Why Not?

Cargo subcommand to discover why a function is unsafe.

Requires a recent enough nightly rust toolchain.

# Make sure you have the necessary components installed

$ rustup component add rustc-dev llvm-tools-preview --toolchain nightly

# Install `cargo-whynot` with the nightly toolchain

$ cargo +nightly install cargo-whynot

# Invoke the tool!

$ cargo whynot safe foo

What is unsafety?

Nomicon definition

• Dereference raw pointers
• Call unsafe functions (including C functions, compiler intrinsics, and the raw allocator)
• Implement unsafe traits
• Mutate statics
• Access fields of unions

Why this tool?

Because it's a fun experiment, hooking into rustc to query the drivers. You should not use this tool because unsafe code is generally bad (it's not), but you can use it to figure out if there is an opportunity to make a function "safe".

Examples

With the following code

pub use unsafe_mod::unsafety;

pub unsafe fn foo() {
    let a = unsafety();
    eprintln!("a: {}", a);
}

pub mod unsafe_mod {
    pub unsafe fn unsafety() -> u32 {
        let mut a = 1;
        let a = std::ptr::addr_of_mut!(a);
        // this is the unsafe part
        let b = *a;
        b
    }
}

cargo whynot safe foo

will report

note: Function is unsafe
  ┌─ src/lib.rs:3:1
  │
3 │ pub unsafe fn foo() {
  │ ^^^^^^^^^^^^^^^^^^^ function is unsafe because:
4 │     let a = unsafety();
  │             ---------- call to unsafe function `unsafe_mod::unsafety`

help:
   ┌─ src/lib.rs:9:5
   │
 9 │     pub unsafe fn unsafety() -> u32 {
   │     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ function is unsafe because:
   ·
13 │         let b = *a;
   │                 ^^ dereference of raw pointer
   │
   = this function does a fundamentally unsafe operation

License