DIP 1028---Make @safe the Default---Community Review Round 1
Arine
arine123445128843 at gmail.com
Tue Jan 14 05:23:10 UTC 2020
On Monday, 13 January 2020 at 17:34:48 UTC, Joseph Rushton
Wakeling wrote:
> On Monday, 13 January 2020 at 17:13:36 UTC, Arine wrote:
>> Rust doesn't just provide safety. It also provides a lot more
>> other guarantees than just safety. It is low level and
>> achieves memory safety *without* a GC. It provides guarantees
>> for multi threading, that reduces data races and other
>> difficult to diagnose problems. This is a world where single
>> thread performance isn't getting significantly faster. But we
>> are now getting CPUs with 64 cores and 128 threads.
>
> Yes, indeed. That's kind of the point -- Rust has established
> a set of viable techniques for proving memory safety in a
> systems programming context. That in turn establishes that
> there is lot of scope for D to improve its memory-safety
> guarantees (in particular, being able to prove memory safety
> criteria in GC-free code).
That's the thing, D has a GC. If you are now trying to push
Rust-like features into @safe to allow @safe non-gc memory, you
are going to be adding restricting code that would otherwise not
have to be to be @safe with a GC. So the language becomes more
restrictive like Rust, all while losing the benefit of having a
GC and not needing to worry about those restrictions. The DIP
that tried to disable dynamic array resizing is proof of that.
>> You can't just look at one aspect for Rust, without looking at
>> every aspect. Java provides memory safety, but there's a
>> reason why people using Rust don't use Java.
>
> Genuine question, as I'm not a Java dev: does Java genuinely
> provide _provable_ memory safety? Or is it just that in
> practice things will be memory safe because of the GC, and it
> doesn't allow you access to features that escape that safety
> blanket?
Depends what you mean by provable. If you mean using potentially
unsafe features and the compiler being able to prove they are
being used safely, no I don't think any compiler does that. If
you mean it's provable to be safe because it doesn't allow unsafe
features like basically what D does, then yes. It'd be more safe
than D in that regard as it simply doesn't allow pointers. If you
also take into consideration, in it's current state, D isn't
provable to be safe as it has features that a provably *unsafe*.
At least one person here even thought you couldn't use the
feature in @safe code (see: void initializers).
>> It's not just keyword choices. It's fundamentally how
>> discover-able @unsafe code is while reading @safe code.
>
> Isn't that the same as it's ever been -- search for @trusted
> blocks? I don't see how that would change.
If your in a @safe function trying to figure out where unsafe
calls are, how would you search for @trusted? The function you
are searching for could be in one of the thousands of different
files. Are you going to go look at each and every one? There's an
example a few pages back that illustrates this.
More information about the Digitalmars-d
mailing list