Re: ref parameters: there is no escape

Sun, 14 Aug 2011 10:10:24 -0700 

On 8/14/11 11:55 AM, dsimcha wrote:

Argh, accidentally hit send before I meant to on my last post. Please
ignore.

On 8/14/2011 12:44 PM, Andrei Alexandrescu wrote:

Consider the case
of designing a D wrapper for C functionality.

// C, we know it doesn't escape its parameters but the compiler doesn't.
void cFun(int* a, int* b);

// D:
void dWrapper(ref int a, ref int b) {
cFun(&a, &b);
}


I understand. Probably it's fine to require an explicit cast for taking
the address. Offhand, I don't see this as a frequent situation, or one
that would make pass-by-pointer unpalatable.


Pass-by-pointer is really, really ugly when used in high-level D-style
code, and exposes the implementation detail that the D wrapper is using
C code. By explicit cast, do you mean one in dWrapper() that's
encapsulated and invisible to the caller?


Yah, dWrapper would become:

void dWrapper(ref int a, ref int b) {
  cFun(cast(int*) &a, cast(int*) &b);
}
If the casts are missing, the compiler's error message could clarify under what assumptions they might be inserted. 


If you want the compiler to put extra restrictions on you in the name of
safety, that's what SafeD is for. If you're writing an @system function,
then the compiler should stay out of your way and let you do what you
want, unless it can **prove** that it's wrong.


The problem is, currently all functions that pass locals by ref cannot
be proven safe modularly.



Right, but they can be proven safe if they pass locals by ref **to @safe
functions**. I don't think there's any disagreement that @safe functions
shouldn't be allowed to take the address of locals or parameters.
We don't have that rule yet, but we can enact it. I strongly believe it would help if we enacted the "unescapable ref" rule for all D code. It disallows a patently dangerous pattern that many C++ coding standards (including Facebook's) explicitly disallow. We found pernicious bugs in our code caused by escaping reference parameters, and we're looking into adding a rule in our lint program to statically disallow it. If that's worthwhile (and I have evidence it is), then it's all the better to put the check straight in the language. 


Andrei

Reply via email to