Auto merge of rust-lang#2513 - RalfJung:protected, r=saethlin

bors · bors · commit fec1c7aa3250 · 2022-08-28T16:01:49.000Z
slightly improve protector-related error messages I find the current retag messages confusing, since they sound like the item *was* protected, when it still actively *is* protected (and that is, in fact, the issue). Example error message: ``` error: Undefined Behavior: not granting access to tag <3095> because incompatible item [Unique for <3099>] is protected by call 943 --> tests/fail/stacked_borrows/invalidate_against_barrier1.rs:5:25 | 5 | let _val = unsafe { *x }; //~ ERROR: protect | ^^ not granting access to tag <3095> because incompatible item [Unique for <3099>] is protected by call 943 | = help: this indicates a potential bug in the program: it performed an invalid operation, but the Stacked Borrows rules it violated are still experimental = help: see https://github.com/rust-lang/unsafe-code-guidelines/blob/master/wip/stacked-borrows.md for further information help: <3095> was created by a SharedReadWrite retag at offsets [0x0..0x4] --> tests/fail/stacked_borrows/invalidate_against_barrier1.rs:10:16 | 10 | let xraw = &mut x as *mut _; | ^^^^^^ help: <3095> cannot be used for memory access because that would remove protected tag <3099>, protected by this function call --> tests/fail/stacked_borrows/invalidate_against_barrier1.rs:1:1 | 1 | / fn inner(x: *mut i32, _y: &mut i32) { 2 | | // If `x` and `y` alias, retagging is fine with this... but we really 3 | | // shouldn't be allowed to use `x` at all because `y` was assumed to be 4 | | // unique for the duration of this call. 5 | | let _val = unsafe { *x }; //~ ERROR: protect 6 | | } | |_^ help: <3099> was derived from <3098>, which in turn was created here --> tests/fail/stacked_borrows/invalidate_against_barrier1.rs:12:17 | 12 | inner(xraw, xref); | ^^^^ = note: backtrace: = note: inside `inner` at tests/fail/stacked_borrows/invalidate_against_barrier1.rs:5:25 note: inside `main` at tests/fail/stacked_borrows/invalidate_against_barrier1.rs:12:5 --> tests/fail/stacked_borrows/invalidate_against_barrier1.rs:12:5 | 12 | inner(xraw, xref); | ^^^^^^^^^^^^^^^^^ ``` r? `@saethlin`
diff --git a/src/stacked_borrows/diagnostics.rs b/src/stacked_borrows/diagnostics.rs
@@ -2,7 +2,7 @@ use smallvec::SmallVec;
 use std::fmt;
 
 use rustc_middle::mir::interpret::{alloc_range, AllocId, AllocRange};
-use rustc_span::{Span, SpanData};
+use rustc_span::{Span, SpanData, DUMMY_SP};
 use rustc_target::abi::Size;
 
 use crate::helpers::CurrentSpan;
@@ -91,6 +91,7 @@ impl fmt::Display for InvalidationCause {
 
 #[derive(Clone, Debug)]
 struct Protection {
+    /// The parent tag from which this protected tag was derived.
     orig_tag: ProvenanceExtra,
     tag: SbTag,
     span: Span,
@@ -342,32 +343,39 @@ impl<'span, 'history, 'ecx, 'mir, 'tcx> DiagnosticCx<'span, 'history, 'ecx, 'mir
 
         let protected = protector_tag
             .and_then(|protector| {
-                self.history.protectors.iter().find_map(|protection| {
-                    if protection.tag == protector {
-                        Some((protection.orig_tag, protection.span.data()))
-                    } else {
-                        None
-                    }
+                self.history.protectors.iter().find(|protection| {
+                    protection.tag == protector
                 })
             })
-            .and_then(|(tag, call_span)| {
+            .and_then(|protection| {
                 self.history.creations.iter().rev().find_map(|event| {
-                    if ProvenanceExtra::Concrete(event.retag.new_tag) == tag {
-                        Some((event.retag.orig_tag, event.span.data(), call_span))
+                    if ProvenanceExtra::Concrete(event.retag.new_tag) == protection.orig_tag {
+                        Some((protection, event))
                     } else {
                         None
                     }
                 })
             })
-            .map(|(protecting_tag, protecting_tag_span, protection_span)| {
+            .map(|(protection, protection_parent)| {
+                let protected_tag = protection.tag;
                 [
                     (
                         format!(
-                            "{tag:?} was protected due to {protecting_tag:?} which was created here"
+                            "{tag:?} cannot be used for memory access because that would remove protected tag {protected_tag:?}, protected by this function call",
                         ),
-                        protecting_tag_span,
+                        protection.span.data(),
                     ),
-                    (format!("this protector is live for this call"), protection_span),
+                    if protection_parent.retag.new_tag == tag {
+                        (format!("{protected_tag:?} was derived from {tag:?}, the tag used for this memory access"), DUMMY_SP.data())
+                    } else {
+                        (
+                            format!(
+                                "{protected_tag:?} was derived from {protected_parent_tag:?}, which in turn was created here",
+                                protected_parent_tag = protection_parent.retag.new_tag,
+                            ),
+                            protection_parent.span.data()
+                        )
+                    }
                 ]
             });
 
diff --git a/tests/fail/stacked_borrows/aliasing_mut1.stderr b/tests/fail/stacked_borrows/aliasing_mut1.stderr
@@ -11,16 +11,12 @@ help: <TAG> was created by a Unique retag at offsets [0x0..0x4]
    |
 LL |     let xraw: *mut i32 = unsafe { mem::transmute(&mut x) };
    |                                                  ^^^^^^
-help: <TAG> was protected due to <TAG> which was created here
-  --> $DIR/aliasing_mut1.rs:LL:CC
-   |
-LL |     let xraw: *mut i32 = unsafe { mem::transmute(&mut x) };
-   |                                                  ^^^^^^
-help: this protector is live for this call
+help: <TAG> cannot be used for memory access because that would remove protected tag <TAG>, protected by this function call
   --> $DIR/aliasing_mut1.rs:LL:CC
