Transition to @safe by default
Walter Bright
newshound2 at digitalmars.com
Mon Jul 29 16:40:52 UTC 2024
As discussed in this thread:
https://www.digitalmars.com/d/archives/digitalmars/D/D_not_considered_memory_safe_374866.html
There are significant problems with making D default to being @safe, with
respect to transitioning existing code to it. The problems are large enough that
I fear it will deter people from putting in the work to make the transition.
The problems are:
1. Programs with cycles in the flow graph. The cycles mean any function in that
cycle cannot be made @safe until all the functions in the cycle are @safe. My
experience with transitioning large programs is that transitioning must be done
incrementally, function by function, testing for no breakage after each change.
Trying to do it all at once does not work, and never will work.
2. The difficulties in making functions @safe are:
a. C strings
b. unions that lay pointers over other values
c. calling other functions that are not @safe/@trusted
d. few functions are marked @safe/@trusted/@system
e. safety inference is not done for most functions for various reasons
f. safety inference can be problematic for cycles in the function flow graph
3. I proposed marking the unmarked functions @trusted, which will enable @safe
to be done on a function-by-function basis. Timon objects on the basis of this
will be lying about the functions having a safe interface, and the programmer is
unlikely to complete fixing all of those functions.
I don't have an easy solution for 2.a and 2.b. But the rest boil down to a safe
function not being able to call a system function. How can we ameliorate this
problem?
The following is based on an idea that was proposed in that thread.
Function safety is actually in 4 states:
1. unattributed
2. @safe
3. @trusted
4. @system
So I propose "safe by default" to mean, for unattributed functions:
1. do all safety checks *except* checking for calling unattributed functions.
2. calling @system functions in unattributed functions will be flagged
3. calling unattributed functions will not affect attribute inference
----
This will not make the code safe by default. But it will make code a lot safer
by default, and will provide a transition path. Code passing this will be a lot
easier to transition to full safety.
More information about the dip.ideas
mailing list