From 95b7fcadca68d77170fa50b9d1809ef5ff488a81 Mon Sep 17 00:00:00 2001 From: Nick Treleaven Date: Wed, 22 Jul 2020 23:36:23 +0100 Subject: [PATCH] doc: add memory safety section & unsafe {...} example (#5804) --- doc/docs.md | 46 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) diff --git a/doc/docs.md b/doc/docs.md index 638955359b..c0a2f800b8 100644 --- a/doc/docs.md +++ b/doc/docs.md @@ -70,6 +70,7 @@ you can do in V. * [vfmt](#vfmt) * [Profiling](#profiling) * [Advanced](#advanced) + * [Memory-unsafe code](#memory-unsafe-code) * [Calling C functions from V](#calling-c-functions-from-v) * [Debugging generated C code](#debugging-generated-c-code) * [Conditional compilation](#conditional-compilation) @@ -1873,6 +1874,51 @@ fn main(){ # Advanced Topics +## Memory-unsafe code + +Sometimes for efficiency you may want to write low-level code that can potentially +corrupt memory or be vulnerable to security exploits. V supports writing such code, +but not by default. + +V requires that any potentially memory-unsafe operations are marked intentionally. +Marking them also indicates to anyone reading the code that there could be +memory-safety violations if there was a mistake. + +Examples of potentially memory-unsafe operations are: + +* Pointer arithmetic +* Pointer indexing +* Conversion to pointer from an incompatible type +* Calling certain C functions, e.g. `free`, `strlen` and `strncmp`. + +To mark potentially memory-unsafe operations, enclose them in an `unsafe` block: + +```v +// allocate 2 uninitialized bytes & return a reference to them +mut p := unsafe { &byte(malloc(2)) } +p[0] = `h` // Error: pointer indexing is only allowed in `unsafe` blocks +unsafe { + p[0] = `h` + p[1] = `i` +} +p++ // Error: pointer arithmetic is only allowed in `unsafe` blocks +unsafe { + p++ // OK +} +assert *p == `i` +``` + +Best practice is to avoid putting memory-safe expressions inside an `unsafe` block, +so that the reason for using `unsafe` is as clear as possible. Generally any code +you think is memory-safe should not be inside an `unsafe` block, so the compiler +can verify it. + +If you suspect your program does violate memory-safety, you have a head start on +finding the cause: look at the `unsafe` blocks (and how they interact with +surrounding code). + +* Note: This is work in progress. + ## Calling C functions from V ```v