Menu
Search

Forums

Forum Index

December 12, 2022
Gravatar of Nick TreleavenPosted by Nick Treleaven
in reply to Siarhei Siamashka		Reply
Nick Treleaven
Gravatar of Nick Treleaven
Posted in reply to Siarhei Siamashka


Reply

On Monday, 12 December 2022 at 13:08:10 UTC, Siarhei Siamashka wrote:

>

On Monday, 12 December 2022 at 12:57:54 UTC, Nick Treleaven wrote:

>

On Monday, 12 December 2022 at 11:07:00 UTC, Siarhei Siamashka wrote:

>

Bounds checking is not done in @safe and @trusted code in "-release" builds.

False. Compile this with -release:

Is it really difficult to see that this was a typo given the context? You need to read it as @system and @trusted code.

OK, I realized you may have meant that after posting. (Also I wasn't expecting markdown to make the first line of the backtrace so big!).

December 12, 2022
Gravatar of Adam D RuppePosted by Adam D Ruppe
in reply to Basile B.		Reply
Adam D Ruppe
Gravatar of Adam D Ruppe
Posted in reply to Basile B.


Reply
On Monday, 12 December 2022 at 12:23:08 UTC, Basile B. wrote:
> The problem would be then that there's no way to disable assertions, so we also need
>
>     -assertion={on|off}

Already there:

  -check=[assert|bounds|in|invariant|out|switch][=[on|off]]
                    enable or disable specific checks
  -checkaction=[D|C|halt|context]
                    behavior on assert/boundscheck/finalswitch

> And then we can drop -release.

-release should never have existed. It is absolutely unacceptable to ever use is in real world code under any circumstances.
December 12, 2022
Gravatar of Adam D RuppePosted by Adam D Ruppe
in reply to Walter Bright		Reply
Adam D Ruppe
Gravatar of Adam D Ruppe
Posted in reply to Walter Bright


Reply
On Monday, 12 December 2022 at 03:48:26 UTC, Walter Bright wrote:
> Safe code is where bounds checking is needed.

Most code needs bounds checking. The exceptions can use the `.ptr` property to *locally* bypass it. (Which is correctly prohibited in `@safe` code, since it is trusting the programmer to do it right.)

The global switches should *never* be used in *any* real world code. If you think you can trust every last bit of the code, you have no business handling user data.
December 12, 2022
Gravatar of Siarhei SiamashkaPosted by Siarhei Siamashka
in reply to Nick Treleaven		Reply
Siarhei Siamashka
Gravatar of Siarhei Siamashka
Posted in reply to Nick Treleaven


Reply

On Monday, 12 December 2022 at 12:53:42 UTC, Nick Treleaven wrote:

>

What about deprecating defining main without a @system/@trusted/@safe attribute? Then users have to make a choice. If they choose @safe then anything main calls has to have a safe interface.

This would be a step in the right direction. But modules don't have main. And it's not ergonomic:

void bar() {
}
void foo() {
  bar();
}
void main() @safe {
  foo();
}

The user will first get a complaint about annotating "foo". And after this is done, there will be a complaint about "bar" and so on. Many people will be very much annoyed after a few minutes of such activity. This can be alternatively resolved by adding @safe: at the top of the file, but the compiler needs to give a clear hint about this. If this is not done, then many beginners won't be happy and some of them will quit right from the start.

>

I almost never use @safe: because it prevents @safe attribute inference.

Why is this a problem?

>

Of course, if D can encourage/default to using @safe that may make the language more popular by helping market it.

D has very effective marketing. It's very good at attracting attention because the advertisements are spread everywhere in wikipedia, hackernews and other places. I think that the majority of software developers (excluding the youngsters) already know that D language exists and already gave it a try at some point in the past. But making a good first impression and then managing not to betray expectations is another story.

Default @safe can prevent beginners from feeling stabbed in the back if they came looking for a safe language, only to be surprised by an unexpected out of bounds bug in a -release build. It's like "LOL, are you kidding?" discovery. And not everyone is particularly enthusiastic about registering in the forum to ask questions.

December 12, 2022
Gravatar of Siarhei SiamashkaPosted by Siarhei Siamashka
in reply to Adam D Ruppe		Reply
Siarhei Siamashka
Gravatar of Siarhei Siamashka
Posted in reply to Adam D Ruppe


Reply
On Monday, 12 December 2022 at 13:22:56 UTC, Adam D Ruppe wrote:
> -release should never have existed. It is absolutely unacceptable to ever use is in real world code under any circumstances.

Well, somebody may claim that it is absolutely unacceptable to have real world D code without annotating most of it as @safe under any circumstances. If you don't annotate it as @safe, then you may accidentally use functions like https://dlang.org/library/std/string/from_stringz.html in an inappropriate way or have stack variable references escaping the scope. Memory safety is more than just bounds checking.

And then -release won't be a problem after your code is @safe.
December 12, 2022
Gravatar of DukcPosted by Dukc
in reply to Adam D Ruppe		Reply
Dukc
Gravatar of Dukc
Posted in reply to Adam D Ruppe


Reply

On Monday, 12 December 2022 at 13:22:56 UTC, Adam D Ruppe wrote:

>

On Monday, 12 December 2022 at 12:23:08 UTC, Basile B. wrote:

>

The problem would be then that there's no way to disable assertions, so we also need

-assertion={on|off}

Already there:

-check=[assert|bounds|in|invariant|out|switch][=[on|off]]
enable or disable specific checks
-checkaction=[D|C|halt|context]
behavior on assert/boundscheck/finalswitch

Plus, you should not have much more desire to disable assertions than bounds checking. Failing a disabled assert is undefined behaviour, meaning memory safety is off if they are disabled. If you want an assertion you can disable for performance, write debug assert.

