Discussion Thread: DIP 1028--Make @safe the Default--Final Review

Mathias LANG geod24 at gmail.com
Mon Apr 6 03:02:29 UTC 2020


On Monday, 6 April 2020 at 02:43:51 UTC, Walter Bright wrote:
> On 4/5/2020 12:22 PM, Timon Gehr wrote:
>> I really doubt that. It's a simple rule. The version that is 
>> easiest to implement is you simply disallow extern(C) 
>> functions without body to be marked @safe. It's a single `if` 
>> statement in an appropriate place.
>
> Famous last words.
>
> Just look at the swamp of misery from "simple" C rules, such as 
> their effect on C++ overloading. The quagmire got a lot worse 
> when C++ added type inference. I attended a Scott Meyers talk 
> that was a full hour long just on the weird special cases 
> forced on C++ due to those simple rules. Companies pay Scott a 
> boatload of cash for these lectures.
>
> I wouldn't be surprised if more than half of the bugs in 
> bugzilla are the result of an unexpected interaction between 
> simple exceptions to rules.
>
> I've been around this block a few thousand times. Remember, it 
> ain't just the compiler. The users don't remember these 
> exceptions. Every one of them makes the language harder to 
> learn and master.

I fail to understand how you are not seeing it as a problem, 
provided every single other person on this thread has. And 
consensus isn't easily achieved in the D community (or any 
community, for that matter), but it seems that here, even if 
opinions on `@safe` & `@trusted` differ, everyone agrees that 
having `extern` functions without D linkage `@safe` by default is 
a bad idea. Surely the voices of all the long-standing D 
contributors have to carry some weight?

Regardless, it doesn't have to be a rule. Just make it a compiler 
error. E.g. `extern(C) void foo();` leads to: "Error: `extern(C) 
void foo()` needs to be explicitly marked as `@system` or 
`@trusted`".
If you don't want this error message, then let it be `@system`, 
and the compiler will complain with "Error: `@safe` function 
`...` cannot call system function `...`" and hopefully that'd be 
clear enough.

You're right that `extern` relies on the user declaring things 
correctly to work. However, having the extern declaration 
potentially mis-attributed by default is a sure way to shoot 
oneself in the foot. By setting the default of `extern` (non D 
linkage) functions to `@system`, OR by requiring users to 
explicitly mark the prototype one way or the other, at least the 
user has to *actively* make the mistake.
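As an added illustration (not code from the post, the DIP, or the D compiler itself), the D program below shows the two cases the post contrasts: an `extern(C)` prototype that is honestly `@system` and reached only through a reviewed `@trusted` wrapper, and one that is simply asserted `@safe`, which is exactly what a `@safe`-by-default `extern(C)` declaration would amount to. The wrapper name `cStringLength` and the function `safeDefaultHazard` are my own; `strlen` and `puts` are the libc functions reached through their C linkage.

```d
// Added example, not from the original post: why the attribute on an
// extern(C) prototype is a claim the user makes, not something the
// compiler can verify. Build and run with: dmd -run safe_extern.d
module safe_extern;

import std.stdio : writeln;

// Case 1: the honest prototype. D only sees the signature, so it cannot
// check the body. Marking it @system (the default the post asks for)
// forces every call from @safe code through a human-reviewed @trusted site.
extern(C) @system size_t strlen(const(char)* s) nothrow @nogc;

// The single @trusted wrapper: the one place a person vouches for the call.
// It exposes a @safe interface (a D slice) and enforces the C precondition
// that strlen's argument is NUL-terminated before handing out a raw pointer.
@trusted size_t cStringLength(const(char)[] s)
{
    assert(s.length > 0 && s[$ - 1] == '\0', "buffer must be NUL-terminated");
    return strlen(s.ptr);
}

// Case 2: the hazard. Nothing backs this @safe; the compiler accepts it
// because a prototype has no body to check. Under a @safe-by-default rule
// for extern(C), this is what every unannotated C prototype would become.
extern(C) @safe int puts(const(char)* s);

@safe void safeDefaultHazard()
{
    string hello = "hello\0";

    // OK: goes through the reviewed @trusted wrapper.
    size_t n = cStringLength(hello);
    writeln("strlen via @trusted wrapper: ", n);

    // Rejected at compile time, which is the error the post wants users
    // to see: "@safe function `safeDefaultHazard` cannot call @system
    // function `strlen`". Uncomment to observe it.
    // size_t m = strlen(&hello[0]);

    // Accepted without review: puts was merely declared @safe. The call is
    // fine here only because the literal happens to be NUL-terminated; the
    // compiler enforced nothing, the declaration did all the "work".
    puts(&hello[0]);
}

void main() @safe
{
    safeDefaultHazard();
}
```

The difference between the two cases is where the mistake has to be made: with `@system` as the default for non-D linkage, a wrong `@trusted` wrapper is an explicit, reviewable act; with `@safe` as the default, an unannotated prototype is already the mistake, and nothing in the program marks the spot.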

