Unsafe functions are confusing because they are actually robust types. Essentially, fn() is a subtype of Update<P, fn()> which is equivalent to Update<P, unsafe fn()> which is a subtype of unsafe fn(). We can see how an unsafe function taking no parameters and returning nothing is both an unsafe type of fn() and a robust type of unsafe fn().
So really when a user writes an unsafe function, they claim robustness (thus correctness). In other words, they don't have restrictions to use but permissions to use (in particular, a user may call such functions, which is otherwise not permitted if the type were just unsafe fn() and not updated).
See rust-lang/rust#151195 for context. It's very easy to think about unsafe functions as unsafe types (i.e. that have restrictions to use). But the unsafe keyword actually flips the reasoning.
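The two plain-Rust ends of the chain above can be checked with the compiler; this is an added example, not code from the issue or the project. `Update<P, _>` is the issue's notation and is not modeled here, and all function names are hypothetical.

```rust
/// Safe function: no precondition, so every caller may call it.
fn first_or_zero(xs: &[u32]) -> u32 {
    xs.first().copied().unwrap_or(0)
}

/// # Safety
/// The caller must guarantee that `xs` is non-empty.
unsafe fn first_unchecked(xs: &[u32]) -> u32 {
    // The author of this body is permitted to rely on the documented
    // precondition, which is why the bounds check can be skipped.
    unsafe { *xs.get_unchecked(0) }
}

/// Takes the larger type `unsafe fn`, so it accepts both functions above.
///
/// # Safety
/// The caller must satisfy `f`'s precondition for `xs` (here: non-empty).
unsafe fn call_with(f: unsafe fn(&[u32]) -> u32, xs: &[u32]) -> u32 {
    unsafe { f(xs) }
}

fn demo() -> (u32, u32) {
    let data = [7, 8, 9];

    // fn(..) coerces to unsafe fn(..): the safe type sits at the small
    // end of the chain.
    let safe_ptr: fn(&[u32]) -> u32 = first_or_zero;
    let widened: unsafe fn(&[u32]) -> u32 = safe_ptr;
    let unchecked: unsafe fn(&[u32]) -> u32 = first_unchecked;

    // The reverse direction is rejected by the compiler:
    // let narrowed: fn(&[u32]) -> u32 = unchecked; // error: mismatched types

    // SAFETY: `data` is non-empty, which discharges the precondition of
    // `first_unchecked`; `first_or_zero` has none.
    unsafe { (call_with(widened, &data), call_with(unchecked, &data)) }
}

fn main() {
    println!("{:?}", demo());
}
```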