On 08.08.24 15:10, Daniel Almeida wrote:
> Hi Benno,
>
>>
>> I will try to rephrase this, tell me if it helps. When checking if an
>> API is sound, you are not allowed to change the code behind the API.
>> That is because `unsafe` code often relies on the surrounding safe code
>> to work properly. In the example above, safe code ensures that the raw
>> pointer `ptr` is valid. This is OK (and also very necessary), since we
>> expect people to be *aware* of the `unsafe` block and thus more
>> carefully review the changes in surrounding safe code. If you have safe
>> code that only interfaces with other safe code you don't need to be this
>> careful.
>>
>> Note that this heavily depends on where you put the API boundary. In our
>> case, we generally have this boundary: driver code <-> `kernel` crate.
>> But if your driver requires very specific helper code that does not fit
>> into the `kernel` crate, then you might also have an API boundary there.
>>
>> If it doesn't help, then it would be great to get some more detailed
>> questions which part(s) you need help with.
>>
>> ---
>> Cheers,
>> Benno
>>
>>
>
> Yes, I think this is more clear, but note that this explanation is more thorough
> than the actual example.
>
> My point being, maybe you should take some of what you just wrote and put it
> into the actual docs.

Yeah that was part of my plan :)

Thanks for taking a look.

---
Cheers,
Benno
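The situation described in the quoted explanation, where an `unsafe` block depends on an invariant that only the surrounding safe code upholds, as an added Rust example that is not part of this thread or of the `kernel` crate; the `Slot` type, its field and its methods are made up for illustration:

```rust
use core::ptr::NonNull;

/// Owns one heap-allocated `i32` through a raw pointer.
///
/// Type invariant, upheld by every *safe* method below: `ptr` always
/// points to a live `i32` that was allocated by `Box` and is owned
/// exclusively by this `Slot`. The `unsafe` blocks in `get`, `set` and
/// `drop` rely on this invariant; they are only sound because the safe
/// code around them never violates it.
pub struct Slot {
    // Private on purpose: code outside this module cannot reassign it.
    ptr: NonNull<i32>,
}

impl Slot {
    /// Safe constructor: establishes the invariant with no `unsafe` at all.
    pub fn new(value: i32) -> Self {
        Slot { ptr: NonNull::from(Box::leak(Box::new(value))) }
    }

    pub fn get(&self) -> i32 {
        // SAFETY: by the type invariant `ptr` is valid and aligned, and
        // `&self` rules out a concurrent `&mut` to the same value.
        unsafe { *self.ptr.as_ptr() }
    }

    pub fn set(&mut self, value: i32) {
        // SAFETY: as in `get`, plus `&mut self` gives exclusive access.
        unsafe { *self.ptr.as_ptr() = value }
    }

    // What soundness review has to catch: adding the following *safe*
    // function would make `get`/`set`/`drop` unsound without touching a
    // single `unsafe` block, because it lets callers break the invariant.
    //
    //     pub fn set_ptr(&mut self, p: *mut i32) { self.ptr = NonNull::new(p).unwrap(); }
}

impl Drop for Slot {
    fn drop(&mut self) {
        // SAFETY: `ptr` came from `Box::leak` in `new`, is still live by
        // the invariant, and `drop` runs exactly once, so it is freed once.
        unsafe { drop(Box::from_raw(self.ptr.as_ptr())) }
    }
}
```

The point is that the API boundary is the whole module: reviewing the `unsafe` blocks in isolation is not enough, every safe function that can reach `ptr` is part of the soundness argument.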