From: clubley@remove_me.eisner.decus.org-Earth.UFP   
      
   On 2025-11-15, Dan Cross  wrote:   
   > In article <10f4oi1$25lkk$2@dont-email.me>,   
   > Simon Clubley   wrote:   
   >>   
   >>The unsafe keyword is a hack implemented in languages that have not been   
   >>designed correctly.   
   >   
   > Wait, Simon, tell me how you really feel.   
   >   
      
   Well, Simon is known to have opinions. :-)   
      
   >>The Ada approach, of disabling checks on a specific   
   >>reference to a variable instead of disabling checks within a whole block   
   >>of code, is far superior.   
   >   
   > It's unclear to me how this is materially different.   
   >   
   > In Rust, blocks return the value of the last expression they   
   > contain, so an `unsafe` block may refer to a single expression.   
   > However, I disagree with the above in the sense that the ability   
   > to introduce scope when doing something `unsafe` can be   
   > incredibly useful.  But what if the expression is really a   
   > statement?   
   >   
   > For example:   
   >   
   > ```rust   
   > 	unsafe {   
   > 	    use core::intrinsics::volatile_copy_memory;   
   > 	    let src = entry.virt_page_addr() as *const arch::Page;   
   > 	    volatile_copy_memory(page, src, 1);   
   > 	}   
   > ```   
      
   And that is exactly the kind of thing I am talking about. :-)   
      
   Of those three statements, only the last one appears to be the unsafe one.   
      
   It is also the kind of thing I was reacting to when I saw Arne's   
   example and went YUCK!, YUCK!, YUCK! :-)   
      
   >   
   > There's no need to leak the existence of `src` or that one is   
   > using the volatile memcpy intrinsic here.  I suppose could could   
   > also write this as,   
   >   
      
   If that is important, I would have placed the whole sequence inside a   
   local block as you do below.   
      
   > ```rust   
   > 	{   
   > 	    use core::intrinsics::volatile_copy_memory;   
   > 	    let src = entry.virt_page_addr() as *const arch::Page;   
   > 	    unsafe {   
   > 		volatile_copy_memory(page, src, 1);   
   > 	    }   
   > 	}   
   > ```   
      
   And this example is much closer to the Ada way. Related statements still   
   get checked and only one specific statement, the actual statement that is   
   unsafe, has checks disabled.   
      
   >   
   > etc.   
   >   
   >   
   >>For example, this is how you do an unsafe conversion in Ada:   
   >>   
   >>https://adaic.org/resources/add_content/docs/95style/html/sec_5/5-9-1.html   
   >   
   > This example seems equivalent to an `unsafe fn` in Rust.  An   
   > unsafe conversion of this nature might use `std::mem::transmute`   
   > in that world.   
   >   
      
   The Ada example localises the unsafe bit down to a specific operation   
   within a statement, not a full statement, and certainly not a full function.   
      
   Simon.   
      
   --   
   Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP   
   Walking destinations on a map are further away than they appear.   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)