Do we need `unsafe` macros?

Aloso · April 14, 2020, 11:06pm

When calling an unsafe function or performing an unsafe operation, it has to be in an unsafe block or function, so you can find potentially dangerous code by searching for the unsafe keyword.

However, this is not true for macro_rules!. For example:

macro_rules! dangerous {
    ($e:expr) => {
        std::mem::transmute($e)
    }
}

unsafe fn foo(n: usize): *const () {
    dangerous!(n)
}

The dangerous! macro must be used in an unsafe context, but it isn't declared as unsafe.

Maybe we could allow the unsafe keyword in macro_rules! like the following?

macro_rules! dangerous {
    unsafe ($e:expr) => {
        std::mem::transmute($e)
    }
}

mjbshaw · April 14, 2020, 11:16pm

Do we need unsafe macros?

No, we don't need them.

so you can find potentially dangerous code by searching for the unsafe keyword.

You can still find the unsafe code by searching for the unsafe keyword. It's right there: the foo function.

A change like this offers minimal benefit (if any) and just adds unnecessary churn to Rust.

Aloso · April 14, 2020, 11:20pm

When looking at the foo function, you don't know if the dangerous! macro contains unsafe code. This is practically the same argumentation as with unsafe functions. If I were to replace the dangerous! macro with a dangerous function, I'd have to mark it as unsafe.

steffahn · April 14, 2020, 11:35pm

That's because functions declare their interface in their signature, properly encapsulating the implementation details - macros don't. If you really want to provide an unsafe macro in your public API, then you have to describe that it's only usable inside unsafe in its documentation. Just like you have to describe a lot of other way more important things in the documentation like what kind of arguments or what custom syntax is accepted.

RustyYato · April 14, 2020, 11:37pm

macros in unsafe code already need to be carefully checked because macros can affect control flow in non-trivial ways, so adding this modifier does little to improve the situation.

steffahn · April 14, 2020, 11:44pm

There is an optional TODO about “make unsafe and lints hygienic” in the macros 2.0 tracking issue. I don't know what they mean by this. I just noticed this, I was going to suggest that your idea, if it has any value, then probably most so in the context of macros 2.0 syntax, hence I looked up that issue for you.

system · July 13, 2020, 11:44pm

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Explicitly marking unsafe macro expressions Unsafe Code Guidelines	17	5181	May 21, 2019
Unsafe-to-invoke macros that expand to items Unsafe Code Guidelines	10	401	February 11, 2025
Hidden unsafe due to unintentionally abusable macros and include Unsafe Code Guidelines	58	4721	December 22, 2024
Pre-RFC: making unsafe more safe to use language design	12	3253	March 25, 2019
You_can::turn_off_the_borrow_checker should not be allowed without declaring unsafe Unsafe Code Guidelines	14	2834	December 22, 2024

Do we need `unsafe` macros?

Related topics