NLL does not affect things that implement Drop. This is called "eager drop", and while it would only affect unsafe code, we deemed it to be too likely to cause problems with said code. Even though it's unsafe, we don't want to make that even harder to understand.
That makes sense. A developer writing unsafe code can more easily and clearly control their drops by introducing new scopes than deciphering where the eager drop happened.
I'm somewhat okay with the parsing ones using unsafe if we can be very sure that the unsafe code actually has a performance impact, and be very careful about it. Some of them already do this, but not all.
So why is `unsafe` even in the language, then? It would seem to me that it simultaneously undermines safety guarantees, and it can't even ensure performance improvements.
So I'm curious, can you point to known problems with Haskell or ML that do not involve using the unsafe features? Scala has problems even without resorting to "unsafe" features like casting or native methods.
It looks as if the new language would not have helped the first problem, unless it lacks lambda support, or prevents capturing by copy. On first impression, I would chalk that fault up to over-use of refcounting, something that the new language seems like it would make worse.
The second seems like bypassing the type system, something you would have misused "unsafe" for in the new language.
True. What I really meant is that safe code can interact with unsafe code, and thus cannot guarantee everything working correctly. Of course, this is bug with unsafe code, my bad.
Yes, safety was the initial motivation. The advantage is that you free once and the semantics are more stack like. The performance is an additional benefit.
It is entirely possible to have no bugs in the <100 lines needed for this code, so I don't think the bug argument is valid. adrusi did raise a legitimate concern however.
Reading the article made me wonder when the remove of unsafe was due to refactoring the code and when it was enabled by enhancements to the language since the code was originally written.
A safe language isn't a language that lets you do things safely, it's a language that will not let you do them unsafely, or will at least make it hard to do so.
The moment you allow things that don't work well with the prover, people will use them, and the whole ecosystem becomes unsafe. And by extension, your code becomes unsafe, if the compiler can't reason about what happens when your code calls theirs.
Plus, unless you have just the right linter set up, you can still accidentally mess up and do something unsafe if the compiler lets you.
IIRC it's simultaneously not 100% safe because it can't stop R-W bugs (iterator invalidation, etc), and also more restrictive because it allows a smaller set of lifetime relations. This may have changed since I last saw it, which was admittedly quite a while ago.
Still, major improvement. Could very well be "enough", practically speaking.
when iterators can’t be used and llvm can’t elide you can use unsafe to elide by hand. the scenarios where the performance matters and iterators can’t be used are thankfully pretty rare so not much unsafe has to be used for this reason.
Good point, but unsafe code works just fine without compiling to native in the first place. JIT CIL unsafe code would probably perform identically to compiled code, as you'd only use unsafe code inside tight loops anyway - and the JIT will have compiled it to native on/before the first pass through.
reply