• Walter Bright (3/3) Jul 11 https://www.youtube.com/watch?v=lkgszkPnV8g
• Timon Gehr (34/39) Jul 11 Well, the situation in D is overall much better, but I wouldn't say it
• Walter Bright (29/64) Jul 12 `-release` hasn't turned of bounds checking for something like 15 years....
• Timon Gehr (37/93) Jul 12 ```d
• Walter Bright (2/3) Jul 12 It'll give the bounds check error for @safe code even with -release.
• Timon Gehr (6/14) Jul 12 I am aware. In C++ you can get the bounds check with std::vector::at.
• cc (7/9) Jul 19 This is very interesting because until this past week or so I
• Paul Backus (5/14) Jul 19 -release includes -boundscheck=safeonly, which turns off bounds
• monkyyy (3/7) Jul 11 d is buggy and there are several things I believe cant be fixed
• =?UTF-8?Q?Ali_=C3=87ehreli?= (6/11) Aug 02 It was a bonus slide in one of my meetup presentations. It comes with
• Walter Bright (4/10) Aug 03 Haha, a response to the same cppcon talk!

Walter Bright <newshound2 digitalmars.com> writes:

https://www.youtube.com/watch?v=lkgszkPnV8g

This is a great talk. In my first pass, D doesn't suffer from any of them.

Anyone want to verify?

Timon Gehr <timon.gehr gmx.ch> writes:

On 7/11/24 22:36, Walter Bright wrote:
 https://www.youtube.com/watch?v=lkgszkPnV8g
 
 This is a great talk. In my first pass, D doesn't suffer from any of them.
 
 Anyone want to verify?

Well, the situation in D is overall much better, but I wouldn't say it 
does not suffer from any of them.


- std::vector::operator[]:
   D code still suffers from unrecoverable range errors that would crash 
the website, it's just not a memory safety issue unless you pass badly 
designed compiler flags like `-release`.


- std::map::operator[]:
   Not a problem in D.


- get_default():
   Potential for lifetime error fixed with DIP1000.
   Still potentially a performance problem in D without DIP1040.


- volatile:
   Not clear, but I guess `volatile` is less popular nowadays.
   https://dlang.org/phobos/core_volatile.html
   D also does not have a full `shared` story so far.


- shared_ptr thread-safe:
   Potentially fixed because D has transitive `shared`. But again, 
`shared` is unfinished. Or use GC.


- shared_ptr bonus bug:
   Simple pattern like the one on the slide seem superficially fixable 
with DIP1000, but in general in D it is not possible to make smart 
pointer dereferencing safe. Can use GC though.


- lock bug:
   That syntax would not lock until the end of the scope in D either, 
but for different reasons. But there is no reason to expect it would 
work, so I guess we can consider this fixed in D.


I guess the lessons are:

- D also does not have static typing to rule out range errors.
- D also does not have memory safety for general allocator-backed 
container types.
- remove `-release`
- implement DIP1040.
- finalize `shared`.

Walter Bright <newshound2 digitalmars.com> writes:

On 7/11/2024 3:39 PM, Timon Gehr wrote:
 - std::vector::operator[]:
    D code still suffers from unrecoverable range errors that would crash the 
 website, it's just not a memory safety issue unless you pass badly designed 
 compiler flags like `-release`.

`-release` hasn't turned of bounds checking for something like 15 years. To 
disable it, `-noboundscheck` is required.

What a range check error does can be set with the `-checkaction` switch:

-checkaction=[D|C|halt|context]
                     behavior on assert/boundscheck/finalswitch failure

 - std::map::operator[]:
    Not a problem in D.
 
 
 - get_default():
    Potential for lifetime error fixed with DIP1000.
    Still potentially a performance problem in D without DIP1040.
 
 
 - volatile:
    Not clear, but I guess `volatile` is less popular nowadays.
    https://dlang.org/phobos/core_volatile.html

Those are special functions, and the documentation is explicit about what they 
are for, and not for, and atomic operations are in the "not" category. They are 
not part of the type system of the language.

    D also does not have a full `shared` story so far.

