I tried this code:

#![feature(contracts)] #[core::contracts::ensures({*x = 0; |_ret| true})] fn buggy_add(x: &mut u32, y: u32 ) { *x = *x + y; } fn main() { let mut x = 10; buggy_add(&mut x, 100); assert_eq!(x, 110); }

I expected to see this happen: The assertions should succeed

Instead, this happened: The assertion fails because x == 100. Note that this bad behavior happens even with the contract checks disabled. I.e.: with -Zcontract-checks=no

Meta

rustc --version --verbose:

rustc 1.86.0 (05f9846f8 2025-03-31) binary: rustc commit-hash: 05f9846f893b09a1be1fc8560e33fc3c815cfecb commit-date: 2025-03-31 host: x86_64-unknown-linux-gnu release: 1.86.0 LLVM version: 19.1.7 

Context

We currently instantiate the ensures clause in the function body as is. This logic is different than how we handle requires, where we wrap it around a closure. This has a neat property that allow users to capture input values to implement old terms.

Unfortunately, this allows users to also mutate the input, which is rather dangerous. So I believe we should also wrap the ensures clause in a closure. We can keep the capture input behavior, but this will create another layer of indirection.