[Issue 19183] DIP1000 defeated if auto used instead of scope in variable declaration with template this member function

d-bugmail at puremagic.com
Wed Aug 22 10:42:36 UTC 2018


https://issues.dlang.org/show_bug.cgi?id=19183

--- Comment #11 from Atila Neves <atila.neves at gmail.com> ---
> @safe applies to functions/methods, not variables/fields. You can't forbid @safe code from accessing a visible variable.

Yes. But the code I presented is in one file for simplicity reasons. In real
life MyStruct would be library code. The bug isn't about accessing variables. I
understand what you mean about @safe messing up pointers, but I want to prevent
client code from doing that, not my own implementation!

> You're still just copying an `int*` around, which isn't unsafe.

Of course it is, that's basically the whole point of Rust and DIP1000.

> Without `scope` on the variable and without a destructor, there is no indication that `s.ints` has a non-infinite lifetime.

From DIP1000:

"For all global and static variables, lifetime is infinite."
"For values allocated on the garbage collected heap, lifetime is infinite
whilst reachability is dependent on the references in the program bound to
those values."

Algebra of lifetimes lists "*e", "new", "e[i]", "ArrayLiteral" and
"ArrayLiteral[constant]" as the only expressions with infinite lifetime.

And again:

"A variable is inferred to be scope if it is initialized with a value that has
a non-∞ lifetime."


Therefore, since `auto s = MyStruct(10)` doesn't match any of the above
conditions for an infinite lifetime, `auto` or `scope` should be the same
thing.

> I'm not sure if I understand that correctly, but this compiles just fine:

I'm arguing it shouldn't.
