Skip to content

Can the standard library rely on stated but unenforceable invariants of traits like TotalOrd? #14418

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
huonw opened this issue May 25, 2014 · 5 comments
Closed

Can the standard library rely on stated but unenforceable invariants of traits like TotalOrd? #14418

huonw opened this issue May 25, 2014 · 5 comments
Labels
P-low Low priority

Comments

@huonw
Copy link
Member

huonw commented May 25, 2014

Some traits like TotalOrd and TotalEq have invariants (like a < b || a == b || a > b for all a and b for TotalOrd). These can be stated in documentation but not enforced by the compiler or in the type system.

Some algorithms (e.g. a sort, or a data structure) may wish to rely on these stated invariants in a way that means a violation could be memory unsafe. E.g. a highly-optimised sort might run out of bounds when a comparison function is incorrect in exactly the right (well, wrong) way. Being safe in the face of incorrectness can come at the cost of efficiency by being forced to use a slower algorithm, or perform bounds checks etc.

Nominating.
@emberian
Copy link
Member

I think this is a bit of a sticky issue, but safe code should never cause memory unsafety, ever. If relying on those assumptions would cause memory unsafety, they should be marked unsafe.

@eddyb
Copy link
Member

eddyb commented May 25, 2014

As a very wild suggestion:

if prove!((a < b) ^ (a == b) ^ (a > b) forall a, b in T) {
    /* fast implementation */
} else {
    /* potentially slower implementation */
}

cc @regehr might as well toy with the idea if we have access to the tools

@regehr
Copy link

regehr commented May 27, 2014

This is really interesting. I have been playing with the design of something similar to this -- an interface between optimizer and prover for Rust. I need to think on it more. Thanks for ccing me.

@brson brson added P-low and removed I-nominated labels May 29, 2014
@brson
Copy link
Contributor

brson commented May 29, 2014

P-low, not 1.0

@thestinger
Copy link
Contributor

There's a simple solution to this, so I don't think it needs to be an issue. Add a default method #[inline(always)] unsafe fn is_correct() -> bool { false } and correct implementations can override it. It's even backwards compatible to do this for a trait.

flip1995 pushed a commit to flip1995/rust that referenced this issue Mar 20, 2025
@Alexendoo
Reinstate single_match/single_match_else lints with comments (rus…
d443f38 
…t-lang#14420)

Commit efe3fe9 removed the ability for
`single_match` and `single_match_else` to trigger if comments were
present outside of the arms, as those comments would be lost while
rewriting the `match` expression.

This reinstates the lint, but prevents the suggestion from being applied
automatically in the presence of comments by using the `MaybeIncorrect`
applicability. Also, a note is added to the lint message to warn the
user about the need to preserve the comments if acting upon the
suggestion.

changelog: [`single_match`, `single_match_else`]: reinstate lint when
comments are inside the `match` but do not autofix the code

Fix rust-lang#14418
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
P-low Low priority
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@eddyb @brson @emberian @regehr @huonw @thestinger