It seems to me that their “Contract based programming” is “Parse, Don’t Validate” and what they call “canonical type” is “Make Illegal States Unrepresentable”.
Although the only safe way to construct if through the validator TryFrom trait, the Username can be created through unsafe transmute (casting the bits of one value to the type of another without checks). This is normally fine though as with unsafe you are introducing undefined behaviour anyway.
This is not Rust’s definition of “undefined behavior” (1, 2, 3). By the usual definition, unsafe introduces UB only if one misuses it (whereas Safe Rust doesn’t give one the opportunity to introduce UB). Even the “horribly unsafe”transmute function doesn’t always introduce UB, and it would likely be deprecated if it did, like its sibling uninitialized.
I think their example use of transmute might indeed have UB, though, because they didn’t specify the layout of Username.
It seems to me that their “Contract based programming” is “Parse, Don’t Validate” and what they call “canonical type” is “Make Illegal States Unrepresentable”.
This is not Rust’s definition of “undefined behavior” (1, 2, 3). By the usual definition,
unsafeintroduces UB only if one misuses it (whereas Safe Rust doesn’t give one the opportunity to introduce UB). Even the “horribly unsafe”transmutefunction doesn’t always introduce UB, and it would likely be deprecated if it did, like its siblinguninitialized.I think their example use of
transmutemight indeed have UB, though, because they didn’t specify the layout ofUsername.