Struct ImageCap 

pub struct ImageCap {
    pub code: Vec<u8>,
    pub endpoints: Vec<(Key, EndpointDef)>,
    pub mappings: Vec<MemoryMapping>,
    pub pinned: Vec<ImageSlotEntry>,
    pub initial: Vec<ImageSlotEntry>,
    pub yield_receiver_slot: Option<Key>,
    pub gas_slots: Vec<Key>,
    pub quota_slots: Vec<Key>,
}

Validation model: structure is eager, semantics are lazy

An ImageCap is admitted from untrusted input under a two-layer discipline:

  • Structure — validated eagerly (here / in image_cap, the “deblob”). The metadata that frames execution: code length (≤ MAX_CODE_SIZE), memory-mapping bounds, slot indices, source-path depth, endpoint indices. A malformed structural field has no clean execution point to fault on — it would diverge between engines or panic the host — so it is rejected at construction. This is cheap (O(#endpoints + #mappings + #slots), it never scans the code) and therefore compatible with lazy compilation.

  • Semantics — validated lazily (at execution, by both engines identically). The instruction stream itself: illegal/forbidden encodings, and jal/branch/jalr/entry_pc targets. These are not rejected at admission — any code bytes are accepted. A forbidden encoding decodes as illegal and an off-bb_start target is refused only when reached, as ε = panic. Lazy (not eager deblob) because, without an instruction bitmask, a linear validator can’t tell code from data — eager rejection would reject legitimate code-as-data; lazy also keeps admission version-independent (a future ISA extension forks only at execution, never the cap set at admission) and preserves lazy compilation. The consensus requirement is that the two engines agree on what panics, not that the bytes are pre-screened. The producer toolchain still rejects forbidden encodings at build time as a diagnostic — that is UX, not a consensus rule.
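The eager structural pass described above, as an added illustration that is not the crate's own code: Cap, Mapping and Endpoint are simplified stand-ins for ImageCap and its field types, and MAX_CODE_SIZE, PAGE, GUEST_SPACE and the cnode_slots bound are constructed values. The check touches only the framing metadata and never decodes the code bytes, so an illegal encoding or an off-bb_start entry_pc passes admission and is left to fault at execution, exactly as the two-layer discipline requires.

```rust
// Added illustration (not the crate's code) of the "structure is eager,
// semantics are lazy" admission split. Cap/Mapping/Endpoint are hypothetical
// stand-ins for ImageCap and friends; the constants are constructed values.
const MAX_CODE_SIZE: usize = 64 * 1024;
const PAGE: u32 = 4096;
const GUEST_SPACE: u64 = 1 << 32;

pub struct Mapping { pub start: u32, pub len: u32 }
pub struct Endpoint { pub entry_pc: u32 }
pub struct Cap {
    pub code: Vec<u8>,
    /// Dict-style association list: must arrive sorted by key, no duplicates.
    pub endpoints: Vec<(u32, Endpoint)>,
    pub mappings: Vec<Mapping>,
    /// Slot indices of the pinned read-only entries.
    pub pinned: Vec<u32>,
}

#[derive(Debug, PartialEq)]
pub enum Reject { CodeTooLarge, BadMapping(usize), EndpointsUnsorted(usize), SlotOutOfRange(usize) }

/// Eager structural check, O(#endpoints + #mappings + #slots). It never reads
/// the code bytes: illegal encodings and entry_pc targets are left to
/// execution, where both engines fault identically.
pub fn admit(cap: &Cap, cnode_slots: u32) -> Result<(), Reject> {
    if cap.code.len() > MAX_CODE_SIZE {
        return Err(Reject::CodeTooLarge);
    }
    for (i, m) in cap.mappings.iter().enumerate() {
        // Page-aligned, non-empty, and not wrapping past the guest address
        // space; widen to u64 so start + len cannot overflow the check itself.
        let end = m.start as u64 + m.len as u64;
        if m.start % PAGE != 0 || m.len == 0 || m.len % PAGE != 0 || end > GUEST_SPACE {
            return Err(Reject::BadMapping(i));
        }
    }
    for i in 1..cap.endpoints.len() {
        // Strictly increasing keys: sorted and duplicate-free in one pass.
        if cap.endpoints[i - 1].0 >= cap.endpoints[i].0 {
            return Err(Reject::EndpointsUnsorted(i));
        }
    }
    for (i, slot) in cap.pinned.iter().enumerate() {
        if *slot >= cnode_slots {
            return Err(Reject::SlotOutOfRange(i));
        }
    }
    Ok(()) // entry_pc == 0 and arbitrary code bytes are all admitted here
}
```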

Fields

code: Vec<u8>

The (single) code region: raw RV+C+custom-0 bytes, page-aligned so the kernel can direct-map it RO at the fixed protocol constant crate::layout::CODE_BASE. Empty for codeless images. See ImageCap::code_mapping.

endpoints: Vec<(Key, EndpointDef)>

Endpoint definitions, keyed by a Key selector. A sparse, sorted association list (Dict-style — kept sorted by key, no fixed capacity); an absent key is an undefined endpoint. There is no dense array and no entry_pc == 0 sentinel, so an endpoint may legitimately start at code offset 0. (Vec<(Key, _)> rather than BTreeMap because the rkyv wire form has no Ord on the archived key.)

mappings: Vec<MemoryMapping>

Memory mappings.

pinned: Vec<ImageSlotEntry>

Pinned read-only slots (Cap::Data / Cap::Image). Images only ever reference content-addressed caps, so the target is a plain CapHash.

initial: Vec<ImageSlotEntry>

Initial mutable slot state for non-pinned slots.

yield_receiver_slot: Option<Key>

Slot holding Cap::Instance[YieldReceiver] (the catch-set), if any.

gas_slots: Vec<Key>

Cnode slots holding the Cap::Instance[Gas{meter_key}] unit handles, consulted in order. See crate::image::Image::gas_slots.

quota_slots: Vec<Key>

Cnode slots holding the Cap::Instance[Quota{quota_key}] unit handles.

Implementations

impl ImageCap

pub fn code_mapping(&self) -> Option<(u32, &[u8])>

The executable code region as (code_base, bytes). code_base is the fixed protocol constant crate::layout::CODE_BASE, so a PVM PC is code_base + byte_offset. None if the image declares no code (empty region) — such an image cannot execute.

pub fn mapping_is_pinned(&self, start: u32) -> bool

True iff the memory mapping starting at guest VA start draws from a pinned (read-only) slot, so it must be laid read-only — a guest store to it faults. Mirrors the recompiler’s pinned-vs-initial slot classification (nub-arch-x86 build_runtime). Derived from Self::pinned at lay time, so a mapping carries no per-mapping permission field; the interpreter drivers (javm build_entry, nub-arch-local) call this so they classify identically to the recompiler.

Trait Implementations

impl Archive for ImageCap
where Vec<u8>: Archive, Vec<(Key, EndpointDef)>: Archive, Vec<MemoryMapping>: Archive, Vec<ImageSlotEntry>: Archive, Option<Key>: Archive, Vec<Key>: Archive,

const COPY_OPTIMIZATION: CopyOptimization<Self>

An optimization flag that allows the bytes of this type to be copied directly to a writer instead of calling serialize.

type Archived = ArchivedImageCap

The archived representation of this type.

type Resolver = ImageCapResolver

The resolver for this type. It must contain all the additional information from serializing needed to make the archived type from the normal type.

fn resolve(&self, resolver: Self::Resolver, out: Place<Self::Archived>)

Creates the archived version of this value at the given position and writes it to the given output.

impl Clone for ImageCap

fn clone(&self) -> Self

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for ImageCap

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl<__D: Fallible + ?Sized> Deserialize<ImageCap, __D> for Archived<ImageCap>
where Vec<u8>: Archive, <Vec<u8> as Archive>::Archived: Deserialize<Vec<u8>, __D>, Vec<(Key, EndpointDef)>: Archive, <Vec<(Key, EndpointDef)> as Archive>::Archived: Deserialize<Vec<(Key, EndpointDef)>, __D>, Vec<MemoryMapping>: Archive, <Vec<MemoryMapping> as Archive>::Archived: Deserialize<Vec<MemoryMapping>, __D>, Vec<ImageSlotEntry>: Archive, <Vec<ImageSlotEntry> as Archive>::Archived: Deserialize<Vec<ImageSlotEntry>, __D>, Option<Key>: Archive, <Option<Key> as Archive>::Archived: Deserialize<Option<Key>, __D>, Vec<Key>: Archive, <Vec<Key> as Archive>::Archived: Deserialize<Vec<Key>, __D>,

fn deserialize(&self, deserializer: &mut __D) -> Result<ImageCap, <__D as Fallible>::Error>

Deserializes using the given deserializer.

impl HashTreeRoot for ImageCap

fn hash_tree_root<__D: Digest<OutputSize = U32>>(&self) -> [u8; 32]

Compute the hash tree root using D as the underlying hash.

impl<__S: Fallible + ?Sized> Serialize<__S> for ImageCap
where Vec<u8>: Serialize<__S>, Vec<(Key, EndpointDef)>: Serialize<__S>, Vec<MemoryMapping>: Serialize<__S>, Vec<ImageSlotEntry>: Serialize<__S>, Option<Key>: Serialize<__S>, Vec<Key>: Serialize<__S>,

fn serialize(&self, serializer: &mut __S) -> Result<<Self as Archive>::Resolver, <__S as Fallible>::Error>

Writes the dependencies for the object and returns a resolver that can create the archived type.

Auto Trait Implementations

Blanket Implementations

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self.

impl<T> ArchivePointee for T

type ArchivedMetadata = ()

The archived version of the pointer metadata for this type.

fn pointer_metadata(_: &<T as ArchivePointee>::ArchivedMetadata) -> <T as Pointee>::Metadata

Converts some archived metadata to the pointer metadata for itself.

impl<T> ArchiveUnsized for T
where T: Archive,

type Archived = <T as Archive>::Archived

The archived counterpart of this type. Unlike Archive, it may be unsized.

fn archived_metadata(&self) -> <<T as ArchiveUnsized>::Archived as ArchivePointee>::ArchivedMetadata

Creates the archived version of the metadata for this value.

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value.

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value.

impl<T> CloneToUninit for T
where T: Clone,

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬 This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest.

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> LayoutRaw for T

fn layout_raw(_: <T as Pointee>::Metadata) -> Result<Layout, LayoutError>

Returns the layout of the type.

impl<T, N1, N2> Niching<NichedOption<T, N1>> for N2
where T: SharedNiching<N1, N2>, N1: Niching<T>, N2: Niching<T>,

unsafe fn is_niched(niched: *const NichedOption<T, N1>) -> bool

Returns whether the given value has been niched.

fn resolve_niched(out: Place<NichedOption<T, N1>>)

Writes data to out indicating that a T is niched.

impl<T> Pointee for T

type Metadata = ()

The metadata type for pointers and references to this type.

impl<T> Same for T

type Output = T

Should always be Self.

impl<T, S> SerializeUnsized<S> for T
where T: Serialize<S>, S: Fallible + Writer + ?Sized,

fn serialize_unsized(&self, serializer: &mut S) -> Result<usize, <S as Fallible>::Error>

Writes the object and returns the position of the archived type.

impl<T> ToOwned for T
where T: Clone,

type Owned = T

The resulting type after obtaining ownership.

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning.

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning.

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.