Tracking issue for a minimal subset of RFC 911, const fn

[Centril]

This is a tracking issue for the RFC "Const functions and inherent methods" (rust-lang/rfcs#911).

This issue only tracks a minimal subset of the proposal in 911 that we are (hopefully) comfortable with stabilizing. To opt into the minimal subset, use #![feature(min_const_fn)]. To use the more expansive feature set, you can continue using #![feature(const_fn)] and other associated feature gates.

The minimal set will not include items from the following (incomplete) list:

1. const fns with type parameters with bounds (including where clauses) in scope (including from the parent e.g. impl) other than: lifetimes, Sized, or (the "un"-bound) ?Sized

   This restriction exists because we are not sure about our story around what bounds mean in a const fn context. See RFC: const bounds and methods rfcs#2237, const fn and generics const-eval#1, and https://github.com/Centril/rfc-effects/ for a discussion on this.

2. const fns with argument types or return types that contain fn pointers, dyn Trait, or impl Trait.

   This is checked recursively.
   The restriction ensures that you may not reach a value of these types by any means.

   This restriction exists for the same reasons as in 1.

3. const fns with any operations on floating-point numbers. This is achieved by making any floating-point operation not be const inside const fn.

   This restriction exists because we are not sure about the story wrt. determinism, achieving the same results on compile-time / run-time (including other machines) and floating points.

4. using a const fn call in a pattern, e.g.;

   const fn twice<T: Copy>(x: T) -> (T, T) { (x, x) }
   match x {
       twice(21) => { ... }
       _ => { ... }
   }

5. anything else that is not currently in const_fn or constants

   • raw ptr to usize cast (e.g. *const/mut T -> usize).
   • raw ptr deref.
   • if / if let / match.
   • loop / while.
   • let and destructuring.

6. union field access.

7. code requiring unsafe blocks.

Exhaustive list of features supported in const fn with #![feature(min_const_fn)]:

1. type parameters where the parameters have any of the following as part of their bounds (either on where or directly on the parameters):

   1. lifetimes
   2. Sized

   This means that <T: 'a + ?Sized> and <T: 'b + Sized> + <T> are all permitted.
   Note that ?Sized is the absence of a constraint when bounds have been fully elaborated
   which includes adding implicit Sized bounds.
   This entails that permitting Sized + lifetimes allows the above examples.

   This rule also applies to type parameters of items that contain const fns.

2. arithmetic operators on integers

3. boolean operators (except for && and || which are banned since they are short-circuiting).

4. any kind of aggregate constructor (array, struct, enum, tuple, ...)

5. calls to other const fns (methods and functions)

6. index operations on arrays and slices

7. field accesses on structs and tuples

8. reading from constants (but not statics, not even taking a reference to a static)

9. & and * (only dereferencing of references, not raw pointers)

10. casts except for raw pointer to usize casts

11. const unsafe fn is allowed, but the body must consist of safe operations only

The bar for stabilizing const fns in libcore/liballoc/libstd will be that they are writable in stable user code (unless they are wrappers for intrinsics, i.e. size_of and align_of). This means that they must work with min_const_fn.

Things to be done before stabilizing:

• Implement the min_const_fn feature gate. (Implement the min_const_fn feature gate #53604)
• Ensure that the above restrictions apply.
• Adjust documentation (see instructions on forge)
• Stabilization PR (see instructions on forge)

Unresolved questions:

None.

Vocabulary:

• CTFE
• promoted
• rvalue promotion

[Centril]

Also cc: @eddyb, @RalfJung, @est31, @durka, @mark-i-m, @japaric

[Centril]

Some concerns noted over at #24111:

• design (const fn tracking issue (RFC 911) #24111 (comment))
• priority (const fn tracking issue (RFC 911) #24111 (comment))
• runtime-pointer-addresses (const fn tracking issue (RFC 911) #24111 (comment))
• everything-const (const fn tracking issue (RFC 911) #24111 (comment))
• parallel-const-traits resolved by const fn tracking issue (RFC 911) #24111 (comment)

[oli-obk]

runtime-pointer-addresses (#24111 (comment))

does not apply here, because we neither stabilize union field accesses which could be used to transmute between any pointer and an integer, nor do we stabilize casting *const T to usize.

priority (#24111 (comment))

The 2018 edition takes precedence over this feature. Since it has been minimized to a very small surface area which will be enforced by a feature whitelist, it seems plausible that we can get everyone on board to at least stabilize it shortly after the 2018 edition has been released.

design (#24111 (comment))
everything-const (#24111 (comment))

Since we are punting on (almost) all design issues by using a minimal scheme, the only design question left is whether we want to start attaching the const keyword to many functions.

