[Issue 21565] @safe code allows modification of a scalar that overlaps with a pointer

d-bugmail at puremagic.com d-bugmail at puremagic.com
Thu Jan 21 10:26:30 UTC 2021 

https://issues.dlang.org/show_bug.cgi?id=21565

RazvanN <razvan.nitu1305 at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |razvan.nitu1305 at gmail.com

--- Comment #5 from RazvanN <razvan.nitu1305 at gmail.com> ---
(In reply to Steven Schveighoffer from comment #3)
> A union between a pointer and integer is most definitely unsafe in all
> instances. If you never intend to access the int*, in any circumstance, then
> why have a union?

It may be safe if the user sets the integer part with valid memory addresses.
However, the compiler cannot know that.

> If you do intend to access the int *, then having any safe code anywhere
> just change the integer ruins the any safety assumptions that the @trusted
> or @system code can make. Essentially, it means @trusted code can never
> access such a union reliably except to access just the integer.

Trusted does not offer any guarantees. You can do whatever you want there.
If you want to access a pointer that is overlapped with an integer that is
the users' problem not the typesystems'. You cannot assume anything with
regards to that pointer, that is the reason why it is not allowed in @safe
code. In case you do use and you have a segfault, then the developer will have
to audit the trusted blocks, not the @safe ones.

> This means that T is OK to use ONLY in @system code, or ONLY in @safe code,
> but NEVER in @trusted code (unless you just follow the @safe rules).
> 
> I don't feel like we should bend the spec over backwards to fit with the
> implementation, when there isn't really a benefit (other than being able to
> close a bug report).

I think that this is an issue were reasonable people may disagree, but the fact
is that @safe is checked with regards to operations not data structures. There
is no concept of @safe union or @system union in D. It is the way you use it
that makes it @safe/@system. From this point of view, setting an integer that
is overlapped with a pointer is not unsafe, however accessing a pointer that is
overlapped with an integer is.

--

More information about the Digitalmars-d-bugs mailing list