@@ -121,16 +121,19 @@ trait expects. In this situation, the Unsafe Rust in the internals of
 implementation is correct. If it isn't, it's the fault of the unsafe trait
 implementation, which is consistent with Rust's safety guarantees.
 
-The decision of whether to mark a trait `unsafe` is an API design choice.
-Rust has traditionally avoided doing this because it makes Unsafe
-Rust pervasive, which isn't desirable. `Send` and `Sync` are marked unsafe
-because thread safety is a *fundamental property* that unsafe code can't
-possibly hope to defend against in the way it could defend against a buggy
-`Ord` implementation. Similarly, `GlobalAllocator` is keeping accounts of all
-the memory in the program and other things like `Box` or `Vec` build on top of
-it. If it does something weird (giving the same chunk of memory to another
-request when it is still in use), there's no chance to detect that and do
-anything about it.
+The decision of whether to mark a trait `unsafe` is an API design choice. A
+safe trait is easier to implement, but any unsafe code that relies on it must
+defend against incorrect behavior. Marking a trait `unsafe` shifts this
+responsibility to the implementor. Rust has traditionally avoided marking
+traits `unsafe` because it makes Unsafe Rust pervasive, which isn't desirable.
+
+`Send` and `Sync` are marked unsafe because thread safety is a *fundamental
+property* that unsafe code can't possibly hope to defend against in the way it
+could defend against a buggy `Ord` implementation. Similarly, `GlobalAllocator`
+is keeping accounts of all the memory in the program and other things like
+`Box` or `Vec` build on top of it. If it does something weird (giving the same
+chunk of memory to another request when it is still in use), there's no chance
+to detect that and do anything about it.
 
 The decision of whether to mark your own traits `unsafe` depends on the same
 sort of consideration. If `unsafe` code can't reasonably expect to defend
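Review bot: the rewritten `Send`/`Sync` paragraph still refers to the allocator trait as `GlobalAllocator` (added line `+could defend against a buggy \`Ord\` implementation. Similarly, \`GlobalAllocator\``), but that is not the trait's name; the trait is `std::alloc::GlobalAlloc`, and `#[global_allocator]` is the attribute that selects an implementation. Since this hunk already reflows that sentence, it is the natural place to correct the name to `GlobalAlloc` instead of carrying the error forward. While there, "is keeping accounts of all the memory in the program" would read more naturally as "tracks all the memory in the program".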