I think this is an absolutely terrible idea, unless it has an "I know
what I'm doing, let me cast away the safety" loophole. Consider the
case of designing a D wrapper for C functionality.
// C, we know it doesn't escape its parameters but the compiler doesn't.
void cFun(int* a, int* b);
// D:
void dWrapper(ref int a, ref int b) {
cFun(&a, &b);
}
If you want the compiler to put extra restrictions on you in the name of
safety, that's what SafeD is for. If you're writing an @system
function, then the compiler should stay out of your way and let you do
what you want, unless it can **prove** that it's wrong.
On 8/14/2011 10:20 AM, Andrei Alexandrescu wrote:
Walter and I have had a long discussion and we thought we'd bring an
idea for community review.
We believe it would be useful for safety purposes to disallow escaping
addresses of ref parameters. Consider:
class C {
int * p;
this(ref int x) {
p = &x; // escapes the address of a ref parameter
}
}
Such code is accepted today. We believe it is error-prone and dangerous,
particularly because the caller has no syntactic cue that the address of
the parameter is passed into the function (in this case constructor).
Worse, such a function cannot be characterized as @safe.
So we want to make the above an error. The workaround is obvious - just
take int* as a parameter instead of ref int. What a function can do with
a ref parameter in general is:
* use it directly just like a local;
* pass it down to other functions (which may take it by value or
reference);
* pass its address down to pure functions because a pure function cannot
escape the address anyway (cool insight by Walter);
* take its address as long as the address doesn't outlive the frame of
the function.
The third bullet is not easy to implement as it requires flow analysis,
but we may start with a conservative version first. Probably there won't
be a lot of broken code anyway.
Please chime in with any comments you might have!
Thanks,
Andrei
