https://issues.dlang.org/show_bug.cgi?id=17049

Martin Nowak <c...@dawg.eu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |---

--- Comment #3 from Martin Nowak <c...@dawg.eu> ---
Remember how we agreed that the compiler shouldn't be too smart when
inferring whether the return value could alias any of the arguments.
This is crucial to support ownership idioms such as unique, where the container
could for example just wrap an int handle.
Use-after-free for handles is no different from dangling pointers, just as
unsafe and able to corrupt memory.

struct S
{
    float* ptr; // needs a pointer for the compiler to attach the lifetime of get's return value to S
    @safe P get() return scope;
}

P escape() @safe
{
    scope S s; // need to explicitly declare this as scope for the compiler to infer get's return value as scope
    P p = s.get();
    return p;
}

//////////

Here is a simpler example of why this is broken.

struct S
{
    @safe S* get() return scope
    {
        return &this;
    }
}

S* escape() @safe
{
    S s;
    auto ps = s.get();
    return ps;
}

In `auto ps = s.get()` the compiler should conservatively assume that ps points
to s, simply because the signature (with return scope) would allow it to do so. Even if
the return type is seemingly unrelated to the passed-in scope arguments, type
conversions may be done by @trusted functions that are not transparent to the
compiler.
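The "int handle" case from the first paragraph, as an added example that is not part of the bug report or of dmd: a unique-style wrapper whose handle carries no pointer the compiler could track, a @trusted accessor that turns the handle back into a pointer, and a stale handle that ends up writing into a slot the pool has since handed to another owner. The names Pool, Handle and Unique are hypothetical.

```d
import std.stdio;

struct Handle { int idx = -1; }   // plain int, no indirection for escape analysis to follow

struct Pool
{
    float[4] slots;   // backing storage
    bool[4] live;     // which slots are currently allocated

    Handle alloc(float v) @safe
    {
        foreach (i; 0 .. slots.length)
            if (!live[i]) { live[i] = true; slots[i] = v; return Handle(cast(int) i); }
        assert(0, "pool exhausted");
    }

    void release(Handle h) @safe { live[h.idx] = false; }

    // @trusted: this is the conversion the compiler cannot see through. From the
    // Handle type alone it learns nothing about the pointer being produced.
    float* deref(Handle h) @trusted { return &slots[h.idx]; }
}

struct Unique
{
    Pool* pool;
    Handle h;
    this(Pool* p, float v) @safe { pool = p; h = p.alloc(v); }
    ~this() @safe { if (h.idx >= 0) pool.release(h); }   // owner frees the slot
    @disable this(this);                                  // no copies: single owner
    Handle get() @safe { return h; }
}

Handle escape(Pool* pool) @safe
{
    auto u = Unique(pool, 1.0f);
    return u.get();   // handle outlives u; u's destructor has already released the slot
}

void main() @safe
{
    auto pool = new Pool;
    Handle stale = escape(pool);
    auto other = Unique(pool, 42.0f);    // reuses the slot the stale handle names
    *pool.deref(stale) = 0;              // use-after-free through a handle...
    writeln(*pool.deref(other.get()));   // ...clobbers the live owner's value: prints 0
}
```

The handle use-after-free corrupts another owner's data exactly like a dangling pointer would; a defensive pool would at least tag each slot with a generation counter and reject handles whose generation no longer matches.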
