pub trait IteratorSpec: Iterator {
// Required methods
fn produces(self, visited: Seq<Self::Item>, o: Self) -> bool;
fn completed(&mut self) -> bool;
fn produces_refl(self);
fn produces_trans(
a: Self,
ab: Seq<Self::Item>,
b: Self,
bc: Seq<Self::Item>,
c: Self,
);
// Provided method
fn map_inv<B, F>(self, func: F) -> MapInv<Self, F> ⓘ
where Self: Sized,
F: FnMut(Self::Item, Snapshot<Seq<Self::Item>>) -> B { ... }
}Required Methods§
Sourcefn produces_refl(self)
fn produces_refl(self)
(law) ⚠
ensures
self.produces(Seq::empty(), self)Provided Methods§
Sourcefn map_inv<B, F>(self, func: F) -> MapInv<Self, F> ⓘ
fn map_inv<B, F>(self, func: F) -> MapInv<Self, F> ⓘ
terminates
ghost
requires
forall<e, i2> self.produces(Seq::singleton(e), i2) ==> func.precondition((e, Snapshot::new(Seq::empty())))
requires
MapInv::<Self, F>::reinitialize()requires
MapInv::<Self, F>::preservation(self, func)ensures
result == MapInv { iter: self, func, produced: Snapshot::new(Seq::empty())}
Dyn Compatibility§
This trait is not dyn compatible.
In older versions of Rust, dyn compatibility was called "object safety", so this trait is not object safe.
Implementations on Foreign Types§
Source§impl<'a, I, T> IteratorSpec for Cloned<I>
impl<'a, I, T> IteratorSpec for Cloned<I>
Source§fn completed(&mut self) -> bool
fn completed(&mut self) -> bool
(open, prophetic)
pearlite! { exists<inner: &mut _> *inner == self.iter() && ^inner == (^self).iter() && inner.completed() }
Source§fn produces(self, visited: Seq<T>, o: Self) -> bool
fn produces(self, visited: Seq<T>, o: Self) -> bool
(open, prophetic)
pearlite! { exists<s: Seq<&'a T>> self.iter().produces(s, o.iter()) && visited.len() == s.len() && forall<i> 0 <= i && i < s.len() ==> T::clone.postcondition((s[i],), visited[i]) }
Source§fn produces_refl(self)
fn produces_refl(self)
(law) ⚠
ensures
self.produces(Seq::empty(), self)Source§fn produces_trans(a: Self, ab: Seq<T>, b: Self, bc: Seq<T>, c: Self)
fn produces_trans(a: Self, ab: Seq<T>, b: Self, bc: Seq<T>, c: Self)
(law) ⚠
requires
a.produces(ab, b)requires
b.produces(bc, c)ensures
a.produces(ab.concat(bc), c)Source§impl<'a, I, T> IteratorSpec for Copied<I>
impl<'a, I, T> IteratorSpec for Copied<I>
Source§fn completed(&mut self) -> bool
fn completed(&mut self) -> bool
(open, prophetic)
pearlite! { exists<inner: &mut _> *inner == self.iter() && ^inner == (^self).iter() && inner.completed() }
Source§fn produces(self, visited: Seq<Self::Item>, o: Self) -> bool
fn produces(self, visited: Seq<Self::Item>, o: Self) -> bool
(open, prophetic)
pearlite! { exists<s: Seq<&'a T>> self.iter().produces(s, o.iter()) && visited.len() == s.len() && forall<i> 0 <= i && i < s.len() ==> visited[i] == *s[i] }
Source§fn produces_refl(self)
fn produces_refl(self)
(law) ⚠
ensures
self.produces(Seq::empty(), self)Source§impl<'a, K: DeepModel, V> IteratorSpec for Iter<'a, K, V>
impl<'a, K: DeepModel, V> IteratorSpec for Iter<'a, K, V>
Source§fn produces(self, visited: Seq<Self::Item>, o: Self) -> bool
fn produces(self, visited: Seq<Self::Item>, o: Self) -> bool
(open, prophetic, inline)
