Item bounds can reference self projections and still be object safe #122804
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rustbot
added
S-waiting-on-review
compiler-errors
force-pushed
the
item-bounds-can-reference-self
branch
from
3e77591
to
3184f93
Compare
workingjubilee
added
T-types
BoxyUwU
approved these changes
Apr 1, 2024
There was a problem hiding this comment.
would like to have an fcp for this tho. probably should mention about the fact that you can already kind of do this via supertraits, and also that we only assemble alias bound candidates for rigid aliases and <dyn Trait as Trait>::Assoc is never going to be a rigid alias so the item bounds shouldn't affect the trait object
BoxyUwU
added
needs-fcp
|
Ya, I realized during discussion I should probably explain exactly why this is sound, specifically discussing the way we do |
|
☔ The latest upstream changes (presumably #125001) made this pull request unmergeable. Please resolve the merge conflicts. |
compiler-errors
force-pushed
the
item-bounds-can-reference-self
branch
from
3184f93
to
1dcf764
Compare
|
This is ready I believe :3 @rfcbot fcp merge |
|
Team member @compiler-errors has proposed to merge this. The next step is review by the rest of the tagged team members: No concerns currently listed. Once a majority of reviewers approve (and at most 2 approvals are outstanding), this will enter its final comment period. If you spot a major issue that hasn't been raised at any point in this process, please speak up! See this document for info about what commands tagged team members can give me. |
rfcbot
added
proposed-final-comment-period
compiler-errors
removed
the
needs-fcp
|
@rfcbot reviewed |
rfcbot
added
final-comment-period
|
🔔 This is now entering its final comment period, as per the review above. 🔔 |
rfcbot
added
finished-final-comment-period
|
The final comment period, with a disposition to merge, as per the review above, is now complete. As the automated representative of the governance process, I would like to thank the author for their work and everyone else who contributed. This will be merged soon. |
|
@bors r+ |
bors
added
S-waiting-on-bors
Noratrieb
added a commit
to Noratrieb/rust
that referenced
this pull request
Jun 4, 2024
…ference-self, r=BoxyUwU
Item bounds can reference self projections and still be object safe
### Background
Currently, we have some interesting rules about where `Self` is allowed to be mentioned in objects. Specifically, we allow mentioning `Self` behind associated types (e.g. `fn foo(&self) -> Self::Assoc`) only if that `Self` type comes from the trait we're defining or its supertraits:
```
trait Foo {
fn good() -> Self::Assoc; // GOOD :)
fn bad() -> <Self as OtherTrait>::Assoc; // BAD!
}
```
And more specifically, these `Self::Assoc` projections are *only* allowed to show up in:
* (A1) Method signatures
* (A2) Where clauses on traits, GATs and methods
But `Self::Assoc` projections are **not** allowed to show up in:
* (B1) Supertrait bounds (specifically: all *super-predicates*, which includes the projections that come from elaboration, and not just the traits themselves).
* (B2) Item bounds of associated types
The reason for (B1) is interesting: specifically, it arises from the fact that we currently eagerly elaborate all projection predicates into the object, so if we had the following code:
```
trait Sub<Assoc = Self::SuperAssoc> {}
trait Super {
type SuperAssoc;
}
```
Then given `dyn Sub<SuperAssoc = i32>` we would need to have a type that is substituted into itself an infinite number of times[^1], like `dyn Sub<SuperAssoc = i32, Assoc = <dyn Sub<SuperAssoc = i32, Assoc = <dyn Sub<SuperAssoc = i32, Assoc = <... as Super>::SuperAssoc> as Super>::SuperAssoc> as Super>::SuperAssoc>`, i.e. the fixed-point of: `type T = dyn Sub<SuperAssoc = i32, Assoc = <T as Super>::SuperAssoc>`.
Similarly for (B2), we restrict mentioning `Self::Assoc` in associated type item bounds, which is the cause for rust-lang#122798. However, there is **no reason** for us to do so, since item bounds never show up structurally in the `dyn Trait` object type.
#### What?
This PR relaxes the check for item bounds so that `Self` may be mentioned behind associated types in the same cases that they currently work for method signatures (A1) and where clauses (A2).
#### Why?
Fixes rust-lang#122798. Removes a subtle and confusing inconsistency for the code mentioned in that issue.
