@trust is an encapsulation method, not an escape
via Digitalmars-d
digitalmars-d at puremagic.com
Sat Feb 7 04:11:31 PST 2015
On Saturday, 7 February 2015 at 11:32:41 UTC, Steven Schveighoffer wrote:
> The idea is that @trusted code still has to be reviewed for
> memory issues, but is mechanically checked for most of the
> function for obvious @safe violations. It limits to a degree
> the scrutiny one must apply to the @trusted function.
>
> Remember, the whole point of a @trusted function is that it's
> manually verified.
This is the wrong way to do it and this is a tooling issue, not a
language issue.
The right way to do it is this:
1. annotate the @trusted region manually where it is needed
2. mechanically verify the whole @trusted region
Of course, then you also need a theorem prover...
You are trying to do this:
1. mechanically verify the whole @trusted region
2. manually verify the whole @trusted region, but be sloppy about
it here and there
3. Ooops, we were sloppy in the wrong spot...
Not good.