@trust is an encapsulation method, not an escape
Steven Schveighoffer via Digitalmars-d
digitalmars-d at puremagic.com
Mon Feb 9 06:40:36 PST 2015
On 2/7/15 7:11 AM, "Ola Fosheim Grøstad
<ola.fosheim.grostad+dlang at gmail.com>" wrote:
> You are trying to do this:
>
> 1. mechanically verify the whole @trusted region
>
> 2. manually verify the whole @trusted region, but be sloppy about it
> here and there
>
> 3. Ooops, we were sloppy in the wrong spot...
No.
A @trusted function is manually verified, period.
But we also must tag potential points of leakage with @system. In fact,
it probably could be a warning/error if you have a @trusted function
without any @system escapes (it could just be marked @safe).
Think of it this way: the @system tags are the only places where issues
can creep into the function. But then you have to apply the leaks to the
whole function. It makes the problem of finding potential safety issues
more tractable, because the compiler forces us to identify the root causes.
-Steve
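The layout Steve describes, a manually verified region whose @system escape points are explicitly marked so the compiler checks everything else, is close to what D already expresses with nested @trusted lambdas inside a @safe function. The following is an added illustration, not code from the post or from the D standard library; the module and function names are made up for the example.

```d
module trusted_escapes; // hypothetical module name for this added example

import core.stdc.stdlib : malloc, free;
import core.exception : onOutOfMemoryError;

/// Squares every element into a freshly allocated C-heap buffer and returns
/// the slice. The function body is @safe-checked; only the two spots where
/// memory safety rests on a manual argument are wrapped in @trusted lambdas.
/// Those lambdas are the "@system escapes" of the region: if a safety bug
/// creeps in, it must be at one of them.
int[] squaresOnCHeap(const int[] xs) @safe
{
    // Escape 1: raw allocation. Manual argument: xs already occupies
    // xs.length * int.sizeof bytes, so the multiplication cannot overflow.
    int* buf = (() @trusted {
        auto p = cast(int*) malloc(xs.length * int.sizeof);
        if (p is null) onOutOfMemoryError();
        return p;
    })();

    // Escape 2: pointer + length to slice. Manual argument: buf points to
    // exactly xs.length ints, so the slice bounds match the allocation.
    int[] result = (() @trusted => buf[0 .. xs.length])();

    // Everything below is ordinary @safe code: bounds-checked indexing,
    // no pointer arithmetic, so the compiler verifies it for us.
    foreach (i, x; xs)
        result[i] = x * x;
    return result;
}

/// Releases a buffer obtained from squaresOnCHeap. The whole function is
/// the escape: free() takes a raw pointer. Manual argument: the slice came
/// from malloc above and the caller's reference is nulled to prevent reuse.
void releaseSquares(ref int[] buf) @trusted
{
    free(buf.ptr);
    buf = null;
}

void main() @safe
{
    int[] sq = squaresOnCHeap([1, 2, 3, 4]);
    assert(sq == [1, 4, 9, 16]);
    releaseSquares(sq);
    assert(sq is null);
}
```

Reviewing this function for safety means reading the two lambdas and releaseSquares, not the loop; that is the tractability gain the post argues for.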