Pledges
Now we will look at pledges. Pledges are used for functions that return mutable references into some datastructure.
With a pledge you can explain to Prusti how the original object gets affected by changes to the returned reference.
We will demonstrate by implementing a function that gives you a mutable reference to the first element in the list.
Implementing peek_mut
The peek_mut will return a mutable reference of type T, so the precondition of the list requires it to be non-empty.
As a first postcondition, we want to ensure that the result of peek_mut points to the first element of the list.
In the code, we need to get a mutable reference to the type inside the Link = Option<Box<Node<T>>>. This requires the use of the type Option<&mut T>, which is a structure containing a reference, so it is not yet supported by Prusti. To still be able to verify peek_mut, we mark it as trusted for now:
// The next line is only required for doctests, you can ignore/remove it
extern crate prusti_contracts;
use prusti_contracts::*;
fn main() {}
pub struct List<T> {
head: Link<T>,
}
type Link<T> = Option<Box<Node<T>>>;
struct Node<T> {
elem: T,
next: Link<T>,
}
#[extern_spec(std::mem)]
#[ensures(snap(dest) === src)]
#[ensures(result === old(snap(dest)))]
fn replace<T>(dest: &mut T, src: T) -> T;
// Specs for std::option::Option<T>::unwrap(self) (and others) can be found here (work in progress):
// https://github.com/viperproject/prusti-dev/pull/1249/files#diff-bccda07f8a48357687e26408251041072c7470c188092fb58439de39974bdab5R47-R49
#[extern_spec]
impl<T> std::option::Option<T> {
#[requires(self.is_some())]
#[ensures(old(self) === Some(result))]
pub fn unwrap(self) -> T;
#[pure]
#[ensures(result == matches!(self, None))]
pub const fn is_none(&self) -> bool;
#[pure]
#[ensures(result == matches!(self, Some(_)))]
pub const fn is_some(&self) -> bool;
#[ensures(result === old(snap(self)))]
#[ensures(self.is_none())]
pub fn take(&mut self) -> Option<T>;
}
impl<T> List<T> {
#[pure]
pub fn len(&self) -> usize {
link_len(&self.head)
}
#[pure]
fn is_empty(&self) -> bool {
matches!(self.head, None)
}
#[ensures(result.len() == 0)]
pub fn new() -> Self {
List { head: None }
}
#[pure]
#[requires(index < self.len())]
pub fn lookup(&self, index: usize) -> &T {
link_lookup(&self.head, index)
}
#[ensures(self.len() == old(self.len()) + 1)]
#[ensures(snap(self.lookup(0)) === elem)]
#[ensures(forall(|i: usize| (i < old(self.len())) ==>
old(self.lookup(i)) === self.lookup(i + 1)))]
pub fn push(&mut self, elem: T) {
let new_node = Box::new(Node {
elem,
next: self.head.take(),
});
self.head = Some(new_node);
}
predicate! {
// two-state predicate to check if the head of a list was correctly removed
fn head_removed(&self, prev: &Self) -> bool {
self.len() == prev.len() - 1 // The length will decrease by 1
&& forall(|i: usize| // Every element will be shifted forwards by one
(1 <= i && i < prev.len())
==> prev.lookup(i) === self.lookup(i - 1))
}
}
#[ensures(old(self.is_empty()) ==>
result.is_none() &&
self.is_empty()
)]
#[ensures(!old(self.is_empty()) ==>
self.head_removed(&old(snap(self))) &&
result === Some(snap(old(snap(self)).lookup(0)))
)]
pub fn try_pop(&mut self) -> Option<T> {
match self.head.take() {
None => None,
Some(node) => {
self.head = node.next;
Some(node.elem)
}
}
}
#[requires(!self.is_empty())]
#[ensures(self.head_removed(&old(snap(self))))]
#[ensures(result === old(snap(self)).lookup(0))]
pub fn pop(&mut self) -> T {
self.try_pop().unwrap()
}
// // Not currently possible in Prusti
// pub fn try_peek(&self) -> Option<&T> {
// todo!()
// }
#[pure]
#[requires(!self.is_empty())]
pub fn peek(&self) -> &T {
self.lookup(0)
}
// #[requires(index < self.len())]
