DIP 1028---Make @safe the Default---Community Review Round 1

Steven Schveighoffer schveiguy at gmail.com
Fri Jan 3 15:15:59 UTC 2020

On 1/2/20 6:19 AM, jmh530 wrote:
> On Thursday, 2 January 2020 at 09:47:48 UTC, Mike Parker wrote:
>> This is the feedback thread for the first round of Community Review 
>> for DIP 1028, "Make @safe the Default":
> I believe this DIP should be not be accepted until 1) it is possible to 
> write a @safe RC type, 2) someone writes a tool that adds @system to 
> every function that is not annotated @safe or @trusted (or already 
> @system) (probably not that hard).

So I spent about 3 days to try and bring a large project into the realm 
of `@safe` [1]. I'm still not done there, but it's both eminently 
possible, and satisfying to have something to show for "you can just 
mark all your stuff @safe". However, one of the biggest costs we are 
going to have for this DIP (and I 100% support this DIP), is that 
deprecations are not going to be easy. It's not always easy to take your 
well-crafted API, and make it usable in both `@safe` and `@system` code.

The two large issues I ran into (and these I think we need to have fixed 
in concurrence with this release):

1. std.variant.Variant cannot be @safe. We need a SafeVariant. I went 
with TaggedAlgebraic due to the nice generative features there.

2. Object.opXXX is NOT marked @safe. This means doing operators with 
objects (especially opEquals). In my PR, because I no longer needed to 
compare objects since I was moving away from Variant (which uses 
TypeInfo for checking runtime type), this problem kind of went away. But 
it's definitely something that is concerning.

These are likely not the only problems that will happen. And most likely 
we will see a lot of these little things crop up. The DIP should address 
not just schedules, but prerequisites for moving to the next stage of 
the process (e.g. Object must be usable with @safe before an official 
deprecation is added to the compiler).

If you read through the discussions on making MySQL safe (see the 
referenced issue report [2]), the biggest difficulty for me is if you 
need to change return types (as I did from Variant to TaggedAlgebraic). 
Now, your API needs to necessarily adjust because you can't overload 
based on return type in D. If that were possible, then the API updates 
and deprecations would be easy.

Is it even feasible to overload something like return type based on the 
context called from? i.e. if you call from a @system function, you get 
type A, if you call from a @safe function, you get type B.


[1] https://github.com/mysql-d/mysql-native/pull/214
[2] https://github.com/mysql-d/mysql-native/issues/175

More information about the Digitalmars-d mailing list