Transition to @safe by default

Dukc ajieskola at gmail.com
Mon Jul 29 17:10:50 UTC 2024


Walter Bright wrote on 29.7.2024 at 19.40:
> So I propose "safe by default" to mean, for unattributed functions:
> 
> 1. do all safety checks *except* checking for calling unattributed 
> functions.
> 
> 2. calling @system functions in unattributed functions will be flagged
> 
> 3. calling unattributed functions will not affect attribute inference
> 
> ----
> This will not make the code safe by default. But it will make code a lot 
> safer by default, and will provide a transition path. Code passing this 
> will be a lot easier to transition to full safety.

This will mean there will be two levels of safety: unattributed and 
`@safe`. The only way they differ from each other is that you can't call 
unattributed functions from `@safe`.

Is the idea that unattributed would mean "probably safe but needs deeper 
scrutiny", like how you're using `@trusted` in DMD? Like, occasional 
safewashing would be okay for unattributed functions, or leaving unsafe 
C functions unmarked, but not so much for `@safe` or `@trusted`?

That's an interesting idea actually. Maybe it's the way to go!

I'm slightly worried it might lock us into an almost-but-not-quite safe 
future, when people don't finish their job and mark external functions 
as `@system` when needed. But not as worried as I am about the 
possibility D will stay mostly `@system` if we don't do this.
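As an added illustration, not code from the thread, here is how the three quoted rules would classify a few calls in D; the verdicts in the comments are what the proposal describes, not what any released compiler does today. The function names are made up for the example.

```d
// Added illustration of the proposed "safe by default" rules for
// unattributed functions. The verdicts in the comments follow the
// proposal quoted above, not the behaviour of a released compiler.
import core.stdc.stdlib : free;

@system void sysFree(void* p) { free(p); }   // explicitly @system
@safe   void safeWork()       { }            // explicitly @safe
void    unattributedLeaf()    { }            // no attribute at all

// Unattributed: gets the @safe checks, with one exception (rule 1).
void unattributedCaller()
{
    void* p = cast(void*) 0x1000;  // integral-to-pointer cast: rejected, as in @safe
    sysFree(p);                    // @system callee: flagged (rule 2)
    unattributedLeaf();            // unattributed callee: permitted (rule 1 exception)
    safeWork();                    // @safe callee: always fine
}

// Attribute inference (template functions): rule 3 says the
// unattributed call below does not make the template infer @system.
void inferred()() { unattributedLeaf(); }

@safe void fullySafe()
{
    inferred();           // OK: inference ignores the unattributed call (rule 3)
    unattributedLeaf();   // still an error: @safe may not call unattributed functions
}
```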

