toStringz and toUTFz potentially unsafe

Johann MacDonagh johann.macdonagh.no at spam.gmail.com
Sun Jul 24 17:41:47 PDT 2011 

Both toStringz and toUTFz do something potentially unsafe. Both check 
whether the character after the end of the string is NULL. If so, then 
it simply returns a pointer to the original string. This is a good 
optimization in theory because this code:

string s = "abc";

will be a slice to a read-only section of the executable. The compiler 
will insert a NULL after the string in the read-only section. So this:

auto x = toStringz("abc");

is efficient. No relocations.

As @AndrejMitrovic commented in Phobos pull request 123 
https://github.com/D-Programming-Language/phobos/pull/123, this has 
potential issues:

import std.string;
import std.stdio;

struct A
{
     immutable char[2] foo;
     char[2] bar;
}

void main()
{
     auto a = A("aa", "\0b");
     auto charptr = toStringz(a.foo[]);

     a.bar = "bo";
     printf(charptr);   // two chars, then garbage
}

Another issue not mentioned is with slices. If I do...

string s = "abc";
string y = s[];
string z = y[];

z ~= '\0';

auto c = toStringz(y);

assert(c.ptr == y.ptr);

... what happens if I change that last character of z before I pass c to 
the C routine? Bad news. I think this optimization is great, but doesn't 
it go against D's motto of doing "the right thing by default"?

The question is, how can we keep this optimization so that:

toStringz("abc");

remains efficient?

The capacity field is 0 if the string is in a read-only section *or* if 
the string is on the stack:

auto x = "abc";
assert(x.capacity == 0);
char[3] y = "abc";
assert(x.capacity == 0);

So, this isn't safe either. This code:

     char[3] x = "abc";
     char y = '\0';

will put y right after x, so changing y after calling toStringz will 
cause issues.

In reality, the only time it's safe to do the "peek after end" is if the 
string is in the read-only section. Otherwise, there are potential 
issues (even if they are edge cases).

Do we care about this? Is there something we can add to druntime arrays 
that will tell whether or not the data backing a slice is in read-only 
memory (or perhaps an enum: read-only, stack, heap, other)? In reality, 
the only time this changes is when a read-only / stack heap is appended 
to, so performance issues are minimal.

Comments? Ideas?

More information about the Digitalmars-d mailing list