Report: Analysis of survey: Memory safety in D, what is your view?
Richard Andrew Cattermole (Rikki)
richard at cattermole.co.nz
Fri Nov 8 16:51:07 UTC 2024
The highlights of this survey, was presented at the DLF meeting
on the 9th of November 2024.
No actions were immediately taken from the information given here.
However it is of interest for the future.
## Interest in Memory Safety
Of the respondants, nearly half responded that they use memory
safety for everything they do (49.2% 32 people), the second
largest group use memory safety for somethings but not everything
(30.8% 20 people), for some it isn't worth their time and can be
combined with the last group of ``@system`` only (20% 13 people)
with more than half being convincable.
For those that were ``@system`` only, they were not asked the
majority of questions as they would not have an answer to the
questions.
## Turning on Memory Safety
It was asked if turning on additional memory safety using a new
attribute would be a desired addition.
Of the 54 responses, 63% (34 people) said that if we are going to
do it, it should be in ``@safe``, no new attribute.
The second largest category at 11.1% (6 people) did not prefer
it, but would accept it.
The third largest category at 7.4% (4 people) prefer it for
invasive changes like borrow checker.
About 5 of the single submissions were related to no new
attributes.
The rest have single submissions and won't be mentioned here.
## Feature Usage
The following features have been tried out of 58 responses:
- ``@safe`` 57 people
- ``@live`` 9 people
- ``DIP25`` 27 people
- ``DIP1000`` 40 people
- No shared access 20 people
- ``-preview=in`` 21 people
- System variables 9 people
Of these 49 people, the following features people are continuing
to use:
- ``@safe`` 44 people
- ``@live`` 3 people
- ``DIP25`` 20 people
- ``DIP1000`` 24 people
- No shared access 17 people
- ``-preview=in`` 20 people
- System variables 11 people
Of these 44 people will recommend the features:
- ``@safe`` 38 people
- ``@live`` 4 people
- ``DIP25`` 13 people
- ``DIP1000`` 18 people
- No shared access 10 people
- ``-preview=in`` 17 people
- System variables 10 people
Some of these numbers went up from the prior question, which by
itself is an interesting result.
Of note is that DIP1000 had a massive difference between people
trying it and recommending it.
Another observation is that ``@live`` is attempting to solve a
problem that those who care about memory safety do not have.
This does not imply that lack of desire or need for a borrow
checker of a different design.
### What Prevents Adoption?
The following comments have been made regarding why people have
not adopted or tried out language features:
- Do not like them
- Not turned on by default
- Bad error messages
- Reuse of attributes
- Lack of examples and documentation
- Too complicated
- Does not add anything (``@live``), does not allow ``@trusted``
code to become ``@safe``.
- Not worth typing of attributes
- Usage of Phobos doesn't compile
- Limited expressiveness
Each of these may have multiple people stating it in some form.
The following comments have been made regarding why people have
not continued to use memory safety language features:
- Too much effort to add, needs to be the default
- Can be difficult to interface to non-D code
- Uncertainty of the future
- Introduces fighting the compiler, without reducing bugs
- DIP1000 has cases where it does not work
- Too restrictive and poorly implemented
- ImportC cannot be marked as ``@trusted``
- Limited expressiveness
- DIP1000 indirection doesn't compose well
- Library code does not work with them (including Phobos)
### Confidence in Features
Given current features 57 people responded between 1 and 5 if
they would recommend D.
1. 5.4%
2. 10.5%
3. 29.8%
4. 40.4%
5. 14%
Given additional features 55 people responded:
1. 5.5%
2. 1.8%
3. 20%
4. 30.9%
5. 41.8%
## Improvements to Escape Analysis
The following improvements to escape analysis (DIP1000,
``@live``) are desired out of 46 people:
- Inferation 45.7% 21 people
- What is needed to unblock reference counting 39.1% 18 people
- Differentitate strength of relationship for escaping 26.1% 12
people
- Replace attributes with escape set 17.4% 8 people
- Replace combination of attributes 17.4% 8 people
The rest were write ins all at 1 person.
