Tree

vstd_extra::ghost_tree

Struct Tree 

Source 
pub struct Tree<T: TreeNodeValue<L>, const N: usize, const L: usize> {
    pub root: Node<T, N, L>,
}

Fields§

§root: Node<T, N, L>

Implementations§

Source§

impl<T: TreeNodeValue<L>, const N: usize, const L: usize> Tree<T, N, L>

Source

pub proof fn axiom_depth_positive()

ensures
L > 0,
Source

pub proof fn axiom_size_positive()

ensures
N > 0,
Source

pub open spec fn inv(self) -> bool

{
    &&& self.root.inv()
    &&& self.root.level == 0

}
Source

pub open spec fn new() -> Self

{ Tree { root: Node::new(0) } }
Source

pub broadcast proof fn new_preserves_inv()

requires
forall |i: int| 0 <= i < N ==> #[trigger] T::default(0).rel_children(i, None),
ensures
#[trigger] Self::new().inv(),
Source

pub open spec fn insert(self, path: TreePath<N>, node: Node<T, N, L>) -> Self

recommends
self.inv(),
path.inv(),
node.inv(),
path.len() < L,
node.level == path.len() as nat,
{
    Tree {
        root: self.root.recursive_insert(path, node),
        ..self
    }
}
Source

pub open spec fn remove(self, path: TreePath<N>) -> Self

recommends
self.inv(),
path.inv(),
path.len() < L,
{
    Tree {
        root: self.root.recursive_remove(path),
        ..self
    }
}
Source

pub open spec fn visit(self, path: TreePath<N>) -> Seq<Node<T, N, L>>

recommends
self.inv(),
path.inv(),
path.len() < L,
{ self.root.recursive_visit(path) }
Source

pub broadcast proof fn visit_is_recursive_visit(self, path: TreePath<N>)

requires
self.inv(),
path.inv(),
path.len() < L,
ensures
#[trigger] self.visit(path) == self.root.recursive_visit(path),
Source

pub open spec fn trace(self, path: TreePath<N>) -> Seq<T>

recommends
self.inv(),
path.inv(),
path.len() < L,
{ self.root.recursive_trace(path) }
Source

pub broadcast proof fn trace_empty_is_head(self, path: TreePath<N>)

requires
path.len() == 0,
ensures
#[trigger] self.trace(path) == seq![self.root.value],
Source

pub proof fn lemma_trace_up_to(self, path1: TreePath<N>, path2: TreePath<N>, n: int)

requires
self.inv(),
path1.inv(),
path2.inv(),
n <= path1.len(),
n <= path2.len(),
forall |i: int| 0 <= i < n ==> path1.0[i] == path2.0[i],
self.trace(path1).len() > n,
ensures
self.trace(path2).len() > n,
forall |i: int| 0 <= i <= n ==> self.trace(path1)[i] == self.trace(path2)[i],
Source

pub broadcast proof fn lemma_trace_length(self, path: TreePath<N>)

requires
self.inv(),
path.inv(),
ensures
#[trigger] self.trace(path).len() <= path.len() + 1,
Source

pub open spec fn seek(self, path: TreePath<N>) -> Option<Node<T, N, L>>

{ self.root.recursive_seek(path) }
Source

pub proof fn lemma_seek_trace_length(self, path: TreePath<N>)

requires
self.inv(),
path.inv(),
path.len() < L,
self.seek(path) is Some,
ensures
self.trace(path).len() == path.len() + 1,
Source

pub proof fn lemma_seek_trace_next(self, path: TreePath<N>, idx: usize)

requires
self.seek(path) is Some,
self.seek(path)->Some_0.children[idx as int] is Some,
self.inv(),
path.inv(),
path.len() < L,
0 <= idx < N,
ensures
self.trace(path.push_tail(idx)).len() == path.len() + 2,
self.seek(path)->Some_0.children[idx as int]->Some_0.value
    == self.trace(path.push_tail(idx))[path.len() as int + 1],
Source

pub broadcast proof fn insert_preserves_inv(self, path: TreePath<N>, node: Node<T, N, L>)

requires
self.inv(),
path.inv(),
node.inv(),
path.len() < L,
node.level == path.len() as nat,
self.seek(path.pop_tail().1) is Some
    ==> self.seek(path.pop_tail().1)->Some_0
        .value
        .rel_children(path.index(path.len() - 1) as int, Some(node.value)),
self.seek(path.pop_tail().1) is None
    ==> T::default((path.len() - 1) as nat)
        .rel_children(path.index(path.len() - 1) as int, Some(node.value)),
forall |lv: nat, i: int| {
    lv < L ==> (0 <= i < N ==> #[trigger] T::default(lv).rel_children(i, None))
},
ensures
#[trigger] self.insert(path, node).inv(),
Source

