@rfcbot fcp merge

Team member @withoutboats has proposed to merge this. The next step is review by the rest of the tagged team members:

• [x] @Centril
• [x] @cramertj
• [x] @eddyb
• [x] @joshtriplett
• [x] @nikomatsakis
• [ ] @pnkfelix
• [x] @scottmcm
• [x] @withoutboats

Concerns:

• implementation-work-blocking-stabilization resolved by https://github.com/rust-lang/rust/issues/62149#issuecomment-517418610

Once a majority of reviewers approve (and at most 2 approvals are outstanding), this will enter its final comment period. If you spot a major issue that hasn't been raised at any point in this process, please speak up!

See this document for info about what commands tagged team members can give me.

(Just registering the existing blockers in the report above to make sure they don't slip)

@rfcbot concern implementation-work-blocking-stabilization

Team member ... has proposed to merge this

How can one merge a Github issue (not a pull request)?

@vi The bot is just a bit daft and doesn't check whether it's an issue or PR :) You can replace "merge" with "accept" here.

Wow, thank you for the comprehensive summary! I've only been following tangentially, but am completely confident you're on top of everything.

@rfcbot reviewed

Could it be possible to explicitly add “Triage AsyncAwait-Unclear issues” to the stabilization blockers (and/or register a concern for that)?

I've got https://github.com/rust-lang/rust/issues/60414 that I think is important (obviously, it's my bug :p), and would like to at least have it explicitly deferred before stabilization :)

I'd just like to express the community thanks for the effort the Rust teams have put into this feature! There's been a lot of design, discussion, and a few breakdowns in communication, but at least I, and hopefully many others, feel confident that through it all we've found the best solution possible for Rust. :tada:

(That said, I'd like to see a mention of the problems with bridging to completion-based and async-cancellation system APIs in future possibilities. TL;DR they still have to pass around owned buffers. It's a library issue, but one with mentioning.)

I also would like to see a mention of problems with completion-based APIs. (see this internals thread for context) Considering IOCP and introduction of io_uring, which may become The Way for async IO on Linux, I think it's important to have a clear way forward for handling them. IIUC hypothetical async drop ideas can not be implemented safely, and passing owned buffers will be less convenient and potentially less performant (e.g. due to a worse locality or due to additional copies).

@newpavlov I've implemented similar things for Fuchsia, and it is entirely possible to do with out async drop. There are a few different routes to doing this, such as using resource pooling where acquiring a resource potentially has to wait for some cleanup work to finish on old resources. The current futures API can and has been used to solve these problems effectively in production systems.

However, this issue is about the stabilization of async/await, which is orthogonal to the futures API design, which has already stabilized. Feel free to ask further questions or open an issue for discussion on the futures-rs repo.

@Ekleog

Could it be possible to explicitly add “Triage AsyncAwait-Unclear issues” to the stabilization blockers (and/or register a concern for that)?

Yup, that's something we've been doing every week. WRT that specific issue (#60414), I believe it's important and would love to see it fixed, but we haven't yet been able to decide whether or not it should block stabilization, especially since it's already observable in -> impl Trait functions.

@cramertj Thank you! I think #60414 's issue is basically “the error can arise really quickly now”, while with -> impl Trait it looks like no one had even noticed it before -- then it's alright if it gets deferred anyway, some issues will have to :) (FWIW it arose in natural code in a function where I return both () at a place and T::Assoc at another, which IIRC made me unable to get it to compile -- haven't checked the code since opening #60414, though, so maybe my recollection is wrong)

@Ekleog Yeah that makes sense! I can definitely see why it'd be a pain-- I've created a zulip stream to dive more into that specific issue.

EDIT: never mind, I missed the 1.38 target.

@cramertj

There are a few different routes to doing this, such as using resource pooling where acquiring a resource potentially has to wait for some cleanup work to finish on old resources.

Aren't they less efficient compared to keeping buffers as part of future state? My main concern is that current design will not be a zero-cost (in a sense that you will be able create a more efficient code by dropping async abstraction) and less ergonomic on completion-based APIs, and there is no clear way for fixing it. It's not a show-stopper by any means, but I think it's important to not forget about such deficiencies in design, thus the request to mention it in OP.

