As Alice already replied, there should be no issue with having an `unsafe` function in an Abstraction. But we should strive for them to be as few as possible. > I am in no way disagreeing with the use of safe abstractions, but I think we > should have abstractions where they make sense. This is the case in the vast > majority of times, but not in *all* of them. > > A simple example is a MMIO read or write. Should a driver be forbidden to call > readX/writeX for an address it knows to be valid? How can you possibly write an > abstraction for this, when the driver is the only one aware of the actual > device addresses, and when the driver author is the person with actual access > to the HW docs? One idea that I have in this concrete example would be to make the driver specify in exactly one place what the addresses are that are read/writeable. If there are devices with dynamic addresses, then we could additionally provide an `unsafe` API, but link to the safe one for people to prefer. > If a driver is written partially in Rust, and partially in C, and it gets a > pointer to some kcallocâ??d memory in C, should It be forbidden to use unsafe > in order to build a slice from that pointer? How can you possibly design a > general abstraction for something that is, essentially, a driver-internal API? This also would be a good example for an exception of (3). In this case, you could still write a driver-specific abstraction that does everything under the hood and then every place in the driver can use the safe abstraction. > For these corner cases, a simple safety comment should suffice. By all means, > let's strive to push as much of the unsafe bits into the kernel crate. But, > IMHO, we shouldnâ??t treat Rust drivers as some unprivileged entity, theyâ??re > also kernel code, after all. That is true, but I want to prevent that we just "ship it" and then a couple of days later it turns out that there was a good abstraction after all. I personally like to spend a lot of time thinking about safe abstractions before giving in to `unsafe`, but I understand that we need to find a balance. In the end, we can also always change things. But when something lands, it most of the time won't get people thinking about whether there is a better way of doing things. Not unless the status quo is annoying/burdensome, at which point it already "was too late", ie there could have been more thought at the beginning. --- Cheers, Benno
