@trust is an encapsulation method, not an escape

Walter Bright via Digitalmars-d digitalmars-d at puremagic.com
Thu Feb 5 20:39:47 PST 2015 

On 2/5/2015 8:20 PM, Dicebot wrote:
> I am not even sure how you can show the example though, to be honest - implied
> issues are about maintaining code and not just writing it.

Let's start with std.array.uninitializedArray():

    auto uninitializedArray(T, I...)(I sizes) nothrow @trusted

Note how it says it is 'trusted'. Yet it can be used to create an uninitialized 
array of pointers! There is no freakin' way this function should pass muster. 
Worse, multiple modules use it:

array.d:            return uninitializedArray!(Unqual!E[])(n);
array.d:auto uninitializedArray(T, I...)(I sizes) nothrow @trusted
array.d:    double[] arr = uninitializedArray!(double[])(100);
array.d:    double[][] matrix = uninitializedArray!(double[][])(42, 31);
array.d:    auto s1 = uninitializedArray!(int[])();
array.d:            return uninitializedArray!(T[])(n);
array.d:        auto result = uninitializedArray!(RetTypeElement[])(length);
array.d:            auto result = uninitializedArray!(RetTypeElement[])(length);
array.d:        auto result = uninitializedArray!(RetTypeElement[])(length);
file.d:    import std.array : uninitializedArray;
file.d:        auto buf = uninitializedArray!(ubyte[])(size);
file.d:        void[] result = uninitializedArray!(ubyte[])(initialAlloc);
numeric.d:    import std.array : uninitializedArray;
numeric.d:        auto memSpace = uninitializedArray!(lookup_t[])(2 * size);
numeric.d:        ret = uninitializedArray!(Complex!F[])(range.length);
numeric.d:        ret = uninitializedArray!(Complex!F[])(range.length);
parallelism.d:                auto buf = uninitializedArray!(MapType!(Args[0], 
functions)[])(len);
parallelism.d:                    temp = uninitializedArray!Temp(workUnitSize);
parallelism.d:                    temp = uninitializedArray!Temp(workUnitSize);
stdio.d:    import std.array : appender, uninitializedArray;
stdio.d:                buf = uninitializedArray!(char[])(i);
stdio.d:                buf = uninitializedArray!(char[])(i);
stdio.d:    import std.array : appender, uninitializedArray;
utf.d:        import std.array : uninitializedArray;
utf.d:        auto copy = uninitializedArray!(Unqual!OutChar[])(str.length + 1);

So I already know there are serious problems. Looking closer, I see there's 
another function:

auto minimallyInitializedArray(T, I...)(I sizes) nothrow @trusted

which initializes everything to 0, pointers and all. I agree this one can be 
trusted. The difference between their implementations is a parameter they pass 
to arrayAllocImpl(), which says whether to 0 it or not.

But really, it's only pointer types (and types composed of pointers) that make 
it system code. Since uninitializedArray() is a template, we can have two 
implementations for it that are statically selected based on the element type.
One is @system, when E is a type that contains a pointer. The other is @trusted, 
when E is not a pointer.

That solves that problem without great effort.

Upstream of uninitializedArray(), the only problem then is when it is called to 
generate an uninitialized array of pointers. In order to make the call safe, the 
caller must then ensure that the array gets initialized with safe values. And 
that code should be properly marked as @trusted, and not before.

I.e. start at the bottom, and work up until you find the right place to make it 
trusted. Rinse, repeat. I am not seeing where the problem with doing this is.

More information about the Digitalmars-d mailing list