Skip to content

Clarify when safety may rely on correctness#523

Merged
JohnTitor merged 2 commits into
rust-lang:masterfrom
ia0:unsafe
Jun 25, 2026
Merged

Clarify when safety may rely on correctness#523
JohnTitor merged 2 commits into
rust-lang:masterfrom
ia0:unsafe

Conversation

@ia0

@ia0 ia0 commented Jun 3, 2026

Copy link
Copy Markdown
Contributor

This is a follow-up of #294 which in my opinion did not completely address the confusion.

The "Safe Rust client" terminology comes from the Reference. I'm using "dependencies" (think upstream code) as the opposite concept of "clients" (think downstream code). I'm happy to follow any suggestions to improve those terms.

This is a follow-up of rust-lang#294 which in my opinion did not completely address the confusion.

The "Safe Rust client" terminology comes from the [Reference](https://doc.rust-lang.org/reference/behavior-considered-undefined.html#r-undefined.soundness). I did not find official traces for "downstream" and "dependencies" but I believe they can be understood. I'm happy to follow any suggestions if those terms are still confusing.
Comment thread src/safe-unsafe-meaning.md Outdated
Comment on lines +66 to +67
On the other hand, Unsafe Rust cannot trust Safe Rust without care. It can
trust Safe Rust dependencies but cannot trust Safe Rust clients.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe it'd be better to describe what cannot be trusted a bit more specific.

Suggested change
On the other hand, Unsafe Rust cannot trust Safe Rust without care. It can
trust Safe Rust dependencies but cannot trust Safe Rust clients.
On the other hand, Unsafe Rust cannot trust Safe Rust without care. It can
trust specific Safe Rust implementations, but not arbitrary Safe Rust chosen
or supplied by clients.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What do you mean by "implementation"? My understanding is that it means a specific version of the code that implements an API. If that's true then Unsafe Rust can trust arbitrary implementations of the crates it depends on, it doesn't need to be a specific implementation.

If we want to be more specific, this could look like:

  • Unsafe Rust can trust Safe Rust within its own crate (because the implementation is known and thus can be verified to be correct) and the crates of its dependencies (because, while unknown, the implementation is trusted to be correct).
  • Unsafe Rust cannot trust Safe Rust within the crates of its reverse-dependencies (because the implementation is unknown and not trusted to be correct).

Not sure how to formulate this elegantly.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I reformulated by avoiding both the word "dependencies" and "implementations", simply using the word "clients" in the opposite direction. Does this sound better?

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah the current looks great! What I meant is a bounded body of code that the unsafe code has chosen to rely on as part of its trusted base.

Comment thread src/safe-unsafe-meaning.md Outdated
Comment on lines +95 to +98
This difference also holds for arbitrary implementations of one very specific
dependency. Unsafe Rust in crate `foo` (which depends on crate `bar`) may rely on
Safe Rust in crate `bar` to be written correctly, regardless of the actual
implementation.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about this wording? I'd avoid using two words, dependency and crate in the same paragraph.

Suggested change
This difference also holds for arbitrary implementations of one very specific
dependency. Unsafe Rust in crate `foo` (which depends on crate `bar`) may rely on
Safe Rust in crate `bar` to be written correctly, regardless of the actual
implementation.
The same can be true across crate boundaries. Unsafe Rust in crate `foo` may
trust a specific Safe Rust implementation in crate `bar` when that is a
bounded piece of code that can be reviewed.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The wording is much better, but the "specific implementation" issue from the other comment is still present. So I'll wait until we clarify that to update this part. Maybe "implementation" is more a general concept than I think.

@ia0 ia0 left a comment

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the review! Before applying the suggestions, I have one clarification question in one of the comment.

Comment thread src/safe-unsafe-meaning.md Outdated
Comment on lines +66 to +67
On the other hand, Unsafe Rust cannot trust Safe Rust without care. It can
trust Safe Rust dependencies but cannot trust Safe Rust clients.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What do you mean by "implementation"? My understanding is that it means a specific version of the code that implements an API. If that's true then Unsafe Rust can trust arbitrary implementations of the crates it depends on, it doesn't need to be a specific implementation.

