• d-bugmail puremagic.com (48/48) Jun 09 2022 https://issues.dlang.org/show_bug.cgi?id=23175

d-bugmail puremagic.com writes:

https://issues.dlang.org/show_bug.cgi?id=23175

          Issue ID: 23175
           Summary: -preview=in silently adds possible stack memory escape
           Product: D
           Version: D2
          Hardware: All
                OS: All
            Status: NEW
          Keywords: safe, spec
          Severity: enhancement
          Priority: P1
         Component: dmd
          Assignee: nobody puremagic.com
          Reporter: schveiguy gmail.com

In the current specification, an `in` parameter is defined as equivalent to
`const`, as long as you don't use the `-preview=in` switch.

Consider this existing code, written with the assumption that `in` is `const`:

```d
string foo(in string s)
{
   return s;
}
```

This code is perfectly valid, does not cause memory corruption, and is
functionally equivalent to:

```d
string foo(const string s)
{
   return s;
}
```

However, turn on `-preview=in`, and now the function implies that the `s`
parameter is `scope`.

Turn dip1000/dip25 on, and now, the compiler assumes that `s` is not returned,
and so it can allocate an array literal on the stack:

```d
auto s = foo(['a']); // s now points to temporary stack data that is out of
scope.
```

However, without the preview switches, the compiler allocates the array on the
heap.

This can lead to memory corruption via dangling pointers in  system code, that
wasn't present without the preview switches.

If preview in is going to change the semantics of parameters in a way that
allows the compiler to introduce memory corruption, this usage *must* be warned
about, either in the current compiler, or with an enabled switch (possibly
dip1000), before it is turned on by default.

--