misplaced @trust?

Zach the Mystic via Digitalmars-d digitalmars-d at puremagic.com
Thu Feb 5 10:56:02 PST 2015


On Thursday, 5 February 2015 at 18:21:40 UTC, Steven Schveighoffer wrote:
> On 2/5/15 1:12 PM, Zach the Mystic wrote:
>
>>
>> Hey I like the creativity you're showing. Just to give people a concrete
>> idea, you might show some sample code and illustrate how things work. It
>> sure helps when I'm trying to think about things.
>
> So for example:
>
> @safe int *foo()
> {
>    int *x;
>    int *y;
>    int z;
>    x = new int; // ok
>    //y = &z; // not OK
>    @trusted y = &z; // OK, but now y is marked as @trusted
>    // return y; // not OK, cannot return @trusted pointer in @safe function
>    return cast(@safe)y; // ok, we are overriding the compiler.
>    // and of course return x; would be ok
> }
>
> -Steve

`cast(@safe)`...interesting. It's the most fine-tuned way of 
adding safety, whereas @trusting a whole function is the most 
blunt way.

I've been hatching a scheme for reference safety in my head which 
would automatically track `@trusted y = &z;` above, marking `y` 
with "scopedepth(1)", which would be unreturnable in @safe code.

I can anticipate the objection that giving people too much power 
will encourage them to abuse it... but then again, if that were 
true, who let them mark the whole function `@trusted` to begin 
with? Your proposal really pinpoints the actual code which needs 
to be worked on.

You're basically moving the unit of safety from the *function* to 
the *pointer*, which makes sense to me, since only a pointer can 
really be unsafe.
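As an added illustration (not code from this thread, and not Steve's proposed `cast(@safe)` syntax, which does not exist in D), here is what "whole function `@trusted`" versus a narrowed trusted region looks like in D as it exists today. The function names `sumBlunt` and `sumNarrow` are made up for the example; the narrowing uses the immediately-invoked `@trusted` delegate idiom, which confines the unchecked code to the two C calls while the rest of the body stays under `@safe` checking.

```d
module trustedscope;

import core.stdc.stdlib : malloc, free;

// Blunt: the whole function is @trusted, so the compiler checks nothing in it,
// including the loops that have no reason to be unchecked.
@trusted int sumBlunt(const int[] values)
{
    int* buf = cast(int*) malloc(int.sizeof * values.length);
    if (buf is null) return 0;          // malloc(0) may legitimately return null
    scope(exit) free(buf);
    foreach (i, v; values) buf[i] = v;  // unchecked pointer arithmetic
    int total;
    foreach (i; 0 .. values.length) total += buf[i];
    return total;
}

// Narrow: the function stays @safe. Only the allocation and the free are
// wrapped in @trusted delegates, and the allocation delegate hands back a
// bounds-checked slice, so the safe body never touches a raw pointer.
@safe int sumNarrow(const int[] values)
{
    int[] buf = () @trusted {
        auto p = cast(int*) malloc(int.sizeof * values.length);
        return p is null ? null : p[0 .. values.length];
    }();
    if (buf is null) return 0;
    scope(exit) () @trusted { free(buf.ptr); }();  // .ptr is @system, hence the wrapper
    buf[] = values[];                   // compiler-checked, bounds-checked copy
    int total;
    foreach (v; buf) total += v;
    return total;
}

unittest
{
    // Constructed sample input: both variants must agree.
    assert(sumBlunt([1, 2, 3]) == 6);
    assert(sumNarrow([1, 2, 3]) == 6);
    assert(sumNarrow([]) == 0);
}
```

Compile and run with `dmd -unittest -main -run trustedscope.d`; the point of the comparison is that a bug in `sumBlunt`'s loops goes unchecked, while the same loops in `sumNarrow` are rejected by the compiler if they stray outside `@safe`.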
