On Saturday, 28 July 2012 at 00:08:30 UTC, David Nadlinger wrote:

2) [...] The obvious solution is to add a "@trusted" declaration/block, which would allow unsafe code in a certain region. Putting @trusted in the function header would still be allowed for backwards compatibility (but discouraged), and would have the same effect as marking the function @safe and wrapping its whole body in a @trusted block. It could e.g. look something like this (the @ prefix definitely looks weird, but I didn't want to introduce a new keyword):

---
 void foo(T)(T t) {
   t.doSomething();
   @trusted {
     // Do something dirty.
   }
   t.doSomethingElse();
   @trusted phobosFunctionWhichHasNotBeenMarkedSafeYet();
 }
---

I don't see a flaw with 1.

However, 2 doesn't sound right.

    @trusted {
      // Do something dirty.
    }

You aren't supposed to do dirty things in @trusted code. You're supposed to safely wrap a system function to be usable by a safe function. The system function is supposed to be short and getting its hands dirty. Remember this is about memory safety and not lack of bugs safety.

The template issue needs to be fixed, but maybe it is the inference which needs to be expanded? Maybe a template is only inferred as safe or trusted and requires explicit system?

I think I was going to say more, but I'm not versed in the problems for this area, which I'm sure there are many, so this is probably good enough self-butchering.

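An illustration of the pattern argued for above, a short @system function doing the raw work and a thin @trusted wrapper that checks what makes it memory-safe before exposing it to @safe code, plus a template whose safety is inferred from its body. This is an added example, not code from the thread; the function names are invented.

```d
import core.stdc.string : memmove;

// @system: raw pointer work. @safe code cannot call this directly.
@system void rawCopy(void* dst, const(void)* src, size_t n)
{
    memmove(dst, src, n);
}

// @trusted: the only place that vouches for rawCopy. It stays short and
// checks the single invariant (bounds, via slice lengths) that makes the
// raw call memory-safe, then exposes a slice-based interface.
@trusted void copyInto(ubyte[] dst, const(ubyte)[] src)
{
    if (src.length > dst.length)
        throw new Exception("destination too small");
    rawCopy(dst.ptr, src.ptr, src.length);
}

// @safe caller: may use the checked wrapper, never rawCopy itself.
@safe ubyte[] duplicateSafely(const(ubyte)[] src)
{
    auto dst = new ubyte[](src.length);
    copyInto(dst, src);
    return dst;
}

// Template: no explicit attribute; safety is inferred from the body.
// This instantiation is inferred @safe because it only touches slices,
// so the @safe main below may call it without any annotation.
T[] concat(T)(const(T)[] a, const(T)[] b)
{
    auto result = new T[](a.length + b.length);
    result[0 .. a.length] = a[];
    result[a.length .. $] = b[];
    return result;
}

void main() @safe
{
    const(ubyte)[] src = [1, 2, 3, 4];   // constructed sample input
    auto dup = duplicateSafely(src);
    assert(dup == src);
    auto joined = concat(src, dup);      // inferred @safe, callable here
    assert(joined.length == 8);
    // rawCopy(dup.ptr, src.ptr, 4);     // compile error: @system call from @safe
}
```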