https://issues.dlang.org/show_bug.cgi?id=17363

          Issue ID: 17363
           Summary: @safety hole due to $ caching in slice expressions
           Product: D
           Version: D2
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P1
         Component: dmd
          Assignee: nob...@puremagic.com
          Reporter: ki...@gmx.net

When loading and caching $ once for a slice expression before evaluating the
bounds expressions, it isn't updated due to potential side effects on the
slicee when evaluating upper and lower bounds expressions, leading to invalid
bounds checks and memory corruption potential in @safe code:

```
@safe:

int[] globalArray;

int getLowerBound()
{
    globalArray = [ 666 ];
    return 0;
}

void main()
{
    globalArray = new int[256];
    auto r = globalArray[getLowerBound() .. $];
    assert(r[0] == 666);
    assert(r.length == 256); // BUG, should be 1
    r[] = 123; // oops
}
```

GDC and LDC don't cache $ and thus don't suffer from this issue.
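
A check and a workaround for the behaviour reported above, as an added example that is not part of the original report or of the DMD code base. The helper names `sliceDirect` and `sliceHoisted` are hypothetical; `globalArray` and `getLowerBound` are taken from the reproducer. The example never writes through the resulting slice, it only compares lengths.

```d
import std.stdio : writeln;

@safe:

int[] globalArray;

// Same side effect as in the report: replaces the slicee with a 1-element array.
int getLowerBound()
{
    globalArray = [ 666 ];
    return 0;
}

// The form from the report: the bound expression mutates the slicee while
// the slice expression is being evaluated.
int[] sliceDirect()
{
    return globalArray[getLowerBound() .. $];
}

// Workaround: run the side-effecting bound in its own statement, so the
// slicee is already updated before the slice expression (and $) is evaluated.
int[] sliceHoisted()
{
    immutable lower = getLowerBound();
    return globalArray[lower .. $];
}

void main()
{
    globalArray = new int[256];
    auto hoisted = sliceHoisted();
    assert(hoisted.length == 1 && hoisted[0] == 666);

    globalArray = new int[256];
    auto direct = sliceDirect();
    writeln("direct slice length: ", direct.length,
            ", slicee length: ", globalArray.length);

    // A slice must never be longer than the array it was taken from.
    // The report observed length 256 here with DMD.
    if (direct.length > globalArray.length)
        writeln("AFFECTED: $ was read before the bound expression ran");
    else
        writeln("not affected: $ reflects the updated slicee");
}
```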