It's a far better story than C++ has.


 - shared_ptr thread-safe:
    Potentially fixed because D has transitive `shared`. But again, `shared`
is 
 unfinished. Or use GC.


 - shared_ptr bonus bug:
    Simple pattern like the one on the slide seem superficially fixable with 
 DIP1000, but in general in D it is not possible to make smart pointer 
 dereferencing safe.

It is possible by blocking any attempts at bypassing the interface of it.

 Can use GC though.

Yup. Not the unsafe mess shared_ptr is.


 - lock bug:
    That syntax would not lock until the end of the scope in D either, but for 
 different reasons. But there is no reason to expect it would work, so I guess
we 
 can consider this fixed in D.

Unmentioned is the "if it looks like a declaration it is one" ambiguity bug, 
that featured fairly prominently in the talk. D does not allow:

```
void test()
{
     int (x);
}
```
Error: undefined identifier `x`

as a declaration of x.


 I guess the lessons are:
 
 - D also does not have static typing to rule out range errors.

I don't understand that. If you have resizeable arrays, static typing is not 
going to give you compile time guarantees. D does allow static arrays, which
can 
rule out range errors for statically known indices.


 - D also does not have memory safety for general allocator-backed container
types.

That wasn't in his talk.


 - implement DIP1040.

We'll be moving forward with that.

 - finalize `shared`.

The idea is to disallow use of shared if it cannot be done atomically - 
std.atomic would need to be used.

Timon Gehr <timon.gehr gmx.ch> writes:

On 7/12/24 22:13, Walter Bright wrote:
 On 7/11/2024 3:39 PM, Timon Gehr wrote:
 - std::vector::operator[]:
    D code still suffers from unrecoverable range errors that would 
 crash the website, it's just not a memory safety issue unless you pass 
 badly designed compiler flags like `-release`.

 
 `-release` hasn't turned of bounds checking for something like 15 years. 
 To disable it, `-noboundscheck` is required.
 ...


```d
void main(){
     auto a=[1,2,3];
     a[3]=2;
}
```

```bash
$ dmd -run tt
core.exception.ArrayIndexError tt.d(4): index [3] is out of bounds for 
array of length 3
----------------
??:? onArrayIndexError [0x5a712bff44b2]
??:? _d_arraybounds_indexp [0x5a712bff180f]
??:? _Dmain [0x5a712bff1780]
```

```bash
dmd -release -run tt
```

(crickets.)

 ...
 - volatile:
    Not clear, but I guess `volatile` is less popular nowadays.
    https://dlang.org/phobos/core_volatile.html

 
 Those are special functions, and the documentation is explicit about 
 what they are for, and not for, and atomic operations are in the "not" 
 category. They are not part of the type system of the language.
 ...

I am aware.

    D also does not have a full `shared` story so far.

 
 It's a far better story than C++ has.
 ...

I acknowledged as much at the beginning of my post.
I like D and I dislike C++.

 
 - shared_ptr thread-safe:
    Potentially fixed because D has transitive `shared`. But again, 
 `shared` is unfinished. Or use GC.

 
 
 - shared_ptr bonus bug:
    Simple pattern like the one on the slide seem superficially fixable 
 with DIP1000, but in general in D it is not possible to make smart 
 pointer dereferencing safe.

 
 It is possible by blocking any attempts at bypassing the interface of it.
 ...

Well, the example was specifically about the dereference operator 
returning by `ref`.

 
 I guess the lessons are:

 - D also does not have static typing to rule out range errors.

 
 I don't understand that. If you have resizeable arrays, static typing is 
 not going to give you compile time guarantees.

It can do that. Neither D nor C++, nor other particularly popular 
languages are doing it yet though.

There are entire compilers that have been verified for functional 
correctness by the type systems of their implementation languages. This 
in particular includes absence of runtime errors, which is not even 
prone to misspecification errors.

 ...
 
 - D also does not have memory safety for general allocator-backed 
 container types.

 
 That wasn't in his talk.
 ...

