An assert is just a fancy `if condition { panic(message) }`. If the optimizer ca...

haberman · 2025-02-04T00:50:29 1738630229

Ah, I see what you are saying. Yes, if the optimizer is able to eliminate the postcondition check, I agree that it would constitute a proof that the code upholds the invariant.

The big question is how much real-world code the optimizer would be capable of "solving" in this way.

I wonder if most algorithms would eventually be solvable if you keep breaking them down into smaller pieces. Or if some would have some step of irreducible complexity that the optimizer cannot figure out, now matter how much you break it down.

Yoric · 2025-02-04T12:24:40 1738671880

I wonder if there is a simple way to stop compilation quickly, with a readable error message, if the optimizer isn't able to eliminate the check.

edit: There is https://github.com/dtolnay/no-panic

vlovich123 · 2025-02-04T15:59:04 1738684744

> Functions that require some amount of optimization to prove that they do not panic may no longer compile in debug mode after being marked #[no_panic].

So you’re probably going to have to protect this with a cfg_attr to only apply the no_panic in release only.

Yoric · 2025-02-05T15:20:23 1738768823

Probably, yes.

That or forcing compilation to always target release.

vlovich123 · 2025-02-04T15:57:55 1738684675

To be clear, the optimizer doesn’t uphold the post condition. It just says “the post condition is usable to elide other checks”. But if the condition itself is incorrect, the compiler will STILL elide those checks. If the compiler could prove the condition on its own it would have done so. That’s why that assert is named unchecked and is itself unsafe!

saagarjha · 2025-02-04T10:52:24 1738666344

Generally you run into the halting problem and whatnot real quick.

vlovich123 · 2025-02-04T15:56:17 1738684577

To be clear as there’s a lot of nuance. Assert unchecked is telling the compiler the condition must always hold. The optimizer and compiler don’t make any assumption about the assert. That information is then used by the compiler to optimize away checks it otherwise would have to do (eg making sure an Option is Some if you call unwrap).

If you have an assumption that gives unhelpful information, the optimizer will emit panic code. Worse, if the assumption is incorrect, then the compiler can easily miscompile the code (both in terms of UB because of an incorrectly omitted panic path AND because it can miscompile surprising deductions you didn’t think of that your assumption enables).

I would use the assume crate for this before this got standardized but very carefully in carefully profiled hotspots. Wrapping it in a safe call as in this article would have been unthinkable - the unsafe needs to live exactly where you are making the assumption, there’s no safety provided by the wrapper. Indeed I see this a lot where the safety is spuriously added at the function call boundary instead of making the safety the responsibility of the caller when your function wrapper doesn’t actually guarantee any of the safety invariants hold.

haberman · 2025-02-05T18:13:35 1738779215

> Wrapping it in a safe call as in this article would have been unthinkable - the unsafe needs to live exactly where you are making the assumption, there’s no safety provided by the wrapper.

I want to be sure I understand your meaning. In your analysis, if the check_invariant function was marked unsafe, would the code be acceptable in your eyes?

vlovich123 · 2025-02-07T18:50:44 1738954244

Unsafe is the P0. I'd avoid this approach wholesale UNLESS it was a critical hot path with no other way to get safe Rust to elide the check (hint - you'd be surprised how much gets elided in idiomatic Rust). Basically, this is a nice sharp knife in the toolbox to know about and so sharp I'd rarely use it.