anodized 0.4.0

An ecosystem for correct Rust based on lightweight specification annotations
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52

use anodized::spec;

// This test verifies that capture aliases are not accessible in the function body
// or in requires/maintains conditions

#[spec(
    captures: [
        x as old_x,
        y as old_y,
    ],
    ensures: [
        // OK: aliases are available in ensures.
        old_x == 5,
        // OK: aliases are available in ensures.
        old_y == 10,
    ],
)]
fn captures_not_in_body(x: i32, y: i32) -> i32 {
    // Should be an error: `old_x` must not be in scope.
    let a = old_x;
    // Should be an error: `old_y` must not be in scope.
    let b = old_y;
    x + y
}

#[spec(
    requires: [
        // Should be an error: `old_x` must not be in scope.
        old_x > 0,
    ],
    captures: [
        x as old_x,
    ],
)]
fn captures_not_in_requires(x: i32) {
    // Function body
}

#[spec(
    maintains: [
        // Should be an error: `old_x` must not be in scope.
        old_x > 0,
    ],
    captures: [
        x as old_x,
    ],
)]
fn captures_not_in_maintains(x: i32) {
    // Function body
}

fn main() {}