Thanks to visit codestin.com
Credit goes to github.com

Skip to content

fix: make dcell fully @safe for consumers (fixes #10) #54

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
gdamore merged 1 commit into from
Dec 15, 2025
Merged

fix: make dcell fully @safe for consumers (fixes #10) #54

gdamore merged 1 commit into from
Dec 15, 2025

Conversation

@gdamore
Copy link
Owner

@gdamore gdamore commented Dec 15, 2025
edited by coderabbitai bot
Loading

While here, the copyrights for files updates this year are updated for 2025.

Summary by CodeRabbit

  • Refactor

    • Strengthened safety and exception guarantees across many public APIs (parser, screen/tty, terminal I/O, UI components and demos) to improve runtime and memory/exception safety.

  • Bug Fixes

    • Removed an obsolete parser helper (public API removed).

  • Chores

    • Updated copyright years to 2025 and normalized JSON/config formatting.

✏️ Tip: You can customize this high-level summary in your review settings.

@coderabbitai
Copy link
Contributor

coderabbitai bot commented Dec 15, 2025
edited
Loading

Caution

Review failed

The pull request is closed.

Walkthrough

Tightens and standardizes safety and exception guarantees by adding @safe, @trusted, @nogc, and nothrow annotations across many dcell modules and demos; removes one parser helper (parseSequence); updates copyright years and JSON formatting in a few demo manifests.

Changes

Cohort / File(s) Change Summary
Copyright & metadata
demos/hello/dub.json, demos/mouse/dub.json, source/dcell/common.d, source/dcell/cursor.d		 Updated copyright years and JSON/module header formatting only.
Demos: ColorBoxes
demos/colors/source/colors.d		 Added @safe to bool flip(), void makeBox(), void handleEvent(Event), and void run().
Event queue
source/dcell/event.d		 Annotated EventQ.put(Event) as @safe nothrow.
Parser & event constructors
source/dcell/parser.d		 Many parser methods annotated (@safe, @trusted, @nogc, nothrow as appropriate); several event constructors annotated nothrow @safe``; removed parseSequence(string).
Screen abstraction
source/dcell/screen.d		 Public Screen API methods annotated with @safe (several also nothrow).
TTY interfaces & implementations
source/dcell/tty.d, source/dcell/ttyscreen.d, source/dcell/termio.d, source/dcell/wintty.d		 Added/adjusted per-member @trusted, @safe, @nogc, nothrow annotations on Tty interface and implementations (PosixTty, WinTty), TtyScreen/TtyEventQ; removed broad top-level Windows extern wrappers in favor of per-member attributes.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

  • Review attention:
    • source/dcell/parser.d — confirm removal of parseSequence() and update any call sites.
    • source/dcell/termio.d, source/dcell/wintty.d, source/dcell/tty.d — verify @trusted placements and auditing of unsafe operations.
    • Cross-module stronger contracts (@nogc/nothrow/@safe) — ensure external callers comply with new guarantees.

Possibly related PRs

Poem

I nibble bytes and hop through lines, 🐇
Tucking @safe into cautious vines.
Trusted hops and nogc springs,
Terminals hum with gentler things.
Code warmed by tiny rabbit signs. ✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately and specifically describes the main change: adding @safe attributes to make dcell fully safe for consumers, directly referencing the associated issue #10.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1f5cd20 and f0ba4d9.

📒 Files selected for processing (12)
  • demos/colors/source/colors.d (4 hunks)
  • demos/hello/dub.json (1 hunks)
  • demos/mouse/dub.json (1 hunks)
  • source/dcell/common.d (1 hunks)
  • source/dcell/cursor.d (1 hunks)
  • source/dcell/event.d (1 hunks)
  • source/dcell/parser.d (12 hunks)
  • source/dcell/screen.d (12 hunks)
  • source/dcell/termio.d (12 hunks)
  • source/dcell/tty.d (2 hunks)
  • source/dcell/ttyscreen.d (20 hunks)
  • source/dcell/wintty.d (4 hunks)

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot]
coderabbitai bot reviewed Dec 15, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
source/dcell/ttyscreen.d (1)

559-583: Add nothrow attribute to TtyEventQ.put() override.