If we want to be more specific, this could look like:

  • Unsafe Rust can trust Safe Rust within its own crate (because the implementation is known and thus can be verified to be correct) and the crates of its dependencies (because, while unknown, the implementation is trusted to be correct).
  • Unsafe Rust cannot trust Safe Rust within the crates of its reverse-dependencies (because the implementation is unknown and not trusted to be correct).

Not sure how to formulate this elegantly.

Comment thread src/safe-unsafe-meaning.md Outdated
Comment on lines +95 to +98
This difference also holds for arbitrary implementations of one very specific
dependency. Unsafe Rust in crate `foo` (which depends on crate `bar`) may rely on
Safe Rust in crate `bar` to be written correctly, regardless of the actual
implementation.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The wording is much better, but the "specific implementation" issue from the other comment is still present. So I'll wait until we clarify that to update this part. Maybe "implementation" is more a general concept than I think.

@JohnTitor JohnTitor left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you and sorry for the delay!

@JohnTitor JohnTitor added this pull request to the merge queue Jun 25, 2026
Merged via the queue into rust-lang:master with commit 5012a37 Jun 25, 2026
2 checks passed
@ia0

ia0 commented Jun 25, 2026

Copy link
Copy Markdown
Contributor Author

Thanks for the review!

@ia0 ia0 deleted the unsafe branch June 25, 2026 10:13
JonathanBrouwer added a commit to JonathanBrouwer/rust that referenced this pull request Jun 30, 2026
Update books

## rust-lang/nomicon

1 commits in cc6a6bae8c3bfa389974e533c54694662c1a9de6..5012a37c682b26c4e19433888ed2ca9b129696ca
2026-06-25 10:05:58 UTC to 2026-06-25 10:05:58 UTC

- Clarify when safety may rely on correctness (rust-lang/nomicon#523)

## rust-lang/reference

10 commits in 2c27905c15a51983b54d84f050d3bda096194d27..86635e30bf861a038dc197d7e16fd09e7e514e7a
2026-06-25 17:00:32 UTC to 2026-06-16 18:56:35 UTC

- use-declarations.md: move example to where it's described (rust-lang/reference#2295)
- fix link target (rust-lang/reference#2299)
- remove broken text (rust-lang/reference#2297)
- type-layout: rewrite `#[repr(C)]` struct layout algorithm (rust-lang/reference#2243)
- Fix grammar rules containing or pertaining to bounds (rust-lang/reference#2257)
- Document metadata of ptrs to indirectly unsized types (rust-lang/reference#2289)
- Generalize the wide-pointer total-size bound (rust-lang/reference#2290)
- Cover `str` in the wide-pointer metadata rule (rust-lang/reference#2288)
- Define an unsized tail (rust-lang/reference#2287)
- Define pointer metadata (rust-lang/reference#2286)
rust-timer added a commit to rust-lang/rust that referenced this pull request Jun 30, 2026
Rollup merge of #158571 - rustbot:docs-update, r=ehuss

Update books

## rust-lang/nomicon

1 commits in cc6a6bae8c3bfa389974e533c54694662c1a9de6..5012a37c682b26c4e19433888ed2ca9b129696ca
2026-06-25 10:05:58 UTC to 2026-06-25 10:05:58 UTC

- Clarify when safety may rely on correctness (rust-lang/nomicon#523)

## rust-lang/reference

10 commits in 2c27905c15a51983b54d84f050d3bda096194d27..86635e30bf861a038dc197d7e16fd09e7e514e7a
2026-06-25 17:00:32 UTC to 2026-06-16 18:56:35 UTC

- use-declarations.md: move example to where it's described (rust-lang/reference#2295)
- fix link target (rust-lang/reference#2299)
- remove broken text (rust-lang/reference#2297)
- type-layout: rewrite `#[repr(C)]` struct layout algorithm (rust-lang/reference#2243)
- Fix grammar rules containing or pertaining to bounds (rust-lang/reference#2257)
- Document metadata of ptrs to indirectly unsized types (rust-lang/reference#2289)
- Generalize the wide-pointer total-size bound (rust-lang/reference#2290)
- Cover `str` in the wide-pointer metadata rule (rust-lang/reference#2288)
- Define an unsized tail (rust-lang/reference#2287)
- Define pointer metadata (rust-lang/reference#2286)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants