On 27/03/14 10:04 PM, Tommi Tissari wrote:
> Opting in case by case is not the same thing as having a compiler flag which
> you can toggle without modifying the source.

A case-by-case basis preserves the safety guarantees of the language and doesn't introduce a new dialect. It also means you can deal with this on a case-by-case basis with careful auditing rather than assuming the entire program is correct. It's not even viewed as *wrong* to do an out-of-bounds index at the moment - it causes failure, not an abort.

> Perhaps bounds checking is the only safety measure which has runtime penalty?
> (Not sure about that) But that would explain why it would be a separate
> flag.

There's also dynamic borrow checking on RefCell, and many functions check for integer overflow when it would cause memory unsafety. Lifetimes permit only a subset of the valid uses for references. Do you want a flag to turn off lifetime checking too? That would mean 4 language dialects (no_bounds_check, no_bounds_check+no_lifetime_check, no_lifetime_check, rust). Should the entire test suite (excluding intentionally changed ones) be run for each supported language subset? I'm sure we have at least one test checking for bounds-checking failure.

> By the way, D is memory safe (although it's opt-in) and it has this
> noboundscheck flag. So I don't see what the problem is.

D is *not* memory-safe, with or without the noboundscheck flag... the flag makes it less memory safe than it already is, of course. If you're counting the crippled subset of the language available in functions marked safe, then sure - but that's not anything like Rust.
_______________________________________________
Rust-dev mailing list
[email protected]
https://mail.mozilla.org/listinfo/rust-dev
