[Issue 14127] New: @trusted functions in std.array present unsafe interfaces
via Digitalmars-d-bugs
digitalmars-d-bugs at puremagic.com
Thu Feb 5 02:00:01 PST 2015
https://issues.dlang.org/show_bug.cgi?id=14127
Issue ID: 14127
Summary: @trusted functions in std.array present unsafe interfaces
Product: D
Version: D2
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P1
Component: Phobos
Assignee: nobody at puremagic.com
Reporter: bugzilla at digitalmars.com
Functions marked as @trusted must present safe interfaces, or the code they are
used in cannot be trusted. std.array has several of these:
----
Line 100:
static auto trustedAllocateArray(size_t n) @trusted nothrow
{
return uninitializedArray!(Unqual!E[])(n);
}
returning uninitialized data is not safe.
----
Line 482:
auto uninitializedArray(T, I...)(I sizes) nothrow @trusted
returning uninitialized pointers is unsafe.
----
Line 868:
void trustedMemmove(void* d, const void* s, size_t len) @trusted
{
memmove(d, s, len);
}
declaring something as trusted doth not make it trustable.
----
Line 899:
static auto trustedAllocateArray(size_t n) @trusted nothrow
{
return uninitializedArray!(T[])(n);
}
again with the uninitialized data.
----
Line 1606, 1664, 1706:
static U trustedCast(U, V)(V v) @trusted { return cast(U) v; }
trivial wrappers around unsafe operations do not make them safe.
----
Line 2640:
()@trusted{ _data.arr = _data.arr[0 .. _data.capacity]; }();
trivial wrappers around unsafe operations do not make them safe.
----
Line 2656:
auto bi = ()@trusted{ return GC.qalloc(newlen * T.sizeof, blockAttribute!T); }();
trivial wrappers around unsafe operations do not make them safe.
----
Line 2668:
if (len)
()@trusted{ memcpy(bi.base, _data.arr.ptr, len * T.sizeof); }();
_data.arr = ()@trusted{ return (cast(Unqual!T*)bi.base)[0 .. len]; }();
trivial wrappers around unsafe operations do not make them safe.
----
Line 2723:
auto bigDataFun() @trusted nothrow { return _data.arr.ptr[0 .. len + 1];}
trivial wrappers around unsafe operations do not make them safe.
----
Line 2729:
auto ref uitem() @trusted nothrow @property { return cast(Unqual!T)item; }
trivial wrappers around unsafe operations do not make them safe.
----
Line 2773:
auto bigDataFun() @trusted nothrow { return _data.arr.ptr[0 .. newlen];}
trivial wrappers around unsafe operations do not make them safe.
----
Line 2839:
void clear() @safe pure nothrow
{
if (_data)
{
_data.arr = ()@trusted{ return _data.arr.ptr[0 .. 0]; }();
}
}
clear() is @trusted; it is not @safe.
----
Line 2857:
enforce(newlength <= _data.arr.length);
_data.arr = ()@trusted{ return _data.arr.ptr[0 .. newlength]; }();
The enforcement must go inside the @trusted code, not outside.
----
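The point the report makes, shown as an added example (this is not code from std.array or from the report): a @trusted wrapper that takes raw pointers and a length has an unsafe interface, because any @safe caller can hand it arguments it cannot verify, whereas a wrapper that takes slices and does its own bounds check inside the @trusted code presents a safe interface. The shrink-in-place helper mirrors the Line 2857 pattern with the enforce moved inside the @trusted block; the names trustedMemmoveBad, safeMove, shrinkTo and the `data` parameter are this example's own, not Phobos identifiers.

```d
// Added example, not from std.array or from the bug report.
import core.stdc.string : memmove;
import std.exception : enforce;

// Unsafe interface: a @safe caller may pass any pointers and any length.
// Marking this @trusted only silences the compiler; the wrapper has no
// way to check its arguments, so @safe code can corrupt memory through it.
void trustedMemmoveBad(void* d, const void* s, size_t len) @trusted
{
    memmove(d, s, len);
}

// Safe interface: slices carry their lengths, and the check runs before
// the raw move. Every argument a @safe caller can construct is either
// handled correctly or rejected here, so callers cannot break memory safety.
void safeMove(T)(T[] dst, const(T)[] src) @trusted
{
    enforce(dst.length >= src.length, "destination too small");
    memmove(dst.ptr, src.ptr, src.length * T.sizeof);
}

// Shrink-in-place, the Line 2857 pattern: the bounds check lives inside the
// @trusted block, so the block is correct on its own and does not depend on
// a check in the surrounding @safe code that a later edit could remove.
// (`data` stands in for the appender's `_data.arr`; assumption of this example.)
T[] shrinkTo(T)(T[] data, size_t newlength) @safe
{
    return ()@trusted{
        enforce(newlength <= data.length, "shrinkTo cannot grow the slice");
        return data.ptr[0 .. newlength];
    }();
}

@safe unittest
{
    int[] dst = new int[4];
    int[] src = [1, 2, 3];
    safeMove(dst, src);
    assert(dst[0 .. 3] == [1, 2, 3]);

    // An oversized source is rejected instead of writing past `dst`.
    bool threw;
    try { safeMove(dst, new int[8]); } catch (Exception) { threw = true; }
    assert(threw);

    auto shorter = shrinkTo(dst, 2);
    assert(shorter.length == 2);
    assert(shorter is dst[0 .. 2]);   // same memory, shorter view

    // Growing through shrinkTo is refused inside the @trusted block itself.
    threw = false;
    try { shrinkTo(dst, 16); } catch (Exception) { threw = true; }
    assert(threw);

    // With trustedMemmoveBad the following compiles in @safe code and
    // writes 1024 bytes past the end of a 16-byte buffer:
    // trustedMemmoveBad(dst.ptr, src.ptr, 1024);
}

void main() {}
```

Build and run the checks with `dmd -unittest -run file.d`. The contrast is the interface, not the body: both wrappers call the same @system memmove, but only safeMove can be audited in isolation, because nothing a @safe caller passes can make it misbehave.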