Skip to main content

AtomicInvariant

creusot_std::ghost::invariant

Struct AtomicInvariant 

Source 
pub struct AtomicInvariant<T>(/* private fields */);
Expand description

A shareable invariant for atomic accesses between threads.

If you need sequentially consistent accesses, use AtomicInvariant.

If you do not need to share the invariant across threads, see NonAtomicInvariant.

Implementations§

Source§

impl<T: Protocol> AtomicInvariant<T>

Source

pub fn new(value: Ghost<T>, namespace: Snapshot<Namespace>) -> Ghost<Self>

Construct a AtomicInvariant

§Parameters
  • value: the actual data contained in the invariant. Use Self::open to access it. Also called the ‘private’ part of the invariant.
  • namespace: the namespace of the invariant. This is required to avoid opening the same invariant twice.

requires 

value.protocol()

ensures 

result.public() == value.public()

ensures 

result.namespace() == *namespace

terminates

ghost

Source

pub fn namespace(self) -> Namespace

Get the namespace associated with this invariant.

logic(opaque)

Source

pub fn public(self) -> T::Public

Get the ‘public’ part of this invariant.

logic(opaque)

Source

pub fn into_inner(self) -> T

Gives the actual invariant held by the AtomicInvariant.

ensures 

result.public() == self.public() && result.protocol()

terminates

ghost

Source

pub fn open<A>( &self, tokens: Tokens<'_>, f: impl FnGhost + for<'a> FnOnce(&'a mut T) -> A, ) -> A

Open the invariant to get the data stored inside.

This will call the closure f with the inner data. You must restore the contained Protocol before returning from the closure.

NOTE: This function can only be called from ghost code, because atomic invariants are always wrapped in Ghost. This guarantees atomicity.

requires 

tokens.contains(self.namespace())

requires

forall<t: &mut T> t.public() == self.public() && t.protocol() && inv(t) ==>
    f.precondition((t,)) &&
    // f must restore the invariant
    (forall<res: A> f.postcondition_once((t,), res) ==> (^t).public() == self.public() && (^t).protocol())

ensures

exists<t: &mut T> t.public() == self.public() && t.protocol() && inv(t) &&
    f.postcondition_once((t,), result)

terminates

ghost

Trait Implementations§

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.