On Thursday, 17 June 2021 at 19:06:31 UTC, Paul Backus wrote:
> In order for `get` to have a safe interface, it must not be possible to call it from `@safe` code with an instance that has `offset >= 2`. Because of the bug in `size`, it is possible for `@safe` code to call `get` with such an instance. Therefore, `get` does not have a safe interface.
Yes, but if I make size() @trusted and fix the bug, then the interface is provably safe?
```d
class A {
    this() @trusted {
        ptr = &buffer[0];   // ptr always points into buffer
        offset = 0;
    }
    int get() @trusted { return ptr[offset]; }       // relies on 0 <= offset <= 1
    void set(int i) @trusted { this.offset = i & 1; } // masks offset into [0, 1]
    int size() @trusted { return 2; }                 // bug removed: offset untouched
private:
    int[2] buffer;
    int* ptr;
    int offset;
}
```
Also, if I do this, it is probably safe, because of the invariant that is checked?
```d
class A {
    this() @trusted {
        ptr = &buffer[0];
        offset = 0;
    }
    int get() @trusted { return ptr[offset]; }
    void set(int i) @trusted { this.offset = i & 1; }
    int size() @safe { offset = 2; return 2; }        // bug kept on purpose: sets offset out of range
    invariant { assert(0 <= offset && offset <= 1); } // meant to catch the bug above
private:
    int[2] buffer;
    int* ptr;
    int offset;
}
```