@trust is an encapsulation method, not an escape
Steven Schveighoffer via Digitalmars-d
digitalmars-d at puremagic.com
Mon Feb 9 09:32:55 PST 2015
On 2/6/15 7:29 PM, H. S. Teoh via Digitalmars-d wrote:
> On Fri, Feb 06, 2015 at 04:04:48PM -0800, Walter Bright via Digitalmars-d wrote:
> [...]
>> I agree with Andrei in that I do not believe that reviewing a @trusted
>> function, line by line, for safety is necessarily some sort of
>> maintenance nightmare. If it is, then a refactoring should be
>> considered to encapsulate the unsafe code in a smaller, simpler
>> manner.
> [...]
>
> This does not take into account the fact that a @trusted function
> may call other, non-@trusted, functions. When one of those other
> functions changes, the @trusted function necessarily needs to be
> reviewed again.

This problem isn't solved by the proposal, however. If you are calling a
@system function inside a @trusted function, and you've marked it as
@system, then changing the @system function does not affect the call.

However, if you changed a @safe function into a @system function, then a
call inside a @trusted function would have to now be annotated.

It's important to note that our proposal will not fix cases where
something subtle happens inside a @system block. What it DOES do is
limit this effect to the @system block instead of the whole function.

-Steve
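
The review hazard discussed in this message, as an added example that is not part of the original post or of any D project code. It shows current D behaviour only, not the proposed syntax; the names `readAt` and `sumFirst` and the version identifier `HelperChanged` are hypothetical.

```d
import std.stdio;

// Two revisions of the same helper. Build normally for the original,
// or with `dmd -version=HelperChanged` for the later revision.
version (HelperChanged)
{
    // Later revision: now @system, and the bounds check is gone.
    int readAt(const(int)[] a, size_t i) @system
    {
        return a.ptr[i]; // raw pointer indexing, unchecked
    }
}
else
{
    // Original revision: @safe, the slice index is bounds-checked.
    int readAt(const(int)[] a, size_t i) @safe
    {
        return a[i];
    }
}

// Reviewed once as @trusted while readAt was @safe.
// This function compiles unchanged against BOTH revisions of readAt:
// the compiler does not flag that a callee stopped being @safe, so the
// whole body has to be re-reviewed by hand when the helper changes.
int sumFirst(const(int)[] a, size_t n) @trusted
{
    int total = 0;
    foreach (i; 0 .. n)
        total += readAt(a, i); // with HelperChanged, n > a.length reads out of bounds
    return total;
}

void main() @safe
{
    int[] data = [1, 2, 3]; // constructed sample input
    // In-range call, so both builds behave the same here.
    writeln(sumFirst(data, data.length));
}
```

Compiling both ways and comparing is a quick check that a `@trusted` function silently accepts a callee's change of attribute, which is the case where the message says the call would have to be annotated under the proposal.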