@trust is an encapsulation method, not an escape

Walter Bright via Digitalmars-d digitalmars-d at puremagic.com
Thu Feb 5 16:04:24 PST 2015


On 2/5/2015 3:43 PM, Dicebot wrote:
> The fact that @trusted is contained in a small block doesn't mean the rest of the @safe
> function doesn't need to be reviewed. The only difference is "review all manually"
> vs "review all manually with some help of the compiler".

I did a review of all uses of @trusted in std.array:

   https://issues.dlang.org/show_bug.cgi?id=14127

About 90% of them resulted in the injection of unsafe code into safe functions, 
requiring a safety review of those allegedly mechanically checkable functions.

This is an abject failure of the technique of using @trusted as an escape rather 
than as encapsulation.

By definition, if an @trusted function presents itself with a safe interface, 
the calling code does not have to be reviewed. And reviewing the interface is a 
heluva lot easier than the whole rest of the code.
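The distinction drawn above, as an added illustration in D (this is not code from the post or from std.array; the function names and the memmove wrapper are invented for the example):

```d
import core.stdc.string : memmove;

// Escape pattern: the @trusted lambda only skips the bounds check. Whether
// it is actually safe depends on the `if` in the surrounding @safe code,
// so the whole function, not just the lambda, has to be reviewed.
void copyEscape(int[] dst, const(int)[] src) @safe
{
    if (dst.length >= src.length)   // change this to `>` and the lambda overflows
        (() @trusted { memmove(dst.ptr, src.ptr, src.length * int.sizeof); })();
}

// Encapsulation pattern: the precondition the unsafe call relies on is
// checked inside the @trusted function itself, so no argument a @safe
// caller can pass leads to memory corruption. Reviewing this function
// (interface plus body) is sufficient; its callers need no review.
void copyEncapsulated(int[] dst, const(int)[] src) @trusted
{
    if (src.length > dst.length)
        throw new Exception("destination too small");
    memmove(dst.ptr, src.ptr, src.length * int.sizeof);
}

void main() @safe
{
    int[4] src = [1, 2, 3, 4];
    int[4] dst;
    copyEncapsulated(dst[], src[]);
    assert(dst == src);

    int[2] small;
    try { copyEncapsulated(small[], src[]); assert(0); }
    catch (Exception) {}   // rejected at the interface instead of corrupting memory
}
```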
