Requiring the author to provide a Rust-level "story" for every asm block reminds me of CompCert's external function simulation obligations. That framing opens the door to effect-typing the asm: give the compiler a ghost Rust function that expresses the reads/writes and provenance transformations you promise. Then miri (or a future verifier) could even check the story in debug builds, turning today's UB booby traps into a mechanically checked contract. If we can pull that off, inline asm becomes just another foreign effect in the type system instead of a get-out-of-jail-free card.
Sounds great on paper, but in practice most asm snippets are there exactly because the compiler can t express the trick in Rust, so writing and maintaining a formal ghost function would end up longer and buggier than the asm itself.
Requiring the author to provide a Rust-level "story" for every asm block reminds me of CompCert's external function simulation obligations. That framing opens the door to effect-typing the asm: give the compiler a ghost Rust function that expresses the reads/writes and provenance transformations you promise. Then miri (or a future verifier) could even check the story in debug builds, turning today's UB booby traps into a mechanically checked contract. If we can pull that off, inline asm becomes just another foreign effect in the type system instead of a get-out-of-jail-free card.
Sounds great on paper, but in practice most asm snippets are there exactly because the compiler can t express the trick in Rust, so writing and maintaining a formal ghost function would end up longer and buggier than the asm itself.