@trusted attribute should be replaced with @trusted blocks
David Nadlinger
code at klickverbot.at
Sat Jan 18 21:44:17 UTC 2020
On Thursday, 16 January 2020 at 00:21:21 UTC, Joseph Rushton Wakeling wrote:
> The fact that in a similar situation D forces you to annotate
> the function with `@trusted`, and alert users to the
> _possibility_ that memory safety bugs could exist within the
> code of this function, is useful information even if you can't
> access the source code.
Detail the scenario where this would be useful, please.
If you want to audit a program to make sure there are no uses of
potentially memory-unsafe code, you need access to all the source
code: Even @safe functions can contain arbitrary amounts of
potentially unsafe code, as they can call into @trusted
functions. You make this point yourself in the quoted post; any
information conveyed by @trusted is necessarily incomplete, by
virtue of it being intransitive.
In other words, this "alert", as you put it, has next to no
information content on account of its arbitrarily high
false-negative rate (@safe functions calling into unsafe code),
and is thus worse than useless.
If you don't have access to the source code, you don't know
anything about what is used to implement a @safe function. If you
do, you don't care where exactly the keyword you are grepping for
in an audit is, as long as it is proximate to the
potentially-unsafe code.
@trusted has no place on the API level.
— David
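As an added illustration of the intransitivity point made above (example code written for this page, not code from the thread or from the D standard library): a public @safe function whose body reaches unchecked pointer code through a @trusted helper, so the API signature alone tells an auditor nothing.

```d
// Added example: @trusted is intransitive. A consumer who sees only the public
// API (or a .di header) finds a plain @safe function; the raw pointer code is
// reachable from it all the same, one call deeper.

import std.stdio;

// Internal helper. @trusted lets @safe callers use it, but the compiler does
// NOT check this body: the bounds check below is the author's promise, not a
// compiler guarantee. Deleting it would still compile and still be callable
// from @safe code.
private int readAt(const(int)[] arr, size_t i) @trusted
{
    if (i >= arr.length)
        throw new Exception("index out of range");
    const(int)* p = arr.ptr;   // pointer arithmetic would be @system elsewhere
    return *(p + i);
}

// Public API: @safe. Grepping the exported interface for "@trusted" finds
// nothing, yet every call here runs unchecked code.
int sumFirstThree(const(int)[] arr) @safe
{
    return readAt(arr, 0) + readAt(arr, 1) + readAt(arr, 2);
}

void main() @safe
{
    int[] data = [1, 2, 3];     // constructed sample input
    writeln(sumFirstThree(data));   // 6

    // An audit that wants to verify the promise in readAt needs the source of
    // the helper, not the signature of sumFirstThree.
    try
        sumFirstThree([1, 2]);
    catch (Exception e)
        writeln("caught: ", e.msg);
}
```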