This is sound because we only assemble alias bounds for rigid projections, and all projections coming from an object self type are not rigid, since all associated types should be specified by the type.
This is also desirable because we can do this via supertraits already. In rust-lang#122789, it is noted that an item bound of `Eq` already works, just not `PartialEq` because of the default item bound. This is weird and should be fixed.
#### Future work
We could make the check for `Self` in super-predicates more sophisticated as well, only erroring if `Self` shows up in a projection super-predicate.
[^1]: This could be fixed by some sort of structural replacement or eager normalization, but I don't think it's necessary currently.
Noratrieb
added a commit
to Noratrieb/rust
that referenced
this pull request
Jun 4, 2024
…ference-self, r=BoxyUwU
Item bounds can reference self projections and still be object safe
### Background
Currently, we have some interesting rules about where `Self` is allowed to be mentioned in objects. Specifically, we allow mentioning `Self` behind associated types (e.g. `fn foo(&self) -> Self::Assoc`) only if that `Self` type comes from the trait we're defining or its supertraits:
```
trait Foo {
fn good() -> Self::Assoc; // GOOD :)
fn bad() -> <Self as OtherTrait>::Assoc; // BAD!
}
```
And more specifically, these `Self::Assoc` projections are *only* allowed to show up in:
* (A1) Method signatures
* (A2) Where clauses on traits, GATs and methods
But `Self::Assoc` projections are **not** allowed to show up in:
* (B1) Supertrait bounds (specifically: all *super-predicates*, which includes the projections that come from elaboration, and not just the traits themselves).
* (B2) Item bounds of associated types
The reason for (B1) is interesting: specifically, it arises from the fact that we currently eagerly elaborate all projection predicates into the object, so if we had the following code:
```
trait Sub<Assoc = Self::SuperAssoc> {}
trait Super {
type SuperAssoc;
}
```
Then given `dyn Sub<SuperAssoc = i32>` we would need to have a type that is substituted into itself an infinite number of times[^1], like `dyn Sub<SuperAssoc = i32, Assoc = <dyn Sub<SuperAssoc = i32, Assoc = <dyn Sub<SuperAssoc = i32, Assoc = <... as Super>::SuperAssoc> as Super>::SuperAssoc> as Super>::SuperAssoc>`, i.e. the fixed-point of: `type T = dyn Sub<SuperAssoc = i32, Assoc = <T as Super>::SuperAssoc>`.
Similarly for (B2), we restrict mentioning `Self::Assoc` in associated type item bounds, which is the cause for rust-lang#122798. However, there is **no reason** for us to do so, since item bounds never show up structurally in the `dyn Trait` object type.
#### What?
This PR relaxes the check for item bounds so that `Self` may be mentioned behind associated types in the same cases that they currently work for method signatures (A1) and where clauses (A2).
#### Why?
Fixes rust-lang#122798. Removes a subtle and confusing inconsistency for the code mentioned in that issue.
This is sound because we only assemble alias bounds for rigid projections, and all projections coming from an object self type are not rigid, since all associated types should be specified by the type.
This is also desirable because we can do this via supertraits already. In rust-lang#122789, it is noted that an item bound of `Eq` already works, just not `PartialEq` because of the default item bound. This is weird and should be fixed.
#### Future work
We could make the check for `Self` in super-predicates more sophisticated as well, only erroring if `Self` shows up in a projection super-predicate.
[^1]: This could be fixed by some sort of structural replacement or eager normalization, but I don't think it's necessary currently.