The base class EventQ.put is declared as @safe nothrow (source/dcell/event.d:82), but the override in TtyEventQ at line 559 only specifies @safe, omitting nothrow. The derived class must preserve or strengthen the base class contract. Add nothrow to match:

override void put(Event ev) @safe nothrow
{
    super.put(ev);
    ti.wakeUp();
}
source/dcell/termio.d (1)

388-407: Use atomic store for sigFd assignment or implement CAS-based initialization.

The watchResize function has a genuine TOCTOU race condition on lines 393-402. The atomicLoad(sigFd) == -1 check is followed by non-atomic assignments to sigPipe, sigWfd, sigRfd, and sigFd. If multiple threads call watchResize concurrently, both could pass the check and overwrite globals, with the signal handler in handleSigWinCh (line 359) writing to a partially-initialized or stale sigWfd.

Replace the plain assignment sigFd = fd; (line 402) with atomicStore(&sigFd, fd); and use cas (compare-and-swap) for the initial check-and-set sequence. Also fix the plain assignment at line 416 in ignoreResize.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2bde43e and 5702721.

📒 Files selected for processing (12)
  • demos/colors/source/colors.d (4 hunks)
  • demos/hello/dub.json (1 hunks)
  • demos/mouse/dub.json (1 hunks)
  • source/dcell/common.d (1 hunks)
  • source/dcell/cursor.d (1 hunks)
  • source/dcell/event.d (1 hunks)
  • source/dcell/parser.d (12 hunks)
  • source/dcell/screen.d (12 hunks)
  • source/dcell/termio.d (12 hunks)
  • source/dcell/tty.d (2 hunks)
  • source/dcell/ttyscreen.d (20 hunks)
  • source/dcell/wintty.d (4 hunks)
🚧 Files skipped from review as they are similar to previous changes (4)
  • demos/colors/source/colors.d
  • demos/hello/dub.json
  • source/dcell/cursor.d
  • demos/mouse/dub.json
🧰 Additional context used
🧠 Learnings (3)
📚 Learning: 2025-12-14T19:58:59.815Z 
Learnt from: gdamore
Repo: gdamore/dcell PR: 53
File: source/dcell/ttyscreen.d:557-577
Timestamp: 2025-12-14T19:58:59.815Z
Learning: In source/dcell/ttyscreen.d, the TtyEventQ class intentionally has different behavior between put() and opOpAssign methods. The put() method calls ti.wakeUp() for external callers injecting synthetic events, while opOpAssign (used via ~= operator) bypasses wakeUp() as a performance optimization when appending events internally during tty event processing where the thread is already active.

Applied to files:

  • source/dcell/event.d
  • source/dcell/tty.d
  • source/dcell/ttyscreen.d
📚 Learning: 2025-12-14T19:56:40.073Z 
Learnt from: gdamore
Repo: gdamore/dcell PR: 53
File: source/dcell/screen.d:96-126
Timestamp: 2025-12-14T19:56:40.073Z
Learning: In dcell, the EventQ class is intentionally designed as both an input range and an output range of Event. The output range functionality allows applications to inject synthetic events into the event stream.

Applied to files:

  • source/dcell/event.d
📚 Learning: 2025-12-08T19:10:45.993Z 
Learnt from: gdamore
Repo: gdamore/dcell PR: 27
File: source/dcell/ttyscreen.d:763-766
Timestamp: 2025-12-08T19:10:45.993Z
Learning: In source/dcell/ttyscreen.d, the newTtyScreen() factory function intentionally does not accept a term parameter because the TtyScreen constructor handles environment variable resolution internally with an optional term parameter. Users needing to override the terminal type should call the constructor directly: new TtyScreen(newDevTty(), "custom-term").

Applied to files:

  • source/dcell/ttyscreen.d
  • source/dcell/wintty.d
🔇 Additional comments (17)
source/dcell/common.d (1)

4-4: LGTM!

