kud1ing / rucaja

Calling the JVM from Rust via JNI
https://docs.rs/rucaja
Apache License 2.0

Reduce `unsafe` from the function declarations to smallest possible `unsafe` blocks #20

Closed kud1ing closed 6 years ago

kud1ing commented 6 years ago

Should we hide unsafe inside the functions, or is it more honest/beneficial to leak unsafe in the function declarations as it is?

Discussion from the perspective of continuing to leak unsafeness:

fpoli commented 6 years ago

As a general rule I would prefer to expose the unsafe whenever Rucaja is possibly unsafe. That is, a crash / undefined behavior that happens while using a safe Rucaja function should be a bug of Rucaja.

treyzania commented 6 years ago

@fpoli That's true. Like how you can do magic things like Vec::from_raw_parts. But if we can make some Rucaja functionality definitely safe for some subset of behavior then it absolutely makes sense to wrap it with safe, idiomatic Rust.

fpoli commented 6 years ago

I agree

kud1ing commented 6 years ago

I made up my mind and I agree that we should reduce the scope of unsafeness as much as possible.

We should prevent invalid usage of JNI, as we currently never store raw null-pointers. Crashes and unexpected null-pointer-exceptions in Java-land are bugs.
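The pattern the thread converges on, as an added Rust example that is not Rucaja's code: the raw JNI-style call stays `unsafe` and private to the crate, the `unsafe` block shrinks to the single call whose preconditions the wrapper has just established, and a null handle from the raw layer becomes a Rust error instead of a stored null pointer. `FakeEnv` and `raw_find_class` are constructed stand-ins for a JNIEnv and its `FindClass` entry, so the example runs without a JVM.

```rust
use std::ffi::{c_char, c_void, CStr, CString};
use std::ptr::NonNull;

/// Constructed stand-in for a JNIEnv: it knows two class names and hands out
/// opaque, non-null handles for them (a real wrapper would call the JVM here).
pub struct FakeEnv {
    known: Vec<(&'static str, Box<u8>)>,
}

impl FakeEnv {
    pub fn new() -> FakeEnv {
        let known = vec![("java/lang/String", Box::new(0u8)), ("java/lang/Object", Box::new(1u8))];
        FakeEnv { known }
    }
}

/// Raw JNI-style call: unsafe because it dereferences raw pointers and may
/// return null. This is the layer the issue wants kept inside the crate.
unsafe fn raw_find_class(env: *mut FakeEnv, name: *const c_char) -> *mut c_void {
    let env = &*env; // UB if `env` is null or dangling
    let name = CStr::from_ptr(name); // UB if `name` is not NUL-terminated
    env.known
        .iter()
        .find(|(k, _)| k.as_bytes() == name.to_bytes())
        .map(|(_, h)| &**h as *const u8 as *mut c_void)
        .unwrap_or(std::ptr::null_mut())
}

#[derive(Debug, PartialEq)]
pub enum JniError {
    InteriorNul,
    ClassNotFound(String),
}

/// A class handle that is non-null by construction: callers never see the raw null.
#[derive(Debug)]
pub struct ClassRef(NonNull<c_void>);

/// Safe public surface: every precondition of the raw call is checked here.
pub struct Env(FakeEnv);

impl Env {
    pub fn new() -> Env {
        Env(FakeEnv::new())
    }

    pub fn find_class(&mut self, name: &str) -> Result<ClassRef, JniError> {
        // Interior NUL would truncate the name at the C boundary; reject it up front.
        let cname = CString::new(name).map_err(|_| JniError::InteriorNul)?;
        // The only unsafe block: both pointers are valid for exactly this call.
        let raw = unsafe { raw_find_class(&mut self.0, cname.as_ptr()) };
        NonNull::new(raw)
            .map(ClassRef)
            .ok_or_else(|| JniError::ClassNotFound(name.to_string()))
    }
}
```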

kud1ing commented 6 years ago

Fixed by https://github.com/kud1ing/rucaja/commit/55c32ab2ca252912d2ffecc18ce44be7781e0e5f