Forbid freely casting lifetime bounds of dyn-types #136776
Conversation
rustbot
added
S-waiting-on-review
|
@bors try |
…, r=<try> [WIP] Forbid object lifetime changing pointer casts Fixes rust-lang#136702 r? `@ghost`
|
☀️ Try build successful - checks-actions |
|
@craterbot check |
|
👌 Experiment ℹ️ Crater is a tool to run experiments across parts of the Rust ecosystem. Learn more |
craterbot
added
S-waiting-on-crater
|
🚧 Experiment ℹ️ Crater is a tool to run experiments across parts of the Rust ecosystem. Learn more |
|
🎉 Experiment
|
craterbot
added
S-waiting-on-review
|
Most of these are on github; in terms of crates.io regressions all we have is:
Overall, 142 regressions are caused by EDIT: Ah, there's also |
traviscross
added
the
I-lang-nominated
|
We discussed this in the lang triage call today. We wanted to think more about it, so we're leaving it nominated to discuss again. |
|
@BoxyUwU Do you think it would be possible to implement this as an FCW? We talked about this in lang triage today and would prefer to start with that if we can. If it's not feasible, a hard error can also work (I would say though that we should upstream PRs to any crates we break). Another small thing I noticed is that the error message links to the Nomicon section on variance, but it would be ideal to link to a tracking issue or something describing this issue in particular. |
|
To add on to what tmandry, said, in our discussions we did feel that the approach taken in this PR is generally the right way forward, and we're happy to see this progress so as to help clear the way for cc @rust-lang/lang |
|
@tmandry I do expect it to be possible to FCW this. We can likely do something hacky around to fully emulate the fix (but as a lint), but if that doesn't work out all the regression we found were relatively "simple" cases that can probably be taken advantage of (if need be) to lint a subset of the actual cases we'd break with this PR edit: see compiler-errors' comment, I'm not so convinced this will be possible to FCW anymore and will likely investigate improving the diagnostics here. I've already filed PRs to the affected crates to migrate them over to a transmute to avoid the breakage if this lands |
|
I was thinking earlier that it may be possible to implement a lint to detect, but it seems to me that MIR borrowck is not equipped to implement such a lint. Specifically, it seems near impossible to answer whether a region outlives constraint (like, To fix this would require some significant engineering effort to refactor how NLL processes its region graph to make it easier to clone and reprocess with new constraints. |
…uto_to_object-hard-error, r=oli-obk Make `ptr_cast_add_auto_to_object` lint into hard error In Rust 1.81, we added a FCW lint (including linting in dependencies) against pointer casts that add an auto trait to dyn bounds. This was part of work making casts of pointers involving trait objects stricter, and was part of the work needed to restabilize trait upcasting. We considered just making this a hard error, but opted against it at that time due to breakage found by crater. This breakage was mostly due to the `anymap` crate which has been a persistent problem for us. It's now a year later, and the fact that this is not yet a hard error is giving us pause about stabilizing arbitrary self types and `derive(CoercePointee)`. So let's see about making a hard error of this. r? ghost cc `@adetaylor` `@Darksonn` `@BoxyUwU` `@RalfJung` `@compiler-errors` `@oli-obk` `@WaffleLapkin` Related: - rust-lang#135881 - rust-lang#136702 - rust-lang#136776 Tracking: - rust-lang#127323 - rust-lang#44874 - rust-lang#123430
…uto_to_object-hard-error, r=oli-obk Make `ptr_cast_add_auto_to_object` lint into hard error In Rust 1.81, we added a FCW lint (including linting in dependencies) against pointer casts that add an auto trait to dyn bounds. This was part of work making casts of pointers involving trait objects stricter, and was part of the work needed to restabilize trait upcasting. We considered just making this a hard error, but opted against it at that time due to breakage found by crater. This breakage was mostly due to the `anymap` crate which has been a persistent problem for us. It's now a year later, and the fact that this is not yet a hard error is giving us pause about stabilizing arbitrary self types and `derive(CoercePointee)`. So let's see about making a hard error of this. r? ghost cc ``@adetaylor`` ``@Darksonn`` ``@BoxyUwU`` ``@RalfJung`` ``@compiler-errors`` ``@oli-obk`` ``@WaffleLapkin`` Related: - rust-lang#135881 - rust-lang#136702 - rust-lang#136776 Tracking: - rust-lang#127323 - rust-lang#44874 - rust-lang#123430
