safety model in D

Jason House jason.james.house at gmail.com
Wed Nov 4 05:52:00 PST 2009


Aelxx Wrote:

> 
> "Andrei Alexandrescu" <SeeWebsiteForEmail at erdani.org> wrote the following in 
> news:hcr2hb$dvm$1 at digitalmars.com...
> > Jesse Phillips wrote:
> >> On Tue, 03 Nov 2009 17:55:15 -0600, Andrei Alexandrescu wrote:
> >>
> >>> There's a lot more, but there are a few useful subspaces. One is, if an
> >>> entire application only uses module(safe) that means there is no memory
> >>> error in that application, ever.
> >>>
> >>> Andrei
> >>
> >> Does that mean that a module that uses a "trusted" module must also be 
> >> marked as "trusted?" I would see this as pointless since system modules 
> >> are likely to be used in safe code a lot.
> >
> > Same here.
> >
> >> I think the only real option is to have the importer decide if it is 
> >> trusted.
> >
> > That can't work. I can't say that stdc.stdlib is trusted no matter how 
> > hard I try. I mean free is there!
> >
> >> I don't see a reasonable way to have third party certification. It is 
> >> between the library writer and application developer. Since the library 
> >> writer's goal should be to have a system module that is safe, he would 
> >> likely want to mark it as trusted. This would leave "system" unused 
> >> because everyone wants to be safe.
> >
> > Certain modules definitely can't aspire to be trusted. But for example 
> > std.stdio can claim to be trusted because, in spite of using untrusted 
> > stuff like FILE* and fclose, they are encapsulated in a way that makes it 
> > impossible for a safe client to engender memory errors.
> >
> >> In conclusion, here is a chunk of possible import options. I vote for the 
> >> top two.
> >>
> >> import(system) std.stdio;
> >> system import std.stdio;
> >> trusted import std.stdio;
> >> import(trusted) std.stdio;
> >> import("This is a system module and I know that it is potentially unsafe, 
> >> but I still want to use it in my safe code") std.stdio;
> >
> > Specifying a clause with import crossed my mind too, it's definitely 
> > something to keep in mind.
> >
> >
> > Andrei
> >
> How about this:
> system module foo ;
> ... (code)
> trusted module foo2 ;
> ... (code)
> safe module bar ;
> ... (code)
> 
> import foo, foo2, bar ; // status defined automatically from module 
> declaration.
> //  error: used system module 'foo' in safe application.
> 
> 


What stops an irritated programmer from marking every one of his modules as trusted? 

An even worse scenario would be if they created a safe facade module that imports all their pseudo-trusted code. As described so far, trust isn't transitive/viral.
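The scenario discussed in this message (a trusted wrapper that genuinely encapsulates system code, versus a trusted facade that merely forwards it) can be shown concretely. The following is an added illustration, not code from the thread or from the D standard library; it uses the function-level @safe / @trusted / @system attributes that D later adopted in place of the module-level module(safe) syntax under discussion, and every function name in it is made up for the example.

```d
// Added illustration, not code from the thread. It uses the function-level
// @safe / @trusted / @system attributes that D later adopted, in place of the
// module-level "module(safe)" syntax the thread is discussing.
import core.stdc.stdlib : free, malloc;

// @system: raw C memory management. Nothing here can be "trusted" as-is;
// this is the "free is there!" case from Andrei's reply.
@system int* rawAlloc(size_t count)
{
    return cast(int*) malloc(count * int.sizeof);
}

@system void rawFree(int* p)
{
    free(p);
}

// @trusted: a wrapper that uses the raw API internally but exposes an
// interface a safe caller cannot misuse (no pointer escapes). The compiler
// does not check this body; the author vouches for it, the way std.stdio
// would vouch for its own use of FILE* and fclose.
@trusted long sumOfSquares(size_t n)
{
    int* buf = rawAlloc(n);
    if (buf is null)
        return 0;
    scope (exit) rawFree(buf);   // freed exactly once, on every exit path
    long total = 0;
    foreach (i; 0 .. n)
    {
        buf[i] = cast(int) i;
        total += cast(long) buf[i] * buf[i];
    }
    return total;                // sumOfSquares(4) == 14
}

// The facade this message worries about: also @trusted, so callable from
// @safe code, but it hands out memory that has already been freed. Trust
// is granted by the author, not verified, and it is not transitive, so
// the compiler accepts this without complaint.
@trusted int* danglingFacade()
{
    int* p = rawAlloc(1);
    rawFree(p);
    return p;                    // dangling pointer handed to safe code
}

// @safe: the compiler checks every call made here.
@safe long client()
{
    long s = sumOfSquares(4);    // ok: @trusted is callable from @safe
    // int* p = rawAlloc(4);     // compile error: @safe code cannot call @system
    int* q = danglingFacade();   // also accepted: the facade is marked @trusted
    long bad = *q;               // compiles, but reads freed memory; the @safe
                                 // checker cannot see through the facade
    return s + bad;
}
```

The compiler guarantee Andrei describes (no memory error in an all-safe application) therefore rests entirely on the discipline of whoever writes @trusted code: reviewing each @trusted function for a sound, non-escaping interface is the check that the language itself does not perform.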
