Comment by blegge

7 hours ago

> arena-based tree with zero unsafe in the public API

Why "in the public API"? Does this imply it's using unsafe behind the hood? If so, what for?

9 comments

blegge

Reply
gpm  5 hours ago

I agree the wording is a bit strange, but a quick grep of the repo shows that it doesn't imply that.

The only usages of unsafe are in src/ffi, which is only compiled when the ffi feature is enabled. ffi is fundamentally unsafe ("unsafe" meaning "the compiler can't automatically verify this code won't result in undefined behavior") so using it there is reasonable, and the rest of the crate is properly free of unsafe.

fulafel  5 hours ago

It provides a libxml2-compatible C API and that accepted pointers, this would seem to necessitate unsafe at least.

DetroitThrow  7 hours ago

Yeah I'm a bit confused because you can have an entirely unsafe code base with just the public interface marked as safe. No unsafe in the interface isn't a measure of safety at all.

  • mirashii  6 hours ago

    It is a measure of the intended level of care that the users of your interface have to take. If there's no unsafe in the interface, then that implies that the library has only provided safe interfaces, even if it uses unsafe internally, and that the interface exposed enforces all necessary invariants.

    It is absolutely a useful distinction on whether your users need to deal with unsafe themselves or not.

    • kelnos  1 hour ago

      It's useful, to be sure, but I wouldn't want to use a library with a safe public interface that is mostly unsafe underneath (unless it's a -sys crate, of course). I think "this crate has no unsafe code" or "this crate has a minimal amount of carefully audited unsafe code" are good things to see, in general.

    • ahepp  5 hours ago

      I guess I don't write enough rust to say this with confidence, but isn't that the bare minimum? I find it difficult to believe the rust community would accept using a library where the API requires unsafe.

      2 replies →

    • DetroitThrow  6 hours ago

      Sure, it's a useful distinction for whether users need to care about safety but not whether the underlying code is safe itself, which is what I wrote about.

      No or very little but verified unsafe internal code is the bar for many Rust reimplementations. It would also be what keeps the code memory safe.