safety model in D
Andrei Alexandrescu
SeeWebsiteForEmail at erdani.org
Wed Nov 4 12:24:47 PST 2009
Michal Minich wrote:
> On Wed, 04 Nov 2009 13:12:54 -0600, Andrei Alexandrescu wrote:
>
>>> But I think there is no reason to use a -no-safe compiler flag ... for
>>> what reason would one want to force a safer program to compile as less
>>> safe :)
>> Efficiency (e.g. remove array bounds checks).
>>
>>> As I'm thinking more about it, I don't see any reason to have any
>>> compiler flag for safety at all.
>> That would be a great turn of events!!!
>>
>>
>> Andrei
>
> Memory safety is a pretty specific thing. If you want it, you want all of
> it, not just some part of it - otherwise you cannot call it memory safety.
I agree and always did.
> The
> idea of safe module, which under some compiler switch is not safe does
> not appeal to me.
Absolutely. Notice that if you thought I proposed that, there was a
misunderstanding.
> But efficiency is also important, and if you want it,
> why not move the code subjected to bounds checks to trusted/system module
> - I hope they are not checked for bounds in release mode. Moving parts of
> the code to trusted modules is more semantically describing, compared to
> crude tool of ad-hoc compiler switch.
Well, it's not as simple as that. Trusted code is not unchecked code -
it's code that may drop redundant checks here and there, leaving the code
correct even though the compiler cannot prove it. So no, there's no
complete removal of bounds checking. But a trusted module is allowed to
replace this:
foreach (i; 0 .. a.length) ++a[i];
with
foreach (i; 0 .. a.length) ++a.ptr[i];
The latter effectively escapes checks because it uses unchecked pointer
arithmetic. The code is still correct, but this time it's the human
vouching for it, not the compiler.
> One thing I'm concerned with, whether there is a compiler switch or not, is
> that the number of modules will increase, as you will probably want to split
> some modules in two, because some part may be safe and some not. I'm
> wondering why safety is not discussed at the function level, similarly to
> how pure and nothrow currently exist. I'm not sure this would be good, just
> wondering. Was this topic already discussed?
This is a relatively new topic, and you pointed out some legit kinks.
One possibility I discussed with Walter is to have version(safe) vs.
version(system) or so. That would allow a module to expose different
interfaces depending on the command line switches.
Andrei
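The checked and unchecked loops contrasted in the post, written out as a complete program. This is an added example, not code from the thread; it uses today's D function attributes @safe and @trusted (which postdate the module-level scheme discussed above) and refers to DMD's current -release and -boundscheck options.

```d
// Added illustration, not from the thread. Assumes current D (DMD) syntax:
// @safe / @trusted are function attributes, and `a.ptr[i]` is rejected in
// @safe code because indexing a raw pointer is unchecked.
import core.exception : RangeError;
import std.stdio : writeln;

/// Checked loop: a[i] is bounds-checked. In @safe code the check survives
/// even `-release`, because DMD then defaults to -boundscheck=safeonly.
void incrementChecked(int[] a) @safe
{
    foreach (i; 0 .. a.length)
        ++a[i];
}

/// Unchecked loop: a.ptr[i] is raw pointer arithmetic, which the compiler
/// cannot verify, so the function must be @trusted. The human now vouches
/// for the invariant i < a.length; the loop bound is the whole proof.
void incrementUnchecked(int[] a) @trusted
{
    foreach (i; 0 .. a.length)
        ++a.ptr[i];
}

/// A @trusted function is callable from @safe code. This is the "trusted
/// module behind a safe interface" pattern, and every @trusted function is
/// a review item, because the compiler's guarantee stops at its boundary.
void incrementBoth(int[] a) @safe
{
    incrementChecked(a);
    incrementUnchecked(a);
}

/// Failure mode: an out-of-range index through checked code fails loudly
/// with RangeError instead of silently touching memory. The same index via
/// a.ptr[i] would get no check at all. Errors cannot be caught in @safe
/// code, so this helper is deliberately left @system.
bool checkedIndexTraps()
{
    int[] a = [1, 2, 3];
    size_t i = a.length;          // one past the end, computed at run time
    try { a[i] = 0; } catch (RangeError) { return true; }
    return false;
}

void main()
{
    int[] a = [1, 2, 3];
    incrementBoth(a);
    writeln(a);
    writeln("checked index trapped: ", checkedIndexTraps());
}
```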