[NLL] Dangly paths for box

[pnkfelix]

Special-case Box in rustc_mir::borrow_check.

Since we know dropping a box will not access any &mut or & references, it is safe to model its destructor as only touching the contents owned by the box.

---

There are three main things going on here:

1. The first main thing, this PR is fixing a bug in NLL where rustc previously would issue a diagnostic error in a case like this:

fn foo(x: Box<&mut i32>) -> &mut i32 { &mut **x } 

such code was accepted by the AST-borrowck in the past, but NLL was rejecting it with the following message (playground)

error[E0597]: `**x` does not live long enough
 --> src/main.rs:3:40
  |
3 | fn foo(x: Box<&mut i32>) -> &mut i32 { &mut **x }
  |                                        ^^^^^^^^ - `**x` dropped here while still borrowed
  |                                        |
  |                                        borrowed value does not live long enough
  |
note: borrowed value must be valid for the anonymous lifetime #1 defined on the function body at 3:1...
 --> src/main.rs:3:1
  |
3 | fn foo(x: Box<&mut i32>) -> &mut i32 { &mut **x }
  | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

error: aborting due to previous error

2. The second main thing: The reason such code was previously rejected was because NLL (MIR-borrowck) incorporates a fix for issue Drop and leaking &mut references #31567, where it models a destructor's execution as potentially accessing any borrows held by the thing being destructed. The tests with Scribble model this, showing that the compiler now catches such unsoundness.

However, that fix for issue #31567 is too strong, in that NLL (MIR-borrowck) includes Box as one of the types with a destructor that potentially accesses any borrows held by the box. This thus was the cause of the main remaining discrepancy between AST-borrowck and MIR-borrowck, as documented in issue #45696, specifically in the last example of this comment, which I have adapted into the fn foo shown above.

We did close issue #45696 back in December of 2017, but AFAICT that example was not fixed by PR #46268. (And we did not include a test, etc etc.)

This PR fixes that case, by trying to model the so-called DerefPure semantics of Box<T> when we traverse the type of the input to visit_terminator_drop.

3. The third main thing is that during a review of the first draft of this PR, @matthewjasper pointed out that the new traversal of Box<T> could cause the compiler to infinite loop. I have adjusted the PR to avoid this (by tracking what types we have previously seen), and added a much needed test of this somewhat odd scenario. (Its an odd scenario because the particular case only arises for things like struct A(Box<A>);, something which cannot be constructed in practice.)

Fix #45696.

[rust-highfive]

r? @estebank

(rust_highfive has picked a reviewer for you, use r? to override)

[pnkfelix]

r? @nikomatsakis

[pnkfelix]

Btw this PR illustrates a second breaking change to the static semantics associated with the move to NLL (the first breaking change being #27282), and thus provides extra justification for the migration mode (#46908) we are deploying with the 2018 edition.

[matthewjasper]

This looks like unconditional recursion when dropping struct A(Box<A>, ...)

[pnkfelix]

Note you didn’t put an Option<Box<A>> there

Doesn’t the compiler already reject such infinite types? Let me check

[pnkfelix]

Hmm okay this may indeed be a problem for me. You can define such types. You won’t be able to make an instance of one, but I imagine one could make a let a: Option<A> = None; and then the compiler would possibly infinite loop while trying to deal with the drop of the Option<A> ...

[matthewjasper]

I think the only way to get a local with such a type is as a function argument or unitialized variable for now. Option<A> is currently dropped as a single unit, since it's a lot harder to reborrow an enum field, which is the only case this matters as far as I can tell.

[pnkfelix]

Note that there are already existing bugs where infinitely sized types can cause the compiler, often specifically dropck, to hang.

Here are a couple (that are still open/unresolved) that I found by skimming over the results when I searched for "recursive" in our issues list: #44933, and #52852

(Plus there is #4287, which I might argue that example falls into in the long term, since our users might like getting a nice warning about the problem.)

[pnkfelix]

Also, it turns out that the infinite loop here does allocate memory on each iteration, so we will eventually exhaust our available memory and error out due to that. I don't know whether people think that is better or worse than just diverging execution... :)

Despite the existence of bugs like #44933 and #52852, I will go ahead and try to fix this PR to detect the recursion...

[pnkfelix]

(I had a slew of comments that falsely claimed that rustc under AST-borrowck also diverged on the case in question; but I had gotten confused because I was also checking the behavior of #52852, so I thought the infinite loops I was seeing there also applied to this struct A(Box<A>); case; I have now deleted those erroneous comments since they were just injecting a lot of noise on the PR.)

I will definitely fix this PR. This is a case that used to work and my PR causes it to break in a pretty bad way.

[pnkfelix]

(fixed, and added corresponding test.)

[pnkfelix]

I'm going to assign this review to @nagisa since @nikomatsakis is on PTO.

@nagisa : do feel free to reassign to someone else if you do not feel comfortable with it. I could just let someone from the WG-compiler-nll working group look at it (indeed it seems like @matthewjasper has done at least enough of a review to point out something deep that I overlooked).

[pnkfelix]

r? @nagisa

[MaloJaffre]

These two lines seem to be incorrect, there is no actual recursion.

[nagisa]

Well, there is, in a sense that you cannot construct either E or F due to them being recursive. It is just that they are not mutually recursive, but perhaps ought to be?

[pnkfelix]

This was a typo. I meant for G to refer to H and H to refer to G.

(I had gone through a couple iterations of this and I added cases above... maybe I'll put these into individual inner modules to try to prevent this kind of mistake.)

[nagisa]

I looked over most of the code, but couldn’t finish looking over the tests. I’ll delegate to @eddyb to r+ this, as I believe they looked over the tests and/or semantics.

[nagisa]

Why is this between parens, and why is this not a proper doc?

[nagisa]

This makes sense and seems good.

[nagisa]

Makes sense, although I’m straining to have this not fly over my head entirely :)

[nagisa]

Well, there is, in a sense that you cannot construct either E or F due to them being recursive. It is just that they are not mutually recursive, but perhaps ought to be?

[eddyb]

cc @nikomatsakis this is starting to quickly become the rustc team's favorite hack!

[pnkfelix]

Indeed, in the commit message I even wrote:

Note: A similar style stack-only linked-list definition can be found
in `rustc_mir::borrow_check::places_conflict`. It might be good at
some point in the future to unify the two types and put the resulting
definition into `librustc_data_structures/`.

[eddyb]

back in my day... https://github.com/rust-lang/rust/pull/12162/files#diff-87946a10679226d1e5b4d6f9c30ab133R47

[eddyb]

nit: Ty not ty::Ty.

[pnkfelix]

yeah I guess we've hit the number of occurrences where we can add Ty to the use at the top.

[eddyb]

You can rearrange this to have Option around a pair of Ty and &SeenTy, bypassing the problems needing Option around it later.

[pnkfelix]

Okay I will try that.

[eddyb]

"the loss of the reference itself"?

[pnkfelix]

That is, the dropping of the representation of the box-pointer

How would you prefer to phrase this?

[eddyb]

Do you mean the allocation? Or the library-side newtype around the pointer? I would not call either a "reference" unless you mean the &mut Box<T> that a Drop::drop impl would get.

[pnkfelix]

I mean the library-side newtype around the pointer. I tried rephrasing as "StorageDead of the box-pointer representation" in my updated comments.

[eddyb]

Why is this last? Doesn't dropping the contents happen before deallocating the box?

[pnkfelix]

If you want the drop of the box contents to happen first, that should be easy to do. For some reason I thought the presentation was more "natural" from the view point of someone reading the code.

• I didn't think the order in which we did these three steps would actually matter ...
• (but now you've got me wondering if it could ... I'll do some experiments...)

I do remember playing with moving around the order to see if that got rid of the deltas to dropck.nll.stderr and dropck-object-cycle.nll.stderr. (But it didn't.)

So, anyway, I'll try putting it first as part of other changes I'm making in response to your feedback.

[pnkfelix]

One argument for why the order shouldn't matter here: Given a_box: Box<T>, In theory someone should be allowed to move the contents out of *a_box, and have those contents get dropped at a time that is disconnected from the (shallow) drop of a_box.

Of course that would be totally broken if the drop of a_box did attempt to dereference and drop the contents at *a_box. But that's why the shallow/deep distinction is important here.

[pnkfelix]

(but now you've got me wondering if it could ... I'll do some experiments...)

i played around a little to try to see if I could create a struct with a recursive self-reference inside a box and somehow throw in a destructor that would allow us to in some way observe the access order here. But perhaps unsurprisingly I was unable to make such a thing due to dropck rules...

[eddyb]

Wait, why do we need to do anything to the dereference, as opposed to the Box itself?
If you implemented Box in a library, you would recurse in an ADT and see a raw pointer... and not go further.

[pnkfelix]

Yes, and that's the whole problem.

