Contradictory justification for status quo

H. S. Teoh via Digitalmars-d digitalmars-d at puremagic.com
Fri Feb 27 07:33:22 PST 2015


On Fri, Feb 27, 2015 at 06:02:57AM -0800, Andrei Alexandrescu via Digitalmars-d wrote:
[...]
> Safety is good to have, and the simple litmus test is if you slap
> @safe: at the top of all modules and you use no @trusted (or of course
> use it correctly), you should have memory safety, guaranteed.
[...]

@safe has some pretty nasty holes right now... like:

	https://issues.dlang.org/show_bug.cgi?id=5270
	https://issues.dlang.org/show_bug.cgi?id=8838
	https://issues.dlang.org/show_bug.cgi?id=12822
	https://issues.dlang.org/show_bug.cgi?id=13442
	https://issues.dlang.org/show_bug.cgi?id=13534
	https://issues.dlang.org/show_bug.cgi?id=13536
	https://issues.dlang.org/show_bug.cgi?id=13537
	https://issues.dlang.org/show_bug.cgi?id=14136
	https://issues.dlang.org/show_bug.cgi?id=14138

There are probably other holes that we haven't discovered yet.

All in all, it's not looking like much of a guarantee right now.  It's
more like a cheese grater.

This is a symptom of the fact that @safe, as currently implemented,
starts by assuming the whole language is @safe, and then checking for
exceptions that are deemed unsafe. Since D has become quite a large,
complex language, many unsafe operations and unsafe combinations of
features are bound to be overlooked (cf. combinatorial explosion), hence
there are a lot of known holes and probably just as many, if not more,
unknown ones. Trying to fix them is like playing whack-a-mole: there's
always yet one more loophole that we overlooked, and that one hole
compromises the whole system. Not to mention, every time a new language
feature is added, @safe is potentially compromised by newly introduced
combinations of features that are permitted by default.

Rather, what *should* have been done is to start with @safe *rejecting*
everything in the language, and then gradually relaxed to permit more
operations as they are vetted to be safe on a case-by-case basis. That
way, instead of having a long list of holes in @safe that need to be
plugged, we *already* have guaranteed safety and just need to allow more
safe operations that are currently prohibited. @safe bugs should have
been of the form "operation X is rejected but ought to be legal", rather
than "operation X is accepted but compromises @safe". In the former case
we would already have achieved guaranteed safety, but in the latter
case, as is the current situation, we don't have guaranteed safety and
it's an uphill battle to get there (and we don't know if we'll ever
arrive).

See: https://issues.dlang.org/show_bug.cgi?id=12941


T

-- 
Verbing weirds language. -- Calvin (& Hobbes)
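As an added illustration of the denylist-versus-allowlist distinction the post draws (not code from the post, the D compiler, or the mailing list): a toy Python model of @safe checking, with constructed function and operation names, in which the hypothetical "new_feature_op" stands in for a language feature added after the checker was written.

```python
from dataclasses import dataclass

# Constructed toy model of D's @safe / @trusted / @system attributes (not dmd's checker).
# Operation names are hypothetical; "new_feature_op" stands in for a language feature
# added after the checker was written, which neither list mentions.
UNSAFE_OPS = {"pointer_arith", "cast_ptr", "union_ptr_read"}  # denylist: known-bad ops
VETTED_OPS = {"assign", "bounds_checked_index"}                # allowlist: ops vetted as safe

@dataclass
class Func:
    name: str
    attr: str            # "safe", "trusted" or "system"
    ops: list            # [(op, arg)]; for "call", arg is the callee's name

def check(funcs, mode):
    """Return {name: [violations]} for every @safe function in `funcs`.
    mode="denylist": accept any op not explicitly listed as unsafe (current @safe).
    mode="allowlist": accept only ops explicitly vetted (the post's proposal)."""
    table = {f.name: f for f in funcs}
    report = {}
    for f in funcs:
        if f.attr != "safe":
            continue                      # @trusted/@system bodies are not checked, as in D
        errs = []
        for op, arg in f.ops:
            if op == "call":              # @safe may call @safe or @trusted, never @system
                if table[arg].attr == "system":
                    errs.append(f"call to @system {arg}")
            elif mode == "denylist" and op in UNSAFE_OPS:
                errs.append(f"unsafe op {op}")
            elif mode == "allowlist" and op not in VETTED_OPS:
                errs.append(f"unvetted op {op}")
        report[f.name] = errs
    return report

# Constructed sample program.
PROGRAM = [
    Func("memcpy_wrapper", "trusted", [("pointer_arith", "p")]),     # vetted by hand
    Func("raw_free", "system", [("cast_ptr", "p")]),
    Func("copy", "safe", [("assign", "x"), ("bounds_checked_index", "a"),
                          ("call", "memcpy_wrapper")]),
    Func("bad", "safe", [("pointer_arith", "p"), ("call", "raw_free")]),
    Func("novel", "safe", [("new_feature_op", "q")]),                # unknown to both lists
]

if __name__ == "__main__":
    for mode in ("denylist", "allowlist"):
        print(mode, check(PROGRAM, mode))
```

Under "denylist" the "novel" function passes silently (the hole the post describes); under "allowlist" it is rejected, which is the "rejected but ought to be legal" class of bug the post prefers.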

