65 posts
Use C as a scripting language?

I've been thinking about letting users make scripts for my project. What I'd like to do is let them write and compile game scripts in C, as this would make it very easy to develop. The thing I'm concerned about is that a user could put something nasty in the script and share it with my program. I can't think of a way to stop users doing that, unless I make a custom script language, probably visual.

Is this something devs worry about? Is it a bad idea to use C for this?

Mārtiņš Možeiko
2405 posts / 2 projects

Technically that is possible, but it will require a custom compiler that can do proper sandboxing & validation of all memory accesses & indirect calls/jumps. That, plus whitelisting which external calls are allowed.

For an example of how it was done, read about the internals of Google NaCl (Native Client):
https://en.wikipedia.org/wiki/Google_Native_Client
https://developer.chrome.com/docs/native-client/overview/
https://developer.chrome.com/docs/native-client/reference/sandbox_internals/x86-64-sandbox/

That was an attempt to bring native code plugins into the browser in a secure manner. It is super super hard to do that correctly. It had many bugs compromising security. Eventually wasm won over it and Google deprecated NaCl.

So unless you're an expert in compiler development & codegen and can spend a lot of time on this, I would strongly NOT recommend loading any natively compiled code if you need to guard against arbitrary code execution.

186 posts / 1 project

The worst part of using C dynamically is having to bundle a compiler that is very much tied to the operating system and hardware. The user's code might also fail to compile due to differences between operating systems, updates to the compiler, et cetera.

It would be easier to just bundle a dynamic link library (.dll/.so) for your own use and find it in a folder dynamically using (FindFirstFileW, FindNextFileW, FindClose) on MS-Windows and (opendir, readdir) on POSIX.

If both speed and security are important, you can create a virtual machine using complex instructions for anything that is computationally heavy. This is how OpenCV works with Python. Not the most cache effective nor powerful solution, but a lot faster than a scripted loop with memory bound checks for every little element.

If it's just to drive the story in a game using 100 virtual instructions per second, then don't worry about the performance.
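Added example, not part of any post in this thread: a minimal bytecode VM in C showing the alternative to loading native code that the replies above describe, with every memory access validated, host calls limited to a whitelist, and one "complex instruction" (`OP_SUM`) that does a single range check before a native loop. The opcode set, limits, error codes and `host_log` are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
/* Toy bytecode VM; opcodes, limits and host_log are assumptions of this example. */
enum { OP_PUSH, OP_STORE, OP_SUM, OP_HOST };
enum { VM_OK, VM_ERR_BOUNDS, VM_ERR_STACK, VM_ERR_OPCODE, VM_ERR_HOST, VM_ERR_BUDGET };
enum { MEM_WORDS = 64, STACK_WORDS = 16 };
typedef struct { uint32_t mem[MEM_WORDS], stack[STACK_WORDS], logged; size_t sp; } Vm;
typedef uint32_t (*HostFn)(Vm *, uint32_t);
/* Whitelist: the only host functions a script can ever reach. */
static uint32_t host_log(Vm *vm, uint32_t v) { vm->logged += v; return v; }
static const HostFn HOST_CALLS[] = { host_log };
#define HOST_COUNT (sizeof HOST_CALLS / sizeof HOST_CALLS[0])
/* Constructed sample script: mem[3] = 7, sum mem[0..8), pass the sum to host call 0. */
static const uint32_t SAMPLE[] = { OP_PUSH, 7, OP_PUSH, 3, OP_STORE,
                                   OP_PUSH, 0, OP_PUSH, 8, OP_SUM, OP_HOST, 0 };

int vm_run(Vm *vm, const uint32_t *code, size_t n, size_t budget) {
    for (size_t pc = 0; pc < n; ) {
        if (budget-- == 0) return VM_ERR_BUDGET;        /* runaway-script guard */
        uint32_t op = code[pc++], a, b, s = 0;
        switch (op) {
        case OP_PUSH:                                   /* operand follows the opcode */
            if (pc >= n || vm->sp >= STACK_WORDS) return VM_ERR_STACK;
            vm->stack[vm->sp++] = code[pc++];
            break;
        case OP_STORE:                                  /* pops addr, then value */
            if (vm->sp < 2) return VM_ERR_STACK;
            a = vm->stack[--vm->sp]; b = vm->stack[--vm->sp];
            if (a >= MEM_WORDS) return VM_ERR_BOUNDS;
            vm->mem[a] = b;
            break;
        case OP_SUM:                                    /* pops len, then addr */
            if (vm->sp < 2) return VM_ERR_STACK;
            b = vm->stack[--vm->sp]; a = vm->stack[--vm->sp];
            /* One range check, then a native loop with no per-element checks. */
            if (a > MEM_WORDS || b > MEM_WORDS - a) return VM_ERR_BOUNDS;
            for (uint32_t i = 0; i < b; i++) s += vm->mem[a + i];
            vm->stack[vm->sp++] = s;
            break;
        case OP_HOST:                                   /* host id follows the opcode */
            if (pc >= n || vm->sp < 1) return VM_ERR_STACK;
            if ((a = code[pc++]) >= HOST_COUNT) return VM_ERR_HOST; /* not whitelisted */
            vm->stack[vm->sp - 1] = HOST_CALLS[a](vm, vm->stack[vm->sp - 1]);
            break;
        default: return VM_ERR_OPCODE;
        }
    }
    return VM_OK;
}
```

The range check in `OP_SUM` is written as `b > MEM_WORDS - a` rather than `a + b > MEM_WORDS` so that a huge script-supplied length cannot wrap around and pass the check.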

4 posts / 1 project

May I suggest... JavaScript? It's a pretty simple scripting language with C syntax.

I started out with my own simple script interpreter, then tried Lua (because it's easy to embed) but I didn't care for the syntax, then realized I was overlooking the elephant in the room: JS. I was so sick and tired of webdev, I forgot that JS itself is alright. I'm using MuJS, a little embedded JS engine with a Lua-like API and an unrestrictive license. It's used in PDF readers so security is a priority.

186 posts / 1 project
Replying to synthnostate (#26681)

Yes, the root problem with JavaScript in browsers is that old bugs in how it is interpreted remain from the oldest implementations, in order to not break backwards compatibility. Even Batch would be okay if it wasn't for the super buggy implementation of cmd.exe trying to emulate every bug from the 1980s. Just need a fresh dialect, preferably with the grammar and exception handling formally defined.