@theduke

The lang team can of course judge this better than me, but delaying to 1.38 to ensure a stable implementation would seem much more sensible.

This issue targets 1.38, see first line of description.

@huxi thanks, I missed that. Edited my comment.

@newpavlov

Aren't they less efficient compared to keeping buffers as part of future state? My main concern is that current design will not be a zero-cost (in a sense that you will be able create a more efficient code by dropping async abstraction) and less ergonomic on completion-based APIs, and there is no clear way for fixing it. It's not a show-stopper by any means, but I think it's important to not forget about such deficiencies in design, thus the request to mention it in OP.

No, not necessarily, but let's move this discussion to an issue on a separate thread, since it's unrelated to the stabilization of async/await.

(That said, I'd like to see a mention of the problems with bridging to completion-based and async-cancellation system APIs in future possibilities. TL;DR they still have to pass around owned buffers. It's a library issue, but one with mentioning.)

I also would like to see a mention of problems with completion-based APIs. (see this internals thread for context) Considering IOCP and introduction of io_uring, which may become The Way for async IO on Linux, I think it's important to have a clear way forward for handling them.

I agree with Taylor that discussing API designs in this problem space would be off topic, but I do want to address one specific aspect of these comments (and this discussion around io_uring in general) that is relevant to async/await stabilization: the problem of timing.

io_uring is an interface that is coming to Linux this year, 2019. The Rust project has been working on the futures abstraction since 2015, four years ago. The fundamental choice to favor a poll based over a completion based API occurred during 2015 and 2016. At RustCamp in 2015, Carl Lerche talked about why he made that choice in mio, the underlying IO abstraction. In this blog post in 2016, Aaron Turon talked about the benefits for creating higher level abstractions. These decisions were made a long time ago and we could not have gotten to the point we are now without them.

Suggestions that we should revisit our underlying futures model are suggestions that we should revert back to the state we were in 3 or 4 years ago, and start over from that point. What kind of abstraction could cover a completion-based IO model without introducing overhead for higher level primitives, like Aaron described? How will we map that model to a syntax that lets users write "normal Rust + minor annotations" the way async/await does? How will we be able to handle integrating that into our memory model, as we've done for these state machines with pin? Trying to provide answers to these questions would be off-topic for this thread; the point is that answering them, and proving the answers correct, is work. What amounts to a solid decade of labor-years between the different contributors so far would have to be redone again.

The goal of Rust is to ship a product that people can use, and that means we have to ship. We can't always be stopping to look into the future at what may become a big deal next year, and restarting our design process to incorporate that. We do the best we can based on the situation we find ourselves in. Obviously it can be frustrating to feel like we barely missed a big thing, but as it stands we don't have a full view either a) of what the best outcome for handling io_uring will be, b) how important io_uring will be in the ecosystem as a whole. We can't revert 4 years of work based on this.

There are already similar, probably even more serious, limitations of Rust in other spaces. I want to highlight one I looked at with Nick Fitzgerald last fall: wasm GC integration. The plan for handling managed objects in wasm is to essentially segment the memory space, so that they exist in a separate address space from unmanaged objects (indeed, someday in many separate address spaces). Rust's memory model is simply not designed to handle separate address spaces, and any unsafe code that deals with heap memory today assumes there is only 1 address space. While we've sketched out both breaking and technically-nonbreaking-but-extremely-disruptive technical solutions, the most likely path forward is to accept that our wasm GC story may not be perfectly optimal, because we are dealing with the limitations of Rust as it exists.

An interesting aspect that we are stabilizing here is that we are making self-referential structs available from safe code. What makes this interesting is that in a Pin<&mut SelfReferentialGenerator>, we have a mutable reference (stored as a field in the Pin) pointing to the entire generator state, and we have a pointer inside that state pointing to another piece of the state. That inner pointer aliases with the mutable reference!

The mutable reference, to my knowledge, does not get used to actually access the part of the memory that the pointer-to-another-field points so. (In particular, there is no clone method or so that would read the pointer-to field using any other pointer than the self-referential one.) Still, this is getting way closer to having a mutable reference alias with something than anything else in the core ecosystem, in particular anything else that ships with rustc itself. The "line" we are riding here is getting very thin, and we have to be careful not to lose all these nice optimizations that we want to do based on mutable references.

