@@ -72,7 +72,12 @@ mod transition {
7272 // accesses, since the data is not being mutated. Hence the `{ .. }`
7373 res @ Reserved { .. } if !protected => res,
7474 Reserved { .. } => Frozen , // protected reserved
75- Active => Frozen ,
75+ Active =>
76+ if protected {
77+ Disabled
78+ } else {
79+ Frozen
80+ } ,
7681 non_writeable @ ( Frozen | Disabled ) => non_writeable,
7782 } )
7883 }
@@ -189,34 +194,9 @@ impl PermTransition {
189194 Permission { inner : self . from }
190195 }
191196
192- /// Determines whether a transition that occured is compatible with the presence
193- /// of a Protector. This is not included in the `transition` functions because
194- /// it would distract from the few places where the transition is modified
195- /// because of a protector, but not forbidden.
196- ///
197- /// Note: this is not in charge of checking that there *is* a protector,
198- /// it should be used as
199- /// ```
200- /// let no_protector_error = if is_protected(tag) {
201- /// transition.is_allowed_by_protector()
202- /// };
203- /// ```
204- pub fn is_allowed_by_protector ( & self ) -> bool {
205- assert ! ( self . is_possible( ) ) ;
206- match ( self . from , self . to ) {
207- _ if self . from == self . to => true ,
208- // It is always a protector violation to not be readable anymore
209- ( _, Disabled ) => false ,
210- // In the case of a `Reserved` under a protector, both transitions
211- // `Reserved => Active` and `Reserved => Frozen` can legitimately occur.
212- // The first is standard (Child Write), the second is for Foreign Writes
213- // on protected Reserved where we must ensure that the pointer is not
214- // written to in the future.
215- ( Reserved { .. } , Active ) | ( Reserved { .. } , Frozen ) => true ,
216- // This pointer should have stayed writeable for the whole function
217- ( Active , Frozen ) => false ,
218- _ => unreachable ! ( "Transition {} should never be possible" , self ) ,
219- }
197+ /// Determines if this transition would disable the permission.
198+ pub fn produces_disabled ( self ) -> bool {
199+ self . to == Disabled
220200 }
221201}
222202
@@ -298,14 +278,15 @@ pub mod diagnostics {
298278///
299279/// This function assumes that its arguments apply to the same location
300280/// and that they were obtained during a normal execution. It will panic otherwise.
301- /// - `err` cannot be a `ProtectedTransition(_)` of a noop transition, as those
302- /// never trigger protectors;
303281/// - all transitions involved in `self` and `err` should be increasing
304282/// (Reserved < Active < Frozen < Disabled);
305283/// - between `self` and `err` the permission should also be increasing,
306284/// so all permissions inside `err` should be greater than `self.1`;
307285/// - `Active` and `Reserved` cannot cause an error due to insufficient permissions,
308286/// so `err` cannot be a `ChildAccessForbidden(_)` of either of them;
287+ /// - `err` should not be `ProtectedDisabled(Disabled)`, because the protected
288+ /// tag should not have been `Disabled` in the first place (if this occurs it means
289+ /// we have unprotected tags that become protected)
309290pub ( in super :: super ) fn is_relevant ( & self , err : TransitionError ) -> bool {
310291 // NOTE: `super::super` is the visibility of `TransitionError`
311292 assert ! ( self . is_possible( ) ) ;
@@ -342,45 +323,39 @@ pub mod diagnostics {
342323 unreachable ! ( "permissions between self and err must be increasing" ) ,
343324 }
344325 }
345- TransitionError :: ProtectedTransition ( forbidden) => {
346- assert ! ( !forbidden. is_noop( ) ) ;
326+ TransitionError :: ProtectedDisabled ( before_disabled) => {
347327 // Show how we got to the starting point of the forbidden transition,
348328 // but ignore what came before.
349329 // This eliminates transitions like `Reserved -> Active`
350330 // when the error is a `Frozen -> Disabled`.
351- match ( self . to , forbidden . from , forbidden . to ) {
331+ match ( self . to , before_disabled . inner ) {
352332 // We absolutely want to know where it was activated.
