implied bounds from associated types may not actually get implied pt 2. #98543
Labels
A-associated-items
Area: Associated items (types, constants & functions)
A-implied-bounds
Area: Implied bounds / inferred outlives-bounds
C-bug
Category: This is a bug.
I-unsound
Issue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/Soundness
P-high
High priority
T-types
Relevant to the types team, which will review and decide on the PR/issue.
Comments
lcnr
added
C-bug
rustbot
added
the
I-prioritize
lcnr
added
A-associated-items
|
Unlike #91068, these code examples compile “successfully” all the way since Rust 1.7.0. |
|
WG-prioritization assigning priority (Zulip discussion). @rustbot label -I-prioritize +P-high |
rustbot
added
P-high
|
while this currently does not work, we should also add a test for something like this. If we get stronger implied bounds, simply requiring the caller to prove wf for all projection components won't be enough anymore #![feature(generic_associated_types)]
trait Trait<'a> {
type Type
where
Self: 'a;
}
impl<'a, T> Trait<'a> for T {
type Type = ()
where
Self: 'a; // once this bound gets implied, we have UB again
}
fn f<'a, 'b>(s: &'b str, _: <&'b () as Trait<'a>>::Type) -> &'a str
where
&'b (): Trait<'a>, // <- adding this bound is the change from #91068
{
s
}
fn main() {
let x = String::from("Hello World!");
let y = f(&x, ());
drop(x);
println!("{}", y);
}trait Trait<'a>: 'a {
type Type;
}
impl<'a, T> Trait<'a> for T
where
T: 'a // if this bound get's implied we would probably get ub here again
{
type Type = ();
}
fn f<'a, 'b>(s: &'b str, _: <&'b () as Trait<'a>>::Type) -> &'a str
where
&'b (): Trait<'a>, // <- adding this bound is the change from #91068
{
s
}
fn main() {
let x = String::from("Hello World!");
let y = f(&x, ());
drop(x);
println!("{}", y);
} |
|
There's a PR open that fixes this. |
jackh726
removed
the
I-types-nominated
bors
added a commit
to rust-lang-ci/rust
that referenced
this issue
Aug 9, 2022
consider unnormalized types for implied bounds extracted, and slightly modified, from rust-lang#98900 The idea here is that generally, rustc is split into things which can assume its inputs are well formed[^1], and things which have verify that themselves. Generally most predicates should only deal with well formed inputs, e.g. a `&'a &'b (): Trait` predicate should be able to assume that `'b: 'a` holds. Normalization can loosen wf requirements (see rust-lang#91068) and must therefore not be used in places which still have to check well formedness. The only such place should hopefully be `WellFormed` predicates fixes rust-lang#87748 and rust-lang#98543 r? `@jackh726` cc `@rust-lang/types` [^1]: These places may still encounter non-wf inputs and have to deal with them without causing an ICE as we may check for well formedness out of order.
|
fixed by #99217 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
revives #91068 which has been fixed by only considering implied bounds from projections if they don't normalize while typechecking the function itself
rust/compiler/rustc_borrowck/src/type_check/free_region_relations.rs
Lines 256 to 289 in 7125846
This does not mean that the projection won't normalize when getting called:
The added bound prevents
<&'a &'b () as Trait>::Typefrom getting normalized while borrowcheckingf, as we prefer param candidates over impl candidates. When callingf, we don't have the&'a &'b (): Traitin ourparam_env, so we can now freely use the impl candidate to normalize the projection. The caller therefore doesn't have to prove that&'a &'b ()is well formed, causing unsoundness.I am a bit surprised that the caller doesn't have to prove that the
&'a &'b (): Traitobligation is well formed, which would cause this example to not be unsound. It doesn't remove the general unsoundness here though. Here's an alternative test where that isn't enough:The text was updated successfully, but these errors were encountered: