| Field | Value |
|---|---|
| DIP: | 1028 |
| Review Count: | 0 |
| Author: | Walter Bright walter@digitalmars.com |
| Implementation: | |
| Status: | Community Review Round 1 |
Currently, D functions default to being @system. This DIP proposes changing the default to @safe.
- Rationale
- Prior Work
- Description
- Breaking Changes and Deprecations
- Reference
- Copyright & License
- Reviews
When D was first developed, there was little interest in the extra safety checks
introduced by @safe. But as the costs of unsafe code have become ever more apparent
and expensive, and @safe has grown more capable, the balance has shifted. Users expect
safety to be opt-out, not opt-in.
- Other languages such as Rust and C# have safety as opt-out, rather than opt-in.
- A previous draft proposal: @safe-by-default First Draft
Functions such as template functions, nested functions, and lambdas that are not annotated
currently have their @safe / @system attribute inferred. This behavior will not change.
Any other unannotated function that will now be assumed to be @safe rather than @system.
Because this is expected to break a lot of existing code, it will be enabled with the compiler switch:
-preview=safedefault
There are no grammar changes.
This will likely break most code that has not already been annotated with @safe,
@trusted, or @system. Fortunately, the solution is easy, although tedious: annotate
functions that aren't safe with @trusted or @system.
Copyright (c) 2019 by the D Language Foundation
Licensed under Creative Commons Zero 1.0
The DIP Manager will supplement this section with a summary of each review stage of the DIP process beyond the Draft Review.