user0/rust
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Auto merge of #52782 - pnkfelix:issue-45696-dangly-paths-for-box, r=eddyb

Browse source 
[NLL] Dangly paths for box

Special-case `Box` in `rustc_mir::borrow_check`.

Since we know dropping a box will not access any `&mut` or `&` references, it is safe to model its destructor as only touching the contents *owned* by the box.

----

There are three main things going on here:

1. The first main thing, this PR is fixing a bug in NLL where `rustc` previously would issue a diagnostic error in a case like this:
```rust
fn foo(x: Box<&mut i32>) -> &mut i32 { &mut **x }
```

such code was accepted by the AST-borrowck in the past, but NLL was rejecting it with the following message ([playground](https://play.rust-lang.org/?gist=13c5560f73bfb16d6dab3ceaad44c0f8&version=nightly&mode=release&edition=2015))
```
error[E0597]: `**x` does not live long enough
 --> src/main.rs:3:40
  |
3 | fn foo(x: Box<&mut i32>) -> &mut i32 { &mut **x }
  |                                        ^^^^^^^^ - `**x` dropped here while still borrowed
  |                                        |
  |                                        borrowed value does not live long enough
  |
note: borrowed value must be valid for the anonymous lifetime #1 defined on the function body at 3:1...
 --> src/main.rs:3:1
  |
3 | fn foo(x: Box<&mut i32>) -> &mut i32 { &mut **x }
  | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

error: aborting due to previous error
```

2. The second main thing: The reason such code was previously rejected was because NLL (MIR-borrowck) incorporates a fix for issue #31567, where it models a destructor's execution as potentially accessing any borrows held by the thing being destructed. The tests with `Scribble` model this, showing that the compiler now catches such unsoundness.

However, that fix for issue #31567 is too strong, in that NLL (MIR-borrowck) includes `Box` as one of the types with a destructor that potentially accesses any borrows held by the box. This thus was the cause of the main remaining discrepancy between AST-borrowck and MIR-borrowck, as documented in issue #45696, specifically in [the last example of this comment](https://github.com/rust-lang/rust/issues/45696#issuecomment-345367873), which I have adapted into the `fn foo` shown above.

We did close issue #45696 back in December of 2017, but AFAICT that example was not fixed by PR #46268. (And we did not include a test, etc etc.)

This PR fixes that case, by trying to model the so-called `DerefPure` semantics of `Box<T>` when we traverse the type of the input to `visit_terminator_drop`.

3. The third main thing is that during a review of the first draft of this PR, @matthewjasper pointed out that the new traversal of `Box<T>` could cause the compiler to infinite loop. I have adjusted the PR to avoid this (by tracking what types we have previously seen), and added a much needed test of this somewhat odd scenario. (Its an odd scenario because the particular case only arises for things like `struct A(Box<A>);`, something which cannot be constructed in practice.)

Fix #45696.
This commit is contained in:
bors 2018-08-02 19:42:19 +00:00
commit 40cb4478a3
9 changed files with 586 additions and 9 deletions
Download patch file Download diff file Expand all files Collapse all files

2
src/test/ui/generator/dropck.nll.stderr
View file

@ -9,8 +9,6 @@ LL | }
| |
| `*cell` dropped here while still borrowed
| borrow later used here, when `gen` is dropped
|
= note: values in a scope are dropped in the opposite order they are defined
error[E0597]: `ref_` does not live long enough
--> $DIR/dropck.rs:22:11

133
src/test/ui/issue-45696-long-live-borrows-in-boxes.rs Normal file
View file

@ -0,0 +1,133 @@
// Copyright 2018 The Rust Project Developers. See the COPYRIGHT
// file at the top-level directory of this distribution and at
// http://rust-lang.org/COPYRIGHT.
//
// Licensed under the Apache License, Version 2.0 <LICENSE-APACHE or
// http://www.apache.org/licenses/LICENSE-2.0> or the MIT license
// <LICENSE-MIT or http://opensource.org/licenses/MIT>, at your
// option. This file may not be copied, modified, or distributed
// except according to those terms.
// rust-lang/rust#45696: This test is checking that we can return
// mutable borrows owned by boxes even when the boxes are dropped.
//
// We will explicitly test AST-borrowck, NLL, and migration modes;
// thus we will also skip the automated compare-mode=nll.
// revisions: ast nll migrate
// ignore-compare-mode-nll
#![cfg_attr(nll, feature(nll))]
//[migrate]compile-flags: -Z borrowck=migrate -Z two-phase-borrows
// run-pass
// This function shows quite directly what is going on: We have a
// reborrow of contents within the box.
fn return_borrow_from_dropped_box_1(x: Box<&mut u32>) -> &mut u32 { &mut **x }
// This function is the way you'll probably see this in practice (the
// reborrow is now implicit).
fn return_borrow_from_dropped_box_2(x: Box<&mut u32>) -> &mut u32 { *x }
// For the remaining tests we just add some fields or other
// indirection to ensure that the compiler isn't just special-casing
// the above `Box<&mut T>` as the only type that would work.
// Here we add a tuple of indirection between the box and the
// reference.
type BoxedTup<'a, 'b> = Box<(&'a mut u32, &'b mut u32)>;
fn return_borrow_of_field_from_dropped_box_1<'a>(x: BoxedTup<'a, '_>) -> &'a mut u32 {
&mut *x.0
}
fn return_borrow_of_field_from_dropped_box_2<'a>(x: BoxedTup<'a, '_>) -> &'a mut u32 {
x.0
}
fn return_borrow_from_dropped_tupled_box_1<'a>(x: (BoxedTup<'a, '_>, &mut u32)) -> &'a mut u32 {
&mut *(x.0).0
}
fn return_borrow_from_dropped_tupled_box_2<'a>(x: (BoxedTup<'a, '_>, &mut u32)) -> &'a mut u32 {
(x.0).0
}
fn basic_tests() {
let mut x = 2;
let mut y = 3;
let mut z = 4;
*return_borrow_from_dropped_box_1(Box::new(&mut x)) += 10;
assert_eq!((x, y, z), (12, 3, 4));
*return_borrow_from_dropped_box_2(Box::new(&mut x)) += 10;
assert_eq!((x, y, z), (22, 3, 4));
*return_borrow_of_field_from_dropped_box_1(Box::new((&mut x, &mut y))) += 10;
assert_eq!((x, y, z), (32, 3, 4));
*return_borrow_of_field_from_dropped_box_2(Box::new((&mut x, &mut y))) += 10;
assert_eq!((x, y, z), (42, 3, 4));
*return_borrow_from_dropped_tupled_box_1((Box::new((&mut x, &mut y)), &mut z)) += 10;
assert_eq!((x, y, z), (52, 3, 4));
*return_borrow_from_dropped_tupled_box_2((Box::new((&mut x, &mut y)), &mut z)) += 10;
assert_eq!((x, y, z), (62, 3, 4));
}
// These scribbling tests have been transcribed from
// issue-45696-scribble-on-boxed-borrow.rs
//
// In the context of that file, these tests are meant to show cases
// that should be *accepted* by the compiler, so here we are actually
// checking that the code we get when they are compiled matches our
// expectations.
struct Scribble<'a>(&'a mut u32);
impl<'a> Drop for Scribble<'a> { fn drop(&mut self) { *self.0 = 42; } }
// this is okay, in both AST-borrowck and NLL: The `Scribble` here *has*
// to strictly outlive `'a`
fn borrowed_scribble<'a>(s: &'a mut Scribble) -> &'a mut u32 {
&mut *s.0
}
// this, by analogy to previous case, is also okay.
fn boxed_borrowed_scribble<'a>(s: Box<&'a mut Scribble>) -> &'a mut u32 {
&mut *(*s).0
}
// this, by analogy to previous case, is also okay.
fn boxed_boxed_borrowed_scribble<'a>(s: Box<Box<&'a mut Scribble>>) -> &'a mut u32 {
&mut *(**s).0
}
fn scribbling_tests() {
let mut x = 1;
{
let mut long_lived = Scribble(&mut x);
*borrowed_scribble(&mut long_lived) += 10;
assert_eq!(*long_lived.0, 11);
// (Scribble dtor runs here, after `&mut`-borrow above ends)
}
assert_eq!(x, 42);
x = 1;
{
let mut long_lived = Scribble(&mut x);
*boxed_borrowed_scribble(Box::new(&mut long_lived)) += 10;
assert_eq!(*long_lived.0, 11);
// (Scribble dtor runs here, after `&mut`-borrow above ends)
}
assert_eq!(x, 42);
x = 1;
{
let mut long_lived = Scribble(&mut x);
*boxed_boxed_borrowed_scribble(Box::new(Box::new(&mut long_lived))) += 10;
assert_eq!(*long_lived.0, 11);
// (Scribble dtor runs here, after `&mut`-borrow above ends)
}
assert_eq!(x, 42);
}
fn main() {
basic_tests();
scribbling_tests();
}

66
src/test/ui/issue-45696-no-variant-box-recur.rs Normal file
View file

@ -0,0 +1,66 @@
// Copyright 2018 The Rust Project Developers. See the COPYRIGHT
// file at the top-level directory of this distribution and at
// http://rust-lang.org/COPYRIGHT.
//
// Licensed under the Apache License, Version 2.0 <LICENSE-APACHE or
// http://www.apache.org/licenses/LICENSE-2.0> or the MIT license
// <LICENSE-MIT or http://opensource.org/licenses/MIT>, at your
// option. This file may not be copied, modified, or distributed
// except according to those terms.
// rust-lang/rust#45696: This test checks the compiler won't infinite
// loop when you declare a variable of type `struct A(Box<A>, ...);`
// (which is impossible to construct but *is* possible to declare; see
// also issues #4287, #44933, and #52852).
//
// We will explicitly test AST-borrowck, NLL, and migration modes;
// thus we will also skip the automated compare-mode=nll.
// revisions: ast nll migrate
// ignore-compare-mode-nll
#![cfg_attr(nll, feature(nll))]
//[migrate]compile-flags: -Z borrowck=migrate -Z two-phase-borrows
// run-pass
// This test has structs and functions that are by definiton unusable
// all over the place, so just go ahead and allow dead_code
#![allow(dead_code)]
// direct regular recursion with indirect ownership via box
struct C { field: Box<C> }
// direct non-regular recursion with indirect ownership via box
struct D { field: Box<(D, D)> }
// indirect regular recursion with indirect ownership via box.
struct E { field: F }
struct F { field: Box<E> }
// indirect non-regular recursion with indirect ownership via box.
struct G { field: (H, H) }
struct H { field: Box<G> }
// These enums are cases that are not currently hit by the
// `visit_terminator_drop` recursion down a type's structural
// definition.
//
// But it seems prudent to include them in this test as variants on
// the above, in that they are similarly non-constructable data types
// with destructors that would diverge.
enum I { One(Box<I>) }
enum J { One(Box<J>), Two(Box<J>) }
fn impossible_to_call_c(_c: C) { }
fn impossible_to_call_d(_d: D) { }
fn impossible_to_call_e(_e: E) { }
fn impossible_to_call_f(_f: F) { }
fn impossible_to_call_g(_g: G) { }
fn impossible_to_call_h(_h: H) { }
fn impossible_to_call_i(_i: I) { }
fn impossible_to_call_j(_j: J) { }
fn main() {
}

14
src/test/ui/issue-45696-scribble-on-boxed-borrow.ast.stderr Normal file
View file

@ -0,0 +1,14 @@
error: compilation successful
--> $DIR/issue-45696-scribble-on-boxed-borrow.rs:89:1
|
LL | / fn main() { //[ast]~ ERROR compilation successful
LL | | //[migrate]~^ ERROR compilation successful
LL | | let mut x = 1;
LL | | {
... |
LL | | *boxed_boxed_scribbled(Box::new(Box::new(Scribble(&mut x)))) += 10;
LL | | }
| |_^
error: aborting due to previous error

69
src/test/ui/issue-45696-scribble-on-boxed-borrow.migrate.stderr Normal file
View file

@ -0,0 +1,69 @@
warning[E0597]: `*s.0` does not live long enough
--> $DIR/issue-45696-scribble-on-boxed-borrow.rs:63:5
|
LL | &mut *s.0 //[nll]~ ERROR `*s.0` does not live long enough [E0597]
| ^^^^^^^^^ borrowed value does not live long enough
...
LL | }
| - `*s.0` dropped here while still borrowed
|
note: borrowed value must be valid for the lifetime 'a as defined on the function body at 62:14...
--> $DIR/issue-45696-scribble-on-boxed-borrow.rs:62:14
|
LL | fn scribbled<'a>(s: Scribble<'a>) -> &'a mut u32 {
| ^^
= warning: This error has been downgraded to a warning for backwards compatibility with previous releases.
It represents potential unsoundness in your code.
This warning will become a hard error in the future.
warning[E0597]: `*s.0` does not live long enough
--> $DIR/issue-45696-scribble-on-boxed-borrow.rs:73:5
|
LL | &mut *(*s).0 //[nll]~ ERROR `*s.0` does not live long enough [E0597]
| ^^^^^^^^^^^^ borrowed value does not live long enough
...
LL | }
| - `*s.0` dropped here while still borrowed
|
note: borrowed value must be valid for the lifetime 'a as defined on the function body at 72:20...
--> $DIR/issue-45696-scribble-on-boxed-borrow.rs:72:20
|
LL | fn boxed_scribbled<'a>(s: Box<Scribble<'a>>) -> &'a mut u32 {
| ^^
= warning: This error has been downgraded to a warning for backwards compatibility with previous releases.
It represents potential unsoundness in your code.
This warning will become a hard error in the future.
warning[E0597]: `*s.0` does not live long enough
--> $DIR/issue-45696-scribble-on-boxed-borrow.rs:83:5
|
LL | &mut *(**s).0 //[nll]~ ERROR `*s.0` does not live long enough [E0597]
| ^^^^^^^^^^^^^ borrowed value does not live long enough
...
LL | }
| - `*s.0` dropped here while still borrowed
|
note: borrowed value must be valid for the lifetime 'a as defined on the function body at 82:26...
--> $DIR/issue-45696-scribble-on-boxed-borrow.rs:82:26
|
LL | fn boxed_boxed_scribbled<'a>(s: Box<Box<Scribble<'a>>>) -> &'a mut u32 {
| ^^
= warning: This error has been downgraded to a warning for backwards compatibility with previous releases.
It represents potential unsoundness in your code.
This warning will become a hard error in the future.
error: compilation successful
--> $DIR/issue-45696-scribble-on-boxed-borrow.rs:89:1
|
LL | / fn main() { //[ast]~ ERROR compilation successful
LL | | //[migrate]~^ ERROR compilation successful
LL | | let mut x = 1;
LL | | {
... |
LL | | *boxed_boxed_scribbled(Box::new(Box::new(Scribble(&mut x)))) += 10;
LL | | }
| |_^
error: aborting due to previous error
For more information about this error, try `rustc --explain E0597`.

48
src/test/ui/issue-45696-scribble-on-boxed-borrow.nll.stderr Normal file
View file

@ -0,0 +1,48 @@
error[E0597]: `*s.0` does not live long enough
--> $DIR/issue-45696-scribble-on-boxed-borrow.rs:63:5
|
LL | &mut *s.0 //[nll]~ ERROR `*s.0` does not live long enough [E0597]
| ^^^^^^^^^ borrowed value does not live long enough
...
LL | }
| - `*s.0` dropped here while still borrowed
|
note: borrowed value must be valid for the lifetime 'a as defined on the function body at 62:14...
--> $DIR/issue-45696-scribble-on-boxed-borrow.rs:62:14
|
LL | fn scribbled<'a>(s: Scribble<'a>) -> &'a mut u32 {
| ^^
error[E0597]: `*s.0` does not live long enough
--> $DIR/issue-45696-scribble-on-boxed-borrow.rs:73:5
|
LL | &mut *(*s).0 //[nll]~ ERROR `*s.0` does not live long enough [E0597]
| ^^^^^^^^^^^^ borrowed value does not live long enough
...
LL | }
| - `*s.0` dropped here while still borrowed
|
note: borrowed value must be valid for the lifetime 'a as defined on the function body at 72:20...
--> $DIR/issue-45696-scribble-on-boxed-borrow.rs:72:20
|
LL | fn boxed_scribbled<'a>(s: Box<Scribble<'a>>) -> &'a mut u32 {
| ^^
error[E0597]: `*s.0` does not live long enough
--> $DIR/issue-45696-scribble-on-boxed-borrow.rs:83:5
|
LL | &mut *(**s).0 //[nll]~ ERROR `*s.0` does not live long enough [E0597]
| ^^^^^^^^^^^^^ borrowed value does not live long enough
...
LL | }
| - `*s.0` dropped here while still borrowed
|
note: borrowed value must be valid for the lifetime 'a as defined on the function body at 82:26...
--> $DIR/issue-45696-scribble-on-boxed-borrow.rs:82:26
|
LL | fn boxed_boxed_scribbled<'a>(s: Box<Box<Scribble<'a>>>) -> &'a mut u32 {
| ^^
error: aborting due to 3 previous errors
For more information about this error, try `rustc --explain E0597`.

110
src/test/ui/issue-45696-scribble-on-boxed-borrow.rs Normal file
View file

@ -0,0 +1,110 @@
// Copyright 2018 The Rust Project Developers. See the COPYRIGHT
// file at the top-level directory of this distribution and at
// http://rust-lang.org/COPYRIGHT.
//
// Licensed under the Apache License, Version 2.0 <LICENSE-APACHE or
// http://www.apache.org/licenses/LICENSE-2.0> or the MIT license
// <LICENSE-MIT or http://opensource.org/licenses/MIT>, at your
// option. This file may not be copied, modified, or distributed
// except according to those terms.
// rust-lang/rust#45696: This test is checking that we *cannot* return
// mutable borrows that would be scribbled over by destructors before
// the return occurs.
//
// We will explicitly test AST-borrowck, NLL, and migration modes;
// thus we will also skip the automated compare-mode=nll.
// revisions: ast nll migrate
// ignore-compare-mode-nll
// This test is going to pass in the ast and migrate revisions,
// because the AST-borrowck accepted this code in the past (see notes
// below). So we use `#[rustc_error]` to keep the outcome as an error
// in all scenarios, and rely on the stderr files to show what the
// actual behavior is. (See rust-lang/rust#49855.)
#![feature(rustc_attrs)]
#![cfg_attr(nll, feature(nll))]
//[migrate]compile-flags: -Z borrowck=migrate -Z two-phase-borrows
struct Scribble<'a>(&'a mut u32);
impl<'a> Drop for Scribble<'a> { fn drop(&mut self) { *self.0 = 42; } }
// this is okay, in both AST-borrowck and NLL: The `Scribble` here *has*
// to strictly outlive `'a`
fn borrowed_scribble<'a>(s: &'a mut Scribble) -> &'a mut u32 {
&mut *s.0
}
// this, by analogy to previous case, is also okay.
fn boxed_borrowed_scribble<'a>(s: Box<&'a mut Scribble>) -> &'a mut u32 {
&mut *(*s).0
}
// this, by analogy to previous case, is also okay.
fn boxed_boxed_borrowed_scribble<'a>(s: Box<Box<&'a mut Scribble>>) -> &'a mut u32 {
&mut *(**s).0
}
// this is not okay: in between the time that we take the mutable
// borrow and the caller receives it as a return value, the drop of
// `s` will scribble on it, violating our aliasing guarantees.
//
// * (Maybe in the future the two-phase borrows system will be
// extended to support this case. But for now, it is an error in
// NLL, even with two-phase borrows.)
//
// In any case, the AST-borrowck was not smart enough to know that
// this should be an error. (Which is perhaps the essence of why
// rust-lang/rust#45696 arose in the first place.)
fn scribbled<'a>(s: Scribble<'a>) -> &'a mut u32 {
&mut *s.0 //[nll]~ ERROR `*s.0` does not live long enough [E0597]
//[migrate]~^ WARNING `*s.0` does not live long enough [E0597]
//[migrate]~| WARNING This error has been downgraded to a warning for backwards compatibility
}
// This, by analogy to previous case, is *also* not okay.
//
// (But again, AST-borrowck was not smart enogh to know that this
// should be an error.)
fn boxed_scribbled<'a>(s: Box<Scribble<'a>>) -> &'a mut u32 {
&mut *(*s).0 //[nll]~ ERROR `*s.0` does not live long enough [E0597]
//[migrate]~^ WARNING `*s.0` does not live long enough [E0597]
//[migrate]~| WARNING This error has been downgraded to a warning for backwards compatibility
}
// This, by analogy to previous case, is *also* not okay.
//
// (But again, AST-borrowck was not smart enogh to know that this
// should be an error.)
fn boxed_boxed_scribbled<'a>(s: Box<Box<Scribble<'a>>>) -> &'a mut u32 {
&mut *(**s).0 //[nll]~ ERROR `*s.0` does not live long enough [E0597]
//[migrate]~^ WARNING `*s.0` does not live long enough [E0597]
//[migrate]~| WARNING This error has been downgraded to a warning for backwards compatibility
}
#[rustc_error]
fn main() { //[ast]~ ERROR compilation successful
//[migrate]~^ ERROR compilation successful
let mut x = 1;
{
let mut long_lived = Scribble(&mut x);
*borrowed_scribble(&mut long_lived) += 10;
// (Scribble dtor runs here, after `&mut`-borrow above ends)
}
{
let mut long_lived = Scribble(&mut x);
*boxed_borrowed_scribble(Box::new(&mut long_lived)) += 10;
// (Scribble dtor runs here, after `&mut`-borrow above ends)
}
{
let mut long_lived = Scribble(&mut x);
*boxed_boxed_borrowed_scribble(Box::new(Box::new(&mut long_lived))) += 10;
// (Scribble dtor runs here, after `&mut`-borrow above ends)
}
*scribbled(Scribble(&mut x)) += 10;
*boxed_scribbled(Box::new(Scribble(&mut x))) += 10;
*boxed_boxed_scribbled(Box::new(Box::new(Scribble(&mut x)))) += 10;
}

2
src/test/ui/span/dropck-object-cycle.nll.stderr
View file

@ -9,8 +9,6 @@ LL | }
| |
| `*m` dropped here while still borrowed
| borrow later used here, when `m` is dropped
|
= note: values in a scope are dropped in the opposite order they are defined
error: aborting due to previous error