dsimcha wrote:
== Quote from Andrei Alexandrescu ([email protected])'s articleSafeD is, unfortunately, not finished at the moment. I want to leave in place a stub that won't lock our options. Here's what we currently have: module(system) calvin; This means calvin can do unsafe things. module(safe) susie; This means susie commits to extra checks and therefore only a subset of D. module hobbes; This means hobbes abides to whatever the default safety setting is. The default safety setting is up to the compiler. In dmd by default it is "system", and can be overridden with "-safe". Sketch of the safe rules: \begin{itemize*} \item No @cast@ from a pointer type to an integral type and vice versa \item No @cast@ between unrelated pointer types \item Bounds checks on all array accesses \item No unions that include a reference type (array, @class@, pointer, or @struct@ including such a type) \item No pointer arithmetic \item No escape of a pointer or reference to a local variable outside its scope \item Cross-module function calls must only go to other @safe@ modules \end{itemize*} So these are my thoughts so far. There is one problem though related to the last \item - there's no way for a module to specify "trusted", meaning: "Yeah, I do unsafe stuff inside, but safe modules can call me no problem". Many modules in std fit that mold. How can we address that? Again, I'm looking for a simple, robust, extensible design that doesn't lock our options. Thanks, AndreiOne comment that came up in discussing GC stuff in Bugzilla: How do you prevent the following in SafeD? auto arrayOfRefs = new SomeClass[100]; GC.setAttr(arrayOfRefs.ptr, GC.BlkAttr.NO_SCAN); foreach(ref elem; arrayOfRefs) { elem = new SomeClass(); }
Is GC.setAttr a safe function? Andrei
