-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enforce unsafe
blocks to have comments explaining why the required invariants hold
#9330
Comments
unsafe
blocks to have comments explaining why the required invariants holdunsafe
blocks to have comments explaining why the required invariants hold
This is covered by |
Wow, this is almost exactly what I had in mind. And kudos to @Serial-ATA for implementing it! I do have a couple of questions regarding some of the choices made:
I understand one is meant for documentations
|
A structured version could be interesting, but also far from trivial. The |
Closing since this is implemented as |
What it does
This is the users side of the
missing_safety_doc
lint. Enforce each block ofunsafe
to have a corresponding comment explaining why all the calls tounsafe
meet the invariants required by theSafety
section of theunsafe fn
.Motivation
unsafe
rust relaxes some of the invariant that safe rust enforces. This is to allow the programmer to express some operations that the compiler cannot prove will be memory safe. The point being highlighted is thatunsafe
rust is not a mechanism the programmer can use to do unsafe things, but rather a promise to the compiler that the code is safe even though the compiler cannot prove it. The burden of proof then lies on the programmer [and reviewers] to ensure that all the invariants that the function requires to hold, does hold. This does not mean the programmer cannot provide an incorrect proof, but it does make the following less likely:Stricter variant
A possible future improvement would update the
missing_safety_doc
lint to require the documentation to provide a list of the invariants required by theunsafe fn
, each with an identifier - e.g.dangling_pointer
and an explanation of what it entails. Themissing_safety_proof
lint would then provide the same list of identifiers, but instead of explaining the required invariant would contain a proof of why that invariant holds at that point in the code. The documentation can then easily provide links from the proof to the explanation via the identifier.Some
Safety
documentation is already in list form, e.g. pointeras_ref
method:Lint Name
missing_safety_proof
Category
style
- Same asmissing_safety_check
although I can see both moving tocorrectness
.Advantage
unsafe fn
's read theSafety
documentation of the function they're using.unsafe
block is safe is part of the code and directly observable by a reviewer. The reviewer then has a much easier time verifying that the proof actually holds.Drawbacks
missing_safety_check
lint. Currently this is one of the most commonly ignored lints, so this is legitimately a concern.unsafe
block containing multipleunsafe fn
's should be handled. This could result in one of the unsafe operations being overlooked while another is being explained.Example
Could be written as:
The text was updated successfully, but these errors were encountered: