Fixing C's Biggest Mistake

Timon Gehr timon.gehr at gmx.ch
Tue Jan 3 21:55:15 UTC 2023 

On 1/1/23 19:18, Walter Bright wrote:
> On 12/31/2022 7:06 PM, Timon Gehr wrote:
>> No, it absolutely, positively does not... It only ensures no null 
>> dereference takes place on each specific run. You can have screwed it 
>> up and only notice once the program is published. I know this happens 
>> because I have been a _user_ of software with this kind of problem. 
>> Notably this kind of thing happens in released versions of DMD 
>> sometimes...
> 
> You're absolutely right. And if I do a pattern match to create a 
> non-nullable pointer, where the null arm does a fatal error if it can't 
> deal with the null, it's the same thing.
> ...

_IF_. It's a very big IF. If you can't deal with the null, it should 
have been a non-null pointer in the first place. While, without even 
more powerful language features, this is not absolutely _always_ 
possible, it is _usually_ possible. This should be very easy to 
understand from an "engineering point of view".

> But we've both stated this same thing several times now.
> 
> 
>> That's great. However, it's somewhat aggravating to me that I am 
>> currently not actually convinced you understand what's needed to 
>> achieve that. This is because you are making statements that equate 
>> nonnull pointers in the type system to runtime hardware checking with 
>> segmentation faults.
> 
> Yes, I am doing just that.
> 
> Perhaps I can state our difference thusly. You are coming from a type 
> theory point of view, and your position is quite right from that point 
> of view.
> ...

I am approaching this from a practical angle, as a user and creator of 
software.

> I'm not saying you are wrong. You are right. But I am coming from an 
> engineering point of view, saying that for practical purposes, the 
> hardware check produces the same result.
> ...

This is wrong from any point of view that includes occasionally running 
software. I have suffered as a user from many bugs whose underlying 
cause is exceedingly easy to guess as just being "somebody forgot about 
null" and a proper type system would have obviously prevented most of 
those _during the initial design of the system when everyone's memory of 
the code base was very fresh_.

If your software crashes with a fatal segmentation fault, that's an 
engineering failure. Using the right tools, such as type systems, is 
_part_ of software engineering.

Let me translate the previous discussion to the bridge setting:

TG: I observe bridges collapsing. Maybe we should actually calculate 
statics during the planing phase, before building them?

WB: From a computational standpoint you are right. However, from an 
engineering standpoint, you can just keep building bridges. You will 
then learn their flaws as they collapse, which gives you exactly the 
same end result.

I just don't think good engineers argue in this fashion. This is exactly 
the kind of out-of-touch ivory tower reasoning that theorists are 
sometimes accused of.

> If the hardware check wasn't there, I'd be all in on your approach. 
> Which is why I'm excited about sumtypes being used for error states.

Sure. And on some targets there is not even a hardware check. (WASM in 
particular would be useful to me.)

More information about the Digitalmars-d mailing list