…uto_to_object-hard-error, r=oli-obk Make `ptr_cast_add_auto_to_object` lint into hard error In Rust 1.81, we added a FCW lint (including linting in dependencies) against pointer casts that add an auto trait to dyn bounds. This was part of work making casts of pointers involving trait objects stricter, and was part of the work needed to restabilize trait upcasting. We considered just making this a hard error, but opted against it at that time due to breakage found by crater. This breakage was mostly due to the `anymap` crate which has been a persistent problem for us. It's now a year later, and the fact that this is not yet a hard error is giving us pause about stabilizing arbitrary self types and `derive(CoercePointee)`. So let's see about making a hard error of this. r? ghost cc ```@adetaylor``` ```@Darksonn``` ```@BoxyUwU``` ```@RalfJung``` ```@compiler-errors``` ```@oli-obk``` ```@WaffleLapkin``` Related: - rust-lang#135881 - rust-lang#136702 - rust-lang#136776 Tracking: - rust-lang#127323 - rust-lang#44874 - rust-lang#123430
lcnr
added
S-waiting-on-fcp
|
@rfcbot resolve can we do a FCW I get the impression that people don't seem too concerned about landing this without an FCW and I think it'll be a while before I can get around to looking into if we even can |
rust-rfcbot
added
final-comment-period
|
🔔 This is now entering its final comment period, as per the review above. 🔔 |
rust-rfcbot
added
finished-final-comment-period
|
The final comment period, with a disposition to merge, as per the review above, is now complete. As the automated representative of the governance process, I would like to thank the author for their work and everyone else who contributed. This will be merged soon. |
|
Given the breakage, I would try to merge this right after the next beta cutoff to have the full 6 weeks on nightly |
| { | ||
| diag.span_note( | ||
| constraint.span, | ||
| format!("raw pointer casts of trait objects do not cast away lifetimes"), |
There was a problem hiding this comment.
| format!("raw pointer casts of trait objects do not cast away lifetimes"), | |
| format!("raw pointer casts of trait objects must not extend lifetimes"), |
maybe? "cast away" sounds weird
There was a problem hiding this comment.
"must not" sounds like "you can do it but you shouldn't". How about "can't extend lifetimes"?
There was a problem hiding this comment.
I learned in school that "must not" means "is not allowed to". But maybe it doesn't universally have that meaning?
There was a problem hiding this comment.
Well... It does mean that it's not allowed to do it. But to me "not allowed to" brings forward the wrong connotations compared to "can't"/"not able to"/"not possible" in the specific case of a compiler error message.
| // Trait parameters are Invariant, the only part that actually has subtyping | ||
| // here is the lifetime bound of the dyn-type. | ||
| // | ||
| // For example in `dyn Trait<'a> + 'b <: dyn Trait<'c> + 'd` we would require | ||
| // that `'a == 'c` but only that `'b: 'd`. | ||
| // | ||
| // We must not allow freely casting lifetime bounds of dyn-types as it may allow | ||
| // for inaccessible VTable methods being callable: #136702 | ||
| // | ||
| // We don't enforce this for casts of principal-less dyn types as their VTables do | ||
| // not contain any functions with `Self: 'a` bounds that could start holding after | ||
| // a pointer cast. | ||
| // | ||
| // We also don't enforce this for casts of pointers to pointers to dyn types. E.g. | ||
| // `*mut *mut dyn Trait + 'a -> *mut *mut dyn Trait + 'static` is allowed. This is | ||
| // fine because there is no actual VTable in play. |
There was a problem hiding this comment.
| // Trait parameters are Invariant, the only part that actually has subtyping | |
| // here is the lifetime bound of the dyn-type. | |
| // | |
| // For example in `dyn Trait<'a> + 'b <: dyn Trait<'c> + 'd` we would require | |
| // that `'a == 'c` but only that `'b: 'd`. | |
| // | |
| // We must not allow freely casting lifetime bounds of dyn-types as it may allow | |
| // for inaccessible VTable methods being callable: #136702 | |
| // | |
| // We don't enforce this for casts of principal-less dyn types as their VTables do | |
| // not contain any functions with `Self: 'a` bounds that could start holding after | |
| // a pointer cast. | |
| // | |
| // We also don't enforce this for casts of pointers to pointers to dyn types. E.g. | |
| // `*mut *mut dyn Trait + 'a -> *mut *mut dyn Trait + 'static` is allowed. This is | |
| // fine because there is no actual VTable in play. | |
| // Trait parameters are invariant, the only part that actually has subtyping | |
| // here is the lifetime bound of the dyn-type. | |
| // | |
| // For example in `dyn Trait<'a> + 'b <: dyn Trait<'c> + 'd` we would require | |
| // that `'a == 'c` but only that `'b: 'd`. | |
| // | |
| // We must not allow freely casting lifetime bounds of dyn-types as it may allow | |
| // for inaccessible VTable methods being callable: #136702 | |
| // | |
| // We don't enforce this for casts of principal-less dyn types as their VTables do | |
| // not contain any functions with `Self: 'a` bounds that could start holding after | |
| // a pointer cast. | |
| // | |
| // We also don't enforce this for casts of pointers to pointers to dyn types. E.g. | |
| // `*mut *mut dyn Trait + 'a -> *mut *mut dyn Trait + 'static` is allowed. This is | |
| // fine because there is no actual VTable in play. |
There was a problem hiding this comment.
