Shouldn't safety be the default. (page 2)

Settings

Help

Index » General » Shouldn't safety be the default. (page 2)

December 26

Re: Shouldn't safety be the default.

Posted by Lance Bachmeier
in reply to Paulo Pinto

Permalink

Lance Bachmeier

Posted in reply to Paulo Pinto

Permalink

On Tuesday, 26 December 2023 at 14:46:45 UTC, Paulo Pinto wrote:

On Tuesday, 26 December 2023 at 12:39:46 UTC, bachmeier wrote:

On Tuesday, 26 December 2023 at 12:00:13 UTC, Sebastiaan Koppe wrote:

[...]

The earlier proposal would have killed D. I no longer recall the details but it would have been miserable to interoperate with C code under that proposal. And without C interoperability, D is dead.

All that's needed is a compiler switch rather than breaking everyone's code. Or an easy way to shut it off. Neither of those were on the table.

Rust, Go, Swift, C# are doing just fine with the requirement that C interop must be explicitly marked as unsafe.

Aside from the massive amounts of money those languages had to start with, the primary use case of Go, Swift, and C# was not working with C, and Rust was explicitly written for someone wanting safe at all costs.

D's primary selling point for many is interoperability with C and otherwise writing unsafe code. Not only would this break almost all of my existing code for no benefit, it would break any package I want to work with that uses unsafe code (anything on code.dlang.org that does anything with a pointer), so then I'm having to maintain my own fork of those packages. All the documentation and tutorials with even one line of unsafe code are suddenly broken.

If D had been safe by default, this would not have been a big issue, even for those of us that don't care about safe by default. But to force this on us entirely because you don't want to add a -safe switch to the compiler is completely unreasonable. (The compiler switch was off the table, but the way you tested out the earlier DIP was by using a compiler switch.)

December 26

Re: Shouldn't safety be the default.

Posted by ryuukk_
in reply to Sebastiaan Koppe

Permalink

ryuukk_

Posted in reply to Sebastiaan Koppe

Permalink

On Tuesday, 26 December 2023 at 12:00:13 UTC, Sebastiaan Koppe wrote:

On Tuesday, 26 December 2023 at 11:32:15 UTC, ryuukk_ wrote:

https://dlang.org/spec/function.html#safe-functions

-No casting from a pointer type to any type with pointers other than void*.
-No casting from any non-pointer type to a pointer type.
-No pointer arithmetic (including pointer indexing).
-Cannot access __gshared variables.
-No inline assembler.

I hope this never becomes the default

I very much hope it does. It is a lot more economical.

9 out of 10 projects only need the features you mentioned sparingly. It is less effort to mark those place @trusted than the situation we are in now, where you need to sprinkle @safe almost everywhere.

Another way to look at is that the features you mentioned are almost always used exclusively in low level code that best sits behind an abstraction. If trusted is the default you need to mark anything using it @safe, but if safe is the default you only need to mark a few reusable low level pieces of code @trusted.

I understand, you got a point, it makes the ecosystem better, so i'm probably wrong here

But i personally don't use any of these attribute in my code bases, they are pure annoyances, most of the time

Will it solve problems like these?

https://github.com/dlang/dub/issues/2600

https://forum.dlang.org/thread/mjmufdnrcexliatzgkwh@forum.dlang.org

I'd rather see time spent working on getting features that help people's code compile faster (dub doubled their compile time by starting to use std.sumtype) instead of making more of them no longer compile because they do not comply with dmd @christmas tree decoration edition

Let's put it that way, if most of my code consist of low level bits, why should i mark everything @unsafe? I view unsafe as a feature, not as a bug

I hope it'll be toggleable with a compiler flag

December 26

Re: Shouldn't safety be the default.

Posted by ryuukk_
in reply to Paulo Pinto

Permalink

ryuukk_

Posted in reply to Paulo Pinto

Permalink

On Tuesday, 26 December 2023 at 14:46:45 UTC, Paulo Pinto wrote:

On Tuesday, 26 December 2023 at 12:39:46 UTC, bachmeier wrote:

On Tuesday, 26 December 2023 at 12:00:13 UTC, Sebastiaan Koppe wrote:

[...]

The earlier proposal would have killed D. I no longer recall the details but it would have been miserable to interoperate with C code under that proposal. And without C interoperability, D is dead.

All that's needed is a compiler switch rather than breaking everyone's code. Or an easy way to shut it off. Neither of those were on the table.

Rust, Go, Swift, C# are doing just fine with the requirement that C interop must be explicitly marked as unsafe.

Microsoft sells tooling and services, they have an army of "evangelists" to corrupt, i mean to lobby companies / governments all around the world, these people are driven by an economical motive to vendor lock you

Same for Apple/Swift, and same for Google/Go

Rust is similar, as it consist of a conglomerate of them all

I don't use D because i want corporate-credibility, i use it because it gets the job done faster than anything else (is it even still the case btw?)

December 26

Re: Shouldn't safety be the default.

Posted by Paul Backus
in reply to Hors

Permalink

Paul Backus

Posted in reply to Hors

Permalink

On Tuesday, 26 December 2023 at 07:05:48 UTC, Hors wrote:

Optional safety is really outdated, I think some people can't see how important is safety almost everywhere (both for system and general purpose). Safe by default allows you to catch bugs without possibly wrecking your entire system (or systems' of users of your app).

