Box<&mut int> allows for constructing an &int aliasing the &mut, while the &mut is still modifyable

[huonw]

fn main() {
    let mut a = 3i;
    let b = box &mut a;
    let c = &b;
    let d = &***c; // point to the data
    **b = 4i; // modify the data!!!

    println!("{} {}", c, d); // both 4
}

[pcwalton]

Nominating for P-backcompat-lang as a borrow check bug

[pcwalton]

cc @nikomatsakis

[pnkfelix]

cc me

[brson]

1.0 P-backcompat-lang.

[huonw]

Also, it doesn't fail when using &mut instead of Box:

fn main() {
    let mut a = 3i;
    let b = &mut &mut a;
    let c = &b;
    let d = &***c;
    **b = 4i;

    println!("{} {}", c, d);
}

14498.rs:6:5: 6:8 error: cannot assign to `**b` because it is borrowed
14498.rs:6     **b = 4i;
               ^~~
14498.rs:4:14: 4:15 note: borrow of `**b` occurs here
14498.rs:4     let c = &b;
                        ^

[anasazi]

I think d is actually irrelevant to the real bug here. The assignment shouldn't be allowed while c exists since the immutable borrow freezes everything. It seems to still work with &mut, so maybe the owned pointer version just got lost in the ~ to box transition.

[anasazi]

Side note: the current Redex model correctly rejects this code (yay!).

[zwarich]

I have a simple fix for this: https://gist.github.com/zwarich/6f6bace941c87aeb7587. I'm testing on top of a lot of other borrowck changes, but this code in particular wasn't modified. I'll add a test, try again on master, and submit a PR.

[huonw]

@anasazi theoretically the ~ to box transition was just renaming the syntax, I believe Box is still represented in the compiler in exactly the same way that ~ was.

(Maybe @cmr could try this code on the last pre-~-removal compiler (or anything before that) to see if it was rejected then.)

[anasazi]

@huonw I just figured we would have run into & not actually freezing ~ pointers a long time ago, but it's possible I suppose.