D @ safety and dip1000

original text
I want to know them @ Safety and dip1000 Of The goal is . Ensure the memory security of the whole program ?
Multiword variable How about the data competition in the update ?

@safe Yes , But it's not simple , because main Not the only possible entry point , And there @trusted.
D at present :
Shared data must be marked "shared".@safe The code can't access shared data ( Just use -preview=nosharedaccess Make sure ). If you want to deal with shared data , To write @system/@trusted The code does not itself Make sure Thread safety .
Be careful DIP1000 Will not make @safe More secure . It allows the former @system The code becomes @safe. If you have written this kind of code , be DIP1000 Very good . without ,DIP1000 It doesn't affect you .

as follows , no need -dip1000 or -ftransition=dip1000 Compiling , But it's not safe. :

int[] global;

@safe
void f0(int[] val) {
    
    global = val;
}

@safe
void f1() {
    
  int[3] local = [1, 2, 3];
  f0(local);
}

DIP 1000 Will refuse .

Yes , Myna quite a lot . If Myna Not through -preview=dip1000 Show it , Then it is more impossible to scold it . because DIP1000 Will eventually become Default , The problem will disappear .
vice versa :-preview=dip1000 Yes Loophole , Without a switch No, . But these are more likely Get fixed , Because someone really cares about finishing DIP1000.

d author : Even though @safe Does not provide complete memory security , but @live Make up for other parts .
Programmers can manually With a lock To avoid Multiword variable Data competition in .

pb:
Um. ? I understand that even if there is no @live, Modular compiler Errors and misuse @trusted,@safe The code should be 100% Memory safe .
add to ownership / To borrow What the system does ( or Should be done Of ), image DIP1000 equally , Can be found in @safe In the code , You need to work in @system/@trusted Things , such as Manual memory release .

Implemented today @safe The problem is pressing The blacklist To achieve it .

I said, " should " and " Module compiler error " yes with reason Of .
however , That is to use White list Realization , There is still a Should not go further White list error . for example , Several recent fixes -preview=dip1000 Of , It's for This type of error .

Yes , Misuse @trusted,@live Only in @ System /@ Security As Check Tools are a little useful .
@live Not done ownership / To loan What the system should do . I have pointed out , But most people still seem to assume that . I don't understand why . The proposed design has been public for a long time , It's obvious that @safe Almost useless in code , because @live That's it. Function Annotations .
@live comparison ownership / To loan , It's very superficial , Therefore, it is of little use .

To borrow / Check Systems and ownership There are two things . To borrow / The viewer Ensure once Only one variable access or Multiple invariants visit .
ownership And Manage memory yes relevant Yes, but Completely different The theme of .Rust in notorious Of ownership The system because Mobile semantics , Only... Are allowed at a time An ownership .
D Medium To borrow / The viewer , I haven't Fully understand What problems should it solve .

In my submission , stay @safe It is allowed that Original pointer It's a basic mistake . stay @safe In the code , Be similar to C#/Java/ other , Should be Completely opaque Of Manage memory . It's easier , and D It's complicated .

@live To write @[email protected] The code doesn't help .
In order to make @safe or @trusted Code dependency @live Of Ownership invariants ,( for example ,“ Non domain The pointer has Point to memory ”),@safe Code cannot violate These invariants . because @live The invariant of is only in @live Function to enforce , And allow @safe Code calls non @live function , The result is , allow @safe Code violation @live invariant , therefore @safe or @trusted Code cannot rely on These invariants .
To solve this problem , New rules must be introduced , for example :
1, all @safe The function must also be @live.
2,@safe Function cannot call Not @live function .
Of course , Adding such rules will actually destroy every existing D Every one of the projects @safe function , It is completely infeasible in practice , This is the current @live Design is the reason for the dead end .

No, @live, Can't prevent Release twice .
@live Only... Are allowed at a time One ownership , And with the Mobile semantics relation .

If you write @safe Code , Has received Protect . No more @live.