@trusted considered harmful
David Nadlinger
see at klickverbot.at
Sat Jul 28 07:29:54 PDT 2012
On Saturday, 28 July 2012 at 14:02:44 UTC, Andrei Alexandrescu wrote:
> If @trusted is not part of the signature, we can't enable e.g.
> analyzers that verify an entire program or package to be safe.
> This is not something that's currently used, but I'd hate to
> look back and say, "heck, I hate that we conflated @trusted
> with @safe!"
Could you elaborate on that? A @safe function is _identical_,
from a client point of view, to a @trusted one. It can always
call a @trusted function under the hood without the caller
noticing; there is no way around that.
Thus, to be able to check that a program consists only of @safe
code [1], you would need its complete source, i.e. including all
the functions it can possibly invoke, to be able to check whether
@trusted code is called in any place. But with all the source
available, you can just check the implementation for @trusted
blocks [2]; there is no advantage over having it in the signature.
Destroyed? :P
David
[1] Which is highly unlikely, by the way, as many parts of
druntime just can't be safe.
[2] Or @trusted attributes in the function header – as
described in the original post, they won't go away for backwards
compatibility.
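The point made above, as an added D example that is not part of the original post (function names are made up for illustration): a @safe caller compiles identically against a @safe callee and a @trusted callee, so spotting the @trusted one means reading callee bodies, not caller signatures.

```d
// Added example (not from the original thread). Two callees with the same
// signature from the caller's point of view; only their bodies differ.
import std.stdio;

// @safe implementation: the compiler checks every operation in the body.
int sumSafe(const int[] a) @safe
{
    int s = 0;
    foreach (x; a)
        s += x;
    return s;
}

// @trusted implementation: the body uses raw pointer arithmetic that @safe
// would reject (.ptr on a slice and pointer indexing are @system). The
// author, not the compiler, vouches for memory safety; here the loop is
// bounded by a.length, which is what makes the promise hold.
int sumTrusted(const int[] a) @trusted
{
    int s = 0;
    const(int)* p = a.ptr;
    for (size_t i = 0; i < a.length; ++i)
        s += p[i];
    return s;
}

// A @safe client: the compiler accepts both calls without distinction, so
// the @trusted block is invisible unless you audit sumTrusted's source.
int client(const int[] a) @safe
{
    return sumSafe(a) + sumTrusted(a);
}

void main() @safe
{
    writeln(client([1, 2, 3]));
}
```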