@system blocks and safer @trusted (ST) functions
jmh530
john.michael.hall at gmail.com
Tue Jul 27 16:36:48 UTC 2021
On Sunday, 25 July 2021 at 21:42:16 UTC, Ali Çehreli wrote:
> [snip]
> Existing code:
>
> 1) Replace @safe keywords with @trusted where the compiler
> complains. (No safety lost because @trusted will be behaving
> exactly like today's @safe.)
>
> 2) Add @system where the compiler complains. This is because
> all code is @trusted by default and @trusted is safe.
>
> Ali
I'd much rather add new attributes for new behavior than break
existing code. If you want @safe to not be able to call @trusted
functions, then introduce a new attribute with that behavior.
I think too much is trying to get shoehorned into the
@safe/@trusted/@system dichotomy.
I have favored the whitelist/blacklist approach that had been
discussed on the forums previously (ignoring bikeshedding on
names). @whitelist would only allow operations known to be memory
safe (so no @trusted escape hatch). @blacklist would be the
opposite of what is currently @safe, in that things that are not
allowed in @safe would have to be in a @blacklist function (or
block). This would contrast with @system, which basically allows
everything in them. Unmarked @system functions would be assumed
to be @blacklist, unless they can be inferred to be @whitelist.
Whether @whitelist is orthogonal to @blacklist (such that
everything that is not @whitelist must be @blacklist), I am not
100% sure on, but I would lean to putting things in @blacklist
only if they are not allowed in @safe currently, which may allow
for a middle ground. Regardless, a @whitelist function can only
call @whitelist functions. A @blacklist function can call any
kind of function it wants.
@safe functions would be able to call @whitelist functions, but
nothing would stop them from calling @trusted @blacklist
functions. @trusted or @system functions could call either
@whitelist or @blacklist functions (the use of these might make
it easier to narrow down where safety issues are). However, if
either @safe/@trusted/@system functions call @blacklist functions
(or include blocks) then they become @blacklist (either
explicitly or inferred). So this would distinguish an @safe
function that is @whitelist from one that is @blacklist. An @safe
function that is @whitelist is verified by the compiler not to
only use operations that the compiler verifies are memory safe,
while one that is @blacklist will have at some point called
@trusted functions that use @blacklist behavior and needs to be
manually verified.
This approach doesn't break any code and allows for a lot of the
flexibility that I think people want with the @safe system.
More information about the Digitalmars-d
mailing list