Safe by default v2 #228
Safe by default v2 #228
Conversation
|
Please add your name and contact info to the author field. You can remove Walter's. |
DIPs/DIP1044.md
Outdated
|
|
||
| Interfaces to extern C and C++ functions should always be explicitly marked. | ||
|
|
||
| Any unmarked `extern` C and C++ functions will remain `@system`. |
There was a problem hiding this comment.
Does this includes both body and bodiless extern functions?
|
|
||
| ## Breaking Changes and Deprecations | ||
|
|
||
| This will likely break most code that has not already been annotated with `@safe`, |
DIPs/DIP1044.md
Outdated
|
|
||
| Interfaces to extern C and C++ functions should always be explicitly marked. | ||
|
|
||
| Any unmarked `extern` C and C++ functions will remain `@system`. |
There was a problem hiding this comment.
The problem with this is that a lot of those functions are actually D code.
|
The DIP does not (explicitly) talk about function pointer and delegate types, especially when those types are used as a function parameter or function return type. void delegate() getCallback();equivalent to? void delegate() @safe getCallback() @safe;or void delegate() @system getCallback() @safe;or some third option I could not think of? With this DIP, which of the following two is the function declaration void register(void delegate() callback);equivalent to? void register(void delegate() @safe callback) @safe;or void register(void delegate() @system callback) @safe;or some third option I could not think of? |
DIPs/DIP1044.md
Outdated
| @@ -76,9 +76,7 @@ it will no longer link because the mangling will be different. But for `extern ( | |||
| safety is not part of the mangling and it will compile and link without error. This has always | |||
| relied on the user getting it correct. | |||
|
|
|||
| Interfaces to extern C and C++ functions should always be explicitly marked. | |||
There was a problem hiding this comment.
I was going to write such a DIP myself; I was waiting for -preview=dip1000 to become the default. I think that any and all declarations with no body should have explicit @safe/@trusted/@system attributes and that even considering linkage is a mistake.
There was a problem hiding this comment.
How is that considered a mistake?
You are interfacing with a language that has no notion of any safety guarantees. Ignoring differences between languages and the interfaces between them is a mistake.
There was a problem hiding this comment.
Because extern(C) does not mean "this is C code", it means "C linkage" and could very well be @safe D code.
There was a problem hiding this comment.
The problem is, a @safe extern(C) function that is not defined in-place is not verified by the compiler – and @safe means that the compiler checked it (up to calls to @trusted). I’m no expert on this, but as far as I understand it’s about mangling. Attributes are not part of the signature of extern(C) functions. extern(C) void f() @safe; could be defined elsewhere as extern(C) void f() @system { … }. I think D needs some solution to this; Maybe I’m naïve, but it could be as easy as generating mock symbols that actually include attributes that lead to linker errors when the attributes don’t match.
At least until 2.096.0, this worked:
import a;
extern(C) void f() @safe;
void main() @safe { f(); }module a;
extern(C) void f() @system { int* p; int a; p = &a; }If you change extern(C) to extern(D), you get the link error.
There was a problem hiding this comment.
Because
extern(C)does not mean "this is C code", it means "C linkage" and could very well be@safeD code.
If it's @safe D code then they can just import it. It doesn't matter if it's C code, or linkage, it is still going by C's rules. Just cause safe D code can have C linkage doesn't mean it should expose a C linkage of safe.
There was a problem hiding this comment.
They can indeed just import it, but it'll be extern(C) all the same. I don't know what "going by C's rules" means.
If it's D code with C linkage and it's @safe, well, it's @safe.
There was a problem hiding this comment.
Importing does not safeguard you from calling a @safe annotated extern(C) declared function (e.g. from a .di file) whose definition (implementation in a .d file) is annotated @system. That’s because the annotation is not visible for the linker.
I guess the easiest way would be to allow extern(C) @safe function declarations only if they’re also definitions. The proper way would be for D to do something that safeguards you at least in simple and obvious cases.
|
I think a more pragmatic step would be to opt in to |
|
I need a name and contact info in the Author field, please. Walter's name goes second if you're reusing content from his original DIP. |
|
@ntrel, in which regard would |
I'm pretty sure that |
It does! Unlike |
|
@Bolpat |
|
@ntrel, I used templates and attributes a lot, but never stumbled on this; wow. Probably because I consider |
|
@skyline131313 I've emailed you recently about moving this into review. Please get back to me when you're ready to move forward. |
|
This will need to show benefit over inference of safety (which it currently does not). |
No description provided.