@@ -43,14 +43,19 @@ proof *obligation*: The programmer has to ensure that this code is actually safe
4343to execute in the current context, because the compiler just trusts the
4444programmer to get this right. In contrast, ` unsafe fn ` represents an
4545* assumption* : As the author of this function, I make some assumptions that I
46- expect my callees to uphold. Making ` unsafe fn ` also implicitly play the role
47- of an ` unsafe ` block conflates these two dual aspects of unsafety (one party
48- making an assumption, another party having the obligation to prove that
49- assumption). There is no reason to believe that the assumption made by the
50- ` unsafe fn ` is the same as the obligation incurred by unsafe operations inside
51- this function, and hence the author of the ` unsafe fn ` should better carefully
52- check that their assumptions are sufficient to justify the unsafe operations
53- they are performing. This is what an ` unsafe ` block would indicate.
46+ expect my callees to uphold. (In terms of
47+ [ introduction and elimination forms of natural deduction] ( https://en.wikipedia.org/wiki/Natural_deduction#Introduction_and_elimination ) ,
48+ ` unsafe ` blocks are where you introduce, and ` unsafe fn ` is where you
49+ eliminate.)
50+
51+ Making ` unsafe fn ` also implicitly play the role of an ` unsafe ` block conflates
52+ these two dual aspects of unsafety (one party making an assumption, another
53+ party having the obligation to prove that assumption). There is no reason to
54+ believe that the assumption made by the ` unsafe fn ` is the same as the
55+ obligation incurred by unsafe operations inside this function, and hence the
56+ author of the ` unsafe fn ` should better carefully check that their assumptions
57+ are sufficient to justify the unsafe operations they are performing. This is
58+ what an ` unsafe ` block would indicate.
5459
5560# Guide-level explanation
5661[ guide-level-explanation ] : #guide-level-explanation
0 commit comments