unsafe attributes

[RalfJung]

Consider some attributes 'unsafe', so that they must only be used like this:

#[unsafe(no_mangle)]

Rendered
Prior discussion on IRLO

[ojeda]

Yes, please! :)

[joshtriplett]

We do have to settle this. You can put declarations inside a block within a function, including AFAIK an unsafe block.

[Lokathor]

A fn inside of an unsafe block inside of another fn doesn't "inherit" the unsafe block over its body, so it would be most logical for it to also not inherit the unsafe block over its attributes.

https://play.rust-lang.org/?version=stable&mode=debug&edition=2021&gist=59b2b073cba046f252f19218933b0d21

[RalfJung]

Good point, will add a note on that.

[joshtriplett]

I don't want to bikeshed something that doesn't need to be in this RFC. But I do think this is the wrong syntax. unsafe used like that should be "unsafe to derive", not "derives an unsafe trait".

[RalfJung]

Indeed, the intention is that this is an example for "unsafe to derive". Note that the text says "the deriving macro itself cannot check all required safety conditions".

[Lokathor]

I don't think that this RFC offers much for library developers.

Normally, when you write a library and use an unsafe block, you can know for sure (because of a runtime check or because of a type system trick, or for some other reason) that your unsafe operation is justified at that point in the code. That is actually why you write the unsafe block. If you can't be sure that everything is alright, the you do not write that unsafe block. Perhaps you make the entire function an unsafe fn and pass the obligation on to the caller. It doesn't matter. What matters is that you do not use unsafe blocks unless you have the situational knowledge to justify why the contents of the block won't cause UB in this situation. I think we all agree on this position.

However, say that a library needs to export a function under a particular name. The library author needs to use either no_mangle or export_name. These are unsafe attributes. The unsafety here is that if a given symbol is defined more than once among all the object files being linked together to form an executable, it's UB. But the library author does not control what object files get linked into the final executable, and so they absolutely should not write "SAFETY: there is no other global function of this name" next to #[unsafe(no_mangle)]. That is not a promise that the library author can keep.

The same goes for link_section. The library author does not decide on the linker script used to generate the executable, so they can't make a promise about the validity of using a special link section on a particular fn or static.

If you write an unsafe block without the proper pre-conditions, the code is considered to be unsound code. "please don't publish that on crates.io", and so on. This RFC forces library authors to write unsafe(...) around attribute usage that they are incapable of validating the safety pre-conditions for.

The RFC makes unsafe attribute usage more "grep-able", but not actually less unsafe or less error prone. This doesn't give a library author the ability to communicate to a user, "I'm doing this unusual thing, here's what you need to do on your end to make sure things work out". The RFC doesn't prevent UB at all. It just follows the absolute letter of the rust law that says "if there's UB then someone must have used unsafe", and now we can point to the literal ascii string having appeared in some file somewhere.

[afetisov]

"More greppable" is largely the point. While the specific attributes (no_mangle, link_section, link, link_name) may be grepped for manually, It also provides a general mechanism to communicate unsafety of arbitrary other attributes (including proc macros, custom attributes and external tool attributes). It's also much easier to grep for unsafe than to remember the full list of all attributes with unsafe behaviour. It also adds the concept of unsafety for attributes, which allows tools to depend on it (e.g. forbid usage of these attributes in the #![forbid(unsafe_code)] lint, or propagate unsafety through macros).

With regards to usage by library authors, you should think about it like unsafe fn rather than unsafe { } block. I.e. you, as the author, specify preconditions which all users must satisfy, even though you can't enforce them yourself. It's the same situation as an extern fn: you provide an unsafe API, but you can't know or make any guarantees about its consumers.

But I think @Lokathor 's objection can be rephrased in the following way: with unsafe fn, there are really two concepts at play. The function may be unsafe to use, enforcing preconditions on its consumers, or unsafe to implement, requiring extra care from its author and allowing the usage of unsafe calls inside. Many people think that it was a mistake to merge those two concepts into a single unsafe fn. We have the same issue with unsafe attributes: do they mean that the API consumers must uphold extra invariants, or that the function author promises that some invariants are satisfied? With #[unsafe(no_mangle)] (and all other proposed existing unsafe attributes) it's the former. With #[derive(unsafe(DangerousTrait))] it's likely the latter.

[Lokathor]

I absolutely would not say that about unsafe fn, I think it is factually wrong.

[Nemo157]

It sounds like the missing step there is the ability to mark your crate as unsafe

/// SAFETY: We require users of this crate to promise there is no other global `write` symbol
#[unsafe(no_mangle)]
pub fn write() {}

This provides something similar to item-level unsafe {} blocks, but we don't have a corresponding item-level unsafe fn declaration to wrap them.

