Skip to main content

NonAtomicInvariant

creusot_std::ghost::invariant

Struct NonAtomicInvariant 

Source 
pub struct NonAtomicInvariant<T: Protocol>(/* private fields */);
Expand description

A ghost structure, that holds a piece of data (T) together with an protocol.

§Note

NonAtomicInvariant is not Sync, and is invariant in the underlying data.

  • not Sync precisely because it is non-atomic, so access to the data is unsyncronized
  • invariant because it gives access to a mutable borrow of this data.

Implementations§

Source§

impl<T: Protocol> NonAtomicInvariant<T>

Source

pub fn new( value: Ghost<T>, public: Snapshot<T::Public>, namespace: Snapshot<Namespace>, ) -> Ghost<Self>

Construct a NonAtomicInvariant

§Parameters
  • value: the actual data contained in the invariant. Use Self::open to access it. Also called the ‘private’ part of the invariant.
  • public: the ‘public’ part of the invariant.
  • namespace: the namespace of the invariant. This is required to avoid opening the same invariant twice.

requires 

value.protocol(*public)

ensures 

result.public() == *public

ensures 

result.namespace() == *namespace

terminates

ghost

Source

pub fn into_inner(self) -> T

Gives the actual invariant held by the NonAtomicInvariant.

ensures 

result.protocol(self.public())

terminates

ghost

Source

pub fn namespace(self) -> Namespace

Get the namespace associated with this invariant.

logic(opaque)

Source

pub fn public(self) -> T::Public

Get the ‘public’ part of this invariant.

logic(opaque)

Source

pub fn open<'a, A>( this: Ghost<&'a Self>, tokens: Ghost<Tokens<'a>>, f: impl FnOnce(Ghost<&'a mut T>) -> A, ) -> A

Open the invariant to get the data stored inside.

This will call the closure f with the inner data. You must restore the contained Protocol before returning from the closure.

requires 

tokens.contains(this.namespace())

requires

forall<t: Ghost<&mut T>> t.protocol(this.public()) && inv(t) ==>
    f.precondition((t,)) &&
    // f must restore the invariant
    (forall<res: A> f.postcondition_once((t,), res) ==> (^t).protocol(this.public()))

ensures

exists<t: Ghost<&mut T>> inv(t) && t.protocol(this.public()) && f.postcondition_once((t,), result)
Source

pub fn open_const<'a>(&'a self, tokens: &'a Tokens<'_>) -> &'a T

Open the invariant to get the data stored inside, immutably. This allows reentrant access to the invariant.

requires 

tokens.contains(self.namespace())

ensures 

result.protocol(self.public())

terminates

ghost

Trait Implementations§

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.