-
-
Notifications
You must be signed in to change notification settings - Fork 132
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(lib): add forbid_unsafe
feature to disable unsafe code
#413
Conversation
Thanks for your detailed PR and comment! This work looks good and legit to me, but I think three important things are missing:
Thanks for your work on this :-) |
PS: note that the tests are currently failing, so fixing them is the priority :-) |
Oops, I had run tests only against the logos crate itself and not the workspace. I'll work on fixing those now, looks like it is failing because I entirely removed
I'll additionally do something about the unsafety of the Source trait so safe code can't cause UB in unsafe code (note this would mean an API change, because by default the entire Source trait will need to be marked unsafe). This will take a few commits to accomplish so I've changed this over to a draft until its ready for review. |
allow_unsafe
featureforbid_unsafe
feature
Will name it |
…and macro is re-exported
This now runs tests and benchmarks against both the default feature set and the new The remaining work is to split the unsafe code into new UnsafeSource and UnsafeChunk traits. That will remove the conditional compilation from the existing Source and Chunk traits, which will expose only a safe interface. Implementers of a custom source may then additionally opt-in to implementing the two new unsafe traits to enable the faster code paths (taking responsibility for any UB caused by incorrect implementation). Splitting the traits out will remove several conditional compilation attributes and will also work better with the rustdoc generator. As I have it right now, rustdoc can't document that some trait functions depend on features. Also, changing the API based on a feature is a little weird, so this approach will avoid that too. So some refactors and some documentation and then this will be ready for review. |
Thanks for your work @davidkern! Please ping me back when it's ready for a review :-) |
Will do! I've also been busy, but will have some more time to finish this up toward the end of the week. |
@jeertmans Sorry for the delay getting back to this. I think this just needed some documentation, which I've now added. I did try to split up the Source trait - but this was causing more issues than it seemed to be solving, so I've instead added a safety note to that trait's documentation. In terms of merge order, the other PR fixing the benchmark testing should go in first - that will make sure this one gets a good benchmarking run after merge, which should test out both the original unsafe code as well as the new safe-only code paths. Please let me know if you'd like to see any changes or adjustments to the documentation! |
@davidkern thanks so much for this work! The design you arrived at does meet my needs: by requiring the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks great, thanks! Let’s see what @pchickey has to say about this :)
The PR looks great @davidkern! Please reformat the code so linting and formatting checks both pass. Then, I think we can merge this :-) |
I really should add That should do it... |
forbid_unsafe
featureforbid_unsafe
feature to disable unsafe code
Looks great @davidkern, thank you for your contribution :-) |
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [logos](https://logos.maciej.codes/) ([source](https://redirect.github.com/maciejhirsz/logos)) | dependencies | patch | `0.14.1` -> `0.14.2` | --- ### Release Notes <details> <summary>maciejhirsz/logos (logos)</summary> ### [`v0.14.2`](https://redirect.github.com/maciejhirsz/logos/releases/tag/v0.14.2): - Optional `forbid_unsafe` feature, fuzzing, book, and more! [Compare Source](https://redirect.github.com/maciejhirsz/logos/compare/v0.14.1...v0.14.2) #### What's Changed - chore(book): added link to Rust's reference by [@​CommanderStorm](https://redirect.github.com/CommanderStorm) in [https://github.com/maciejhirsz/logos/pull/411](https://redirect.github.com/maciejhirsz/logos/pull/411) - feat: impl Source for T: Deref in no_std by [@​yjhmelody](https://redirect.github.com/yjhmelody) in [https://github.com/maciejhirsz/logos/pull/406](https://redirect.github.com/maciejhirsz/logos/pull/406) - fix(codegen/regex): allow vec growth on parse by [@​LeoDog896](https://redirect.github.com/LeoDog896) in [https://github.com/maciejhirsz/logos/pull/405](https://redirect.github.com/maciejhirsz/logos/pull/405) - test: basic fuzzing by [@​LeoDog896](https://redirect.github.com/LeoDog896) in [https://github.com/maciejhirsz/logos/pull/407](https://redirect.github.com/maciejhirsz/logos/pull/407) - feat(lib): add `forbid_unsafe` feature to disable unsafe code by [@​davidkern](https://redirect.github.com/davidkern) in [https://github.com/maciejhirsz/logos/pull/413](https://redirect.github.com/maciejhirsz/logos/pull/413) - chore(version): release v0.14.2 by [@​jeertmans](https://redirect.github.com/jeertmans) in [https://github.com/maciejhirsz/logos/pull/422](https://redirect.github.com/maciejhirsz/logos/pull/422) #### New Contributors - [@​CommanderStorm](https://redirect.github.com/CommanderStorm) made their first contribution in [https://github.com/maciejhirsz/logos/pull/411](https://redirect.github.com/maciejhirsz/logos/pull/411) - [@​yjhmelody](https://redirect.github.com/yjhmelody) made their first contribution in [https://github.com/maciejhirsz/logos/pull/406](https://redirect.github.com/maciejhirsz/logos/pull/406) - [@​davidkern](https://redirect.github.com/davidkern) made their first contribution in [https://github.com/maciejhirsz/logos/pull/413](https://redirect.github.com/maciejhirsz/logos/pull/413) **Full Changelog**: maciejhirsz/logos@v0.14.1...v0.14.2 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/akrantz01/antsi). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC44MC4wIiwidXBkYXRlZEluVmVyIjoiMzguODAuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
See Issue: #398
As discussed in the linked issue, this PR adds an
allow_unsafe
feature and gates all unsafe code on it.This does not include that feature in the default features, so the effect of this PR would be to effectively remove unsafe code from logos unless it is opted-in.
There should be a discussion (on the issue) of the right strategy to roll this out. Removing
unsafe
code immediately might not be the best option.There is an additional issue with the
Source
trait which this PR does not currently resolve.Benchmarks
Throughput of the benches for this PR and the original code (in GiB/s). Method: bench was run on release build four times, alternating between toggling
allow_unsafe
on and off. No extra effort was made to quiesce the machine other than just close other desktop apps.It'd be very beneficial to get benchmarks on other CPUs, given the surprising result for the i7.
Mac M3 Air
Disabling unsafe code does slow down throughput by a small amount, though not as much as I anticipated.
i7-7700HQ (Alienware 13 R3)
I did not expect this result, at all. I suspect the compiler is able to take an optimization it otherwise couldn't, but I've not investigated why yet.
Next steps
Source
unsafe if unsafe code is enabled - I think I have to duplicate the entire trait under acfg
because you can't conditionally compile an effect (unsafe) afaikread_byte_unchecked
use is emitted by the code generator, will need to bring it back and also introduce a safe alternative