Transition to @safe by default

Walter Bright newshound2 at digitalmars.com
Tue Aug 6 00:54:32 UTC 2024


On 7/30/2024 1:09 PM, Timon Gehr wrote:
> What is a characterization of those unattributed functions that are the root 
> cause for any lack of memory safety in unattributed functions? Is it just 
> `extern(C)` function prototypes? If so, that seems a bit weird.

Function prototypes can only be taken at face value. If they are unattributed, 
they would be accepted as callable from @safe code. Or we could simply say that 
prototypes would have to be explicitly attributed in order to be callable from 
@safe code.


> - calling a single `@system` function in an unattributed one would disable other 
> safety checks in that unattributed function as it would then infer `@system`.

Not necessarily. But it would still require the caller to mark the function 
@trusted or @system.


> - there is still no way to enable safety checks in `@trusted` functions.

One can always switch it temporarily to @safe, fix any errors, then put it back.

But in general, trusted code should be a very small part of a program.
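The attribute rules the reply touches on (prototypes taken at face value, a @system call forcing the caller to be @trusted or @system, and the trick of temporarily turning a @trusted function into @safe to get the checks), shown with today's D behaviour. This is an added example, not code from the post or from the D compiler; every function name in it is invented:

```d
// Added example, not from the mailing-list post. All function names are invented.
import std.stdio : writeln;

// 1. A prototype has no body, so its attributes can only be taken at face value.
//    Today an unattributed prototype is @system; the thread asks what it should
//    mean once functions are @safe by default. Walter's alternative: require an
//    explicit attribute before a prototype is callable from @safe code.
extern(C) int cfunc(int* p);                 // unattributed prototype: @system today
extern(C) int cfuncChecked(int* p) @trusted; // explicitly attributed, callable from @safe
// (neither prototype is called here, so no C definition is needed to link)

// 2. A @system function: no safety checks, not callable from @safe code.
@system int readSecond(int* p)
{
    return p[1];    // pointer indexing: rejected in @safe, accepted in @system
}

// Attribute inference applies to templates (and auto/nested functions).
// One call to a @system function makes the whole template infer @system...
int viaTemplate(T)(T* p)
{
    return readSecond(p);    // inferred @system because readSecond is @system
}

// ...so a @safe caller cannot use it; whoever calls readSecond must be marked
// @trusted or @system, as the reply says.
@trusted int readSecondTrusted(int* p)
{
    return readSecond(p);
}

// 3. A @trusted body is never checked. To get the checks, change @trusted to
//    @safe on this line for a moment: the compiler then reports the pointer
//    indexing below. Fix it (e.g. take an int[] and return a[1]), switch back.
@trusted int unchecked(int* p)
{
    return p[1];
}

@safe void safeCaller(int* p)
{
    // readSecond(p);   // error: @safe function cannot call @system function
    // viaTemplate(p);  // error: inferred @system
    // cfunc(p);        // error: unattributed prototype is @system today
    writeln(readSecondTrusted(p)); // ok: @trusted
    writeln(unchecked(p));         // ok: @trusted
}

void main()  // unattributed, so @system today: may take the address of a local
{
    int[2] a = [10, 20];
    safeCaller(&a[0]);
    writeln(viaTemplate(&a[0]));   // fine from @system code
}
```

Compile with `dmd` (or `ldc2`) and run; the program prints 20 three times. Uncommenting any of the three calls in safeCaller, or changing the `@trusted` on `unchecked` to `@safe`, turns the corresponding comment into a compiler error, which is the checking behaviour the reply describes.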

