@@ -82,38 +82,39 @@ to satisfy the conditions required to perform this unsafe operation.
8282# Reference-level explanation
8383[ reference-level-explanation ] : #reference-level-explanation
8484
85- First of all, we no longer warn that an ` unsafe ` block is unnecessary when it is
86- nested immediately inside an ` unsafe fn ` . So, the following compiles without
87- any warning:
85+ 1 . First of all, we no longer warn that an ` unsafe ` block is unnecessary when it is
86+ nested immediately inside an ` unsafe fn ` . So, the following compiles without
87+ any warning:
8888
89- ``` rust
90- unsafe fn get_unchecked <T >(x : & [T ], i : usize ) -> & T {
91- unsafe { x . get_unchecked (i ) }
92- }
93- ```
89+ ``` rust
90+ unsafe fn get_unchecked <T >(x : & [T ], i : usize ) -> & T {
91+ unsafe { x . get_unchecked (i ) }
92+ }
93+ ```
9494
95- However, nested ` unsafe ` blocks are still redundant, so this warns:
95+ However , nested `unsafe ` blocks are still redundant , so this warns :
9696
97- ``` rust
98- unsafe fn get_unchecked <T >(x : & [T ], i : usize ) -> & T {
99- unsafe { unsafe { x . get_unchecked (i ) } }
100- }
101- ```
97+ ```rust
98+ unsafe fn get_unchecked <T >(x : & [T ], i : usize ) -> & T {
99+ unsafe { unsafe { x . get_unchecked (i ) } }
100+ }
101+ ```
102102
103- In a next step, we have a lint that fires when an unsafe operation is performed
104- inside an ` unsafe fn ` but outside an ` unsafe ` block. So, this would trigger the
105- lint:
103+ 2 . In a next step , we have a lint that fires when an unsafe operation is performed
104+ inside an `unsafe fn ` but outside an `unsafe ` block . So , this would trigger the
105+ lint :
106106
107- ``` rust
108- unsafe fn get_unchecked <T >(x : & [T ], i : usize ) -> & T {
109- x . get_unchecked (i )
110- }
111- ```
107+ ```rust
108+ unsafe fn get_unchecked <T >(x : & [T ], i : usize ) -> & T {
109+ x . get_unchecked (i )
110+ }
111+ ```
112112
113- This gets us into a state where programmers are much less likely to accidentally
114- perform undesired unsafe operations inside ` unsafe fn ` .
113+ This gets us into a state where programmers are much less likely to accidentally
114+ perform undesired unsafe operations inside `unsafe fn `.
115115
116- Even later, it might be desirable to turn this warning into an error.
116+ 3 . Even later (in the 2021 edition ), it might be desirable to turn this warning
117+ into an error .
117118
118119# Drawbacks
119120[drawbacks ]: #drawbacks
@@ -131,6 +132,10 @@ I explained the rationale in the motivation section.
131132
132133The alternative is to not do anything , and live with the current situation .
133134
135+ We could introduce named proof obligations (proposed by @ Centril ) such that the
136+ compiler can be be told (to some extend ) if the assumptions made by the `unsafe
137+ fn ` are sufficient to discharge the requirements of the unsafe operations .
138+
134139# Prior art
135140[prior - art ]: #prior - art
136141
0 commit comments