Skip to content

Mark std.file.readText as trusted#2378

Merged
dnadlinger merged 1 commit into
dlang:masterfrom
tom-tan:trusted-file-readText
Jul 30, 2014
Merged

Mark std.file.readText as trusted#2378
dnadlinger merged 1 commit into
dlang:masterfrom
tom-tan:trusted-file-readText

Conversation

@tom-tan

@tom-tan tom-tan commented Jul 28, 2014

Copy link
Copy Markdown
Contributor

std.file.readText includes an unsafe cast from void[] to string but we can verify it can be trusted.

Comment thread std/file.d Outdated

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like this is missing template constraint if(isSomeString!S), this cast + validate does not make sense for any other types.

@tom-tan

tom-tan commented Jul 28, 2014

Copy link
Copy Markdown
Contributor Author

Thank you for your suggestion.
I added a constraint if for it.

@JakobOvrum

Copy link
Copy Markdown
Contributor

Shouldn't the call to validate be in the trusted portion as well? That way, whatever the input to the trusted code, we can verify the output is valid UTF text. That seems to be the original purpose of these trusted subroutines in the first place, otherwise we're just doing it to fight the compiler.

@mihails-strasuns

Copy link
Copy Markdown

Erm. any reason why validate can't be / shouldn't be @safe?

@tom-tan

tom-tan commented Jul 29, 2014

Copy link
Copy Markdown
Contributor Author

We do not need wrap validate in a trusted block because it is a safe function.

@JakobOvrum

Copy link
Copy Markdown
Contributor

Erm. any reason why validate can't be / shouldn't be @safe?

It should be @safe.

We do not need wrap validate in a trusted block because it is a safe function.

Ideally we're not using nested functions just to fight the compiler.

As-is, the @trusted portion of the code is not where the runtime-checked safety occurs. It occurs in the parent function.

@mihails-strasuns

Copy link
Copy Markdown

As-is, the @trusted portion of the code is not where the runtime-checked safety occurs. It occurs in the parent function.

Sorry this is exactly the part I don't understand. @safe is about memory safety. Only part of this code that is in general memory-unsafe is cast expression. However casting specifically void[] buffer to some string type is always memory-safe so we mark exactly that expression as trusted.

Validation is not relevant here because malformed unicode string is still memory-safe.

@JakobOvrum

Copy link
Copy Markdown
Contributor

Indeed you don't seem to understand what I'm saying.

But nevermind, it's rare that we have the opportunity to completely encapsulate unsafe code in a neat little trusted block, so it's not really useful to advocate in general...

@mihails-strasuns

Copy link
Copy Markdown

Well I am very confused by your mention of "runtime-checked safety" because there are none here - this code is statically safe, it is just that compiler is not clever enough to consider this cast safe.

@dnadlinger

Copy link
Copy Markdown
Contributor

LGTM – could you please squash the commits together? Thanks!

@tom-tan

tom-tan commented Jul 30, 2014

Copy link
Copy Markdown
Contributor Author

I squashed the commits.

@dnadlinger

Copy link
Copy Markdown
Contributor

Auto-merge toggled on

dnadlinger added a commit that referenced this pull request Jul 30, 2014
@dnadlinger dnadlinger merged commit b5a783b into dlang:master Jul 30, 2014
@tom-tan tom-tan deleted the trusted-file-readText branch July 31, 2014 00:02
@tom-tan

tom-tan commented Jul 31, 2014

Copy link
Copy Markdown
Contributor Author

Thanks!

@JakobOvrum

Copy link
Copy Markdown
Contributor

Shouldn't the call to validate be in the trusted portion as well? That way, whatever the input to the trusted code, we can verify the output is valid UTF text. That seems to be the original purpose of these trusted subroutines in the first place, otherwise we're just doing it to fight the compiler.

In light of the recent @trusted debacle... so was I right after all? :)

@schveiguy

Copy link
Copy Markdown
Member

In light of the recent @trusted debacle... so was I right after all? :)

Not exactly. I think the whole thing should be trusted, it's pretty small.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants