Shouldn't casting an object to void* be considered @safe?

Sat Dec 14 20:53:49 UTC 2019

On Saturday, 14 December 2019 at 19:16:08 UTC, Joseph Rushton 
Wakeling wrote:
> Indeed.  Has anything I said suggested otherwise?

My bad, I thought you were implying that it shouldn't be @safe 
because it isn't useful.

> That's relevant to this discussion, because when asking "Should 
> the cast to `void*` be @safe?" we are really asking, "Is it 
> possible for the compiler to decide this without needing the 
> developer to verify?"

The compiler should only be concerned with verifying what it 
knows. E.g. if a `bool*` reaches `@safe` code, it must be null or 
point to a mutable 0 or 1 value. I don't think adding any 
additional rules is helpful. You might also say "casting ubyte[] 
to char[] should be unsafe because the compiler doesn't know 
whether the developer's string functions exhibit undefined 
behavior on invalid unicode", but if the developer relies on 
correct unicode like that, his functions are incorrectly marked 
@trusted. If you want that guarantee, you should not use char[] 
but make your own struct type that ensures that.

A void* is an opaque pointer type. If I start writing a function 
like:
```
void setZero(void* ptr) @trusted {

}
```
I simply can't assume anything about ptr other than that it is a 
valid `void*`.

It does raise the question what can be assumed about a `void*`.
You could say that a void* must point to at least 1 byte of 
mutable memory, such that this function is correctly @trusted:

```
void setZero(void* ptr) @trusted {
     if (ptr) {
         *(cast(ubyte) ptr) = 0;
     }
}
```

However, I'd argue a void* is even more opaque than that, since 
it's not uncommon to use them as generic 'handles' in C 
libraries, such as HMODULE in the Windows API:
https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-getprocaddress

> we are creating opportunities for unsafe memory access that 
> didn't exist previously.

I doubt that. If you have a code example, I'm very interested. I 
bet that any @trusted code that can be broken by allowing 
cast(void*) in @safe code can also be broken without that.

> No, that won't do.  What if you cast from a `ulong` to a 
> `void*`?

That is `@safe`, unless there is a way to corrupt memory in 
`@safe` code by doing that.