D not considered memory safe
Quirin Schroll
qs.il.paperinik at gmail.com
Fri Jul 19 14:57:17 UTC 2024
On Saturday, 6 July 2024 at 23:39:54 UTC, Sebastian Nibisz wrote:
> On Saturday, 6 July 2024 at 23:10:02 UTC, Walter Bright wrote:
>> On 7/6/2024 4:07 AM, Sebastian Nibisz wrote:
>>> Seriously? Any language is safe in this case, you just need
>>> to write safe code.
>>
>> Enabling the checks is quite different from writing code with
>> no bugs in it.
>
> But you have to remember to enable it. Inexperienced programmer
> usually won't do this and will build unsafe code unconsciously.
This is the single best reason to enable `@safe` by default.
Writing correct `@system` code is as hard as writing `@trusted`
code, and both require the programmer to know the language very,
very well. You shouldn’t mark a function `@system` or `@trusted`
unless you understand exactly why that’s the right thing.
---
The only big issue with `@safe` by default is higher-order
functions. Because `@safe` makes no guarantees (unlike `pure` or
`nothrow`), requiring a callback delegate to be `@safe` makes no
sense generally. (In contrast, requiring a `pure` or `nothrow`
callback can make sense in special circumstances.) Practically, if
your higher-order function can be called with a `@safe` callback,
it can be called with a `@system` callback. The problem is that
the language does not understand this.
This means, in general, higher-order functions must be overloaded:
```d
void hof(void delegate() @system callback) @system =>
    hof(cast(void delegate() @safe)callback);
void hof(void delegate() @safe callback) @safe
{
    callback();
}
```
For application code, it might be fine if a callback is
needlessly required to be `@safe` if the application is `@safe`
code anyway. Libraries can’t make such assumptions on usage,
though.
Top-level `@safe:` does not influence callback types. In [a DIP
Idea](https://forum.dlang.org/thread/rtccewhszjtldwowuhsx@forum.dlang.org), I proposed `default @safe module` declarations, so that for any declaration lexically in the module, `@safe` is applied by default instead of `@system`.
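A complete program exercising the overload trick above, added here as an illustration and not part of the post; the names `safeCaller` and `systemCaller` are mine, and the top-level `@safe:` is included to show that it covers the functions but not the delegate types in their parameter lists.

```d
// Added example (not from the post): two overloads of a higher-order
// function so that both @safe and @system callers can pass a callback.
import std.stdio;

@safe:  // applies to the declarations below, NOT to delegate types in signatures

// The overload a @safe caller needs: its parameter type is
// `void delegate() @safe`, so a @system delegate cannot be passed here.
void hof(void delegate() @safe callback)
{
    callback();
}

// The overload for @system callers. It is itself @system, so the caller
// already bears responsibility for the callback; it forwards via the cast
// shown in the post. (Explicit @system overrides the top-level @safe:.)
void hof(void delegate() @system callback) @system
{
    hof(cast(void delegate() @safe) callback);
}

void safeCaller()            // @safe via the top-level attribute
{
    int counter = 0;
    hof(() { ++counter; });  // literal is inferred @safe; exact match wins
    assert(counter == 1);
}

void systemCaller() @system
{
    int* p = new int;
    hof(() @system { *p = 42; });  // only the @system overload matches
    assert(*p == 42);
}

void main() @system
{
    safeCaller();
    systemCaller();
    writeln("both overloads resolved");
}
```

Removing the `@system` overload makes `systemCaller` fail to compile, which is the situation a library cannot impose on its users.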