A serious security bug... caused by no bounds checking.
Meta
jared771 at gmail.com
Fri Apr 11 08:15:20 PDT 2014
On Friday, 11 April 2014 at 14:06:33 UTC, Daniel Murphy wrote:
> Trying to prevent developer stupidity is a lost cause.
>
> Bounds checks are on by default. They are even on when you ask
> for 'fast-over-safe' aka -release. They get turned off when
> you explicitly ask for it.
>
>> But there is a cost, even to labeling the "one inner" function
>> @trusted. Perhaps that function is extremely long and complex.
>> There should be a way to say, "I still want all the @safety
>> checks, except for this one critical array access, I have
>> manually guaranteed the bounds". We don't have anything like
>> that. All other safety checks are really static, this is the
>> only runtime penalty for safety.
>
> Something like (() @trusted => arr.ptr[index]) should do the
> trick.
>
>> The blunt flag approach is scary. @trusted is better, in that
>> you can focus on one function at a time. But I think we need
>> something more precise. Perhaps you should be able to have
>> @trusted scopes, or @trusted expressions.
>
> @trusted delegates get you 99.99% of the way there.
Hasn't there been a proposal before to allow
@system/@trusted/@safe blocks, allowing it to be a bit more
granular than at the function level? Maybe:
@trusted
{
    arr.ptr[index]
}
Could be lowered to (() @trusted => arr.ptr[index]).
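The @trusted-delegate idiom from Daniel's reply, written out as a complete D program. This is an added example for this thread, not code posted by either participant; the function name sumEveryOther and the sample array are assumptions made for illustration. It shows the two ways of reading the same element inside a @safe function: the normal bounds-checked access, and the unchecked access that the @trusted lambda makes legal from @safe code, together with the manual bound that has to hold for the unchecked read to be memory-safe.

```d
import std.stdio;

// @safe: the compiler rejects @system operations (pointer indexing,
// .ptr arithmetic, etc.) and keeps array bounds checks even under
// -release; only an explicit flag (-noboundscheck on compilers of this
// era, -boundscheck=off on later ones) strips them from @safe code.
int sumEveryOther(const(int)[] arr) @safe
{
    int total = 0;

    // The loop condition is the manual bounds proof for the unchecked
    // read below: i < arr.length holds on every iteration, so
    // arr.ptr[i] never leaves the slice.
    for (size_t i = 0; i < arr.length; i += 2)
    {
        // Bounds-checked access. Safe for any i; an out-of-range index
        // throws RangeError instead of reading past the buffer.
        int checked = arr[i];

        // Unchecked access. arr.ptr[i] is @system, so it cannot appear
        // directly here; wrapping it in a @trusted delegate and calling
        // it confines the trust to this single expression rather than
        // forcing the whole function to be @trusted. The delegate
        // captures arr and i from the enclosing scope.
        int unchecked = (() @trusted => arr.ptr[i])();

        // Sanity check (compiled out with -release): both reads must
        // agree while the manual bound is respected.
        assert(checked == unchecked);

        total += unchecked;
    }
    return total;
}

void main() @safe
{
    // Constructed sample input for the example.
    const(int)[] data = [1, 2, 3, 4, 5, 6, 7];
    writeln("sum of every other element: ", sumEveryOther(data)); // 1+3+5+7 = 16
}
```

The caveat the thread is circling: the @trusted lambda removes the check but not the obligation. If the bound in the loop condition were wrong (say `i <= arr.length`), the checked read would throw and the unchecked one would silently read past the slice, which is exactly the class of bug in the subject line. Keeping the @trusted expression small and next to the code that establishes the bound is what makes the manual guarantee reviewable.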