Merge pull request #55 from PLSysSec/result_fix_2

adjust tock so that flux-core Result spec doesn't break it

Author: enjhnsn2

arch/rv32i/src/pmp.rs

@@ -1300,6 +1300,7 @@ impl<const MAX_REGIONS: usize, P: TORUserPMP<MAX_REGIONS> + 'static> kernel::pla
     // type MpuConfig = PMPUserMPUConfig<MAX_REGIONS>;
     type Region = PMPUserRegion<MAX_REGIONS>;
 
+    #[flux_rs::trusted]
     fn enable_app_mpu(&self) -> MpuEnabledCapability {
         // TODO: This operation may fail when the PMP is not exclusively used
         // for userspace. Instead of panicing, we should handle this case more
@@ -1360,6 +1361,8 @@ pub mod test {
             Ok(())
         }
 
+        // #[flux_rs::sig(fn (x: usize) -> u32[x] requires x <= u32::MAX)]
+        #[flux_rs::sig(fn (&Self) -> Result<(), ()>[true])]
         fn enable_user_pmp(&self) -> Result<(), ()> {
             Ok(())
         } // The kernel's MPU trait requires

flux_support/src/extern_specs/result.rs

@@ -14,4 +14,14 @@ impl<T, E> Result<T, E> {
 
     #[sig(fn(&Result<T,E>[@b]) -> bool[!b])]
     const fn is_err(&self) -> bool;
+
+    #[sig(fn(Result<T, E>[true]) -> T)]
+    fn unwrap(self) -> T
+    where
+        E: core::fmt::Debug;
+
+    #[sig(fn(Result<T, E>[false]) -> E)]
+    fn unwrap_err(self) -> E
+    where
+        T: core::fmt::Debug;
 }

kernel/src/syscall_driver.rs

@@ -81,6 +81,7 @@ impl CommandReturn {
 }
 
 impl From<Result<(), ErrorCode>> for CommandReturn {
+    #[flux_rs::trusted]
     fn from(rc: Result<(), ErrorCode>) -> Self {
         match rc {
             Ok(()) => CommandReturn::success(),