vstd::cell

Struct PCell

Source 
pub struct PCell<V> { /* private fields */ }
Expand description

PCell<V> (which stands for “permissioned call”) is the primitive Verus Cell type.

Technically, it is a wrapper around core::cell::UnsafeCell<core::mem::MaybeUninit<V>>, and thus has the same runtime properties: there are no runtime checks (as there would be for Rust’s traditional core::cell::RefCell). Its data may be uninitialized.

Furthermore (and unlike both core::cell::Cell and core::cell::RefCell), a PCell<V> may be Sync (depending on V). Thanks to verification, Verus ensures that access to the cell is data-race-free.

PCell uses a ghost permission token similar to simple_pptr::PPtr – see the simple_pptr::PPtr documentation for the basics. For PCell, the associated type of the permission token is cell::PointsTo.

§Differences from PPtr.

The key difference is that, whereas simple_pptr::PPtr represents a fixed address in memory, a PCell has no fixed address because a PCell might be moved. As such, the pcell.id() does not correspond to a memory address; rather, it is a unique identifier that is fixed for a given cell, even when it is moved.

The arbitrary ID given by pcell.id() is of type CellId. Despite the fact that it is, in some ways, “like a pointer”, note that CellId does not support any meangingful arithmetic, has no concept of a “null ID”, and has no runtime representation.

Also note that the PCell might be dropped before the PointsTo token is dropped, although in that case it will no longer be possible to use the PointsTo in exec code to extract data from the cell.

§Example (TODO)

Implementations§

Source§

impl<V> PCell<V>

Source

pub uninterp fn id(&self) -> CellId

A unique ID for the cell.

Source

pub const exec fn empty() -> pt : (PCell<V>, Tracked<PointsTo<V>>)

ensures
pt.1@@ === pcell_points![pt.0.id() => MemContents::Uninit],

Return an empty (“uninitialized”) cell.

Source

pub const exec fn new(v: V) -> pt : (PCell<V>, Tracked<PointsTo<V>>)

ensures
pt.1@@ === pcell_points![pt.0.id() => MemContents::Init(v)],
Source

pub exec fn put(&self, Tracked(perm): Tracked<&mut PointsTo<V>>, v: V)

requires
old(perm)@ === pcell_points![self.id() => MemContents::Uninit],
ensures
perm@ === pcell_points![self.id() => MemContents::Init(v)],
Source

pub exec fn take(&self, Tracked(perm): Tracked<&mut PointsTo<V>>) -> v : V

requires
self.id() === old(perm)@.pcell,
old(perm).is_init(),
ensures
perm.id() === old(perm)@.pcell,
perm.mem_contents() === MemContents::Uninit,
v === old(perm).value(),
Source

pub exec fn replace(&self, Tracked(perm): Tracked<&mut PointsTo<V>>, in_v: V) -> out_v : V

requires
self.id() === old(perm)@.pcell,
old(perm).is_init(),
ensures
perm.id() === old(perm)@.pcell,
perm.mem_contents() === MemContents::Init(in_v),
out_v === old(perm).value(),
Source

pub exec fn borrow<'a>(&'a self, Tracked(perm): Tracked<&'a PointsTo<V>>) -> v : &'a V

requires
self.id() === perm@.pcell,
perm.is_init(),
ensures
*v === perm.value(),
Source

pub exec fn into_inner(self, Tracked(perm): Tracked<PointsTo<V>>) -> v : V

requires
self.id() === perm@.pcell,
perm.is_init(),
ensures
v === perm.value(),
Source§

impl<V: Copy> PCell<V>

Source

pub exec fn write(&self, Tracked(perm): Tracked<&mut PointsTo<V>>, in_v: V)

requires
self.id() === old(perm)@.pcell,
old(perm).is_init(),
ensures
perm.id() === old(perm)@.pcell,
perm.mem_contents() === MemContents::Init(in_v),

Trait Implementations§

Source§

impl<T> Send for PCell<T>

Source§

impl<T> Sync for PCell<T>

PCell is always safe to Send or Sync. Rather, it is the PointsTo object where Send and Sync matter. (It doesn’t matter if you move the bytes to another thread if you can’t access them.)

Auto Trait Implementations§

§

impl<V> !Freeze for PCell<V>

§

impl<V> !RefUnwindSafe for PCell<V>

§

impl<V> Unpin for PCell<V>
where V: Unpin,

§

impl<V> UnwindSafe for PCell<V>
where V: UnwindSafe,

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.