@trusted attribute should be replaced with @trusted blocks

[H. S. Teoh]

On Thu, Jan 16, 2020 at 10:30:45AM -0500, Steven Schveighoffer via Digitalmars-d wrote:
[...]
> There are two things to look at for safety. One is that a function is
> safe or not safe (that is, it has a safe implementation, even if there
> are calls to system functions, so therefore is callable from
> mechanically checked safe code). This is the part where the compiler
> uses function attributes to determine what is callable and what is
> not.
> 
> The second is how much manual review is needed for the code. This is a
> signal to the reviewer/reader. In the current regime, the two reasons
> for marking are muddled -- we don't have a good way to say "this needs
> manual checking, but I also want the benefits of mechanical checking".
> This is why I proposed a change to trusted code STILL being
> mechanically checked, unless you want an escape. This would allow you
> to mark all code that needs manual review trusted, even if it's
> mechanically checked (it still needs review if the system-calling
> parts can muck with the data).
[...]

This is why I proposed that @trusted functions should *still* be subject
to @safe checks, only with the exception that they're allowed to have
embedded @system blocks where such checks are relaxed (and these @system
blocks are only allowed inside @trusted functions).  So the @trusted is
a visual marker that it needs to be manually verified, but you still
have the benefit of the compiler automatically verifying most of its
body except for the (hopefully small) @system block where such checks
are temporarily suspended.


T

-- 
It is impossible to make anything foolproof because fools are so ingenious. -- Sammy