On 7/22/2024 7:14 AM, Quirin Schroll wrote:
> My bet is annotating things `@trusted` on a large basis is going to end up an eternal makeshift.

Perhaps. But it is still up to the user to edit their code to make it @safe, one way or another.

Mark the arguments to a template as @trusted if they are not safe, and the template will then be safe.

The real issue here is too much unsafe code. There isn't a way to fix that without rolling up one's sleeves and going after it hammer and tong.

On 7/20/2024 8:55 AM, Timon Gehr wrote:
> My proposal has been to check for bitfield layout best practices by default, to the point of maximum portability.
> Explicit `extern(C)` would be required to turn the checks off.
> 
> I.e., compatible layouts, but D would be more sane.

Ok, I understand that.

On 7/20/2024 9:10 AM, Timon Gehr wrote:
> You are marking functions as `pragma(local_safe)` one by one while you fix any errors that pop up. The code remains compilable for the entire time. Then once the entire cycle has been fixed, you can replace `pragma(local_safe)` by `@safe`.

How is that different from marking with @trusted?

On 7/22/24 18:47, Walter Bright wrote:
> Mark the arguments to a template as @trusted if they are not safe, and the template will then be safe.
> ...

No. It will be @safe, but possibly not memory safe. Again, this is pure safewashing. What is even the point of this exercise?

On 7/22/24 18:51, Walter Bright wrote:
> On 7/20/2024 9:10 AM, Timon Gehr wrote:
>> You are marking functions as `pragma(local_safe)` one by one while you fix any errors that pop up. The code remains compilable for the entire time. Then once the entire cycle has been fixed, you can replace `pragma(local_safe)` by `@safe`.
> 
> How is that different from marking with @trusted?
> 

It will not make the function callable from properly `@safe` code yet, it will just enable some checks. There could be another `pragma` (e.g., `pragma(local_safe, false)` to silence the checks for some portion of the function.

This way you can gradually enable checks without introducing safety lies into the type system. Once all the checks pass, memory safety has been established and you can mark the functions properly `@safe`.

Maybe `pragma(check_safe)` that checks the entire body, even function calls, would be more useful on its own, but we could easily have both.

Anyway, the point is there should be a way to have the compiler help you do this kind of safety scaffolding without you needing to lie to the compiler.

On Friday, 19 July 2024 at 18:19:38 UTC, Walter Bright wrote:
> On 7/13/2024 2:46 PM, Timon Gehr wrote:
>> Well, your suggestion was to put @trusted _everywhere_, not only on functions with a safe interface. As Dennis points out, it seems that is exactly what happened in some instances.
>
> That is correct.
>
>> Anyway, `@trusted` indicates that whoever put it there reviewed the implementation for memory safety. This makes this approach impractical.
>
> You could call it unwise, or a footgun, or introducing technical debt. But it is practical.
>
> If a surgeon wants to fix a man's heart, first he's going to make things worse by slicing him open like a side of beef.

They use keyhole surgery for a lot of heart ops these days, they fit new values by going in through a vein in your leg for example.


> If a mechanic wants to rebuilt an engine, first he has to dismantle a fair chunk of the car, making things worse.

I think you're making a false equivalence.

Your argument for doing it the way you have is that it's the most effective way of doing it, not that it's the only way to do it. If it were unavoidable there wouldn't even be a debate about it.