[Issue 8471] std.stdio.readf should be @trusted
https://issues.dlang.org/show_bug.cgi?id=8471

github-bugzi...@puremagic.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|---                         |FIXED

--
[Issue 8471] std.stdio.readf should be @trusted
https://issues.dlang.org/show_bug.cgi?id=8471

--- Comment #20 from github-bugzi...@puremagic.com ---
Commits pushed to stable at https://github.com/dlang/phobos

https://github.com/dlang/phobos/commit/882a1fb8f62b872f3463e9fca2b2e1e04d36effb
Fix issue #8471 - allow only pointers as readf parameters

https://github.com/dlang/phobos/commit/0059fc3263b9ebd62ef7c6c7b3eed4b20f313364
Merge pull request #5076 from byebye/issue_8471

--
[Issue 8471] std.stdio.readf should be @trusted
https://issues.dlang.org/show_bug.cgi?id=8471

--- Comment #19 from Andrei Alexandrescu ---
@Bolpat

(In reply to Bolpat from comment #18)
> As Andrei pointed out, readf has its signature for historic reasons. Please
> check out my pull: https://github.com/dlang/phobos/pull/5247 If I'm correct,
> we can deprecate formattedRead and with it readf with pointers.
>
> Tell me if I'm wrong, but there is no justification to make readf @trusted.
> It accesses a __gshared global and is not @safe for good reasons.

Using __gshared is not problematic because the reading primitives are
interlocked.

--
[Issue 8471] std.stdio.readf should be @trusted
https://issues.dlang.org/show_bug.cgi?id=8471

Bolpat changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |qs.il.paperi...@gmail.com

--- Comment #18 from Bolpat ---
As Andrei pointed out, readf has its signature for historic reasons. Please
check out my pull: https://github.com/dlang/phobos/pull/5247 If I'm correct,
we can deprecate formattedRead and with it readf with pointers.

Tell me if I'm wrong, but there is no justification to make readf @trusted.
It accesses a __gshared global and is not @safe for good reasons.

--
[Issue 8471] std.stdio.readf should be @trusted
https://issues.dlang.org/show_bug.cgi?id=8471

greenify changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
                 CC|                            |greeen...@gmail.com
         Resolution|FIXED                       |---

--- Comment #17 from greenify ---
(wrongly closed)

--
[Issue 8471] std.stdio.readf should be @trusted
https://issues.dlang.org/show_bug.cgi?id=8471

github-bugzi...@puremagic.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|---                         |FIXED

--
[Issue 8471] std.stdio.readf should be @trusted
https://issues.dlang.org/show_bug.cgi?id=8471

--- Comment #16 from github-bugzi...@puremagic.com ---
Commits pushed to newCTFE at https://github.com/dlang/phobos

https://github.com/dlang/phobos/commit/882a1fb8f62b872f3463e9fca2b2e1e04d36effb
Fix issue #8471 - allow only pointers as readf parameters

https://github.com/dlang/phobos/commit/0059fc3263b9ebd62ef7c6c7b3eed4b20f313364
Merge pull request #5076 from byebye/issue_8471

--
[Issue 8471] std.stdio.readf should be @trusted
https://issues.dlang.org/show_bug.cgi?id=8471

Jakub Łabaj changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |---

--- Comment #15 from Jakub Łabaj ---
It's not fixed yet, my commit doesn't really make readf @safe/@trusted (sorry
for the mess).

--
[Issue 8471] std.stdio.readf should be @trusted
https://issues.dlang.org/show_bug.cgi?id=8471

github-bugzi...@puremagic.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|---                         |FIXED

--
[Issue 8471] std.stdio.readf should be @trusted
https://issues.dlang.org/show_bug.cgi?id=8471

--- Comment #14 from github-bugzi...@puremagic.com ---
Commits pushed to master at https://github.com/dlang/phobos

https://github.com/dlang/phobos/commit/882a1fb8f62b872f3463e9fca2b2e1e04d36effb
Fix issue #8471 - allow only pointers as readf parameters

https://github.com/dlang/phobos/commit/0059fc3263b9ebd62ef7c6c7b3eed4b20f313364
Merge pull request #5076 from byebye/issue_8471

Fix issue #8471 - allow only pointers as readf parameters

--
[Issue 8471] std.stdio.readf should be @trusted
https://issues.dlang.org/show_bug.cgi?id=8471

--- Comment #13 from Jakub Łabaj ---
I understand now, thanks! You can find my profile here:
https://github.com/byebye.

I've created a simple PR: https://github.com/dlang/phobos/pull/5040 for a
similar issue involving formattedRead, where I was wondering if I should
restrict arguments to pointers. So it seems the solution would be exactly the
same in both cases.

--
[Issue 8471] std.stdio.readf should be @trusted
https://issues.dlang.org/show_bug.cgi?id=8471

--- Comment #12 from Andrei Alexandrescu ---
@Jakub, what's your github id? thx!

--
[Issue 8471] std.stdio.readf should be @trusted
https://issues.dlang.org/show_bug.cgi?id=8471

--- Comment #11 from Andrei Alexandrescu ---
Oh, sorry. The idea is to leave readf unqualified and let the compiler infer
whether it's safe or not. In this particular case I see there's a simple
solution - just add a constraint to it making sure all parameters are
pointers. Something like:

uint readf(Data...)(in char[] format, Data data)
if (allSatisfy!(isPointer, Data));

Then the only way to call readf is with pointers, which eliminates the
possibility of shenanigans.

--
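The three options weighed in this thread, side by side, as an added example that is not part of any comment and is not Phobos code. The names `SystemProxy`, `storeTrusted`, `storeInferred` and `storeConstrained` are hypothetical stand-ins; each function writes through its arguments with `*a`, as the thread describes formattedRead doing.

```d
// Added example, not Phobos code; all names here are hypothetical.
// Build and run: dmd -main -unittest -run example.d
import std.meta : allSatisfy;
import std.traits : isPointer;

// Stand-in for a user type whose dereference is explicitly @system.
struct SystemProxy
{
    int* target;
    ref int opUnary(string op)() @system if (op == "*")
    {
        return *target;
    }
}

// (1) @trusted on a template taking arbitrary types: the callee vouches
//     for whatever `*a` expands to, including user code it has never seen.
void storeTrusted(Args...)(int value, Args args) @trusted
{
    foreach (a; args) *a = value;
}

// (2) No annotation: safety is inferred per instantiation.
void storeInferred(Args...)(int value, Args args)
{
    foreach (a; args) *a = value;
}

// (3) Inference plus the pointer-only constraint.
void storeConstrained(Args...)(int value, Args args)
if (allSatisfy!(isPointer, Args))
{
    foreach (a; args) *a = value;
}

@safe unittest
{
    // (1) compiles: @system code is reachable from @safe code unchecked.
    static assert( __traits(compiles, () @safe { storeTrusted(1, SystemProxy.init); }));
    // (2) rejected: the instantiation is inferred @system.
    static assert(!__traits(compiles, () @safe { storeInferred(1, SystemProxy.init); }));
    // (3) rejected: SystemProxy is not a pointer, so the constraint fails.
    static assert(!__traits(compiles, () @safe { storeConstrained(1, SystemProxy.init); }));

    static int x;
    storeConstrained(10, &x);   // built-in pointers still work
    assert(x == 10);
}
```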
[Issue 8471] std.stdio.readf should be @trusted
https://issues.dlang.org/show_bug.cgi?id=8471

--- Comment #10 from Jakub Łabaj ---
I know how to create PRs, I've already created some. What I mean is I'm not
sure how you see the solution, e.g. '@safe function with a small @trusted
core', could you elaborate on this, please?

--
[Issue 8471] std.stdio.readf should be @trusted
https://issues.dlang.org/show_bug.cgi?id=8471

--- Comment #9 from Andrei Alexandrescu ---
(In reply to Jakub Łabaj from comment #8)
> Sorry, I'm not sure what you mean by that - what are the next steps to do
> here?

I think Razvan Nitu has reached out to you on how to go about creating PRs.

--
[Issue 8471] std.stdio.readf should be @trusted
https://issues.dlang.org/show_bug.cgi?id=8471

--- Comment #8 from Jakub Łabaj ---
Sorry, I'm not sure what you mean by that - what are the next steps to do
here?

--
[Issue 8471] std.stdio.readf should be @trusted
https://issues.dlang.org/show_bug.cgi?id=8471

--- Comment #7 from Andrei Alexandrescu ---
Cool, thanks, then the bug is legit. The fix would be a @safe function with a
small @trusted core.

--
[Issue 8471] std.stdio.readf should be @trusted
https://issues.dlang.org/show_bug.cgi?id=8471

--- Comment #6 from Jakub Łabaj ---
Currently I see one way to break the safety, which is to not pass a real
pointer, but a structure with unary '*' overloaded:

@safe unittest
{
    import std.format : formattedRead;

    struct Unsafe
    {
        int* x;
        ref int opUnary(string s)() if (s == "*")
        {
            int y;
            // int* ptr = &y; // not @safe
            return *x;
        }
    }

    static int x;
    static Unsafe unsafe;
    unsafe.x = &x;
    string text = "10";
    formattedRead(text, "%d ", unsafe); // called by readf
    assert(*unsafe.x == 10);
}

Probably I can't mess up assignment operator nor constructor, because only
builtin types are parsable (constrained by function unformatValue).

So I think making formattedRead / readf accepting only pointers to builtin
types is a way to make them @trusted.

--
[Issue 8471] std.stdio.readf should be @trusted
https://issues.dlang.org/show_bug.cgi?id=8471

--- Comment #5 from Andrei Alexandrescu ---
(In reply to Jakub Łabaj from comment #4)
> According to Steven's blog post
> (http://dlang.org/blog/2016/09/28/how-to-write-trusted-code-in-d/) I should
> "never use @trusted on template functions that accept arbitrary types". Is
> the readf case special in this regard?

If readf calls user-defined functions (constructor, assignment) then yes
that's a problem. The smoking gun would be an unsafe unittest that passes with
the current implementation. Can you write one?

--
[Issue 8471] std.stdio.readf should be @trusted
https://issues.dlang.org/show_bug.cgi?id=8471

Jakub Łabaj changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |uaaabbj...@gmail.com

--- Comment #4 from Jakub Łabaj ---
According to Steven's blog post
(http://dlang.org/blog/2016/09/28/how-to-write-trusted-code-in-d/) I should
"never use @trusted on template functions that accept arbitrary types". Is the
readf case special in this regard?

--
[Issue 8471] std.stdio.readf should be @trusted
https://issues.dlang.org/show_bug.cgi?id=8471

Andrei Alexandrescu changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |bootcamp

--
[Issue 8471] std.stdio.readf
http://d.puremagic.com/issues/show_bug.cgi?id=8471

Andrei Alexandrescu and...@metalanguage.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |and...@metalanguage.com
         Resolution|                            |WONTFIX

--- Comment #1 from Andrei Alexandrescu and...@metalanguage.com 2012-07-30 06:50:18 PDT ---
When readf was defined, ref didn't work with variadics. Closing because fixing
behavior now would break existing code.

--
Configure issuemail: http://d.puremagic.com/issues/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
[Issue 8471] std.stdio.readf
http://d.puremagic.com/issues/show_bug.cgi?id=8471

bearophile_h...@eml.cc changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |bearophile_h...@eml.cc

--- Comment #2 from bearophile_h...@eml.cc 2012-07-30 07:01:56 PDT ---
(In reply to comment #1)
> When readf was defined, ref didn't work with variadics. Closing because
> fixing behavior now would break existing code.

Maybe a less bug prone and different named function should be added, that uses
ref...

--
[Issue 8471] std.stdio.readf should be @trusted
http://d.puremagic.com/issues/show_bug.cgi?id=8471

Andrei Alexandrescu and...@metalanguage.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|WONTFIX                     |
            Summary|std.stdio.readf             |std.stdio.readf should be
                   |                            |@trusted

--- Comment #3 from Andrei Alexandrescu and...@metalanguage.com 2012-07-30 08:11:42 PDT ---
Actually it's not that bad - readf is not bug prone because it statically
ensures that all of its parameters are pointers. Using pointers is also safe
because readf doesn't escape them.

Actually I'm reopening this with a different title.

--