Copyright year update is appropriate for the 2025 modifications.

source/dcell/event.d (1)

82-85: LGTM!

The @safe nothrow annotations are appropriate for the array append operation. This strengthens the safety contract for consumers of the EventQ output range interface.

source/dcell/screen.d (1)

25-265: LGTM!

The comprehensive @safe annotations across the Screen interface establish a strong safety contract for consumers. The final method implementations correctly delegate to other @safe methods, maintaining consistency throughout the interface.

source/dcell/parser.d (3)

313-318: LGTM!

The pure @safe @nogc annotations are correct. The method performs only safe operations: saving a reference, nulling the field, and returning the slice.

386-660: Appropriate use of @trusted.

The scan() method correctly uses @trusted as it encapsulates low-level byte manipulation and UTF decoding operations that cannot be verified as @safe by the compiler, but are manually verified to be memory-safe.

1094-1218: LGTM!

The event factory methods (newFocusEvent, newKeyEvent, newMouseEvent, newPasteEvent) correctly use nothrow @safe as they only perform struct initialization and call MonoTime.currTime() which has matching attributes.

source/dcell/tty.d (1)

24-95: LGTM!

The Tty interface appropriately uses @trusted for I/O methods that interact with system calls, while resized() correctly uses @safe since it's a simple flag check. This establishes clear safety contracts that implementations must satisfy.

source/dcell/wintty.d (3)

64-69: @trusted annotation is appropriate for Windows API calls.

The constructor correctly uses @trusted since it calls Windows kernel APIs (GetStdHandle, CreateEventW) that are declared as extern(Windows) @nogc nothrow but cannot be verified by the compiler for memory safety.

112-114: LGTM: Empty method is correctly marked @safe.

The flush() method has an empty body and correctly uses @safe.

201-206: LGTM: Pure data access correctly marked @safe.

The resized() method only reads and writes member variables without any unsafe operations, making @safe the correct annotation.

source/dcell/termio.d (3)

59-62: LGTM: Constructor correctly annotated.

Simple assignment of a string parameter to a member variable is correctly marked nothrow @safe.

113-118: @trusted is appropriate here, but note the mixed safety levels.

The save() method is marked @trusted which is correct since it calls isatty() and tcgetattr() (C library functions). However, it also throws exceptions via throw and enforce, which is fine since it's not marked nothrow.

314-318: Verify that wasResized(fd) maintains @nogc contract.

The resized() method is marked nothrow @safe @nogc, and it calls wasResized(fd). Ensure that wasResized (line 421) also maintains the @nogc contract, which it does (nothrow @trusted @nogc).

source/dcell/ttyscreen.d (4)

316-327: LGTM: Pure cell buffer operations correctly marked @safe.

The clear() method performs safe operations on the cell buffer. The @safe annotation is appropriate.

383-386: LGTM: Accessor correctly marked with full safety guarantees.

The colors() getter is appropriately marked const pure nothrow @safe since it only returns a struct field value.

605-616: LGTM: Internal I/O helpers correctly marked @safe.

The puts() and flush() methods use OutBuffer operations which are @safe. The flush() method calls ti.write() and ti.flush() which should be @safe or @trusted (verified in termio.d and wintty.d).

449-502: No action needed - @safe compatibility is correctly maintained.

All methods called by waitForEvent are properly marked:

  • parser.events() is @safe
  • parser.parse() is @safe
  • ti.resized() is @safe
  • ti.read() is @trusted

A @safe function can correctly call @trusted functions. The read() method is appropriately marked @trusted because it performs OS-level system calls that require unsafe operations; this is the intended design for FFI and platform-specific code.

@gdamore
fix: make dcell fully @safe for consumers (fixes #10)
f0ba4d9 
While here, the copyrights for files updates this year are updated for 2025.
@gdamore gdamore merged commit 6776836 into main Dec 15, 2025
4 of 5 checks passed
@gdamore gdamore deleted the safe branch December 15, 2025 01:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@gdamore