Re: @trust is an encapsulation method, not an escape

2015-02-06 Thread via Digitalmars-d
On Friday, 6 February 2015 at 15:10:18 UTC, Steven Schveighoffer wrote: into suspect the whole function. So marking a function @safe, and having it mean this function has NO TRUSTED OR SYSTEM CODE in it whatsoever, is probably the right move, regardless of any other changes. But that would

Re: @trust is an encapsulation method, not an escape

2015-02-06 Thread via Digitalmars-d
On Friday, 6 February 2015 at 17:02:44 UTC, Wyatt wrote: 3. @trusted are formally proven safe ...by humans? It isn't that hard for typical library code that is required to be non-safe. You don't have to do better than the compiler code in terms of probability of slipping things

Re: @trust is an encapsulation method, not an escape

2015-02-06 Thread Tobias Pankrath via Digitalmars-d
I was referring to a hypothetical untrusted block that might be used something like this: --- void foo(Range)(Range r) @trusted { // ... untrusted { r.front; } // Your manually checked code. untrusted { r.popFront; } // … } --- Using current semantics we must not

Re: @trust is an encapsulation method, not an escape

2015-02-06 Thread David Nadlinger via Digitalmars-d
On Friday, 6 February 2015 at 17:16:19 UTC, Andrei Alexandrescu wrote: On 2/6/15 8:40 AM, David Nadlinger wrote: This still does not solve the template inference problem What is that? See my reply to Tobias [1]. This seems to be the crux of our disagreement and/or misunderstanding, and is

Re: @trust is an encapsulation method, not an escape

2015-02-06 Thread Atila Neves via Digitalmars-d
I'm trying to promote suggesting '@system' blocks instead of '@trusted'. '@trusted' functions, but '@system' blocks - which can only go in @trusted functions (@system block in @system functions are redundant). It's the same semantics, but it might win the day because the intent is to isolate

Re: @trust is an encapsulation method, not an escape

2015-02-06 Thread Vladimir Panteleev via Digitalmars-d
On Friday, 6 February 2015 at 16:19:00 UTC, Andrei Alexandrescu wrote: On 2/6/15 5:13 AM, Vladimir Panteleev wrote: That doesn't answer my question. A few years ago, I recall, you were arguing that for functions which are or may be exported to a DLL, thus all Phobos functions, it is

Re: @trust is an encapsulation method, not an escape

2015-02-06 Thread Tobias Pankrath via Digitalmars-d
On Friday, 6 February 2015 at 16:40:10 UTC, David Nadlinger wrote: This still does not solve the template inference problem though, unless you make it a non-@trusted block instead of requiring @safe-ty. Don't understand. If that matters, the code shouldn't be marked @trusted in the first

Re: @trust is an encapsulation method, not an escape

2015-02-06 Thread via Digitalmars-d
On Friday, 6 February 2015 at 16:19:26 UTC, John Colvin wrote: I can instantly see this happening: void foo() @trusted { auto p = malloc(…) @safe { global_datastructure.push(p) //loads of code } free(p) //a few lines of system code,

Re: @trust is an encapsulation method, not an escape

2015-02-06 Thread Andrei Alexandrescu via Digitalmars-d
On 2/6/15 8:19 AM, John Colvin wrote: Is that what we want? I can't see why not, but it feels off somehow... Effectively you've got @trusted blocks in an @trusted function, just inverted. That's the natural direction - the default assumption is weak, and you have the option to temporarily

Re: @trust is an encapsulation method, not an escape

2015-02-06 Thread Tobias Pankrath via Digitalmars-d
On Friday, 6 February 2015 at 16:19:26 UTC, John Colvin wrote: It feels inelegant, but it might be the best way out of a bad situation. I can instantly see this happening: void foo() @trusted { @safe { //loads of code } //a few lines of system code, only safe due to

Re: @trust is an encapsulation method, not an escape

2015-02-06 Thread Wyatt via Digitalmars-d
On Friday, 6 February 2015 at 15:48:45 UTC, Ola Fosheim Grøstad wrote: 2. @trusted sections are written without dependencies This really won't happen unless statically enforced because humans are involved. 3. @trusted are formally proven safe ...by humans? 4. @trusted functions rarely

