[Issue 14125] @trusted nested helper functions in std.file (page 5)

https://issues.dlang.org/show_bug.cgi?id=14125 --- Comment #38 from David Nadlinger <code@klickverbot.at> --- (In reply to Walter Bright from comment #34) > This also flunks that rule: > > @safe T* func(T* p) { > @trusted { > p += 5; > } > return p; > } So does this: --- @trusted void claimsToBeSafe(ref T* p) { p += 5; } @safe T* func(T* p) { claimsToBeSafe(p); return p; } --- And this: --- @safe T* func(T* p) { @trusted void claimsToBeSafe(ref T* p) { p += 5; } claimsToBeSafe(p); return p; } --- What is your point? @trusted can be used incorrectly. Nothing new and exciting so far. --

https://issues.dlang.org/show_bug.cgi?id=14125 --- Comment #39 from Walter Bright <bugzilla@digitalmars.com> --- (In reply to David Nadlinger from comment #36) > May I suggest that you try to understand the issue at hand instead of repeating the same non-solution over and over again? For a small sampling of code that can't easily be rewritten to follow your demands, check std.array. std.array is a big module. You'll need to be much more specific. --

https://issues.dlang.org/show_bug.cgi?id=14125 --- Comment #40 from David Nadlinger <code@klickverbot.at> --- (In reply to Walter Bright from comment #39) > (In reply to David Nadlinger from comment #36) > > May I suggest that you try to understand the issue at hand instead of repeating the same non-solution over and over again? For a small sampling of code that can't easily be rewritten to follow your demands, check std.array. > > std.array is a big module. You'll need to be much more specific. grep for "trusted[A-Z]". For example, trustedCast() in join(). --

https://issues.dlang.org/show_bug.cgi?id=14125 --- Comment #41 from Andrei Alexandrescu <andrei@erdani.com> --- (In reply to hsteoh from comment #35) > @Andrei: any @safe function can call a @trusted function that may contain arbitrary unsafe operations. Just because something is marked @safe at the top guarantees nothing. Agreed - and that's exactly why we shouldn't abuse it. --

https://issues.dlang.org/show_bug.cgi?id=14125 --- Comment #42 from Andrei Alexandrescu <andrei@erdani.com> --- (In reply to David Nadlinger from comment #40) > (In reply to Walter Bright from comment #39) > > (In reply to David Nadlinger from comment #36) > > > May I suggest that you try to understand the issue at hand instead of repeating the same non-solution over and over again? For a small sampling of code that can't easily be rewritten to follow your demands, check std.array. > > > > std.array is a big module. You'll need to be much more specific. > > grep for "trusted[A-Z]". For example, trustedCast() in join(). Sigh, std.array has become another disaster area we need to clean. --

https://issues.dlang.org/show_bug.cgi?id=14125 --- Comment #43 from Andrei Alexandrescu <andrei@erdani.com> --- (In reply to David Nadlinger from comment #38) > What is your point? > > @trusted can be used incorrectly. Nothing new and exciting so far. His point is that gainful use of @trusted is for safe interfaces with unsafe implementations, not make-believe that unsafe functions are actually safe. It's a very good point. --

February 05, 2015

[Issue 14125] @trusted nested helper functions in std.file

Posted by Walter Bright

Permalink

Walter Bright

Permalink

https://issues.dlang.org/show_bug.cgi?id=14125

--- Comment #44 from Walter Bright <bugzilla@digitalmars.com> ---
(In reply to David Nadlinger from comment #40)
> grep for "trusted[A-Z]". For example, trustedCast() in join().

For reference:

  static U trustedCast(U, V)(V v) @trusted { return cast(U) v; }

That's a fine example of what I'm talking about as a complete misunderstanding of what trust is supposed to be doing. It's putting the entire onus of using the cast correctly on the CALLER. It is not checkable without checking the supposedly @safe code that uses it, which has defeated the purpose of @safe.

The use in join() looks like this (paraphrasing):

    @safe join() {
       ... safe code ...
       return trustedCast();
    }

I understand you want the ...safe code... to be checked for safety. Here's how to do it:

    @trusted join() {
        @safe {
            ... safe code ...
        }
        return cast(U) v;
    }

--

https://issues.dlang.org/show_bug.cgi?id=14125 --- Comment #45 from Andrei Alexandrescu <andrei@erdani.com> --- (In reply to Walter Bright from comment #44) > I understand you want the ...safe code... to be checked for safety. Here's how to do it: > > @trusted join() { > @safe { > ... safe code ... > } > return cast(U) v; > } That's beautiful. Too bad it doesn't work :o). --

https://issues.dlang.org/show_bug.cgi?id=14125 --- Comment #46 from Walter Bright <bugzilla@digitalmars.com> --- I was a bit curious where these misunderstandings came from. Turns out, example code for C# 'unsafe' code presents not only unsafe code, but an unsafe interface: https://msdn.microsoft.com/en-us/library/aa288474(v=vs.71).aspx#vcwlkunsafecode_readfileexample public unsafe int Read(byte[] buffer, int index, int count) { int n = 0; fixed (byte* p = buffer) { if (!ReadFile(handle, p + index, count, &n, 0)) return 0; } return n; } Note that there's no guarantee that index is within the length of buffer[]. The poor sot cannot simply review Read(), he's got to review EVERY SINGLE CALLER of read(). Since this is taught as correct usage of 'unsafe', it's something we're going to have to regularly auger against. --

https://issues.dlang.org/show_bug.cgi?id=14125 --- Comment #47 from Walter Bright <bugzilla@digitalmars.com> --- (In reply to Andrei Alexandrescu from comment #45) > That's beautiful. Too bad it doesn't work :o). I did say I paraphrased it. I've come out against supporting @trusted { ... code ... } because it made it too easy to do bad things with it. But I did use it to make for a simpler example :-) --

Forums