Understanding DIP 1000 semantics -- Where's the bug?

Meta jared771 at gmail.com
Mon Sep 23 18:46:40 UTC 2019


On Monday, 23 September 2019 at 18:39:03 UTC, Sebastiaan Koppe 
wrote:
> On Monday, 23 September 2019 at 08:46:18 UTC, Olivier FAURE 
> wrote:
>> Whoops. The following code compiles with -dip1000.
>>
>>     @safe:
>>
>>     int* foo(ref int x)
>>     {
>>         int* a = &x;
>>         return a;
>>     }
>>
>>     void main() {
>>         int* p;
>>         {
>>             int x;
>>             p = foo(x);
>>         }
>>         *p = 1;    // Memory corruption
>>     }
>>
>> That's a bug.
>
> Well, dip1000 doesn't do data-flow analyses. Which means the 
> compiler doesn't see that `x` escapes through `a`.

AFAICT, according to dip1000 this code should not allow the 
result of `foo(x)` to be assigned to p, as it has a longer 
lifetime. Likewise, it should not allow foo to return &x without 
the parameter being annotated with `return`. This looks like a 
bug in the implementation.
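For readers following the thread: the example below is an added illustration, not code from any of the posters, of the `return` annotation Meta refers to and of how the assignment to the longer-lived `p` is expected to be handled once the parameter is annotated. It assumes dmd's `-preview=dip1000` switch (the thread writes `-dip1000`) and that the commented-out lines produce compile errors under it; the names `fooReturnRef` and `fooNoReturn` are made up here.

```d
// Added example (not from the thread). Compile with:
//   dmd -preview=dip1000 -c example.d
// The -preview=dip1000 spelling is assumed; the thread writes -dip1000.
@safe:

// `return ref` declares that the returned pointer may refer to `x`,
// so the result inherits the lifetime of the argument passed in.
int* fooReturnRef(return ref int x)
{
    return &x;
}

// Without `return`, returning the address of a ref parameter directly is
// expected to be rejected under dip1000. The thread's bug is that routing
// the address through a local `a` (int* a = &x; return a;) slipped past
// this check.
// int* fooNoReturn(ref int x) { return &x; }   // assumed: compile error

void main()
{
    int* p;
    {
        int x;
        // With the annotation, fooReturnRef(x) carries x's lifetime, so
        // storing it in the longer-lived `p` is the case Meta says dip1000
        // must reject.
        // p = fooReturnRef(x);                  // assumed: compile error

        // Keeping the pointer inside x's own scope is fine: `q` is inferred
        // scope and cannot outlive `x`.
        int* q = fooReturnRef(x);
        *q = 1;
        assert(x == 1);
    }
    // `p` is never assigned a dangling address, so there is nothing to corrupt.
}
```

The point of the two commented-out lines is that under dip1000 both the escape (returning `&x` from an unannotated `ref` parameter) and the lifetime mismatch (assigning the annotated result to an outer-scope pointer) are meant to be compile-time rejections; the original code in the thread compiling cleanly is the implementation gap being discussed.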

