[Pre-RFC] Another take at clarifying `unsafe` semantics

HadrienG · 2018-03-28T06:52:22.100Z

It’s been about two weeks since this pre-RFC has been around, the topic has been quiet for a while, and I now have two questions for you

The first one is, do you have any other question, comment, concern… which is not currently listed in this thread or adequately answered by it? If so, please speak up!

The second one is, do you think I should turn this in RFC form? If so, I could use some help from more experienced RFC writers in order to tune the wording, add missing parts, etc. I put this one in poll form:

No
Yes
I could actually mentor that

0 voters

Show results

jmst · 2018-03-28T11:32:06.355Z

While the current syntax is poor, the semantics are fine.

In particular currently unsafe functions are what you call “unsafe(pre)”, while unsafe traits are what you call “unsafe(post)”.

An “unsafe(pre) trait” is in current syntax simply a trait with all unsafe methods.

“unsafe(post) function” and “unsafe(post) types” exist as methods and associated types of unsafe traits.

“unsafe(post)” is meaningless for freestanding items since their implementation can’t change due to backwards compatibility.

However, it’s true that functions that are called by unsafe code can cause memory-unsafety if their functionality is non-compatibly broken, but that’s more of a property of the calling unsafe code. Requiring “unsafe(post)” on the callee seems inappropriate, since unsafe code may in theory want to rely on any behavior of safe code, so there is no way to figure out whether a function should be marked “unsafe(post)”

Having the syntax specify “unsafe(pre)” and “unsafe(post)” would have been better, but changing it now might not be really worth it.

Regarding “design-by-contract”, the proper solution is to add dependent types to Rust, so that pre and post conditions can be encoded as values of dependent types, and they can be statically checked.

HadrienG · 2018-03-28T17:50:02.244Z

jmst:

While the current syntax is poor, the semantics are fine.

Any contribution to the syntax bikeshed is much welcome If you do not like the proposed syntax, feel free to use the unabbreviated “unsafe preconditions” and “unsafe postconditions” expressions, which can hopefully be more readily agreed upon.

An “unsafe(pre) trait” is in current syntax simply a trait with all unsafe methods.

While I started with this definition too (along with a variant for unsafe(post) traits), because it looked like a very convenient and sensible shorthand, I backtracked from it after I came to the realization that traits differ from the sum of their public interfaces. If that were not the case, there would be no marker traits.

It all boils down to this question: what does “using a trait” mean? Does it mean using the interfaces provided by that trait? Or does it mean adding that trait to a list of trait bounds in a generic construct?

You can only describe marker traits using the latter definition. And you can achieve the former semantics, albeit in a more laborious way, by marking all functions in the trait as unsafe. So I think that a trait’s safety contract should be defined by what the trait guarantees about a type when used in generic bounds.

Which, in turn, means that I cannot think of an example in which a trait would be unsafe(pre), in the sense that adding this trait bound to generic code would introduce a risk of memory/type/thread unsafety if some conditions are not met.

“unsafe(post) function” and “unsafe(post) types” exist as methods and associated types of unsafe traits.

In your opinion, what would an unsafe(post) type be?

“unsafe(post)” is meaningless for freestanding items since their implementation can’t change due to backwards compatibility.

However, it’s true that functions that are called by unsafe code can cause memory-unsafety if their functionality is non-compatibly broken, but that’s more of a property of the calling unsafe code. Requiring “unsafe(post)” on the callee seems inappropriate, since unsafe code may in theory want to rely on any behavior of safe code, so there is no way to figure out whether a function should be marked “unsafe(post)”

This is, in my opinion at least, a failure of the current unsafe semantics which this proposal aims to address.

It is frequently stated in the Rust community that the safety of unsafe code cannot rely upon the correctness of safe code. For example, the safety of a HashTable cannot rely on the key type’s implementations of Hash and Eq being correct. However, what this negative statement fails to accurately convey is that as a result there is actually remarkably little that unsafe code is allowed to rely upon.

By the above standards, it is nearly impossible to safely use any kind of abstraction (from functions to generics) in unsafe code. In doing so, one must painfully attempt to mentally step through all the ways the abstractions could be incorrect (an exercise which the human mind is notoriously bad at), before hopefully convincing oneself that they have been relatively well accounted for. That is, until a sufficiently broken implementation of the abstraction surprises us by showing that yes, we have still not accounted for every possible bug.

