creusot_contracts::ghost

Struct Ghost

Source 
pub struct Ghost<T>(/* private fields */);
Expand description

A type that can be used in ghost! context.

This type may be used to make more complicated proofs possible. In particular, some proof may need a notion of non-duplicable token to carry around.

Conceptually, a Ghost<T> is an object of type T that resides in a special “ghost” heap. This heap is inaccessible from normal code, and Ghost values cannot be used to influence the behavior of normal code.

This box can be accessed in a ghost! block:

let b: Ghost<i32> = Ghost::new(1);
ghost! {
    let value: i32 = b.into_inner();
    // use value here
}
let value: i32 = b.into_inner(); // compile error !

Implementations§

Source§

impl<T> Ghost<T>

Source

pub fn borrow(&self) -> Ghost<&T>

Transforms a &Ghost<T> into Ghost<&T>.

pure

ensures 

**result == **self

Source

pub fn borrow_mut(&mut self) -> Ghost<&mut T>

Transforms a &mut Ghost<T> into a Ghost<&mut T>.

pure

ensures 

*result.inner_logic() == (*self).inner_logic()

ensures 

^result.inner_logic() == (^self).inner_logic()

Source

pub fn conjure() -> Self

Conjures a Ghost<T> out of thin air.

This would be unsound in verified code, hence the false precondition. This function is nevertheless useful to create a Ghost in “trusted” contexts, when axiomatizing an API that is believed to be sound for external reasons.

pure

requires 

false

Source§

impl<T> Ghost<T>

Source

pub fn new(x: T) -> Self

Creates a new ghost variable.

This function can only be called in ghost! code.

pure

ensures 

*result == x

Source

pub fn new_logic(x: T) -> Self

logic 

Self(x)

ensures 

*result == x

Source

pub fn into_inner(self) -> T

Returns the inner value of the Ghost.

This function can only be called in ghost! context.

pure

ensures 

result == *self

Source

pub fn inner_logic(self) -> T

Returns the inner value of the Ghost.

You should prefer the dereference operator * instead.

logic 

self.0

Source§

impl<T, U> Ghost<(T, U)>

Source

pub fn split(self) -> (Ghost<T>, Ghost<U>)

pure

ensures 

*self == (*result.0, *result.1)

Trait Implementations§

Source§

impl<T: Clone> Clone for Ghost<T>

Source§

fn clone(&self) -> Self

ensures 

result == *self

1.0.0 · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
Source§

impl<T> Deref for Ghost<T>

Source§

fn deref(&self) -> &Self::Target

This function can only be called in ghost! context

pure

ensures 

(*self).inner_logic() == *result

Source§

type Target = T

The resulting type after dereferencing.
Source§

impl<T> DerefMut for Ghost<T>

Source§

fn deref_mut(&mut self) -> &mut Self::Target

This function can only be called in ghost! context

pure

ensures 

*result == (*self).inner_logic()

ensures 

^result == (^self).inner_logic()

Source§

impl<T> Invariant for Ghost<T>

Source§

fn invariant(self) -> bool

logic(prophetic) 

inv(self.inner_logic())

Source§

impl<T> Resolve for Ghost<T>

Source§

fn resolve(self) -> bool

logic(prophetic) 

resolve(&self.inner_logic())

Source§

fn resolve_coherence(&self)

logic(prophetic) 

{}

requires 

structural_resolve(self)

ensures 

(*self).resolve()

Source§

impl<T: View> View for Ghost<T>

Source§

fn view(self) -> Self::ViewTy

logic 

(*self).view()

Source§

type ViewTy = <T as View>::ViewTy

Auto Trait Implementations§

§

impl<T> !Freeze for Ghost<T>

§

impl<T> !RefUnwindSafe for Ghost<T>

§

impl<T> !Send for Ghost<T>

§

impl<T> !Sync for Ghost<T>

§

impl<T> !Unpin for Ghost<T>

§

impl<T> !UnwindSafe for Ghost<T>

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dst: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dst. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> MakeSized for T
where T: ?Sized,

Source§

fn make_sized(&self) -> Box<T>

logic

ensures 

*result == *self

Source§

impl<P, T> Receiver for P
where P: Deref<Target = T> + ?Sized, T: ?Sized,

Source§

type Target = T

🔬This is a nightly-only experimental API. (arbitrary_self_types)
The target type on which the method may be called.
Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.