
Comment by ceteia

3 days ago

How can you be sure? When I looked at, for instance, sudo-rs, it proclaimed loudly that it is memory safe, but its code has lots of unsafe.

https://github.com/trifectatechfoundation/sudo-rs

https://grep.app/search?f.repo=trifectatechfoundation%2Fsudo...

And Miri is very popular in Rust. Even if a Rust project doesn't have unsafe, sometimes people still run Miri with it, since dependencies might have messed up their unsafe usage.

> but its code has lots of unsafe.

And every instance of unsafe that I could find (except one, in test-only code) was a call to libc with a clarifying comment on why this particular use was safe. That is, all (or at least, all of it that I could find) was wrapping an unsafe API with documented (and usually straightforward and local) invariants that maintain safety, such that the calling code is safe.

I'd say that the fact that miri's trophy-shelf[0] has 39 entries and is 7 years old and still regularly updated is a pretty good indicator that memory bugs are sufficiently rare in Rust so as to be notable. That is the opposite of "regular".

[0]: https://github.com/rust-lang/miri/blame/master/README.md
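As an added illustration of the pattern described above (this is example code, not taken from sudo-rs): a safe Rust wrapper around a libc call, where the SAFETY comment records the local invariant that makes the single unsafe block sound, so that every caller stays in safe code. It assumes a Unix C library is linked, which std already does, and declares the symbol directly rather than through the `libc` crate so it compiles with rustc alone.

```rust
use std::os::raw::c_char;

// Declared here (constructed example) instead of via the `libc` crate so the
// snippet builds with a bare rustc; the symbol comes from the C library that
// std links on Unix.
unsafe extern "C" {
    fn strnlen(s: *const c_char, maxlen: usize) -> usize;
}

/// Length of the C string stored in `buf`: the index of the first NUL byte,
/// or `buf.len()` if the buffer holds no NUL at all. Safe to call with any
/// slice, including an empty one.
pub fn c_str_len(buf: &[u8]) -> usize {
    // Edge case handled in safe code: an empty slice may have a dangling
    // (non-null, aligned) pointer, so never hand it to C.
    if buf.is_empty() {
        return 0;
    }
    // SAFETY: `buf.as_ptr()` is valid for reads of exactly `buf.len()` bytes
    // for the whole call (the shared borrow guarantees the memory is live and
    // not mutated meanwhile), and strnlen reads at most `maxlen` bytes, so it
    // cannot run past the slice whether or not a NUL byte is present.
    unsafe { strnlen(buf.as_ptr() as *const c_char, buf.len()) }
}

fn main() {
    // Constructed inputs: a NUL-terminated name and one with no terminator.
    println!("{}", c_str_len(b"sudo\0rs"));     // 4
    println!("{}", c_str_len(b"no nul here"));  // 11, bounded by the slice
}
```

The invariant lives entirely in the wrapper: a reviewer auditing this `unsafe` block only has to confirm the two facts stated in the comment, which is the kind of local argument the comment above refers to.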

  • [flagged]

    • > A comment does not automatically make code safe. What even is that argument? There have directly been examples of Rust code with SAFETY comments that later were found to be memory unsafe.

      I did not make this argument. I encourage you to reread my comment and do so with the HN guidelines in mind!