Cleanup

Author: peter-lyons-kehl

README.md

@@ -458,6 +458,13 @@ stable version (available for your Rust) automatically.
 This is special only to `0.*` - it is **not** possible to have a wildcard matching various **major**
 versions `1.0` or higher.
 
+## Procedural macros with side effects
+Several `prudent` macros duplicate their expression "parameter". In the generated Rust code the parameter expression is evaluated only once, but it's present in the code twice - once in an inactive `if false {...}` branch for verification, and once in the following active `else {...}` branch.
+
+That is OK with macros by example (defined with `macro_rules!`), and OK with any well-behaving
+procedural macros. However, if you pass in an expression that invokes a procedural macro that has
+side effects or state, it's your problem. Such a macro contradicts Rust guidelines.
+
 # Quality assurance
 
 Checks and tests are run by [GitHub Actions]. See

src/lib.rs

@@ -1,9 +1,4 @@
 #![doc = include_str!("../README.md")]
-// @TODO nightly?
-//
-// https://github.com/rust-lang/rust/issues/143874
-//
-// #![feature(const_trait_impl)]
 #![cfg_attr(not(any(doc, test)), no_std)]
 // This only refuses unsafe code in functions/expressions in this crate, but it ignores any unsafe
 // code generated by this crate's macros. (https://github.com/rust-lang/nomicon/issues/506)
@@ -53,91 +48,16 @@
 #[cfg(doc)]
 extern crate alloc;
 
-// Implementation notes ARE a part of the documentation:
-// - Otherwise it's a pain to edit them.
-// - Users deserve documentation of how a macro works, because
-//   - macros are much more difficult to read than Rust non-macro code, and
-//   - macros inject code evaluated as if written by the user, so potential for a security problem,
-//     even without any `unsafe` code.
-//
-/// Invoke an `unsafe` function.
+/// Invoke an `unsafe` function, but isolate `unsafe {...}` only for the function invocation itself.
+/// - `If $fn`, that is, the function itself, is NOT given as an identifier/qualified path, but it's
+///   given as an expression, then this expression is treated as if evaluated **outside** `unsafe
+///   {...}`.
+/// - Any arguments passed in as expressions are treated as if evaluated **outside** `unsafe {...}`.
 ///
 /// There is **no** extra enclosing pair of parenthesis `(...)` around the list of arguments (if
 /// any). If there was such a pair, it could be confused for a tuple. It would also be less readable
 /// when some parameters were tuples/complex expressions.
 ///
-/// Implementation notes
-///
-/// We want to accept any valid expressions for function parameters. But we don't want them to
-/// evaluate inside `unsafe {...}` block that calls the given `unsafe` function. That could "hide"
-/// other `unsafe` code (in expressions passed as parameters). So, we assign the given expressions
-/// (for parameters) to local variables first, before `unsafe{...}`.
-///
-/// However, that is a challenge with `macro_rules!`:
-/// - variable number of parameters => we store them in a tuple; but
-/// - storing them in an ordinary "flat" tuple would involve index numbers 0, 1, 2... That is
-///   difficult to generate with `macro_rules!` so that the generated numbers are literals:
-///   - It is possible for `macro_rules!` to generate integer **expressions**, but even that is
-///     [tricky](https://lukaswirth.dev/tlborm/decl-macros/building-blocks/counting.html).
-///   - Even if we generated integer expressions, we can't use them to access tuple fields. Instead,
-///     tuple access works with integer literals only.
-///
-/// Solution: A "tuple tree". It's an unbalanced binary tree. See it expanded:
-/// - [simple_examples/fn_add_three/src/main.rs](https://github.com/peter-lyons-kehl/prudent/blob/main/simple_examples/fn_add_three/src/main.rs)
-/// - `cd simple_examples/fn_add_three`
-/// - `cargo expand`
-///
-/// // @TODO update/remove - replace with links to the stored output of `cargo expand`
-/// ```rust
-/// # use prudent::unsafe_fn;
-/// unsafe fn add_three(left: u64, middle: u64, right: u64) -> u64 {
-///     left + middle + right
-/// }
-/// unsafe_fn!(add_three, 1, 2, 3);
-/// ```
-/// expands to:
-/// ```rust
-/// # unsafe fn add_three(left: u64, middle: u64, right: u64) -> u64 {
-/// #     left + middle + right
-/// # }
-/// // ...
-/// {
-///     let (tuple, fun) = ( (1, (2, (3,))), add_three );
-///     #[allow(unsafe_code)]
-///     unsafe {
-///         fun(tuple.0, tuple.1 .0, tuple.1 .1 .0)
-///     }
-/// };
-/// ```
-/// and
-/// [simple_examples/fn_add_four/src/main.rs](https://github.com/peter-lyons-kehl/prudent/blob/main/simple_examples/fn_add_four/src/main.rs):
-/// ```rust
-/// # use prudent::unsafe_fn;
-/// unsafe fn add_four(left: u64, middle_left:u64, middle_right:u64, right: u64) -> u64 {
-///     left + middle_left + middle_right + right
-/// }
-/// unsafe_fn!(add_four, 1, 2, 3, 4);
-/// ```
-/// expands to:
-/// ```rust
-/// # unsafe fn add_four(left: u64, middle_left: u64, middle_right: u64, right: u64) -> u64 {
-/// #     left + middle_left + middle_right + right
-/// # }
-/// // ...
-/// {
-///     let (tuple_tree, fun) = ( (1, (2, (3, (4,)))), add_four );
-///     #[allow(unsafe_code)]
-///     unsafe {
-///         fun(
-///             tuple_tree.0,
-///             tuple_tree.1 .0,
-///             tuple_tree.1 .1 .0,
-///             tuple_tree.1 .1 .1 .0,
-///         )
-///     }
-/// };
-/// ```
-///
 ///  @TODO replace with examples/ :
 /// ```
 #[doc = include_str!("../simple_examples/fn_add_three/src/main.rs")]
@@ -164,7 +84,7 @@ macro_rules! unsafe_fn {
 
