GhostSingleton

vstd::tokens::set

Struct GhostSingleton 

Source 
pub struct GhostSingleton<T> { /* private fields */ }
Expand description

A resource that has client ownership of a singleton

The existence of a GhostSingleton implies that:

Implementations§

Source§

impl<T> GhostSingleton<T>

Source

pub closed spec fn id(self) -> Loc

Location of the underlying resource

Source

pub closed spec fn view(self) -> T

Value owned by the singleton

Source

pub proof fn agree(tracked self: &GhostSingleton<T>, tracked auth: &GhostSetAuth<T>)

requires
self.id() == auth.id(),
ensures
auth@.contains(self@),

Agreement between a GhostSingleton and a corresponding GhostSetAuth

Verus might not have full context of the GhostSetAuth and a corresponding GhostSingleton. However, whenever we know that they refer to the same resource (i.e., have matching ids) we can assert that the GhostSingleton is a subset of the GhostSetAuth.

proof fn test(tracked &auth: GhostSetAuth<int>, tracked &pt: GhostSingleton<int>)
    requires
        auth.id() == sub.id(),
        pt@ == 1int
    ensures
        auth@.contains(1int)
{
    pt.agree(auth);
    assert(auth@.contains(1int));
}
Source

pub proof fn combine(tracked self, tracked other: GhostSingleton<T>) -> tracked r : GhostSubset<T>

requires
self.id() == other.id(),
ensures
r.id() == self.id(),
r@ == set![self @, other @],
self@ != other@,

We can combine two GhostSingletons into a GhostSubset We also learn that they were disjoint.

Source

pub proof fn disjoint(tracked &mut self, tracked other: &GhostSingleton<T>)

requires
old(self).id() == other.id(),
ensures
self.id() == old(self).id(),
self@ == old(self)@,
self@ != other@,

Shows that if a two GhostSingletons are not owning the same value

Source

pub proof fn disjoint_persistent(tracked &mut self, tracked other: &GhostPersistentSingleton<T>)

requires
old(self).id() == other.id(),
ensures
self.id() == old(self).id(),
self@ == old(self)@,
self@ != other@,

Shows that if a GhostSingleton and a GhostPersistentSingleton are not owning the same value

Source

pub proof fn disjoint_subset(tracked &mut self, tracked other: &GhostSubset<T>)

requires
old(self).id() == other.id(),
ensures
self.id() == old(self).id(),
self@ == old(self)@,
!other@.contains(self@),

Shows that if a GhostSingleton and a GhostSubset are not owning the same value

Source

pub proof fn disjoint_persistent_subset(tracked &mut self, tracked other: &GhostPersistentSubset<T>)

requires
old(self).id() == other.id(),
ensures
self.id() == old(self).id(),
self@ == old(self)@,
!other@.contains(self@),

Shows that if a GhostSingleton and a GhostPersistentSubset are not owning the same value

Source

pub proof fn subset(tracked self) -> tracked r : GhostSubset<T>

ensures
r.id() == self.id(),
r@ == set![self @],

Convert the GhostSingleton a GhostSubset

Source

pub proof fn persist(tracked self) -> tracked r : GhostPersistentSingleton<T>

ensures
self@ == r@,
self.id() == r.id(),

Converting a GhostSingleton into a GhostPersistentSingleton

Auto Trait Implementations§

§

impl<T> Freeze for GhostSingleton<T>

§

impl<T> RefUnwindSafe for GhostSingleton<T>
where T: RefUnwindSafe,

§

impl<T> Send for GhostSingleton<T>
where T: Send,

§

impl<T> Sync for GhostSingleton<T>
where T: Sync,

§

impl<T> Unpin for GhostSingleton<T>
where T: Unpin,

§

impl<T> UnwindSafe for GhostSingleton<T>
where T: UnwindSafe,

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, VERUS_SPEC__A> FromSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: From<T>,

Source§

exec fn obeys_from_spec() -> bool

Source§

exec fn from_spec(v: T) -> VERUS_SPEC__A

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T, VERUS_SPEC__A> IntoSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: Into<T>,

Source§

exec fn obeys_into_spec() -> bool

Source§

exec fn into_spec(self) -> T

Source§

impl<T, U> IntoSpecImpl<U> for T
where U: From<T>,

Source§

open spec fn obeys_into_spec() -> bool

{ <U as FromSpec<Self>>::obeys_from_spec() }
Source§

open spec fn into_spec(self) -> U

{ U::from_spec(self) }
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.