DIP 1028---Make @safe the Default---Community Review Round 1

jxel jxel at gmall.com
Mon Jan 6 04:02:17 UTC 2020


On Monday, 6 January 2020 at 02:17:42 UTC, Walter Bright wrote:
> On 1/5/2020 12:13 PM, jxel wrote:
>> inserting @trusted gets it to compile, or they can spend 2-4 
>> hours restructuring code, they are going to use the option 
>> that doesn't waste their time.
>
> This misses the point. D provides plenty of escapes from 
> writing safe code. The point is not to stop all those escapes, 
> but to:
>
> 1. make it clear where those escapes are
>
> 2. make it auditable, i.e. the QA dept can grep for `@trusted` 
> and then decide whether to have a company standard about that 
> or not. In the absence of such, the code is not auditable.
>
> For example, in C:
>
>     void foo() { int* p; } // initialized to garbage
>
> This is not auditable. Whereas in D:
>
>     @system void foo() { int* p = void; } // initialized to 
> garbage
>
> *is* auditable and is intentional and requires extra effort, it 
> is not the default.

There seems to be a disconnect of Practicality vs. Ideology here. 
I had a similar argument with someone who disdained 
std::map<> for being implemented as an ordered map instead of as 
a hash map. That the basic map should be a hash map, as in the 
general case you don't need it to be sorted and you pay for the 
performance impact. That it's intuitive, and what people expect of 
the basic map type is for it to be implemented as a hash map. This isn't 
practical to do.

I agree with your ideology; it is sound. The price you have to 
pay for it, though, is too high in my opinion. If you don't think 
it is, no one can stop you.
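The auditability point in the quoted message (the `@trusted` escape is the line QA can grep for, while plain C gives nothing to grep) is easiest to see with the three attributes side by side. The following is an added illustration, not code from the thread or from the D standard library; the function names `rawFirst`, `firstOrZero` and `use` are made up for the example.

```d
// Added illustration (not from the thread): how @safe, @trusted and
// @system interact, and why @trusted is the greppable audit point.
import std.stdio;

// @system: the compiler performs no memory-safety checks in this body.
@system int* rawFirst(int[] a)
{
    return a.ptr;   // reading .ptr of a slice is only allowed in @system code
}

// @trusted: the author vouches that this body is safe to call from @safe
// code. This attribute is the escape that an auditor greps for.
@trusted int firstOrZero(int[] a)
{
    if (a.length == 0) return 0;   // the manual check that justifies @trusted
    return *rawFirst(a);
}

// @safe: may call @safe and @trusted functions, never @system ones,
// and may not perform unchecked pointer operations itself.
@safe int use(int[] a)
{
    // int* p = a.ptr;      // error: a.ptr cannot be used in @safe code
    // return *rawFirst(a); // error: @safe function cannot call @system function
    return firstOrZero(a);
}

void main()
{
    int[] empty;
    writeln(use([4, 5, 6]));  // 4
    writeln(use(empty));      // 0
}
```

With this layout, `grep -rn '@trusted' src/` lists exactly the places where a human, not the compiler, is responsible for memory safety, which is the property the quoted message calls auditable; the same search in the C version of the code finds nothing, because C has no such marker.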
