Capability-Safety I: Prelude
In 2021 Tmandry published the post: "Contexts and Capabilities". In it they present the idea of with-clauses, providing a means of passing types such as allocators around in a more convenient way. The post goes into detail about the feature, but you can roughly think of it as a way to declare types which are live within a certain scope, and are automatically passed into functions which require them:
While we were brainstorming about with-clauses it got me wondering: Would it be possible to not only leverage with-clauses as a means of just passing arguments around, but also as a means of guaranteeing encapsulation?. Or differently put: if we can think of with-clauses as a way of passing capabilities, would it be possible for us to make Rust "capability-safe" 1? I reached out to Sunfishcode who has worked a lot on capabilities for WebAssembly, and for the past year or so we've been researching how we might be able to introduce a notion of capability-safety into Rust.
I'm intentionally not really going into detail about what "capability-safety" is exactly; a follow-up to this post is being written. But to not leave people entirely in the dark, let me try and summarize it: What if we had access to a kind of function which guarantees it will only ever operate over exactly what it declared in its function signature and nothing else. This enables functions to not only describe what they can do, but by omission now also what they can't do. A lot of safety-critical systems would love to have access to that kind of expressiveness, but there are a bunch of other uses for it too. This intersects with a bunch of different aspects of the language, so expect us to go into minute detail about how we believe we can make this all work in future posts.
