DIP 1028---Make @safe the Default---Community Review Round 1

H. S. Teoh hsteoh at quickfur.ath.cx
Sun Jan 5 04:07:52 UTC 2020


On Sat, Jan 04, 2020 at 10:35:19PM +0000, jxel via Digitalmars-d wrote:
[...]
> I looked at a few of the dub packages that work with the safe
> transition, some of them just had @trusted: at the top.
[...]

Yikes. Which packages are those?  Blanket @trusted at the top of a file
is a huge anti-pattern, and a big red flag that the code is *not* to be
trusted.

Proper use of @trusted dictates that it should be as small and as
contained as possible, and that it should only be applied to functions
that export a safe API. I.e., this:

	void trustedMemset(void* buf, size_t sz, ubyte data) @trusted

is flat-out wrong code, because there is no way to ensure that the
parameters received by the function are actually safe. The correct
signature is:

	void trustedMemset(void[] buf, ubyte data) @trusted

because the slice ensures that the length will always be consistent with
the actual buffer size when passed from @safe code. (Of course, all bets
are off if the caller is @system.)

There is no way you can check an entire module this way *and* ensure it
continues to obey this rule over time in the face of ongoing code
changes. (And that's not to mention the respective function bodies, all
of which must be vetted before it can be trusted.) I absolutely do not
trust any module that has @trusted: at the top.


T

-- 
Spaghetti code may be tangly, but lasagna code is just cheesy.
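To make the point concrete, here is an added example (not code from the original post) that puts both @trusted shapes from the message side by side and calls them from a @safe function; `trustedMemsetBad` and `fillFromSafe` are names introduced for this illustration.

```d
// Added example: the two @trusted shapes from the post, seen from @safe code.
import core.stdc.string : memset;

// Wrong shape (hypothetical name): nothing ties sz to the memory behind buf,
// so the @trusted label promises a safety this function cannot check.
void trustedMemsetBad(void* buf, size_t sz, ubyte data) @trusted
{
    memset(buf, data, sz);
}

// Right shape: a slice carries its own length. Called from @safe code the
// length is always consistent with the buffer, so the body stays in bounds.
void trustedMemset(void[] buf, ubyte data) @trusted
{
    memset(buf.ptr, data, buf.length);
}

// A @safe caller can only reach the C memset through such wrappers.
ubyte[] fillFromSafe() @safe
{
    auto heap = new ubyte[8];
    trustedMemset(heap, 0xFF);   // bounds are inherent in the slice

    // The bad shape also compiles from @safe: &heap[0] is a legal @safe
    // pointer and 1024 is just an integer. The out-of-bounds write would be
    // hidden behind the @trusted label, which is exactly why that signature
    // is wrong. Left commented out on purpose.
    // trustedMemsetBad(&heap[0], 1024, 0xFF);

    // Calling memset directly is rejected: @system function called from @safe.
    // memset(heap.ptr, 0, heap.length);
    return heap;
}

void main()
{
    import std.stdio : writeln;
    writeln(fillFromSafe());
}
```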

