<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto">This is unsound:<div><br></div><div>x <- malloc ...</div><div>memcpy ... copy a nul-terminated string into x</div><div>let len = cstringLength x</div><div>free x</div><div><br></div><div>Because GHC can float the let binding down to where it is used after free.<br><br><div dir="ltr">Sent from my iPhone</div><div dir="ltr"><br><blockquote type="cite">On Jan 21, 2021, at 7:45 PM, Zemyla <zemyla@gmail.com> wrote:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr"><div dir="auto">That doesn't sound right. I don't think it allocates any data on the heap which could cause reallocation and move an unpinned ByteArray#, which is the only way I can think it would be unsafe.</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Jan 21, 2021, 17:50 Andrew Martin <<a href="mailto:andrew.thaddeus@gmail.com">andrew.thaddeus@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Both the unboxed variant and the wrapper are only sound on primitive string literals. You cannot use them on anything that was allocated at runtime, only on stuff baked into the rodata section. This is a pretty onerous restriction. What use case did you have in mind?<br>
<br>
Sent from my iPhone<br>
<br>
> On Jan 20, 2021, at 11:02 PM, Viktor Dukhovni <<a href="mailto:ietf-dane@dukhovni.org" target="_blank" rel="noreferrer">ietf-dane@dukhovni.org</a>> wrote:<br>
> <br>
> <br>
>> <br>
>>> On Jan 21, 2021, at 1:39 AM, chessai <<a href="mailto:chessai1996@gmail.com" target="_blank" rel="noreferrer">chessai1996@gmail.com</a>> wrote:<br>
>>> On Wed, Jan 20, 2021, 17:01 Viktor Dukhovni <<a href="mailto:ietf-dane@dukhovni.org" target="_blank" rel="noreferrer">ietf-dane@dukhovni.org</a>> wrote:<br>
>>>> On Wed, Jan 20, 2021 at 09:54:30AM -0800, chessai wrote:<br>
>>>> <br>
>>>> I've wanted the following before:<br>
>>>> <br>
>>>> foreign import ccall unsafe "strlen"<br>
>>>> cstringLength# :: Addr# -> Int#<br>
>>>> <br>
>>>> cstringLength :: CString -> Int<br>
>>>> cstringLength (Ptr s) = I# (cstringLength# s)<br>
>>>> <br>
>>>> A natural place for this seems to be Foreign.C.String.<br>
>>> <br>
>>> Why a new FFI call, rather than `cstringLength#` from ghc-prim: GHC.CString<br>
>>> (as of GHC 9.0.1):<br>
>> <br>
>> I forgot about that addition. In that case we would just need the lifted wrapper<br>
> <br>
> No worries, sure the lifted wrapper makes sense, and Foreign.C.String does<br>
> look like a reasonable place in which to define, and from which to export it.<br>
> <br>
> -- <br>
> Viktor.<br>
> <br>
> _______________________________________________<br>
> Libraries mailing list<br>
> <a href="mailto:Libraries@haskell.org" target="_blank" rel="noreferrer">Libraries@haskell.org</a><br>
> <a href="http://mail.haskell.org/cgi-bin/mailman/listinfo/libraries" rel="noreferrer noreferrer" target="_blank">http://mail.haskell.org/cgi-bin/mailman/listinfo/libraries</a><br>
_______________________________________________<br>
Libraries mailing list<br>
<a href="mailto:Libraries@haskell.org" target="_blank" rel="noreferrer">Libraries@haskell.org</a><br>
<a href="http://mail.haskell.org/cgi-bin/mailman/listinfo/libraries" rel="noreferrer noreferrer" target="_blank">http://mail.haskell.org/cgi-bin/mailman/listinfo/libraries</a><br>
</blockquote></div>
</div></blockquote></div></body></html>