// `self@` equals the union of `visited` (viewed as a finite map) and `o@` pearlite! { self@.len() == visited.len() + o@.len() && (forall<k: &K, v: &V> visited.contains((k, v)) ==> self@.get(k.deep_model()) == Some(*v) && o@.get(k.deep_model()) == None) && (forall<k: K::DeepModelTy, v: V> o@.get(k) == Some(v) ==> self@.get(k) == Some(v) && !exists<k2: &K, v2: &V> k2.deep_model() == k && visited.contains((k2, v2))) && (forall<k: K::DeepModelTy, v: V> self@.get(k) == Some(v) ==> (exists<k2: &K> k2.deep_model() == k && visited.contains((k2, &v))) || o@.get(k) == Some(v)) && (forall<i1, i2> 0 <= i1 && i1 < visited.len() && 0 <= i2 && i2 < visited.len() && visited[i1].0.deep_model() == visited[i2].0.deep_model() ==> i1 == i2) }
Source§fn completed(&mut self) -> bool
fn completed(&mut self) -> bool
(open, prophetic)
pearlite! { resolve(self) && self@.is_empty() }Source§fn produces_refl(self)
fn produces_refl(self)
(open, law)
{}ensures
self.produces(Seq::empty(), self)Source§impl<'a, K: DeepModel, V> IteratorSpec for IterMut<'a, K, V>
impl<'a, K: DeepModel, V> IteratorSpec for IterMut<'a, K, V>
Source§fn produces(self, visited: Seq<Self::Item>, o: Self) -> bool
fn produces(self, visited: Seq<Self::Item>, o: Self) -> bool
(open, prophetic, inline)
// self@ equals the union of visited (viewed as a fmap) and o@ pearlite! { self@.len() == visited.len() + o@.len() && (forall<k: K, v: &mut V> visited.contains((&k, v)) ==> self@.get(k.deep_model()) == Some(v) && o@.get(k.deep_model()) == None) && (forall<k: K::DeepModelTy, v: &mut V> o@.get(k) == Some(v) ==> self@.get(k) == Some(v) && !exists<k2: &K, v2: &mut V> k2.deep_model() == k && visited.contains((k2, v2))) && (forall<k: K::DeepModelTy, v: &mut V> self@.get(k) == Some(v) ==> (exists<k1: &K> k1.deep_model() == k && visited.contains((k1, v))) || o@.get(k) == Some(v)) && (forall<i1, i2> 0 <= i1 && i1 < visited.len() && 0 <= i2 && i2 < visited.len() && visited[i1].0.deep_model() == visited[i2].0.deep_model() ==> i1 == i2) }
Source§fn completed(&mut self) -> bool
fn completed(&mut self) -> bool
(open, prophetic)
pearlite! { resolve(self) && self@.is_empty() }Source§fn produces_refl(self)
fn produces_refl(self)
(open, law)
{}ensures
self.produces(Seq::empty(), self)Source§impl<'a, T> IteratorSpec for Iter<'a, T>
impl<'a, T> IteratorSpec for Iter<'a, T>
Source§fn completed(&mut self) -> bool
fn completed(&mut self) -> bool
(open, prophetic)
pearlite! { resolve(self) && (*self@)@ == Seq::empty() }Source§fn produces(self, visited: Seq<Self::Item>, tl: Self) -> bool
fn produces(self, visited: Seq<Self::Item>, tl: Self) -> bool
(open)
pearlite! { self@.to_ref_seq() == visited.concat(tl@.to_ref_seq()) }
Source§fn produces_refl(self)
fn produces_refl(self)
(open, law)
{}ensures
self.produces(Seq::empty(), self)Source§impl<'a, T> IteratorSpec for Iter<'a, T>
impl<'a, T> IteratorSpec for Iter<'a, T>
Source§fn completed(&mut self) -> bool
fn completed(&mut self) -> bool
(open, prophetic)
pearlite! { resolve(self) && (*self@)@ == Seq::empty() }Source§fn produces(self, visited: Seq<Self::Item>, tl: Self) -> bool
fn produces(self, visited: Seq<Self::Item>, tl: Self) -> bool
(open)
pearlite! { self@.to_ref_seq() == visited.concat(tl@.to_ref_seq()) }
Source§fn produces_refl(self)
fn produces_refl(self)
(open, law)
{}ensures
self.produces(Seq::empty(), self)Source§impl<'a, T> IteratorSpec for IterMut<'a, T>
impl<'a, T> IteratorSpec for IterMut<'a, T>
Source§fn completed(&mut self) -> bool
fn completed(&mut self) -> bool
(open, prophetic)
pearlite! { resolve(self) && (*self@)@ == Seq::empty() }Source§fn produces(self, visited: Seq<Self::Item>, tl: Self) -> bool
fn produces(self, visited: Seq<Self::Item>, tl: Self) -> bool
(open)
pearlite! { self@.to_mut_seq() == visited.concat(tl@.to_mut_seq()) }
Source§fn produces_refl(self)
fn produces_refl(self)
(open, law)
{}ensures
self.produces(Seq::empty(), self)Source§impl<'a, T: DeepModel> IteratorSpec for Iter<'a, T>
impl<'a, T: DeepModel> IteratorSpec for Iter<'a, T>
Source§impl<'a, T: Eq + Hash + DeepModel, S: BuildHasher> IteratorSpec for Difference<'a, T, S>
impl<'a, T: Eq + Hash + DeepModel, S: BuildHasher> IteratorSpec for Difference<'a, T, S>
Source§fn produces(self, visited: Seq<Self::Item>, o: Self) -> bool
fn produces(self, visited: Seq<Self::Item>, o: Self) -> bool
(open, prophetic)
set_produces(self, visited, o)Source§fn completed(&mut self) -> bool
fn completed(&mut self) -> bool
(open, prophetic)
pearlite! { resolve(self) && (self@).is_empty() }Source§fn produces_refl(self)
fn produces_refl(self)
(open, law)
{}ensures
self.produces(Seq::empty(), self)Source§impl<'a, T: Eq + Hash + DeepModel, S: BuildHasher> IteratorSpec for Intersection<'a, T, S>
impl<'a, T: Eq + Hash + DeepModel, S: BuildHasher> IteratorSpec for Intersection<'a, T, S>
Source§fn produces(self, visited: Seq<Self::Item>, o: Self) -> bool
fn produces(self, visited: Seq<Self::Item>, o: Self) -> bool
(open, prophetic)
set_produces(self, visited, o)Source§fn completed(&mut self) -> bool
fn completed(&mut self) -> bool
(open, prophetic)
pearlite! { resolve(self) && (self@).is_empty() }Source§fn produces_refl(self)
fn produces_refl(self)
(open, law)
{}ensures
self.produces(Seq::empty(), self)Source§impl<A: IteratorSpec, B: IteratorSpec> IteratorSpec for Zip<A, B>
impl<A: IteratorSpec, B: IteratorSpec> IteratorSpec for Zip<A, B>
Source§fn completed(&mut self) -> bool
fn completed(&mut self) -> bool
(open, prophetic)
pearlite! { exists<a: &mut A, b: &mut B> *a == (*self).itera() && *b == (*self).iterb() && ^a == (^self).itera() && ^b == (^self).iterb() && (a.completed() && resolve(b) || exists<x: A::Item> inv(x) && (*a).produces(Seq::singleton(x), ^a) && resolve(x) && (*b).completed()) }
Source§fn produces(self, visited: Seq<Self::Item>, o: Self) -> bool
fn produces(self, visited: Seq<Self::Item>, o: Self) -> bool
(open, prophetic)
pearlite! { // Using an `unzip` definition doesn't work well because of issues related to datatypes and `match` exists<p1: Seq<_>, p2: Seq<_>> p1.len() == p2.len() && p2.len() == visited.len() && (forall<i> 0 <= i && i < visited.len() ==> visited[i] == (p1[i], p2[i])) && self.itera().produces(p1, o.itera()) && self.iterb().produces(p2, o.iterb()) }
Source§fn produces_refl(self)
fn produces_refl(self)
(law) ⚠
ensures
self.produces(Seq::empty(), self)Source§impl<I: DoubleEndedIteratorSpec> IteratorSpec for Rev<I>
impl<I: DoubleEndedIteratorSpec> IteratorSpec for Rev<I>
Source§impl<I: IteratorSpec + ?Sized> IteratorSpec for &mut I
