Is @trusted the wrong direction?
schveiguy at gmail.com
Mon Nov 11 16:01:05 UTC 2019
On 11/9/19 11:22 AM, Dominikus Dittes Scherkl wrote:
> I always thought trusted functions shouldn't be a thing. Almost never does a
> whole function need to be trusted, but only a few lines of code. What we
> need instead are trusted blocks. Those can be simulated with anonymous
> nested functions, but the syntax is ugly as hell, while complete trusted
> functions should be forbidden.
Yeah, it would be nicer. But the sad part is that a @safe function with
@trusted pieces STILL has to be completely manually verified. Because a
@trusted lambda can muck with the guarantees of the @safe parts inside
the lambda. In essence, a function boundary is the correct place,
because that's where the safety guarantees are defined.
What a @safe function with @trusted parts DOES do is help the focus of
the review. You can look at the trusted lambda and reason about what
possible safety problems could arise from it, then check all the safe
code to see if those cases happen.
I'd still be in favor of a less verbose trusted block syntax. Not only
for the brevity, but also because relying on the optimizer/inliner to
properly write the code seems like a code smell.
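To make the point about review focus concrete, here is an added D example; it is not code from the thread or from anyone in it, and the function names and the deliberate bug are constructed. It shows a @safe function whose only @trusted piece is a lambda, and why the @safe code after that lambda still has to be reviewed.

```d
// Added example (not from the thread). A @safe function whose only
// @trusted piece is a lambda. Both the lambda and the @safe indexing
// after it compile, yet the function is not memory safe: the @trusted
// lambda hands back a slice one element longer than the real storage,
// so the bounds check in the @safe code is checking against a lie.
// This is why the whole function, not only the lambda, needs review.
@safe int lastElement(int[] arr)
{
    // Reviewer's focus: what can this lambda hand back to the @safe code?
    // Here it returns an over-long slice (the constructed bug).
    int[] view = () @trusted { return arr.ptr[0 .. arr.length + 1]; }();

    // Bounds-checked, as @safe requires, but against view.length, which
    // overstates the underlying storage by one: this reads past the end.
    return view[view.length - 1];
}

// Corrected version: the trusted surface is the same size, but what it
// returns now matches the storage it was given, so a reviewer can verify
// the lambda in isolation and then rely on the @safe code that follows.
@safe int lastElementFixed(int[] arr)
{
    int[] view = () @trusted { return arr.ptr[0 .. arr.length]; }();
    // On an empty input this is a bounds-check failure (RangeError),
    // which is the @safe outcome: an error, not a silent out-of-bounds read.
    return view[view.length - 1];
}

void main()
{
    import std.stdio : writeln;
    int[] data = [1, 2, 3];
    writeln(lastElementFixed(data)); // prints 3
    // lastElement(data) would read one int past the end of data's storage.
}
```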