Manu's `shared` vs the @trusted promise

ag0aep6g anonymous at example.com
Tue Oct 23 11:24:27 UTC 2018


On 23.10.18 12:23, Dukc wrote:
> This does not only apply to builtin arrays. It also applies to RAII or 
> refcounted memory resources made safe with DIP1000

Absolutely. And they would be (or are) in violation of a strong @trusted.

[...]
> Perhaps you're right. But IMO the proposed struct would definitely be 
> low-level and fundamental enough to warrant an exception to that rule.

Maybe. But then the proposer has to spend time and nerves justifying the 
exception against fundamentalists like me or the more prestigious Timon 
Gehr. If marking the fields as `shared` is enough to maintain a strong 
@trusted, then that's a really simple way of making everyone happy.

> Note, I'm not saying I support what Manu proposed, just that the 
> argument about strong @trusted should not stop the proposal if we 
> otherwise like it.

I guess it comes down to how much value one assigns to a strong 
@trusted. Myself, I think that a strong @trusted/@safe is really, really 
nice. And I'd like to think that it can be maintained without any 
exceptions.

For non-`shared` safety-critical variables (reference count, etc.), 
there doesn't seem to be a nice solution to the problem, yet. We could 
mark them with Manu's `shared` just to force a non- at safe cast. But that 
would be silly, they're not shared in any way.

Instead, maybe we could let @system apply to variables. It would forbid 
accesses from @safe code. Then (strongly) @trusted code can rely on them.

Without a language change, an idiom like this might do the trick:

----
struct Array(T)
{
     Unsafe!size_t length;
     Unsafe!(T*) ptr;

     ref int opIndex(size_t i) @trusted
     {
         if (i >= length) throw new Error("");
         return ptr[i];
     }
}

struct Unsafe(T)
{
     void[T.sizeof] data;
     ref T get() @system { return * cast(T*) &data; }
     alias get this;
}

@safe unittest
{
     Unsafe!int x;
     int y;
     static assert(!__traits(compiles, x = 42));
     static assert(!__traits(compiles, y = x));
}

@system unittest
{
     Unsafe!int x;
     x = 42;
     assert(x == 42);
     int y = x;
     assert(y == 42);
}
----


More information about the Digitalmars-d mailing list