D not considered memory safe

Timon Gehr timon.gehr at gmx.ch
Thu Jul 25 11:47:21 UTC 2024


On 7/25/24 04:32, Walter Bright wrote:
> On 7/22/2024 12:00 PM, Timon Gehr wrote:
>> Anyway, the point is there should be a way to have the compiler help 
>> you do this kind of safety scaffolding without you needing to lie to 
>> the compiler.
> 
> I understand your design and it has merit.
> 
> Issues:
> 
> 1. the proliferation of these features. Have you seen all the C 
> extensions VC and gcc have? It makes for an excessively large and 
> intimidating language. The larger the specification, the less people 
> will read it.
> ...

Hardly applies in any relevant fashion to pragmas that enable additional 
type checking.

> 2. if an existing feature can be pressed into service instead, adding a 
> new feature needs a big advantage
> ...

You are in effect removing an existing feature.

> 3. one of the earliest goals with D was to make it easier for managers 
> and QA staff to have rules and enforce them. @trusted was always 
> intended to be an easily greppable construct so that the QA reviewer 
> knows where to focus his effort. A manager can lay down a rule "no 
> level1 programmers can check in @trusted" and enforce it mechanically.
> ...

Well, your approach is essentially that your higher-level programmers go 
around slapping `@trusted:` on files. I'll give you that banning "level1 
programmers" from checking in any code at all probably does help safety.

> 4. @trusted makes for a nice and easily grepped TODO list to measure 
> progress on making the code actually safe
> ...

No, some uses of `@trusted` are inevitable. `@trusted` means: "this has 
been audited and the author certifies that the interface is safe".

What you are describing is not `@trusted`, you are describing `@yolo`: 
"this has not been audited at all but I need it to be `@safe` anyway for 
marketing purposes".

> 5. In a final release, @trusted should be quite rare. But it's up to the 
> team to enforce it.
> ...

Well, what do you think I am doing here? You are behaving in a way I 
deem irresponsible by promoting this way of using `@trusted`.

> 6. @trusted can absolutely be abused. But you can't hide it!
> ...

I am putting forward a critique of that abuse, which is indeed plainly 
visible.

> 7. Simple is better.
> ...

Apparently `@trusted` is already too complex for most people to wrap 
their heads around it. It's a pity.

> 8. Not needing to learn new things is better.

The way you suggest `@trusted` should be used is a novelty. It's a 
completely new attribute.


More information about the Digitalmars-d mailing list