// pub fn lookup_mut(&mut self, index: usize) -> &mut T {
// let mut curr_node = &mut self.head;
// let mut index = index; // Workaround for Prusti not supporting mutable fn arguments
// while index != 0 {
// body_invariant!(true);
// if let Some(next_node) = curr_node { // reference in enum
// curr_node = &mut next_node.next;
// } else {
// unreachable!();
// }
// index -= 1;
// }
// if let Some(node) = curr_node { // ERROR: [Prusti: unsupported feature] the creation of loans in this loop is not supported (ReborrowingDagHasNoMagicWands)
// &mut node.elem
// } else {
// unreachable!()
// }
// }
#[trusted] // required due to unsupported reference in enum
#[requires(!self.is_empty())]
#[ensures(snap(result) === old(snap(self.peek())))]
pub fn peek_mut(&mut self) -> &mut T {
// This does not work in Prusti at the moment:
// "&mut self.head" has type "&mut Option<T>"
// this gets auto-dereferenced by Rust into type: "Option<&mut T>"
// this then gets matched to "Some(node: &mut T)"
// References in enums are not yet supported, so this cannot be verified by Prusti
if let Some(node) = &mut self.head {
&mut node.elem
} else {
unreachable!()
}
}
}
#[pure]
#[requires(index < link_len(link))]
fn link_lookup<T>(link: &Link<T>, index: usize) -> &T {
match link {
Some(node) => {
if index == 0 {
&node.elem
} else {
link_lookup(&node.next, index - 1)
}
}
None => unreachable!(),
}
}
#[pure]
fn link_len<T>(link: &Link<T>) -> usize {
match link {
None => 0,
Some(node) => 1 + link_len(&node.next),
}
}
#[cfg(prusti)]
mod prusti_tests {
use super::*;
fn _test_list(){
let mut list = List::new(); // create an new, empty list
prusti_assert!(list.is_empty() && list.len() == 0); // list should be empty
list.push(5);
list.push(10);
prusti_assert!(!list.is_empty() && list.len() == 2); // length correct
prusti_assert!(*list.lookup(0) == 10); // head is 10
prusti_assert!(*list.lookup(1) == 5); // 5 got pushed back correctly
let x = list.pop();
prusti_assert!(x == 10); // pop returns the value that was added last
match list.try_pop() {
Some(y) => assert!(y == 5),
None => unreachable!()
}
let z = list.try_pop();
prusti_assert!(list.is_empty() && list.len() == 0); // length correct
prusti_assert!(z.is_none()); // `try_pop` on an empty list should return `None`
}
fn _test_peek() {
let mut list = List::new();
list.push(16);
prusti_assert!(list.peek() === list.lookup(0));
prusti_assert!(*list.peek() == 16);
list.push(5);
prusti_assert!(*list.peek() == 5);
list.pop();
prusti_assert!(*list.peek() == 16);
}
fn _test_peek_mut() {
let mut list = List::new();
list.push(8);
list.push(16);
// Open a new scope using an opening bracket `{`
// `first` will get dropped at the closing bracket `}`
{
let first = list.peek_mut();
// `first` is a mutable reference to the first element of the list
// for as long as `first` is exists, `list` cannot be accessed
prusti_assert!(*first == 16);
*first = 5; // Write 5 to the first slot of the list
prusti_assert!(*first == 5);
// `first` gets dropped here, `list` can be accessed again
}
prusti_assert!(list.len() == 2); //~ ERROR the asserted expression might not hold
prusti_assert!(*list.lookup(0) == 5); // this fails too
prusti_assert!(*list.lookup(1) == 8); // this fails too
}
}Note that peek_mut cannot be #[pure], since it returns a mutable reference.
Writing a test for our specification
Let's write a test to see if our specification works:
- Create a list with two elements: [16, 8]
- Get a mutable reference to the first element (16)
- Change the first element to 5
- Check if the list still has the expected properties after
firstgets dropped- Is the length 2?
- Is the first element 5?
- Is the second element 8?
