An exegesis of Walter's reference counted slice
Andrei Alexandrescu via Digitalmars-d
digitalmars-d at puremagic.com
Tue Feb 24 11:40:34 PST 2015
I modified Walter's sample code to this:
http://dpaste.dzfl.pl/f3d854feede9. It uses malloc for both the array
and the reference count, and also uses @trusted minimally. I inserted
assert()s here and there to clarify the workings. Nothing big except for
the careful use of @trusted.
I'll use this as a basis of some exegesis.
1. The code is a bit more complicated than it should. Overall this is
not a biggie; regular D users are not supposed to write reference
counted slices casually. But I was bummed that e.g. I found no way to
call emplace() @safe-ly.
2. Michel's point (https://issues.dlang.org/show_bug.cgi?id=14221)
reveals the largest issue with RC/GC integration. We need to find a fix
for it if we want to have the GC lift cycles.
3. opIndex ("here's the magic") is the most interesting part of the
proposal. It disallows unsafe use such as:
@safe ref int fun()
{
auto a = RCArray!int([1, 2, 3]);
return a[1];
}
Nice. I'd go as far as saying that barring implementation bugs, with
DIP25 in tow, and after we fix 14221, it's impossible to get an invalid
memory access with RCArray in @safe code. This (we offer a way to design
@safe arrays and more generally structs that are @safe) is interesting
and important.
That said there is a rub. The part that deallocates memory in the
destructor must be @trusted. That is fine, but the trustworthiness of
that code depends on the "return" attribute in opIndex. Furthermore, if
the author of RCSlice forgets to put "return" there, the compiler won't
help - it just allows wrong code like fun() above to compile and run
(causing dangling pointer use).
So: does DIP25 allow safe slices? Looks that way, though a proof would
be nice. Does it allow other safe interesting structs that own data?
Very likely. Does it allow really sophisticated ownership schemes? We
need to explore that. Does it protect against bugs in implementations of
safe ownership schemes that explicitly release memory? Not too well. I
think the prevalent idiom will be to accompany such artifacts with
unittests that make sure unsafe uses (such as fun() above) do not compile.
Andrei
More information about the Digitalmars-d
mailing list