> And any call to a C function; which is a lot harder to detect in a review.
Well these are `importc` and lack a body. Not exactly hard to detect in a review. And before we butcher the language so that you need to write something at callsite (which quickly gets tiresome btw), we can come up with a tool that creates "review points" that lists where these are used. I really doubt such a tool would be useful btw, see below.

> Sigh. This is “argument by assertion.” It’s not a valid argument unless you
> simply meant it as a matter of personal opinion.

It's indeed a personal opinion.

> The only piece that’s missing is a block that wraps unsafe code and takes
> away the “unsafe” effect, which is what Rust's “unsafe { ... }” does. That’s
> how you create a safe function that internally does unsafe things. That’s
> almost exactly what a “try” block does for exception effects, so it would
> only be a small change to the compiler.

That's a good point. However, the benefits are not clear: to review code (for security or anything really) it helps tremendously if you have less code. And the amount of interfacing that is done with C/C++ is package specific: I'm quite sure that every line of the wxWidgets wrapper is "unsafe" -- that's the nature of wrapper code, this code doesn't get better when every 2nd line is a new `unsafe:` block.
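The "review points" tool mentioned above, as an added example that is not part of the thread or of the Nim project: a small Python scanner that finds `importc` proc declarations in Nim source and lists every line that calls one of them. The Nim snippet it runs over is constructed here and the `{.importc ...}` pragma is matched with a simple regex, not a real Nim parser.

```python
import re

# Constructed sample Nim source: two importc procs and two call sites.
SAMPLE_NIM = """\
proc c_strlen(s: cstring): csize_t {.importc: "strlen", header: "<string.h>".}
proc c_memcpy(dst, src: pointer, n: csize_t) {.importc: "memcpy", header: "<string.h>".}

proc safeLen(s: string): int =
  ## Safe wrapper: a Nim string is NUL-terminated, so strlen is in bounds here.
  int(c_strlen(s.cstring))

proc copyInto(dst: var seq[byte], src: seq[byte]) =
  assert dst.len >= src.len
  c_memcpy(dst[0].addr, src[0].unsafeAddr, csize_t(src.len))
"""

# Matches a proc header whose pragma list starts with importc (simplified; no full parser).
IMPORTC_DECL = re.compile(r"^\s*proc\s+(\w+)\*?\s*\(.*\{\.\s*importc\b")


def find_importc_procs(src: str) -> dict:
    """Map each importc proc name to the line number of its declaration."""
    decls = {}
    for lineno, line in enumerate(src.splitlines(), start=1):
        m = IMPORTC_DECL.match(line)
        if m:
            decls[m.group(1)] = lineno
    return decls


def review_points(src: str) -> list:
    """Return (proc name, line number, source line) for every call of an importc
    proc, skipping the declaration line itself. These are the places a reviewer
    must check for FFI safety, without any annotation at the call site."""
    decls = find_importc_procs(src)
    points = []
    for lineno, line in enumerate(src.splitlines(), start=1):
        for name, decl_line in decls.items():
            if lineno != decl_line and re.search(rf"\b{re.escape(name)}\s*\(", line):
                points.append((name, lineno, line.strip()))
    return points


if __name__ == "__main__":
    for name, lineno, text in review_points(SAMPLE_NIM):
        print(f"line {lineno}: calls importc proc {name}: {text}")
```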