Transition to @safe by default

Timon Gehr timon.gehr at gmx.ch
Tue Jul 30 20:09:00 UTC 2024


On 7/29/24 18:40, Walter Bright wrote:
> 
> So I propose "safe by default" to mean, for unattributed functions:
> ...
Thanks for looking into this kind of thing!

> 1. do all safety checks *except* checking for calling unattributed 
> functions.
> 
> 2. calling @system functions in unattributed functions will be flagged
> 
> 3. calling unattributed functions will not affect attribute inference
> 
> ----
> This will not make the code safe by default. But it will make code a lot 
> safer by default,

What is a characterization of those unattributed functions that are the 
root cause for any lack of memory safety in unattributed functions? Is 
it just `extern(C)` function prototypes? If so, that seems a bit weird.

> and will provide a transition path. Code passing this 
> will be a lot easier to transition to full safety.
I think this is getting somewhere, but probably needs something more to 
become really practical. Some issues I see:

- calling a single `@system` function in an unattributed one would 
disable other safety checks in that unattributed function as it would 
then infer `@system`. It seems this would likely also lead to cases 
where safety checks are enabled in one part of an inferred-`@system` 
function, but not another part.

- there is still no way to enable safety checks in `@trusted` functions.
