-
Notifications
You must be signed in to change notification settings - Fork 69
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Contracts: Experimental attributes and language intrinsics #759
Comments
This issue is not meant to be used for technical discussion. There is a Zulip stream for that. Use this issue to leave procedural comments, such as volunteering to review, indicating that you second the proposal (or third, etc), or raising a concern that you would like to be addressed. Concerns or objections to the proposal should be discussed on Zulip and formally registered here by adding a comment with the following syntax:
Concerns can be lifted with:
See documentation at https://forge.rust-lang.org cc @rust-lang/compiler @rust-lang/compiler-contributors |
@rustbot second |
A colleague reminded me of these past meetings with relevant content: rust-lang/lang-team#181 , which links to a hackmd. I think that hackmd's content was snapshotted at that time and transcribed to lang team design meeting minutes |
@rustbot label -final-comment-period +major-change-accepted |
…nd an intrinsic for checking it. Known issues: * My original intent, as described in the MCP (rust-lang/compiler-team#759) was to have a rustc-prefixed attribute namespace (like rustc_contracts::requires). But I could not get things working when I tried to do rewriting via a rustc-prefixed builtin attribute-macro. So for now it is called `contracts::requires`. * The macro is currently expanding to a `core::intrinsics::contract_check` path. I suspect that the expansion will actually want to be conditional based on whether it is expanding within std or outside of std. * The macro itself is very naive; it assumes the first occurrence of `{ ... }` in the token-stream will be the function body (and injects the intrinsic call there). I suspect there are some contracts like `const { ... }` that might mess that up. * The emitted abort message when a contract fails is just "contract failure". Obviously the message should include more details, e.g. what function failed, which contract-expression failed and (maybe) what value caused the failure.
I was talking to @m-ou-se, and she gave two great suggestions that we should consider:
|
@celinval if you're looking into furthering or contributing to this proposal, I suggest heading to its Zulip discussion stream. |
My bad! Sorry for the noise. I totally forgot about the Zulip thread. I'll use that instead! |
Proposal
Contracts: Experimental attributes and language intrinsics
Executive summary: I want to land experimental unstable attributes for behaviorial specification, and intrinsics for enabling better tools to validate and verify those specifications.
Objective
I want to enable Rust, as a language, to be to state behaviorial specifications in formal code-like language.
Example (adapted from real code within libcore):
(Note: the above example may not be the ideal contract to use for
IndexRange
; it might be the case that we would want stronger safety or correctness post-conditions. It is just meant to illustrate the basic idea.)With such contract forms in place:
I am calling these formal specifcations "contracts". I envision contracts as a Rust-like predicate language for expressing method pre-conditions, method post-conditions, and type invariants.
I want the contract language to be sufficently precise such that:
Status Quo
Here's how I see the status quo today, for the Rust project itself and for the majority of Rust developers:
then, at best, each such condition/invariant is specified via documentation and/or comments, and (potentially) dynamically-checked via assert or debug_assert.
But we can do better than that status quo.
I want the Rust standard library eventually to specify its APIs formally, and I want verification and validation tools to be able to extract those formal specifications.
What I want to add
Making pre-conditions, post-conditions, and invariants formally stated as logical predicates (that are encoded distinctly from documentation and assertions) will enable other tools to extract such logical predicates in order to generate tests and attempt static verification.
Here's what I want to add as unstable experimental language extensions:
For example, I want to be able to toggle a switch in miri that will make it attempt to test claims made by contracts.
My example above has leveraged an attribute-based surface syntax. It is possible that we will find that other non-attribute construct are more appropriate for some situations. (For example, I have seen suggestions that type invariants would be better off framed as an instance of a trait that a type implements.)
Distinct forms
I am not yet certain how many kinds of contract special forms we might need.
At the very least, I anticipate it being useful to distinguish between safety-related contracts (which one would attach to instances of
unsafe fn
) vs correctness-related contracts (which one might attach to any kind of method).For unsafe methods, one can write safety preconditions, illustrated above with
#[rustc_contracts::requires(for safety: ...)]
.Such preconditions should capture the same conditions that the project documents today via comments like
// SAFETY
.The intention of
#[rustc_contracts::requires(for safety: ...)]
is to state all preconditions for theunsafe fn
that, if violated, may yield Undefined Behavior that may result either during its own execution or after it returns(either in the current code base, or in future versions of it).Both safe and unsafe methods can also have correctness criteria, distinct from safety criteria. These are stronger guarantees that may have stricter preconditions.
Contracts may also express post-conditions (i.e. assurances provided by the method specification), annotated with
#[rustc_contracts::ensures(...)]
.Like preconditions, post-conditions can be categorized according to whether they are focused on safety criteria, or full correctness.
Safety postconditions are predicates on the return value and overall system state that hold as the method exits, assuming the safety preconditions (and overall language and library runtime invariants) have not been violated; these do not assume any correctness preconditions.
Correctness postconditions are similar predicates, but they can assume all correctness preconditions.
Finally, invariants are predicates that can be attached to types. In particular, safety predicates are expected to established when control flows from an unsafe to safe context, and can only be assumed in safe contexts. Unsafe methods on a type must explicitly state which parts of the types' safety predicate can be assumed as part of its safety pre-conditions.
