I’m really excited about this proposal! I think it could help WebKit a lot.
A few things I mentioned in today’s meet-up:
- I believe this analysis can also enforce the
noescapefunction argument attribute with relatively little additional effort. The strawman proposal is to model anoescapefunction argument as having an OriginSet that contains a single Loan that originates at the start of the function and invalidates at every function return point. - If we enforce
noescape, then we can also turn this intra-procedural analysis into an inter-procedural analysis, still based on local reasoning, again with relatively little additional effort. The strawman proposal is: Any value whose OriginSet includes a non-opaque Loan, if passed as a function argument in a parameter slot that has no declared lifetime label (i.e., the declared function parameter has the Opaque origin), is by definition a Potential Dangling Pointer. (Since the dangling pointer is only potential, it probably only emits a warning in strict mode.) The programmer can cure this warning by marking the parameternoescape,[[clang::lifetimebound]], or[[clang::lifetime_capture_by]]. (Of course, the compiler may still signal a different warning if it finds a contradiction with these attributes.)