Originally posted by ssokolow
View Post
Linux 6.13 Hits A "Tipping Point" With More Rust Drivers Expected Soon
Collapse
X
-
Originally posted by darkonix View Post
Unsafe provides a limited number of extra features:- Dereference raw pointers
- Implement unsafe traits
- Call unsafe functions
- Mutate statics (including external ones)
- Access fields of unions
This analysis of unsafe usage in the wild is interesting: https://foundation.rust-lang.org/new...f-unsafe-rust/
What does calling unsafe functions mean? Are you saying you can't call functions that have unsafe blocks in them at all without unsafe? Or just the way they are called is unsafe? (i.e. arguments)
Mutating statics is extremely common too but I suppose there's alternatives for that so whatever. (i.e. caching expensive things at runtime that should be loaded on demand, and yes, I mean with thread safety and an atomic exchange)
And you can't use unions at all in safe Rust code? Yikes.
Comment
-
Originally posted by Weasel View PostI can't understand how you can program anything of value without dereferencing raw pointers (which is the same thing as accessing a reference).
What does calling unsafe functions mean? Are you saying you can't call functions that have unsafe blocks in them at all without unsafe? Or just the way they are called is unsafe? (i.e. arguments)
Code:unsafe fn dangerous() {} unsafe { dangerous(); }
Mutating statics is extremely common too but I suppose there's alternatives for that so whatever. (i.e. caching expensive things at runtime that should be loaded on demand, and yes, I mean with thread safety and an atomic exchange)
"If a static item is declared with the mut keyword, then it is allowed to be modified by the program. However, accessing mutable statics can cause undefined behavior in a number of ways, for example due to data races in a multithreaded context. As such, all accesses to mutable statics require an unsafe block."
It allows you to do things that are undefined behavior if you explicitly say it is unsafe.
And you can't use unions at all in safe Rust code? Yikes.
"Unions have no notion of an “active field”. Instead, every union access just interprets the storage as the type of the field used for the access. Reading a union field reads the bits of the union at the field’s type. Fields might have a non-zero offset (except when the C representation is used); in that case the bits starting at the offset of the fields are read. It is the programmer’s responsibility to make sure that the data is valid at the field’s type. Failing to do so results in undefined behavior. For example, reading the value 3 from a field of the boolean type is undefined behavior."
Rust uses unsafe as a way for the programmer to take responsibility explicitly for code that can cause undefined behavior. It let's you do it but you have to be explicit. I really like that approach instead of hiding potentially dangerous behavior from the programmer, or the programmer ignoring what they are doing.
Comment
-
-
Originally posted by Weasel View PostBecause then it's C with an infinitely worse syntax, so what's the point? (Rust syntax is horrid, and for the next guy who will start his history lesson about how it borrows from OCaml, I will make it clear so you can understand: OCaml is trash and has terrible syntax)
But really the point is that 99% of your code isn't in the unsafe blocks, so you're really only comparing the 1% as if it was the entire language, which I don't agree with.Last edited by smitty3268; 16 December 2024, 03:31 AM.
Comment
-
-
Originally posted by darkonix View PostYou don't need a raw pointer because there are type safe references. You need a raw pointer only to deal with a C library or some systems/embedded access. Similar to C++ references but more powerful (ref https://stackoverflow.com/a/64167719/721855).
People keep saying references can't be null. But they can. There's absolutely zero guarantee the caller doesn't supply you a null reference, just like passing a null pointer. And that leads to a crash which is just the same as an assertion...?
The fact Rust has only "smart pointers" while those are just an optional thing (i.e. programmer's choice) in C++ kinda proves which one is superior (it's not Rust since it forces you to one thing).
Originally posted by darkonix View PostI'll refer to the link:
"If a static item is declared with the mut keyword, then it is allowed to be modified by the program. However, accessing mutable statics can cause undefined behavior in a number of ways, for example due to data races in a multithreaded context. As such, all accesses to mutable statics require an unsafe block."
It allows you to do things that are undefined behavior if you explicitly say it is unsafe.
Originally posted by darkonix View PostApparently no, because it is really unsafe to do so: https://doc.rust-lang.org/reference/...g-union-fields
"Unions have no notion of an “active field”. Instead, every union access just interprets the storage as the type of the field used for the access. Reading a union field reads the bits of the union at the field’s type. Fields might have a non-zero offset (except when the C representation is used); in that case the bits starting at the offset of the fields are read. It is the programmer’s responsibility to make sure that the data is valid at the field’s type. Failing to do so results in undefined behavior. For example, reading the value 3 from a field of the boolean type is undefined behavior."
Rust uses unsafe as a way for the programmer to take responsibility explicitly for code that can cause undefined behavior. It let's you do it but you have to be explicit. I really like that approach instead of hiding potentially dangerous behavior from the programmer, or the programmer ignoring what they are doing.
There's an alternative to do type punning without union in C/C++ but it requires compiler extensions (may_alias attribute). I don't see how having to cast and use such types is any different than an "unsafe" block...?
Comment
-
Comment