Manu's `shared` vs the @trusted promise
ag0aep6g
anonymous at example.com
Tue Oct 23 11:24:27 UTC 2018
On 23.10.18 12:23, Dukc wrote:
> This does not only apply to builtin arrays. It also applies to RAII or
> refcounted memory resources made safe with DIP1000
Absolutely. And they would be (or are) in violation of a strong @trusted.
[...]
> Perhaps you're right. But IMO the proposed struct would definitely be
> low-level and fundamental enough to warrant an exception to that rule.
Maybe. But then the proposer has to spend time and nerves justifying the
exception against fundamentalists like me or the more prestigious Timon
Gehr. If marking the fields as `shared` is enough to maintain a strong
@trusted, then that's a really simple way of making everyone happy.
> Note, I'm not saying I support what Manu proposed, just that the
> argument about strong @trusted should not stop the proposal if we
> otherwise like it.
I guess it comes down to how much value one assigns to a strong
@trusted. Myself, I think that a strong @trusted/@safe is really, really
nice. And I'd like to think that it can be maintained without any
exceptions.
For non-`shared` safety-critical variables (reference count, etc.),
there doesn't seem to be a nice solution to the problem, yet. We could
mark them with Manu's `shared` just to force a non- at safe cast. But that
would be silly, they're not shared in any way.
Instead, maybe we could let @system apply to variables. It would forbid
accesses from @safe code. Then (strongly) @trusted code can rely on them.
Without a language change, an idiom like this might do the trick:
----
struct Array(T)
{
Unsafe!size_t length;
Unsafe!(T*) ptr;
ref int opIndex(size_t i) @trusted
{
if (i >= length) throw new Error("");
return ptr[i];
}
}
struct Unsafe(T)
{
void[T.sizeof] data;
ref T get() @system { return * cast(T*) &data; }
alias get this;
}
@safe unittest
{
Unsafe!int x;
int y;
static assert(!__traits(compiles, x = 42));
static assert(!__traits(compiles, y = x));
}
@system unittest
{
Unsafe!int x;
x = 42;
assert(x == 42);
int y = x;
assert(y == 42);
}
----
More information about the Digitalmars-d
mailing list