pub struct GhostISubset<T> { /* private fields */ }Expand description
A resource that has client ownership of a subset
The existence of a GhostISubset implies that:
- Those values will remain in the set unless ;
- Those values will remain in the set (unless the onwer of the
GhostISubsetdeletes it usingGhostISetAuth::delete); - All other
GhostISubset/GhostISingletonare disjoint from it
Implementations§
Source§impl<T> GhostISubset<T>
impl<T> GhostISubset<T>
Sourcepub open spec fn is_singleton(self) -> bool
pub open spec fn is_singleton(self) -> bool
{
&&& self@.len() == 1
&&& self@.finite()
&&& !self@.is_empty()
}Checks whether the GhostISubset refers to a single value (and thus can be converted to a
GhostISingleton).
Sourcepub proof fn dummy() -> tracked result : GhostISubset<T>
pub proof fn dummy() -> tracked result : GhostISubset<T>
Instantiate a dummy GhostISubset
Sourcepub proof fn empty(tracked &self) -> tracked result : GhostISubset<T>
pub proof fn empty(tracked &self) -> tracked result : GhostISubset<T>
result.id() == self.id(),result@ == ISet::<T>::empty(),Create an empty GhostISubset
Sourcepub proof fn take(tracked &mut self) -> tracked result : GhostISubset<T>
pub proof fn take(tracked &mut self) -> tracked result : GhostISubset<T>
old(self).id() == final(self).id(),final(self)@.is_empty(),result == *old(self),result.id() == final(self).id(),Extract the GhostISubset from a mutable reference, leaving behind an empty map.
Sourcepub proof fn agree(tracked self: &GhostISubset<T>, tracked auth: &GhostISetAuth<T>)
pub proof fn agree(tracked self: &GhostISubset<T>, tracked auth: &GhostISetAuth<T>)
self.id() == auth.id(),ensuresself@ <= auth@,Agreement between a GhostISubset and a corresponding GhostISetAuth
Verus might not have full context of the GhostISetAuth and a corresponding GhostISubset.
However, whenever we know that they refer to the same resource (i.e., have matching ids) we
can assert that the GhostISubset is a submap of the GhostISetAuth.
proof fn test(tracked &auth: GhostISetAuth<int>, tracked &sub: GhostISubset<int>)
requires
auth.id() == sub.id(),
sub@.contains(1int),
ensures
auth@.contains(1int),
{
sub.agree(auth);
assert(sub@ <= auth@);
assert(auth.contains(1int));
}Sourcepub proof fn combine(tracked &mut self, tracked other: GhostISubset<T>)
pub proof fn combine(tracked &mut self, tracked other: GhostISubset<T>)
old(self).id() == other.id(),ensuresfinal(self).id() == old(self).id(),final(self)@ == old(self)@.union(other@),old(self)@.disjoint(other@),Combining two GhostISubsets is possible.
We consume the input GhostISubset and merge it into the first.
We also learn that they were disjoint.
Sourcepub proof fn combine_singleton(tracked &mut self, tracked other: GhostISingleton<T>)
pub proof fn combine_singleton(tracked &mut self, tracked other: GhostISingleton<T>)
old(self).id() == other.id(),ensuresfinal(self).id() == old(self).id(),final(self)@ == old(self)@.insert(other@),!old(self)@.contains(other@),Combining a GhostISingleton into GhostISubset is possible, in a similar way to the way to combine
GhostISubsets.
Sourcepub proof fn disjoint(tracked &mut self, tracked other: &GhostISubset<T>)
pub proof fn disjoint(tracked &mut self, tracked other: &GhostISubset<T>)
old(self).id() == other.id(),ensuresfinal(self).id() == old(self).id(),final(self)@ == old(self)@,final(self)@.disjoint(other@),When we have two GhostISubsets we can prove that they have disjoint domains.
Sourcepub proof fn disjoint_persistent(tracked &mut self, tracked other: &GhostPersistentISubset<T>)
pub proof fn disjoint_persistent(tracked &mut self, tracked other: &GhostPersistentISubset<T>)
old(self).id() == other.id(),ensuresfinal(self).id() == old(self).id(),final(self)@ == old(self)@,final(self)@.disjoint(other@),When we have a GhostISubset and a GhostPersistentISubset we can prove that they are in disjoint
domains.
Sourcepub proof fn disjoint_singleton(tracked &mut self, tracked other: &GhostISingleton<T>)
pub proof fn disjoint_singleton(tracked &mut self, tracked other: &GhostISingleton<T>)
old(self).id() == other.id(),ensuresfinal(self).id() == old(self).id(),final(self)@ == old(self)@,!final(self)@.contains(other@),When we have a GhostISubset and a GhostISingleton we can prove that they are in disjoint
domains.
