@trust is an encapsulation method, not an escape
Walter Bright via Digitalmars-d
digitalmars-d at puremagic.com
Fri Feb 6 16:54:26 PST 2015
On 2/6/2015 4:29 PM, H. S. Teoh via Digitalmars-d wrote:
> This does not take into the account the fact that a @trusted function
> may call other, non- at trusted, functions. When one of those other
> functions changes, the @trusted function necessarily needs to be
> reviewed again.
That's correct.
> However, under the current implementation, this is not done because when
> the other, non- at trusted, function is modified, nobody thinks to
> re-review the @trusted function. They may not even be in the same
> module. There is no mechanism in place to raise a warning flag when a
> @trusted function's dependencies are modified. Thus, the proof of safety
> of the @trusted function has been invalidated, but trust continues to be
> conferred upon it.
When the interface to an @system function is changed, all uses of that function
have to be reviewed, whether one thinks of it or not. This is part of the review
process. Having @system blocks does not alter that.
More information about the Digitalmars-d
mailing list