Skip to main content

RevocationState

lion_core::state

Struct RevocationState 

Source 
pub struct RevocationState { /* private fields */ }
Expand description

Revocation epoch tracking

Corresponds to Lean: structure RevocationState

INVARIANTS:

  • caps is sorted by CapId, no duplicate IDs
  • caps[i].0 == caps[i].1.id() for all entries (keys match cap IDs)
  • Parent IDs are always less than child IDs (ParentLt)
  • Valid capabilities have valid parents (ValidParentPresent)
  • children_index is consistent with parent relationships in caps (ChildrenIndexConsistent)
  • children_index is complete: every cap with a parent is in the index (ChildrenIndexComplete)

Implementations§

Source§

impl RevocationState

Source

pub fn empty() -> Self

Create empty revocation state

Corresponds to Lean: def RevocationState.empty : RevocationState

Source

pub fn is_valid(&self, cap_id: CapId) -> bool

Helper: Find insertion point for sorted insert using binary search

Check if capability exists and is valid

Corresponds to Lean: def RevocationState.is_valid

Source

pub fn get(&self, cap_id: CapId) -> Option<&Capability>

Get a capability by ID

Source

pub fn contains(&self, cap_id: CapId) -> bool

Check if the table contains a capability

Source

pub fn revoke(&self, cap_id: CapId) -> Self

Revoke capability by ID (single cap only)

Corresponds to Lean: def RevocationState.revoke

Returns the new state with the capability revoked. If the capability doesn’t exist, returns the state unchanged.

Source

pub fn revoke_mut(&mut self, cap_id: CapId) -> Result<(), KernelError>

Revoke capability by ID (mutating version)

§Errors

Returns KernelError::CapNotFound if the capability ID is not in the table.

Source

pub fn has_ancestor(&self, cap_id: CapId, ancestor_id: CapId) -> bool

Check if ancestorId is in the parent chain of capId

Corresponds to Lean: def RevocationState.has_ancestor

Uses a fuel parameter for termination (ParentLt guarantees termination with fuel = capId).

Source

pub fn in_revoke_set(&self, k: CapId, cap_id: CapId) -> bool

Check if cap_id is in the revoke set (id == cap_id OR has cap_id as ancestor)

Corresponds to Lean: def RevocationState.in_revoke_set

Source

pub fn revoke_transitive(&self, cap_id: CapId) -> Self

Revoke capability and all descendants transitively

Corresponds to Lean: def RevocationState.revoke_transitive

Sets valid=false on capId and any cap whose parent chain includes capId.

Source

pub fn revoke_transitive_mut(&mut self, cap_id: CapId)

Revoke capability and all descendants transitively (mutating version)

Source

pub fn insert(&self, cap: Capability) -> Result<Self, KernelError>

Insert a capability (returns error on collision)

Corresponds to Lean: def RevocationState.insert

SECURITY: This function MUST check for ID collision to maintain the uniqueness invariant and prevent capability forgery via replacement.

Also maintains children_index for O(log n) revocation.

§Errors

Returns KernelError::CapIdCollision if a capability with the same ID already exists.

Source

pub fn insert_mut(&mut self, cap: Capability) -> Result<(), KernelError>

Insert a capability (mutating version)

Also maintains children_index for O(log n) revocation.

§Errors

Returns KernelError::CapIdCollision if a capability with the same ID already exists.

Source

pub fn revoke_transitive_fast(&self, cap_id: CapId) -> Self

Add a child to the children_index (maintains sorted order)

Rebuilds the index using only Vec::new/push/len and array indexing. Semantically identical to the production version above. Revoke capability and all descendants transitively (O(k) optimized)

Corresponds to Lean: def RevocationState.revoke_transitive_fast

Uses children_index for O(k) traversal where k = number of descendants.

Source

pub fn revoke_transitive_fast_mut( &mut self, cap_id: CapId, ) -> Result<(), KernelError>

Revoke capability and all descendants transitively (O(k) optimized, mutating)

§Errors

Returns KernelError::CapNotFound if the capability does not exist.

Source

pub fn epoch(&self) -> u64

Get the current revocation epoch

Source

pub fn cap_count(&self) -> usize

Get the number of capabilities

Source

pub fn valid_caps(&self) -> Vec<(CapId, Capability)>

Get all valid capabilities

Source

pub fn cap_ids(&self) -> Vec<CapId>

Get all capability IDs

Source

pub fn iter(&self) -> Iter<'_, (CapId, Capability)>

Iterate over all capabilities

Returns a slice iterator over (CapId, Capability) pairs. This provides compatibility with code that uses .iter() on the caps.

Source

pub fn any_valid_targeting(&self, target: ResourceId) -> bool

Check if any valid capability targets the given resource

SECURITY: This check is CRITICAL for apply_free. If any valid capability targets an address, freeing that address would create a USE-AFTER-FREE vulnerability (dangling capability).

Corresponds to Lean: Memory safety guard in apply_free

Trait Implementations§

Source§

impl Clone for RevocationState

Source§

fn clone(&self) -> RevocationState

Returns a duplicate of the value. Read more
1.0.0 (const: unstable) · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
Source§

impl Debug for RevocationState

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl Default for RevocationState

Source§

fn default() -> Self

Returns the “default value” for a type. Read more

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> Same for T

Source§

type Output = T

Should always be Self
Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.