@trusted considered harmful
Jesse Phillips
jessekphillips+D at gmail.com
Fri Jul 27 19:05:14 PDT 2012
On Saturday, 28 July 2012 at 00:08:30 UTC, David Nadlinger wrote:
> 2) [...] The obvious solution is to add a "@trusted"
> declaration/block, which would allow unsafe code in a certain
> region. Putting @trusted in the function header would still be
> allowed for backwards compatibility (but discouraged), and
> would have the same effect as marking the function @safe and
> wrapping its whole body in a @trusted block. It could e.g. look
> something like this (the @ prefix definitely looks weird, but I
> didn't want to introduce a new keyword):
>
> ---
> void foo(T)(T t) {
>     t.doSomething();
>     @trusted {
>         // Do something dirty.
>     }
>     t.doSomethingElse();
>     @trusted phobosFunctionWhichHasNotBeenMarkedSafeYet();
> }
> ---
I don't see a flaw with 1.
However, 2 doesn't sound right.
@trusted {
    // Do something dirty.
}
You aren't supposed to do dirty things in @trusted code. You're
supposed to safely wrap a system function to be usable by a safe
function. The system function is supposed to be short and to get
its hands dirty. Remember, this is about memory safety and not
lack-of-bugs safety.
The template issue needs to be fixed, but maybe it is the inference
which needs to be expanded? Maybe a template is only inferred as safe
or trusted and requires explicit @system?
I think I was going to say more, but I'm not versed in the
problems for this area, of which I'm sure there are many, so this is
probably good enough self-butchering.
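The wrapping discipline Jesse describes, as an added example that is not code from this thread or from Phobos: a short @system function that does the raw pointer work, a @trusted wrapper whose only job is to establish that function's preconditions and expose a slice-based interface, and @safe code that can call the wrapper but not the @system function. The names rawMove, copyInto and safeCaller are made up for the illustration, and the sample buffer contents are constructed.

```d
// Added example, not code from the thread: "@trusted as a thin, checked
// wrapper around a short @system function".
// Build and self-check with:  dmd -unittest -run trusted_wrapper.d
module trusted_wrapper;

import core.stdc.string : memmove;
import std.exception : enforce;

/// @system: raw pointer work, no checking of its own. Its contract
/// (dst and src each point to at least n bytes) is the caller's problem,
/// which is exactly why the compiler refuses to let @safe code call it.
void rawMove(void* dst, const(void)* src, size_t n) @system
{
    memmove(dst, src, n);
}

/// @trusted: the only thing this wrapper does is establish rawMove's
/// contract and then call it. It takes slices rather than pointers, so a
/// @safe caller cannot hand it an arbitrary address, and it is short
/// enough that a reviewer can audit the whole body in one look. Putting
/// more logic in here would widen what that reviewer has to vouch for.
void copyInto(ubyte[] dst, const(ubyte)[] src) @trusted
{
    enforce(src.length <= dst.length, "copyInto: destination too small");
    if (src.length == 0)
        return;                  // do not hand a possibly-null .ptr to C
    rawMove(dst.ptr, src.ptr, src.length);
}

/// Ordinary @safe code: it may use copyInto, but not rawMove.
ubyte[] safeCaller() @safe
{
    ubyte[] buf = new ubyte[8];
    ubyte[] payload = [1, 2, 3, 4];   // constructed sample input
    copyInto(buf, payload);
    // rawMove(buf.ptr, payload.ptr, 4); // would not compile:
    //   @safe function 'safeCaller' cannot call @system function 'rawMove'
    return buf;
}

unittest
{
    assert(safeCaller() == [1, 2, 3, 4, 0, 0, 0, 0]);

    // The bounds check lives in the wrapper, so an oversized copy is
    // rejected instead of being written past the end of `small`.
    ubyte[] small = new ubyte[2];
    ubyte[] big = [1, 2, 3, 4];
    bool rejected;
    try copyInto(small, big);
    catch (Exception) rejected = true;
    assert(rejected);
}

void main()
{
    import std.stdio : writeln;
    writeln(safeCaller());
}
```

The division of labour is the point: rawMove is where the hands get dirty and stays @system, copyInto is the only @trusted code and contains nothing but the checks that make the call memory-safe, and everything above it is plain @safe with no special review burden.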