March 24, 2008
Knud Soerensen wrote:
> Walter Bright wrote:
>> Clay Smith wrote:
>>> Is SafeD just a label for the programmer selectively using D features?
>> Yes, but it would also be enforced by a compiler switch.
> 
> Hi Walter
> Would it be better to implement a general framework for defining
> code constraints ??
> 
> See Scott Meyers talk on Generalizing Const
> http://video.google.com/videoplay?docid=-4728145737208991310

I must admit that the presentation went way over my head, but I wanted to add that those 'code constraints' remind me of 'capabilities', which are an interesting way to provide granular security.

renoX
March 24, 2008
renoX wrote:
> Knud Soerensen wrote:
>> Walter Bright wrote:
>>> Clay Smith wrote:
>>>> Is SafeD just a label for the programmer selectively using D features?
>>> Yes, but it would also be enforced by a compiler switch.
>>
>> Hi Walter
>> Would it be better to implement a general framework for defining
>> code constraints ??
>>
>> See Scott Meyers talk on Generalizing Const
>> http://video.google.com/videoplay?docid=-4728145737208991310
> 
> I must admit that the presentation went way over my head, but I wanted to add that those 'code constraints' remind me of 'capabilities', which are an interesting way to provide granular security.
> 
> renoX

Just to explain what I mean by this, here's a video talk about Joe, a subset of Java intended to enable capability-style programming:
http://uk.youtube.com/watch?v=EGX2I31OhBE
http://code.google.com/p/joe-e/

The goal is different but it's still interesting: if I understood correctly, SafeD's goal would be to offer Java-like safety, but even Java-like safety isn't enough to provide fine-grained security, so researchers made Joe, a subset of Java, for this.

So maybe Joe's design would be interesting as an inspiration for SafeD (and if it's too limiting, there could be several levels of 'safety').

Regards,
renoX
March 25, 2008
Walter Bright wrote:
> Julio César Carrascal Urquijo wrote:
> 
>> How will one assert that a library function is certified for usage in SafeD even if it uses unsafe constructs? New keywords?
> 
> There'll have to be some syntax for that.

I hope you mean that once such a library function is Certified, it gets some kind of [at least compiler readable] property stating that it is SafeD compliant?

As to the matter of certifying the function, in trivial cases the compiler could do it.


But with some important special cases, I can see no other way than to manually scrutinize the source code. Think of a complicated function (say, some hairy tensor math operation, maybe an FFT function, or whatever that's nontrivial) that internally needs to do "unsafe" operations or even in-line asm, but that has been deemed safe by Authoritative Professionals.
March 25, 2008
Georg Wrede wrote:
> Walter Bright wrote:
>> Julio César Carrascal Urquijo wrote:
>>
>>> How will one assert that a library function is certified for usage in SafeD even if it uses unsafe constructs? New keywords?
>>
>> There'll have to be some syntax for that.
> 
> I hope you mean that once such a library function is Certified, it gets some kind of [at least compiler readable] property stating that it is SafeD compliant?

Yes.

> As to the matter of certifying the function, in trivial cases the compiler could do it.

There's no reason to syntactically mark a function as safe if the compiler can verify it.


> But with some important special cases, I can see no other way than to manually scrutinize the source code. Think of a complicated function (say, some hairy tensor math operation, maybe an FFT function, or whatever that's nontrivial) that internally needs to do "unsafe" operations or even in-line asm, but that has been deemed safe by Authoritative Professionals.

Yes, but the idea is to reduce the scope as much as possible of where you have to manually look for unsafe code.
March 25, 2008
Walter Bright wrote:
> 
> http://reddit.com/r/programming/info/6d210/comments/

Would it be possible to use unsafe libraries with a safe D subset? I'm thinking of something like being able to specify which libraries you can link to that are unsafe somehow, perhaps through a dll or wrapper.

-Joel
March 25, 2008
janderson wrote:
> Walter Bright wrote:
>>
>> http://reddit.com/r/programming/info/6d210/comments/
> 
> Would it be possible to use unsafe libraries with a safe D subset? I'm thinking of something like being able to specify which libraries you can link to that are unsafe somehow, perhaps through a dll or wrapper.
> 
> -Joel

What I'm getting at is that some libs may be safe for one project but may not be considered safe in another. For instance, someone may want to prevent writing to a file; in another project this may be perfectly acceptable, however they may want security in other areas.

-Joel
March 25, 2008
Walter Bright wrote:
> Georg Wrede wrote:
>> Walter Bright wrote:
>>> Julio César Carrascal Urquijo wrote:
>>>
>>>> How will one assert that a library function is certified for usage in SafeD even if it uses unsafe constructs? New keywords?
>>>
>>> There'll have to be some syntax for that.
>>
>> I hope you mean that once such a library function is Certified, it gets some kind of [at least compiler readable] property stating that it is SafeD compliant?
> 
> Yes.
> 
>> As to the matter of certifying the function, in trivial cases the compiler could do it.
> 
> There's no reason to syntactically mark a function as safe if the compiler can verify it.
> 
>> But with some important special cases, I can see no other way than to manually scrutinize the source code. Think of a complicated function (say, some hairy tensor math operation, maybe an FFT function, or whatever that's nontrivial) that internally needs to do "unsafe" operations or even in-line asm, but that has been deemed safe by Authoritative Professionals.
> 
> Yes, but the idea is to reduce the scope as much as possible of where you have to manually look for unsafe code.


I'm simply thrilled!

March 25, 2008
I wish D used the concept of UNSAFE modules similar to (or the same as) that in the excellent Modula-3 language (which influenced all modern OO languages, IMHO).
Modula-3 has a keyword "UNSAFE" which is used in a module or interface declaration to indicate that it is _unsafe_. In other words, it informs us that the module/interface uses unsafe features of the language. If a module or interface is not labeled "unsafe" (the default behavior), it is assumed to be safe.
This simple concept is amazing, as is the fact that Modula-3 (as a language) had this (plus numerous other modern features) two decades ago.

Kind regards

PS. I am not advocating Modula-3 here. I do C++ (16 years), D, Java and PHP programming, mostly.
March 25, 2008
Walter Bright wrote:
> There's no reason to syntactically mark a function as safe if the compiler can verify it.

Well, if you have a mix of safe and unsafe code, there is -- you want to tell the compiler to verify some stuff and ignore other stuff.
March 25, 2008
On Sat, 22 Mar 2008 21:47:59 -0700
Walter Bright <newshound1@digitalmars.com> wrote:

> 
> http://reddit.com/r/programming/info/6d210/comments/

I think this calls for a compiler switch that forces bounds checking on, whether or not debug or release mode. You don't want to be shipping debug code.

Also, a pragma or similar would be helpful; if it could enable bounds-checking from that point until the end of the scope, you could completely rely on bounds checks in your code, like you can do in other modern languages.

Finally, would SafeD have to disallow destructors? If you're accessing garbage-collected memory in a destructor, you're asking for trouble. It's not always as simple as directly disallowing access to these fields: calling functions can indirectly cause the memory to be accessed. However, if you're not accessing GC memory in a destructor, you're probably using some lower-level functions, which are generally untrustworthy.

-- 
Chris Miller <chris@dprogramming.com>
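What the thread is sketching (a compiler-verified safe subset, a compiler-readable marker for library functions that use unsafe constructs internally but have been reviewed by a human, a way to mix verified and unverified code in one program, and a bounds-check switch that survives release builds) later took shape in D2 as the @safe, @trusted and @system function attributes and dmd's -boundscheck option; those features postdate this 2008 discussion. The example below is added for this page and is not code from any poster in the thread; the function names and the sample array are constructed for illustration.

```d
// Added example (not from the thread). Compile and run with: dmd -run safed_example.d
// Bounds checks: with -release, dmd defaults to -boundscheck=safeonly, which keeps
// the checks inside @safe code; -boundscheck=on forces them on everywhere.

import core.exception : RangeError;
import std.stdio : writeln;

// Unverified code: the compiler makes no safety guarantee here.
// Pointer arithmetic is forbidden in @safe code, so this must be @system.
@system int sumRaw(const(int)* p, size_t n)
{
    int total = 0;
    for (size_t i = 0; i < n; ++i)
        total += p[i];   // no bounds check: the caller must supply a valid range
    return total;
}

// The "certified by a human" case from the thread: @trusted tells the compiler
// that a reviewer has checked this body, so @safe code may call it. The wrapper
// confines the unsafe part by passing only a slice's own pointer and length,
// a pair the caller cannot get wrong. This is where manual review is needed.
@trusted int sumTrusted(const(int)[] xs)
{
    return sumRaw(xs.ptr, xs.length);
}

// The compiler-verified case: no pointer arithmetic, no unsafe casts, no asm.
// Any unsafe construct in this body is a compile-time error, not a review item.
@safe int sumChecked(const(int)[] xs)
{
    int total = 0;
    foreach (x; xs)
        total += x;
    return total;
}

// Indexing in @safe code keeps its bounds check even under -release,
// which is the "force bounds checking on" behaviour the last post asks for.
@safe int pick(const(int)[] xs, size_t i)
{
    return xs[i];
}

// Shows that the check fires instead of reading out of bounds. Marked @trusted
// only because @safe code may catch only Exception subclasses, and RangeError
// is an Error; catching it here is purely for demonstration.
@trusted bool outOfRangeIsCaught(const(int)[] xs, size_t i)
{
    try
    {
        pick(xs, i);
        return false;
    }
    catch (RangeError)
    {
        return true;
    }
}

void main() @safe
{
    immutable int[] data = [1, 2, 3, 4];  // constructed sample input
    writeln(sumChecked(data));            // 10, fully compiler-verified
    writeln(sumTrusted(data));            // 10, via the reviewed @trusted wrapper
    // sumRaw(data.ptr, data.length);     // compile error: @system call from @safe
    writeln(outOfRangeIsCaught(data, 9)); // true: the bounds check caught index 9
    writeln(outOfRangeIsCaught(data, 0)); // false: index 0 is in range
}
```

The division of labour matches Walter's point above: nothing marked @safe needs a human reviewer, because the compiler rejects unsafe constructs in it, and the manual audit is narrowed to the @trusted bodies. For something closer to the Modula-3 module-level UNSAFE marker, writing `@safe:` at the top of a module applies the attribute to every declaration that follows, so a module is safe by default and only its explicitly @system or @trusted parts are not.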