On Saturday, 2 August 2014 at 20:23:53 UTC, Andrei Alexandrescu wrote:
> @system void fun(int[] p) {
>     gun(p.ptr + p.length); // one past the end: non-null, but not dereferenceable
> }
> @safe void gun(int* p) {
>     if (p) *p = 42;        // null check passes, the write is out of bounds
> }
> This passes semantic checking but is unsafe and unsafety is in
> the @safe code. Well, that's fine, we might say. The problem is
> this works against our stance that "inspect @system code by
> hand, @safe code will take care of itself".
No! Calling gun like this is just the same as calling
"gun(cast(int*)0xdeadbeef)". You wouldn't argue that the @safe
code is at fault there either. Or when passing an array slice
with an invalid .ptr to a @safe function. It's not like you would
routinely pass p.ptr + p.length to _any_ function with a single
pointer argument (except maybe for a setter for the end of an
iterator pair or something like that).
Yes, p.ptr + p.length is merely invalid to dereference,
as opposed to being completely undefined behavior by itself
(assuming C rules). But I don't see how this changes anything
about the fact that fun() invokes a function with invalid
parameters (@safe or not).
Cheers,
David
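The point both sides of the thread circle around is that a @safe callee handed a raw pointer has no way to tell a one-past-the-end pointer from a valid one, so the only defence is in the caller. The following is an added example, not code from Andrei's or David's posts: it keeps the quoted gun()/fun() pair (renamed gunPtr/fun here, an assumption for clarity) and sets it beside a variant, gunSlice()/funSafe(), that takes a slice instead of a pointer, so that the length travels with the pointer and the bounds check happens inside the @safe code itself.

```d
// Added example (not from the thread). Shows why a @safe callee that takes
// a raw pointer cannot protect itself, and how a slice parameter moves the
// bounds check into the @safe code.
import std.stdio;

// Same shape as the quoted gun(): a non-null check says nothing about
// whether the pointer may be dereferenced.
@safe void gunPtr(int* p)
{
    if (p) *p = 42;   // p may be one past the end: non-null but invalid
}

// Slice-taking variant: an empty slice is simply skipped, and any index
// access is bounds-checked (D keeps bounds checks in @safe code even with
// -release, because -release implies -boundscheck=safeonly).
@safe void gunSlice(int[] s)
{
    if (s.length) s[0] = 42;   // checked; s[0] on an empty slice would throw RangeError
}

// The quoted caller: compiles, but hands @safe code a pointer it cannot validate.
// Not invoked from main() below because the resulting write is out of bounds.
@system void fun(int[] p)
{
    gunPtr(p.ptr + p.length);
}

// Slice-based caller: p[$ .. $] is a legal, empty slice, so the
// "one past the end" case is handled by the language rather than by a
// convention the callee has to trust.
@safe void funSafe(int[] p)
{
    gunSlice(p[p.length .. $]); // empty slice: gunSlice does nothing
    gunSlice(p);                // writes p[0]
}

void main()
{
    int[] a = [1, 2, 3];
    funSafe(a);
    writeln(a);   // [42, 2, 3]
}
```

Compile with `dmd example.d && ./example`. The contrast is the practical takeaway from the thread: a pointer argument carries no length, so the correctness of gunPtr() rests entirely on every @system caller, which is exactly why it must be inspected by hand; a slice argument lets the @safe callee check what it was given, so the "@safe code will take care of itself" stance actually holds for it.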