digitalmars.D.bugs - [Issue 17363] New: safety hole due to $ caching in slice expressions

https://issues.dlang.org/show_bug.cgi?id=17363

          Issue ID: 17363
           Summary:  safety hole due to $ caching in slice expressions
           Product: D
           Version: D2
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P1
         Component: dmd
          Assignee: nobody puremagic.com
          Reporter: kinke gmx.net

When loading and caching $ once for a slice expression before evaluating the
bounds expressions, it isn't updated due to potential side effects on the
slicee when evaluating upper and lower bounds expressions, leading to invalid
bounds checks and memory corruption potential in @safe code:

```
@safe:

int[] globalArray;

int getLowerBound()
{
    globalArray = [ 666 ];
    return 0;
}

void main()
{
    globalArray = new int[256];
    auto r = globalArray[getLowerBound() .. $];
    assert(r[0] == 666);
    assert(r.length == 256); // BUG, should be 1
    r[] = 123; // oops
}
```

GDC and LDC don't cache $ and thus don't suffer from this issue.

--
May 01 2017
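
A source-level way to sidestep the stale `$` when building with an affected compiler, added here as an example and not part of the original report: evaluate the side-effecting bound in its own statement, so the slice expression contains no call that can replace the slicee between the read of `$` and the bounds check. The local name `lower` is an assumption of this example; everything else is taken from the report's reproducer.

```d
@safe:

int[] globalArray;

// Same side-effecting bound as in the report: it replaces the slicee.
int getLowerBound()
{
    globalArray = [ 666 ];
    return 0;
}

void main()
{
    globalArray = new int[256];

    // Hoist the bound out of the slice expression. All side effects on
    // globalArray have completed before the slice expression begins.
    immutable lower = getLowerBound();

    // $ and the array pointer are now read from the same array state,
    // whether or not the compiler caches $ for the expression.
    auto r = globalArray[lower .. $];

    assert(r[0] == 666);
    assert(r.length == 1); // length matches the one-element array
    r[] = 123;             // writes stay inside the one-element array
    assert(globalArray == [ 123 ]);
}
```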