@@ -24,19 +24,52 @@ $(HEADERNAV_TOC)
2424
2525$(H2 $(LNAME2 usage, Usage))
2626
27- $(P Memory safety can be enabled on a per-function basis using
28- the $(DDSUBLINK spec/function, safe-functions, $(D @safe) attribute).
29- This can be inferred when the compiler has the function body
30- available. The $(DDSUBLINK spec/function, trusted-functions, `@trusted` attribute) can be used when a function has a safe
31- interface, but uses unsafe code internally. These functions can
32- be called from $(D @safe) code.
27+ $(P There are three categories of functions from the perspective of memory safety:)
28+ $(UL
29+ $(LI $(DDSUBLINK spec/function, safe-functions, `@safe`) functions)
30+ $(LI $(DDSUBLINK spec/function, trusted-functions, `@trusted`) functions)
31+ $(LI $(DDSUBLINK spec/function, system-functions, `@system`) functions)
3332 )
3433
34+ $(P `@system` functions may perform any operation legal from the perspective of the language including inherently
35+ memory unsafe operations like returning pointers to expired stackframes. These functions may not be called directly from
36+ `@safe` functions.)
37+
38+ $(P `@trusted` functions have all the capabilities of `@system` functions but may be called from
39+ `@safe` functions. For this reason they should be very limited in the scope of their use. Typical uses of
40+ `@trusted` functions include wrapping system calls that take buffer pointer and length arguments separately so that
41+ @safe` functions may call them with arrays.)
42+
43+ $(P `@safe` functions have a number of restrictions on what they may do and are intended to disallow operations that
44+ may cause memory corruption. See $(DDSUBLINK spec/function, safe-functions, `@safe` functions).)
45+
46+ $(P These attributes may be inferred when the compiler has the function body available, such as with templates.)
47+
3548 $(P Array bounds checks are necessary to enforce memory safety, so
36- these are enabled (by default) for $(D @safe) code even in $(B
37- -release) mode.
49+ these are enabled (by default) for `@safe` code even in $(B -release) mode.
3850 )
3951
52+ $(H3 $(LNAME2 scope-return-params, Scope and Return Parameters))
53+
54+ $(P The function parameter attributes `return` and `scope` are used to track what happens to low-level pointers
55+ passed to functions. Such pointers include: raw pointers, arrays, `this`, classes, `ref` parameters, delegate/lazy parameters,
56+ and aggregates containing a pointer.)
57+
58+ $(P $(D scope) ensures that no references to the pointed-to object are retained, in global variables or pointers passed to the
59+ function (and recursively to other functions called in the function), as a result of calling the function.
60+ Variables in the function body and parameter list that are `scope` may have their allocations elided as a result.)
61+
62+ $(P $(D return) indicates that either the return value of the function or the first parameter is a pointer derived from the
63+ `return` parameter or any other parameters also marked `return`.
64+ For constructors, `return` applies to the (implicitly returned) `this` reference.
65+ For void functions, `return` applies to the first parameter $(I iff) it is `ref`; this is to support UFCS,
66+ property setters and non-member functions (e.g. `put` used like `put(dest, source)`).)
67+
68+ $(P These attributes may appear after the formal parameter list, in which case they apply either to a method's `this` parameter, or to
69+ a free function's first parameter $(I iff) it is `ref`.
70+ `return` or `scope` is ignored when applied to a type that is not a low-level pointer.)
71+
72+
4073$(H2 $(LNAME2 limitations, Limitations))
4174
4275 $(P Memory safety does not imply that code is portable, uses only
0 commit comments