 /// Invoke an `unsafe` method. Like [unsafe_fn], but
 /// - This accepts a receiver `&self`, `&mut self` and `self`. TODO Box/Rc/Arc, dyn?
-/// - This treats `self` as if in an `unsafe {...}` block.
+/// - This treats `self` as if it were evaluated **outside** the `unsafe {...}` block.
 /// - $fn can **NOT** be an expression or a qualified path (which doesn't work in standard methods
 ///   calls anyways), but only an identifier.
 #[macro_export]
@@ -186,7 +106,8 @@ macro_rules! unsafe_method {
 }
 //-------------
 
-/// Set a value of a `static mut` variable or its (sub...-)field.
+/// Set a value of a `static mut` variable or its (sub...-)field, but isolate `unsafe {...}` only to
+/// that assignment.
 ///
 /// To minimize unintended `unsafe`, calculate any indexes etc. beforehand, store them in local
 /// variables and pass them in.
@@ -196,29 +117,31 @@ macro_rules! unsafe_method {
 #[macro_export]
 macro_rules! unsafe_static_set {
     ($static:expr, $val:expr) => {{
-        let val = $val;
-        #[allow(unsafe_code)]
-        unsafe {
-            $static = val;
+        if false {
+            let _ = $val;
+            unreachable!()
+        } else {
+            #[allow(unsafe_code)]
+            unsafe {
+                $static = $val;
+            }
         }
     }};
 }
 
 /// Deref a pointer (either `const` or `mut`) and yield a read-only reference.
 ///
-/// If `$type` is given, it's expected to be the referenced type (NOT the given pointer, NOT the
-/// target reference type) and the given pointer is cast to `* const $type`. `$type` may start with
-/// `dyn`. `$type` may be a slice `[...]`.
+/// If `$type` is given, it's expected to be the referenced type (NOT the given pointer, NOT a
+/// reference based on the given pointer), and the given pointer is cast to `* const $type`. `$type`
+/// may start with `dyn`. `$type` may be a slice `[...]`.
 #[macro_export]
 macro_rules! unsafe_ref {
     ($ptr:expr) => {{
-        let ptr = $ptr;
-        let _: *const _ = ptr; // Partial type check that $ptr yields a const pointer
+        let ptr: *const _ = $ptr;
         unsafe { &*ptr }
     }};
     ($ptr:expr, $lifetime:lifetime) => {{
-        let ptr = $ptr;
-        let _: *const _ = ptr; // Partial type check that $ptr yields a const pointer
+        let ptr: *const _ = $ptr;
         unsafe { &*ptr as &$lifetime _ }
     }};
     ($ptr:expr, $type:ty) => {{
@@ -241,25 +164,21 @@ macro_rules! unsafe_ref {
 #[macro_export]
 macro_rules! unsafe_mut {
     ($ptr:expr) => {{
-        let ptr = $ptr;
-        let _: *mut _ = ptr; // Partial type check that $ptr yields a mut pointer
+        let ptr: *mut _ = $ptr;
         unsafe { &mut *ptr }
     }};
     ($ptr:expr, $lifetime:lifetime) => {{
-        let ptr = $ptr;
-        let _: *mut _ = ptr; // Partial type check that $ptr yields a mut pointer
+        let ptr: *mut _ = $ptr;
         unsafe { &mut *ptr as &$lifetime mut _}
     }};
     ($ptr:expr, $ptr_type:ty) => {{
         let ptr = $ptr;
         let ptr = ptr as *mut $ptr_type;
-        // let _: *mut _ = ptr; // Partial type check that $ptr yields a mut pointer
         unsafe { &mut *ptr}
     }};
     ($ptr:expr, $ptr_type:ty, $lifetime:lifetime) => {{
         let ptr = $ptr;
         let ptr = ptr as *mut $ptr_type;
-        //let _: *mut _ = ptr; // Partial type check that $ptr yields a mut pointer
         unsafe { &mut *ptr as &$lifetime mut _}
     }};
 }
@@ -274,15 +193,13 @@ pub const fn expect_copy_ptr<T: Copy>(_: *const T) {}
 #[macro_export]
 macro_rules! unsafe_val {
     ($ptr:expr) => {{
-        let ptr = $ptr;
-        let _: *const _ = ptr; // Partial type check that $ptr yields a const pointer
+        let ptr: *const _ = $ptr;
         $crate::expect_copy_ptr(ptr);
         unsafe { *ptr }
     }};
     ($ptr:expr, $ptr_type:ty) => {{
         let ptr = $ptr;
         let ptr = ptr as *const $ptr_type;
-        let _: *const _ = ptr; // Partial type check that $ptr yields a const pointer
         $crate::expect_copy_ptr(ptr);
         unsafe { *ptr }
     }};
@@ -319,11 +236,15 @@ macro_rules! unsafe_use {
 #[macro_export]
 macro_rules! unsafe_set {
     ($ptr:expr, $value:expr) => {{
-        let (ptr, value) = ($ptr, $value);
-        let _: *mut _ = ptr; // Partial type check that $ptr yields a mut pointer
-        #[allow(unsafe_code)]
-        unsafe {
-            *ptr = value;
+        if false {
+            let _: *mut _ = $ptr;
+            let _ = $value;
+            unreachable!()
+        } else {
+            #[allow(unsafe_code)]
+            unsafe {
+                *$ptr = $value;
+            }
         }
     }};
 }