GhostSubset

vstd::tokens::set

Struct GhostSubset 

Source 
pub struct GhostSubset<T> { /* private fields */ }
Expand description

A resource that has client ownership of a subset

The existence of a GhostSubset implies that:

Implementations§

Source§

impl<T> GhostSubset<T>

Source

pub open spec fn is_singleton(self) -> bool

{
    &&& self@.len() == 1
    &&& self@.finite()
    &&& !self@.is_empty()

}

Checks whether the GhostSubset refers to a single value (and thus can be converted to a GhostSingleton).

Source

pub closed spec fn id(self) -> Loc

Resource location

Source

pub closed spec fn view(self) -> Set<T>

Logically underlying Set

Source

pub proof fn dummy() -> tracked result : GhostSubset<T>

Instantiate a dummy GhostSubset

Source

pub proof fn empty(id: int) -> tracked result : GhostSubset<T>

ensures
result.id() == id,
result@ == Set::<T>::empty(),

Instantiate an empty GhostSubset of a particular id

Source

pub proof fn take(tracked &mut self) -> tracked result : GhostSubset<T>

ensures
old(self).id() == self.id(),
self@.is_empty(),
result == *old(self),
result.id() == self.id(),

Extract the GhostSubset from a mutable reference, leaving behind an empty map.

Source

pub proof fn agree(tracked self: &GhostSubset<T>, tracked auth: &GhostSetAuth<T>)

requires
self.id() == auth.id(),
ensures
self@ <= auth@,

Agreement between a GhostSubset and a corresponding GhostSetAuth

Verus might not have full context of the GhostSetAuth and a corresponding GhostSubset. However, whenever we know that they refer to the same resource (i.e., have matching ids) we can assert that the GhostSubset is a submap of the GhostSetAuth.

proof fn test(tracked &auth: GhostSetAuth<int>, tracked &sub: GhostSubset<int>)
    requires
        auth.id() == sub.id(),
        sub@.contains(1int),
    ensures
        auth@.contains(1int),
{
    sub.agree(auth);
    assert(sub@ <= auth@);
    assert(auth.contains(1int));
}
Source

pub proof fn combine(tracked &mut self, tracked other: GhostSubset<T>)

requires
old(self).id() == other.id(),
ensures
self.id() == old(self).id(),
self@ == old(self)@.union(other@),
old(self)@.disjoint(other@),

Combining two GhostSubsets is possible. We consume the input GhostSubset and merge it into the first. We also learn that they were disjoint.

Source

pub proof fn combine_singleton(tracked &mut self, tracked other: GhostSingleton<T>)

requires
old(self).id() == other.id(),
ensures
self.id() == old(self).id(),
self@ == old(self)@.insert(other@),
!old(self)@.contains(other@),

Combining a GhostSingleton into GhostSubset is possible, in a similar way to the way to combine GhostSubsets.

Source

pub proof fn disjoint(tracked &mut self, tracked other: &GhostSubset<T>)

requires
old(self).id() == other.id(),
ensures
self.id() == old(self).id(),
self@ == old(self)@,
self@.disjoint(other@),

When we have two GhostSubsets we can prove that they have disjoint domains.

Source

pub proof fn disjoint_persistent(tracked &mut self, tracked other: &GhostPersistentSubset<T>)

requires
old(self).id() == other.id(),
ensures
self.id() == old(self).id(),
self@ == old(self)@,
self@.disjoint(other@),

When we have a GhostSubset and a GhostPersistentSubset we can prove that they are in disjoint domains.

Source

pub proof fn disjoint_singleton(tracked &mut self, tracked other: &GhostSingleton<T>)

requires
old(self).id() == other.id(),
ensures
self.id() == old(self).id(),
self@ == old(self)@,
!self@.contains(other@),

When we have a GhostSubset and a GhostSingleton we can prove that they are in disjoint domains.

Source

pub proof fn disjoint_persistent_singleton(tracked &mut self, tracked other: &GhostPersistentSingleton<T>, )

requires
old(self).id() == other.id(),
ensures
self.id() == old(self).id(),
self@ == old(self)@,
!self@.contains(other@),

When we have a GhostSubset and a GhostPersistentSingleton we can prove that they are in disjoint domains.

Source

pub proof fn split(tracked &mut self, s: Set<T>) -> tracked result : GhostSubset<T>

requires
s <= old(self)@,
ensures
self.id() == old(self).id(),
result.id() == self.id(),
old(self)@ == self@.union(result@),
result@ =~= s,
self@ =~= old(self)@ - s,

We can split a GhostSubset based on a set of values

Source

pub proof fn split_singleton(tracked &mut self, v: T) -> tracked result : GhostSingleton<T>

requires
old(self)@.contains(v),
ensures
self.id() == old(self).id(),
result.id() == self.id(),
old(self)@ == self@.insert(result@),
result@ == v,
self@ =~= old(self)@.remove(v),

We can separate a single value out of a GhostSubset

Source

pub proof fn singleton(tracked self) -> tracked r : GhostSingleton<T>

requires
self.is_singleton(),
ensures
self@ == set![r @],
self.id() == r.id(),

Converting a GhostSubset into a GhostSingleton

Source

pub proof fn persist(tracked self) -> tracked r : GhostPersistentSubset<T>

ensures
self@ == r@,
self.id() == r.id(),

Converting a GhostSubset into a GhostPersistentSubset

Auto Trait Implementations§

§

impl<T> Freeze for GhostSubset<T>

§

impl<T> RefUnwindSafe for GhostSubset<T>
where T: RefUnwindSafe,

§

impl<T> Send for GhostSubset<T>
where T: Send,

§

impl<T> Sync for GhostSubset<T>
where T: Sync,

§

impl<T> Unpin for GhostSubset<T>
where T: Unpin,

§

impl<T> UnwindSafe for GhostSubset<T>
where T: UnwindSafe,

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, VERUS_SPEC__A> FromSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: From<T>,

Source§

exec fn obeys_from_spec() -> bool

Source§

exec fn from_spec(v: T) -> VERUS_SPEC__A

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T, VERUS_SPEC__A> IntoSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: Into<T>,

Source§

exec fn obeys_into_spec() -> bool

Source§

exec fn into_spec(self) -> T

Source§

impl<T, U> IntoSpecImpl<U> for T
where U: From<T>,

Source§

open spec fn obeys_into_spec() -> bool

{ <U as FromSpec<Self>>::obeys_from_spec() }
Source§

open spec fn into_spec(self) -> U

{ U::from_spec(self) }
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.