What exactly does "@safe" mean?
Jonathan M Davis
jmdavisProg at gmx.com
Sat Jun 1 14:02:25 PDT 2013
On Saturday, June 01, 2013 21:59:18 monarch_dodra wrote:
> The way I understood it, @safe defines a list of things that are
> or aren't legal inside the implementation of a function. It also
> changes the scheme of bounds checking, in release code.
>
> What bothers me though, is that from an interface point of view,
> it doesn't really mean anything (or at least, I haven't really
> understood anything). AFAIK: if I call something "@safe", chances
> of a core dump are relatively "lower", but they can still happen:
> * A function that accepts a pointer as an argument can be marked
> safe, so all bets are off there, no, since the pointer can be
> dereferenced?
> * Member functions for structs that have pointers, too, can be
> marked safe...
>
> Or does it only mean "if you give me valid pointers, I can't core
> dump*"?
> (*ignoring current flaws, such as escaping slices from static
> arrays)
>
> The main reason about this question is that now I'm confused
> about @trusted: what are the conditions a developer needs to take
> into account before marking a function "@trusted" ?
>
> Ditto for member functions, when they operate on pointer members.
> Can those be @safe?
>
> Yeah, overall, I'm confused as to what "@safe" means from an
> interface point of view :(
@safe is for memory safety, meaning that @safe code cannot corrupt memory. You
can get segfaults due to null pointers and the like, but you can't have code
which writes passed the end of a buffer, or which uses a freed memory, or does
anything else which involves writing or reading from memory which variables
aren't supposed to have access to.
Assuming that there are no bugs in @safe, the one thing that can invalidate it
is @trusted. With @trusted code, it is the _programmer_ who is then
guaranteeing that the code is actually @safe. The code is doing something
which is potentially not safe (and therefore is considered @system by the
compiler) but which _could_ be safe if the code is correct, and if the
programmer is marking the code as @trusted, they are then telling the compiler
that they've verified that the code isn't doing anything which could corrupt
memory. As long as the programmer doesn't screw that up, then any @safe code
calling that @trusted function is indeed @safe, but if the programmer screwed
it up, then you could still get memory corruption. However, here's really no
way to get around that problem with a systems language, since most code needs
to eventually call something that's @system (e.g. all I/O needs @system stuff
internally). But by limiting how much code is @system or @trusted, most code
is @safe with a minimal amount of code having to have been verified by an
appropriately competent programmer as being @trusted.
- Jonathan M Davis
More information about the Digitalmars-d
mailing list