DIP 1006 - Preliminary Review Round 1

Jonathan M Davis newsgroup.d at jmdavisprog.com
Wed Mar 7 14:23:53 UTC 2018


On Wednesday, March 07, 2018 14:08:35 Paolo Invernizzi via Digitalmars-d wrote:
> On Wednesday, 7 March 2018 at 13:55:11 UTC, Jonathan M Davis wrote:
> > On Wednesday, March 07, 2018 13:24:19 Paolo Invernizzi via Digitalmars-d wrote:
> >> [...]
> >
> > That would make assertions a lot worse to use, because then
> > they would be in production code slowing it down. Also, as it
> > stands, -release is not supposed to violate @safe. To do that,
> > you have to use -boundscheck=off to turn off bounds checking.
> > That was a very purposeful design decision, because we did not
> > want -release to violate @safe, and if the compiler is allowed
> > to add optimizations which are unsafe based on assertions, then
> > that completely destroys the ability to have @safe code with
> > -release. And if we were going to do that, why did we leave
> > array bounds checking on with -release?
> >
> > [...]
>
> Jonathan, I understand your point, but still I can't find an
> answer to clarify my doubts.
>
> Are we asking for no UB in @safe code?
> Are we asking for UB in @safe code but constrained to no memory
> corruptions?

@safe is all about guaranteeing memory safety. That's its entire job. No
more, no less. What happens with UB beyond that is irrelevant. If satisfying
the requirement that @safe code be memory safe means that UB cannot be
allowed in @safe code, then UB cannot be allowed in @safe code. If there is
some form of UB that is constrained enough that it's guaranteed that it
can't violate memory safety, then I don't see any reason why it can't be in
@safe code any more than it can't be in @system code, because it's not
violating the guarantees that @safe is intended to provide - that the code
is memory safe.

Other language rules may make UB illegal or explicitly allow it for one
reason or another (e.g. it's supposed to be guaranteed that function
arguments are evaluated left-to-right, though I'm not sure if that's ever
been implemented like it's supposed to be), but in the case of @safe, it's
all about what's memory safe. And what is or isn't allowed with regards to
UB in @safe therefore has to be a function of what is required to guarantee
that the code is memory safe.

- Jonathan M Davis
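The flag distinction discussed above (-release leaving @safe bounds checks in place, -boundscheck=off removing them) can be seen directly in a small D program. The following is an added example written for this page, not code from the thread or from the D project; the sample array and the function names `pick` and `pickUnchecked` are constructed for illustration. The compiler flags named in the comments are DMD's.

```d
// safe_release.d -- added example, not from the thread.
//
// Build variants (DMD) and what each one does to the checks below:
//   dmd safe_release.d
//       debug build: assertions on, bounds checks on everywhere
//   dmd -release safe_release.d
//       assertions off; bounds checks stay on in @safe code only
//       (equivalent to -boundscheck=safeonly)
//   dmd -release -boundscheck=off safe_release.d
//       bounds checks off everywhere: an out-of-range index in @safe
//       code is now undefined behaviour, i.e. @safe no longer holds
import std.stdio;

// @safe code: the compiler must keep this array access memory-safe.
@safe int pick(const int[] arr, size_t idx)
{
    // Still checked under -release because the function is @safe.
    // Only -boundscheck=off removes the check, and with it the guarantee.
    return arr[idx];
}

// @system code: -release alone is enough to drop this bounds check,
// so an out-of-range idx here is UB in any -release build.
@system int pickUnchecked(const int[] arr, size_t idx)
{
    return arr[idx];
}

void main()
{
    int[] data = [10, 20, 30];        // constructed sample input

    writeln(pick(data, 1));           // in range: 20 in every build
    writeln(pickUnchecked(data, 2));  // in range: 30 in every build

    // Out of range. In a debug build or a plain -release build this
    // raises RangeError and the program terminates rather than reading
    // past the array. With -boundscheck=off the read is undefined.
    try
        writeln(pick(data, 3));
    catch (Error e)
        writeln("out-of-bounds access in @safe code caught: ", e.msg);
}
```

Build the file with each of the three command lines in the header comment and compare the behaviour of the last call: the point of the thread is that the second build (plain -release) must still stop it, and only the third, which the programmer has to ask for explicitly, may not.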