Skip to main content

Int

creusot_std::logic

Struct Int 

Source 
pub struct Int;
Expand description

An unbounded, mathematical integer.

This type cannot be only be constructed in logical or ghost code.

§Integers in pearlite

Note that in pearlite, all integer literals are of type Int:

let x = 1i32;
//             ↓ need to use the view operator to convert `i32` to `Int`
proof_assert!(x@ == 1);

You can use the usual operators on integers: +, -, *, / and %.

Note that those operators are not available in ghost code.

Implementations§

Source§

impl Int

Source

pub fn pow(self, p: Int) -> Int

Compute self^p.

§Example
proof_assert!(3.pow(4) == 729);

Source

pub fn pow2(self) -> Int

Compute 2^p.

§Example
proof_assert!(pow2(4) == 16);

Source

pub fn max(self, x: Int) -> Int

Compute the maximum of self and x.

§Example
proof_assert!(10.max(2) == 10);

Source

pub fn min(self, x: Int) -> Int

Compute the minimum of self and x.

§Example
proof_assert!(10.max(2) == 2);

Source

pub fn div_euclid(self, d: Int) -> Int

Compute the euclidean division of self by d.

§Example
proof_assert!(10.div_euclid(3) == 3);

Source

pub fn rem_euclid(self, d: Int) -> Int

Compute the remainder of the euclidean division of self by d.

§Example
 proof_assert!(10.rem_euclid(3) == 1);

Source

pub fn abs_diff(self, other: Int) -> Int

Compute the absolute difference of self and x.

§Example
proof_assert!(10.abs_diff(3) == 7);
proof_assert!(3.abs_diff(10) == 7);
proof_assert!((-5).abs_diff(5) == 10);

(open) 

if self < other { other - self } else { self - other }

Source§

impl Int

Source

pub fn new(value: i128) -> Ghost<Self>

Create a new Int value

The result is wrapped in a Ghost, so that it can only be access inside a ghost! block.

You should not have to use this method directly: instead, use the int suffix inside of a ghost block:

let x: Ghost<Int> = ghost!(1int);
ghost! {
    let y: Int = 2int;
};

terminates

ghost

ensures 

*result == value@

Source

pub fn incr_ghost(&mut self)

terminates

ghost

ensures 

^self == *self + 1

Source

pub fn decr_ghost(&mut self)

terminates

ghost

ensures 

^self == *self - 1

Trait Implementations§

Source§

impl Add for Int

Source§

fn add(self, other: Int) -> Self

terminates

ghost

ensures 

result == self + other

Source§

type Output = Int

The resulting type after applying the + operator.
Source§

impl AddLogic for Int

Source§

fn add(self, other: Self) -> Self

Source§

type Output = Int

Source§

impl Clone for Int

Source§

fn clone(&self) -> Self

terminates

ghost

ensures 

result == *self

1.0.0 · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
Source§

impl DeepModel for Int

Source§

fn deep_model(self) -> Self::DeepModelTy

(open, inline) 

self

Source§

type DeepModelTy = Int

Source§

impl Div for Int

Source§

fn div(self, other: Int) -> Self

terminates

ghost

ensures 

result == self / other

Source§

type Output = Int

The resulting type after applying the / operator.
Source§

impl DivLogic for Int

Source§

fn div(self, other: Self) -> Self

Source§

type Output = Int

Source§

impl<T> Index<Int> for Seq<T>

Source§

fn index(&self, index: Int) -> &Self::Output

terminates

ghost

requires 

0 <= index && index < self.len()

ensures 

*result == self[index]

Source§

type Output = T

The returned type after indexing.
Source§

impl<T> IndexLogic<Int> for [T]

Source§

fn index_logic(self, ix: Int) -> Self::Item

(open, inline) 

pearlite! { self@[ix] }

Source§

type Item = T

Source§

impl<T, const N: usize> IndexLogic<Int> for [T; N]

Source§

fn index_logic(self, ix: Int) -> Self::Item

(open, inline) 

pearlite! { self@[ix] }

Source§

type Item = T

Source§

impl<T> IndexLogic<Int> for Seq<T>

Source§

fn index_logic(self, _: Int) -> Self::Item

Source§

type Item = T

Source§

impl<T, A: Allocator> IndexLogic<Int> for Vec<T, A>

Available on crate feature nightly only.
Source§

fn index_logic(self, ix: Int) -> Self::Item

(open, inline) 

pearlite! { self@[ix] }

Source§

type Item = T

Source§

impl<T, A: Allocator> IndexLogic<Int> for VecDeque<T, A>

Available on crate feature nightly only.
Source§

fn index_logic(self, ix: Int) -> Self::Item

(open, inline) 

pearlite! { self@[ix] }

Source§

type Item = T

Source§

impl<T> IndexMut<Int> for Seq<T>

Source§

fn index_mut(&mut self, index: Int) -> &mut Self::Output

terminates

ghost

requires 

0 <= index && index < self.len()

ensures 

(*self).len() == (^self).len()

ensures 

*result == (*self)[index] && ^result == (^self)[index]

ensures 

forall<i> i != index ==> (*self).get(i) == (^self).get(i)

