Typical security issues in C++: why the GC isn't your enemy
areYouSureAboutThat
areYouSureAboutThat at gmail.com
Wed Dec 14 23:29:00 UTC 2022
On Wednesday, 14 December 2022 at 21:23:16 UTC, Siarhei Siamashka
wrote:
> On Wednesday, 14 December 2022 at 20:36:39 UTC,
> areYouSureAboutThat wrote:
>> On Wednesday, 14 December 2022 at 13:00:51 UTC, Siarhei
>> Siamashka wrote:
>>>
>>> I guess, you probably want the @trusted parts of Phobos to be
>>> annotated as @supertrusted and ignored by this switch,
>>> because it's the standard library deserving special
>>> privileges? And only complain about the @trusted attribute
>>> usage in your own code or in third-party libraries written by
>>> plebeians ;-)
>>
>> No. I do not 'trust' the standard library to be 'safe'. Why
>> should I?
>
> Earlier you posted this link:
> https://learn.microsoft.com/en-us/dotnet/csharp/misc/cs0227
> Why do you 'trust' the standard library and VM of C# to be
> 'safe'?
That wasn't posted in the context of trusting code, but rather in the context of a thread where someone mentioned that OOP is not suited to building containers. I just posted that link to MS containers to refute that assertion.

In the context of trust, however, no, I do not trust those containers either. Why should I?

I rely (not trust) on the CLR to do its job properly though.

In C#, safe is default and you cannot escape except through marking code as unsafe, and **additionally**, supplying to the compiler an option that explicitly tells the compiler you are ok with compiling in that unsafe code.

But in D, you implicitly tell the compiler you completely trust unsafe system code (that has essentially just been annotated as @trusted so that @safe can use it, but is nonetheless unsafe system code) - and you do this just by marking your module as @safe??

No. To me, @safe does not mean I'm completely ok with incorporating unsafe system code into my library (even if someone has annotated it with @trusted).

It's not that I don't ever want it, but I would like to know when it's occurring, and not find out in -release mode :-(

It would be a great auditing tool, if the compiler had this opt-in switch.

I expect it's not that hard to do, since the compiler can already do it with @system.. @nogc..etc.. I guess I'll just have to work it out :-(

If I do, I'll submit a PR... maybe..
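The situation the post describes, as an added example that is not from the thread: a @safe function calls a @trusted wrapper around @system pointer code with no diagnostic, and a compile-time scan over the module's members (via `__traits`) reports every @trusted function, approximating the opt-in audit switch the author wants. The module and function names are constructed for illustration.

```d
// Added example: how @trusted hides @system code from @safe callers,
// and a library-side audit that lists @trusted functions at compile time.
module trusted_audit;

// @system: raw pointer indexing the compiler cannot verify.
@system int readAt(int* p, size_t i)
{
    return p[i];
}

// @trusted: a promise to the compiler, not something it checks.
// If a.length < 3 this reads out of bounds, yet it stays callable from @safe.
@trusted int thirdElement(int[] a)
{
    return readAt(a.ptr, 2);
}

// @safe code may call the @trusted function; no warning is emitted.
@safe int useIt()
{
    int[] a = [1, 2, 3];
    return thirdElement(a);
}

// Compile-time audit: print a message for each @trusted function in this
// module. Runs during compilation (pragma(msg)), so it costs nothing at runtime.
void auditTrusted()
{
    static foreach (name; __traits(allMembers, mixin(__MODULE__)))
    {
        static if (is(typeof(__traits(getMember, mixin(__MODULE__), name)) == function))
        {
            static foreach (attr; __traits(getFunctionAttributes,
                                           __traits(getMember, mixin(__MODULE__), name)))
            {
                static if (attr == "@trusted")
                    pragma(msg, "audit: @trusted function in " ~ __MODULE__ ~ ": " ~ name);
            }
        }
    }
}

void main()
{
    auditTrusted();          // message appears at compile time, not here
    assert(useIt() == 3);
}
```

Compiling prints `audit: @trusted function in trusted_audit: thirdElement`. A scan of module members does not see inline `() @trusted { ... }()` lambdas nested inside @safe functions, which is one reason a compiler-level switch would catch more than this library-side check.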