Interpret gsl::Pointer as making types unsafe (gated behind a flag).#505
Open
copybara-service[bot] wants to merge 1 commit intomainfrom
Open
Interpret gsl::Pointer as making types unsafe (gated behind a flag).#505copybara-service[bot] wants to merge 1 commit intomainfrom
gsl::Pointer as making types unsafe (gated behind a flag).#505copybara-service[bot] wants to merge 1 commit intomainfrom
Conversation
PiperOrigin-RevId: 872978169
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Interpret
gsl::Pointeras making types unsafe (gated behind a flag).See the docs: https://clang.llvm.org/docs/AttributeReference.html#pointer
In other words, this is meant to capture the concept that it might even dangle. Example types that have a Pointer annotation include:
Very clearly, we want all of these to be unsafe. While the exact meaning of
gsl::Pointeris subject to change in clang, I think we can reliably use it as signal that a type should be an unsafe type.Of course, this change is backwards-incompatible, so it is gated behind a flag, but we can turn it on atomically once this is released to crosstool. Especially important, we can then flip it on for the standard library so that string_view becomes unsafe. That was a major oversight.
Interestingly (and I didn't expect this going in), because string_view is a template instantiation (and therefore pessimistically, but mistakenly, assumed to be owned by the current target), the unsafe_view attribute has to be added on the targets defining functions that accept a string_view parameter, not on cc_std itself. That's actually better for us, just wasn't what I expected at first when I was trying to test the CL.
Note that I tested it by only migrating one user of string_view to enable this -- it required unsafe, as expected (and I enforce this with a deny(unused_unsafe)). The other uses will, like the rest of google3, be migrated in a big ol' CL enabling the feature flag.
SLOPBOT WARNING: This change was pretty much entirely written by Gemini, with only minor cleanups by me. Quinn, you were wrong, sometimes it can handle big requests while I go afk! Ha ha ha ha productivity hack please don't take my job.
Prompt: