Issue 13537: forbid modifying overlapping mutable/immutable fields in @safe code

[quickfur]

This implementation is a compromise; it only prevents immutable breakage in @safe code, but still allows this in @system code, because forbidding it in @system code would break existing code such as std.typecons.Rebindable that use a union to reinterpret type modifiers.

[dlang-bot]

Fix	Bugzilla	Description
✗	13537	Unions may break immutability

[JakobOvrum]

Does this help with memory safety?

[quickfur]

Not directly, no. But potentially it might prevent an illegal attempt to modify read-only memory.

[MetaLang]

Does this also work with nested anonymous unions?

[quickfur]

It seems to work:

struct S
{
    union
    {   
        struct
        {   
            int x;
            immutable int y;
        }
        struct
        {   
            int z;
            int w;
        }
    }
}
void hun() @safe
{
    S s;
    s.w = 1;
}

Compiler output:

test/fail_compilation/fail13537.d(49): Error: field s.w cannot be modified in @safe code because it overlaps mutable and immutable

Changing the last line to s.z = 1; makes the compile error go away.

Did you have a specific test case in mind?

[MetaLang]

No, I just tried to fix this problem before and I couldn't figure out how to make it work for anonymous unions.

[quickfur]

ping @WalterBright @yebblies
Does this PR make sense, or the approach is wrong and we should just close this?

[yebblies]

Is overlapping const and immutable allowed?

[quickfur]

Yes.

[yebblies]

It looks to me like it isn't with this patch... Could I get a test case added for it?

[quickfur]

Added a test case... though I'm not sure how exactly to test this, since const/immutable by definition means you can't modify anything, so it's not as if you could test that assigning to the const field is allowed.

[WalterBright]

This should be extended so that using unions to bypass qualifiers shared, const, immutable, and inout should not be allowed in safe code.

[quickfur]

Then what should we do about std.typecons.Rebindable? Make it @trusted?

[WalterBright]

Since it cannot be mechanically verified as safe, then yes, it has to be trusted (if it is actually safe).

[WalterBright]

Are you planning on moving forward with this or should I take it over?

[quickfur]

I'm short on time to work on this right now, please take this over so that it doesn't get delayed any longer. Thanks!

[WalterBright]

Rebooted as #5940