creusot_contracts/
ptr_own.rs

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
//! Raw pointers with ghost code

#[cfg(creusot)]
use crate::util::SizedW;
use crate::*;

/// Raw pointer whose ownership is tracked by a ghost [`PtrOwn`].
pub type RawPtr<T> = *const T;

/// Token that represents the ownership of a memory cell. A `PtrOwn` value only
/// exists in the ghost world, but can be used in combination with a
/// corresponding [`RawPtr`] to access and modify memory.
///
/// A warning regarding memory leaks: dropping a `Ghost<PtrOwn<T>>` (we only
/// ever handle ghost `PtrOwn` values) cannot deallocate the memory
/// corresponding to the pointer because it is a ghost value. One must thus
/// remember to explicitly call [`drop`] in order to free the memory tracked by a
/// `PtrOwn` token.
///
/// # Safety
///
/// When using Creusot to verify the code, all methods should be safe to call. Indeed,
/// Creusot ensures that every operation on the inner value uses the right [`PtrOwn`] object
/// created by [`PtrOwn::new`], ensuring safety in a manner similar to [ghost_cell](https://docs.rs/ghost-cell/latest/ghost_cell/).
#[allow(dead_code)]
pub struct PtrOwn<T: ?Sized> {
    ptr: RawPtr<T>,
    val: Box<T>,
}

impl<T: ?Sized> PtrOwn<T> {
    /// The raw pointer whose ownership is tracked by this `PtrOwn`
    #[logic]
    #[open(self)]
    pub fn ptr(&self) -> RawPtr<T> {
        self.ptr
    }

    /// The value currently stored at address [`self.ptr()`](Self::ptr)
    #[logic]
    #[open(self)]
    pub fn val(&self) -> SizedW<T> {
        self.val
    }
}

impl<T: ?Sized> Invariant for PtrOwn<T> {
    #[predicate]
    #[open]
    fn invariant(self) -> bool {
        !self.ptr().is_null_logic()
    }
}

impl<T> PtrOwn<T> {
    /// Creates a new `PtrOwn` and associated [`RawPtr`] by allocating a new memory
    /// cell initialized with `v`.
    #[ensures(result.1.ptr() == result.0 && *result.1.val() == v)]
    pub fn new(v: T) -> (RawPtr<T>, Ghost<PtrOwn<T>>) {
        Self::from_box(Box::new(v))
    }
}

impl<T: ?Sized> PtrOwn<T> {
    /// Creates a ghost `PtrOwn` and associated [`RawPtr`] from an existing [`Box`].
    #[trusted]
    #[ensures(result.1.ptr() == result.0 && *result.1.val() == *val)]
    pub fn from_box(val: Box<T>) -> (RawPtr<T>, Ghost<PtrOwn<T>>) {
        assert!(core::mem::size_of_val::<T>(&*val) > 0, "PtrOwn doesn't support ZSTs");
        (Box::into_raw(val), Ghost::conjure())
    }

    /// Immutably borrows the underlying `T`.
    ///
    /// # Safety
    ///
    /// Safety requirements are the same as a direct dereference: `&*ptr`.
    ///
    /// Creusot will check that all calls to this function are indeed safe: see the
    /// [type documentation](PtrOwn).
    #[trusted]
    #[requires(ptr == own.ptr())]
    #[ensures(*result == *own.val())]
    #[allow(unused_variables)]
    pub unsafe fn as_ref(ptr: RawPtr<T>, own: Ghost<&PtrOwn<T>>) -> &T {
        unsafe { &*ptr }
    }

    /// Mutably borrows the underlying `T`.
    ///
    /// # Safety
    ///
    /// Safety requirements are the same as a direct dereference: `&mut *ptr`.
    ///
    /// Creusot will check that all calls to this function are indeed safe: see the
    /// [type documentation](PtrOwn).
    #[trusted]
    #[allow(unused_variables)]
    #[requires(ptr == own.ptr())]
    #[ensures(*result == *own.val())]
    // Currently .inner_logic() is needed instead of *; see issue #1257
    #[ensures((^own.inner_logic()).ptr() == own.ptr())]
    #[ensures(*(^own.inner_logic()).val() == ^result)]
    pub unsafe fn as_mut(ptr: RawPtr<T>, own: Ghost<&mut PtrOwn<T>>) -> &mut T {
        unsafe { &mut *(ptr as *mut _) }
    }

    /// Transfers ownership of `own` back into a [`Box`].
    ///
    /// # Safety
    ///
    /// Safety requirements are the same as [`Box::from_raw`].
    ///
    /// Creusot will check that all calls to this function are indeed safe: see the
    /// [type documentation](PtrOwn).
    #[trusted]
    #[requires(ptr == own.ptr())]
    #[ensures(*result == *own.val())]
    #[allow(unused_variables)]
    pub unsafe fn to_box(ptr: RawPtr<T>, own: Ghost<PtrOwn<T>>) -> Box<T> {
        unsafe { Box::from_raw(ptr as *mut _) }
    }

    /// Deallocates the memory pointed by `ptr`.
    ///
    /// # Safety
    ///
    /// Safety requirements are the same as [`Box::from_raw`].
    ///
    /// Creusot will check that all calls to this function are indeed safe: see the
    /// [type documentation](PtrOwn).
    #[requires(ptr == own.ptr())]
    pub unsafe fn drop(ptr: RawPtr<T>, own: Ghost<PtrOwn<T>>) {
        let _ = Self::to_box(ptr, own);
    }

    /// If one owns two `PtrOwn`s in ghost code, then they are for different pointers.
    #[trusted]
    #[pure]
    #[ensures(own1.ptr().addr_logic() != own2.ptr().addr_logic())]
    #[ensures(*own1 == ^own1)]
    #[allow(unused_variables)]
    pub fn disjoint_lemma(own1: &mut PtrOwn<T>, own2: &PtrOwn<T>) {}
}