Sourcepub proof fn disjoint_persistent_singleton(
tracked &mut self,
tracked other: &GhostPersistentISingleton<T>,
)
pub proof fn disjoint_persistent_singleton( tracked &mut self, tracked other: &GhostPersistentISingleton<T>, )
old(self).id() == other.id(),ensuresfinal(self).id() == old(self).id(),final(self)@ == old(self)@,!final(self)@.contains(other@),When we have a GhostISubset and a GhostPersistentISingleton we can prove that they are in disjoint
domains.
Sourcepub proof fn split(tracked &mut self, s: ISet<T>) -> tracked result : GhostISubset<T>
pub proof fn split(tracked &mut self, s: ISet<T>) -> tracked result : GhostISubset<T>
s <= old(self)@,ensuresfinal(self).id() == old(self).id(),result.id() == final(self).id(),old(self)@ == final(self)@.union(result@),result@ =~= s,final(self)@ =~= old(self)@ - s,We can split a GhostISubset based on a set of values
Sourcepub proof fn split_singleton(tracked &mut self, v: T) -> tracked result : GhostISingleton<T>
pub proof fn split_singleton(tracked &mut self, v: T) -> tracked result : GhostISingleton<T>
old(self)@.contains(v),ensuresfinal(self).id() == old(self).id(),result.id() == final(self).id(),old(self)@ == final(self)@.insert(result@),result@ == v,final(self)@ =~= old(self)@.remove(v),We can separate a single value out of a GhostISubset
Sourcepub proof fn singleton(tracked self) -> tracked r : GhostISingleton<T>
pub proof fn singleton(tracked self) -> tracked r : GhostISingleton<T>
self.is_singleton(),ensuresself@ == iset![r @],self.id() == r.id(),Converting a GhostISubset into a GhostISingleton
Sourcepub proof fn persist(tracked self) -> tracked r : GhostPersistentISubset<T>
pub proof fn persist(tracked self) -> tracked r : GhostPersistentISubset<T>
self@ == r@,self.id() == r.id(),Converting a GhostISubset into a GhostPersistentISubset
Auto Trait Implementations§
impl<T> Freeze for GhostISubset<T>
impl<T> RefUnwindSafe for GhostISubset<T>where
T: RefUnwindSafe,
impl<T> Send for GhostISubset<T>where
T: Send,
impl<T> Sync for GhostISubset<T>where
T: Sync,
impl<T> Unpin for GhostISubset<T>where
T: Unpin,
impl<T> UnsafeUnpin for GhostISubset<T>
impl<T> UnwindSafe for GhostISubset<T>where
T: UnwindSafe,
Blanket Implementations§
Source§impl<T> BorrowMut<T> for Twhere
T: ?Sized,
impl<T> BorrowMut<T> for Twhere
T: ?Sized,
Source§fn borrow_mut(&mut self) -> &mut T
fn borrow_mut(&mut self) -> &mut T
Source§impl<T, U> IntoSpecImpl<U> for Twhere
U: From<T>,
impl<T, U> IntoSpecImpl<U> for Twhere
U: From<T>,
Source§impl<T, VERUS_SPEC__A> TryFromSpec<T> for VERUS_SPEC__Awhere
VERUS_SPEC__A: TryFrom<T>,
impl<T, VERUS_SPEC__A> TryFromSpec<T> for VERUS_SPEC__Awhere
VERUS_SPEC__A: TryFrom<T>,
Source§exec fn obeys_try_from_spec() -> bool
exec fn obeys_try_from_spec() -> bool
Source§impl<T, VERUS_SPEC__A> TryIntoSpec<T> for VERUS_SPEC__Awhere
VERUS_SPEC__A: TryInto<T>,
impl<T, VERUS_SPEC__A> TryIntoSpec<T> for VERUS_SPEC__Awhere
VERUS_SPEC__A: TryInto<T>,
Source§exec fn obeys_try_into_spec() -> bool
exec fn obeys_try_into_spec() -> bool
Source§impl<T, U> TryIntoSpecImpl<U> for Twhere
U: TryFrom<T>,
impl<T, U> TryIntoSpecImpl<U> for Twhere
U: TryFrom<T>,
Source§open spec fn obeys_try_into_spec() -> bool
open spec fn obeys_try_into_spec() -> bool
{ <U as TryFromSpec<Self>>::obeys_try_from_spec() }