On Saturday, 3 May 2025 at 03:11:14 UTC, Timon Gehr wrote:

Thanks for the explaination.

On Sunday, 4 May 2025 at 11:02:27 UTC, Paul Backus wrote:

I think you're a bit too fast with your judgement here.

While the unsafe keyword doesn't directly turn off the borrow checker, it does let you to work your way around it. I don't know exactly how, but I'm sure it's possible; it's a systems programming language after all. Most likely it involves calling some sort of unsafe typecasting function. I think this is what Walter means.

On Sunday, 4 May 2025 at 16:35:23 UTC, Dukc wrote:

No, you're giving Walter too much credit here.

In context, he is clearly trying to claim that the @live/non-@live distinction in D is analogous to the safe/unsafe distinction in Rust w.r.t. borrow checking--i.e., that both languages have a mode with borrow checking, and a mode without it. The difference--he claims--is that in Rust, the mode with borrow checking is opt-out, and in D, it's opt-in.

The actual difference between D and Rust's approach is that Rust has two separate kinds of pointers: references, which are borrow-checked (in both safe and unsafe code), and raw pointers, which aren't. In other words, whether borrow checking is done or not is decided on a type-by-type basis, not a function-by-function basis.

The fact that Walter is (apparently) unaware of these facts shows that he has clearly not "studied the Rust specification," as he claims.

On Sunday, 4 May 2025 at 16:53:55 UTC, Paul Backus wrote:

I'm not trying to claim he understands the Rust borrow checker and how it differs from ours. It's clear he's missing something, or at least failing to see (or admit) how inpractical our solution is compared to the Rust one.

I'm only saying he didn't write anything that would prove he didn't even attempt to study it.

On Saturday, 3 May 2025 at 19:22:20 UTC, Walter Bright wrote:

@live:

I would never seriously consider this.

It would mean I have to make all my @safe code @live before I can begin using the @trusted version of free without it being safewashing.

And thereafter I could never use any third party @safe/@trusted code that isn't verified to be @live correct. This includes Phobos.

Just dropping to @system/@trusted when doing manual memory management is far more practical regardless of the use case.

Most certainly we don't want to force existing @safe D code to adapt @live rules. Not even over an edition switch. In that you're right.

But ironically, our opt-out borrow checker does exactly this in a practical sense. Like I wrote above, you can only depend on @live for @safety if you use it everywhere. This is the worst of both worlds: not only do I have to make all my @safe code to use the borrow checker (as in Rust), I must manually make sure I don't have any non-@live @safe code around, unless I'm willing to manually review them like a @trusted function.

If the borrow checker is to be of any real use, we need some way to check where it is needed. So that code that does manual memory management will have to use @live (or ditch @safe), but your regular garbage-collected stuff won't.