Discussion Thread: DIP 1028--Make @safe the Default--Final Review

Steven Schveighoffer schveiguy at gmail.com
Thu Apr 9 05:12:41 UTC 2020


On 4/9/20 12:31 AM, Timon Gehr wrote:
> On 08.04.20 22:47, Steven Schveighoffer wrote:
>> I never said that @trusted is the same as @system.
> 
> Nor did I claim you did.

You just said:

"If your opinion is truly that the following two code snippets are 
equivalent"

and then presented two code snippets that showed the same function with 
implementation tagged as @system or @trusted. I don't know how I'm 
supposed to interpret your claim other than you think I believe they are 
equivalent.

> The snippets above differ only in who is to 
> blame for the memory corruption. You claimed that's a non-essential 
> detail, and that is not true, but I don't know how to make that point to 
> you.

The snippets are different than what we are debating. We were not 
talking about trusted code being called from safe code, rather system 
code being incorrectly prototyped as @safe or @trusted. Whether you mark 
it incorrectly @safe or incorrectly @trusted is non-essential.

In both cases, the person who wrote the prototype is to blame, as the 
person who wrote the original code clearly meant it to be system, and 
the person who wrote the prototype got it wrong.

We have 3 situations:

1. The code is written as extern(C) in D, in which case, the exact 
safety attribute should be repeated as the prototype.
2. The code is written in some other language, but is @safe based on an 
examination either by spec or by actually proofreading the code, in 
which case the prototype could be @trusted.
3. The code is written in some other language, and does not follow 
safety rules of D (e.g. memcpy). It should be marked @system.

In no circumstances should extern(C) code that is written outside D 
be marked @safe. I would also consider it an error to write a 
prototype for an extern(C) D function other than what it actually is 
(@safe, @trusted, @system).

I consider both of those an error on the prototype author.

I would consider it a mistake to make it impossible to forward the exact 
attribute of a @safe extern(C) D function to the prototype.

-Steve
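The three situations Steve lists, written out as D source. This is an added example, not code from the thread or from the DIP; the function names c_sum_safe and safe_caller are hypothetical, while abs and memcpy are the real C library functions used as stand-ins for a reviewed-safe and an inherently-@system routine.

```d
// Added example (not part of the thread). Shows how the prototype for an
// extern(C) function should carry the attribute that matches the
// implementation, and what happens when @safe code tries to call each one.

// Situation 1: the implementation is extern(C) D code and is @safe.
// Any prototype of it in another module must repeat @safe exactly:
//     extern(C) int c_sum_safe(int a, int b) @safe;
// (declared here with its body; the hypothetical name is an assumption).
extern(C) int c_sum_safe(int a, int b) @safe
{
    return a + b;
}

// Situation 2: written in C, not D, but reviewed against D's safety rules
// (abs cannot corrupt memory for any int input). The prototype author takes
// responsibility for that review by marking it @trusted.
extern(C) int abs(int x) @trusted nothrow @nogc;

// Situation 3: written in C and does not follow D's safety rules (memcpy
// trusts the caller for both pointers and the length). It stays @system.
extern(C) void* memcpy(return scope void* dest, scope const(void)* src, size_t n)
    @system nothrow @nogc;

// A @safe caller may use situations 1 and 2 directly; situation 3 is
// rejected by the compiler, which is the whole point of the marking.
int safe_caller() @safe
{
    int total = c_sum_safe(2, 3);   // OK: @safe callee
    total += abs(-4);               // OK: @trusted callee, responsibility taken above
    // ubyte[4] a, b;
    // memcpy(&a[0], &b[0], a.length);  // Error: @system function called from @safe code
    return total;                   // 9
}

void main() @safe
{
    assert(safe_caller() == 9);
}
```

Uncommenting the memcpy call makes `dmd` refuse to compile safe_caller, which is the behaviour the thread relies on: a wrong attribute on the prototype (marking memcpy @safe or @trusted) would silence that error, and the prototype author, not the C author, would own the resulting memory corruption.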