Initial go at contract support: attribute syntax for preconditions, and an intrinsic for checking it.

Known issues:

 * My original intent, as described in the MCP (rust-lang/compiler-team#759) was
   to have a rustc-prefixed attribute namespace (like
   rustc_contracts::requires). But I could not get things working when I tried
   to do rewriting via a rustc-prefixed builtin attribute-macro. So for now it
   is called `contracts::requires`.

 * The macro is currently expanding to a `core::intrinsics::contract_check`
   path. I suspect that the expansion will actually want to be conditional based
   on whether it is expanding within std or outside of std.

 * The macro itself is very naive; it assumes the first occurrence of `{ ... }`
   in the token-stream will be the function body (and injects the intrinsic call
   there). I suspect there are some contracts like `const { ... }` that might
   mess that up.

 * The emitted abort message when a contract fails is just "contract failure".
   Obviously the message should include more details, e.g. what function failed,
   which contract-expression failed and (maybe) what value caused the failure.

Author: pnkfelix

compiler/rustc_builtin_macros/src/contracts.rs

@@ -0,0 +1,80 @@
+use rustc_ast::token;
+use rustc_ast::tokenstream::{DelimSpan, DelimSpacing, Spacing, TokenStream, TokenTree};
+use rustc_errors::ErrorGuaranteed;
+use rustc_expand::base::{AttrProcMacro, ExtCtxt};
+use rustc_span::symbol::{sym, Symbol};
+use rustc_span::Span;
+
+pub struct ExpandRequires;
+
+impl AttrProcMacro for ExpandRequires {
+    fn expand<'cx>(
+        &self,
+        ecx: &'cx mut ExtCtxt<'_>,
+        span: Span,
+        annotation: TokenStream,
+        annotated: TokenStream,
+    ) -> Result<TokenStream, ErrorGuaranteed> {
+        expand_requires_tts(ecx, span, annotation, annotated)
+    }
+}
+
+fn expand_requires_tts(
+    _ecx: &mut ExtCtxt<'_>,
+    attr_span: Span,
+    annotation: TokenStream,
+    annotated: TokenStream,
+) -> Result<TokenStream, ErrorGuaranteed> {
+    let mut new_tts = Vec::with_capacity(annotated.len());
+    let mut cursor = annotated.into_trees();
+
+    // XXX this will break if you have a `{ ... }` syntactically prior to the fn body,
+    // e.g. if a `const { ... }` can occur in a where clause. We need to do something
+    // smarter for injecting this code into the right place.
+    while let Some(tt) = cursor.next_ref() {
+        if let TokenTree::Delimited(sp, spacing, delim @ token::Delimiter::Brace, inner_ts) = tt {
+            let revised_tt = TokenTree::Delimited(
+                *sp, *spacing, *delim,
+
+                // XXX a constructed ast doesn't actually *carry*
+                // tokens from which to  build a TokenStream.
+                // So instead, use the original annotation directly.
+                // TokenStream::from_ast(&ast_for_invoke)
+
+                std::iter::once(TokenTree::token_alone(token::Ident(sym::core, token::IdentIsRaw::No), attr_span))
+                    .chain(std::iter::once(TokenTree::token_alone(token::PathSep, attr_span)))
+                    .chain(std::iter::once(TokenTree::token_alone(token::Ident(sym::intrinsics, token::IdentIsRaw::No), attr_span)))
+                    .chain(std::iter::once(TokenTree::token_alone(token::PathSep, attr_span)))
+                    .chain(std::iter::once(TokenTree::token_alone(token::Ident(sym::contract_check, token::IdentIsRaw::No), attr_span)))
+                    .chain(std::iter::once(TokenTree::Delimited(
+                        DelimSpan::from_single(attr_span),
+                        DelimSpacing { open: Spacing::JointHidden, close: Spacing::JointHidden },
+                        token::Delimiter::Parenthesis,
+                        TokenStream::new(
+                            std::iter::once(TokenTree::token_alone(token::BinOp(token::BinOpToken::Or), attr_span))
+                                .chain(std::iter::once(TokenTree::token_alone(token::BinOp(token::BinOpToken::Or), attr_span)))
+                                .chain(std::iter::once(TokenTree::Delimited(DelimSpan::from_single(attr_span),
+                                                                            DelimSpacing { open: Spacing::JointHidden, close: Spacing::JointHidden },
+                                                                            token::Delimiter::Brace,
+                                                                            annotation)))
+                                .chain(std::iter::once(TokenTree::token_alone(token::Comma, attr_span)))
+                                .chain(std::iter::once(TokenTree::token_alone(token::Literal(token::Lit::new(token::LitKind::Str, Symbol::intern("contract failure"), None)), attr_span)))
+                                .collect()
+                        ))))
+                    .chain(TokenStream::token_alone(token::Semi, attr_span).trees().cloned())
+                    .chain(inner_ts.trees().cloned())
+                    .collect());
+            new_tts.push(revised_tt);
+            break;
+        } else {
+            new_tts.push(tt.clone());
+            continue;
+        }
+    };
+
+    // Above we injected the intrinsic call. Now just copy over all the other token trees.
+    while let Some(tt) = cursor.next_ref() {
+        new_tts.push(tt.clone());
+    }
+    Ok(TokenStream::new(new_tts))
+}

