Skip to content
Sound unchecked indexing using “generativity”; a type system approach to indices, pointers and ranges that are trusted to be in bounds.
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.



“Sound unchecked indexing” in Rust using “generativity” (branding by unique lifetime parameter).

Extremely experimental, but somewhat promising & exciting.

Main focus is on index ranges, not just single indices.

build_status crates

Crate Features:

  • use_std Enabled by default, disable to be no_std-compatible.


Also now described in: You can't spell trust without Rust. Chapter 6.3 hacking generativity onto rust. Gankro's master's thesis.

Recent Changes

  • 0.4.1
    • Remove the ability to clone non- FixedLength Containers, because allowing to clone a container was wrong in the presencen of the length changing .push()/.insert() methods on vectors in containers.
  • 0.4.0
    • Add method .make_twin() that allows two or more containers to use the same trusted indices, if they are the same size
    • Add new marker trait FixedLength for use in make_twin.
    • Remove the branded raw pointer features, since they need revision (See #11)
    • Fix bug in the proof of .join_cover()
    • Fix signatures in ContiguousMut so that it now uses &mut correctly
    • Update dev-dependencies
    • Add Ord, PartialOrd impls for Range
    • Now using Rust 2018 and requiring Rust 1.32 or later.
  • 0.3.2
    • Fix future compatibility warning about pointer casts.
    • Add Ord, Hash impls for Index and Hash for Range
  • 0.3.1
    • Fixes in tests
    • Add categories
  • 0.3.0
    • Tweak implementation traits a bit, PointerRange, Provable, ContainerRef, make them unsafe where needed.
    • Add Container::range_of
  • 0.2.0
    • Docs are better
    • Refactor most of the crate, prepare for other backends than slices
    • Expose PIndex, PRange, PSlice which are the pointer-based equivalents of safe trusted indices and ranges. Some algos are better when using a raw pointer representation (for example: lower bound). Since we don't have HKT, traitifying all of this is not so pleasant and is not yet complete.
    • New feature: can combine trusted indices with push/insert on Vec.
  • 0.1.2
    • Add binary_search_by and lower_bound to algorithms. Algorithms don't require T: Debug anymore.
  • 0.1.1
    • Point documentation to
  • 0.1.0
    • Add some docs and tests
    • Fix Range::join_cover_both to use ProofAdd
  • 0.1.0-alpha3
    • Add IndexingError and use it for all Results.
  • 0.1.0-alpha2
    • Add ProofAdd and use it in Range::join, Range::join_cover
    • Make Index<'id>, Range<'id> Send + Sync
  • 0.1.0-alpha1
    • First release


Dual-licensed to be compatible with the Rust project.

Licensed under the Apache License, Version 2.0 or the MIT license, at your option. This file may not be copied, modified, or distributed except according to those terms.

You can’t perform that action at this time.