Disallow Unsafe Declarations

[skyline131313]

[mdparker]

Please add your real name and contact info to the author field.

[ntrel]

Forbidding trusted is both impractical and inconsistent (see the above comments). Forbidding safe is easy to justify, as that means mechanically checked. The DIP rationale might need to be very robust however as it seems from past forum discussions that Walter might oppose that. The DIP would need to address Walters specific criticisms. They can be found in the safe by default DIP forum discussions.

[mdparker]

I need your name and contact info, please. I don't understand why Walter's name is on it. Could you elaborate?

[anon17]

Here's how you can break extern functions:

extern(C) int getpid() @system
{
	//unsafe code here
}

[dukc]

I don't think there is any good reason to prevent annotating an external function @trusted. Consider a safe external function, like abs in the C standard library. Today, it can declared as extern(C) @trusted int abs(int);. With this proposal, this will break, and the declaration will have to be changed to

pragma(mangle, "abs") private extern(C) @system int abs_(int);
@trusted int abs(int arg){return abs_(arg);}

This, in addition to the breakage, is much more verbose and ugly. I don't see what this accomplishes.

Now, preventing @safe on external non-D declarations is a promising idea. Since an external C or C++ function will have to be manually verified for @safety just like a @trusted function, it would make sense that the declaration had to be @trusted.