impl<I: IteratorSpec + ?Sized> IteratorSpec for &mut I
Source§fn produces(self, visited: Seq<Self::Item>, o: Self) -> bool
fn produces(self, visited: Seq<Self::Item>, o: Self) -> bool
(open, prophetic)
pearlite! { (*self).produces(visited, *o) && ^self == ^o }Source§fn completed(&mut self) -> bool
fn completed(&mut self) -> bool
(open, prophetic)
pearlite! { (*self).completed() && ^*self == ^^self }Source§fn produces_refl(self)
fn produces_refl(self)
(open, law)
{}ensures
self.produces(Seq::empty(), self)Source§impl<I: IteratorSpec> IteratorSpec for Enumerate<I>
impl<I: IteratorSpec> IteratorSpec for Enumerate<I>
Source§fn completed(&mut self) -> bool
fn completed(&mut self) -> bool
(open, prophetic)
pearlite! { exists<inner: &mut _> *inner == self.iter() && ^inner == (^self).iter() && inner.completed() && self.n()@ == (^self).n()@ }
Source§fn produces(self, visited: Seq<Self::Item>, o: Self) -> bool
fn produces(self, visited: Seq<Self::Item>, o: Self) -> bool
(open, prophetic)
pearlite! { visited.len() == o.n()@ - self.n()@ && exists<s: Seq<I::Item>> self.iter().produces(s, o.iter()) && visited.len() == s.len() && forall<i> 0 <= i && i < s.len() ==> visited[i].0@ == self.n()@ + i && visited[i].1 == s[i] }
Source§fn produces_refl(self)
fn produces_refl(self)
(law) ⚠
ensures
self.produces(Seq::empty(), self)Source§impl<I: IteratorSpec> IteratorSpec for Fuse<I>
impl<I: IteratorSpec> IteratorSpec for Fuse<I>
Source§fn completed(&mut self) -> bool
fn completed(&mut self) -> bool
(open, prophetic)
pearlite! { (self@ == None || exists<it:&mut I> it.completed() && self@ == Some(*it)) && (^self)@ == None }
Source§fn produces(self, prod: Seq<Self::Item>, other: Self) -> bool
fn produces(self, prod: Seq<Self::Item>, other: Self) -> bool
(open, prophetic)
pearlite! { match self@ { None => prod == Seq::empty() && other@ == self@, Some(i) => match other@ { Some(i2) => i.produces(prod, i2), None => false, }, } }
Source§fn produces_refl(self)
fn produces_refl(self)
(open, law)
{}ensures
self.produces(Seq::empty(), self)Source§impl<I: IteratorSpec> IteratorSpec for Skip<I>
impl<I: IteratorSpec> IteratorSpec for Skip<I>
Source§fn completed(&mut self) -> bool
fn completed(&mut self) -> bool
(open, prophetic)
pearlite! { (^self).n()@ == 0 && exists<s: Seq<Self::Item>, i: &mut I> s.len() <= (*self).n()@ && self.iter().produces(s, *i) && (forall<i> 0 <= i && i < s.len() ==> resolve(s[i])) && i.completed() && ^i == (^self).iter() }
Source§fn produces(self, visited: Seq<Self::Item>, o: Self) -> bool
fn produces(self, visited: Seq<Self::Item>, o: Self) -> bool
(open, prophetic)
pearlite! { visited == Seq::empty() && self == o || o.n()@ == 0 && visited.len() > 0 && exists<s: Seq<Self::Item>> s.len() == self.n()@ && self.iter().produces(s.concat(visited), o.iter()) && forall<i> 0 <= i && i < s.len() ==> resolve(s[i]) }
Source§fn produces_refl(self)
fn produces_refl(self)
(law) ⚠
ensures
self.produces(Seq::empty(), self)Source§impl<I: IteratorSpec> IteratorSpec for Take<I>
impl<I: IteratorSpec> IteratorSpec for Take<I>
Source§fn completed(&mut self) -> bool
fn completed(&mut self) -> bool
(open, prophetic)
