@trusted attribute should be replaced with @trusted blocks
timon.gehr at gmx.ch
Thu Jan 16 23:31:15 UTC 2020
On 16.01.20 12:50, Joseph Rushton Wakeling wrote:
> On Thursday, 16 January 2020 at 03:34:26 UTC, Timon Gehr wrote:
>> @safe does not fully eliminate risk of memory corruption in practice,
>> but that does not mean there is anything non-absolute about the
>> specifications of the attributes.
> Would we be able to agree that the absolute part of the spec of both
> amounts to, "The emergence of a memory safety problem inside this
> function points to a bug either in the function itself or in the
> initialization of the data that is passed to it" ... ?
More or less. Two points:
- The _only_ precondition a @trusted/@safe function can assume for
guaranteeing no memory corruption is that there is no preexisting memory
- For callers that threat the library as a black-box, this definition is
essentially sufficient. (This is why there is not really a reason to
treat the signatures differently to the point where changing from one to
the other is a breaking API change.) White-box callers get the
additional language guarantee that if the function corrupts memory, that
happens when it executed some bad @trusted code and this is the
motivation behind having both @safe and @trusted. @system exists because
in low-level code, sometimes you want to write or use functions that
have highly non-trivial preconditions for ensuring no memory corruption
> (In the latter case I'm thinking that e.g. one can have a perfectly,
> provably correct @safe function taking a slice as input, and its
> behaviour can still get messed up because the user initializes a slice
> in some crazy unsafe way and passes that in.)
That is preexisting memory corruption. If you use @trusted/@system code
to destroy an invariant that the @safe part of the language assumes to
hold for a given type, you have corrupted memory.
>> As I am sure you understand, if you see a @safe function signature,
>> you don't know that its implementation is not a single @trusted
>> function call
> Yes, on this we agree. (I even mentioned this case in one of my posts
>> so the difference in signature is meaningless unless you adhere to
>> specific conventions
> Here's where I think we start having a disagreement. I think it is
> meaningful to be able to distinguish between "The compiler will attempt
> to validate the memory safety of this function to the extent possible
> given the @trusted assumptions injected by the developer" (which _might_
> be the entirety of the function), versus "The safety of this function
> will definitely not be validated in any way by the compiler".
> Obviously that's _more_ helpful to the library authors than users, but
> it's still informative to the user: it's saying that while the _worst
> case_ assumptions are the same (100% unvalidated), the best case are not.
It is possible to write a @trusted function that consists of a single
call to a @safe function, so you are assuming a convention where people
do not call @safe code from @trusted code in certain ways. Anyway, my
central point was that it is an implementation detail. That does not
mean it is necessarily useless to a user in all circumstances, but that
someone who writes a library will likely choose to hide it.
>> (which the library you will be considering to use as a dependency most
>> likely will not do).
> Obviously in general one should not assume virtue on the part of library
> developers. But OTOH in a day-to-day practical working scenario, where
> one has to prioritize how often one wants to deep-dive into
> implementation details -- versus just taking a function's signature and
> docs at face value and only enquiring more deeply if something breaks --
> it's always useful to have a small hint about the best vs. worst case
Right now, the library developer has a valid incentive to actively avoid
@trusted functions in their API. This is because it is always possible,
@trusted is an implementation detail and changing this detail can in
principle break dependent code. (E.g., a template instantiated with a
@safe delegate will give you a different instantiation from the same
template instantiated with a @trusted delegate, and if e.g., you have
some static cache in your template function, a change from @safe to
@trusted in some API can silently slow down the downstream application
by a factor of two, change iteration orders through hash tables, etc.)
> It's not that @safe provides a stronger guarantee than @trusted, it's
> that @trusted makes clear that you are definitely in worst-case
> territory. It's not a magic bullet, it's just another data point that
> helps inform the question of whether one might want to deep-dive up
> front or not (a decision which might be influenced by plenty of other
> factors besides memory safety concerns).
> The distinction only becomes meaningless if one is unable to deep-dive
> and explore the library code.
I just think that if you are willing to do that, you should use e.g.
grep, not the function signature where a competent library author will
likely choose to hide @trusted as an implementation detail.
More information about the Digitalmars-d