|
| 1 | +# Unsafe Fields |
| 2 | + |
| 3 | +| Metadata | | |
| 4 | +| :-- | :-- | |
| 5 | +| Point of contact | @jswrenn | |
| 6 | +| Teams | <!-- TEAMS WITH ASKS --> | |
| 7 | +| Task owners | <!-- TASK OWNERS --> | |
| 8 | +| Status | Proposed | |
| 9 | +| Zulip channel | N/A | |
| 10 | +| Tracking issue | [rust-lang/rust-project-goals#273] | |
| 11 | + |
| 12 | +## Summary |
| 13 | + |
| 14 | +Design and implement a mechanism for denoting when fields carry library safety invariants. |
| 15 | + |
| 16 | +## Motivation |
| 17 | + |
| 18 | +The absence of a mechanism for denoting the presence of library safety invariants increases both the risk of working with `unsafe` code and the difficulty of evaluating its soundness. |
| 19 | + |
| 20 | +### The status quo |
| 21 | + |
| 22 | +Presently, Rust lacks mechanisms for denoting when fields carry library safety invariants, and for enforcing extra care around their use. Consequently, to evaluate the soundness of `unsafe` code (i.e., code which relies on safety invariants being upheld), it is not enough to check the contents of `unsafe` blocks — one must check all places (including safe contexts) in which safety invariants might be violated. (See [*The Scope of Unsafe*]) |
| 23 | + |
| 24 | +For example, consider this idealized `Vec`: |
| 25 | + |
| 26 | +```rust |
| 27 | +pub struct Vec<T> { |
| 28 | + data: Box<[MaybeUninit<T>]>, |
| 29 | + len: usize, |
| 30 | +} |
| 31 | +``` |
| 32 | + |
| 33 | +Although `len` is bound by a safety invariant, it is trivial to violate its invariant in entirely safe code: |
| 34 | + |
| 35 | +```rust |
| 36 | +impl Vec<T> { |
| 37 | + pub fn evil(&mut self) { |
| 38 | + self.len += 2; |
| 39 | + } |
| 40 | +} |
| 41 | +``` |
| 42 | + |
| 43 | +Rust cannot enforce that modifications of `len` require `unsafe`, because the language does not provide the programmer a way of communicating to the compiler that `len` carries safety invariants. |
| 44 | + |
| 45 | +[*The Scope of Unsafe*]: https://www.ralfj.de/blog/2016/01/09/the-scope-of-unsafe.html |
| 46 | + |
| 47 | +### The "shiny future" we are working towards |
| 48 | + |
| 49 | +Rust programmers will use the `unsafe` keyword to denote fields that carry library safety invariants; e.g.: |
| 50 | + |
| 51 | +```rust |
| 52 | +struct Vec<T> { |
| 53 | + // SAFETY: The elements `data[i]` for |
| 54 | + // `i < len` are in a valid state. |
| 55 | + unsafe data: Box<[MaybeUninit<T>]>, |
| 56 | + unsafe len: usize, |
| 57 | +} |
| 58 | +``` |
| 59 | + |
| 60 | +Rust will require that usages of `unsafe` fields which could violate their safety invariants must *only* occur within `unsafe` contexts. |
| 61 | + |
| 62 | +### The next 6 months |
| 63 | + |
| 64 | +In the next six months, we will iterate on the design and implementation of unsafe fields. An RFC for `unsafe` fields will be accepted, and a candidate implementation will — at the very least — be ready to enter the stabilization process. |
| 65 | + |
| 66 | +## Design axioms |
| 67 | + |
| 68 | +The design of `unsafe` fields is guided by three axioms: |
| 69 | + |
| 70 | +1. **Unsafe Fields Denote Safety Invariants** |
| 71 | + A field *should* be marked `unsafe` if it carries arbitrary library safety invariants with respect to its enclosing type. |
| 72 | +2. **Unsafe Usage is Always Unsafe** |
| 73 | + Uses of `unsafe` fields which could violate their invariants *must* occur in the scope of an `unsafe` block. |
| 74 | +3. **Safe Usage is Usually Safe** |
| 75 | + Uses of `unsafe` fields which cannot violate their invariants *should not* require an unsafe block. |
| 76 | + |
| 77 | +## Ownership and team asks |
| 78 | + |
| 79 | +**Owner:** @jswrenn |
| 80 | + |
| 81 | +| Task | Owner(s) or team(s) | Notes | |
| 82 | +|--------------------------------|----------------------|--------------------------------| |
| 83 | +| Discussion and moral support | ![Team][] [lang] | | |
| 84 | +| Author RFC | @jhpratt, @jswrenn | [RFC3458], [Living Design Doc] | |
| 85 | +| Implementation | @veluca93, @jswrenn | | |
| 86 | +| Standard reviews | ![Team][] [compiler] | | |
| 87 | +| Design meeting | ![Team][] [lang] | | |
| 88 | +| Lang-team champion | ![Team][] [lang] | @scottmcm | |
| 89 | +| RFC decision | ![Team][] [lang] | | |
| 90 | + |
| 91 | +Ongoing discussion on [Zulip]. |
| 92 | + |
| 93 | +[Zulip]: https://rust-lang.zulipchat.com/#narrow/channel/213817-t-lang/topic/unsafe.20fields.20RFC |
| 94 | +[RFC3458]: https://github.com/rust-lang/rfcs/pull/3458 |
| 95 | +[Living Design Doc]: https://hackmd.io/SJqXa_8lJe |
| 96 | + |
| 97 | +### Definitions |
| 98 | + |
| 99 | +Definitions for terms used above: |
| 100 | + |
| 101 | +* *Discussion and moral support* is the lowest level offering, basically committing the team to nothing but good vibes and general support for this endeavor. |
| 102 | +* *Author RFC* and *Implementation* means actually writing the code, document, whatever. |
| 103 | +* *Design meeting* means holding a synchronous meeting to review a proposal and provide feedback (no decision expected). |
| 104 | +* *RFC decisions* means reviewing an RFC and deciding whether to accept. |
| 105 | +* *Org decisions* means reaching a decision on an organizational or policy matter. |
| 106 | +* *Secondary review* of an RFC means that the team is "tangentially" involved in the RFC and should be expected to briefly review. |
| 107 | +* *Stabilizations* means reviewing a stabilization and report and deciding whether to stabilize. |
| 108 | +* *Standard reviews* refers to reviews for PRs against the repository; these PRs are not expected to be unduly large or complicated. |
| 109 | +* *Prioritized nominations* refers to prioritized lang-team response to nominated issues, with the expectation that there will be *some* response from the next weekly triage meeting. |
| 110 | +* *Dedicated review* means identifying an individual (or group of individuals) who will review the changes, as they're expected to require significant context. |
| 111 | +* Other kinds of decisions: |
| 112 | + * [Lang team experiments](https://lang-team.rust-lang.org/how_to/experiment.html) are used to add nightly features that do not yet have an RFC. They are limited to trusted contributors and are used to resolve design details such that an RFC can be written. |
| 113 | + * Compiler [Major Change Proposal (MCP)](https://forge.rust-lang.org/compiler/mcp.html) is used to propose a 'larger than average' change and get feedback from the compiler team. |
| 114 | + * Library [API Change Proposal (ACP)](https://std-dev-guide.rust-lang.org/development/feature-lifecycle.html) describes a change to the standard library. |
| 115 | + |
| 116 | +## Frequently asked questions |
| 117 | + |
| 118 | +TBD |
0 commit comments