bearophile wrote:
I have studied more Linux bugs.
----------------
An example of bug (more than 14 like this fixed in a few years):
- memset(pp, 0, sizeof(pp)); + memset(pp, 0, sizeof(*pp));
- memcpy((caddr_t)TstSchedTbl, (caddr_t)&vcIndex,sizeof(TstSchedTbl));
+ memcpy((caddr_t)TstSchedTbl, (caddr_t)&vcIndex,
sizeof(*TstSchedTbl));
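Review bot: sizeof(*pp) and sizeof(*TstSchedTbl) are only the right byte counts if each pointer addresses exactly one object; if TstSchedTbl is the base of an allocated array, the length should be `n * sizeof(*TstSchedTbl)`, and the hunk alone cannot tell which case applies. It is worth confirming at the call site, and worth noting that the `sizeof(pp)` form would have cleared only the first word, leaving the rest of the object uninitialised.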
Here the type system knows that pp is a pointer. sizeof(pp) is typically a
word, while the correct sizeof(*pp) is often larger. A simple way to avoid
this bug in D is to use a zeroing template function, something like
(untested) (in GNU C there is a way to write a similar macro, I don't know
why they don't use it, even if it's a bit less safe and much less nice
looking):
import core.stdc.string : memset;
import std.traits : isPointer;
// sizes the clear by the pointee type; the constraint rejects pointer-to-pointer arguments at compile time
void zeroit(T)(T* ptr) if (!isPointer!T) { memset(ptr, 0, T.sizeof); }
Standard safer wrappers for some C functions may help low-level D coding.
If you don't want to use a zeroit() then a type system able to catch such
bugs needs some nice annotations...
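The sizeof(pp) versus sizeof(*pp) slip described above, shown in C with a constructed struct so the difference in cleared bytes is measurable. This is an added example, not code from the thread or the kernel; the struct, the ZERO_OBJECT macro and the function names are my own assumptions about how such a wrapper might look.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example: deliberately larger than a pointer so a short clear
   leaves visible residue. */
struct sched_entry {
    uint32_t index;
    uint32_t flags;
    uint8_t  payload[24];
};

/* Hypothetical wrapper in the spirit of the post: size the clear by the
   pointee, never by the pointer. Plain C cannot reject a pointer-to-pointer
   argument generically the way the D template constraint does. */
#define ZERO_OBJECT(p) memset((p), 0, sizeof(*(p)))

/* Count bytes in [p, p+n) that are not zero. */
size_t nonzero_bytes(const void *p, size_t n)
{
    const uint8_t *b = (const uint8_t *)p;
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        if (b[i] != 0)
            count++;
    return count;
}

/* The buggy pattern: sizeof(pp) is the size of the pointer itself.
   Written inline as memset(pp, 0, sizeof(pp)) GCC's -Wsizeof-pointer-memaccess
   (part of -Wall) reports it; the size is taken through a variable here only
   so the demonstration compiles without that diagnostic. Returns the number of
   bytes the clear failed to touch. */
size_t leftover_after_buggy_clear(void)
{
    struct sched_entry e;
    struct sched_entry *pp = &e;
    memset(&e, 0xFF, sizeof e);       /* fill with garbage first */
    size_t n = sizeof(pp);            /* bug: pointer size, not object size */
    memset(pp, 0, n);
    return nonzero_bytes(&e, sizeof e);
}

/* The fixed pattern via the wrapper: sizeof(*pp) covers the whole object. */
size_t leftover_after_fixed_clear(void)
{
    struct sched_entry e;
    struct sched_entry *pp = &e;
    memset(&e, 0xFF, sizeof e);
    ZERO_OBJECT(pp);
    return nonzero_bytes(&e, sizeof e);
}
```

On a 64-bit target the buggy clear leaves sizeof(struct sched_entry) - 8 = 24 bytes of stale data behind; the wrapper leaves none. For existing C code the cheapest check is to build with -Wall, since -Wsizeof-pointer-memaccess flags the sizeof(pointer) argument to memset/memcpy directly.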
In D:
pp[] = 0;
or:
pp = typeof(pp).init;
etc.
In this post I don't see any little rule worth adding to the D compiler.
Many of them are dealt with by D's scope guard, RAII, and garbage collection
support.