Yet another leak in the sinking ship of @safe
Timon Gehr via Digitalmars-d
digitalmars-d at puremagic.com
Thu Feb 18 11:23:24 PST 2016
On 18.02.2016 19:41, H. S. Teoh via Digitalmars-d wrote:
> On Thu, Feb 18, 2016 at 07:30:34PM +0100, Timon Gehr via Digitalmars-d wrote:
>> On 18.02.2016 17:37, H. S. Teoh via Digitalmars-d wrote:
> [...]
>>> 1) Casting an array of elements with indirections (in this case
>>> Object[]) to void[] is questionable at best, outright unsafe at
>>> worst, as shown here. Even if we were to rewrite readData() and mark
>>> it @trusted, it still raises the question of what a @trusted function
>>> can legally do with void[], which is essentially a type-erased array,
>>> that justifies being tagged as @trusted. How can a function do
>>> anything that doesn't break @safety if all type information about the
>>> array has been erased, and it essentially sees it only as a ubyte[]?
>>> I'm inclined to say that @trusted functions should only be allowed to
>>> receive const(void)[] as parameter, not void[].
>>>
>>> https://issues.dlang.org/show_bug.cgi?id=15702
>>>
>>
>> No problem here. There is no way to assign to a void[] without doing 2.
>
> Sure there is:
>
> void breakSafety(void[] data) @safe
> {
> union U {
> void[] d;
> int[] arr;
> }
> U u;
> u.d = data;
> u.arr[0] = 0xFF; // kaboom
> }
> ...
That's in essence just a different way to cast void[] to int[]. Steven's
example disproves my previous claim though. Still, I don't think the
conversion is the problem. It's the mutation of memory without type
information.
>
>>> 2) To add salt to the wound, though, blatantly casting void[] to T[]
>>> is allowed in @safe code, thus, readData() can even get away with
>>> claiming to be @safe, when in fact it is anything but.
>>>
>>> https://issues.dlang.org/show_bug.cgi?id=15672
>>
>> This is the culprit.
>
> It's only one of many culprits. As long as there is any way around
> @safe, the entire system of guarantees breaks down.
>
>
If you want to verify guarantees, @safe should be specified by inclusion
and ideally, type safety should be proved formally (after applying a few
fixes). This first requires a formal language semantics.
That's already a lot of effort, and after that you still don't have a
verified implementation.
More information about the Digitalmars-d
mailing list