[SNIP]
>> If foo->bar() can mutate the lifetime of foo, of course you must take a 
>> strong
>> reference to foo. Nothing about auto or range-for changes this.
>
>What auto does is make it really hard to tell whether a strong reference is
>being taken.
>
>> If you don't understand your lifetimes, you get bugs.
>
>Fully agreed.  The discussion is about whether auto helps or hinders that
>understanding.  The answer is that it depends on the surrounding code, from
>where I sit...
>
>-Boris

So, where do we go from here?

It's clear that auto is not as safe as some/many believe it to be; it
can, as Boris (and smaug and Xidorn) say, hide lifetime issues and lead to
non-obvious UAFs and the like.  Some uses are certainly safe, but it
isn't always obvious looking at a patch (per above), requiring more code
investigation by the reviewer.  If the resultant type isn't obvious,
then using it isn't helping comprehension.  When reading the code in the
future, if the reader has to do non-trivial investigation just to know
what's going on, it's hurting our work.

If the win is to avoid typing... I'd say it's not worth the risk.  Or
allow it, but only with commentary as to why it's safe, or with rules
about what sort of types it's allowed with, and anything other than those
requires justification in comments/etc.

-- 
Randell Jesup, Mozilla Corp
remove "news" for personal email
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform

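The lifetime hazard Boris and Randell are discussing, shown as an added example that is not code from the thread or from Gecko: a getter returns a raw pointer, `auto` silently deduces that raw pointer type rather than a strong reference, and a call that mutates the owner's lifetime leaves the local dangling. The `RefPtr`, `Child` and `Owner` classes below are a minimal stand-in written for this example (an assumption, not Mozilla's RefPtr implementation); the names `GetChild`/`DropChild` are likewise hypothetical. The dangling pointer is never dereferenced, so the program itself is well-defined; a destruction counter records that the object is already gone.

```cpp
#include <cstdio>
#include <type_traits>
#include <utility>

// Counts Child destructions so a test can observe "destroyed while a raw
// pointer to it was still in scope" without touching freed memory.
static int gDestroyed = 0;

// Intrusively refcounted object, in the AddRef/Release style (constructed
// stand-in for the real thing).
class Child {
 public:
  void AddRef() { ++mRefCnt; }
  void Release() { if (--mRefCnt == 0) delete this; }
  int RefCount() const { return mRefCnt; }
  ~Child() { ++gDestroyed; }
 private:
  int mRefCnt = 0;
};

// Minimal strong-reference smart pointer (assumption: mimics RefPtr<T>
// semantics only as far as this example needs).
template <class T>
class RefPtr {
 public:
  RefPtr() = default;
  RefPtr(T* p) : mPtr(p) { if (mPtr) mPtr->AddRef(); }
  RefPtr(const RefPtr& o) : RefPtr(o.mPtr) {}
  RefPtr& operator=(const RefPtr& o) { RefPtr tmp(o); std::swap(mPtr, tmp.mPtr); return *this; }
  RefPtr& operator=(std::nullptr_t) { RefPtr tmp; std::swap(mPtr, tmp.mPtr); return *this; }
  ~RefPtr() { if (mPtr) mPtr->Release(); }
  T* get() const { return mPtr; }
  T* operator->() const { return mPtr; }
 private:
  T* mPtr = nullptr;
};

// Owner holds the only strong reference to its Child. GetChild() returns a
// raw pointer, a common getter shape; DropChild() is the "foo->bar() can
// mutate the lifetime of foo" case from the thread.
class Owner {
 public:
  Owner() : mChild(new Child()) {}
  Child* GetChild() const { return mChild.get(); }
  void DropChild() { mChild = nullptr; }
 private:
  RefPtr<Child> mChild;
};

// Returns true if the Child was destroyed while `child` was still in scope,
// i.e. `child` now dangles and any later use would be a UAF.
bool AutoHidesRawPointer() {
  gDestroyed = 0;
  Owner owner;
  auto child = owner.GetChild();   // reads like "a child", but deduces Child*
  static_assert(std::is_same<decltype(child), Child*>::value,
                "auto deduced the raw pointer, not a strong reference");
  owner.DropChild();               // owner's strong ref released; refcount hits 0
  return gDestroyed == 1;          // child is gone; `child` is dangling
}

// Same sequence with the type spelled out: RefPtr<Child> takes its own
// strong reference, so DropChild() cannot free the object under us.
bool ExplicitStrongRefKeepsAlive() {
  gDestroyed = 0;
  Owner owner;
  RefPtr<Child> child = owner.GetChild();   // AddRef: refcount 2
  owner.DropChild();                        // refcount 1, still alive
  return gDestroyed == 0 && child->RefCount() == 1;
}                                           // `child` releases the last ref here

int main() {
  std::printf("auto left a dangling pointer: %s\n",
              AutoHidesRawPointer() ? "yes" : "no");
  std::printf("explicit RefPtr kept the object alive: %s\n",
              ExplicitStrongRefKeepsAlive() ? "yes" : "no");
  return 0;
}
```

The review-time point is visible in the two declarations: a reader of `auto child = owner.GetChild();` cannot tell from the patch whether a strong reference was taken without chasing `GetChild`'s return type, while `RefPtr<Child> child = ...` states it on the line. A `static_assert(!std::is_pointer<decltype(x)>::value, ...)` next to an `auto` that is meant to hold a strong reference is one cheap way to make the intent checkable rather than assumed.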