Forbid freely casting lifetime bounds of dyn-types #136776
Conversation
rustbot
added
S-waiting-on-review
|
@bors try |
…, r=<try> [WIP] Forbid object lifetime changing pointer casts Fixes rust-lang#136702 r? `@ghost`
|
☀️ Try build successful - checks-actions |
|
@craterbot check |
|
👌 Experiment ℹ️ Crater is a tool to run experiments across parts of the Rust ecosystem. Learn more |
craterbot
added
S-waiting-on-crater
|
🚧 Experiment ℹ️ Crater is a tool to run experiments across parts of the Rust ecosystem. Learn more |
|
🎉 Experiment
|
craterbot
added
S-waiting-on-review
|
Most of these are on github; in terms of crates.io regressions all we have is:
Overall, 142 regressions are caused by EDIT: Ah, there's also |
traviscross
added
the
I-lang-nominated
|
We discussed this in the lang triage call today. We wanted to think more about it, so we're leaving it nominated to discuss again. |
|
@BoxyUwU Do you think it would be possible to implement this as an FCW? We talked about this in lang triage today and would prefer to start with that if we can. If it's not feasible, a hard error can also work (I would say though that we should upstream PRs to any crates we break). Another small thing I noticed is that the error message links to the Nomicon section on variance, but it would be ideal to link to a tracking issue or something describing this issue in particular. |
|
To add on to what tmandry, said, in our discussions we did feel that the approach taken in this PR is generally the right way forward, and we're happy to see this progress so as to help clear the way for cc @rust-lang/lang |
|
@tmandry I do expect it to be possible to FCW this. We can likely do something hacky around to fully emulate the fix (but as a lint), but if that doesn't work out all the regression we found were relatively "simple" cases that can probably be taken advantage of (if need be) to lint a subset of the actual cases we'd break with this PR edit: see compiler-errors' comment, I'm not so convinced this will be possible to FCW anymore and will likely investigate improving the diagnostics here. I've already filed PRs to the affected crates to migrate them over to a transmute to avoid the breakage if this lands |
|
I was thinking earlier that it may be possible to implement a lint to detect, but it seems to me that MIR borrowck is not equipped to implement such a lint. Specifically, it seems near impossible to answer whether a region outlives constraint (like, To fix this would require some significant engineering effort to refactor how NLL processes its region graph to make it easier to clone and reprocess with new constraints. |
…uto_to_object-hard-error, r=oli-obk Make `ptr_cast_add_auto_to_object` lint into hard error In Rust 1.81, we added a FCW lint (including linting in dependencies) against pointer casts that add an auto trait to dyn bounds. This was part of work making casts of pointers involving trait objects stricter, and was part of the work needed to restabilize trait upcasting. We considered just making this a hard error, but opted against it at that time due to breakage found by crater. This breakage was mostly due to the `anymap` crate which has been a persistent problem for us. It's now a year later, and the fact that this is not yet a hard error is giving us pause about stabilizing arbitrary self types and `derive(CoercePointee)`. So let's see about making a hard error of this. r? ghost cc `@adetaylor` `@Darksonn` `@BoxyUwU` `@RalfJung` `@compiler-errors` `@oli-obk` `@WaffleLapkin` Related: - rust-lang#135881 - rust-lang#136702 - rust-lang#136776 Tracking: - rust-lang#127323 - rust-lang#44874 - rust-lang#123430
…uto_to_object-hard-error, r=oli-obk Make `ptr_cast_add_auto_to_object` lint into hard error In Rust 1.81, we added a FCW lint (including linting in dependencies) against pointer casts that add an auto trait to dyn bounds. This was part of work making casts of pointers involving trait objects stricter, and was part of the work needed to restabilize trait upcasting. We considered just making this a hard error, but opted against it at that time due to breakage found by crater. This breakage was mostly due to the `anymap` crate which has been a persistent problem for us. It's now a year later, and the fact that this is not yet a hard error is giving us pause about stabilizing arbitrary self types and `derive(CoercePointee)`. So let's see about making a hard error of this. r? ghost cc ``@adetaylor`` ``@Darksonn`` ``@BoxyUwU`` ``@RalfJung`` ``@compiler-errors`` ``@oli-obk`` ``@WaffleLapkin`` Related: - rust-lang#135881 - rust-lang#136702 - rust-lang#136776 Tracking: - rust-lang#127323 - rust-lang#44874 - rust-lang#123430
…uto_to_object-hard-error, r=oli-obk Make `ptr_cast_add_auto_to_object` lint into hard error In Rust 1.81, we added a FCW lint (including linting in dependencies) against pointer casts that add an auto trait to dyn bounds. This was part of work making casts of pointers involving trait objects stricter, and was part of the work needed to restabilize trait upcasting. We considered just making this a hard error, but opted against it at that time due to breakage found by crater. This breakage was mostly due to the `anymap` crate which has been a persistent problem for us. It's now a year later, and the fact that this is not yet a hard error is giving us pause about stabilizing arbitrary self types and `derive(CoercePointee)`. So let's see about making a hard error of this. r? ghost cc ```@adetaylor``` ```@Darksonn``` ```@BoxyUwU``` ```@RalfJung``` ```@compiler-errors``` ```@oli-obk``` ```@WaffleLapkin``` Related: - rust-lang#135881 - rust-lang#136702 - rust-lang#136776 Tracking: - rust-lang#127323 - rust-lang#44874 - rust-lang#123430
BoxyUwU
force-pushed
the
forbid_object_lifetime_casts
branch
from
cfa1e3a to
ccf0f1e
Compare
This comment has been minimized.
