December 22, 2012
http://d.puremagic.com/issues/show_bug.cgi?id=9195

           Summary: Can do pointer arithmetic in safeD!
           Product: D
           Version: D2
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: major
          Priority: P2
         Component: DMD
        AssignedTo: nobody@puremagic.com
        ReportedBy: dmitry.olsh@gmail.com


--- Comment #0 from Dmitry Olshansky <dmitry.olsh@gmail.com> 2012-12-22 11:42:23 PST ---
Pointer arithmetic limitation is too dam easy to side step. In fact I did it accidentaly.

The snippet shows the problem in its full glory:


@safe uint* glorious(uint * ptr, size_t offset)
{
    return &ptr[offset];
}

//correctly can't be @safe
/*@safe*/ @trusted uint* casual(uint * ptr, size_t offset)
{
    return ptr+offset;
}

@safe void main()
{
    uint[] arr = [1, 2, 3, 4];
    assert(*casual(arr.ptr, 3) == 4);
    assert(*glorious(arr.ptr, 3) == 4);
    assert(glorious(arr.ptr, 0xdead_beaf) == casual(arr.ptr, 0xdead_beaf));
}

This undermines the whole promise of memory safety in SafeD  - if you can index raw pointers you no safer then with direct pointer arithmetic.

-- 
Configure issuemail: http://d.puremagic.com/issues/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
December 30, 2012
http://d.puremagic.com/issues/show_bug.cgi?id=9195


Jonathan M Davis <jmdavisProg@gmx.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jmdavisProg@gmx.com


--- Comment #1 from Jonathan M Davis <jmdavisProg@gmx.com> 2012-12-30 03:58:32 PST ---
I don't see the problem here. The pointer arithmetic is in @trusted code. It's up to the programmer - not the compiler - to verify the safety of the code in that case. And all of the unsafe operations are in @trusted code. If you don't want this to happen, then don't mark a function as @trusted when it doesn't make sense to. This code is a problem simply because code which had no business being marked as @trusted was marked as @trusted. What would you expect to work differently about this?

-- 
Configure issuemail: http://d.puremagic.com/issues/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
December 30, 2012
http://d.puremagic.com/issues/show_bug.cgi?id=9195



--- Comment #2 from Dmitry Olshansky <dmitry.olsh@gmail.com> 2012-12-30 04:20:34 PST ---
(In reply to comment #1)
> I don't see the problem here. The pointer arithmetic is in @trusted code. It's up to the programmer - not the compiler - to verify the safety of the code in that case. And all of the unsafe operations are in @trusted code. If you don't want this to happen, then don't mark a function as @trusted when it doesn't make sense to. This code is a problem simply because code which had no business being marked as @trusted was marked as @trusted. What would you expect to work differently about this?

It's not @trusted. casual is a doing a pointer atirhmetic just fine.

But see 'glorious' function in this example. It is does the same pointer arithmetic but it's marked @safe and main is @safe! All compiles and runs, it's a bug in @safety.

-- 
Configure issuemail: http://d.puremagic.com/issues/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
December 30, 2012
http://d.puremagic.com/issues/show_bug.cgi?id=9195



--- Comment #3 from Jonathan M Davis <jmdavisProg@gmx.com> 2012-12-30 14:35:00 PST ---
> It's not @trusted. casual is a doing a pointer atirhmetic just fine.

But casual is marked as @trusted, so I don't see any problem there at all.

As for glorious, what pointer arithmetic is it doing? I just see it indexing an array, which would be bounds checked. Though actually, it looks like it's taking the address of a local variable, which is supposed to be @system. So, _that_ is a bug, but I don't see any pointer arithmetic here which is marked with @safe when it should be @system. It's the & which is the problem.

