[Issue 22013] Making RefCounted dtor @safe breaks DIP1000
June 10, 2021
https://issues.dlang.org/show_bug.cgi?id=22013

Atila Neves <atila.neves@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |accepts-invalid, safe

--
June 10, 2021
https://issues.dlang.org/show_bug.cgi?id=22013

Dennis <dkorpel@live.nl> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dkorpel@live.nl
           Hardware|x86_64                      |All
                 OS|Linux                       |All

--- Comment #1 from Dennis <dkorpel@live.nl> ---
Can you reduce it to a self-contained test case without Phobos imports?

--
December 06, 2021
https://issues.dlang.org/show_bug.cgi?id=22013

Stanislav Blinov <stanislav.blinov@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |stanislav.blinov@gmail.com

--- Comment #2 from Stanislav Blinov <stanislav.blinov@gmail.com> ---
Adding @safe: at the top stops compilation in its tracks as the ctor and dtor for RefCounted get inferred @system.

With 2.098 and -dip1000, an attempt to escape a local into RefCounted's ctor also __is__ detected.

Escaping a local static array in @safe doesn't seem possible, so it would seem this issue is no longer valid?

However, as pertains to the goals of the pull request mentioned above, even if the aforementioned problems in RefCounted's implementation are fixed, ref counted slices (even in disguise) can't possibly have their destructor @safe, as long as we can do this:

void test() @safe {
    auto slice = makeSomeKindOfRefCountedSlice!int(10);
    int[] local = slice.payload.data;

    static assert(!__traits(compiles, &slice)); // scope
    static assert(!__traits(compiles, &local)); // scope

    slice = slice.init; // drop ref count to 0 and deallocate
    local[1] = 32; // use after free in @safe function
}

It almost looks like we need a way to define functions that return only temporaries (so that the line `int[] local = slice.payload.data` above doesn't compile). Until we can do that in some form, any @safe destructor of such ref-counted slice could only be safe by convention (i.e. what's the point then?).

--
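The use-after-free sketched in Comment #2 above, spelled out as a complete program. This is an added example, not code from the bug report, from Phobos, or from any of the participants: the `RcSlice` type, its `Payload` member and the `-preview=dip1000` invocation are assumptions made for the illustration, and the type stands in for the unnamed `makeSomeKindOfRefCountedSlice` in the comment. The destructor is marked `@trusted` so that `@safe` code may call it, which is exactly the situation the comment argues cannot be made sound: nothing stops the payload slice from being copied out before the count drops to zero.

```d
// Added example (not from the bug thread): a minimal malloc-backed,
// reference-counted int slice whose destructor is callable from @safe code.
// Build with: dmd -preview=dip1000 example.d
// The type name RcSlice and the member names are assumptions for this demo.
import core.stdc.stdlib : malloc, free;

struct RcSlice
{
    struct Payload
    {
        int[] data;   // the owned buffer
        size_t refs;  // reference count
    }
    Payload* payload;

    // Allocate n zeroed ints. @trusted because it builds the slice from a
    // raw malloc pointer, which @safe code may not do itself.
    this(size_t n) @trusted
    {
        payload = cast(Payload*) malloc(Payload.sizeof);
        payload.data = (cast(int*) malloc(n * int.sizeof))[0 .. n];
        payload.data[] = 0;
        payload.refs = 1;
    }

    // Copying a handle bumps the count.
    this(this) @safe
    {
        if (payload) ++payload.refs;
    }

    // Destroying the last handle frees the buffer. The @trusted annotation is
    // the "safe by convention" the comment objects to: any int[] copied out of
    // payload.data earlier now dangles, and the compiler has no way to know.
    ~this() @trusted
    {
        if (payload is null) return;
        if (--payload.refs == 0)
        {
            free(payload.data.ptr);
            free(payload);
        }
        payload = null;
    }
}

void test() @safe
{
    auto slice = RcSlice(10);
    int[] local = slice.payload.data;  // payload escapes as a plain slice;
                                       // accepted in @safe, even with dip1000

    slice = RcSlice.init;  // old handle destroyed: refs -> 0, buffer freed
    local[1] = 32;         // use after free inside a @safe function
}

void main()
{
    test();
}
```

The two lines that matter are the copy of `slice.payload.data` into an ordinary `int[]` and the later assignment that drops the count to zero. Neither is rejected by `@safe` or by `-preview=dip1000`, because the slice is read through a pointer member rather than obtained by taking the address of a local, so no `scope` is inferred for `local`. The program compiles but writes to freed memory, which is the point of the comment: making the destructor callable from `@safe` does not make the type memory safe unless the payload cannot be handed out as a plain slice in the first place.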
August 31, 2022
https://issues.dlang.org/show_bug.cgi?id=22013

RazvanN <razvan.nitu1305@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |razvan.nitu1305@gmail.com
          Component|dmd                         |phobos

--- Comment #3 from RazvanN <razvan.nitu1305@gmail.com> ---
Marking this as a phobos issue.

--
December 17, 2022
https://issues.dlang.org/show_bug.cgi?id=22013

Iain Buclaw <ibuclaw@gdcproject.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P1                          |P2

--