Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RFC for unsafe blocks in unsafe fn #2585
RFC for unsafe blocks in unsafe fn #2585
Changes from 1 commit
cbbd0ce
51ca5b4
77a9992
aa85ef7
5d46a2d
5571c39
2550a0b
153d286
8cb1b3f
949590b
ec454f2
1b3e1dd
2e47c41
814301e
9838e5d
File filter
Filter by extension
Conversations
Jump to
There are no files selected for viewing
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We can start as
allow
by default. The fact thatconst unsafe fn
already behaves this way and thatclippy
can uplift this lint towarn
, will already make sure to migrate large parts of the ecosystem.Oh... you are already mentioning that below in the unresolved questions...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, I had to follow the RFC structure, didn't I? ;)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Other possible drawbacks to list:
It will become less ergonomic to write unsafe code (it's justified I think, but worth mentioning...).
People might just do this:
and then nothing has been gained. I don't know what the risk of this is, but worth mentioning.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I added (a variant of) 1.
For 2., I think something has been gained: It is not possible to incrementally improve this function's
unsafe
locality. Or maybe it is not worth it, then that has at least been explicitly documented in the code.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah I'm not entirely sure 2. is a drawback or not; I usually try to write the section as what someone else might think is a potential drawback (but not necessarily me) -- i.e. this is the section where I try to bring out my inner Dr. Phil / empathy =P
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The drawbacks section now says
That should cover 2, right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@RalfJung the concern is actually slightly different here; it is that people will just go and write one big
unsafe { ... }
when they shouldn't.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Isn't that already possible today?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@mark-i-m yes; sure -- the concern is that the change we do here might not have any noticable effect cause people could be lazy and...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wouldn't it be good that people can explicitly choose to not write a big
unsafe
block instead of being forced into one automatically?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
C# has
unsafe
blocks in addition tounsafe
methods. Though it's not super helpful since I'm not aware of the C# community ever discussing burden of proof issues like this RFC does, probably because 99.99% of the time the answer in that language is "unsafe just isn't worth it". I couldn't even find a C# style guide that mentions the existence of unsafe code, much less has guidelines for making it less dangerous.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Furthermore, while other languages may not have blocks many do have escape hatches (which are relevant to this section)... Examples I found:
Haskell: http://hackage.haskell.org/package/base-4.12.0.0/docs/System-IO-Unsafe.html#v:unsafePerformIO and http://hackage.haskell.org/package/base-4.8.0.0/docs/Unsafe-Coerce.html
Idris: /~https://github.com/idris-lang/Idris-dev/blob/master/libs/prelude/Builtins.idr#L189
Agda: https://agda.readthedocs.io/en/v2.5.4.2/language/postulates.html
Coq: /~https://github.com/coq/coq/wiki/CoqAndAxioms also, http://adam.chlipala.net/cpdt/html/Universes.html#lab78
ReasonML: https://reasonml.github.io/docs/en/interop -- actually, this is sort of a block...
OCaml: https://caml.inria.fr/pub/docs/manual-ocaml/libref/Obj.html
SML: http://www.smlnj.org/doc/SMLofNJ/pages/unsafe.html
Ada: http://www.adaic.org/resources/add_content/docs/95style/html/sec_5/5-9-1.html
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Centril But this RFC is specifically about blocks and nesting of unsafe escape hatches. I do not think any of the examples you mention apply there, do they?
@Ixrec Thanks, I had no idea! And it looks like unsafe operations can be used freely in unsafe functions. :/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@RalfJung not with that specificity no; the languages have the "block" form, e.g.:
what they lack is the unsafe function form.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's still quite different from Rust. It's just a normal function to the compiler, no checks for "unsafe operations" or so are performed. I do not see a close enough relation to this RFC.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@RalfJung alright; fair enough. Let's leave this bit (the comment thread) open for interested readers who want to see the associated material linked. :)