Because unsafe code cannot rely on any abstraction, except possibly the ones that were defined in the same crate and by the same author (and even then…), it is very difficult to “scale up” unsafe codebases to complex tasks. Some will argue that this is generally a good thing, as unsafe code is dangerous and should be used very sparingly and in extremely localized locations. However, in practice, crossing the boundary between safe and unsafe code often comes with run-time validation costs, so whenever unsafe is used for performance reason (such as in the process of building containers or high-performance algorithmic primitives), keeping its usage at a very fine granularity may not be viable.

The notion of unsafe(post) aims to address this lack of scalability of unsafe codebases by introducing the notion of safety-critical contracts. Because Rust’s abstraction vocabulary is not (yet?) rich enough to express such a contract in code, it is to be expressed in comments, like all other contracts that pertain to unsafe code in Rust. But by formulating this contract, an abstraction author states “I recognize that a certain property is critical to memory safety, and I promise to guarantee this property for the entire lifetime of this abstraction, subjecting my code to the same level of scrutinity as any other safety-critical (“unsafe”) code”.

unsafe(post) is therefore a commitment that restricts an abstraction’s implementation in order to allow it to be used in more contexts, much like const fn is.

Having the syntax specify “unsafe(pre)” and “unsafe(post)” would have been better, but changing it now might not be really worth it.

Well, this is the question which I am trying to answer in this pre-RFC thread. If we were in the pre-rust 1.0 days, then it would be clear to me that clarifying unsafe semantics is called for. Today, where it involves some amount of churn for the Rust ecosystem, I need to prove that the benefits outweigh the cost. Since this is a trade-off which, as the person proposing a change, I come ill-prepared to analyze alone, I am looking for external points of view on this matter.

Regarding “design-by-contract”, the proper solution is to add dependent types to Rust, so that pre and post conditions can be encoded as values of dependent types, and they can be statically checked.

While I would love stronger support for design-by-contract in Rust, allowing desired properties to be expressed in code, I think that it would not fulfill all of the use cases of this feature, for the following reasons:

Some safety-critical properties cannot be easily expressed in code. Think about the “Do not create two &mut-references to the contents of an UnsafeCell” for example: considering that the client gets an *mut and is allowed to do whatever it likes with it, how should this postcondition be expressed?
Some safety-critical properties cannot be checked statically and are too expensive to check dynamically. Think about “Integers used to index slices with get_unchecked() are in range”, for example: the very reason why get_unchecked() exists is that dynamic bound checks are sometimes necessary to guarantee safety, but too expensive for indexing-intensive code.

Conversely, I understand that dependent types would be a much larger addition to the language than what this proposal suggests, which would need much stronger motivation, much deeper analysis of the problem and use cases, and would in general have much weaker chance of being accepted. In contrast, this proposal solves a well-defined and known problem in a minimal way, which is I think has been an important characteristic of a good RFC ever since Rust has stabilized.

gbutler · 2018-03-28T19:49:53.666Z

While I tend to agree that clarifying the safety semantics of Rust code is a worthwhile goal, I’m not convinced that any of this discussion or proposals actually make meaningful progress towards that goal. I’m really not certain what is missing from the discussion, but, I just don’t feel like anything that has been said does anything to illuminate the issue for the average developer who might be coming to Rust from another language.

I will say, there seems to be a number of issues being conflated. The idea of “Design by Contract” is not necessarily applicable only to the notion of “Safety” (in the Rust, “Avoid UB at all costs” sense). “Design by Contract” seems to me to have a much larger scope and discussing it too much within the confines of clarifying “Safety” (again, in the sense of “UB”) is too much “Scope Creep” (for an RFC like this).

I think how this whole subject should be approached (first) is instead of trying to nail down what “Safe/Unsafe” means, why not try enumerating all the things you can do in “unsafe code” and listing things that would be appropriate to check by a wrapper and things that would be more appropriate to have enforced elsewhere. Then, try to organize them into categories, and only then, see if we can’t nail down a better definition of Safe vs. Unsafe and how it relates to the categories identified.

