proposal: spec: disallow T<->uintptr conversion for type T unsafe.Pointer

[griesemer]

Currently, implementations permit conversions to/from unsafe.Pointer and to/from types with underlying type unsafe.Pointer.

Consequently, unsafe conversions can be hidden because package unsafe doesn't even have to be imported.

This was arguably an "implementation mistake" which we should fix. See also #19306.

[bcmills]

Per #18130 (comment), I believe that it would be difficult to eliminate the possibility that packages that do not explicitly import unsafe can obtain an unsafe.Pointer via some combination of interface{}, type-assertion, and/or reflection. At the very least, I think you'd need to ensure that no exported function can return an unsafe.Pointer, which is a pretty invasive change.

It may be more viable to disallow all conversions from unsafe.Pointer and instead make it assignable from any pointer type:

package unsafe

type Pointer

func Convert(Pointer) *T

Then unsafe becomes a sort of black-hole: the caller can obtain as many values of unsafe.Pointer as they want, but they only way to dereference one is by first importing unsafe in order to Convert it.

[griesemer]

@bcmills I don't think we make this bullet-proof - but at least I want it to be water-proof.

But I agree that if we reconsider the unsafe package interface entirely, we may find better solutions. Even with your suggestion, it's possible to encapsulate the desired conversions in functions exported by a package that's not the unsafe package. A client would only need to import that package.

[rsc]

Note that now that we have type aliases, we'd also have to disallow conversions involving T where

type T = unsafe.Pointer

as well. And that's a bit harder to defend.

[griesemer]

@rsc An alternative (for Go 2) is to rethink how unsafe operations work. For instance, we could remove the Pointer type altogether and make all unsafe operations function-based.

[rsc]

Indeed. That would fit with #19367.