-- 
Configure issuemail: http://d.puremagic.com/issues/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
December 30, 2012
http://d.puremagic.com/issues/show_bug.cgi?id=9195


Simen Kjaeraas <simen.kjaras@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |simen.kjaras@gmail.com


--- Comment #4 from Simen Kjaeraas <simen.kjaras@gmail.com> 2012-12-30 15:34:22 PST ---
> As for glorious, what pointer arithmetic is it doing? I just see it indexing an
array, which would be bounds checked.

Look again. It's not indexing an array, it's indexing a pointer.

-- 
Configure issuemail: http://d.puremagic.com/issues/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
December 31, 2012
http://d.puremagic.com/issues/show_bug.cgi?id=9195



--- Comment #5 from Jonathan M Davis <jmdavisProg@gmx.com> 2012-12-30 17:26:28 PST ---
> Look again. It's not indexing an array, it's indexing a pointer.

Hmmm. Yes, you're right. It's indexing a pointer. I guess that that's currently considered @safe, though underneath the hood, it's really no different from pointer arithmetic. Dereferencing the pointer should be fine, and ptr[0] should be fine for that same reason, but ptr[x] could be doing who-knows-what and isn't really any different from *(ptr + x), so that should be considered @system and isn't.

So, I'd say that the problem is that indexing a pointer is considered @safe when it shouldn't be, presumably because it's not explicit pointer arithmetic. The fact that you were talking about pointer arithmetic threw me off, since the explicit pointer arithmetic _isn't_ @safe, and I guess that Walter got thrown off in a similar way when he made pointer arithmetic @system.

-- 
Configure issuemail: http://d.puremagic.com/issues/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
January 14, 2013
http://d.puremagic.com/issues/show_bug.cgi?id=9195


yebblies <yebblies@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |pull
         AssignedTo|nobody@puremagic.com        |yebblies@gmail.com


--- Comment #6 from yebblies <yebblies@gmail.com> 2013-01-14 21:59:48 EST ---
https://github.com/D-Programming-Language/dmd/pull/1482

-- 
Configure issuemail: http://d.puremagic.com/issues/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
January 14, 2013
http://d.puremagic.com/issues/show_bug.cgi?id=9195



--- Comment #7 from github-bugzilla@puremagic.com 2013-01-14 11:49:06 PST ---
Commits pushed to master at https://github.com/D-Programming-Language/dmd

https://github.com/D-Programming-Language/dmd/commit/580eb165d141848658ea71ac6cba54e3023d98a8 Fix Issue 9195 - Should not be able to index a pointer in safed

This prevents indexing a pointer in @safe code unless the index is known at compile time to be zero.

https://github.com/D-Programming-Language/dmd/commit/e97e886c7a092a279bf72b1ad5e6fb63dc81b82e Merge pull request #1482 from yebblies/issue9195

Issue 9195 - Should not be able to index a pointer in safed

-- 
Configure issuemail: http://d.puremagic.com/issues/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
January 14, 2013
http://d.puremagic.com/issues/show_bug.cgi?id=9195


Walter Bright <bugzilla@digitalmars.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |bugzilla@digitalmars.com
         Resolution|                            |FIXED


-- 
Configure issuemail: http://d.puremagic.com/issues/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
January 16, 2013
http://d.puremagic.com/issues/show_bug.cgi?id=9195



--- Comment #8 from github-bugzilla@puremagic.com 2013-01-16 11:50:29 PST ---
Commits pushed to master at https://github.com/D-Programming-Language/dmd

https://github.com/D-Programming-Language/dmd/commit/3d5b45196c687b714928954b027ef2944ca0beac Fix Issue 9195 - Should not be able to index a pointer in safed

Allow pointer arithmetic when using an offset that is known to be zero

https://github.com/D-Programming-Language/dmd/commit/381bddf74ba9ddbd298491c182cc58043958f455 Merge pull request #1492 from yebblies/issue9195

Fix Issue 9195 - Should not be able to index a pointer in safed

-- 
Configure issuemail: http://d.puremagic.com/issues/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
Top | Discussion index | About this forum | D home