// The next line is only required for doctests, you can ignore/remove it
extern crate prusti_contracts;
use prusti_contracts::*;
fn main() {}
pub struct List<T> {
head: Link<T>,
}
type Link<T> = Option<Box<Node<T>>>;
struct Node<T> {
elem: T,
next: Link<T>,
}
#[extern_spec(std::mem)]
#[ensures(snap(dest) === src)]
#[ensures(result === old(snap(dest)))]
fn replace<T>(dest: &mut T, src: T) -> T;
// Specs for std::option::Option<T>::unwrap(self) (and others) can be found here (work in progress):
// https://github.com/viperproject/prusti-dev/pull/1249/files#diff-bccda07f8a48357687e26408251041072c7470c188092fb58439de39974bdab5R47-R49
#[extern_spec]
impl<T> std::option::Option<T> {
#[requires(self.is_some())]
#[ensures(old(self) === Some(result))]
pub fn unwrap(self) -> T;
#[pure]
#[ensures(result == matches!(self, None))]
pub const fn is_none(&self) -> bool;
#[pure]
#[ensures(result == matches!(self, Some(_)))]
pub const fn is_some(&self) -> bool;
#[ensures(result === old(snap(self)))]
#[ensures(self.is_none())]
pub fn take(&mut self) -> Option<T>;
}
impl<T> List<T> {
#[pure]
pub fn len(&self) -> usize {
link_len(&self.head)
}
#[pure]
fn is_empty(&self) -> bool {
matches!(self.head, None)
}
#[ensures(result.len() == 0)]
pub fn new() -> Self {
List { head: None }
}
#[pure]
#[requires(index < self.len())]
pub fn lookup(&self, index: usize) -> &T {
link_lookup(&self.head, index)
}
#[ensures(self.len() == old(self.len()) + 1)]
#[ensures(snap(self.lookup(0)) === elem)]
#[ensures(forall(|i: usize| (i < old(self.len())) ==>
old(self.lookup(i)) === self.lookup(i + 1)))]
pub fn push(&mut self, elem: T) {
let new_node = Box::new(Node {
elem,
next: self.head.take(),
});
self.head = Some(new_node);
}
predicate! {
// two-state predicate to check if the head of a list was correctly removed
fn head_removed(&self, prev: &Self) -> bool {
self.len() == prev.len() - 1 // The length will decrease by 1
&& forall(|i: usize| // Every element will be shifted forwards by one
(1 <= i && i < prev.len())
==> prev.lookup(i) === self.lookup(i - 1))
}
}
#[ensures(old(self.is_empty()) ==>
result.is_none() &&
self.is_empty()
)]
#[ensures(!old(self.is_empty()) ==>
self.head_removed(&old(snap(self))) &&
result === Some(snap(old(snap(self)).lookup(0)))
)]
pub fn try_pop(&mut self) -> Option<T> {
match self.head.take() {
None => None,
Some(node) => {
self.head = node.next;
Some(node.elem)
}
}
}
#[requires(!self.is_empty())]
#[ensures(self.head_removed(&old(snap(self))))]
#[ensures(result === old(snap(self)).lookup(0))]
pub fn pop(&mut self) -> T {
self.try_pop().unwrap()
}
// // Not currently possible in Prusti
// pub fn try_peek(&self) -> Option<&T> {
// todo!()
// }
#[pure]
#[requires(!self.is_empty())]
pub fn peek(&self) -> &T {
self.lookup(0)
}
// #[requires(index < self.len())]
// pub fn lookup_mut(&mut self, index: usize) -> &mut T {
// let mut curr_node = &mut self.head;
// let mut index = index; // Workaround for Prusti not supporting mutable fn arguments
// while index != 0 {
// body_invariant!(true);
// if let Some(next_node) = curr_node { // reference in enum
// curr_node = &mut next_node.next;
// } else {
// unreachable!();
// }
// index -= 1;
// }
// if let Some(node) = curr_node { // ERROR: [Prusti: unsupported feature] the creation of loans in this loop is not supported (ReborrowingDagHasNoMagicWands)
// &mut node.elem
// } else {
// unreachable!()
// }
// }
#[trusted] // required due to unsupported reference in enum
#[requires(!self.is_empty())]
#[ensures(snap(result) === old(snap(self.peek())))]
pub fn peek_mut(&mut self) -> &mut T {
// This does not work in Prusti at the moment:
// "&mut self.head" has type "&mut Option<T>"
// this gets auto-dereferenced by Rust into type: "Option<&mut T>"
// this then gets matched to "Some(node: &mut T)"
// References in enums are not yet supported, so this cannot be verified by Prusti
if let Some(node) = &mut self.head {
&mut node.elem
} else {
unreachable!()
}
}
}
#[pure]
#[requires(index < link_len(link))]
fn link_lookup<T>(link: &Link<T>, index: usize) -> &T {
match link {
Some(node) => {
if index == 0 {
&node.elem
} else {
link_lookup(&node.next, index - 1)
}
}
None => unreachable!(),
}
}
#[pure]
fn link_len<T>(link: &Link<T>) -> usize {
match link {
None => 0,
Some(node) => 1 + link_len(&node.next),
}
}
#[cfg(prusti)]
mod prusti_tests {
use super::*;
fn _test_list(){
let mut list = List::new(); // create an new, empty list
prusti_assert!(list.is_empty() && list.len() == 0); // list should be empty
list.push(5);
list.push(10);
prusti_assert!(!list.is_empty() && list.len() == 2); // length correct
prusti_assert!(*list.lookup(0) == 10); // head is 10
prusti_assert!(*list.lookup(1) == 5); // 5 got pushed back correctly
let x = list.pop();
prusti_assert!(x == 10); // pop returns the value that was added last
match list.try_pop() {
Some(y) => assert!(y == 5),
None => unreachable!()
}
let z = list.try_pop();
prusti_assert!(list.is_empty() && list.len() == 0); // length correct
prusti_assert!(z.is_none()); // `try_pop` on an empty list should return `None`
}
fn _test_peek() {
let mut list = List::new();
list.push(16);
prusti_assert!(list.peek() === list.lookup(0));
prusti_assert!(*list.peek() == 16);
list.push(5);
prusti_assert!(*list.peek() == 5);
list.pop();
prusti_assert!(*list.peek() == 16);
}
fn _test_peek_mut() {
let mut list = List::new();
list.push(8);
list.push(16);
// Open a new scope using an opening bracket `{`
// `first` will get dropped at the closing bracket `}`
{
let first = list.peek_mut();
// `first` is a mutable reference to the first element of the list
// for as long as `first` is exists, `list` cannot be accessed
prusti_assert!(*first == 16);
*first = 5; // Write 5 to the first slot of the list
prusti_assert!(*first == 5);
// `first` gets dropped here, `list` can be accessed again
}
prusti_assert!(list.len() == 2); //~ ERROR the asserted expression might not hold
prusti_assert!(*list.lookup(0) == 5); // this fails too
prusti_assert!(*list.lookup(1) == 8); // this fails too
}
}But this fails, Prusti cannot verify any of our last three prusti_assert statements. This is where pledges come in. We have to tell Prusti how the result affects the original list. Without this, Prusti assumes that changes to the reference can change every property of the original list, so nothing can be known about it after the reference gets dropped.