There's probably little we can do about that at this point, in particular since Pin is already stable, but I feel it is worth pointing out that this will significantly complicate whatever the rules end up being for which aliasing is allowed and which is not. If you thought Stacked Borrows was complicated, prepare for things getting worse.

Cc https://github.com/rust-lang/unsafe-code-guidelines/issues/148

The mutable reference, to my knowledge, does not get used to actually access the part of the memory that the pointer-to-another-field points so.

People have talked about making all of these coroutine types implement Debug, it sounds like that conversation should also integrate unsafe code guidelines to be sure what its safe to debug print.

People have talked about making all of these coroutine types implement Debug, it sounds like that conversation should also integrate unsafe code guidelines to be sure what its safe to debug print.

Indeed. Such a Debug implementation, if it prints the self-referenced fields, would likely prohibit MIR-level reference-based optimizations inside generators.

Update regarding blockers:

The two high level blockers have both made great progress and might actually both be finished (?). More info from @cramertj @tmandry and @nikomatsakis about this would be great:

• The multiple lifetimes issue should have been fixed by #61775
• The size issue is more ambiguous; there will always be more optimizations to do, but I think the low hanging fruit of avoiding obvious exponential increase footguns has mostly been resolved?

This leaves documentation and testing as the major blockers on stabilizing this feature. @Centril has consistently expressed concerns that the feature is not well tested or polished enough; @Centril is there anywhere you have enumerated specific concerns that can be checked off to drive this feature to stabilization?

I'm not sure if anyone is driving documentation. Anyone who wants to focus on improving the in-tree documentation in the book, reference, etc would be doing a great service! Out of tree documentation like in the futures repo or areweasyncyet has a bit of extra time.

As of today we have 6 weeks until the beta is cut, so let's say we have 4 weeks (until August 1) to get these things done to be confident we won't slip 1.38.

The size issue is more ambiguous; there will always be more optimizations to do, but I think the low hanging fruit of avoiding obvious exponential increase footguns has mostly been resolved?

I believe so, and some others were also closed recently; but there are other blocking issues.

@Centril is there anywhere you have enumerated specific concerns that can be checked off to drive this feature to stabilization?

There's a dropbox paper with a list of things we wanted to be tested and there's https://github.com/rust-lang/rust/issues/62121. Other than that I'll try to re-review the areas I think are under-tested ASAP. That said, some areas are now pretty well tested.

Anyone who wants to focus on improving the in-tree documentation in the book, reference, etc would be doing a great service!

Indeed; I would be happy to review PRs to the reference. Also cc @ehuss.

I would also like to move async unsafe fn out of the MVP into its own feature gate because I think a) it has seen little use, b) it is not particularly well tested, c) it ostensibly behaves weirdly because the .await point is not where you write unsafe { ... } and this is understandable from "leaky implementation POV" but not so much from an effects POV, d) it has seen little discussion and was not included in the RFC nor this report, and e) we did this with const fn and it worked fine. (I can write up the feature gating PR)

I am fine with destabilizing async unsafe fn, though I am skeptical of us winding up with a different design than the present one. But it seems wise to give us time to figure that out!

I created https://github.com/rust-lang/rust/issues/62500 for moving async unsafe fn to a distinct feature gate and listed it as a blocker. We should probably create a proper tracking issue as well, I guess.

I'm strongly skeptical that we'll reach a different design for async unsafe fn and am surprised by the decision to not include it in the initial round of stabilization. I have written a number of async fns that are unsafe and will make them async fn really_this_function_is_unsafe() or something, I suppose. This seems like a regression in a basic expectation that Rust users have in terms of being able to define functions that require unsafe { ... } to call. Yet another feature gate will contribute to the impression that async/await is unfinished.

@cramertj seems like we ought to discuss! I created a Zulip topic for it, to try and keep this tracking issue from getting too overloaded.

Regarding future sizes, the cases that affect every await point are optimized. The last remaining issue that I know of is #59087, where any borrow of a future before awaiting can double the size allocated for that future. This is pretty unfortunate, but still quite a bit better than where we were before.

I have an idea of how to fix that issue, but unless this is way more common than I realize, it probably shouldn't be a blocker for a stable MVP.

