[Pre-RFC] Another take at clarifying `unsafe` semantics

HadrienG · 2018-03-28T21:42:07.172Z

H2CO3:

Well, that’s quite an exaggeration. What’s hard for one person might be trivial for another. The unsafe keyword is, in my opinion, the smallest ergonomic problem in today’s Rust.

I would not want to engage in a detailed comparison of Rust’s ergonomic issues, but considering the amount of time and discussions it takes even highly experienced Rust developers to figure out the basics of what can and cannot be done with pointers and references in unsafe code, I think we can safely (no pun intended) say that unsafe semantics are not trivial for anybody

This is why we have many projects which aim at clarifying these semantics, to which this pre-RFC is only one contribution in an area that was IMO insufficiently explored so far: the role of language semantics and ergonomics in unsafe abstraction design.

Adding pre and post won’t suddenly enlighten all the programmers coming from high-level languages.

…and thankfully, this is not the goal of this pre-RFC. Which is an attempt at clarifying the semantics of the tools that are used to build unsafe abstractions, a rather advanced Rust task which I do not expect complete beginners to engage into.

It seems to me that you are significantly overestimating the problem.

That might be the case. However, the amount of people who are constantly confused about what is perhaps the most dangerous feature of the Rust language worries me.

In the world of life-threatening systems, the more dangerous a tool is, the harder you make it to use it incorrectly. Knives have a handle shaped in such a way that it is pretty clear how you are supposed to pick them up. And power tools are similarly designed in such a way that you are unlikely to have your hand on the cutting bit when you turn them on.

Now, contrast this with Rust’s unsafe abstraction vocabulary:

Unsafe Rust should never trust Safe Rust’s abstractions, yet there is no safeguard in place to lint against reaching for these, in spite of this being a likely habit of the typical Rust programmer (who writes a lot more safe code than unsafe code).
Trait’s unsafe associated methods are, in current usage, solely about preconditions. All this usage of “unsafe” states is that the method’s implementation can rely on a certain property to be true for memory safety, but are not obliged to. Yet the method’s entire implementation is automatically turned into an unsafe block, silently enabling all kind of unsafe operations without any compiler warning/lint.
TrustedLen is another example of unsafe abstraction design gone wrong. This trait silently changes the semantics of another trait’s methods in a way that affects memory safety. Concretely, what this means is that the only thing keeping your unsafe code from doing something dangerous is a single trait bound. If you forget that “TrustedLen” bound anywhere, then you will open a memory safety hole without any warning. This would not have happened if, in an example of more principled abstraction design, the trusted length was provided as a method that is specific to the TrustedLen trait, which in turn would have required a notion akin to the proposed unsafe(post) fn.

It seems to me that there is definitely quite a lot to be done to make unsafe Rust abstractions as easy to use correctly as real-world sharp tools are And this pre-RFC proposes to start by clarifying what an unsafe abstraction is, and separating its inner components cleanly instead of the ambiguous soup that we currently have where the “unsafe” word is used to mean so many different things.

H2CO3:

If there is a problem at all — I don’t feel at all that the current unsafe design has any clarity issues. Again, inevitably, there will always be newcomers who find certain concepts hard. This cannot possibly be fixed by just piling more syntax on top of what we already have — they will have to invest significant effort into learning new concepts such as unsafe code either way, and I would argue that adding more complexity to the language wouldn’t help, conversely, impede their learning experience.

See above for some examples of highly perfectible unsafe design that you can play with today As with @gbutler, I think I should again clarify that I personally see two “layers” of unsafe users:

People who use the unsafe constructs provided by the Rust language and its standard library. This happens relatively early in the process of learning Rust, for example the first time one tries to optimize array manipulations or do FFI. Doing this only requires unsafe block. I think this is the most mature part of the unsafe ecosystem today, though as @gbutler points out it could certainly use better documentation.
People who, in addition, try to build unsafe abstractions which other developers (including future maintainers of the same crate) can rely upon. This is a more advanced topic, where one gets to invoke the other meanings of the unsafe keyword (unsafe fns, unsafe traits, unsafe impls…). These are the uses of the unsafe keyword which I think have unnecessarily unclear semantics, and could benefit from some language-level clarification.

