On Thursday, 11 July 2024 at 05:59:08 UTC, Walter Bright wrote:

> Second, just declare them @trusted until one gets around to a proper refactoring.
>
> In fact, I've been doing just that. Adding @safe: at the top, and then everything that fails to compile gets marked @trusted. Eventually, refactor the code as time permits.
>
> No need for Yet Another Attribute.

So, the solution is just turn your program into a gigantic facade of @safe, until you have time to refactor it as really @safe?

Meh ...

Walter,

Clearly: `extern(C)` and `extern(D)` bitfields would need to have compatible layouts for syntactically identical declarations that are accepted by both.

Please understand this simple point, otherwise it makes no sense to continue this debate.

On 7/11/24 04:40, Walter Bright wrote:
> On 7/10/2024 5:19 PM, Timon Gehr wrote:
>> On 7/10/24 23:50, Walter Bright wrote:
>>> On 7/8/2024 4:18 PM, Timon Gehr wrote:
>>>> The simple fact is that if you program in a language without footguns, you are free to not worry about shooting your own foot. (Assuming you like having feet.)
>>>
>>> A "footgun" is just another word for "bug".
>>
>> This is not true. A footgun in this context is something that encourages the creation of bugs. A "footgun" is another word for "error-prone design".
> 
> 2's complement arithmetic? Floating point arithmetic? Operator precedence?
> 
> All of those are footguns.

2's complement arithmetic is indeed something people have complained about. I don't think `core.checkedint` is a good solution, but it should at least indicate that people were unsatisfied. I have complained about the D specification's approach to floating-point arithmetic in the past. Operator precedence is something that D actually innovated on in comparison to C in order to make it less error prone.

> We live with them because attempts to avoid them make for slow and complex code.
> ...

This justification does not extend to everything that is a footgun. Some features are just unmitigated footguns, with essentially no upsides. Sometimes fixing a footgun is as simple as making syntax more explicit, as it is in this case.

> Back in the 70's, I read the "Pascal User Manual and Report", and decided to try to write some programs in Pascal. Wirth had removed so many footguns, I could not write a useful program with it. It also just looked ugly. Wirth simply went too far. Subsequent implementations of Pascal had to add a lot of footguns to make it a useful language.
> ...

ok.

> 
>> There is a wide spectrum between the two extremes. You are here engaging in unproductive black and white thinking.
> 
> I'm illustrating a point - that moving to "a language without footguns" is not practical.

My point was not even that it is practical. :/ Please consider the context of my post.

Someone said that you have to choose between security and freedom, I said security is a form of freedom, someone doubted it. I therefore picked out an extreme (maybe unrealizable?) example to demonstrate that yes, security is indeed a form of freedom.

> In solving engineering problems, a very productive way of settings up is specifying the boundary conditions. Same here.
> 
> May I say you brought it up!
> ...

No, I don't think you can. Context matters. It is you who completely ignored the boundary conditions of my post and went off on a tangent.

> 
>> Again, just watch your own keynote from last year's DConf. All airplanes can crash, that does not mean all cockpit designs are equivalent.
> 
> I regularly emphasize "use your best judgement",

I am.

> not blindly following rules. I don't rigidly follow all the rules in my presentation, either.
> ...

I am not advocating rigidly following all rules in your presentation.

But when you of all people deviate, there should be a justification for it. You have so far failed to give one that is satisfactory. All you did was give justifications for _other_ footguns in the language, and you argued against footguns that are _not_ in the language, and that I am not even proposing. The only line of argument that would structurally work as a justification is your outlandish outright denial that C bitfields are a footgun, but this is so far removed from reality that it is unpersuasive as well.

> Not matching C's and C++'s struct layouts by default is a pretty big footgun, and it includes the risk of memory corruption. One also would be less likely to have added tests for it.
> ...

I agree. What is your point? Do you think best judgment would indicate that we need a footgun like that? I disagree.

If your point is actually that _I_ am in some way the one proposing layout mismatches, well I am not. You would be misrepresenting my point, utterly and absolutely.

> Use of bitfields

This is the memory safety thread, not the bitfield thread, but okay.

> for externally imposed layouts is a frankly unusual case, and having one's layout not match it quite right is rather normal when doing such things. One would expect testing to cover it. It also is not a memory corruption problem. I.e. it's a much smaller footgun.
> ...

Differences in layout may also move pointers around, even if the differences originate from bitfields.

> P.S. What about extern(C) vs extern(D) functions? Is that a footgun? No, because the linker will barf if your code conflates the two.

Well, what am I to say? I approve. This is sane. Why is it sane? Because `extern(D)` somewhat deviates from C insanity, by mangling names.

> The linker has no information on struct layouts.

This is why, clearly, `extern(C)` and `extern(D)` bitfields would need to have compatible layouts for code that is accepted by both.

