@@ -9,9 +9,9 @@ use crate::collections::queue;
99
1010
1111#[ flux_rs:: refined_by( ring_len: int, head: int, tail: int) ]
12- #[ flux_rs:: invariant( ring_len > 0 ) ]
12+ #[ flux_rs:: invariant( ring_len > 1 ) ]
1313pub struct RingBuffer < ' a , T : ' a > {
14- #[ field( { & mut [ T ] [ ring_len] | ring_len > 0 } ) ]
14+ #[ field( { & mut [ T ] [ ring_len] | ring_len > 1 } ) ]
1515 ring : & ' a mut [ T ] ,
1616 #[ field( { usize [ head] | head < ring_len} ) ]
1717 head : usize ,
@@ -29,7 +29,7 @@ flux_rs::defs! {
2929
3030
3131impl < ' a , T : Copy > RingBuffer < ' a , T > {
32- #[ flux_rs:: sig( fn ( { & mut [ T ] [ @ring_len] | ring_len > 0 } ) -> RingBuffer <T >[ ring_len, 0 , 0 ] ) ]
32+ #[ flux_rs:: sig( fn ( { & mut [ T ] [ @ring_len] | ring_len > 1 } ) -> RingBuffer <T >[ ring_len, 0 , 0 ] ) ]
3333 pub fn new ( ring : & ' a mut [ T ] ) -> RingBuffer < ' a , T > {
3434 RingBuffer {
3535 head : 0 ,
@@ -108,26 +108,18 @@ impl<T: Copy> queue::Queue<T> for RingBuffer<'_, T> {
108108 // that hasn't been read
109109 rg. head != rg. tail
110110 &&
111- (
112- // either we're full and don't update
113- // hd == rb_next(tl, ring_len) -> rg.tail == tl && rg.head == hd
114- ( hd != rb_next( tl, ring_len) || rg. tail == tl && rg. head == hd)
115- ||
116- // or we updated which means the new value of tail is (tl + 1) % r
117- // hd != rb_next(tl, ring_len) -> rg.tail = rb_next(tl, ring_len)
118- ( hd == rb_next( tl, ring_len) || rg. tail == rb_next( tl, ring_len) )
119- )
111+ // either we're full and don't update
112+ // hd == rb_next(tl, ring_len) -> rg.tail == tl && rg.head == hd
113+ ( hd == rb_next( tl, ring_len) => rg. tail == tl && rg. head == hd)
114+ &&
115+ // or we updated which means the new value of tail is (tl + 1) % r
116+ // hd != rb_next(tl, ring_len) -> rg.tail = rb_next(tl, ring_len)
117+ ( hd != rb_next( tl, ring_len) => rg. tail == rb_next( tl, ring_len) )
120118 }
121119 ) ]
122120 fn enqueue ( & mut self , val : T ) -> bool {
123121 if self . is_full ( ) {
124122 // Incrementing tail will overwrite head
125- //
126- // at this point we know that
127- // self.head == ((self.tail + 1) % self.ring_len())
128- // so of course tail != head but for some reason
129- // this is not provable
130- flux_support:: assume ( self . tail != self . head ) ;
131123 false
132124 } else {
133125 self . ring [ self . tail ] = val;
@@ -148,15 +140,11 @@ impl<T: Copy> queue::Queue<T> for RingBuffer<'_, T> {
148140 &&
149141 // or we have space so we just enqueue
150142 ( !full( old) => ( rg. tail == next_tl( old) && rg. head == old. head) )
151-
152143 }
153144 ) ]
154145 fn push ( & mut self , val : T ) -> Option < T > {
155146 let result = if self . is_full ( ) {
156147 let val = self . ring [ self . head ] ;
157- // at this point we should be
158- // able to deduce that head != tail
159- flux_support:: assume ( self . tail != self . head ) ;
160148 self . head = ( self . head + 1 ) % self . ring_len ( ) ;
161149 Some ( val)
162150 } else {
@@ -172,11 +160,9 @@ impl<T: Copy> queue::Queue<T> for RingBuffer<'_, T> {
172160 fn ( self : & strg RingBuffer <T >[ @ring_len, @hd, @tl] ) -> Option <T >
173161 ensures self : RingBuffer <T >{
174162 rg:
175- // hd == tl -> (rg.head == hd && rg.tail == tl && rg.head == rg.tail)
176- ( hd != tl || ( rg. head == hd && rg. tail == tl && rg. head == rg. tail) )
177- ||
178- // hd != tl -> (rg.head == rb_next(tl, ring_len))
179- ( hd == tl || rg. head == rb_next( hd, ring_len) )
163+ ( hd == tl => ( rg. head == hd && rg. tail == tl && rg. head == rg. tail) )
164+ &&
165+ ( hd != tl => rg. head == rb_next( hd, ring_len) )
180166 }
181167 ) ]
182168 fn dequeue ( & mut self ) -> Option < T > {
@@ -240,7 +226,6 @@ impl<T: Copy> queue::Queue<T> for RingBuffer<'_, T> {
240226 fn ( self : & strg RingBuffer <T >[ @ring_len, @hd, @tl] , _)
241227 ensures self : RingBuffer <T >{ rg: rg. tail < rg. ring_len}
242228 ) ]
243- // NOTE: May want to strengthen this to talk about correctness
244229 fn retain < F > ( & mut self , mut f : F )
245230 where
246231 F : FnMut ( & T ) -> bool ,
0 commit comments