ref is unsafe

Jason House jason.james.house at gmail.com
Wed Jan 2 15:48:19 PST 2013


On Sunday, 30 December 2012 at 08:38:27 UTC, Jonathan M Davis wrote:
> After some recent discussions relating to auto ref and const ref, I 
> have come to the conclusion that as it stands, ref is not @safe. It's 
> @system. And I think that we need to take a serious look at it to see 
> what we can do to make it @safe. The problem is combining code that 
> takes ref parameters with code that returns by ref.

The best solution I can think of is for @safe code to require that a 
ref return value be treated with the same care as all the function 
input arguments. I'll try to annotate the example code you gave to 
explain.


> Take this code for example:
>
> ref int foo(ref int i)
> {
>     return i;
> }

This function is valid. Ref input arguments can be returned.


>
> ref int bar()
> {
>     int i = 7;
>     return foo(i);
> }

If @safe, this code will not compile.
Error: foo may return a local stack variable
Since "i" is a local variable, "foo(i)" might return it.


>
> ref int baz(int i)
> {
>     return foo(i);
> }

This function is fine. "i" is an input argument so "foo(i)" is 
considered to be equivalent to an input argument.

>
> void main()
> {
>     auto a = bar();
>     auto b = baz(5);
> }

Both function calls compile. The variable a could be returned. 
I'm not sure if b should be returnable by ref. If "5" is a 
manifest constant, it must be an error in @safe code. If it has a 
permanent address, it could be returned.
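Added example, not part of this thread: current D implements checking of this kind through the `return ref` parameter annotation (DIP25, on by default in recent DMD releases; older compilers need `-preview=dip25`). The names `bumpViaRef`, `fromGlobal`, `global` and the `ShowError` version identifier are mine; compile with `dmd -run` and add `-version=ShowError` to see the definitions the compiler rejects.

```d
import std.stdio;

// `return ref` marks that the returned reference may alias `i`, so every
// caller is checked for passing a reference that outlives its frame.
ref int foo(return ref int i) @safe
{
    return i;
}

version (ShowError)
{
    // Rejected: the diagnostic says (roughly) that returning foo(i)
    // escapes a reference to local variable i.
    ref int bar() @safe
    {
        int i = 7;
        return foo(i);
    }

    // Also rejected: a by-value parameter lives in baz's own frame, so it
    // is a local as well and a reference to it cannot be returned.
    ref int baz(int i) @safe
    {
        return foo(i);
    }
}

// Accepted: the ref result is used only while the caller's `x` is alive.
int bumpViaRef(ref int x) @safe
{
    foo(x) += 1;
    return x;
}

// Accepted: module-level storage outlives any function frame.
int global = 42;
ref int fromGlobal() @safe
{
    return foo(global);
}

void main()
{
    int v = 1;
    assert(bumpViaRef(v) == 2);
    fromGlobal() = 100;
    assert(global == 100);
    writeln("ref checks passed");
}
```

Note that the compiler rejects `baz` as well as `bar`: unlike the classification in the post above, a by-value parameter is treated as a local of the callee, so returning a reference to it is an error in @safe code.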