bors
added a commit
to rust-lang-ci/rust
that referenced
this pull request
Jun 4, 2024
Rollup of 9 pull requests Successful merges: - rust-lang#122804 (Item bounds can reference self projections and still be object safe) - rust-lang#124486 (Add tracking issue and unstable book page for `"vectorcall"` ABI) - rust-lang#125504 (Change pedantically incorrect OnceCell/OnceLock wording) - rust-lang#125608 (Avoid follow-up errors if the number of generic parameters already doesn't match) - rust-lang#125690 (ARM Target Docs Update) - rust-lang#125750 (Align `Term` methods with `GenericArg` methods, add `Term::expect_*`) - rust-lang#125818 (Handle no values cfgs with `--print=check-cfg`) - rust-lang#125909 (rustdoc: add a regression test for a former blanket impl synthesis ICE) - rust-lang#125919 (Remove stray "this") r? `@ghost` `@rustbot` modify labels: rollup
|
Failed in #125956 (comment) |
bors
added
S-waiting-on-author
|
hehe, race condition, I was writing the same rollup failure message that this PR needed a rebase |
compiler-errors
force-pushed
the
item-bounds-can-reference-self
branch
from
1dcf764
to
1b58a7f
Compare
bors
added a commit
to rust-lang-ci/rust
that referenced
this pull request
Jun 6, 2024
…unsoundness, r=<try> Fix supertrait associated type unsoundness This is built on top of rust-lang#122804 though that's really not related, it's just easier to make this modification with the changes to the object safety code that I did in that PR. The only thing is that PR may make this unsoundness slightly easier to abuse, since there are more positions that allow self-associated-types. This PR only looks for supertrait associated types *without* normalizing. I'm gonna crater this initially -- preferably we don't need to normalize unless there's a lot of breakage. I assume that most people are writing `Self::Assoc` so they don't really care about the trait ref being normalized, so somewhat tempted to believe that this will just work out and we can extend it later if needed. r? lcnr
|
☔ The latest upstream changes (presumably #126374) made this pull request unmergeable. Please resolve the merge conflicts. |
|
@compiler-errors needs a rebase :-) |
compiler-errors
force-pushed
the
item-bounds-can-reference-self
branch
from
1b58a7f
to
b7b1b3e
Compare
|
I would be perhaps a little worried about the other PR landing then causing more regressions than expected and it getting reverted. That'd mean this PR would wind up making the problem A Bit worse on a long term basis potentially although I imagine we'd wind up with a fcw in that scenario 🤷♀️. I think trying to hit that unsoundness is also pretty hard in practice, I remember trying to find an example that'd hit it a few times and didn't manage to. I don't think it matters to land that PR before this one, we should just go ahead and merge this imo |
|
Given that #126090 should be in FCP soon and feels quite straight forward, I think we should wait until it's through FCP and then merge both PRs at once (as that the fix builds on this one). |
matthiaskrgr
added a commit
to matthiaskrgr/rust
that referenced
this pull request
Jul 25, 2024
…y-unsoundness, r=lcnr Fix supertrait associated type unsoundness ### What? Object safety allows us to name `Self::Assoc` associated types in certain positions if they come from our trait or one of our supertraits. When this check was implemented, I think it failed to consider that supertraits can have different args, and it was only checking def-id equality. This is problematic, since we can sneak different implementations in by implementing `Supertrait<NotActuallyTheSupertraitSubsts>` for a `dyn` type. This can be used to implement an unsound transmute function. See the committed test. ### How do we fix it? We consider the whole trait ref when checking for supertraits. Right now, this is implemented using equality *without* normalization. We erase regions since those don't affect trait selection. This is a limitation that could theoretically affect code that should be accepted, but doesn't matter in practice -- there are 0 crater regression. We could make this check stronger, but I would be worried about cycle issues. I assume that most people are writing `Self::Assoc` so they don't really care about the trait ref being normalized. --- ### What is up w the stacked commit This is built on top of rust-lang#122804 though that's really not related, it's just easier to make this modification with the changes to the object safety code that I did in that PR. The only thing is that PR may make this unsoundness slightly easier to abuse, since there are more positions that allow self-associated-types -- I am happy to stall that change until this PR merges. --- Fixes rust-lang#126079 r? lcnr
rust-timer
added a commit
to rust-lang-ci/rust
that referenced
this pull request
Jul 26, 2024
