DIP 1028--Make @safe the Default--Formal Assessment

H. S. Teoh hsteoh at quickfur.ath.cx
Thu May 21 23:45:30 UTC 2020


On Thu, May 21, 2020 at 01:46:09PM -0700, Walter Bright via Digitalmars-d-announce wrote:
[...]
> I expected flak from this decision. I'm prepared to take the flak
> because this is the right decision. I did not make it lightly.

This makes it sound like you think that those who disagree with you
disagree with @safe by default.  That is not the case.  I think in
general, (almost?) everyone here agrees that safety by default is the
way to go.  We all agree that @safe by default ought to be in the
language, in one form or another. That's not the dispute here.

The dispute concerns the specific implementation of @safe by default as
set out in this DIP. Specifically, the weakening of the promise of @safe
by implicitly trusting extern(C) declarations to be @safe, which is
equivalent to programming by convention ("trust the programmer to
remember to write @system on extern(C) prototypes"). Which, ironically,
undermines the whole purpose of this DIP. (That is, unless I
misunderstood, and the whole purpose of this DIP is to undermine @safety
and thereby make it even more of a joke than it currently is right now.)


> Please keep in mind that I've made other unpopular decisions that have
> proven their worth over time. I hope you'll reserve judgement until we
> all see how this change plays out.
[...]

Oh, I'm waiting to see how this one plays out, you bet!  What will come of
trusting the programmer to do the right thing when it comes to
annotating extern(C) prototypes with @system?  Well, I'm sure it will
all work out well in the end, since, after all, it isn't as if we didn't
have ~50 years or so of experience with programming by convention,
y'know, esp. in C code (that we should implicitly trust when calling
from D, btw), which has led to beautiful security holes and exploits
caused by memory corruption and other such wonderful things.

Or, since you like airplane analogies, there's absolutely nothing wrong
with designing your cockpit controls such that the default behaviour,
when the pilot does not indicate otherwise, is to nose-dive into the
ground.  After all, if he didn't mean to do that, he should've
remembered to override the default behaviour explicitly, right? That's
what he was trained to do, anyway.  And besides, it's easier to
implement the controls this way, since doing otherwise would add
excessive complication to the design.


T

-- 
The early bird gets the worm. Moral: ewww...
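The annotation issue the post argues about, as an added illustration that is not code from the post, from the DIP, or from the D project: an extern(C) function explicitly marked @system, plus a single @trusted wrapper that converts a bounds-checked slice into the pointer/length pair the C side expects, so @safe code can only reach the raw call through that one audited function. The names are hypothetical, the "C" function is written in D so the example links without a C toolchain, and the claim about how an unannotated prototype would be treated is the post's description of the DIP, not something this code verifies.

```d
// Added example (not from the post or the DIP).
module safe_extern_example;

// Stand-in for a C library function, written in D with C linkage so this
// compiles and links without a C toolchain. It is marked @system
// explicitly: it takes a raw pointer and length and trusts the caller
// to have checked the bounds, which is exactly what @safe must not
// assume.
extern(C) @system void c_fill_buffer(ubyte* buf, size_t len)
{
    foreach (i; 0 .. len)
        buf[i] = cast(ubyte) i;   // pointer indexing: disallowed in @safe
}

// The case the post is worried about: a bodiless prototype with no
// attribute. Under the DIP as the post describes it, the compiler would
// treat this declaration as @safe unless someone remembers to write
// @system on it. Kept as a comment here because nothing defines it.
// extern(C) void c_other_function(ubyte* buf, size_t len);

// Narrow @trusted wrapper: the only place that turns a slice into a
// pointer/length pair for the C side. The slice carries its own length,
// so the bounds handed to C cannot disagree with the allocation. This is
// the function reviewers audit, instead of every call site.
@trusted void fillBuffer(ubyte[] buf)
{
    c_fill_buffer(buf.ptr, buf.length);
}

// @safe caller: may use the wrapper, may not call the @system function
// directly. Uncommenting the marked line is a compile-time error.
@safe ubyte[] makeFilled(size_t n)
{
    auto data = new ubyte[n];
    fillBuffer(data);
    // c_fill_buffer(data.ptr, 1000);   // error: @system call in @safe code
    return data;
}

@safe void main()
{
    auto data = makeFilled(8);
    assert(data.length == 8);
    assert(data[7] == 7);
}
```

The point of the pattern is that the explicit @system on the C-linkage declaration is what forces callers through the wrapper; if the declaration were silently treated as @safe, the wrapper would be optional and the length check would depend on convention at each call site.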

