Re: [rust-dev] Declaring the API unsafe while keeping the internal safety checks

Thu, 01 Jan 2015 12:07:29 -0800 


On 2015-01-01 12:17, Vladimir Pouzanov wrote:

I had this idea for some time and I'd like to discuss it to see if it is
something reasonable to be proposed for rust to implement or there are
other ways around the problem.

Let's say I have a low level function that manipulates the hardware
clock using some platform-specific argument. Internally this function
will do an unsafe volatile mem write to store value in the register, but
this is the only part of the code that is unsafe compiler-wise, whatever
else is in there in the function is safe and I want the compiler to warn
me if any other unsafe operation happens.

Now, given that this function is actually unsafe in terms of its
realtime consequences (it does not do any validation of the input for
speed) I want to mark it as unsafe fn and make a safer wrapper for end
users, while keeping this for the little subset of users that will need
the actual speed benefits.

Unfortunately, marking it unsafe will now allow any other unsafe
operation in the body of the function, when what I wanted is just to
force users of it to be aware of unsafety via compiler validation.


I would typically do:

#[inline]
fn do_some_required_computations() { /* execute safe code here */ }

pub unsafe fn set_clock_mode(mode: uint32) {
    do_some_required_computations();
    // write the value to mmaped register
}


That said, I believe Rust's idea of what is "unsafe" is pretty 
restricted to memory safety, and one would not typically mark things 
that are unsafe by other means as "unsafe".




A safe {} block could have helped me in this case. But is it a good idea
overall?

Some pseudo-code to illustrate

pub unsafe fn set_clock_mode(mode: uint32) {
   // ...
   // doing some required computations
   // this code must be 'safe' for the compiler
   unsafe {
     // ...
     // writing the value to mmaped register, this one is unsafe but
validated by programmer
   }
}

pub fn set_clock_mode_safe(mode: uint32) -> bool {
   // ...
   // validate input
   unsafe {
     // I want this call to require unsafe block
     set_clock_mode(mode);
   }
}

--
Sincerely,
Vladimir "Farcaller" Pouzanov
http://farcaller.net/


_______________________________________________
Rust-dev mailing list
Rust-dev@mozilla.org
https://mail.mozilla.org/listinfo/rust-dev



--
David Henningsson, Canonical Ltd.
https://launchpad.net/~diwic
_______________________________________________
Rust-dev mailing list
Rust-dev@mozilla.org
https://mail.mozilla.org/listinfo/rust-dev






















					Reply via email to