On 15.10.2012 at 17:27, Marijn Haverbeke <[email protected]> wrote:

> The question I guess is how often this situation comes up.  Is it just 
> libmath? Or is this sort of thing extremely common when doing bindings?
> 
> Extremely common. I'm somewhat appalled that the blanket 'all C functions are 
> unsafe' idea is even being considered (and enthusiastically supported). Yes, 
> C code can segfault and do other nasty things if you call it incorrectly. But 
> wrapping every call to a C function in an unsafe block will dilute the 'red 
> flag' role of unsafe blocks to the point of making them just painful noise, 
> and wrapping the C functions themselves in a wrapper function to make them 
> safe is, in most cases, a wax nose -- the wrapper will not be able to 
> guarantee that the call won't go wrong, so no safety is added.
> 

An 'extern safe' vs. 'extern' as 'extern unsafe' by default would be my 
favorite: At least it gives the author of a binding a chance to say 'I thought 
about this and don't expect it to do anything nasty'.  This already should help 
prioritize when hunting bugs and auditing code.  I'd love it if such declarations 
would optionally come with a person's name for increased social interaction ;)

On the crate level it may be worthwhile to be able to use other crates and say 
to what degree they are trusted, i.e. whether calls to that crate should be 
considered unsafe or not. Exploring this may make it desirable to have a third 
trust level for 'claimed safe by the author'.


Cheers,



Stefan.
_______________________________________________
Rust-dev mailing list
[email protected]
https://mail.mozilla.org/listinfo/rust-dev
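Added example, not code from this thread: the per-function 'extern safe' vs. 'extern unsafe' split discussed above is what stable Rust (1.82 and later) ships as `safe`/`unsafe` qualifiers inside an `unsafe extern` block. The block assumes a Linux/glibc target where `getpid`, `abs` and `strlen` come from the libc that std already links; the two wrappers show when a Rust-side check really does make a C call safe and when the guarantee has to be carried by the argument type instead.

```rust
use std::ffi::CStr;
use std::os::raw::{c_char, c_int};

// Rust 1.82+ syntax: the extern block is `unsafe` because every declaration in it
// is a trusted claim about C, and each item is then qualified individually.
unsafe extern "C" {
    // getpid() takes no arguments and has no failure mode: claimed safe,
    // so callers need no unsafe block at all.
    safe fn getpid() -> c_int;
    // abs() is undefined behaviour for INT_MIN in C, so the claim stays unsafe.
    unsafe fn abs(x: c_int) -> c_int;
    // strlen() requires a valid NUL-terminated buffer: unsafe.
    unsafe fn strlen(s: *const c_char) -> usize;
}

/// A wrapper that genuinely adds safety: the single bad input is rejected first.
pub fn checked_abs(x: i32) -> Option<i32> {
    if x == i32::MIN {
        return None;
    }
    // SAFETY: for every value other than i32::MIN the result is representable.
    Some(unsafe { abs(x) })
}

/// A wrapper whose precondition is carried by the type: a `&CStr` can only be
/// built from NUL-terminated bytes, so the pointer handed to C is always valid.
pub fn c_str_len(s: &CStr) -> usize {
    // SAFETY: CStr guarantees a valid, NUL-terminated buffer for the borrow's lifetime.
    unsafe { strlen(s.as_ptr()) }
}

/// Calls the `safe fn` declaration directly; no unsafe block appears here.
pub fn current_pid() -> i32 {
    getpid()
}

fn main() {
    println!("pid {}", current_pid());
    println!("abs(-7) = {:?}", checked_abs(-7));
    println!("abs(i32::MIN) = {:?}", checked_abs(i32::MIN));
    // Constructed sample input for the type-enforced wrapper.
    let s = CStr::from_bytes_with_nul(b"hello\0").unwrap();
    println!("strlen = {}", c_str_len(s));
}
```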