    |
 LL | pub fn safe(_x: &mut i32, _y: &mut i32) {}
    | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+   = help: <TAG> was derived from <TAG>, the tag used for this memory access
    = note: backtrace:
    = note: inside `safe` at $DIR/aliasing_mut1.rs:LL:CC
 note: inside `main` at $DIR/aliasing_mut1.rs:LL:CC
diff --git a/tests/fail/stacked_borrows/aliasing_mut2.stderr b/tests/fail/stacked_borrows/aliasing_mut2.stderr
@@ -11,16 +11,16 @@ help: <TAG> was created by a Unique retag at offsets [0x0..0x4]
    |
 LL |     let xref = &mut x;
    |                ^^^^^^
-help: <TAG> was protected due to <TAG> which was created here
-  --> $DIR/aliasing_mut2.rs:LL:CC
-   |
-LL |     safe_raw(xshr, xraw);
-   |              ^^^^
-help: this protector is live for this call
+help: <TAG> cannot be used for memory access because that would remove protected tag <TAG>, protected by this function call
   --> $DIR/aliasing_mut2.rs:LL:CC
    |
 LL | pub fn safe(_x: &i32, _y: &mut i32) {}
    | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+help: <TAG> was derived from <TAG>, which in turn was created here
+  --> $DIR/aliasing_mut2.rs:LL:CC
+   |
+LL |     safe_raw(xshr, xraw);
+   |              ^^^^
    = note: backtrace:
    = note: inside `safe` at $DIR/aliasing_mut2.rs:LL:CC
 note: inside `main` at $DIR/aliasing_mut2.rs:LL:CC
diff --git a/tests/fail/stacked_borrows/aliasing_mut4.stderr b/tests/fail/stacked_borrows/aliasing_mut4.stderr
@@ -11,16 +11,16 @@ help: <TAG> was created by a Unique retag at offsets [0x0..0x4]
    |
 LL |     let xref = &mut x;
    |                ^^^^^^
-help: <TAG> was protected due to <TAG> which was created here
-  --> $DIR/aliasing_mut4.rs:LL:CC
-   |
-LL |     safe_raw(xshr, xraw as *mut _);
-   |              ^^^^
-help: this protector is live for this call
+help: <TAG> cannot be used for memory access because that would remove protected tag <TAG>, protected by this function call
   --> $DIR/aliasing_mut4.rs:LL:CC
    |
 LL | pub fn safe(_x: &i32, _y: &mut Cell<i32>) {}
    | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+help: <TAG> was derived from <TAG>, which in turn was created here
+  --> $DIR/aliasing_mut4.rs:LL:CC
+   |
+LL |     safe_raw(xshr, xraw as *mut _);
+   |              ^^^^
    = note: backtrace:
    = note: inside `safe` at $DIR/aliasing_mut4.rs:LL:CC
 note: inside `main` at $DIR/aliasing_mut4.rs:LL:CC
diff --git a/tests/fail/stacked_borrows/deallocate_against_protector1.rs b/tests/fail/stacked_borrows/deallocate_against_protector1.rs
diff --git a/tests/fail/stacked_borrows/deallocate_against_protector1.stderr b/tests/fail/stacked_borrows/deallocate_against_protector1.stderr
@@ -12,19 +12,19 @@ LL |     unsafe { __rust_dealloc(ptr, layout.size(), layout.align()) }
    = note: inside `alloc::alloc::box_free::<i32, std::alloc::Global>` at RUSTLIB/alloc/src/alloc.rs:LL:CC
    = note: inside `std::ptr::drop_in_place::<std::boxed::Box<i32>> - shim(Some(std::boxed::Box<i32>))` at RUSTLIB/core/src/ptr/mod.rs:LL:CC
    = note: inside `std::mem::drop::<std::boxed::Box<i32>>` at RUSTLIB/core/src/mem/mod.rs:LL:CC
-note: inside closure at $DIR/deallocate_against_barrier1.rs:LL:CC
-  --> $DIR/deallocate_against_barrier1.rs:LL:CC
+note: inside closure at $DIR/deallocate_against_protector1.rs:LL:CC
+  --> $DIR/deallocate_against_protector1.rs:LL:CC
    |
 LL |         drop(unsafe { Box::from_raw(raw) });
