misplaced @trust?
Walter Bright via Digitalmars-d
digitalmars-d at puremagic.com
Thu Feb 5 12:54:25 PST 2015
On 2/5/2015 12:25 PM, Steven Schveighoffer wrote:
> On 2/5/15 3:13 PM, Walter Bright wrote:
>> So the question is, what does @trusted actually buy you, since the
>> compiler can't check it?
>>
>> It serves as notice that "This function merits special attention during
>> code review to check that it has a safe interface and that its
>> implementation is correct."
>>
>
> That also applies to @safe functions since they can call @trusted functions.

No - the @trusted function is reviewed to ensure it has a safe interface. Then
there is no need to review for safety anyone that calls it. It's the whole point.

For example, https://issues.dlang.org/show_bug.cgi?id=14127

A rather cursory inspection reveals that these @trusted functions have unsafe
interfaces, and are therefore unacceptable in Phobos. (Of course, D will let you
write such code because it is a systems programming language, but Phobos must be
an example of best practices, and these are not.)

> In essence, @trusted buys you headaches. I think we should try to lessen them.

An aspect of a well-designed encapsulation is the number of @trusted interfaces
is minimized. If you find an abstraction that has @trusted sprinkled liberally
through it, it's an indicator of a failed abstraction.
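
The difference between a @trusted function with an unsafe interface and one with a safe interface, shown as an added D example that is not part of the original post and is not taken from Phobos or issue 14127. The names copyUnchecked and copyChecked are hypothetical.

```d
import core.stdc.string : memmove;

// Unsafe interface (hypothetical name): the pointers and the length are
// unrelated values, so memory safety depends on every caller passing a
// correct `n`. Marking it @trusted makes it callable from @safe code
// anyway, which pushes the review burden onto each call site.
@trusted void copyUnchecked(ubyte* dst, const(ubyte)* src, size_t n)
{
    memmove(dst, src, n);
}

// Safe interface (hypothetical name): slices carry their own lengths and
// the function validates them before touching memory. No argument a @safe
// caller can construct leads to an out-of-bounds write, so reviewing this
// one body is sufficient and callers need no safety review.
@trusted void copyChecked(ubyte[] dst, const(ubyte)[] src)
{
    if (dst.length < src.length)
        throw new Exception("destination too small");
    // memmove rather than memcpy, so overlapping slices are also defined.
    memmove(dst.ptr, src.ptr, src.length);
}

@safe void main()
{
    auto small = new ubyte[4];
    auto big = new ubyte[16];

    // Fine: 4 bytes copied into a 16-byte buffer, checked inside.
    copyChecked(big, small);

    // Rejected at run time with an exception instead of overflowing.
    bool rejected = false;
    try
        copyChecked(small, big);
    catch (Exception e)
        rejected = true;
    assert(rejected);

    // The call below is accepted by the compiler in @safe code and would
    // write 12 bytes past the end of `small`. The compiler trusts the
    // annotation, so only a review of copyUnchecked's interface catches it.
    // Left commented out so this program stays memory safe.
    // copyUnchecked(&small[0], &big[0], big.length);
}
```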