Yet another leak in the sinking ship of @safe
Steven Schveighoffer via Digitalmars-d
digitalmars-d at puremagic.com
Thu Feb 18 12:14:08 PST 2016
On 2/18/16 2:25 PM, H. S. Teoh via Digitalmars-d wrote:
> On Thu, Feb 18, 2016 at 01:58:24PM -0500, Steven Schveighoffer via Digitalmars-d wrote:
>> On 2/18/16 11:37 AM, H. S. Teoh via Digitalmars-d wrote:
>>> While @safe is a good idea in principle, the current implementation
>>> is rather lackluster.
>>
>> IMO, I think safe code should disallow casting that doesn't involve a
>> runtime function that verifies safety (such as casting an object to
>> another type, or invoking a @safe opCast), including casting array
>> types.
>
> But isn't casting from, say, long[] to int[] @safe? Last time I checked,
> druntime does actually convert .length correctly as well, so that
> converting, say, int[] to long[] won't let you overrun the array by
> accessing the last elements of the long[].
Probably. But there is always @trusted escapes. We are guaranteed
@safety if we just disallow casting whatsoever.
It doesn't sit well with me that casting is a standard mechanism to use
in @safe code. Casting is supposed to be a red flag. Even converting
between object types, I think casting is just a terrible requirement.
Maybe it's too restrictive, I don't know. It's unlikely to happen in any
case.
> But obviously casting Object[] to long[] would be a very bad idea, and
> should not be allowed in @safe. Scarily enough, this code currently
> compiles without any complaint from the compiler:
>
> void main() @safe
> {
> Object[] objs = [ new Object() ];
> long[] longs = cast(long[]) objs;
> longs[0] = 12345;
> }
>
> Yikes. Apparently you don't even need void[] to break @safe here. :-(
The difference here is that you have a cast. Casting to void[] doesn't
require one.
>> And implicit casts to void[] should be disallowed.
>>
>> This would be a painful restriction, which is why I think it won't
>> happen :(
> [...]
>
> As far as I can tell, implicit casting to const(void)[] shouldn't be a
> cause for concern -- if all you can do with it is to read the data
> (e.g., a hexdump debugging function for printing out the byte
> representation of something), there shouldn't be any problems. It's when
> you write to the void[] that bad things begin to happen.
Possibly casting to const(T)[] should be OK for @safe code. But again, a
conservative approach that disallows casts is what I would do. Note that
you can't print out bytes from a void[], you would need a ubyte[].
-Steve
More information about the Digitalmars-d
mailing list