(Anyway, arguably it could also be a good idea to put a hash of the struct layout in mangled names.)

> Neither does a shared library interface.
> 
> Iain has complained bitterly in the past, with 100% justification, that we'd change the struct layouts in the D front end and neglect to change the corresponding .h files. The result was always mysterious and difficult to find bugs. The end result was the tool to autogenerate frontend.h and compare it for differences. Do we really want to inflict that on our users by default?

No, of course we do not want to inflict that on our users by default... Note the structure of your argument here, which is "look at this insane C footgun design!". I am the one proposing more layout sanity in this situation. You are the one advocating for less sanity in layouts. Please stop trying to somehow pretend it is the other way around. It's tiresome.

> Matching the layout is a big deal.
> 

Of course!

On 7/11/24 07:59, Walter Bright wrote:
> On 7/10/2024 7:33 PM, Richard (Rikki) Andrew Cattermole wrote:
>> The point is, once @safe is the default, that capability goes away without @infer.
> 
> I understand that.
> 
> First, @system code should be a very small part of a program. If complex things are being done with layers of templates in @system code, I propose that is a badly designed program.
> ...

So? A template library should still work with `@system` lambdas.

> Second, just declare them @trusted until one gets around to a proper refactoring.
> 
> In fact, I've been doing just that. Adding @safe: at the top, and then everything that fails to compile gets marked @trusted. Eventually, refactor the code as time permits.
> 
> No need for Yet Another Attribute.

If even the main language designer advocates for randomly sprinkling `@trusted` to shut up the compiler, there is no hope for memory safe D.

On 7/11/24 04:36, Walter Bright wrote:
> On 7/10/2024 7:31 PM, Walter Bright wrote:
>> The missing feature is there:
>>
>> ```
>> @safe {
>>     .. templates that must be safe ..
>> }
>>
>> .. templates that infer safe ..
>> ```
> 
> I might also add that it is good practice to put your unsafe code in another module, as well as code that may be inferred as unsafe.
> 
> In any case, we can keep adding more and more features to the language that add very little. But it's not going to go well, and nobody is going to read the 1000 page specification. C and C++ have both gone down that path.
> 
> 

The simple point remains that Steven is absolutely correct that putting `@safe:` does not work.

On 7/10/2024 11:31 PM, Richard (Rikki) Andrew Cattermole wrote:
> Yeah I get that, but that is a major problem for things like std.algorithm.
> 
> There will be situations without a migration path forward.

Pass @trusted arguments to the templates.

The truth is about every piece of existing code not already annotated is going to fail to compile with safe-by-default. That's been my experience, at least.

The migration path is to mark the stuff with @trusted. You can see that in the dmd source code.

On 7/11/2024 12:53 AM, Paolo Invernizzi wrote:
> So, the solution is just turn your program into a gigantic facade of @safe, until you have time to refactor it as really @safe?

Yes.

Let's say you have a spaghetti flow graph of a pile of functions calling each other. Some of them are not safe, and so the functions that call the functions that call the functions are not safe, in recursive cycles (like the compile implementation!). How do you go about making the whole thing safe? It's most practical to do things incrementally - so mark everything trusted, and then, starting with the leaves, rework them to make them safe.

Trying to redo it all in one go is only going to lead to frustration.

On 7/9/2024 8:58 AM, Nick Treleaven wrote:
> Any pattern to subvert safe involves the `@trusted` attribute (except for compiler bugs, which editions help to fix). `@trusted` is an obvious flag in code review that memory-safety may be violated. Grepping for `@trusted` is an easy way to narrow down places where memory-safety is violated.
> 
> Arguing that @trusted can be abused is a tiny problem compared to the far harder to detect abuse in @system by default code.

That's right. Converting an entire program to @safe can be done successfully by doing it incrementally, getting it to pass its test suite at each step. The way to do it incrementally is to start by labeling each function @trusted, then making them @safe one by one.

I've done this, it works.

And, as you observe, grepping for "@trusted" makes for a builtin-in TODO list!

On Sunday, 7 July 2024 at 09:47:51 UTC, Sebastian Nibisz wrote:
> On Sunday, 7 July 2024 at 00:48:49 UTC, monkyyy wrote:
>> On Saturday, 6 July 2024 at 22:48:32 UTC, Sebastian Nibisz
>>> Is a car that has airbags deactivated by default before each drive safe?
>>
>> Is a car that has seatbelts unhooked by default safe? Is a car that can active the engine without annotating which seats are being sat in safe?
>
> Cars warn when you don't wear your seat belt. The newest cars won't let you drive.

Out of curiosity, which cars won't let you drive if you don't have the seat belt on?

That sounds like a really bad (and potentially dangerous) design.