On Thursday, 5 February 2015 at 23:47:00 UTC, Andrei Alexandrescu wrote:
On 2/5/15 3:22 PM, Dicebot wrote:
To put it differently - there is no way I would have ever taken the risk merging a 50-line @trusted function, be it Phobos or work project.

Surely you're exaggerating.

Not even slightly. I have revoked my Phobos access for a specific reason that I can't do the reviewer job properly with such requirements and would have been forced to ignore all pull requests that tackle @trusted anyway.

We're looking at a function that performs system calls and reads into a memory buffer allocated appropriately (and economically). Claiming that that function is safe then enumerating the numerous unsafe and unprovable escape hatches it uses is someone claiming "I'm a virgin - of course save for those six one-night stands I've had."

So what? I don't care how justified it is, I simply don't trust my attention span enough to verify that foo() is a virgin. I am not a rock-star programmer and I know my limits. Verifying 50 lines of @trusted with no help from the compiler at all is beyond those limits.

When all exceptions to safety are explicitly listed I can review the implementation knowing "ok, this will be safe _unless_ it gets screwed by data coming from those trusted wrappers". And that is a big mentality switch that helps to maintain focus.

It's unclear what you're advocating here. I don't think your previous arguments stand scrutiny. One possible new argument might be an analysis on how this:

https://github.com/D-Programming-Language/phobos/blob/accb351b96bb04a6890bb7df018749337e55eccc/std/file.d#L194

is easier to reason about than this:

https://github.com/D-Programming-Language/phobos/blob/master/std/file.d#L194


It will be a very short analysis considering I am not able to reason about the latter one at all - it simply requires too much of a time investment for me to even consider it.
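The two review situations being argued about, as an added illustration that is not code from the thread or from Phobos: the same "read a file descriptor into a growing buffer" routine written once as a single large @trusted function, and once as a @safe function whose only unchecked step is a small @trusted wrapper around read(2). The function names readAllTrusted, trustedRead and readAllSafe are assumptions for the sake of the example; the C call and the Phobos ErrnoException are real.

```d
// Added example: two ways to bring read(2) into D code.
// readAllTrusted / trustedRead / readAllSafe are hypothetical names.
import core.sys.posix.sys.types : ssize_t;
import core.sys.posix.unistd : read;
import std.exception : ErrnoException;

// Style 1: one large @trusted function. The compiler checks nothing in
// this body, so a reviewer has to verify every line by hand, including
// the pure-D bookkeeping (buffer growth, offsets, slicing) that has
// nothing to do with the system call itself.
ubyte[] readAllTrusted(int fd) @trusted
{
    ubyte[] buf = new ubyte[](4096);
    size_t used;
    for (;;)
    {
        if (used == buf.length) buf.length *= 2;
        // Raw pointer arithmetic: nothing stops an off-by-one here.
        ssize_t n = read(fd, buf.ptr + used, buf.length - used);
        if (n < 0) throw new ErrnoException("read");
        if (n == 0) break;
        used += n;
    }
    return buf[0 .. used];
}

// Style 2: the unchecked surface is one short wrapper with an explicit
// contract. This is the only place a reviewer must take on trust.
private ssize_t trustedRead(int fd, ubyte[] dest) @trusted
{
    // Safe because dest.ptr/dest.length describe memory this program owns
    // and read(2) writes at most dest.length bytes into it.
    return read(fd, dest.ptr, dest.length);
}

// Everything else is @safe: the compiler rejects pointer arithmetic,
// unchecked casts and similar escapes, so the review reduces to
// "is trustedRead's contract right?".
ubyte[] readAllSafe(int fd) @safe
{
    ubyte[] buf = new ubyte[](4096);
    size_t used;
    for (;;)
    {
        if (used == buf.length) buf.length *= 2;
        // Bounds-checked slice instead of a raw pointer plus offset.
        ssize_t n = trustedRead(fd, buf[used .. $]);
        if (n < 0) throw new ErrnoException("read");
        if (n == 0) break;
        used += n;
    }
    return buf[0 .. used];
}

void main()
{
    import std.stdio : writeln;
    // Reads standard input to EOF, e.g. `echo hello | ./example`.
    auto data = readAllSafe(0);
    writeln(data.length, " bytes read");
}
```

Both functions do the same work; the difference is how much of it the compiler vouches for. In readAllTrusted the whole loop is on the reviewer, while in readAllSafe a change to the loop that reintroduces pointer arithmetic or drops the bounds check is rejected at compile time, and the only sentence a reviewer has to believe is the comment above trustedRead.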
