The Trusted Iterator Length Problem

reem · 2015-02-24T06:10:46.702Z

Oh, I would just have exact_size be an unsafe method and implementing it would therefore require typing unsafe.

huon · 2015-02-24T06:22:43.082Z

@reem, that’s the problem that @P1start (and the rest of the thread ) is describing: a method declared unsafe in the trait doesn’t require the implementer to write unsafe.

reem · 2015-02-25T07:29:10.501Z

That seems wrong then.

tbu · 2015-02-25T10:23:54.095Z

Currently the unsafe declaration in the trait just means that the function is unsafe to call, so it might have to fulfill a contract. This doesn’t necessarily mean that every implementation of this function has to rely on that contract, and when they don’t they can just omit the unsafe.

bluss · 2015-02-25T13:13:09.465Z

We need real specialization based on optionally available traits. An impl of an unsafe trait TrustedIteratorLength could be present, and functions should be able to specialize for that case.

theme · 2015-03-10T01:32:52.745Z

Filed an issue for making ExactSizeIterator unsafe

github.com/rust-lang/rfcs

Issue: ExactSizeIterator should be an unsafe trait

opened by theemathas on 2015-03-10

closed by nikomatsakis on 2015-04-09

I think that ExactSizeIterator should be an unsafe trait, so that its invariant can be relied upon by unsafe code.
See also...

quantheory · 2015-03-19T22:59:36.252Z

I’m not sure if this is sensible, but if not it might inspire someone to have a better idea:

unsafe trait ExactSizeIterator {}
trait MaybeExactSizeIterator {
    // Edit: The `&self` isn't actually used in the blanket impls, but it
    // seems necessary for object safety?
    fn size_hint_is_exact(&self) -> bool;
}
impl<T> MaybeExactSizeIterator for T where T: ExactSizeIterator {
    fn size_hint_is_exact(&self) -> bool { true }
}
impl<T> MaybeExactSizeIterator for T where T: !ExactSizeIterator {
    fn size_hint_is_exact(&self) -> bool { false }
}
trait Iterator : MaybeExactSizeIterator {
    // ...
}

Pros:

Addresses this issue.
Everyone who accepts an Iterator can get this information without loss of generality.
unsafe is in the right place.

Cons:

It makes no sense to implement ExactSizeIterator without also implementing Iterator, so the dependence is a bit weird.
We have to have specialization that can get something like the above past the coherence rules. If you don’t have negative bounds of some sort, you unfortunately can’t express anything about the absence of an unsafe trait.

nikomatsakis · 2015-03-21T10:11:36.319Z

tbu:

It’s even worse than I understood from that comment. The proposed method would be unsafe to call, but you can implement it without unsafe, with a simple fn exact_size(&self) -> bool { true }.

I just wanted to note that this is no longer true now that PR https://github.com/rust-lang/rust/pull/23452 has landed. If you have an unsafe fn in a trait, the impl must now implement it with an unsafe fn as well.

huon · 2015-03-21T10:37:34.127Z

Great! I think I’m pretty happy with the unsafe method solution now.

system · 2019-03-25T08:23:37.936Z

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.