1 unstable release
0.1.0 | Jan 18, 2020 |
---|
#6 in #equivalence
7KB
55 lines
Reduce unsafe code and detect soundness bugs with equivalence checks against safe code
For discussions on this idea see the RFC on the Rust Internals forum and Rust Secure Code Working Group.
To indicate preference of safety over performance: add --cfg reduce_unsafe
to your RUSTFLAGS
.
reduce_unsafe::unchecked!
runs the unsafe code unless the --cfg reduce_unsafe
flag is present.
reduce_unsafe::checked!
uses debug_assertions
to decide between reduce_unsafe::unchecked!
and running both branches and panics if they diverge.
If you have unsafe code which you believe is sound which could be implemented (slower) with safe code, consider using the reduce_unsafe::checked!
or reduce_unsafe::unchecked!
macros or #[cfg(reduce_unsafe)]
attribute.
let my_str = unsafe {
str::from_utf8_unchecked(bytes)
};
becomes
let my_str = reduce_unsafe::checked!(
unsafe { str::from_utf8_unchecked(bytes) },
str::from_utf8(bytes).expect("BUG: unsound unsafe code detected")
);
or if the returned type does not implement PartialEq
or there are visible side effects
let my_str = reduce_unsafe::unchecked!(
unsafe { str::from_utf8_unchecked(bytes) },
str::from_utf8(bytes).expect("BUG: unsound unsafe code detected")
);