Writing the pledge
The pledge is written using an annotation, like ensures and requires, but with the keyword after_expiry.
Inside we have all the conditions that hold after the returned reference gets dropped:
// The next line is only required for doctests, you can ignore/remove it
extern crate prusti_contracts;
use prusti_contracts::*;
fn main() {}
pub struct List<T> {
head: Link<T>,
}
type Link<T> = Option<Box<Node<T>>>;
struct Node<T> {
elem: T,
next: Link<T>,
}
#[extern_spec(std::mem)]
#[ensures(snap(dest) === src)]
#[ensures(result === old(snap(dest)))]
fn replace<T>(dest: &mut T, src: T) -> T;
// Specs for std::option::Option<T>::unwrap(self) (and others) can be found here (work in progress):
// https://github.com/viperproject/prusti-dev/pull/1249/files#diff-bccda07f8a48357687e26408251041072c7470c188092fb58439de39974bdab5R47-R49
#[extern_spec]
impl<T> std::option::Option<T> {
#[requires(self.is_some())]
#[ensures(old(self) === Some(result))]
pub fn unwrap(self) -> T;
#[pure]
#[ensures(result == matches!(self, None))]
pub const fn is_none(&self) -> bool;
#[pure]
#[ensures(result == matches!(self, Some(_)))]
pub const fn is_some(&self) -> bool;
#[ensures(result === old(snap(self)))]
#[ensures(self.is_none())]
pub fn take(&mut self) -> Option<T>;
}
impl<T> List<T> {
#[pure]
pub fn len(&self) -> usize {
link_len(&self.head)
}
#[pure]
fn is_empty(&self) -> bool {
matches!(self.head, None)
}
#[ensures(result.len() == 0)]
pub fn new() -> Self {
List { head: None }
}
#[pure]
#[requires(index < self.len())]
pub fn lookup(&self, index: usize) -> &T {
link_lookup(&self.head, index)
}
#[ensures(self.len() == old(self.len()) + 1)]
#[ensures(snap(self.lookup(0)) === elem)]
#[ensures(forall(|i: usize| (i < old(self.len())) ==>
old(self.lookup(i)) === self.lookup(i + 1)))]
pub fn push(&mut self, elem: T) {
let new_node = Box::new(Node {
elem,
next: self.head.take(),
});
self.head = Some(new_node);
}
predicate! {
// two-state predicate to check if the head of a list was correctly removed
fn head_removed(&self, prev: &Self) -> bool {
self.len() == prev.len() - 1 // The length will decrease by 1
&& forall(|i: usize| // Every element will be shifted forwards by one
(1 <= i && i < prev.len())
==> prev.lookup(i) === self.lookup(i - 1))
}
}
#[ensures(old(self.is_empty()) ==>
result.is_none() &&
self.is_empty()
)]
#[ensures(!old(self.is_empty()) ==>
self.head_removed(&old(snap(self))) &&
result === Some(snap(old(snap(self)).lookup(0)))
)]
pub fn try_pop(&mut self) -> Option<T> {
match self.head.take() {
None => None,
Some(node) => {
self.head = node.next;
Some(node.elem)
}
}
}
#[requires(!self.is_empty())]
#[ensures(self.head_removed(&old(snap(self))))]
#[ensures(result === old(snap(self)).lookup(0))]
pub fn pop(&mut self) -> T {
self.try_pop().unwrap()
}
// // Not currently possible in Prusti
// pub fn try_peek(&self) -> Option<&T> {
// todo!()
// }
#[pure]
#[requires(!self.is_empty())]
pub fn peek(&self) -> &T {
self.lookup(0)
}
#[trusted] // required due to unsupported reference in enum
#[requires(!self.is_empty())]
#[ensures(snap(result) === old(snap(self.peek())))]
#[after_expiry(
old(self.len()) === self.len() // (1. condition)
&& forall(|i: usize| 1 <= i && i < self.len() // (2. condition)
==> old(snap(self.lookup(i))) === snap(self.lookup(i)))
&& snap(self.peek()) === before_expiry(snap(result)) // (3. condition)
)]
pub fn peek_mut(&mut self) -> &mut T {
// This does not work in Prusti at the moment:
// "&mut self.head" has type "&mut Option<T>"
// this gets auto-dereferenced by Rust into type: "Option<&mut T>"
// this then gets matched to "Some(node: &mut T)"
// References in enums are not yet supported, so this cannot be verified by Prusti
if let Some(node) = &mut self.head {
&mut node.elem
} else {
unreachable!()
}
// ...