That said, I still need to look at the impact of these optimizations on Fuchsia (that's been blocked for awhile but should clear up today or tomorrow). It's quite possible we'll discover more cases, and will need to decide if any of them should be blocking.

@cramertj (Reminder: I do use async/await and want it to stabilize ASAP) Your argument sounds like an argument for delaying stabilization of async/await, not for stabilizing async unsafe right now without proper experimentation and thought.

Especially as it wasn't included in the RFC, and will potentially trigger another “impl trait in argument position” shitstorm if it was forced out this way.

[Side note that doesn't really deserve discussion here: for “Yet another feature gate will contribute to the impression that async/await is unfinished”, I've found a bug every few hours of using async/await, spread by the few months legitimately needed by the rustc team to fix them, and it's the thing that makes me say it's unfinished. Last one was fixed a few days ago, and I'm really hoping I won't uncover another one when I try again to compile my code with a newer rustc, but…]

Your argument sounds like an argument for delaying stabilization of async/await, not for stabilizing async unsafe right now without proper experimentation and thought.

No, it isn't an argument for that. I believe that async unsafe is ready, and can't imagine any other design for it. I believe there are only negative consequences to not including it in this initial release. I do not believe that delaying async/await as a whole, nor async unsafe specifically, will produce a better result.

can't imagine any other design for it

An alternative design, though one that definitely requires complicated extensions: async unsafe fn is unsafe to .await, not to call(). The reasoning behind this being that _nothing unsafe can be done_ at the point where the async fn is called and creates the impl Future. All that step does is stuff data into a struct (in effect, all async fn are const to call). The actual point of unsafety is advancing the future with poll.

(imho, if the unsafe is immediate, unsafe async fn makes more sense, and if the unsafe is delayed, async unsafe fn makes more sense.)

Of course, if we never get a way to say e.g. unsafe Future where all methods of Future are unsafe to call, then "hoisting" the unsafe to the creation of the impl Future, and the contract of that unsafe being to use the resulting future in a safe way. But this can also be almost trivially done without unsafe async fn by just "desugaring" manually to an async block: unsafe fn os_stuff() -> impl Future { async { .. } }.

On top of that, though, there's a question of if there actually exists a way to have invariants that need to be held once polling starts that don't need to be held at creation. It's a common pattern in Rust that you use an unsafe constructor to a safe type (e.g. Vec::from_raw_parts). But key there is that after the construction, the type _cannot_ be misused; the unsafe scope is over. This scoping of unsafety is key to Rust's guarantees. If you introduce an unsafe async fn that crates a safe impl Future with requirements for how/when it's polled, then pass it to safe code, that safe code is suddenly inside your unsafety barrier. And this is _very_ likely to happen as soon as you use this future in any manner other than immediately awaiting it, as it'll likely go through _some_ external combinator.

I guess the TL;DR of this is that there are definitely corners of async unsafe fn that should be discussed properly before stabilizing it, especially with the direction of const Trait potentially being introduced (I have a draft blog post about generalizing this to a "weak 'effects' system" with any fn-modifying keyword). However, unsafe async fn might actually be clear enough about the "ordering"/"positioning" of the unsafe to stabilize.

I believe that an effects-based unsafe Future trait is not only out of reach of anything we know how to express in the language or the compiler today, but that it would ultimately be a worse design due to the additional effect-polymorphism that it would require combinators to have.

nothing unsafe can be done at the point where the async fn is called and creates the impl Future. All that step does is stuff data into a struct (in effect, all async fn are const to call). The actual point of unsafety is advancing the future with poll.

It's true that since an async fn can't run any user code prior to being .awaited, any undefined behavior would likely be delayed until .await was called. I think, though, that there's an important distinction between the point of UB and the point of unsafety. The actual point of unsafety is wherever an API author decides that a user needs to promise that a set of non-statically-verifiable invariants are met, even if the result of those invariants being violated wouldn't cause UB until later in some other safe code. One common example of this is an unsafe function to create a value that implements a trait with safe methods (exactly what this is). I've seen this used to ensure that e.g. Visitor-trait-implementing types whose implementations rely on unsafe invariants can be used soundly, by requiring unsafe to construct the type. Other examples include things like slice::from_raw_parts, which itself will not cause UB (type validity invariants aside), but accesses to the resulting slice will.

