← Back to index | Original Bugzilla link

Bug 24724 – Error when @trusted function returns reference to parameter

Status: NEW
Severity: enhancement
Priority: P1
Component: dmd
Product: D
Version: D2
Platform: All
OS: All
Creation time: 2024-08-26T15:57:56Z
Last change time: 2024-12-13T19:37:00Z
Keywords: pull
Assigned to: No Owner
Creator: Nick Treleaven

Moved to GitHub: dmd#20500 →

Comments

Comment #0 by nick — 2024-08-26T15:57:56Z

@trusted ref int a(ref int r) { return r; } @trusted int* b(ref int r) { return &r; } The above functions violate the @trusted requirement of having a safe interface, so these should both error on their return statements. The `return` attribute is a requirement for a safe interface when a `ref` parameter may escape. Otherwise, those functions should be @system (then no error is needed). PR incoming. Note the following are errors even in @system code: @system ref int c(int r) { return r; } @system int* d(int r) { return &r; }

Comment #1 by elpenguino+D — 2024-08-26T16:06:29Z

https://dlang.org/spec/function.html#trusted-functions "Like safe functions, trusted functions have safe interfaces. Unlike safe functions, this is not enforced by restrictions on the function body." We have a method to enforce safe interfaces. It's @safe.

Comment #2 by dlang-bot — 2024-08-26T16:14:12Z

@ntrel created dlang/dmd pull request #16814 "Fix Bugzilla 24724 - Error when @trusted function returns reference t…" fixing this issue: - Fix Bugzilla 24724 - Error when @trusted function returns reference to parameter Make it a deprecation for now. https://github.com/dlang/dmd/pull/16814

Comment #3 by nick — 2024-08-26T18:54:48Z

> this is not enforced by restrictions on the function body Why not enforce it at the interface level?

Comment #4 by nick — 2024-08-26T18:57:12Z

In what scenario is allowing @trusted to have an unsafe interface useful? A single example will suffice, please provide one (that can't be @system).

Comment #5 by elpenguino+D — 2024-08-26T19:37:45Z

(In reply to Nick Treleaven from comment #3) > > this is not enforced by restrictions on the function body > > Why not enforce it at the interface level? We do. With `@safe`. `@trusted` is specifically for manual enforcement. (In reply to Nick Treleaven from comment #4) > In what scenario is allowing @trusted to have an unsafe interface useful? A > single example will suffice, please provide one (that can't be @system). The compiler can't prove all memory-safe code is memory-safe, only a subset. It is occasionally useful to call manually-verified code from `@safe` functions, which `@trusted` enables. There is no other value to it. Adding enforcement to it removes that value, and reduces it to just a carbon copy of `@safe`. I'd rather see `@trusted` removed entirely than go down that path.

Comment #6 by dkorpel — 2024-08-26T20:20:19Z

(In reply to Nick Treleaven from comment #4) > In what scenario is allowing @trusted to have an unsafe interface useful? A > single example will suffice, please provide one (that can't be @system). The interface is not necessarily unsafe. The example you gave is trivial, but the return statement may be unreachable or guarded like so: ``` @trusted int* b(ref int r) { if (isInDataSegment(&r)) return &r; else return null; } ```

Comment #7 by robert.schadek — 2024-12-13T19:37:00Z

THIS ISSUE HAS BEEN MOVED TO GITHUB https://github.com/dlang/dmd/issues/20500 DO NOT COMMENT HERE ANYMORE, NOBODY WILL SEE IT, THIS ISSUE HAS BEEN MOVED TO GITHUB