-
Notifications
You must be signed in to change notification settings - Fork 12.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Initializing a zero-length array leaks the initializer #74836
Comments
Minimized: struct A;
impl Drop for A {
fn drop(&mut self) {
println!("Dropping A");
}
}
fn main() {
let a = A;
let _ = [a; 0];
} |
Marked as p-low as per the discussion |
This is a really weird corner case. If we modify the example slightly: struct A;
impl Drop for A {
fn drop(&mut self) {
println!("Dropping A");
}
}
fn foo() -> [A; 0] {
let a = A;
[a; 0]
}
fn main() {
foo();
} them |
Regardless of what we end up doing, I think we should add a lint for this kind of scenario, as I think whatever behavior we use is going to be surprising. |
Currently, writing a zero-length array repeat expression (e.g. `[String::new(); 0]`) will cause the initializer value to be leaked. See rust-lang#74836 for more details There are three ways that we could potentially handle this case: 1. Run the destructor immediately after 'constructing' the zero-length array. 2. Run the destructor when the initializer value would otherwise be dropped (i.e. at the end of the lexical scope) 3. Keep the current behavior and continue to leak to the initializer Note that the 'obvious' choice (running the destructor when the array is dropped) does not work, since a zero-length array does not actually store the value we want to drop. All of these options seem likely to be surprising and inconsistent to users. Since any fully monomorphic constant can be used as the repeat length, this has the potential to cause confusing 'action at a distance' (e.g. changing a `const` from 0 to 1 results in drop order changing). Regardless of which option we decide on, we should tell users to use an empty array (`[]`) instead. This commit adds a new lint ZERO_REPEAT_WITH_DROP, which fires when a type that (potentially) has a destructor is used in a zero-length array repeat expression. If a type has no drop glue, we skip linting, since dropping it has no user-visible side effects. If we do not know if a type has drop glue (e.g. `Option<T>`), we lint anyway, since some choice of generic arguments could trigger the strange drop behavior. If the length const expression is not fully monomorphic (e.g. contains a generic parameter), the compiler requires the type used in the repeat expression to be `Copy`. Therefore, we don't need to lint in this case, since a `Copy` type can never have drop glue.
I would not expect a destructor to run when fn foo() -> [A; 0] {
let a = A;
<[A; 0]>::new(a)
} When the array length is zero the repeating array "constructor" happens not to use the repeated value so it should be responsible for dropping it. |
Agreed. Dropping should happen at the location of I am not sure a lint is the right solution here? If we want to change MIR building (this looks like a clear bug to me), I do not see what a lint would achieve. |
Hm, why does this even build? Usually array initializers only work for Is there a special case for when the array length is <= 1? I guess then we also need a special case during drop elaboration (or so) for when the array length is exactly 0? Cc @matthewjasper @nikomatsakis (not sure who else to ping for MIR stuff) |
Yup, it appears that |
I looked into fixing this by teaching parts of compiler that perform move based reasoning about special status of Though, maybe that particular case of repeat should be lowered differently when building MIR so that it can be treated more uniformly later on? |
@tmiasko thanks for looking into this! Once we are past drop elaboration, no special cases should be needed any more. But I am not sure how early/late in the pipeline that happens. Your list is somewhat concerning though, this sounds like it'd be very easy to miss a place and introduce a subtle bug. OTOH, we cannot really use different MIR for this -- with const generics, |
To give a little more context to earlier comment, consider a MIR that before the drop elaboration looks as follows: _0 = [move _1; 0];
drop(_1) -> bb2; Currently, the local |
I wonder if it would be simpler to modify the THIR -> MIR lowering to treat |
Yeah, I wondered the same -- so this sounds like a promising idea.
