DIP 1028---Make @safe the Default---Community Review Round 1
Mathias Lang
pro.mathias.lang at gmail.com
Tue Jan 7 18:38:09 UTC 2020
On Friday, 3 January 2020 at 11:06:32 UTC, Walter Bright wrote:
>
> Modules can be labeled as @system by beginning them with:
>
> @system:
>
As mentioned countless times already, this has a widely different
effect.
>> First, because '@safe', and attributes by extension, is
>> currently not a practical tool, and even not usable in some
>> cases.
>
> Issues not in bugzilla do not get fixed. Please add issues that
> make it not practical or usable to bugzilla and mark them with
> the `safe` keyword.
https://issues.dlang.org/show_bug.cgi?id=17953
This affects object.Throwable.toString. I'm not asking for that
specific syntax, but we do need a way to say "delegate attributes
in, delegate attributes out".
>> It is currently painful to mix differently-attributed code if
>> you are not going full template (e.g. classes, delegates).
>> I've worked for two companies using D, and none of them used
>> @safe, and were more on the low-level side of things.
>
> It is true that using @safe successfully will often entail some
> level of refactoring to separate the safe code from unsafe
> code. It is perfectly fine if you choose to not use @safe.
Except that I do not control all the code I write. Some libraries
will use `@safe` everywhere, some won't. And mixing them becomes
a nightmare. For example, I'd be very happy to live without
`@safe`, but I use Vibe.d, which forces `@safe` on me because
some people wanted to be able to use `@safe` in the first place.
This is the kind of ecosystem split people keep talking about.
>> In fact, @safe wouldn't even have prevented most of the bug we
>> had,
>
> Most is not all, and the bugs it does uncover tend to be the
> ugly ones. I recently spent 3 days trying to track down a
> memory corruption bug in DMD. These are not happy hours for me.
> Detecting problems at compile time is infinitely cheaper.
In terms of cost/benefit ratio, it does not cross the mark for me.
I also recently spent 3 days debugging a memory corruption issue,
happening because of a stack overflow, something `@safe` can't
prevent. So here's another anecdotal evidence for your anecdotal
evidence.
> It's also the future. It's clear where languages are going.
> Unsafe languages are going on the ash heap of history. We can
> either get in front of this sea change, or get run over by it.
If I wanted to be using Rust, I would be using Rust.
> The simplest way to be compatible with the switch is to simply
> label things that don't compile as @system. Or just put
> @system: at the beginning.
>
> As for DMD, I intend to take advantage of this feature as soon
> as it is accepted. Keep in mind that DMD was originally a "C
> with Classes" program, with no notion of @safe (or const, pure,
> nothrow, or nogc).
And I invite you to try it already (you don't need it to be
merged to start fixing `@safe`ty issues) to see the effect. Note
that DMD is not a library and has almost no dependency, which
makes fixing issues much simpler.
>> Side note, using this flag to compile Phobos would most likely
>> result in link failures, like it did with DIP1000.
>
> We fixed the link failures with DIP1000.
Because `scope` is ignored for mangling. `@safe` cannot be
ignored, so the same solution cannot be used.
>> Third, we start to have a few DIPs piling up in the -preview
>> section. DIP25, DIP1000, DIP1008. Some libraries use it, some
>> don't, and adding more features there will only balkanize the
>> language more.
>
> All programming languages improve or die.
I don't disagree with improving the language, I disagree with the
way of doing it. If `@safe` was hassle-free we wouldn't be having
this conversation, but it's not, and making it the default just
switch the hassle to someone else.
> > actually finish what we started.
>
> All issues need to go into bugzilla. Issues not in bugzilla do
> not get fixed.
There's a trove of issues in bugzilla to pick from. But put in
simpler terms: Where is `@safe` reference counting ?
>> TL;DR: Disruptive change that requires every D user to put
>> some work to support it (possibly many months worth of work),
>> yet no evidence that a single large-scale project have been
>> experimented with while writing this DIP.
>
> Nobody will try it, either, unless and until it is actually put
> into the compiler.
And then, nobody will try it unless druntime / Phobos is compiled
with it. But then we're back to the point where it's not really
opt-in because of link failures. I'll add more of that on the PR
itself.
More information about the Digitalmars-d
mailing list