I don't believe that async unsafe fn represents a unique or interesting case here-- it follows a well-established pattern for performing unsafe behaviors behind a safe interface by requiring an unsafe constructor.

@cramertj The fact you're even having to argument for this (and I'm not suggesting I think the current solution is a bad one, or that I have a better idea) means, to me, that this debate should be at a place people who care about rust should follow: the RFC repository.

As a reminder, a quote from its readme:

You need to follow this process if [...] :

• Any semantic or syntactic change to the language that is not a bugfix.
• [... and also non-cited stuff]

I'm not saying any change to the current design will happen. Actually, thinking about it a few minutes makes me think it's likely the best design I could think of. But process is what allows us to avoid our beliefs from becoming a danger to Rust, and we're missing the wisdom of many people who follow the RFC repository but don't read every single issue by not following the process here.

Sometimes not following the process might make sense. Here I can see no urgency that would warrant ignoring the process just to avoid some 2 weeks of FCP delay.

So please let rust be honest with its community about the promises it gives in its own readme, and just keep that feature below a feature gate until there's at least an accepted RFC and hopefully some more use of it in the wild. Whether it's the whole async/await feature gate or just an unsafe-async feature gate I don't care, but just don't stabilize something that has (AFAIK) seen little usage beyond the async-wg and is barely known about in the overall community.

I am writing a first pass at reference material for the book. Along the way, I noticed that the async-await RFC says that the ? operator's behavior has not yet been determined. And yet it seems to work fine in an async block (playground). Should we move that to a separate feature gate? Or was that resolved at some point? I didn't see it in the stabilization report, but perhaps I missed it.

(I also asked this question on Zulip and would prefer responses there, as it's easier to manage for me.)

Yes, it was discussed and resolved along with the behavior of return, break, continue et. al. which all do "the only possible thing" and behave as they would inside of a closure.

let f = unsafe { || {...} }; is also safe to call and IIRC it's equivalent to moving theunsafe to inside of the closure.
Same thing for unsafe fn foo() -> impl Fn() { || {...} }.

This, to me, is precedent enough for "the unsafe thing happens after leaving the unsafe scope".

The same holds for other places. As previously pointed out, unsafe is not always where the potential UB would be. Example:

    let mut vec: Vec<u32> = Vec::new();

    unsafe { vec.set_len(100); }      // <- unsafe

    let val = vec.get(5).unwrap();     // <- UB
    println!("{}", val);

It just seems like a misunderstanding of unsafe to me - unsafe doesn't mark that "an unsafe operation occurs inside here"- it marks "I am garanteeing that I uphold the necessary invariants here." While you could be upholding the invariants at the await point, because it involves no variable parameters, its not a very obvious site for checking that you uphold the invariants. It makes much more sense, and is far more consistent with how all of our unsafe abstractions work, to guarantee you uphold invariants at the call site.

This is connected to why thinking of unsafe as an effect leads to inaccurate intuitions (as Ralf argued when that idea was first brought up last year). Unsafety is specifically, intentionally, not infectious. While you can write unsafe functions that call other unsafe functions and just forward their invariants up the call stack, this is not the normal way that unsafe is used at all, and its actually a syntactic marker used for defining contracts on values and manually checking that you uphold them.

So its not the case that every design decision needs a whole RFC, but we've been working on trying to provide more clarity and structure on how decisions are made. The list of major decision points in the opening of this issue is an example of that. Using the tools available to us, I'd like to take a stab at a structured consensus point around this issue of unsafe async fns, so this is a summary post with a poll.

async unsafe fn

async unsafe fns are async functions which can only be called inside an unsafe block. Inside their body is treated as an unsafe scope. The primary alternative design would be to make async unsafe fns unsafe to await, rather than to call. There are a number of solid reasons to prefer the design in which they are unsafe to call:

