• d-bugmail puremagic.com (49/49) Oct 30 2023 https://issues.dlang.org/show_bug.cgi?id=24212

d-bugmail puremagic.com writes:

https://issues.dlang.org/show_bug.cgi?id=24212

          Issue ID: 24212
           Summary: [DIP1000] Scope pointer can escape via non-scope
                    parameter of pure virtual function
           Product: D
           Version: D2
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P1
         Component: dmd
          Assignee: nobody puremagic.com
          Reporter: snarwin+bugzilla gmail.com

As of DMD 2.105.2, the following invalid program compiles and runs without
errors:

---
interface I
{
     safe pure nothrow
    void fun(int* p);
}

int* global;

void main()  safe
{
    int* escaped;

    class Escaper : I
    {
         safe pure nothrow
        override void fun(int* p)
        {
            escaped = p;
        }
    }

    int n;
    I i = new Escaper;
    i.fun(&n);
}
---

This program is invalid because, in  safe code, it assigns the address of the
variable `n` to the variable `escaped`, which has a longer lifetime than `n`.

The expression `I.fun(&n)` should cause a compile-time error, because it
assigns the scope pointer value `&n` to the non-scope parameter `p`.

The compiler allows this because, due to the rules laid out in "Inferred scope
parameters in pure functions" [1], it believes that the parameter of `I.fun`
cannot escape. However, these rules do not account for the possibility that a
nested derived class may escape a non-scope parameter via its nested context.

[1]: https://dlang.org/spec/function.html#pure-scope-inference

--