Hacker News new | past | comments | ask | show | jobs | submit login

If I call a function that is running unsafe { } inside of it, do I know? Because I really want to know. And I want my function to be marked as unsafe as well (because it is) as well as any function calling my function, etc.



The way that you mark a function as unsafe is to stick a keyword in front of it:

  unsafe fn foo() { ... }
Any function marked as such is then allowed to call other unsafe functions:

  unsafe fn bar() { foo(); }
But there is a way to break the chain, which is to use an `unsafe` block without marking your function as unsafe:

  fn qux() {
      unsafe {
          bar();
      }
  }
That said, it's incorrect to think that Rust is any more unsafe than any other language because of this; most languages simply defer this behavior to their FFI. By pulling it into the language itself, Rust is actually safer than e.g. calling C from Python, because Rust can do the low-level fiddling while still retaining at least some of the safety checks of normal Rust code. Even unsafe Rust is safer than C.


> Even unsafe Rust is safer than C.

This is an important point. `unsafe` blocks only let you do a few extra operations[1], not anything you want. A lot of safety checks still happen inside of unsafe blocks.

1: http://static.rust-lang.org/doc/master/rust.html#behavior-co...


Well, no, you can still theoretically do anything you want, you just need to be very, very explicit about it. :)


Some things are undefined behaviour[1]... so you really don't want to want to do them (i.e. you can do them inside `unsafe`, but the compiler optimises/reasons assuming they never happen: if they occur at all, you could have an arbitrarily broken program).

[1]: http://doc.rust-lang.org/master/rust.html#behavior-considere...


The point that I'm trying to make here is that you cannot make any assumptions about an unsafe block. Anything can happen, including really terrible undefined behavior. But the fact that anything can happen is why Rust is as powerful as C in this area.


My point is that while anything _can_ happen, it's not like Rust just turns off every single check. Yes, they can be gotten around, but it's not like the type system suddenly goes away.


You don't know, but you can use a compiler flag that will tell you if you are.

> I want my function to be marked as unsafe as well (because it is)

This misunderstands the nature of `unsafe`. `unsafe` means "I promise that this is actually safe, even thought it can't be inferred." Take, for example, a type which has mutable, shared state, but enforces all access through a mutex[1]. This type presents a safe interface, but the compiler can't know that it's safe, so you have to use `unsafe` internally.

1: http://static.rust-lang.org/doc/master/std/cell/struct.RefCe...


> If I call a function that is running unsafe { } inside of it, do I know? Because I really want to know.

Pretty much every function is going to be transitively running unsafe code, since the core libraries use it to implement the base primitives.


It should be noted that the unsafe code in the core libraries is kept to a minimum and (at least in theory) heavily scrutinized.


All code in mozilla/rust gets a code review before landing, so there's always at least 2 sets of eyes on it.




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: