comprehensive-rust/src/unsafe-rust/unsafe.md

---
minutes: 5
---

# Unsafe Rust

The Rust language has two parts:

- **Safe Rust:** memory safe, no undefined behavior possible.
- **Unsafe Rust:** can trigger undefined behavior if preconditions are violated.

We saw mostly safe Rust in this course, but it's important to know what Unsafe
Rust is.

Unsafe code is usually small and isolated, and its correctness should be
carefully documented. It is usually wrapped in a safe abstraction layer.

Unsafe Rust gives you access to five new capabilities:

- Dereference raw pointers.
- Access or modify mutable static variables.
- Access `union` fields.
- Call `unsafe` functions, including `extern` functions.
- Implement `unsafe` traits.

We will briefly cover unsafe capabilities next. For full details, please see
[Chapter 19.1 in the Rust Book](https://doc.rust-lang.org/book/ch19-01-unsafe-rust.html)
and the [Rustonomicon](https://doc.rust-lang.org/nomicon/).

<details>

Unsafe Rust does not mean the code is incorrect. It means that developers have
turned off some compiler safety features and have to write correct code by
themselves. It means the compiler no longer enforces Rust's memory-safety rules.

</details>
Comprehensive Rust v2 (#1073) I've taken some work by @fw-immunant and others on the new organization of the course and condensed it into a form amenable to a text editor and some computational analysis. You can see the inputs in `course.py` but the interesting bits are the output: `outline.md` and `slides.md`. The idea is to break the course into more, smaller segments with exercises at the ends and breaks in between. So `outline.md` lists the segments, their duration, and sums those durations up per-day. It shows we're about an hour too long right now! There are more details of the segments in `slides.md`, or you can see mostly the same stuff in `course.py`. This now contains all of the content from the v1 course, ensuring both that we've covered everything and that we'll have somewhere to redirect every page. Fixes #1082. Fixes #1465. --------- Co-authored-by: Nicole LeGare <dlegare.1001@gmail.com> Co-authored-by: Martin Geisler <mgeisler@google.com> 2023-11-29 10:39:24 -05:00			`---`
			`minutes: 5`
			`---`

Publish Comprehensive Rust 🦀 2022-12-21 16:36:30 +01:00			`# Unsafe Rust`

			`The Rust language has two parts:`

Format all Markdown files with `dprint` (#1157) This is the result of running `dprint fmt` after removing `src/` from the list of excluded directories. This also reformats the Rust code: we might want to tweak this a bit in the future since some of the changes removes the hand-formatting. Of course, this formatting can be seen as a mis-feature, so maybe this is good overall. Thanks to mdbook-i18n-helpers 0.2, the POT file is nearly unchanged after this, meaning that all existing translations remain valid! A few messages were changed because of stray whitespace characters: msgid "" "Slices always borrow from another object. In this example, `a` has to remain " -"'alive' (in scope) for at least as long as our slice. " +"'alive' (in scope) for at least as long as our slice." msgstr "" The formatting is enforced in CI and we will have to see how annoying this is in practice for the many contributors. If it becomes annoying, we should look into fixing dprint/check#11 so that `dprint` can annotate the lines that need fixing directly, then I think we can consider more strict formatting checks. I added more customization to `rustfmt.toml`. This is to better emulate the dense style used in the course: - `max_width = 85` allows lines to take up the full width available in our code blocks (when taking margins and the line numbers into account). - `wrap_comments = true` ensures that we don't show very long comments in the code examples. I edited some comments to shorten them and avoid unnecessary line breaks — please trim other unnecessarily long comments when you see them! Remember we're writing code for slides :smile: - `use_small_heuristics = "Max"` allows for things like struct literals and if-statements to take up the full line width configured above. The formatting settings apply to all our Rust code right now — I think we could improve this with https://github.com/dprint/dprint/issues/711 which lets us add per-directory `dprint` configuration files. However, the `inherit: true` setting is not yet implemented (as far as I can tell), so a nested configuration file will have to copy most or all of the top-level file. 2023-12-31 00:15:07 +01:00			`- Safe Rust: memory safe, no undefined behavior possible.`
			`- Unsafe Rust: can trigger undefined behavior if preconditions are violated.`
Publish Comprehensive Rust 🦀 2022-12-21 16:36:30 +01:00
Format all Markdown files with `dprint` (#1157) This is the result of running `dprint fmt` after removing `src/` from the list of excluded directories. This also reformats the Rust code: we might want to tweak this a bit in the future since some of the changes removes the hand-formatting. Of course, this formatting can be seen as a mis-feature, so maybe this is good overall. Thanks to mdbook-i18n-helpers 0.2, the POT file is nearly unchanged after this, meaning that all existing translations remain valid! A few messages were changed because of stray whitespace characters: msgid "" "Slices always borrow from another object. In this example, `a` has to remain " -"'alive' (in scope) for at least as long as our slice. " +"'alive' (in scope) for at least as long as our slice." msgstr "" The formatting is enforced in CI and we will have to see how annoying this is in practice for the many contributors. If it becomes annoying, we should look into fixing dprint/check#11 so that `dprint` can annotate the lines that need fixing directly, then I think we can consider more strict formatting checks. I added more customization to `rustfmt.toml`. This is to better emulate the dense style used in the course: - `max_width = 85` allows lines to take up the full width available in our code blocks (when taking margins and the line numbers into account). - `wrap_comments = true` ensures that we don't show very long comments in the code examples. I edited some comments to shorten them and avoid unnecessary line breaks — please trim other unnecessarily long comments when you see them! Remember we're writing code for slides :smile: - `use_small_heuristics = "Max"` allows for things like struct literals and if-statements to take up the full line width configured above. The formatting settings apply to all our Rust code right now — I think we could improve this with https://github.com/dprint/dprint/issues/711 which lets us add per-directory `dprint` configuration files. However, the `inherit: true` setting is not yet implemented (as far as I can tell), so a nested configuration file will have to copy most or all of the top-level file. 2023-12-31 00:15:07 +01:00			`We saw mostly safe Rust in this course, but it's important to know what Unsafe`
			`Rust is.`
Publish Comprehensive Rust 🦀 2022-12-21 16:36:30 +01:00
Format all Markdown files with `dprint` (#1157) This is the result of running `dprint fmt` after removing `src/` from the list of excluded directories. This also reformats the Rust code: we might want to tweak this a bit in the future since some of the changes removes the hand-formatting. Of course, this formatting can be seen as a mis-feature, so maybe this is good overall. Thanks to mdbook-i18n-helpers 0.2, the POT file is nearly unchanged after this, meaning that all existing translations remain valid! A few messages were changed because of stray whitespace characters: msgid "" "Slices always borrow from another object. In this example, `a` has to remain " -"'alive' (in scope) for at least as long as our slice. " +"'alive' (in scope) for at least as long as our slice." msgstr "" The formatting is enforced in CI and we will have to see how annoying this is in practice for the many contributors. If it becomes annoying, we should look into fixing dprint/check#11 so that `dprint` can annotate the lines that need fixing directly, then I think we can consider more strict formatting checks. I added more customization to `rustfmt.toml`. This is to better emulate the dense style used in the course: - `max_width = 85` allows lines to take up the full width available in our code blocks (when taking margins and the line numbers into account). - `wrap_comments = true` ensures that we don't show very long comments in the code examples. I edited some comments to shorten them and avoid unnecessary line breaks — please trim other unnecessarily long comments when you see them! Remember we're writing code for slides :smile: - `use_small_heuristics = "Max"` allows for things like struct literals and if-statements to take up the full line width configured above. The formatting settings apply to all our Rust code right now — I think we could improve this with https://github.com/dprint/dprint/issues/711 which lets us add per-directory `dprint` configuration files. However, the `inherit: true` setting is not yet implemented (as far as I can tell), so a nested configuration file will have to copy most or all of the top-level file. 2023-12-31 00:15:07 +01:00			`Unsafe code is usually small and isolated, and its correctness should be`
			`carefully documented. It is usually wrapped in a safe abstraction layer.`
Update unsafe.md (#252) * Update unsafe.md Adding a paragraph explaining that unsafe code is not necessary broken or evil, but it is a mode where compiler safety features are off. * Move explanation to speaker notes To avoid slide being too long. Also edited text slightly. * Remove extra space --------- Co-authored-by: Andrew Walbran <qwandor@google.com> 2023-01-30 13:12:51 +00:00
Publish Comprehensive Rust 🦀 2022-12-21 16:36:30 +01:00			`Unsafe Rust gives you access to five new capabilities:`

Format all Markdown files with `dprint` (#1157) This is the result of running `dprint fmt` after removing `src/` from the list of excluded directories. This also reformats the Rust code: we might want to tweak this a bit in the future since some of the changes removes the hand-formatting. Of course, this formatting can be seen as a mis-feature, so maybe this is good overall. Thanks to mdbook-i18n-helpers 0.2, the POT file is nearly unchanged after this, meaning that all existing translations remain valid! A few messages were changed because of stray whitespace characters: msgid "" "Slices always borrow from another object. In this example, `a` has to remain " -"'alive' (in scope) for at least as long as our slice. " +"'alive' (in scope) for at least as long as our slice." msgstr "" The formatting is enforced in CI and we will have to see how annoying this is in practice for the many contributors. If it becomes annoying, we should look into fixing dprint/check#11 so that `dprint` can annotate the lines that need fixing directly, then I think we can consider more strict formatting checks. I added more customization to `rustfmt.toml`. This is to better emulate the dense style used in the course: - `max_width = 85` allows lines to take up the full width available in our code blocks (when taking margins and the line numbers into account). - `wrap_comments = true` ensures that we don't show very long comments in the code examples. I edited some comments to shorten them and avoid unnecessary line breaks — please trim other unnecessarily long comments when you see them! Remember we're writing code for slides :smile: - `use_small_heuristics = "Max"` allows for things like struct literals and if-statements to take up the full line width configured above. The formatting settings apply to all our Rust code right now — I think we could improve this with https://github.com/dprint/dprint/issues/711 which lets us add per-directory `dprint` configuration files. However, the `inherit: true` setting is not yet implemented (as far as I can tell), so a nested configuration file will have to copy most or all of the top-level file. 2023-12-31 00:15:07 +01:00			`- Dereference raw pointers.`
			`- Access or modify mutable static variables.`
			- Access `union` fields.
			- Call `unsafe` functions, including `extern` functions.
			- Implement `unsafe` traits.
Publish Comprehensive Rust 🦀 2022-12-21 16:36:30 +01:00
Update unsafe.md (#252) * Update unsafe.md Adding a paragraph explaining that unsafe code is not necessary broken or evil, but it is a mode where compiler safety features are off. * Move explanation to speaker notes To avoid slide being too long. Also edited text slightly. * Remove extra space --------- Co-authored-by: Andrew Walbran <qwandor@google.com> 2023-01-30 13:12:51 +00:00			`We will briefly cover unsafe capabilities next. For full details, please see`
Add back links to the Rust Book I think it's important that we link the students to the full information about Unsafe Rust. 2023-01-02 10:30:40 +01:00			`[Chapter 19.1 in the Rust Book](https://doc.rust-lang.org/book/ch19-01-unsafe-rust.html)`
			`and the [Rustonomicon](https://doc.rust-lang.org/nomicon/).`
Update unsafe.md (#252) * Update unsafe.md Adding a paragraph explaining that unsafe code is not necessary broken or evil, but it is a mode where compiler safety features are off. * Move explanation to speaker notes To avoid slide being too long. Also edited text slightly. * Remove extra space --------- Co-authored-by: Andrew Walbran <qwandor@google.com> 2023-01-30 13:12:51 +00:00
			`<details>`

			`Unsafe Rust does not mean the code is incorrect. It means that developers have`
Comprehensive Rust v2 (#1073) I've taken some work by @fw-immunant and others on the new organization of the course and condensed it into a form amenable to a text editor and some computational analysis. You can see the inputs in `course.py` but the interesting bits are the output: `outline.md` and `slides.md`. The idea is to break the course into more, smaller segments with exercises at the ends and breaks in between. So `outline.md` lists the segments, their duration, and sums those durations up per-day. It shows we're about an hour too long right now! There are more details of the segments in `slides.md`, or you can see mostly the same stuff in `course.py`. This now contains all of the content from the v1 course, ensuring both that we've covered everything and that we'll have somewhere to redirect every page. Fixes #1082. Fixes #1465. --------- Co-authored-by: Nicole LeGare <dlegare.1001@gmail.com> Co-authored-by: Martin Geisler <mgeisler@google.com> 2023-11-29 10:39:24 -05:00			`turned off some compiler safety features and have to write correct code by`
Update unsafe.md (#252) * Update unsafe.md Adding a paragraph explaining that unsafe code is not necessary broken or evil, but it is a mode where compiler safety features are off. * Move explanation to speaker notes To avoid slide being too long. Also edited text slightly. * Remove extra space --------- Co-authored-by: Andrew Walbran <qwandor@google.com> 2023-01-30 13:12:51 +00:00			`themselves. It means the compiler no longer enforces Rust's memory-safety rules.`

			`</details>`