dip1000 + pure is a DEADLY COMBO

Wed May 12 13:14:30 UTC 2021

Sorry for the attention-grabbing title, but I think it's 
warranted, because the gist of it is this:

**With `-preview=dip1000` enabled, the compiler will happily 
compile valid, `@safe` D code into memory corrupting machine 
code.**

The root cause is:
[Issue 20150 - -dip1000 defeated by 
pure](https://issues.dlang.org/show_bug.cgi?id=20150)

The compiler ignores "reference to local variable `x` assigned to 
non-scope parameter `y`" errors when the function is annotated or 
inferred `pure`. The idea is, presumably, that `pure` functions 
can't escape references because they have no interaction with 
global variables. This is false of course, since they can still 
return them or assign them to other parameters.

The deadly part it that using this flawed logic, the compiler 
sometimes turns GC allocations into stack allocations too 
eagerly. Here I got memory corruption because the compiler 
allocated an array literal on the stack instead of the heap:

[Issue 21291 - Array literal that escapes scope is allocated on 
stack](https://issues.dlang.org/show_bug.cgi?id=21291)

Later I encountered another instance of it where a closure was 
not heap-allocated, which looked something like this:

```D
import core.thread;
@safe:
void main() {
     S s;
     s.memberFunc();
}

struct S {
     int a;
     auto memberFunc() {
         auto t = new Thread({
             auto pa = &a; // pointer to stack frame of main!
         });
     }
}
```

I'm not the only one who encountered memory corruption bugs this 
way, user Dechcaudron commented on my issue: "This has also 
happened to me, no idea it could be due to -dip1000".

And most recently:
[Issue 21912 - Invalid stack closure when calling delegate inside 
lambda](https://issues.dlang.org/show_bug.cgi?id=21912)

### Why is this not fixed?

Walter made a PR for fixing the behavior in dmd: (March 2020)
https://github.com/dlang/dmd/pull/10924

Later, aG0aep6G made a better fix: (November 2020)
https://github.com/dlang/dmd/pull/12010

But they're both blocked by the fact that Phobos relies on the 
bug to compile with -dip1000. This makes sense, because the 
conversion process was mostly "add `scope` and `return` 
annotations until the compile errors go away". `pure` functions 
did not give error messages, so they did not get those 
annotations.

Regarding this extra work, [aG0aep6G 
commented:](https://github.com/dlang/dmd/pull/12010#issuecomment-759070687) (January 2021)

> I had started on it, but it's tedious work tracking down the 
> errors through templates and overloads. If I remember 
> correctly, dup gave me some trouble, too.
>
> So I've put it on ice for the time being. If someone else wants 
> to give it a shot, that would be great.

And that's where we are now.

### Future of dip1000

Matthias asked "Is there a plan to enable DIP1000 by default?" 
during [DConf Online 2020 Day One Q \& A Livestream, at 
4:50:11](https://youtu.be/o-2_mxaCL9w?t=17411).
Walter mentioned "we can do it now" and Atila mentioned how the 
first step would be to change -dip1000 errors into equivalent 
deprecation warnings.

Clearly, issue 20150 is a blocker for dip1000 by default.

In the meantime, since I absolutely don't want another 
unfortunate soul debugging memory corruption bugs that dip1000 
introduces, this post is meant to raise awareness, and discuss 
intermediate solutions.

Maybe the compiler can defensively heap-allocate for now, though 
that would break `@nogc` code. Or maybe we can add another 
switch, `-preview=dip1000proper`, since the fix is a breaking 
change. What do you think?