[Issue 19316] New: GC runtime breaks @safe
d-bugmail at puremagic.com
Fri Oct 19 19:52:47 UTC 2018
https://issues.dlang.org/show_bug.cgi?id=19316
Issue ID: 19316
Summary: GC runtime breaks @safe
Product: D
Version: D2
Hardware: All
OS: All
Status: NEW
Severity: major
Priority: P1
Component: druntime
Assignee: nobody at puremagic.com
Reporter: stanislav.blinov at gmail.com
Per @safe-ty rules, @safe functions shall not call @system functions.
Unfortunately, the GC may run finalizers during collection, even when that
collection is triggered from within a @safe function:
import std.stdio;
class C {
    ~this() // @system!
    {
        printf("Called @system function\n");
    }
}
void safeFunc() @safe {
    auto a = new int[10^^6]; // 'new' may require collection
    // do 'safe' things with 'a'
}
void main() {
    new C; // the object is no longer referenced, will be collected, i.e.
           // assume that this happened elsewhere in the program via last
           // reference going out of scope
    printf("Entering @safe function\n");
    safeFunc(); // if this triggers collection, it effectively calls @system
                // C.__dtor inside @safe safeFunc
    printf("Exited @safe function\n");
}
Output with default GC options:
Entering @safe function
Called @system function
Exited @safe function
Thus, arbitrary non-@safe code may 'escape' into @safe context. This of course
applies to struct destructors as well.
This issue is made worse by the fact that the behavior is non-deterministic:
collection may or may not trigger depending on the GC state, destructor may or
may not be called depending on program state.