DIP1028 - Rationale for accepting as is

Walter Bright newshound2 at digitalmars.com
Wed May 27 10:03:21 UTC 2020


On 5/26/2020 5:20 AM, Johannes T wrote:
> On Tuesday, 26 May 2020 at 03:37:29 UTC, Walter Bright wrote:
>> [..]
> 
> Thank you very much for your patience with all the negative feedback. I get your 
> decision to not annotate extern C with @system by default. The biggest issue 
> with extern @system is that @trusted would become less useful when dealing with 
> declarations and bindings. @trusted would appear more frequently. We wouldn't be 
> able to assume that the author put in effort in assessing the trustworthiness of 
> a declaration. More greenwashing, less safety. Those are severe drawbacks, I agree.
> However, as Andrei pointed out, PR is a huge problem. We need to be able to sell 
> it with a straight face.

Frankly, I feel that if I could sit down with you folks, I can get the idea 
across what I'm trying to accomplish.

> I think this might be done by formally redefining the meaning of safety 
> attributes when applied to extern:
> The safety of extern can't be assessed by the compiler. Implicit "@safe" extern 
> within @safe code is accepted for the convenience of the average user. Explicit 
> @system or @trusted can be added for desired behavior.
> I think this can be explained.

I do, too. But apparently not by typing.

> It's not an acceptable solution for people who require correctness. ZombineDev 
> can't tell an auditor that he relies on D-Scanner to find the problematic spots. 
> I believe it's unavoidable to provide an option to change the default. It could 
> make extern @system or refuse to compile safe code calling @safe extern.

People who require correctness are going to have to manually audit each and 
every C declaration regardless. There's no way around it. A less strict auditor 
would focus his attention on un-annotated declarations and assume that annotated 
ones are annotated correctly.



More information about the Digitalmars-d-announce mailing list