[Issue 17363] New: @safety hole due to $ caching in slice expressions
via Digitalmars-d-bugs
digitalmars-d-bugs at puremagic.com
Mon May 1 11:36:41 PDT 2017
https://issues.dlang.org/show_bug.cgi?id=17363
Issue ID: 17363
Summary: @safety hole due to $ caching in slice expressions
Product: D
Version: D2
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P1
Component: dmd
Assignee: nobody at puremagic.com
Reporter: kinke at gmx.net
When loading and caching $ once for a slice expression before evaluating the
bounds expressions, it isn't updated due to potential side effects on the
slicee when evaluating upper and lower bounds expressions, leading to invalid
bounds checks and memory corruption potential in @safe code:
```
@safe:

int[] globalArray;

int getLowerBound()
{
    globalArray = [ 666 ];
    return 0;
}

void main()
{
    globalArray = new int[256];
    auto r = globalArray[getLowerBound() .. $];
    assert(r[0] == 666);
    assert(r.length == 256); // BUG, should be 1
    r[] = 123; // oops
}
```
GDC and LDC don't cache $ and thus don't suffer from this issue.
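A regression check for the behaviour described in the report, together with a source-level workaround. This is an added example, not code from the original report or from the D project; the function names `shrinkAndReturn`, `sliceFromHoisted` and `sliceFromInline` are hypothetical.

```d
@safe:

int[] globalArray;

// Reassigns the slicee as a side effect, like getLowerBound() in the report.
int shrinkAndReturn(int bound)
{
    globalArray = [ 666 ];
    return bound;
}

// Workaround: evaluate the bound into a local before the slice expression,
// so no side effect on the slicee can happen between reading `$` and slicing.
int[] sliceFromHoisted()
{
    globalArray = new int[256];
    immutable lower = shrinkAndReturn(0);
    return globalArray[lower .. $];
}

// The pattern from the report: the bound expression with the side effect
// is evaluated inside the slice expression itself.
int[] sliceFromInline()
{
    globalArray = new int[256];
    return globalArray[shrinkAndReturn(0) .. $];
}

void main()
{
    // Holds regardless of whether the compiler caches `$`.
    auto hoisted = sliceFromHoisted();
    assert(hoisted.length == 1 && hoisted[0] == 666);

    // Fails on a compiler that loads `$` before evaluating the bounds:
    // the slice then claims 256 elements over a 1-element array.
    auto inlined = sliceFromInline();
    assert(inlined.length == 1, "stale $ used as slice upper bound");
}
```

Build it with asserts enabled (no `-release`), otherwise the second check is compiled out and the stale length goes unnoticed.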