Is @trusted the wrong direction?

Jonathan M Davis newsgroup.d at jmdavisprog.com
Sat Nov 9 18:33:09 UTC 2019


On Saturday, November 9, 2019 9:22:05 AM MST Dominikus Dittes Scherkl via 
Digitalmars-d wrote:
> I always thought trusted functions shouldn't be a thing. Almost
> never a whole function needs to be trusted, but only a few lines
> of code. What we need instead are trusted blocks. Those can be
> simulated with anonymous nested functions, but the syntax is ugly
> as hell while complete trusted functions should be forbidden.

Really, the fact that @trusted is at the function level is just an
unnecessary complication. From the caller's perspective, @safe and @trusted
are identical. Whether the function has been vetted for memory safety by the
compiler or by a programmer doesn't matter to the caller. So, the fact that
there's an API difference just causes problems (though fortunately, it's
really just metaprogramming that's negatively affected by it).

I think that it would definitely be a good idea to add @trusted blocks of
some kind to the language, but what that should look like is an open
question. I also don't know how easy it would be to convince Walter to
accept such a DIP, since I don't know what he currently thinks about the
issue. For the moment, using @trusted lambdas is the best that we have, but
yeah, it's ridiculously verbose and ugly. It also can cause bugs when you
forget to call the lambda. Either way, using @trusted on non-lambda
functions should usually be discouraged. Sometimes, it does make sense to
use @trusted on large blocks of code, but most of the time, it doesn't, and
it makes it a lot harder to figure out what exactly was @system that needed
to be @trusted when a lot of code was @trusted at once.

- Jonathan M Davis
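
The two styles discussed in this message, as an added D example that is not part of the original post. The names `countZeros`, `zerosTrustedFn` and `zerosTrustedLambda` are hypothetical, and the sample data is constructed.

```d
import std.stdio : writeln;

// Hypothetical @system routine: trusts the caller that p points at n readable bytes.
size_t countZeros(const(ubyte)* p, size_t n) @system
{
    size_t c;
    foreach (i; 0 .. n)
        if (p[i] == 0) ++c;
    return c;
}

// Whole function @trusted: the compiler would accept a @system operation
// on any line of this body, so a reviewer has to vet all of it.
size_t zerosTrustedFn(const(ubyte)[] buf, size_t skip) @trusted
{
    auto tail = buf[skip .. $];
    return countZeros(tail.ptr, tail.length);
}

// @safe function with an immediately invoked @trusted lambda: only the
// one expression that touches the raw pointer needs manual vetting.
size_t zerosTrustedLambda(const(ubyte)[] buf, size_t skip) @safe
{
    auto tail = buf[skip .. $];   // still checked as @safe
    return (() @trusted => countZeros(tail.ptr, tail.length))();
}

void main() @safe
{
    const(ubyte)[] data = [1, 0, 0, 7, 0];   // constructed sample input

    // A @safe caller uses both functions the same way.
    assert(zerosTrustedFn(data, 1) == 3);
    assert(zerosTrustedLambda(data, 1) == 3);

    // Forgetting the trailing () leaves a delegate, not a count.
    auto notCalled = () @trusted => countZeros(data.ptr, data.length);
    static assert(is(typeof(notCalled) == delegate));
    static assert(!is(typeof(notCalled) == size_t));

    writeln(zerosTrustedLambda(data, 1));
}
```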




