Yet another leak in the sinking ship of @safe

Jonathan M Davis via Digitalmars-d digitalmars-d at puremagic.com
Thu Feb 18 13:50:08 PST 2016


On Thursday, 18 February 2016 at 20:24:18 UTC, H. S. Teoh wrote:
> On Thu, Feb 18, 2016 at 07:25:16PM +0000, Jonathan M Davis via 
> Digitalmars-d wrote:
>> On Thursday, 18 February 2016 at 18:58:56 UTC, H. S. Teoh 
>> wrote:
>> >On Thu, Feb 18, 2016 at 06:50:34PM +0000, Jonathan M Davis 
>> >via Digitalmars-d wrote:
>> >>On Thursday, 18 February 2016 at 18:41:25 UTC, Steven 
>> >>Schveighoffer wrote:
>> >[...]
>> >>>void foo(void[] arr)
>> >>>{
>> >>>   void[] arr2 = [1234, 5678, 91011];
>> >>>   arr[] = arr2[0 .. arr.length];
>> >>>}
>> >>
>> >>Well, I'm not sure that that's actually not @safe.
>> >
>> >How can it possibly be @safe??? Consider:
>> >
>> >	void main() @safe {
>> >		Object[] objs = [ new Object() ];
>> >		foo(objs);
>> >	}
>> >
>> >Now the pointer to the Object instance has been corrupted.
>> 
>> Does it matter what state the void[] is in until you actually 
>> attempt to cast it to something else? If you have
>> 
>> Object[] oArr = [ new Object ];
>> void[] vArr = oArr;
>> vArr = vArr[0 .. $ - 1];
>> 
>> it's not like that's going to cause any problems - not by 
>> itself.
>
> I think you misread Steven's code.

Yes. It looks like I did.

> So the bottom line is that the array copy cannot be @safe.

Exactly. Passing it around is fine, but mutating it definitely is 
not.

> The larger question, is what, if anything, *can* you do with 
> void[] besides read-only operations, that doesn't break @safe?  
> Once something is (implicitly or otherwise) cast to void[], all 
> type information is forgotten, and there is no way, that I can 
> tell, to write to a void[] without causing @safe breakage.  If 
> so, wouldn't it make sense to require that the type should be 
> const(void)[] rather than void[]?

Why? The problem isn't that void[] was passed in. It's that what 
was done to it after it was passed in was not @safe. We need to 
fix it so that the compiler doesn't consider mutating void[] or 
casting away from it or doing anything with it that could corrupt 
memory @safe, but passing it around is perfectly @safe, even if 
it's not very useful by itself. So, I see no reason to make any 
requirements about const. As long as dmd correctly catches the 
operations that aren't @safe, the function which is passed the 
void[] and does more than pass it around is going to be forced to 
be @system anyway. So making any requirements about const(void[]) 
buys us nothing.

- Jonathan M Davis
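The corruption the thread is arguing about, as an added example that is not part of the original posts (the function names overwrite and byteLength are mine). It shows that viewing an Object[] as a void[] is harmless by itself, that a const(void)[] parameter can only inspect the bytes, and that a byte copy through a mutable void[] clobbers the GC reference the slice aliases, which is why such a write is marked @system here rather than @safe:

```d
// Added example, not from the thread: why writing through a void[] that
// aliases an Object[] corrupts a GC pointer. Function names are hypothetical.
import std.stdio;

// Copies arbitrary bytes over whatever memory the caller's slice aliases.
// Once the array is a void[], the element type is gone, so nothing stops
// these bytes from landing on top of a class reference. This is the
// operation the thread says can never be @safe, hence @system.
void overwrite(void[] arr) @system
{
    void[] arr2 = [1234, 5678, 91011];  // int[] literal viewed as raw bytes
    arr[] = arr2[0 .. arr.length];      // plain byte copy, no type check
}

// A const(void)[] view can be inspected but not written through, so this
// function cannot corrupt the caller's memory.
size_t byteLength(const(void)[] arr) @safe
{
    return arr.length;
}

void main()
{
    Object[] objs = [ new Object() ];

    // Implicit Object[] -> void[] conversion is only a different view of
    // the same memory; length is now measured in bytes (one reference).
    void[] view = objs;
    assert(view.length == objs.length * Object.sizeof);
    writeln("bytes aliased: ", byteLength(objs));

    // Mutating through the void[] overwrites the Object reference with the
    // first Object.sizeof bytes of [1234, 5678, ...]: objs[0] is now garbage.
    overwrite(objs);
    writeln("raw reference now: ", cast(void*) objs[0]);
    // Dereferencing objs[0] here (e.g. objs[0].toString()) would be
    // undefined behaviour, which is what @safe is meant to rule out.
}
```

The point of the two signatures is the one made in the reply above: passing the void[] around (and reading its length) is fine under @safe, while the byte copy in overwrite only type-checks because the compiler no longer knows the bytes are a class reference.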

