DIP 1006 - Preliminary Review Round 1
Paolo Invernizzi
paolo.invernizzi at gmail.com
Wed Mar 7 16:21:55 UTC 2018
On Wednesday, 7 March 2018 at 16:04:50 UTC, Timon Gehr wrote:
> On 07.03.2018 16:30, Paolo Invernizzi wrote:
>> On Wednesday, 7 March 2018 at 15:26:01 UTC, Timon Gehr wrote:
>>> On 07.03.2018 15:08, Paolo Invernizzi wrote:
>>>> On Wednesday, 7 March 2018 at 13:55:11 UTC, Jonathan M Davis
>>>> wrote:
>>>>> [...]
>>>>
>>>> Jonathan, I understand your point, but still I can't find an
>>>> answer to clarify my doubts.
>>>>
>>>> Are we asking for no UB in @safe code?
>>>> Are we asking for UB in @safe code but constrained to no
>>>> memory corruptions?
>>>>
>>>> /Paolo
>>>
>>> UB is unconstrained by definition. If it is constrained, it
>>> is not UB.
>>
>> That! Thanks!
>>
>> So, @safe code is code where UB should not be possible?
>
> Yes. (If you have UB, memory corruption is one of the allowed
> outcomes, but @safe should not allow memory corruption. So
> @safe needs to at least ban UB. According to Walter @safe needs
> to ban memory corruption but not more. Therefore, as memory
> corruption leads to UB (it is impractical to specify anything
> else, at least for writes), @safe bans UB and nothing else.)
>
> Also note that even in @system code I don't want asserts to
> cause UB in release. There should be an @system facility for
> this purpose. (The situation is different than with bounds
> checks: if bounds checks fail, there will always be a bad
> memory access, which is UB, but with asserts it's always
> possible that the assert itself was wrong and the code itself
> will not trigger UB.)
>
>> Is it pragmatically possible to reach that goal?
>>
>> /Paolo
>
> Yes. (Languages can be type safe and type systems can be
> arbitrarily powerful.) It is certainly possible to _aim_ for
> that goal, which Walter and Andrei have done on other occasions.
Thanks Timon, now everything it's definitely more clear to me on
that matter.
I think a good compromise is to just totally ignore assert in
release during optimization as a default, and use a compiler flag
to let the optimiser peek to them, if a user want to explore that
potential gain.
Just like '-boundscheck'.
Thanks to all for having clarified that point to me (and
hopefully to others also!)
/Paolo
More information about the Digitalmars-d
mailing list