DIP1028 - Rationale for accepting as is

Arine arine1283798123 at gmail.com
Sun May 24 14:12:02 UTC 2020 

On Sunday, 24 May 2020 at 03:28:25 UTC, Walter Bright wrote:
> I'd like to emphasize:
>
> 1. It is not possible for the compiler to check any 
> declarations where the implementation is not available. Not in 
> D, not in any language. Declaring a declaration safe does not 
> make it safe.

That's why Rust has gotten rid of declarations all together, 
except for C, which are implicitly marked unsafe, and they cannot 
be marked "safe" (there is no such feature).

> 2. If un-annotated declarations cause a compile time error, it 
> is highly likely the programmer will resort to "greenwashing" - 
> just slapping @safe on it. I've greenwashed code. Atila has. 
> Bruce Eckel has. We've all done it. Sometimes even for good 
> reasons.

Having extern(C) be @safe by default doesn't stop greenwashing. 
As others have pointed out, you are doing the greenwashing for 
the programmer. That's not better.

> 3. Un-annotated declarations are easily detectable in a code 
> review.

Declarations annotated with @trusted are even easier to detect. 
And arguably declarations that aren't annotated aren't that easy 
to detect.

> 4. Greenwashing is not easily detectable in a code review.
>
> 5. Greenwashing doesn't fix anything. The code is not safer. 
> It's an illusion, not a guarantee.
>
> 6. If someone cares to annotate declarations, it means he has 
> at least thought about it, because he doesn't need to. Hence 
> it's more likely to be correct than when greenwashed.
>
> 7. D should *not* make it worthwhile for people to greenwash 
> code.
>
> It is, in a not-at-all obvious way, safer for C declarations to 
> default to being safe.

This whole situation just makes it more obvious to me, you 
shouldn't be able to mark extern(C) declarations as @safe or 
@trusted at all. If that truly is your fear, it should just not 
be possible to mark them as @safe/@trusted.

8. D should make incorrect code *more* difficult, not easier. Or 
are you conveniently ignoring this ideology?

Code is going to break no matter what. That's the cost you are 
going to pay for making @safe default. You can't fix that. The 
difference is what the aftermath will look like.

More information about the Digitalmars-d-announce mailing list