Skip to content

Converting "&'a &'b T" to "&'a T" in the presence of non-lexical lifetimes can be unsound #48803

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
exists-forall opened this issue Mar 7, 2018 · 3 comments
Closed

Converting "&'a &'b T" to "&'a T" in the presence of non-lexical lifetimes can be unsound #48803

exists-forall opened this issue Mar 7, 2018 · 3 comments
Assignees
@spastorino
Labels
A-borrow-checker Area: The borrow checker A-NLL Area: Non-lexical lifetimes (NLL) C-bug Category: This is a bug. I-unsound Issue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/Soundness NLL-sound Working towards the "invalid code does not compile" goal T-compiler Relevant to the compiler team, which will review and decide on the PR/issue.

Comments

@exists-forall
Copy link

The following snippet should be rejected for allowing a value to be mutated while it is borrowed, but it is accepted on nightly when non-lexical lifetimes are enabled (playground):

#![feature(nll)]

fn flatten<'a, 'b, T>(x: &'a &'b T) -> &'a T {
    x
}

fn main() {
    let mut x = "original";
    let y = &x;
    let z = &y;
    let w = flatten(z);
    x = "modified";
    println!("{}", w); // prints "modified"
}
@Centril Centril added A-borrow-checker Area: The borrow checker T-compiler Relevant to the compiler team, which will review and decide on the PR/issue. I-unsound Issue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/Soundness A-NLL Area: Non-lexical lifetimes (NLL) C-bug Category: This is a bug. WG-compiler-nll labels Mar 7, 2018
@nikomatsakis nikomatsakis added the NLL-sound Working towards the "invalid code does not compile" goal label Mar 14, 2018
@pnkfelix
Copy link
Member

pnkfelix commented Apr 3, 2018

(assigning to @nikomatsakis to write up mentoring instructions, or potentially fix outright)

@nikomatsakis
Copy link
Contributor

I discussed the problem with @spastorino in gitter the other day:

https://gitter.im/rust-impl-period/WG-compiler-nll?at=5ace0ee101a2b40f382ead12

@nikomatsakis
Copy link
Contributor

As I pointed out in gitter, this is the point where we instantiate the late-bound regions in the signature:

rust/src/librustc_mir/borrow_check/nll/type_check/mod.rs

Lines 890 to 895 in ca26ef3

let (sig, map) = self.infcx.replace_late_bound_regions_with_fresh_var(
term.source_info.span,
LateBoundRegionConversionTime::FnCall,
&sig,
);
let sig = self.normalize(&sig, term_location);

That variable sig will be a FnSig. Much like the AST-based type checker code, we need to iterate through the inputs and prove their types are well-formed. I imagine something like:

self.prove_predicates(
  sig.inputs().iter().map(|ty| ty::PredicateWellFormed(ty))
);

@spastorino spastorino mentioned this issue Apr 11, 2018
Merged
bors added a commit that referenced this issue Apr 15, 2018
@bors
Auto merge of #49885 - spastorino:fn_ref_unsound, r=nikomatsakis
602b395 
Fix unsoundness bug in functions input references

Fixes #48803

r? @nikomatsakis
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@spastorino spastorino

Labels
A-borrow-checker Area: The borrow checker A-NLL Area: Non-lexical lifetimes (NLL) C-bug Category: This is a bug. I-unsound Issue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/Soundness NLL-sound Working towards the "invalid code does not compile" goal T-compiler Relevant to the compiler team, which will review and decide on the PR/issue.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@spastorino @nikomatsakis @pnkfelix @Centril @exists-forall