I have been tangentially involved in a trial which was meant to try to introduce Rust in an old and large project which has regular audits for certain components and code paths.
The trial was concluded recently with a "lessons learned" meeting, and the auditors wondered if it's possible to annotate
unsafe blocks to constrain what can be done within it. There was a specific case in the trial where an unsafe block was used to access members in an union, and the question was if it's possible to put constraints on the code block to explicitly disallow any other types of unsafe features.
I occurred to me after the conversation that this might not even be as useful as one might think, since some unsafe features may potentially be expressable using other features, which would make the strict categorization (for the intended purpose here) much less useful.
In their hypothetical example they had put an
unsafe_allowed = "enum_member_access" (or something along that line) attribute on an
unsafe block. Is there already any such feature, are there any plans for one, or has it already been rejected?
I think they found the idea of constraining certain types of operations within
unsafe-blocks to be appealing to their auditing process, but on sober reflection I can't help think it's a little odd -- these auditors are quite happy to tell you that you can never trust a compiler (or even hardware..) to do what you tell it, so I'm not sure how such an
unsafe constraint would be trusted within that frame of reference.