You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: text/0000-rust-has-provenance.md
+6Lines changed: 6 additions & 0 deletions
Original file line number
Diff line number
Diff line change
@@ -147,6 +147,7 @@ let x = if b { y/2 } else { z+42 };
147
147
Program analysis might want to track which variables can influence the value of `x`, and this is often called "provenance".
148
148
In our example, `x` would have provenance of `{y, z}`, indicating that those are the two variables that can affect the value of `x`.
149
149
However, this kind of provenance is purely *descriptive*, it just states facts about program executions.
150
+
This is just a way of talking about data dependencies (and possibly control dependencies).
150
151
The language standard would never even mention this form of provenance; a compiler would justify the correctness of its provenance analysis by relating them to the semantics specified in the standard.
151
152
It is safe to "forget" descriptive provenance during analysis (and it doesn't exist outside analysis to begin with); that just means the compiler cannot do provenance-based optimizations on the affected values.
152
153
Programmers do not have to think about descriptive provenance ever when judging the correctness of their code.
@@ -164,10 +165,15 @@ Sanitizers and undefined behavior detectors like [Miri](https://github.com/rust-
164
165
[^erase]: It is of course still possible to erase provenance during compilation, *if* the target that we are compiling to does not actually do the access checks that the abstract machine does. What is not safe is having a language operation that strips provenance, and inserting that in arbitrary places in the program.
165
166
166
167
The point of this RFC is that Rust has *prescriptive* provenance.
168
+
The author is not aware of cases of descriptive provenance that actually use the term "provenance"; usually people simply talk about data/control dependencies.
169
+
So while the term "provenance" might initially raise wrong expectations, there's also no pressing need to pick a different term.
170
+
Ultimately, wrong expectations will ensue with pretty much any name, since few people actually expect anything like prescriptive provenance to exist.
171
+
(This includes the author of this RFC, who was firmly anti-prescriptive-provenance around 2017, but has since come to the conclusion that there's no credible alternative.)
167
172
168
173
*Historical note:* The author assumes that provenance in C was originally intended to be purely descriptive.
169
174
However, the moment compilers started doing optimizations that exploit undefined behavior depending on the provenance of a pointer, provenance of de-facto-C became prescriptive.
170
175
A lot of the confusion around provenance arises from the fact that many people still think it is purely descriptive.
176
+
They will hence accept both "we do provenance-based alias analysis" and "pointers are just integers" as true statements, not realizing that these statements are contradicting each other.
171
177
The standard has not (yet) been updated to clarify this, but in 2022 the committee has accepted a Technical Specification that does explicitly state that C has prescriptive provenance.
0 commit comments