I feel like allowing this for principal-less trait objects is quite inconsistent :< what's the additional breakage when always checking this, even if there are only auto traits
There was a problem hiding this comment.
What is meant by "principal-less" here?
There was a problem hiding this comment.
There was a problem hiding this comment.
So this is about casting dyn Send + 'short to dyn Send + 'long? I'm not convinced there's any reason to have a special case in the language for that particular case.
There was a problem hiding this comment.
I feel like allowing this for principal-less trait objects is quite inconsistent
I agree with u 🤔 I guess this would imply that we never have unconditional vtable methods that depend on lifetimes. E.g. sticking a type_id fn in all vtables like we do for size_of. I've no idea what the additional breakage is like. I can check this for auto-trait only dyn-types and do a second crater run (which will also detect any additional cases in the wild since the last one...)
There was a problem hiding this comment.
Is there anything I can do to help here?
There was a problem hiding this comment.
If you'd be able to checkout this PR and maybe rebase it then make a commit to check for the case where the target type has no principal trait and if so push an outlives requirement that the lifetime of the source trait object outlives the lifetime of the target trait object, that would be helpful 🤔 then its just a matter of queueing a crater run and checking it's not got more regressions than the previous one
BoxyUwU
added
S-waiting-on-author
Darksonn
force-pushed
the
forbid_object_lifetime_casts
branch
from
a3d0dac to
d525233
Compare
|
This PR was rebased onto a different main commit. Here's a range-diff highlighting what actually changed. Rebasing is a normal part of keeping PRs up to date, so no action is needed—this note is just to help reviewers. |
|
@bors try |
This comment has been minimized.
This comment has been minimized.
Forbid freely casting lifetime bounds of dyn-types
|
@craterbot check |
|
👌 Experiment ℹ️ Crater is a tool to run experiments across parts of the Rust ecosystem. Learn more |
craterbot
added
S-waiting-on-crater
| && src_tty.principal().is_none() | ||
| && dst_tty.principal().is_none() |
There was a problem hiding this comment.
@Darksonn I think this currently means that casting something like: *mut dyn Trait + Send + 'a to *mut Send + 'b won't check 'a: 'b. We ought to drop the src_tty.principal().is_none() check here, unless I'm misreading this code :)
20 participants
Fixes #136702
Reference PR:
Background reading about VTable calls/dyn compatibility: https://hackmd.io/zUp-sgZ0RFuFgsNfD4JqYw
This PR causes us to start enforcing that lifetimes of dyn types are constrained through pointer casts. Currently on stable casting
*mut dyn Trait + 'ato*mut dyn Trait + 'bpasses with no requirements on'aor'b. Under this PR we now require'ato outlive'b.Even though the pointee of
*mutpointers is considered to be invariant, we still use subtyping rather than equality. This mirrors how we support coercing&mut dyn Trait + 'ato&mut dyn Trait + 'bwhile requiring only'a: 'b. I believe this coercion is sound as there is no way for safe code tomem::swaptwodyn Trait's, and the same is definitely true of raw pointers.See the changes to this test: https://github.com/rust-lang/rust/pull/136776/files#diff-5523f20a800287a89c9f3e92646c887f3f7599be006b29dd9315f734a2137764
We also do not enforce any constraints on the lifetime of the dyn types if there are multiple pointer indirections. For example
*mut *mut dyn Trait + 'ais allowed to be casted to*mut *mut dyn Trait + 'bwith no requirements on'aor 'b`. This case is just a normal thin pointer cast where we do not care about the pointee type as there is no VTable in play.Test: https://github.com/rust-lang/rust/pull/136776/files#diff-3b6c8da342bb6530524158d686455a545bb8fd6f59cf5ff50d1d991ce74c9649
Finally, this is about any cast where the pointee is unsized with dyn-type metadata, not just literally the pointee type being a dyn-type. E.g. casting
*mut Wrapper<dyn Trait + 'a>to*mut Wrapper<dyn Trait + 'b>requires'a: 'bunder this PR.Test: https://github.com/rust-lang/rust/pull/136776/files#diff-ca0c44df62ae1ad1be70f892f01a59714336c7baf78602a5887ac1cf81145c96
Breakage
This is a breaking change.
Crater Report Comment: #136776 (comment)
Generated Report: https://crater-reports.s3.amazonaws.com/pr-136776/index.html
The majority of the breakage is caused by the
metricscrate with 142 of the regressions, and themaycrate with 14 of the regressions. Themetricscrate has been fixed and has backported the fix to previous versions of the crate that were also affected. Themaycrate has also been fixed.PRs against affected crates have been opened and can be seen here:
There were three regressions I've not filed PRs against:
r? @ghost