@system blocks and safer @trusted (ST) functions

Steven Schveighoffer schveiguy at gmail.com
Sun Jul 25 15:49:13 UTC 2021 

On Sunday, 25 July 2021 at 13:19:55 UTC, Paul Backus wrote:
> On Sunday, 25 July 2021 at 05:05:44 UTC, Bruce Carneal wrote:
>> At beerconf I committed to putting forward a DIP regarding a 
>> new syntactic element to be made available within @trusted 
>> functions, the @system block.  The presence of one or more 
>> @system blocks would enable @safe checking elsewhere in the 
>> enclosing @trusted function.
>
> Both before and after this proposal, there are 3 kinds of code:

4 kinds.

>
> 1. Code that is automatically checked for memory safety.

Split this into:

1. Code that is automatically checked for memory safety.
1a. Code that has portions that have mechanical checks, but 
overall still needs manual checking for memory safety.

> 2. Code that is assumed by the compiler to be safe, and must be 
> manually checked for memory safety.
> 3. Code that is not checked for memory safety, and is assumed 
> to be unsafe.
>
> Currently, (1) is marked `@safe`, (2) is marked `@trusted`, and 
> (3) is marked `@system`.

(1) and (1a) are marked `@safe`. The latter have `@trusted` 
lambdas but require manual verification. The difference between 1 
and 1a is pretty subtle.

>
> Under this proposal, (1) would be marked either `@safe` or 
> `@trusted`, (2) would be marked either `@trusted` or `@system`, 
> and (3) would be marked `@system`. I do not think this is an 
> improvement relative to the status quo.

Under this proposal (though I haven't seen exactly the proposal, 
but I think I've conversed with Bruce enough to have a good 
understanding), 1 becomes `@safe` *exclusively* (which is the 
main benefit), 1a becomes `@trusted`, 2 becomes legacy (marked 
`@trusted` but with no `@system` escapes) and IMO should be 
warned about to the user, 3 is still `@system`.

>
>> The problematic @trusted lambda escapes creeping in to "@safe" 
>> code could be replaced going forward by a more honestly named 
>> form, @trusted code with @system blocks. Best practices could 
>> evolve to the point that @safe actually meant @safe again.
>
> What makes `@trusted` lambdas problematic is that they 
> implicitly depend on everything in their enclosing scope, which 
> makes it easy for a change in the `@safe` portion of the code 
> to accidentally violate an assumption that the `@trusted` 
> portion depends on.
>
> If we want to address this issue at the language level, the 
> most direct solution is to require that `@trusted` lambdas make 
> their dependencies explicit. This can be done by requiring all 
> `@trusted` nested functions (of which lambdas are a special 
> case) to be `static`.

This doesn't solve the problem exactly. A `@trusted` lambda is a 
localized piece of code, and is prone to be abused with the 
justification "well, it's just for this one time, and I know what 
this function does". The compiler cannot enforce that the code 
inside (current) `@trusted` functions actually obeys the `@safe` 
API.

> Of course, this is a breaking change, so it would require a 
> deprecation process.

No, it shouldn't be. The idea is that `@trusted` code without 
`@system` escapes is still accepted as legacy code that works as 
before. I would recommend a message from the compiler though.

`@trusted` lambdas should be required to be static, though that 
still doesn't solve the abuse problem. Perhaps they should just 
be disallowed?

-Steve

More information about the Digitalmars-d mailing list