Skip to content

Commit b3fc0c3

Browse files
DougGregorDougGregor
committed
Clarify places where @unsafe isn't required on declarations
1 parent 6a42b44 commit b3fc0c3

File tree

1 file changed

+19
-0
lines changed

1 file changed

+19
-0
lines changed

proposals/nnnn-strict-memory-safety.md

Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -162,6 +162,25 @@ Module `B` uses the `DataWrapper` type. If compiled without strict safety checki
162162

163163
If module `C` enables strict memory safety, the use of `MyType` is considered safe (since it was not marked `@unsafe` and doesn't involve unsafe types in its interface). However, the access to `wrapper` will result in a diagnostic, because the type of `wrapper` involves an `@unsafe` type. This diagnostic will occur whether or not `wrapper` has been explicitly marked `@unsafe`.
164164

165+
There are a few exemptions to the rule that any unsafe constructs within the signature require the declaration to be `@unsafe`:
166+
167+
* Local variables involving unsafe types do not need to be marked with `@unsafe`. For example, the local variable `base` will have unsafe type `UnsafePointer?`, but does not require `@unsafe` because every *use* of this local variable will need to be marked using the `unsafe` expression described in the next section.
168+
169+
```swift
170+
func sum(array: [Int]) -> Int {
171+
array.withUnsafeBufferPointer { buffer in
172+
let base = /*unsafe*/ buffer.baseAddress
173+
// ...
174+
}
175+
}
176+
```
177+
178+
* Default arguments of functions are part of the implementation of a function, not its signature. For example, the following function does not have any unsafe types in its signature, so it does not require `@unsafe`, even though the default argument for `value` involves unsafe code. That unsafe code is effectively part of the body of the function, so it follows the rules for `unsafe` expressions.
179+
180+
```swift
181+
func hasDefault(value: Int = /*unsafe*/ getIntegerUnsafely()) { ... }
182+
```
183+
165184
### `unsafe` expression
166185

167186
When a declaration is marked `@unsafe`, it is free to use any other unsafe types as part of its interface. Any time there is executable code that makes use of unsafe constructs, that code must be within an `unsafe` expression or it will receive a diagnostic about uses of unsafe code. In the example from the previous section, `wrapper` can be marked as `@unsafe` to suppress diagnostics by explicitly propagating unsafety to their clients:

0 commit comments

Comments
 (0)