creusot_contracts::ptr_own

Struct PtrOwn

Source 
pub struct PtrOwn<T: ?Sized> { /* private fields */ }
Expand description

Token that represents the ownership of a memory cell. A PtrOwn value only exists in the ghost world, but can be used in combination with a corresponding RawPtr to access and modify memory.

A warning regarding memory leaks: dropping a Ghost<PtrOwn<T>> (we only ever handle ghost PtrOwn values) cannot deallocate the memory corresponding to the pointer because it is a ghost value. One must thus remember to explicitly call drop in order to free the memory tracked by a PtrOwn token.

§Safety

When using Creusot to verify the code, all methods should be safe to call. Indeed, Creusot ensures that every operation on the inner value uses the right PtrOwn object created by PtrOwn::new, ensuring safety in a manner similar to ghost_cell.

Implementations§

Source§

impl<T: ?Sized> PtrOwn<T>

Source

pub fn ptr(&self) -> RawPtr<T>

The raw pointer whose ownership is tracked by this PtrOwn

logic 

self.ptr

Source

pub fn val(&self) -> SizedW<T>

The value currently stored at address self.ptr()

logic 

self.val

Source§

impl<T> PtrOwn<T>

Source

pub fn new(v: T) -> (RawPtr<T>, Ghost<PtrOwn<T>>)

Creates a new PtrOwn and associated RawPtr by allocating a new memory cell initialized with v.

ensures 

result.1.ptr() == result.0 && *result.1.val() == v

Source§

impl<T: ?Sized> PtrOwn<T>

Source

pub fn from_box(val: Box<T>) -> (RawPtr<T>, Ghost<PtrOwn<T>>)

Creates a ghost PtrOwn and associated RawPtr from an existing Box.

ensures 

result.1.ptr() == result.0 && *result.1.val() == *val

Source

pub unsafe fn as_ref(ptr: RawPtr<T>, own: Ghost<&PtrOwn<T>>) -> &T

Immutably borrows the underlying T.

§Safety

Safety requirements are the same as a direct dereference: &*ptr.

Creusot will check that all calls to this function are indeed safe: see the type documentation.

requires 

ptr == own.ptr()

ensures 

*result == *own.val()

Source

pub unsafe fn as_mut(ptr: RawPtr<T>, own: Ghost<&mut PtrOwn<T>>) -> &mut T

Mutably borrows the underlying T.

§Safety

Safety requirements are the same as a direct dereference: &mut *ptr.

Creusot will check that all calls to this function are indeed safe: see the type documentation.

requires 

ptr == own.ptr()

ensures 

*result == *own.val()

ensures 

(^own.inner_logic()).ptr() == own.ptr()

ensures 

*(^own.inner_logic()).val() == ^result

Source

pub unsafe fn to_box(ptr: RawPtr<T>, own: Ghost<PtrOwn<T>>) -> Box<T>

Transfers ownership of own back into a Box.

§Safety

Safety requirements are the same as Box::from_raw.

Creusot will check that all calls to this function are indeed safe: see the type documentation.

requires 

ptr == own.ptr()

ensures 

*result == *own.val()

Source

pub unsafe fn drop(ptr: RawPtr<T>, own: Ghost<PtrOwn<T>>)

Deallocates the memory pointed by ptr.

§Safety

Safety requirements are the same as Box::from_raw.

Creusot will check that all calls to this function are indeed safe: see the type documentation.

requires 

ptr == own.ptr()

Source

pub fn disjoint_lemma(own1: &mut PtrOwn<T>, own2: &PtrOwn<T>)

If one owns two PtrOwns in ghost code, then they are for different pointers.

pure

ensures 

own1.ptr().addr_logic() != own2.ptr().addr_logic()

ensures 

*own1 == ^own1

Trait Implementations§

Source§

impl<T: ?Sized> Invariant for PtrOwn<T>

Source§

fn invariant(self) -> bool

logic 

!self.ptr().is_null_logic()

Auto Trait Implementations§

§

impl<T> Freeze for PtrOwn<T>
where T: ?Sized,

§

impl<T> !RefUnwindSafe for PtrOwn<T>

§

impl<T> !Send for PtrOwn<T>

§

impl<T> !Sync for PtrOwn<T>

§

impl<T> Unpin for PtrOwn<T>
where T: ?Sized,

§

impl<T> !UnwindSafe for PtrOwn<T>

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> MakeSized for T
where T: ?Sized,

Source§

fn make_sized(&self) -> Box<T>

logic

ensures 

*result == *self

Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.