@trust is an encapsulation method, not an escape

Walter Bright via Digitalmars-d digitalmars-d at puremagic.com
Fri Feb 6 14:17:16 PST 2015


On 2/6/2015 5:28 AM, Steven Schveighoffer wrote:
> It's better because I know where it is used. It's used in one place, and I can
> squash it right there saying "No, you can't do this in this one place." Instead
> of reviewing an API in ALL POSSIBLE CONTEXTS (which if trustedCast is a public
> API, would be a lot), I have to review one call in ONE CONTEXT.
>
> The former is WORSE because it can be used in 100 places. Now I have to go
> through and fix ALL THOSE FUNCTIONS that use it, because its interface was
> exposed to the whole of phobos.

This is the crux of the problem - failing to define a safe interface to the 
trusted code block. Without defining an interface, you're right, you must review 
all the context(s) that call it. With a safe interface you DO NOT. You only have 
to review the interface.

A simple rule:

"If you need to do a safety review on the context in which @trusted code is 
called YOU ARE DOING IT WRONG because you've failed to provide a safe interface 
to the @trusted code."


It's like solving a physics problem and winding up with negative energy. If that 
happens, you made a mistake. It is not a matter of judgement or opinion, it is 
an objective fact.

Going forward, all @trusted code that leaks unsafety into its context will be 
rejected for inclusion in Phobos. The code reviewer only has to review the 
@trusted block to determine this - he does not have to review the context.
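The distinction Walter draws here, shown as an added D example (not code from this thread or from Phobos; `trustedCast` is the name used in the quoted reply, while `Buffer` and its methods are assumed for illustration). The first function is an escape hatch whose safety depends on every caller; the second does its own unsafe operation behind an interface that no @safe caller can misuse, so only its body needs review:

```d
// Added example for the @trusted-as-encapsulation rule; not from the post
// or from Phobos. Names other than trustedCast are assumptions.
import std.stdio;

// Anti-pattern: @trusted used as an escape. Whether the returned pointer is
// valid depends entirely on what the caller passes, so the unsafety leaks
// into every call site and each one would need its own safety review.
T* trustedCast(T)(void* p) @trusted
{
    return cast(T*) p;
}

// Encapsulated @trusted code: a fixed-capacity buffer whose @trusted method
// performs a raw pointer write but bounds-checks the index itself. There is
// no argument a @safe caller can supply that makes the write go out of bounds,
// so a reviewer only has to read this struct, not its callers.
struct Buffer(size_t N)
{
    private ubyte[N] data;

    // The only @system operations here are .ptr and pointer arithmetic,
    // and the check above them guarantees the pointer stays inside data.
    bool set(size_t i, ubyte v) @trusted
    {
        if (i >= N)
            return false;          // the interface itself rejects bad input
        ubyte* p = data.ptr + i;   // in range for every i that reaches here
        *p = v;
        return true;
    }

    ubyte get(size_t i) const @safe
    {
        return data[i];            // bounds-checked indexing, already @safe
    }
}

ubyte oneByte = 1;                 // module-level so its address is @safe to take

@safe unittest
{
    Buffer!4 b;
    assert(b.set(3, 0xAB));
    assert(!b.set(4, 0xCD));       // rejected by the interface, no OOB write
    assert(b.get(3) == 0xAB);
}

@safe void main()
{
    Buffer!4 b;
    b.set(0, 1);
    writeln(b.get(0));

    // This compiles in a @safe function because trustedCast is @trusted,
    // yet dereferencing p would read 3 bytes past a 1-byte object: the
    // @trusted function has leaked unsafety into its @safe context.
    // int* p = trustedCast!int(&oneByte);
    // writeln(*p);
}
```

Reviewing `Buffer.set` means checking that the bounds test makes the pointer arithmetic sound for every possible input; reviewing `trustedCast` is impossible in isolation, which is exactly the "doing it wrong" the post describes.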

