Le 28/07/2012 02:08, David Nadlinger a écrit :
As an example how this is problematic, consider that you are writing a
function which takes some generic input data, and needs to do (unsafe)
low-level buffer handling internally to efficiently do its job. You come
up with a first implementation, maybe only accepting arrays for the sake
of getting it working quickly, and add @trusted as your dirty buffer
magic isn't visible from the outside, but does break attribute
inference. Later, you decide that there is no reason not to take other
range types as input. Fortunately, the actual implementation doesn't
require any changes, so you just modify the template constraint as
needed, and you are good. Well, no – you've just completely broken all
safety guarantees for every program which calls your function, because
empty/front/popFront of the passed range might be @system.
Now, you might argue that this is a contrived scenario. Yes, the mistake
could have easily be avoided, @trusted on a template declaration should
always raise a red flag.
Run into that exact same problem this week. +1
