Discussion Thread: DIP 1028--Make @safe the Default--Final Review
Mathias LANG
geod24 at gmail.com
Mon Apr 6 03:02:29 UTC 2020
On Monday, 6 April 2020 at 02:43:51 UTC, Walter Bright wrote:
> On 4/5/2020 12:22 PM, Timon Gehr wrote:
>> I really doubt that. It's a simple rule. The version that is
>> easiest to implement is you simply disallow extern(C)
>> functions without body to be marked @safe. It's a single `if`
>> statement in an appropriate place.
>
> Famous last words.
>
> Just look at the swamp of misery from "simple" C rules, such as
> their effect on C++ overloading. The quagmire got a lot worse
> when C++ added type inference. I attended a Scott Meyers talk
> that was a full hour long just on the weird special cases
> forced on C++ due to those simple rules. Companies pay Scott a
> boatload of cash for these lectures.
>
> I wouldn't be surprised if more than half of the bugs in
> bugzilla are the result of an unexpected interaction between
> simple exceptions to rules.
>
> I've been around this block a few thousand times. Remember, it
> ain't just the compiler. The users don't remember these
> exceptions. Every one of them makes the language harder to
> learn and master.

I fail to understand how you are not seeing it as a problem,
provided every single other person on this thread has. And
consensus isn't easily achieved in the D community (or any
community, for that matter), but it seems that here, even if
opinions on `@safe` & `@trusted` differ, everyone agrees that
having `extern` functions without D linkage `@safe` by default is a
bad idea. Surely the voice of all the long-standing D
contributors has to carry some weight?

Regardless, it doesn't have to be a rule. Just make it a compiler
error. E.g. `extern(C) void foo();` leads to: "Error: `extern(C)
void foo()` needs to be explicitly marked as `@system` or
`@trusted`".

If you don't want this error message, then let it be `@system`,
and the compiler will complain with "Error: `@safe` function
`...` cannot call system function `...`" and hopefully that'd be
clear enough.

You're right that `extern` relies on the user declaring things
correctly to work. However, having the extern declaration
potentially mis-attributed by default is a sure way to shoot
oneself in the foot. By setting the default of `extern` (non-D
linkage) functions to `@system`, OR by requiring users to
explicitly mark the prototype one way or the other, at least the
user has to *actively* make the mistake.
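
The behaviour argued for above, as an added example that is not part of the original post: with bodiless `extern(C)` prototypes treated as `@system`, `@safe` code cannot call them directly, and the only route is a wrapper whose author writes `@trusted` by hand. The wrapper name `cLength` and the choice of `puts` and `strlen` are assumptions made for illustration.

```d
import std.string : toStringz;

// Prototypes without a body: the compiler sees only the signature and has
// no way to check the C implementation behind it.
extern(C) int puts(const(char)* s);                            // unannotated, so @system
extern(C) @system size_t strlen(const(char)* s) nothrow @nogc; // explicitly @system

// Hypothetical wrapper: by writing @trusted the author actively vouches
// that this particular call is memory safe.
size_t cLength(const(char)[] s) @trusted nothrow
{
    // toStringz supplies the NUL terminator that strlen relies on.
    return strlen(s.toStringz);
}

void main() @safe
{
    // Neither prototype can be called from @safe code while they are @system.
    static assert(!__traits(compiles, () @safe { return strlen(null); }));
    static assert(!__traits(compiles, () @safe { return puts(null); }));

    // The audited wrapper is the only path from @safe code to the C function.
    assert(cLength("abc") == 3);
}
```

If the two prototypes were `@safe` without anyone having written that attribute, both `static assert` lines would fail and the direct calls would compile with no reviewable `@trusted` marker anywhere in the source.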