pub broadcast proof fn remove_preserves_inv(self, path: TreePath<N>)

requires
self.inv(),
path.inv(),
path.len() < L,
path.len() > 0
    ==> (self.seek(path.pop_tail().1) is Some
        ==> self.seek(path.pop_tail().1)->Some_0
            .children[path.pop_tail().0 as int] is None
            || self.seek(path.pop_tail().1)->Some_0
                .value
                .rel_children(path.index(path.len() - 1) as int, None)),
ensures
#[trigger] self.remove(path).inv(),
Source

pub broadcast proof fn visited_nodes_inv(self, path: TreePath<N>)

requires
#[trigger] self.inv(),
#[trigger] path.inv(),
path.len() < L,
ensures
forall |i: int| {
    0 <= i < self.visit(path).len() ==> #[trigger] self.visit(path).index(i).inv()
},
Source

pub open spec fn on_tree(self, node: Node<T, N, L>) -> bool

recommends
self.inv(),
node.inv(),
{ self.root.on_subtree(node) }
Source

pub broadcast proof fn on_tree_property(self, node: Node<T, N, L>)

requires
self.inv(),
node.inv(),
#[trigger] self.on_tree(node),
ensures
node.level == 0 ==> self.root == node,
node.level > 0
    ==> exists |path: TreePath<N>| {
        #[trigger] path.inv() && path.len() == node.level
            && self.visit(path).last() == node
    },
Source

pub broadcast proof fn not_on_tree_property(self, node: Node<T, N, L>)

requires
self.inv(),
node.inv(),
!#[trigger] self.on_tree(node),
ensures
node != self.root,
node.level > 0
    ==> forall |path: TreePath<N>| {
        #[trigger] path.inv() && path.len() == node.level
            ==> self.visit(path).last() != node
    },
Source

pub open spec fn get_path(self, node: Node<T, N, L>) -> TreePath<N>

recommends
self.inv(),
node.inv(),
self.on_tree(node),
{ path_between::<T, N, L>(self.root, node) }
Source

pub broadcast proof fn get_path_properties(self, node: Node<T, N, L>)

requires
self.inv(),
node.inv(),
self.on_tree(node),
ensures
#[trigger] self.get_path(node).inv(),
#[trigger] self.get_path(node).len() == node.level,
node.level == 0 ==> #[trigger] self.get_path(node).is_empty(),
node.level > 0 ==> #[trigger] self.visit(self.get_path(node)).last() == node,

Auto Trait Implementations§

§

impl<T, const N: usize, const L: usize> Freeze for Tree<T, N, L>
where T: Freeze,

§

impl<T, const N: usize, const L: usize> RefUnwindSafe for Tree<T, N, L>
where T: RefUnwindSafe,

§

impl<T, const N: usize, const L: usize> Send for Tree<T, N, L>
where T: Send,

§

impl<T, const N: usize, const L: usize> Sync for Tree<T, N, L>
where T: Sync,

§

impl<T, const N: usize, const L: usize> Unpin for Tree<T, N, L>
where T: Unpin,

§

impl<T, const N: usize, const L: usize> UnwindSafe for Tree<T, N, L>
where T: UnwindSafe,

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

§

impl<T, VERUS_SPEC__A> FromSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: From<T>,

§

fn obeys_from_spec() -> bool

§

fn from_spec(v: T) -> VERUS_SPEC__A

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

§

impl<T, VERUS_SPEC__A> IntoSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: Into<T>,

§

fn obeys_into_spec() -> bool

§

fn into_spec(self) -> T

§

impl<T, U> IntoSpecImpl<U> for T
where U: From<T>,

§

fn obeys_into_spec() -> bool

§

fn into_spec(self) -> U

Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
§

impl<T, VERUS_SPEC__A> TryFromSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: TryFrom<T>,

§

fn obeys_try_from_spec() -> bool

§

fn try_from_spec( v: T, ) -> Result<VERUS_SPEC__A, <VERUS_SPEC__A as TryFrom<T>>::Error>

Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
§

impl<T, VERUS_SPEC__A> TryIntoSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: TryInto<T>,

§

fn obeys_try_into_spec() -> bool

§

fn try_into_spec(self) -> Result<T, <VERUS_SPEC__A as TryInto<T>>::Error>

§

impl<T, U> TryIntoSpecImpl<U> for T
where U: TryFrom<T>,

§

fn obeys_try_into_spec() -> bool

§

fn try_into_spec(self) -> Result<U, <U as TryFrom<T>>::Error>