Fantastic exchange from DConf

Moritz Maxeiner via Digitalmars-d digitalmars-d at puremagic.com
Fri May 19 13:19:46 PDT 2017


On Friday, 19 May 2017 at 17:21:23 UTC, Dominikus Dittes Scherkl 
wrote:
> On Friday, 19 May 2017 at 15:52:52 UTC, Moritz Maxeiner wrote:
>> On Friday, 19 May 2017 at 15:12:20 UTC, Steven Schveighoffer
>>> I don't expect people to use Phobos and audit all the 
>>> @trusted blocks personally.
>>
>> As long as they don't actually call them, that's reasonable. 
>> But if your application ends up calling @trusted code and you 
>> did not audit that @trusted yourself, you have violated the 
>> @trusted requirement:
>> You cannot promise to the compiler that the code is memory 
>> safe since you have no knowledge of what it actually does.
> No. @trusted is about trust: you cannot rely on the compiler to 
> verify it, but the code is reviewed by humans.

Precisely. It is about trust the compiler extends to you, the 
programmer, instead of a mechanical proof (@safe):

"Trusted functions are guaranteed by the programmer to not 
exhibit any undefined behavior if called by a safe function. 
Generally, trusted functions should be kept small so that they 
are easier to manually verify." [1]

If you write an application that uses @trusted code - even from a 
third party library - *you* are the programmer that the compiler 
extends the trust to.


> So there is a  list of reviewers and if this list contains some 
> names you happen to trust (sic!) you don't have to audit the 
> code yourself.

Trust, but verify: Considering the damages already caused via 
memory corruption, I would argue that even if you have a list of 
people you trust to both write @trusted and review @trusted code 
(both of which is fine imho), reviewing them yourself (when 
writing an application) is the prudent (and sane) course of 
action.


> Especially basic libraries will over time become tested and 
> audited by very many people or even organizations. So after 
> some time they really can be trusted.

Absolutely not. This kind of mentality is what allowed bugs like 
heartbleed to rot for years[2], or even decades[3]. Unsafe code 
can never be *inherently* trusted.

>
>>> If "D is  memory safe" means "D is memory safe ONLY if you 
>>> verify all of the standard library personally", we still have 
>>> lost.
>>
>> It is more like "D is memory safe" meaning "D is memory safe 
>> ONLY if you verify all of the @trusted code your application 
>> end up compiling in / linking against".
>> There is no way around that I can see without getting rid of 
>> @trusted, which is impossible for a systems PL.
> For bigger projects you always need to trust in some previous 
> work.

Not really. You can always verify any @trusted code (and if the 
amount of @trusted code you have to verify is large, then I argue 
that you are using the wrong previous work with regards to memory 
safety).

> But having the @trusted and @save mechanism makes the resulting 
> code a whole lot more trustworthy than any C library can ever 
> be - just by reducing the number of lines of code that really 
> need be audited.

I agree with that viewpoint (and wrote about the reduced auditing 
work previously in this conversation), but the quote you 
responded to here was about using D in general being memory safe 
(which is binary "yes/no"), not any particular library's degree 
of trustworthyness with regards to memory safety (which is a 
continuous scale).

> I personally would not going bejond probing some few functions 
> within a library which I think are more complicated and 
> fragile, and if I find them ok, my trust in what else the 
> authors have marked @trusted increases likewise.

That is your choice, but the general track record of trusting 
others to get it right without verifying it yourself remains 
atrocious and I would still consider you negligent for doing so, 
because while in C one has had little other choice historically - 
since without a @safe concept the amount of code one would have 
to verify reaches gargantuan size - in D we can (and should imho) 
only have small amounts of @trusted code.

[1] https://dlang.org/spec/function.html#trusted-functions
[2] 
https://www.theguardian.com/technology/2014/apr/11/heartbleed-developer-error-regrets-oversight
[3] 
https://www.theguardian.com/technology/2014/jun/06/heartbleed-openssl-bug-security-vulnerabilities


More information about the Digitalmars-d mailing list