February 19, 2016
Re: Yet another leak in the sinking ship of @safe
Posted in reply to Steven Schveighoffer

On Fri, Feb 19, 2016 at 02:15:30PM -0500, Steven Schveighoffer via Digitalmars-d wrote:
> On 2/19/16 2:00 PM, H. S. Teoh via Digitalmars-d wrote:
> > On Thu, Feb 18, 2016 at 08:37:10AM -0800, H. S. Teoh via Digitalmars-d wrote:
> > [...]
> > > It's bad enough that some Phobos modules (*ahem*std.socket*cough*) liberally sprinkle @trusted on every function without regard to whether it's truly justified
> > [...]
> >
> > I don't like being the guy who only whines but does nothing about it, so here's an attempt at plugging at least one of the holes in the @safe cheese grater:
> >
> >     https://github.com/D-Programming-Language/phobos/pull/4011
[...]

Well, that PR would cause too much breakage, so here's an alternative fix based on what Jakob Ovrum proposed:

    https://github.com/D-Programming-Language/dmd/pull/5468

> > More to come, hopefully. More cheese grater plugs from other contributors will be warmly welcomed, I'm sure (hint, hint!).
>
> Stick with ship as your metaphor. You *want* holes in your cheese grater ;)
[...]

But I'm lactose-intolerant! ;-)

T

--
Stop staring at me like that! It's offens... no, you'll hurt your eyes!
February 23, 2016
Re: Yet another leak in the sinking ship of @safe
Posted in reply to H. S. Teoh

On Friday, 19 February 2016 at 19:00:35 UTC, H. S. Teoh wrote:
> Here's an existing one that plugs another hole in the cheese grater:
>
>     https://github.com/D-Programming-Language/phobos/pull/4009

That pull mentions the issue of *arr[$..$].ptr being unsafe:

    https://issues.dlang.org/show_bug.cgi?id=11176

Assuming we don't want to disallow slice.ptr in @safe code, maybe we could have the compiler insert this code before reading slice.ptr:

    version(D_NoBoundsChecks) else
    if (slice.length == 0) throw new RangeError("Unsafe .ptr on empty array");
February 23, 2016
Re: Yet another leak in the sinking ship of @safe
Posted in reply to Nick Treleaven

On Tuesday, 23 February 2016 at 11:04:31 UTC, Nick Treleaven wrote:
> Assuming we don't want to disallow slice.ptr in @safe code, maybe we could have the compiler insert this code before reading slice.ptr:
>
>     version(D_NoBoundsChecks) else
>     if (slice.length == 0) throw new RangeError("Unsafe .ptr on empty array");

Tweaking this a bit, a null .ptr dereference could arguably be considered safe, so we could only throw when empty and non-null:

    version(D_NoBoundsChecks) {} else
    if (slice.length == 0 && slice.ptr)
        throw new RangeError("Unsafe .ptr on empty array");

This could still sometimes break existing @safe code that only wants to see if slice.ptr is null (and not dereference .ptr). If the above were implemented, doing that might need a @trusted wrapper:

    @trusted bool isNull(T)(T[] slice)
    {
        return slice.ptr is null;
    }

Instead, comparing slice.ptr with null could be recognised and safely allowed by the compiler, without the runtime check, so long as .ptr doesn't escape.
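An added example, not code from the thread or from dmd/Phobos: the check proposed above written as an ordinary @trusted helper (the names checkedPtr and isNull are assumed), so the three cases the thread discusses can be exercised: a normal slice, the empty-but-non-null arr[$..$] slice, and a null slice that is only compared with null.

```d
// Added example (not from the thread, dmd or Phobos): the proposed
// compiler-inserted check as a library helper, so it can be run on each
// of the slice shapes discussed above.
import core.exception : RangeError;

/// Returns slice.ptr, but refuses to hand out a pointer that is non-null
/// and has no element behind it (the arr[$ .. $] case, which points one
/// past the end). As in the thread's proposal, the check goes away when
/// bounds checking is disabled (-boundscheck=off defines D_NoBoundsChecks).
T* checkedPtr(T)(T[] slice) @trusted
{
    version (D_NoBoundsChecks) {}
    else
    {
        // druntime's RangeError constructor takes file/line, not a message,
        // so the reason lives here rather than in the argument list.
        if (slice.length == 0 && slice.ptr !is null)
            throw new RangeError();
    }
    return slice.ptr;
}

/// The @trusted wrapper suggested above for code that only wants to know
/// whether a slice is null and never dereferences .ptr.
bool isNull(T)(T[] slice) @trusted
{
    return slice.ptr is null;
}

@safe unittest
{
    import std.exception : assertThrown;

    int[] arr = [1, 2, 3];              // constructed sample input
    assert(!isNull(arr));
    assert(*checkedPtr(arr) == 1);      // normal slice: pointer is usable

    int[] tail = arr[$ .. $];           // empty, but .ptr is one past the end
    assert(tail.length == 0 && !isNull(tail));
    assertThrown!RangeError(checkedPtr(tail));

    int[] none;                         // null slice: comparing with null is harmless
    assert(isNull(none));
    assert(checkedPtr(none) is null);
}

void main() {}
```

Build with `dmd -unittest` to run the checks; with `-boundscheck=off` the tail case no longer throws, matching the version condition in the proposal.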
Copyright © 1999-2021 by the D Language Foundation