In this model, ownership is checked statically when variables go out of scope and before assignment.
"Owner pointers" must be uninitialized or null at the end of their scope.
Basically, the nullable state needs to be tracked at compile time, and nullable pointers,despite being a separate feature, reuse the same flow analysis.
For the impatient reader, a simplified way to think about it is to compare it with C++'s unique_ptr.
The difference is that, instead of runtime code being executed at the end of the scope (a destructor), we perform a compile-time check to ensure that the owner pointer is not referring to any object. The same before assignment.
So we get the same guarantees as C++ RAII, with some extras. In C++, the user has to adopt unique_ptr and additional wrappers (for example, for FILE). In this model, it works directly with malloc, fopen, etc., and is automatically safe, without the user having to opt in to "safety" or write wrappers. Safety is the default, and the safety requirements are propagated automatically.
It is interesting to note that propagation also works very well for struct members. Having an owner pointer as a struct member requires the user to provide a correct "destructor" or free the member manually before the struct object goes out of scope.
#pragma safety enable
#include <stdio.h>
int main() { FILE *_Owner _Opt f = fopen("file.txt", "r"); if (f) { fclose(f); } }
At the end of the scope of f, it can be in one of two possible states: "null" or "moved" (f is moved in the fclose call).
These are the expected states for an owner pointer at the end of its scope, so no warnings are issued.
Removing _Owner _Opt we have exactly the same code as users write today. But with the same or more guarantees than C++ RAII.