On Thursday, 5 February 2015 at 18:21:40 UTC, Steven
Schveighoffer wrote:
On 2/5/15 1:12 PM, Zach the Mystic wrote:
Hey I like the creativity you're showing. Just to give people a concrete idea, you might show some sample code and illustrate how things work. It sure helps when I'm trying to think about things.
So for example:
@safe int *foo()
{
    int *x;
    int *y;
    int z;
    x = new int;             // ok
    //y = &z;                // not OK
    @trusted y = &z;         // OK, but now y is marked as @trusted
    // return y;             // not OK, cannot return @trusted pointer in @safe function
    return cast(@safe)y;     // ok, we are overriding the compiler.
    // and of course return x; would be ok
}
-Steve
`cast(@safe)`...interesting. It's the most fine-tuned way of adding safety, whereas @trusting a whole function is the most blunt way.

I've been hatching a scheme for reference safety in my head which would automatically track `@trusted y = &z;` above, marking `y` with "scopedepth(1)", which would be unreturnable in @safe code.

I can anticipate the objection that giving people too much power will encourage them to abuse it... but then again, if that were true, who let them mark the whole function `@trusted` to begin with? Your proposal really pinpoints the actual code which needs to be worked on.

You're basically moving the unit of safety from the *function* to the *pointer*, which makes sense to me, since only a pointer can really be unsafe.
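The following is an added example, not code from either post: it shows what current D does with the same three cases (heap allocation, address of a local, and a pointer operation that needs trust), and contrasts the blunt whole-function `@trusted` with the narrow `@trusted` lambda idiom that is the closest existing approximation to trusting a single pointer expression. `cast(@safe)` and "scopedepth" are proposals from the thread, not D syntax, so they do not appear here. Function names and the sample values are my own.

```d
// Added example (not from the thread). Compiles with a stock dmd, no
// -preview flags assumed.

// In @safe code the compiler already distinguishes the two pointers
// from Steve's foo(): GC memory may be returned, a local's address may
// not even be taken.
@safe int* allocated()
{
    int* x = new int;   // ok: GC-allocated, outlives this frame
    // int z;
    // int* y = &z;     // rejected: cannot take address of local z in @safe function
    return x;
}

// Blunt: marking the whole function @trusted switches the checker off for
// every line, including lines that never needed it.
@trusted int[] wholeFunctionTrusted(int* p, size_t n)
{
    int z = 0;
    int* y = &z;        // would be flagged in @safe; here nothing flags it
    *y = 1;             // fine while z is alive, but unchecked
    return p[0 .. n];   // the one operation that actually needed trust
}

// Narrow: only the pointer-slicing expression is trusted; everything else
// in the function stays under @safe checking. This is the current idiom
// that comes closest to moving the unit of safety from the function to
// the pointer.
@safe int[] narrowlyTrusted(int* p, size_t n)
{
    int[] view = () @trusted { return p[0 .. n]; }();
    foreach (ref e; view)   // checked: bounds and no raw pointer here
        e += 1;
    return view;
}

@safe void main()
{
    int* p = new int(41);                  // constructed sample input
    int[] v = narrowlyTrusted(p, 1);
    assert(v[0] == 42);
    assert(*allocated() == 0);             // int.init
    assert(wholeFunctionTrusted(p, 1)[0] == 42);
}
```

The design point the lambda form makes is the one Zach draws: the reviewer auditing `narrowlyTrusted` has one expression to verify (`p[0 .. n]` against the caller's contract for `n`), whereas auditing `wholeFunctionTrusted` means re-reading every line, because none of them were checked.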