Providing implicit conversion of - memory-safety

Renato renato at athaydes.com
Tue Jan 23 21:40:46 UTC 2024 

On Tuesday, 23 January 2024 at 21:18:53 UTC, bachmeier wrote:
> There are two things things that cause the problem. One is the 
> use of a template and the other is passing an unsigned type. 
> The reason the first parameter uses a template is because there 
> are a lot of types I could send as the first argument, and for 
> some of them there was a transformation of index (for instance, 
> you can pass a date as a long[2], or you can pass another type 
> and pull out the length, that sort of thing). It's using a 
> pointer because I was working with a C library, and that's how 
> the data is stored and passed around.
>
> The data is time series. If after the transformations the index 
> is less than zero, it returns 0.0, which is used for all 
> pre-sample values. If it's non-negative, return the element at 
> that position.
>
> One of the nice things about D is the ability to write this 
> kind of code in such a natural and (I thought) intuitive style. 
> I really like the way all this comes together. There's really 
> no way that code should have been able to do anything wrong. 
> What's terribly frustrating is that the compiler had full 
> knowledge of what was happening, but by choice it didn't say 
> anything, even though D is supposed to prevent these things 
> that happen in C.

While I can understand your frustration, it seems to me D is not 
to blame in this instance because the code is quite patently 
using unsafe constructs (D does not claim to be fully safe).

Would something like this work?

```d
double value(T)(T index, double* x) if (is(T : size_t))
{
     if (index < 5 || x == null)
     {
         return 0.0;
     }
     else
     {
         return x[index - 5];
     }
}

void main()
{
     import std.stdio;
     import std.range : iota;

     double[] ds = [1, 2, 3, 4, 5, 6];
     ubyte b = 1;
     foreach (_; iota(12))
     {
         writeln(value(b++, ds.ptr));
     }
}
```

This will still read rubbish if the index goes past the actual 
array (because I assume you can't get the exact length from the C 
code? If you can, you should pass that in and do the bounds check 
yourself) but there's no unsigned type mistakes (notice that it's 
almost always a mistake to subract from any unsigned type - D 
scanner correctly warns about that).

More information about the Digitalmars-d-learn mailing list