For which multiple said removal.
## Additional protection
Of the 45 responses people wanted the following features:
- Type state analysis 71.1% 32 people
- Ownership transfer 60% 27 people
- Guaranteed protection of variables with a lock 31.1% 14 people
The rest were write ins all at 1 person.
## What Can We Do Better?
Unrelated to memory safety the question was asked, what can we do
better?
Some of the responses (can have multiple responses per item):
- Allow turning on preview switches within a D file rather than
as a CLI argument to the compiler.
- There may have been better things that we could have worked on
in the last 10 years.
- Have D leadership use tooling and IDE's that they don't
normally use so as to see what the current state of the ecosystem
is.
- Break code, if it means fixing things.
- Infer, not attributes for lifetimes.
- Memory safety by default.
- Use the GC as primary safety mechanism.
- Add sum types.
- Make containers and RC work.
- Less annotations that need to be written.
- ``-betterC`` needs better documentation.
- There are too many custom druntimes (7) was countered.
- Uses cases such as commercial games have too much time taken up
by ``@safe``.
- The flexibility of D is an asset. Can pick memory safety level.
- Type safety, memory safety and formal verification would be a
desired trait of D for security sensitive applications.
- Add the inverses of attributes (``@impure``)
- Better defaults i.e. ``@safe``
- Don't chase Rust.
## Population of Respondants
The number of people who responded to this question was 61, at
93% of total people who answered the survey (65).
- Hobbyist: 75.4%
- Employee: 27.9%
- Student: 4.9%
- Owner or management of a business: 19.7%
According to the global statistics on the users of [Stack
Overflow for
2024](https://survey.stackoverflow.co/2024/work#employment-employment), the following results were obtained with 65,437 responses:
Unlike the D survey, it is a multiple choice question that
telleys to a total of 118.6%.
It was answered by a very broad representation of people in the
programming population globally.
- Hobbyist: 8.8%
- Employee: 75.3%
- Student: 13.2%
- Self employed: 16.4%
At 65 respondants, the D survey is quite small, in comparison to
the Stack Overflow survey of 65,437 responses.
This makes the resulting statistics not useful for drawing a
direct conclusion from.
The one note of interest is that employee and hobbyist appear to
be swapped with D's employee number being larger than Stack
Overflows hobbyist number by a wide margin.
This could be indicative of a very different group of people
attracted to D, compared to the wider field.
## Recommendations
Any new memory safety features should focus upon what can be
turned on in ``@safe`` code and be tuned in such a way that what
affects everyone has a high degree of certainty of being wrong.
Tuning where possible to turn a feature on as a consequence could
be preferred when the breakage is invasive, but not required for
normal operation.
This is exemplified by the significant lack of usage of
``@live``, this is an attribute that adds behavior on top of
``@safe``.
While a good portion of respondants are ok with the memory safety
features of D in terms of quantity, it is clear that there is a
strong desire to add additional memory safety protection.
New features that people strongly want are type state analysis
and ownership transfer.
With the next being guaranteed protection of a variable with a
lock at less than half the other two.
A common theme throughout the write ins is poor error messages.
More descriptive error messages with the explanation explaining
why the compiler came to a decision would be of significant
benefit for complex language features that people may not be
familiar with such as escape analysis.
Some include language features unrelated to memory safety
including a desire for sum types.
The population of D users appears to have a very different
constituent members and therefore the trends, desires and needs
will not reflect other language communities.
Any language or ecosystem changes should reflect the D population
base, and therefore need not prioritise what other language
communities are doing, but must prioritise the existing D
community population when apply the D Language Foundations IVY
statement.
To get a more accurate population of D, future surveys should be
made available on the D home page.
More information about the Digitalmars-d
mailing list