Field | Value |
---|---|
DIP: | 1028 |
Review Count: | 0 |
Author: | Walter Bright walter@digitalmars.com |
Implementation: | |
Status: | Community Review Round 1 |
Currently, D functions default to being @system. This DIP proposes changing the default to @safe.
- Rationale
- Prior Work
- Description
- Breaking Changes and Deprecations
- Reference
- Copyright & License
- Reviews
When D was first developed, there was little interest in the extra safety checks introduced by @safe. But as the costs of unsafe code have become ever more apparent and expensive, and @safe has grown more capable, the balance has shifted. Users expect safety to be opt-out, not opt-in.
- Other languages such as Rust and C# have safety as opt-out, rather than opt-in.
- A previous draft proposal: @safe-by-default First Draft
Functions such as template functions, nested functions, and lambdas that are not annotated currently have their @safe / @system attribute inferred. This behavior will not change.
Any other unannotated function will now be assumed to be @safe rather than @system.
Because this is expected to break a lot of existing code, it will be enabled with the compiler switch:
-preview=safedefault
There are no grammar changes.
This will likely break most code that has not already been annotated with @safe, @trusted, or @system. Fortunately, the solution is easy, although tedious: annotate functions that aren't safe with @trusted or @system.
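The annotation work described above, as an added example that is not part of the DIP text: a function that relies on today's @system default, the two ways to annotate it, and a template whose attributes stay inferred. The names sumRaw, sum and twice are hypothetical.

```d
// Added illustration; sumRaw, sum and twice are hypothetical names.

// Written without an attribute, this non-template function is @system today.
// Under the DIP it would be assumed @safe, where pointer arithmetic is
// rejected, so it needs an explicit annotation.
// Option 1: mark it @system. @safe code can then no longer call it directly.
@system int sumRaw(const(int)* p, size_t n)
{
    int total = 0;
    foreach (i; 0 .. n)
        total += *(p + i); // pointer arithmetic: not allowed in @safe code
    return total;
}

// Option 2: expose a @trusted wrapper with a memory-safe interface.
// The slice carries its own length, so no caller can make sumRaw read out
// of bounds. The compiler does not check this body; the author vouches for it.
@trusted int sum(const(int)[] values)
{
    return sumRaw(values.ptr, values.length);
}

// Template function: its attributes are inferred from the body, both today
// and under the DIP. This instantiation is inferred @safe.
T twice(T)(T x)
{
    return x + x;
}

@safe void main()
{
    int[] data = [1, 2, 3];
    assert(sum(data) == 6);   // @safe code may call @trusted code
    assert(twice(21) == 42);  // inferred @safe, callable from @safe code
    // sumRaw(&data[0], 3);   // error: @safe code cannot call a @system function
}
```

Every @trusted function is a spot the compiler does not verify, so a migration that marks functions @trusted only to silence errors leaves the same unchecked code in place; @system keeps it out of reach of @safe callers.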
Copyright (c) 2019 by the D Language Foundation
Licensed under Creative Commons Zero 1.0
The DIP Manager will supplement this section with a summary of each review stage of the DIP process beyond the Draft Review.