Again, the whole thing just seems kind of misty. I feel about unsafe the way I feel about porn, I can’t really define it, but, I know it when I see it.

EDIT: To clarify further:

Regarding enumerating of examples. What I mean by this is to get specific. For example, let’s talk about and list all the ways that pointer dereferencing can result in UB and then let’s try to enumerate strategies for preventing that sort of abuse. Same for calling FFI. Same for calling “unsafe” functions. Same for implementing “unsafe” traits. Same for accessing static mutable variables. Let’s try to enumerate all the ways each of these things can result in bad things happening, and then try to list mitigations for each of those. Then try classifying/categorizing the kinds of bad things and the categories of mitigation.

Perhaps this has already been done in the literature and that is how Rust came to some of the solutions it has come to. If that is the case, chalk (see what I did there) it up to my ignorance.

If nothing else such a list and categorization might be helpful as an advance chapter in the Nomicon that would be better than any sort of definition in helping those new to Rust on how to understand what “unsafe” really means.

H2CO3 · 2018-03-28T20:21:55.924Z

HadrienG:

Alternatives

Do nothing. Unsafe abstractions will remain confusing to implement and review, making unsafe Rust hard to learn and causing memory, type and thread safety issues that could have been avoided by improving unsafe code ergonomics.

Well, that’s quite an exaggeration. What’s hard for one person might be trivial for another. The unsafe keyword is, in my opinion, the smallest ergonomic problem in today’s Rust. Adding pre and post won’t suddenly enlighten all the programmers coming from high-level languages. It seems to me that you are significantly overestimating the problem.

If there is a problem at all — I don’t feel at all that the current unsafe design has any clarity issues. Again, inevitably, there will always be newcomers who find certain concepts hard. This cannot possibly be fixed by just piling more syntax on top of what we already have — they will have to invest significant effort into learning new concepts such as unsafe code either way, and I would argue that adding more complexity to the language wouldn’t help, conversely, it would impede their learning experience.

HadrienG · 2018-03-28T20:32:50.607Z

I think part of our opinion divergence here lies in the fact that we are not looking at the same side of the issue.

From my understanding, your comment asks for a guide to all the existing uses of unsafe constructs in the Rust language and standard library. What can go wrong, how to avoid it, together with some attempts at organizing these problem/solution pairs.

In constrast, this pre-RFC is about the tools used by Rust developers to create new unsafe abstractions. Basically, any time the unsafe keyword is used in someone’s code for any other purpose than introducing an unsafe block.

The former issue is, as you say, largely a documentation issue, which I believe is targeted by many existing projects. The latter reaches beyond that, in the sense that Rust’s current vocabulary for building unsafe abstractions is unnecessarily ambiguous and confusing even when you are familiar with it, due to the way it mixes together unrelated notions such as…

Unsafe blocks (“where bad things can happen”)
Unsafe preconditions (“what you need to do to prevent it”)
Unsafe postconditions (“how we help you at the task”)

Addressing this language-side issue is what this pre-RFC is about. From this perspective, I believe that what you are discussing is not in conflict with what I am proposing, but rather an important orthogonal issue.

Centril · 2018-03-28T21:26:27.907Z

HadrienG:

Conversely, I understand that dependent types would be a much larger addition to the language than what this proposal suggests

A limited form of dependent types are already being added to the language, see const generics.

Dependent types have great power / complexity ratio.

HadrienG · 2018-03-28T21:42:07.172Z

H2CO3:

Well, that’s quite an exaggeration. What’s hard for one person might be trivial for another. The unsafe keyword is, in my opinion, the smallest ergonomic problem in today’s Rust.

I would not want to engage in a detailed comparison of Rust’s ergonomic issues, but considering the amount of time and discussions it takes even highly experienced Rust developers to figure out the basics of what can and cannot be done with pointers and references in unsafe code, I think we can safely (no pun intended) say that unsafe semantics are not trivial for anybody

This is why we have many projects which aim at clarifying these semantics, to which this pre-RFC is only one contribution in an area that was IMO insufficiently explored so far: the role of language semantics and ergonomics in unsafe abstraction design.

