Simplification of @trusted (page 2)

Settings

Help

Index » General » Simplification of @trusted (page 2)

June 16, 2021

Re: Simplification of @trusted

Posted by Dominikus Dittes Scherkl
in reply to RazvanN

Permalink

Dominikus Dittes Scherkl

Posted in reply to RazvanN

Permalink

On Wednesday, 16 June 2021 at 11:38:54 UTC, RazvanN wrote:

Currently, @trusted applies only to functions. This is most of the times a pain when you want trusted code blocks inside functions. Why not simplify it a bit by using trusted scope blocks? E.g. this:

void foo() @safe
{
    () @trusted { ... }();
}

becomes this:

void foo() @safe
{
    @trusted
    {
       ....
    }
}

To make things easier, @trusted does not insert a scope (similar to static if).

YES PLEASE!
This was suggested since years meanwhile!
(and by the way: the use of @trusted at functions should be deprecated - a function should either be @save or @system, nothing in between. Only @trusted blocks should be allowed)

June 16, 2021

Re: Simplification of @trusted

Posted by Ogi
in reply to RazvanN

Permalink

Ogi

Posted in reply to RazvanN

Permalink

On Wednesday, 16 June 2021 at 11:38:54 UTC, RazvanN wrote:

Currently, @trusted applies only to functions. This is most of the times a pain when you want trusted code blocks inside functions. Why not simplify it a bit by using trusted scope blocks?

Yes.

June 16, 2021

Re: Simplification of @trusted

Posted by GrimMaple
in reply to RazvanN

Permalink

GrimMaple

Posted in reply to RazvanN

Permalink

On Wednesday, 16 June 2021 at 11:38:54 UTC, RazvanN wrote:

Currently, @trusted applies only to functions. This is most of the times a pain when you want trusted code blocks inside functions. Why not simplify it a bit by using trusted scope blocks? E.g. this:

void foo() @safe
{
    () @trusted { ... }();
}

becomes this:

void foo() @safe
{
    @trusted
    {
       ....
    }
}

To make things easier, @trusted does not insert a scope (similar to static if).

Of course, the feature would be additive (you can have both trusted functions and code blocks).

That would also provide an elegant workaround if void initialization is rejected in @safe code [1][2]. For example:

void foo() @safe
{
    @trusted
    {
        int[100] a = void;
    }
    ...
}

What do you think?

Cheers,
RazvanN

[1] https://issues.dlang.org/show_bug.cgi?id=17566
[2] https://github.com/dlang/dlang.org/pull/2260

I don't like that this allows implicitly lowering the safety level of any given function. As per example, the foo() function isn't @safe anymore, but @trusted. Which in turn should be reflected in the function signature. If this function is marked as @safe, I expect it to be @safe and not perform any shady stuff inside it. To me this really looks like foo() should be @trusted instead.

What I like more, is permitting to temporarily increase the safety level by using eg @safe blocks inside a @trusted function. For example

void foo() @trusted
{
    int[100] a = void;
    @safe
    {
        // Code with safety checks
    }
}

Overall, if something like this is implemented, it should support all safety levels for blocks, including @safe and @system, for consistency purposes

June 16, 2021

Re: Simplification of @trusted

Posted by H. S. Teoh
in reply to kinke

Permalink

H. S. Teoh

Posted in reply to kinke

Permalink

On Wed, Jun 16, 2021 at 01:00:07PM +0000, kinke via Digitalmars-d wrote:
> On Wednesday, 16 June 2021 at 11:38:54 UTC, RazvanN wrote:
> > What do you think?
> 
> Absolutely love it, I've wanted this for ages, similar to C# `unsafe {}` blocks. I absolutely hate the trusted lambdas 'idiom'.

This isn't the first time it was suggested.  Way back when, it was brought up and rejected because Walter thought that @trusted blocks should be discouraged, and therefore should be ugly to write.  It was extensively argued, but Walter preferred the "trusted lambda idiom", precisely because it was ugly, required effort to write, and therefore deters casual (ab)uses of @trusted.

T

-- 
What is Matter, what is Mind? Never Mind, it doesn't Matter.

June 16, 2021

Re: Simplification of @trusted

Posted by Ola Fosheim Grøstad
in reply to Sönke Ludwig

Permalink

Ola Fosheim Grøstad

Posted in reply to Sönke Ludwig

Permalink

On Wednesday, 16 June 2021 at 13:09:53 UTC, Sönke Ludwig wrote:
> `@trusted` *should* probably not even be available for functions (of course it is not a desirable breaking change to disallow that now, though).

Use the name ```@unsafe``` and deprecate ```@trusted``` then.

