D not considered memory safe
Timon Gehr
timon.gehr at gmx.ch
Sat Jul 13 13:09:14 UTC 2024
On 7/13/24 14:37, aberba wrote:
> On Thursday, 11 July 2024 at 16:26:59 UTC, Walter Bright wrote:
>> On 7/9/2024 8:58 AM, Nick Treleaven wrote:
>>> [...]
>>
>> That's right. Converting an entire program to @safe can be done
>> successfully by doing it incrementally, getting it to pass its test
>> suite at each step. The way to do it incrementally is to start by
>> labeling each function @trusted, then making them @safe one by one.
>>
>> I've done this, it works.
>>
>> And, as you observe, grepping for "@trusted" makes for a builtin-in
>> TODO list!
>
> This to me is the most sensible way to go about it.
It's not. You'll quickly lose track of the 3 kinds of `@trusted` functions:
- @trusted functions that should be @safe
- @trusted functions that should be @trusted
- @trusted functions that must be @system
This is plain safewashing.
If you want incremental safety in the current language, you have to
start at the leaves, and put your TODO's in comments.
OpenD has an interesting approach towards default safety. They enabled a
large fraction of safety checks in functions without a safety
annotation. To disable them, explicit @system is required. This way you
get linting benefits even without already ensuring full memory safety
guarantees.
Anyway, there are many language-assisted ways to make incremental @safe
migration work (some would require only minimal changes to the
compiler), but I think slapping @trusted everywhere will not do anything
to improve the perceptions about D's memory safety.
More information about the Digitalmars-d
mailing list