# Reduce unsafe code and detect soundness bugs with equivalence checks against safe code

For discussions on this idea see the RFC on the [Rust Internals forum](https://internals.rust-lang.org/t/rfc-use-cfg-reduce-unsafe-to-signal-preference-of-safe-code-over-performance/11648) and [Rust Secure Code Working Group](https://github.com/rust-secure-code/wg/issues/35).

To indicate preference of safety over performance: add `--cfg reduce_unsafe` to your `RUSTFLAGS`.

`reduce_unsafe::unchecked!` runs the unsafe code unless the `--cfg reduce_unsafe` flag is present.

`reduce_unsafe::checked!` uses `debug_assertions` to decide between `reduce_unsafe::unchecked!` and running both branches and panics if they diverge.

If you have unsafe code which you believe is sound which could be implemented (slower) with safe code, consider using the `reduce_unsafe::checked!` or `reduce_unsafe::unchecked!` macros or `#[cfg(reduce_unsafe)]` attribute.

```rust
let my_str = unsafe {
    str::from_utf8_unchecked(bytes)
};
```

becomes

```rust
let my_str = reduce_unsafe::checked!(
    unsafe { str::from_utf8_unchecked(bytes) },
    str::from_utf8(bytes).expect("BUG: unsound unsafe code detected")
);
```

or if the returned type does not implement `PartialEq` or there are visible side effects

```rust
let my_str = reduce_unsafe::unchecked!(
    unsafe { str::from_utf8_unchecked(bytes) },
    str::from_utf8(bytes).expect("BUG: unsound unsafe code detected")
);
```