@trust is an encapsulation method, not an escape

H. S. Teoh via Digitalmars-d digitalmars-d at puremagic.com
Fri Feb 6 16:29:20 PST 2015


On Fri, Feb 06, 2015 at 04:04:48PM -0800, Walter Bright via Digitalmars-d wrote:
[...]
> I agree with Andrei in that I do not believe that reviewing a @trusted
> function, line by line, for safety is necessarily some sort of
> maintenance nightmare. If it is, then a refactoring should be
> considered to encapsulate the unsafe code in a smaller, simpler
> manner.
[...]

This does not take into the account the fact that a @trusted function
may call other, non-@trusted, functions. When one of those other
functions changes, the @trusted function necessarily needs to be
reviewed again.

However, under the current implementation, this is not done because when
the other, non-@trusted, function is modified, nobody thinks to
re-review the @trusted function. They may not even be in the same
module. There is no mechanism in place to raise a warning flag when a
@trusted function's dependencies are modified. Thus, the proof of safety
of the @trusted function has been invalidated, but trust continues to be
conferred upon it.


T

-- 
Let's call it an accidental feature. -- Larry Wall
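The situation the post describes, as an added D example that is not part of the thread or of the D project: a @trusted function whose review rests on a property of a @system callee that nothing in the type system records. The names rawCopy, copyInto and copyIntoChecked are assumed.

```d
// Added example (not from the thread). Assumed names: rawCopy, copyInto,
// copyIntoChecked. Compile with dmd or ldc2 and run.
import core.stdc.string : memcpy;
import std.stdio : writeln;

// Unsafe helper, possibly living in another module. The @trusted caller's
// review relies on one unstated contract: never write more than dstLen bytes.
@system void rawCopy(ubyte* dst, size_t dstLen, scope const(ubyte)[] src)
{
    // Version 1: the cap is what makes copyInto's @trusted review valid.
    size_t n = src.length < dstLen ? src.length : dstLen;
    memcpy(dst, src.ptr, n);
    // Hypothetical later edit (version 2): someone "simplifies" the body to
    // memcpy(dst, src.ptr, src.length). rawCopy is @system, so the compiler
    // accepts the change; copyInto still compiles unchanged, but its safety
    // proof is now wrong and @safe callers can overflow dst without any
    // warning pointing back at copyInto.
}

// Reviewed once, line by line, and marked @trusted on the strength of
// rawCopy's cap. Nothing re-flags it when rawCopy changes.
@trusted void copyInto(scope ubyte[] dst, scope const(ubyte)[] src)
{
    rawCopy(dst.ptr, dst.length, src);
}

// Mitigation: keep the single unsafe operation inside the @trusted function,
// next to the bound it depends on, so the review covers every line that can
// break it and everything outside it stays compiler-checked @safe code.
@trusted void copyIntoChecked(scope ubyte[] dst, scope const(ubyte)[] src)
{
    const n = src.length < dst.length ? src.length : dst.length;
    memcpy(dst.ptr, src.ptr, n); // the only @system call, reviewed with its bound
}

@safe void main()
{
    ubyte[4] buf;
    ubyte[8] big = [1, 2, 3, 4, 5, 6, 7, 8];
    copyInto(buf[], big[]);        // safe only while rawCopy keeps its cap
    copyIntoChecked(buf[], big[]); // safe regardless of edits elsewhere
    writeln(buf);                  // [1, 2, 3, 4]
}
```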