Simplification of @trusted
Bruce Carneal
bcarneal at gmail.com
Thu Jun 17 01:33:39 UTC 2021
On Thursday, 17 June 2021 at 01:07:05 UTC, Paul Backus wrote:
> On Thursday, 17 June 2021 at 00:34:12 UTC, Steven Schveighoffer
> wrote:
>> [...]
>
> It's impossible to guarantee, at the language level, that @safe
> code can never require manual review. The programmer is allowed
> to use any and all knowledge at their disposal to verify the
> memory safety of @trusted (or in your proposal, @system-block)
> code, including knowledge about @safe code.
>
> You might say, "the only thing a @trusted function can possibly
> know about a @safe function is its signature, so that doesn't
> matter," but that's not quite true. If the @trusted function
> and the @safe function are in the same module, the @trusted
> function can (in principle) rely on the inner workings of the
> safe function without invalidating its proof of memory safety,
> since the programmer knows that any given version of the
> @trusted function will only ever call the corresponding version
> of the @safe function.
>
> Of course, such a @trusted function should never pass code
> review. But the fact that it can exist in principle means that
> you cannot truly rely on @safe to mean "no manual checking
> required", even if @trusted lambdas and nested functions are
> forbidden.
I understand there is a big difference between "never need to
check absent compiler error" and "only need to check if someone
who wrote the code should find another line of work", but there
is also a big difference between where we are now and where we
could be, particularly since improvements in this area will yield
compounding benefit.
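As an added illustration (not code from this thread or from any D project), the situation Paul describes above in D: a @trusted function in the same module whose memory-safety argument rests on the body of a @safe function rather than on its signature, beside a version whose argument depends only on what it checks locally. The module name, function names and sample input are made up for the example.

```d
// Added example: a @trusted proof that silently depends on the BODY of a
// @safe function in the same module, not just on its signature.
module trusted_coupling;

import std.stdio;

// @safe: the compiler checks this body. By its current implementation it
// returns an index < buf.length, or size_t.max when no byte qualifies.
// Nothing in the signature promises that.
size_t firstNonZero(const(ubyte)[] buf) @safe
{
    foreach (i, b; buf)
        if (b != 0)
            return i;
    return size_t.max;
}

// @trusted: the reviewer skipped the bounds check, reasoning that
// firstNonZero never returns an out-of-range index other than size_t.max.
// That holds only while firstNonZero's body stays as it is; a later edit
// to the @safe function can break this @trusted function's safety.
ubyte firstNonZeroValue(const(ubyte)[] buf) @trusted
{
    size_t i = firstNonZero(buf);
    if (i == size_t.max)
        return 0;
    return buf.ptr[i];   // unchecked access, relies on the @safe body
}

// Defensive alternative: re-establish the invariant locally, so the
// @trusted argument depends only on what is visible in this function.
ubyte firstNonZeroValueRobust(const(ubyte)[] buf) @trusted
{
    size_t i = firstNonZero(buf);
    if (i >= buf.length)   // covers size_t.max and any future surprise
        return 0;
    return buf.ptr[i];
}

void main()
{
    ubyte[] sample = [0, 0, 7, 1];   // constructed input
    writeln(firstNonZeroValue(sample));
    writeln(firstNonZeroValueRobust(sample));
}
```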