DIP1028 - Rationale for accepting as is

ag0aep6g anonymous at example.com
Fri May 22 19:16:26 UTC 2020 

On 22.05.20 20:24, Atila Neves wrote:
> On Friday, 22 May 2020 at 18:11:28 UTC, ag0aep6g wrote:
>> So the DIP itself wasn't good enough to convince you.
> 
> Had that been the case, I would have rejected it.

You said the DIP as written felt "icky". And only after a chat with 
Walter did that feeling go away. You're saying you would have accepted a 
DIP that feels icky? DIPs are supposed to be convincing, not barely 
tolerable.

> memcpy isn't a good example since it's explicitly @system:
> 
> https://dlang.org/phobos/core_stdc_string.html#.memcpy

core.stdc.string.memcpy is a specific binding to C's memcpy. Any other 
declaration of it will be implicitly @safe.

"But why would anyone declare `memcpy` themselves, when they can just 
import the one from `core`?" I hear you ask. And I answer:

1) Shouldn't matter, if we're talking about a principled safety system. 
But I realize that the leadership isn't interested in that anymore.

2) I have quickly typed out C declarations before, because it was more 
convenient than looking up where it is exactly in the standard library. 
And we're all about catering to convenience now, aren't we?

> Yes. But most of them aren't like memcpy. Most D code calls other D 
> code, not C.

Most D code isn't behind an `extern (C)` prototype. Virtually no one is 
(strongly) against making D functions @safe by default.

> Am I saying nothing bad can happen if we implicitly trust extern(C) 
> declarations? No. I'm saying we'll be no worse off if they're all 
> implicitly @system.

"No worse off" should not be good enough for a DIP.

> This compiles with no warnings right *now*:
> 
> void main() {
>      import core.stdc.stdlib: free;
>      free(cast(void*) 42);
>      free(new int);
>      free(&main);
> }

And this doesn't compile right now, but it will with DIP 1028:

----
extern (C) void free(void*);
void main() @safe {
      free(cast(void*) 42);
      free(new int);
      free(&main);
}
----

Yes, yes, I know. That's soo much less common in the real world. But 
before the great @safe schism that is happening right now, @safe wasn't 
about catching more bugs than not on average. It was about being "100% 
mechanically checkable" (Walter's words).

I for one liked it better when it had that aspiration. And I was 
contributing towards that goal (latest PR was merged just yesterday, 
coincidentally [1]). I have no interest in a version of @safe that is 
deliberately fuzzy, where I have to defend safety fixes against 
convenience arguments.


[1] https://github.com/dlang/dlang.org/pull/2773

More information about the Digitalmars-d-announce mailing list