Adding pre and post won’t suddenly enlighten all the programmers coming from high-level languages.

…and thankfully, this is not the goal of this pre-RFC. Which is an attempt at clarifying the semantics of the tools that are used to build unsafe abstractions, a rather advanced Rust task which I do not expect complete beginners to engage into.

It seems to me that you are significantly overestimating the problem.

That might be the case. However, the amount of people who are constantly confused about what is perhaps the most dangerous feature of the Rust language worries me.

In the world of life-threatening systems, the more dangerous a tool is, the harder you make it to use it incorrectly. Knives have a handle shaped in such a way that it is pretty clear how you are supposed to pick them up. And power tools are similarly designed in such a way that you are unlikely to have your hand on the cutting bit when you turn them on.

Now, contrast this with Rust’s unsafe abstraction vocabulary:

Unsafe Rust should never trust Safe Rust’s abstractions, yet there is no safeguard in place to lint against reaching for these, in spite of this being a likely habit of the typical Rust programmer (who writes a lot more safe code than unsafe code).
Trait’s unsafe associated methods are, in current usage, solely about preconditions. All this usage of “unsafe” states is that the method’s implementation can rely on a certain property to be true for memory safety, but are not obliged to. Yet the method’s entire implementation is automatically turned into an unsafe block, silently enabling all kind of unsafe operations without any compiler warning/lint.
TrustedLen is another example of unsafe abstraction design gone wrong. This trait silently changes the semantics of another trait’s methods in a way that affects memory safety. Concretely, what this means is that the only thing keeping your unsafe code from doing something dangerous is a single trait bound. If you forget that “TrustedLen” bound anywhere, then you will open a memory safety hole without any warning. This would not have happened if, in an example of more principled abstraction design, the trusted length was provided as a method that is specific to the TrustedLen trait, which in turn would have required a notion akin to the proposed unsafe(post) fn.

It seems to me that there is definitely quite a lot to be done to make unsafe Rust abstractions as easy to use correctly as real-world sharp tools are And this pre-RFC proposes to start by clarifying what an unsafe abstraction is, and separating its inner components cleanly instead of the ambiguous soup that we currently have where the “unsafe” word is used to mean so many different things.

H2CO3:

If there is a problem at all — I don’t feel at all that the current unsafe design has any clarity issues. Again, inevitably, there will always be newcomers who find certain concepts hard. This cannot possibly be fixed by just piling more syntax on top of what we already have — they will have to invest significant effort into learning new concepts such as unsafe code either way, and I would argue that adding more complexity to the language wouldn’t help, conversely, impede their learning experience.

See above for some examples of highly perfectible unsafe design that you can play with today As with @gbutler, I think I should again clarify that I personally see two “layers” of unsafe users:

People who use the unsafe constructs provided by the Rust language and its standard library. This happens relatively early in the process of learning Rust, for example the first time one tries to optimize array manipulations or do FFI. Doing this only requires unsafe block. I think this is the most mature part of the unsafe ecosystem today, though as @gbutler points out it could certainly use better documentation.
People who, in addition, try to build unsafe abstractions which other developers (including future maintainers of the same crate) can rely upon. This is a more advanced topic, where one gets to invoke the other meanings of the unsafe keyword (unsafe fns, unsafe traits, unsafe impls…). These are the uses of the unsafe keyword which I think have unnecessarily unclear semantics, and could benefit from some language-level clarification.

I probably need to reword the pre-RFC in a way which makes it much clearer that I am catering to the latter population here. My wording is obviously not yet clear enough on this front.

gbutler · 2018-03-28T21:44:37.327Z

HadrienG:

I think part of our opinion divergence here lies in the fact that we are not looking at the same side of the issue

Yes, I agree. I tend to think that the thing that is missing is guidance and education rather than syntax. That being said, I also agree that differentiating between “unsafe blocks”, “unsafe trait impls”, and “unsafe functions/contracts” more clearly is worthwhile, but, I just don’t see that “unsafe(pre)” and “unsafe(post)” (or anything like that that I can really think of even though I initially approached this topic thinking that was the way forward) will usefully accomplish that goal.