`shared_ptr` was in the talk. The language-level safety challenges 
remain basically the same, whether you build your data structures out of 
`shared_ptr`s or not.

 ...
 - finalize `shared`.

 
 The idea is to disallow use of shared if it cannot be done atomically - 
 std.atomic would need to be used.

At the moment, basic druntime synchronization functionality does not 
compile with `-preview=nosharedaccess`.

Class references cannot be tail-`shared`. etc.

Walter Bright <newshound2 digitalmars.com> writes:

On 7/12/2024 2:16 PM, Timon Gehr wrote:
 (crickets.)

It'll give the bounds check error for  safe code even with -release.

Timon Gehr <timon.gehr gmx.ch> writes:

On 7/13/24 01:25, Walter Bright wrote:
 On 7/12/2024 2:16 PM, Timon Gehr wrote:
 (crickets.)

 
 It'll give the bounds check error for  safe code even with -release.
 

I am aware. In C++ you can get the bounds check with std::vector::at.

Anyway, your point was:

On 7/12/24 22:13, Walter Bright wrote:
 
 `-release` hasn't turned of bounds checking for something like 15 years. 
 To disable it, `-noboundscheck` is required.

This is false. Nothing else is required to turn off some bounds checks 
with `-release`, escalating out-of-bounds accesses to a memory safety issue.

cc <cc nevernet.com> writes:

On Friday, 12 July 2024 at 20:13:24 UTC, Walter Bright wrote:
 `-release` hasn't turned of bounds checking for something like 
 15 years. To disable it, `-noboundscheck` is required.

This is very interesting because until this past week or so I 
thought -release implied -noboundscheck as well.  I think I've 
been using D around 8 or 9 years now.  I had already stopped 
using -release some time ago, but nonetheless, whatever 
documentation there was for those command line args must have 
been veeery slow to catch up to reality.

Paul Backus <snarwin gmail.com> writes:

On Friday, 19 July 2024 at 14:34:33 UTC, cc wrote:
 On Friday, 12 July 2024 at 20:13:24 UTC, Walter Bright wrote:
 `-release` hasn't turned of bounds checking for something like 
 15 years. To disable it, `-noboundscheck` is required.

 This is very interesting because until this past week or so I 
 thought -release implied -noboundscheck as well.  I think I've 
 been using D around 8 or 9 years now.  I had already stopped 
 using -release some time ago, but nonetheless, whatever 
 documentation there was for those command line args must have 
 been veeery slow to catch up to reality.

-release includes -boundscheck=safeonly, which turns off bounds 
checking in  system and  trusted code.

Most D code is not (yet)  safe, so the result is that most D code 
will have its bounds checks removed when using -release.

monkyyy <crazymonkyyy gmail.com> writes:

On Thursday, 11 July 2024 at 20:36:35 UTC, Walter Bright wrote:
 https://www.youtube.com/watch?v=lkgszkPnV8g

 This is a great talk. In my first pass, D doesn't suffer from 
 any of them.

 Anyone want to verify?

d is buggy and there are several things I believe cant be fixed 
without a major rewrites; it wont be any good to pretend otherwise

=?UTF-8?Q?Ali_=C3=87ehreli?= <acehreli yahoo.com> writes:

On 7/11/24 1:36 PM, Walter Bright wrote:
 https://www.youtube.com/watch?v=lkgszkPnV8g
 
 This is a great talk. In my first pass, D doesn't suffer from any of them.
 
 Anyone want to verify?

It was a bonus slide in one of my meetup presentations. It comes with 
horrible audio and speaker accent but here it is:

   https://youtu.be/qrxxgYwU1X0?t=903

Ali
"yes, alive"

Walter Bright <newshound2 digitalmars.com> writes:

On 8/2/2024 8:07 PM, Ali Çehreli wrote:
 It was a bonus slide in one of my meetup presentations. It comes with horrible 
 audio and speaker accent but here it is:
 
    https://youtu.be/qrxxgYwU1X0?t=903

Haha, a response to the same cppcon talk!

Would you consider re-recording it?

 Ali
 "yes, alive"


Glad to hear it!