Skip to main content

HostFunction

lion_core::step

Enum HostFunction 

Source 
pub enum HostFunction {
    CapCall,
    CapSend,
    KernelAlloc,
    MemFree,
    CapRevoke,
    Declassify,
    ThreadCreate,
    ThreadConfigure,
    ThreadResume,
    ThreadSuspend,
    ThreadDestroy,
}
Expand description

All host functions that cross the trust boundary (EROS-style 6 operations)

Corresponds to Lean: inductive HostFunctionId

EROS consolidation (13 -> 6):

  • CapInvoke -> CapCall (synchronous capability invocation)
  • CapDelegate, CapAccept -> User-space protocol over CapSend
  • IpcSend -> CapSend (async message send)
  • IpcReceive -> Removed (mailbox read via CapCall)
  • MemAlloc, ResourceCreate, ResourceAccess -> KernelAlloc
  • MemFree -> MemFree (keep separate for safety)
  • CapRevoke -> CapRevoke (kernel operation)
  • WorkflowStart, WorkflowStep -> Removed (user-space library)
  • Declassify -> Declassify (IFC operation)

Variants§

§

CapCall

Synchronous capability invocation (replaces cap_invoke)

Corresponds to Lean: | cap_call

§

CapSend

Async message send (replaces ipc_send; delegation is user-space protocol)

Corresponds to Lean: | cap_send

§

KernelAlloc

Kernel resource allocation (replaces mem_alloc, resource_create)

Corresponds to Lean: | kernel_alloc

§

MemFree

Memory deallocation (keep separate for safety)

Corresponds to Lean: | mem_free

§

CapRevoke

Capability revocation

Corresponds to Lean: | cap_revoke

§

Declassify

Controlled information declassification (IFC operation)

Corresponds to Lean: | declassify

§

ThreadCreate

Create new thread (requires ThreadControl capability)

Corresponds to Lean: | thread_create

§

ThreadConfigure

Configure thread bindings (requires ThreadControl capability)

Corresponds to Lean: | thread_configure

§

ThreadResume

Resume suspended thread (requires ThreadControl capability)

Corresponds to Lean: | thread_resume

§

ThreadSuspend

Suspend running thread (requires ThreadControl capability)

Corresponds to Lean: | thread_suspend

§

ThreadDestroy

Terminate thread (requires ThreadControl capability)

Corresponds to Lean: | thread_destroy

Implementations§

Source§

impl HostFunction

Source

pub const CAP_INVOKE: HostFunction = HostFunction::CapCall

👎Deprecated:

Use HostFunction::CapCall instead (EROS consolidation)

Legacy alias: CapInvoke -> CapCall

Source

pub const IPC_SEND: HostFunction = HostFunction::CapSend

👎Deprecated:

Use HostFunction::CapSend instead (EROS consolidation)

Legacy alias: IpcSend -> CapSend

Source

pub const MEM_ALLOC: HostFunction = HostFunction::KernelAlloc

👎Deprecated:

Use HostFunction::KernelAlloc instead (EROS consolidation)

Legacy alias: MemAlloc -> KernelAlloc

Source§

impl HostFunction

Source

pub fn is_effectful(&self) -> bool

Check if this host function is effectful

All host functions cross the trust boundary, so all are effectful.

Corresponds to Lean: def is_effectful_host_call

Source

pub fn is_declassify(&self) -> bool

Check if this is a declassify operation

Corresponds to Lean: def is_declassify

Source

pub fn is_cap_operation(&self) -> bool

Check if this is a capability operation (may modify kernel.revocation)

Corresponds to Lean: def is_cap_operation

Source

pub fn is_mem_operation(&self) -> bool

Check if this is a memory operation (modifies ghost state)

Corresponds to Lean: def is_mem_operation

Source

pub fn execute( &self, state: &State, hc: &HostCall, result: &HostResult, ) -> Result<State, StepError>

Execute the host function

Corresponds to Lean: def KernelExecHost

§Errors

Returns StepError::PluginNotFound if the caller plugin does not exist. Returns StepError::HostCallPreconditionFailed if function-specific preconditions are not met. Returns StepError::ActorNotFound if a destination actor does not exist (CapSend). Returns StepError::QuotaExceeded if the allocation would exceed the plugin’s memory quota (KernelAlloc). Returns StepError::AddressAlreadyFreed if the address is already freed (MemFree). Returns StepError::CapabilityTargetsAddress if a valid capability targets the address (MemFree). Returns StepError::CapabilityNotFound if the capability does not exist (CapRevoke).

Source

pub fn execute_mut( &self, state: &mut State, hc: &HostCall, result: &HostResult, ) -> Result<(), StepError>

Execute the host function (mutating version).

Same validation as execute but modifies &mut State in place.

Source

pub fn is_thread_operation(&self) -> bool

Check if this is a thread operation (requires ThreadControl capability)

Corresponds to Lean: thread_create/configure/resume/suspend/destroy

Trait Implementations§

Source§

impl Clone for HostFunction

Source§

fn clone(&self) -> HostFunction

Returns a duplicate of the value. Read more
1.0.0 (const: unstable) · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
Source§

impl Debug for HostFunction

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl Hash for HostFunction

Source§

fn hash<__H: Hasher>(&self, state: &mut __H)

Feeds this value into the given Hasher. Read more
1.3.0 · Source§

fn hash_slice<H>(data: &[Self], state: &mut H)
where H: Hasher, Self: Sized,

Feeds a slice of this type into the given Hasher. Read more
Source§

impl PartialEq for HostFunction

Source§

fn eq(&self, other: &HostFunction) -> bool

Tests for self and other values to be equal, and is used by ==.
1.0.0 (const: unstable) · Source§

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.
Source§

impl Copy for HostFunction

Source§

impl Eq for HostFunction

Source§

impl StructuralPartialEq for HostFunction

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> Same for T

Source§

type Output = T

Should always be Self
Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.