Working with Unsafe

    This function is safe and correct. We check that the index is in bounds, and if it is, index into the slice in an unchecked manner. But even in such a trivial function, the scope of the unsafe block is questionable. Consider changing the < to a <=:

    This program is now unsound, and yet we only modified safe code: with an index equal to the slice's length the check now passes, and the unchecked read goes one element past the end. This is the fundamental problem of safety: it's non-local. The soundness of our unsafe operations necessarily depends on the state established by otherwise "safe" operations.
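The two versions of the lookup described above, as an added example rather than the page's own code. The unchecked read is done with `get_unchecked`, which is this example's choice; the function names are also assumptions made here.

```rust
// Added example (not the Nomicon's own code): the bounds-checked lookup the
// text describes, next to the one-character change that makes it unsound.

/// Sound: the unchecked read happens only when idx < arr.len().
pub fn index_checked(idx: usize, arr: &[u8]) -> Option<u8> {
    if idx < arr.len() {
        // SAFETY: idx < arr.len() was just checked, so the slot exists.
        unsafe { Some(*arr.get_unchecked(idx)) }
    } else {
        None
    }
}

/// Unsound: identical unsafe block, but the *safe* comparison now admits
/// idx == arr.len(), so the unchecked read goes one element past the end.
/// Calling this with idx == arr.len() is undefined behaviour; only run it
/// that way under a tool such as Miri that exists to report it.
pub fn index_off_by_one(idx: usize, arr: &[u8]) -> Option<u8> {
    if idx <= arr.len() {
        // SAFETY claim (now false): the comparison above no longer
        // guarantees that idx names an element of the slice.
        unsafe { Some(*arr.get_unchecked(idx)) }
    } else {
        None
    }
}

fn main() {
    let arr = [10u8, 20, 30]; // constructed sample input
    println!("{:?}", index_checked(3, &arr)); // None: rejected by the check
    println!("{:?}", index_off_by_one(2, &arr)); // Some(30): still in bounds
    // index_off_by_one(3, &arr) would read past the end: UB, not exercised.
}
```

Nothing in the unsafe block changed, and rustc accepts both functions without complaint; the defect lives entirely in the safe comparison. Running the second function with an index equal to the length under Miri reports the out-of-bounds read, which is the kind of check worth having when the unsafe block's precondition is established elsewhere.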

    Safety is modular in the sense that opting into unsafety doesn't require you to consider arbitrary other kinds of badness. For instance, doing an unchecked index into a slice doesn't mean you suddenly need to worry about the slice being null or containing uninitialized memory. Nothing fundamentally changes. However, safety isn't modular in the sense that programs are inherently stateful and your unsafe operations may depend on arbitrary other state.

    This code is simple enough to reasonably audit and informally verify. Now consider adding the following method:

    This code is 100% Safe Rust but it is also completely unsound. Changing the capacity violates the invariants of Vec (that cap reflects the allocated space in the Vec). This is not something the rest of Vec can guard against. It has to trust the capacity field because there's no way to verify it.

    Because it relies on invariants of a struct field, this code does more than pollute a whole function: it pollutes a whole module. Generally, the only bullet-proof way to limit the scope of unsafe code is at the module boundary with privacy.
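A minimal vector that makes the capacity invariant and the module boundary concrete, covering both the unsound make_room method discussed above and the privacy point that follows it. This is an added example, not the Nomicon's or the standard library's code; the names MyVec, grow and roundtrip are this example's own, and zero-sized types are deliberately not handled.

```rust
// Added example (not the Nomicon's own code): a minimal vector whose unsafe
// blocks all trust one private field. Zero-sized types are not handled.
pub mod myvec {
    use std::alloc::{self, Layout};
    use std::mem;
    use std::ptr;

    pub struct MyVec<T> {
        ptr: *mut T, // null until the first grow
        len: usize,  // number of initialized slots
        cap: usize,  // INVARIANT: exactly cap slots are allocated at ptr
    }

    impl<T> MyVec<T> {
        pub fn new() -> Self {
            assert!(mem::size_of::<T>() != 0, "ZSTs are not handled here");
            MyVec { ptr: ptr::null_mut(), len: 0, cap: 0 }
        }

        pub fn push(&mut self, elem: T) {
            if self.len == self.cap {
                self.grow();
            }
            // SAFETY: len < cap and, by the module invariant, cap slots are
            // allocated, so ptr.add(len) is a valid, uninitialized slot.
            unsafe { ptr::write(self.ptr.add(self.len), elem) };
            self.len += 1;
        }

        pub fn pop(&mut self) -> Option<T> {
            if self.len == 0 {
                return None;
            }
            self.len -= 1;
            // SAFETY: slot len was initialized by an earlier push and is now
            // logically outside the vector, so moving it out is sound.
            Some(unsafe { ptr::read(self.ptr.add(self.len)) })
        }

        pub fn len(&self) -> usize { self.len }
        pub fn capacity(&self) -> usize { self.cap }

        // The only place cap changes: the allocation and the field move together.
        fn grow(&mut self) {
            let new_cap = if self.cap == 0 { 4 } else { self.cap * 2 };
            let new_layout = Layout::array::<T>(new_cap).expect("capacity overflow");
            let new_ptr = if self.cap == 0 {
                // SAFETY: T is not zero-sized, so the layout has nonzero size.
                unsafe { alloc::alloc(new_layout) }
            } else {
                let old_layout = Layout::array::<T>(self.cap).unwrap();
                // SAFETY: ptr was allocated with old_layout by this allocator.
                unsafe { alloc::realloc(self.ptr as *mut u8, old_layout, new_layout.size()) }
            };
            if new_ptr.is_null() {
                alloc::handle_alloc_error(new_layout);
            }
            self.ptr = new_ptr as *mut T;
            self.cap = new_cap;
        }

        // The text's make_room is safe code yet would falsify every SAFETY
        // comment above. Because cap is private, it can only be written inside
        // this module, so an audit of the invariant stops at `mod myvec`.
        // fn make_room(&mut self) { self.cap += 1; }   // do not add this
    }

    impl<T> Drop for MyVec<T> {
        fn drop(&mut self) {
            while self.pop().is_some() {}
            if self.cap != 0 {
                let layout = Layout::array::<T>(self.cap).unwrap();
                // SAFETY: ptr was allocated with exactly this layout.
                unsafe { alloc::dealloc(self.ptr as *mut u8, layout) };
            }
        }
    }
}

/// Pushes 0..n, then drains; returns the popped order and the final capacity.
pub fn roundtrip(n: u32) -> (Vec<u32>, usize) {
    let mut v = myvec::MyVec::new();
    for i in 0..n {
        v.push(i);
    }
    // v.cap += 1;  // error[E0616]: field `cap` of struct `MyVec` is private
    let cap = v.capacity();
    let mut out = Vec::new();
    while let Some(x) = v.pop() {
        out.push(x);
    }
    (out, cap)
}

fn main() {
    let (drained, cap) = roundtrip(5);
    println!("{:?} cap={}", drained, cap); // [4, 3, 2, 1, 0] cap=8
}
```

The commented-out line in roundtrip is the whole point: outside the module the compiler refuses the write, so every piece of safe code that could break the invariant sits inside `mod myvec` and is the only code the SAFETY comments need to trust.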

    It is therefore possible for us to write a completely safe abstraction that relies on complex invariants. This is critical to the relationship between Safe Rust and Unsafe Rust.

    We have already seen that Unsafe code must trust some Safe code, but shouldn't trust generic Safe code. Privacy is important to unsafe code for similar reasons: it means we don't have to trust all the safe code in the universe not to mess with our trusted state.

    Safety lives!