The "@safe vs struct destructor" dilemma
Dicebot
public at dicebot.lv
Sun Apr 13 06:02:56 PDT 2014
On Sunday, 13 April 2014 at 01:30:59 UTC, Nick Sabalausky wrote:
> // Note, I meant for trustedWrapperWhatever to be private
> // and placed together with doStuff. Obviously not a public
> // func provided by foo's author.
> @trusted private auto trustedWrapperFoo(...) {...}
Still accessible by other functions in the same module unless you
keep each @trusted function in its own module.
> ----------------------------------
>
> Then how could this possibly be any better?:
>
> ----------------------------------
> @system auto foo() {...}
>
> @trusted void doStuff() {
> ...stuff...
> foo();
> ...stuff...
> }
> ----------------------------------
>
> The former contains extra safety checks (i.e., for everything in
> "...stuff...") that the latter does not. The former is
> therefore better.
Because @system does not give any guarantees. It is expected by
the type system that calling such a function can do anything horrible.
@trusted, however, is expected to be 100% equivalent to @safe
with the only exception that its safety can't be verified by
the compiler. Any @trusted function, from the type system's point of
view, can be used in any context where @safe can be used.
It is your personal responsibility as a programmer to verify 100%
safety of each @trusted function you write, otherwise anything
can go wrong and the writer will be the only one to blame.
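
The distinction discussed in this message, as an added D example that is not part of the original post: a private @trusted wrapper whose safety depends on its arguments, next to a @trusted function that is safe for every input. All function names and the sample data are hypothetical.

```d
import std.stdio : writeln;

// @system: the type system assumes nothing about what this does.
@system int rawRead(const(int)* p, size_t i) { return p[i]; }

// Wrapper in the style of the quoted post. It is private, but every
// @safe function in this module can still call it, and whether the
// read is in bounds depends entirely on what the caller passes.
@trusted private int leakyWrapper(const(int)[] data, size_t i)
{
    return rawRead(data.ptr, i); // no bounds check
}

// A @trusted function with an interface that is safe for any input:
// the explicit check guarantees the unchecked read stays in range.
@trusted int checkedRead(const(int)[] data, size_t i)
{
    if (i >= data.length)
        throw new Exception("index out of range");
    return rawRead(data.ptr, i);
}

// The compiler verifies this body and accepts the call to
// checkedRead because @trusted is treated like @safe by callers.
@safe int sumFirst(const(int)[] data, size_t n)
{
    int total = 0;
    foreach (i; 0 .. n)
        total += checkedRead(data, i);
    return total;
}

// This also compiles as @safe: the compiler takes leakyWrapper's
// @trusted attribute at its word. Calling it would read far past
// the end of the slice, so the bug is in the wrapper, not here.
@safe int misuse(const(int)[] data)
{
    return leakyWrapper(data, 1000);
}

void main()
{
    int[] values = [1, 2, 3, 4]; // constructed sample data
    writeln(sumFirst(values, 4));
    // misuse(values) is deliberately not called.
}
```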