Initial Idea: Bounded Numbers

blacktemplar · September 20, 2025, 9:37pm

In a lot of my projects I argue in some way or another along the lines:

Those inputs are (per API specifications) guaranteed to be smaller than X, therefore summing two of them up can never overflow within u8.

Thinking about this problem more. I was wondering if we could move this argumentation from a purely meta level to the type level and let the compiler do the reasoning.

This is what I want to achieve with my project GitHub - blacktemplar/bounded-num.

It is in a very prototype state and the API is very minimal and documentation is missing fully.

The idea is that instead of:

let a: u8 = ...;
let b: u8 = ...;
let c: u8 = a + b;

one would do:

let a: BoundedNum<u8, P5, P100> = ...;
let b: BoundedNum<u8, P7, P150> = ...;
// type hint is unnecessary here, I just put it here for illustration,
// the compiler could figure it out just fine
let c: BoundedNum<u8, P12, P250> = a + b;

This has multiple benefits: One sees directly from the type the potential range of the value AND operators like Add can be implemented in a way that they never overflow. I consider the latter part the more important part given the motivation of this project. For me overflows can be quite dangerous, especially since they can happen silently in production (and are hard to debug if you cannot reproduce production with overflow checks turned on).

Just to illustrate how the compiler helps to avoid overflows, this would not compile

let a: BoundedNum<u8, P5, P100> = ...;
let b: BoundedNum<u8, P7, P156> = ...;
let c = a + b;

because a might be 100 and b might be 156 which would lead to an overflow of u8 when added.

It would be great to hear from others if this idea could be useful and if there are no other crates that achieve the same / a similar thing (I have tried searching for such crates but couldn't find one that satisfied me). Also, of course if someone wants to review my very early prototype code I am very happy to get feedback (although at this stage a review of the idea is more important for me than the code).

Jesper · September 21, 2025, 1:24am

Pascal had something like that:

var
  x: 1..10;

It could check you didn't assign an out-of-range value to x ... though I don't think the checks extended to later non-constant assignments. But you could do that in rust ...

philomathic_life · September 21, 2025, 1:44am

Refinement types is the more general concept. flux is one example of a refinement type checker for Rust. You can read other topics on the matter like this one. In Rust it seems like the term "pattern type" is more common, and here is a now-closed MVP on the matter which also mentions why pattern/refinement types likely won't have a subtyping relation (e.g., like &'static T is a subtype of &'a T) but instead would rely on less powerful coercion (e.g., like ! coerces to T).

blacktemplar · September 21, 2025, 7:29am

Wow, thank you for the good references. I have looked into flux and it is a very cool concept. Although I think it is quite a bit different to what I had in mind. Of course it is much more general but it also means it feels a bit like a patch, given that a third-party tool is needed to check it and the way the annotations are designed as opt-in (if I understand it correctly) it might happen that one forgets to add some annotations. The last point is for me especially important in the context of overflows. I want to have an API that just doesn't allow silent overflows for my types (of course we can have stuff like wrapping_add so that the user explicitly states that they want to wrap around the type boundaries).

So I think for the concrete use case of bounded numbers I feel like a more explicit direct type approach has benefits. Of course it is a trade-off as my approach is much more enforcing once you use the bounded types and therefore can also be restrictive (although there is always the option to get the unbounded inner value like u8 and directly work with it, I see this somehow as the equivalent of unsafe as you have to be careful with overflows if you do it).

Of course it would be great if this would be a language-built-in as you suggested in your other links and that it would have sub-type relations or at least some type of coercion. But until this happens my library I would say can achieve almost the same thing except that sub-typing/coercion is not given so one has to call .into() or .try_into() manually if one wants to change the bounds (note that currently I don't implement Into and TryInto but have those methods without any traits because I ran into problems with overlapping implementations when I tried to implement the traits).

So long story short, I still see a use case for this much more specific approach to refinement types compared to flux.

tdelmas · September 21, 2025, 6:59pm

Something like that ? ranged_integers - Rust

let x = r!([1 6] 5);
let y = r!([1 6] 4);

let a = x + y;  // The minimum is (1+1)=2, the maximum is (6+6)=12
let check_add: Ranged<2, 12> = a;  // Range assertion assignment
assert_eq!(check_add, r!(9));

let s = x - y;  // The minimum is (1-6)=-5, the maximum is (6-1)=5
let check_sub: Ranged<-5, 5> = s;  // Range assertion assignment
assert_eq!(check_sub, r!(1));

jhpratt · September 22, 2025, 6:46am

I created the deranged crate for this purpose, and it does anything possible within compiler limitations. It even includes niche value optimization via a custom struct!

