GhostMapAuth

vstd::tokens::map

Struct GhostMapAuth 

Source 
pub struct GhostMapAuth<K, V> { /* private fields */ }
Expand description

A resource that has the authoritative ownership on the entire map

Implementations§

Source§

impl<K, V> GhostMapAuth<K, V>

Source

pub closed spec fn id(self) -> Loc

Resource location

Source

pub closed spec fn view(self) -> Map<K, V>

Logically underlying Map

Source

pub open spec fn dom(self) -> Set<K>

{ self@.dom() }

Domain of the GhostMapAuth

Source

pub open spec fn spec_index(self, key: K) -> V

recommends
self.dom().contains(key),
{ self@[key] }

Indexing operation auth[key]

Source

pub proof fn dummy() -> tracked result : GhostMapAuth<K, V>

Instantiate a dummy GhostMapAuth

Source

pub proof fn take(tracked &mut self) -> tracked result : GhostMapAuth<K, V>

ensures
result == *old(self),

Extract the GhostMapAuth from a mutable reference

Source

pub proof fn empty(tracked &self) -> tracked result : GhostSubmap<K, V>

ensures
result.id() == self.id(),
result@ == Map::<K, V>::empty(),

Create an empty GhostSubmap

Source

pub proof fn insert_map(tracked &mut self, m: Map<K, V>) -> tracked result : GhostSubmap<K, V>

requires
old(self)@.dom().disjoint(m.dom()),
ensures
self.id() == old(self).id(),
self@ == old(self)@.union_prefer_right(m),
result.id() == self.id(),
result@ == m,

Insert a Map of values, receiving the GhostSubmap that asserts ownership over the key domain inserted.

proof fn insert_map_example(tracked mut m: GhostMapAuth<int, int>) -> (tracked r: GhostSubmap<int, int>)
    requires
        !m.dom().contains(1int),
        !m.dom().contains(2int),
{
    let tracked submap = m.insert_map(map![1int => 1int, 2int => 4int]);
    // do something with the submap
    submap
}
Source

pub proof fn insert(tracked &mut self, k: K, v: V) -> tracked result : GhostPointsTo<K, V>

requires
!old(self)@.contains_key(k),
ensures
self.id() == old(self).id(),
self@ == old(self)@.insert(k, v),
result.id() == self.id(),
result@ == (k, v),

Insert a key-value pair, receiving the GhostPointsTo that asserts ownerships over the key.

proof fn insert_example(tracked mut m: GhostMapAuth<int, int>) -> (tracked r: GhostPointsTo<int, int>)
    requires
        !m.dom().contains(1int),
{
    let tracked points_to = m.insert(1, 1);
    // do something with the points_to
    points_to
}
Source

pub proof fn delete(tracked &mut self, tracked submap: GhostSubmap<K, V>)

requires
submap.id() == old(self).id(),
ensures
self.id() == old(self).id(),
self@ == old(self)@.remove_keys(submap@.dom()),

Delete a set of keys

proof fn delete(tracked mut auth: GhostMapAuth<int, int>)
    requires
        auth.dom().contains(1int),
        auth.dom().contains(2int),
    ensures
        old(auth)@ == auth@
{
    let tracked submap = auth.insert_map(map![1int => 1int, 2int => 4int]);
    // do something with the submap
    auth.delete(submap)
}
Source

pub proof fn delete_points_to(tracked &mut self, tracked p: GhostPointsTo<K, V>)

requires
p.id() == old(self).id(),
ensures
self.id() == old(self).id(),
self@ == old(self)@.remove(p.key()),

Delete a single key from the map

proof fn delete_key(tracked mut auth: GhostMapAuth<int, int>)
    requires
        auth.dom().contains(1int),
    ensures
        old(auth)@ == auth@
{
    let tracked points_to = auth.insert(1, 1);
    // do something with the submap
    auth.delete_points_to(points_to)
}
Source

pub proof fn new(m: Map<K, V>) -> tracked result : (GhostMapAuth<K, V>, GhostSubmap<K, V>)

ensures
result.0.id() == result.1.id(),
result.0@ == m,
result.1@ == m,

Create a new GhostMapAuth from a Map. Gives the other half of ownership in the form of a GhostSubmap.

fn example() {
    let m = map![1int => 1int, 2int => 4int, 3int => 9int];
    let tracked (auth, sub) = GhostMapAuth::new(m);
    assert(auth@ == m);
    assert(sub.dom() == m.dom());
}

Auto Trait Implementations§

§

impl<K, V> Freeze for GhostMapAuth<K, V>

§

impl<K, V> RefUnwindSafe for GhostMapAuth<K, V>
where K: RefUnwindSafe, V: RefUnwindSafe,

§

impl<K, V> Send for GhostMapAuth<K, V>
where K: Send, V: Send,

§

impl<K, V> Sync for GhostMapAuth<K, V>
where K: Sync, V: Sync,

§

impl<K, V> Unpin for GhostMapAuth<K, V>
where K: Unpin, V: Unpin,

§

impl<K, V> UnwindSafe for GhostMapAuth<K, V>
where K: UnwindSafe, V: UnwindSafe,

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, VERUS_SPEC__A> FromSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: From<T>,

Source§

exec fn obeys_from_spec() -> bool

Source§

exec fn from_spec(v: T) -> VERUS_SPEC__A

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T, VERUS_SPEC__A> IntoSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: Into<T>,

Source§

exec fn obeys_into_spec() -> bool

Source§

exec fn into_spec(self) -> T

Source§

impl<T, U> IntoSpecImpl<U> for T
where U: From<T>,

Source§

open spec fn obeys_into_spec() -> bool

{ <U as FromSpec<Self>>::obeys_from_spec() }
Source§

open spec fn into_spec(self) -> U

{ U::from_spec(self) }
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.