Handmade Network»Forums
48 posts
Use C as a scripting language?

I've been thinking about letting users make scripts for my project. What I'd like to do, is let them write and compile game scripts in C, as this would make it very easy to develop. The thing I'm concerned about, is a user could put something nasty in the script, and share it with my program. I can't think of a way to stop users doing that, unless I make a custom script language, probably visual.

Is this something devs worry about? Is it a bad idea to use C for this?

Mārtiņš Možeiko
2374 posts / 2 projects
Use C as a scripting language?
Edited by Mārtiņš Možeiko on

Technically that is possible, but it will require custom compiler that can do proper sandboxing & validating all memory accesses & indirect calls/jumps. That plus whitelisting what external calls that are allowed.

For example how it was done read internals of Google NaCl (Native Client):
https://en.wikipedia.org/wiki/Google_Native_Client
https://developer.chrome.com/docs/native-client/overview/
https://developer.chrome.com/docs/native-client/reference/sandbox_internals/x86-64-sandbox/

That was attempt to bring native code plugins into browser in secure manner. It is super super hard to do that correctly. It had many bugs compromising security. Eventually wasm won over it and Google deprecated NaCl.

So unless you're expert in compiler development & codegen and can spend a lot of time on this. I would strongly NOT recommend loading any natively compiled code if you need to guard against arbitrary code execution.

172 posts / 1 project
Use C as a scripting language?

The worst part of using C dynamically is having to bundle a compiler that is very much tied to the operating system and hardware. The user's code might also fail to compile due to differences between operating systems, updates to the compiler, et cetera.

Would be easier to just bundle a dynamic link library for own use as (.dll/.so) and find it in a folder dynamically using (FindFirstFileW, FindNextFileW, FindClose) on MS-Windows and (opendir, readdir) on Posix.

If both speed and security is important, you can create a virtual machine using complex instructions for anything that is computationally heavy. This is how OpenCV works with Python. Not the most cache effective nor powerful solution, but a lot faster than a scripted loop with memory bound checks for every little element.

If it's just to drive the story in a game using 100 virtual instructions per second, then don't worry about the performance.