Redglyph · September 22, 2025, 10:01am

There's an RFC but it's still open (not sure why):

github.com/rust-lang/rfcs

Numerical Constrained Types

opened 07:04PM - 19 May 16 UTC

HallM

T-lang

## Background Numerical types with defined constraints can be a useful way to p…erform some sanity checks at compile time. Ada is one of language I know which has these constraints. There may be other applications, but numbers are the main thing I find a use for them. While not a total zero-cost abstraction, the bounds checks are controlled by the user. Further bounds checks within other functions for data validation is not required as the user can know the number is within bounds. The advantage may be in areas such as libraries or applications with formulas that have defined boundaries for parameters. A library writer may add bounds checks to each function to validate invalid data is not being sent. With numerical constraints, the library writer can define a type and know for certain the parameters are valid. The same level of certainty applies to outputs as the receiver knows the data returns is within the expected range. I believe these types could lead to more explicit code, especially in the field of medical devices or spacecraft where the data must not be outside of expected ranges. This could be a stepping stone towards Why3-like provers or design by contract, though those could happen externally such as a MIR to Why3's IL conversion. Looking for some comments and refinement prior to writing an RFC if this sounds sane. ## Additions The language would need two new parts: a way to specify numerical constraints and a conditional-cast capability that performs the run-time validation. ### Specify numerical constraints One way to specify constraints similar to Ada could be: ``` type Hours = u32 in 0..23; // bounded on both upper and lower type Celcius = f64 in -273.15..; // lower bound, but no upper bound ``` The addition would be adding the ability to specify the range of valid values. There may be some other concepts of defining constraints. I use the `in` keyword here instead of `range` as `in` is already a reserved keyword in Rust. Another option may be to allow a closure of function to be specified to handle the checks in special circumstances. ### Conditional-cast The second part, conditional-casting, is required as the compiler may not know if one thing could be cast to another. I propose introducing an `as?` cast which returns something similar to an `Option<T>`. If possible, having the ability for the compiler to know if a cast could be valid would be beneficial for some cases as well. Using something similar to `Option<T>` allows the user to handle out of bounds situations cleanly much like doing manual bounds checking. `Option<T>` itself could work, though `None` is a bit vague for "value could not cast." ``` let x: i32 = ...; // not important what x is, only that it is an i32 let h: Hours = 23 as Hours; // compiler may be able to know this is valid let h: Hours = 24 as Hours; // compiler could know that this is invalid let h: Option<Hours> = x as? Hours; if let Some(h) = x as? Hours {} ``` The cast system could also understand that casting to a superset is always fine, but casting to a subset requires a check. Therefore, `h as i32` compiles without a check as `h` is definitely within the i32 range. If there was a second type in the range 1..24, that type also could not cast to Hours as 1..24 does not cover the entire 0..23 range.

Yes, I remember using that in Pascal, Ada and VHDL. It can be very handy.

tdelmas · September 22, 2025, 11:54am

@jhpratt you mean https://crates.io/crates/deranged ? (your link is a 404 for me)

blacktemplar · September 22, 2025, 6:40pm

Oh this looks interesting, thanks for the link, I think this is something similar to what I imagined. Interesting that they use const generics (vs me using typenum) and get away with it with some helper trait construct.

jhpratt · September 22, 2025, 10:23pm

Fixed! I typed it off hand

system · December 21, 2025, 10:24pm

This topic was automatically closed 90 days after the last reply. We invite you to open a new topic if you have further questions or comments.

Topic		Replies	Views
Requiring evaluation to succeed in the where clause help	4	566	December 12, 2021
A question/remark on arithmetic operations	15	2513	January 12, 2023
Variables with the desired range help	7	1177	September 24, 2023
Annotate number range for llvm	7	1010	January 12, 2023
Integer bounds for generic help	3	1401	November 11, 2020

Initial Idea: Bounded Numbers

Related topics