Alternate designs:

• infer the constness (deemed not feasible right now and a semver footgun)
• inverting the system by marking functions as notconst (massive breaking change)
• using a #[const] attribute

Wrt the "everything function is getting const attached to it" worry: The current design is entirely forward compatible with allowing const mod, const impl to allow marking entire code regions as const. Although that seems like it could benefit from the attribute, as you could write #![const] at the top of the crate root and have everything be const.

[RalfJung]

because we neither stabilize union field accesses which could be used to transmute between any pointer and an integer

We do not? I see you sneakily added that to the first post.^^

These are already stable for const. Why not allow them in const fn?

[Centril]

@RalfJung

Why not allow the in const fn?

@oli-obk added that part, but I think about it like this: given union field accesses, you can perform &[mut] T -> usize and so you may violate our plans for CTFE correctness per your blog post. Now, we can say that the operation *(const/mut) T -> usize is UB in const fn, but I would like to wait with that because:

1. It gives us more time to develop our story around the rules of unsafe within const fn.
2. We need to make sure that our teaching material is up to the task so that users will not do &T -> usize and think that's OK.

All in all, I think that if we are more conservative here and punt on this, we can ship a more minimal const fn faster.

[RalfJung]

I see. I don't like these inconsistencies but oh well. Looks like qualify_consts will be cleaned up... another time.^^

In terms of teaching, again we have the same problem for const... I thought the sanity check might help (unlike a const fn, a const has a very simple "observable behavior" so we can actually test for these things statically) but it seems it does not complain about

union Trans { x: &'static i32, y: usize }
const BAR : usize = unsafe { Trans { x: &0 }.y };

[nikomatsakis]

First, a nit:

const fns with type parameters with bounds (including where clauses) (lifetimes are OK) either on themselves or on the scope they are contained within (e.g. impls and such...)

Presumably something like T: Sized is ok -- or, more to the point, const fn foo<T>(t: T) -> T { t }...? So is it just that Sized trait is allowed?

But, more generally, I think that this proposal does a good job of outlining the surface area of the language to be stabilized, but I'd like to see a better outline of what the implications are regarding the "const system in general".

One key question here is the interaction of const fn and promotion, I think, since that is the main place where we can find ourselves in tricky questions (e.g., even something like const fn foo(a: u32, b: u32) -> { a + b } can be problematic if a call to it is promoted). Can someone (e.g., @oli-obk) write out the conditions in which calls to const fn can currently be promoted, if any? I don't recall. =)

I think by now I am mostly bought into the general framing from Ralf's blog post, but I'd like to also know if there are alternative approaches that we are ruling out by stabilizing const fn.

It seems like one of the key bits that I could imagine being controversial was the idea that a const fn could do things that we cannot statically guarantee are valid (e.g., in unsafe code) but that we could still promote calls to that const fn. If we wind up hitting errors at compilation time, that is then a violation of the const fn declaration analogous to hitting UB at runtime. As I said, I think I am mostly bought into this framing, but I would like to clarify if we are losing room to maneuever here in any way.

[nikomatsakis]

To expand a bit on something:

Presumably something like T: Sized is ok -- or, more to the point, const fn foo(t: T) -> T { t }...? So is it just that Sized trait is allowed?

I had initially considered suggesting that we allow auto traits as well, but I do not think this is a good idea. For one thing, unlike Sized ,auto traits may have custom impls, and that might constrain us in ways that we do not want. e.g., you can have

unsafe impl<T: Display> Send for Foo<T> { }

Now, if you have a const fn foo<U: Send>(...) where U = Foo<T>, and we accept it, we will therefore be saying that T: Display is provable in a const context. But if we wanted to change how trait resolution works in a const context to consider only impls that are marked const or some such thing, that could be problematic.

Since Sized does not permit custom impls, we don't have this problem. Similarly, we could permit lifetime bounds (T: 'a).

[Centril]

@RalfJung

I see. I don't like these inconsistencies but oh well.

Hehe; I don't like them either, but I fully intend for many of the restrictions to be temporary ^.^

---

@nikomatsakis

So is it just that Sized trait is allowed?

Right; so I think lifetimes in bounds + Sized + ?Sized (which is the true "no bound") would be permitted.

[mark-i-m]

I'm curious about the UX side of things. Some of the limitations might be surprising to people. For example, being able to write a generic but not bounds.

I can imagine it being frustrating to start implementing my program and then all of a sudden something doesn't work because it requires nightly. I either have to change to nightly or change my implementation approach.

Of course, it could be one of those things that just needs experimentation on nightly for a while. For example, we could implement the proposed min_const_fn feature and see how many uses of the const_fn feature on crates.io can be changed to it. If that proportion is low, I think we should think twice before stabilizing.

