Immovable generators

[Zoxc]

This adds support for immovable generators which allow you to borrow local values inside generator across suspension points. These are declared using a static keyword:

let mut generator = static || {
    let local = &Vec::new();
    yield;
    local.push(0i8);
};
generator.resume();

// ERROR moving the generator after it has resumed would invalidate the interior reference
// drop(generator);

Region inference is no longer affected by the types stored in generators so the regions inside should be similar to other code (and unaffected by the presence of yield expressions). The borrow checker is extended to pick up the slack so interior references still result in errors for movable generators. This fixes #44197, #45259 and #45093.

This PR depends on PR #44917 (immovable types), I suggest potential reviewers ignore the first commit as it adds immovable types.

[rust-highfive]

r? @arielb1

(rust_highfive has picked a reviewer for you, use r? to override)

[arielb1]

Can't you replicate the zip loop that the TyTuple branch does?

[Zoxc]

I had to deal with the Binder, which needs an intermediate type. I could create one though.

[arielb1]

You could implement Relate for &'tcx Slice<Ty<'tcx>> using the same algorithm as Substs.

[Zoxc]

I changed this to use an intermediate type to make it clear the logic only applies to TyGeneratorWitness.

[arielb1]

This doesn't feel right. If the generator captures an upvar through a mutable reference, the generator doesn't have dropck constraints:

#![feature(generators, generator_trait)]

use std::cell::RefCell;
use std::ops::Generator;

fn static_alloc<'a, T>(t: T) -> &'a mut T {
    // this is an unsafe function, but it is sound (not running destructors
    // is safe), can be implemented using a static dropless arena of
    // `ManuallyDrop` data, and was planned to be added to the standard
    // library at some point.
    unsafe {
        use std::mem;
        let mut b = Box::new(t);
        let r = &mut *(&mut *b as *mut T);
        mem::forget(b);
        r
    }
}

fn main() {
    let (cell, mut gen);
    cell = Box::new(RefCell::new(0));
    let ref_ = static_alloc(Some(cell.borrow_mut()));
    // the upvar is the non-dropck `&mut Option<Ref<'a, i32>>`.
    gen = || {
        // but the generator can use it to drop a `Ref<'a, i32>`.
        let _d = ref_.take();
        yield;
    };
    gen.resume();
    // drops the RefCell and then the Ref, leading to use-after-free
}

[arielb1]

It might be a better idea to treat generators like trait object and have them always be dtorck. If generators are "supposed to be" captured by an impl Trait or trait object, this shouldn't be a problem in practice..

[Zoxc]

This gives the following error.:

error[E0597]: `ref_` does not live long enough
  --> dtorck.rs:27:18
   |
25 |     gen = || {
   |           -- capture occurs here
26 |         // but the generator can use it to drop a `Ref<'a, i32>`.
27 |         let _d = ref_.take();
   |                  ^^^^ does not live long enough
...
32 | }
   | - borrowed value dropped before borrower
   |
   = note: values in a scope are dropped in the opposite order they are created

error: aborting due to previous error

Note that upvars are still checked. Even if we didn't ignore the interior, would higher-ranked regions have any effect on dtorck?

[arielb1]

Does this still give the error with your PR? the only upvar should be ref_, which should have an empty dtorck constraint. Maybe I just need to check this PR out to see that this holds?

[Zoxc]

That error is from this PR.

[arielb1]

Could you make this into a test?

[arielb1]

TyFnPtr skips binders blindly in the next 5 lines, so sure.

[Zoxc]

Ok. Removed this FIXME.

[arielb1]

// It is either a Box or some already borrowed local.

nit: it can also be a borrow from something based on an upvar, e.g. &fcx.tcx.

[Zoxc]

I was thinking of MIR locals here.

[arielb1]

(*fcx).tcx is not an already borrowed MIR local, it's from the place where fcx was allocated from, which can be everywhere (e.g. it could be a field of an arena or Vec, which are not a Box).

I just want to avoid comments that lie to avoid rumors spreading.

[Zoxc]

I changed this comment.

[arielb1]

You could also only promote locals that are borrowed across a yield if you don't want to promote everything.

[Zoxc]

I'd need a liveness analysis which properly handles borrows then. I'm waiting on NLL before I do that. My plan is to have a pass which optimizes Storage* instructions based on NLL and then let the generator transformation only use the dataflow analysis on those instructions.

[arielb1]

not a tuple anymore.

[Zoxc]

Fixed.

[arielb1]

Maybe add a comment to the following effect:

The types in the generator interior contain lifetimes local to the generator itself, which should not be exposed outside of the generator. Therefore, we replace these lifetimes with existentially-bound lifetimes, which reflect the exact value of the lifetimes not being known by users.

These lifetimes are used in auto trait impl checking (for example, if a Sync generator contains an &'α T, we need to check whether &'α T: Sync), so knowledge of the exact relationships between them isn't particularly important.

Note that lifetimes in the type of a local that is currently dead need not be alive. It's up to the generator to ensure that captured lifetimes that are actually used are alive.

[Zoxc]

Note that lifetimes in the type of a local that is currently dead need not be alive. It's up to the generator to ensure that captured lifetimes that are actually used are alive.

I'm not sure what you mean by this. I added your other paragraphs as comments.

[arielb1]

Can you add a test that static generators actually work - that you can yield *b and that it stays valid?

[Zoxc]

You could do yield *b in movable generator, given NLL. Did you mean I should use the reference after the yield so the test still works with NLL?

[arielb1]

That's one thing. Another thing is that you should have a test that actually runs the generator and asserts that the references have the same value between resumes, to quickly catch if some change horribly breaks immovable generator codegen.

[Zoxc]

I changed this test.

[arielb1]

Could you also add an rpass test for the "vexpr lifetime" case (aka #44197)?

[arielb1]

I also need to think of more tests to add here.

[Zoxc]

I added a test case for #44197.

[bors]

☔ The latest upstream changes (presumably #45381) made this pull request unmergeable. Please resolve the merge conflicts.

[carols10cents]

Triage ping @Zoxc -- looks like there are merge conflicts again and some test failures!

[Zoxc]

This PR is blocked on landing #44917.

[bors]

☔ The latest upstream changes (presumably #45072) made this pull request unmergeable. Please resolve the merge conflicts.

[bors]

☔ The latest upstream changes (presumably #45735) made this pull request unmergeable. Please resolve the merge conflicts.

[bors]

☔ The latest upstream changes (presumably #45944) made this pull request unmergeable. Please resolve the merge conflicts.

[kennytm]

triage: still blocked by #44917.

[nikomatsakis]

As an aside, It doesn't seem to me that creating a "static generator" has to be unsafe, but I don't mind that it is. Am I missing something though? That is, is it UB to create a static generator under some conditions (even if you never invoke next?).

I would have thought that the proof burden would be:

• Once you invoke next the first time,
• all further calls must use the same pointer.

[arielb1]

@nikomatsakis

In the generator's contents signature, all regions are replaced with bound regions. This means a generator type would be something of the form:

⊢ AutoTrait auto trait
⊢ ∀'a,'b. {Foo1<'a>, Foo2<'b>}: AutoTrait
----------------
⊢ Generator#1234<'x, 'y, T, may_contain=∃'a,'b. {Foo1<'a>, Foo2<'b>}, return_type=T): AutoTrait

Basically, the generator contains some of the interior times for some set of substituted lifetimes, so if an OIBITauto trait holds for every substitution of the lifetimes, then it holds for the generator.

Note that we lose all information about relations between the lifetimes - we might have had impl Sync for Foo1<'static>, and the generator might have only ever stored a Foo1<'static>, but we don't try to handle that. I think this should be not that bad in practice because the generator's contents only get used for proving auto traits, which should not have weird lifetime constraints.

[arielb1]

It doesn't seem to me that creating a "static generator" has to be unsafe,

ATM static generators use the "standard" safe Generator trait. This means that static generators, once created, are a safety hazard - moving them and calling resume again would cause UB.

The above is probably a bad idea - it is very easy to make an unsafe API using them - and we should create an new ImmovableGenerator trait with an unsafe resume method.

[nikomatsakis]

@arielb1 oh, I hadn't even looked at the trait part of this PR, I just assumed we would have an ImmobileGenerator trait =)

I think that's what we want, yeah.

[Zoxc]

Am I missing something though? That is, is it UB to create a static generator under some conditions (even if you never invoke next?).

It is always safe to create a generator.

I would have thought that the proof burden would be:

Once you invoke next the first time,
all further calls must use the same pointer.

You have to ensure that once you call resume the generator cannot move in memory. You cannot move it between resume calls.

[nikomatsakis]

It is always safe to create a generator.

By this I guess you mean a non-static generator?

You have to ensure that once you call resume the generator cannot move in memory. You cannot move it between resume calls.

Right, and for this reason I think that the resume method ought to be unsafe.

But I think we can tweak this in follow-up work. I'm pretty happy with this PR.

r=me once rebased.

[Zoxc]

@bors r=nikomatsakis

[bors]

📌 Commit 55c6c88 has been approved by nikomatsakis

[bors]

⌛ Testing commit 55c6c88 with merge fdecb05...

[bors]

☀️ Test successful - status-appveyor, status-travis
Approved by: nikomatsakis
Pushing fdecb05 to master...