Conditionally compile contracts instead of deciding at run-time

The initial implementation of contracts, despite requiring a
compiler flag to enable runtime checking of contracts, still
compiled contracts into function definitions, even when
the compiler flag was disabled. This meant that contracts
could not be safely added to functions without breaking
optimisations, or even without potentially changing
the behaviour of the function.

This change guards macro expansion of the built-in contract macros
with the contract-checks compiler flag. Additionally, it removes
the contract_checks compiler intrinsic that was used to determine
whether contract checks should be executed at runtime. Now,
when contracts checks are compiled into the body of a function,
they will always be executed.

Author: dawidl022

compiler/rustc_builtin_macros/src/contracts.rs

@@ -17,7 +17,11 @@ impl AttrProcMacro for ExpandRequires {
         annotation: TokenStream,
         annotated: TokenStream,
     ) -> Result<TokenStream, ErrorGuaranteed> {
-        expand_requires_tts(ecx, span, annotation, annotated)
+        if ecx.sess.contract_checks() {
+            expand_requires_tts(ecx, span, annotation, annotated)
+        } else {
+            Ok(annotated)
+        }
     }
 }
 
@@ -29,7 +33,11 @@ impl AttrProcMacro for ExpandEnsures {
         annotation: TokenStream,
         annotated: TokenStream,
     ) -> Result<TokenStream, ErrorGuaranteed> {
-        expand_ensures_tts(ecx, span, annotation, annotated)
+        if ecx.sess.contract_checks() {
+            expand_ensures_tts(ecx, span, annotation, annotated)
+        } else {
+            Ok(annotated)
+        }
     }
 }
 

library/core/src/intrinsics/mod.rs

@@ -2557,23 +2557,6 @@ pub const unsafe fn const_make_global(ptr: *mut u8) -> *const u8 {
     ptr
 }
 
-/// Returns whether we should perform contract-checking at runtime.
-///
-/// This is meant to be similar to the ub_checks intrinsic, in terms
-/// of not prematurely committing at compile-time to whether contract
-/// checking is turned on, so that we can specify contracts in libstd
-/// and let an end user opt into turning them on.
-#[rustc_const_unstable(feature = "contracts_internals", issue = "128044" /* compiler-team#759 */)]
-#[unstable(feature = "contracts_internals", issue = "128044" /* compiler-team#759 */)]
-#[inline(always)]
-#[rustc_intrinsic]
-pub const fn contract_checks() -> bool {
-    // FIXME: should this be `false` or `cfg!(contract_checks)`?
-
-    // cfg!(contract_checks)
-    false
-}
-
 /// Check if the pre-condition `cond` has been met.
 ///
 /// By default, if `contract_checks` is enabled, this will panic with no unwind if the condition
@@ -2594,7 +2577,7 @@ pub const fn contract_check_requires<C: Fn() -> bool + Copy>(cond: C) {
         if const {
                 // Do nothing
         } else {
-            if contract_checks() && !cond() {
+            if !cond() {
                 // Emit no unwind panic in case this was a safety requirement.
                 crate::panicking::panic_nounwind("failed requires check");
             }
@@ -2622,7 +2605,7 @@ pub const fn contract_check_ensures<C: Fn(&Ret) -> bool + Copy, Ret>(cond: C, re
             // Do nothing
             ret
         } else {
-            if contract_checks() && !cond(&ret) {
+            if !cond(&ret) {
                 // Emit no unwind panic in case this was a safety requirement.
                 crate::panicking::panic_nounwind("failed ensures check");
             }

tests/ui/contracts/associated-item-disabled.rs

@@ -0,0 +1,19 @@
+// Ensure we don't ICE when contract present on an associated item but
+// contract-checks are disabled.
+
+//@ compile-flags: --crate-type=lib
+//@ check-pass
+
+#![feature(contracts)]
+//~^ WARN the feature `contracts` is incomplete and may not be safe to use
+
+extern crate core;
+
+use core::contracts::requires;
+
+struct Foo;
+
+impl Foo {
+    #[requires(align > 0 && (align & (align - 1)) == 0)]
+    pub fn foo(align: i32) {}
+}

tests/ui/contracts/internal_machinery/contract-lang-items.unchk_fail_post.stderr renamed to tests/ui/contracts/associated-item-disabled.stderr

