December 22, 2012
[Issue 9195] New: Can do pointer arithmetic in safeD!
http://d.puremagic.com/issues/show_bug.cgi?id=9195

          Summary: Can do pointer arithmetic in safeD!
          Product: D
          Version: D2
         Platform: All
       OS/Version: All
           Status: NEW
         Severity: major
         Priority: P2
        Component: DMD
       AssignedTo: nobody@puremagic.com
       ReportedBy: dmitry.olsh@gmail.com


--- Comment #0 from Dmitry Olshansky <dmitry.olsh@gmail.com> 2012-12-22 11:42:23 PST ---
The pointer arithmetic limitation is too damn easy to sidestep. In fact I did it
accidentally.

The snippet shows the problem in its full glory:


@safe uint* glorious(uint * ptr, size_t offset)
{
   // accepted as @safe, yet this is *(ptr + offset) in disguise
   return &ptr[offset];
}

//correctly can't be @safe
/*@safe*/ @trusted uint* casual(uint * ptr, size_t offset)
{
   return ptr+offset;
}

@safe void main()
{
   uint[] arr = [1, 2, 3, 4];
   assert(*casual(arr.ptr, 3) == 4);
   assert(*glorious(arr.ptr, 3) == 4);
   // both yield the same far-out-of-bounds address; compared only, never dereferenced
   assert(glorious(arr.ptr, 0xdead_beaf) == casual(arr.ptr, 0xdead_beaf));
}

This undermines the whole promise of memory safety in SafeD - if you can index
raw pointers you are no safer than with direct pointer arithmetic.

-- 
Configure issuemail: http://d.puremagic.com/issues/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
[Issue 9195] Can do pointer arithmetic in safeD!


Jonathan M Davis <jmdavisProg@gmx.com> changed:

          What    |Removed                     |Added
----------------------------------------------------------------------------
                CC|                            |jmdavisProg@gmx.com


--- Comment #1 from Jonathan M Davis <jmdavisProg@gmx.com> 2012-12-30 03:58:32 PST ---
I don't see the problem here. The pointer arithmetic is in @trusted code. It's
up to the programmer - not the compiler - to verify the safety of the code in
that case. And all of the unsafe operations are in @trusted code. If you don't
want this to happen, then don't mark a function as @trusted when it doesn't
make sense to. This code is a problem simply because code which had no business
being marked as @trusted was marked as @trusted. What would you expect to work
differently about this?

[Issue 9195] Can do pointer arithmetic in safeD!



--- Comment #2 from Dmitry Olshansky <dmitry.olsh@gmail.com> 2012-12-30 04:20:34 PST ---
(In reply to comment #1)
> I don't see the problem here. The pointer arithmetic is in @trusted code. It's
> up to the programmer - not the compiler - to verify the safety of the code in
> that case. And all of the unsafe operations are in @trusted code. If you don't
> want this to happen, then don't mark a function as @trusted when it doesn't
> make sense to. This code is a problem simply because code which had no business
> being marked as @trusted was marked as @trusted. What would you expect to work
> differently about this?

It's not @trusted. casual is doing pointer arithmetic just fine.

But see the 'glorious' function in this example. It does the same pointer
arithmetic but it's marked @safe and main is @safe! It all compiles and runs;
it's a bug in @safety.

[Issue 9195] Can do pointer arithmetic in safeD!



--- Comment #3 from Jonathan M Davis <jmdavisProg@gmx.com> 2012-12-30 14:35:00 PST ---
> It's not @trusted. casual is doing pointer arithmetic just fine.

But casual is marked as @trusted, so I don't see any problem there at all.

As for glorious, what pointer arithmetic is it doing? I just see it indexing an
array, which would be bounds checked. Though actually, it looks like it's
taking the address of a local variable, which is supposed to be @system. So,
_that_ is a bug, but I don't see any pointer arithmetic here which is marked
with @safe when it should be @system. It's the & which is the problem.

[Issue 9195] Can do pointer arithmetic in safeD!


Simen Kjaeraas <simen.kjaras@gmail.com> changed:

          What    |Removed                     |Added
----------------------------------------------------------------------------
                CC|                            |simen.kjaras@gmail.com


--- Comment #4 from Simen Kjaeraas <simen.kjaras@gmail.com> 2012-12-30 15:34:22 PST ---
> As for glorious, what pointer arithmetic is it doing? I just see it indexing an
> array, which would be bounds checked.

Look again. It's not indexing an array, it's indexing a pointer.

[Issue 9195] Can do pointer arithmetic in safeD!



--- Comment #5 from Jonathan M Davis <jmdavisProg@gmx.com> 2012-12-30 17:26:28 PST ---
> Look again. It's not indexing an array, it's indexing a pointer.

Hmmm. Yes, you're right. It's indexing a pointer. I guess that that's currently
considered @safe, though underneath the hood, it's really no different from
pointer arithmetic. Dereferencing the pointer should be fine, and ptr[0] should
be fine for that same reason, but ptr[x] could be doing who-knows-what and
isn't really any different from *(ptr + x), so that should be considered
@system and isn't.

So, I'd say that the problem is that indexing a pointer is considered @safe
when it shouldn't be, presumably because it's not explicit pointer arithmetic.
The fact that you were talking about pointer arithmetic threw me off, since the
explicit pointer arithmetic _isn't_ @safe, and I guess that Walter got thrown
off in a similar way when he made pointer arithmetic @system.

[Issue 9195] Should not be able to index a pointer in safed


yebblies <yebblies@gmail.com> changed:

          What    |Removed                     |Added
----------------------------------------------------------------------------
          Keywords|                            |pull
        AssignedTo|nobody@puremagic.com        |yebblies@gmail.com


--- Comment #6 from yebblies <yebblies@gmail.com> 2013-01-14 21:59:48 EST ---
https://github.com/D-Programming-Language/dmd/pull/1482

[Issue 9195] Should not be able to index a pointer in safed



--- Comment #7 from github-bugzilla@puremagic.com 2013-01-14 11:49:06 PST ---
Commits pushed to master at https://github.com/D-Programming-Language/dmd

https://github.com/D-Programming-Language/dmd/commit/580eb165d141848658ea71ac6cba54e3023d98a8
Fix Issue 9195 - Should not be able to index a pointer in safed

This prevents indexing a pointer in @safe code unless the index is known at
compile time to be zero.

https://github.com/D-Programming-Language/dmd/commit/e97e886c7a092a279bf72b1ad5e6fb63dc81b82e
Merge pull request #1482 from yebblies/issue9195

Issue 9195 - Should not be able to index a pointer in safed

[Issue 9195] Should not be able to index a pointer in safed


Walter Bright <bugzilla@digitalmars.com> changed:

          What    |Removed                     |Added
----------------------------------------------------------------------------
            Status|NEW                         |RESOLVED
                CC|                            |bugzilla@digitalmars.com
        Resolution|                            |FIXED


[Issue 9195] Should not be able to index a pointer in safed



--- Comment #8 from github-bugzilla@puremagic.com 2013-01-16 11:50:29 PST ---
Commits pushed to master at https://github.com/D-Programming-Language/dmd

https://github.com/D-Programming-Language/dmd/commit/3d5b45196c687b714928954b027ef2944ca0beac
Fix Issue 9195 - Should not be able to index a pointer in safed

Allow pointer arithmetic when using an offset that is known to be zero

https://github.com/D-Programming-Language/dmd/commit/381bddf74ba9ddbd298491c182cc58043958f455
Merge pull request #1492 from yebblies/issue9195

Fix Issue 9195 - Should not be able to index a pointer in safed

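As an added example (not code from the bug report, nor from the dmd pull requests linked above), the following D program shows the rules that comment #5 reasons about and the commits in comments #7 and #8 implement: in @safe code, indexing a pointer is rejected unless the index is known at compile time to be zero, while indexing a slice stays bounds checked. It assumes a dmd that includes the Issue 9195 fix; the function names and the @trusted pointer-to-slice wrapper are my own.

```d
// Added example for Issue 9195; not part of the report or of the dmd fix.
// Assumes a dmd that includes the fix, i.e. ptr[i] with a non-zero i is
// rejected in @safe code. Function names are constructed for this demo.
import core.exception : RangeError;

// Indexing a slice is @safe: the bounds check turns a wild index into a
// RangeError instead of an out-of-bounds read. The check survives -release
// because it is in a @safe function (default -boundscheck=safeonly).
@safe uint sliceRead(uint[] arr, size_t i)
{
    return arr[i];
}

// ptr[0] is still accepted in @safe code after the fix, because the index
// is known at compile time to be zero; it is the same thing as *ptr.
@safe uint derefOnly(uint* ptr)
{
    return ptr[0];
}

// With the fix applied, the original 'glorious' no longer compiles:
//   @safe uint* glorious(uint* ptr, size_t offset) { return &ptr[offset]; }
// ptr[offset] with a runtime offset is exactly *(ptr + offset), and the
// explicit form was already @system.

// The remaining @trusted surface: turn (pointer, length) into a slice once,
// at a boundary the programmer vouches for, and let @safe code do the rest
// under bounds checks. The caller must guarantee that ptr addresses at least
// n elements; pointer slicing itself is @system, hence @trusted here.
@trusted uint[] fromRaw(uint* ptr, size_t n)
{
    return ptr[0 .. n];
}

// Shows that the wild index from the bug report is now caught. Not @safe,
// because @safe code may not catch RangeError (an Error, not an Exception).
bool wildIndexIsCaught(uint[] view)
{
    try
    {
        sliceRead(view, 0xdead_beaf);   // the offset used in the original report
        return false;
    }
    catch (RangeError)
    {
        return true;
    }
}

void main()
{
    uint[] arr = [1, 2, 3, 4];
    assert(sliceRead(arr, 3) == 4);
    assert(derefOnly(arr.ptr) == 1);

    // One @trusted conversion; everything after it is bounds checked.
    uint[] view = fromRaw(arr.ptr, arr.length);
    assert(view[3] == 4);
    assert(wildIndexIsCaught(view));
}
```

Compile with dmd and run; all asserts pass. Uncommenting the 'glorious' definition makes the build fail in @safe code, which is the behaviour the fix introduces: the @trusted boundary is the only place where a raw (pointer, length) pair becomes a slice, and it is the one function a reviewer has to audit.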