Discussion Thread: DIP 1028--Make @safe the Default--Final Review

Timon Gehr timon.gehr at gmx.ch
Mon Apr 6 18:28:07 UTC 2020


On 06.04.20 01:38, Steven Schveighoffer wrote:
> On 4/5/20 3:57 PM, tsbockman wrote:
>> On Sunday, 5 April 2020 at 19:22:59 UTC, Timon Gehr wrote:
>>> That makes no sense at all. You are arguing in favor of _ at trusted_ by 
>>> default! It should not even be _possible_ to mark an extern(C) 
>>> function @safe, it has to be either @system or @trusted. The compiler 
>>> does not do any checking here.
>>
>> I agree completely with this: it should be a compile-time error to 
>> declare a bodyless extern(C) function @safe, regardless of whether it 
>> is done implicitly by default, or explicitly with an annotation.
>>
>> The only distinction between @safe and @trusted is the compiler 
>> verification of the safety of a function's implementation. If that 
>> compiler verification wasn't done, then @safe cannot rightly apply.
>>
>> If having a different implicit default for bodyless extern(C) 
>> functions is too complicated, then just don't have a default for them 
>> at all: require all such declarations to be explicitly annotated 
>> either @system or @trusted.
> 
> I disagree with disallowing @safe as a specific marking on extern(C) 
> code. You can write @safe extern(C) functions in D, and it makes no 
> sense to require that they are @trusted at the prototype.

The linker can hijack them. The function signature of a @trusted 
function should be @safe anyway.

> Assuming 
> @safe, no. Explicitly @safe OK, you marked it, you own it.
> ...

@safe:

// a lot of code
// ...

extern(C) corrupt_all_the_memory();

When did @safe become a matter of "it's your own fault if you shoot 
yourself in the foot, this memory corruption you are having is a good 
thing because it will teach you not to make more mistakes in the 
future"? If something may break @safe-ty as it trusts the programmer to 
get it right, it ought to be @trusted.


> We have similar problems with inout -- preventing obvious incorrect 
> cases makes sense, until it doesn't.

This is not analogous. Here, the problem is that the "obvious incorrect 
cases" where not actually incorrect.

> I wish now I could go back and 
> change what I thought, but unfortunately I'm not well-versed in the 
> compiler to make the changes myself.
> 
> -Steve
I think you can just grep for the error messages and then remove the checks.


More information about the Digitalmars-d mailing list