[Nemo157]

We have the same issue with unsafe attributes: do they mean that the API consumers must uphold extra invariants, or that the function author promises that some invariants are satisfied? With #[unsafe(no_mangle)] (and all other proposed existing unsafe attributes) it's the former. With #[derive(unsafe(DangerousTrait))] it's likely the latter.

Both of these examples are the latter. You are discharging the unsafety of the attribute or the derive. There is no way existing or with this RFC to do the former.

[Lokathor]

The other thing is that if the compiler handled it then we could make no_mangle a safe attribute, but we're just not doing that.

[comex]

The other thing is that if the compiler handled it then we could make no_mangle a safe attribute, but we're just not doing that.

That’s quite impossible if you’re statically linking any C code or other precompiled objects into the executable, since the compiler doesn’t know what names that code might define or depend on. And on some platforms (Linux), symbol definitions can leak even across dynamically linked libraries.

[Lokathor]

Well the compiler could scan at least all objects it knows go into the linking, even if they're written in non-rust.

But if symbols can leak in even after the initial linking then not only is there no hope to make no_mangle fully safe, but there's clearly also no hope you could ever discharge your safety obligation within a library. So I think that supports my point that just putting the string "unsafe" next to no_mangle is not itself improving things by much.

Idea for a separate RFC: Perhaps cargo could generate a list of all the unmangled symbols all your deps are bringing in so that you can check the list?

[RalfJung]

However, say that a library needs to export a function under a particular name. The library author needs to use either no_mangle or export_name. These are unsafe attributes. The unsafety here is that if a given symbol is defined more than once among all the object files being linked together to form an executable, it's UB. But the library author does not control what object files get linked into the final executable, and so they absolutely should not write "SAFETY: there is no other global function of this name" next to #[unsafe(no_mangle)]. That is not a promise that the library author can keep.

That is just fundamental in the nature of these attributes -- they can only be checked on the whole-program "post-linking" level. There is no way to soundly use any of them in a library. The RFC doesn't change that, it just makes this existing fact more clear. I have amended the text to clarify that.

[ojeda]

Well the compiler could scan at least all objects it knows go into the linking, even if they're written in non-rust.

It would not cover all cases, so you would still need to mark them as unsafe.

I think such a scan would be orthogonal to the RFC: it could be performed (or not) regardless of whether we get unsafe attributes.

no hope to make no_mangle fully safe [...] putting the string "unsafe" next to no_mangle is not itself improving things by much.

Yeah, but since there is no way to make it happen in the general case, at least this one should be marked as such.

Of course, that doesn't mean you cannot add new, safe attributes in the future for similar use cases.

Perhaps cargo could generate a list of all the unmangled symbols all your deps are bringing in so that you can check the list?

The generated docs of rustdoc could be another good place to put them.

[joshtriplett]

@rfcbot merge

[rfcbot]

Team member @joshtriplett has proposed to merge this. The next step is review by the rest of the tagged team members:

• @joshtriplett
• @nikomatsakis
• @pnkfelix
• @scottmcm
• @tmandry

Concerns:

• change-syntax-to-drop-parentheses resolved by unsafe attributes #3325 (comment)
• maybe-make-this-part-of-next-edition resolved by unsafe attributes #3325 (comment)
• syntax-not-ideal resolved by unsafe attributes #3325 (comment)

Once a majority of reviewers approve (and at most 2 approvals are outstanding), this will enter its final comment period. If you spot a major issue that hasn't been raised at any point in this process, please speak up!

cc @rust-lang/lang-advisors: FCP proposed for lang, please feel free to register concerns.
See this document for info about what commands tagged team members can give me.

[tmandry]

@rfcbot reviewed

However that could make it tricky to consistently support non-builtin unsafe attributes in the future, so the RFC proposes to not do that yet.

Not a blocking concern since this is forward-compatible, but I don't see how supporting safe attributes makes it difficult to support non-builtin unsafe attributes in the future. I suppose nesting could be problematic if we support nesting under arbitrary unknown attributes.

[RalfJung]

I really don't know what is hard or easy with proc macro attributes and things like that, so after the first version of this PR (which was very liberal with where unsafe could be used) got feedback pointing out that could be tricky, I made it super restrictive.

[scottmcm]

Pondering: this leans more into the use of unsafe as the keyword to discharge the safety obligation.

Would this be a place to add the hold_my_beer (not under that name) term that is for discarding specifically, to leave unsafe as the marker for introducing obligations?

Or would it be too weird to have the different word here but not in the other places?

[RalfJung]

Or would it be too weird to have the different word here but not in the other places?

Yeah that feels pretty weird to me. If we want to use another keyword for this use of unsafe we should do it consistently.

[rfcbot]

🔔 This is now entering its final comment period, as per the review above. 🔔

[pnkfelix]

@rfcbot concern maybe-make-this-part-of-next-edition

During T-lang triage, I posed the question of whether we should not push to land this change across all Rust editions, and instead have it only become a change on e.g. Rust 2024.

If we do want this to be coupled to the edition boundary, then it would be good for the RFC to spell out how it is coupled to the edition. (E.g. maybe it is always warn-by-default for Rust editions < 2024, but is a hard error to leave out the unsafe-discharge for edition >= 2024.)

[kpreid]

Here is a technical question that might give a reason beyond subjective readability to pick a syntax: Is unsafe itself an attribute that can be shadowed? (For example, the built-in attribute derive can, which is used in macro_rules_attribute to useful effect).

• If it cannot be shadowed, then perhaps it should have a different syntax that falls outside of normal attribute() and attribute =, to highlight that it is not just an attribute.
• If it can be shadowed, then it's weird that we're enabling "shadowing a keyword" which is normally impossible, but maybe that's valuable regularity, in which case I think the syntax should be regular too.

[tgross35]

For lack of any better idea, I created a discussion with poll to try to estimate the general feel. https://rust-lang.zulipchat.com/#narrow/stream/213817-t-lang/topic/Unsafe.20attribute.20syntax/near/424767855

Well, currently parentheses has a pretty big lead 23-3-3. I don't think anyone likes making decisions by poll, but that does seem to be a reasonable enough level of consensus to pass this on to the lang team, barring any technical/grammar issues that have been brought up.

Here is a technical question that might give a reason beyond subjective readability to pick a syntax: Is unsafe itself an attribute that can be shadowed? (For example, the built-in attribute derive can, which is used in macro_rules_attribute to useful effect).

* If it cannot be shadowed, then perhaps it should have a different syntax that falls outside of normal `attribute()` and `attribute =`, to highlight that it is not _just an attribute_.

* If it can be shadowed, then it's weird that we're enabling "shadowing a keyword" which is normally impossible, but maybe that's valuable regularity, in which case I think the syntax should be regular too.

Great concern - but to create an attribute macro you would need to create a function of the same name, which you cannot do. I guess that is just keyword vs. more or less a builtin function with name scope.

extern crate proc_macro;
use proc_macro::TokenStream;


#[proc_macro]
pub fn unsafe(_: TokenStream) -> TokenStream { todo!() }

mod unsafe {
    macro_rules! unsafe { ()=>() }
}

$ rustc foo.rs --crate-type=proc-macro
error: expected identifier, found keyword `unsafe`
 --> foo.rs:6:8
  |
6 | pub fn unsafe(_: TokenStream) -> TokenStream { todo!() }
  |        ^^^^^^ expected identifier, found keyword

error: expected identifier, found keyword `unsafe`
 --> foo.rs:8:5
  |
8 | mod unsafe {
  |     ^^^^^^ expected identifier, found keyword

error: expected identifier, found keyword `unsafe`
 --> foo.rs:9:18
  |
9 |     macro_rules! unsafe { ()=>() }
  |                  ^^^^^^ expected identifier, found keyword

[Jules-Bertholet]

Great concern - but to create an attribute macro you would need to create a function of the same name, which you cannot do.

Technically, you can use the r#unsafe syntax, but the attribute then requires r#unsafe as well.

[joshtriplett]

Given all the support the parenthesis option has, and the opposition to some of the other options, and the impending edition cutoff, I'm going to resolve this concern. I no longer think we should block on this. If another team member would like to raise a blocking concern, please go ahead.

@rfcbot resolve syntax-not-ideal

[rfcbot]

🔔 This is now entering its final comment period, as per the review above. 🔔

[rfcbot]

The final comment period, with a disposition to merge, as per the review above, is now complete.

As the automated representative of the governance process, I would like to thank the author for their work and everyone else who contributed.

This will be merged soon.

[RalfJung]

I have updated the filename to match the RFC number.
@rust-lang/lang I think merging the PR is usually done by someone on the team?

[traviscross]

The lang team has accepted this RFC, and we've now merged it.

Thanks to @RalfJung for pushing this work forward, and thanks to all those who reviewed this RFC and contributed helpful feedback.

For further updates on this work, follow the tracking issue:

• Tracking Issue for RFC 3325: unsafe attributes rust#123757