This is a place for people to communicate about auditing unsafe code in core Rust crates and replacing it with safe code where feasible.

Everyone is invited to participate! You do not have to be an unsafe expert to help out. There's a lot of work to do just picking crates (ones with a lot of reverse-dependencies are best), and then sorting out where they use unsafe and why. If you think something isn't right just post it in the tracking issue and others can have a look and talk it out.
Our process is as follows:

1) File a tracking issue in this repo about a particular crate, giving its name and a link to their github (or other repository location).

2) Audit unsafe usage in that crate.

- If there are unsafe blocks, it gets harder: you have to carefully determine if the unsafe is being used appropriately. We've been requesting Clippy lints for known antipatterns, so running `cargo +nightly clippy` is a good starting point. If you don't know if a certain unsafe block is okay, post the questionable block in a comment in the tracking issue here and someone else can have a look too, or ask in #black-magic on Rust Community Discord.

3) When problems are found with an unsafe block we want to file bug reports in that crate's repo, send PRs with fixes if possible, and also write up security advisories if necessary.

- If an unsafe block is sound, but can be converted to safe code without losing performance, that's a great thing to do! This is often the case thanks to Rust adding new safe abstractions and improving the optimizer since the code was originally written.
- Sometimes the unsafe can't be eliminated without a performance loss. Unfortunate, but it will happen some of the time. Note that benchmarks must actually be used to back up any performance loss claims. There are already many cases where switching from unsafe to safe alternatives has increased performance, so simply guessing that performance will regress is not enough.

4) Once the crate no longer contains any unsafe, add a `#![forbid(unsafe_code)]` attribute to its `src/lib.rs` or `main.rs`.
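As an added example (not code from this repo or from any of the crates listed below), here is the kind of conversion step 3 describes and the lint step 4 asks for: a sound but hand-audited `unsafe` block that skips bounds checks, next to an equivalent version written entirely in safe code under `forbid(unsafe_code)`. The names `word_sum_unsafe` and `safe::word_sum` are assumptions made up for this example.

```rust
// Both functions sum the little-endian u32 words of a byte slice with
// wrapping arithmetic and fold in any trailing partial word zero-padded.
// (Hypothetical example, not from the safety-dance repository.)

/// "Before": an unsafe block that is sound only because the index
/// arithmetic is guaranteed by the loop bound; an auditor has to verify
/// that reasoning by hand every time the code changes.
pub fn word_sum_unsafe(data: &[u8]) -> u32 {
    let mut acc: u32 = 0;
    let full = data.len() / 4;
    for i in 0..full {
        // SAFETY: i * 4 + 4 <= data.len() because i < data.len() / 4.
        let bytes = unsafe { data.get_unchecked(i * 4..i * 4 + 4) };
        acc = acc.wrapping_add(u32::from_le_bytes([bytes[0], bytes[1], bytes[2], bytes[3]]));
    }
    let rest = &data[full * 4..];
    let mut tail = [0u8; 4];
    tail[..rest.len()].copy_from_slice(rest);
    acc.wrapping_add(u32::from_le_bytes(tail))
}

/// "After": the same computation with no `unsafe` at all. `chunks_exact`
/// yields slices of exactly 4 bytes, so the optimizer can drop the bounds
/// checks, and `remainder()` gives the leftover bytes. The lint attribute
/// is what step 4 puts at a crate root; here it is scoped to a module so
/// the two versions can live in one file.
#[forbid(unsafe_code)]
pub mod safe {
    pub fn word_sum(data: &[u8]) -> u32 {
        let mut chunks = data.chunks_exact(4);
        let mut acc: u32 = 0;
        for c in &mut chunks {
            acc = acc.wrapping_add(u32::from_le_bytes([c[0], c[1], c[2], c[3]]));
        }
        let rest = chunks.remainder();
        let mut tail = [0u8; 4];
        tail[..rest.len()].copy_from_slice(rest);
        acc.wrapping_add(u32::from_le_bytes(tail))
    }
}
```

Whether the safe version is also as fast has to be shown with a benchmark on the real crate, as step 3 notes; the point here is that the two agree on every input, including an empty slice and a trailing partial word.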
After doing that, help others discover Safety Dance by adding a badge to your README.md. Markdown code:

[![unsafe forbidden](https://img.shields.io/badge/unsafe-forbidden-success.svg)](https://github.com/rust-secure-code/safety-dance/)
Check out the safety improvements already done!

- GIF image encoder/decoder written in Rust (tracking issue). 100% safety blocked by Polonius integration in rustc. Done by: Shnatsel
- A streaming compression/decompression library for DEFLATE-based streams in Rust. Has C and Rust backends (tracking issue). Done by: oyvindln, Shnatsel, Alex Crichton
- A general purpose library of common HTTP types (tracking issue). Done by: Qwaz, Sean McArthur
- Image operations and conversions to/from image formats (tracking issue). The remaining unsafe blocks are inherent and cannot be removed. They have been audited and found to be sound. Done by: fintelia, HeroicKatora, 64
- Popular DEFLATE compression/decompression library (tracking issue). Done by: DevQps, Shnatsel, WanzenBug, mleonhard
- The fastest DEFLATE compression/decompression library in Rust, backend for flate2 (tracking issue)
- Fast and memory saving bsdiff 4.x compatible delta compressor and patcher (tracking issue). Done by: Nicolas Braud-Santoni
- A spinlock for Rust (tracking issue). `spin::RwLock` found to be unsound, completely rewritten based on Facebook's Folly implementation, new implementation audited for soundness. `spin::Once` audited and found sound as of version 0.5.2. Done by: Matt Taylor, Acrimon
- Suffix array construction and searching algorithms for in-memory binary data (tracking issue). Done by: Nicolas Braud-Santoni
You can help by:

- auditing crates that have unsafe in them

Check out what's in progress or pick up a work item on the issue tracker!