Skip to content

Port all viable contracts from verify-rust-std #147148

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
tautschnig wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Port all viable contracts from verify-rust-std #147148

tautschnig wants to merge 4 commits into from
+1,187 −274

Conversation

@tautschnig
Copy link
Contributor

@tautschnig tautschnig commented Sep 29, 2025

Ports over all contracts (other than those for Alignment, see the separate PR) that can be expressed using the current, experimental contracts syntax. (Notably, this excludes all contracts that refer to pointer validity.)

@rustbot rustbot added S-waiting-on-author Status: This is awaiting some action (such as code changes or more information) from the author. T-compiler Relevant to the compiler team, which will review and decide on the PR/issue. T-libs Relevant to the library team, which will review and decide on the PR/issue. labels Sep 29, 2025
Noratrieb
Noratrieb reviewed Sep 29, 2025
View reviewed changes
@rust-log-analyzer

This comment has been minimized.

Sign in to view
bjorn3
bjorn3 reviewed Sep 30, 2025
View reviewed changes
library/core/src/num/uint_macros.rs
#[core::contracts::requires(!self.overflowing_mul(rhs).1)]
pub const unsafe fn unchecked_mul(self, rhs: Self) -> Self {
assert_unsafe_precondition!(
check_language_ub,
Copy link
Member

@bjorn3 bjorn3 Sep 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Many contracts are duplicating existing assert_unsafe_precondition!(). How should we handle this duplication?

Copy link
Contributor Author

@tautschnig tautschnig Oct 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My personal opinion is that all uses of assert_unsafe_precondition should be replaced by contracts::requires clauses as contracts provide a more general framework.

bjorn3
bjorn3 reviewed Sep 30, 2025
View reviewed changes
tests/mir-opt/inline/unchecked_shifts.unchecked_shl_unsigned_smaller.Inline.panic-unwind.diff Outdated
+ _7 = &_4;
+ _6 = {closure@$SRC_DIR/core/src/num/uint_macros.rs:LL:COL} { 0: copy _7 };
+ StorageDead(_7);
+ _5 = contract_check_requires::<{closure@core::num::<impl u16>::unchecked_shl::{closure#0}}>(move _6) -> [return: bb1, unwind continue];
Copy link
Member

@bjorn3 bjorn3 Sep 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All these extra checks would slow down debug builds a lot in terms of runtime performance and likely a bit in build times, right? Can we check by how much exactly?

Copy link
Contributor Author

@tautschnig tautschnig Oct 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With #144438 merged there should not be any runtime impact (not even in debug builds), unless contract checks are enabled. Build times, however, may indeed be affects. Would you have any suggestion on what experiments we should perform to obtain numbers?

@bors
Copy link
Collaborator

bors commented Oct 3, 2025

☔ The latest upstream changes (presumably #142771) made this pull request unmergeable. Please resolve the merge conflicts.

@tautschnig tautschnig force-pushed the upstream-contracts/not-alignment branch from fc56734 to f47406e Compare October 29, 2025 12:46
@rust-log-analyzer

This comment has been minimized.

Sign in to view
@tautschnig tautschnig force-pushed the upstream-contracts/not-alignment branch 2 times, most recently from fa3bb5c to b38b44c Compare October 29, 2025 19:00
@rust-log-analyzer

This comment has been minimized.

Sign in to view
@tautschnig
Port all viable contracts from verify-rust-std
677b604 
Ports over all contracts (other than those for `Alignment`, see the
separate PR) that can be expressed using the current, experimental
contracts syntax. (Notably, this excludes all contracts that refer to
pointer validity.)
@tautschnig
Update expected MIR in tests
919d34a 
Updated via `./x.py test mir-opt --bless --stage 1`.
@tautschnig
Add contracts that require contract variables
e6c9c8d 
These are now expressible thanks to aeae085.
@tautschnig
Bless Miri test change
357743f
@tautschnig tautschnig force-pushed the upstream-contracts/not-alignment branch from 2daa184 to 357743f Compare October 30, 2025 10:09
@tautschnig tautschnig marked this pull request as ready for review October 30, 2025 12:23
@rustbot rustbot added the S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. label Oct 30, 2025
@rustbot
Copy link
Collaborator

rustbot commented Oct 30, 2025

⚠️ #[rustc_allow_const_fn_unstable] needs careful audit to avoid accidentally exposing unstable
implementation details on stable.

