Thread overview: Is return by ref really @safe?
Michel Fortin (Mar 10, 2010)
bearophile (Mar 10, 2010)
Norbert Nemec (Mar 10, 2010)
Michel Fortin (Mar 10, 2010)
Walter Bright (Mar 13, 2010)
March 10, 2010
This compiles, but should it?

@safe
ref int foo(ref int a) {
	return a;
}

@safe
ref int bar() {
	int a;
	return foo(a); // leaking reference to a beyond bar's scope
}

-- 
Michel Fortin
michel.fortin@michelf.com
http://michelf.com/

March 10, 2010
Michel Fortin:
> This compiles, but should it?

I think the @safe attribute is not significant here, because that code is wrong, in unsafe code too.
I think DMD lets it pass because it's not able to spot the bug. I don't know if and when it will be able to trace such situations, but in the meantime:
http://d.puremagic.com/issues/show_bug.cgi?id=3925

Bye,
bearophile
March 10, 2010
bearophile wrote:
> Michel Fortin:
>> This compiles, but should it?
> 
> I think the @safe attribute is not significant here, because that code is wrong, in unsafe code too.
> I think DMD lets it pass because it's not able to spot the bug. I don't know if and when it will be able to trace such situations, but in the meantime:
> http://d.puremagic.com/issues/show_bug.cgi?id=3925

I would say the possibility of a bug makes this code unsafe by definition. Ref returns must be considered unsafe by default, unless the compiler can know for sure that the object will exist beyond the lifetime of the function.
March 10, 2010
On 2010-03-10 12:33:22 -0500, Norbert Nemec <Norbert@Nemec-online.de> said:

> bearophile wrote:
>> Michel Fortin:
>>> This compiles, but should it?
>> 
>> I think the @safe attribute is not significant here, because that code is wrong, in unsafe code too.
>> I think DMD lets it pass because it's not able to spot the bug. I don't know if and when it will be able to trace such situations, but in the meantime:
>> http://d.puremagic.com/issues/show_bug.cgi?id=3925
> 
> I would say the possibility of a bug makes this code unsafe by definition. Ref returns must be considered unsafe by default, unless the compiler can know for sure that the object will exist beyond the lifetime of the function.

Exactly. This means that half of std.range will have to be @trusted for wrapper ranges like retro.

It also breaks what I think Andrei said once: that 'ref' as implemented in D is guaranteed not to hold dangling references. (But perhaps that's not what he said, I can't remember exactly.) I hope this is not written in TDPL.

And thanks for filing the bug report bearophile.

-- 
Michel Fortin
michel.fortin@michelf.com
http://michelf.com/

March 13, 2010
Michel Fortin wrote:
> This compiles, but should it?
> 
> @safe
> ref int foo(ref int a) {
>     return a;
> }
> 
> @safe
> ref int bar() {
>     int a;
>     return foo(a); // leaking reference to a beyond bar's scope
> }

No.
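The following is an added example, not code posted in this thread. It takes Norbert's point (a ref return is only safe when the referenced object outlives the function) and Michel's worry about wrapper ranges, and shows how the escaping `foo`/`bar` pair from the original post is handled once the parameter carries the `return ref` annotation (DIP25). It assumes a DMD release new enough to enforce that annotation; the `Retro` struct, `okay` and the global `g` are illustrative names chosen here.

```d
// Added example, not from the thread. Assumes a DMD that enforces
// DIP25 `return ref` checking (on by default in recent releases).
@safe:

// `return ref` declares that the result aliases `a`, so every caller is
// checked for letting that reference outlive `a`.
ref int foo(return ref int a) { return a; }

// Accepted: `g` has static storage, so the ref stays valid after `okay` returns.
int g = 42;
ref int okay() { return foo(g); }

// The thread's `bar`. With `return ref` on `foo`, DMD rejects it with
//   Error: returning `foo(a)` escapes a reference to local variable `a`
// so it is kept as a comment here so the file still compiles.
/*
ref int bar() {
    int a;
    return foo(a);
}
*/

// A minimal retro-style wrapper with a ref `front`. Its safety rests on the
// wrapped slice outliving the wrapper: the slice points at GC-managed (or
// caller-owned) memory, not at the wrapper itself, so no local is escaped.
struct Retro {
    int[] data;
    @property bool empty() const { return data.length == 0; }
    @property ref int front() { return data[$ - 1]; }
    void popFront() { data = data[0 .. $ - 1]; }
}

void main() {
    auto arr = [1, 2, 3];
    auto r = Retro(arr);
    r.front = 30;            // writes through the ref into arr
    assert(arr[2] == 30);
    okay() += 1;             // writes through the ref into g
    assert(g == 43);
}
```

The design point is that the annotation moves the lifetime obligation from a convention in the function body to something the compiler checks at each call site: `okay` is accepted because the referenced object has static lifetime, `bar` is rejected because it does not, and the range wrapper needs no `@trusted` because the ref it hands out points into the wrapped slice rather than into the wrapper's own storage.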