A serious security bug... caused by no bounds checking.
Steven Schveighoffer
schveiguy at yahoo.com
Thu Apr 10 17:52:25 PDT 2014
On Thu, 10 Apr 2014 19:21:52 -0400, Andrei Alexandrescu
<SeeWebsiteForEmail at erdani.org> wrote:
> On 4/10/14, 10:56 AM, Steven Schveighoffer wrote:
>> @safe code can be marked as @trusted instead, and nothing changes,
>> except @trusted code can have bounds checks removed. How does this not
>> work as a solution?
>
> Doesn't work because @trusted removes all additional checks by the
> compiler. We do want to have @safe as mechanically verified.
I think you are missing something. This is code that is marked as @safe.
Then you change it to @trusted. It doesn't change that the code is @safe,
but now it's @trusted so the bounds checks can be removed temporarily.
The assertion is that -noboundscheck for @safe code is a temporary
condition to find possible optimizations. Then if this helps, you can find
a more permanent mechanism to fix the performance. A similar mechanism is
to use @trusted to allow bounds checks to go away temporarily, as a test.
Any function that is @safe can be instead marked as @trusted, and nothing
else changes.
>> As Walter often says about logical const, logical @safe is @safe by
>> convention, and it loses all of its teeth.
>
> I think you are wrong here.
Victims with bleeding hearts around the world are feeling the effects of
logical safety.
If @safe is just a convention, then I don't see the point of having it at
all. If it can't be a guarantee, then it's pretty much another tech
buzzword with no teeth.
-Steve
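An added example, not code from the thread or from any D project: a length-field bug of the kind the subject line refers to, written in D to show what the bounds check in @safe code catches and what the "mark it @trusted to test without bounds checks" experiment described above gives up. The record bytes are constructed, the function names are invented for illustration, and the flag behaviour described in the comments is that of current DMD (-boundscheck=safeonly, selected by -release), which is the mechanism D ended up with rather than the -noboundscheck switch being debated in the message.

```d
// Added example, not code from the thread. A length-field bug of the kind
// the subject line refers to, in D: the @safe version is stopped by the
// bounds check, the @trusted version loses that check under -release.
import std.stdio : writeln;
import core.exception : RangeError;

// Constructed record: a 2-byte big-endian "payload length" followed by the
// payload. The claimed length (0x4000) is far larger than the 2 real bytes.
immutable ubyte[] record = [0x40, 0x00, 0x68, 0x69];

/// Read the claimed length and hand back that many payload bytes.
/// @safe: the slice is bounds-checked, so an over-long claim throws
/// RangeError instead of yielding a view past the end of the record.
const(ubyte)[] echoPayloadSafe(const(ubyte)[] rec) @safe
{
    size_t claimed = (rec[0] << 8) | rec[1];
    return rec[2 .. 2 + claimed]; // RangeError if 2 + claimed > rec.length
}

/// Identical body marked @trusted (hypothetical name). The compiler no longer
/// verifies it, and with -boundscheck=safeonly (what -release selects in
/// current DMD) the slice check is compiled out here while @safe code keeps
/// its checks. Under those flags this returns a 0x4000-byte view that starts
/// inside a 4-byte array.
const(ubyte)[] echoPayloadTrusted(const(ubyte)[] rec) @trusted
{
    size_t claimed = (rec[0] << 8) | rec[1];
    return rec[2 .. 2 + claimed];
}

/// Run one parser over the constructed record and report what happened.
/// A @trusted function pointer converts implicitly to a @safe one, so both
/// parsers fit the same parameter.
void attempt(string label, const(ubyte)[] function(const(ubyte)[]) @safe fn)
{
    try
    {
        auto view = fn(record);
        // Only reached when the check was compiled out. Do not read `view`:
        // its bytes lie outside `record`, which is exactly the bug.
        writeln(label, ": no check, returned a view of ", view.length, " bytes");
    }
    catch (RangeError e)
    {
        writeln(label, ": rejected over-long length claim (", e.msg, ")");
    }
}

void main()
{
    // dmd example.d           -> both calls throw RangeError.
    // dmd -release example.d  -> the @safe call still throws; the @trusted
    //                            call returns a 16384-byte view past the end.
    attempt("@safe   ", &echoPayloadSafe);
    attempt("@trusted", &echoPayloadTrusted);
}
```

In current DMD the thread's -noboundscheck switch survives only as a deprecated alias for -boundscheck=off, which removes the check from both functions above, including the @safe one; -boundscheck=safeonly is the setting that matches the position taken in the message, where @safe code keeps its checks and @trusted is the escape hatch.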