}
}
#[pure]
#[requires(index < link_len(link))]
fn link_lookup<T>(link: &Link<T>, index: usize) -> &T {
match link {
Some(node) => {
if index == 0 {
&node.elem
} else {
link_lookup(&node.next, index - 1)
}
}
None => unreachable!(),
}
}
#[pure]
fn link_len<T>(link: &Link<T>) -> usize {
match link {
None => 0,
Some(node) => 1 + link_len(&node.next),
}
}
#[cfg(prusti)]
mod prusti_tests {
use super::*;
fn _test_list(){
let mut list = List::new(); // create an new, empty list
prusti_assert!(list.is_empty() && list.len() == 0); // list should be empty
list.push(5);
list.push(10);
prusti_assert!(!list.is_empty() && list.len() == 2); // length correct
prusti_assert!(*list.lookup(0) == 10); // head is 10
prusti_assert!(*list.lookup(1) == 5); // 5 got pushed back correctly
let x = list.pop();
prusti_assert!(x == 10); // pop returns the value that was added last
match list.try_pop() {
Some(y) => assert!(y == 5),
None => unreachable!()
}
let z = list.try_pop();
prusti_assert!(list.is_empty() && list.len() == 0); // length correct
prusti_assert!(z.is_none()); // `try_pop` on an empty list should return `None`
}
fn _test_peek() {
let mut list = List::new();
list.push(16);
prusti_assert!(list.peek() === list.lookup(0));
prusti_assert!(*list.peek() == 16);
list.push(5);
prusti_assert!(*list.peek() == 5);
list.pop();
prusti_assert!(*list.peek() == 16);
}
fn _test_peek_mut() {
let mut list = List::new();
list.push(8);
list.push(16);
// Open a new scope using an opening bracket `{`
// `first` will get dropped at the closing bracket `}`
{
let first = list.peek_mut();
// `first` is a mutable reference to the first element of the list
// for as long as `first` is exists, `list` cannot be accessed
prusti_assert!(*first == 16);
*first = 5; // Write 5 to the first slot of the list
prusti_assert!(*first == 5);
// `first` gets dropped here, `list` can be accessed again
}
prusti_assert!(list.len() == 2);
prusti_assert!(*list.lookup(0) == 5); // slot 0 is now `5`
prusti_assert!(*list.lookup(1) == 8); // slot 1 is unchanged
}
}We have three properties here:
- The list will have the same length afterwards.
- Any element of the list with index
1..list.len()will not be changed. - The element at the head of the list is the value that was assigned to the returned reference. This is denoted with the
before_expiryfunction.
With these three properties specified, our test verifies successfully!
Assert on expiry
Like after_expiry, there is also assert_on_expiry. It is used to check for conditions that have to be true when the returned reference expires, usually in order to uphold some type invariant.
As an example, we could use this to make sure that our list of i32 can only contain elements between 0 and 16.