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-   = note: inside `<[closure@$DIR/deallocate_against_barrier1.rs:LL:CC] as std::ops::FnOnce<(&mut i32,)>>::call_once - shim` at RUSTLIB/core/src/ops/function.rs:LL:CC
-note: inside `inner` at $DIR/deallocate_against_barrier1.rs:LL:CC
-  --> $DIR/deallocate_against_barrier1.rs:LL:CC
+   = note: inside `<[closure@$DIR/deallocate_against_protector1.rs:LL:CC] as std::ops::FnOnce<(&mut i32,)>>::call_once - shim` at RUSTLIB/core/src/ops/function.rs:LL:CC
+note: inside `inner` at $DIR/deallocate_against_protector1.rs:LL:CC
+  --> $DIR/deallocate_against_protector1.rs:LL:CC
    |
 LL |     f(x)
    |     ^^^^
-note: inside `main` at $DIR/deallocate_against_barrier1.rs:LL:CC
-  --> $DIR/deallocate_against_barrier1.rs:LL:CC
+note: inside `main` at $DIR/deallocate_against_protector1.rs:LL:CC
+  --> $DIR/deallocate_against_protector1.rs:LL:CC
    |
 LL | /     inner(Box::leak(Box::new(0)), |x| {
 LL | |         let raw = x as *mut _;
diff --git a/tests/fail/stacked_borrows/deallocate_against_protector2.rs b/tests/fail/stacked_borrows/deallocate_against_protector2.rs
diff --git a/tests/fail/stacked_borrows/deallocate_against_protector2.stderr b/tests/fail/stacked_borrows/deallocate_against_protector2.stderr
@@ -12,19 +12,19 @@ LL |     unsafe { __rust_dealloc(ptr, layout.size(), layout.align()) }
    = note: inside `alloc::alloc::box_free::<NotUnpin, std::alloc::Global>` at RUSTLIB/alloc/src/alloc.rs:LL:CC
    = note: inside `std::ptr::drop_in_place::<std::boxed::Box<NotUnpin>> - shim(Some(std::boxed::Box<NotUnpin>))` at RUSTLIB/core/src/ptr/mod.rs:LL:CC
    = note: inside `std::mem::drop::<std::boxed::Box<NotUnpin>>` at RUSTLIB/core/src/mem/mod.rs:LL:CC
-note: inside closure at $DIR/deallocate_against_barrier2.rs:LL:CC
-  --> $DIR/deallocate_against_barrier2.rs:LL:CC
+note: inside closure at $DIR/deallocate_against_protector2.rs:LL:CC
+  --> $DIR/deallocate_against_protector2.rs:LL:CC
    |
 LL |         drop(unsafe { Box::from_raw(raw) });
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-   = note: inside `<[closure@$DIR/deallocate_against_barrier2.rs:LL:CC] as std::ops::FnOnce<(&mut NotUnpin,)>>::call_once - shim` at RUSTLIB/core/src/ops/function.rs:LL:CC
-note: inside `inner` at $DIR/deallocate_against_barrier2.rs:LL:CC
-  --> $DIR/deallocate_against_barrier2.rs:LL:CC
+   = note: inside `<[closure@$DIR/deallocate_against_protector2.rs:LL:CC] as std::ops::FnOnce<(&mut NotUnpin,)>>::call_once - shim` at RUSTLIB/core/src/ops/function.rs:LL:CC
+note: inside `inner` at $DIR/deallocate_against_protector2.rs:LL:CC
+  --> $DIR/deallocate_against_protector2.rs:LL:CC
    |
 LL |     f(x)
    |     ^^^^
-note: inside `main` at $DIR/deallocate_against_barrier2.rs:LL:CC
-  --> $DIR/deallocate_against_barrier2.rs:LL:CC
+note: inside `main` at $DIR/deallocate_against_protector2.rs:LL:CC
+  --> $DIR/deallocate_against_protector2.rs:LL:CC
    |
 LL | /     inner(Box::leak(Box::new(NotUnpin(0, PhantomPinned))), |x| {
 LL | |         let raw = x as *mut _;
diff --git a/tests/fail/stacked_borrows/illegal_write6.stderr b/tests/fail/stacked_borrows/illegal_write6.stderr
@@ -11,12 +11,7 @@ help: <TAG> was created by a SharedReadWrite retag at offsets [0x0..0x4]
    |
 LL |     let p = x as *mut u32;
    |             ^
-help: <TAG> was protected due to <TAG> which was created here
-  --> $DIR/illegal_write6.rs:LL:CC
-   |
-LL |     foo(x, p);
-   |         ^
-help: this protector is live for this call
+help: <TAG> cannot be used for memory access because that would remove protected tag <TAG>, protected by this function call
   --> $DIR/illegal_write6.rs:LL:CC
    |
 LL | / fn foo(a: &mut u32, y: *mut u32) -> u32 {
@@ -26,6 +21,11 @@ LL | |     unsafe { *y = 2 };
 LL | |     return *a;
 LL | | }
    | |_^
+help: <TAG> was derived from <TAG>, which in turn was created here
+  --> $DIR/illegal_write6.rs:LL:CC
+   |
+LL |     foo(x, p);
+   |         ^
    = note: backtrace:
    = note: inside `foo` at $DIR/illegal_write6.rs:LL:CC
 note: inside `main` at $DIR/illegal_write6.rs:LL:CC
diff --git a/tests/fail/stacked_borrows/invalidate_against_protector1.rs b/tests/fail/stacked_borrows/invalidate_against_protector1.rs
diff --git a/tests/fail/stacked_borrows/invalidate_against_protector1.stderr b/tests/fail/stacked_borrows/invalidate_against_protector1.stderr
@@ -1,23 +1,18 @@
 error: Undefined Behavior: not granting access to tag <TAG> because incompatible item [Unique for <TAG>] is protected by call ID
-  --> $DIR/invalidate_against_barrier1.rs:LL:CC
+  --> $DIR/invalidate_against_protector1.rs:LL:CC
    |
 LL |     let _val = unsafe { *x };
    |                         ^^ not granting access to tag <TAG> because incompatible item [Unique for <TAG>] is protected by call ID
    |
    = help: this indicates a potential bug in the program: it performed an invalid operation, but the Stacked Borrows rules it violated are still experimental
    = help: see https://github.com/rust-lang/unsafe-code-guidelines/blob/master/wip/stacked-borrows.md for further information
 help: <TAG> was created by a SharedReadWrite retag at offsets [0x0..0x4]
-  --> $DIR/invalidate_against_barrier1.rs:LL:CC
+  --> $DIR/invalidate_against_protector1.rs:LL:CC
    |
 LL |     let xraw = &mut x as *mut _;
    |                ^^^^^^
-help: <TAG> was protected due to <TAG> which was created here
-  --> $DIR/invalidate_against_barrier1.rs:LL:CC
-   |
-LL |     inner(xraw, xref);
-   |                 ^^^^
-help: this protector is live for this call
-  --> $DIR/invalidate_against_barrier1.rs:LL:CC
+help: <TAG> cannot be used for memory access because that would remove protected tag <TAG>, protected by this function call
+  --> $DIR/invalidate_against_protector1.rs:LL:CC
    |
 LL | / fn inner(x: *mut i32, _y: &mut i32) {
 LL | |     // If `x` and `y` alias, retagging is fine with this... but we really
@@ -26,10 +21,15 @@ LL | |     // unique for the duration of this call.
 LL | |     let _val = unsafe { *x };
 LL | | }
    | |_^
+help: <TAG> was derived from <TAG>, which in turn was created here
+  --> $DIR/invalidate_against_protector1.rs:LL:CC
+   |
+LL |     inner(xraw, xref);
+   |                 ^^^^
    = note: backtrace:
-   = note: inside `inner` at $DIR/invalidate_against_barrier1.rs:LL:CC
-note: inside `main` at $DIR/invalidate_against_barrier1.rs:LL:CC
-  --> $DIR/invalidate_against_barrier1.rs:LL:CC
+   = note: inside `inner` at $DIR/invalidate_against_protector1.rs:LL:CC
+note: inside `main` at $DIR/invalidate_against_protector1.rs:LL:CC
+  --> $DIR/invalidate_against_protector1.rs:LL:CC
    |
 LL |     inner(xraw, xref);
    |     ^^^^^^^^^^^^^^^^^
diff --git a/tests/fail/stacked_borrows/invalidate_against_protector2.rs b/tests/fail/stacked_borrows/invalidate_against_protector2.rs
diff --git a/tests/fail/stacked_borrows/invalidate_against_protector2.stderr b/tests/fail/stacked_borrows/invalidate_against_protector2.stderr
@@ -1,23 +1,18 @@
 error: Undefined Behavior: not granting access to tag <TAG> because incompatible item [SharedReadOnly for <TAG>] is protected by call ID
-  --> $DIR/invalidate_against_barrier2.rs:LL:CC
+  --> $DIR/invalidate_against_protector2.rs:LL:CC
    |
 LL |     unsafe { *x = 0 };
    |              ^^^^^^ not granting access to tag <TAG> because incompatible item [SharedReadOnly for <TAG>] is protected by call ID
    |
    = help: this indicates a potential bug in the program: it performed an invalid operation, but the Stacked Borrows rules it violated are still experimental
    = help: see https://github.com/rust-lang/unsafe-code-guidelines/blob/master/wip/stacked-borrows.md for further information
 help: <TAG> was created by a SharedReadWrite retag at offsets [0x0..0x4]
-  --> $DIR/invalidate_against_barrier2.rs:LL:CC
+  --> $DIR/invalidate_against_protector2.rs:LL:CC
    |
 LL |     let xraw = &mut x as *mut _;
    |                ^^^^^^
-help: <TAG> was protected due to <TAG> which was created here
-  --> $DIR/invalidate_against_barrier2.rs:LL:CC
-   |
-LL |     inner(xraw, xref);
-   |                 ^^^^
-help: this protector is live for this call
-  --> $DIR/invalidate_against_barrier2.rs:LL:CC
+help: <TAG> cannot be used for memory access because that would remove protected tag <TAG>, protected by this function call
+  --> $DIR/invalidate_against_protector2.rs:LL:CC
    |
 LL | / fn inner(x: *mut i32, _y: &i32) {
 LL | |     // If `x` and `y` alias, retagging is fine with this... but we really
@@ -26,10 +21,15 @@ LL | |     // immutable for the duration of this call.
 LL | |     unsafe { *x = 0 };
 LL | | }
    | |_^
+help: <TAG> was derived from <TAG>, which in turn was created here
+  --> $DIR/invalidate_against_protector2.rs:LL:CC
+   |
+LL |     inner(xraw, xref);
+   |                 ^^^^
    = note: backtrace:
-   = note: inside `inner` at $DIR/invalidate_against_barrier2.rs:LL:CC
-note: inside `main` at $DIR/invalidate_against_barrier2.rs:LL:CC
-  --> $DIR/invalidate_against_barrier2.rs:LL:CC
+   = note: inside `inner` at $DIR/invalidate_against_protector2.rs:LL:CC
+note: inside `main` at $DIR/invalidate_against_protector2.rs:LL:CC
+  --> $DIR/invalidate_against_protector2.rs:LL:CC
    |
 LL |     inner(xraw, xref);
    |     ^^^^^^^^^^^^^^^^^
diff --git a/tests/fail/stacked_borrows/newtype_retagging.stderr b/tests/fail/stacked_borrows/newtype_retagging.stderr
@@ -11,18 +11,18 @@ help: <TAG> was created by a SharedReadWrite retag at offsets [0x0..0x4]
    |
 LL |     let ptr = Box::into_raw(Box::new(0i32));
    |               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-help: <TAG> was protected due to <TAG> which was created here
-  --> $DIR/newtype_retagging.rs:LL:CC
-   |
-LL |             Newtype(&mut *ptr),
-   |             ^^^^^^^^^^^^^^^^^^
-help: this protector is live for this call
+help: <TAG> cannot be used for memory access because that would remove protected tag <TAG>, protected by this function call
   --> $DIR/newtype_retagging.rs:LL:CC
    |
 LL | / fn dealloc_while_running(_n: Newtype<'_>, dealloc: impl FnOnce()) {
 LL | |     dealloc();
 LL | | }
    | |_^
+help: <TAG> was derived from <TAG>, which in turn was created here
+  --> $DIR/newtype_retagging.rs:LL:CC
+   |
+LL |             Newtype(&mut *ptr),
+   |             ^^^^^^^^^^^^^^^^^^
    = note: backtrace:
    = note: inside `std::boxed::Box::<i32>::from_raw_in` at RUSTLIB/alloc/src/boxed.rs:LL:CC
    = note: inside `std::boxed::Box::<i32>::from_raw` at RUSTLIB/alloc/src/boxed.rs:LL:CC
