D Article: Memory Safety
Jakob Ovrum via Digitalmars-d-announce
digitalmars-d-announce at puremagic.com
Wed Jan 20 20:31:25 PST 2016
On Wednesday, 20 January 2016 at 19:55:45 UTC, H. S. Teoh wrote:
> On Wed, Jan 20, 2016 at 07:25:43PM +0000, Dicebot via
> Digitalmars-d-announce wrote:
>> `auto p = () @trusted { return &t; } ();`
>>
>> Huh, I thought Andrei was opposed to this idiom? Is it now
>> considered reserved for templates, or has something changed?
>
> Yeah, I thought this was exactly the case where some of us
> Phobos contributors got lambasted by Andrei and Walter for
> abusing @trusted.
That was for non-templated functions where this approach makes no
sense. Indeed it is counterproductive, because @trusted on the
whole function is a better indication of what needs to be
reviewed for memory safety (the whole function!).
> Any exception to the strict usage of @trusted to me smells like
> a time bomb waiting to explode. It may not be today or
> tomorrow, but sooner or later somebody is going to slip up and
> the compiler won't help you. It's bad enough that every single
> change to a @trusted function must be vetted to ensure actual
> safety; now we have to also vet any modification to any
> function that contains @trusted anonymous functions? In a large
> template function, it's too easy to miss these @trusted
> sub-functions, because if the code change is far away enough,
> the @trusted annotation won't even show up in the diff. So
> reviewers may not even realize it's a change that may have
> broken @trusted.
It is the only way to solve this problem.
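
The distinction drawn in this message, as an added example that is not part of the original post or of Phobos: in a template, attribute inference decides `@safe` or `@system` per instantiation, so a narrow `@trusted` lambda keeps the operations of `T` under the compiler's checks, while `@trusted` on the whole template vouches for them too. The names `SafeOps`, `SystemOps`, `narrow`, `broad` and `callableFromSafe` are hypothetical.

```d
// Added illustration; SafeOps, SystemOps, narrow, broad and
// callableFromSafe are hypothetical names, not from the thread.

struct SafeOps   { int x; int get() @safe   { return x; } }
struct SystemOps { int x; int get() @system { return x; } }

// Narrow trust: only taking the address of the parameter is @trusted.
// The rest of the body is still checked, and the template's safety
// is inferred from what T's own operations are.
int narrow(T)(T t)
{
    auto p = () @trusted { return &t; } ();
    return p.get();   // @safe or @system, depending on T
}

// Broad trust: the whole template is @trusted, so whatever T.get()
// does is vouched for as well, for every T.
int broad(T)(T t) @trusted
{
    auto p = &t;
    return p.get();
}

// True if f can be called with a T from @safe code.
enum callableFromSafe(alias f, T) =
    __traits(compiles, () @safe { cast(void) f(T.init); });

static assert( callableFromSafe!(narrow, SafeOps));
static assert(!callableFromSafe!(narrow, SystemOps)); // @system get() is caught
static assert( callableFromSafe!(broad,  SystemOps)); // @system get() slips through

void main() @safe
{
    assert(narrow(SafeOps(42)) == 42);
}
```

A reviewer of `narrow` still has to confirm that nothing later in the body lets `p` outlive `t`, which is the review burden the quoted objection describes.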