On 08/14/2011 04:20 PM, Andrei Alexandrescu wrote:
Walter and I have had a long discussion and we thought we'd bring an
idea for community review.
We believe it would be useful for safety purposes to disallow escaping
addresses of ref parameters. Consider:
class C {
int * p;
this(ref int x) {
p = &x; // escapes the address of a ref parameter
}
}
Such code is accepted today. We believe it is error-prone and dangerous,
particularly because the caller has no syntactic cue that the address of
the parameter is passed into the function (in this case constructor).
Worse, such a function cannot be characterized as @safe.
So we want to make the above an error. The workaround is obvious - just
take int* as a parameter instead of ref int. What a function can do with
a ref parameter in general is:
* use it directly just like a local;
* pass it down to other functions (which may take it by value or
reference);
* pass its address down to pure functions because a pure function cannot
escape the address anyway (cool insight by Walter);
Well, then it is possible to 'wash clean' a pointer to ref argument
using a pure function:
int* identity(int* p)pure{return p;}
int* global;
void escapeRef(ref int x)@safe{
global=identity(&x);
}
* take its address as long as the address doesn't outlive the frame of
the function.
The third bullet is not easy to implement as it requires flow analysis,
but we may start with a conservative version first. Probably there won't
be a lot of broken code anyway.
Please chime in with any comments you might have!
Thanks,
Andrei
I agree, disallow. But more important is that scope parameters start
working. Probably some of the code could be reused.
