safety model in D

Andrei Alexandrescu SeeWebsiteForEmail at erdani.org
Wed Nov 4 20:21:14 PST 2009


Rainer Deyke wrote:
> Andrei Alexandrescu wrote:
>> Rainer Deyke wrote:
>>> '-safe' turns on runtime safety checks, which can be and should be
>>> mostly orthogonal to the module safety level.
>> Runtime vs. compile-time is immaterial.
> 
> The price of compile-time checks is that you are restricted to a subset
> of the language, which may or may not allow you to do what you need to do.
> 
> The price of runtime checks is runtime performance.
> 
> Safety is always good.  To me, the question is never if I want safety,
> but if I can afford it.  If I can't afford to pay the price of runtime
> checks, I may still want the compile-time checks.  If I can't afford to
> pay the price of compile-time checks, I may still want the runtime
> checks.  Thus, to me, the concepts of runtime and compile-time checks
> are orthogonal.

I hear what you're saying, but I am not enthusiastic at all about 
defining and advertising a half-pregnant state. Such a language is the 
worst of all worlds - it's frustrating to code in yet gives no guarantee 
to anyone. I don't see this going anywhere interesting. "Yeah, we have 
safety, and we also have, you know, half safety - it's like only a lap 
belt of sorts: inconvenient like crap and doesn't really help in an 
accident." I wouldn't want to code in such a language.

> A module either passes the compile-time checks or it does not.  It makes
> no sense to make the compile-time checks optional for some modules.  If the
> module is written to pass the compile-time checks (i.e. uses the safe
> subset of the language), then the compile-time checks should always be
> performed for that module.

I think that's the current intention indeed.

Andrei


