Question and proposal: Can D be used to compile and run untrusted plug-ins?

Brian Callahan bcallah at openbsd.org
Tue Dec 7 19:31:46 UTC 2021


On Saturday, 4 December 2021 at 11:33:21 UTC, Moamen Abdelsattar 
wrote:
> I've recently known that D functions can be marked as `@safe`, 
> which makes all unsafe operations disallowed inside the 
> function. My question is: Can this feature be used to compile 
> and run untrusted D code safely?
> I mean: Let's say we have a program written in D or C, and we 
> want to allow the user to extend the program by writing 
> plug-ins and compiling them into dynamic libraries (like 
> Notepad++ plug-ins).
> Now the plug-in can access all system calls and can do 
> something malicious, but what if the plug-in is written in D 
> and we have something like `-forceSafe` compiler flag (which is 
> the proposal) that will force every function written by the 
> user to be `@safe`. Now, the user can only import the 
> application's API and use it to perform functions and can't 
> access the system directly. Is that true?

What you want appears to be similar to the pledge(2) system call 
from OpenBSD:
https://man.openbsd.org/pledge.2

It is available on all D compilers, but only when running your 
code on OpenBSD.

~Brian
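As an added illustration (not code from the thread), the plug-in below is `@safe` yet still writes a file, since `@safe` only forbids memory-unsafe operations and calls to `@system` functions, not I/O; the host therefore uses pledge(2) to limit what the process may do before the plug-in runs. Note also that a plug-in author can mark code `@trusted` to call `@system` functions again, so a `-forceSafe` flag would need to reject `@trusted` as well. The hand-written `pledge` declaration and `pluginEntry` are assumptions for this example; it only restricts anything when built and run on OpenBSD.

```d
// Added example: host restricting an @safe plug-in with pledge(2).
// pledge(2) is declared by hand here (assumption: no druntime binding relied on).
version (OpenBSD)
    extern (C) int pledge(const(char)* promises, const(char)* execpromises) @system;

// Hypothetical plug-in entry point that a "-forceSafe" flag would make @safe.
// @safe rejects pointer arithmetic, casts away from const, and calls to
// @system functions such as core.stdc.stdlib.system at compile time, but
// std.file's wrappers are @safe, so ordinary file I/O is still permitted:
// @safe is a memory-safety guarantee, not a syscall sandbox.
string pluginEntry(string input) @safe
{
    import std.file : write;
    write("plugin-output.txt", input);   // compiles fine under @safe
    return "processed: " ~ input;
}

// Host side: narrow the process's kernel surface before handing control over.
void main()
{
    import std.stdio : writeln;

    version (OpenBSD)
    {
        // "stdio" only: the "wpath"/"cpath" promises needed to create and write
        // a file are deliberately withheld, so the write() in pluginEntry is
        // terminated by the kernel (SIGABRT) instead of succeeding.
        if (pledge("stdio", null) != 0)
            assert(0, "pledge failed");
    }

    writeln(pluginEntry("hello"));
}
```

On other platforms the program runs unrestricted, which is exactly the gap the thread is about: the attribute system alone does not confine what an @safe plug-in may ask the OS to do.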