On Saturday, 28 July 2012 at 14:02:44 UTC, Andrei Alexandrescu wrote:
But the much bigger problem is that @trusted doesn't play well with template attribute inference and makes it much too easy to accidentally mark a function as safe to call if it really isn't. Both things are a consequence of the fact that it can be applied at the function level only; there is no way to apply it selectively to only a part of the function.

This could be a more serious problem. Could you please write a brief example that shows attribute deduction messing things up? I don't understand how marking a template as @trusted is bad.

See the std.uuid discussion I linked in the original post for a real-world example of this bug.

The gist is: You can't ever mark a function which can end up executing code coming from a template parameter, for example a function accepting a range, as @trusted, because then you would vouch for all the passed-in code as well, which might be @system. [1]

Template parameters which just supply data are obviously not a problem.

David


[1] Unless you explicitly check whether the passed code is @safe, that is. If you go down this route, though, you need to duplicate the function declaration, which isn't pretty. See std.range.RefRange.save for an example of this.
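
The problem described in the message above, as an added D example that is not part of the original thread or of Phobos. `RawRange`, `at`, `dotTrusted` and `dotInferred` are constructed names, and the immediately-called `@trusted` lambda is the idiom commonly used in current D to confine the vouching to one expression.

```d
import std.range.primitives : empty, front, popFront;

// Constructed range whose primitives are explicitly @system (raw pointer walk).
struct RawRange
{
    int* p;
    size_t n;
    @property bool empty() @system { return n == 0; }
    @property int front() @system { return *p; }
    void popFront() @system { ++p; --n; }
}

// Hand-audited @system helper: unchecked read, caller must guarantee i < a.length.
int at(const(int)[] a, size_t i) @system { return a.ptr[i]; }

// Whole-function @trusted: vouches for at() AND for R's empty/front/popFront.
int dotTrusted(R)(R r, const(int)[] w) @trusted
{
    int total;
    for (size_t i = 0; i < w.length && !r.empty; ++i, r.popFront())
        total += at(w, i) * r.front;
    return total;
}

// No attribute on the template, so @safe/@system is inferred per instantiation.
// Only the audited call sits inside a @trusted lambda.
int dotInferred(R)(R r, const(int)[] w)
{
    int total;
    for (size_t i = 0; i < w.length && !r.empty; ++i, r.popFront())
    {
        immutable wi = () @trusted { return at(w, i); }(); // i < w.length checked above
        total += wi * r.front; // code from the template argument stays outside @trusted
    }
    return total;
}

// The hole: @safe code may call the @trusted template with a @system range.
static assert( __traits(compiles, () @safe => dotTrusted(RawRange.init, null)));
// Inference rejects the same call, and still accepts a range with @safe primitives.
static assert(!__traits(compiles, () @safe => dotInferred(RawRange.init, null)));
static assert( __traits(compiles, () @safe => dotInferred([1, 2, 3], [4, 5, 6])));

void main() @safe
{
    assert(dotInferred([1, 2, 3], [4, 5, 6]) == 32);
}
```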
