On 22/09/14 05:12 PM, Tony Arcieri wrote:
> On Mon, Sep 22, 2014 at 12:32 PM, Daniel Micay <danielmi...@gmail.com
> <mailto:danielmi...@gmail.com>> wrote:
>
> > Rust doesn't use `unsafe` to uphold the UTF-8 invariant of strings. It
> > uses `unsafe` as a memory safety boundary, and in this case breaking the
> > invariant would be memory unsafe.
>
> I just want to say that I completely agree with you that "unsafe" is the
> wrong tool for the job here.
>
> However there is still a problem I feel is potentially solved via type
> systems, not necessarily Rust's, only if Rust chooses to rise to the
> challenge.
>
> After 1.0 might be a good time to start considering these problems. I
> know you already have enough work on your plate as-is.
I think it can be solved by using visibility, along with providing a way to override the visibility rules and call private functions. That means replacing the current usage of visibility for memory safety with unsafe fields though, but I think that's important to make the memory safety boundary work properly anyway.
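As an added illustration of the distinction drawn in this thread (not code from the thread or from the Rust standard library), the two hypothetical types below contrast an invariant that is memory-safety relevant and so sits behind `unsafe` (`Utf8`, modelled on `String`) with a purely logical one that visibility alone can enforce (`Percent`); the sample inputs in `demo` are constructed.

```rust
use std::str;

/// Mirrors `String`: the UTF-8 invariant matters for memory safety because
/// `as_str` hands the bytes to code that trusts char boundaries without
/// re-checking, so the unchecked constructor must be `unsafe`.
pub struct Utf8 {
    bytes: Vec<u8>, // private: only the constructors below can set it
}

impl Utf8 {
    /// Checked constructor: rejects invalid UTF-8 and needs no `unsafe`.
    pub fn new(bytes: Vec<u8>) -> Result<Utf8, str::Utf8Error> {
        str::from_utf8(&bytes)?;
        Ok(Utf8 { bytes })
    }

    /// # Safety
    /// `bytes` must be valid UTF-8; otherwise `as_str` returns a `&str`
    /// that violates the assumption every `str` method relies on.
    pub unsafe fn from_utf8_unchecked(bytes: Vec<u8>) -> Utf8 {
        Utf8 { bytes }
    }

    pub fn as_str(&self) -> &str {
        // Trusts the invariant: this is the memory safety boundary.
        unsafe { str::from_utf8_unchecked(&self.bytes) }
    }
}

/// A purely logical invariant (0..=100): the field is private and the only
/// constructor validates, so visibility enforces it with no `unsafe`; a
/// broken invariant could give wrong answers, never undefined behaviour.
pub struct Percent(u8);

impl Percent {
    pub fn new(v: u8) -> Option<Percent> {
        if v <= 100 { Some(Percent(v)) } else { None }
    }
    pub fn get(&self) -> u8 { self.0 }
}

/// Constructed inputs: valid "café" bytes, a byte (0xff) that is never
/// valid UTF-8, and an out-of-range percentage.
pub fn demo() -> (bool, bool, Option<u8>) {
    let ok = Utf8::new(b"caf\xc3\xa9".to_vec()).is_ok();
    let bad = Utf8::new(vec![0x66, 0xff]).is_err();
    let p = Percent::new(101).map(|p| p.get());
    (ok, bad, p)
}
```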
_______________________________________________
Rust-dev mailing list
Rust-dev@mozilla.org
https://mail.mozilla.org/listinfo/rust-dev