DIP 1028---Make @safe the Default---Community Review Round 1

Steven Schveighoffer schveiguy at gmail.com
Thu Jan 9 20:33:00 UTC 2020

On 1/9/20 3:08 PM, ag0aep6g wrote:
> On Thursday, 9 January 2020 at 19:35:36 UTC, Steven Schveighoffer wrote:
>> If I could mark the whole thing trusted, and turn on the mechanical 
>> checking for everything except line X, then I'd do that instead.
> Well, you can do that:
>      void foo() @trusted
>      {
>          () @safe { /* ... stuff ... */ } ();
>          bar(1, 2, 3); /* line X */
>          () @safe { /* ... stuff ... */ } ();
>      }
> The problem is, of course, that you can't have `foo`'s safety inferred 
> based on "stuff". Which is what we usually want.

This turns on its head the lines you have to pay most attention to though :)

Basically, your job of manually checking such a function is to 1. 
establish which parts are not mechanically checked, and 2. verify they 
are ALWAYS correct (unlikely) or that they are correct based on the 
mechanically checked parts of the function.

In order to do that efficiently, I want to tag where the trouble spots 
may be. And these are likely to be MUCH fewer than the checked ones.

Put it another way, a safe function with no trusted escapes needs no 
checking. A safe function with one trusted escape needs each safe line 
checked in reference to the trusted escape. With 2 escapes, you need to 
check each line against 2 blocks, etc.

e.g. (to build on the previous example):

@safe void someFunction()
     int[4] data;
         data.ptr[3] = 42;

Looking at line 2 and 3, I can verify that no parts touch anything that 
might be affected by the trusted block. I don't need to check foo to see 
if it's safe when called with "argument", nor do I need to investigate 
bar(), I just need to know, it doesn't use anything that is currently 
affected by the trusted block. It makes my job easier as a manual 
checker. I only need to investigate the declaration of `data`, and the 
trusted block.

> I have actually used that pattern once in Phobos:
> https://github.com/dlang/phobos/blob/master/std/range/package.d#L1550-L1581
> I had to duplicate the code and use `__traits(compiles, ...)` to get 
> inference. So the result isn't exactly pretty. But the use of @trusted 
> is watertight, as far as I can tell.

Hm... this is an odd thing for sure. I probably would have done it this 
way though:

ref getR1() @trusted { return r1; }
ref getR2() @trusted { return r2; }

return r1Chosen ? ChooseResult(r1Chosen, getR1().save, getR2()) : 
ChooseResult(r1Chosen, getR1(), getR2().save);

But actually, is that right? Even if it's safe, it's a bad idea to copy 
the non-tagged item, as its contents are the contents for the other 
item. Shouldn't it be:

return r1Chosen ? ChooseResult(r1Chosen, getR1().save, R2.init) : 
ChooseResult(r1Chosen, R1.init, getR2().save);


More information about the Digitalmars-d mailing list