DIP1000: Memory Safety in a Modern System Programming Language Pt.1
Jun 21, 2022
Mike Parker
June 21, 2022

Ate Eskola was inspired to write a series of tutorials about DIP1000 for the D Blog. The first post in the series is live. If you haven't yet dug into DIP1000 much or understood how to use it, this should give you enough to get started.

The blog:
https://dlang.org/blog/2022/06/21/dip1000-memory-safety-in-a-modern-system-programming-language-pt-1/

Reddit:
https://www.reddit.com/r/programming/comments/vhfd28/memory_safety_in_a_modern_system_programming/

June 21, 2022

On Tuesday, 21 June 2022 at 15:05:46 UTC, Mike Parker wrote:
> [...]
>
> int[5] stackData = [-1, -2, -3, -4, -5];
>
> // Lifetime of stackData2 ends
> // before limitedRef, so this is
> // disallowed.
> limitedRef = stackData[];

In the above example, stackData2 seems to be a typo.

June 22, 2022

On Tuesday, 21 June 2022 at 22:55:56 UTC, StarCanopy wrote:
> On Tuesday, 21 June 2022 at 15:05:46 UTC, Mike Parker wrote:
>> [...]
>>
>> int[5] stackData = [-1, -2, -3, -4, -5];
>>
>> // Lifetime of stackData2 ends
>> // before limitedRef, so this is
>> // disallowed.
>> limitedRef = stackData[];
>
> In the above example, stackData2 seems to be a typo.

Thanks, you're right. Missed that when editing.

June 22, 2022

On Tuesday, 21 June 2022 at 15:05:46 UTC, Mike Parker wrote:

Good article!

June 22, 2022

On Wednesday, 22 June 2022 at 06:48:34 UTC, Dukc wrote:
> On Tuesday, 21 June 2022 at 22:55:56 UTC, StarCanopy wrote:
>> On Tuesday, 21 June 2022 at 15:05:46 UTC, Mike Parker wrote:
>>> [...]
>>>
>>> int[5] stackData = [-1, -2, -3, -4, -5];
>>>
>>> // Lifetime of stackData2 ends
>>> // before limitedRef, so this is
>>> // disallowed.
>>> limitedRef = stackData[];
>>
>> In the above example, stackData2 seems to be a typo.
>
> Thanks, you're right. Missed that when editing.

Other typo:
> , as that dcoument is what

June 22, 2022

On Tuesday, 21 June 2022 at 15:05:46 UTC, Mike Parker wrote:
> The blog:
> https://dlang.org/blog/2022/06/21/dip1000-memory-safety-in-a-modern-system-programming-language-pt-1/

Now in 26th place on Hacker News.

June 22, 2022

On Wednesday, 22 June 2022 at 19:09:28 UTC, Dukc wrote:
> On Tuesday, 21 June 2022 at 15:05:46 UTC, Mike Parker wrote:
>> The blog:
>> https://dlang.org/blog/2022/06/21/dip1000-memory-safety-in-a-modern-system-programming-language-pt-1/
>
> Now in 26th place on Hacker News.

This was a nice presentation. If there is a follow-up, then maybe create examples with a main and a "run this" button that shows them on run.dlang.org?

I suspect some readers will think TLDR when faced with longer blog posts and just look at the examples (hence the show-don't-tell principle).

June 22, 2022

On 6/21/22 11:05 AM, Mike Parker wrote:
> Ate Eskola was inspired to write a series of tutorials about DIP1000 for the D Blog. The first post in the series is live. If you haven't yet dug into DIP1000 much or understood how to use it, this should give you enough to get started.
>
> The blog:
> https://dlang.org/blog/2022/06/21/dip1000-memory-safety-in-a-modern-system-programming-language-pt-1/
>
> Reddit:
> https://www.reddit.com/r/programming/comments/vhfd28/memory_safety_in_a_modern_system_programming/

DIP1000's point is starting to seep in. I still think it's going to be a challenge for people new to D (not just us old-timers). But...

The part about scope being shallow. This is a problem.

scope a = "first";
scope b = "second";
string[] arr = [a, b]; // invalid regardless of attributes in @safe code

Sometimes algorithms require manipulation of structure, such as sorting arrays or using linked lists, and sometimes it's nice to be able to point at things on the stack temporarily. This is one of the things I was looking forward to with DIP1000, since it does allow pointing at the stack when it can work out the details.

Is there any plan to address this other than "just use @system"?

-Steve
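
An added example, not code from the blog post, from Steve's message, or from the D project, following on from the message above. It applies the two rules the blog post states (`scope` covers only the first level of indirection, and a `scope` value may not be assigned to a variable that outlives it) to the `[a, b]` case: the slices are kept in a static array, whose elements are that first level of indirection, and the "manipulation of structure" is done on an index array so that no scope slice is ever copied into a longer-lived variable. The helper `sortedOrder`, the sample strings and the file name are constructed for this example; it assumes dmd with `-preview=dip1000`.

```d
// Added example; not from the blog post or the thread.
// Compile and run with:
//   dmd -preview=dip1000 -run shallow_scope.d
@safe:

import std.stdio : writeln;

/// Hypothetical helper: returns the order in which three stack-held slices
/// sort. It moves only indices, never the slices themselves, so no scope
/// slice is ever copied into a variable that outlives its buffer.
size_t[3] sortedOrder(scope const(char)[][3] items)
{
    size_t[3] order = [0, 1, 2];

    // Insertion sort over the index array. Indices hold no pointers, so
    // `scope` places no restriction on shuffling them around.
    foreach (i; 1 .. order.length)
    {
        size_t key = order[i];
        size_t j = i;
        while (j > 0 && items[order[j - 1]] > items[key])
        {
            order[j] = order[j - 1];
            --j;
        }
        order[j] = key;
    }
    return order;
}

void main()
{
    // Constructed sample data: three strings that live in this stack frame.
    char[6] buf1 = "second";
    char[5] buf2 = "third";
    char[5] buf3 = "first";

    // Slices of stack arrays must be `scope`: they may not outlive the buffers.
    scope const(char)[] a = buf1[];
    scope const(char)[] b = buf2[];
    scope const(char)[] c = buf3[];

    // Rejected, as the message above says: the literal is allocated on the GC
    // heap, so the slices stored in it are the second level of indirection
    // from `arr`, and `scope` covers only the first.
    //   scope const(char)[][] arr = [a, b, c];

    // Accepted: a static array is a stack value, so its elements are the
    // first level of indirection and `scope` covers them. `arr` is declared
    // after `a`, `b` and `c`, so it does not outlive any of them.
    scope const(char)[][3] arr = [a, b, c];

    size_t[3] order = sortedOrder(arr);
    assert(order == [2, 0, 1]);
    assert(arr[order[0]] == "first");
    assert(arr[order[2]] == "third");
    writeln("sorted order of the stack slices: ", order);
}
```

The index array is the design choice worth noting: a `scope` slice taken out of `arr` into a temporary declared later in the function would be rejected when written back, because the checker does not know which buffer the temporary points at and conservatively treats the later-declared temporary as shorter-lived than `arr`. Indices carry no pointers, so they can be moved freely and the slices themselves never leave `arr`.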

June 22, 2022

On Wednesday, 22 June 2022 at 20:48:13 UTC, Steven Schveighoffer wrote:
> The part about scope being shallow. This is a problem.

One thing that will be confusing to most users is that it appears to be using "taint" rather than proper flow analysis on the pointed-to object?

int* test(int arg1, int arg2) {
    int* p = null;
    p = &arg1;
    p = new int(5);
    return p;  // complains about p being scope
}

June 22, 2022

On 6/22/22 5:07 PM, Ola Fosheim Grøstad wrote:
> On Wednesday, 22 June 2022 at 20:48:13 UTC, Steven Schveighoffer wrote:
>> The part about scope being shallow. This is a problem.
>
> One thing that will be confusing to most users is that it appears to be using "taint" rather than proper flow analysis on the pointed-to object?
>
> int* test(int arg1, int arg2) {
>     int* p = null;
>     p = &arg1;
>     p = new int(5);
>     return p;  // complains about p being scope
> }

The other option is to complain about the assignment of &arg to p. That might be a better answer. At least it's understandable, and not sneaky.

Full flow analysis will be defeatable by more complex situations:

int *p = null;
if(alwaysEvaluateToFalse()) p = &arg;
else p = new int(5);
return p;

That would take a lot of effort just to prove it shouldn't be scope.

-Steve
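
An added example, not code from the blog post, from either message, or from the D project, following the exchange above. It shows the consequence of the per-variable inference Ola describes and the restructuring that works today: a pointer that ever holds a stack address gets its own explicitly `scope` variable, and the heap allocation gets a separate variable that is the only one returned. The function names `split` and `conditional` and the file name are constructed for this example; it assumes dmd with `-preview=dip1000`, and the error text quoted in the comment is dmd's message for a returned scope variable.

```d
// Added example; not from the blog post or the thread.
// Compile and run with:
//   dmd -preview=dip1000 -run per_variable_scope.d
@safe:

import std.stdio : writeln;

// For reference, the rejected form from the message above, left as a comment
// so that this file compiles. `p` is inferred `scope` because one of its
// assignments takes a parameter's address; the inference is per variable,
// not per assignment, so the later heap assignment does not undo it:
//
//   int* test(int arg1, int arg2)
//   {
//       int* p = null;
//       p = &arg1;
//       p = new int(5);
//       return p;   // Error: scope variable `p` may not be returned
//   }

/// Same work, restructured so the checker accepts it: one variable for the
/// pointer into the stack frame (explicitly `scope`, so it can never be the
/// one that is returned) and a separate variable for the heap allocation.
int* split(int arg1, int arg2)
{
    scope int* stackPtr = &arg1;              // may point at the stack; stays here
    int* heapPtr = new int(*stackPtr + arg2); // never assigned a stack address
    return heapPtr;                           // accepted
}

/// The if/else variant from the message above, restructured the same way.
/// Which branch runs makes no difference to the checker; what matters is
/// that `onHeap` is never assigned an address from this frame.
int* conditional(int arg, bool useStack)
{
    scope int* onStack = useStack ? &arg : null;
    int* onHeap = useStack ? null : new int(5);
    if (onStack !is null)
        *onStack += 1;      // work through the stack pointer, but never hand it out
    return onHeap;          // accepted: null or heap memory, never `&arg`
}

void main()
{
    assert(*split(40, 2) == 42);
    assert(conditional(1, true) is null);
    assert(*conditional(1, false) == 5);
    writeln("every returned pointer is null or points at the heap");
}
```

Splitting the variables is what makes the conservative rule workable: the checker need not know which assignment executed, because the variable that is returned has no assignment that could ever give it a stack address.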
