There are some instances such as here that are unsafe functions that don't contain any unsafe operations. Can these be left untouched or is some sort of comment/explanation required?
Removing the unsafe signature would cause incompatible type issues for files that use these functions.
I personally think we don't need an explicit comment here, though it also wouldn't hurt adding
"This is safe and does not rely on any invariants given by the user" as most people are probably still expecting the
internals of an unsafe function to be implicitly unsafe, cc @LeSeulArtichaut
I think that in most of these situations, the caller must provide some guarantees, which aren’t immediately used, but which will be used later. IIRC there are examples of this in
Layout::new_unchecked where the function itself doesn’t use the guarantees that the layout is valid, but other pieces of unsafe code rely on them.
I’m not sure safety comments are useful in this kind of situation, and maybe what we could do is to point to these guarantees in the other contexts where we use them.
Keep in mind though that I’m vert far from an expert so my opinion isn’t that important :slight_smile:
If you want good advice you should ask someone from the unsafe code guidelines WG.
Thanks, @LeSeulArtichaut , I'll ask that there too.
The important bit for such cases is to document what the caller needs to ensure to safely call this function
in case of
initializer there is probably little to do as
zeroing is actually a safe choice (but the alternative choice of saying that this supports uninit memory would require unsafe)
but there are other cases where there actually is something to document even if there is no unsafe op:
there one should document why the data structure invariant of
Vec is correctly maintained