Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

proposal: spec: disallow T<->uintptr conversion for type T unsafe.Pointer #20171

Open
griesemer opened this issue Apr 28, 2017 · 5 comments

Comments

@griesemer
Copy link
Contributor

commented Apr 28, 2017

Currently, implementations permit conversions to/from unsafe.Pointer and to/from types with underlying type unsafe.Pointer.

Consequently, unsafe conversions can be hidden because package unsafe doesn't even have to be imported.

This was arguably an "implementation mistake" which we should fix. See also #19306.

@griesemer griesemer self-assigned this Apr 28, 2017

@gopherbot gopherbot added this to the Proposal milestone Apr 28, 2017

@bcmills

This comment has been minimized.

Copy link
Member

commented May 16, 2017

Per #18130 (comment), I believe that it would be difficult to eliminate the possibility that packages that do not explicitly import unsafe can obtain an unsafe.Pointer via some combination of interface{}, type-assertion, and/or reflection. At the very least, I think you'd need to ensure that no exported function can return an unsafe.Pointer, which is a pretty invasive change.

It may be more viable to disallow all conversions from unsafe.Pointer and instead make it assignable from any pointer type:

package unsafe

type Pointer

func Convert(Pointer) *T

Then unsafe becomes a sort of black-hole: the caller can obtain as many values of unsafe.Pointer as they want, but they only way to dereference one is by first importing unsafe in order to Convert it.

@griesemer

This comment has been minimized.

Copy link
Contributor Author

commented May 16, 2017

@bcmills I don't think we make this bullet-proof - but at least I want it to be water-proof.

But I agree that if we reconsider the unsafe package interface entirely, we may find better solutions. Even with your suggestion, it's possible to encapsulate the desired conversions in functions exported by a package that's not the unsafe package. A client would only need to import that package.

@rsc rsc changed the title Proposal: only permit unsafe conversions to/from unsafe.Pointer proposal: spec: disallow T<->uintptr conversion for type T unsafe.Pointer Jun 16, 2017

@rsc

This comment has been minimized.

Copy link
Contributor

commented Jun 16, 2017

Note that now that we have type aliases, we'd also have to disallow conversions involving T where

type T = unsafe.Pointer

as well. And that's a bit harder to defend.

@griesemer

This comment has been minimized.

Copy link
Contributor Author

commented Jun 16, 2017

@rsc An alternative (for Go 2) is to rethink how unsafe operations work. For instance, we could remove the Pointer type altogether and make all unsafe operations function-based.

@rsc

This comment has been minimized.

Copy link
Contributor

commented Jun 17, 2017

Indeed. That would fit with #19367.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
5 participants
You can’t perform that action at this time.