dip1000 and preview in combine to cause extra safety errors

Paul Backus snarwin at gmail.com
Thu Jun 9 01:20:37 UTC 2022 

On Thursday, 9 June 2022 at 00:44:58 UTC, Ali Çehreli wrote:
> I was convinced (after having an email exchange with Walter) 
> that unless we assumed extern(C) functions @safe, then nobody 
> would bother marking their declarations as @trusted one-by-one. 
> And whoever marked them as such, they would do it without 
> actually auditing any source code.

It is actually even worse than this: no matter how diligent you 
are, it is impossible to audit the source code corresponding to 
an extern(C) function declaration, even in principle.

The reason for this is that when your code calls an extern(C) 
function, it is not calling a specific implementation. Rather, it 
is calling whatever implementation happens to get linked into the 
final binary when the code is compiled. If someone builds your 
code 10 years from now on a new system, it may end up calling a C 
implementation that was not even written yet when you wrote your 
extern(C) function declaration!

Strictly speaking, this means that you can *never* be absolutely, 
100% mathematically sure that an extern(C) function is 
memory-safe. So if you are aiming for an absolute, 100% 
mathematically-ironclad guarantee of memory safety, your program 
cannot call any extern(C) functions, ever, period.

Unfortunately, this also means your program cannot make any 
system calls, so you will probably not get very far attempting to 
program this way.

The solution is to give up on aiming for an absolute, 100% 
mathematical guarantee of memory safety under all possible 
circumstances. Instead, what we aim for in practice is a 
*conditional* guarantee: "my program is memory safe, so long as 
assumptions A, B, and C about the external world hold true."

Some common assumptions we make are:

* The OS's system call interface behaves as documented.
* The C standard library API behaves as specified in the relevant 
C standard.
* Other C libraries I depend on behave as documented.

It is important to understand that relying on C libraries to 
behave according to their documentation is *not* the same thing 
as marking their functions as @trusted. Many C library functions 
say explicitly, in their documentation, that they *will* corrupt 
memory if called in certain ways. These functions must still be 
marked as @system, even if you are willing to "trust" the 
libraries to behave as-documented.

More information about the Digitalmars-d mailing list