Skip to content

Added comments when using unsafe#1501

Closed
danieldyn wants to merge 1 commit intodimforge:mainfrom
danieldyn:explain-unsafe-usage
Closed

Added comments when using unsafe#1501
danieldyn wants to merge 1 commit intodimforge:mainfrom
danieldyn:explain-unsafe-usage

Conversation

@danieldyn
Copy link

@danieldyn danieldyn commented Mar 23, 2025

What changed?

Why?

To get issue #628 closer to being completely solved

@danieldyn danieldyn mentioned this pull request Mar 23, 2025
Open
Ralith
Ralith requested changes Mar 23, 2025
View reviewed changes
nalgebra-glm/src/common.rs
///
/// The floating-point value's bit-level representation is preserved.
///
/// Using unsafe is sound because the bitwise representation of f32 fits in i32
Copy link
Collaborator

@Ralith Ralith Mar 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This documentation goes inside the function, on the unsafe block. The use of unsafety in the implementation is not public; the purpose of the comment is to help a developer or auditor who is looking at the implementation.

nalgebra-glm/src/common.rs
///
/// The floating-point value's bit-level representation is preserved.
///
/// Using unsafe is sound because the bitwise representation of f32 fits in i32
Copy link
Collaborator

@Ralith Ralith Mar 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As above.

nalgebra-lapack/src/cholesky.rs
lapack_check!(info);

// Copy lower triangle to upper triangle.
// Using unsafe to ensure the bounds i and j are always valid indices,
Copy link
Collaborator

@Ralith Ralith Mar 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This comment doesn't make sense. The unsafe operation requires that the indices are in bounds; it does nothing to ensure that is actually the case. The comment should explain how we know it's the case.

nalgebra-lapack/src/cholesky.rs
}

/// This macro uses unsafe to manually ensure memory safety for external functions
/// For incorrectly sized and initialized matrices and arrays, undefined behavior will occur
Copy link
Collaborator

@Ralith Ralith Mar 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This comment seems to be arguing that the use of unsafety is incorrect. If that's true, then we should fix the unsoundness, not just declare its presence. Several similar looking instances below.

nalgebra-lapack/src/svd.rs


// Using unsafe to manually ensure memory safety for external function lapack_func
// Rust cannot check the slices' or raw poinnters' safety
Copy link
Collaborator

@Ralith Ralith Mar 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here and below, the comment must explain exactly what the safety invariants are, and how we know they're satisfied.

@danieldyn danieldyn closed this by deleting the head repository Oct 30, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Ralith Ralith Ralith requested changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@danieldyn @Ralith