June 16, 2021

Re: Simplification of @trusted

Posted by RazvanN
in reply to GrimMaple

Permalink

RazvanN

Posted in reply to GrimMaple

Permalink

On Wednesday, 16 June 2021 at 14:57:19 UTC, GrimMaple wrote:

What I like more, is permitting to temporarily increase the safety level by using eg @safe blocks inside a @trusted function. For example

void foo() @trusted
{
    int[100] a = void;
    @safe
    {
        // Code with safety checks
    }
}

I don't think that this is a good alternative. The normalcy we are striving for is to have as much code as possible @safe and as little as possible trusted. From that perspective it makes much more sense to annotate the entire function as @safe and have minor sections as being trusted.

Overall, if something like this is implemented, it should support all safety levels for blocks, including @safe and @system, for consistency purposes

I don't really see the point in having @safe/trusted blocks inside of @system functions or @system/trusted blocks inside @safe functions. As for trusted functions, although I like the idea of deprecating them, there are cases of functions that are a few lines of code long (or even one liners) that do some unsafe operations that can be trusted; in this situation it's much easier to annotate the function as trusted. However, outside of such scenarios (for big functions), annotating functions as trusted is bad practice.

June 16, 2021

Re: Simplification of @trusted

Posted by RazvanN
in reply to H. S. Teoh

Permalink

RazvanN

Posted in reply to H. S. Teoh

Permalink

On Wednesday, 16 June 2021 at 15:37:22 UTC, H. S. Teoh wrote:

>
> This isn't the first time it was suggested.  Way back when, it was brought up and rejected because Walter thought that @trusted blocks should be discouraged, and therefore should be ugly to write.  It was extensively argued, but Walter preferred the "trusted lambda idiom", precisely because it was ugly, required effort to write, and therefore deters casual (ab)uses of @trusted.
>
>
> T

I think that the time to reassess that decision has come. In reality, trusted is needed to write **optimized** safe code. Since there are a lot of scenarios where trusted is needed we should simply accept it and make it easy to use.

Another counter argument is that it is so much easier to trust the entire function (instead of using trusted lambdas), that the previous design decision ends up causing more bad than good.

June 16, 2021

Re: Simplification of @trusted

Posted by Paul Backus
in reply to GrimMaple

Permalink

Paul Backus

Posted in reply to GrimMaple

Permalink

On Wednesday, 16 June 2021 at 14:57:19 UTC, GrimMaple wrote:

There is no difference (from the caller's point of view) between the "safety level" of a @safe function and a @trusted function. Both are memory-safe. The only difference is that the @safe function has its safety checked automatically, by the compiler, and the @trusted function has its safety checked manually, by the programmer.

"But surely," you will object, "automatic checking is more reliable than manual checking, and therefore the @safe function is 'safer' than the @trusted one." Unfortunately, the conclusion does not follow from the premise: a @safe function is allowed to call any number of @trusted functions internally, so it is entirely possible that both functions rely on manual checking for their memory safety. You cannot tell just from looking at the signatures.

June 16, 2021

Re: Simplification of @trusted

Posted by GrimMaple
in reply to RazvanN

Permalink

GrimMaple

Posted in reply to RazvanN

Permalink

On Wednesday, 16 June 2021 at 15:58:23 UTC, RazvanN wrote:

On Wednesday, 16 June 2021 at 14:57:19 UTC, GrimMaple wrote:

What I like more, is permitting to temporarily increase the safety level by using eg @safe blocks inside a @trusted function. For example

void foo() @trusted
{
    int[100] a = void;
    @safe
    {
        // Code with safety checks
    }
}

With my approach, you can still cover as many code @safe as you want without lying to the end user about the function safety. IMHO, if you perform @trusted operations in a @safe function, the function cannot be called @safe .

> >

Overall, if something like this is implemented, it should support all safety levels for blocks, including @safe and @system, for consistency purposes

The point is enabling @safe checks on parts of @system/@trusted code, that otherwise would require weird solutions. Or, if you prefer, to be consistent over the lang. I think it is more predictable to the user, that if you can mark a block @trusted, it can be marked @safe or @system as well

June 16, 2021

Re: Simplification of @trusted

Posted by RazvanN
in reply to GrimMaple

Permalink

RazvanN

Posted in reply to GrimMaple

Permalink

On Wednesday, 16 June 2021 at 16:17:28 UTC, GrimMaple wrote:

On Wednesday, 16 June 2021 at 15:58:23 UTC, RazvanN wrote:

On Wednesday, 16 June 2021 at 14:57:19 UTC, GrimMaple wrote:

But this is not true. As Paul Backus pointed out, you can still have
a @safe function that calls trusted functions. Your argument seems
to imply that @safe should never interact with @trusted code, which
to be honest will make it unusable.

> > >

Overall, if something like this is implemented, it should support all safety levels for blocks, including @safe and @system, for consistency purposes

I understand, but my point is that if you have a @system function it is kind
of useless to have @safe portions of it, you still cannot call it from @safe code.
It makes much more sense to have a @safe function with small trusted blocks.

Top | Forum index | About this forum

Forums