compiler/rustc_builtin_macros/src/lib.rs

@@ -35,6 +35,7 @@ mod compile_error;
 mod concat;
 mod concat_bytes;
 mod concat_idents;
+mod contracts;
 mod derive;
 mod deriving;
 mod edition_panic;
@@ -131,4 +132,5 @@ pub fn register_builtin_macros(resolver: &mut dyn ResolverExpand) {
 
     let client = proc_macro::bridge::client::Client::expand1(proc_macro::quote);
     register(sym::quote, SyntaxExtensionKind::Bang(Box::new(BangProcMacro { client })));
+    register(sym::contracts_requires, SyntaxExtensionKind::Attr(Box::new(contracts::ExpandRequires)));
 }

compiler/rustc_expand/src/base.rs

@@ -234,6 +234,7 @@ impl Annotatable {
 
 /// Result of an expansion that may need to be retried.
 /// Consider using this for non-`MultiItemModifier` expanders as well.
+#[derive(Debug)]
 pub enum ExpandResult<T, U> {
     /// Expansion produced a result (possibly dummy).
     Ready(T),

compiler/rustc_expand/src/expand.rs

@@ -699,7 +699,8 @@ impl<'a, 'b> MacroExpander<'a, 'b> {
                 }
                 _ => unreachable!(),
             },
-            InvocationKind::Attr { attr, pos, mut item, derives } => match ext {
+            InvocationKind::Attr { attr, pos, mut item, derives } => {
+                match ext {
                 SyntaxExtensionKind::Attr(expander) => {
                     self.gate_proc_macro_input(&item);
                     self.gate_proc_macro_attr_item(span, &item);
@@ -777,7 +778,7 @@ impl<'a, 'b> MacroExpander<'a, 'b> {
                     fragment_kind.expect_from_annotatables(iter::once(item))
                 }
                 _ => unreachable!(),
-            },
+            }},
             InvocationKind::Derive { path, item, is_const } => match ext {
                 SyntaxExtensionKind::Derive(expander)
                 | SyntaxExtensionKind::LegacyDerive(expander) => {

compiler/rustc_hir_analysis/src/check/intrinsic.rs

@@ -103,6 +103,7 @@ pub fn intrinsic_operation_unsafety(tcx: TyCtxt<'_>, intrinsic_id: LocalDefId) -
         | sym::saturating_sub
         | sym::rotate_left
         | sym::rotate_right
+        | sym::contract_check
         | sym::ctpop
         | sym::ctlz
         | sym::cttz
@@ -653,6 +654,8 @@ pub fn check_intrinsic_type(
             sym::simd_shuffle => (3, 0, vec![param(0), param(0), param(1)], param(2)),
             sym::simd_shuffle_generic => (2, 1, vec![param(0), param(0)], param(1)),
 