December 13, 2022
Gravatar of Timon GehrPosted by Timon Gehr
in reply to Siarhei Siamashka		Reply
Timon Gehr
Gravatar of Timon Gehr
Posted in reply to Siarhei Siamashka


Reply
On 12/12/22 12:07, Siarhei Siamashka wrote:
> 
> You have my 100% support here. But the tricky thing is that the majority of the current D language community seems to disagree with us, as evidenced by the apparent rejection of DIP 1028. And we should do a much better job convincing them to change their mind.

Sorry, but this is a really bad take. DIP 1028 wanted to make extern(C) prototypes `@safe` by default, which is essentially the only criticism it attracted. [1] Walter then decided to pull the DIP entirely. It's not on the community.


[1] `@safe` on an `extern(C)` prototype is currently equivalent to `@trusted`. DIP 1028 was therefore "@trusted by default". A really bad default and one that would make existing _unsafe_ code `@safe` implicitly.
December 12, 2022
Gravatar of areYouSureAboutThatPosted by areYouSureAboutThat
in reply to Timon Gehr		Reply
areYouSureAboutThat
Gravatar of areYouSureAboutThat
Posted in reply to Timon Gehr


Reply
On Monday, 12 December 2022 at 23:18:13 UTC, Timon Gehr wrote:
> On 12/12/22 12:07, Siarhei Siamashka wrote:
>> 
>> You have my 100% support here. But the tricky thing is that the majority of the current D language community seems to disagree with us, as evidenced by the apparent rejection of DIP 1028. And we should do a much better job convincing them to change their mind.
>
> Sorry, but this is a really bad take. DIP 1028 wanted to make extern(C) prototypes `@safe` by default, which is essentially the only criticism it attracted. [1] Walter then decided to pull the DIP entirely. It's not on the community.
>
>
> [1] `@safe` on an `extern(C)` prototype is currently equivalent to `@trusted`. DIP 1028 was therefore "@trusted by default". A really bad default and one that would make existing _unsafe_ code `@safe` implicitly.

The problem with D (which has always been its problem, and likely always will be its problem), is that it 'defaults' to allowing the programmer to shoot themselves in the foot, at any time, and typically without warning (i.e. it defaults to 'ease of use' over safety).

That's what 'ease of use' means in D (the same as it means in C - trust the programmer).

This is why it's not mentioned by NSA I suspect (assuming they've even heard of it). NSA do NOT want you to use languages that 'implicately trust' the programmer to get memory safety correct.

'ease of use' (I suspect) is what attracts some to D. But for others, it's @safe that attract them to D. Both are at opposite ends of the spectrum.

So how to please people that are at opposite ends of the spectrum?

You give them 'the option', to opt-in or opt-out. It's that simple.

So how about a compile time, commandline switch, that (warns or fails) when @safe code is calling @trusted code?

Basically, I'm, saying to the compiler -> "if it's not @safe, I do not 'trust' it."
December 13, 2022
Gravatar of Siarhei SiamashkaPosted by Siarhei Siamashka
in reply to areYouSureAboutThat		Reply
Siarhei Siamashka
Gravatar of Siarhei Siamashka
Posted in reply to areYouSureAboutThat


Reply
On Monday, 12 December 2022 at 23:48:58 UTC, areYouSureAboutThat wrote:
> So how about a compile time, commandline switch, that (warns or fails) when @safe code is calling @trusted code?
>
> Basically, I'm, saying to the compiler -> "if it's not @safe, I do not 'trust' it."

Then you will have this warning in pretty much every application. Because any @safe code eventually ends up doing OS kernel API calls to show stuff on your screen or save it to a hard drive. The bridge from @safe to @system has to be crossed somewhere and the code annotated as @trusted works as such bridge.

If your OS kernel is buggy, then it compromises the safety of your program and you can't do anything about this (other than patching up your OS kernel). If your @trusted function is buggy, then it compromises the safety of your program and you can't do anything about this (other than fixing bugs in the @trusted code). Of course, assuming that it was actually necessary to annotate the function as @trusted in the first place and it could not be @safe for a very good reason.

I don't see any problem with this model. It takes a deliberate effort to annotate a function as @trusted. You are not getting this attribute by default or via https://dlang.org/spec/function.html#function-attribute-inference
December 13, 2022
Gravatar of areYouSureAboutThatPosted by areYouSureAboutThat
in reply to Siarhei Siamashka		Reply
areYouSureAboutThat
Gravatar of areYouSureAboutThat
Posted in reply to Siarhei Siamashka


Reply
On Tuesday, 13 December 2022 at 00:56:12 UTC, Siarhei Siamashka wrote:
> On Monday, 12 December 2022 at 23:48:58 UTC, areYouSureAboutThat wrote:
>> So how about a compile time, commandline switch, that (warns or fails) when @safe code is calling @trusted code?
>>
>> Basically, I'm, saying to the compiler -> "if it's not @safe, I do not 'trust' it."
>
> Then you will have this warning in pretty much every application. Because any @safe code eventually ends up doing OS kernel API calls to show stuff on your screen or save it to a hard drive. The bridge from @safe to @system has to be crossed somewhere and the code annotated as @trusted works as such bridge.
>

Fair enough. But in that case, @unsafe would be a much better attribute than @trusted.

If you @trust code, you are presumably implicately trusting that it is memory safe.

Whereas, @unsafe, you're saying, look... I know it's not @safe, but I wanna use it anyway, even if that results in memory corruption.

D should move towards deprecating @trusted, and replacing it with @unsafe.
« First   ‹ Prev
1 2 3 4 5 6 7 8 9 10 11
Next ›   Last »