safety model in D
Don
nospam at nospam.com
Wed Nov 4 07:11:31 PST 2009
Andrei Alexandrescu wrote:
> Don wrote:
>> Andrei Alexandrescu wrote:
> module(safe) is not a comment. We need three types of modules because of
> the interaction between what the module declares and what the command
> line wants.
>
> Let's assume the default, no-flag build allows unsafe code, like right
> now. Then, module(safe) means that the module volunteers itself for
> tighter checking, and module(system) is same as module unadorned.
>
> But then if the user compiles with -safe, module(safe) is the same as
> module unadorned, and module(system) allows for unchecked operations in
> that particular module. I was uncomfortable with this, but Walter
> convinced me that D's charter is not to allow sandbox compilation and
> execution of malicious code. If you have the sources, you may as well
> take a look at their module declarations if you have some worry.
>
> Regardless on the result of the debate regarding the default compilation
> mode, if the change of that default mode is allowed in the command line,
> then we need both module(safe) and module(system).
When would it be MANDATORY for a module to be compiled in safe mode?
If module(safe) implies bound-checking *cannot* be turned off for that
module, would any standard library modules be module(safe)?
>> This actually seems pretty similar to public/private.
>> I see three types of modules:
>>
>> module : the default, should compile in -safe mode.
>> module(system) : Modules which need to do nasty stuff inside, but for
>> which all the public functions are safe.
>> module(sysinternal/restricted/...): Modules which exist only to
>> support system modules. This will include most APIs to C libraries.
>>
>> Modules in the outer ring need to be prevented from calling ones in
>> the inner ring.
>
> Well I wouldn't want to go any dirtier than "system", so my "system"
> would be your "sysinternal". I'd like to milden "system" a bit like in
> e.g. "trusted", which would be your "system".
Yeah, the names don't matter. The thing is, modules in the inner ring
are extremely rare. I'd hope there'd be just a few in druntime, and no
public ones at all in Phobos.
More information about the Digitalmars-d
mailing list