DIP 1028---Make @safe the Default---Community Review Round 1
Steven Schveighoffer
schveiguy at gmail.com
Fri Jan 3 22:13:28 UTC 2020
On 1/3/20 3:59 PM, Guillaume Piolat wrote:
> On Thursday, 2 January 2020 at 09:47:48 UTC, Mike Parker wrote:
>> This is the feedback thread for the first round of Community Review
>> for DIP 1028, "Make @safe the Default":
>>
>> https://github.com/dlang/DIPs/blob/1b705f8d4faa095d6d9e3a1b81d6cfa6d688554b/DIPs/DIP1028.md
>>
>>
>> All review-related feedback on and discussion of the DIP should occur
>> in this thread. The review period will end at 11:59 PM ET on January
>> 16, or when I make a post declaring it complete.
>>
>> At the end of Round 1, if further review is deemed necessary, the DIP
>> will be scheduled for another round of Community Review. Otherwise, it
>> will be queued for the Final Review and Formal Assessment.
>>
>> Anyone intending to post feedback in this thread is expected to be
>> familiar with the reviewer guidelines:
>>
>> https://github.com/dlang/DIPs/blob/master/docs/guidelines-reviewers.md
>>
>> *Please stay on topic!*
>>
>> Thanks in advance to all who participate.
>
> I'm still against:
> - it break everything for everyone, so we'll lose working packages on
> code.dlang.org who happen to have no maintainer but have worked for years
Can we auto-check this? It should be as easy as checking out each
package and doing dub build with an altered compiler, along with the
current one. If the current compiler builds but the altered one does
not, then you have found an issue to be reported/analyzed. Such use
cases would be instrumental for finding a reason NOT to do this DIP, or
alternatively, show how little breakage would be.
I tend to think that the breakages will be both minor and few.
> - it doesn't seem like Community input is wanted in any way, it's all
> "there is no choice"
There is no choice in that D must support safety. But I'm certain that
if there were a very compelling reason not to make it the default, this
would not be accepted. This IS the community feedback.
> - ...but doing it just move the default. It's not an enabler for "safe
> reference counting" or things like that, since it's just a default.
It's very much an enabler because people tend to write safe code all the
time without marking it. For example, I'm sure iopipe (with the
exception of the calls into c-libraries such as memchr and zlib) can be
marked safe. But I didn't, because I haven't bothered to worry about it.
But absolutely it should be @safe.
I'd probably have to adjust a few things, and then it will build. The
benefit is huge, because then someone doesn't have to choose between
memory safety and iopipe speed. If the compiler complained about this
when I was developing it, I'd fix the problems as they happened.
> - benefits are overstated since D has always had a lot less memory
> corruption than C++ (thanks to slices, GC, bounds-checks, and default
> initialization!). And C++ has less corruption than C thanks to
> encapsulation. CVE are often due to C which has the maximum number of
> corruptions.
The difference will be huge. I don't know if this can be overstated. I'd
say 99% of code written is ALREADY safe. But we are missing out on the
benefits of that because we don't bother marking (lazy idiots that we
are). Then you have an ecosystem that is safe-unfriendly, and it begets
more code that is safe unfriendly. Once any dependency didn't pay
attention to safe, you have to deal with it with @trusted at the higher
levels, and it's turtles all the way down. This is very similar to the
const problem.
Take for example, mysql-native. Nothing in there is really safe
friendly, yet. So if I want to use mysql, I have to make MY code
safe-unfriendly, or just insert trusted escapes for everything, hoping
that mysql-native is really actually safe (it pretty much is).
One step further, vibe.d now complains all over the place that your
handlers are not safe, especially for REST routes. If I want to use
mysql-native and vibe.d, everything either has to be trusted, or I have
to use some other library.
When the compiler complains about the 1% of your code that isn't
mechanically checkable as safe, you will spend the 1% of your time to
fix it, and move on. It will just feel like another syntax error "oh
yeah, I forgot a semicolon". I don't complain about semicolon
requirements, I just fix them and move on.
> If one's software is an attack vector, then people that care could use
> the @safe subset instead of making the life of every beginner worse.
How does this make beginner life worse? Does the beginner start off
doing pointer math, or using void *? The advantage here is that D
eschews such things for more safe features, so D code is usually safe
anyway!
void main()
{
import std.stdio;
writeln("Hello, world!");
}
will still work.
-Steve
More information about the Digitalmars-d
mailing list