@trusted attribute should be replaced with @trusted blocks

Timon Gehr timon.gehr at gmx.ch
Thu Jan 16 01:32:57 UTC 2020

On 16.01.20 02:07, Paul Backus wrote:
> On Wednesday, 15 January 2020 at 14:30:02 UTC, Ogi wrote:
>> If you think of it, it makes no sense for @trusted to be a function 
>> attribute. It doesn’t describe its behavior but its implementation. If 
>> you call a function, it should not be your concern; @safe and @trusted 
>> are the same thing for you. But these two attributes result in two 
>> different signatures. If a function expects a @safe callback, you 
>> can’t pass a @trusted function to it without @safe wrapping. If some 
>> library makes a function that used to be @safe @trusted, that’s a 
>> breaking change. Etc, etc. Why should we introduce complexity out of 
>> nowhere?
> To me, this is the only part of the argument against @trusted that's 
> really convincing. Having the @safe/@trusted distinction be part of the 
> type system and the ABI is almost 100% downside, and changing that would 
> eliminate some pain points at essentially no cost to the language.
> However, both of these issues can be fixed without a huge overhaul of 
> @trusted. The type-system issue can be fixed by introducing implicit 
> conversions between @safe and @trusted functions,

That's already how it works. The OP just didn't bother to check whether 
the claim is true:

void main(){
     void delegate()@safe dg0=()@trusted{}; // ok
     void delegate()@trusted dg1=()@safe{}; // ok

> and the ABI issue can 
> be fixed by changing how @trusted affects name mangling.
> ...

It's not just the ABI, it's also static introspection. The way to fix 
that is to treat `@trusted` functions as `@safe` functions from the 
outside. (E.g.., `typeof(()@trusted{})` would be `void delegate()@safe`.)

> Once these issues are fixed, the only remaining benefits of the proposed 
> overhaul are cosmetic, and IMO not worth the disruption they would cause.

More information about the Digitalmars-d mailing list