
digitalmars.D.bugs - [Issue 13838] New: @safe by default

https://issues.dlang.org/show_bug.cgi?id=13838

          Issue ID: 13838
           Summary: @safe by default
           Product: D
           Version: D2
          Hardware: x86
                OS: Windows
            Status: NEW
          Severity: enhancement
          Priority: P1
         Component: DMD
          Assignee: nobody@puremagic.com
          Reporter: bearophile_hugs@eml.cc

Languages like Rust show us how important memory safety is today, and the
planned DIP69 works for @safe code; this means that now in D it becomes more
important to use @safe functions in most cases.

There are still some cases where you can't use @safe even if they should be
safe, some of them are shown here, but Phobos/druntime is getting better, and
they will decrease:


void main() @safe {
    import std.stdio, std.algorithm, std.bigint, std.typecons, std.array;
    [1, 2].sort!("a < b", SwapStrategy.stable);
    auto r = [1, 2].sort().release;
    writeln;
    BigInt a;
    a = a + a;
    alias Foo = Tuple!int;
    Foo[] data;
    data.remove!(x => x == Foo());
    int[] b;
    auto c = b.capacity;
    b.schwartzSort!(x => x);
    const r2 = cartesianProduct([1], [1]).array;
    [Typedef!int(1)].array;
}


So perhaps it's a good idea to have  safe functions by default. This is how it
could be done:
Step 1) Introduce a "-safe" compiler switch that gives a warning where a
function unmarked with @system/@trusted calls a @system/@trusted function or
performs memory-unsafe operations. This will help D developers improve Phobos.
Step 2) The functions defined above generate a warning if the -wi/-w switches
are used (even if no -safe switch is used).
Step 3) The functions defined above generate a deprecation message (even if no
-safe switch is used). The compiler -safe switch is still allowed, but it's not
documented in the options help message of the compiler.
Step 4) The functions defined above give an error, and the -safe switch is
removed from the compiler (it's not recognized any more).

See also Issue 12941

--
Dec 08 2014
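The report proposes a compiler switch that does not exist; what D already offers is a module-level `@safe:` attribute, which makes every declaration that follows @safe unless it opts out. The program below is an added example (not code from the report, Phobos or DMD) of that "safe by default" layout with one @system routine and one @trusted wrapper; the function names `sumUnchecked`, `sum` and `average` are illustrative, and it assumes a current DMD, where `writeln` with plain arguments is @safe. The security-relevant point is the @trusted boundary: the wrapper, not the caller, is responsible for the memory-safety invariant of the @system code it hides, so it derives the length from the slice rather than trusting a caller-supplied count.

```d
// Added example: module-wide `@safe:` as a stand-in for "safe by default".
// Names sumUnchecked/sum/average are hypothetical, chosen for illustration.
module safe_by_default_demo;

import std.stdio : writeln;

@safe:   // every declaration below is @safe unless it says otherwise

// @system: raw pointer indexing is legal here but rejected in @safe code.
// The caller must guarantee that p points to at least n ints.
@system int sumUnchecked(const(int)* p, size_t n)
{
    int total = 0;
    foreach (i; 0 .. n)
        total += p[i];      // no bounds check
    return total;
}

// @trusted: the compiler does not check this body, so the programmer must
// make it memory-safe for every possible caller. Taking a slice and passing
// its own .ptr/.length means no caller can hand the @system routine a
// mismatched (pointer, length) pair.
@trusted int sum(const(int)[] data)
{
    return sumUnchecked(data.ptr, data.length);
}

// Plain @safe code: may call only @safe/@trusted functions, and the compiler
// rejects pointer arithmetic, unchecked pointer casts and similar operations.
int average(const(int)[] data)
{
    if (data.length == 0)
        return 0;
    return sum(data) / cast(int) data.length;
}

void main()
{
    int[] values = [4, 8, 15, 16, 23, 42];
    writeln("sum = ", sum(values));
    writeln("avg = ", average(values));

    // Each of these lines fails to compile because main is @safe; this is the
    // class of error the report wants surfaced first as warnings, then as
    // deprecations, and finally as errors for functions lacking @system:
    // int* p = &values[0];
    // p += 1;                                   // pointer arithmetic in @safe
    // writeln(sumUnchecked(values.ptr, 100));   // @safe calling @system
}
```

Build with `dmd safe_by_default_demo.d` and run the binary; uncommenting any of the last three lines reproduces the @safe rejection. Keep @trusted functions as small as `sum` here: an audit of a codebase's memory safety reduces to reading exactly those bodies.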