Re: @trust is an encapsulation method, not an escape

2015-02-06 Thread Zach the Mystic via Digitalmars-d
On Friday, 6 February 2015 at 17:36:27 UTC, Atila Neves wrote: I'm trying to promote suggesting '@system' blocks instead of '@trusted'. '@trusted' functions, but '@system' blocks - which can only go in @trusted functions (@system block in @system functions are redundant). It's the same

Re: @trust is an encapsulation method, not an escape

2015-02-06 Thread Zach the Mystic via Digitalmars-d
On Friday, 6 February 2015 at 18:30:03 UTC, Zach the Mystic wrote: That might be better than using @safe inside @trusted: @trusted void myfunc() { //implicitly safe ... @system { //wouldn't compile otherwise. auto ptr = cast(ubyte*)4; } //implicitly safe again } Exactly. I think this

Re: @trust is an encapsulation method, not an escape

2015-02-06 Thread Andrei Alexandrescu via Digitalmars-d
On 2/6/15 9:28 AM, David Nadlinger wrote: On Friday, 6 February 2015 at 17:16:19 UTC, Andrei Alexandrescu wrote: On 2/6/15 8:40 AM, David Nadlinger wrote: This still does not solve the template inference problem What is that? See my reply to Tobias [1]. This seems to be the crux of our

Re: @trust is an encapsulation method, not an escape

2015-02-06 Thread David Nadlinger via Digitalmars-d
On Friday, 6 February 2015 at 18:39:28 UTC, Andrei Alexandrescu wrote: It's clear. I just don't think it's a good point. -- Andrei I'm not making a point; I'm posing a problem. What is your solution? David

Re: @trust is an encapsulation method, not an escape

2015-02-06 Thread Andrei Alexandrescu via Digitalmars-d
On 2/6/15 9:41 AM, Vladimir Panteleev wrote: On Friday, 6 February 2015 at 16:19:00 UTC, Andrei Alexandrescu wrote: On 2/6/15 5:13 AM, Vladimir Panteleev wrote: That doesn't answer my question. A few years ago, I recall, you were arguing that for functions which are or may be exported to a

Re: @trust is an encapsulation method, not an escape

2015-02-05 Thread Brad Roberts via Digitalmars-d
I figured that someone would have already objected to part of this, but the definition is stronger than I believe is intended for D: On 2/5/2015 5:23 PM, H. S. Teoh via Digitalmars-d wrote: 2) I think we also all basically agree that the *intent* of @trusted is to be an encapsulation

Re: @trust is an encapsulation method, not an escape

2015-02-05 Thread Walter Bright via Digitalmars-d
On 2/5/2015 8:30 PM, Brad Roberts via Digitalmars-d wrote: @safe code is memory safe when passed good inputs. @safe code does not have to detect or prevent garbage input from causing harm. The promises of @trusted aren't stronger than that either. This is correct. Thanks for catching it.

Re: @trust is an encapsulation method, not an escape

2015-02-05 Thread via Digitalmars-d
On Thursday, 5 February 2015 at 23:39:39 UTC, Walter Bright wrote: static void trustedMemcopy(T[] dest, T[] src) @trusted { assert(src.length == dest.length); memcpy(dest.ptr, src.ptr, src.length * T.sizeof); } I don't have to review callers of trustedMemory() because it

Re: @trust is an encapsulation method, not an escape

2015-02-05 Thread Walter Bright via Digitalmars-d
On 2/5/2015 8:20 PM, Dicebot wrote: I am not even sure how you can show the example though, to be honest - implied issues are about maintaining code and not just writing it. Let's start with std.array.uninitializedArray(): auto uninitializedArray(T, I...)(I sizes) nothrow @trusted Note

Re: @trust is an encapsulation method, not an escape

2015-02-05 Thread Walter Bright via Digitalmars-d
On 2/5/2015 9:00 PM, Ola Fosheim =?UTF-8?B?R3LDuHN0YWQi?= ola.fosheim.grostad+dl...@gmail.com wrote: On Thursday, 5 February 2015 at 23:39:39 UTC, Walter Bright wrote: static void trustedMemcopy(T[] dest, T[] src) @trusted { assert(src.length == dest.length); memcpy(dest.ptr,

Re: @trust is an encapsulation method, not an escape

2015-02-05 Thread weaselcat via Digitalmars-d
On Friday, 6 February 2015 at 05:32:48 UTC, Walter Bright wrote: On 2/5/2015 9:00 PM, Ola Fosheim =?UTF-8?B?R3LDuHN0YWQi?= ola.fosheim.grostad+dl...@gmail.com wrote: On Thursday, 5 February 2015 at 23:39:39 UTC, Walter Bright wrote: static void trustedMemcopy(T[] dest, T[] src) @trusted {

Re: @trust is an encapsulation method, not an escape

2015-02-05 Thread Zach the Mystic via Digitalmars-d
On Friday, 6 February 2015 at 03:14:59 UTC, Walter Bright wrote: I don't see how any proposal can work unless it specifies a safe interface to an unsafe section of code. (I read a Rust tutorial that rather bluntly pointed this out as well.) Link?

