@trusted considered harmful

Jesse Phillips jessekphillips+D at gmail.com
Fri Jul 27 19:05:14 PDT 2012


On Saturday, 28 July 2012 at 00:08:30 UTC, David Nadlinger wrote:

>  2) [...] The obvious solution is to add a "@trusted" 
> declaration/block, which would allow unsafe code in a certain 
> region. Putting @trusted in the function header would still be 
> allowed for backwards compatibility (but discouraged), and 
> would have the same effect as marking the function @safe and 
> wrapping its whole body in a @trusted block. It could e.g. look 
> something like this (the @ prefix definitely looks weird, but I 
> didn't want to introduce a new keyword):
>
> ---
>  void foo(T)(T t) {
>    t.doSomething();
>    @trusted {
>      // Do something dirty.
>    }
>    t.doSomethingElse();
>    @trusted phobosFunctionWhichHasNotBeenMarkedSafeYet();
>  }
> ---

I don't see a flaw with 1.

However 2 doesn't sound right.

     @trusted {
       // Do something dirty.
     }

You aren't supposed to do dirty things in @trusted code. You're 
supposed to safely wrap a system function to be usable by a safe 
function. The system function is supposed to be short and getting 
its hands dirty. Remember this is about memory safety and not 
lack-of-bugs safety.

The template issue needs to be fixed, but maybe it is the inference 
which needs to be expanded? Maybe a template is only inferred as safe 
or trusted and requires explicit system?

I think I was going to say more, but I'm not versed in the 
problems for this area, which I'm sure there are many, so this is 
probably good enough self butchering.
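The pattern described above, as an added D example that is not from the thread or from any Phobos code: a short @system function does the raw work, a @trusted wrapper (copyInto, a hypothetical name) validates its arguments so the interface it exposes cannot be misused, and @safe code calls only the wrapper; the unattributed template at the end illustrates the attribute inference the post mentions.

```d
// Added example: @trusted as a safe interface over a short @system
// routine, not a place to "do something dirty" inline.
import core.stdc.string : memcpy;

// The @system part: short, raw pointers, not callable from @safe code.
@system void rawCopy(ubyte* dst, const(ubyte)* src, size_t n)
{
    memcpy(dst, src, n);
}

// The @trusted part: takes slices, not pointers, and checks the
// lengths before the @system call, so no argument combination can
// reach memcpy with an out-of-bounds range. The memory-safety
// argument is local to this function.
@trusted void copyInto(ubyte[] dst, const(ubyte)[] src)
{
    if (src.length > dst.length)
        throw new Exception("copyInto: destination too small");
    if (src.length == 0)
        return;
    rawCopy(dst.ptr, src.ptr, src.length);
}

// @safe code: calling rawCopy here would be a compile error, but
// copyInto is allowed because its contract cannot be violated.
@safe ubyte[] duplicate(const(ubyte)[] src)
{
    auto dst = new ubyte[src.length];
    copyInto(dst, src);
    return dst;
}

// A template with no attribute: the compiler infers @safe because the
// body only uses safe operations. Calling rawCopy from it instead
// would make the inferred attribute @system.
T[] repeat(T)(T value, size_t n)
{
    auto result = new T[n];
    result[] = value;
    return result;
}

void main() @safe
{
    const ubyte[] data = [1, 2, 3];   // constructed sample input
    auto copy = duplicate(data);
    assert(copy == data);
    assert(repeat!ubyte(7, 3) == [7, 7, 7]);
}
```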

