@safe by default

Timon Gehr timon.gehr at gmx.ch
Sat Jun 1 21:06:05 UTC 2024


On 5/30/24 20:35, Atila Neves wrote:
> https://github.com/atilaneves/DIPs/blob/safe-by-default/safe-by-default.md
> 
> Destroy!

- I think even more important than the default is the ability to change 
the default (e.g. `default(@safe):`). This does not exist currently, but 
it would be required for easy migration.

- There is not really any value in being able to write `@safe 
extern(C)/extern(C++)` prototypes. It's wrong and any linter would need 
to have a warning for it. I would just require an explicit `@system` or 
`@trusted` annotation. Note that for `extern(C)/extern(C++)` prototypes, 
`@safe` and `@trusted` have _the same semantics and interpretation_, but 
only one of them looks adequately dangerous and is easy to grep.

- The DIP should clarify whether annotations like `@safe:` apply to 
prototypes or whether prototypes always need an individual annotation.

- N.B.: OpenD has been experimenting with changing the default safety 
level behavior to be a distinct category from the other three. (It 
enables checks on pointer arithmetic, but is not transitive and does not 
include DIP1000 checks.) It does not guarantee memory safety but can 
catch bugs.
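An added illustration of the second point above (example D code written for this page, not from Timon's post or from the DIP). The C functions are hypothetical and only declared, never defined; `raw_fill` is assumed to write `n` bytes starting at `p`. The example shows that `@safe` on a foreign prototype is accepted by the compiler yet verifies nothing, that `@trusted` carries the identical meaning but is visible to a grep or a linter, and that `@system` is the only annotation that forces callers through an audited wrapper.

```d
// Added example for this discussion, not code from the post or the DIP.
// The extern(C) functions below are hypothetical and have no body here;
// `raw_fill` is assumed to write `n` bytes of `value` starting at `p`.

// Case 1: `@safe` on an extern(C) prototype. This compiles today, but the
// compiler never sees a body, so nothing is checked: it is an unverified
// promise that reads as if it were verified.
extern(C) @safe void raw_fill(void* p, size_t n, ubyte value);

// Case 2: `@trusted` makes exactly the same unverified promise, but the
// word itself says "a human vouched for this", and `grep -rn '@trusted'`
// lists every such place for review.
extern(C) @trusted void raw_fill_trusted(void* p, size_t n, ubyte value);

// Case 3: `@system` is the honest state for a foreign prototype. `@safe`
// callers cannot touch it directly and must go through a wrapper whose
// `@trusted` is narrow enough to be audited.
extern(C) @system void raw_fill_system(void* p, size_t n, ubyte value);

// The audited boundary: the wrapper takes a slice, so the length handed to
// C is the one D already tracks and the pointer/length pair cannot drift.
@trusted void fill(ubyte[] buf, ubyte value)
{
    if (buf.length == 0)
        return;                       // never pass a dangling pointer for an empty slice
    raw_fill_system(&buf[0], buf.length, value);
}

@safe void user()
{
    ubyte[] buf = new ubyte[16];     // GC slice, so &buf[0] is allowed in @safe code

    // Accepted without a diagnostic because the prototype says `@safe`;
    // the compiler has no way to relate `n` to the real buffer length, so a
    // wrong length here would be accepted just as silently.
    raw_fill(&buf[0], buf.length, 0xAA);

    // Same acceptance, but the annotation at the declaration is greppable.
    raw_fill_trusted(&buf[0], buf.length, 0xAA);

    // Rejected by the compiler:
    //   Error: `@safe` function `user` cannot call `@system` function `raw_fill_system`
    // raw_fill_system(&buf[0], buf.length, 0xAA);

    fill(buf, 0xAA);                 // the only sanctioned path for @safe code
}
```

With `@system` as the required annotation for `extern(C)`/`extern(C++)` prototypes, the set of places that need a human reviewer is exactly the set of `@trusted` declarations and wrappers, which is what makes the "easy to grep" property useful in practice.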