Again, these are just my opinions and I’m probably wrong, but, I’m really starting to believe that there is no special keywords that could be used instead of just “unsafe” that would make the situation any better from an understanding perspective.

That being said, this is definitely a worthwhile discussion to have and I will keep an open mind about it for sure.

gbutler · 2018-03-28T21:49:34.012Z

HadrienG:

People who, in addition, try to build unsafe abstractions which other developers (including future maintainers of the same crate) can rely upon. This is a more advanced topic, where one gets to invoke the other meanings of the unsafe keyword (unsafe fns, unsafe traits, unsafe impls…). These are the uses of the unsafe keyword which I think have unnecessarily unclear semantics, and could benefit from some language-level clarification.

Ah…I think this comment more clearly expresses what you are going for. Definitely something to chew on.

gbutler · 2018-03-28T21:53:02.399Z

Doesn’t feel ready for an RFC. Still a little unclear on what will be accomplished for the amount of churn.

gbutler · 2018-03-28T21:56:44.852Z

HadrienG:

unsafe(post) functions provide guarantees which can be relied upon by unsafe code. Therefore, they can only return to their caller inside of an unsafe code block. These functions can safely be used when collecting information that is to be passed to an unsafe(pre) function, such as

Unfortunately, there is no difference from being called from inside and unsafe block and returning inside an unsafe block. In both cases, the call to the function must be wrapped in and unsafe block (unless you are proposing something like???):

unsafe { let x } = fn( zzzz );

Where ‘fn’ is an unsafe(post) function??? This would seem radically unuseful and confusing (to me) though.

gbutler · 2018-03-28T21:58:27.853Z

HadrienG:

Contrary to current unsafe fns, these modified forms of unsafe do not implicitly make the body of the function an unsafe block. The rationale for this is that only the author of the function knows which parts of the function, if any, are unsafe.

This I like. I agree that mixing up declaring an unsafe contract with and unsafe block of code is a mistake in the current implementation.

HadrienG · 2018-03-28T22:01:12.629Z

It is not unsafe to call an unsafe(post) function. All this annotation tells you is that you can rely about some properties of the result (described in the function’s documentation, like all unsafe contracts) for memory safety. If you are not doing unsafe things, then you can safely ignore the annotation.

In this sense, unsafe(post) is like const fn: a contract which sets requirements on the implementation, which the user may or may not rely on.

This is very different from unsafe(pre), which sets requirements on the user, which the implementation may or may not rely on.

gbutler · 2018-03-28T22:04:00.060Z

HadrienG:

They all guarantee properties which unsafe code is allowed to rely upon, and which could be violated by a careless implementor, resulting in unsafety.

Is this true? Unsafe code is specifically not permitted to rely upon safe code being implemented correctly for correct behavior (lack of UB). Should unsafe code be allowed to rely upon other (far distantly implemented) unsafe code to have been implemented correctly in order for it to not have UB? This doesn’t “FEEL” right. I think this needs some exploration.

gbutler · 2018-03-28T22:05:32.113Z

HadrienG:

It is not unsafe to call an unsafe(post) function

Then, why:

HadrienG':

Therefore, they can only return to their caller inside of an unsafe code block

HadrienG · 2018-03-28T22:06:31.335Z

gbutler:

Is this true? Unsafe code is specifically not permitted to rely upon safe code being implemented correctly for correct behavior (lack of UB). Should unsafe code be allowed to rely upon other (far distantly implemented) unsafe code to have been implemented correctly in order for it to not have UB? This doesn’t “FEEL” right. I think this needs some exploration.

Send and Sync are two examples of prior art. Unsafe code is allowed to rely on Send types being safely sendable across threads, and on Sync types being safely shareable between threads, in spite of the Send and Sync implementations for the type being defined kilometers of code away.

HadrienG · 2018-03-28T22:12:27.670Z

It is not unsafe to call an unsafe(post) function, but it is unsafe to implement one, because a bad implementation of an unsafe(post) function will cause memory/type/thread unsafety. This is the same reason why implementing Send and Sync is already unsafe today.

