The "@safe vs struct destructor" dilemma

Dicebot public at dicebot.lv
Sun Apr 13 06:02:56 PDT 2014


On Sunday, 13 April 2014 at 01:30:59 UTC, Nick Sabalausky wrote:
> // Note, I meant for trustedWrapperWhatever to be private
> // and placed together with doStuff. Obviously not a public
> // func provided by foo's author.
> @trusted private auto trustedWrapperFoo(...) {...}

Still accessible by other functions in the same module unless you 
keep each @trusted function in its own module.

> ----------------------------------
>
> Then how could this possibly be any better?:
>
> ----------------------------------
> @system auto foo() {...}
>
> @trusted void doStuff() {
>     ...stuff...
>     foo();
>     ...stuff...
> }
> ----------------------------------
>
> The former contains extra safety checks (ie, for everything in 
> "...stuff...") that the latter does not. The former is 
> therefore better.

Because @system does not give any guarantees. It is expected by 
the type system that calling such a function can do anything horrible. 
@trusted, however, is expected to be 100% equivalent to @safe, 
with the only exception that its safety can't be verified by the 
compiler. Any @trusted function, from the type system's point of 
view, can be used in any context where @safe can be used.

It is your personal responsibility as a programmer to verify 100% 
safety of each @trusted function you write; otherwise anything 
can go wrong and the writer will be the only one to blame.
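The two points made in this reply, that `private` does not hide a @trusted wrapper from other functions in the same module, and that the type system treats a @trusted call exactly like a @safe one while a @trusted body itself is unchecked, as a self-contained D example. This is added illustration, not code from the thread; the names `rawFoo`, `trustedWrapperFoo`, `doStuff`, `sneaky`, `freeIt` and `doStuffUnchecked` are invented for it.

```d
// Added example (not from the original thread). Names are invented.
module trustedwrapper;

import core.stdc.stdlib : malloc, free;

// A @system function: the type system assumes calling it may do anything.
@system void* rawFoo(size_t n)
{
    return malloc(n);
}

// Intended as a private helper used only by doStuff. 'private' hides it
// from other modules, but NOT from other functions in this module.
@trusted private void* trustedWrapperFoo(size_t n)
{
    return rawFoo(n);   // the wrapper's author vouches for this call
}

// Everything in "...stuff..." is still compiler-checked, because doStuff
// is @safe and only the one @trusted call is exempt from checking.
@safe void doStuff()
{
    auto p = trustedWrapperFoo(16);
    // Pointer arithmetic on p here would be rejected by the compiler.
    freeIt(p);
}

// Any other function in the same module can reach the wrapper too, so
// the "private" qualifier does not limit who relies on its @trusted claim.
@safe void sneaky()
{
    auto p = trustedWrapperFoo(32);   // compiles: private is module-scoped
    freeIt(p);
}

// free() is @system, so releasing memory from @safe code needs a
// @trusted wrapper as well; again, the author is responsible for it.
@trusted void freeIt(void* p)
{
    free(p);
}

// Marking the whole function @trusted instead: nothing in its body is
// checked any more, not just the foo() call.
@trusted void doStuffUnchecked()
{
    auto p = rawFoo(16);
    int* q = cast(int*) p;
    q += 1;          // accepted without complaint inside a @trusted body
    free(p);
}

void main()
{
    doStuff();
    sneaky();
    doStuffUnchecked();
}
```

Compile with `dmd trustedwrapper.d`; moving `trustedWrapperFoo` into its own module and importing it from here is what makes `sneaky()` lose access to it, which is the point of the first sentence of the reply.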

