@safe by default

Timon Gehr timon.gehr at gmx.ch
Fri Jun 7 14:25:50 UTC 2024


On 6/7/24 02:58, Atila Neves wrote:
> On Thursday, 6 June 2024 at 17:01:05 UTC, Timon Gehr wrote:
>> On 6/3/24 17:55, Atila Neves wrote:
>>>> - There is not really any value in being able to write `@safe 
>>>> extern(C)/extern(C++)` prototypes. It's wrong and any linter would 
>>>> need to have a warning for it. I would just require an explicit 
>>>> `@system` or `@trusted` annotation. Note that for 
>>>> `extern(C)/extern(C++)` prototypes, `@safe` and `@trusted` have _the 
>>>> same semantics and interpretation_, but only one of them looks 
>>>> adequately dangerous and is easy to grep.
>>>
>>> I get this, but the issue is that those functions might actually be 
>>> written in D.
>>
>> Why is this an issue?
> 
> The compiler would have access to the body and so would verify its 
> @safe-ness.

A function prototype does not have a body and the actual body may be in 
another compilation unit. For `extern(D)` the mangled name gives some 
assurances, but not for `extern(C)` and `extern(C++)`.

I guess maybe an additional alternative name can be given to `@safe` 
`extern(C)` functions, but I doubt that linker errors are a great UX for 
safety checks.


More information about the dip.ideas mailing list