Tell us your DIP1000 woes

Richard (Rikki) Andrew Cattermole richard at cattermole.co.nz
Mon Aug 26 08:33:37 UTC 2024


On 26/08/2024 8:17 PM, Walter Bright wrote:
> I found the following inconsistency:
> 
> ```d
> @safe ref int abc(int i) { return ghi(i); }
> @trusted ref int ghi(ref int r) { return r; }
> 
> @safe int* foo(int i) { return bar(&i); } // Error: reference to local variable `i` assigned to non-scope parameter `p` calling `bar`
> @trusted int* bar(int* p) { return p; }
> ```
> 
> Compiling with -dip1000 gives the error indicated. Note that it did not 
> give an error for the semantically equivalent call to ghi(i).
> 
> Possible resolutions:
> 
> 1. give an error for both
> 
> 2. give no error for both, as @trusted implementations are the user's 
> problem
> 
> 3. disallow taking the address of a local variable in @safe code


There is a fourth option:

Infer for ``@trusted`` functions, but don't validate.

Support describing the empty escape set separately from wanting it inferred.

If set, trust it, otherwise infer.

Will infer:

```d
@trusted ref int ghi(ref int r) { return r; }
```

Will use annotation:

```d
@trusted ref int ghi(@escapevia(return) ref int r) { return r; }
@trusted ref int ghi(@escapevia() ref int r) { return r; }
```

First and second will error, but third won't.

This appears to be an interaction between DIP1000 and the fact that 
``@trusted`` functions have an interface that is required to be 
``@safe`` but not its body validated.
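An added example, not code from this thread, showing how DIP1000's existing `return` annotation on a `@trusted` interface makes the escape explicit, so that both `@safe` callers from the quoted snippet are rejected consistently instead of only the pointer one. It assumes the current flag spelling `-preview=dip1000`, a version identifier `ShowErrors` chosen here for illustration, and the compiler messages in the comments are paraphrased rather than verbatim.

```d
// Added example (not from the thread): annotate the @trusted interface with
// DIP1000's `return` attribute so the checker knows the result aliases the
// argument. Flag spelling assumed:
//   dmd -preview=dip1000 -c dip1000_trusted.d                  // compiles
//   dmd -preview=dip1000 -version=ShowErrors -c dip1000_trusted.d  // rejects both callers
// (`ShowErrors` is a version identifier chosen for this example.)

// `return ref`: the reference may escape only through the return value.
@trusted ref int ghi(return ref int r) { return r; }

// `return scope`: the pointer may escape only through the return value.
@trusted int* bar(return scope int* p) { return p; }

version (ShowErrors)
{
    // With the annotations above, both callers are now rejected under
    // -preview=dip1000, the ref case and the pointer case alike
    // (paraphrased: returning `...` escapes a reference to parameter `i`).
    @safe ref int abc(int i) { return ghi(i); }
    @safe int* foo(int i) { return bar(&i); }
}

// A caller that keeps the alias inside its own frame is still accepted:
// `p` is inferred `scope` because it is initialised from `bar(&i)`, and only
// an `int` by value leaves the function.
@safe int useLocally(int i)
{
    int* p = bar(&i);
    return *p + ghi(i);
}
```

The point for the `@trusted` author is that the annotation is the only thing the checker can see: the body is not validated, so `return ref`/`return scope` is how the interface declares what the body actually does with the parameter.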
