On Friday, 22 May 2020 at 03:36:03 UTC, Paul Backus wrote:
Someone has created bindings for a C library and published them on code.dlang.org. Because they were written prior to DIP 1028, the author assumed that @system was the default, and didn't bother to add explicit annotations to @system functions. Their code looks like this:

--- clibrary.d

    void monkey_around(...); // assumed @system-by-default

---

Months or years later, I decide to write a D program that makes use of these bindings. By then, @safe-by-default has been fully implemented. I add `clibrary` as a dependency to my Dub project and write the following code:

--- app.d

    import clibrary;

    void main() // @safe-by-default
    {
        /* ... code ... */

        monkey_around(...);

        /* ... more code ... */
    }

---

My program compiles with no errors...and then corrupts memory at run-time, even
though every line of code I've written is @safe. Oops.

This is the nightmare scenario that people are worried about: safety violations
being introduced *silently* into existing, correct D code.

Honest question: What is the use case for an absolutely-positively-has-to-be-safe program that calls C code? Why would anyone ever do that? C is not and will never be a safe language. "Someone looked at that blob of horrendous C code and thinks it's safe" does not inspire confidence. Why not rewrite the code in D (or Rust or Haskell or whatever) if safety is that critical?
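As an added illustration (not code from either poster), here is how a binding author can keep the scenario above from compiling silently regardless of which default a future compiler picks: annotate the C prototype @system explicitly, and expose it to @safe callers only through a @trusted wrapper that enforces the bounds C cannot. The memset prototype is the standard libc one; the fill wrapper and buffer are constructed for this example.

```d
module app;

import std.stdio : writeln;

// The binding as it should be written: the explicit @system annotation does
// not depend on the compiler's default, so a @safe caller is always rejected.
// This is the real libc memset; only the prototype is declared here.
extern(C) @system nothrow @nogc
void* memset(void* s, int c, size_t n);

// @trusted wrapper: the slice carries its own length, so the wrapper can
// guarantee the write never exceeds the buffer before handing a raw pointer
// to C. @safe code may call this freely; the review burden is confined here.
void fill(ubyte[] buf, ubyte value) @trusted nothrow @nogc
{
    if (buf.length == 0) return;         // nothing to write, never pass a null/empty target
    memset(buf.ptr, value, buf.length);  // length comes from the slice, not from the caller
}

void main() @safe
{
    ubyte[8] buf;
    fill(buf[], 0xAB);
    writeln(buf);

    // memset(buf.ptr, 0, 64);
    // ^ With the explicit @system on the prototype this line is a compile
    //   error under any default ("@safe function 'main' cannot call @system
    //   function 'memset'"). Without the annotation, a @safe-by-default
    //   compiler would accept it, and the 64-byte write would overrun the
    //   8-byte buffer at run time, exactly the silent failure described above.
}
```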
