safety model in D

Don nospam at nospam.com
Wed Nov 4 07:19:18 PST 2009


Michal Minich wrote:
> Hello Michel,
> 
>> I'm not sure this works so well. Look at this:
>>
>> module memory;   // unsafe interface - unsafe impl.
>> extern (C) void* malloc(int);
>> extern (C) void free(void*);
>>
>> module (system) my.system;   // safe interface - unsafe impl.
>> import memory;
>> void test() { auto i = malloc(10); free(i); }   // ok: unsafe impl. allowed
>>
>> module (safe) my.safe;   // safe interface - safe impl.
>> import memory;
>> void test() { auto i = malloc(10); free(i); }   // error: malloc, free are unsafe
>> How is this supposed to work correctly with and without the "-safe"
>> compiler flag? The way you define things "-safe" would make module
>> memory safe for use while it is not.
> 
> I'm saying the module memory would not compile when the compiler is called 
> with the -safe switch.
> 
> The compiler would try to compile each module without a safety 
> specification as if it were *marked* (safe), which will not succeed 
> for module memory in this case.
> 
> In this setting, the reasons to have a -safe compiler switch are not so 
> important; it is more of a convenience, more like -forcesafe.
> You would want to use this flag only when you *need* to make sure your 
> application is safe, usually when you are using other libraries. By this 
> switch you can prevent compilation of unsafe application in case some 
> other library silently changes safe module to unsafe in newer version.
> 
> 
Doesn't work. There are system modules which CANNOT safely be called 
from safe modules -- eg extern(C) functions. They MUST have unsafe 
interfaces.
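The three layers the thread argues about (an unsafe extern(C) interface, a safe interface over an unsafe implementation, and fully safe code that may only call the latter), written out as an added example that is not part of the original posts. It uses the function attributes D actually ended up with (@system, @trusted, @safe) rather than the module-level `module (safe)` syntax proposed in the quoted message; the function names `withScratch`, `sumOfBytes` and `broken` are assumptions for illustration.

```d
module safety_layers;

// Layer 1: unsafe interface.  An extern(C) declaration is @system in D; the
// compiler knows nothing about what the callee does with the pointer, so
// @safe code is not allowed to call it directly.
extern (C) void* malloc(size_t size);
extern (C) void free(void* ptr);

// Layer 2: safe interface over an unsafe implementation.  @trusted tells the
// compiler the author has audited this body.  The raw pointer never escapes:
// the caller only sees a slice, and only for the duration of the callback.
// (withScratch is a hypothetical helper chosen for this example.)
int withScratch(size_t n, scope int delegate(ubyte[]) @safe work) @trusted
{
    auto p = cast(ubyte*) malloc(n);
    if (p is null)
        throw new Exception("malloc failed");
    scope(exit) free(p);          // freed exactly once, after the callback
    return work(p[0 .. n]);
}

// Layer 3: fully safe code.  It may call @safe and @trusted functions only,
// so it can use the scratch buffer without ever seeing malloc or free.
int sumOfBytes(size_t n) @safe
{
    return withScratch(n, (ubyte[] buf) {
        foreach (i, ref b; buf)
            b = cast(ubyte) i;
        int total = 0;
        foreach (b; buf)
            total += b;
        return total;
    });
}

// What the thread says must fail: an @safe function touching the unsafe
// interface directly.  Uncomment to see the compiler reject it with
//   Error: @safe function 'broken' cannot call @system function 'malloc'
// void broken() @safe { auto i = malloc(10); free(i); }

void main()
{
    assert(sumOfBytes(10) == 45); // 0 + 1 + ... + 9
}
```

The @trusted function is the whole audit surface: the compiler checks nothing inside it, so it is the one place a reviewer has to convince themselves that no @safe caller, whatever sequence of calls it makes, can reach a double free or a dangling pointer. Note the remaining caveat: unless the compiler is run with `-preview=dip1000`, the `scope` on the delegate parameter is not enforced, so a callback that stores the slice in a global would keep a reference to memory that `withScratch` has already freed.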