On Saturday, 7 February 2015 at 23:50:55 UTC, Andrei Alexandrescu
wrote:
I was looking into ways to make core.stdc safer. That should be
relatively easy to do by defining a few wrappers. For example:
int setvbuf(FILE* stream, char* buf, int mode, size_t size);
is unsafe because there's no relationship between buf and size.
But this is fine:
@trusted int setvbuf(T)(FILE* stream, T[] buf, int mode)
if (is(T == char) || is(T == byte) || is(T == ubyte))
{
return setvbuf(stream, cast(char*) buf.ptr, mode,
buf.length);
}
Another example is:
int stat(in char*, stat_t*);
which may start reading through random memory if the string is
not zero-terminated. Again, the solution is here to ensure the
string does have a terminating zero:
@trusted int stat(in char[] name, stat_t* p)
{
if (isZeroTerminated(name)) return stat(name.ptr, p);
auto t = cast(char*) malloc(name.length + 1);
scope(exit) free(t);
memcpy(t, name.ptr, name.length);
t[name.length] = 0;
return stat(t, p);
}
Such wrappers would allow safe code to use more C stdlib
primitives. The question is whether these wrappers are worth
adding to core.stdc.stdio.
Thanks,
Andrei
I think this is crucial if we want to keep actual Phobos sources
easily review-able within your requirements. There is a good
value in having `core.stdc` to map C headers 1-to-1 though.
Would you consider separate `core.safestdc` package tree where
such wrappers could be put on per need basis (duplicating tree
structure of core.stdc modules internally)