Re: @trust is an encapsulation method, not an escape

2015-02-05 Thread Dicebot via Digitalmars-d
On Friday, 6 February 2015 at 01:12:18 UTC, Walter Bright wrote: On 2/5/2015 4:13 PM, Dicebot wrote: I know this definition. It have tried it in practice and concluded as being absolutely useless. There is no way I am going to return back to this broken concept - better to ignore @safe

Re: @trust is an encapsulation method, not an escape

2015-02-05 Thread Walter Bright via Digitalmars-d
On 2/5/2015 7:39 PM, Zach the Mystic wrote: On Friday, 6 February 2015 at 03:14:59 UTC, Walter Bright wrote: I don't see how any proposal can work unless it specifies a safe interface to an unsafe section of code. (I read a Rust tutorial that rather bluntly pointed this out as well.) Link?

Re: @trust is an encapsulation method, not an escape

2015-02-05 Thread Walter Bright via Digitalmars-d
On 2/5/2015 9:55 PM, weaselcat wrote: What's the D way of checking if a parameter is a reftype, valuetype, etc? http://dlang.org/phobos/std_traits.html

Re: @trust is an encapsulation method, not an escape

2015-02-05 Thread Andrei Alexandrescu via Digitalmars-d
On 2/5/15 3:43 PM, Dicebot wrote: The fact that @trusted is contained in small block doesn't mean rest of @safe function doesn't need to be reviewed. Only difference is review all manually vs review all manually with some help of compiler. As Steve and others have shown, unsafe code under the

Re: @trust is an encapsulation method, not an escape

2015-02-05 Thread Walter Bright via Digitalmars-d
On 2/5/2015 3:43 PM, Dicebot wrote: The fact that @trusted is contained in small block doesn't mean rest of @safe function doesn't need to be reviewed. Only difference is review all manually vs review all manually with some help of compiler. I did a review of all uses of @trusted in std.array:

Re: @trust is an encapsulation method, not an escape

2015-02-05 Thread Dicebot via Digitalmars-d
On Friday, 6 February 2015 at 00:04:26 UTC, Walter Bright wrote: On 2/5/2015 3:43 PM, Dicebot wrote: The fact that @trusted is contained in small block doesn't mean rest of @safe function doesn't need to be reviewed. Only difference is review all manually vs review all manually with some help

Re: @trust is an encapsulation method, not an escape

2015-02-05 Thread Dicebot via Digitalmars-d
On Thursday, 5 February 2015 at 23:49:05 UTC, Andrei Alexandrescu wrote: On 2/5/15 3:43 PM, Dicebot wrote: The fact that @trusted is contained in small block doesn't mean rest of @safe function doesn't need to be reviewed. Only difference is review all manually vs review all manually with some

@trust is an encapsulation method, not an escape

2015-02-05 Thread Walter Bright via Digitalmars-d
Consider the following code excerpted from std.array.join: static U trustedCast(U, V)(V v) @trusted { return cast(U) v; } return trustedCast!RetType(result); This is because the compiler would complain that the following line would not be @safe: return cast(RetType)(result); The

Re: @trust is an encapsulation method, not an escape

2015-02-05 Thread Dicebot via Digitalmars-d
The fact that @trusted is contained in small block doesn't mean rest of @safe function doesn't need to be reviewed. Only difference is review all manually vs review all manually with some help of compiler.

Re: @trust is an encapsulation method, not an escape

2015-02-05 Thread Dicebot via Digitalmars-d
On Thursday, 5 February 2015 at 23:43:19 UTC, Dicebot wrote: The fact that @trusted is contained in small block doesn't mean rest of @safe function doesn't need to be reviewed. Only difference is review all manually vs review all manually with some help of compiler. I believe that was also

Re: @trust is an encapsulation method, not an escape

2015-02-05 Thread Walter Bright via Digitalmars-d
On 2/5/2015 4:13 PM, Dicebot wrote: I know this definition. It have tried it in practice and concluded as being absolutely useless. There is no way I am going to return back to this broken concept - better to ignore @safe completely as misfeature if you insist on doing things that way. I'm

Re: @trust is an encapsulation method, not an escape

2015-02-05 Thread Andrei Alexandrescu via Digitalmars-d
On 2/5/15 5:12 PM, Walter Bright wrote: On 2/5/2015 4:13 PM, Dicebot wrote: I know this definition. It have tried it in practice and concluded as being absolutely useless. There is no way I am going to return back to this broken concept - better to ignore @safe completely as misfeature if you

Re: @trust is an encapsulation method, not an escape

2015-02-05 Thread H. S. Teoh via Digitalmars-d
On Thu, Feb 05, 2015 at 11:50:05PM +, Dicebot via Digitalmars-d wrote: On Thursday, 5 February 2015 at 23:43:19 UTC, Dicebot wrote: The fact that @trusted is contained in small block doesn't mean rest of @safe function doesn't need to be reviewed. Only difference is review all manually vs

Re: @trust is an encapsulation method, not an escape

2015-02-05 Thread Andrei Alexandrescu via Digitalmars-d
On 2/5/15 5:23 PM, H. S. Teoh via Digitalmars-d wrote: It is a desperate attempt to contain a maintenance problem that's growing out of hand. Before we get into this - do you have evidence of the maintenance problem that's growing out of hand? E.g. bugs in std.file that were fixed etc.

Re: @trust is an encapsulation method, not an escape

2015-02-05 Thread H. S. Teoh via Digitalmars-d
On Thu, Feb 05, 2015 at 05:12:16PM -0800, Walter Bright via Digitalmars-d wrote: On 2/5/2015 4:13 PM, Dicebot wrote: I know this definition. It have tried it in practice and concluded as being absolutely useless. There is no way I am going to return back to this broken concept - better to

Re: @trust is an encapsulation method, not an escape

2015-02-05 Thread Andrei Alexandrescu via Digitalmars-d
On 2/5/15 5:53 PM, H. S. Teoh via Digitalmars-d wrote: And while you're at it, try reviewing a few Phobos PR's related to std.array as well, and observe for yourself the maintenance issues that arise. Again, could you please collect past evidence of such? According to you there must be many

Re: @trust is an encapsulation method, not an escape

2015-02-05 Thread Zach the Mystic via Digitalmars-d
On Friday, 6 February 2015 at 02:06:29 UTC, Andrei Alexandrescu wrote: On 2/5/15 5:53 PM, H. S. Teoh via Digitalmars-d wrote: And while you're at it, try reviewing a few Phobos PR's related to std.array as well, and observe for yourself the maintenance issues that arise. Again, could you

Re: @trust is an encapsulation method, not an escape

2015-02-05 Thread Andrei Alexandrescu via Digitalmars-d
On 2/5/15 5:23 PM, H. S. Teoh via Digitalmars-d wrote: This whole discussion has been very tiring and frustrating, because we keep talking past each other. The reason we keep talking past each other is because we keep conflating several distinct, though related, issues. Bummer about that.

Re: @trust is an encapsulation method, not an escape

2015-02-05 Thread Walter Bright via Digitalmars-d
On 2/5/2015 6:26 PM, Andrei Alexandrescu wrote: (2) I don't think the proposal you sketched at http://goo.gl/JWqafx is good. The goo link is disabled for violating goo's terms of service, whatever that means. What's the real url?

Re: @trust is an encapsulation method, not an escape

2015-02-05 Thread Andrei Alexandrescu via Digitalmars-d
On 2/5/15 6:52 PM, Walter Bright wrote: On 2/5/2015 6:26 PM, Andrei Alexandrescu wrote: (2) I don't think the proposal you sketched at http://goo.gl/JWqafx is good. The goo link is disabled for violating goo's terms of service, whatever that means. What's the real url?

Re: @trust is an encapsulation method, not an escape

2015-02-05 Thread Walter Bright via Digitalmars-d
On 2/5/2015 7:00 PM, Andrei Alexandrescu wrote: On 2/5/15 6:52 PM, Walter Bright wrote: On 2/5/2015 6:26 PM, Andrei Alexandrescu wrote: (2) I don't think the proposal you sketched at http://goo.gl/JWqafx is good. The goo link is disabled for violating goo's terms of service, whatever that

<    1   2