RFC: Add safe blocks

[AverseABFun]

This RFC is a proposal for so-called "safe blocks" that would provide the opposite effect of unsafe blocks.

Rendered

[programmerjake]

the general idea of the reference-level explanation is that, rather than describing how it should be implemented in rustc, you instead describe exactly how the syntax works since the idea is this section of the RFC gets copied to the Rust Reference, you could adapt the text from the reference section on unsafe blocks

[AverseABFun]

Ohh, thank you! I'll fix that now. Should I keep my paragraph on rustc or no?

[AverseABFun]

I'm assuming no.

[AverseABFun]

Fixed!

[kennytm]

As a (not very good) prior art there were the pop_unsafe! and push_unsafe! macros back in 1.3.0 to temporarily inhibit the unsafe block a.k.a. "unsafety hygiene" (rust-lang/rust#27215).

push_unsafe!({
    expr_1;
    pop_unsafe!({
        expr_2;
    })
})

// similar to this RFC's
unsafe {
    expr_1;
    safe {
        expr_2;
    }
}

It is a very ugly hack and the surface syntax is quickly removed in 1.5.0 (rust-lang/rust#28980), but the remnants are only purged 6 years later in 1.55.0 (rust-lang/rust#85421).

---

As for the RFC itself

1. It would be very unfortunate if we need to turn safe into a keyword (see also RFC: Reserve try for try { .. } block expressions #2388). Its usage is pretty common.

2. As shown above, the push/pop-unsafe implementation treats it like a stack, so that an outer unsafe block can propagate into the macro (godbolt):

   #![feature(pushpop_unsafe)]
   #![allow(dead_code)]
   
   unsafe fn do_unsafe_thing(_: u8) {}
   
   macro_rules! do_something {
       ($e:expr) => {
           push_unsafe!({
               do_unsafe_thing(0);
               pop_unsafe!($e)
           })
       }
   }
   
   fn main() {
       unsafe {
           do_something! {
               do_unsafe_thing(1) // no error here
           }
       }
       
       do_something! {
           do_unsafe_thing(2) // E0133 here
       }
   }

   The RFC does not specify the nesting behavior. If we rewrite the macro to use a safe block, will the do_unsafe_thing(1) line still compile fine?

   macro_rules! do_something {
       ($e:expr) => {
           unsafe {
               do_unsafe_thing(0);
               k#safe { $e }
           }
       }
   }

[AverseABFun]

Hmm, for the nesting behavior I don't think it would as the safe block is the block it's contained within and thus it would be assumed to be safe code. For the keyword thing, safe would be the most natural name but maybe it could be something like "resafe" as to prevent conflicts?

…

On Sat, Feb 1, 2025, 4:53 AM kennytm ***@***.***> wrote: As a (not very good) prior art there were the pop_unsafe! and push_unsafe! macros back in 1.3.0 to temporarily inhibit the unsafe block a.k.a. "unsafety hygiene" (rust-lang/rust#27215 <rust-lang/rust#27215>). push_unsafe!({ expr_1; pop_unsafe!({ expr_2; })}) // similar to this RFC'sunsafe { expr_1; safe { expr_2; }} It is a very ugly hack and the surface syntax is quickly removed in 1.5.0 ( rust-lang/rust#28980 <rust-lang/rust#28980>), but the remnants are only purged 6 years later in 1.55.0 (rust-lang/rust#85421 <rust-lang/rust#85421>). ------------------------------ As for the RFC itself 1. It would be very unfortunate if we need to turn safe into a keyword (see also #2388 <#2388>). Its usage is pretty common <https://github.com/search?q=lang%3ARust%20%2F(let%7Cfn)%20safe%5Cb%2F&type=code> . 2. As shown above, the push/pop-unsafe implementation treats it like a stack, so that an outer unsafe block can propagate into the macro ( godbolt <https://godbolt.org/#g:!((g:!((g:!((h:codeEditor,i:(filename:'1',fontScale:14,fontUsePx:'0',j:1,lang:rust,selection:(endColumn:2,endLineNumber:25,positionColumn:2,positionLineNumber:25,selectionStartColumn:1,selectionStartLineNumber:1,startColumn:1,startLineNumber:1),source:'%23!!%5Bfeature(pushpop_unsafe)%5D%0A%23!!%5Ballow(dead_code)%5D%0A%0Aunsafe+fn+do_unsafe_thing(_:+u8)+%7B%7D%0A%0Amacro_rules!!+do_something+%7B%0A++++($e:expr)+%3D%3E+%7B%0A++++++++push_unsafe!!(%7B%0A++++++++++++do_unsafe_thing(0)%3B%0A++++++++++++pop_unsafe!!($e)%0A++++++++%7D)%0A++++%7D%0A%7D%0A%0Afn+main()+%7B%0A++++unsafe+%7B%0A++++++++do_something!!+%7B%0A++++++++++++do_unsafe_thing(1)+//+no+error+here%0A++++++++%7D%0A++++%7D%0A++++%0A++++do_something!!+%7B%0A++++++++do_unsafe_thing(2)+//+E0133+here%0A++++%7D%0A%7D'),l:'5',n:'0',o:'Rust+source+%231',t:'0')),k:50,l:'4',m:100,n:'0',o:'',s:0,t:'0'),(g:!((h:output,i:(compilerName:'rustc+1.4.0',editorid:1,fontScale:14,fontUsePx:'0',j:1,wrap:'1'),l:'5',n:'0',o:'Output+of+rustc+1.4.0+(Compiler+%231)',t:'0'),(h:compiler,i:(compiler:r140,filters:(b:'0',binary:'1',binaryObject:'1',commentOnly:'0',debugCalls:'1',demangle:'0',directives:'0',execute:'1',intel:'0',libraryCode:'0',trim:'1',verboseDemangling:'0'),flagsViewOpen:'1',fontScale:14,fontUsePx:'0',j:1,lang:rust,libs:!(),options:'',overrides:!((name:env,values:!((name:RUSTC_BOOTSTRAP_KEY,value:'01:09:53')))),selection:(endColumn:1,endLineNumber:1,positionColumn:1,positionLineNumber:1,selectionStartColumn:1,selectionStartLineNumber:1,startColumn:1,startLineNumber:1),source:1),l:'5',n:'0',o:'+rustc+1.4.0+(Editor+%231)',t:'0')),header:(),k:50,l:'4',n:'0',o:'',s:0,t:'0')),l:'2',n:'0',o:'',t:'0')),version:4> ): #![feature(pushpop_unsafe)]#![allow(dead_code)] unsafe fn do_unsafe_thing(_: u8) {} macro_rules! do_something { ($e:expr) => { push_unsafe!({ do_unsafe_thing(0); pop_unsafe!($e) }) }} fn main() { unsafe { do_something! { do_unsafe_thing(1) // no error here } } do_something! { do_unsafe_thing(2) // E0133 here }} The RFC does not specify the nesting behavior. If we rewrite the macro to use a safe block, will the do_unsafe_thing(1) line still compile fine? macro_rules! do_something { ($e:expr) => { unsafe { do_unsafe_thing(0); k#safe { $e } } }} — Reply to this email directly, view it on GitHub <#3768 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ATOOUFURYEJWVWBEMPOA7KD2NSRT3AVCNFSM6AAAAABWIZBHI2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDMMRYHEYDENRUGU> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[programmerjake]

