@trusted considered harmful

David Nadlinger see at klickverbot.at
Sat Jul 28 07:29:54 PDT 2012


On Saturday, 28 July 2012 at 14:02:44 UTC, Andrei Alexandrescu 
wrote:
> If @trusted is not part of the signature, we can't enable e.g. 
> analyzers that verify an entire program or package to be safe. 
> This is not something that's currently used, but I'd hate to 
> look back and say, "heck, I hate that we conflated @trusted 
> with @safe!"

Could you elaborate on that? A @safe function is _identical_, 
from a client point of view, to a @trusted one. It can always 
call a @trusted function under the hood without the caller 
noticing, there is no way around that.

Thus, to be able to check that a program consists only of @safe 
code [1], you would need its complete source, i.e. including all 
the functions it can possibly invoke, to be able to check if 
@trusted code is called in any place. But with all the source 
available, you can just check the implementation for @trusted 
blocks [2], there is no advantage over having it in the signature.

Destroyed? :P

David


[1] Which is highly unlikely, by the way, as many parts of 
druntime just can't be safe.
[2] Or @trusted attributes in the function header – as 
described in the original post, they won't go away for backwards 
compatibility.
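The point made in the reply above, as an added example written in D for this page; it is not code from the original post or from druntime/Phobos, and the function names and the sample array are constructed for illustration. It shows that a @safe function resting on a @trusted callee presents exactly the same signature to its callers as one that is @safe all the way down, so an audit for @trusted code has to read every callee's body rather than the signatures.

```d
// Added example (not from the original post or the D sources): why a
// @safe caller cannot tell @safe-all-the-way-down from @safe-over-@trusted.
module trusted_demo;

// @system: the compiler does no memory-safety checking in this body.
int sumUnchecked(const(int)* p, size_t n) @system
{
    int total = 0;
    for (size_t i = 0; i < n; ++i)
        total += p[i];          // raw pointer indexing: forbidden in @safe code
    return total;
}

// @trusted: the author vouches that the slice's own length makes the raw
// call below in bounds. The compiler takes this on faith, as it does for
// every @trusted function; nothing here is mechanically checked.
int sumTrusted(const(int)[] a) @trusted
{
    return sumUnchecked(a.ptr, a.length);
}

// @safe, but its body is @trusted code one call deeper.
int sumViaTrusted(const(int)[] a) @safe
{
    return sumTrusted(a);
}

// @safe with no unchecked code anywhere underneath.
int sumAllSafe(const(int)[] a) @safe
{
    int total = 0;
    foreach (x; a)
        total += x;             // bounds-checked by the compiler
    return total;
}

void main() @safe
{
    int[] data = [1, 2, 3, 4];  // constructed sample input

    // Both callees present the same @safe signature; nothing at this call
    // site reveals that one of them rests on @trusted (i.e. unchecked) code.
    assert(sumViaTrusted(data) == sumAllSafe(data));

    // What a @safe caller *can* see: it is not allowed to reach @system
    // code directly. The check below fails to compile, as intended.
    static assert(!__traits(compiles, () @safe { sumUnchecked(null, 0); }));
}
```

To find every place where checking stops, one has to grep the bodies of sumViaTrusted's transitive callees for @trusted, which is exactly the "complete source" requirement the reply describes; moving @trusted into the signature of sumTrusted does not change what sumViaTrusted's signature reveals.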


More information about the Digitalmars-d mailing list