Source§

impl LocalUpdate<Int> for Int

Source§

fn premise(self, _: Int, _: Int) -> bool

(open, inline) 

true

Source§

fn update(self, from_auth: Int, from_frag: Int) -> (Int, Int)

(open, inline) 

(from_auth + self, from_frag + self)

Source§

fn frame_preserving(self, from_auth: Int, from_frag: Int, frame: Option<Int>)

requires 

self.premise(from_auth, from_frag)

requires 

Some(from_frag).op(frame) == Some(Some(from_auth))

ensures

let (to_auth, to_frag) = LocalUpdate::update(self, from_auth, from_frag);
Some(to_frag).op(frame) == Some(Some(to_auth))
Source§

impl Mul for Int

Source§

fn mul(self, other: Int) -> Self

terminates

ghost

ensures 

result == self * other

Source§

type Output = Int

The resulting type after applying the * operator.
Source§

impl MulLogic for Int

Source§

fn mul(self, other: Self) -> Self

Source§

type Output = Int

Source§

impl Neg for Int

Source§

fn neg(self) -> Self

terminates

ghost

ensures 

result == -self

Source§

type Output = Int

The resulting type after applying the - operator.
Source§

impl NegLogic for Int

Source§

fn neg(self) -> Self

Source§

type Output = Int

Source§

impl OrdLogic for Int

Source§

fn cmp_log(self, o: Self) -> Ordering

(open)

if self < o {
    Ordering::Less
} else if self == o {
    Ordering::Equal
} else {
    Ordering::Greater
}
Source§

fn le_log(self, _: Self) -> bool

Source§

fn lt_log(self, _: Self) -> bool

Source§

fn ge_log(self, _: Self) -> bool

Source§

fn gt_log(self, _: Self) -> bool

Source§

fn cmp_le_log(x: Self, y: Self)

(open(pub(self)), law)

ensures 

x.le_log(y) == (x.cmp_log(y) != Ordering::Greater)

Source§

fn cmp_lt_log(x: Self, y: Self)

(open(pub(self)), law)

ensures 

x.lt_log(y) == (x.cmp_log(y) == Ordering::Less)

Source§

fn cmp_ge_log(x: Self, y: Self)

(open(pub(self)), law)

ensures 

x.ge_log(y) == (x.cmp_log(y) != Ordering::Less)

Source§

fn cmp_gt_log(x: Self, y: Self)

(open(pub(self)), law)

ensures 

x.gt_log(y) == (x.cmp_log(y) == Ordering::Greater)

Source§

fn refl(x: Self)

(open(pub(self)), law)

ensures 

x.cmp_log(x) == Ordering::Equal

Source§

fn trans(x: Self, y: Self, z: Self, o: Ordering)

(open(pub(self)), law)

requires 

x.cmp_log(y) == o

requires 

y.cmp_log(z) == o

ensures 

x.cmp_log(z) == o

Source§

fn antisym1(x: Self, y: Self)

(open(pub(self)), law)

requires 

x.cmp_log(y) == Ordering::Less

ensures 

y.cmp_log(x) == Ordering::Greater

Source§

fn antisym2(x: Self, y: Self)

(open(pub(self)), law)

requires 

x.cmp_log(y) == Ordering::Greater

ensures 

y.cmp_log(x) == Ordering::Less

Source§

fn eq_cmp(x: Self, y: Self)

(open(pub(self)), law)

ensures 

(x == y) == (x.cmp_log(y) == Ordering::Equal)

Source§

impl PartialEq for Int

Source§

fn eq(&self, other: &Self) -> bool

terminates

ghost

ensures 

result == (*self == *other)

1.0.0 · Source§

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.
Source§

impl PartialOrd for Int

Source§

fn partial_cmp(&self, other: &Self) -> Option<Ordering>

terminates

ghost

ensures 

result == Some((*self).cmp_log(*other))

Source§

fn lt(&self, other: &Self) -> bool

terminates

ghost

ensures 

result == (*self).lt_log(*other)

Source§

fn le(&self, other: &Self) -> bool

terminates

ghost

ensures 

result == (*self).le_log(*other)

Source§

fn gt(&self, other: &Self) -> bool

terminates

ghost

ensures 

result == (*self).gt_log(*other)

