Add rules for ref safety

[BillWagner]

This updates the Variables clause with several sections for ref safety.

This PR is primarily from taking the text from the Span safety proposal and editing into the style for the standard.

In addition, a few rules were added:

1. out parameters can't be returned by ref
2. An instance method of a struct can't return this by ref.
3. An in parameter can't be returned by ref, only by ref readonly.

The third rules makes this illegal:

public ref int MakeWritable(in int p)
{
    return ref p; // Error,
 }

readonly int j = 5;

ref int k = MakeWritable(in j);
k = 7;

[BillWagner]

This section doesn't handle a rule needed later in C# 11 (when ref fields are allowed):

• A ref parameter can't be returned by ref as a field in another ref argument.

For example:

ref struct S { 
  ref int refField;
}

void M(ref S p1, ref int p2) {
   p1.refField = ref p2;
}

These rules would allow that because both p1 and p2 have ref-safe-to-escape-scope of calling-method. But, doing so could be dangerous: p2 could be a local in the calling method, and p1 could be a static field in the type of the calling method.

[jskeet]

This is a very shallow review - I'll do a more complete one when I have more mental energy. (I get very confused by all of this.)

[Nigel-Ecma]

I haven't done a thorough review today but did find a possible typo and, to me at least, a lack of distinction between a variable/location and it’s contents. I know this stuff can be hard to comprehend for many (a student) – variables have names & values, and a name can itself be a value (aka reference, pointer, address – words which may have different semantics depending on the language). We just need to be clear what is escaping etc. using whatever language we decide or it will be confusing to many.

[BillWagner]

@jskeet I think this one is now ready. I'd like to have async reviews before our April meeting. If so, I can clean up the remaining ref related PRs for V7.

[jskeet]

Sounds good to me. We can discuss it in today's meeting to try to get anything sync out of the way.

[jskeet]

A bunch of comments that I hope are useful. The whole thing bamboozles me anyway, but I think it's also harder to read because a name change may have been incompletely implemented. (Either that, or we need to define safe-to-escape-scope somewhere...)

I'm hoping that next time I look, it'll make more sense to me :) (I know the gist of what we're trying to achieve, but the terminology somehow just won't stick in my brain.)

[BillWagner]

responding to initial review

[jskeet]

Just as an FYI: I'll look at this again tomorrow UK time, and answer questions then.

[jskeet]

I think I'm getting closer to approving :) At some point I think we'll need to just say "Good enough for now" and make any further changes later.

[BillWagner]

First update to resolve many of the review comments.

[BillWagner]

Tagging @jaredpar @gafter @cston @RikkiGibson to look at the diffs for #d8dd5d4523dc88c51ad2dc7888968bb5659ad0de

From an earlier conversation, I'm splitting the rules for ref_safe_to_escape (not referred to as ref_safe_scope, and safe_to_escape.

The reason is that the safe_to_escape rules are only interesting in how they apply to ref struct types. Any other variable type can be copied (by value) anywhere.

A ref struct is constrained: It can only be copied within the ref_safe_scope of its referent. Moving these rules into the section on ref structs makes that distinction more clear.

[Nigel-Ecma]

Just a single comment but git decided it needed to be a review…

[jskeet]

Much clearer than before, thanks. I've raised various comments, but I think my overall feeling is:

• We need another pass at consistency of terms and dash-separation vs underscore_separation
• It feels like we're missing a definition of "safe to ref return". It's possible I just missed it though!

[jskeet]

@gafter will have a look at this, and there are a few actions defined in comments, but otherwise, we're ready to merge.

[RexJaeschke]

@ BillWagner. Per your request, I just looked over this PR and saw a potential problem in the following:

There are three valid ref-safe-scopes:

• block: A variable_reference to a local variable declared in a block is valid from its declaration to the end of the block in which it is declared. The ref-safe-scope of a local variable is block. A local variable declared in a method has a ref-safe-scope of the block that defines the method. A variable declared in a block is a valid referent only if the reference variable is declared in the same block after the referent, or a nested block.
• function-member: A variable_reference to a value parameter on a function member declaration, including the implicit this parameter is valid in the entire function member. The ref-safe-scope of the fields of a struct type is function-member. A variable with ref-safe-scope of function-member is a valid referent only if the reference variable is declared in the same function member.
• caller-scope: Member fields of a class type and ref parameters have ref-safe-scope of caller-scope. A variable with ref-safe-scope of caller-scope can be the referent of a reference return. A variable that can be the referent of a reference-return is safe-to-ref-return.

I'm concerned about defining a new term called block, as we already have a grammar rule by that name. My first thought was to rename your 3 new terms ref-safe-block-scope, ref-safe-function-member-scope, and ref-safe-caller-scope. However, I realize they are rather long, and perhaps a little unwieldy. But it does directly relate them.

In the definition of block, "The ref-safe-scope of a local variable is block.", if "block" is intended to be a reference to a grammar rule, it should be italicized. Likewise for "function-member" in "The ref-safe-scope of the fields of a struct type is function-member." in the function-member definition EXCEPT that grammar rules use "_" rather than "-", so I'm not sure what this (and possibly "block") are referring to.

[BillWagner]

I'm concerned about defining a new term called block, as we already have a grammar rule by that name. My first thought was to rename your 3 new terms ref-safe-block-scope, ref-safe-function-member-scope, and ref-safe-caller-scope. However, I realize they are rather long, and perhaps a little unwieldy. But it does directly relate them.

I'll propose that we should use these terms. Yes, they are unwieldy, but so are the concepts. These terms directly relate to the concepts, as you say.

I've been looking for terms that were both succinct and descriptive, and I've always come up short. I think descriptive wins.

I'd like others thoughts before I make those edits. Tagging @gafter @jskeet @MadsTorgersen @Nigel-Ecma

[Nigel-Ecma]

I'll propose that we should use these terms. Yes, they are unwieldy, but so are the concepts. These terms directly relate to the concepts, as you say.

I've been looking for terms that were both succinct and descriptive, and I've always come up short. I think descriptive wins.

I'd like others thoughts before I make those edits. Tagging @gafter @jskeet @MadsTorgersen @Nigel-Ecma

Agree, go wth the longer descriptive terms

[jskeet]

Minor comments, but I think I'm still fine with it. There may well be nuances that I've missed - the whole thing is quite confusing, but that's just the nature of it.

[jskeet]

Minor comments, but I think I'm still fine with it. There may well be nuances that I've missed - the whole thing is quite confusing, but that's just the nature of it.

[jskeet]

Minor comments, but I think I'm still fine with it. There may well be nuances that I've missed - the whole thing is quite confusing, but that's just the nature of it.

[jskeet]

Minor comments, but I think I'm still fine with it. There may well be nuances that I've missed - the whole thing is quite confusing, but that's just the nature of it.

[Nigel-Ecma]

I'm marking this a "request changes" but I'm only suggesting the change and others might manage better wordsmithing.