Typical security issues in C++: why the GC isn't your enemy

areYouSureAboutThat areYouSureAboutThat at gmail.com
Wed Dec 14 23:29:00 UTC 2022


On Wednesday, 14 December 2022 at 21:23:16 UTC, Siarhei Siamashka 
wrote:
> On Wednesday, 14 December 2022 at 20:36:39 UTC, 
> areYouSureAboutThat wrote:
>> On Wednesday, 14 December 2022 at 13:00:51 UTC, Siarhei 
>> Siamashka wrote:
>>>
>>> I guess, you probably want the @trusted parts of Phobos to be 
>>> annotated as @supertrusted and ignored by this switch, 
>>> because it's the standard library deserving special 
>>> privileges? And only complain about the @trusted attribute 
>>> usage in your own code or in third-party libraries written by 
>>> plebeians ;-)
>>
>> No. I do not 'trust' the standard library to be 'safe'. Why 
>> should I?
>
> Earlier you posted this link: 
> https://learn.microsoft.com/en-us/dotnet/csharp/misc/cs0227
> Why do you 'trust' the standard library and VM of C# to be 
> 'safe'?

That wasn't posted in the context of trusting code, but rather in 
the context of a thread where someone mentioned that OOP is not 
suited to building containers. I just posted that link to MS 
containers to refute that assertion.

In the context of trust, however, no, I do not trust those 
containers either. Why should I?

I rely (not trust) on the CLR to do its job properly though.

In C#, safe is default and you cannot escape except through 
marking code as unsafe, and **additionally**, supplying to the 
compiler an option that explicitly tells the compiler you are ok 
with compiling in that unsafe code.

But in D, you implicitly tell the compiler you completely trust 
unsafe system code (that has essentially just been annotated as 
@trusted so that @safe can use it, but is nonetheless unsafe 
system code) - and you do this just by marking your module as 
@safe??

No. To me, @safe does not mean I'm completely ok with 
incorporating unsafe system code into my library (even if someone 
has annotated it with @trusted).

It's not that I don't ever want it, but I would like to know when 
it's occurring, and not find out in -release mode :-(

It would be a great auditing tool, if the compiler had this 
opt-in switch.

I expect it's not that hard to do, since the compiler can already 
do it with @system.. @nogc..etc.. I guess I'll just have to work 
it out :-(

If I do, I'll submit a PR... maybe..
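The trust boundary the post is describing, as an added example that is not part of the original message or of any D project: a @safe function reaches @system code through a @trusted wrapper, and the compiler accepts it without any record of the promise being made. The module and function names are made up for illustration.

```d
// Added example (not from the post): how @trusted lets @system code into a @safe module.
module trustboundary;   // hypothetical module name

import std.stdio : writeln;

// @system: raw pointer indexing. The compiler performs no memory-safety checks here,
// and with -release the array bounds check below is dropped as well, so a wrong n
// is an out-of-bounds read instead of a RangeError.
@system int sumRaw(const(int)* p, size_t n)
{
    int total = 0;
    foreach (i; 0 .. n)
        total += p[i];      // caller must guarantee that n matches the allocation
    return total;
}

// @trusted: the author asserts this is safe to call. The compiler takes their word
// for it and lets @safe code call it. Nothing in the @safe caller records that a
// trusted boundary is crossed; that is the audit gap the post is asking a switch for.
@trusted int sumTrusted(const(int)[] a)
{
    return sumRaw(a.ptr, a.length);
}

// @safe: may call sumTrusted, but may not call sumRaw directly.
@safe int sumSafe(const(int)[] a)
{
    // return sumRaw(a.ptr, a.length); // compile error: cannot call @system function
    return sumTrusted(a);
}

void main() @safe
{
    int[] data = [1, 2, 3, 4];
    writeln(sumSafe(data));
}
```

The compiler's view of sumSafe is the same as if sumTrusted were genuinely @safe; the only place the weaker guarantee is visible is the @trusted attribute on the wrapper itself, which is why a compiler-emitted report of every @trusted call reachable from @safe code would be useful for review.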