I probably need to reword the pre-RFC in a way which makes it much clearer that I am catering to the latter population here. My wording is obviously not yet clear enough on this front.

gbutler · 2018-03-28T21:44:37.327Z

HadrienG:

I think part of our opinion divergence here lies in the fact that we are not looking at the same side of the issue

Yes, I agree. I tend to think that the thing that is missing is guidance and education rather than syntax. That being said, I also agree that differentiating between “unsafe blocks”, “unsafe trait impls”, and “unsafe functions/contracts” more clearly is worthwhile, but, I just don’t see that “unsafe(pre)” and “unsafe(post)” (or anything like that that I can really think of even though I initially approached this topic thinking that was the way forward) will usefully accomplish that goal.

Again, these are just my opinions and I’m probably wrong, but, I’m really starting to believe that there is no special keywords that could be used instead of just “unsafe” that would make the situation any better from an understanding perspective.

That being said, this is definitely a worthwhile discussion to have and I will keep an open mind about it for sure.

gbutler · 2018-03-28T21:49:34.012Z

HadrienG:

People who, in addition, try to build unsafe abstractions which other developers (including future maintainers of the same crate) can rely upon. This is a more advanced topic, where one gets to invoke the other meanings of the unsafe keyword (unsafe fns, unsafe traits, unsafe impls…). These are the uses of the unsafe keyword which I think have unnecessarily unclear semantics, and could benefit from some language-level clarification.

Ah…I think this comment more clearly expresses what you are going for. Definitely something to chew on.

gbutler · 2018-03-28T21:53:02.399Z

Doesn’t feel ready for an RFC. Still a little unclear on what will be accomplished for the amount of churn.

gbutler · 2018-03-28T21:56:44.852Z

HadrienG:

unsafe(post) functions provide guarantees which can be relied upon by unsafe code. Therefore, they can only return to their caller inside of an unsafe code block. These functions can safely be used when collecting information that is to be passed to an unsafe(pre) function, such as

Unfortunately, there is no difference from being called from inside and unsafe block and returning inside an unsafe block. In both cases, the call to the function must be wrapped in and unsafe block (unless you are proposing something like???):

unsafe { let x } = fn( zzzz );

Where ‘fn’ is an unsafe(post) function??? This would seem radically unuseful and confusing (to me) though.

gbutler · 2018-03-28T21:58:27.853Z

HadrienG:

Contrary to current unsafe fns, these modified forms of unsafe do not implicitly make the body of the function an unsafe block. The rationale for this is that only the author of the function knows which parts of the function, if any, are unsafe.

This I like. I agree that mixing up declaring an unsafe contract with and unsafe block of code is a mistake in the current implementation.

HadrienG · 2018-03-28T22:01:12.629Z

It is not unsafe to call an unsafe(post) function. All this annotation tells you is that you can rely about some properties of the result (described in the function’s documentation, like all unsafe contracts) for memory safety. If you are not doing unsafe things, then you can safely ignore the annotation.

In this sense, unsafe(post) is like const fn: a contract which sets requirements on the implementation, which the user may or may not rely on.

This is very different from unsafe(pre), which sets requirements on the user, which the implementation may or may not rely on.

gbutler · 2018-03-28T22:04:00.060Z

HadrienG:

They all guarantee properties which unsafe code is allowed to rely upon, and which could be violated by a careless implementor, resulting in unsafety.

Is this true? Unsafe code is specifically not permitted to rely upon safe code being implemented correctly for correct behavior (lack of UB). Should unsafe code be allowed to rely upon other (far distantly implemented) unsafe code to have been implemented correctly in order for it to not have UB? This doesn’t “FEEL” right. I think this needs some exploration.

gbutler · 2018-03-28T22:05:32.113Z

HadrienG:

It is not unsafe to call an unsafe(post) function

Then, why:

HadrienG':

Therefore, they can only return to their caller inside of an unsafe code block

HadrienG · 2018-03-28T22:06:31.335Z

gbutler:

Is this true? Unsafe code is specifically not permitted to rely upon safe code being implemented correctly for correct behavior (lack of UB). Should unsafe code be allowed to rely upon other (far distantly implemented) unsafe code to have been implemented correctly in order for it to not have UB? This doesn’t “FEEL” right. I think this needs some exploration.

Send and Sync are two examples of prior art. Unsafe code is allowed to rely on Send types being safely sendable across threads, and on Sync types being safely shareable between threads, in spite of the Send and Sync implementations for the type being defined kilometers of code away.

HadrienG · 2018-03-28T22:12:27.670Z

It is not unsafe to call an unsafe(post) function, but it is unsafe to implement one, because a bad implementation of an unsafe(post) function will cause memory/type/thread unsafety. This is the same reason why implementing Send and Sync is already unsafe today.

