_n_with( &mut self, mut init: F, @@ -1698,6 +1713,7 @@ impl(&self, processid: ProcessId, fun: F) -> Result where F: FnOnce(&mut GrantData, &GrantKernelData) -> R, @@ -1719,6 +1735,7 @@ impl(&self, processid: ProcessId, fun: F) -> Result where F: FnOnce(&mut GrantData, &GrantKernelData, &mut GrantRegionAllocator) -> R, @@ -1744,6 +1761,7 @@ impl(&self, mut fun: F) where F: FnMut(ProcessId, &mut GrantData, &GrantKernelData), diff --git a/kernel/src/ipc.rs b/kernel/src/ipc.rs index 2296948f12a..2968abe02a5 100644 --- a/kernel/src/ipc.rs +++ b/kernel/src/ipc.rs @@ -42,18 +42,11 @@ pub enum IPCUpcallType { struct IPCData; /// The IPC mechanism struct. -#[flux::ignore] pub struct IPC { /// The grant regions for each process that holds the per-process IPC data. - data: Grant< - IPCData, - UpcallCount, - AllowRoCount<{ ro_allow::COUNT }>, - AllowRwCount, - >, + data: Grant, AllowRoCount<1>, AllowRwCount>, } -#[flux::ignore] impl IPC { pub fn new( kernel: &'static Kernel, @@ -67,6 +60,7 @@ impl IPC { /// Schedule an IPC upcall for a process. This is called by the main /// scheduler loop if an IPC task was queued for the process. + #[flux::trusted] pub(crate) unsafe fn schedule_upcall( &self, schedule_on: ProcessId, @@ -104,7 +98,7 @@ impl IPC { } } -#[flux::ignore] +// #[flux::ignore] impl SyscallDriver for IPC { /// command is how notify() is implemented. /// Notifying an IPC service is done by setting client_or_svc to 0, @@ -127,6 +121,7 @@ impl SyscallDriver for IPC { /// - `3`: Notify a client with descriptor `target_id`, typically in response to a previous /// notify from the client. Returns an error if `target_id` refers to an invalid client /// or the notify fails to enqueue. + #[flux::trusted] fn command( &self, command_number: usize, diff --git a/kernel/src/lib.rs b/kernel/src/lib.rs index 00a9ceb2828..a48abb25d52 100644 --- a/kernel/src/lib.rs +++ b/kernel/src/lib.rs @@ -108,14 +108,11 @@ pub mod capabilities; pub mod collections; pub mod component; pub mod debug; -#[flux::trusted] pub mod deferred_call; pub mod errorcode; -#[flux::trusted] pub mod grant; pub mod hil; pub mod introspection; -#[flux::trusted] pub mod ipc; pub mod platform; pub mod process; diff --git a/kernel/src/process_printer.rs b/kernel/src/process_printer.rs index 1eca5fdf96b..39c5edda9ed 100644 --- a/kernel/src/process_printer.rs +++ b/kernel/src/process_printer.rs @@ -98,7 +98,7 @@ impl ProcessPrinter for ProcessPrinterText { // being duplicated. However, it does not make sense that the kernel // would want to run the process while it is displaying debugging // information about it, so this should be a safe assumption. - #[flux::trusted] + #[flux::trusted] // VTOCK-note: times out fn print_overview( &self, process: &dyn Process, diff --git a/kernel/src/utilities/binary_write.rs b/kernel/src/utilities/binary_write.rs index 365d4c62224..e52e54f9f30 100644 --- a/kernel/src/utilities/binary_write.rs +++ b/kernel/src/utilities/binary_write.rs @@ -109,6 +109,7 @@ impl<'a> core::fmt::Write for WriteToBinaryOffsetWrapper<'a> { 0 } else { // We want to start in the middle. + // assume(self.offset > self.index); self.offset - self.index };