cc @rust-lang/wg-const-eval

The Miri subtree was changed

cc @rust-lang/miri

Some changes occurred to the intrinsics. Make sure the CTFE / Miri interpreter
gets adapted for the changes, if necessary.

cc @rust-lang/miri, @RalfJung, @oli-obk, @lcnr

@rustbot rustbot removed the S-waiting-on-author Status: This is awaiting some action (such as code changes or more information) from the author. label Oct 30, 2025
@rustbot
Copy link
Collaborator

rustbot commented Oct 30, 2025

r? @scottmcm

rustbot has assigned @scottmcm.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

@tautschnig
Copy link
Contributor Author

tautschnig commented Oct 30, 2025

@bors try @rust-timer queue

@rust-timer

This comment has been minimized.

Sign in to view
@rust-bors
Copy link

rust-bors bot commented Oct 30, 2025

@tautschnig: 🔑 Insufficient privileges: not in try users

@saethlin
Copy link
Member

saethlin commented Oct 30, 2025

@bors try @rust-timer queue

You can always ask for a perf run here: https://rust-lang.zulipchat.com/#narrow/channel/182449-t-compiler.2Fhelp/topic/perf.20run/with/543397764

@rust-timer

This comment has been minimized.

Sign in to view
@rust-bors

This comment has been minimized.

Sign in to view
rust-bors bot added a commit that referenced this pull request Oct 30, 2025
@rust-bors
Auto merge of #147148 - tautschnig:upstream-contracts/not-alignment, …
2c09cd9 
…r=<try>

Port all viable contracts from verify-rust-std
@rustbot rustbot added the S-waiting-on-perf Status: Waiting on a perf run to be completed. label Oct 30, 2025
@rust-bors
Copy link

rust-bors bot commented Oct 30, 2025

☀️ Try build successful (CI)
Build commit: 2c09cd9 (2c09cd94b5816629b10657151037a6951ff7a7d6, parent: 8205e6b75ec656305ac235d4726d2c7a1ddcef14)

@rust-timer

This comment has been minimized.

Sign in to view
@rust-timer
Copy link
Collaborator

rust-timer commented Oct 30, 2025

Finished benchmarking commit (2c09cd9): comparison URL.

Overall result: ❌ regressions - please read the text below

Benchmarking this pull request means it may be perf-sensitive – we'll automatically label it not fit for rolling up. You can override this, but we strongly advise not to, due to possible changes in compiler perf.

Next Steps: If you can justify the regressions found in this try perf run, please do so in sufficient writing along with @rustbot label: +perf-regression-triaged. If not, please fix the regressions and do another perf run. If its results are neutral or positive, the label will be automatically removed.

@bors rollup=never
@rustbot label: -S-waiting-on-perf +perf-regression

Instruction count

Our most reliable metric. Used to determine the overall result above. However, even this metric can be noisy.

mean range count
Regressions ❌
(primary)		 1.0% [0.1%, 12.2%] 79
Regressions ❌
(secondary)		 3.3% [0.0%, 17.6%] 53
Improvements ✅
(primary)		 - - 0
Improvements ✅
(secondary)		 -0.1% [-0.3%, -0.1%] 3
All ❌✅ (primary) 1.0% [0.1%, 12.2%] 79

Max RSS (memory usage)

Results (primary 1.6%, secondary 2.9%)

A less reliable metric. May be of interest, but not used to determine the overall result above.

mean range count
Regressions ❌
(primary)		 2.0% [0.8%, 3.8%] 22
Regressions ❌
(secondary)		 3.5% [1.0%, 8.0%] 28
Improvements ✅
(primary)		 -2.2% [-3.6%, -0.7%] 2
Improvements ✅
(secondary)		 -3.1% [-4.2%, -1.3%] 3
All ❌✅ (primary) 1.6% [-3.6%, 3.8%] 24

Cycles

Results (primary 4.5%, secondary 4.1%)

A less reliable metric. May be of interest, but not used to determine the overall result above.

mean range count
Regressions ❌
(primary)		 4.5% [2.1%, 10.7%] 8
Regressions ❌
(secondary)		 6.0% [1.4%, 18.2%] 36
Improvements ✅
(primary)		 - - 0
Improvements ✅
(secondary)		 -4.6% [-8.0%, -1.3%] 8
All ❌✅ (primary) 4.5% [2.1%, 10.7%] 8

Binary size

Results (primary 0.3%, secondary 0.9%)

