@trusted attribute should be replaced with @trusted blocks
Joseph Rushton Wakeling
joseph.wakeling at webdrake.net
Thu Jan 16 00:21:21 UTC 2020
On Wednesday, 15 January 2020 at 23:46:11 UTC, ag0aep6g wrote:
> You're saying that it is useful for me as a user of Phobos when
> I see that, for example, std.stdio.File.open is @trusted [1],
> right?
Yes, I am saying exactly that.
> I disagree. It doesn't mean anything other than @safe in that
> context. Knowing that the function is @trusted instead of @safe
> is of zero use to a user of Phobos. It cannot help them make
> any decision whatsoever.
I see what you're getting at here -- you mean that if we're
treating this function as a black box that I have no influence
over, then both @safe and @trusted mean the same thing in terms
of how that black box ought to behave.
But that doesn't mean the distinction isn't useful. It gives me
a clear indication that the code of this function (note, _the
code of this function_, not the code of other functions it might
call) could contain bugs that would allow memory safety
violations.
Contrast this with, say, Rust, where any function can do
something like this:
fn foo(x: &[int]) {
unsafe {
// any old horrible stuff can happen here
}
}
... where any number of memory safety bugs could exist in that
`unsafe { ... }` block, and yet there is no possible clue from
the API that this could be going on.
The fact that in a similar situation D forces you to annotate the
function with `@trusted`, and alert users to the _possibility_
that memory safety bugs could exist within the code of this
function, is useful information even if you can't access the
source code.
> I.e., it's a tool for library authors, not for library users.
> You clearly spoke of an "external" or "outside" user of the
> function before.
It's clearly much less useful to anyone who doesn't have access
to the source code (which doesn't mean it's not useful at all).
But in general, given the ability to read and search the source
code (which users as well as authors can do), it's very useful to
be able to ask the question: "Of the code in this project that
claims to be memory safe, which bits could actually contain
memory safety bugs?"
More information about the Digitalmars-d
mailing list