DIP1028 - Rationale for accepting as is

Johannes Loher johannes.loher at fg4f.de
Tue May 26 02:04:02 UTC 2020 

On Tuesday, 26 May 2020 at 01:16:49 UTC, Walter Bright wrote:
> On 5/24/2020 5:56 PM, Timon Gehr wrote:
>> It's only greenwashing if it's misleading. Putting @safe is a 
>> lie, putting @trusted is honest.
>
> It is not honest unless the programmer actually carefully 
> examined the interface and the documentation to determine if it 
> is a safe interface or not. For example, labeling memcpy() with 
> @trusted is not honest.
>
> Forcing people to add uncheckable annotations is a path to 
> convenience, not honesty.

This has already been repeated over and over again but I'll do it 
once more:

If people cannot check the code (or get enough confidence in 
another way), they really shouldn’t annotate it with @trusted but 
with @system instead. If they annotate it with @trusted anyways, 
it is their own fault. And at least in that case they are lying 
and not the compiler. Also if something bad actually happens, 
they can at least search for „high risk areas“ (@trusted 
declarations).

Just consider the following situation:

A (maybe inexperienced) programmer needs to call an existing C 
function from D code. Because no bindings exist yet, he creates 
them himself. He does not add any annotations regarding safety. 
Now he uses this function in @safe code and he uses it in a way 
that actually creates a memory corruption (the function is not  
safe, but the developer does not know about that).

Now let's compare the two different options:

1. With DIP1028 in its current form, the code will compile and a 
memory corruption will actually happen. The problem might be 
extremely difficult to track down for the developer because he 
has no clues whatsoever where to start looking.

2. With one of the solutions that were presented, the code will 
not compile as it is. According to your argument of 
„convenience“, the developer will probably just mark the function 
incorrectly as @trusted which makes the code compile. The memory 
corruption will happen. However, even if the developer did not 
think much about potential safety issues when adding @trusted to 
the function, he now still remembers that he did that (it was a 
conscious decision, even if it was a careless and lazy one). He 
has a clear point to start looking for the reason of the memory 
corruption.

Do you honestly think option 1 is better?

More information about the Digitalmars-d-announce mailing list