creusot_contracts::pcell

Struct PCell

Source 
pub struct PCell<T: ?Sized>(/* private fields */);
Expand description

A “permission” cell allowing interior mutability via a ghost token.

When writing/reading the cell, you need to explicitely pass a PCellOwn object.

§Safety

When using Creusot to verify the code, all methods should be safe to call. Indeed, Creusot ensures that every operation on the inner value uses the right PCellOwn object created by PCell::new, ensuring safety in a manner similar to ghost_cell.

Implementations§

Source§

impl<T> PCell<T>

Source

pub fn new(value: T) -> (Self, Ghost<PCellOwn<T>>)

Creates a new PCell containing the given value.

ensures 

result.0.id() == result.1.id()

ensures 

(*result.1)@ == value

Source

pub unsafe fn set(&self, perm: Ghost<&mut PCellOwn<T>>, val: T)

Sets the contained value.

§Safety

You must ensure that no other borrows to the inner value of self exists when calling this function.

Creusot will check that all calls to this function are indeed safe: see the type documentation.

requires 

self.id() == perm.id()

ensures 

val == (^perm.inner_logic())@

ensures 

resolve(&(*perm.inner_logic())@)

ensures 

self.id() == (^perm.inner_logic()).id()

Source

pub unsafe fn replace(&self, perm: Ghost<&mut PCellOwn<T>>, val: T) -> T

Replaces the contained value with val, and returns the old contained value.

§Safety

You must ensure that no other borrows to the inner value of self exists when calling this function.

Creusot will check that all calls to this function are indeed safe: see the type documentation.

requires 

self.id() == perm.id()

ensures 

val == (^perm.inner_logic())@

ensures 

result == (*perm.inner_logic())@

ensures 

self.id() == (^perm.inner_logic()).id()

Source

pub fn into_inner(self, perm: Ghost<PCellOwn<T>>) -> T

Unwraps the value, consuming the cell.

requires 

self.id() == perm.id()

ensures 

result == perm@

Source

pub unsafe fn borrow<'a>(&'a self, perm: Ghost<&'a PCellOwn<T>>) -> &'a T

Immutably borrows the wrapped value.

The permission also acts as a guard, preventing writes to the underlying value while it is borrowed.

§Safety

You must ensure that no mutable borrow to the inner value of self exists when calling this function.

Creusot will check that all calls to this function are indeed safe: see the type documentation.

requires 

self.id() == perm.id()

ensures 

*result == perm@

Source

pub unsafe fn borrow_mut<'a>( &'a self, perm: Ghost<&'a mut PCellOwn<T>>, ) -> &'a mut T

Mutably borrows the wrapped value.

The permission also acts as a guard, preventing accesses to the underlying value while it is borrowed.

§Safety

You must ensure that no other borrows to the inner value of self exists when calling this function.

Creusot will check that all calls to this function are indeed safe: see the type documentation.

requires 

self.id() == perm.id()

ensures 

self.id() == (^perm.inner_logic()).id()

ensures 

*result == (*perm.inner_logic())@

ensures 

^result == (^perm.inner_logic())@

Source§

impl<T> PCell<T>
where T: Copy,

Source

pub unsafe fn get(&self, perm: Ghost<&PCellOwn<T>>) -> T

Returns a copy of the contained value.

§Safety

You must ensure that no mutable borrow to the inner value of self exists when calling this function.

Creusot will check that all calls to this function are indeed safe: see the type documentation.

requires 

self.id() == perm.id()

ensures 

result == (**perm)@

Source§

impl<T> PCell<T>

Source

pub fn id(self) -> Id

Returns the logical identity of the cell.

This is used to guarantee that a PCellOwn is always used with the right PCell.

logic

Source

pub fn as_ptr(&self) -> *mut T

Returns a raw pointer to the underlying data in this cell.

ensures 

true

Source

pub fn from_mut(t: &mut T) -> (&PCell<T>, Ghost<&mut PCellOwn<T>>)

Returns a &PCell<T> from a &mut T

ensures 

result.0.id() == result.1.inner_logic().id()

ensures 

^t == (^result.1.inner_logic())@

ensures 

*t == (*result.1.inner_logic())@

Source§

impl<T> PCell<T>
where T: Default,

Source

pub unsafe fn take(&self, perm: Ghost<&mut PCellOwn<T>>) -> T

Takes the value of the cell, leaving Default::default() in its place.

§Safety

You must ensure that no other borrows to the inner value of self exists when calling this function.

Creusot will check that all calls to this function are indeed safe: see the type documentation.

requires 

self.id() == perm.id()

ensures 

self.id() == (^perm.inner_logic()).id()

ensures 

result == (*perm.inner_logic())@

ensures 

(^perm.inner_logic())@.is_default()

Auto Trait Implementations§

§

impl<T> !Freeze for PCell<T>

§

impl<T> !RefUnwindSafe for PCell<T>

§

impl<T> !Send for PCell<T>

§

impl<T> !Sized for PCell<T>

§

impl<T> !Sync for PCell<T>

§

impl<T> !Unpin for PCell<T>

§

impl<T> !UnwindSafe for PCell<T>

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> MakeSized for T
where T: ?Sized,

Source§

fn make_sized(&self) -> Box<T>

logic

ensures 

*result == *self

Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.