@trusted attribute should be replaced with @trusted blocks

Joseph Rushton Wakeling joseph.wakeling at webdrake.net
Thu Jan 23 11:40:20 UTC 2020


On Saturday, 18 January 2020 at 21:44:17 UTC, David Nadlinger 
wrote:
> On Thursday, 16 January 2020 at 00:21:21 UTC, Joseph Rushton 
> Wakeling wrote:
>> The fact that in a similar situation D forces you to annotate 
>> the function with `@trusted`, and alert users to the 
>> _possibility_ that memory safety bugs could exist within the 
>> code of this function, is useful information even if you can't 
>> access the source code.
>
> Detail the scenario where this would be useful, please.

I'm honestly not sure what is useful to add to the existing 
discussion.  But I think the problem is that most folks are 
looking for certainties, whereas I'm prepared to entertain a 
certain amount of probability in certain contexts.  (Please read 
on to understand what I mean by that, rather than assuming that 
I'm prepared to allow memory safety to be a roll of the dice:-)

Put it like this: for any given @safe function you see, odds are 
that in practice it uses no @trusted code outside the standard 
library/runtime.  Is that a guarantee?  No.  But it's a 
reasonable heuristic to use on a day-to-day "How concerned do I 
have to be that this function might do something scary?" basis.  
(Depending on what the function does, I might be able to make an 
educated guess of the likelihood there's something @trusted 
closer to home.)

OTOH if I see a function marked as @trusted I have a cast-iron 
guarantee that the compiler did not do anything to verify the 
memory safety of _this particular function_.  Which gives me a 
nudge that on the balance of probability, I might want to give a 
bit more up-front scrutiny to exactly what it's doing -- either 
by reading the source code if I can, or by playing with it a bit 
to see if I can trip it up with some unexpected input.

Is that an _audit_?  No.  But it doesn't seem vastly different to 
the kind of day to day trust-versus-verify judgement calls that 
we all have to make, on a day to day basis, about all sorts of 
matters of code correctness in the APIs that we use.

> If you want to audit a program to make sure there are no uses 
> of potentially memory-unsafe code, you need access to all the 
> source code

Yes, agreed.  But that's the difference between doing a full 
safety audit versus the typical day-to-day "Does it seem 
reasonable to use this function for my use-case?" judgement calls 
that we all make when writing code.


More information about the Digitalmars-d mailing list