Discussion Thread: DIP 1028--Make @safe the Default--Final Review
Mathias Lang
pro.mathias.lang at gmail.com
Fri Mar 27 04:20:47 UTC 2020
On Thursday, 26 March 2020 at 10:55:44 UTC, Atila Neves wrote:
> On Wednesday, 25 March 2020 at 21:58:40 UTC, Jonathan Marler
> wrote:
>> Has the benefit warranted the cost to manage these tags
>> throughout your code?
>
> Yes. Especially since the cost is trivial.
>
>> Do we have any projects that are already using this behavior
>> by putting "@safe:" at the top of every file? Does anyone
>> have any pointers to projects that have done this?
>
> All my projects that aren't called reggae. The only reason for
> that exception is that it's ancient and I didn't know any
> better then.
>
> I don't know how we've managed, but we've utterly failed at
> marketing @safe to the community. Writing @safe code is easy
> unless you're doing manual memory management or trying to
> abstract it with a library. *Especially* with DIP1000.
There's a huge difference between correctly using `@safe` and
having things compile.
I have *never* seen non-trivial library that manage to do the
former without imposing strong requirements on the user. Let me
repeat that: I haven't seen a *single* non-trivial library out
there that does it correctly. It either forces user code to be
`@safe`, or bypasses `@safe`ty checks completely.
And since exceptional claims calls for exceptional proof, I
wanted to check whether or not your libraries would be any
different. It took me less than 5 minutes to find this:
https://github.com/atilaneves/unit-threaded/issues/176
We didn't fail to market `@safe`. We failed to provide a
construct that allows users to write libraries that take
attributes (`@safe`, `nothrow`, `@nogc`, same fight) into account
without incredible amounts of boilerplate.
Take any library that accepts a delegate: Either one has to
restrict what the delegate can do, or make a certain attribute
un-enforceable. There's no way to write an interface that
concisely expresses that its `@safe`ty, `@nogc`-ness or
`nothrow`-ness depends on the user-provided delegate, unless you
template absolutely everything, which is not a viable (and
sometimes, not possible) solution.
We need something similar to `inout` for attributes. Or at the
very least, a way to express this dependency. Only then will
changing the default be a remotely viable possibility, in my
opinion. At the moment, all this is doing is ignoring the problem
and pushing the complexity from one demographic to the other.
More information about the Digitalmars-d
mailing list