Given that this invariant held before the reference was given out, it will hold again only if the element, potentially changed by the caller, is still in the correct range:
// The next line is only required for doctests, you can ignore/remove it
extern crate prusti_contracts;
use prusti_contracts::*;
fn main() {}
pub struct List<T> {
head: Link<T>,
}
type Link<T> = Option<Box<Node<T>>>;
struct Node<T> {
elem: T,
next: Link<T>,
}
#[extern_spec(std::mem)]
#[ensures(snap(dest) === src)]
#[ensures(result === old(snap(dest)))]
fn replace<T>(dest: &mut T, src: T) -> T;
// Specs for std::option::Option<T>::unwrap(self) (and others) can be found here (work in progress):
// https://github.com/viperproject/prusti-dev/pull/1249/files#diff-bccda07f8a48357687e26408251041072c7470c188092fb58439de39974bdab5R47-R49
#[extern_spec]
impl<T> std::option::Option<T> {
#[requires(self.is_some())]
#[ensures(old(self) === Some(result))]
pub fn unwrap(self) -> T;
#[pure]
#[ensures(result == matches!(self, None))]
pub const fn is_none(&self) -> bool;
#[pure]
#[ensures(result == matches!(self, Some(_)))]
pub const fn is_some(&self) -> bool;
#[ensures(result === old(snap(self)))]
#[ensures(self.is_none())]
pub fn take(&mut self) -> Option<T>;
}
impl<T> List<T> {
#[pure]
pub fn len(&self) -> usize {
link_len(&self.head)
}
#[pure]
fn is_empty(&self) -> bool {
matches!(self.head, None)
}
#[ensures(result.len() == 0)]
pub fn new() -> Self {
List { head: None }
}
#[pure]
#[requires(index < self.len())]
pub fn lookup(&self, index: usize) -> &T {
link_lookup(&self.head, index)
}
#[ensures(self.len() == old(self.len()) + 1)]
#[ensures(snap(self.lookup(0)) === elem)]
#[ensures(forall(|i: usize| (i < old(self.len())) ==>
old(self.lookup(i)) === self.lookup(i + 1)))]
pub fn push(&mut self, elem: T) {
let new_node = Box::new(Node {
elem,
next: self.head.take(),
});
self.head = Some(new_node);
}
predicate! {
// two-state predicate to check if the head of a list was correctly removed
fn head_removed(&self, prev: &Self) -> bool {
self.len() == prev.len() - 1 // The length will decrease by 1
&& forall(|i: usize| // Every element will be shifted forwards by one
(1 <= i && i < prev.len())
==> prev.lookup(i) === self.lookup(i - 1))
}
}
#[ensures(old(self.is_empty()) ==>
result.is_none() &&
self.is_empty()
)]
#[ensures(!old(self.is_empty()) ==>
self.head_removed(&old(snap(self)))
&&
result === Some(snap(old(snap(self)).lookup(0)))
)]
pub fn try_pop(&mut self) -> Option<T> {
match self.head.take() { // Replace mem::swap with the buildin Option::take
None => None,
Some(node) => {
self.head = node.next;
Some(node.elem)
}
}
}
#[requires(!self.is_empty())]
#[ensures(self.head_removed(&old(snap(self))))]
#[ensures(result === old(snap(self)).lookup(0))]
pub fn pop(&mut self) -> T {
self.try_pop().unwrap()
}
// // Not currently possible in Prusti
// pub fn try_peek(&self) -> Option<&T> {
// todo!()
// }
#[pure]
#[requires(!self.is_empty())]
pub fn peek(&self) -> &T {
self.lookup(0)
}
#[trusted] // required due to unsupported reference in enum
#[requires(!self.is_empty())]
#[ensures(snap(result) === old(snap(self.peek())))]
#[after_expiry(
old(self.len()) === self.len() // (1.)
&& forall(|i: usize| 1 <= i && i < self.len() // (2.)
==> old(snap(self.lookup(i))) === snap(self.lookup(i)))
&& snap(self.peek()) === before_expiry(snap(result)) // (3.)
)]
pub fn peek_mut(&mut self) -> &mut T {
// This does not work in Prusti at the moment:
// "&mut self.head" has type "&mut Option<T>"
// this gets auto-dereferenced by Rust into type: "Option<&mut T>"
// this then gets matched to "Some(node: &mut T)"
// References in enums are not yet supported, so this cannot be verified by Prusti
if let Some(node) = &mut self.head {
&mut node.elem
} else {
unreachable!()
}
// ...
}
}
impl List<i32> {
predicate!{
fn is_valid(&self) -> bool {
forall(|i: usize| i < self.len()
==> *self.lookup(i) >= 0 && *self.lookup(i) < 16)
}
}
// ==> { let value = *self.lookup(i);
// 0 <= value && value < 16 })
#[trusted] // required due to unsupported reference in enum
#[requires(!self.is_empty())]
#[requires(self.is_valid())]
#[ensures(snap(result) === old(snap(self.peek())))]
#[assert_on_expiry(
0 <= *result && *result < 16,
self.is_valid()
&& old(self.len()) === self.len() // (1.)
&& forall(|i: usize| 1 <= i && i < self.len() // (2.)
==> old(snap(self.lookup(i))) === snap(self.lookup(i)))
&& snap(self.peek()) === before_expiry(snap(result)) // (3.)
