@@ -13,323 +13,8 @@ Where TRPL introduces the language and teaches the basics, TURPL dives deep into
1313the specification of the language, and all the nasty bits necessary to write
1414Unsafe Rust. TURPL does not assume you have read TRPL, but does assume you know
1515the basics of the language and systems programming. We will not explain the
16- stack or heap, we will not explain the basic syntax.
16+ stack or heap. We will not explain the basic syntax.
1717
1818
1919
20-
21-
22- # Meet Safe and Unsafe
23-
24- Safe and Unsafe are Rust's chief engineers.
25-
26- TODO: ADORABLE PICTURES OMG
27-
28- Unsafe handles all the dangerous internal stuff. They build the foundations
29- and handle all the dangerous materials. By all accounts, Unsafe is really a bit
30- unproductive, because the nature of their work means that they have to spend a
31- lot of time checking and double-checking everything. What if there's an earthquake
32- on a leap year? Are we ready for that? Unsafe better be, because if they get
33- * anything* wrong, everything will blow up! What Unsafe brings to the table is
34- * quality* , not quantity. Still, nothing would ever get done if everything was
35- built to Unsafe's standards!
36-
37- That's where Safe comes in. Safe has to handle * everything else* . Since Safe needs
38- to * get work done* , they've grown to be fairly carless and clumsy! Safe doesn't worry
39- about all the crazy eventualities that Unsafe does, because life is too short to deal
40- with leap-year-earthquakes. Of course, this means there's some jobs that Safe just
41- can't handle. Safe is all about quantity over quality.
42-
43- Unsafe loves Safe to bits, but knows that tey * can never trust them to do the
44- right thing* . Still, Unsafe acknowledges that not every problem needs quite the
45- attention to detail that they apply. Indeed, Unsafe would * love* if Safe could do
46- * everything* for them. To accomplish this, Unsafe spends most of their time
47- building * safe abstractions* . These abstractions handle all the nitty-gritty
48- details for Safe, and choose good defaults so that the simplest solution (which
49- Safe will inevitably use) is usually the * right* one. Once a safe abstraction is
50- built, Unsafe ideally needs to never work on it again, and Safe can blindly use
51- it in all their work.
52-
53- Unsafe's attention to detail means that all the things that they mark as ok for
54- Safe to use can be combined in arbitrarily ridiculous ways, and all the rules
55- that Unsafe is forced to uphold will never be violated. If they * can* be violated
56- by Safe, that means * Unsafe* 's the one in the wrong. Safe can work carelessly,
57- knowing that if anything blows up, it's not * their* fault. Safe can also call in
58- Unsafe at any time if there's a hard problem they can't quite work out, or if they
59- can't meet the client's quality demands. Of course, Unsafe will beg and plead Safe
60- to try their latest safe abstraction first!
61-
62- In addition to being adorable, Safe and Unsafe are what makes Rust possible.
63- Rust can be thought of as two different languages: Safe Rust, and Unsafe Rust.
64- Any time someone opines the guarantees of Rust, they are almost surely talking about
65- Safe. However Safe is not sufficient to write every program. For that,
66- we need the Unsafe superset.
67-
68- Most fundamentally, writing bindings to other languages
69- (such as the C exposed by your operating system) is never going to be safe. Rust
70- can't control what other languages do to program execution! However Unsafe is
71- also necessary to construct fundamental abstractions where the type system is not
72- sufficient to automatically prove what you're doing is sound.
73-
74- Indeed, the Rust standard library is implemented in Rust, and it makes substantial
75- use of Unsafe for implementing IO, memory allocation, collections,
76- synchronization, and other low-level computational primitives.
77-
78- Upon hearing this, many wonder why they would not simply just use C or C++ in place of
79- Rust (or just use a "real" safe language). If we're going to do unsafe things, why not
80- lean on these much more established languages?
81-
82- The most important difference between C++ and Rust is a matter of defaults:
83- Rust is 100% safe by default. Even when you * opt out* of safety in Rust, it is a modular
84- action. In deciding to work with unchecked uninitialized memory, this does not
85- suddenly make dangling or null pointers a problem. When using unchecked indexing on ` x ` ,
86- one does not have to suddenly worry about indexing out of bounds on ` y ` .
87- C and C++, by contrast, have pervasive unsafety baked into the language. Even the
88- modern best practices like ` unique_ptr ` have various safety pitfalls.
89-
90- It cannot be emphasized enough that Unsafe should be regarded as an exceptional
91- thing, not a normal one. Unsafe is often the domain of * fundamental libraries* : anything that needs
92- to make FFI bindings or define core abstractions. These fundamental libraries then expose
93- a safe interface for intermediate libraries and applications to build upon. And these
94- safe interfaces make an important promise: if your application segfaults, it's not your
95- fault. * They* have a bug.
96-
97- And really, how is that different from * any* safe language? Python, Ruby, and Java libraries
98- can internally do all sorts of nasty things. The languages themselves are no
99- different. Safe languages * regularly* have bugs that cause critical vulnerabilities.
100- The fact that Rust is written with a healthy spoonful of Unsafe is no different.
