dip1000 and preview in combine to cause extra safety errors
Steven Schveighoffer
schveiguy at gmail.com
Thu Jun 9 01:18:30 UTC 2022
On 6/8/22 7:31 PM, Walter Bright wrote:
> On 6/8/2022 12:02 PM, Steven Schveighoffer wrote:
>> But for some reason,
>
> The reason is it's @system code, where it's on the programmer.
>
> @safe layers on a vast smorgasbord of extra checking.
I'll respond basically to all your points here.
1. Yes, I get that this is @system code, and it appears that returning
scope data in @system code is obviously subject to memory corruption.
For some reason, while you can't return a pointer to a local, you can
return a scope pointer.
2. The programmer is *not* expecting this. They did not write `scope`,
they wrote `in`, which according to the spec is "equivalent to const"
(see https://dlang.org/spec/function.html#in-params). I'm convinced that
we *absolutely cannot* turn on preview in by default until this is
addressed. I can't even recommend using the preview switch, as this is
too dangerous for memory safety.
3. The safe by default DIP (as everyone else has mentioned) was great,
except for extern(C) functions. I believe a vast majority wanted it
without that poison pill.
-Steve
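The asymmetry described in the post (returning the address of a local is rejected even in @system code, while an `in` parameter silently turned into `scope` can be escaped without any diagnostic), as an added example that is not code from the thread or from the D compiler's test suite. It assumes the documented semantics of a 2022-era DMD: `-preview=in` makes `in` mean `const scope` and passes large types by reference, and `-preview=dip1000` reports scope violations only in @safe code; the type, function and file names are invented for illustration.

```d
// Added example, not from the thread. Build and run with:
//   dmd -preview=in -preview=dip1000 -run in_escape.d
// Assumptions (labelled here): -preview=in turns `in` into `const scope`
// and passes large structs by reference; -preview=dip1000 only diagnoses
// scope escapes inside @safe functions.

struct Big
{
    ubyte[256] bytes;   // large enough that -preview=in passes it by reference
}

// The author wrote `in`, never `scope`, but under -preview=in this signature
// reads as `const scope ref Big b`. Returning a view into it escapes the
// scope parameter; in @system code the compiler does not check that, so
// this compiles without a single diagnostic.
const(ubyte)[] view(in Big b) @system
{
    return b.bytes[];
}

// The same body in @safe is rejected under -preview=dip1000 with a
// scope-escape error. Uncomment to see it.
// const(ubyte)[] viewSafe(in Big b) @safe { return b.bytes[]; }

// Contrast: returning the address of a plain local is an error even in
// @system code, which is exactly the asymmetry the post complains about.
// Uncomment to see the error.
// const(ubyte)* local() @system { ubyte x; return &x; }

const(ubyte)[] dangling() @system
{
    // -preview=in also lets an rvalue bind to the by-ref `in` parameter.
    // The temporary Big lives only for this statement, so the slice that
    // comes back refers to stack storage that is dead by the time the
    // caller sees it.
    return view(Big.init);
}

void main()
{
    auto v = dangling();
    // Any read through `v` is a use of dead stack memory: undefined
    // behaviour, accepted because the function was @system and the
    // programmer never saw the word `scope`.
    assert(v.length == Big.bytes.length);
}
```

Compiling the same file with `-preview=dip1000` but without `-preview=in` gives an ordinary `const Big b` parameter and the escape is perfectly legal, which is why the combination of the two switches, not either alone, produces the surprise.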