Safety, undefined behavior, @safe, @trusted
Michel Fortin
michel.fortin at michelf.com
Thu Nov 5 16:43:04 PST 2009
On 2009-11-05 19:14:47 -0500, Walter Bright <newshound1 at digitalmars.com> said:
> Andrei Alexandrescu wrote:
>> Are we in agreement that @safe functions have bounds checking on
>> regardless of -release?
>
> You're right from a theoretical perspective, but not from a practical
> one. People ought to be able to flip on 'safe' without large
> performance penalties.
>
> If it came with inescapable large performance penalties, then it'll get
> a bad rap and people will be reluctant to use it, defeating its purpose.
But if you remove bound checking, it isn't safe anymore, is it?
Sometimes safety is more important than performance. If I needed
performance in a safe program, I'd profile and find the bottlenecks,
review carefully those parts of the code slowing down the program, then
when I trust them perfectly I'd add the @trusted attribute. @trusted
should remove bound checks (in release mode). @safe should keep them to
keep other less trustworthy pieces of the program truly safe.
That said, I'd be in favor of a compiler switch to enable/disable
runtime checks in release mode... perhaps "-safe" could return as a way
to generate truly safe binaries even in release mode. This would also
make it pretty easy to evaluate how much impact those runtime checks
have on the final executable (by turning on and off the compiler switch).
--
Michel Fortin
michel.fortin at michelf.com
http://michelf.com/
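As an added illustration of the split the post argues for (not code from the mailing-list thread or from the D compiler sources), here is a small D program with one @safe and one @trusted summing function. Function names and the sample array are invented for the example. The @safe body relies on the compiler's automatic bounds check on every access; the @trusted body is the reviewed "hot spot" the post describes, where a single explicit precondition check at the top replaces the per-access check and raw pointer indexing is never checked at all.

```d
// Added example, not part of the original post. Shows how @safe keeps
// automatic bounds checks while a reviewed @trusted function takes over
// responsibility for memory safety itself.
import core.exception : RangeError;
import std.stdio : writeln;

// @safe: every data[i] is bounds-checked by the compiler. With dmd,
// -release keeps these checks in @safe code (-boundscheck=safeonly is
// the -release default); only -boundscheck=off removes them here.
@safe int sumSafe(const int[] data, size_t count)
{
    int total = 0;
    foreach (i; 0 .. count)
        total += data[i];   // throws RangeError if count > data.length
    return total;
}

// @trusted: the author promises the body is memory-safe, so the compiler
// no longer guarantees it. The precondition is enforced once, up front,
// with an ordinary `if` (an assert would be stripped by -release), and
// the loop then indexes through a raw pointer, which is never checked.
@trusted int sumTrusted(const int[] data, size_t count)
{
    if (count > data.length)
        throw new RangeError();     // reviewed, explicit replacement check
    const(int)* p = data.ptr;       // taking .ptr is @system; allowed here
    int total = 0;
    foreach (i; 0 .. count)
        total += p[i];              // unchecked access, by design
    return total;
}

void main() @safe
{
    int[] v = [1, 2, 3, 4];         // constructed sample input
    writeln(sumSafe(v, 4));         // 10
    writeln(sumTrusted(v, 4));      // 10

    // Both reject an over-read of one element past the end, but only
    // sumSafe does so because of a compiler-inserted check; sumTrusted
    // does so only because its precondition check was written and reviewed.
    try { sumSafe(v, 5); }    catch (RangeError e) { writeln("safe: ", e.msg); }
    try { sumTrusted(v, 5); } catch (RangeError e) { writeln("trusted: ", e.msg); }
}
```

Compiling with `dmd -release` leaves the check in sumSafe in place and strips any implicit checks from @trusted/@system code, which is essentially the switch behaviour the post asks for; `-boundscheck=on` and `-boundscheck=off` force the checks on or off everywhere, which is the easy way to measure their cost that the post mentions. The design point is that removing the explicit `if` from sumTrusted turns `sumTrusted(v, 5)` into a silent out-of-bounds read, so the @trusted body is exactly the part that needs the careful review the post describes.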