If you implement MyBox as a library, then we see that that there is an impl Drop for MyBox and then fail to accept code like:

fn foo(x: MyBox<&mut i32>) -> &mut i32 { &mut **x } 

If you want to be able to implement MyBox as a library, then we will need to generalize the functionality described here via some means (be it DerefPure or #[dangly_path] or something else), and then have MyBox use that generalized functionality.

This PR is taking the expedient path of treating Box as a special case where we know its destructor is special.

[eddyb]

But is the shallow *x access even necessary? Doesn't owned *x + shallow x suffice?
Also, isn't this similar to unsafe impl<#[may_dangle] T> Drop for Box<T>?

[pnkfelix]

Ah I think I understand your question now.

The shallow *x access is definitely necessary. If you leave that out, you miss cases like a drop of a_box: Box<i32>, where the drop of the box needs to invalidate borrows of &*a_box and &mut *a_box

Notably, the shallow x access does not invalidate such borrows. (And the step that recurs on the box contents doesn't help there either, because when the original type was Box<i32> then we're just looking at i32...)

Because all the shallow x access touches is the fields of the box representation:

rust/src/liballoc/boxed.rs

Line 81 in f898179

pub struct Box<T: ?Sized>(Unique<T>);

i.e.:

rust/src/libcore/ptr.rs

Lines 2694 to 2702 in f898179

	pub struct Unique<T: ?Sized> {
	pointer: NonZero<*const T>,
	// NOTE: this marker has no consequences for variance, but is necessary
	// for dropck to understand that we logically own a `T`.
	//
	// For details, see:
	// https://github.com/rust-lang/rfcs/blob/master/text/0769-sound-generic-drop.md#phantom-data
	_marker: PhantomData<T>,
	}

[pnkfelix]

One might be able to argue that the special case handling here should be attached to Unique<T> rather than Box<T>. I haven't thought terribly hard about that option.

(But that would be much harder to implement in the short term. Right now in MIR-borrowck we do at least * track Box and derefs of Box as special things. If we had to somehow use UniquePtr instead then that would involve revisiting our code for representing the move-paths.)

[pnkfelix]

So the recursive call to visit_terminator_drop will bottom out here at this code:

rust/src/librustc_mir/borrow_check/mod.rs

Lines 900 to 914 in f898179

	_ => {
	// We have now refined the type of the value being
	// dropped (potentially) to just the type of a
	// subfield; so check whether that field's type still
	// "needs drop". If so, we assume that the destructor
	// may access any data it likes (i.e., a Deep Write).
	if erased_drop_place_ty.needs_drop(gcx, self.param_env) {
	self.access_place(
	ContextKind::Drop.new(loc),
	(drop_place, span),
	(Deep, Write(WriteKind::StorageDeadOrDrop)),
	LocalMutationIsAllowed::Yes,
	flow_state,
	);
	}

I.e. visit_terminator_drop is just meant to model the actions of destructors. If you hand it the place *a_box, that is just an i32. Dropping that has no effect.

So my shallow write to *a_box is an attempt to model the effect of the Box<T> destructor.

[pnkfelix]

@eddyb asked:

Also, isn't this similar to unsafe impl<#[may_dangle] T> Drop for Box?

Yes it is. That is in part why I called these things "dangly paths" in nikomatsakis/nll-rfc#40

[eddyb]

Okay, so the "owned drop" part of *a_box does not invalidate borrows to *a_box for at least some types, that helps a bit.

I wish the "shallow write" done to*a_box was more of a StorageDead effect (instead of just being called a "write"), because it's really destroying the backing storage, without necessarily writing to it.

[pnkfelix]

(Further review/discussion led to me pointing out that the effect encoded here is inded tagged as Write(WriteKind::StorageDeadOrDrop))

[pnkfelix]

See also PR #54310

[pnkfelix]

Note: One entirely reasonable path would be to not land this PR in time for 2008 Edition Preview 2 (EP2).

That is, we could try to get a guess as to how much code in the wild is relying on this, by seeing how many users report that they got what they see as a bogus warning from the NLL code in a scenario like this one.

I mention this mainly because while reading over nikomatsakis/nll-rfc#40 I was reminded that we never really "decided" that we were going to support this.

[eddyb]

Stray backtick after T.

[eddyb]

At the lowest (unsafe?) level, yes, step 2 would technically be in Drop for Box<T>.
However, from the point of view of the code using DerefOwn + Drop, step 2 would be part of dropping the &own T.

That is, dropping &own T invalidates it as backing storage for the code using it, so there would potentially be a gap in between dropping the &own T you got from DerefOwn and calling free (via Drop for Box<T>), in which you can't use the allocation even though it still exists.

This is quite distinct from moving out of the &own T, which would allow moving back in, or assigning to the T inside, which would drop the T but not invalidate the &own T.

[pnkfelix]

Hmm so you’re interpreting step 2 as solely invalidating the backing storage, while I was interpreting it as both invalidating the backing storage and deallocating the backing storage

Do I have that right? Where does the deallocation happen in your mental model, as part of step 3?

[pnkfelix]

Or, rereading my comment in the code, maybe I was interpreting step 2 as solely deallocating the backing storage, and I didn’t have the invalidation in any explicit step.

While you are pointing out that the invalidation happens, in the code here, as part of step 2

[eddyb]

While you are pointing out that the invalidation happens, in the code here, as part of step 2

Yes, in terms of borrowck, you can only observe that "backing storage" invalidation (see below).

Do I have that right? Where does the deallocation happen in your mental model, as part of step 3?

Yes, it's in step 3, and it's not something the borrowck can even model directly, since it doesn't understand the dynamic allocation protocol (the deallocation is "just" an FFI call with a raw pointer).

[eddyb]

Talking to @RalfJung, I reached a point where I'm wondering whether Drop(x: T) being a noop when !needs_drop(T) is a bad idea, since it makes some sense that it'd have an effect similar to Operand::Move(x) (i.e. invalidation of the source value).

I thought something like StorageDead(*a_box) was needed, but Move(*a_box) should do and Drop(*x) should maybe imply it as well.

For the &own T model, that means that Drop(x: &own T) only needs to invalidate the value at *x, not the underlying memory. However, we should have the same restrictions overall, as that memory is no longer reachable, since x had the unique path to it (which the Drop(x) should have invalidated), and invalidating the value at *x should prevent any other borrows from surviving.

In less words, we only need StorageLive / StorageDead for locals specifically because they're not behind indirection we can create/destroy in ways that would enable/disable access to the value through a single unique path (with subordinate borrows).

OTOH we don't generate Drop at all sometimes, as an optimization, so we have to rely on StorageDead instead for invalidating at least some of the locals.

[eddyb]

I think it's relevant if part of liballoc did &a_box.0 (for whatever reason) - without this last step, a_box could be dropped without that borrow being invalidated, right? You could probably use a #![no_std] test to check for this, by definition your own Box lang item.

[eddyb]

@bors r+

I hope @nikomatsakis agrees and we can revert it otherwise.

[bors]

📌 Commit c02c00b has been approved by eddyb

[RalfJung]

Uh, can we not fall-back-to-error instead of fall-back-to-accept? Seems like a disaster waiting to happen.^^

[pnkfelix]

We cannot fallback to error, at least not to hard error. That could break hypothetical code.

We could issue a future compatibility warning.

Or we could try to emit drop code that error dynamically ... maybe that is what you are asking for?

(When I wrote "skip them during drop", I meant during this static analysis. I believe the actual dynamic behavior here will be to ... infinite loop ... i think... )

[pnkfelix]

(This is the test case showing the kind of case that concerns me. It is currently marked as run-pass; we could make a variant of it that actually conjures up one of this infinitely regressed things, but I'm pretty sure that the unsafe code guidelines group would tag such a test as having undefined behavior, no?)

[RalfJung]

I'm pretty sure that the unsafe code guidelines group would tag such a test as having undefined behavior,

Yeah, I agree.

When I wrote "skip them during drop", I meant during this static analysis. I believe the actual dynamic behavior here will be to ... infinite loop ... i think...

Probably it'll fill up the stack. ;)
What does it mean for the static analysis to skip this? Does it not consider this a use, or so? That seems problematic.^^

[pnkfelix]

It considers the first one it sees a use, but not the second one encountered via the recursive descent.

But to even get to that code during dynamic execution you’d have to already built the invalid thing and be witnessing UB.

Maybe I should make a more complete illustrative test case for us to discuss, with the aforementioned construction...?

[RalfJung]

It considers the first one it sees a use, but not the second one encountered via the recursive descent.

I see. Yes, without knowing any of the details, this does make some sense.

[bors]

⌛ Testing commit c02c00b with merge 40cb447...

[bors]

☀️ Test successful - status-appveyor, status-travis
Approved by: eddyb
Pushing 40cb447 to master...