DIP1000 scope inference

tsbockman thomas.bockman at gmail.com
Wed Oct 26 20:24:38 UTC 2022


On Wednesday, 26 October 2022 at 10:43:11 UTC, German Diago wrote:
> Is not trusted code (note my little D experience so sorry if I 
> am asking something relatively stupid) unsafe? I mean, @safe is 
> safe, @trusted is ??, @system is you go your own.
>
> - So what are the guarantees of @trusted compared to @system?

A `@safe` function is guaranteed by the compiler to be memory 
safe to call from other `@safe` code with (almost) any possible 
arguments and under (almost) any circumstances.

A `@trusted` function is guaranteed by its author to be memory 
safe to call from other `@safe` code with (almost) any possible 
arguments and under (almost) any circumstances.

A `@system` function may require the caller to follow additional 
rules beyond those enforced by the compiler, even in `@safe` 
code, to maintain memory safety. Since the compiler does not know 
what these additional rules are and cannot enforce them 
automatically, calling `@system` functions directly from `@safe` 
code is forbidden.

| Attribute  | Must check definition | Must check each caller |
|------------|-----------------------|------------------------|
| `@safe`    | compiler              | compiler               |
| `@trusted` | programmer            | compiler               |
| `@system`  | programmer            | programmer             |

Assume the function is implemented correctly, then try to figure 
out how to call the function from `@safe` code in a way that 
violates memory safety. If there is a way to do so, the function 
should be `@system`.

Otherwise, it should be `@safe` if that compiles, or `@trusted` 
if not.

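The decision procedure in the post above, as an added example (not code from the original post or from the D project), with hypothetical function names: a raw copy that must stay `@system`, a length-checked wrapper that is legitimately `@trusted`, a second wrapper that would be a bug if marked `@trusted`, and a `@safe` caller showing which calls the compiler accepts. Parameters are `scope` so the example also compiles under `-preview=dip1000`.

```d
// Added example (not from the original post): three functions illustrating
// when each attribute is the right choice. All names here are hypothetical.
import core.stdc.string : memcpy;
import std.exception : enforce;

// @system: correct only if the caller guarantees that `dst` points to at
// least `n` writable bytes and `src` to `n` readable bytes. The compiler
// cannot see that rule, so @safe code is not allowed to call this directly.
void copyRaw(scope ubyte* dst, scope const(ubyte)* src, size_t n) @system
{
    memcpy(dst, src, n);
}

// @trusted: the author, not the compiler, checks the definition. A slice
// carries its own length, and the length check below means no argument a
// @safe caller can pass reaches memcpy with an out-of-bounds count. The
// callers themselves are still checked by the compiler, exactly as for @safe.
void copyChecked(scope ubyte[] dst, scope const(ubyte)[] src) @trusted
{
    enforce(src.length <= dst.length, "destination too small");
    if (src.length == 0) return;          // nothing to copy; .ptr may be null
    copyRaw(dst.ptr, src.ptr, src.length);
}

// Must stay @system: marking this @trusted would be a bug, because a @safe
// caller could pass `n` larger than either slice and overrun both buffers.
// The extra rule ("n must not exceed either length") can only be enforced
// by the caller, which is precisely what @system signals.
void copyUnchecked(scope ubyte[] dst, scope const(ubyte)[] src, size_t n) @system
{
    copyRaw(dst.ptr, src.ptr, n);
}

// @safe: fully checked by the compiler. It may call @safe and @trusted
// functions, but any call to a @system function is a compile-time error.
ubyte[8] safeCaller() @safe
{
    ubyte[8] a;
    ubyte[4] b = [1, 2, 3, 4];
    copyChecked(a[], b[]);                 // ok: @trusted is callable from @safe
    // copyUnchecked(a[], b[], 16);        // error: @system function not callable from @safe
    // copyRaw(&a[0], &b[0], 16);          // error: same, even though memcpy would run
    assert(a[0 .. 4] == b[]);
    return a;
}

void main()
{
    safeCaller();
}
```

Applying the post's test to `copyChecked`: assume its body is correct, then look for arguments a `@safe` caller could supply that break memory safety. Every slice carries a valid length and the check rejects an oversized source, so there are none, and `@trusted` is justified. For `copyUnchecked` the `n` argument is exactly such an input, so it has to remain `@system`; uncommenting either forbidden call in `safeCaller` reproduces the compiler error the post describes.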