Discussion Thread: DIP 1028--Make @safe the Default--Final Review
Jonathan Marler
johnnymarler at gmail.com
Sat Apr 4 15:52:34 UTC 2020
On Saturday, 4 April 2020 at 11:57:50 UTC, H. S. Teoh wrote:
> [...]
Here's how I see function safety attributes:
         | verify body is @safe? | callable from @safe code?
-------------------------------------------------------------------
@system  | NO                    | NO
@trusted | NO                    | YES
@safe    | YES                   | YES
The compiler can only verify whether a function is @safe if it
has a body. When it doesn't, it is solely up to the programmer
to indicate whether it should be callable from @safe code.
So what about defaults? If we enable @safe by default on
"functions with bodies", then we are telling the compiler to
"verify" everything is safe by default. However, if we enable
@safe by default on "functions without bodies", then we are
telling the compiler to assume everything is "safe to call" by
default. The two are very different changes and should not be
conflated. Changing the default for functions with bodies makes
some sense:
function has body => verify it is @safe => callable from @safe code
For functions without bodies, not so much:
function has NO body => CANNOT verify it is @safe => ??? callable from @safe ???
P.S. Based on my table above, I don't think it makes sense to
mark any function without a body as @safe, rather, they are
either @system or @trusted.
P.S. Notice that there is a potential 4th attribute that verifies
the body is safe, but does not allow it to be called from @safe
code. It's possible for a function to only do @safe things, but
also be "unsafe" to call. However, D has taken the route that if
a function's body is @safe, it should also be safe to call it
from @safe code. This decision indicates that D ignores function
boundaries when it comes to safety. To me this indicates that
functions without bodies should not be marked safe by default,
because D treats code safety the same whether or not it's in
another function, and the compiler would never assume a block of
code is safe without analyzing it.
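
The three rows of the table above and the body-less case, as an added D example that is not part of the original post. The function names `sum`, `readNext` and `cLength` are hypothetical; the `strlen` prototype is declared locally to stand in for any function without a body.

```d
// Added illustration; function names are hypothetical, not from the post.

// No body: the compiler cannot check anything, so the annotation is the
// programmer's claim. @system keeps it out of @safe code.
extern (C) @system size_t strlen(const char* s);

// Body, @safe: verified by the compiler, callable from @safe code.
@safe int sum(const int[] xs)
{
    int total = 0;
    foreach (x; xs)
        total += x; // slice iteration stays in bounds
    return total;
}

// Body, @system: not verified, not callable from @safe code.
@system int readNext(const int* p)
{
    return *(p + 1); // pointer arithmetic, rejected inside @safe
}

// Body, @trusted: not verified, but callable from @safe code. The
// programmer vouches that the checks below make the strlen call sound.
@trusted size_t cLength(const char[] s)
{
    if (s.length == 0 || s[$ - 1] != '\0')
        return s.length; // no terminator: never hand the pointer to C
    return strlen(s.ptr); // terminator is inside the slice
}

@safe void main()
{
    int[] data = [1, 2, 3];
    assert(sum(data) == 6);
    assert(cLength("abc\0") == 3);
    assert(cLength("abc") == 3);

    // Both lines below fail to compile in @safe code:
    // readNext(null);
    // strlen(null);
}
```

Changing the annotation on the `strlen` prototype from `@system` to `@safe` makes the last commented-out call compile with nothing verified, which is the body-less case the post singles out.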