Struct creusot_contracts::ptr_own::PtrOwn

source · 
pub struct PtrOwn<T: ?Sized>(/* private fields */);
Expand description

Token that represents the ownership of a memory cell. A PtrOwn value only exists in the ghost world, but can be used in combination with a corresponding RawPtr to access and modify memory.

A warning regarding memory leaks: dropping a GhostBox<PtrOwn<T>> (we only ever handle ghost PtrOwn values) cannot deallocate the memory corresponding to the pointer because it is a ghost value. One must thus remember to explicitly call drop in order to free the memory tracked by a PtrOwn token.

Implementations§

source§

impl<T: ?Sized> PtrOwn<T>

source

pub fn ptr(&self) -> RawPtr<T>

The raw pointer whose ownership is tracked by this PtrOwn

logic

source

pub fn val(&self) -> SizedW<T>

The value currently stored at address self.ptr()

logic

source§

impl<T> PtrOwn<T>

source

pub fn new(v: T) -> (RawPtr<T>, GhostBox<PtrOwn<T>>)

Creates a new PtrOwn and associated RawPtr by allocating a new memory cell initialized with v.

ensures 

result.1.ptr() == result.0 && *result.1.val() == v

source§

impl<T: ?Sized> PtrOwn<T>

source

pub fn from_box(val: Box<T>) -> (RawPtr<T>, GhostBox<PtrOwn<T>>)

Creates a ghost PtrOwn and associated RawPtr from an existing Box.

ensures 

result.1.ptr() == result.0 && *result.1.val() == *val

source

pub fn as_ref(ptr: RawPtr<T>, own: GhostBox<&PtrOwn<T>>) -> &T

Immutably borrows the underlying T.

requires 

ptr == own.ptr()

ensures 

*result == *own.val()

source

pub fn as_mut(ptr: RawPtr<T>, own: GhostBox<&mut PtrOwn<T>>) -> &mut T

Mutably borrows the underlying T.

requires 

ptr == own.ptr()

ensures 

*result == *own.val()

ensures 

(^own.inner_logic()).ptr() == own.ptr()

ensures 

*(^own.inner_logic()).val() == ^result

source

pub fn to_box(ptr: RawPtr<T>, own: GhostBox<PtrOwn<T>>) -> Box<T>

Transfers ownership of own back into a Box.

requires 

ptr == own.ptr()

ensures 

*result == *own.val()

source

pub fn drop(ptr: RawPtr<T>, own: GhostBox<PtrOwn<T>>)

Deallocates the memory pointed by ptr.

requires 

ptr == own.ptr()

source

pub fn disjoint_lemma(own1: &mut PtrOwn<T>, own2: &PtrOwn<T>)

If one owns two PtrOwns in ghost code, then they are for different pointers.

pure

ensures 

own1.ptr().addr_logic() != own2.ptr().addr_logic()

ensures 

*own1 == ^own1

Trait Implementations§

source§

impl<T: ?Sized> Invariant for PtrOwn<T>

source§

fn invariant(self) -> bool

logic(prophetic) 

pearlite! { !self.ptr().is_null_logic() && inv(self.val()) }

Auto Trait Implementations§

§

impl<T> Freeze for PtrOwn<T>
where T: ?Sized,

§

impl<T> !RefUnwindSafe for PtrOwn<T>

§

impl<T> !Send for PtrOwn<T>

§

impl<T> !Sync for PtrOwn<T>

§

impl<T> !Unpin for PtrOwn<T>

§

impl<T> !UnwindSafe for PtrOwn<T>

Blanket Implementations§

source§

impl<T> Any for T
where T: 'static + ?Sized,

source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
source§

impl<T> Borrow<T> for T
where T: ?Sized,

source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
source§

impl<T> From<T> for T

source§

fn from(t: T) -> T

Returns the argument unchanged.

source§

impl<T, U> Into<U> for T
where U: From<T>,

source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

source§

impl<T> MakeSized for T
where T: ?Sized,

source§

fn make_sized(&self) -> Box<T>

logic

ensures 

*result == *self

source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

§

type Error = Infallible

The type returned in the event of a conversion error.
source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.