This comment has been minimized.
BoxyUwU
force-pushed
the
forbid_object_lifetime_casts
branch
from
ccf0f1e to
1ba8d9d
Compare
This comment has been minimized.
This comment has been minimized.
BoxyUwU
force-pushed
the
forbid_object_lifetime_casts
branch
from
1ba8d9d to
2209f3e
Compare
BoxyUwU
changed the title
|
r? lcnr |
|
@rfcbot resolve needs FCP proposal |
|
☔ The latest upstream changes (presumably #145844) made this pull request unmergeable. Please resolve the merge conflicts. |
|
Chatting about this with @BoxyUwU, I've now got the following thoughts here, any inaccuracies are my own :3 There are generally 2 things you can do with trait objects which depend on their vtable:
We already require wide pointers to be valid for upcasting on stable, they have to be upcast safe. This means raw pointer casts must not change the const and type arguments of trait objects. We don't yet require raw pointers to be dispatch safe but want to do so in this FCP. This requires forbidding the addition of auto traits (already stable), changing lifetimes of the trait object (already stable), and changing the lifetime bound of the trait object (this FCP). Why require raw pointers to be dispatch safeIf we require raw pointers to be dispatch safe we don't need separate notions of upcast safety and dispatch safety, so that's nice. I doubt we'd decide to remove upcast safety requirements by now.
Why not have that requirementIt feels weird :3 I want to be able to go "I actually know the underlying value outlives some specific lifetime and should be able to use an ordinary cast for this". E.g. playground. We could instead make the impl of My personal vibeI am personally still unsure what to prefer, but would have ideally had exactly this decision while we've stabilized trait upcasting as this decision is influenced by the fact that pointers already have to be upcast safe. With this, requiring them to be dispatch safe as well seems reasonable enough. I think changing MIR borrowck to support forward compat warnings like this would be desirable, but a significant effort the first time we do it. So I think landing this without one is fine. @rfcbot reviewed |
|
@lcnr I pretty much agree with that. Here's how I would characterize it: The safety requirement of a
Trait upcasting moved from 1 to 2. This FCP moves from 2 to 3. |
lcnr
added
S-waiting-on-fcp
|
@rfcbot resolve can we do a FCW I get the impression that people don't seem too concerned about landing this without an FCW and I think it'll be a while before I can get around to looking into if we even can |
rust-rfcbot
added
final-comment-period
|
🔔 This is now entering its final comment period, as per the review above. 🔔 |
rust-rfcbot
added
finished-final-comment-period
|
The final comment period, with a disposition to merge, as per the review above, is now complete. As the automated representative of the governance process, I would like to thank the author for their work and everyone else who contributed. This will be merged soon. |
|
Given the breakage, I would try to merge this right after the next beta cutoff to have the full 6 weeks on nightly |
| { | ||
| diag.span_note( | ||
| constraint.span, | ||
| format!("raw pointer casts of trait objects do not cast away lifetimes"), |
There was a problem hiding this comment.
| format!("raw pointer casts of trait objects do not cast away lifetimes"), | |
| format!("raw pointer casts of trait objects must not extend lifetimes"), |
maybe? "cast away" sounds weird
| // Trait parameters are Invariant, the only part that actually has subtyping | ||
| // here is the lifetime bound of the dyn-type. | ||
| // | ||
| // For example in `dyn Trait<'a> + 'b <: dyn Trait<'c> + 'd` we would require | ||
| // that `'a == 'c` but only that `'b: 'd`. | ||
| // | ||
| // We must not allow freely casting lifetime bounds of dyn-types as it may allow | ||
| // for inaccessible VTable methods being callable: #136702 | ||
| // | ||
| // We don't enforce this for casts of principal-less dyn types as their VTables do | ||
| // not contain any functions with `Self: 'a` bounds that could start holding after | ||
| // a pointer cast. | ||
| // | ||
| // We also don't enforce this for casts of pointers to pointers to dyn types. E.g. | ||
| // `*mut *mut dyn Trait + 'a -> *mut *mut dyn Trait + 'static` is allowed. This is | ||
| // fine because there is no actual VTable in play. |
There was a problem hiding this comment.
| // Trait parameters are Invariant, the only part that actually has subtyping | |
| // here is the lifetime bound of the dyn-type. | |
| // | |
| // For example in `dyn Trait<'a> + 'b <: dyn Trait<'c> + 'd` we would require | |
| // that `'a == 'c` but only that `'b: 'd`. | |
| // | |
| // We must not allow freely casting lifetime bounds of dyn-types as it may allow | |
| // for inaccessible VTable methods being callable: #136702 | |
| // | |
| // We don't enforce this for casts of principal-less dyn types as their VTables do | |
| // not contain any functions with `Self: 'a` bounds that could start holding after | |
| // a pointer cast. | |
| // | |
| // We also don't enforce this for casts of pointers to pointers to dyn types. E.g. | |
| // `*mut *mut dyn Trait + 'a -> *mut *mut dyn Trait + 'static` is allowed. This is | |
| // fine because there is no actual VTable in play. | |
| // Trait parameters are invariant, the only part that actually has subtyping | |
| // here is the lifetime bound of the dyn-type. | |
| // | |
| // For example in `dyn Trait<'a> + 'b <: dyn Trait<'c> + 'd` we would require | |
| // that `'a == 'c` but only that `'b: 'd`. | |
| // | |
| // We must not allow freely casting lifetime bounds of dyn-types as it may allow | |
| // for inaccessible VTable methods being callable: #136702 | |
| // | |
| // We don't enforce this for casts of principal-less dyn types as their VTables do | |
| // not contain any functions with `Self: 'a` bounds that could start holding after | |
| // a pointer cast. | |
| // | |
| // We also don't enforce this for casts of pointers to pointers to dyn types. E.g. | |
| // `*mut *mut dyn Trait + 'a -> *mut *mut dyn Trait + 'static` is allowed. This is | |
| // fine because there is no actual VTable in play. |
There was a problem hiding this comment.
I feel like allowing this for principal-less trait objects is quite inconsistent :< what's the additional breakage when always checking this, even if there are only auto traits
There was a problem hiding this comment.
What is meant by "principal-less" here?
There was a problem hiding this comment.
There was a problem hiding this comment.
So this is about casting dyn Send + 'short to dyn Send + 'long? I'm not convinced there's any reason to have a special case in the language for that particular case.
There was a problem hiding this comment.
Allowing this behind a pointer indirection is also quite strange. Sure, *mut *mut dyn Trait + 'a has no vtable, but it points to a vtable, and after the cast we'll be using that vtable in a different way.
There was a problem hiding this comment.
I don't think the pointer indirection case is strange. That's just casting *mut A to *mut B for two different sized types A,B.
There was a problem hiding this comment.
Ah, fair, I forgot for a second that we allow arbitrary casts on raw pointers.^^
There was a problem hiding this comment.
I feel like allowing this for principal-less trait objects is quite inconsistent
I agree with u 🤔 I guess this would imply that we never have unconditional vtable methods that depend on lifetimes. E.g. sticking a type_id fn in all vtables like we do for size_of. I've no idea what the additional breakage is like. I can check this for auto-trait only dyn-types and do a second crater run (which will also detect any additional cases in the wild since the last one...)
20 participants
Fixes #136702
Reference PR:
Background reading about VTable calls/dyn compatibility: https://hackmd.io/zUp-sgZ0RFuFgsNfD4JqYw
This PR causes us to start enforcing that lifetimes of dyn types are constrained through pointer casts. Currently on stable casting
*mut dyn Trait + 'ato*mut dyn Trait + 'bpasses with no requirements on'aor'b. Under this PR we now require'ato outlive'b.Even though the pointee of
*mutpointers is considered to be invariant, we still use subtyping rather than equality. This mirrors how we support coercing&mut dyn Trait + 'ato&mut dyn Trait + 'bwhile requiring only'a: 'b. I believe this coercion is sound as there is no way for safe code tomem::swaptwodyn Trait's, and the same is definitely true of raw pointers.See the changes to this test: https://github.com/rust-lang/rust/pull/136776/files#diff-5523f20a800287a89c9f3e92646c887f3f7599be006b29dd9315f734a2137764
We also do not enforce any constraints on the lifetime of the dyn types if there are multiple pointer indirections. For example
*mut *mut dyn Trait + 'ais allowed to be casted to*mut *mut dyn Trait + 'bwith no requirements on'aor 'b`. This case is just a normal thin pointer cast where we do not care about the pointee type as there is no VTable in play.Test: https://github.com/rust-lang/rust/pull/136776/files#diff-3b6c8da342bb6530524158d686455a545bb8fd6f59cf5ff50d1d991ce74c9649
Finally, this is about any cast where the pointee is unsized with dyn-type metadata, not just literally the pointee type being a dyn-type. E.g. casting
*mut Wrapper<dyn Trait + 'a>to*mut Wrapper<dyn Trait + 'b>requires'a: 'bunder this PR.Test: https://github.com/rust-lang/rust/pull/136776/files#diff-ca0c44df62ae1ad1be70f892f01a59714336c7baf78602a5887ac1cf81145c96
Breakage
This is a breaking change.
Crater Report Comment: #136776 (comment)
Generated Report: https://crater-reports.s3.amazonaws.com/pr-136776/index.html
The majority of the breakage is caused by the
metricscrate with 142 of the regressions, and themaycrate with 14 of the regressions. Themetricscrate has been fixed and has backported the fix to previous versions of the crate that were also affected. Themaycrate has also been fixed.PRs against affected crates have been opened and can be seen here:
There were three regressions I've not filed PRs against:
r? @ghost