[Issue 18016] New: using uninitialized value is considered @safe but has undefined behavior

d-bugmail at puremagic.com d-bugmail at puremagic.com
Mon Nov 27 12:18:02 UTC 2017 

https://issues.dlang.org/show_bug.cgi?id=18016

          Issue ID: 18016
           Summary: using uninitialized value is considered @safe but has
                    undefined behavior
           Product: D
           Version: D2
          Hardware: All
                OS: All
            Status: NEW
          Keywords: safe, spec
          Severity: normal
          Priority: P1
         Component: dmd
          Assignee: nobody at puremagic.com
          Reporter: ag0aep6g at gmail.com

Spin-off from issue 15542. Difference is that this issue is about `@safe` where
15542 was about `pure`. 

Code:

----
int f() @safe
{
    int x = void;
    return x;
}
----

This code is currently accepted by dmd, but per the spec it would have to be
rejected.

On `@safe` the spec says: "Safe functions are functions that are statically
checked to exhibit no possibility of undefined behavior." [1]

On void initialization it says: "If the Initializer is void, however, the
variable is not initialized. If its value is used before it is set, undefined
program behavior will result." [2]

So `return x;` has undefined behavior, but `@safe` is supposed to prevent
undefined behavior. `@safe` should make the code not compile.

I see a couple different ways to approach to this:

1) Disallow void initialization in `@safe` code. This would also fix issue
17561 and issue 17566. It would also break existing code that uses void
initialization correctly.

2) Give some defined behavior to void initialized values (without
indirections). For example, say that the value of `x` is unpredictable, but
that the program at large is unaffected (no undefined behavior). With this
approach, issue 15542 would become actual. That is, `pure` would need special
consideration.

3) Water down `@safe` so that it doesn't protect against all undefined
behavior, but only against those instances that break memory safety in
practice. This would seem dangerously unprincipled to me.




[1] https://dlang.org/spec/function.html#function-safety
[2] https://dlang.org/spec/declaration.html#void_init

--

More information about the Digitalmars-d-bugs mailing list