rustdoc: Prototype implement RFC 3842 with safety::requires attribute #155201

Open
yilin0518 wants to merge 1 commit into rust-lang:main from safer-rust:safety-tags-macro

@yilin0518

Hi! I am a member of safer-rust, a group working toward safer patterns around unsafe Rust. In July 2025, we opened RFC 3842, which explores tagging public unsafe APIs with safety tags and the #[safety] attribute.

To help move that discussion forward with something concrete, this PR adds a prototype of one piece of that direction, applied in a way that already works with the standard library today. For now, we implement the inert #[safety::requires(...)] attribute and a rustdoc pipeline that turns it into user-visible documentation before intra-doc links are resolved.

Concretely, the PR adds:

  • an unstable rustdoc flag --safety-spec PATH, pointing at a small TOML file (package.name + [tag.*] templates with {placeholder} substitution);
  • a new default pass inject-safety-docs, which reads #[safety::requires] on items (e.g. Tag(args…) expanded from TOML, or Tag = "…" for per-site text, including tags that appear in TOML and not in the TOML), and merges the generated Markdown into the item docs (typically under # Safety);
  • In the #[safety::requires] attribute, we can use two forms: #[safety::requires(Tag(arg1, arg2, ...))] or #[safety::requires(Tag="description")]. The former requires that the Tag come from the TOML. The latter can use a customized Tag name and uses the description as its content. Also, #[safety::requires(Tag="description")] transforms snake_case when the Tag doesn't exist in the TOML, replacing all underscores (_) with spaces and capitalizing the first letter.
  • #![register_tool(safety)] in core, so we can add #[safety::requires] attributes in core and they can be processed by rustdoc.
  • bootstrap wiring so x.py doc library/... can pass a default spec path, while still allowing RUSTDOCFLAGS to override --safety-spec without duplicating the flag.

As an experimental tool, we performed tests in core. We only modified one function (core::ptr::read_unaligned), adding the corresponding #[safety::requires] attribute and removing the original safety contract. By using ./x.py doc library/core --stage 1, we can generate the same safety description.

Several days ago, we opened a Zulip chat. Because this touches rustdoc (new unstable flag, default pass ordering, and doc merging) and core (tool registration for inert attributes), we would really appreciate any feedback from the Rust community. It would help us adjust the prototype and refocus the RFC discussion.
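The two attribute forms described in the post above, modelled as an added example; this is not code from the PR or from rustdoc. The in-memory spec, the per-tag parameter list with positional binding, the `* name: text` output shape, and the `ValidPtr` tag are all constructed assumptions, since the post does not show the TOML schema.

```rust
use std::collections::HashMap;

// Hypothetical model of one [tag.*] entry: placeholder names plus template text.
struct TagTemplate {
    params: Vec<&'static str>,
    text: &'static str,
}

enum Requires<'a> {
    Call { tag: &'a str, args: Vec<&'a str> }, // Tag(arg1, arg2, ...)
    Text { tag: &'a str, desc: &'a str },      // Tag = "description"
}

// snake_case -> "Snake case": underscores become spaces, first letter capitalized.
fn humanize(tag: &str) -> String {
    let spaced = tag.replace('_', " ");
    let mut chars = spaced.chars();
    match chars.next() {
        Some(first) => first.to_uppercase().chain(chars).collect(),
        None => String::new(),
    }
}

fn render(spec: &HashMap<&str, TagTemplate>, req: &Requires) -> Result<String, String> {
    match req {
        // Call form: the tag must exist in the spec (assumed: arity must match too).
        Requires::Call { tag, args } => {
            let tpl = spec.get(tag).ok_or_else(|| format!("unknown tag `{tag}`"))?;
            if tpl.params.len() != args.len() {
                return Err(format!("`{tag}` expects {} args", tpl.params.len()));
            }
            let mut out = tpl.text.to_string();
            for (p, a) in tpl.params.iter().zip(args) {
                out = out.replace(&format!("{{{p}}}"), a);
            }
            Ok(format!("* {tag}: {out}"))
        }
        // Text form: per-site description; names not in the spec are humanized.
        Requires::Text { tag, desc } => {
            let name = if spec.contains_key(tag) { tag.to_string() } else { humanize(tag) };
            Ok(format!("* {name}: {desc}"))
        }
    }
}

fn main() {
    let tpl = TagTemplate { params: vec!["ptr", "ty"], text: "`{ptr}` must be valid for reads of `{ty}`." };
    let spec = HashMap::from([("ValidPtr", tpl)]); // constructed sample spec
    let req = Requires::Call { tag: "ValidPtr", args: vec!["src", "T"] };
    println!("{}", render(&spec, &req).unwrap());
}
```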

@rustbot rustbot added S-waiting-on-author Status: This is awaiting some action (such as code changes or more information) from the author. T-bootstrap Relevant to the bootstrap subteam: Rust's build system (x.py and src/bootstrap) T-libs Relevant to the library team, which will review and decide on the PR/issue. T-rustdoc Relevant to the rustdoc team, which will review and decide on the PR/issue. labels Apr 12, 2026
@yilin0518 yilin0518 force-pushed the safety-tags-macro branch 2 times, most recently from 64eea17 to f17a926 Compare April 13, 2026 06:46
@rustbot rustbot added the A-run-make Area: port run-make Makefiles to rmake.rs label Apr 13, 2026
* Support "#[safety::requires()]" attribute for documentation injection.
* Support "{Tag}={description}" format with customized tags.
* Prototype implementation of Safety contract insertion.
@yilin0518 yilin0518 marked this pull request as ready for review April 14, 2026 05:12
@rustbot
Collaborator

rustbot commented Apr 14, 2026

These commits modify the Cargo.lock file. Unintentional changes to Cargo.lock can be introduced when switching branches and rebasing PRs.

If this was unintentional then you should revert the changes before this PR is merged.
Otherwise, you can ignore this comment.

@rustbot rustbot added S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. and removed S-waiting-on-author Status: This is awaiting some action (such as code changes or more information) from the author. labels Apr 14, 2026
@rustbot
Collaborator

rustbot commented Apr 14, 2026

r? @notriddle

rustbot has assigned @notriddle.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

Why was this reviewer chosen?

The reviewer was selected based on:

  • Owners of files modified in this PR: rustdoc
  • rustdoc expanded to 9 candidates
  • Random selection from GuillaumeGomez, fmease, lolbinarycat, notriddle
