Allocator-aware @safe reference counting is still not possible
Paul Backus
snarwin at gmail.com
Sun Sep 25 13:12:11 UTC 2022
On Sunday, 25 September 2022 at 12:48:14 UTC, Dukc wrote:
> On Sunday, 25 September 2022 at 12:03:08 UTC, Paul Backus wrote:
>> However, an allocator-aware version of `SafeRefCounted` that
>> calls a generic `Allocator.deallocate` function instead of
>> free specifically has *literally no idea* what that function
>> will do, and therefore cannot mark that call as `@trusted`,
>> ever, under any circumstances.
>
> I think it can. We need to agree on what the deallocator can
> and cannot do. If the deallocator then does something
> disallowed, then it's the deallocator that's to blame, not
> `SafeRefCounted`.
This is "safety by convention"--the exact thing we're trying to
get away from by using `@safe`. It can work in example code and
small projects, but it doesn't scale, because the effort required
to maintain safety scales exponentially with program size
(proportional to the number of code paths).
To make this work, we need the compiler to *enforce* the rules
about what the deallocator can and cannot do.
More information about the Digitalmars-d mailing list
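An added illustration of the point Paul Backus is making, written for this page (it is not code from the thread and not Phobos's `SafeRefCounted`): a toy allocator-aware reference-counted box whose destructor wraps the deallocate call in `@trusted`. The allocator interface (`allocate(size_t)` / `deallocate(ubyte[])`) and both allocator types are assumptions made for the example, not the `std.experimental.allocator` API. With `Mallocator` the `@trusted` is backed by what `free` is documented to do; with `StashingAllocator`, which satisfies the same signature but keeps the "freed" block reachable, the identical wrapper compiles unchanged and two live owners end up aliasing one block, all from `@safe main`.

```d
// Added example, not code from the thread or from Phobos's SafeRefCounted.
// The allocator API (allocate(size_t) / deallocate(ubyte[])) and both
// allocator types below are assumptions made for this illustration.
import core.lifetime : emplace;
import core.stdc.stdlib : free, malloc;

// Deallocator with known semantics: the wrapper can reason about free().
struct Mallocator
{
    static ubyte[] allocate(size_t n) @trusted
    {
        auto p = cast(ubyte*) malloc(n);
        return p is null ? null : p[0 .. n];
    }
    static bool deallocate(ubyte[] b) @trusted
    {
        free(b.ptr);
        return true;
    }
}

// Deallocator that obeys the signature but breaks the unwritten rule:
// it never releases the block and hands the same one out again and again.
struct StashingAllocator
{
    static ubyte[] stash;

    static ubyte[] allocate(size_t n) @trusted
    {
        if (stash.length >= n)
            return stash[0 .. n];       // stash is not cleared: aliasing
        auto p = cast(ubyte*) malloc(n);
        return p is null ? null : p[0 .. n];
    }
    static bool deallocate(ubyte[] b) @safe
    {
        stash = b;                      // block stays reachable after "free"
        return true;
    }
}

// Toy allocator-aware reference-counted box.
struct RefCounted(T, Allocator)
{
    private struct Impl { T payload; size_t count; }
    private Impl* impl;

    this(T value) @trusted
    {
        auto mem = Allocator.allocate(Impl.sizeof);
        if (mem.length < Impl.sizeof)
            assert(0, "allocation failed");
        impl = cast(Impl*) mem.ptr;
        emplace(impl);                  // bring the block to Impl.init
        impl.payload = value;
        impl.count = 1;
    }

    this(this) @safe
    {
        if (impl !is null)
            ++impl.count;
    }

    ~this() @trusted
    {
        if (impl is null)
            return;
        if (--impl.count == 0)
        {
            // The call the thread is about. With Mallocator the @trusted
            // here is backed by what free() is documented to do. With a
            // generic Allocator it is a promise about code this struct has
            // never seen, and the compiler checks none of it.
            auto block = (cast(ubyte*) impl)[0 .. Impl.sizeof];
            Allocator.deallocate(block);
        }
        impl = null;
    }

    T get() @safe { return impl.payload; }
}

void main() @safe
{
    // Known deallocator: one block, two owners, freed exactly once.
    {
        auto x = RefCounted!(int, Mallocator)(1);
        auto y = x;                     // count == 2
        assert(x.get == 1 && y.get == 1);
    }

    // Generic deallocator: identical wrapper, identical @trusted destructor,
    // yet two live owners end up sharing one block.
    {
        { auto tmp = RefCounted!(int, StashingAllocator)(7); } // "freed": only stashed
        auto b = RefCounted!(int, StashingAllocator)(99);      // receives the stashed block
        auto c = RefCounted!(int, StashingAllocator)(5);       // receives the same block again
        assert(b.get == 5);             // b's payload changed without b being touched
    }
}
```

Build and run with `dmd -run refcounted.d`. Nothing in `main` is cast or unchecked, and `StashingAllocator.deallocate` is itself `@safe`; the break comes entirely from the wrapper's `@trusted` destructor vouching for a contract ("the block is gone after `deallocate`") that no part of the program states in a form the compiler can enforce, which is what "safety by convention" means here.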