The correct way forward on this is to enable inference of @safe for (almost) all functions. No existing projects will break, and if you don't use any unsafe language features (pointer arithmetic, casting), your code will automatically become @safe with no intervention required.

Adam Ruppe has a good writeup of this approach on his blog: http://dpldocs.info/this-week-in-d/Blog.Posted_2022_07_11.html#inferred-attributes

December 26

Re: Shouldn't safety be the default.

Posted by Paulo Pinto
in reply to Lance Bachmeier

Permalink

Paulo Pinto

Posted in reply to Lance Bachmeier

Permalink

On Tuesday, 26 December 2023 at 15:35:55 UTC, Lance Bachmeier wrote:

On Tuesday, 26 December 2023 at 14:46:45 UTC, Paulo Pinto wrote:

On Tuesday, 26 December 2023 at 12:39:46 UTC, bachmeier wrote:

On Tuesday, 26 December 2023 at 12:00:13 UTC, Sebastiaan Koppe wrote:

[...]

The earlier proposal would have killed D. I no longer recall the details but it would have been miserable to interoperate with C code under that proposal. And without C interoperability, D is dead.

All that's needed is a compiler switch rather than breaking everyone's code. Or an easy way to shut it off. Neither of those were on the table.

Rust, Go, Swift, C# are doing just fine with the requirement that C interop must be explicitly marked as unsafe.

Cgo has been part of Go since the early days, Swift has been designed with interoperability with Objective-C (a C superset), and C++ has been supported in .NET since version 1.0 (yet another C superset).

How is that selling point going on since Andrei's book has been published, in terms of D market share versus all newcomers?

On which forum post am I advocating against -safe switch?

December 26

Re: Shouldn't safety be the default.

Posted by Paulo Pinto
in reply to ryuukk_

Permalink

Paulo Pinto

Posted in reply to ryuukk_

Permalink

On Tuesday, 26 December 2023 at 17:27:46 UTC, ryuukk_ wrote:

On Tuesday, 26 December 2023 at 14:46:45 UTC, Paulo Pinto wrote:

On Tuesday, 26 December 2023 at 12:39:46 UTC, bachmeier wrote:

On Tuesday, 26 December 2023 at 12:00:13 UTC, Sebastiaan Koppe wrote:

[...]

The earlier proposal would have killed D. I no longer recall the details but it would have been miserable to interoperate with C code under that proposal. And without C interoperability, D is dead.

All that's needed is a compiler switch rather than breaking everyone's code. Or an easy way to shut it off. Neither of those were on the table.

Rust, Go, Swift, C# are doing just fine with the requirement that C interop must be explicitly marked as unsafe.

Same for Apple/Swift, and same for Google/Go

Rust is similar, as it consist of a conglomerate of them all

I don't use D because i want corporate-credibility, i use it because it gets the job done faster than anything else (is it even still the case btw?)

Hardly, unfortunately, unless there are libraries available, which is increasingly harder as many aren't updated to keep up with D vlatest.

Which makes this safety discussion a moot point, too late to change it, even with the languages that prove otherwise, those libraries wouldn't be updated to safety by default.

December 27

Re: Shouldn't safety be the default.

Posted by Richard (Rikki) Andrew Cattermole
in reply to Paul Backus

Permalink

Richard (Rikki) Andrew Cattermole

Posted in reply to Paul Backus

Permalink

Agreed this is the way forward.

Only way to let people who don't care about safety to continue to not do so.

Also need things like contract invalidation for callbacks.

Still no idea how we'll deal with virtual types.

December 26

Re: Shouldn't safety be the default.

Posted by Walter Bright
in reply to Hors

Permalink

Walter Bright

Posted in reply to Hors

Permalink

@safe code is just as fast as @system code. You might be thinking about the switch that turns runtime array bounds checking on/off.

Yes, safety should be the default, but we don't want to break existing code.

December 27

Re: Shouldn't safety be the default.

Posted by Siarhei Siamashka
in reply to Hors

Permalink

Siarhei Siamashka

Posted in reply to Hors

Permalink

On Tuesday, 26 December 2023 at 13:18:43 UTC, Hors wrote:

On Tuesday, 26 December 2023 at 12:39:46 UTC, bachmeier wrote:

All that's needed is a compiler switch rather than breaking everyone's code. Or an easy way to shut it off. Neither of those were on the table.

Makes sense, instead of a breaking change. We can use another file extension for Safe DLang *.safeD, or [insert your idea here]. That file extension is just D but @safe is default, then it's no longer a breaking change as normal *.d codes still work.

An elephant in the room is the -dip1000 switch. Should or shouldn't it be enabled for the new *.safeD files? Here's an interesting old topic, where a beginner tried to explore the safety offered by D language: https://forum.dlang.org/thread/duwrxnkjaafnzpfgnted@forum.dlang.org

December 27

Re: Shouldn't safety be the default.

Posted by Siarhei Siamashka
in reply to Walter Bright

Permalink

Siarhei Siamashka

Posted in reply to Walter Bright

Permalink

On Wednesday, 27 December 2023 at 07:42:31 UTC, Walter Bright wrote:

@safe code is just as fast as @system code. You might be thinking about the switch that turns runtime array bounds checking on/off.

Yes, safety should be the default, but we don't want to break existing code.

My understanding is that people are suggesting a new global compiler switch to optionally disable safety (allow @system and @trusted to be called from @safe), which would indeed allow compiling old abandoned libraries and use them from the new code during the transition period.

Top | Forum index | About this forum

Forums