Add rand_core::InfallibleRng marker trait
#1412
Conversation
|
This PR got a bunch of unrelated formatting changes in the edited files, which were introduced automatically by my editor. Later we probably need to fix formatting for the whole project and add rustfmt check to CI. |
Yes; I was thinking try to resolve most PRs first. But we could also just go ahead... |
| /// A marker trait used to indicate that an [`RngCore`] implementation is | ||
| /// supposed to never return errors from the [`RngCore::try_fill_bytes`] method | ||
| /// and never panic on unwrapping [`Error`] while calling other methods. | ||
| /// | ||
| /// This trait is usually implemented by PRNGs, as opposed to OS, hardware, | ||
| /// and periodically-reseeded RNGs, which may fail with IO errors. | ||
| pub trait InfallibleRng: RngCore {} |
There was a problem hiding this comment.
Commenting just for visibility of the significant addition.
It falls into the same trap as std::iter::TrustedLen in that it promises something about another trait.
I think I'm okay with this, but worth thinking about / getting more input on.
There was a problem hiding this comment.
I thought about different alternatives and it looks like it's the simplest option. Plus, we already have the CryptoRng trait.
One potential option is to make error an associated type (and CryptoRng may become associated bool constant). This way we could use Infallible by default. But without trait aliases it would be significantly less ergonomic to work with. Here is a draft of how it could look in future: playground.
There was a problem hiding this comment.
Adding associated types + consts to RngCore changes the meaning on every existing usage as a generic bound.
For "crypto grade", I prefer the trait-inheritance model. After all, every CryptoRng is also a valid RNG. Also, can't have CRYPTO_STRONG default to true on all impls.
For infallibility, we'd at least need a bound on that error type: Error: std::error::Error or Error: Into<Something> where Something is a summarized RNG error (NotInitialized, EndOfSequence, IOError, MissingHardwareDevice, ???).
There was a problem hiding this comment.
every CryptoRng is also a valid RNG.
Yes, and? I don't see why the associated constant would be at odds with it. "Cryptographically strong" is a binary property of RNG, which can be modeled perfectly by an associated bool constant.
Also, can't have CRYPTO_STRONG default to true on all impls.
Yes, it should've been false in my example.
For infallibility, we'd at least need a bound on that error type
Sure. But I think it's an unimportant detail. Without stabilization of at least trait aliases, this approach is, arguably, not practical anyway.
There was a problem hiding this comment.
Yes, and?
Only that this case does work well with the trait inheritance model; not every boolean property does.
newpavlov
force-pushed
the
infallible_rng
branch
from
f2d07f3
to
e567a95
Compare
|
I've cleaned up the formatting changes. |
|
There is a much simpler alternative to this PR: require that all Implication: we should drop We can also drop Am I missing anything important? |
|
I am open to a more global rework (e.g. it may be worth to remove
In my opinion, it's tantamount to sweeping the problem under the rug. IO-based RNGs such as As for |
|
You are right that such questions are beyond the scope of this PR, however we should at least determine whether we actually want |
|
Closing in favor of #1424. |
Implementers of the
rand_core::InfallibleRngtrait indicate that they will never return errors from theRngCore::try_fill_bytesmethod and will never panic on unwrappingrand_core::Errorwhile calling other methods.@ctz
Does it address your concerns mentioned in this comment? If you have other concerns/suggestion, feel free to list them here or in a separate issue.