Discussion Thread: DIP 1028--Make @safe the Default--Final Review
Bruce Carneal
bcarneal at gmail.com
Sun Apr 12 02:26:20 UTC 2020
On Monday, 6 April 2020 at 12:35:20 UTC, Steven Schveighoffer
wrote:
> On 4/5/20 10:43 PM, Walter Bright wrote:
>> On 4/5/2020 12:22 PM, Timon Gehr wrote:
>>> I really doubt that. It's a simple rule. The version that is
>>> easiest to implement is you simply disallow extern(C)
>>> functions without body to be marked @safe. It's a single `if`
>>> statement in an appropriate place.
>>
>> Famous last words.
>>
>> Just look at the swamp of misery from "simple" C rules, such
>> as their effect on C++ overloading. The quagmire got a lot
>> worse when C++ added type inference. I attended a Scott Meyers
>> talk that was a full hour long just on the weird special cases
>> forced on C++ due to those simple rules. Companies pay Scott a
>> boatload of cash for these lectures.
>
> Is this really your argument? Do we need Scott Meyers to
> explain such "esoteric" compiler errors like:
>
> Error: cannot call @system function memcpy from @safe function
> main.
>
> I think this is not an hour-long talk, but a 10-second talk: "C
> functions aren't checked by the D compiler, so they are @system
> by default." Done.
>
> I think possibly those folks are going to be much more
> vulnerable to the existing rules surrounding @trusted that many
> of the core D developers can't seem to get right.
>
> @system by default extern(C) functions are literally the most
> understandable and correct part of the whole D
> @safe/@system/@trusted system. And you want to remove that.
> Please reconsider.
>
Even though the formal review period is over I'd like to leave a
response to an earlier post from Walter. I've tagged it on here
since it picks up on Steve's thoughts on the topic, which I agree
with, and because a direct response in the Feedback Thread was,
understandably, deleted.
For context, this is an excerpt from a post that Walter made in
the Feedback Thread for DIP 1028 wherein he argues *against*
@system by default for extern declarations. Interspersed are my
thoughts.
[snip]
>
> 1. it's a special case inconsistency, which has its own costs
> and confusion.
C is not a safe language. Defaulting C externs to @safe, as you
propose, would be confusing.
>
> 2. the compiler cannot verify any extern declarations as being
> safe, even D
> ones. It's always going to be up to the user to annotate them
> correctly.
@safe should mean safe, as in machine checkable. My position is
that if it can't be machine checked, it shouldn't be considered
@safe.
>
> 3. the extern(C) specifies an ABI, it doesn't say anything
> about how the
> function is implemented, or even which language it is
> implemented in. A pretty
> big chunk of the dmd implementation (80-90%?) is extern(C++)
Exactly, "it doesn't say anything..." so the default should be
@system.
I'm not sure what you're trying to say in the second part. Is it
that we should default to @safe because your code is
safe-by-programmer-assertion and there's a lot of it?
>
> 4. it's trivial to mark a block of C function declarations with
> @system and
> trivial to audit it. I've done it already to a bunch of
> druntime headers
As you and others have noted, safety by convention doesn't scale.
>
> 5. D's separate compilation model relies on extern declarations
> where source is
> not available and safety cannot be machine checked. It's
> inherent
>
Yes. Absent tooling upgrades, the super-safety conscious have
whole program compilation and @trusted reviews to work with
> 6. We're just talking about the default. The whole point of
> @safe being the
> default is that it is far and away the most common case, even
> for C functions.
@safe doesn't work as a probability. It aspires to certainty.
('aspires' because could be bugs in the checker, or holes in the
spec or, ...)
>
> 7. A function having different attributes depending on whether
> or not a body is
> present is surprising behavior
Not surprising to me. It just reflects the ability/inability of
the compiler to check safety.
>
> 8. annotating "extern(C) void free(void*);" as @safe doesn't
> make it safe, either, again relying on the user
Relying on the user to overcome bad defaults isn't going to work.
If it did you'd not need the @safe by default DIP.
> [snip]
As many others before me, I urge you to change direction
regarding extern defaults. Barring that I hope Atila will step
in for the team to prevent an own goal.
More information about the Digitalmars-d
mailing list