Safety by abstract data types + silent truncation:
type PAddr = (PhysPage,POffset)
type PhysPage -- abstract
type POffset = Word12
getPAddr ∈ PAddr → H Word8
setPAddr ∈ PAddr → Word8 → H ()
allocPhysPage ∈ H (Maybe PhysPage)
Safety by abstract data types + run-time bounds checks:
data MemRegion -- abstract
type Offset = Word32
pokeByteOff ∈ Storable a ⇒ MemRegion → Offset → a → H ()
peekByteOff ∈ Storable a ⇒ MemRegion → Offset → H a
data Range = Range { lo,hi∈Addr }
screen ∈ Range
screen = Range 0xb8000 0xb8fff
InRange ∈ Range → Addr → Prop
screenPoke ∈ (a∈Addr) → InRange screen a → Word16 → H ()
Implementation of screenPoke
writableScreen ∈ (a∈Addr) → InRange screen a → Writable a
writableScreen a r = Unsafe.writable a
screenPoke ∈ (a∈Addr)→ InRange screen a → Word16 → H ()
screenPoke a r d = poke16 a (writableScreen a r) d