GhostPersistentPointsTo

vstd::tokens::map

Struct GhostPersistentPointsTo 

Source 
pub struct GhostPersistentPointsTo<K, V> { /* private fields */ }
Expand description

A resource representing duplicable client knowledge of a single key in the map.

The existence of a GhostPersistentPointsTo implies that:

Implementations§

Source§

impl<K, V> GhostPersistentPointsTo<K, V>

Source

pub closed spec fn id(self) -> Loc

Location of the underlying resource

Source

pub open spec fn view(self) -> (K, V)

{ (self.key(), self.value()) }

Key-Value pair underlying the points to relationship

Source

pub closed spec fn key(self) -> K

Key of the points to

Source

pub closed spec fn value(self) -> V

Pointed-to value

Source

pub proof fn duplicate(tracked &mut self) -> tracked result : GhostPersistentPointsTo<K, V>

ensures
self.id() == result.id(),
old(self).id() == self.id(),
old(self)@ == self@,
result@ == self@,

Duplicate the GhostPersistentPointsTo

Source

pub proof fn agree(tracked self: &GhostPersistentPointsTo<K, V>, tracked auth: &GhostMapAuth<K, V>)

requires
self.id() == auth.id(),
ensures
auth@.contains_pair(self.key(), self.value()),

Agreement between a GhostPersistentPointsTo and a corresponding GhostMapAuth

Verus might not have full context of the GhostMapAuth and a corresponding GhostPersistentPointsTo. However, whenever we know that they refer to the same resource (i.e., have matching ids) we can assert that the GhostPersistentPointsTo is a key-value pair in the GhostMapAuth.

proof fn test(tracked &auth: GhostMapAuth<int, int>, tracked &pt: GhostPersistentPointsTo<int, int>)
    requires
        auth.id() == sub.id(),
        pt@ == (1int, 1int)
    ensures
        auth[1int] == 1int
{
    pt.agree(auth);
    assert(auth[1int] == 1int);
}
Source

pub proof fn combine(tracked self, tracked other: GhostPersistentPointsTo<K, V>, ) -> tracked submap : GhostPersistentSubmap<K, V>

requires
self.id() == other.id(),
ensures
submap.id() == self.id(),
submap@ == map![self.key() => self.value(), other.key() => other.value()],
self.key() != other.key() ==> submap@.len() == 2,
self.key() == other.key() ==> submap@.len() == 1,

We can combine two GhostPersistentPointsTos into a GhostPersistentSubmap

Source

pub proof fn disjoint(tracked &mut self, tracked other: &GhostPointsTo<K, V>)

requires
old(self).id() == other.id(),
ensures
self.id() == old(self).id(),
self@ == old(self)@,
self.key() != other.key(),

When we have a GhostPersistentPointsTo and a GhostPointsTo, we can prove that they are in disjoint domains.

Source

pub proof fn disjoint_submap(tracked &mut self, tracked other: &GhostSubmap<K, V>)

requires
old(self).id() == other.id(),
ensures
self.id() == old(self).id(),
self@ == old(self)@,
!other@.contains_key(self.key()),

When we have a GhostPersistentPointsTo and a GhostSubmap, we can prove that they are in disjoint domains.

Source

pub proof fn intersection_agrees(tracked &mut self, tracked other: &GhostPersistentPointsTo<K, V>)

requires
old(self).id() == other.id(),
ensures
self.id() == old(self).id(),
self@ == old(self)@,
self.key() == other.key() ==> self.value() == other.value(),

Shows that if a client has two GhostPersistentPointsTos they are either disjoint or agreeing in values in the intersection

Source

pub proof fn intersection_agrees_submap(tracked &mut self, tracked other: &GhostPersistentSubmap<K, V>, )

requires
old(self).id() == other.id(),
ensures
self.id() == old(self).id(),
self@ == old(self)@,
other@.contains_key(self.key()) ==> other@[self.key()] == self.value(),

Shows that if a GhostPersistentPointsTo and a GhostSubmap are not owning the same key

Source

pub proof fn submap(tracked self) -> tracked r : GhostPersistentSubmap<K, V>

ensures
r.id() == self.id(),
r@ == map![self.key() => self.value()],

Convert the GhostPersistentPointsTo a GhostPersistentSubmap

Source

pub proof fn lemma_view(self)

ensures
self@ == (self.key(), self.value()),

Can be used to learn what the key-value pair of GhostPersistentPointsTo is

Auto Trait Implementations§

§

impl<K, V> Freeze for GhostPersistentPointsTo<K, V>

§

impl<K, V> RefUnwindSafe for GhostPersistentPointsTo<K, V>
where K: RefUnwindSafe, V: RefUnwindSafe,

§

impl<K, V> Send for GhostPersistentPointsTo<K, V>
where K: Send, V: Send,

§

impl<K, V> Sync for GhostPersistentPointsTo<K, V>
where K: Sync, V: Sync,

§

impl<K, V> Unpin for GhostPersistentPointsTo<K, V>
where K: Unpin, V: Unpin,

§

impl<K, V> UnwindSafe for GhostPersistentPointsTo<K, V>
where K: UnwindSafe, V: UnwindSafe,

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, VERUS_SPEC__A> FromSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: From<T>,

Source§

exec fn obeys_from_spec() -> bool

Source§

exec fn from_spec(v: T) -> VERUS_SPEC__A

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T, VERUS_SPEC__A> IntoSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: Into<T>,

Source§

exec fn obeys_into_spec() -> bool

Source§

exec fn into_spec(self) -> T

Source§

impl<T, U> IntoSpecImpl<U> for T
where U: From<T>,

Source§

open spec fn obeys_into_spec() -> bool

{ <U as FromSpec<Self>>::obeys_from_spec() }
Source§

open spec fn into_spec(self) -> U

{ U::from_spec(self) }
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.