Empowering everyone to build reliable and efficient software.
Go to file
Matthias Krüger e903b29dc3
Rollup merge of #129021 - compiler-errors:ptr-cast-outlives, r=lcnr
Check WF of source type's signature on fn pointer cast

This PR patches the implied bounds holes slightly for #129005, #25860.

Like most implied bounds related unsoundness fixes, this isn't complete w.r.t. higher-ranked function signatures, but I believe it implements a pretty good heuristic for now.

### What does this do?

This PR makes a partial patch for a soundness hole in a `FnDef` -> `FnPtr` "reifying" pointer cast where we were never checking that the signature we are casting *from* is actually well-formed. Because of this, and because `FnDef` doesn't require its signature to be well-formed (just its predicates must hold), we are essentially allowed to "cast away" implied bounds that are assumed within the body of the `FnDef`:

```
fn foo<'a, 'b, T>(_: &'a &'b (), v: &'b T) -> &'a T { v }

fn bad<'short, T>(x: &'short T) -> &'static T {
    let f: fn(_, &'short T) -> &'static T = foo;
    f(&&(), x)
}
```

In this example, subtyping ends up casting the `_` type (which should be `&'static &'short ()`) to some other type that no longer serves as a "witness" to the lifetime relationship `'short: 'static` which would otherwise be required for this call to be WF. This happens regardless of if `foo`'s lifetimes are early- or late-bound.

This PR implements two checks:
1. We check that the signature of the `FnDef` is well-formed *before* casting it. This ensures that there is at least one point in the MIR where we ensure that the `FnDef`'s implied bounds are actually satisfied by the caller.
2. Implements a special case where if we're casting from a higher-ranked `FnDef` to a non-higher-ranked, we instantiate the binder of the `FnDef` with *infer vars* and ensure that it is a supertype of the target of the cast.

The (2.) is necessary to validate that these pointer casts are valid for higher-ranked `FnDef`. Otherwise, the example above would still pass even if `help`'s `'a` lifetime were late-bound.

### Further work

The WF checks for function calls are scattered all over the MIR. We check the WF of args in call terminators, we check the WF of `FnDef` when we create a `const` operand referencing it, and we check the WF of the return type in #115538, to name a few.

One way to make this a bit cleaner is to simply extend #115538 to always check that the signature is WF for `FnDef` types. I may do this as a follow-up, but I wanted to keep this simple since this leads to some pretty bad NLL diagnostics regressions, and AFAICT this solution is *complete enough*.

### Crater triage

Done here: https://github.com/rust-lang/rust/pull/129021#issuecomment-2297702647

r? lcnr
2024-09-06 07:33:56 +02:00
.github Update library/Cargo.toml in weekly job 2024-08-19 07:30:11 -05:00
compiler Rollup merge of #129021 - compiler-errors:ptr-cast-outlives, r=lcnr 2024-09-06 07:33:56 +02:00
library Auto merge of #129999 - matthiaskrgr:rollup-pzr9c8p, r=matthiaskrgr 2024-09-06 03:06:52 +00:00
LICENSES Include REUSE.toml in REUSE.toml. 2024-07-22 09:44:18 +01:00
src Auto merge of #129999 - matthiaskrgr:rollup-pzr9c8p, r=matthiaskrgr 2024-09-06 03:06:52 +00:00
tests Rollup merge of #129021 - compiler-errors:ptr-cast-outlives, r=lcnr 2024-09-06 07:33:56 +02:00
.clang-format Add .clang-format 2024-06-26 05:56:00 +08:00
.editorconfig Only use max_line_length = 100 for *.rs 2023-07-10 15:18:36 -07:00
.git-blame-ignore-revs Exclude the copy blessing from git blame 2024-08-18 16:09:03 -07:00
.gitattributes Rename config.toml.example to config.example.toml 2023-03-11 14:10:00 -08:00
.gitignore gitignore: ignore ICE reports regardless of directory 2024-08-25 14:19:05 +03:00
.gitmodules Update to LLVM 19 2024-07-30 10:22:48 +02:00
.ignore Add .ignore file to make config.toml searchable in vscode 2024-06-24 10:15:16 +02:00
.mailmap Rollup merge of #129906 - BoxyUwU:boxy_mailmap, r=lqd 2024-09-02 22:35:23 +02:00
Cargo.lock Rollup merge of #101339 - the8472:ci-randomize-debug, r=Mark-Simulacrum 2024-09-05 03:47:39 +02:00
Cargo.toml Switch to using the v2 resolver in most workspaces 2024-08-18 13:59:09 -05:00
CODE_OF_CONDUCT.md Remove the code of conduct; instead link https://www.rust-lang.org/conduct.html 2019-10-05 22:55:19 +02:00
config.example.toml Rollup merge of #101339 - the8472:ci-randomize-debug, r=Mark-Simulacrum 2024-09-05 03:47:39 +02:00
configure Ensure ./configure works when configure.py path contains spaces 2024-02-16 18:57:22 +00:00
CONTRIBUTING.md fix: Update CONTRIBUTING.md recommend -> recommended 2023-11-16 23:57:09 +05:30
COPYRIGHT Update COPYRIGHT file 2022-10-30 10:23:14 -04:00
INSTALL.md Rollup merge of #127434 - onur-ozkan:use-bootstrap-instead-of-rustbuild, r=Mark-Simulacrum 2024-07-13 20:19:45 -07:00
LICENSE-APACHE Remove appendix from LICENCE-APACHE 2019-12-30 14:25:53 +00:00
LICENSE-MIT LICENSE-MIT: Remove inaccurate (misattributed) copyright notice 2017-07-26 16:51:58 -07:00
README.md Use SVG logos in the README.md. 2024-04-03 19:48:20 +02:00
RELEASES.md Rollup merge of #129944 - Mark-Simulacrum:relnotes-tweak, r=pietroalbini 2024-09-05 19:43:50 +02:00
REUSE.toml REUSE.toml: Copyright text isn't parsed as Markdown. 2024-08-06 11:04:55 +01:00
rust-bors.toml Increase timeout for new bors bot 2024-03-13 08:31:07 +01:00
rustfmt.toml Auto merge of #128083 - Mark-Simulacrum:bump-bootstrap, r=albertlarsan68 2024-07-30 17:49:08 +00:00
triagebot.toml Temporarily remove fmease from the review rotation 2024-09-04 11:43:38 +02:00
x Make x capable of resolving symlinks 2023-10-14 17:53:33 +03:00
x.ps1 use & instead of start-process in x.ps1 2023-12-09 09:46:16 -05:00
x.py Fix recent python linting errors 2023-08-02 04:40:28 -04:00

This is the main source code repository for Rust. It contains the compiler, standard library, and documentation.

Why Rust?

  • Performance: Fast and memory-efficient, suitable for critical services, embedded devices, and easily integrate with other languages.

  • Reliability: Our rich type system and ownership model ensure memory and thread safety, reducing bugs at compile-time.

  • Productivity: Comprehensive documentation, a compiler committed to providing great diagnostics, and advanced tooling including package manager and build tool (Cargo), auto-formatter (rustfmt), linter (Clippy) and editor support (rust-analyzer).

Quick Start

Read "Installation" from The Book.

Installing from Source

If you really want to install from source (though this is not recommended), see INSTALL.md.

Getting Help

See https://www.rust-lang.org/community for a list of chat platforms and forums.

Contributing

See CONTRIBUTING.md.

License

Rust is primarily distributed under the terms of both the MIT license and the Apache License (Version 2.0), with portions covered by various BSD-like licenses.

See LICENSE-APACHE, LICENSE-MIT, and COPYRIGHT for details.

Trademark

The Rust Foundation owns and protects the Rust and Cargo trademarks and logos (the "Rust Trademarks").

If you want to use these names or brands, please read the media guide.

Third-party logos may be subject to third-party copyrights and trademarks. See Licenses for details.