Trusted Manifesto

Dicebot via Digitalmars-d digitalmars-d at puremagic.com
Mon Feb 9 02:29:24 PST 2015


On Monday, 9 February 2015 at 10:16:48 UTC, Walter Bright wrote:
> On 2/9/2015 1:36 AM, Dicebot wrote:
>>>  string toUpper(string s) @safe
>>>  {
>>>     char[] r = new char[s.length];
>>>     foreach (i, c; s)
>>>         r[i] = toUpper(c);
>>>     return cast(string)r; // <== unsafe operation
>>>  }
>>
>> Shouldn't that be `return assumeUnique(r)` instead?
>
> assumeUnique does a little more than assume the argument is 
> unique - it also casts it, which is not a necessary consequence 
> of holding a unique reference. For the purpose of this article, 
> I'd rather have the unsafe cast be explicit rather than a side 
> effect.

What I meant is that here the cast is only safe under the
assumption that the cast slice is unique (has no other
references). `assumeUnique` is supposed to communicate exactly
that to the reader in the most idiomatic manner. It would still
be inferred as @system here, so the rules won't be compromised.

>>> Introducing the 'trusted' template to be put in std.conv:
>>>
>>> @trusted auto trusted(alias fun)() { return fun(); }
>>
>> Is this guaranteed to be inlined in frontend?
>
> pragma(inline, true) is not available yet!

And this is exactly why I am asking ;) Wide usage of this idiom 
before inlining is guaranteed may result in performance 
regressions.

>> Shouldn't it better be called `system` to denote operation is 
>> not actually trusted?
>
> Andrei had the idea that one could simply grep the code for 
> 'trusted' and thereby flag the code (trusted and @trusted) that 
> merits special attention. I agreed it was a good idea.

Fine by me.
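
Added example, not part of the original post or of Phobos: the two points discussed above combined, with the `trusted` template from the thread wrapping `assumeUnique` so that only one expression leaves @safe checking. The name `upperCopy` is hypothetical, and `main` contrasts a bare cast (the mutable alias survives) with `assumeUnique` on an lvalue (the source reference is set to null).

```d
import std.ascii : toUpper;
import std.exception : assumeUnique;

// The template quoted in the thread.
@trusted auto trusted(alias fun)() { return fun(); }

// Hypothetical name, chosen to avoid clashing with std.ascii.toUpper.
string upperCopy(string s) @safe
{
    char[] r = new char[s.length];
    foreach (i, c; s)
        r[i] = toUpper(c);
    // r was allocated in this function and never escaped, so it is the
    // only reference to the buffer. That invariant is what the reviewer
    // of this line has to confirm; everything else stays compiler-checked.
    return trusted!(() => assumeUnique(r))();
}

void main()
{
    assert(upperCopy("abc") == "ABC");

    // Bare cast: the mutable reference is still live and aliases the
    // "immutable" string, so the uniqueness assumption does not hold.
    char[] buf = "abc".dup;
    string aliased = cast(string) buf;
    assert(aliased.ptr == buf.ptr);

    // assumeUnique on an lvalue performs the same cast and also nulls
    // the source reference, so no mutable alias is left in this scope.
    char[] buf2 = "abc".dup;
    string owned = assumeUnique(buf2);
    assert(buf2 is null);
    assert(owned == "abc");
}
```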