pearlite! { self.n()@ == 0 && resolve(self) || (*self).n()@ > 0 && (*self).n()@ == (^self).n()@ + 1 && self.iter_mut().completed() }
Source§fn produces(self, visited: Seq<Self::Item>, o: Self) -> bool
fn produces(self, visited: Seq<Self::Item>, o: Self) -> bool
(open, prophetic)
pearlite! { self.n()@ == o.n()@ + visited.len() && self.iter().produces(visited, o.iter()) }
Source§fn produces_refl(self)
fn produces_refl(self)
(law) ⚠
ensures
self.produces(Seq::empty(), self)Source§impl<I: IteratorSpec, B, F: FnMut(I::Item) -> Option<B>> IteratorSpec for FilterMap<I, F>
impl<I: IteratorSpec, B, F: FnMut(I::Item) -> Option<B>> IteratorSpec for FilterMap<I, F>
Source§fn completed(&mut self) -> bool
fn completed(&mut self) -> bool
(open, prophetic)
pearlite! { (exists<s: Seq<_>, e: &mut I > self.iter().produces(s, *e) && e.completed() && forall<i> 0 <= i && i < s.len() ==> (*self).func().postcondition_mut((s[i],), (^self).func(), None)) && (*self).func() == (^self).func() }
Source§fn produces(self, visited: Seq<Self::Item>, succ: Self) -> bool
fn produces(self, visited: Seq<Self::Item>, succ: Self) -> bool
(open, prophetic)
pearlite! { private_invariant(self) ==> self.func().hist_inv(succ.func()) && // f here is a mapping from indices of `visited` to those of `s`, where `s` is the whole sequence produced by the underlying iterator // Interestingly, Z3 guesses `f` quite readily but gives up *totally* on `s`. However, the addition of the final assertions on the correctness of the values // blocks z3's guess for `f`. exists<s: Seq<I::Item>, f: Mapping<Int, Int>> self.iter().produces(s, succ.iter()) && (forall<i> 0 <= i && i < visited.len() ==> 0 <= f.get(i) && f.get(i) < s.len()) && // `f` is a monotone mapping (forall<i, j> 0 <= i && i < j && j < visited.len() ==> f.get(i) < f.get(j)) && // `f` points to elements produced in `s` (by the underlying `iter`) for which the predicate `self.func()` returned `Some`. (forall<i> 0 <= i && i < visited.len() ==> self.func().postcondition_mut((s[f.get(i)],), self.func(), Some(visited[i]))) && // For other elements not in the image of `f`, the predicate `self.func()` returned `None`. (forall<j> 0 <= j && j < s.len() ==> (!exists<i> 0 <= i && i < visited.len() && f.get(i) == j) == self.func().postcondition_mut((s[j],), self.func(), None)) }
Source§fn produces_refl(self)
fn produces_refl(self)
(law) ⚠
ensures
self.produces(Seq::empty(), self)Source§impl<I: IteratorSpec, B, F: FnMut(I::Item) -> B> IteratorSpec for Map<I, F>
impl<I: IteratorSpec, B, F: FnMut(I::Item) -> B> IteratorSpec for Map<I, F>
Source§fn completed(&mut self) -> bool
fn completed(&mut self) -> bool
(open, prophetic)
pearlite! { (exists<inner: &mut _> *inner == self.iter() && ^inner == (^self).iter() && inner.completed()) && (*self).func() == (^self).func() }
Source§fn produces(self, visited: Seq<Self::Item>, succ: Self) -> bool
fn produces(self, visited: Seq<Self::Item>, succ: Self) -> bool
(open, prophetic, inline)
