@trusted considered harmful

David Nadlinger see at klickverbot.at
Sat Jul 28 07:41:25 PDT 2012


On Saturday, 28 July 2012 at 14:02:44 UTC, Andrei Alexandrescu wrote:
>> But the much bigger problem is that @trusted doesn't play well with
>> template attribute inference and makes it much too easy to accidentally
>> mark a function as safe to call if it really isn't. Both things are a
>> consequence of the fact that it can be applied at the function level
>> only; there is no way to apply it selectively to only a part of the
>> function.
>
> This could be a more serious problem. Could you please write a
> brief example that shows attribute deduction messing things up?
> I don't understand how marking a template as @trusted is bad.

See the std.uuid discussion I linked in the original post for a 
real-world example of this bug.

The gist is: You can't ever mark a function which can end up 
executing code coming from a template parameter, for example a 
function accepting a range, as @trusted, because then you would 
vouch for all the passed-in code as well, which might be @system. 
[1]

Template parameters which just supply data are obviously not a 
problem.

David


[1] Unless you explicitly check whether the passed code is @safe, 
that is. If you go down this route, though, you need to duplicate 
the function declaration, which isn't pretty. See 
std.range.RefRange.save for an example of this.
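The following D snippet is an added illustration of the point made in this post and its footnote; it is not code from the post, from std.uuid or from std.range. The names SystemRange, sumTrusted, sumInferred, sumNarrowed and sumChecked are made up for the example, and the @system range is constructed to stand in for any user-supplied range whose primitives are not @safe.

```d
// Added example: why @trusted on a whole template vouches for code the
// template parameter supplies, and the two remedies the post hints at.
import std.range : isInputRange;
import std.traits : isSafe;

// A constructed input range whose primitives are deliberately @system.
struct SystemRange
{
    int[] data;
    @system int front() { return data[0]; }
    @system void popFront() { data = data[1 .. $]; }
    @safe bool empty() { return data.length == 0; }
}

// Problem: @trusted on the whole template. The author has now vouched
// for R.front and R.popFront, whatever the instantiating type provides,
// so a @safe caller can reach @system code through this function.
int sumTrusted(R)(R r) @trusted if (isInputRange!R)
{
    int s = 0;
    for (; !r.empty; r.popFront())
        s += r.front;
    return s;
}

// Remedy 1: leave the attribute off and let inference decide per
// instantiation. With SystemRange this becomes @system and is rejected
// from a @safe caller, which is the desired outcome.
int sumInferred(R)(R r) if (isInputRange!R)
{
    int s = 0;
    for (; !r.empty; r.popFront())
        s += r.front;
    return s;
}

// Remedy 1, continued: if the template body itself contains a small
// operation that needs vouching for, wrap only that part in a @trusted
// lambda. The range primitives stay subject to inference.
int sumNarrowed(R)(R r) if (isInputRange!R)
{
    int[4] scratch;                  // hypothetical local buffer
    int* p = scratch.ptr;
    int s = 0;
    for (; !r.empty; r.popFront())
        s += r.front;
    // Only this pointer access is vouched for; the loop above is not.
    return s + () @trusted { return p[0]; }();
}

// Remedy 2 (the footnote): check that the passed-in code is @safe before
// applying @trusted. This forces the declaration to be duplicated, one
// overload per outcome, which is exactly the ugliness the footnote notes.
private enum hasSafePrimitives(R) =
    isSafe!((R x) { return x.front; }) &&
    isSafe!((R x) { x.popFront(); }) &&
    isSafe!((R x) { return x.empty; });

int sumChecked(R)(R r) @trusted
if (isInputRange!R && hasSafePrimitives!R)
{
    int s = 0;
    for (; !r.empty; r.popFront())
        s += r.front;
    return s;
}

int sumChecked(R)(R r) @system
if (isInputRange!R && !hasSafePrimitives!R)
{
    int s = 0;
    for (; !r.empty; r.popFront())
        s += r.front;
    return s;
}

@safe void caller()
{
    auto r = SystemRange([1, 2, 3]);
    int a = sumTrusted(r);     // compiles: @system primitives smuggled into @safe
    // int b = sumInferred(r); // error: inferred @system, not callable from @safe
    // int c = sumNarrowed(r); // error: same, only the lambda is @trusted
    // int d = sumChecked(r);  // error: @system overload selected
}
```

The instructive comparison is sumTrusted against sumInferred: the bodies are identical, and the only difference is whether the author or the compiler decides what the instantiation's attribute is. Once a template's body runs code chosen by the caller, that decision has to be left to inference, with @trusted confined to the operations the template itself performs.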

