On 2/6/2015 5:28 AM, Steven Schveighoffer wrote:
> It's better because I know where it is used. It's used in one place, and I can
> squash it right there saying "No, you can't do this in this one place." Instead
> of reviewing an API in ALL POSSIBLE CONTEXTS (which if trustedCast is a public
> API, would be a lot), I have to review one call in ONE CONTEXT.
>
> The former is WORSE because it can be used in 100 places. Now I have to go
> through and fix ALL THOSE FUNCTIONS that use it, because its interface was
> exposed to the whole of phobos.

This is the crux of the problem - failing to define a safe interface to the trusted code block. Without defining an interface, you're right, you must review all the context(s) that call it. With a safe interface you DO NOT. You only have to review the interface.

A simple rule:

"If you need to do a safety review on the context in which @trusted code is called YOU ARE DOING IT WRONG because you've failed to provide a safe interface to the @trusted code."


It's like solving a physics problem and winding up with negative energy. If that happens, you made a mistake. It is not a matter of judgement or opinion, it is an objective fact.

Going forward, all @trusted code that leaks unsafety into its context will be rejected for inclusion in Phobos. The code reviewer only has to review the @trusted block to determine this - he does not have to review the context.
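To make the rule concrete, here is an added illustration in D (not code from the thread or from Phobos): a `trustedCast` helper of the kind discussed above, which leaks unsafety into every caller, next to a hypothetical `copyInto` whose @trusted body checks all of its own preconditions and therefore presents a @safe interface.

```d
import core.stdc.string : memcpy;
import std.traits : hasIndirections;

// Leaks unsafety: whether this is memory safe depends entirely on which
// T and U the caller picks, so every call site would need a safety review.
T* trustedCast(T, U)(U* p) @trusted
{
    return cast(T*) p;
}

void leakyCaller() @safe
{
    int x = 42;
    // Compiles as @safe, yet p now claims 8 bytes of a 4-byte int.
    long* p = trustedCast!long(&x);
}

// Safe interface: every invariant the unsafe operation relies on is
// enforced inside this block, so a reviewer reads only this body and
// never the callers. (Hypothetical helper, not a Phobos function.)
void copyInto(T)(scope T[] dst, scope const(T)[] src) @trusted
    if (!hasIndirections!T) // raw-copying pointers could forge references
{
    if (dst.length < src.length)
        assert(0, "copyInto: destination too small"); // not removed in -release
    if (src.length == 0)
        return; // avoid memcpy on a possibly null pointer
    memcpy(dst.ptr, src.ptr, src.length * T.sizeof);
}

void safeCaller() @safe
{
    int[4] dst;
    int[3] src = [1, 2, 3];
    copyInto(dst[], src[]); // nothing to review here: the interface is safe
}

void main() @safe
{
    safeCaller();
}
```

The reviewer's job for `copyInto` ends at its closing brace; for `trustedCast` it only begins there.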
