Expand description
Demonstration of the linear-drop obligation mechanism.
Concrete workbench showing what verification looks like when a
must-drop resource is honored vs. silently leaked. clean_inv() is the
boundary that breaks on leaks.
After the per-frame migration there is a single must-drop ledger: the
per-instance frame_obligations multiset. Both Frame<M> and Segment<M>
use it.
Frame<M>:ManuallyDrop::new(frame, ..)mints one entry atframe.key()(paired with the recovery path);Frame::drop/ManuallyDrop::newredeem one.Segment<M>: records one entry per frame it holds (minted bycrate::specs::mm::frame::segment::tracked_mint_seg_obligations, drained onSegment::drop).
Leaking either leaves frame_obligations non-empty, breaking the
frame_obligations.len() == 0 conjunct of clean_inv.
§How to use
- As-shipped,
demo_honoredverifies. - To see the leak case rejected, flip the
demo_leakcfg gate on [demo_leaked_when_enabled] and re-runcargo dv verify --targets ostd. The expected error is documented in the comments above that function.