(We leave the generalization of this, "correctness invariants", as an unresolved question.)
This distinction allows specifications and verification tools to focus, when needed, on safety criteria separately from correctness criteria. (It also provides more freedom in what semantics tooling might assign to contracts: in particular, I can easily imagine custom tooling that would abort a program upon encountering a safety violation, but merely log a correctness violation and allow computation to proceed. In a similar vein, I can also imagine custom tooling that would delay evaluating a correctness precondition until it saw evidence of a correctness post-condition failing.)
Note: I do not consider the design described here sufficient for meeting all of our specification needs.
For example, there are numerous unsafe methods that impose obligations on the caller on how the return value from the method is used, or other "frame conditions", that cannot be locally checked solely during the execution of the unsafe method.
We leave finding a satisfactory resolution to this as an open question (see "safety post-obligations" in the "Unresolved questions" below).
My overall intention with these annotations is is two-fold:
A richer example
Consider binary search. Rust's binary search routine is safe, regardless of what (well-typed) input it is provided.
But the overall correctness of binary search requires that the input sequence is itself sorted.
(Again, I am not claiming these to be ideal contracts for verification purposes; they merely illustrate the ideas behind the interface.)
As shown here, I expect the contract predicate language to have some way to express logical quantifiers like "for all values i of type T". (I also expect there to be variations on this theme, such as "for all values of a given type in range start..limit", "there exists some value x of type T that satisfies predicate P", and so on.)
However, I also want to ensure that contracts are able to used even outside of static verification tooling. So, I expect contract-specific forms like
for_all
to be realized as macros or intrinisics that will offer ways to provide "hints" to testing machinery; that is the purpose of thesuch_as: ...
in the above example use offor_all!
: thesuch_as: ...
is intended to be ignored by formal verification tooling, but used by other tooling as the basis for generating test inputs to seed the dynamic checking.Unresolved questions
Here are some examples of questions that we leave open for now, to be resolved during on going experimentation with the constructs. There are many many more that are not listed here.
Syntax bikesheds galore: I am not thrilled by the prospect of writing
#[rustc_contracts::requires(for safety: ...)]
all over the place.For example, an earlier draft of this MCP had used
#[safety::requires(...)]
, which I find far more palatable, but may pose serious hazards for compatibility with existing code bases.I am leaving identification of "a good syntax" as an open problem.
Static vs dynamic semantics: My idealized contract system would allow contracts to inform both static verification and dynamic validation tools. Some contracts like
forall!
do not have an "obviously right" dynamic interpretation.Safety post-obligations: The safety criteria for some unsafe methods is stated as a constraint on how the caller uses the return value from a method.
For example:
str::as_bytes_mut
says "The caller must ensure that the content of the slice is valid UTF-8 before the borrow ends and the underlyingstr
is used."This cannot be expressed as a mere
safety::requires
form as envisioned above.(My best guess is that such contracts require a richer structure, such as an entiretly hypothetical
#[safety::at_lifetime_end(|output| str::from_utf8(output).is_ok())]
, which could only be checked in the future, right before the&mut u8
borrow expires and the reference is again capable of being treated as a&mut str
.)Correctness invariants: As mentioned above, there is probably utility in being able to attach invariants to a type that are used for proving functional correctness. But it is not as clear where to establish the points where correctness invariants must be checked. It may make more sense here to use something like refinement types, where explicit method calls (potentially in ghost code) would (re)establish such invariants.
Purity: Do contracts need to be pure (i.e. have no non-local side-effects)? Some verification tools will require this.
Panic: How should a panicking expression within a contract be treated? Some of the above code was written with slice's
get
method rather than the index operator, in order to sidestep this question. But rather than disallowing panic entirely (i.e. treating it as a improperly written contract), it might be more natural to interpret a panic within a contract expression as a contract failure.Related work
There are several projects that seek to bring state-of-the-art verification and automated reasoning technolgies to Rust. See for example Aeneas, Creusot, Kani, Prusti, and Verus.
There are also validation tools like Proptest and Quickcheck that allow developers to write invidual tests that cover large families of behavior.
This proposal is largely a result of my discussions with some of the developers of the static verification tooling (as well as my own investigations of such tooling).
You can see a presentation I did on this subject at: http://pnkfx.org/presentations/contracts2-rw2024.pdf, and the project proposal I put forth earlier this year at : https://rust-lang.github.io/rust-project-goals/2024h2/Contracts-and-invariants.html
At this point I want to stop attempting to acquire outside interest in the task, and instead start writing unstable code in Nightly Rust. Thus this MCP. :)
Mentors or Reviewers
If you have a reviewer or mentor in mind for this work, mention them
here. You can put your own name here if you are planning to mentor the
work.
I expect interest from various verification tooling people for this work, including @celinval and @Nadrieril
Process
The main points of the Major Change Process are as follows:
@rustbot second
.-C flag
, then full team check-off is required.@rfcbot fcp merge
on either the MCP or the PR.You can read more about Major Change Proposals on forge.
Comments
This issue is not meant to be used for technical discussion. There is a Zulip stream for that. Use this issue to leave procedural comments, such as volunteering to review, indicating that you second the proposal (or third, etc), or raising a concern that you would like to be addressed.
The text was updated successfully, but these errors were encountered: