-
Notifications
You must be signed in to change notification settings - Fork 12.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
consider assignments of union field of ManuallyDrop type safe #78068
Merged
Merged
Changes from all commits
Commits
Show all changes
7 commits
Select commit
Hold shift + click to select a range
3ac1df8
consider assignments of union field of ManuallyDrop type safe
RalfJung 64856e2
adjust union access unsafety check logic to take into account Deref a…
RalfJung 63bdb3a
improve formatting
RalfJung af309cc
needs -> might need
RalfJung df1c55a
add function to iterate through all sub-places, and add PlaceRef::ty
RalfJung 571da2c
refactor unsafety checking of places
RalfJung 0bb82c4
expand iter_projections comment
RalfJung File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -181,6 +181,9 @@ impl<'a, 'tcx> Visitor<'tcx> for UnsafetyChecker<'a, 'tcx> { | |
self.check_mut_borrowing_layout_constrained_field(*place, context.is_mutating_use()); | ||
} | ||
|
||
// Check for borrows to packed fields. | ||
// `is_disaligned` already traverses the place to consider all projections after the last | ||
// `Deref`, so this only needs to be called once at the top level. | ||
if context.is_borrow() { | ||
if util::is_disaligned(self.tcx, self.body, self.param_env, *place) { | ||
self.require_unsafe( | ||
|
@@ -190,87 +193,105 @@ impl<'a, 'tcx> Visitor<'tcx> for UnsafetyChecker<'a, 'tcx> { | |
} | ||
} | ||
|
||
for (i, elem) in place.projection.iter().enumerate() { | ||
let proj_base = &place.projection[..i]; | ||
if context.is_borrow() { | ||
if util::is_disaligned(self.tcx, self.body, self.param_env, *place) { | ||
// Some checks below need the extra metainfo of the local declaration. | ||
let decl = &self.body.local_decls[place.local]; | ||
|
||
// Check the base local: it might be an unsafe-to-access static. We only check derefs of the | ||
// temporary holding the static pointer to avoid duplicate errors | ||
// <https://github.com/rust-lang/rust/pull/78068#issuecomment-731753506>. | ||
if decl.internal && place.projection.first() == Some(&ProjectionElem::Deref) { | ||
// If the projection root is an artifical local that we introduced when | ||
// desugaring `static`, give a more specific error message | ||
// (avoid the general "raw pointer" clause below, that would only be confusing). | ||
if let Some(box LocalInfo::StaticRef { def_id, .. }) = decl.local_info { | ||
if self.tcx.is_mutable_static(def_id) { | ||
self.require_unsafe( | ||
UnsafetyViolationKind::BorrowPacked, | ||
UnsafetyViolationDetails::BorrowOfPackedField, | ||
UnsafetyViolationKind::General, | ||
UnsafetyViolationDetails::UseOfMutableStatic, | ||
); | ||
return; | ||
} else if self.tcx.is_foreign_item(def_id) { | ||
self.require_unsafe( | ||
UnsafetyViolationKind::General, | ||
UnsafetyViolationDetails::UseOfExternStatic, | ||
); | ||
return; | ||
} | ||
} | ||
let source_info = self.source_info; | ||
if let [] = proj_base { | ||
let decl = &self.body.local_decls[place.local]; | ||
if decl.internal { | ||
// If the projection root is an artifical local that we introduced when | ||
// desugaring `static`, give a more specific error message | ||
// (avoid the general "raw pointer" clause below, that would only be confusing). | ||
if let Some(box LocalInfo::StaticRef { def_id, .. }) = decl.local_info { | ||
if self.tcx.is_mutable_static(def_id) { | ||
self.require_unsafe( | ||
UnsafetyViolationKind::General, | ||
UnsafetyViolationDetails::UseOfMutableStatic, | ||
); | ||
return; | ||
} else if self.tcx.is_foreign_item(def_id) { | ||
self.require_unsafe( | ||
UnsafetyViolationKind::General, | ||
UnsafetyViolationDetails::UseOfExternStatic, | ||
); | ||
return; | ||
} | ||
} else { | ||
// Internal locals are used in the `move_val_init` desugaring. | ||
// We want to check unsafety against the source info of the | ||
// desugaring, rather than the source info of the RHS. | ||
self.source_info = self.body.local_decls[place.local].source_info; | ||
} | ||
} | ||
|
||
// Check for raw pointer `Deref`. | ||
for (base, proj) in place.iter_projections() { | ||
if proj == ProjectionElem::Deref { | ||
let source_info = self.source_info; // Backup source_info so we can restore it later. | ||
if base.projection.is_empty() && decl.internal { | ||
// Internal locals are used in the `move_val_init` desugaring. | ||
// We want to check unsafety against the source info of the | ||
// desugaring, rather than the source info of the RHS. | ||
self.source_info = self.body.local_decls[place.local].source_info; | ||
} | ||
let base_ty = base.ty(self.body, self.tcx).ty; | ||
if base_ty.is_unsafe_ptr() { | ||
self.require_unsafe( | ||
UnsafetyViolationKind::GeneralAndConstFn, | ||
UnsafetyViolationDetails::DerefOfRawPointer, | ||
) | ||
} | ||
self.source_info = source_info; // Restore backed-up source_info. | ||
} | ||
let base_ty = Place::ty_from(place.local, proj_base, self.body, self.tcx).ty; | ||
match base_ty.kind() { | ||
ty::RawPtr(..) => self.require_unsafe( | ||
UnsafetyViolationKind::GeneralAndConstFn, | ||
UnsafetyViolationDetails::DerefOfRawPointer, | ||
), | ||
ty::Adt(adt, _) => { | ||
if adt.is_union() { | ||
if context == PlaceContext::MutatingUse(MutatingUseContext::Store) | ||
|| context == PlaceContext::MutatingUse(MutatingUseContext::Drop) | ||
|| context == PlaceContext::MutatingUse(MutatingUseContext::AsmOutput) | ||
{ | ||
let elem_ty = match elem { | ||
ProjectionElem::Field(_, ty) => ty, | ||
_ => span_bug!( | ||
self.source_info.span, | ||
"non-field projection {:?} from union?", | ||
place | ||
), | ||
}; | ||
if !elem_ty.is_copy_modulo_regions( | ||
self.tcx.at(self.source_info.span), | ||
self.param_env, | ||
) { | ||
self.require_unsafe( | ||
UnsafetyViolationKind::GeneralAndConstFn, | ||
UnsafetyViolationDetails::AssignToNonCopyUnionField, | ||
) | ||
} else { | ||
// write to non-move union, safe | ||
} | ||
} else { | ||
self.require_unsafe( | ||
UnsafetyViolationKind::GeneralAndConstFn, | ||
UnsafetyViolationDetails::AccessToUnionField, | ||
) | ||
} | ||
} | ||
|
||
// Check for union fields. For this we traverse right-to-left, as the last `Deref` changes | ||
// whether we *read* the union field or potentially *write* to it (if this place is being assigned to). | ||
let mut saw_deref = false; | ||
for (base, proj) in place.iter_projections().rev() { | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. ah, cute, I missed that this was a double-ended iterator at first and wondered how you were going to manage this |
||
if proj == ProjectionElem::Deref { | ||
saw_deref = true; | ||
continue; | ||
} | ||
|
||
let base_ty = base.ty(self.body, self.tcx).ty; | ||
if base_ty.ty_adt_def().map_or(false, |adt| adt.is_union()) { | ||
// If we did not hit a `Deref` yet and the overall place use is an assignment, the | ||
// rules are different. | ||
let assign_to_field = !saw_deref | ||
&& matches!( | ||
context, | ||
PlaceContext::MutatingUse( | ||
MutatingUseContext::Store | ||
| MutatingUseContext::Drop | ||
| MutatingUseContext::AsmOutput | ||
) | ||
); | ||
// If this is just an assignment, determine if the assigned type needs dropping. | ||
if assign_to_field { | ||
// We have to check the actual type of the assignment, as that determines if the | ||
// old value is being dropped. | ||
let assigned_ty = place.ty(&self.body.local_decls, self.tcx).ty; | ||
// To avoid semver hazard, we only consider `Copy` and `ManuallyDrop` non-dropping. | ||
let manually_drop = assigned_ty | ||
.ty_adt_def() | ||
.map_or(false, |adt_def| adt_def.is_manually_drop()); | ||
let nodrop = manually_drop | ||
|| assigned_ty.is_copy_modulo_regions( | ||
self.tcx.at(self.source_info.span), | ||
self.param_env, | ||
); | ||
if !nodrop { | ||
self.require_unsafe( | ||
UnsafetyViolationKind::GeneralAndConstFn, | ||
UnsafetyViolationDetails::AssignToDroppingUnionField, | ||
); | ||
} else { | ||
// write to non-drop union field, safe | ||
} | ||
} else { | ||
self.require_unsafe( | ||
UnsafetyViolationKind::GeneralAndConstFn, | ||
UnsafetyViolationDetails::AccessToUnionField, | ||
) | ||
} | ||
_ => {} | ||
} | ||
self.source_info = source_info; | ||
} | ||
} | ||
} | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it would be useful to give an example based on Rust code. For example:
Given the place
a.b.c
, this would yield:(a, b)
(a.b, c)
I am a bit surprised by this structure -- I guess I expected it to return
a
,a.b
, anda.b.c
, rather than a tuple, and to have people match on the "tail" projection (if any). But I guess this is ok too.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I expanded the comment.
I first thought of something like this, but it doesn't really match what clients need, at least what this particular client needs. The point is to check the projections, so the iterator really should yield as often as there are projections. And given that it also seemed odd to not make the projection itself directly available.
In a follow-up PR I hope to port more clients to this API, I guess then we will see how generally useful it is.