Left

vstd_extra::resource::ghost_resource::csum

Struct Left 

Source 
pub struct Left<A, B, const TOTAL: u64 = 2> { /* private fields */ }
Expand description

Left ensures the resource is of type A.

Implementations§

Source§

impl<A, B, const TOTAL: u64> Left<A, B, TOTAL>

Source

pub closed spec fn id(self) -> Loc

Returns the unique identifier.

Source

pub closed spec fn protocol_monoid(self) -> CsumP<A, B, TOTAL>

The underlying protocol monoid value for this resource.

Source

pub open spec fn is_resource_owner(self) -> bool

{ self.protocol_monoid().is_resource_owner() }

Whether this token has the right to access the underlying resource.

Source

pub open spec fn resource(self) -> A

{ self.protocol_monoid().resource()->Left_0 }

The resource value, only meaningful if is_resource_owner is true.

Source

pub open spec fn wf(self) -> bool

{
    &&& self.protocol_monoid().is_left()
    &&& self.protocol_monoid().is_valid()
    &&& 1 <= self.frac() <= TOTAL
    &&& self.is_resource_owner() ==> (self.has_resource() <==> !self.has_no_resource())

}

Type invariant.

Source

pub open spec fn has_resource(self) -> bool

{ self.protocol_monoid().has_resource() }

Whether the resource is currently stored, only meaningful if is_resource_owner is true.

Source

pub open spec fn has_no_resource(self) -> bool

{ self.protocol_monoid().has_no_resource() }

Whether the resource has been taken, only meaningful if is_resource_owner is true.

Source

pub open spec fn frac(self) -> int

{ self.protocol_monoid().frac() }

The fraction this token represents.

Source

pub proof fn validate(tracked &self)

ensures
self.wf(),

Left token satisfies the type invariant.

Source

pub proof fn validate_with_left(tracked &mut self, tracked other: &Self)

requires
old(self).id() == other.id(),
ensures
*old(self) == *self,
!(self.is_resource_owner() && other.is_resource_owner()),
self.frac() + other.frac() <= TOTAL,
self.wf(),

The existence of two Left tokens with the same id ensures at most one of them is the resource owner.

Source

pub proof fn validate_with_right(tracked &self, tracked other: &Right<A, B, TOTAL>)

ensures
self.id() != other.id(),
self.wf(),

The existence of a Right token ensures they can not have the same id.

Source

pub proof fn tracked_borrow(tracked &self) -> tracked res : &A

requires
self.has_resource(),
ensures
*res == self.resource(),

Borrows the resource of type A.

Source

pub proof fn take_resource(tracked &mut self) -> tracked res : A

requires
old(self).is_resource_owner(),
old(self).has_resource(),
ensures
self.id() == old(self).id(),
res == old(self).resource(),
self.is_resource_owner(),
self.has_no_resource(),
self.frac() == old(self).frac(),
self.wf(),

Takes the resource out of the token.

Source

pub proof fn put_resource(tracked &mut self, tracked a: A)

requires
old(self).is_resource_owner(),
old(self).has_no_resource(),
ensures
self.id() == old(self).id(),
self.protocol_monoid() == CsumP::<A, B, TOTAL>::Cinl(Some(a), self.frac(), true),
self.is_resource_owner(),
self.has_resource(),
self.resource() == a,
self.frac() == old(self).frac(),
self.wf(),

Puts a resource of type A back to the token.

Source

pub proof fn split_with_resource(tracked &mut self, n: int) -> tracked res : Self

requires
0 < n < old(self).frac(),
ensures
self.id() == old(self).id(),
res.id() == self.id(),
self.frac() == old(self).frac() - n,
res.frac() == n,
!self.is_resource_owner(),
res.is_resource_owner() <==> old(self).is_resource_owner(),
res.is_resource_owner() ==> (res.has_resource() <==> old(self).has_resource()),
res.has_resource() ==> res.resource() == old(self).resource(),
self.wf(),
res.wf(),

Splits this token into two Left tokens with the given fraction n, given the resource to the new token if available.

Source

pub proof fn split_without_resource(tracked &mut self, n: int) -> tracked res : Self

requires
0 < n < old(self).frac(),
ensures
self.id() == old(self).id(),
res.id() == self.id(),
self.frac() == old(self).frac() - n,
res.frac() == n,
!res.is_resource_owner(),
self.is_resource_owner() <==> old(self).is_resource_owner(),
self.is_resource_owner() ==> (self.has_resource() <==> old(self).has_resource()),
self.has_resource() ==> self.resource() == old(self).resource(),
self.wf(),
res.wf(),

Splits this token into two Left tokens with the given fraction n, without giving the resource to the new token.

Source

pub proof fn update(tracked &mut self, tracked a: A) -> tracked res : Option<A>

requires
old(self).is_resource_owner(),
ensures
self.id() == old(self).id(),
self.is_resource_owner(),
self.has_resource(),
self.resource() == a,
self.frac() == old(self).frac(),
res == if old(self).has_resource() { Some(old(self).resource()) } else { None },
self.wf(),

Updates the token with a new resource of type A, and returns the old resource if available.

Auto Trait Implementations§

§

impl<A, B, const TOTAL: u64> Freeze for Left<A, B, TOTAL>

§

impl<A, B, const TOTAL: u64> RefUnwindSafe for Left<A, B, TOTAL>
where A: RefUnwindSafe, B: RefUnwindSafe,

§

impl<A, B, const TOTAL: u64> Send for Left<A, B, TOTAL>
where A: Send + Sync, B: Send + Sync,

§

impl<A, B, const TOTAL: u64> Sync for Left<A, B, TOTAL>
where A: Sync + Send, B: Sync + Send,

§

impl<A, B, const TOTAL: u64> Unpin for Left<A, B, TOTAL>
where A: Unpin, B: Unpin,

§

impl<A, B, const TOTAL: u64> UnwindSafe for Left<A, B, TOTAL>
where A: UnwindSafe, B: UnwindSafe,

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

§

impl<T, VERUS_SPEC__A> FromSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: From<T>,

§

fn obeys_from_spec() -> bool

§

fn from_spec(v: T) -> VERUS_SPEC__A

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

§

impl<T, VERUS_SPEC__A> IntoSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: Into<T>,

§

fn obeys_into_spec() -> bool

§

fn into_spec(self) -> T

§

impl<T, U> IntoSpecImpl<U> for T
where U: From<T>,

§

fn obeys_into_spec() -> bool

§

fn into_spec(self) -> U

Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
§

impl<T, VERUS_SPEC__A> TryFromSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: TryFrom<T>,

§

fn obeys_try_from_spec() -> bool

§

fn try_from_spec( v: T, ) -> Result<VERUS_SPEC__A, <VERUS_SPEC__A as TryFrom<T>>::Error>

Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
§

impl<T, VERUS_SPEC__A> TryIntoSpec<T> for VERUS_SPEC__A
where VERUS_SPEC__A: TryInto<T>,

§

fn obeys_try_into_spec() -> bool

§

fn try_into_spec(self) -> Result<T, <VERUS_SPEC__A as TryInto<T>>::Error>

§

impl<T, U> TryIntoSpecImpl<U> for T
where U: TryFrom<T>,

§

fn obeys_try_into_spec() -> bool

§

fn try_into_spec(self) -> Result<U, <U as TryFrom<T>>::Error>