ref parameters: there is no escape
Timon Gehr
timon.gehr at gmx.ch
Sun Aug 14 08:14:42 PDT 2011
On 08/14/2011 04:20 PM, Andrei Alexandrescu wrote:
> Walter and I have had a long discussion and we thought we'd bring an
> idea for community review.
>
> We believe it would be useful for safety purposes to disallow escaping
> addresses of ref parameters. Consider:
>
> class C {
> int * p;
> this(ref int x) {
> p = &x; // escapes the address of a ref parameter
> }
> }
>
> Such code is accepted today. We believe it is error-prone and dangerous,
> particularly because the caller has no syntactic cue that the address of
> the parameter is passed into the function (in this case constructor).
> Worse, such a function cannot be characterized as @safe.
>
> So we want to make the above an error. The workaround is obvious - just
> take int* as a parameter instead of ref int. What a function can do with
> a ref parameter in general is:
>
> * use it directly just like a local;
>
> * pass it down to other functions (which may take it by value or
> reference);
>
> * pass its address down to pure functions because a pure function cannot
> escape the address anyway (cool insight by Walter);
Well, then it is possible to 'wash clean' a pointer to ref argument
using a pure function:
int* identity(int* p)pure{return p;}
int* global;
void escapeRef(ref int x)@safe{
global=identity(&x);
}
>
> * take its address as long as the address doesn't outlive the frame of
> the function.
>
> The third bullet is not easy to implement as it requires flow analysis,
> but we may start with a conservative version first. Probably there won't
> be a lot of broken code anyway.
>
> Please chime in with any comments you might have!
>
>
> Thanks,
>
> Andrei
I agree, disallow. But more important is that scope parameters start
working. Probably some of the code could be reused.
More information about the Digitalmars-d
mailing list