DIP1028 - Rationale for accepting as is
bachmeier
no at spam.net
Fri May 22 13:58:14 UTC 2020
On Friday, 22 May 2020 at 03:36:03 UTC, Paul Backus wrote:
> Someone has created bindings for a C library and published them on
> code.dlang.org. Because they were written prior to DIP 1028, the author
> assumed that @system was the default, and didn't bother to add explicit
> annotations to @system functions. Their code looks like this:
>
> --- clibrary.d
>
> void monkey_around(...); // assumed @system-by-default
>
> ---
>
> Months or years later, I decide to write a D program that makes use of
> these bindings. By then, @safe-by-default has been fully implemented. I
> add `clibrary` as a dependency to my Dub project and write the following
> code:
>
> --- app.d
>
> import clibrary;
>
> void main() // @safe-by-default
> {
>     /* ... code ... */
>
>     monkey_around(...);
>
>     /* ... more code ... */
> }
>
> ---
>
> My program compiles with no errors...and then corrupts memory at
> run-time, even though every line of code I've written is @safe. Oops.
>
> This is the nightmare scenario that people are worried about: safety
> violations being introduced *silently* into existing, correct D code.

Honest question: What is the use case for an
absolutely-positively-has-to-be-safe program that calls C code? Why
would anyone ever do that? C is not and will never be a safe language.
"Someone looked at that blob of horrendous C code and thinks it's safe"
does not inspire confidence. Why not rewrite the code in D (or Rust or
Haskell or whatever) if safety is that critical?
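As an added illustration of the mitigation on the binding side (example code written for this page, not code from the thread or from any package on code.dlang.org): a hypothetical `clibrary` module marks its `extern(C)` declaration `@system` explicitly, so the declaration keeps that attribute whichever default the compiler applies, and an `@safe` caller is rejected at compile time instead of silently linking to unchecked C. Callers go through a narrow `@trusted` wrapper where the binding author checks the argument contract. The function `monkey_around`, its `int` signature, the wrapper name and the 0..100 range check are all assumed for the example; both files are shown in one block with `// ---` markers.

```d
// --- clibrary.d  (hypothetical binding, example code)
module clibrary;

// Explicit @system: the attribute no longer depends on the module's
// default, so this stays uncallable from @safe code before and after
// DIP 1028. The C signature (int -> int) is assumed for this example.
extern(C) @system int monkey_around(int x);

// The one audited crossing point into C. @trusted means the binding
// author, not the caller, vouches for the contract, so keep the body
// minimal and validate inputs here. The 0..100 range is an assumed
// precondition of the hypothetical C function.
@trusted int monkeyAroundChecked(int x)
{
    if (x < 0 || x > 100)
        throw new Exception("monkey_around: argument out of range");
    return monkey_around(x);
}

// --- app.d
import clibrary;

@safe void main()
{
    // A direct call is rejected at compile time, because an @safe
    // function cannot call an @system function:
    //   monkey_around(1);
    // The wrapper is the supported path for @safe callers:
    int result = monkeyAroundChecked(1);
}
```

To check the type system's verdict without linking a C library, compile only: `dmd -c app.d clibrary.d` succeeds as written and fails with an @safe/@system error if the commented-out direct call is restored.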