ref is unsafe

Araq rumpf_a at gmx.de
Thu Jan 3 16:46:31 PST 2013


On Wednesday, 2 January 2013 at 23:33:16 UTC, Thiez wrote:
> On Wednesday, 2 January 2013 at 22:53:04 UTC, Jonathan M Davis wrote:
>> Then we're going to have to disagree, and I believe that Walter and Andrei are
>> completely with me on this one. If all of the constructs that you use are
>> @safe, then it should be _guaranteed_ that your program is memory-safe. That's
>> what @safe is for. Yes, it can be gotten around if the programmer marks
>> @system code as @trusted when it's not really memory-safe, but that's the
>> programmer's problem. @safe is not doing its job and is completely pointless
>> if it has any holes in it beyond programmers mislabeling functions as @trusted.
>> - Jonathan M Davis
>
> Perhaps it is worth looking at Rust for this problem?

You can also look at how Algol solved this over 40 years ago: 
Insert a runtime check that the escaping reference does not point 
to the current stack frame which is about to be destroyed. The 
check should be very cheap at runtime but it can be deactivated 
in a release build for efficiency just like it is done for array 
indexing.

FYI Nimrod has the same problem and it's planned to prevent these 
cases statically with a type based alias analysis; however at 
least the first versions will still keep the dynamic check as 
these kinds of static analyses cry for correctness proofs IMO.
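The dynamic check described in the post, as an added illustration in C that is not code from the post, from D or from Nimrod: each reference carries the nesting depth of the frame owning its target, and a reference may leave a frame only if its target is older than that frame. All names (`ref_t`, `may_escape`, the `escape_check_*` functions) are hypothetical; a real implementation would hide the depth in the reference representation instead of this explicit struct.

```c
#include <stdio.h>
/* Added example, not code from the post or from D/Nimrod: a dynamic scope
 * check in the Algol-68 style. Every reference carries the nesting depth of
 * the frame that owns its target (0 = static or heap storage). When a frame
 * is about to hand a reference outward, the reference is allowed to escape
 * only if its target is older than the frame being destroyed. */
typedef struct {
    int *ptr;
    int  depth;       /* frame depth of the object *ptr lives in */
} ref_t;
static int cur_depth = 0;                 /* depth of the running frame */
static void enter_frame(void) { cur_depth++; }
static void leave_frame(void) { cur_depth--; }

/* Address a local variable of the running frame. */
static ref_t ref_to_local(int *p) { return (ref_t){ p, cur_depth }; }

/* The runtime check: 1 if r may leave the current frame, 0 if it points
 * into the frame that is about to be popped (i.e. it would dangle). */
static int may_escape(ref_t r) { return r.depth < cur_depth; }

/* Like `ref int f() { int x = 42; return x; }`: must be rejected (returns 0). */
static int escape_check_local(void) {
    enter_frame();
    int local = 42;
    int ok = may_escape(ref_to_local(&local));
    leave_frame();
    return ok;
}

/* Returning a reference to static storage is fine (returns 1). */
static int global_value = 7;
static int escape_check_global(void) {
    enter_frame();
    int ok = may_escape((ref_t){ &global_value, 0 });
    leave_frame();
    return ok;
}

/* A callee returning a reference it received from its caller's frame:
 * the target outlives the callee, so the check passes (returns 1). */
static int callee(ref_t r) { enter_frame(); int ok = may_escape(r); leave_frame(); return ok; }
static int escape_check_outer(void) {
    enter_frame();
    int callers_local = 1;
    int ok = callee(ref_to_local(&callers_local));   /* depth 1 < 2 inside callee */
    leave_frame();
    return ok;
}
```

The same comparison is what a release build would compile out, exactly as array bounds checks are, which is why the static alias analysis the post mentions is the long-term goal.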

