@trust is an encapsulation method, not an escape
via Digitalmars-d
digitalmars-d at puremagic.com
Thu Feb 5 21:00:15 PST 2015
On Thursday, 5 February 2015 at 23:39:39 UTC, Walter Bright wrote:
> import core.stdc.string : memcpy;
>
> // Generic over the element type T; the @trusted attribute tells the
> // compiler to accept the unchecked memcpy on the strength of this review.
> static void trustedMemcopy(T)(T[] dest, T[] src) @trusted
> {
>     assert(src.length == dest.length);
>     memcpy(dest.ptr, src.ptr, src.length * T.sizeof);
> }
>
> I don't have to review callers of trustedMemory() because it
> encapsulates an unsafe operation (memcpy) with a safe interface.
It might have done so if it ensured that T was a proper value
type, but unfortunately D's type system is not strong enough.
What happens if T is a unique_ptr style reference? Ouch, two
unique references to the same object. Ouch, memory unsafe.
@safe is a leaky cauldron and will continue to be so until you
provide a proof of language constructs and how they interact. The
only sane way to do that is to do the proof over a simplified
virtual machine and map all language constructs to it.
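The objection above in code, as an added example that is not part of this thread or of any D library: `Unique` is a constructed unique_ptr-style type, and `trustedMemcopyChecked` is a hypothetical hardened wrapper that uses `std.traits` to reject element types whose bytes cannot be duplicated freely, so the @trusted interface only claims safety where the type system can back it.

```d
import core.stdc.string : memcpy;
import std.traits : hasElaborateCopyConstructor, hasElaborateDestructor, hasIndirections;

// Constructed ownership type: owns one heap slot and frees it in its destructor.
// The postblit is disabled, so the language rejects ordinary copies of it.
struct Unique
{
    int* p;
    @disable this(this);
    ~this() @trusted
    {
        import core.stdc.stdlib : free;
        if (p) { free(p); p = null; }
    }
}

// The wrapper as quoted in the thread: nothing restricts T, so a memcpy of
// Unique[] would clone the owning pointer and each copy would free it.
void trustedMemcopy(T)(T[] dest, T[] src) @trusted
{
    assert(src.length == dest.length);
    memcpy(dest.ptr, src.ptr, src.length * T.sizeof);
}

// Hypothetical hardened wrapper: the constraint admits only plain value types
// (no copy hooks, no destructor, no pointers), which is exactly when a
// bitwise copy is a correct copy.
void trustedMemcopyChecked(T)(T[] dest, T[] src) @trusted
    if (!hasElaborateCopyConstructor!T && !hasElaborateDestructor!T && !hasIndirections!T)
{
    assert(src.length == dest.length);
    memcpy(dest.ptr, src.ptr, src.length * T.sizeof);
}

void main() @safe
{
    // Plain value type: accepted, and the bytes are the value.
    int[3] a = [1, 2, 3];
    int[3] b;
    trustedMemcopyChecked(b[], a[]);
    assert(b == a);

    // Ownership type: the unconstrained wrapper compiles and would double-free,
    // the checked wrapper is rejected at compile time instead.
    static assert( __traits(compiles, trustedMemcopy(Unique[].init, Unique[].init)));
    static assert(!__traits(compiles, trustedMemcopyChecked(Unique[].init, Unique[].init)));
}
```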