Disallow side effects in contract expressions #3213
Labels: [C] Feature / Enhancement (a new feature request or enhancement to an existing feature); Z-Contracts (issue related to code contracts)
Currently, function contracts accept arbitrary expressions, including ones that may have side effects.
This can produce a contract that modifies the input arguments to a function before the function runs on those arguments, or that modifies the result or the input arguments after the computation has completed.
This is likely related to #2909, which showcases an infinite loop as a side effect that makes a contract vacuously true.
The problem with side effects in function contracts is that they blur the abstraction of the contract macros: the user has to reason about the `kani::assert` statements that the contract macros compile to. The arguments are no longer fed directly into and out of the function; instead there are precomputations and postcomputations, each of which could have side effects. To truly maintain the proper abstraction of these macros, the pre and post computations must be pure.