353- ( Active , Active , Frozen | Disabled ) => true ,
333+ ( Active , Active ) => true ,
354334 // And knowing where it became Frozen is also important.
355- ( Frozen , Frozen , Disabled ) => true ,
335+ ( Frozen , Frozen ) => true ,
356336 // If the error is a transition `Frozen -> Disabled`, then we don't really
357337 // care whether before that was `Reserved -> Active -> Frozen` or
358338 // `Reserved -> Frozen` or even `Frozen` directly.
359339 // The error will only show either
360340 // - created as Frozen, then Frozen -> Disabled is forbidden
361341 // - created as Reserved, later became Frozen, then Frozen -> Disabled is forbidden
362342 // In both cases the `Reserved -> Active` part is inexistant or irrelevant.
363- ( Active , Frozen , Disabled ) => false ,
343+ ( Active , Frozen ) => false ,
364344
365- // `Reserved -> Frozen` does not trigger protectors.
366- ( _, Reserved { .. } , Frozen ) =>
367- unreachable ! ( "this transition cannot cause an error" ) ,
345+ ( _, Disabled ) =>
346+ unreachable ! (
347+ "permission that results in Disabled should not itself be Disabled in the first place"
348+ ) ,
368349 // No transition has `Reserved` as its `.to` unless it's a noop.
369- ( Reserved { .. } , _, _) => unreachable ! ( "self is a noop transition" ) ,
370- ( _, Disabled , Disabled ) | ( _, Frozen , Frozen ) | ( _, Active , Active ) =>
371- unreachable ! ( "err contains a noop transition" ) ,
350+ ( Reserved { .. } , _) => unreachable ! ( "self is a noop transition" ) ,
372351
373352 // Permissions only evolve in the order `Reserved -> Active -> Frozen -> Disabled`,
374353 // so permissions found must be increasing in the order
375354 // `self.from < self.to <= forbidden.from < forbidden.to`.
376- ( Disabled , Reserved { .. } | Active | Frozen , _ )
377- | ( Frozen , Reserved { .. } | Active , _ )
378- | ( Active , Reserved { .. } , _ ) =>
355+ ( Disabled , Reserved { .. } | Active | Frozen )
356+ | ( Frozen , Reserved { .. } | Active )
357+ | ( Active , Reserved { .. } ) =>
379358 unreachable ! ( "permissions between self and err must be increasing" ) ,
380- ( _, Disabled , Reserved { .. } | Active | Frozen )
381- | ( _, Frozen , Reserved { .. } | Active )
382- | ( _, Active , Reserved { .. } ) =>
383- unreachable ! ( "permissions within err must be increasing" ) ,
384359 }
385360 }
386361 // We don't care because protectors evolve independently from
@@ -406,7 +381,7 @@ mod propagation_optimization_checks {
406381 pub use super :: * ;
407382 impl PermissionPriv {
408383 /// Enumerate all states
409- pub fn all ( ) -> impl Iterator < Item = PermissionPriv > {
384+ pub fn all ( ) -> impl Iterator < Item = Self > {
410385 vec ! [
411386 Active ,
412387 Reserved { ty_is_freeze: true } ,
@@ -418,17 +393,23 @@ mod propagation_optimization_checks {
418393 }
419394 }
420395
396+ impl Permission {
397+ pub fn all ( ) -> impl Iterator < Item = Self > {
398+ PermissionPriv :: all ( ) . map ( |inner| Self { inner } )
399+ }
400+ }
401+
421402 impl AccessKind {
422403 /// Enumerate all AccessKind.
423- pub fn all ( ) -> impl Iterator < Item = AccessKind > {
404+ pub fn all ( ) -> impl Iterator < Item = Self > {
424405 use AccessKind :: * ;
425406 [ Read , Write ] . into_iter ( )
426407 }
427408 }
428409
429410 impl AccessRelatedness {
430411 /// Enumerate all relative positions
431- pub fn all ( ) -> impl Iterator < Item = AccessRelatedness > {
412+ pub fn all ( ) -> impl Iterator < Item = Self > {
432413 use AccessRelatedness :: * ;
433414 [ This , StrictChildAccess , AncestorAccess , DistantAccess ] . into_iter ( )
434415 }
0 commit comments