1. It is consistent syntactically with the behavior of non-async unsafe fns, which are also unsafe to call.
2. It is more consistent with how unsafe works in general. An unsafe function is an abstraction which depends on some invariants being upheld by its caller. That is, its not the case that its about marking "where the unsafe operation happens" but "where the invariant is guaranteed to be upheld." Its much more sensible to check that the invariants are upheld at the call site, where the arguments are actually specified, than at the await site, separate from when the arguments were selected and verified. This is very normal for unsafe functions in general, which often determine some state that other, safe functions expect to be correct
3. It is more consistent with the desugaring notion of async fn signatures, where you can model the signature as equivalent to removing the async modifier and wrapping the return type in a future.
4. The alternative is not viable to implement in the near or medium term (meaning several years). There is no way to create a future which is unsafe to poll in the currently designed Rust language. Some kind of "unsafe as an effect" would be a huge change that would have far reaching implications and need to deal with how it is backward compatible with unsafe as it exists today already (like, normal unsafe functions and blocks). Adding async unsafe fns does not significantly change that landscape, whereas async unsafe fns under the current interpretation of unsafe have real practical use cases in the near and medium term.

@rfcbot ask lang "Do we accept stabilizing async unsafe fn as an async fn which is unsafe to call?"

I have no idea how to make a poll with rfcbot but I've nominated it at least.

Team member @withoutboats has asked teams: T-lang, for consensus on:

"Do we accept stabilizing async unsafe fn as an async fn which is unsafe to call?"

• [x] @Centril
• [x] @cramertj
• [x] @eddyb
• [ ] @joshtriplett
• [x] @nikomatsakis
• [ ] @pnkfelix
• [ ] @scottmcm
• [x] @withoutboats

@withoutboats

I'd like to take a stab at a structured consensus point around this issue of unsafe async fns, so this is a summary post with a poll.

Thanks for the write-up. The discussion has me convinced that async unsafe fn as it works in nightly today behaves right. (Tho some tests should probably be added since it looked sparse.) Also, could you please amend the report at the top with parts of your report + a description of how async unsafe fn behaves?

It is more consistent with how unsafe works in general. An unsafe function is an abstraction which depends on some invariants being upheld by its caller. That is, its not the case that its about marking "where the unsafe operation happens" but "where the invariant is guaranteed to be upheld." Its much more sensible to check that the invariants are upheld at the call site, where the arguments are actually specified, than at the await site, separate from when the arguments were selected and verified. This is very normal for unsafe functions in general, which often determine some state that other, safe functions expect to be correct

As someone not paying too close attention, I would agree and think the solution here is good documentation.

I might be off the mark here, but given that

• futures are combinatorical by nature, it's fundamental that they are composable.
• await points inside a future implementation are generally an invisible implementation detail.
• the future is very distant from the execution context, with the actual user maybe in-between instead of at the root.

it seems to me that invariants depending on specific awaiting usage/behavior is somewhere between a bad idea and impossible to rule safe.

If there are cases where the awaited output value is what is involved in upholding the invariants, I assume the future could simply have an output that is a wrapper requiring unsafe access, like

struct UnsafeOutput<T>(T);
impl<T> UnsafeOutput<T> {
    unsafe fn unwrap(self) -> T { self.0 }
}

Given that the unsafeness is before the asyncness in this "early unsafe", I'd be much happier with the modifier order being unsafe async fn than async unsafe fn, because unsafe (async fn) maps much more obviously onto that behavior than async (unsafe fn).

I'll happily accept either, but I strongly feel that the wrapping order exposed here has the unsafe on the outside, and the order of the modifiers can help make this clear. (unsafe is the modifier to async fn, not async the modifier to unsafe fn.)

I'll happily accept either, but I strongly feel that the wrapping order exposed here has the unsafe on the outside, and the order of the modifiers can help make this clear. (unsafe is the modifier to async fn, not async the modifier to unsafe fn.)

I was with you until your last parenthesized point. @withoutboats' writeup makes it pretty clear for me that, if the unsafety is dealt with at the call site, what you actually have is an unsafe fn (that happens to be called in an async context).

I'd say we paint the bikeshed async unsafe fn.

I think that async unsafe fn makes more sense, but I also think that we should grammatically accept any order among async, unsafe, and const. But async unsafe fn makes more sense to me with the notion that you strip the async and modify the return type to "desugar" it.

The alternative is not viable to implement in the near or medium term (meaning several years). There is no way to create a future which is unsafe to poll in the currently designed Rust language.