)]
pub fn peek_mut_16(&mut self) -> &mut i32 {
if let Some(node) = &mut self.head {
&mut node.elem
} else {
unreachable!()
}
}
}
fn _test_assert_on_expiry() {
let mut list = List::new();
list.push(2);
list.push(1);
list.push(0);
{
let first = list.peek_mut_16();
// *first = 16; // This gives an error: [Prusti: verification error] obligation might not hold on borrow expiry
*first = 15;
}
}
#[pure]
#[requires(index < link_len(link))]
fn link_lookup<T>(link: &Link<T>, index: usize) -> &T {
match link {
Some(node) => {
if index == 0 {
&node.elem
} else {
link_lookup(&node.next, index - 1)
}
}
None => unreachable!(),
}
}
#[pure]
fn link_len<T>(link: &Link<T>) -> usize {
match link {
None => 0,
Some(node) => 1 + link_len(&node.next),
}
}
#[cfg(prusti)]
mod prusti_tests {
use super::*;
fn _test_list(){
let mut list = List::new(); // create an new, empty list
prusti_assert!(list.is_empty() && list.len() == 0); // list should be empty
list.push(5);
list.push(10);
prusti_assert!(!list.is_empty() && list.len() == 2); // length correct
prusti_assert!(*list.lookup(0) == 10); // head is 10
prusti_assert!(*list.lookup(1) == 5); // 5 got pushed back correctly
let x = list.pop();
prusti_assert!(x == 10); // pop returns the value that was added last
match list.try_pop() {
Some(y) => assert!(y == 5),
None => unreachable!()
}
let z = list.try_pop();
prusti_assert!(list.is_empty() && list.len() == 0); // length correct
prusti_assert!(z.is_none()); // `try_pop` on an empty list should return `None`
}
fn _test_peek() {
let mut list = List::new();
list.push(16);
prusti_assert!(list.peek() === list.lookup(0));
prusti_assert!(*list.peek() == 16);
list.push(5);
prusti_assert!(*list.peek() == 5);
list.pop();
prusti_assert!(*list.peek() == 16);
}
fn _test_peek_mut() {
let mut list = List::new();
list.push(8);
list.push(16);
// Open a new scope using an opening bracket `{`
// `first` will get dropped at the closing bracket `}`
{
let first = list.peek_mut();
// `first` is a mutable reference to the first element of the list
// for as long as `first` is exists, `list` cannot be accessed
prusti_assert!(*first == 16);
*first = 5; // Write 5 to the first slot of the list
prusti_assert!(*first == 5);
// `first` gets dropped here, `list` can be accessed again
}
prusti_assert!(list.len() == 2);
prusti_assert!(*list.lookup(0) == 5); // slot 0 is now `5`
prusti_assert!(*list.lookup(1) == 8); // slot 1 is unchanged
}
}The syntax here is #[assert_on_expiry(condition, pledge)].
This means that condition is checked at the caller side before (or "when") the reference expires, and pledge must hold after the reference expires.
Note that for any assertion A, after_expiry(A) is equivalent to assert_on_expiry(true, A).
Full Code
// Expand to see full code up to this chapter
// The next line is only required for doctests, you can ignore/remove it
extern crate prusti_contracts;
use prusti_contracts::*;
fn main() {}
pub struct List<T> {
head: Link<T>,
}
type Link<T> = Option<Box<Node<T>>>;
struct Node<T> {
elem: T,
next: Link<T>,
}
#[extern_spec(std::mem)]
#[ensures(snap(dest) === src)]
#[ensures(result === old(snap(dest)))]
fn replace<T>(dest: &mut T, src: T) -> T;
// Specs for std::option::Option<T>::unwrap(self) (and others) can be found here (work in progress):
// https://github.com/viperproject/prusti-dev/pull/1249/files#diff-bccda07f8a48357687e26408251041072c7470c188092fb58439de39974bdab5R47-R49
#[extern_spec]
impl<T> std::option::Option<T> {
#[requires(self.is_some())]
#[ensures(old(self) === Some(result))]
pub fn unwrap(self) -> T;
#[pure]
#[ensures(result == matches!(self, None))]
pub const fn is_none(&self) -> bool;
#[pure]
#[ensures(result == matches!(self, Some(_)))]
pub const fn is_some(&self) -> bool;
#[ensures(result === old(snap(self)))]
#[ensures(self.is_none())]
pub fn take(&mut self) -> Option<T>;
}
impl<T> List<T> {
#[pure]
pub fn len(&self) -> usize {
link_len(&self.head)
}
#[pure]
fn is_empty(&self) -> bool {
matches!(self.head, None)
}
#[ensures(result.len() == 0)]
pub fn new() -> Self {
List { head: None }
}
#[pure]
#[requires(index < self.len())]
pub fn lookup(&self, index: usize) -> &T {
link_lookup(&self.head, index)
}
