Andrei Alexandrescu <seewebsiteforem...@erdani.org> wrote: > Walter and I have had a long discussion and we thought we'd bring an idea > for community review. > > We believe it would be useful for safety purposes to disallow escaping > addresses of ref parameters. Consider: > > class C { > int * p; > this(ref int x) { > p = &x; // escapes the address of a ref parameter > } > } > > Such code is accepted today. We believe it is error-prone and dangerous, > particularly because the caller has no syntactic cue that the address of > the parameter is passed into the function (in this case constructor).
Well, you could adopt bug 6442 and call the constructor as auto c = new C(ref x); <g> > Worse, such a function cannot be characterized as @safe. > > So we want to make the above an error. The workaround is obvious - just > take int* as a parameter instead of ref int. What a function can do with > a ref parameter in general is: > > * use it directly just like a local; > > * pass it down to other functions (which may take it by value or reference); > > * pass its address down to pure functions because a pure function cannot > escape the address anyway (cool insight by Walter); > Does this mean strongly pure? Because for now we can write a weakly pure function pure int* escape(int* q) { return q; } and change that constructor to this(ref int x) { p = escape(&x); } > * take its address as long as the address doesn't outlive the frame of the > function. > > The third bullet is not easy to implement as it requires flow analysis, > but we may start with a conservative version first. Probably there won't > be a lot of broken code anyway. > > Please chime in with any comments you might have! > > > Thanks, > > Andrei