I think that we should not be bound by any particular artifacts of the previous compiler's treatment of unsafe code, because the full set of those artifacts is not specified.
I also think it was a mistake to "document" this behavior for end-user use,
because people will write unsafe code that happens to pass tests with a particular Go release and believe that therefore they got it right.
We don't have a test suite for what unsafe behavior we support except for the runtime itself, and compiler writers aren't good at imaging the crazy things that people might do with unsafe code. And lacking such a test suite, for unsafe, I think it's fine for compiler-writers to push back hard on "bugs" involving unsafe code.
Unsafe code is generally a security violation, because no matter what we say in documentation, we don't check it mechanically. It's pretty much the whole point of actual security violations that they do an end-run on documented restrictions. Or as I asked, "what prevents?"
--
You received this message because you are subscribed to the Google Groups "golang-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-dev+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
I think we have a different understanding of what a security violation is..
One of the problems with unsafe is that it is not mechanically checked;this means that people can make uncaught unintentional mistakes,which are latent bugs, or they can make uncaught *intentional* "mistakes",and those are security violations.
As to the usefulness, in older languages, unsafe was used quite happilyas part of the language implementation,
The default pattern ought to be "don't use unsafe. No, really, don't use unsafe.Did you benchmark it yet without unsafe? Could you file a compiler performancebug instead?"
I may not understand present-day information security (i.e., unintentional leaks may be regarded as a lot more severe than I imagine),
but by intentional "mistake", I meant an exploit, made to look like a hand-optimization. With unsafe many of the conventional checks are turned off, and it's entirely possible to scribble all over memory if you can sneak your "optimization" past reviewers.
Experience with "unsafe" code is that even when users are explicitly told not to use it, they use it.
However, your wording keeps expressing concern that users are using package unsafe at all. So let me establish this: do you think end users should never use package unsafe, or do you think sometimes it's appropriate for them to use?
> email to golang-dev+unsubscribe@googlegroups.com.
My goal is never for performance, meaning that its only use is those cases where it is necessary for compatibility with stuff written in other languages.
The default performance model I'd like to use is that code I don't trust enough to run it is modeled as infinitely slow.
This gets squishy around memory-mapped files and things like that. Some of this can be addressed with better interfaces (and with improved compiler optimization, for instance better inlining, so that the calls have zero cost). Java introduced nio and ByteBuffers for this, for example. And understand, making something like java ByteBuffers work well in Go is a real problem in the existing compiler, I'd like it to be the case that the tricksy-clever unsafe code is in a library function, that the user might pass in a closure or two, and that everything would inline itself into no calls at all, but that doesn't happen now.
My goal is never for performance, meaning that its only use is those cases where it is necessary for compatibility with stuff written in other languages. The default performance model I'd like to use is that code I don't trust enough to run it is modeled as infinitely slow.
My goal is never for performance, meaning that its only use is those cases where it is necessary for compatibility with stuff written in other languages. The default performance model I'd like to use is that code I don't trust enough to run it is modeled as infinitely slow.What about this: for each use of unsafe (except in the runtime), we insert 10 useless instructions.
From: <golan...@googlegroups.com> on behalf of Rob Pike <r...@golang.org>
Date: Friday, August 19, 2016 at 2:58 PM
To: cherry <luna...@gmail.com>
Cc: David Chase <drc...@google.com>, Matthew Dempsky <mdem...@google.com>, golang-dev <golan...@googlegroups.com>
Subject: Re: [golang-dev] Guarantees for package unsafe
Here is a list of some to choose from: https://www.physics.ohio-state.edu/~bcd/humor/instruction.set.html
On Sat, Aug 20, 2016 at 7:57 AM, cherry <luna...@gmail.com> wrote:
My goal is never for performance, meaning that its only use is those cases where it is necessary for compatibility with stuff written in other languages. The default performance model I'd like to use is that code I don't trust enough to run it is modeled as infinitely slow.
What about this: for each use of unsafe (except in the runtime), we insert 10 useless instructions.
--
You received this message because you are subscribed to the Google Groups "golang-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-dev+...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups "golang-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-dev+...@googlegroups.com.
On Fri, Aug 19, 2016 at 12:20 PM, David Chase <drc...@google.com> wrote:My goal is never for performance, meaning that its only use is those cases where it is necessary for compatibility with stuff written in other languages.Cool, so we agree there are cases where it's necessary to use package unsafe. :)How should users that find themselves in those infrequent scenarios know how to use package unsafe correctly? It seems unhelpful to tell a user they have to use X to implement something, but then to refuse to tell them how to use X. Even more so if we're going to later blame them for misusing X.The way we do that for other features/tools is to document them.
--
The problem is that if we say "therefore we should include it in the spec" we get way too much unsafe code written.
If the spec can say "this applies to a particular dot release of Go, and it's all, entirely, subject to change in the future, and you should feel comfortable reading assembly code to figure out what's going on before you file a bug that involves 'unsafe'", that might make me happy.
Obviously in such a world we'd prioritize bugs in interfaces to native code (because there really is no other way), but I think this is a different sort of contract than the usual language spec, which is why I'm not comfortable just sticking it in the spec "because that's where we document things". There's a rule of language design, that you can't imagine all the crazy-ass things that people will do with your beautiful new language, and I don't like stirring unsafe into that mix. For most of the language, if someone figures out something we hadn't previously imagined and somehow our implementation falls short, we should make it work, because that's what the language spec says. If it involves unsafe, I want a different contract, one where I get to say "whoops, wow, we never imagined unsafe could work like that, we need to fix the spec to ban that".
I like Cherry's idea.
I like Cherry's idea.I think intentionally slowing down usage of package unsafe is punitive of our users who legitimately need to use it. The users who unnecessarily/incorrectly use it are already punished by extra bugs / upgrade pains.