When dealing with unsafe code, the containing module has to ensure safety by upholding invariants. To make this feasible, the module should be as small as possible, only containing the unsafe functionality and the code necessary to uphold the guarantees, and embedding this in a larger module that can safely use the abstraction.
This keeps the code needed for an unsafe audit in manageable size.
When dealing with
unsafe
code, the containing module has to ensure safety by upholding invariants. To make this feasible, the module should be as small as possible, only containing the unsafe functionality and the code necessary to uphold the guarantees, and embedding this in a larger module that can safely use the abstraction.This keeps the code needed for an unsafe audit in manageable size.