vibe.d: problematic "Non-@safe methods are deprecated in REST interfaces"

Jonathan M Davis newsgroup.d at jmdavisprog.com
Wed Jul 11 08:57:54 UTC 2018


On Wednesday, 11 July 2018 01:46:10 MDT Piotr Mitana via Digitalmars-d-learn wrote:
> On Tuesday, 10 July 2018 at 13:24:43 UTC, WebFreak001 wrote:
> > It's supposed to make webservers safe and not crash because of
> > segmentation faults, etc.
> >
> > If you still want to write code like you are used to and don't
> > care about that in your webserver, just mark everything in the
> > implementation @trusted (but @safe in the interface) and it
> > will be fine.
>
> I understand the motivation of this and this motivation is
> undoubtedly correct.
>
> The problem is when you use the libraries, especially those
> interfacing with C code. The intention of @trusted is to use it
> to mark the code that *is* memory safe, but it cannot be verified
> automatically by the compiler (for example required checks are
> done before an array access).
>
> That's why there is a problem with the libraries that are *not*
> safe - or at least I don't know the code and cannot verify that
> they are.

Well, you should be able to at least verify that your usage of the library
is @safe. The internals may have problems, but if you've verified all of
your code and marked it as @trusted, then the compiler can check the rest of
your code, and if there _is_ a memory corruption problem, you know where to
look - any @trusted code and then any libraries you're using. But if you
just give up and let all of your code be @system, then you lose out on all
of the benefits of the compiler verifying your code. The C bindings in
druntime are typically marked with @trusted so long as their API is @safe
(and thus any @safety bugs in using it are inside the C implementation and
not due to misusing the function), since if we don't do that, then @safe
becomes pretty useless pretty fast in real world programs. At some point,
you have to trust that the C functions are doing their jobs properly, but
regardless of whether they are, @trusted allows you to narrow down the
problem when there is a memory corruption issue while allowing most of your
program to be verified by the compiler - which is the point.

- Jonathan M Davis
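An added example of the layering described above (not code from vibe.d or from anyone in the thread): the druntime C binding memchr is the only @system piece, a single small @trusted wrapper gives it a D-level API that cannot be misused from @safe code, and the REST-style interface and its implementation stay @safe. The interface, class and function names are made up for the illustration.

```d
// Added illustration, not code from vibe.d or the thread. The point: keep
// @trusted to one narrow wrapper whose API is itself safe to call, so a
// memory-corruption bug can only live in that wrapper or in the C library.
import core.stdc.string : memchr;     // raw pointer + length, @system in druntime
import std.string : representation;   // string -> immutable(ubyte)[], @safe

/// @trusted is justified here: the only pointer handed to C is buf.ptr and the
/// only length is buf.length, so C never reads past the slice @safe code gave us.
ptrdiff_t indexOfByte(const(ubyte)[] buf, ubyte c) @trusted nothrow @nogc
{
    if (buf.length == 0)
        return -1;                    // never hand C a possibly-null pointer
    const p = memchr(buf.ptr, c, buf.length);
    return p is null ? -1 : (cast(const(ubyte)*) p) - buf.ptr;
}

// What NOT to mark @trusted: a wrapper that still takes a raw pointer, e.g.
//     size_t cStrlen(const(char)* p) @trusted { return strlen(p); }
// Its API can be misused from @safe code (unterminated or dangling pointer),
// so the @trusted label would be a lie; such a function has to stay @system.

// The REST-style interface is @safe, and so is the implementation; the only
// @trusted code it reaches is the wrapper above, which is where you look first
// (after the C library itself) if memory corruption ever shows up.
interface LineApi
{
    string firstLine(string payload) @safe;
}

class LineImpl : LineApi
{
    string firstLine(string payload) @safe
    {
        const i = indexOfByte(payload.representation, '\n');
        return i < 0 ? payload : payload[0 .. i];
    }
}

void main() @safe
{
    LineApi api = new LineImpl;
    assert(api.firstLine("GET /\r\nHost: x") == "GET /\r");
    assert(api.firstLine("no newline") == "no newline");
    assert(api.firstLine("") == "");   // empty slice path of the wrapper
}
```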
