[Virgil] virgil philosophy question about 'unsafe'

Benjamin Titzer titzer at CS.UCLA.EDU
Fri May 11 10:34:17 PDT 2007


Hi Douglas,

The term "unsafe" is generally meant to refer to the runtime type safety 
of the program. A program is "safe" if no variable (either on the stack, a 
global, or in the heap) takes on a value that is not within the valid 
values for its declared type. In C, a program may use complex pointer 
arithmetic to access fields of heap objects and can use type casts to 
subvert the type system. A C program which passes the C typechecker can 
still be unsafe; it may violate the statically declared types of variables 
through faulty pointer arithmetic, unchecked casts, NULL pointer 
dereferences, etc. For some C programs, this is benign, but it often leads to 
unpredictable and hard-to-track bugs.

A "safe" language ensures statically, when the program is typechecked by 
the compiler, that no such runtime type errors occur (although sometimes 
some dynamic checks are needed). This allows better reasoning about the 
behavior of the program by both the programmer and the compiler and faster 
identification and diagnosis of bugs.

> Hi,
>
> I have had a look at the website and have a question.
>
> In a couple of places 'unsafe' is mentioned with
> reference to C etc. and libraries. What do they mean
> by 'unsafe'?
>
> Further, if libraries are unsafe does this also apply
> to drivers and if not why not?

Yes, generally any unsafe component in the system can lead to the 
violation of the safety properties of the rest of the system, unless 
carefully isolated.

In Virgil, the idea is to develop all of the code, including drivers, in a 
safe language, and expose access to the hardware only in safe ways, so 
that there isn't a need for unsafe code. So far, so good. There are 
limitations though; e.g. Virgil cannot handle DMA yet.

Hope this answers your questions,
-B
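An added example, not from this thread or the Virgil project, that makes the distinction above concrete in C: a field declared with a three-value enum type, one writer that checks the value, and one writer that passes the C typechecker but uses a cast plus pointer arithmetic to store an arbitrary bit pattern into the same field. The struct, enum and function names are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* A declared type whose only valid values are 0, 1 and 2. */
typedef enum { COLOR_RED = 0, COLOR_GREEN = 1, COLOR_BLUE = 2 } color_t;

/* Constructed example struct: the assumption below is that the enum is
 * 32 bits wide, which is what the raw write relies on. */
struct pixel {
    color_t color;        /* declared type admits only 0..2 */
    int32_t brightness;
};
_Static_assert(sizeof(color_t) == sizeof(uint32_t), "enum assumed 32-bit");

/* "Safe" path: the value is validated before it reaches the typed field. */
int set_color_checked(struct pixel *p, int candidate) {
    if (candidate < (int)COLOR_RED || candidate > (int)COLOR_BLUE)
        return -1;                    /* refused: outside the declared type */
    p->color = (color_t)candidate;
    return 0;
}

/* "Unsafe" path: typechecks fine, yet a cast to a byte pointer plus
 * pointer arithmetic lets any 32-bit pattern land in the color field. */
void overwrite_via_cast(struct pixel *p, uint32_t raw) {
    unsigned char *bytes = (unsigned char *)p;          /* cast away the type */
    memcpy(bytes + offsetof(struct pixel, color), &raw, sizeof raw);
}

/* Dynamic check a safe runtime would perform: 1 if color holds a value
 * outside its declared type, 0 otherwise. */
int color_is_invalid(const struct pixel *p) {
    return (unsigned)p->color > (unsigned)COLOR_BLUE;
}

/* Runs both paths on one pixel. Returns 1 when the checked setter refused
 * the bad value but the unchecked write still corrupted the field. */
int demo_unsafe_write(void) {
    struct pixel p = { COLOR_GREEN, 100 };
    int refused = (set_color_checked(&p, 7) == -1) && !color_is_invalid(&p);
    overwrite_via_cast(&p, 0xDEADBEEFu);      /* constructed bit pattern */
    return refused && color_is_invalid(&p);
}
```

The second writer is exactly the kind of code a C typechecker accepts while the declared type of `color` is silently violated; the checked setter is the discipline a safe language enforces for you.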

