[Issue 17049] [scope] member methods not escape checked like free functions
[Issue 17049] [scope] class references are not escape checked like pointers
December 31, 2016
https://issues.dlang.org/show_bug.cgi?id=17049

Martin Nowak <code@dawg.eu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Hardware|x86_64                      |All
                 OS|Linux                       |All
           Severity|enhancement                 |normal

--
December 31, 2016
https://issues.dlang.org/show_bug.cgi?id=17049

Martin Nowak <code@dawg.eu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |safe

--
February 21, 2017
https://issues.dlang.org/show_bug.cgi?id=17049

--- Comment #1 from Martin Nowak <code@dawg.eu> ---
No longer works (not even for int*) with dmd-master-2017-01-04 and -dip1000.

--
February 22, 2017
https://issues.dlang.org/show_bug.cgi?id=17049

Walter Bright <bugzilla@digitalmars.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |bugzilla@digitalmars.com
         Resolution|---                         |INVALID

--- Comment #2 from Walter Bright <bugzilla@digitalmars.com> ---
The reason no error is detected is because there isn't one. The declaration:

   S s;

does not declare a pointer that points to the stack.

--
February 24, 2017
https://issues.dlang.org/show_bug.cgi?id=17049

Martin Nowak <code@dawg.eu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |---

--- Comment #3 from Martin Nowak <code@dawg.eu> ---
Remember how we agreed that the compiler shouldn't be too smart when
inferring whether the return value could alias any of the arguments.
This is crucial to support ownership idioms such as unique, where the container
could for example just wrap an int handle.
Use-after-free for handles is no different from dangling pointers, just as
unsafe and able to corrupt memory.

struct S
{
    float* ptr; // needs a pointer for the compiler to attach the lifetime of get's return value to S
    @safe P get() return scope;
}

P escape() @safe
{
    scope S s; // need to explicitly declare this as scope for the compiler to infer get's return value as scope
    P p = s.get();
    return p;
}

//////////

Here is a simpler example on why this is broken.

struct S
{
    @safe S* get() return scope
    {
        return &this;
    }
}

S* escape() @safe
{
    S s;
    auto ps = s.get();
    return ps;
}

In `auto ps = s.get()` the compiler should conservatively assume that ps points to s, simply b/c the signature (w/ return scope) would allow it to do so. Even if the return type is seemingly unrelated to the passed-in scope arguments, type conversions may be done by @trusted functions that are not transparent to the compiler.

--
February 24, 2017
https://issues.dlang.org/show_bug.cgi?id=17049

--- Comment #4 from Martin Nowak <code@dawg.eu> ---
There is a difference between member functions and free functions.

static @safe S* get2(return ref scope S _this)
{
    return &_this;
}

struct S
{
    @safe S* get1() return scope
    {
        return &this;
    }
}

S* escape() @safe
{
    S s;
    auto ps1 = s.get1();
    auto ps2 = s.get2();
    return ps1; // works
    // return ps2; // doesn't work
}

--
February 24, 2017
https://issues.dlang.org/show_bug.cgi?id=17049

--- Comment #5 from Martin Nowak <code@dawg.eu> ---
(In reply to Martin Nowak from comment #4)
>     return ps1; // works
  silently escapes !!!
>     // return ps2; // doesn't work
  correctly errors on escape !!!
> }

--
February 24, 2017
https://issues.dlang.org/show_bug.cgi?id=17049

--- Comment #6 from Martin Nowak <code@dawg.eu> ---
And the same is supposed to work for foreign pointers?

static @safe float* get2(return ref scope S _this)
{
    return convert(&_this);
}

@trusted float* convert(S* s) { return cast(float*)s; }

struct S
{
}

float* escape() @safe
{
    S s;
    auto pf = s.get2();
    return pf; // works
}
----
Error: scope variable pf may not be returned
----

--
February 24, 2017
https://issues.dlang.org/show_bug.cgi?id=17049

--- Comment #7 from Martin Nowak <code@dawg.eu> ---
And this is supposed to not work?

struct Handle { int a; }

static @safe Handle get2(return ref scope S _this)
{
    return Handle(1);
}

struct S
{
}

Handle escape() @safe
{
    S s;
    auto h = s.get2();
    return h; // works
}

--
February 25, 2017
https://issues.dlang.org/show_bug.cgi?id=17049

Martin Nowak <code@dawg.eu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|[scope] class references    |[scope] member methods not
                   |are not escape checked like |escape checked like free
                   |pointers                    |functions

--- Comment #8 from Martin Nowak <code@dawg.eu> ---
The Handle case would need to look like this, w/ a free function dmd correctly prevents escaping.

struct Handle
{
    @safe:
    int fd;
    @disable this(this);
    ~this() {}
} // not-copyable

static @safe ref int get1(return ref scope Handle _this)
{
    return _this.fd;
}

int* escape1() @safe
{
    Handle h;
    auto p = &h.get1();
    return p;
}

static @safe int* get2(return ref scope Handle _this)
{
    return &_this.fd;
}

int* escape2() @safe
{
    Handle h;
    auto p = h.get2();
    return p;
}

----
/tmp/tmp.Rm7L5V5FW1/bug.d(17): Error: cannot take address of ref return of get1() in @safe function escape1 // this restriction might get removed at some point
/tmp/tmp.Rm7L5V5FW1/bug.d(18): Error: scope variable p may not be returned
/tmp/tmp.Rm7L5V5FW1/bug.d(30): Error: scope variable p may not be returned
----

So the problematic bug is that member methods are not correctly checked.

--