DIP 1021--Argument Ownership and Function Calls--Community Review Round 1

ag0aep6g anonymous at example.com
Thu Jul 18 11:16:02 UTC 2019


On 18.07.19 12:42, Nick Treleaven wrote:
> On Thursday, 18 July 2019 at 09:09:37 UTC, ag0aep6g wrote:
[...]
> struct S
> {
>      private byte* ptr;
>      import core.stdc.stdlib;
[...]
>      ~this() @trusted
>      {
>          free(ptr);
>      }
> }
> 
> @safe:
> 
> // won't compile with DIP 1021
> void bad(ref S s, ref byte b)
> {
>      s.destroy;
>      b++;
> }
[...]

I'm not sure if there's a meaningful difference between your code and 
mine. You're calling the destructor explicitly with `destroy`, so it's 
practically the same as my `clear` method, no?

Anyway, I think we're on the same page: The goal of DIP 1021 seems to be 
to allow marking calls to `free` (and similar functions) as @trusted in 
certain situations. The DIP should say this, and give an example.

>> Except it still wouldn't be 100% ok, because @safe code could set `ptr 
>> = new byte;` and then `free` would be called on GC memory.
> 
> It is @safe outside the module that S is defined in with a private ptr 
> (modulo .tupleof).

That's a common hack, but strictly speaking it's an invalid use of 
@trusted. An @trusted function must be safe regardless of where it's 
called from. I.e., it must also be safe when called from within the same 
module.

But finding a solution to that problem is probably outside of the scope 
of the DIP being discussed.
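
To make the point about `@trusted` having to hold for @safe callers in the same module concrete, here is an added D example (not code from this thread or from the DIP); the names `Buf`, `CheckedBuf`, `reseat` and `reseatChecked` are mine, and the defensive `GC.addrOf` check is an addition of mine, not something DIP 1021 proposes.

```d
import core.memory : GC;
import core.stdc.stdlib : free, malloc;

struct Buf
{
    private byte* ptr;

    this(size_t n) @trusted { ptr = cast(byte*) malloc(n); }

    // @trusted promise: ptr is null or came from malloc. Nothing enforces it.
    ~this() @trusted { free(ptr); }
}

// Same module, so `private` is no barrier: @safe code reseats ptr to GC
// memory, after which Buf's destructor hands a GC pointer to free().
@safe void reseat(ref Buf b)
{
    b.ptr = new byte;
}

struct CheckedBuf
{
    private byte* ptr;

    this(size_t n) @trusted { ptr = cast(byte*) malloc(n); }

    // Defensive variant (my addition): GC.addrOf returns null for pointers
    // outside the GC heap, so a reseated GC pointer is left to the collector
    // instead of being passed to free(). This limits the damage; it does not
    // make the @trusted promise hold by construction.
    ~this() @trusted
    {
        if (GC.addrOf(ptr) is null)
            free(ptr);
    }
}

@safe void reseatChecked(ref CheckedBuf b)
{
    b.ptr = new byte;
}

void main() @safe
{
    auto b = Buf(16);
    // reseat(b);  // compiles, but ~this() would then call free() on GC memory

    auto c = CheckedBuf(16);
    reseatChecked(c);  // ~this() sees a GC pointer and skips free()
}
```

The `reseat(b)` call is left commented out because executing it frees GC memory with the C allocator, which is undefined behaviour; the checked variant runs to completion.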

