ref is unsafe
Jonathan M Davis
jmdavisProg at gmx.com
Sun Dec 30 03:14:42 PST 2012
On Sunday, December 30, 2012 11:04:35 monarch_dodra wrote:
> Wouldn't it be enough to disallow functions that both take and
> return by ref? There would still be some limitations, but at
> least:
>
> //----
> @property ref T front(T)(T[] a);
> //----
> Would still be @safe.
>
> It seems the only code that is unsafe always boils down to taking
> an argument by ref and returning it by ref...
>
> At best, we'd (try) to only make that illegal (when we can), or
> (seeing things the other (safer) way around), only allow
> returning by ref, if the compiler is able to prove it is not also
> an input by ref?
The question is whether that would be too limiting. Certainly, it risks being
a big problem for wrapper functions, since they may _need_ to take an argument
by ref and return it by ref (or more probably, auto ref for both, but that
amounts to the same thing as far as this issue goes). We could go with making
such functions @system rather than @safe, but I don't know how problematic
that would be. We may have no choice though, since unless you can prove that
the ref being passed in will stay valid as long as the ref being passed out is
used, you can't prove that that code is safe.
- Jonathan M Davis
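The two shapes under discussion, as an added example written for this page (not code from either poster): a wrapper that both takes and returns by ref, which lets a reference to a stack slot escape the frame that owns it, beside the `front`-style function from the quoted post, whose returned ref points at the slice's element rather than at the parameter. The names `forward`, `dangling` and `safeUser` are assumed for illustration.

```d
// Added example for this thread, not from the original posts.
import std.stdio;

// Wrapper that forwards its ref parameter as its ref return value.
// Nothing in the signature ties the lifetime of the returned ref to the
// argument, so the compiler cannot prove the result stays valid.
// Marking it @system (as the reply suggests) keeps @safe code from calling it.
@system ref int forward(ref int x) { return x; }

// Passes a local through the wrapper: the returned ref aliases a stack slot
// that no longer exists once dangling() returns.
@system ref int dangling()
{
    int local = 42;
    return forward(local);
}

// The safe shape from the quoted post: the slice is passed by value, but the
// returned ref targets the slice's backing memory, not the parameter itself.
ref T front(T)(T[] a)
{
    assert(a.length > 0, "front of empty range");
    return a[0];
}

// @safe code may use front(); it may not call the @system wrapper.
@safe void safeUser(int[] xs)
{
    front(xs) = 10;          // writes through the ref into the array
    // int local; forward(local); // compile error: @system call from @safe
}

void main()
{
    int[] xs = [1, 2, 3];
    safeUser(xs);
    assert(xs == [10, 2, 3]);

    int* p = &dangling();    // points into a dead frame
    writeln(*p);             // undefined behaviour: may print 42 or garbage
}
```

Compile with `dmd` (no special flags). Later D releases added a `return ref` annotation (DIP25) so that @safe code can express exactly the parameter-to-return lifetime link this thread says the compiler cannot otherwise prove; the example above deliberately omits it to show the situation as discussed here.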