|
| 1 | +# Instrument the Rust standard library with safety contracts |
| 2 | + |
| 3 | +| Metadata | | |
| 4 | +| -------- |---------------------------| |
| 5 | +| Owner(s) | @celinval and @tautschnig | |
| 6 | +| Teams | [libs][compiler] | |
| 7 | +| Status | Proposed | |
| 8 | + |
| 9 | +## Summary |
| 10 | + |
| 11 | +Finish the implementation of the contract attributes proposed in the compiler [MCP-759], |
| 12 | +and port safety contracts from the [verify-rust-std] fork to the Rust standard library. |
| 13 | + |
| 14 | +## Motivation |
| 15 | + |
| 16 | +Safety contracts serve as formal specifications that define the preconditions, postconditions, and invariants, |
| 17 | +that must be maintained for functions and data structures to operate correctly and safely. |
| 18 | +Currently, the Rust standard library already contains safety pre- and postconditions specified in the unsafe functions' |
| 19 | +documentation. |
| 20 | + |
| 21 | +Contract attributes will enable developers to define safety requirements and behavioral specifications through programmatic contracts, |
| 22 | +which can be automatically converted into runtime checks when needed. |
| 23 | +These contracts can also express conditions that are verifiable through static analysis tools, |
| 24 | +and also provide foundation for formal verification of the standard library implementation, and other Rust code. |
| 25 | + |
| 26 | +### The status quo |
| 27 | + |
| 28 | +Safety conditions are already well documented, and the Rust standard library is also instrumented using |
| 29 | +`check_library_ub` and `check_language_ub` in many different places for conditions that are checkable at runtime. |
| 30 | + |
| 31 | +The compiler team has also accepted @pnkfelix's proposal [MCP-759] to add experimental contracts attributes, and |
| 32 | +the initial implementation is currently [under review](https://github.com/rust-lang/rust/pull/128045). |
| 33 | + |
| 34 | +Finally, we have annotated and verified around 200 functions in the [verify-rust-std] fork with safety contracts using |
| 35 | +contract attributes similar to the ones proposed in [MCP-759]. |
| 36 | + |
| 37 | +### The next 6 months |
| 38 | + |
| 39 | +First, we will keep working with the compiler team to finish the implementation of contract attributes. |
| 40 | +We'll add support to `#[contracts::requires]` and `#[contracts::ensures]` attributes as described in [MCP-759], |
| 41 | +as well type invariant specification. |
| 42 | + |
| 43 | +This will allow users to convert contracts into runtime checks, as well as, provide compiler interface |
| 44 | +for external tools, such as verification tools, to retrieve the annotated contracts. |
| 45 | + |
| 46 | +Once that has been merged to the compiler, we will work with the library to annotate functions of the standard library |
| 47 | +with their safety contracts. |
| 48 | + |
| 49 | +### The "shiny future" we are working towards |
| 50 | + |
| 51 | +All unsafe functions in Rust should have their safety conditions specified using contracts, and verified that those |
| 52 | +conditions are enough to guarantee absence of undefined behavior. |
| 53 | + |
| 54 | +Rust users should be able to check that their code do not violate the safety contracts of unsafe functions, which |
| 55 | +would rule out the possibility that their applications could have a safety bug. |
| 56 | + |
| 57 | +## Design axioms |
| 58 | + |
| 59 | +- **No runtime penalty**: Instrumentation must not affect the standard library runtime behavior, including performance, |
| 60 | +unless users opt-in for contract runtime checks. |
| 61 | +- **Formal Verification**: Enable the verification of the standard library implementation. |
| 62 | +- **Contract as code**: Keeping the contract language and specification as close as possible to Rust syntax and |
| 63 | + semantics will lower the barrier for users to understand and be able to write their own contracts. |
| 64 | + |
| 65 | +## Ownership and team asks |
| 66 | + |
| 67 | +**Owner:** @celinval and @tautschnig |
| 68 | + |
| 69 | +| Subgoal | Owner(s) or team(s) | Notes | |
| 70 | +|----------------------------------|------------------------|----------------------| |
| 71 | +| Discussion and moral support | ![Team][] [libs] | | |
| 72 | +| Experimental Contract attributes | | | |
| 73 | +| ↳ Author MCP | | Done already by @pnkfelix | |
| 74 | +| ↳ Implementation | @celinval | This is in progress. | |
| 75 | +| ↳ Standard reviews | ![Team][] [compiler] | | |
| 76 | +| ↳ Design meeting | ![Team][] [compiler] | | |
| 77 | +| Standard Library Contracts | @celinval, @tautschnig | | |
| 78 | +| ↳ Writing new contracts | Help wanted | | |
| 79 | +| ↳ Standard reviews | ![Team][] [libs] | | |
| 80 | + |
| 81 | +### Definitions |
| 82 | + |
| 83 | +Definitions for terms used above: |
| 84 | + |
| 85 | +* *Discussion and moral support* is the lowest level offering, basically committing the team to nothing but good vibes and general support for this endeavor. |
| 86 | +* *Author MCP* and *Implementation* means actually writing the code, document, whatever. |
| 87 | +* *Design meeting* means holding a synchronous meeting to review a proposal and provide feedback (no decision expected). |
| 88 | +* *Standard reviews* refers to reviews for PRs against the repository; these PRs are not expected to be unduly large or complicated. |
| 89 | + |
| 90 | +## Frequently asked questions |
| 91 | + |
| 92 | +[verify-rust-std]: https://github.com/model-checking/verify-rust-std |
| 93 | +[MCP-759]: https://github.com/rust-lang/compiler-team/issues/759 |
0 commit comments