Invariants of the Rust Type System

# Invariants of the type system FIXME: This file talks about invariants of the type system as a whole, not only the solver There are a lot of invariants - things the type system guarantees to be true at all times - which are desirable or expected from other languages and type systems. Unfortunately, quite a few of them do not hold in Rust right now. This is either a fundamental to its design or caused by bugs and something that may change in the future. It is important to know about the things you can assume while working on - and with - the type system, so here's an incomplete and unofficial list of invariants of the core type system: - ✅: this invariant mostly holds, with some weird exceptions, you can rely on it outside of these cases - ❌: this invariant does not hold, either due to bugs or by design, you must not rely on it for soundness or have to be incredibly careful when doing so ### `wf(X)` implies `wf(normalize(X))` ✅ If a type containing aliases is well-formed, it should also be well-formed after normalizing said aliases. We rely on this as otherwise we would have to re-check for well-formedness for these types. ### Structural equality modulo regions implies semantic equality ✅ If you have a some type and equate it to itself after replacing any regions with unique inference variables in both the lhs and rhs, the now potentially structurally different types should still be equal to each other. Needed to prevent goals from succeeding in HIR typeck and then failing in MIR borrowck. If this invariant is broken MIR typeck ends up failing with an ICE. ### Applying inference results from a goal does not change its result ❌ TODO: this invariant is formulated in a weird way and needs to be elaborated. Pretty much: I would like this check to only fail if there's a solver bug: https://github.com/rust-lang/rust/blob/2ffeb4636b4ae376f716dc4378a7efb37632dc2d/compiler/rustc_trait_selection/src/solve/eval_ctxt.rs#L391-L407 If we prove some goal/equate types/whatever, apply the resulting inference constraints, and then redo the original action, the result should be the same. This unfortunately does not hold - at least in the new solver - due to a few annoying reasons. ### The trait solver has to be *locally sound* ✅ This means that we must never return *success* for goals for which no `impl` exists. That would mean we assume a trait is implemented even though it is not, which is very likely to result in actual unsoundness. When using `where`-bounds to prove a goal, the `impl` will be provided by the user of the item. This invariant only holds if we check region constraints. As we do not check region constraints during implicit negative overlap check in coherence, this invariant is broken there. As this check relies on *completeness* of the trait solver, it is not able to use the current region constraints check - `InferCtxt::resolve_regions` - as its handling of type outlives goals is incomplete. ### Normalization of semantically equal aliases in empty environments results in a unique type ✅ Normalization for alias types/consts has to have a unique result. Otherwise we can easily implement transmute in safe code. Given the following function, we have to make sure that the input and output types always get normalized to the same concrete type. ```rust fn foo<T: Trait>( x: <T as Trait>::Assoc ) -> <T as Trait>::Assoc { x } ``` Many of the currently known unsound issues end up relying on this invariant being broken. It is however very difficult to imagine a sound type system without this invariant, so

This section discusses invariants of the Rust type system, highlighting which invariants hold (✅) and which do not (❌), either due to bugs or design choices. It covers aspects such as well-formedness after normalization, structural vs. semantic equality, the impact of applying inference results, local soundness of the trait solver, and the uniqueness of normalization for semantically equal aliases. Violations of these invariants can lead to unsoundness and unexpected behavior.