DIP 1021--Argument Ownership and Function Calls--Community Review Round 1

[Nick Treleaven]

On Monday, 15 July 2019 at 15:23:32 UTC, Mike Parker wrote:
> https://github.com/dlang/DIPs/blob/793f83911fdc8c88c6ef34e6a36b5e11e3e574e5/DIPs/DIP1021.md

OK, I think I have a practical example that this DIP enables. 
Here is a RAII @nogc dynamic array that can be appended to, and 
exposes individual elements by ref. Before the destructor and 
`append` could not be marked @trusted because of `maybe_bad` - 
its ref parameter `i` may have outlived a.data.ptr. Now all 
methods of Array can be @trusted AFAIK.

struct Array
{
     private int[] data;
     import core.stdc.stdlib;
     @nogc:

     void append(int e) @trusted
     {   // inefficient but it works
         const len = data.length + 1;
         auto ptr = cast(int*)realloc(data.ptr, len * int.sizeof);
         data = ptr[0..len];
     }

     ref int get(size_t i) @trusted return
     {
         return data[i];
     }

     ~this() @trusted
     {
         if (data.ptr) free(data.ptr);
     }
}

@safe:

void maybe_bad(ref Array a, ref int i)
{
     a = Array(); // frees a.data.ptr
     i++;
}

void main()
{
     Array a;
     a.append(5);
     // compiler knows result of `get` is owned by `a`
     // error: Can't pass multiple mutable references owned by `a`
     maybe_bad(a, a.get(0));
}

Walter - is this correct?