@safe by default

Jacob Shtokolov jacob.100205 at gmail.com
Sat Jun 16 21:08:27 UTC 2018


On Saturday, 16 June 2018 at 17:46:56 UTC, Jonathan M Davis wrote:
> I would point out that in general, doing that with attributes 
> is rather error-prone, because it's easy for folks reading the 
> code to miss them, making it unclear that they're in effect, 
> and because unfortunately most attributes cannot be reversed, 
> mass-applying them like that can then cause problems down the 
> line when you need the attribute to _not_ apply to a function.
>
> That being said, @safe is pretty much the one with the least 
> problems, because it's one of the ones that you can reverse by 
> using @system or @trusted explicitly where needed. However, 
> there is no way to turn attribute inferrence back on, so 
> putting @safe at the top of a module that has templated 
> functions where the @safeness really needs to be inferred based 
> on the template arguments can be a problem (though it's not as 
> big a problem as putting @trusted at the top of the module, 
> since at least with @safe, it just means that you'd end up with 
> templates that don't compile when they would have been inferred 
> as @system, whereas with @trusted, you'd potentially be hiding 
> memory-safety bugs).
>
> So, while putting @safe at the top of the module may very well 
> be your best choice, be aware that mass-applying attributes 
> like that _can_ cause problems.
>
> - Jonathan M Davis

Thanks Jonathan! The case with templated functions indeed is not 
obvious.

> doing that with attributes is rather error-prone, because it's 
> easy for folks reading the code to miss them, making it unclear 
> that they're in effect, and because unfortunately most 
> attributes cannot be reversed, mass-applying them like that can 
> then cause problems down the line when you need the attribute 
> to _not_ apply to a function.

I completely agree with the second point - if we can't reverse 
these attributes in random places, the feature doesn't make sense 
at all.

The first point, however, looks arguable to me. So I would say 
that it strongly depends on the task: for example, in web 
development there is absolutely no need to use pointers and other 
unsafe features until you really need them. In this case it's 
better to force safety for all functions by default, and it would 
be hard to do if we need to mark every single function as @safe 
(not that hard of course, but very unpleasant).


More information about the Digitalmars-d mailing list