On Sunday, 24 May 2020 at 16:44:01 UTC, Paul Backus wrote:
> On Sunday, 24 May 2020 at 03:28:25 UTC, Walter Bright wrote:
>> I'd like to emphasize:
>>
>> 1. It is not possible for the compiler to check any
>> declarations where the implementation is not available. Not in
>> D, not in any language. Declaring a declaration safe does not
>> make it safe.
>>
>> 2. If un-annotated declarations cause a compile time error, it
>> is highly likely the programmer will resort to "greenwashing"
>> - just slapping @safe on it. I've greenwashed code. Atila has.
>> Bruce Eckel has. We've all done it. Sometimes even for good
>> reasons.
>>
>> 3. Un-annotated declarations are easily detectable in a code
>> review.
>
> [...]
>
> If we were designing a new language from scratch, I would agree
> 100% with your reasoning.
>
> The problem is that there are un-annotated declarations in
> existing code that have already been reviewed, committed, and
> published under the assumption of @system-by-default. Those
> declarations need to be flagged for re-review in order to avoid
> introducing silent safety violations to existing D projects.

I share your concerns on this, but disagree on the likelihood of
reviews having gone by under the assumption of @system by
default. I doubt most people even thought about
@safe/@trusted/@system, and that's assuming anyone reviewed the
code in the first place.

A few years ago I submitted several PRs to Phobos to mark all
unittests that could with @safe explicitly. I'd say that was a
good example of nobody reviewing them for their @systemness.