I've read this issue before, and I still don't see anything that qualifies as "a global ramification or undesirable consequence" you mentioned earlier:
Allow me to re-ask my question without the red herring on whether or not marking `freeze` as unsafe would satisfy the skeptics, or what that would mean exactly.
Do you have a reference to such a global ramification or undesirable consequence which is:
- Relevant to by-value freeze (`MaybeUninit<T> -> MaybeUninit<T>`). I agree that by-ref `freeze` is highly problematic with `MADV_FREE` existing and other optimizations.
- Not directly or indirectly a concern stemming from "using uninit memory is potentially leaks sensitive information", e.g. heartbleed related security arguments. These arguments simply make `freeze` bad by definition, because it could leak information, regardless of how it's used.
@RalfJung If your argument really just comes down to "using uninit memory is potentially leaks sensitive information", then I can respect that at least, but I'd like you to state it as such without hiding behind handwavy "global ramifications or undesirable consequences". If you really do have another technical argument not covered by my two conditions above, I'd love to hear it.
For me personally, assuming there isn't some other technical argument against `freeze`, I would be satisfied by a strongly worded comment on `freeze` noting how it's a potential security issue. Furthermore, really sensitive information like encryption keys and passwords should already be wiped from memory before calling `free` regardless of `freeze` existing, for a variety of reasons.