Blog post: What D got wrong

[Jonathan M Davis]

On Tuesday, December 18, 2018 8:00:48 AM MST Steven Schveighoffer via 
Digitalmars-d-announce wrote:
> On 12/17/18 4:42 AM, Dukc wrote:
> > On Monday, 17 December 2018 at 09:41:01 UTC, Dukc wrote:
> >> On Saturday, 15 December 2018 at 19:53:06 UTC, Atila Neves wrote:
> >>> @safe and pure though...
> >>
> >> Why @safe? Can't you just write "@safe:" on top and switch to
> >> @system/@trusted as needed?
> >
> > Argh, I forgot that you are not supposed to @safe templates away.
>
> You can apply @safe to anything. It's @trusted you have to be careful
> with.
>
> Of course, it probably won't work for many templates.

@safe should only be used on a template if the @safety of the code does not
depend on the template arguments, and it frequently does depend on them.
Mass-applying attributes should rarely be done with templated code. It
already causes enough problems with non-templated code, because it's easy to
not realize that an attribute has been mass-applied, but without a way to
explicitly mark a templated function so that an attribute is inferred in
spite of it being mass-applied, mass-applying attributes with templated code
will usually result in attributes being wrongly applied.

Now, for any attribute other than @trusted, the worst that you're going to
get out of incorrectly applying an attribute to a template is a compilation
error when a particular instantiation doesn't work with that attribute,
whereas for @trusted it's a disaster in the making. Mass-applying @trusted
is almost always a terrible idea. The one exception would maybe be something
like the bindings in druntime, where a number of modules do it, because it's
just a bunch of C prototypes. But even then, there's a high risk of marking
a function as @trusted later when someone adds it and doesn't realize that
@trusted was applied.

- Jonathan M Davis