101- However it * does* mean that Rust doesn't need to fall back to the pervasive unsafety of
102- C to do the nasty things that need to get done.
103-
104-
105-
106-
107-
108- # What do Safe and Unsafe really mean?
109-
110- Rust cares about preventing the following things:
111-
112- * Dereferencing null or dangling pointers
113- * Reading [ uninitialized memory] [ ]
114- * Breaking the [ pointer aliasing rules] [ ]
115- * Producing invalid primitive values:
116- * dangling/null references
117- * a ` bool ` that isn't 0 or 1
118- * an undefined ` enum ` discriminant
119- * a ` char ` larger than char::MAX (TODO: check if stronger restrictions apply)
120- * A non-utf8 ` str `
121- * Unwinding into another language
122- * Causing a [ data race] [ ]
123- * Invoking Misc. Undefined Behaviour (in e.g. compiler intrinsics)
124-
125- That's it. That's all the Undefined Behaviour in Rust. Libraries are free to
126- declare arbitrary requirements if they could transitively cause memory safety
127- issues, but it all boils down to the above actions. Rust is otherwise
128- quite permisive with respect to other dubious operations. Rust considers it
129- "safe" to:
130-
131- * Deadlock
132- * Have a Race Condition
133- * Leak memory
134- * Fail to call destructors
135- * Overflow integers
136- * Delete the production database
137-
138- However any program that does such a thing is * probably* incorrect. Rust
139- provides lots of tools to make doing these things rare, but these problems are
140- considered impractical to categorically prevent.
141-
142- Rust models the seperation between Safe and Unsafe with the ` unsafe ` keyword.
143- There are several places ` unsafe ` can appear in Rust today, which can largely be
144- grouped into two categories:
145-
146- * There are unchecked contracts here. To declare you understand this, I require
147- you to write ` unsafe ` elsewhere:
148- * On functions, ` unsafe ` is declaring the function to be unsafe to call. Users
149- of the function must check the documentation to determine what this means,
150- and then have to write ` unsafe ` somewhere to identify that they're aware of
151- the danger.
152- * On trait declarations, ` unsafe ` is declaring that * implementing* the trait
153- is an unsafe operation, as it has contracts that other unsafe code is free to
154- trust blindly.
155-
156- * I am declaring that I have, to the best of my knowledge, adhered to the
157- unchecked contracts:
158- * On trait implementations, ` unsafe ` is declaring that the contract of the
159- ` unsafe ` trait has been upheld.
160- * On blocks, ` unsafe ` is declaring any unsafety from an unsafe
161- operation within to be handled, and therefore the parent function is safe.
162-
163- There is also ` #[unsafe_no_drop_flag] ` , which is a special case that exists for
164- historical reasons and is in the process of being phased out. See the section on
165- [ destructors] [ ] for details.
166-
167- Some examples of unsafe functions:
168-
169- * ` slice::get_unchecked ` will perform unchecked indexing, allowing memory
170- safety to be freely violated.
171- * ` ptr::offset ` is an intrinsic that invokes Undefined Behaviour if it is
172- not "in bounds" as defined by LLVM (see the lifetimes section for details).
173- * ` mem::transmute ` reinterprets some value as having the given type,
174- bypassing type safety in arbitrary ways. (see [ conversions] [ ] for details)
175- * All FFI functions are ` unsafe ` because they can do arbitrary things.
176- C being an obvious culprit, but generally any language can do something
177- that Rust isn't happy about.
178-
179- As of Rust 1.0 there are exactly two unsafe traits:
180-
181- * ` Send ` is a marker trait (it has no actual API) that promises implementors
182- are safe to send to another thread.
183- * ` Sync ` is a marker trait that promises that threads can safely share
184- implementors through a shared reference.
185-
186- The need for unsafe traits boils down to the fundamental lack of trust that Unsafe
187- has for Safe. All safe traits are free to declare arbitrary contracts, but because
188- implementing them is a job for Safe, Unsafe can't trust those contracts to actually
189- be upheld.
190-
191- For instance Rust has ` PartialOrd ` and ` Ord ` traits to try to differentiate
192- between types which can "just" be compared, and those that actually implement a
193- * total* ordering. Pretty much every API that wants to work with data that can be
194- compared * really* wants Ord data. For instance, a sorted map like BTreeMap
195- * doesn't even make sense* for partially ordered types. If you claim to implement
196- Ord for a type, but don't actually provide a proper total ordering, BTreeMap will
197- get * really confused* and start making a total mess of itself. Data that is
198- inserted may be impossible to find!
199-
200- But that's ok. BTreeMap is safe, so it guarantees that even if you give it a
201- * completely* garbage Ord implementation, it will still do something * safe* . You
202- won't start reading uninitialized memory or unallocated memory. In fact, BTreeMap
203- manages to not actually lose any of your data. When the map is dropped, all the
204- destructors will be successfully called! Hooray!
