@system blocks and safer @trusted (ST) functions

claptrap clap at trap.com
Wed Jul 28 08:40:47 UTC 2021 

On Monday, 26 July 2021 at 16:45:07 UTC, jfondren wrote:
> On Monday, 26 July 2021 at 16:26:53 UTC, claptrap wrote:
>> Its a pointless exercise because your example is a red 
>> herring, but this breaks it.
> ...
>> And TBH I'm not even sure what your overall point is.
>
> It's a response to overly strong claims about what this DIP 
> will achieve:
>
> https://forum.dlang.org/post/fnhvydmbguyagcmaepih@forum.dlang.org
>> It is a response to the claim that "the compiler's assertions 
>> regarding your remaining @safe code might actually mean 
>> something." They mean exactly the same thing with your 
>> proposal as they do without it: that the @safe portion of the 
>> program does not violate the language's memory-safety 
>> invariants directly.

If you're saying the proposed "system blocks inside trusted 
functions" provide no advantage over teh current "trusted lambdas 
inside safe functions" yes thats true. But I think the point is 
trusted functions get more checking. Even if you say well you can 
achieve the same by just using a trusted lambda inside a safe 
function its not the same once you consider what people actually 
do.

If you have just one trusted function in your app, then switching 
to this new regime would automatically give you more checking.

You have to take into account how people will actually behave, 
even if you can technically achieve the same thing with the 
current system.


> And it's again from the perspective of someone reviewing a 
> patch rather than someone troubleshooting a bug. *Once there is 
> a memory error in your program*, then @safe helps you by 
> telling you to look elsewhere for the direct violation. If you 
> are reviewing patches with an eye towards not including a 
> memory error in your program, then @safe matters a lot less.

This is still mischaracterizing the problem, if you add safe code 
and it causes a memory error to occur in trusted or system code, 
the problem was already there. You're not adding a memory error, 
just changing the conditions so it is triggered.

It would be nice to have a system that would help with problems 
like that but I think its actually unreasonable, and probably 
impossible. And it's probably counterproductive to use examples 
like that to guide the design process. You're designing for 
constraints that cant be met.

More information about the Digitalmars-d mailing list