Update `libtock_unittest` to disallow non-swapping Allow behavior.
jrvanwhy opened this issue
When Tock 2.0 was released, capsules had the ability to refuse to return Allow buffers as well as the ability to return buffers other than the most recently provided buffer. This was reflected in TRD 104, as well as the design of the `fake::Driver` trait:
```rust
// Excerpt: the Allow methods of libtock_unittest's fake::Driver trait.
pub trait Driver {
    fn allow_readonly(&self, buffer_num: u32, buffer: RoAllowBuffer)
        -> Result<RoAllowBuffer, (RoAllowBuffer, ErrorCode)>;
    fn allow_readwrite(&self, buffer_num: u32, buffer: RwAllowBuffer)
        -> Result<RwAllowBuffer, (RwAllowBuffer, ErrorCode)>;
}
```
However, that is changing in upstream Tock: tock/tock#2906. Now, `libtock_platform` can rely on the Allow system call to always return the last successfully-Allowed buffer. The Allow APIs I am designing for libtock-rs (e.g. #348) rely on this.
As a result, `libtock_platform` and `libtock_unittest` are currently unsound when combined: `libtock_unittest` allows a safe `fake::Driver` implementation to handle buffers in a way that `libtock_platform` assumes is impossible. To resolve this, we need to update `libtock_unittest` to match the new behavior of the Tock kernel (and the new TRD 104 wording).
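As an added illustration (not code from libtock-rs or from the issue author), the following is a hypothetical model of the check `libtock_unittest` would need: a kernel-side wrapper that records the last successfully Allowed buffer for each buffer number and refuses to let a fake driver hand back anything else. Every name here (`CheckedKernel`, `FakeDriver`, `SwappingDriver`, `HoardingDriver`, the `id` field used to give buffers an identity) is an assumption for the example; `ErrorCode` is reduced to one variant and the driver methods take `&mut self` so the fakes need no interior mutability.

```rust
use std::collections::HashMap;

/// Stand-in for libtock_unittest's RoAllowBuffer (hypothetical). The `id`
/// identifies a buffer; id 0 is the empty buffer returned when nothing was Allowed.
#[derive(Debug, PartialEq, Eq)]
pub struct RoAllowBuffer {
    pub id: u32,
    pub data: Vec<u8>,
}

impl RoAllowBuffer {
    pub fn empty() -> Self {
        RoAllowBuffer { id: 0, data: Vec::new() }
    }
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum ErrorCode { Invalid }

/// The readonly half of the fake::Driver signature quoted in the issue
/// (`&mut self` here so the fakes need no interior mutability).
pub trait FakeDriver {
    fn allow_readonly(&mut self, buffer_num: u32, buffer: RoAllowBuffer)
        -> Result<RoAllowBuffer, (RoAllowBuffer, ErrorCode)>;
}

/// Hypothetical kernel-side wrapper: remembers which buffer was last
/// successfully Allowed per buffer number and panics, as a test harness
/// would, if the fake driver hands back anything else.
pub struct CheckedKernel<D: FakeDriver> {
    driver: D,
    last_allowed: HashMap<u32, u32>, // buffer_num -> id of last accepted buffer
}

impl<D: FakeDriver> CheckedKernel<D> {
    pub fn new(driver: D) -> Self {
        CheckedKernel { driver, last_allowed: HashMap::new() }
    }

    pub fn allow_readonly(&mut self, buffer_num: u32, buffer: RoAllowBuffer)
        -> Result<RoAllowBuffer, (RoAllowBuffer, ErrorCode)> {
        let new_id = buffer.id;
        let expected = self.last_allowed.get(&buffer_num).copied().unwrap_or(0);
        match self.driver.allow_readonly(buffer_num, buffer) {
            Ok(returned) => {
                // Success must swap: the caller gets back exactly the buffer
                // Allowed last for this number (or the empty buffer).
                assert_eq!(returned.id, expected,
                    "driver returned buffer {} for buffer_num {}, expected {}",
                    returned.id, buffer_num, expected);
                self.last_allowed.insert(buffer_num, new_id);
                Ok(returned)
            }
            Err((returned, code)) => {
                // Failure must hand the caller's own buffer straight back and
                // leave the previously Allowed buffer untouched.
                assert_eq!(returned.id, new_id, "driver failed but kept the caller's buffer");
                Err((returned, code))
            }
        }
    }
}

/// Well-behaved fake: one buffer per number, the previous one swapped out.
#[derive(Default)]
pub struct SwappingDriver { held: HashMap<u32, RoAllowBuffer> }

impl FakeDriver for SwappingDriver {
    fn allow_readonly(&mut self, buffer_num: u32, buffer: RoAllowBuffer)
        -> Result<RoAllowBuffer, (RoAllowBuffer, ErrorCode)> {
        if buffer_num > 1 {
            return Err((buffer, ErrorCode::Invalid)); // unsupported number: refuse
        }
        Ok(self.held.insert(buffer_num, buffer).unwrap_or_else(RoAllowBuffer::empty))
    }
}

/// Fake with the pre-tock/tock#2906 freedom: keeps every buffer it is given
/// and never swaps one back, which libtock_platform now assumes cannot happen.
#[derive(Default)]
pub struct HoardingDriver { held: Vec<RoAllowBuffer> }

impl FakeDriver for HoardingDriver {
    fn allow_readonly(&mut self, _buffer_num: u32, buffer: RoAllowBuffer)
        -> Result<RoAllowBuffer, (RoAllowBuffer, ErrorCode)> {
        self.held.push(buffer);
        Ok(RoAllowBuffer::empty())
    }
}

/// Allows two buffers to number 0 in turn; returns what the second Allow
/// hands back, or panics if the driver breaks the swap invariant.
pub fn allow_twice<D: FakeDriver>(driver: D) -> RoAllowBuffer {
    let mut kernel = CheckedKernel::new(driver);
    let first = kernel.allow_readonly(0, RoAllowBuffer { id: 1, data: b"one".to_vec() });
    assert_eq!(first.expect("first Allow succeeds"), RoAllowBuffer::empty());
    kernel.allow_readonly(0, RoAllowBuffer { id: 2, data: b"two".to_vec() })
        .expect("second Allow succeeds")
}
```

Note that the hoarding driver passes the first Allow (there was nothing to swap back yet) and is only caught on the second one, which is why the checker has to track state per buffer number rather than inspect a single call.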