Allocator-aware @safe reference counting is still not possible
Dukc
ajieskola at gmail.com
Fri Apr 14 15:26:00 UTC 2023
On Friday, 14 April 2023 at 13:42:15 UTC, Atila Neves wrote:
> On Sunday, 25 September 2022 at 12:03:08 UTC, Paul Backus wrote:
>> D has made a lot of progress recently on memory safety with
>> `-preview=dip1000`, thanks in no small part to [the work of
>> Dennis Korpel][1]. This progress has in turn enabled the
>> creation of [`SafeRefCounted`][2] by Ate Eskola, which will
>> hopefully be available in the next release of Phobos.
>>
>> [...]
>
> Couldn't it be `@safe` iff the particular allocator's
> deallocate is `@safe` (or missing)?
An interesting question. In principle, you COULD make a `@safe`
allocator that allocates out of a static memory block. You are
only getting and returning `void[]` slices, which in itself isn't
`@system`. What makes it dangerous is that those void slices are
then used as storage for arbitrary types. So if your `@safe`
allocator doesn't do what it's supposed to you can end up
overwriting live pointers, because the allocation machinery does
`@trusted` casts that rely on the custom allocator behaving
right.
In practice it's probably going to be a problem. Maybe the
allocator should instead return some wrapper type over `void[]`
that can only be created or destructed in `@system` code.
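An added illustration of the two ideas in the post above (not code from the original thread, and not Phobos or `SafeRefCounted` code): a bump allocator over a static block whose `allocate`/`deallocate` are `@safe` as written, the `@trusted` cast a `make` helper has to perform on top of it, and a hypothetical `RawBlock` handle whose construction and unwrapping are `@system`. All names (`StaticBlockAllocator`, `make`, `dispose`, `RawBlock`, `RawBlockAllocator`) are assumptions chosen for the example.

```d
module static_block_alloc;

import core.lifetime : emplace;

// Backing store for the hypothetical allocator: a thread-local static block.
private ubyte[4096] block;
private size_t top;          // bump index: bytes handed out so far

// Bump allocator over `block`. It only slices an array it owns, so both
// operations are @safe as written; nothing here needs a cast.
struct StaticBlockAllocator
{
    enum size_t alignment = 16;

    static void[] allocate(size_t n) @safe
    {
        size_t start = (top + alignment - 1) & ~(alignment - 1);
        if (n == 0 || start + n > block.length)
            return null;
        top = start + n;
        return block[start .. top];
    }

    // A bump allocator can only take back its most recent allocation.
    // `is` compares pointer and length without touching `.ptr`, so it
    // stays @safe.
    static bool deallocate(void[] b) @safe
    {
        if (b.length == 0 || b.length > top)
            return false;
        void[] last = block[top - b.length .. top];
        if (!(b is last))
            return false;
        top -= b.length;
        return true;
    }
}

// This is where trust enters. Turning `void[]` into `T*` is a @system
// cast; wrapping it in @trusted is only sound if the allocator returned
// fresh, non-overlapping memory of at least T.sizeof bytes. A misbehaving
// @safe allocator breaks that guarantee without a single @system line of
// its own, which is exactly the hazard the post describes.
T* make(T, Args...)(Args args) @trusted
{
    static assert(T.alignof <= StaticBlockAllocator.alignment);
    void[] mem = StaticBlockAllocator.allocate(T.sizeof);
    if (mem is null)
        return null;
    return emplace!T(cast(T*) mem.ptr, args);
}

bool dispose(T)(T* p) @trusted
{
    destroy(*p);   // run T's destructor, if any, before the bytes go back
    return StaticBlockAllocator.deallocate((cast(ubyte*) p)[0 .. T.sizeof]);
}

// The post's suggested alternative: a handle over `void[]` that @safe code
// can hold and pass along but can neither mint nor unwrap. Creating one
// from raw bytes, or taking the bytes back out, is @system, so whoever
// writes the allocator has to vouch for it with @trusted.
struct RawBlock
{
    private void[] bytes;

    @disable this();                        // no empty handles from @safe code
    this(void[] b) @system { bytes = b; }   // minting a handle is @system
    void[] unwrap() @system                 // so is taking it apart
    {
        auto b = bytes;
        bytes = null;
        return b;
    }
    size_t length() const @safe { return bytes.length; }
}

struct RawBlockAllocator
{
    // @trusted rather than @safe: the allocator author asserts the slice is fresh.
    static RawBlock allocate(size_t n) @trusted
    {
        return RawBlock(StaticBlockAllocator.allocate(n));
    }
}

// A type with a live pointer, the kind of field a misbehaving allocator
// could silently overwrite.
struct Node { int value; Node* next; }

void main() @safe
{
    Node* a = make!Node(1, null);
    Node* b = make!Node(2, a);
    assert(a !is null && b !is null && a !is b);
    assert(b.next is a && a.value == 1);

    // @safe code cannot do `cast(Node*) mem.ptr` itself; it can only reach
    // typed storage through someone's @trusted, here `make`.
    assert(dispose(b));   // bump allocator: most recent allocation first
    assert(dispose(a));

    RawBlock h = RawBlockAllocator.allocate(32);
    assert(h.length == 32);
    // RawBlock r = RawBlock(block[0 .. 32]); // error: @system constructor in @safe code
    // void[] raw = h.unwrap();               // error: @system function in @safe code
}
```

Compile with `dmd -preview=dip1000 static_block_alloc.d`. The point of the `RawBlock` half is not that the handle is unforgeable in an absolute sense (`private` is module-scoped in D, so code in the same module could still touch `bytes`), but that every place raw bytes are turned into typed storage, or a handle is created from raw bytes, is forced to carry an explicit `@system` or `@trusted` mark that a reviewer can audit, instead of hiding behind an allocator that is `@safe` only because it happens to return slices.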