Index-assign in str should be unsafe

[SimonSapin]

As far as I understand, the str types have a pretty strong assumption that they contain valid UTF-8. Any method/function that could break this (such as push_bytes) is marked as unsafe.

However, it is possible to assign random bytes in the middle of a ~str, breaking the UTF-8 invariant:

rusti: let mut a = ~"test"; a[1] = 0x80; 
        (a.as_bytes().to_owned(), ::std::str::is_utf8(a.as_bytes()))
(~[116, 128, 115, 116], false)

I think that such assignments should only be allowed in unsafe code.

Update: str.as_mut_buf should also be unsafe, IMO.

[lilyball]

I had no idea str even allowed index-assign.

[SimonSapin]

@kballard forbidding it entirely could also fix the issue, but might be overkill.

[alexcrichton]

Hmm... This could be tricker than just forbidding assignment because this code compiles as well

fn main() {               
    let mut a = ~"test";  
    {                     
        let c = &mut a[2];
        *c = 0x32;        
    }                     
    println(a);           
}                         

[SimonSapin]

@alexcrichton I suppose we could also forbid (in safe code) to borrow mutable references to individual bytes in a string. Similarly, I believe that str.as_mut_buf() should be unsafe (but str.as_imm_buf() does not need to be.)

[thestinger]

I think we should just forbid index-assign and borrowing mutable references. It can still be done through unsafe methods, but doesn't need to be in the language as a feature.

The only unsafe language feature we have is raw pointer dereferencing so it's nice to keep it simple.

[thestinger]

Nominating for the backwards compatible milestone.

[thestinger]

as_mut_buf doesn't need to be unsafe because it passes you a raw pointer, which is unusable without unsafe

[catamorphism]

Accepted for well-defined. (Also: document what "unsafe" means, which is a separate issue.)