
Unsafe code can't assume invariants of (Partial){Eq,Ord}

Open bjorn3 opened this issue 5 years ago • 1 comment

In the second use, it may lead to classical security issues linked to memory safety violations. That is again a factor in the practice of limiting the use of unsafe blocks.

They are not unsafe traits, so unsafe code is not allowed to assume anything about their implementation. At worst, violating the documented invariants is allowed to cause a panic.

bjorn3 avatar Jun 26 '20 20:06 bjorn3

In particular, the standard library may not and does not use its assumed properties for such unsound optimizations as alluded to. That is in contrast to, for example, C++. In this spirit, I suggest adjusting the wording slightly to make it clear that these assumptions hold only when one looks for safety guarantees but are not required for soundness guarantees.

Rust assumes a lot of invariants

Rust expects a lot of invariants, for the purpose of safety guarantees,

Maybe it should also be considered to add a paragraph discouraging safety-critical code from having type parameters with these bounds, to avoid confusion for both the caller and the implementor.

197g avatar Jun 26 '20 20:06 197g
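The following is an added example illustrating both comments in this thread (bjorn3's point that unsafe code may not rely on `Ord` being lawful, and 197g's point that the standard library does not build unsound optimizations on it). It is example code written for this page, not code from the rust-guide or from the standard library. The type `BadOrd` and the functions `sort_unsound`, `sort_sound` and `is_sorted` are all constructed here: `BadOrd` has a deliberately inconsistent `Ord`, `sort_unsound` is a sentinel insertion sort whose `unsafe` block assumes a total order and therefore reads out of bounds on `BadOrd`, and `sort_sound` keeps the bounds check so a broken comparator can only yield a wrong order.

```rust
use std::cmp::Ordering;

/// Constructed type whose `Ord` impl violates the documented invariants:
/// `cmp` always answers `Greater`, so `a > b` and `b > a` both hold and
/// there is no total order. Safe code is allowed to do this; it is a logic
/// bug, and the standard library must stay memory-safe in its presence.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
struct BadOrd(u32);

impl PartialOrd for BadOrd {
    fn partial_cmp(&self, other: &Self) -> Option<Ordering> {
        Some(self.cmp(other))
    }
}

impl Ord for BadOrd {
    fn cmp(&self, _other: &Self) -> Ordering {
        Ordering::Greater
    }
}

/// UNSOUND sentinel insertion sort (hypothetical, for illustration only).
/// It moves the minimum to `v[0]` and then drops the `j > 0` bound check,
/// reasoning that `v[0] <= x` for every `x`, so the inner loop stops at
/// `j == 1`. That reasoning is only valid for a lawful `Ord`, which is not
/// something `unsafe` code may rely on: with `BadOrd`, `v[j-1] > v[j]` is
/// always true, `j` reaches 0, `j - 1` underflows (a panic in debug builds,
/// a wrap to `usize::MAX` in release builds) and the raw-pointer read goes
/// out of bounds. Do not call this with a type like `BadOrd`.
fn sort_unsound<T: Ord>(v: &mut [T]) {
    if v.len() < 2 {
        return;
    }
    // Place what Ord claims is the minimum at index 0 as a sentinel.
    let mut min = 0;
    for i in 1..v.len() {
        if v[i] < v[min] {
            min = i;
        }
    }
    v.swap(0, min);
    let p = v.as_mut_ptr();
    for i in 2..v.len() {
        let mut j = i;
        // SAFETY claim (wrong): "v[0] is the minimum, so this loop terminates
        // at j == 1 and every index stays in bounds." Only true for a
        // consistent total order, which the trait does not guarantee.
        unsafe {
            while *p.add(j - 1) > *p.add(j) {
                std::ptr::swap(p.add(j - 1), p.add(j));
                j -= 1;
            }
        }
    }
}

/// Sound insertion sort: the `j > 0` test and checked indexing enforce the
/// bounds regardless of what `Ord` answers, so a broken comparator can only
/// produce an unsorted result, never memory unsafety.
fn sort_sound<T: Ord>(v: &mut [T]) {
    for i in 1..v.len() {
        let mut j = i;
        while j > 0 && v[j - 1] > v[j] {
            v.swap(j - 1, j);
            j -= 1;
        }
    }
}

/// Reports whether `v` is sorted according to `Ord`. Used to show that the
/// sound sort finishes on `BadOrd` but, as expected, cannot produce an order
/// that `BadOrd` itself agrees is sorted.
fn is_sorted<T: Ord>(v: &[T]) -> bool {
    v.windows(2).all(|w| w[0] <= w[1])
}

fn main() {
    // Constructed input with a lawful Ord: the unsound sort happens to work.
    let mut ok = [5u32, 1, 4, 2, 3];
    sort_unsound(&mut ok);
    println!("lawful Ord, unsound sort: {:?}", ok);

    // Constructed input with a broken Ord: the sound sort terminates safely.
    let mut bad = [BadOrd(1), BadOrd(2), BadOrd(3)];
    sort_sound(&mut bad);
    println!("broken Ord, sound sort: {:?} (sorted? {})", bad, is_sorted(&bad));
    // sort_unsound(&mut bad) would be undefined behaviour; see its doc comment.
}
```

The takeaway matches bjorn3's comment: `Ord` and `Eq` are safe traits, so the only acceptable outcome of a broken implementation is a wrong answer or a panic, which is exactly what `sort_sound` delivers, and why `std`'s own sort routines cannot take the shortcut `sort_unsound` takes.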