The rule which I found to formalize this requirement in a way that is symmetrical with unsafe(pre) is to mandate that these function’s return statements be within an unsafe block, and thus characterized as potentially unsafe operations, like this.

unsafe(post) fn trust_me() -> usize {
    /* Do something inconsequential */

    // This is the part where it gets dangerous
    unsafe { 42 }
}

The rationale is that return statements in unsafe(post) functions propagate safety-critical information to the outside, and are thus unsafe operations. But I’m not 100% satisfied with this rule, and am open to bikeshedding it. As an even more minimal proposal, perhaps the unsafe(post) annotation on the function implementation is enough?

gbutler · 2018-03-28T22:19:25.367Z

OK, I think I’m able now to more clearly clarify my discomfort with this proposal and offer a possible enhancement that I believe could make all of this more worthy of the churn it imposes. I can best sum it up as, “Spell out the contract!”. What I mean by this would be to include some meta-language for specifying pre-conditions/post-conditions, that would server 2 purposes:

Clearly document the contract requirements in a way that can both be consumed by documentation generation in a standard fashion, AND
has the POTENTIAL to at some point be statically solvable and/or run-time optionally (debug/test only perhaps) enforced

A quick straw-man syntax/idea might be something like:

unsafe ( pre: assert ( ...some predicate DSL... )
             post: assert ( ...some predicate DSL.... ) )
fn ( .... ) -> Result

The “some predicate DSL” could be a mini, extensible language that allows expression conditions about the inputs and outputs. It could even allow an “Escape Hatch” like clause that is effectively, “We have no way of expressing this condition in the DSL, but, here is some normal human language that describes the necessary contract”.

That way, we can gradually evolve this DSL to support more and more of the kinds of necessary predicates and eventually work towards linting or otherwise statically analyzing whether or not they have been met.

Again, this is all very, very straw-man at this point and I would have to put significant effort to clarify further (I realize). I’m not an expert on this sort of thing, but, if I had my druthers, this is the direction I’d like to see pursued.

Perhaps this is an entirely orthogonal concern to what you are proposing though.

With this DSL idea, the compiler could parse the DSL predicates, determine (at some future point) if it has the potential to statically solve the predicate, if it CAN solve the predicate, and in the context of the call to the function it is able to verify that the predicate has been met, an “unsafe” block around the call isn’t required. However, if it can’t (yet) verify the predicate, it could spit out an error if no unsafe block is present and display the predicate that it can’t verify. If the predicate includes the “Escape Hatch” predicate, then the compiler obviously can’t verify and will output the the predicate for sure with an error if the unsafe block isn’t present.

If it can’t verify the predicate, but, and unsafe block is present, it would simply output a NOTE/REMINDER (like a WARNING, but, not classified as a warning) that simply reiterates the necessary predicates.

If the call is inside an unsafe block, and the predicates CAN be verified, it could warn about an unnecessary unsafe block.

Why this last? Because, then you will get an error in compiling if you break some code elsewhere that messes up the previously verifiable predicate.

To clarify further, with these predicates there are several possibilities for the compiler to find at the site of a call to an unsafe function (similar argument applies to unsafe returns):

predicates not specified - unsafe block required/lint on function def advising to add preds
preds specified, but, not statically solvable (aka compiler support lacking, escape hatch predicate used) - unsafe block required for call
preds specified, statically solvable (with one of the following possibilities):
- compiler can prove at call-site that predicate not met - COMPILER ERROR
- compiler can prove at call-site that predicate is met - UNSAFE block not required and is NOTE/REMINDERED against (on second thought, prob should be a compiler error as well – I’ll explain below)
- compiler cannot say for sure whether or not the predicate is met - UNSAFE block REQUIRED with output of a NOTE/REMINDER of what predicate(s) are being unsafely relied upon

I think the middle sub-bullet point above is the interesting one. Because the compiler can prove statically that you’ve met the predicate, it should be a compiler error to wrap in unsafe block. Why? Because that way, if you later change the code to break the predicate, you’ll get a new compiler error.

gbutler · 2018-03-28T22:22:07.974Z

HadrienG:

// This is the part where it gets dangerous unsafe { 42 }

Ah…Yes. That makes more sense. I misunderstood.

EDIT: That being said, I agree with @jmst, “What’s th point?” What function would you not want to guarantee that its post-conditions are met?