[RalfJung]

Can someone (e.g., @oli-obk) write out the conditions in which calls to const fn can currently be promoted, if any?

My long-term plan (which I still did not get around to submit to the const RFC repo...) was that a call to a safe const fn would get promoted whenever all its arguments would get promoted. Notably, we do not look into the body.

I originally thought we could not look into the body for promoting uses of const either, but IIRC there are problems then because we do want to promote

const FOO : Option<Cell<i32>> = None;
&FOO

but not

const FOO : Option<Cell<i32>> = Some(Cell::new(0));
&FOO

So it seems like, even if it's just for backwards compatibility, looking "into" a const body is needed. I hope that what we are really doing is just look at the result of the const, i.e. the final value, not the expression used to compute it (and TBH I do not know how we check if that value is Sync, but whatever). But I think we should not do that for const fn (and, with their argument dependencies, that would be indeed much harder).

Now @oli-obk can fix all my misconceptions. :D

[oli-obk]

Can someone (e.g., @oli-obk) write out the conditions in which calls to const fn can currently be promoted, if any?

A const fn call is "always" promoted right now. If the creation of its arguments involves unions, raw pointer to usize casts or raw pointer derefs, then the analysis doesn't even consider the the call for promotion. So it's not a question of whether to promote a const fn call, but whether its arguments seem promotable.

min_const_fn does not change this, but it also restricts the function body to a minimal setting where you cannot write a const fn that would cause it to fail promotion. Any potential unconst feature has been removed.

This means we are fully forward compatible with any scheme that we choose wrt promotion failures (or lack thereof).

So it seems like, even if it's just for backwards compatibility, looking "into" a const body is needed.

We don't allow even mentioning cells, even if they don't end up in the final result. I think it would be very confusing for users if they can use Cell in a const fn body to compute something, and return a u32 and then that result is not promoted.

    const FOO : Option<Cell<i32>> = (None, Some(Cell::new(0))).0;
    let _: &'static _ = &FOO; // ERROR: does not live long enough

If we want to make this properly (meaning not surprising to users) we need to do these checks on final values, not on constant/const fn bodies. I have implemented a prototype for checking whether a value needs user-written Drop. I think I can also do this for UnsafeCell.

I'm curious about the UX side of things. Some of the limitations might be surprising to people. For example, being able to write a generic but not bounds.

We have so many const features that users are surprised about not being stable although very similar features are. I don't think extending the group of stable features will make ppl unhappy.

[RalfJung]

We don't allow even mentioning cells, even if they don't end up in the final result.

So we check the type to be frozen recursively?

I have implemented a prototype for checking whether a value needs user-written Drop. I think I can also do this for UnsafeCell.

Oh so currently we do not do any value-based analysis, and could go entirely off of the type of the const, not entering its body?

No that's not true, the following works

    const FOO : Option<Vec<i32>> = None;
    let _: &'static _ = &FOO;

[oli-obk]

could go entirely off of the type of the const, not entering its body?

No, I implemented a prototype for checking the constant's final value for promotability. So the body is ignored, but we check the value similarly how the const sanity checks work.

[RalfJung]

Well that's still looking "into" the constant, breaking the abstraction.

OTOH it enables reasonable code, so we likely want it. You said you "implemented a prototype", but something seems to already have landed?

[oli-obk]

You said you "implemented a prototype", but something seems to already have landed?

No, we've had body-revealing checks since forever. This is nothing new.

[durka]

Why can we not allow control flow in const fns?

[durka]

Also, has there been an audit of which const fns in std/crates.io can be implemented according to these restrictions?

[Centril]

@durka I've skimmed the const fns in libstd and I think it should all work with these restrictions.
However; if it does not work for some of the stable ones, we will have to create some sort of exemption mechanism for those (think rustc_const_stable).
A more thorough audit of libstd would be good.

Wrt. control flow and destructuring, see:

• Tracking issue for RFC 2342, "Allow if and match in constants" #49146
• Tracking issue for RFC 2344, "Allow loop in constant evaluation" #52000
• Tracking issue for RFC 2345, "Allow panicking in constants" (const_panic) #51999
• Tracking issue for RFC 2341, Allow locals and destructuring in const fn #48821

[oli-obk]

@durka this is not the issue for discussing what to add to the minimal const fn (control flow isn't even in full const fns yet), but for discussing what to remove to make it forward compatible to every possible scheme.

So. @RalfJung has noted that NonZero::new_unchecked is not const safe, so the question is whether to ban unsafe const fn under this feature gate.

