Skip to content

refactor(allocator/vec): clarify comment#11071

Merged
graphite-app[bot] merged 1 commit intomainfrom
05-16-refactor_allocator_vec_clarify_comment
May 17, 2025
Merged

refactor(allocator/vec): clarify comment#11071
graphite-app[bot] merged 1 commit intomainfrom
05-16-refactor_allocator_vec_clarify_comment

Conversation

@overlookmotel
Copy link
Member

@overlookmotel overlookmotel commented May 16, 2025
edited
Loading

Follow-on after #10884. Clarify comment as to why as u32 is valid here.

@overlookmotel Graphite App
Copy link
Member Author

overlookmotel commented May 16, 2025
edited
Loading

How to use the Graphite Merge Queue

Add either label to this PR to merge it via the merge queue:

  • 0-merge - adds this PR to the back of the merge queue
  • hotfix - for urgent hot fixes, skip the queue and merge this PR next

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has enabled the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.

This stack of pull requests is managed by Graphite. Learn more about stacking.

This was referenced May 16, 2025
Merged
Merged
@github-actions github-actions bot added the C-cleanup Category - technical debt or refactoring. Solution not expected to change behavior label May 16, 2025
@overlookmotel overlookmotel mentioned this pull request May 16, 2025
Merged
@overlookmotel overlookmotel marked this pull request as ready for review May 16, 2025 12:48
@codspeed-hq
Copy link

codspeed-hq bot commented May 16, 2025
edited
Loading

CodSpeed Instrumentation Performance Report

Merging #11071 will not alter performance

Comparing 05-16-refactor_allocator_vec_clarify_comment (fc2f040) with main (ae15046)

Summary

✅ 36 untouched benchmarks

This was referenced May 16, 2025
Merged
Merged
Dunqing
Dunqing approved these changes May 16, 2025
View reviewed changes
Copy link
Member

@Dunqing Dunqing left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you! I understand a little bit how to write a caller guarantee related safety comment

This was referenced May 16, 2025
Merged
Closed
Closed
@overlookmotel
Copy link
Member Author

overlookmotel commented May 17, 2025
edited
Loading

I don't know if this helps, but the way I conceptualize it is:

Unsafe functions have a "contract". They require the caller to ensure the terms of the contract are always upheld. In return, the unsafe function promises that UB can't happen, if the caller keeps their side of the bargain.

Like a real-world legal contract, both sides (the function and its caller) need to understand the terms of the contract, and agree to them. When the caller calls the function in an unsafe { ... } block, it "signs" the contract, stating "I agree to these terms, and I solemnly promise never to break them."

The safety comments represent the contract and the signing of it.

  • /// # SAFETY comment on the unsafe function is the contract - it should explain exactly what are the terms of that contract.
  • // SAFETY: ... comment on code which calls the unsafe function is the "contract signing ceremony" - it should explain exactly how it can be sure that it'll always uphold the terms of the contract in all circumstances.

In addition:

Both safe and unsafe functions can provide guarantees, which should also be documented. e.g. Vec::reserve guarantees that after you call it with n, the Vec will have space for at least n additional elements. If it can't fulfill that promise, the doc comment should explain what it'll do (e.g. return Option::None, or panic).

When code calls an unsafe function, it can list the guarantees other functions provided as "evidence" that it's impossible it will ever break the safety contract.

Note: What makes a function unsafe is not that it includes unsafe code. What makes it an unsafe function is that it requires the caller to sign a contract.

Here's a silly example:

pub struct FourBytes {
    bytes: [u8; 4],
    /// Current index.
    /// SAFETY: Must always be less than 4.
    current_index: usize,
}

impl FourBytes {
    pub fn new() -> Self {
        // SAFETY: `current_index: 0` satisfies safety constraint
        // of the type that `current_index < 4`.
        Self { bytes: [11, 22, 33, 44], current_index: 0 }
    }

    /// Set current index, without bounds checks.
    ///
    /// # SAFETY
    /// `index` must be less than 4.
    unsafe fn set_current_index_unchecked(&mut self, index: usize) {
        self.current_index = index;
    }

    /// Get the current byte.
    fn get_current(&self) -> u8 {
        // SAFETY: `new` and `set_current_index_unchecked`
        // are the only methods which set `current_index`.
        // Both ensure `current_index` is never greater than 4,
        // so reading `self.bytes[self.current_index]` cannot be out of bounds.
        unsafe {
            *self.bytes.get_unchecked(self.current_index)
        }
    }
}

set_current_index_unchecked contains no unsafe code, but it's the method which is unsafe, because it is the one which requires the caller to "sign a contract".

get_current does contain unsafe code, but is not an unsafe function because it imposes no contract on the caller. It's soundness relies on the guarantees of the type / other methods.

