Simplification of @trusted
ag0aep6g
anonymous at example.com
Thu Jun 17 20:57:27 UTC 2021
On Thursday, 17 June 2021 at 20:37:11 UTC, Ola Fosheim Grøstad wrote:
> But this.offset can provably only hold the value 0 or 1.
You mean if it holds a different value, then the program becomes
invalid? Sure, that's easy to prove. Do you expect the compiler
to do that proof, and then give you an error when you violate the
invariant? That's not at all how D works.
> What is the point of manually auditing @trusted if one imposes
> arbitrary requirements like these?
The point of manually auditing @trusted is to ensure that the
function actually follows the requirements. If you don't want to
bother making a function's interface safe, mark it @system.
> So I am basically forced to use a bool to represent offset for
> it to be considered safe?
That might work (haven't given it much thought). What you're
supposed to do is wait for DIP 1035, or recreate its @system
variables in a library. What people actually do is ignore the
rules and live the dangerous lives of safety outlaws.
> One should start by defining invariants that will keep the
> class safe.
>
> Then one should audit all methods with respect to the
> invariants.
You can do that with @system. @safe and @trusted won't help
enforcing your custom invariants.
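An added D sketch of the interface-safety point made in this exchange (illustration only, not code from the post or from DIP 1035); the struct names `Pair` and `SafePair` and the `current` method are made up for the example:

```d
// A @trusted function promises a safe interface for every state the
// program can reach. Since @safe code in the same module may assign any
// value to `offset`, the "0 or 1" invariant is not something @trusted
// can rely on; only a type that cannot hold other values (or @system
// variables as proposed by DIP 1035) gives that guarantee.

struct Pair
{
    int[2] items;
    size_t offset; // intended invariant: 0 or 1, but nothing enforces it

    // Unsafe interface: @safe callers can set offset = 5 first, and the
    // unchecked pointer read below then goes out of bounds without error.
    int current() @trusted
    {
        return items.ptr[offset];
    }
}

struct SafePair
{
    int[2] items;
    bool second; // only false/true exist, so the index is always 0 or 1

    // No @trusted needed: the index is provably in range and the static
    // array access is bounds-checked in @safe code anyway.
    int current() @safe
    {
        return items[second ? 1 : 0];
    }
}

void main() @safe
{
    Pair p;
    p.offset = 5;   // legal in @safe code; breaks the @trusted assumption
    // p.current(); // would read items.ptr[5]: memory corruption, no diagnostic

    SafePair s;
    s.items = [10, 20];
    s.second = true;
    assert(s.current() == 20);
}
```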