On Wednesday, 8 March 2017 at 17:40:29 UTC, Brad Roberts wrote:
[...]

You can hide unsafe code in D by annotating a function with @trusted the same way you can hide unsafe code in Rust with unsafe blocks.

Clearly marked is an interesting definition of hidden.

---
module mymemorysafexyzlibrary;

import core.stdc.stdlib : malloc;

struct Context { /* ... */ }

@safe
Context* createContextSafely()
{
    return () @trusted {
        // What's gonna happen if you use this?
        // Ask your memory allocation professional
        // (deliberately one byte too small)
        void* foo = malloc(Context.sizeof-1);
        return cast(Context*) foo;
    }();
}
---

The operating word here being "can". The above is semantically equivalent (assuming the delegate gets optimized out) to an unsafe block inside a Rust function. And yes, that's what I consider hidden unsafe code, and it means that if you call function `bar` from a @safe function `foo`, `bar` being marked as @safe does not save you from auditing `bar`'s source code.
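As an added example (not from the post above or from any D runtime code), the same pattern beside a @trusted wrapper written so that the @safe interface actually holds; the module name and the contents of Context are hypothetical:

```d
module trustedwrapperexample;

import core.stdc.stdlib : malloc, free;
import core.lifetime : emplace;

struct Context
{
    int id;
}

// Broken (as in the post): the @trusted delegate under-allocates by one
// byte, yet @safe on the function tells callers nothing went wrong.
@safe Context* createContextBroken()
{
    return () @trusted {
        void* mem = malloc(Context.sizeof - 1);
        return cast(Context*) mem;
    }();
}

// Sound: the trusted region stays minimal, allocates the right size, and
// checks for allocation failure before handing out a pointer.
@safe Context* createContext(int id)
{
    return () @trusted {
        Context* mem = cast(Context*) malloc(Context.sizeof);
        if (mem is null)
            return mem;
        return emplace(mem, id);
    }();
}

// free() is @system; this wrapper is sound only for pointers obtained from
// createContext, which is exactly the invariant an auditor must verify.
@trusted void destroyContext(Context* ctx)
{
    free(ctx);
}

@safe void main()
{
    // Type checks identically to a call of createContextBroken: the @safe
    // checker cannot tell which @trusted body is actually sound.
    Context* ctx = createContext(7);
    assert(ctx !is null && ctx.id == 7);
    destroyContext(ctx);
}
```

Both createContext variants compile and are callable from @safe code; only reading the @trusted bodies reveals which one is sound.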
