Index-assign in str should be unsafe #8891

Closed
SimonSapin opened this issue Aug 30, 2013 · 8 comments · Fixed by #9750

Comments

@SimonSapin
Contributor

As far as I understand, the str types have a pretty strong assumption that they contain valid UTF-8. Any method/function that could break this (such as push_bytes) is marked as unsafe.

However, it is possible to assign random bytes in the middle of a ~str, breaking the UTF-8 invariant:

rusti: let mut a = ~"test"; a[1] = 0x80; 
        (a.as_bytes().to_owned(), ::std::str::is_utf8(a.as_bytes()))
(~[116, 128, 115, 116], false)

I think that such assignments should only be allowed in unsafe code.

Update: str.as_mut_buf should also be unsafe, IMO.
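A safe way to perform the byte-level edit the issue describes is to make it on a plain `Vec<u8>` and re-enter `String` only through the checked constructor, so an edit that would break the UTF-8 invariant is rejected instead of silently producing an invalid `str`. The following is an added example written for this page in current Rust (it is not code from the issue or from the Rust project); it uses `String::from_utf8` and `std::str::from_utf8` where the 2013 rusti session used `std::str::is_utf8`:

```rust
use std::string::FromUtf8Error;

/// Byte-level replacement that cannot break the UTF-8 invariant: the edit is
/// made on a `Vec<u8>`, and the bytes only become a `String` again through the
/// checked `String::from_utf8`, which refuses invalid sequences. This is the
/// safe counterpart of the `a[1] = 0x80` write shown in the issue.
fn set_byte_checked(s: &str, index: usize, byte: u8) -> Result<String, FromUtf8Error> {
    let mut bytes = s.as_bytes().to_vec();
    // An out-of-range index is a caller bug; panic just as slice indexing would.
    bytes[index] = byte;
    String::from_utf8(bytes)
}

/// Equivalent of the `std::str::is_utf8` check in the issue's rusti session.
fn is_utf8(bytes: &[u8]) -> bool {
    std::str::from_utf8(bytes).is_ok()
}

/// Byte offset at which validation failed after a rejected edit; useful for
/// diagnostics, since `valid_up_to` reports how far the validator got.
fn first_invalid_offset(err: &FromUtf8Error) -> usize {
    err.utf8_error().valid_up_to()
}

fn main() {
    // The write from the issue: 0x80 is a lone continuation byte, so the
    // result [116, 128, 115, 116] is not UTF-8 and the edit is refused.
    match set_byte_checked("test", 1, 0x80) {
        Ok(s) => println!("unexpectedly accepted: {:?}", s),
        Err(e) => println!("rejected: {} (bytes {:?})", e.utf8_error(), e.as_bytes()),
    }
    // The write from the `&mut a[2]` example further down: 0x32 is ASCII '2',
    // so the result stays valid.
    println!("{:?}", set_byte_checked("test", 2, 0x32)); // Ok("te2t")
    // Overwriting a byte inside a multi-byte character ("é" is C3 A9) is also
    // caught, even though the new byte is plain ASCII.
    println!("{}", set_byte_checked("aé", 1, b'x').is_err()); // true
    println!("{}", is_utf8(&[116, 128, 115, 116])); // false
}
```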

@lilyball
Contributor

I had no idea str even allowed index-assign.

@SimonSapin
Contributor Author

@kballard forbidding it entirely could also fix the issue, but might be overkill.

@alexcrichton
Member

Hmm... This could be trickier than just forbidding assignment because this code compiles as well

fn main() {
    let mut a = ~"test";
    {
        let c = &mut a[2];
        *c = 0x32;
    }
    println(a);
}

@SimonSapin
Contributor Author

@alexcrichton I suppose we could also forbid (in safe code) to borrow mutable references to individual bytes in a string. Similarly, I believe that str.as_mut_buf() should be unsafe (but str.as_imm_buf() does not need to be.)

@thestinger
Contributor

I think we should just forbid index-assign and borrowing mutable references. It can still be done through unsafe methods, but doesn't need to be in the language as a feature.

The only unsafe language feature we have is raw pointer dereferencing so it's nice to keep it simple.

@thestinger
Contributor

Nominating for the backwards compatible milestone.

@thestinger
Contributor

as_mut_buf doesn't need to be unsafe because it passes you a raw pointer, which is unusable without unsafe.

@catamorphism
Contributor

Accepted for well-defined. (Also: document what "unsafe" means, which is a separate issue.)

bors added a commit that referenced this issue Oct 9, 2013
This behavior was decided to get out-right forbidden by the compiler

Closes #8891