+            sym::contract_check => (1, 0, vec![param(0), Ty::new_static_str(tcx)], tcx.types.unit),
+
             other => {
                 tcx.dcx().emit_err(UnrecognizedIntrinsicFunction { span, name: other });
                 return;

compiler/rustc_mir_transform/src/lower_intrinsics.rs

@@ -333,6 +333,12 @@ impl<'tcx> MirPass<'tcx> for LowerIntrinsics {
                         });
                         terminator.kind = TerminatorKind::Goto { target };
                     }
+                    sym::contract_check => {
+                        if tcx.sess.opts.unstable_opts.contract_checking.no_checks() {
+                            let target = target.unwrap();
+                            terminator.kind = TerminatorKind::Goto { target };
+                        }
+                    }
                     _ => {}
                 }
             }

compiler/rustc_parse/src/validate_attr.rs

@@ -76,7 +76,7 @@ pub fn check_attr(features: &Features, psess: &ParseSess, attr: &Attribute) {
     // Check input tokens for built-in and key-value attributes.
     match attr_info {
         // `rustc_dummy` doesn't have any restrictions specific to built-in attributes.
-        Some(BuiltinAttribute { name, template, .. }) if *name != sym::rustc_dummy => {
+        Some(BuiltinAttribute { name, template, .. }) if input_restricted_by_parser(*name) => {
             match parse_meta(psess, attr) {
                 Ok(meta) => check_builtin_meta_item(psess, &meta, attr.style, *name, *template),
                 Err(err) => {
@@ -97,6 +97,11 @@ pub fn check_attr(features: &Features, psess: &ParseSess, attr: &Attribute) {
     }
 }
 
+fn input_restricted_by_parser(name: Symbol) -> bool {
+    name != sym::rustc_dummy &&
+        name != sym::rustc_contracts_requires
+}
+
 pub fn parse_meta<'a>(psess: &'a ParseSess, attr: &Attribute) -> PResult<'a, MetaItem> {
     let item = attr.get_normal_item();
     Ok(MetaItem {

compiler/rustc_session/src/config.rs

@@ -145,6 +145,28 @@ pub enum InstrumentCoverage {
     Yes,
 }
 
+/// Individual flag values controlled by `-Z contract-checking`.
+#[derive(Clone, Copy, Debug, PartialEq, Eq, Hash)]
+pub enum ContractCheckingOptions {
+    Dynamic,
+    None,
+}
+
+impl Default for ContractCheckingOptions {
+    fn default() -> Self {
+        ContractCheckingOptions::None
+    }
+}
+
+impl ContractCheckingOptions {
+    pub fn no_checks(&self) -> bool {
+        match self {
+            ContractCheckingOptions::None => true,
+            ContractCheckingOptions::Dynamic => false,
+        }
+    }
+}
+
 /// Individual flag values controlled by `-Z coverage-options`.
 #[derive(Clone, Copy, Debug, PartialEq, Eq, Hash, Default)]
 pub struct CoverageOptions {
@@ -2959,8 +2981,8 @@ pub enum WasiExecModel {
 /// how the hash should be calculated when adding a new command-line argument.
 pub(crate) mod dep_tracking {
     use super::{
-        BranchProtection, CFGuard, CFProtection, CollapseMacroDebuginfo, CoverageOptions,
-        CrateType, DebugInfo, DebugInfoCompression, ErrorOutputType, FunctionReturn,
+        BranchProtection, CFGuard, CFProtection, CollapseMacroDebuginfo, ContractCheckingOptions, 
+        CoverageOptions, CrateType, DebugInfo, DebugInfoCompression, ErrorOutputType, FunctionReturn,
         InliningThreshold, InstrumentCoverage, InstrumentXRay, LinkerPluginLto, LocationDetail,
         LtoCli, NextSolverConfig, OomStrategy, OptLevel, OutFileName, OutputType, OutputTypes,
         Polonius, RemapPathScopeComponents, ResolveDocLinks, SourceFileHashAlgorithm,
@@ -3035,6 +3057,7 @@ pub(crate) mod dep_tracking {
         CodeModel,
         TlsModel,
         InstrumentCoverage,
+        ContractCheckingOptions,
         CoverageOptions,
         InstrumentXRay,
         CrateType,

