Tracking Issue for Contracts #128044
Description
This is a tracking issue for the MCP "Contracts" (rust-lang/compiler-team#759).
The feature gate for the issue is #![feature(contracts)].
Current (2025-03-20) design doc: https://hackmd.io/@celinaval/B1UEl3tUyl
About tracking issues
Tracking issues are used to record the overall progress of implementation.
They are also used as hubs connecting to other relevant issues, e.g., bugs or open design questions.
A tracking issue is however not meant for large scale discussion, questions, or bug reports about a feature.
Instead, open a dedicated issue for the specific matter and add the relevant feature gate label.
Discussion comments will get marked as off-topic or deleted.
Repeated discussions on the tracking issue may lead to the tracking issue getting locked.
Steps
- Approve as lang experiment.Implement the MCP (cc @rust-lang/compiler). Initial implementation: #[contracts::requires(...)] + #[contracts::ensures(...)] #128045Add interface for external tools to retrieve the contract specification.Add type invariant.Improve error message (include
#[track_caller])Adjust documentation (see instructions on rustc-dev-guide)Adjust documentation (see instructions on rustc-dev-guide)Formatting for new syntax has been added to the Style Guide (nightly-style-procedure)Stabilization PR (see instructions on rustc-dev-guide)
Unresolved Questions
- Tooling support: How much functionality should be integrated into Rust project provided tooling itself? E.g. should something like miri be exploring fuzzing of data that is fed into functional preconditions as a way to explore state space?
- Syntax bikesheds galore: Define the exact syntax for contract attributes. Should we separate correctness vs safety conditions?
- Static vs dynamic semantics: The idealized contract system would allow contracts to inform both static verification and dynamic validation tools. What's the best way to handle conditions that cannot be checked with both semantics.
- Safety post-obligations: The safety criteria for some unsafe methods is stated as a constraint on how the caller uses the return value from a method. This cannot be expressed as a mere safety::requires form as envisioned above. Should we add something like:
#[safety::at_lifetime_end(|output| str::from_utf8(output).is_ok())], which could only be checked in the future, right before the &mut u8 borrow expires? See original MCP for more details - Correctness invariants: As mentioned above, there is probably utility in being able to attach invariants to a type that are used for proving functional correctness. But it is not as clear where to establish the points where correctness invariants must be checked. It may make more sense here to use something like refinement types, where explicit method calls (potentially in ghost code) would (re)establish such invariants.
- Purity: Do contracts need to be pure (i.e. have no non-local side-effects)?
- Panic: How should a panicking expression within a contract be treated? Should users be able to specify conditions that will lead to panic? Should any post-condition be checked during unwind?
Implementation history
Compiler support
Standard library usage
Metadata
Metadata
Assignees
Labels
Blocker: In-tree experiment; RFC pending, not yet approved or unneeded (requires FCP to stabilize).Category: An issue tracking the progress of sth. like the implementation of an RFC`#![feature(contracts)]`Relevant to the compiler team, which will review and decide on the PR/issue.Relevant to the language team
Type
Projects
Status
Milestone
Relationships
Development
No branches or pull requests
Participants
Activity
traviscross commentedon Jan 16, 2025
@rustbot labels +T-lang
traviscross commentedon Jan 29, 2025
We've approved this as as lang experiment:
@nikomatsakis is serving as the liaison.
Rollup merge of rust-lang#128045 - pnkfelix:rustc-contracts, r=oli-obk
Rollup merge of rust-lang#128045 - pnkfelix:rustc-contracts, r=oli-obk
Unrolled build for rust-lang#128045
Rollup merge of #128045 - pnkfelix:rustc-contracts, r=oli-obk
Rollup merge of #128045 - pnkfelix:rustc-contracts, r=oli-obk
4 remaining items
Rollup merge of rust-lang#128045 - pnkfelix:rustc-contracts, r=oli-obk
RalfJung commentedon Mar 19, 2025
@celinval what's the status of the design document that you started here? Now that there is an implementation in rustc, it'd be good to have e.g. a page on the dev guide explaining the overall design, and in particular explaining the lowering of the attributes, as that can be quite hard to follow otherwise.
celinval commentedon Mar 19, 2025
I just finished updating the design document, and I included the changes to support adding contract to constant functions.I believe there's a request to hold a design review with the compiler team, but I don't know when it will be.
I can create a PR to the dev-guide. Should I wait for the design review meeting?
RalfJung commentedon Mar 20, 2025
Maybe it makes sense to wait until after the meeting then.
contract_checks#144438Connor-GH commentedon Aug 17, 2025
There is prior art in static verification with the likes of SPARK or flux-rs. Both of them deny compilation if it cannot verify a condition. For example, a
NonZeroU8being constructed from a runtimenumvalue will not compile, unless you can coerce it with some runtime asserts that otherwise convince it. Both SPARK and flux have a "trusted mode" where you can opt out of checks, similar tounsafe. It's possible, even, that we could use the same sort ofunsafewrapper around a contract attribute, likeunsafe(trusted_assume(num != 0))or similar.This would probably be a feature best kept behind a feature gate due to the compilation cost you would have to pay for an SMT solver. An SMT solver would probably be outside of Rust's scope so consider that the alternative is using yet another third-party library that we have no control over (liquid-fixpoint). Additionally, the audience for this feature is almost exclusively the academic or safety-critical crowd, and the latter is unlikely to get along with this feature in Rust since they like ground-up proofs (think seL4). The former, however, is where Rust gets quite a few of its ideas from, so I see as a fit, albeit with a lot of work to do. Projects like Redox OS and the Linux kernel could make use of this and provide logical guarantees, not just memory safety guarantees.
#[spec]to Support Traits and Trait Implementations mkovaxx/anodized#41backend-native-contractsmkovaxx/anodized#48