Encapsulating trust

Dicebot via Digitalmars-d digitalmars-d at puremagic.com
Mon Sep 1 11:31:57 PDT 2014


On Monday, 1 September 2014 at 18:29:32 UTC, Daniel Murphy wrote:
> "monarch_dodra"  wrote in message 
> news:wvslfmdauwupzioryhgq at forum.dlang.org...
>
>> I meant it mostly in that the proposal to mark the entire 
>> function as @trusted isn't even *applicable* to template 
>> functions.
>
> That isn't what I was proposing.  Using a trusted nested or 
> lambda function is fine, but it should not be possible to 
> violate @safe by changing only the enclosing function.
>
> e.g. making a trustedMemcpy is just as much a violation of @safe 
> as marking the actual memcpy as @safe.  It still relies on the 
> calling function being manually verified not to call it 
> incorrectly.  If your calling function needs to be manually 
> verified, it should be @trusted.  If it can't be manually 
> verified, it should be @system.

The idea is that you move not only the actual unsafe operation into 
the @trusted lambda but also any additional context that makes it 
effectively @safe, separating it from the rest of the function.

It is not that trivial to spot, though, so some mistakes are 
inevitable.
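The contrast the thread is drawing, as an added D example that is not code from the thread or from any project discussed in it: `trustedMemcpy` only relabels `memcpy`, so every @safe caller still has to be read by hand to confirm the sizes match, whereas in `copyInto` the length check that makes the raw call safe sits inside the @trusted lambda, so no edit confined to the surrounding @safe code can silently break memory safety. The function names `trustedMemcpy` and `copyInto` and the buffers in `main` are assumptions made up for the illustration.

```d
// Added example, not from the thread. Demonstrates "encapsulating trust":
// the @trusted scope carries the invariant that makes the unsafe call safe.
import core.stdc.string : memcpy;

// Pattern the thread warns against (hypothetical name): this merely relabels
// memcpy. Any @safe caller can pass an `n` larger than either buffer and the
// compiler accepts it, so each call site still needs manual verification.
void trustedMemcpy(void* dst, const(void)* src, size_t n) @trusted
{
    memcpy(dst, src, n);
}

// Encapsulated pattern (hypothetical name): the check that justifies the raw
// memcpy lives inside the @trusted lambda together with the call itself.
// Changing only the enclosing @safe code cannot remove that check, so the
// enclosing function stays honestly @safe rather than needing to be @trusted.
void copyInto(ubyte[] dst, const(ubyte)[] src) @safe
{
    () @trusted {
        // Explicit runtime check instead of assert, so it survives -release.
        if (dst.length < src.length)
            throw new Exception("destination too small");
        memcpy(dst.ptr, src.ptr, src.length);
    }();
}

void main() @safe
{
    ubyte[4] buf;                              // constructed sample buffers
    const(ubyte)[] payload = [1, 2, 3];
    copyInto(buf[], payload);                  // bounds enforced inside the lambda
    assert(buf[0 .. 3] == payload);

    // For comparison, `trustedMemcpy(buf.ptr, payload.ptr, 100)` would also
    // compile here as @safe code, which is exactly the problem: the @safe
    // label on main would be lying, and only a human review would catch it.
}
```

The rule of thumb that falls out of this: whatever the @trusted block relies on to be correct (sizes, alignment, lifetime) should be checked or established inside that block, not assumed about the caller.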
