DIP1028 - Rationale for accepting as is
ag0aep6g
anonymous at example.com
Sun May 24 20:26:45 UTC 2020
On 24.05.20 19:44, Arine wrote:
> On Sunday, 24 May 2020 at 15:42:54 UTC, ag0aep6g wrote:
[...]
>> @system does indicate that you don't have to check a function. But it's
>> trumped by other indicators:
[...]
> You *have* to check @system code. That's where you are guaranteed to
> have memory safety issues. If you are ignoring @system code because you
> think @safe code doesn't interact with it at all, then that's a problem
> you are creating for yourself. @system code can still call @safe code,
> and that @system code that is calling the @safe code can pass invalid
> information that causes the @safe code to misbehave. You have to check
> @system for memory safety issues.
You're right; it's not accurate that "@system does indicate that you
don't have to check a function". That's only true under particular
conditions:
When your entry points are @safe and you have already verified all
@trusted functions (including their call graphs which might include
@system functions), then you can ignore any other @system functions,
because your program doesn't call them anyway. But that's true for any
function. If your program doesn't call it, you don't need to check it.
So it's not a particularly meaningful thing to say about @system, and
that's on me.
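The two points made above (an @system caller can hand invalid data to a correct @safe function, and an uncalled @system function is irrelevant once the @safe entry point and the audited @trusted functions are accounted for) as a small D program. This is an added example, not code from the post or from DIP1028; the function names sumOf, sumRaw, sumChecked and unsafeCaller are made up for illustration.

```d
// Added example, not from the mailing-list post. Compiles with a stock dmd;
// the names below are invented for this illustration.
import std.stdio;

// @safe: the compiler verifies the body, but it must trust that the slice it
// receives describes valid memory. Nothing in here can be blamed if it does not.
@safe int sumOf(const(int)[] values)
{
    int total = 0;
    foreach (v; values)
        total += v;
    return total;
}

// @system helper on the audited call graph: raw pointer, caller-supplied length.
@system int sumRaw(const(int)* p, size_t n)
{
    int total = 0;
    foreach (i; 0 .. n)
        total += p[i];
    return total;
}

// @trusted: callable from @safe, body NOT checked by the compiler, so a human
// must audit it together with every @system function it reaches (sumRaw here).
// Audit note: ptr and length come from a slice that @safe code already holds,
// so sumRaw never leaves the bounds of valid memory.
@trusted int sumChecked(const(int)[] values)
{
    return sumRaw(values.ptr, values.length);
}

// @system caller that is never reached from main: it builds a slice that is far
// longer than the buffer behind it (legal only in @system) and hands it to the
// @safe function, which then reads past the buffer through no fault of its own.
// Because the @safe entry point below never calls this, it needs no review for
// this program; the moment some code path does call it, it does.
@system int unsafeCaller()
{
    int[4] buf = [1, 2, 3, 4];
    const(int)* p = buf.ptr;
    const(int)[] bogus = p[0 .. 100]; // over-long slice: only @system may do this
    return sumOf(bogus);              // @safe callee now reads out of bounds
}

// @safe entry point: everything reachable from here is compiler-checked except
// the bodies of @trusted functions, which the reviewer audits (sumChecked).
@safe void main()
{
    int[4] buf = [1, 2, 3, 4];
    writeln(sumOf(buf[]));      // 10
    writeln(sumChecked(buf[])); // 10, via the audited @trusted/@system path
    // unsafeCaller();          // compile error: @safe cannot call @system
}
```

Reading the program as the reviewer: the audit set is main's call graph (sumOf, sumChecked, and sumRaw behind it). unsafeCaller is @system and uncalled, so it is ignorable here, exactly as the post says of any uncalled function; add a @trusted wrapper that calls it and it immediately joins the audit set, and the over-long slice it passes becomes a memory-safety bug inside otherwise correct @safe code.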
More information about the Digitalmars-d-announce
mailing list