Concept proposal: Safely catching error

ag0aep6g via Digitalmars-d digitalmars-d at puremagic.com
Mon Jun 5 05:51:16 PDT 2017 

On 06/05/2017 11:50 AM, Olivier FAURE wrote:
> - But memory corruption is super bad, if a proved error *might* be 
> caused by memory corruption then we must absolutely throw the 
> potentially corrupted data away without using it.
> 
> - Besides, even without memory corruption, the same argument applies to 
> broken invariants; if we have data that breaks invariants, we need to 
> throw it away, and use it as little as possible.
> 
[...]
> 
> My proposal for solving these problems would be to explicitly allow to 
> catch Errors in @safe code IF the try block from which the Error is 
> caught is perfectly pure.
> 
> In other words, @safe functions would be allowed to catch Error after 
> try blocks if the block only mutates data declared inside of it; the 
> code would look like:
> 
>      import vibe.d;
> 
>      // ...
> 
>      string handleRequestOrError(in HTTPServerRequest req) @safe {
>          ServerData myData = createData();
> 
>          try {
>              // both doSomethingWithData and mutateMyData are @pure
> 
>              doSomethingWithData(req, myData);
>              mutateMyData(myData);
> 
>              return myData.toString;
>          }
>          catch (Error) {
>              throw new SomeException("Oh no, a system error occured");
>          }
>      }
> 
>      void handleRequest(HTTPServerRequest req,
>                         HTTPServerResponse res) @safe
>      {
>          try {
>              res.writeBody(handleRequestOrError(req), "text/plain");
>          }
>          catch (SomeException) {
>              // Handle exception
>          }
>      }
> 
> The point is, this is safe even when doSomethingWithData breaks an 
> invariant or mutateMyData corrupts myData, because the compiler 
> guarantees that the only data affected WILL be thrown away or otherwise 
> unaccessible by the time catch(Error) is reached.

But `myData` is still alive when `catch (Error)` is reached, isn't it?

[...]
> 
> What do you think? Does the idea have merit? Should I make it into a DIP?

How does `@trusted` fit into this? The premise is that there's a bug 
somewhere. You can't assume that the bug is in a `@system` function. It 
can just as well be in a `@trusted` one. And then `@safe` and `pure` 
mean nothing.

More information about the Digitalmars-d mailing list