ref parameters: there is no escape
kennytm
kennytm at gmail.com
Sun Aug 14 08:28:00 PDT 2011
Andrei Alexandrescu <SeeWebsiteForEmail at erdani.org> wrote:
> Walter and I have had a long discussion and we thought we'd bring an idea
> for community review.
>
> We believe it would be useful for safety purposes to disallow escaping
> addresses of ref parameters. Consider:
>
> class C {
> int * p;
> this(ref int x) {
> p = &x; // escapes the address of a ref parameter
> }
> }
>
> Such code is accepted today. We believe it is error-prone and dangerous,
> particularly because the caller has no syntactic cue that the address of
> the parameter is passed into the function (in this case constructor).
Well, you could adopt bug 6442 and call the constructor as
auto c = new C(ref x);
<g>
> Worse, such a function cannot be characterized as @safe.
>
> So we want to make the above an error. The workaround is obvious - just
> take int* as a parameter instead of ref int. What a function can do with
> a ref parameter in general is:
>
> * use it directly just like a local;
>
> * pass it down to other functions (which may take it by value or reference);
>
> * pass its address down to pure functions because a pure function cannot
> escape the address anyway (cool insight by Walter);
>
Does this mean strongly pure? Because for now we can write a weakly pure
function
pure int* escape(int* q) { return q; }
and change that constructor to
this(ref int x) { p = escape(&x); }
> * take its address as long as the address doesn't outlive the frame of the function.
>
> The third bullet is not easy to implement as it requires flow analysis,
> but we may start with a conservative version first. Probably there won't
> be a lot of broken code anyway.
>
> Please chime in with any comments you might have!
>
>
> Thanks,
>
> Andrei
More information about the Digitalmars-d
mailing list