@overlookmotel overlookmotel added the 0-merge Merge with Graphite Merge Queue label May 17, 2025
@overlookmotel Graphite App
Copy link
Member Author

overlookmotel commented May 17, 2025
edited by graphite-app bot
Loading

Merge activity

@overlookmotel
refactor(allocator/vec): clarify comment (#11071)
fc2f040 
Follow-on after #10884. Clarify comment as to why `as u32` is valid here.
@graphite-app graphite-app bot force-pushed the 05-16-refactor_allocator_vec_clarify_comment branch from c0bd73a to fc2f040 Compare May 17, 2025 10:16
@graphite-app graphite-app bot merged commit fc2f040 into main May 17, 2025
25 of 26 checks passed
@graphite-app graphite-app bot removed the 0-merge Merge with Graphite Merge Queue label May 17, 2025
@graphite-app graphite-app bot deleted the 05-16-refactor_allocator_vec_clarify_comment branch May 17, 2025 10:22
@oxc-bot oxc-bot mentioned this pull request May 20, 2025
Merged
@Dunqing
Copy link
Member

Dunqing commented May 22, 2025

I don't know if this helps, but the way I conceptualize it is:

Unsafe functions have a "contract". They require the caller to ensure the terms of the contract are always upheld. In return, the unsafe function promises that UB can't happen, if the caller keeps their side of the bargain.

Like a real-world legal contract, both sides (the function and its caller) need to understand the terms of the contract, and agree to them. When the caller calls the function in an unsafe { ... } block, it "signs" the contract, stating "I agree to these terms, and I solemnly promise never to break them."

The safety comments represent the contract and the signing of it.

  • /// # SAFETY comment on the unsafe function is the contract - it should explain exactly what are the terms of that contract.
  • // SAFETY: ... comment on code which calls the unsafe function is the "contract signing ceremony" - it should explain exactly how it can be sure that it'll always uphold the terms of the contract in all circumstances.

In addition:

Both safe and unsafe functions can provide guarantees, which should also be documented. e.g. Vec::reserve guarantees that after you call it with n, the Vec will have space for at least n additional elements. If it can't fulfill that promise, the doc comment should explain what it'll do (e.g. return Option::None, or panic).

When code calls an unsafe function, it can list the guarantees other functions provided as "evidence" that it's impossible it will ever break the safety contract.

Note: What makes a function unsafe is not that it includes unsafe code. What makes it an unsafe function is that it requires the caller to sign a contract.

Here's a silly example:

pub struct FourBytes {
    bytes: [u8; 4],
    /// Current index.
    /// SAFETY: Must always be less than 4.
    current_index: usize,
}

impl FourBytes {
    pub fn new() -> Self {
        // SAFETY: `current_index: 0` satisfies safety constraint
        // of the type that `current_index < 4`.
        Self { bytes: [11, 22, 33, 44], current_index: 0 }
    }

    /// Set current index, without bounds checks.
    ///
    /// # SAFETY
    /// `index` must be less than 4.
    unsafe fn set_current_index_unchecked(&mut self, index: usize) {
        self.current_index = index;
    }

    /// Get the current byte.
    fn get_current(&self) -> u8 {
        // SAFETY: `new` and `set_current_index_unchecked`
        // are the only methods which set `current_index`.
        // Both ensure `current_index` is never greater than 4,
        // so reading `self.bytes[self.current_index]` cannot be out of bounds.
        unsafe {
            *self.bytes.get_unchecked(self.current_index)
        }
    }
}

set_current_index_unchecked contains no unsafe code, but it's the method which is unsafe, because it is the one which requires the caller to "sign a contract".

get_current does contain unsafe code, but is not an unsafe function because it imposes no contract on the caller. It's soundness relies on the guarantees of the type / other methods.

I finally found time to review your comment. It's very helpful, for sure! Your explanation and example are very easy to understand! I am looking forward to writing more quite safe "unsafe code" 😂

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Dunqing Dunqing Dunqing approved these changes

Assignees

No one assigned

Labels

C-cleanup Category - technical debt or refactoring. Solution not expected to change behavior

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@overlookmotel @Dunqing