@trusted attribute should be replaced with @trusted blocks
Ola Fosheim Grøstad
ola.fosheim.grostad at gmail.com
Thu Jan 16 15:46:01 UTC 2020
On Thursday, 16 January 2020 at 15:30:45 UTC, Steven Schveighoffer wrote:
> The second is how much manual review is needed for the code.
> This is a signal to the reviewer/reader. In the current regime,
> the two reasons for marking are muddled -- we don't have a good
> way to say "this needs manual checking, but I also want the
> benefits of mechanical checking". This is why I proposed a
> change to trusted code STILL being mechanically checked, unless
> you want an escape. This would allow you to mark all code that
> needs manual review trusted, even if it's mechanically checked
> (it still needs review if the system-calling parts can muck
> with the data).
As was pointed out, @trusted does not achieve much more than a
comment, so why not just have a statement-/operator-level escape
using a distinguishable and greppable marker like @@. Then you can
just prepend that to all function calls or operations that are
unsafe:
    safe_function(…) {
        ptr = …
        // TRUSTED: this is safe because x, y, z
        @@free(ptr);
    }
Then leave on any existing mechanical checks and keep adding @@
until it passes.
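For contrast, here is the current-regime idiom the proposal is reacting to: an added D example (not code from the thread; function and variable names are my own) showing how a function-level @trusted switches off all mechanical checking, and how a @trusted lambda narrows the escape to one statement, which is what the @@ marker above would make explicit syntax.

```d
// Added example, not from the thread: narrowing an unsafe call in
// today's D versus the proposed statement-level "@@" marker.
import core.stdc.stdlib : malloc, free;

// Today's blunt tool: marking the whole function @trusted disables
// mechanical checking for every line in it, not just the free().
@trusted void releaseWhole(int* p)
{
    // A reviewer must check all of this by hand; the compiler
    // silently accepts @system operations such as pointer indexing.
    p[0] = 0;
    free(p);
}

// Current workaround: keep the function @safe and wrap only the
// unsafe call in a @trusted lambda. Everything outside the lambda
// is still mechanically checked, so a stray pointer index here
// would be rejected at compile time.
@safe void releaseNarrow(int* p)
{
    *p = 0; // dereference is allowed in @safe; p[0] would not be
    // TRUSTED: p was returned by allocate() and is freed exactly once.
    () @trusted { free(p); }();
}

// malloc is @system too, so the allocation side needs the same wrapper.
@safe int* allocate()
{
    // TRUSTED: a fresh malloc block of int.sizeof bytes is a valid int*.
    return () @trusted { return cast(int*) malloc(int.sizeof); }();
}

void main()
{
    auto p = allocate();
    releaseNarrow(p);
}
```

With the @@ proposal, the lambda wrapper in releaseNarrow would collapse to a single greppable line, `@@free(p);`, while the rest of the function keeps its @safe checks.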