
digitalmars.D.bugs - [Issue 24098] New: Safe variable can be initialized from `@system`

https://issues.dlang.org/show_bug.cgi?id=24098

          Issue ID: 24098
           Summary: Safe variable can be initialized from `@system` static
                    constructor.
           Product: D
           Version: D2
          Hardware: All
                OS: All
            Status: NEW
          Keywords: accepts-invalid, safe, spec
          Severity: normal
          Priority: P3
         Component: dmd
          Assignee: nobody puremagic.com
          Reporter: timon.gehr gmx.ch

DMD 2.105.0:

```d
int* x;
@system static this(){
    x=cast(int*)0xDEADBEEF;
}
void main()@safe{
    import std.stdio;
    writeln(*x);
}
```

From the language specification:
---
When it is only called with safe values and safe aliasing, a function has a safe interface when:

1. it cannot exhibit undefined behavior, and
2. it cannot create unsafe values that are accessible from other parts of the program (e.g., via return values, global variables, or ref parameters), and
3. it cannot introduce unsafe aliasing that is accessible from other parts of the program.

Functions that meet these requirements may be @safe or @trusted. Functions that do not meet these requirements can only be @system.
---

Clearly the main function does not meet requirement 2., yet is annotated `@safe` and compiles.

Fixing this may require some thinking about language design. One option is to require `static this` to be `@trusted` instead of `@system` when it attempts to initialize a non-`@system` variable.
Aug 22 2023
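
Added example, not part of the original report or of dmd: one way a module author can keep a global that is written by a `@system` static constructor out of reach of `@safe` code, assuming a compiler that supports `@system` variables via the `-preview=systemVariables` switch. The names `raw`, `backing` and `readRaw` are hypothetical.

```d
// Build (assumption): dmd -preview=systemVariables example.d
import std.stdio;

// Marking the variable itself @system means @safe code may neither read
// nor write it directly, so whatever the static constructor stores in it
// cannot leak into @safe code as an unchecked pointer.
@system int* raw;

@system static this()
{
    // Constructed sample value: stands in for any pointer whose validity
    // the compiler cannot verify (the report uses a cast from an integer).
    static int backing = 7;
    raw = &backing;
}

// The only door from @safe code to `raw`. It is @trusted, so its author
// takes responsibility for requirement 2 of the safe-interface rules:
// it hands out a copy of the int, never the pointer.
int readRaw() @trusted
{
    return raw is null ? 0 : *raw;
}

void main() @safe
{
    // writeln(*raw);     // rejected: @system variable used in @safe code
    writeln(readRaw());   // the audited path; prints 7
}
```

The manual audit surface is now `static this` plus `readRaw`, instead of every `@safe` function that could otherwise dereference the global.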