reduce_unsafe/
lib.rs

1//! # Reduce unsafe code and detect soundness bugs with equivalence checks against safe code
2//!
3//! For discussions on this idea see the RFC on the [Rust Internals forum](https://internals.rust-lang.org/t/rfc-use-cfg-reduce-unsafe-to-signal-preference-of-safe-code-over-performance/11648) and [Rust Secure Code Working Group](https://github.com/rust-secure-code/wg/issues/35).
4//!
5//! To indicate preference of safety over performance: add `--cfg reduce_unsafe` to your `RUSTFLAGS`.
6//!
7//! `reduce_unsafe::unchecked!` runs the unsafe code unless the `--cfg reduce_unsafe` flag is present.
8//!
9//! `reduce_unsafe::checked!` uses `debug_assertions` to decide between `reduce_unsafe::unchecked!` and running both branches and panics if they diverge.
10//!
11//! If you have unsafe code which you believe is sound which could be implemented (slower) with safe code, consider using the `reduce_unsafe::checked!` or `reduce_unsafe::unchecked!` macros or `#[cfg(reduce_unsafe)]` attribute.
12//!
13//! ```rust
14//! # use core::str;
15//! # let bytes = b"hello world";
16//! let my_str = unsafe {
17//!     str::from_utf8_unchecked(bytes)
18//! };
19//! ```
20//!
21//! becomes
22//!
23//! ```rust
24//! # use core::str;
25//! # let bytes = b"hello world";
26//! let my_str = reduce_unsafe::checked!(
27//!     unsafe { str::from_utf8_unchecked(bytes) },
28//!     str::from_utf8(bytes).expect("BUG: unsound unsafe code detected")
29//! );
30//! ```
31//!
32//! or if the returned type does not implement `PartialEq` or there are visible side effects
33//!
34//! ```rust
35//! # use core::str;
36//! # let bytes = b"hello world";
37//! let my_str = reduce_unsafe::unchecked!(
38//!     unsafe { str::from_utf8_unchecked(bytes) },
39//!     str::from_utf8(bytes).expect("BUG: unsound unsafe code detected")
40//! );
41//! ```
42
43#[macro_export]
44macro_rules! unchecked {
45    ($unsafe_:expr, $safe:expr) => {{
46        #[cfg(not(reduce_unsafe))]
47        macro_rules! __reduce_unsafe_internal {
48            () => { $unsafe_ }
49        }
50        #[cfg(reduce_unsafe)]
51        macro_rules! __reduce_unsafe_internal {
52            () => { $safe }
53        }
54        __reduce_unsafe_internal!()
55    }}
56}
57
58#[macro_export]
59macro_rules! checked {
60    ($unsafe_:expr, $safe:expr) => {{
61        #[cfg(not(debug_assertions))]
62        macro_rules! __reduce_unsafe_internal {
63            () => {
64                $crate::unchecked!($unsafe_, $safe)
65            }
66        }
67        #[cfg(debug_assertions)]
68        macro_rules! __reduce_unsafe_internal {
69            () => {{
70                let unsafe_ = $unsafe_;
71                let safe = $safe;
72                debug_assert_eq!(unsafe_, safe);
73                unsafe_
74            }}
75        }
76        __reduce_unsafe_internal!()
77    }}
78}
79
80#[test]
81#[cfg_attr(reduce_unsafe, should_panic)]
82fn unchecked() {
83    let b = b"hello world\xff";
84    let s = unchecked!(
85        unsafe { core::str::from_utf8_unchecked(b) },
86        core::str::from_utf8(b).expect("BUG: unsound unsafe code detected")
87    );
88    assert_eq!(s.len(), 12);
89}
90
91#[test]
92#[should_panic]
93fn checked() {
94    let b = b"hello world\xff";
95    let _ = checked!(
96        unsafe { core::str::from_utf8_unchecked(b) },
97        core::str::from_utf8(b).expect("BUG: unsound unsafe code detected")
98    );
99    unreachable!();
100}