@trust is an encapsulation method, not an escape
Andrei Alexandrescu via Digitalmars-d
digitalmars-d at puremagic.com
Fri Feb 6 17:43:00 PST 2015
On 2/6/15 3:21 PM, weaselcat wrote:
> On Friday, 6 February 2015 at 23:02:54 UTC, Zach the Mystic wrote:
>
>> No, at least three of us, Steven, H.S. Teoh and myself have confirmed
>> that we've moved beyond requesting @trusted blocks. We are no longer
>> requesting them. We are requesting *@system* blocks, which can only
>> appear in @trusted and @system functions. Any unsafe code appearing in
>> a @trusted function which is not inside a @system block is an error.
>> We've changed the name, but I think it will make a world of difference
>> regarding how you will look at it. Marking '@system' code inside a
>> @trusted function is exactly what is requested. Your message about
>> '@trusted' being only acceptable as an interface has been heard. There
>> will be no @trusted blocks, only @system blocks, which are the exact
>> same thing, except they can only appear in @trusted and @system
>> functions.
>>
>> This solution appeals to me greatly. It pinpoints precisely where
>> unsafe code can generate; it catches unintended safety violations in
>> all @trusted code outside @system blocks, as requested by many people
>> so far; it makes systems programming highly visible, with redundancy
>> at the function signature and at the unsafe code itself. I really
>> think it's spot on!
>
> this sounds interesting, is anyone going to make a DIP for it?
Consider the previous code:
https://github.com/D-Programming-Language/phobos/blob/accb351b96bb04a6890bb7df018749337e55eccc/std/file.d#L194
that got replaced with:
https://github.com/D-Programming-Language/phobos/blob/master/std/file.d#L194
With the system proposal we're looking at something like:
version (Posix) void[] read(in char[] name, size_t upTo = size_t.max)
@trusted
{
    import core.memory;
    // A few internal configuration parameters {
    enum size_t
        minInitialAlloc = 1024 * 4,
        maxInitialAlloc = size_t.max / 2,
        sizeIncrement = 1024 * 16,
        maxSlackMemoryAllowed = 1024;
    // }

    @system
    {
        immutable fd = core.sys.posix.fcntl.open(name.tempCString(),
            core.sys.posix.fcntl.O_RDONLY);
    }
    cenforce(fd != -1, name);
    scope(exit) core.sys.posix.unistd.close(fd);

    stat_t statbuf = void;
    @system
    {
        cenforce(trustedFstat(fd, trustedRef(statbuf)) == 0, name);
    }

    immutable initialAlloc = to!size_t(statbuf.st_size
        ? min(statbuf.st_size + 1, maxInitialAlloc)
        : minInitialAlloc);
    void[] result = uninitializedArray!(ubyte[])(initialAlloc);
    scope(failure) delete result;
    size_t size = 0;

    for (;;)
    {
        @system
        {
            immutable actual = core.sys.posix.unistd.read(fd,
                result.ptr + size,
                min(result.length, upTo) - size);
        }
        cenforce(actual != -1, name);
        if (actual == 0) break;
        size += actual;
        if (size < result.length) continue;
        immutable newAlloc = size + sizeIncrement;
        @system
        {
            result = GC.realloc(result.ptr, newAlloc,
                GC.BlkAttr.NO_SCAN)[0 .. newAlloc];
        }
    }

    @system
    {
        return result.length - size >= maxSlackMemoryAllowed
            ? GC.realloc(result.ptr, size, GC.BlkAttr.NO_SCAN)[0 .. size]
            : result[0 .. size];
    }
}
We want to move D forward, folks. This is not it.
Andrei
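For contrast with the @system-block sketch above, here is the encapsulation style the subject line refers to, written as an added example (it is neither code from this thread nor Phobos's std.file.read): each @trusted function is a small wrapper whose interface is safe to call with any arguments, so the file-reading loop itself can be @safe. The names readFile, trustedOpen, trustedRead and trustedClose, the 16 KiB growth step, and the use of errnoEnforce/text for error reporting are this example's own choices, not anything the post specifies.

```d
// Added example, not from the thread or Phobos: narrow @trusted wrappers
// with safe interfaces, consumed by a @safe caller.
import core.sys.posix.fcntl : open, O_RDONLY;
import core.sys.posix.unistd : close, read;
import core.sys.posix.sys.types : ssize_t;
import std.algorithm.comparison : min;
import std.conv : text;
import std.exception : errnoEnforce;
import std.string : toStringz;

// The string is NUL-terminated by toStringz, so open() never reads past it.
private int trustedOpen(in char[] name) @trusted
{
    return open(name.toStringz(), O_RDONLY);
}

// The byte count handed to read() comes from the slice length, so the
// kernel cannot write past the caller's buffer whatever the caller passes.
private ssize_t trustedRead(int fd, ubyte[] buf) @trusted
{
    return read(fd, buf.ptr, buf.length);
}

private void trustedClose(int fd) @trusted
{
    close(fd);
}

// @safe: every memory-relevant decision (buffer bounds, growth) is made here
// under the compiler's checks; only the three wrappers above touch raw APIs.
ubyte[] readFile(in char[] name, size_t upTo = size_t.max) @safe
{
    enum size_t chunk = 16 * 1024;   // growth step, chosen for this example

    immutable fd = trustedOpen(name);
    errnoEnforce(fd != -1, text("cannot open ", name));
    scope(exit) trustedClose(fd);

    ubyte[] result;
    size_t size = 0;
    for (;;)
    {
        if (result.length == size)
            result.length += chunk;          // GC-managed growth, @safe
        immutable want = min(result.length - size, upTo - size);
        if (want == 0) break;                // reached upTo
        immutable got = trustedRead(fd, result[size .. size + want]);
        errnoEnforce(got != -1, text("read failed on ", name));
        if (got == 0) break;                 // EOF
        size += got;
    }
    return result[0 .. size];
}
```

The security-relevant difference from a @system-block approach is where the audit burden lands: here a reviewer only has to check that each three-line wrapper is safe for every possible argument, and the compiler then verifies the loop, the slicing and the growth logic in readFile as ordinary @safe code.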