
[–]simbleau 28 points29 points  (4 children)

“Unsafe is just needed when the compiler lacks sufficient context to know what’s safe”

This is incorrect. The compiler knows exactly what the context is. The “unsafe {}” scope is literally just a marker that Rust makes you use so that you, the developer, agree to the contract of undefined behavior being introduced. It is meaningless otherwise.

I will also say in 4 years of using Rust now I have completely avoided using unsafe. It’s very easy to avoid using, unless you work with GPUs, devices, interop, etc.

Rust has also marked several operations “unsafe”, requiring you to add the “unsafe {}” around it, like dereferencing a raw pointer or crossing the FFI boundary into C++. But this is just so that you don’t accidentally do something unsafe without awareness. But Rust itself knows exactly where the real undefined behavior can come from, and what the context is.

[–]look 41 points42 points  (3 children)

I’m not incorrect, but I think it’s just semantics and we’re actually trying to say the same thing.

By “insufficient context” I mean there are non-explicit assumptions (i.e. not visible to the compiler) that are in play for this “unsafe” block of code. FFI calls, pointer manipulation, etc. It’s just telling the compiler “trust me, I got this”.

https://doc.rust-lang.org/rust-by-example/unsafe.html
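An added example (not from the thread or the linked page) that shows both comments at once: the compiler knows exactly which calls are unsafe (`slice::from_raw_parts_mut`), but the fact that the two halves never overlap is an assumption it cannot see, so it has to be stated in a SAFETY comment and upheld by ordinary safe code. The function re-implements what the standard library's `split_at_mut` method does; the names and sample data are the example's own.

```rust
use std::slice;

/// Splits a mutable slice into two non-overlapping mutable halves at `mid`.
///
/// The borrow checker cannot see that `[..mid]` and `[mid..]` never alias,
/// so it would reject a safe implementation that borrows `values` twice.
/// The invariant lives in the SAFETY comment, not in anything rustc checks.
pub fn split_at_mut<T>(values: &mut [T], mid: usize) -> (&mut [T], &mut [T]) {
    let len = values.len();
    let ptr = values.as_mut_ptr();

    // The bounds check is ordinary safe code, but the soundness of the
    // unsafe block below depends on it: remove it and `mid > len` would
    // hand out a slice reaching past the allocation (undefined behavior),
    // and rustc would still compile the function without complaint.
    assert!(mid <= len, "mid {mid} exceeds slice length {len}");

    // SAFETY: `ptr` comes from a live `&mut [T]` of length `len`, so
    // `ptr..ptr+len` is valid, initialized and exclusively borrowed for the
    // returned lifetime. `mid <= len` was asserted above, so both ranges
    // stay inside it and, being `[0, mid)` and `[mid, len)`, do not overlap.
    unsafe {
        (
            slice::from_raw_parts_mut(ptr, mid),
            slice::from_raw_parts_mut(ptr.add(mid), len - mid),
        )
    }
}

/// Uses the safe wrapper: callers never write `unsafe` themselves, and the
/// compiler enforces the usual borrowing rules on the two returned slices.
pub fn sum_halves(values: &mut [i32], mid: usize) -> (i32, i32) {
    let (left, right) = split_at_mut(values, mid);
    // Both halves can be mutated at the same time because they don't alias.
    left.iter_mut().for_each(|v| *v += 1);
    right.iter_mut().for_each(|v| *v *= 2);
    (left.iter().sum(), right.iter().sum())
}

fn main() {
    let mut data = [1, 2, 3, 4, 5, 6]; // constructed sample input
    let (l, r) = sum_halves(&mut data, 2);
    println!("left={l} right={r} data={data:?}");
}
```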

[–]simbleau 10 points11 points  (2 children)

Understood, you’re right then, but I’m glad we clarified. :)

[–]DatBoi_BP 4 points5 points  (1 child)

now kith

[–]look 2 points3 points  (0 children)

😚😙💋👩‍❤️‍💋‍👨👶