Yet another leak in the sinking ship of @safe
H. S. Teoh via Digitalmars-d
digitalmars-d at puremagic.com
Thu Feb 18 10:41:58 PST 2016
On Thu, Feb 18, 2016 at 07:30:34PM +0100, Timon Gehr via Digitalmars-d wrote:
> On 18.02.2016 17:37, H. S. Teoh via Digitalmars-d wrote:
[...]
> >1) Casting an array of elements with indirections (in this case
> >Object[]) to void[] is questionable at best, outright unsafe at
> >worst, as shown here. Even if we were to rewrite readData() and mark
> >it @trusted, it still raises the question of what a @trusted function
> >can legally do with void[], which is essentially a type-erased array,
> >that justifies being tagged as @trusted. How can a function do
> >anything that doesn't break @safety if all type information about the
> >array has been erased, and it essentially sees it only as a ubyte[]?
> >I'm inclined to say that @trusted functions should only be allowed to
> >receive const(void)[] as parameter, not void[].
> >
> > https://issues.dlang.org/show_bug.cgi?id=15702
> >
>
> No problem here. There is no way to assign to a void[] without doing 2.
Sure there is:
void breakSafety(void[] data) @safe
{
union U {
void[] d;
int[] arr;
}
U u;
u.d = data;
u.arr[0] = 0xFF; // kaboom
}
> >2) To add salt to the wound, though, blatantly casting void[] to T[]
> >is allowed in @safe code, thus, readData() can even get away with
> >claiming to be @safe, when in fact it is anything but.
> >
> > https://issues.dlang.org/show_bug.cgi?id=15672
>
> This is the culprit.
It's only one of many culprits. As long as there is any way around
@safe, the entire system of guarantees breaks down.
T
--
Question authority. Don't ask why, just do it.
More information about the Digitalmars-d
mailing list