Discussion Thread: DIP 1028--Make @safe the Default--Final Review

Jonathan Marler johnnymarler at gmail.com
Mon Apr 6 06:03:17 UTC 2020

On Monday, 6 April 2020 at 02:43:51 UTC, Walter Bright wrote:
> On 4/5/2020 12:22 PM, Timon Gehr wrote:
>> I really doubt that. It's a simple rule. The version that is 
>> easiest to implement is you simply disallow extern(C) 
>> functions without body to be marked @safe. It's a single `if` 
>> statement in an appropriate place.
> Famous last words.
> Just look at the swamp of misery from "simple" C rules, such as 
> their effect on C++ overloading. The quagmire got a lot worse 
> when C++ added type inference. I attended a Scott Meyers talk 
> that was a full hour long just on the weird special cases 
> forced on C++ due to those simple rules. Companies pay Scott a 
> boatload of cash for these lectures.
> I wouldn't be surprised if more than half of the bugs in 
> bugzilla are the result of an unexpected interaction between 
> simple exceptions to rules.
> I've been around this block a few thousand times. Remember, it 
> ain't just the compiler. The users don't remember these 
> exceptions. Every one of them makes the language harder to 
> learn and master.

I agree that every language needs to be very careful with complex 
rules.  But I don't see this as a complex rule, I would word it 
like this:

     treat "the code" inside "code blocks" as @safe unless 
explicitly marked as @system

Note that this would exclude function declarations themselves, as 
they are not "code", but instead, wrappers to executable code 
that comes from somewhere else and cannot be verified to be 
"@safe".  Whereas a function with a body (i.e. a code block) 
would be treated as @safe, namely, because the compiler can 
verify it is safe.

I think the rule is simple when you know the right way to define 
it.  I don't see any exceptions or "ifs", just a simple 
straightforward rule.

I would like to add however that I don't see you using this same 
"the rule is too complex" argument on DIP1032. Which would read 
something like this:

     function and delegate pointer types use the attributes that 
are listed, except when the type declarations themselves are 
function parameters or defined inside a function; in which case 
they would inherit all attribute from their contining function. 
(question: would nested functions also inherit attributes?).  
Although, if the type itself is defined outside the function and 
only an alias is used to declare a pointer inside the function 
then it will not inherit the attributes from the containing 

I also have a low confidence that covers all the complexity this 
rule would require, but that's what I came up with so far.  That 
rule seem much more complex to me, and the only benefit I see is 
saving some tokens on some function/delegate type declarations, 
which I don't see come up too often anyway.  From my end it looks 
like you aren't applying the same rules to every proposal, 
rather, you're selectively cherry-picking arguments for each 
individual one.

More information about the Digitalmars-d mailing list