Rollup merge of rust-lang#126090 - compiler-errors:supertrait-assoc-ty-unsoundness, r=lcnr Fix supertrait associated type unsoundness ### What? Object safety allows us to name `Self::Assoc` associated types in certain positions if they come from our trait or one of our supertraits. When this check was implemented, I think it failed to consider that supertraits can have different args, and it was only checking def-id equality. This is problematic, since we can sneak different implementations in by implementing `Supertrait<NotActuallyTheSupertraitSubsts>` for a `dyn` type. This can be used to implement an unsound transmute function. See the committed test. ### How do we fix it? We consider the whole trait ref when checking for supertraits. Right now, this is implemented using equality *without* normalization. We erase regions since those don't affect trait selection. This is a limitation that could theoretically affect code that should be accepted, but doesn't matter in practice -- there are 0 crater regression. We could make this check stronger, but I would be worried about cycle issues. I assume that most people are writing `Self::Assoc` so they don't really care about the trait ref being normalized. --- ### What is up w the stacked commit This is built on top of rust-lang#122804 though that's really not related, it's just easier to make this modification with the changes to the object safety code that I did in that PR. The only thing is that PR may make this unsoundness slightly easier to abuse, since there are more positions that allow self-associated-types -- I am happy to stall that change until this PR merges. --- Fixes rust-lang#126079 r? lcnr
|
This was merged with #126090 |
github-actions bot
pushed a commit
to rust-lang/miri
that referenced
this pull request
Jul 26, 2024
…ness, r=lcnr Fix supertrait associated type unsoundness ### What? Object safety allows us to name `Self::Assoc` associated types in certain positions if they come from our trait or one of our supertraits. When this check was implemented, I think it failed to consider that supertraits can have different args, and it was only checking def-id equality. This is problematic, since we can sneak different implementations in by implementing `Supertrait<NotActuallyTheSupertraitSubsts>` for a `dyn` type. This can be used to implement an unsound transmute function. See the committed test. ### How do we fix it? We consider the whole trait ref when checking for supertraits. Right now, this is implemented using equality *without* normalization. We erase regions since those don't affect trait selection. This is a limitation that could theoretically affect code that should be accepted, but doesn't matter in practice -- there are 0 crater regression. We could make this check stronger, but I would be worried about cycle issues. I assume that most people are writing `Self::Assoc` so they don't really care about the trait ref being normalized. --- ### What is up w the stacked commit This is built on top of rust-lang/rust#122804 though that's really not related, it's just easier to make this modification with the changes to the object safety code that I did in that PR. The only thing is that PR may make this unsoundness slightly easier to abuse, since there are more positions that allow self-associated-types -- I am happy to stall that change until this PR merges. --- Fixes #126079 r? lcnr
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Background
Currently, we have some interesting rules about where
Selfis allowed to be mentioned in objects. Specifically, we allow mentioningSelfbehind associated types (e.g.fn foo(&self) -> Self::Assoc) only if thatSelftype comes from the trait we're defining or its supertraits:And more specifically, these
Self::Assocprojections are only allowed to show up in:But
Self::Assocprojections are not allowed to show up in:The reason for (B1) is interesting: specifically, it arises from the fact that we currently eagerly elaborate all projection predicates into the object, so if we had the following code:
Then given
dyn Sub<SuperAssoc = i32>we would need to have a type that is substituted into itself an infinite number of times1, likedyn Sub<SuperAssoc = i32, Assoc = <dyn Sub<SuperAssoc = i32, Assoc = <dyn Sub<SuperAssoc = i32, Assoc = <... as Super>::SuperAssoc> as Super>::SuperAssoc> as Super>::SuperAssoc>, i.e. the fixed-point of:type T = dyn Sub<SuperAssoc = i32, Assoc = <T as Super>::SuperAssoc>.Similarly for (B2), we restrict mentioning
Self::Associn associated type item bounds, which is the cause for #122798. However, there is no reason for us to do so, since item bounds never show up structurally in thedyn Traitobject type.What?
This PR relaxes the check for item bounds so that
Selfmay be mentioned behind associated types in the same cases that they currently work for method signatures (A1) and where clauses (A2).Why?
Fixes #122798. Removes a subtle and confusing inconsistency for the code mentioned in that issue.
This is sound because we only assemble alias bounds for rigid projections, and all projections coming from an object self type are not rigid, since all associated types should be specified by the type.
This is also desirable because we can do this via supertraits already. In #122789, it is noted that an item bound of
Eqalready works, just notPartialEqbecause of the default item bound. This is weird and should be fixed.Future work
We could make the check for
Selfin super-predicates more sophisticated as well, only erroring ifSelfshows up in a projection super-predicate.Footnotes
This could be fixed by some sort of structural replacement or eager normalization, but I don't think it's necessary currently. ↩