June 09, 2022 [Issue 23175] New: -preview=in silently adds possible stack memory escape | ||||
---|---|---|---|---|
| ||||
https://issues.dlang.org/show_bug.cgi?id=23175 Issue ID: 23175 Summary: -preview=in silently adds possible stack memory escape Product: D Version: D2 Hardware: All OS: All Status: NEW Keywords: safe, spec Severity: enhancement Priority: P1 Component: dmd Assignee: nobody@puremagic.com Reporter: schveiguy@gmail.com In the current specification, an `in` parameter is defined as equivalent to `const`, as long as you don't use the `-preview=in` switch. Consider this existing code, written with the assumption that `in` is `const`: ```d string foo(in string s) { return s; } ``` This code is perfectly valid, does not cause memory corruption, and is functionally equivalent to: ```d string foo(const string s) { return s; } ``` However, turn on `-preview=in`, and now the function implies that the `s` parameter is `scope`. Turn dip1000/dip25 on, and now, the compiler assumes that `s` is not returned, and so it can allocate an array literal on the stack: ```d auto s = foo(['a']); // s now points to temporary stack data that is out of scope. ``` However, without the preview switches, the compiler allocates the array on the heap. This can lead to memory corruption via dangling pointers in @system code, that wasn't present without the preview switches. If preview in is going to change the semantics of parameters in a way that allows the compiler to introduce memory corruption, this usage *must* be warned about, either in the current compiler, or with an enabled switch (possibly dip1000), before it is turned on by default. -- |
Copyright © 1999-2021 by the D Language Foundation