DIP1028 - Rationale for accepting as is
Bruce Carneal
bcarneal at gmail.com
Sun May 24 06:26:56 UTC 2020
On Sunday, 24 May 2020 at 03:28:25 UTC, Walter Bright wrote:
> I'd like to emphasize:
>
> 1. It is not possible for the compiler to check any
> declarations where the implementation is not available. Not in
> D, not in any language. Declaring a declaration safe does not
> make it safe.
Agree completely. Not in dispute that I've seen. In the same
vein, defaulting a declaration to @safe doesn't make it safe.
For the ultra paranoid, even the name mangling in D libraries is
not to be trusted because "the implementation is not available".
>
> 2. If un-annotated declarations cause a compile time error, it
> is highly likely the programmer will resort to "greenwashing" -
> just slapping @safe on it. I've greenwashed code. Atila has.
> Bruce Eckel has. We've all done it. Sometimes even for good
> reasons.
I don't believe that you or any other competent programmer
greenwashes safety critical code. Regardless, the safety
conscious must review their dependencies whatever default applies.
>
> 3. Un-annotated declarations are easily detectable in a code
> review.
Automating this for the transitive closure of defaulted @safe
functions would help. Maybe that capability is there already and
I missed it?
> [snip]
> It is, in a not-at-all obvious way, safer for C declarations to
> default to being safe.
I agree that it is not-at-all obvious.
On a positive note, the DIP discussion/clarification should
encourage the safety conscious to rebase code to a machine
checkable form whenever feasible.
More information about the Digitalmars-d-announce
mailing list