Simplification of @trusted

H. S. Teoh hsteoh at quickfur.ath.cx
Wed Jun 16 18:11:18 UTC 2021 

On Wed, Jun 16, 2021 at 05:36:46PM +0000, Alexandru Ermicioi via Digitalmars-d wrote:
> On Wednesday, 16 June 2021 at 15:37:22 UTC, H. S. Teoh wrote:
[...]
> > This isn't the first time it was suggested.  Way back when, it was
> > brought up and rejected because Walter thought that @trusted blocks
> > should be discouraged, and therefore should be ugly to write.  It
> > was extensively argued, but Walter preferred the "trusted lambda
> > idiom", precisely because it was ugly, required effort to write, and
> > therefore deters casual (ab)uses of @trusted.
[...]
> Yet, it forces to make entire function trusted if lambdas are not
> used, and safe guarantees are lost to remainder of the code due to
> that.

Yeah, that's a flaw that ought to be fixed.  Marking an entire function
@trusted is generally a bad idea, unless it's a trivial function of 3-4
lines or less, because it turns off ALL safety checks in the function
body.  If the function is large, that's an onerous burden to review
whether or not the code is indeed trustworthy.  What we really want is
to keep those checks on except for the few bits of code that the
compiler cannot automatically verify.

This has also been suggested before, and people are saying it again (and
in principle I agree):

1) Change the meaning of @trusted such that in a @trusted function,
@safe checks are NOT suppressed by default. Instead, a @trusted function
allows @system blocks in its body where @safe checks are temporarily
suspended.

2) @system blocks are NOT allowed inside a @safe function.

Here's the reasoning:

- @trusted marks the *entire* function tainted and needing to be
  reviewed -- this is necessary because the safety of @system blocks
  therein often depends on the surrounding code context, and has to be
  reviewed in that larger context. It is not sufficient to review only
  the blocks containing @system code.

- Leaving @safe checks on outside @system blocks allows the @trusted
  function to be still mechanically checked to minimize human error.
  This allows the unchecked code to be confined to as small of a code
  block as possible.  Basically, limit the surface area of potential
  errors.

- We continue to maintain a difference between a @safe function and a
  @trusted function, because we do not want to allow @system blocks in a
  @safe function -- that would make @safe essentially meaningless
  (anybody can just throw in @system blocks in @safe code to bypass
  safety checks).  Such escapes are only allowed if the entire function
  is marked @trusted, making it clear that it potentially does something
  unsafe and therefore needs careful scrutiny.


T

-- 
One Word to write them all, One Access to find them, One Excel to count them all, And thus to Windows bind them. -- Mike Champion

More information about the Digitalmars-d mailing list