@trust is an encapsulation method, not an escape

via Digitalmars-d digitalmars-d at puremagic.com
Thu Feb 5 21:00:15 PST 2015


On Thursday, 5 February 2015 at 23:39:39 UTC, Walter Bright wrote:
>   static void trustedMemcopy(T[] dest, T[] src) @trusted
>   {
>     assert(src.length == dest.length);
>     memcpy(dest.ptr, src.ptr, src.length * T.sizeof);
>   }
>
> I don't have to review callers of trustedMemory() because it 
> encapsulates an unsafe operation (memcpy) with a safe interface.

It might have done so if it ensured that T was a proper value 
type, but unfortunately D's type system is not strong enough.

What happens if T is a unique_ptr style reference? Ouch, two 
unique references to the same object. Ouch, memory unsafe.

@safe is a leaky cauldron and will continue to be so until you 
provide a proof of language constructs and how they interact. The 
only sane way to do that is to do the proof over a simplified 
virtual machine and map all language constructs to it.
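The aliasing the reply describes, worked through as an added example that is not part of this thread or of D's own code. It is written in C++ rather than D so that the ownership duplication can be run: `trustedMemcopy` transliterates the quoted wrapper, `UniqueHandle` is a constructed unique_ptr-style handle that records ownership on a `Resource`, and `IsBitwiseCopyable`, `checkedMemcopy` and `moveElements` are hypothetical names for the check and the element-wise transfer the wrapper would need before its interface could be called safe for every `T`.

```cpp
#include <cstddef>
#include <cstring>
#include <type_traits>

// Constructed example: a resource that records how many handles claim to own it
// and how many times it has been released.
struct Resource {
    int live_owners = 0;
    int releases = 0;
};

// Unique-ownership handle in the unique_ptr style. Its bits are just a pointer, so a
// byte-wise copy is perfectly legal to the compiler, which is exactly the trap: the
// type carries no information that copying it duplicates ownership.
struct UniqueHandle {
    Resource* res = nullptr;
};

UniqueHandle acquire(Resource& r) {
    ++r.live_owners;
    return UniqueHandle{&r};
}

void release(UniqueHandle& h) {
    if (h.res == nullptr) return;
    --h.res->live_owners;
    ++h.res->releases;   // a second release of the same resource is the "double free"
    h.res = nullptr;
}

// The quoted wrapper, transliterated: length is the caller's responsibility here,
// and the memcpy accepts any T whatsoever.
template <typename T>
void trustedMemcopy(T* dest, const T* src, std::size_t n) {
    std::memcpy(dest, src, n * sizeof(T));
}

// Trait the wrapper should consult (hypothetical): trivially copyable by default,
// with an explicit opt-out for types whose ownership semantics the type system
// cannot see. A handle with a user-provided destructor would already fail
// std::is_trivially_copyable; this plain-pointer handle needs the opt-out.
template <typename T>
struct IsBitwiseCopyable : std::is_trivially_copyable<T> {};
template <>
struct IsBitwiseCopyable<UniqueHandle> : std::false_type {};

// Hardened wrapper: the unsafe primitive is only reachable for types it is safe on.
template <typename T>
void checkedMemcopy(T* dest, const T* src, std::size_t n) {
    static_assert(IsBitwiseCopyable<T>::value,
                  "memcpy would duplicate ownership for this element type");
    std::memcpy(dest, src, n * sizeof(T));
}

// For owning types, transfer element by element so exactly one owner remains.
template <typename T>
void moveElements(T* dest, T* src, std::size_t n) {
    for (std::size_t i = 0; i < n; ++i) {
        dest[i] = src[i];
        src[i] = T{};
    }
}

// Bit-copy one owning handle, then release both copies: the resource is released
// twice. Returns the release count (2 = double release).
int releasesAfterBitCopy() {
    Resource r;
    UniqueHandle src[1] = { acquire(r) };
    UniqueHandle dest[1];
    trustedMemcopy(dest, src, 1);
    release(src[0]);
    release(dest[0]);
    return r.releases;
}

// Same scenario with element-wise move: exactly one release.
int releasesAfterMove() {
    Resource r;
    UniqueHandle src[1] = { acquire(r) };
    UniqueHandle dest[1];
    moveElements(dest, src, 1);
    release(src[0]);   // already empty after the move; no-op
    release(dest[0]);
    return r.releases;
}

// Plain value types are what the memcpy wrapper is actually safe for.
int sumAfterCheckedCopy() {
    int src[3] = {1, 2, 3};
    int dest[3] = {0, 0, 0};
    checkedMemcopy(dest, src, 3);
    return dest[0] + dest[1] + dest[2];
}
```

`releasesAfterBitCopy()` returns 2 while `releasesAfterMove()` returns 1; calling `checkedMemcopy` on a `UniqueHandle` array does not compile at all, which is the point: the unsafe primitive stays reachable only for element types on which a byte copy preserves the ownership invariant.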
