Menu
Search

Forums

Forum Index

Jump to page: 1 2 3
Thread overview
More evidence that memory safety is the future for programming languages
Mar 28, 2020
Walter Bright
Mar 28, 2020
JN
Mar 29, 2020
Timon Gehr
Mar 28, 2020
rikki cattermole
Mar 29, 2020
Arine
Mar 29, 2020
Timon Gehr
Mar 29, 2020
Timon Gehr
Mar 29, 2020
Timon Gehr
Mar 29, 2020
Timon Gehr
Mar 30, 2020
Dukc
Mar 30, 2020
Atila Neves
Mar 31, 2020
Dukc
Apr 01, 2020
Atila Neves
Apr 01, 2020
Dukc
Mar 30, 2020
Johan
Mar 31, 2020
Walter Bright
Apr 01, 2020
Johan
Apr 01, 2020
Walter Bright
Apr 02, 2020
Jacob Carlborg
Apr 02, 2020
Johan
Apr 02, 2020
Walter Bright
Apr 02, 2020
Walter Bright
Mar 31, 2020
Sebastiaan Koppe
Mar 31, 2020
Sebastiaan Koppe
March 28, 2020
Gravatar of Walter BrightPosted by Walter BrightReply
Walter Bright
Gravatar of Walter Bright


Reply
https://news.ycombinator.com/item?id=22711391

Fitting in with the push for @safe as the default, and the @live Ownership/Borrowing system for D.

We can either get on the bus or get run over by the bus.
March 28, 2020
Gravatar of JNPosted by JN
in reply to Walter Bright		Reply
JN
Gravatar of JN
Posted in reply to Walter Bright


Reply
On Saturday, 28 March 2020 at 20:24:02 UTC, Walter Bright wrote:
> https://news.ycombinator.com/item?id=22711391
>
> Fitting in with the push for @safe as the default, and the @live Ownership/Borrowing system for D.
>
> We can either get on the bus or get run over by the bus.

Over time we learned that opt-in safety doesn't work and @safe should be the default. Do you think the same will happen with @live?
March 29, 2020
Gravatar of rikki cattermolePosted by rikki cattermole
in reply to Walter Bright		Reply
rikki cattermole
Gravatar of rikki cattermole
Posted in reply to Walter Bright


Reply
On 29/03/2020 9:24 AM, Walter Bright wrote:
> https://news.ycombinator.com/item?id=22711391
> 
> Fitting in with the push for @safe as the default, and the @live Ownership/Borrowing system for D.
> 
> We can either get on the bus or get run over by the bus.

"This is why D requires and @live attribute be added to functions to enable the checking for just those functions, so it doesn't break every program out there."

Interesting quote there.

But what if we want to use these semantics isolated and not turn it on in every function in use?

The alternative I have been proposing is headconst tied to lifetimes, basically a borrowed pointer just with a bit of extra syntax that does propagate within a type.

https://gist.github.com/rikkimax/4cb2cc8ddcac33c1a9bb20de432f9dea
March 29, 2020
Gravatar of ArinePosted by Arine
in reply to rikki cattermole		Reply
Arine
Gravatar of Arine
Posted in reply to rikki cattermole


Reply
On Saturday, 28 March 2020 at 23:14:05 UTC, rikki cattermole wrote:
> On 29/03/2020 9:24 AM, Walter Bright wrote:
>> https://news.ycombinator.com/item?id=22711391
>> 
>> Fitting in with the push for @safe as the default, and the @live Ownership/Borrowing system for D.
>> 
>> We can either get on the bus or get run over by the bus.
>
> "This is why D requires and @live attribute be added to functions to enable the checking for just those functions, so it doesn't break every program out there."
>
> Interesting quote there.


Indeed it is interesting, on one hand, you have @safe being made the default, breaking all code in existence. And then you have @live being introduced so it doesn't break all code in existence. It seems @live is making the same mistake as @safe. How long until @live becomes the default?


I also find this claim to be quite bold:

> This is why D uses DFA to catch 100% of the positives with 0% negatives.

When in the review thread previously the sentiment was along the lines of, "patch the holes as they appear". So how do you go from patching holes as they appear, to 100% guaranteeing it catches everything correctly, without thorough testing. Or is that just empty marketing promises?
March 29, 2020
Gravatar of Timon GehrPosted by Timon Gehr
in reply to JN		Reply
Timon Gehr
Gravatar of Timon Gehr
Posted in reply to JN


Reply
On 28.03.20 22:03, JN wrote:
> On Saturday, 28 March 2020 at 20:24:02 UTC, Walter Bright wrote:
>> https://news.ycombinator.com/item?id=22711391
>>
>> Fitting in with the push for @safe as the default, and the @live Ownership/Borrowing system for D.
>>
>> We can either get on the bus or get run over by the bus.
> 
> Over time we learned that opt-in safety doesn't work and @safe should be the default. Do you think the same will happen with @live?

Why would this happen? The only thing that @safe and @live have in common is that they are function qualifiers that add additional type checking. @safe is in service of an invariant (memory safety), while @live is not. It's just a linting tool that (from the perspective of memory safety) produces exclusively false positives in @safe code. Also, there is no way to negate it.
March 29, 2020
Gravatar of Timon GehrPosted by Timon Gehr
in reply to Walter Bright		Reply
Timon Gehr
Gravatar of Timon Gehr
Posted in reply to Walter Bright


Reply
On 28.03.20 21:24, Walter Bright wrote:
> @live Ownership/Borrowing system

@live is not an Ownership/Borrowing system, even though it is true that it is based on concepts related to ownership and borrowing.

