| |
 | Posted by Jonathan M Davis
in reply to Guillaume Piolat |  Permalink Reply |
|
Jonathan M Davis 
Posted in reply to Guillaume Piolat
| On Friday, August 25, 2023 3:00:08 PM MDT Guillaume Piolat via Digitalmars-d- learn wrote:
> The idea is to deliberately mark @system functions that need special scrutiny to use, regardless of their memory-safety. Function that would typically be named `assumeXXX`.
>
>
>
> ```d
> class MyEncodedThing
> {
> Encoding encoding;
>
> /// Unsafe cast of encoding.
> void assumeEncoding (Encoding encoding) /* here */ @system /*
> here */
> {
> this.encoding = encoding;
> }
> }
>
> char* assumeZeroTerminated(char[] str) @system
> {
> return str.ptr;
> }
>
> ```
>
> That way, @safe code will still need to manually @trust them.
Well, if no attribute inference is involved, then @system isn't required. However, explicitly marking it @system makes it so that you won't accidentally make it @safe via later introducing attribute inference or by adding something like @safe: or @safe {} to the code. It also makes it clear that the @system is intentional rather than it being the case that no one decided to put @safe or @trusted on it.
So, it arguable is good practice to mark functions @system if they're intended to be @system rather than leaving it up to the defaults.
Either way, if the code using those functions are going to be able to use @trusted correctly, the documentation should probably be very clear about what the @system function is doing - at least if you're not in an environment where everyone is expected to look at the code itself rather than at documentation.
- Jonathan M Davis
|