A less reliable metric. May be of interest, but not used to determine the overall result above.

mean range count
Regressions ❌
(primary)		 0.3% [0.0%, 1.2%] 103
Regressions ❌
(secondary)		 0.9% [0.0%, 3.9%] 42
Improvements ✅
(primary)		 -0.0% [-0.0%, -0.0%] 1
Improvements ✅
(secondary)		 - - 0
All ❌✅ (primary) 0.3% [-0.0%, 1.2%] 104

Bootstrap: 475.886s -> 478.145s (0.47%)
Artifact size: 390.36 MiB -> 390.64 MiB (0.07%)

@rustbot rustbot added perf-regression Performance regression. and removed S-waiting-on-perf Status: Waiting on a perf run to be completed. labels Oct 30, 2025
@bors
Copy link
Collaborator

bors commented Nov 3, 2025

☔ The latest upstream changes (presumably #148412) made this pull request unmergeable. Please resolve the merge conflicts.

This was referenced Nov 6, 2025
Open
Closed
celinval
celinval reviewed Nov 13, 2025
View reviewed changes
library/core/src/alloc/layout.rs
Comment on lines +367 to +372
// #[core::contracts::ensures(
// move |result: &Layout|
// result.size() >= self.size() &&
// result.align() == self.align() &&
// result.size() % result.align() == 0 &&
// self.size() + self.padding_needed_for(self.align()) == result.size())]
Copy link
Contributor

@celinval celinval Nov 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would something like this work?

#[core::contracts::ensures({
   let old_self = *self; // Copy self value.
   move |result: &Layout|
      result.size() >= old_self.size() &&
      result.align() == old_self.align() &&
      result.size() % result.align() == 0 &&
      old_self.size() + old_self.padding_needed_for(old_self.align()) == result.size())}]

@scottmcm
Copy link
Member

scottmcm commented Dec 6, 2025

So I like contracts, but it seems like we shouldn't be getting rustc-perf impacts this high to add them when they're not even being used to do anything? Is there anything feasible to do about that?

@rustbot author

@rustbot rustbot added S-waiting-on-author Status: This is awaiting some action (such as code changes or more information) from the author. and removed S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Dec 6, 2025
@rustbot
Copy link
Collaborator

rustbot commented Dec 6, 2025

Reminder, once the PR becomes ready for a review, use @rustbot ready.

@dawidl022
Copy link
Contributor

dawidl022 commented Dec 6, 2025
edited
Loading

So I like contracts, but it seems like we shouldn't be getting rustc-perf impacts this high to add them when they're not even being used to do anything? Is there anything feasible to do about that?

I don't have the expertise to interpret the runs of rustc-perf, but I would imagine that parsing, type-checking, generating the MIR, and optimising out disabled contracts etc. adds to the compilation time of the standard library, and therefore to the compiler.

#145229 was proposed to completely disable macro expansion of contracts when those are disabled, but was rejected as having contracts not be type checked was considered undesirable. Maybe we can revisit this and implement some sort of hybrid solution, giving the option to opt-in or opt-out of contract macro expansion as a new compiler flag. Then e.g. the flag could be enabled in CI, checking the well-typedness of contracts, whereas for fast iterations to build rustc, developers would have the flag disabled.

Any thoughts on this approach? Should contract expansion be opt-in or opt-out? I would image opt-out is a better fit, as by default having type-checking on contracts is nice for the general user, and we can set the opt-out flag in the x script as a default for rustc developers.

@oli-obk
Copy link
Contributor

oli-obk commented Dec 6, 2025

The issue here is not the performance regression of compiling libstd, but that other crates have regressions when calling those functions

@dawidl022
Copy link
Contributor

dawidl022 commented Dec 6, 2025

but that other crates have regressions when calling those functions

Wouldn't the flag still do the job? We can expose the stdlib for consumption by crates with the contracts macro expansion disabled, and then users can override that with build-std if they wish.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bjorn3 bjorn3 bjorn3 left review comments

@celinval celinval celinval left review comments

@Noratrieb Noratrieb Noratrieb left review comments

+1 more reviewer

@dawidl022 dawidl022 dawidl022 left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@scottmcm scottmcm

Labels

perf-regression Performance regression. S-waiting-on-author Status: This is awaiting some action (such as code changes or more information) from the author. T-compiler Relevant to the compiler team, which will review and decide on the PR/issue. T-libs Relevant to the library team, which will review and decide on the PR/issue.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.