compiler/rustc_session/src/options.rs

@@ -395,6 +395,7 @@ mod desc {
     pub const parse_optimization_fuel: &str = "crate=integer";
     pub const parse_dump_mono_stats: &str = "`markdown` (default) or `json`";
     pub const parse_instrument_coverage: &str = parse_bool;
+    pub const parse_contract_checking_options: &str = "`none` (default) or `dynamic`";
     pub const parse_coverage_options: &str =
         "`block` | `branch` | `condition` | `mcdc` | `no-mir-spans`";
     pub const parse_instrument_xray: &str = "either a boolean (`yes`, `no`, `on`, `off`, etc), or a comma separated list of settings: `always` or `never` (mutually exclusive), `ignore-loops`, `instruction-threshold=N`, `skip-entry`, `skip-exit`";
@@ -967,6 +968,23 @@ mod parse {
         true
     }
 
+    pub(crate) fn parse_contract_checking_options(slot: &mut ContractCheckingOptions, v: Option<&str>) -> bool {
+        let Some(v) =  v else { return true; };
+
+        match v {
+            "none" => {
+                *slot = ContractCheckingOptions::None;
+            }
+            "dynamic" => {
+                *slot = ContractCheckingOptions::Dynamic;
+            }
+            _ => {
+                return false;
+            }
+        }
+        true
+    }
+
     pub(crate) fn parse_coverage_options(slot: &mut CoverageOptions, v: Option<&str>) -> bool {
         let Some(v) = v else { return true };
 
@@ -1625,6 +1643,8 @@ options! {
         "the backend to use"),
     combine_cgu: bool = (false, parse_bool, [TRACKED],
         "combine CGUs into a single one"),
+    contract_checking: ContractCheckingOptions = (ContractCheckingOptions::default(), parse_contract_checking_options, [TRACKED],
+        "select how rustc_contracts are handled: static, dynamic, or no checking (default: none)"),
     coverage_options: CoverageOptions = (CoverageOptions::default(), parse_coverage_options, [TRACKED],
         "control details of coverage instrumentation"),
     crate_attr: Vec<String> = (Vec::new(), parse_string_push, [TRACKED],

compiler/rustc_span/src/symbol.rs

@@ -620,6 +620,8 @@ symbols! {
         const_try,
         constant,
         constructor,
+        contract_check,
+        contracts_requires,
         convert_identity,
         copy,
         copy_closures,
@@ -1583,6 +1585,8 @@ symbols! {
         rustc_const_panic_str,
         rustc_const_stable,
         rustc_const_unstable,
+        rustc_contracts,
+        rustc_contracts_requires,
         rustc_conversion_suggestion,
         rustc_deallocator,
         rustc_def_path,

library/core/src/intrinsics.rs

@@ -2834,6 +2834,14 @@ pub const fn ptr_metadata<P: ptr::Pointee<Metadata = M> + ?Sized, M>(_ptr: *cons
     unreachable!()
 }
 