The rule which I found to formalize this requirement in a way that is symmetrical with unsafe(pre) is to mandate that these function’s return statements be within an unsafe block, and thus characterized as potentially unsafe operations, like this.

unsafe(post) fn trust_me() -> usize {
    /* Do something inconsequential */

    // This is the part where it gets dangerous
    unsafe { 42 }
}

The rationale is that return statements in unsafe(post) functions propagate safety-critical information to the outside, and are thus unsafe operations. But I’m not 100% satisfied with this rule, and am open to bikeshedding it. As an even more minimal proposal, perhaps the unsafe(post) annotation on the function implementation is enough?

gbutler · 2018-03-28T22:19:25.367Z

OK, I think I’m able now to more clearly clarify my discomfort with this proposal and offer a possible enhancement that I believe could make all of this more worthy of the churn it imposes. I can best sum it up as, “Spell out the contract!”. What I mean by this would be to include some meta-language for specifying pre-conditions/post-conditions, that would server 2 purposes:

Clearly document the contract requirements in a way that can both be consumed by documentation generation in a standard fashion, AND
has the POTENTIAL to at some point be statically solvable and/or run-time optionally (debug/test only perhaps) enforced

A quick straw-man syntax/idea might be something like:

unsafe ( pre: assert ( ...some predicate DSL... )
             post: assert ( ...some predicate DSL.... ) )
fn ( .... ) -> Result

The “some predicate DSL” could be a mini, extensible language that allows expression conditions about the inputs and outputs. It could even allow an “Escape Hatch” like clause that is effectively, “We have no way of expressing this condition in the DSL, but, here is some normal human language that describes the necessary contract”.

That way, we can gradually evolve this DSL to support more and more of the kinds of necessary predicates and eventually work towards linting or otherwise statically analyzing whether or not they have been met.

Again, this is all very, very straw-man at this point and I would have to put significant effort to clarify further (I realize). I’m not an expert on this sort of thing, but, if I had my druthers, this is the direction I’d like to see pursued.

Perhaps this is an entirely orthogonal concern to what you are proposing though.

With this DSL idea, the compiler could parse the DSL predicates, determine (at some future point) if it has the potential to statically solve the predicate, if it CAN solve the predicate, and in the context of the call to the function it is able to verify that the predicate has been met, an “unsafe” block around the call isn’t required. However, if it can’t (yet) verify the predicate, it could spit out an error if no unsafe block is present and display the predicate that it can’t verify. If the predicate includes the “Escape Hatch” predicate, then the compiler obviously can’t verify and will output the the predicate for sure with an error if the unsafe block isn’t present.

If it can’t verify the predicate, but, and unsafe block is present, it would simply output a NOTE/REMINDER (like a WARNING, but, not classified as a warning) that simply reiterates the necessary predicates.

If the call is inside an unsafe block, and the predicates CAN be verified, it could warn about an unnecessary unsafe block.

Why this last? Because, then you will get an error in compiling if you break some code elsewhere that messes up the previously verifiable predicate.

To clarify further, with these predicates there are several possibilities for the compiler to find at the site of a call to an unsafe function (similar argument applies to unsafe returns):

predicates not specified - unsafe block required/lint on function def advising to add preds
preds specified, but, not statically solvable (aka compiler support lacking, escape hatch predicate used) - unsafe block required for call
preds specified, statically solvable (with one of the following possibilities):
- compiler can prove at call-site that predicate not met - COMPILER ERROR
- compiler can prove at call-site that predicate is met - UNSAFE block not required and is NOTE/REMINDERED against (on second thought, prob should be a compiler error as well – I’ll explain below)
- compiler cannot say for sure whether or not the predicate is met - UNSAFE block REQUIRED with output of a NOTE/REMINDER of what predicate(s) are being unsafely relied upon

I think the middle sub-bullet point above is the interesting one. Because the compiler can prove statically that you’ve met the predicate, it should be a compiler error to wrap in unsafe block. Why? Because that way, if you later change the code to break the predicate, you’ll get a new compiler error.

gbutler · 2018-03-28T22:22:07.974Z

HadrienG:

// This is the part where it gets dangerous unsafe { 42 }

Ah…Yes. That makes more sense. I misunderstood.

EDIT: That being said, I agree with @jmst, “What’s th point?” What function would you not want to guarantee that its post-conditions are met?

