Transition to @safe by default
Dukc
ajieskola at gmail.com
Mon Jul 29 17:10:50 UTC 2024
Walter Bright wrote on 29.7.2024 at 19.40:
> So I propose "safe by default" to mean, for unattributed functions:
>
> 1. do all safety checks *except* checking for calling unattributed
> functions.
>
> 2. calling @system functions in unattributed functions will be flagged
>
> 3. calling unattributed functions will not affect attribute inference
>
> ----
> This will not make the code safe by default. But it will make code a lot
> safer by default, and will provide a transition path. Code passing this
> will be a lot easier to transition to full safety.
This will mean there will be two levels of safety: unattributed and
`@safe`. The only way they differ from each other is that you can't call
unattributed functions from `@safe`.
Is the idea that unattributed would mean "probably safe but needs deeper
scrutiny", like how you're using `@trusted` in DMD? Like, occasional
safewashing would be okay for unattributed functions, or leaving unsafe
C functions unmarked, but not so much for `@safe` or `@trusted`?
That's an interesting idea actually. Maybe it's the way to go!
I'm slightly worried it might lock us into an almost-but-not-quite-safe
future, when people don't finish their job and mark external functions
as `@system` when needed. But not as worried as I am about the
possibility that D will stay mostly `@system` if we don't do this.
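The following D example is added here to illustrate the discussion; it is not code from the thread or from DMD. The "today" comments describe what the compiler currently does with these attributes; the "proposed" comments are one reading of the three rules quoted above and describe no existing implementation. The only external assumption is that the C library's `strlen` is available to link against.

```d
// Added illustration, not code from the thread. "today" = current dmd
// behaviour; "proposed" = one reading of Walter's three rules, not an
// implementation. Assumes libc strlen links.

// An unmarked C binding. Today it defaults to @system. Proposed: it is
// merely "unattributed", so an unattributed caller may use it unflagged
// (the "leaving unsafe C functions unmarked" case in the post).
extern (C) size_t strlen(const(char)* s);

// Explicitly marked @system: unchecked pointer arithmetic.
@system int at(int* p, size_t i)
{
    return *(p + i);
}

// Unattributed. Today: @system by default, nothing in the body is checked.
// Proposed: rule 1 runs the safety checks, so the pointer arithmetic is
// flagged; rule 2 flags the call to the @system function `at`.
int unattributedUnsafe(int* p)
{
    int* q = p + 1;        // proposed: flagged by rule 1
    return at(q, 0);       // proposed: flagged by rule 2
}

// Unattributed, written so that it would pass the proposed checks.
int twice(int x)
{
    return x * 2;
}

// Unattributed caller of an unattributed function and of an unmarked C
// binding. Proposed: neither call is flagged (rule 1's exception), which
// is exactly the "safewashing" gap raised in the reply.
size_t unattributedCaller(const(char)* s)
{
    return twice(1) + strlen(s);
}

// Attribute-inferred template. Today: inferred @system, because `twice` is
// @system by default. Proposed: rule 3 says a call to an unattributed
// function does not affect inference, so this would infer @safe.
auto inferred(T)(T x)
{
    return twice(x);
}

@safe int safeFn(int x)
{
    // return twice(x); // today and proposed: error, @safe cannot call
    //                  // a non-@safe (here: unattributed) function
    return x + 1;
}

// @trusted: the body is unchecked; the author vouches for the bounds check.
@trusted int trustedAt(int[] a, size_t i)
{
    assert(i < a.length);
    return at(a.ptr, i);
}

// Today `inferred!int` is @system, so a @safe context cannot call it.
static assert(!__traits(compiles, () @safe { cast(void) inferred(1); }));

void main()
{
    int[3] arr = [10, 20, 30];
    assert(unattributedUnsafe(arr.ptr) == 20);
    assert(unattributedCaller("abc") == 5);
    assert(trustedAt(arr[], 2) == 30);
    assert(safeFn(1) == 2);
}
```

The `static assert` documents the current inference result; under rule 3 it would start failing, which makes it a handy probe for whether a given compiler implements the proposal.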