Is @safe still a work-in-progress?
Walter Bright
newshound2 at digitalmars.com
Thu Aug 23 08:58:38 UTC 2018
On 8/22/2018 6:50 AM, Steven Schveighoffer wrote:
> What about:
>
> size_t put(sink, parameters...)
>
> Does this qualify as the sink being the "return" type? Obviously the real return
> can't contain any references, so it trivially can be ruled out as the
> destination of any escaping parameters.
Your reasoning is correct, but currently it only applies with 'void' return types.
> Or how about a member function that takes a ref parameter? Is `this` the
> "return" or is the ref parameter the "return"?
`this` is the ref parameter. In particular, consider a constructor:
struct S {
int* p;
this(return scope int* p) { this.p = p; }
}
int i;
S s = S(&i);
This code appears in Phobos, and it is very reasonable to expect it to check as
safe.
> My problem with the idea is that it is going to seem flaky -- we are using
> convention to dictate what is actually the return parameter, vs. what
> semantically happens inside the function. It's going to confuse anyone trying to
> do it a different way. I've experienced this in the past with things like
> toHash, where if you didn't define it with the exact signature, it wouldn't
> actually be used.
>
> I realize obviously, that `put` is already specified. But as I said in the bug
> report, we should think twice about defining rules based solely on how Phobos
> does things, and calling that the solution.
Phobos doesn't do this by accident. It's how constructors work (see above) and
how pipeline programming works.
> As for things being made "more flexible in the future" this basically translates
> to code breakage. For example, if you are depending on only the first parameter
> being considered the "return" value, and all of a sudden it changes to encompass
> all your parameters, your existing code may fail to compile, even if it's
> correctly safe and properly annotated.
It's a good point. But I don't see an obvious use case for considering all the
ref parameters as being returns.
> > I want to ensure Atila is successful with this. But that means Phobos has to
>> compile with dip1000. So I need to make it work.
>>
>
> I think it's a very worthy goal to make Phobos work, and a great proof of
> concept for dip1000's veracity.
>
> However, one-off rules just to make it work with existing code go against that
> goal IMO. Rules that stand on their own I think will fare better than ones that
> are loopholes to allow existing code to compile.
I couldn't come up with a better idea than this, and this one works.
More information about the Digitalmars-d
mailing list