On 2/7/15 7:11 AM, "Ola Fosheim Grøstad" <ola.fosheim.grostad+dl...@gmail.com> wrote:
> You are trying to do this:
> 1. mechanically verify the whole @trusted region
> 2. manually verify the whole @trusted region, but be sloppy about it
> here and there
> 3. Ooops, we were sloppy in the wrong spot...
No.
A @trusted function is manually verified, period.
But we also must tag potential points of leakage with @system. In fact,
it probably could be a warning/error if you have a @trusted function
without any @system escapes (it could just be marked @safe).
Think of it this way: the @system tags are the only places where issues
can creep into the function. But then you have to apply the leaks to the
whole function. It makes the problem of finding potential safety issues
more tractable, because the compiler forces us to identify the root causes.
-Steve