[RalfJung]

Instead of banning random subsets of unsafe operations, I'd prefer -- if we want to keep the space open for how we resolve "const safety" -- to just not allow unsafe blocks in const fn, period. That would cover both union field access, raw pointer deref and calling unsafe const fn.

I think the only safe operation we are worried about is raw ptr to usize, and AFAIK that is not even allowed in const, so we are good.

[Centril]

Update:

• unsafe { .. } is now banned.

• lifetimes, Sized, and ?Sized in bounds (either implicitly / explicitly) is now permitted.

[therealprof]

Is there any plan or timeframe for stabilisation of this feature?

This is blocking a major embedded use case to safely pass data and peripherals in and out of interrupt handlers as far as I can see (cf. rust-embedded/bare-metal#11). The use of const fn is currently cfg-gated to make the crate work in stable (without static Mutexes in that case) but min_const_fn would suffice to make that IMHO important feature generally available.

[Centril]

@therealprof Stabilization is blocked on merging #53851.

[gnzlbg]

This restriction exists because we are not sure about the story wrt. determinism, achieving the same results on compile-time / run-time (including other machines) and floating points.

We discussed this on IRC a while ago, but I don't see it mentioned here, so it might be worth it to update the OP. We are sure about this: it is, in general, impossible to achieve the same results at compile-time and run-time (on all targets). What const fn should do? Probably just implement IEEE arithmetic, fixing the implementation-defined behavior to some behavior in a target independent way. cc @rkruppe

[RalfJung]

As uncovered in #54696, raw pointer comparison is not the only concern -- we also have ti disallow function pointer comparison as CTFE does not support that operation. Does min_const_fn handle that?

[oli-obk]

Well... we do have "function pointers in const fn are unstable" even for casting functions to function pointers.

[RalfJung]

But we could still write a function that takes two fn ptrs and compares them? It couldn't be called (currently), but we should rule out the binop as well.

[cramertj]

@RalfJung Attempting to define

const fn cmp(x: fn(), y: fn()) -> bool {
    x == y
}

with #![feature(min_const_fn)] gives "error: function pointers in const fn are unstable".

[RalfJung]

If we have that in a test, I am happy :)

[Centril]

@oli-obk given that we landed #53851, should we move to stabilize this?

[bstrie]

However, I'd like to see a test ensuring that

   const FOO: NonZeroU8 = unsafe { NonZeroU8::new_unchecked(0) };

is caught by the sanity check. Currently nightly accepts that constant without complaining.

@RalfJung , it would appear that post-#54835 nightly still accepts this code without warning. Did you intend for this code not to work?

[oli-obk]

Nightly on the playground gives me

error[E0080]: this constant likely exhibits undefined behavior
 --> src/main.rs:3:1
  |
3 | const FOO: NonZeroU8 = unsafe { NonZeroU8::new_unchecked(0) };
  | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ type validation failed: encountered 0, but expected something greater or equal to 1
  |
  = note: The rules on what exactly is undefined behavior aren't clear, so this check might be overzealous. Please open an issue on the rust compiler repository if you believe it should not be considered undefined behavior

https://play.rust-lang.org/?gist=8544bb6dd824c73bd0ea8466aad29ae9&version=nightly&mode=debug&edition=2015

[RalfJung]

And there's tests as well: https://github.com/rust-lang/rust/blob/master/src/test/ui/consts/const-eval/ub-nonnull.rs

This can been fixed with #54762

[therealprof]

Any change we can get this into beta? I'd really love to do some 2018 edition proving and cleanup of some embedded crates but without min_const_fn available on beta, realistic checks are somewhat limited.

[oli-obk]

It will be in the next beta. Until then you could just use nightly without any feature gates

[therealprof]

@oli-obk That's what I'm doing at the moment but I thought the point of the beta was to test Edition features and nightly might behave differently. I guess I'm looking forward then to trying the next beta and everything working fine just like on nighty. ;)

[Centril]

Documentation was done in rust-lang/reference#440. Since everything is done, I'll close this out.

[therealprof]

@oli-obk > It will be in the next beta. Until then you could just use nightly without any feature gates

# rustc +beta --version
rustc 1.30.0-beta.15 (590121930 2018-10-12)
# cargo +beta build --release
...
error[E0658]: const fn is unstable (see issue #53555)
  --> /Users/egger/OSS/bare-metal/src/lib.rs:22:5
   |
22 | /     pub const unsafe fn new(address: usize) -> Self {
23 | |         Peripheral {
24 | |             address: address as *mut T,
25 | |         }
26 | |     }
   | |_____^

[crlf0710]

@therealprof "the next beta" means the 1.31 one, which will arrive some time around the time 1.30 stable ships(Oct 25).