Currently, the range passes a copy of the unused union member to the saved version. Although this might seem innocuous, it's possible the postblit or copy constructor uses the existing data, which is actually the contents of the other range. Hard to come up with an example due to how most ranges work, but: import std.range; struct KillableRange { @safe: int *item; ref int front() {return *item; } bool empty() { return *item > 10; } void popFront() { ++(*item); } this(this) { assert(item is null || cast(size_t)item > 1000); item = new int(*item); } KillableRange save() { return this; } } void main() @safe { auto kr = KillableRange(new int(1)); int[] x = [1,2,3,4,5]; // length is first auto chosen = choose(true, x, kr); auto chosen2 = chosen.save; } This will assert because x.length overlaps kr.item when save is called. The correct mechanism is to use .init on the non-saved range. Something with RefCounted as implementation would easily be a good use case to show problems here, but it's harder to test without segfaulting.
@schveiguy created dlang/phobos pull request #7347 "Fix issue 20495 (choose copies unused union member, which is unsafe)" fixing this issue: - Fix issue 20495. Fixes safety of save function by passing init value of unused union member to ctor. Also simplify the @safe inference. https://github.com/dlang/phobos/pull/7347
dlang/phobos pull request #7347 "Fix issue 20495 (choose copies unused union member, which is unsafe)" was merged into stable: - 857543416dabea4c5b53867b908a1e103a4580a1 by Steven Schveighoffer: Fix issue 20495. Fixes safety of save function by passing init value of unused union member to ctor. Also simplify the @safe inference. https://github.com/dlang/phobos/pull/7347