Fix Issue 18157 - std.file.rmdirRecurse should be usable in @safe

[ljmf00]

rmdirRecurse should be @safe as the cast(string) is safe in this context and
dirEntries, even though @System, it uses a RefCounted iterator which inside
will always make the reference deleted as the reference will never be passed
outside the function scope.

Signed-off-by: Luís Ferreira contact@lsferreira.net

[dlang-bot]

Thanks for your pull request and interest in making D better, @ljmf00! We are looking forward to reviewing it, and you should be hearing from a maintainer soon.
Please verify that your PR follows this checklist:

• My PR is fully covered with tests (you can see the coverage diff by visiting the details link of the codecov check)
• My PR is as minimal as possible (smaller, focused PRs are easier to review than big ones)
• I have provided a detailed rationale explaining my changes
• New or modified functions have Ddoc comments (with Params: and Returns:)

Please see CONTRIBUTING.md for more information.

---

If you have addressed all reviews or aren't sure how to proceed, don't hesitate to ping us with a simple comment.

Bugzilla references

Your PR doesn't reference any Bugzilla issue.

If your PR contains non-trivial changes, please reference a Bugzilla issue or create a manual changelog.

Testing this PR locally

If you don't have a local development environment setup, you can use Digger to test this PR:

dub run digger -- build "master + phobos#7675"

[ljmf00]

Please tell if I'm thinking in a wrong way and there's logic that need to be added in order to make this properly @safe , but AFAIK this shouldn't be a problem.

[thewilsonator]

The general idea is to have @trusted as narrow in scope as possible

[thewilsonator]

What needs to be @trusted in this function?

[ljmf00]

dirEntries is @System, so that's why it needs @trusted attribute. In this context, I consider this being safe because dirEntries returns a RefCounted wrapped variable, that, inside this will always be eliminated, so it doesn't make much sense to be unsafe here, IMHO.

The unsafe part is here:

foreach (DirEntry e; dirEntries(de.name, SpanMode.depth, false))
{
    attrIsDir(e.linkAttributes) ? rmdir(e.name) : remove(e.name);
}

[thewilsonator]

is it the call to dirEntries, or the iteration or both? What about rmdir/remove?

[wilzbach]

Can't we use a local @trusted lambda + a comment to make sure nothing unsafe gets added in the future?

[ljmf00]

is it the call to dirEntries, or the iteration or both? What about rmdir/remove?

both rmdir and remove uses a @trusted trustedRmdir and removeImpl respectively, so, when called it's both @safe calls.

Can't we use a local @trusted lambda + a comment to make sure nothing unsafe gets added in the future?

Sure, I'll do it.

Also, if you follow this example here,

phobos/std/datetime/timezone.d

Line 2451 in 453faad

foreach (DirEntry de; dirEntries(tzDatabaseDir, SpanMode.depth))

, they are also using dirEntries in a @trusted function, so maybe it should be a good idea to wrap it too. I'll do it in another PR.

[thewilsonator]

Does this have an issue number?

[wilzbach]

.

[ljmf00]

Does this have an issue number?

Yes, https://issues.dlang.org/show_bug.cgi?id=18157 . I'll change the PR title.

Also, I don't think the dependency there to https://issues.dlang.org/show_bug.cgi?id=18155 is necessary, because, since dirEntries are using a RefConted object to increase performance and to not rely on GC.

[ljmf00]

My fault, I referenced the wrong issue. Already updated the title again.

[edi33416]

Can it also be marked as pure?

[ljmf00]

Can it also be marked as pure?

No. This function can't be pure in any way because it calls impure functions and this perform I/O.

[edi33416]

lgtm

[atilaneves]

Can't this be verified by the compiler by making the ref DirEntry de scope?

[ljmf00]

No because .dirEntries is @System and scope will do nothing about safety here. RefCounted is @System because the implementation uses malloc/free.

[ljmf00]

See this interesting discussion about @safe ref counting on dlang forum: https://forum.dlang.org/thread/r8ilpu$2mk7$1@digitalmars.com

[ljmf00]

@wilzbach the bot didn't detected the issue Fix even though merged with Fix Issue xxx https://issues.dlang.org/show_bug.cgi?id=18157. Can this be closed?

[wilzbach]

The bot only parses the commit messages as they are used to assemble the changelog. That's why it's important to check whether the issue displays in its commit message. We can't do much more than closing the issue manually and likely it will end up in the changelog because of the merge commit title.