Transition to @safe by default

Richard (Rikki) Andrew Cattermole richard at cattermole.co.nz
Mon Jul 29 18:23:37 UTC 2024


https://gist.github.com/rikkimax/37cc5db5f381a9adc1dde6a9bbcad46d

# Safer By Default

| Field           | Value                                                           |
|-----------------|-----------------------------------------------------------------|
| DIP:            | (number/id -- assigned by DIP Manager)                          |
| Author:         | Richard (Rikki) Andrew Cattermole <firstname at lastname.co.nz> |
| Implementation: | (links to implementation PR if any)                             |
| Status:         | Draft                                                           |

## Abstract

This proposal makes D more easily ``@safe`` by changing the default 
safety level and introducing a new diagnostic logging level.

## Contents
* [Rationale](#rationale)
* [Prior Work](#prior-work)
* [Description](#description)
* [Breaking Changes and Deprecations](#breaking-changes-and-deprecations)
* [Reference](#reference)
* [Copyright & License](#copyright--license)
* [Reviews](#reviews)

## Rationale

Memory safety is becoming increasingly important to the programming 
field: with the significant adoption rate of the Rust language, 
governmental organizations are becoming less tolerant of failures in 
things that are verifiable at compile time. Furthermore, this provides a 
transition path towards safety that does not force it on those who do 
not wish to transition.

## Prior Work

There have been many newsgroup posts about this, along with a DIP to 
change the default.

TODO: link something

## Description

To increase the memory safety of D, ``@safe`` must be the default for 
all new code.

### Language

This is a two-pronged approach. The first prong is to introduce a new 
safety level, which has until now been the unnamed default.

```diff
AtAttribute:
+	@ unknownsafety
```

The attribute ``@unknownsafety`` may not be applied to a function with a 
body, but it may be placed on a function pointer.

If a function or a function pointer has not been marked with a safety 
attribute, it is inferred to be ``@unknownsafety``.

An ``@unknownsafety`` function:
- Must not call an ``@system`` function.
- Can call other ``@unknownsafety`` functions.
- Will be checked against the ``@safe`` checks.

If a ``@unknownsafety`` function passes all ``@safe`` checks, then it 
will be upgraded to ``@safe``.

### Compiler

The second prong takes place in the compiler.
A new command line switch is added, ``-ms``.
This memory safety switch allows setting the diagnostic log level, and 
the module(s) it applies to, for all memory safety check messages.

Example:
- ``-msoff dmd.*``
- ``-mswarn std.*``
- ``-msinfo *``

The default level is info.

All memory safety errors that currently work by ``@safe`` would be 
converted to this diagnostic level.
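
The following is an added illustration of how the rules in the Language and Compiler sections above would play out on ordinary D code. It is not code from the gist, and it assumes the proposal's semantics: ``@unknownsafety`` does not exist in any current compiler, so the snippet will not build with today's dmd. The function and alias names are made up for the example, and the comments describe what the proposal says the compiler would do at each point.

```d
// Added example of the proposed @unknownsafety rules. Assumes the DIP's
// semantics; it does not compile with current dmd, which has no such
// attribute. All names below are constructed for illustration.
module unknownsafety_example;

// Explicitly @system: allowed to do things @safe code cannot, such as
// pointer arithmetic.
@system int* bumpPointer(int* p)
{
    return p + 1;
}

// No safety attribute, so under the proposal it is inferred to be
// @unknownsafety and checked against the @safe rules. Everything here
// passes those checks, so the function is upgraded to @safe.
int sum(const int[] xs)
{
    int total = 0;
    foreach (x; xs)
        total += x;
    return total;
}

// Inferred @unknownsafety. The proposal says such a function must not
// call an @system function; the message is a memory safety diagnostic,
// so it is reported at the level configured with -ms for this module
// (info by default in newer editions, off in the current D2 edition).
int* next(int* p)
{
    return bumpPointer(p); // diagnostic: @unknownsafety calls @system
}

// Inferred @unknownsafety. Returning the address of a local is one of
// the errors @safe currently rejects; under the proposal it becomes a
// memory safety diagnostic at the -ms level and the function is NOT
// upgraded to @safe because it failed a check.
int* escape()
{
    int local = 42;
    return &local; // diagnostic: escapes a reference to a local
}

// @unknownsafety may be written on a function pointer type, but not on
// a function that has a body.
alias Callback = int function(int) @unknownsafety;

// An @unknownsafety function may call other @unknownsafety functions,
// including through an @unknownsafety function pointer.
int callThrough(Callback cb, int v)
{
    return cb(v);
}

// Explicitly @safe code may call sum(), since sum() passed every @safe
// check and was upgraded; calling next() or escape() here would be a
// normal @safe violation, exactly as it is today.
@safe int useSum()
{
    return sum([1, 2, 3]);
}
```

With the switches proposed above, a build of this module might be run with something like ``dmd -msinfo unknownsafety_example`` to see the two diagnostics as informational messages, or ``-msoff unknownsafety_example`` to silence them while migrating; these invocations are illustrative uses of the proposed switch, not something a released compiler accepts.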

## Breaking Changes and Deprecations

In the current D2 edition, the default level will need to be off to 
prevent code breakage.
For newer editions it will be info.

## Reference
Optional links to reference material such as existing discussions, 
research papers
or any other supplementary materials.

## Copyright & License
Copyright (c) 2024 by the D Language Foundation

Licensed under [Creative Commons Zero 
1.0](https://creativecommons.org/publicdomain/zero/1.0/legalcode.txt)

## History