That cannot work; for |
I wondered about that too. So far I noticed that it would require additional changes to take into account lifetime extension / promotion, as direct implementation would allow: fn main() {
let _: &'static [String; 0] = &[String::new(); 0];
} |
Ah, interesting. We could probably allow this if we really wanted, or we could use a slightly different desugaring such as |
Shouldn't this be https://play.rust-lang.org/?version=stable&mode=debug&edition=2018&gist=aa5afcbb47e59595dc6ced846671c47f |
Acknowledge that `[CONST; N]` is stable When `const_in_array_repeat_expressions` (RFC 2203) got unstably implemented as part of rust-lang#61749, accidentally, the special case of repeating a *constant* got stabilized immediately. That is why the following code works on stable: ```rust const EMPTY: Vec<i32> = Vec::new(); pub const fn bar() -> [Vec<i32>; 2] { [EMPTY; 2] } fn main() { let x = bar(); } ``` In contrast, if we had written `[expr; 2]` for some expression that is not *literally* a constant but could be evaluated at compile-time (e.g. `(EMPTY,).0`), this would have failed. We could take back this stabilization as it was clearly accidental. However, I propose we instead just officially accept this and stabilize a small subset of RFC 2203, while leaving the more complex case of general expressions that could be evaluated at compile-time unstable. Making that case work well is pretty much blocked on inline `const` expressions (to avoid relying too much on [implicit promotion](https://github.com/rust-lang/const-eval/blob/master/promotion.md)), so it could take a bit until it comes to full fruition. `[CONST; N]` is an uncontroversial subset of this feature that has no semantic ambiguities, does not rely on promotion, and basically provides the full expressive power of RFC 2203 but without the convenience (people have to define constants to repeat them, possibly using associated consts if generics are involved). Well, I said "no semantic ambiguities", that is only almost true... the one point I am not sure about is `[CONST; 0]`. There are two possible behaviors here: either this is equivalent to `let x = CONST; [x; 0]`, or it is a NOP (if we argue that the constant is never actually instantiated). The difference between the two is that if `CONST` has a destructor, it should run in the former case (but currently doesn't, due to rust-lang#74836); but should not run if it is considered a NOP. For regular `[x; 0]` there seems to be consensus on running drop (there isn't really an alternative); any opinions for the `CONST` special case? Should this instantiate the const only to immediately run its destructors? That seems somewhat silly to me. After all, the `let`-expansion does *not* work in general, for `N > 1`. Cc `@rust-lang/lang` `@rust-lang/wg-const-eval` Cc rust-lang#49147
Is a |
The This issue is about |
I’m unfamiliar with the compiler-internal mechanisms that are relevant here. From a user-perspective, the situation is – in my opinion – as follows
My personal conclusion would be to entirely remove the special capabilities of In order to avoid breakage, one could
|
Modify MIR building to drop repeat expressions with length zero Closes rust-lang#74836 . Previously, when a user wrote `[foo; 0]` we used to simply leak `foo`. The goal is to fix that. This PR changes MIR building to make `[foo; 0]` equivalent to `{ drop(foo); [] }` in all cases. Of course, this is a breaking change (see below). A crater run did not indicate any regressions though, and given that the previous behavior was almost definitely not what any user wanted, it seems unlikely that anyone was relying on this. Note that const generics are in general unaffected by this. Inserting the extra `drop` is only meaningful/necessary when `foo` is of a non-`Copy` type, and array repeat expressions with const generic repetition count must always be `Copy`. Besides the obvious change to behavior associated with the additional drop, there are three categories of examples where this also changes observable behavior. In all of these cases, the new behavior is consistent with what you would get by replacing `[foo; 0]` with `{ drop(foo); [] }`. As such, none of these give the user new powers to express more things. **No longer allowed in const (breaking)**: ```rust const _: [String; 0] = [String::new(); 0]; ``` This compiles on stable today. Because we now introduce the drop of `String`, this no longer compiles as `String` may not be dropped in a const context. **Reduced dataflow (non-breaking)**: ```rust let mut x: i32 = 0; let r = &x; let a = [r; 0]; x = 5; let _b = a; ``` Borrowck rejects this code on stable because it believes there is dataflow between `a` and `r`, and so the lifetime of `r` has to extend to the last statement. This change removes the dataflow and the above code is allowed to compile. **More const promotion (non-breaking)**: ```rust let _v: &'static [String; 0] = &[String::new(); 0]; ``` This does not compile today because `String` having drop glue keeps it from being const promoted (despite that drop glue never being executed). After this change, this is allowed to compile. ### Alternatives A previous attempt at this tried to reduce breakage by various tricks. This is still a possibility, but given that crater showed no regressions it seems unclear why we would want to introduce this complexity. Disallowing `[foo; 0]` completely is also an option, but obviously this is more of a breaking change. I do not know how often this is actually used though. r? `@oli-obk`
If this is closed, the warning update on this page might be outdated : https://doc.rust-lang.org/reference/expressions/array-expr.html |
This bug was reported on StackOverflow today. Filipe Rodrigues noticed that the initializer of a zero-length array is leaked:
The code above does not run
drop()
fora
, while I'd expect that it should. According to a comment by @mcarton, this regression occurred between Rust 1.11.0 and 1.12.0, i.e. when MIR code generation was enabled by default.The text was updated successfully, but these errors were encountered: