ref parameters: there is no escape

Andrei Alexandrescu SeeWebsiteForEmail at erdani.org
Sun Aug 14 10:05:11 PDT 2011 

On 8/14/11 11:55 AM, dsimcha wrote:
> Argh, accidentally hit send before I meant to on my last post. Please
> ignore.
>
> On 8/14/2011 12:44 PM, Andrei Alexandrescu wrote:
>>> Consider the case
>>> of designing a D wrapper for C functionality.
>>>
>>> // C, we know it doesn't escape its parameters but the compiler doesn't.
>>> void cFun(int* a, int* b);
>>>
>>> // D:
>>> void dWrapper(ref int a, ref int b) {
>>> cFun(&a, &b);
>>> }
>>
>> I understand. Probably it's fine to require an explicit cast for taking
>> the address. Offhand, I don't see this as a frequent situation, or one
>> that would make pass-by-pointer unpalatable.
>
> Pass-by-pointer is really, really ugly when used in high-level D-style
> code, and exposes the implementation detail that the D wrapper is using
> C code. By explicit cast, do you mean one in dWrapper() that's
> encapsulated and invisible to the caller?

Yah, dWrapper would become:

void dWrapper(ref int a, ref int b) {
   cFun(cast(int*) &a, cast(int*) &b);
}

If the casts are missing, the compiler's error message could clarify 
under what assumptions they might be inserted.

>>> If you want the compiler to put extra restrictions on you in the name of
>>> safety, that's what SafeD is for. If you're writing an @system function,
>>> then the compiler should stay out of your way and let you do what you
>>> want, unless it can **prove** that it's wrong.
>>
>> The problem is, currently all functions that pass locals by ref cannot
>> be proven safe modularly.
>
>
> Right, but they can be proven safe if they pass locals by ref **to @safe
> functions**. I don't think there's any disagreement that @safe functions
> shouldn't be allowed to take the address of locals or parameters.

We don't have that rule yet, but we can enact it. I strongly believe it 
would help if we enacted the "unescapable ref" rule for all D code. It 
disallows a patently dangerous pattern that many C++ coding standards 
(including Facebook's) explicitly disallow. We found pernicious bugs in 
our code caused by escaping reference parameters, and we're looking into 
adding a rule in our lint program to statically disallow it. If that's 
worthwhile (and I have evidence it is), then it's all the better to put 
the check straight in the language.


Andrei

More information about the Digitalmars-d mailing list