by queejjd 185 days ago
Two questions:

Why did the fix to this unsafe memory safety bug [0] consist only of changes to code outside of unsafe Rust blocks? [1][2]

Why does the Rustonomicon[3] say the following?

> This code is 100% Safe Rust but it is also completely unsound. Changing the capacity violates the invariants of Vec (that cap reflects the allocated space in the Vec). This is not something the rest of Vec can guard against. It has to trust the capacity field because there's no way to verify it.

> Because it relies on invariants of a struct field, this unsafe code does more than pollute a whole function: it pollutes a whole module. Generally, the only bullet-proof way to limit the scope of unsafe code is at the module boundary with privacy.

[0] https://social.kernel.org/notice/B1JLrtkxEBazCPQHDM

[1] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux...

[2] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux...

[3] https://doc.rust-lang.org/nomicon/working-with-unsafe.html
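To make the quoted Rustonomicon point concrete, here is an added example (not code from the post, the linked kernel commits, or the Rustonomicon) using a hypothetical `bounded::Stack` type. Its single `unsafe` block is sound only because the private `len` field is kept at or below `CAP` by the safe methods in the same module; the Vec `cap` case quoted above is the same shape.

```rust
// Added example, not code from the linked post or the Rustonomicon: a tiny
// fixed-capacity stack whose single `unsafe` block trusts an invariant
// (`len <= CAP`) that only the *safe* code in this module maintains.
pub mod bounded {
    pub const CAP: usize = 4;
    pub struct Stack {
        // Private fields: every write goes through the methods below,
        // which keep `len <= CAP`. A `pub len` would let safe code in
        // any other module break that and make `get` read out of bounds.
        buf: [u32; CAP],
        len: usize,
    }
    impl Stack {
        pub fn new() -> Self {
            Stack { buf: [0; CAP], len: 0 }
        }
        pub fn len(&self) -> usize {
            self.len
        }
        /// Safe API: refuses to grow past CAP, so the invariant holds.
        pub fn push(&mut self, v: u32) -> Result<(), u32> {
            if self.len == CAP {
                return Err(v);
            }
            self.buf[self.len] = v;
            self.len += 1;
            Ok(())
        }
        pub fn pop(&mut self) -> Option<u32> {
            if self.len == 0 {
                return None;
            }
            self.len -= 1;
            Some(self.buf[self.len])
        }
        /// The only unsafe block in the module. `get_unchecked` is sound
        /// because `i < len` (checked here) and `len <= CAP` (kept by
        /// push/pop plus field privacy) together give `i < CAP`.
        pub fn get(&self, i: usize) -> Option<u32> {
            if i >= self.len {
                return None;
            }
            // SAFETY: i < self.len <= CAP, see the module invariant above.
            Some(unsafe { *self.buf.get_unchecked(i) })
        }
    }
}
```

Because `len` is private, a fix for a bug in this invariant can land entirely in the safe `push`/`pop` code, which is why a memory-safety fix can touch no `unsafe` block at all.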