ref is unsafe

[Tommi]

On Friday, 4 January 2013 at 06:30:55 UTC, Sönke Ludwig wrote:
> In other words, references returned by a function call that 
> took any references to locals would be
> tainted as possibly local (in the function local data flow) and 
> thus are not allowed to escape the
> scope. References derived from non-local refs could still be 
> returned and returning references to
> fields from a struct method also works.
>
> ---
> @safe ref int test(ref int v) {
> 	return v; // fine
> }
>
> @safe ref int test2() {
> 	int local;
> 	return test(local); // error: (possibly) returning ref to local
> }
>
> @safe ref int test3() {
> 	int local;
> 	int* ptr = &test(local); // fine, ptr is tainted 'local'
> 	return *ptr; // error: (possibly) returning ref to local
> }
>
> @safe ref int test4(ref int val) {
> 	return test(val); // fine, can only be a ref to the external 
> 'val' or to a global
> }
> ---

Trying to say that formally:

Definitions:
'Tainter function':
     A function that:
     1. takes at least one of its parameters by reference
     and
     2. returns by reference
	
'Tainting function call':
     A call to a 'tainter function' where at least one of the
     arguments passed by reference is ref to a local variable

Then the rules become:
Function may not return a reference to:
Rule 1: a function-local variable
Rule 2. a value returned by a 'tainting function call'

@safe:

ref int tfun(ref int v) { // tfun tagged 'tainter function'
     ...
}

ref int test1() {
     int local;
     return local; // error by Rule 1
}

ref int test2() {
     int local;
     return tfun(local); // error by Rule 2
}

ref int test3() {
     int local;
     int* ptr = &tfun(local); // ptr tagged 'local'
     return *ptr; // error by Rule 2
}

ref int test4(ref int val) {
     return tfun(val); // fine
}

int global;

ref int test5() {
     int local;
     int* ptr = &tfun(local); // ptr tagged 'local'
     ptr = &global; // ptr's 'local' tag removed
     return *ptr; // fine
}