Skip to main content

DropObligation

vstd_extra::drop_tracking

Struct DropObligation 

Source 
pub struct DropObligation<R> { /* private fields */ }
Expand description

A linear-looking “must drop” obligation tied to a value of type R.

R is the key type used to identify the resource in the State’s obligation ledger — e.g. Range<Paddr> for a Segment<M>, usize for a per-slot resource, () for impls that pipe the token through without a per-instance ledger. Two-layer enforcement (the design that survives Verus’s affineness):

  1. Token (this type): an ExclusiveGhost<R> wrapper. Each alloc produces a unique [Loc]; two outstanding tokens can be proven distinct via DropObligation::validate_with_other. No external_body axioms — the allocation is verified by vstd’s resource algebra.
  2. Ledger (in State): optional. For impls that opt in, the State carries a set/multiset of outstanding keys; mint adds, redeem removes, and the State’s clean_inv() (or any boundary predicate) requires the set to be empty (or the per-slot counter to be zero). Combined with 1, the linear guarantee is sound: silently dropping the token leaves the ledger non-empty and breaks the boundary check.

Impls that don’t add a per-state ledger still pass tokens through — they get the API uniformity but not the enforcement.

Implementations§

Source§

impl<R> DropObligation<R>

Source

pub closed spec fn value(self) -> R

Source

pub closed spec fn id(self) -> Loc

Unique identifier of this token. Two outstanding DropObligations can be proven distinct via Self::validate_with_other.

Source

pub proof fn tracked_mint(value: R) -> tracked res : DropObligation<R>

ensures
res.value() == value,

Mint a fresh obligation token. Sound on its own (no axiom — the allocation goes through vstd’s resource algebra and is verified). Two legitimate uses:

  • Inside an impl that opts out of per-state-ledger enforcement (e.g. Key = () impls): the token is a no-op marker; the trait API stays uniform but no clean_inv() enforcement applies.
  • As the underlying allocator for a paired mint axiom on HasObligations — the axiom adds the ledger entry alongside.
Source

pub proof fn validate_with_other(tracked &mut self, tracked other: &Self)

ensures
*old(self) == *final(self),
final(self).id() != other.id(),

Two outstanding obligations have distinct Locs.

Auto Trait Implementations§

§

impl<R> Freeze for DropObligation<R>

§

impl<R> RefUnwindSafe for DropObligation<R>
where R: RefUnwindSafe,

§

impl<R> Send for DropObligation<R>
where R: Send,

§

impl<R> Sync for DropObligation<R>
where R: Sync,

§

impl<R> Unpin for DropObligation<R>
where R: Unpin,

§

impl<R> UnsafeUnpin for DropObligation<R>

§

impl<R> UnwindSafe for DropObligation<R>
where R: UnwindSafe,

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

§

impl<T, VERUS_SPEC__A> FromSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: From<T>,

§

fn obeys_from_spec() -> bool

§

fn from_spec(v: T) -> VERUS_SPEC__A

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

§

impl<T, VERUS_SPEC__A> IntoSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: Into<T>,

§

fn obeys_into_spec() -> bool

§

fn into_spec(self) -> T

§

impl<T, U> IntoSpecImpl<U> for T
where U: From<T>,

§

fn obeys_into_spec() -> bool

§

fn into_spec(self) -> U

Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
§

impl<T, VERUS_SPEC__A> TryFromSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: TryFrom<T>,

§

fn obeys_try_from_spec() -> bool

§

fn try_from_spec( v: T, ) -> Result<VERUS_SPEC__A, <VERUS_SPEC__A as TryFrom<T>>::Error>

Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
§

impl<T, VERUS_SPEC__A> TryIntoSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: TryInto<T>,

§

fn obeys_try_into_spec() -> bool

§

fn try_into_spec(self) -> Result<T, <VERUS_SPEC__A as TryInto<T>>::Error>

§

impl<T, U> TryIntoSpecImpl<U> for T
where U: TryFrom<T>,

§

fn obeys_try_into_spec() -> bool

§

fn try_into_spec(self) -> Result<U, <U as TryFrom<T>>::Error>

§

impl<A> SpecEq<&A> for A
where A: ?Sized,

§

impl<A> SpecEq<&mut A> for A
where A: ?Sized,

§

impl<A> SpecEq<A> for A
where A: ?Sized,

§

impl<A> SpecEq<Ghost<A>> for A

§

impl<A> SpecEq<Tracked<A>> for A