DIP1000 scope inference
Steven Schveighoffer
schveiguy at gmail.com
Wed Oct 26 14:38:15 UTC 2022
On 10/26/22 4:03 AM, Walter Bright wrote:
> On 10/24/2022 6:35 PM, Steven Schveighoffer wrote:
>> In a `@trusted` function today, without dip1000, the above is
>> perfectly reasonable and not invalid. Will dip1000 make it corrupt
>> memory?
>
> A very good question. Clearly, having code work when it is @safe, but
> cause memory corruption when it is marked @trusted, is the wrong
> solution. This should never happen. I'm not sure what the solution
> should be here.
>
I should be clear here -- the code does *not* compile in @safe code, but
is perfectly reasonable as @trusted code.
What I don't want is the compiler taking actions based on scope
inference that cause memory corruption.
I get that we can say "if it wouldn't compile in @safe, it's on you to
make sure it doesn't corrupt memory as @trusted". But if the reason it's
unsafe is not because of things you wrote, but because of compiler
inference (as in this case), then the compiler should either not do the
inference, or not hoist allocations to the stack based on that inference.
A philosophy/statement to that effect should be satisfactory. The last
thing we want dip1000 to do is *cause* memory corruption.
-Steve