Deny unsafe code in most of the code base #3824
Comments
alice-i-cecile
added
C-Code-Quality
|
It should be at most I think this lint is better left to code reviews. It's unlikely unsafe code is going to be accepted without providing a reason for it anyway. |
|
Fwiw, I'm in favour of My counterexample to it being code review would be This should (probably?) not be a manual System implementation. (I've not fixed that myself yet since I have other PRs open which would conflict IIRC, and honestly the whole fixed timestep solution needs a more thorough overhaul)
(That being said, this was added in a cart PR, so it's unclear how thoroughly it would have been reviewed anyway; would the change to |
|
#3893 removes the dynamic plugin functionality, and with it a large amount of |
alice-i-cecile
added
A-Cross-Cutting
# Objective Resolves #3824. `unsafe` code should be the exception, not the norm in Rust. It's obviously needed for various use cases as it's interfacing with platforms and essentially running the borrow checker at runtime in the ECS, but the touted benefits of Bevy is that we are able to heavily leverage Rust's safety, and we should be holding ourselves accountable to that by minimizing our unsafe footprint. ## Solution Deny `unsafe_code` workspace wide. Add explicit exceptions for the following crates, and forbid it in almost all of the others. * bevy_ecs - Obvious given how much unsafe is needed to achieve performant results * bevy_ptr - Works with raw pointers, even more low level than bevy_ecs. * bevy_render - due to needing to integrate with wgpu * bevy_window - due to needing to integrate with raw_window_handle * bevy_utils - Several unsafe utilities used by bevy_ecs. Ideally moved into bevy_ecs instead of made publicly usable. * bevy_reflect - Required for the unsafe type casting it's doing. * bevy_transform - for the parallel transform propagation * bevy_gizmos - For the SystemParam impls it has. * bevy_assets - To support reflection. Might not be required, not 100% sure yet. * bevy_mikktspace - due to being a conversion from a C library. Pending safe rewrite. * bevy_dynamic_plugin - Inherently unsafe due to the dynamic loading nature. Several uses of unsafe were rewritten, as they did not need to be using them: * bevy_text - a case of `Option::unchecked` could be rewritten as a normal for loop and match instead of an iterator. * bevy_color - the Pod/Zeroable implementations were replaceable with bytemuck's derive macros.
What problem does this solve or what need does it fill?
While undeniably useful and often irreplaceable, unsafe code is inherently challenging to audit and maintain.
Uses of unsafe code outside of the core engine crate should not be necessary; safe APIs for missing functionality should be exposed instead.
What solution would you like?
Add
#![deny(unsafe_code)]annotations to most bevy crates at the top of lib.rs.There are a few clear exceptions:
bevy_ecsbevy_crevicebevy_derivebevy_reflectThere are some surprising usages of
unsafethat should be handled in one form or another.bevy_render: used for working with raw window handlesbevy_dynamic_plugin+bevy_appbevy_core: used for fixed timestep run criteria...bevy_transform: used for working with entity hierarchies (Entity-entity relations 🌈 #3742 please...)bevy_winitandbevy_ui: used to manually impl Send and Sync for external typesbevy_tasks: used to transmute an executor lifetime to 'staticbevy_log: used to log messages for AndroidEach of these should be rewritten if feasible, or explicitly allowed if not.
Alternatives
We could use
#![forbid(unsafe_code)]instead, but the ability to allow unsafe in carefully thought-out one-off instances is probably too valuable for many of these crates.We could use #![warn(unsafe_code)] instead: keeping it at warning won't be a bother when you want to try things out locally, and Bevy CI will deny warnings.
The text was updated successfully, but these errors were encountered: