This repository was archived by the owner on Oct 12, 2022. It is now read-only.
/ druntime Public archive


@belka-ew belka-ew commented Jul 30, 2018

In rt.arrayassign._d_arraysetassign, alloca is called if the buffer that should be allocated is larger than 16 bytes:

void[16] buf = void;
void[] tmp;
if (element_size > buf.sizeof)
{
    tmp = alloca(element_size)[0 .. element_size];
}
else
    tmp = buf[];

It is dangerous since alloca being unable to allocate causes undefined behaviour, as the alloca man page states:

The alloca() function returns a pointer to the beginning of the allocated space. If the allocation causes stack overflow, program behavior is undefined.

See related discussion:
D-Programming-GDC/gdc#699

@dlang-bot

Thanks for your pull request and interest in making D better, @belka-ew! We are looking forward to reviewing it, and you should be hearing from a maintainer soon.
Please verify that your PR follows this checklist:

  • My PR is fully covered with tests (you can see the annotated coverage diff directly on GitHub with CodeCov's browser extension)
  • My PR is as minimal as possible (smaller, focused PRs are easier to review than big ones)
  • I have provided a detailed rationale explaining my changes
  • New or modified functions have Ddoc comments (with Params: and Returns:)

Please see CONTRIBUTING.md for more information.


If you have addressed all reviews or aren't sure how to proceed, don't hesitate to ping us with a simple comment.

Bugzilla references

Auto-close Bugzilla Severity Description
19128 enhancement argument to alloca may be too large

Testing this PR locally

If you don't have a local development environment setup, you can use Digger to test this PR:

dub fetch digger
dub run digger -- build "master + druntime#2258"

@dlang-bot dlang-bot added the Enhancement New functionality label Jul 30, 2018
void* ptmp;
if (elementSize <= buf.sizeof)
{
ptmp = buf.ptr;


I would argue here that if we are going to fall back to malloc, then having a pre-allocated buffer is pointless.

This should be:

if (elementSize <= maxAllocaSize)
  ptmp = alloca(elementSize);
else
  ptmp = malloc(elementSize);


Or at the very least, this should just be a simple s/alloca/malloc/ swap.

void* ptmp = (elementSize > buf.sizeof) ? malloc(elementSize) : buf.ptr;

// Later...
if (ptmp != buf.ptr)
  free(ptmp);
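
The small-buffer-plus-malloc pattern from the review comment above, written out in C as an added example (not code from this PR or from druntime). The name `array_set_assign`, the `destroy_fn` callback and the sample arrays in `main` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { INLINE_BUF = 16 };  /* same size as `buf` in the snippet above */

/* Hypothetical stand-in for the element destructor. */
typedef void (*destroy_fn)(void *old_element, size_t element_size);

/* Sets `count` elements at `dst` to `*value`, passing each previous element
 * to `destroy`. Returns 0 on success, -1 on failure with `dst` untouched. */
int array_set_assign(void *dst, const void *value, size_t element_size,
                     size_t count, destroy_fn destroy)
{
    unsigned char buf[INLINE_BUF];
    unsigned char *tmp = buf, *p = dst;

    /* Reject lengths whose total byte count would wrap around. */
    if (element_size != 0 && count > SIZE_MAX / element_size)
        return -1;
    /* Large elements go to the heap: unlike alloca, malloc reports failure. */
    if (element_size > sizeof buf && (tmp = malloc(element_size)) == NULL)
        return -1;

    for (size_t i = 0; i < count; i++, p += element_size) {
        memcpy(tmp, p, element_size);    /* keep the old element */
        memcpy(p, value, element_size);  /* install the new value */
        if (destroy)
            destroy(tmp, element_size);  /* dispose of the old one */
    }
    if (tmp != buf)
        free(tmp);
    return 0;
}

static void show(void *old, size_t n) { printf("old[0]=%d (%zu bytes)\n", *(unsigned char *)old, n); }

int main(void)
{
    unsigned char small[2][8] = {{1}, {2}}, big[2][64] = {{3}, {4}};  /* constructed */
    unsigned char v8[8] = {9}, v64[64] = {9};
    array_set_assign(small, v8, sizeof v8, 2, show);  /* uses the inline buffer */
    array_set_assign(big, v64, sizeof v64, 2, show);  /* uses malloc */
    printf("huge: %d\n", array_set_assign(big, v64, SIZE_MAX, 2, show));  /* refused */
    return 0;
}
```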


JinShil commented Jul 31, 2018

This is an excellent candidate for migration to a template. @belka-ew, how confident are you in modifying DMD to lower assignment expressions to something like void __ArrayAssign(TFrom, TTo)(const TFrom[] from, TTo[] to)? All this size checking could be done at compile-time.


belka-ew commented Aug 1, 2018

> how confident are you in modifying DMD to lower assignment expressions to something like void __ArrayAssign(TFrom, TTo)(const TFrom[] from, TTo[] to)?

At least I could try. This PR has to wait then.

{
ptmp = buf.ptr;
}
else if (elementSize < 1024)

How was 1024 chosen?


Pretty random. Should be enough for a lot of data types, and not too much.


JinShil commented Aug 13, 2018

I recently noticed that DMD's __alloca implementation has a stack overflow check. Can that be utilized in this implementation, and is it consistent with other compiler implementations?


ibuclaw commented Aug 13, 2018

From memory, no. You can still get a pointer returned from alloca that will crash if you try to dereference.

Try setting the stack size to a low value and call alloca with a number slightly higher than that.


ibuclaw commented Dec 16, 2018

Moving PR to #2409

@ibuclaw ibuclaw closed this Dec 16, 2018