@trusted considered harmful

Andrei Alexandrescu SeeWebsiteForEmail at erdani.org
Sat Jul 28 09:16:42 PDT 2012


On 7/28/12 10:34 AM, Artur Skawina wrote:
> On 07/28/12 15:47, Andrei Alexandrescu wrote:
>> On 7/28/12 7:05 AM, Artur Skawina wrote:
>>> On 07/28/12 02:08, David Nadlinger wrote:
>>>> @trusted in its current form needs to go. Its design is badly broken, as it leaks implementation details and encourages writing unsafe code.
>>>
>>> The problem with @trusted is that it is transitive.
>>>
>>> @trusted should allow unsafe operations in the covered scope (right now -
>>> the function), but disallow calling unsafe (@system) code.
>>
>> No. Trusted means "hand-checked, good to go". It can do anything.
>
> Exactly, but the only way for it to mean anything is if it really /can/
> be hand-checked.

It means someone stares at it until the goat dies.

> A "trusted" function that calls arbitrary, potentially
> unsafe code cannot be trusted.

I think you have it all wrong. Trusted means it's verified by a human, 
not by a formal method. The compiler allows it to do anything.

> You can't audit code that isn't available.

Correct. If you make e.g. syscalls into a closed-source OS you trust 
that function to not have bugs. It's a decision made by the human who 
annotates @trusted.

> So the result is bugs (like the ones mentioned in this thread), where @safe
> is bypassed, because the @trusted functions aren't expecting to be used
> with "unsafe" ones. @trusted bypasses *all* safety checks, not just those
> in the hand-checked code. This is something that you will want sometimes,
> but in most cases is neither necessary nor desirable. When dealing with
> safety one has to be conservative. The proposals to limit the scope of
> @trusted only address the symptoms, not the cause. If the design is fixed,
> many of the reasons for introducing the finer-grained @trusted disappear,
> and it is the truly unsafe (@trusted that calls @system) code that needs
> the extra annotations -- which is a good thing. Papering over design bugs
> never is.

I don't understand what you suggest here. Is it a sort of a refinement 
of @trusted?


Andrei
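The @safe/@trusted/@system interaction being argued about above, as an added example that is not part of the original post or of any D library code. The function names (`offset`, `readUnchecked`, `readChecked`, `caller`) and the sample array are constructed for illustration; the example shows why the compiler accepts both @trusted wrappers unchanged, and what the "hand-checked" claim has to mean in practice for the second one to deserve the attribute.

```d
// Added example (not from the thread): how @trusted lets @safe code reach
// @system code, and what the hand-checked wrapper must actually do.
// Compile and run with: dmd -run trusted_example.d
import std.exception : assertThrown;

// @system: raw pointer arithmetic is rejected inside @safe code.
@system int* offset(int* p, size_t n) { return p + n; }

// A @trusted wrapper that forwards without checking. The compiler accepts
// it, so every @safe caller silently inherits whatever it gets wrong:
// an out-of-range index reads past the end of the array.
@trusted int readUnchecked(int[] arr, size_t i)
{
    return *offset(arr.ptr, i);
}

// A @trusted wrapper whose body establishes the invariant the @system call
// relies on. This is the shape the "verified by a human" reading requires:
// the trusted boundary is where the precondition is checked, because nothing
// inside offset() will do it.
@trusted int readChecked(int[] arr, size_t i)
{
    if (i >= arr.length)
        throw new Exception("index out of range");
    return *offset(arr.ptr, i);
}

// @safe code may call either wrapper; the compiler cannot tell them apart,
// which is exactly the thread's point about transitivity.
@safe int caller(int[] arr, size_t i)
{
    return readChecked(arr, i);
}

void main()
{
    int[] data = [10, 20, 30];          // constructed sample input
    assert(caller(data, 1) == 20);      // in range: normal read
    assertThrown!Exception(caller(data, 3)); // checked at the @trusted boundary
}
```

The practical consequence for reviewers is that a @trusted audit is an audit of the wrapper's preconditions, not just of the lines it contains: `readUnchecked` is a one-line function with no visible bug, yet it is the function that would let a @safe caller corrupt memory.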