pearlite! { self.func().hist_inv(succ.func()) && exists<fs: Seq<&mut F>> fs.len() == visited.len() && exists<s: Seq<I::Item>> #[trigger(self.iter().produces(s, succ.iter()))] s.len() == visited.len() && self.iter().produces(s, succ.iter()) && (forall<i> 1 <= i && i < fs.len() ==> ^fs[i - 1] == *fs[i]) && if visited.len() == 0 { self.func() == succ.func() } else { *fs[0] == self.func() && ^fs[visited.len() - 1] == succ.func() } && forall<i> 0 <= i && i < visited.len() ==> self.func().hist_inv(*fs[i]) && (*fs[i]).precondition((s[i],)) && (*fs[i]).postcondition_mut((s[i],), ^fs[i], visited[i]) }
Source§fn produces_refl(self)
fn produces_refl(self)
(law) ⚠
ensures
self.produces(Seq::empty(), self)Source§impl<I: IteratorSpec, F: FnMut(&I::Item) -> bool> IteratorSpec for Filter<I, F>
impl<I: IteratorSpec, F: FnMut(&I::Item) -> bool> IteratorSpec for Filter<I, F>
Source§fn completed(&mut self) -> bool
fn completed(&mut self) -> bool
(open, prophetic)
pearlite! { (exists<s: Seq<_>, e: &mut I > self.iter().produces(s, *e) && e.completed() && forall<i> 0 <= i && i < s.len() ==> (*self).func().postcondition_mut((&s[i],), (^self).func(), false)) && (*self).func() == (^self).func() }
Source§fn produces(self, visited: Seq<Self::Item>, succ: Self) -> bool
fn produces(self, visited: Seq<Self::Item>, succ: Self) -> bool
(open, prophetic)
pearlite! { private_invariant(self) ==> self.func().hist_inv(succ.func()) && // f here is a mapping from indices of `visited` to those of `s`, where `s` is the whole sequence produced by the underlying iterator // Interestingly, Z3 guesses `f` quite readily but gives up *totally* on `s`. However, the addition of the final assertions on the correctness of the values // blocks z3's guess for `f`. exists<s: Seq<Self::Item>, f: Mapping<Int, Int>> self.iter().produces(s, succ.iter()) && (forall<i> 0 <= i && i < visited.len() ==> 0 <= f.get(i) && f.get(i) < s.len()) && // `f` is a monotone mapping (forall<i, j> 0 <= i && i < j && j < visited.len() ==> f.get(i) < f.get(j)) && (forall<i> 0 <= i && i < visited.len() ==> visited[i] == s[f.get(i)]) && (forall<i> 0 <= i && i < s.len() ==> (exists<j> 0 <= j && j < visited.len() && f.get(j) == i) == self.func().postcondition_mut((&s[i],), self.func(), true)) }
Source§fn produces_refl(self)
fn produces_refl(self)
(law) ⚠
ensures
self.produces(Seq::empty(), self)Source§impl<Idx: DeepModel<DeepModelTy = Int> + Step> IteratorSpec for Range<Idx>
Available on crate feature nightly only.
impl<Idx: DeepModel<DeepModelTy = Int> + Step> IteratorSpec for Range<Idx>
Available on crate feature
nightly only.Source§fn completed(&mut self) -> bool
fn completed(&mut self) -> bool
(open, prophetic)
pearlite! { resolve(self) && self.start.deep_model() >= self.end.deep_model() }
Source§fn produces(self, visited: Seq<Self::Item>, o: Self) -> bool
fn produces(self, visited: Seq<Self::Item>, o: Self) -> bool
(open)
pearlite! { self.end == o.end && self.start.deep_model() <= o.start.deep_model() && (visited.len() > 0 ==> o.start.deep_model() <= o.end.deep_model()) && visited.len() == o.start.deep_model() - self.start.deep_model() && forall<i> 0 <= i && i < visited.len() ==> visited[i].deep_model() == self.start.deep_model() + i }
Source§fn produces_refl(self)
fn produces_refl(self)
(law) ⚠
ensures
self.produces(Seq::empty(), self)Source§impl<Idx: DeepModel<DeepModelTy = Int> + Step> IteratorSpec for RangeInclusive<Idx>
Available on crate feature nightly only.
