On Wednesday, 28 October 2015 at 02:08:18 UTC, Sebastiaan Koppe
wrote:
On Tuesday, 27 October 2015 at 11:41:52 UTC, Andrei
Alexandrescu wrote:
The crux of the matter is modular typechecking. Consider the
following example:
// module widget.d
@safe class Widget {
void fun() {
g_widget = this;
}
}
static Widget g_widget;
// end of module widget.d
Now, once the typechecker OKs module widget.d, the summary
that all other typechecking "sees" is:
@safe class Widget {
void fun();
}
Isn't it a shame that that kind of information gets tossed
aside? Seems to be very valuable and the loss of it the cause
of several issues.
Perhaps, but that assignment is perfectly @safe. What isn't @safe
is when you then free the Widget later because a ref-count hit 0.
And that code already has to be @system or @trusted given what
it's doing. So, really, the problem is that some @safe operations
can lead to problems when @system code does stuff that assumes
that those operations did not occur. So, unfortunately, whether
that code can be @trusted depends on what some @safe code did
rather than @system code like you'd normally expect. But the
compiler simply doesn't understand enough about why something is
@system to be able to figure out where @safe code could foul it
up even if it has all of the source code to look at.
- Jonathan M Davis
