D not considered memory safe

Paolo Invernizzi paolo.invernizzi at gmail.com
Sat Jul 13 13:13:43 UTC 2024


On Saturday, 13 July 2024 at 13:09:14 UTC, Timon Gehr wrote:
> On 7/13/24 14:37, aberba wrote:
>> On Thursday, 11 July 2024 at 16:26:59 UTC, Walter Bright wrote:
>>> [...]
>> 
>> This to me is the most sensible way to go about it.
>
> It's not. You'll quickly lose track of the 3 kinds of 
> `@trusted` functions:
>
> - @trusted functions that should be @safe
> - @trusted functions that should be @trusted
> - @trusted functions that must be @system
>
> This is plain safewashing.
>
> If you want incremental safety in the current language, you 
> have to start at the leaves, and put your TODO's in comments.
>
> OpenD has an interesting approach towards default safety. They 
> enabled a large fraction of safety checks in functions without 
> a safety annotation. To disable them, explicit @system is 
> required. This way you get linting benefits even without 
> already ensuring full memory safety guarantees.
>
> Anyway, there are many language-assisted ways to make 
> incremental @safe migration work (some would require only 
> minimal changes to the compiler), but I think slapping @trusted 
> everywhere will not do anything to improve the perceptions 
> about D's memory safety.

I would add one point. Walter wrote in his original post:

"In fact, I've been doing just that. Adding @safe: at the top, 
and then everything that fails to compile gets marked @trusted. 
****Eventually****, refactor the code as time permits."

Ouch!
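As an added illustration of the point Timon makes above (not code from the thread, Walter's post, or any D project), here is a constructed D module that applies the "add @safe: at the top, mark whatever fails @trusted" recipe. The names sumUnchecked, sumChecked and copyInto are assumptions chosen for the example. The first function is the dangerous kind of @trusted: its interface lets any @safe caller trigger an out-of-bounds read, so it should have stayed @system. The last one shows @trusted used as it is meant to be, confined to a leaf whose interface cannot be misused.

```d
// Constructed example for the discussion above; not from the thread.
// Builds with dmd. Shows why blanket @trusted defeats the guarantee.
@safe:

// "Kind 3": a @trusted function that must be @system. The caller supplies
// the length, so the compiler's trust is misplaced: from @safe code you can
// read past the end of any buffer with no diagnostic at all.
// TODO(migration): this needs to be @system, or take a slice instead.
@trusted int sumUnchecked(const(int)* p, size_t n)
{
    int s = 0;
    foreach (i; 0 .. n)
        s += p[i];          // pointer indexing is @system; @trusted hides it
    return s;
}

// "Kind 1": a @trusted function that should simply be @safe. Slices are
// bounds-checked, so there is nothing here the compiler cannot verify.
// TODO(migration): drop @trusted, this compiles as @safe unchanged.
@trusted int sumChecked(const(int)[] a)
{
    int s = 0;
    foreach (x; a)
        s += x;
    return s;
}

// "Kind 2": a leaf that genuinely needs @trusted. The unsafe operation
// (pointer copy) is confined, the precondition is checked inside the
// function, and the slice interface cannot be used to escape bounds.
@trusted void copyInto(int[] dst, const(int)[] src)
{
    assert(src.length <= dst.length, "destination too small");
    dst.ptr[0 .. src.length] = src[];   // raw pointer use stays in here
}

void main()
{
    int[4] buf = [1, 2, 3, 4];

    // Compiles and is accepted by the @safe checker because the callee is
    // @trusted. It reads 8 ints from a 4-int array: undefined behaviour
    // reachable from @safe code, which is exactly the "safewashing" risk.
    auto bad = sumUnchecked(&buf[0], 8);

    // The honest versions cannot be pushed out of bounds by the caller.
    auto good = sumChecked(buf[]);      // 10
    int[4] dst;
    copyInto(dst[], buf[]);
    assert(dst == buf);
}
```

If you compile with `-preview=dip1000` the @safe/@trusted boundary also governs escaping of `&buf[0]`, but the point stands either way: the @trusted annotation is a promise the compiler cannot check, and marking every failing function @trusted turns that promise into a lie the rest of the program relies on.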



More information about the Digitalmars-d mailing list