@trusted attribute should be replaced with @trusted blocks
ag0aep6g
anonymous at example.com
Wed Jan 15 18:06:11 UTC 2020
On 15.01.20 17:54, Joseph Rushton Wakeling wrote:
> On Wednesday, 15 January 2020 at 14:30:02 UTC, Ogi wrote:
[...]
>> @safe fun() {
>> //safe code here
>> @trusted {
>> //those few lines that require manual checking
>> }
>> //we are safe again
>> }
[...]
> So here's the problem with this approach (which was mentioned by several
> people in the discussion): the actual safety of a function like this is
> usually down to the combination of the lines that (in your example) are
> both inside and outside the @trusted block.
Yup. But a proposal could specify that that's the intended meaning for
an @safe function that contains @trusted blocks. Whereas it's more of a
cheat when we use @trusted nested functions like that.
[...]
> So, a better approach would be for the function to be marked up like this:
>
> @trusted fun () // alerts the outside user
> {
> // lines that on their own are provably safe go here
> @system {
> // these lines are allowed to use @system code
> }
> // only provably safe lines here again
> }
>
> ... and the compiler's behaviour would be to explicitly verify standard
> @safe rules for all the lines inside the @trusted function _except_ the
> ones inside a @system { ... } block.
>
> Cf. Steven Schveighoffer's remarks here:
> https://forum.dlang.org/post/qv7t8b$2h2t$1@digitalmars.com
>
> This way the function signature gives a clear indicator to the user
> which functions are provably @safe, and which are safe only on the
> assumption that the developer has done their job properly.
I don't think that's what Steven had in mind. In that world, @safe would
be very, very limited, because it couldn't be allowed to call @trusted
functions. That means @safe would only apply to trivial functions, and
@trusted would assume the role that @safe has today. But you'd have to
wrap every call from an @trusted to another @trusted function in an
@system block. It wouldn't be practical.
The real purpose of @trusted in that example is to allow the @system
block in the body, and to signal to reviewers and maintainers that the
whole function is unsafe despite the mechanical checks that are done on
most of the lines. To a user, @trusted functions would still be the same
as @safe ones.
Unfortunately, adding the mechanical checks of @safe to @trusted would
mean breaking all @trusted code that exists. So implementing that scheme
seems unrealistic.
But as Steven says, it can be done when we use @trusted blocks instead
of @system blocks and @safe instead of @trusted on the function. I.e.:
@safe fun ()
{
// lines that the compiler accepts as @safe go here
@trusted {
// these lines are allowed to use @system code
}
// only @safe lines here again
}
It weakens the meaning of @safe somewhat, but it's often treated that
way already. There's clearly a need.
More information about the Digitalmars-d
mailing list