> you’ll see how constant expressions are used to set up complex invariants based on the word size of the machine the code is compiled on.
It's a minor detail but this definitely should be "compiled for" instead of "compiled on", cross-compilation would not work correctly otherwise.
Aside from that I'm not sure if using extra types and constants to prevent stderr etc from being modified is an improvement. Sure you could maybe cause a race condition by changing it in the middle of writing, but how often are new programmers changing stderr at all? What's probably more common is setting it once at the beginning of the program, for example to redirect stderr to logcat on Android. And this change doesn't fix bugs in any legitimate uses, it simply makes them impossible. So I'm not sure who benefits, people who are modifying stderr in a buggy way, but had no reason to do so at all and just didn't realize it?
Same thing with sentinel values. Does any major Go program work by reassigning io.EOF? Has anyone done it by accident ever?
Generally, I don't think the threat model should be a willfully malicious programmer trying to cause problems, or at least it's not a useful model for Go since it's already totally inadequate for dealing with that scenario at a language level.
Rather than what's theoretically possible I think it would be better to focus on what mistakes are commonly made (or have especially severe consequences like security vulnerabilities) and only add program/language complexity where a cost/benefit analysis shows a strong case. That's not to say there isn't one here but I'm unconvinced by the provided examples or personal Go experience.
It's a minor detail but this definitely should be "compiled for" instead of "compiled on", cross-compilation would not work correctly otherwise.
Aside from that I'm not sure if using extra types and constants to prevent stderr etc from being modified is an improvement. Sure you could maybe cause a race condition by changing it in the middle of writing, but how often are new programmers changing stderr at all? What's probably more common is setting it once at the beginning of the program, for example to redirect stderr to logcat on Android. And this change doesn't fix bugs in any legitimate uses, it simply makes them impossible. So I'm not sure who benefits, people who are modifying stderr in a buggy way, but had no reason to do so at all and just didn't realize it?
Same thing with sentinel values. Does any major Go program work by reassigning io.EOF? Has anyone done it by accident ever?
Generally, I don't think the threat model should be a willfully malicious programmer trying to cause problems, or at least it's not a useful model for Go since it's already totally inadequate for dealing with that scenario at a language level.
Rather than what's theoretically possible I think it would be better to focus on what mistakes are commonly made (or have especially severe consequences like security vulnerabilities) and only add program/language complexity where a cost/benefit analysis shows a strong case. That's not to say there isn't one here but I'm unconvinced by the provided examples or personal Go experience.