
The 'Tootsie Pop' Model for Unsafe Rust Code - GolDDranks
http://smallcultfollowing.com/babysteps/blog/2016/05/27/the-tootsie-pop-model-for-unsafe-code/
======
GolDDranks
There has been a lot of discussion (and critique, and confusion) about using
"unsafe" in the comments of HN threads concerning Rust. One should remember
that using "unsafe" is NOT inherently a bad thing – Rust builds on a model
that allows doing tricks with unsafe code and then wrapping all the magic
behind safe interfaces, abstracting the unsafeness away.

However, it's true that there is still no consensus what exactly is allowed
with unsafe and what's not. A parallel to this would be a confusion whether
pointers of different types are allowed to alias in C – it's undefined
behaviour, despite being counterintuitive to many.

But there's an ongoing effort to define and formalize the Rust memory model,
which would provide an end to this debate. Recently, there has been also
discussion that it should be not only defined, but also more intuitive than
C's one, for instance. Undefined behaviour shouldn't be allowed to take you by
surprise too easily.

~~~
theseoafs
In what way is Rust suitable as a systems language if we don't have a picture
of what unsafe code is or is not allowed?

At least in C there is a consensus about what works and what doesn't -- i.e.
pointer aliasing is technically undefined behavior but the modern compilers
let you get away with it. In Rust there doesn't even seem to be a consensus
about how the compiler should work.

~~~
tatterdemalion
> pointer aliasing is technically undefined behavior but the modern compilers
> let you get away with it

This is _exactly_ the kind of situation Rust wants to avoid.

~~~
theseoafs
Okay, and that's fine if Rust doesn't want to be used for making kernels,
programming language runtimes, etc. You know, systems language stuff.

~~~
tatterdemalion
This is ill-informed and dogmatic bravado. It has no content. Please don't
make comments like this in the future, they are an invariably negative
contribution to the conversation. You do not understand the post you are
commenting on, which assumed a level of understanding of Rust that made it a
poor fit for this venue.

------
yarper
I don't think anyone outside the US knows what a tootsie pop is.

~~~
twic
Sounds broadly similar to a chocolate eclair:

[http://www.chocablog.com/reviews/cadbury-chocolate-
eclairs/](http://www.chocablog.com/reviews/cadbury-chocolate-eclairs/)

------
alblue
Apparently a "tootsie pop" is an American sweet (candy) which has a hard
centre and a soft middle. The allegory is that having a hard fixed API with a
dangerous/unsafe centre is the way to wrap unsafe code. Though why the article
wasn't just titled "how to wrap unsafe code in Rust" is unclear to me.

~~~
tatterdemalion
This post is not about 'wrapping unsafe code' \- in fact, its not even about
writing Rust at all. Its about trying to delimit the scopes in which the
compiler will perform optimizations based on invariants that are guaranteed in
safe Rust but can be violated in unsafe Rust. This is a post about the design
of the language, not of code in the language.

The name was chosen because it was the metaphor the author thought of; as a
bonus, you've learned something about another culture. Tootsie pops (the most
common lollipop in the United States) have a privileged place in American pop
culture because of this commercial:
[https://www.youtube.com/watch?v=O6rHeD5x2tI](https://www.youtube.com/watch?v=O6rHeD5x2tI)

