Subset

creusot_contracts::invariant

Struct Subset 

Source 
pub struct Subset<T: InhabitedInvariant>(/* private fields */);
Expand description

A subset type.

This the same as T, with one exception: the invariant for T will also be verified in logic.

§Example

struct Pair(i32);
impl Invariant for Pair {
    #[logic] fn invariant(self) -> bool { self.0 % 2 == 0 }
}
impl InhabitedInvariant for Pair {
    #[logic]
    #[ensures(result.invariant())]
    fn inhabits() -> Self { Self(0i32) }
}

#[logic]
fn pair_in_logic(x: Subset<Pair>) {
    proof_assert!(x.0 % 2 == 0);
}

Implementations§

Source§

impl<T: InhabitedInvariant> Subset<T>

Source

pub fn new_logic(x: T) -> Self

Create a new element of Subset<T> in logic.

As per the documentation of Subset, the returned value will satisfy T’s type invariant.

(opaque)

requires 

x.invariant()

ensures 

result@ == x

Source

pub fn view_inj(self, other: Self)

Characterize that Subset<T> indeed contains a T (and only a T).

§Example
#[requires(x == y@)]
fn foo<T: InhabitedInvariant>(x: T, y: Subset<T>) {
    let x = Subset::new(x);
    let _ = snapshot!(Subset::<T>::view_inj);
    proof_assert!(x == y);
}

(opaque)

requires 

self@ == other@

ensures 

self == other

Source

pub fn new(x: T) -> Self

Create a new element of Subset<T>.

§Example
// Use the `Pair` type defined in `Subset`'s documentation

let p = Subset::new(Pair(0));
proof_assert!(p@.0 == 0i32);

terminates

ghost

ensures 

result == Self::new_logic(x)

Source

pub fn into_inner(self) -> T

Unwrap the Subset to get the inner value.

§Example
// Use the `Pair` type defined in `Subset`'s documentation

fn changes_pair(p: &mut Subset<Pair>) { /* ... */ }

let mut p = Subset::new(Pair(0));
changes_pair(&mut p);
let inner = p.into_inner();
proof_assert!(inner.0 % 2 == 0);

terminates

ghost

ensures 

result == self@

Trait Implementations§

Source§

impl<T: InhabitedInvariant + Clone> Clone for Subset<T>

Source§

fn clone(&self) -> Self

ensures 

T::clone.postcondition((&(self@),), result@)

1.0.0 · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
Source§

impl<T: InhabitedInvariant + DeepModel> DeepModel for Subset<T>

Source§

fn deep_model(self) -> T::DeepModelTy

(inline)

Source§

type DeepModelTy = <T as DeepModel>::DeepModelTy

Source§

impl<T: InhabitedInvariant> Deref for Subset<T>

Source§

fn deref(&self) -> &Self::Target

terminates

ghost

ensures 

*result == self@

Source§

type Target = T

The resulting type after dereferencing.
Source§

impl<T: InhabitedInvariant> DerefMut for Subset<T>

Source§

fn deref_mut(&mut self) -> &mut Self::Target

terminates

ghost

ensures 

*result == self@

ensures 

^result == (^self)@

Source§

impl<T: InhabitedInvariant + DeepModel + PartialEq> PartialEq for Subset<T>

Source§

fn eq(&self, rhs: &Self) -> bool

ensures 

result == (self.deep_model() == rhs.deep_model())

1.0.0 · Source§

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.
Source§

impl<T: InhabitedInvariant> Resolve for Subset<T>

Source§

fn resolve(self) -> bool

(open, prophetic, inline) 

pearlite! { resolve(self@) }

Source§

fn resolve_coherence(self)

(prophetic)

requires 

structural_resolve(self)

ensures 

self.resolve()

Source§

impl<T: InhabitedInvariant> View for Subset<T>

Source§

fn view(self) -> T

(opaque)

ensures 

result.invariant()

Source§

type ViewTy = T

Source§

impl<T: InhabitedInvariant + Copy> Copy for Subset<T>

Source§

impl<T: InhabitedInvariant + DeepModel + Eq> Eq for Subset<T>

Auto Trait Implementations§

§

impl<T> Freeze for Subset<T>
where T: Freeze,

§

impl<T> RefUnwindSafe for Subset<T>
where T: RefUnwindSafe,

§

impl<T> Send for Subset<T>
where T: Send,

§

impl<T> Sync for Subset<T>
where T: Sync,

§

impl<T> Unpin for Subset<T>
where T: Unpin,

§

impl<T> UnwindSafe for Subset<T>
where T: UnwindSafe,

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<P, T> Receiver for P
where P: Deref<Target = T> + ?Sized, T: ?Sized,

Source§

type Target = T

🔬This is a nightly-only experimental API. (arbitrary_self_types)
The target type on which the method may be called.
Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.