
Commit 55de6fa

Author: mukund
Clarify some of the language around marking traits safe/unsafe. (#268)
1 parent a462a3a commit 55de6fa

File tree

1 file changed: +13 -10 lines changed


src/safe-unsafe-meaning.md

+13-10
@@ -121,16 +121,19 @@ trait expects. In this situation, the Unsafe Rust in the internals of
121121
implementation is correct. If it isn't, it's the fault of the unsafe trait
122122
implementation, which is consistent with Rust's safety guarantees.
123123

124-
The decision of whether to mark a trait `unsafe` is an API design choice.
125-
Rust has traditionally avoided doing this because it makes Unsafe
126-
Rust pervasive, which isn't desirable. `Send` and `Sync` are marked unsafe
127-
because thread safety is a *fundamental property* that unsafe code can't
128-
possibly hope to defend against in the way it could defend against a buggy
129-
`Ord` implementation. Similarly, `GlobalAllocator` is keeping accounts of all
130-
the memory in the program and other things like `Box` or `Vec` build on top of
131-
it. If it does something weird (giving the same chunk of memory to another
132-
request when it is still in use), there's no chance to detect that and do
133-
anything about it.
124+
The decision of whether to mark a trait `unsafe` is an API design choice. A
125+
safe trait is easier to implement, but any unsafe code that relies on it must
126+
defend against incorrect behavior. Marking a trait `unsafe` shifts this
127+
responsibility to the implementor. Rust has traditionally avoided marking
128+
traits `unsafe` because it makes Unsafe Rust pervasive, which isn't desirable.
129+
130+
`Send` and `Sync` are marked unsafe because thread safety is a *fundamental
131+
property* that unsafe code can't possibly hope to defend against in the way it
132+
could defend against a buggy `Ord` implementation. Similarly, `GlobalAllocator`
133+
is keeping accounts of all the memory in the program and other things like
134+
`Box` or `Vec` build on top of it. If it does something weird (giving the same
135+
chunk of memory to another request when it is still in use), there's no chance
136+
to detect that and do anything about it.
134137

135138
The decision of whether to mark your own traits `unsafe` depends on the same
136139
sort of consideration. If `unsafe` code can't reasonably expect to defend
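Review bot: the allocator trait is named `GlobalAlloc` (`std::alloc::GlobalAlloc`), not `GlobalAllocator`; the rewritten sentence "Similarly, `GlobalAllocator` is keeping accounts of all the memory in the program" carries the wrong identifier over from the old text, and since this hunk already touches that line it is the natural place to correct it. A second, smaller point on the new opening paragraph: "Marking a trait `unsafe` shifts this responsibility to the implementor" would be clearer if it said what the implementor takes on, e.g. "the implementor must uphold the trait's contract, so unsafe code may rely on it without defensive checks"; that makes the contrast with the safe-trait case ("any unsafe code that relies on it must defend against incorrect behavior") explicit rather than implied.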
