dip1000 and preview in combine to cause extra safety errors

Ali Çehreli acehreli at yahoo.com
Thu Jun 9 00:44:58 UTC 2022


On 6/8/22 16:47, H. S. Teoh wrote:

 > @safe by default is a good thing to have

I think we used the wrong names. @safe is not safe because it allows an 
escape hatch. Today, @safe is actually "trusted" because the compiler 
trusts the programmer but checks whatever it is allowed to. Basically 
today's @safe is "verify, but trust".

 > -- except on
 > extern(C) interfaces to C code, which by definition is un-@safe

I see it differently: extern(C) interfaces are @trusted but they can't 
be checked. (More below.)

I was convinced (after having an email exchange with Walter) that unless 
we assumed extern(C) functions to be @safe, nobody would bother marking 
their declarations as @trusted one-by-one. And whoever did mark them as 
such would do it without actually auditing any source code.

What have we gained by disapproving @safe-by-default? Nothing: the C API 
would either not be called or be marked blindly as @trusted. I think 
this is more embarrassing than @safe-by-default C libraries.

So, D's presumed embarrassment of "C functions are assumed @safe" was 
against both practicality and the truth: The truth is, we indeed "trust" 
C functions because we use C libraries all the time without reading 
their source code. This is the definition of trust. And that's why I say 
we chose wrong names around this topic.

 > -- the
 > most it can be is @trusted, and I'm sure nobody wants @trusted by
 > default.)

Me wants @trusted by default but with some semantic changes! :)

I think I have written up the following proposal before. It requires 
changing the semantics, but I haven't thought about every detail. (I am 
neither methodical nor complete when it comes to such design ideas.)

So, this is what we have currently:

   @safe: Checked with escape hatch

   @trusted: Assumed safe, unchecked

   @system: Assumed unsafe, unchecked

   default: @system

   extern(C): @system
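As an added illustration of that current list (this is example code, not 
from the original post or from the D compiler's sources), here is a small 
D program that exercises each row: extern(C) and unmarked functions default 
to @system, @trusted is accepted unchecked, and @safe is checked but can 
reach @system code through a @trusted escape hatch. The names cDoubleIt, 
sumFirstTwo and the rest are made up for the example; the extern(C) 
function is defined in D so the file links on its own.

```d
// Added example, not from the original post: D's current
// @safe / @trusted / @system rules as listed above.
// Build: dmd -preview=dip1000 example.d   (plain `dmd example.d` also works)
import std.stdio : writeln;

// extern(C): @system by default, so @safe code cannot call it directly.
// Defined here in D (made-up name) so the example links without a C library.
extern(C) int cDoubleIt(int x) { return x * 2; }

// @system: assumed unsafe, unchecked. Raw pointer arithmetic is allowed.
@system int sumFirstTwo(int* p) { return p[0] + *(p + 1); }

// No attribute: today's default is @system, so this compiles unchecked.
int unmarkedCaller(int x) { return cDoubleIt(x); }

// @trusted: assumed safe, unchecked. The compiler takes the author's word
// that this is fine to call from @safe code. This is the escape hatch.
@trusted int trustedDouble(int x) { return cDoubleIt(x); }

// @safe: checked, but with the escape hatch of calling @trusted code.
@safe int safeDouble(int x)
{
    // return cDoubleIt(x);   // Error: @safe function cannot call @system function
    return trustedDouble(x);  // fine: @trusted is callable from @safe
}

// The same escape hatch written inline, the common idiom in library code.
// The bounds check stays in the checked part; only the pointer use is trusted.
@safe int safeSum(int[] values)
{
    if (values.length < 2)
        return 0;
    return () @trusted { return sumFirstTwo(values.ptr); }();
}

void main()
{
    writeln(safeDouble(21));      // 42
    writeln(safeSum([3, 4, 5]));  // 7
    writeln(unmarkedCaller(1));   // 2
}
```

Uncommenting the direct cDoubleIt call inside safeDouble is what produces 
the "@safe function cannot call @system function" error; the @trusted 
wrapper and the inline @trusted lambda are the two forms the escape hatch 
takes today. The proposed table below cannot be demonstrated this way, 
since those semantics do not exist in the compiler.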

The whole thing could have started like the following instead (and I 
believe it can still be changed to this):

   @safe: Checked without escape hatch

   @trusted: Checked, with escape hatch (@system will be the escape hatch)

   @system: Assumed unsafe, unchecked

   default: @trusted

   extern(C): @trusted but can't check

As that list may be hard to parse, here is a commentary:

@safe: We had it wrong. @safe should mean "safe" without any escape hatch.

@trusted: The name was fine but why not check D code that is not marked? 
So, let's make this the default, and check all D code. Everybody will 
benefit. Except, we will have to add @system{} to some places.

@system: No change here but this becomes the escape hatch.

extern(C): We will happily call them from @trusted code (but not @safe 
code) but we can't check them. So what? Society trusts C libraries, and 
so do we.

Ali


