Safe mode in D?
Timon Gehr
timon.gehr at gmx.ch
Fri Oct 18 07:08:14 PDT 2013
On 10/18/2013 09:30 AM, Maxim Fomin wrote:
> ...
Nice collection.
> // ---- Case 12. Breaking immutable via pure ---- //
>
> import std.stdio;
> import core.memory;
>
> class A
> {
> int *ptr;
> ~this()
> {
> (*ptr)++;
> }
> }
>
> pure foo()
> {
> A a = new A;
> int* ptr = new int;
> a.ptr = ptr;
> a = null;
> return ptr;
> }
>
> void main()
> {
> immutable int* ptr = foo();
> writeln(*ptr); // 0
> GC.collect();
> writeln(*ptr); // 1
> }
>
> The latest bug is nice, because after 2.063 Kenji has fixed the
> language, improving consistency of calling immutable/const qualified
> constructors, but allowed to cast return value of pure function to
> immutable because there was belief that inside purity function value
> cannot escape. Such ideom was advertised several times in this
> newsgroups. It appears that idea is not reliable.
>
It's no less of a design issue, but the main problem is actually that
class destructors are unsafe in general.
import core.memory;
class A{
int *ptr;
this(immutable int* ptr)immutable{ this.ptr = ptr; }
~this(){
(*ptr)++;
}
}
immutable y = 2;
void main(){
auto x = new immutable(A)(&y);
GC.collect();
assert(*&y==y); // fails
}
Of course, @safe implicit conversions to immutable do not simplify any
attempt to solve this, but the feature is not essential to the problem.
> Probably there are other cases.
>
> tl;dr do not take into account D' type system and safety seriously.
Your other examples are just DMD bugs afaics. (With the possible
exception of delegate context pointer memory safety, but that is a
simple fix.)
More information about the Digitalmars-d
mailing list