DIP 1028---Make @safe the Default---Community Review Round 1

H. S. Teoh hsteoh at quickfur.ath.cx
Sun Jan 5 17:57:18 UTC 2020

On Sun, Jan 05, 2020 at 04:43:55PM +0000, jxel via Digitalmars-d wrote:
> Well you can call @safe code from @system, so you can't really
> guarantee the value is correct in @safe.

The guarantees of @safe is conditioned upon being called from other
@safe code. As long as somewhere at the top of the call chain there's a
@system function, then all bets are off.  This is why this DIP is so
important: until main() can become @safe, there's always a possibility
that somewhere along the line you screwed up and negated the guarantees
of @safe. This is unavoidable; for example a @system main() could have
trashed the entire RAM before calling a @safe function, and it's already
in UB land when the @safe function runs, so there's no way for the @safe
function to guarantee anything.

Our current situation is that we have @system on top of the call chain
(because not everything is @safe yet) and maybe some @safe bits lower
down or at the bottom.  Where we want to get to is @safe at the top, and
small bits of @system at the bottom gated by properly-audited @trusted
entry points.  This DIP is an important step in this direction.

> Kind of the same situation with an uninitialized bool that evaluates
> differently because of the code gen. The only way to guarantee it is
> valid is if you created the variable in @safe and wasn't passed as a
> parameter.

D always initializes all locals. Writing `bool b = void;' is @system, so
again, once your caller is @system, all bets are off further down the
call chain.

> Anyways, realistically people are just going to use @trusted: more
> instead of @system: because @trusted: is an actual solution and
> doesn't require fixing templates and any other anomalies that show up.
> So yes more code will work with @safe but it won't actually make it
> safer.

If I had my way, I'd outright outlaw "@trusted:" and only allow it on
smaller constructs.  If you really wanted to trust an entire module
that's essentially @system, just write main() @system and be done with
it. Why lie to yourself for no benefit whatsoever?


Life is complex. It consists of real and imaginary parts. -- YHL

More information about the Digitalmars-d mailing list