Skip to content

Commit 2e47c41

Browse files
RalfJungRalfJung
committed
minor editing; unsafe_to_call alternative
1 parent 1b3e1dd commit 2e47c41

File tree

1 file changed

+8
-6
lines changed

1 file changed

+8
-6
lines changed

text/0000-unsafe-block-in-unsafe-fn.md

Lines changed: 8 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -52,8 +52,9 @@ about *defining* obligations. The fact that the body of an `unsafe fn` is also
5252
implicitly treated like a block has made it hard to realize this duality
5353
[even for experienced Rust developers][unsafe-dual]. (Completing the picture,
5454
`unsafe Trait` also defines an obligation, that is discharged by `unsafe impl`.
55-
Curiously, `unsafe impl` does *not* implicitly make all bodies of this `impl`
56-
unsafe blocks, which is somewhat inconsistent with `unsafe fn`.)
55+
Curiously, `unsafe trait` does *not* implicitly make all bodies of default
56+
functions defined inside this trait unsafe blocks, which is somewhat
57+
inconsistent with `unsafe fn` when viewed through this lens.)
5758

5859
[unsafe-dual]: https://github.com/rust-lang/rfcs/pull/2585#issuecomment-577852430
5960

@@ -156,6 +157,11 @@ The alternative is to not do anything, and live with the current situation.
156157

157158
We could bikeshed the lint name.
158159

160+
We could avoid using `unsafe` for dual purpose, and instead have `unsafe_to_call
161+
fn` for functions that are "unsafe to call" but do not implicitly have an
162+
`unsafe {}` block in their body. For consistency, we might want `unsafe_to_impl
163+
trait` for traits, though the behavior would be the same as `unsafe trait`.
164+
159165
We could introduce named proof obligations (proposed by @Centril) such that the
160166
compiler can be be told (to some extend) if the assumptions made by the `unsafe
161167
fn` are sufficient to discharge the requirements of the unsafe operations.
@@ -164,10 +170,6 @@ We could restrict this requirement to use `unsafe` blocks in `unsafe fn` to
164170
those `unsafe fn` that contain at least one `unsafe` block, meaning short
165171
`unsafe fn` would keep compiling like they do now.
166172

167-
We could have separate marker for `unsafe fn` with and without an implicitly
168-
unsafe body, e.g. `unsafe unsafe fn` has an unsafe body, or `unsafe fn foo(...)
169-
-> ... unsafe { }` has an unsafe body, or `unsafe_to_call fn` has a safe body.
170-
171173
# Prior art
172174
[prior-art]: #prior-art
173175

0 commit comments

Comments
 (0)