[Issue 17049] [scope] class references are not escape checked like pointers

via Digitalmars-d-bugs digitalmars-d-bugs at puremagic.com
Fri Feb 24 12:55:10 PST 2017


https://issues.dlang.org/show_bug.cgi?id=17049

Martin Nowak <code at dawg.eu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |---

--- Comment #3 from Martin Nowak <code at dawg.eu> ---
Remember how we agreed that the compiler shouldn't be too smart when
inferring whether the return value could alias any of the arguments.
This is crucial to support ownership idioms such as unique, where the container
could for example just wrap an int handle.
Use-after-free for handles is no different from dangling pointers, just as
unsafe and able to corrupt memory.

struct S
{
    // needs a pointer for the compiler to attach the lifetime of
    // get's return value to S
    float* ptr;
    @safe P get() return scope;
}

P escape() @safe
{
    // need to explicitly declare this as scope for the compiler to
    // infer get's return value as scope
    scope S s;
    P p = s.get();
    return p;
}

//////////

Here is a simpler example of why this is broken.

struct S
{
    @safe S* get() return scope
    {
        return &this;
    }
}

S* escape() @safe
{
    S s;
    auto ps = s.get();
    return ps;
}

In `auto ps = s.get()` the compiler should conservatively assume that ps points
to s, simply b/c the signature (w/ return scope) would allow it to do so. Even if
the return type is seemingly unrelated to the passed-in scope arguments, type
conversions may be done by @trusted functions that are not transparent to the
compiler.

--
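
The handle case mentioned in the comment, as an added example that is not part of the original message or the D project's code. Every name in it (`live`, `openHandle`, `View`, `Unique`) is hypothetical, and it assumes a compiler that accepts `escape()`, which is the behaviour the comment argues against.

```d
// Constructed example: a tiny handle table standing in for OS or library handles.
bool[8] live;                       // live[i] is true while handle i is open

int openHandle() @safe
{
    foreach (i, ref used; live)
        if (!used) { used = true; return cast(int) i; }
    assert(0, "handle table full");
}

void closeHandle(int h) @safe { live[h] = false; }

// Borrowed view of a handle: it holds an int and no pointer.
struct View
{
    int h;
    bool valid() const @safe { return live[h]; }
}

// Unique owner: closes the handle when the owner goes out of scope.
struct Unique
{
    private int h;
    @disable this(this);            // no copies, single owner
    this(int h) @safe { this.h = h; }
    ~this() @safe { closeHandle(h); }

    // `return scope` declares that the result must not outlive `this`.
    View get() return scope @safe { return View(h); }
}

View escape() @safe
{
    scope u = Unique(openHandle());
    View v = u.get();
    return v;                       // v leaves the function, u is destroyed here
}

void main() @safe
{
    View v = escape();
    assert(!v.valid());             // the handle was closed by Unique's destructor
    int h2 = openHandle();          // the table reuses the freed slot
    assert(h2 == v.h);              // the stale view now names an unrelated resource
}
```

If the lifetime of `get`'s result is tied to `u` regardless of the return type, `return v` is rejected and the stale view in `main` cannot be created from `@safe` code.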

