@@ -895,6 +895,36 @@ marked `unsafe` is unsafe to use* is both pedagogically simple and fail safe; i.
895895field is marked ` unsafe ` , it cannot be misused in such a way that its invariant is violated in safe
896896code.
897897
898+ ### Mixing Syntactic Knobs with a Wrapper Type
899+
900+ One alternative proposed in this RFC's discussion recommends a combination of syntactic knobs and a
901+ wrapper type. In brief, a simple [ ` Unsafe ` wrapper type] ( #unsafe-wrapper-type ) would be provided,
902+ along with two field safety modifiers:
903+
904+ - ` unsafe `
905+ All uses except reading are ` unsafe ` .
906+ - ` unsafe(mut) `
907+ All uses except reading and ` &mut ` -referencing are ` unsafe ` .
908+
909+ Under this proposal, a programmer would use some combination of ` unsafe ` , ` unsafe(mut) ` and ` Unsafe `
910+ to precisely tune Rust's safety tooling protections, depending on the hazards of their invariant.
911+
912+ The primary advantage of this approach is that it results in comparatively fewer instances in which
913+ [ the programmer must write a 'trivial' safety proof] ( #trivial-safety-proofs ) . However, it achieves
914+ this by front-loading the requirement that the programmer imagine all possible safety hazards of
915+ their field. A mistake, here, may lead to a false sense of security if Rust fails to require
916+ ` unsafe ` for uses that are, in fact, dangerous. By contrast, this RFC requires that programmers
917+ resolve these questions only on an as-needed basis; e.g., until you need to ` & ` -reference a field,
918+ you do not need to confront whether doing so is * always* a safe operation.
919+
920+ This alternative also inherits some of the disadvantages of [ ` Unsafe ` wrapper
921+ types] ( #unsafe-wrapper-type ) ; namely that the safety proofs needed to operate on an ` Unsafe ` wrapper
922+ value depend on the dataflow of the program; the wrapper value must be traced to its originating
923+ field so that field's safety documentation may be examined.
924+
925+ Comparatively, we believe that this RFC's proposal is both pedagogically simpler and less prone to
926+ misuse, and that these benefits outweigh its [ drawbacks] ( #drawbacks ) .
927+
898928# Drawbacks
899929
900930## Trivial Safety Proofs
@@ -958,13 +988,13 @@ be invoked. Future language extensions that permit partial borrows will resolve
958988## Syntactic Knobs and Wrapper Types
959989
960990While we are confident that this RFC has the best tradeoffs among the alternatives in the design
961- space, it is not a one-way door. This RFC is forwards-compatible with some future additions of
962- [ syntactic knobs ] ( #more -syntactic-granularity ) and tooling-aware [ wrapper
963- types] ( #unsafe-wrapper-type ) . A variant of ` unsafe ` that permits safe ` & ` -referencing could be
964- introduced at any time without breaking existing code. Over an edition boundary, safe reads of
965- ` unsafe ` fields could be permitted by rewriting existing ` unsafe ` fields to wrap their field type in
966- a tooling-aware ` Unsafe ` wrapper type. This migration would be sound, but not seamless, and could
967- not be embarked on lightly.
991+ space, it is not a one-way door. This RFC is forwards-compatible with some future additions of some
992+ [ combinations ] ( #mixing -syntactic-knobs-with-a-wrapper-type ) of [ syntactic
993+ knobs ] ( #more-syntactic-granularity ) and [ wrapper types] ( #unsafe-wrapper-type ) . A variant of ` unsafe `
994+ that permits safe ` & ` -referencing could be introduced at any time without breaking existing code.
995+ Over an edition boundary, safe reads of ` unsafe ` fields could be permitted by rewriting existing
996+ ` unsafe ` fields to wrap their field type in a tooling-aware ` Unsafe ` wrapper type. This migration
997+ would be sound, but not seamless, and could not be embarked on lightly.
968998
969999## Safe Unions
9701000
0 commit comments