Discussion Thread: DIP 1028--Make @safe the Default--Final Review

Jonathan M Davis newsgroup.d at jmdavisprog.com
Thu Mar 26 23:10:17 UTC 2020


On Thursday, March 26, 2020 8:24:24 AM MDT Adam D. Ruppe via Digitalmars-d wrote:
> On Thursday, 26 March 2020 at 14:12:24 UTC, Steven Schveighoffer wrote:
> > I still think this is the appropriate path. We cannot continue
> > to ignore memory safety as a secondary concern just because C
> > code is by-default unsafe. Memory unsafe HAS to be opt-in for
> > any new modern language to succeed.
>
> What frustrates me about these discussions is the fact that
> slices always check bounds by default. The GC prevents
> use-after-free bugs by default.
>
> C doesn't do those. So assuming C's problems apply to D is
> fallacious. Rust's complication is because they wanted to avoid
> the runtime checks. But D's runtime checks are also a valid
> solution.
>
> I suspect 95+% of C's problems already are extremely rare in D,
> yet the @safe advocates never seem to consider this at all.

Except that in @system code, the bounds checking gets turned off with
-release. So, with @system as the default, a lot less bounds checking is
going on than I think many people realize.

Sure, D code is much less likely to have @safety issues than C code, but the
@safety system is really designed with the idea that almost all code will be
@safe with only pockets of it being @system or @trusted, and as long as a
large percentage of code is @system, stuff like bounds checking or scope
with DIP 1000 doesn't really do what it's supposed to.

- Jonathan M Davis
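An added illustration of the -release point made above (example code written for this page, not from the thread or the D project): the @safe read keeps its bounds check in every build, while the @system read loses it under -release, which implies -boundscheck=safeonly; -boundscheck=on restores the check in @system code as well.

```d
// Added example (not from the thread): how -release treats bounds checks
// differently in @safe and @system code.
//   dmd app.d && ./app                    -> both reads throw RangeError
//   dmd -release app.d && ./app           -> only the @safe read throws;
//                                            the @system read is unchecked
//   dmd -release -boundscheck=on app.d    -> checks restored everywhere
import std.stdio : writeln;
import core.exception : RangeError;

int readSafe(int[] a, size_t i) @safe
{
    return a[i]; // check kept under -release (-boundscheck=safeonly)
}

int readSystem(int[] a, size_t i) @system
{
    return a[i]; // check removed under -release
}

void main()
{
    int[] data = [10, 20, 30];  // constructed sample input
    size_t oob = data.length;   // one past the end of the slice

    try
    {
        writeln("@safe read: ", readSafe(data, oob));
    }
    catch (RangeError e)
    {
        writeln("@safe read: RangeError caught (", e.msg, ")");
    }

    try
    {
        writeln("@system read: ", readSystem(data, oob));
    }
    catch (RangeError e)
    {
        writeln("@system read: RangeError caught (", e.msg, ")");
    }
    // Under -release the @system branch prints whatever value happens to
    // sit in memory just past the slice instead of reporting the overrun.
}
```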