ref parameters: there is no escape

Sun Aug 14 10:39:38 PDT 2011

On 8/14/2011 1:05 PM, Andrei Alexandrescu wrote:
>> Pass-by-pointer is really, really ugly when used in high-level D-style
>> code, and exposes the implementation detail that the D wrapper is using
>> C code. By explicit cast, do you mean one in dWrapper() that's
>> encapsulated and invisible to the caller?
>
> Yah, dWrapper would become:
>
> void dWrapper(ref int a, ref int b) {
> cFun(cast(int*) &a, cast(int*) &b);
> }
>
> If the casts are missing, the compiler's error message could clarify
> under what assumptions they might be inserted.

Ok, IIUC we might have found some common ground here.  Is the idea that, 
if you insert the cast, then it's an unsafe cast and you're free to take 
the address of a ref parameter, period?  I think this is a reasonable 
compromise:

1.  There's enormous precedent for the idea that casts are for things 
you **probably** shouldn't be doing but may occasionally have a good 
reason to do.

2.  It's greppable, unlike the status quo, where there's no easy way to 
search for possible escaping of addresses of ref parameters.

3.  It solves the encapsulation problem mentioned in my previous post.

4.  It can be disallowed in SafeD as an unsafe cast.

5.  If you allow taking the address of ref parameters without a cast as 
long as the compiler can prove that they don't escape, then performing 
this type of cast is a very explicit statement that you **know** the 
compiler can't prove that those addresses don't escape and that you take 
full responsibility for ensuring they don't.

6.  It may eventually lead to a more comprehensive ownership type system 
similar to one that's been discussed here before, where there's 
ScopedPointers and regular pointers.  A ScopedPointer is a super type of 
a regular pointer, isn't allowed to escape from where it was created, etc.

Bottom line:  I completely agree that escaping addresses of ref 
parameters is a terrible design.  I'm fine with making constructs that 
have the potential to do so more verbose and explicit by requiring 
casts.  However, I am against disallowing it completely for the 
following reasons:

1.  The rules against it would have to be conservative, meaning at least 
some valid designs are tossed out as well.  This is completely 
unacceptable in a systems language.

2.  I'm not convinced that escaping addresses of ref parameters is at 
all easy to do by accident.

3.  In a systems language the compiler should **never** go out of its 
way to completely disallow a design, no matter how bad that design is. 
A language is a tool that should do what the user tells it to, not a 
nanny that should prevent the user from being naughty.  (Though this 
does not preclude the compiler making it hard to do bad things **by 
accident**.)  I don't care if said design is wholeheartedly endorsed by 
The Devil himself.