From 5d8862fef937389b006fb0618bf2de2e64d88355 Mon Sep 17 00:00:00 2001 From: Evan Johnson Date: Wed, 24 Jul 2024 10:43:16 -0700 Subject: [PATCH] kernel compiles with a bunch of trusted and ignores --- kernel/src/debug.rs | 2 +- kernel/src/grant.rs | 3 +++ kernel/src/ipc.rs | 3 +++ kernel/src/kernel.rs | 14 ++++++++++++++ kernel/src/lib.rs | 16 ++++++++-------- kernel/src/platform/mod.rs | 4 ++-- kernel/src/processbuffer.rs | 17 +++++++++++++++-- 7 files changed, 46 insertions(+), 13 deletions(-) diff --git a/kernel/src/debug.rs b/kernel/src/debug.rs index e15eeb0984c..60f47a4d1b3 100644 --- a/kernel/src/debug.rs +++ b/kernel/src/debug.rs @@ -602,7 +602,7 @@ pub fn debug_print(args: Arguments) { writer.publish_bytes(); } -#[flux::ignore] +#[flux::trusted] pub fn debug_println(args: Arguments) { let writer = unsafe { get_debug_writer() }; diff --git a/kernel/src/grant.rs b/kernel/src/grant.rs index 3c6a628e748..e89d9b7acd9 100644 --- a/kernel/src/grant.rs +++ b/kernel/src/grant.rs @@ -1761,6 +1761,7 @@ impl Iter { Iter { grant: self, @@ -1770,6 +1771,7 @@ impl, } +#[flux::ignore] impl<'a, T: Default, Upcalls: UpcallSize, AllowROs: AllowRoSize, AllowRWs: AllowRwSize> Iterator for Iter<'a, T, Upcalls, AllowROs, AllowRWs> { diff --git a/kernel/src/ipc.rs b/kernel/src/ipc.rs index b1ccf09b20e..76f18a7a6d1 100644 --- a/kernel/src/ipc.rs +++ b/kernel/src/ipc.rs @@ -42,6 +42,7 @@ pub enum IPCUpcallType { struct IPCData; /// The IPC mechanism struct. +#[flux::ignore] pub struct IPC { /// The grant regions for each process that holds the per-process IPC data. data: Grant< @@ -52,6 +53,7 @@ pub struct IPC { >, } +#[flux::ignore] impl IPC { pub fn new( kernel: &'static Kernel, @@ -102,6 +104,7 @@ impl IPC { } } +#[flux::ignore] impl SyscallDriver for IPC { /// command is how notify() is implemented. /// Notifying an IPC service is done by setting client_or_svc to 0, diff --git a/kernel/src/kernel.rs b/kernel/src/kernel.rs index 4da49f21fef..8bf175be155 100644 --- a/kernel/src/kernel.rs +++ b/kernel/src/kernel.rs @@ -71,6 +71,7 @@ enum AllocResult { /// Tries to allocate the grant region for specified driver and process. /// Returns if a new grant was allocated or not +#[flux::ignore] fn try_allocate_grant(driver: &dyn SyscallDriver, process: &dyn process::Process) -> AllocResult { let before_count = process.grant_allocated_count().unwrap_or(0); match driver.allocate_grant(process.processid()).is_ok() { @@ -99,6 +100,7 @@ impl Kernel { /// Helper function that moves all non-generic portions of process_map_or /// into a non-generic function to reduce code bloat from monomorphization. + #[flux::trusted] pub(crate) fn get_process(&self, processid: ProcessId) -> Option<&dyn process::Process> { // We use the index in the `processid` so we can do a direct lookup. // However, we are not guaranteed that the app still exists at that @@ -128,10 +130,12 @@ impl Kernel { /// different index in the processes array. Note that a match _will_ be /// found if the process still exists in the correct location in the array /// but is in any "stopped" state. + #[flux::trusted] pub(crate) fn process_map_or(&self, default: R, processid: ProcessId, closure: F) -> R where F: FnOnce(&dyn process::Process) -> R, { + // unimplemented!() match self.get_process(processid) { Some(process) => closure(process), None => default, @@ -152,6 +156,7 @@ impl Kernel { /// This is functionally the same as `process_map_or()`, but this method is /// available outside the kernel crate and requires a /// `ProcessManagementCapability` to use. + #[flux::trusted] pub fn process_map_or_external( &self, default: R, @@ -170,6 +175,7 @@ impl Kernel { /// Run a closure on every valid process. This will iterate the array of /// processes and call the closure on every process that exists. + #[flux::trusted] pub(crate) fn process_each(&self, mut closure: F) where F: FnMut(&dyn process::Process), @@ -185,6 +191,7 @@ impl Kernel { } /// Returns an iterator over all processes loaded by the kernel + #[flux::ignore] pub(crate) fn get_process_iter( &self, ) -> core::iter::FilterMap< @@ -205,6 +212,7 @@ impl