← Back to index | Original Bugzilla link

Bug 24750 – escaping sliced stack arrays not detected

Status
NEW
Severity
normal
Priority
P1
Component
dmd
Product
D
Version
D2
Platform
All
OS
All
Creation time
2024-09-07T21:43:13Z
Last change time
2024-12-13T19:37:15Z
Keywords
safe
Assigned to
No Owner
Creator
Walter Bright
Moved to GitHub: dmd#20508 →

Comments

Comment #0 by bugzilla — 2024-09-07T21:43:13Z
Jonathan Davis reports: int[] foo() { int[3] arr = [1,2,3]; return arr[]; // returning `arr[]` escapes a reference to local variable `arr` } whereas: int[] foo() { int[3] arr = [1,2,3]; int[] slice = arr[]; return slice; } compiles without complaint.
Comment #1 by bugzilla — 2024-09-07T21:47:21Z
The error is detected if -dip1000 is used and the function is marked @safe.
Comment #2 by issues.dlang — 2024-09-07T22:54:55Z
Well, I wouldn't expect an error in those examples, because foo isn't marked as @safe (though if the compiler is able to see that it's definitively a bug, I see no problem with it giving an error even with @system code). More generally, what should be happening though is that slicing a static array should give the same kind of error that taking the address of a local variable does (and in the same circumstances). So, --- void foo() @safe { int[3] arr; auto slice = arr[]; } --- should give an error similar to --- void foo() @safe { int i; auto ptr = &i; } --- which gives --- test.d(8): Error: cannot take address of local `i` in `@safe` function `foo` --- If the compiler is able to detect that the usage is actually memory-safe (like it can with DIP 1000), then it makes sense for it to not give an error, but in any case where it isn't smart enough to know for sure, it should give an error in @safe code (since otherwise, it can't actually guarantee that the code is memory-safe), and the situations where it's going to be able to do that should be identical between taking the address of a local variable and slicing a static array, because it's ultimately the same operation, just with a different type. And at this point, without DIP 1000, I would expect an error in any case where you take the address of a local variable in @safe code (since without DIP 1000, the compiler can't currently detect that no escaping occurs), so IMHO, we should be doing the same with any code that slices a static array (be it explicitly or implicitly), and until we do, it's a hole in @safe - though of course, any such change would require a deprecation period if we don't want to immediately break existing code.
Comment #3 by nick — 2024-09-08T10:28:08Z
> compiles without complaint. > The error is detected if -dip1000 is used and the function is marked @safe. With dmd v2.109.0 (and recent git master) I get: os/retslice.d(7): Error: scope variable `slice` may not be returned
Comment #4 by issues.dlang — 2024-09-09T22:41:14Z
A similar issue: https://issues.dlang.org/show_bug.cgi?id=24757
Comment #5 by robert.schadek — 2024-12-13T19:37:15Z
THIS ISSUE HAS BEEN MOVED TO GITHUB https://github.com/dlang/dmd/issues/20508 DO NOT COMMENT HERE ANYMORE, NOBODY WILL SEE IT, THIS ISSUE HAS BEEN MOVED TO GITHUB