[M3devel] meaning of unsafe?

Randy Coleburn rcoleburn at scires.com
Fri Jan 2 22:41:37 CET 2009


Jay:
 
Modula-3 has a very precise definition of what it means to have a safe or an UNSAFE module.  See pages 59-61 (section 2.7 Unsafe Operations) of the "Green Book" (Systems Programming with Modula-3 edited by Greg Nelson).
 
Bottom line is that if you don't use any features of the language that are deemed UNSAFE, your program can't cause unchecked runtime errors.
 
Regards,
Randy

>>> Jay <jay.krell at cornell.edu> 1/2/2009 2:02 AM >>>
Recent quote, that I haven't further investigated, made me realize some of my ignorance.
 
I know that "unsafe" includes:
  taking address of local 
  explicit free 
    dealing with any untraced ref? Not sure.
 
Questions are:
  is unsafe well statically enforced?
  and/or is safe well statically enforced?
 
That is, should I remove unsafe "everywhere", as long as it compiles ok, it must be safe, and better, so leave it that way? And if it fails, put it back?
 
Or do I need to think about it myself?
 
I think for modules it might be brainless as stated -- put it in only where the compiler makes, and nowhere extra, since extra is a loss not a bonus.
 
But for interfaces.. I think, again, ideal to remove it where you can, but that the compiler can't enforce it? At least where there is "external"?
Maybe I should just reread that quote, and thing about it.
 
Safe can code call unsafe code, but should not be able to do so with parameters that, indirectly, make the safe code unsafe. For example, I cannot safe call "free" in unsafe code on behalf of safe code, unless I am darn sure the data isn't referenced -- unless I am the garbage collector. Any pointer give to unsafe code by safe code must not be stored "long term" -- ie: in the heap or globals, because it could be a stack pointer. Unless, well, duh..ok, any VAR parameter or UNTRACED REF passed to unsafe code, what I just said, but traced refs can be held onto -- they are by definition not stack pointers.
 
I guess, you know..programming C code that interacts with Modula-3 code..you realize the incompleteness of the C type system. Modula-3 has, let's say, var, traced ref, and untraced ref. C just has pointers. The compiler doesn't know any better, the programmer has to.
 
If you imagine a Modula-3 to C header compiler..which I would like..you know, it outputs C headers that map FROM Modula-3 interfaces (instead of the usual hand translations in either direction), it would likely lose a lot of information and only be for special purpose use, unless, unlikely, not likely valuable, this problem was solved. 
Which..oh, this is interesting..I can see, to solve this, you'd need an "API" for storing pointers perhaps. Something perhaps to make sure the pointer is allowed to be stored like such. Not sure. But I suspect this "API" is related to the "checks" that the Modula-3 compiler generates...I really need to understand those...
 
 
Generally this is easy, because generally things are "synchronous" -- generally the C code doesn't hold on to its parameters beyond the lifetime of itself -- doesn't store it in the heap or globally for other threads to use, and generally the Modula-3 code isn't busy freeing the parameters on another thread, in fact VAR parameters cannot be freed, they are on the stack, and traced refs can only be freed..if the garbage collector can't find any references to them..and then untraced refs require "discipline" both in the Modula-3 code and the C code, but again generally, saved by "synchronicity" -- C code doesn't hold on to them, Modula-3 code doesn't free them on another thread. Those scenarios are certainly possible, just not all that common, and as soon as you "escape" to safe Modula-3 code, not a possibility..no untraced refs..
 
 
About right?
 
 
 - Jay

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://m3lists.elegosoft.com/pipermail/m3devel/attachments/20090102/756f5809/attachment-0002.html>


More information about the M3devel mailing list