@trust is an encapsulation method, not an escape

David Nadlinger via Digitalmars-d digitalmars-d at puremagic.com
Fri Feb 6 09:12:39 PST 2015 

On Friday, 6 February 2015 at 16:50:51 UTC, Tobias Pankrath wrote:
> On Friday, 6 February 2015 at 16:40:10 UTC, David Nadlinger 
> wrote:
>>
>> This still does not solve the template inference problem 
>> though, unless you make it a "non- at trusted" block instead of 
>> requiring @safe-ty.
>
> Don't understand. If that matters, the code shouldn't be marked 
> @trusted
> in the first place.

Let's say you have a template function that accepts a range. For 
performance, you want to do some of the processing in a way that 
is @system, but can be verified to be correct for all inputs in 
this specific case. In other words, that piece of code can be 
rightfully @trusted. However, marking the whole function as 
@trusted would be a mistake, as the primitives of the range that 
is your input data might be @system.

Using @trusted blocks (which is what is currently emulated by the 
nested functions/lambdas), you can just mark your unsafe code as 
@trusted and let the compiler figure out the safety of the whole 
function. @safe blocks wouldn't work for this, as you'd 
inadvertently require the user-supplied input range to have 
@safe/@trusted primitives.

>> And then you'd end up with the—at least to my eyes—rather 
>> absurd situation that a template function that is marked 
>> @trusted might actually end up being @system.
>>
>> David
>
> How?

I was referring to a hypothetical "untrusted" block that might be 
used something like this:

---
void foo(Range)(Range r) @trusted {
   // ...

   untrusted {
     r.front;
   }

   // Your manually checked code.

   untrusted {
     r.popFront;
   }

   // …
}
---

This seems incredibly backwards. Not only is it confusing to 
read, it also encourages bugs where operations mistakenly end up 
being @trusted by forgetting to mark, say, an added call to 
r.empty as untrusted. On the other hand, it is much more unlikely 
that you accidentally add a new @trusted block. It seems obvious 
that explicitly whitelisting a small number of potentially 
dangerous but safe operations is much less error-prone approach 
than disabling compiler checks for everything and then having to 
remember to blacklist all unverified external dependencies.

David

More information about the Digitalmars-d mailing list