HadrienG · 2018-03-28T22:23:01.373Z

I think this could be a possible backwards-compatible extension to this proposal, that could be added to the proposal’s list of future possibilities. It is not clear to me if it would be needed on day one, as long as we plan ahead for it.

jmst · 2018-03-28T22:40:25.114Z

I don’t think “unsafe(post)” on non-trait functions makes any sense.

Unsafe code could want to rely on the advertised behavior of ANY function defined in ANY crate, and there is no way to predict whether a given function would want to be used by unsafe code.

For instance, what parts of the standard library should be tagged as “unsafe(post)”? (the answer of course is all of it, which makes it pointless)

H2CO3 · 2018-03-28T22:52:43.397Z

HadrienG:

considering the amount of time and discussions it takes even highly experienced Rust developers to figure out the basics of what can and cannot be done with pointers and references in unsafe code

That seems to me like it stems from an orthogonal issue. Let me elaborate:

Danger is inherent to unsafe code. (Well, that statement is a bit redundant, isn’t it.) However you twist the syntax and/or the semantics of the language, writing unsafe code (viewed either from the “consumer of unsafe abstractions” or “author of unsafe abstractions” side) is always going to require more thinking and vigilance than usual. Yes, this can be true even for very basic concepts and operations. But I’m sure that is not a unique feature of programming in Rust. If you have studied some sort of scientific discipline at a (say) intermediate level, you probably very well know the feeling of sitting on a 1-line maths of physics problem for a couple of hours or days before being able to grasp an otherwise basic idea.

I don’t want to get too philosophical or generally off-topic here, but the problem is that our monkey brains are just not designed to do what we are doing with them. So at the end of the day, implying that intrinsically hard problems are only hard because we are not approaching them ergonomically enough and not because they are hard looks like a fallacy to me.

the amount of people who are constantly confused about what is perhaps the most dangerous feature of the Rust language worries me.

I understand and agree with that; what I am saying is that this is an inherent issue, and not something that can be mitigated completely or nearly completely by improved language design. Either interpretation of unsafe means “give up some safety guarantees”. That’s not going to be pretty either way for the reasons described above, and at the same time, the complexity introduced by the language changes laid out in this pre-RFC is, in my opinion, does not have a good enough investment-return rate. I’m not saying that ergonomic improvements to unsafe would be completely useless – I’m just trying to argue that the advantages they would bring to the table wouldn’t be worth the increased complexity.

In the world of life-threatening systems, the more dangerous a tool is, the harder you make it to use it incorrectly. Knives have a handle shaped in such a way that it is pretty clear how you are supposed to pick them up.

I absolutely agree with all of this too; in fact I’m generally the biggest fan of designing systems so that they have the least chance to be used incorrectly. However, and I don’t want to repeat myself over and over again, but the very purpose and nature of unsafe code renders attempts at making it safer very hard to achieve (I would even say contradictory).

Basically, what @gbutler wrote:

gbutler:

I’m really starting to believe that there is no special keywords that could be used instead of just unsafe that would make the situation any better from an understanding perspective.

You made three other very good points:

Unsafe Rust should never trust Safe Rust’s abstractions, yet there is no safeguard in place to lint against reaching for these.

I’m always in for more compiler warnings and lints! This, I think, is probably the easiest issue to address. Adding more rules/patterns to be recognized by the compiler or e.g. Clippy is an easy and in my opinion uncontroversial action, and we should go for it. If it’s likely wrong – warn about it!

As you can see, I’m in favor of these sorts of improvements as long as they don’t offset the balance towards just adding more stuff to the language in an unhealthy manner. A core language addition is a scene which always requires extremely careful consideration, and in 99.9% of the cases, the right thing to do with a new feature is to omit it. Compiler warnings and linter rules are nothing like it, they are basically free and completely safe (“safe” here meaning “does not break earlier code/concepts/assumptions or introduces bugs”).

Yet the method’s entire implementation is automatically turned into an unsafe block, silently enabling all kind of unsafe operations without any compiler warning/lint.

It’s not exactly silent, because it has a big honkin’ unsafe at the beginning. Still, I understand your concerns, I do think they are valid, and indeed, it would absolutely make sense to be able to mark a function unsafe without turning the entire body into an unsafe block. This is yet another change that likely wouldn’t need any sort of core language addition. It’s merely that the compiler should consider the body block safe rather than unsafe. If I recall correctly, that literally means flipping a one-bit flag in the compiler. (Maybe in several places, but you get the idea.)

