dip1000 and preview in combine to cause extra safety errors

Steven Schveighoffer schveiguy at gmail.com
Thu Jun 9 01:18:30 UTC 2022


On 6/8/22 7:31 PM, Walter Bright wrote:
> On 6/8/2022 12:02 PM, Steven Schveighoffer wrote:
>> But for some reason,
> 
> The reason is it's @system code, where it's on the programmer.
> 
> @safe layers on a vast smorgasbord of extra checking.

I'll respond basically to all your points here.

1. Yes, I get that this is @system code, and it appears that returning 
of scope data in @system code is obviously subject to memory corruption. 
For some reason, while you can't return a pointer to a local, you can 
return a scope pointer.
2. The programmer is *not* expecting this. They did not write `scope`, 
they wrote `in`, which according to the spec is "equivalent to const" 
(see https://dlang.org/spec/function.html#in-params). I'm convinced that 
we *absolutely cannot* turn on preview in by default until this is 
addressed. I can't even recommend using the preview switch, as this is 
too dangerous for memory safety.
3. The safe by default DIP (as everyone else has mentioned) was great, 
except for extern(C) functions. I believe a vast majority wanted it 
without that poison pill.

-Steve
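The behaviour described above, as an added illustration that is not code from the thread; it assumes `dmd -preview=in -preview=dip1000` (under which `in` means `const scope`), and the compiler messages in the comments are paraphrased.

```d
// Added example, not from the thread. Build with: dmd -preview=in -preview=dip1000
// The two rejected functions sit under version(none) so the file itself compiles.

version (none)
{
    // Rejected in @safe AND @system code: the address of a local escapes.
    int* addressOfLocal() @system
    {
        int x = 42;
        return &x; // Error (paraphrased): returning &x escapes a reference to local x
    }

    // Same body as forwardIn below, but @safe: dip1000 enforces scope here.
    const(int)* forwardInSafe(in int* p) @safe
    {
        return p; // Error (paraphrased): scope variable p may not be returned
    }
}

// `p` is `const scope int*` because of -preview=in. In @system code dip1000
// does not enforce scope, so this compiles and the scope-ness is silently lost.
const(int)* forwardIn(in int* p) @system
{
    return p;
}

// Neither call site nor callee gets a diagnostic, yet the result is a pointer
// into a dead stack frame: the memory-safety hazard the post is about.
const(int)* dangling() @system
{
    int local = 7;
    return forwardIn(&local); // dangling once this function returns
}

void main()
{
    import std.stdio : writeln;
    const(int)* p = dangling();
    writeln("got a pointer to a dead frame; dereferencing it is undefined behaviour");
    // *p is deliberately not read here.
}
```

Removing `version (none)` shows that the local-address case is diagnosed even in @system code, while the scope-parameter case is diagnosed only once the function is @safe.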