+#[cfg(not(bootstrap))]
+#[rustc_nounwind]
+#[unstable(feature = "rustc_contracts", issue = "none" /* compiler-team#759 */)]
+#[rustc_intrinsic]
+pub fn contract_check<C: FnOnce() -> bool>(c: C, on_fail_msg: &'static str) {
+    assert!(c(), "{}", on_fail_msg);
+}
+
 // Some functions are defined here because they accidentally got made
 // available in this module on stable. See <https://github.com/rust-lang/rust/issues/15702>.
 // (`transmute` also falls into this category, but it cannot be wrapped due to the

library/core/src/lib.rs

@@ -295,6 +295,14 @@ pub mod assert_matches {
     pub use crate::macros::{assert_matches, debug_assert_matches};
 }
 
+#[cfg(not(bootstrap))]
+/// XXX
+#[unstable(feature = "rustc_contracts", issue = "none")]
+pub mod contracts {
+    #[unstable(feature = "rustc_contracts", issue = "none")]
+    pub use crate::macros::builtin::contracts_requires as requires;
+}
+
 #[unstable(feature = "cfg_match", issue = "115585")]
 pub use crate::macros::cfg_match;
 

library/core/src/macros/mod.rs

@@ -1677,6 +1677,20 @@ pub(crate) mod builtin {
         /* compiler built-in */
     }
 
+    #[cfg(not(bootstrap))]
+    /// Attribute macro applied to a function to give it a precondition.
+    ///
+    /// This one is not prefixed with rustc_ because pnkfelix is trying to
+    /// debug whether that name is ignored specially which can make things
+    /// hard to track down when adding a new feature like this.
+    #[unstable(feature = "rustc_contracts", issue = "none")]
+    // #[allow_internal_unstable(rustc_attrs)]
+    #[allow_internal_unstable(core_intrinsics)]
+    #[rustc_builtin_macro]
+    pub macro contracts_requires($item:item) {
+        /* compiler built-in */
+    }
+
     /// Attribute macro applied to a function to register it as a handler for allocation failure.
     ///
     /// See also [`std::alloc::handle_alloc_error`](../../../std/alloc/fn.handle_alloc_error.html).

library/core/src/prelude/common.rs

@@ -79,6 +79,15 @@ pub use crate::macros::builtin::{
 #[unstable(feature = "derive_const", issue = "none")]
 pub use crate::macros::builtin::derive_const;
 
+/*
+#[cfg(not(bootstrap))]
+#[unstable(feature = "rustc_contracts", issue = "none")]
+pub use crate::macros::builtin::{rustc_contracts_requires, rustc_contracts_ensures};
+*/
+#[cfg(not(bootstrap))]
+#[unstable(feature = "rustc_contracts", issue = "none")]
+pub use crate::contracts;
+
 #[unstable(
     feature = "cfg_accessible",
     issue = "64797",

library/std/src/prelude/common.rs

@@ -45,6 +45,10 @@ pub use core::prelude::v1::{
     stringify, trace_macros, Clone, Copy, Debug, Default, Eq, Hash, Ord, PartialEq, PartialOrd,
 };
 
+#[cfg(not(bootstrap))]
+#[unstable(feature = "rustc_contracts", issue = "none")]
+pub use core::prelude::v1::contracts;
+
 #[unstable(
     feature = "concat_bytes",
     issue = "87555",

tests/ui/contracts.rs

@@ -0,0 +1,23 @@
+//@ revisions: no_fails catch_fail no_checking
+//@ [no_fails]    run-pass
+//@ [catch_fail]  run-fail
+//@ [no_checking] run-pass
+
+//@[no_fails]    compile-flags: -Zcontract-checking=dynamic
+//@[catch_fail]  compile-flags: -Zcontract-checking=dynamic
+//@[no_checking] compile-flags: -Zcontract-checking=none
+
+#![allow(internal_features)]
+#![feature(rustc_attrs, rustc_contracts, core_intrinsics)]
+
+#[contracts::requires(x > 0)]
+fn foo(x: i32) {
+    let _ = x + 2;
+}
+
+fn main() {
+    foo(10);
+
+    #[cfg(not(no_fails))]
+    foo(-10);
+}