Kernel { /// This is functionally the same as `process_each()`, but this method is /// available outside the kernel crate and requires a /// `ProcessManagementCapability` to use. + #[flux::trusted] pub fn process_each_capability( &'static self, _capability: &dyn capabilities::ProcessManagementCapability, @@ -225,6 +233,7 @@ impl Kernel { /// Run a closure on every process, but only continue if the closure returns `None`. That is, /// if the closure returns any non-`None` value, iteration stops and the value is returned from /// this function to the called. + #[flux::trusted] pub(crate) fn process_until(&self, closure: F) -> Option where F: Fn(&dyn process::Process) -> Option, @@ -249,6 +258,7 @@ impl Kernel { /// /// This is needed for `ProcessId` itself to implement the `.index()` command to /// verify that the referenced app is still at the correct index. + #[flux::trusted] pub(crate) fn processid_is_valid(&self, processid: &ProcessId) -> bool { self.processes.get(processid.index).map_or(false, |p| { p.map_or(false, |process| process.processid().id() == processid.id()) @@ -359,6 +369,7 @@ impl Kernel { /// This function has one configuration option: `no_sleep`. If that argument /// is set to true, the kernel will never attempt to put the chip to sleep, /// and this function can be called again immediately. + #[flux::ignore] pub fn kernel_loop_operation, C: Chip, const NUM_PROCS: u8>( &self, resources: &KR, @@ -426,6 +437,7 @@ impl Kernel { /// /// Most of the behavior of this loop is controlled by the `Scheduler` /// implementation in use. + #[flux::ignore] pub fn kernel_loop, C: Chip, const NUM_PROCS: u8>( &self, resources: &KR, @@ -472,6 +484,7 @@ impl Kernel { /// cooperatively). Notably, time spent in this function by the kernel, /// executing system calls or merely setting up the switch to/from /// userspace, is charged to the process. + #[flux::ignore] fn do_process, C: Chip, const NUM_PROCS: u8>( &self, resources: &KR, @@ -682,6 +695,7 @@ impl Kernel { /// driver system calls to peripheral driver capsules through the platforms /// `with_driver` method. #[inline] + #[flux::ignore] fn handle_syscall, C: Chip>( &self, resources: &KR, diff --git a/kernel/src/lib.rs b/kernel/src/lib.rs index fb375753ec5..7f1f1cd1670 100644 --- a/kernel/src/lib.rs +++ b/kernel/src/lib.rs @@ -111,32 +111,32 @@ pub mod debug; #[flux::ignore] pub mod deferred_call; pub mod errorcode; -#[flux::ignore] +#[flux::trusted] pub mod grant; #[flux::ignore] pub mod hil; #[flux::ignore] pub mod introspection; -#[flux::ignore] +#[flux::trusted] pub mod ipc; pub mod platform; -#[flux::ignore] +// #[flux::ignore] pub mod process; #[flux::ignore] pub mod process_checker; -#[flux::ignore] +// #[flux::ignore] pub mod processbuffer; #[flux::ignore] pub mod scheduler; pub mod storage_permissions; -#[flux::ignore] +// #[flux::ignore] pub mod syscall; -#[flux::ignore] +// #[flux::ignore] pub mod upcall; pub mod utilities; mod config; -#[flux::ignore] +// #[flux::ignore] mod kernel; mod memop; #[flux::ignore] @@ -149,7 +149,7 @@ mod process_policies; mod process_printer; #[flux::ignore] mod process_standard; -#[flux::ignore] +// #[flux::ignore] mod syscall_driver; // Core resources exposed as `kernel::Type`. diff --git a/kernel/src/platform/mod.rs b/kernel/src/platform/mod.rs index 2d68b2d864e..0674da758f0 100644 --- a/kernel/src/platform/mod.rs +++ b/kernel/src/platform/mod.rs @@ -5,14 +5,14 @@ //! Traits for implementing various layers and components in Tock. //! //! Implementations of these traits are used by the core kernel. -#[flux::ignore] +// #[flux::ignore] pub mod chip; pub mod mpu; #[flux::ignore] pub mod scheduler_timer; pub mod watchdog; -#[flux::ignore] +// #[flux::ignore] pub(crate) mod platform; pub use self::platform::ContextSwitchCallback; diff --git a/kernel/src/processbuffer.rs b/kernel/src/processbuffer.rs index 6ad9b00e303..810077b28f3 100644 --- a/kernel/src/processbuffer.rs +++ b/kernel/src/processbuffer.rs @@ -328,6 +328,7 @@ impl ReadableProcessBuffer for ReadOnlyProcessBuffer { /// /// This verifies the process is still valid before accessing the underlying /// memory. + #[flux::ignore] fn enter(&self, fun: F) -> Result where F: FnOnce(&ReadableProcessSlice) -> R, @@ -388,6 +389,7 @@ impl ReadOnlyProcessBufferRef<'_> { /// [`ReadOnlyProcessBuffer::new_external`]. The derived lifetime can /// help enforce the invariant that this incoming pointer may only /// be access for a certain duration. + #[flux::ignore] pub(crate) unsafe fn new(ptr: *const u8, len: usize, process_id: ProcessId) -> Self { Self { buf: ReadOnlyProcessBuffer::new(ptr, len, process_id), @@ -535,6 +537,7 @@ impl ReadableProcessBuffer for ReadWriteProcessBuffer { /// /// This verifies the process is still valid before accessing the underlying /// memory. + #[flux::ignore] fn enter(&self, fun: F) -> Result where F: FnOnce(&ReadableProcessSlice) -> R, @@ -568,6 +571,7 @@ impl ReadableProcessBuffer for ReadWriteProcessBuffer { } } +#[flux::ignore] impl WriteableProcessBuffer for ReadWriteProcessBuffer { fn mut_enter(&self, fun: F) -> Result where @@ -625,6 +629,7 @@ impl ReadWriteProcessBufferRef<'_> { /// [`ReadWriteProcessBuffer::new_external`]. The derived lifetime can /// help enforce the invariant that this incoming pointer may only /// be access for a certain duration. + #[flux::ignore] pub(crate) unsafe fn new(ptr: *mut u8, len: usize, process_id: ProcessId) -> Self { Self { buf: ReadWriteProcessBuffer::new(ptr, len, process_id), @@ -736,6 +741,7 @@ impl ReadableProcessSlice { /// # Panics /// /// This function will panic if `self.len() != dest.len()`. + #[flux::ignore] pub fn copy_to_slice(&self, dest: &mut [u8]) { // The panic code path was put into a cold function to not // bloat the call site. @@ -759,6 +765,7 @@ impl ReadableProcessSlice { /// /// The length of `self` must be the same as `dest`. Subslicing /// can be used to obtain a slice of matching length. + #[flux::ignore] pub fn copy_to_slice_or_err(&self, dest: &mut [u8]) -> Result<(), ErrorCode> { // Method implemetation adopted from the // core::slice::copy_from_slice method implementation: @@ -791,6 +798,7 @@ impl ReadableProcessSlice { } /// Iterate the slice in chunks. + #[flux::ignore] pub fn chunks( &self, chunk_size: usize, @@ -857,7 +865,7 @@ impl Index> for ReadableProcessSlice { &self[idx.start..self.len()] } } - +#[flux::ignore] impl Index for ReadableProcessSlice { // Indexing into a ReadableProcessSlice must yield a // ReadableProcessByte, to limit the API surface of the wrapped @@ -919,6 +927,7 @@ impl WriteableProcessSlice { /// # Panics /// /// This function will panic if `self.len() != dest.len()`. + #[flux::ignore] pub fn copy_to_slice(&self, dest: &mut [u8]) { // The panic code path was put into a cold function to not // bloat the call site. @@ -942,6 +951,7 @@ impl WriteableProcessSlice { /// /// The length of `self` must be the same as `dest`. Subslicing /// can be used to obtain a slice of matching length. + #[flux::ignore] pub fn copy_to_slice_or_err(&self, dest: &mut [u8]) -> Result<(), ErrorCode> { // Method implemetation adopted from the // core::slice::copy_from_slice method implementation: @@ -971,6 +981,7 @@ impl WriteableProcessSlice { /// # Panics /// /// This function will panic if `src.len() != self.len()`. + #[flux::ignore] pub fn copy_from_slice(&self, src: &[u8]) { // Method implemetation adopted from the // core::slice::copy_from_slice method implementation: @@ -997,6 +1008,7 @@ impl WriteableProcessSlice { /// /// The length of `src` must be the same as `self`. Subslicing can /// be used to obtain a slice of matching length. + #[flux::ignore] pub fn copy_from_slice_or_err(&self, src: &[u8]) -> Result<(), ErrorCode> { // Method implemetation adopted from the // core::slice::copy_from_slice method implementation: @@ -1028,6 +1040,7 @@ impl WriteableProcessSlice { } /// Iterate over the slice in chunks. + #[flux::ignore] pub fn chunks( &self, chunk_size: usize, @@ -1094,7 +1107,7 @@ impl Index> for WriteableProcessSlice { &self[idx.start..self.len()] } } - +#[flux::ignore] impl Index for WriteableProcessSlice { // Indexing into a WriteableProcessSlice yields a Cell, as // mutating the memory contents is allowed.