DIP 1028---Make @safe the Default---Community Review Round 1

H. S. Teoh hsteoh at quickfur.ath.cx
Thu Jan 9 19:59:03 UTC 2020

On Thu, Jan 09, 2020 at 02:35:36PM -0500, Steven Schveighoffer via Digitalmars-d wrote:
> On 1/9/20 2:22 PM, Timon Gehr wrote:
> > @safe code can't be trusted. It may be edited by programmers who are
> > not allowed to write @trusted code.
> I'm not saying it's safe. I'm saying I want the mechanical checking
> outside the trusted escape. e.g. I want the compiler to check these
> parts, but I know this one part needs trusting. D doesn't give a
> better way to express this other than safe code with trusted escapes.

Yeah, I also consider this to be valuable.  Another way of doing the
same thing is that @trusted *doesn't* allow unsafe operations by
default, it just marks that function as needing to be manually verified,
but within that function you have to explicitly mark out which parts are
to be trusted:

	auto myfunc(Args args) @trusted {
		... // only @safe code allowed here
		@system {
			... // @system code allowed here
		... // only @safe code allowed here

The idea is that you want the compiler to statically check everything
outside that nested @system block so that no unsafe operations are
permitted there, so that you can isolate block the code that requires
temporary suspension of @safe checks to a small, self-contained block.

But the function as a whole cannot be marked @safe because the @system
block within interacts with the surrounding code, so you cannot
guarantee the resulting combination will actually be @safe.  The
function still needs to be audited *as a whole* for safety, but with the
benefit that the compiler is also helping with part of the auditing by
prohibiting potentially unsafe operations outside explicitly-marked

Inside a non- at trusted function, @system blocks would be completely
verboten. (@system functions don't need such blocks because they're
entirely @system already.)


It always amuses me that Windows has a Safe Mode during bootup. Does that mean that Windows is normally unsafe?

More information about the Digitalmars-d mailing list