Split large unsafe function slide #2406
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,47 @@ | ||
| --- | ||
| minutes: 5 | ||
| --- | ||
|
|
||
| # Calling Unsafe Functions | ||
|
|
||
| Failing to uphold the safety requirements breaks memory safety! | ||
|
|
||
| ```rust,editable | ||
| #[derive(Debug)] | ||
| #[repr(C)] | ||
| struct KeyPair { | ||
| pk: [u16; 4], // 8 bytes | ||
| sk: [u16; 4], // 8 bytes | ||
| } | ||
|
|
||
| const PK_BYTE_LEN: usize = 8; | ||
|
|
||
| fn log_public_key(pk_ptr: *const u16) { | ||
| let pk: &[u16] = unsafe { std::slice::from_raw_parts(pk_ptr, PK_BYTE_LEN) }; | ||
| println!("{pk:?}"); | ||
| } | ||
|
|
||
| fn main() { | ||
| let key_pair = KeyPair { pk: [1, 2, 3, 4], sk: [0, 0, 42, 0] }; | ||
| log_public_key(key_pair.pk.as_ptr()); | ||
| } | ||
| ``` | ||
|
|
||
| Always include a safety comment for each `unsafe` block. It must explain why the | ||
| code is actually safe. This example is missing a safety comment and has UB. | ||
|
|
||
| <details> | ||
|
|
||
| Key points: | ||
|
|
||
| - The second argument to `slice::from_raw_parts` is the number of _elements_, | ||
| not bytes! This example demonstrate undefined behavior by reading past the end | ||
| of one array and into another. | ||
|
|
||
| - The standard library contains many low-level unsafe functions. Prefer the safe | ||
| alternatives when possible! | ||
|
|
||
| - If you use an unsafe function as an optimization, make sure to add a benchmark | ||
| to demonstrate the gain. | ||
|
|
||
| </details> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,33 @@ | ||
| --- | ||
| minutes: 3 | ||
| --- | ||
|
|
||
| # Unsafe External Functions | ||
|
|
||
| All functions implemented in a foreign language are considered unsafe in Rust: | ||
|
|
||
| ```rust,editable | ||
| extern "C" { | ||
| fn abs(input: i32) -> i32; | ||
| } | ||
|
|
||
| fn main() { | ||
| // SAFETY: `abs` doesn't deal with pointers and doesn't have any safety | ||
| // requirements. | ||
| unsafe { | ||
| println!("Absolute value of -3 according to C: {}", abs(-3)); | ||
| } | ||
| } | ||
| ``` | ||
|
|
||
| <details> | ||
|
|
||
| `abs` is unsafe because it is an external function (FFI). Calling external | ||
| functions is usually only a problem when those functions do things with pointers | ||
| which might violate Rust's memory model, but in general any C function might | ||
| have undefined behaviour under any arbitrary circumstances. | ||
|
There was a problem hiding this comment. Is it worth mentioning here that there is no automatic checking of the Rust function signature against that of the target function? For example, in this case the C function might take |
||
|
|
||
| The `"C"` in this example is the ABI; | ||
| [other ABIs are available too](https://doc.rust-lang.org/reference/items/external-blocks.html). | ||
|
|
||
| </details> | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,100 +1,19 @@ | ||
| --- | ||
| minutes: 1 | ||
| --- | ||
|
|
||
| # Unsafe Functions | ||
|
|
||
| A function or method can be marked `unsafe` if it has extra preconditions you | ||
| must uphold to avoid undefined behaviour. | ||
|
|
||
| There are two main categories: | ||
|
|
||
| - Foreign functions in `extern "C"` blocks. | ||
| - Rust functions declared unsafe with `unsafe fn`. | ||
|
|
||
| <details> | ||
|
|
||
| We will look at the two kinds of unsafe functions next. | ||
|
|
||
| </details> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,44 @@ | ||
| --- | ||
| minutes: 3 | ||
| --- | ||
|
|
||
| # Unsafe Rust Functions | ||
|
|
||
| You can mark your own functions as `unsafe` if they require particular | ||
| conditions to avoid undefined behaviour. | ||
|
|
||
| ```rust,editable | ||
| /// Swaps the values pointed to by the given pointers. | ||
| /// | ||
| /// # Safety | ||
| /// | ||
| /// The pointers must be valid and properly aligned. | ||
|
|
||
| unsafe fn swap(a: *mut u8, b: *mut u8) { | ||
| let temp = *a; | ||
| *a = *b; | ||
| *b = temp; | ||
| } | ||
|
|
||
| fn main() { | ||
| let mut a = 42; | ||
| let mut b = 66; | ||
|
|
||
| // SAFETY: ... | ||
| unsafe { | ||
| swap(&mut a, &mut b); | ||
| } | ||
|
|
||
| println!("a = {}, b = {}", a, b); | ||
| } | ||
| ``` | ||
|
|
||
| <details> | ||
|
|
||
| We wouldn't actually use pointers for a `swap` function --- it can be done | ||
| safely with references. | ||
|
|
||
| Note that unsafe code is allowed within an unsafe function without an `unsafe` | ||
| block. We can prohibit this with `#[deny(unsafe_op_in_unsafe_fn)]`. Try adding | ||
| it and see what happens. This will likely change in a future Rust edition. | ||
|
There was a problem hiding this comment. rust-lang/rust#120535 in the 2024 edition, in fact! |
||
|
|
||
| </details> | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For subslides, we've used a subdirectory to contain the subslides. Also, only the top-level slide has the timing information. See src/methods-and-traits/traits for an example.