@system blocks and safer @trusted (ST) functions

jfondren julian.fondren at gmail.com
Tue Jul 27 21:05:52 UTC 2021 

On Tuesday, 27 July 2021 at 16:36:48 UTC, jmh530 wrote:
> On Sunday, 25 July 2021 at 21:42:16 UTC, Ali Çehreli wrote:
>> [snip]
>> Existing code:
>>
>> 1) Replace @safe keywords with @trusted where the compiler 
>> complains. (No safety lost because @trusted will be behaving 
>> exactly like today's @safe.)
>>
>> 2) Add @system where the compiler complains. This is because 
>> all code is @trusted by default and @trusted is safe.
>>
>> Ali
>
> I'd much rather add new attributes for new behavior than break 
> existing code. If you want @safe to not be able to call 
> @trusted functions, then introduce a new attribute with that 
> behavior.
>
> I think too much is trying to get shoehorned into the 
> @safe/@trusted/@system dichotomy.
>

Presently D is shoehorning two different usages into 
@safe/@trusted/@system:

1. the documented usage: @safe for checked @safe functions, 
@system for unrestricted functions, and @trusted for a 
manually-reviewed interface between the two. (complaint: @trusted 
functions check too little)

2. a usage people have moved to, where the manually-reviewed 
interfaces are now @trusted function literals embedded inside 
@safe functions. (complaint: '@trusted blocks' are too hard to 
review and their containing @safe functions are misleadingly 
'safe')

So that's already two ways to write SafeD code and both are found 
wanting. With @whitelist/@blacklist there'd be a third way. At 
that point, why not a fourth? I'm sure some people would like a 
single @unsafe attribute, and maybe it could be justified by a 
late discovery of a serious complaint with @whitelist/@blacklist. 
And then we could have a function signature containing `@trusted 
@whitelist @unsafe`, and then we could have a "The Nightmare of 
Memory Safety in D" video at cppcon.

Opposite the Scylla of "breaking code" isn't safe open water, but 
the Charbydis of "having to explain SafeD to a skeptical newbie." 
Why five attributes? Because three wasn't enough.

The immediate result of this DIP would also be three SafeD styles:

1. legacy code doing it as previously documented, #1 above

2. legacy code doing it with '@trusted blocks', #2 above

3. the new way of @safe functions without compromise, @trusted 
functions containing @system blocks, and @system functions

But as #3 solves the problems people had with #1 and #2, the 
farther-off result is just one SafeD again, this time also with 
the documentation matching what experts actually do.

More information about the Digitalmars-d mailing list