pub struct GhostIPointsTo<K, V> { /* private fields */ }Expand description
A resource that asserts client ownership over a single key in the map.
The existence of a GhostIPointsTo implies that:
- Those key will remain in the map (unless the onwer of the
GhostIPointsTodeletes it usingGhostIMapAuth::delete_points_to); - Those key will remain pointing to the same value (unless the onwer of the
GhostIPointsToupdates them usingGhostIPointsTo::update) - All other
GhostISubmap/GhostIPointsTo/GhostPersistentISubmap/GhostPersistentIPointsToare disjoint subsets of the domain
Implementations§
Source§impl<K, V> GhostIPointsTo<K, V>
impl<K, V> GhostIPointsTo<K, V>
Sourcepub open spec fn view(self) -> (K, V)
pub open spec fn view(self) -> (K, V)
{ (self.key(), self.value()) }Key-Value pair underlying the points to relationship
Sourcepub proof fn agree(tracked self: &GhostIPointsTo<K, V>, tracked auth: &GhostIMapAuth<K, V>)
pub proof fn agree(tracked self: &GhostIPointsTo<K, V>, tracked auth: &GhostIMapAuth<K, V>)
self.id() == auth.id(),ensuresauth@.contains_pair(self.key(), self.value()),Agreement between a GhostIPointsTo and a corresponding GhostIMapAuth
Verus might not have full context of the GhostIMapAuth and a corresponding GhostIPointsTo.
However, whenever we know that they refer to the same resource (i.e., have matching ids) we
can assert that the GhostIPointsTo is a key-value pair in the GhostIMapAuth.
proof fn test(tracked &auth: GhostIMapAuth<int, int>, tracked &pt: GhostIPointsTo<int, int>)
requires
auth.id() == sub.id(),
pt@ == (1int, 1int)
ensures
auth[1int] == 1int
{
pt.agree(auth);
assert(auth[1int] == 1int);
}Sourcepub proof fn combine(tracked self, tracked other: GhostIPointsTo<K, V>) -> tracked r : GhostISubmap<K, V>
pub proof fn combine(tracked self, tracked other: GhostIPointsTo<K, V>) -> tracked r : GhostISubmap<K, V>
self.id() == other.id(),ensuresr.id() == self.id(),r@ == imap![self.key() => self.value(), other.key() => other.value()],self.key() != other.key(),We can combine two GhostIPointsTos into a GhostISubmap
We also learn that they were disjoint.
Sourcepub proof fn disjoint(tracked &mut self, tracked other: &GhostIPointsTo<K, V>)
pub proof fn disjoint(tracked &mut self, tracked other: &GhostIPointsTo<K, V>)
old(self).id() == other.id(),ensuresfinal(self).id() == old(self).id(),final(self)@ == old(self)@,final(self).key() != other.key(),Shows that if a two GhostIPointsTos are not owning the same key
Sourcepub proof fn disjoint_submap(tracked &mut self, tracked other: &GhostISubmap<K, V>)
pub proof fn disjoint_submap(tracked &mut self, tracked other: &GhostISubmap<K, V>)
old(self).id() == other.id(),ensuresfinal(self).id() == old(self).id(),final(self)@ == old(self)@,!other.dom().contains(final(self).key()),Shows that if a GhostIPointsTo and a GhostISubmap are not owning the same key
Sourcepub proof fn disjoint_persistent_submap(
tracked &mut self,
tracked other: &GhostPersistentISubmap<K, V>,
)
pub proof fn disjoint_persistent_submap( tracked &mut self, tracked other: &GhostPersistentISubmap<K, V>, )
old(self).id() == other.id(),ensuresfinal(self).id() == old(self).id(),final(self)@ == old(self)@,!other.dom().contains(final(self).key()),Shows that if a GhostIPointsTo and a GhostPersistentISubmap are not owning the same key
