@trust is an encapsulation method, not an escape
Paulo Pinto via Digitalmars-d
digitalmars-d at puremagic.com
Fri Feb 6 07:55:14 PST 2015
On Friday, 6 February 2015 at 15:14:14 UTC, Wyatt wrote:
> On Friday, 6 February 2015 at 13:42:40 UTC, Ola Fosheim Grøstad
> wrote:
>>
>> "cannot modify this without detailed review".
>>
> This quote from Ola, here? That basically describes my job
> maintaining big piles of legacy C: the compiler verifies
> nothing, so every change to the anything in the API of "safe"
> functions or anything in their entire call chain must be
> painstakingly reviewed.
>
> A single change generally takes me several days of research,
> verification, and testing. I fixed about 150 potential memory
> issues (and several really dumb logic errors) with Clang's
> static analysis when I first inherited the code; it took weeks.
> (And now writing new stuff using this "safe" API is turning up
> memory safety issues anyway!)
>
> So from my perspective, calling this situation "completely
> impractical" reveals a stunning gift for understatement. Is
> this really the best we can do after however many years?
> Because it blows.
>
> The current @trusted semantics (and accompanying politics) make
> it exceedingly clear that @safe is meaningless for anything
> beyond trivial, one-off tools that will never receive
> maintenance.
>
> -Wyatt
Exactly the reason why I never liked C and C++ only makes it
better if everyone on team stays away from Cisms and uses the
safer alternatives.
Now the C and C++ world finally accepted the use of static
analyzers, but I had the displeasure to try to find pointer
related issues without one, back in the .com days. As you say, it
takes weeks.
Regarding D, maybe @trusted should go away and only keep @system
(== unsafe in other languages), as it can hardly give any extra
security guarantee.
However, I don't see how to solve the human review process, as
that is an halting problem.
--
Paulo
More information about the Digitalmars-d
mailing list