GhostPointsTo

vstd::tokens::map

Struct GhostPointsTo 

Source 
pub struct GhostPointsTo<K, V> { /* private fields */ }
Expand description

A resource that asserts client ownership over a single key in the map.

The existence of a GhostPointsTo implies that:

Implementations§

Source§

impl<K, V> GhostPointsTo<K, V>

Source

pub closed spec fn id(self) -> Loc

Location of the underlying resource

Source

pub open spec fn view(self) -> (K, V)

{ (self.key(), self.value()) }

Key-Value pair underlying the points to relationship

Source

pub closed spec fn key(self) -> K

Key of the points to

Source

pub closed spec fn value(self) -> V

Pointed-to value

Source

pub proof fn agree(tracked self: &GhostPointsTo<K, V>, tracked auth: &GhostMapAuth<K, V>)

requires
self.id() == auth.id(),
ensures
auth@.contains_pair(self.key(), self.value()),

Agreement between a GhostPointsTo and a corresponding GhostMapAuth

Verus might not have full context of the GhostMapAuth and a corresponding GhostPointsTo. However, whenever we know that they refer to the same resource (i.e., have matching ids) we can assert that the GhostPointsTo is a key-value pair in the GhostMapAuth.

proof fn test(tracked &auth: GhostMapAuth<int, int>, tracked &pt: GhostPointsTo<int, int>)
    requires
        auth.id() == sub.id(),
        pt@ == (1int, 1int)
    ensures
        auth[1int] == 1int
{
    pt.agree(auth);
    assert(auth[1int] == 1int);
}
Source

pub proof fn combine(tracked self, tracked other: GhostPointsTo<K, V>) -> tracked r : GhostSubmap<K, V>

requires
self.id() == other.id(),
ensures
r.id() == self.id(),
r@ == map![self.key() => self.value(), other.key() => other.value()],
self.key() != other.key(),

We can combine two GhostPointsTos into a GhostSubmap We also learn that they were disjoint.

Source

pub proof fn disjoint(tracked &mut self, tracked other: &GhostPointsTo<K, V>)

requires
old(self).id() == other.id(),
ensures
self.id() == old(self).id(),
self@ == old(self)@,
self.key() != other.key(),

Shows that if a two GhostPointsTos are not owning the same key

Source

pub proof fn disjoint_submap(tracked &mut self, tracked other: &GhostSubmap<K, V>)

requires
old(self).id() == other.id(),
ensures
self.id() == old(self).id(),
self@ == old(self)@,
!other.dom().contains(self.key()),

Shows that if a GhostPointsTo and a GhostSubmap are not owning the same key

Source

pub proof fn disjoint_persistent_submap(tracked &mut self, tracked other: &GhostPersistentSubmap<K, V>, )

requires
old(self).id() == other.id(),
ensures
self.id() == old(self).id(),
self@ == old(self)@,
!other.dom().contains(self.key()),

Shows that if a GhostPointsTo and a GhostPersistentSubmap are not owning the same key

Source

pub proof fn disjoint_persistent(tracked &mut self, tracked other: &GhostPersistentPointsTo<K, V>)

requires
old(self).id() == other.id(),
ensures
self.id() == old(self).id(),
self@ == old(self)@,
self.key() != other.key(),

Shows that if a GhostPointsTo and a GhostPersistentPointsTo are not owning the same key

Source

pub proof fn update(tracked &mut self, tracked auth: &mut GhostMapAuth<K, V>, v: V)

requires
old(self).id() == old(auth).id(),
ensures
self.id() == old(self).id(),
auth.id() == old(auth).id(),
self.key() == old(self).key(),
self@ == (self.key(), v),
auth@ == old(auth)@.union_prefer_right(map![self.key() => v]),

Update pointed to value

Source

pub proof fn submap(tracked self) -> tracked r : GhostSubmap<K, V>

ensures
r.id() == self.id(),
r@ == map![self.key() => self.value()],

Convert the GhostPointsTo a GhostSubmap

Source

pub proof fn lemma_view(self)

ensures
self@ == (self.key(), self.value()),

Can be used to learn what the key-value pair of GhostPointsTo is

Source

pub proof fn persist(tracked self) -> tracked r : GhostPersistentPointsTo<K, V>

ensures
self@ == r@,
self.id() == r.id(),

Convert a GhostPointsTo into a GhostPersistentPointsTo

Auto Trait Implementations§

§

impl<K, V> Freeze for GhostPointsTo<K, V>

§

impl<K, V> RefUnwindSafe for GhostPointsTo<K, V>
where K: RefUnwindSafe, V: RefUnwindSafe,

§

impl<K, V> Send for GhostPointsTo<K, V>
where K: Send, V: Send,

§

impl<K, V> Sync for GhostPointsTo<K, V>
where K: Sync, V: Sync,

§

impl<K, V> Unpin for GhostPointsTo<K, V>
where K: Unpin, V: Unpin,

§

impl<K, V> UnwindSafe for GhostPointsTo<K, V>
where K: UnwindSafe, V: UnwindSafe,

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, VERUS_SPEC__A> FromSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: From<T>,

Source§

exec fn obeys_from_spec() -> bool

Source§

exec fn from_spec(v: T) -> VERUS_SPEC__A

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T, VERUS_SPEC__A> IntoSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: Into<T>,

Source§

exec fn obeys_into_spec() -> bool

Source§

exec fn into_spec(self) -> T

Source§

impl<T, U> IntoSpecImpl<U> for T
where U: From<T>,

Source§

open spec fn obeys_into_spec() -> bool

{ <U as FromSpec<Self>>::obeys_from_spec() }
Source§

open spec fn into_spec(self) -> U

{ U::from_spec(self) }
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.