Description
Proposal
Unsafe checking is presently implemented on MIR. However, we have a steady stream of problems related to this; in particular, the lang team generally expects unsafe checking to be "syntactic" in nature, but MIR is not mapped to syntax very closely. This means that we need special hacks to do things like require unsafe { } when dereferencing a raw pointer in dead code, or in other situations. The most recent bug like this is rust-lang/rust#80059.
The reason we chose to implement unsafe checking on MIR was because it was more desugared, and in particular we wanted to enforce some safety conditions on access to fields of packed structs (iirc). Finding all borrows is kind of difficult on HIR, and trivial in MIR. However, requiring unsafe code in dead code etc. is trivial in HIR, and a pain in MIR. So what to do? (See caveat below.)
I propose we rewrite the unsafe checker to operate on THIR. THIR is fully explicit about borrows and things but still basically an AST, like HIR, and therefore much easier to manage.
Caveat: borrows of fields on a packed struct are "insta-UB" (at least, if the field is not aligned), and not really just "unsafe". So preventing such borrows is not really the job of the unsafety checker; they should be outright rejected both inside and outside unsafe blocks (see rust-lang/rust#27060).
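The two user-facing rules the proposal talks about, shown from the side of the code being checked rather than the checker. This is an added example, not code from the MCP or from rustc; it assumes a stable toolchain and a hypothetical packed struct named Packed. The raw-pointer dereference sits in a branch that can never run and still needs unsafe { }, which is the "syntactic" expectation the lang team has; the packed field is read by value and through a raw pointer made with addr_of!, because taking an ordinary reference to the misaligned field is rejected by the compiler regardless of unsafe, which is the caveat above.

```rust
// Added example (not part of the MCP or rustc): the unsafety rules the text
// discusses, written so that the file compiles on stable Rust.

#[repr(C, packed)]
pub struct Packed {
    pub tag: u8,
    pub value: u32, // lives at offset 1, so it is misaligned for a u32
}

/// Dereferencing a raw pointer requires `unsafe` even when the dereference is
/// unreachable: the check is syntactic, not flow-sensitive.
pub fn deref_in_dead_code(p: *const u32) -> u32 {
    if false {
        // Without the `unsafe` block this is error E0133, although the branch
        // can never execute.
        return unsafe { *p };
    }
    0
}

/// Reading a packed field by value is safe: the compiler emits an unaligned load.
pub fn read_by_value(s: &Packed) -> u32 {
    s.value
}

/// Writing `&s.value` here would be rejected outright, inside or outside an
/// `unsafe` block, because a misaligned reference is immediate UB (the
/// rust-lang/rust#27060 caveat). The supported route is a raw pointer from
/// `addr_of!` plus an unaligned read.
pub fn read_via_raw_ptr(s: &Packed) -> u32 {
    let p: *const u32 = std::ptr::addr_of!(s.value);
    // SAFETY: `p` points into a live `Packed` borrowed for the whole call, and
    // `read_unaligned` does not require alignment.
    unsafe { p.read_unaligned() }
}

pub fn main() {
    let s = Packed { tag: 1, value: 0xDEAD_BEEF }; // constructed sample value
    assert_eq!(read_by_value(&s), 0xDEAD_BEEF);
    assert_eq!(read_via_raw_ptr(&s), 0xDEAD_BEEF);
    assert_eq!(deref_in_dead_code(&7u32 as *const u32), 0);
    println!("ok");
}
```

Deleting the unsafe block in deref_in_dead_code, or replacing addr_of!(s.value) with &s.value, are the two edits that make this file stop compiling; the first is the unsafety checker's job, the second is not.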
Mentors or Reviewers
I would be happy to mentor, but I am looking for someone to do the implementation work!
Process
The main points of the Major Change Process are as follows:
- File an issue describing the proposal.
- A compiler team member or contributor who is knowledgeable in the area can second by writing @rustbot second.
- Finding a "second" suffices for internal changes. If however you are proposing a new public-facing feature, such as a -C flag, then full team check-off is required. Compiler team members can initiate a check-off via @rfcbot fcp merge on either the MCP or the PR.
- Once an MCP is seconded, the Final Comment Period begins. If no objections are raised after 10 days, the MCP is considered approved.
You can read more about Major Change Proposals on forge.
Comments
This issue is not meant to be used for technical discussion. There is a Zulip stream for that. Use this issue to leave procedural comments, such as volunteering to review, indicating that you second the proposal (or third, etc), or raising a concern that you would like to be addressed.