Message from discussion request for feedback: making foreign function calls to C printf-style functions safer
From: trijezdci <trijez...@gmail.com>
Subject: Re: request for feedback: making foreign function calls to C printf-style functions safer
Date: Thu, 2 Aug 2012 13:37:52 -0700 (PDT)
Wirth defined a simple rule: Any facility that bypasses the otherwise strict safety rules of the language belongs in module SYSTEM and, as a consequence, once a facility is imported from SYSTEM, then safety may no longer be guaranteed; thus import from SYSTEM works as an indicator, too.

I know some people do not like this rule set. They believe SYSTEM is evil and should be removed or at least it should be crippled. I find Wirth's rule set for SYSTEM perfectly sufficient and I do not share those notions on SYSTEM. This is not something I feel like discussing either. I take SYSTEM fo

The suggested pragma takes effect only in combination with a facility that is provided by SYSTEM. Therefore, in order to use the pragma, one would first need to use the facility and in order to use the facility, one would first need to import it from SYSTEM. It thus satisfies Wirth's rule set for SY

Did we consider revising Wirth's rule set for SYSTEM to put restrictions on what kinds of modules can import from what other kinds of modules? Yes we did, and it turned out to be a silly idea that we soon abandoned again. I am not going to comment any further on this.

> a terrible burden on the compiler builder (for doubtful benefit
No, you have it upside down. The pragma is suggested as a recommendation so that compiler implementors who feel they want such a check will be able to use a blueprint that avoids rendering source code non-portable, which is a risk if nothing is defined.

> I hope you make it an optional part to enforce this.
Copy-pasted from my earlier post:
>> we are talking about an optional pragma, that is to say,
>> a recommendation to implementors "if you feel strong
>> enough about checking this type of dangerous FFI call,
>> then here is how you should do it".