Type state analysis

Atila Neves atila.neves at gmail.com
Wed Apr 10 19:17:01 UTC 2024


On Monday, 8 April 2024 at 20:10:24 UTC, Richard (Rikki) Andrew 
Cattermole wrote:
> On 09/04/2024 6:18 AM, Atila Neves wrote:
>> On Sunday, 17 March 2024 at 15:35:40 UTC, Paul Backus wrote:
>>> On Sunday, 17 March 2024 at 06:51:23 UTC, Richard (Rikki) 
>>> Andrew Cattermole wrote:
>>>> [...]
>>>
>>> Yet another proposal for a humongous language feature to 
>>> solve a problem that can already be solved without it.
>>>
>>> It is possible to achieve temporal safety in D already with 
>>> `scope` (DIP 1000) and `@system` variables (DIP 1035). The 
>>> ergonomics are not great, but they can be improved (e.g., 
>>> with built-in move-on-last-use).
>>>
>>> This proposal specifically has the same problem as `@live`: 
>>> it splits `@safe` code into separate "new `@safe`" and "old 
>>> `@safe`" dialects, which are mutually incompatible.
>>>
>>> The ideas themselves are not terrible. I would be interested 
>>> to see what this looks like implemented in a research 
>>> language. But I do not think it has any place in D.
>> 
>> I second all of the above.
>
> Just so we are clear, DIP1000 is not able to provide memory 
> safety on a single thread, let alone multiple.
>
> It is missing the child/parent relationship to prevent:
>
> ```d
> Parent* parent;
> Field* child = &parent.field;
> parent.destroy;
> Field value = *child;
> ```

DIP1000 depends on lifetimes and RAII, and in a language like D 
with constructors and destructors I struggle to find a reason to 
write `parent.destroy`. This works as intended, in the sense that 
it fails to compile:

```
     Field* child;
     {
         Parent parent;
         child = &parent.field;
     }
     Field value = *child;
```

It's the same reason why I don't understand "Logic errors such as 
trying to read from an unopened file" - why would a file be 
unopened?


More information about the dip.ideas mailing list