DIP1028 - Rationale for accepting as is
Arine
arine1283798123 at gmail.com
Sun May 24 17:44:26 UTC 2020
On Sunday, 24 May 2020 at 15:42:54 UTC, ag0aep6g wrote:
> On Sunday, 24 May 2020 at 14:39:50 UTC, Arine wrote:
>> Then that is definitely a bug if that's the case. Someone
>> should probably make a bug report, Walter? If you are still
>> using @system with @safe, then that would still be somewhere
>> you have to look for not memory safe code. @trusted should
>> just mean that someone verified it. @system then would mean no
>> one's verified it to be safe, that doesn't mean you don't have
>> to check it.
>
> @system does indicate that you don't have to check a function.
> But its trumped by other indicators:
>
> * @system entry points (`main`, static constructors, static
> initializers) - have to check those.
>
> * Foreign prototypes (`extern (C)` and friends) - have to check
> those, whether they're @system or @safe or @trusted.
>
> * @system functions that are being called by @trusted ones -
> have to check those. But I would say that's part of verifying
> @trusted functions.
>
> Other than that (and maybe other special cases that I've
> missed), you can safely ignore @system functions, because your
> @safe program cannot possibly be calling them.
You *have* to check @system code. That's where you are
guarantee'd to have memory safety issues. If you are ignoring
@system code because you think @safe code doesn't interact with
it at all, then that's a problem you are creating for yourself.
@system code can still call @safe code, and that @system code
that is calling the @safe code can pass invalid information that
causes the @safe code to misbehave. You have to check @system for
memory safety issues. It seems Walter's comments about only have
to review @trusted are being taken too literally.
More information about the Digitalmars-d-announce
mailing list