Dereferencing pointers in @safe code [was: Re: checkedint call removal]
David Nadlinger via Digitalmars-d
digitalmars-d at puremagic.com
Sat Aug 2 15:23:11 PDT 2014
On Saturday, 2 August 2014 at 20:23:53 UTC, Andrei Alexandrescu wrote:
> @system fun(int[] p) {
>     gun(p.ptr + p.length);
> }
>
> @safe gun(int* p) {
>     if (p) *p = 42;
> }
>
> This passes semantic checking but is unsafe and unsafety is in
> the @safe code. Well, that's fine, we might say. The problem is
> this works against our stance that "inspect @system code by
> hand, @safe code will take care of itself".
No! Calling gun like this is just the same as calling
"gun(cast(int*)0xdeadbeef)". You wouldn't argue that the @safe
code is at fault there either. Or when passing an array slice
with an invalid .ptr to a @safe function. It's not like you would
routinely pass p.ptr + p.length to _any_ function with a single
pointer argument (except maybe for a setter for the end of an
iterator pair or something like that).
Yes, p.ptr + p.length is merely invalid to dereference,
as opposed to being completely undefined behavior by itself
(assuming C rules). But I don't see how this changes anything
about the fact that fun() invokes a function with invalid
parameters (@safe or not).
Cheers,
David
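As an added example (written here, not taken from the thread or from the D project), the quoted fun/gun pair in compilable form next to a variant in which the @safe callee receives the slice rather than a raw pointer, so the out-of-range position is caught by a bounds check instead of silently writing past the array. The names gunSlice, funSlice and gunUnchecked are assumptions of this example, not identifiers from the original post.

```d
// Added example, not code from the original thread.
// Compile and run with: dmd -run safe_pointer.d
import core.exception : RangeError;
import std.stdio : writeln;

// The quoted pair: gun is @safe, but nothing in it can tell a
// one-past-the-end pointer from a valid one.
@safe void gun(int* p)
{
    if (p) *p = 42;   // non-null, but may point just past the array
}

@system void fun(int[] p)
{
    gun(p.ptr + p.length);   // hands gun a one-past-the-end pointer
}

// The @system/@safe boundary is enforced the other way round: @safe
// code cannot call fun at all, so the bad pointer can only originate
// in code that is inspected by hand.
static assert(!__traits(compiles, () @safe { int[] q; fun(q); }));

// Keeping the slice across the boundary: the callee can check the index
// itself, and a[i] is bounds-checked by the language in @safe code.
@safe void gunSlice(int[] a, size_t i)
{
    if (i < a.length) a[i] = 42;
}

@system void funSlice(int[] p)
{
    gunSlice(p, p.length);   // same out-of-range position as in fun
}

// Without the explicit check, the write still does not corrupt memory:
// the bounds check raises RangeError instead.
@safe void gunUnchecked(int[] a, size_t i)
{
    a[i] = 42;
}

void main() @system
{
    int[4] buf;

    // fun(buf[]) would write past buf: undefined behaviour, nothing catches it.

    funSlice(buf[]);          // gunSlice sees i == a.length and refuses
    writeln("after funSlice: ", buf);   // all zeros

    try
    {
        gunUnchecked(buf[], buf.length);
    }
    catch (RangeError e)
    {
        writeln("bounds check caught the write past the end");
    }
}
```

The static assert documents the one guarantee @safe does give: @safe code cannot reach fun, so an invalid pointer can only be manufactured in @system code. Note that gunUnchecked relies on array bounds checking, which stays on for @safe code even with -release but can be disabled with -boundscheck=off; the explicit length test in gunSlice does not depend on compiler flags.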