Simplification of @trusted
Steven Schveighoffer
schveiguy at gmail.com
Thu Jun 17 19:23:36 UTC 2021
On 6/17/21 12:21 PM, Paul Backus wrote:
> On Thursday, 17 June 2021 at 14:30:58 UTC, Steven Schveighoffer wrote:
>> On 6/16/21 9:07 PM, Paul Backus wrote:
>>>
>>> It's impossible to guarantee, at the language level, that @safe code
>>> can never require manual review. The programmer is allowed to use any
>>> and all knowledge at their disposal to verify the memory safety of
>>> @trusted (or in your proposal, @system-block) code, including
>>> knowledge about @safe code.
>>
>> The goal is to guarantee that *as long as* your @trusted functions and
>> blocks have a @safe interface, then @safe code does not need to be
>> checked. When I say "not require review" I mean "I have checked all
>> the @trusted code, and it has a sound @safe interface, so all @safe
>> code that may call it have no need for review." We will never have a
>> marking that is language-guaranteed to not require review.
>>
>> To put it another way, as long as you aren't using @trusted escapes
>> that leak implementation details, your @safe code shouldn't need a
>> review. The problem is that trusted lambdas are not only the norm,
>> it's actually required, due to template inference.
>>
>> Right now, a @safe function can only be "assumed safe" as long as
>> there are no @trusted blocks in it. Once there is one trusted block,
>> then you have to review the whole function. The same thing goes for
>> data invariants (though that spreads to the whole module instead).
>>
>> Not having to review code for memory safety is supposed to be the
>> major point of @safe.
>
> Consider the following example:
>
> ```d
> size_t favoriteNumber() @safe { return 42; }
>
> int favoriteElement(ref int[50] array) @trusted
> {
> // This is memory safe because we know favoriteNumber returns 42
> return array.ptr[favoriteNumber()];
> }
> ```
>
> `favoriteElement` has a safe interface. There is no argument you can
> pass to it from `@safe` code that can possibly result in memory corruption.
>
> However, if you change `favoriteNumber` to return something different
> (for example, 69), this may no longer be the case. So changes to
> `favoriteNumber`--a `@safe` function with no `@trusted` escapes--must
> still be manually reviewed to ensure that memory safety is maintained.
But that's a different kind of problem. If favoriteNumber is allowed to
return anything above 49, then favoriteElement is invalid.
If favoriteNumber is *required* by spec to return 42, then it needs to
be reviewed to ensure that it does that. And then the @safe function
does not need to be reviewed for *memory* problems, just that it's
written to spec.
>
> There is no language change you can make (short of removing `@trusted`
> entirely) that will prevent this situation from arising.
Sure, code reviews on @safe code still need to happen to ensure they are
correct. But code reviews for *memory safety errors* which are *really
hard* to do right, should not be required.
It's similar to unit-tests. Instead of testing the whole project at
once, you test one thing, and if all the little things are correct, the
combination of things is valid.
-Steve
More information about the Digitalmars-d
mailing list