@trusted considered harmful
Andrei Alexandrescu
SeeWebsiteForEmail at erdani.org
Sat Jul 28 07:02:43 PDT 2012
On 7/27/12 8:08 PM, David Nadlinger wrote:
> First, there is no point in having @trusted in the function signature.
> Why? From the perspective of the caller of the function in question,
> @safe and @trusted mean exactly the same thing. If you are not convinced
> about that, just consider that you can wrap any @trusted function into a
> @safe function to make it @safe, and vice versa.
If @trusted is not part of the signature, we can't enable e.g. analyzers
that verify an entire program or package to be safe. This is not
something that's currently used, but I'd hate to look back and say,
"heck, I hate that we conflated @trusted with @safe!"
> One issue is that the distinction unnecessarily restricts the
> implementation in terms of interface stability. Yes, @safe and @trusted
> are equivalent from the caller's perspective, but they are mangled
> differently. This means that changing a function signature from one to
> the other is a breaking change to the ABI, and as the mangled name is
> available in the program (which is e.g. what
> std.traits.FunctionAttributes), also to the API.
I salute this quest for stability, but I don't find it the argument all
that compelling. If one makes changes to a library, well, some changes
will require clients to relink. Some don't. I don't see why we'd make a
thing of the particular change @safe <-> @trusted. Is this often,
fundamental, big,...?
> Thus, you can't just change @trusted to @safe or vice versa on the
> implementation side if you make changes code which require @trusted,
> resp. cause it to be no longer needed.
Can't parse this sentence following "if you make changes code..."
> But the much bigger problem is that @trusted doesn't play well with
> template attribute inference and makes it much too easy to accidentally
> mark a function as safe to call if it really isn't. Both things are a
> consequence of the fact that it can be applied at the function level
> only; there is no way to apply it selectively to only a part of the
> function.
This could be a more serious problem. Could you please write a brief
example that shows attribute deduction messing things up? I don't
understand how marking a template as @trusted is bad.
> The obvious solution is to add a "@trusted"
> declaration/block, which would allow unsafe code in a certain region.
This is sensible, but I fail to figure how it adds value over marking
functions as @trusted. Sure, it's finer-grained, but it's also less
structured.
Andrei
More information about the Digitalmars-d
mailing list