Is @safe still a work-in-progress?
H. S. Teoh
hsteoh at quickfur.ath.cx
Fri Aug 17 14:26:07 UTC 2018
On Fri, Aug 17, 2018 at 01:50:32AM -0600, Jonathan M Davis via Digitalmars-d wrote:
[...]
> Honestly, the reality of the matter is that @safe is probably always
> going to be somewhat broken, because it's implemented via blacklisting
> rather than whitelisting. Instead of @safe only allowing stuff that's
> been proven to be @safe, it disallows stuff that a programmer decided
> was @system.
Sigh:
https://issues.dlang.org/show_bug.cgi?id=12941
This was reported 4 years ago, but was unfortunately closed as invalid.
It will continue to be a problem as long as @safe is implemented via
blacklisting, because every single time there's a new language feature,
there's a chance that a loophole is introduced into @safe. And that's
not counting the combinatorial explosion of existing language features
that might lead to @safe loopholes, that we simply haven't thought of
yet. It's like allowing anyone to enter your house freely except those
few people whom you've explicitly named. You can't possibly expect *not*
to get robbed that way.
> The bug you ran into is a pretty glaring one that arguably should have
> been fixed ages ago, but given how hard it is to prove what is and
> isn't @safe, there are bound to be corner cases which have been
> missed. As we find them, they'll be fixed, but who knows how many are
> left or whether we'll ever actually get them all.
[...]
And that is exactly why the whole implementation of @safe is currently
rather laughable. By blacklisting rather than whitelisting, we basically
open the door wide open to loopholes -- anything that we haven't thought
of yet could potentially be a @safe-breaking combination, and we
wouldn't know until somebody discovers and reports it.
Sadly, it seems there is little interest in reimplementing @safe to use
whitelisting instead of blacklisting.
T
--
A program should be written to model the concepts of the task it performs rather than the physical world or a process because this maximizes the potential for it to be applied to tasks that are conceptually similar and, more important, to tasks that have not yet been conceived. -- Michael B. Allen
More information about the Digitalmars-d
mailing list