Simplification of @trusted

ag0aep6g anonymous at example.com
Thu Jun 17 13:54:06 UTC 2021 

On 17.06.21 14:52, Ola Fosheim Grøstad wrote:
> When you ask for the next lexeme the lexer advances a pointer, if it 
> hits a zero character it stops advancing.
> 
> For this to be @trusted, by the safe-requirements, the lexer cannot 
> accept a filebuffer it has not allocated itself, as that makes it 
> possible for external code to overwrite the zeros.

That's right. An @trusted function cannot ever advance a pointer it 
received from the outside. It can only assume that the pointer can be 
dereferenced.

[...]
> The lexer should only require that the filebuffer invariant of unique 
> ownership and no borrowed pointers to hold. Then the lexer can add the 
> zero-character at the end of the buffer and it will be @safe.

You're losing me. You wrote that the lexer advances a pointer to a 
"character". I figure that means it has a `char*` parameter. What's a 
filebuffer? If it's a struct around a `char*`, why is the lexer 
manipulating the pointer directly instead of calling some method of the 
filebuffer?

An example in code (instead of descriptions) would go a long way.

[...]
> I don't think this is enough to prevent @safe code from tripping up 
> @trusted code as it would prevent many interesting ADTs from being 
> implemented efficently. Meaning, you would have to restrict yourself to 
> @safe practices (like bounds checks).

I'm sure many interesting types are not compatible with @safe/@trusted.

DIP 1000, Walter's @live experiments, and @system variables (DIP 1035 
[1]) might enable some more. The ideas in this thread might go 
somewhere, too.

[...]
> Ok, but it is not _realistic_ to think that D users will not write code 
> that they think is _good enough_ for their purpose. Since there is no 
> way to verify that they  adhere to idealistic principles, it won't happen.

I think there's almost a consensus that @trusted isn't quite good 
enough, exactly because no one can be bothered to use it as intended. 
That's why the incremental improvements mentioned above are being worked 
on. I don't think anyone is working on redesigning (or reinterpreting) 
the whole thing from the ground up. And I would expect strong push-back 
from Walter if someone tried.

> So, you can get Phobos to adhere to it, but basically no other libraries 
> will. And applications will most certainly make choices on a 
> case-by-case evaluation.

Phobos isn't even close to adhering to it. Yes, that's a problem.


[1] https://github.com/dlang/DIPs/blob/master/DIPs/DIP1035.md

More information about the Digitalmars-d mailing list