impl<Idx: DeepModel<DeepModelTy = Int> + Step> IteratorSpec for RangeInclusive<Idx>
Available on crate feature
nightly only.Source§fn completed(&mut self) -> bool
fn completed(&mut self) -> bool
(open, prophetic)
pearlite! { self.is_empty_log() && (^self).is_empty_log() }
Source§fn produces(self, visited: Seq<Self::Item>, o: Self) -> bool
fn produces(self, visited: Seq<Self::Item>, o: Self) -> bool
(open)
pearlite! { visited.len() == range_inclusive_len(self) - range_inclusive_len(o) && (self.is_empty_log() ==> o.is_empty_log()) && (o.is_empty_log() || self.end_log() == o.end_log()) && forall<i> 0 <= i && i < visited.len() ==> visited[i].deep_model() == self.start_log().deep_model() + i }
Source§fn produces_refl(self)
fn produces_refl(self)
(open, law)
{}ensures
self.produces(Seq::empty(), self)Source§impl<K: DeepModel, V> IteratorSpec for IntoIter<K, V>
impl<K: DeepModel, V> IteratorSpec for IntoIter<K, V>
Source§fn produces(self, visited: Seq<Self::Item>, o: Self) -> bool
fn produces(self, visited: Seq<Self::Item>, o: Self) -> bool
(open, prophetic, inline)
// self@ equals the union of visited (viewed as a fmap) and o@ pearlite! { self@.len() == visited.len() + o@.len() && (forall<k: K, v: V> visited.contains((k, v)) ==> self@.get(k.deep_model()) == Some(v) && o@.get(k.deep_model()) == None) && (forall<k: K::DeepModelTy, v: V> o@.get(k) == Some(v) ==> self@.get(k) == Some(v) && !exists<k2: K, v2: V> k2.deep_model() == k && visited.contains((k2, v2))) && (forall<k: K::DeepModelTy, v: V> self@.get(k) == Some(v) ==> (exists<k1: K> k1.deep_model() == k && visited.contains((k1, v))) || o@.get(k) == Some(v)) && (forall<i1, i2> 0 <= i1 && i1 < visited.len() && 0 <= i2 && i2 < visited.len() && visited[i1].0.deep_model() == visited[i2].0.deep_model() ==> i1 == i2) }
Source§fn completed(&mut self) -> bool
fn completed(&mut self) -> bool
(open, prophetic)
pearlite! { resolve(self) && self@.is_empty() }Source§fn produces_refl(self)
fn produces_refl(self)
(open, law)
{}ensures
self.produces(Seq::empty(), self)Source§impl<T> IteratorSpec for Empty<T>
impl<T> IteratorSpec for Empty<T>
Source§impl<T> IteratorSpec for Once<T>
impl<T> IteratorSpec for Once<T>
Source§fn completed(&mut self) -> bool
fn completed(&mut self) -> bool
(open, prophetic)
pearlite! { (*self)@ == None && resolve(self) }Source§fn produces(self, visited: Seq<Self::Item>, o: Self) -> bool
fn produces(self, visited: Seq<Self::Item>, o: Self) -> bool
(open, prophetic)
pearlite! { visited == Seq::empty() && self == o || exists<e: Self::Item> self@ == Some(e) && visited == Seq::singleton(e) && o@ == None }
Source§fn produces_refl(self)
fn produces_refl(self)
(law) ⚠
ensures
self.produces(Seq::empty(), self)Source§impl<T> IteratorSpec for IntoIter<T>
impl<T> IteratorSpec for IntoIter<T>
Source§fn completed(&mut self) -> bool
fn completed(&mut self) -> bool
(open, prophetic)
pearlite! { (*self)@ == None && resolve(self) }Source§fn produces(self, visited: Seq<Self::Item>, o: Self) -> bool
