[Issue 22802] New: [dip1000] First ref parameter seen as `return` destination even with `this`
d-bugmail at puremagic.com
Mon Feb 21 16:20:33 UTC 2022
https://issues.dlang.org/show_bug.cgi?id=22802
Issue ID: 22802
Summary: [dip1000] First ref parameter seen as `return` destination even with `this`
Product: D
Version: D2
Hardware: All
OS: All
Status: NEW
Keywords: safe
Severity: normal
Priority: P1
Component: dmd
Assignee: nobody at puremagic.com
Reporter: dkorpel at live.nl
In escape.d, the `bool isFirstRef()` function incorrectly accepts the first ref
parameter as a `return scope` destination, even when there is a `this`
parameter that should be the only return destination. This allows you to escape
a stack pointer:
```
@safe:
struct S
{
    int* ptr;
    void assign(ref int* refPtr, return scope int* z) scope
    {
        this.ptr = z; // allowed, first ref
        refPtr = z; // should not be allowed
    }
}
int* escape()
{
    int local;
    S escapeThis;
    int* escapeRef;
    escapeThis.assign(escapeRef, &local);
    return escapeRef; // Accepts invalid
    return escapeThis.ptr; // Error, correct
}
```