@trust is an encapsulation method, not an escape

Tobias Müller via Digitalmars-d digitalmars-d at puremagic.com
Fri Feb 6 08:03:27 PST 2015


"Ola Fosheim Grøstad" <ola.fosheim.grostad+dlang at gmail.com> wrote:
> On Friday, 6 February 2015 at 13:28:59 UTC, Steven Schveighoffer wrote:
>> The bottom line of my reasoning is that code changes over time, by
>> different people. Context is forgotten. It's much better to have the
>> compiler verify you know what you are doing when working with @trusted
>> than it is to just allow anyone to inject code anywhere.
> 
> Actually, I think this argument goes against what you are arguing for.
> Anything within a @trusted section has a big warning sign attached to it
> that says "cannot modify this without detailed review". But the compiler
> cannot verify that a @safe function with local @trusted blocks is
> actually safe, so it only buys you a false sense of security.

I'd go even further:
The compiler could even make optimizations in @safe code based on the
assumption that all @trusted function calls expose a safe interface. I
suspect this will lead to undefined behavior and very subtle bugs.
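
The trade-off debated in this thread, as an added example that is not part of the original post or of any D project code: a @safe function whose local @trusted block depends on a check in the surrounding @safe code, next to a function that keeps the check and the unchecked access together. The function names and the sample array are hypothetical and constructed for illustration.

```d
// Variant A: @safe function with a local @trusted lambda.
// The lambda does unchecked pointer indexing. Its memory safety depends on
// the bounds check that lives outside it, in code the compiler labels @safe.
int readLocalTrusted(const(int)[] data, size_t i) @safe
{
    // If a later edit removes or weakens this check, the function still
    // compiles as @safe, because the compiler does not look inside the
    // @trusted lambda and cannot know the lambda relied on the check.
    if (i >= data.length)
        return -1;
    return () @trusted { return data.ptr[i]; }();
}

// Variant B: the whole function is @trusted.
// The check and the unchecked access sit inside one reviewed unit, and the
// function exposes an interface that is safe for every possible argument.
int readEncapsulated(const(int)[] data, size_t i) @trusted
{
    if (i >= data.length)
        return -1;
    return data.ptr[i];
}

void main() @safe
{
    const int[] sample = [10, 20, 30]; // constructed sample input

    // Both variants behave the same today.
    assert(readLocalTrusted(sample, 1) == 20);
    assert(readEncapsulated(sample, 1) == 20);
    assert(readLocalTrusted(sample, 3) == -1);
    assert(readEncapsulated(sample, 3) == -1);
}
```

In variant A the review boundary is the entire function even though only one line carries the @trusted marker; in variant B the marker and the review boundary coincide.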

