@trust is an encapsulation method, not an escape

via Digitalmars-d digitalmars-d at puremagic.com
Fri Feb 6 06:14:05 PST 2015


On Friday, 6 February 2015 at 14:00:24 UTC, Atila Neves wrote:
> 1. Agree with H S Teoh on the maintainability aspect. Depending 
> on humans reviewing the code is never going to work out.

Of course it can work out. You need a formalized process and a 
group of people with training in math or comp.sci to do the 
review.

Proving memory safety for a single function in a semi-formal 
manner is not like proving full correctness.

I suggest the following:

1. @trusted should only be used on high priority code (not to 
gain minor speed ups)

2. @trusted code should always carry the safety-proof as embedded 
comments

3. @trusted templates should carry the most stringent type 
constraints (and proof required to weaken them)

4. At least 3 reviewers with knowledge of compsci/math MUST 
verify the soundness of the proof.

5. Have a list of volunteers that are called in by email to 
review @trusted code.

If only 2% is @trusted then this should work out fine. The 
alternative is to give up @safe completely or completely change 
the typesystem.


More information about the Digitalmars-d mailing list