A serious security bug... caused by no bounds checking.
Steven Schveighoffer
schveiguy at yahoo.com
Thu Apr 10 10:56:04 PDT 2014
On Thu, 10 Apr 2014 13:45:26 -0400, Tommi <tommitissari at hotmail.com> wrote:
> On Thursday, 10 April 2014 at 17:37:53 UTC, Steven Schveighoffer wrote:
>> On Thu, 10 Apr 2014 13:25:25 -0400, bearophile
>> <bearophileHUGS at lycos.com> wrote:
>>
>>> Take a look at Ada language. It has bounds checking and its compilers
>>> have a switch to disable those checks. If you want the bounds checking
>>> don't use the switch that disables the bounds checking. Safety doesn't
>>> mean to have no way to work around safety locks. It means have nice
>>> handy locks that are active by default. In a system language total
>>> safety is an illusion. Better to focus on real world safety and not an
>>> illusion of theoretical safety.
>>
>> That's why we have @trusted.
>
> No. @trusted is for code that cannot be guaranteed to be memory-safe by
> the compiler (either at runtime or at compile-time), but the programmer
> still wants to promise that the code is memory-safe. Array bounds
> checking doesn't land under that moniker, it can be checked by the
> compiler.
@safe code can be marked as @trusted instead, and nothing changes, except
@trusted code can have bounds checks removed. How does this not work as a
solution?
As Walter often says about logical const, logical @safe is @safe by
convention, and it loses all of its teeth.
-Steve
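The following is an added illustration of the point under discussion; it is not code from the thread or from the D project. It assumes a DMD-style compiler, where a default build keeps array bounds checks everywhere, while `-release` (or the later `-boundscheck=safeonly` switch) keeps them only in `@safe` code and drops them from `@trusted` and `@system` code. The two functions are identical apart from their attribute, which is exactly the "mark it @trusted and the check can go away" trade-off Steve describes.

```d
// Added example (not from the mailing-list thread): how array bounds checks
// interact with @safe vs @trusted in D. Assumes a DMD-style compiler.
import std.stdio;
import core.exception : RangeError;

// In @safe code the bounds check survives every build mode, including
// -release and -boundscheck=safeonly: an out-of-range index raises RangeError.
@safe int readSafe(int[] a, size_t i)
{
    return a[i];
}

// Same body, same attribute-level callability from @safe code, but the
// programmer has taken responsibility for memory safety. With -release or
// -boundscheck=safeonly this index is no longer checked, and an out-of-range
// read becomes a silent out-of-bounds memory access.
@trusted int readTrusted(int[] a, size_t i)
{
    return a[i];
}

void main()
{
    int[] a = [1, 2, 3];

    // Constructed input: index 5 is out of range for a 3-element slice.
    try
    {
        writeln(readSafe(a, 5));
    }
    catch (RangeError e)
    {
        writeln("readSafe: bounds check caught out-of-range index");
    }

    // In a default (debug) build this also raises RangeError; compiled with
    // -release the check is gone and the read is undefined behaviour.
    // Left commented out so the example terminates cleanly in either mode.
    // writeln(readTrusted(a, 5));

    writeln(readTrusted(a, 1)); // in range: prints 2 in every build mode
}
```

Compile and run once as `dmd -run bounds.d` and once as `dmd -release -run bounds.d` to see the difference: `readSafe` reports the caught `RangeError` both times, while `readTrusted` would only be protected in the first build. From a defensive standpoint the practical rule that follows is to keep `-boundscheck=on` (the default) in release builds unless a specific `@trusted` region has been reviewed and measured to need the check removed.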