1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100
//! # Reduce unsafe code and detect soundness bugs with equivalence checks against safe code //! //! For discussions on this idea see the RFC on the [Rust Internals forum](https://internals.rust-lang.org/t/rfc-use-cfg-reduce-unsafe-to-signal-preference-of-safe-code-over-performance/11648) and [Rust Secure Code Working Group](https://github.com/rust-secure-code/wg/issues/35). //! //! To indicate preference of safety over performance: add `--cfg reduce_unsafe` to your `RUSTFLAGS`. //! //! `reduce_unsafe::unchecked!` runs the unsafe code unless the `--cfg reduce_unsafe` flag is present. //! //! `reduce_unsafe::checked!` uses `debug_assertions` to decide between `reduce_unsafe::unchecked!` and running both branches and panics if they diverge. //! //! If you have unsafe code which you believe is sound which could be implemented (slower) with safe code, consider using the `reduce_unsafe::checked!` or `reduce_unsafe::unchecked!` macros or `#[cfg(reduce_unsafe)]` attribute. //! //! ```rust //! # use core::str; //! # let bytes = b"hello world"; //! let my_str = unsafe { //! str::from_utf8_unchecked(bytes) //! }; //! ``` //! //! becomes //! //! ```rust //! # use core::str; //! # let bytes = b"hello world"; //! let my_str = reduce_unsafe::checked!( //! unsafe { str::from_utf8_unchecked(bytes) }, //! str::from_utf8(bytes).expect("BUG: unsound unsafe code detected") //! ); //! ``` //! //! or if the returned type does not implement `PartialEq` or there are visible side effects //! //! ```rust //! # use core::str; //! # let bytes = b"hello world"; //! let my_str = reduce_unsafe::unchecked!( //! unsafe { str::from_utf8_unchecked(bytes) }, //! str::from_utf8(bytes).expect("BUG: unsound unsafe code detected") //! ); //! ``` #[macro_export] macro_rules! unchecked { ($unsafe_:expr, $safe:expr) => {{ #[cfg(not(reduce_unsafe))] macro_rules! __reduce_unsafe_internal { () => { $unsafe_ } } #[cfg(reduce_unsafe)] macro_rules! __reduce_unsafe_internal { () => { $safe } } __reduce_unsafe_internal!() }} } #[macro_export] macro_rules! checked { ($unsafe_:expr, $safe:expr) => {{ #[cfg(not(debug_assertions))] macro_rules! __reduce_unsafe_internal { () => { $crate::unchecked!($unsafe_, $safe) } } #[cfg(debug_assertions)] macro_rules! __reduce_unsafe_internal { () => {{ let unsafe_ = $unsafe_; let safe = $safe; debug_assert_eq!(unsafe_, safe); unsafe_ }} } __reduce_unsafe_internal!() }} } #[test] #[cfg_attr(reduce_unsafe, should_panic)] fn unchecked() { let b = b"hello world\xff"; let s = unchecked!( unsafe { core::str::from_utf8_unchecked(b) }, core::str::from_utf8(b).expect("BUG: unsound unsafe code detected") ); assert_eq!(s.len(), 12); } #[test] #[should_panic] fn checked() { let b = b"hello world\xff"; let _ = checked!( unsafe { core::str::from_utf8_unchecked(b) }, core::str::from_utf8(b).expect("BUG: unsound unsafe code detected") ); unreachable!(); }