Is @trusted the wrong direction?

Steven Schveighoffer schveiguy at
Mon Nov 11 16:01:05 UTC 2019

On 11/9/19 11:22 AM, Dominikus Dittes Scherkl wrote:
> I always thought trusted functions shouldn't be a thing. Almost never a 
> whole function need to be trusted, but only a few lines of code. What we 
> need instead are trusted blocks. Those can be simulated with anonymous 
> nested functions, but the syntax is ugly as hell while complete trusted 
> functions should be forbidden.

Yeah, it would be nicer. But the sad part is that a @safe function with 
@trusted pieces STILL has to be completely manually verified. Because a 
@trusted lambda can muck with the guarantees of the @safe parts inside 
the lambda. In essence, a function boundary is the correct place, 
because that's where the safety guarantees are defined.

What a @safe function with @trusted parts DOES do, is help the focus of 
the review. You can look at the trusted lambda and reason about what 
possibly safety problems could arise from it, then check all the safe 
code to see if those cases happen.

I'd still be in favor of a less verbose trusted block syntax. Not only 
for the brevity, but also because relying on the optimizer/inliner to 
properly write the code seems like a code smell.


More information about the Digitalmars-d mailing list