dip1000 and preview in combine to cause extra safety errors
Ali Çehreli
acehreli at yahoo.com
Thu Jun 9 00:44:58 UTC 2022
On 6/8/22 16:47, H. S. Teoh wrote:
> @safe by default is a good thing to have
I think we used the wrong names. @safe is not safe because it allows an
escape hatch. Today, @safe is actually "trusted" because the compiler
trusts the programmer but checks whatever it is allowed to. Basically,
today's @safe is "verify, but trust".
> -- except on
> extern(C) interfaces to C code, which by definition is un-@safe
I see it differently: extern(C) interfaces are @trusted but they can't
be checked. (More below.)
I was convinced (after having an email exchange with Walter) that unless
we assumed extern(C) functions @safe, nobody would bother marking
their declarations as @trusted one by one. And whoever did mark them as
such would do it without actually auditing any source code.
What have we gained by disapproving @safe-by-default? Nothing: a C API
would either not be called or be marked blindly as @trusted. I think
this is more embarrassing than @safe-by-default C libraries.
So, D's presumed embarrassment of "C functions are assumed @safe" was
against both practicality and the truth: The truth is, we indeed "trust"
C functions because we use C libraries all the time without reading
their source code. This is the definition of trust. And that's why I say
we chose wrong names around this topic.
> -- the
> most it can be is @trusted, and I'm sure nobody wants @trusted by
> default.)
Me wants @trusted by default but with some semantic changes! :)
I think I have written the following proposal before. It requires
changing the semantics, but I haven't thought about every detail. (I am
neither methodical nor complete when it comes to such design ideas.)
So, this is what we have currently:
@safe: Checked with escape hatch
@trusted: Assumed safe, unchecked
@system: Assumed unsafe, unchecked
default: @system
extern(C): @system
The whole thing could have started like the following instead (and I
believe can still be changed into it):
@safe: Checked without escape hatch
@trusted: Checked, with escape hatch (@system will be the escape hatch)
@system: Assumed unsafe, unchecked
default: @trusted
extern(C): @trusted but can't check
As that list may be hard to parse, here is a commentary:
@safe: We had it wrong. @safe should mean "safe" without any escape hatch.
@trusted: The name was fine but why not check D code that is not marked?
So, let's make this the default, and check all D code. Everybody will
benefit. Except, we will have to add @system{} to some places.
@system: No change here but this becomes the escape hatch.
extern(C): We will happily call them from @trusted code (but not @safe
code), but we can't check them. So what? Society trusts C libraries,
and so do we.
Ali
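The following is an added example, not code from Ali's post or from the D project, illustrating the "what we have currently" list above: an extern(C) declaration defaults to @system, @safe code may only reach it through a @trusted wrapper, and a @trusted lambda inside a @safe function is the escape hatch the post objects to. The prototype for strlen is declared by hand (rather than imported from core.stdc.string) so that its attributes are visible in the example; the wrapper name cStrLen and the NUL-termination check are the example's own.

```d
// Added example: today's @safe / @trusted / @system semantics around an
// extern(C) call. Not from the post or from druntime.
// Build and run: dmd safety.d && ./safety   (-preview=dip1000 optional)
module safety;

import std.stdio : writeln;

// An extern(C) declaration is @system unless annotated otherwise, exactly
// as the post's list says. This resolves to libc's strlen at link time.
extern(C) size_t strlen(const(char)* s) nothrow @nogc;

// @trusted: the compiler checks nothing inside, so the programmer has to
// establish the precondition that keeps the C call memory-safe. Here that
// is "the buffer is NUL-terminated", checked with an assert (an assumption
// of this example, not a guarantee strlen itself gives).
size_t cStrLen(const(char)[] s) @trusted nothrow @nogc
{
    assert(s.length > 0 && s[$ - 1] == '\0', "expected a NUL-terminated buffer");
    return strlen(s.ptr);
}

// @safe: checked. It may call the @trusted wrapper but not strlen directly.
size_t safeLen() @safe
{
    static immutable char[6] hello = "hello\0";
    // return strlen(hello.ptr); // error: @safe function cannot call @system strlen
    return cStrLen(hello[]);      // ok, returns 5
}

// The escape hatch: a @trusted lambda lets otherwise-@safe code call the
// unchecked function without the enclosing function losing its @safe mark.
// This is why the post says today's @safe is really "verify, but trust".
size_t safeLenViaEscapeHatch() @safe
{
    static immutable char[6] hello = "hello\0";
    return (() @trusted => strlen(hello.ptr))();
}

// @system: unchecked. The raw call is accepted as written.
size_t systemLen() @system
{
    static immutable char[6] hello = "hello\0";
    return strlen(hello.ptr);
}

void main() @safe
{
    writeln("safeLen:                ", safeLen());
    writeln("safeLenViaEscapeHatch:  ", safeLenViaEscapeHatch());
    // systemLen(); // error: @safe function main cannot call @system systemLen
}
```

Under the post's proposed semantics, cStrLen and main would be @trusted by default and checked, safeLenViaEscapeHatch would be rejected because @safe would have no escape hatch, and the direct strlen call would have to sit in an explicit @system block.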