DIP1000 observation
Dennis
dkorpel at gmail.com
Tue Aug 27 10:51:26 UTC 2024
On Monday, 26 August 2024 at 23:37:36 UTC, Jonathan M Davis wrote:
> Well, that does reduce the problem, but it still means that a
> function which is perfectly @safe as long as you don't pass it
> scoped types is either going to have to use scope for scoped
> types to work, or the caller is going to have to cast away
> scope.
As my example showed, there is no cast involved. The cast
operator can't even be used for this purpose. All you need is the
caller to be `@system` or `@trusted`, which without dip1000 must
be the case anyway since you're taking the address of a local.
> And honestly, if @system and @trusted functions can accept
> scope data without having to cast away scope
It's about whether the call site is `@system` or `@trusted`, not
the called function.
> Attribute inferrence will both reduce the problem by making
> some stuff just work and increase the problem by introducing
> scope in places that wouldn't otherwise have it.
(...)
> that will probably just increase how much I use @system instead
> of @safe and overall result in more memory safety issues in my
> code,
Are you aware that DIP1000 strictly reduces the amount of
`@system` / `@trusted` code you need?
And also that adding / inferring `scope` to a parameter is always
a strict improvement for the caller of the function with that
parameter?
If you can find a counterexample, where enabling dip1000 would
require more `@system` code without relying on the current bug
that slicing locals is allowed in `@safe` functions, or an
example where inferring / adding `scope` to a parameter adds
restrictions to the call site, please post it here or on a
bugzilla.
More information about the Digitalmars-d
mailing list