On Wednesday, July 04, 2012 09:21:35 Christophe Travert wrote:
> What change would you expect in the language? Making pure functions
> automatically @safe? That may not be such a bad idea. However, that is
> not even enough, you could still create bugs from optimizations with
> casting outside the pure function (for instance, you could alias
> variables that should not be aliased).

An @safe function is only as safe as the @trusted functions that it calls. With @trusted, it's up to the programmer to determine that the @system stuff being done is actually being done in a way which is ultimately @safe (e.g. not using undefined behavior). If the programmer screwed up, and the @trusted stuff has buffer overruns or whatnot, then the @safe code isn't really @safe.

With both @trusted and casts, it's up to the programmer to get them right, because what the programmer is doing is telling the compiler that they know better than the compiler and that they know what they're doing. If they do know better, then great. But if they don't, say hello to some nasty bugs.

_All_ of the guarantees that the compiler gives are based on the type system. So, anything that the programmer does to work around the type system must be verified and guaranteed by the programmer to ultimately maintain the guarantees that the compiler expects. Otherwise, the compiler's guarantees are based on wrong assumptions, and they're going to be invalid.

- Jonathan M Davis
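
The point about @trusted, as an added example that is not part of the original post: two @trusted wrappers with the same signature, one that verifies its precondition and one that does not, both callable from the same @safe function. The function names (`uncheckedAt`, `checkedAt`, `sumFirst`) are hypothetical and the input is constructed.

```d
import std.stdio;

// Flawed @trusted wrapper (hypothetical name): it promises memory safety
// but never checks the index. The compiler takes the promise at face value
// and lets @safe code call it.
@trusted int uncheckedAt(const(int)[] data, size_t i)
{
    return data.ptr[i]; // raw pointer indexing, no slice bounds check
}

// Sound @trusted wrapper (hypothetical name): the programmer establishes
// the precondition before performing the @system operation.
@trusted int checkedAt(const(int)[] data, size_t i)
{
    if (i >= data.length)
        throw new Exception("index out of range");
    return data.ptr[i];
}

// The compiler verifies this function as @safe either way. Replacing
// checkedAt with uncheckedAt still compiles, but then n > data.length
// reads past the end of the array from inside "safe" code.
@safe int sumFirst(const(int)[] data, size_t n)
{
    int total = 0;
    foreach (i; 0 .. n)
        total += checkedAt(data, i);
    return total;
}

void main()
{
    int[] values = [1, 2, 3]; // constructed sample input
    writeln(sumFirst(values, 3));
    try
    {
        sumFirst(values, 4); // one element too many
    }
    catch (Exception e)
    {
        writeln("rejected: ", e.msg);
    }
}
```

When auditing a D code base for memory safety, the @trusted functions are the ones to review by hand, since the compiler does not check their bodies.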