Sourcepub proof fn disjoint_persistent(tracked &mut self, tracked other: &GhostPersistentIPointsTo<K, V>)
pub proof fn disjoint_persistent(tracked &mut self, tracked other: &GhostPersistentIPointsTo<K, V>)
old(self).id() == other.id(),ensuresfinal(self).id() == old(self).id(),final(self)@ == old(self)@,final(self).key() != other.key(),Shows that if a GhostIPointsTo and a GhostPersistentIPointsTo are not owning the same key
Sourcepub proof fn update(tracked &mut self, tracked auth: &mut GhostIMapAuth<K, V>, v: V)
pub proof fn update(tracked &mut self, tracked auth: &mut GhostIMapAuth<K, V>, v: V)
old(self).id() == old(auth).id(),ensuresfinal(self).id() == old(self).id(),final(auth).id() == old(auth).id(),final(self).key() == old(self).key(),final(self)@ == (final(self).key(), v),final(auth)@ == old(auth)@.union_prefer_right(imap![final(self).key() => v]),Update pointed to value
Sourcepub proof fn submap(tracked self) -> tracked r : GhostISubmap<K, V>
pub proof fn submap(tracked self) -> tracked r : GhostISubmap<K, V>
r.id() == self.id(),r@ == imap![self.key() => self.value()],Convert the GhostIPointsTo a GhostISubmap
Sourcepub proof fn lemma_view(self)
pub proof fn lemma_view(self)
self@ == (self.key(), self.value()),Can be used to learn what the key-value pair of GhostIPointsTo is
Sourcepub proof fn persist(tracked self) -> tracked r : GhostPersistentIPointsTo<K, V>
pub proof fn persist(tracked self) -> tracked r : GhostPersistentIPointsTo<K, V>
self@ == r@,self.id() == r.id(),Convert a GhostIPointsTo into a GhostPersistentIPointsTo
Auto Trait Implementations§
impl<K, V> Freeze for GhostIPointsTo<K, V>
impl<K, V> RefUnwindSafe for GhostIPointsTo<K, V>where
K: RefUnwindSafe,
V: RefUnwindSafe,
impl<K, V> Send for GhostIPointsTo<K, V>
impl<K, V> Sync for GhostIPointsTo<K, V>
impl<K, V> Unpin for GhostIPointsTo<K, V>
impl<K, V> UnsafeUnpin for GhostIPointsTo<K, V>
impl<K, V> UnwindSafe for GhostIPointsTo<K, V>where
K: UnwindSafe,
V: UnwindSafe,
Blanket Implementations§
Source§impl<T> BorrowMut<T> for Twhere
T: ?Sized,
impl<T> BorrowMut<T> for Twhere
T: ?Sized,
Source§fn borrow_mut(&mut self) -> &mut T
fn borrow_mut(&mut self) -> &mut T
Source§impl<T, U> IntoSpecImpl<U> for Twhere
U: From<T>,
impl<T, U> IntoSpecImpl<U> for Twhere
U: From<T>,
Source§impl<T, VERUS_SPEC__A> TryFromSpec<T> for VERUS_SPEC__Awhere
VERUS_SPEC__A: TryFrom<T>,
impl<T, VERUS_SPEC__A> TryFromSpec<T> for VERUS_SPEC__Awhere
VERUS_SPEC__A: TryFrom<T>,
Source§exec fn obeys_try_from_spec() -> bool
exec fn obeys_try_from_spec() -> bool
Source§impl<T, VERUS_SPEC__A> TryIntoSpec<T> for VERUS_SPEC__Awhere
VERUS_SPEC__A: TryInto<T>,
impl<T, VERUS_SPEC__A> TryIntoSpec<T> for VERUS_SPEC__Awhere
VERUS_SPEC__A: TryInto<T>,
Source§exec fn obeys_try_into_spec() -> bool
exec fn obeys_try_into_spec() -> bool
Source§impl<T, U> TryIntoSpecImpl<U> for Twhere
U: TryFrom<T>,
impl<T, U> TryIntoSpecImpl<U> for Twhere
U: TryFrom<T>,
Source§open spec fn obeys_try_into_spec() -> bool
open spec fn obeys_try_into_spec() -> bool
{ <U as TryFromSpec<Self>>::obeys_try_from_spec() }