DIP 1021--Argument Ownership and Function Calls--Final Review

Olivier FAURE couteaubleu at gmail.com
Thu Sep 19 09:09:39 UTC 2019 

On Thursday, 19 September 2019 at 02:54:57 UTC, Walter Bright 
wrote:
> On 9/18/2019 5:15 AM, Olivier FAURE wrote:
>> Any proposal which doesn't have data flow analysis won't 
>> provide actual memory safety.
>
> We plug the holes one by one.

So you're essentially saying "I have a broad solution in mind. I 
have a general idea of how the broad solution will work, but I 
want to implement the most actionable part before making more 
elaborate plans."

The problems with that approach are:
- You're holding yourself to a way, way lower standard than you 
hold other contributors.
- The "most actionable part" isn't very actionable at all given 
it brings no additional memory safety whatsoever.
- You're committing to the broad solution prematurely.

I'm going to focus on point 3, because my understanding is that 
you consider points 1 and 2 invalid.

You're explicitly assuming that "one mutable pointers or several 
const pointers" is the only possible model for GC-less memory 
safety, and as such you're utterly refusing to engage in any 
discussion of the potential downsides and drawbacks of such an 
approach.

You're basically saying "It doesn't matter if implementing the 
Rust model in D creates problems. We need to implement that 
model, nothing else matters."

And so you're working to implement this half-baked "can't pass 
the same argument twice" change, even though it brings no 
additional memory safety, and probably won't really reduce the 
work of implementing full lifetime semantics much.

My point, from the beginning, has always been this:

You're skipping steps.

No, Rust isn't the only possible model for memory safety. 
Reference-counting isn't the only possible memory-safe data 
structure. The "foobar(rcObject, &rcObject.data)" problem that 
has been floated around for a few years isn't the only challenge 
to implementing a safe GC-less model.

The reason I'm strongly opposed to this DIP, is that it should be 
based on a thorough analysis of possible memory safety models, 
advantages of different models over each other, and what model 
would be most suitable for D and why.

Instead, it acts like the analysis was already done and everybody 
agreed the Rust model was the best and all that's left is 
implementation details.

More information about the Digitalmars-d mailing list