-preview=safer for D

Timon Gehr timon.gehr at gmx.ch
Sat Dec 14 15:12:11 UTC 2024


On 12/14/24 09:46, Walter Bright wrote:
> Now that this has been merged into master, what are your reactions?

Here's what I tried. (`&x` is just a placeholder for any unsafe 
operation, I am aware it would be fine for this to compile here, as it 
would with DIP1000.)


```d
import std;

void foo()@system{}

void bar(){
     foo(); // ok
}

void baz(){
     int x;
     // auto y=&x; // error, good
}

void qux(){
     foo(); // ok
     int x;
     // auto y=&x; // error, good
}

auto bongo(){
     int x;
     auto y=&x; // ok, bad
}

void flarp()(){
     int x;
     auto y=&x; // ok, bad
}

void main(){
     writeln("hi"); // ok
}
```

So I don't know, it's mixed for me. I do like the idea of linting 
functions with a not necessarily safe interface using the ordinary 
safety checks by default.

OTOH it is not so great that inferring a return type or using a template 
will disable the checks. I cannot even opt in: there is no explicit way 
to say: neither `@safe` nor inferred `@system`. I either have to go 
`@safe`, which may not be an option if the function interface is not 
memory safe, and even if the function interface is memory safe, I will 
have to opt into transitivity of `@safe` at that point, which is already 
the existing tradeoff without `-preview=safer`.

I will probably use the flag, but I have projects where a lot of my code 
or, more importantly, code in its dependencies, is templated and/or 
infers return types. `-preview=safer` will just not do all that much there.