#[ensures(self.len() == old(self.len()) + 1)]
#[ensures(snap(self.lookup(0)) === elem)]
#[ensures(forall(|i: usize| (i < old(self.len())) ==>
old(self.lookup(i)) === self.lookup(i + 1)))]
pub fn push(&mut self, elem: T) {
let new_node = Box::new(Node {
elem,
next: self.head.take(),
});
self.head = Some(new_node);
}
predicate! {
// two-state predicate to check if the head of a list was correctly removed
fn head_removed(&self, prev: &Self) -> bool {
self.len() == prev.len() - 1 // The length will decrease by 1
&& forall(|i: usize| // Every element will be shifted forwards by one
(1 <= i && i < prev.len())
==> prev.lookup(i) === self.lookup(i - 1))
}
}
#[ensures(old(self.is_empty()) ==>
result.is_none() &&
self.is_empty()
)]
#[ensures(!old(self.is_empty()) ==>
self.head_removed(&old(snap(self))) &&
result === Some(snap(old(snap(self)).lookup(0)))
)]
pub fn try_pop(&mut self) -> Option<T> {
match self.head.take() {
None => None,
Some(node) => {
self.head = node.next;
Some(node.elem)
}
}
}
#[requires(!self.is_empty())]
#[ensures(self.head_removed(&old(snap(self))))]
#[ensures(result === old(snap(self)).lookup(0))]
pub fn pop(&mut self) -> T {
self.try_pop().unwrap()
}
// // Not currently possible in Prusti
// pub fn try_peek(&self) -> Option<&T> {
// todo!()
// }
#[pure]
#[requires(!self.is_empty())]
pub fn peek(&self) -> &T {
self.lookup(0)
}
#[trusted] // required due to unsupported reference in enum
#[requires(!self.is_empty())]
#[ensures(snap(result) === old(snap(self.peek())))]
#[after_expiry(
old(self.len()) === self.len() // (1. condition)
&& forall(|i: usize| 1 <= i && i < self.len() // (2. condition)
==> old(snap(self.lookup(i))) === snap(self.lookup(i)))
&& snap(self.peek()) === before_expiry(snap(result)) // (3. condition)
)]
pub fn peek_mut(&mut self) -> &mut T {
// This does not work in Prusti at the moment:
// "&mut self.head" has type "&mut Option<T>"
// this gets auto-dereferenced by Rust into type: "Option<&mut T>"
// this then gets matched to "Some(node: &mut T)"
// References in enums are not yet supported, so this cannot be verified by Prusti
if let Some(node) = &mut self.head {
&mut node.elem
} else {
unreachable!()
}
// ...
}
}
#[pure]
#[requires(index < link_len(link))]
fn link_lookup<T>(link: &Link<T>, index: usize) -> &T {
match link {
Some(node) => {
if index == 0 {
&node.elem
} else {
link_lookup(&node.next, index - 1)
}
}
None => unreachable!(),
}
}
#[pure]
fn link_len<T>(link: &Link<T>) -> usize {
match link {
None => 0,
Some(node) => 1 + link_len(&node.next),
}
}
#[cfg(prusti)]
mod prusti_tests {
use super::*;
fn _test_list(){
let mut list = List::new(); // create an new, empty list
prusti_assert!(list.is_empty() && list.len() == 0); // list should be empty
list.push(5);
list.push(10);
prusti_assert!(!list.is_empty() && list.len() == 2); // length correct
prusti_assert!(*list.lookup(0) == 10); // head is 10
prusti_assert!(*list.lookup(1) == 5); // 5 got pushed back correctly
let x = list.pop();
prusti_assert!(x == 10); // pop returns the value that was added last
match list.try_pop() {
Some(y) => assert!(y == 5),
None => unreachable!()
}
let z = list.try_pop();
prusti_assert!(list.is_empty() && list.len() == 0); // length correct
prusti_assert!(z.is_none()); // `try_pop` on an empty list should return `None`
}
fn _test_peek() {
let mut list = List::new();
list.push(16);
prusti_assert!(list.peek() === list.lookup(0));
prusti_assert!(*list.peek() == 16);
list.push(5);
prusti_assert!(*list.peek() == 5);
list.pop();
prusti_assert!(*list.peek() == 16);
}
fn _test_peek_mut() {
let mut list = List::new();
list.push(8);
list.push(16);
// Open a new scope using an opening bracket `{`
// `first` will get dropped at the closing bracket `}`
{
let first = list.peek_mut();
// `first` is a mutable reference to the first element of the list
// for as long as `first` is exists, `list` cannot be accessed
prusti_assert!(*first == 16);
*first = 5; // Write 5 to the first slot of the list
prusti_assert!(*first == 5);
// `first` gets dropped here, `list` can be accessed again
}
prusti_assert!(list.len() == 2);
prusti_assert!(*list.lookup(0) == 5); // slot 0 is now `5`
prusti_assert!(*list.lookup(1) == 8); // slot 1 is unchanged
}
}