An Ownership/Borrowing system enforces ownership semantics in @safe code, @live does not. It is a linter for @system and @trusted code with no safety guarantees.
March 29, 2020
Gravatar of Timon GehrPosted by Timon Gehr
in reply to Arine		Reply
Timon Gehr
Gravatar of Timon Gehr
Posted in reply to Arine


Reply
On 29.03.20 03:08, Arine wrote:
> On Saturday, 28 March 2020 at 23:14:05 UTC, rikki cattermole wrote:
>> On 29/03/2020 9:24 AM, Walter Bright wrote:
>>> https://news.ycombinator.com/item?id=22711391
>>>
>>> Fitting in with the push for @safe as the default, and the @live Ownership/Borrowing system for D.
>>>
>>> We can either get on the bus or get run over by the bus.
>>
>> "This is why D requires and @live attribute be added to functions to enable the checking for just those functions, so it doesn't break every program out there."
>>
>> Interesting quote there.
> 
> 
> Indeed it is interesting, on one hand, you have @safe being made the default, breaking all code in existence. And then you have @live being introduced so it doesn't break all code in existence. It seems @live is making the same mistake as @safe. How long until @live becomes the default?
> ...

@live will never be the default in any version of D that I am willing to use. I really don't understand why people are inclined to think it is on the same level as @safe. It just is not.

> 
> I also find this claim to be quite bold:
> 
>> This is why D uses DFA to catch 100% of the positives with 0% negatives.
> 
> When in the review thread previously the sentiment was along the lines of, "patch the holes as they appear". So how do you go from patching holes as they appear, to 100% guaranteeing it catches everything correctly, without thorough testing. Or is that just empty marketing promises?
> 

It's not a statement that has a standard meaning. What positives and what negatives? Refer to the following table:

                       | problem exists | problem does not exist
----------------------------------------------------------------
flagged by linter      | true positive  | false positive
----------------------------------------------------------------
not flagged by linter  | false negative | true negative
----------------------------------------------------------------

@live leads to any of the four kinds of outcomes:

void foo(int *p)@live{
    free(p);
    free(p); // true positive
}

void bar(int *p)@live{
    auto q=p;
    *p=3;    // false positive
}

void baz()@live{
    auto p=new int;
    free(p); // false negative
}

void qux()@life{
    auto p=cast(int*)malloc(int.sizeof);
    free(p); // true negative
}

An amusing way to interpret 100% positives and 0% negatives would be to say the linter flags all positives (either true or false) and no negatives (neither true nor false). That basically means the linter flags every code as being problematic, which would make it completely useless.

In the thread on hackernews, there were a few people who interpreted the statement as saying that the linter has neither false positives nor false negatives, which is provably impossible. You can get rid of one of them at a time, but not both. @safe is an example of a feature that does not have false negatives (unless the implementation is buggy), but of course it has loads of false positives, for example you cannot manage memory manually in @safe code without @trusted escapes, even if you do it correctly.
March 29, 2020
Gravatar of Timon GehrPosted by Timon Gehr
in reply to Timon Gehr		Reply
Timon Gehr
Gravatar of Timon Gehr
Posted in reply to Timon Gehr


Reply
On 29.03.20 04:28, Timon Gehr wrote:
> 
> void qux()@life{

Actually, there is a true positive on this line.
March 29, 2020
Gravatar of Timon GehrPosted by Timon Gehr
in reply to Timon Gehr		Reply
Timon Gehr
Gravatar of Timon Gehr
Posted in reply to Timon Gehr


Reply
On 29.03.20 04:28, Timon Gehr wrote:
> 
> An amusing way to interpret 100% positives and 0% negatives would be to say the linter flags all positives (either true or false) and no negatives (neither true nor false). That basically means the linter flags every code as being problematic, which would make it completely useless.

Another way to interpret it is to just take it as the statement that everything that is flagged by the linter is a positive, and everything else is a negative. This is the definition of positive and negative.
March 30, 2020
Gravatar of DukcPosted by Dukc
in reply to Walter Bright		Reply
Dukc
Gravatar of Dukc
Posted in reply to Walter Bright


Reply
On Saturday, 28 March 2020 at 20:24:02 UTC, Walter Bright wrote:
> Fitting in with the push for @safe as the default, and the @live Ownership/Borrowing system for D.
>
> We can either get on the bus or get run over by the bus.

I have recently added a lot of unittests to my code. That confirmed me that as we all know, it is a mandatory to do if I even a remotely bug-free program is desired :). And that's in a program that already had no global state and used ranges, `final switch`es and `assert`s fairly much.

So I am thinking, perhaps a dead-easy and well known way to test correct `malloc`-`free` pairing in unit tests would work just as well, but be easier to implement and use? It'd be something like this to use:

```
unittest
{   auto tracer = MallocTracer();

    if (true)
    {   auto raiiObject = allocAnObject();
        raiiObject.doSomething();
        assert(tracer.numMallocs == tracer.numFrees - 1);
    }

    assert(tracer.numMallocs == tracer.numFrees);
}
```
« First   ‹ Prev
1 2 3
Next ›   Last »