-
Notifications
You must be signed in to change notification settings - Fork 1.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
rename 'unsafe' to 'trusted.' #117
Conversation
This seems to imply that normal users of Rust should be using To that end, I greatly prefer the current name |
I'm slightly concerned this name may get confused with "I've checked this code and trust it" (i.e. arbitrary "bug free" code), rather than "the compiler is trusting me" (i.e. dangerous code). |
I also disagree, however, they need to know that unsafe exists. Before I mention |
Are you suggesting this for |
@steveklabnik, the keyword Either way, you'll have to explain to someone that Rust can do these low-level shenanigans. |
That said, I'm not about to assert that |
We could make |
I like the term "barrier" to describe what an unsafe block provides. On its own, I don't think it conveys the right terminology, but I'd like to at least fling it into the vocabulary mix here. I have definitely been convinced that unsafe { } is not the right syntax. It doesn't convey at all that it's a barrier, and should be safe itself. I don't exactly like "trusted", as it goes too far the opposite way. "unchecked", maybe is a good word. |
"Should be safe" presumes optimism. Rust is not an optimistic language, it is a pessimistic one (as are all languages with strong static type systems). Your unsafe code is unsafe, and you should feel unsafe. (Sorry, I'm too lazy to track down the Zoidberg meme generator.) |
I would propose a small change.. rather than |
|
I don't think I agree with your sentiment: If an unsafe { } block can be used to cause unsafety, then that code has bugs. We should convey the intended purpose of unsafe blocks: to denote the edge of unsafety, where the guarantees have been made. |
IMHO, even if "unsafe" can be misleading, "trusted" is far worse. When people will see "trusted" block, they will have the feeling, that the block is safer. It's quite the opposite. "unchecked" would be closer to reality but not scary enough to convince people that it should be avoided as much as possible. I still think that unsafe is a good choice. We can advertise better this feature without renaming it. |
What about something like "unwise" or "inadvisable"? If the intent is really to keep people away from its common use--but not so much as to outright prevent that use--"unsafe" may be too much of a judgment call on the quality of code written with that kind of block (i.e., an entirely unsafe practice) compared to a name that implies a standard preference? |
|
👍 for |
Adding to the madness: (un,non) |
@brocktopus: It's not unwise or inadvisable to use |
I barely have any context for the connotations of what the
|
If the name changes, I think it is important that the new name accurately describes what's going on, rather than relying on human fear. It's just telling the compiler "hey, I got this, you can go take a nap". If it also conveys that the operation is potentially risky, that's a happy benefit. Of the suggestions, I like |
-1. I like the way that I also think Whatever keyword is chosen, I think it should clearly suggest that the code it guards is more likely to do something bad/unsafe/buggy, while something like |
Unsafe does have precedence, as C# does the same thing: http://msdn.microsoft.com/en-US/library/t2yzs44b.aspx |
A small survey: Idris uses Haskell's got OCaml has |
This is a good point. Unsafe functions and unsafe blocks have different semantics, actually. Hrm. |
While I agree, I think this anxiety can come from social pressure, rather than being super inherent to the language itself. In other words, I think that the invariants are the most important information to convey, not the details. |
Dozens of conversations I've had with people just learning Rust disagree with you. I agree it's not hard to learn; but if people outside of Rust get confused, that's a good pointer that this is a bad name. Once you learn it, it's not that bad, but why not be clear what you mean from the start? |
I actually think |
the existing name,unsafe{}, makes perfect sense to me. There are safe operations(which the compiler can verify), vs unsafe operations (which you must test and verify by other means). |
I would also like to add some context here too: I have given more Rust presentations than anyone else that I know of (6? Anyone beat that?), on three continents. I've specifically been teaching people Rust for over a year, and have taught programming as a profession for a few years. I'm not saying that means that I'm correct, just that I may have run into this more than other people have, since Rust advocacy is a large part of what I do. I want to be clear that I think |
I think changing |
No, unsafe functions are different: you cannot use an unsafe function |
Both |
I dont think we should use If I had to change it, I would say that it should be called if we use the word And on a tangent, the quote is wrong in the "motivations" section:
We should never 'promise' that it is, because that could be misleading. The compiler makes us promises, it knows what it is doing; we may not know what we are doing, and we should not be making promises like that. But for |
@jcdyer Exactly, it has all the right connotations.
That's a great reason to call functions Edit: posting error |
How about Looks like this discussion has more points towards not renaming actually. I don't seem to see any reasonable argument here on why it needs renaming. It's a pretty keyword and does indeed associate with what it means. May be syntax needs to be made more horrid, like make user have to prefix each new line with a fn foo() {
!! hello();
!! and_die(void);
} Or, actually, may be requiring them to type the attribute like this instead? fn foo() {
#[UNSAFE] hello();
#[UNSAFE] and_die(void);
} |
By the way, has anyone attempted to propose |
|
I'm new to Rust.
I see analogy between unsafe and Java'a concept of checked exceptions. It's like unsafe function make context calling it unsafe. Using unsafe block you're getting back that assumption of safety, keeping it in you local context, unlike unsafe function. To summarize the difference is all about if safety could be guaranteed in a current context.
@ecl3ctic and @brandonson made great points on that differences explanations. |
when you try to explain what is |
I am closing this RFC. I still think that this is a poor name, but I plan on seriously revising this RFC anyway, and the discussion here will largely be irrelevant. I will open a new RFC when I have a better plan. Thank you all. |
You're welcome. IMO |
How about renaming them You wouldn't call them unsafe blocks, you'd call them blocks declared as safe by the programmer. In other words, explicitly safe blocks as opposed to implicitly safe blocks (everything else). |
I do not understand any of the arguments for using a positive word, the code in an |
|
Perfect, |
I don't understand the war against the On Mon, Dec 22, 2014 at 2:32 PM, Davis Silverman notifications@github.com
|
The basic issue is that Hence why I think the best way would be to decouple the two: keep |
Wouldn't |
|
|
@raindev Normal functions don't need to be trusted - the type system guarantees their safety. Only functions which may violate safety need a level of explicit trust. You're right that a |
if |
This entire topic seems like it should be used as the poster child for bike
The point of the language Forest. Trees. Cheers!
|
@nathanaschbacher great comment |
Tutorial: Fix typo in URL to tcp_connect documentation
* Fixes rust-lang#117 * Related to http://emberjs.com/blog/2016/01/23/core-team-face-to-face-january-2016.html#toc_rfc-improvements * Add "How We Teach This" section to RFCs * Make "Unresolved questions" optional but suggested * Move hat tip to the bottom, not important enough to be at the top * Replace manually curated "active" list with a link to the open PRs * Loosen language that implied *any* new API addition no matter how minor required an RFC * Add requirement that significant changes in Ember conventions or idiomatic programming style receive an RFC * Add emphasis to sections of the README * Drop outdated task of moving an RFC to the "completed" folder * Link to the core team notes for RFC discussions * Strengthen request for drawbacks
unsafe
blocks are one of Rust's most important features. However, the name "unsafe" doesn't properly communicate the intention of unsafe blocks. I propose we change the "unsafe" keyword to "trusted," initially deprecating it.