About making Phobos @safe

Jack Stouffer jack at jackstouffer.com
Fri Mar 23 20:33:40 UTC 2018


On Friday, 23 March 2018 at 17:31:09 UTC, Jesse Phillips wrote:
> @safe/@trusted doesn't mean "calling this function will not 
> result in heartbleed."

If @safe doesn't protect against buffer overflows then chuck the 
whole thing out the window and start over.

> What you're getting is that when you call this function there 
> are no parameter values which you could pass such that you 
> could cause memory corruption. If you are concerned about 
> heartbleed then you don't need to review @safe code, @trusted 
> code should be reviewed so that @safe code can't cause issue 
> with any of the valid parameters (the way it calls @system 
> functions should be safe). And @system code should reviewed for 
> heartbleed. If you use zlib and it has a heartbleed bug then it 
> is your fault for not reviewing the @system code, not the fault 
> of D marking its usage as @system.

We can't review the zlib code which is the thrust of the issue. 
It's entirely possible that a bug  in zlib could write past the 
bounds of an array. We could in theory verify zlib, but

1. It would require including the C code in the distribution that 
was reviewed rather than linking to the system version

2. The review process would have to be repeated every time we 
update to a new zlib release.

 From a Phobos dev's perspective, zlib.compress2 is as much as a 
black box as malloc.

> You mention mallac being ok to use with @trusted, but it has 
> the same issue, if you didn't review the code behind your 
> mallac call then it could introduce heartbleed, you don't know 
> because you didn't review it.

Functions in the C standard library are a category difference 
because it's completely reasonable to assume that malloc isn't 
going to corrupt memory. The same assumption cannot be made with, 
to use the example again, libssl.


More information about the Digitalmars-d mailing list