-
Notifications
You must be signed in to change notification settings - Fork 122
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Suggestion: New attribute for functions without any memory safety invariants #1438
Comments
I'm not sure how metadata could attribute APIs as "safe" and somehow make that work across Ecmascript, C++, C#, Rust, Dart, Zig, Beef, etc. It may be useful to figure out what "safe" means across all these languages and come up with more granular set of common attributes we could apply. (For example, we could mark an API as [DoesX] and [DoesntDoY].) Projection authors can then decide if that meets their definition of "safe". The metadata team is currently focused on basic API issues so I don't see this happening anytime soon. Will close this for now but feel free to continue the discussion/propose something a bit more actionable. |
Sure thing :) I can see why you wouldn't be in a hurry to make a design for this. I'd say there's a pretty strong middle ground in each of the languages' needs though! I'm going to pop a few notes here since I doubt I'll return to this soon either. I'd want to explore a
For forwards/backwards compatibility we'd also want to think about subtyping between effects. In the future we might want |
If projects/APIs start to get annotated with a |
See microsoft/windows-rs#1506 for how this would be useful in the Rust bindings.
Plenty of windows' APIs cant possibly break memory safety, as they check all of their invariants internally and error out if there's any problem. For example,
GetStdHandle
can be safely (as defined by Rust) called at any time. However, the generated bindings must pessimistically include theunsafe
attribute:Outside of the Rust ecosystem, it is generally useful to be able to recognize these "encapsulated" APIs. They can be called with predictable effects with much less scrutiny over their documentation.
A
safe
attribute could trivially be added to checked handle-based APIs likeGetStdHandle
, but I would also hope that we'd add them to APIs with enough type information to uphold pointer invariants etc.The text was updated successfully, but these errors were encountered: