prove: cursor_mut_at at mm::frame::linked_list#454

Open
Marsman1996 wants to merge 1 commit into
asterinas:mainfrom
Marsman1996:prove-cursor_mut_at
Conversation

@Marsman1996
Collaborator

1. Strength assessment: stronger.
2. Intent preservation assessment: changed.
3. Redundancy assessment: none.
4. Score: 6/10.

Rationale: the added requires at ostd/src/mm/frame/linked_list.rs:430 correctly strengthens the contract enough to justify regions.slots.tracked_borrow(...) and the in_list atomic load. The clauses are not redundant; both correspond directly to proof obligations.

The downside is semantic: cursor_mut_at is documented as getting a cursor for a frame if it is in the list, but list-owned frames normally have slot permissions in LinkedListOwner::perms, not necessarily regions.slots. Requiring regions.slots.contains_key(frame_to_index(frame)) narrows the function away from that intended use case. Removing #[verifier::external_body] is a positive proof-quality change, but the strengthened precondition changes the original contract shape.


Copilot AI left a comment

Pull request overview

This PR attempts to prove LinkedList::cursor_mut_at by removing its external verification body and adding the proof obligations needed to borrow frame metadata and load in_list.

Changes:

  • Adds regions.slots/in_list permission requirements to cursor_mut_at.
  • Moves tracked owner/permission handling inside the successful get_slot branch.
  • Uses a borrowed slot permission for metadata access instead of indexing regions.slots directly.

-> cursor_owner: Tracked<Option<CursorOwner<M>>>,
requires
old(regions).inv(),
has_safe_slot(frame) ==> old(regions).slots.contains_key(frame_to_index(frame)),
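Review bot: the new precondition `has_safe_slot(frame) ==> old(regions).slots.contains_key(frame_to_index(frame))` changes the documented contract of cursor_mut_at, which the conversation above notes is meant to work for any frame in the list, including list-owned frames whose slot permissions live in LinkedListOwner::perms rather than regions.slots. Either update the function's doc comment to state that callers must hold the frame's slot in regions.slots, or add a short comment next to the requires explaining why the regions.slots permission suffices for the tracked_borrow and the in_list load so that the narrowing is an explicit, reviewed decision rather than an implicit one.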