TrustedLen is another example of unsafe abstraction design gone wrong. […]

That’s right too! I’m in favor of replacing TrustedLen with something more explicit and harder-to-forget/abuse. I still strongly doubt that this can only be done using, or that it is best achieved by, additions to the core language.

Finally:

People who, in addition, try to build unsafe abstractions which other developers (including future maintainers of the same crate) can rely upon.

Indeed, that puts the issue in a somewhat different perspective, although my comments about how more syntax wouldn’t help much still apply.

gbutler · 2018-03-28T22:58:36.700Z

H2CO3:

comments about how more syntax wouldn’t help much still apply.

This is my feeling as well. No matter how much I WANT there to be a special syntax or keywords that makes all of this clear, nothing seems to fit the bill.

HadrienG · 2018-03-29T09:53:56.622Z

It will take me a while to fully process and answer the comments from last night (thanks everyone for your interest and feedback!), but in meantime, I thought I would like to throw in a possible alternative to this pre-RFC that sprung in my mind while reading @H2CO3’s post, on which any thought would be appreciated.

It seems to me that one common theme in this discussion is that the proposed semantic clarifications are often evaluated to be useful, but not enough to justify a churn-inducing language addition at this point in time.

The obvious way to answer this kind of feedback is to provide a library-based implementation of the proposed concept, which allows experimenting with it today and gaining experience of it, to make a better future decision about whether a future language integration would be worthwhile.

So far, since this is touching rather deep language semantics I have struggled to come up with such an implementation. But I think I just had an idea which might be heading in the right direction. Like all library-level implementations of something which really should be implemented at the language level, it is pretty ugly-looking and limited in some ways, but it might still be usable enough to be viable for real-world projects.

Tentative library-level translation

First unsafe(pre) fn sketch

Unsafe function preconditions are often, though not always, about parameters. Often, as discussed in the static analysis section of the pre-RFC, they even target a subset of the function’s parameters.

As it turns out, unlike tagging whole functions as unsafe(pre), tagging individual function parameters as unsafe(pre) can be quite easily done without help from the language. All we need is a suitably designed wrapper type for the parameters:

struct UnsafeData<T>(T)

impl<T> UnsafeData<T> {
    // Need an unsafe block to attest that the contract is respected
    unsafe fn new(inner: T) -> Self { Self(inner) }

    // Accessor methods are unimportant and may be freely bikeshedded,
    // a realistic implementation will probably want to use Deref, or
    // even make the whole type pub.
    fn unpack(self) -> T { self.0 }
    fn get(&self) -> &T { &self.0 }
    fn get_mut(&mut self) -> &mut T { &mut self.0 }
}

// UNSAFE PRECONDITION: "dangerous" must be equal to 42.
fn unsafe_pre(dangerous: UnsafeData<usize>, safe: isize) {
    // Some boilerplate is needed on the callee side because this is
    // a type system hack rather than a language feature. But most
    // importantly, the body of the function is not implicitly unsafe.
    let dangerous = dangerous.unpack();

    // Do something with the parameters, with or without using the
    // unsafe precondition that the input UnsafeData provides
}

fn call_unsafe_pre() {
    // I hereby testify that I understood the contract of unsafe_pre()
    let dangerous = unsafe { UnsafeData::new(42) };
    unsafe_pre(dangerous, 64);
}

If a precondition is not about a single function parameter, but about a relationship between multiple function parameters, then we can state this by putting the parameters together in a tuple or struct and giving an UnsafeData<ParameterPack> to the function.

// UNSAFE PRECONDITION: The provided index must be in range for the
// provided slice for this code to be safe.
fn unsafe_coupling(coupled: UnsafeData<(&[u8], usize)>) -> u8 {
    let coupled = coupled.unpack();
    unsafe { coupled.0.get_unchecked(coupled.1) }
}

Then there is the problem of unsafe preconditions which are about “ambient state” (the hardware, the operating system, global variables…) rather than unsafe parameters. We can encode them in the type system by using a marker type which actually contains nothing, but is unsafe to create nonetheless:

struct UnsafeContext()

impl UnsafeContext {
    // Again, we need unsafe to attest that the precondition is upheld
    unsafe fn new() -> Self { Self() }
}

// UNSAFE PRECONDITION: Do not use this function outside of April 1st
fn april_fools(joke: &str, _date_checked: UnsafeContext) {
    println!("{}", joke);
}

fn call_april_fools() {
    // Yes, I am sure that it is April 1st today
    let date_checked = unsafe { UnsafeContext::new() };
    april_fools("Rust is getting merged into C++20", date_checked);
}

