//! PVM2 guest virtual-address-space layout (ABI constants).
//!
//! These constants define where a transpiler-emitted Image's code and
//! data regions map in the guest's 32-bit address space. They are part
//! of the PVM2 ABI contract: the transpiler (`javm-transpiler`) bakes
//! `PC = CODE_BASE + byte_offset` into endpoint entry PCs and native
//! `auipc`/`jalr` resolution and lays data caps out from [`DATA_BASE`]
//! upward, and every runtime (`nub-arch-x86`, `nub-arch-local`, `javm`)
//! maps `Image.code` read-only at [`CODE_BASE`] and data at
//! [`DATA_BASE`]. Producer and consumers must agree on these values
//! exactly: if a runtime mapped code anywhere else, every baked PC
//! would point at the wrong bytes.
//!
//! The constants live here in `javm-cap` because it is the only crate
//! every producer (transpiler) and consumer (each runtime) depends on.
//! Code placement is a fixed protocol constant rather than an
//! Image-supplied mapping entry: an untrusted Image must not get to
//! choose where its code lands (for instance inside the null guard, or
//! overlapping the data region).
//!
//! ```text
//!   [0,         CODE_BASE)  unmapped — NULL guard (catch PC=0 / null deref)
//!   [CODE_BASE, DATA_BASE)  CODE     — RO, ≤ MAX_CODE_SIZE bytes
//!   [DATA_BASE, 4 GiB)      DATA     — stack / ro / rw / heap, RO|RW
//! ```
//!
//! Code low (4 MiB) gives the null guard; data high (256 MiB) keeps the
//! whole data region contiguous above code instead of wrapping around
//! it. Both `[0, CODE_BASE)` and `[CODE_BASE + code_len, DATA_BASE)` are
//! left unmapped, so a stray fetch or load there faults instead of
//! silently reading code or data. That guarantee only holds if a runtime
//! maps nothing below `CODE_BASE` and no more than the Image's code
//! (page rounding aside) at `CODE_BASE` — confirm at each runtime.
27
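/// Guest virtual address where the (single) code region maps read-only.
///
/// A PVM PC is `CODE_BASE + byte_offset`. Placed at 4 MiB so that
/// `[0, CODE_BASE)` stays unmapped and acts as the null guard: a jump to
/// PC 0 or a null-pointer dereference faults instead of landing in code.
pub const CODE_BASE: u32 = 4 << 20; // 0x0040_0000

/// Guest virtual address where the data region begins.
///
/// All data caps (stack / ro / rw / heap) and instance overlays live in
/// `[DATA_BASE, 4 GiB)`. At 256 MiB it sits well above the largest
/// permitted code region, so code and data can never overlap.
///
/// NOTE(review): the region's exclusive end (2^32) is not representable
/// as a `u32`, so consumers that compute a cap's bound as `base + len`
/// in `u32` can wrap for caps reaching the top of the space — use a
/// wider type or checked arithmetic there; confirm at the call sites.
pub const DATA_BASE: u32 = 256 << 20; // 0x1000_0000

/// Maximum byte length of the code region.
///
/// Code occupies `[CODE_BASE, CODE_BASE + code_len)` and must end at or
/// below `DATA_BASE`, so `code_len ≤ DATA_BASE − CODE_BASE` = 252 MiB.
/// Every consumer must reject an Image whose `code.len()` exceeds this
/// *before* mapping it; an over-long code region would otherwise spill
/// into the data region. Since `CODE_BASE + MAX_CODE_SIZE == DATA_BASE`
/// fits in a `u32`, `CODE_BASE + byte_offset` cannot wrap for any
/// in-bounds offset.
pub const MAX_CODE_SIZE: u32 = DATA_BASE - CODE_BASE;

// Compile-time layout invariants. These constants are the ABI shared by
// every producer and consumer, so a careless edit here would silently
// remove the null guard or let code overlap data; fail the build instead.
const _: () = {
    // A non-empty unmapped range below code is what makes PC=0 and null
    // dereferences fault.
    assert!(CODE_BASE > 0, "null guard requires CODE_BASE > 0");
    // Code must lie strictly below data. This also guarantees that
    // MAX_CODE_SIZE > 0 and that `DATA_BASE - CODE_BASE` cannot underflow.
    assert!(CODE_BASE < DATA_BASE, "code region must sit below data region");
    // Runtimes map these regions, so both bases need page alignment.
    // 4 KiB is the smallest common host page size — NOTE(review): raise
    // this if any supported host requires a larger page.
    assert!(
        CODE_BASE % 4096 == 0 && DATA_BASE % 4096 == 0,
        "region bases must be page-aligned"
    );
    // MAX_CODE_SIZE is defined so that a maximal code region ends exactly
    // at DATA_BASE, with no u32 wrap-around.
    assert!(
        CODE_BASE as u64 + MAX_CODE_SIZE as u64 == DATA_BASE as u64,
        "code region must end exactly at DATA_BASE"
    );
};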