safety model in D

Andrei Alexandrescu SeeWebsiteForEmail at erdani.org
Wed Nov 4 07:27:25 PST 2009


Walter Bright wrote:
> Andrei Alexandrescu wrote:
>> Sketch of the safe rules:
>>
>> \begin{itemize*}
>> \item No @cast@ from a pointer type to an integral type and vice versa
> 
> replace integral type with non-pointer type.
> 
>> \item No @cast@ between unrelated pointer types
>> \item Bounds checks on all array accesses
>> \item  No  unions  that  include  a reference  type  (array,  @class@,
>>   pointer, or @struct@ including such a type)
> 
> pointers are not a reference type. Replace "reference type" with 
> "pointers or reference types".
> 
>> \item No pointer arithmetic
> 
>> \item No escape of a pointer  or reference to a local variable outside
>>   its scope
> 
> revise: cannot take the address of a local or a reference.
> 
>> \item Cross-module function calls must only go to other @safe@ modules
>> \end{itemize*}
> 
> add:
> . no inline assembler
> . no casting away of const, immutable, or shared

Ok, here's what I have now:

\begin{itemize*}
\item No @cast@ from a pointer type to a non-pointer type (e.g.~@int@)
   and vice versa
\item No @cast@ between unrelated pointer types
\item Bounds checks on all array accesses
\item No unions that include a pointer type, a reference type (array,
   @class@), or a @struct@ including such a type
\item No pointer arithmetic
\item Taking the address of a local is forbidden (in fact the needed
   restriction is to not allow such an address to escape, but that is
   more difficult to track)
\item Cross-module function calls must only go to other @safe@ modules
\item No inline assembler
\item No casting away of @const@, @immutable@, or @shared@
\end{itemize*}


Andrei
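The rule list above, exercised as D code. This is an added example, not part of the thread or of the D compiler sources: it uses the @safe, @system and @trusted function attributes as the released language defines them (per function rather than per module, with @trusted as the manually audited boundary between the two), so it shows where the sketch landed rather than the 2009 wording. The module and file name are assumed.

```d
// Added example (not from the thread): a D module whose @safe parts stay
// inside the sketched rules and whose @system part is the bounds-unsafe
// counterpart. Build and run the checks with:
//   dmd -unittest -run safe_rules_demo.d
module safe_rules_demo;

import std.stdio : writeln;

// Rule: bounds checks on all array accesses. In an @safe function the
// compiler keeps the check even under -release (default -boundscheck=safeonly),
// so an index past the slice raises RangeError instead of reading adjacent memory.
@safe int sumChecked(const(int)[] a, size_t lo, size_t hi)
{
    int total = 0;
    foreach (i; lo .. hi)
        total += a[i];
    return total;
}

// Counterpart that walks raw memory. Pointer arithmetic is legal here only
// because the function is @system; nothing stops n from running past the
// allocation, which is exactly what the @safe version rules out.
@system int sumUnchecked(const(int)* p, size_t n)
{
    int total = 0;
    for (size_t i = 0; i < n; ++i)
        total += *(p + i);
    return total;
}

// An @safe function may call only @safe or @trusted functions. @trusted marks
// a reviewed boundary: the wrapper re-establishes the invariant the @system
// code relies on (pointer and length come from the same slice) before calling it.
@trusted int sumViaPointer(const(int)[] a)
{
    return sumUnchecked(a.ptr, a.length);
}

@safe int useBoth(const(int)[] a)
{
    return sumChecked(a, 0, a.length) + sumViaPointer(a);
}

// The operations the sketch forbids, as the compiler enforces them today.
// Uncommenting any marked line makes dmd reject the function as not @safe.
@safe void forbiddenInSafe()
{
    int[] arr = [1, 2, 3];
    const(int)[] ro = arr;
    union Pun { int i; int* p; }
    Pun u;
    int local = 7;

    // size_t bits = cast(size_t) arr.ptr;   // pointer -> non-pointer cast
    // int* fake = cast(int*) 0x1000;        // non-pointer -> pointer cast
    // int* next = arr.ptr + 1;              // pointer arithmetic
    // int* addr = &local;                   // address of a local (the sketch's
    //                                       // rule; -preview=dip1000 relaxes it
    //                                       // by tracking scope instead)
    // int* viaUnion = u.p;                  // pointer member overlapping an int
    // int[] rw = cast(int[]) ro;            // casting away const
    // asm { nop; }                          // inline assembler
}

unittest
{
    int[] data = [1, 2, 3, 4];            // constructed sample input
    assert(useBoth(data) == 20);          // 10 via the checked path + 10 via the trusted one

    // An index past the end of the slice is caught, not silently read.
    // (unittest blocks are @system, so catching an Error is permitted here.)
    import core.exception : RangeError;
    bool caught = false;
    try
    {
        sumChecked(data, 0, 5);
    }
    catch (RangeError)
    {
        caught = true;
    }
    assert(caught);
}

void main()
{
    writeln(useBoth([1, 2, 3, 4]));       // 20
}
```

The point the list makes and the code shows is the division of labour: the @safe body can be checked mechanically against the rules, while the @trusted wrapper is the one place a reviewer must read by hand, because it vouches for @system code the compiler cannot verify.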


