GhostSetAuth

vstd::tokens::set

Struct GhostSetAuth 

Source 
pub struct GhostSetAuth<T> { /* private fields */ }
Expand description

A resource that has the authoritative ownership on the entire set

For ownership of only a subset of values, see GhostSubset. For ownership of a single value, see GhostSingleton.

Implementations§

Source§

impl<T> GhostSetAuth<T>

Source

pub closed spec fn id(self) -> Loc

Resource location

Source

pub closed spec fn view(self) -> Set<T>

Logically underlying Set

Source

pub proof fn new(s: Set<T>) -> tracked result : (GhostSetAuth<T>, GhostSubset<T>)

ensures
result.0.id() == result.1.id(),
result.0@ == s,
result.1@ == s,

Create a new GhostSetAuth from a Set. Gives the other half of ownership in the form of a GhostSubset

fn example() {
    let s = set![1int, 2int];
    let tracked (auth, sub) = GhostSetAuth::new(s);
    assert(auth@ == s);
    assert(sub@ == auth@);
}
Source

pub proof fn dummy() -> tracked result : GhostSetAuth<T>

Instantiate a dummy GhostSetAuth

Source

pub proof fn take(tracked &mut self) -> tracked result : GhostSetAuth<T>

ensures
result == *old(self),

Extract the GhostSetAuth from a mutable reference

Source

pub proof fn empty(tracked &self) -> tracked result : GhostSubset<T>

ensures
result.id() == self.id(),
result@ == Set::<T>::empty(),

Create an empty GhostSubset

Source

pub proof fn insert_set(tracked &mut self, s: Set<T>) -> tracked result : GhostSubset<T>

requires
old(self)@.disjoint(s),
ensures
self.id() == old(self).id(),
self@ == old(self)@.union(s),
result.id() == self.id(),
result@ == s,

Insert a Set of values, receiving the GhostSubset that asserts ownership over the set inserted.

proof fn insert_set_example(tracked mut m: GhostSetAuth<int>) -> (tracked r: GhostSubset<int>)
    requires
        m@.contains(1int),
        m@.contains(2int),
{
    let tracked subset = m.insert_set(set![1int, 2int]);
    // do something with the subset
    subset
}
Source

pub proof fn insert(tracked &mut self, v: T) -> tracked result : GhostSingleton<T>

requires
!old(self)@.contains(v),
ensures
self.id() == old(self).id(),
self@ == old(self)@.insert(v),
result.id() == self.id(),
result@ == v,

Insert a value, receiving the GhostSingleton that asserts ownerships over the value.

proof fn insert_example(tracked mut s: GhostSetAuth<int>) -> (tracked r: GhostSingleton<int>)
    requires
        !m@.contains(1int),
{
    let tracked singleton = m.insert(1);
    // do something with the singleton
    singleton
}
Source

pub proof fn delete(tracked &mut self, tracked f: GhostSubset<T>)

requires
f.id() == old(self).id(),
ensures
self.id() == old(self).id(),
self@ == old(self)@.difference(f@),

Delete a set of values

proof fn delete(tracked mut auth: GhostSetAuth<int>)
    requires
        auth@.contains(1int),
        auth@.contains(2int),
    ensures
        old(auth)@ == auth@
{
    let tracked submap = auth.insert_set(set![1int, 2int]);
    // do something with the submap
    auth.delete(submap)
}
Source

pub proof fn delete_singleton(tracked &mut self, tracked p: GhostSingleton<T>)

requires
p.id() == old(self).id(),
ensures
self.id() == old(self).id(),
self@ == old(self)@.remove(p@),

Delete a single key from the map

proof fn delete_key(tracked mut auth: GhostSetAuth<int>)
    requires
        auth.dom().contains(1int),
    ensures
        old(auth)@ == auth@
{
    let tracked points_to = auth.insert(1, 1);
    // do something with the submap
    auth.delete_points_to(points_to)
}

Auto Trait Implementations§

§

impl<T> Freeze for GhostSetAuth<T>

§

impl<T> RefUnwindSafe for GhostSetAuth<T>
where T: RefUnwindSafe,

§

impl<T> Send for GhostSetAuth<T>
where T: Send,

§

impl<T> Sync for GhostSetAuth<T>
where T: Sync,

§

impl<T> Unpin for GhostSetAuth<T>
where T: Unpin,

§

impl<T> UnwindSafe for GhostSetAuth<T>
where T: UnwindSafe,

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, VERUS_SPEC__A> FromSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: From<T>,

Source§

exec fn obeys_from_spec() -> bool

Source§

exec fn from_spec(v: T) -> VERUS_SPEC__A

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T, VERUS_SPEC__A> IntoSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: Into<T>,

Source§

exec fn obeys_into_spec() -> bool

Source§

exec fn into_spec(self) -> T

Source§

impl<T, U> IntoSpecImpl<U> for T
where U: From<T>,

Source§

open spec fn obeys_into_spec() -> bool

{ <U as FromSpec<Self>>::obeys_from_spec() }
Source§

open spec fn into_spec(self) -> U

{ U::from_spec(self) }
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.