Actual lifetime of static array slices?
Paul Backus
snarwin at gmail.com
Wed Nov 16 19:33:53 UTC 2022
On Tuesday, 15 November 2022 at 14:05:42 UTC, Siarhei Siamashka
wrote:
> On Tuesday, 15 November 2022 at 13:16:18 UTC, Paul Backus wrote:
>> D's safety model is the same. In `@safe` code, D will reject
>> anything that the compiler cannot say for sure is memory safe.
>> However, unlike in Rust, `@safe` is not the default in D, so
>> you must mark your code as `@safe` manually if you want to
>> benefit from these checks.
>
> I specifically asked for Ali's opinion. Because the context is
> that the compiler couldn't catch a memory safety bug in the
> code that was annotated as @safe (but without -dip1000) and Ali
> commented that "the compiler cannot do anything about it in all
> cases and we wouldn't want it to spend infinite amount of time
> to try to determine everything". This sounds like he justifies
> the compiler's failure and accepts this as something normal.
>
> The https://dlang.org/spec/memory-safe-d.html page also
> provides a rather vague statement: "@safe functions have a
> number of restrictions on what they may do and are intended to
> disallow operations that may cause memory corruption". Which
> kinda means that it makes some effort to catch some memory
> safety bugs. This weasel language isn't very reassuring,
> compared to a very clear Rust documentation.
The goal of `@safe` is to ensure that memory corruption cannot
possibly occur in `@safe` code, period--only in `@system` or
`@trusted` code. If the documentation isn't clear about this,
that's failure of the documentation.
However, there are some known issues with `@safe` that require
breaking changes to fix, and to make migration easier for
existing code, those changes have been hidden behind the
`-dip1000` flag. So in practice, if you are using `@safe` without
`-dip1000`, you may run into compiler bugs that compromise memory
safety.
That's what happened in your example. Slicing a stack-allocated
static array *shouldn't* be allowed in `@safe` code without
`-dip1000`, but the compiler allows it anyway, due to a bug, and
the fix for that bug is enabled by the `-dip1000` switch.
More information about the Digitalmars-d-learn
mailing list