if safe is a context-dependent keyword so it's only a keyword when immediately followed by {, it shouldn't really conflict with existing code unless that code is really weird. this is kinda like union.

if there's enough code that conflicts, safe can become a context-dependent keyword in the next edition and we'll just use k#safe in edition <= 2024.

[tczajka]

Every single motivating example can be solved better by reducing the overly large scope of the unsafe block. Extra syntax to undo unsafe feels unnecessary to me.

[kennytm]

@programmerjake

if safe is a context-dependent keyword so it's only a keyword when immediately followed by {, it shouldn't really conflict with existing code unless that code is really weird. this is kinda like union.

First of all, if safe { … } .

The reason safe cannot be a contextual keyword is the same as that of try, please checkout #2388. Contextual keyword works for union declaration because union IDENTIFIER is otherwise an invalid sequence everywhere else. But safe { … } is already a valid expression in itself.

If this RFC has to use the syntax IDENTIFIER { … } there is no choice but to make that identifier a ful keyword the next edition. Or you could pick a different syntax such as safe! { … }.

[burdges]

I'd think some localized flavor of #[forbid(unsafe_code)] makes more sense than the word safe, no?

Could #[forbid(unsafe_code)] appear before a statement or code block?

[zachs18]

Hmm, yes, #[forbid(unsafe_code)] or #[deny(unsafe_code)] can be put on a (normal) block inside an unsafe block, but currently it doesn't appear to actually fire on unsafe operations in that block. Presumably the unsafe_code lint only fires on unsafe blocks (and unsafe attributes like #[no_mangle]), not unsafe operations: playground link.

Perhaps the unsafe_code lint could be updated to also apply to unsafe operations if the lint level is raised inside an unsafe block?

[programmerjake]

I'd think some localized flavor of #[forbid(unsafe_code)] makes more sense than the word safe, no?

I disagree for 2 reasons:

1. forbidding unsafe code would prevent you from having an unsafe block inside a macro's argument, safe blocks allow you to do that.
2. I don't think rust should rely on lints for safety, since iirc they can be disabled with cap-lints and are disabled by default in dependencies.

[JarredAllen]

Another alternative worth mentioning that I think would serve the same purpose: allowing finer-grained control of where unsafe is applied (e.g. though single function call unsafe), such that you won't need a safe block anymore.

Which one is better is a matter of preference. I personally like having only one unsafe operation per unsafe block, so I can explicitly document on the block why the preconditions are met, so I'd prefer having finer-grained unsafe blocks, but I know other people like to include the entire code incorporating a safety invariant in one unsafe block that details the invariant requirements. And nothing prevents Rust from having both, though the second one would have diminishing marginal returns.

I'm not the arbiter of which approach Rust should take, but I think it'd be worth mentioning in the alternatives section, at least.

[ssokolow]

I disagree for 2 reasons:

1. forbidding unsafe code would prevent you from having an unsafe block inside a macro's argument, safe blocks allow you to do that.

So use #[deny(unsafe_code)] instead, since it can be overridden with #[allow(unsafe_code)]?

[ssokolow]

Overall, I don't get the feeling that this proposal justifies the added complexity of having a whole new keyword and mechanism in the language.

First, as tczajka said, all the motivating examples have un-idiomatically broad unsafe blocks and I don't think we should be implicitly encouraging developers to do that by allowing unsafe→safe→unsafe→safe→... nesting at the syntactic level.

Second, this feels like the kind of thing where the main place that it'd be relevant is when a macro is subverting how unsafe interacts with scoping in the regular language (i.e. calling a function from inside unsafe doesn't grant unsafe to its contents but substituting some AST nodes into unsafe in a macro does), and I don't think we should so readily be altering the shape of the language at large to account for situations that only crop up because of quirks of what macros are.

(I'm reminded of what a brain-bender it was to realize that, though there was no trait for me to implement to extend Keats/validator in the way I wanted, I could extend it just by defining my own extension trait because it being written using macros meant that #[validate] implemented duck-typed method resolution.)