First unsafe(post) fn sketch, and a problem

These functions promise safety-critical guarantees about either their result or the ambient state at the end of their execution. So we use the same strategy here of using a suitable wrapper type on the result side. As it turns out, we can do this using the same UnsafeData and UnsafeContext notions that we have introduced above:

// UNSAFE POSTCONDITION: Will return "42"
fn unsafe_post() -> UnsafeData<usize> {
    /* Perfectly safe work */

    // I'm sure that this is 42, I have double-checked it
    unsafe { UnsafeData::new(42) }
}

// UNSAFE POSTCONDITION: Only returns on April 1st
fn wait_april_1st() -> UnsafeContext {
    /* Safely wait until the day is right */

    // I have made sure that it is time now
    unsafe { UnsafeContext::new() }
}

fn call_unsafe_post() {
    let result = unsafe_post();
    wait_april_1st();

    // Again, some _safe_ boilerplate is needed on the caller side
    let result = result.unpack();
}

Although they introduce some boilerplate at the boundary between unsafe and safe code, these library-level implementations of unsafe(pre) and unsafe(post) compose nicely with each other…

fn compose() {
    april_fools("Rust 2018 will introduce mandatory garbage collection", wait_april_1st());
    unsafe_pre(unsafe_post(), 64);
}

…however, there lies also a major problem with this first type system encoding of unsafe preconditions and postconditions: it is excessively permissive. We can plug unsafe data from any function into any other function that expects unsafe data of the same type, even if the associated unsafe preconditions and postconditions are wholly unrelated, and all this occurs without using an unsafe block. This is obviously not good.

Take two: encoding the contract

To address this major safety issue, we need to make the underlying contract part of the UnsafeData or UnsafeContext type. A first rough implementation could use simple marker types:

// Unsafe types
struct UnsafeData<T, Contract>(T, Contract)
struct UnsafeContext<Contract>(Contract)

// Marker types representing contracts
struct DataIs42()
struct DayIsApril1st()

// Shorthands to avoid insanity
type DataWithContract = UnsafeData<usize, DataIs42>
type ContextWithContract = UnsafeContext<DayIsApril1st>

By adding suitable trait bounds on the Contract type and modifications to the UnsafeData and UnsafeContext implementation, one could also later extend this implementation into a poor man’s design-by-contract tool, where contracts which are expressible in code are expressed in code, as @gbutler had in mind earlier.

As before unsafe associated trait methods would be handled with the same formalism as free unsafe functions, with added “every implementation must provide this” caveats.

What a library-based proposal cannot address

As stated before, like any type system hack, this is much more boilerplate-intensive than language-level concept integration.
A library cannot deprecate the old unsafe abstraction vocabulary, leading to confusing coexistence of the old and new approach (some will see this as an advantage)
There is as far as I can tell no way to express unsafe(post) traits at the type system level in today’s Rust, so they would need to stick with the current syntax
Unsafe invariants cannot be expressed as function inputs and outputs, and therefore cannot be expressed at the type system level. They can be again approximated with UnsafeContext, but the approximation is even more detached from the actual contract.
With a library-level implementation, some forms of static analysis such as linting of dangerous existing usage of unsafe code become much more difficult.

HadrienG · 2018-03-29T17:53:14.092Z

jmst:

I don’t think “unsafe(post)” on non-trait functions makes any sense.

Unsafe code could want to rely on the advertised behavior of ANY function defined in ANY crate, and there is no way to predict whether a given function would want to be used by unsafe code.

For instance, what parts of the standard library should be tagged as “unsafe(post)”? (the answer of course is all of it, which makes it pointless)

A similar concern already exists today with const fn. So far, the answer has basically been “mark fns as const if someone has a need for it and you see yourself upholding this contract forever in the future”. I think this reasoning also applies to unsafe(post), but even more so.

unsafe(post) is a strong commitment from the implementor of a function. When you mark a function as unsafe(post), you are not merely stating “I think that this function is correct and have quickly checked it in my unit tests”, as with normal functions. What you are now saying is “I am so convinced that this function is correct, for any set of inputs and on every hardware architecture which Rust will ever run on, that I am ready to bet the Rust language’s type/memory/thread-safety on it, and to promise that it will remain a safe bet forever in the future”.

Effectively, an unsafe(post) function is a piece of unsafe code like any other (which is why the proposed rules force use of an unsafe block to implement it), and as such it must be subjected to the same level of scrutinity and quality standards as other unsafe code, which in sane Rust projects is much higher than that of regular code.

