[Issue 14125] @trusted nested helper functions in std.file

[via Digitalmars-d-bugs]

https://issues.dlang.org/show_bug.cgi?id=14125

--- Comment #66 from Dicebot <public at dicebot.lv> ---
Thanks, Walter! This comment alone was more useful and meaningful than rest of
this thread combined :)

Let me use example from the very same std.file to oppose:

S readText(S = string)(in char[] name) @safe if (isSomeString!S)
{
    import std.utf : validate;
    static auto trustedCast(void[] buf) @trusted { return cast(S)buf; }
    auto result = trustedCast(read(name));
    validate(result);
    return result;
}

There are two important bits here:

1) This is verified to be safe only if call to `validate` is safe. Making it
all @trusted would allow to change `validate` to @system and silently break the
promise.

2) Cast is restricted to string types. Pretty much only way it can go wrong is
if function signature changes to allow other types - it is effectively @safe
function that compiler fails to identify as one.

Wrapper is marked @trusted incorrectly but that is intentional. @trusted here
is not used to tell function can actually be trusted but to keep everything
else plain @safe.

Alternative solution is to invert it:

S readText(S = string)(in char[] name) @trusted if (isSomeString!S)
{
    () @safe {
        import std.utf : validate;
        auto s = read(name);
    } ();

    auto result = cast(S) s;

    () @safe {
        validate(result);
    } ();

    return result;
}

Which also solves same problem but it result in creation of much more wrappers
and makes reading the source even harder (even despite the fact I cheated here
and used lambdas instead of nested functions).

--