New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Expose unsafe operations #190
Comments
To clarify, this is needed because e.g. the Rust standard library often wraps an entire function in an unsafe block to indicate that everything in that function, even the safe calls, need to be correct for the entire function to be safe. The alternative - i.e. wrapping each individual call to an It is desirable to be able to tell apart safe and unsafe operations inside an unsafe block because it would simplify auditing. If unsafe calls are highlighted in some way, one could easily make a list of all the unsafe calls in the block, check their documentation to see what invariants they require to be upheld, and then verify that the rest of the block (i.e. the safe calls) uphold those invariants. Without this it's easy to miss some unsafe call that actually requires some invariants to be upheld, and thus miss a security vulnerability. |
Any ideas on how to visualize this? I can think of showing the names of unsafe functions in a different color (e.g. red) or underlining the unsafe expression with yellow. |
I'd suggest consistently using the same styling for all unsafe operations and to not use this styling for anything else. All styling I can think of works for all unsafe operations (bold, underline, special fg/bg colors,...) so what to choose is up to whoever implements this. These are important things, so they should stand out and be readable, ideally without making the reader blind. |
We definitely should do this, but it is definitely pretty far in the future: to highlight unsafe fn calls, we must resolve method invocation to the corresponding method definition, and that basically means implementing all of rust except for lifetimes. I've filed intellij-rust/intellij-rust#3013 for IntelliJ, which already has all the relevant infra in place for this feature. |
Possibly a relevant RFC: rust-lang/rfcs#2585 |
I think the far future has come? It seems like we have required infrastructure to implement this. The solution consists of two big parts:
The second part should be done on hir (as it has semantic implications: we should flag unnecessary/missing unsafe blocks once analysis has no false positives). I think we should add fn unsafe_expressions(db: &impl HIrdatabase, def: DefWithBody) -> Vec<ExprId> function to hir/expr. It should work roughtly like |
For the first part, we now can just slap TokenModifier::Unsafe onto unsafe ops. |
I'm going to try taking this one on. |
I think this is mostly done at the moment, set *.unsafe color in the color theme to highlight the ops. |
It would be great if the rust-analyzer would expose which operations are
unsafe
, e.g., calling anunsafe fn
, dereferencing a pointer, creating a reference to a field of a packed struct, reading from an union, etc. So that Rust IDEs can underline/highlight these operations (e.g. because operations inside an unsafe block are not all always unsafe).The text was updated successfully, but these errors were encountered: