Table lookup collision lint and safe table indexing

.gitignore

@@ -23,6 +23,7 @@ _aot_generated/
 modules/dasSFML/libsfml/
 site/
 doc/sphinx-build/
+doc/source/stdlib/detail/
 doc/source/__pycache__/
 doc/source/_build/doctrees/environment.pickle
 doc/source/_build/

daslib/rst_comment.das

@@ -475,6 +475,7 @@ class RstComment : AstCommentReader {
             output = get_das_root() + "/doc/source/stdlib/detail/"
         }
         let fname = "{output}/{name}.rst"
+        mkdir(output)
         fopen(fname,"wb") <| $ ( f ) {
             if (f==null) {
                 panic_rst("can't open {fname}")

doc/source/reference/language/options.rst

@@ -289,8 +289,11 @@ Safety and Strictness
      - Disallows ``unsafe``-ly uninitialized structures.
    * - ``unsafe_table_lookup``
      - bool
-     - true
-     - Makes table lookup (``tab[key]``) an unsafe operation.
+     - false
+     - Makes table lookup (``tab[key]``) an unsafe operation. When ``false`` (default),
+       table lookups are safe but the compiler still detects dangerous patterns where
+       the same table is indexed multiple times in a single expression
+       (``table_lookup_collision`` lint error).
    * - ``relaxed_pointer_const``
      - bool
      - false

doc/source/reference/language/tables.rst

@@ -20,20 +20,43 @@ Tables are associative containers implemented as a set of key/value pairs:
         tab["some"] = 20  // replaces the value for 'some' key
     }
 
-Accessing a table element via the index operator is unsafe, because Daslang containers store unboxed values.
+Daslang containers store unboxed values, so table lookups via the index operator (``tab[key]``) can
+cause undefined behavior when the **same table** is referenced more than once in the **same expression**.
 Consider the following example:
 
 .. code-block:: das
 
-    tab["1"] = tab["2"]               // this potentially breaks the table
+    tab["1"] = tab["2"]               // ERROR: potential table lookup collision
 
-What happens is table may get resized either after tab["1"] or tab["2"] if either key is missing (similar to C++ STL hash_map).
+What happens is the table may get resized after either ``tab["1"]`` or ``tab["2"]`` if the key is missing
+(similar to C++ STL hash_map), invalidating the reference returned by the other lookup.
 
-It is possible to suppress this unsafe error via ``CodeOfPolicies``, or by using the following option:
+The compiler detects this and reports a ``table_lookup_collision`` lint error. The check catches any
+expression where the same table appears in two or more index operations that keep the result as a
+reference (assignments, moves, clones). Value lookups (where the result is immediately copied out)
+are safe and not flagged.
+
+Other dangerous patterns include:
+
+.. code-block:: das
+
+    tab[1] := tab[2]                  // ERROR: clone between two lookups
+    tab[1] <- tab[2]                  // ERROR: move between two lookups
+    foo.tab[1] = foo.tab[2]          // ERROR: same table via field access
+
+A single ``tab[key]`` in an expression is always safe. Multiple lookups of **different** tables in the
+same expression are also safe:
+
+.. code-block:: das
+
+    tab1[1] = tab2[2]                 // OK: different tables
+
+It is possible to make **all** table lookups unsafe (requiring an ``unsafe`` block) via ``CodeOfPolicies``
+or the following option:
 
 .. code-block:: das
 
-    options unsafe_table_lookup = false
+    options unsafe_table_lookup        // makes every tab[key] require unsafe
 
 Safe navigation of the table is safe, since it does not create missing keys:
 

doc/source/reference/language/unsafe.rst

@@ -171,10 +171,16 @@ They are typically controlled via CodeOfPolicies or appropriate option:
 
 .. code-block:: das
 
-    options unsafe_table_lookup = false // makes table indexing safe. refers to CodeOfPolicies::unsafe_table_lookup
+    options unsafe_table_lookup // makes ALL table indexing unsafe. refers to CodeOfPolicies::unsafe_table_lookup
 
     var tab <- { 1=>"one", 2=>"two" }
-    tab[3] = "three"        // this is unsafe, since it can create a pointer to a temporary object
+    unsafe {
+        tab[3] = "three"    // requires unsafe when unsafe_table_lookup is enabled
+    }
+
+By default ``unsafe_table_lookup`` is ``false`` — individual table lookups are safe. However, the compiler
+still detects dangerous patterns where the same table is indexed more than once in a single expression
+(see :ref:`Tables <tables>` for details).
 
 .. seealso::
 

doc/source/stdlib/ast.rst

@@ -493,6 +493,8 @@ properties of the `ExprAt` object.
 
          * **under_clone** (0x10) - The expression is under a clone operation.
 
+         * **under_deref** (0x20) - The expression is under a dereference (ExprRef2Value), safe for table lookup collision detection.
+
 
 
 .. _alias-ExprMakeLocalFlags:

doc/source/stdlib/builtin.rst

@@ -3348,3 +3348,18 @@ Notifies the compiler that ahead-of-time code generation is now in progress.
 
 
 
++++++++++++++
+Uncategorized
++++++++++++++
+
+.. _function-builtin_with_argv_array_ls_anything_gr__block_ls__c_void_gr_:
+
+.. das:function:: with_argv(new_arguments: array<anything>; block: block<():void>)
+
+Sets ``argc``, ``argv`` to first argument, for the ``body`` block. 
+
+:Arguments: * **new_arguments** : array implicit
+
+            * **block** : block<void> implicit
+
+