On 2011-08-14 16:20, Andrei Alexandrescu wrote:
Walter and I have had a long discussion and we thought we'd bring an
idea for community review.
We believe it would be useful for safety purposes to disallow escaping
addresses of ref parameters. Consider:
class C {
int * p;
this(ref int x) {
p = &x; // escapes the address of a ref parameter
}
}
Such code is accepted today. We believe it is error-prone and dangerous,
particularly because the caller has no syntactic cue that the address of
the parameter is passed into the function (in this case constructor).
Worse, such a function cannot be characterized as @safe.
So we want to make the above an error. The workaround is obvious - just
take int* as a parameter instead of ref int. What a function can do with
a ref parameter in general is:
* use it directly just like a local;
* pass it down to other functions (which may take it by value or
reference);
* pass its address down to pure functions because a pure function cannot
escape the address anyway (cool insight by Walter);
* take its address as long as the address doesn't outlive the frame of
the function.
The third bullet is not easy to implement as it requires flow analysis,
but we may start with a conservative version first. Probably there won't
be a lot of broken code anyway.
Please chime in with any comments you might have!
Thanks,
Andrei
I have code relying on this, probably not could practice but it works.
This is a usage example:
void main ()
{
int i = 3;
restore(i) in {
i = 4;
};
assert(i == 3);
}
Restore returns a struct which overloads the "in" operator and stores a
pointer to the value pass to "restore". I'm overloading the "in"
operator have a nicer looking delegate syntax. But I guess this could be
seen as operator overload abuse. If D just could have a good looking
syntax for delegate literals, like this:
restore(i) {
i = 4;
}
Then this wouldn't be needed.
--
/Jacob Carlborg