FWIW I ran into a similar problem that I mentioned in RFC2585 when it comes to closures inside unsafe fn and the function traits. I didn't expect unsafe async fn to return a Future with a safe poll method, but instead to return an UnsafeFuture with an unsafe poll method. (*) We could then make .await also work on UnsafeFutures when it is used inside of unsafe { } blocks, but not otherwise.

These two future traits would be a huge change with respect to what we have today, and they would probably introduce a lot of composability issues. So the ship for exploring alternatives has probably sailed. Particularly since this would be different to how the Fn traits work today (e.g. we don't have a UnsafeFn trait or similar, and my issue in RFC2585 was that creating a closure inside an unsafe fn returns a closure that impls Fn(), that is, that is safe to call, even though this closure can call unsafe functions.

Creating the "unsafe" Future or closure is not the problem, the problem is calling them without proving that doing so is safe, particularly when their types do not say that this must be done.

(*) We can provide a blanket impl of UnsafeFuture for all Futures, and we can also provide UnsafeFuture an unsafe method to "unwrap" itself as a Future that is safe to poll.

Here's my two cents:

• @cramertj's explanation (https://github.com/rust-lang/rust/issues/62149#issuecomment-510166207) convinces me that unsafe async functions are the right design.
• I very much prefer a fixed ordering of the keywords unsafe and async
• I slightly prefer the ordering unsafe async fn because the ordering seems more logical. Similar to "a fast electric car" vs "an electric fast car". Mainly because an async fn desugars to an fn. So, it makes sense that the two keywords are next to each other.

I think let f = unsafe { || { ... } } should make f safe, an UnsafeFn trait should never be introduced, and a priori .awaiting and async unsafe fn should be safe. Any UnsafeFuture needs strong justification!

All this follows because unsafe should be explicit, and Rust should nudge you back into safe land. Also by this token, f's ... should _not_ be an unsafe block, https://github.com/rust-lang/rfcs/pull/2585 should be adopted, and an async unsafe fn should have a safe body.

I think this last point might prove rather crucial. It's possible that every async unsafe fn will employ an unsafe block, but similarly most would benefit from some safety analysis, and many sound complex enough to mistakes easy.

We should never bypass the borrow checker when capturing for closures in particular.

So my comment here: https://github.com/rust-lang/rust/issues/62149#issuecomment-511116357 is a very bad idea.

An UnsafeFuture trait would require the caller to write unsafe { } to poll a future, yet the caller has no idea of which obligations must be proven there, e.g., if you get a Box<dyn UnsafeFuture> is unsafe { future.poll() } safe ? For all futures ? You can't know. So this would be completely useless as @rpjohnst pointed out on discord for a similar UnsafeFn trait.

Requiring Future's to always be safe to pol makes sense, and the process of constructing a future that must be safe to poll can be unsafe; I suppose that's what async unsafe fn is. But in that case, the fn item can document what needs to be upheld so that the returned future is safe to poll.

@rfcbot implementation-work-blocking-stabilization

There are still 2 known implementation blockers to my knowledge (https://github.com/rust-lang/rust/issues/61949, https://github.com/rust-lang/rust/issues/62517) and it would still be good to add some tests. I'm resolving my concern to make rfcbot not be our blocker time-wise and then we'll actually block on the fixes instead.

@rfcbot resolve implementation-work-blocking-stabilization

:bell: This is now entering its final comment period, as per the review above. :bell:

Filed stabilization PR in https://github.com/rust-lang/rust/pull/63209.

The final comment period, with a disposition to merge, as per the review above, is now complete.

As the automated representative of the governance process, I would like to thank the author for their work and everyone else who contributed.

The RFC will be merged soon.

An interesting aspect that we are stabilizing here is that we are making self-referential structs available from safe code. What makes this interesting is that in a Pin<&mut SelfReferentialGenerator>, we have a mutable reference (stored as a field in the Pin) pointing to the entire generator state, and we have a pointer inside that state pointing to another piece of the state. That inner pointer aliases with the mutable reference!

As a follow-up to this, @comex actually managed to write some (safe) async Rust code that violates LLVM's noalias annotations the way we currently emit them. However, it seems due to the use of TLS, there are currently no miscompilations.