missing_unsafe_doc, explain why an unsafe block is safe/sound · Issue #7464 · rust-lang/rust-clippy (original) (raw)

What it does

Kinda like missing_safety_doc, but this lint would warn about a missing comment on each unsafe {} block, for which a comment must exist explaining why the unsafe block is safe/sound.

Categories (optional)

• Kind: style

What is the advantage of the recommended code over the original code

There'd be no recommended code, but the lint would suggest adding

To the new code as a start. The lint would also raise a warning if that comment is copied verbatim.

Drawbacks

This would be rather bothersome to those who know what they're doing, or only make small unsafe blocks all around.

Example

pub(crate) fn coerce(ffi_pointer: *const usize) -> T { unsafe { some_unchecked_function(pointer) } }

Could be written as:

pub(crate) fn coerce(ffi_pointer: *const usize) -> T { // Safety: function visibility is crate-internal, ffi_pointer could only be constructed in this crate. unsafe { some_unchecked_function(pointer) } }

The following code would still raise a warning (not because of what transmute is doing here, but because the safety comment still has "[...]", as suggested. The developer would need to update it with an actual sentence.);

// Safety: [...] let totally_a_usize = unsafe { std::mem::transmute::<String, usize>(string) };