fn produces(self, visited: Seq<Self::Item>, o: Self) -> bool
(open)
pearlite! { visited == Seq::empty() && self == o || exists<e: Self::Item> self@ == Some(e) && visited == Seq::singleton(e) && o@ == None }
Source§fn produces_refl(self)
fn produces_refl(self)
(law) ⚠
ensures
self.produces(Seq::empty(), self)Source§impl<T> IteratorSpec for Iter<'_, T>
impl<T> IteratorSpec for Iter<'_, T>
Source§fn completed(&mut self) -> bool
fn completed(&mut self) -> bool
(open, prophetic)
pearlite! { (*self)@ == None && resolve(self) }Source§fn produces(self, visited: Seq<Self::Item>, o: Self) -> bool
fn produces(self, visited: Seq<Self::Item>, o: Self) -> bool
(open)
pearlite! { visited == Seq::empty() && self == o || exists<e: Self::Item> self@ == Some(e) && visited == Seq::singleton(e) && o@ == None }
Source§fn produces_refl(self)
fn produces_refl(self)
(law) ⚠
ensures
self.produces(Seq::empty(), self)Source§impl<T> IteratorSpec for IterMut<'_, T>
impl<T> IteratorSpec for IterMut<'_, T>
Source§fn completed(&mut self) -> bool
fn completed(&mut self) -> bool
(open, prophetic)
pearlite! { (*self)@ == None && resolve(self) }Source§fn produces(self, visited: Seq<Self::Item>, o: Self) -> bool
fn produces(self, visited: Seq<Self::Item>, o: Self) -> bool
(open)
pearlite! { visited == Seq::empty() && self == o || exists<e: Self::Item> self@ == Some(e) && visited == Seq::singleton(e) && o@ == None }
Source§fn produces_refl(self)
fn produces_refl(self)
(law) ⚠
ensures
self.produces(Seq::empty(), self)Source§impl<T, A: Allocator> IteratorSpec for IntoIter<T, A>
Available on crate feature nightly only.
impl<T, A: Allocator> IteratorSpec for IntoIter<T, A>
Available on crate feature
nightly only.Source§fn completed(&mut self) -> bool
fn completed(&mut self) -> bool
(open, prophetic)
pearlite! { resolve(self) && self@ == Seq::empty() }Source§fn produces(self, visited: Seq<T>, rhs: Self) -> bool
fn produces(self, visited: Seq<T>, rhs: Self) -> bool
(open)
pearlite! { self@ == visited.concat(rhs@) }
Source§fn produces_refl(self)
fn produces_refl(self)
(open, law)
{}ensures
self.produces(Seq::empty(), self)Source§fn produces_trans(a: Self, ab: Seq<T>, b: Self, bc: Seq<T>, c: Self)
fn produces_trans(a: Self, ab: Seq<T>, b: Self, bc: Seq<T>, c: Self)
(open, law)
{}requires
a.produces(ab, b)requires
b.produces(bc, c)ensures
a.produces(ab.concat(bc), c)Source§impl<T, const N: usize> IteratorSpec for IntoIter<T, N>
impl<T, const N: usize> IteratorSpec for IntoIter<T, N>
Source§fn produces(self, visited: Seq<Self::Item>, o: Self) -> bool
fn produces(self, visited: Seq<Self::Item>, o: Self) -> bool
(open, prophetic)
pearlite! { self@ == visited.concat(o@) }Source§fn completed(&mut self) -> bool
fn completed(&mut self) -> bool
(open, prophetic)
pearlite! { resolve(self) && self@ == Seq::empty() }Source§fn produces_refl(self)
fn produces_refl(self)
(open, law)
{}ensures
self.produces(Seq::empty(), self)