DIP1028 - Rationale for accepting as is

Arafel er.krali at gmail.com
Sun May 24 06:51:10 UTC 2020


On 24/5/20 5:28, Walter Bright wrote:
> I'd like to emphasize:
> 
> 1. It is not possible for the compiler to check any declarations where 
> the implementation is not available. Not in D, not in any language. 
> Declaring a declaration safe does not make it safe.
> 

Here, I agree with Timon: only @system and @trusted should be possible, 
and in my personal view it should be mandatory to annotate external 
declarations. If not, at least default to `@system`.

> 2. If un-annotated declarations cause a compile time error, it is highly 
> likely the programmer will resort to "greenwashing" - just slapping 
> @safe on it. I've greenwashed code. Atila has. Bruce Eckel has. We've 
> all done it. Sometimes even for good reasons.
> 

So the compiler helpfully does the "greenwashing" for us. How is that an 
improvement in any way?

> 3. Un-annotated declarations are easily detectable in a code review.
> 

No, they are not. If somebody slaps `@trusted:` at the beginning of a 
file, that's a conscious decision, there will be a commit for that. 
Fingers can be pointed and questions asked.

If the compiler silently does it, it's highly likely that many people won't 
notice, and at the very least there will be plausible deniability 
("sure, boss, I didn't know you had to slap `@system` to our C 
declarations, also, I was using @safe and the compiler didn't complain").

> 4. Greenwashing is not easily detectable in a code review.
> 

I would say that grepping for `@trusted:` is not that hard. I'm pretty 
sure tools like d-scanner are more than able to catch the more advanced 
cases.

> 5. Greenwashing doesn't fix anything. The code is not safer. It's an 
> illusion, not a guarantee.
> 

Yet the compiler will just do it, breaking all the promises for `@safe` 
code in the process. Now the whole `@safe` concept becomes the same 
"illusion".

> 6. If someone cares to annotate declarations, it means he has at least 
> thought about it, because he doesn't need to. Hence it's more likely to 
> be correct than when greenwashed.
> 

Q.E.D.

How come this doesn't apply to the compiler?

> 7. D should *not* make it worthwhile for people to greenwash code.
> 

Then just disallow blanket greenwashing at all. You're just making the 
case for forbidding `@trusted:`, and that's something I'd totally support.

Or make it so that function declarations need

> It is, in a not-at-all obvious way, safer for C declarations to default 
> to being safe.

It's definitely one of the most not-obvious things I've ever seen here.
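To make the "greenwashing" being argued about concrete, here is an added illustration in D; it is not code from the thread or from DIP1028, and the `c_fill` / `c_fill_trusted` declarations are made-up stand-ins for real C functions. The first half shows an external declaration honestly annotated `@system`, which the compiler refuses to call from `@safe` code. The second half shows the blanket `@trusted:` the reply refers to: one line at file scope that makes every following declaration, checked or not, acceptable to `@safe` callers.

```d
// greenwash.d -- added illustration, not from the original thread.
// Build check: dmd -c greenwash.d  (only declarations, nothing is linked).
module greenwash;

// 1. External declaration annotated honestly. The compiler has no body
//    to verify, so it can only take the programmer's word for it, and the
//    word here is @system: @safe callers are rejected.
//    (c_fill is an assumed C function, not a real library symbol.)
extern(C) @system void c_fill(ubyte* dst, size_t n);

void honest() @safe
{
    ubyte[] buf = new ubyte[](8);
    // c_fill(&buf[0], buf.length);
    // Uncommenting the line above fails to compile:
    //   @safe function 'honest' cannot call @system function 'c_fill'
}

// 2. Greenwashing. This one line applies @trusted to every declaration
//    that follows in the file, including external ones the compiler
//    cannot check. It is a conscious edit that shows up in a diff and is
//    found with: grep -rn '@trusted:' source/
@trusted:

// (c_fill_trusted is an assumed C function, not a real library symbol.)
extern(C) void c_fill_trusted(ubyte* dst, size_t n);

void greenwashed() @safe
{
    ubyte[] buf = new ubyte[](8);
    // Compiles: the declaration is @trusted, so @safe code may call it.
    // Nothing checks the length argument; it is twice the buffer size.
    c_fill_trusted(&buf[0], buf.length * 2);
}
```

Note that `&buf[0]` is used rather than `buf.ptr` so that the callers themselves stay `@safe`; the unchecked part is confined to the declarations. Under the default the thread is arguing against, the `@trusted:` line would not even be needed: an un-annotated `extern(C)` declaration would be accepted from `@safe` code with nothing in the file to grep for.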


More information about the Digitalmars-d-announce mailing list