Reddit: SafeD - The Safe Subset of D

Charles D Hixson charleshixsn at earthlink.net
Tue Mar 25 12:50:30 PDT 2008


Walter Bright wrote:
> Dejan Lekic wrote:
>> This simple concept is amazing, as is the fact that Modula-3 (as a 
>> language) had this (plus numerous other modern features) two decades ago.
> 
> Features from Modula-3 make me nervous, as Modula-3 was an abject 
> failure. I don't know why M3 failed, so I am suspicious of adopting 
> features without thoroughly understanding why M3 failed.

That particular feature, however, seems reasonable.  But I 
question the granularity.

I think that unsafe should be an attribute that could be set 
statically for a class or a function.  And read whenever you 
felt like reading it, of course.  But the question is, should 
it be set by the compiler, or by the programmer.  And what 
form should a check for safe vs. unsafe take?

One obvious form would be an assert check, but this presumes 
that unsafe code is allowed by default, and is only rejected 
if a test fails.

Another plausible approach would be to by default forbid the 
calling of unsafe code, and to have a pragma that allows it. 
This is a bit messy, as pragmas don't have nice boundary 
conditions.  (Rather like extern.  You either enable it for a 
statement/block, or for all succeeding statement/blocks. 
Still, a variation of pragma, the
pragma ( Identifier , ExpressionList )
form, could be nice.  I'm thinking of it having the form:
pragma (AllowUnsafe, class1, class2, etc, 
classk::unsafeFunction, etc.);
to allow the use of the specified unsafe code.  The reason for 
this form of the pragma is so that you don't accidentally 
allow all unsafe functions throughout and entire module by 
mistake.  Naturally the normal rules would still apply:  If 
you declared a pragma within a block, it would only apply 
within that block.

If you're adopting the pragma form, then the code could be 
detected as unsafe by the compiler, and only it's use 
forbidden (unless specifically allowed).

I haven't been able to think of any reason for dynamically 
allowing/forbidding the use of unsafe code, though I suppose 
such is possible.  In such a case it would probably be 
appropriate to use whatever form of allowance is decided upon, 
and then to forbid it with standard if statement (or try/catch 
blocks).


More information about the Digitalmars-d-announce mailing list