safety model in D

Don nospam at nospam.com
Wed Nov 4 08:51:59 PST 2009


Andrei Alexandrescu wrote:
> Don wrote:
>> Andrei Alexandrescu wrote:
>>> Don wrote:
>>>> Andrei Alexandrescu wrote:
>>
>>> module(safe) is not a comment. We need three types of modules because 
>>> of the interaction between what the module declares and what the 
>>> command line wants.
>>>
>>> Let's assume the default, no-flag build allows unsafe code, like 
>>> right now. Then, module(safe) means that the module volunteers itself 
>>> for tighter checking, and module(system) is same as module unadorned.
>>>
>>> But then if the user compiles with -safe, module(safe) is the same as 
>>> module unadorned, and module(system) allows for unchecked operations 
>>> in that particular module. I was uncomfortable with this, but Walter 
>>> convinced me that D's charter is not to allow sandbox compilation and 
>>> execution of malicious code. If you have the sources, you may as well 
>>> take a look at their module declarations if you have some worry.
>>>
>>> Regardless on the result of the debate regarding the default 
>>> compilation mode, if the change of that default mode is allowed in 
>>> the command line, then we need both module(safe) and module(system).
>>
>> When would it be MANDATORY for a module to be compiled in safe mode?
> 
> module(safe) entails safe mode, come hell or high water.
> 
>> If module(safe) implies bound-checking *cannot* be turned off for that 
>> module, would any standard library modules be module(safe)?
> 
> I think most or all of the standard library is trusted. But don't forget 
> that std is a bad example of a typical library or program because std 
> interfaces programs with the OS.

I think it's not so atypical. Database, graphics, anything which calls a 
C library will be the same.
For an app, I'd imagine you'd have a policy of either always compiling 
with -safe, or ignoring it.
If you've got a general-purpose library, you have to assume some of your 
users will be compiling with -safe. So you have to make all your library 
modules safe, regardless of how they are marked. (Similarly, -w is NOT 
optional for library developers).

That doesn't leave very much.
I'm not seeing the use case for module(safe).
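The "trusted boundary" Don describes (a library module that calls into C, and therefore has to be safe whatever flags its users pass) looks like this in D's attribute-based form of the safety model (@safe / @trusted / @system on functions), which is what D later adopted instead of the module(safe) declaration debated in this thread. This is an added example, not code from the thread or from the D standard library; the module name, the function names and the sample inputs are constructed for illustration.

```d
// Added example: the audited boundary between @safe application code and
// a C library, in the function-attribute form of D's safety model.
// Assumed/hypothetical: module name, function names, sample inputs.
module cwrap;

import core.stdc.string : memcpy, strlen;

// @system: a raw C call. strlen reads until it finds a NUL byte, so a
// non-terminated buffer makes it read out of bounds. @safe code cannot
// call this directly; the compiler rejects the call.
size_t rawLen(const(char)* p) @system
{
    return strlen(p);
}

// @trusted: the library author vouches for this function. It accepts only
// a D slice and searches within the slice's own length, so no caller can
// make it read past the end, and it never depends on a NUL terminator.
size_t boundedLen(const(char)[] s) @trusted
{
    foreach (i, c; s)
        if (c == '\0')
            return i;
    return s.length;
}

// @trusted: the length check happens in D before any memory is handed to
// memcpy, so a @safe caller cannot overrun `dst` through this wrapper.
void copyInto(char[] dst, const(char)[] src) @trusted
{
    if (src.length > dst.length)
        throw new Exception("copyInto: source longer than destination");
    memcpy(dst.ptr, src.ptr, src.length);
}

// @safe: the only route to the C library from here is through the two
// @trusted wrappers above, which is exactly the surface a reviewer of
// this module has to audit.
void app() @safe
{
    char[8] buf;
    copyInto(buf[], "hello");
    assert(boundedLen(buf[]) == 8);        // no NUL byte inside the slice
    assert(boundedLen("ab\0cd") == 2);     // stops at the embedded NUL
    // rawLen("x".ptr);  // compile error: @system function called from @safe
}

void main() @safe
{
    app();
}
```

The point for a library author is the one Don makes: whether or not users build with -safe, every exported function that touches C has to be either @trusted with its checks done in D, or @system so that @safe callers are refused at compile time. Marking a function @trusted is a promise, not a check, so keep those wrappers small and reviewable.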