Yet another leak in the sinking ship of @safe

H. S. Teoh via Digitalmars-d digitalmars-d at puremagic.com
Thu Feb 18 10:58:56 PST 2016


On Thu, Feb 18, 2016 at 06:50:34PM +0000, Jonathan M Davis via Digitalmars-d wrote:
> On Thursday, 18 February 2016 at 18:41:25 UTC, Steven Schveighoffer wrote:
[...]
> >void foo(void[] arr)
> >{
> >   void[] arr2 = [1234, 5678, 91011];
> >   arr[] = arr2[0 .. arr.length];
> >}
> 
> Well, I'm not sure that that's actually not @safe.

How can it possibly be @safe??? Consider:

	void main() @safe {
		Object[] objs = [ new Object() ];
		foo(objs);
	}

Now the pointer to the Object instance has been corrupted.


> It's trying to interpret the void[] that's the problem. Certainly, you
> can convert T[] to void[] and pass it around all day without risking
> any memory corruption, so that should definitely be @safe, and I don't
> see how reducing the length of a void[] could actually cause memory
> corruption on its own. It's when you cast the void[] to something else
> that you risk things going south, and that's what needs to be @system.
> So, I'm not sure that there's actually any reason for your example
> code to not be @safe.
[...]

I think you missed the point of his example. :-) The point is that it's
perfectly legal to (1) cast an array of int to void[], and (2) it's also
perfectly legal to cast an array of anything to void[], and (3) under
current rules, it's perfectly legal to copy one void[] to another
void[].

Arguably, (3) should not be allowed in @safe code. Which again brings us
back to the point, that if any function takes void[] as an argument, is
there *anything* it can do with the void[] other than reading it, that
*won't* break @safe?

If there's *nothing* it can legally do with a void[] (other than reading
it) without violating @safe, then shouldn't it be a requirement that all
functions marked @safe must take const(void)[] rather than void[]?


T

-- 
Chance favours the prepared mind. -- Louis Pasteur
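Worked example added by the editor (not code from this thread or from the D project): the quoted void[] hole next to the const(void)[] signature the message proposes. The helper names overwrite and inspect are made up for illustration; whether a given compiler version still accepts the body of overwrite under @safe is not asserted here, since the message only says it did under the rules of the time, so that function is left unannotated.

```d
// Added example (editor's, not from the thread): the void[] hole discussed above,
// next to the const(void)[] signature the message proposes as the fix.
import std.stdio;

// The pattern from the quoted snippet: a byte-wise copy through a mutable void[] view.
// Left without @safe: the thread's point is that the old rules accepted it, and
// the compiler's verdict on this body is version-dependent (assumption, not asserted).
void overwrite(void[] arr)
{
    void[] src = [0x1234, 0x5678, 0x9abc];   // int[] literal implicitly converts to void[]
    arr[] = src[0 .. arr.length];             // copies raw bytes over whatever arr aliases
}

// Proposed hardening: take const(void)[]. Reading (length, bytes) still works,
// but the element assignment above is rejected at compile time.
size_t inspect(const(void)[] arr) @safe
{
    // arr[] = arr[]; // does not compile: cannot modify const(void)[] elements
    return arr.length;
}

void main()
{
    Object[] objs = [new Object()];
    const before = cast(void*) objs[0];       // address the reference held before the copy

    writeln("bytes visible through const(void)[]: ", inspect(objs));

    overwrite(objs);                          // clobbers the reference stored in objs[0]
    const after = cast(void*) objs[0];
    writeln("reference changed: ", before != after); // objs[0] no longer points at the Object
}
```

The reference is compared as a raw address rather than used, because after overwrite returns objs[0] holds the bytes of the int literal and dereferencing it is exactly the memory corruption the message describes; the const(void)[] version is the one that can be marked @safe without that risk.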
