On 12-10-15 08:27 AM, Marijn Haverbeke wrote:
    The question I guess is how often this situation comes up.  Is it
    just libmath? Or is this sort of thing extremely common when doing
    bindings?


Extremely common. I'm somewhat appalled that the blanket 'all C
functions are unsafe' idea is even being considered (and
enthusiastically supported). Yes, C code can segfault and do other nasty
things if you call it incorrectly. But wrapping every call to a C
function in an unsafe block will dilute the 'red flag' role of unsafe
blocks to the point of making them just painful noise, and wrapping the
C functions themselves in a wrapper function to make them safe is, in
most cases, a wax nose -- the wrapper will not be able to guarantee that
the call won't go wrong, so no safety is added.

A potential middle-ground: unsafe if it takes or returns a raw pointer, safe otherwise? Not perfect (e.g. racing on static data, and Spooky System Calls, still foul it up) but perhaps a closer approximation of fact?

In any case I agree with the notion that this has to be an (overridable) default, not a requirement for masses of nuisance boilerplate. In general we should notice cases where boilerplate is arising and nip them in the bud.

-Graydon

_______________________________________________
Rust-dev mailing list
[email protected]
https://mail.mozilla.org/listinfo/rust-dev
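
The pointer-based middle ground discussed in this thread, as an added example that is not part of the original messages: in current Rust (1.82 or later) an `unsafe extern` block lets each foreign declaration be marked `safe` or `unsafe` individually. `cos` and `strlen` are the standard C library functions; the wrapper names `cosine` and `strlen_checked` are hypothetical.

```rust
use std::ffi::{c_char, CStr};

// Requires Rust 1.82+. Each foreign item carries its own safety marker,
// so the default can be overridden per declaration.
unsafe extern "C" {
    // By-value argument and return: there is no pointer for the caller to
    // get wrong, so the declaration is marked `safe`.
    safe fn cos(x: f64) -> f64;

    // Takes a raw pointer: correctness depends on the caller passing a live,
    // NUL-terminated buffer, which the compiler cannot verify.
    unsafe fn strlen(s: *const c_char) -> usize;
}

/// Calls libm directly; no `unsafe` block is needed because the
/// declaration above is `safe`.
pub fn cosine(x: f64) -> f64 {
    cos(x)
}

/// A wrapper that does add a guarantee: `&CStr` can only be constructed
/// over a NUL-terminated buffer and the borrow keeps that buffer alive.
/// A wrapper that accepted `*const c_char` could not promise either.
pub fn strlen_checked(s: &CStr) -> usize {
    // SAFETY: `as_ptr` is valid and NUL-terminated for the borrow of `s`.
    unsafe { strlen(s.as_ptr()) }
}

fn main() {
    // Constructed sample input.
    let s = CStr::from_bytes_with_nul(b"libm\0").unwrap();
    println!("cos(0) = {}, strlen = {}", cosine(0.0), strlen_checked(s));
}
```

The `safe` marker is an assertion by whoever writes the declaration; as the message notes, by-value signatures can still misbehave through static data or system calls, and the compiler does not check for that.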