@@ -1,7 +1,7 @@
 warning: the feature `contracts` is incomplete and may not be safe to use and/or cause compiler crashes
-  --> $DIR/contract-lang-items.rs:15:12
+  --> $DIR/associated-item-disabled.rs:7:12
    |
-LL | #![feature(contracts)] // to access core::contracts
+LL | #![feature(contracts)]
    |            ^^^^^^^^^
    |
    = note: see issue #128044 <https://github.com/rust-lang/rust/issues/128044> for more information

tests/ui/contracts/associated-item.rs

@@ -1,6 +1,7 @@
 // Ensure we don't ICE when lowering contracts on an associated item.
 
 //@ compile-flags: --crate-type=lib
+//@ compile-flags: -Zcontract-checks=yes
 //@ check-pass
 
 #![feature(contracts)]

tests/ui/contracts/associated-item.stderr

@@ -1,5 +1,5 @@
 warning: the feature `contracts` is incomplete and may not be safe to use and/or cause compiler crashes
-  --> $DIR/associated-item.rs:6:12
+  --> $DIR/associated-item.rs:7:12
    |
 LL | #![feature(contracts)]
    |            ^^^^^^^^^

tests/ui/contracts/contract-annotation-limitations.rs

@@ -1,6 +1,8 @@
 //! Test for some of the existing limitations and the current error messages.
 //! Some of these limitations may be removed in the future.
 
+//@ compile-flags: -Zcontract-checks=yes
+
 #![feature(contracts)]
 //~^ WARN the feature `contracts` is incomplete and may not be safe to use and/or cause compiler crashes [incomplete_features]
 #![allow(dead_code)]

tests/ui/contracts/contract-annotation-limitations.stderr

@@ -1,17 +1,17 @@
 error: contract annotations is only supported in functions with bodies
-  --> $DIR/contract-annotation-limitations.rs:18:5
+  --> $DIR/contract-annotation-limitations.rs:20:5
    |
 LL |     #[core::contracts::ensures(|ret| ret.is_none_or(Stars::is_valid))]
    |     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 error: contract annotations is only supported in functions with bodies
-  --> $DIR/contract-annotation-limitations.rs:22:5
+  --> $DIR/contract-annotation-limitations.rs:24:5
    |
 LL |     #[core::contracts::ensures(|ret| ret.is_none_or(Stars::is_valid))]
    |     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 warning: the feature `contracts` is incomplete and may not be safe to use and/or cause compiler crashes
-  --> $DIR/contract-annotation-limitations.rs:4:12
+  --> $DIR/contract-annotation-limitations.rs:6:12
    |
 LL | #![feature(contracts)]
    |            ^^^^^^^^^

tests/ui/contracts/contracts-disabled-side-effect-ensures.rs

@@ -0,0 +1,17 @@
+//@ run-pass
+#![feature(contracts)]
+//~^ WARN the feature `contracts` is incomplete and may not be safe to use and/or cause compiler crashes [incomplete_features]
+
+extern crate core;
+use core::contracts::ensures;
+
+#[ensures({*x = 0; |_ret| true})]
+fn buggy_add(x: &mut u32, y: u32) {
+    *x = *x + y;
+}
+
+fn main() {
+    let mut x = 10;
+    buggy_add(&mut x, 100);
+    assert_eq!(x, 110);
+}

tests/ui/contracts/internal_machinery/contract-lang-items.unchk_pass.stderr renamed to tests/ui/contracts/contracts-disabled-side-effect-ensures.stderr

@@ -1,7 +1,7 @@
 warning: the feature `contracts` is incomplete and may not be safe to use and/or cause compiler crashes
-  --> $DIR/contract-lang-items.rs:15:12
+  --> $DIR/contracts-disabled-side-effect-ensures.rs:2:12
    |
-LL | #![feature(contracts)] // to access core::contracts
+LL | #![feature(contracts)]
    |            ^^^^^^^^^
    |
    = note: see issue #128044 <https://github.com/rust-lang/rust/issues/128044> for more information