Fantastic exchange from DConf
Moritz Maxeiner via Digitalmars-d
digitalmars-d at puremagic.com
Fri May 19 06:46:47 PDT 2017
On Friday, 19 May 2017 at 11:53:57 UTC, Steven Schveighoffer
wrote:
> On 5/19/17 5:12 AM, Moritz Maxeiner wrote:
>> On Thursday, 18 May 2017 at 12:12:18 UTC, Steven Schveighoffer
>> wrote:
>>> [...]
>>>
>>> We still allow unsafe operations inside @safe code, using
>>> @trusted.
>>> This is a necessary evil, but it's so very important that the
>>> base
>>> libraries (druntime and phobos) keep this to a minimum, and
>>> that we
>>> review those @trusted blocks to death.
>>
>> That and we need to make sure it is understood by everyone
>> using third
>> party @safe code that it is *not* a "I don't have to audit
>> this code"
>> free card. It merely reduced the amount of code you need to
>> review to
>> what is marked as @trusted (with regards to memory safety); as
>> long as
>> you don't *know* whether some third party code is @safe or
>> @trusted, you
>> (as the programmer) have to assume it is @trusted and that
>> means you
>> have to extend trust to the author and cannot assume any of
>> the @safe
>> guarantees for that code.
>
> What we need are 2 things:
>
> 1. @trusted blocks need to be rock-solid in Phobos and
> Druntime. And as rare as possible.
Agreed 100%.
> This provides a foundation to build completely @safe libraries.
Agreed if you mean libraries being marked completely as @safe
(which I assume).
Disagreed if you mean libraries that are proven to never corrupt
memory (not possible with unsafe operating system).
> It's like atomics -- they are hugely important and very easy to
> get wrong.
Sure.
> Leave the actual implementation to the pros.
If you mean the act of implementing: Yes, agreed.
If you mean the entire mind space of the implementation, aka you
(the programmer) receives a "get out of audit this" free card,
because "professionals" wrote it: No. You are *always*
responsible for verifying *all* third party @trusted code
*yourself*.
> We should be the pros on phobos/druntime safety.
Agreed.
>
> 2. @trusted blocks in any project need to be considered red
> flags. You should not need to audit @safe code.
Yes you do, because it can call into @trusted like this:
---
void foo(int[] bar) @safe
{
() @trusted {
// Exploitable code here
}();
}
---
You *must* audit third party @safe code for such hidden @trusted
code (e.g. grep recursively through such third party code for
@trusted and verify).
> What you need to do is audit @trusted code when it interacts
> with @safe code.
You need to audit *all* @trusted code, because you don't
necessarily control who calls it.
> If you can prove that in *all cases* the @safe code is still
> @safe even with the included @trusted blocks, then you don't
> have to audit @safe code that calls that "tainted" function.
s/prove/promise/
But yes, that is precisely what I wrote in the above with regards
to the reduction of what you have to audit.
>
> If we get into "@safe really means @trusted" territory, we have
> lost.
For code that you write yourself, @safe means @safe, of course.
For code other people write and you want to call, it being marked
@safe does really mean @trusted as long as you yourself have not
looked inside it and verified there either is no hidden @trusted,
or verified *yourself* that the hidden @trusted is memory safe.
I consider any other behaviour to be negligent to the degree of
"you don't actually care about memory safety at all".
More information about the Digitalmars-d
mailing list