@safe leak fix?

Steven Schveighoffer schveiguy at yahoo.com
Fri Nov 13 03:42:24 PST 2009 

On Thu, 12 Nov 2009 19:29:28 -0500, Robert Jacques <sandford at jhu.edu>  
wrote:

> On Thu, 12 Nov 2009 08:56:25 -0500, Steven Schveighoffer  
> <schveiguy at yahoo.com> wrote:
>
>> On Thu, 12 Nov 2009 08:45:36 -0500, Jason House  
>> <jason.james.house at gmail.com> wrote:
>>
>>> Walter Bright Wrote:
>>>
>>>> Jason House wrote:
>>>> > At a fundamental level, safety isn't about pointers or references to
>>>> > stack variables, but rather preventing their escape beyond function
>>>> > scope. Scope parameters could be very useful. Scope delegates were
>>>> > introduced for a similar reason.
>>>>
>>>> The problem is, they aren't so easy to prove correct.
>>>
>>> I understand the general problem with escape analysis, but I've always  
>>> thought of scope input as meaning @noescape. That should lead to easy  
>>> proofs. If my @noescape input (or slice of an array on the stack) is  
>>> passed to a function without @noescape, it's a compile error. That  
>>> reduces escape analysis to local verification.
>>
>> The problem is cases like this:
>>
>> char[] foo()
>> {
>>    char buf[100];
>>    // fill buf
>>    return strstr(buf, "hi").dup;
>> }
>>
>> This function is completely safe, but without full escape analysis the  
>> compiler can't tell.  The problem is, you don't know how the outputs of  
>> a function are connected to its inputs.  strstr cannot have its  
>> parameters marked as scope because it returns them.
>>
>> Scope parameters draw a rather conservative line in the sand, and while  
>> I think it's a good optimization we can get right now, it's not going  
>> to help in every case.  I'm perfectly fine with @safe being  
>> conservative and @trusted not, at least the power is still there if you  
>> need it.
>>
>> -Steve
>
> Well something like this should work (note that I'm making the  
> conversion  from T[N] to T[] explicit)
>
> auto strstr(T,U)(T src, U substring)
>      if(isRandomAccessRange!T &&
>         isRandomAccessRange!U &&
>         is(ElementType!U == ElementType!T)
> { /* Do strstr */ }
>
> char[] foo() {                     // Returns type char[]
>     char buf[100];                  // Of type scope char[100]
>     // fill buf                     // "hi" is type immutable(char)[]
>     return strstr(buf[], "hi").dup; // returns a lent char[], which is  
> dup-ed into a char[], which is okay to return
> }
>
> char[] foo2() {                    // Returns type char[]
>     char buf[100];                  // Of type scope char[100]
>     // fill buf                     // "hi" is type immutable(char)[]
>     return strstr(buf[], "hi");     // Error, strstr returns a lent  
> char[], not char[].
> }

Your proposal depends on scope being a type modifier, which it currently  
is not.  I think that's a separate issue to tackle.

-Steve

More information about the Digitalmars-d mailing list