tock / libtock-rs

Rust userland library for Tock


Update `libtock_unittest` to disallow non-swapping Allow behavior.

jrvanwhy opened this issue

When Tock 2.0 was released, capsules had the ability to refuse to return Allow buffers as well as the ability to return buffers other than the most recently provided buffer. This was reflected in TRD 104, as well as the design of the fake::Driver trait:

```rust
fn allow_readonly(&self, buffer_num: u32, buffer: RoAllowBuffer)
    -> Result<RoAllowBuffer, (RoAllowBuffer, ErrorCode)>;

fn allow_readwrite(&self, buffer_num: u32, buffer: RwAllowBuffer)
    -> Result<RwAllowBuffer, (RwAllowBuffer, ErrorCode)>;
```

However, that is changing in upstream Tock: tock/tock#2906. Now, libtock_platform can rely on the Allow system call to always return the last successfully-Allowed buffer. The Allow APIs I am designing for libtock-rs (e.g. #348) rely on this.

As a result, libtock_platform and libtock_unittest are currently unsound when combined: libtock_unittest allows a safe fake::Driver implementation to handle buffers in a way that libtock_platform assumes is impossible. To resolve this, we need to update libtock_unittest to match the new behavior of the Tock kernel (and the new TRD 104 wording).
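An added example (not libtock-rs code) modelling the post-tock/tock#2906 invariant in Rust: a fake driver whose `allow_readonly` always swaps, plus a kernel-side checker that rejects any driver whose returned buffer is not the last successfully allowed one for that slot. `RoAllowBuffer` and `ErrorCode` are simplified stand-ins for the real types, and `SwappingDriver` and `AllowChecker` are hypothetical names.

```rust
use std::cell::RefCell;
use std::collections::HashMap;

// Stand-ins for libtock_unittest's RoAllowBuffer and ErrorCode (hypothetical,
// simplified for this example): an allow buffer is an owned byte vector.
pub type RoAllowBuffer = Vec<u8>;
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum ErrorCode { Invalid }

// Fake driver following the tock/tock#2906 rule: a successful allow_readonly
// stores the new buffer and returns exactly the previously allowed buffer for
// that slot (empty if none); a failed allow hands the caller's buffer back.
pub struct SwappingDriver { slots: RefCell<HashMap<u32, RoAllowBuffer>>, max_slots: u32 }

impl SwappingDriver {
    pub fn new(max_slots: u32) -> Self {
        SwappingDriver { slots: RefCell::new(HashMap::new()), max_slots }
    }
    pub fn allow_readonly(&self, buffer_num: u32, buffer: RoAllowBuffer)
        -> Result<RoAllowBuffer, (RoAllowBuffer, ErrorCode)> {
        if buffer_num >= self.max_slots { return Err((buffer, ErrorCode::Invalid)); }
        Ok(self.slots.borrow_mut().insert(buffer_num, buffer).unwrap_or_default())
    }
}
// Kernel-side shim modelling the invariant libtock_platform now relies on: it
// remembers the last successfully allowed buffer per slot and compares it with
// what the driver returns. Outer Err = the driver broke the invariant (what
// libtock_unittest should reject); the inner value is the driver's own result.
pub struct AllowChecker<'a> { driver: &'a SwappingDriver, last: RefCell<HashMap<u32, RoAllowBuffer>> }
impl<'a> AllowChecker<'a> {
    pub fn new(driver: &'a SwappingDriver) -> Self {
        AllowChecker { driver, last: RefCell::new(HashMap::new()) }
    }
    pub fn allow(&self, buffer_num: u32, buffer: RoAllowBuffer)
        -> Result<Result<RoAllowBuffer, (RoAllowBuffer, ErrorCode)>, String> {
        let given = buffer.clone();
        match self.driver.allow_readonly(buffer_num, buffer) {
            Ok(returned) => {
                let want = self.last.borrow_mut().insert(buffer_num, given).unwrap_or_default();
                if returned != want {
                    return Err(format!("slot {buffer_num}: got {returned:?}, expected {want:?}"));
                }
                Ok(Ok(returned))
            }
            Err((returned, code)) if returned == given => Ok(Err((returned, code))),
            Err((returned, _)) => Err(format!("slot {buffer_num}: failed allow kept {returned:?}")),
        }
    }
}
```

A non-swapping fake driver (one that keeps the caller's buffer or returns an older one) would surface as the outer `Err`, which is the case `libtock_unittest` needs to make unrepresentable for safe `fake::Driver` implementations.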