On Saturday, 28 July 2012 at 14:02:44 UTC, Andrei Alexandrescu wrote:
> If @trusted is not part of the signature, we can't enable e.g.
> analyzers that verify an entire program or package to be safe.
> This is not something that's currently used, but I'd hate to
> look back and say, "heck, I hate that we conflated @trusted
> with @safe!"

Could you elaborate on that? A @safe function is _identical_,
from a client point of view, to a @trusted one. It can always
call a @trusted function under the hood without the caller
noticing, there is no way around that.
Thus, to be able to check that a program consists only of @safe
code [1], you would need its complete source, i.e. including all
the functions it can possibly invoke, to be able to check if
@trusted code is called in any place. But with all the source
available, you can just check the implementation for @trusted
blocks [2], there is no advantage over having it in the signature.
Destroyed? :P
David
[1] Which is highly unlikely, by the way, as many parts of
druntime just can't be safe.
[2] Or @trusted attributes in the function header – as
described in the original post, they won't go away for backwards
compatibility.
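
Added example, not part of the original post: a small D module showing the situation under discussion, where a compiler-checked @safe function reaches @trusted code and a @safe caller cannot tell the difference. The function names (`rawRead`, `firstByte`, `client`) are hypothetical; the `std.traits` helpers are Phobos' own.

```d
import std.traits : FunctionAttribute, functionAttributes, isSafe;

// Manually vetted: pointer indexing is rejected in @safe code,
// so the author vouches for this function with @trusted.
@trusted ubyte rawRead(const(ubyte)* p, size_t i)
{
    return p[i];
}

// Mechanically checked by the compiler, yet it calls @trusted code.
@safe ubyte firstByte(const(ubyte)[] data)
{
    if (data.length == 0)
        return 0;
    return rawRead(&data[0], 0); // &data[0] is bounds-checked and allowed in @safe
}

// A @safe client may call either function; nothing at the call site
// reveals that unchecked code runs underneath.
@safe ubyte client(const(ubyte)[] data)
{
    return firstByte(data);
}

// Both functions are callable from @safe code ...
static assert(isSafe!rawRead && isSafe!firstByte);

// ... and only the attribute on the declaration tells them apart.
static assert((functionAttributes!rawRead & FunctionAttribute.trusted) != 0);
static assert((functionAttributes!firstByte & FunctionAttribute.safe) != 0);
static assert((functionAttributes!firstByte & FunctionAttribute.trusted) == 0);

void main()
{
    import std.stdio : writeln;

    ubyte[] buf = [0x2a, 0x00]; // constructed sample input
    writeln(client(buf));
}
```

Auditing `client` for unchecked code therefore means following its call graph into `firstByte` and `rawRead`, which requires their source or at least their declarations.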