unchecked region constraints for opaque types in dead code

[lcnr]

edit: while this tests currently results in an error, the underying issue still exists #112417 (comment)

trait CallMeMaybe<'a, 'b> {
    fn mk() -> Self;
    fn subtype<T>(self, x: &'b T) -> &'a T;
}

struct Foo<'a, 'b: 'a>(&'a (), &'b ());
impl<'a, 'b> CallMeMaybe<'a, 'b> for Foo<'a, 'b> {
    fn mk() -> Self {
        Foo(&(), &())
    }

    fn subtype<T>(self, x: &'b T) -> &'a T {
        x
    }
}

// `foo` must not compile but does.
fn foo<'a, 'b>() -> impl CallMeMaybe<'a, 'b> {
    panic!();
    Foo(&(), &())
}

// The rest is only to exploit that unsoundness.
trait Func {
    type RetTy;
}
impl<F: FnOnce() -> R, R> Func for F {
    type RetTy = R;
}

fn subtype<'a, 'b, F: FnOnce() -> R, R: CallMeMaybe<'a, 'b>, T>(_: F, x: &'b T) -> &'a T {
    let proof = R::mk();
    proof.subtype(x)
}

fn main() {
    let y = subtype(foo, &String::from("Hello World"));
    println!("{y}"); // use after free
}

With the current implementation foo only defines the opaque type during HIR typeck and not in MIR typeck as the defining use is in dead code. HIR typeck does not check regions so we use erased regions instead. This hidden type with erased regions is then used as the actual hidden type of the RPIT because there is no hidden type defined by MIR typeck.

We then never check that the RPIT is well-formed outside of HIR typeck itself, so we never check that the region constraints hold for the opaque type.

[lcnr]

this unsoundness seems to not work for TAIT:

#![feature(type_alias_impl_trait)]

trait CallMeMaybe<'a, 'b> {
    fn mk() -> Self;
    fn subtype<T>(self, x: &'b T) -> &'a T;
}

struct Foo<'a, 'b: 'a>(&'a (), &'b ());
impl<'a, 'b> CallMeMaybe<'a, 'b> for Foo<'a, 'b> {
    fn mk() -> Self {
        Foo(&(), &())
    }

    fn subtype<T>(self, x: &'b T) -> &'a T {
        x
    }
}

type Alias<'a, 'b> = impl CallMeMaybe<'a, 'b>;
fn foo<'a, 'b>() -> Alias<'a, 'b> {
    panic!();
    Foo(&(), &())
}


fn subtype<'a, 'b, T>(x: &'b T) -> &'a T {
    let proof = Alias::mk();
    proof.subtype(x)
}

fn main() {
    let y = subtype(&String::from("Hello World"));
    println!("{y}");
}

instead results in

error: unconstrained opaque type
  --> src/main.rs:19:22
   |
19 | type Alias<'a, 'b> = impl CallMeMaybe<'a, 'b>;
   |                      ^^^^^^^^^^^^^^^^^^^^^^^^
   |
   = note: `Alias` must be used in combination with a concrete type within the same module

[apiraino]

WG-prioritization assigning priority (Zulip discussion).

@rustbot label -I-prioritize +P-high

[lqd]

Regression in nightly-2022-03-31:

• Auto merge of Rollup of 4 pull requests #95448 - Dylan-DPC:rollup-wpj5yto, r=Dylan-DPC
• Auto merge of update miri #95455 - RalfJung:miri, r=RalfJung
• Auto merge of Lazy type-alias-impl-trait take two #94081 - oli-obk:lazy_tait_take_two, r=nikomatsakis
• Auto merge of Rollup of 5 pull requests #95466 - Dylan-DPC:rollup-g7ddr8y, r=Dylan-DPC
• Auto merge of Strict Provenance MVP #95241 - Gankra:cleaned-provenance, r=workingjubilee
• Auto merge of allow arbitrary inherent impls for builtin types in core #94963 - lcnr:inherent-impls-std, r=oli-obk,m-ou-se
• Auto merge of Sync rustfmt subtree #95458 - calebcartwright:sync-rustfmt-subtree, r=calebcartwright
• Auto merge of Yet more parse_tt improvements #95425 - nnethercote:yet-more-parse_tt-improvements, r=petrochenkov

#94081 looks like a juicy target.

[Jules-Bertholet]

The OP example doesn't reproduce on the Playground (https://play.rust-lang.org/?version=nightly&mode=debug&edition=2021&gist=d0a7fd2fc4abe6e4ec732c1b6a28bf71). bisect-rustc says 09bc67b

[lcnr]

the underlying issue still exists: https://rust.godbolt.org/z/qK375cseW it seems to get covered by some changes when checking that opaque types are well-formed though. We should not have 'erased here. DOwngrading to P-medium however.