On 2/5/2015 12:25 PM, Steven Schveighoffer wrote:
> On 2/5/15 3:13 PM, Walter Bright wrote:
>>> So the question is, what does @trusted actually buy you, since the
>>> compiler can't check it?
>>
>> It serves as notice that "This function merits special attention during
>> code review to check that it has a safe interface and that its
>> implementation is correct."
>
> That also applies to @safe functions since they can call @trusted functions.

No - the @trusted function is reviewed to ensure it has a safe interface. Then there is no need to review for safety anyone that calls it. It's the whole point.

For example, https://issues.dlang.org/show_bug.cgi?id=14127

A rather cursory inspection reveals that these @trusted functions have unsafe interfaces, and are therefore unacceptable in Phobos. (Of course, D will let you write such code because it is a systems programming language, but Phobos must be an example of best practices, and these are not.)


> In essence, @trusted buys you headaches. I think we should try to lessen them.

An aspect of a well-designed encapsulation is the number of @trusted interfaces is minimized. If you find an abstraction that has @trusted sprinkled liberally through it, it's an indicator of a failed abstraction.
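
An added illustration of the "safe interface" distinction discussed in this message, not part of the original post and not code from Phobos or from issue 14127; the names `copyUnchecked`, `copyChecked` and `misuse` are hypothetical:

```d
import core.stdc.string : memmove;
import std.stdio : writeln;

// Unsafe interface: nothing ties `n` to the memory behind the pointers, so
// memory safety depends on every caller. Marking this @trusted is wrong.
@trusted void copyUnchecked(ubyte* dst, const(ubyte)* src, size_t n)
{
    memmove(dst, src, n);
}

// Safe interface: slices carry their lengths and the body validates them
// before the unchecked call, so no argument a @safe caller can build
// corrupts memory. Only this body needs manual review.
@trusted void copyChecked(ubyte[] dst, const(ubyte)[] src)
{
    if (src.length > dst.length)
        throw new Exception("destination too small");
    if (src.length == 0)
        return; // avoid passing a possibly null .ptr to memmove
    memmove(dst.ptr, src.ptr, src.length);
}

// Never called. It is here to show that the compiler accepts this @safe
// code even though it would write 16 bytes into a 4-byte array.
@safe void misuse()
{
    auto small = new ubyte[4];
    auto big = new ubyte[16];
    copyUnchecked(&small[0], &big[0], big.length);
}

@safe void main()
{
    auto small = new ubyte[4];
    auto big = new ubyte[16];
    big[] = 0xAA;

    copyChecked(big, small);          // 4 bytes into 16: fine
    try
        copyChecked(small, big);      // 16 bytes into 4: rejected
    catch (Exception e)
        writeln("rejected: ", e.msg);
}
```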
