Stream: t-compiler/help

Topic: Unsafe blocks in unsafe functions


Ram (Jul 04 2020 at 02:50, on Zulip):

There are some instances such as here that are unsafe functions that don't contain any unsafe operations. Can these be left untouched or is some sort of comment/explanation required?
Removing the unsafe signature would cause incompatible type issues for files that use these functions.

lcnr (Jul 04 2020 at 07:04, on Zulip):

I personally think we don't need an explicit comment here, though it also wouldn't hurt adding
"This is safe and does not rely on any invariants given by the user" as most people are probably still expecting the
internals of an unsafe function to be implicitly unsafe, cc @LeSeulArtichaut

LeSeulArtichaut (Jul 04 2020 at 09:33, on Zulip):

I think that in most of these situations, the caller must provide some guarantees, which aren’t immediately used, but which will be used later. IIRC there are examples of this in Layout::new_unchecked where the function itself doesn’t use the guarantees that the layout is valid, but other pieces of unsafe code rely on them.

I’m not sure safety comments are useful in this kind of situation, and maybe what we could do is to point to these guarantees in the other contexts where we use them.

LeSeulArtichaut (Jul 04 2020 at 09:35, on Zulip):

Keep in mind though that I’m very far from an expert so my opinion isn’t that important :slight_smile:
If you want good advice you should ask someone from the unsafe code guidelines WG.

Ram (Jul 04 2020 at 10:41, on Zulip):

Thanks, @LeSeulArtichaut, I'll ask that there too.

RalfJ (Jul 05 2020 at 07:00, on Zulip):

The important bit for such cases is to document what the caller needs to ensure to safely call this function

RalfJ (Jul 05 2020 at 07:01, on Zulip):

in case of initializer there is probably little to do as zeroing is actually a safe choice (but the alternative choice of saying that this supports uninit memory would require unsafe)

RalfJ (Jul 05 2020 at 07:01, on Zulip):

but there are other cases where there actually is something to document even if there is no unsafe op:
https://www.ralfj.de/blog/2016/01/09/the-scope-of-unsafe.html

RalfJ (Jul 05 2020 at 07:01, on Zulip):

there one should document why the data structure invariant of Vec is correctly maintained

Last update: Sep 28 2020 at 15:30 UTC