@trusted attribute should be replaced with @trusted blocks
Steven Schveighoffer
schveiguy at gmail.com
Thu Jan 16 15:45:46 UTC 2020
On 1/16/20 6:50 AM, Joseph Rushton Wakeling wrote:
> Obviously in general one should not assume virtue on the part of library
> developers. But OTOH in a day-to-day practical working scenario, where
> one has to prioritize how often one wants to deep-dive into
> implementation details -- versus just taking a function's signature and
> docs at face value and only enquiring more deeply if something breaks --
> it's always useful to have a small hint about the best vs. worst case
> scenarios.
>
> It's not that @safe provides a stronger guarantee than @trusted, it's
> that @trusted makes clear that you are definitely in worst-case
> territory. It's not a magic bullet, it's just another data point that
> helps inform the question of whether one might want to deep-dive up
> front or not (a decision which might be influenced by plenty of other
> factors besides memory safety concerns).
>
In fact, because of how the system works, @safe code is LESS likely to
mean what you think.
If you see a @safe function, it just means "some of this is mechanically
checked". It doesn't mean that the function is so much more solid than a
@trusted function that you can skip the review. It can have trusted
escapes that force the whole function into the realm of needing review.
I would say that today, @safe and @trusted are indistinguishable from
each other as a user of the function.
If we moved to a scheme more like I was writing about in the post you
quoted, then they actually do start to take on a more solid meaning.
It's still not fool-proof -- @safe functions can call @trusted
functions, which can call @system functions. BUT if everyone does the
job they should be doing, then you shouldn't be able to call @trusted
functions and corrupt memory, and you should not have to necessarily
review @safe functions. There are still cases where you still have to
review functions that are @safe which do not have inner functions that
are trusted. These are cases where data that is usually accessible to
safe functions can cause memory problems in conjunction with trusted
functions. When you need to break the rules, it's very hard to contain
where the rule breaking stops.
-Steve
More information about the Digitalmars-d
mailing list