1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100

//! # Reduce unsafe code and detect soundness bugs with equivalence checks against safe code
//!
//! For discussions on this idea see the RFC on the [Rust Internals forum](https://internals.rust-lang.org/t/rfc-use-cfg-reduce-unsafe-to-signal-preference-of-safe-code-over-performance/11648) and [Rust Secure Code Working Group](https://github.com/rust-secure-code/wg/issues/35).
//!
//! To indicate preference of safety over performance: add `--cfg reduce_unsafe` to your `RUSTFLAGS`.
//!
//! `reduce_unsafe::unchecked!` runs the unsafe code unless the `--cfg reduce_unsafe` flag is present.
//!
//! `reduce_unsafe::checked!` uses `debug_assertions` to decide between `reduce_unsafe::unchecked!` and running both branches and panics if they diverge.
//!
//! If you have unsafe code which you believe is sound which could be implemented (slower) with safe code, consider using the `reduce_unsafe::checked!` or `reduce_unsafe::unchecked!` macros or `#[cfg(reduce_unsafe)]` attribute.
//!
//! ```rust
//! # use core::str;
//! # let bytes = b"hello world";
//! let my_str = unsafe {
//!     str::from_utf8_unchecked(bytes)
//! };
//! ```
//!
//! becomes
//!
//! ```rust
//! # use core::str;
//! # let bytes = b"hello world";
//! let my_str = reduce_unsafe::checked!(
//!     unsafe { str::from_utf8_unchecked(bytes) },
//!     str::from_utf8(bytes).expect("BUG: unsound unsafe code detected")
//! );
//! ```
//!
//! or if the returned type does not implement `PartialEq` or there are visible side effects
//!
//! ```rust
//! # use core::str;
//! # let bytes = b"hello world";
//! let my_str = reduce_unsafe::unchecked!(
//!     unsafe { str::from_utf8_unchecked(bytes) },
//!     str::from_utf8(bytes).expect("BUG: unsound unsafe code detected")
//! );
//! ```

#[macro_export]
macro_rules! unchecked {
    ($unsafe_:expr, $safe:expr) => {{
        #[cfg(not(reduce_unsafe))]
        macro_rules! __reduce_unsafe_internal {
            () => { $unsafe_ }
        }
        #[cfg(reduce_unsafe)]
        macro_rules! __reduce_unsafe_internal {
            () => { $safe }
        }
        __reduce_unsafe_internal!()
    }}
}

#[macro_export]
macro_rules! checked {
    ($unsafe_:expr, $safe:expr) => {{
        #[cfg(not(debug_assertions))]
        macro_rules! __reduce_unsafe_internal {
            () => {
                $crate::unchecked!($unsafe_, $safe)
            }
        }
        #[cfg(debug_assertions)]
        macro_rules! __reduce_unsafe_internal {
            () => {{
                let unsafe_ = $unsafe_;
                let safe = $safe;
                debug_assert_eq!(unsafe_, safe);
                unsafe_
            }}
        }
        __reduce_unsafe_internal!()
    }}
}

#[test]
#[cfg_attr(reduce_unsafe, should_panic)]
fn unchecked() {
    let b = b"hello world\xff";
    let s = unchecked!(
        unsafe { core::str::from_utf8_unchecked(b) },
        core::str::from_utf8(b).expect("BUG: unsound unsafe code detected")
    );
    assert_eq!(s.len(), 12);
}

#[test]
#[should_panic]
fn checked() {
    let b = b"hello world\xff";
    let _ = checked!(
        unsafe { core::str::from_utf8_unchecked(b) },
        core::str::from_utf8(b).expect("BUG: unsound unsafe code detected")
    );
    unreachable!();
}