Capability-Safety I: Prelude
— 2023-01-24

  1. introduction
  2. capability-safety
  3. the plan


In 2021 Tmandry published the post: "Contexts and Capabilities". In it they present the idea of with-clauses, providing a means of passing types such as allocators around in a more convenient way. The post goes into detail about the feature, but you can roughly think of it as a way to declare types which are live within a certain scope, and are automatically passed into functions which require them:

//! A usage-only example of `with`-clauses to create scoped allocators.
//! This example is somewhat incomplete, but hopefully gives enough of a sense
//! of what it would feel like to use `with`-clauses.

// Before: using `#[feature(allocator_api)]` to allocate into a bump allocator.
let bump = bumpalo::Bump::new(); // Create a bump allocator
let vec1 = Vec::new_in(&bump);   // Use `new_in` to allocate into the bump allocator
let vec2 = Vec::new_in(&bump);

// After: using `with`-clauses to allocate into a bump allocator.
with std::alloc::alloc = bumpalo::Bump::new() { // Create a bump allocator for this scope
    let vec1 = Vec::new(); // `new` uses whichever allocator is currently active
    let vec2 = Vec::new();


While we were brainstorming about with-clauses it got me wondering: Would it be possible to not only leverage with-clauses as a means of just passing arguments around, but also as a means of guaranteeing encapsulation?. Or differently put: if we can think of with-clauses as a way of passing capabilities, would it be possible for us to make Rust "capability-safe" 1? I reached out to Sunfishcode who has worked a lot on capabilities for WebAssembly, and for the past year or so we've been researching how we might be able to introduce a notion of capability-safety into Rust.


I'm intentionally not really going into detail about what "capability-safety" is exactly; a follow-up to this post is being written. But to not leave people entirely in the dark, let me try and summarize it: What if we had access to a kind of function which guarantees it will only ever operate over exactly what it declared in its function signature and nothing else. This enables functions to not only describe what they can do, but by omission now also what they can't do. A lot of safety-critical systems would love to have access to that kind of expressiveness, but there are a bunch of other uses for it too. This intersects with a bunch of different aspects of the language, so expect us to go into minute detail about how we believe we can make this all work in future posts.

The good news is: we think we have a plausible design - one which not only enable capability-safety, but crucially would so without breaking any of Rust's stability guarantees. We've consulted with members of both lang and libs, and at least from a technical point of view it seems like it could work. But if we ever want to turn it into a formal Rust language proposal, we not only need the design to be plausible, we also need to show that it's something which is beneficial. Something which solves real issues people experience, and something which people would be excited to adopt.

The plan

You can consider this post a statement of intent. Sunfish and I are committed to figuring out how we can actually talk about capability-safety in a way that makes sense. I've tried and failed to write something coherent post about this a couple of times now. But we believe it's time to actually start publishing about this. So that's exactly what we'll be doing!

We'll start explaining by what capabilities are, why they're useful, what capability-safety is, which guarantees it provides, introduce you to our design, and then work through the various interactions. There's not a lot of material on capability-safety available, so the real challenge for us is to figure out the right framing and examples to have it actually make sense.

But we're convinced we can actually make it happen. Sunfish has already started writing about some these topics which you can check out here:

His next post will be about capability-safety. Stay tuned for that!

Thanks to Sunfishcode for help reviewing this post!