Programming Languages on Crack

Alexandru Ermicioi alexandru.ermicioi at gmail.com
Thu Jun 17 10:33:22 UTC 2021


On Thursday, 17 June 2021 at 02:02:58 UTC, Walter Bright wrote:
>
> That's for context. The rest will be about the @trusted proposal.
>
> The question is: Why is @trusted at the function level rather than
> at the statement level? It certainly seems more convenient to apply
> it with statement granularity, and it will save 4 characters of typing
> over the lambda approach. What could be wrong with that?
> And indeed, that so far appears to be the general reaction.
>
> The idea of putting it at the function level is to force (I know,
> that sounds bad, but indulge me for a moment) the programmer
> to think about the decomposition of programs into safe and unsafe
> code. Ideally, untrusted code should be encapsulated and segregated
> into separate sections of code, with clean, well-defined, well-considered,
> and well thought through interfaces.
Not always possible. Sometimes you have objects that are 90% 
safe, and only 10% not. Having dedicated functions or interfaces 
for those 10% is just plain and unneeded clutter. How would I 
even name those methods/interfaces?
>
> At statement level, one just schlepps @trusted in front and gives it
> no more consideration. It is thoughtlessly applied, the compiler error
> goes away, Mission Accomplished! It might as well be renamed
> the @shaddup attribute. Zero thought is given to carefully crafting
> a safe interface, because a safe interface to it is not required.
> Of course that's tempting.
Truth be told, I gave in to this temptation, though they were 
one-liners. But still I fear that this temptation is quite great, 
as not every software engineer is keen on keeping the highest degree 
of safety and code quality. That is why my concern is that the current 
use of @trusted and the trusted lambda might not be sufficient to make 
it quite convenient for an ordinary engineer to use them properly.

Note: There is a better proposal flying around, which makes 
trusted code be verified as safe, but allows system blocks 
inside. That, or its derived version, might be the best approach 
here imho.
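
For readers unfamiliar with the two forms being debated, the following is an added example, not code from either poster or from the D project. It puts a function-level @trusted next to the trusted-lambda idiom in current D; the `IntBuffer` type and its members are hypothetical names chosen for illustration.

```d
import core.stdc.stdlib : calloc, free;

// Hypothetical type: a heap-allocated int array with a @safe public interface.
struct IntBuffer
{
    private int* ptr;
    private size_t len;

    @disable this(this); // no copies, so the destructor frees exactly once

    // Function-level @trusted: nothing in this body is checked by the
    // compiler, so it has to be memory-safe for every possible argument.
    this(size_t n) @trusted
    {
        ptr = cast(int*) calloc(n, int.sizeof); // calloc rejects n * size overflow
        len = ptr is null ? 0 : n;
    }

    ~this() @trusted
    {
        free(ptr);
        ptr = null;
        len = 0;
    }

    // Trusted lambda inside @safe code: the bounds check is verified as
    // @safe, only the raw pointer index escapes checking. The lambda alone
    // has no safe interface; it is correct only because of the check
    // above it, so a reviewer still has to audit the whole function.
    int get(size_t i) @safe
    {
        if (i >= len)
            throw new Exception("index out of range");
        return (() @trusted => ptr[i])();
    }

    void set(size_t i, int value) @safe
    {
        if (i >= len)
            throw new Exception("index out of range");
        (() @trusted { ptr[i] = value; })();
    }
}

void main() @safe
{
    auto buf = IntBuffer(4);
    buf.set(2, 42);
    assert(buf.get(2) == 42);
}
```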
