Ghost

creusot_contracts::ghost

Struct Ghost 

Source 
pub struct Ghost<T: ?Sized>(/* private fields */);
Expand description

A type that can be used in ghost! context.

This type may be used to make more complicated proofs possible. In particular, some proof may need a notion of non-duplicable token to carry around.

Conceptually, a Ghost<T> is an object of type T that resides in a special “ghost” heap. This heap is inaccessible from normal code, and Ghost values cannot be used to influence the behavior of normal code.

This box can be accessed in a ghost! block:

let b: Ghost<i32> = Ghost::new(1);
ghost! {
    let value: i32 = b.into_inner();
    // use value here
}
let value: i32 = b.into_inner(); // compile error !

Implementations§

Source§

impl<T: ?Sized> Ghost<T>

Source

pub fn borrow(&self) -> Ghost<&T>

Transforms a &Ghost<T> into Ghost<&T>

erasure 

_

terminates

ghost

ensures 

**result == **self

Source

pub fn borrow_mut(&mut self) -> Ghost<&mut T>

Transforms a &mut Ghost<T> into a Ghost<&mut T>.

erasure 

_

terminates

ghost

ensures 

*result == &mut **self

Source

pub fn conjure() -> Self

Conjures a Ghost<T> out of thin air.

This would be unsound in verified code, hence the false precondition. This function is nevertheless useful to create a Ghost in “trusted” contexts, when axiomatizing an API that is believed to be sound for external reasons.

erasure 

_

terminates

ghost

requires 

false

Source§

impl<T: ?Sized> Ghost<T>

Source

pub fn new(x: T) -> Self
where T: Sized,

Creates a new ghost variable.

This function can only be called in ghost! code.

terminates

ghost

ensures 

*result == x

Source

pub fn new_logic(x: T) -> Self

(opaque)

ensures 

*result == x

Source

pub fn into_inner(self) -> T
where T: Sized,

Returns the inner value of the Ghost.

This function can only be called in ghost! context.

terminates

ghost

ensures 

result == *self

Source

pub fn inner_logic(self) -> T
where T: Sized,

Returns the inner value of the Ghost.

You should prefer the dereference operator * instead.

Source§

impl<T, U: ?Sized> Ghost<(T, U)>

Source

pub fn split(self) -> (Ghost<T>, Ghost<U>)

terminates

ghost

erasure 

_

ensures 

(*self).0 == *result.0

ensures 

(*self).1 == *result.1

Trait Implementations§

Source§

impl<T: Clone + Copy> Clone for Ghost<T>

Source§

fn clone(&self) -> Self

terminates

ghost

ensures 

result == *self

1.0.0 · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
Source§

impl<T: ?Sized> Deref for Ghost<T>

Source§

fn deref(&self) -> &Self::Target

This function can only be called in ghost! context

terminates

ghost

requires 

false

ensures 

result == &**self

Source§

type Target = T

The resulting type after dereferencing.
Source§

impl<T: ?Sized> DerefMut for Ghost<T>

Source§

fn deref_mut(&mut self) -> &mut Self::Target

This function can only be called in ghost! context

terminates

ghost

requires 

false

ensures 

result == &mut **self

Source§

impl<T: ?Sized + Fin> Fin for Ghost<T>

Source§

fn fin<'a>(self) -> &'a Self::Target

(open, prophetic, inline) 

pearlite! { &^*self }

Source§

type Target = <T as Fin>::Target

Source§

impl<T: ?Sized> Invariant for Ghost<T>

Source§

fn invariant(self) -> bool

(open, prophetic, inline) 

inv(*self)

Source§

impl<'a, L> LocalInvariantExt<'a> for &'a Ghost<L>
where Ghost<&'a L>: LocalInvariantExt<'a>,

Source§

fn open<A, F>(self, tokens: Ghost<Tokens<'a>>, f: F) -> A
where F: FnOnce(Ghost<&'a mut Self::Inner>) -> A,

requires

<Ghost<&'a L> as LocalInvariantExt<'a>>::open.precondition((Ghost::new_logic(&**self), tokens, f))

ensures

<Ghost<&'a L> as LocalInvariantExt<'a>>::open.postcondition((Ghost::new_logic(&**self), tokens, f), result)
Source§

type Inner = <Ghost<&'a L> as LocalInvariantExt<'a>>::Inner

Source§

impl<'a, T: Protocol> LocalInvariantExt<'a> for Ghost<&'a LocalInvariant<T>>

Source§

fn open<A, F>(self, tokens: Ghost<Tokens<'a>>, f: F) -> A
where F: FnOnce(Ghost<&'a mut Self::Inner>) -> A,

requires 

tokens.contains(self.namespace())

requires

forall<t: Ghost<&mut T>> (**t).protocol(self.public()) && inv(t) ==>
        f.precondition((t,)) &&
        // f must restore the invariant
        (forall<res: A> f.postcondition_once((t,), res) ==> (^t).protocol(self.public()))

ensures

exists<t: Ghost<&mut T>> t.protocol(self.public()) && f.postcondition_once((t,), result)
Source§

type Inner = T

Source§

impl<'a, T> LocalInvariantExt<'a> for Ghost<&'a T>
where T: Deref, Ghost<&'a T::Target>: LocalInvariantExt<'a>,

Source§

fn open<A, F>(self, tokens: Ghost<Tokens<'a>>, f: F) -> A
where F: FnOnce(Ghost<&'a mut Self::Inner>) -> A,

requires 

T::deref.precondition((*self,))

requires

forall<this> T::deref.postcondition((*self,), this) ==>
        <Ghost<&'a T::Target> as LocalInvariantExt<'a>>::open.precondition((Ghost::new_logic(this), tokens, f))

ensures

exists<this> T::deref.postcondition((*self,), this) &&
        <Ghost<&'a T::Target> as LocalInvariantExt<'a>>::open.postcondition((Ghost::new_logic(this), tokens, f), result)
Source§

type Inner = <Ghost<&'a <T as Deref>::Target> as LocalInvariantExt<'a>>::Inner

Source§

impl<T: Copy> Copy for Ghost<T>

Auto Trait Implementations§

§

impl<T> Freeze for Ghost<T>
where T: ?Sized,

§

impl<T> RefUnwindSafe for Ghost<T>
where T: RefUnwindSafe + ?Sized,

§

impl<T> Send for Ghost<T>
where T: Send + ?Sized,

§

impl<T> Sync for Ghost<T>
where T: Sync + ?Sized,

§

impl<T> Unpin for Ghost<T>
where T: Unpin + ?Sized,

§

impl<T> UnwindSafe for Ghost<T>
where T: UnwindSafe + ?Sized,

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<P, T> Receiver for P
where P: Deref<Target = T> + ?Sized, T: ?Sized,

Source§

type Target = T

🔬This is a nightly-only experimental API. (arbitrary_self_types)
The target type on which the method may be called.
Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.