[Issue 2544] New: implicit const casting rules allow violations of const-safety

d-bugmail at puremagic.com
Sat Dec 27 20:31:34 PST 2008


http://d.puremagic.com/issues/show_bug.cgi?id=2544

           Summary: implicit const casting rules allow violations of const-safety
           Product: D
           Version: 2.022
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Keywords: spec
          Severity: major
          Priority: P2
         Component: DMD
        AssignedTo: bugzilla at digitalmars.com
        ReportedBy: lat7h at virginia.edu


The const system allows const views of mutable data; however, when used with
enough levels of indirection, accidental mutable access of const data is also
possible.

The smallest example I have found is

----
void main()
{
    const(real)[] constants = [3.14159265358979323844L, 2.71828182845904523536L];
    real[][][] unconsted = [[[]]];        // create mutable data
    const(real)[][][] unsafe = unconsted; // and a partially-constant view of it
    unsafe[0] = [constants];              // place const data in the const view
    unconsted[0][0][0] = 3.14L;           // simplify pi using the mutable view
                                          // (writes through to constants[0])
}
----

This is obviously contrived, but several of these layers of indirection can be
achieved (less succinctly but more commonly) using ref parameters to methods
instead.

I think that it suffices to require most intermediate levels of const-ness to
be illegal; you can either have the original const-ness or a more-const formal
with at most (I think) 2 levels of mutable indirection remaining: 
    const(T[])[][] assigned from T[][][] is OK, 
    const(T)[][][] assigned from T[][][] is not OK.
I have not been able to prove two levels is safe, but I have also not been able
to construct a counterexample.