Discussion Thread: DIP 1028--Make @safe the Default--Final Review

Steven Schveighoffer schveiguy at gmail.com
Fri Apr 3 21:06:28 UTC 2020


On 4/3/20 4:22 PM, Walter Bright wrote:
> On 3/26/2020 9:02 AM, Atila Neves wrote:
>> extern(C) doesn't necessarily mean the code is written in C and can't 
>> be verified by the compiler. It might just be written in D (or C++, or 
>> Rust, or...).
> 
> That's right. It means "use a C function call interface". For example, 
> one might be writing a function meant to be called from C code.

I want to make sure you understand that we are not talking about 
extern(C) functions that are written in D.

extern(C) void foo() {
    import std.stdio;
    writeln("hello world!");   // body is visible, so the compiler can check it
}

can absolutely be assumed @safe. It has an implementation. The compiler 
can verify right there that it works. This should fail to compile in 
that case:

extern(C) void foo() {
    *cast(int *)0xdeadbeef = 5;   // raw pointer write: not @safe
}

But what should absolutely not compile is:

extern(C) void free(void *);   // prototype only: no body for the compiler to verify

void foo(int *ptr) // now inferred @safe
{
    free(ptr);
}

Notice I didn't import core.stdc.stdlib. You cannot fix this code, it 
will break. Silently. Anything that depends on it will also break, 
cascading the error all the way through D code. Things that were @system 
will magically become @safe even though they are not. @safe will become 
a cruel joke.

There are multiple options:

1. extern(C) (or really anything without @safe name mangling) without 
implementation is assumed @system.
2. extern(C) (et al.) without implementation must be marked @system, 
@safe, or @trusted explicitly.
3. option 1 or 2 PLUS such functions with implementation follow the same 
rules (for consistency).

There is no grey area -- @safe is COMPLETELY destroyed if we assume all 
unmarked extern(C) prototypes are @safe.

Even if the function is written in D, the fact that the prototype 
marking could be forgotten is going to cause huge issues. How many times 
has someone needed a function from druntime that's not public but is 
extern(C) and just threw in a prototype? All those would now be @safe!

The fact that we cannot control where/how people define their prototypes 
means we have to be firm on this. They need to opt in to @safe with 
extern(C); it cannot be the default.

-Steve
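The following is an added example, not code from the post or from DIP 1028, showing what the "opt-in" in options 1 and 2 looks like in practice: the extern(C) prototypes carry an explicit attribute, so the outcome does not depend on whatever the default becomes. The function names addOne, bytesEqual and caller are illustrative, and the exact wording of the compiler's rejection message is paraphrased rather than quoted.

```d
// Added example (not from the post): explicit attributes on extern(C)
// prototypes, and a @trusted wrapper that carries the actual safety argument.
// Compile with: dmd -c example.d
module example;

// 1. extern(C) with a body. The compiler sees the implementation, so marking
//    it @safe (or inferring @safe) is backed by a real check.
extern(C) int addOne(int x) @safe
{
    return x + 1;
}

// 2. extern(C) prototype with no body: a promise the compiler cannot verify.
//    It must be marked by hand; @system is the honest choice for free().
//    Declared here instead of importing core.stdc.stdlib, as in the post.
extern(C) @system void free(void* ptr);

// 3. Another prototype the compiler cannot check, again marked @system.
//    The prototype proves nothing; any safety claim has to be made elsewhere.
extern(C) @system int memcmp(const(void)* a, const(void)* b, size_t n);

// The safety argument lives in a small @trusted wrapper whose body a reviewer
// can audit: the slice lengths bound every byte memcmp is allowed to read, so
// a caller cannot hand it an n longer than either buffer.
bool bytesEqual(const(ubyte)[] a, const(ubyte)[] b) @trusted
{
    if (a.length != b.length)
        return false;
    if (a.length == 0)
        return true;
    return memcmp(a.ptr, b.ptr, a.length) == 0;
}

// @safe code may call the verifiable body and the audited wrapper...
void caller(int* p) @safe
{
    int v = addOne(41);
    const(ubyte)[] x = [1, 2, 3, 4];   // constructed sample input
    const(ubyte)[] y = [1, 2, 3, 4];
    assert(v == 42);
    assert(bytesEqual(x, y));
    assert(!bytesEqual(x, y[0 .. 3]));

    // ...but not the unchecked prototype. Because the attribute is written
    // out, the compiler rejects this call regardless of the default:
    // free(p);   // error: @safe function cannot call @system function 'free'
}

void main()
{
    caller(null);
}
```

The point of the wrapper is that @trusted is applied to a few lines whose argument (the length check) fits on the screen, while the prototype itself stays @system. Uncommenting the free(p) line reproduces the case the post warns about: with an explicit @system on the prototype it fails to compile, which is exactly the behaviour a @safe-by-default scheme would lose for unmarked prototypes.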

