Tell us your DIP1000 woes
Timon Gehr
timon.gehr at gmx.ch
Mon Aug 26 09:31:18 UTC 2024
On 8/26/24 10:17, Walter Bright wrote:
> I found the following inconsistency:
>
> ```
> @safe ref int abc(int i) { return ghi(i); }
> @trusted ref int ghi(ref int r) { return r; }
>
> @safe int* foo(int i) { return bar(&i); } // Error: reference to local
> variable `i` assigned to non-scope parameter `p` calling `bar`
> @trusted int* bar(int* p) { return p; }
> ```
> ...
This is exactly how it should work.
What's inconsistent here is your code. The first `@trusted` function is
invalid. The second `@trusted` function is fine because the parameter is
not `scope`. The second function can even be `@safe`. The first memory
safety bug is therefore not caught (because the bug is in the `@trusted`
function), while the second one is caught (because the bug is in the
`@safe` function).
> Compiling with -dip1000 gives the error indicated. Note that it did not
> give an error for the semantically equivalent call to ghi(i).
>
If you want to attribute blame for a bug, not only the semantics matter,
also the contracts at function interfaces matter. This is exactly why
DIP1000 comes with annotations to make the intent clear and checkable
modularly.
There is no analogy between raw pointers and `ref`, there is an analogy
between `scope` pointers and `ref`.
(If you want to continue this discussion, we should probably take it out
of the thread.)
More information about the Digitalmars-d
mailing list