On Wednesday, 8 February 2017 at 15:18:34 UTC, Sönke Ludwig wrote:
The problem is that there are two affected call stacks - the @system API function that registers the @system callback, wrapping/casting it as @trusted, and the event handler that later on actually calls the callback. The latter place is where the hidden violation of the @safe guarantees happens.
Hidden from whom? Since it's user, who supplies @system code to vibe, he knows that the resulting program doesn't provide @safe guarantees.
It can be communicated at the API level: int f(@safe void delegate() dg) @safe { code } int f(@system void delegate() dg) @system { return f(cast(@safe void delegate())dg); } So that unsafe overload would be only callable from unsafe code.