Discussion Thread: DIP 1028--Make @safe the Default--Final Review
aliak
something at something.com
Wed Apr 8 15:52:04 UTC 2020
On Wednesday, 8 April 2020 at 13:58:12 UTC, Steven Schveighoffer
wrote:
> On 4/8/20 9:35 AM, aliak wrote:
>> On Wednesday, 8 April 2020 at 13:09:33 UTC, Steven
>> Schveighoffer wrote:
>>> On 4/7/20 10:01 PM, Timon Gehr wrote:
>>>> [...]
>>> [...]
>>
>> It really feels like you and Timon are talking past each other
>> based on mixing up extern(C) declarations and extern(C)
>> definitions?
>
> No, I think we both understand that difference. I actually
> understand the point of view of Timon and Jonathan and agree
> with that point of view, I just think the restriction isn't
> helpful, and is just going to cause busywork for no true
> benefit.
Ok 👍My bad then.
>
>>
>> You can't mechanically check an extern(C) function declaration
>> with no source code. And @trusted on a mechanically checked
>> extern(C) function definition doesn't help anyone.
>
> If you have an extern(C) function that is mechanically checked
> @safe, should you have to mark the prototype @trusted? This is
> the question we are discussing.
Ah, then yeah, as mentioned above, I'm in your boat; if it's
mechanically checked then there's no need to mark it @trusted,
that'd just be a waste of time in the hunt for memory corruption.
>
> My opinion is that requiring a marking of @trusted doesn't make
> anything safer or more correct. If the function all of a sudden
> becomes @system (truly @system, and not semantically safe),
> then the @trusted is still a lie.
>
> The result is just going to be people ignoring @trusted C
> prototypes beyond the prototype definition itself, so it makes
> @trusted less of a red flag than it should be.
>
> If you see:
>
> @trusted extern(C) void memcpy(void *dest, void *src, size_t
> size)
>
> Then this is obviously wrong, and should be @system. It
> wouldn't be any different for a @safe marking.
Yes it would? If this was @safe I wouldn't need to check its
usage sights because I'm supposed to trust that @safe can only be
applied to functions that are mechanically checked. If it's
@trusted then I know I need to check it's usage sights because
it's not mechanically guaranteed to be a safe function.
>
> If you see:
>
> @trusted extern(C) void copy(ubyte[] dest, ubyte[] src)
>
> Then you are going to go check it, see that it's really @safe
> in the implementation, and start ignoring such prototypes as
> flags. Maybe you comment on it so next time you don't waste
> time going to check that one:
Yes, if I go to that definition and see that the body is @safe
then I'll be annoyed. If that's a prototype to a function defined
in a C library then it should not be allowed to be marked @safe.
>
> // really @safe in implementation
> @trusted extern(C) void copy(ubyte[] dest, ubyte[] src)
>
> Now, if it all of a sudden changes to @system, your @trusted
> tag is still ignored, just like it was marked @safe. That is my
> point. It doesn't change what is interpreted by a reviewer to
> require @trusted, it just adds busywork to shut up the compiler.
>
> In the end, the difference between @safe and @trusted on an
> extern(C) function prototype is documentation. functionally,
> they are equivalent.
>
> -Steve
More information about the Digitalmars-d
mailing list