June 08, 2022 Re: dip1000 and preview in combine to cause extra safety errors | ||||
|---|---|---|---|---|
| ||||
 Posted in reply to John Colvin | On Wednesday, 8 June 2022 at 17:50:18 UTC, John Colvin wrote: >On Wednesday, 8 June 2022 at 16:58:41 UTC, deadalnix wrote: >On Wednesday, 8 June 2022 at 16:32:25 UTC, John Colvin wrote: The problem is Isn't the DIP process supposed to catch these sorts of things? | |||
June 09, 2022 Re: dip1000 and preview in combine to cause extra safety errors | ||||
|---|---|---|---|---|
| ||||
 Posted in reply to claptrap |
On 09/06/2022 7:18 AM, claptrap wrote:
> Isn't the DIP process supposed to catch these sorts of things?
DIP1000 was the first DIP to go through the new system. But even then, we are still having to change how it works many years after the fact due to the complexities involved.
| |||
June 08, 2022 Re: dip1000 and preview in combine to cause extra safety errors | ||||
|---|---|---|---|---|
| ||||
 Posted in reply to Meta | On Wednesday, 8 June 2022 at 19:07:00 UTC, Meta wrote:
> On Wednesday, 8 June 2022 at 18:44:28 UTC, 12345swordy wrote:
>> On Wednesday, 8 June 2022 at 18:32:41 UTC, Timon Gehr wrote:
>>> [...]
>>
>> I got to say here, you shouldn't be able to compile that code at all if it is going to shoot you in the foot unintentionally.
>>
>> - Alex
>
> I believe this is because foo is not annotated with @safe, thus it's @system by default and you're allowed to do all kinds of unsafe things. Mark it @safe and the compiler will correctly complain:
>
> ```
> @safe
> string foo(in string s)
> {
> return s; // Error: scope variable `s` may not be returned
> }
>
> void main()
> {
> import std.stdio;
> string[] result;
> foreach(c; "hello")
> {
> result ~= foo([c]);
> }
> writeln(result);
> }
> ```
>
> In addition, changing `in` to `const return scope` makes the compiler aware that you intend to return the value, and thus it seems to somehow know not to re-use that stack space, and correctly prints ["h", "e", "l", "l", "o"].
You shouldn't have to mark your functions safe to prevent shooting yourself in the foot. It should give a warning message that can be surpass by explicitly marking your function as system.
-Alex
| |||
June 08, 2022 Re: dip1000 and preview in combine to cause extra safety errors | ||||
|---|---|---|---|---|
| ||||
 Posted in reply to Steven Schveighoffer | On Wednesday, 8 June 2022 at 19:02:53 UTC, Steven Schveighoffer wrote: >But for some reason, this specific code doesn't fail with Apparently Well the real bug in this code lies in Story time: When DIP1000 was first introduced, there was a lot of discussion to make sure we have it behind a switch. So Now the decision that Walter made, and that I, honestly, still do not understand to this day, was to make Later on, there was a push to get rid of most, if not all, usages of Now, that's where I come in. I implemented That's how you end up with: https://github.com/dlang/dmd/blob/7e1b115a0c62c04b74fecfed8a220d5e31cf4fe0/src/dmd/mtype.d#L4397-L4399 Does it make sense ? I don't think so. If it was up to me, Whether it's right or wrong, it's a change that silently introduces memory corruption. It ought to produce a warning for such code. I'm not blaming anybody here for behavior that is probably correct per the spec. But is there no mechanism to be had for warning about this? D already doesn't allow returning a pointer to stack data, even in I have argued with Walter for a long time that having | |||
June 08, 2022 Re: dip1000 and preview in combine to cause extra safety errors | ||||
|---|---|---|---|---|
| ||||
 Posted in reply to Steven Schveighoffer | On Wednesday, 8 June 2022 at 15:35:56 UTC, Steven Schveighoffer wrote: >So silently changing behavior to create new dangling pointers with a preview switch is ok? Remember, there is already code that does this. It's not trying to be clever via scope, it's not trying to be This is one of the reasons why all code should endeavour to be Alas, I do agree that most of us use | |||
June 08, 2022 Re: dip1000 and preview in combine to cause extra safety errors | ||||
|---|---|---|---|---|
| ||||
Posted in reply to Steven Schveighoffer | On Wednesday, 8 June 2022 at 19:02:53 UTC, Steven Schveighoffer wrote: >D already doesn't allow returning a pointer to stack data, even in -Steve D does allow it, just not directly: The philosophy is to force to be explicit in the simplest cases that are almost always errors, but not trying to seriously prevent the escape. | |||
June 08, 2022 Re: dip1000 and preview in combine to cause extra safety errors | ||||
|---|---|---|---|---|
| ||||
 Posted in reply to Dukc | On 6/8/22 4:49 PM, Dukc wrote: >The philosophy is to force to be explicit in the simplest cases that are almost always errors, but not trying to seriously prevent the escape. This is the same case. You are returning what is a a reference to a scope (local) variable, directly. Yes, I know this doesn't mean it catches everything. There is also something to be said about dip1000 not allowing this even for @system code, when it can prove imminent memory corruption. @system code should not set footguns all over the floor, they should be on a back shelf, where you have to go and grab it in order to fire southward. -Steve | |||
June 08, 2022 Re: dip1000 and preview in combine to cause extra safety errors | ||||
|---|---|---|---|---|
| ||||
 Posted in reply to claptrap | On Wednesday, 8 June 2022 at 19:18:20 UTC, claptrap wrote: >On Wednesday, 8 June 2022 at 17:50:18 UTC, John Colvin wrote: >On Wednesday, 8 June 2022 at 16:58:41 UTC, deadalnix wrote: >On Wednesday, 8 June 2022 at 16:32:25 UTC, John Colvin wrote: The problem is Isn't the DIP process supposed to catch these sorts of things? It did. | |||
June 08, 2022 Re: dip1000 and preview in combine to cause extra safety errors | ||||
|---|---|---|---|---|
| ||||
Posted in reply to Steven Schveighoffer | On Wednesday, 8 June 2022 at 21:00:25 UTC, Steven Schveighoffer wrote: >On 6/8/22 4:49 PM, Dukc wrote: >The philosophy is to force to be explicit in the simplest cases that are almost always errors, but not trying to seriously prevent the escape. This is the same case. You are returning what is a a reference to a scope (local) variable, directly. I suppose you're right, that would be good if it errored. In fact, I'm surprised the compiler does not siletly add I did initially advocate for compiling without adding | |||
June 08, 2022 Re: dip1000 and preview in combine to cause extra safety errors | ||||
|---|---|---|---|---|
| ||||
 Posted in reply to John Colvin | On 6/8/2022 10:50 AM, John Colvin wrote:
> The problem is `foo` and whether the compiler should somehow prevent the inconsistency between the signature and implementation. Obviously the answer is “yes, ideally”, but in practice with @safe, @system, dip1000, @live and so on it’s all a mess.
The checks aren't done for @system code. Yes, the compiler believes you for @system code. It's the point of @system code.
If foo() is annotated with @safe,
test6.d(5): Deprecation: scope variable `s` may not be returned
The compiler is working as intended, this is not unexpected behavior.
| |||
Permalink
Reply