This is why I do not expect every function out there to become unsafe(post), but only carefully selected code which is specifically intended to be used in unsafe codebases, and ready to undergo the stringent level of QA that elicits the hard-earned confidence of experienced Rust programmers in unsafe code.

HadrienG · 2018-03-29T20:15:45.221Z

What a great comment! I find myself in agreement with much of what you are saying here, so this will be mostly about clarifying a bit my position and what I am trying to achieve here.

A tale of complexity and complication

I understand that some difficulties of unsafe emerge from essential complexity (i.e. stuff that is fundamentally hard, like proving any kind of theorem about arbitrarily aliased pointers), and that other difficulties emerge from accidental complication (i.e. stuff that is only hard because of usability issues, like unsafe Rust’s “do not trust safe abstractions” rule). Here, I am aiming for the latter kind of issue, and agree that the former kind can only be overcome through teaching, experience, and obsessive amounts of QA.

I do not think that either of us really knows how these two kinds of difficulties are distributed. Is it mostly the former? Mostly the latter? A bit of both? You seem to be partial towards the first interpretation, whereas I seem to be partial towards the second interpretation. In defense of the latter, my experience of software ergonomics has always been that software engineers tend to have a strong psychological bias towards avoiding the “bad ergonomics” explanation, instead preferring to blame either their users or the essential complexity of their product. I know that I am no different, so I consciously attempt to correct this bias by forcing my mind in the opposite direction a bit. Maybe I am pushing it too far, though, you tell me

Best-case usability matters too!

The hypothesis which I build upon, rightly or wrongly, is that there definitely is a non-negligible ergonomic component to the difficulty of writing correct unsafe code. That there are things which we could do to hint our users in the right direction, and which would come at a relatively low cost when writing correct unsafe code, but which we do not do yet.

I have provided a couple of examples of what I perceive to be low-usability areas in Rust’s unsafe abstraction design, which you have agreed with, so it seems to me that without further proof, we can at least agree that this hypothesis is not completely ridiculous. But you do raise a very good point here, which is that the best answer to a usability issue does not simply make it harder to do the wrong thing. It also keeps it almost as easy, or even makes it easier, to do the right thing.

An unfortunately widespread failure to understand this fact is what gives real-life safety interlocks a bad reputation: many of these do make it harder to do the wrong thing, but at the cost of also making it harder to do the right thing, which is not usually perceived to be a good compromise even when the harm that is prevented is much greater than the harm which is inflicted.

In contrast, well-designed safety systems hint the user away from the error before it has even occurred, ideally going as far as to make the error impossible. Like the little knife design cues which tell you which side of the blade is the sharp one, or the “auto-ignite” gas appliance mechanisms that make sure that you cannot turn on the gas flow without lighting it up.

As you say, Unsafe Rust cannot, by its very nature, reach the “no error possible” usability nirvana. It exists so that if it is written correctly, Safe Rust will be able to. So our role model for Unsafe Rust ergonomics should not be an auto-ignite gas appliance, but a good knife: still dangerous, yet so easy to grasp that you do not need that much training to use it safely. More exactly, it should be a sharp knife: as everyone who regularly uses knives know, dull knives are more dangerous than sharp ones in spite of being theoretically less so, because the frustration of cutting anything with them will lead you to start doing stupid things with your hands. Annoying safeties are worse than no safety at all.

Reducing mental footprint

I think that clarifying the semantics of unsafe abstractions would be a step in the right direction, because from my understanding it actually would make it easier, rather than harder, to implement them correctly.

Today, devising an unsafe abstraction involves a small set of complex decisions. Like “where do I need to write the unsafe keyword?”, or “should I mark this function as unsafe?”. These decisions are few because each use of the “unsafe” keyword has a tremendous amount of power in today’s Rust. But they are also complex because analyzing all this expressive power comes at the cost of a higher mental footprint.

Whenever you write “unsafe” in your code, you need to pause and think “hey, why am I doing that?”. Is it because you want to do something unsafe? Because you assume something that is potentially critical to your code’s safety, or that of someone else’s code? Because you guarantee something that is critical to memory-safety? Or maybe a combination of several of these things? Are you sure that you have thought about all of it? Have you documented it somewhere?

And then, because unsafe does not mandate documentation of the underlying contract (another thing which I wish static analyzers like clippy or rustc’s warnings would lint on), there are chances that other people who will need to maintain that code much later in the future, including yourself, will need to go through this complex thought process all over again. What does each unsafe keyword in this code mean? What is it about? Am I sure that I can fully understand it? Can I trust the comments to tell me everything?

