-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[CallerMustBeUnsafe] type attribute #5111
Comments
This is what security transparent vs. security critical code has been about... |
I might have missed it then; but what I am suggesting is something where .ctor 2 is forced to be public BufferedThing(int bufferSize){}
[CallerMustBeUnsafe]
public BufferedThing(byte[] internalBuffer){}
public BufferedThing(byte* internalBuffer, int bufferLength){} e.g. var buffer0 = new BufferedThing(10); // fine
var buffer1 = new BufferedThing(new byte[10]); // compile error
unsafe {
var buffer2 = new BufferedThing(new byte[10]); // fine
}
unsafe {
var buffer = new byte[10];
fixed (byte* pBuffer = &buffer[0]) {
var buffer3 = new BufferedThing(pBuffer, 10); // fine
}
} |
I like this for a couple reasons:
A real-world example of this would be methods on the Marshal class such as Copy and StructureToPtr. |
@morganbr refiled there if you want to add your comment? dotnet/roslyn#8663 |
To mark a function to be only be able to be called in an unsafe block.
It came up as an issue with having an
IntPtr
based api forVector.Copy
be equally could apply to something like a .ctor where you are passing an internal buffer to use (e.g. https://github.com/dotnet/coreclr/issues/3142)Or risk of use of buffers with overlapped I/O tasks and dispose dotnet/corefx#5954 (comment)
To indicate that the caller is aware there are risks and to be careful.
The text was updated successfully, but these errors were encountered: