@trusted attribute should be replaced with @trusted blocks

David Nadlinger code at klickverbot.at
Sat Jan 18 21:44:17 UTC 2020

On Thursday, 16 January 2020 at 00:21:21 UTC, Joseph Rushton 
Wakeling wrote:
> The fact that in a similar situation D forces you to annotate 
> the function with `@trusted`, and alert users to the 
> _possibility_ that memory safety bugs could exist within the 
> code of this function, is useful information even if you can't 
> access the source code.

Detail the scenario where this would be useful, please.

If you want to audit a program to make sure there are no uses of 
potentially memory-unsafe code, you need access to all the source 
code: Even @safe functions can contain arbitrary amounts of 
potentially unsafe code, as they can call into @trusted 
functions. You make this point yourself in the quoted post; any 
information conveyed by @trusted is necessarily incomplete, by 
virtue of it being intransitive.

In other words, this "alert", as you put it, has next to no 
information content on account of its arbitrarily high 
false-negative rate (@safe functions calling into unsafe code), 
and is thus worse than useless.

If you don't have access to the source code, you don't know 
anything about what is used to implement a @safe function. If you 
do, you don't care where exactly the keyword you are grepping for 
in an audit is, as long as it is proximate to the 
potentially-unsafe code.

@trusted has no place on the API level.

  — David

More information about the Digitalmars-d mailing list