205-
206- However BTreeMap is implemented using a modest spoonful of Unsafe (most collections
207- are). That means that it is not necessarily * trivially true* that a bad Ord
208- implementation will make BTreeMap behave safely. Unsafe most be sure not to rely
209- on Ord * where safety is at stake* , because Ord is provided by Safe, and memory
210- safety is not Safe's responsibility to uphold. * It must be impossible for Safe
211- code to violate memory safety* .
212-
213- But wouldn't it be grand if there was some way for Unsafe to trust * some* trait
214- contracts * somewhere* ? This is the problem that unsafe traits tackle: by marking
215- * the trait itself* as unsafe * to implement* , Unsafe can trust the implementation
216- to be correct (because Unsafe can trust themself).
217-
218- Rust has traditionally avoided making traits unsafe because it makes Unsafe
219- pervasive, which is not desirable. Send and Sync are unsafe is because
220- thread safety is a * fundamental property* that Unsafe cannot possibly hope to
221- defend against in the same way it would defend against a bad Ord implementation.
222- The only way to possibly defend against thread-unsafety would be to * not use
223- threading at all* . Making every operation atomic isn't even sufficient, because
224- it's possible for complex invariants between disjoint locations in memory.
225-
226- Even concurrent paradigms that are traditionally regarded as Totally Safe like
227- message passing implicitly rely on some notion of thread safety -- are you
228- really message-passing if you send a * pointer* ? Send and Sync therefore require
229- some * fundamental* level of trust that Safe code can't provide, so they must be
230- unsafe to implement. To help obviate the pervasive unsafety that this would
231- introduce, Send (resp. Sync) is * automatically* derived for all types composed only
232- of Send (resp. Sync) values. 99% of types are Send and Sync, and 99% of those
233- never actually say it (the remaining 1% is overwhelmingly synchronization
234- primitives).
235-
236-
237-
238-
239- # Working with Unsafe
240-
241- Rust generally only gives us the tools to talk about safety in a scoped and
242- binary manner. Unfortunately reality is significantly more complicated than that.
243- For instance, consider the following toy function:
244-
245- ``` rust
246- fn do_idx (idx : usize , arr : & [u8 ]) -> Option <u8 > {
247- if idx < arr . len () {
248- unsafe {
249- Some (* arr . get_unchecked (idx ))
250- }
251- } else {
252- None
253- }
254- }
255- ```
256-
257- Clearly, this function is safe. We check that the index is in bounds, and if it
258- is, index into the array in an unchecked manner. But even in such a trivial
259- function, the scope of the unsafe block is questionable. Consider changing the
260- ` < ` to a ` <= ` :
261-
262- ``` rust
263- fn do_idx (idx : usize , arr : & [u8 ]) -> Option <u8 > {
264- if idx <= arr . len () {
265- unsafe {
266- Some (* arr . get_unchecked (idx ))
267- }
268- } else {
269- None
270- }
271- }
272- ```
273-
274- This program is now unsound, an yet * we only modified safe code* . This is the
275- fundamental problem of safety: it's non-local. The soundness of our unsafe
276- operations necessarily depends on the state established by "safe" operations.
277- Although safety * is* modular (we * still* don't need to worry about about
278- unrelated safety issues like uninitialized memory), it quickly contaminates the
279- surrounding code.
280-
281- Trickier than that is when we get into actual statefulness. Consider a simple
282- implementation of ` Vec ` :
283-
284- ``` rust
285- // Note this defintion is insufficient. See the section on lifetimes.
286- struct Vec <T > {
287- ptr : * mut T ,
288- len : usize ,
289- cap : usize ,
290- }
291-
292- // Note this implementation does not correctly handle zero-sized types.
293- // We currently live in a nice imaginary world of only positive fixed-size
294- // types.
295- impl <T > Vec <T > {
296- fn push (& mut self , elem : T ) {
297- if self . len == self . cap {
298- // not important for this example
299- self . reallocate ();
300- }
301- unsafe {
302- ptr :: write (self . ptr. offset (len as isize ), elem );
303- self . len += 1 ;
304- }
305- }
306- }
307- ```
308-
309- This code is simple enough to reasonably audit and verify. Now consider
310- adding the following method:
311-
312- ``` rust
313- fn make_room (& mut self ) {
314- // grow the capacity
315- self . cap += 1 ;
316- }
317- ```
318-
319- This code is safe, but it is also completely unsound. Changing the capacity
320- violates the invariants of Vec (that ` cap ` reflects the allocated space in the
321- Vec). This is not something the rest of ` Vec ` can guard against. It * has* to
322- trust the capacity field because there's no way to verify it.
323-
324- ` unsafe ` does more than pollute a whole function: it pollutes a whole * module* .
325- Generally, the only bullet-proof way to limit the scope of unsafe code is at the
326- module boundary with privacy.
327-
328-
329-
330- [ trpl ] : https://doc.rust-lang.org/book/
331- [ pointer aliasing rules ] : lifetimes.html#references
332- [ uninitialized memory ] : uninitialized.html
333- [ data race ] : concurrency.html
334- [ destructors ] : raii.html
335- [ conversions ] : conversions.html
20+ [ trpl ] : https://doc.rust-lang.org/book/
0 commit comments