-
Notifications
You must be signed in to change notification settings - Fork 4.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[CallerMustBeUnsafe] type attribute #8663
Comments
I like this for a couple reasons:
A real-world example of this would be methods on the Marshal class such as Copy and StructureToPtr. |
Also for some of the |
I am not sure I understand this. You already have to be called from unsafe context to do unsafe things, which manipulating IntPtr is not from the point of view of CLR. That's the whole point of unsafe vs IntPtr. What can you do that is not safe without unsafe? Looks like your "safe" is different from CLR's "safe" and you want to use the latter to enforce the former... |
Operating over a window of larger data; so have buffer of 1000 bytes, return an |
Yes, but that is not CLR unsafe. If you want to behave it that way, what prevents you declaring the constructor as |
An |
Well as happily as any other unsafe code, i.e. you still need to be in full trust, otherwise you get VerificationException. What do you expect the benefits would be? |
Full trust doesn't exist in coreclr or native as far as I'm aware. Also as a "user beware" do you accept the risks marker. I have no objection to any code calling these psuedo-"unsafe" methods; unlike the the Full trust system - its more to make the caller aware there are risks. |
Also full trust vs not full trust is quite broad brush; rather than at specific method level (like unsafe) |
Moved to the roslyn-analyzers repo - dotnet/roslyn-analyzers#972 |
From https://github.com/dotnet/coreclr/issues/3143
To mark a function to be only be able to be called in an unsafe block.
It came up as an issue with having an
IntPtr
based api forVector.Copy
be equally could apply to something like a .ctor where you are passing an internal buffer to use (e.g. https://github.com/dotnet/coreclr/issues/3142)Or risk of use of buffers with overlapped I/O tasks and dispose dotnet/corefx#5954 (comment)
To indicate that the caller is aware there are risks and to be careful. What I am suggesting is something where .ctor 2 is forced to be
unsafe
in the same way .ctor 3 is:e.g.
The text was updated successfully, but these errors were encountered: