← Back to context

Comment by menaerus

1 day ago

They also say

  The practice of encapsulation enables local reasoning about safety invariants.

which is not fully correct. Undefined behavior in unsafe blocks can and will leak into the safe Rust code so there is nothing there about the "local reasoning" or "encapsulation" or "safety invariants".

This whole blog always read to me as too much like a marketing material disguised with some data so that it is not so obvious. IMHO

7 comments

menaerus

Reply
aw1621107  1 day ago

> which is not fully correct. Undefined behavior in unsafe blocks can and will leak into the safe Rust code so there is nothing there about the "local reasoning" or "encapsulation" or "safety invariants".

Strictly speaking, that encapsulation enables local reasoning about safety invariants does not necessarily imply that encapsulation guarantees local reasoning about safety invariants. It's always possible to write something unadvisable, and no language is capable of preventing that.

That being said, I think you might be missing the point to some extent. The idea behind the sentence is not to say that the consequences of a mistake will not be felt elsewhere. The idea is that when reasoning about whether you're upholding invariants and/or investivating something that went wrong, the amount of code you need to look at is bounded such that you can ignore everything outside those bounds; i.e., you can look at some set of code in complete isolation. In the most conservative/general case that boundary would be the module boundary, but it's not uncommon to be able to shrink those boundaries to the function body, or potentially even further.

This general concept here isn't really new. Rust just applied it in a relatively new context.

  • menaerus  1 day ago

    Yes, but my point is when things blow up how exactly do you know which unsafe block you should look into? From their statement it appears as if there's such a simple correlation between "here's your segfault" and "here's your unsafe block that caused it", and which I believe there isn't, and which is why I said there's no encapsulation, local reasoning etc.

    • Xylakant  1 day ago

      But you know that it's one of them. That cuts 96% of their codebase out, even assuming you have no idea which one it could be.

    • aw1621107  21 hours ago

      > Yes, but my point is when things blow up how exactly do you know which unsafe block you should look into?

      In the most general case, you don't. But again, I think that that rather misses the point the statement was trying to get at.

      Perhaps a more useful framing for you would be that in the most general case the encapsulation and local reasoning here is between modules that use unsafe and everything else. In some (many? most?) cases you can further bound how much code you need to look at if/when something goes wrong since not all code in unsafe modules/functions/blocks depend on each other, but in any case the point is that you only need to inspect a subset of code when reasoning about safety invariants and/or debugging a crash.

      > From their statement it appears as if there's such a simple correlation between "here's your segfault" and "here's your unsafe block that caused it",

      I don't get that sense from the statement at all.

      2 replies →