All this mental complexity leads to mistakes, which in the case of unsafe means safety bugs. So I wish we could part away with some of this complexity, by doing what humans always do when encountering big chunks of complexity: breaking it down in smaller pieces.

What this proposal aims at

And this is, in a nutshell, what this pre-RFC is about: cutting the big scary blob of unsafe abstraction semantics into smaller pieces which the human brain can more easily digest, using the opportunity to also augment the semantics of “unsafe” with notions that we have been talking about forever in the Rust community, like unsafe contracts, without yet being able to express them in code.

By making “unsafe” less monolithic, we turn the process of designing an unsafe abstraction from a set of few complex decisions to a set of many simple ones. We are no longer marking methods are unsafe and reverse-engineering what that means after the fact, instead we…

…start by putting an unsafe block inside of them (“Rust, please remove the safety net!”)
…then realize that we need to make an assumption inside of that block (“Hmmm, I really need that slice index to be in range…”)
…then encode that assumption as an unsafe precondition.
At that point, ideally, our favorite static analyzer starts linting us that we need to document that precondition. Ah, yes, this is true, we need to do that.
Then some development passes, and some time later, we realize that we need to make the same assumption many times, and that we always guarantee it in the same way. So we extract the code which offers that guarantee in a dedicated function, or perhaps a trait if we want to allow for other implementations in the future.
“But well”, our helpful static analyzer then starts wondering, “how am I, or your future self and collaborators, to figure out that the contents of this function are critical to memory safety?”. Of course, the analyzer is right. So we mark the function’s output as featuring an unsafe postcondition, and in order to avoid another static analyzer lint, we immediately document what the postcondition is about.

In this model, developing unsafe abstractions has moved from a complex exercise in reverse-engineering the semantics of the language and of your code, into a more iterative process that naturally evolves from the unsafe block, which is the root of all unsafe development workflows, via a stream of small, simple, and self-contained abstraction design decisions.

Certainly, the price to pay for making each of these decisions easier is that there are more of them along the way. But overall, I think that when dealing with limited human brains, this is almost always the right trade-off.

This will not resolve anything!

…nor does it have to. It is intended as a step forward, not as a silver bullet.

The process of making Unsafe Rust easier to understand and use has begun a long time ago, with the first visible milestone being perhaps the publication of the Nomicon. It has gone through a large amount of intemediary steps, involving many blog posts, the Rust Belt project, and the ongoing unsafe Rust guidelines and memory model efforts.

Not every step was a direct success. Some RFCs were rejected, some std APIs like scoped threads had to be discarded in a backwards-incompatible way because even the best Rust devs could not fully tell what is safe from what isn’t. But even these apparent failures turned out to be mere learning experiences, which the community could use to move forward and avoid making the same mistake twice. Now we have sound scoped threads. Well, as far as we can tell, anyway

This pre-RFC is intended to be a stepping stone towards a future of easier unsafe development, which of course may never materialize:

By clarifying what unsafe Rust is about, it allows Rust’s famed static analysis tools (including rustc’s warnings and clippy) to go further in their analysis than was ever possible before, and hopefully to ultimately help unsafe code developers more at their task instead of less (since, by common agreement, they are the Rust developers who need most help).
By being designed for minimalism today and extensibility tomorrow (all the way to much more complex and tantalizing features like @gbutler’s statically checked contracts proposal), it makes gradual evolution of unsafe semantics a viable endeavour, rather than imposing from the start a daunting and impossibly large compatibility-breaking change.

Maybe this pre-RFC will ultimately be accepted, possibly after an indefinitely long library-based probation period. Maybe it will be hard-rejected. Maybe it will be left in limbo forever. Maybe it will be superseded by a better idea. But whatever happens, I hope that this thread will be remembered as a useful contribution to the continuous Rust improvement process of figuring out what Unsafe Rust is, what are its pitfalls, and how we can best avoid them…

But to go back to the core topic, yes, even if accepted, this pre-RFC won’t be enough to kill today’s TrustedLen. All it does is to introduce new abstraction vocabulary that can be used to devise its eventual replacement. And to clearly differentiate safe/unsafe abstractions and lint against unsafe code relying on safe abstractions. And to gradually phase out the “unsafe precondition means unsafe body” footgun, which we cannot just turn off in the compiler right away due to backwards compatibility promises.