vstd::tokens::map

Struct GhostMapAuth

Source 
pub struct GhostMapAuth<K, V> { /* private fields */ }

Implementations§

Source§

impl<K, V> GhostMapAuth<K, V>

An implementation of a resource for owning a subset of keys in a map.

GhostMapAuth<K, T> represents authoritative ownership of the entire map, and GhostSubmap<K, T> represents client ownership of some subset of keys in the map. Updating the authoritative GhostMapAuth<K, T> requires a GhostSubmap<K, T> containing the keys being updated. GhostSubmap<K, T>s can be combined or split.

§Example
fn example_use() {
    let tracked (mut auth, mut sub) = GhostMapAuth::new(map![1u8 => 1u64, 2u8 => 2u64, 3u8 => 3u64]);

    // Allocate some more keys in the auth map, receiving a new submap.
    let tracked sub2 = auth.insert(map![4u8 => 4u64, 5u8 => 5u64]);
    proof { sub.combine(sub2); }

    // Delete some keys in the auth map, by returning corresponding submap.
    let tracked sub3 = sub.split(set![3u8, 4u8]);
    proof { auth.delete(sub3); }

    // Split the submap into a multiple submaps.
    let tracked sub4 = sub.split(set![1u8, 5u8]);

    // In general, we might need to call agree() to establish the fact that
    // a submap has the same values as the auth map.  Here, Verus doesn't need
    // agree because it can track where both the auth and submap came from.
    proof { sub.agree(&auth); }
    proof { sub4.agree(&auth); }

    assert(sub4[1u8] == auth[1u8]);
    assert(sub4[5u8] == auth[5u8]);
    assert(sub[2u8] == auth[2u8]);

    // Update keys using ownership of submaps.
    proof { sub.update(&mut auth, map![2u8 => 22u64]); }
    proof { sub4.update(&mut auth, map![1u8 => 11u64]); }
    assert(auth[1u8] == 11u64);
    assert(auth[2u8] == 22u64);

    // Not shown in this simple example is the main use case of this resource:
    // maintaining an invariant between GhostMapAuth<K, V> and some exec-mode
    // shared state with a map view (e.g., HashMap<K, V>), which states that
    // the Map<K, V> view of GhostMapAuth<K, V> is the same as the view of the
    // HashMap<K, V>, and then handing out a GhostSubmap<K, V> to different
    // clients that might need to operate on different keys in this map.
}
Source

pub closed spec fn id(self) -> Loc

Source

pub closed spec fn view(self) -> Map<K, V>

Source

pub open spec fn dom(self) -> Set<K>

{ self@.dom() }
Source

pub open spec fn spec_index(self, key: K) -> V

recommends
self.dom().contains(key),
{ self@[key] }
Source

pub proof fn dummy() -> tracked result : GhostMapAuth<K, V>

Source

pub proof fn take(tracked &mut self) -> tracked result : GhostMapAuth<K, V>

ensures
result == *old(self),
Source

pub proof fn empty(tracked &self) -> tracked result : GhostSubmap<K, V>

ensures
result.id() == self.id(),
result@ == Map::<K, V>::empty(),
Source

pub proof fn insert(tracked &mut self, m: Map<K, V>) -> tracked result : GhostSubmap<K, V>

requires
old(self)@.dom().disjoint(m.dom()),
ensures
self.id() == old(self).id(),
self@ == old(self)@.union_prefer_right(m),
result.id() == self.id(),
result@ == m,
Source

pub proof fn delete(tracked &mut self, tracked f: GhostSubmap<K, V>)

requires
f.id() == old(self).id(),
ensures
self.id() == old(self).id(),
self@ == old(self)@.remove_keys(f@.dom()),
Source

pub proof fn new(m: Map<K, V>) -> tracked result : (GhostMapAuth<K, V>, GhostSubmap<K, V>)

ensures
result.0.id() == result.1.id(),
result.0@ == m,
result.1@ == m,

Auto Trait Implementations§

§

impl<K, V> Freeze for GhostMapAuth<K, V>

§

impl<K, V> RefUnwindSafe for GhostMapAuth<K, V>
where K: RefUnwindSafe, V: RefUnwindSafe,

§

impl<K, V> Send for GhostMapAuth<K, V>
where K: Send, V: Send,

§

impl<K, V> Sync for GhostMapAuth<K, V>
where K: Sync, V: Sync,

§

impl<K, V> Unpin for GhostMapAuth<K, V>
where K: Unpin, V: Unpin,

§

impl<K, V> UnwindSafe for GhostMapAuth<K, V>
where K: UnwindSafe, V: UnwindSafe,

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.