[Issue 23175] New: -preview=in silently adds possible stack memory escape

d-bugmail at puremagic.com d-bugmail at puremagic.com
Thu Jun 9 13:15:39 UTC 2022


https://issues.dlang.org/show_bug.cgi?id=23175

          Issue ID: 23175
           Summary: -preview=in silently adds possible stack memory escape
           Product: D
           Version: D2
          Hardware: All
                OS: All
            Status: NEW
          Keywords: safe, spec
          Severity: enhancement
          Priority: P1
         Component: dmd
          Assignee: nobody at puremagic.com
          Reporter: schveiguy at gmail.com

In the current specification, an `in` parameter is defined as equivalent to
`const`, as long as you don't use the `-preview=in` switch.

Consider this existing code, written with the assumption that `in` is `const`:

```d
string foo(in string s)
{
   return s;
}
```

This code is perfectly valid, does not cause memory corruption, and is
functionally equivalent to:

```d
string foo(const string s)
{
   return s;
}
```

However, turn on `-preview=in`, and now the function implies that the `s`
parameter is `scope`.

Turn dip1000/dip25 on, and now the compiler assumes that `s` is not returned,
and so it can allocate an array literal on the stack:

```d
auto s = foo(['a']); // s now points to temporary stack data that is out of scope.
```

However, without the preview switches, the compiler allocates the array on the
heap.

This can lead to memory corruption via dangling pointers in @system code that
wasn't present without the preview switches.

If `-preview=in` is going to change the semantics of parameters in a way that
allows the compiler to introduce memory corruption, this usage *must* be warned
about, either in the current compiler, or with an enabled switch (possibly
dip1000), before it is turned on by default.
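The following is an added example, not part of the bug report, that puts the escaping function next to two defensive rewrites a maintainer can apply today. The function names `escapes`, `keepsHeap` and `aliasesArgument` are chosen for illustration; the flags are the ones the report names (`-preview=in`, `-preview=dip1000`).

```d
// Added example (not from the bug report). Compile and compare:
//   dmd example.d                                  (in == const, heap literal)
//   dmd -preview=in -preview=dip1000 example.d     (in == const scope)
import std.stdio;

// The pattern from the report: under -preview=in the parameter is `const scope`,
// and under -preview=dip1000 the compiler may place the caller's array literal
// on the stack because it assumes `s` is never returned. The returned slice
// then dangles once the caller's full expression ends.
string escapes(in string s) @system
{
    return s;
}

// Defensive rewrite 1: spell out `const` instead of `in`. No `scope` is
// implied by any preview switch, so the literal stays on the GC heap.
string keepsHeap(const string s) @safe
{
    return s;
}

// Defensive rewrite 2: state the aliasing explicitly with `return scope`.
// The compiler then knows the result may alias the argument and can no longer
// treat the argument as non-escaping; under -preview=dip1000 a @safe caller
// that would keep the result past the argument's lifetime is rejected
// rather than silently given a dangling slice.
string aliasesArgument(const return scope string s) @safe
{
    return s;
}

void main()
{
    // With the preview switches, `dangling` is the case the report describes.
    string dangling = escapes(['a']);          // constructed input
    string heapBacked = keepsHeap(['b']);      // stays valid
    string explicit = aliasesArgument(['c']);  // aliasing is visible to the checker

    writeln(heapBacked, explicit);
    // `dangling` is intentionally not used: reading it after the call is the
    // undefined behaviour being reported.
    cast(void) dangling;
}
```

Building `keepsHeap` and `aliasesArgument` as `@safe` is the practical check: with `-preview=dip1000` the scope checker runs on them, so any later edit that turns a parameter into an escaping `scope` value fails at compile time instead of corrupting memory at run time.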

--