The main feature of the proposed "utmost safe" safety level – is guaranteed and compiler checked memory safety (I think we could also discuss other types of safety and the corresponding colourisations in this thread).
No matter how good developer is there are always possibilities of bugs:
/*safe*/ func foo() {
ESCAPE_HATCH {
someSafeCall()
if condition() {
someUnsafeCall()
}
}
}
Here we've audited the code and came to conclusion that condition() will always evaluate to false. However we may have overlooked something and it does return true sometimes, or it indeed always returns false now, but a few months later due to refactoring in seemingly unrelated code it starts returning true, triggering unsafe code execution and potentially worst sequences it could bring – loss or corruption of user data.
With the bikeshed utmost safe colour this won't happen:
utmostSafe func foo() {
ESCAPE_HATCH {
someSafeCall()
if condition() {
someUnsafeCall()
}
}
}
There would be a guarantee that even when condition() starts returning true – unsafe code would never be executed, the app would trap instead (on a precondition). The relevant precondition calls would be generated by the compiler for utmostSafe functions for the "leaf" functions:
/*safe*/ func bar_safe() {
if otherCondition() {
ESCAPE_HATCH_LEAF {
malloc() // example unsafe leaf function
}
}
}
// autogenerated utmost safe version:
utmost_safe func bar_utmostSafe() {
if otherCondition() {
precondition(false)
// malloc() // example leaf function
}
}
Possible implementation:
func ESCAPE_HATCH_LEAF(_ trustedCode: @trusted () -> Void) {
if trustedCodeExecutionAllowed {
trustedCode()
} else {
fatalError("not allowed")
}
}
with the only difference to what "trustedCodeExecutionAllowed" evaluated: it would be effectively set to true in the unsafe and /*safe*/ functions and to false in the utmostSafe functions.
Here's a sketch of an algorithm how to do the transformation from a safe function to an utmost safe function. It could be done manually now or with a compiler support in the future:
- we have a safe (trusted) function, let's look in its body and all things it's doing
- if it's a "utmost safe" thing - leave it as is
- if it's a "trusted" thing change it to the "utmost safe" thing if that version is available
- if "utmost safe" version is not available and it is not possible to generate it (e.g. it's a C function) embed this thing in the above
ESCAPE_HATCH_LEAFblock. - as an optimization a several "trusted" calls in a row could be embedded in a single ESCAPE_HATCH_LEAF block.
- once the body of the function is transferred to be "utmost safe" the function itself (or it's version) could be re-labeled as "utmostSafe" concluding the transformation process.
Posts relevant to "utmost safety" from the other thread: 91, 92, 93, 95, 96, 97, 98, 99, 100