[Issue 12941] Everything should be @unsafe by default, and explicitly vetted (and documented) as @safe

via Digitalmars-d-bugs digitalmars-d-bugs at puremagic.com
Thu Jun 19 15:46:11 PDT 2014 

https://issues.dlang.org/show_bug.cgi?id=12941

timon.gehr at gmx.ch changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |timon.gehr at gmx.ch

--- Comment #4 from timon.gehr at gmx.ch ---
My thoughts were:

@safety is to be checked after lowering has been applied. (such as template
instantiation

The following are all @safe:

expressions:
- reading and writing (by the means of the = operator) of (thread-local or
immutable) static and function-local (mutable, const, immutable, inout)
variables.
- reading and writing of (struct) member variables of @safe receivers. (extra
precautions need to be taken for class members.)
- accessing the 'this'/'super' reference.
- null literals
- boolean literals
- $
- all forms of integer, character and float literals
- string literals
- array literals with @safe constituents
- associative array literals with @safe constituents
- all function literals
- assert expressions with @safe arguments
- built-in new expressions with @safe arguments for types without destructors.
- built-in member new expressions with @safe receiver of class type and @safe
arguments for types without destructors.
- slicing of expressions of type T[] for some T
- indexing into expressions of type T[] for some T (!=void)
- pre- and post- ++ and -- for unqualified basic types
- calling @safe/@trusted static functions with by-value or 'ref' @safe
arguments
- calling @safe/@trusted member functions on with by-value or 'ref' @safe
arguments on @safe receivers
- taking the address of (all!) static functions
- universal construction for (qualified) basic types with an @safe argument.
- binary ||, &&, |, ^, &, ==, !=, >, >=, <, <=, !<>=, <>, <>=, !<=, !<, !>=,
!>, !<>, <<, >>, >>>, +, -, *, /, %, ^^ and unary -, +, !, ~ expressions on
(possibly const, immutable or inout) basic type @safe operands.
- conditional expressions (?:) on @safe operands
- assign expressions of the form 'a op= b' are @safe if 'a=a op b' is @safe.
(TODO: formalize properly)
- comma expressions (,) on @safe operands.

statements:
- the empty (;) statement
- a block statement containing only @safe statements
- case statements, case range statements, default statements consisting of
@safe statements.
- a labelled @safe statement.
- an expression statement consisting of a @safe expression
- a declaration statement consisting of a @safe nested-declaration
- if statements with @safe condition, @safe then statement and @safe or missing
else statement.
- while statements with @safe condition and @safe body.
- do statements with @safe body and @safe condition
- for statements with @safe initializer, @safe test, @safe increment and @safe
body.
- (final) switch statements with @safe switch expression and @safe body.
- continue statements
- break statements
- by value return statements with @safe or missing return expression
- goto statements (assuming that all skip-initialization cases are caught.)
- with statements with @safe with expression and @safe body
- try statements with @safe body and @safe catch / finally statements
  - catch statements with @safe body
  - finally statements with @safe body
- throw statements with @safe throw expression

nested-declarations:
- declarations not directly influencing code generation: alias declarations,
aggregate declarations, enum declarations, import declarations
- template mixin with @safe body
- variable declarations which are default-initialized or initialized using an
@safe expression

A function can be annotated @safe if its body and its contracts (if any) are
@safe statements.

TODO: identify missing items on this list

TODO: think properly about class references and unary '*' (dereferencing null
pointers runs into issues in the (*nullptr).foo case.)

TODO: think about and specify which type casts are @safe. (This should include
at least the implicit conversions between built-in types.)

TODO: shared, synchronized?

TODO: Specify the invariants that @safe functions assume relating to the memory
contents. Those invariants need to be established by @trusted functions before
returning and by all functions before calling into @safe functions. @safe
functions are guaranteed to preserve those invariants given that all @trusted
functions do.

TODO: Maybe give a semi-formal proof of the above assertion.

TODO: probably this is better with an accompanying wiki page or something

--

More information about the Digitalmars-d-bugs mailing list