Safety annotations in core.stdc.

[alexrp]

Minor change to core.thread since some internal functions were made private.

This marks almost everything in core.stdc as @trusted. I also added some nothrow annotations while I was there.

[alexrp]

Now green everywhere (previous failures were unrelated).

[MartinNowak]

Nice.

You made a lot of decision why certain functions are not marked @trusted.
Could you please add some short comments (especially for stdio) so this won't get lost.

[alexrp]

OK, I'll go over and add more comments about safety decisions to the code later today.

[alexrp]

I've rebased with some comments on the annotations. Generally, I consider anything that mutates processor state or operates on unsafe stuff like C strings @system.

[andralex]

Nonono, fclose isn't trusted. It invalidates memory pointed to by stream.

[alexrp]

Good catch. Will mark it @system.

[alexrp]

Fixed.

[andralex]

I think we can provide a simple @trusted interface for malloc and calloc that work with a category of types (e.g. numeric types) and return a T[]. Of course this is not the place...

[alexrp]

I figured something like that would probably fit better in the allocators design.

[andralex]

Looks ready except as noted.

[d-random-contributor]

FILE's fields are available for modification, so functions with FILE* arguments can't be trusted. This is the reason MS provides FILE as opaque struct: it happened in the wild.

[andralex]

@d-random-contributor thanks for the note. Here "trusted" has a restricted meaning - it's only about memory safety, not general security.

[d-random-contributor]

Fields of FILE struct can be assigned with values that are not what clib expects there, breaking its invariant, e.g. a file buffer should be of a certain size - clib will blindly use it for reading and writing, if the buffer is of the wrong size, it will write past the end of the buffer.