-
Notifications
You must be signed in to change notification settings - Fork 45
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Should the traits be unsafe? #87
Comments
Marking the traits unsafe wouldn't stop people from Ideally, they would be marked |
It makes a big difference in responsibility. If a trait is In contrast, if a trait is not marked * Here, the “law” of |
It is not possible to violate safety just by implementing The documentation already tells others not to implement the traits, and there's currently no way to enforce that. |
It is appropriate for Sync and Send so why not Unsigned and Integer? Send and Sync are
Likewise, unsafe code that ascribes special meaning to Unsigned and Integer can run into problems with an incorrectly implemented Unsigned or Integer. |
This could apply to literally any public trait, no? Typenum doesn't do anything unsafe with these traits, and frankly I find it hard to imagine how one could implement them in such a way as to cause unsafety when their methods do nothing more than return integers. |
In my view, a crate that incorrectly implements Unsigned or Integer has broken its API contract with typenum, which explicitly states not to do that. I feel no need to cater to such a crate, and I don't think marking those traits unsafe would be the right way to do so anyway. Marking the traits unsafe would add confusion to those using typenum properly, and I don't think that's a good idea. Someday, |
Not every trait. Consider an unsafe B tree implementation: if the Ord implementation is horribly broken, then the unsafe code needs to be prepared for that situation; it can't just segfault because Ord is not an unsafe trait. rust-lang/rust#33197 Likewise one could consider uses of Integer / Unsigned for indexing into arrays in unsafe code, which would blow up if those traits are improperly implemented. An unsafe trait doesn't impose any restrictions on its users. It only affects implementors. There is precedent in the use of unsafe as a workaround for sealed traits: https://docs.rs/ndarray/0.9.1/ndarray/trait.Data.html |
Note that using unsafe traits isn't unsafe or require unsafe. It's implementing them that is unsafe. The users are just using the traits; if there would be confusion, it would be because some user would have a wrong mental model what an unsafe trait means. That being said, unsafe code cannot trust unknown implementations of a trait, but if it can be sure that only known implementations are used, and the implementation semantics are backed up by invariants that are considered a part of the public API, there shouldn't be any problem. So if you feed your unsafe code only stuff implemented in this crate, there is no problem, and you don't need the traits to be unsafe. |
I feel this is an over-generalization. By this reasoning, every single I believe there is nothing wrong with providing an unsafe abstraction that is open. A
The one tricky bit here is that changing the contract on implementors requires a major semver bump, but is likely to be missed by implementors during an update since it's often "just a documentation change." While I've never been in this position myself, I suspect you can make this situation less dangerous by making a trivial change to the unsafe trait with the specific intent to prevent old implementations from continuing to compile. I have no particularly strong feeling with regards to whether or not typenum should feel obligated to provide such abstractions for unsafe code, though. (huh, why did I write this comment, then...?) |
I am unconvinced that adding |
It would be nice if
Unsigned
/Integer
could be markedunsafe
so that unsafe code downstream can “trust” that anyUnsigned
type will yield sensible answers. I do see thatso
unsafe
would simply be a formal way to document this (either that, or through a private supertrait).The text was updated successfully, but these errors were encountered: