Expand description
Tools and reasoning principles for raw pointers. The tools here are meant to address “real Rust pointers, including all their subtleties on the Rust Abstract Machine, to the largest extent that is reasonable.”
For a gentler introduction to some of the concepts here, see PPtr, which uses a much-simplified pointer model.
§Pointer model
A pointer consists of an address (ptr.addr() or ptr as usize), a provenance ptr@.provenance,
and metadata ptr@.metadata (which is trivial except for pointers to non-sized types).
Note that in spec code, pointer equality requires all 3 to be equal, whereas runtime equality (eq)
only compares addresses and metadata.
*mut T vs. *const T do not have any semantic difference and Verus treats them as the same;
they can be seamlessly cast to and fro.
Structs§
- Dealloc
- Permission to perform a deallocation with the global allocator.
- Dealloc
Data - Data associated with a
Deallocpermission. - Fake
Metadata - IsExposed
- Tracked object that indicates a given provenance has been exposed.
- Points
To - Permission to access possibly-initialized, typed memory.
- Points
ToData - Data associated with a
PointsTopermission. We keep track of both the pointer and the (potentially uninitialized) value it points to. - Points
ToRaw - Variable-sized uninitialized memory.
- Provenance
- Provenance
- Shared
Reference - This is meant to be a replacement for
&'a Tthat allows Verus to keep track of not just theTvalue but the pointer as well. It would be better to get rid of this and use normal reference types&'a T, but there are a lot of unsolved implementation questions. The existence ofSharedReference<'a, T>is a stop-gap.
Enums§
- MemContents
- Represents (typed) contents of memory.
Functions§
- allocate
- Allocate with the global allocator.
The precondition should be consistent with the documented safety conditions on
alloc. Returns a pointer with a correspondingPointsToRawandDeallocpermissions. - cast_
array_ ptr_ to_ slice_ ptr - Cast a pointer to an array of length
Nto a slice pointer. Address and provenance are preserved; metadata has lengthN. - cast_
ptr_ to_ thin_ ptr - Cast a pointer to a thin pointer. Address and provenance are preserved; metadata is now thin.
- cast_
ptr_ to_ usize - Cast the address of a pointer to a
usize. - cast_
slice_ ptr_ to_ slice_ ptr - Cast a slice pointer to another slice pointer. Length is preserved even if the size of the elements changes.
- cast_
slice_ ptr_ to_ str_ ptr - Cast a slice pointer to a
strpointer. Length is preserved even if the size of the elements changes. - cast_
str_ ptr_ to_ slice_ ptr - Cast a
strpointer to a slice pointer. Length is preserved even if the size of the elements changes. - deallocate
- Deallocate with the global allocator.
- expose_
provenance - Perform a provenance expose operation.
- group_
raw_ ptr_ axioms - ptr_
mut_ read - Calls
core::ptr::readto read from the memory pointed to byptr, using the permissionperm. - ptr_
mut_ ref - Equivalent to
&mut *X, passing in a permissionpermto ensure safety. The memory pointed to byptrmust be initialized. - ptr_
mut_ write - Calls
core::ptr::writeto write the valuevto the memory location pointed to byptr, using the permissionperm. - ptr_ref
- Equivalent to
&*ptr, passing in a permissionpermto ensure safety. The memory pointed to byptrmust be initialized. - ptr_
ref2 - Like
ptr_refbut returns aSharedReferenceso it keeps track of the relationship between the pointers. Note the resulting reference’s pointers does NOT have the same provenance. This is because in Rust models like Stacked Borrows / Tree Borrows, the pointer gets a new tag. - with_
exposed_ provenance - Construct a pointer with the given provenance from a usize address. The provenance must have previously been exposed.