Bug 14127 – @trusted functions in std.array present unsafe interfaces

Status
NEW
Severity
normal
Priority
P3
Component
phobos
Product
D
Version
D2
Platform
All
OS
All
Creation time
2015-02-05T10:00:01Z
Last change time
2024-12-01T16:23:42Z
Assigned to
No Owner
Creator
Walter Bright
Moved to GitHub: phobos#10114

Comments

Comment #0 by bugzilla — 2015-02-05T10:00:01Z
Functions marked as @trusted must present safe interfaces, or the code they are used in cannot be trusted. std.array has several of these:

----
Line 100:
    static auto trustedAllocateArray(size_t n) @trusted nothrow { return uninitializedArray!(Unqual!E[])(n); }
returning uninitialized data is not safe.
----
Line 482:
    auto uninitializedArray(T, I...)(I sizes) nothrow @trusted
returning uninitialized pointers is unsafe.
----
Line 868:
    void trustedMemmove(void* d, const void* s, size_t len) @trusted { memmove(d, s, len); }
declaring something as trusted doth not make it trustable.
----
Line 899:
    static auto trustedAllocateArray(size_t n) @trusted nothrow { return uninitializedArray!(T[])(n); }
again with the uninitialized data.
----
Line 1606, 1664, 1706:
    static U trustedCast(U, V)(V v) @trusted { return cast(U) v; }
trivial wrappers around unsafe operations do not make them safe.
----
Line 2640:
    ()@trusted{ _data.arr = _data.arr[0 .. _data.capacity]; }();
trivial wrappers around unsafe operations do not make them safe.
----
Line 2656:
    auto bi = ()@trusted{ return GC.qalloc(newlen * T.sizeof, blockAttribute!T); }();
trivial wrappers around unsafe operations do not make them safe.
----
Line 2668:
    if (len) ()@trusted{ memcpy(bi.base, _data.arr.ptr, len * T.sizeof); }();
    _data.arr = ()@trusted{ return (cast(Unqual!T*)bi.base)[0 .. len]; }();
trivial wrappers around unsafe operations do not make them safe.
----
Line 2723:
    auto bigDataFun() @trusted nothrow { return _data.arr.ptr[0 .. len + 1];}
trivial wrappers around unsafe operations do not make them safe.
----
Line 2729:
    auto ref uitem() @trusted nothrow @property { return cast(Unqual!T)item; }
trivial wrappers around unsafe operations do not make them safe.
----
Line 2773:
    auto bigDataFun() @trusted nothrow { return _data.arr.ptr[0 .. newlen];}
trivial wrappers around unsafe operations do not make them safe.
----
Line 2839:
    void clear() @safe pure nothrow { if (_data) { _data.arr = ()@trusted{ return _data.arr.ptr[0 .. 0]; }(); } }
clear() is @trusted, it is not @safe.
----
Line 2857:
    enforce(newlength <= _data.arr.length);
    _data.arr = ()@trusted{ return _data.arr.ptr[0 .. newlength]; }();
The enforcement must go inside the @trusted code, not outside.
----
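An added example, not code from the bug report or from Phobos, contrasting the two shrink patterns the report's last item describes: the bounds check outside the @trusted block (an unsafe interface) beside a @trusted function that validates its own precondition. MiniAppender, trustedShrink and shrinkToUnsafeInterface are hypothetical names chosen for the illustration.

```d
import std.exception : assertThrown, enforce;

// Hypothetical minimal appender (added example, not Phobos' std.array.Appender).
// _arr is the slice handed out to callers; shrinking must never make it longer.
struct MiniAppender(T)
{
    private T[] _arr;

    this(size_t initialLength) @safe
    {
        _arr = new T[](initialLength);
    }

    // Pattern the report flags: the bounds check sits outside the @trusted block,
    // so the lambda's memory safety depends on a line it cannot see. Remove or
    // weaken the enforce and the @trusted slice silently runs past the current
    // length while the function still compiles as @safe.
    void shrinkToUnsafeInterface(size_t newlength) @safe
    {
        enforce(newlength <= _arr.length);
        _arr = () @trusted { return _arr.ptr[0 .. newlength]; }();
    }

    // Safe interface: the @trusted code checks its own precondition, so no
    // argument a @safe caller can pass yields a slice beyond the current length.
    void shrinkTo(size_t newlength) @safe
    {
        _arr = trustedShrink(_arr, newlength);
    }

    private static T[] trustedShrink(T[] arr, size_t newlength) @trusted
    {
        enforce(newlength <= arr.length, "shrinkTo: new length exceeds current length");
        return arr.ptr[0 .. newlength];
    }

    T[] data() @safe { return _arr; }
}

void main() @safe
{
    auto a = MiniAppender!int(4);
    a.shrinkTo(2);
    assert(a.data.length == 2);
    // The precondition is enforced by the @trusted code itself, not by the caller.
    assertThrown(a.shrinkTo(10));
}
```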
Comment #1 by bugzilla — 2015-02-05T10:01:08Z
Comment #2 by k.hara.pg — 2015-02-05T10:25:19Z
I actually added some @trusted lambdas to enclose unsafe operations to make Appender usable in @safe code. But at least they would not do actual unsafe behavior, because Appender manages the memory pointer and its valid size.
Comment #3 by robert.schadek — 2024-12-01T16:23:42Z
THIS ISSUE HAS BEEN MOVED TO GITHUB https://github.com/dlang/phobos/issues/10114 DO NOT COMMENT HERE ANYMORE, NOBODY WILL SEE IT, THIS ISSUE HAS BEEN MOVED TO GITHUB