On 2/7/15 7:11 AM, "Ola Fosheim Grøstad" <ola.fosheim.grostad+dl...@gmail.com> wrote:

> You are trying to do this:
>
> 1. mechanically verify the whole @trusted region
>
> 2. manually verify the whole @trusted region, but be sloppy about it
> here and there
>
> 3. Ooops, we were sloppy in the wrong spot...

No.

A @trusted function is manually verified, period.

But we also must tag potential points of leakage with @system. In fact, it probably could be a warning/error if you have a @trusted function without any @system escapes (it could just be marked @safe).

Think of it this way: the @system tags are the only places where issues can creep into the function. But then you have to apply the leaks to the whole function. It makes the problem of finding potential safety issues more tractable, because the compiler forces us to identify the root causes.

-Steve
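The principle in the reply, that the manually verified surface should be as small as the compiler can be made to enforce, shown in D as an added example (not code from the thread). D as it stands has no "@system escape inside @trusted" tagging as proposed above; the example instead uses the existing idiom of a @safe function calling a small @trusted lambda, which confines the unchecked lines the same way. Function names are assumptions.

```d
// Added example, not from the thread. Contrasts a wholly @trusted function
// with one where only the unchecked operations are confined to a small region.
import core.stdc.stdlib : malloc;

// Whole function is @trusted: the compiler checks none of it, so the reviewer
// must manually verify every line, including the loop that has nothing to do
// with the unsafe operations.
int[] makeBufferAllTrusted(size_t n) @trusted
{
    auto p = cast(int*) malloc(n * int.sizeof);
    if (p is null) return null;
    foreach (i; 0 .. n) p[i] = 0;   // pointer indexing: a @system operation
    return p[0 .. n];               // pointer slicing: a @system operation
}

// The @system operations narrowed to the smallest region: only the lines in the
// @trusted lambda need manual review; everything else is compiler-verified @safe.
int[] makeBufferConfined(size_t n) @safe
{
    int[] buf = () @trusted {
        // Manually verified region: the cast and the pointer slice are @system.
        // Invariant checked by the reviewer: the slice covers exactly the
        // n * int.sizeof bytes returned by malloc, or is empty on failure.
        auto p = cast(int*) malloc(n * int.sizeof);
        return p is null ? null : p[0 .. n];
    }();
    buf[] = 0;   // bounds-checked slice write; the compiler verifies this line
    return buf;
}
```

Ownership of the malloc'd memory is left to the caller in both versions; releasing it would need a matching @trusted wrapper around free, which is outside what this example shows.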
