Michal Minich wrote:
> On Wed, 04 Nov 2009 13:12:54 -0600, Andrei Alexandrescu wrote:
>>> But I think there is no reason to use a -no-safe compiler flag ... for
>>> what reason would one want to force a safer program to compile as less
>>> safe :)
>> Efficiency (e.g. remove array bounds checks).
>>> As I'm thinking more about it, I don't see any reason to have any
>>> compiler flag for safety at all.
>> That would be a great turn of events!!!
>> Andrei
> Memory safety is a pretty specific thing. If you want it, you want it all,
> not just some part of it - then you cannot call it memory safety.
I agree and always did.
> The idea of a safe module, which under some compiler switch is not safe,
> does not appeal to me.
Absolutely. Notice that if you thought I proposed that, there was a
misunderstanding.
> But efficiency is also important, and if you want it, why not move the
> code subjected to bounds checks to a trusted/system module - I hope they
> are not checked for bounds in release mode. Moving parts of the code to
> trusted modules is more semantically descriptive, compared to the crude
> tool of an ad-hoc compiler switch.
Well it's not as simple as that. Trusted code is not unchecked code -
it's code that may drop redundant checks here and there, leaving code
correct, even though the compiler cannot prove it. So no, there's no
complete removal of bounds checking. But a trusted module is allowed to
replace this:

    foreach (i; 0 .. a.length) ++a[i];

with

    foreach (i; 0 .. a.length) ++a.ptr[i];

The latter effectively escapes checks because it uses unchecked pointer
arithmetic. The code is still correct, but this time it's the human
vouching for it, not the compiler.
> One thing I'm concerned with, whether there is a compiler switch or not,
> is that module numbers will increase, as you will probably want to split
> some modules in two, because some part may be safe, and some not. I'm
> wondering why the safety is not discussed on the function level, similarly
> to how pure and nothrow currently exist. I'm not sure this would be good,
> just wondering. Was this topic already discussed?
This is a relatively new topic, and you pointed out some legit kinks.
One possibility I discussed with Walter is to have version(safe) vs.
version(system) or so. That would allow a module to expose different
interfaces depending on the command line switches.
Andrei
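The substitution Andrei describes, written out as a complete D program. This is an added example, not code from the thread or from the D project: it uses the per-function @safe/@trusted attributes that D later adopted (the thread above talks about safe and trusted modules, so the attribute form is an assumption here), and the function names incrementChecked, incrementUnchecked and offByOneIsCaught are made up for the example. The point it makes is the one in Andrei's reply: the `.ptr[i]` form compiles only under @trusted, because the human rather than the compiler now vouches that every index is in range, and a mistake in that vouching is a silent out-of-bounds write instead of the RangeError the checked form throws.

```d
// Added example (not from the thread). Build and run with: dmd -run safety.d
// Run without -boundscheck=off, otherwise the checked form is unchecked too.
import std.stdio;
import core.exception : RangeError;

/// Bounds-checked increment: the compiler range-checks every a[i].
/// With dmd, -release keeps these checks in @safe code (it only drops
/// them in @system code); -boundscheck=off removes them everywhere.
@safe void incrementChecked(int[] a)
{
    foreach (i; 0 .. a.length)
        ++a[i];
}

/// The same loop through a.ptr[i]. Pointer indexing is not allowed in
/// @safe code, so this must be @trusted: the programmer, not the
/// compiler, vouches that i < a.length holds on every iteration.
@trusted void incrementUnchecked(int[] a)
{
    foreach (i; 0 .. a.length)   // invariant we vouch for: i < a.length
        ++a.ptr[i];
}

/// What the check buys you: an off-by-one in the checked form is caught
/// as a RangeError. The same off-by-one in the .ptr form would write one
/// int past the end of the slice with no diagnostic at all, which is why
/// trusted code must be reviewed rather than merely compiled.
/// Left as default @system because it catches an Error, not an Exception.
bool offByOneIsCaught(int[] a)
{
    try
    {
        foreach (i; 0 .. a.length + 1)   // deliberate off-by-one
            ++a[i];
        return false;
    }
    catch (RangeError)
    {
        return true;
    }
}

void main()
{
    int[] a = [1, 2, 3];             // constructed sample input
    incrementChecked(a);
    incrementUnchecked(a);
    writeln(a);                      // prints [3, 4, 5]
    writeln(offByOneIsCaught([1, 2, 3]));   // prints true
}
```

Changing `@trusted` to `@safe` on incrementUnchecked makes the program fail to compile, which is the property the thread is after: the escape from bounds checking is visible at the function boundary and cannot be switched on for the whole program by a compiler flag.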