I have been working on adding unsafe functions. The first "installment" is
ready to be merged: it simply allows functions or blocks to be tagged as
unsafe. The code to actually check that unsafe functions are only called from
unsafe blocks is included, but not enabled. I have a branch that adds
sufficient unsafe annotations to make the library and compiler compile, but it
cannot be merged in until a new snapshot is generated that contains the first
installment. I will submit a push request soon.
The current syntax is as follows:
"unsafe fn foo() { … }" designates an unsafe function. Unsafe functions can
only be used from unsafe code. Unsafe code is either another unsafe function
or the contents of an unsafe block.
An unsafe block is written "unsafe {…}". The contents of the block are unsafe
but the block itself is not. This allows unsafe code to be wrapped inside of
safe functions.
To create an unsafe wrapper function, the most convenient notation is the
following:
fn foo(…) -> T unsafe {
… (unsafe code) ...
}
Here the keyword unsafe precedes the "{" that begins the body of the function.
This means that the body is an unsafe block, but the function itself is safe.
Certainly restrictions are not currently enforced. I intend to add these in
next:
* The only unsafe operations are invoking native libraries or unsafe functions.
I will shortly begin adding other operations such as pointer dereferences or
arithmetic. Any suggestions for operations/ast nodes that ought to be unsafe
are welcome.
* Unsafe functions should not be first class. That is, you should not be able
to get a pointer to an unsafe function, it must be called by name.
Note that it is possible to create a Smalltalk/Ruby-stlye block in unsafe
functions or blocks. Such "fn blocks" may contain unsafe code. I believe this
is safe because those blocks can only be invoked from within the context of the
unsafe creator.
Niko
_______________________________________________
Rust-dev mailing list
[email protected]
https://mail.mozilla.org/listinfo/rust-dev
