Is @trusted the wrong direction?

Sat Nov 9 23:44:06 UTC 2019

On Saturday, 9 November 2019 at 21:13:22 UTC, Dominikus Dittes 
Scherkl wrote:
> On Saturday, 9 November 2019 at 20:38:47 UTC, Alexandru 
> Ermicioi wrote:
>> ```d
>> import std.stdio;
>>
>> T trusted (T)(T delegate() @system dg) @trusted {
>>    return dg();
>> }
>>
>> void main() @safe
>> {
>>     writeln("Hello D");
>>
>>     ({
>>         writeln("C ", cast(void*) 1);
>>     }).trusted;
>> }
>> ```
>>
>> looks a lot better than anonymous functions that are called 
>> right away after being defined.
>
> Hmm. Only slightly better syntax, but more important doesn't 
> solve the other half of the problem: Forbidding non-lambda 
> trusted functions.
>
> The syntax I would prefer for trusted blocks is simply
>
> @trusted
> {
> }
>
> And everything between the @trusted and the opening bracket 
> (like function declarations) would be forbidden.

Implementation is trivial... I got tit to work in a small hour 
but the problem is that for now the safety really only works at 
the function level so the function properties have to be patch 
for the duration of the trusted block.

If someone wants to play a bit:

---
 From 8b4fc62610b54375b4824be28478dc11bd0023cf Mon Sep 17 00:00:00 
2001
From: Me <Me at nowhe.re>
Date: Sun, 10 Nov 2019 00:27:25 +0100
Subject: [PATCH] Allow partial trusting of a BlockStatment

- prevent usage of trusted delegates
- allow to infere @safe on func template containing these blocks
- reduce the scope of the manual verification, supposed to be 
done for @trusted
---
  src/dmd/parse.d        | 23 ++++++++++++++++++++++-
  src/dmd/statement.d    |  1 +
  src/dmd/statementsem.d | 17 +++++++++++++++++
  3 files changed, 40 insertions(+), 1 deletion(-)

diff --git a/src/dmd/parse.d b/src/dmd/parse.d
index 04cfc34e3..a57224b55 100644
--- a/src/dmd/parse.d
+++ b/src/dmd/parse.d
@@ -5383,6 +5383,27 @@ final class Parser(AST) : Lexer

          switch (token.value)
          {
+        case TOK.at:
+            auto n = peek(&token);
+            // @trusted { }
+            // ---
+            // ScopeBlockStatement:
+            //      Attributes? BlockStatement
+            //
+            if (n.value == TOK.identifier && 
isBuiltinAtAttribute(n.ident) == STC.trusted
+                && peekNext2 == TOK.leftCurly)
+            {
+                nextToken();
+                nextToken();
+                AST.Statement r = parseStatement(flags);
+                if (r.stmt == AST.STMT.Scope)
+                {
+                    (cast(AST.ScopeStatement) r).stc = 
AST.STC.trusted;
+                    // printf("trusted block parsed...\n");
+                }
+                return r;
+            }
+            goto Ldeclaration;
          case TOK.identifier:
              {
                  /* A leading identifier can be a declaration, 
label, or expression.
@@ -5565,7 +5586,7 @@ final class Parser(AST) : Lexer
          case TOK.pure_:
          case TOK.ref_:
          case TOK.gshared:
-        case TOK.at:
+        //case TOK.at:
          case TOK.struct_:
          case TOK.union_:
          case TOK.class_:
diff --git a/src/dmd/statement.d b/src/dmd/statement.d
index ea05cb75a..4a081e5a9 100644
--- a/src/dmd/statement.d
+++ b/src/dmd/statement.d
@@ -1009,6 +1009,7 @@ extern (C++) class ScopeStatement : 
Statement
  {
      Statement statement;
      Loc endloc;                 // location of closing curly 
bracket
+    STC stc;                    // indicate the block temporary 
attributes, @trusted only

      extern (D) this(const ref Loc loc, Statement statement, Loc 
endloc)
      {
diff --git a/src/dmd/statementsem.d b/src/dmd/statementsem.d
index 9276ffddb..ab1f1d234 100644
--- a/src/dmd/statementsem.d
+++ b/src/dmd/statementsem.d
@@ -420,6 +420,9 @@ private extern (C++) final class 
StatementSemanticVisitor : Visitor
      override void visit(ScopeStatement ss)
      {
          //printf("ScopeStatement::semantic(sc = %p)\n", sc);
+
+
+
          if (ss.statement)
          {
              ScopeDsymbol sym = new ScopeDsymbol();
@@ -427,6 +430,20 @@ private extern (C++) final class 
StatementSemanticVisitor : Visitor
              sym.endlinnum = ss.endloc.linnum;
              sc = sc.push(sym);

+            // patch the scope to apply a temporary trusting for 
@trusted { }
+            TypeFunction tf = sc.func ? 
sc.func.type.toTypeFunction() : null;
+            const TRUST tr = tf ? tf.trust : TRUST.init;
+            if (ss.stc == STC.trusted && tr != TRUST.init)
+            {
+                tf.trust = TRUST.trusted;
+                //printf("set block statement scope and parent 
func as trusted...\n");
+            }
+            scope(exit)
+            {
+                if (tf)
+                    tf.trust = tr;
+            }
+
              Statements* a = ss.statement.flatten(sc);
              if (a)
              {
--
2.17.2


---