Source§

fn ge(&self, other: &Self) -> bool

terminates

ghost

ensures 

result == (*self).ge_log(*other)

Source§

impl RA for Int

Source§

fn op(self, other: Self) -> Option<Int>

(open, inline) 

Some(self + other)

Source§

fn factor(self, factor: Self) -> Option<Self>

(open, inline) 

Some(self - factor)

ensures

match result {
        Some(c) => factor.op(c) == Some(self),
        None => false,
    }
Source§

fn commutative(a: Self, b: Self)

(law)

ensures 

a.op(b) == b.op(a)

Source§

fn associative(a: Self, b: Self, c: Self)

ensures

a.op(b).and_then_logic(|ab: Self| ab.op(c)) == b.op(c).and_then_logic(|bc| a.op(bc))
Source§

fn core(self) -> Option<Self>

(open, inline) 

Some(0)

Source§

fn core_idemp(self)

ensures

let c = self.core().unwrap_logic();
c.op(c) == Some(c)

ensures 

self.core().unwrap_logic().op(self) == Some(self)

Source§

fn core_is_maximal_idemp(self, i: Self)

requires 

i.op(i) == Some(i)

requires 

i.op(self) == Some(self)

ensures

match self.core() {
        Some(c) => i.incl(c),
        None => false,
    }
Source§

fn eq(self, other: Self) -> bool

(open, inline) Read more

Source§

fn incl(self, other: Self) -> bool

Inclusion of RA. Read more
Source§

fn incl_op(self, other: Self, comb: Self)

(law) Read more
Source§

fn incl_eq(self, other: Self) -> bool

(open, sealed) Read more

Source§

fn incl_eq_op(a: Self, b: Self, x: Self) -> bool

(open, sealed) Read more
Source§

fn update(self, x: Self) -> bool

Ensures that we can go from self to x without making composition with the frame invalid. Read more
Source§

fn update_nondet(self, s: Set<Self>) -> bool

This is used in Resource::update_nondet. Read more
Source§

fn associative_none(a: Self, b: Self, c: Self, bc: Self)

Specialized version of Self::associative, in the case where a.op(b) == None. Read more
Source§

fn associative_some(a: Self, b: Self, c: Self, ab: Self, bc: Self)

Specialized version of Self::associative, in the case where a.op(b) and b.op(c) are both valid. Read more
Source§

fn incl_transitive(a: Self, b: Self, c: Self)

RA::incl is transitive. Read more
Source§

impl Rem for Int

Source§

fn rem(self, other: Int) -> Self

terminates

ghost

ensures 

result == self % other

Source§

type Output = Int

The resulting type after applying the % operator.
Source§

impl RemLogic for Int

Source§

fn rem(self, other: Self) -> Self

Source§

type Output = Int

Source§

impl Sub for Int

Source§

fn sub(self, other: Int) -> Self

terminates

ghost

ensures 

result == self - other

Source§

type Output = Int

The resulting type after applying the - operator.
Source§

impl SubLogic for Int

Source§

fn sub(self, other: Self) -> Self

Source§

type Output = Int

Source§

impl UnitRA for Int

Source§

fn unit() -> Self

(open, inline) 

0

ensures 

forall<x: Self> #[trigger(x.op(result))] x.op(result) == Some(x)

Source§

fn core_total(self) -> Self

(open, inline) 

0

ensures 

self.core() == Some(result)

Source§

fn core_total_idemp(self)

ensures 

self.core_total().op(self.core_total()) == Some(self.core_total())

ensures 

self.core_total().op(self) == Some(self)

Source§

fn incl_refl()

In unitary RAs, the inclusion relation is reflexive Read more
Source§

fn unit_core()

The unit is its own core Read more
Source§

impl WellFounded for Int

Source§

fn well_founded_relation(self, other: Self) -> bool

(open, inline) 

self >= 0 && self > other

Source§

fn no_infinite_decreasing_sequence(s: Mapping<Int, Self>) -> Int

(opaque)

ensures 

result >= 0

ensures 

!Self::well_founded_relation(s[result], s[result + 1])

Source§

impl Copy for Int

Source§

impl Plain for Int

Auto Trait Implementations§

§

impl Freeze for Int

§

impl RefUnwindSafe for Int

§

impl Send for Int

§

impl Sync for Int

§

impl Unpin for Int

§

impl UnwindSafe for Int

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
Source§

impl<T, Rhs, Output> NumOps<Rhs, Output> for T
where T: Sub<Rhs, Output = Output> + Mul<Rhs, Output = Output> + Div<Rhs, Output = Output> + Add<Rhs, Output = Output> + Rem<Rhs, Output = Output>,