Case by case is all fine and good. But you're trying to argue what a programmer 
*should* do if he knew what was good for him. While I'm trying to argue that 
the programmer should be *free* to test how fast his code would run without 
bounds checking, just for the hell of it. You want to enforce best practices 
while I want to allow freedom to choose. 

I don't know about those other dialects.

In D, if you put the label safe at the beginning of each module and compile it 
with the safe flag (and not with the noboundscheck flag), then it is memory safe 
barring compiler bugs. It doesn't allow you to use pointer arithmetic or unsafe 
casts or call unsafe functions, but that's hardly what I'd call a *crippled* 
subset of the language. 

But the point was that D has a memory safe subset and a noboundscheck flag 
which obviously makes the compilation *not* memory safe. And I was wondering 
why Rust can't have this flag too. 

> On 28 Mar 2014, at 04:26, Daniel Micay <danielmi...@gmail.com> wrote:
> 
>> On 27/03/14 10:04 PM, Tommi Tissari wrote:
>> Opting in case by case is not the same thing as having a compiler flag which 
>> you can toggle without modifying the source.
> 
> A case-by-case basis preserves the safety guarantees of the language and
> doesn't introduce a new dialect. It also means you can deal with this on
> a case-by-case basis with careful auditing rather than assuming the
> entire program is correct. It's not even viewed as *wrong* to do an
> out-of-bounds index at the moment - it causes failure, not an abort.
> 
>> Perhaps bounds checking is the only safety measure which has runtime 
>> penalty? (Not sure about that)  But that would explain why it would be a 
>> separate flag.
> 
> There's also dynamic borrow checking on RefCell, and many functions
> check for integer overflow when it would cause memory unsafety.
> Lifetimes permit only a subset of the valid uses for references. Do you
> want a flag to turn off lifetime checking too? That would mean 4
> language dialects (no_bounds_check, no_bounds_check+no_lifetime_check,
> no_lifetime_check, rust). Should the entire test suite (excluding
> intentionally changed ones) be run for each supported language subset?
> I'm sure we have at least one test checking for bounds-checking failure.
> 
>> By the way, D is memory safe (although it's opt-in) and it has this 
>> noboundscheck flag. So I don't see what the problem is.
> 
> D is *not* memory-safe, with or without the noboundscheck flag... the
> flag makes it less memory safe than it already is, of course. If you're
> counting the crippled subset of the language available in functions
> marked safe, then sure - but that's not anything like Rust.
> 
_______________________________________________
Rust-dev mailing list
Rust-dev@mozilla.org
https://mail.mozilla.org/listinfo/rust-dev
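The case-by-case opt-out that Daniel describes, as an added example that is not part of the thread and not code from the Rust project: the checked version indexes normally and an out-of-range index panics (a failure the caller can catch with `catch_unwind`, not a process abort); the opt-out version validates every index once and then reads through `get_unchecked` inside a small, commented `unsafe` block, so the place that must be audited is a few lines rather than the whole program. The function names and the sample data are the example's own.

```rust
// Added example (not from the rust-dev thread): opting out of bounds checks
// per call site with `unsafe`, versus a whole-program compiler flag.
use std::panic;

/// Checked version: every `xs[i]` is bounds-checked. An out-of-range index
/// causes a panic (a recoverable failure), not an abort of the process.
pub fn sum_at(xs: &[u32], idxs: &[usize]) -> u64 {
    idxs.iter().map(|&i| xs[i] as u64).sum()
}

/// Opt-out version. The function itself stays safe to call: it validates the
/// indices up front and only then uses `get_unchecked` inside a small
/// `unsafe` block. This is the "case-by-case" approach from the thread.
pub fn sum_at_unchecked(xs: &[u32], idxs: &[usize]) -> Option<u64> {
    // Invariant established here: every index is in range. Without this
    // check the `unsafe` block below would be a real memory-safety bug.
    if idxs.iter().any(|&i| i >= xs.len()) {
        return None;
    }
    let mut total: u64 = 0;
    for &i in idxs {
        // SAFETY: `i < xs.len()` was verified above and `xs` is a shared
        // borrow, so it cannot change between the check and this read.
        total += unsafe { *xs.get_unchecked(i) } as u64;
    }
    Some(total)
}

/// Shows that a checked out-of-bounds index is a panic the caller can
/// observe, rather than an abort of the whole process.
pub fn oob_is_a_panic() -> bool {
    let xs = [1u32, 2, 3]; // constructed sample data
    let result = panic::catch_unwind(|| sum_at(&xs, &[0, 7]));
    result.is_err()
}

fn main() {
    let xs = [10u32, 20, 30, 40]; // constructed sample data
    println!("checked:   {}", sum_at(&xs, &[0, 2, 3]));
    println!("unchecked: {:?}", sum_at_unchecked(&xs, &[0, 2, 3]));
    println!("unchecked, bad index: {:?}", sum_at_unchecked(&xs, &[0, 9]));
    println!("checked OOB panics rather than aborts: {}", oob_is_a_panic());
}
```

Note that `sum_at_unchecked` does not return something different from `sum_at` on valid input; the only difference is where the check happens (once, before the loop) and how much code a reviewer has to read to convince themselves the `unsafe` block is sound. A `-Z`-style flag that stripped checks program-wide would remove that locality.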