@trusted considered harmful

deadalnix deadalnix at gmail.com
Sun Jul 29 14:37:44 PDT 2012


On 28/07/2012 02:08, David Nadlinger wrote:
> As an example of how this is problematic, consider that you are writing a
> function which takes some generic input data, and needs to do (unsafe)
> low-level buffer handling internally to efficiently do its job. You come
> up with a first implementation, maybe only accepting arrays for the sake
> of getting it working quickly, and add @trusted as your dirty buffer
> magic isn't visible from the outside, but does break attribute
> inference. Later, you decide that there is no reason not to take other
> range types as input. Fortunately, the actual implementation doesn't
> require any changes, so you just modify the template constraint as
> needed, and you are good. Well, no – you've just completely broken all
> safety guarantees for every program which calls your function, because
> empty/front/popFront of the passed range might be @system.
>
> Now, you might argue that this is a contrived scenario. Yes, the mistake
> could have easily been avoided, @trusted on a template declaration should
> always raise a red flag.

Run into that exact same problem this week. +1
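
The failure mode described in the quoted message, next to one way of confining `@trusted`, as an added example in D that is not part of the original thread. `SystemRange`, `sumTrusted` and `sumInferred` are hypothetical names, and the scratch buffer is a constructed stand-in for the low-level buffer handling.

```d
import std.range.primitives : isInputRange, ElementType, empty, front, popFront;
// Constructed range with @system primitives (hypothetical, for illustration).
struct SystemRange
{
    int* p; size_t n;
    @property bool empty() const @system { return n == 0; }
    @property int front() @system { return *p; }   // unchecked dereference
    void popFront() @system { ++p; --n; }
}

// Problematic: @trusted on the template also vouches for R's primitives.
int sumTrusted(R)(R r) @trusted
    if (isInputRange!R && is(ElementType!R : int))
{
    int[16] buf = void;
    int total;
    for (size_t i; !r.empty; r.popFront(), ++i)
    {
        buf.ptr[i % buf.length] = r.front;          // unchecked write
        total += buf.ptr[i % buf.length];
    }
    return total;
}

// Confined: no attribute on the template, so safety is inferred per
// instantiation; only the pointer write is marked @trusted.
int sumInferred(R)(R r)
    if (isInputRange!R && is(ElementType!R : int))
{
    int[16] buf = void;
    int total;
    for (size_t i; !r.empty; r.popFront(), ++i)
    {
        immutable int v = r.front;
        immutable size_t slot = i % buf.length;     // always < buf.length
        () @trusted { buf.ptr[slot] = v; }();
        total += buf[slot];
    }
    return total;
}

void main() @safe
{
    // The hole: @safe code may call the @trusted instance over a @system range.
    static assert( __traits(compiles, () @safe => sumTrusted(SystemRange.init)));
    // The inferred version is @system for that range, so @safe code is refused.
    static assert(!__traits(compiles, () @safe => sumInferred(SystemRange.init)));
    assert(sumInferred([1, 2, 3]) == 6);            // still @safe for arrays
}
```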

