Bug 13983 – RefCounted needs to be @safe

Currently RefCounted fails all three attributes, which greatly limits its usefulness, since the negation of these attributes transitively propagates to its payload and everything underneath. This blocks issue #13936.

ping, this requires a safe wrapper around malloc/free right?

Adding @safe is impossible until a scheme is added to the language to detect escaped references. Adding nothrow is also impossible because this throws when the computer is out of memory.

(In reply to Jack Stouffer from comment #2) > Adding nothrow is also impossible because this throws > when the computer is out of memory. You can still throw an OutOfMemoryError with nothrow. Or does RefCounted throw some an Exception (as opposed to an Error)?

(In reply to Jack Stouffer from comment #2) > Adding nothrow is also impossible because this throws > when the computer is out of memory. This is incorrect since the out-of-memory is an Error, not an Exception, and nothrow functions can throw Errors.

FYI: https://github.com/dlang/phobos/pull/4692

Partial fix (@safe not done) pulled here: https://github.com/dlang/phobos/pull/4832

I' m currently working on a fix for -dip1000 compilable std.algorithm.iteration which will(?) touch "RefCounted needs to be (some more) @safe" as well, sadly all by introducing @trusted :-( ; Am I completely wrong here with @trusted? These are my current typecons.RefCounted related findings in order to fix std/algorithm/iteration.d(4245): Error: @safe function std.algorithm.iteration.__unittest_L4227_C7 cannot call @system function std.algorithm.comparison.equal!().equal!(Result, string[]).equal : ``` diff --git a/std/typecons.d b/std/typecons.d index 3a36bc4..e9f79ba 100644 --- a/std/typecons.d +++ b/std/typecons.d @@ -5540,9 +5540,9 @@ if (!is(T == class) && !(is(T == interface))) { extern(C) private pure nothrow @nogc static // TODO remove pure when https://issues.dlang.org/show_bug.cgi?id=15862 has been fixed { - pragma(mangle, "free") void pureFree( void *ptr ); + pragma(mangle, "free") void pureFree( void *ptr ) @trusted; pragma(mangle, "gc_addRange") void pureGcAddRange( in void* p, size_t sz, const TypeInfo ti = null ); - pragma(mangle, "gc_removeRange") void pureGcRemoveRange( in void* p ); + pragma(mangle, "gc_removeRange") void pureGcRemoveRange( in void* p ) @trusted; } /// $(D RefCounted) storage implementation. @@ -5557,7 +5557,7 @@ if (!is(T == class) && !(is(T == interface))) private Impl* _store; - private void initialize(A...)(auto ref A args) + private void initialize(A...)(auto ref A args) @trusted { import core.exception : onOutOfMemoryError; import std.conv : emplace; @@ -5690,7 +5690,7 @@ to deallocate the corresponding resource. if (--_refCounted._store._count) return; // Done, deallocate - .destroy(_refCounted._store._payload); + () @trusted { .destroy(_refCounted._store._payload); }(); static if (hasIndirections!T) { pureGcRemoveRange(&_refCounted._store._payload); ```

Regarding nothrow and pure, this is fixed as Phobos unittests confirm. Changing the title. And by the way, the struct is also @nogc and -betterC. @safe remains a problem though. It cannot be added in vanilla D, but with -dip1000 flag there may be hope. Atila recently made a PR that attempts to do just that: https://github.com/dlang/phobos/pull/8101

Solved by https://github.com/dlang/phobos/pull/8368. Well, mostly. Caveat 1: It is only `@safe` with the -preview=dip1000 flag. But AFAIK there's no solution to that. Generic safe reference counting without DIP1000 is simply impossible. Caveat 2: To be precise, `RefCounted` is still `@system`. To avoid backward compatibility problems, you have to use `SafeRefCounted` instead if you want to be safe. Feel free to open another issue if you feel these caveats need closing.

This hasn't been solved at all. RefCounted still isn't @safe. SafeRefCounted is merely a workaround. If the existing RefCounted isn't going to be made @safe, it should be deprecated and removed.