DIP1028 - Rationale for accepting as is

Atila Neves atila.neves at gmail.com
Mon May 25 16:29:24 UTC 2020


On Sunday, 24 May 2020 at 16:44:01 UTC, Paul Backus wrote:
> On Sunday, 24 May 2020 at 03:28:25 UTC, Walter Bright wrote:
>> I'd like to emphasize:
>>
>> 1. It is not possible for the compiler to check any 
>> declarations where the implementation is not available. Not in 
>> D, not in any language. Declaring a declaration safe does not 
>> make it safe.
>>
>> 2. If un-annotated declarations cause a compile time error, it 
>> is highly likely the programmer will resort to "greenwashing" 
>> - just slapping @safe on it. I've greenwashed code. Atila has. 
>> Bruce Eckel has. We've all done it. Sometimes even for good 
>> reasons.
>>
>> 3. Un-annotated declarations are easily detectable in a code 
>> review.
>>
>> [...]
>
> If we were designing a new language from scratch, I would agree 
> 100% with your reasoning.
>
> The problem is that there are un-annotated declarations in 
> existing code that have already been reviewed, committed, and 
> published under the assumption of @system-by-default. Those 
> declarations need to be flagged for re-review in order to avoid 
> introducing silent safety violations to existing D projects.

I share your concerns on this, but disagree on the likelihood of 
reviews having gone by under the assumption of @system by 
default. I doubt most people even thought about 
@safe/@trusted/@system, and that's assuming anyone reviewed the 
code in the first place.

A few years ago I submitted several PRs to Phobos to mark all 
unittests that could with @safe explicitly. I'd say that was a 
good example of nobody reviewing them for their @systemness.



