DIP1000 scope inference

Quirin Schroll qs.il.paperinik at gmail.com
Thu Oct 27 17:39:14 UTC 2022 

On Wednesday, 26 October 2022 at 20:24:38 UTC, tsbockman wrote:
> On Wednesday, 26 October 2022 at 10:43:11 UTC, German Diago 
> wrote:
>> Is not trusted code (note my little D experience so sorry if I 
>> am asking something relatively stupid) unsafe? I mean, @safe 
>> is safe, @trusted is ??, @system is you go your own.
>>
>> - So what are the guarantees of @trusted compared to @system?
>
> A `@safe` function is guaranteed by the compiler to be memory 
> safe to call from other `@safe` code with (almost) any possible 
> arguments and under (almost) any circumstances.
>
> A `@trusted` function is guaranteed by its author to be memory 
> safe to call from other `@safe` code with (almost) any possible 
> arguments and under (almost) any circumstances.

The “(almost)” should be absent. If you mean something other than 
compiler bugs, please tell us.

> A `@system` function may require the caller to follow 
> additional rules beyond those enforced by the compiler, even in 
> `@safe` code, to maintain memory safety. Since the compiler 
> does not know what these additional rules are and cannot 
> enforce them automatically, calling `@system` functions 
> directly from `@safe` code is forbidden.
>
> | Attribute  | Must check definition | Must check each caller |
> |------------|-----------------------|------------------------|
> | `@safe`    | compiler              | compiler               |
> | `@trusted` | programmer            | compiler               |
> | `@system`  | programmer            | programmer             |
>
> Assume the function is implemented correctly, then try to 
> figure out how to call the function from `@safe` code in a way 
> that violates memory safety. If there is a way to do so, the 
> function should be `@system`.
>
> Otherwise, it should be `@safe` if that compiles, or `@trusted` 
> if not.

I agree with the characterization of `@safe` and `@system`. For 
`@trusted` functions, there’s something more to say:
* Widely accessible ones (e.g. `public`, `package`, `protected`, 
even `private` in a big module) should have a `@safe` interface, 
i.e. you can use them like `@safe` functions in all regards; they 
just aren’t `@safe` because of some implementation details.
* Narrowly accessible ones (e.g. `private` (in a small module), 
local functions, immediately executed lambdas) can have a 
`@system` interface, but their surroundings can be trusted to use 
the function correctly.

More information about the Digitalmars-d mailing list