DIP 1028---Make @safe the Default---Community Review Round 1
Mathias Lang
pro.mathias.lang at gmail.com
Fri Jan 3 06:31:40 UTC 2020
On Thursday, 2 January 2020 at 09:47:48 UTC, Mike Parker wrote:
> This is the feedback thread for the first round of Community
> Review for DIP 1028, "Make @safe the Default":
>
On paper, this sounds like a great idea. Make '@safe' the default
so people have to opt out of memory safety rather than opt-in.
However, we have extensive experience with those changes (and how
they are handled), and I am not, as it stands, in favor of it.
First, because '@safe', and attributes by extension, is currently
not a practical tool, and even not usable in some cases. It is
currently painful to mix differently-attributed code if you are
not going full template (e.g. classes, delegates). I've worked
for two companies using D, and none of them used @safe, and were
more on the low-level side of things.
In fact, @safe wouldn't even have prevented most of the bug we
had, as they were fibers stack overflow (I'm sure any fiber user
know what I'm talking about).
Second because those kind of changes have historically been badly
handled, as the impact is not fully assessed. For such a large
and impactful change, I would expect the proposer of the DIP to
assess the impact of this change on a few projects, in order to
provide a data point. Either go with major D projects, and/or
pull a sample for the dub registry, to gauge the hassle,
performance and readability degradation it can bring.
Yet DMD is not @safe. Neither is druntime. DUB, Vibe.d ? Neither.
And I've seen countless places where '@safe' is either forced on
the user (by forcing the user to provide '@safe' routines), or
just bypassed by means of '@trusted'. Just take a look at Vibe.d.
Side note, using this flag to compile Phobos would most likely
result in link failures, like it did with DIP1000.
Third, we start to have a few DIPs piling up in the -preview
section. DIP25, DIP1000, DIP1008. Some libraries use it, some
don't, and adding more features there will only balkanize the
language more. Let's not repeat the `std.experimental` experience
with the compiler, and actually finish what we started.
TL;DR: Disruptive change that requires every D user to put some
work to support it (possibly many months worth of work), yet no
evidence that a single large-scale project have been experimented
with while writing this DIP.
More information about the Digitalmars-d
mailing list