digitalmars.D.bugs - [Issue 14127] New: @trusted functions in std.array present unsafe interfaces
- via Digitalmars-d-bugs, Feb 05 2015
https://issues.dlang.org/show_bug.cgi?id=14127

          Issue ID: 14127
           Summary: @trusted functions in std.array present unsafe
                    interfaces
           Product: D
           Version: D2
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P1
         Component: Phobos
          Assignee: nobody@puremagic.com
          Reporter: bugzilla@digitalmars.com

Functions marked as @trusted must present safe interfaces, or the code they
are used in cannot be trusted. std.array has several of these:

----
Line 100:

    static auto trustedAllocateArray(size_t n) @trusted nothrow
    {
        return uninitializedArray!(Unqual!E[])(n);
    }

returning uninitialized data is not safe.

----
Line 482:

    auto uninitializedArray(T, I...)(I sizes) nothrow @trusted

returning uninitialized pointers is unsafe.

----
Line 868:

    void trustedMemmove(void* d, const void* s, size_t len) @trusted
    {
        memmove(d, s, len);
    }

declaring something as @trusted doth not make it trustable.

----
Line 899:

    static auto trustedAllocateArray(size_t n) @trusted nothrow
    {
        return uninitializedArray!(T[])(n);
    }

again with the uninitialized data.

----
Lines 1606, 1664, 1706:

    static U trustedCast(U, V)(V v) @trusted { return cast(U) v; }

trivial wrappers around unsafe operations do not make them safe.

----
Line 2640:

    () @trusted{ _data.arr = _data.arr[0 .. _data.capacity]; }();

trivial wrappers around unsafe operations do not make them safe.

----
Line 2656:

    auto bi = () @trusted{ return GC.qalloc(newlen * T.sizeof, blockAttribute!T); }();

trivial wrappers around unsafe operations do not make them safe.

----
Line 2668:

    if (len) () @trusted{ memcpy(bi.base, _data.arr.ptr, len * T.sizeof); }();
    _data.arr = () @trusted{ return (cast(Unqual!T*)bi.base)[0 .. len]; }();

trivial wrappers around unsafe operations do not make them safe.

----
Line 2723:

    auto bigDataFun() @trusted nothrow { return _data.arr.ptr[0 .. len + 1];}

trivial wrappers around unsafe operations do not make them safe.

----
Line 2729:

    auto ref uitem() @trusted nothrow @property { return cast(Unqual!T)item; }

trivial wrappers around unsafe operations do not make them safe.

----
Line 2773:

    auto bigDataFun() @trusted nothrow { return _data.arr.ptr[0 .. newlen];}

trivial wrappers around unsafe operations do not make them safe.

----
Line 2839:

    void clear() @safe pure nothrow
    {
        if (_data)
        {
            _data.arr = () @trusted{ return _data.arr.ptr[0 .. 0]; }();
        }
    }

clear() is @trusted, it is not @safe.

----
Line 2857:

    enforce(newlength <= _data.arr.length);
    _data.arr = () @trusted{ return _data.arr.ptr[0 .. newlength]; }();

The enforcement must go inside the @trusted code, not outside.

----
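The distinction the report draws, as an added example that is not part of the bug report or of Phobos: a @trusted wrapper whose parameters are raw pointers and a caller-chosen length (trustedMemmoveBad) lets any @safe caller write out of bounds, while wrappers that take slices and do their checks inside the @trusted boundary (safeMemmove, shrinkTo, filledArray) keep the unsafe operation contained. All four function names are hypothetical; only memmove, enforce and uninitializedArray are real library calls.

```d
// Added example (not from the bug report or Phobos): @trusted wrappers
// that leak an unsafe interface versus wrappers whose interface is safe.
import core.stdc.string : memmove;
import std.exception : enforce;

// --- Unsafe interface -------------------------------------------------------
// Raw pointers plus a caller-supplied length: a @safe caller can pass any
// combination, so the @trusted label hides the hazard instead of containing it.
void trustedMemmoveBad(void* d, const void* s, size_t len) @trusted
{
    memmove(d, s, len);
}

// --- Safe interfaces --------------------------------------------------------
// Slices carry their own bounds, and the length check lives inside the same
// @trusted unit as the memmove, so no @safe caller can make it write past dst.
void safeMemmove(T)(T[] dst, const(T)[] src) @trusted
{
    enforce(dst.length == src.length, "safeMemmove: length mismatch");
    if (dst.length)
        memmove(dst.ptr, src.ptr, dst.length * T.sizeof);
}

// Shrinking through .ptr skips the compiler's bounds check, as Appender does;
// that is only acceptable when the check is inside the @trusted function,
// not left to the caller.
T[] shrinkTo(T)(T[] arr, size_t newlen) @trusted
{
    enforce(newlen <= arr.length, "shrinkTo: length exceeds slice");
    return arr.ptr[0 .. newlen];
}

// Uninitialized storage (uninitializedArray is @system in current Phobos) may
// be used behind @trusted only if every element is initialized before the
// caller can observe it, so the returned value is never indeterminate.
T[] filledArray(T)(size_t n, T value) @trusted
{
    import std.array : uninitializedArray;
    auto arr = uninitializedArray!(T[])(n);
    arr[] = value;
    return arr;
}

void main() @safe
{
    auto src = filledArray!int(4, 7);
    int[] dst = new int[4];
    safeMemmove(dst, src);
    assert(dst == [7, 7, 7, 7]);

    auto head = shrinkTo(dst, 2);
    assert(head == [7, 7]);

    bool threw = false;
    try shrinkTo(dst, 100);        // checked inside the trusted boundary
    catch (Exception) threw = true;
    assert(threw);

    // This compiles in @safe code because the wrapper is @trusted, yet nothing
    // stops a caller from passing a length larger than the allocation
    // (int.sizeof is benign here; 4096 would silently corrupt the heap).
    int* p = new int;
    int* q = new int;
    trustedMemmoveBad(p, q, int.sizeof);
}
```

The test for a @trusted function is whether any argument a @safe caller can legally construct could make it violate memory safety; trustedMemmoveBad fails that test by construction, and moving the check inside safeMemmove and shrinkTo is what makes them honest candidates for @trusted.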