ref is unsafe

Jonathan M Davis jmdavisProg at gmx.com
Sun Dec 30 03:14:42 PST 2012


On Sunday, December 30, 2012 11:04:35 monarch_dodra wrote:
> Wouldn't it be enough to disallow functions that both take and
> return by ref? There would still be some limitations, but at
> least:
> 
> //----
> @property ref T front(T)(T[] a);
> //----
> Would still be @safe.
> 
> It seems the only code that is unsafe always boils down to taking
> an argument by ref and returning it by ref...
> 
> At best, we'd (try) to only make that illegal (when we can), or
> (seeing things the other (safer) way around), only allow
> returning by ref, if the compiler is able to prove it is not also
> an input by ref?

The question is whether that would be too limiting. Certainly, it risks being 
a big problem for wrapper functions, since they may _need_ to take an argument 
by ref and return it by ref (or more probably, auto ref for both, but that 
amounts to the same thing as far as this issue goes). We could go with making 
such functions @system rather than @safe, but I don't know how problematic 
that would be. We may have no choice though, since unless you can prove that 
the ref being passed in will stay valid as long as the ref being passed out is 
used, you can't prove that that code is safe.

- Jonathan M Davis
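The pattern under discussion, as an added example (not code from the original thread): `front` follows the `@property` signature in the quoted message, while `identity` and `escapeLocal` are hypothetical names chosen here to show the ref-in/ref-out wrapper shape and the dangling reference it can produce. The D compiler of late 2012 accepted this program; compilers that implement DIP25 `return ref` checking reject it at compile time, which is the kind of proof Jonathan says would be needed.

```d
// Added example, not from the original post. Shows why a function that both
// takes and returns by ref cannot be proven @safe without lifetime tracking.
import std.stdio;

// The @property from the quoted message: returns a ref into the slice.
// Safe as long as the array memory outlives the use of the returned ref.
@property ref T front(T)(T[] a)
{
    return a[0];
}

// Hypothetical wrapper: takes a ref in and hands the same ref back out.
// This is the shape monarch_dodra proposed barring from @safe code and the
// shape Jonathan expects wrapper functions to need.
ref int identity(ref int x)
{
    return x;
}

// Hypothetical caller: the ref passed in aliases a stack local, the ref
// passed out survives the local. Nothing in identity's signature exposes
// that the output ref depends on the input ref.
ref int escapeLocal()
{
    int local = 42;
    return identity(local); // dangles once escapeLocal returns
}

void main()
{
    int[] arr = [1, 2, 3];   // constructed sample input
    arr.front = 10;          // write through the returned ref
    writeln(arr);            // [10, 2, 3]

    int y = 5;
    identity(y) = 7;         // fine: y outlives the call
    writeln(y);              // 7

    // Dangling reference: the lifetime of `local` ended, so this is
    // undefined behaviour regardless of what happens to be printed.
    int* p = &escapeLocal();
    writeln(*p);
}
```

The safe cases (`arr.front`, `identity(y)`) and the unsafe one (`escapeLocal`) all go through the same `ref int identity(ref int)` signature, so the caller's lifetimes, not the callee's type, decide safety. Marking such functions `@system` is the conservative answer Jonathan mentions; tying the returned ref's lifetime to the parameter's, as DIP25's `return ref` later did, is the finer-grained alternative.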
