Transition to @safe by default

Walter Bright newshound2 at digitalmars.com
Mon Jul 29 16:40:52 UTC 2024 

As discussed in this thread:

https://www.digitalmars.com/d/archives/digitalmars/D/D_not_considered_memory_safe_374866.html

There are significant problems with making D default to being @safe, with 
respect to transitioning existing code to it. The problems are large enough that 
I fear it will deter people from putting in the work to make the transition.

The problems are:

1. Programs with cycles in the flow graph. The cycles mean any function in that 
cycle cannot be made @safe until all the functions in the cycle are @safe. My 
experience with transitioning large programs is that transitioning must be done 
incrementally, function by function, testing for no breakage after each change. 
Trying to do it all at once does not work, and never will work.

2. The difficulties in making functions @safe are:

  a. C strings

  b. unions that lay pointers over other values

  c. calling other functions that are not @safe/@trusted

  d. few functions are marked @safe/@trusted/@system

  e. safety inference is not done for most functions for various reasons

  f. safety inference can be problematic for cycles in the function flow graph

3. I proposed marking the unmarked functions @trusted, which will enable @safe 
to be done on a function-by-function basis. Timon objects on the basis of this 
will be lying about the functions having a safe interface, and the programmer is 
unlikely to complete fixing all of those functions.

I don't have an easy solution for 2.a and 2.b. But the rest boil down to a safe 
function not being able to call a system function. How can we ameliorate this 
problem?

The following is based on an idea that was proposed in that thread.

Function safety is actually in 4 states:

1. unattributed
2. @safe
3. @trusted
4. @system

So I propose "safe by default" to mean, for unattributed functions:

1. do all safety checks *except* checking for calling unattributed functions.

2. calling @system functions in unattributed functions will be flagged

3. calling unattributed functions will not affect attribute inference

----
This will not make the code safe by default. But it will make code a lot safer 
by default, and will provide a transition path. Code passing this will be a lot 
easier to transition to full safety.

More information about the dip.ideas mailing list