Typical security issues in C++: why the GC isn't your enemy
Siarhei Siamashka
siarhei.siamashka at gmail.com
Wed Dec 14 13:00:51 UTC 2022
On Tuesday, 13 December 2022 at 05:26:23 UTC, areYouSureAboutThat wrote:
> My concern really is:
>
> How do I know my @safe code is calling @safe code and not
> @trusted code?
You can be sure that your @safe code is always calling at least
some small amount of @trusted code inside of Phobos.
> @safe interfaces are nice - but all of Phobos could just as
> well be marked as @trusted, since @safe implicitly trusts
> @trusted, and my @safe code would still compile just fine.
Yes, it could be all marked as @trusted, but it isn't. Also
Phobos or any other third-party library theoretically could do a
lot of various bad things with or without @safe annotations. Some
libraries have better code quality than the others and that's
just how it is.
> But when I -release it, I discover something that is not so
> welcome...cause all of that @trusted code is no longer subject
> to runtime memory safety checks.
If these @trusted parts of Phobos are bug free, then everything
is fine. Your code shouldn't be able to trigger memory safety
bugs in Phobos by feeding incorrect input to it.
> I would like the compiler to tell me I'm calling code that has
> been marked as @trusted, and that if I want to proceed, then I
> need to compile with: -enableTrusted
As I already said before, you will effectively have to always use
this switch for compiling each and every application.
I guess you probably want the @trusted parts of Phobos to be
annotated as @supertrusted and ignored by this switch, because
it's the standard library deserving special privileges? And only
complain about the @trusted attribute usage in your own code or
in third-party libraries written by plebeians ;-)
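The point argued above (a @safe caller compiles identically against any @trusted body, and -release drops the runtime bounds checks inside @trusted code, so the @trusted author must validate input explicitly) as an added, constructed example; this is not code from the thread or from Phobos, and the function names are made up for illustration.

```d
import std.exception : enforce;
import std.stdio : writeln;

// Constructed example of the hazard discussed in the thread: the compiler does
// not verify a @trusted body, and with -release (which implies
// -boundscheck=safeonly) no implicit bounds check remains in it either.
// Passing start > data.length underflows the size_t loop bound and the pointer
// walk reads past the slice; only the author's own validation can prevent that.
int sumFromTrustedNoValidation(const int[] data, size_t start) @trusted
{
    int total = 0;
    const(int)* p = data.ptr + start;          // pointer arithmetic: needs @trusted
    foreach (i; 0 .. data.length - start)      // underflows when start > data.length
        total += p[i];
    return total;
}

// Hardened form: validate at the @trusted boundary with a check that no build
// flag strips (enforce throws in -release builds, unlike assert), and keep the
// unverifiable part as short as possible so it can be audited by eye.
int sumFromTrusted(const int[] data, size_t start) @trusted
{
    enforce(start <= data.length, "start is out of range");
    int total = 0;
    const(int)* p = data.ptr + start;
    foreach (i; 0 .. data.length - start)
        total += p[i];
    return total;
}

// The @safe caller: it compiles unchanged against either wrapper above, which
// is exactly why the thread says @safe code is only as safe as the @trusted
// code it reaches. Swap in sumFromTrustedNoValidation to see the difference.
int caller(const int[] data, size_t start) @safe
{
    return sumFromTrusted(data, start);
}

void main() @safe
{
    int[] xs = [1, 2, 3, 4];
    writeln(caller(xs, 1));   // 9
    // caller(xs, 10) throws from enforce in debug and -release builds alike;
    // the unvalidated variant would read out of bounds under -release.
}
```

Auditing the surface this example illustrates means listing every @trusted function reachable from the program (grep the source and the library for @trusted) and checking that each one validates its own inputs rather than relying on checks -release removes.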